From 7c58572f2ab121de007cbae4d69965eeaadcbf90 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 21:32:18 +0200
Subject: [PATCH 01/12] docs(security): port security best practices 1:1 from
 portal

Replaces AI-generated security docs with verified portal content,
adds 8 missing topic files, 2 new prerequisite pages, and fixes
a confirmed double-spend bug in the inter-canister-calls guide.

Changes:
- Replace: inter-canister-calls.md, access-management.mdx,
  canister-upgrades.md, dos-prevention.md, data-integrity.md
- Add: overview.md, data-storage.md, decentralization.md,
  https-outcalls.md, misc.md, observability.md, resources.md,
  formal-verification.md
- Add: references/message-execution-properties.md (prerequisite
  referenced by inter-canister-calls.md)
- Add: guides/canister-calls/idempotency.md (prerequisite for
  safe retry patterns in inter-canister calls)
- Fix sidebar order conflicts (now matches portal ordering 1-14)
- Fix MDX HTML comment syntax in access-management.mdx
- Add security and reference diagram images to public/img/
- encryption.mdx flagged for separate security team review (new
  content not from portal, not changed here)
---
 docs/guides/canister-calls/idempotency.md     | 102 ++
 docs/guides/security/access-management.mdx    | 497 ++++------
 docs/guides/security/canister-upgrades.md     | 350 +------
 docs/guides/security/data-integrity.md        | 904 +++++++++++-------
 docs/guides/security/data-storage.md          |  94 ++
 docs/guides/security/decentralization.md      |  76 ++
 docs/guides/security/dos-prevention.md        | 360 +------
 docs/guides/security/encryption.mdx           |   2 +-
 docs/guides/security/formal-verification.md   |  34 +
 docs/guides/security/https-outcalls.md        |  97 ++
 docs/guides/security/inter-canister-calls.md  | 605 +++++-------
 docs/guides/security/misc.md                  | 280 ++++++
 docs/guides/security/observability.md         |  22 +
 docs/guides/security/overview.md              |  22 +
 docs/guides/security/resources.md             |  39 +
 .../message-execution-properties.md           |  78 ++
 .../references/example_highlighted_code.png   | Bin 0 -> 32553 bytes
 .../img/docs/references/example_orderings.png | Bin 0 -> 34582 bytes
 public/img/docs/retry_idempotency.png         | Bin 0 -> 55032 bytes
 .../security/example_trap_after_await.png     | Bin 0 -> 70597 bytes
 .../security/ii_mobile_delegation_chain.png   | Bin 0 -> 95362 bytes
 sidebar.mjs                                   |   1 +
 22 files changed, 1868 insertions(+), 1695 deletions(-)
 create mode 100644 docs/guides/canister-calls/idempotency.md
 create mode 100644 docs/guides/security/data-storage.md
 create mode 100644 docs/guides/security/decentralization.md
 create mode 100644 docs/guides/security/formal-verification.md
 create mode 100644 docs/guides/security/https-outcalls.md
 create mode 100644 docs/guides/security/misc.md
 create mode 100644 docs/guides/security/observability.md
 create mode 100644 docs/guides/security/overview.md
 create mode 100644 docs/guides/security/resources.md
 create mode 100644 docs/references/message-execution-properties.md
 create mode 100644 public/img/docs/references/example_highlighted_code.png
 create mode 100644 public/img/docs/references/example_orderings.png
 create mode 100644 public/img/docs/retry_idempotency.png
 create mode 100644 public/img/docs/security/example_trap_after_await.png
 create mode 100644 public/img/docs/security/ii_mobile_delegation_chain.png

diff --git a/docs/guides/canister-calls/idempotency.md b/docs/guides/canister-calls/idempotency.md
new file mode 100644
index 0000000..b46fb51
--- /dev/null
+++ b/docs/guides/canister-calls/idempotency.md
@@ -0,0 +1,102 @@
+---
+title: "Safe Retries and Idempotency"
+description: "Design idempotent canister APIs to enable safe retries for ingress calls and bounded-wait inter-canister calls, preventing double-spend and other correctness issues."
+---
+
+In the case of network issues or other unexpected behavior, ICP clients (such as agents) that issue ingress update calls may be unable to determine whether their ingress request has been processed. For example, this can happen if the client loses connection until after the request's ingress expiry ends and the request's status is removed from the system state tree.
+
+Similarly, canisters that call other canisters using bounded-wait calls may be unable to determine whether the call was successful or not.
+
+This can be risky as the callers (external users or applications for ingress messages, or canisters for inter-canister calls) might decide to retry the transaction, potentially leading to serious security vulnerabilities such as double spending.
+
+Thus, it is important to design and/or use canister APIs such that it is possible to retry requests safely, even when the ICP provides no information about previous request attempts. This page describes general approaches that both the canister authors and clients can adopt to enable safe retries.
+
+## Idempotent canister APIs
+
+A canister endpoint is idempotent if executing it multiple times is equivalent to executing it once.[^1] Whenever an endpoint is idempotent or can be made idempotent by the developer, this provides an easy way to implement safe retries.
+
+Given an idempotent endpoint, you can implement retries from an external application by retrying the call until you observe a certified response, either a replied or rejected status; see the illustration below. If such a response is ever observed, it's sure that the transaction has been executed at least once, which, thanks to idempotency, has the same result as executing it exactly once. However, the application may not be willing to wait for a response indefinitely, and a timeout could be implemented. Upon timeout, an error should be displayed to the user instructing them to wait until the latest message that has been sent has expired (as defined by the request's `ingress_expiry`) and then manually check the status of the transaction. Ideally, timeouts should be rare and not occur during normal operation.
+
+![Retrying an idempotent call](/img/docs/retry_idempotency.png)
+
+The situation is similar for bounded-wait inter-canister calls. Given an idempotent endpoint, the calling canister can keep retrying until a response other than `SYS_UNKNOWN` is observed or give up after a timeout if waiting indefinitely is not an option.
+
+Below are two approaches to making endpoints idempotent: sequence numbers and (time window) ID deduplication.
+
+### Update sequence numbers
+
+An endpoint can make use of sequence numbers to provide idempotency by taking a sequence number parameter in addition to other parameters. In the extreme case, a canister could keep a single expected sequence number for every endpoint, and a call could only be accepted if it contained the next expected sequence number, causing the expected sequence number to be incremented upon call execution. This trivially implies that any call can only be executed once. More practically, an expected sequence number is kept for each caller principal, or, in the case of ledger-like canisters, each ledger account. Note that Ethereum implements this mechanism.
+
+The advantages of this approach are:
+
+1. Sequence numbers are simple to implement and understand.
+2. When applicable, it has a modest memory footprint because only the next expected sequence number must be stored (for example, per active account).
+
+The approach also has some disadvantages:
+
+1. It limits the throughput. When per-caller sequence numbers are used, it means that the caller can generally perform only one ingress call per consensus block, translating to a throughput of about 1 ingress call per second for that user. The situation is better for inter-canister calls, as the requests (if delivered) will be delivered in the order in which they were sent. Thus, the calling canister can issue multiple requests simultaneously, using appropriate sequence numbers. Under normal load, all requests should be delivered. However, under heavy load where the system may drop some requests, requests that follow such a dropped request may become invalid.
+
+2. It limits concurrency. The user has to sequentialize all their calls. This is straightforward to do when the user is another canister, but it can be much more difficult when the canister is called through ingress messages. In particular, it's complicated when the user is using multiple clients or devices to access the canister, for example. This concurrency problem also makes the approach inapplicable to cases where anonymous users are allowed to trigger update calls.
+
+3. If the sequence number is stored per user or per account, tracking them for too many users can exhaust the canister memory, even if each individual number is small. This could, e.g., be exploited by an attacker to exhaust the memory. The approach is thus best suited for cases where the user has to pay for the usage in some way (e.g., the ledgers usually require a fee to both create an account and transfer funds), which thwarts attackers by requiring them to invest significant funds in an attack.
+
+### ID deduplication
+
+Another approach to idempotency is to make the calls uniquely identifiable on the receiving canister side (e.g., by using user-chosen IDs, sequence numbers, or a combination of several argument fields) to make sure a given call is executed at most once. The canister then deduplicates calls before executing them; if a call with the same ID has been executed previously, the new call is simply ignored (potentially returning the result of the previous call). Thus, the user can safely keep retrying the call until they get a response.
+
+For example, the ICRC ledger standard provides deduplication in this way. Using identical values for all call parameters, including the `created_at_time` and `memo` parameters, when issuing a transaction makes the transaction call idempotent by deduplicating calls with the same parameters.
+
+However, a naive implementation of this approach can exhaust the canister memory, as all successfully executed IDs need to be kept around forever. Thus, the deduplication is usually time-limited to a certain time window. For example, the ICP ledger uses a 24-hour window, and the ICRC standard defines a configuration parameter `TX_WINDOW` that determines the window length.
+
+Moreover, the ICP/ICRC ledgers use the `created_at_time` parameter to limit the validity period of a call. Roughly, the call is only considered valid if its `created_at_time` is not in the future and at most 24 hours in the past.[^2] This avoids the problem where the deduplication window expiring would allow a retried call to succeed again.
+
+But even with this improvement used in the ledgers, the time window approach implicitly assumes that the client will be able to get a definite answer to their call within the time window. For example, after the 24 hours expire, the user cannot easily tell if their ledger transfer happened; their only option is to analyze the ledger blocks, which is somewhat tedious and has to be done carefully to avoid asynchrony issues; see the section on [queryable call results](#queryable-call-results).
+
+Relying solely on a time window for deduplication does not guarantee bounded memory usage. In theory, an unlimited number of updates could occur within the time window, though in practice, this is constrained by the scaling limits of the ICP. The ICP/ICRC ledgers thus also define a maximum capacity: a limit on the number of deduplicated transactions (i.e., deduplication IDs) that can be stored in their deduplication store. Once this capacity is reached, further transactions are rejected until older transactions expire from the deduplication store at the end of the time window. Yet another extension of the approach is to guarantee deduplication for the stated time window as above but keep storing deduplication IDs even beyond that window, as long as the capacity is not reached. This way, the clients obtain a hard deduplication guarantee for the time window and a best-effort attempt to deduplicate transactions even past the window.
+
+An alternative is to do away with the time window and store the deduplication data forever. This requires storing this data in multiple canisters in order to prevent exhausting canister memory, similar to how the ICP/ICRC ledgers store transaction data in the archive canister. This shifts the tedious part of querying the deduplication data (e.g., ledger blocks) from the user to the canister.
+
+Summarizing, the advantages of this approach are:
+
+1. It can support high throughput.
+2. It requires no synchronization on the part of the user and supports use cases like multiple devices.
+
+The disadvantages are:
+
+1. It is more complicated to implement than sequence numbers.
+2. If a time window is used, it usually implicitly assumes that the user learns the call outcome within the time window.
+3. The memory usage can grow fairly high with high supported throughput and long deduplication windows. For example, supporting 100 transactions per second with a deduplication window of 24 hours can require hundreds of megabytes of heap space. This can be mitigated by using multiple canisters to store the deduplication data, at the expense of further implementation complexity and higher latency.
+
+## Other approaches to safe retries
+
+In the absence of idempotent endpoints, or even in addition to them, clients may be able to use other endpoints to make their retries safe.
+
+### Queryable call results
+
+If the canister, in addition to the update endpoint, also exposes a query that can inform the user of the result of the update, the client can also use this for safe retries as follows:
+
+1. Attempt to perform the update.
+2. If the result of the update is unknown (e.g., not present in the ingress history anymore, or a `SYS_UNKNOWN` error is returned for an inter-canister call), query the call result endpoint to determine whether the update was applied or not. Moreover, one needs to ensure that the previously sent call cannot be applied in the future. If both of these are true, the call might be retried or safely reported as failed.
+
+In practice, this pattern may be more complicated. For example, the ICP ledger exposes a `query_blocks` method that can be used to implement the above pattern for transfers initiated as ingress messages:
+
+1. Call the `query_blocks` method on the ledger to determine what the last block (as specified in the `chain_length` field of the response) currently is. Let's call this `last_block`.
+2. Attempt to perform a transfer. This ingress message includes an `ingress_expiry` field.
+3. If the result of the transfer is unknown, ensure that the transfer will not be applied at a later point:
+   - If using ingress messages, call the `read_state` endpoint on the ledger canister to obtain the `/time` branch of the system state tree. Repeat this until the reported time exceeds the `ingress_expiry` time.
+   - If using inter-canister calls, perform all subsequent calls (`query_blocks`) listed below from the same canister that initiated the transfer. The [ordering guarantees](../../references/message-execution-properties.md) then ensure that the transfer cannot happen later.
+4. Call the `query_blocks` method on the ledger again to retrieve all ledger blocks since `last_block`, and check that the `timestamp` also exceeds the `ingress_expiry` time. In case of failure, retry until a result is obtained. Then, scan through the returned blocks to determine whether the transaction has been included or not.
+
+### 2-step transfers
+
+Another approach applicable to ledgers (such as ICRC-1 or ICP) is to perform transfers in two steps:
+
+1. First, transfer the tokens to an intermediate subaccount of the sender that's specific to this transaction. For example, if the transaction has a unique ID, the client can hash the ID to obtain a subaccount. The transferred amount should be the desired amount plus the ledger transaction fee.
+2. If the result of the above transfer is unknown, query the balance of the transaction-specific subaccount. Like in the [queryable call result](#queryable-call-results) approach, if using ingress messages, this should be repeated until the `timestamp` accompanying the response exceeds the `ingress_expiry`. If the balance is 0, the transaction can safely be reported as failed, or it can be retried (starting from step 1). If the balance is at least the expected balance, one can proceed.
+3. If the transfer to the transaction-specific subaccount succeeded (as determined either by the transfer result or by the balance query above), the client sends another transfer from the transaction-specific subaccount to the desired target account. This can be repeated as many times as necessary until a result of the call is known. Once a result is known, the overall transfer can be declared as succeeded, even if this step fails with an error, as this signifies that some previous attempt to transfer the money to the target succeeded.
+
+[^1]: "Equivalent" is meant from the user perspective here. Multiple executions may trigger changes such as those in the canister's cycle balance, but they are not relevant for the user.
+
+[^2]: More precisely, the ledger also allows for a small time drift of `created_at_time` into the future, which has to be taken into account when clearing the deduplication window.
+
+<!-- Upstream: dfinity/portal — building-apps/best-practices/idempotency.mdx -->
diff --git a/docs/guides/security/access-management.mdx b/docs/guides/security/access-management.mdx
index 8c756eb..d9bf321 100644
--- a/docs/guides/security/access-management.mdx
+++ b/docs/guides/security/access-management.mdx
@@ -1,375 +1,250 @@
 ---
-title: "Access Management"
-description: "Control who can call your canister with guards, caller checks, and controller management"
+title: "Security Best Practices: Identity and Access Management"
+description: "Security best practices for authentication, anonymous principal rejection, ingress message inspection, and session management."
 sidebar:
-  order: 1
+  order: 3
 ---
 
 import { Tabs, TabItem } from '@astrojs/starlight/components';
 
-Every canister method is callable by anyone on the internet. Without explicit access checks, any user or canister can invoke any of your public functions. This guide covers the patterns you need to restrict access.
+## Make sure specific user actions require authentication
 
-## Checklist
+### Security concern
 
-Use this as a quick reference when securing your canister:
+If this is not the case, an attacker may be able to perform sensitive actions on behalf of a user, compromising their account.
 
-- [ ] Reject the anonymous principal (`2vxsx-fae`) in every authenticated endpoint
-- [ ] Check the caller inside each update method: not just in `canister_inspect_message`
-- [ ] Use the `guard` attribute (Rust) or guard functions (Motoko) to enforce access rules
-- [ ] Add a backup controller so you never lose canister access
-- [ ] Use `canister_inspect_message` only as a cycle-saving optimization, never as a security boundary
+### Recommendation
 
-## How caller identity works
-
-When a canister receives a message, the network includes the caller's principal. This identity is provided by the system: it cannot be forged or spoofed. You access it with:
-
-- **Motoko:** `shared({ caller })` pattern on public functions
-- **Rust:** `ic_cdk::api::msg_caller()`
-
-Every principal is one of these types:
-
-| Type | Format | Example | Meaning |
-|------|--------|---------|---------|
-| User | Varies (self-authenticating) | `wo5qg-ysjaa-aaaaa-...` | Human with a cryptographic identity |
-| Canister | 10 bytes, ends in `-cai` | `rrkah-fqaaa-aaaaa-aaaaq-cai` | Another canister making an inter-canister call |
-| Anonymous | Fixed | `2vxsx-fae` | Unauthenticated caller: no identity |
-| Management | Fixed | `aaaaa-aa` | IC management canister (system calls) |
-
-## Reject anonymous callers
-
-Any endpoint that requires authentication must reject the anonymous principal. Without this check, unauthenticated callers can invoke protected methods. If your canister uses the caller principal as an identity key (for balances, ownership, etc.), the anonymous principal becomes a shared identity anyone can use.
-
-<Tabs syncKey="lang">
-<TabItem label="Motoko">
-
-```motoko
-import Principal "mo:core/Principal";
-import Runtime "mo:core/Runtime";
-
-// Inside persistent actor { ... }
-
-  func requireAuthenticated(caller : Principal) {
-    if (Principal.isAnonymous(caller)) {
-      Runtime.trap("anonymous caller not allowed");
-    };
-  };
-
-  public shared ({ caller }) func protectedAction() : async Text {
-    requireAuthenticated(caller);
-    "ok";
-  };
-```
-
-</TabItem>
-<TabItem label="Rust">
+- The caller of every canister call can be identified. The calling [principal](../../references/ic-interface-spec/index.md#principal) can be accessed using the system API's methods [`ic0.msg_caller_size` and `ic0.msg_caller_copy`](../../references/ic-interface-spec/canister-interface.md#system-api-imports). If an identity provider such as Internet Identity is used, [the principal is the user identity for this specific origin](../../references/internet-identity-spec.md#identity-design-and-data-model). If some actions (e.g., access to user's account data or account-specific operations) should be restricted to a principal or a set of principals, then this must be explicitly checked in the canister call. An example in Rust can be found below:
 
 ```rust
-use ic_cdk::update;
-use ic_cdk::api::msg_caller;
-use candid::Principal;
-
-fn require_authenticated() -> Result<(), String> {
-    if msg_caller() == Principal::anonymous() {
-        return Err("anonymous caller not allowed".to_string());
-    }
-    Ok(())
-}
-
-#[update(guard = "require_authenticated")]
-fn protected_action() -> String {
-    "ok".to_string()
+// Let pk be the public key of a principal that is allowed to perform
+// this operation. This pk could be stored in the canister's state.
+if caller() != Principal::self_authenticating(pk) {  ic_cdk::trap(...) }
+
+// Alternatively, if the canister keeps data for different principals
+// in e.g., a map such as BTreeMap<Principal, UserData>, then the canister
+// must ensure that each caller can only access and perform operations
+// on their own data:
+if let Some(user_data) = user_data_store.get_mut(&caller()) {
+    // perform operations on the user's data
 }
 ```
+- In Rust, the `ic_cdk` crate can be used to authenticate the caller using `ic_cdk::api::caller`. Make sure the returned principal is of type `Principal::self_authenticating` and identify the user's account using the public key of that principal. See the example code above.
 
-The Rust `guard` attribute runs the check before the method body executes. If the guard returns `Err`, the call is rejected. This is more robust than calling guard functions inside the method: you cannot forget to add it. Multiple guards can be chained:
+- Do authentication as early as possible in the call to avoid unauthenticated actions and potentially expensive operations before authentication. It is also a good idea to [deny service to anonymous users](#disallow-the-anonymous-principal-in-authenticated-calls).
 
-```rust
-#[update(guard = "require_authenticated", guard = "require_admin")]
-fn admin_action() {
-    // both guards passed
-}
-```
+- Do not rely on authentication performed during [ingress message inspection](#do-not-rely-on-ingress-message-inspection).
 
-</TabItem>
-</Tabs>
-
-## Owner and role-based access control
-
-There is no built-in role system on ICP. You implement it yourself by tracking principals in your canister state.
-
-<Tabs syncKey="lang">
-<TabItem label="Motoko">
-
-The `shared(msg)` pattern on an actor class captures the deployer's principal atomically. No separate init call, no front-running risk. Use `transient` for the owner since it gets recomputed from `msg.caller` on each install/upgrade.
-
-```motoko
-import Principal "mo:core/Principal";
-import Set "mo:core/pure/Set";
-import Runtime "mo:core/Runtime";
-
-shared(msg) persistent actor class MyCanister() {
-
-  transient let owner = msg.caller;
-  var admins : Set.Set<Principal> = Set.empty();
-
-  func requireOwner(caller : Principal) {
-    if (Principal.isAnonymous(caller)) {
-      Runtime.trap("anonymous caller not allowed");
-    };
-    if (caller != owner) {
-      Runtime.trap("caller is not the owner");
-    };
-  };
-
-  func requireAdmin(caller : Principal) {
-    if (Principal.isAnonymous(caller)) {
-      Runtime.trap("anonymous caller not allowed");
-    };
-    if (caller != owner and not Set.contains(admins, Principal.compare, caller)) {
-      Runtime.trap("caller is not an admin");
-    };
-  };
-
-  public shared ({ caller }) func addAdmin(newAdmin : Principal) : async () {
-    requireOwner(caller);
-    admins := Set.add(admins, Principal.compare, newAdmin);
-  };
-
-  public shared ({ caller }) func removeAdmin(admin : Principal) : async () {
-    requireOwner(caller);
-    admins := Set.remove(admins, Principal.compare, admin);
-  };
-
-  public shared ({ caller }) func adminAction() : async () {
-    requireAdmin(caller);
-    // ... protected logic
-  };
-};
-```
+## Disallow the anonymous principal in authenticated calls
 
-</TabItem>
-<TabItem label="Rust">
+### Security concern
 
-```rust
-use ic_cdk::{init, update};
-use ic_cdk::api::msg_caller;
-use candid::Principal;
-use std::cell::RefCell;
-
-thread_local! {
-    static OWNER: RefCell<Principal> = RefCell::new(Principal::anonymous());
-    static ADMINS: RefCell<Vec<Principal>> = RefCell::new(vec![]);
-}
+The caller from the system API (e.g., `ic0::api::caller` in Rust) may also return `Principal::anonymous()`. In authenticated calls, this is probably undesired and could have security implications since this would behave like a shared account for anyone that does unauthenticated calls.
 
-fn require_authenticated() -> Result<(), String> {
-    if msg_caller() == Principal::anonymous() {
-        return Err("anonymous caller not allowed".to_string());
-    }
-    Ok(())
-}
+### Recommendation
 
-fn require_owner() -> Result<(), String> {
-    require_authenticated()?;
-    OWNER.with(|o| {
-        if msg_caller() != *o.borrow() {
-            return Err("caller is not the owner".to_string());
-        }
-        Ok(())
-    })
-}
-
-fn require_admin() -> Result<(), String> {
-    require_authenticated()?;
-    let caller = msg_caller();
-    let is_authorized = OWNER.with(|o| caller == *o.borrow())
-        || ADMINS.with(|a| a.borrow().contains(&caller));
-    if !is_authorized {
-        return Err("caller is not an admin".to_string());
+In authenticated calls, make sure the caller is not anonymous and return an error or trap if it is. This could be done centrally by using a helper method. An example in Rust can be found below:
+```rust
+fn caller() -> Result<Principal, String> {
+    let caller = ic0::api::caller();
+    // The anonymous principal is not allowed to interact with the canister.
+    if caller == Principal::anonymous() {
+        Err(String::from(
+            "Anonymous principal not allowed to make calls.",
+        ))
+    } else {
+        Ok(caller)
     }
-    Ok(())
-}
-
-#[init]
-fn init(owner: Principal) {
-    OWNER.with(|o| *o.borrow_mut() = owner);
-}
-// Unlike Motoko's shared(msg) pattern which captures the deployer automatically,
-// the Rust #[init] requires passing the owner explicitly at deploy time:
-//   icp canister deploy backend --argument '(principal "your-principal-here")'
-
-#[update(guard = "require_owner")]
-fn add_admin(new_admin: Principal) {
-    ADMINS.with(|a| a.borrow_mut().push(new_admin));
-}
-
-#[update(guard = "require_owner")]
-fn remove_admin(admin: Principal) {
-    ADMINS.with(|a| a.borrow_mut().retain(|p| p != &admin));
-}
-
-#[update(guard = "require_admin")]
-fn admin_action() {
-    // ... protected logic: guard already validated caller
 }
 ```
 
-</TabItem>
-</Tabs>
+## Do not rely on ingress message inspection
 
-Always include admin revocation (`removeAdmin`). Missing revocation is a common source of bugs: once granted, admin access should be removable.
+### Security concern
 
-## Controller checks
+The correct execution of [`canister_inspect_message`](../../references/ic-interface-spec/canister-interface.md#system-api-inspect-message) is not guaranteed because it is executed by a single node, and if that node is malicious, it can simply skip this check. In that case the update call would be executed without any message inspection checks.
 
-Controllers are the principals authorized to manage a canister (install code, change settings, stop/delete). The controller list is managed at the IC level, not inside your canister code.
+Also note that for inter-canister calls, `canister_inspect_message` is not invoked.
 
-<Tabs syncKey="lang">
-<TabItem label="Motoko">
+### Recommendation
 
-**Motoko** provides `Principal.isController` to check if a principal is a controller of the current canister:
+Your canisters should not rely on the correct execution of `canister_inspect_message`. This in particular means that no security-critical code, such as [access control checks](#make-sure-specific-user-actions-require-authentication), should be solely performed in that method. Such checks **must** be performed as part of an update method to guarantee reliable execution. Ideally, they are executed both in the `canister_inspect_message` function and a guard function.
 
-```motoko
-import Principal "mo:core/Principal";
-import Runtime "mo:core/Runtime";
+## Use a well-audited authentication service and client-side ICP libraries
 
-// Inside persistent actor { ... }
+### Security concern
 
-  public shared ({ caller }) func controllerOnly() : async () {
-    if (not Principal.isController(caller)) {
-      Runtime.trap("caller is not a controller");
-    };
-    // ...
-  };
-```
+Implementing user authentication and canister calls yourself in your web app is error-prone and risky. For example, if canister calls are implemented from scratch, there may be bugs around signature creation or verification.
 
-</TabItem>
-<TabItem label="Rust">
+### Recommendation
 
-In Rust, there is no built-in `is_controller` function: checking controllers requires an async call to the management canister. See [inter-canister calls](../canister-calls/inter-canister-calls.md#making-calls) for inter-canister call patterns.
+-   Consider using an identity provider such as [Internet Identity](https://github.com/dfinity/internet-identity) for authentication, and use the ICP JavaScript agent for making canister calls.
 
-</TabItem>
-</Tabs>
+-   You may consider alternative authentication frameworks on ICP for authentication.
 
-**Managing controllers with icp-cli:**
+## Set an appropriate session timeout
 
-```bash
-# View current canister settings including controllers
-icp canister settings show backend -e ic
+### Security concern
 
-# Add a backup controller
-icp canister settings update backend --add-controller <backup-principal> -e ic
+Currently, Internet Identity issues delegations with an expiry time. This expiry time can be set in the auth-client. After a delegation expires, the user has to re-authenticate. Setting a good value is a trade-off between security and usability.
 
-# Remove a controller (warning: removing yourself locks you out)
-icp canister settings update backend --remove-controller <principal> -e ic
-```
+### Recommendation
 
-Always add a backup controller. If you lose the private key of the only controller, the canister becomes permanently unupgradeable: there is no recovery mechanism.
+See the [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration). A timeout of 30 minutes should be set for security-sensitive applications.
 
-## `canister_inspect_message`: cycle optimization only
+The auth-client supports [idle timeouts](https://github.com/dfinity/agent-js/tree/main/packages/auth-client#idle-management).
 
-`canister_inspect_message` is a hook that runs on a single replica before consensus. It can reject ingress messages early to save cycles on Candid decoding and execution. However, it is **not a security boundary**:
+## Don't use fetchRootKey in the ICP JavaScript agent in production
 
-- It runs on one node without consensus: a malicious boundary node can bypass it
-- It is never called for inter-canister calls, query calls, or management canister calls
+### Security concern
 
-Always duplicate real access checks inside each method. Use `inspect_message` only to reduce cycle waste from spam.
+`agent.fetchRootKey()` can be used in the ICP JavaScript agent to fetch the root subnet threshold public key from a status call in test environments. This key is used to verify threshold signatures on certified data received through canister update calls. Using this method in a production web app gives an attacker the option to supply their own public key, invalidating all authenticity guarantees of update responses.
 
-<Tabs syncKey="lang">
-<TabItem label="Motoko">
+### Recommendation
 
-```motoko
-import Principal "mo:core/Principal";
+Never use `agent.fetchRootKey()` in production builds, only in test builds. Not calling this method will result in the hardcoded root subnet public key of the mainnet being used for signature verification, which is the desired behavior in production.
 
-// Inside persistent actor { ... }
-// Method variants must match your public methods
+## Integrating Internet Identity on mobile devices
 
-  system func inspect(
-    {
-      caller : Principal;
-      msg : {
-        #adminAction : () -> ();
-        #addAdmin : () -> Principal;
-        #removeAdmin : () -> Principal;
-        #protectedAction : () -> ();
-      }
-    }
-  ) : Bool {
-    switch (msg) {
-      case (#adminAction _) { not Principal.isAnonymous(caller) };
-      case (#addAdmin _) { not Principal.isAnonymous(caller) };
-      case (#removeAdmin _) { not Principal.isAnonymous(caller) };
-      case (#protectedAction _) { not Principal.isAnonymous(caller) };
-      case (_) { true };
-    };
-  };
-```
-
-</TabItem>
-<TabItem label="Rust">
+A [short presentation](https://www.youtube.com/watch?v=iRmpCkzC6iI&t=1863s) can be found as part of the November 2024 global R&D.
 
-```rust
-use ic_cdk::api::{accept_message, msg_caller, msg_method_name};
-use candid::Principal;
-
-#[ic_cdk::inspect_message]
-fn inspect_message() {
-    let method = msg_method_name();
-    match method.as_str() {
-        "admin_action" | "add_admin" | "remove_admin" | "protected_action" => {
-            if msg_caller() != Principal::anonymous() {
-                accept_message();
-            }
-            // Silently reject anonymous: saves cycles
-        }
-        _ => accept_message(),
-    }
-}
-```
+### Security concern
 
-</TabItem>
-</Tabs>
+Internet Identity has a standardized way for web applications to request authentication of a user. This [client authentication protocol](../../references/internet-identity-spec.md#client-authentication-protocol) allows a client dapp frontend to obtain a delegation signed by the Internet Identity for a locally generated session key pair. Using this delegation in combination with the session key allows the dapp frontend to make authenticated calls towards the backend canister. Such calls need to be digitally signed by the session private key. The IC will verify the signature and verify if there is a delegation (or chain of delegations) from the II key to the session public key.
 
-## Debugging identity
+The II client authentication protocol leverages the browser's `postMessage` API to communicate between the client origin and the II origin. This protocol allows II to authenticate the origin of the authorization request using the hostname.
 
-When troubleshooting access control issues, it helps to know which principal your canister sees. A simple `whoami` endpoint returns the caller's identity:
+:::note
+As part of the client authentication protocol, a dapp can specify an alternative origin by following the [alternative frontend origins](../../references/internet-identity-spec.md#alternative-frontend-origins) requirements.
+:::
 
-<Tabs syncKey="lang">
-<TabItem label="Motoko">
+Upon successful authentication, II will return a delegation for the principal derived from the users' II for the specific frontend origin. This serves two purposes. First, a client dapp can't use this delegation on other dapps to impersonate the user. Second, multiple client dapps can't correlate user behavior across dapps, thereby reducing privacy. A dapp with a different frontend origin won't be able to request authentication for your dapp, which provides protection against certain phishing attacks.
 
-```motoko
-// Inside persistent actor { ... }
+When integrating a mobile application with II, the implementation is not straightforward since a mobile app can't call the `postMessage` API. It is tempting to create a simple "proxy" web frontend served by the dapp as shown in the sequence diagram below. The mobile application can load this proxy to complete the normal II authorization flow. Upon completion, this proxy web app provides the delegation back to the mobile app.
 
-  public shared ({ caller }) func whoami() : async Principal {
-    caller;
-  };
+**Naive implementation sequence diagram:**
+```mermaid
+sequenceDiagram
+    actor U as User
+    participant MA as Mobile App
+    participant PWA as Proxy web app
+    participant II_FE as II Front-end
+    participant II_BE as II Back-end
+    participant BE as Back-end
+    activate U
+    U -> MA : 1. Login
+    activate MA
+    MA ->> MA : 2. Generate session key pair
+    activate PWA
+    MA ->> PWA: 3. Load /?sessionPublicKey=<br/><SessionPublicKey>
+    activate II_FE
+    PWA ->> II_FE: 4. Standard II client auth protocol
+    Note over PWA,II_FE: II will create a delegation for the session<br/>key generated by the mobile application.
+    U ->> II_FE: 5. Authenticate with passkey
+    activate II_BE
+    II_FE ->> II_BE: 6. getDelegation(frontEndHostname)
+    II_BE -->> II_FE: 7. <<delegation>>
+    Note over II_BE,II_FE: Delegation can leak through<br/> replica or boundary nodes
+    deactivate II_BE
+    II_FE -->> PWA: 8. Return the delegation<br/>using postMessage API
+    deactivate II_FE
+    PWA -->> MA: 9. Return the delegation
+    Note over PWA,MA: Delegation can leak through<br/> insecure return mechanism
+    deactivate PWA
+    U ->> MA: 10. Authenticated call
+    activate BE
+    MA ->> BE: 11. Update call using the delegation
+    Note over II_BE,BE: Delegation can leak through<br/> replica or boundary nodes
+    BE -->> MA: <<Response>>
+    deactivate BE
+    deactivate MA
+    deactivate U
 ```
 
-</TabItem>
-<TabItem label="Rust">
-
-```rust
-use ic_cdk::query;
-use ic_cdk::api::msg_caller;
-use candid::Principal;
-
-#[query]
-fn whoami() -> Principal {
-    msg_caller()
-}
+However, without any precautions, this proxy would happily accept malicious requests to authenticate the user and might return the delegation back to an attacker.
+
+Such an attack would start by phishing the user by means of a malicious mobile or web application. The user is asked to authenticate through II. However, instead of using II directly, the attacker abuses the open proxy to authenticate the user for the dapp, under which the vulnerable proxy is running. The attacker would generate a session key and ask the proxy to use the session public key in the II authentication protocol. Through this method, II issues a signed delegation for the user's II derived for the frontend origin of the proxy. This delegation could leak to the attacker, who can use it to impersonate the user. For example, if the attacker can trick the proxy to redirect to the malicious application (e.g., by registering Android deep links or iOS custom schemes), it could directly obtain the delegation. Furthermore, the delegation could leak through an insecure communication channel between the proxy and the mobile app or through observation of the IC state.
+
+The attack requires four conditions:
+1. An attacker can provide a session key to be used in the II client authentication protocol.
+2. The client authentication protocol is initiated for a target frontend hostname.
+3. The user completes the II authentication protocol.
+4. The attacker can obtain the delegation, which is signed by the II canister.
+
+Conditions 1, 2, and 3 can be satisfied by convincing the user to initiate an authentication flow with a session public key that is chosen by the attacker by loading the proxy from an attacker-controlled mobile or web application. Concretely, an attacker would execute a phishing attack where a victim is directed to the proxy from an unsuspicious application. For example, the victim is convinced that the attacker is issuing an airdrop. The victim has to download a corresponding malicious mobile app that requires II authentication. This malicious mobile app would load the proxy (step 3) similarly to how the legitimate mobile app would. The malicious app would ask the proxy to authenticate the user for an Condition 2 is met for any dapp that exposes such an open II authentication proxy on their domain. session key. The victim might not realize they are completing an authorization flow for a different dapp origin.
+
+Condition 4 can be satisfied by controlling a replica or boundary node that can observe the delegation in step 7. Alternatively, the delegation could leak in step 9 by using an HTTP GET parameter in a URI pointing to the IC. In such cases, if the mobile app that should receive the URI isn't installed, the browser loads the web app by making a request to the URI. Boundary and replica nodes would again receive the delegation as part of the URI. Condition 4 can also be met if the mobile app issues a request to the IC in step 11 without verifying the delegation obtained in step 9.
+
+Finally, condition 4 can also be satisfied if the delegation is returned insecurely from the proxy frontend to the mobile app. For example, by using Android deep links or iOS custom schemes, which can be intercepted by a malicious app.
+
+### Recommendation
+
+In the standard integration between a client web app and the II web frontend, the origin of the client is verified **before** starting the client authentication protocol. Unfortunately, loading the URI of the proxy app in step 3 does not provide any information about the mobile application. Therefore, the proxy frontend is unable to authenticate the client. This creates an open endpoint for attackers to use, as described in the previous section.
+
+This risk can be addressed by adopting the following remediations shown in the sequence diagram and explained further below.
+
+**Secure integration sequence diagram:**
+```mermaid
+sequenceDiagram
+    actor U as User
+    participant MA as Mobile App
+    participant PWA as Secure Proxy web app
+    participant II_FE as II Front-end
+    participant II_BE as II Back-end
+    participant BE as Back-end
+
+    activate U
+    U -> MA : 1. Login
+    activate MA
+    MA ->> MA : 2. Generate session key pair
+    activate PWA
+    MA ->> PWA: 3. Load /?sessionPublicKey=<br/><SessionPublicKey>
+    PWA ->> PWA: 4. Generate intermediate session key
+    Note over PWA: This key never<br/>leaves the proxy<br/>front-end
+    activate II_FE
+    PWA ->> II_FE: 5. Standard II client auth protocol<br/>using intermediate session key
+    Note over PWA,II_FE: II will create a delegation for the<br/>intermediate key and not for the attacker<br/>chosen session key.
+    U ->> II_FE: 6. Authenticate with passkey
+    activate II_BE
+    II_FE ->> II_BE: 7. getDelegation(frontEndHostname)
+    II_BE -->> II_FE: 8. <<delegation>>
+    II_FE ->> II_FE: 9. Construct the delegation chain
+    Note over II_FE: The proxy front-end creates a<br/>delegation from the intermediate<br/> key to the mobile app session key<br/>and combines it with the<br/>delegation from the II canister key<br/>to the intermediate key.
+    II_FE -->> PWA: 10. Return the delegation<br/>using the postMessage API
+    deactivate II_FE
+    PWA -->> MA: 11. Return the delegation chain using<br/>an app link (Android)<br/>or universal link (iOS)<br/>as part of the fragment<br/>using associated domains
+    Note over MA,PWA: Protect the delegation chain<br/>from being leaked to the web<br/> server by using a URI fragment<br/>instead of a GET parameter.
+    MA ->> MA: 12 Verify the delegation chain<br/>against the session<br/>key from step 2
+    Note over MA: Verify the delegation chain before using it<br/> to avoid leaking a delegation with an<br/>attacker controlled session key to the IC
+MA -->> U: <<Success>>
+    U ->> MA: 13. Authenticated call
+    activate BE
+    MA ->> BE: 14. Update call using the verified delegation chain
+    BE -->> MA: <<Response>>
+    deactivate BE
+    deactivate MA
+    deactivate U
 ```
 
-</TabItem>
-</Tabs>
-
-Call it to verify which identity is being used:
+* Introduce an intermediate session key that is generated and stored by the web app proxy frontend.
+* Initiate the II client authentication protocol using this intermediate session key. By using a new session key that the attacker can't control, the delegation issued by II would no longer be usable by the attacker if it were stolen in step 8, as the attacker doesn't have access to the intermediate session private key.
+* [Create a delegation chain](../../references/ic-interface-spec/https-interface.md#authentication) to allow the mobile application to use their session key. The delegation chain consists of two delegations as shown in the figure below. The first one delegates from the II canister key to the intermediate key and is generated by the II canister. The second one delegates from the intermediate key to the mobile app public key and is signed by the proxy frontend's intermediate session private key. Note, this means the intermediate key can impersonate the user. Since the proxy frontend is served from the IC, it can be trusted to handle this key properly. It is up to the developer to ensure the confidentiality of this key. For example, using the WebCrypto API to create unextractable keys as is used internally by the ICP JavaScript agent. Ideally, this intermediate key is short-lived to reduce the risk of exposure.
 
-```bash
-icp canister call backend whoami
-```
+![Delegation Chain](/img/docs/security/ii_mobile_delegation_chain.png)
+* Return the delegation chain to the mobile app using [app links](https://developer.android.com/training/app-links) on Android and [universal links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) on iOS. These mechanisms bind the domain name/hostname to the mobile app, which prevents an attacker from using a malicious mobile app to receive the delegation chain. The domain-to-mobile app binding occurs through a JSON file that has to be hosted under the `/.well-known` directory of your web application. See [iOS](https://developer.apple.com/documentation/xcode/supporting-associated-domains)
+and [Android](https://developer.android.com/training/app-links/verify-android-applinks) documentation for details.
+* Return the delegation chain to the mobile app using a [URI fragment](https://www.w3.org/DesignIssues/Fragment.html) (everything following the # in the URI). The browser will load the URI if the mobile app linked to the app/universal link isn't installed on the mobile device. The benefit of URI fragments is that they are not included in the request to the server if the browser were to resolve the URI. A URL parameter or path would be included in such a request, and therefore it would leak the delegation chain to the proxy app backend (most likely the IC boundary and replica nodes). A URI fragment is still available to the mobile app for extraction.
+* Verify the delegation chain in the mobile application before using it in an IC message. The mobile application likely uses an agent that does not verify whether the session key generated in step 2 corresponds to the delegation found in the delegation chain returned in step 11. Using such an agent to make a signed update call would simply create a message with the provided delegation chain and sign it with a mismatching key. Obviously, the IC would reject such a message as the signature does not correspond to the delegation chain, but the delegation chain would already have leaked to the boundary and potentially replica nodes where an attacker could steal it.
+* Optionally, the proxy frontend could explicitly warn the user that it is about to sign in with II for your dapp. It could include the dapp's name and logo. This might alarm the user who is being phished since the pretense used by the attacker would likely not match with the purpose of your dapp. For example, the attacker claims the authentication is required as part of an airdrop while you are running an unrelated decentralized exchange. When the proxy dapp is opened, the user would see your dapp's logo and abort the sign-in.
 
-## Next steps
+For more information, view an [example implementation in the form of a Unity app](https://github.com/dfinity/examples/tree/main/native-apps/unity_ii_deeplink). The following pieces of that codebase are most important:
 
-- [Security concepts](../../concepts/security.md): understand the IC security model
-- [Canister settings](../canister-management/settings.md): configure controllers and freezing thresholds
-- [DoS prevention](dos-prevention.md): rate limiting as an access control mechanism
+* Generation of the intermediate session key [in index.js](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L25).
+* [Authentication using the intermediate session key](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L26-L36) instead of the mobile app public key.
+* [Generating the delegation chain](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L48-L57) by combining the delegation obtained from II with a delegation created by the frontend.
+* [Returning the delegation chain using an applink/universal link](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L71).
+* Returning the delegation chain [using a URI fragment](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L73).
+* The example is currently being improved whereby the delegation chain will also be verified in the mobile app before using it.
 
-{/* Upstream: informed by dfinity/icskills (skills/canister-security/SKILL.md, dfinity/portal) docs/building-apps/best-practices/general.mdx */}
+{/* Upstream: dfinity/portal — building-apps/security/iam.mdx */}
diff --git a/docs/guides/security/canister-upgrades.md b/docs/guides/security/canister-upgrades.md
index 7e8ba7a..d5323c0 100644
--- a/docs/guides/security/canister-upgrades.md
+++ b/docs/guides/security/canister-upgrades.md
@@ -1,350 +1,52 @@
 ---
-title: "Secure Upgrades"
-description: "Upgrade canisters safely: pre/post hooks, stable memory, Candid compatibility, snapshot rollbacks, schema evolution, and testing"
+title: "Security Best Practices: Canister Upgrades"
+description: "Security best practices for canister upgrade hooks, panics during upgrades, and timer reinstatement."
 sidebar:
-  order: 2
+  order: 9
 ---
 
-Canister upgrades are one of the highest-risk operations in production. A bad upgrade can corrupt state, make the canister permanently non-upgradeable, or break clients. This guide covers the patterns and checks you need to upgrade safely.
+## Be careful with panics during upgrades
 
-## Checklist
+### Security concern
 
-Use this before every production upgrade:
+If a canister traps or panics in `pre_upgrade`, this can lead to permanently blocking the canister, resulting in a situation where upgrades fail or are no longer possible at all.
 
-- [ ] Take a snapshot immediately before upgrading
-- [ ] Run the upgrade locally first with `icp deploy`
-- [ ] Verify data survives: write → upgrade → read
-- [ ] Check Candid interface compatibility. No removed methods, no breaking type changes
-- [ ] Avoid `pre_upgrade` hooks that serialize large state (use stable structures instead)
-- [ ] In Motoko, use `persistent actor` (which eliminates the need for pre_upgrade hooks): avoid manual `pre_upgrade`/`post_upgrade`
-- [ ] Confirm you have a backup controller (cannot recover from a trapped `post_upgrade` without one)
-- [ ] Add a rollback plan: snapshot ID recorded, restore procedure tested
+### Recommendation
 
-## How upgrades work
+- Avoid using `pre_upgrade` hooks if possible. Panics in the `pre_upgrade` hook prevent upgrades, and since the `pre_upgrade` hook is controlled by the old code, it can permanently block upgrading.
 
-When you run `icp deploy` on an existing canister, the IC executes the following sequence:
+- Panic in the `post_upgrade` hook if the state is invalid so that one can retry the upgrade and try to fix the invalid state. Panics in the `post_upgrade` hook abort the upgrade, but one can retry with new code.
 
-1. **Stop** the canister (waits for in-flight messages to complete)
-2. Run `pre_upgrade` on the old code (if defined)
-3. Replace the Wasm module with the new code
-4. Run `post_upgrade` on the new code (if defined)
-5. **Restart** the canister
+- [Test the upgrade hooks](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
 
-Stable memory is preserved through steps 2–4. Heap memory is cleared when the new Wasm loads. If `pre_upgrade` or `post_upgrade` traps, the upgrade fails with different consequences:
+- See also the section on upgrades in [how to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister) (though focused on Motoko).
 
-| Hook | Trap result |
-|------|-------------|
-| `pre_upgrade` | Upgrade cancelled. Old code still running. State intact but may need attention. |
-| `post_upgrade` | New Wasm installed but initialization failed. Canister may be in an inconsistent state. |
+- See [current limitations of the Internet Computer](https://wiki.internetcomputer.org/wiki/Current_limitations_of_the_Internet_Computer), section "Bugs in `pre_upgrade` hooks."
 
-Both scenarios leave the canister in a difficult state. Prevention is far better than recovery.
+## Reinstantiate timers during upgrades
 
-## Stable memory patterns
+### Security concern
 
-### Motoko: use `persistent actor`
+Global timers are deactivated upon changes to the canister's Wasm module. The [IC specification](../../references/ic-interface-spec/canister-interface.md#global-timer) states this as follows:
 
-The `persistent actor` declaration automatically stores all `let` and `var` fields in stable memory. No serialization, no upgrade hooks, no instruction-limit traps.
+> "The timer is also deactivated upon changes to the canister's Wasm module (calling install_code or uninstall_code methods of the management canister or if the canister runs out of cycles). In particular, the function canister_global_timer won't be scheduled again unless the canister sets the global timer again (using the System API function ic0.global_timer_set)."
 
-```motoko
-persistent actor Counter {
-  var count : Nat = 0;
+Upgrade is a mode of `install_code`, and hence the timers are deactivated during an upgrade.
 
-  public func increment() : async Nat {
-    count += 1;
-    count;
-  };
+This could result in a vulnerability in certain cases where security controls or other critical features rely on these timers to function. For example, a DEX that relies on timers to update the exchange rates of currencies could be vulnerable to arbitraging opportunities if the rates are no longer updated.
 
-  public query func get() : async Nat { count };
+Since global timers are used internally by the Motoko `Timer` mechanism, the same holds true for the Motoko Timer. As explained in the [pull request](https://github.com/dfinity/motoko/pull/3542) under "The upgrade story," the global timer gets discarded on upgrade, and the timers need to be set up in the `post_upgrade` hook.
 
-  // transient: resets to [] on each upgrade: correct for caches, transient logs, and reset-on-upgrade counters
-  transient var recentCallers : [Principal] = [];
-};
-```
+This behavior is different when [using Motoko](https://github.com/dfinity/motoko/pull/3542) and implementing `system func timer`. The `timer` function will be called after an upgrade. In case your canister was using timers for recurring tasks, the `timer` function would likely set the global timer again for a later time. However, the time between invocations of `timer` would not be consistent as the upgrade triggered an "unexpected" call to `timer`.
 
-**Key rules:**
+Using the Rust CDK, the recurring timer is also lost on upgrade as explained in the API documentation of [set_timer_interval](https://docs.rs/ic-cdk/0.6.9/ic_cdk/timer/fn.set_timer_interval.html).
 
-- All `let`/`var` fields persist automatically. No `stable` keyword needed
-- `transient var` for caches or counters that should reset on upgrade
-- Do not write manual `pre_upgrade`/`post_upgrade` hooks. The runtime handles everything
-- If a persistent field's type changes incompatibly, the upgrade traps. See [Schema evolution](#schema-evolution).
+### Recommendation
 
-### Rust: use stable structures
+- In Motoko canisters, global timers should be set up in the actor initializer for canister installation or reinstallation. Canister-wide timers should be set in the `post_upgrade` hook for upgrades, as timers do not survive upgrades and must be explicitly set up thereafter.
 
-In Rust, use [`ic-stable-structures`](https://docs.rs/ic-stable-structures/latest/ic_stable_structures/) to store data directly in stable memory. Data lives there from the start. No serialization step on upgrade.
+- See the Motoko documentation on [timers](../../languages/motoko/icp-features/timers.md).
 
-```rust
-use ic_stable_structures::{
-    memory_manager::{MemoryId, MemoryManager, VirtualMemory},
-    DefaultMemoryImpl, StableBTreeMap, StableCell,
-};
-use std::cell::RefCell;
+- See the Rust documentation on [set_timer_interval](https://docs.rs/ic-cdk/0.6.9/ic_cdk/timer/fn.set_timer_interval.html).
 
-type Memory = VirtualMemory<DefaultMemoryImpl>;
-
-// Each structure must have its own unique MemoryId: never reuse IDs
-const USERS_MEM_ID: MemoryId = MemoryId::new(0);
-const COUNTER_MEM_ID: MemoryId = MemoryId::new(1);
-
-thread_local! {
-    static MEMORY_MANAGER: RefCell<MemoryManager<DefaultMemoryImpl>> =
-        RefCell::new(MemoryManager::init(DefaultMemoryImpl::default()));
-
-    static USERS: RefCell<StableBTreeMap<u64, Vec<u8>, Memory>> =
-        RefCell::new(StableBTreeMap::init(
-            MEMORY_MANAGER.with(|m| m.borrow().get(USERS_MEM_ID))
-        ));
-
-    static COUNTER: RefCell<StableCell<u64, Memory>> =
-        RefCell::new(StableCell::init(
-            MEMORY_MANAGER.with(|m| m.borrow().get(COUNTER_MEM_ID)),
-            0u64,
-        ).expect("Failed to init counter"));
-}
-
-#[ic_cdk::post_upgrade]
-fn post_upgrade() {
-    // Stable structures auto-restore: no deserialization needed.
-    // Re-initialize timers or transient state here if required.
-}
-```
-
-> **Warning:** Each `MemoryId` must map to exactly one data structure for the lifetime of the canister. Reusing a `MemoryId` for a different structure after an upgrade corrupts both. Keep a written record of your `MemoryId` allocations and never reorder them.
-
-### Avoid `pre_upgrade` serialization
-
-The serialization-based upgrade pattern is common in older Rust code but is fundamentally fragile:
-
-```rust
-// DO NOT DO THIS in production
-#[ic_cdk::pre_upgrade]
-fn pre_upgrade() {
-    // If STATE is large, this hits the instruction limit and traps.
-    // A trapped pre_upgrade prevents the upgrade: canister stays on old code.
-    ic_cdk::storage::stable_save((STATE.with(|s| s.borrow().clone()),)).unwrap();
-}
-```
-
-When `pre_upgrade` traps due to instruction exhaustion, the canister cannot be upgraded. The `skip_pre_upgrade` flag (an emergency escape hatch via the management canister's `install_code` API (see [Management canister reference](../../references/management-canister.md#install_code)) bypasses the hook) but anything the hook would have saved is lost. Use stable structures so the upgrade path cannot brick itself under load.
-
-## Candid interface compatibility
-
-The IC checks your new Wasm module's Candid interface against the old one before completing the upgrade. If the new interface is not backward-compatible, the upgrade is rejected.
-
-**Safe changes:**
-
-| Change | Why it is safe |
-|--------|---------------|
-| Add a new method | Existing clients don't call it |
-| Add optional parameters to an existing method | Old clients send no value; IC substitutes `null` |
-| Remove trailing parameters from an existing method | Old clients send extra values; IC ignores them |
-| Return additional values from a method | Old clients ignore extra return values |
-| Change a parameter type to a supertype | Old values remain valid inputs |
-| Change a return type to a subtype | New values remain valid for old clients |
-
-**Breaking changes (upgrade rejected or clients break):**
-
-| Change | Why it breaks |
-|--------|--------------|
-| Remove a method | Clients calling it get errors |
-| Add a required (non-optional) parameter | Old clients don't send it |
-| Change a parameter type to an incompatible type | Old clients send invalid values |
-
-**Example: safe evolution:**
-
-```candid
-// Before
-service counter : {
-  add : (nat) -> ();
-  get : () -> (int) query;
-}
-
-// After: safe: optional param added, new return value, new method
-service counter : {
-  add : (nat, label : opt text) -> (new_val : nat);
-  get : () -> (nat, last_change : nat) query;
-  reset : () -> ();
-}
-```
-
-icp-cli checks Candid compatibility during deploy and prompts for confirmation if it detects a potentially breaking change. Use `--yes` in automated pipelines after manually verifying compatibility:
-
-```bash
-icp deploy my-canister -e ic --yes
-```
-
-## Snapshot-based rollback
-
-Always take a snapshot immediately before a risky upgrade. If the upgrade causes unexpected behavior, you can restore the previous state within minutes.
-
-```bash
-# 1. Stop the canister and create a snapshot
-icp canister stop my-canister -e ic
-icp canister snapshot create my-canister -e ic
-# Note the snapshot ID printed in the output
-icp canister start my-canister -e ic
-
-# 2. Deploy the upgrade
-icp deploy my-canister -e ic
-
-# 3. Verify correctness
-icp canister call my-canister health_check -e ic
-
-# 4a. If everything works, clean up when no longer needed
-icp canister snapshot delete my-canister <snapshot-id> -e ic
-
-# 4b. If something is wrong, stop and restore
-icp canister stop my-canister -e ic
-icp canister snapshot restore my-canister <snapshot-id> -e ic
-icp canister start my-canister -e ic
-```
-
-Snapshots capture the full canister state: Wasm module, Wasm heap memory, stable memory, and chunk store. Restoring from a snapshot brings back all of this state atomically.
-
-See [Canister snapshots](../canister-management/snapshots.md) for listing, downloading, and the state transfer workflow.
-
-## Schema evolution
-
-Upgrading canister code sometimes requires changing the shape of stored data. The rules differ by language.
-
-### Motoko
-
-When upgrading a `persistent actor`, the runtime checks that every persistent field's current type is compatible with the value stored in stable memory. Incompatible changes cause the upgrade to trap.
-
-**Safe changes:**
-
-- Add new `let` or `var` fields with initial values. The runtime initializes them on upgrade
-- Add optional record fields (e.g., change `{ name : Text }` to `{ name : Text; email : ?Text }`)
-- Widen a field's type (e.g., `Nat` → `Int`)
-
-**Unsafe changes (upgrade traps):**
-
-- Remove or rename a persistent field
-- Narrow a field's type (e.g., `Int` → `Nat`)
-- Change a non-optional field to an incompatible type
-
-If you need to make an unsafe change, migrate the data in two upgrades: add the new field alongside the old one, upgrade once (both fields present), then upgrade again to remove the old field. Test this two-step process locally before deploying to mainnet.
-
-### Rust
-
-Rust stable structures use serialized bytes on disk. Schema evolution safety depends on the serialization format and versioning strategy.
-
-**Adding fields safely with Candid encoding:**
-
-```rust
-use candid::{CandidType, Decode, Deserialize, Encode};
-use ic_stable_structures::storable::{Bound, Storable};
-use std::borrow::Cow;
-
-#[derive(CandidType, Deserialize, Clone)]
-struct UserV2 {
-    id: u64,
-    name: String,
-    created: u64,
-    // New optional field: safe to add: old records deserialize with None
-    email: Option<String>,
-}
-
-impl Storable for UserV2 {
-    // Unbounded avoids write failures when struct grows.
-    // Bounded requires a fixed max_size; if encoded size exceeds it after
-    // adding fields, writes trap.
-    const BOUND: Bound = Bound::Unbounded;
-
-    fn to_bytes(&self) -> Cow<'_, [u8]> {
-        Cow::Owned(Encode!(self).expect("failed to encode UserV2"))
-    }
-
-    fn from_bytes(bytes: Cow<'_, [u8]>) -> Self {
-        Decode!(&bytes, Self).expect("failed to decode UserV2")
-    }
-}
-```
-
-**Rules:**
-
-- Use `Option<T>` for new fields: Candid deserializes absent fields as `None`, so old records remain readable after the upgrade
-- Use `Bound::Unbounded` unless you have a strict size requirement
-- Never reorder `MemoryId` allocations across upgrades: same effect as changing a field type
-- For breaking schema changes, use a versioned enum and migrate records lazily on read
-
-## Testing upgrades locally
-
-Never upgrade on mainnet without first verifying locally that data written before the upgrade is still readable after.
-
-**Motoko:**
-
-```bash
-# Start local network
-icp network start -d
-
-# Deploy initial version
-icp deploy backend
-
-# Write data
-icp canister call backend increment '()'
-icp canister call backend increment '()'
-icp canister call backend get '()'
-# Returns: (2 : nat)
-
-# Modify source code, then redeploy
-icp deploy backend
-
-# Verify data survived
-icp canister call backend get '()'
-# Must still return: (2 : nat)
-```
-
-**Rust:**
-
-```bash
-# Start local network
-icp network start -d
-
-# Deploy initial version
-icp deploy backend
-
-# Write data
-icp canister call backend add_user '("Alice")'
-icp canister call backend get_user_count '()'
-# Returns: (1 : nat64)
-
-# Modify source code, then upgrade
-icp deploy backend
-
-# Verify data survived
-icp canister call backend get_user_count '()'
-# Must still return: (1 : nat64)
-```
-
-If the count drops to zero after upgrade, your data is not in stable memory: review your storage declarations before touching mainnet.
-
-For advanced scenarios (upgrade rollbacks, schema migrations, concurrent call safety), use [PocketIC](../testing/pocket-ic.md) to script multi-step upgrade scenarios in a controlled environment.
-
-## Controller safety
-
-You cannot upgrade a canister without a valid controller. Losing all controller keys leaves the canister permanently frozen at its current code: there is no recovery path on the IC.
-
-```bash
-# Check current controllers
-icp canister settings show my-canister -e ic
-
-# Add a backup controller before any risky upgrade
-icp canister settings update my-canister --add-controller <backup-principal> -e ic
-```
-
-For production canisters:
-
-- Maintain at least two controllers (primary identity + hardware wallet or multisig)
-- For fully onchain governance, add an SNS or DAO canister as controller and remove personal principals
-
-See [Access management](access-management.md) for detailed controller management patterns.
-
-## Next steps
-
-- [Data persistence](../backends/data-persistence.md): stable structures and upgrade patterns in depth
-- [Canister lifecycle](../canister-management/lifecycle.md#upgrade-a-canister): the full upgrade sequence and install modes
-- [Canister snapshots](../canister-management/snapshots.md): create and restore snapshots
-- [Testing strategies](../testing/strategies.md): test upgrade scenarios before deploying to mainnet
-- [Access management](access-management.md): manage controllers and prevent lock-out
-
-<!-- Upstream: informed by dfinity/icskills — skills/canister-security/SKILL.md; dfinity/portal — docs/building-apps/canister-management/upgrade.mdx, docs/building-apps/interact-with-canisters/candid/using-candid.mdx; dfinity/icp-cli — docs/guides/canister-snapshots.md; dfinity/cdk-rs — ic-cdk/src/api/management_canister/main/types.rs; dfinity/examples — rust/tokenmania/backend/types.rs -->
+<!-- Upstream: dfinity/portal — building-apps/security/canister-upgrades.mdx -->
diff --git a/docs/guides/security/data-integrity.md b/docs/guides/security/data-integrity.md
index ad7d37d..8818067 100644
--- a/docs/guides/security/data-integrity.md
+++ b/docs/guides/security/data-integrity.md
@@ -1,455 +1,629 @@
 ---
-title: "Data Integrity"
-description: "Protect data confidentiality and authenticity in canisters using vetKeys encryption, identity-based encryption, certified variables, and signature verification."
+title: "Security Best Practices: Data Integrity and Authenticity"
+description: "Security best practices for certified variables, asset certification, and protecting data authenticity on ICP."
 sidebar:
-  order: 3
+  order: 5
 ---
 
-Data on the Internet Computer faces two distinct threats: **confidentiality** (unauthorized parties reading data) and **authenticity** (verifying that data hasn't been tampered with). This guide covers the IC mechanisms that address both: vetKeys for onchain encryption, certified variables for cryptographic data authenticity, and signature verification for external data.
+## Certified variables
 
-For a conceptual overview of how these fit into the IC security model, see [Security model](../../concepts/security.md). For a deeper look at the vetKeys cryptographic protocol, see [vetKeys](../../concepts/vetkeys.md).
+### Security concern
 
-## Onchain encryption with vetKeys
+ICP offers three modes of operation for canisters: `update`, `query`, and `composite_query`. For the sake of simplicity, we will club `composite_query` under queries for the rest of this section.
 
-Canister state on standard application subnets is readable by node operators. If your application stores private data (notes, messages, files), you must encrypt it before storing. vetKeys (verifiably encrypted threshold keys) give canisters access to cryptographic key material derived by a threshold quorum of subnet nodes. No single node ever holds the raw key.
+Update calls are slow and expensive but provide integrity guarantees as their responses include a threshold signature signed by the subnet.
 
-The core workflow:
+On the other hand, query calls are fast since a single replica formulates the response, but **there is no integrity guarantee, since the response can be manipulated by a single replica or boundary node.** For example, if the NNS dapp fetches proposal information from the governance canister via query calls and the responding node is malicious, it can mask an ill-intentioned proposal that causes irrevocable damage as innocuous by modifying the proposal payload in the response and mislead voters into voting yes. Another consequence of query calls is that users can't rely on [canister_inspect_message](../../references/ic-interface-spec/canister-interface.md#system-api-inspect-message) as a guard. **This makes query calls, in their raw form, unfit to serve data for security-critical applications.**
 
-1. The client generates an ephemeral **transport key pair**
-2. The canister calls `vetkd_derive_key` on the management canister, which derives a key encrypted under the client's transport public key
-3. The client decrypts the result with its transport private key to obtain the raw vetKey
-4. The client uses the vetKey to encrypt or decrypt data locally
+### Using certified variables for secure queries
+In certain use cases, there is a third option whereby query results can return data that has been certified by the subnet in an earlier update call. This is the concept of certified data, and it requires changes to the update call to create the certification, the query call to return the certificate, and the frontend to verify the certificate. Using certified data provides the best of both worlds with query-like response times and update-like certified responses.
 
-No key material ever leaves the subnet in plaintext. The canister never sees the raw key.
+Some examples of certified variables are asset certification in [Internet Identity](https://github.com/dfinity/internet-identity/blob/b29a6f68bbe5a49d048e12bc7a3263a9f43d080b/src/internet_identity/src/main.rs#L775-L808), [NNS dapp](https://github.com/dfinity/nns-dapp/blob/372c3562127d70c2fde059bc9c268e8ae858583e/rs/src/assets.rs#L121-L145), or the [canister signature implementation in Internet Identity](https://github.com/dfinity/ic-canister-sig-creation).
 
-### Prerequisites
+:::tip
+Certified variables are an advanced feature that require careful implementation of authenticated data structures and verification on the canister and client sides, respectively. **If the client doesn't require fast response times, call the query method as an update call (replicated query).** The response would be certified by the subnet, and a single malicious or boundary node can't modify the response.
+:::
 
-**Rust:**
-
-```toml
-[dependencies]
-ic-cdk = "0.19"
-ic-vetkeys = "0.6"
-ic-stable-structures = "0.7"
-```
-
-**Motoko** (`mops.toml`):
-
-```toml
-[dependencies]
-core = "2.0.0"
-```
-
-**Frontend:**
-
-```bash
-npm install @dfinity/vetkeys
-```
-
-> **API stability:** The `ic-vetkeys` crate and `@dfinity/vetkeys` package are published but their APIs may still change. Pin the versions above and check the [DFINITY forum](https://forum.dfinity.org) for migration guides before upgrading.
-
-### Key names and environments
-
-| Key name | Environment | Cycle cost (approx.) |
-|----------|-------------|----------------------|
-| `test_key_1` | Local + mainnet (testing) | ~10B cycles |
-| `key_1` | Mainnet (production) | ~26B cycles |
-
-Use `test_key_1` during development and mainnet testing. Switch to `key_1` for production. `vetkd_public_key` does not cost cycles; only `vetkd_derive_key` does.
-
-### Rust implementation
-
-The `ic-vetkeys` crate provides a high-level `KeyManager` that handles access control and stable storage. For simpler use cases, you can also call the management canister directly.
+:::tip
+ICP also provides replica signed queries, where query responses are signed by the answering replica node; however, it doesn't have the same security guarantees as an `update` call and only protects from malicious boundary nodes. Replica signed queries are enabled by default on both the ICP Rust agent and the ICP JavaScript agent.
+:::
 
-**Using `ic-vetkeys` KeyManager (recommended):**
+### What is certified data?
+Aside from update calls, the subnet certifies (creates a threshold signature) a part of the canister data every round. This is stored in the state tree under the label `certified_data`. However, since it's certified every round, the amount of data that can be stored in `certified_data` is limited to 32 bytes. Hence, when you modify the state of your canister during an update call, if you can convert the state into a unique representation that can fit into 32 bytes, you can store it under `certified_data`, and it will be certified. Naturally, this can be done by computing a hash of the data structure of the canister state. This is also why certified variables are difficult to implement. Depending on your data structures, you will need to develop a different kind of hashing function.
 
-Initialize the `KeyManager` with stable memory and a key ID in the `init` hook:
+Subsequent query calls can return the data as-is, including the signature on the `certified_data`, which the frontend can verify with the IC root public key. This means that data aggregation or other calculations can't be done in query calls, as there would be no way to produce a signature over that newly created data. There are two workarounds: either this data is precomputed in the update call or all raw data is sent to the frontend, which verifies it and does the calculations. Combining these features, a canister should be able to certify a variable in a query response with this [design](https://medium.com/dfinity/how-internet-computer-responses-are-certified-as-authentic-2ff1bb1ea659).
 
-```rust
-use ic_stable_structures::memory_manager::{MemoryId, MemoryManager};
-use ic_stable_structures::DefaultMemoryImpl;
-use ic_vetkeys::key_manager::KeyManager;
-use ic_vetkeys::types::{AccessRights, VetKDCurve, VetKDKeyId};
-
-thread_local! {
-    static MEMORY_MANAGER: std::cell::RefCell<MemoryManager<DefaultMemoryImpl>> =
-        std::cell::RefCell::new(MemoryManager::init(DefaultMemoryImpl::default()));
-    static KEY_MANAGER: std::cell::RefCell<Option<KeyManager<AccessRights>>> =
-        std::cell::RefCell::new(None);
-}
+On a high level, in your canister:
+1. Choose an [authenticated data structure](https://cs.brown.edu/research/pubs/pdfs/2003/Tamassia-2003-ADS.pdf) like Merkle trees to store a value in canister memory.
+2. In the **update** call:
+    - Perform the computation and store the result in the Merkle tree.
+    - The lookup path for the result must act as its `key`. Ideally this `key` should be the parameters provided by the caller in the query method.
+    - Recompute the Merkle proof (`root_hash`)
+    - Store the `root_hash` as the canister's certified data.
+    - Return the `key` as response.
+3. In the **query** call:
+    - Fetch the result from the Merkle structure using the query parameters as the lookup path.
+    - Fetch the current `certified_data` for the canister.
+    - Compute the witness for the result using the same lookup path. The Merkle witness provides proof of inclusion that the requested result exists in the Merkle tree under the given path.
+    - Return `(result, certified_data, witness)` as the response.
 
-#[ic_cdk::init]
-fn init() {
-    let key_id = VetKDKeyId {
-        curve: VetKDCurve::Bls12381G2,
-        name: "key_1".to_string(), // "test_key_1" for local + mainnet testing
-    };
-    MEMORY_MANAGER.with(|mm| {
-        KEY_MANAGER.with(|km| {
-            *km.borrow_mut() = Some(KeyManager::init(
-                "my_app_v1", key_id,
-                mm.borrow().get(MemoryId::new(0)),
-                mm.borrow().get(MemoryId::new(1)),
-                mm.borrow().get(MemoryId::new(2)),
-            ));
-        });
-    });
-}
-```
+The rest of the section shows an example canister, which can serve a certified response for a `query` using `certified_data` that is verified in the frontend. The examples are written in Rust and Motoko, but the overall design can be implemented in other languages.
 
-Expose the two endpoints callers need: one to retrieve an encrypted key, one to retrieve the verification key:
+### Building a canister with certified variables
+Let's consider the following canister interface:
 
-```rust
-use candid::Principal;
-use ic_cdk::update;
-
-#[update]
-async fn get_encrypted_vetkey(subkey_id: Vec<u8>, transport_public_key: Vec<u8>) -> Vec<u8> {
-    let caller = ic_cdk::caller(); // capture BEFORE await
-    let future = KEY_MANAGER.with(|km| {
-        km.borrow().as_ref().expect("not initialized")
-            .get_encrypted_vetkey(caller, subkey_id, transport_public_key)
-            .expect("access denied")
-    });
-    future.await
-}
-
-#[update]
-async fn get_vetkey_verification_key() -> Vec<u8> {
-    let future = KEY_MANAGER.with(|km| {
-        km.borrow().as_ref().expect("not initialized")
-            .get_vetkey_verification_key()
-    });
-    future.await
-}
-```
-
-**Calling management canister directly (lower level):**
-
-Retrieve the public key (no cycles required):
-
-```rust
-use ic_cdk::management_canister::{
-    VetKDCurve, VetKDKeyId, VetKDPublicKeyArgs,
+```c
+type User = record {
+    name: text;
+    age: nat8;
 };
 
-const CONTEXT: &[u8] = b"my_app_v1";
-
-fn key_id() -> VetKDKeyId {
-    VetKDKeyId {
-        curve: VetKDCurve::Bls12_381_G2,
-        name: "key_1".to_string(), // "test_key_1" for testing
-    }
-}
+type CertifiedUser = record {
+    user : User;
+    certificate : blob;
+    witness : blob;
+};
 
-#[ic_cdk::update]
-async fn get_public_key() -> Vec<u8> {
-    let response = ic_cdk::management_canister::vetkd_public_key(
-        &VetKDPublicKeyArgs { canister_id: None, context: CONTEXT.to_vec(), key_id: key_id() }
-    ).await.expect("vetkd_public_key call failed");
-    response.public_key
+service : {
+    "set_user": (User) -> (nat64);
+    "get_user": (nat64) -> (CertifiedUser) query;
 }
 ```
 
-Derive a key for the authenticated caller (`key_1` costs ~26B cycles; `ic-cdk` attaches them automatically):
+The canister exposes the following service:
+- **set_user**: The caller provides a `User` object to the canister. The canister records it and serves a corresponding `index` for the entry as the response. Since `certified_data` can only store 32 bytes of data, it uses a specialized data structure from `ic_certified_map` to store the `User` data.
+    - The data structure internally stores the data in a `HashTree` (or [Merkle tree](https://en.wikipedia.org/wiki/Merkle_tree)) and records the `root_hash` of the data structure in the `certified_data`, which is 32 bytes.
+    - The `root_hash` cryptographically guarantees that only one tree can correspond to that hash. The `root_hash` is also referred to as the Merkle proof.
+- **get_user**: The caller provides a `index: nat64` to the canister and gets a certified response for the corresponding `User`. The `CertifiedUser` response must have the following structure for verifying the response:
+    - **user**: The actual response.
+    - **certificate**: The payload for verifying the signature on the `certified_data`. ICP provides the system API `data_certificate()` for this.
+    - **witness**: Allows for the final verification of the response to be completed with the requested input and `certified_data`.
 
-```rust
-use ic_cdk::management_canister::{VetKDDeriveKeyArgs, VetKDCurve, VetKDKeyId};
+You can find an example implementation of the canister below.
 
-#[ic_cdk::update]
-async fn derive_key(transport_public_key: Vec<u8>) -> Vec<u8> {
-    let caller = ic_cdk::api::msg_caller(); // MUST capture before await
-    let response = ic_cdk::management_canister::vetkd_derive_key(
-        &VetKDDeriveKeyArgs {
-            input: caller.as_slice().to_vec(),
-            context: CONTEXT.to_vec(),
-            transport_public_key,
-            key_id: key_id(),
-        }
-    ).await.expect("vetkd_derive_key call failed");
-    response.encrypted_key
-}
-```
-
-### Motoko implementation
-
-Motoko uses the management canister directly. Define the request/response types and declare the actor interface:
+**Motoko:**
 
 ```motoko
+import CertifiedData "mo:core/CertifiedData";
 import Blob "mo:core/Blob";
-import Principal "mo:core/Principal";
+import Nat8 "mo:core/Nat8";
+import Debug "mo:core/Debug";
 import Text "mo:core/Text";
-
-persistent actor {
-
-  type VetKdCurve = { #bls12_381_g2 };
-  type VetKdKeyId = { curve : VetKdCurve; name : Text };
-  type VetKdPublicKeyRequest = { canister_id : ?Principal; context : Blob; key_id : VetKdKeyId };
-  type VetKdPublicKeyResponse = { public_key : Blob };
-  type VetKdDeriveKeyRequest = { input : Blob; context : Blob; transport_public_key : Blob; key_id : VetKdKeyId };
-  type VetKdDeriveKeyResponse = { encrypted_key : Blob };
-
-  let managementCanister : actor {
-    vetkd_public_key : VetKdPublicKeyRequest -> async VetKdPublicKeyResponse;
-    vetkd_derive_key : VetKdDeriveKeyRequest -> async VetKdDeriveKeyResponse;
-  } = actor "aaaaa-aa";
-
-  let context : Blob = Text.encodeUtf8("my_app_v1");
-  // "test_key_1" for local + mainnet testing, "key_1" for production
-  func keyId() : VetKdKeyId = { curve = #bls12_381_g2; name = "key_1" };
-  // ...
-```
-
-Implement the public key and key derivation endpoints:
-
-```motoko
-  public shared func getPublicKey() : async Blob {
-    // vetkd_public_key does not require cycles
-    let response = await managementCanister.vetkd_public_key({
-      canister_id = null; context; key_id = keyId();
-    });
-    response.public_key
+import Nat64 "mo:core/Nat64";
+import Array "mo:core/Array";
+import CertTree "mo:ic-certification/CertTree";
+import CV "mo:cbor/Value";
+import CborEncoder "mo:cbor/Encoder";
+import CborDecoder "mo:cbor/Decoder";
+
+actor CertifiedVariable {
+
+  type User = {
+    name : Text;
+    age : Nat8;
   };
 
-  public shared ({ caller }) func deriveKey(transportPublicKey : Blob) : async Blob {
-    // caller captured before the await; key_1 costs ~26B cycles
-    let response = await (with cycles = 26_000_000_000) managementCanister.vetkd_derive_key({
-      input = Principal.toBlob(caller);
-      context;
-      transport_public_key = transportPublicKey;
-      key_id = keyId();
-    });
-    response.encrypted_key
+  type CertifiedUser = {
+    user : User;
+    certificate : Blob;
+    witness : Blob;
   };
-};
-```
 
-### Frontend: decrypt and use the vetKey
+  stable var count : Nat64 = 0;
+  stable let cert_store : CertTree.Store = CertTree.newStore();
+  let ct = CertTree.Ops(cert_store);
 
-The frontend generates a transport key pair, sends the public half to the canister, receives the encrypted derived key, and decrypts it locally.
-
-Generate a fresh transport key pair each session, then request and decrypt the vetKey:
-
-```typescript
-import { TransportSecretKey, DerivedPublicKey, EncryptedVetKey } from "@dfinity/vetkeys";
+  public func set_user(user : User) : async Nat64 {
+    count += 1;
+    let path : [Blob] = [Text.encodeUtf8("user"), blobOfNat64(count)];
+    ct.put(path, encodeUser(user));
+    ct.setCertifiedData();
+    return count;
+  };
 
-// 1. Generate an ephemeral transport key: new one each session
-const transportSecretKey = TransportSecretKey.fromSeed(crypto.getRandomValues(new Uint8Array(32)));
-const transportPublicKey = transportSecretKey.publicKey();
+  public query func get_user(index : Nat64) : async CertifiedUser {
+    let certificate = switch (CertifiedData.getCertificate()) {
+      case (?certificate) {
+        certificate;
+      };
+      case (null) {
+        Debug.trap("Certified data not set");
+      };
+    };
 
-// 2. Request encrypted vetkey and verification key from the canister
-const [encryptedKeyBytes, verificationKeyBytes] = await Promise.all([
-  backendActor.get_encrypted_vetkey(subkeyId, transportPublicKey),
-  backendActor.get_vetkey_verification_key(),
-]);
+    let path : [Blob] = [Text.encodeUtf8("user"), blobOfNat64(index)];
 
-// 3. Decrypt the vetkey using the transport secret
-const vetKey = EncryptedVetKey.deserialize(new Uint8Array(encryptedKeyBytes))
-  .decryptAndVerify(
-    transportSecretKey,
-    DerivedPublicKey.deserialize(new Uint8Array(verificationKeyBytes)),
-    new Uint8Array(subkeyId),
-  );
-```
+    let value = switch (ct.lookup(path)) {
+      case (?value) {
+        value;
+      };
+      case (null) {
+        Debug.trap("Lookup failed");
+      };
+    };
 
-Use the vetKey to derive a symmetric AES-GCM key and encrypt/decrypt data:
-
-```typescript
-// 4. Derive a 256-bit AES key from the vetKey material
-const aesKey = await crypto.subtle.importKey(
-  "raw",
-  vetKey.toDerivedKeyMaterial().data.slice(0, 32),
-  { name: "AES-GCM" },
-  false,
-  ["encrypt", "decrypt"],
-);
-
-// 5. Encrypt data
-const iv = crypto.getRandomValues(new Uint8Array(12));
-const ciphertext = await crypto.subtle.encrypt(
-  { name: "AES-GCM", iv },
-  aesKey,
-  new TextEncoder().encode("secret message"),
-);
-
-// 6. Decrypt data
-const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, aesKey, ciphertext);
-```
+    let user : User = decodeUser(value);
+    let witness = ct.encodeWitness(ct.reveal(path));
 
-### Common mistakes
+    let certifiedUser : CertifiedUser = {
+      certificate = certificate;
+      witness = witness;
+      user = user;
+    };
 
-- **Reusing transport keys across sessions.** Generate a fresh transport key pair for each session. If an attacker ever learns the transport secret, they can decrypt all keys derived while that secret was in use.
-- **Using derived key bytes directly as an AES key.** The `encrypted_key` field from `vetkd_derive_key` is an encrypted blob. After decryption, call `toDerivedKeyMaterial()` before using for AES: do not use the raw bytes directly.
-- **Putting secret data in the `input` field.** The `input` field is sent to the management canister in plaintext and serves as a key identifier (e.g., a user principal or document ID). Never use it for actual secret data.
-- **Inconsistent context values.** The `context` field on the canister and on the frontend must match exactly. A mismatch causes silent decryption failure.
+    return certifiedUser;
+  };
 
-## Identity-based encryption (IBE)
+  func encodeUser(user : User) : Blob {
+    let bytes : CV.Value = #majorType5([
+      (#majorType3("name"), #majorType3(user.name)),
+      (#majorType3("age"), #majorType0(Nat64.fromNat(Nat8.toNat(user.age)))),
+    ]);
 
-IBE lets you encrypt to an identity (such as a user's principal) without the recipient being online or having registered a key. Anyone who knows the canister's derived public key can encrypt to any principal. The recipient later authenticates to the canister, obtains their vetKey, and decrypts locally.
+    let #ok(encoded_user) = CborEncoder.encode(bytes);
+    return Blob.fromArray(encoded_user);
+  };
 
-This is useful for private messaging, sealed auctions, and any case where you want to encrypt data "to" a principal who will retrieve it later.
+  func decodeUser(bytes : Blob) : User {
+    let #ok(#majorType5(map)) = CborDecoder.decode(bytes);
+    let name_tag = Array.find<(CV.Value, CV.Value)>(map, func x = x.0 == #majorType3("name"));
+    let age_tag = Array.find<(CV.Value, CV.Value)>(map, func x = x.0 == #majorType3("age"));
+
+    let name = switch (name_tag) {
+      case (?name_value) {
+        let #majorType3(name) = name_value.1;
+        name;
+      };
+      case (null) {
+        Debug.trap("Decoding failed for name");
+      };
+    };
 
-> **Access control:** If you implement IBE without using `KeyManager` or `EncryptedMaps`, your canister must verify that `caller == recipient_principal` before calling `vetkd_derive_key`. Without this check, any caller can request any derived key and decrypt messages meant for someone else. The `ic-vetkeys` library handles this automatically.
+    let age = switch (age_tag) {
+      case (?age_value) {
+        let #majorType0(age) = age_value.1;
+        Nat8.fromNat(Nat64.toNat(age));
+      };
+      case (null) {
+        Debug.trap("Decoding failed for age");
+      };
+    };
 
-**TypeScript IBE example: encrypt (sender side):**
+    return {
+      name = name;
+      age = age;
+    };
+  };
 
-```typescript
-import { IbeCiphertext, IbeIdentity, IbeSeed } from "@dfinity/vetkeys";
+  func blobOfNat64(n : Nat64) : Blob {
+    let byteMask : Nat64 = 0xff;
+    func byte(x : Nat64) : Nat8 {
+      Nat8.fromNat(Nat64.toNat(x));
+    };
+    Blob.fromArray([
+      byte(((byteMask << 56) & n) >> 56),
+      byte(((byteMask << 48) & n) >> 48),
+      byte(((byteMask << 40) & n) >> 40),
+      byte(((byteMask << 32) & n) >> 32),
+      byte(((byteMask << 24) & n) >> 24),
+      byte(((byteMask << 16) & n) >> 16),
+      byte(((byteMask << 8) & n) >> 8),
+      byte(((byteMask << 0) & n) >> 0),
+    ]);
+  };
 
-// No canister call needed if the public key is already known
-const recipientIdentity = IbeIdentity.fromBytes(recipientPrincipalBytes);
-const ciphertext = IbeCiphertext.encrypt(
-  derivedPublicKey, recipientIdentity,
-  new TextEncoder().encode("secret message"),
-  IbeSeed.random(),
-);
-const serialized = ciphertext.serialize(); // store this onchain (ciphertext, not plaintext)
+};
 ```
 
-**TypeScript IBE example: decrypt (recipient side):**
-
-```typescript
-import { TransportSecretKey, DerivedPublicKey, EncryptedVetKey, IbeCiphertext } from "@dfinity/vetkeys";
-
-// Recipient authenticates to the canister to obtain their vetKey
-const transportSecretKey = TransportSecretKey.fromSeed(crypto.getRandomValues(new Uint8Array(32)));
-const [encryptedKeyBytes, verificationKeyBytes] = await Promise.all([
-  backendActor.get_encrypted_vetkey(subkeyId, transportSecretKey.publicKey()),
-  backendActor.get_vetkey_verification_key(),
-]);
-const vetKey = EncryptedVetKey.deserialize(new Uint8Array(encryptedKeyBytes))
-  .decryptAndVerify(
-    transportSecretKey,
-    DerivedPublicKey.deserialize(new Uint8Array(verificationKeyBytes)),
-    new Uint8Array(subkeyId),
-  );
-
-const decrypted = IbeCiphertext.deserialize(serialized).decrypt(vetKey);
-// decrypted is Uint8Array containing "secret message"
-```
+**Rust:**
 
-### Deriving public keys offline
+```rust
+use candid::CandidType;
+use ic_certified_map::HashTree;
+use ic_certified_map::{leaf_hash, AsHashTree, Hash, RbTree};
+use serde::{Deserialize, Serialize};
+use std::borrow::Cow;
+use std::cell::Cell;
+use std::cell::RefCell;
+
+#[derive(CandidType, Serialize, Deserialize, Clone)]
+struct User {
+    name: String,
+    age: u8,
+}
 
-You can derive the canister's public key for a given context without making a canister call. This is useful for IBE encryption when the recipient is offline:
+impl AsHashTree for User {
+    fn root_hash(&self) -> Hash {
+        let user_serialized = serde_cbor::to_vec(&self).unwrap();
+        leaf_hash(&user_serialized[..])
+    }
+    fn as_hash_tree(&self) -> HashTree<'_> {
+        HashTree::Leaf(Cow::from(serde_cbor::to_vec(&self).unwrap()))
+    }
+}
 
-```typescript
-import { MasterPublicKey, DerivedPublicKey } from "@dfinity/vetkeys";
+#[derive(CandidType)]
+struct CertifiedUser {
+    user: User,
+    certificate: Vec<u8>,
+    witness: Vec<u8>,
+}
 
-// Derive offline from the known mainnet master public key
-const masterKey = MasterPublicKey.productionKey();
-const canisterKey = masterKey.deriveCanisterKey(canisterId);
-const derivedKey: DerivedPublicKey = canisterKey.deriveSubKey(
-  new TextEncoder().encode("my_app_v1"),
-);
-// Use derivedKey for IBE encryption without any network calls
-```
+thread_local! {
+    static INDEX : Cell<u64> = Cell::new(0);
+    static TREE: RefCell<RbTree<&'static str, RbTree<[u8; 8], User>>> = RefCell::new(RbTree::new());
+}
 
-For complete IBE and encrypted storage examples, see:
-- [Password manager](https://github.com/dfinity/examples/tree/master/rust/vetkeys/password_manager): encrypted key-value storage with `EncryptedMaps`
-- [Encrypted notes app](https://github.com/dfinity/examples/tree/master/rust/vetkeys/encrypted_notes_dapp_vetkd): per-user encrypted note storage
-- [IBE example](https://github.com/dfinity/examples/tree/master/rust/vetkeys/basic_ibe): identity-based encryption with Internet Identity principals
+#[ic_cdk::update]
+fn set_user(user: User) -> u64 {
+    let index = INDEX.with(|index| {
+        let count = index.get() + 1;
+        index.set(count);
+        count
+    });
 
-## Certified variables for data authenticity
+    TREE.with_borrow_mut(|tree| {
+        match tree.get(b"user") {
+            Some(_) => {
+                tree.modify(b"user", |inner| {
+                    inner.insert(index.to_be_bytes(), user);
+                });
+            }
+            None => {
+                let mut inner = RbTree::new();
+                inner.insert(index.to_be_bytes(), user);
+                tree.insert("user", inner);
+            }
+        }
+        ic_cdk::api::set_certified_data(&tree.root_hash());
+    });
+    index
+}
 
-Query calls on ICP run on a single replica and are not verified by consensus. A malicious or faulty replica could return fabricated data. Certified variables solve this: the canister stores a Merkle root hash in the subnet's certified state during update calls, and query responses include a subnet BLS signature proving the data is authentic.
+#[ic_cdk::query]
+fn get_user(index: u64) -> CertifiedUser {
+    let certificate = ic_cdk::api::data_certificate().expect("No data certificate available");
+
+    TREE.with_borrow(|tree| {
+        let user = match tree.get(b"user") {
+            Some(inner) => {
+                let user = inner.get(&index.to_be_bytes()[..]).expect("User not found");
+                user.to_owned()
+            }
+            None => {
+                panic!("Tree isn't initialized");
+            }
+        };
+
+        let mut witness = vec![];
+        let mut witness_serializer = serde_cbor::Serializer::new(&mut witness);
+        let _ = witness_serializer.self_describe();
+        tree.nested_witness(b"user", |inner| inner.witness(&index.to_be_bytes()[..]))
+            .serialize(&mut witness_serializer)
+            .unwrap();
+
+        CertifiedUser {
+            user,
+            certificate,
+            witness,
+        }
+    })
+}
+```
 
-Use certified variables when:
-- Query responses must be verifiable by clients without trusting any single replica
-- You serve data that could change (balances, configuration, records) via fast query calls
-- Your frontend needs to verify that data hasn't been tampered with in transit
+### Verifying certified variables
 
-For the full implementation guide, including Merkle tree construction, witness generation, and frontend verification, see [Certified variables](../backends/certified-variables.md).
+Once you have the response `CertifiedUser`, for the integrity guarantee, the frontend must verify the certification in the response. This is broken down into several steps implemented in the Rust and JavaScript example below.
 
-**Key rules:**
-- `certified_data_set` may only be called during update calls (not query calls)
-- You can only certify 32 bytes: build a Merkle tree and certify the root hash
-- Re-certify data in `post_upgrade`: certified data is cleared on upgrade
-- Clients must verify certificate freshness (the certificate embeds a timestamp; reject certificates older than ~5 minutes)
+:::note
+The example has some extra steps to set up the canister with some `User` data before verification. You can ignore the section marked between `// ==== START of canister data setup` and `// ==== END of canister data setup`.
+:::
 
-## Signature verification for external data
+1. Verify the IC certificate: Recompute the `root_hash` of `certificate.tree` (pruned state tree with the canister's `certified_data`) and verify the `certificate.signature` with `root_hash` as the message, `certificate.delegation`, and the IC `root_key` as the public key. This confirms that the signature is valid for the current state tree.
+2. Validate that the response is not stale by verifying the time at `/time` in `certificate.tree` is less than a certain delta of current time. The recommended delta is 5 minutes but should be adapted to the use case.
+3. Recompute the `root_hash` of the witness and verify equality with the `certified_data`. The `certified_data` can be obtained from `certificate.tree` under the path `/canister/<canister_id>/certified_data`.
+4. Check if query parameters are in the witness. In this example, the lookup path is `/user/<index>` and should be present in the witness.
+5. Validate if the value found in `/user/<index>` matches `user` from the response.
+6. If all of the previous steps succeed, return `user` as the valid response.
 
-When your canister receives data from external parties (signed messages, X.509 CSRs, or HTTP request signatures) it must verify the cryptographic signature before trusting the data. ICP verifies signatures on ingress messages automatically, but canister-to-canister or external data flows require manual verification.
+**Rust (client-side verification):**
 
-### IC ingress message signatures
+```rust
+use arbitrary::{Arbitrary, Unstructured};
+use candid::Encode;
+use candid::Principal;
+use candid::{CandidType, Decode, Deserialize};
+use futures::future::join_all;
+use ic_agent::identity::AnonymousIdentity;
+use ic_agent::Agent;
+use ic_certificate_verification::validate_certificate_time;
+use ic_certificate_verification::VerifyCertificate;
+use ic_certification::hash_tree::HashTree;
+use ic_certification::{Certificate, LookupResult};
+use rand::prelude::*;
+use serde_cbor::Deserializer;
+use std::time::{SystemTime, UNIX_EPOCH};
+
+#[derive(CandidType, Deserialize, Debug, PartialEq, Eq, Arbitrary)]
+struct User {
+    name: String,
+    age: u8,
+}
 
-Every ingress call to a canister is signed by the caller's identity. The IC verifies these signatures automatically before the message reaches your canister: you do not need to verify them yourself. The `caller` principal in your canister method is already authenticated.
+#[derive(CandidType, Deserialize)]
+struct CertifiedUser {
+    user: User,
+    certificate: Vec<u8>,
+    witness: Vec<u8>,
+}
 
-For workflows that require additional independent verification (such as verifying a message offline or in a different context), the IC uses the following signature schemes:
+static URL: &str = "http://localhost:41749";
+static CANISTER: &str = "a3shf-5eaaa-aaaaa-qaafa-cai";
+const MAX_CERT_TIME_OFFSET_NS: u128 = 300_000_000_000; // 5 min
+const MAX_CALLS: usize = 10;
+
+#[tokio::main]
+async fn main() {
+
+    let agent = Agent::builder()
+        .with_url(URL)
+        .with_identity(AnonymousIdentity)
+        .build()
+        .expect("Unable to create agent");
+
+    // This should be done only in demo environments.
+    // When interacting with mainnet, hardcode the root_key.
+    agent
+        .fetch_root_key()
+        .await
+        .expect("Unable to fetch root key");
+    let root_key = agent.read_root_key();
+
+    let canister_id = Principal::from_text(CANISTER).unwrap();
+
+    // ==== START of canister data setup
+    let mut rng = rand::thread_rng();
+
+    // Make MAX_CALLS to set_user
+    let mut get_user_calls = Vec::new();
+    for _ in 0..MAX_CALLS {
+        let bytes: [u8; 16] = rng.gen();
+        let mut u = Unstructured::new(&bytes[..]);
+        let temp_user = User::arbitrary(&mut u).unwrap();
+
+        println!("Calling set_user with {:?}", temp_user);
+        let response = agent
+            .update(&canister_id, "set_user")
+            .with_effective_canister_id(canister_id)
+            .with_arg(Encode!(&temp_user).unwrap())
+            .call_and_wait();
+        get_user_calls.push(response);
+    }
+    let results: Vec<u64> = join_all(get_user_calls)
+        .await
+        .into_iter()
+        .map(|result| {
+            Decode!(
+                result
+                    .expect("Query call get_user failed")
+                    .as_slice(),
+                u64
+            )
+            .unwrap()
+        })
+        .collect();
+
+    // From response indexes, choose a random index for get_user
+    let index: usize = rng.gen();
+    let index: u64 = *results.get(index % MAX_CALLS).unwrap();
+    // ==== END of canister data setup
+
+    println!("Fetching index {:?}", index);
+
+    let query_response = agent
+        .query(&canister_id, "get_user")
+        .with_effective_canister_id(canister_id)
+        .with_arg(Encode!(&index).unwrap())
+        .call()
+        .await
+        .expect("Unable to call query call get_user");
+
+    let certified_user = Decode!(&query_response, CertifiedUser).unwrap();
+
+    let mut deserializer = Deserializer::from_slice(&certified_user.certificate);
+    let certificate: Certificate = serde::de::Deserialize::deserialize(&mut deserializer).unwrap();
+
+    let start = SystemTime::now();
+    let current_time = start
+        .duration_since(UNIX_EPOCH)
+        .expect("Time went backwards")
+        .as_nanos();
+
+    // Step 1: Check if signature in the certificate can be validated with the
+    // root_hash of the tree in certificate as message and root_key as public_key
+    let verification_result = certificate.verify(canister_id.as_slice(), &root_key[..]);
+
+    println!(
+        "Step 1: Digest match & Signature verification: {:?}",
+        verification_result
+    );
+
+    // Step 2: Check if the response is not stale with the given time offset MAX_CERT_TIME_OFFSET_NS.
+    let time_verification_result =
+        validate_certificate_time(&certificate, &current_time, &MAX_CERT_TIME_OFFSET_NS);
+
+    println!("Step 2: Time skew: {:?}", time_verification_result);
+
+    // Step 3: Check if witness root_hash matches the certified_data
+    let lookup_result =
+        certificate
+            .tree
+            .lookup_path([b"canister", canister_id.as_slice(), b"certified_data"]);
+
+    let certified_data: [u8; 32] = match lookup_result {
+        LookupResult::Found(result) => result.try_into().unwrap(),
+        _ => panic!("Certified data not found"),
+    };
 
-- **Ed25519**: used by Internet Identity and many wallet implementations
-- **ECDSA on secp256r1 (P-256)**: used by some hardware authenticators  
-- **ECDSA on secp256k1**: used by Bitcoin-compatible wallets
+    let mut deserializer = Deserializer::from_slice(&certified_user.witness);
+    let witness_decoded: HashTree<Vec<u8>> =
+        serde::de::Deserialize::deserialize(&mut deserializer).unwrap();
+    let witness_digest = witness_decoded.digest();
+
+    println!(
+        "Step 3: Witness digest matches certified data: {:?} ",
+        witness_digest == certified_data
+    );
+
+    // Step 4: Check if the query parameters are in the witness
+    let witness_lookup: User =
+        match witness_decoded.lookup_path([b"user", &index.to_be_bytes()[..]]) {
+            LookupResult::Found(result) => serde_cbor::from_slice(result).unwrap(),
+            _ => panic!("user {} not found", index),
+        };
+
+    // Step 5: Check if the data found in Witness matches the returned result from the query.
+    println!(
+        "Step 4 & Step 5: Witness data matches User value: {:?}",
+        witness_lookup == certified_user.user
+    );
+
+    // Step 6: Return the result
+    println!("Result: {:?}", certified_user.user);
+}
+```
 
-To verify IC signatures independently (outside the IC, or as a second layer of validation), use the `ic-validator-ingress-message` Rust crate or the `@dfinity/standalone-sig-verifier-web` JavaScript library. See the [independently verifying IC signatures (Rust)](https://github.com/dfinity/ic/tree/master/rs/validator) documentation, or the [`@dfinity/standalone-sig-verifier-web` npm package](https://www.npmjs.com/package/@dfinity/standalone-sig-verifier-web) for the JavaScript path.
+**JavaScript (client-side verification):**
+
+```js
+import pkg from "@dfinity/agent";
+const { Actor, HttpAgent, Certificate, blsVerify, Cbor, reconstruct, lookup_path } = pkg;
+import { IDL } from "@dfinity/candid";
+import { Principal } from "@dfinity/principal";
+import fetch from "isomorphic-fetch";
+import assert from "node:assert/strict";
+
+const idlFactory = ({ IDL }) => {
+  const User = IDL.Record({ age: IDL.Nat8, name: IDL.Text });
+  const CertifiedUser = IDL.Record({
+    certificate: IDL.Vec(IDL.Nat8),
+    user: User,
+    witness: IDL.Vec(IDL.Nat8),
+  });
+  return IDL.Service({
+    get_user: IDL.Func([IDL.Nat64], [CertifiedUser], ["query"]),
+    set_user: IDL.Func([User], [IDL.Nat64], []),
+  });
+};
 
-### X.509 certificate handling
+const canisterId = Principal.fromText("a3shf-5eaaa-aaaaa-qaafa-cai");
+const host = "http://localhost:35777";
 
-Canisters can act as certificate authorities using threshold signing keys. Because no single node ever holds the threshold private key, only the canister (via consensus) can sign certificates: this gives you a CA whose private key cannot be exfiltrated.
+start().await;
 
-The pattern: a canister generates a root CA certificate signed with its threshold Ed25519 or ECDSA key, then issues child certificates for CSRs submitted by external parties. Certificates can be verified by any standard X.509 tool.
+async function start() {
+  const agent = new HttpAgent({ fetch, host });
+  await agent.fetchRootKey();
 
-For a complete working example in Rust, see the [x509 example](https://github.com/dfinity/examples/tree/master/rust/x509), which demonstrates:
+  const rootKey = agent.rootKey.buffer;
+  let dummyUser = { name: "test_user", age: 21 };
 
-1. Creating a root CA certificate with a threshold signing key
-2. Issuing child certificates from externally provided CSRs (in PKCS#10/PEM format)
-3. Verifying ownership of the CSR before signing
+  const actor = Actor.createActor(idlFactory, {
+    agent,
+    canisterId,
+  });
 
-The key pattern for issuing a child certificate:
+  let index = await actor.set_user(dummyUser);
+  let certifiedUser = await actor.get_user(index);
 
-```rust
-// Verify the CSR signature before trusting its contents
-verify_certificate_request_signature(&cert_req)?;
+  await verifyCertificate(certifiedUser, index, rootKey, canisterId);
+}
 
-// Verify the caller owns the key in the CSR
-prove_ownership(&cert_req, ic_cdk::api::caller())?;
+async function verifyCertificate(certifiedUser, index, rootKey, canisterId) {
+  const certificate = certifiedUser.certificate.buffer;
+  const witness = certifiedUser.witness.buffer;
+  const user = certifiedUser.user;
+
+  const cert = new Certificate(certificate, rootKey, canisterId, blsVerify);
+
+  // Step 1: Check if signature in the certificate can be validated with the
+  // root_hash of the tree in certificate as message and root_key as public_key
+  await cert.verify();
+  console.log("Certificate verification succeeded");
+
+  // Step 2: Check if the response is not stale with the given time offset of 5m.
+  const te = new TextEncoder();
+  const pathTime = [te.encode("time")];
+  const rawTime = cert.lookup(pathTime).value;
+  console.log("Time skew: ", verifyTime(rawTime));
+
+  // Step 3: Check if witness root_hash matches the certified_data
+  const pathData = [
+    te.encode("canister"),
+    canisterId.toUint8Array(),
+    te.encode("certified_data"),
+  ];
+
+  const certifiedData = cert.lookup(pathData).value;
+  let witnessTree = Cbor.decode(witness);
+  let witnessRootHash = await reconstruct(witnessTree);
+  console.log(
+    "Verify CertifiedData matches witness root_hash: ",
+    certifiedData.buffer === witnessRootHash.buffer
+  );
 
-// Sign the child certificate using the canister's threshold key
-// (ed25519_sign or ecdsa_sign via management canister)
-```
+  // Step 4: Check if the query parameters are in the witness
+  const query_params = [te.encode("user"), bigEndian(index).buffer];
+  const witnessData = Cbor.decode(lookup_path(query_params, witnessTree).value);
+  console.log("Witness data: ", witnessData);
 
-This approach is used when you need to issue certificates to external systems that expect standard PKI infrastructure, while keeping the CA private key under threshold-protected control.
+  // Step 5: Check if the data found in Witness matches the returned result from the query.
+  assert.deepStrictEqual(witnessData, user, "Value matches response data");
 
-## Deploying and testing
+  // Step 6: Return the result
+  return user
+}
 
-### Local development
+function verifyTime(rawTime) {
+  const idlMessage = new Uint8Array([
+    ...new TextEncoder().encode("DIDL\x00\x01\x7d"),
+    ...new Uint8Array(rawTime),
+  ]);
+  const decodedTime = IDL.decode([IDL.Nat], idlMessage)[0];
+  const time = Number(decodedTime) / 1e9;
+  const now = Date.now() / 1000;
+  const diff = Math.abs(time - now);
+  if (diff > 5) {
+    return false;
+  }
+  return true;
+}
 
-```bash
-# Start a local network: test_key_1 and key_1 are provisioned automatically
-icp network start -d
+function bigEndian(n) {
+  let buf = new Uint8Array(8);
 
-# Deploy your canister
-icp deploy backend
+  for (let i = 7; i >= 0; i--) {
+    buf[i] = Number(n & 0xffn);
+    n >>= 8n;
+  }
+  return buf;
+}
+```
 
-# Test public key retrieval
-icp canister call backend getPublicKey '()'
-# Returns: (blob "..."): the vetKD public key for your canister
+## Use HTTP asset certification and avoid serving your dapp through `raw.icp0.io`
 
-# Test key derivation (requires a 48-byte transport public key blob)
-# In practice, the frontend generates this using TransportSecretKey.fromSeed()
-icp canister call backend deriveKey '(blob "\00\01\02...")'
-# Returns: (blob "..."): the encrypted derived key
-```
+### Security concern
 
-### Mainnet deployment
+Dapps on ICP can use [asset certification](https://learn.internetcomputer.org/hc/en-us/articles/34276431179412-Asset-Certification) to make sure the HTTP assets delivered to the browser are authentic (i.e., threshold-signed by the subnet). If an app does not do asset certification, it can only be served insecurely through `raw.icp0.io`, where no asset certification is checked. This is insecure since a single malicious node or boundary node can freely modify the assets delivered to the browser.
 
-```bash
-# Deploy to mainnet
-icp deploy backend -e ic
+If an app is served through `raw.icp0.io` in addition to `icp0.io`, an adversary may trick users (phishing) into using the insecure `raw.icp0.io`.
 
-# Verify the public key is non-empty
-icp canister call backend getPublicKey '()' -e ic
-```
+### Recommendation
 
-Confirm that:
-- `getPublicKey` returns a non-empty blob (48+ bytes of BLS public key material)
-- `deriveKey` returns a non-empty blob (encrypted key material)
-- Different callers receive different derived keys (same caller + same input = same key; different caller = different key)
+- Only serve assets through `<canister-id>.icp0.io`, where the boundary nodes enforce response verification on the served assets. Do not serve through `<canister-id>.raw.icp0.io`.
 
-## Next steps
+- Serve assets using the asset canister, which creates asset certification automatically, or add the `ic-certificate` header including the asset certification as, e.g., done in the [NNS dapp](https://github.com/dfinity/nns-dapp) and [Internet Identity](https://github.com/dfinity/internet-identity).
 
-- [vetKeys concept guide](../../concepts/vetkeys.md): how the threshold key derivation protocol works
-- [Encryption guide](./encryption.md): vetKeys encryption patterns including EncryptedMaps
-- [Certified variables](../backends/certified-variables.md): full certified data implementation
-- [Security model](../../concepts/security.md): IC security guarantees and threat model
+- Check in the canister's `http_request` method if the request came through raw. If so, return an error and do not serve any assets.
 
-<!-- Upstream: informed by dfinity/portal — docs/building-apps/authentication/independently-verifying-ic-signatures.mdx; dfinity/icskills — canister-security, vetkd, certified-variables; dfinity/examples — rust/vetkeys/password_manager, rust/vetkeys/encrypted_notes_dapp_vetkd, rust/vetkeys/basic_ibe, rust/x509 -->
+<!-- Upstream: dfinity/portal — building-apps/security/data-integrity-and-authenticity.mdx -->
diff --git a/docs/guides/security/data-storage.md b/docs/guides/security/data-storage.md
new file mode 100644
index 0000000..767bccb
--- /dev/null
+++ b/docs/guides/security/data-storage.md
@@ -0,0 +1,94 @@
+---
+title: "Security Best Practices: Data Storage"
+description: "Security best practices for canister data storage, stable memory, encryption of sensitive data, and backups."
+sidebar:
+  order: 6
+---
+
+## Rust: Use `thread_local!` with `Cell/RefCell` for state variables and put all your globals in one basket
+
+### Security concern
+
+Canisters need a global mutable state. In Rust, there are several ways to achieve this. However, some options can lead to vulnerabilities such as memory corruption.
+
+### Recommendation
+
+- [Use `thread_local!` with `Cell/RefCell` for state variables](https://mmapped.blog/posts/01-effective-rust-canisters.html#use-threadlocal) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
+
+- [Put all your globals in one basket](https://mmapped.blog/posts/01-effective-rust-canisters.html#clear-state) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
+
+## Limit the amount of data that can be stored in a canister per user
+
+### Security concern
+
+If a user is able to store a big amount of data on a canister, this may be abused to fill up the canister storage and make the canister unusable.
+
+### Recommendation
+
+Limit the amount of data that can be stored in a canister per user. This limit has to be checked whenever data is stored for a user in an update call.
+
+## Consider using stable memory, version it, and test it
+
+### Security concern
+
+Canister memory is not persisted across upgrades. If data needs to be kept across upgrades, you may serialize the canister memory in `pre_upgrade` and deserialize it in `post_upgrade`. Using `pre_upgrade` and `post_upgrade` methods is not recommended and should be avoided. The available number of instructions for these methods is limited. If the memory grows too big, the canister can no longer be updated.
+
+### Recommendation
+
+- Stable memory is persisted across upgrades and can be used to address this issue.
+
+- [Consider using stable memory](https://mmapped.blog/posts/01-effective-rust-canisters.html#stable-memory-main) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)). Take note of the discussed disadvantages.
+
+- [Version stable memory](https://mmapped.blog/posts/01-effective-rust-canisters.html#version-stable-memory) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
+
+- [Test the upgrade hooks](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
+
+- See also the section on upgrades in [how to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister) (focused on Motoko canisters).
+
+- Write tests for stable memory to avoid bugs.
+
+- Some libraries commonly used are:
+
+    - [https://github.com/dfinity/stable-structures](https://github.com/dfinity/stable-structures)
+
+    - [https://github.com/seniorjoinu/ic-stable-memory](https://github.com/seniorjoinu/ic-stable-memory)
+
+:::caution
+Please note some of these libraries may be partially unfinished.
+:::
+
+- See [current limitations of the Internet Computer](https://wiki.internetcomputer.org/wiki/Current_limitations_of_the_Internet_Computer), sections "Long running upgrades" and "\[de\]serializer requiring additional Wasm memory."
+
+- For example, [Internet Identity](https://github.com/dfinity/internet-identity) uses stable memory directly to store user data.
+
+## Consider encrypting sensitive data on canisters
+
+### Security concern
+
+By default, canisters provide integrity but not confidentiality. Data stored on canisters can be read by nodes/replicas.
+
+### Recommendation
+
+- Consider end-to-end encrypting any private or personal data (e.g., a user's personal or private information) on canisters.
+
+- The example dapp [encrypted notes](https://github.com/dfinity/examples/tree/master/motoko/encrypted-notes-dapp) illustrates how end-to-end encryption can be done.
+
+## Create backups
+
+### Security concern
+
+A canister could be rendered unusable and impossible to upgrade. For example, due to one of the following reasons:
+
+- It has a faulty upgrade process due to some bug from the dapp developer.
+
+- The state becomes inconsistent or corrupt because of a bug in the code that persists data.
+
+### Recommendation
+
+- Make sure methods used in upgrading are tested, or the canister becomes immutable.
+
+- It may be useful to have a disaster recovery strategy that makes it possible to reinstall the canister.
+
+- See the "Backup and recovery" section in [how to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
+
+<!-- Upstream: dfinity/portal — building-apps/security/data-storage.mdx -->
diff --git a/docs/guides/security/decentralization.md b/docs/guides/security/decentralization.md
new file mode 100644
index 0000000..a07e9f7
--- /dev/null
+++ b/docs/guides/security/decentralization.md
@@ -0,0 +1,76 @@
+---
+title: "Security Best Practices: Decentralization"
+description: "Security best practices for decentralizing dapp control using SNS, governance, and reducing centralized trust."
+sidebar:
+  order: 4
+---
+
+## Use a decentralized governance system like SNS to put dapps under decentralized control
+
+### Security concerns
+
+If single entities or small groups control canisters, they can apply changes or updates whenever they like. If a canister, e.g., holds assets such as ICP, ckBTC, or ckETH on a user's behalf, this effectively means that the controller could decide at any time to steal these funds through methods such as updating the canister and transferring the assets to their account.
+
+Furthermore, the controller of canisters serving web content (such as e.g., the asset canister) could maliciously modify the web application to e.g., steal user funds or perform security-sensitive actions on the user's behalf. For example, if [Internet Identity](../authentication/internet-identity.mdx) is used, the user principal's private key for the given origin is stored in the browser storage, and a malicious app can therefore fully control the private key, the user's session, and any assets controlled by that key.
+
+Dapps are commonly reachable over their own custom domain name instead of ic0.app. These domains are registered with a DNS registrar by one of the developers. The developer can choose to have this domain point at a completely different web application, even one not hosted on ICP. Users will trust this domain and the app it serves. This could allow such a developer to steal funds, leak data, etc.
+
+A dapp might have privileged features that are only accessible to principals that are on an allow list. For example, minting new tokens, debugging functions, managing permissions, removing NFTs for digital rights violations, etc. This means that whoever controls that principal (such as the dapp developers) may have central control over these privileged features.
+
+For performance or privacy reasons, some components of a dapp may be hosted off-chain. These off-chain components often control principals used to interact with the onchain components and are usually controlled by a developer holding credentials to the off-chain cloud environment. On top of that, third party off-chain entities such as cloud providers can inspect and manipulate data in this environment if they choose. They could take ICP principal private keys out of this environment and call privileged operations on the canisters. Off-chain components can quickly lead to many additional centrally trusted parties. Depending on the value managed by a dapp, these parties could be tempted to act maliciously.
+
+### Recommendations
+
+In the following list, we first provide recommendations for centralized dapp control and then move to recommendations for increasingly decentralized settings. From a security perspective, more decentralization is favorable. The following list could also be used as a basis for assessing a dapp's level of decentralization. This is just a set of recommendations and may be incomplete.
+
+1. **The dapp uses central, off-chain components:** The application makes use of centralized components such as those running in the cloud. The owners of these cloud services have full control over the application and assets managed by it. Your application should likely be further decentralized by avoiding central components. But while you have them, [securely manage your keys in the cloud](https://cloudsecurityalliance.org/research/topics/cloud-key-management/).
+2. **The dapp is controlled by the developer team:** Your project is not under decentralized control, for example, because it is in an early development stage or does not (yet) hold significant funds. In that case, it is recommended to manage access to your canisters securely and ideally not let individuals control the application. To achieve that, consider the following:
+    - Require approval by several individuals or parties to perform any canister controller operations.
+    - Require approval by several individuals or parties for any security-sensitive changes at the application level that are restricted to privileged principals, such as admin operations including permissions management, minting new tokens, removing NFTs for digital rights violations, etc.
+    - A helpful tool to achieve either of the above two points is the [orbit station canister](https://github.com/dfinity/orbit) which allows you to configure intricate policies for canister control. [Orbit](https://orbit.global/) also serves as an enterprise wallet where token funds are governed using policies. Ideally, individuals also manage their key material using hardware security modules, such as [YubiHSM](https://www.yubico.com/ch/store/yubihsm-2-series/) and physically protect these through methods such as using safes at different geographical locations. Some of HSMs support threshold signature schemes, which can help to further secure the setup. To increase transparency about the changes made to a dapp, consider using a tool like [LaunchTrail](https://github.com/spinner-cash/launchtrail).
+3. **Full decentralization using a DAO**: The dapp is controlled by a decentralized governance system such as ICP's [Service Nervous System (SNS)](https://learn.internetcomputer.org/hc/en-us/articles/34084394684564-SNS-Service-Nervous-System), so that any security-sensitive changes to the canisters are only executed if the SNS community approves them collectively through a proposal voting mechanism. If an SNS is used:
+    - Make sure voting power is distributed over many independent entities such that there is not one single or a few entities that can decide by themselves how the [DAO evolves](https://learn.internetcomputer.org/hc/en-us/articles/34088279488660-Tokenomics#voting-power-and-decentralization).
+    - Ensure all components of the dapp are under SNS control, including the canisters serving the web frontends; see [SNS asset canisters](../governance/managing.md).
+    - Consider the [SNS preparation checklist](../governance/launching.md). Important points from a security perspective are tokenomics, disclosing dependencies to off-chain components, and performing security reviews.
+    - Rather than self-deploying the SNS code or building your own DAO, consider using the official SNS on the SNS subnet, as this guarantees that the SNS is running an NNS-blessed version and maintained as part of ICP.
+    - See also [verification and trust in a (launched) SNS](https://wiki.internetcomputer.org/wiki/Verification_and_trust_in_a_(launched)_SNS) and [SNS decentralization swap trust](https://wiki.internetcomputer.org/wiki/SNS_decentralization_swap_trust).
+
+An alternative to DAO control (3. above) would be to create an immutable canister smart contract by removing the canister controller completely. This can be achieved by setting the controller to a [black hole canister](https://github.com/ninegua/ic-blackhole). However, note that this implies that the canister can **never** be upgraded, which may have severe implications in case a bug is found. The complexity of ICP dapps and the fact that complex frontends are hosted onchain means that black holed canisters are rarely the right solution. The option to use a decentralized governance system and thus being able to upgrade smart contracts is a big advantage of the ICP ecosystem compared to other blockchains.
+
+:::note
+Contrary to some other blockchains, immutable smart contracts need cycles to run, and they can receive cycles.
+:::
+
+It is also possible to implement a DAO on ICP from scratch. If you decide to do this (e.g., along the lines of the [basic DAO example](https://github.com/dfinity/examples/tree/master/rust/basic_dao)), be aware that this is security critical and must be security reviewed carefully. Furthermore, users will need to verify that the DAO is controlled by itself.
+
+## Verify the control and level of decentralization of smart contracts you depend on
+
+### Security concern
+
+If a dapp depends on a third-party canister smart contract (e.g., by making inter-canister calls to it), it is important to verify that the callee satisfies an appropriate level of decentralization. For example:
+- If funds or cycles are transferred to a third-party canister, one might require the canister to be controlled by a decentralized governance system, as otherwise these funds are centrally controlled.
+- If inter-canister calls are made to a centrally controlled and potentially malicious canister, that canister could execute a denial of service attack on the caller or even trigger functional bugs; see [be aware of the risks involved in calling untrustworthy canisters](./inter-canister-calls.md#be-aware-of-the-risks-involved-in-calling-untrustworthy-canisters).
+
+### Recommendation
+
+If you interact with a canister that you require to be decentralized, make sure it is controlled by the NNS, a service nervous system (SNS) or a decentralized governance system, and review under what conditions and by whom the smart contract can be changed.
+
+## Don't load JavaScript or other assets from untrusted domains
+
+### Security concern
+
+Loading untrusted JavaScript from domains other than `<canister-id>.icp0.io` means you completely trust that domain. Also, assets loaded from these domains (incl. `<canister-id>.raw.icp0.io`) will not use asset certification.
+
+If they deliver malicious JavaScript, they can take over the web app or account. This could, for example, happen by reading the private key managed by the ICP JavaScript agent from the browser's local storage.
+
+Note that also loading other assets such as [CSS](https://xsleaks.dev/docs/attacks/css-injection/) from untrusted domains is a security risk.
+
+### Recommendation
+
+- Loading JavaScript and other assets from other origins should be avoided. Especially for security-critical applications, you can't assume other domains to be trustworthy.
+
+- Make sure all the content delivered to the browser is served and certified by the canister using asset certification. This holds in particular for any JavaScript, but also for fonts, CSS, etc.
+
+- Use a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to prevent scripts and other content from other origins from being loaded at all. See also [define security headers, including a content security policy (CSP)](./resources.md#web-security).
+
+<!-- Upstream: dfinity/portal — building-apps/security/decentralization.mdx -->
diff --git a/docs/guides/security/dos-prevention.md b/docs/guides/security/dos-prevention.md
index 946284d..b0d5208 100644
--- a/docs/guides/security/dos-prevention.md
+++ b/docs/guides/security/dos-prevention.md
@@ -1,344 +1,62 @@
 ---
-title: "DoS Prevention"
-description: "Protect canisters from denial-of-service attacks with rate limiting, cycle drain protection, and resource management"
+title: "Security Best Practices: Denial of Service"
+description: "Security best practices for protecting canisters against DoS and DDoS attacks, noisy neighbors, and expensive calls."
 sidebar:
-  order: 4
+  order: 8
 ---
 
-On ICP, [canisters pay for every message they process](../../concepts/cycles.md): including messages from attackers. Anyone on the internet can send update calls to your canister, and each call burns cycles even if your code ultimately rejects it. Left unmitigated, this lets an attacker drain your cycle balance by flooding your canister with messages.
+## Protect against DoS and DDoS attacks
 
-This guide covers the patterns that protect against denial-of-service (DoS) attacks: early message filtering, rate limiting, resource allocation, and cycle monitoring.
+### Security concern
 
-## Checklist
+A denial of service (DoS) attack aims to make a system unavailable by overwhelming it with requests or data. A Distributed Denial of Service (DDoS) attack is a more sophisticated version, where the attack originates from multiple sources, making it harder to block. An attacker will typically search for operations that are free to be executed by anyone but which are expensive for the application in terms of certain resources such as storage, memory usage, network bandwidth, computing resources, etc. In the case of canisters, such attacks can aim to deplete cycles, making the canister unable to process legitimate requests. The reverse gas model means that a dapp needs to implement strategies to deal with this.
 
-- [ ] Use `canister_inspect_message` to drop obviously invalid messages before Candid decoding
-- [ ] Reject the anonymous principal in every endpoint that requires authentication
-- [ ] Enforce per-caller rate limits or concurrency locks for expensive operations
-- [ ] Set a conservative freezing threshold (90–180 days)
-- [ ] Set explicit `wasm_memory_limit` to guard against memory exhaustion
-- [ ] Set `wasm_memory_threshold` to receive an `on_low_wasm_memory` hook notification before the limit is hit
-- [ ] Monitor cycle balances and alert on unusual consumption spikes
-- [ ] Reserve compute or memory allocation for high-traffic canisters
+### Recommendation
 
-## Cycle drain attacks
+To protect your canisters from DoS and DDoS attacks, consider the following strategies:
+* **Bot prevention techniques**: Use methods like captchas or proof of work to ensure only legitimate users can access your canister. CAPTCHAs help verify that the user is human, while proof of work requires the user to spend computational resources to proceed, deterring automated attacks. [Internet Identity](https://github.com/dfinity/internet-identity) has a [captcha implementation](https://github.com/dfinity/internet-identity/blob/2bf92dc16371428a3dcc1115580a691842ec76df/src/internet_identity/src/main.rs#L517) that can serve as an example for implementing this in other projects.
+* **Monitor cycles usage**: Regularly track your canisters cycles consumption and set alerts for any sudden spikes that may indicate an attack.
+* **Ingress message charging**: While charging for ingress messages (external requests to the canister) is not natively supported, custom solutions could be implemented to make sure that any expensive actions have costs associated with them.
+* **Filter ingress messages using inspect message**: Certain non-critical checks can be placed in the inspect message function to filter out ingress update messages before they are executed by all nodes of a subnet. Since this code only runs on a single node, the execution does not consume cycles, but it also shouldn't be relied upon for security-critical checks such as access control. However, they can efficiently reject certain ingress messages early. Read the corresponding [documentation](../../references/ic-interface-spec/canister-interface.md#system-api-inspect-message) and [security best practice](./access-management.mdx) carefully for the caveats.
 
-Every ingress message (external call to your canister) costs cycles. The cost includes:
+## Protect against noisy neighbors
 
-- A base execution fee of 5M cycles per update message (13-node subnet), plus an ingress reception fee of ~1.2M cycles and 2,000 cycles per byte received
-- Per-instruction fees for all code executed before a trap or rejection
-- Candid decoding, which runs before your method body
+### Security concern
 
-This means an attacker can drain your cycles simply by sending many messages. The canister pays for Candid decoding and early checks even when it rejects the call. See [Cycles costs](../../references/cycles-costs.md#cost-table) for exact figures.
+In a shared resource environment like the Internet Computer, multiple canisters can run on the same subnet. If one canister consumes too many resources (CPU, memory, etc.), it can negatively impact the performance of others on the same subnet. This is known as the "noisy neighbor" problem.
 
-### Use inspect_message as a first-pass filter
+### Recommendation
 
-`canister_inspect_message` runs on a **single replica** before a message enters consensus. Code in this hook does not burn cycles, so it is an efficient place to drop messages that are obviously invalid: for example, calls from the anonymous principal to authenticated endpoints.
+To mitigate the "noisy neighbor" issue, manage your canister's resource allocation effectively:
+* **Memory allocation**: Memory can be reserved per canister by setting `memory_allocation`, ensuring that your canister can always allocate memory up to the requested `memory_allocation` and preventing other canisters from using up the subnet's available memory. Note that memory availability is not guaranteed beyond the memory allocation and thus monitoring actual memory usage against this value is important to avoid availability issues.
+* **Compute reservation**: Similar to memory, computing power can also be reserved by setting `compute_allocation` to a value between 0 and 100, which denotes the percentage of one CPU core to be reserved for this canister. A value of 50 means that every 2 rounds, the canister will be scheduled to execute a message. This guarantees the minimal progress your canister can make, which protects against noisy neighbors. Both allocations are reserving resources for your canister on the subnet, which prevents the other canisters from using them. Hence, they come at a cost. Memory allocation is charged as if all that memory would be allocated. Compute allocation is currently charged at 10M cycles per percentage point.
+Learn more about managing memory and compute resources in the [cycles costs reference](../../references/cycles-costs.md).
+* **Subnet and canister distribution**: Implement a smart canister deployment strategy by monitoring the load on subnets. You can choose to deploy new canisters on less busy subnets or adopt a multi-canister architecture that balances the load across subnets. Be mindful to minimize inter-subnet communication for canisters that frequently interact with each other. Additionally, avoid deploying to known high-traffic subnets where possible, though keep in mind that resource usage can change unexpectedly with new dapps.
 
-**Critical limitation:** `canister_inspect_message` is not a security boundary. It runs on one node and can be bypassed by a malicious boundary node. It is also never called for inter-canister calls, query calls, or management canister calls. Always duplicate real access control inside each update method. See [Access management](access-management.md) for the full access control pattern.
+:::note
+When the subnet grows above 750GiB, then the new reservation mechanism activates. Every time a canister allocates new storage bytes, the system sets aside some amount of cycles from the main balance of the canister. These reserved cycles will be used to cover future payments for the newly allocated bytes. The reserved cycles are not transferable, and the amount of reserved cycles depends on how full the subnet is. For example, it may cover days, months, or even years of payments for the newly allocated bytes. It is important to note that the reservation mechanism applies only to the newly allocated bytes and does not apply to the storage already in use by the canister. See more at [resource reservations](https://forum.dfinity.org/t/increasing-subnet-storage-capacity-and-introducing-resource-reservation-mechanism/23447).
+:::
 
-`inspect_message` has a budget of **200 million instructions**: do not perform expensive work here. Use it only to short-circuit calls that are structurally invalid (wrong caller type, missing required data).
+## Handle expensive calls
 
-**Motoko: inspect_message:**
+### Security concern
 
-```motoko
-import Principal "mo:core/Principal";
+Some calls (update or query) might be expensive in terms of the memory or cycles they consume. For example, any function using chain-key signing or HTTPS outcalls is relatively expensive. See the [additional documentation](../../references/cycles-costs.md) on cycles cost details and for other examples.
 
-// Inside the persistent actor { ... }
+An attacker will target expensive calls to drain the cycles balance or available memory quickly.
 
-system func inspect(
-  {
-    caller : Principal;
-    msg : {
-      #adminAction : () -> ();
-      #publicAction : () -> ();
-      #expensiveOperation : () -> ();
-    }
-  }
-) : Bool {
-  switch (msg) {
-    // Admin and expensive methods: reject anonymous callers before Candid decoding
-    case (#adminAction _) { not Principal.isAnonymous(caller) };
-    case (#expensiveOperation _) { not Principal.isAnonymous(caller) };
-    // Public methods: accept all
-    case (_) { true };
-  };
-};
-```
+### Recommendation
 
-**Rust: inspect_message:**
+* **Use captchas**: Expensive operations should require a captcha to be solved. Try to use a library to implement a captcha instead of a cloud service, as such a service would require HTTPS outcalls and isn't decentralized.
+* **Use PoW (proof-of-work)**: Require a proof-of-work challenge to be solved by the client for any expensive operation. The parameters need to be carefully chosen to require sufficient computation per call to the expensive operation without creating too much impact for legitimate clients. Don't forget to consider clients on slow and older mobile devices while protecting against attackers on modern multi-GPU systems. Certain algorithms can limit the performance increase of GPUs to improve this uneven battlefield.
+* **Charge for expensive calls**: You can require that certain expensive calls from other canisters include cycles to compensate for the resources consumed. In addition, one can charge for ingress messages. However, that is not currently supported by the protocol itself, and a custom solution, such as pre-paying a certain amount, would need to be designed.
+* **Differentiate between update and query calls**: Expensive computations should generally be avoided for update calls unless absolutely necessary. While query calls are not authenticated, they are faster and less resource-intensive. To check whether a method was called as a query or update call, you can use `ic0.in_replicated_execution()`.
 
-```rust
-use ic_cdk::api::{accept_message, msg_caller, msg_method_name};
-use candid::Principal;
+### Further recommendations
 
-/// Pre-filter to reduce cycle waste from spam.
-/// Runs on ONE node. Can be bypassed. NOT a security check.
-/// Always duplicate real access control inside each method.
-#[ic_cdk::inspect_message]
-fn inspect_message() {
-    let method = msg_method_name();
-    match method.as_str() {
-        // Admin and expensive methods: reject anonymous callers
-        "admin_action" | "expensive_operation" => {
-            if msg_caller() != Principal::anonymous() {
-                accept_message();
-            }
-            // Silently reject anonymous: saves cycles on Candid decoding
-        }
-        // Public methods: accept all
-        _ => accept_message(),
-    }
-}
-```
+- Automatically monitor cycles consumption and set appropriate alerts for cycles consumption rate and balance. Sudden spikes in cycles consumption could indicate an attack.
+- Implement early authentication and rate limiting for your canisters.
+- Be aware of attacks targeting high cycles-consuming calls.
+- See the "Cycle balance drain attacks section" in [How to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
 
-### Rate limiting and per-caller locking
-
-For expensive operations (chain-key signing, HTTPS outcalls, large state writes), enforce per-caller concurrency limits. Allowing the same caller to queue up many concurrent requests multiplies the cost of any single caller's flood.
-
-The CallerGuard pattern prevents concurrent calls from the same principal. While the guard is held, any second call from the same caller is rejected immediately: before any expensive work runs.
-
-**Motoko: per-caller concurrency lock:**
-
-```motoko
-import Map "mo:core/Map";
-import Principal "mo:core/Principal";
-import Result "mo:core/Result";
-
-// Inside the persistent actor { ... }
-
-let pendingRequests = Map.empty<Principal, Bool>();
-
-func acquireGuard(principal : Principal) : Result.Result<(), Text> {
-  if (Map.get(pendingRequests, Principal.compare, principal) != null) {
-    return #err("already processing a request for this caller");
-  };
-  Map.add(pendingRequests, Principal.compare, principal, true);
-  #ok;
-};
-
-func releaseGuard(principal : Principal) {
-  ignore Map.delete(pendingRequests, Principal.compare, principal);
-};
-
-public shared ({ caller }) func expensiveOperation() : async Result.Result<Text, Text> {
-  // 1. Reject anonymous
-  if (Principal.isAnonymous(caller)) {
-    return #err("anonymous principal not allowed");
-  };
-
-  // 2. Acquire per-caller lock: rejects concurrent calls from same principal
-  switch (acquireGuard(caller)) {
-    case (#err(msg)) { return #err(msg) };
-    case (#ok) {};
-  };
-
-  // 3. Do expensive work (async calls, etc.)
-  try {
-    let result = await someExpensiveCall();
-    #ok(result)
-  } catch _ {
-    #err("operation failed")
-  } finally {
-    // Released in cleanup context: runs even if the callback traps
-    releaseGuard(caller);
-  };
-};
-```
-
-**Rust: per-caller concurrency lock (CallerGuard):**
-
-```rust
-use std::cell::RefCell;
-use std::collections::BTreeSet;
-use candid::Principal;
-use ic_cdk::update;
-use ic_cdk::api::msg_caller;
-
-thread_local! {
-    static PENDING: RefCell<BTreeSet<Principal>> = RefCell::new(BTreeSet::new());
-}
-
-struct CallerGuard {
-    principal: Principal,
-}
-
-impl CallerGuard {
-    fn new(principal: Principal) -> Result<Self, String> {
-        PENDING.with(|p| {
-            if !p.borrow_mut().insert(principal) {
-                return Err("already processing a request for this caller".to_string());
-            }
-            Ok(Self { principal })
-        })
-    }
-}
-
-impl Drop for CallerGuard {
-    fn drop(&mut self) {
-        PENDING.with(|p| {
-            p.borrow_mut().remove(&self.principal);
-        });
-    }
-}
-
-#[update]
-async fn expensive_operation() -> Result<String, String> {
-    let caller = msg_caller();
-    if caller == Principal::anonymous() {
-        return Err("anonymous principal not allowed".to_string());
-    }
-
-    // Acquire per-caller lock: Drop releases it even if the callback traps
-    let _guard = CallerGuard::new(caller)?;
-
-    // Do expensive work: use Call::bounded_wait for inter-canister calls
-    // to avoid unbounded waits that would block canister upgrades
-    let result = do_expensive_work().await?;
-    Ok(result)
-    // _guard dropped here -> lock released
-}
-```
-
-The guard releases automatically when it goes out of scope: including when an inter-canister call callback traps. Never use `let _ = CallerGuard::new(caller)?` (this drops the guard immediately, making locking ineffective). Always bind to a named variable (`let _guard`).
-
-### Proof-of-work and captchas for public endpoints
-
-For endpoints that must accept anonymous or unauthenticated callers: for example, a public registration flow. The per-caller lock pattern cannot apply. Instead, require the caller to prove they spent computational resources:
-
-- **Captcha:** Require solving a captcha before calling an expensive endpoint. Use a library-based captcha (not a cloud service) to keep the solution onchain and avoid HTTPS outcalls.
-- **Proof of work:** Require the client to include a nonce that satisfies a hash challenge. The canister verifies the nonce in `inspect_message` before accepting the message. This imposes CPU cost on the caller proportional to the difficulty parameter.
-
-[Internet Identity](https://github.com/dfinity/internet-identity)'s [captcha implementation](https://github.com/dfinity/internet-identity/blob/2bf92dc16371428a3dcc1115580a691842ec76df/src/internet_identity/src/main.rs#L517) provides a working example.
-
-## Resource limit awareness
-
-The IC enforces hard limits on message execution. If your canister frequently approaches these limits, a flood of requests can make it unable to serve legitimate users:
-
-| Limit | Value |
-|-------|-------|
-| Instructions per update call | 40 billion |
-| Instructions per query call | 5 billion |
-| Instructions per `inspect_message` | 200 million |
-| Max ingress message payload | 2 MiB |
-| Wasm heap memory | 4 GiB (wasm32) |
-| Wasm stable memory | 500 GiB |
-
-Source: [Cycles costs reference](../../references/cycles-costs.md#resource-limits).
-
-### Prevent memory exhaustion
-
-If users can store data without limits, an attacker can fill the 4 GiB Wasm heap or stable memory, causing allocation failures that corrupt canister state. Mitigations:
-
-- **Enforce per-user storage quotas**: track bytes stored per principal and reject requests that exceed the limit.
-- **Validate input sizes**: check the size of user-provided blobs, text, or arrays before storing them.
-- **Set a `wasm_memory_limit`**: configures a soft ceiling below the 4 GiB hard limit. When exceeded, new update calls trap instead of corrupting state. See [Canister settings](../canister-management/settings.md).
-
-```yaml
-# icp.yaml: memory protection (settings nested under canister name)
-canisters:
-  - name: backend
-    settings:
-      wasm_memory_limit: 3gib
-      wasm_memory_threshold: 512mib  # triggers on_low_wasm_memory hook
-```
-
-### Paginate large queries
-
-Data queries that return unbounded result sets can exhaust the instruction limit for a single call. An attacker can exploit this by requesting a query that processes all stored data:
-
-- **Always paginate**: accept an optional cursor or offset and return at most a fixed number of results per call.
-- **Avoid unbounded iteration**: do not iterate entire data structures in a single call unless the data set is provably bounded.
-
-## Freezing threshold as a safety net
-
-The `freezing_threshold` setting defines the minimum number of seconds the canister should be able to survive on its current cycle balance. When the balance drops below this reserve, the canister **freezes**: update calls are rejected. A frozen canister does not execute code, but it continues to pay for storage and compute allocation.
-
-The default threshold is 30 days. For production canisters holding valuable state, increase it to 90–180 days:
-
-```bash
-# Set freezing threshold to 90 days
-icp canister settings update backend --freezing-threshold 7776000 -e ic
-```
-
-Or via `icp.yaml`:
-
-```yaml
-# icp.yaml: settings nested under canister name
-canisters:
-  - name: backend
-    settings:
-      freezing_threshold: 90d
-```
-
-A conservative freezing threshold gives you time to detect and respond to a cycle drain attack before the canister is uninstalled. If cycles reach zero and the threshold expires, the canister is uninstalled: code and data are deleted permanently. See [Canister settings](../canister-management/settings.md) for full configuration details.
-
-## Noisy neighbor protection
-
-Multiple canisters share the same subnet. If a neighboring canister consumes excessive compute or memory, it can slow your canister's response times. You can reserve resources to protect against this:
-
-### Compute allocation
-
-Setting `compute_allocation` guarantees your canister a percentage of an execution core and ensures scheduled execution even when the subnet is busy:
-
-```yaml
-# icp.yaml: settings nested under canister name
-canisters:
-  - name: backend
-    settings:
-      compute_allocation: 10  # Guaranteed 10% of one execution core
-```
-
-A value of `10` means the canister is scheduled at least every 10 consensus rounds. Compute allocation incurs an ongoing rental fee (10M cycles per percentage point per second on a 13-node subnet). Only set it if you need guaranteed throughput under load. See [Cycles costs](../../references/cycles-costs.md#compute-allocation).
-
-### Memory allocation
-
-Setting `memory_allocation` reserves a fixed pool of memory for your canister, preventing other canisters from consuming the subnet's available memory:
-
-```yaml
-# icp.yaml: settings nested under canister name
-canisters:
-  - name: backend
-    settings:
-      memory_allocation: 4gib
-```
-
-Memory allocation is charged as if the full allocated amount were in use. Monitor actual memory usage to avoid paying for unused allocation.
-
-## Monitoring cycle consumption
-
-Cycle drain attacks appear as unusual spikes in consumption. Set up monitoring before deploying to mainnet:
-
-```bash
-# Check current cycle balance
-icp canister status backend -e ic
-
-# Check balance of a specific canister by ID
-icp canister status <canister-id> -e ic
-```
-
-Key metrics to monitor:
-
-- **Balance**: alert when balance drops below a safe threshold (e.g., 2x the freezing threshold reserve)
-- **Burn rate**: track cycles per day; a sudden spike indicates unexpected activity
-- **Memory usage**: track growth over time; sudden jumps suggest user-driven data accumulation
-
-For production canister monitoring, consider automating balance checks with a heartbeat or timer canister that sends an alert notification when the balance approaches the freezing threshold.
-
-## Handling expensive operations safely
-
-Chain-key signing (threshold ECDSA/Schnorr), HTTPS outcalls, and Bitcoin API calls are significantly more expensive than standard update calls. These make attractive targets for attackers:
-
-- **Require authentication**: never allow anonymous callers to trigger expensive operations.
-- **Apply per-caller locking**: use the CallerGuard pattern to prevent the same caller from queuing multiple expensive calls.
-- **Charge callers**: for canister-to-canister calls, require the calling canister to attach cycles to cover the cost. The called canister accepts the cycles using `ic0.msg_cycles_accept` (Rust: `ic_cdk::api::msg_cycles_accept(max_amount: u128)`).
-- **Differentiate update vs. query**: move expensive computations to update calls and use query calls for cheap reads. Check whether a method is running as a query or update with `ic0.in_replicated_execution()` (Rust: `ic_cdk::api::in_replicated_execution()`).
-
-## Next steps
-
-- [Access management](access-management.md): caller checks, anonymous principal rejection, and role-based guards
-- [Inter-canister call safety](inter-canister-calls.md): TOCTOU vulnerabilities and the CallerGuard pattern
-- [Canister settings](../canister-management/settings.md): freezing threshold, memory allocation, and compute allocation
-- [Cycles costs](../../references/cycles-costs.md#cost-table): exact cost tables and resource limits
-- [Security model](../../concepts/security.md): IC trust boundaries and threat model overview
-
-<!-- Upstream: informed by dfinity/portal docs/building-apps/security/dos.mdx; icskills: canister-security -->
+<!-- Upstream: dfinity/portal — building-apps/security/dos.mdx -->
diff --git a/docs/guides/security/encryption.mdx b/docs/guides/security/encryption.mdx
index 3480abb..655618c 100644
--- a/docs/guides/security/encryption.mdx
+++ b/docs/guides/security/encryption.mdx
@@ -2,7 +2,7 @@
 title: "Encryption with VetKeys"
 description: "Encrypt and decrypt data on ICP using VetKeys for privacy, key management, and identity-based encryption"
 sidebar:
-  order: 6
+  order: 14
 ---
 
 import { Tabs, TabItem } from '@astrojs/starlight/components';
diff --git a/docs/guides/security/formal-verification.md b/docs/guides/security/formal-verification.md
new file mode 100644
index 0000000..c04f250
--- /dev/null
+++ b/docs/guides/security/formal-verification.md
@@ -0,0 +1,34 @@
+---
+title: "Security Best Practices: Formal Verification"
+description: "Applying formal verification and TLA+ model checking to find and prove the absence of security bugs in ICP canisters."
+sidebar:
+  order: 13
+---
+
+Formal verification is the highest form of quality assurance for software. Given a specification of what the system should do, formal verification tools check whether this specification is satisfied by a model of the system. The unique advantage of formal verification is that it can not only find bugs but also formally **prove** their absence — including the absence of security bugs. This goes beyond what testing or manual audits can achieve.
+
+The proof is always relative to the model and the specification. Any simplifications and assumptions in the model, or omissions in the specification, may hide bugs and attacks. On the other hand, verification can require a lot of effort, and model simplifications can make it significantly easier.
+
+For a concrete example, when verifying the ckBTC minter canister, the DFINITY team used models that exclude the possibility of calling the `update_balance` canister method more than 2 times concurrently. This potentially misses attacks that require 3 or more concurrent calls to `update_balance` to trigger a bug. But we considered such bugs highly unlikely, and, in return, we were able to run a fully automatic verification process, which was much cheaper than other verification methods.
+
+There are many existing formal verification tools. While none of them take into account the specifics of ICP yet, many of them are general enough that they can be applied to canisters. In particular, the DFINITY team has made good use of the TLA+ toolkit to combat reentrancy bugs, a type of concurrency bug where one method of a particular canister is called while another one is still executing.
+
+These bugs are particularly difficult to find, as they can involve unexpected interactions of code scattered throughout a canister or even in different canisters. The number of such code interactions may be huge and thus difficult for humans to detect. These interactions are usually difficult to test automatically and systematically, which TLA+ can do.
+
+## TLA+
+
+The Temporal Logic of Actions (TLA+) is a language for specifying and verifying complex systems. TLA+ comes with a set of tools for lightweight formal verification in the form of so-called model checking. Through model checking, it exhaustively (within bounds, such as the aforementioned 2 concurrent calls bound) explores all possible concurrent interactions of a model of the code — exactly the domain that is difficult to test — and finds bugs.
+
+Importantly, after building the model of the code, model checking runs with virtually no further human input, making it highly cost-effective. To illustrate with some made-up numbers: if the industry standard practices (such as testing and security reviews) eliminate 80% of the bugs, and "heavyweight" formal verification eliminates 99.99%, with TLA+ you can eliminate 90% with a fraction of the effort of the heavyweight verification.
+
+We have used TLA+ to create the following models that can be interesting for dapp developers:
+
+- NNS and SNS governance (focusing on interactions with the ledger canister).
+- ICP ledger (focusing on block archival).
+- ckBTC minter.
+- SNS swap canister.
+- People parties dapp.
+
+To find out more on why and how you can apply TLA+ to your canisters and dapps, including an in-depth guide to modeling canisters, refer to our series of blog posts ([1](https://medium.com/dfinity/eliminating-smart-contract-bugs-with-tla-e986aeb6da24), [2](https://medium.com/dfinity/weeding-out-the-bugs-with-tla-models-3606045bf24e), [3](https://mynosefroze.com/blog/2023-08-09-tla_for_canisters)). You can also look at the [DFINITY-produced TLA+ models](https://github.com/dfinity/formal-models) for examples and techniques.
+
+<!-- Upstream: dfinity/portal — building-apps/security/formal-verification.mdx -->
diff --git a/docs/guides/security/https-outcalls.md b/docs/guides/security/https-outcalls.md
new file mode 100644
index 0000000..cfd3280
--- /dev/null
+++ b/docs/guides/security/https-outcalls.md
@@ -0,0 +1,97 @@
+---
+title: "Security Best Practices: HTTPS Outcalls"
+description: "Security best practices for canister HTTPS outcalls: API keys, rate limits, idempotency, response consistency, and input validation."
+sidebar:
+  order: 7
+---
+
+## Do not store sensitive data such as API keys in canisters
+
+### Security concern
+
+Sensitive data is a broad term that varies depending on your application logic and behavior. Here is a non-exhaustive list of secrets that are typically considered sensitive, such as API keys or tokens:
+* Secrets that allow interaction with non-public endpoints.
+* Secrets that allow querying or modifying endpoints with confidential data.
+* API tokens that are fee-based.
+
+By default, the data stored inside your canister is unencrypted. Therefore, if your canister is installed on a malicious replica, it can easily retrieve and steal your keys, tokens, and secrets in plain text.
+
+### Recommendation
+
+Make sure you don't store sensitive data inside your canister.
+
+See also: [data confidentiality on ICP](./misc.md#data-confidentiality-on-icp).
+
+## Ensure your canisters have a sufficiently large quota with the HTTP server
+
+### Security concern
+
+When an HTTPS outcall is performed, it is amplified by the number of replicas in the subnet. The target web server will receive not only one request but as many requests as the number of nodes in the subnet.
+
+Most web servers implement some sort of rate limiting; this is a mechanism used to restrict the number of requests a client can make to a web server within a specific time period, preventing abuse or excessive usage of their API(s).
+
+### Recommendation
+
+You should consider such rate limits when designing and implementing your canisters. Rate limits are enforced using different time granularities, e.g., seconds or minutes. For second-granularity enforcement, make sure that the simultaneous requests by all subnet replicas do not violate the quota. Violations may lead to temporary or permanent bans.
+
+See the [HTTPS outcalls guide](../backends/https-outcalls.mdx) for more details.
+
+## Only make HTTPS outcall requests to idempotent endpoints
+
+### Security concern
+
+As mentioned before, if an HTTPS outcall is performed, it is amplified by the number of replicas in the subnet. That means the queried endpoint will receive the same request several times. This is especially risky in requests that change the endpoint state, given that one HTTPS outcall could lead to unintentionally changing the endpoint state several times.
+
+### Recommendation
+
+Make sure the endpoints, called by an HTTPS outcall, are idempotent, such that the queried endpoint has the same behavior with the same request payload, no matter the number of times it is called.
+
+Some servers support the use of idempotency keys. These keys are random unique strings submitted in the HTTP request as headers. If used with the HTTPS outcalls feature, all requests sent by each honest replica will contain the same idempotency key. This allows the server to recognize duplicated requests (i.e., requests with the same idempotency key), handle just one, and modify the server state only once. Note that this is a feature that must be supported by the server.
+
+See the [HTTPS outcalls guide](../backends/https-outcalls.mdx) for more details.
+
+## Ensure HTTPS responses are identical
+
+### Security concern
+
+When replicas of a subnet receive HTTP responses, these responses must be identical. Otherwise, consensus won't be achieved, and the HTTP response will be rejected but still charged.
+
+### Recommendation
+
+Make sure the HTTP responses sent to the consensus layer are identical.
+
+Ideally, the HTTP responses returned by the queried endpoint would always be the same. However, most of the time this is not possible to control, and the responses include random data (e.g., the response includes timestamps, cookie values, or some sort of identifiers). In those cases, make sure to use transformation functions to guarantee that the responses received by each replica are identical by removing any random data or extracting only the relevant data.
+
+This applies to the HTTP response body and headers. Make sure to consider both when applying the transformation functions. Response headers are often overlooked and lead to failure because of failed consensus.
+
+See the [HTTPS outcalls guide](../backends/https-outcalls.mdx) for more details.
+
+## Be aware of HTTP request and response sizes
+
+### Security concern
+
+The pricing of HTTPS outcalls is determined by the size of the HTTP request and the maximal response size, among other variables. Thus, if big requests are made, this could quickly drain the canister's cycles balance. This can be risky in scenarios where HTTPS outcalls are triggered by user actions (rather than a heartbeat or timer invocation).
+
+### Recommendation
+
+When using HTTPS outcalls, be mindful of the HTTP request and response sizes. Ensure that the size of the request issued and the size of the HTTP response coming from the server are reasonable.
+
+When making an HTTPS outcall, it is possible — and highly recommended — to define the `max_response_bytes` parameter, which allows you to set the maximum allowed response size. If this parameter is not defined, it defaults to the hard response size limit of the HTTPS outcalls feature, which is 2MiB. The cycle cost of the response is always charged based on the `max_response_bytes` or 2MB if not set.
+
+Finally, be aware that users may incur cycles costs for HTTPS outcalls in case these calls can be triggered by user actions.
+
+See the [cycles costs reference](../../references/cycles-costs.md) for pricing details.
+
+## Perform input validation in HTTPS outcalls
+
+### Security concern
+
+HTTPS outcalls that use user-submitted data are susceptible to various injection attacks. This may lead to several issues, such as the ones previously mentioned.
+
+### Recommendation
+
+Perform input validation when using user-submitted data in the HTTPS outcalls.
+
+See the [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) for more information.
+
+<!-- Upstream: dfinity/portal — building-apps/security/https-outcalls.mdx -->
diff --git a/docs/guides/security/inter-canister-calls.md b/docs/guides/security/inter-canister-calls.md
index 2f5414b..fa5ce3b 100644
--- a/docs/guides/security/inter-canister-calls.md
+++ b/docs/guides/security/inter-canister-calls.md
@@ -1,483 +1,342 @@
 ---
-title: "Inter-Canister Call Safety"
-description: "Handle reentrancy, callback traps, and async safety in inter-canister calls"
+title: "Security Best Practices: Inter-Canister Calls"
+description: "Security best practices for handling traps in callbacks, message ordering, rejected calls, and untrustworthy canisters."
 sidebar:
-  order: 5
+  order: 2
 ---
 
-Inter-canister calls are the most common source of security bugs on the Internet Computer. The async messaging model creates a class of vulnerabilities that do not exist in synchronous systems: state can change between an `await` and its response, traps in callbacks can skip security-critical operations, and calls to untrusted canisters can permanently block upgrades.
+To understand the issues around async inter-canister calls, one needs to understand the [properties of message execution on ICP](../../references/message-execution-properties.md). Understanding these properties is a prerequisite for understanding the security issues discussed below.
 
-This guide covers the specific patterns you must apply whenever your canister makes an inter-canister call.
+This is also explained in the [community conversation on security best practices](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s).
 
-## Why inter-canister calls are dangerous
+## Securely handle traps in callbacks
 
-When your canister `await`s a call to another canister, the IC scheduler can interleave other incoming messages while your canister waits for the response. This means:
+### Security concern
 
-- State your canister read before the `await` may be different when the callback runs.
-- A second call from the same user can arrive and begin executing before the first call's callback completes.
-- If the callback traps, any mutations made in the callback are rolled back: but mutations made before the `await` are already committed.
+Traps and panics roll back the canister state, as described in [Property 5](../../references/message-execution-properties.md#message-execution-properties). So any state change followed by a trap or panic can be risky. This is an important concern when inter-canister calls are made. If a trap occurs after an await to an inter-canister call, then the state is reverted to the snapshot before the inter-canister call's callback invocation, and not to the state before the entire call.
 
-The code before `await` and the code after `await` execute as **separate atomic message executions**. Understanding this is the foundation of inter-canister call security.
+More precisely, suppose some state changes are applied and then an inter-canister call is issued. Also, assume that these state changes leave the canister in an inconsistent state, and that state is only made consistent again in the callback. Now if there is a trap in the callback, this leaves the canister in an inconsistent state.
 
-## Reentrancy and the CallerGuard pattern
+Here are two example security issues that can arise because of this:
 
-A reentrancy bug occurs when a second message from the same caller interleaves with a first message that is still in progress: that is, awaiting a response. In DeFi contexts this enables double-spending: the attacker calls `withdraw()`, waits for it to begin the inter-canister transfer, then calls `withdraw()` again before the first call updates the balance.
+- Assume an inter-canister call is issued to transfer funds. In the callback, the canister accounts for having made that transfer by updating the balances in the canister storage. However, suppose the callback also updates some usage statistics data, which eventually leads to a trap when some data structure becomes full. As soon as that is the case, the canister ends up in an inconsistent state because the state changes in the callback are no longer applied, and thus the transfers are not correctly accounted for.
+  ![example_trap_after_await](/img/docs/security/example_trap_after_await.png)
+  This example is also discussed in this [community conversation](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s).
 
-The CallerGuard pattern prevents this by tracking which callers have an in-flight operation. When a second call arrives from the same caller, it is rejected before it can interleave.
+- Suppose part of the canister state is locked before an inter-canister call and released in the callback. Then the lock may never be released if the callback traps.
+  Note that in canisters implemented in Rust with Rust CDK version `0.5.1`, any local variables still go out of scope if a callback traps. The CDK actually calls into the `ic0.call_on_cleanup` API to release these resources. This helps to prevent issues with locks not being released, as it is possible to use Rust's Drop implementation to release locked resources, as we discuss in [Be aware that there is no reliable message ordering](#be-aware-that-there-is-no-reliable-message-ordering).
 
-### Motoko
+### Recommendation
 
-In Motoko, the guard must be released in a `finally` block. The `finally` block runs in cleanup context, where state changes are committed even if the `try` body trapped. If you release the guard inside the `try` body, a trap in the callback leaves the guard held forever. The caller is permanently locked out.
+Recall that the responses to inter-canister calls are processed in the corresponding callback. If the callback traps, the cleanup (ic0.call_on_cleanup) is executed. When making an inter-canister call, ICP reserves sufficiently many cycles to execute the response callback or cleanup, up to the instruction limit. A fixed fraction of the reservation is set aside for the cleanup. Thus, a response or cleanup execution can never "run out of cycles," but they can run into the instruction limit and trap.
 
-```motoko
-import Map "mo:core/Map";
-import Principal "mo:core/Principal";
-import Error "mo:core/Error";
-import Result "mo:core/Result";
+The naïve recommendation to address the security concern described above would be to avoid traps. However, that can be very difficult to achieve due to the following reasons:
 
-// Inside your persistent actor class { ... }
-// Replace otherCanister with your canister reference.
+- The implementation can be involved and could panic due to bugs, such as index out-of-bounds errors or panics (expect, unwrap) that should supposedly never happen.
 
-let pendingRequests = Map.empty<Principal, Bool>();
+- It is hard to make sure the callback or cleanup doesn't run into the instruction limit and thus traps, because the number of instructions required can in general not be predicted and may depend on the data being processed.
 
-func acquireGuard(principal : Principal) : Result.Result<(), Text> {
-  if (Map.get(pendingRequests, Principal.compare, principal) != null) {
-    return #err("already processing a request for this caller");
-  };
-  Map.add(pendingRequests, Principal.compare, principal, true);
-  #ok
-};
+Due to these reasons, while it is easy to recommend "avoiding traps", this is actually hard to achieve in practice. Therefore, code should be written so that it can deal even with unexpected traps due to bugs or hitting the instruction limits. There are two approaches:
 
-func releaseGuard(principal : Principal) {
-  ignore Map.delete(pendingRequests, Principal.compare, principal);
-};
+1. Perform simple cleanups
+1. Utilize "journaling."
 
-public shared ({ caller }) func withdraw(amount : Nat) : async Result.Result<(), Text> {
-  if (Principal.isAnonymous(caller)) {
-    return #err("anonymous caller not allowed");
-  };
+In the first approach, the cleanup callback is used to recover from unexpected panics. This can work, but it has several drawbacks:
+- The cleanup itself could panic, in which case one is in the initial problematic situation again. The risk may be acceptable for simple cleanups, but as discussed above, it is hard to write code that never panics, especially if it is somewhat complex.
+- As of version 0.12.0, Motoko provides the `try`/`finally` feature to clean up temporary resource allocations in a structured way. Cleanup is used (as formerly) internally by Motoko to perform some state manipulations and now allows inserting programmer-written code also. If an execution path after `await` traps, all `finally` blocks in (dynamic) scope will be executed as a last-resort measure. Be aware that `finally` is not a magical construct to end all trap worries, as trapping in the `finally` blocks themselves can still leave your canister in an inconsistent state. Thus we recommend keeping your `finally` code clear and concise and paying special attention to reviewing it well.
+- As discussed above, the Rust CDK has a feature that automatically releases local variables in cleanup, which [can be used to release locks](#recommendation-1). Since only one cleanup callback can be defined, any custom cleanup would currently have to implement that feature itself if needed, making this currently hard to use and understand.
 
-  // Acquire per-caller lock before any state reads or async calls.
-  switch (acquireGuard(caller)) {
-    case (#err(msg)) { return #err(msg) };
-    case (#ok) {};
-  };
+Instead, "journaling" is the recommended way of addressing the problem at hand.
 
-  try {
-    // Read state and make the inter-canister call here.
-    let result = await otherCanister.transfer(caller, amount);
-    #ok(result)
-  } catch (e) {
-    #err("transfer failed: " # Error.message(e))
-  } finally {
-    // Runs in cleanup context regardless of success or trap.
-    // State mutations here are always committed.
-    releaseGuard(caller);
-  };
-};
-```
+### Journaling
 
-### Rust
+Journaling can be used for ensuring that tasks are completed correctly in an asynchronous context, where any instruction or async task can fail. Journaling is generally useful in any security-critical application canister on ICP. The journaling concept we describe here is inspired and adapted from journaling in file systems.
 
-In Rust, the `Drop` trait releases the lock when the guard goes out of scope: including when the async function is cancelled or a trap occurs. Never write `let _ = CallerGuard::new(caller)?`: the leading underscore drops the guard immediately, making locking ineffective. Always bind to a named variable: `let _guard = CallerGuard::new(caller)?`.
+Conceptually, a journal is a chronological list of records kept in a canister's storage. It keeps track of tasks before they begin and when they are completed. Before each failable task, the journal records the intent to execute the task, and after the task, the journal records the result. The journal supports idempotent task flows by providing the necessary information for the canister to resume flows that failed to complete, report progress for ongoing flows, and report results for completed flows. Retries can be initiated by calls, automatically on a [heartbeat](../backends/timers.mdx#heartbeats-legacy) or using [timers](../backends/timers.mdx). If the task flow was completed in a heartbeat or a timer, a user can take advantage of idempotency to check the result.
 
-```rust
-use std::cell::RefCell;
-use std::collections::BTreeSet;
-use candid::Principal;
-use ic_cdk::update;
-use ic_cdk::api::msg_caller;
-use ic_cdk::call::Call;
+Creating a record in the journal is called "journaling." For example, to make an unreliable async call to a ledger:
 
-// Replace other_canister_id() with your canister's ID lookup.
+1. Check the journal to ensure the transfer is not already in progress. If it is already in progress, go into recovery (see the [Recovery](#recovery) section below). Otherwise, journal the intent to call a ledger to transfer 1 token from A to B. The journaled intent should contain sufficient context to later identify what happened to the call.
 
-thread_local! {
-    static PENDING: RefCell<BTreeSet<Principal>> = RefCell::new(BTreeSet::new());
-}
+    - An "in progress" transfer would show in the journal as an entry containing intent to do the transfer without an entry containing the result of the transfer call.
 
-struct CallerGuard {
-    principal: Principal,
-}
+1. Call the ledger to transfer 1 token from A to B.
 
-impl CallerGuard {
-    fn new(principal: Principal) -> Result<Self, String> {
-        PENDING.with(|p| {
-            if !p.borrow_mut().insert(principal) {
-                return Err("already processing a request for this caller".to_string());
-            }
-            Ok(Self { principal })
-        })
-    }
-}
+1. Journal the result of the transfer.
 
-impl Drop for CallerGuard {
-    fn drop(&mut self) {
-        PENDING.with(|p| {
-            p.borrow_mut().remove(&self.principal);
-        });
-    }
-}
+    - On failure, record the error.
 
-#[update]
-async fn withdraw(amount: u64) -> Result<(), String> {
-    let caller = msg_caller();
-    if caller == Principal::anonymous() {
-        return Err("anonymous caller not allowed".to_string());
-    }
+    - On success, record success. In order to commit the record, an inter-canister call can be made to an endpoint on the same canister that does nothing. Otherwise, a trap could erase the journaled result, complicating recovery.
 
-    // Acquire per-caller lock. Drop releases the lock when _guard goes out of scope.
-    let _guard = CallerGuard::new(caller)?;
+1. Continue onto the next blocked task.
 
-    // Make the inter-canister call while the lock is held.
-    Call::bounded_wait(other_canister_id(), "transfer")
-        .with_args(&(caller, amount))
-        .await
-        .map_err(|e| format!("transfer failed: {:?}", e))?;
+    - "Blocked tasks" are those that require step 3 to be completed before execution.
 
-    Ok(())
-    // _guard dropped here: lock released
-}
-```
-
-## State mutations before and after await
+    - A blocked task may depend on the success or failure recorded in step 3.
 
-Because the code before `await` and the code after `await` are separate message executions, you must treat them independently when reasoning about consistency.
+    - Examples of blocked tasks:
 
-**The critical rule:** If your canister mutates state before an `await`, that mutation is committed even if the callback traps.
+    - On failure, log the failure in a user-visible log, and if less than 5 failures have occurred, make a new transfer outcall with the same parameters.
 
-### Example: deduct before transferring
+        - On success, update the internal accounting of assets to conform to the result of the transfer.
 
-In a token transfer flow, deduct the balance before the inter-canister call rather than after. If the call fails, refund in the callback. This approach is safe: if the callback traps, the pre-deducted balance stays deducted (you can detect and remediate the stuck state. If you deduct after the call and the callback traps, the transfer happened but the balance was never deducted) funds are double-spent.
+    - Note that any independent task does not need to wait for any part of this flow.
 
-**Motoko:**
+The critical property of the journal is that at any point, if there is a failure, the journal is sufficient to determine what the next safe step should be. If, after step 1 (journal the intent),
+there is a failure in step 2 or 3, and step 3 has not been completed, then the application should complete step 3 by finding out what happened to the call in step 2. If finding out what happened to the call is too difficult to automate, it can be done manually. The journal can indicate whether a manual intervention is necessary and the type of intervention that is necessary.
+The fact that the intent has been journaled and the app knows not to reenter the flow until the result has been recorded means the journal acts as a lock on the critical section containing
+the ledger outcall. The lock will not get stuck, assuming the application can always find out what happened to a call. Enough context about the call should be recorded in the intent to ensure
+that this is the case. For the ICP ledger, an ID can be generated and recorded in the journaled intent, and the ledger can be called with the ID included in the memo so that the result of the
+call can be queried later.
 
-```motoko
-import Map "mo:core/Map";
-import Principal "mo:core/Principal";
-import Error "mo:core/Error";
-import Result "mo:core/Result";
+### Journaling is robust to panics
 
-// Inside your persistent actor class { ... }
-let balances = Map.empty<Principal, Nat>();
+Continuing the above example, consider a panic at any point.
+1. If there is panic before the async outcall, then the journaled intent will be lost. No state change occurred internally, and no outcalls were made, so the app is in a safe state. The next step is to record a new intent.
+1. If there is a panic after the async outcall and no self-call was used to commit the journal, the journaled result (step 3) will be lost. This means the app will need to determine the result and journal it before continuing to step 4. As long as it is possible to determine the result, the app can be brought back to a consistent state.
 
-public shared ({ caller }) func transfer(to : Principal, amount : Nat) : async Result.Result<(), Text> {
-  // 1. Validate balance before the await.
-  let balance = switch (Map.get(balances, Principal.compare, caller)) {
-    case (?b) b;
-    case null 0;
-  };
-  if (balance < amount) {
-    return #err("insufficient balance");
-  };
+### Journaling and audit events
 
-  // 2. Deduct BEFORE the await: mutation is committed regardless of callback outcome.
-  Map.add(balances, Principal.compare, caller, balance - amount);
-
-  // 3. Perform the inter-canister call.
-  try {
-    await ledgerCanister.transfer(to, amount);
-    #ok(())
-  } catch (e) {
-    // 4. Refund on failure: the deduction persists even if this try/catch runs.
-    let currentBalance = switch (Map.get(balances, Principal.compare, caller)) {
-      case (?b) b;
-      case null 0;
-    };
-    Map.add(balances, Principal.compare, caller, currentBalance + amount);
-    #err("transfer failed: " # Error.message(e))
-  }
-};
-```
+The journal can be used to augment the audit trail for recent events. However, it is probably too detailed for long-term storage. After a while, journal entries could be compressed and incorporated into long-term audit events. The process for creating audit events could itself be journaled.
 
-**Rust:**
+### Recovery
 
-```rust
-use std::cell::RefCell;
-use std::collections::BTreeMap;
-use candid::Principal;
-use ic_cdk::update;
-use ic_cdk::api::msg_caller;
-use ic_cdk::call::Call;
+The journal ensures the application knows that recovery from an error is needed and aids in making recovery decisions. In order to support the recovery process, the journal should support querying all unresolved tasks of a certain type and tasks of a certain type that resulted in an error. Given an intent, the journal should also be able to return the result if it exists and indicate if it does not exist.
 
-// Replace ledger_canister_id() with your canister's ID lookup.
+Note that recovery can often be complex to automate. In such cases, the journal can support a manual recovery process.
+Extending the ledger example above, a recovery process could look as follows:
 
-thread_local! {
-    static BALANCES: RefCell<BTreeMap<Principal, u64>> =
-        RefCell::new(BTreeMap::new());
-}
+1. There is a panic, and the status of the ledger call is unknown. However, the journal has recorded that a call to transfer with particular parameters and a memo has been made, including the deduplication timestamp of the transfer.
+1. The app calls the ledger to determine whether a transaction with the journaled parameters has succeeded on the ledger. Due to the guarantee that any pair of messages that are both executed are always executed in the order issued, if the ledger indicates that the transaction has not occurred, then the transaction will never occur.
+1. The app journals the result of the transfer call.
+1. The app journals the intention to update internal state according to the result of the transfer call, then updates the internal state, and finally journals the result of the attempt to update the internal state. Journaling this step is still useful even if it does not contain outcalls, because outcalls may be introduced later, and the step could conflict with other processes that are not atomic.
 
-#[update]
-async fn transfer(to: Principal, amount: u64) -> Result<(), String> {
-    let caller = msg_caller();
-
-    // 1. Validate and deduct BEFORE the await.
-    BALANCES.with(|b| {
-        let mut balances = b.borrow_mut();
-        let balance = balances.get(&caller).copied().unwrap_or(0);
-        if balance < amount {
-            return Err("insufficient balance".to_string());
-        }
-        balances.insert(caller, balance - amount);
-        Ok(())
-    })?;
-
-    // 2. Make the inter-canister call.
-    let result = Call::bounded_wait(ledger_canister_id(), "transfer")
-        .with_args(&(to, amount))
-        .await;
-
-    if let Err(e) = result {
-        // 3. Refund on failure.
-        BALANCES.with(|b| {
-            let mut balances = b.borrow_mut();
-            let current = balances.get(&caller).copied().unwrap_or(0);
-            balances.insert(caller, current + amount);
-        });
-        return Err(format!("transfer failed: {:?}", e));
-    }
+Note that querying the ICP ledger or an ICRC ledger to determine whether a transaction has succeeded is not straightforward to automate, so it could be done manually.
 
-    Ok(())
-}
-```
+### Example implementation of journaling
 
-## Callback traps and security-critical cleanup
+GoldDAO's GLDT-swap has an implementation of journaling. In their case, the journal entries are recorded in the "registry." Note that in GLDT-swap there is also a separate concept of "record," which is a permanent audit trail and is not used for journaling. Some error paths require manual recovery. See the following reference points:
 
-A trap in an inter-canister call callback is particularly dangerous: the callback's state mutations are rolled back, but the pre-`await` mutations are not. A malicious callee can induce a trap in your callback to skip actions that should always run: like debiting an account.
+- Registry (journal) structure:
+    - https://github.com/GoldDAO/gold-dao/blob/ledger-v1.0.0/canister/gldt_core/src/registry.rs#L18
+    - https://github.com/GoldDAO/gold-dao/blob/ledger-v1.0.0/canister/gldt_core/src/lib.rs#L654
+- The registry is used in `notify_sale_nft_origyn` to record progress and enforce correctness of the flow.
+    - https://github.com/GoldDAO/gold-dao/blob/ledger-v1.0.0/canister/gldt_core/src/lib.rs#L910
+    - Note that not all details of the flow appear in the registry. The amount of detail to include depends on one's goals for recovery.
 
-To protect against this:
+## Be aware that there is no reliable message ordering
 
-1. **Keep callbacks minimal.** The less logic in a callback, the fewer opportunities for a trap.
-2. **Use `finally` (Motoko) or `Drop` guards (Rust) for cleanup.** Cleanup that runs in `finally` or in `drop()` executes in cleanup context where mutations persist even after a trap.
-3. **Avoid calling untrusted canisters** from callbacks that perform security-critical state changes. The callee can cause your callback to trap.
+### Security concern
 
-### Motoko: cleanup in finally
+As described in the [properties of message executions on ICP](../../references/message-execution-properties.md), messages (but not entire calls) are processed atomically. In particular, as described in Property 4 in that document, messages from interleaving calls do not have a reliable execution ordering. Thus, the state of the canister (and other canisters) may change between the time an inter-canister call is started and the time when it returns, which may lead to issues if not handled correctly. These issues are generally called 'reentrancy bugs' (see the [Ethereum best practices on reentrancy](https://consensysdiligence.github.io/smart-contract-best-practices/attacks/reentrancy/)). Note, however, that the messaging guarantees, and thus the bugs, on ICP are different from Ethereum.
 
-```motoko
-import Error "mo:core/Error";
+Here are two concrete and somewhat similar types of bugs to illustrate potential reentrancy security issues:
 
-// Inside your persistent actor class { ... }
-// Replace otherCanister with your canister reference.
+- **Time-of-check time-of-use issues:** These occur when some condition on global state is checked before an inter-canister call and then wrongly assuming the condition still holds when the call returns. For example, one might check if there is sufficient balance on some account, then issue an inter-canister call, and finally make a transfer as part of the callback message. When the second inter-canister call starts, it is possible that the condition that was checked initially no longer holds, because other ledger transfers may have happened before the callback of the first call is executed (see also Property 4 above).
 
-var operationInProgress = false;
+- **Double-spending issues**: Such issues occur when a transfer is issued twice, often because of unfavorable message scheduling. For example, suppose you check if a caller is eligible for a refund, and if so, transfer some refund amount to them. When the refund ledger call returns successfully, you set a flag in the canister storage indicating that the caller has been refunded. This is vulnerable to double-spending because the refund method can be called twice by the caller in parallel, in which case it is possible that the messages before issuing the transfer (including the eligibility check) are scheduled before both callbacks. A detailed explanation of this issue can be found in the [community conversation on security best practices](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s).
 
-public shared ({ caller }) func riskyOperation() : async () {
-  operationInProgress := true;  // Committed immediately
+### Recommendation
 
-  try {
-    await otherCanister.doSomething();
-    // ... callback logic
-  } catch (e) {
-    // Handle error
-    ignore Error.message(e);
-  } finally {
-    // Runs in cleanup context: mutation persists even if callback trapped.
-    operationInProgress := false;
-  }
-};
-```
+It is highly recommended to carefully review any canister code that makes async inter-canister calls (`await`). If two messages read or write the same state, review if there is a possible scheduling of these messages that leads to illegal transactions or an inconsistent state.
 
-### Rust: cleanup via Drop
+See also: "Inter-canister calls" section in [how to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
 
-```rust
-use std::cell::Cell;
-use ic_cdk::update;
-use ic_cdk::call::Call;
+To address issues around message ordering that can lead to bugs, one usually employs locking mechanisms to ensure that a caller or anyone can only execute an entire call, which involves several messages, once at a time. A simple example is also given in the [community conversation](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s) mentioned above.
 
-// Replace other_canister_id() with your canister's ID lookup.
+The locks would usually be released in the callback. That bears the risk that the lock may never be released in case the callback traps, as we discussed in [securely handle traps in callbacks](#securely-handle-traps-in-callbacks). The code examples below show how one can securely implement a lock per caller.
+- In Rust, one can use the drop pattern where each caller lock (`CallerGuard` struct) implements the `Drop` trait to release the lock. From Rust CDK version `0.5.1`, any local variables still go out of scope if the callback traps, so the lock on the caller is released even in that case. Technically, the CDK calls into the `ic0.call_on_cleanup` API to release these resources. Recall that `ic0.call_on_cleanup` is executed if the `reply` or the `reject` callback executed and trapped.
+- In Motoko, one can use the `try`/`finally` control flow construct. This construct guarantees that the lock is released in the `finally` block regardless of any errors or traps in the `try` or `catch` blocks.
 
-thread_local! {
-    static OPERATION_IN_PROGRESS: Cell<bool> = Cell::new(false);
-}
+**Motoko:**
 
-struct OperationGuard;
+```motoko
+import Result "mo:core/Result";
+import Map "mo:core/Map";
+import Error "mo:core/Error";
+import Principal "mo:core/Principal";
 
-impl Drop for OperationGuard {
-    fn drop(&mut self) {
-        // Runs when the guard is dropped, even during cleanup after a trap.
-        OPERATION_IN_PROGRESS.with(|f| f.set(false));
-    }
-}
+actor {
 
-#[update]
-async fn risky_operation() -> Result<(), String> {
-    OPERATION_IN_PROGRESS.with(|f| f.set(true)); // Committed immediately
+  let pending_requests = Map.empty<Principal, Bool>();
 
-    // _guard released (Drop called) when this function returns or is cancelled.
-    let _guard = OperationGuard;
+  private func guard(principal : Principal) : Result.Result<(), Error.Error> {
+    if (Map.get(pending_requests, Principal.compare, principal) != null) {
+      #err (Error.reject("Already processing a request for principal " # Principal.toText(principal)));
+    } else {
+      Map.add(pending_requests, Principal.compare, principal, true);
+      #ok;
+    };
+  };
 
-    Call::bounded_wait(other_canister_id(), "do_something")
-        .await
-        .map_err(|e| format!("call failed: {:?}", e))?;
+  private func drop_guard(principal : Principal) {
+    ignore Map.delete(pending_requests, Principal.compare, principal);
+  };
 
-    Ok(())
-}
+  public shared ({ caller }) func example_call_with_locking_per_caller() : async Result.Result<(), (Error.ErrorCode, Text)> {
+    var guard_acquired = false;
+    try {
+      // Try to create a lock for `caller`, return an error immediately if there is already a call in progress for `caller`
+      switch (guard caller) {
+        case (#ok) guard_acquired := true;
+        case (#err e) return (#err (Error.code e, Error.message e));
+      };
+      // do anything, call other canisters
+      #ok
+    } catch e {
+      #err (Error.code e, Error.message e);
+    } finally {
+      // Release the guard (only requests that have created a lock)
+      if guard_acquired {
+        drop_guard caller;
+      };
+    };
+  };
+};
 ```
 
-## Bounded vs unbounded wait
-
-The IC offers two kinds of inter-canister calls:
-
-| | `bounded_wait` | `unbounded_wait` |
-|---|---|---|
-| Timeout | 300 seconds (default) | No timeout |
-| If callee is unresponsive | Returns `SYS_UNKNOWN` error | Waits indefinitely |
-| Upgrade safety | Canister can be stopped and upgraded after timeout | Canister **cannot be stopped** while awaiting |
-| Use for | Calls to external or untrusted canisters | Calls to your own canisters you control |
-
-**The upgrade safety issue:** A canister cannot be stopped (and therefore cannot be upgraded) while it has outstanding unbounded-wait calls. If the callee is malicious or buggy and never responds, your canister is permanently stuck. Use `bounded_wait` for any call to a canister you do not control.
-
-### Motoko: bounded vs unbounded
-
-Motoko does not yet expose a direct API to switch between bounded and unbounded wait. The `await` keyword currently uses unbounded wait. For calls to untrusted canisters, prefer the system-level API (available via Rust) or structure your application so calls to untrusted canisters only go out from canisters you can afford to sacrifice.
-
-<!-- Needs human verification: Motoko bounded-wait API availability — as of current release, Motoko does not expose a bounded_wait equivalent. Verify against compiler release notes. -->
-
-### Rust: choose bounded_wait for untrusted canisters
+**Rust:**
 
 ```rust
-use ic_cdk::call::Call;
-use candid::Principal;
-
-async fn call_trusted(canister: Principal, method: &str) -> Result<String, String> {
-    // Use unbounded_wait only for canisters you control.
-    Call::unbounded_wait(canister, method)
-        .await
-        .map_err(|e| format!("call failed: {:?}", e))?
-        .candid()
-        .map_err(|e| format!("decode failed: {:?}", e))
+pub struct State {
+    pending_requests: BTreeSet<Principal>,
 }
 
-async fn call_untrusted(canister: Principal, method: &str) -> Result<String, String> {
-    // Use bounded_wait for external or untrusted canisters.
-    // Default timeout is 300 seconds. Adjust with .change_timeout(seconds).
-    Call::bounded_wait(canister, method)
-        .await
-        .map_err(|e| format!("call failed: {:?}", e))?
-        .candid()
-        .map_err(|e| format!("decode failed: {:?}", e))
+thread_local! {
+    static STATE: RefCell<State> = RefCell::new(State{pending_requests: BTreeSet::new()});
 }
-```
 
-## Response size limits
-
-All inter-canister call payloads (both requests and responses) are limited to **2 MB**. A request above 2 MB fails synchronously. A response above 2 MB causes the callee to trap.
+pub struct CallerGuard {
+    principal: Principal,
+}
 
-When reading large datasets across canisters, use pagination: return chunks of data per call rather than everything at once. Keep individual payloads under 1 MB to leave room for encoding overhead.
+impl CallerGuard {
+    pub fn new(principal: Principal) -> Result<Self, String> {
+        STATE.with(|state| {
+            let pending_requests = &mut state.borrow_mut().pending_requests;
+            if pending_requests.contains(&principal){
+                return Err(format!("Already processing a request for principal {:?}", &principal));
+            }
+            pending_requests.insert(principal);
+            Ok(Self { principal })
+        })
+    }
+}
 
-```motoko
-// Paginated query: avoid returning unbounded data
-// Requires: import Array "mo:core/Array"; import Nat "mo:core/Nat";
-public query func getItems(offset : Nat, limit : Nat) : async [Item] {
-  // Return at most `limit` items starting from `offset`.
-  // Caller makes multiple calls to retrieve all data.
-  Array.sliceToArray(items, offset, offset + Nat.min(limit, items.size() - offset))
-};
-```
+impl Drop for CallerGuard {
+    fn drop(&mut self) {
+        STATE.with(|state| {
+            state.borrow_mut().pending_requests.remove(&self.principal);
+        })
+    }
+}
 
-## Caller identity across await points
+#[update]
+#[candid_method(update)]
+async fn example_call_with_locking_per_caller() -> Result<(), String> {
+    let caller = ic_cdk::caller();
+    // using `?`, return an error immediately if there is already a call in progress for `caller`
+    // warning: never use `let _ = CallerGuard::new(caller)?`, because this will drop the guard immediately
+    // and locking would not be effective
+    let _guard = CallerGuard::new(caller)?;
+    // do anything, call other canisters
+    Ok(())
+} // here the guard goes out of scope and is dropped
+
+mod test {
+    use super::*;
+
+    #[test]
+    fn should_obtain_guard_for_different_principals() {
+        let principal_1 = Principal::anonymous();
+        let principal_2 = Principal::management_canister();
+        let caller_guard = CallerGuard::new(principal_1);
+        assert!(caller_guard.is_ok());
+        assert!(CallerGuard::new(principal_2).is_ok());
+    }
 
-In Motoko, the `caller` is captured as an immutable binding at function entry via `public shared ({ caller }) func`. This is safe across `await` points.
+    #[test]
+    fn should_not_obtain_guard_twice_for_same_principal() {
+        let principal = Principal::anonymous();
+        let caller_guard = CallerGuard::new(principal);
+        assert!(caller_guard.is_ok());
+        assert!(CallerGuard::new(principal).is_err());
+    }
 
-In Rust, the current ic-cdk executor preserves caller across `.await` points via protected tasks, but this is an implementation detail: not a language guarantee. Bind `msg_caller()` before the first `await` as a defensive practice.
+    #[test]
+    fn should_release_guard_on_drop() {
+        let principal = Principal::anonymous();
+        {
+            let caller_guard = CallerGuard::new(principal);
+            assert!(caller_guard.is_ok());
+        } // drop caller_guard as it goes out of scope here
+        // it is possible to get a guard again:
+        assert!(CallerGuard::new(principal).is_ok());
+    }
+}
+```
 
-```rust
-use ic_cdk::update;
-use ic_cdk::api::msg_caller;
-use ic_cdk::call::Call;
-use candid::Principal;
+This pattern can be extended to work for the following use cases:
 
-// Replace other_canister_id() with your canister's ID lookup.
+- A global lock that does not only lock per caller. For this, set a boolean flag in the canister state instead of using a `BTreeSet<Principal>` (Rust) or `Map<Principal, Bool>` (Motoko).
+- A guard that makes sure that only a limited number of principals are allowed to execute a method at the same time.
+  - Rust: Return an error in `CallerGuard::new()` in case `pending_requests.len() >= MAX_NUM_CONCURRENT_REQUESTS`.
+  - Motoko: Return an error in `guard` in case `Map.size(pending_requests) >= MAX_NUM_CONCURRENT_REQUESTS`.
+- A guard that limits the number of times a method can be called in parallel.
+  - Rust: Use a counter in the canister state that is checked and increased in `CallerGuard::new()` and decreased in `Drop`.
+  - Motoko: Increase a counter in the `guard` function and decrease it in the `drop` function.
+- A guard that makes sure that every task from a set of tasks can only be processed once, independent of the caller who triggered the processing. [View example project](https://github.com/dfinity/examples/tree/master/rust/guards).
+- A lock that uses a different type than `Principal` to grant access to the resource. [View an implementation using generic types](https://github.com/dfinity/examples/tree/master/rust/guards).
 
-#[update]
-async fn process() -> Result<(), String> {
-    // Capture caller BEFORE any await: defensive practice in Rust.
-    let caller: Principal = msg_caller();
+Finally, note that the same guard can be used in several methods to restrict parallel execution of them.
 
-    Call::bounded_wait(other_canister_id(), "validate")
-        .with_arg(caller)
-        .await
-        .map_err(|e| format!("validation failed: {:?}", e))?;
+## Handle rejected inter-canister calls correctly
 
-    // Use the captured binding, not msg_caller() again.
-    do_work_for(caller);
-    Ok(())
-}
+### Security concern
 
-fn do_work_for(_caller: Principal) {
-    // ...
-}
-```
+As stated by the [Property 6](../../references/message-execution-properties.md#message-execution-properties), inter-canister calls can fail in which case they result in a **reject**. See [reject codes](../../references/ic-interface-spec/https-interface.md#reject-codes) for more detail. The caller must correctly deal with the reject cases, as they can happen in normal operation, because of insufficient cycles on the sender or receiver side, or because some data structures like message queues are full.
 
-## canister_inspect_message is not called for inter-canister calls
+1. The call was issued as a bounded-wait (best-effort response) call, and the system responded with a `SYS_UNKNOWN` reject code. In this case, the caller cannot be a priori sure whether the call took effect or not.
+2. The system responded with a `CANISTER_ERROR` reject code. This indicates a bug in the ledger canister. In this case, it is still possible that the call had a partial effect on the ledger canister.
+3. The system responded with a `CANISTER_REJECT` reject code. This means that the call was explicitly rejected by the ledger canister. Normally, this indicates that the transfer didn't happen, but this depends on the ledger canister. The ICP ledger canister for example never rejects calls explicitly.
 
-`canister_inspect_message` (Motoko: `system func inspect`) runs only for **ingress messages**: calls from external users arriving at the boundary nodes. It is never called for inter-canister calls.
+### Recommendation
 
-This means any access control you implement in `inspect_message` does not protect your canister from being called by another canister. Always duplicate access checks inside the method body itself.
+When making inter-canister calls, always handle the error cases (rejects) correctly. Other than the `SYS_UNKNOWN` error code, these errors imply that the message has not been successfully executed. For `SYS_UNKNOWN`, follow the guidelines in the [safe retries and idempotency](../canister-calls/idempotency.md) document to handle this scenario correctly.
 
-For full details on access control patterns, see [access management](access-management.md).
+## Be aware of the risks involved in calling untrustworthy canisters
 
-## Handling rejected calls
+### Security concern
 
-Inter-canister calls can be rejected for reasons beyond your control: the callee may have trapped, run out of cycles, been stopped, or the system may have rejected the message due to resource pressure. Unhandled rejections trap your canister.
+- If inter-canister calls are made to potentially malicious canisters, this can lead to DoS issues, or there could be issues related to candid decoding. Also, the data returned from a canister call could be assumed to be trustworthy when it is not.
 
-Always handle the error result of an inter-canister call.
+- When a canister `C1` calls a canister `C2` using an unbounded-wait (guaranteed-response) inter-canister call, and `C2` stalls the response indefinitely by not responding, the result would be a DoS on `C1`. Additionally, since the call registers a callback on `C1`, `C1` can no longer be stopped because of the outstanding callback, and thus can no longer be cleanly upgraded. Recovery would require wiping the state of the canister by reinstalling it. Note that even if `C2` was trustworthy it could still stall indefinitely. This could happen due to a bug in `C2` (which may be unlikely to occur). But other causes could be a stall of the subnet hosting `C2` (assuming that `C1` and `C2` are on different subnets), or `C2` making a downstream call to an untrusted canister `C3`.
 
-**Motoko:** use `try/catch`:
+- In summary, this can DoS a canister, consume an excessive amount of resources, or lead to logic bugs if the behavior of the canister depends on the inter-canister call response.
 
-```motoko
-import Error "mo:core/Error";
-import Result "mo:core/Result";
+### Recommendation
 
-// Inside your persistent actor class { ... }
-// Replace otherCanister with your canister reference.
+- Making inter-canister calls to trustworthy canisters is safe, except for the (possibly unlikely) case that there is a bug in the callee or its subnet that makes it stall for a long time.
 
-public shared func callSomething() : async Result.Result<Text, Text> {
-  try {
-    let result = await otherCanister.someMethod();
-    #ok(result)
-  } catch (e) {
-    #err("call failed: " # Error.message(e))
-  }
-};
-```
+- Interacting with untrustworthy canisters is still possible by using a state-free proxy canister which could easily be re-installed if it is attacked as described above and is stuck. When the proxy is reinstalled, the caller obtains an error response to the open calls.
 
-**Rust:** handle the `Result` from `Call::bounded_wait`:
+- Sanitize data returned from inter-canister calls.
 
-```rust
-use ic_cdk::update;
-use ic_cdk::call::Call;
-use candid::Principal;
+- See the "Talking to malicious canisters" section in [how to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
 
-// Replace other_canister_id() with your canister's ID lookup.
+- See [current limitations of the Internet Computer](https://wiki.internetcomputer.org/wiki/Current_limitations_of_the_Internet_Computer), section "Calling potentially malicious or buggy canisters can prevent canisters from upgrading."
 
-#[update]
-async fn call_something() -> Result<String, String> {
-    let response = Call::bounded_wait(other_canister_id(), "some_method")
-        .await
-        .map_err(|e| format!("call rejected: {:?}", e))?;
 
-    response.candid::<String>()
-        .map_err(|e| format!("decode failed: {:?}", e))
-}
-```
+## Make sure there are no loops in call graphs
 
-## Summary checklist
+### Security concern
 
-Before shipping any canister that makes inter-canister calls:
+Loops in the call graph (e.g., canister A calling B, B calling C, C calling A) may lead to canister deadlocks.
 
-- **Reentrancy:** Apply CallerGuard (per-caller lock) to any method that makes an inter-canister call and reads or writes shared state.
-- **State ordering:** Deduct or commit before `await`; compensate on failure in the callback.
-- **Cleanup:** Use `finally` (Motoko) or `Drop` (Rust) for locks and cleanup that must always run.
-- **Wait type:** Use `bounded_wait` for calls to canisters you do not control; `unbounded_wait` only for your own canisters.
-- **Payload size:** Keep request and response payloads under 1 MB; paginate larger datasets.
-- **Caller capture:** In Rust, bind `msg_caller()` before the first `await`.
-- **Access control:** Do not rely on `canister_inspect_message` for inter-canister call security: always check the caller inside the method.
-- **Error handling:** Always handle the `Result` of every inter-canister call.
+### Recommendation
 
-## Next steps
+- Avoid such loops, or rely on bounded-wait calls instead, since these provide timeouts.
 
-- [Inter-canister calls](../canister-calls/inter-canister-calls.md#making-calls): Basic inter-canister call patterns and the `Call` API
-- [Parallel inter-canister calls](../canister-calls/parallel-inter-canister-calls.md): Running multiple calls concurrently and handling partial failures
-- [Security concepts](../../concepts/security.md): IC security model and threat landscape
+- For more information, see [current limitations of the Internet Computer](https://wiki.internetcomputer.org/wiki/Current_limitations_of_the_Internet_Computer), section "Loops in call graphs."
 
-<!-- Upstream: informed by dfinity/icskills — canister-security/SKILL.md, multi-canister/SKILL.md -->
+<!-- Upstream: dfinity/portal — building-apps/security/inter-canister-calls.mdx -->
diff --git a/docs/guides/security/misc.md b/docs/guides/security/misc.md
new file mode 100644
index 0000000..2fa1560
--- /dev/null
+++ b/docs/guides/security/misc.md
@@ -0,0 +1,280 @@
+---
+title: "Security Best Practices: Miscellaneous"
+description: "Miscellaneous security best practices: data confidentiality, secure randomness, endpoint validation, testing, reproducible builds, monotonic time, and floating point."
+sidebar:
+  order: 11
+---
+
+## Data confidentiality on ICP
+
+### Security concern
+
+When storing data on ICP, there are two levels of data access.
+
+1. Nodes are able to read all data that is stored on a subnet. This includes all messages sent to or from a canister, along with all data stored in a canister. This means a node could extract all data available to a canister. This will change with the implementation of TEE-based security for nodes.
+
+2. End user clients can only access whatever data that nodes and canisters have made available to them. If the subnet's nodes do not misbehave and leak data, clients can only read the responses to ingress messages and queries that they have sent. The canister decides what data is exposed to the client.
+
+Partial information on data that is stored in the subnet state tree will always leak. Therefore, data with a low-entropy value may entirely leak and be fully exposed, such as a Boolean value that can only be either "True" or "False." Leakage on data with high entropy is negligible.
+
+There are two types of user-related data that may be stored in the subnet state tree. The first is when a user sends an ingress message to a canister; the message hash and the response are both stored in the subnet state tree to be retrieved securely by the client. The ingress message should contain a high-entropy nonce that is implemented by the agent and typically not exposed to the user. The message response is determined by the canister and may not contain a high-entropy value. If the canister response consists of a low-entropy value, then the data may be leaked to users other than the ingress message sender.
+
+The second type of user-related data is certified variables maintained by a canister that are also exposed through the subnet state tree. If a canister places low-entropy data into the state tree, then the data may leak to users who should not have access to that piece of data.
+
+### Recommendation
+
+For developers that need to protect the confidentiality of their data against external users, they should ensure that data in the subnet state tree has a sufficient level of entropy. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended.
+
+In particular, a canister can ensure that responses to ingress messages do not leak data to external users, other than the sender, by including high-entropy data in the response. Or, a canister can ensure that data in certified variables is not leaked by adding high-entropy data to the variables that should be kept confidential.
+
+Additionally, similarly to ingress message responses, a canister's private custom sections that contain low-entropy data could leak to unauthorized users. Therefore, a sufficient level of entropy for canister private custom sections should be used. 128 bits is recommended. If the data does not have enough entropy itself, then adding some artificial data using randomness would be recommended.
+
+## Using secure randomness in canisters
+
+Canister developers often require access to secure randomness in their canisters to perform certain operations. The requirements for a secure randomness source include:
+* **Unbiased:** The value shouldn't be influenced by anyone.
+* **Unpredictable:** The value is unknown to anyone before it is generated.
+
+ICP exposes the system API [`raw_rand`](../../references/ic-interface-spec/management-canister.md#ic-raw_rand) for this exact purpose, which accepts no input and returns 32 bytes of cryptographically secure randomness. It is always recommended to use `raw_rand` as a source of randomness in canisters and **avoid** using other sources with low entropy, such as current time.
+
+To illustrate the usage of `raw_rand`, two examples in Motoko and Rust can be found below, including the benefits and caveats around using them.
+
+### 1. Direct usage of `raw_rand` as the random number generator
+
+In this Motoko example, the canister provides the requested size of random bytes by calling `raw_rand`. However, it can only generate 32 bytes of secure randomness in a single message, and thus subsequent calls to the system API are required to fill the requested size.
+
+```motoko
+import Random "mo:core/Random";
+import Array "mo:core/Array";
+
+actor Randomness {
+  public func random_bytes(n : Nat) : async [Nat8] {
+    let byteArray : [var Nat8] = Array.init<Nat8>(n, 0);
+    let entropy = await Random.blob();
+    var f = Random.Finite(entropy);
+    var i = 0;
+    loop {
+      if (i == n) {
+        return Array.freeze<Nat8>(byteArray);
+      } else {
+        switch (f.byte()) {
+          case (?byte) {
+            byteArray[i] := byte;
+            i := i + 1;
+          };
+          case null {
+            let entropy = await Random.blob();
+            f := Random.Finite(entropy);
+          };
+        };
+      };
+    };
+  };
+};
+```
+
+#### Benefits:
+- The random bytes is guaranteed to be secure.
+
+#### Caveats:
+- The method doesn't scale when a large amount of random bytes is requested, as `raw_rand` must be called for every 32 bytes.
+
+### 2. Using `raw_rand` as seed for a pseudo random number generator (PRNG)
+
+In this Rust example, we seed the output from `raw_rand` in a known PRNG like ChaCha20 in the `init` and `post_upgrade` hooks and generate randomness by calling the `random_bytes` method.
+
+```rust
+use candid::{CandidType, Principal};
+use rand_chacha::rand_core::{RngCore, SeedableRng};
+use rand_chacha::ChaCha20Rng;
+use std::cell::RefCell;
+use std::time::Duration;
+
+thread_local! {
+    static RNG: RefCell<Option<ChaCha20Rng>> = RefCell::new(None);
+}
+
+const SEEDING_INTERVAL: Duration = Duration::from_secs(3600);
+
+#[derive(CandidType)]
+enum RngError {
+    RngNotInitialized(String),
+}
+
+type RandomBytesResult = Result<String, RngError>;
+
+async fn seed_randomness() {
+    let (seed,): ([u8; 32],) = ic_cdk::call(Principal::management_canister(), "raw_rand", ())
+        .await
+        .expect("Failed to call the management canister");
+    RNG.with_borrow_mut(|rng| *rng = Some(ChaCha20Rng::from_seed(seed)));
+}
+
+fn schedule_seeding(duration: Duration) {
+    ic_cdk_timers::set_timer(duration, || {
+        ic_cdk::spawn(async {
+            seed_randomness().await;
+            // Schedule reseeding on a timer with duration SEEDING_INTERVAL
+            schedule_seeding(SEEDING_INTERVAL);
+        })
+    });
+}
+
+#[ic_cdk::init]
+fn init() {
+    // Initialize randomness during canister install or reinstall
+    schedule_seeding(Duration::ZERO);
+}
+
+#[ic_cdk::post_upgrade]
+fn post_upgrade() {
+    // Initialize randomness after a canister upgrade
+    schedule_seeding(Duration::ZERO);
+}
+
+// This must always be an update method or the PRNG state won't be updated
+#[ic_cdk::update]
+fn random_bytes(size: u32) -> RandomBytesResult {
+    let mut buf = vec![0; size as usize];
+    RNG.with_borrow_mut(|rng| match rng.as_mut() {
+        Some(rand) => {
+            rand.fill_bytes(&mut buf);
+            Ok(hex::encode(buf))
+        }
+        None => Err(RngError::RngNotInitialized(
+            "Randomness is not initialized. Please try again later".to_string(),
+        )),
+    })
+}
+```
+
+#### Benefits:
+- This method scales for large random bytes, as `raw_rand` needs to be called only once, and subsequent PRNG computation is local to the canister.
+
+#### Caveats:
+- The `setup_randomness` must **always** be initialized in both the `init` and `post_upgrade` hook as `init` [is not invoked during a canister upgrade](../../references/ic-interface-spec/canister-interface.md#system-api-upgrades).
+- The `init` and `post_upgrade` methods don't allow async calls, and thus a timer is immediately scheduled to seed the randomness.
+- Once the seed is initialized, the outcome of all future `random_bytes` is predictable to anyone having the seed (node providers), as the PRNG is deterministic. This breaks the unpredictable property of secure randomness. Hence, to balance security vs. performance, we recommend frequently reseeding the PRNG on a timer. The example above already does this with a duration of **1 hour**. However, based on the sensitivity of their dapp, developers can choose an appropriate reseeding interval by setting `SEEDING_INTERVAL`.
+- The `random_bytes` must **always** be an `update` method, so the PRNG can preserve the state and offer unique randomness on every request.
+
+## Verify that your canister doesn't export malicious endpoints
+
+### Security concern
+
+Malicious code that could for example be introduced through a library in a supply chain attack could maliciously export canister endpoints, potentially leading to exposure of sensitive data, malicious canister state changes, or denial of service.
+
+### Recommendation
+
+Verify in your CI pipeline that the endpoints a canister's WASM exports are legitimate and as intended. [The `ic-wasm check-endpoints` command can be used for that purpose](https://github.com/dfinity/ic-wasm/blob/main/README.md#check-endpoints).
+
+## Test your canister code even in the presence of system API calls
+
+### Security concern
+
+Since canisters interact with the system API, it is harder to test the code because unit tests cannot call the system API. This may lead to a lack of unit tests.
+
+### Recommendation
+
+- Create loosely coupled modules that do not depend on the system API and unit test those. See this [recommendation](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)).
+
+- For the parts that still interact with the system API, create a thin abstraction of the system API that is faked in unit tests. See the [recommendation](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)). For example, one can implement a 'Runtime' as follows and then use the 'MockRuntime' in tests (code by Dimitris Sarlis):
+
+```rust
+use ic_cdk::api::{
+    call::call, caller, data_certificate, id, print, time, trap,
+};
+
+#[async_trait]
+pub trait Runtime {
+    fn caller(&self) -> Result<Principal, String>;
+    fn id(&self) -> Principal;
+    fn time(&self) -> u64;
+    fn trap(&self, message: &str) -> !;
+    fn print(&self, message: &str);
+    fn data_certificate(&self) -> Option<Vec<u8>>;
+    (...)
+}
+
+#[async_trait]
+impl Runtime for RuntimeImpl {
+    fn caller(&self) -> Result<Principal, String> {
+        let caller = caller();
+        // The anonymous principal is not allowed to interact with the canister.
+        if caller == Principal::anonymous() {
+            Err(String::from(
+                "Anonymous principal not allowed to make calls.",
+            ))
+        } else {
+            Ok(caller)
+        }
+    }
+
+    fn id(&self) -> Principal {
+        id()
+    }
+
+    fn time(&self) -> u64 {
+        time()
+    }
+
+    (...)
+
+}
+
+pub struct MockRuntime {
+    pub caller: Principal,
+    pub canister_id: Principal,
+    pub time: u64,
+    (...)
+}
+
+#[async_trait]
+impl Runtime for MockRuntime {
+    fn caller(&self) -> Result<Principal, String> {
+        Ok(self.caller)
+    }
+
+    fn id(&self) -> Principal {
+        self.canister_id
+    }
+
+    fn time(&self) -> u64 {
+        self.time
+    }
+
+    (...)
+
+}
+```
+
+## Make canister builds reproducible
+
+### Security concern
+
+It should be possible to verify that a canister does what it claims to do. ICP provides a SHA256 hash of the deployed WASM module. In order for this to be useful, the canister build has to be reproducible.
+
+### Recommendation
+
+Make canister builds reproducible. See this [recommendation](https://mmapped.blog/posts/01-effective-rust-canisters.html#reproducible-builds) (from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html)). See also the [developer docs on reproducible builds](../canister-management/reproducible-builds.md).
+
+## Don't rely on time being strictly monotonic
+
+### Security concern
+
+The time read from the system API is monotonic but not strictly monotonic. Thus, two subsequent calls can return the same time, which could lead to security bugs when the time API is used.
+
+### Recommendation
+
+See the "Time is not strictly monotonic" section in [How to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
+
+## Rust: Avoid floating point arithmetic for financial information
+
+### Security concern
+
+Floats in Rust may behave unexpectedly. There can be undesirable loss of precision under certain circumstances. When dividing by zero, the result could be `-inf`, `inf`, or `NaN`. When converting to an integer, this can lead to unexpected results. (There is no `checked_div` for floats.)
+
+### Recommendation
+
+Use [`rust_decimal::Decimal`](https://docs.rs/rust_decimal/latest/rust_decimal/) or [`num_rational::Ratio`](https://docs.rs/num-rational/latest/num_rational/). Decimal uses a fixed-point representation with base 10 denominators, and Ratio represents rational numbers. Both implement `checked_div` to handle division by zero, which is not available for floats. Numbers in common use, like 0.1 and 0.2, can be represented more intuitively with Decimal and can be represented exactly with Ratio. Rounding oddities like `0.1 + 0.2 != 0.3`, which happen with floats in Rust, do not arise with Decimal (see https://0.30000000000000004.com/ ). With Ratio, the desired precision can be made explicit. With either Decimal or Ratio, although one still has to manage precision, the above makes arithmetic easier to reason about.
+
+<!-- Upstream: dfinity/portal — building-apps/security/misc.mdx -->
diff --git a/docs/guides/security/observability.md b/docs/guides/security/observability.md
new file mode 100644
index 0000000..2f63c53
--- /dev/null
+++ b/docs/guides/security/observability.md
@@ -0,0 +1,22 @@
+---
+title: "Security Best Practices: Observability and Monitoring"
+description: "Security best practices for monitoring canister cycles, logs, and health indicators."
+sidebar:
+  order: 10
+---
+
+## Monitor your canister
+
+### Security concern
+
+Without monitoring, it can be hard to detect attacks or vulnerabilities that are being actively exploited. For example, a sudden increase in cycles consumption could indicate a DoS attack, while unexpected changes in canister state could indicate a security breach.
+
+### Recommendation
+
+- Monitor your canister's cycles balance regularly, set up alerts for sudden changes in cycles consumption, and add an endpoint to expose health indicators. See the [DoS prevention best practices](./dos-prevention.md) for more context on cycles monitoring.
+
+- Consider emitting logs for security-relevant events (e.g., access control failures, unexpected state transitions). Since logs are stored on-chain, they provide a tamper-resistant audit trail.
+
+- See [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html) for general patterns on canister observability.
+
+<!-- Upstream: dfinity/portal — building-apps/security/observability-and-monitoring.mdx -->
diff --git a/docs/guides/security/overview.md b/docs/guides/security/overview.md
new file mode 100644
index 0000000..b636382
--- /dev/null
+++ b/docs/guides/security/overview.md
@@ -0,0 +1,22 @@
+---
+title: "Security Best Practices Overview"
+description: "Introduction to the ICP security best practices for canister and web app developers."
+sidebar:
+  order: 1
+---
+
+This section provides security best practices for developing canisters and web apps served by canisters on ICP. These best practices are mostly inspired by issues found in security reviews.
+
+The goal of these best practices is to enable developers to identify and address potential issues early during the development of new dapps, and not only in the end when (if at all) a security review is done. Ideally, this will make the development of secure dapps more efficient.
+
+Some excellent canister best practices linked here are from [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html) and [how to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister). The relevant sections are linked in the individual best practices.
+
+## Target audience
+
+The target audience for these documents is any developer working on ICP canisters or web apps and anyone who reviews such code.
+
+## Disclaimers and limitations
+
+The collection of best practices may grow over time. While it is useful to improve the security of dapps on ICP, such a list will never be complete and will never cover all potential security concerns. For example, there will always be attack vectors very specific to a dapp's use cases that cannot be covered by general best practices. Thus, following the best practices can complement, but not replace, security reviews. Especially for security-critical dapps, it is recommended to perform security reviews or audits. Furthermore, please note that the best practices are currently not ordered according to risk or priority.
+
+<!-- Upstream: dfinity/portal — building-apps/security/overview.mdx -->
diff --git a/docs/guides/security/resources.md b/docs/guides/security/resources.md
new file mode 100644
index 0000000..9da048c
--- /dev/null
+++ b/docs/guides/security/resources.md
@@ -0,0 +1,39 @@
+---
+title: "Security Best Practices: Resources"
+description: "Important security resources and further reading for ICP canister and web app developers."
+sidebar:
+  order: 12
+---
+
+Below are resources which cover security best practices for technologies you are likely using in your dapp. These best practices are equally important as our Internet Computer specific guidelines and should be studied carefully. They can be useful to reference when developing secure dapps or executing security reviews.
+
+## General
+* [How to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister) by Joachim Breitner
+* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/)
+* [OWASP top ten](https://owasp.org/www-project-top-ten/)
+
+## Rust
+* [Secure Rust guidelines](https://anssi-fr.github.io/rust-guide/01_introduction.html), in particular [unsafe code](https://anssi-fr.github.io/rust-guide/04_language.html#unsafe-code), [overflows](https://anssi-fr.github.io/rust-guide/04_language.html#integer-overflows) and [Cargo-audit](https://anssi-fr.github.io/rust-guide/03_libraries.html#cargo-audit)
+  * For overflowing operations, consider using `saturated` or `checked` variants of these operations, such as `saturated_add`, `saturated_sub`, `checked_add`, `checked_sub`, etc. See e.g. the [Rust docs](https://doc.rust-lang.org/std/primitive.u32.html#method.saturating_add) for `u32`.
+
+## Crypto
+* [OWASP cryptographic failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) points out issues related to cryptography, or the lack thereof.
+* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/) (see Section V6)
+* **Use the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API).** Storing key material in the browser storage (such as [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) or [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)) is considered unsafe because these keys can be accessed by JavaScript code, e.g. in an XSS attack. To protect the private key from direct access, use Web Crypto's [generateKey](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey) with `extractable=false`.
+
+## Web security {#web-security}
+* Resources for setting security headers:
+  * [securityheaders.com](https://securityheaders.com/)
+  * [Permissions policy generator](https://www.permissionspolicy.com/)
+  * [Content security policy evaluator](https://csp-evaluator.withgoogle.com/) and [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html)
+  * [OWASP secure headers project](https://owasp.org/www-project-secure-headers/)
+* [SSL server test](https://www.ssllabs.com/ssltest/)
+* Don't use features that could lead to an XSS vulnerability, such as e.g. [@html in Svelte](https://svelte.dev/docs#template-syntax-html).
+* **Log out securely.** Clear all session data (especially [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) and [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)), clear [IndexedDB](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API), etc. on logout. Make sure other browser tabs showing the same origin are logged out if the logout is triggered in one tab. This may not happen automatically when the ICP JavaScript agent is used, since the ICP JavaScript agent keeps the private key in memory once initialized.
+
+## Testing
+These are some useful references for testing canisters which don't necessarily relate to security. However, having good test coverage is essential for developing secure applications.
+* In [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html): [test upgrades](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades), [make code target-independent](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent)
+* Consider [PocketIC](../testing/pocket-ic.md) for canister testing
+
+<!-- Upstream: dfinity/portal — building-apps/security/resources.mdx -->
diff --git a/docs/references/message-execution-properties.md b/docs/references/message-execution-properties.md
new file mode 100644
index 0000000..d22ad10
--- /dev/null
+++ b/docs/references/message-execution-properties.md
@@ -0,0 +1,78 @@
+---
+title: "Properties of Message Executions on ICP"
+description: "The 11 properties of message execution on ICP, covering atomicity, ordering guarantees, inter-canister call delivery, and cycle handling for bounded-wait and unbounded-wait calls."
+---
+
+## Asynchronous messaging model
+
+ICP relies on an asynchronous messaging model. Compared to synchronous messaging like on Ethereum, this provides performance advantages because multiple calls can be executed concurrently — and also in parallel, when multiple canisters are involved. However, asynchronous message execution can also lead to sometimes unexpected or unintuitive behavior. Therefore, it is important to understand the properties of message execution. Potential security issues that arise in this model, such as reentrancy bugs, are discussed in the [security best practices on inter-canister calls](../guides/security/inter-canister-calls.md).
+
+The [community conversation on security best practices](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s) also discusses the messaging properties.
+
+## Message execution properties
+
+To interact with a canister's methods, there are two primary types of **entry points** or **methods** that can be called, update and query methods. If the Rust CDK is used, these are usually annotated with `#[update]` or `#[query]`, respectively. In Motoko, updates are declared as `public func`, and queries use the dedicated keyword: `public query func`.
+
+These entry points can be called either by external users through the IC's HTTP interface, or by other canisters. ICP also supports additional [entry points](./ic-interface-spec/canister-interface.md#entry-points) such as heartbeats, timers, initialization or upgrade hooks. These cannot be called directly, but the properties listed in this document are still relevant for them, and in particular heartbeats and timers, as they behave like update methods that are called by the system.
+
+A **message execution** is a set of consecutive instructions that a subnet executes when a canister's method is invoked. The code execution for any such method can be split into several message executions if the method makes inter-canister calls. The following properties are essential:
+
+- **Property 1**: Only a single message execution is run at a time per canister. Message execution within a single canister is atomic and sequential, and never parallel.
+
+Note that parallel message execution over multiple canisters is possible — this property talks about just a single canister.
+
+- **Property 2**: Each downstream call that a canister makes, query or update, triggers a message. When using `await` on the response from an inter-canister call, the code after the `await` (the callback, highlighted in blue) is executed as a separate message execution.
+
+    For example, consider the following Motoko code:
+
+    ![example_highlighted_code](/img/docs/references/example_highlighted_code.png)
+
+    The first message execution spans the lines 2-3, until the inter-canister call is made using the `await` syntax (orange box). The second message execution spans lines 3-5 when the inter-canister call returns (blue box). This part is called the _callback_ of the inter-canister call. The two message executions involved in this example will always be scheduled sequentially.
+
+:::note
+An `await` in the code does not necessarily mean that an inter-canister call is made and thus a message execution ends and the code after the `await` is executed as a separate message execution (callback). Async code with the `await` syntax (e.g. in Rust or Motoko) can also be used "internally" in the canister, without issuing an inter-canister call. In that case, the code part including the `await` will be processed within a single message execution. For Rust, both cases are possible if `await` is used. An inter-canister call is only made if the system API `ic0.call_perform` is called, e.g. when awaiting result of the CDK's `call` method. In Motoko, `await` always commits the current state and triggers a new message send, while `await*` does not necessarily commit the current state or trigger new message sends. See [Motoko actors and async programming](../languages/motoko/fundamentals/actors-async.md) for details on `await` vs. `await*`.
+:::
+
+:::note
+In the Rust CDK, it is the `await` expression that triggers the canister call, rather than invoking the `call` function itself. That is, a call that is not `await`-ed is never executed. In Motoko, if the code does not `await` the response of a call, the call is still made, but the code after the call is executed in the same message execution, until the next inter-canister call is triggered using `await`. Also, multiple outgoing calls can be triggered in parallel from the same message execution; see the [parallel calls examples](https://github.com/dfinity/examples).
+:::
+
+- **Property 3**: Successfully delivered requests are received in the order in which they were sent. In particular, if a canister A sends `m1` and `m2` to canister B in that order, then, if both are accepted, `m1` is executed before `m2`.
+
+:::note
+This property only gives a guarantee on when the request messages are executed, but there is no guarantee on the ordering of the responses received.
+:::
+
+- **Property 4**: Multiple message executions, e.g., from different calls, can interleave and have no reliable execution ordering.
+
+    Property 3 provides a guarantee on the order of message executions on a target canister. However, if multiple calls interleave, one cannot assume additional ordering guarantees for these interleaving calls. To illustrate this, let's consider the above example code again, and assume the method `example` is called twice in parallel, the resulting calls being Call 1 and Call 2. The following illustration shows two possible message execution orderings. On the left, the first call's message executions are scheduled first, and only then the second call's messages are executed. On the right, you can see another possible message execution scheduling, where the first messages of each call are executed first. Your code should result in a correct state regardless of the message execution ordering.
+
+    ![example_orderings](/img/docs/references/example_orderings.png)
+
+- **Property 5**: On a trap or panic, modifications to the canister state for the current message execution are not applied.
+
+    For example, if a trap occurs in the execution of the second message (blue box) of the above example, canister state changes resulting from that message execution, i.e. everything in the blue box, are discarded. However, note that any state changes from earlier message executions and in particular the first message execution (orange box) have been applied, as that message executed successfully.
+
+- **Property 6**: Inter-canister calls are not guaranteed to be delivered to the destination canister, but they are guaranteed to be delivered at most once. When a call does reach the destination canister, the destination canister may trap or return a reject response while processing the call.
+
+    There are many reasons why a call might not be delivered to the destination canister. Some of them are under the control of the canister developers, such as the destination having sufficient cycles to process the call. Others are not; the Internet Computer may decide to fail the call under high load.
+
+- **Property 7**: Every inter-canister call is guaranteed to receive a single response, either from the callee, or synthetically produced by the protocol.
+
+    However, a malicious destination canister could choose to delay the response for arbitrarily long if it is willing to put in the required cycles. Also, the response does not have to be successful, but can also be a reject response. The reject may come from the called canister, but it may also be generated by ICP. Such protocol-generated rejects can occur at any time before the call reaches the callee-canister, as well as once the call does reach the callee-canister, for example if the callee-canister traps while processing the call. Thus, it's important that the calling canister handles reject responses as well. A reject response means that the message hasn't been successfully processed by the receiver but doesn't guarantee that the receiver's state wasn't changed.
+
+- **Property 8**: If the calling canister made an unbounded-wait (as opposed to a bounded-wait) inter-canister call, if the call is delivered to the callee and the callee responds without trapping, the protocol guarantees that the first such response will get back to the caller canister. Otherwise, the caller will receive a reject response (with the code never being `SYS_UNKNOWN`).
+
+- **Property 9**: If the calling canister makes a bounded-wait call, the system may generate a reject response and deliver it to the caller. This can happen even if the call is successfully delivered to the callee and the callee responds without trapping. But this can only happen if the reject response is `SYS_UNKNOWN`.
+
+    Since, by property 7, the caller will only ever receive a single response, this means that the real response from the callee, if produced, will get dropped by the system if `SYS_UNKNOWN` is returned.
+
+- **Property 10**: If cycles are attached to an unbounded-wait call, the sum of cycles accepted by the callee, and those refunded to the caller equals the amount that the caller attached.
+
+- **Property 11**: If cycles are attached to a bounded-wait call, they may get lost whenever a `SYS_UNKNOWN` response is received by the caller. In particular, any cycles refunded by the callee are lost, and if the callee doesn't receive the call, all attached cycles are lost. If any response other than `SYS_UNKNOWN` is received, property 10 holds even for bounded-wait calls.
+
+    Note that cycles do not necessarily get lost. Even if the caller receives `SYS_UNKNOWN`, it can happen that the callee still receives the sent cycles.
+
+For more details, refer to the [IC Interface Specification abstract behavior](./ic-interface-spec/abstract-behavior.md) which defines message execution in more detail.
+
+<!-- Upstream: dfinity/portal — references/message-execution-properties.mdx -->
diff --git a/public/img/docs/references/example_highlighted_code.png b/public/img/docs/references/example_highlighted_code.png
new file mode 100644
index 0000000000000000000000000000000000000000..e7b1a1f7770f30ae4da721265b630be5108e547d
GIT binary patch
literal 32553
zcmd42WmsLi7A}mla4l|yBE{WZ7Es)!xKrHS-L<$DcP|dbi(7GbclU2~pR@Pbz2D#a
z<Id;FN>(z)NM@3ejFG%EOkP$T2_6p~3=9lOQbJS_3=E<hl)ePOfPTgA^0dLg5CzOd
zMC2t!L`dZAZA{E9jlsYq!oI4(sw)j*Wqpp16*Tjc&ktOM0zUwJ2*fH;gvNglhx#eh
zFULS!6nc)HT2Dkx3{x9{#6s+tK0I6-TU1$fw$ESNEdiqClx8jcES=}=WpBi1EQ814
zj1Y`f*1m6(KpDeVOTq60J8LWxKUa{DI|P+4JgYB_?Z)M0UwKLj0Bl(P>F)BDLeS{M
zNj!B{;OWg`aueaw4UB{dwdmr?tr?XV0<3B`j2s#a)wr#%9-;=Z2j1}mqhKiZux&7e
z+OTaJ#98uE??CN)YiL2SsNt_hU^(9JE+d6?V1CJ;h0JU8VuyoG=m{QYr>75uaK1D6
zY(^HWUU>HPHdD5LjdePht$8_8zdR+Ptr!aKs*h_K_sx|1)n#xr4*8)vScOgr9g8NN
zWn}5(xXl(<HK0i@5$hdN4SVldkY_VrFBQ2GUQ$lAc$DjdWeSU6$b9NJ5`4%!U=vkA
zRyi<UP6|8NmL!-4DwCdey;r0h<-$P7+csm$B;o^u>H&h4L~^ypr&nGz(mR@~8~L=%
zABu;aLzuRSk16g7CZ6cMn4xqCL17B0Wg^Fk*@W1Y^|(rjgVA`kaT12c7oUX*Xi$S-
zsIP0f9VI2or#fgke9SuLlce8MehNduH0lrecp1=e*>riop;cW5fkvY*As#EhZ(v66
zDI{NQa5~T8NA+H|<Vr^i6{id*LaCRF>66E@RxAef*64fZVTMSh=spaDb${jkt%FVf
z6j!kfR|PB=%ScipPv}rEOH?QvL3j(ipO6}Y^RsjFuxFTj?|l(IkU#=_^Wt&w;y#?A
zby*NlLHG!N0DI`!g4k(?kOw?4^ptNN0;YD_gD%k)*5P`aNeH%oc$9c1n$3SEbw$M8
z5NLDI-|2F7(EEDx=HVUs(qB!2k!zGMLWGMalGLkbfXWn!BV6BuWaqPt9pkG;QC``E
zeagogV{;ow8R*<iCJdXKU~3v)t$rzz7?*=_7((R`ck4xOYf*d<4ZG<rPe{GxxQxoV
zX+430fa06A@_tygpKcg_3-+XQbiK7Gx1NkAL7|o?Rr33bU4Bb@%TskY?cCa)IGV+x
zZO1|npTMK3PqG)kWsgsNFP0%}jl=xMV+dzV3n;{6sM$d6{^-H;^Fw!9U2Tz7gPjW_
z5yB0DXCyui4T`JGqYRHs0h&j6sA=Ofvmav^<FNo1W&|ACdoff-PSUJtiQuxjG8(Yj
zvxv=`n>6}2Ym)1TwWduDu=@*GSlAfvEz)%zfqGQyH_A26^sRHYT-YBE_F2k`#p|{U
zL11g>c(z5jU>JJfmK&a0ez51z(x{02{${8s@m)qZUKCn;=!{4s5LZGUsbFb-Xv)K}
z2UzK0&m$oF0&OufAWXZ+ZQnWidf47v`|jlsw?Sv4LcM>l92ks4QW*Mf)3=FKCsY7E
zQk0}df;m3ih=f!$d_)+FWalS!KKerVFVapD@mQsw(D{VT0gmt6f6{D|h39@LM*b41
znU^QekQfx4cd`G06*4m%E0=tq*^y5(;8X~ILTR789`ZyqI}Z})hcXklNidgz4i0`q
zzhbqcwEt+=P&IrxOxZx%hC@fRlY!SfY)0s`EzBuE%@!xi_v*alp1|{?PS{yD{<-Qi
z_iE7HmM)yKKU$aHy2v_eKL#^k8c+}j-;La@-;LXp><+LA6D7?w6S)rbU`kC9%aGLi
zv@EeK&MRq2>5Ks@@gW|3&~IBjoWf2LI$v=LW{PMEZi-D2<)A&hG`u9d>{IBc@NkI&
z^#Wnz#v!|}7SwVo{Bdl9sz${2tf_KYLOQamvep#3@9$y-6zZwiF$F&Hl1DIS*Jdfo
zafvj`xmA>weyKdH;FeV>=9Y76KlGltD%CC}{#8G7JTw0VV<!L0@Gs}mOy$<R+q6#w
zno6m^Fu#C1;Wi|>r#;3#>SPw4=8q}tm5r-ZDcZ<)7QPAxl<OCCO{J78<SXRb$!~=N
zvne#DH4`cZXEO3M3fx4ml6HNuWQN6PG-=c<N@lGq5H!c@B^PHGyB0l9&`+!uiyB(Z
zaYp_73opzN%$Cee&G@)Q3GoS|Ws_u^$8<8;GrhH~v^iEpR}NZKS_T|>4sce|#&Y*2
zlBZE7Y^DSbagS=Qq1>ge4{s_D+NX(g$A4k(Cm)<mpG~}({a^&J|72G;pD;WBfyz<O
zL14-`YMZcu+tY!@P39?n4or;VWZbMo`(k8+X~8;emOg2m2X2V5C2v@B0kbvT??vH=
zQ7D--h?lTM(O$@^<fD{(fH#d%=)>rUOAACc<jeayX=7r9WkSKW^kvrMc5u0$x2tX5
zGy4G&Av`Eqtfdbx0xQB>N@-YPSR=_P$))0_s*Y-^>QVWaMtj}&8rfPMqZPB45#U;|
zp^}l3sl!^*7koXQneY9#!Gx1z!}Lqmc`GU&zgAcHr#psT!yymXH%J`k_b2${8K*q*
z&5TBWevbYUO*<ewz&$`u*`gGvRHKwP9ifnvrwFVdaI*fTX6mv>uy-<cr&X`r--6l7
z+S+E{;Ih-K+PsP*LrBQ%e!5>c$*@AO3}v0ZY~4D&OtymE+}PxEaef`^`pe_mUDLhL
zUDadta_S=dLi5mRHGQ3MpKtD|_zspBB^x3elHccn`_bg-^wx{L-y~9R<d$j0d)Hg5
zv%)*`74c2^jqWuQ+ys2tH_caE8i69aIp87DcworjM86&2h@1#TgzPzRt3Pg%jo9rk
z95Cd+=-&{4;ZGAl9Gntj6!<IXI;16J43Q5P2tYvjjO!d>II>~)h3mzTZ(xjQ39k~1
z2wMmDm8zRx7=4l;3>Y1yMd&6lMEwbK1_$XI*JN29aqoPubku_rft}V!Q>mStfwqBZ
zUsgn3pG?>i;T=0aqqp00JJb@Cxv<nX;AU^{Vy}y&kYrgr_dpDufX8!zQIC<ny%PLK
zawcQ(p&x<ka2Ax;(vI2c+!wna(j})UwNorPxlAu>KH@1gDIpi4D<&wq6nXCg9W0t4
z%`@r`>%EE68>8<s#<#0B?%<!H%An+?U#8Rw1cuLt)iWp4abq>&7ATDnXo48(x@*}@
z+lQmaR#W*>5)$he)W|v5?m{I#C(?ZxWf@G*nxl6{O%CTNdX(1YY0yQdUx<s@mK(C6
zp70a6OfL976*N^T{MKFCeK(C>M3_;@rp@|tiTH#oWx`7b|MAg{f<J+y&NykI{GqPJ
zq|U@9GhjqAeVTdBz<O{w%PsfHd9-L`JnQXqjl)IhCI>=17Hcw2@(9g=4o*vTrE<Hn
zqPs=h*|*V%i@xqYD=8quLiM%<Zs)N<vxA%1!(KsK0k)6*gZYbG!0=RZ1Kpi^hdH!e
zkXhg8S8y7aiYZN%`ce<4?ZaTUNH$}O)$+{RTj8M3eY;MHPE$^qM`W`cR@KYZ20eR2
zBSX=pKT5r3fHP91YgXGfZQsM1OT6nYb}vVX8v%{Wt9UI9x&1AL2KaWLH@;IYVKinx
zEgbDF5(e`Oxp*#oTwG|TaaOaaFts`XY0vP{1h={NSyq@w<tftQlJc2)rxUT4?t^!=
zZp&MYuA)z~8_BcauuxUNO-MPi3UMJJy@ep23F|e73A-~pIY$FAu19{sLgT}Em2BrJ
z?-%F#!<5sSoq>-7Qqd?`RNPFqik`J+%Kas$NgwI%WMc%p@|?6RmQv4I_Qr!V_`IT>
zPJ7)tuf!SdwK(l3j|{fRW2BIhR~U$2M_(Fytca|T)Of2{wQo8Wm-!1{?i+k9iYj5X
z1v~;AwiLyc#h*q4(;IDM+GgC+eV!IFGk6%zuvT9jZC1UyUut2~P^gLU_{twvPVc-j
zi82RT{9EV+!aW?T(&t{D?OwOW`N-vp<*2jL_$$12ACJv!B+h08D4r*;w4R@pbPuvM
zeN;QEz3lcGc6F1V2JY_K659wo8?GC=jxueQSL+db5qUk+pKhmHYwuvrT)fU7ZBGrS
z28yx^y(qkN-uh0ZuIA3G?qD5YVf(b;)Lv<PyTS{LAkV*0g8ecAGduSLrsi<I4I+Hw
ztQ$hRms7U`CSs$29qN-kMVV$p=?Rq2UgfZ3fGse1@?zxViKEQr)}=jbeWVd}MV{|Y
z%tiKk<vkZs$l&UXcpAX^sl4(d=A;v>-q?N9DU9F*<WYnht4o^5$beCU(f}|ha6B+*
zPzoFr_`&i2Ndv*Dz##w1hX4Z$F$aVCFO4iH{{6&)!f&4c#E|j9V6dQn=%C=51MxRC
zM0XD4-)XQ*P#Ktzl8B@vC{{AGH#W9*Ftc&=X2VDTWx&}=XgGj@VUhn1;F5|T&O!2L
z&6U+1)n%l)4Q;IG^^I%{jOksiY=6rE<8|c*C9RAd^+{Z<EUg{5UHM4=qTmLle`hn0
zlKe&DXu(ISE+bDOVq<Si!cNaf&q&G-PeMY%Yj0%2ttbloFFWWTAE}w6qb)ZBgNus`
zy$cJyjlC%Y6Bid310yp7Gcz5Cg3iIs+EL$?&f0<OKSKVNBWmnmXm4)oXl`Ro@>{OH
zfsK<RA1UeYivD^2(@tYo^Z(Uk?eO2%0=*!^?-B+kdPatSWP@0Ff9G<`o4XoYYKWR!
zf%*(o2R}0_Gw)yY|G$#|)%Y(?_5X2lFtY!f^Is+ZC#Q;ovAu|m6{t!_{{Icvf0_SX
z_+Lg|hTm`gub%i%H~*Cj>Sum<UWR|hj33?y1?CMjj0EPQa>}3>G|B#Y+(5rnpzu2e
z1w~KsE5Ii(FhMX$Q6Xhl@MCRQPs~32m#JdvVgMC@YAV7}SybLqPYm^dR7}3q7ydB&
zn<6H-kQg+$f}nc>sZ8RksQZ~p8s^83$?0!*yR|MJE*|8`fq~oU#2e10MJG!O3mhzG
z>2ONN5*Z{U004x)@83~u7b*aQG@~o4X}R+6y#G)D1w*Tqp@alcQK6u~{}cHkhWVmy
zAU@3R6hi+u>pxK-K#K5xWWV!%#sUCnW3e&X)|&qk04fQs{`Chd)c>nONo3GAtd_pV
zDTWUv(RnEGr6y3m^SU-CAml7{Y)+qx$x)>v4d@855nnLte|8Ozau7RM;fv2I#@)C)
zx4T|JVShAMZR=<;b2k~vSP=igddPQ6i7%5zC^yLz4e`p)!y*RNal-1(@fzWDobv7M
zCL&K{fbb??B@ggr^~1gUrhpS^dX(9+D}IHhO_5;{=1yA_)tR>bwS0l?m-{b9Eq!dL
z^td~ZNpzq0?=QB-mb|Vf#XpKi6O3KeyV~wgydO$tAT}OK94vEfO3vVNn4)W3-gJ`T
zh4M>(=Xdm+yXL%&xsZDFV<n4^=G|~I&*<t{7zQO3HFdcCo@}eJG_`AqY~WnQXYuJm
znY@KM)9C`K<o))$)jaE!7V?`8YqRHz&iUenH-k*KTQhVq$VVX8I3%GFok!-kDlQ#(
zvg6*@)Dne&ACc9c$2swsXS#B#tcHOab$B0_2|6EWbc-;sweE;oY4AH8Im8z*J`YU_
zEEeAsRk}~L8e`r(khod1bEoacaZg^~DYP2b?0RRWW_hsNdeuhKW^q76^aLa25%M_i
z*V5~>r4&l13V)?hldUuEwB3OC`cWzP90?5f){zVtnWIvsIvEIu!OJk{1|zuMdBjw2
zKlh#@^3+PxRh@Ii>&Z%))W>>=;HxJj90&Xq#+%N!!7}!QOq-+5qe;vjG91Wser(34
zY3#SW&~w`%r_Z;(`Ux~Y28ey69d<`@H+n**$zpipwFV2D9TmR<1_lO{u69RDfKhnY
zn-L6C`H~3$Zw`F4Xk+WErA^nz^DE9p?{3*J@@|jY#e+M6lR!s)99;3aN^1Bdz<4UQ
zTqlD|Bmm`+by`N8^p1GlBhw&nHILAUpATaLhv-J9nktKb-M#iGF*7~^fP!nCXWi2b
zap98d79~Ng@F7w*Tg5Tal;-~Hx3dtFZ@g~ZQ(BN8pg-Y49nO@A^SNJ3OpD?K5Ix<U
z72&d&sQcSKTpG9Bt$LVmbO&8eh@fZ$qm5rj{CIe)oP3sPHS2jbOiU1$LD*|oS}U)m
z;T|)xzq??$9z%#x=<9y4(L_bg;+G@Cu0je2$Z0-s7)M9ux1fA&et+k2vdFgLtyjpO
z0q5G{Oe-eAV!c0+dl<pcA;GdEX(@zPAF8T+UwSx6!(OA1xe>u@uU*7sS37!;yo%C9
zmUD(X-`7`g*Q#<@0E`CB2i^UfUW|e{&0aIaC6}m+whw!_sD5fXZekU>o&2M#4?b@%
zMYX2ml^|8vZHxrX3gsqjJ6vo(g^0OQvGhAvaNFZ$=ozDZD5uS5@+u3Chyg#Jv64HV
zEPQ1<O8T|@!m0&4<@s&E_1&6J8Mo8n2XRGn{wQTawA*8S&xf7lL2l9!D>@{6{k)eD
z0;My#S->9JG$S6zLO&iM&rUO4By}R7$eNI>L|s8G#`K`pHLbrzC97fL^fQr6!1nsJ
zxtMND{bUVB^tJs88c_GzMaHW07KkXLfhKpx7XA$$C79=GFr6%t`l~R%!nL6OTb{jG
znb>s4^sO&hcb#`s(F1Rb+3dT{74G=bYNB7+J$#6GCV4VE$MsiDnWrN}z@3PoX{iP>
zvpFK31|OFA)3#|J+?N6yt<MepvOR8&9(zJ!rj=CGKh0+=(Q=*2tJ-jc-VL`7HM?Yg
zGiazfDo%hgnQgM-vn=wkM#(ER?kSNQry6D^T(75;shdpeJgyJ9X~a&|UCpM6%yQ-Q
zZ*dOIZ&fF@aK^DCzLg<3ncs>xSYII8ZJDsCj+(V@oZfoZQ(`qNQL5af!k_QQjQqeI
z&3;lleION1&5J6FVwcjmC^}`O6;r;fIeX|WFbl+YSv=t0ds&Cn|8*KA@fhs1Qa3k1
zIUIVPVpk5QV_L*zv30O)ELLzCq(ojhZL6<UUQ6Cn;_xJKI>~dY{~>vAxik9d>=%7J
zbt1x?l4H*U-$J(&snB;|z*95hn|FQGEK`5Vkj0RFrW=AAmjBtw6x+8;PdUC8QH7bI
zQ&(J9u&WKS&HeEP=SBCQvI-me%EzmW?l(bz$B-j~OjFWgOWdO-AYRvN7LQBxY^Ao8
z$K7cG1T_5qWTZbdg1gwBszyjyM1)~vcd<kqsch6?iBi%2^TQSQ*ow>A=*<`tys_-|
z`9@E@$tWJT^D$0L?OrZrmaA}#R$7l9>&|*tfa6g`;}oIGa&Cd{L|4aoH^Op~Q9;G$
z#zR&{j9}08W5n|;J`YEH*KxkPeb*wn?82EcHH;yZc6TRg?Us7_IxdE?t=>ogY(%;W
zf9_)x5nmd~4jA$)K^FNo253{rZF9SNL`b8ZBbgI?`N1M33;Xgq!gW!9J?{D#u@sQ^
zjJ%q}6&a2V$ZKqFFL|kNu!K7!Knb7d#l7H#D5aY1w<7P{8lT&|+l%~mnyGa{Fs1v0
zCE=c8d8qb~0*Uk>mpa<TVvB<3r5C+p_zg|23S-8TH6x8JI)7z(H|CKkYpjm9LeSgV
z=HZDc!%FpgUGJgJYX{$zI+WK0-%!!Xpsvr-!Ds97@27RsaaZA&dx&{yDx}5mjd=qP
zJPQ>LQw0bDv>M{jXDyjo?$yO}WT_3-JlbJl1%)vx=PfWXe3WD8KyAZKOLx&`(N|tf
zIIw3<3Fhwv{E|iVTC?bpLnzC`O#{;v8rm?N#bn~++P}Ehv>HuZTAgn%-?gBRA`!QG
zx@_l2$IXso%?0410o}%4T)ytUHAofR<ijF!)f(sWSPuqo$In=;wx#kvpNph%*yz+2
zrek49&562l<HyaMW$6V$Un{(=>;R)pyKk<`T$mMLDPU}2aGkV1wA`zyvU9_2p|nJC
zqu43iY7LKi7d@nHAd()l5X-)X5T*XiexDiVLSineZcY&`{XAlQX_{Ih#J9$<f=F?9
z!@qucwVuns(e|0*@LqKauPUp3%WNGg<X0DUc5+j02HWIJaY|UV%6;2%Q)OmW5ImM6
zWd_%fcG0kOZ3RKr=$M$sGT{31t8?ijX|78G>cI&%nR&0)>!;KsXptrdXDn)k<w-qn
zX2xjusGTP}D*5Hw;eNs}-4J6^xt@NMr+x(=Jw4gE&{TPp1nQ_JSB1%w@)`;YK;*L7
zRV3{-i3`=DOH=`x!@Um1@<?v#fiXq?QWK>7t+9(1GQ();1%DsV<xbhfQPGi=7h?SR
z-n-C#rA&9O{q$tfs%URDv_QnPLeLg-bEg!I)xp1v{sSi6qyU+CbiN-Xtm4UHLy7H1
zHxy({v%?-bKtG$`D?=0;E}P3C*fl?ZaYwDrM8@l7BZPR?&G~FK6N^qWzvvjGp)zNk
zZyj~C)%w1&(c;W(AE7l?>di4Kw3_1|Z%?G?H0y1H#a3UQ?uuyCD$V?#?zdtv0H%mX
zhPJ#WBRDeQJ`X$CY5ZO-?5HqZ-cKiu=4%~ZnnW<duUF#&)1Xj=q@sri`z@wkDv@eq
zWcZLooiqbyx%?7t28HvR(nOu<xUZz(-bh}zP!Li|N;a5O678fh#Gu~_ysaEP$Ct>c
z)#I~AXV*fWVi8QIJ>-IgTnvpe`Xi$|byi+D@DQg_(ahE8Uxf4LiqBd7EjnXq<YZ<G
z1Ou%qdowti=Zzl;y-lmE$AFn@5e3BFQf3(Ct5#!0$L$;SaZ8GFOGuqoTEY+C?RYfP
zVEy7ZpV2lhhB+oHG?*u)R6eyD+wD%h!()9y3E#^SUGR5NqWJz})!~wsP+;6yf<a&`
zGpu#FdutmH<B&fA+Z^IqFW2+gt25|35tk(8TYGuf^*nObq?I)HhG2YWMyvmHt3*^;
za?u`j(y!NhoBib-?y*;;z5T1*afP_n_A6!xSdl=XTeTA|={MV~{ieM^w=y*CH>|<*
zh*i(W_Z*$uoP!dgIPGh!Tk)Uq>`u}Y*F1@f!c`r9A~D{`idB{(uNeHwFJZq~SXWnh
zy$G~G(Nc*>;@$>W%ng)9uMjGYhB{o3F1ge`-RZXCG4sl{pQjmq;c<Z;`>~B^9vFu*
zmBQUq*zxpU_G?L8EXrP|iFVt^q$mCAsnE5z>XJMDa24&<E&C)RDIWU0ZS#&D%qNuU
z=Nz0hfskRfgEYKHm5el|r9wtN-5Yake#tneb=lX40dj}pr4O1Hfbul1fx<^0qOway
zou8e%2$R+vR!P8h_k>xd!{m?bHy6I@Un|PVkfZqsv(^$A#E(pa_98uD5H}fwAc&f*
zo$Y8_ao8wi8?4XVzyCz>`I^;MS!KQ;9A<G?)k!$MzZYir$la~%cGx0I%;|E1R%Xw;
zPlZ3^y5XM}O(NhxkZ5x(X9usC45VARl0i0y%F=Jls(DPsyYu7r>vUO-nQ>df2zS0N
z))s)>d=gP#H*O;KiJm@#e!g(IuRiiVr;X%nf*}A#M^C%rIt^TDhw29bnYP+#yk)$u
z?aI^Grwfl(Xk;E<HtvwjRd(y+4_zG<E{bV8v)@|C`|_0<td>-rP8MfIi7DCBW!S71
zm7PwPH7+E|uecNBRZ5jV-t1-jaKDVeN?VQ=J*G%DZq6VzWj5_QM}?Jbq9o%9c(+Xx
zn_rc3hTl{z+PpqLlsX;FjvaB{Ur)=uvoHji?-k09^-rz-2cL-EtF$_w*hg%+p+~Zk
zVlMMu!R=&-Yj@3Jx`6qIuQu5kzIX<}X9Nmb;^Yqp)m})bqbpuUyPwBu^L=K}Yy|gu
z8aVupchY?Yw}wvbt<vY=iFF<|bw<{>WaAVzd3Kq2z%HIXeui0@y42^^X?Gv^9p!9i
z)~XW9<v3C;hBtj;%t6aDc^%oVdAZ}W7~vHEcEDN0#i*dhsB9x#hQN^TEx`%+qF6o8
z0}anmumwVL(;|+;b1%VDJg|JtMVXD@xvs^2MH?B55Wh&%lTGradCOOg-9s)*Au2dh
z&6L5db0C%oG2^0DEu+WuRYmUhK{m71bLMC<W|+OW8Q;YnbWIrmclGY_YHzBR)t~19
z7l;>E8CI<T{<&j^l*D1TxijTnZ_c3BKl#=#M4NcWa6l_?jHDarE&;j0C-6E36C`kn
zfYrPQiEgqDd3iDnEfqL=apv)J^2Y;N_f0y_Y0WRgxf!RJ<5Y~|@CE{NM55i*_0%i4
zU3CoWewcetW=2(vPmU7nvKh9Xh`iZ;sel;Vy(|Gd_k5L#@8Y?Hl80|{S@mV_$~I?~
zq1hWYs$6H9zHYg3_)NF^v3^U*rsD=ec7_@=8)>PGp`brUq9AY!xCWbq#4ORliMCI-
zMz{GEpurL|$ldMC(HmqEh|Wt0Ftu!XG?76`kBZ_PR3}P2ZKb6Gw$jk{X6Eu#%1eA|
zJmlI~qMKP54UD?IE@8dbyfK<2A_;%;T)I{I@k}~sA-(#beu@Rg($Ea_H-;ls{2I$#
zC8p7`m@bTRzZ&IW!`*#{tvnb{{w}6PlYD0`h8#IuO~4iblJxnPl3eqHpC^NQ^^b#r
zOZdLL$uS24UqBuK$)#$vIL*vwn|5QT!2|4203|esDaCst-;n@Ih-^KAn31xlvrd7O
z97%YG+hdItrY~z9d@lQMl8Txgq<JUMAEC{)Z%x}Y8~SfvT{|51>$eDnJp9Ml7A5N$
zY^9PHu3H1{#*Zg<Ns+ntfUOZnKkvQ=MnA!NNi#6&KAHPpRO(Eh6m#*lok^esaGN9-
zMCKv6)#bGcbmwGpaF6x-`g2(u#0UjG$?2AwRIU`hb!2raI^nR1v_G6EOMT;VK5&Qj
zKOC-D^^)-7HLjU6-nWU1`TDuViNOcEZK>v3I#9oACRYTOhI1-YH<+}$AQeip*=h*`
zkBp+ae_&ZU30*3X3EphyyQR#}kip~u!59|TPiXpvtg{KvIJh>;m{p5T(UVar8`y_c
zLibK&(ZLyZ&~Xq#ed0f+Q^Tq$7cv+JCl4516eI6x)CP_wB~AH%4qu0$sneKxe~-X0
z0Wa@9S=l>8+~~14<vJ6{>*6?^y(O$P^_=kl6EY1z#vF2ELDwIDbU27dAdBS0KfU=L
zJr+7C#P}SwcC~lX(y@U{(bqK}UH}uWhIRfBf;Oj+2h=bLnAD4e2OVgrCCFtV*CU#`
zcK<wTJ?l_9YrBf>mLQk7_63Jj?hAkS?kG4)?-5&ce0m;AG^J=gbHfu&Kgo!*$Cb#J
z#L#FV8$mQMAw0da4N`k+CxsOaCaJ5*Zma*J&H!sljyXHxBE(3z-uB!wFg1oLRL|LT
zd@*x-1~*#VQi|7Id;C@}cxoDas#-Dn)_6i5d!r9AM>fDTAkroSZH}ayyv)Ogn8&a`
zZmAUOM9b<RjtuUs?ZCr4-}u>}_kIP%Ff#x?*oUf<q}z*vK^do}Z_PtsR7IvUBggfC
zX?UAECaXYQu8jRWv}R_lrCpr!RkW%}Ezj_piheUjs~%WXb8{{kgl3{k-;S<dPh6g$
zW|_WzG&}v(r)3s^&z-7jGcc7R#y*SIY@rl&#9Jr%U{T!>&Zf9GYckU^wPl%NYa?@O
zXlfQ1b>4Zoi_PF1eo=yUdT#&0>n7+9;zIq1&BFXUqd}t&8Uw6DXY1~}*RC&tXtTC=
z0t6LKDIKicj7_0bV-J^Svl<%3(g*qG-y=P}UJO#J<I2O*d)<G{h~K9VoODjtL^@&~
z<$tc5Oxd_Sb-*3&I~fDURZ3Y>q07neN9MxXhfH_OAbVkLzSLwOEiE$U1RqCDk9PM{
zPV!b;nW^JnFdJZqdkDb#jL%YGcvrCY?H*YVSO%6j8y7SqY#szfGquec;$*IDPsOD7
z%(`<0d#`2j_S*wn7&xNg7Qq;ZkHY0HkLz>M*r)WkXjU}G6a<i>s_jPA2#8_}2;LE#
z4Ne+sESQZb6j|^RiwwIAB;@L|PD!5XnsIsD9EySVtebS!>#T`UO|Ei71S=-TG8WS@
zBf9)n)#*@3I>rRu_FrV|Wxl}s$D1QZ&`}*8vk~A0wBK0|dv>8B;;GlwNY<H*)+aTo
zR%mi-SmI6Q2tit*nr=^5=?ZuOMBdR1=#p4vn6C2nuxOD)+1jt~rkYmo4JR|qNtqDw
zx&IpeIYEttGvjqRNU3RP<-}L<r2o*pSU#!UHe*&E`mHt?&E?Szn?UWLq65x!o&>pn
z6hW<Tnq9|!a$(i3{_{M){vb+fJEDpJF}nC!o!=LzJv%!Y)%LhCLKQ-bnLBr~@JH``
zolc)Dv%KAQgOY8&je5i8vM8~^mNsIkp2DT#KBYL;+t1>k4=u5q+f{hVmpJFN$zOgd
zk&Vn`7gnxHOMO3`!_%UzFmbl=<V!srcPP>&V+%ZcRYYp1ui~PQ)`x=iVvr&=o6g1P
zEmM?#TAbM*tQF%8m}(MWM~~deD%-DEc(dJv_;TS|@WCQ5O4>)GYq;p5Ww2`5cW1f@
zL$1vr!n#cJyQMki`<K^3a?R{zJpHZJj41$7SYKk|f_~cFPJi?Pu>>NbDG}TCu@G!L
zP|!qg=T$w6QS)aSgJJkEi`J(ofFUM0-xG2F<LQbpyl-bdXXH0wO6S8wn%u2{6HOm0
z={mF+^%PSt5nMEO$F&KaEjOGgnMkV6muN#wvJ^D^@k#Hi_N}yB<DgZnDFj`gV9ebg
zLUU$tg#bRnLYgS^zF$OW!5#C*{&7Gk9#TuQV<v?4@fz;;lF@4K&f~E@Pzag%y%!PW
zwp1=6u{-~@L&~S4FDy4M!mq!>_$?!Ytb3gIDpG}g5oNJ`fXHKH&q)iwN}8d({A@zB
zPFe-#msO+L;%M$08$BFLtz0bszPQ?)3AO&BKa~EutJS%cnr~5ZD{U|I+$O^6u&0B5
z0c(-HzDi=enyW;6%|jV8Z#)$}A0hUWCx7qzWZ&NI(srriP)6XlC}*^jOorrNE=v+~
z$w1dtU7nl$YP7NY7o$T1K6J|r${TFFZF)l!nn+}imTPX($fw>XjZSZ`@z1i!d$^zQ
za`6eW#!BXBHN7s3Gpvo^Rh&>o+vay;+9;rpLpbZaols$7Q>r>69PlKC9E>Fh7{#8i
zX^@4ZI8#1#*E58Y7y9LTjeeeFGKSu?a%NQb<%RSK&ILzow~a1wF2fbwSBl~Uwxqzb
zY~u7z{2WNx6gCVE{<SQT>zCO%Q7G6=!)wPUX@sM+(d1+1KFSPmq!@w0>K_2R=i~tp
zpiEl_i!>w3&>=qil4Z<p*cZV({6L+wy)V9gOvHbI3W(#b0@Cne*99P>*aLd|)(#tx
zm;LYyN%;s7wH(#66rt=`3(5S5v%0FT2!nm^&2Y!|M-mO`I3pF$X(u)yG`veI%c2EE
zj!Wj)rvSIuPLReSUGPI;tWoZM$S~(Oj#Sv)-(-J)%b|Mq5YNR1Z;WNuS!e*BJ5BR&
zc(HqO6Ciz_PnLJW16+VlS3FQ6k`7*?sq$5RbcJ@K@$h6TdOq*1eEXdjYK^;qcEJG|
z5a<CSA;?@WFi3d$S>BK4PBS8N5D;2<KqOPnEAVbrkb$ldW@}`WpB|SPN6au>SgKs|
z4dm@|^bB8eprXmbTPNXCbYldEx82k|zCN7=ga^rj$9#f*$NtgJ_k?53Gq2<EkfyR~
zwO={6a3y4rVKoRsrIKsOz8;owtn#9*jL#RmenF_z*VT%ruc<)>C*QAzzS8eplMBb`
z=q_fdJ9H}gEPA1OEHuC#NB@G3b&+Gsy{wV&gv(O;d=(G*JB0*s=Mj6;s)yEqOMJ4l
zvO)%fC3yTHXiv^xI!az^o5j&--3vXu-6Ei`D)|8pkA`nLoo1-pCD=0XdfHCUk&o9V
zm7!K&Hd#};GnYWeHnRI8j43I-?b7CEI9z6T|D$_G+$`Fdx+tgq4AhF?xzzEqu@4S~
zE4O+*zJ3l$kp5S@(`RFUR%31sZq+$Xlodc~Wv(5k*W!&o9#D4ddSr(=nu{Nhz7eTH
z^W3jbm)h*t?Xn{6sE35OVqJN8dIwEclllSQ4dw{}lC9C+PNe)wVqbY3Z%DshfzN|7
zQWfWJs58&Ukr%;XK)7ho9H$@K1kv~7>+&Vrl;LsYj9^B8WIx-uuI$^A!s!iInI29a
z4G_1!e=d(6oTJBTwVUiMva^mCkY24AFg^Y=y+;E#0oVNDNxLKdifM+fs-6oa)?O~;
zt59UMy9#oQ$K)KRHmVEGdp!Lp-8`}o?t>(O0jAGk0g3o_sK{lOzKBiwJ+CCkl6E*N
zflTj0D~h%bT!PTVPzma`=vHnHk!TqhJ&p`l7u6DU42@x3{f}2cv*qxIAEfohMa_>;
z=1^_>Xu#E!g?j;1xjVQF(=aWj6aywhdLi4Obx<`YoM<2#Ip#8LE&L$Dc%U&U_*U(;
z=!NDOzuE;LMUWH%k%(74M%l0)4<=%8XV!+bol<M9VdLW)_Zm_j-MVg_LbbkBPLJJE
zpvz1J-R5~pNv-|99)55eH@^!fgYK>OIFZk!SZ|c)gm;&I{el*-oLirhFCv+7J*UU^
zNws>&N&G?D%Bzk&dh9zIL!z#aC{CFGD-rjq#ZG9K!>c^x{Q0PoIHLXY!0n5BAjjD5
zW1%pyR^1$67>R~nr@d10GD(E8Exgn2jcMk#wZu9fzf8J~{~7y6tCKkXD?sEd(vdIf
zmR_s5Fbcq6$CWT`{DCy16i=TBmxM^tj$UuPA44<1Uu=J)y7-|#3g7F?tz!<!D+_Bk
z;So@=$32eKukm`tD;Aq|kFJ$?n+<vG%RBSt7g~JeX~P?XYZz=G`-HX%4Nm1v%milg
z9vfE3)olNb26lK9)_V2nra*ZnZ-T9LuU8O<I}Sf1#?J8G6wKZJJMnCpjT;jgO(wFo
zi}Y-4c3o!vI)~{P7lFt;hQg;9C0~web>{a7?>3N75MkRj#`*17O+K3L#+Px?*U>jh
z-bftYDJ0Ihw*#N`ylW=KA$7`{P%VsVm_pMH32mPC$V$#&D@XA<UdMohAy@5;909|L
zbdeNHSx#=#NT4G=UNw!Y3mANa0pmi&Hc6=239DK9q+M&r&bX&j_@ZN4;~v#HTlD}}
zqNDw4yWThcusk_Rd!6U;A>)lUN|c|X4EzJoY+UQJFL|7gZn(*P3es~b$eQgEP&ex`
z8r58Z8_wt79xB{cRvVsHn5dFCGAbQ952zUUQD9H5hEh}Mj<VyDs@5{wng^yw4fg|e
zqJ~H@rMh%CoZO4vjyq%-u<mSrQ3n^+oK74x?T;tN*lwnV%;{(GP}i-7<{^i$9kPG7
zJ-t-?fb>F(aWN2^Wr^3bl*xVC7s)mi#9m8mL;1pFfx6W!cd*-}IZKNs<h2_04R0o)
zQbWLTAN2wrHL$_k&5gPJW8djYtJ9J{-O_?ybi*F<1s7`*ZNNmjc1}f?X2%3<&qchk
zJE6V~n=gk^vs9zN1Vqnh8e7C-gGJHwIOsC>V$90j0g*`P1CeAQ$i!5rG3W!}&4X?l
zzC;lY1;{X>Vp;eKla1sxyGQ9KVsq=3dqm3cP0Sh(#s|ssTW<T+N@s8?6d~}@#poy{
zP{@QDL$vVjzE!_oY!4=6>Zk|c+y%?<uAf^pyxJPrI#6UG!cNFt{bb+hu-_XyVd<+e
z96-k>J4BNAg!xp6Pz*ca+w*=6bk@4RwS8|h^~?3ks~v4$>KbHaG=oa$#G-d5Y-fN~
zR&;)xE>{+A2NIc2!$l#I=*Zo2xSzAV;1N~3hHPNjf*r!uOe6atYYH}*$y}!u=FPUt
z=ybygrW6@=%c8oc1(t({LI#J%;VesZ@QC#Nm}?@^fgVfLool<}JdZ24Sx)Qa-FKA6
z8?6End+{-yoUE<AtA4(@h9nLIi@WrhVhILi=Zb}hz}(Et`Y$XEl`271U#HxJ#Cc77
zoYU&<SyskBv+QlK`N?VD$HeYJx?Hui%Bd7QyX-n9MMyF^5%5L8U-T2U%4OsVH=nJ`
zP}fc^fQ|%z2<(-(jfP)aK5UMi?*_c@e3kr+oSCl(eR+t)+tezwqEjx^d7ku>CnmEn
z+NpFB!<gXFpj=?tYq<*3)WH+m^44{8(r_qlw7{WKwGGwDyQ75*VUNiL-fZTyr;SU3
zK72DusCtH#;Rq;qMS(wRp$gxm5z3NFg3LU{-Cgo2Fu)aS5WQDAFa*V(l{rk(^^Cv3
zMY}cGW%c85unF9nQm5n(K`WlKUrwPrw#_MtNmN+<y{lrMUVyS25hQUQcURsgmLF15
zxu#a!diKHDm#-Q`G>iMVJk=*V0-S~43c>Id-We-qExR2H<d{*~EQ382cHadlO_F{L
zVTv5Aep+Q>&mT$Pkv{8nyj#)tK7!;{q9ShGQ4Vx@$9krRLtQ!e4y6^ba*uH9blY8{
zP#FiKD6tC}_>K2aM%?vIV09$wau+V|$<-mTP3tUvNxu#;wj5vrOOiuUH+Udu>6Ra;
zE-t+@^i?WuWekxNamp)C>(iEr6EP#F=k0>&L0$}hZA<x!;G@v%WNI@Sa(elBt^4Bw
zg^RaZ75YniU!{w3TgXzB-Wpddx2IIJeQUtkr;Vqkc6x%bO#C<U<7t8D$7nm8QEdY<
z+f`T!F@nfZ6#LIU;Y%$`Hk2(PYe(P2sv|7IjgpH+tu7*$ni1M?`+OY72^-BX@y$%R
zh`<XCEg4-7G+9@imguCzZRUVqUYYw(ZCazVXQA-$?eg=t6m-Xq5YL=V^B|;`l?>Fl
z5{X;6Hdg}TY~5Xi1E-%blAbW2Kv)cTzh5NXCE%#QF?_Z!qVo#lUkak%(WvgDX(rk3
z$KCy++8RyUBhQK&87za-FFd)rRk%LoG57ttTCQiZZeQ09brB!)t6E=V?^w}2kW3px
zpZ0|Ho(4ZE%XoTvAjm#wnvD0`=R((%)iLIjxRvYsiJdGEnup|sG*%&$F$?T$7iiOV
z5xm3v1+*ee)xxc^F`n?3vntn?uxy&YZn|z}`X8W5^&o1fmYI?s80s*eWO>B<z)&Eq
zbYPN0qw1vt@c2DBYr0BTllY-)B`_olEl7F2RC#C4#v&Fqo17AA<-dNCoTJeEK&SH;
z=;#BUUjQu1A)4ZTaIWdtR~l@oWM+&rQE|)2<o)Xp!u>*Emtp5q<(&pk$~1Qe=?d2y
z9?aC1K~eW`5C>_1E6qFBS8V(v<rVx8X7Zk5$sP$Szz3DTFiL*){$P>IISOn9k<0eG
zj<`2Cua`6cSJLx6cpkb(KAofU(Yc%jt3^hC9#v*i%YLzFXmChBN14E=^hDi1U{2sd
zKQO@GcV~tEZ2kihB^WFy7-}2rI%1#jKLFKluv8WZ>vStBI`$_hiWv$*IFO~+Fex4L
z9|YBJ=+n6<2n0n*YES<s5bHfEDrv@hqPpe$KPvU51WDmTi*xv+iGGNFzmZrMDLWK@
zR?3Se!HgCy&^pZ`!-f4vwWv_>k%GP2<OvzUolwFQ-6TKkT8k8)x!!lbf+bn}`9is5
zs48vz#?%*I_Tlcsa6uAvCe<XWiS>5k|7e`xB}weg<Z2>%Ue9}sjWQNpsVtrZ<-g%#
zf8)Fa0QtX)Z9x}2wW0f8y<RZY=;8i_K>OW+g8`to+3r$MMEj%3O@p95@l4=j{P-s}
z4OFe|H0s8&6D8$1p%nF>ZO4W8o7YxyQ>iuAxuX@GM?k;$6PYF<2O2F|IXR_Mu|JS$
zBxX>709YiILl^=9Z{DxeD&fBoRE|QzVHl2^=<@%f^-Cx4LzE0OG%(nY5qQnn8BSJ8
zqSe?hDa!g5LgY?0%0INfZ$_=~4GMIB9}U_(36;4-!Z4J((Wz!o=f7Lw6Y{wy)*253
zLCmhDUqzU){(k8x1PI({K(>HS*5Pc0lt!J&OsBrSKCAUIXQ^TVycY<HVt(1|eYfHQ
zg?>HCu?D5xA-@Tg*#ss14(j}w!)j4<IEgL~q+W%ea6c&hJzq%p-p6i)o`X<I!d0EG
z+@SlK*$09XXP)-Q!!qSoXR9wOEe+EGbOgNv0~V6KAke}A$jw73mB{Udqt=H@JOt>m
zL)JkG2P(ZNNPz!$Xs5s-aKiz_oVLCoxQr+W@O0(w_;h=c2Rg4ZZw{R6Q@&1NHirLg
zy->(z;5dH#PaiU>pn;}%>ABSIe@E;9(GO89@Zva85sE9YsMYm?RKMPJZ!9w_S@EXL
zpf8-&{o0ILtx{`Z2S6@c9rgw~Rlf$^CQX4*R|g$Wr+G!$-f4nk)}1fT*^)Vswcao8
z+zz{lzwuv0-uL=+GECxv?jZKu?jVFC(`x4v&58gzjoJ^|?e1T_UvAWfQdx?|7<hS?
z31-~d?6!c5ElxDro!*%syq^@vz$%bVW#+1)oa<_^m;>xAb$IctI4@aUuLq!fA?ruL
zroZpqSZ;Rs4e1aLIr4)gn!s6hn$z}<fGSU>)%bSS3BrK614&TP`Xw%ck?{9HR+e&`
zt6hcH-JRt#mLNU+-#TyrnoZ(?UVP&W9rymSncQNa5xjl39sI-qg0=-C;tC^R(E_;7
zKtr8y51MNwLIE)DpE^uN(;Uy*?+zy&Vzp4^V!L_H+NS9~-us+)!PYw-D9Y#wJ%6`c
z5C&nRIK19o?ylzzW4L-aEa&AdbcwyL6=Z6&Jx;m!;G_304vMlB3qE~ieGi3}!Mosv
z@eU`p!F)Q{k{w^AN+*-qbWGak<p%p?r8T)f5;t#)o8{9c_;s^(i{oT3Hahe+_=r%j
z&@MKerl`xBSL0`Tf#-8bBm&OZEYC|x8UMSpwJJF4yVI2t?N(=N{iuZ7lO>BS2}jl(
z(-3`12@Y<tcht(~@j%}UNDI_G&}@>=;&pRekSAK7%a_C;Gk<vZw{k%FK|xuwqV<Pb
ze#<-=L3T0*LJoI|QktOo4f=1QiT34nW2q^PgRToT!^70R!J~f4&|}skEz+zv+j!?V
z5KTx;P5tQtkU!S|>bVjSh_PgTUcJ$R_e)tg7F}ryX6r*8THfZQWncd1C%H^+6+1o^
zf!F&y7J?XxG7u1fbKI?7{i4?X%VNE`tiYD<VD+Ygh12uBT@Q_9Cl$vb9EL`f<NUf}
z^4G!YB{qsm`0+sTo|R{}Ky{`;70X}yyD<r4nLK46gqbc=jZ16)@Ww|FLhNqa*-y^*
z26PQkwz;{vOrOc`rFrqQDUHQ6I=wUFUpQSwCY~boOR4*!Kq&{&6!AsOnB$K`D$-$3
zNL(^mtFurPOmKndl=IgiNce>yWQsLz#?7!!ew4W642B$U?mX%w^H}&hnzmCEQP-JL
zm9cY@3=%t&0dDIC+YR9&wJM!<We~U_b1w^)#5W3$?eZG=AVWO;-O$M}NDoG%&M)D~
z!;Mj`y?2{PdT5~)NXmkj8Z44G<LtAW{5}LMr>}sJ7L_&ZPpL6)4|~Ka`4VV-z(f-p
zu76fGW?l%6G(ZUWMQ`-LK=z8{B+Zj1a9C%~D{YxM7DY}PpQR=T1n&4^RT`sLvKgg9
zi^pMIp6rV79SpP#v0F)yx&Dfy*KWyoD&qYnbss>4t8|xDDIP<liE?c7iD(MK%*tW=
zXKr5S<q*xUI#an)t>#+(kYj)G+_1qS7Ps<4@GzJUkhZbrj6y}A6^^GT1*O^_CLht`
z_L#|o@-aoc;pXLD3RY#QT;T1ban0=U`hfMzFRJVZAv|#0p9l<XIX!w|tov#2Z>sHM
zJ=eL?)uQ&Ni%^8NkR<~d?mFLIVko3jatd%ex<fnv-XLQqQJW^GLRm!uO-E9MKspyU
zyM{%p&M3p@f}`C2d^zlXqNf|Ip9PIf9&L)(m2tM(p3ZKwDoq<kLKOC4Upv?E_Cp&<
z+3)KqcKEBW^hsp_&RCC{P4c0(2U7(N`UH+$uLM8MKu33-B;HjU{A-?9GG61}kZJVM
zI84GW1cIkt&Exz}(l&?w$hZVaH)Xn=9jn`Y)X1}4K=Cf=Kpw~a93(`@8AG%98lGIv
zzqboPR9lkR_hF0{vgQ*xLW|WObvr!GE9rd^_4@)q081F{?|<z%*}gdM`(emw<tBo^
z0OgZt<#UCDo>w7N<$h43%zs3p$0S9Bh<3`2LNg$H+kWi>9UE6OeIhIu5eIiV0WI5?
zxI0lCt0Xw^{8u9^+=!7+dPV?4E}BO7n=c>@E5S#D8T{=$-<++jQHO(UzkjxPl;3NB
ztWy+YePtVjUphSt9h{Nt4tyWJDU}Z4`+b8Tbjtl+E)tu$@~C;wz6}*LWl+Da&|le`
zhpTa%yAjjk%1gg4Zwit{x&{XTQ`F)ZWpApAfGKl<s%>~ZNRyqH-}}RNkga!^vVZ)H
zQ5&~)e*x*NX8Q2<!htEj-eoCUuL+q9&Qcf2_}rE0)NuhCzujiwY_kXgt?d6y1b^{$
zphck4R{#njw{ijnDkcqV{MSX~GU#(f>o95{l^uElc+BJBJG6<gb4SzhteFp~b6B@+
z`D*-nd}W(Awkwr>ZT`pUYCeL#@}Z2I7iLYH3i^FV_nW^C^a%RXBdAc-$G_5K_@Uc@
ziLfW)!z5)zbMPrZ!(+;;FLWK-R?)u5xA8YDe6Hygy;z)pzu+ab4fe~fafhiigoeX`
zo-I=wj{t0OBVy^RhdT1Dv^X7MTExDqsylX*{Kts(LyY<nMbTYSiWYo|m5z76XaqjJ
zX4!RSc+R`it{)52PP+}!xaw{pj~k3mSsW<iSMAI&yVtjiHID<?qE)UmOctlffQSnf
zxyVb{sc{Wbt1q~p9xitV)x~k{V+eU>M+MQ+E%l=Gmm71rf)T;p3=9F5NnOMB2Xxh-
zE&-iquxvx_dRE85%yRC=sTgdQa**OO>iM!CU(xDP?WsfJ@}QcGXK5c<)hNJZVY5T{
z3E{CDUpTfw5w*YEF12XI1_;_jHpFzkK3cSYuQqkffP~bEml<Z#i)=EVrl5Pf2LZm=
zfa+y9K;JgrOqP~7lx==SBhiJNgRyvWgqx$e@uJiDR9}LBmSJ2(KYY3<2^G?e*=#z*
zBG-CN8(&mQ4UlbTxv09~3Z<SvgJY#%0E45eQGur)Jv;^9z7bqgM-cku6Q_=dS~8Nm
z2C7o5Q0(5eGs)^t$W~N?K7{RnXg`60;hzUc^pTl6sFb9n-MW|~S!NK3ql}2#5V%mJ
zOb!bm8?quBMWXdzN_zhL^9&A(lHDHe&xi9hWFTLeW}g|f2kiHf=ls0{{Wh%+a6qoi
z!TrWi#lN%&L~#FGfQ{vL_`iw$1-U`lw%p!L_Wy@R&;c^tj`8uEN&j?OqJLX-(ZrR@
zX@7|EwE@}EPyN8kfBNn(1<p4FWfyIQ&@@u~A!Z#P)W(jQIGTUd{4Z($*P1TjBI-IE
zHhsMnY*qiTjl1STr}n3hG6fCs;IRA&Y4~dn{M~Lrt4%Ap!d+rzD5HdJ@`4lwv@g^@
zJK0~1O%G_r-ag)s_X`8)PGkq+0H50@%}1-dE>Un2zds$aDOd>I&P&X%Lmp}q90`@7
z=UZeHFkV}KI20g<-0S_sH+x+7%r}20;lKc~Pu+ixR=)Y~o;w&I3j&=Q{OwnPmTZZS
zp#0AyPdic#w4QxZ|674TMC&G^Kjz@|g#+obC_>Kz9xm0j&=~%=%!9llzjP!&7ZbV~
zEo!yU>b?X_QcLh~*MC=Rn?On;%DK^HT*b5S0Pw27doMZ<7xzDn0F9UJG}&(wG<dX*
zgQMEze?BbwJ@>+dL6ZqWOE?fi#pXlxzh?*sAIPi4AkwE2<)o*NE|klb1sST1vIX`#
zL&{Y;eDDYeQZwNfCsg>ODa3L$c9jO#r$mx+zankjekzobo`W2LX^?_C;gXV)?k|{T
z%gkI#?5+aJHB5_$vN?6WjeCfLfZZFbe!Y|`Xq+Cmv}~61u^^9uhgvaTqBKd2S&knn
zjm-iGvbafq`$2=r#rcUJpenVRg=tjFNm^Gbrw226IQ*{e9ddgwz7k#X*{=JJ-+6-U
z*xxq1?&QlO0-CHZWsRuo%j3<jdUGZB%`nRS+z_H~Aje<=^t}m{#cX*!$hZRe66w0@
zN|y$+wR0aI)9i;04Bke56$@QrY!LFCD8Dw~JeEpfHdwtoNGi%uC-X&C2Gx-%>IyP5
zuR%tYCM^2{P+WW(WIL7!2f<V5a!G%L+NBRI!shPZ-`?{|NIm4mxPLKU;ZO4ZOe`0o
zYFbcSoJgITZ$V;vJkLZep95yK+!RNxT5je_d2|N)4CEkAoJew(m7M7ffJv{F0=m7i
z0y&%MZ@%w!#JoO!{!R<}X6R!tCbLdG2pKz#t?QW^#@L~T^D~vhCQFw@IBbii3xvu2
z?SeTK&9NX#TzcKD6b&nZ?wQAj!N-FDl!A%sq|2=?Htrii*u@~n!kXmnWGQ(90gu%z
zHvKJ%ccE@hw)4%rXkPsr3b22&;s0yzt-`A8zUWaDC8Q;#l@dX^yFogXu1zBX(%nc&
zNJw`}BS?35hteV4-SA)g(@($OdCukk;#{1Y{XA|rZ>_cF8gtAs=9?d+2-eR@VF(vW
zXx7vUnaS-~ANwKOsEjsnrqD0?5O<{=oq#dkPzw-%tT>Nge6Q}6CG#lX@SSSFctsHe
zPmF;|)1PrY9K<HwE%f=t1JsmbMWbyjU<{HV@wjFL;>6E~YlA7zbRS%~XG^R;VHtM6
zxm5V}c03nk0@U6DNnCce8tU27`_pUL5`q>ZB9-RTV!$keAmQ6zi7QD+cDpf}vjGx3
zsF!F1HF(kTb_akzXmStmobD;=rYe}_(!kTxFmwab(_H(VDcNe@;`i)5jV9krrW~e{
z^+X)^83^p|UPLE9ClZu0M#Ml}sfN2sYnMWO#-ra6EdMo}gB`}J<gv8xGFBme$_HX6
ziGY0+PoDO&s<mVnXzoaz9A@x-8NG=e-<(?PLpuerm%N1ebF1J8$il%O|6L|XR$BKD
zFCU)0P%TMKCX##yFAlCMv0K!aN-kMCb~BmFE^pFD5+$q+eer|T(ne?CLAhayFzoAU
z0}kF>6Ao6($FCNN=a1{JutEsUGP2B;O^+0~XCrunH+i??xx~)>X+9_=M8ArW0`y2C
z!y&A{HUzL9#|I5=S0<B1TCek!U-l&P)}9_+qbccXR9cLWa+n<FDHr0u=RzLkbKGD+
z@d0xjWbAr?H#wcQbf66T63gpyD(~vb1Jc^To%rHIE;1Lw2hUo%2+o48@R*H|p_GRO
zH4NH<HFGsAJhn`{Q3k6AV`wLq)=!18E1M6)n413oxKVbkH@1xj0&^aIB#J-VF5q~p
zN*|G@V)Ld8JAa$Sv?ioTn=EK)^HjPJAx~#g0T(ke%xgZo-yWZRSS*H)fKTKbF;b3E
zh}+}}$+?zleY327%sv8BBi~^3$5b9ye!pHjalCJ)7=rCVH9h8<NGrG}XeSV`<*NHV
zEYt?#!40smY^TjD)hGkM^Z~lyF`q=W^~%U4pPbeX_~-h63?70&7e29vWYkD{C6o+;
z#PDT5NdKmpQf$@+He644XY&n_o)hrNcW>+u3-kHa-rZig^$de#JdJi}371AWcp#Be
z7)X7nf|&#-lp9=~EaqoYJ}OFfdIcjMvYTA?qb`2Lc_|qlK4EvCi4xXKSFK2s^Tt@V
z)iwCA{Sb?Iq}|51m3giN;^UspYBq8FB7@UiFKjqD)%-zd6<TmZ`kXG?Xx?qAjIYQ8
zbK<F~7jN>;qf7)l18d+4ym)Q1OmYNeq3nuQSV7O#yvN;eIGK22%;C@O)}1D;0UHl^
zlYGGl`8zL?{TBAt86z@2qdAbci2x0MhQpkbc+7Aj-6nN%%x9^sL97#e9}35cSfb`i
z)HB#0*;J@i{4;1qPYz@=l403hx4cWO9(@?|dknwAVt@uz3|YYQ^-!Bn3sBXzwI|~$
zIv2?Lc4@tR?d2<DYQ<7t)BJGBMQ$fB#99M8zDdQ<9bc@aj4H|T8iu!ooIUbGIJy!*
z(dZa@H^HV}{q@Xmv@V7DsCVVEq;d~mifol5JEU+4&pk(tCXTz3CV4R>b{@c6DUU=*
z)cLe!<3`vyfn{Bq&OT7u1Vh=Qcox%$g!gyr!x>}QG6b{eAdCK&EQz_T@{)FzRF_W%
z1Eu5xhhnR3A|WV$ARXf8252(dwIqklbRSwE{SwSM18mz?U9gLH1&UShA>7C@+_M(a
z6%czTQMmD4U0?U3ir^6yXKu~{HfKqUuFokpOz@Kcam12!RIO}Gan;uMkYnpLgp8z*
zUl}GKZN=ChVwMypR8_wBocWJBH&|5prx=cu&JR0{x)=0^%!kW3%z5{BN+31Tv!A--
zPVthwns+xXq~h_=Rw&BT?0^~2!M~SYqa|icpa|nyC4YBdrBm@Pj`Df#mNLmbY3hcH
z)dc4U$S3e(Mqrwy<Fme94`*!6hV0H%*A#i7FTx%JRK3OJHGmg-u<MC+ci2m>p1#bP
z&Sw2n!aEv`%wotXnZwHa6J>A!qg~t>*IO7b2Ma(TUSgf#i1m`%D5H`r03JzYYs;(O
zpTs?PkKn`+Y)DYnZKN#_b5`Qzz90dtx91reM;sACelbuc@T0%X{K&5xxaL!_41hrn
zusX#@j_jy{qq1Va9X#9+!3VKA8*HB&{GZ;U^U??{N2_{bqKoR@+a`umVVBW#T6xo@
zAarX-l12@0YrE{Q&PFd@WGwr#nSj;p%l23-$OxV(j16mN6~tO;yl$U+N`a3l%6IxM
zj)3YaUluDFDgw2&&K)IXbyU8c2_@pr1-nemuD-wn)Fd4A_hUL^C}pke_vYbTk%sQ=
zlh;GJSXPUf?}VZxIV;9N_ra8!^mRbn<L{#1MCw82rmS0Q>fQ##p%|b8C#D>1<pqKc
zq!)FU4aT1^b)x;VE}YV@=^L+^(lUGp3i#psnRcHrbF5dvFUwPHxt^jJ(j0rL?3c^>
zUckmV8grKkYsC#W9S$a{_ghjv&u{GSykmqP?c{lud;akCyOOl@^mHutcx{N{Xhs*=
zBsO+K9;Ix>1+7?brJgOGZ$6M~h2TBOalhu2HNDfLWiYy<(h0Ty=mCrcCwDx`Z}N8}
z_*E{<@_Jnu2O5ib^~T4ZG#uGV(RN{0JW~eTM99*xTsw)LF)gvE{B=6_V0EbqARQHX
znD&mDQLFB~=IP0I9Glp;zCDE3{AM!T;$%TcYR;qKUX4t@MsL<Ko~w|NxV8!#g?sVP
zdd39}OGIa_LuR~CgFUw-?ZHx5=#m)u!o15~J+9=Tg%uwGVgA<Z&RxdMguUglK2A1P
zUG%cqh<7X9Cn%FBmG1*(3~9FZi?#UG&4FCmJ;_pO&mAv++5DVFyMAB2JOkC{+NrU6
zQ%moV@lZdcesh*yd2;1(7}usl?EqtkVeh;tvw5C|9G!<k=hfln*6@JCy}kCFl=eI_
z@$G0U%;oMj=>wCZrEtz-6KO)MNG*DgF`e6W8cKeP$xk@R6vZ_QtAjrU4{|^KvOnx$
zMryYwiSDp_+`6{U>Bk>|9uqv!UH~HfPDJn-;$g}>&Uvw2)fdcx%D|HTMtW}cI&#Z5
zFn%fAs<E4qTJaj=4Uc5@dFvWZw8}e$ckA1$#(a<wBfb-tz9hr;jM1PF_4<|&B5vii
zLGu2s_(iV@&%j)ZMmF;)14o*=tK=#!ddel3!FcZRM~<;X3=n<c-qWzaI?h}^G1pyr
z>Ir>kEgyJ?AuLSyVlIES=<ZxY!m_o>dG~z2n`5Q2m=(t4Sy0Saw?i>!+N`7Zcg$UD
zt}4Hku4YbeM3TmuwSYfCR<$wi0Ui;aqvbd73-i@B#_dVcgqL<aK?SPDJM6)0?ea^c
zC{cmkHOAJ_YdmG%7?|xujJ;dR$p{(^z5daOdz~j5h3V(VAAfMRN9eThQ)tFNZK>i+
z)>h<smR807MZn#0lY(NGGm`}tW3gXjDT&+>=&LUnm|z!EpM{2TcLn8KElJ^sFj+Y*
zQ8=V;KcV9s@OpV>k9|gaLphnRLJ!r%_s21dv%Vec+G0A3zz*wkylC|ir->Ser{%?f
z^b*KH1|z9<-nQpCvO0Llcnz^xtgJ_|dW<GHR+y~qi?1OU$-jXY>{q&nQlq$6H%K0}
zwfGUGa0^m$;W%e8EgR|zivb}c#&$qIePgzSQfzP|N+gmq9b}Sb)0qL$zBuSgS;BZl
z@6qaGT#OZ#iI)>k+5~I>f=rRb#HC6+{X59_z5AF6f^r~9?yIoKcqPcqUuRa|rxC(S
z`2sKc7ggEC&kuX~vFImPRxBOK{SbU$E(wqYjbTJ4W0u1?X5;ohWE49#pC1LJ5SJfd
zM;lMS2DG@F*6AS$lR?0ef)%}oBMkh{wGDwPMs$oWU=CqqXez_f?)J(};I>Y__gL6>
z^pIJUSFp2J#m$SqSCz+devOk$hbLkAsK)9kmLh>9;m@-XDf)-JFunu4y`RVA_-_ob
zSQqFwCF>V6EG3^2`qducccLy}c-T{k7H^w9c~Q;MGQ&MS%6+|9+P5a=0v90`OsJnx
zapUBKs7ycOgmh=TIG|6>rYvI%F<%`ToXPRG%q%5rME9j07La-Z=|NQrX(;GQ+xp=9
z(3!o=hvoj3ijXke4r%tlzQ19dt4vvw9#IENY{#+fbNXyJU|nPwkulZhl=dJnBOq{6
zzYz+8td|!S!7o?74N0mw4b3`%mx+K=Y7=99X1ZjeqD8<yC-(BPO|hA~)pV&u`gI}o
zmeb>z2!*&WTb)+rC$ULz4m~1T+|{-TfnZY|JvX1^jBZFV&d@bPVQ*2jm?%(lb|x52
z{Uk0x5=!m3{sZWKTNFG>JF@BF)iAPuGQN4#NkY5%qbw&ulw%Gl`Q@;)tFIR-vC_g&
zNDE|&c<(-Kw;N}dL#jr(vx;jwVh70<0<+f<b%+4|xu$Lp-sn;?>K?Z8g_pViXQT;L
z)UPlSPxevvS5hB#l(R;%^pbWVaj7MHeXUEzk|QP^vU_NrK@XqE!<sIQg<yvouP1>c
z&sJWjijOpcmv4+pjTq*MSw5Xi_X!Jm@o9BalpU$*gYwQ#OsTuVhp-!PbBNMsE}ISg
zD+m*+bcOs%T>|nkq-uvN1<BMc>2tzw103!@CM`e;-Xom4e|}|?)<q~3=);tH<4p@M
zRrzpPeog(`TkMkE*wM%O)el%AJ|d8D;yo59^TXx)rbYT}#zBDa<cax|Q>&cU*6V;&
zCncuZ4^_h=9C&(xb`ORHgmJeA502v!=!OuGMqp5gY~Pre3@se3`%e@+fdtPVi}(t@
z+lL_jOucFIXMBCuX+4o#0eNO7F`{<*nZgE7^oW$6!q$>EkRe|uSN^3x>REM=CfXg-
zvq<e4%Vr!tW7&FlYn(hyMorw8QLa3D)Gr@HqA+Td&|jd_;1vt5A!e}1p}d$#@>4*!
z^=KgE3m7^9NL&dX@dJX7h_{K?`lZcKnh<?rB3&Um1aB{GIT*Es-#_#ty*DoMtK*o8
zMzbMVA*ung#9QxbEuVWh+gbwqPRDNu_`Ov@0xD_dDJZWPiI7pkBbCnDXj1DaqGYBe
z=so<j^y@>xMBTvm>K@skvgR|<x-^S4k*4oc15+n}H=Num26Gm)N3^Xm@)*Of^aU3e
zZT+K7oV1L)pOJFqD01=`97Fw*zN1kr-UM*$@LHixdBZzPD13<IA+aYkQY4O&PY(UV
zGnS9BShK$r-cFeBC-2sSs)a5~C67?*d27l$iL#T@CAfJ-2lA1CwpPvZc;N~8><&9t
z<7Am9k42Kl6)hW=KRsi4yYWdNR;jTpQP@6pi)Qi%yY!U(j>`3mUKLG7q5jU#-ioF&
z_z=1TAaate%Wn9AAa>wCz??hHi3!(k(6Ir(lbLgiHiB^Ux-y65{uEEy>z26hC>#jN
z`1dyaKKtB8cUO;7?8M-iKJX|>;(D8ccv+2JQ16*S?y7w`e|MW>H^T?3s_A*$G|9r8
zX#fj{ToSPINsJ-wYaLD>FC0xsNuMWg+)vXGhHcRTO}$JE(~CH3`0vF9ottw9GqErl
zS|eX`jgy@^4&#3?W5o$SxB5gyQ1~MGhRJyEC^kfsF)E$Z19_rUu=wrGQE-AHez;K}
zgWO9RZ8otjKOZ;rZlc|xr?pcRyxMmw#oMH44EWyjr$h%m1z#E+hl?y;F^IfSyQ!Hl
zJA7%<$wtR@{nM0fJjbH|$o3NuJO+P0A%D;zeRtcdCu2{_CgooFMLVS<FK1IMUnZe`
zdBZdCnqGC8*;WWzQGKYTSAyz$uj5$*;aMGan3#)}-vPWFwabMtGvac(Zh#8|37kQb
zlCt1NW!<AlKOTYCDE$`>{0v7j?{j2-*tszVuWZ)g_p7^zyD_!kT|#7>e>@M};l*NU
zfn#Lb8jFk=+!!r7%W=2y#~^kOad<T8#<{G8e=bTp$uFK;f3^L#uZrWLHJVRNCWp3@
z;DIDOUu2VbLXORB(a{UEAeH#{N6fP5(c=AB#V;U^8(|Q=Kn7cT(iU1on{1m5RK<9N
z)^(ci6}~D4`(`QV2$8ze-U1t{TE-VaOP^V<=a8oG)@e~XrG%Zwsg~72ssu_X%kJ`U
zI;ctPIwuF!YspGHm`gNy2_EY1*+5Dz7Aw9!+w+cZ5j%9|9Klj!2NSparD+I48M)BI
z=_e~c7|qvvX%b?e?z;q^Dg>`QRt{$%GyJCa;5zsXneJ;(-0sm$tj`fK)}`dqtH(-*
z=UHNi6GwO}Cnud5jro%`5=%>2bUqwJ{x9cQn<W?`m`9xI3(uYt@g4eQ@$kNXv!TEp
z<|y1~&06rP`b;;F;n4FlS1>Mb2*SQ#Yi}rqHZ#Q2i_AG<{iO@nF_U0KVX!U^y>>yM
z?}acTjhi-|#7b8<nOY!2fwyJ#3XZnhLVyOw@I}iD{PTcW<bmoI*vY}%k;&r}h0YoG
zYT}nmHKtVx`h-bzzKp?>d{5RHB7Agob_?RPo?jq8+3jg9q+N9g+~RCe<HWn*TrOSI
zd@!GKL}(gSvr68jd;oh<+9#;7rNMf<UI2MWAO}yz75vC0G-6>ECQu~a2)75+ne<=d
zkr?Lxz?*pbcEtOQPQ-K;u(vg{7c2T4`keb1I2B3zpt91x%ylfZq+eDqXlRl$yVPQR
zN)gD=6Y|Dth|M`PswDt@hk|Rb3ceMBjjlb?$1&b$f+k3;>lzzR*1}-@)AYTRVyCl_
z)*A1$$Fi6zY_S!?K!{E-`O#ySjxV<|fD~ZnT3>K<#~n&*K7!0vCxpM~y?70DEwj5A
z5dQN8*mkMwEY4@h5n*o<RMXd$jq))kF1IXe$60Ck3zC~_))S%;a%xHmSy-SIS2o%v
z{6N)Z)EY%R^CtA(6nTEtS;^;%&c{I+gV`mklY@^NFPyCID3+OPU+y*<<|j?rhGn5B
zcSyyxtYc4TonAc;3c|Hnr|&nsGL+=0zkNm9F1T#UQBg}1O_ey+fb)uIO7yGO2dk%6
zjSMYbMIkh$6Il>Oha>e&hU+H##AMV(CubRgW&wKS9imA1!jIkx582Vx2aVf&(qbX5
zzM>sz%pKmls_@u@*!Z+~NNSt~PlCRQLE7MjVNFU>$J?AohOG2pk+rj0o?ve!#fR9Z
zRxT44A8{RuJ}KBlpRoLpj48(Y@W(m4Go49&Y6jDF5@Oac>@K}xnSCjXLx$Aa$MiV|
z6%Iq=tEwF;)$Lw7%K?V?Ghw4VdC;l#bZ3okvJ5q8zvh)%?jy_ZE#~C2N<KFnJzp8s
zaw#ocAyx8+aZJ3)@n02^HMH0sOP`1I;EOF^8KlFV)J>L)c;s0nsKz&T-^@LK5sbet
zYeQo9F`X$(%kWr&Yk``cI*VPfiK|c*9@iXglde2mI=y@tIar%#Hci++fZyF0g*n*H
z7Xy9^Bcq=QIa7DY&jv4eiAaFAjTNsqt-sZILiHndhxHIn3kRauYrg~X!)Cj-PM1z1
z5%XO5)*K+<Fcs$1NsxDp{xQjke9_loB$2=!Ae#V#X9FQa$CGYe)OujyIJiF-jK}Dm
z`o>R~>pAX}WkE>DNi;7J%cyEE;T~(t!dz)KN3eCOs6qNR&cjRdC=5rzj2>SFg4HFh
z52z`K{?pD)3}dbMCGVRCXK-L#c6rvnCCoA*9z5vKF`+Njrtk3!d83QuWv8ORzrVv|
zDf<A0i)D}@UC0rS=brd?F^2B3ooAZ_Xb2`mjGI_23leB2nE0=C(fsWnRkh-kpqqu3
z^3gK*wjQ<AZ2Q6bHBHwgzdUT48t`l7_LRXXv4U&KXh<hc@5{w>+-+dla-2K2Ux;gB
zz(2vRczSM;%J)8}sY~oG8_FN(nOlu<zSFxeT{^(KzdEd?HNRiTK#1vb6TClDddjrP
zyvdQwKY`$1%E`v`gwM5V;sY7+CPn#@iP?g#CVZc~2XZIuo0=m0wX`<ICFff`GL*3=
z-#5>#bLofXmy_D?$C^2|1wF0#XD#vCS8ZoMVz3t$lO=A7e1~~NgQC0qfTgWO`Q%%T
zCk9{PoseFcO=UWgwDRE^QpWwdKsfu0NBVkOg9m4yD|SjoUr|y9sC?y!#NX<lyQYZT
zp4@Lq_iB|2L}L$DyRT-T&*;`BsQ<{i*(?{%wdnkL(>j8kXH2E!>D9h8dM*4S+Q;z>
zuaal|$yOs%7q_svX7;nMUbvF%jlCfkpg=l+vv|$7x<tg)#~ry-dDNMhOYT67goSX8
z8n+D3<>!U2%-al)=0|r96U%Sku(X^3&*X!K7a%P8O@-lWOD8tc0$GZ#1H#dp-SUMn
z`+G#Nb@L|T_n$0#^V~BlM=`<OcMV1re>;yBKpKF)i`a%pgntC%Q|;=<h;P5t>Xu3*
zLvsd+!rbAW5-vY$dIJ1uhHWo6zb9e%5+q47AFz$EL5J(D>(&sZZl%(gg2$Q9T39Fy
zT%c!6@tS4B-58hA)q{GgM^p6gU()ywU~w(3n>?H@ddj2RZ_4NVc!$TKn?~(vi}t7U
zd9{IORsU11BSj#`xEHLgZxCy@7)`y%rOd`SNUI9R;*^dFYywnVin%Q2d`=y<?N-mB
zy2z(3IG+My{#%u!4uXkhZ2wyRU8-qR5a*syFB{*zN(ftLdjY=KK<$9`3lY2~@-?m&
zqtq4E|0y++nm>DARz#L)#L{AVR4V!9za>ia2lt<X3gNw{PcTqlzxi47&k4JIVC=~f
z7$8DJfz1pkwad-&G-TY{>j7_gA1~{g4w`jRQU>|fdm(f&*L&$+bxDF!27{2V+Zg)6
ze+#jsNx#aIk1%9&ST!yFr~F9*Re8dQ1(by0Kb!k+T{%+;luW63R6$j|+^^UCzva#a
zSWt(?Y2xwNq(IV1zvobp&J;JOrj050|EQWGd7%xcWE7UpY0$D)8?v+3*vUm$Qsz0j
z^}K#|fubDgcENI#^az73<7wyroLLT9tmRPw=ScnE2fu*~Ju%wrfRcyLmni;I8yDab
zCKbkj@YJqjy8%y_Y-5;0K#7jy&-DKe+s1vbD9RQ!;vE?bhtJaX1-EE0Fn4!v6fsv|
zV2Bc-JkriAQk{(9ZRf$fRiln|!egbb1$62!5^dzyrq6mvC3`+Hi3oj(4a!bqqRWc%
zt9!J;MkgBgG-m9*P+E9zl_(yisKr*J`(WQ(8T}xqaf;h1pUaLL-_{9$$Hv9qPSy8v
zoa!6aI2+g0Ohap5MNMzKJo?!;aS=y+;{k6`>dv<7{bnR}9kON2^2`(FJ_0H9gFL1w
zm#p7lc_RpdJDV}4yrJ!^q3R-wAH?dR`A9i0CQ|s>9Q#XlL5^BWQ&ziByO=dg)0Zgu
z%BAjNWWNtV>M3B2i0tGLXRytWWk2i|&+=(*m%rHJ0i^g8dGf=bGX=s3ejiZ?M$nKq
z5rVn*09^olC`x;hzT1%ZE_wKY^4B-$0;KH^5L%*9DgLkjP-cac$K~|hD>=Csnxd)}
z>$THtlhD$XK;?hW+{AtV0Ypki1k)Fke`$2wFS0bPyD2D5)MXR)vz2mWUjdEIO4%S^
zB#?QC+wu+*Vh#uXpoZK}U^9>KxIIcyOcy~k1<JmbA|HCOe{PX<7<xoBa6};R7rOwZ
zkd?grq6l1V$7bt^Hun1SrH|=PO#royp(D-GDdK8vFCE}{dIucohCrnARlhUTR})qz
z=$~iki3@!$+FhpT&^}0_z3|S*>rX+`q+<hgK8M}JCttM7O~S`=6<Vz)7iGY;x#OtU
zJx^^c-_U_aXwlv#Dnf)lbkbsQ6r7F32auOUL(bD5kZ|J_*oxs6f$pydl)z{JhgCXL
zT2CFXzipg8ZU!#D_yl3n2YLmc5bk-Gi1Jbio&%9}1SXYi7hu~BK(m-+B8&#0`7;E{
z)R9~TvR<O;gmlgh_w4-%z?$~V-=4Dn076Ag=Z!4uQ5p8Qk%+^UUjM!8`Dn|=8|8^Y
z4Jv<Bq6pxP?fN#UP1F7n7i~&sFy}@AG?coy+$uH%RjX{&3hjF5!{spk9(WR0Qc(0`
zo>xf~@JiKpvurqDLi$l<m66Efq)69zZEXsqYgp8ZZD&?}?zh0tzj_G-eb9n>IN<T)
zb@FacialN#q57kdM1#^>7ys=6+Lt%^(TusTzbHmeW=;T@%Y5e1iozb-h+u&0YnOQr
z+DyfOT96c=2!6(!6?GrSf4#Qm6ZvO^n_8hGye5M03kvMULeUc%(J$WglnFWlc_5S3
zl89QJW9f>;4j2%9ex>(YK&5E80V@3$k*?r8S%8cAs@MK#_)~tfk}%}MBW!QfkyFqp
zqZ_oge0RS9jz1|DI6>i@HnL(eML*))-t1K^qbglZ)j8Q<eg)b=U9n~==~z-ZzKhH+
zixUC`g8PM)bB823^tShb*Zbz@_Kz}aP|}bZP8VI-^SG;Z1<h6tH}i|*^?gvg+6f8=
ziFh1K5F6CfQ|HrG@%>o)JV5_aYoHl`b8Dq3u6wrJ85RTh=~(nSw<~+h_dwW62_6L6
z)a04bLX($~b>?k)S|dyDH$RJ;tX$B41CoV-KQONDV*|2AP*`}eI(6(kCfDon{h!s2
zE`jZ3fYP$mW@W~?g3@_PufOLYI6noXqQ<LzakmvtN2{EmPIuUN*7Ffe3vP@3p5YY{
z8)<T#1vpO7ZjTRA>kcZ8vY=5Wk;4O~?J_VYI6+C$PBw*)=s1r1?bcY4*0hzdmHZWW
z44YLMKSBv=WNJ@8UU_^^ZLk)POq#8AxC*mrEnTLgS*yypyk(n5Vn^oQ&Hc7qguG<d
zGcH$e;gI>m%IDp8CvA@#JDWlaJk-lRl%mknKyG~EvE5K~Zi_CvnO7l#JC~~tjaNxW
z`>kl)7A0txeTBvjMYX$JHgbX_RhDCyK!surs42|j;btFrA_s#RC!qiKnR5DPC3y-k
zAtAdPe_=i9*Q^{Kt^B-Cx_#?3^}y$7ZSX3s4$pU%-!ftASjXT2eL5$l_h`J<3^r>b
zR9s$DtI<e^Gc}{2*r^rXifD_<^S!VewU!^H1!%4h_p-f|gf$l?DlK)^TG9BA*?CXD
z>kq^->R;~(>zKf7&(*t_*u37G9X1j#<}ND)-UdOhGm!p<YQSNP;W!rfK`OD@hD$c5
zp=Hi0vX!_RQ;CW9BvsHJ79CtAFZWMCRd7wy{)b^GcOX+q+~n^~q)^~1+#(Bh*kp;T
zeHO;$xH|Kf-pmcT`PFv(#UicR9!rla4Xf6)J*KjoC;f~+l8+m?O-y~cH=lQgk+9qE
z1{AIH7mA}6o{bBO1>-?By~-{l>!NW?UcLto`u<8=(8@|Il#p5`o`rGm+ja}l2ey;x
z?B*Mwov-eUGBN4)v{27pgtM&%(X{_+=x!LBr928UU16R^va(*!ooBvFm4CGEp<`-l
zdV55t_Ep5zFd|0B{l`4crH~X^IdUclv#VrU&t$gZzm2t4n0EW0+AQQ@$nhNb5^~%3
zMTvY59j+M85bp)0XNV*-)3m?+uN@;olvGWM>@mKtU5hg4i6sK7vXGtDLi8Ea;io*Y
z)6ejxu*Zk$RIhJV*&7+n;EmZBX^&gLcpejm*Ui`1<r^3n1ZX^dx+{@sQlCG;=ntn|
zNJR{a0C8B+Kb*eNm)k3Enc01$M3^krnU@Y8tyw5wL&*R!qUUW4E&u3M9Z=@<^BPy{
zH~E9TiM5f#q-yY;3ur=;samSH6nY%5wOhN#SG`j){d2PM_S*@%L)4G!baXslplEVu
zZr+b+yv{no)5(}1-x@{y@q2;VgAktuUq*m2p}<V!g*<D!!GdBBwaA1LLkOLdRqH1i
zGHHlsfZPZpg(+VD8J`ml_a;JVsCw-RqEULhrAnniGfyFXzRS=!rtN2VH^q31;Rg_u
zg?g7Ww#Wn5d7`isu4e^g-?=1-HnJO^SAAPQT;spv92MTJ*`gZ`^ah1B)~ofOd`Skm
zkt^?}fuf_m&<YJ7W8zbz&6=#!<wlOV|B&B5`=LM&BD(KOt#~c;3PQd3y4U!N6E;B_
zW-lxXP1>Y9L~W#va4PJzz6ch-ilHhquZd^|y*owjME0g_5$SKr8tI-GX|%j+_I}9Z
zc4<3&cyAs@27LlPgy(F=W@!RNDl=oPVXt>X&h1eecVIt>x^UPX=xx~d2&X|oMGI9{
z#c{}`oEKSCC2lBO$L{2_e--AvEHDg4h%5;Sx8p)2--tM#6-Z@m1Yy;re<;Ff{(a4P
zNaSYdvgZbzg$k&%bu4PKDoE$cBzJhufoct5tFg3lc!z1+n`X))Lx?tM(?IlWsqFlI
z5(o9BtH5<(qKs?Txk@ml8jaCvMi;OA(q}g{a%JWa`>ugYZ9q%5|4v)SS2lW-&4Fdc
zN*u&UA|1D_d0Xq)tM?c=KsE)TQ8{<$X+}!w%AVYzGsLlvx*EdFaX#4$E!sw}+NiI|
zA_=W!v(_zJj*jKnof--y#;y5MCcA%Bn4Fff_2@AdbqNr3Kq6O;ZIViIF_BK{(h>*~
zi7MfKSiw51i`R+&!aURuV`+^q-caR`wOmrI0LOArQFETh<piQCS2eXlf~>@-v)W7C
z=fJxn5`)pth>^shOGSh+apH8ch@);?Xjjd3n7hSjR$me=xSm-t)PLg<EuFw7lk9e?
zrewXOA+9RUr31tPNBhY0jF+EKwDeW?rd4bT3=uAqE_D%zSnXm=nIl)`T=saGFSlt(
z5Uz>cKKT_{6=W20<rSel8}`p$Z);F}R|EHzpd-tmJ0g2dnItOhCJXKUFrw-1p%DbM
zWcUWyYlg|J6;gG}0y7f1WS$?vKmCXn*mAvU$rGqMhq?o5R=?ezeYva83om+85D7E8
zvT^Ny)sXXcJa5(gWU4${!|c<^J*K#EqAR&3q~GyEgj7x37ZZ%tmRmk%&hg;ZC5*2`
zrAcVu@l3_d42CXdk?lxy(O9Y>OvM|r`(fjqYFj{pBNsiIiXYamB|NE_Fwy&#VSGP-
zk#iye&hiG;?S67J%lestO2h&knKAMEMVGIM#7ZT)&9w9~jpDE+6UbYV_&;P2#v&hT
zYXH<Fb7x{=Ec|PjK11Q;T;E1O$qE*t`AD}j8qdDx>jG8ArLBO~*Z{eK&|lG=)YB9G
zA^556t5ec<)fDl+A_Ww^3xOj%CB2L$eJ7aq54eOLSb`B6LWB`paIpUT)C&uf6hVV4
z>i_@Y{|6qA5;el!k23MRH~Ex6;r|)z2HJFW`$D}$qrU&<YCrj*V>n2L*aDAA_z7ry
zH9~Q!SL4kxfqZ9T@bIe@*j$+my3o}?#&Hec^k;x1x`UrE>sccj4<v>IA>qf{0*%Td
zkd2U0u7w<v12`B7{C`ql3YPJZlaUFJjE?p<sO@(7|DI!?_Mo$oE{q&uFo9jJBb10{
zQrpG+`;*=3HR5WZ4Q`z}s)1_#m<)TcoB)UwEp`CLMgXweVl_K}40ffolNb{vK8f2Q
z8q(_5{<AJTQDhbf<J{taKuptN)=rI>$#z{{twh(WK&uus-1!o*(%>5K`-U&1plRry
zgwK0gpR5%o>)B%vJ-UJN={X4LpJTM0yQ9Q-F4r@v`79R@wH+59GQUVv5j+Pv$_PrC
z_^xc3giHai`(7~-8)ig^^B~s=Cg$ZDbvyrOp@EOX6lm_d_T{lJG;m!2-Q`L*RZ0{9
z%&!2#F>La@7tI~oKwa!p5-Pxd*hTggG};ZIR~J4Cz#y}>m2RUl7XO{2N~l9eW=oL*
zK`xe|c_t|uo(J@dw_f?I(gXTdL#mhWSWVw+S6U<ya@k4%v9GQqe-JMHZ6lG8_6Il!
zuk77MHftRaLq?aEmw(Dg_mDyloeL$yfUahc8>)Je5^h80MDcz3FW1Sc4>|}|M&<ZF
zgDfuomA*QO>#!)U+CaR6jQVXV#2&~NfQ}mjin<IzE~8kgC;A0E)|vOMC`PYY_k(1U
zd8jkQLLvZqP_?Mppe&mQpo^M-?Hz+5HfZ~cFf)6{#e!fqyANKR(Eqa<D8YMr=^F`^
z(7a1hl5zi?7gFGUA2LLc7DRpnelW5^^=}a%HAwi32u=Hx!ni>~zeUc~tJ0qJit6iz
zqA3)$A=W#Gz`~=l+yVGttgMcpHNG^!y~nbnE|f-A-5}HZ$f9<Kjrqqekj0&`UU|U5
zErMb0)^eDoc!-1(1?_1MY<jEn^vd)sv1UVqrlxJ6Yq;UTQhR9)^1v?u4|AWIQ~<rg
zR*zgz6>apJ6B70dEL%7&#X^U@IU{n`<FZtuqlJ)Y!5N^aAAx3T0pE<iSM-6=?v+L<
zy)FODxE@d`>o@utSBPB)eRn)RX2yA|a0IaOCBv&j`qoF<y}Y(d(<!&dIRSDuOKph5
z!y7x(l~N$9B;yMu`gg#-K?Cz`2n&J+Dyt0mfA;3DVEV`HJf5^CisJ>Wz>Ib8%fmkA
zK?#t%W}1#>8$Ap}qN@@RGIO_k7B>NVwmwWYx;666n-yWpx3)>fr^L@gD@WBV93BN9
z>)c9O$6;fn-E~k!$Bm-#yq(_Kc9&7VqYDV3`_+3u+bNsSP($N?XQm8vX6o1w_}XD9
z_fpvUvJ|ryBJGZSiF{HxS8bC690jvcFV@L9h_J^gI&HNUo0$AT{U8qB^819ysg?%-
z(9%1WCRLN9*V|=-@t1m9*)qLo$FJ-UzLy(a0O2<S1vSV%9NKiOZm*rb03Y4)-n<Uz
zAx%Re6&-x8YX2)Ahw&Q227ApVTcx0?Pp&L}?Pgv+t?^(jB}xO=D_N>OQ;zY@m(y(Z
z6H;{5B3~cH00nwP2m!k!5E6RJF4BYyjUXoRoCBd_e9A#Q!#P-{UFD{u(*4#$9}Et}
zq@I=A3QxKj{n|poqHzV;e~JiD2zl=xEO)kB5mE!IbCbfIlhgi!Ab11D$)t||hmMk@
z<(brc(e2q<6<bjRqVAj31j~Z?b3g|r3@f4p;l~TJyD?24Z;XOAF%)SeuXNET(Ci*3
zM61(k)v$D~AVH`qSxVme{w2u*BtgJ}^wJ@0ZKBsiwAc*t;=aC3&1bdUo11mDpLaV`
z8%PApl&k=A88qX53BoUCVevN^`y;JzKb4pHLsUbb>2>BNX@Po_X$1l3W7!RHZqaV9
zo`D5<1oBLM<$@swO`x6zvE?M0G?9i6^%tQ9;{|ii`#p@`o}s;<>e=Y<ILK}jFjNZp
z$Hnh9N3?-Qmn9>=!G>aU4JeZP@H^F2@}*LFulHLi$BgWGxmpS-;MMnB+Obv6Cov{4
z^t8-{dTH-hLdg{nLi$^oZ8^)D#A(gU%i&D4_zD4-qV$ZRR-)YB&(*>7&B$IB_&wVY
zFh~*nJ=dotyi4{<Msws6-eB5(VL@p-Q01OH)8f4N61faWG%9taT0pNH>3#$ol%dNb
zEh{~sN4=%$Z8uxesKAZrMg>=tudyCs5pGdaEc-Ko*;qEyzl7vBv-uMiI;A6R9{axZ
zcS(PxA~`fX3i?GQ;6t<og-Ei)A0_Zz6oEZ-)oQpReznPE%sT8IEL^OApe=BH?2~De
z{i0a~_;A6DyoHtc0Ps^`l<COu?yE@3S6~knoqRX&c2wa2P%IKaz284#rMA;+{BP)M
zgl>tql>gUx(Em4Pb*Rt#ea1(<t0<OUmA^QE^ppSnCs$}6+%!@sQ8Fv92J<!IugF=b
zv~gq9&_gHBth9d*2iQOM5YT<=M{zX~|I)(5kA7~Ex?XMVb)}KWtv+Sf`9lViE?|2t
z7RF1~*09!Fb3!IDCPxCQpJ*6NZK6PQBw_y^;w=&u{cCxgS(n-zOQs@0)xGNj3L3-q
zP~K#*g{8kpRFCSDc9u8G7x(ZSs-BJ64qk+<7(#9*NqZ9BBKqIC?LU08>Vo&<_AK=a
zrdL+}PLF*fg}guhjvHVD>{7Y^V9|Aac82!P1$fGNl5R&XQ2qHrpy4qo!dm|Bs?qNl
z{BIC=!2kD)!_P2+96EOF>>vL{RHO?40bh}y2mblu6O@R($g8bZ`}+)`FoCLB?#~xq
zt`q|311huq{eKzz^9MY*zG%ce&+}D^qoLMfU@LkKRG_uM`_b=EUws=F9{zM=V?(j(
z{i0^dN6dd{{$E^wv8S<j$ub9&mUKF3$ISvVcx%9?^@64P^J_0%B(Ti1OFM#>#C+9l
zzOPnmUkDgc3Zu0Zk>4{COy_Qjg*eigEGgV!hHJnhN`ervl*eH<K?`Mgp{S>5zP0=B
zgQ%lf2qZ1YX!5w|)#+=jO9h6iNKgtE!U3iyT%AsbzZd5yPr4|04&^HW*BP()0l?E$
zL<JVXa}X8NPkKuWR0bjwR;2z8dBJ@|w3e;O;ux@&y8Ggo3vuznIuhX^g>Q;fij$%6
z2P!MSxY_d{3F}=-{Cf*d&p+*x@|aJtK<W4_z$!A?Z>y>Sd3_>>l@RpBGf>hK^u1_L
z6!zKwz42otxd8Avk}ir=wg*BwJ@BUmtaI4^sbiq;7YVfZ?3X}VGXZ<cq~C!IC3%mx
zCgp%<j0z|)%K;pwTPlgi)I*s9taH@wy}XR~HPyk*BAUl1um=SdaSa1T{aqLY{?81!
zXNg44g8(j43ou}&Vjipy;4Ppa7x;Z70c(CgLI2RXFP4$X>Cj*po7@5z17Z^+BmX{D
z@-XOi0c<5A{z0Ws9XmVwDd_B8cnI2Re{hRV@B@US6fn<adEDJnnt+ZOOzb(!s(;Sz
zMUExmh<*ztJ_3phckKb!pDyUs;)}?bH69TF*w;84aqA@zy?cQht*@x@a=bVb%$ab)
z4!*z7n-~WiLpcH1yt={g_A|ZpQbyxDPyN!l172vQYg44NW;>3MRCU%2Pa*-}odJl@
zisdH5nmVvlzhEg8n@SXTQhD!Jm`@w*FEk&5?Nbs!sgN!J@cP@TQ3%+;3tvR_@}eS1
zT@Qc0`XZm^y*>zFfdq)L`pz#Ck)i1J7sO=*eS%t?w=C;VqIvGFkBnIT0sGetMrj3j
zqocv_w`o#R395>F+lf?}O%^dZ?9RmMAW{7d5)#4CRkU|{a*qITaS_MIw$#AuRm_>q
z&ktnSalqgOCL`7K(WWF0mttY$>EUL#!w+pN?!RO5Q@zPXkYmyzsvpsQ`}<SCG<*V&
zPZHqivL70mpkWD<$q=bhP592h_MbW(=_i)^7ht<bumr^>=`X@w_aA=Ud0wak*wu>6
ztSrM?`v05&40;1nOZO<NCiUOA#RH(?!Pv^o-+@U6K*^=Ttcu~^hXdo~2>RqLf9b9M
zyMlRW1kg|4O}>Zx{ksD!QiM*W7@ObQ8;EF*${<SqC|Yd!yF8bu1<*rt=+=J21~35o
z1t7YWX|;ZM`sc3Nlt98Er!^4rCn_$efi2g#)(`0q!a@(o0l_r6CXwLJAU2f&)HP_2
zg8Pe9gZ?qP9DpS}cAV^gZrIZp+;H*^KHYx?KN-Y#$4zUCKR0}D@X<9teN8~Flis-;
Rcn=`VD^XdIA|YMx{{sivUWfny

literal 0
HcmV?d00001

diff --git a/public/img/docs/references/example_orderings.png b/public/img/docs/references/example_orderings.png
new file mode 100644
index 0000000000000000000000000000000000000000..f2f62a6adedfa055df2a25330bb8ba6d47ba1e51
GIT binary patch
literal 34582
zcmd42g<n;{(?3p1mw?ozLFp3V(kZQUNl1qXT)Mjvu7F5LODUjqhjce0jkI*P2;aSa
z^7%c_AMoSF<sQ!2o!y<8-I;mMoG7*D@_5*k*hol7c!~<L8c0Z}5F{jIZ_In(&bueZ
zR!B&=61FljYKk&4bZX9yR<^G#k&qOk-s@uMY4$zHG)Rb(v<Xtn3tdD*-oj)GeehWW
zor)fdP$@Df+e}^-eTs|CL`L^1i4hK+-P2vJ=x8G{SuLF(UBO0P?@$`{*?*=Tq>0@9
z`860YoG#*WK#j!z+_`H7qD35Ns2;>5z#qpeE)*u^jlvR$%^%1PTRuMSDoIJfL>f^0
zeQ|vLP|{-0O+NL9#P2)1u@#(SFC;o%!os5yuX;jS6r|FPC}wmdLd&MEDwJ~E4s2H@
z9?3|u0a!SS?f~oq%0cp6XHNya1G?nX*n#&JNZJ0R$1&2z_r9wgL`>^<l0_qpnn><u
zrKR;mKuOIEY#77!3J%_%XFTuz$v+YPq<%iev?S$C(<d~nlP;loiaTrJTaUh>c>Jrf
zaBWV_`w!UD9uLm#?KZ(EbVBM>6CaS`l?!wpg!$Hsb+RyPQYK}W$;WzLy-s;788MwY
zf`=V3jk!Xo{#+|GK~<S797Y$;j+Vj2vD7J3LU3dz<qu0Aw|c|Gt+Rz=uaI1(uXHP_
z%W%Pda;Eknqg7-3TR#ab@jAs@-OBfVCrKnHPFR#WVX@3^Viq;o*D4Cl#6CD>MZAK!
z<&l9jgq<+#9@}YoyQ`u?$#@HgV1P}_bdn1FBc&(;5{vE#*5i=s<GSO^Wy7*!6e4z0
z1^GA$aWfk(Un#XRv;FDEK`ivoKc5&I5|S5_ztQXz;#KmQH;f}@TOFczAK;GBgm)3+
zECp+Au5PUar+7Y1_f&u2@j8Zq#uq&j=`|r5xg@q7WiP6}<n)iJX^aCBG5SCpCOTBi
zz}y51%6O&&qBc7S3rc`A6Vg@3D$05@iW=q>cSp&}Hs<(xbJ#J_%o0{-Jso7N)#tNs
zqRq4cgC{P<vP6@M>3W-|i^==5J0JhZKiy??#5opuGBgyFGD)2#W`w*k<kD3gcuoQH
zWN!m?AC`QrBik3_f9rT2`Y6=BolzPi=N-&Cx=im_CNVyncsqi{CH~xx3ugCe3y!hk
zuSU(b>N-ydU2zyCz#$0CT%aG&>E;~3Ud7n^Hnh}Om{Y|l@=m>iCRMTKk5gVlbHnel
zXpX6$zvPMRW??Ne9byvK)&a?W;;%absyZK-W0bp0v+km}lh~o*?xOt&HR^`<9Ug9b
zbG$T?Su|TevXG%(mbk$a)7O7^lChKSlOe%=jg2;8d0^8zOgs{Y`Irxfoa6E-ArF)x
zb3!4!xU!fXsp8<x%Gucmt~&?1(>FisRs@kQk1#MW-ukaHEE!8w5jxyG`Uy>2J$#ab
z(R$^asipC02{sdk^z%L?tdIhU*aZ3Yvaewf#v!^2A#QiD4Ix27n+3VwL&IP9dGH2N
zPNY~_FxXpPs9_0&*qe||<KPF%!AR0ktlOAjq^^NJu(Q*^U)i)x=vjnl^z>Sx;pB7$
zk)$hubqvOl68B?d>B<%O5~3~W7-XXdr616(_p;^PpNam?@QqGBPO}$1kGej@mA<)`
zeT^|X=hY|tS1~VgbJe&L!@_fqHktTQGol~lFmLj?ioFQgm!cZg++?mo-ILAAMI~?5
z;uW?E7cw&@r+U+^QRb==Jk-`-hFx;6xaY&NOAFl1%x@YaJ#qqeZy!?^MxGgXa`^cY
z;>&6rb<j?AsB<H{7<RGx5=$$Xs4ZwoW{I$ym=ALTGd~o&9lzbQouV$;8`CjLmLbDN
z<}}oYH#OyHx}u@dyu!S^sN(BK?!*`hObN(+L2L5S51kaz^EAfqjnj-{jX%*K*lLb0
zivAp3tQ4sf9j%bBmoIHu+wb(=j!jitJpM_ajs>kVf2wMxl=1V$=ME2F(qF_$s8_KF
zkVq(rGQZ)=s>sw(6_Tk}_4-m&^y=&O7vbmHpM+K2nz#KYPl}9+XunrY?oLj>BA(29
zHSpcNC_}3;_xyuW{tM02?<B8~-6*P)ygyvWT^nZ<?B@-u|0*8QF4b^U`&Mu(9a3VN
z-!`67qMoOo<D|A4EtmCBf8xcvFMX5gx%&BDvL{I!fe)SyJY|2uu50)Chr<_~7b8`Q
zvp;6rW_|bW@7d25RyW#`4+VD@9NFO5%-LGohzZM5Q&Gd8Cq1tpHqH>p@HetI5?qj7
z*lN&j=y4U<B47A0obzimd4gcnaa>}XVyFBR&0G0&`|Rsh^8{_q$ak{M<gJ5=gV8&i
zRvt`&UI9JZQJce7LcuCQh&6Nw_HLP?qlHMA(O3RZE-@C$v+|Ybm4zdT9sh()+L&c7
zvN`dpntA!rz14|szlW~G1&T?1l<!s_HW%<~259DNQBDvS1n{_0aLD1Ci{-u_bF{K}
zVD<3H+^Zi}=Y8|tqHRsnzFAkOIMHFrPaC=@-#mEZudF$sFrc60mgMoJSI1Z<RcEJU
zSiiZlru=z@vBiSTpFz2w;pUnan$|8qlU`Aoh)mXWpNCVA4G(b5Ipi*A`+Q$q5T9u2
zzl}!SURtJeo!%T3Pv9B%$+NK->NSABf^+mp_XziJJ!;Sl)hyS{op__3l&c~41>)xL
zUDw*<7v$I8@P%QOQFjALBY$I)bG65My-xii`7>&2KJWd_f-&v|$UK@u+Pp*K#605y
zS$%C?z|rApoac9+Q|}kv1>QP7i^t<f(MK<~-4@f9s5ix?et){ape4vc$wCzmxDvj$
z`n`YdC(vybV={QoyWqd!Z}{ztf5t8Doz@-aZ3eOx@_gWjKzS9MhgtO@SBaKA{bqZn
z&6uwEiD)$VzCGurBUV|s?ZMI^{lT-r)gi>e>>;$_DG?T--@{HL8X|^q#VF)3aR>}3
z+~1fFE<3#v`eQEEGfXo_`Sk$}nK8vJOS`!A{V_<C96Z*L+DoFJO^IZZ9PgvhSaB|G
z=X9q^?3EkD$#Af)$Vt`A$jrJc^G$Bov#2@h3juK+f3KTnv^g|eY2}Y{E1jLQogRu(
zip2@SJ#Q%`d~WhBIxI|`HL+Qlc`fDpTSJ$y>>iz}xMt}IA8jzDDNZ~xN_h<xvOX?n
zrPQp`#4ot7@lL~|(0@bD#jXz3Hoa=Q%AY2!7JiXFvR1l$fqjEkjHWvAXIwX5V&HH<
zFJml?B2GVk=8**sdl+|Rdxd~?^8kE!F;y((U1BA-F0<g1i%127M9x=3kNeUxr?}h+
zlcPlnuT_jhs$bscnu&kArrPhwHX0;xoSa`X9yb0}`mVjG{bJ&NA$9uKCr12#j&Xle
zC|ikgVzXX*JrsW@SZSFwQ*u?=U{z`5m=Q9lm^Q&TW#-T~pXrrz;yzS3IFfm1Q0{V6
zv?7R;@PI#=Jb93P%b2{O?5kF@mWH=o{K3beH%DFVUG~ay+%sisb`;-s&FWpeo?iXR
zZ^|bNaK5trqZ%?Wo?Oj&q1R%I?i6OzHS`{t-Q&yn3+<{RAGfvb@Fy`(EbSIcGAhoc
z!wkAM+!Ec!-7<C<e+b%_&6k;V{OTX<hZnUL`Ay1ADi{5<Uvq4#iK_qXUwO1~JVaZI
zSv$W-*-)L+-B4gg<z%p2^JtE^HtYAy&aYYOaFKow-x=1~nR<42UAr&V_IqIW4D5^w
z+Zr8YM)`c*$D5tgI?(&(M(g+T%D?Po!`<7L8UgiQbT^U%Ql%kh5heKAv<1{$c9N7<
z{HKCe0`3CLg4MJXK6&{wwO5Cw&%f=9zH+bHPT4PC?_upxh7)A62=l@;d@ByLx<BtH
zv2tEKe=Fga>t<*-mwNd4*GPD}m>=A2ztij6i9GkEA=G(n$844PtukKn0ypjL(4X24
zdm4K@UC~m0qqCOTdGUfjm(_uGg<mm@Bz!_#RyE|c<bMx^rqwz=Ynt>*3-~>gkuJi0
z@L=(etK*_y`=1Jo4+Ly9lwu`U3;P#-88jI^4Z#gu645@crD;=tZk%pcN5q&_KdG{1
zeh~lSw{g8|<EU^jDe>@T?8NZqM)T!X){6k0Z)JW?o7@{OlYjSITr?#%L42!EtJ`)m
z9OoCSa655DebauQPc&9s+&l2_JG_SNn~(PtW)=87^fSKe+E+fAIxM}waKXUnGQ`ro
zWe;qNE+|AjeDw(Fy9JWXp|4zOHuSC!=OeVTpXgFm&q*$ki~wodl<{}0brzb5M9Ghn
zYyo1V8E#)u;_O^`f~lO!4>yLa?6RKt)9r~l_<pydhcfEvLf_u}?s?Fwwb1%@?;BE;
zrT2<k6l4!X6w#J?idN5_A+dpLOe8d9N+fh}g$zF8$W;HnmP2MiLj8Lm1qms_776X2
zZJvW~#7`XfAo~2{8#N&u2?P9hAACHsQU28$6_SnmuWMv)@C->xQ$|q{d~2FJTUt7}
z*f_c_-nf*28(1&}eHSF82h4~MvZ4mlA)x=mR!h%S@0p6QxuZRosfDANC6}i?3_%A;
z)KeH-+FQDs(s|myc5o5)6l3_?LKs{lZgVrx{cYlEC&r-nOpQ*)(b<wtfQyHVhd~^h
zj*d>$*}_U#Lssse-NAoi3^uN=Fkx<P4-XG6kH=h&&eq(#LPA2^Jbc`Ie4L;Kr;C?^
ztEnfagA3z7i2RF=tfh;&vn|Zk*3p3uLD$sG(alwifdMhlzkmKQPfJhR|BU3|^3P>~
z1#%;vaPxBUaQ~Y&=qif1E39VgY57`T*47^I42&WESP&}uxBdTm@}Cj^tEb+7dI|~&
z{CCg)dh-A6sqJFvEaPYohIAGGkGTHX`M)3jv!f_CV&(tEiGQ&9?_I!WacoiUf6Gi9
zJIO6h6NnLFE32vnzJZec{b>e&S-=PJ4L+hyrILjpAQlx<l$Fx*MBdH7nEvto&+RvE
zDs`zO8&X1SzQo}6d~LN*9d)M=Eqiq2FLU3%7fFzPT#+U+sI94v#KFkc+mV*~OiV;#
zsI5k1iOEtib=NFId@Smi@W?CSo!h>PQQX?v;E3RekMpmRXwLV~Hx&ZW{>QH*au7B)
zKDt&a6ILA3fBgnZ1qO!@p#0Yz@HCJQg#^++%4d3?4*9=-vGK)GnIuvE`?nuc4aOof
z5UTh;$76wB;{K0ukg!-7CEIdvIf)<s50dw@mzEy?Pm)a8F-YhUd{rtb|8ogoq9gx3
z_5YtwRO|lb+B;Q?A0_(Z4Q_T@v(@aWfFt1U>4fTf2!Z&g_K&s`1<t+n5n4xu7+9Nf
zOO+$y?@}LID;4W}$up>RXwc3&V@Cdo#sc-tHER_m4qU3+_+V!-U1mxG@e<(Qc@Ww9
z?e>hDLeRnRJ#=rbHkrM&sUliJOhHl*g%G0q(y!Xkb2*Fz(m;`Qh9?^s%t**}Z<rk!
z8{YIH=?q&2+`tv<o(uxK#@Df;&ZU!VBSL>#5bp(KpDIYto*f9DpnOu{(*-kdwtTK5
zM~{q+9|lWxbq6xH=+WV@^#xB>%!kq|6ald`ck|Dyj{p$~myHx@K!lYa`%NMgjMw?B
z6(uhn30=M)uX80o99+CoX$xjTbW*$?6!`+EjK88tV&_C$m|-O`?jbH5=##h~05at!
zRu3tF?!@zkl-HFLXD>xk3q2lW0d!+1;a%_~K(0zO^@TW?)LI9;Bup6e*`DTG_a(|+
z>P;5YPvgT<gC%0Y$DE&m0jD-B*BKB?MV5V-gANwNIXI}4#30$G9!+?#qYxM@BVSxO
zECq<6<#d$^gW*PJu1gx91_pOXw-Mhj0}u3AJf%_KV2Y6P(RXM?gxO1<f<tM9fhLcR
zZI`&Pg7Nb)k6QLY3)cV?y?}4v;wHhY&JYmmt@hHd|JQ`7=)sPN{j5J02U<v@Se*I-
zTD=j}`fqH&lw}9reO`YHR(JclpYk)JX*j#)5IJJq6fs?~Vc-czN~&TwXlgO-$>CiB
zh?sQ^4UQ{;WqwIAtxsSAOk?uf$Up}((l5I|ka7=P*p{IT#Qj?;aexYTY&%1KG`J`l
zY-`U;0T<D+9Ur^o0U7ZhgRCNeZiP8}5<dm#-3PP&I)e~~SXy}}Hed!zU_aAiRnYY0
zp#?e#SfLtjO5ZPpj2%?^qC>&7iNa}CH{OFA#+(D*PXQwt*%DM99RRAw4yHdw$bbx9
zrjRQ<2Gl=Lq)+0hfEGM_a-)er{R+aZt8u^rNsgCDv4B2eWTD<ad??wrJQU%f*vdrM
zxCC}Xh*q)Avm)J6hom6+`wHojAJBRl+;;NZ_hzFWn<6XFJqr%8$H?m8zpwCa$z(3R
z`%$PR9~KKK#GvMNypYRA?@sAAE*vth#C+xCepQJ-7MSqvSgL_xkpqs#y_z(L_h!y`
zm91u_N;%C-pS>q-0}l<;1nl!X4i?d`R^Rp|vTEXf^FG_|qrE+h2>z}9vgxRsiqC$Q
zf5x^jW38leI9k}N;FmNVYunN4TM5eZ+rtim^$1#j9)Cv9^7cw_JUm|Y7^`=&7CLN2
zjr|#`eDvPy?&f5K&tV?Q{^#9uVa4sKQb(iJwRm|NUjHem#N|>*zTfY2Xl&<DnxJaS
z^)~y}e&d0~*vF?D#X6ibmdQpIQ$`+7{7dnu1Y($IAFil?vD<1oW@wCCUW+tserilk
z1bkSw*Q}vl^i8NMmW5@Pd){9CS`Q;Lj$>9%N-QDs7V$par0=2jNawd5&$GB>L7n$G
zXy$X<)?!p_`kvu3EQH=C!?ECZu@Fux+nV9As1K9q$7zDyUX27KRohKbn(fxiIlSTX
zDp;4Ib7(u-tNq!3d9=Fz=i+Dbvory(#Me8Vkpws5D-UQc6+o|F2J2K}-c|IW9B=#I
z;c(TpUS|+c3u^(kT7EP7A%u1>bTEeEvEizWFT`b#cf8i|<!AlM0z2p;OP1t35U;#f
zjoF+!O)ZOA7bkSu-P0h}K0+{y=|GMPIvNs`?Ce|a=KSQ<cOK)i(K3=oVYltx_2ida
zUkqxwTJm>=IfKp5wkMqz+@|_&u1;bbK3+rw%cRZ}GeHWMQpEilM1f?2_Z=TaBwL?4
zLxnKm;Gi~OV`EEqkl#-ZUGh8`5?ue<xL?H3sb*dHjf&7**Vrq6jGbHvX^1#R6IQmz
za$stXnBFI|F4q4{FYiE(4a)O+`+BD|*>WIB|Eyil6<2e6wz`;C6s;MJO3;D7C2}P~
z*mj)B{8K1}>F>Q-L1P;CpMD+_%3Hj6!KirMc!KkEFMW@~v~{uZah`HKa>9ZG)zZuK
z*{=^4u6{MCgfDRevt4YeAM3zaj@>^#_;zP(?02Ru#b|zj-gaQy8%K|B`>7$)0A@1%
z{qE1tJBnuCPsF$W+17=ch0nWr*iLUb^~xkOy*4OP#e8bC_nI#j4Y-<5$EQP6-a8Ge
zuH1*b7U}nin|4p^;q2FQ!omkSrDHy~JoE_9gOM0QNOajBdGw>8gNJp{D=-q~k|yXV
z5T3Mz-tLM=$scFn*sQ(%<BOd)tH?u6sMT;fYryZhpV+dLY|3ppgKKcC9(w4a|8M*H
zKj(8_ZjKsT30q$N+15?Un!sv^l!rs~4`b4OkNdjS7zz*7uYu?f1v^O=FGXNyle&$=
z2j1s1*6U;PwADo-uq8>M-Lj4nyUfr>gb_gf)iX2xPI_C<2@^~@|4VmGE`M&GjO;@w
z&!YG7TAz;JA*uV}Qd`S6s99u`kPuZ=x^q9PGuVbNwmu6hD#1z&>ovOJ)ONnj?nPAS
z5yYf!{zd2*-ha62*Y4|Azk078MeRN<#nrgWXFK*WtW;^a_%@P=vE))@zb^OYtTaGd
z+=KpkTM$i#X-BxeD36E5-JgrvuWwX&ny|$}X#Gy(or>+}YQiO1@q2cTu{!C2;-FO$
z%)w2Xv?6p6TAo-#HwPb&87E}8-xkDOMrPz1|D=Ty@9uE9!|x4VU~7t-invj^Sy)@X
zdafLw)gbx$z^{k&P@dt#th<}S>Iwq3m`QhG_g$Nk%`iJ`e6`4t&krCeQ=vKP1s#X9
zxWw2iw|@=-s2C<=LQJ*0ii=V&J_>iULV0|5Z+{;MM#C5J23J|u%a&06J7DDgXBXe@
z#72K+Xl(8HzpMrvCfda^pCgLVh2&`C{N->jg2Viwk+Lw+qfTNz({{9C@s!Kh<X_ni
zE1gl@hisi4h6KKQrynHYPJ3!K<ac(r9b^_9tkIW1oeNzzN84OfLzvJoy#09|EV!op
zbnd3G?gc7j*~HV972J_WJffbz6!@jQvs_5A$*9rYc~V;!{VVyn(8at9`f5#i#T+sQ
zM9q220`uNUZ4jeQWt-a5)3~MD>M3I%ZT*cO#$`}+44sgUA{dN?%sWu2{_ghT8#>2P
zJi}+^8s+y--dy}$NLwa$4RxDm7txD+#4$P&{95G3Nl93XDR{LVhr8;b|3P^VO}FQX
zGh6tRJ6<kQZVTgqRkOvOH{2~O<Q>hvSI#3Phh~$dFD0&q9Q{|xxfI)ijMIsqL#4dW
zcWo2*z{ymw1glE$R(&6gy0bd>?MJR4EX(hlwOFIlYKZUrW1wDZMVZ4sa3Kks22DAg
zxg$u+%VIb;LZO_TRE0~egsdt_J&u&cGgtahlxDdNjY&e&&1G0o1R3h0%cJZU;6Q>|
zAGr3AfW4c($+TLi0qz`H19NZ-Wu|7UT583?^X6Ca_^vLGC4iy1&U3oW9dPyL*Y(YF
zuPpEF&*O!vS!}flgb?!QAw&2C!kcufUHu#+=n;wxx4BAfP6M2^<iG8+bv#+S%jipF
z^ZQMa!+U6aIMj|eEh|T|co=(Fp@X6!kUf`gFKS-fmL!ldiFbGttNlG1D?J(pYC58n
zD*V~dG3M~yYAok+;9m^-bI>um6U~l`wzyg@&Dw^0i{_QNo0;w|dn8KME*3mqnp;xt
z>cJOrRX%kb+mtpPM=$LJ);maahnk0FuassfV&b2U0zYA>D8x&;%`_qM?vn;ATOPF|
zb!qgm(_ZxyTQS|k<W)f%VHKqwd8EPOc1M#x*Js@c-w&EEGRs9v{cL{53NG4k4B2&e
z@eT!}cCePK7t~wuc=H~ir*H|QAZ80+ayOeJN>AM;|2y|5Kg{QH!tFk5$>6|O?qQ`(
zn%)LsV;lw2(mkYX&xu$Xd_3Yh)Gr>78N_o-y}G!^h1F&{^3(r$n`t4@LA_F2P~U>x
zj}l(CwW>6~#3$7O)opQ1C9l_iqy<ykmH$FdVh-yVW!oij@USI?TpGZD6~YNmX_IRG
z={oW3_|40kc4Obn2qv|giv^Xhz+vd-+uU#y>RG9paZi+SvV+u6uUFzwX(E)E=!dZO
zYUSRiekQK0(coN9MVY3<*R>1oO8sw>ahkMRa|%(+Yn#t6TSLP78m8MG;GZxbj_k8Q
zcll4nbeVyPHM!e{oBEM27Pgz>lgK{t=3P2G`=*@Cm8qXIMPS#|A=E5epbazmde68*
z#iNr*zV{&D&gUedClZt74a#HvLhG)kUl+YK9o(PCmsy}nk2Of8--CJObep{v`3^gK
z_sXWtX+-Rzx5{>+q^XR`>gm%kH|lk)aHZv*X3rzD)#5K%e!^u=<SVW8qURT7BG~vM
zczz?=Snw6HbKrF?>UBz@+hW3jw@3bspkx95OfVySf9Ayh=BUSVJWnw^c_NsgYn>Lj
zApCYe1~Ws;)6Wu^m2o9b<FX57^L@5I7oy#%L@b+4pJJVuZ+>LXMr@hLVI304SUK*8
z1hzKyo7!Z1d9?v8ypft*ws%lJX&kuIYBv@o^Tg-fWuB8mpU&eP@??1a<K^@gE=|~F
ze(C|N2u(iy<>%lRm@=Oa-&6edX?^0jIDgqZJ;Ca5nm_{CEDx1z&-0ux-Ty(VYiK(7
zlkbmb3_MT?ICG4`BI+>N9zGkTA~c|P*-0>hk(!Q-XXzf&IQY9<@Z<**pCJ);8|uED
z9ie25gL^y|>z6BUxMP^5c>9K3BdFa|a3RpqCVn^x1RYw{ti}vQI<1;`UU|NxCKk~#
z6iBWU`7`3m@%H9QZX~N-5Oc+JI6}x`Oyv=0FzO2C%g(!#th<z_#L;*-VHL#h5gwSU
zRqj$G+;TKg3kyFH{I6#BPhRBt0$!}RedG<rl7VQ6sCaf6Lp;?(dt06B^C9T+tkTzu
zx~$M$AH2(jQLYl^vKLgw(q*(gf<JvV%f|8yW`TBZer`JZVXzJ)SrdIb@bY#%CAXpj
zUqsJeG%E9-{P6iFKmP8+>>n(+Kn`*8<GSG7Xi1#)K<lP~=!I7rUYt$6R9@|lHF}h3
zUQPS@<2f*82Fi=V>tRkC(}wovyEDQ0(m(~%6~+kAw6O7;I7U)<JCI_HS`HcyS}J}~
zEfKJ|<Md4V)z)i}yPpC--QZnM21g8;n+nTIVDz<X__6U%%d)4?X~|V0^2<g<4n#*{
z35Lo<!x{f74W>1f&ugHbv7RH^*uX5V&n4K)U+rpj;c`ONcuHbI6pLV{ElXx%e}I!M
z&vQkZ=DGLn?iS(lG8)}PeB~YNOA+z-x*n0t6(h!dtNYF0k8#j#%E&sbaH*{9C@&K5
zL%m7VCB;~Bu$ElJy@b~qnH@dDb0w-`fU8ljnnJ?ANhKXR*3hl^?%}hTpTy^DJOPgm
zI~;#)6=o$p%JLn@%o1n|id~kArDSH;DJk0y!F$ZhG5+keKC;(+EM#Dl&@JYOqEcfP
zRZ3b=BP_Rgt5UgW{&D^tzXmp5)S<}yDFd{Oh*n@Nq{F#-8j~>X5Z#UZHmLgSnQjwX
zh~HD{(5)X|(o8a5l{S^(2-Ao|n@Vsg`Fo*)cdHQmccF{&?}Jx+Xaf>~pFOu7k5d`S
zu4CSQ!vx(e4O$d;$%-YAxKVScTfR3CH~kJp44II^VOZQr@L4b_Eh(MApwL4?ay?W0
z-OUxozs4@IJ85@0GTdC~^CyJK3pNO~mxoz7bpc1jgmpNcQT~Oc`>f<(!<JJpDXa{Y
z50Z4!NrN0q`J}>Zx=SVkpBil{zs1#z7XQWuXa+~3C@TXHC0()I*ZOYqnlP8hV*`i!
zu1&Aj>X#Rjx-TiH&Qh1(1X#NtArS@pz2XTS7+79Ka`z4I;Nfgsig<bdUAM&Djf)J_
z^!<an*=jqgm+icX(OkwTMF<mOv#Z!fgxBM&q0S0bqX8!QOM6X+L@|@J90ODhhU?bu
ziv^7gT<(a#_#o<V7ZSzKbBEFxorZ5d1wvQX9d=#;)egQ|<FB4Eu!F_sSQ;W9$T@7<
zcGKtU3s|;#``4d(>Uj7kk8V#3CEm|J>ZroZ3^;W#dCxi_wPt>RJ28VU<bB7pJUU<+
z$q>$C7Ayn_w=x|pTL8XwSr&%7guLH!S=441*-OZ#V^s5vD1p3W^^)Y)w0meJk=fjw
zD*k8ek;e+yh^62M`~dFJTg`+V24aXOQTrR@4bxWiD>kg0;ALVf!`Dl0z&}$2p)`lU
z<!scl<_6B(f&Ybw(Di2Sm)~8FHYZz?k$>aNN?}klS!a4#NvUDOQ6RI%pB_Mve1OFt
z0AafW@BVy!WqQEv)sHxq9l0^AaMD<c$8uIfA1oJwOxm8WxLeaYOn%mURDU|IyjP1e
zTyDtkP59IA!f1f@M0m;C!wDPz=9a#H(9h-21BsysIF08FN1}2le`A7WJf$|GOw)Q+
zFeD4v9KPcYaFaIPB{jxl;cNAZBa=>TZf%a`MnL>8mxHm2yYQn=f#+8l?wWGJi;H~}
zP2GZ-hJwN^KlL)8`FpW$DKv$5>t@!j^hpwG_0M_7Z+~Kp;`jVXAnugcnIO>NxuW16
z9Z2S`l{9}+&G=SSqrv0AA<}h6ZXK)h2^#hW*UaitZ77Yb%YHZoMw-L(RKBjd67}40
zq5`*_9~<^Nk*;HbrurI<9sSyuV$(+H!K=WreXMiHchbW^knhbqRJKtLLXGaYCnq0z
zU}!6Z5ElA5IL!Uy5@rv#$}SWb5`0IT@_#N78(#~%5lKdtL<D!Lb%4|uv+Uz!dl(LS
za7PO-?aJxF&zEoz$gFI3yE(05j0G`!8t8nr2`k@LAR`Vhc%Jd<%j*zk_oH#Nh(A(g
z(s2vwe|3;1VhPDe^i9gNJ+}2bXy!|mS%=xG&%A@!-w19VM?6SfKKvb&vIuY!74DtL
zzBSL5p-gGa`zjUPzK=rXOKBgdwbEMe4k26L`7NQg0smL;u$?A(DG;-ru&nD1nZX(B
zFElZx^UN{lag%g=wCKBy4<2RGl-}Pzx`HURP_a#2ys?aT6)c=_4&Pe2d=IvfAosHu
z9fM5>;5A;GIT0~WZvW^|a%%wB?_H*tPlH@rNLY@p-cV6uM;sSNR#a3Oc_w-UJ!Oi5
z-OI`7;9L?#vHc!qs3h@#xOs(u&imsXx_f0R{NeYdZ5oAYlLZP7H>JpVOajY;lZ2$G
zxc{WwnKsm+$vcT#-AcVBfk;JpMZDF7WitU>W^dU&Ik+P>#`~@g4dYdNO>U9cjJuX)
zf(|WnFzWlRx|6MmLaN3f^T!f`5!|KZ&S9i^uO^Gu9}FJ%Oc~%(c>y0~tuV{K;%10A
zFCs@X<>y$o6lyNU`rCk;TxNed>BEnf!q|wzwFe43b;{!B&A=h(KCl2wE%0a~lF3Cx
zg1fb*S#-vPpEglkKGOJKnii9F_*1<ri(dqaZTAe?6Rkh3K>XFS!t03ErGzOWQ>n3W
zDHtbaQRxy7z%^ywI%>L2OzxwXR-RxeS^l0nbPT1T8pgUk7HII}H*9k0!5tir=fEt;
zX|vzx>dw1Q-BHZp-<9;^eO7@@<DhB77vg!>u;g*iS_#>2I&jp496G}Bx)0v~;9`-G
z#uKYOE)if!E$M6I@-8UAsV5fFdD9NTyAe1f==e1HCg>*yT#rHclZ+!>I0x5@s@~1$
z2*RF&j+Q~!QGN<z2}BnW%NlBTN>NqDASSekz99Pu#o!(e!pNsE3uLr`Pl7>A=n;!+
z`oH;!6<)ydQt<}lQ0U_Fma@?m=#&vis0C+|HU+>eEp1X^|HfW95ZG(mpo+630537*
zEJ)h{5{fwz$GY|}0Qadfc=94sg%g1WAKMxH;6MUME>an}78L+KXH!0qa=rr?Y3dUB
zGZDm%)O1pJfJ!gRhWR%jK<GbMCV!LxqRsL&@<P!Bp!oRWSWIdFLJxV1jHSg4@ay+j
zehRJ60Z#oq<QLNt;vxg@zy{#{GK}VxMJ)hDy_D+;{D6R|zaN&kn}AV*;(4WMz=O51
zq7qF#aKjXf&wmkdW1+p|r52d!M}|IEJ_K$)v0=VU3dUDMOX}PB7re^?px7L8o_8bn
zz*=5UN9D&PgEcfYr5c<AXxL)Jio=Ny5J^}bHq?{@L@e)_I%$A}6C<gW3B3ja=<Vt@
z9n(Ny!rB`qrU_ud@g!awX;xq=wl(+zN&g0{{{>-x0%?Q@=gvX85I~pDhW~+(4rp7x
zVr4}E<`QqZnzNafH2CC|TC-wA%oNkiiYAO{AgjI*!CT?I`%gblyUR+chXylJ!c~~>
z5H!rp`SGd5z1rFK3i1uY!q-hjJ}-I}Uw+c@Dp{<{Rg0Nks!P{^)dl9%{s7G@9Q|vk
zU)d|P<s@-yju3!lC(e%FT%*M=GjrWM_-57UFE{#P@AvQ6kJ?ad{4aw;{nr46UnbUy
z4ldt|oFXTI935LZ%m8`COV53|yNv2zjCu6_J?=_KdoCe2x;#CBaXb=&cRNBLEc@0B
z@+;QEkV-_V<f*&ng5Gp-KMjEh9uYQNnx=^X8IdpOc4@6)6aw)8Q%|Ol^&7BI>|INE
zd92x{*64OwtvNd{HauGuzheiXn+rNtbMZ}nKqj@w%5ivrcUW_*!`zw<+FeX1!eZf#
z3qRVkf@N?XS0*3>JwQWyU=FLH=50UkjSlWW#dnMkj0FO~lbbJ;qKe_fo27g@KV4C(
ztu;YFL&`4x_=Y{nQS8U%s|wQL5yg!Cj%uSZ&~Jpeou>iljzVGAjC)=W7YSsm99=oV
z0WtcF_1+Gn?-y}&DN}6R#=1j;*O7#ngx^+VrszR*<)6h8J`n|$bX@|D5hH<|C52=$
zy$`2Ai4|G}{J%Z7-xO8pC!%oBE)sC8;9kzj-OOHs`MlaJeGEk7s-I;q->@4rt_I5+
zdB~wI3|7?nnoI((yZeEk<q6GP__L?_vZtQkQzT|6{nwLf96E|wp!1n%*E<N^6#Jpt
zu!j`&fi}i!PW@B?WFe53nX&2s&tb^9?Q^OjL~f<w24Xj-?%zfBooYAhPYRcMGZgi6
zFo6JNk$8idZmOu+B(!FVTWi3k6oZ8Edp<=$q=n{ZWW5WuLQIDzBb_m|KVv7pg1WwF
z2KMCpMEh?<B1vI!TkqO^kBU(g=l)a#TP5LZ5taKSkU53J7_=s^3eS_M-TfjgRMCkS
zKTl{zeiu0;0TQVrQf)cgSmq7-h`rEsHto*jh+29drtqGOdXX{69*kU5uI8>&<iWUK
zs@X-#$t>)e0{W=mXdQk)tDEo~A3>Uf=W(hD2VetWkvtd;p)%pWT6b`?4ObnMwI}TO
zvhigAkCepdn@Smx&tXh<ZZ*_>#~1HJ&?9J-aAkl<`?HWsxwUMGs2-wmkHudY<74BW
zur9@;)c_5c?q=A3Ttn?d%*`!<4L`2qP4Y*Z?#P+mFn;+d;Y01RjwMGb&e-zW@#26~
z+p>k*^%gkC80#Me+RHodhODWy5rsbJ*apIp$vM;Z&!K$sDzWLX9mjd%nP6Yb?|mwL
z&L(f6<0cg@ba{)ngv9+sKnpBl`f3;{_Se@yV1)mqdn_I(uyk>$pI_+f7s6A#5j@RQ
z6NReD=5Qf70mnrSRk5=~2*}F9y%JZqCI{kwnQD_j)<rpE-g$t<_35S9%k#|-^t}(x
zg}jQ%WdsLtn2yKJeS*gxtBCBzDqQ5b&R0X*MA27mL9z>AHliib!7|GPL5kLhR3%@5
z`CL5ig|l=15=#W-D#+6Z%fwGMH*^kcEl4_ci(Sk!GRngfpV<A-%h#cYHYN29?Ub=$
z<L|_;U}5P2338B>XIRwl9d6T)*v(0`5dl4<utc1S45$rHD5n)6za7w=JSoHvnocab
zV<_aRUR1y8yFS~Abs-JzC?4xYP=nK{GIeZA1J?R0SMEh-d8I&Dq3xsQh8aL}St@Gg
z$mg>=KJ&a>4JCeFh9;LK?w9xSn?IlHrdsYA8yd!acPgFtQyBopBl$y^^11-AtsKQ`
zsE-~KykkU{C-;siCI)<Y`oo<ngvwRd2{U>^Rl<l;(19b_&^Zd1f=?FVAr7uej<G^N
z^3tKp^FvaVTENhqj;j9$6?oB@Cjj&<fv?Z!d1&(4p!Tc!EEC8lK7wn)Sgz@LW>kQM
zjQr`V?<g|AfwWP*2mZSgZ2x;~%ET|sQ^q<!j3FcA#c#_o$VI4o;?V~*S#Y!lU{AYu
zj)<xN6vT9s_v>@OUJ^Z@iG=!!^H?G{tMyY@-80C@jxOMTPtW_z4~Stdkio&seZb-j
z;ErI1iBUxU9EH7dObtof34k`y$d9j7zz&X_dhO*PBFXnwc~t|}`J2l0@1dX5>h5L3
z56x3*3u$9gq%#Ktt~?>1gL`_($5WxplaQo_<0B@apSlVo4bo2J@PU#9SyrTi{Y>=j
z>VHpGf9}f|W&_7p&7*{L{$W38I)}8x{oY4F>o52EYZ(1EOr7(VFlF94xdGFf(>ts0
z$X|Dq^${baFF`W=FT*+h4~DzXak?vq)C3#DdAQ&-@E4^STY9qRFsND1BdoOqpu{&;
zmUBcBCp<zLu+W^II$?xgV6n#`Na;Y_9aQxEVp*eE5##Ci1mz?bXoC4j`UJxH@t*^b
z+5b|tsaK4qznnhpFCX5Acp3g61pZRQM_QD3L;Q$E4E6l4MU2imm^%s9Y_g|aY#O)^
z7okTubbL0!#D-VU%F7M%{@w5c|Hp=Jbc<yi;1PirlR%7{sk}12A^WJo0#T^3NPx6h
z)`+G^=iqe;5hD@7jG{6H*%*k8?S8&ZNiZ>x1ML5q1Cpk3gl3Kd2_#!m9wiJ&3EQjF
zt*eHSYkc`6=dZK330xbQ@{EOs?s)qYV|>!CAJrbH9IQ|+QFWEaJD^8GWw!1dkvoma
z_v-O_gqB|0nt6KxXCP;~Vn@PXTEO=>&zwu0BYr0ZMv(~&D)Daf^2YIeW00^WtWH1k
z7EzC&Fns-5B*C1P$r|kADsmlba4hla{j?KxNXgMwf3RSmE3p>;tDfqi4Di9x-ZGT|
zi`^seKry|1Pa)X5Oq3NGd}L<hhuE|xKBY%>z2dfG%ahdb<Mn0_RJXh(By{2XEWl||
z?`7O)N1W9JnY8EtFp0@Q=vB(@{#icuQw1g0#QRjjrw)M<=ol=c@sgl61h^!MhKNBL
z?!X{7m1YXfh(T-uN)-cH<mNwi*pZX==f0ViG-8EH2Eoy=!BdiBg>AMW`=0AqhU!-&
z31goDS6HgVN)=iWeg+i<`fYwgPrN1MBPwyH-C!06v_U9?5|;;I<nRB}$m>af{vt1R
zdnahM--)HYj(2}ns}SLCZ!sl4Re)-Un-BPm%vae9iap>dLz~sdk@_T&_;oyu@oBcC
zw90rn(wEz@A_^Ha9dB|su0Q;vM5G_VfQL}@vGG~=rbF8>--bGAaeWPXDgpa1o+lea
z`2ZIhFE^K8)vI+dLYEzn2j`LSZmULK7T6vr0>=}uY(4dJ_sgwG9`)~A;)X?nTPDV@
zobr}N+XqW5B!S3~gIMu1&uh$$E2WP6YKtv~(}j)!1owh}w#MEriXbvhR0ta`s{hVS
z9XNk7%tmjk{s=%6KF-q+Xj;(Wl`d=65kzFhe%QOVdnBOd0n&Hbj6sO1n=sLF*!%Z2
z=6kc%;fDyQ(CG#wnDKmpMd8@|V>4N#O<9&?bPw#8G2V|>Kq>F@d&Y%#a6A;inb-RE
z#f#Ozeb(K$+;=BEW?RC4L)k<xN-J{{8q;qafI!tV-?bt<?k(T@71Qn<FI$=<13C07
zIs+Sl;d_7?XXHM^oH1&o^t5dmC47-d4TK-Lm<sdB{tr=$xZXJscV>8Mz@X|mSqL|1
z{5P6K^PXNEEQeWg6sN*@T?zFZlwBCoNmBCL#2GVcCB+0YPHvbkYaptZn7dhiz0oFl
zS~xwe6d%kOT^MD%29!kpn)5?)%_<_hMo32`sPnbfU<;&`^ywsDO?}N^%LTq)KZHXi
z8Yo*{FVqIQgxF*U8l1D&>I&|kZm61!IDd{+&6;-*kYeLYB$CSsg5}MWc?#Lf*FSl)
z3dSEw>q`F}wE8P6z=5<DBvO))Yysu<tnXOp@)~QYjz7Rbnm1}@BPzh1!Jfu;_ul#4
zFP+{zp~<y#bAhY-kcN>-*s5aNvRwGz{o9*#7E(nmWtX(}kpWbC@u5YsN<ZMxGa;dE
zrrsEDgx1)MG1yc~M-(n$#>QdUAgpv(csKdNGv!~N(F78~jD6t@U7k46a&78?A!JM@
zh!|iaWT|lPP_weCh8kpDI0@+_ZVp4#sRu90aN-J{rCoov`ou#5$vNb$kOO?@vv^%O
z2YD(-fH|LMOG_mN3821F{;b>Bu&n#V*~_2~Y=>9%onO?i0`Js82++Os0x?EJYQ`*n
zB?k4!c2|9Sk(R5CG!*0t@3U9AN_t2AT$1k7rWln)@zktP2ARH4XN2FjdM^{|^f883
z!g&ANo&RUuQsZvBcZNr-|FH?pHKu*@SSG_50<`=QCiXKGU6?Uq61ymQ0Daz%x@?jG
zp%Y1nEuy|i=56clOeMOx{@(tA$Ith*i{8q^&{bSk<L1?=Z@1NAEF)q-4xX*coc2J}
zHg?zZT99I+)OJ+)l5ligb#>Ec;s>KSAtr*S&LHa`^qpK@9tfJE^1A+4Ci_4VC%gVO
zv8t##T<m;0VVV5j5jLW5N&Dexp8)dig((@`Gy$3es0v~yqyy=I#?ojF*kyaCBoiH=
z<bz4$cdG6MY7Uf>K=sVnc!_@H|3!%`2w+uYn1s8L_*0+Mb5W4T>zvGcqBZ|vU$sER
zlsdX%gV@GM7I(6dd#W9Mv3Bu8y~3O00d5bx4k~T1IxS0ST41%79%oYpm9|_LNd}e}
zHU5w+n{#NSKtby$<ss-yf2`P+Ge_Khodj%euAwtlcjHPlyTxLYm)Y}BcCP->9GQF|
zkgmn1b5ISpj2uy0g|I_kw)Btgh$QC%>Gd`wh*bbOi;JuQatst8lYpou9RFe<cp~r?
zRDeE3^TokedENr{ee}l@J}i{!Ft>?<XJ7TFO7thrXdI!$fu0>}(j_l~`$Aor;^a|6
z?%^fK;0twnOnxMUJhmQA<TdZU9DawaNH>Hws*{b^J$5@ruy;?6e5qG}Y3PB)Og}wr
z*0xY_BvWi4>QxsO6SQm)Vswl)+9hH?Tg8UnMq7_4JOaf$TI)1oO;{%LT(WMzhBKJq
zLm!)zI~tj?!;#$0;07??KW9^Xmi;78NX?3v;^>0TcBXL7k=puo^_ZO(8r<Y;564OY
zF#1En<x)HNspStQ!su2+rNFt8gH?A6dIUvKk1HWL2sH*jJQ=tgH{%{FGwsN;oBHa`
zo%x%tm0nw%jyKXB?c?V1C_W{72`Tb#2!6?H%a_PIAcw)Php3=3K@sl6qy{yfK#_AF
z1gypiu7QFfHWo2=bx={`gLC7#jBtD;p5x{t>fxGqhi30RG9iO>xj=cQ#<?U%8BwO1
zyiQP%HEJCemM9+I!?FN1vhv-yRu9Nrp!W!9IH&|(^EBtFW{EokAn?VM=n>d69TM!}
z-y;BB@fxdV1B^?|&}dD5kofYv20-Dfg+-SUF&wl=w~$9nag2z)An?%pF~T#ST-q)!
z#TV-yR#K@X#>OAQ9p1i1U{N^4sJ1F}kxOOfFDk8KtB*<1FgJwTOm8ug7M>*kTrhtt
zwmate93>SfQoQ~|)L^EVfkV@gT<$$R#+!{a$6=U#0;e##e8o+w4<Z!Lo8aQm_Qp(P
zheq3#y`HH6$B9MXea2n@EbGxp*5x?z3K?4?${ck#*42jfe{v->%E9B_v+MLq`N88}
zUfh1U*(MVa3C+{}SIH$D9B!^v!aI;qNv+^q=tvk28Me3hps60a?pOX`6K17K476rC
zP<g}x|4_g4OnF0x)#dCVb<yP*;~e5#G?Bo>sS9ZNoik`ySC`!>GJGey&3ReMvE?24
zx<qrNVajr<V0<fJ#ayknnKK|03cNAchV)B>o3m*j@S}wvSsM&%&CzTJP6|Qnub`?6
z9R+RRB;4)I15UoAX@WGkrf=jMyev`E`Pr(fqET41X0sE<XPv83?^U=o{faCL6-WrM
zRujwKL%U~K-djdizfqKB(c|T^9?^VW>!T|~dnqv{b)=3Sy9@&4!LSx@Fo)5(+Y&!p
z6i|KTqgZy7?RQo@B5^n0u+ZY?qa0XeH#K}r;OxASYTX}*jEb^1v--Y;mG1@{x3mgY
ziU6$Q0AQ7j-T#{v0lzVrXR{QH9^R+udb+s(yVTOHa-(bU>l7g^2~C(M!sk7VMxX*A
zBgj~u#0t_dl4OKSfsSI)7K|<z2R0-5yOANR&FRa^#NXh=T90P`$`kB%u(+Ui<qQhg
zxJieO{J%@*LWwa6qTyz2Tg?Sa3i0;g&wOVp1v|ccniQ~49GbMNTW~)sJe&>>4>qU5
z$&3#KE>H(k8zUB!SRrJIg==O!U-?TtEqVA^2Z02+lsh;kz%dGn16Drqc^zALfg&xA
zfI%Xmy{d^k&$mSEfgMq=a@5nA!{mA6U5zzid97RoI`|oU5vpBAkij!@zg@?bVF9-*
zby(go6Neh2t~IX}lS8@)D^DFpg8CaMFE(25_GED^UE_X(T@X^+Mw{S*>pS1e<%nQY
z0~p}I<6#1kT^<T3EPMIa+0WT2c?B(*!lq-V2KnV>S!OXHRjfG%#d6cq>lAZuyXJOM
z^oT#UOF~$$!DeZD6a-Km3n>`M6q2QY?l)<I-Xu<g7&=g&_+S_A5FNYXsplUsnk^Ns
zz}iCgw6r_vo_)SqmvxsSMnl0SW+?lQRs;shHOTR4db-$FhN8@aiaj3weyYo1c*Qb&
zD*dTMul)O8m%paAL^}Z<cc9r0L&R*OeX}KYLTDABkmIcLmF~v2?qjP#LXMuDjlo4Y
zNVXeapUnw7QJK;U{Al5A=X^mL0JcXg=Wj~+li9kmKNv^q<-Wy8pN}Rj=BN)eqwyWZ
z6&LcC6e62`UQrhG!tRs#zY)Lf7+EiWd%MG4_w{2)aL3eYo8$+?(1S}Q4kjr2WRP=g
ziGNmuH74%}>2$Oc7F!iBel^@USDb>KQ&Ab5zULIFCKU`aCD?H_wqMj4TbB1VVO;>8
zuM36Iqc|)eH72CRx6_f*HYB=3rH7;Ht{|?E;B0z`{8gjNIuK2XsQ2Ac-Su`cy7KM^
znUbb$W8e*hQjL05-V_Y|px1X;rso$pD6bam;8Y<D_|}g4G57h~WvK)!Jw%j8((a}-
zJHk`+bMH)9XiUJhpEZNW-#;`0yrRPbZ5LIKNz+ByUG6Qm)Gz&nx%LzWtiD`0F2zbT
zddFuv+4N3@WTV<%MI(WM=X0cT@~Zd3pS_>URZn>_$&UF}qnVn7TDzWkU8aqQ(M!T?
zb$0Q$V#>0nf3eJ%x&puh<1k7UkiaA^A#s6%K~0!&U@TPS-qIMU>F>TU26nm4xdA$R
zH+g&M|M{i7MTD?Hp8xvBMs>8##@hzn+-#E?oWYY%S5l_+_O-E^!&@v569%84%d5;Q
zN8#b-G!$sO?%Yy}!p}$=%wLK;=`%Oh2ku8asd9O`B2n*~CC{t%WIU-LKS32!<hJEC
zB~Cx8<ms|xJP^u-u}9;Je6bj2g_^DS_ZrO!jI$2&VU?REAs4?ey6T_Xuza7(1tgvu
zy|pC;7=(DqgBih}#7_loK7V>tJ)hrKm42NP#?CCf?MgeWxc0CF4d5`mlH8MxN2iJr
zJ!;q&97<=dn><-SZ~j~@QTt()MaaCItK7K7+<XYtc}Bj3{SfS^2mQ*fF!2aQ)>ME!
z;m$XE3$A>qR4@8q{81(XfRAtuRm}e`?B8U9HhBw<(+QZ=YPbkb4-l<w!38)F?+_H{
zZA>=ict0s(3u9e&(q12BtBplDK_HRpE6YpvoCvql)?G&!2{{8TLieEiI`aZ8yFlPm
z@}>!Q#EWy|&zdmLv8bg?-2=IC8SuvTuP0fI2h9)?NS7)q2!V^WjwtAYG|*g$Ao`mN
zWpn*@Hl#j6yLl@jg-dF^!u^Y}ZzXOKrMp5`;NY|b=P9CMLjh514ji?L5%J%$Iygo?
zLM%`QpU@OFIA&P{qkOl8b|T>@z^Tq0(5RKF{r`A-9rr!51i@tY@4;|9syt9aI{wv2
zWb5a*Z{LCMc3-4Cnel#1{6pzBBG%#d&Utqd0=~p;;147ee{E1g<osqpvAgNL_qx-2
zC*b{+Bt(^i9($uwU?7cgGsKHV=V=?!p_D0%6C9E@rdB$9XvoxP@><PQ+|8#6hTdEG
ze2$Bv@+%1Ucpem@fnq`0p5Ibp011Vbu(9;nv}?j-JH~iPYnQd8(0W>fP}gUyv!09}
zOqb_E{7%QlKR(6DO*U^2#p>2YnHL4c?&}~b7C?(MH%0MmICEa}(j!He55x$Sss^h1
z_w5NjtW6GRS;%GhaEEXF@1+m|T>2my_=hKU{fdt=m@-5>9_*TkyKJZ+%mP|7bzLUE
zZ34t|DX3-q40~;Ipv_d<c<uXq?vh%Ec2l_KRYqeF?GgwI>=I$%$aMx~b;_}nb2TUP
zbxyg4u47O6+;{aDaa(ZH{jaxj>;QqI?U_dr&n03JF3lJlhvqogun9FtC#oU{&P*?B
zdFsv}vi+HOuh}A(m#KwaS$Ov5>s{6(8R3L6+tc>73u_>$3Agan{xUVp(c9CsBp3KF
z>JsdRXuU=(I9=Kea9LFgR8q}uE*HIiQGW)t+3&}{8q_{N2bGWdAbxf|STq7f+No@&
z!QP%&@Fx6Xkk!9V<Y_{niLPaQJLKV#i|9QC%r2H7sQ@9$@jz{c<RfbOA4Sl3e<FJQ
z{gXPMMK56w3xViiprP+kSGQQqZsf;gPz?)Ff3yN(2~3~qE2>L|GEm9cTclka^R-9h
zplPByF9d@iDT??Jb_=8~Hr6$E*SW)9Z?e_FXCS*jz{>@^sZ`0bLyW*)SXlUCMTvVG
zmkvLCTlQd`2kt-liOLbg#6}wcD%7-CW%B`de`0+Q@OR~~@BptNp=znA_8HtqR6zrm
z3V}N+1Uif@Y&c#nY!a+Oe)^s~L%jKr2g)B1VM%QXuGBH8z*PX{UFZ_iEFj7Qcq;Ie
z(?HLfy`J&nN7=<on0x^Utbnkj>I%U1RLxX+yWM?KF(&KJpt$t3!mgh*%OruZ4uY}b
zsena0>a{J`>Ve{oq~{sJeHE4iYqj70d=b6%<d0sk|8>;#9AZrn@$(UU*%bk>zN^-s
za>m?bg9dX&>_mKNezf*p*EpWbsNph7hc9MM6#qGdJBn)@i3AeAGM|)^wsa_B>T961
zXf3$tnR~>Hl=JbLA+U<&FFJOL$gS4?(f^H5C#A>7#3;1S8r}EUKus3UIRz;40OkG1
z#MKt$*zkl%Gc3>;>7>MwtnV)EG}^ph9UEVTrDxn(54-{J9UvFR;Qg5W6h}4H+Njmt
zWlW`nWktG1K)AwABuSJ8#fuDL_mY-AEot}*%Hw_-e837&wV;wAJlTuE_=Lxdkxjmh
zh_ny3r3MRK{Y5T<-v*?IE3}bfjwVwCa28Gw`8{^0@!(LS$lP6KL8Z)%lN<&I#M)qX
z$@4WZPCNZVlUHSVy2LqYNQYdv$Gnq#o$MR4#xGi3^x99eNnUEeSddCyz?y)W4#q<U
z6+PCu14O@JDayl7wW+b;pA`70@Aq;6HQJqpGrt8vjr>*m)K??BNW9$v<OsYNP%y9F
z!->>C@-$Qofca0!l7ktAlh9e~hn5c;m9(YIYTh8;jNocIly0l2pH5zF!=Q~Zd`$;R
zMX6jf69NmsB>A6+7Vo8jjS?|eQ75JI**Uo0bxXrs0V-$LdbYn{Km%R{>g~EWUa*7|
zwnhyyE>xcgA?H{tpj3>n1<hnX9Q)TpD1ha#|6g-&;tqBD{tw%YZ48oPFt!#X$uec%
zw`^IG5T!z5ELkJVFeqDDTI^(vWUojD5wdHs#8|R~?AhXX&V7GA-{bpxp63sEj>B<u
zA9KIwy<G3>I<ND5E$0kfcudnr=4{iv?F;+JPP^JuWfzvBj;A{=@_4tO%x{A=e+&#M
zi1a6MM_fb0c5z$5T=po&ScLu1V*nNGE^g6sS!3c9H=iVE0!ZYrx3v<QBib5>HA}eh
zRydxQj8VPj)PKetQpbd>N&DEbNb;RY^LgmUZJETl^hjUg%zj}x-yf2(rmXMVL+Hk*
z+tH-z{w-Sro_3k~KWj;JRQ9t2nW|wlEXrta5?anRRodlSPp!qq*h-wz?<dj$|C-x8
z$PbZn^TrE7VOTp9M3yuH1D<eIE^x<-yrbAH(IwZ_gE=E+uyF6=>EqT_eve;#y!4ni
zr<~Bl_CU%ANFc`?cJxeoK&irNn~>JYxbyQT-u!;Q`_R1b5a+PYmpfQa*Z2OLpF}GR
z#qYT8r5y3UnR*Q#?xZa8K{6wGUIy1W6DhR6sM64TbGJ^&!eBgtU}-DKU!@(#7dxjl
zH&?A@{@MF)uEp-Y$<3BZJ;16?P!@~~+lrZQr(t6U3k<O&njA#E|Av$|Tby$S%PW5q
zT)|VW$(GbVI+z%E?|qJ($tMkHyijP@0QW6ki>ezPhtEw!3X!9->`y0!zw7;d^#Ok@
zJ7;C@hlL6q-lKgA8RmH8Ch-m*A;aGM*O!vBLGe$l%}q=MK(4YT^UxWLHCaA01Mqk+
zyZB-qGXnFHS>ds^%Y<%c#Relo!T(QRQ2N`?NVj(OGZwhIhd7(JUI{^ecak3VgJ6wp
z2GfsNWBfoev-O&2_;Ub0^@9UdM@cXg%O{eJ#EWV4PdEp+53X8T`d_h25$p>v7vR=s
zS22hbW)BcoHYT0cyMQk+5)_Qm;=h85v12m1U?%wb_QNO*gN0%f`;&}_6KP35yi-R1
zj`<`Xy}6X;pP#X&*j@4C<SoPPR8nk4K>I-PXBss`_=n1wtNBK<t}+I@-!o#*D3<cw
z+nLLE0*}mm>91~ZdtC(h%%-(Fc5D4nQe~!#`KJAi`<qX5oE&G^`#qhMYp=C1z6H3@
zX{gdk`rg)Z<t6%Q`VbYw9=J>L8}_D8pL5#yJ(h8^^GSjynqEakmI^FQw10ofHDtj~
z*9WE<{L7$?>Kk6mi(}8eEE<1(ZPp+7a_-#5xO*$FHb~@6d~5=3{ic(=ewEa`jlRuU
zxNNX?KoE753+B#{>YtZFvqq^XBD8fJ&VCB2wr8?gBMSC2({Xb3e$I)LQ*5Qb)s?Dy
zf2)aKy!%SpvKac7;zp5q-}*;$E~|9?T?T~q&=u4)YZwJyh`C6|RG3N%L0|K=@nAo>
zs3Ya6tj%DVliBdwxVblfcmJ5CNZ7RfavKf`&)I*LQrP%5#h_!LZ0wxbw*%{bPwWvs
zN`$trOH$&Z|2fxBh}I7eeT7B7ZMZ(<Kl9|6!@dR!3TblX@W!e-1(8JHD@_Us7AM+&
z?Px4->`TbC8+_Mz!)5bv!?D7GzC>Cgn}_M{+%)2iW5iU7>!{(`!-00#yfL;nK4HHY
zNIf;O)vB4X6nJVMD#SOAcunjRwfFVtO`0&}2R~xQpVB1=;)M{=NT+Wb9@dftTxoK(
zHR_C{jA|Y|5&z$G{oy$L{Wt-_I$JO<_tj_P2}g!DVYGKW`ogHIqq$khwc|Y2bnC7f
zgY0j%Rj?jUX@Z(dQ^L+ZxN_dLecdJThClXY=xjZYwHtz9{%f+flLmv9s!^I>iU__y
zY*bkAKR3Z=H7(5Z<Q?f}Eb=rGFQiZ%K^_$BHS0c-Fpt!_tK@wIy{QTXr4S{8kU+nw
zf_Wb7LL?1zu%&nn3~$rQ?0H#uuQ~2oKGjoa8>YhxsjcfiLZ(-&eC=efb?(**i>5Z~
zFJl`Vc=d`cK~uJth(eZpe@#in4X2Bs;=$PIsmPM-5J??e7YCyooD{Z38K-w6hvfQ^
zn&<1<3vY$#hi92-4;?E#h0w-NrA1h{n`F<<Nj}H?@ap(F;5>M($Yn5D)T$<@|9zms
z-#zWIxOl_5%c|Ik>9~={x)j8OPH)x1N9rnCB)c84F<*T0y|PH9F{?NWmtt*YK4W#|
z*<1HYo<H~T+Pb4FSKhld_0+5<D0u88uHJ|Wh0LI+w_VaYkNsTM+~hnrd~Eu8L2s9b
z=!m%?ExnYoxq}+ONsi+mLWZt_IyrGtaG#ziaIHAoFo;0~yT{(VkxhQ#?HwIXbA2y{
z#$tKp6Z7t*%ni;Czfa!b`r5Z*6GLodBR)d%sSVmKb~I;rQ?AJ_%xVN6iEO9bL~2^~
zQhN3}GfeH~#!=0p78cp|77_Vf+%EzPm$?Ac3rKY2mG>T)3e(K>Tl;x4C4cn@UMT5v
zgc{)j1(8k4PB_D#Dx0yjF^rz&fPWbT_hNSjb9FhI4(Kbdob6r>58nC6qNgwtO*g~x
zy{ATHZx|K(WavYQ7j9*%WNJ^YEVm?|i}q%BKdxy0Oj@+lms(TL>=LW0_T`qG_h%}>
zcN=j!J(bDS3r0Enqne435CticSw>3lBxM3VEF;YMG@V;<7U&g*D$;8z)HhRO7uI$H
z53?d=Mt>=7%)G3=EH%Hl70T#+Ly6a4dO#Y(BN{bzPYrv`g{h{gxcor@qt2%Lk4wix
ziZgDycgDU+!`PaezX%jq;pzvqcG46h6I0b`;ibQ`VAQ-U8>L7`(sAj}v^&EdjB7^l
zU(OFzc@};hRFx4k+ac8Shkim_KcmnMZq9{ohi!A!4IW;qoG>0OS~6Aa$`I#r#)%zu
zzSsHPSXcNL2QeXd6K7Q~x*+&AiKW708Ed$~#kN1?o{o-=mQs{@yUh>foXk6gGp!hO
zloR72VO3aI49?7lL=tHFgwgUoOVSFjYVHi@N#5ztiy`@qmfF0lvz!s)^}FHV&UQL*
zxNPjr6Y%36Uur_d)?OLM?b}9J(waN)skM}!sr1w})@6@d8(>1jQBTKrpFS4C*{-RE
zLUP5UG|$7VoO_1m+|<E*BD&A^2sEwvetssSx5zE);)r_aI{Mb{Wz}7;WF&IuhG)rj
zdLKIVg3#+nE%Z>aWo<v7x*nQfi*U3wPdU)G<wX6kP(RrJTXnkbec)~p;rcEf*Brrj
z^!O8qu#GWc*&?ATeR#4X*UZ8~3$_;1^m-W?8OD6udVi;GYra6^SGM)W+nR&JA+|Bb
z&(HKU3!p<Lm?d7rV(DH!*-$mPl2vqX`FI@vbPtrWO<eXs3jDn}z3q=6+;XT@p@K(Y
z;67@;u8DCaeS@r&^rom(^i#*TUj&&osXy-cvS#XRHtpLx9UMeb+|}7j6}~uJ#lzCe
z_O)_h>OJcDovW+<4_o8rY4NQo9w#IuWbc_&I}f(s?n|Fk$0`Ul(Xyk0aXLM11=**m
zOqg1K)CaJ1e+Jj{$!VjVfQq7;Qyt<N?-HHcw>>Z0b_yKzv)Av`M8!5shkL5}nis=H
zJ18j8wQ!3dK$y8+kj*x=_i&*u^vBG~3x7(|N<JF6C3{qSXlQ6=#W937pr@G>Fbk-p
z1&dIkAt&(a2iDeaJYHPn=VO2IyK!8=)QPbuxZuW3wqC-{Q-*Og;}FZs-R9>+PNdU5
zD_-bx$#L9wzmdXy{p8jc9tBq$-jnpJZ*`}K7zg8MLfN7aS`<V9%dqV8Ash&G?3a=&
zw|w`_Ei6Q*e|{SE|1|z-41tM1OofWAtW2Dmo^mgQdvq^GlYM<#R1zmYxwV`^5T@jg
z6uIe95bdLB=~Y#PP<Y%usH)pF+=4!?IQ)jr6=HL1tCjwZ<I}g<R4^s*G){NUed_o;
zX|X{?oU}UUH9zoanRXPM@|SWk=u%06M-FhzBN=Sbucs<XL=zK}ECxE|R^M}e$h}a-
zdb?$hRRjjZ2%-MOsgr(+zShOIDrV@wo%P=LALyA2csPpE`|qn^*QLu?sP4j<YB^Ls
zqz7LiZGoMq>ej&ObVrrO?#8ct#T;KAN*WCj3KFX7hDa$_oX=nfeH>xBr@%yL@j=>s
z&GX<@kkLaSS!iWdR3HrX7~4_PTwt(dXa(qnxjPFo0<o|BcLz)&W{kmYbD_UQ6@`ik
zzD+Vt5$9x~m={u_eDAaURb+pX5O!WExwXlI717`ue}nAx&k`%G4UItZiYgr%Ft(xs
zEZE!T4+fu8R203rI6QOSNP{Lsnr#c9qB$sn^YkU&;DI&IRJ;XoKgoHyd}-b@B0~n^
zg@NgYu?5N)vAo*{p)0T#cMARD#S1U6(`~ggbA?eLf+-Nq+IC=rllGX>`AUmW!z%4>
zUEhK1>^J!;lqd>Hl+NK0DDwM&ue`_E{ut*n>OaMcdhgNFf{DjaK_dl${iNuF^^i+-
z6E#(<w{|xdH}YX{3xz*4T+}>;-uwM4Cr(LE<n$qKnspjqnUl5x3BR58UzU^%8m`f}
zEqxlFp=}VNhOriu1cg_V<odn&pH|paUG&#r6)Qx6Cl<huY%iW7PZeLZ1ikH|UV}g4
zRYW)iRW=7Ao1pHcRgh6jV<|pxi}L=`kNPWx;s>Y~O02#&3IU^d43w6hkk&&K7o9U5
zl@e@`_o$kuuc3^?um78n;z}-#6zAU`Ul^*=KX=L6`T{VOeSGKllu$JAwkYuGm4`J0
z7ZA(VLVy4Kh1L*Bv(R|q>-%4qr9m=ZAaY&C$@)Ps3ye}Yq+4=S2nU2EgSIT1&-=xF
zjQOQYVkWR+vlQaZ7)Wy2LcuCSa0h)qLQgbsPzLp;@1%9DX3|yBhbagASt{Y{+Q#Fi
zFpZQbNtkt#EumrMY&bErzXSxpp|EIvG7@27$aUz@ksy}qM^!08q+!>|eLZM=Q=aN-
z;6~DFy^V!M-n~_+dGuTFMdz&_-tPoi@lCO^T_GRXV3i7qmx-JSxrZ0x;fnihe*fg8
z5#K>aNQ&mbfz`*R*C-VX3wiN5iX`^NQk)L!8fz`GE9l6E#kuo)Iy+nNor8F{DptIA
zoCa|Op@L<`mI;Z4VDLiEdE*WSnId;2Lc7xBdHB5QJWx~!;RJ~1Q6-^L-`U3bn9L=%
zc2feRvCC7gut1A0s?s2|QHK&DnBjs_l~VJwIv8eBTUR3gg`(i)T6>x0i_!BVar=LF
ziwPVDm+MPPk%QCvN#$P>`3oOgZS5@56+AcVam8>}Dwn@X`=A8?2$p?VI-POzd&H^r
zPaogjSme4@UC|WZB@&^|p~Wn_a6GVe{$0}5%6vU7%drwvZ0;EEiK`dkDIWE)pU{3u
zlZ`?K(u#?SN^kcZFt)lW%+TkGVuFIgpP#*jG<YJZdb#gXMoq?@<cCF^Oi98;1~g3u
zLoB;#IT~UM_e-D8Msh%=s{L>|@aE@7XBxbsj&W}b%P9%*wR(x>WnET#WMnlj1Ib$U
z_S#H8IJ`^wR`;If{<w}H%=~PkeFSe&XK1;gIzeTCXy2Kp!+Y!HX7Dmo9(K0%XaydK
ztz)|v`~NBiZ1#W?G^@D*>`W~Bf1lZo<H|g?i4Pt3J_{uO>5pgq-I-lSMPw7XbKplS
zaMa?3-S+bETBCXzS(yNnorB!5V`?){YiHX%HDZT-Lbx+73}-od28*Q9f^AWVbwO7T
zcEz@jrKP#qjEFyxxSm(JM5;a@ychJ705H3s0l`LTV%pD7rUW3M9+4F5YusO#GKX>!
z+}t8;hITx~`DRyoICMYC;)RYbj+;eGY6{8!zSnY{L=0aa@$7aQ)7?{V1B*{`T3z|8
ztCaDyVJSj0@y(nR0%*Pdab?W74irC;2sQ^yyfmrp=F;7gEyyyVyU7FQPhP*i7#zLU
z;;EIYW|o~`gN)RcP4N9A0GfKA$Gg{`+M6nPiO!E(C~UPp2AJ}K-`4~yt$hLfSo>eF
zL#rujknPkLHZ8{72P$qE-QlBSl`|NUkHw&^IIdCCxWE*0SsBk2r+FlS-tjK;=WzwU
zedQbe({;;Kg-zuHw+Da3u5~MCbSbP|*uZt&vTVxtkSfO-$3J!aK~AjfAhBwP#Oj1o
zK!;enElcsEbGog!U)ASzel584if{1C7w$)(1z@lNcy-9S8q8)VXY}>-m_vKZZ|FDO
z)g2DO372RZr{}_K5U#pmT&ly6tBWmfT;5e0$hx%mX)-O12(k?)z=8&{)alg+?m6UC
z-?fR;y<7aYdq_60;76>G+rp`D8?=MNehy>tS)Y;q@-E{VUW`OGHpjT{WiHlhp|9!t
zPe!S>X#Y5yHTLD|rRux#D;X(v$9N%kH1n5H+FMp{&D|of-xWEz?<N1L=?p1SPz5VU
z72|Tz2=eWnV;Z!fnE0Edw$g)8S|+j)uv00uqI*r*m$Mk0l%g}p{XaER-lcT<AG2Jq
z>n6pdHX9(zyvibd*-$zJhBgGNDpnA`C?$4Uy}(j@%gs*rr-;va60UuIPDCu}1XH`k
zIZgAfH9d=pk7-3N4M2CbH!lPBa^6<ndEmq|kP}_66V`_Dd2`peS{SNR;X)bX<Zp;b
zVKf|jIw?6>^l{55h2nIg>Fl1;^TOUG&e&eoyS(}`qpjyZdPZlqYlq!EEwA~R`4tiG
zp{*mJ8H~fz$aXu7w!<xNhXn*YVlEbZeXo{1t~0)n|I0$I(T@N^XN2*M{BCuH?a?D3
z74KF`Dhfns7d>MNk0Hl6t*y56=V&z8W5H3Iuw&tQoH&1Qq|!;vi}YGX`sHKy)GGf#
z<Ls=w{Gcya*UF3eSak?`;zLFV?aI1E4^JT;)o3m6%L~mpP~tgP`7>~$zs=~$t~;&a
zSBXTmzgcE?)Ug)_txvc-giv{gsQu-W04AE;edG}|Oes92=%iT-eZ-n?f2$FHnf-Hc
zxIj}VJ2~cdQupr-X+3Q~C(<JfFHbx9q_#8_*5s^wI(sHz1bGcHgFy?Zd=}D`^OTi1
zGVq|QW8E2lH2LOFpH9p55P=7I&l|FL%sI{Cw~Mb{);;y>>&16;8<EFDhW{>SNnCS>
zUOByITG7{a&Kk(0Vx_ANw{std_?Nn#;ByTTDToFEg2D=Q{3UM_yx>~lm_^)*|E3{F
z^V-vVQoib_j&?=H-k{Op+ArktUfWJUGh=h_SG5~+oSN*q`MZ-syxxyH2BW6-lvr$=
zL#Ndb3dfd!A1b#>Qu-?m!_hZjb>em^42OH4_Kzs?aMaSyYsuE$5}F?u=B;yZoix3v
zWh3si7KUpcTQ^iM%uZ%WiX26W#h%^m?3J$cjN-QWW`rP=89a!lB^Rxd#=<FvROJkW
z(P*=g3O0gEflusXFFVI1J<&aQQCkleJ#>m(3T{;Yn(KLG{o*6n3dg?{w>_l#cvViP
zyjVasNCWTKT2fi^d72H+_jHgnPS>uXV#h6iKJIIKV`OD}_)@o)cSx82{NRH6(EIb1
zdh(cYI=uP^EzKk~0SXd=R*c<%hw>@@`k3d;6<H(8Vw1}^9X+#2`4!?<k3^amyL_Pa
zg{6$S5U2Zn!*$u&OfF98$MtBEhTL<V((bvKVu^v@j5RDIRH?2>Ry^!%YE%y#`ZZM!
zlgfUL>O6vHG9o>HJoq`)=mMr&m3<4|*SL<&amTOkRu+s}YYmS_M|!WF)A&6djMH!@
z2(YrjDKs242O8xlFXNj^eR5U<Sl|A%G%-;HkHn!s5V}=*FIqwW9-cHDkzsw&?f&yv
zr5(qwb6Cwv9;@&-Xv6ir3<7TJ))ON}?|L3v!o^dzbx&;Xt!Pe&RIu_X=#1@rsY$$F
z+(cl_*NTz)Wlw)-A;KbRq=S-#n59#bB60-d5M#{+nLGfwY5x}hoLKIAxANtRTd&Ml
zYjr?gJ9Hmh74`+>uW#zp7e$V9T<6eb^V1)!k@Psq)Ce36#hEza1$@(;-*g8jKK!or
z1$s0pCI2&WFZnmviX+Z@&Bh0cz6yM2i%humG88v;_uaT418fDtE?#EmQi7R@_HwE1
z@NLiYpe9M=@|STPc|vaL!wodvow4_6>4BS<MNgeFA1{w5^PO)p*RU7eX1JQy&UI2n
zm_IdPSORnen{0croZE2vh0i2NtMZPg`>K6P4mjJTwCe(Wqy(2%p2)eS_YL>H(C3;S
zy90{1`a|7Pr64O2d}T>XDy!qgQPGeyB|7xCge3AkRUIl#`4Izt>35Z&nVOJGI&D=M
zxwE-gJStUHRV58-H>)zc5RV1evh$S!cN}NdM$0&m%*E{~MelxL&`Vg_qa8~n6EzOU
zqFFmH9Pwcsapk&t?=|~k_5+D*paoO5KL2pGe1Gp;44<M^0=bn%Z^r)m@r}e+Mu=9#
z)jix9L?kR60gqqVuB8lZ7_`Nj+z2E6+4G>~;LHOVNhUzIKbJ>eU#Evc{(+^Euj3$a
zVNW@ZXHZ*+S=d{eD@l)Dr6%FJMGKy&GUq>&v=5bX%K<76ivGMkm3W)?R}Xf+uJ@?3
zvbB=7d1+~Bznduh9xkyInJ*Jv$N9cDz=h<(h&+;2D7qtzd5in@c?>6?IuA`+GC`yB
z00cBzaDs*cz>BmZ34dz8ULUT$v!28MHxiVUZrrWER1t(r*BYA%IGUzjebN5(`)Nww
zYh`BGPd61>t}E}%3IVinL=jkvb51KE+WdiuLE9ZyMQ6zUsJMX~b5eLkUvex?9b5NE
z;~on20P2L7n;Lgk$@gOUc?_{rG68$4Fdu7|B3f<)M{N_ZSmjq8xgzz>-uy|cy#wbI
zA6`i3*-{_lwf%_asd+{jhGg!wZ}&BHJ^NtsvYgvOWPY_48uxhC2p|zCRV<DxSS14X
zn<vBLml}3B75A2#^sc$R-#*52R7yA=4=9M;dMX0nbXIDN%aVaGyv^gv_#t#9jDIf}
z)Ve&}XKy}~eKYd8%FrEyHpJujXr_cINbwb;Ccng~${ESWU#_jRfnw~y>GE5zlZwE-
zuY+Cv<YUwAucj5}_=dv$Tr5w;J&2n0`{3orfNv5hpvbul7n;VEL=!uvO0PDg0}Rjk
z?Ch;rsf7fB@@n~;(RV&IZ#&oAi>KW+Z3-C`(dlk%)|itJ^>bO`oOu``CD5ubjc*8B
z)Z`;OjJsC?u=~)`r_U&8m1D!$E&~<&!T7Bqf=J>v$FMD06s!uN12z}30M_De_Z@L>
z?F9*=HdJGB=s)kMNz3}EuVKMYU{+kK7IU74y}3!Ktf}`jH00WuQ9dYKFgG_pnE_B@
zHq^50uR?RKMxSj!$6DWzaYrknwU5x&(~=O+3IhG@8R%b`ZKVCaM|dXfq(+ZK_b@iP
z@iwe=$y4*}v@u*MF$?EIvdBZxuLoK4$>+RDUB@U$ZO0~D?*o-RP<`i$h*U$y<VPMi
z;h+OL0^H=K%igBn8OD`oNeGJUR$&a9FJ${6UoviCtl=sf%YIF}SlcP<TI0*r&!%%U
z9~^FHf4fK3jiK_#hGs@etEeczWmbj`$+VMM2v)~qDFXuoJx6b)s`B4k4)I7nAZ&nB
zOEPNiFACozf41Qg83tbW4zwiNTSVVK*d6ogIyZA7e=9s)p-waswwh4EJ_^bei0{p}
zO$Sb}Qe`t~n{`Y`?HoYS?*#%<(Gp4MI`<Z|y{nE1Bl<7#)EyH)%Ngepc%c)Imik{m
zljfTeHFtIbwZ4Ks$ZL~qg0?e;t`w$s&-CkI%fwxkq}^E%k-%dJ7+%RfrUX~I_o3r$
zWqJ9dSYQCjL06EE+_1ue`S&}^!(ZhqFr|PusrFvsHeqZ9+O4#cG|pb`iw;<L{e$r~
zJ5R^NGnGaGsIlt^)PE=tl9avSLXmPYYpYMmw;a_PHe9co+8XXN*B9>VI|z!BJKK5J
zPy5*Zl{sw+3Ey+uP(GxocnBH~pjNM`poJT^&v4UgsH@%r8R-aK3F)9c-|0Xe3))&T
zQw4os+UNTEE>6Elvv42ftMTv0`eR4fH55>&#}xk9W|vC??Lw4K!*iU!Nl(bd%7>5r
zUGjm}LE<7qAbimW^!IE%zB`6j-r}4Ow8QFwCXp8={mwaxplKKBj3GPm*JX59gxtY5
znA6xyjC91zT7$fspW)h9%>-VvSusX=e<f~?+)twJCp3yO3(^>mniM}#_p)k?;{P?#
zgJ+42*iA*B_a`}%S(1_YnOqF}{7DeAq-WUqw7^A~-wz5OJrKTPf`+$11?n;3r)Vd0
zKgYhov!LwYjqPLgdnvGNBvfgSoQjN^EYdl2_^@b)1uF!WeEc4jitU$Y)D3dCKs|oW
zy^gQ!SwrJoo%>+8?PGn-dv#kN>cp!Z3x=sl851nnY@|X*D)ZmYxI!AYm=NG5>w^01
z$So1enI&E=cH4vIdL7yaS#P%_{@GSUL$gX=w;e`{dY;r1KR{$$GTDMcYHNgO!-iGU
zRAjl;`tYdwp7#o1%)QjC3M#GqSHH>=)p_51oy>dgdND%#Fc(+<uv>!xyu~#euJ1qH
zBqb4q-@|kaI%+Wgbk%d7ZPGZPknjA^t_1THo(ByuWyCyfpE!bOq0nvYedYC5q$bw+
z_HE7{1s}35AU8CWDqvZnYlwmVr&}$>tPmr<iC%#}Wrx?I<+Aer)}%DFi?|`d`5QzB
zz3rlAd&+HqculGgfZ+DUtw~T#S#18@Yn>0jpPE;&CRgi<LgociP<6owcRfU@Q;``&
zxtuY3^HjP6XMbq>*AKSOoISPn)`6b-0H3#u)x(EQn#65yS3YK8&R<pkGFpW~`lN=&
zZdlH-Kg-xY%j6nxZfgi^1pUCS81V;fWeJ?*b8b2Pb4qs-wDD(BJAAZ1lFT|8i3z`X
z!+tpcG#OvgVsh1#svJQWEEA2Gs7_I*ZCjJ^%|5A&yHe$>2}or=06ZIB7>Kzll0Va6
zrMr2(m#E~inD$<+eNQo5<92C3EjcB{6x^VRy3-1+q6K!xc?AEsN-86?jeXeq*wSDN
zTtBS!*P0F3r-cY}zo#7}#-eVWc$N$b>RL3BjiOoMaT&Ko%O{(E8AqS=ll1qW4vw&N
zF%a1l+;S0APOu~CTrbY*3?VaEM^bH0YhTQ5TGG64P2V|c$4H_l=i((EWxuA!Z`U!G
zl(!2-PD+t)VI4=~&LzNd6atNd<Bfsd1W3op%xNa_pW5%&j~o(0A{SxNG4A30<Q*Hk
z*JB3(^f6;W1qZp5um@~4Uf({^r5Fvoz`b#G4#pJ-FEdbW!t2_+hqGX(l478jbDCZa
zH>;X(OD^Hb_mbZ8I_%C$Fjx5<!TEF?a)8iV^D-?7o*9*O!WrA><S0J{U@@~<UtDxo
z#X`qt8p;3&-~mclF$T)-_^{`Lu8y1;aq8z&9jNPhMx=Ua5!zlaOFTTdtvCr@*iRq-
zLwl7J2@kj<2*#hI+VOyjunAfVr}0rqG1Aw>4obao?$8wBHT0CNRfuP)GS3DUMWb~{
z;&^_R`Mo=4KxEy>=`D3Dz}-4$UhS&QSu!L#_$2VBBlpmo=2AUkY8VdDpID&N1`jDf
zt+hIb!4%`LpJ&FuFa-#{8Fe<BAEgFPN@JIS6q#IO<La6#)HztZ)e>~yru<R6RK`xv
zwb7Y@y<bV~Swo!<l=R<j<eoWx|2Z8Cw+0CAzG!oL@DK$YDzYyMkP9RVPTjn?;FrY4
zQ`6EJ>UTb82FTZ5%4r-*xifPc_v1eyv8d(4Ej-)~8__!<Y4qZoosO`>aSOIAfwpxv
z#(u_g(?@zTpCMhWjO4u+jI$FH6MH~B$hmDt3H?p|HeVEu5pcQh8B9VVVGfW1i$?}3
zH%a5k?qa;?l$M-o1O68?VSnoBYO)*W)MV@WSY(y(LYC>Oxj!|}V;k;`eQi|a)~~sz
z4iLl}(dwW_*alSP%a<2+iwg@)`o>d`MO4JojGO}hmP7)K0H&TeAr#ll5pRR74XM*1
z3}uS*qhHc!Gz=v^|G_L{vyXR~b!x6)Aw?42nU=anT$<}2=VL`u>(BqRWEPj`%dn`v
zEQwt%JBj?Ro}U<Y_@K8#%R6y?-q}FGQVn>Pd=0>gqWadd7<KXu)5=d9w7~uTKLRZU
z(c~+gLVk{Oi&~My)x)=Q?7FmGZdG*(pt+-)@AxLgmWhtv4c!91fQ72ubH?z6BZv<r
z5juct5k);R=hU!NEm6%hkh`F2-A!cv!02mPY_EGCF>SlgTArZ%F7p*^m<H0{)+Z97
z$=rJzuzjeikRzoI_}~U3u7WP{v?Y!*kB)>u9ec$73?jhnPtEBOK(MABMO&TsMVL1Q
z&0JL7rF;|Km|zKS=33*@x&9L^VVYqC<M7uDi&^Rf=G7Hwn{`tBnd}|s*}t<;=-<+^
zw}C9>fp{P1fARNKK?+jY$Dig3u2;-5{BJ}=XUM&D%`Ujxe)krJ+Ymn?&q|7n3sgEs
zIK^j6Fq$@{|0@FmLAYCJ1N|ZuCW85^fo*<qVRu+-)>8>?LvSyBU#^{SI{^>fWqDZv
zYgV%L{La)tO<AzvqRnkFwD?hUPmcWqsm;fz*l*7<uc*p=#ebBAlZ%8`zc#qSzvpCi
zw|?GCxf<kzLTzyKdAwjmu(m`?sbI5nW9s^#I!gHYMg2Q91mER|i%D_MI;U0_7=GR)
zW^plhF*N1Xt;C7}NGh?~INh-dE*g?iej>~Wyo^ix$@?`k#YIIhFl6>TW!1qmnblmy
zSIYkhC6VozP3|dnNT78}qTWs!z*XeVH-*==4<6X8$?r7&iOpwfO{04)*`qrKx{AO%
zKl7S1Zul#gs~_={Dqll*Hq_OPU@-4|ep{4JPJ5egj~m&>%C*60KRVXO{uEx|)ECWB
zYbd>IwWg1(kjp_b&I>@_!VxaEN95}*Y^u(^WO!*?Z^aQ0J+qzJw!^~!w10s3ONSs_
z4Xw2WJ`j1?ihH9HIE=EE$vI(s6Gy3rb_7oNt)DSAg+^3NOlEsLg%t`0+c)Ka?naO<
ziHL|um@2Td5Z&>#)hZuAxzZGi?9zn{GU2MJGSq>UHy*hA(p89yie^ttynQ|H+&(hd
z3qKulmn-8W26hcqp{&Ss2AARL&ln8U2qt~A&>HN^Zeu+rhDXl(0?$97vWf}-EnqFC
zItuG|&ozv^g+jJz2sLVjK_*zbyoT@8eE-<^X^IRjzA`Y*9%p!IRi(!f4^|$hqs&Jn
zRXE~-(7oNd!Gl67vbcl=%fPFU;Ym%1g!Jd&<No*VAT8J{YYfIgikkcSdh5{tJ{yj~
z%*@PjwXx}ytjo7dhi@QuZdw+rqUR#AxdveFy2GSwcG4ecrUz_he>vTM{v-&hQ(QP|
zAxkX)z_{8SC*=nd_S0>S#1mFj@FM{-h&H&NBq}tpjM2fs6huJ#<N1L?>1)lAj!c9R
z6^tg0HIufJ)5*{2it?J~>L#imctVDTtXi{Fe_TvFE?ZH-WT;-cP}=fl908316SQK{
zbLSf|_(?E;<Xx_~`KF75O%-^d&i8A}iYXDv>POcEaNrB*2QF~+joG`8k8#VdJ^<e;
z7y_!0p55OKM&xF%(-jw^A}`bp%z;@`#P-jR1px)n7f*b8f>_}gzj`C*Fw&N77K-)A
zhSd|42$~DyfNWQ~j-H>eH&<xf8*dELLxzWklS`==mr|6&g8pcK7*z29c3>PT9Za#`
zg;*~B*l{cD$gxOYOuQD=k&Dx>244m-xb<XGLO~b@#ry1OYHMC5%3|+npQD{m&Ilz-
z37DdE*eU;_V}XqvlH7A1dmpH0^3H26+dye%@Rg+wiYz`uA-`LpH)Q_d-zIi2M%*)>
zCU-tGF&UnlKJ-k%uY6y!+EfFkC0ToNT_BSycHtcQUhMJowTvJ<LZ7g++6WSvj~87X
z7^zHP8EF`xw?!VobiQ9P0(~0Sp*ArwFo;S1Mo!&8E!e;LIza+vqgNG|9*-iWJgFz;
zCa5Et-4rg-IzWcnK4(#4b=0DPIKl1j{OxcQtkB#q8aAusf|DoBn?%lhJ!iTGH~lt}
zp}(o)?l&ENm_0i~%p$SLKx(&1kR8l2+jb200;CT>WBg#<Z^jL{cziPwgX65OAg7Uu
zaC^#Ku=h+PiNoSdYTl~n+1qEquanuunnmMPN5qsE`umGrAjoAXNq3M6;^xYGMNp`G
zPqF8xxkz56&+^n%n;?BdL@a?R>jK~sd5^x8)cnu`2!QpNeJ(o_TuuC2f>ShtMg+Yh
zy5`{dcUf$Sh13JTju95T%xL*PN`gb}M@8Y_AYbL-GR-&3k7KSRb@#;`Xv^=fam%>$
z$7&fq$rbUxkbmt)07wiMkH|hEa}#^AY7CPis0f_H*T|WG0#D_wHAoQj63Jje#MPCe
zU?+y}-LWl%3=!*nfwwa>>AX%(CNmyt*wmu}5j3!<mbfnm>U5sAQ7dwAxO#c7x54RZ
zYiZ@HitTx^No{5eiKn=&v%CHa#|f~~&)o@mB>Y(A5HZ2VGsw1(in#4b)=p&oX)^jP
z^~WrZUpbxJoF?t=k6qVvUc;!#?<9>A-)98SpIrG9B?QUYV9#Dz*<<FvgQvchX8t`&
z!VVNf?U&8TDyv}l@*LUSQN)DEn<@hA7cfXt&*ZmvKCkSz29r<St?#OHBm}McnV2N(
zOLg2yf6!XqSbPI~_cxkPyKZpQDahANh20`>S$&FRBI#(!XC68Ov+#+WiW2LCh+S_}
z^NQr33|8otrY5Qjodf~&899n_BZZLKa3P)^vTA`U`~BZK2rP7zCr_McdvErA=EdjV
zwUfvft@soyznm)?Ot*e{?u*EuYYS!i-Sg;lUJHjuK4@Y>ovdoqH3-F$YH{=S_MJ%x
z);Jfzl_m9mMR7(LCt`wu%l7K@&~kB-*d@{Y%d+dmS6@FYAb~DA6Y4|FQFEo;KfjGQ
zj$Ob6U4Lu(p`s}&z7EE0wOY}+6t+<;)#U5WJ!U>7&P(IEp}-JvU)pTDq)kE03JWnn
zNeaY!k$SlN06mTP5m$2M*Wul9lEwUTF#wwhwJ93>zJ9hyao+qi?`Qjo_B`E4YUF|g
zgn0+b#!@nuaCb4ioBF!(O2X^LojZoFU4D6s*l$!waQPghLEcO(vRJYV=VT(X9lo3^
z#uy?E6#p8eKRh(KP&dizb?w7b6m+gQLa%ocj0qsMXJD_93<*_Vg^Qs4{OrmsQ<ZCL
zJaU)^fM-ZsTYvO+X^-|s@j~{|F8jzNO6@6NQrZ%PniAP`DsT=twq<sdP-K{n{|Q;f
zuR_O9F_V=AoM6NnWELU26f{ya4qUNL-3_j9I!pHHOf;KH9A;k)x>ek(<phQ)-MSKV
zb&h^QHS26BUF^@UG<{GRBY}h*lBGG_*ul|GR=oBdJoABJPCjf{1S25Ia8Hk%G~?EO
znHgs%1U`Pl$;$ky{TSD0NIki`+C=KfEZ3*U$NQH?-zmyynXi4Rd^dwBa_JpfKd&Hv
z;kAw*iYRcSBB$>=jRPlAuH3yb)7I+;iDdeHBy`9}h%Y`i)A5}VJ&}~od97Vn<q*lT
z;wFnhhLX)?WJ&-QWTD)0t`{~Kd3u+IE*NPysZGBsa(d9&VH<G7l}bUL8Jjy6g44Or
zL_xt3Z-O0Z`*<oR?s!8}{>Tq|!@iKg;*m$p5&)`VlXY}2P-P=pp+mR^l;~{Wl!*3K
z^93ncmGWODH|3Q%#?~a}l?BvV&>vGV1cBeb*5U}TKlHDXf<7}n5Fd_v*XY*OrZqs>
z$0p;xyZ28Wc$h|m4Ow$)?&tSLrf7`~^&~4-1$i^}Pk-?^;hH<f<p_qhV`#&Ap6-3G
z3;6Yz%jXoal9lakVx6Eoe&Ur-ji7PhKq|;<)ZU&fq{a*JEw#zm(>Smr^Xat`ZAcb1
zA!%g3iL>h8ax(f*iy-DPZv4BzmwKMNcQ9xZ4(*^QVfg4_>Td209*r}fx~0}$a>$+9
zQ3-Ij`*Kq4G;ra#O#w6sr&%<Cir2+1FQ8`L$K)JC#bOJDx|{zg%7e1>9=R;DluNHA
zuO2-*C&@HBEt$i<cLt%od?6v*lE#4zX_C%+?@v8|JJ&|>Ckt8dLLw~T*CO=EEYfbc
zXqO+4MagZsO2&G$#XzV$l7xsAxyb$)bjl&O2v7dFC02#vG<13VM3RFSh-@0aKLU)!
z`b_!0Qq`T|Wat91|6yq7WxlP90aHCX&yq?JK|&ll&dw1JN5ct%<?ia3hXNsc_*32k
zGR^T-WU0pII$)|^eY(ecLC9JF)+b;H4u4~@``Qswy7EEt`7xS*gff^+ws=)|=$>ah
zJpba2O)p>^RIz!A2j>IJ-ESM_Z2t|99@7c<a`{#-{A|FBT;57x4W>Vo6{Y@UUWcG=
zoT_s{g$&N5^HTk&J!1x_1htpLQw8{lFnGkefw=O4nzd(ruD?o)#R`kHFXk+ke5u#O
z*ADvQLoapAF#q}PXxSMH&}R$Xb4Wu2v`QEqw*SkVZ$)NPxMiYYgDr$69qUl@&?@Cd
z|7J&MD;!v0&?`9Y(m4TO55~VIqz9at6A8x&*M}Rw*FgYCZgCw)|F2-Z`+>WrCN0o1
z&&U+VC2M!uq?DBYv)u|D(YS9c#YBbJx@X;knkeL@Cn()(aCvwd_OTJlOT7Q3IZ?>p
zi{8+JpbtD~h0rlz9qi40a5pTZ<=8X5fE}}sDx9#Uf?Tvtjw+q^$I~brEnXdOp}~8P
zBi<aln%2<B(d?J)3o@x$Xfc}uy%TzKbswv7AYJVM=Re~<@@LTvDv2g`7Q^6RH5Cie
zhYIQgiaJOpd_^L*)Ywrr*ih>m4j{{HXRif+V>XX#ZAfYTrqy(MFfQ_s5j9c3_Ib8e
zBl*DP1;l1h!Z{fPp|d3J?QMus+>EU;u(A_veMz+3O82n!U>PzqHqNx>sK!|uptV^E
z*B?*wQj+T;>k|x+o$p3`tY}gcW4o?~)o?K%_;eONlXqY`ES?FL$7rZJ^$y@?YYHHn
z849;&qK`0hDi9im#4UpR=nHaYWYa|YPKtfp_8Nm0tdW@i2~}>>(Lwl$p;`H{ZRFzj
z3Ia47)`VS4(i*1XIO-axu{F+SvkSljW1Ctknw};wpZTxKNyQ8NNR{??@5%r=oUF7p
zPJJHiB~kZF+L7)I^vNxsU8BZf6*s=t(7X2U^P|>a6<hpw6$j(K$$d&a=jjN&-P-TP
ze6P4=s;jHpMN3vc)B{05&X^}^;yfM4-YY^+R_WuVU#Wdr|A*;fD~!|!A?8@MulKjL
zggJ4%dfpc;n^R;S#=`Bv-Q5Z0^cwpw#r6#A%TZ^$uwnaqGs^Oso(c#5T04@Q6xMN1
zt}#qu@It7EIvRH5={;Bx_Iw?jA?_}h739%ux*U{50Rz*VY;W==aMMHor@<ukSvPbI
zlWw3Ry1($r%^3N?(pl^ba2WurT8q*GkWSr=Jn6dfL6m`nU>0H5I}7-J*znD%k>du>
z+dea;0!bP<<NhuDq-oxXj%n|OZwY$(`bh=A^yg^BEJ%3X?Q#w;S`nh_$9M9pVPTT|
z8wFwh)V?6c!JwE5avYo!`rS+p2`_EOr@SqbOs|K_IE}dO(*f)}AiCeBj@?^n8l2$x
zCyt;Flwz|Z{s-kz#V&lDcss}K<J??^r(TmwZ6o;b5!v{z<ciZ#9>v4`pII8Ly-i7q
zd`BC9Ul0M5DDzO!ZG}i^qDCgqshbLk2l><_M8+8p9Xa?$*cC)~tk+n+?g>S_5JO3@
zRI?#D#?Euk&@B&lutng&7ovhC9^Cq$?_7qf{C|Ao7dLBmicnhw-i1c@Y(pgmz3tv)
zzKR0;ba^3uCLLLvN7i5qj+&8ofLfD<phAy|YvyJwx2vQ$XX1XuI9dUyz;bKqku9LZ
z^fjn--nn|C$HpEAZFVcl8<A;bB=wIzr<?|R?qr@Ozw!4ki+O)&9hwg5pP&~&XW40H
zQ?dQK-OPTB$r44y9?2Bym?D4lWdHgLeaE1m-J)A*-S$bP&nLar3%C61E|0LZ*iEQl
zLrIZl%_6X;;lw7s3oO;6y+32n_8eL}g&53p94_bE-MF=FtpE81f7#j#vw;8p3zR09
zo+t0MBYM8xxofsD?*_<Pc8cxep}`M9f}z;O!ja^)yjlZDWuM0p&J^16#zWaG|ILLU
zaadl^84G-dXIIBQ>R~*gzChz}2pN%%rzecQlO5ohd}7!leS4&EUP4I-FsDd_bh+*+
z%A?_7JWSoO13$`Na{`jh<L{6v45TT2O-TO}>#DTSrA1tSan{cmKQI$GDhr@{SG8Q{
zgaA{;>65-Eyx*1Sg3C?h#?^7ClTk@6-0t{zZBR?o14mp?MK{_&T|Q;`m|8Q;TsCTL
z??NF=1rB!|zWMfwY&DfS_L_R!!^avb-lXyB<<;@=t-WlOeICocWV)M5B~(mw^yxW`
zjm~ebOy@2sAJKXd#@2rfFLZ3VO;!eSM5OBp1^J7f?><@?BeY*`CHRp=kMmZ<&$ZV1
zvey}aq!I7zYoc*KE85E+hSTUqpUVR>JEycB#_4MykG7Kl+TB<?Jqi+VN!h6Wa>B=N
zjZ3Psq0@86Au5w|Cpsu+u8U26x1S2B7lKF7wzSi~1|{vt$3H^`>CZ!JgcR`6H>lTS
z>fD*m0_1h!t<Du1^8dGJt`JILh(-Mmx81ZOi`XSm_Lkk`|8o?fJ#s2|@3A4ot5G#y
zZ_A2=6=uBpM+@yVPj~{4_$l-_p>=}g$}AL!o?X+P6xj)^RgSMh;Ft4w-n@u|=<??C
z@&fLrusSn>z+Ce1{CRRf7L?K$r$-RB3Cb+TPkCEPV(q>q(q_`|0XkJ?Vw|f1$-3`t
zNYv_9*iXv--?g^DtBb^t02Q-0<AI%@>=@^mp=t-i6fZAqDEGhkdV|s>;?TeP*)v}7
zd_8PJVTZ^ibXl+Qln!W01Y2S{FOq@5iI3{NVKAWoWKU2}s;5?K7!b)KAcELMPPldT
zI$6z_RVb#~sJSKB(&2-xV_LL<aI!6$$c`6qWPDzsiHSUny!?6Waj4`8FHgn!zXQ|)
zr_Z?Ja2yW!i&Xi`2?vZoVGTh)p@T+SMFlG5to)EWs4~D0%5H|8Wrye08TeLEbQ_NR
zT7WXS2><Hx@C|NW_)vvQOiu0t9BAnrwKWBm6UNxwToaJPyu+ugjP331xuYLSg$CcE
zx|MeKa18of-^N{4L@WGm$}EY%@11sB5S%aw^m(sHfMCOKX+Ps;xv_Bp+J#GG!mrwW
zTD!Z$q`=S$T9f>S!^0R1Gi7oNfNUl}FBKFN=sfYy62xR42RZn7Tli$h>4sbYS}$K^
z2E<L02IyIJNTFIP)Sn#I)a*n&gtQ8%2M6!=jWb_~r1P4fjX%WxA-?F4EO#{ed<e!L
zt9DvgiX!9)gPo4~!{vm#MKFW@5!G43e6>%|eCq_`q2u{0YrzBv3k}tyevv9b9;%6D
zBj3Y|yC<YUMFoS8_*PJGF%!NLGNEyeimXo>sV#UG07LfYCCZc!{`DK;miY`XP)OOe
zR!<2&*d9X5$o{7i?1OKR>z80^cwf|*RJxERI9DyF3I-6AkYNfM54e`c({Ti17XITO
zf5I0y;EM}Riwqe=ar2np1q7DF%_*n{ehLAnrktU4IFf8S5oEU`!N3_8$wHe}w&KY1
zA@F8E@{$Aa=TB>B%5@g{*IepyM^jLKN0i~vSe#0sY&vgwmD2n#5Uw{dooc52N9qr1
z|9}6M0p%hwa0&iv5dfFKzkj~)Fw1I8?y3|tD*x+GfxK{t;cXZSs{j3GOHLzu)U5w=
z&i|g=2p%gPCm{8obN=V#!Cdf^rz=rh|JRvSK5)Qr9k-5T{=d$Q8UO#$Z6ELptNpR(
Vf5-k3e)N|@SJP0VRLw5*{{Y^Rk6!=)

literal 0
HcmV?d00001

diff --git a/public/img/docs/retry_idempotency.png b/public/img/docs/retry_idempotency.png
new file mode 100644
index 0000000000000000000000000000000000000000..cd251ac853955634f13fc087edd69d73c5cbe9d2
GIT binary patch
literal 55032
zcmeFZ2T)W^*Di`V0Ad0}B#0m)lJmd-iixb`j6;S21{iYGR|ORXMS^5hq9n-~R8&O5
zNF2!^5{I1g+_k~)``@?DsXFyn-T&0By5Cq9uy^m?-K$rx@T{lj@hz1b)Q3+Wrl6pp
zmcMybje=sI5(UNXiG%y$in!cn7W}C3)X;HO!?>|JIN>a;ZOvJoJsiwg&E2gnC@9=J
z?QY#ZQq6jBbNQs??%jIgL3W0@j1wzzujPA|jt{K<;0#$?UsMX-RUcDqt5%@J|3245
zh^^mB$fBQtbLH;w@i!^H6e|AbUzpGRr9oJ29{d!B7t*r7?sOGnO!+<TcIDFz-Grv5
ze#=wVr;d4^4Y)jyyR6wUW&Bez<EXLq-tdCS_)Uuz$-oM^N3nwUuCdMTx4NX#`ZV>6
zZ9oR*;@3bX#wY%f)W7>;coS*9pma-_oa6*4D0V%xmXo_BFDLh}DZxZyd|se$R?D99
z?@N9nqj6?}_1E*)rB?K`#|&&}pWHgzdN>pH%3$q)^68M1^fx{h^!F1?+CF~K)jpto
z`RK+jM^^_m=NHGT6c6*5ln)jMELScMO-ah8Mnqb;e5Oz?YS3Wgwa863A#!^jeIpSl
z5UKk$hMi+TvU2KJ|GHtQ<tlMgVy!ji%iX&-&zSmKpTHee#dYo<@%hEi{r%#s#B8xV
zJ-hGk(qFTTBY)NHCQwC>wMsd@(z%qM)BH8V%I35B=VO{JT*lwrGn{&VWrU??c&KiD
zx}{>QJB-T2u)lxAar5ZwgeS+pzdx2_$ob{Ulg2^mt+PbF7m8=K4?R6YnJRmKV(lZj
z-wl_!@%ur<$tQba`GV#Jb~{h*eik+8%_6BXxc8v+9&OJ$<Fq|O@rgt|z265%`}Xr@
z=||-rFqopauj+66J?ms5$M5+M>kK~Xbf=2<c@oPjMF@^-6p3ltwT%7!M^EwGS}G-!
zm36Hz;gs|IWTxt!e*Q`*=?C5Ov<4m1QC32k;_P@aW;hdbUUxeOP(BI@DH(SMj49UK
znbpMH(%K%)HeFW5#%gVbX44i?=2v!*Gq<w7>FH#y?x~_->WMX#Fk_REJ}l*qf)4D=
zoiVKLcDD9-lslSjyI&Oij$GzrW8H4zj778QDBoh0!#SC=3iAr{^7CACw{{g|lRnHU
z<z!}oQoDNnPZ#hPn$61D*#X7J=jP_d>n6mDbF$<UkdTnz;}_%;6y$*xJa`X#XN)_K
zJ^mch#ZDhr&GDvA)(+0rID1y4PmBr9#Tm`U2KQP2H9k8BW#xZ&Z;$^Y1&{}yJH~-e
zfR~@o&W`WzPvD)exk4v@2K2vu0<QsEl~2tak8^P{HNWO+Ztr~V?_J!GSHAV{9*`+n
zTH85nPYQ(hkC&O5{=1!ni<9kk8#7Zrb6aye=oAm*6Zl7aXKRc964pP)hTPen&ff<D
zulslZ|7iWMxo<ayR?5n#t2k2^<fZag(QL?gQD!((YctgLuYv;nCL$&Rf;?gvaRDA-
zenAWm27@u-5j7Js7cv(y5i*w${99M@_IPKEy{S3U6?D#P4gH8nn41X*h)M96nFtH>
z2%Cxt@<@man($yu%uOsrF#<y70v3PkLe<F{v=U?c_fa8TnL$^g;sS!E=Hfy;;$r+3
zJi-=2qCDazf)YF?!lq`XLS|wT7}1@skaa*^z9o-l6XfOJ?tJ^oEnAGU1<uJ1&8Cbo
zWmQ%GuR9vncIN8N7({9UVuGRq!V;i`f`X#rqC3;ueq77k2@e{FbSl8lD<r=CxS1*H
zI&_Hv&9Sz_Seo-W*jsMjK-L8XvjNFs5JiQax39xwP;yS@7-yW51`cP7W<&aBMY{a=
zZDrU`W*BG8RgAMayp3N_7{xDv5)jl75J8Cup#&tj`2|t@e`}93v$pW~Kea}753AJ9
zn%}g>!}~q9FYRn8b#up^zjpq#wcg%KtgPF+0);W%nF1c;YHqeYPUvgrmZ=rS-qIY*
z#~*$D*LCavjV@SNm|F;0V1#+ZB}6cw3xc9NCKv$;9w7@8egRVpQ8Nn>(SP=i$5}YL
zVVuk_TY?-xR-m8TvSPikvxHp#Z0=@dj;s$zjE7%>=YN$L-=7)tAy(sGQ<mcUUxXsH
z-QaI#2A<ow2IdQ_A>Y5v;UA$PhUb6q^Jg*s2j2i)|K}zDE&2XOT>lZ*e@g=Yt;YY+
zuK$SZza@eHR^$I@*Z*tcI{aS=mAO5HL2i&Pak05QfK+S0iQ<i`6lCOILPg3;xN^wh
zrY@d>g7O6Ne-}km%qh5dz*%1T+JVtSRMa9TjMcU(C@5Gd<gZ@VaPOSx@p7gedQB!1
zo?m^Ledc)7z5uO*I#*<^FWd-KGqExFA{!KOQ9)K%VfWq@wU&jW1->Q4PaMQ)t<HuX
zKE!@O!TMH$7ULsFhG&<L96TW3M3M9GQRvsO5Ql|`3mp@EEFD5q9YqGklkC$(J>Cw<
zb;0@i`aDbNc>{JB)&K84hM`SNT7p7CEw#xAS_2>6%<}Sb-UvQ_*NA7!fyNorg_8Dm
zlh&j@q7mckZ{K=jZC0bBPSY|oH*pjxtE<0ljFrTqr`popA`G>irH|am8y~mXY-gdS
zwp?t}e%3xXI$C-7(4nOMtOS`Y$NSP-?&N9@4-fqd)X2-U^|b90zlGV|b@&ip=~LB`
z){dR(_R93*WPhsdy40+a)6J=>g{=v?qNy=)q;trP=55l_f$QtbRd2hy_q7jZWN;`b
z#eDeqNNc%FJ!R|N)@GHLF7B_^wzmBlGKVR(e+Cf>u*M|k#dFBZDB=z(?Rl{0-qmZ@
zxFuFE_xP?GM)0um>*HL$YQ2sy>A^cC@7;9roZ{PiUE5dY(6H%es#ZSN)zhaNZ3uD4
znb4j;>28%0Z=B$?7!8t~N_q$&5Paw#f5^W-P9kY&<QrYPMxs4&B0W;b?=`0Sx>57=
zx7x@zYip%}_L`B;`Fq!vf4n}2y0%J3mo?+bd;WZ3%O#ntr;0954UQ-)KhsL^6{yqJ
zbh$}M-)L1Jeer@$)?a@Oc`kKON0jsKMqZU5d6vIouZ_*S0;eH$y&Mw~2X@GH&a435
z&Rc8g63)9aC8gh#sgt9*=fKz8yn);^=OU_aurL*m5)PgWzkco7x&iqirRCA6?cN-Y
zfjAs+w8PR81R1h!I@(J?)1bV~)6T~yc4>m^w!-({cjG%+TT|b^f3H<j(p@w?nO-`@
z6l<0CdSJqQ>~v2RIU#**Q@hL{djVxM;pDooX@{2P9X?f}*44jA<g-7*Y>ctK^2uE}
z7DYV0^!oKchV<(1M@D`=ffu=#b+h$L=D3DNrtMvrJeM{ixKZ*itD7?BM+ic;$XqE{
zQ;)qWyzTD(z~x0>(X^Ye?a!OBl5Xwo$LB_ys-^d|+&|FQQZ`N3WyA;)AE?GP?V(XB
z+Q;|hi{Fo?w*fA{za41D-w5(f&`cjz3^}j#DiK!X-MjJUu9KY>73b0D8^%6usYK(x
zH~5jp@oz6^GCq9v&Tehy=pzb>3dgjiXWO^FILDHjoUEs&NLh%yU~@TT-L40bNU$_2
zK`vlvd~>-kU$6X2O>lc=QEyhX{pq%>@Yhpy<Ms_vmfpO6usaHEb<;sJZ783bn3#y%
z`EW<S_;=$aOLf;JwOA=#c&gKS-(bW$^Q@8IngRkjr-g=V6jXfQD^I(LM`^0fy<3|0
zt0@ecoqg*v_>7$V_(V&^6+YwjngXIfX|l*z-FoauTdRhC*9D2yT@N2T_&#9O9>6kH
z@To{vPI-m9ib?YDwjg|;Kj$|Z8<W^o{bg>>5ap22ov!H!E3-LzgR69PxXatu4O{cb
zYqetL)5WezJKwF;+mEF=JLU>}K`#sEgo=jLRW~~egCpw(Dl@wyvJ2+;BRYgGDJ#b&
z$-lJdj0=1^kr|DvRK9<JrpTZ3xt@K$h9*;P*!_}?t|I!MddX3P0)2SGxd@JLQXaW_
zEI!U33dx|3qyU+6^>a6Znv}(!vB~a3R(&t+?v_9Y^5$6K^N|)+nViiYm{ODoVI?Lp
z36?@cq|KAODQ0K5>Z3faW^8PU7PHZK<4^rkn!NFJ(q*|XJ_`&(q3pNcs~&OptUXqF
zyObv5`t)z-=rb^=u2AWX5LA~}W5dGMGaM4pJ@<XW!bawYoz6(D#Krk->BjejG|Vj)
zO~eg(BSVl+?ym8vI8~{4D5|c|ZCd}d*wohDX`GdK`j^0wy_W`qWwuy0CoC21&c=*v
z3Al_KWE!FS=zf*p-iC(O8m-$XD;Lo5#=L&@N(a5%typ-gJ#PaP@pm4{{n{6MCW*Ow
z!wu_UMCl(t9NMvwQrn}1m9`@h+fA?993q8ZiX`D#1Z2o7vsI%xHMx7T`X)Lky{AYZ
zg(%5oBfFn7$pzk(OPJ-MXp~D<;)i=<$l{~zBU`z8rb*|{d0~6Yjjf4UcBe%y-j)jp
znkl{AKds}!65Qc~<|S_7d@UVkwP@*an%)~$4e{|_*Yr!bEyK~9G*1!+rONgOGt8TI
z4Ni7ZR_KK#Cn|wSIH~XO{H4$}F!PDwbfIw=Loj>CkALMpiz#1Q7#qRs8o3V;rK_K}
zx3<SE9acO6x6Tb7x_0fFK7sb+C2h^Nvt6Wj?~Zg-3Q7Cs=jMiA5OE2gtl-v`PV)E9
zv(sb7qc_nwl{F20FTJ{ObFY0E5J*L@{;l^0Lqlb|eY3MateA)h$1F0?Mb_!4t7n3R
z+$CeWIKEma81(qDrp@@JE>A73sg_?~@Vk8*H&(}d@7F?`&O)9(oQ@$ppq`?#cf%Wx
ze*5N)T~}{+jdqsz_oW!HJg}thJnBkH873wZJR#iN%hroFUfg4aXU@T7wRKLj$moFz
z{j7Xj?4DkT<FhT;*v(|@wG{euNt3Yo!)G<CqHwW2bh=XC)=SFK<a+wOU+*#J!eT2l
z9zQ-&{;3)Eol#vpI03AFK_N?lw(pi-$9GnkJqW>lvMMu722p<s?c>Uxs1Km?vx9!O
z<!iYMM{WdHR<F5%2d1UXEPA*vkPeM2=shjz8bd4CMkJ1bZdm<%|3X1NG6R&ZaK>h3
zMqh7|*+{oU_4e&1&xNM=BJBB97gG37W=nIPoYD(@jx`m938|?UR0HWY8$C0<P90~F
z>0BxT+alt%WcV&STOAw#IM4jFz_QiTgqg<qinzK-=|WR5XIl#?5w=6*Ux8IkKXV2*
z{8c~|wdfacKIypVE1B)?Q!MaOz4v!A_aAwxDOasa3!aWqO@ZfL{s{k`DIRoSAo<R|
zEO_W$CVCRTvJ1}=`1o<#n`?yh%F0IWo5FSD9hPFFU46`>ZFBg($|8Lxy|WzVPnf+f
z>4)T7s-_uv&x#fD{(_)DKRyTk);?<MN(NI|(QB+*LKrvcZ8tSrU%JwTLbUbz^&oaG
zFpT<vogpFG-bd{EEB#(oQyO^L6}M;Vo2+kvVrOX8cXTLfg1X^Hdb_er#h?3a5=oL9
zy~)YfD^`BtYzdJ)>r6ow=+)on+6z<D(kjhNe|z@c5?J<;htT5=w!;Ygeo>!qMBgSo
zvVeEFAAb<0Sav*sj$gLzI7LfqM;Y2(BNLh^fv4-d@(7&J#q;Oe51*WyCo6Jm+gGFx
z8J6b1H@qhY(#jSP=&8X|(FFhSSys-w^6dL}AFWr-U>)fEix239oIHN~9WA$B`-qzA
zE!ZHP>E^!%gUQW@%RW_~6Si(v^4XXr>ttgiL(^MF+{31Z+_-Ag7O0eZ_Pm9#?R%rq
zX?}hemirnuhw^&%RQ&#Zz?Mg&&trr-TY$GG5`#4}!=cwk2^D&6SvomwdX*h{^gnl3
zf#7!g7J8lHD%fjM6HNXhDiGy0I?m8v5*&8=_;DLM&SmrN0<3<Sg|8b;J%=tPYn4eo
zrLo|9Rb{0Li*GRzTduKeT8*BmZ!~(RDzo_+wI70&-TT`oha}2xkhl6OMoR};)2hbn
z_^N)m5Et{?h1l6OOuugYbiG90oaW@K6)1yco}8uR+vsdx^qu(WcpByW;LY3hW+oOy
z+($Kv6{tV>bbpks54W5;a^^x2dh7Sg;KiW`<CV>)LCz^|^ei%^J(vb<W06i~G2xAt
zbkbU+P<$tIG)4iYtl!UF;9REyj_l)oTx<WwYQ8R|sT7sXHf)d2KHklBKO$X*@9eev
zeFP=tSeIJPxLMkF>z(#nrQf4pszyq$jou~t9*0HtAy~%89xM(njd+o*^=;~2)kx)U
zEY&SHIe%}$2>y#bx~^de4|*y+jVSk`FClAn>ZO#+1IxQ3V=UyA`sqIVibdD#k^NMs
zyqjt!!|tf)SlYLM61IUIU0)-}$e2Fc<t6Ynh{=+&9*omiEhkG8XbEDl)|OeW213=9
zf<pEd8-K-3Rhf$KxO8E+xXd1JNAW1h?&k5YjO5Io=~*gftj#-prn(lik|WM%9E)x^
zyBprSq<H$e=YGOgdymk2NzaA%gvaUZX~tE%BAlycL@d&?DLRB&T}D>Dv4gQ%8WT%h
zlVt^%(^A#)Tn?|g!U@ZZks%t|+Fi-HvlITkdRC-HZPuTil}uLT;sO8HMucal!>r0)
zJB_y*^XXEEd#~^m@-M}cGb&OEuHsRPpD5F9cMT7TLU^a2Fr6MGfAduKp%do|(ueqw
z8Bs(q-m|8F$f$I>(z<Y@yGAo~qex+XLamF=#f6FH8tVAUKAYL`U@z{5&z}!HdHi@$
zlF|e07j2MjuYqsv6?KAEHq5JUukKdiV$$ypPa@GwBV=I`M^ntU?nH=tv5PDXQCaqg
zCs=z*jB)m}M=LURp4nBovjtVcA|gg};UDZ~GjWR*mug<h#9_!^^4Dx30Emg<nmioC
z7v@6hJ$R}Wq@o2b9jm0dJ?6i5!I<~#r&>BapQ{@0TNp{8JRFXl_-U3+=M>lD(o+*a
zMHhD#bLG>DtE!Ta!<~$|dAIb!rTidfbjF?o-+hjl&ZNjxIM?nzM!381;hs~x>C3H2
z+zq?nJ^Sw3Q7?C1M0GO1U&W@4NwjB5652f&Maw-p{3VKY$SXCLM(ahElol^X9_Vd-
z|EkU1ROp`+*M+)xQEzp%Oj5aL(8G4ByM(KMrL0-(qm|R#eF!&ybZSGuKYLh_nB~(@
zDv@WW?;EZ6!R_kJo2i0=PQnn_#ELs=K+seGL6DIg!%5mqB6?ZMN%Pa6>gr;`!A?uW
z3*9`0^Ri#GnST5_tIGHJq$7Wj%P7Nfqxw@XeAaz$fF}$EhuBr<laO&~{n8Q#NA|Y?
zt4j8|p7tCbboEW+L0co<N`EaY8=D1B-dmA0EWUx0vwdV=L95_Eh`IY0V=PHnq0bAn
zYioyZ_&n3>(u(`2535a>qtV)2r^$Whp${$|GK2Yb&w#hO>DmNsxclTuJND~S$pSn5
zO7^sT=YYuqU0p?6o{r@yA5w0%Dx?_x)Qo8m$l45j&+IHO=_ZNyR*{)}?`$vT<$E9U
z_egQNzsu+z5z%e#|0veUT(!A`HHud^*f<atF|FpYnspa*^V*lGy5mb%Z!8x)6kJ?%
zF*3!)N$J|@tISUq6r^YxRVsEB4y7mDd8mB~<vJmrO_286+ThT&C)B>IXZYSDA|m2h
z;9Sw#Go?SsFypcR3OuyO_2m*(4_dz-b*2FcU^+!PRgEfcRl*ePSX{uE{8jqmT+K=k
zUEIq=i8Bo-XRGYV5?P@y>!|BeRn<bRc2?q8?kd?6XALu!jx-$u?{R}=vt+Wwye_w5
zoB@wEa>s;aCfP#-cV0y);<rzp#pg#XKYP6-?1#mnJNFqh%&z&J=Den+%eSTFnVEyx
z11eGho!esRw>ir{c^4du5zhrY9$ZEAw4dKop7&`P-6<aP$*GWOLE`+bc!dT@WFaX3
z-eB0@cA6k`(tCZ9h`6s2vnxzP+@X;IgDQv=A-YhB%V-bbz-JD1m*8JQQb;e)^YX{<
zVcuI1$UvCdwlw)rs~-ssA*<+=7CSfiSh2lFR4}(lP2I91E*c4myTY?OJ6k|n#@5!4
z3#$M}sQM+x*6p*bk?oTR(x+{0i1osKSVq#3!kT^i>I!Vyys<JrD=Th6K9cE^nll@i
z?yA(<szI8qnQr-be|oI{<FYUWMn;#rm#fIich*|ftCsYNkU7GZg;>^lX`-zBYefvo
z#l9@)7{S!JBi9zjfonKk<+<pszv^*>)<HljU@rs@g;zQXdpG!N4lZ>EoL4Trmaf&H
zefi_zhG?;CLKfX)np)giwgq|;Ud-Itm8DH66^r`f7LpgbniS-@xyS<&OnCC7M-TF5
zBzFYo0IUA)9m=fi@kv_R$%3jq$jUer@cUaIc*Z2DBI#zI`|t{>ohRoj1@)mrnp*A0
zhkh&NY#FJm+cA<`Ly=(AbqWFjyTQYB5S(BBICtckP-my7yNcNmPIUHKU|i9aS4hMH
zAv|_?>CKx(-<r!$pFGiWn%fhRzrm@Zq>Y5ALr3zd;xhlregFyZkjN2hNGkM;X|2w$
zfyU@FDE29Z404IMv}?v%cN+wQ^7(9`p~EizeTYrq;!?LYzpbu5DR#B-yWTI_;v(0l
zRA)}5KX@=(I5$@mEVVx2uZWVig<VQ46bViT$R{)C#<*`ikC9XjxA#&3&8s+H&oDc~
z>kuawHpZ>rfgE6QqNA>pQ14?q*-1o|Z=F5++H<Zp%yVOQUBlQoWo-?mZ#X*Ebi=Q4
zB?%GP-Gs}OErAF3O6k7`oT<<ylSQ0g3rnmVZady+2)Pk@YlW{OPF2Ns=85xJnnQ=$
zN?mXlIKKG3I(Fg&N$3{D-e+cf)D(44mW@~9O+5h%$=1!wYnxWRd1@M;n|S-}aXzmO
z|9~4-U!G+87Wu(C^f=z=*GlH%dbzmJlD>ON4y2GVMbxf?{B9#iASwz~NAkbRZf^G5
zok^~8DV~<QaE<Czm(x=-OFqr(Ur+3kkpbneJ1#1-^wV!|x4qplh7NrKdRZ-f$c#A!
z{J(-&pLg`+>b*UtoA%KwD@{@20*1A<GzN2P=cS~sC`Ql~>g|WjN(3yCuLi2WHO&Ts
zM_>7OiNc6H`kMtxs}(Gul<zki*lu~x-o_^XnNUZHYL(XgPy~00F!nt*gND3FB^LEM
zD$0gQ{8knzn<cU7?es13*8Sc4AHzLxDVp)pn+ut^g8EY5$%11~o=(^`DBzF)&W?@V
zZEBEtzg`OLR+P(l_8JnjRgt?Az@k~r^bcefmP5FtsjZ#<_67|JeBk1ETUo>OVhujy
zt1QnPn3nOG0dhM;a^rafmC-fQ0VH7ARrfh>0|{u36gbQqs2In$?0_}>c?J#UI6FyE
z5s~rFkKe9s%nJbsVgM=e4}c!#B<p3d>o@e57T>*-L+(izeFUp#mwBc^mx#rxBCiMZ
zPv`A*j{V*Hx7stcvwKeq{`P`sqaxMxGoEGj_ser@H8Rq9;dWp_S9)a7#2%unU7dhc
zc;5OPGIF_fJ+N;8l_Jyenk3n!rPpuH^tc5szGX>rXNn&liH4YVd}DQf*YeB4(3iSf
ze&ls|O|2;+gq81?`q~TmHY8o%>G4(M8ypE3EPTc&rge)AS*tAn`g$cxBO{}TI{HIO
zyYi!}KAik8bVCPW<FV>Ew|xlZU8SIKKK@`^(;Zfiz1mIj<IvG?B+>s6cKOa>3fbr9
zE+N><UG9JnCn@f-Uf+I}LYuDT#2%}niHRgg9TYB8L@;2upcRFIM?U{P3f6<icDiV5
zveSFTERh?WNlh_&GAgRFH5zBnvD0CCLf78pGB=#Zvj(_%>CBND{GVYAxkP_hD5^5t
zJRvHEbP8{mJym^j=T{1YgG#%0e*N$ehP3nf|Mo?WP`0}=^78Vp@9(D`pWf<ze1cOY
zEG$e!9knz1(I*F$F!HLZ(<kWYL_5Zu8-=M%A7m3hfBC}2%d4W2GXEZPYITGVPnN@A
z21Y`ecb+QUy}QMpmy3%_n3tDVvspoYlf9PzsaD^}VGZJghYvGr>+7Y?S@-6c);zKD
zK~@~(*!c8AK4V>deayw81dWh3Cyi!FW53Nsa;e)#v9eKPe1iy?ZOpYOJav=3;tV}~
zksvQ`Q2!qx$I{)i77LAw>*W*{&WDF5d&iumTe`b9yc4DtvyLu2AYqac`%0y;L6}oj
zq1@t3f@a^;#kw7;#Y@MxoexDq-q_`1&U}%Pk+Z;=3TO~eh*cR8diLxYdVYSM-i^Kg
z(xpoqQZh1rj;5xjswpk2Pg|P}WiDNsm{}NWIdQ>pXWq`|_a^r|N~hey6y)zk&o2T@
z`#e6r%6)#g!PscR64zV4TDP&W@dcR}bx7mQar)!O=Zq{YhE=&d{`5cxJv>M+7^w^S
z?Tk_+#LLK-v?MEY@-8mhcIJ;=g|}z4j9qd;7g&6K%0O<U+j&gZQua<Kbz(}&@}WbA
zJXCECDF(C1#5qaS(D#&k%tzD&v#1KlwJ@VS%U?uBG7!T5JoWw@|KzXc=H@I)N=nHI
zPxs-K*+DLCll|+txw#hFRyMwF@}8caEQJSm+W*CH&zhc|nORyjOJI9wzZ4!MB}3a`
z_&7Q}vp#+LbZHdNHWo*5_s;b@oe!0xMeUx0(4EmSZW3h!>*_i>D<#zf?zcjys@<(R
z^R4gy+$l#;9MsyIY^bB7^V3fuq-9JhCL*F}$cCrp>oZ2~`m9x0lvP`Xonh?d-rd4`
z5sj`0#+;&&Z+=Kgzct-v6bBGI`6_gKO3Y_%VQ=BlKVv=yW2Ob=)wQuUEOi|G`Xs$V
z3I>H50P%99-3Vruv7p@9wXCO(y>h*+l7dfWXYhZ)a<y)Okto=J`TO0=SyL<L*vClO
zRlaDQa8i19rDx3|!52{*+ifcYNH8Oe?gBgeZ!Mw>VSCNqUm^}SL{|xO`h{EtyM=u2
zCdl3Cq!qIXX1<NAbKj9db0Mm?^#!&$|LEo$)j8_w6{&;t(^ZCKmap5E3$o?+5W+^)
z^Uqar?es>GFnLhPF-cP)1O#&X&z?9ax;MGF`4>m+m~*(=->w-xmvFUyu9~qRq5tRU
zkNzL>v4=Y!hyCS!<>HRiobj+2T{El($ybTw$mf3=UJm$>Pl<x~KRU$h)YnG~3k%X8
za}BJmt%(f&0*#CBLwFE-470lfv)czk_vIaX%Kq@-!ybl9buN<y#9sR?Nj|>df7wQ)
zzd$EcETL>Go>^E@KbU#YkX&#6cY)vb$4oeE`gP}9x9m5Z9CGB53ul)&6U6q9<qeC7
z&>lmUlM6Ovu(p@Sr%#`@)I(xaMg|av^Zwz^q>es4s8seI)PxYKcit~b+Q;)#n_f_T
zeZ6}%KXXVTB|YzkaUs=C+rMZ*Z3?Yhl23q*TSg$PIR)4X@!S<uh_wt+U`OQIT>3|_
zAHjG9V(sm>A`^u|)*kx%+dJ-irF~URO>Ok~S-B@1i+G+ojel$-?SE|qn@9?qZ_m&2
z8Kq4#gIOXAQJKadQ|vlSNhxC)xHBBqSD>1Evg~JQ6p=M<h>@6YsOxAJ1{3Q%Tpy`V
zRlSl#N~;-rLbKieZsXk#`O)9%>bib8qvBs=geM>1t$CF^Ha6ztPsQN$A?7!XUixK3
z#Ik<j&I>3|d%$F~gMrJb9w=5uw$U*<I<4r)$ki6brcUHV!a_oL8`z+km{YI?K0Ty#
z8yXqmOa8sHd4A|VP}|#6hiunm<!IMx5u(9-rQUf{y%Y5GVluqE_C}_rgDhgW-VJjv
zX+9pF$<jxU9>w3(8(Wh~GY?7oP0c8(q4sNMFr!MaP_Mys#NJd;IDM3!KH}n-dBNUT
zz8hDsTETRaU`@mt8X8z2z5k`5tE-#0?)5Sx<jMi+)2%YX!VBlC`F-tG#(xjbn$`qm
z&U<eoZWI(h7>>SjRW~;`Z-D>$VD`37fh{A%B!F*n^v66c8;-)Bq^D0QE*4Kq`jWb!
zOsU2PZ;DJ#P7a&2dwtlz4p%iv#l$ZwGukAV7NWLiazxfkJa(<3C9NRm(qoRze{lhF
z_P^}C&2o1Q`A3l;oght-N`pG~Rx-oP!XjCSkB@K%za9}9dh#?qz1!QCvGP9trxJE6
z$HWI=vBaoMYrro`Ctu@2k!n?yo<5<L8@xbmaNSZRuJx|u6n`q`{ht9WsBBV)x?~!S
zLnPnRBg9s#lZ(3+cggz5`cOEBttF&e*zZlAsh#lbdwU~z>-Fo`Lm>-@Gh&sm1cw*f
zFgw^NefBKs($vwx?=gGB+FLI?3}hSM^IzjFRrC3wDI`|<yP8v*)zbv*bUPj~nwM)6
zxL0Q6MqFYx`V|DJo-vBw;^x?V+6+@f2JmMHw^;TTF`wLZcPiOZb@RbX7K44dHNleW
zx2ReVY&Y8;Co~e<txnMsgt6jCx|@EM{pw4ueSaTAD$QSv_qgs(Ju3TBd@)9)A@O7?
z4aNALe>XV@bEGJxEfw##fsrJf{HvyhMe@My!`ov?r2$cl?{R12-}fU^Sd4^H*iq9J
zxjz;d2m|o=&Zqy%|Ln!rCqK4{*>&b$CK})y`u_5f5E2rK{a9)Xe1iR6$9KlSOULtH
z!6RMr<^Io)Po(UpKJ6@bYl`*tYq7=Ara@}?wKY;U?hbZmE(zS{_^Edz`W&LNcQ6<B
zi!!|689P`lWzL^^fA-S%(U2XZ@PBj0|JOwOe|*uCyI>oeH{A5}I$c8l#4)9UyVdt<
zAO?7K`uX$c(tp4HM<pB%B^~^sg{)WAt;4c+0M+7<Z))<PJ^st^3zCg>m*kDNr58a3
zqkL=1K{!1tODm)m%Ke>-6;O~tPyon2I>$+jknp8vpRR~oF6yR0$;=m5Ep;Bec6}*X
z_O9YWbYGaSA}8P}A^CP)2QKTjZ#BkuIt8`S*6oWOSzdmr8kFiso>owcSY@&&xF|xU
z1uAD;7cZ9fkb1-C>G8VaTaH|gnoqSPVjKGy{b!#iy32=!9_;VS_FZIomzLI^N3j0^
z)x3(Wt#16h29(y)((;gsOLmpt%777%et0J2*n0V+ZV`48l$6@3Z%m2^RbM`T9<N+a
zwuYL;gA`f%0S94jPRl1QIU(^?lBp5PziVwoM12SHnD_nlrMqN#ZBrkhd}iO3l(ntp
zni+l1Lv;vfOKPte$WvOL_PbG1LKzxXa1}7r3&I92Pz}w;kDQ0%zt<)YpeY=jGC$Ht
z0i~sSq@N44=l{iESf8#+1Gs~<nwn}w4QOg}3%>JYTojQ9DbwXyq!46V4d{aW3=}pz
z-}1aed~q+2HRYFGD`FP)!J2@je*eB{M85{vJWw{|LlhK@W*J^Fqw=*woNJhtjb02P
z6ae4N{W`%kXD(<11U@v(`va2lHG}IEu>`1L=J0AE+!#%l3#rxLfR4cN_`}KAzeaFl
zUAU@bsBh^NUWyJ}R?L8M5um{rIm`tg-s`Wtn}tdQ$WV*v7>i#z8=L3&+u$Rq0DB$=
z7=3+dch#;tmP9CvmELBAsx0tvQY{HLnPj%;E67{X?^1tep1UFa;|Z;PSNE@c=vcon
zL-YFeBa)}G4u0jomJZ>}0VM8X3f+J7=V%j8Ky7aYZk6g%VtCm*0B&up#7T=$zkX$g
zBpy5G+du#LZCYB6A?L*-H}D^b-M|?_%6^*>fMauO<zJEm04%ezF9N{0s-Ba4Nrk-n
zc9UaAG7tO+J4rhv9|G0gn;}3sX-_uIK-Z|iJw>e>tJqyMd(RR2ny&@=S~6h)r#tNa
z)UdHHwQz$@45>Nb1M5IN^#GofbdGC^n*#vG)@`$<WPf*LRUUxXi0*--R|A?4h%7gp
zmnT2#08m9nLSj_c*BhX&(&hYA49eslcFo78Fk>yM+0AdRRjDg{H{&?3atjKhP;ubq
zNE(_Bq$gO<=bV7rGRzp|ky~2rVxk{RUTP1V^gyF%^j^K84$C(63uZ<`MF<JpAS5Jk
z(S9fbXo*7}3b`OIY?-N^Zi#Wo!suHWZTqR+K6ACldc5cDjOazDOxFQQ?%Y9F?fOon
zG7=C-b#)}ZptKjNXN0b{ie7^NP*I=RFJ!&CTtH(1f@_DxD=@wB`r<`beICm*K^9@5
z<?o=3Ur2Zo%#s<uX`9A&&MO@tW`tf58p>5DSv|ax9+K~YFPY>mTa5+mE*W@dop~u5
ze3dJV=}86va{I1SOD_I2?I>Kt?l3rhmde5&wHdBA{;8LNK+rJuOvCjkgrU^yM^=Un
zqZs}5-ab?ya1#LjPXQtai0?;ZY_tXtO7blEW+cON*K@*m$TjT(L%ow(X=%3+#C2bc
zMa5w6yGE&Y(16iEzSA0drE(yyC)?;LQgpfX;zdO!QJ&|uHB=5ngBz&!zSPH6^q^Rv
z`jO9sovLb?s%iLZA2ze^&RDeLd^?n8M5Pn59qW4h-u8K7Q(X3lo<FZO__b%+rSS*A
zTr!(u9Hfm;8_yQB1KeHHpMjvtrsHfRgB@iW2{Ef0u)VB+8{iDYD5&wz>(R{TS=JZl
zHOM`DHF67vY(4+u8bY?K4Jk1iLgRX~%k^?Vg)~9IwMt%%2yA`-f`9ZD>_|go-VZI_
z(I6tBq1|^N{n%B2X4^A5(tt<h$#miXO=SvTymkb{{H3M%+IeN_%Gd%^MJqcFw`lUG
z+^-lixeDu6x;~XwNSJZkii<)ip5RP&b1%O8=@Tu&K>!rDs^*hva6!gkQ59Mipb=b)
zTSN3RH;;k19N5BzZaiPX7#bW(=Gm5R^yb3FY;&w?#pv{g<*(0FP`x^v&wou8Nhl#~
zOBx;o|D?}F%laPP8j`3gEn(v2JKb9ZxOpZ-iSld7>lI@F^U140MXVjK7-5l?YE|*(
z&6_YVxj_5S$>a{_ZJ1k|0?YDVB^T-q@*z%mdMkkbJH1C*%CSH~Bjp7ufd*mEyq5M^
zlMiXn@c4@AKq_KBZstSMfV{r|mdWM&{t6+8a>bK)<T+K&6l^wZ!~yg1EpQRSqRV6}
zJQuY9A2v7VX}Y`XKJf80vF%c(lJ}4*2^f2XXY+?OgU|pS2B<)9=k!um=Ub4rV7>rd
z-76_j8VZGbc6rba+&URd?eP3cJbIm%q*M3J{R%B@S=dXVFC>#{;F$~t_oYBl0rr($
z+iiFrDKh-}CFAb11&>*@(Zb|!hCl_4)TS+_5aNG?3Dd>`<=F4v_1-|4Hs@H=nD;`{
zE|ORi`VtRcUlJ_6CP3`4Q%G(VV0$Gb)Okw-uGi%hX#&O_8q)044W$Mm!c*FJ5K1)d
ztJeU}M!8L8z*ZiZ7t+p-%LYqyT6%*HWPlKku-|qW*Ln5JmcSr@C89z!mbnQg|7J)p
z!d)Ovb*TSxnL2UP<kw!{;c0=S<EuvE5Q@=PTq8^t#tQ1x^68-vIH7M#oeV-#8c<Hc
zc6qOjael9j{3Ud$wl>lvoeXQ52HgYeXg!1c!{@<+2YOZJFnsUAZeV2099C>t`?x_Z
zObP(J8)`_|gh9L6UlMBzEvlga*LzNmx6NmcH272kJ;--4o&3InDCH-XErhHVm~tpC
z`50N|hcU4ALgi^!-Gy`Kp!D&wON#v?LK6ZD0><GYmq$SxF<LC5o-yA-_hxghc}F4Y
zbA^#`-4?`2NZlu!K<&Jxe(QbAU=`(A{)fgpIW$%E`{q5>{Nc9+W$yr;?u8l6RYs`2
z0bfpLV;~mTw+O*2eKDYRBE-~{l>H8s2%Z-#5n^V;UWs3ZffU&HFan;f3G&N6fmBG$
z&7@vKar;N2yikEfg9--_a*;x-!*5_~AT-MFb#7_p-Vud%b=oS8CxPI#Uhx(%?o4XN
zUJc(Zd&D~-d-KFwAmAcwN98DCb(oocUj^_vAly3%o*UGyaK@Fq<(Bc1K94qwq5Ebt
zjh}l8&w_6LsE2;h4WR^4)$3%S9I+Sd{R%W4WUMdGH?(#Z@Q@G=(ySgbQiSgcCFKu>
z7-ue?%o}<^On6(fc{0=pSExMdJ%5*s7^#8dv+Fg;+O=o@`azUJW=`!eflx4>O3kQe
z|K#M!OUvVHS`gI{q{}V?C#PUsD9v2_I24eP0u{pTVYmKp_ankI7EeCt3G5I}uyU50
z;dCc6e!v<bk_2vOSI~`lu?yVT$CKjxI9A(^+@&|+P|3`Lin0L%gT(i5-<lwfe9m66
zwI<eb^c5K)oq&Yjhkx8ayI95re*XMfuPO~%dajLWhIj`gAp7*i?1MtPby=8o{`i?Z
zUMFpEBWhiH)a9elUiTKgdOI8XH#W#2?4<4s5C~{xb=y!!-q|u-vltC|`jpeQ>#G!v
z<1&y5eru9T;<2`UMzZvq_ET|Q%sD+&To-g+Ben9b$({<|nT=TCVCCh(pTa<gAeHyo
zCfOBUbm<#u;BS+%sGoORCOrj$MIi||H9lfQzKa*va-TNXFq0uh(Pz5yAw#u?R2s%z
zq_;>6<lFj+Qt2_q#*tSfxAw%6Us3CizUdP=`s!15adB}+$l5m6I2FQP&3|19vf-mi
zdsf_9l;37hd@w5%6{*(9OOIo4FI7F*Rz+qd);5Y6uJq`8`agJpgwyi5MUBGGn4)c6
zZXW`o6cANI5|Nrpg)5X@)3J(Rfzv6!zYX5%#@&1oBKW0HYIx*4`_rNxE;q70UZP=9
zR6it&gof}IHeIjiQhEof#`cAzx4R<oTpmXh7wk*Wv`lkB;>Y=4>A1dWolFI(`@>++
z^u=x_r1NunIpK!rn3*v>^$s{g4j=rWMQiF+eYDeZk9vi4SNS0!uch7kMa57V2iwml
zU#Mj_yf4(N=QyyXdic}Q)6MU{R)?rp9}JCtRnnI)`kB0aQ&l`JE(Kae4$Eh`uUxs3
z*;g0HRJ9E3*cLjqR~3@=c&g?3mtc?UP_A-UuJ|yIRQo?`Ewp2?8d6wS?giF6cD-To
zx3ovnI<@*Ts-`^h43M50URJ)U8nM7;0r_vm2e^-K+XT0OxL(kvK3wup;z5WP10u&R
z(czM4NuiC!4D#C2W>7&^t96e)xOBQpI@o7zy5Ln{qzHdP1lM~KyiM*y8;i|;l3TNs
zD4J3KW^=G_s7cp>hQ8MIsb~wYUa4SF!p8>u{Nocs8%CDpi|viB*~>uTXkPM(cx%wW
z$PA<mniah~X_ssgyRPAEPq4aiHdLqEg8jVXi6c?w%Rf!Y11?*p`!j}Js8C{G`5&rg
z-Ew|L8W?00wOyI7j})R|^cP?Qgz~n0AQ#66GEGT`VFr}qk<s`16zMdJVa7o%5ZVEd
zX~IGTbyHMgpSK=IMah)M`?!8O%prBZ2|uEzG6hlXL>pW4{F~|tldZ9ocz2$3k52;(
ze*xv-2cpFz^<i<GM~uCj?yNH#_xV8NRJfRx(VYz?aXk_fq$X>Nj7UYkT?c33U}`i0
zM0ai2w1_80nCAkfz8Nbk`XXlEmNNwLxQ5$0#h<Vq^-fsZ4YDmE+A#E9)>m7Bp^i+S
zPY>jgw8gNju!Fb0{sSwjG@Ib?xkrpgCp=Y~&kK!d7c=%<eW?9v5HUnXJ)8F$*&*p$
zoM5nCH@w8t^BP$F7l2lH8cW!id>qU&xyUdjb_QJ|i=z=b=q$rITQgt0=xu9bW7E2|
zIsLQoT79338_|&1f{K{k=xuFPf=Xjc96CuW*3`8|Rk^`-+4DT7OajCtNT3U>>Z$qU
zl-20z^dx=Y1huVALn_|(qn|AGU3=4Ve_y5EUW8ePx-mcD^lZw!|AP)xt`Wwv%f^Z^
zl=+z2;H{~-PVo>jA;T<Xz=+Du&<cBQoiAgQaxW(IY52)0`E0E+P%|zyEQf_p&DdyQ
zm?ekFU4#04<6Q&Gg<%rRUf`RUfT&GyRO``?Uqc;fz={yCy9v2lM8Aq&QiVnF+9%2?
z`}tKG6z6XBm6LRI;e7IdJI>4w)(}g!HuEv3aHsrd>+<vS!=lA-TOlF4y~`HcyEK70
zdiW~$MOSVZ8VV!kSB#|Fh)=}zb%p3n9bc#9==@~cHWZjGYcl%dm=WhONW$}hO@u@w
ziN9&VwY4lQKYBzq^|FmKD>1$ll~p17$rXd~B|>It-JBTN-a~}IPmfavBEGigXZzG)
zDiEy{hDENM(ShS{U%?LVrJTx?*j><^1~d^vgH=7(guL`jv|Ss^*4OjS@f)?9zdqsF
z9?H^VC)3{gQ>`*H?l)`%H8-kCf}v(UekHx(kZoVNDoS$uY0N*y+%L~WsnpQdTsT8@
z%;#bH)QR&52^-TmGf?Ed*|>I?t|!<B?@vloAGs(c^=Uk)?}g`Cpk7kaWoUvw=g}3^
z2Iv9vEPblhSW#@*#fob_+^)a2Z^>rTV2?weaR4x;5M~HC9gz-QAi5(Fm%V|J-zIDP
zw3tWlE$it9S^{f9a`IY8Z@zGF#8M2S^Jh3kfbeY7N8<gou<h<e52&4$%J?kdah{Wl
zQshI<En`mE=dz@CtGh#KGv=ao4127M-xlXKHm6}|Xm}iu-s@^rGcz+DZ^F2a&iqPC
zxKjd&Z_T&`f>_vPBlJPokxt@KnOUP2lp1csN(*+kZ|8JP+csC~<*(q^C*4-5m3%U>
z09M3G%%>6i>JwTgm|LBWNn8VC+y<Fcb2F3HbKAJ*8d_7@SFb8^)8<iD)o!Y6rm1u0
z?<A!pNMI2X$WLA!F&uBzB~#8_u@5B*?*M{B5V$F`xo`qvbrNzw0|Jk(YZ28=wq;fa
zTMJr=^+bwF>)Oq^x~jGYu|B%@H34vM(_;VOQTA!0<4i*g<twLYW-^Oh^)P8(*)M^R
zFnO2~Y<^hG23VSQ5&$6=P^Iw@{D(!M(yN6WY0jL&#wtR7Y!izsSnU4hvx>&elv1{;
z1+CFA0WC!Eo;A3{p%HQf5*!r#5cPUhf}bw!Yib|a${#_!<>@9=psVkw4j*M=Vn{Cs
zhlfz|;Z@kW@B$;bC$AQ*AnqedJo7?JIgcLf5{yRoC{>>C6vWv>;1zbZqEsAAv@!w<
zh8Ve`>wEI8Uuv3`{ng@uU@UwsEiLP}Ozx6dW+8J-4@+xpp6rh8h;k;xsey>P^b!>M
zx-m;4D%J^)_rezp)YBzo8s06D1V)IRZ?MN-%d<7)!9}t8paL%))1ZAzO*al`0DFlt
zq`^_CilIul!*#c596y8xHehrRnoefUC#f0*;To$sw@-(h%>lR)DeMP+Ik%)&8qrS`
zy@-`xs*SJL8jstRmM!qSfw;EDSaX_na}vi>C1*i-Lnt&oEp2Iy$xUXs9=~he;;p5u
z&5}Zijs@kVml8_}Wy^iI$j^3-F%Jt9zWRiGEflPwgBmnXJL=WTa+g-1?_|hpNs-u=
z!)N10u1~pWWE)l3k%k$bue=+qw=<37D_A^3-6IF*Qk0{d1GO^eWWFX#Bx;)dE@Jm-
zxza^^_Q-EzFi)}aY1}-O`&2c39!r_(yWwd(at3YS6N6r{!}Wmk5g~~{*3S$l#gPVl
zm4`^l*;QHvabh>OR#m5$qg+a}9Tg<VV|oXb25#p(7%AKG82*`KIxj^A_H+)Lyd^uA
zu&}cT$Nqd@%pLz@!#XkN@%3l%*Ods4!VQ6sVDl8p9|y>V$1n;G_t?*R{53nC&S)oe
zC+bAr%J|f@BAnqslQ;505(8Matkbi_^uNG?3w4+h>GQYEvYr}MVPi7rcbFMXNWc*$
zgdPM2{T2W)F1zq>SgpDF_#&XF<tpX%IiKnYB9^Cn3$W3XZ&KiV7~Dgm3|@;LLy=-f
zcPl6Vl0FutTl0#iAI?!>nPfCI12R0n$Lgj`beGh+W&mk&9AW9zM-ECl58Uxr7=HCt
z)^gB6m;{`?j6Og7#59CqT0fS6WSp^CmX_8eim#}Z;&Y(63ACQB^EW3B&PyUk0rovc
zautE#o=7n%V?cjs-yr9g8r=KZ2Ze!NC}MvHP!NRfGuj?GFmNnN$ny21_jf2}+VuQ%
zlo12Jn*WvAg$38<JsHk}%_M4RGBpEAR9;DpIXSXOEOL*<*2np12asf(sn1>CkOlNL
zD`%P9@6xLaY(@y74Qou3C&hF_h^q?-(>>j{SjU2omq4PD*DDoPR8M|7<^bj9330ID
z>5$f`O0Pa5N_+w+jSGR4dwZL-qJZQUB{r=cViuN?UD~+$3NS+m5qVw&crpFn>TDms
zHeZ^IFh_gN1PuqG$d_kcD@tE#Nl{hhry6`6e!pinp@X*15Q>0!0|SHH#A<(xl(6a7
zrxC!+p0QM*nW2Mt2XT0CP$PXY)nnj}>)7-1vcWPp5dqGiQ;@H3gReWtP4<bW5HKSb
zF7o!;xTp)oled;DEInc+mwPGdWI9KV?yBU~s<*!eKn?<9U%T#GcbdovM}jibl_B<o
zvvQe|WmA`PSA8tR(CUiX8=M+&1Srq4&s_No9y!{FZJ1M5@s&+Vl0+gD2)Z&US@SMg
zG;UlAC?kV0_K<s1P^*E!=@4soMQs2IZ-$)UMETa6wq*o%Blx7&ih$cxg;7l>z@y_o
z-k(AMx#?&b8AF7+E!leTDAn%Ga3puw)PkckO~6b=BD?7-a<bi-1~6wmkjdM>mdgcH
zT3_z>!g!lLxN->k{cf8cf$%A{!mCdW9DTzp#}t<{Wi;`ou0%0TECM8Q#(Q5KX^bss
zyv&Z^OmSZJacb&9UBbTaRy`mo*81U*(@kPig%f)yr{8;k`nre`L$b`)G<+tp*Uzss
z=*;Se^sRZ3MC2IG!ctfEY9=|($8}HjZWmLSh6oT5k*WkhrbrkJ#R;UylDW?saDc8;
zm4G0J0ss`{?E=wcyD!s;6WDZ?jmddCIMs`Z)n6}doXIHbJO|+b@KM{~C>3IJ+g?nK
zkk#t=4dY%C3yA<)*wqx2c};m-1z_=K)}e0W5$V-TUB0MnkvbxA79hWyU8}((g$>{J
zKF#)BbNF&l9;*0iRyS{c<3^|&epSFBIqa9+P*;~8BY_{Drml8R1r`ZoOLMbHB*ozw
zQ6y|WVda-8$*EHRzSMIS#T6-RoxGo>@-`f@$^bispho^QRo8%**J<&o0t!NaQV`*Y
zturK(h^GcA$pXtUEGlYDMD%%8q)<}$Yl@JUEDJVa7L_%&n?t+;j(@?iwG;@vb<ZZ3
zNL8vlKvc$axyJ-pdtI(qnjiyBuSck*OL1_#YP>^8?ZA=HE|uY_GF(*VCCJslmhoA`
zk)!RyH}q(vFyy(wROmF-k`fOG<JMy@>>hm@6?Gap`$>I@zqqYdqmsNS&@M0n^&qe<
zxp@&b<E<rHfkj|W)9g#FL$&W*l!v2PDsYnZ{grmmv!q0&rf)AyZS&gqquRaOc$T~8
z9}yh8@7_6X_2vsgyM$HvOnT!1E)c;&9zNuTDaGs155w^l?O=4cUD<1T;D;ihxLdD>
z96(XXU;yC3Y-W{`!w;-ITQX<_L#bEdln!AWmkhZI=>PzQC(Q15N`c3j<8qk=2#?5F
z<ck--Bhf1&X~_KEAg4Z&Gopj7n+EJZN?xS#h?#e(wTCR^#q(%l1`elJIvNv2u&y=`
zO=z96*)KQzTYaj_qNh|0InLDv2RdECfqhPdBcAU2uFQ{&yi5G8IoU@Jnlvz->Heh$
ztg@Z&1?Xp#6h42hG#q&$oOeir)5-v;SJQbPfwI<ArPn)cN)ps03S1|#?OQhcUB!A=
zaKL))(UR%*Buz>OG|p+$uXsvBylP*JNp;z>@70(oZ=9)-8uob%r&mYfyyW4$k~VUF
z?^(3H@7AMZGFJ2M8TZCdrkPtES)Qj>M_}$uFFC&Q_uok?e*O2xj9yx<rqe4zO$@~e
zh?Uz#z&|15+!IGmzzh8$(9X}zQHi>J5Y*%0QVcoG$mmr_cQ-jH$&miovD-Xp@rm7V
z*gpRDlTj+^t)CL3o!CV&h27e9ZdKSBud6;sTkGxbPSIO{a}ohdrJx+!Hh$FsAwt}h
zfdXJC;Kc~2`r?J$y<04|SSSn=q(|RHGMc`+0+nk<c5R)DV*`cxbS@QN&kPE4L$N$A
zWG_Vmo||{;ezFq7+a$%jjQ-XEtHQ7A_~|1DDJE|NE8nJMOyaEw1;s~y-qjuhWXA%P
zjAfhsG(0kbvnF}LlnU!(B!qf^?E&dkQetA_?aHrcpe)78LAVQr90@?xi7!>9-vHi5
zf}_<4=^AkNr?vYMdO*RfA(CkyOo=ygX?ls?Md45aoE*HPqhlV&v*(FGD=I1rHpJuS
zTjAWf9zaCEk!;}Q=3eJX0<P+a2$a5n-mM6xqP+yqBlN`rfJ(`!;)qYXew;mYXwYSI
z@xHM8%(JJ{2Y`<X{FfYrUKP?_%q(4r(2yoKpCTnJ5C)5zPh%8Zs_1<|03yK0a~$S#
z*9Zob6l!%(o0b0BOEGGDsyd&MlA2nitS=tC@6Xa8-$tkwv_qM=It0ltRcm)RdI@=K
z{FBKR^{-~9f&YR>D^<SAxl#B1dlVS8Z7N+vWMu7ysXt7DP=u8OSt!YKVKk>{kzb6D
zFMG~Jre%?#BrAX$>|fT~#2seBj}Bnk$PEk(tO96;YWewdh0NPF!Yt`(8;9_tN-B3q
zmlUHK&}HP`8CXhv2wyQ`JP#QKpFuId;WkkajNPG7@ttv?P9RJrAS7w1J!VHL-?*Re
z2M7^slG`31sF_~!03CaLS&ZFjFPj3~$Y)dxg1^aWN!*oD(b0acC6y^@Y1YZ4_)UYp
zLp#l!4+Hb^Gr}`t@SjyARtEqlQl`qFZ)kj&{2mB_vvnYIY7@$x)(Jwa{FCPqp4o-%
zTph&wgm-y)XlTgJ5fvNIFrAE*{xe*JSj7t5sdwAFDWFQraB*{EE06biZEdW^-vmC_
zxnIA2sdfAzf*f=O>YV{XyOifs1SX`n1w!Y@YIQ5CBsmhRBMj?y){bH?4-gG`Ato*$
z#ajlk$ZW-HudN3&NfxR!GZ1raF@L9yVT3H|SKNT+<^*f32Iy5urI7A6R}w-cKg+tE
zp|a{A1V{v%M|&>(+@9Dna8$yyvAT0}a~FXTJH5@AM0{PA=|5<Cuno957GF9igII^#
zjF^dnF)v#A*w}u_bX?i#{NQz%*DWCDmnU8#R(l{w#+(gb3&M;ncNqBOOsu{{6#O%_
z%MXE0C$FGz*aa2KCl5ln1n!nH>T&p=CDtAH)CmCs)pxobMUv$QMx+Ty(E=d0D<QDN
zDf_$TN_f<(5a8BUU}pq-L2-D^5Y8!krX$+B{Qdix`8)d8iGt`U&*HBI^*gO(Z^6o5
zft8&@j0dwcvVZOvHX=+iJgjU_#2*&w!Tm6wtH9mWsOJAF533j)3cTq9q}*`$5szg5
zS>{Zze<Z?qc4#Me?|>feO9UgzX`MvE*aP?7{5{`1u;o;4es@88cN84i8Nmn5YtZmP
zK){INIOkYBsMfGc_>e0PiJ{14rv*jU#oa9`_Q<Y)aF<=4p4Z?NbG_j#8li4Wo(Vd@
z0hG3YWYze%4|F?}%nxl>?{q%q;NW-&NoP45qO;2gE{V6)4?sAQ;;@et)sP?uS$<nx
z3bKsXGRqllkCD}_`Ixuo_r8$7qs8oDa?$BY@h2J<mF2UT{a$qzH=ZAIuhDl=H{;+`
zO1&%gAjcq-J4}~Q@pG<$U+jzL8U6E#N*7Xh)zVHo<aG!3A94TQSaF=|;+ZsS>O)^{
zojb;AmBh9GI5tFy1m8sPdPF$W6+qjL(VBJ5q1-YTUnxS7s*JtQx<uarWa4*e4j*c{
zX4?=Y;w9q3UFka?-Pc{Bvwpj6$%4qaBboj^mp?hbSo^MB+02$!jqaZNX&S72slBqe
z5a&oEY0$UR>h65dgE6*zh~)eYc$X8|b+L+&@{Q|G_@JCeZv_`DrLqq>m2j4b{9z8V
z>^+_w_#;XLYcKM3Z-@qOgcx6#Z&=-sBuDM36B)XB!`SlXou0+}Zoc9bgxZVO%S8KS
zhpxA9{4ZByZFnuW0X^a5v$Gf!jf~KrlAN5J>-y#>kcihRlG<g6DNRw8e>T9#KA7ll
z0KJPlPPL3P_d0K^%+@Bg-yo($v)7(#@vLET>#pbiL-w412$Pu|;`1wMnlBINson!~
zIj#53$HhmIRX%P6y@A|%!M!s;ijh6g^{;A{tr?$?D2``aYs9MFlGb(7n)t=E)lZas
z-jDv#@(!sz6U*UpQ!Ogl*k>ZA=6twkJd4*v&SPQas*CbpUy0KHvE}_SY?#sycHPA}
zmz(oK%renyo6~;ev7u%_CCTfm`q<#o079wGzeYiIsAV5~-H3>BOKavzR7{MmvHfQD
zI6g1%kBA%^pYt1jsGJMS&c8YCL{lU+_wC$Z9nbzOf_`^3FFkxG6Y}YgVa1f*Mb?U=
zR!`p(zPTs(5>dQ-Z9M%(MnTf}tDRO9BfH^kHZYUPudif7z7Nd}57q>$@)C8<$oP8a
z8t~%6*-e$+yO7#lv;NS=V<_2`=o9$-R_mUHl!8cuf%NgsDYzC{&;N(H_l|06>-t9H
zvG<0EB47zkiXgpP4qzxENbib*A%tF(t{$<_G)Qksl`e)5S^z~sq(n+U5{gQRln{{;
zAp&;>&v~Ecx!-&5`+Z~FKQ3pCGmvEOz1Cc_&)=N;YSF+bzwb~mo1t(0H|RUTjq~;G
zr)s_*W05<|?1FqY?@jy>z4|kng*qIY6&4n@{O5+>i<yo5Yy1x{&H=hapkuO-sM?n)
zZtqGU<vi02|2PUXEr)X-cFedV<MZx-<6k15?_Mp6+IR1sgSWBUzKv4+p)-hx&GxE@
z;dRbWq-@T}yY_$jd~2}bvfI9ZpI@LtEqt;|?br8)<sNDSZUjEyRd97VdNSee`o9nY
zk3G)4bnkb+n|O_LJ<sm?n~28sQvA=jfk4+df+Z-Ydw99cE!azVZyx!bqp=Y_{E)j=
zr?K{fKh(GMOsvaz`Pnw6?!>mW=l^}Z@rf%{XIuuVe2TJmvD}*+qSfTj8c%qYHal1Q
zR(x8AUufj@ziq|$eO=&BQJdh(FYUKCj?p!G@qh2)-|m8N0seVy$^O~R`<7n~WO28l
z65;&)UGwI^J_%~=MT?6275eRk3{pOZ;H>`Kp$M(EQ7gabj~;9oURQq;b|b|v#Si4!
zE&v;{=kS-zZ;7ou5EA#w{E)*PIZRJr<b%(8fRs$Uuy14FmN&QDKf`M1HfrJ=+H(Fw
z*sH?+cy@Cu?#tQUklQ~*;}4qa*!xCWMbeb!e059fN+e5EW@Txzs?`$vC62chZ-^nZ
zSZ+-JmDSgNUw}i=zt<7588Q6&>y^0k!bH~r=iPkD*SK%;_SOP}YN!PNQgp+~yyR#h
zSd_KLw~x<{W!zqLpGv^qaP2vH+;B*Z^{eR%j2M_`@f%tWncEw=R9x{UV$a6L_5VEL
z@AbA^Q8nM8q>%FU-HB}o_k|3RtEwA;7_bvKWu(MF3NLZwZ#fM;|K@MdI^xK_e-N-Q
zQ!f3}#gt&z4SiB;KcRwAfBnti2u0+7!BdZ2`MVzgv1{vPM17&A;oIZ>KrNs>5Uw7l
z_1`?;^W%SRin#wj-}Cq5-7i4T*YAb=*P5Lqq8!e1z2xHD?)$neush&i#J}z2|NTMk
zJsBde{#>WK4i=6O2<5C8emL8JpZb)UjoT3RdH=aT&L_~F`meQgo!RoZay6KC^Yuom
zeO5q3caoZ0kq$2HC)OgMZf2*<*{t7}yfl_>;KF6qtzfDlkvEqlJZ~zj3kG9j<BQoh
z+r2X|={DMB|9tg{)V->OJ|87JK~x*Q;_AvmeNg$s7r(t}dr{D=tqhuz)kq$5hc8+_
z^5j5B9Tw^T`(krvFgaee9co^miWcu|FT4G1?Xpn4BTZo<_M)I5TMuPMDKT=D1TEM7
zO)~`I<ulM7jlRtCon8Y(-zy@Vd$sJhdxk*79p0DI@=04G-^2;8;q&*YzwCZ2^)5wD
z_Qk`sZz2%(qW_R76wj^sL~xt=HV%n?A~tZC?q38Oi#T-&fzaLgo5cV20hsguI@SM!
z^ZTkO|Ihhx9`pNP93$N#)~%hTecp-R+?gO#duAO%T<(8m+y7Ya+CA15B83Tb*ztSq
zx_tjf4Dr9ajdsg_PUPR^XKe-lY{SasH%tCMZsR`~c<s`E<4n#%q%i$g*Z+UNje3jl
z;ZJ)uif{a1>G@lJ>I*%>cdp4ILfq%?FL^Z{6hWLe<g&;J%?|yarM|w<FlJ4nfd`d;
ztENz;;q6?AdZYhc68}q0x%d3Hobs>p{!Mp|3JkT#6x#d$gQf5M3(;btp6>RlM_vcq
zt>J7V^qm)h-`_}C)7dKnD4gmgac=g*wO~Sgm&Xxa4pk53nES#P%tW}-W>wu<S<6?3
zSoggu`yZZr{@t1<OhS%U{@0ZX*IKe&K$?Gsh;w?IukM%m7t^^+cKYM)v6bJ$6BSD?
zBwV%FdgoaOYgyf)m4YirqFz}V*%u8sMxf_|LKGim5c(EsnM1>{klDUXLo9aSP~D1b
zvfPD<w0FMYA$xw*Filx9QNwA9QTj)k)T~R_$on~PI4)3JtkT-`K2i|%gL1X>r#B@!
z?2Xhf;UQK)5rMaVm>a{;LOERFDeoRE7YMr&t~<B$orkJ1dvIHWdn}DkoE}=8xHXvD
zPd>G~;bpeDc&#Y<m4DOGEr->}v`hGb3#R9unTtnlIQuc7WmMfF$d+g)f<h;8V{~`?
zb>-95h(w+vM~?VK_b%41wkTuCQ50iRkeaLGx7b={ogq_^Qu>~sEBxJ)33{aTSs&Fq
zM}I!1-_oD|fUMvN6w>b!X#0+DocdXe6`+@|RQ8c*^1r6FeNyGBC_Dov^OV?qX09<s
zgFTjf@}|38s+;y;IJ>UTXxedET(_2KXT`QIH4jvda*&ada{q{xaf#UaDlr$RftQVa
z5T5aVsa8Wg&&o*jQ3kO=szyo0lqam9UtJ|b<Ycwg>MEYe4swmT2<KU_|6!uFB(aaR
zJUGEXHqX{9yKb5yRa#H~m1R_J@chzE$@rF3cf1+<)xPy|LHzQKN80GK`i5Nd73EL2
z-Fu_E7+5PxlYErn>sNS%JlhB+(2%Qdf;KiFT{vl05`McV>UP&9;Gkw5fr<rYyl$Lh
zP(jrF$q>Oo$utGCSi^5^qn^SUB2>G99C7txEURjEzOvVG;B-YHow5BTn@Nm}x6N=G
z$s_alyf|rL87=J`lUuufsPq(L5W9GMm$}djL*O%KO~Y#s|A_lzUyivcxZt)da=XZ*
z>7t8VX<rY%ZlDk!1f;RD0@NQ2e*)$kR9iLk+0`XF{xVDA?%lgXK7t4&TK7m(j&u3-
z`C9=<Y~EmTyR@Gm$}?OxR!_FEOh@?=4F9~?<$W(}ePcq;#E(C4Bm3&LW01G%vBVZN
zmL}TSF)zy%gB8{9IxyXTJIk<_xv95z8TS;~yd=J<hl*pecblaaAA6Lc5FuUEL&X*|
zGjYn>?wzw1=hk-IzguB{xq?{cV}g~DHU%@Y@@(vuAgUxAUG?VOi@w>K0o`S4JAD?;
z4n|izHx}WVPMq}E)$f!nS#zf3P~N;AOHS)`cKo+PxHXq6^j*YXqH(cCd9qIg4-5KK
z9eV1fZCF+(U#WOEOjdujK$mM53RgYKejqLMf_UNbktSj#^4o~2&+wTeO#%5j+kP2$
z#(7rO;Ehk}@7T2~N*MKuygU^}P3@9h_AfP`5&)(z(K$LKiUKYi;g8<AYu8FRX7y51
z&TT?DW&Zgw6s{=-St(dOKr$C!;B`oQ+?~=k7LoC7n|_;K|7qaXmmpM6TSi;tVq4XU
zE!rOx<{t}yWvIbf40{}5diXfqRYoy4;~9_MeeD9`N#{@m@5WEtPv5G0f^=xLbZE6Z
zxb0rqC6Tv_fx*#P+nu~3IDC?0D46P~HJ-<lH{ThJK9vc>R9iO7w66mP0U!Eus^U)v
z$sG-ofkUe&FpSl!5#x`$_iA?BIMNi49vd0E#u26+4crQ|(pJquIf?nzvLO$RP)0bU
zw)2wAz74M{Kz0qet`ke`)Gt@V!nXI->1KES$))M(^QWAmq9VU$#}x-XtLK*<L`n}`
z?3$}gQqGBacXbBsH_5g{S!67B8C{QMuS_i>QMM)O=~)b?PCE?4q>%?g{gC`%b^Wf8
zA3=6KRPu%VVr_QA1S3NFl<qcFG6pAGYF+H*5b?xVs*x*0WNE07a2}nc{v>DoE-3NB
zLG^>y&)Ss3uZ^?mrcJlmQ$%IoBoD14Yue&!1855~SVpNv)Uew6_3L|q?%_oQZ9zG0
zL+?q^1&sT=#(kTeAN6ta7MPNxE9~C(v$Uc7;5}hq+AP`(F$@KpfR&)sWi5Pd`ow2+
zl51~w(UKU_Cm>D1RD{bmKS_<YN7FExe#-%;(?g{>J$Rkt&rrK;ahmA+L|DJAP%V!i
zi$m6Z{ZY)@M5tvl+ebZDWk3pkEdI*G^cF9Bw}ot(RgjrG9`xkJS`5K`!ZG1$JAcS8
z>KBnm+$PDxit=ao$o2>g=>W08ekn9YpiiQ^FT1Tu?I?-q76N@-{NB-4%dk5$&oZ6f
zdAYB$z=X1MKu${PWfQ@vD4+WtG(FMk;wHQJQ33rP(^8Gs=FgRQ5UEa0TQ_am6xOfA
zGHW^tJR3CR7BlC8I^op8Y`{?`YFy2#W^2Cjr~AsE*!W(|^i~=x_n@`=>vZmI_lSba
zb-1V-{EqRam6toup4%yI1CEGm1B5p9Mt{EHYMG8#(QhkL9WM{SU^CePE;-9Vz;-OM
zgd8!CSeYI&61dPrVY<Z09&VZmG70Llk9a~TAJ>a^D#EsM+j;s}5`n=ZP2?=`R^R=u
z`&g%<WxPQAo-o-zR8N)US<PkV_2of0%}Em#Py@#Gupjo75QyEN<(j8dr}GY0ym2C1
zvUwf!vdhN><E{H-)0-5=QbKO8S<ZT;vv0V(7P3!~Dwfg$THjxF_TtiH=}dr(y7lYK
zXrexhdZw54tPqfg9BNasOzs`dE%aHMpePDg#|o;u+&LJizM4YtjkJ1t!}#*U7N^<8
zKzr=+!-&R&t$zJ(o6dgEGG>{2fl;nvvT<diTkZ&hsJKn?kts*`D8{0<Q%5~-xk<*;
zj*UyAGC`q&s*W7KNp|__P_!JuWRncJ7$@Uf0yy%uXG3IT!hs&DQK|WnhZ!Qe+x)_=
z{AA$<e*~@8<~K}%Eh2*giUM+hnh<-G;fF)s8e}aCR4elNHpMa7ryGB1s;94>#UWQM
zg&j4XAjz|7I~u-Ef@E$qlmBuGGCBS;$<0P-TMuY<_@aiC+9m_u@OYIH7IJ&20zlvO
zkVz}K&{-Sgu|4xJ0+BFG-{Y9F9uddo3|@@~UTU|l^K4MvDKL`n!H^+iLBA&@$yrz!
zgDoi0#erm`(HVZ*g(7vF7uK98bqqGfYFRBHcvX+?hd0{I<M4;yblZHnR{>cdt~;(}
z^ddM_6I=t-FDujDLF0P3k?j<+8AU)%ka)D`_LMnrnqTXfIJd`<-Ie|&KZ5GW;FzHl
zve1XkF}f7#3tirL6<Z>$*rM|W4ylrzcdeA*YsF3WpW%2b2DocMzO^EcKH#bZ`J@{I
z9~SsK_E7DrCXITit19|k?Vgpt0zglg0a1h1bbk*82xURA+0u6HNE74ip8oM$gW#iS
z2%%88n&h1EXlExe?(lajQaj9aWBZ=RcpNEdHN9_u8(ExM@KL~*b@0d-igT|D?r5N(
zlhTaMz>nj*!ZRI{<*z{oWuyYG);M*>anA+=|1@G1_+S=ZHT*36PTZhwSJ}6vnR7g0
zWG6O#c9GFTO(oD#xNAObGv)Aax5_>|R5(U_;zf#|O7ZaUR7ivV9%7Zm%RU`Q64>y1
zK8-GST?TFAQoi}@OPTl<?3z|K+H{zQ=cg@Cn1M-C!)y(@)NAVq#`-JkgMW!hrFAiH
zx~x9Y3gg$KUT189v3uH$9QTWqURBfYy6NuzeJ`r+3u7%aT0brkP7^Bsop*UFaa?YJ
zftT2s7DlgHy_T=(r>p+bcof#Cvvdl#BH+;4ar^e|)!D$P&GRlaS02CHf)Q5kYe8k4
zb9>~W9K_2FU}~r1=dj1u;_Ldp=V77<@tysizaOT0^gq%fYf}7o+Te3UY5jHt;>Ce~
z#mQ?Q{}TX9IkhTohFBE>00eh#p!(3YH5n67p*g6{8`J8x7q4{P!rF0ZGHP_-!ulVt
z9*67(vMz!@os)&K6;0U&0jv47mCw6ZK5O`=u^=}|8!EPdrkoK-T92W{S69afsp;%~
zdetogBJdKlprrP~j3m2=UtbT_-K1G!AblD@$|6Qcm+U`=K(r_7Z!b0Mp$ZMLsxw6n
z$CjOl8a{E{<Iy2VyM$_v;M13<rosJ~<Q@7M=2|r_WaHT^7%_~vG$h=gZiu=q?Wp=F
zgCAw^&ZGbQO_0YBLoUKQkDA9!S<HisZ>Fe#Oc82XJ?+u%J#u>M>^*LnLvCz8%vuQn
zxNV4?9jwWxSulRj0fZvS5vA5+S!)k@AmCaS2+)Np@X!LbZk^zyAHwT>dTm(g&@Hmt
zE%@t0VRf#sW9!z1%5<F^KlBEX!pjLg5%$uD)}(4=J5Cwg?8FC<>;!84JgiDqdFjx!
zE8QX+A>~vQZ|&Kvy%h}H<E*QtpWKQD#%>MT?cLdZ9G<fsLaBlk#?T4_*VAKqM>=|m
z&8Bp9Wj=iP5FLHc(+U$A5pm<jjSKtt@1GbSPwZVFvu4~^uJ>w&gwzV^*ZzYA(0J`0
zyvhn$J)Hrkcp7vUkHZ}}?LTENMM88e?hek{Y9Be+bmvYlvAW)_t`iQeuMC1Y_xAj;
ztSKdM^Yc1v-z&}G;o&a+kdH#b!cHz2Ifn?-65FDqTV&PMizTeeTQO`p`=%mGNJ!{p
zFFxyo&rJRL-Qsz{sgXl$(ol7Z*hWOCmvEE=K7pzNE|F`Igat;Uq2RtV#O(IZcXy|;
zm=y<Br}XsnZUB_Tf3{6QjLaCSvukK*u!Na&cbq2y$)Mz5C1dg91s;DH=FvE#(H#J6
zEyKS2#YxgrYl8wtXYx%7WK~rQm)WdS6Tu9ai)UHat|b}ImNJ9f#|y`ZTM*1d@7=1$
zR!iA~sDI<zp?PrGaL)$%d`e7AOso}!?ojPQo3MzX;|IVDWYLq7lDa!PPty~t@mO+V
zdqlv>A{}-=Cakge5IIi8l$c!Z>K-^RAtBLKo+mFYEnU!yE-x8POkh+xVdQ605)u;T
z3G#MWmE_<wQ~-H|ioS8<lCG}q=;1`Hs#90m%*>1h;g-5%7{5kv$|@(ucDH@PVfN3N
z0%{tQPa~qEG2}G0s;O5k-ZSqG7LZ6b%gf8cf?AGvn}C4oh{UQBxw*O8@ixARlGRhE
z=jY~9<U5Q=%)GRc;QpZ@J2ZKLL6bXu+NjTQd1)S(MJX^dD<?0sm8-<?6j@gqHS!#C
z@E(p-NP8+$5Ji4;K<rvX$LqVBCmVC?>gqge78VvhV872(la|?WR<2Kw1D-7svFg_t
zdGe=EXE12Q$*<w3dfpwhvnI+mjErPK^|;J)RL3T8<{cI9L@tc+vq;9j+Rb1vV$*l-
z+?hurkvykk#mv%-b-jRXIa327qya{gO{LK&gM+pY=_4c8Mk|1w;WVpF3(cQniYs$m
zZQ55>Rz4`5f(<hI@bs)+1(iW~+Ae-obF>w<&Y-tkW}L2<PfG>^**EAfT|6-T{Y!&#
z;7|8apZ4N#m-ML_*b~8t%zwzC?CQI1u<=)(gK24LI=`HU3gF-;n9SZtg~1mG#7srv
zThOB)Vqv0?@_17Ipey_ilN~>oeY%d#Bk>oclUHm`#^%g}T16=Kax#xdeL*+QN^Por
z$BV0{jqL2wZG#uD7unU>5(j)~huq>VV1u=Qn8h#$N$?hed*v>D87-2@Lq2A%H8Wa4
z%aeA!4ZAf8qoQ{4DY~Cg@tb~%90+0!IAbs|vOe1b{QOuJ??krz5g8SgUr?Z1R8*ww
zKlehi?$-~UPLA-4nHGM$yIURLb1dlGGl0*j<=A8>AA594*L}Zt3a02CnE3YX<AC2#
zk&FC{9=51A-Ct%)0Gt&JaphC;{BvMn0GiG(@7X|ob-kr5s|!mUFhzC3*-ylp*(zoB
z(g6<(AB9_5SrO1(La5F(wSbcZlj`bf3XLX)vaAaZ5=>N7Qpy8uATOT-2dT!M!dF3^
z!sqArD+8ePamI<u0aKr(ZGsm^4+{vGnVH4wWaD~D>`Gt+zA5#IU?Ttsa;B$U2SBk>
z37B}$EkQ<q%))~?tUuST!hAs_5<S)GzQ5Uyccr<om15Ka7W6P~PEJnQB$$*uhjy?Q
zt2VuJ^pc++vAAw!=@6NOrOB)P{Csy}V#3JDDOXEdd;WgN&-+y{Ze_0fvOylK|A*}|
zC_Z_HWpi!dHwME5u7$51*zmgSPd6@2*chp?v9Y_iH@AAa3I>v5yMWgNwd^jzq}x=(
zI^Y3B%IzX6qGg8rt01<EZf`J#zT`BdPCLhS+smyXY^Q<xY^#iKaaDD75t24A5cGj@
z=jcnEOP+DkLLdfH5bNDYBM=A{sPfEA2dZ!1ET}b^azWadH<|1mH8$ob)(lP`TADL2
z20b)Ynb>Z@gfWsSFMBMlB;&E#+V^9xsi>$F5qf-meR~*o-03buUGH*jtuS_76Ii4^
zEr&p$$SWuqV6-c(%VBa&d1YmvC58dh)(Vll8_o)v_E^$rw1Cc;iRSWg219M!GGEOR
zT%D8_ON?$dF7_IYO3h)=dV8IKSYjR@+B<rC&H98ee&x(hpUek>uaTWf^yg>tONIb+
zgD!ao-BHQGJu!s3%F0{R+P+yz?^`|TwDI{Du3kMQQ<YO5^FHQ5SYIC>leCtrkJaMm
z3kU=s%Va#`l{{;H-lV)B4jUhN-onbcDchgi8z3>}46sjm$RMpats67r()?As(Y_;U
zGo+ZlFNUUANjP!@5S49&!j-|$05q9X90guGt3+d*=C~a>YVD5iNl^8g?OA|saUbe1
zuWQ9wT#iJFtiUb-^}?fDx<7pqK|606Sy^UZFQSlGgJLNE@2@u>*l-&xnJg&IMX%9V
zGacp1oM9-PN;6AFLG!@i;e5^vE=!fcz*&8ppn1w+K0eC(_ZPAy%xrupWtPPjR!$f=
z|Jab|=;#9Dljz~bNRCa*O;y=)=fk|$y8~t~Dl0AS?-uCc$P(6q=$Z;TP)xeL(27|6
zg9%*sp_bCy31f|N=V71%3eL_S9F2?4vj@zq4Hx~&znk@h^_5}EmkWhe26rm-OBIp8
zli7CXjCRx!rRx!7(|Ng+cX<m(1Qy?GBT04#<&x1=w`RxC%WdT?)L$^p#ejFW^YAjr
zf%GTva_nDo>K8A%xm~bWwQ;BPpKpahv7K|OwjoeQtjcZT%wf7Pj7uipig;!9u%v1t
z{}AzzfI#oJZ!bWQL0Z)q<lE~vBT>*+Z;;EFZ8iw@9Hb=;SO(91>xiLx!2dt^x{>DN
zkg49uEWL2;wk+kvIEf2BpX+bOw5JO06&4ce{`m3PeSu(e*ej?2vut^^fdLuib8b??
zKThynQ&W>zZzre+GrwxcUr87a^z_I}7+O?+?{%Td(}3#)k4+BPhEPn*(B9s2S#SNZ
ze=NGRdhc{<Ci}xI0|A|+s?@sjI-IPsvND5OuzW82`SUB5INtiseNCmuwjn~Zvu;Bb
z{?)bCPoF-aGy<3;R{PEB%ZUu%+|x=*w=S9yOX$X8kxs8RSnSyV^HGJJd{P$m{<<Da
z_Y2nUG`{-1mOWii-3A`WT!G!P4sH&-0}7+bx`sVnjmw!R=qW&pp#+vb-bbQf+9-Z7
zn2iOSIDTK_*YmWSU$=5REG!n=HBs18J$U+{jklrTRy(q_8Ct`J)}ED4cy;Zo3bV%R
z0|qVM+rQ{Jo*l1)tE#GUEX+KKN?+>EMWX5eaAB}y5of%7bQ#bU!SQ=JFp^xz^B_Wz
zd6}8#vyH~H4s_aqbymX0H#>G+fAwdV3%6UI?NLWh&sV2au(fW4^vK3WEkb#Dn(TQ=
ztLwGk1)P?FbRU|MZvqaN(m1*D!sDI~j@xQ~{b=!_eeCSa0Fc24Y-dT$j}K+bWMp%K
z#F^M;+-=UkMaeeRWDqG%|5EMg?WM|S6=h}r&Uvs+r5}n$ukh&PhgAE?XZjX5HziW#
z<AWVvRrJ;>AWe!(3iZyActZBP`fD6EE#nZ9&2nnnwQE-oDTf2HQcG{U(3Uc3wGaZv
zvyKD7`7FC;i%E8vxqu<It)LRe=gC{G0G5}bO3uDN5p9gK1HWQvfmkPj_CNQcC%$%0
z5Y@F`XMRFCEzf^zzRVNK^}@8}n<MY{!ck;<THTE6&v$hT38^ct96LO4b2w61aK-uh
zL(-J*V&x4qI<LE<(6(q9fWJK-V#NqSY+ux6B5L#5XMor;(Glf1vY@-X)ct&x$>Lv9
z1!K*MtpSC*Z~+H?i-<#O*}h#MuvMU&Ci#i-X_=Xs)Cv!W>viDh^8sMd5~pT`UD4Yg
zg-3(6voJV+{w|eD_5S(&3!47kw&3WNG1a?EU><WxjbmRMdEK5O)n?xAj~xLIDr;e?
zFB7~h)2jn;JYYrC=02Y9`ugLpz^^kn?_L`}{eV>gjo_Nj!G{mGaz3M%*)f566*JX<
zlFzcMulDv)iR5zQ6915#5Ki#==Uzn?2Ld-DLspfcn>@!KpxizB61Y`(x!Lr!y2sbQ
zcHVjR%HOa2bhWc-VHyK0SzrDPg=SJ>X=_kkRoU-Mv!LNAH5jw<5?hJd!C6WHjz}Q%
zm6n#ql;_zz49=mn;cGXay@WQHccz2O??X%!RVTbMd4pH)rO5~A7qE+xOc-F1u&%Df
zN5n8O&Za5ksMvSPlLm|#NBqfv9FBJoQC?n-rnghACF66kT@;FmQV1h|!Qu!$;TpEk
zc04%8YtvbGqm&6k<<eqbIaYo-1vNi;ndFA8^WG%()(Hk;U<w!$6ZzJ<eJg}$C;z(E
zGAx6D<5;u4sK`jlKrzQm``rBc_TdL#K0dy#!FbSBu`?M<BpleXNta*E(0J%!`g$Yc
zbN|DP_mXeqS^s6H>i4l88U&sLqUBl_UPwwh%j(oUg}!;yoH*!T!0{O87Z&oZCBegA
zjv%)5gZfbhx@P4i27^-&dtlV5v%5R%%a<!YzP`>bE_(1ToeFTbz1a+60l0jgR%{rw
zror&YSy%)ChI^TEZ_6j@FWi)uJ{hYMdz0hM5qfP4TDQ0W@4DbUhP8nG@*tE73JU7_
zD$})SX=w>B0+VCR=MSt=oTFc{$plRA1cNwaYG-FRYMz>!3ODOAO>uK`>jfv`WNCZ(
z_{4-VRuy=2BF?m8aV&WrnDGVpp%5){oLx{+5Rh3{`c%VQ5l?=!v-ESZk{Tn31cck%
zNfY@6FqniqUOlv2+}PAa85k&17`*8~eRGaN4_q9LC%`gebp%Osow{AzrAc{h6f(IS
ziwAGNr`X1dNOFV8@@2to-Glxx#n=>FDHBIg1$p_4w7P{EJ?6c{a;%%1S*5k9n_CH(
zRBym(6@Uv3xpB+pyDrt>Z}MpbTl)?8#E0F#KM&`juhKL~3IMOR0L;5(I=sGxvz>1o
zzuwA<R#sJ};yablQ-YWF&A(Ft!V-!XH<jtH@+kn!&>k^`o=+e)vNsQ>O|Hb`nGShH
zA3BDsuOwV)2oqlYMPB`7u<|o{^`;@A8p1e^?FSOJ>keEL@7R5^F{Nw^my~vOG4y2^
z==z_Ga*!0U=ZDhOu;Lg?0uk=1`XJ-Qeez~6qOq52E1*zPE_>NzA3=-(N;f$zzFP?W
z;06SbuHQ$u#y#3}j<dFGP_qu&@RP0!sl8HjBv^Pv=;gJ<LO)DTsFQ5;9fCjukf~iY
z-F$C<0QuF5(gfXe;I%RD{Ay<+-O8%2p*8kG-l=|^lY-gUUPN6k&We`E@h!0;x>CQM
ztGDj9y09am=xXVUk{|{q9><wvT%Y)ilcM@VV|9@ny>BBTfdn4|w(LAo7jEUA1FE|I
z_;(;T=>iwR-uD8e62HHGknw)s?>fKzUXfTGH`LWQQAA2(I1D7()ocX&N!bZC^Osxn
zE?&&Rsh@&+mQ*IFTE1*Y4pgX}J6wHT{qZXiiDf<Ix+hW2LdOwD0RlH?udUr=kRGzK
zxO(vw2Y=)gzLxUnv9#-)H{@E2;Nev=3M&mEKX+qFD!x9NhyILSNJh1^aXf(CYv=X>
zQ$kw!5e>bDy--1HijYR?-rjwIgQ@_?z&_5h6dNb*Wa$c`Jw1)c>g>X_poP9(L6U2P
zGzi(jRLa)Fl1two<@}1A?fYg|Gq4&m)449(z22gJ_%-l=kaL>l33Q}%SW-5uFrnA(
z%{s*P1nDs%Zdap6zgKa4sarZ0{ascyy{W%^z-5fGo*S@U@Ktd?@uk1vegA-o;IIE6
zGseUp9oL0D>u&uA1d~EgjM`~fZ*=B=3n}%v@a6aY0JuRPU3*4o*Z;i`UAaWJtJIIp
z$|ESd6!L%ajUE^FtpBlB^U3uu!vBTX$n{=bE}uDn@LR|Q=Tv>6w>*UA7mRv8m+@4;
z15l?GdUzaRU-~&N5EhQ8kN9s&mx%+_5-|Wk4&U^98)s~wsgzegQzyT2c}4GcMNhb6
z145kpZ}^9gjr(o+NpW2EA&2f;pVeu9{<#hjzJ|PlC+O8lO{Ws?+GL&DXNagjzPP%U
zMGdV=qR*K7?YoGmzxp?E+;I@mwFL5$c{cue0P&LNzX6i{kH8wvp8i|7ks{{b&?&Q7
zmqdP9aA~UHe;)0VNoKgOjLa_Ph&=M=04$gs5P9h6T@H+8_AQSWDXZK9{M{A?ccI85
zYJ-%El3CO4JI|yaWh~561fZmpB@Y>R!~eJp88y717}a+AoAcc)SIB~EI0;-*J@vG^
z&4dHE`+WE3J%Bm4-d#%oW5v0{Pf*C4&wl)NYcLEFy=4K;#ztNwhYG9up?tM4wnezK
z<5hQe_x`r&nogeCnAfjg&vZ=<K~*qcR=<f;moW)Qi<Pw~;p>w}C#}4IQgOFBli!v<
z?20ZFQt?ZQ7PJYzI(aQuTJ%9E4oqNG$?Qz3I$3A|XG}|@`T}G^>qyi2-%yUVbZfop
zj4F)3b0sJk3C{S%XI(^{<l2@EKw!!7gnZX#*na8r=U;rG_WNGY2#*bi3an?d1^^hK
znz{Yn9Vol>tr&7)QBZl!pM^qDgU68}A@u1T4JNhB-2rJt38)Q?IJ#;X%AQ1PA8FEl
z<ppJyb||j*%>)fW)VUcM1U1s<0EMt%l7CIj1=Yzw$>QBrk1XFIkw;oZgb*bqrNs+z
z-fdK#4X@t;KtdhGXM(L1g^MPFe*)S9-~@-<$k7?!2E`jCeYJ}S3=15Ew97$`eW5c>
zF)IG5MBk>i$6J~<mjEjyN{=lmM$rZcpB##Ug6-`;e|Cv}LZ&BQWC^~h+!yvmd5FaX
zzyW(RWfP<@0R(3w<Y#k5bk$WG@`sArtIZb$SCj?$;47K{o@S{stMl{hCUDs{IDT=M
zdLIvE-bm?F?Ajqf@6?)-ilBzhBa?<~o<O2{FwW)9L^?nW44}RhE*ER>5}xtxQBqJf
z66?tx{F*ks3*a%ba_hVP0qj&bV4rvwWZ{sN8-}@wOxR4MZk#ETw_<m*N`$lxL^$N$
zMxpo?lF;})S$(sLVL9EZhSbb~`LiBJlEq798#ez)o8SSI_F)H0H8SsZILis2OE91Z
zs=Fv$A+aY8$)N1}^+Pe890Etz4EUm$bI;v(GvD6JzF0IY&+13tyHWul6Czv<*cL6r
zveiJlhT>v3EBQ>`%Ox$9h2uLA+dHNQ%AW)B(eJa0Z%A)2+ZR$b)eBbaSek9OnQMSy
z-*EAA5C6|7#yHi<;==y$Nk1j9q4i2#LTFi#9uAX3c0N64d`y`(fG$#l;%pj3p@t`8
zg{*Pz-EGRLIo6Ux7694k$4)i%cd2|;oc54WTGhc75_p|``67oa1{mzJtYoBUf#w8z
zMU8|1FvB}kZW!Mc&y^s343N}9D4j0Z_pW|^?CH~u8w|OMiUtQQ+3`?+;9xDx+I~zW
zI7IArlIDjZRSm&6Ijez#vRInEi9-^v5tpm$1aRF)!oK+EGBWTzD_S_Wh{_(G+1`8S
zj!AHB^MFdHouJKony1IMHM~__Y<CK>S)zvuXp=WmH4nc9z6AUO&C8<e5Q01DKfpCN
z!i+A1E)_Be+Fa{kM<vlbb7i<UN*aUNy`4YuwRD0GB9}bv>yEmN+T);SU!-PPeG*pK
z%Co;))hxeQ)VU~Vkf$pSiMr111SS6;K^n=;ra{Tfvhpmn^2Dt)Bo^0wBCmP*Tdv%|
zAy3rpNx{h0kE3lI6nP|NIc5&cVo|3Qiw87b^sT;hb{tGQ8)28{@83B<4SacW%m6BW
zLh)s7`-m2}pZjr3@jnPRBBXKK8WYZOX|7ghU4;Vg3H`3kpqqG@J$+tsfyw=Br<x^_
zIbL66Jd+?7N<Zrb92frXYRH}q8c^XD21=x4<vQWLOecx9G<+?k2az_um_J<P!NmJB
zGs9dq1(2#*DH$S`&=<jMbx%RlTgtaKe0M}KP1K6bW-E??a*^pi=enigdk)p|BZY19
zE+77u>}=b$Ng<}rLZ;h$Q)u=WplzG2pW!aXAd6NL|KtF5z}hkBeoXm@So4nw;IP#%
z$}t+A>lR*<Lsb{7UTf~0NK9=^h|dlAF3W6Pc-uoo6C0hj{sC|iN=UDeJPx@S%ckcf
zY9P#<^L=}N<t1-Oji%l=k*Ts(q4+}a+)qwV7tk1j*bhrpdiVYXy9fc58d3>KG=te5
zRf5Q)o-xnL-oPP&1wi3}^p5TGJ#g>b7p3^OQ&7@YfReTd*EVun(;^<3s{5mWqkdT{
z{R-g&ycr@Bpsia8%Yc6=za&zFRJeT{3ap&_=(;;P`a=bt)<3gkz4$mj-wAjB%BOvr
z9lRDb)?3$EiEynH=GZWb`Lgqe%L<&YYD0zJkZT}06|`c_$cNCmrP>fbljJb`z9S|K
za}#zA`;XB<C|K7rSylTstI09!Mz0c-fXX&@{x(w!PPF&2Vjaf%^q8+35W3CFESgrA
zBJmn}R3@|Af4r$I{>Ihk4&bPMwiY}%b$V*y%ai~*DT-Yi(z(gPrY)cG$hCUC#}T)5
z`huRWPEWfc2i!KjI6Tc1Ms9SC>%L&J@9T-q=B>TX7L1RIQC`Xh_=5g(FzIzsw77xb
zziPT_4?pkKLQ1mi<9a=-2kpK&=UHGQ`fk16cyLObYg^sR9`$9v5I^l9iS$+VyPukS
z4WXGtr)zGzB)X5m4u%Z06{wM|4eqJzuQ1ThdQcR_u`LdI+B{*C7v;P>%lolEIdBlS
zs#C_hQe4M!kd>YLu{dAQ-6Tl%5P^8k5#y3v+w4?gHs<Dg>ri6>8q}C@s_JmFV5KHg
zl^k%vMCK}BG-9N4ns~YngnhYOyfC9bP4bZixEg@2R^fCmq6Q4PY~mvy!o!dCt~3DD
z2aJl=5GzELZr2kz{-iqz6bab+_p>!Z<XQgHjZeXIv75E@0a_}ea2j(#t0#J>O_9=k
zXZK8b2bnXtbFK2j->*CKZsWll`1a!#ODl?nQR`WKZa!18;`|RbhC|sKk+L4*v^Nss
z-VJ4|HwPFsKIPSfi?~cpC)ViLcFJyNClgZ%>W@1dfG2BurU?^;H^p_z22F6${f%(W
z2a`U)aS>2oWn>*zH*enDR74QOFzQNzYdOvq1zvd2_^G(CJm0I=g%=Qf=_8M97pC2r
zi9Mj^1)4mft-KlTI3%+QJJ{KM6|I7|eA_o=FvN0Gqiy=ru&js2i=g`<N)Yu*Syv>@
z_4P6G><@}VR2HiDJ_YJY(XFMZ&0iG<hn+VIJhj>(i3zttxOVf*IxhtCf$|Q-Aqxhu
zlb)j+v^H<rq|S6qHE8sx5iTHG%K4U6Dw7!&1H;ggBbBV>NdHiAT7-iNglgnC$KZg4
zDI_ptYD{CPWPo`93WssE>Nas>=xAe?YWoh-1v_Mh`FoD$P!#SzIo|Tfs+9Dmt$zxl
z$6T;b<F{<Tabxr5A7>Q<vPQpa?ku>B$&7AG5w56RJ9hLd3NXCFPYpnIfdvY{z!D=6
zpH;Ym2FLB#qvPP25wGwB6U@ccc{MwVl9t?6liIH70?tA~%ooZ>25~ysLzb8j`-t&Z
zJ?i{nUwXS_CEzxEIAt)-JMVn{AyYW|^HKPC5rB#{y2O<g#L5Bjl?Jei>O(F?lFc4g
zCTf&+sU54fomPPQ&1E@hPeo?jc#%I<kFu^l*ftO54IEg%HqY5B7{(U>q<s4L@uL{7
z%x&n*_7k7Hd#Hd2LT4lU#ow;vH=Q`UCn6xNmrK)-@zqt|$t&28Hy}Q%V`8?lHy{;2
zu2*;lzjAx2G>?pooPe4~3&|{40fjpOC|)NSm3gk5pkpz}=4w~#3Zu(}D8CC63#ugm
zuv`JBH&Zd{zH@uul_H5sj~wN}%XJ9>wwKk@>)w;#{YPSTa>-f%bb5}io2s+hG`b}6
zXfTgu*{kZ4HRfU3wdhbIgAhO82F>y+a-<&hm(Qf21t!!Bso&++EaCW+A_wrQyUA)M
zUmR~TaNcI74j<b>Pww2YBQUs@I&2zkCK<1CEbm%`#TV0Pf#xI}ve_TQ(5SGAY)PuJ
zSxCtGpwlmDXgqEP$bn73_5inhH`(F%@gFRJ;J&4PCFKE01&WpZm@!rYuvBufM<#rU
z)oISvHaOSss&3*1*&xtna&lH!k#J%GK~a1hz@cUpiKI5%%H-*4*>DtY3ZTDr2b*Su
zfq_?!>&9iM6Q!)ijcI>fx#?v(+-=F$*Qb0SExV8zj(_@IX9}XM`r}1I#)>Da<>v1-
z;$`?6NUMLaY8mebGmE+DDMFWwPs!4Mbra|gIIgCdz3}y~J~lWVLoQM(C8#Lr;o)y1
zOKnB5cBZPQ*rS1#cYMp62dNgzCU`8(+q3ODMY1e6W`9H7SH5-jN}SwfD|597FBZ8W
z@Y0$QRYi4qR}*}l7CyCUVRkpT=UP3xaRWSSr^Ub(oUA@C26rd`IY4*b8C*7)-v)lC
ze50POD%9SD)yP&hK{Sp4aD0ArQcsUmkZ{!SUC?Cns&036U+VQBk1YufeB(B*thJWZ
zuyAvHkt|&;qms^MqfrJ<Y@Nf8hJQLy=<lx@pNtI-$o~|pll?GIUBEbY=ZgX%Uj<IM
z!%zY;x)!3l9wRrNbteIwv@zi!#9pT;(#fJ>;ZIVNiWP1YEr0p^`Ey9j9PeO}(~*Wu
z3aZ9Ga45w5^46b#%34p$W?|CP+A6&&t>vwJ!mEAn19E!A`Svd7lQTrk+&sRi1?=uS
zpD&VU&yi<+c^#B9MEsvuEjXIuD?aGS-N7ejQKAd<tA-aK_yjHP`m}(37=jsya*&UX
zSDp$hPRtu{wL?{1G|EoR6+7?#$ix3*+h5sZkOE2A%Zbd#9_qTMJ+=3ed9HPln3~mm
zSz^a!H?3G*o{QZ|?eF!PJlLv1`L*5Ux8mq(j9Qs_(%@|FgBZsL16@v?=~VUZw=O@#
z-ON_%c^o94J~hW|7M$O)W5?9+z^$INr`<^q|GYYNy1(eVpA{yZ*t2rxa&u>gVwB%C
z6$^|4kHfX1)LDte9;$AnG#JpzsY=hvKqtxg>empbuzo)E@r6iPx>1kgNLNqRYNV5i
zybg`BCZ3tO6LCufPhzTy&*U<=7ub14T${K)Ze(B$>W|Us@~(jhwjyEvuPZ-`t<b^v
z99;V5{y%ggDR!-Z^fw}vh!q*~Hi$Vr=q<BsOQU1+4{f(~Z=z-8Zz#+P1LT`T4-3-j
z33hAAiMYoQNw}ewypBtUygE#3Ovp6k3IgopP%|zTfV<FW(X{>Exn|1N!SRU=%#X&e
zJi2+h4r_Lh0Q;OcSqXqR0I#KT+<r%lqZagAfD+?Jb(NXBX;l=^Xk!y8>SE|lOZFkw
z@Mas0;1PChAz=tGjf)VP17rA*hAjOw4d<XCNITz|&#9>rOtt_3cH_u&E1NfEK&?|K
z=1_Y&vUzB+cIZjVC_l7A<Vrif0qj4Hs!A3^eQ-?UkL%{v?6{efGvv8kLj3-I-EW7)
zns2nNhpK`pPxO`vqXGVZmSYKxDe<o0fYADno8ob8OT?aF8NhsIe~5>?hW*}5aK8}s
zot}60w4O4{^dkkBf52tqb~)kS;3-{#K8|vM13J@v5nb(-{aVww$m$X2O|V)aGdGz6
z-9pwR&b8PtLNUrMMmC8e6vb(57!os?Kscdl0gGSHTK)oE)=4=Ney)kn(b`BKCqh&a
z!2x&2#T4L=c2bQS(&&+pVIA<rN;;mvjo^q@g#@$3T8*it9wBtMrIqOI$H?Z3l}iQi
zJqt`-BC=VaM_vR>L~*(W->5!puea9~aJlhiEj(SZl=vRwt3SUdB6SPw1RV4p0~n=s
z4q&07@9uHj8F3Fur7I6MxSKLFgHgSZV7S<+4Y*yydA&D^Q2}?3-t3&M0c2xA5@V5r
zYpiytNhH&ADU(HJ$rYx6zQ1$y6X09qg#kI6MYLvoMxlnbLoAL=%@~^o_@!8Z^WsSq
zj*fBDh#tNfuxEn`aK~6-aA`HE)=0Rr%GDDBz_{eRC0nf0UY6oP&5i@O9wF2ZS8S`X
z3B5a3@#mi;-^wNi;4h!f%}iNO_bgGpY`GzvtYxmAE-(YjTgFq3bjn^R&0+yu&$Kr(
zEicN0L?2eHJ+-5uPN|L4gu=ZSlA&;-;;H%V-*?R4&ZRUI6}73*k`kvs&2x(;`H%*>
zC_=@4X;jNPO0<pLMU&mPPFuZjj`Lt>&=v|VN_@NgmTnBSmq!>9{h&_U@TOG9nNtXa
z6noWp4gDByuAV-0Y`o4KQwIRkp{F|8(iwkzUUg!w+#L}Ce>Nm7zej?;AlX>kbK~mU
zDov>X9t%w$!Cmb*N1l5dZIO*PBhMd{xYAR&Q|8r^m-buT-Uk?k^9^5jGPl^rGxT}u
zS1IRvhXO)*k8S?AD?%F={Sse&V<-QeW0&^dcyrh%R6KL=-E_YHbo4Kw*wp-q;^Gw>
z|GMMKuTD-j({KF{&C6Pvi!u1)#x4xt5`YZnR<Fi4*CaPzi@T2R)37VM(V?;V?Dt+6
z%&4GS722^5VeiQ?Pn`1m)`rJ~#3ojsp3rRHx#ur?l~~J0d2_v|p!6ZL1JFkMPpmbv
zhH{UlRA1^m2=x|lWVym>SQ>MKtHfKcrcXkCa9{jdw{88cdZpgP=4<j!_`YFi3rQf;
zSBC-W?Ro6PdPKcBr+NUX)@^s{PmQd2jVoBrkgL3=AGyc}ywf~rGe?IwZ!2?oKiHI^
zQJW2j(6!fQ-B5yV9+~8};v;-~LC%o>`)hAv|4qQLn)JCWG!&@@53>DIy$;@FhKP<6
z+m%*QU{h<aC6vlcc&@~L)i<SsV#_49o<?oB5_6=)MV@^fH4wvBSNRLizu`3>u2#wR
z5Odjr-p?kn>b?)wNhvE=v7mlY@*T>%p{2jya46gA=)ezn>K37Z;b%v;$m>uI9;mC-
zu<Cr<mv^IdYgi#xdB(v;dB*&FM~<kz`-VVV61dGN4@ePL1y1Q31GtNz;Euj|-bX*S
zt<hyfMXRXRT5c!3uPm`RME(2Vs<qMmtldiVl`5mWzhM8-7yRSvToDM_6#-ee3!<yl
z72$oRQw%4sTP3!m!4~yO?sT1a9xXt_JkPk+Se)C=`1rLcz#F~4b~*rA^rQ?jyE~NW
z!LS+skkfN5qn?a#Ziy=0PD#{eC?qU6vQr9M0*2@*ym7KnwDf~~=<}mn`~`h<jpUQn
zfG)SCb|~l=J-<|8)48*~l3+S;8+=~-Qgc-tPqehdegO>Ll!&4_({I`FghdzJMkrFI
zQK;UqD>uc12PSG2rv08@;(0pfo@eZz)$zToy`qLg8vr@;r0otFJQ@38BQ8pJDbcIA
zq^@q&?Wffi#2K$ON{1%mwJ4Y7cA_4g*WNxTuSAz@bHv}jdsI;gc7i_gRf+B|STsNA
zmS=pj1eh!t$*?TD0r0>RCa0o_<-0B@C$u?+Opr82`$tOrIebsTmFrN)Qv%L)ZbPx)
zik&z~@E~_Po=zNXuT04T)c>M(PqayUWzeH@o%4x$WBcg+y|4OQh*_GC?vV9y3s#qt
zAu*%MuVTFOxB_bFS=KV(&Fv)PHPqX$uVUf%Q|JO#@TE@MNw)o-4awput}WM28=yYC
z!@@K8>HW2u;oKyNJin8}UsI|Ljh<N~^r<`n<h2@Zdbs3BsO40=Zocu!&BE0w+uYUR
z?M-mnj_o)A8!M+>N3X6<FATEgSu8u@?NsPbi3WE50>x%4q}oRcg>nVYqW~W^Js*4y
zqT8=TwCE(^bU-c~Q96W~n|n57>M!^eWW_+hfeBIpTN~|&?~8>7C2%WMp?|0a=L!4o
z_^C_Wn7<kDXKs<}hoFtZUp_fVIh|~0CC<J3-jz?h8(s&a9yw8UaI6(A)ZM%pMIdrC
zt*}eQ*++KEooMqAzXe#tx*x;v<d+%t<-H$j#K&v@Ozz!q_A`lPXL9#8y2xYeozDqg
zu9{|My_&Pv;zZ;7*Yl9&+A9q}K?Q-}mt`@{PR0t0#eUdcRBOET;|_RL7D)0~N|`Q0
zkaX||s`D~u-8CA?Z7Y_z6fZGBHT!k_jX&p$i;H(LgQ~MG<2<=-ccH3UqXOhQ9GhXB
zHa4S9MUVmMC5=MklSJqTIEHb$QFHf=lwMd8HqWaX)%o1A$wDe6rcCCR-WyZOR=opl
zKb~d@f92yoT>WQV6y<P}P$NAwYZ_9&=b6imaA;Qw*gPR`*NMxvSB4`8lG+^InjP_2
zSiT%{xfV2NAWzupvs+Ra{she0i<;_NZ>i6}n;q(lrv&x6_}W#yWCh>)rC6K!Yr}lW
zldQQN+VuV*RFbznK!f~4pwb%&!d9*|jzaC$FEe#gPiM9QGg<uXlVUD6O?@eLk*~(!
z21vG?ksd0;K|`XDJ9BQ?C|d+0J&4&`dX(uG<&-56Qe;A3-Jy78`ogC=wI744`q@T{
zV)TCU&xnS_lMQPVKk#F6s2_uFqM*|{HDYx}H=!VHF?sC@y3*PfxH}$l+wTL0;tN{?
zR$0xbNL%COx+=kid;)-2F_7P@%w_I^5Hq2eL*0ro62O%Psa{IVp!C$HufV!hw}r@`
ze4UDBK<~9QDlNo5JZTV?4GlJg$V|MP0k5ez_x;902N5?!+bhY}@O`<b6I=6u%F#ec
za<KnRr~3Dw1K$9A2sj`Pq8Iw<#E29xfg{WuUSP2pBd$U?&7YnN<#X3ZX7oDW3NF1G
zj#KdJ%1vk!@juhKenvn4E8#-db;vK}W(ndh3iTe_dB=YCPX@HU9=v<>aaK!G#n$Hi
zIA2ti^+Un+AXrsk7jAcSbmSrjj%q&ls%gYrJrpV$sSCZP?Mg)XbaIJKp+NXnVCX{|
z?H6t_SBFsi`{<eixU7(w+7O>O!?%lnt(mI?K~UcfXZNJc4Gw|%6OiBzKMyhf!1SA1
zsN;mZKG#glnn=odrQ0&>Kjmn^f_4)D5CI!sudHfhEN3N-f4l~sj?xqI(&>bh1QS)`
zeaVQJk3T!yA`@cJ`Pj=9Y1pLc8zol5Qn0*HoddvvhBu8dxVRC|O5f_{3pInze&DOP
zK1T;0TJEi3*)f^SkY}bL4N|}EAKmh_`C7S;kI%9T1fkx0HbkGS%IksX&faa$hPuaP
z^2u$sqT`U3!jP|>UR5eSvE>e5o|l?7hY=m|O_+$5%g$H()?c{7qpY<q!3K^iulXr!
zFr-C^#Q@H5z|B>X@1;f@Zx{Z}{!>*gN`4_=Qfx)Imf!?q%ie;?66a1QoSvC#2EqDx
zMMl>E!rgf|S2U^`_D|-hfJ8mVk4i+jEq8VfvM<kM&%}_%V>YJF=%>4Sw=bI;-4_py
za599;20*AVLNSY`dp4Z9f2E?M-2n?M2`SE8<Y<bQN|6SJ(K$Z^xdyxUj(7t={_sIX
zVmFJ$()gTGeYq1qKJ(bSGhmhEQDu!QYgQr-Df#7t<<$9r!g);#O-_PF^DRj25_mf-
zf{w`$-0cf~M|!k^Bm}1-Tken^dMw_CzgCf0L9LRhN8T9O+X4b$c2L7Q&v-?k+Txf(
z@S9ta(DMPFM50H1K!_{}g84zI9jCws6{LDKJaXMZ08>^JQTL3>_sI+At4t3gv8+H9
zp903Y4^r-rN(Sjlo=M6qxBWKTUMT=ow0Vf+wL5Q*Op&!9?coLz%S>UHvR0y9{Q4D8
zhN0g`Ltj$@7D;Z@?9SW+_a1u)nBKo~Gny5gnWaC-E}@m)M>6#JdBeVxO6>^gZ5%#0
zb2B0;%2v6fP0L06py;-Xb_;73HXQp4T#M*WpQZ?<gMeQ2NArY{dWQ7jtlGdG(DJOA
z3JPG};tBH;Y#h}Rt!f===S6TIVFtb9=Lf~20I|jku<!D0!97<*+XL3zKZN5Mo-p2~
zTb0-BbfP1?eo3R6I@y?_6PCHfj*jYag)8TW54>s_8LBoOlq_Kq(pl!8`;wJQRGcYF
z9XBI-owlC|5WZZ(ciF3^livHS0$knCq}5f>NFhMSQ=jMxp<HX0<JrAF{X`+-Jmav%
zuR9P$%>k<?P~=<8I)#p@AjBGTp3%kga?2UH#!R$!LJ{8u<Tl{Y#%CVCKin<`s_U?*
zS)Or%2cQs+{=RAU0k9%kaGcLP4uyesTKhS^b_M6x-;O8exB5M6jyU`ldTh<6bN<-X
zxTbm$WBA_!j<2+qTzz3K&VS`k1VRR0xW@UC6w@2z^TLF0JJzG!<|GP;Er)_9gdWoT
z{nEySgPxVv><rCt*T-d-JL@>tdfoo}S||7@Kq#hCIi~rSU3=x~d83ESd_-vFTMZ5{
z2L?Z^N<u=T<ioYoe#&(9%+h0`LzmYfyx7rP=Q*Dv640?aD6q38LNR^cQrNgHsM{Nd
zOPh*SB~j^hi}W3v+PDA8Tmxk!=!e&^a>4PI^O#yWx@AG;FJSTCZ~JX^Bb5&%eCib)
z_e2T2><tj)i=C^NEmumNU-#h}mBUdYRV~Zdzuo$|LAO$ZE^nzQxV2jQ6Ktye*zM&J
zQ8N1!?S9j6c5;=jE4Wi|!G|WlOAoS5wPk6>T&|7RbHqNUOfQ9cfl@!l#t#;NTJ2S$
z%j+&Zt5^j1$gb7%n_x@!!4;;RT{!Ej>AJDaG+$EId7lr6?fRn9>^TiTp!7|qMqKl?
zmA6VP(Xh=3spQ{oX!B$lW2+|q^F-{T8mdI+aPbWF0mChRPMtPrJUm}fbS&W4Lu0k`
zc|Xtv$YsmUNz<ITU6_y?IEOvNzANl7;XdDLJ{4nn^@q;xTSd6JuZj-*@p*D%^Alq7
z9Yn`Qo){_kDg1WukNZf%#<Sn|GM6L42=CN_6?C26!HGCOzVyM>Waxg4*4<{Zb9=VP
zQ!C+d!GPtLS(jhwM(rPsqSf-@+I6T7?5h1GOq8m6+Rd64evMRWov>j@b%yRwyI1Nv
zELBvD=w0Y##n^9`weLFYB`&7$)d_bjFmS<2XK6&*$}ludEb$WSWIGxky{)W4(|h8S
zhxi`K8(7qt3Vw*)H}6B8ykE3?oaK~Jt3ReH?UOCFBN{wT)+cc&!a8!T#W)`mXb0{+
zy^Ax|orrmQnXBE$GI6Kr*wd`*3tndo_f)Bw3|XR*1sSn(&te()-Z)fMrj|e)ii(cz
zrOjGS$ClZ3?k?18pBT(8Rft~7n`eY(y~Ej-)+*%FqG)LP9wN!0^Sm6@*6BL6sP$Rw
zt-46`MM|=@Anm4UXOO9uuWLw>h*$SS$l!z(c3D|`Jl{A7gH#jDYodk^r56bG5w+U)
zLl)$W_1bGeWydg&Twi(LQ>)W5d{AZ7k<B`fb2a2Dv&o&fKFlj9VaAm;P*NK2GL&6<
z%sMdd=cQEj9Vq`c{?)4~p1fT5{8-2Z7-wkQX;##B5v9wuG0fwEe>9~oWZ&=)LCwjF
zjpdf91nNpyhHl}h(q)Z{DGhrmyF<MmmR5e6u+00GW1O15DV=x!aG6m@1lb^KiHI~A
z^3}XOzDcb2#?WCU1DI2U*t@1W_D^1tv)1!JLs4laiYCcXbH921$cjI3&ztWsZ-Tnq
z`XEMGt$Nl(Yp;3wyy2riG)0qA6TQ9nVN<(5NqOGG+U0dDJd3=I<ipdg7>mP?diL?<
zcU|;U>%<XgMIuLw{P<@ShhCIEA8R%a65hx3$PB{FsjfrR|M6CE5xB4ZEfuR`o4|8F
z3u9vAC%ZCU?A5B*e^g}G9zV)A?IUqQy<Y=We13gLQvKEE1K%lPbI-r!<=R+bWn!c2
z9o=qoe!gCjA=FZ9o7un4<nDxjP_fVYyoXEjiL?J#ZQmW&RJN`i8!93eKq-R5NR_Gx
zNEZbpARt{p1VlQ4VQ506s7FwwXpo|mU<_S|KnMy17*QCchfXLnMhPt-0s#|3?%HAI
zoH=vOJ@=mbop1laFC=^K)z^C7=Xuw=!0fS)M}@N_K6o#F{g%-BO@_p{Bej~ZYM4qy
zg$+f}@Yu+3k;Tk7Lbyp}$eq&{64F(@GeWAdh=lDQc$1vHLL-vgGo&Xn*0psnzZiS=
z?wh$0$o?lz_93TpFzBzJNKmXcj}OmD7~J9feAd6WI$?Xwr|wq>)2g1Kn@8q9^Q};9
z<uV#%NuRB~wRn}3L<(u2hTpp*je8mBy9u5YsSD)nuAJ#ZldkXt0Ee-2)*hq$3TAmy
zEm54I09Do2(Yj}*+zj={c@5pJW?{7Q!%ZVET3$Zlq8nX@8F_%P+kA=55cWQi+g5v>
zn{~{Jf1%9wj7ViCgH$@3|2fD>T3~!$rlFL1(okLAckp3Jxl(P{=z=kx*!+QZIpiCo
zq<`rlZG9!Nhsj5YsG~g`iV?Ns&n>qMrF+$ho-nLBC;j4agKA_hDDt)~<5757$ME*F
zB0TV9tw>}IO{DU4`0#R6!ksGhvU(e5J)4B>osMDB*Ve43{pz`>(R0lXb8~QbOuEe4
zF0w9yCTbUQx5P6|!r2d@hd`iB@KLz5x}mP6S6G*m+`<<HI`<Gw-M#)oheyht%4PZ|
zHfG2K7gkrfSSm-^^-8WFZTFjt3>Z%e>u|bq1w^yLfIoquieR8Ee>Sm91}{=>J#_@$
zs5B!4*E3CHqOb>syxomSkx9-e!PX@mmSpwplgmaWxqkeekz@YMXzcXY)lW$Uz_h#4
zE8kc864z~_S;X+m9`sWQ^Uo$wzQbd^b%yJ)ipcu5E<{nw>&X}1Wj$F4Et?mea{SIF
zF;!S5f9E+-pI6;&tR#BbV@?-5$eFsPs;?>z>4I&cr&DUrU}T!IiaKtp$7^2Kt3GC;
zvuLJsob=|lTVPIYoXE6aTk;|zPuC37VSq@HX!-Rv*Qki^FIS~b_K|<tY+EUNd<v{K
z`}S<THV3$Dy)G-G>6tJR*ET`vxgZEAbP-y?W50d81J-}1?BE!{2z);Q$cc>S;O8cP
z4pL~!1{NzisH@C+mCGPjBIgnQ61DsScux7n7Ogc0HvI)T09(<HI%Y&2yO+4fS7v6c
z+7Z0M^B5<2Pea8Fr|h;Hx_|&w)1vBrxDO49EpnkLQ8sPD7Fgk)aJE`%+pUr|-v*(b
zKdDn0SKlg!)W7hy`3>tI{i>l&A5LRzbm~z%cfzv6x0WT(VL+8R0nSa3J6j2a9N7!d
zQ0%=25YY_Fe8cu9IOhR7dC`PXj%5RiVl{q(Y2kJHsYp&R8*p12!2qo1>@E3bA{d7h
zG?Q1(zo#n~u@*2XJ99QrGFHVa<l}{-W-d|JX5DR0p}`J+@YX6%V5&$185-J*c>us)
zj|nCq>efsF9TB?7!U;(N2`D31%>L^&WMSEPoSTurvd~sD7=Qo`CyzXg>7ATBo(&Fr
z+%ds)Mr{sW)BTmmzG$=;G{sL^Ix5bg8o1p;mK|Ok9G4l41Dp7sf<jzmGMRxuhIqWT
z$x9uxs9*Dfh^xdNY_;jAOz{wbRy?G|#~gx>iWj>d4qd3A2p6kNOuCUnoM@<knn?SZ
zF^^^`O);4AK6CV7RbP-SaZPxvvQyN};1rrO$GbMjg0+-wCK%^3zqrV5daB~p(D~@n
z2Qj#pB+Z^*exZii7V2t0x+yKGqu`U#wcpln;F~S7;iu$MTPm?wlfpv!i!26O^P_Up
z@ZF5aE2JWf>lx=j#!Wzk&&~wpPj1+u(?cppH0%4<=s14mXPJvzeFz86wwv=3ycbu7
z!rS)p<awaVAFo6s8*Hgv9arUih-pG4)?ODeUFR$_BZ{#*2#qSX(WTe{)!F&<C#Lh0
zu1xx9gWt<;Fs<~iT<Tj{0?0CKZ9L#zicF!@dF#dMHCkV7d0}gsAiN_Ss?`n)B0aUg
zc>45E(u31A7QtCHDl1KQ=pJNxk?_f6<65x2TizCsXyS6#7PmUeP$myF8{JX@&C?cB
zL$F3UyCp<T=Nl&ob$rY?37zXHdMM54z*$hrW5c!M`x`?YkJ@9+_Fu)skdU-v3UW28
zatpj~t>pO;5RzK{I7!LZ43|o`*?*BNDVoBj6w8bywreY!u`(AJu#O!2K9?&9CfsnF
z&wK;dY;7B1t$^NIWvgULi@}=f?4G+d#gk7zUPT*t(280Sov?#t9+zLgwRm(xN2h`I
zc3<^MoAl=Ty5aGwn{P^So4EKIMDT?~{v%(H0_s+|rrZ`kfi|5FE<PPWF1J^m|A9v|
z_Q_|0PR{6Yy}&6?xZmvjal12qE7NDt%~}NK;)=$mi1?bLuqo+%m*ekz*RxMgV|_T)
zVxl$ARiA<a-pay5K6(hgCl2|e&kek;$JCXCr!*9|%mq0uQ7o{t@C*wlNuPTyji*fF
zyPT1)9-o>vJ~r8FK&DafWIIZ|ozF*?uY)4Xk*lhG5D?8o93Y4J__9f|{om>lHFD2Z
zb2oiL>=+gO%fttb;qVMHT_zAP;hFoOcD&@DBY~Snty56vllK2I`m)26&TxYl@;hUm
z@Gu}qS~5|=cwLf_FJ`}*+y`aJnZ7>LzxheD<homd@$bF>052X@ayZUamLpocJcEzU
zHd!g|b?^$x>K<7_9!5+m&Sdc6qv~jS0q(P9jX_LPKEzAo?Dnj%07UWf_+#(oC#!No
zuhRbvPjA2ZdIy2Cpt<;v?VlAbr`d>B*aCO>X{G%n6$5kyO|qC}KS~dsFbC~&6dDME
zleC2MAM_2wqZX_~GN!Ccx(vo#J<Mfmo0m@;W)z3XJ$synw<CEPs+5Y^tS0wVwubjl
zH=l-U(Uu~S*V>5*3-YWTa;a6d;l;H_N+ekQjIeX0>xOPW7sC_bHKH|rUE%>qG&bHB
zPwe`DcY3NXw;V0fm)%AD$+iaTB~XTYJxZr#tQ0;teX(qlS_ZuRaLuT4lYtr|l66AB
zUs6r$_3X_m1Cz3)l`}p%WHaZx7q|@@m4^eFi-DLfCST0%a2akBByDlj1s>^=8kN*M
zu3s8{Z=lY!_gQK8*Rbut^lK6Z?UuOcM}N=aMn)%L4u<AqC#^%OP)_sv*r6p8`jIa%
z)jPvwxkXUnp$(?)7hb!Oc?V{iA7O{)my}v$YxFH|hFe^p3`H49Mh%S4KfxPVx(db@
ztzBU;rB5lkScM#&AGRy4vLjDk#xMA4Kb&uU5PTNH*!F|sDYc_c&P&hY{s+wKT27qQ
z&1mq9>9Q~x#Y}r%>Kt>6maz5GrbPAV?u*Nsr{2f7{OC{640p)M;%D8tt0lXmX**w>
zxZnH>NytXL>=Iw{>vhtOlJb$E0`Ea@beHpqFCK>C&hagA{1%<(T(rt?2WG}p&oW=8
zSgoQ)S4Lw~9pt`XTjCze`7=$D2)hwHSnnxv9;U|<C6-}h!-Aa^di&(%cmS9ah|Bj|
zzZoU%SG6dZ)p~q0MTF+`g1Wb(`VcdbL5NZuU}({wU|ja_SX6ecA3f5nseY@>-m9K%
zkkd$AlX*tev2?NcG6))CqzMAn{YP=_>VLx3Kl7}p{s~v#@Vu{sj%>J|P3RN<xIbb0
zSXoKAWbH+2`SVEE?66c1zp|j4=LYg>uc7@quVxhmrfOKY>dF*vDoGg4S9|KF%!=CM
zx^Bk!Bt&_%00fpP0C6vQ4QCA!m3ADrKx3We>eaHUFm#hqXKHmHYNBY_vGoj|Xia*-
z_e97F|5CpWTPlgL=D!@~J+E2X?su$Cd#T|ab?LV7=Rt|C@YBLHrxVn@5URL+9fEkP
zNiwzlnxYe-C6Ov=H>Cy~4R1Sr^}14}E_X6_7xLRq*3E$r`GE-`-}pz9n*k;4qoonH
zG%RL?-=yYYMqan|s1*jsREYcrw!4UYH?uJLd;8zLw&<^E%ZBz@#_mc097pVu&P$mh
z@^hI)KWqHpwHj<V|1OWE&lE6k<qUg%?ly@mzODB0=}WnSo^El&Und+5tHjAKm53$R
z9K~uvt$I6?Ki1XatU{VGp2VVA24?OhE!lvq^>U2YFaw7(5p5h!w&>nN)H{`1LvFaq
z8aib7>x{6iR}7&vQhhNeRXg5@F*qFoB-ZSVJKudt-0rvy0vZ%%F6LZF23B2Qd_R#)
z-|z5LYyO+A;ZGx3B@>2`2u%4;nuvMxdfhbkjTXNj7HV{}ZC80m{=YzO06_&I4OqG1
z{~2<dUHQ*KZrH0>2=z?m|0f}L>@He|P|kXfVV^x3SAJnXtf{^QjI-E?6B+Fa!2N?=
z20VDvfllKEXtGQ#9i8$|M7p`tz32{GaQsAv6ErS5s`r7-f&oEYtOr1izF8Q&;2g&V
zX3oz!xk0^*9_y)ku^V6~&pxQFUCsHq?{%N04i-o5`2HNq+}N=oct{+)<91)+>iljc
zE3^obuNl5<H93e_*aKoyU)cjKG*zA;7DfixCWr{_LWFcV|9n3$4%OvcDgaZy7#VqW
zrkgz$!??pX#K9d&mqf44BANJd_cI{PT~L}vAm00XAWc>QTD&TF;YH#e(9G@Q;dPIR
zYm98ap*$&}XOTE!AloE-b>;Qp6MJD-WS~_0%55U;f##nj$sz-Bs#vP@8;EH&nLQW0
zx4CC28DqIc!HK#2O#L$KZa=%M&dyfnYZ7#-srxloEN02@sL$QhfTzD4W~ENdJ-0Hn
z7>g*>Y5~!fj|c-gwCR$@TsE>D$xaSla5;VK>~X-u@#!B_J_vI}bsnZwA75QrC+t(|
zCrP8%DU_p8KYXK>H!vE-CJ3GTPgym6d)UV1EdW48><qg#pSB%xG_)s$OS0mDaRht|
zVgQFZ1~|wez>A@Qe!qC>a;N=U<*{b(>$hbUR+P8_QD_ctjgZ@R>D~5zpkA-MwcypI
ze@b0DB?F5cTsLnAWUJ?BQ&W?L1j~Sw1IlVm@*=K{cfGj-3<o$n3uOBgw7(BDwGlAP
zGHn5?Z%lGAW;`@ieDevM3{d}ti#k?~QiE#(djZ|`X3`4_-M&S)Dtm!5G*?wnV%6ww
z;0bM^K^=@(Jc?XYa{Y@`8Bonp<ryKDN!BQ%!?<u0M;|6GJtQ9+FR@?!3iTD%OG4B)
zuPclUoc;YIoS*rYI+GOaru5-TCMO4qY9^MTRFqFZ7ME+T%ztkqWc0g{s|b1o5?xPr
z2FNG;yE6Fxsf7?y^{5I(cW^mi3SwJT7!hYc81ZEu^@wdSJf|t^Z&X?IX4(R+d^Qz-
zsW-7>jl5izaJ~&&jT&@%`dl+KOk$RY|K8IK6HQm9mi6Zv6G!J4T><bn?>6@n0&%pu
z7RFeijG&nd3#AK17+<zIxHH%CoZNR{c)9+{tVAGf_6uB;823rhOFyYsG+oJf95kDl
z^2T<+^z%iDsAjRr?30tyGsa1p2aGk-hhvC{aB2E}c;q{=7>Q7D@a<NGyto26tPU>u
z&VGZFqpjSBM2WcDwE>khVlivUf1urpdA!)V`=|cp05b32BX*FbDvpgRf2$pV)U4Kv
zp6E5m`4jYZ@X~|oy@MMH?(yo2&dX^o6I0c&sVNRN#*E~VRjaEnq~zx=0!Z&u*K*A>
z<_#hRpsc31hj-qlwphSo?Kq<4k%puG$SB_!ZKvflso7hSwio@=u%W&i$*VI$nC@XZ
zs((`s!PJCcHRyW~Y2NhqX!pl4>0*1}rGVrg550z3003`2lZ6U{0G_01`iebjV(5ko
z<%jT|S!cJ^1uOj2Y*jty#Gk3d&>~d!D+@)CaYTYn$A#RCRt=B;_ShgNOJG<2xZN7S
znjR%mbI$TUg_uVnmwSa@W=S}oEPm(2S;G}MG)<YC0ci)Sp)7dlbdrvw&r{(8S`^LW
zkNSODlg?a$5KU5KyyW<anF%gN<ei!$An#575apCt{ltbXWp=_hfKdFbsOmAnvjhj#
zW6v4Iw%yPNSksexZqtIh@Y^{e3iORK$JB;C{i9^^tmWA~P?KBa8mJ)IeRrBvxV?A%
zi$}m+zo{%|l2pMlJ!NrQdI)$w4^%gtOYnb{I?VM0;6Z+0+5g7}&D=ZB!_JlduJJTI
z*##-Y|F@FDVE=Zul|490Y}uBp6qMV4QQp{s3QuuZ-oWqDl<S8-V3<FYw4Mr<)XXkM
zeSd2afI6<?Tf7vA+jO-JNy{N{6XS$z!Ts_QoF)-${u_sqSN(@1Toa)+G32VrVt#`H
zdF+r8#OCbV%W067=|9sGKF+P)P-@S&Qqx#yASbOK`rL2eJxioFL^%%qwzL7ZX{(x4
z5#tMSlbU4@<wylwioJR>#IWS_G%`aVe776a=0{4@;-FHkUimWOr#CyZggAPwDBnVN
zskK#)wYVAfR02VsiW7ux#dCwck;#sebe7yF2Xj?)h}GoZxlJGX$q{mGYuZ@DV0q&J
znE-3LbtLY&JAV&1SYTZ@wWNxjt_r|nl>oYc^&!mOT#df#b`Bbk9l>sbn|CFEUR){&
zg8l;VA;wvOfO}DCA{UDDv>bdCFm#dc<N;-^+^tMG)^t9t({nK`1lqro*~@v4JPZWr
zAm;=h2fG+7ji9~PumY?CkmXUe?VrDf#qIC`jqnNv`4<C6iEOMY{eYH=8I;owIsJp{
zyLvhakoyW8xNv^0yk2qkomPDC<|E~uuvf~!%b5r4VCx1xL5m<7<p`1;N*&t=9D;JL
zSKK_`o6iKX^<D12<~a(Q8V2OL=wj?-yJwY%1Y&jKfZfS75bOJs)vf-`3&5kK=`GkG
zl44wY7D)D8Z{{Rv;70B{t|qIxfJ5w?7~1uf>;c=*0rLU1m3_e6B(nahB2MwhL#2eh
z(t^7|eaUMBX$dL0YBE|h8+a)zy?wlLrIO96ic!zWxwU~CQlgY?ceIB*2^2HFA$eoF
zcfgi6mt*C=Dmy?G@FlIFcA=}0z2-Ea)>-OUb>v{r=$-F=S=4~(9)Nv`h)sWIhKA}6
zT>n&>{e8Cir(>`{p65cVOr8K|;B2+^@AD0K-*1n43qxU@%l^p_E|A}|z5D<EIP8Bp
zadGCrsfm+tA|a{T)KT2$1r2BGsX03Dx(;;*SfBV`OHqZpVELUe^A$FL+!FBkjEqks
z)}milMIb1ORxb*JH5`N<um$Xy@*L1+3cceB{mEG;t4M@4r58jVa0hHkB>MJtn71mx
z&%S;c{l!a44uProt`F4%H_NOCgtBu`ig<)MDgOawl+T0GI-cN}*%IY#F_5t^SE9)>
zcFb>Mp|Co(US$k2pZjHt*0Yq%fEQ7BYEe}3plcK*Cp=!*DLs!v)q~U&!2BjyYDNkM
zil?UH%o8kGRqcnlC-@7bB5YyVSWyd*P5SARl5J#4H`xvqHbTiq1-xoimk=|xd=+_>
zlxy>Jm>WrZiEXAcvNYBEAt_aExd0PtsW;qo<sBlxIJ=o7jA(WL(r!bhC3wEitvnv6
zr{#-ZIwV59IfnGhzF5EDd#mAvoxN8QBYiZYAzgD3aQ?lJlmO)q`2H06+Vj6GO9PU;
zFI-xZmb%hx@CJR7TYJdVF<mD73bo5_EPwj&h62!`RtYhMqR8)UH)Y96S^-b7TC*#m
zmq~*LdTJwnt+xAb+B?)eq^+iy)=qR4Tdp~|sKJHJ@kD*gB9R*6yB4VcrlO&WM~!i0
z<Ek4jsjb#V<ZeQ`_|GH5A>;@NuW7M#e9Ne#|K~7=EFZnJkTk3xpL=x7$JO6WR~QWJ
z_24X04PSQHMi{ycOW6+X>y&-wCS$nG@gk-}oUDhH$rO2lcOdB$N8(a#DqEN6s#=PO
zchOjx>|?@(I4gcGDdv)#;kKD-Ld;zveaXOCL||8nsqnE3Yg9R0J7vdvKS@zjyn>;6
zaRRxagD!e0d&n8p@IuDbTr+Q$r^g*NVaGpv?Rt03fcLVPNGprpz#~1&MB3h+a!2Lb
z^FJzoMNL|v&2n|~!Meyw1}}k!D8K~oc&zhE+6fl{4J@!LLPX%6?+|&@MfTaMAp4!7
z>A)NNfkz>l@Aap%LK#bN^0nNvDOjp>?_hH=HE4VhJGz-hW5*(n<7pO%4NZi6^1w6%
z7LWSZy(PrlAP-r8o_Ix5EoRlt^*3HWyrqZ2y8Jq1c5qN~-pK|PmhldckE`+&v_82}
z+jjH4(5&CFOx^;<5}uZl!F9!nn$26#<)s~1m>XD4Thc_dJ_k`LGU`nMq6QKy2tH#Z
z5{S)hOf8YKr)qD?+A7i?YEpj;`8_ch?A*RzQMdAD1;~WCF`-93S!cqeX8pDDr%{Z7
zlDIf{(5vA>nKOvK;iu)+dzt2H!vqN(SG}B)@|;==QY@zDH2v59<>B7FT@;tmu-6Zk
zGda`{r;ql04?MnYblk`*FWboi<2pp=0odZ*gu$vyn~613(;-NWrL!aPe009u_bo=k
zd}h}nVYDHeJ;a9}FP}BbisQeRT1xvCXOm-}pWC|lQ`1iBA(!iVBTws-{xlF00_T@)
z4Z|}sFeC9y3D#|l(7mPnc^A{P2sp_h2f4O}e{3LPeF*o{$cx$0{8IihAI%cqM}oVP
z*G|@6YIL?-&&rA;u#p&A=mP>J?3y*dvb0yFi#Iu>>5aH*?$Ua_FZt%!ar2x-7X9Yw
zswhCnZE;axu?FZz*-pFt3#3*$R#~9}s%eif?MoK<A3pIrtLgSS_r(j0AJUa>D~<G8
zZ%Y{ZWuvHME>O%aWbZd~+vZ73^$;Q|+Ki+)S6a|R?=m1a+ThE*#vrHGbw{mkOL(`#
zakO1XF_TiP31UDvJy^QxPtnd6TnovHr)8`8{HTKbyW9XK#$EJr$UV%+L*P5$WtilQ
zs~n29GiG40F*YIgYca-8gzQ+M=7F}MEjKnIYv-ksh=)kM!X6)0&r%vDyl@93KP1X<
zd(@bYdPeDZGjYA^Dk>?-!MuQ3td2~>DmmrM5K?5hb#WCxHa=RB6zR4qX}BAvI49xk
z6PhuLk0`@v4aZy@a6LOt{dF&0eRRtg0`v#`!R^+0gcBuEd>E`dYN2R(^giZtb?;D|
zRkt5e_sqQp-hpYqz#XkTNy~szBgEV8&lCwVrgW1O%q|xI){z#756tIk736d+JWR2z
z_3HPpenb29=UwkP*vjw|;I;2HYA`_cD+Fp9Q&0e4vRq{z(HG#Mb@n#LL$_r;M|S~!
z0>GO&$xsdI1oI1UcU?TKO(hmeD5Qqmc@FNplDP-y2GF|N2b|^<x^A4#$_YjT_r#pU
zJuRm&73%!}HG(VCdS^lA5fGE~^-D;2^*H_1!q}0ce1acc#lKfJ?Bf;N7?a+2@2xOA
z1`rG5QYGsU9rAK@d&VlP8X&bUuoK}{?HoAuPj2;FR!kR+1Gl=6z}1WTh8Ld0v*Sp@
z^@^V(aj>a--|f-<YdKUd_2TDn>;)Av;SJl#mx0>A0oOOLWDEBcYyiB&`~7*#XAgvi
zw+IWNYXIyy=pVdUeh|znhr!7Lj>kZ7r!-JS-M~w4X?l8k5jchBn&h88(_K3v4ur;v
z-I55$Uz(4j0TP3*g8QH{0zl|*n~E!A(4hkIJk9KCP|rsfqZ-$u%L}JsF7^78=<ga%
zIIg=<RKq}$(3SZ;Xs1iaaDXo3v7#ujr}VE)bhW2xDF+phz9J4!k>fs_Y6oY$!czHn
z#oI&fIy$8i<2O<Q(^sBh@<7;SUNiMkx-7iL*im+-2zwV5H^11y<>ysHD;=OB5<H{D
z(pGff&8i>D9<3O{1L2Y9NfrHbB9cT)N_Hw!-Gni_^RqO$@pY~};*y@s%<XrZF_l3N
z)}&i+-p%QLq1qy)yEzoLFhlW6V@bn@q$lDpN+b<4UyXm52xR&asUq{*2S(9otJ&qi
zyQ>tM0rEnsJYQpmy_25H<CPO|rGin@!SG@%lC~PTNH$<?bxIX*a8RZ#h+td?L|p*Q
z6`{Qdfh-a)TuIi^I;aY(hYGnuQWDq&uTU}_#d#}`fHgf>j58$(BR6&@oPYgkse(lh
zwjm8kC}iL*NEQP3u0O}b{#d$-aQ`^mWq{V2_d;X!wbTf2KkPrr{Vo9Cs+9kMR<oHe
zx#pte6ZA1?=&bvwH=AzCNXP0T>rYoSUbM{29&7wCk<m=oMG(}kk%m7X_((yUiQ+V=
z>k1-kPBbD}8hC=wNf3P&DT;6}YgP(#Im$2Q&A?IL`T39P2=;!pu*sTeT-J@JwrX)M
zRn#nmd~~K}VbTKzNPo_^zB`EyMPdZD0BpN;M;Zzn-Wm~=g3ZP%pcK==!7&4LM~kGd
z?UD+q_#*SD1ICdPVv{8m`d*|wgo`=8&YpA_Ns}UH@W{HWJE85JSVP0hlBi82X3U)s
zV~t5#B`iMNpX_pMGXN~_Mg!;yji;M!badq@v*ZCsxSshukf!GqDk5>Of=6$JZlH@J
zhfY3|edC|K_T5N4&XoIQm#)^P2ue4AmBPMsHRtSt(*ugSBbqS0TsL1WFi6d@>o)Rp
zzuY@dHfn!IRWhtHqMY9S64w^1!aJ4WfYuG5q6UrG9B|vjBd+}ZmH@8pTWm>&_;E{q
z-h#U_@LG#r50W+U#y1agfJOgmBH}<%<jBS=Y^rcw*tDlyYCWEjS)%U}k8#M=FnsP5
zh)KFo(sdT`4kgu9_IOirwTO<|F$te{@r{BHI$4E2xGUm&%q39vu44mYHBEx$JWEW+
zVi1&(5?TpYS(^u!m~rB531aHaiO17x0ts(>joP0`u*xy8D2a+i*Vzp%1oJXx@j{p)
z{IBhDa1dmhKi)b@^_o_Z47S71|4VqtGp6#Bn;Q=e$nfq`;Y`2)@eWOoWf@2H6WSiF
zwW^M8RA5Y5S~keezT#w`6D(7LQ=mfsC&$u^6qU{0HpI3;<D3dn3v>(DFSr43Jz|)T
zcHfF!4zi662l(o_0o#0p(kelG1h|^hOH}Xr=zt9`^(embc5CWoKY8iC7*3Z_zOd)g
zDRk0N;pi)TlVjd$tgN7G50#!Chd*Jq3V)ucMAQ}NDI@SPosr1wA<e^~=<K*Pc1}?8
zw{ttFLUj%#;6$|=V5|D+D$ctl@Px;xz`Z=+E?1u-F}qmai&K|6o6)xNht7F%>GOi0
zZ+%!XA|`EA?@VjdrZjnz*y574j7Qkdj;$Igm0Cte%tkPI)&eV|J;|jZ3mpTWAFQdU
zIX#~|ATh3@{}hGkVco}6>#NH+daa0*a24>SwaIatT8zHtm2Np9%WKl7&;D#Zt;ZP<
za=#HLs+Uf==wM~;o9zBej4K)4S+&`sKjN6gGBn7-e5cUx5DD+S^e!NWx$ohEjWY)>
zrPoDf>*CEWu%Brx>ceAfUMOi8>VN!MzTrUk2)(6$Gfb=79NAzpkY)FN(G*8i*D$QQ
zE+V_^hNLaM6RZJ3G2&QugD-i`npIoewz&i5avvC|z%1qT;MEi4h5{KGN68sU!`qYF
zRKwdM>$zss%s|u?%yhskir*1E1dp`tO?;;$^`RvL(dgr$Hu|P*_Wq8Rcm%Tub1pa@
z+gQ>YRv$f$P7c17Ix~5Lb<Q$&9aSPu$)b<?PYy&4Z{Ct%2G?P$!gAX}_1C0Z2z@Ol
zSX4jE>7b@J0~6@=F^hb<bl_pS)khFqLiUf1WPedY!TL;aU?a9U;e63R!eE-e5e_r*
z$VpNZeOq_ZorN4>Y~V2tl}J^!v-8zIb~`;~g?0EQ5qX%0v<PGdi-3Jd3nJBQpw2DA
zU|iO41AQBTdqGU8vp6H>(0l~Ca?Pia7^snhe7foXT4MkmrKan2n5A*On^K_@K<SnC
zVM=`9DHS$YtPGC1X7y-P3Av~Sca)!TO7P5>=(+LxT%e((nDd%OAaA&Aes=lssqu$}
z@rEjezFR+BDe(sJHv_zn)Q&37M3v~2;+wAp5{`qlW?)Flr?^^=<VvQ|8JBm^*awng
zMj{y-g^^u+tGGVGh5ZYGE4MTeF(<0-`lTf?Z=LV`yp+^0GFcsc^Nz04;}yo)#byJK
zk9sF&8j8&w9NvKOKWtVa8mC5LM=V8LZco=bhOUFUUe8-c)nH12#g#oqHhMn`5B9&s
zt}Ip0$`ywhpS?z=tZF#7-sp}gp=w*Q<D}j+_AU!OGXS4@sn2DT15Z#iET58gvb?QB
zeAvQ<DuMBc$)f_DVo|raIV)Xkgg77@YFoT_LGG?9IEfivq;`?Fnop5;#C@FKM~7mV
zvQp#0Q{1q1ZGZy5hj=g1W>9;&f!!{4A+nn_LSW}GxTX#O_BM7zMc(H`Gv|w@jrSba
zO6VUBeVe24g0Ig3oxu=<$UxwT4-wgyEmGtnaKt{l=R?Xbpbe(5EB7HO3Pdzn=?EG4
zyd|Z9ulE7;2Ln-I8Tj0sWYZbq&@bs*g4y35!L)ykS$2wYB(-_YeX*J(H(E783?V>~
zCqcHGkpC@12+NN78;9$fSVkWI;#3$KWH{R2B*~B_4t4cb{^->Bap61pUF+v}LR1p$
zNG(JbKJxs@3&$!dY^`y=`8-{!-T!xj@HdM0($Cxb#f><5=$U;ju{C}Dfph&M)3biy
z;1>7vH*y+e{a^A-{}$5&Rm9&j>+EgYo2c8MME@nf{tx-_z5<Cgu-~2qWSJc#hizT|
zgwFc+bNT0D_W<q@SOHMQ-x7oUvJ5Lr{O5fA83m@E>RXwutmLH~%*<`=%I<woe5^6F
zPQ;U+v+~1wO!i#rcIPO&Tv^&15-0X#$8d=4->M%ZgFn69T6?TRe_~EN?zc1NfkCmN
zy_RLEgOT!lxan!LrV_c8jJN8}0_vN(#jq3k3A(z)cTYNkNTtalx?73meLk3Z9>9EY
zTYT+pj5O>1k-(9uWM$vqo;BQA@JIpyzF9w{K)<Hdr+(+Fm5ZSxdm%7%W{?(;*~{rW
zpu4>y2h=6i;Z>i5z6J&(=PJs#RZ;iM#FPVH#_JGQ4z3?`f0q{iT!~x1{|mYw-0+X$
z%0D#z)@%Ob&0IjcrO^w@*ts0WF`~AT`NFQ*9nYc6?rb*FIehxo5C5sZzewb}f*{+}
RP8H~la6@y0^7F2D{tG&~4aNWf

literal 0
HcmV?d00001

diff --git a/public/img/docs/security/example_trap_after_await.png b/public/img/docs/security/example_trap_after_await.png
new file mode 100644
index 0000000000000000000000000000000000000000..f611f118435f2ab4abc149e3f79a1ed2c10fbe50
GIT binary patch
literal 70597
zcmeFY19xRj*RUI#9UI-TZQHi3j&^K!Y&)HfZQJN1-LY-k_;%k9-|yV-8RrL_y~i30
zHRoJavs`tpa7B3uL^xbH5D*YVDM?Xf5D*9e2neVw3>5H5F?ePQ2nbxQm57L<l!yqi
zBEa6<>Z=(Dh-7$jDzs|i(kK6mkK)i^5ZKO;b%-N~xKA)-{(;UY$#D=cWCMbhuBMKV
z^MPS7>dr!<y^SDs>a?0DgHZF3S`bMtwII~g7tlyXZW|sK*&JL>=c%Ks>8&5FH@UDN
zrnnMcqyzRqBr(jxf_!)n<CT6puY&l4K%oTi{n~Vx5&M~!2jV|+`s{||73}^Qu;EQT
z-~I7!AeJ+%Z~z7ZNrFEtb5KO;4fh+hN-_%+<QT<xVSEfl?#d<D%D6x<I9JZG4<T08
zah3JQ?-~B@y*V)DApR7NoZAo}lFwn;Iiqrd+i{vOI&dCfBz+@pn;97yLn7Ft@KLBl
zsC_C|IF5ediI>f3j?-!Q@_|VflgxDPDa3k7eWOnTM8h8`v*@E=kwiqL!i_f!O~sA_
z+Y)D93u&Wt&^gD!)*C)pDWtvo&C@f_arnl0k;V<$ILwrKXoulDmZmvzPJe0b7kh>L
ztmCB9%%IUf9nCU}ai_2T!X<01uv=ev<%A~k*_=xSrOPs9CQ;<|z?-+wwf2jqwt&Im
z4pZuaj_3XCZFiPNPs;g(B*I;CPBx2%fWb&sWI7>LW%RIx$HY^x)SDO%;k0gk5^<@3
zz@UV+!W2UM`Gg?-?&>=65sU2hBjg0LAt(cizxN?A!XgM%jc^hqDf8o!iW|CnQ8-{A
zFn9og8|{dhKbvk>`{xfG9qknm#<_YHjct)jX9i*EgM+VDlE_R$ar{f{7LhcNd8Hsy
zZ>Ez)-B=*f{2<Yly5XEoL+o?%GxlI`d7x@}khlI!jL`EVnY}nIpD|tn1X1AfdzgD5
z!-+A%gfKNB=Yzl$A({dS^1x2Pp?i%S5VAnzHfdWRsseO2>D^&+0ttU1ulu7iLXi{0
z^a+`U!IcUx$AOwcX^9|=U|a`+<rz}KMTC4JCixPeE`*myS^`n#k0jXmi{Tf};U{PC
z<6uIO&R;0EgwJ3<3_r;Ru^EZD^Z)cuuMxn9V+cXp#BiX`Lbm@lzD4~=xe8+tXy1#x
zMfixw8v#a%lk`a%+APL6k5?(6#8Q=4I!Zf;S~U54nc`gurYhbse;G7e)N|BOeyJt*
zGX7cAy;$h?)<cX#wnJlQ$Y;hjR3AtmqP0juA-~}`CR}WmD70_U;R9a`>lh)^m}S}a
zS@)^;Ns5SAz6}~D*NAIES1_={Wd`eo(+!>XvKulO^VIq*D&Zp)N3is_Zh|@D>q1q5
zG{d{0yMekPFT}nCr}o<HR9>w=T6Uo1hBEXM_2v$5^doOlzyKh?1JOw0dOq)>G@&4&
zYQwm}yamJN^ZpJy6h<H;M_oW055F5IAFvoeW@ct?V~$~tG=pG1F&#6D8P`ocN`8`6
zCQeV_m16n=YsFIf%{l%y?KVJ`94}#Q^!F~pwK;(9iTMfgDUnufUO0trJW-EEhiZk=
zOW~d_M35<uk!qZ>HHmplYK&m42484WaZ)AbbF+Ar@_CeQ>S_tE+PXBqBEMRf=6l#H
z;*$_$R^a!*R4@e+gRQ(ivk-pjh%$-00zfHVNoa{i=^HEUMA%Rf+3yI;VM~GrR53^~
zok54euY=NqP7!?4lw=}gP0A6|n1yK4u}NK&Hq<Q1Ph*)$C&?F7vE?P@E#;SLaB8@!
zgk|1Jh2@^5<mGlMw#q(L-_%*ubShE`n>5bKmTS1>*0i$A^-Fw(-@>6PjLJ|eYL$2L
z#M_5Tic*SVizJ;=_su4Z=*Z~YD!)`JSKergEUVgT*ao<k-b0=(IE!&7<_I$s8+?yF
zv^;z~mUKosbUu_l#69|Uw132Y$iMLUnCW)=PWn#!PW-m<4(qsjx_ZXXSdh^W`wQ+V
zt0fCI2P<<F<ErJNDW_$D@c{c6TN#U|xh%UYi@uSr*=rAkO&_Ba`;rM@0iC^(MUJ(S
zwbKMDb14({=Y5*XWdBd6EQ%}*w(9XL(@EAT)@qiEM#Vaqnvr_TI(HreKi}I|+nber
zzvhN|*;-!Hr&;OVu_@}Qvccod#!|M0w&~{p#HFDX^Gdn;2_795ovt(e6+51?HR1MX
z*GkuoQ-agM`@4G)q-UgBq;`TfY*ulUA8C$js5^&SE%R3uI~EjP#R$b{@_yWzJQO@c
zj)b~~4gTGmzXJKO^sr*aK~o7e+H5LLd>05g2smPNl2>Hh_}p^58ec$Wg3||h$GlIB
zj!5n~&zR1Sc3YQkNZ|*sjWFuCJJ37&I;cDJ-A_Cz+!s7z9~Yl0Zd(r{ukIe!_E!ey
zO`Vn+Pf-P+yXSm0UZvhi-Z9=8z-7S)K<VJOLVV$y8N8cD4C5V?RES|rq3w{p2~E)(
zNDmhV7YBtRX|THCn&9*?RxyPUwFm)UOlfC7JIfr-Fzzr)Y1(j-@sfA2d-DcjD1G{k
z#w7r7*{!5(q!dzhVx{NiZR7TI4qr$hka;#aHHI@Lq+`?0=)4_bZZxABpQJ0MJ)jl9
zi42bp<NNfIj5bob9W_+D<2oGez}L#tYVUsDp}dZ=5n|9s6y_Gr5KbiPAhnpom~@z;
znZikXiLMH>PWD88CWEVhBwHnwBO5MhB{^6;RFs2C4U-t6G2Jj-H^VJvo)4xp1y_v0
zqaGFZHaK^r_&j~PkATaJ-zXDBCLrm_qQ^qRB48F`k^M7e3e&v#AZ`Ea7|zJu<eLYX
zCz+es33ayGiN;-(c@=*Rlr~y(kxS+J@@wPUiT6B#zJhLU$GdBenZDHeFd{0R_BGqh
z!rsH%=8cG6z}JA5JewakLp}oee(0}@wWH=URdO5f9w8i&w2@;GU6@Xh_V1>5Do+ZD
znL8YAUu!q&+-O|O9Zr7O+N~g^j->9U+}awnbk-*6Yim9`4qp>+jC~!yKl^f?bb3mK
zOliMf*llxCRgDpjflR|kjpu4}y58XBjch;F*?I1D@?dpNv;1JzZRqy^nhPGS_D#(U
zx)z!Rxr-a!x8%%XXsU6}dQNO^!#bFaFEj|*pwy+Lk}u!URE9v8q7;uC*Xj10X})&f
z^X3^GQ5sQfxYu#?YN31J{rWKYBYZwFD)FuuLH>+ij!$n92G~5uu#&Ogu}ZMH<y`U1
zEN`y@o;4y3Y$lJhDtU|D?Z!Q}pI&bgu>cHF`sjN2T}ck5)h-?<Gvo28M7mnug*#;*
zb0-TO)p~X&O?oZofVWe`Vmu2wW;^z^y6(9}y9M9prnR#ff_s8!H~e$f4VR9U>DIiP
zSH5Pi)bsjt1Fs%mhm)=R(CpYgLKn9|=R4<{HfW+^Uf+i=H=_eHE>nzCaJl1r3|`-_
z@{c(ZH*h^qy(aJKJXZ|9b$BlipLyMQJzp5S+!(|gBqLfP&mw6f=MY>Iw!L_cp1gD9
zbD;G@`i*?lzEobVsQ9&gEb)Khn*NY~wY&DYf}TTWBeE4}ih+vm!j>V(#AbLccs{zc
z7&>TTKsA6Ouj|_GO7UZPn!jHAc&Q(q9hE|r_?b=!sTkIGbp_H<4eE~%335jdGC;<{
za@Qcp@&R51`%00M-d;RN=pUp95?lpAyvYvIP8}DI8LkixN*orrm<{^X<n!Fplbfe{
z?x)rtAg3ReM;3U$<cJ_XlG3@}8C*V`AXSuXdj%H!Ks`5Mt&=in^MGSmbu&#Vb2&K>
zYTz{t2xzDk2n6s76nNkQ4-gRWgl{0w!1E{IA({vFuTTg;9{9hmL1q643aN-lNdeC)
zCIB-tJ10wf=SGmCI-scqD^*QrO*vU^6MI{FBU5{0GkSMhhd(MHyzbn<OItH%BVu>k
zuXaw{?tG+wNpJ(N|2$?OCH_mq*@ll)Q%;ds#2#Qq%udfp&q&G-M@&r23ote3Ru&ci
zr#kSCkJQrH*@2sZ!OhK$-i?Lc9$>-1#KpzMz{t$N%uENApmXxDb2f6Pvvd0V4<rAw
zBWmVk0<dy$wz9V){$tn3*xtpNkCgP!i~jxlM?B5kt^V^SJEwmp3z$HLKOqcE^o$Ju
zwhdI}{qvMt(aPQItCpyhEzmu{ckr{YF!TN;|NjX2&l~?sQ}aKXOiV1C|E>C8LI1a^
znv)qo#NHP8PG|oAWX(U7|2y!Xio6VelKx+=_=lhWdJ1$jKO8T^zcY;=t}6hE0|Z16
zL`qah)gAOS8#)braQ+)IDKRk&3`|Lw7E`E=I^*|1E`vMjefJ42;|~3PwwFw&$p|ea
zMO1XAAW+mV2Vb}rKRn9MmU41(meT+H_p%O_vd@ppj*qL$%FE@mZ`Ak{#AFdbMS4&e
zA^!F>Mi^i=))lNS_`i!FfQI^00V+ta!M^#E7{dI`Ns$C5jkH*pdMv`~?}GoK12lp7
zH@g2c`2U;uk8}UO_@bw75206rDE#&DN7zC5X<g)qIG&ltGBQ8P(-DOL0Ts6!=916D
zPpjb=438r+fyr=+2v(~EE?-*%p9{Wt1K+D$$5=kmd7bJe8P%JYsa%HZAw1HZ;TI1A
zrzputOtz`!PfnV3rs1^u9g7&9`kkKBHAekWu|m4j#CInPsb;BkCmK9E_2?(0XXOS0
z@dEECT6SFVNCcuy8~O!~JH~6Zb_XX`!?G*1SWhR_-KM|u#pd6~3xzB28zXx1$^4EM
zrJxn4$L9^iQ>cEpHL3@UUhT`gUz>*C)4{yyfe%g({Hw%LLPH!Mg|2^0r;1n!o24-d
z75KcA`FmYpaNW(8-8f5pmWZh6^1PnQ;S(eDVdbLrydR|?)oXkFPWfrMF>;79_h!Qv
zP0Q=7?3(u~c%=JX%|*XdVv6@OU^iZ^P(rD3l3VQ{gp>PmGia}@yh^#y(6f>lE*?!S
zGZe53+fxb2^>#aBcDdPWM=bBr^?Y33P?%PY8*#qYKEB%OWHw)+b^e&5V<&~zjgCd=
zz6t8_d{n%5HB6K$pUrL7vA6DZLD#(In%Q)u_+v7S^dYjxtp}9UWavw=?Xs%rqeFbM
zx-?RA{VmLEf%bL#MVC(3<2L+5OrGG9`%d&;X>pEpZV80OB=-sJ(`7$$q0K@SV2bYn
z{Wa$38EL(n{`u<hc1EFGtp&3~F~z7C)lihxxer~dA|kGa)pk~pyHUHBN~~{d&z;xw
z6}@%8aw@oYEm+HG_qfw7DSP24t+qtPd@6B%980~N&+J|ohsVTq+DD1f#j>`eVzHs-
zLAp%}RG~^8zc<mfcHl)upX;b6s+B>vLlpDSpni{;q098=m&nM^E;U}uR>h<GUT0(<
z?+@KGMTVz>9p%+s%Y$-wwP9G|3b|x6`-jrfP+E;<PF8cO8k*8y3d@Rhi6~Y)C)f-k
z?SajP3tB*(UXw(8U&rPok670$v)5%h%kk=Otz86yV;y(X#5P-<_|GwyCMhp)Zy7ev
z5v42kSWoBeUvsLMw{H(g`dHQ+f<_9YLKtqKt;_C!h0a`c+hM_N-9rMy<E#N+J5D>n
zkTfFaj_Bi2Vn~^`c%O{OsH^B2m{;RE_MOR0zEt!%&eKxXunSrn8$5e{A1?+&I_JPV
z0lYsQj05fEFzL(D8?S|YvWTP;ZCVoFoe~fekHxh5C0O8bld;?3T&UOL@IBAn>w1(T
zF^O!ihR|V{z-{Cp*Y6xXETk$~)(84xBV(EBW-`ZVk}IUEaZke-V!u>v!Di!~I_Mpn
z;VgqA*_DR&LYh$tgEUA&E{?@*T{&jiI_Og>b@PhtudYU3zrJ_+-`PaP1`sd@p2zhU
zqmdNPR()G+T!g&V`QGf_4c@ooluJHu^7J$nI{Y6#6%`%AEKgJKdZv4r6V`yp{Nm2C
zVWe|HN&u4QWwQ0f!>Iiav&UT=z;#TfIv$4}#PbX=zWUu7It6;0g6Y2ZOBOQCc5BmS
zJAKWo0GXqi;@DH*f>>kGNNfAWLfNV|EnUWAM8?ICYy$f@ha(&x9M{)r)+N70m)*FD
zh4Dw)kd8E4KBl6+F^}SGSL)rfnf+wj&Z3DPdSGABqZ}f*L=7l`tYGPS=jISYI*Q@X
z_{b;fJH_B?Auk0L5(}fZgjE;kws4HVpF9bys0j?CFXK5WHKqjEbzBWa(P)5v)5QG>
ztYE#RZ~NgO*v!8w<YTyxDO-0FWK2t}^_AYywaq7IF<jM-o2>V`S?1hJF`n;TsJnCh
z-k0R)^DiX0S~W4iFOQ#NSf+SYkhl+t7rN7QOqi_moITjB76s{7Y<OCqf*4F+*fiqL
z<~6w-Z;qS}WEdKMS^jQ`KkfXj9e&y7P;+U&uqw<yPMEEcN^et5-Cb(@V_^dh^;&`|
zF!10M>t%#x_)MpGHQ8bCS%%K-I$2?s_jNmx!4;nK<*eCY`73tu?eQGV+1+J``9ua+
z^UPAc#rXC3OT_5qoicuI)69O|r1UeY`jbH}gV}h@nHhyG-bj7WEx4ZXXj4uNdXZnZ
zo(9gx%f?5MS_MYgW9zKV_j9W!po<0fNEJVeAyqM6jvbO#X3W22p|vT}bbrv-mEBMA
zoKrr3N3~j-h7QAUY&@5B$XoU69vR~npT3AcG%jlkdAy?UUNvAt?vH4nfy4^yc&Qp0
z2<N{*too#xL|-q<X>K>%Vyx#?nQIYu-Ekx8y3WNZ^G3in=7*FdduiKX_1SvzqCN0C
z3is>fEbG!Y*-Uc4&BVJCfavYLOj!tm4EhP`++gc<^Gy);Zi0iq_-E6~vqys+K@3@6
zeIOSc@oN1h!qKAAZcV=^#VWtOWSlS-nG56A%_T}xDLuWObNtBNLS)B%hC%T#5d)wP
zRtWBQK;Vd;+tY$$WWF88hVJd>!{*qsw0G1qq0X$VL5zsZy9F#I5u`oO@S%#Qr;BCE
zZk3xtjt%en<)3wp^qMt>0f6U@t!vxal6d};{mIHB4oHq;^59HN^2sF787*};*EN>~
zZKuIBCX;V8JY$LT%Zg1Jb!oO%oT$B(@HP-F63gY)pUb^ASqytXZ0$E%FuK_0H9see
z2~4;GHbh}dV-|*PH-nJ5vC0>JUc(d!w4O4f&hc@kb13ZgfR{5b3u4VNwM`GQd+eeb
z9F@=Qt}{L3?ncmvcD>E#x^LD=y@;>-8SH)!6<u2rt@-kD%JLE01%qwhCS{te_S&-b
zF?h^#T}g3V>-X`_Y&M3zBnY}>k?WI`S|-*qa_*k*+GbE@wF~UagPUgB-7ZA4*q1@=
zg3@O;m@R)1r{{ImYL-Goa4r9Qfy2e*qbVg?QP;7>5Oss=*gD>5x|`SG$)TXF7pGFx
z%)e7~n7I;({*AQDM+W~Q!m~x-y4c&wLB>qCDa7srJ=I<3>aN*umf<~DpgDVGvHXjD
zZqgl+9|jVo($nH8VvYvWx&z*wv&^FSg<jNNh-j)kaF~idyx{?n<Mu-mt3|*>cUaTk
z{$~VDgs%H{%a`k^r>e_0BT(Z+xz`JZ4%fX~ez9C0PWw_!NDbEweR}V`9Zj*x607=x
zk4vUN8mVFR2{qV;h!@0Z3BTdVN0lyYE`48>$l!bHr}_mbn~^NYNYh4)^5cil+C)gK
zLN&JT#^uK#Ds+-ni}<E+j5z}9o#Ykq`pIYSkrpcEqbV+CuU_G&M=XM0!3D`}0=9M1
z?;fFb(%c2-Zn`#VM?W5399K=3zRsC$sFN@G_`QkftrkUyC*Q49QtB;e$sIHFYn5$|
z-L7Gu{Xmxq5ocH8Wk39-jcXl*q?=_vVQ@%W_KWna!F5<ve|FA3v8Y|PS+~-M)c07A
zIn;k6Pk_AT07t;al{w|PN9T}*T?5jPyI1>>l)#kk2LlHE=x-)bR=uX3Bx1d$jU8fN
zu2=IHexITCJX;WYO7!YGjD827&=tq3yM_qg5d)7sj05hKdJ6>(sJ81dnnr_}m`a!g
zn@-H{Fe!z=A-*aK*!X-wMGN2eV4?hVd~ODZh!8COOA0>4gu|>}#Q9frQm6e#3Cf@x
zA9ffybtH)IlsbKZ*MZ%s2KP6i9jru3+Ta|Fh{a;H@$$1L;z)d|qFC&onDvH1o)KNa
zie<VY@UMS+)J0*(k7z5N=FtlGu*%2xgK(lG=~627K;<7YTGi8&kN7-5GQAmGTjWcx
zG7dsYr_@ONL>36+y-$NF_!WSFPgw?m!nRaNjhBKPke4OY8eEQtwy7cyTeS(c>y%<h
zhYE8=<;JwjME7dfepWQl6b+y77DpnYdgPp-VrrPpsBIw>OO1-Q%Ia6PA)hp}4>9M?
zglYnS%Y{l@8&@-V^80x3lS*6;M6b$_Rs31A?bgCRtCu9^oxvWMsphq)>l3xv1gnsx
zq|OwO%L_~m9*6w7T3wkR6$x5U8efvxizS<1JFv>Eed)+pG4J@fi-kp_-qH6kl~$4w
zN$D{A%u7NE=zBxIV1|=zX}LwsnnQ{Q*Pxlxu=MbTB-@hZ1`lvL8N_<4cgP7Y$&uGv
z^M05V43~3fdWq3J34d&mdeqzW4cLJi#6JsoUggRkEjqV?ex1hTM1p`6*NhLUtIO>g
zq5KL~MUKu{kk0K=Mh)_ff-2DWHxm2<&oy>QHr!dl!|t4hfy>3LO&OOt01dOH{9L1w
zRac#oSjpknH!Uu@2GbR{U*CwPCtEZl@Sig!R3rNajDvl@z!^OSk@71#L$&lO47;H|
z^w;F)oP^?&9)sZw-1=#m3ZeEl6D#gsW*hw`L+SdU1Uxp?TB5-?PVy}@_t6$VP*EDJ
zUJ$8RNEgTDlZD-k9Bhog2t>yPap){iQ4N(O?7wR8Cv<Y?%EYXTH|n9bo@Y<(rG~3y
z2O5{l6R4sxNy&RZ>m3AM-yd<0JnHz)b5c@nR=1X{u+yVMPCl4Wj7E9fgp8j1NSxw`
zPCY$fsgXv{^X@ZfS9r+FOK;eP6p1PALU0JhH(HOI_m;j8u)Ha>J~npM8HKXfxfI{a
zGqE@faC$iRAOmIscw|Dm_0|GKyA{$&EO<Y<hR%prD!S@aBs;I(7`ZO?_{*GEgzlHz
z>9AbBX{!X_*g4r}uM5?52)7VTt+_2yw%X-pXMv6Aja+T~^nllW_mj<}(zGKp(o!%*
zv}FN~Y@S6QZ4UiDZgM|33!P({>0b_Km#%R*gA^M?r3&hOayRRqB{2f4eICm3>+i(t
zp32S&tbUjUKfkN4t?EDBV{y5qR(?9;-0)mh(kObG<SkFcz}&)y?v+z5xsqPe$jA5v
zoJ)<NfzG|})74vet)Dg5v+sUXwiX@uJbpizNZazr_1^YaYkS(t=J8tZ@OZcVhIGff
z9lxJy@LDq%$!GtIcxuHAOW<`*qdda-yww-`>S1a4#`pF2jrqiNhucQw*g=+4*>-4b
zj@P6DuwCI~y-VYLxxMNj<a>Qo;El%(jT=qmtG3noGY|D#ukQ9-|C#>Ia?zYiwBF_8
zz5G=;*Kd8wB$Cei)qN86Gw;Rq_}k^@7|F>HX8-ZJanJP$4zKlr@SKOcg`DP5a^FWC
zd$M67wy~S@*5R9V4`5V2)`qWwka??(M5f9OHg5KRO2r6xHXN)uhURK04!57}dw@fG
z>Th)AxSiJKaCo=ml9!ygEZlXhck<bfp-;Ws>rC-{cnkRK4Dss^<nXWEsOv8w3+!W0
z;j#a;XJP2v^*CErTVt>!dMB{HHxTHE_yLw4LOB&uO!H=Ca=g1RBUN0S!a?Pj)Sz*-
z05>A+Tz5j?&;yENLLFaG?0b!~6U;!Z5d)ly9E1cV#7M;8mo8SHMicO`Q)QtMB)PXu
zCw-Flm&fm%U|;$9R%#|j8bb}i`#v2`4KuAL4W|)_Y&*V96>q2PE~j9b+d#8?Ax-mi
z!F9pyX9VNEVAs+c`!MCFzUI;gG3E8@D8Q>*xeNi!zzgPa_w{HFPeMn($KIQ!l}Y68
zhxIb=h&49|x3Q+2*}aJ$*%D%OMjbH(Jf4Z<auND~gEIeHRZw&<I{dUMg6Z=l6AJt}
z0t442GeTQ4?ragsu=1b-#ju0Yxya%%LWRoJgg&)^f;R~sg>b&aJ{!*j+l}v8n9D;A
z@fcDub4aOfq8MB`+9Mdd^tXG+yqg}&7_Ij*jW=}P_3YbiujwAUP`X~PeTk;Ht~>-X
z*ls$I2+Fou*bk=%WBrD3a+*!0<{B6D%f~|PDV1X`X5=oAZ)cAO8Hmkv8y3C%4q@!4
z+H)ShDahLu6TPzb@m#)Z@b39Z4IBtkq_4j}be<wU^0jtnH#@{PpPWs#ooqpv6n`9@
zz4$E~iJ9gVbzgOY#w)(<Pi5?6zuxjtZEgAU@Z;_tiE`khd*QonEQWDGT~~w(ym~5A
z=cr)Nt*hDlW}tUz;=ys=KY5rcb5dL&zOC^b|K{j`8Cb6*^4;oWd@N3S)VO<}^|}e2
zwZDyz?bw>os$nF1-?P8H@x?C>>R|2jL2mijW7Q}R+#tAaceC&ARRgt(!IoHco{`JZ
zUi2u#|8*d3$77X17B~l{xq<hFVn)>#S9sClTQDYAQt#V+?9Up#`^+CdQ6Kcp{loX&
zM?oq|ugZFGe|Zh-^U&Zr*@|a`46gzOYun-OkjU*zNRsYJW86bi2XFx}?;52fUJQw+
z%TPVqka|325#@@sMQtlEC<Im=_Y@A20`Htf2}|#1Yj~>F0k*E!Y@3n>$=mA^AT!xP
zw{0;mIN2#o<_1+A?kPxxBGK?IXfDi?sANxAO;&BPTrEVhSpJG$RE>#+C;;b`V8idC
z-P<2Fi3Fvw?7&}}Z=iS>gC>tOpdnpNMKZ27?e|2~r@;11+(J$c+6w!cut3#}=N@JW
ztYx#txlg~dZD4k5VBohqJ)f$md$-*U34#Yvs>o-f?P4}{&%nlUS7jgjaU+v8X}@TC
z4AzBmtBRxtQw|2xAWvyqDnWkJ5h|rOs8Cycf|^Wm4opAG@j5@!mB@Eo<bw9Qbq<7t
zpmAss7c>nUm!^V@#C07w?pa?!HByUP>!?!n%Ws+UUA6Bq&;F%uJXa}hR0--qRHc$$
z@qO94A2=bf;(JAd|Kjcg`G%<OW$o~ZMis|LMfEUISYIT3JQ_FrvWlc7a@#cwg(#AD
z70Zzcv0%|h!hy)Qyqv=Q6EGrNjRTKdSw9J?%d#O-xHa1inbf6Q_21Zk*y)uWI=44(
zJ!8ROGB=pOQ1%C^p%z`7uBuCpHeG1iR5q@@R0O?7+461FZFz=4;#a9TURdxyUCV9p
z_zzQIHVNW78)z;Ehulv-q+Fn3*0sD|za6Yp=$2`_snz1(Z8k|ZUg@cc1Pyp$-#%e0
zK;q3MpS;YTOenaxbbqhupMYr`;4(~X+}rxmMj@#kMB%$xZ@&lFn+vzQil+Hx=4D6W
z_JCJ0Ppal~4nRzq)5}b8QioXM&{V<Yn2jxlYv<ydQ-Q{Ik@d}B6hmtHz<5waGoMJ=
zbFOhXx6>KrN6q>E-apL!{#|b#5mEGgD1YU-e0;_LDZW}lA&!pwxM$CP>#<9rJK3*9
zXV$u{9NR=`cbl&%-Ylp$f=E^U1BYfa1CavBN1`c^jm-4MVQq6dyV5Y;`=~IrO%A^%
zh1O#9&SzT-X``<GQa}5t4;nB^xH1+}?R)AQxrGbU`xbJ{Fvf8pc(<^h+3!|Qo?zcO
zznhaX59}bRi9r2s75xtck5DKb15YoFh2s55L%Xd<?t)BfyB%~Oq_c?o+D@L&k&X+u
zT}zGQv}BDyB6}v#Frd00-$M1$^Bv20h6jT{tJ^lX>u+nU+B~ycK%I06mFTm2ykNRw
zYjoYR1&*S=h3*va49$Rb#c>K*1;;U%4jz383#Gvd?4zPac-@+ZZFdmc*>#%SZRFO6
zB{yuj&+{JH{fIh&3Cic}MJ6Z|Qzi6$GzwtE@I_q}f3*DZ%W5pDIQY7g-B{P851(Rd
zWd{s=SRso!1Q43cx#fHm<JfI{K)q_dxiI==R^dCvR{FU{iA{ho#R!8UW%+}MFt9uL
zVpjk?H-}~y@D*pWsnJn*r6MMmgkDdsKR*KJI`Z3*cDU0;-~yGr;$zK;E(uv?SI`UO
z8~hau72ORTo~HBJGTX*3)zN0t59Ik))A_*mv)bY34s((V?&eJpdwEU8+mfyopK*su
zF%G0^e0bg#hCVSY3g86pZrZkeYgJJPwzYU;A;0{kuES1*Fd6lD{bu9AW$#OL&5oKX
z;gbe(>qou)Zh^(RV+W^0tFzL1iiz=RO}-V)nfIG(<(?K9o49W#uijeD>;tQ~16xqN
zIGww3RfKFd%hZ_zy85m^P8Mae53A(RRMuHjv_ZM843}@aoatKksEY|p`CiY<>_=R7
zLCmi+Ww#9<w}bO6D^yBKdR^|8?(OBoNC#wHJx5gGExpNvsh5G9nj4HN6|c3MKwgiZ
z>#%NR!U8n-c9es&fwQfn{R|o^qs{s@o(3|1mNb*21$)uC1m1REx<z1c!zQ7#E_e?D
z_T(Mt77SX{^TB>oj-h?oY`mO`xDnV)4dx-1@AJlXTquV(A;F=+DD-jYV58*UY&U95
z>}AL2)@0xNY~OuGW1MDc{M3h!lwgidj)G(oohTKkR@K5unTJA4*k@YjYdPl^mK>i~
z1r`!Rbo^m~fn8oK9N89G5+XVxO1cjv+f~D9^nmj^SDO}&R-sr^F{+MTBeeM(RTq?K
z(euD0k=j?j!p*wkWr~L^lU3f(rzIs#QNfNOU6b`F1e;Q(!v&%6s8LefMmc!S1L%!n
z2U%iVSt&{^0VC7vP!9b;Iibp)L>ZFu^%?10>Z7kcQGQhQ5HQCofKc^Vm4{~H7#M<?
zmGihiKy{`hJ00`1-&Z>H0Q-X;o!jRn;!{gxg06<vtzwr=)fEPpX0&nTC@EwhBvt#!
z9!;TdZcW3J+X7vZYD;uhl{alHL8n_FZK{QT7Pd^b*>v315TAvL8ccTkiF&w9f0DyP
zf3CzxeC)k?;jl04c!Fp!Hvq)w#_8F6v!xFZ{fP(b%H1}TEm@>l(;((&O{Z57Hccjh
zvm4Vpii9~2prd3ZC99#o=#$0T4rxlS0Iio&O^*+x(Mzc`GvtLv5kFG7R#z#?Xuk_q
z6h)aA{-fLad;oF8J0R72ogxSJy=-0Jl^pA|sd075t!C9{@x094R<mX}yR;x?b0lSV
zp-jt|WZ3>`-lmsul9?F-As|B3FkLt~<BG+68Q~Z4^FRe|q79T+3vDp%&RTHp3)Gh`
ze3rZc0+MV80%0*dN!Px&MIqQdC`|lp?m`)@76)}~RJ~bA%D7jQ4*|1a7_EaJ9<Xru
zt{&49(OEXjI2MmzdQrf40Fa<$Q<<?4k+Zw7t*qjoHD!#Xg8M4T!Q#oJNu2R!!FPvF
z^D$nJbk`BLNg74L7D|T+W!ANGEKKsICMiQOWmA_NDe$xm@J=5~41_32z`x6uziYA@
zUZKG7C<<E3wq54I!{;f(2Z@tko}wq8Gw2RwBq5)`s$-X{Y&*mXj;2J0d&rGprn3Js
z2zepn-LPw?qj$A4`cs;y5YJU8CxAQN3s7~X^|B8GccIzK`N}YnG!-FT(KBEt6N+h=
z+I43<hX#~7wXUI{3VVcrJM}ONgf3WX+C$xt<eOzGr<&PtwAJu*aO33uW`c2i-3%?u
z&Gx}QxM3p_{;HANvtx|?)$fkI+y_|>6|1o}Cq8}8;L2+f(B8SKhltC~DFL5{q)lAT
zBp<NkFMAa}Cm*_Nb4t#u(<G?4M4Gz};d1**PqWd=C;3rOMWH2OHd4uceX%U8FE^qO
zq*<Df*8RyoyJgYC7m;0odwec(<X~!%U$a_?c3;EjxS^$2zo;kM>eQFI%5-iQ>7r3l
z@>4%<g++8GbV@1AoQBd?alOVX4-nQG4ZiqBpZKeLJBBwkm0m_^orNIs#IOT*Yh9D<
zCOgcjyOP{Pi2mT2-%$nq`vFz!BOUZPDPQxNq`YEeg-VXcl-6MZjcU`K=tg8DXM6PY
zaQ%u2NiwI<({<?rapfECpXK)mK{+cQVh(cx<UR#IK8B}e6^h&%4)5Ih$?Kg4yE8O|
z>Ml<JE{y$#d;d+-@)*T6;sJbW!S%f7IGsi^)b+X`65s4i2K!w#hvnvQz)0%jt8L5o
zgJ`0Q;cq3V^z)mzS1njaFrRZ7vFLQ2p$RpUi?7!_p$T?9+As9QI%J<wu)Zo*RQP(V
zZ)$NYkK7O|suS{R5cW}d5$gsOq&b9<lUR#ww%Se)ARpime-S72D4?#e(U=Nqz<v#S
zxmu|!EZ+6<^$ycsX((-jzQfy`%?~-C;;>3kG!W8XCCZmMh6Vdc>>bNjmf&xL(sf+s
z>n)iX#OT{Pb+@2VSUMViz3g5lIZ6#5rZIO%X{##<t46X71NS3dwRh)8Iz2%USwVN2
zE{Sh%T`J2dkLR()y=_NL+5I-y3nSq)?bRjHij32T*pr5AJm>HTF1I*~m})^hN|9Ls
z*AFQ{X2}JMG}H=dNdqsLI#@N+RmQ7Kqq+=HWYKe0X;kYM5rhxaTwOnsnw6BoN6p8(
zFYa@?c=W6H=t%_4tHWN!t#;#e|B*lv@^7iy7o-n*ekvFCy8>_}GPCu`8M=<3g76LC
zy7i38%-ev+Be71MiJCdJFPx!dOR=3=Zpx{qMx;pXo5)_jQr{g<LZ3@2&6$qto%707
zfkWdv;6nQQXiWVXPYlmF=UFw}tPvSsy5FZbf^xCsV){5HCICG5vt@Vow0^tW!)SDn
zy~Je~<wfIXD2fAkhT9#dXou<3mLCefve;*QMJEmruN__kTNfEN%Hvuw7b;1ooRp1r
zPNy&)bI}wq*R$FE@#uam+BkWiug8N+*Y7TF72rBMr-&tfwh6)}^@9nW#5D8oUEyKE
z=zidkAnfa-kYh!hJ|<bL%aP>mX^|A}aZtCx|FF}oEt)TN55)&a-U7CHV@^3+N_Zqa
z7CN(|CPd!4Z|J=`b0ykp{F4E@?rmb8q}a?ylMB3uK77`~q_mtMJ9z7Fyqt2c{QR5H
z3T}<kSwVCK<9L?*A;dg{%yxBdm*Cap*T_givbo7jAH+H5{zp_;DKWoYoi=ufd7sPe
z3Ubcla1iCas-(jzwsXC&N2}zK_X=qfR3%)qPF^7Pq4_Q&ircHnlCkqm!kT_upvBi!
zQVdytz0FJcnWODZzGo1X2%Lyvo7M0l0w-bs6v{Lkj4JLpth#7ULRyDXBkSm7sias$
z8C=fKHLS3hgv5LU&Y2Cbbv;47!Zju1V}wu`6>-q7H4fK;Igv!Z#09;~Uw$g|Iyy|=
zZKgq15&OpF7@SWKVRq;ui&mDeVXloil2;fDljCFNYz4xL%9-_lUm~gpgp<JRCVqXG
zAQI-9jb5(weI|K7w(v(ZBSY+~5A6?v#8X#b3L0+9vp2w+dkY%DQ1Mikt^EmG;iQ?o
zw-hv|RYPhYyyfn28v0mXRWU>zTh*>0==#&8CAwxFjurqD^cAO1w#jEcyM2vltKzoq
zj!UOfCFRg3EHSp^TDUS$-f5upNVlkNA{E1J#MtG4NTLny0p3p8;h-kst`D9eOkNXh
zX)Bd*V2@iTu~}81qj=5~*2#Jr8k6UXF`ijd3qtT&x(h|nrs^6-73$gqh2x~_#G}UN
zmXsRlu`#|tJnTK#c3Q`(b``D%T-~o>{bQNumRquo{f<lfI17xrxvJ@jsz^Wk?0asj
zK>BV(-Zdp*pX2fnLsly31G(V?FW+jYXRMPy$5zxK6<i!I&-qzM5_J&m;`mMlKE&1-
zZe>08zNnmbeO~YktPgXAO}{)oMwan1V|$diOaCoY&Vq+*@}s?$D^O0|pG1X_x5XL*
zA54GQP18~(POz+Qq>-hGuy{gb8kS><X>2p55H}wUs*(M5wo|370!6K$?XtKbu?JC+
zB1+nHqo<X?0W^nvOr*VdwM``%Q0;w2yKdM0=K3JpB5s^L^G&+)yXlOZ;o5CN1~*a&
zLY3qv&9Pc*9hh>Wk!Z)#L1yR$9nta$)a~-n(vyQHs7peUUx7+ymp!%7Ez_c3AmDLm
z)%s1Jdc|zz#~?}DvO6y1F&;8fXI@w(=vd_4p9$9Hy^0Rcx$1;>_MDUbEDrbwS&UEt
z=T#qZ{e+$qTEFnS_MWG8pKJ+#(e-$B-lcyQ|CVVs*(b*AeT{(i(Gdra;jyVcc)#%B
zy^E;z!v(&%@P2p6X>ZsuanE{hPpj6-B%ds}GM(flga_(@zNyKs%1%nNG3#=c2k^Vx
zXRjOD+2yKuBAua_?;*#|qzarUS;}wH<(%Bj_cfWvpj0by@odcTrfvUhYB!|X4^Yti
zb)4_(HS6$7{aXf2d&8DrL$5<7f&qL?E)MIg)?kz>EeX%M{#x#&M#7HZy~_1rYS)w2
z+UR;*Xw2!kWNz$+oyi*Wvj&&yl^Hyssi=s4(cIgfOoHEG#wBn!M%PoM@mt%)jQyuo
z&bxw~dQ0Q>d%XLTgfKk()9MG_`_bmTn=KR5F5}yq;L?~>7+;L0$Zp?_Y*QyPMRC>A
zFZOSoypq%o%@73>5IL<kDRnp81ZWFfhZTEE+ToS4zuMMnL~PdPeZsdn^<)Zn`qx~D
zRih89oU81Er>amcJlL9LT3@RYSf)3G`3)quI=PiL%01d9-U<W`MtDSgQ}+a{58b2e
zR=aJcD*+z4>v-J4^d6nnPBZO-urWlu0EGkjyK?Q0UL7{O{oH(>VXlQ?m)lN+FDssb
z!zeU`_n@JIaRGk@2L2?9P%wwwI5W|&A)`Fty!*+WUI!^tBk^5;B9-E@H5%r<o;+m_
z?(AvM1V5-~N-k@W&CviF5Dsci;Kw3Lv`j|jrHnYD;out}ykNY*{%oFALx4}3@e#2{
z?m%Rcu9A^UV-M^CX^iC2UDbZ;yw@=+&ytiL4K7=O+?6RjQfH<HNE~sQi82PrrV=Fz
zjl|TGpqVO<?_z17lc%LiCMYH4CG}#psmZ~RPGj&6J0vNfY;40deNWJ2`b}RTJ5%{9
z?dyr_9!|YjZDVzv#}CS~QW=FIJTs4YDKd!T1})cUc+TuPS$*3E<9mX+bzbs7Z9}eR
z5p?$!RI_c1FsU3SNsXxN>Ck&MgmY|3iYE~qZArW0LlLzFw><P0U7w((-&LA{?c@*s
z8)Y7#cx3QjyvH3p`ff-&UR2vGzE6pRPVwZou`Wy%N6K)v57s*LuPSm0!&C3w^ULM(
zY@lA(t;}VV6&O)uJLl_Uw6E378VfGdZivpSzGEk`9|ezI#$6@OA(kgQ^-5z^lW!%e
zU9sq5U}h&h6zkm-;nZ*A1%AQ^u_bvyw2Powx==BPgQHK<n@cw9tKf?H47mqwW?v3h
zE_<Cw?XbzOT`mVNk&;Da$G<SEDT!g1Sn#{<&dh~QpvpJ|JuKlu8PgFnv@YJ(<wenT
zL|7_OUh`M)TZCA(*CJ9A!k5$ss@!eN_8b76O4VJ4%{%4>aINGR6Rfdpq*O<7c_xVm
z?9z$xyQrhTp9i-P7kDZ{fvaYA+HMR898HtMF!fH!kC?GEP)vf;0#F72a1zBB7}H}O
z#hRM&6`M8!G>8K7Q5eJQrN(lFvM93H^Ng>?z=<=PsGy!<cH^lW$68YDhLI2?ytw-Z
zq37ZEC^s|I6M&hJ#)3m*nE{oFZo4KvL|x^=_Uamd4LF687ReKjz*k=&^!`ObH?)dd
zj?UiS%Lj^Pizbq{ih^D8?vOnTf#4P;3-(0sxP&|V#SP;5{_Lbleabu(LD#Tmq!f|m
zdNuc_GHoSH!3j@N_0XB?0>QmIS}4d$bh$*4lUNqFn&}Wiu4e88NLjiJZXmF-#F2r;
zoo}C)Wf@tiFsAg%McRMegiEDoUdd=yOzhZMLhLV?M;R&7x2be+H34##lr#|51tY&N
zgd=z`z9FUQS(xPLsY_}a{Rhy@8-nQ>y<apbU8-oWqKs8MYZWa{84>=EKo3fZ>>ndr
z@g#+aXr9K=S~?wU$y$)=*8k!-^Xy3S2nnQ2@1o$#n1U;GKo)2Io4!;Og|My|p)y{g
zwfUFE-!P&9C}2m;5-?(QBL8nf%Mv~4T#W|M>R|u7RGqNlQiU;H78&!qQ@kU15{g8u
z+<zzMpLlA?I1H;D-LxYI+0$|xy+9#f=AZ3oVz4F0T?9Y1-Ao>u%d3i!|Dclp#!+WM
z0w#yUoX@p_5NJ#PqEth~h<O&um~zqYt5W`0`R~;Kxl8u%`87=QJxN_07;DW4lo9!O
zmZz0Mm``4+f0GPhm_=_&h;IbI)=|**b6hrQag&VI1IOP(wSOfHMP*m>^Z!EK0tNDf
zQAX?*%34C1rmHzsX@3H1)&KMdHAcYq*l=tL`NH{}<P{W6YZS)FtiqzQGa=yc@o(}9
zXmT2rQB1yYAust)9sQry{&|;z3n3d{KdaivSMoP5`OB}W++al`rMI{Z*LeR6@Y|yt
z1O$RpGRm5ufpzY0BNHI~r%WX42dVr1eO!Sq2PQ~tQdwp0KJRbx^RL`eJo>{GPuu(&
z`?H$%w^A~QKvZEUF@}iY`hJD9-a=#Ttz}0vgRPv~Ks%OqDlr5ei=41q>4$juPD>D(
zOv=diVB}h%=iRYX|2M>){A9I71HU)2NKCqf=erZ&UL$5TY#{t2@nDyR7U<WIaIww8
zYQGfQ1x+n=J0k))T0uypirt55Y%>P6ZjJDbU@#88@v0G+-Q}T(D}Ib8RGXwX1MV0+
zZjXka+MEjPdZmf1R&gHq8b30%jQ`<?fI`dw?b?yn-B0mo@+e#{r)Aw%GjKZ4Kq55|
zP%^z6FF_bjuh-Vn&2GC~Qb$v87U7WwMAK#l*Q|=OP210!BEyw@g|L9^)7RF$6u@z5
zF=nO1&B0Wv-C7&hSN4^!EUk~*k&&(p<D3`)t?*b<A6q87PrU-8he!3wpJ$0phgP5J
zb{QBB@a;YxX>j;G#3zrA0fFIY6!V8yNc@k6Pg|ix%GV{pRBD<rh;>Vdscv(S6oS%`
zfew0pL?9Z_+g4~^sB}#&HrpF;?Io#P%jw&;jXGIKJy=vFo(Onp<veYv96b*tUyqi2
zuRZE9KdEe%*Y1dnwhZ`J4hkZGHRg}B-YUo2RAc;p>S(aWP$>h0SaXUU`4Jltg{$WO
zQ#x%B2xc;XLnAr+Q4*IWdff^IJ<bi%rJnqOwRqnjcf{x>0poNOL_W9i{ZLV|(xE+h
z0z>0Uv3IT!S!T1+r(09qseVUKEja1P2}>!L>k3^dL_>0u?4G3h&3789O%oYkCR6W&
za9GSon1=BaIS`1vF9TkmPpa#Fi{lmUDve$k)Q;&#_{K(*4A=`xgKNWqMLfM@;C1OP
zYu2t8d*?a=;m#!Bg0V)|`}2u+{Yct*K5}l73CEgP4&Nnyt5-Ez!NXSSh}H!^Z9V2s
zIVos%o2u3#FAEiV?SFIhiim$ap=Ci3KhA*FdL<s;WLr*Ul#_Zeaf3D~_vX5v{)3DK
z*smR<Ji7k;@&`oR4fuSY1mAA^IrM8+&h2q+kZ#w)JwWV2!E`cEY|c#S%%#FHrNm3W
z3SjndX4dISv!78hIfUFUv3nE8VGaF$;rGFlTaYq@qIry3^HA-Y0b)0=x%>Li{Xypr
z`b`dx!5{{YJk++vhx8&jqbUx2VMRO#Z(0BqlfS3!=nv@JG7?(7RQs>iBMvrT8#T$a
z%_e3cNnY%{O=h=oLDct2%ychVjC}(i4G<sAAwPK<%^{lOE)3+I1@PgQ_fj8XQ<WMq
z)+ItN>u{J&!|ETg3&{m+Dr&!-c0R1fTok5%dZQ&;y}ZarB;cN{e7|f5dbquXPNzwh
z-W_%d3IUt=?d2hrN~LH73hyiN%V~XVgXM41LWu6S`^;A$5KZ3!1f|D}W@X70a%e9)
zZem#N*LB<6F7#34bBO$2m7Z^pcE)aE{a*XG>JgGL;srilXS5bK$Czy9X|a&8Dutz*
z?rujZaz}oqvlL3i5(+PAt@Vp~9%Q>=s=rK+213H`BHHF{_&j9y_%yV#8#6*20QaeR
z$h4a7k`iiCz&0UUfP2e;8BiXXlf6VbgL%EuWc;>4Pe6Zr?)cq{3#x8)7e1H%X7IAz
zgxczp|Hkl`0$S17vaQb8d^Y!p^h72(-{>Na-&i$T@hJA&o98S<I-9-FwkJ42mVNX7
zSRkaLCXgAU3}UNVAAz)Q0AwcBh3q&*oy-q+$0Tf!E2O$=e*@C0V)I`UUwvtTyf#!6
zHqAJPHKmU8SBl(HJe&usC3mhR$4WKRyZO<p9}gq<-itLx*Yi5|t!^eOw#~_UZfk1f
zav8hJC~pY1^tAnrJ6<1e4|@+Aer`0KKq$KX1#x&Qjk9C?7PQmrLB36vsBvD~hAc!(
zVI<e}bwATyoMF!gDHiHt7+7IH%Vn^l=A`;kWba<{W3*pLY7EJ4?M+`q1DPox03h@9
z{&Jy51muce#*fRZbCjK*C6=+Oh$%_*{oY&}-3iEUmu^Fj9+v>66m}Uh-Ov{(dqaBW
zeZjEPtxgtPoBrUY$Frr=r7Fcq79(t%^;7&#9xPA8dpHkfv|K|m1Si+A+CR*6?v*?J
zGz)#N2C>e)VA-Jwoa1P`ZoT^3AAk&0tDEQUNPJ*9yN_HO_XNhU?v6>NsDWUn&01UI
zS75QK5(wKD;Td2?ne4njTj5Ey?V_3me;WZ3?|VZQznv*^-1AScj=&v_7?KbO1$3MA
z%+``l+p0TTSGhM4xvXy1RH|(2C)l}*^p@^!{xH8|cP$_}FEa`P7!^$#nnocll$hrK
z=;Uh9iQ~9+=<7r0J-&TyD;@DT2={FfrC`b@vWyQU!dx<jkAFFrp}!15j_7!;JM0-m
zzF1JW1wZ;=GH8AGRPx*1Wo^yTa~#Boae^F#LPLb&NAOKgVsU^QCvaOONu{JhadcfY
zf-VLzWOR90a|`{EyqgAk*ZqFS@U-#qPElUfR(4u9PTxnIvk@!s&RK{cJCD6-P_?g;
zMC4Yo=DIS02$3HA3Z#`}r4ns=?zBlZXVm5D(@^rh7+;Tq(9lxaDROoKKa>dkgg`dJ
zA{{(HYzeGyTO}R@2g(Wv?g|2L&W)7qzmq#fLXqm0t;=E0wu>_DB02>k1RUPQ*y3fO
z+}9=MfNL$3F|G3|r-(BUKx`%((2vMr`sxMDyqSVY{MVVs(mLsJ^J%NW#{jeDyM?$~
z7M}-dblQ#B>@OT$0*d@^whj0XyDLC&v$gK-n7}lET1wvMp3mcDxVy2|Z^N~s&D=*o
zJsG+FVDyrTWtHjRedCKz>nDsP=G9QnScFIYE}TjNNvNmOW~S+z@MhDtq9E*6#~`!4
zF%E%vuNSh+ttp)b%^LpWyLpSh7At~s#YeuK>5K~#80Ow>hn5xKrf$(M=>;;J0B1k|
za2MeB8e;1K#ks!PFP$%|9-PI%j}Fvg_@6B~o|c`a__B?kMn1=)FS}}{-Ns>|DWfOg
zhkl4hVWY+ndc7{1#I|<jIqnSAE;u2I3iXJlOHo9CCG8;d-NxYqMo0obkyE#JC;+!m
z^3BHgJ9MA<(4QNa$h%~3k5UhZV>q{AicJv(;C-;(@aT<02|Y_x_J3K-Q1mAUE0a;T
z&Z<<st?RNii#f`tKVqt2E?<#ne$C(Tc>A>=s0d})*vr#+-geRknFdYhE;z}#gJ3b*
z>qf1)yUE^~)QNsUWc%I&jyzlYYuqm0A65V!Wpj`t>%@plNDAIDb(_l_`Dy68B;=Gb
zd<0IC<R$c#kFHs=nr`L^ka34gMc6Bhq8xe$mZla~uhZI4`qwowxlDGKHxeIdRdroQ
zu?77c!?|jIX5*nROTKe=$^hMVH7}f(gNCF_Vh~8AH@zmnv=jvw8GnRmk^}iaM;J0x
zVBChK`ueBG9>2RuV%2l$Be72^hm~6oqVaKvT6H)+p4(15^)J?QILsmrd|oOKvi-V<
z)>~>1-kxpLmOXBGtNr|@bZqE8o`1x8>gV#mZ%7b59hDm&_!bcPDo|We!MX_Vx|}Zl
zo)NMgYqa#QV)r=4B0!YqT2NzBpkSifas=fLyKh=Fj%<+$uK_klD?C6%?$beUKvh{=
z-HEgxO44mPFK!NXSw}yz0B<SpQVJbaeYXM>GU4gbrp}2H4KwMKz(+@M&@V~L*CSv9
zb#^4m_P)LGy-fFJlINl$%5j_Cyo^GR<hBQL6+FH8|1kEJVRba!wl*HzB?NbOcM0z9
z8X&j^*Puay1b26LcL?qp+}$C#ohFa$ea_zRcYQwzWUbZRwPsb#dyG-x^6J%m-aXlK
z-09S*ymhTG?^?E&Y+6RAL&TL_+pl9|C6m$WPR~0zrZeOYr{2CneJ(w%;sUSyM!8pd
zr(59}Ts$ayK+FBwxnoPy_94}H1d~p0Gwpn4DP8M;bQ9{`eCu`6?JU8T|8%L(*$Ky+
z{wlckLR>y&2ha7DCY{<Rdb1EG!DWMnz@x$k>(Gp~Z<9>A)v3IB&BOj&Uh={RmuKPV
z{w_t*uqnMT`sdbj!AXE91zkF|Jg@3@fWK}>&YXFA`3!mB5#idjWa^FYB8-?wnLTeB
zqo{BV4_O+uYfY%m%40#xZ#Qo9-;S4w(QE!l{QFe48cMF^XUa;O6Ow>3cEUOuQF`Ib
z<Vse8T4!H`u8p^@5jODdTY|20Qo}_bjz=-Cd~-f#QMy(IY2c2QeAA7`S=()TLFiDf
zhr{LamvJ|W3{M9sS9;K5=<_kY+vQl&-}BAW*|%5Y0u;K#b;qRiyN@o*_Wf=Qt>?l@
z*j(7GW>GXgwJ%D<7J?n#&%AXup)Ik{!*$`R^H}?SKMLlk(zSTWPEl|RaSB{^;?$uE
zBs+>dou6^N(x{zK=T#=RF0d$?7yMj)8GiezJH#V%Z{O<e10N#WG1`OGAA~k=>zW66
z#60-ih2pdl6WyB$_a^&O&_O|WIVata_F~$px<_fH|LiR;KW3KFIlSC~V}VS@nf#cR
zyP`9%tepI*txI?Ly50@Lz)9nh`XyrulAFS!GOL99g+LFw8CjX6E890Nqj24#m)dD&
zhCBEh7400uw4(>TjA0eEp-H()_o+H}XB;puQ18TR>{SxG01JTv9XK$JI8VSH6tmoy
zO>Zo;Y~`aV8m`S{Qm0M<I_6GB&!C3Z6+O$Ts@J62*yws6u%jfep<1=$L5Pg?i3=3e
zN<$Bjp?3*`DfJYlI?ZWH@{+KX6_~wDektt(Mk#@s-2FhWz@CaUd8<-Q{$>A6lH@`L
z&@`RO4ry;B(yV`Bb~pf}Jt+cDn6PxG8vp=`xpG;OQZrkoJP>QN)SWf*a1)VC$*C6l
zHs?@z2@)7sX>Kv8jJBcM3KX+cI6Y2+QpCcRLIb>@9oZQ&lmz7Ns&49BgDmy5N7ee<
zt!D$sbQdn_-_qQYF#>n*pXh-4DwMq5kO&C5A`iWXtJZQxG=w(m#R(FN^z+6enm0Gc
za;1uM#mDo~FAr`jnY*rGO0v%zVsA;(OpKL4SyBz?uy4mE^sn0BrTI;e3dZ+1ryu(p
zez-tc))%gaem6m}W|X@--DK}$F|h!*H-|%U21X{grFyAOPIjnzU9UH186>Pt_ILZr
zeFTX4O2<>f-}>tsh{Bqcf>WZIrJ?@Uh;xA7WU4>q@4Yf@8gwk1c!UxoXP1LYzq~nF
za00uqFTKG~IE_%VkV0&Q-_mBkXOYeH^-04TxAH0!!Us+hMDo2n^wWY8(=k)t({@VH
zZ11ZL*G4mRt$JXpuJxxyCx%y2AS5yv?~NCtjDdFLwSzO9D2f+mqu1iUM(6k%3g<5k
z@#Th72&Grf#CN7P-OqFCxf+t$|F;a7?UcEh+?QBYE!G&tSt~Zg@lo!f1hn|E!)SDh
z^AY&8%=S34=nM+EIO!V|1pDu-fd4AF#P6LRzBhQ0K7$?>{>~xHrs-n|&CAd$1`)_3
zk9}(O`v$B!8|f6jGfARAb`?q+D4o`+HiB5}cEru~_F!PSiPG`Q>)q{u=upv`5%KUX
z3_t3FicX1!Rp)G(c7sh-B*uLI&p=>s-v9QnOIZ){pV|c|lw*uRU8oaJRhGt(x`Oc}
zLyr+AM)v_hPqh3(&%qVf*zcE%m0mB7G+bcLqDoMR%7hO}fihv*0(A|tlc&y8a7GVR
zTrJOpw`kkr+?ms6&~zJf8fru2F*m0At*?kxLmQJHKG&*<mc;2HHgr8%lP?hiRdhlX
z{Qh^|j3xVNajUKU)+nLC<KO)i4Q^ygOVJ32d9JP@v6Z&z(1;Z&Vhg3T+Dr8nS)!$$
zgd_}m&*>flGbp?~bhXAr!9p0@#ic%kzG*S~&OjMh$a2FS^x)*smN<o{m7aJy<SuW(
z(<oHi>K&#lUkY74l@yNNlCCf?n#4k3q&U;dvvuu=HLn!Cxr$9|hRJX*oew}5I+8gK
zqx@GY%ibvPp1^70L4RqoVJd<#u$^}ETB|46f|h)HDIyt(D&Y|2T|q{;3`q@z?&1>3
zK{Zn<0$i;?Wc01sYe>T#H~KTQ9h%Q;KgO@rZ%gwIZz<o!``N`Bn!^@Z5n}1s3E3sy
z+R|Ug+IEPysNeFai<LUu@f*x`F@%PA2AmNNr8;&$V#Rw7<ByTdZ^@kL(>H$6zpE!K
z5Bh>gliFDvc_zYbqF25%%FeIxi4AxD4ARZuUJE+w6|7%)h<a2ThDTjA?{z=J<Qns!
z!7PuKSN#s}`>x^Mzs(7B-@Bb{vr;W?b$pH$ML|bY+Nq)#%7t>uNz>Vki22mv*`~dG
zOk@{YW6%ARp{MH}BrkPZUArO8_k>IX*nIAei?yXMP<}M1C28<M-BP&Me#7pc2)0$H
z^+&pxnu6XZ;u&tfY^o7jy06I`U|ZEpOKcK$U;dK?ph9?NgjLcx>j(3$qy>JYM+$c;
z@FHS2=ESY)2qq72JMkc3R=zYZ>eD<LxUmE+%d-$`N@VG5e%=!1Q_3WoQB240aIK`$
zXzs+e+n5SAJo?u`2bYenDWe{?81Pqqf6$VN>bz6_>(dF8s)bF&zA=r1Sl+4-W{6KP
zKSCtXZ=)Jd?A^X?L30zm_Ra90wjp+JhJMtKja-NAi~yct>@q{!ZzU_WRvcceaV!b?
zGv%tsh)kKLr+Dd(Zy3Zapj7kfLlDf`SdlX0Y0`W<(`Or-GLO&@mg=-zL@@njG|Eds
zBUmLlj(#QjnS`+YZopnBEzgXTHlzC80ZSZHFxqX(!Sj-e%eVcd23s)`l}7J{-u2g)
zv)5En>CE1Z^bJmX6H2l7Hj1?DkX~xbwvFG}sKB4q>oIw0-&fV3JB8O7b00J>23^io
z8e@IjydiiFvue9sJcw>;N6$0<rOKmgOuI|@ZfB6STq0q$`|n=rAtD%=`gSE3suVUm
z&qm})FAA?2=eHj6%uK_Lz?C9oO8j3YRhH_CES^4a4$dQU_9>^m+u5Yg)8X=|`=6B#
zS?HSS@(QIRe1I8|*dK~abo>FL!_7IUi-3nVk(8$EQ?v*8=fg(c07wC|`rbDUDEd*N
zE>$97Uy~-If+0tV5-d2%a%gvpTvo55@aKj=t4i)b)bDAQ*`Fum`R{X=G;{M!=$-kh
z*!cX#o^Erx=XPY2l778Yvbjc&rAb+nzFC$lcfV4`W~RS?-Y;2l^C{*LPOAxP4@Nnt
zu6JPNyRKhqPgyDTo}}wrfU#)T>c_23a)w8F^JA~zKSfFuHZSkfE1`Whsb`mxM2F?{
zew5vA>iW1+zn^8G=<vB|eKvBsSvPR&^OuoB8Z;(n({6V{IWv~y(r)@M$H@KbX=UvT
z8{c(<vi+iC;*Nd6--$5{A_+VZO7$h9t`@7(%p?80HX+Eq7$ZEl72#5378!R9(RE1d
zT=srEk&Lk=kJezlIbKkvv?Tm%ALGZobE!@Lj9)G}d4^n0qp`JJ?Jw7C3QVp8B=g=#
zd9W>LqL8b&w2f1;p^5?7#-BF7YpbN{c%0OA-v*xX#oJRVxT)W7J>tdb49h)yYV+9!
zdKQm|av6Jh8pz6P$F(7la)iHGq<RTboAt>=om<q&Ami5|ILy(l?4?-mQY!J`u1t2c
zNzu(3Ek7T{hnHYkgCx{(Hk4=L;;Ea_m6T10={@FIG*sy4N5nAnBgW)#9DERwzRzPA
zt*5PhWHRb&bm*=789PGvcdI^gj95Wlz-*Rbu)X#RHAq?{%E2-VTWd11llgo|a7VbS
zj!G<-h7(PNuJEr(Z5NNZxG0e*p3Xz4z|lDMP^~snedPyqRjoVY!3`Q58%l1j^DE`8
z<W>lN(E9DqDatawnps^^-(cP?DZQhYk`Yl*VN~>+_Y)#PV;&%`nh`SZ!YrWtimaB7
zE%Hvadz%0*)&Me;j=IPArxkb@n<OFp6qp=#cX`w92SY|Y%=)CjN<|lS2kocq8N+O7
zds2V(^mm4NF=Y{&lb@r$DUmUnf8If3IWBaPx#LfY*tj%M8j|8I=ZEKP5-71PMXkA}
zv+oACuW$S*O4mpMPB3MpncWiB7{{ho0G8nmB?@}LI1ZA5h(-x9OuaHmVyFg`imYIN
zA5eX7a<Ed^t@N*qnxD_t%5`}fs7FNjkPp+2D6I%nd#&(jNYv(l?tNT$OO!Pq<bA^Q
znc2>u5X!VwQ_z@+MXpv2?OI`$&ZL)zdAXsXVakObpEGiB^cwbM3p}=f=pvgfbxYa2
zWOG@EJEz5_>uUGUVvT!=U0My&^COvbzIiI2UpG(8s-$(+bG<*)iagmV1g^@L#!^8x
z=?c=Ic7(MU)->>W9T;42pN!ys)42O=(gw__(i5P6BylXcl4e_@Q@6wtL0gfPws}~G
za|w5K!J8XhQFm#KHp+0-Zl9(b=a{Je;WI6UfO^20i7?^p`bxwmrujq8>{g?s6Q_&R
z?<K%ljsWF1j*!->$x6u2wiXS&tS93z<5l%Vs+jr0%7<`mgcvmPj#d^K)P0ifW!Xu`
z*tGg#4_uA0z^(1emmi4pAM4vb1OLIC_M}qBuw@TTo|h@Lj%RGgiyD}8l`7#u^Y(8Y
zp2;U}4cfXItXh*R5P>eMSBwHXvs>Uda6RS#QIH4I2Mt#>$9FVXFEh&WO=m=>5}xyB
z{=VBv^0|X~YepW{vFDW3_wCibASVg@AF4mCR&i#vQcB#HU&_jHFcpO7P(Em=XV{g9
zZ4B^yE5TpeIB#H|uYR{fJ@+WC+lkk^33`SGD{CjL=mK<f;Bs$$8ND}_dT$e4K3I}f
z2E-u3QJlljI!nY@;tUrsOso{?w7}oxQj*NI#Nv@TFtQ6$eY1T3{0?ILyCv903$D1v
zs8c;nK_r|l5kYR)<H<}>jPmxmcV@siY0U0O?AB_dco_$d#1Z-E_R$5&b~`@BAm+(d
znY88rvCk!9A7#?z9-jzG{~eL;(rD~zxk(6s21SDS(?2u~TOU#b8;8cgzkn1Rbga$~
z<rvd|3N&!6w1oYyJq<$}oH6^ZDowZ|_i7@8xS|v^NuNx8!iDfd(a7ba?6M6EDzPYJ
z7VUEg<+8l0w@wpe-^WOzi^hKQmCW=UBDZGRWX$x_L8&>HX)$E_CB)Rz$#-0?7R(%%
zovv`0#n}^%P-CO^kwvm;Ryn^~tRf3SsHkRe$U4vP!)lV?kD6#|TZcG+^9%y6$6=}B
z#)DtQO*7-_EI41b28$=|tuGx5RJ3F<MA*m}B3Avp{V_hHCpN)`V#U(i=jLr=)G{@y
z5mt`w@)-&b2Y{WXRbETyS7$*OTn1Q*WkHnikW<P~bEuSgIGv_<)qK9<$EZ0QxV<0F
zTI(r8lcty0R+K~E(vFhm^ECmA^+|jP{~Bcb&xOX}%-}t@t9$$$!Dhe#8xsq)@i3lu
zEYu7XV$bP;6#e!qN{cC&P}DwFPwko$@Tncu;PcF5TIxxxOdaaj%Fe*y$0XBqP3!nt
zx(7vekj_hLoQvL=wS3tq0j!Z2geB+LpzE#vplzpNx(3d4fo0GVG<187sVaj+IZ0Jr
zd}lssfOE!>DPWEQB-8@UH&khRhFrnf7T70K@`AA`Zlkxe?qra}bMm?WwtM1|X|zyQ
zXlCsC1W7Oq4M+vbNxs6d#b;9bft5rpx_|a~z5Iv|XH@E>V5eF@xr^B7`N=nYSiKzw
zG?#`-N~P2SXam=wgFQB~YN+BlP6*jxsl=|3i;4gUR1{*qnjHW*!bDNtNtp^Rm7afq
zX)xi}k9+7&PFj_&AunTJVu+n<EEELfeflL{oOaN$NS2ioSvMd2a6or&>&kjT^=ZBB
z6ybxLk6?FiaDxQDg3R%21f9PaP6j?QX{XKCqkg+wc*L4fvgy!BZF{;L)}*o@z~*3E
zZiXxCC9<V$QA8JYA==hToj5aMQ$;*sDEIuQ*{q-iF+yBW>$<c8d@ezhuP#s#Nnep*
z6#zf$No|V?U0G&V7B~`uAI$*1$1#eub8GFU(YQ4<IvOZvGU2?*=5o82M?(*mj_O<M
zO`#tJVAR}tT{o^lf-8c+<vZozTV7MG4+Ni5#+3`6V=-d0F})$<%xIKK?}}*4@gbYH
zrnex}+v5VoZ7~LZ+VT6^q!uSFt76ARsE44fX6%lBbu<<bq5B5Hq=Y&j+N6r8XbS!z
zP;V^X2?<nrd!~(>?jEfw>|4m6UrD2Z&7IN7)>)5R{MA?gBLNU}BQhAt-ccn``|zK@
zG$X_mu|a5R?Zhw0|NJLIaKJmps(Wde|L*|&jfzWz0hoMB*a+)C{|O}naN){&*M@n2
zZp;6Q^$F<!ATJ3QuKORD{@d+r1z5VA+w8ZvzW+r2;eBhNX;W^b5Ey>raY#NKWc+oP
z{@L~XMI`ft4NB^1hV<~35)Pf63I1HZRD_@+I+u3aQ#*VzZ`n4I5eMu4g#HF67|Db0
zJY3>tli5a5zPoevHSGU+=~#SUzZNyVn_+0>&DeJQlZgNO4S}D|Ily{8zfiTcKTMwg
zxx!32Vg)<Vv900(rvK%pWU`|e_;R^iILLpZ`g30?nZO{`w__WhoO%B9<NE)ndk`h!
zi2(n}vvb~P00#`V|5w?NDF*H6wMDYT)F1|}^@j5cN#DLa(H6r)|9y!4bt{2yzjGNi
zabtWPFdEUJeWNwE1BQ9LTL+eG!$#6|G2EB!iAR%F)0PzNk^c$WGSREh<1+_1oV|^4
zQy;P2UK(+_!~RKK!T|SCuUJ(lG0D0)<irh)<eLL*!D(JMPq{!YPUSc+zZ4FOe&%+O
zqTgyF)0ehJ=79}$6Gb3OEc^rHx0@6aFwfz;e4@XCyGD6|89d#AR%$Z)oeBMCo+@_D
z+QXXf|A<O_vw=!gt68fZs^btc07DU+>g7DUR%;&Ew!tzUoQcaUDYibsG9C+P6b9sY
zPDlY(sC)S{u?7+j^Np4om1`*QLqk}<995Ladv!q)0~pb()$@}~8aEpg=n#b$S-u<4
z*4m!<h!jWHu&l(sV2t)B>IzVz7Y2(rZHCfp1B|3NxEd;u)@hB&_1u7KGnmA0DdG6m
z(ktme`Cj|WD4Wv{VRb5IfS2$_2LqD=j_w3>nVGSKX+ktgqJU4k<I&uxVbj9rl);}^
z`l+}?4)K<JqS5n12S7`mR=34D&iQ0<@K=>lm|9R?ku1RT)a3vrL$;wg_B;lJ)qHWY
zQp{VK)fFSWx>Ws<{xl^mI;S<<FyMAB^h21&p7Mt8HrVr}NuolJ7>@_@K!}=g$pb_z
z5TnuOX^UW%zYFNkZ;?kOWO}g_F@cS+Xg2Cw*Ntc%;EDnbdE1uP7nj|}d!4qMMavx^
z(<{Ncet|q=8zW)&@vI{ujJ{do4SN1;hkfb{&0Z$h2iQt1ut1CTV2T-1KWqmlyKdS`
zPf-a{O0{ag-(?13W?V|%nBAf_zR%M|H-X<}KdAr&K<c^f_j4k3HUWmGvFd(Q_8l8&
zcVn~AO#TFBWchxkjN$gjQ|%cZdRc3SHzh+lp9gFx-(tYObwQyBdM1?kT|)FQ!!6OY
zn<`KRu6FP5$J4ZnRF&~}`mFdEbr~X2Rh_BQ-KkqHx7>XD1*;ZqfBmFy0sfIz%}}2E
zAeWR3QC@|LUhU0T_fu7n>M;V~e=2?7u}Ofd_4&DB4EZ)YP7!^D!^h-$eLnNqx!=oR
zSP4Io`=?L{`l1wKh{~0ZSDO7e`*gWzN!;;7Tzxr|O+!W83{rB6GT7915j21%9}G`$
z`prnF<>~T;sTR@|P1VRZE!A-QxM9s(x{=f1a#<$C>rD?(%Fpqa8X&!!hsCH5-t8kC
zyW_rs`QN0s`lNnI%%Pk+EuUNpkokwe<8mr!)mu?{oHiA(S})EdoxDREU-Nm@4T8re
zrqilLR!anXg8(v#j9vDS$B-z}>CAwPKs~6U{Xt4B5})o3k8g`$yFv}Al}~kaKug6i
zbfD7-Ji!oKR?s;-91wrQQ&Y9zw0!t|5l3E9O6+hwOH5O?t*=hGbF(C>J1p{n1Cwj_
z{g1ZWn+m??+I`r{0gkocO*$<k;uITdzdFsCiIAHxp%|?}3K2dqokv-S07RR1O%bfb
zG_z^R<rom%fOvo`a;<~Bx|hEK*#lGpPv`#M-!ln6&`3-d$jcjp>Q4bVXX(9XUB*uU
zQ;8CNKt5S&Z~?T~RR+H2;rzVTR^e=O65Cx}Ky22*BK>U^-bq>J#u$1WARDrH_AHun
zvuxtk^S(FfatKo0$LDj0wxO`UoY(hha-}piJ4)kmQR78KUjCVl%iK!RO0(wuSY}zV
z;XL9sm#-*d+~|yd*74dd{jCH(@f-(ZRatGg%Lu@|u>khcwY$9oz9fOBJ)!yJXVA}m
zK$ubdx?YzbB377;9}k+>C@``p>?|rbWimuMFnDQpQVNo7$|ng7M+Lq7ZUIzAi(^$O
zl&`JgLATZp-i|gT*J3f18*)T)U{r&`832?p*8Z4idVVLrB{X^qngeOMRbHCsTObNB
zIo4{q(Z1Yz3jbhB5m~XLj%)_$>?oE>Stsds!IWVBR(x3bm>s)KpM7tkc91Z`>M?@Q
zyUM5L1n%;H;);sL#?|Y$|20s7_BqW=Zfy!I6TWj)a&NdiU(dTd+sQuU*tyk|6?i_n
zo(9%oj7$0m6ZlLBz2myA&Ln_K0D|#gr&3)vL(1j%R^)HfU^byTV!?UeD3L`|q95yx
z<v)uWbTnU+&?Gma%Q^d!6v7Ob^kDktp<KzAZO#6Z>Ytdzw<`&rSUPo%{DlNQ0<HQ2
zKHa0aIJ&(+a2Bd8dBNb$cS)j{@!{FrV9ATENCA34VU~hp@N~Boc{%R$!a~JE-W3(g
zoVj3<plggVi@99N;w0nI6ObU3jiu+>buphQC?o{#w#BuVx<#%lLl0(1JVyA<($El0
z{NCaad@SIrXAlC;u39q};ww|ufI7K3S@j3!KP-Ri{t|;T(F}+CbSfmd!Yb>zkmCpM
zZw1xz+IO)&wULi!w@Yev7{zdn@r^fA(!@Y~g#Ki4Y)%BK+l{6^mw&ZrieIK#ud?tp
zmZWeUP&rgjqMmA#KS9#q4&}NFQE)T3+)^O;)Sj57M2=F*t^>NCjl&-|0|D$h1-L8+
zuyA_;Ilu0JYusAA0M@oy%X}_eJDZc@1SgAzQ9)hwF(c~wUb9q83Yfe(gqz(MY9CO1
zTC3A*h~4Wf#ucEM-WQBs;oFa07mlc+k!`-EH`w@vJNRFAxqad56x{{}ztg;U_=lZK
zBmsuou%WVsRcc-|DLVARRv+==UD^ogZ!TY-@Mq-qMmg3T`zg(m%(AS6L3;xz^o5u(
zViO!7Pk9b5KbngYT!mS*Y;;&G)tB);?B~$a?k7-Uxvds`ka_r!jv_h+1a$4ha@$=z
zwFI?$-v7p%fwU28y#mAqb;`$lxeSLy-*A=af(+i`=7xY~TLR*Td3?pvN$>qgMVWM;
zm;2K@cF*@8{kpd)y}G(mU`RRr;GTH$oB=@lIN$M-_uT)QS{?GR!_&!djT!f;VQ~Ms
zm}fj+7RqgV$_2ta^gcyeKgv=dNxtcRmt`(<ZCAIeI)MEdP%Pvbi~9ufuo|JGBb_g2
zK~n{o=mTASc>?(tUaU~BSoU**s!Gw0@vAR<w15O5%H}7Ax?}l{eC1(6;Q6X;7PuVx
ziYI|gJQTzs9Ria1xEV0u<08I#XBH=5wYcm3wjIc+I%sZR?T>l&VBcY2uZAjb!2eE^
z&f#F}`Q2va>FB8Z$gR!8V>Om4{r03G-R0%p+jXli{r0Fr)f~{*wZ1&_*_PEk9YyjV
zx_Ld^`4D(*7gU6%y-oshz^w!7vI1U`bU9K~?7&DT<eh`!qyo~wkfSbNx%gI^idJU8
zNp=V^qP!!ynF^lf=-Rw_c92O)r9)wojz}Nf?T3c<1o5q^BWWrKt@ZbmboymcfWL(&
zycqYzr6X#_g?t(GW&3=mZ~AQ~c=~)r#-42Ax?2pn8<2GKX#Hu)x}-Xdcj0QW;kHNM
zuJcMP@}^am{h~F^<)*di3*T9O%9AC}$#%v&s=B*XWqG&NOrdlRqoBR#mzDzSu1JqT
zGNIDqH727ccGrVE@6@e`l4eZ4WbRqpqgE_BZM8c6#S7C6H+<{Xe1|@4Q`f_YXeV~=
zkaIKTry?baA956o_&&2C)Rw$yI=Ldsq6H1zurxqKO_JjYu&THyZ#iwwWt5Ap{H6R;
zO6m@fuI!}&ZaAt9p|8~Pb?vp?%)!(dymh#jj!t}3@miscduoufO0IU<L#Xm`+Ue9K
zys8oqUFqfN6cLv0oji9#G!?m{VsyUC&s(e5sw!qFb7FX?X-}@<byq4TqLecN$Fn5~
z{ra+GOYI*q7SpLac~$iamX+d+(=T0e1HOTq^*2kaEIJp4(p5+&&{tgx5qQsOng-TL
zdz8j-%46)9SA6m1*DY&j?t{@+nYzzC6Tkb=56mL<1w#*Jl?9=a6-NCLixuYmm?U{-
zF-#4zutRmS<Yb6xfc{@tk+*L3{7r9Rr_i@`cu2L@o|*q_+$>z;u&g|cgGWJz6uWQa
z>Jq!pqdO(isCDONp_#}j@1mfaB9lO`%eS-GPf$Q0uF71nELIlIr&{XKOc>P|Z_D?i
z3y5|-1QPQMLt2^f&SgP(@XkDn(Z|te%V(LvbRAOtbLmc_`jz(hM*PXWV%S6e+WckC
zK*!cu#(h94B>TEw+*r8KYAfj<h~Q_6>eFmiT(Xl*BkRpsPSGe2sh!lbQ;d%;`UBV{
zsJ~@p=C&pvJvFla1_EhS)zhbqB&Di^f0^ZkFH70F4y&l8X?V?s#A?Hke<|Pkl!dmM
z>!ErG^B&Lhyi1g>o&In*l`A_QHGA$|yQS&`d3O;0p=LHcX1f!@oSsE#RAoF2Z6{^n
zhb+$9;>-yJdxNqZD9!9X{6n?976W^}R3Bsl7r~dx-6A=yI@G$MOQRyg;PQ6$glyJ%
z&69pQ)3k~9gQWTj(;akm5H$hK(Ov{9IXQ(ZDmC36zY=szG({qO9S#jy1JQ1^ap)Gs
z+1|J)Ue^T8!3Z0?(IJkF)*21rUKkr8jkUlvpJgIxvf^#~IW~KGgW^KFIqAu2g98+C
z=kPirHJSzFTd}K=z0~S20*ewVW;o-;2RQM@hS7(1yrqaLML#yDKJ*&?Om7Y=L82Y5
z1d*m_)Y}*5nhdHkrinX0E%Z~;W%iM4A}cpA_|lP#qNH!H6k^Tn8u4f5&+@UH!rESx
z|E%q-s*=|VUTgk9Uh3&4pY1n{WsUi1U+uxLs}9z(HgoNJ-}p7}lKW77Wd9=kFbVBN
zwx7o-xCLfdi4h@N5rvL>mDGsX9r?N%hK7`BOy4G;$lpKtE5)1A7Gg;22U=ssKCYxA
zeYBdNt2qh!0T?}25`;G-Ihdhdgq^2O$$I(M5)$NP^;6|F?7BPqR00`d`}s!n%Q$Z0
zsOZfPJ%lVVozlJ@QssU}xLbmN851Rz{JXCr>Ps6;sC0e{1dV)XhX3I_s^2D51kPP@
zJb70*RcUXChqI3QOmrVY<A$wY3TTaY{g_EYDQ8x=I2rwS&U5Tc#;j)@*Nwo4qd-aC
zGq|CQWN3Ox`=K1dahavp%{er+O$c+T>o93Dn|JnL1sE+;B4ow9aOM7OT1SOAN4Wva
zT#ahq^~og;hQ^*}gga%kr>GnhT#c0+atcF~HGXiEmp=tU{zQJJ^W>}5*D0~X>Uj=3
zDVHW|B-?;ZkP`~wk;m1SP-vI3i~(lBt{TjT268VU_Ge@Mou8uAatdEJ!SFB#I?Q|Q
z{1x%hIcg0TRb<IB+(VDXx4Pf6Y+xqKMeyDH%9RG5z{B^#6g8#YA84G&(^QuviYGJw
zbX6!}z)Z>p6m3)~G!_bn9kr<DPkt`YC#s%==X@W@qA<*(rIl%(*`9w!8QVq~Lx8eB
zk7YD3b2R(}@lMn!G*u=hR_1-BU^wbKOPt-Ckv2Os;frh)EGpDv5O`lEHD1AyZk|*Q
zN)#M6)Vh~KsURj4H^W5X7L`>~@!+Rb4`O+KO$=LeUZon>{vFVH$zR+7Wxmsz+uNaN
zCt!LX0%lE41Fvy96ych5F3I(sR)!=JQ>4A~zK5BhiwrkG)2tl?sCv>CNfDJ+=6si=
z(1EMy7T=nr=+=#wOYF^N{r1$vy`gsw)x`i7iEKRKt7F#%*<~o{eeZ4H6mM>t);MS<
z37ha!*1<X^Z=a`{vOY{H!b_;x1tJhXbY74UuHOPh8jseqXI|lOMkQ2JzNtPbc?Qi(
zO!vL~Y%M=s+g}|!Ad$9Gh6_uVFVYcG&(V*#87KU#uiKdCZn`PuOB46)@=QS|9vn<d
z6QiX1I5OUPaCGy-eAqpKB`Va$acA@?!*QRlQ^ch!DMm;d72&+{3zGPLk|Wb7Ow5uF
zg_C);Lsugvy3+enCZVn=%4vO9)VSei@N5I<Dk4g;3qNKGyumv9<`!qMM?pvUV|3P9
zl<z_BAECYo?qpy%*L3HIw|T^Z{903m#cGHDqA0M1`||E20k6i<KPzDUC9k!7tc(UF
zaZf1gC@uslo`_Nz0Q{l-)HXyAVQl2|zKoLMgZIJ7@*CLzB=Ad2N>iF@D+x#_VH7gj
zYjp(stl<&>$-Ken>u!hO0=~=-mqj{|&!1>TogruUn5#b|o2I~V0D%Pq9XZ{^XIOO(
z?8@?`(`VSLj19#3X<M_Ok$Ak~l<YFHy$NCD=gDgn<xG@!hv{2JPW%EMrEp<<*xf|7
zwx`IYCtXB_6AoH&AN>I9N-#?B91%1U1Qt!HJ-{_->|L=ex#=mL`K*hz1%U1c#}={t
z9bc&=pW#oHv_SK(R9-YjK<ccs6zjkJw;@p9Xc~uKX5e}7a1u|Dr&LlLTVt9KpB=s%
zly)2AP9j9ic&_fTboqm{qttu$Eov0uE0MmR?=<mqL2MyF%h;+JzoFQo3W3G_N&~Zd
z=X)*4>9LHdaUJ+bgd7n!Go!fyVfe%hYJ}W>sH{=B+O-0ro+tR;xRXP%unS6CnnmF|
z?CCqH%J&HLVOIuY-!SS=Kb>&KINEDhU5CBfhSiS7QSFq>DL*gfyo%%M>IqmWUauf3
zI~+>&`*xFuLk@GI&SBx;r;2EJ93Qy83+aS<l14Xz(&*&p0^(mrc@4!4zB0K;#Z=^+
z?yp}jrq2D|Dehu;eJ}p;)$ux1Rl1RHCz>S&ihM@#%QXc?RPt#yW~~27&ITKBK}s6d
z=W^RLl$n*8IGlC{QkYhG<-Ijj8#}0-m}fFF>nb6zQt;%wtu=;1LL+kQ$B6!Llr%Gx
zL+ksW*gEo~%fm$<5y^<1ublxU1O?S*Vx^(x1Q5;IfA*uCSEjGhU1pwOa=bbR+Xlz5
zix@~~X!Id$Jl!Zq!9>T=*vh=4t^-7id=alyV`WG*9EZio!Z?EF0dV-CH^LJ1*45}<
z;`HMx5niCMh_SPVLiS^)k(8TYU7Ku+L5dEW*;oijQ^t?l$AAOa6tFX3+<n!Ef`v0V
zTdXT-1w0oa>z;t<1d~4PVA%_e<L;5rRbZcGsm>Cs&Fa7OGG&BsU|X-w#oK&uhBD1b
zY_Z8y>Tb-|lhmufXhBe<RT<HRNXmAj-lngbP%d%#Q&;(NER1i12$z4{Zzhy&#7Zqe
z!!J8=?LS5DsN>;fT#2L+;bM$v=?5YuJ?Og+8MSF@r~|LzY3h9~(c?j_YH;gB3?OA(
z2JA{?G_n{af?82Uhk<SOvBb0AAjJ}xKF}bvfsF40LqjL;Ys_WbfJK_~bEu)CFwQTv
zVEOS;sCPX*gryvX(r}$xC_5k+{yU)+Vt@zBT?Fh-fKGgzHMu%)B;DtF<nirs{LuoH
zy&1li&Tk0li7A<-UBqx*Q*eQBq<zrMzAWSDJBP?S1{XbcX@2fsJ!h7PiR_qvbew{v
zAn!yu<}OCrl2GarN{d~9<!+-e1)q}~`si*?pQwt0sdumYP2n`2O!ZtzE%Jtv<$aT+
zR*oWHTH~_thFG9G36tbs>SdnH8)eGsD+4$5P~%K7>u=oLAEOG<Uia%JC8o9Fi9jWE
zMM~6}X0K}HR+rry$e5Lt;NEBw8kEE~6YnC0lta5KP_UXhB|xlgawn<JGs*V*1X+SI
zz_aivH3U}MT0AaoyT`e$6{|I;SKO?Fm%;=N4(+oJj@!H<q5}I=3?`ZQFE$|;G>222
zZCTG)5MMz-Y0WE)JKB9qzgg1<IC4c$Ecj<|sj|u_C=;|$R9c!sBXV~QXCTR3n*Eo7
zzlh^Qa9pi@c5i1g%npVZwkIoc?Nw`Fl+`2RB9^x2bjGAw<+^ZDVN1zi2t~SvwW5M+
zW~EfWxL8J@Dv1}n7ygh`w}Sh01+y<aMCl)wZtY&%dv3?VBY8!~9|GFQADcrnLHxtW
zD;){>t#SAf0#u*uk}Bzisn9*04{F@h!G>inL!)JC5V*Z~&+vzs7Aeo5am6WL{9WQ6
zcc#hB8Ma4TdTN3OZwG-OIO&v;yt7OhnQpgRl=eY8dtZ)j7tG=6PABqtcj8E$2S1%h
z$;)xE_cWQj>s*Sw6YQ>-59AL<50I;Cb{*mwzQTx8CJz#eT-RTj(WLPtDzOR9`3alq
z2XzjqGWhW!X$};mrm-f@Cf9Nl@&pc6+dNPm-*&yo98RlL4>yMaE_H3*scr>S;#sBZ
z#Vr-O<4C^c-0uz&3=yN9%0CidVLxbC{HAX>0CAX}v4i_lm@_evDVvB3$j1w})J?m3
za6j&mk5Lyi-$Tv7JTaB`1(Mfp2+4*<f6*dWg)dAzKTz8Yfick$(^zNhH2oTm3dOu_
z0EUH?;fsyN1XZ;W;;ggm+4Ek9sp^x$Pm#jZ6&XKM5ty6@cGD2imDjRySo-;WtOOd&
zJNuQ7pwmrX;vQAQnIlMd`4_F0z1EFIg#wg{6}lmyA&ITO!I)%`+si-?ri4IP=TG>x
zz{KF5`l^0_%@&4@AtWD$UnOd#>tjK$Zry10t7h2%N#HC`5&WTyXXwGX<{A0rfTwa-
z_+I2ySRm;nH$;-xE5k-HRe@M+csKxlhcM<-tgk^#IYACmzI@(mUI$G;ie@cuQ~DL(
zddpV_Fsw-7I2cj7A!&31`xeL@t+B?txAvSapi^7tUwDBsVMu5P*<o&>m_$@KhJ+KE
z+%p^zT9fO*r>xDkw{Xxqc8Begd74^PlrW9fIShfM(HS2zzRv%UMIe|3;iE-0I95Ux
zuPf&-xPi_USwt)z$EC<5Du<531DJt*wL~(r0WWlL%*x{1lF^sjUyureD-R3-PKXxW
zE`fOvAJq9>ZyBtp7k8fEO_Qb!fbLK_lRsE0Va`=6q5~y(#ZPs4I*KJZmJgtQRFBlv
zU~iUVP?Ukmroyi-^`(DPDXEA~6_evWKgbet^7GR3c}QP%aCNGfW#rDO0Npj2kQf{r
z%ob*p&S-?O6suTHUZT^qNm)wjtHH9FzZ>gL2%sj*jDOGY8Xu55P4;W2<)n{i0$MuB
zheo`BoO{)$tu4&={THeiNNU^fzOMc3Mb^+l9_W8wj!l)8KC0aNLjp6a-{7OkY(m_h
z7)5wrey;~k)CH?h1jSRpBbgvO)4C~G{P=V=ZkmRPpN#}|b7rCRg9D=0K9zTtv~C#4
zq4NFOCNC|@w)Alh2I6owq@eQK+s$hZ2l(ls^Yh{~HgF5*NI(>swR22KC>@3*e?3zy
zRp$&)p=&yG85)={LBIwAFA*p_b@}g-1s(vj8aRIu#bD^lI&Pmh%Hz<UKiqQ$7t|xe
zA|h+Y06G>5w1Tyvs^u?z2ROv{<3^};O{M>V5(}lF6D?JBi)B490e!$5Aa2&GxzYKD
zQvB=aj3NR1{3C|M0CNQx02ZLW$xUhqUbJ-sUvMlmzI#*B+gMoq_3eFQy`PXPF{a)t
z&<^~yzaSJekOSunP4VZ&@2%AT^AQf=!R~1sg7Od0_l|Sc9VH+sb)RMuG2cQG{-3uN
zyn!BBQQxYU54Q~)EK1Y}2A10@ykJZgN1;CC9w7hYg8tl@w-0eh3bsJykX&05gJg?j
z^1r-r9pHU0)C#8c170x}(f1gg%knp+ZpiV!i00pm2YwF+R&qi$HG^3{oX1^?3w%c8
zVQ5V7;ZU5=(xwiH984xGy1%dXzr$`{?jXS}cH*?ii`T<nISX5FngA1$D7*#x6j{-`
zrQ_1WjGORCkv>_eaF_G`BE$dn2FRjRa!JUd)cywERY3^acuz}J2+3IVKY7#vZ2tf8
z9RH{VfY;eW9vG`D9^<R$i~4K-^6$k~{w88{In_yGHj$cIn<-K@0jL%RLSLw|=|DLg
zW<GCE-8`Z+Oby6K19QPlAkRb^5RpG)YuB0)SufSc&6Q~nhtiZM-dO^WVe%~P04jfA
z@Gp_W|HYjTLBRZ>5TZfBp$0mA!DG_%h5VtWs!gOd4FfTvyJ=30dobc7=`I0VyHO9_
zThKSWuNCqgAn4cWxCeUBWTF6UIWYmc`Y}MZG%Z!D3I$MBFsA;7`~StbGXtPyl39WC
ziTPijzF@Oi#5(Rz2)X~>-$3Um)2fpyWlX4)aHjb)il|XRX|cd9`zCY5hZFR@souP}
zfP+K)kE?LTd@5IRFug3jKxv@mr1blRmyvVXr5smlR72HU0`Y%;>YyJ95x{`sj8a=4
zPg|<(HiQ>EuSQq&t;=u=sInpd#1AM;LVE(h<PtzZg8=E-(<#4M^{`zqisX~Jl&Q1$
z!SXzO&urc4Y5uFYz4W2tvnJnp^nJR_35WddOO?hUgSveDk%GRK^_s>Z2RlKh6^PDd
z0)_MoJ6w-#wb1k8UP~Xv<J)OXfDuzSUbo&kc{^J)4B`vdNLYeq{teS$KD{)?J6#6<
zPQeds7U;N(75_B|VzI&AeD~i7ynmIU8+rL(=6gNfn5aq7MEv=ixJbcFQUU?*R^XaA
zY~*;Xelc=weP;=Mv8&@YO1nGNx!*XZx*Wcqu6Ccm)~Aa?nt%DozxE~7)8mp9+jB(Z
zpyQF#tz{HilhIyM&CM9+0N4!11HD%os)vChmYo)+nCO?Fhz#N{SoBh%>SGl1ZPWS@
z?xhX5_hz<S#~bs-bcfwPrMJiLRb%cf(6&)PYt{fCnzlkdx)!-iA|XS^Q#J4Pj54#e
zmM720AGLs4OtL^OEmyz8+YQSQIPc1#7e#zKtz8F=|8jt2Do+~gb{-(@Nqip8b)spU
z_MhtP{h-at56-Jmpx&&EPSKyJQXKDlvAG;_9nV(z@(2bf7^IE<DJQXDzJPsk5HND?
zsRhgPU8~&Uv5?78MKyQ;U-izZ?;y{#S3x-u+*0c#JV&K9#v_SLqJg>2BLpwrxv!>Y
zGM#0~s{${uROm^lc_SjkM(8H^XoI|wNs>V$SMotG`3m{)Ce$^?5hEs)H4>z#q1h95
zuSYeP_(#V#{L_4Us~)FbYkLc(XEnErmUrcKw|Yk{tGBw+b(%8C1iuC>XSbE4f>Sit
z#((5-=*h${Wc!Y!Gs%CJO(nU;)Rn+A*Ws0eU22e~ZxR9Q#3}J*djh~YERQzTPrOF?
zRui6(J}2WHro$y$?J>G@+OqCvGkPCrwaTLMcQ{VRMO&QC3z!OzoF8-Sg{A=i@T|!F
z!`|9<V+2lq8pCczUpS5jnDIs+7X9a1Fl-L9iOg8KJHUK?3<EMYTcIxyhnYS=WcMa|
z<yIf)qAExw=JU9r-Jbj4HLfU*M`i^bAjj_ep69r-r<L2KzEbCGDle@61z1uKd}sxV
zMKxf>l?I$?+kh{A{6jl4sF?urcb?NmBa`eZkAGDk)IuNvoSrQJOkx8vDQfZ*bCzpY
zN=U!NzfB{6zzW0{XcRnF{lQqKX-@IDUq+Y!^YvbIY^#>$x6dAQL{?1$$7_3o-{oH~
zK5J-qEa)80GNe&qbh5aHjTzuB8GdxLUKVll*)-;|UXoQ_5VPD#ZxD#4`PM;}a5~B4
z)Xt7;5Xx3Tyz<edYPb%Nfw*_)C0@J<>wwd=G6pOw+IC0tf^nwHy8PdHs5Sug5S@kV
zZLpaFf{qid8P{Q^YT)xo@zaQO>fD~LX!Ae+RtA{9(;V@~M5m)US;Ac@^UyaSJn$w8
zVH3dow-OcFK<K${KsEtI$OH(hh=0CWs%Wk;I{2#qnW7jJT>`R<ft1Eopp>SotQp71
zhDM0jA#(|I@Jf^ae%0N5xzEVhaRyh9dKjiF{J~`Uz<d9@Ro|p<?`qU$cPyFW?39lS
zQY7d4Q2K}_AubTJl?{VD1N_O?K+4a*Q77+(7;cy;V*7x7ooUY}Ul_AIL5^A0C0~-k
zhe@d2A(>7V)0Xf=i#0BMIi9p*{6SmH>oLc3f21+qLP4Lqd{X$soW6>h`IJVgHVy+?
zfowuWzD$f50%nY?R(WFRVUDE0FoVyCqgx?`cEtj*6aSjOz{^Yjj$yUuQ_uM2)^CCB
zIEMCT2H1p<aNQRij?&bM*o&=xk7`kpH{-Q(ZdiKQDU%B})2DzA+c;IVA8%*heaB`o
z9%Y-CffOx!UxvdQvUNp{E|Za1)eNZYx1&BH!Z76FjVH57znT1eV>=U&hli_JO`{FM
zyt`p2BvRE->?gXq9pN3K-X%Hrp=SP4It47}-Z!)#IOZ<`B7%Maf)$E4KX4`=I>p_s
zkUzW?BZWWm0x%39&JKYI>9PSi$aDP+>WWm48TtcjMaN6?INAYYjCvvO>(kZc)p$8V
zGp_(p-^?dVfudR6_rWqZZ3}62W%6!A^!Dv&7dV~BbikiW2P9Rf$D5|RiQNE=l>MFT
zXNGEmyX>7|Vjz<Dujxt{;%!cp-?RcSir8jA=dZugFJ^;5wo=IAHH3k^Db3sAXq%kn
z6SSD)_*9X&o&sh;GVXUsNlzmgMb@XKuM%mD#n>6IBwMyGy58RQ`2w<y=j|2cY2-fg
zNocD|MMh9(@SE8CyCgNA$5EiuC_}FL=GTTdZh21z;xwy&7Sjxdh9^Yvtl^UE@$w6Q
z9@kZv-dT|E<9TJ1cLy_xQC0gLFcLT3M&@x%K&|}wDQRfxcKY)`qNMWn(B7&{+SdA2
zhId?5#7NWr!4LDjt7q^e*14arCo^k11qVJ4oFOhR?4tRjPc&<kSkSKkk#?<y?1rQZ
zvuam|{&KhR%_BM!ked0~;#r~O_}>FQ@J`DW5lP(9PC$!9gN&GD3^@E9x*)Lz0QJt<
z6*SWiQe??U-pc{7`-yX(*XM>vf7VwZVg%;J==^g85;^|qM<hO#i5CSTUQ#q9FCc!$
z7|@Yn3{c(Fju(!kaw&5=A5#MOz0TB=W5rQ9LvN|xdIwl7NkD#+06PL=RQk@Y!Hkji
zh!_bxj+yw<ZuNli3J8i`Pq#?*RtnEZvk(E1*=nlS8uAMuERzTw8~ZoR$O#PeL2h2x
zB`qVB3z*rCM3Ty){w$?|r7Q3f9T}vN536)yFD0TR1t-?S(j`VX!?*=Mu3kF4ZKGkQ
zjccH)d*<nOZjqJ^Tr&o%HKqeiV!B?<Gg-Av70o9~U4IH{lgyk-3?-yz?6K0=xq4o(
zR19xu*G^7*zxLSrNSsmV#S!%%lhLp~*vj6o%<1dW``pMjUDw_2#Eu<Us3n?RFZocI
zH^~?gh!@nU{phLJ&~IM7G5a7n<6Rer$5dOr-a{UHdNOz6BhJ~u7xyDB!G^S;xs~ts
zfP?uZ!QA0#?t~gm_qYwXqiK~yW*Nq)18l5}K+MK)>>L~o6Ry|qNjPN65t%H!7*d+D
z+Gv^7#0YKHW9x<$av)*lcQQ{DT~ff#u3dLZ?x0`aAaL>%r5V}@a69$D3*<BSfyi1O
zAa))xdYo$yx2uRzBmy?yJK$&{%iqOdzzL()Tus+W^=v|O+|d0upz_N@5h!Jc<icR{
z=-wO2OVB$U9XoH-D-=u>@)Uyi9Ry@0@n2MUzi{S=Nn55l?KW)4aG<rLGxRdbF6y9S
zzYnT;OHBJ~7uSs32=pYMNeAAf;kufYj(^Wy%!FSvaF^NOv6)2xKXL{<(G?(E{=mga
zVN>k}uIa7aV0E{7@L9rsLH|>osL4VE!ZTSs?jHZjhf)<@)Nc^)t@@LE0`A?npBYkv
zMslk6tUu<hyq?~)+m9`|NiVdG0+twT)<ZNdv+3(830wp_se*8mfp_}3@nG{;DYaJQ
zE*)%Y-p^m+(=WBS{3DNvhw1JKuw$Dw#1TKRTkV^sXyiWu!oz79KdX>(RyOk~Qs2@+
zQnNM@7=&&X*KdrziH3D0R-}lx6Q3EcVDTuw@XJjccUj3x;&$6*tPYQSn6E1N4!g*O
ztPU)+<y(5Iv!l2Y4FhR>P5?`jo-_rW9m2DJ5|$ix7c<rdwrEYr19klb`^1f=!ywtu
zcr6C@X3UJgR;_|n$erJDUmfmxVJKWfF*<%Kw;%@}-OiPxYMI0PCWnB)J!Ue!sRkb|
zw5l95bue=^nu_~e-%D(Ha>O{=HaHJ0T!dxFN3}Dw(S-33uq)ng78Ef%<zLlZnyl-S
zL$fa3%iTL4I%--sy*{O<R;_%#T;G@9Iqnx5u&sHC4ovfjM@SP$#>eA;JuOZ7W|15~
zj<_px7uHo9y0aoI!~@Bao-Z5oj4TBIlWWMNNNxb<bNzXEOxVQdcrA+}9Y5I5^1ulg
zYM(T4S+|CvI=Jk?29amq=UfGy;mDMnM<6zVR`m`k-VIV=fqs-(bU^uub6hn1306zL
zu*mc>OJ(FYE&V@(iBKPckzsF1ULaUi2{5f98otP``P-fVTP#`SI&{GV#xdKD=eb*?
zNzXmkB$N1y52JT^A`{tqz)3jLiQr+2$QsC?YO^>THmSEx?wz3TXy0dIrfd2<Uq4F?
z0S?LN+cvH5#2<d33H<<N%;#zvx;d(ic1otF=@+<5U3NP!H(%tCP2-xCl)L(Tl0Qr;
z){uBrf(E<X1)5TSgR^%be>KMuv;DOtJ+=jLK~+u5Vvx}_ja$rU3s6hQ#9>c?XV8~U
zd}R+sW#Byixd$(2zZLKx%j{3=z1af+`>yXz@}`4szGudg2!Zi&f^^ZUX0%mPMak11
zF^<T^4)goOMfMZt>?faDRdq5^Rim*S&_Dvh$`R4dl)QliZJQ<?zdek6Acx};&_lU>
zn@nt){SwjhZ(yHqasUYU7fc4T`SQE`Gp(_`bPu^-D(PM~ng_tz^QF!UK^%l2^etd#
zesQW)c$v{K+!^s%OzqI53LbD*P@}j4)fplqIZtD-h<f;kt(J!3I&}aO?bhs2Xt)9~
z^rvdjkBO12wo?*gF8Qih{MTAQGE(`fPLS7A9jlJxkKQu9%xhogu^6N2X`91T5*O>1
z_~VX?X69us;W5!&PKqI)7A(iA-X_o??KcG`5b@@;dP}wfVu<!UaSpN`0~wC42SshB
zR0%<W=&}Wz6-s|GtlqEdFVPhMv-eXR*Is0?Sj&EcOFTvBBeZhH5Ulw}Gno|j(Td#w
zpR|2Uw%aaW<{A^~JEyJ$#IZ2Njj;0e0CJ^NckA*+#$>sCFV;~R!=`)@4fYzb@NcH*
zmr{c~eEOw)?+s5yDF*&M*|^XgT5wx%v+~2|qHQ1m=~l7kkW{#%JJ%EWJ(q)VXs^(8
zYCBg+UN-i5FPc0M1C+M+Sh1r_JX}PiunK+N9yHQLVat>|6q1^upG-Dhmr5wl_Oxj0
z^F5`b^bXF_`{)%(`vwPl-c+mDDkkGaIfx^JaJ<DMDrs$0a^=x6=i+jeD2{;lG5GcQ
z0N_0?0mIQF_XE2&qQxc&W|Rz`>_kpDa^affPaC(GGv{6J#+(@1X*fmH?l&5+r_N??
z+b|>2jUqpq$TVuvrP#ECzpK4e3OBBvUQ{$Zxac`e>yV01FBxeMBq`FnziffbPTanH
z7(}|D;i`H-CKrLPHN*`gLT2OKMu36a6s>!&h6N@9If|#2FI*CoSNXB)79KB}beard
z32={AV1QG_%6^1Xrebv&5NCSZr26^bcs`3jVsbe8ja(b{1pVZG`Du%&Au@;<&$O4W
zFu~tVTk_s-@f1tnb3+{qZfh&a9dMfUC>I%3_FOoXe_#*jhim;Wt@Awcd!Xmx3FIMp
z3n~;>%ct{dGJ<9z`5v%?F`Wa=hd64<u!aF>Payh&UyL<z97w^b2#>IpBrkF7rdt%J
zb-<+M25L(%AqeQ}&64e-s2*{`<%{-CzADBSYU6ZmVb4?j0}K4CmzUdD;Va{E{FY4>
z&U6a8R=E6I`t8!_-7%R+3R?(b4o0|f!VF(JhBk#UCmMzDha2&v`*B=1r)817hR+`t
zimok+2u-aznvTCb8rhH)oo!e1)!*z@oVB+t-wm1hc>BkxM~PyU@2UAdj53IOTYW>w
z(=?#2>-`kwUcEabt{1zLW@HqcBJi3-M<DYg>8#_Ty5M{gUsU^hU7;acHL|M*l420e
z`&l=i+iyQLZSirZpQ-=QXMJp{QOJwnDT1SKfJN@3#12jZQYw2%rJtH<gOnO&SqdFR
zl*+s2#yNd+u6s-1B<b5L)-I2cB%WS|$?|+kPu$IsufeZCNLmcgY2mvj$};K%lqmQD
zoEydBoFU!!w8`Y976CAbG_*{arh!z4bm+lRK>V1i14wkB5o>^f(BuFNFgm6_4*R#k
z*7qWd0!1pX6wuJGey17qnX2l?KblppQjLV|#dPcSgkIyz`oPNmf2e!QfU36k-J4jz
zqPx4h8v#k_Zb3>~P(l!pZj@MbcQ?pF0g>)5MG=uMK}iXTGuHF$z5nOzbH2VG-Y<T_
z#bVAe=D6p5{qE};Eo!4Uw<Yp9Xj$;T6TA4+gM*{L4ItOwm-rrx(o||I?>-uvV>-yE
zlHTWcg04zPa#25REh-2F$?4zh!E3?qTKDbAyufUjy@aLg<wnYl8=`A+PF_kMAW)14
zPcTE5-pkDL9~#10sN^1IIaZ8j+M7~6iE?>1D~en45}tN=l@P8%{P&qtSkD+Dh6f0v
z;Ns5|)4`cP0wiaj6$kgQd<Hn$*3E`R(B<X;36nnB-(CRPlWW|_DAmsKZ=3n5^}_6U
z)WJs$qarVV)vP?B!yn4?Q%b^Whfx=jreW@0Z;T18MRQg`P78}wF30l|DFl08raQRT
zq8jt66#X$vxCZyc@X~Qo+U!Xr+idHqZLD5V=t&*3J)5Lk-h+gQ9!jA<ELlHt*Mlx@
zNSqg)Fnh*pNQ7QkM#kldC?D=NSC8Ru*=9k6IdTcN_fA+0ELKHnE{hL(Gzs^dpYsR>
z<~l9oTrleSx~q$xAW=egdwD3w{Kz#-2QZHzG?xV2Go<AAAsCB_5=ah%tSJWeKOHfB
z#A0a2->EY?*(EiAhUiO-mmbcAd#@*CSWM<!dHAGR$hl%O<J0t~Cm+Y2=zgt9-8EbK
zyX`F}2HC-&^`6%YLLw0NOFg)?Xecq8fKaeW0^mNK`dNn_U+0DG_je^$k?AVQg}Cvt
z_rAZlqSSmV$T+A(x;X2R{7Z)C{ba;PfPinXqm+2ep6hBA&uQP|Z9zicAaS^a5<fm=
z-_<D`h}#k<B_(dZ;8q%50B%kDElHV%CH#YX!nF5%P8ZgLcCbOOVQ%?59dX#H5o13d
z!0W^Qn5Q~|CR&hfTu{;Pds+LBkBPiEN#O-E<qA1@9V_Fe8Pdx@9EluIj0qo+x_Y#M
zZKI#u>B`Y6){W2FiQ1F!ygTM%?P?z3c3BWm8o%a)#OuX&oY`9X(~FXP<13j+7lBEw
zl$66b#r+<&_kFmi&cc|KqypU*FzKexn7&1q+J0si5mM#+pGTc{nNOVs)f9zs$<a>T
zUjE+S{j(%1H?GrpF`$$r71_l#Sh?}q(dy1%NP_tpz>KZ@G6EvQa**;M<+&c-a$h{S
zdwf^Iu=!NK)jNYiLX1vjQPgkci$e!$JsgeAjc}3f0GmE94%IKg_qMnO2^3Dh>3)HR
z_hqaFTSr^;cBJP@0~~m*R0Z_YZv4sBdndiEX?Y?ol+S>-DEzuFHJKuDtDxgBC|)~C
zrO*BbKgmFI_q1Pw)bj@_w(Edq3D=q@e&7Jux0a-8W>hT@<ZZ*&-Ve1dYR=X56q5mU
zw%sAflB_#Ygrt*p4ZVSyURYLHa)=&d<m1sAmb%f6xu1V&0G0Qk61Jtib;tUvH25Z9
zCaHxbhuThH<cGNUll{4s_dnRgZzRP{bu<@nkGXQuz4wCRRn8MsE8U69oX^QU6PZ;4
zsGd$|k!9Gfp`TPqw}$$0#W6qC-=_Vdw+hcTxD!pBT(FL$?lx{!8^Ka><#Eq*Pf%4K
zsB)IF9XUrOWslc6f4XA6ir$XBRB_IJK<~Q}iuI1@iK}eP*DQ6T)=+;gOGmB(3bGE7
z`!g~(bQ9q@B6WrJ#Wts1!qE-xDbZDj{slQSr{@wA`)G@y%;#j#hV$J{*xT+8=SyBX
zu8)$fR3wZfj_Y~})tz_o!BqFQ_j<he?;BnB`QzPXt*y)7d&8YrD(T>hc}<Qo@LC=l
za0I<lTv|30x;RCQ>tH#GzLB#WZe}*+rr}IZr_UGX#XpeZd#ciUDKIIcu;{IIl4_t`
zC9#$HSpUc=V4qU>9{VEc<hK64_u_|>yDYK>X03qFhz443l3UYxo7yrK@HX|K_v1g6
zym!=394IxpSJ+FK?CdPH<`MdQ&7JF$<Z{zS#T)%iSx<||j7aN;M(P-z_Q+xOLi`Yc
zfxfBNYC+KMR^akFBl)c#2iojD^Cc?x>7+10xuXP1f5g=PR8yGH#ytZ4QPvU+T&j&Z
z>nJKMst8#@;V-JmbC1P2j;N5G(1q6%C}lbW5KXCH?+L#1jDIRAE7Bj9@qcE2KHgiB
z<Ovvb-vbg6Z-FAmGab0$w7(p7S@7MhrABxYGSw8+;c5nraN4vuF-+|KPgH?C>rb?G
zIE@<=xcG29Pf~cAnIF~xv*xE6xJ@V&u2{(q58R=)`5DEA-J5*0GG0sz%_hEf?CWB9
zX}qcAZeF-B9U-?RsTB+lkVyQl2ydE(vuhc*_m&m}(14Y}Nsf6txPqZ+W`yfT(Yq?1
zvaYG`WZoTc*Sel?vN<$>L}lpoYwlLytBO~Q*z4b#xdd;4Rp}a(wrlMNHh;&;pE9Ss
zBE1Lq(^%hBDZ-7X_pFNu7xAb(=U;LRbo0mY`)ht!??u98UnIL+y&uHZB-g!d4|jX8
zK74)$UV{R^&GFGRaU?)Ave0npWtW~bt#XBJqc<~(c+niKrxblF@gQbL_z%8gE9{DY
zj{~oAKk4q}1!g67qaPK0pV=1(AND;$JB#0<aBHs4klSwaEQK{RG`e2W@hAVn^=6fR
zJLJk1C07rfmbW>4mQ0WGT+@?ud`G=Xoo+(q&+mhhiv6y?#TH#RXlnLwXoLsVZfC$u
z4=$>w=ocI7MEqV|fi~Mstt-V$wtKup!IWVkxWa7c^A~O5A~qq9hGlHB(<GxBdo0u@
zk_AMg8$E?LgNQJ^2sKq1_y|-}wkC33dhu!IF%Yz3tWqSSwyj1{&!R_VmQ|WjZs4)#
zsybZe5CsX4hEaqlg{bOh;AhssO!h+J2jmzm83Lc<gkutfwQ07F3!iJbm;Zr!lUlCR
zpguyMC!pk!oRTv^(?|WDlv!e(&{vr6Lr98Vb#ebW75R)t>>ai<Hq0~=Ti#kgVCYn3
z;<QS9kIV#ho)a?FgF)XBl11v4F8~uEFo$}`M@`Fiqr@?g&F98pDy!0{VrYgbaH0p<
z1k5~Mq+?MlkPXz&7{)(HkriTdfN{ELXJ8q|qOR=&zJ!VqwMpYobS<c5UJN)N3=bez
zm2I%H1?a`~)><c!za_5l*!U`t(xI&}o^vKY%{bsY>68OUg^unKJzClXy57;RRD}~8
zD#=JD$8#XS|D$^%^Z=t6q=)3=#?6iLoDiaDWS;QV%KOylu^POh!Dt^@>S&JpSEQZ}
z=v>RMq@Z{zVe~(YQusOZ68l?;Od(6cAhKE!ihL1ELjD{w>m6lxwE#sK4vuRHgu<rV
zzyxC;NhEy40@4dPpp4;X_2~U$3RfUs>wcy!2&rRIY9TH5P=I*ghStUs!$W#|{46p{
zy)NNs@CZ|V+E683BKEkPt8R9z<WfpcpsAFr(tHrl9S<*!d28l|4aQw6IC@4u40P+9
z5WHijuht{AjOH;c$Y{4U^Zg(+R7y#tLS=H%v4YLc^@<RCxF2(2<~SB>(GzCi<h=S!
zqs(-QvWD8EqEHVr7AwhsQZPPuw9xVVKam-K3C91qIuS??l4T+_h-P?znmZE>>uU;@
zlBA-Cq7u4B>=jE9kIm38Gg(S-LpUe!?(MHkOfu3ysiXK$=?Z$7u9ZYz#SqPLis(&)
zpcW6qR`e`1X9Wt<aW8^3Lt^$1<uAR3##TtYh{w6#U~ZV@vI*HyJHNR=rDBCbRPE6w
z@-gpReh9#{xn8^M>f((Ovr3-&%U*Jp-V_#v7OJ7{rm?^sq4c=)xD^ietA56oMzP$9
zF1dv0OV6!vt^@2a?>l)Z6=>m(qR_&z#}{95N|QT<Dl2R8j~Fa@52zl+E>HboT=aqV
zNz%}jl#zZi6U-N0e3e`<b8Wa8oFB~WSxw}jG4|h%-Tx>oY!Fj3PW31fZf=~+=}dXk
zHd5id%F6E&F%S`rdHkrTKIuqGAI)0RtVmoNT^z<xAIKtA5s9acZ*b9&2kMkSJxedo
zQ#8HnPYmbFFB`u1`mQA~%9&E~nDpRdIcW1B>&WQg6L1WW1spqdWHQ?m5AztG^ltEw
z7|(Gj9lK#m4VxtMaB7{oK}N#VXdk*2^|wUAtYetJtu4wo9b%u5$t2j)S~{L_Dg6-W
zFwR<+2#C=UeAO5I!-K-ZlGWgY{4G<*Yr|JZxulC?qWA-g+>91k7n;l!LOWkR{GS^G
za4K?0-|4u<Bbx1rH0g?!@E+2DLC|V;KY=*~Y!rI_%!f_ifN%M-;1j1H!(o}M<AD|n
z^fwpZxT97GD7#ppsB<iCu?n*aU(qoJoR%xCZ3l!_Gs{*Cso0y<8=W&1&Woau&WKp0
z*VYE$99+OaIU#>^H@MRc*_Jq#?-{L@CMF&{{d4i=tJ}oof**Ibs~Ma!nx3zCzvO4w
zt`bkY%MMeXI<fkpd173<T|51jGGk~@*5o=}_Z#b*)4$cge^hz~M+n7Iu}yfRJ8FVf
z3ZxkQge!(J_dKdosTD(u3@-VZL1HO+Hi$F__#gNF`M!GXkmHtKo@FpBQ#!E1r@b~D
z+3G$Z5&a37jrRh%=a+VF159DAha8s$FZ_kEb*~ci4KoeW`hAQU<Yz_B9#%ERb^7nt
zf3WUBCB2&>Fu<<<SU<c){GdS*k3(Mf71KQAS}3iCO`6~4R^hwCs$W9OBm-}fzO18c
zsL-__Qw0w9#2eSY73aSI84_${V`=?h4uq}egJ$~N>NO1vVp1q@kzsH<v_a;aFH*!P
z5QQ7KTa2P}hU(xzG1A!w`>SCuV@zY?rggMpBJoiAyvn4@c?cxw!Pvd6P_1Xb{=U<}
zN-#$7y{rg%J_*JPX4}|<%0`|xDM@XrQk7pLr}SQAXM{>-$uTseuly+NLp5W)`g1w+
zTAxJ1(O5k}zi?KKO;$qrK`Kd%Mi<3)HE~zzb@ZaT=%(LHN40bAE&h2XArmm^0{*$o
z%buj>E!7rJCXe0z{kI__i`Li{=1jc6=9Vm?3~Q8b%uZ=!A_#I9K-1Uf7^mV^+LbfM
zxQ$#=%-w4aXKh?p8Y6yDN3t#Dy|+<f|HY9u<iVUxl}oyegQVy6s2#CLzTsF@S=ssq
zc%RnDi;^2Nnm1&VY8=|eyi_!0lJU<wDfI$afN%6CiLOu5o^?X{s^->N?zs!LofS38
z$|v1>w!qZ+tl|aG9)Of~+n{}&j1`vR$%?z4Po7TZ_~rK=LHhFo;Esi&Huu{Kh_1mw
zz?oI;5&wW!`l}8c{J3GxKJ{jvf5e)<HrIe$NLu6bX_9v&?iN%8M9`Xb4(HjHCnmvo
zD#I``C)0@8uHd_Qp^0`P1IBZLihA9MFJ!yiSx86SLfbe5HTqz(!?eM^ghfSl3nq>}
zii(bNXl5(gP}#TL+7ZRg`VI8fs)SrV183x6evSG&?=!BO0_TQ@R4Zoyy6|U$2tnF_
ze1di-@AM5JpE#cl?<tx9b7J+AN>Fl{(JnfSs`%D{I^0FAz4qP(9*u-R+-$~bV;|nh
z0SPb1sDVorA6U8?8JNF-t6lalZdKEK`&<!|=tA$od(khVunzDJWEPnhgAkIZWwO4s
zW7Y83VYg<@XyYu;*uS4Jf&?K1x^4*;u^`R%>m>i`J-=hS`@VxT*mX(Zt!o4{S$>R=
z2K-#X#yFvN_&gLxxo*;i5cQQ!N;x;^M#oo9fZz5p3wUGnjiN!gF<k3UOV~IJ@EA{3
zV})L{0-M}TAmJX>sC)lhGFxnUvOOm0xuF`$qX-<{c?*779K*px;6+*=L-lk3N)2!o
zpLsF@v{CBi9>H7BX-``tZV??%(zV`g=$0vghLh?y@TQBBg_1zvaj`7l2c?&B>MZ<%
z>`@;6bbNDd{DbF&qKHM2Tc|Xw0hAqP{=fG*-!1#sH0DZd8JDOel4&kZi}a}wFWQx*
z@AdK<v>j?hKI7iQYgRE%Dv=!m_U<?Qd0;w!+1aODLfs>tb<j_C82_@@g1F0k!wZ<_
z9{)-f_y(@2&Gn{_E0yG?@#FOW!gc?HBNeJbmw-+w%cfcFdB%u>S;!4S@Fp3kcE7!U
zM<1|yO`aSgPpJf&;ejkpnT3KyR3x`iD8J;1!$Y0H7m&g1DWvTUC3R+C06M4vNf&SS
zkj3u{JSKb?BLT?ly?HCX8`|Fk-vm?D=h>1jmgyR~2z4{py%*C`G0L~Hh7tUWODvMe
zATTW<f9RE3V~nS?2xM3um@;$`zo?5yg#K^}H8gy8OoRW!h8ivUXV9EK3lGvPnpc`s
z(T^xlSj2a*we|$i=H+o5wfN*+G(!l5TnQ>}ox?;nDPwe-vfiT$)=fOyB%_V_?{P#m
zFl~61=Hx`m8qeS*5M$@xDMGVX`=bB&Jjg3*8alykBToaDY(`{s^G-qgTSIYX*1>-}
zOqaD@6wj0sZ~D4?{{5__K=ES;nKOqwzG@TFryJR(A+Zf%ZDQBX-NE>CF{Fnvpq519
ziSN;*K&nJo8i8k+GFw@Fl8WX<n#-ri0C)W|`$Uc;Th^WiKvN5H4*~iilcn!uG4p4-
zy7wLSB9})$&XyreI&)Mn0hI3K6S-X3<TqAM<|{$h!t#dJvJYPB2CGxOF#1)4+NEg^
zq0dd8OQ=>*<TS86rFss5(A@ej!ktr2n)Ua$HBSskUj|6IHTIx~6;vq<#N;X@HUIga
z_3)p{C6r64&>|+6E22O7KP*7uJ^=@M(&KU?dy|87o4>ny{}eg@5h;NwObwJG$-v~v
z^60-G*Z&}!_R%4PlJ+L{|3CQ<9(`(TOFcbC09NQ!JH6(8Yr5B3PM^y4%WG>q2{1RK
z#jp9e0G^c4h5BMNBvq;|+cG1)YnB0~L(Tp1#4tOVl>L))^DRu!pffF9gO|UC?}LH|
zQ;X@pE;ryY2N`tR2?IsR5JSevz!zok*%*IU$29=-K4#`zC-W&UZ%^c~1D>O%7Nkua
z18bCxj3Q};E)X2Sxde8UH>H@XDcuY6>1w4F06(7fTNXKYf{M{|B@~0q|7Fkl=GQ^>
zBWcpyORm<V<tApkA^D6^1FM8&;%Ho0N&X)D-FO~x&M|9-h5qchylb(~?7s?G5ECCS
zSI6R+AhpMVur9rM3&LWIs7kBj3Q7D_P`3g8kYS)B(^9JJyilLl0i0IoUX0r4dl9yR
zNCmt3N<B2kL(o7;0%1L*0l`J$TmSt&+2{J-&j%Xr4~Lvv!A$Tz7}kGXb*J=MxtuLN
z^7LGPKh@9n0sM^`4VE7^fRr5f;VJvywOXhGfgJYIUtN$wICNee*m=Rs_M_x3nM1N3
z717ouF{_M%*baWcN%00VxaeVCbsS~VbRB8GvAaR9(mz|W#czAIUnBI+)^abG4$)Je
z1)yIWxNK*s2mkz<FoFv}M{EL$J3~89O0C&p!VbX#A?{CMtGf3bB3lAjslT)E-z{@i
z%k^1wzP&C<l+E_(Y`;aA|L{6rJ=w@P0R2<V_vr`t*%wPMfLQN{{qRXcNhDnwcwv2M
z0Su@~J{Z>By#(0liD<yZVe)qP$cx26gi*~goF{aaL6<vlg9POxf;t8M>tO-l7Q6v=
z-lO1{=F7Ba1*BL26QW0t5ONUN5|@XsdEUf`xXi1jTX>GZzapTp9+rp?gWpQkQs4qc
zmly`z=<A3AedT^k;!hA;LYET>$~^hy!1G6x_k3#ksl(5WOdg4fxpuN&3dGaNJVbcc
z5VL8*fT6>~w_l&$s{&%wL&N8Imj1h}&P%OLfSc_B15$ugcmwYFD8hjRM>U0|!2b$B
zxf|dco}R&%JjX@=YR3v(R&-uHyqN9;UO<+pu~#ho8az!A*2ZtA6|h;CGj@Al^LKK9
zOHCxAGu#JU2i970on8Ysm2|MM_z!&GF2K)bf6f&+*K|c$QHV4ivd+Ps4ZeUTt^Rq)
z3F5T+9&i$mIGTmr7UA=v?%!>qY2RGwwu20T%?M&`7=Sw@yq}$}0L!K0a_@q`-&s?r
zZgCx8r%%lS5Ei~t=K9zfbMs>RM?=@|i+K9`%j;Nd^Uj8qcZlraKM@ZRinrGh*lU>H
zs+X4%#+zQUd(jOWy>;&^?3<5lUyr$H8K?3GWwF#{=nUnBI2q@?SoZS-JG$aq#xDLZ
z)jf|CEwK@j@%q0y4D*bTN$C^KHn7?aSO@Fmje<}OFdZc*fY1&cYivVhsRB8#xIyE6
z-2KHazaSa%&?BEO$`sQz)6dwy4<o3_^S0aR@9WFEa~0eE8g-Z|^yIkDubzM)DNSzj
zb)mfv<z`Q<^?E-idpK47r_15SEcKJiyPYifh@jG>qjFTdyr!Y^VS@Crs*VdH`K31`
zzvnC1)1>B=*nF*WlYn~BaTSoWcgN`orKcLs(|y{yiXM8#io?>60Fbowp8{JZ0n;?v
zDZnv-%ppERMa<s-POLEmN&_Mv^+(m39HK&RL9=H+7NQzPYHTXcaj#QvzNjgR*Dm;U
zMg_rZg14=L2QVoDb^?_m>#LsExW_A?o+NhA6kGOvtYg^CbQ1b1C14Me2%jhx`2ws&
z?iEi!<PC%PuKX<t^Ep3&ZOI%d<zF5uuH^+??dFGsW^yQ9=o<V+Xd^N7wooPvCUpJi
zW2O5mFzbi`@;EFA-jQ6;5i)k9yu<?dqGSnu@$JJb!Vcpw6*@m91RvLLohb7=lU>m1
ziM7<r->%Pk`;P8zzTcI7GuabMPdCL21`lp2Nx=QcWI=D|f5>CdvPci<t)fDGfD6-m
zX&{r_X8y+hInVlw;IJAi3*?r<pFSLr5V!QoBDJ55JN+UvL2O@2yK=%ozAA%W)v{Zj
zGa7=7>e)8X``76??+Mwd;Ee4<O6?RNc1DCj^YZ(7yjCg5iTz}YMI5Jz&iCPTb|CI8
z&ziys777OMb3h!3G3joLdIH0ywT~n-+IqO*;Ay3Yh()nUe2bwSW&|D|vJC?S$<he-
z8^?A*18XF5tRUy&PUnk8c_q1g!<H4|@WcaP6O*J)WgFFjaC-@gvg9vJB4RD4m{)jS
z__3)6o!V(S?6;mzt~_hRBzR_Qj!?xvN3bJy#HA3^sM{CA*rikv4>>O9i8s*CCJF-(
zxem(V_=F;4^{s1IJ%X+rIQzh*#>4D!yy&&_B9dSDmjxe^sHsf~s|NtFs26dX?tY>c
zazkeBn$(_l4a0wnz)}mMaUNUWj0@jg%FB;o&0;9*g8s0^x2aGm<mlQZP<%?aWs)(B
z(Z?{uwWk$c6Fa1IqsKEy;UnDJHhwrYeE9uv<&wjj`t{i3S;@T<uqac(7G>Asj(v;l
z(Q~5p(qQ#NVIJfswX|;|yDBMlKKFp!FV2s*Q(uB5gC)iWA9VE+X^fn9ISyEsOe9%3
zl=-sTr|kUUHTQl0A8$u6L-B{Od+A}M+B;nFCEdG4S$xRzWVmkK&(_klK}L^Nm-RON
z6*Fp&H$rLrC}*SMKL$qpKwonMWKlh`KE(B!*uTEJJ@0}?OsB`>Gb1_NCm_c8y#^7>
z3>DoA)ZlGNH4#@fD5^&D<YMtqEx;c{y#I(|Cm)A%4gj+z>6(cU{P+Z0%>Hih$iLpR
z&05=fsJaG|-5xeKJg%w$I<m61^ijVEk;;0wNKY!qo(?*1ZfD>he@zjdMe59ey4JN<
z{?#ioc2=ruPD-B(O3Dl#g*`y``K9KPDJ^VGreZBeqVS1Tjq|Iie)g&#R7sU%I9``w
zOClI3$Waw@3C{FR-eAEFNZ`yqt!4~nV6IxQh&Z<KN8k0^ZyMV2d>#4M%u?khG{WIt
zE5YAGSsXGb-Vd2EjHZEulD{o0o(uXcAip&q^%_PTUi8Eg2V^Rtk*dLY+_eX5Z$S;V
zH$r2mU86W15<@&1DTWp9e1_Y<lF+d(9)&MlZbYDmv%wI-#ZAD1lRtxpOg--Ju9_}_
zq&@pQ7O&%^j{W*h_owa{7Y}v0x>ev=T5a>BRMi~J@7*__9Pu-zsSVs_sza_QmM{Cs
zc;0AL4+0HatWWR=vse%-mIqnccl_gL1x{~j?72~&Yd~205;vB*!{XJ#s?6rajrBk4
z=UN5K3~Vf99XVK7Y31=8WDh*iO(NeD-j8q`vl>h1jhy(qi1A?xxw{WHoOv_AiWDdZ
zZ^VDGwYB;#;g$g};^<>VuN_`?&uNxG^pw$bT<}g&bU^m$`ok8NO|6BGXYv-(nV-Dq
z14WK|S$H0ff<c=z=eh0r+5ixD;0bDim%?^emKU)~=JYSHitu|!OHcNjr~C_EXSy<<
zs_fDW`gx8E4)G9(c3O4Q-seBn+7V992>ktJ=rR3rHw!V<@&&t+ITy)QXDY5ZGBLaM
zDWJUuFEH*0UqWxA1x_5_;CH<Q$#5Q;JG%?Q$gile_DF4LP655+Yaqnd=f2vV$!&0l
zG8eek#}$I<c}*--U$j(2Mtmd5wvhE)VJBy83nexuj-8JzsQVY=)|RIG>OB&zW6hN2
zHd%Jr)fJ2-L7ky50*@Kk$|y~WzFAQgEm@DA$OVRAx<PS0^O=`K?1%;j_6lj-PN$h7
z|4>vs3OE{&#cC-&3=X4TN}HCQxxyDck%-=s`bBa)_%hNl_Ii~qyxp)zg+QGQdQc$X
z(cA0?=5a0rDSpw?vXeDG8Y(kSnf&O?6pgRNR>0u&%6h9fY*1PDp$H-@v7p64tbm*X
z)txlv^&SD;EKAQweNZ7~;|c6|P4PWzz=cP@u~{f&)xJ-00$X#0;@HG2nd7^ESa+`>
zXG)dnXFQI3{3^1Bdo1broZ$4M6sCVO3Z2|dhPZLi$e2Xy^5r72W9G5N@aNaL>Vxxz
z_h#ozbiu+PAH3|(M>F_;V7s&OE%HBJSo$L5xNKooy4>q*7WjB=+w-^a%d$M|JKX|3
z-VcZEw12ge=5ZkmXM!z5zsxys+C7w!{6c(q10O=PPHu1hM9beGWfPxndNO+MoXZO+
zvCmPIHhJQsN*xpbuAzX~8si@klLm0TA)1jBhYeNGb32i8;ru)bu4I$y?~_aIMCs%^
zGLPYW|Jw#zD_S~QLV=@krXr3=l7OZ54cbvLie9KjD4>)sJ)<FH<#YWLOjL|XeJpIZ
zaXYW8<RAjbS~Bawgz?@>)Ei8h3rTo^{%jFy-1819IW)5|GS2JOp&rp#omWnet*P<$
z+9tbcY6ZXIqw!QSAHSN?%3FzmLXRRy=I->EqFWhVrz=ftJgC^3dXR;<)VF}*?$ohg
zB|d)Imj+i&yh3eOxW079KS&xm+G#a5kqnmzb9!u(#S-fNm<N?GqU0ECd~RN+&)UFE
zQsq}YBTo095NU=Y9i6>YG3u7B5D`TRVj;XfDHI!vsQZR{QAZKUDz~<WiZ{A!%cAOQ
zB<~+#jC>sKdrlojl{GMH{|fm&o8BU<m~$pZ0herC&DSiNe`-f&oT;*LgPw{?q!HG?
z8jhr9NZb3Gb8-reU*@>%azk1B%Oy0L1<w!9sv|NT89gmgIKub>ndiaM<tJio=Up70
z&Wp8J^Gp>>_q}<Yv99A$?w9Os7o|n(FqY@CzG@E45I@Nyg*YsF?(y@}$N}#~kBg@H
zmv5ZSB4~*}uz$@r!=kx(U^VDZPk*SX!4@^8QuQ@+i*rFHkH(=+s3qKDeUv1@sMv|W
z_6o9V#IrkX`^fL-k5hZK;HwkyEYa-(r8~*eiE-8EpIA9{o|}%``vq56)Y0$oS^f)E
zz9O_f#+!`@LQ}#FH;0n4eaqZ0Y>4@dYKPt%cQ5=0sHSDp{NQX76~ce2urV=kE*Ly^
z7FLD`<FR8f!DFE?oWa`X{=WFkyYlboBi%@JxVY#)mNWuRzfjPaIM@(&#yjSEMBRNN
zWKU_nFf0wY=q}-(P~xSMPa_?s5?KH9N}zE2{!{#76u#549gXP%JBBd@UTC&V+sfp5
zj*#4%JAXFoJTD9OXZ^cU{I{1_b_Co{XXqoK3e3>p1kD(spuJCZIW+Fw$oZzlU7FP4
z7B=0J6f0}NqOu~7+#fs+zt;V($tP?YZDH4hsmknLD80xpe-9XlX)(q*Ug%gBD+JTc
z#z{95;H<N#vK^0=a^Y2$B>(a%J{SJo=Z(UGcjG*YZ+V(ig>g7qdQ*3#bS{nUR61Q@
zm*qEnZ;@+*!VS9ASXqdlp=BzFi#%5u@p|mAmUEd3uNPfjG0qXty@z&7A-|=LghEws
z<XejmhA5(Zusy=3Z+*82_gJ1Tshjzc5$@4(+Q0veIp19%rM00;Ut5f7CLfL;i9U**
zO>WO|F=A~*Z4^BJq;gO&W}CSbMR**Q3JW(Yn#Erh$6)kv;IQIg#+yUi9xE6Y|DY3H
z8@U^eYSbte6)OQ#(cxMT<ugI>PS+bNz||H&P#i|Z%fH_k=pMJexigkdj$1wa+-EJ~
zN5E%avlIO>7Pz3SPe-?J)6wj@Vzd?AqCH1t@B<UtFwv>f;@E84=Y#PQ9;eh&yf|~K
znaKCEHD*plXiR5DR+y==4&ohoYrpHiYZADzNXSyQet@)JtiYc1CBhc!jinadRl#DV
z7+LDIR(@~n<1<;l;EAlf_M2Bpikthq@A(SLN|1L9k1T#fn@_PHFjjztI-nab$=Q+j
zS8_E6K4f}pg*LHJvd6Wf-t<+J7%?qQJA<L2FtrJ)rn<Xjq&&?wMWqArRp4n3!Ic;c
z+CRWR5btP=ue_6(EUQou6Kf1!RP>QhB4W*c+RN1h@}O@<V(renVALK)(+uL^zo8h0
z@OqVxytkMe+@~2g{6j6waXX~-M&L_-H*GRzt)Pi*vd*7?`Nv|R8*Ap1A(Xh>BG%Kx
zLoD$gIDxtl+^ijI8S^EWqPqTcSNZqXZSmPIO-|^<$@921S+j!__vPgnP8Ahx8mDBe
zQT5Q8P%NDu&gev0beG~C(71JF#)TJXE0sLz4L&AfKfR+6UtvP!<q)t@wu<mooa<4@
zC)P@l*rgYDTQsx`I8wF>y6Pp+;mPh{F=H%Vd>}2n6643{Mmoo;S#5}|hB>9_%yFsQ
zmKA`f9QeGr4V4m&k{HX5ve?6YJTvJCKc%d7zHma{YMwq&XOZtlO(ga-=;xecW)qo`
zxgkTmz(VoUk9Q87U%f?cvX6t4vXhf+H^a&K=_vw_x+_m~s~@1b7S>-VW_NV>G79&}
z^=&IpXd>~0o2nNq(b28fti+o@PDfAez)eA5bFbFLrhh^(T$E1J@}Y<?g&umlG?H|y
zKzBzsEa2qlv(eRP3}_v(Yy?acM%*~}xx2Wfr!e;fRJ-<EVwS!HczIIZ$D2x#2^bOA
zLI&M~*g6>uTYXq>tDTj6EjzE6HkhfaCwd8l1)>7C!XpFu@R`qbtx6lH?lr!f=e!)k
z$3?YqkM1e6SV_$0=QpWq2-u5NIALOJn8&0>bzR%soTxRdoYkO$iH;K#J{^fB<0Z8e
z2{3GbzMI@DD7~Uwb^uFsWGlK3D9v(S9T>vE@m7VKDx{gMF*F1)RNX&L&=N2$E+5e#
zDkj3M)O9z+_QMG3u&Cmf<x6GFHN*Zj^Y~}k(_Zox%k>g9+Szi+!B14SF>j|Z%)j{e
zX0*p|{*gYik&jHrXQU^Aa_^DG%Lpvs7p142BhljJv-i#&8TD|s_&hwNdFg=TJOnSO
zY=2Hs4_g=GhNm)%FKJ8RN$b3I>U<j@w0X~Y4qisnwE8x7MlbPsm=Q6*VB!1j6Z}=R
z_n4S%n&+QI|Jw%+J(iObjo%ID<RsY2?V-MLMBhGDrXXSCJtPEu98-*gQ<)fXu2Y*G
z^SR*JUnD8`wG?W1aYlmc5w~c8g*$R0e6DZ3G<}kdor;yMwAB(01Kzg2^2qCCzj<3J
zkXeRLoM#sog?%@dSl)o$M1XasX%*A?j4?&*wBn;t_@Kre?F3&0sZGg|i+S&Sf?#qx
z!L%&rdR1$z{^2&&Yq#kNy#pLA@vn5VnDIrGA?*E3DCI7eMp@fRu>^zB1c^n{<(W9R
zBXNiRvw}A|$BA3mQ|h@95aYLwC>oeozu+%LTINsl@1##)P7(6dQRgAqK<P0!fFIuU
z_!8U3AH^nw_DT!MLd*vlZI&tSPfs$YGHCemN1|lK3jBPf{VKisQS|OY>iT%eNOtm=
z^f7Wzaw#v21UCXb+)6}g`t1r@$zHt2xqz-C!B|LKH1%6zA`U5u?UFu?*BL}d&5%MO
z6r92mebwa>kN%tOp4jSP8&q6v0tlGaTt?YIIubxd#*BzU3Ado*65W*-W+9>2lo%Aj
zA*Nf0;2SB(CaesrC?2>gzI^mE6lq010n7J?hM<4^UE3#Oo1Rcg)IF@(P;zE|c4$)N
zp^!ojnkxeqWo|e=<Pn=ncK}>>qKt>pnJnJw?&OUjljaob0VAnzl0gLwDuqqhNz(Un
z7baMO_6e@F_|k$J4=hawMcpYo-6<KpBAFx4Z8L=%stFM(=W!<GvQ)QP*fu6jChJ-_
zT2YN~z+x!QNn(^<XR(7LJZ<L>)A!c3UiwdOQ}#dn+)C)r;^57&w9Mvhv;On(&&7_A
z0a1lZtxc~?>-6Nh;fFr=zx5a0AZTS<>g3a*w2)hh?|kU$r@_w;Y01Shyl`*`+1A(4
z{VZPp7QfUU(uxoWeVvXO$Ri?7aBNm7kToKgAFHkkW#g6{QbG?5uV!<H(|FjSFQhuH
zd`<Xd_<UC9m!r=8_-kQb2c{e;M+=3UFn;26DM6~`j30u;-}Eraabmd@RoP}RR6frQ
zJ(yl9;#*T%FR@a;7n7{yalRvYRpCMOi9f}kD^iv{v#%;q?M$%DV~=jBQf2T#8y1_h
zX5#?nDC()bq9+G@IOcuyHUS!But771D+yH%^({PjP=!E}K!zX)Is}&yx$SFr=%5il
z!lsM6qqw)%%74{SoYr>|r(-nev=^M>>HIxyL^VzS-4m?}wu2|MNd_FP(x)BJQ+pUM
zovfV*#aq|jLdmDfHLmAr$5Q;h&|24C)I9867;k>*kB-LE^%RnFq3x3@_SvF(1{Y7l
z#?U3(F{7CKyJ-1OXw+6Oc6>ak3@@R=Yy@<dP&?A<oJtY)BuZ(Wx}{Nw>zC4bHy-mV
zj|Ilw;{hSQ{2j>{8V8{ri8OVpkI!~QJlF2A*<=Tl?zRqixAwaG<ERZs8|Go|`F;KC
z-6T~U1t;@k1P$*li;YmC8XNiofn*w~Xdl~T09pom=B$AHU<hpFv+af1e1L#n<cQ27
zu~S3IYTtvd<X;jgkxoPXS{KeVWuMvWR!WHLN~?@9vu0JsLa!BribndP1fY&96G)Oz
z-|!ja`p2skR7PyP(q4+P>An8p2iJu26b*!1CjMk3%Cw%Ukg*9OVL#O}62VXN)1G$u
z<U1c6H%R}pEge6p<XmA{-nY_<J6}gL5sOe{HFbFAkD!ergXerL0TH@wOuIq+ABowh
zKf~k@?uS2NHn5mi7z^u=2_MZ%zuOoqUb@Ed!j8Bufsa^asRvS;73DP4Nd^Wky~j3C
z35YJc@@sTadD;53JW@{5%FMtjAGNC4%J?Ip*U^K9pNp#MJ&U#D+yd*1ea73O-nsuJ
zi*JS^QDI0K(2K^#rX%4xuvm03P_ZrCwYw|i4n8fHpr|d1rP&I-C6YzWDlO$n^LSqC
zEDTfn0Y!<H=b)l@!fkXFp>}R`(SI&bb)I2MFUrg*f-7P%{ia(SyPk!ie_CW{{uS;5
zMkaS86@FWJni@67f&?_$2aa_)!D=b;<0L8Iuy)*wD48p3@g>bjTAehE8Rl7JM!Q*j
zFe~=O*V2<T72kK#gSvR}9N59+VAKkHo`%^P@o2s?{J}0#!z2TD6Uf1-6Jr=*m>#Bo
z`1FE3>~ky@@lZd8ha$aUERAT*E8!Au`}YZ34Q$uq!0u^2Y_o^J9eRj7a1Qg)v@V!Q
zAGSvet44=Wa;DdbjNl_n1&AsO@yY|VCtFT-U~_Epuim;L9x_~)Q2~^54-Z2OPusKI
zP1x+O^^47j#bY#Hk$br>p$afhA(6g-?$5A*Lu!nYTw{8Eh#jB$p++m0H4}C-G5Ta?
zaG{%CLKr=j$fM5;RMYL<nEctar^=Fv>HbC8l4%1h^Lv9Pc%6yW23#k(D=+jSeNyaZ
z(;CF^Qo5Y{PH^PwR~Cp3<k)`f)G)jB4tt34QuNA+%&0`<7JU$wweh5M<NY|gB?ZB@
zV_?%sjXj+)#zwnShDmIokuzVkgt=ml@UTfFwRRi@B;g$pP0$R>jMq)0gmt`1$zHBs
zKepJBWcI{TuBZAH&S~<s+x1JxSp=q0h0T}VuV;ITA?^C<ZC9Q)od3g@$URaF>5*#w
zk)?{6UTGXmw#x8cw>C4)QJKl%CMCj1!Hfsh3*Wd@zZq-%*la`L#v$VTu}frSx}GoZ
z!ejLE{_v{TSJxrFz5Hy{+|;YzlS0KiNxeK;U{4my@GzVezfAM#v%krV0TU>eL5~mP
zcSTX3pih5P-dJhCm>|$Bcgj&y!h=w|LGPDl=0`f{4Gg}S-iFZ2?cGIrSkNRX1|G(3
zGGCPIF_C=F@Ho)DxgvO0KLuga2T#Rxb*T5=JZG9{f*;vYY!w8jGhJc7NvQCKL3*gY
zRfmh{MTl|!)k)kKbp+u-$ad0oB^mug#Ud-#HJ%I~+VrkBLuXvnq2H{|poM%DY~pSE
zXUMfzxes6cpR|c6Ei!GX&4bhpL*tt@!PY^+r}oN$=*6pHlq!Z4pB2_t?jC4q3oy$w
zgs!R5pnJ9Z<DHXp)lSEjqb}a}AaZGm3SVe#Y|Ed!mFidKM2lxd-_txD{3tr<O8Uz-
ztqyivXj4{W_xr~Je~Zvl3UcoNKo?!K+oCbEl0r+$O$Sc%3_+1%LjAa9L!xJ!_#yjc
zj4Zx1w#RKsclZF8p=Ti5bS`pmz*o5~2AiA(f16Fo`1>x#Xf|bMMM2&o^zB2=Z`3W8
zoq}DKqv_eb?dTkhjra~8j+w`OAe0=CYkIZ5A}_PVE0{6n0~(1A7HU<mnxBsRpRnt^
z00a;zyN<1bRW_tFd7BHaZ{W>*AI3-1iku^&MqcPhN$?D4Vy!7TevOTmr)49DNn9NC
zSmB0^Kzm<R7mYx-Gr#;={_y_A;CL{4l1u&MT>#{O1R|UOWbCnq!qW4UcZh-ZJ7r-`
zn$obZ2nkF4jJx>U{%bP>de|j}o%T|<m^n?Gg~^?-b@&Lyh6x9l13s6fmdx1b5W}$=
zeY}J%5E}mpx28GDZ{Sj(CZxD7{B&oAxuu=&j#OtD4_afpVwSZX@p~L1?S{qPS%i)i
z0e#4Q`AQbw+5>d^O227eU%(@9jP&BAZVKQkU(r&O7okerEX*3QH7mMQ2P})6Q;eqE
zZ6!9nXc0d<P9{mJN*0<Fbep**SvR#}X=?SlF&!73c9hF<7rjM(Mc#_fRsX+miiaUc
zb|XLoSiu-0z`S_SlZw{GAkq7=EJcugmNlB&+!a0gLe|D751Gn&?J=qw4EPIGKq=vZ
z&qaCBf8ZbiBj=A=KYI!o{OrOz<Q3O}X!H9^I1)5A-Qpww<RV;xNn7R*{%6SmexJrS
zoC&ZdRS}8l-Um?*>aU3k?gJa8<LyJV<f-ZwiC}wJ;wNNOd-Pob;{me6Ld^xsmvvLz
zc!@oPb1ZNUfftI@;iT$<PpY&-c|u%myAwHSZ;jpSHDp%iRAQxK-c|16`7&L+2o)&R
zOvSh2i&VGIC)PY=K%0pOqfqXP_^o{lqIWh=B1epzu+n%72;5R}4cdTD=R%4k0axvX
z^4FeUq}f8SN15zL(i>bbR=7&QMu;SfAxCM6LlU@>q8o=5;fd7w7{e@!v>G{zw+Ib4
zpJ$75)lcPweWVuW;GVIrar6kReFi>kBH8kTU}%&k=Yh8Ubn`!+E`L#+q2RKI^PrpJ
zjDj9G{j=f-dK^`n>%P;2uM78hcpdc2oL`9uZd!*#Qx3rx6{TatW2eA~9xou#RJhd8
z+iR`+kO<;YjT3uIQ9RLv!g^$Cc&o}4oZ6FKu|%VedkP5m$#aLlfTBXljD53(>|a?i
zV&ftUaHp@JLg#2_9S+B>Y23>6RlydJNkWw`mr#HeJql$T03!yQKx5!ip7k4weM{D9
z%s|Y*=H886rI=SJ*;}mw53Qu6C^v@Po2N$^$-q}jPMsN*W|ubSc`|hZ0lJhjb-9e<
z{zmh2sms3cB!2^3QfMA9h4HnjwhkwwJ;?l61PjQI)}`jIc2l%iZL2gRT}T4L?jrw2
zm@(-T?&a#`)(r~h_z9Nts})rC9AmsyL&fOz%2Wez(0+j3VYfYaq&FO|cK$r**q-vJ
zFBOf?<n(iJsFzRg|AmBjDk7a=YbpUf4Zif0Lx2R*+v>62p@tQ%F@81U#8C!gLv<T>
zWN>{RncFHt+1VKODFTzYqY7<x-C=kA=fpXU19xfU1Ju{ig~&y>u4`+>LDNs=f7pVp
z8Hb&GM6;VjHtF%&rZ=5a5XwB>Gc6DX4VC8h&dxecIiULNL>-D#<n|^^kF6*U#>V3q
zZ?J8vUNnWdLFo{lNgO2`%atN-{5<Tsq{FE~<mpnY&<yFBWqM>Z!Pb|p%UCI{$#jYh
z{0O>pg#h~$Pp1VZ<~P}t5s!;(%Z>hD+<yxJGF)Mrs8XGAqSffd+A&g9gjj60#XuzI
zCrK!iX254pLd}$EKJ|z8oaQv8<lC)cUjrj8qC0v5s@t_HJtyvct{gF}Ki3^Jp3KnW
zECpxXF{XZ4ooN^)i@6p_z|MyGGaE^Ce7gO+H4|=f&UZd}8d+<-na)NuTt1Wk*M-Lk
zl_u!^j)@(=4+s%^#e@w#X>1p$p(M)1LJtI6t4Y(r$SA*w3RdX6F(0Dd$ny_?_4gSk
z=f@l(`59rUG(_X2=||r0`3!2vjB+v7lO!SQHD4rz*Z$g#$|PQyM}79e1_|1O*Z+(g
z{Y85L`#d3(i^<sfe8Y^R#y8X`kqjZRnS9(+H{agB;BT{PR5&*Kb`F5BZ=%-!H5B^a
z<^=x!8X@Ot-XMbMBCTHP`3|i4S8Y3b9-*Xn-C$kEKR@#KD9nHUyBw|(QpG2L+q}RX
zH=7tumb_PQc4pJ|zj+`2i%w%8L}vCRDr&<1e}5igwqu?L5;t7+|MkbH%2`k5N@AMq
z!x?p75C||;{G4w|`^R4WuZuby(+&Lege@D!$ic*hV^=mF_a0*M+8%iT82vmXyBtp+
z0m8O1&~23voE3;=GW=xWr9~+l;QRI~Q9~ENV><bO-1i+Wpte1SLVCE3AYOMLz4+#h
zwv=~C_R>Lk-N3wI@p!$Z#i7pPUl&C#0UB_*nc=yW<v7asejjkpr^83}?WFtQmnRc4
zKe$i;Xh-t{@*sc{dV*ja%<yXvc>HOn!(oiZlpf?i9`9BZl!qzkBBbN0yGuI24)b^N
z{Qx;1K2K&Z;c{r#mmrNLz#p)j&yimYeYc%*mFDx_bZv3jK=^8*U`st)?r0Btmp1pW
zC12?Qr2&x)LY^DLR2lqZx;9V*Zk6Aib??Pf8^Za*_f8q=YjR=<08^5^SV2YjQ9RM*
ztC8jYJ#H+sCCWMA!s_|7>&EAcbvW(@_>%Q%nWmQi!tg?+BIT5oBl&+RVDlPQj6O2Q
zHqY5JnD|U3;>3VZ9cte$y8Oq0&@QRn%|btCul22LbQzCH3y~y=YfatTWW-ULY7cMy
z8y)-m9D1W<{i)XM7%*0&Ao-06$frDGLZ;=op`#1}fmhFi|4==tWz;jM9PNJsCTce0
z<i5;gB66WboM)AQr_4vs!EeWZ5e5J3p?)R-`%#ihkPu}+9ZJz%kAT;z3@Sdq#FDuL
z%I=k#Q9w8Y7zIs5q;oxySwUX~pO_A)s?S#M5m9r%B@G5_zoxbwfzF*$|LDDX$%FW7
z?{Qx`{~bmI{{>iDZ7_$<0^qARwVhXcvfmN(AwK!-5^$(G1}hBH0fcqIlf^Oo!Fog6
zep^%f=G8u^_GjzN-zgou&am`Xqx0J!yuA9+fJQGS(entnr)?lI-2f02t+p9(4GKPJ
zIx0}no4OnUTL}Ylvr0OEnm$WFffpQu8Aw#v1nVaeSCNi#$Qm!AE29$jBH#-!;Ci51
zaHO3h<_3uaP&qwr{sp}iPd{oD)b9tNmhazwzq{Q&ze1Hqq`O^+bY1OnBRnJRKAe3@
z0T7lMc+?d3951I}EMj`h;!PhbymqK-`IHPY_4Gl^OIz+5(2mI?uh7IdhUkMe)6lH6
z5t%|3U`ZW=`d|c{b|imXSGaffY8rl@7XaRGS?|rAK^T308gOVE6P}V@|0+Aht&R=+
z5q&?+ANTNl6{cnr>%DyLfA-NN@X=x1N=fu~6Hw?qLG3mI@C7RLck4n5){GU&qE?A-
zRI`5mHPMdUZ#?t(4sFt7EzQL8DE?;gNkjYxy8Mk24^XqKgM#l`!x?bTxcp!L>&x{&
zyID6K8V8Uy;9P!d-5n{A=_mjd?CAtPgv$J1mB}Bm)K(Icq8}sj)vp1#34k~3;5IPr
z>AB=FR2HUSAxF~qiXg#6M`AT%zVIF?hr|wWH(3IKDxLfd6_g=~RHEtt_htsRl<yFH
z!L3wy@YyevCL}$g>_EW?$=i$dO#owks+|38{qfy1t1f-r#YmoDpk7PrpeRSHW}fAO
zdksu_GA<~9vz(ib<{`%MYk5JtuNxyNj}0VtOJ~c~r2h5-NV#U9$6<J=5DG^%QBADW
zbufM+1u#9Y*#~}L%*_sfYOf!x-$mC@CvAfv08DNV<w%i4KsfbGO@e0)-G|(Zf~)q+
zt(;9z4j)6TExPT~%?95gt7f_?NUQfM^(Bi7L~<bZ%m$eBh9OKEsK%c($v<Rx)^QZI
zb0JtYnLNo);IYxa|D`#yJ#ahk1(S&qu<6<vnFPAF-&%^JTp7Xm8=2<*8^DQ<A@aat
zjkLJip8+_LT|P(j3E2m`JB>Ib2n(MBLlt(Ki+J5y<PZiEIc6SHH2<;1&lZ9IxpDtJ
z<g^r!4qgMTe+XZWvJ#(Cs2@M%9RM!x`$mgM0FODlIW2Ks%ve-1r*8<)H%qUmJDA{g
zVve11b2w!n{LyrboH-ayl$F{*&L+mu=D?srcd~0#60sqSDJo?x;k>`v&~dEZrNRyM
z5{iNRjK$jl&xRnKHGy=w8VnRD(*{5{PpNpEas;MLnrR9`dG41617HUW$kI_HMKt)*
zhan4O`b6v+B7Tn^jM;(hf9@A;7m`^_Lx6(w`3MzNGP!h@SPL;Re{xo_s6#+I&u*_5
z`Wy)E{qjGeML5}i@@a!9b)8IkvD5u82G2&E6UE3VZce7|=bwfZDmL!{&#jXKOd<>+
z%vn})8<c_$MJ`6C<imoxm*+p*l=SRv7%nS?;d2ZR7$q1JoWdoZMD@p}C<u&gX32ng
zaG6-tt(&W}ltkI9;U|kp6)8HhUsB2>VC8OEsq82p0e3fcd$wS89-l+*z!rvHPVKGa
zz^*$b{O>Aa6b+e;UonL<Z(Qjs`U&lC36DDUp6eLgcw)#wj+WRL7BOrd)Cp^PE7l@8
zxPbMu&y7U|t5(3v!XSf@?B|DbOPzYT)WV}e7DX=DJ-HI(HHW*KyScS(3Sk=Kw#Z=+
z)9EIyy;RW;Q8K9v4dW#1C*QTLSMv8L*R)ym$MFyV5shEK00~;L>JY0Ft{b2$-)yFv
zv$-re(Omu%G)FZVPe4Qunz=R&1dwEU$X8qMDP7J)+44ZLlGK246sJ|NOJ{#8XYG`v
z*OspqTO%TG^rl!io9%4S^mRue8l)$D#Jt|Yc!N;h0LxYp%@g$<#Xch})zIl<bsBo?
zx5q9+<uz6Edy)3BAF8Od6?Ci9KLP_<wu8l%lQxE5PI!75YAn`_nf5Oo7<cFbPxT5g
zVyHwG4W|v6`N6)-5l>?Im8qGXN{{kUdxNKKBl*_8XDlm2Ni0pzQUZ~i{LgU)3RF2s
zhLAhFVQS6tL)vfwh5-w8t@7v7kLJcuiwIafhK0*1aqxB*qFEBsF^Fs9#TLP>wLT_f
zcPfd9h>Q9H3@T+-LyR%_C>c5wLTP%%W0MIj9v6<S&=aA?M_52oIN<&Ss!&#sQ%jMg
zX*-Eu9Ve%TW#<<Jy)W=kf@~;7JV)_kBi>@%x)ujL6|ty)dHrjej8L_-RRmvR1*w2+
z^(i1Eb7N@sR)9-b`m@eUwi$L!i3AN7jJEU=w#e`hMFym_e#{dLKQuK;(Z}4R4o*t)
z3^V17jO!2uoOi4(Rdj2kW;s(v_maZZ$>R>8+c6{mE~z<QKp4mkPtd=MLlf+d(uy{4
z7r8gtoLu@bS#Zq_r{DA_VGX@^vSDzF=*N7Bs&}l^C-?<BsYHoln^7V^=*s!mFsY{_
zczGhxoMn&^csE+!R_yVE&VT|U#8uA&E{3Hh69zFmDfG>boK-_n8fp@8)WVa?pQ3o9
zv0sdm<&fkyoGwb;{pl2-2bB^%xmW>$vHE&<Dpy^(=Zikc*SCcSQDT&A(M73P!ZdM@
zgGfm=(St8mF`l8s_Sv!Q`o%3jxqCu~xYa9ZR(aa?;nCz`leLI}fhi#e>}L!AE{m$=
z<YK9RpFSfTS7YE{cxI|qwZ!_hx=F%$kS03zVL-jy+J=;_Vf3g6MUhQ72W7t?+kF_0
zla%!*gtfz!TP$ljY%=fOpO5vwLFQin$NCs%656=OcquG6u-BY>^Vt%D7-MYeSPs}3
zyX{26wa|36`Tj(y2-ujnH*@bBThe;r`DcXODj$t|?votQj?DWAJp#8aQ)l%%rh;~$
z@kF+0&0AyTJZ_T~V#zipS&ucPu4|g=3LaX=f18jSlA|D)q3jWo+oz^xX=&D(Swr8o
z%6rVcH{T2GI(UYLFx#c?<B_xX5DG1_I57(}nskYI_;tV2NG`MqFC1t<`6Pk#Kw}Fa
zs3hst4w&A1$Xc{wBHHeY)Q&&Pj&>|ZqBLtnip+Y*wiJI&y-lnSQ@#M!ULU_lIiTBF
ziNy+skNW7GN`=3K^m3<E4pJ!5nDZ&&5&z8mZX;B#@NHGstmW;Rar$gy+2^5E%kk$<
z*qN$~ugom2)!2f{dT~-@8VB!^v1DIOn<|EDnT*XodCPwvG8#49qet008=;1;aM|-r
z62#U1Gad`V<jEnXHmah}4DUfaQ8AiagwkSR9N^6%N5^<qucA(Zdaxf|Q{nslOcO>m
z)F+KvM6BqhEUa8G2iN{FE^CBQ+za<ON;2-#Mt^*Wf!Ivz|ElgQ1FBrQaOswAlm=0{
zq`RcMHr)+U0@5fTAq^s(0!m4<Dd}zyX=xAv0cnIg+wVK)JLh=r{eS(nW!{>3*UY<S
zt@S()Z&}0lbAo>9RZA`sjowdY&F@YS9>}!LzJ_?T!@OZp3yo*@+-M0Ta^r)BMX$cm
zP0@9cDVo%~EH7PYnQyR4XOqPw&cV-M#M6IUd%{kCQ{YQ|!?D(x!KFDLVUW_Qm3mnE
z0YaQ6ifdbx;TE}^fAV%S>RgoTfeX^R%)a2CBcZA7`HxDWY+|}gl?MBNH`W1o_>_>a
z=3siYNn#$Sy2YpSgg*I*({4<v4~|~SVs&uMvE1IfpZb(q9?|)U3Vsc79EkRf9Yj2b
zQmgc!^7C2;4S3dZkMMU2smLOtq4wLNThYn$IA2fY%n~H1iK?IFpH$p>RzQT;nftNi
zBk)?nTLfcz7DB7&8`Dkoy*erfG_8i4lKR@w`C1(kddvWTw(8B~h4_B>^iWc?MK?Xq
zhrB#%qYPDh)N$XcpSs@?(dzgYs=MDDc+O!<#|RF_G>P%#Pwp0WIBt*Sw%!9}*O38M
z+x*Jqj-&aT<EOkN!4s3MWCPg8(F*ig<JIWwiNNRO?WX;=dFzKKt_hcopSo_E_GDa!
z1YHqB>XXOLgbWP6aPYkj@ZAJdLJS_?WtE!<;zyT5Sr-&nrKP3r&>KdRC;w=Hfe?&O
zgz~X7?9Oq~G&-kGmtoXK2iRa<ZnNHq&EV+_4aiXQYo$jrq_5G-M+Fm=Y1s;?OAsK_
zay(33DVd!CZYW91w_7P`kG(nV?`NF~(v6X6k~02zm2QMFF*NlFm0(|UfW!qi3y3}4
z6g2uDJw{}R>Y(r`PfgYBpY}=!Q=MZzjWcrP0)*2IlQJSjdv1WR=z|k!f}Cz020=NC
zwftyl4<<T^+-lC_L*V6KmJ+_F>~NcPou*bRlg4Iu$S~XJ_;DoJ-a7Hy63&PKgoV$@
zk@<(LO1}IGZ_6Erq06P%i2_RApBk;UGE=hZ*$+~!#FN$qKR#y~Z@vC`wtT=VC+U|O
z-Muc0e%BAP8@*K+2HaJrVtZj0dM~AB)7Wq28+5n)M(1cC@C8F7P*+X1ekXO8UqV*T
z|3UgA?3J<Y#;@<*^Z&3mhq5$?tpre?CM}G)L*=fd(L;e(T$mhuw8kepSaDV<myVQ&
zD-pE;`lW&yj&m<X7?peA3BaXXRW@GR`g0Y_4L;r_P|gR%kb`oZKxCT?XgfhX_+vx?
z&-M$3(s5FRTSMvEsP7~ostZEslC$Fp8oFeLO7^IBe4F3pbeGJLEgw_x&gR{D?(~>)
z1J_7Gf|`(%q2Lac&wBiWWjX1v6#RpvhRX^TYe?_7jn0}sz%oq^&GzAJ8iLRfNroQX
z7oyAY!~1(hEV#uwlkWhj4!cd<R2KUd1xwD~T!tW;xF9(C;54NV=6HzYLrNTpYJq(A
zb@8||WrD*m9zgD}C=NYT$3h`P+k{bvClRRdx8p$cGo!Tg^_+i#5{e^6sV|Wz1kz}j
zsa<abS4iKqpEIUA(t=%J;r+zN+3;e|EtTpd_tL;7cw#G-sDs+!F^-7<mI6#m8lXeI
zTlLw*6ZSBsdY^!xGEVE&$?jIBj#N)27hVDUbL*iZNl=M8C?W+nk@694nB+Q-gG_k|
zNDI)ol8fMmrUnMzk;b>w11#Rc7m^SKxG(p$hTA%75@S3OGM>h)IrV6y-sHd|eSrI9
z8=>Z<2lA!!Ivn-nBF}2>uTgKMKGA)ZTj23Sn4V(CwCcGDZQtFRys@r4$`YI!U+>ND
z42Wi0SY{_&emuEW2s@#*sG<&f<&+u`&wN05NBDtW^pDlmAT=}3Vi=ZM=)@YCYmQ@`
zY!t2l{}y1UhHK`Tqx2`Z6%Bl0mF6Pm2vFd!UR=r;M8ER7x393@dgYu=^_5mWosG5g
zv`Cglt&CiN7Xy7T`fqPYyi693fEtB=D?6|il-lLIA+vu8$KwowOI#Jf&r76@XkCkc
zz}V$sz<k~NA+~04lng8h<h_6v@}M85Mub{}l%M;tWe}hRLLGp~%cFi?h?NzUR@6fC
z0%FSN5{%3$A25hqInR4hW9_N7{cRQFM}XAlUadB@2MqTzTsdakzQZNzwmRg;6Vvb$
z#wN+D^ThmBrzMX&wHL?xHGcV~aP6kCVhL{4BV>FO{7~(XFdQn%UGA_SG<r{Zu++N~
zzNBj8${@gt3-g<W(er;T&R?xc_r_ku>OkRs_@ccj?W5UKWSvxZ2`+Wf8%_2p0c*qc
zT>Wb6h(kGcaqC0JJwWk&gZ~1XTx<%S{@&;uV5Yf0@6y)N7Sm|X`QlOd8#REX_Foj2
zl}J?!6yCx$mG{(%{=tjwM=~y|hllZsV+bDTkNezGN@zYFEL)k?C9W>8c?t_!z%&>t
za^xuTSS4sBoh81Cud1KDYt$@-q77R27Rs5@oT=#&a=#f-ZDpYgNUai2A`&?@`I3?O
zXAt+l-*kmgxaXuiaG%GLOyk18q`x4u<w1M6D_p1LQ&H|cZZ2+tAXjpcpr5)Xz9ep%
zGyPmgu1<o7p8T!)IUN)*q-nfBw3e~0ThGG_sY6W@O~tKsd+P!v*RtZ!LhZ8E%t7zW
z5z-AtlA=ImeeK8jLQmQqB_zB`yhclwdSeWu;}%CHcMWObF+mm9s^W0hYR9G<b`>_(
z<Mb_-$*PmauGbEvI>jASc&QtTUpCTY*;Z_$lCqzsIvA8<fwh{Y)9<CkP;s#)S{8q{
zKx0yW2O$akwWh>`WCQU-5WJ4eShV>Ye}vi^t||51G$pgNPE&F*MujD<r#X-{45J>h
zNPGb+L&8DmFB=x1QNyAwg7~kmYbjt_{_P5;XqMt|ckunhI4CM^oKur~bwe+k#<l&p
zq%B_m;UxuEiGO^VQB}-1Sn&5L@e=MWwLKSaz_oWEx@H!Lq%Ec^xjO#oQ%=dk!qKm4
z?XCXgVF#DYNudd9qo{FyA|ADQ=f?RvT}PyB>7y5$%2q!krnve_`Tx6{swD*RZhO0K
z$cI0k1Lm}WorT^{<T8qv6pyYK0VuRDk+0Mm$%nvbxOidEaOP+fe|d^|B>4}XTQ@22
z<O@%#)c(Fj(++}rUt0Xj$-M}(iUYB?g9wT~ip06+L2SW>z6zEMzjn|$KVUfUXVI+4
ze~ZNjW1)RHum<uLOX@J#<epU34-X&}e666#V&(K_?@1Ak@i=IEAu!3EUs($^Sv0@P
zog&eCfYH<^+nB3LV@3et27|n|`r+w7lViXVqb$8Y@jm8zg_VQNFVAsK)A*FrcpmI>
zK{o$z;(|43Or=#y;%dGB{0l7|hsU;>nH1#qST)|Fe)}Cku<Gv2S-)mmoIq{-*qcXA
zkhK0O5NkxLvW5i?L0n-nk?-WTJ6CYGW8zO=*j^Apc75sxdDZowxpQoI23M%SUa0fP
z&U^ViX;a(uM+n;W0IRF8`>AZOH4cP-mEI_ow51cXLi%7D=7aS>sN%IhSsC0P!!52&
z2cB1(&Uxq0t0Gf>;pL6)dH~mW1Vv8RuO`xo11Q%T$B4T_w|Zt6tFk{AzvRH!g-@;Q
zL3G|nJ8}aiO7+VKip^jzr1N1{)t{;)^fZ<Gs$vXA1Kt4*P0x&aaQjJOU0<Inw>s)7
z1btkJL26ux7ucY^<>wZ=OT_H+ye%CD#Y!vzDCPwR5>~L4-_W=_XakQ15YE~u`qpm{
z_De4fZf>qzKt#SA22#+@ZYYE)mxqbR!?GQZ#UVU@cCQ3i4YfD4=k|HiVK;)y(ua>%
z-|FUG!6BY~u;_i;M{&K#(sq56)eI=j{hQm;Lx~~9PoJ9>CIWo32F%F>nFpf+KtIAu
z84tcI#xP(i47A;1u}7Y5HuxVG0UdNX5iUCOe{TvCfubqI5Kl8TVt>KuHcM<`Z>>4m
zBf4=^Wm*}j_2;R93tM3t-|^;fB7iVz*Uef}sD3G}8hGeQkSb_suS0qTJSO3I%}KNK
zemkChfV}4wNly{`W#Vp<V7_FSR*C=F!wcH6Pga?%4-Xm$6xQ!<$J9rmRNi`0!q>Ea
z_e2E4Nm1jdXJrpm&rYt~IEzY-iS%jV9zJ~NH?)!CU+BZoxe>RFul+{G0Sq9ZeFQUF
zUIxPX*BM>Rf^d%0ZmG}@M(fvvegx3brz4Rh296&F7%k5JQs~2gTP!3Uqj{S=TP;Iu
ztOv3en%@*^UcGBNsb7}fZ<Jf_B5;shT<|GMPkDMgQ3lbzhccas&uzasn8RPImRQO1
z`iwGFz^3E@@T7<M{2rPMF%br<F1$iqsCzfB;$}cqFS1eRx$tS)$rq~JlB?v|>(#W!
zUGKm0=q&7v(ZB)vv)wsr5(~PNdE4V8*I3p#f7!IBT<=<*Jb&sw5AR%EQID951S0)y
z-m9{|`s46v=nA);&}x{sL?jU!^bw?s=z*xh%b8Y?Olb34tX};bj7rHgoPO*v@){V4
z4p2+s&E5MW-y!i!%mpwtB1wJ+A>h*)7|PUVHRAp{$d)Evp6m{SU=AZ-1t3y70m%Dx
z=qBbMKt%6%$_Dlgf*9_>{3^ij61IGsqyo@SfWDRt0AY@UCvQ%lO{vTEqfj`;VJriE
znu}G;rN_q`VHD1Bz#?_(mIHieHs(j_0nf1;kUkm&uuH!*VWEN(;NcH~nCdrOdrW0)
z0o4GXPaN_N8<%MSnvOR>95(4U_X|D~Opo+cC42kFWM+}v*4Gc3_g!5+(+j%^9f+!|
ziaJ+KX*7mb$mc3#o|yy^=|9`Kc%fguk;NsmUNb2jBU0BOt&(fi@&zG2S?3*v^oaXt
zgt(!Ar_UR1xfk$NyVrdsMQ>*)nKwSWeb`BTahoxz+PK3QztXwYMnSCxv^+poto!6)
zXPmZg#)0psr>s8(|Hb;d;VmPth=qWwYo1K9@ZDEYmXH<3<?n?oca{;hsHA0M2>B!*
zSSd`C^Su~&<vc&&WCGpOsi#S`e&uGMd&BR_YP^tc7_hENO?B&wW#*ndKY~{7dR{rd
z<VN8E|JE2+?qmT)pzDy^*|*C{wLux3&dXK<9cgO$RRZ66(=Rk|&Ql<QbtbLCkXLWu
zE)C~SrSo&bsV?1PYOUZWn2^REZm<0Ag5b;1_fFwgw;-kT9Vrr!46sgsyaUK9+yd%>
z6o7Jb-`)VEGK6*5_XNFZZDMvcw@;q#&Gm!mYLNtTl`TjVC4rb;Pk8WxJgu9t|B1G$
zAK21%C*CW0ywDEgl!V6g4uB{GW!9-r6M*O!+Kgto0g;#shhMPp7d&4;3CXotBBQcj
zdWDiPEEWpO%~`>GG=Nop3{oOERA)f8VAucg0|}`#ShWrS>N`AI2SINyqwp0sKpX`l
zH5>|8#UK*`3wN+1+SEPTUe1GkOuCrM(J=YbU1wrRQFr%OExtB529uIWf(NgS826d!
ztGbCBUpKp2xN3@A#EUg{8QbcE)lf7(QIUM(ZcoX`;H*tkd^`ntt>cA>Jhgk?s-W5t
zw$!6UJtV!7PEX^-9|e7RQ6o4AG1FxmNu$28`qPSRcs81N23-kRFN7_nsAa0;TUV;P
zb>HmXA?No@oZeE!70;M<b2SllHPO%?b`olGik?4pqgdTGt$4F$tF*IUSG}+q7yriD
zchm{1h}z>b)wjC0&QS`gULkzAFGh2n*X*86Io)r#bBB6Ha>Km-4PjW&Ws|y7kW5Ax
zSHYb*;`0`}p|j8Qq2fu8`(>-7E97qF*4D(3AQ@Bdbw?d4OnXqq@%B0Wg?3r8Dp%3F
zQ0cMla?3)<?xk_rE`l7^y(0jj?w7xxxz4L+d*5~uBrhmos$SkszqWu5vt6~hOXY3N
zHR<c~Ae>+YKA8L5jm7B{k-muQ#*}D`HG0(1pNzbW8h=bE7J^J&htB{Pa2FcESKJa*
zG!pBmH}xym!MHYHlxFAB)GA|?5TA`?cU2z6$2_scnmn%G@A2ACF$E4e!2%rx1iiNO
znft9IxNd8`v0le^UeBs9uo`g^24MjNdp-nin~@}d9d6bLEftbhDKw2-5cVoZGZ0WH
zIaay0eY#G^T&{OFgf-1N*Gh&tm#yz5-f?Y?B!0MCZ#<4I-y3?mFIoi~?Wma;@PbIU
z3U_0kl`-zSv}hY1s4wvNDGwP9k4!!&dg-yt7{aK@%D0&L)jqFwp4$3uXfk8709k_b
z*GFeO-ml2(6B(T?ifiKMA<$R#=;V*&psWw87bAQZP$Kd>4v(DYr=4CyoqX#B=BDUT
zkpRI`GS{1s<_kbmgM0_+F@=)CXDQO8bZPX2?OP@@{FaeGrNEBkYn+2Y>B<)c3Q3mZ
z4(CJ)(6?r*r_b0*R46@`({zn}7<Sy+x5k|%um#p}XF+v?#vv??Tm@r502z|ar19G$
zMlD>XRQ(UUK|@br$;w$EM5S>Sii)L2{bCGACmVuPaaLD*G{zmOVN~W~C*ZIx@nEr%
z@kCI&QTy6nJ*@GsGat|@%JhAIl@fN2C+4&Zcs|bLCDP0z3#$N;&Bg5?YkkH7NRJpl
zF9v!)t$VhlumW}QJ*l8G<ju_F_;>f+?h3JvxMpRyJ1TpPp>xlSiis`DAz-y!>3O>j
zH3Cm@S=wygshcb@^6FUxcL$N(GFbc|3qQuME5}W2o<B@|#eZcWrkQ1zGBaB(D5B)5
z$n|p4i*VN8%he>`Hu|`Nb4~PFO<z|8Dbg)Tn8dt}K_lgEAXUVajNeD$ivl!8#C@5)
z&iGq%bZ-tOxu3~}Vjx(OtCXuOwDAz6S@`*<)x;DJ1R0#6-2(D@p6wZlsNdb~tB!go
zR^J-lV6ItvS%%-6Ky5Viti}}`C7&2JEvO;;Vd!D<u1Z4=z%tud6W;FDpdo281~23o
z+vPj=C}n)DOm|LOR+0L~8)JA>Zg#x51ySu%6oU7iX+PZKb?hC%7A;$B-U@T*Qocg(
z#2dw6e(BgMAcq;5-gvwR$BHAU;QVPMeL+U*NGX3YtRW`qxcC8(sG_yiJal{x0zA0E
zefbuVE-ZcMS$0dj>wC{}y2_HjPGRU6aBLbLtNd&l$-nQ(Spgyzx2uxO;g4cf+32&+
zC|7)RP4`h+lMu@uEQQx7@+H20DKB~;G68g%hmxuDxzL@qHePRSA%FAMl{8dyQP%{b
z<JaWpRSnoRI230ALrKP*6&sL>&>DFj+&9yOcfK{+I5)mE=InLLJa^-s6d6sflu&vg
z)adR9e*v9#H_(DK5RBMrGd2#lxLR2Gd!5FmGVj|FEj`*shAxHR31B~`NB_AfzGT|d
zPEFy2j1q54lcX>fgVrAx$Ams=BRJxLgSbi`g1i?W$3JetAp5zRb!SO?Mc_`+mC_8F
z=3-UeZu*ySWcR#61=H2oW#T6&s6=S#@%#SBcp7~VtxBKhDB+`WbJQ5cRcBg%NZ?O1
z(JAQA+I?zMg*h&jE{Rz@6%wYL)I~E43Kk3*8$_wepV;no^#iq_o#7!pvV9*u#<|Rc
z_b}0iDFvi+Htuna0BP*!#x@6Ee>xfZ?p+VG_cK_+-)NIIZwKL3y*M5zpC*HjoNWXv
zh!kKQX1K@nN#P7rF@;V09kh&Sng_Z*%RWY@LfM`%r0XcP(<03=e}qudMIAAVu=QeS
zCw7ENDGU+k+B7cPb*;-sH$AZQP-30`WElD7U6h1%0(ZJTrd4WoEDcnw$CPn)&9kRT
z=$dH8=b3`T_X|j`xhgHGLEYpMjpcU|L^ek(!;4sQ4o3Uj9{3kzpT8)E24A$Dwu|}*
zipDwLp|E$}JfQJ!Ky|gR3>YI>6}cS<Y%648c8YE0$gz478cWKDnaqS`d$@y0R=JUK
z9MRHrK%A>Al_zl;n&7b1>FXvkQk3=bc#wU|;tr>H6Wa9U_Vx>U!u7kO1?kF))5)8I
zcd&@5-E8UPs6^U+Hj;5{**y`plbrW@IHIC!aFEp&u7==+#_5DOg0d{ezCJ1->v1{0
zbGCjN+l<TCg=?9Vp6ssqYIP}%7Lbm-y~fGRzR!?<G%VzlaZVN|cL)yxKU;}o>wGY)
zcI`vM#zl%7Y8LZG@gbQQF)ZRxz6$p}@;Sg0B}8*OlhDr*?c@-?iVL*O`d%JP8uod^
zKS-YVK%GblO6}Lj&1f^leP&kI*HrtEVfh(rjq**P?-?SGoc?|9YjmV*_oMspRZP9@
zJF6H_+&-vy2#WM)b5Aof^czHyIxIKi56F3LOeuzTG$BpvQ$kE}$$5m93>g$9O^b7(
z7?iZ*pcV=3y$1c07xUt1q>@^33kUPZPq)36cHU(9TxEi|+JWZu8+ldLv&rnNdYj9c
z(PLk<FVbhv2ZHa8P$7+;3z?@&O(op#Xkk@Evow02X0kxey=p+ScyBW01BuC9U&ny+
z#8l4rKAWF!V_)@Zb1sUV22vRlGi^4}cpuO6v&ZM8u#wjYe(5!*6!zg7iMTj^7`unS
z+<jI(tP>igi$Lv@Q*a>wkN8&j<HUow1oq|TR-O5*h~p!wn}y*r?l>vTG9lUu3IV&A
z$b&4+)eKquFLY}{_zoe2EyQlUQ~G^2iCek3C(7@uI0Di+PpWZw?6m`W4$7I3s?XC`
zTq?C!JfUGfGj_3}5HN=Hf`#S%0z?ly<!sI_d$N{$WhhNhx|?PWk+YD|8a_Xyml}kW
zj}3&bcOiK-Jn1`lGKm}%#RYN2WdXZd+2lMN`=@+u4J;({NJ0(XYm#|-XvL+5`WcfA
z)Df+9voe;P=k8yE$IFE_-Oc1H%}d{`pYxI2$UULE#I_;vr5_!}B(W-eT`Wu@-a^dQ
z{A3-I)@#LCq-WSGw5d$Uvm-0&gSlB39NR!6;5$c&L!Lpa9IpyxY&2~4e0YdR6TrZe
zvg+*9#5H|2V3S~>_<&3x_t5-0-Gmh1o9U)<rMk&cUx9C_!D9TIJfA1k?TG#D?k4{S
zSp+R5q)gkA4o+5Po9spJ&^ECnD$j>VtQQ9KXz?UBI{m?2HX(4jH}wO%%{|g%kJ99O
zooZzjvzk5SIH^-BD!$UeKm63_Y_xWebu3PgKLi=5#Qv(qviK=8Xw2$0@29c;qV!`*
zhxPL@^2ihXbH-qA(d<vk*DX&Ljwkkf*aJ;&9^X_ZQ02_hB2C#^$@w33G=_<LN7uz8
zyB}Q$<D)sLqz+#^YY(|Wb%TnOw*)XA(ye$-YYauHV@2xv-@?7VTEw0=CabtLQo`wy
zhTA$!t?Sh)ygO!{d&_Y;Cswa-O=yxAg<i&FoBT0W5~B3v!{aC6m>t3;4%K(yQ-p0N
z9yTPPDxg)aj~;Kl7p_tggGlfk%qZOkQa01X9a9<9#_i*M8R8y|&Q25?gwh_)=BDFJ
zwncUQTp!GhA`);tU+^&aT6%x}=0Tf8{`WUUiW43WtjZQ`t)yr^a0>Ve5*=;o5vrMP
zVmL;kAXP-7V6S7REA8Ak3co2kxioewf5ImM^vHK}cNHx^k3y|BNb(J(>meyQh$MxE
z-bsLky(1ozhmF6X;f+!*C02<M*6R8$T~H@7u2-Y)xyF!=6ebC@p2LH$oj|rfH}3dF
zRGT2C7mjUN!u;6L+w8*Zt2w(ibB_>~AU$yA!OCi~Gh_F}C=}<2|FB+aCgVJpD|hT`
zkSPl5#sEUjbwlH7<e|$jqTt%r(_1mf7^l6_VL3Hx_Yv1DbZfWdD&ExPSY8z8h!9aA
zQQ$z`Cd6pZjif8~0$svrNsc<hX|k|ddj(r$3j@I;dPycq2nroHFQKxk>a9&5r4RVV
z9Bgp2DMSQ07<(99u06c$l({7IWoE6op2fg?zscg#d1X3t^@74YvPJ2BH{r6kzUh5R
zNXk<&yQ8+xxOFe!SWRtNrCvX9OVvUzUxz0{Wa+%Z8$c8=L<2KDS=x&p;u;^mmAxvI
z*wh13mcx**V?f8y@8DXwhJK;QTk5SO1B5}m{Ck}v9#oz8^{rfF7*nD$;au~Q%B_p`
z>s8-@Q*JRGB>kPu&n39RwM;o5hlr?gP2_N&@goSV4?j@+C=eJx7big-o+wiGY#{I0
z@I1~pUvC><0uu`=;My+Dh8o7{cYP@96}DQnC|X2>OY*6^>2tT|SYfmu);hyZZJfdO
zakk6)aE>C*mH5oN&8C%>((I@v)qtw;J!Fy)S&#0O5d^QYE2Fn=CQY*>(0*xx^^{Pd
z-HUCZZsfOB`;!~|<BQQcC^dd|+P3{u<<oMM(M~5z{UiBNs+=z;n_K%owfOjZ{%o5@
z4mfT$9`PMMq5GnqLJ;Xr9~`j>XVn_Bx$ibq<V(AS4K+7Y{SxMmI`WexQKWp)kMY=$
zNKXfS{mET}*^|klO(z+HNtTzLI8jj+w8aGV%oCqk!@P-G3aSGK4Ys@ZT<m-tza`Tt
zye2Ip=|k`QVdG&?6CDi~d^ZH%A>Zm;E81CFmw_>aSS)5)h#vn&<vPZyp!7gScVD%q
zF>`_2Go{Me$MLzihP!~NV;l-wSlaOg5BvPyZBv<I@(D~!<jvxBgY^Rk8eJ<9w)`Lj
zZmFQ-GfU|EO^i;wJ{r=F*fkwIdp2`AbOW7+m(Hzy{bxyXpT-SuR@un~Fi0VdpF2X>
z6ce4|r4%zp{jB{+3O4uLi=J_XM!g66u|9VU8{*`ii*~N7?9}#)>UbDfy!71fA$e{Q
zALm4E_3pHGJ~NjARp2G`fu{D^jz`9Mb7FBuv$j>?;<C-G?<FVDJ6am_shCY7<}HJ0
ze7MVsVke_n8}~Tvnti>WMpccoSVFA`%)Z{_x8E~HqqYVD_IHEoiJX=+0@BwjRxeEI
zibn}J58iyZXmdIgtiGwW6s^9s`c`Yp?x1d3fNV=9^&U8D$s1NXC@;StFZ$f@9#wyE
zP9RU@Nd1U73CcZ_7!Iv0nPrD)S3K_JXKt|CAAPbagGBx`NjT?AHYZ_(vffL;$<ok^
zu^d}JqftK&j3vC23FSF~yzXFB%-$q%^gws8ksFIHC;n#Q`l4)t=qdyO11l5GNKe3v
z-Rw!8JTXM%tnG=}nElJIRnDpl8!pN9FNj%nO+-Ww?s#1{VlKSnI8yxZ1W#!f1L{ur
zoS&uBX!~iQjOHkM6u12ylG^pJOzC+K97aQf?vw>YhT?^6LnW(qWuxu1-%Vu-eXTLQ
zJQmCLHj|tQep)ziIp5MY?V#CMQC2tOOi7YI%-R$=IC)f%dYd-`C7IDb_2cR-am;KP
zDQe_kUF|E>IQ6+t^~r<fXR&YnR*Q26RN$Z%!oC<Xkid-Jur4e^nO~(LY_jC0n9qw{
zb{Z*hcLZ}0MSQSM*E2vY#=)56njc#`WUEFc&pFy-dfzai!WWH_>ZM>0-pGJK4`n*l
zO&!NtcgOMSq)S)e>Zjos_)z_&d&V!hD`kS?iK!#lFNgxPPK7EI?}ZWBeBQ^A^%}KW
zzjRRd&Xi=XH1Buctc-D1<P_`rxqxK*5J}XQXv(m!v6^aYlxb!>uT|z^+0}Wm!PVkv
zd(zf+|L(x*@X1~+8|xzxGvcR6J&)b|2oMQsm^_TuI`&^QJpIxr1CMO|7H&&0WYh&n
zcvcjCy%LFFl012(q?e#>{&-!VC3;BmXh<j2(izETM2OwFzgt8A|7!wbm~^9u#e=8H
zmtFTYE<g8@cdil7cn<RtuxmB+<p^oG!$ovuIleFD@UVHG$Wrz^@=8X-0!mYBA3|=z
zrtd(4PkRPAN4PJ+9{k+gY;o#2X6U9y?LJZnsX&n)TE;ke_yV?7q2tdQZ+lnWLPuVL
zP1TK7mCt(NWYM@iG6wH+({67LC_3Yg_4^drJx7=4cRtLlP1&^!S4>7XUW6p-kPk7}
zeWK>{!QxKyRCY8*EnA3`k4rb9`f*zX-CxW)gC1^gHqY3%M2pJggt<GsmwYdF)EMVb
ztf!YnzntNIEJ-r7>5kfHvF$b^EEYJbC8~1bI=nj~@Y+2fS<=mZB;3y{*;A&pD$A~B
z=z!=ezD@8wiA=wze((3Ub-J6+H=XqBdKPfH2v@$`3%xq*yLrSIz>tBTC=;wsOkIz_
zYSTd7C+CtDjf(#2*coE-YS|lW&u9qsSSe%o7S)F;|5_dEu7=~QPTvP&FV*j&$8aF|
zPj|eu_kr86I27r4depJ4jAgL&?mYpk7f6j)IgT5wZnn>m`Q@o?*NNjl8Mv}AMRb!=
zk8HHrkHB-%_cC5K-c2ZL=oAZ=W2-rf@fY)BgnZ>gwQmqoeSaV0B0TM2>NpET7R3}r
z7tJ(VOM?(5^-LAJ?(w^{y&~S_O`7E`&A-xqB5C!5DGa%Q8Aa+m0Vxp<L(JX|SrTEn
z8TaQF=6c;c`S1yP%y-08HZl507UCn*F@<mfMhWC2(I+&@%ozJzaZE|YVrA|PXx2%1
zn;Wcd=bYGV$7Dwt#5jhfn-PGCexAM_elVW!4e>({yHypI{8hri<sOm8txBI&8Ba6W
zu;}eAc#^B=bGtp0MDC9>Ee@03LBsiU(nau!dZc#dk=q<kTfP0_?H3$!AJZ6-M>34v
zJ<rHSGT>(9L?==?Y+DH=Ut`D?<?>G8$?+`7y{Cy$JY>Vkk2LZ&qpQI4q}RorA2|4d
zJH;H6z>|D6u;?m_FknFL>WFr<F~7y#6{>5@KZ4}S){t}9*cB<du)s^}-NU(6{TgWX
zX0_E%TCn#<G*d-GWk1F)FkoS-n6>fCmZ`8A_9Zr?=g^n&kqTyw3SXr1fATSFaFp#_
zb%}&y!Cp_Ng&VYC=d<!bh-;YSidh@=p+2yG+yb~!H`)gMel7~T%|x{!?&E8ih{pQl
z&YONvq&;pb5gH^B>x{muYbeIL#-B~3$hRdDVwT~1p22yvSR^{FM<AxNQ!bBh7XA2C
zW#_bc#(QS)7T<4W!MF3yg8=1LVADOBdN;;oA7YN-jZ*ky@vZ^yeUA;DNy;cX{8Pw!
z+*sx)dY}cpGo!%$Er}7j3$)PaXt^MMmwvgpBzMRXBp&bl^H#G*lOJDi?aU~B+1Po&
z>RtW9QoZqWHtIeese#rHREP4)CQ&=5sjCDDtKZ^QE7%wBX=Wf-`3d-TuMMP9MwDp#
zI1OF*rea6#>~S96_?pk*Yx*5&T+0+>TBPk*u{Of9V$|SK$4N<=LpGA`v@dS%5g0>-
zTL})L(%;pX)97)tx02``9FMOa-FBVfkx*mB`op*RV{DwQ39H_-g_q)EOfeJD#>iJ;
zHG=X0V2t)5_lilCvpMFf7jJ(wOe(7sd#n4byVmbDACa5X&x&)WQ?dN%W0Ri8l`~y;
z48BUfC;6%v6b7e2`F&;2G4_&kU_S7bgq$cvoBT-3K_z?7K}!ErVTnEKt)fUDw{%cs
z3dnPb@gJ#j#j-gOhL|J0Emr(+ZDd&erM;W#%3fVOc!iMqW#_WM)`8$a>B|O}3JaMF
z!59NqT}UGh8*ci*>G9G$&;1)k2U3LlJgoMwb%QYJLpT>x_;<SBurshdO;?E|(CNl`
z!p7A2o#`oRYNe?e3W;V7kC~4wU#^h6{)%KaCOI47XA=ZnPa*_dKXlw6>IXa#5xx7O
zNzQrpi#xPkBwX@Iv%Q(jH!pe;Fx}Hy@#)h=nra>zwQwX~&1uW@5WfvYkidXqxpEE{
z8(S5=hQ2O)?-NkbTjC><d83*WM~!=xw)OU*?<mysRf-}KDf*4p&u>X(71_r{Rr}hb
zzAgJMd|NH6k95kFA~MX7rjMu<4n4Eni;~^%v<pD&YOm%uGkOJrtQZL@oy$8dZ^X2F
zlfN(sOp}h6Yvx+f@!_F)^P&<6HNO@bd@YL|DuveZNo$pY<sNTcd0=Gkn&Ky4xuM&{
z4>JP+Ji=5Jfr4)<x(Iz6^S|926(ydO;q+&Id)7<1oVK%UKF7*9(2?3oHOau)BKkJU
z;+Y`hfC^{k-O1M$muH->B=srVWIoA?pG{P$-^jwZ`+sBlJ~KX${PAO8WKKX<c;Q<5
z9E*7Co6%l4^5vV;`f5YAi#&S006C<iSz}RqotruKd~Kn2TznetNb)kPK8NFU{+SIr
zo_LnV#Zb($AT)Zg#%&|Wh=+f{+AZWA0Li8dX8=$3s}`bkiAfhlvb-tdNP9@vfCrbC
ztoVTl+ofYSqd}sh)eYT4X@Or);)#Fh4-FE>8-WSI>(>nuSLl$w6hc2V@^}`(WnJRJ
z`RS%r6vhLW<b!Zw86WEKoEY#i4^s_-I|+=sj`zqeb%+aTM{#>c`P>*$KzruE4TC8s
z2;r5EKut<6QFLJ%oP-ucx+hfi8sXqNtM3AL`O7Oq=e>|y)=xEl7e_UZ_CFbu$4)j1
zlO#tyF(rN(F^}=Uncah>TYO~W15bM%8d(uqa?zObu{nA2k!j6~b3>1NTj9n=VyCj*
z&Qqs}pY9`ZZVUb>Y2L8DgI3e(!vZm^x<SMd=2$(&YdBCN75RFIc62~dmU`UPes76u
zWkW9SgoQ*XTxM|8c}BvBDl#R{xBCun2n5M}jwpeKK*`6bhQle@(ud2_u72^F_cXDf
z2&t!UMe~t|Piu251{22ug2}~zZdG{!(%apKlR|NwnTil$X@b!oIJaZlmlAv=&>*l~
z7KcavN<^*C+i0+TV_CxZ@l4CZr4LG`<13d>p&z?!f#jZg6P*&oUF^rTA9KqBeUd?3
zmb^52cKtG?7O#sY&H~p)S`1F)+oQ!a+YJfbdl1+j99;D6Yd9nE{y`b83&H1gyeD37
zXiIG)$@Z8u7qD&DHFFxpe2BNxEY-o0gvGi+3w%l`UlBYk7<9Gx3VW%s)B6l;OJ98w
z!_gV;pHyB%srfePF&`~HB8AtdFWRwu=<&XR#|^FSt1)Me)S7is<43%4`%GylmfXnq
z>0WN!m*CZdNB{&a4lT>inx3_S`(@{d@_{(^@aP-sXEcgp5k~z6nuT$e-Y){Tb!f;3
ztR7Qd#THzYs-f8@j5QglWMRA~OOtsVup|sM)Zge|mSPr-Lg3b-#@QSyShV2ZD9S_L
ze=uGaYe+^6o}W$ph7>BfNa+J59gi%R2Y*r%4{paOjWmSvb$?+FB+u`>p=`8vU;}SK
z^LRvMemWk_yZ-To9&g-a?(#v+qAK$z;~=3cKkRpe2m+oAaphGl670_vr<=bSZQdjM
zQQqheyCgg^BlGucx?n+h_ll@-Y59z+-o-k?3`b<YHUwbIAF<&R(h`w=_R+;E*>I5W
z5hm?q(%E1<{jB{E7&`2LANZ!{i(BS3oijasQS?+`*DdaXumEpuNhm7_sj`$$F|4lV
zy<q$G_|C|Wq+9zd0)Ot>0Wi=G2+L$l<UoTnoMU4Kng4S=*hM*%kppgyvy0gMcNFc4
zY+HQ4mK4oR+ow_9e_sf8l8QmZ{6Le%!K3msD@<!;C+9hK+QdDcIPSvcazoflf*Al9
zts4v&$@dN@26zlK2Le;lS8yzNB-73(e-7lq?xPm_vCe6J;_LML>K&4{a~VN4w^=qL
zXiZkKmtItG2DUiNOZzpWVIAebSODm{ovY>BfXfw}z*L~D+?Isu(O}{D%iy+^gV?k(
zbkSEGXR8=kAvH{#PdW`Q`KjZBGnQg94>bPsOutNs38`;JTs(Z|4JoT903gruc<nEc
z!ns$}jEY_rhydsW(`mN?Y<zzbdIMd8Ng#e+HO}iZlzjlQ)%tMZ)Yzj}Mp)}V3>Nkt
z{AJYOf|sv1fw&7QWgpw)EWe}vt{+pHs#XLf%>OZ-Lj*8bHpJhu_*{(V0A9N~0`5E=
zoKiE$))Z~h5PR!>ekf|*^x)3{ghxhUsN5}YdJ9U7{M6F3C-#6+bh*b_*eim%4?mmF
zR8qIFz`>@Uk)M*E-mAR%W2pWzXvJuxePqdWdjbD7m%lWPVS=Vhscmf7lKHn&KmLDy
z78XxjH2`*c05qlLOMpOjg0wvIWX);2IjJB>{I!bw&lq68Qsog4@2m@h7r#?dlr<m>
z3!gwj*q5)C&L&p7qb5NqO>&*fvgk&y{cM%hPO3$WJg^kUojPE>Da34ssW9xogq5Gf
z|7`z{U)%H?W8xzKL7BNZ^d@mSe#?DpWKU~3rh*+<D5!Jv-%)mXrrB$Czv&~evI#&%
z9}mii_iK77eUr-fwJV-!Ljl|S1OWe~+lKyUW&Q8$`tKc{;gNb%-^W>+BI?^g&Yd}f
zDHj2?jSD*f%G_^=%zQfc;2tQ|*+CUMm*}-J`g_NJUCNe$qiK35V3--j<&n$MLY>SA
zfJCS2l<LK!Wi?+;SEzuZIuAiGILz9fAaQR8KtQuq0Ql@6xblJkKbQ!F{{Lw~97+g?
z5!QaY2FnU^cU`3~zuAbTZ@gN$Pz^Xr^jMFVvxZLtB5~#!E5NWbHd^#+?X~NMc1><C
ze@s^d@UrSx(K~^GUZ^U&kz&ho9}&3ki^FQJ^kPAw-{<#xEh3{#(1ycd{R-<Wos@eO
zdNr@z(>L9c6T2Kosvt4;rpfgDq`xz0a^nW6G;NQWSw7A>vkZO%YFIdY7Y-#S6TuL(
z83kNy?7)PL0ZQ9$@_pjf0oW{N+pcKVR(=C=)bH8$|KnWz?EyaW2M5>m^*exAq@PDg
zRk;dKHt-b$l`Xx<u19Bq+fq~tph)X6q%FW-)L~%_rhx+Em;cd@6Hs|dJp$ykCV`%O
zCUS0%Q_XN-jL?1q3-!rl_D#*OMr*-8W+nJ<4KeBCsJoCpj%NgP0_uG}QeF=s!!Qzn
zoldHo?=f=|3LxX;w-s~CC+2fCznrDF8H9*!8}K0W+1C;~pslv^@H3Yg0|R&KX>CQJ
z=kBM%PHdr4%ZP|-9D((?AM1&#Z^3HAhPka|*dg$@e*StC@y3th2m%KIXHAm;(VYk*
z|M?M&<429@Jl3&MGpV8o1DQ0;?F0FVh<$ad&>6kA+7}~Ut%-UEfK?;Gd&&9bcbx+l
zzJmeg3MEie76=9P3{`CAdnv;vS3P{K@wPHQ4r2p_vp4d8Hz_rJQ);94*djm1q!q~_
zgJW}>;HxvhxY=^}%H^)^MSaVj(+;>X1t0q@j(pSsK!&iisfbpbpF?L_*bHugicf+H
zkZu0~tf1=rs33dtS+M}8dsFfRM#R~FoSQ#BTfZh&urU$}exF_WHkg$P;glxL-mYo9
z4myxJNBudV2M|;5JYV;pj~_ruv-!KUeg~yBNurnIvDU2abG7^Zug}!~SOfkyVN+ue
zCTZiOCf0yZQpzRA6p#QD%K~V?VwPBJ_`6wDfbU@kRAEq^wSvzBpJKGq>v!fp0BcZX
zD7aoC0KTPB>=%Fe!2WRqQjFl>^*)I(XY~r7VFxaHsPG<GFbYj8{5F^;LFHz$=c`LF
zuo(<;*8E4h&8tKNOVv+SI%+_%3i>fSC`|3rvdJAu=W{7<R!DIoseIQ=OQQA9l_EHv
zkW??~ZU_hLBgg&YtmVMpu0Mg{9?nPb*0cKFRGYSkq)24MFc<p-UmS1QbY`2l5A*JT
z3LX}tD^RVNR1WY=HTKi*JbsMJy=L3O{1*cg3JykgD<<rJ`2flG=##)~G|i>W#nDCt
zu~ZGmLuMfIBbf%un;$8VTm-QE%jxV0h`W$!MXRDUU)X93ieNM9wDV8Yi>&6#Kavpr
z?>+qYS1>NAZPeY^-{%?dp*-Oc1*XdkHU1dm|D8-)92A@peAMLnm+$m{Z6^l`n!f6=
zmHd85EUk~?BjOi}4gX@=Mma9|I``^V%fHsT$^U*;@nCcWf6VpLg-X|sp3Gcu?fIv1
zAK>6nAo9`@TK`;o)r>xtYyaP#TzoG$LoB0yM%=6K)n6Pw-~a^H+&aj>I%!=1JBa<R
z=jZ4bZbg5c6sF!tH_uj9IyLnj-hqekpi%Rs4tKh>-yz$fa}h0$vTrE<Tjw}@g6RTn
zDr&yg5KPdxKh3@#FnkUU;JAZq?G(#(XV)tEuUG%W-qMiX7RabfKDw^>+r|Flqln)@
zKykAd_aOS0w=aeSTr#Oyr+*FzIFlE6K_&3x+W*q@6PF`y6340@Hmv_>o}xCTE<%yk
z{g<X6QXj=t#F7@nemjXt?YVeaa7Llx>$d>hNY?_Y<#@G*|Lx8ggvj=H)?pkPJ7ZEf
z%3ceua;_Ajx_^wrU&f|bBIlDh_KALtt@`D@SDS&<v|;G)H_j1P&p8!Waoy0)sxWC2
zEi-O`4&=d7KmY7kbj?R`L;+BFuju04NikuteEG=(aAv&v5&UH9UnYqPLM^J>Q*b~H
z_+qHc4;%A6aARO3`HMsS$0KtE>(A#;*?q7YOsN6u%a2fYKblOB33)p}_2Q(fI`a-F
z)LNIh&9QAq{qvcCfBzD5in5P}%>y7Cih!VDArZ4q0n9_{idg*bPU$a0qLxD$JbO~Q
zxlt>8{^j|OZri0cq|t3-klX+5?;U31unV4ZUmsKc3a}96S|3ycFDLB)7+(?QguH7E
z*Dc&@iu-Mtn1B~kTi>^1z2(xlkx~PQEj&O4v)54J<nS{io!{4m)Ckz&C6Ur3r2vA&
z5A!+f4p+OimpA{-ap=PUy`63LaZdwuJ#uRJGzX1aSvyfC*XIB3rKwRDLYj17;-ow7
z*;j^;RzDxPd0vN41ptS~HJr{@u~x<QPd^?u5^)-3ow3V+pT=&bBh(J?CLP!+x~%~q
zmZ#y!zbrNI$m9sMC~nf)f4tMbjCracY!sD@w2i9&Ww7SJ%#^)4Z#w(!)pAIKrm$^O
zeeK_FNa_TZ*?j-&Mc?0>XhD;dM`h`|-)<IN2bS4!(VP92-<q)EK@*Ljo{si!FG$t^
ztiZNZfoI0QHHAF}O}O`1-ow_lzpn!Mtftg9HL-2J6~8q}(SxR!*eTk-4OZ|tF-IKt
zT<>zrZ__!L1|Kv@qYl3NeMe>s+mY?99W4EQX$DX95f>da<vq93{%wMq)*xf8N1q;g
v9sJ((5-f>W<Ly=N{?RG02>(A{*DX~_ROV-tO%*>l@K0VwMY>$lH01vPf$`81

literal 0
HcmV?d00001

diff --git a/public/img/docs/security/ii_mobile_delegation_chain.png b/public/img/docs/security/ii_mobile_delegation_chain.png
new file mode 100644
index 0000000000000000000000000000000000000000..3f12f22e2eca94e29e8356febca2028721f5e475
GIT binary patch
literal 95362
zcmeGEWmp`|);0`d!68_1cXuba1rP3S!QGwU8r&g3Ah=6#0%4FK!QCymyS+WRt}XZT
z?fw7zvFBipX}YVbtE*NmInPxc`Cd^P1rZ++0s;a>=ADEJ1Oyx*1O!wJJQQ%opi+k(
z_<?j$krsof8YSEV{;@UJlCe-wfB;{Bhk${^hj;}p0(^xa3I2I31xX75{pUQ;PPi2W
z%->}cfnV_F6YvGs`Rf<zGt@syz!83i{>L#?47jL^N5UfTgW&j1+XVswn+p7elu@BP
z1-gl3rKaVor6A95>R`ugZ02BM&g^OD2(AV3){`GNv@>@#CiS$lwRhq76eRysf*&{r
zpJpK^{Zqu%Mvz=f;XSFigR?m)H!~|UE4dINDJkh&XEO_a6$z=os{{WDl7Db@b>wGZ
z@$m3q_TXT4aJFP&<KyFFVP$7wXJ-ORFu8cyyBd2k*}G8u)yO~EkuY~Lb+&SJwQ{g0
z1-EN#;^5{gNKOvE(LX<b_0!eL;$L^NclrCVfCpp&UtwWmW@Y(L)yzGu{!2CRmA|U}
zd9J^1_ZHk3zlynwgRL95SL*gwu0rf@|J>vMJ^imvz6H0%|K7^e+*V7%%Ff*01*j^-
z#>>w7mgPTQ`j1t$|5cTn3%KXMYW~}mziYl_0T0)|4c}jL^XDuuIYNkUS^hcELWpdX
ze9jOMA`mhXqH3Oyhsz%6cG}t}4@mS;zeN*B@n9(BK25@`2O7b#b8~Xy4Ju2ZQ^Lc~
zy~CiSz-Sx96E!JRutvj2rhNxX6$u3kgX}4M{cWuMqC!W#?Rv!~yzELpV2Z=03cbsv
zif`qHXN7GC@A;wY<>6%yGYDRS6bd~;1cn^#|2<r!a0DGuF{uBCOaG|w_&P{p`uO92
zZ^K8FRN0NiD24OC+ygzL`{slr*dgFy@#Vhy<^HNV;E7=M7S!B%RmtLi7X6^7hDU)G
z^igRI*^;-HZ_I0y<UXI|{yWLzcapmVlDo)BVN3qW3{-!)GB)5A-9l(JbdMfg56cez
z7g>f63$xGLm#;r=t-d_1-sG3m0nZv9(*61o_^X~29*!q@s3j3toFCm0wiqO{l24HW
z#$t{EYV~2|W{wQ`Q^0L_z~`vPi@m(VPaP&&8}NiWP{Z-{xmOiG&|ncLew@X>+{Oz~
zr`UEG`_Pm*8@;9WWHEf&*X%k^seXI{ZkpD4S;P`>_fs!3KHzb4vAQuC=pz}8BZwpS
zEEuPKE&lm;eD2+_C3Q*eiSKUPuTW;!=Zm}-y<L8sw4H~pfD>ZW@OA+%pjTR$P`%-I
z{Q-~tT~CW$S83?ycVhv$9KA)x8IOy=sZ7U`EcCfoFu%X<^7iwM`d`<-oW6cxz1VEu
z6+H18bs-L5aSTGLQF0fBI}n2*uVFxlVB(1X31#fbD%p7&%JN<^f>MZl%-uZgKn=#7
z3Q{(LmqV=VJqI?tYRIdNizMN@q(ijeL3eLISpGft2^mvjP<=1OCN#-ycj?#MeG!9L
zqt|zbDamak_;T1m@Pr?rOpAY<o|r1`SO#2MR{LL-8}6&5@!zzJ*@1Q*I!_)@U7_iP
z!BcjP;HiSHR9XTQ3%G7-?uZrcg~BV2pqb-V$UD;19D<ivBSph49`NYAAd*}4<Vx!}
zG<WdqB``QN!P(r(-e$D4O1&Y~3oZkMxJkUbcVGB<Qy3=I?>s5*F}mwE`ljpUDew96
zt7NN}Bb($kcdMNMS1L6WIxjqoge^SrwmJOhscz@KdbKP@%MU7M<B7C}R_Rg~-GZ|I
z{($G*fGA17<pYD8``Ipo{4dx6bS!CIkK5|*<Ix6Fg<GVTP4vLZnZ{V_^}Vjoqf+v{
z?Ip3m_Wb-f8}O7yny?u!{LDYw5_g**C?uh=m@69%thAbB2-P2xdlV#h12Qx@mn%1&
zY5x10kZu`2^+2|0sy{BB^X=ru-PobRIUvK}R3$1vc`tW)NDHjy8!>rJ%MkV+ZHrGm
zERVrxiSh}(cZf4h@D&J<?h)ZBmQ$uA4_XEE2w_AfUaO%jzQ)A^+sqz(<95{EvmsK;
zG2Qm$Mwszrk?kjbCzw9Rvm;n{dwI`$n{fii-m`7Fkx7+DpX?&bupheCQ5-yX1y-##
z)sg@qAn`e@-BRnRgbU}xa~aUptj~&=O@lwAhB6)c@$q8{>CQo=gI_sGTVBiDCma0(
z9iF!Nk>Q-f;^&z(cnKpK4AQUcP6MT!I1GolJZbG)RPk@m-xb4?xuugA`?T-~)Os}X
zLD?u8u}eynJzp8VTn*CX*{T!1?vKg<hQ5`j^DLH++a|8$SQ=QssSu&tE_n}2S&A=@
zlfq9)fgH8Avz^zCEPi`(i;}U#iImPCSl%~E8wJ4M20bWGid2m9n3I3H6eqd=RHBY<
z;lJn6@>8ENXWj(igjhmdBd&B4Sc<Pm9@pUPh)nK7oh~?pFF2ZTS(!HHYlRh99AL;D
zZ_!RoX(|^G2Dn4BGgKA%`jnodG}{ZPJPTG|=ef@$0uQ+i&+3#;4kiBB82<34$}zMs
zjz5Z^_m^>$t?@<$LCHNqP>y0CUC*^q)Z_B%Q;rcTN%?6-7CMbdRI_$cj=!Hx0E{~=
zWH8e1yQRoRzb5ep$w5FH`X#k({2n=Mk{m?ssNfQSl0*2Va+D&EQOkNvbm9p&lJv^C
z+GqLafhG4tZNMr8@mWNXIUgPCk2tcifai<Vr(+L>=o;swtfeh_&6cPQTbewAdc5XQ
zX<$y!Y>(MQ^J_w8!paB<){VGfSn=dqP6spQBhwnWrH#H~vO3rb#^Fxi04ii<!0U2c
zdUXw!=i5X|)z-52RBEoAz|;NAGyE_Dt0YXW?(G<=aqKBqNLYr#`g(+pn{)2BO|V^n
z3lHp2r7Lq)*9hP44j!)Z-DdESG7l#te4fS#`Y024PRFc{Rhp)eAT4x19-sM}D)M$P
z@5t6tci-EVzAW?888duV2{8W-W|NPPV=s@f_O2AhHg;O>tkoafB-hq3PrsZJ;>9D^
zbLQPoeGQ3)N2zykZu2F4{HYv^u4M@&j~-8I<0y~i!(1!=V>FAoNqCUowDbghZW#u|
zSUs=z9Aheg>%YU1w;mIr<j~c#?6-HI4}&TWB_?kG*pCG(Wwne9{em*PrNPn`$?)~Q
zG8uHOH;~TzpEN=}(A4M2Oay+HiT&c%s4Xp#jeY_IauRH9EPp&MjXe=6h0$$#nxf}K
ziom#&Ko*oyF%gpoTxkYu1JyV>6-I}T+kRcqf*1NjNusLZ-H>J`r_fHisXbu6;@28`
zTSgk00OkJ%vN$5ApRwsFtLu(HH-J^nfB&mLJ(;PxCj$*&u`;{o2#%%!CEK=g#mpX2
z`7VrTLiK}<y&pl)vZzQ29zqIo4@s?k7*`LfajNYSjL{tf(T^}K8wzeSiIU~}ndWQR
zwxWcpwvU<}fD+}#IF;qk^7l+DLP4qQXsnH366K~okO#W~(4v7HrhTzY%S3Z6hk&kT
z3Z+uo5&2v-3{ThuQ_*D_<(UIbvGoH}>GGOhamaXa0UxjhfR@PRPEH0ah%i~PXTZr>
zKS{vKMXm>rTTLe*Ai9{WS<Zm&d~$DYBQpMhRMFnCA8q)!0b=|qsjiC?sUUFFFq!Q9
zRbY9Lx~zqbVBU=ysx3D#1J8wC9?@a*O&xup->gRqDqy?A5g@BaA5O!C<<+=oeB*tV
zJ{BxEXY_7OOvS(x%0pc<w}ZH<j4NY!1hs-5asZ2KG-IF-n4kp=G>!8z&5ohC2(WUm
zc5f`#W~gtX-S>o<NrgE1SU~@N8FXxLdV1a5<wp^<T~MYE{d~^yGSNv!9WGN(0IkP^
zJ(U6IfE)Chtr_vHVxEpt6m=z`JG1KOc|X4jY2Y5~GJ!-UERqgiTL5e83s{ea!R6iy
z_USUPtxO$K=4{VbOy9RLxX5(yJJ5w|1r5amrh>Hi$K=kGs?yVLz_VpM=|c&K5)cPn
zsM)UPt5;rgkr58(+bjWILA@Bt)67vM4|DzUuNFnS6^B>kQ)uc%Dg!8Ls9_$jJ3?+s
z0DUx>F?x9hcp~M7Pu2nu6@x|9S?IhCFuWWFO*Z)>ea!B)XYl+DN2S+*%|*jNBNiJ+
z<GPMi^6eRFJMq713$I~QCkleEfQGE+#eP;*n<vBRy6x*Iv>@`<Cjq>)BAE7uq3AX{
z2(i~>smx!r$;%ePQ=YAJs_kNIi)7`s2PV6Kfw)JjSsV2sWA^-x<ZNNvXp1m>f7y`>
zp1r6*rsWLs=S*yiD8e!eHL%|0MXS-<@!b{3>qvPOHy<A{=fvAk#tleKTRH^W4}L=d
zbRwr8=rc!+&K@|12d&saf*3U)!b+^qvLmsx+F8CBl9%~!GZ@xdB|xaVuv_x|)J9a*
z7n$io*J6Omg>Z*z0c*32HH3}38ja=ZdZ2q`WNXU3d9~N8*cPGTgo$$Ri_m#};aMeZ
zrQN5?4b+nkPe+URd>1t2faS0(-A%x*aFE$kD>3F8w>x%xU@90T0&^V&A$bM(aA}dL
zv5RO-=<1SX{!a&n%{$F=pE?TkHsB96pqeZ@H{MjgQ)^tTi?~@{7`cA~I88z@Qt4$}
zT|MIRs3bxt<y3#VW2DM10P&vx5K-)qm(s3e0uVC=_&L<^=(et>BL}1;;a$Kj2K1Mg
z0>1$dFbgB_HRA1Dnho<H7&*c>lU=FPXz!Vw6QXU0e}P4G89oB7_Ha}P!a&WOrQYqp
z|0z}k22}{s>1-#+PTcIK;G>}r7kD-ZASXb4qfV%m_rsP#y-N92#P&=Tf<Tw5$XF%R
zU0N;NnKG@MJ!bXh`7wf?$XE*mxl?N-)QBS6uXJnnLC9d8HxmmX*Ms@vdT7VC>mui*
zLigqXJgcV&@6}p3;ks6=V}N@rL2+|pow6<LT(u!5_SWY#(gP}u3nnBbeg5bbN83*D
zOalBN4WyF=H{_hw0EY6FYTkXaC+F*g*ir!?eyN~=6o81ageofR7@oNxE}2E=O@|4|
zze`_g{Iz2=qYGZ(#&UsG`y*~0%sVw5B3z76ZDA0W{oE35#R6{N^@IS);8B@1uQdfU
z-nRNwb)?BdeFP}HnkJZH?Nq>3@@cX))J1iB3wVv`Fmud8aP^>lV4_iVp)|&+%7~jZ
zzlKQ~@u07rd<j1+M$$1Pufc$tIZ-SdXz!*f*nd2T1LozgAPJDKZuc`jN_9;uU?9Gs
zuMK*N{!j_nakQ~M0tW0)6b8)iR(Zu>XjRrf;w(Vm|IcB!H9TcmRhVhf|9jz|ah#19
z5O^styDkGG{HM|Xrv(uh4RN3Z7a;@H|84qT#et9`vdqRg|G?tEv_M{i50ofh*P{DB
zo%>e{5#5<+@6_~@ko3WV`Jbc2X>bXYe%XIK{QplsXF@~@_A~W<x8nVm7T_zwfD+cc
z8nXYjpVTlI>a$y7vm^hx55ThE0!nE1)~fvHu>#I=k$oy@rN(Ks2giv2F<veQm%xup
z!T7KJL;#{?u9jbJ9RH;SbS)I1#I$2Y@_+580(j#8CmMgv!T&_#-((Tc8vhfGe=fcM
ziN^m#<G+}L|B1%`MB{&=@jqYV|9GVTb3^~lr~RKB`cFRs@cjS(Ml?DDxcVwQ=m2!_
z<!KoJWO_-SPrDv}c9A+A19-Tl|BmG~_Mq@%udwg^WZv@*PZt;#xO)rW1ClJ><H|h%
z<JTqd0-#UdyTGJbl~b&Z@5_zH^mXd7`{WBiSj+<8rLf=WM-oCjX0JgxgEc6eIs2Un
z$-nJIjV}Bju4(mgWYzb`#?W+!4R#bjnO_FtA0tLl%1;_56(4|RG+*lGnSJJe9;YhK
z#{XL+(?MFpvDNYdMsWck?Fj(jq{l`b!#I9nk2$B-`>x*jtzHWZu|Ll=cXAcI7`_|?
z&`BsyW<2p38K`dLUS#k30-TQ8Xo56x%j*LA?Mr|GdzKcySI#_S>nG%hEYo>TZEoKN
zaL~p?fF}!hjG%~nr?#9I-RNfEv9K$2(;_XnuS_uyVB%d8)0L4|c7LpZZFnG^ihG2z
zlnM5L_L%p~(H8v(8RaRM+N%b@>eZXhn-=SSVxL0=d*>t>HS;UMhxxH*023+nvTc%>
z7Wd33<Ns$oM<@m*Ag=bbfz#zVMEBKqi-H92OGy-%kPHA2TkEW{-(chppt5qnr~=I|
zk8iz1%ubPVk87`=*IX@xUjzKd{2s}+-fuCSh42Y5?)}(j_}B+<Y~JfghPM*{qo~#c
ze!7|k=}mwRbwMo3?%X%phUvWNI5|r$*4@6{j5qXp^9J{i2;00{!_2$=k+u4`1Expr
z{Y&Na_n86y17B=TTc10PMJ2^p3azW>O_foiPeXu28M~}Phyce(@JYqW^uoW*-4jg>
zhr~2^K=cy844i5>`1oZ@>G_N2^xiNw+*`a_*lN!{hGI_5uKQ^g0C1{!ua+abvI|}Q
z+*g8OHs-T(@jMs*G$)j%3VI?FDSiQX+<X~qobh(yq7<ILMvxUgokVc&OVV)eJ(zHN
z4nk9p3^W6%bMYQV#y0X>xL^p??}tJIrgty%WB%7EvnFySz;8XZw?YG$G_Z-B7(&oA
z`lof*LI}zsE3-e`4;Q-3|EYiMjMFyP$L-(f7$#%gJQ?qIXo|G^x;fxz&<$WW7Jp3Q
zzxd4wt~nlzqT0m^QjNM*xq#7e;-eQZNk+7gkO{z_0OWEY6^L;YLi2VV%*(|K9Df6I
zJ^Rh}FsO<Fk!9c&D38|#Ad6q5L@UZGH7Oa-p76#z!%R*9j?Li6T9aTAwW2BY4;T2i
z5t<8t5>Qez|H;m?3f%BH@8u$(iK1*FX4?7~yuz0PwBQ<G{N@!sP(KjRKf?L1!PzpL
z{gxKy$NC$KAd=|DsuL73d_GUJ;m8<^$|jn+&6!pUD|sUcaISu+@9X>UkzUngbZTD{
zEUm#d1@Vi#QMdi)Kt*)>WAJYJ?+6dfGX>TS@5flaEqrAkaN`lsOeB5*5cAc2_JmvR
z8v6gN!TSN`@F=&@<<|$2Ur~og$L0`l4N-_-%=+&~0>++*x(pHJ8z95BvvLk5R|X|u
z7To8HQCUF6Q!`zPruZS-lNeM!36v?0;_*=z;@SM7-b1#5KDWl=?jan1AzIAY{U)^j
zxF`e3=~I^stLV<>#+Il*H!zY$W9{^mE*hJGMxh$jO}WmO-uc?hA=&Yo>O>cNzh?AU
z+`t!C_`$*+rPs=)=i%2EFYLlcZa&QZm*<lg|6Gr({)ZU*tnD<$f395#qo8h7-RFQA
zfZ(U*X&Dq)IYTur1Ji<)_HBpeEN#Dv_6$L1KxzV0wWWF1!rlu;+BX;*-L?H>qrLB7
zsqf-{+Fbi-_{>f*$6pOBao?F8LqLb#uD(13_z0wO$XzJX+(Ewp%)$Afl7C{ZjVa@G
zt=skrzHz<UqN~B<22L}<Y_cce<I(DKWvq$%{`R|xnAleA3EQ*kn07iY?>8U-ahF7?
z5iHqfw3zi^YL2jtKGY2erF0m<Mr<uK%zJs<ed-e(Tqs3kL7DtMg6Q-HOzxAOR3d@d
zv36k`5p8Bb4;Y>X<1CrFYbwMtH}i=7UIqwO6r8@%uVD7W?euY1xGNRjz(A+1%ou&P
z;tzYym9-ht)y`bf4z?UScquVkB+u(4aY^<yKlOIlFJLyc<dUUk(zN2kaOuNzJeKI~
zF*<bbbr7i9_z};TD@^0~V6|9`AC`87zS7!u-HkZ({D%F-vPy3j@38=C0w^7@9J>=j
z7Jdm@lQX<e?0*J`zCxGmO+pX_G>lIOo~h$3g(04MwOgeP81lbJd*AV}e3Clsc}Wv+
zPE)uEBqG4YP{X2c7JfelsLmn62sXLFrmUBR*-i^z&a(R%G|*@Kk9D&a%zjC`bYHXC
zElLA6X#9JcDnXNg>hzOmH*N4bC^xt&19R6{ZVOgl@x1JghOWQua8(bk87tuJNl7F7
z;&l9$bPGW-;<-~!7_Cd5ljAq(T>3U<#;!$x;^w|`8w!wpVW!h;uYJSL3Vq#^oo1x@
zkhFJRhDLdfS89|v6W3va5j^vl+`ka*Y?C~Vlf-(e96jCvio~lnuE?0a`wFmO<`otA
zvTXR?mDsSbF-S8%fnL!Qy7qIa!=u(MPJeexP8T)Vee#mDC18@4U)83N(0#Sf6+K%7
z!zXSMSN?}~{i7CYoS_8d)y#ceUgI8Lt8JUs2++9_yc!CMe3FeUG|p(XG#u)?UkxVR
zRQDE&?6P%ruN;H-B3)-wnlILD-*|I}jMFk8De+TLk}U_X?m3R5uH+K%9>`2HGs+Xh
z87XW~8D8d0<IUw=GKw(>9ZSG`=`-*sd;-s5Jnie(lIrR%Q3fyfvlmjl+_pD#-NwJe
z%!Gsnuc|x*cdpt&M}!Ah!V2XpFV8m*Kiz3m&+i{Y^;K6da&Kr?<$5CmQMpq~1;IK~
z5n$5Z8IO;Ui8{YF+R_<ti`HEdLlC|%6mI>r9J+bri0bv>{<jW8Y#!(#F~=t8tK4SP
zw@##H$fx9w`zq%I%k;hkb&VEn{Jh8k;_fG3RIr4t)hf+8d;tH5@A(a02Wc5pkIy*8
zO(Jwv9C7R%W~5ucLXS52Q=9rgA(9|@*?wFSA!`<t%?e;hEqEdec(WIViOz)(Q67HK
z2th^{6gM$pO#|c>p#5rW;BoU~Hg_~)p^zb9V}d|&r(udsAwd?GQ#Cdp>c@6io;O$~
z*!pGY49}u8amiy1H<9mDuzSkM&Rb_Yj`h^2zT$_iJYP36q-OJjq+8^5>hT6jiwRJS
z7iyfCQ-dxuXWOMr=uqzW8$-*_^gB!wog>P;&wv5{?&%k6qt}aD76mrY{3c&ai*ThP
zEBVFl+kus0&uig_S88s|B10X^VNHWtheF%cb&Awgqqe0^I-=}>{JHD`Z&_0)OW}=m
z*L0=*_G%FYovDmRL=UW<KI`ZBDmKN2A=ZwJ=`Tnin_)KvZ1UUS5`N@*o{l{QPLuPJ
zsIVN;+EP7!mO$oXz(c#M7k;SUIvlqRNI`(AOnurj)Ii(eG@NYsqI(0<Q|m+YwZLT%
zTh(_$N%|={buM}fxGiZ;bRDG=sQ)k^z-V4)bfaRbUnQ9jr>(KF7ULx|T0y>&dl(C$
zQf2S=`}rl+7D+h;ngZq{#{H;AXHv|-zIjSw1EHfDFR?_&A7^%Pab+hR<11$nbfJMp
zg${MJ_BA-0M9Fspvot(}Tm2!s>en;$;%vB__=0J$5^;hv?(YI*_(IgCxS#1B8YaOM
z9+Ixm0fAF;nOkzKpCe=BFO1JF9KTTRoEzhAUtlx|6&tbtHoPprIYV@O&-*&Ip3DHG
z>HP%Er6Pia2oyPvji}UC2^tC?!a%vEyGmWt*`-;(%M|m}2C&eJ3?_MYkJisSZu?j?
zLXk!a9VKaN>Rg&nlZoW_WQu@1pXF~TF4cQrXOzzee@r!4a>Xfct-E7gqQ#()?JaYf
z)zpDXqM?51*~zK(j)EA0b!T3aRU&L*zHiZ9LTgDk{hL!UjHi~o2flAR^Ik%Qjz>;z
zxz`O}5!~_%WI-=ZroUEGHoaRq^hKFm{SCzW|B~Scc+Yc!J!CYHtVW3Pn%9^Qaqq_s
zDFd^pPxvUDJJf#ijuRr`!3d$_^K)#5_eXO^yVdK12mCa8?0+RO;KSr_=F(@=k>k~e
zcz!k5<q~nP??N)pO>Scgq04YHhMJ(Yg~=NtfvY3viSfX%Mq(rfrSQom#SKHGehiwB
zmWy#x6Ba)LXZa*4^2@B2#v&uc8r$5J^mPy6a$t>ydvX&v%|9#N_qb!EmYX$UzYkM9
zB237&;1{j8OHS}6UbLyu<UQB`{P|P_Q>yykTI?~9M{1-Lsz@VJo2<!0UL-ln6{314
z**7{hcg^@Gj~7ZWHMG8=tcmz*>@B{TyS=i;@0P&1M}QN!DHemFMiYxv_Hh&WBb+gl
zYj_Obp3_QSLC--aLl6GAA1ub=Fl27;k{csVkKAshG#{8#{f8LOk^FJ(1i;$SA4vTB
zK4mc;^<Im<tWH{cSRC41BP!o$#6c?R)$p+2(k3yDV_-RHhZY1nOobyhcaVGqq|(QP
zk%^~{)d#^)r0N=HJ1pM1pS;iJYjq#)VAaGJW<$toy0njg0HMs8HZU8HAD_a9tiiZ`
z$IjiLBRdrw^At#agUlwUWwhOu{Ls`T@68oAZKvclq^h<5+Gnme{c8AlWJr&9tZ}UY
zP0Dx|<2?d60|J3q8H$g<SF0h&lO7gxivdVZ;TJ+&cWwt#8n<Q7Hg2Ks8Mu?y1lp0(
z;)T1fHkh(KHzFgzap|Ux{QOm1Z=w5}vjk58X%fGN19E}1;YQLj>)e$=Mdcy~)K{2x
zIKNAk{OH#{$eqxO*r|7h(JA<ryuMLi2^W4`&qh%$a`CW%?76Hiuhxp9Pt2rDe}$&6
z!6gk3$GIeSFD5;65dL<HY$I~Ve@zXGML95r6<dV2s;7i21@rgL_Yj;Pn3zEu#2leD
zPX}BntD=8q<M2I{6m7kS6hC^g5Udb&RDOT=`j_uLb2r($Z>8bO5(XfQT{%qdXOdSU
zthlIE?%$<0Xqqmqbt|$SCZf+PhUsvBtfr(e!C#$cHSPQbVYbEf2~U17LFy$Iw+Nlw
z`V*HcJNJiRdB&trBswk`X#>E?`Vd*^Z>uLlZpQa}^aBlp<U_3YFtQyf(h892SY)As
z963-Ng%T>IP9aook=Z!SisJdWN#Zb`xSsxLh|$=IP3%&WBUws4Ss&Ve*TY|0Kg<**
z9ai-^(j+C25)0pfmgjRl=Z9Zm4y){oF$3^Q_d8-I+z)AjpJ!W(&yXSPRKFd-LzzY<
zSE%p2&u1+!`)OJqtej~x6jeA_=O_<>89o1r(>(hsdYUZb*hZK`YYD=2;u}l_{7wjJ
znc^IafT}x_7l0)ks|c+@zJ7mbW@tBaJ__XE{m~MDpMS^&37YTO9gp|tBseC%`39$J
zw_YxORo%F2v2Ydp;T_f{?h=rHhz?0sx2EXPis|EF+MAw;RbJ~Ei`(yP{)ALS7&zC4
zA>T6hE8c6^G`*>FTR1|&NJeRu|9vRD#>Q;Tz@94$07c+7QlMx`1oh6T2XkV;cYN7D
zcag$}yBq-rUUv*AZFyY64tykm3Wp5QO|*U#X<fq`K0p@l=z}BQyHAsvaa^XpeH!l5
zAr+%P2{BmZynlPwU64rd%Tpbmt$`y+`0s1ZXo5KBsO#~tD4AnG9v!^@s9G_D`C#r2
zWWm1SeUV|07gTU=iBeXb69`tlV~0p#UY~TOZ(x*Qol@RQ8b65D{-bhZ=LIv!s~Il-
zm6Vs;5>efm;ts!aw@A_xs>e5I9Q!TF;ZWjtPgMDeN6G>;cD6r1Yw<v%xZb-HzK;TD
zg{fy0N(X-Pz2H>aEOivZ2-TU!ROi7^I_GX~8Nq^iV(2<&_&g%V8`AI5zDeZde`rb~
z7b6rhQnC*a*hKK@U7RqU@B}g*(g6sW7PlZYM<D4WAYZitYcXCCIz;rM+5e!q#7C9A
zHwmMd6N^*1-~zIzg80BZ`E(6VINhITn+VPww<bgkiXu5fzi`eMg57mUY|<<*hU~D)
zqoe%0tHA&`X-c`%c$Bet;C)jPLZ26YzmDQ}Lb}*`#4lF+(Z<P<CKA;3qpyU-%OIw~
zLHAadaWDMV+w~AkDKbvg>yKW)O0hd;w8K*Alf^~3S*>1@ft*PGf_3ZN4`Cm)A-=-I
zpx9i8%gR-8O^w#eNriI-E6u;@!Qc>y$Dk~}Q*47?23(^&S$7dk%f%RP?Xn$dJULY;
zyTVtPj)RR8zYFo6_7<It#4=G2bfp-b+>M9Lh1j?+b)c5N7CeI-9zpF-wg~FCck)L#
zS8sW|amp4&UozD^e|;q0nsF1|Rr7d{V{HvMaTM^l&(8oR(_MJ`eACqh_Z;`ZB^I2l
z!U^ewfXu-$gY@R8PxjQ9l$bhz4|Z6an!R`SzBIPd#1o<aQ@7?;{owU-dSZ%F4%Q_Z
z`E;`$k?OsP+Adv2C6*F)Q@TX|u#+fE%z{_uUV6r8asU8p9U6I3cRGu>ne)Hq$aMQD
zPAZ_-a=jiXYZLk~K)Yi0L(+OhEtwZfYz`cYW1eJVVUq<Xe&nZ`yAO0Q^;*zcmMRP}
zXa6NF<(EI_ydrTm5sgr7yHqOAR>rCK!tanmo@Y6sl(Qw#Li<>|xP0vXmf13-z)`aJ
zusv;DZ9cLLLy1)yzY1RZ-K;0-BW7p679LGhxR@Zb;7d}{V0lIq5ghZU<A`T8nKIvB
zORz{**w0r#(T@(w_#7fSfDCg!F~i-#TkiJvTyftttC9t&b`W;@u{m^3OK>pNgWE7X
zE0aq06Gsw8>pcknKqze~fwftzJUiafBq+a&w<WmZ0wO=?3H4rHBWTgv8>QqD%BYyV
zrnSQlL>_|m7Qo5CC%j^JPUn~VsVU&}i`ANk@+@C&GA0SctD0LV|MA=SOvJGB=K@9b
z$pPZK0qHvRn9bfWHs*Q;MmZID6lGOBH&rGx?VUs1?G#hqrdOY?l@Q*6Ol(UVl7?)T
zC(N9z+9zO!<JPYL)b!2|fK$EPw<Df7QBKNBhmS}iaIm-O1qmYAtSr27{R?3>1$<N%
zrHoi8+_hvESq$s7DPTTme>k8H%g<`gV=^{Ivw8qh0QYzu1SeHgy&h6h+5f3AC5-5T
zUJL_u@2`w~62oX^gGVJ1-UPS)QnU{<H-ti%-$+*Ae$vA2{ABz1^X;1;S~L-6(6LsH
z@P^Fp-W`XUGJf`F1SrBg2M(l^NS3M@{_2*_Qd&Gd`eB<!+MqV}r7SO|MPce@glRL{
zc*YI3j6Ij$WiM3Z+29*?jTdDC$=tZP!6UVhTu-zBDp0u4x6g0s^N3~Nym6Cb+4&MX
zfIj$p$~Qe<RabB9_pbDax^jP@BYnvnekr0T59d-T;?R{^<A+T28V-jho2{q_)4Fdb
z0Pt9CkNSGVZOiE_lM+_jpd;PVwL)qIUqO`-882Dsn`15Z1cQR%H<_h(hE5WL-zKR)
zsG6YsqR<Q|DRB2CNW4ro;{WC05pgY$Uc>tt)EZE{7{AGL7o@uKS14fQfk_I=@XRuk
z&fyZl-G~(uKcl46DPX2{$|C$?#)>ObqzONs>S$Gw0ZY28Zn-muk;Im)OKQ?LHbEbw
zhowdLhTUNc1o}`<g*r7smocv4NZV_~Pq8r#KdO@jYobD$CAyAiwpVLFeK&Vl`bjq^
z$`n6kU6e1y!{ExuoJqLFJsYRRO3@V;w?arC`d1fuaQ;dOk_|+Ma|KCeT6>PEHSd9#
zR;|8C-f0NU@b0YntTc9T>AZ1GEpvm}K-(gno;P+}kGA$iy_vjDufSOOgZzwB5Uh&R
zFVmK>x7vTX+<$>)4@yQ~qskcHVe=^rQFhh*s15Y)F^0<fEt6u(=5xoG5(Ulb*XAga
zgVis<$-DkZNPJWG-HxGspy#mi)TcY{Vy7?yqlDWfWxT<#jB>%5p912=+0q7#OxDp!
ztrZ_t=Sn}zb^Zd$rjV`$JFEpNnLGu{hBMSju5U7+zOJ@t(2zhDodK1a*zV%-5f3$A
zeSIzH^gBk6lsGslj6-U?$)R_mDQJ(s?l}b^LZ|rrE{S4Al`L56Rcl;m(8YqfG>j(i
za(25wHk<)@yptaFV(NT)icc?9mgN*~Gn&$vfg54`D>m<3XTl_py8>Ta<Ym~m-Rp;T
z@};!i2fq_K16f_?LX)x72eAottXxI!KA|Sw3k5r2*WCa~gJ5q%0}6ygv6h~lbu&I-
z&h-&;K;~n@;HHdqHqD}^?R#zvJn??4!u2t=g9*`j8S>4VU}P_DVg0fj8IfwvZ%V3x
z1PpFrxgU5_J@c7Aw!zAKY2)9wy$?Q)S7+R82O&oXHx{#iX7WFwrg-H)CWLZUux!p<
zQbL=$=1tS^x_(Xyd}3`hTY;U|j=$hod~4yPEpEC=hfTp@`Xg%e0{^$0-9&Of%=O#v
z*!`I!4Xgq}6&lVp*DOauhm5^vDVNk?ILP@-)_djuhN|0P+`hPHEm-XL(%?}{Z`hz0
z7a#0p4VznRo8?ED;5sx-8zo?=)iddg%F}S69%MrbE~OOh(U}k57?Y@S(A+tYu_+mG
z^eGsqBlpERbxmn%)7sSsObcybNkJtb6|kq_&&WIasnJP`nOxQN@knXgSHLSh2j={g
z_)w-OQFCo78DZ9cQG6?hdEw>GrC3`qdQgnSi8bcM-v3tcI0Qti&D@XA_eg6WiDc=r
zxGv;XnG}J6Sb?O_v5kp3=$0??La$ISlhh9X3K5RDfd0fJBEJ(q@c`7Gm4hdEt_d~r
zD{w>>0w%*L>79JnOkpS~{_ZlFoT2It;`#Aq!cQK;fsxFqyFUXm=LZu5rO}Y?nFUJl
zB8epmOTWvoBhG5d-cdzi#*%8?nrI&;+ia|jDK(nX<;TDa=u2guCf_yR4_)`%{9Wy6
z7<;kv5v5cdl(Wl~Z}T~CG~JMJCK!6MXtUj-2F-TAb?SB;eKjuGn@#q#+VtYAcb`I~
z+^@{s-za&N*L@7r)~Uiq9(~zNpfv3b%x&->Pllrodqp%8Vs@u9x;}5yByS-aN2jjq
zszmic2_l|fu`@py?)ewkokL%?-+l{a(>8Z$tHFX(M;iCE|F%A><#1V}LOuwV9B=+u
zw>vSnR)A5*;t5+c8ZleWioNdruB8-HW^KmGR~YX5)8ro+0N-XizOcto)q_>MPwC{f
z$qlb+;?3}0Ty0ws+0f+PJsR34QROD2*V88C@QXDDx0{L{{d#<ZY_UY{E{DfUH`WS!
z4=t8`7F691c4I{DTF}5Y$DP9$^&n#AqS!Gtlr-~au|WOzv-%x9eCkJ=7{h{yf>Z+w
zD0WK-Rp{o}kY0_x5{(~PIJd^V>YG30cgpibGVm67@W=^!kWLGUnPOucEMtk*pQZ#X
z*AkqR#}4xUwTZATCU8Bb#QNO9s%v=Rp79CLIh?%pF-gT1MptDeOcT*oT)g<VzNuk6
z`1u0~K7=9&#ilp;O#AE+Ns+rBZ{OKcds-=F_$~-fur}LXnz^o2_+GRTbeRy;bcT`r
z*k2qrN=o1(i%Lb{j7%qx)AbHxE3_t9#q`x?!Lnm0c+8=3m)v==zetaz+;O#zw>n{B
zZ*{L4H#$(+zr~Jx0CI}|F<nL^@P|gq>W)DrN=>|W;|Dl#g4bH9Y>Nr=*1L>S+%|I>
zPczAUb5JNeA46M-a+KGTyvjso%5Z}!-z<iD586?-kUb+dqA9n1GJ1HizWyRSbOq-7
zvb<X0IEO0Dzn9W79CRRQRj;0g@%(046{)Xn6wKg!q*_nC&e-NkpmVeP46C|<K&LQi
zN$(O34M|i*{oVCT%QllkX=x2~k#&O-u;XD}ET+Wxq4xe8CVYhpm)=K!>J2~GoSRL7
zIO@GRS7sMhNUtXV?MtSOF*RHfkt0nt{mOYe!PHuFn&Qo;2(uJ=q4O=rXgyT#iQq4P
zE4Mo+UDFg_ArqfqPe#dm!kraAIrf%7^ZRRMH(U<g<X-wkQ@u(~)4NgZ?cpwVG$pb;
z7!A<i<04a>IUx)#&3&Wf&>q7~u$NwHZ;1W9bu@G+ht8q=_Q<%aI^8<^Mm;B?{I4DA
zCF~+5U&*SRv8i19*~fU}`u^7%$cZB}%13NI2>)0uz)YlK%zZB?d;aujD}Q&M)}_Z<
z_!;6X(RKz5%x(HL#&tv)*N5t3qVBMi+N(f(y&!m<-V-bh%6_?Z_itx=0&z@4$7Rd!
z$0A%G#hC0`pUi|JE4v+VUN|tFZK`=TSKuswiH}PQ<mVV#gdbQ}Ws|~Ue8d1pu(E;O
zOj<d5!9T;TQa9FfSM+kuwzJ;s>;*YnY465RTg4*q#G!Fnt}lBMcwReOrYUo4gT#SW
zY!VvmeN~C0HLpKA1L^*eh+&5_Ypt9`NKG@dLeo}xrP)4TPi^^ViBc6B1gT_u{KDwF
z_!lA!Y+se{_T(X9Zm#m%Lo0^C%<$n1l8-(HNII|H;?|h5q>@%mQ2Z+%WXWJIf^MlJ
za-Q977D0>33?_s7X>1yWC!w=QB|__y5BWF{XvI%&R(`@0dXZdyhC6zRrq%DStV}D-
z@fNh>Wz9MKS7<I_B#dxqt31tqN)g8!Tr$Kfbhnk1QD#E^;}zO-de3v?lF#0GEnj2p
z@DePPPYnKhBy&3*H>!4%_|P#1XT~4h*53AErea&fuU113<zA*$8P34FD0SyLIluSF
zOkAvRXARm@ykePqbN7>G{MAV#+){2+p`+|?Q{oHU(OxhP6xzebYN8J&x>-0)_qsl{
z5+WH!8rLpDjBAjIS$t#Irz(tY#G~t&O!b$&Zq)A<Ga&!Qy%>2l>wh$RC}80-2eA1}
z_`+Xwg~E8?+bomYxdc}V)Aia&<U5zdB(t8PuR%8swyEDP{$AS93f%@5D{otJbbe^s
zH=%!bud8N7adKfiF*22J!X!9>eC-)Hcy**^hCeMWEB9;%cM0Cl6JM^BjyTh1EA5}d
zvj%KkB3!)Zu+n0=0X70K#^K3%;o6$Lx1ba_4Z&1Q-(3hdHLtS+Z@{#pVX=Q8MRWMN
zHSw<`d^hTvUI}&V8cFrTJ#;hCTJ{U2hC1pTe)p{eX?EkI9Xj@4ZcA-`OQZO8TqvD4
z-*QU*-C5OLG1SeM!rv?fGfE-MjGm0~Ga7uaiRX%(de?>p>9l5Vj;p;TG^PIYqQiRw
z!1?n@e_0A$WVmZj!^$DOf=9w9LN8PmsTzPs9ei$x)v)Qy_V&Xnr@b#OAExjI;H2uG
zQ;zCBWGQ9gKRKNowU;r3&KJnn*wb2KvLu$upUA<$WYk-#M1Jh*{UR;hCHjTWXaQdn
zo4wXhGfw1cM)at_n^plsR}mHXUGB>kCobPyo~W04<wCi$e6<Rt`M4+S*Z{*s5>->P
zpQvdTh+xqoi{O>KpK*NcJ85RjmFwW<CCl&F<~~|6!gxulD@TN^l8gxWGZ8xO8%0Zs
zJaYfqh3<|BCXEw!+l7sFLPvUvL-lw0XVGy;^^|D~hzi@ki?CB4#ya?#&g>Fb!z}6~
zZ=g-V2xHh)x*KLj6VofY%zc-=)~4^9xTTFGpkPiZ-ChtbAO;cZ$}udA$`tIEi22Zd
zEFi|}Y!F<evwN`OWu3eKq~WI*3@3d1y?}2@QNPh+A5DF)ulGgt<MQjAn8j-I`ef$R
zZWWTW7{wtUa8gV##7l^axx>;cWjFf%E6L$-7^Mifp-^1i3i>Tz?{+(etF>&G<L9&E
zhH(m>^f8Nu91p%nBB~FpRNnaw&wm5Mz-}}O73ZlBAv)8aeSftYO%cnIyG@JbDYGQe
z=BT3n<6Qt_QJ53E*e(SGx+O6DhXW=`fg=XEeQLU`SKmQUyOzTXaYd|Kil8uBo#_!w
zUX8lgGEhNLX!Z3ii%rNG$9r1olAx|$-g(m%jDN`}d_{J5lY6V4SLK5q>0Qh#KC=<!
zh#Qd3zz#A)YJuh8o9NU;NdZiS79#N^?tQ^SilPtFsm#!RR!A8qU@{Km&E~yf;Z*F7
zPsPH_6m(>B#7ENI+++LoLv&GOvyhA+)&W1>L8hHeaFKTR*_#n32PV&r&w=md+dJJy
zeW!YgXZ?q+ocf7)w)9mf^cS0b-?Y-aa^YnPq&2o$%-&iar26$Hn=Uqqx#YqiU2Y(E
zR0)o954<7pdYGuE>O%H?f_tJ9LUG>X7LEFTqJnlYbmuk~kjs>{a#_s$otLi4?4Sb_
zR>JRUjEb9HmW7y2QnKtfVCbeoA-bkLg6aAf{(#Oq03&~b7ZX;>aac5hZ}iBONq~Jb
zV=-6JJ)LWLT_bpD4j)ae8ha~OZuB~R(j1w!6`0pTn2S17j0I0S>B3m-xF58G0^18a
zK^{7&7Z8pb8)jcd>TOagS9t2@cj$PC+k)kBmPw9g{aQ~!W}C=9DNX}u3&R!5jHbK)
zwi~8N#wa|pjKD{7w7%G<Vzqg?n1}=KJ9ebuHoc~?2Wp{<Y1JJbb+x(EP(H*td5NbO
z&MpFoZ814(eFR!ut&t3e&fS#VlCpmF_d9MS5l*xFJn#L|AF{iWLf+#uZ@(K5*)(|!
zDN+6AMR6)!mWR1iDF##61~Zocu9e5tH4@d{bpYNv>XLgw*fztQ61l$3Eh3tpo3__p
zq9nHxX1y1sRVM5T0zv{>I_-u%27|LG@D6)w4gSH7??YKG9XJO-f(diFoZssdauIFf
ziAq_blF)c#$rmKWmrpfmt)b2cWb^*WrHNMqDxLYCT7Sr{{0?(kgm3$dvaI(;Xi@nZ
zr{?mn2v5Q&4}sNm$0h1gx<1mK)SQTJ673pD1X{UmbHZ`~xfUxQ7P0uzwFOIj8?)mT
z!5h)QVEC%-lJ$ZnwVPC@+M%W_a47t8H`cru?>F}((1~BLUqh%x#JyqppwI$>v>BS9
zvKZ{S6MSa)=B8!xOx`|DZ~BqVr+w4KIv(VJjq$U@sAt5dzW}YoCTYevmQ_+KMec~f
zJ>te`ud|$vG|;M{AC&g*Hr4^*ux9&(psk+~yWU7izK8H2BY4LJ*j|2Y0i+Rte#nin
z{@Tl8R2#~1l;o!6Q*tLB_|$ugi>#5_oTiPis0Ob)lgNBRqNVe>BnbS@3wPHmVy31C
zG<UoiEcJU*4t>@_3}3lneVrb6Mf%iCUx4`T`I&}QHS%L*QWKOXCqngFwjOVz!aDX$
z7SVzSMY;U&R5E%=@r{G`WY#zJ)<Ui27a*C$jw%9*SkUC4x5ve2NHteXMvXK@J4tG=
zDmsk@J^`&xRBgM<%Q$)NQ-c0Q10G!H%kjx`)h8gM@9rIV_xFioxB%_<W+l%a%wIF1
z;Qjqop<U;#<P^M;M^$OjeT9yUKYzDTlO1-T_39J09c(b3oPIV+Fz|rDJ0luxgB++R
z+?IPOOAhmSSX|B3CC9oiBzY<!);~{7b3H*>C>-&nd>9UfZM(3S^HF7Fs!96WpufRj
z<&59P8Zxuh18fvGxq#IpyDR=4E;on;svsz4#1Yun{-Yt!cv*7-7Y}6!w82JY<;WBN
zVan&XI7w@50!Dpf%vXXg{$G}y({K50f^e;e&C|7iI-oUAmK?u+2-y~CGs6@*c8d1_
zveP*3{a+qd^D@48wc1Y1es=g`VT;>1*bm@=BY3td`}pEL7<gh|n$`FyMy>_=o+-Ui
zH>HvCsm<aK3J6{HvD8D<M;IZOWI9;s?B`=!r6f^7wJ_9u4z7g+8Mm`e9WE<p0Io;^
z*@TEkU4C41K>bnmMxO|K3Y?w?@cwQ?4gAtK^OTDx@96$rJBS<gOPB3`aeTKxZj(3!
zigN{psV22H6Cs{^d%TU-Gf{p${L51CK>KZ!u}sn~Zgs#ZT)^q4@V92k?!YTI^nbt=
zIasa77_p&eN}QOUqrOpE<mCgu{vbOcI!I3Z%PupMaTbl8(`UjsNYyOm=K*OUaB9*y
znqA80voGRJ55QhaHMVwJZ-ajDn<ZMBw4cFVGI83E_GobaMS=6V;5V4w_zCod0#c0x
z##TnWk*UPTQb&4vt|aWe0!KxAm#oEsIOzDk@VWghuy43tVv3~mBMhrbz}X3Y?~ClF
z@?2AjgE;gyJuk(>T+}*Gzy%LcJigQEI-_#=VB1Hg(kC##lxMB8TwOY4msp}{8yj<s
z{U-KvypzSAVP)O;_s_d4p7TEqc8YolzpiUp!<uXJ4(p$IYi@r$aW9y99Vmx%X!cjA
zZln$qW6~R={CRo3&mr;s(K?4+z6-EHczz$dkg`0?PfV@RzpojVQ9NCFV&ziFXJJx4
z8Q;#1O~UeV+wgh2XarNc6lP;{!r}F$OxcFAG?AnZ6}D<n<p*O*G=_f13IWiE-ZLQi
z*0oTWEYZ&BL+-FxA)khPTrE%eo44Q;NG<$B%pDX|4MsLkMc#E7*!Xtwl4Xmp@{R09
zQYNR3K~%6<J1`oeh2WH=3_)-fj-7}wKB=Q;nV*?iDs6u)aY9!{vb;c1?Pa!E9kJi#
zxP(?6qnvyOrNzaMIDP45oF)1+=G&pJm@UA8JzhEGLp=Fgw}SOnHzLB}?K^eGxoS$q
zR@}wR?fvwlf!|9))Y$cDsu_2d&*$P=-9U7hR8n&21}gD{3%h#1o!tWDhmscQq^2s3
z7s9efWYhyY_}?a_U5%AYb6+11n2@zZjH9#FHhi+now6mTehDWZ*80k!vrDy~)GTsZ
zq{F_UUS|Eu8h3EIpauQ8CWqeaPqce-4T-jBLIQzbL_FW0ny<u9xcxdmDUNT$q&Sf)
zUKk`fPC4>f_zzX;CbrK`r$M&Bt)@&DaE24$RAqY(sU|zTEjbX~Qg)`<#vu0nQj<W+
z?Q+C4UeMiaH|p&s-q^Q(!Q=0FYSALg=tTnUII{^n5h?NQ*$hL6@Vgm0o%2Bg3d3<o
zW%899afl(~6gbHm<?&?%Lh%HFFs}zJB;ADm0u5@!pg=^%iK;<gqy*M+BS!4;>$7?8
z31miU@X1j+hhae<ohH#NzHn3HPlkV|V1owspX;8McHaewjRIEHb~QVFclpH>nrGzZ
z#{c97c{Rky4%^yVDmy_08t`d@{Bea_Azq<RHmgp{OZe1fIZ%JW@5JK+Cx2v5QNR+E
zOOfs5S90Y~FH{8J(yLxGp)wjL{9I&F0Acb3yxat=VjW_Y4k-reKuPTY?@p51;8M<l
zI*zJIZYK+5Gd)f<;?GNXie0@$v759Jt111^XtTRX@^UNvb^{&C?MiL6@;m_~7#KD-
z<rhhERU)0SmHTCd34c}dpMVJ|l#iSdPehq7EdMN!X)S(knj4k&MYB$*c}&a%^c#3l
zjQG$Y@Fp9xusj_e7=hx`^gGQ=F1;mW7T$sq_TOo#W7e~Q;5Qq%cGp6dW6b>$_xggs
z{!LO|E2J-0Tc^h$XX=b1{;kTVR|x5Lc8vncuhHI|#Yrhk$kSf{ua!9f0$4HACZ#Y0
z`*A#i<#V>sBwmEZAuQ(a2kAo|VNx+MZ|+^n^(Faj`ZBsSeyEmvp<;|BSbq)m5i?OP
zO0~ZGP~SCEcXs3X@hytitK69CDb$@3KeMjMoMVYk>Z1e47-*edjO-I;cCY*ECvX+x
zFn+i63QVYpodRs9W$bR4!j-+#XSB0EU*d6*B}$&f)A=32jjprkU)T~ckJv?5>M+;g
zfdkZ{8?L@xSdbr{kCm*p0YBfJA5tnbHc~#cPB6kF29hKvb4&x{FeaTCM<c^C40nc#
zHSu1c0;@M$Mw{ca6dPvwg{aqPe@VZ=!r`LV5VUK>NUo1XHJ*PHJv)w2m?>;G=MX_$
z(Kx!6tL$ts2#reA6L{B<J$<G{6!avJwGb5Pj;GDVE!<dN#=g61?^FT#MTr$~n{lE&
z&AEUiSTnZT5v>kDuPAVsU!xi5Q#6Hen!RVg`Gz=5)>D4<a9x-NVD@mm%x<4q+&`0-
z-7`?9eV2LXw!&DA5th(fVP3J{=T_~bpEPoDEH_UB^`O+f>;ojZ!xy^$WNTO0kAXjU
zVrjwn8{-j(=pIE=Z-LxE+q3b7jh@xIK#IsgR}tN3?<SZn(tEdN7>agMG2kx0L-4bA
zcaV|Fv@goCp*1h|r>8nTN1AvKss$~Ydd5!jxAh<ZsNY32qvD8e!7KX&LS(7SB!$;F
z{{_h<f>h*cVCAep#Y@^3mG!w_dBZlI%dg0t`u5YVC;Z{n9s?XAnRiqKCAx~@bP>v-
z!+zO?Vj>cdO+-W-e0b6B^VTBRv_K}4Y54n0NtAjgt#SfU=8xm%PrsUMOhnYyhl8i9
zAcIBtIK2D4M8wx%y^?8mD2?&8zBjGV7ng)GY-C#3pWh)9!s=u46`-kq{Os}mAcu3I
zIGe7GyJS{obt1uwtBU$a=D}^AiSv9PE8gi{-ee;#edSsjq~#Km%ln0j`k`5RB2n@3
z2D>Fndtx30EOuFrG2XbNAfvuKQ`BjT)^^ahjm)njYm}*WKRj8-($Uuy+s@u1P90ot
zwmEBjJvf+%&ze6uFp@<UOL~WJZ0C_&Q+%BC(MwZJ6XrT7aJR*Afb0{VAGR#3>_WuS
zfH^$HD|>E{h}Vs_hG<1!KS2ow6gwklhCS3Kf@}*KNjnpbbgqvLO|!@QT`Oo{D`OK(
zwRl1@Xx&sy#3_-6259Fmle5ZL;RfkXPii8#eKz(&zZRU04^$bdUhjzv9ujgS<6G5a
z8MN?G;lhFDt$0&ypP6KdTQocN)$tHu^%#C%g$8|JQfW-$Cy&NRhiq-CEwzQk&S7Q<
zp=Myg8pi$jEr02ii99=ptG1OCBu<}ZA&RVO@fBxo_vo-4_e(23qe=i%nsQwjn~omK
zuNtm{v8eaKa-{83)A=&BaaxR>Dis)~<8&63E@HjN;)>RbzIV}3DTQ_wq-j2Svdd{W
zcqHx#hldPsNE+o6_lJy7YI2jX@(JU%*ZHe)57yrAdELXm1uWsh9XTU8;5f5c5P53J
zqx0O2Lh0K4?U+3%tpylZHoT9zLC?6c2+M@dV;l(Ogu64uJgI<lhV6)aHSD5=cG6(U
zsJn?<Lo=65fbt>qy|~mjNCq=2vO+_8{GHOSx*BaS^!KzHRYiVz*0W+LrwO)mB43(o
z@n}za!t=Xo&oFG#TRBw_Z2guA-_V6*a<o(AEHJkHIA?F6&GqFD6N1+N7(UFStzS6o
zcN>lH)1Y>V(z!lB+u@ML@tc7U=h~&odm^FuIAo%zeyBqgQdNrOf`RUVgU?lBf)eWf
zP+n>T#mNM(S;vh;J|$>EK_n#1axF(l>et2OKvK@MInkx14wpz~m6X|4r9o*YF)obQ
zV}#OrEd@=SdU3B56_SfewIXB+e3x9JScx4GK(qY8<Hdk)I6l)|^&C{P!OA$PeoBaT
zdq{7SYgkaeS#TTkFcTDg{QuE(4&H6QkK3=-)mF-ttJ~CGZQHhOuC~q9wr$&7&DG}i
zOF!S|IVXQWPIB_jeP4K8zK;%8FPzs0H|ffMAs49}HX(Z3W{Y_VL2Bky_64M}(U9nl
zK3Z)<H0#z1h-Ne?;$cfPS&l5PlXE8OBouYaON0geO(@WA1kB(hUjGz~_>D1?$FC50
zZ!LWke>lc?6o4TTx&<?<U&5=1o5Z_$lwYpk(jYLhV5d%sfGO7*t%B@a&bCLR#5rK9
z#m{A_mH}zOBa+I;*knJLJAMi5(5O%z6lcU|R-jN=5=slG%l;*4bvV=)s?bLPOtNC@
zzjMv8UHh2%3s%4o0u9+-{xLxT%wxEpD+)^89D|8hBf_kZfTwEG?wZUr$ZFL^UmCld
zM+mmUTM+pf9MLF%y~x^LL!$D`_)q&ac#!);@3EvMvm2DpZ6^Q8u@}wa>iL!3swXo*
z)NUd&zW1u1VJ`aEjAI&MV0C7&$Sfl6DwL{zt;Vz=;_-|p{wV<2J1?5{UHJ<1U`{tp
zliNL4Q6P`$-4*S1E_jG}>}H-YZ+5iuyR*0Q{-lc_p@9EPm?{AIiVeAHb<89xYfvSb
zVUcWqI=|E27Ky$ji4rH?0JF6{dsz(HKo*Yc=~z)yL)02O-zT#z^(Z5^uwH`m2XhQ&
zzvX7kZfW5A*W982Vmzte70hY1Gv1HXD@p1MIIn!t@4;y?R8yv3@$t5Z=0@;@#MmcT
zr;YjrZf|PRlB&?(RCVZ~yqsgHk|)31#w#|C5-!9-ZFEA)_3T8(EU;Bju35rfo0c6P
zrJq-}xQyAtHc$vQo}&`0Zq3a0X#GfPrnjH!A#cTL<gfji%msFZ1kn%Pyb*rF84Ck$
zML5A-dc*nvhN^D)UD^fU>0Ru{&V4PkTEOYtPFx$RHLcH{&Lv2|USYfY&NfmE++;Y&
z{>KeEqP&bnkA&HnaZorbmij=Q+0q)vnl(Q9nRd>&bw^XRn18P@#R0=}ie|1pGWNAj
z8TL54FrE5cyjAqJpQ8Wk;-Be<7E4nN5;1rK)i6ef%6T24FDurtM#nG)>g44<-z3Hw
zY0DH^T1D+Fq955*<T<TU5P`|Gv~g@oWcL-@>N&NW?+QAj3s;KsN!d0;yjd*PsI4Ih
z#5t(MH@PY>3TI@AFk!~-a&3PyA?v7w{8hJ!7zD2|gJ22%5+L0<55tenW>{1*6RCSo
zB3tj{OLs(G1>*ChuXaCVr%b)x{IpxMkue{ziWuw0bP;!~`wik)n(^MH&#<KKU$_=N
z3e87R|4*I-ag7jot&Afwmj%El5~&RD?{C__Xi2*}`GYTR{$~6B;6_yOaUS1QVxugW
zjX~nGkGJh^@jT(H>abJaAl^k2i*-d<yJs1chTnQd{W6PojZ*7tSQ%2sV_2{@DVL7r
z=k70V<a#~Z{F1ly_ZPCyi5n>0_@1?N(qjGRZmT812tMsmura*zP;Z{++yJ=)#5t1F
z+#>POyMP4oQGEPWQ$8U`u&crUiSlkaU-n%{psBed(;@NyuykSC(CRh|&v^+R<;?Kd
zjbx(MIxaV!nQjyQJ+6WSWrO&bq&Eh7nwl8@JKejY1bn9ZxGr1wk8slo0&HfDo9eqz
zi{}<B!?$0nwmm`DXc^5WwjWByb_{hIP8)7vsLe0KzmItF=OYy!inj-TkvHw~qubZ4
ziw;lVT?7=+YhkTc*!)stFuK<L<1i07NCRkYz%u?7_bL9Spn-5V5k>zg94RQPt^JFW
zwLZ!=*5lE2J*%KH;~csi&s<X8o$e3ANXz5Xa_&VEy`MXIStKg4>=Oh@>#BO;bfkRO
z0mxAwKs7y2^8aWwy}0PLu1j2LZ8`@3;IyK3K$VN{l_=m{JmZS63tmT$e2;apT_D_4
zZSK{St!o3TX)}Wk_VNfWAo1`m;h+5RjU?>R$uC=x2O<QBOT`|yAKsY^6?R5x<%y;m
zzd<f$)UrEz!Azg|T6J|`&2ju2NIKMG=$e{0HR)*YaIvKUQGm4OPCGt*d?yIiaoTgQ
z6FnMp>uNLNaJq|CO11_+P@?Mdtf(Go2A^5-<KwiMwvnK=>+VQoDi$EbLu7|*0IsEN
z8Va7dMXSsr*V8f*r1SQ3?pa!r#@mh^&9Kx1HR5q~T%TwePJ`WSD!zxSG^_3as*bMt
zX>TlweZr=vq#39Z+=@VVpsRV-`cb?m2d(n6%$L=2Ro6t%yl^@~V>vDOPV0Sw)+xHP
zMpP=TAI~j)mBdc(ziw-<CTeX%iG!sr8HXtw&NiYSv_?Wjwo2FPcsoF7Bllx1R|DEs
z`_8q7PE;3R<e61>eOO<=rINaP>Dtl=9|FosOp3DKtEnuvFWw-J;T%OY^&{r#EMj7s
zjCqz>5Mg!_vcIwCwN*qxx*qkZWvYFV$(pk{m%~u7na_3`BLK!P8h@z{>XG_QkW@^{
z8LK+D1{C6@VycdZZ0ZoT(Qg7&3|x0^%uEfWEwVkm3}d~*M%nqWYINcyUW_w$Hhf0B
zeUUtmRS@q0Wgn*uQMzrrOP6pS>kBz4rR_f$-8_E_FJ=3F0TCui?A1~9+3(Q3J8QH9
z(@q~R4Hn_hIY5oePVyba)b_>U5Jw&Bdm{-Xy8wid?VW*I6F~js4XBVcughL%#~{i$
z53hEksjC9hq%U5Vfca<O?G_Xj*FK~U+G$f`v-@3JwS5!g2IDx#R*W+fk(ejJ)o<o>
zBm+_-L9uRwwlvh9zkho8W-isY>BJjp`t?4R^iEf1RSxHC;)l3Zyc-QJ9o@gDQR%^7
zijFCM!gD`B(NvBgS=G5-?lVIHN3cQ+tn$D?JwW_1MLb2DbZW=uq4AnEI?EdC<X)>=
z*B>2PIvXd^G5>~^;+%F8Ee@Rm^8Ff0FewI*sm}6sKgwMzvjXB!kNy(W!DE<N=-4xa
zqg~Ca?zZDpP`0~pn^{eFi&U$di9F-@-`!uIhjrYm?GK1qD5qXG#!U*Ue&M)y52A|U
z+_T4+>pK4h(OXyS?GRWA0dkmzI7~R8$WxO(<JP3+YDOEIxqtjzt@sV_td1VRX`Fpp
z_XuRWJvP-$*=J;e-$6uAV0~nP<oa{KKv$cA%qJc9LWTKO^E=r-2wrP^kvehyFl??J
z0&bF?Y*M*`^X2RtgsH0r>v_=UZCV)X-*g>LD%Bi?TPRh2+-G+$W@*~I&en5xsI5^g
z$OKT(W?>x?8f#l_sIHwkw$P|tlZd+(Z$^s<ac1b;mgIT%P?AZUv5z~VoYT^EVRMwG
zK^k_N8p3-UA8V{7*?U=^m>ePl*dk=3g-9o6sg9?JH!KPrLi`4iAyBXJRsu@EfXHgS
za${zPQ+NDE$9MZl=WdO+w>0)&Q9;FP0qlxmQGGfXl>M}6X+=|ZE60(C^n9`B1^8hg
zx60cmpLiA!PkIM~`br=-pqTyHjJ^VOO%NvUawILDpB{Aykx~P%>U^A3#}=hk8p=QM
zn2u~Lrn;^BpFO=v+bjAVDaK7~P-uL0yjQgD(QrRhnu706bMXQMMSKAXK`DBDe|8ET
z8nZM|R3zGe$6Y6Y4l+}Az6}vro+VtvTvtdbAmJgQg^hLR!p^TlByyn#>7;*OFaH3f
za#lzvA5z0WgU1<5U>?HSLl#GA4qff>n3u2OS7pCRCDi${oP)e=A~A^4;ParxxrNVS
z?S|gm07HG_xZp$?;M;SQpU#wovP(1v&w){#-b1;X!$3$5x5)wD&EPv+Cm>L0h&{6#
z^re1EEud&IWCXuRLqbR_<Zd+4>?58)l>hG(3tBed*aiEzI=|2xbNiGGDk&A+14tF2
z5gMwl#B%{>Xfq7LfwOTk-qFR8Xt@j~o@6wOVyl-E+D!_sHd9|DV<;-zv_U8(^H-!<
zB_{1K@I*+W4;|CF3h11RwjJ~ZVHkDu4kNliYDnX^^6~tjmChqpWu4*4P4PHFa+_K@
zKJGy%ws6-o0#yW@fqQd0)|5Wxn5o5a*6{Lknxm8#BLs;S_+_NUOClMQWlxi$U*6@0
zNyG9%VFdZ2?Pr3n%|x8Zb;8Sq2kow;E6aXscDk}fJ*0rBN`l;*D-gq0j1G`boik{Q
zg(0L2DT=?{Y46HGTa8M9bw@lg{b|>^Q0zR>*c)fVE<S~WKyN|$Al~>+9IE~*@C`v0
z!BaK+nzsN$%JzFi`L}tMwG-<T;__RXAk8?jF=KQ?)fyPp{1SPXU-3VAzd+Qc5$yM-
z8cn@TZ2FA~5%y;#yY*q^Mrd-#$A8n%LYam05z#%UW;_Huaadt)hkUVnQ$sY;O%y(+
zPoYG!WMBx^r;c+nULjqts5uG22lH!F?^fYk$XZ~vgCr8t9|gIThE_IN$5d-L0<cKl
zhp%V2GXaEfk$$YP+T4<@AiOsj<*+FDI^#5@wyyd$YBQ(oSs0YJNFOPjfGAj{Id*h>
z!qe#29qQ+kO24rYmbG}d_b-p2enNAv`ZOBHC5r+lS4Ax8o(j8<v+#(=Hz(mc$D<KT
zHKd$(`!Me!=}2HGndeQUp0}hlsKMMJ>RtOQ_l(qS2#Bo~sDo?y43hoab*`JiNuJrd
z%E}`CU%a*k21kSE-x@Jte+Y3sM&He6_c;b#MXV;8@AIhuKoeFG$|M9VuA+rx#`_<P
zV*oLjM4}{z&Ea-dNk`2`QyAlXK>Svd3Pw}P1ZS0jEC)+&WfQZYRoC9eI$#Em8I)RZ
z-y$Qs=-4k8%UwD<50LL5S(2aw@4EA8I@&lX7$@l?EKG`!7R+fpm*32N<2%eCGH0w)
zfjv+_WDG&e5PPmF10{w{Ry1D(<uM&IH#S4UI3;J5cZ)>*AnVrGF!k#f@L>|Nw~@<h
zClX&23Ys5hY&fBuqfzrw*b~~!z{u0s(N;lXu)~oXaE?vN_+3Puh^ilfP4p)VEmkIH
zsVC@BKK;Im$wD)^so24mmS9Gpq0e$F`?daCFKA?<(oRFeHr64W7(&donM6R9;S$8E
zrCN5$T3NbTN3$RCEI;YaEzg`{7_~WC>3X;mFpMR5YQDb&20zQR9c~s~YO(Js%89-B
zhSXDfzXy@yJ={|8RAZi??iNt?+(#Qw`pPT5R`f~6IT~?ea##XBaMhL(uL|PtLOhzI
z=<WF@gQJqXNsz%uJo|E<?s1Ms^nz(rQy&C%>G~}1MU1e<bD7G;uMXx5<~ruYtI;X^
z-$19R!>x@#h5F_(4#G69Zhl4VMs4igdo?T_Fm1^$U4AaJORW{RX?vqP(YkW^m_Ma@
z@Ly~v9o4fXlzA)Z#iGM|JyEYY*z#h&vJ@<k*fx_guMgnD?2k+j^)X`d8;mY;cg<2Q
z_aqjG4I^Y;F&;jwhl!wIlo6u|u+V_Z>JLrmKGrA7@uiE<;3N{;&XO47Ha@~YDMmiK
zqpDs?S@Rq6dnwh5f3*c$pZ)<#HyvmLINB7;-6xF*g_g4<T}1~$Hsx&+75DA~2%nCm
zCxumq(2eE}YNK3A6{uuIQ*}U+o4?B|f6z?#Gr4v{StL6!4hrXg-w4(tD-xdv)y++l
zdIk2hVWm(VnWo*%fHLW4aEoNL^^Es7pud<Lic`{xenl~Qlu%(wS)?wsuiNbfz98B`
zs!l&qS`_3z$AH0P@o&7(%4&v`Y6}3S7F+7v;KHV#9>9CR#o8W2=rM?gyFDjHBy)CX
zB5^uJ-1Az|L)|-AmuYa|5-r>`TgfSvF*toq%}mV`8;{r*x;qB%=2G;If-$tZcV=(e
zTnbVFKC`3x+b}q&&o4sQc|RNz%EXPfS|C1Q`Bz$Xp+fYesb!L+kw{EnL0TE4S;8u4
z{)m?5mYo`q(ZrMLwBTC7k7llqphosD@&i#47KHJ7JjxcMh?5QvrDX`O5K<Y#+Jik%
zJfDFX)Uk2TJB&u%<nZc;{ccVyG}MC5QqXxGB3S(M*EYYkyGjRYA|Z9F;(HmgLLes)
z^!pp7<Q7?y*sm#7uP;Npm&HQVA7h+Ec!ir|g<fsM7|xrtH3+XG-$dZ?4ngtA?#rY6
zNA09ui|qG2z#3x1yyj?Rf~JMUuhbJ{tpeu$i70nw?Y|G6lO?Z(Os;95A9pwE$RRnO
zmuF4~pCrBoN`(*QOD_y)!J|tyi;ff(nsn5^hS9;J7>5Me>A)Xy*l*BeoylA;QC+WD
zd|I+=bbnc2Y!<-kIYu)|C__?W8tO&&-#VJ1S{ZHKe~_@V!R+h(Ao&4wi`S!kvf0-;
zvpq%uI((dLZd_W@`{(w&MP%;Oe6QNr2-vU-xJcVWvoA0f*sC;gt6_UicQ@=%nBuZG
z<{*_eX`!qchqTcRgN5$tyQxIsqzCIqHpuCfnfBPNbm+jB(>sk{MUtaq|Cb~J0nPIx
ztmoT=_&Mj!+`%gH6vK3&8@2JbdCea*dGC9TVx&#W(y`R;>RjEkrfXs%mI@tg@U_?1
ziyHJ%%bMcf2YoO5WLPf;z;k#gQiq%FqUOJ_%G#z*n4ti47#E7KC^WO~^;0Klljzfu
zGGdX8aOF~2hy4u=`sVSBSX30+En0y%ZQuw(MhEMmG5F=Q|5gy)N^upsK(?PJ+BMYE
z^CJQ)i6=jv3qm4ahyO52e_Hdo1uqjsbe-yoyKO$`5H+m)4_B2={p~X{5OS54WP}yB
zo7Ru)dmV_F8$!;P^D7llC&na=^^?F%RFb0GAd17hDZ{}wjYHbzjBZ<W;F`UWIYS~{
zY3$r9mx{Y3l#8bx?=I@&pyxB3Ge0>M1Nz-!1@@OPli0lA6u3$5w3NooQay`Eiehe?
zqN#Y$@+D4`pzJr!Wi$aXPyGK@9}0P=KIeck2p~Ju4)B%#RD-Z^7X)5`74>Oi#9&-`
zRtSq}I36^Qx+OP)Y%@mT)X!sFzt4b&;)6g4e%t={H<5zdZtOjc0AycMJZLu%FoaE?
zqy63BACzBk$CM~@B{IXI3^KK>|1)Ymukl+s{|w*dze0wpU@w>q?l(=KU=#*VuR%m*
z;kA%%7%)C+RDe8}jwOW3@SU|q()s~&qgR})-USLD5Ov;SwEKfK8WSA;PyeWicUH#~
zyou~TYVBbIDV&e!QBlR^m`BR=MJqba0e^D+BSlD1yLhF}-qs;fOPZV!9w3W<KF79K
zLu-^~x{5<i#nJO<)icb6dy&f|`}L>&lvb=?`d2c|wh*fRYX6}So_5m_;v+z!bOnn=
z;dky=^XoW;sK4iMLT!%4x8QT)#iMa4Q4iK_pPE7<omjfb#M<sLDEON&%5)TTA973l
zlQHyuno_Pro`NRqvdmy$USA4K(6p$IX_btT!1e<x&@A?y{F^SL2nI<31VLPdI(ESg
zeZaa7sn6Fn300EB{nq`MM2A&{LSS!G0Gw!Fd<g$!v5YbS!pdXK2&qNFOg}w=YNHn{
zBC?_zZrAN+gD}%WnrD&<=rhE{1L~9JMN6KO7Q}WqcpE=K#bsx)+xAm+9LEA;KoW>T
zop#y?NVfR7xz#nfuaMLO7e6txT&?H3egs{7j>Pjj_a@40mX{zBG1qtf?-F!26BLZ=
z4bQFy2lF98EG=PxMiKYsF4F$-SU98Bet~XJLHufiGs{NJ>1Vv)IG>te?SAYt+b|O_
zw=?HZWYIj5VK!9rK3?O_Pv@*H;!Qq>>Dyx{_728L+R4`a3r$$x{k&3GS)>;#A$Fvg
zxOZV-;dg=co_-9RO{}&YLaO6^f6Hsp6d#5zX;^wmz^K|gZe~l`nxi!PlfQ_lSqane
zSHhAbJ8j$#M^pl@gK2d9zataeuFowUSRe_9I|=MA^^3(OlbQHx{o+>Q`UtaU=%aaq
zDP9Ur{jd~l@$LxlZDV#ijNK83`I*j`H8Fs+2nzc9ewV+PIzleAb-@Iih)P5`r*uKV
z`inUA9_KY&algjKxg!=V=6nRRYshXo(NF>*0qWMyewsv;Yp}G9QW){_?6kJ~>Hs0z
z#VRY4tltZ4Lj0GhZ8#>AwNhu6UcK>x=JdLQ?gZ|&KbJvNS4q}fPOthOKWtZ>MXzw4
z>LJY`)|wrjKqh;mEAFVtuV^@C1&)ddo8iP=CfFcAuz6ahylYlhVgI&8np*t1<iPfs
zR|x!%AOhy4?uUT$f}nWo_di!W*hKT*mAWwes!Z?+;J@anB8_AVR>Jp;mIJmcKBCmJ
zGg22E{#XCO1E<gWWk7q)Zhor+ARgYF!f5xYIJ6%f`a^ixRgH=i6cVj^6K$ix_c{?w
zA%sGD6fZ1lsh}*4VSM6KtRNAGfk=A9vQB^Tty$Fzr^ndfhdlLEmE|zY^f+tCk7EGc
zI)4TWz12pcW(L-h-~fwV*51w)MvtkuiBa4;;p=RuWy4tt+dy8~2eigMheP5ab2`cT
zRRO6onjxasWLRY;pO6?%!K3%NtF?Jfu0eM{)0!i0+gyrJ&U`txG==N83w8Y!6oEzZ
zLVtl1t-y{K(}=SmbLElu+NcoN60D1obMwdfY5FYuwUWfY1i7bCTG=^P%NopC#s=l)
zOpjUdx_)B**C;9m#=wl+<>|64q~!>IuN?ZZFL`Jgx4HL&us^$o#H;hg+HidL7d(6e
ze7qz;V<$@dAsfHt=4*5nNQ;PIWD>nCz}J#i0=C22H!BDw_iqdnL@P@-+;b-DI+7wv
z;D-MltZ-bd9CI>Xy8dweA`AG^>i!CV-`s#pnrE=xJXk;uLY3XTN4W#T2b9bgI}SH2
z_Gp&Io$`F2m}f!ek}LdTNE*4F!FDIv3aO1IUEI0ONv&9H_GKhAgC|FA{@GG@F3HLc
z84TECvcMKm-bq;X`|t5CCnp8r5r#25_VD?7)^Fw1iQPw(V=JAVu)rHykdiO3=R50G
z5KEPQipp++|25|^ivW9C<u2%+2S0W%*f{jAC%ioLZmG-$b(I$iA-xiKmq?fa%_#Kq
zg^M&u?B(+G;NKQ{0h5R$P65}18QwNtLwMmZ;Xg&5sur}r`qJ6QrtEl~Rl$JcbOs?m
ze21@hN$?|^33Z(!uG1l56K%0%br2pD&}>+NsFA<+Bh(q}V&+;jhi05z@R@6-*kWPE
z%dpm>!*ER}odiMyn0&aAN=t{8g-B%*Eol!0uik0i4a9?J5sWtpk8(?Hyngk*^b9-h
z5<>g>Wgo+#$+d~zvBZE6N^+0YcnS{|e!KGsQ5%K>umzN_QQ}LXoo&X%XIGDp%nE?D
ztThL-SwGgadAf$%=|Ir974O7*c*Ys9)J#n48@`UUf}^P%hjGPxa%j|`cwTsAqZ34V
z<&^zAc0v+>86bCvn-T~xbT1L*6?#8dV#XYXD(_bJ?}tYD(#EKc7ap|(CG#4#o3H^2
z9?P=o$<(6`$@9v8$toA0-8_-12#Yq3+IK;xO(W^o)WMCng);^?&V^DL=3%t4t%!+6
z*CPic;MELAPhD5-CI|Q8Ixwmsh#7Vn`Rp?PC8!@_<Mm){O4r$~InTJLN+{0424mt>
zHYj;^$XOEB(|={6&Qe%m^ve2mDo=z%cNb&+i%CYXVu*b9i`fzE<4YQ`<e@@MOe<I6
zF%^uyF2!gypHiG;HDYmZlhcXJoiRZTB)A+hw`Q6+Bm7~BjTR$T<tX%1?MAqUZ9sO<
zxy>#9w|v}^aFia0_*mba{Sr?QTx0|RJahSDQc3=s${hNbP~fuMv=JEd6}w`x4zceo
zlzap0davq}G<u@!4EZzK6~<`o_gxu?lVQhVX1D_b*n=nU1uDbp*pg-WpcmUHd-_an
zz4XWNYuZ~WR9FGlqwbd}xO}3b^!*zar%DMzzWu^}1JtDo%ADZu$Drjb{u!tdU(Zc+
zB$#aF%(@4syFBy+rrYU%xaC11JNv}6{#%e=d6ncdxa69VM^0cLzL|B{6G{@UxY9Lb
zXIQc4Xwp}o5=E2?D81z9JSxOn^H6(8C>xQR|1#saP@zZVRBQ)UD%k7r+&jxpcF$rF
zXrKKdJ{=$bf_jyF)yA^M=X{-KqA^wQlE>Qe2~`6j<nS}Vd;N{&f$A}k`*1a;Umpx}
zGc7v}0MbVDwPXnS=U)813iY#)w|n9Z@~A?&s+4{9IO+)aQM?i5(vNk&Wh9Mq=BzAs
zp`{)iHQkffjp7KKxJ}t(o9kRScoKVnc7&0AwE6b?b%A~FG$W#(xxtC>|Ck6UR)Prz
z>fKC<r%eAT>PO!Q#h9&~jLs)<$u1HOjYC9gLi4W#YkW&}#BoY_$LZu`er4TttX00$
z)?CreK1gEXGu};a70o;x3Qe6D)gO5#0J?FQW|Cie|M#~+ORlfIZ{eip6Q%Jp_We(9
zSS`y(M%KY$1TG$EYGOh7oaKEAwiX;gg#`&Z@UHU9{?T%N`CR%I(~&k6>F`NWNYFfj
zlc=sB!hn%__#gxY_)AFNe!oOPbx}d5Lgux=a=fD6kqzMpv}bPg@v+$|r&0~87tW76
zs7wMS65&;gV^E4%7?%^1b*3mbNI}LVwAOdaWwe%GS*G?;&2X!wQT3XjY^WL9UPh#D
z`O#c{s$$~^*lfBGs$=P@S9qqpF9;h&NgaD+QAjjhtBW;%e^vdx*TaBr1H+x?t9nUF
zs{$r3`#ai}tg`G=1LkF=>LYdfJUp7Hd~oL_QAEj`jXRNQea9bB%D_%ZqiQeA%&1Es
zP2=jAl!!_X_YBrkdH;~a?BDnLcW7R4X@qCiImNbgLZu|W@;|0-56)fcE8c(~#%4T+
zlYOh(lbUt$bC7-eL&hPYXgaI3NmV?ZCqEnVrsl0?l#_H+CuL>+#XttIa#c&Li%K<(
zLEHMy2`Q^^FvMb5nL*M4XAD9DQ8-`3lq`IGcEk(zQ@}h8o%|XtjmD`aT#>}bOhZok
zt1~7F;UCRNRc0a&)#jZ%NYeO!eS88hEcW)xkm4=a`l?tK9Cn>wK*XnpBZ;d{4M25i
zg|y~FsaqFD{VZGXY$drpp_XOqn=$d!?mxTyvt7SvO9LoZ9B}BCo5@fRw}Fkt6AO>C
z*{<rc7Rhd2`-Al_pve1&MHsX`#RJD_XTatpA-aJDpdK#;p{qN2VyA^=%~`PyUnHc1
z+30cU{rLW(Kj0`@A<^fDMFH*KT^NZ;*>#TFXhCn2o#Se005;rH%`oM-ORA_?2pX5%
z(J;<G$ub~%qDMybNCL1e<a@8ELjxkbospy&4nA5`O&oh^tP$Oc?_GY9st(%^>vz+d
z>qwk1zQ&b0PZNu}Hz!4A9KQl`>&PP2edTV^`ipmOZO<P?r`})xi|EyU0Y~<W)hL+3
z2^=lUxy~ud+Msj1xU6Yyh4vX}v5o0-m?sH9i!>J3l<bXqX8ERwRub=Qv8T{VJCMTI
zs+BIFs-B^qK`i;Ytj}wF`7gE0E4GIr`_I201^Gz~oJCpVRTM#RMWq|Z%;L7@ERJwS
z!@p2C5tYbtXE>&vonVMdNJ0gpHW*KfwT_r2@+B0)0pZSkc>;<b_Z>aQDr#2C>s~!i
zZ?#WeS53KZu}@wXO*JkAge#{Ho;o#uG)+CQ9o1t|a*H)EEgqWp?H??^0E$TnA7Pw)
z#)xtG8U9@&=dM4-I10=iU`<6aXlaOt&Y)=~<-;A;AWH$~rr)PoNFi@$D29?_tp}=q
zb-KQwh^%54hZ_tiyE=>gO=o<6NNO|<Bl*@)t~R%bn#L_j889NiUtscRDaOov0sLl(
zqr!EhFf5S3+@|SQvMvv%G0Q?X5W`pcq0GFH#lfc)V2-%aQ0d4Q<;De}q4qty7%Mzt
zb~=9~-;%fZp486;fOpJGt`Pet(~%q5g9`VRnk;_fOwg?{UW<lg8n%cOXYfD++gxa&
z`6jSeOeG}<1KFt%T@c|5D-7v?O9&AceA(OpNvMGT_f|#56(rIpjO1Adv)eURPb8sf
zk5JRTyz{2^s5Vg%S;814qgi7}8z4?TsEI-5HoGH44S8NzO%nx=M09CR49&$S#Fwu^
zkY|DBSmCH~5X~n2JIh6LsYSWcIlpijLw=1lR&Wuba!4eq+)6=a%owJU3%r=*F3V%l
zTgbiYw6C|liokvezB%+gUElIl4j<~oF`5kMmdqt8msCtn!bo0=5Vp|oe3gl@VJt`Q
zu;;E6)ZTa2-YBy&nZ2oU0!`u0Y^VYNH_z}@iOs~8x|M$z&`dE?b?FcAP&Sf>qp#cg
ziG0U=Oz^_;W@*}=IbmV@8y>i?(eC_l);CY&&03Inb};+1Tw4LnTIZ%NcDTLe!6~ub
z#Az>Piggge*pv+TPww{Hu}ml#OPKfYzVXz&@!~l`k%K703l)^$Hz>AH|Cdo5E5$qF
zh}o1W0aK#eu_OMIWQ@cF5@}=YB1t^A5-Y97o@Dgp#+NY01*l}r@N@FH56cYnHj#z;
zZeS9JoPDXt3aP0Ou!2@kW;R)Fg?>=Uz}PF}=LH{Uq3Iah=9|`$@?WKMh$L5wcvn|5
zk&B@yYIOb%i<w&%<~T+KbaS<EaScA6=S?#NL*safP>AqoX~XSC<hw+I?n2bzFDp&6
zT8{-Od%E-o!YP{B<=MA@ES&G7g?$M>S7S_k4Qn^?*};FZW1~P?XfVE%B5n0nfpbVo
zEs(e~FSJ}%-oVI}E^qs=ST{Ei)9W5rdL?1+(XaX9<ZT($8qE+q!sL4$O1c^4C7}=K
zux>qCU*%Wy<D8g_dKz-CwLx(2_3lobkJj@_H)0#Sm8SweFoYW$F^ih1d`s0|B#1`D
z{FGfGF^25(6_y%kbCPO&>PpKAsLNMixw<rSL@J`Z^}U1w{@T7bf<cn9F0ajE6z#@E
z;$VAme<c4@JwyRZS<aA8i(0Y<s1PvqhDo=aA)cOXvC!d>tOONL2}fU8>JFB+XFMcm
z2lslSFmfjZPD!NftItkC6{9GsHRx7}0kIOL9;YZ2(^xZICM(w(zbx3ukTKWq2oN#L
zds%Ag|AYbL`?5xAm1NUN!&ulpqWbZQwAQqfaxJd$FU(s$jS-n{J}w3G)aHAV7OK&`
zP$MVs=Y5Ysnbx%Jh_&;QxuL8bq`1G%`UqS6B2S=PHgD|RG!mBxv!XmshD?Dvjvx@X
za}wjCIUdETmG6J}RID&5Yrdhklo$N9t5|Rx2jIL>0@WK)$}Tq=1RH<?6CgvXFV7l+
zE@JMVq-e|3>6<ZSzF>YoF2%@b(Qc7nvbyqGz1FZyLBp8s5h7FDzbGxaN@Hcgko>sB
zvVst1o6)8`&XW)Gt7sWXW?4}olWy7q8v#G*+5)$gGkdAGdwpG#2JI07<>a4EayK`X
zoRqmc5if*L;`r>H3r?k%*gT){FM7oMu$oG0@7C7mu?FP6;>rppX|(;Fqae3q)OhLk
z8CTNnIo5u~^gGmt>6OZF6_P5<$APeH6cC5Rzl5c)K_XO_`!`wZh{uPwd${V38{_-a
z-zzZD8-JTK*VSF5h1l()T>adCtvG*3Xo3CClPP8MR|l_;DjaD78-O3O@C0Xvmpfgw
zj?C}@HT$|2&7Pm5xcA}%&deQ)Vk3Wz{oDE)?Cjddd7LGb{VSGH#?wfJonPlJA-=8}
z@04*e%gs2jet*f}cXtut(0O(MG+=2xQa~r^5xjs{TzvO?%FpVc<`KmGsFL6JT3E)m
z<>yt@EBG>WtgXNrx74*p@SIvSG-j=rS3+m30?V4411p%IUL=@W*m>P3&=RPXl4-$j
z{I<Z>Va!D`fmde)nJL~FHnScjVG<WNL;BcJj|ki1^s2FY5`(@*p4Gv~-!)q`{TvUb
z`R<E|Y!~Y+8WHmF`hK%(X1QBzi=(idy)2;nv$AGi(vTJZ7|KQ23xo6-Bb?m!H-xcw
zo*Arvw&HI1DRwp~a)|8c>BLhQ#)c?Tb?jMaq#!$^q_+AI3-k%o?q;}`EJ}$}N(AwP
z-mNEUEs8j{%TGeytbWtuAPYCb#7$33r<FDn^#hnw2R4XItqwHt$ORuJ(R7)Osc>wz
z-_t2HqiFZX6bg*wX-^Xg+`xX<MBbul;8Ufv>qQQo^wm$`PpW3C)Klo%w?VvKn{^xL
z!B6<E?ze%fD3*CRug`Hrs0|-`?3DwQ=0Fd^M$8cTMMMcc=S2LXV)tmyj5rRReA2r{
z)eAn0!QTZNpccj(NrXQ4#{A+GVP}d<iNIyZ<O2oDtRv2A__h~S<<S(EU2F621!X+b
z?%nQ|@Uq%%8GOZO=O?a}!I2L3Xj4zUj{RV3O>U#oEo&_6sB{}jD}$p>MlOxr3beYQ
zJ=2_w=gK(u6h!Rk+fAYnjPS$g7q3gk5Z4j7I3=Y{w+Vtd-0uWOjE$wQOK0&4qru>b
z>@+oHuj~1i*dbwTrOlc2#;b9EDxoh+ySe(4k2XZ5OpY@KP{qnLG=W!u?GA;iXP2mQ
z8eIYIi5%Ts1dEw8XPvvQ?bPm;25GYURoJ-qN_8eqK++US=f6pQ=rx}egQ!jrRq+gb
z@1Wv@F1lj^jFtyGW2D+6zwwJseYQWn>9Xjt$4miFT19g*CO*?_F$>dIF$K%{<`?#O
z<RbKLJnh&PpJs?O3@vdHReMXYF@IV^fsIh8VG8j%OQ}ldkV`=mFYg@q$XpX;%pYG)
z(`USoc;tu|5^*rH@b|mP4bk60HF~!{bqJNXIni;2U5*D1KRfi1J!b=t%8J)G;|-d&
zLrgMqezQ1qbzvhrTk45%??*A8#C7S3y)6CBQ%JE&gcor>Vj5<KfZF;8O5rHgNL6!W
zeTF%IlaVHJ?SDoEX}GEwYTT#A(s|cgO>_v${%ZCwwnxQ5FZs0mjjQmu$NwgTBrF`f
zWdcT?uW94XeyCwtb^2R-GyA8EebVpn$7S92ob}~W&E){kIMkFl=8_!k92tsn&gk;9
z^~x=%DqU3qh4JG^XUnX*(?JlZ5hB8F{wl*Kb8*qj`%w))3annU&w66W{*m;dg6Ywi
z^EN8hdUh)fZ%~M_c4_^!5uLi}BB6TfZz1Yc6q<WZkZDl-g)PAp%;|UdV_Df!9u&1v
zMkt;ujEs*(7~iGpC~8v5(Qb@@b~CcFQr8s-R^sl}6hw|7%iUp1qPUH)3z{W;S6df!
z8h+3FL1<c#;ktNA@vhsIeF|FJ<?YCMPg6R$Ghy&bZ$!|G!M#4Bj1=lfyF~0{<pLCo
z^IZt98vqcMnwoy{Evb~X6Ju&zZCHSJ02iA83l5Y;#ehkW>EqxE1RfogNfPJdb3z)B
zcmON(C{`o|QIo`{RI`-zGhZi4&ln(WnalSE%Dzy>u8JFYXJY-U{Z`>>R<nOwo@_R7
zXM|De)|~d(cx18VI6zhO>_x0k%Xigz$8n#oE%O7x%!X@Isu4ZcWaTdXdBM>Zt-~!9
zWz3&ayBQLA9Y*GzN@1jWNljMiqN*wtzpA6TRU!^%qe!NO!d;3Yb8;1u<!W;!{UVS?
zV1{>9Nt5spdZWIx#5RskbqY!%`^G>k_3E-2*SMMCEDdt!)N3mbYh?MD@a5n*PG^SA
z#dx<?ms0)d&9cm1v1N$DG@Z)i>XQqC5zk0xp0?;aP@UH56Vbh0ZoEcgO?XQV85=dX
z$(?%A=N@XTynOrcxfxk|(kAckLSZaNnU#_RQcT*udr6oJfN)(jcPTZKKB#qAgC05N
z=~)ONF?jR&VI)UCJ#yA{aLn#r&M((|JR-jDU+x(o?LUeqvb)VHj}c~xN)Q<SsdjiR
zmq=9f9PZvCKcjL)+RsZh`9m>?Ml;TxU3}Oqlf<Q|H0`C~n9HUso86VG4m=S)q%c)F
z1I=jI7o!8L=HM7i!#t6vUy>0PvJ15#PmZ!;kproisOCanM5|l7H7`v9UYGPfR0zHM
z(c4+Pu!=N)5e?TCa0{c(BVp@U00|Okis>AFErxJA!U({q2+qYMXl?g;l`TBbJun{Q
z!iGD$`%QC)$ZK`Z@IGl@;;uW*hzcNmN1F|496<9d5vkyEHY<>9A#LfkmF?VyKwuE&
zt;yZ_|15yfx4~-GX`*F)j)zn+k#r7|rD|?)4*S|CKtzd4qQN8=lHAgK;XM;+!VKf;
zHPYND#IAj~)ZAkc>+SH+n%I1MGp@nJa?N*5W)(5Sgb)pzUbD2_T>=wqKW^@&I1?75
z9yaH+Rz&XZWoJ^ys{9PB(esso)#bzKOR;}0R0g*I2;$mUs7d2<+d;m&i15%aRjQAV
zz;Kt?2v@VUsom{Q&PN69k6Y3oh6>fiG|c(w^;56+;9B}H=x>UabIV8AiRn~povg>p
z&nfMkH7xXQr8LEIZW+ItzuYYZW9ycJH*#P6%(SEe6Lysarg$V*C%52PyM1>GAK%n_
zv}MB`Vv)GQ=AXjjcLYO~-0=N-m&@RI8@;5a_hhTA;{8%XC_F#!#+bD$BW*_|xjq@C
zA8knwx)ccNqr)tE76!~2;#{P5ZCJC;wKl`DP^8SUTnsI|_fgeBfcA%(m^zX*bt}T5
z+U89G=U|%*1?8h{6hO+^)v27Q%<TuAZB}3+x?KkOk{vqF<Shx16&W(M)g*)Pukl4s
zC3Jp5`r~qvt#~3g^Px4VEW7tphEED{(-_+c>haN<+kCX~IxDQ$fT}UwCK_u=n`UW9
z5@kJusLG4k>CyMTQUN3dvE~!mNn}3nr}5hS;5gXt&=XS*=#2j6?xO2D7)sb|Se!jS
z-3pHiRqj+4Y3S~fLW6t<8~W4_Oc2mJoTQXTEwGlbOiQpyj1`vl-6b7Y+4VD&oDrvT
zuEJuOFVj?g9x4vg!!73qg_Em?foG5<(VRo>YmA<9QTBSaDVN1qlV6}EjPg*A6k<J-
zz<))z4+KTw46~OMwB!6;?=V_a`E^0j-)Vp&Z837D76FYP7;ZQpNI79^sl#H@G@GN@
z5s9O+Qazrqi^3reQ4AHz1&EXZN%{>jhhl;`bfzIk9}igZDXcG$v{h7oC1pxy_)HV|
zmfHZA{wNVyUJ#k)&%JG3@`*m@^b4#pysMnzZDY{2u_`ljJWtqFagoj4zV)}e#5({b
z@w<}spS0FTN<ySGD1wHJG2P%4TYd;e><lI<JY(~+OaZBrQwo{tgo|)hh3H>cMu*EW
zKm2HpF83+N@Ulz1oYq-kqDr>(eo^B3=8uhzv4|0Zw=$J|X=qAFq5S63-N;n)(_aO<
z3;&h6GuUb`o6)45?x8X>+M^nXKQ6i`MKcf)o4m!6)McQ2C_swiF<oQay6)`^>S|Ue
zRqT?Ib_Dj0N+#{qVyGY8T&ht<G2bDW2Vg;<!=|afAkKkFd@EL10HhBt8uf0vDFg`-
z1=}04r8qTYi}0B_Ld!W3N%Y2hOoA5^D|LR6)za>WpogS!BQ~3hSk@A~aAcjhHx>F3
z9$hz3D1oMb#0)^C4(V(6U_M6s{VbH8mu>}1=J_G4Fz75Dm83OSe?6X)=Htx@FBP9Q
z7&*?v$5Nh=q0*B0=ewo>OH>98BDW#)j<b{cif|r?){n@fp(jH5eL&yk>+oe|VHDFO
zHzwdV0XAElXRh>&iqjyT*p4!35=EpuMxEW#L<h6MoYI}$MGsctvrdjvIL=hv+0cUG
zLS(lRgp!^AJp#v<753}&IG#jodSG8^DmZYo#Oz{)0{*2Oiv_R9e$P14uM#_=64N5r
zh;AolTtse8*v(9t{LlLR6zpQy6vx{DXh>y|q~E`J@ghz3rE=F?46sqtt4vH3@&hvF
zvRH}ZtMpZ#;o?C)_Q?>mMEbF2qfNVKVz?0a!#ChUHUV1wg%U*4PiDE%tzaM-t~$b;
zq}f$j{8XDX^$Nh;dFl7JSz%Vvkg{vkSoc956ZUmH@^+(cPwXDHZ=6nvK9C^tsJs&k
zvJj=o0>S>-C0rAnT$RJJ8o1sq3Ph$vZ<zJ_gMv5OueQ)_!;7yiC&IGiUlWs`U_yJJ
z7EAbCV&l(mZagFfPFRTIoTmn*T|Qa+y@ukr%*^SyMA!abR|B_MiPGXeeMP>PF*%Cr
zx?V-tRj4WUuF90cx4R$z?o27@a}RVZjqRHM@b1yTXD9RD0-0N)jc5ZE)%3dJq^m)x
znm;g+)N=-0gJDb@^*oAbl+d@u!bk~sOXCKaxMPQBD?SbS4AZZYrsdL#vZExD0df<~
zR-W*f6T;Pfi==x=s%m?wfFwzeJUU1zyt3Z>{IN725!rO&-SBbg&GUXbwX<pKk54=o
zC{(F5Y{krVOpw@a-c<LQz!0*jx}_qnPeOp?XryfkGSyBBVfc=i*X!>!Q?nOXS>MSe
zg!!}_%G-ZFeSvMmgeV{;)8@X1p36bn2K*S5ahD#F&_J0jy8=b&I5j7lVkTQrXo+jF
zAwmY}1P&Axf_7*8XF|-!8T){Z=>pP1(05&AyKA6ISoQh^A?e!wKE+QPBYDMqY{2BA
zsVUE&$_5x5)@UZE+9`+RGf_b{`vrVq|GKN>u3l+LbBjBdFIdF;5c>rhtJ32vz5KKA
z3(?E00b-M?<YUC=A@v6IiJn(fP8AuB##Qai+>vWh*4<dr2*uVa7AfosTyo(bEz;G=
zSOEgSH7H(g1zBdRmC6X%hO(Y5iOxbK#3Pj&PfX(Gy+O&4F`g<8!_qc9lJwIIZIgL_
zQzA4#;7&<YvCCguu;vl1Ml$28eo-*~Q26v&l@w>cLp9$bT?Kym`)<1g{woc@>}a?#
z=sM6=)5W;Z%_Nr;{BzQ17aZz_MPcwSVKcF#K4*-^wu>zTo_tNrBA-G~90O*uA!-IY
zAU3pw_rhXfo?yyHk^Tur*1LdeP8Uv)aM^b-?-Vzt9qp}o&a%t1PG7Tz@9!t^eEYPC
zrN^=q{q45-=E?|+SC;*rxRg714Qy!VqyT#~GY5qG`my!8AitlM_Ek{!L7)es^hyq)
z`5@DD@)N!;y@6G6!ZA$0rOjOunsHtlu=QSgKi?BInbfDXb*9<{w$;mA&Fca}e(0h#
z8jVn<mvMgVNDwGpQG!?7Ookae_(dqVJp7^LL<mTxkauL0h@Tyk3+f33Z-?SQYw&Or
zQ@WDGewcS^)qw3tC(}(shS>}HyVCvG^fv{`$dK(+6T$e$#T5VLM)1fZ9Cnqz<bJgJ
zG$E@|a;MeNBk_>uLQ;`}#I+6C&snYzMR9iKYL9YFUuWm|wut(h!tcD{Q2Y{<A|lF$
zstn}h@@NNBdN=U$3UzApx;Vz+JBwh@dP)Qey5Y*?8spC5TBMevRjbBha&&l5wi$s-
z;#^TF{G=ojD1}gW9N9tUhr9^V5m3&YsDV@|;{wv`Rd7cI3REy6vW-E$6$KIUKa%|&
zK|JzQh2-X=QgF-gqY{{2Rar7J)AFBBQDarl7o78a6Qz<Xh7Zlw^cE`ob@#Z4bJVh4
z+FcxnVrV(Z)ra?<&6rNZ!Q#|}2I?&$f^ftVVPa^1$IH<Igi7j*!kFje-UsF4y3W*G
z$nMIosN_5%AR>hCYD=YJv*XQu;R2Sv=joXr^Ht<79oS#Mq?tcgzor#dVr#M)eP;qs
z4@Y?5GeQ%QHantlGOwUO59PK_mG)XxW|sOe)&w5L!(D<>lg+&@2CQ?75^|;ihf;@B
z#ZW1%yS(HG<`krls#j*r#O*I2p4t{_u6zq;HMW@#Yi@ma9pj!IJ#)_w&}13~TW!QL
zO9{QOZ4M?ed}LOG`>T|(Wj;(zwWkr;)HdvcFls_LNv05Qb;?qWiYV&%WUXUz#ipaw
z**AG0fJQSpGOIYa79qju0E-tG_ce{9%0Mkk5RE!am!8b*YeI`{3N4w4!7BOG)@a(e
z%yQQGL2j8~(2y8l3F9unTT*s<>P>RIl-fTRM3?iO3Z%#Pv5NR{n4~0$gi&8FJbMe%
zrb)QjSkKo(#@|i@U-LY6ut%&>#(gu&lOT<Q8=@)yMn>X@6dvDrq&5aF*!qwZaknIP
z){nk)X7$$=1DviT>qjG;OvZza;SDPruk1vPY4KNBQRaCFov=QXEgb@jc=PL5LAe3T
zp36N!=zAu=V-M9cbRk?cqK^}?22NbE2Mm)E;7hriGJ85|8;r!8oyUZhwF~xdbuPMO
zKs@bUi5F-df@jLbcpq|wJd(y#qC6s*InX~5VEJ5LsG@;LdK>GXv89u;!{iF2S+GP*
zQ>B$&m_IBCq@M14_}J1ppt)5B2_TB7W1=vXyx{eDzziX=Dn1V}@c0!*n-lG~`VTws
zu%XXYw0}<<%YM~i=Yhpq2~f$s+poz+VIC92tOx6t?+0q=bal!1=OWby2!cEv-@Af~
zk^^Q6t)^4rs+?>y!o!)Cr8ph#_sW7i{id``g(YFM$WDW>znlEG0HCLwNIs|0RqLKH
z4D%=FP*$+!#M7R!T(ObEU!Dz0KlOfHn<3K?jgqG7&9InRzUv@yE^d-+gAT9pOYST6
z-RFQ<)7SKpbQrm|dVFfr5i}~Q!1}$nv*KRGo65<w{&a$gQcHql`FvUq#u4>149*3*
zY#D*HhA%tkW0Rht+?#z6mG0`AV<2J?h7>ZKG`3~6D9R1}%{K;27q`bXv;9f?%AIlZ
z81{vUlKtGgM697PX+1>|nxiOqVhdF|FcXP^yslB6jnersFp7lYs4-|WW2(Kf(SCV>
zG9YzKf)YU9&9YV`EfS;+gI*R;=I5gNP61OP6xe?(v!c9lo{M?wU7rB_R<|~sCC8c4
zRT_%&9Z1Q`93BE0M4_+L3WGs!X(K#GW`2)m0Dw%Zv#HW|)Sn*;lL@tn!=c}fE6U<T
zlFO37X6LgV`T%fF=s<&kK;u{tw<kUZo{YJcDJ}cMIA9@*2JJ`s$OM#<L&jc}Nd}_K
z9?up=ACI`WJW3)TcLBn}-DiT1=a0q=ngPRiLWZw2PrUTZ!c0IE9*odajW%)NAex(n
zyKqDj2LVMz(Ru5!M)H{?*tAL0@I{Q7&e6vR$n*f|{B%_3a70>+1AGG*5kla^zC?<W
z`l)4NWd-@bXtMjL+73G8s`nZ_rX<o(R3L{5ERmxiW;9HpeEkZ|X=6>3N{?^yD`@YD
z=a#zAP`_u#zZg7DVJTk4?4^Z|?oL=~$jmXh{k_(+Ay0+uspsFvT2l#m>f1g=Z$qDc
ze$*>GGTO$@J*rHpnq_yFcT05pI%8t~A<9RoN4e#ls#u7eMeczy-E6%)L%)t6xy2ud
zzqWXR)#V+4ZDW@-cAz?U*{|Y!CfnJEqww@SrGlbg{+edSmzG*vQDcxWjh!ACU6+Ag
zZN(9|HaRboX6sxQ(4d3lEP|5C9A*P`L0T)D7|v7_akp$11f?DybA-OK15|XlzrvEW
ziS;ikB@Z4EA7)efhI6l7wu`m4qah3A<G);Jvv!DI$sJEIq2mpZu|-=9_{+XX_aR7o
zYEJcSDdIs07tweQ`qa~+E3)@qYwA&>j_;7W_*mmmxGg97a}J9|GAZJPNzAN=Gz%Lt
zM`;GplFntM$Tmx)Q~2BdrD7BY_uG)ETEFj&FuTLm3lC2WvdH|KceC*<ic$h|gTT7K
zr&|AoVPaX%gI3YeQq`(#vh^Fv0y+!}ZSpJb1SzKA$m0IJ(p`R<)d)VpKn!zN2aTxs
zsL#!U$|#@_8%upWb`y=1=g-k+)kW_jlcuY>Lnmf)CP-39A66wr@$Pf(%L<2|Dz$JZ
zHn#MH5dueu1v$lJS&NxIenNgA;ThDx5@tI{|10zzhysjF5!`$IEU~juAhXexV-ONe
z6F|<AqRn3)ECio%Tr@6loF*+uIy4N+3f|HNM|U3!Tw8H4b$G#%%hDu>4xkF2Z{6z6
z*uJR=E;62FK|~;WE0iHwBFHqEFG#mCR-m@md6)YvkwqyROCKrBYf#^@q`y3r+BBqs
z(TMZUC~j$H#}a-I4MD0BzsuzCzmJe7NL00U5#u><H>^u3rkcLvAQ%&KT9VfZ%aV~y
zq^YUa)$FQi&zYNP81}$UZj31leH45x=T-*lOr+WJ(RpzNr}+p=A;klH^cr7B<qc7_
z!bu7vC6z~U;mW!3T704$J;`hNBGGxGOsVTkp-`N64MGmbYe`#<gael9by`HHKQQZ*
ziIDD)wS#S;{8U(O`PTiRjm8->%@xcuZL@qVq%URH{-_&^)MBhuX`_cuFVUoG%)^mL
zSZnGnkf!B~!7_O7!pn^8n5R#Yu<GC<HY%PpS`KqWv`|^E=9GXREV&N@%<P?+1~Oi!
z7R6%l=Sc58U!27zDY#=3g^UA#ZefZn5(L&T-R92As1r(I%+;E#rWvX0$18I|j4>h;
znuW3^W@t^F8l#Dje#fCH*UlILjgwmXrUDJqhy@L*OzL~QQf3V?$Tu2UjkX@MoTd%j
zW*aX-;t;c_xbovFIU-f%uqO5b>_A1ZS$ryOiGRIh%52{S?>vT;`E8|g>;JL$6<$?#
zP5X3rNl15hhe#t0hYsoP20=jSknV0cbSf!Gw}_;GNJ>gb3w$>me4h9Be*eL5eQUAK
zI>0&iz4z>yYp$7l@0q50D&!iM1Xx`nox<pX0?qtLMukY#Vl&~h3y~hz5N(Y(V!;vl
zxW@kK9l9Q#72X9Mh34a%H&5CFF@xi^j)D@P@$<iE#-TBM=-QFc=c)p&U$)u6HKKSz
zg@VvE!@k&sGw6AwzU4DR5BwEk>C|fss$w*%V21B~o8fyN-^xeq9QLFkN8QVve0GV_
z@#5>A@ItLro8&NuNV;sP8T`!BZ|f9O$;DpT^-|GlOl3U7=%L`0<1Kt0Lj40(Q;nI_
z2v45!h%jtsMvKq!^$12NNrDv>noaKKHxlyG6tTFdAQ`@!C7r4U{XI@qZP$J*MYLua
zW9rhNcNrzLXx!8|$}|)@nyWXqvDx|cB%|6rO?2j;*RH5*Cx;HHqBZh)(i~Sj+B+3(
zX6vAaPTnC|w>96mj&Lav+Y!EG!SFJpNW?}}JVYQi%e^%V=V2pM^x){o<_#_{LoW=a
zd=nls8jOD=VAY%8EpN7D{jKRj{uvs>f$BHqXE(q5w)t2m4Onsm^Am-(%*eP>37Ied
z*wI*Oye$toikR9tK53c4OYXC}z^h8jq{N;_%Qs2XP?GqXY%=H>W<T60OTeF)ZoMr>
zw{}*6+7bPXx>U`{n<G~#>r>m0Z%xa#RI})euu|s4eV--6)@Zsj#8skyD!mFOBo^CF
zC+z(yheaQs*leNGh=BfaIPIEt5%qf#oDWu}F-z$2gsB{;0DO5dlm?)K$Xl*3RI@1S
zAtQC{Xg<?pHhfeS<?Kz5E98)1bv54*LOo9S6nUt0gXH+I5XO%;OxjeOR6Y%fi!a_Y
z)Bo6}n;d9R=l_XKx6r^QGLGg@c_Kir?#Q?_&_)?Hn=`%QQ;C(J$`yHqgpdl|K*QZr
zJ{a>_!qtqi%{dCJp6Y`y)v6x5^ya;B3n4UgKm3)57Y$X3UG5HyZyiFV4~ZhuJn>=g
zrwsLNj^EA%n%RS4L7EEO7vayzf4p&sv0D9^&zJy*Cf15+R~fHlPnH^2{k(Q&ujxyK
zZTq-_d$Y5I{^xelUG_e4$>}4}@f_1&PD0N_f@ckKf<{C}*2f*1bHg}pp&kNnd$cB6
zew$h2m)=q-q!{`6ib}jrlX!iw^}3otEv9m;7UQ$}TtqbGbT=({m#CN(G?@90FMg-m
z38yYxrCl&klLs6U+zPbpJH|9D_>KE=`h#n^U18btZ-N|J2E+t%G0Rew#Ea3${S!v>
zZAYk^0@$z_nf$GjF}7~*{9Pr6nX$j&$s?cgP7kM)OW6Sj++2nz;XU_jK_3Y%zumsr
zss3nbk}bV8y^!fEf)<O(rG+lqm-2#{PdD+djgkodH(gJ-KWoO%KN|Ut3Wrn8O6Tq#
z4f(pAmR*rA?P;*wo<@N;7c>yjNY@!q+I7F+*>oMv*5*mU5fZn3429`vt1p@@`<dbv
z`^|c<B7YRh?oe$_?0^uFMi$CU=`)l0Tk;C%L=NZj$~ueQBIrwna9Sv98o!^>)id6H
zi|ok*A+g8{RCV4-llIj;w#KI#Hye7)tl6_W-cvb$%>TsmO9p2Yq!RI?m4?1MXsC{0
zE`gG)%PO0{yhJUB#_BIKge$U~Nch2&J(x@!5Rje{E?Gh;(nb^~X-RR(pPUx^VrLg&
z@H7<bvw?^C6;ho+JTH?Q0dk8_c8kiBsbEEC+8*nQ3@v1+*4ogbb0YoaKb!m{&I@v;
z;vAbg`zssb5`1mRSf<LezoM02b+<WKP39<dYvC1r%6M+hCGeAC2@yXg&D`Ezkh36V
zIXLjBYN>QgE#AG=6Y=TNOqwb)8_@4Ns>m9Y^aAy5=3q7(Om<q`PE0WCIu)BON^Nry
z!JuJ3n`DrPPFzK+h72v2r;AX3q*^kE41Yed=ZWOvF)nm$rG;;O-n4}d<x-HskrJHs
zE2#o?&RU)B3{DjfT)mB5LQU-!&oe=%D^~cP9IYFz0gB<@Jh=WtMwrZXO%~p!#~Y|-
zd0#i&G0CZ^lcUAVc#3o<3#~P9b3GC%6dZ9oLyL%7yBi5z13HkbDP_#53S+fo$#_Gr
z2vxSZQ)tIB`oAZ$CjCkL8gWW1uQEcv(d~)sA7t!MGTFYRHoMJ4M^6mXh8+JM4VR9P
z{De(@!JnLnuwQ17u0GCCQCi51-Au~-3gNN~u14Ybm?G~23!`^Wn;3q2>Fx32s~PPf
zM!E8Hx@Ry!LJ3c~;fj;|WwR3`&=_HGG0dAtkel+yq56W0b#^$Il1il%ny_N+^Q0&W
z8|MsU5-DYnURrQ+A<0judA>+Wp+<;xw{r2qQ`Jjiz6#wmXVdN<{zy1FMFE9W-?j8~
zrh%$v?S;~QQ>c{PabENg*z}8nT0-!s7y0+I1!^gjRXlv@>gX7*8q_#?J<w}feTFy5
z`e3{?ibVD!&~u65%vRjW)Jq2qmB1#7Jno&3S+%wsJ!Jx;&CA{C8DyVc$erys!$pQ|
zry-3<49t9<3T9@qjTY2qs-(<tKX*aTNpcdhgm<3QpFH~DDVJ-4I9WQU(duKSx)S;6
zjd%!0=x)x^OG6S(G`oJqTZ1Kk^8(k+(Aim}!c@U}U2^-0;e=a>HPZ@KT=DC2Lqgl6
z@Jds)qHml;<Qqk%1Znu<r47<*bYaHm7QR9Q%x|OL%~O3}3%OP3Eg&ZP%)!YpBvWpL
z-w>4KSTdZ|p_A>ORuEb1K1OKnsrph3LFO&1<BRn|wpvm#9WS^<L>bSuP(ACyvBtwp
zH*yrEaoPCkchag$vY95}!X3LW#Q5#ZsJ*>K%ykJ9<N3Z;pH60J>{`Ei^W@LRQWR2i
z*k$B1Ow|4?wRB+g{rrKFjGIySlj1_u3yHl1<DI}1EHr@*D4`GUx=cqzz#5t89w!-}
zH^weXI2AxRxUULC(#TKYC%_cA#U>h#`EmLh?O$4SwFuWVwI$+kdqQrhv`bvMLW}J1
zcsqt;-E~#)UUJAtcH4(@Vvj^*Y7+dw&oWF9$#Z%U?oP8slclBZgB5$|+IMB&wLR<#
z!z_kGsJxdD%o#s5xIO^Ika%ny$Rr<VzwJ`+W?(uby2*X3r7Qy<IbI(~oa>cvzL9;k
z=pCLA$Kc`{2c64QGJ2hiRouQ~`mOov>S!MWvh|h-N;(pc>j)HIPr3`zzEIM#2?g(|
zwasw#1kUL;>a=B}!w>k+wMtePOI+60a|=Z_@o<ioJoLxITmjpYrg6a+ysxMOG3qID
zEa4LP1ivpd>jv`BCL$m%JwHQQ2Z7$kQYF@}KbOBWCPuEH-@%(c3OQn43%%XY;htoo
z;8i;EU`s-K8A{RjJMZ|7<s4^DTHtSAF4(svuj%O{?TrmoeduK>8c0lZTBqN&>xNm9
z@v^z_RGZB6TErCD_W!QHr$b4l9N{ok)L4tGnZaB9ZDP)6z_8TYje?~VUR5qbgAT<B
z17=EziI~?f%;W@Dt6A(bR?yjq&Zr$(-0*nicrMtqszxXk%%r*#ieV5a^7vLQir8LY
zi4Ra9`+Uxmm(FLzZb4&~c?u&-1dkSAPmUmKHjGvXrm;m|)CflFa8W59?y-~Z`dK-4
zL0GPo>u$ytN6VaP-&pqp=O!psWsSc>u+;ClASEsCygyQ#<&&k)?W>Y07P^@N^qR^n
zudhZ2ljY=kj80d~HW3!XHmRj)k9VW3ZfKzVBWTvSIg28ht<d#wi8`LhY@$<$q4brQ
z$#H5~Lm84p$}&h>YJ`O&Tk^z}#o;H%4=nxxTFF0eE@yBgP70+C4OZM2gRz!C5aRUK
z0@<_SPd9$#T6_N1WIJwDT`x}&Cr$Nuw>hb#&tNQ6l5Jn@_DDNFbjrw^wjlKK!%N>J
zOYu9(xUsS;Bbv+B61Ya8gx^3HRRcr$!s&(iCyiEB%FlT5unv${7gNz<Ej3-imbxLd
zyKO`G3rvihshoo!c3ffx))t;E%?+53y{5<6kHr5{6O&xx_@1<(u)4JLvwm-0GD_a$
z3&ZNcF?Zy6h3rk$rRN}bsBdy3E^iN{L_b@&KYeDi9|{khf$-`3^L)M5DYhbsNas~V
zA43|UsMp<6>V{-kS2F1uEoy_A!ZWPIaYl{mRxEVYgPugxza5F*;_=r<f_}a-#mYP1
zJLrte&7Z$rq%(CfG6Ok~5~&-BpvdimmQ>9g<J5H3lbC%|Ih0{2ttpL-LDXq)jRR>7
zT2wHD45d{@XtJxMSjHlh_2X4g+w0DoG@E`E_7&J}h-=JRZ%@#Ml_8<q7heo=3zti}
z5+pGj4mA_z?%4GsDuE=Yea1A{=t?TqcBOCwZ26l^B!gqsM&?YrIP;@aXV28C30zl0
zpb&_1BR*#Edpv#n_GLLfZ@Q->j#(O?w{8kUfof}!d-D5Jr5`b{dth^>M2}zeu|EU%
zSWM#r5=MLNGn;fl{yg9p3UU^*6DmtA=rtAzAbW9fnQz=_gji^^2Z=KV?hQhIe*L6b
zCUs&}dQA>KBq>X46khOZT$!T^Pf(t4uTH3tNOxI_8`I5agb>ZjJ*hMsHR%u1EBrD5
z&FMBN+#2S%{REDX`-5@D`xpbgwq@Ha&OgN7+b~k_vZ)!@gRG$ziM$_`6SG;XHtXSC
z_@s%oFUNjTxJuBR<O^|9&xnlt9Ku!-v*_}x!fV9osNWdSd*{;AOyY%P<_X&-9vIX&
zxRybi@!KMr%PVns@2g4I2D;h1neXT?YeDu`6wQlEXv7{?HUTaabxDCm@5GHU)OlcQ
za`6n%nXv03ooVlM7*o~a%Vaj|o?5IY>Bj^~oaZ5m4hnFyo@8J(FTzJJe<JjwiMeb%
zv~z!Ewn3~pbI<_h*7su|*Obh`?#19*Dy%Two;%w~k=C^0SkCs@Oy7vDlEvoFz5BC8
zB3dpQ-4KkH*g<Gp@?L%ahzqRumWvC8W0b8bqSxv7??f_-6~fS=Y$b}k`Ls;rcrg}K
zI@W6Sg|v^sYF>>xpLXf;tSx$b*Vm^G_SU48A~*YdR(U3{eL=yOIU)|LU$b8c;ZJ5g
z&-zI%F`1!T+E-cNUvi^&Ua>dziSV6Y$<0EC%IEE2p`~0)17>36ek<%mA(w6|nVo(5
zLKiP_$8$GMEtn*$Yl*=cOBn*hlk#L`0v;u`S?Z-P`WJOvV4U7;X={Yi;G{^qU>?0z
zU1uG*y?(BfFNz}71L<Q91?QE@w!<YUIzK+Aj&QsPaL(00fbS<|vrJ%n?~)xaGxluB
zNQA5~TB+B%L=z>!+JiuT_u4`&nZO}Pn2B+IP8w`ENzI%{fHWWM<YOFHjD3m_XOd0q
zRyjD+DRE<%0%el4?n$pe2T!MVjSg*M#G~uo1QUP=j(QnZhg`zXSvt(OuS~O7dv<n=
zLmR9*CpDO7KM`Z}(P26C=={J~0-2I)va`4UBqTvbc<0PI67j8#E-0NTTn9sk28r{7
zx0Hk437u?RAZ|f#EPd^3_2-Rv&xV>)y148<I!~MNlSm1Nn9ga!r(rD<4z@zOiqb$O
zb!rf|DL+@9X)ODoC$Qifmh<!Wup9gPWMlK@-oE9&A=c-#AsjI`F}vVOOdHkL(J_*+
zxqMD6RMp{$r>YIPge{0$*qD~1vl+u#tGXds+|K;(2c3|ifeKVnha<RxBij5e5wmUM
ze|qO!-G<;mxyZ%6D-os*%d^4ev!8zPgc%52j^Ik$KA&BbEidhjh-6bG9SgQ7B)O@U
zc1-h_QV)94J-x}zO*hmFV(5v+@wA9Y0ZSBMb<r?bl73HPdHsaA7H6m(gK7&Qk-+Dd
zM3$zE|L4XziO59`^=BR<)os{(=5H^auat9!we*yl66F7his9%nuzvlkL=MRWw$3h0
zk#?e(zb>v38;VFGJU>F97ZyaghA-dMC7qbST(J-tnlqIilBC7|I+oehLZ7bf+5XQ~
zgtN%7b-qg9&f+uXKowQa-MTc~xb@OS4Qn5aT1yQ&Ut~!Ynh4Iy3gTdV0`-81cpCB;
zbD3qlFp?S$mWId)chtS!O(E)p=|7Az)6<oyH>1hQ3K?EVqO)j6>a97yi|C1(TUm7o
zuQVf$g+e#0w|0${-sHy;Ia+He^UTJ7I3m%qcDV`_sOmrb!Y}qED!i!i$x;ovxn|mz
z)iPTdTz`G`43qHriDUZeX}Y|QbX9*I;NWeHHg$f6t!33^l_zq4if}!KKIZh&hwfEz
z1TKoSOFh9;3(F^B8c)d;M@xJbl&^W8P-4NHV1165yB&VI;%;myP%`ZsH#o8=gF-*n
zP`GW4mefikztqlxHkmu$2(z0B=T8D^d&BZ7OUY`}qBD`kc(wC&m2gzI1`caOydA#{
zUhp=ZIqpIFpBERKRTQ~YoFj=uqf3=tIj4DtJk0XAn0m@+@M1YlA7g`J{fEf{W;z@Y
z-4fnT$uX1lf4;9W19z1|E3Tu+U|8gto}XD)SO0C;R>N>-{%WLlFlb!C6=~O_R0P+j
zB+)!v5^cVnm2f=T^4n$=$;qJ}8s0Obo@2>9O4FOsi9cvH@AJd^Z1-F=$k++#4AoT?
zGG55Tvto~Y9u6L+s8+XK(M(>khLvL3sj#1F^QB6`F)3R~daBb%%lF&F(ank&+Cks$
zh%!=jO}<4hTs|&V-7ah@XY58AOBKEslU(#o1tayl@#&p6EmE`Gd|<jwr}LZPuDb9n
znsF>0e;7+Rn78Q}Vzlp@0xD7+rWnRL91}Q$f5Fe4Re(lY?#n_b=|r2Rz!D*j`ELqi
zWTKrDaIw~7m^BL~GnuHLXfbHPoCz>fZTjMhK4B(ZL}Kw^E;kV9v%#Tx^?{m_o7k)v
zXM1~7s^J@&75r_Erc6Uow?U|XubD%#Qe4+shO=~;vl_V`8sne_#!E}ZBwu8~Q{bSN
zcOs`WhyUF#$-9$WBB{nrN4ud-Ys?pK;9Iu%OVsC7KA5XJv4ZqhY5O>9iR-acdAMMG
z;qx<t@gj6Kz4%K7_q=*k+UTz5y>u!pxTca-7N`jtki)ENS=wxz>Zsm}2G~BQ(+mTf
zu!BG8-D*=0D-eH$s?8vDQz&55iQ|#p4-;4TeJVGt#y+>;AEV~654Im5DtQqvJ*T)U
z?}X!JpzYLNc=;JcZs*h7)~7!UO=UB05hxT0p3ZvkQC@1)7JPyGvqNvFhKBHB;oSzQ
zXfr=gZK`f@J`U0^#<kb%;>8IcNfZJV?LT-CHkS|nE@uTE?x*xa6SQZQj(YMCY!cdW
zh}0@x7LUf+lnKo+T^0_RlQt!G`URdQ7tO{8QjRNg-YBpq27Gc)G|+eXEkK6lX&B!w
zpJh3X6CN@9t_Eyq3G)mn2q_9Y`wacUH$o@f*UnM|$~rB7pQ4s5t<GK@ytrPj*3m}0
z|7P&IHcT`+Nl`LR^hle(lpFN@Jlw>jKq>KE_wOO%4eeO|DHHzNgC-dDx(u`MRjjcv
zU3EX0jzJ%FsGm(B1ZH17ez2#~FZIT=Cbl%gMJN7k``@h&4YQwA+Ve;`MRDuQb!hA7
z#tG`oKUk?%S#K-z;3i9VQdy)!Z&y@)dtE%LiZ|qnM|dU{Wn@3!VGsLh&xp_WRDx!t
zR-~@8xucw{{JWl5DarV(ZBW9;eGTN=UvOyt76F{AlRqvyw@DEyY%hh_v+sb87WFr7
z{ro+JlX-tc&P3@WIN-E$1A|8XI5O4+N9JFuVE-=XGpjcr<4|(cH+rq+n<Y51y}nUB
zh)020P}S6Bf@bOLDT=D?+lYy;BBwHB>(y*}MB}7mV~K+wQ3~f4wv;F(MZg6!`g7a9
z5G{`kuT-UBhI3ulyV`IEcZ7|eM^zoSJg*+;0mk}V9^*y`J@pTewRV$RCxd%#oJ$6+
zRwt5BX<z?bk(ZJpjOt0lOVPPkz1nojIM^CZyURt-&_veWxu>&NTztux6A^Jl&O(1b
zc)fsoxE_ZkT}B<MX_5?M5|YdxP^#(AZ$@U)&c>NwFKLvqRqlw!{ED=2XIN|O);t<X
zdFFjYEThzSiU4PyJc=f@l7t^i;^DJV?)VCdPoIVw&Qf3HYodw<eO94tTvnISd`1+?
zVDlAffjDIAtA@&STWdK7*thK^ktTY1G1Hz3CGLn0k~Ie}W;*+rkAn`m!sSfi(><6X
zHkd>Yxx`#v{rWdG2w1CcFvh<}o@Y@?lconoi0!J?u5-a@g+fs#@RSE=zOzT4{J7Ws
zs~p9hhRP!*ICv#PJ$>TBDqVe7SA$P8$a<Oi=}~Il%TVe1HspogeF++0wxJK7PWq@R
zf1Zy0Xgo-So=f<khIMZE{=y=2NS-kL{YK1f4}B8&vy!2fPbkXD^V|a!+!~@(2PIWD
zAKZ_Vp-Eh5+uF!=?`O_<4sg&V*g3v2Gq0<vBQ}f<<LC5B;B9mMlIFdxApC&#>U(Nd
zS+^C?O2X)3rN9;}I>KSK4vMXvlCg}^u?_A<!U`=)NCMFgDf!5|ud2Pwc!9}s8e6MP
zl|uL2$FY3Nv=pw<bG14av8mWZa=|7T`6DXK6}EroT~mrvQy_m<!}Af`VV(T9&U>Gs
zx6csJN6`FueQz9}L~O=m>AZxoMDaI~xm6ky<Axc%OH^|yg)KY~R6$@%CcZM2T*|Vl
zr(3>2L#=lRwWvYAJ{2G;kr(Sh`bLU5Y~*lY!yonpUvV&Eo+PwJcn4Iz#dy(3xYOxA
z^sJ%h!s8nXOm8XZ)WIy1u*>9pPcB$z(-nrs>^%~Fs6kuijaHi{yj-Xi7Da$CK}_#N
zQ;=()VeXcX{^q`zj(*nS4_1}jbWT;A8HI1yf{5rfG}YcZCY8EGv1J5V)^i4a4i!Qv
z{=r_~SEC2ErIiYIEvaWIRpCZOg)=-pIglg&yq!@dI|`T8f&XzOrSLu`HE7ykgrO_N
zRwO<Pr5?AJZO#6}H`$8_TS+7=s&q6Rk!(*>J#zsL-Ao2nwX{N|?0#{E!6^q~2Xmc8
zotYhG#`#LanOuTALmk?UoE2t$@VikD5KfVad}bbVTBc{UCKO$JwJC>MJD*o7@-+23
z7-I~}ug-Z`L;1}0ubM5)zM+~*>cS?!X942{MySk7YLq^eThj3CXPD$*CD8nI#ewja
z#2`!a+3iv6b#k%HW?1)TyCk@7_q$+~vNi{rD{Oa=j~=5h=UhY0%%XX0j`hC756z&b
zw)itG`-ryZ4wR;)Y}g8RKe9_LGt2r5hFi@?u!%){z4vXT_va1vLZJGb*kiZm4RJrm
zesJF|V!LquaOi1MeU5;*+a{D$HzHue(@<?TP3iD@w(P_hI4=~}WgYF`Q$YHabhX;7
z#+I3eDAew7dA|=)GsUDev2VuY!=f%bj6J!Zx_7*)clg4)gL=0+p!p$G%STX?kqZMM
zjW_>|hhKfns}87r=GX+Tax80sisow`&f8Lgr{Q97q}59x_62EpthsSsrnu-yBDilO
zOtK0*_e3j-LY%ec#NQi~{4Hr*IVP0=7gHe)Gc!aj<jF)Yr3H4&i!4eGIv6@7%MV*(
z=Pg1{o=>&HR|J_g4?7OJ52_{kR}qct&9mC;tk=}oM>)Md$yBP@pIwG0k!tJt-5+Xw
zY>{b}-yl6cZ{&D<xq3Y$F}zH#?JL^A=#v`nKG$Y3MC0f)ZNP4cAVyVh0qR$U2^G0!
zfRWrfoKHzymYyx!na?L}2}wPvM#2ceL5~3+J5jcXPP3UuAor_SfE>=fe7l1}vXg3y
z_R#W*vVrokY*H+IQ~A=G>!USHv+&!4jEGfNq1(1-ij4=TYvlyu9TfIoc`2^tY4`+N
zb)gr3L>N#JkZa0Jn>5&{ZBW6@gap?8Tu%gA$(jd5^TO^Md|WGGy6fj;mLv$QivNi!
zp}gn2tNvx3`~HBcjAB<Ld&@{VYp*f^lPO^ocp@$GY2i+q?aAG6!Tz!6k4w{+AKPf0
zJQZ7qd1%8V;am*lJaG?f#O|KVE^3c5^L45<{uEp^Yq6iR(q`o9bM-M(!%u$;BlpK`
zAR`c1oe{dcZ(P|~?qB3R!8<LBt7*!%*dc0bDev2hm3%^zJ{+>NnI<fUBh8fzpbbRY
zrt&L5yOC4`#V%V#R!X`Wa1hlxp)8g-DQ7n|A|q%l0q27X1j{+#XIMt36|#&nSKcVa
zK^gCy*VSa1d;*Pg40M5G6|(bd+mOJsB+&MLb><@}wys{oU`%E*q8=g`vHG#b7uL<3
z78w&Z{1f)H7V;n&(;ku7uWP~RVs=YqI~fxTy|8e9m|Wk^9mbO`QJM<Q{dRDAmAU##
zb>FzJL}aY8Fa<a*Q(#2Y>foAEFfE5lx4H0jqHGvrJZ*QH$O2@cBRg^J_qFD5RFP|n
zY*ZSlk{ucrW`yxAW2z=tAf}%Zs<?_UJX&pBhv%y^gI&+s6#<_h=Ka>3c<dF<m0mwr
zI-8iF!IrsReAKf>xy({ox{BU1q57HYXML2Nug)ErNyY|HOWKX!1<Xr1oo$v6O9mHl
zl@6Pnrty52A}WZTdgmP<=bhCv2-ovH1{L}FciyS!E_ckfIq&i2c0fNQjCqj>nddaJ
z&_8C(D^yDuS0QsGaz^@WW#X0yL<*6|RoWb!xqvWs!P>&EK{UR;CTzl%uXNj`Z#R3a
zLwPI4w^JDUxWKEHB?Ju^<M5+6l}kEwj+=T2!id)wNIlfkE^u#rj<DNoGk3@KF#T3w
z=Z!j?hZJ^nh1S!1{mM<wY8=8+X?HoZ_(c^s=4Rw<qoQN}s3%DxBvqq(dE!e__KcY{
zz$2J{lhR)?G?4q+AAm_rgUn~YYWrE@n8!<yN>%rbCzGkiiOg#=pmN2o(SXJ;pjNK%
z-snu^P-S#`wmb~CJZgzv8|J1E+)PHGk!9a1VD}SxsZ{9?at2Pw`dp;G-cGe2vW4f*
zNi?^Aeke5N>Gt#qC-_|<8GWim&nav~E|TM`6`<rJp3|4C5BahDk;!l<_(V%>f7)}L
zT%%Jv6r8O%9Kfi&{W-!$ID4fqzTB`5kv&NCcv?&9=@*^IQ)DgnewPF=fDHgYBvOIU
zlWHVlp5NVcEm+oE2k+vGqoErySS@~==lKC$nR@W?h`HIfSe{g7u^j~5U1xT0J>UF!
za<D$~#wKQJKtGnHQmAo&4u2EGCFwus<8Lo$C2lUUe^CGacsO%9%-w{!m7n*BntS_|
zYV#1z!G(9o6;LEwU1n~6UIUBVMC4%p_(Rr>+|4kl$2jkbkLfoXLMnn+Y_e!FCV8)~
zN&|??B5toWg^nbj_tuwM<uv*>tI=9CZe(lMj5WOq47YH|w3ug9!O!oZT>>?n^yYFv
z=5_yCD*ywRP%o>A)7uQx)cz5?e1y!z31+LtC-oaOFs_7+I}W%^4Vc%1&JOc++bJ(y
znEN)8l^w_fJ&XpOt(nv#&EC~pBP6dai5to@LEan<{?Zf_ua=A%f-a2zR&sH*L<rl`
zF%&qLDvo5&0!_ekQYg9vbc9RXANY9q33We_>4fN+s_@v@$XS=GwE5y*4zn$G68Wyk
z;s^P&l0DyH{~4iv-B&in7E!IReraAnjg`Qf*QSEJUi@pu3d)w9zpguDRd(+?!8IGF
zh-o}K*Q5&LU>g@$LmN+K{nLwzI4H#N72yejZp2J_1g_+nV?DQ4gdDYDrW5;IXFxHU
z0M{+Diuao(!5W`2JG^v5d@9-vtwrTTr){Cra5KgL&FTU3qHjwFp8KUlPYgwi-sBg(
z18d4fX)vY7d~@|7KwX3XnUIEU1?-81?9l^WX|X6OT}#*M=vm+3swLWGPj4LQg77(H
zrfD0?VC6nl5awKcE&b9x$KxR6c1xU#eSpUP`Y4LjQ>ODtUS`#osl|LGWRc0~0+QDY
zyiIZMOm=g<+sWUen51S=ckM+_1uT}r{!Yjt&^!oxkZW*PD3<YaYX2(+r^|x+F<q=C
zxuLIvGuusaB9clopDvgQKaL9_8qaEY)>$w$P4*7#u_y~W$amQ%Ir*)TD6KBT^_isD
zBnNamn{`_0^7*f)2*yrSO4bwVq+dQ2u`O=q>kjv^j&tB;-sXyUk)21?cc$^{4Xo3-
zwy={<aLCbnW<3fzFcITf!P2&Nm&47EFuRD1#zF#6V%Ggm-4bpNH*L{o>m$ZB_V-#_
zG<&U`ADHwjHpx&c&s3Y<)^^;jmX<j)AJ8rx$35<IyqBa7F?2!p+Dgl!e7u~DSPRf^
zK)`^*Nbfa4hH5hsE8edlY2|KX!3}MRr1y3cnVj2#&0pt3@9I-K_TG~Jp&07S6nqUV
zrSR04nj>DqLCwj_T@iOCCpR;RV!_&qE4iefHBaWd<Y?1=GI9stAOpwI9!!0WLUr?_
zk?tHDYj}oy3++PAFKs%BcUhyJ)tPG39;_KNKG_{|o0me09YxEyK+8R#UORv83#wpm
zI5+z;!448D73D*UZwymR&{y%Xenn<FyU#a`xw?91<(uYoknJkk1mr1LLOTZa<>10`
z_nBJ?Xi%tRwHu*&-#DT+|9bMmmIRBszSUTwDSph8oQmMOq}XnN;<qw~aVeWVJ^A`E
zH?Si&+!JS&xU!ugexs=G{cIcDbdo*C@jFe!dD1!&{Kt7vI#a+6G7+>RD~R>#q5hyI
zP+KkcrEswS5uxsc^!@h5&;bW~6osd7d`w1n?i+U4QZ=w1JXYv0$quH}v;${0$0u;-
zXLkH;G~OsU$rEahi&SMiz@yz=ZX<w=;wMFZzs&wV>C^su%%8aL=D_RO_SvT`;HW&r
z&hemkQ~d-Tkgaa7Z-3pruE?=)-<2@7;^Dm>a>P6z8@I^7`yw);dkS<mY`n%mseRr{
zmUPhIF_yQTt^MwMoop{v1>?6xCA1aK``vuvJ2TH&Ju%KtGjHZ)iVyHpEwYnTLY3)@
z60!D<Qi)WSeqeYJ4nvt+pHB#GJ$-d&(W6mW7yYScuSr<3F2yWet8c>6_o(j)v$D@x
zGl$0ydc@u~O9@TeSh?ya{o2a)TJOSqc0;5Rd>Xyn#%st}h~y1x#khq&uG6x258DmM
z$u=VCpX!4Qq62Pb1F}1GI$l9n--t7L6@(Yp%h|aqD^rIi!#YI`P$x7f-oEo{e;dAm
zW%Rm@r3Hoq%+)R1Yg_4x{dZLWN=1oPxZ^57?#zTyyW$~%PZ_QevwWQLK5oQ^=R#kw
zu<PP;eY<j`qxh9qD6wd1TaGyID$Q!rd#}!uY&-<h4uP;2sOdSkUF<z-;3QGR80;%X
zgs-p|q&<g-(R4$90l^iS!x}i+P-78jmhA_0FTDc#9;CrH2>%#<SDrZE*skGkLD)3-
z>y63Rtk<g%^gv}Xr?ctC@k86wuLHAZCP5Z`4g7t(r8+lRr$cbtx-&9l?^FV=rdZ=M
zhKUffy{BJk(d=cavvafQ=U8Y{D*arxqE)_3HK7Xr*kiNQTIs5(EFw+z6Cc>V$3_U3
zJm_;^^koBs#lDhnJ}K88b(CPpaJJdYi-qJF(0Zhj->V5qxI=Zv2uC<3|C8IEhu%$?
z*l)_H87UU}FZJnEGxY<vc0?qeR0L7Yu<_o>XHqOO>KLUMe%?UQWL7hR(g+>VLhw3>
zN=5TcN@%wjD({p}m79Xa%g6>{Bp;@GrVRPvOB9a=lc@dTq1w__Ef8pThBe{akRKik
zPLU=E3w-^_Fhrp|v85gUf@s1UA-N0HRw33@`E(VDiNL?V4SVk;^=FM@y2xLPGDtV3
zxCytaHDv`F^Fs`Oq-LXI%HHB}J>G_mcBP&4HhRN$xOF(Z-_P<BuR_MVbgr=$WiE?u
z5zoCepG2Dk#u%dN3tc$>uZ3iNS;NRl<>U6d-3wI{e!8)*9PoCRcVFK5ntb4?&zfmq
zY1p(*5m+u%%mvyIj7T5A>n`$1ua*oD8FiGs`0^%wDqSfXTS^bBOPeTBH1Qf}sf^Mu
zC6=7*Q1AxPCn9o+xN1GA@3;zA&x%Ad#QaHfYF`4YM*ZqwzLl=t2$;cAInO>`#43Ve
z5#&ItLDdUZZ3Eg75b3dcVJCm7s~{8gO?t@zEsqhQ<9c6tS%FdN=dbJocY4QWrX;n~
z%7$^*Exz|HF@IjA2sVx9T4*$HvLaC7+HFhG8(5rwWp#8xJtm~CjJ=r8BQlvbmZ~%a
zy(D`mb^`I29a!ON9_+towskXL+rX*QV*55K)b$#53?3UK>V1b_bTBCRXui}FO4__I
z`m{pYg!gQm(NDR>Se5W6->2_DQ0UW3O{QkVEr~*NO@1>;E()A$@74HtY$XVs1AVVq
z5vsPK{0L0Z(NN?vs4+lY1n%UKtlhqZ8sF)PEZD9OL)6nx#|$TV429d2vK15UOU81O
z{1X{ZfSO<@K&=YC>iDhPfKD?X0dKDM6w&c{VIvuKG8uJ+qGy+h&umaEC6k_NWLwQ&
zGo9Y|H$K}|_?pQ|+Q%m1MwVEHuO)mFVx`tJ60Fv=7b|gZ>*kYYuPj8G#=c)Ms|5vi
z9}Hb5H&Sd_uzMypa!h=kh_o%%^0q<^pC2lUbRH01o}90=_)~>59RyAZo&bnVb6<qz
z0IUtu=<u;hZ@n+jK;y+aQpkNx<Ye-kK4py%JrDgZF<`fI5(a;>wiV2r+`6`fl`;PE
zoAVyBGmh82xFZtYX6p2@oIcu6W0I$1JwB$vEq^`W11YqF;RGKLFI|bs{j}OG0w0Oj
zxkRh?8m=bS_|Zy7dBOT`|G*3oFpT1o94Y8GaPEdL@)Kj(C?Eb-%mRLB@eDLUR;??c
zTzT`nEsyE*&x<P6yQdp6xKWsWJf<z=4{%s32&XvE{GPi*be$5@<OR1{23w2Cu{lpr
zJrkGeF@gs<ZsPVm3y#VwSqlx<ooU<jVacf97c+5KCmr%irl+=2i3QF!2)^gqx|xf;
z(dme)C)*O*c~_o`W{eqWyjRM1`f-!D2D@wRDgD?*H4z(8z=YWKp693XQ|*4Spvy#*
z6_<lz`;dAii8zz_l*ZiA>qTx|Cqt)eN;2m&fEj(ixZei+mK9ME!9sBmvz~ra0ksjo
z>Li5h?qXmhIk!2+(-SHTPnWwHO+<Ju>*FxyWSJC;<ENCe-1}BoK=Tnhs+riki&%YQ
zE%8^Oc#-L8(0cymj$JOyQQ$QSWx<UkPoXIek20cq{pR9|5TM@&e|R{rd9v_-&~s~G
zCD<|!)z{v`N9RV-ARo0W_~P*8Vw~Tf^Eu)0xJWfNcVT*pNMPF0)o$!vinFmT_Z#{O
zExC}V0%epvlsbCWs4mX4sm+K|T6*!^(I9ih+ShfXoNg|!_HQkKA9Z#erN_K~Q8Gw;
zEaAQ=ditC<V|~p$qv?3ZdV+%9ky3_dc<TF-sO2ojnax_8{G_^RG5;_q?{4f}Tj1$e
z;x6+`x$;Bvy<ylAr;o>!r<KJT%H>jTnj3(_7~ZD>=Q^JHv->Xnx;bET<b=ReZ9#ha
z!zTOfR_70;h?np6jPUDkXbhV_CaCZ92A(BGEvWP$PBG_Xv3B7m%9a))Frn3`)CZ?+
zL|)tSFQACmmZ$k|R7a^S{kl1&_@ySJcrKXO?0Wh}>Cb``i=~Bx@-JN~f+=oHjc0;m
z&F$9nI`_S-Yo%D&dfutSC*pEqqw@2PPk#6U6AVqvW9+l1JOUi3)zay=2pg?m220Ud
zrp!e6jF0_8>VY>QIB6{IY&=6!odPgCC>aSC5wk2sxaV&s<?kB~P74|oogE+u5x*(5
zW+@h&>)g_CWce!SQeS*bn@>1O@V&*@*@JR7by;F{>)RKNX9S3poPYgwBrXR%7j=d+
zDgE$)&0VK_;<J)@jd9(vxy?PKatCr;C3{njwG(NJw`Tb#0?e6&EU6hcOZ+ddYk#9}
zy*yKz5$)F^kZ}rU+BI^ZKgWg5jp!tELTus7*#o<7SX0bfHZ~pgy?x3`bRCXDc5XE6
zblvQ9GCO;gggRMIIK%fuaPNjG(6pf2oKZo`9GNK?>rHT6FV1m<2zQ!tlDN0s?N^l>
z5Us3Mc@Ii!`7E!geQNzav*T3r945K@z;P|efPvaw5*yV@@sFOC<z?dw!x>GLmX(*I
zE@`S#dS-oRKbUsuTkzBB=2UhR&>WSoe@n5DM5oo3!jIqlzw!lKLB4k?sZY6hgGO<q
zvq(C2sF=*uVL6A0ru<=J8&T}<*Y(hcH@^Zto_`S%j@CvZjR>7WO{{q|nA#t3gbQ;^
zepyy}ZMSwK&&<BtkLa!SulyW47CV@ua~ftV-1!{0KxXqqg0Jp*tHp}h67JS#)43ei
zAKH#N=E&qY68mH9!sYfV3VNePbsJMLw%%jTy3Gol->@ePgxyg|#iZwIr!BoddW8*r
z=|=6ybbIYkX&G!qwgEJA64&kp!{Wkuy7f~7^+3|I3wAH`PWwJ9cA9GMhYZdB=S(;5
zot|LUtUz);`_SGeRh)||Z^l|LUR7*e&}ILzO8O1xHTq*fsYGWyl=ybX2#I6Tb3%DZ
z4aAb;S-tl&9%VH6h4Nf^8HWncHrafZHiJImEqY<6r@3;nJ{3Xg`qs0%%iF7A>NIpO
z<?HKi0>1J`Z39Sp7XvbomKwGdt(9<Laxn;;`fPNwqwV(Uhv8}<2YmpkPH2MjqtgU9
zedV(toVur<Ml_N?GGRx}?%NN{owB>XcnFvvl4n+0ab?bKGk07<a?bYN)&G9gOD|TZ
z9MU#oc(7{m!E>}qUoheOzY@@)gpsOr8yDOH+VxpyWB*vnr_XjzXt2{}h#GqF?~UyV
zgS^3xIw9;OAC|won$fj#QEmGEo$}@SYuWty(_ekP%X7l}-c5b$v~`da!$ScqIV7yQ
zaRBL2+1um7J%(sgy#t<LkF<R{c=i2SXo`<&Mh-04_i&!>en2`Z0K!&VbyVq8cNC|7
zzAFv5Doth|2=)o-TO&LF@NIFEFG|45q3=cR9wfYZxQ7IA58#YkED!bwYPWZ3j!Qq$
z`_9uUYE#x=Z>qm52VB18Ue5erxGd!^1)O%j8RVC2)d1=66-=(VFGAXJN+pIjRkxA)
zuV~VwyM%iko!^oG2X9^;F0h$S10At@G8fnBq*zvGDhH1B|CLX0*D7%RR_}h2xKBX6
zp_}_2?VdN>V52qS*+Zd)U7#gE79(HYPe#*!zrzwK9-$M4L264i<5BHKiZCNxoa!z4
zmm&j1d6Nz+-QE#|ERY?TZ7ntxFv0$>JHmnyrZY}nuo{Tn_&41FjJ*%{!{Tb99Lj%w
z^1t76kO6{zSIVZ5@b6^*S%trEXzvXJIWAG^-vR$C^~Y?7HxeMzoK{8oe~A76ev=|j
z0i;{Rm2v)i6#t>LYxkj;_YN2Bf3VU29-0nJ5TRx&l;A^YHOT${*K2eb5LT>}k0jCj
z8*2Rbh>VfpOhJY)>oorn3jX)d{!c*vC!qh+p#L`a2Xp)X!Nf)=oPktJ4zRIwM2^ws
zahhESxE$XsKP|0XsZ2sZ`1T%6Y#x!+PGx1T&TN1@p#7tm-ODt*zc8(p2IaOhsql<B
zYrvfKQD;(~1CVE-s!R;Ql_+ZQwzWdNBXTi6Zx>|R%|~RLbB3`{TXIHXeEo>9cmTjn
z;Xv?eCQZDtjkmhpT=e0Z##Kn}TLztAyX13ozQ?<q<pRUIp5WnxI9!%6D8y;?op(9E
zpCOY8x|$2h(<lGE69ddxf$v3d43ifM$zuXc<K7+OE4_xmy^b!-xUz-XX{xQ)?e+la
zRZ3Ns<*&Qp8Er1elb6~VxCN#X!S`Z-yVBdmp*?v-%vvv)m!0PfIFgT3U`Z6$1r>Xj
zOMBRP9FCrJHlCgyngpEu1M73LFb?=9gP7?)>|U$V>2Bxojs=i(y^a~o5y)_DSYhT~
z_{OlvbFbyvG@SKsC!XB|Sk{@5FH>RHq@&woGP*w8t4jizCkiZ>Dt)TM0!Ho29)zsf
zOe7!_J59qO`}<GX^96b4kwopp3*UXm^V}<7Wjg{b?ajo0f$*<A?x1Svrh?9u)vCL6
z=W`<W0@Mdz3J{U`+mAV?DF*kS>)OO-m{x8f{n@Wu0v$f9C>j4ZH$KM>BN?^xx-ZN7
z(a9J;g}YT@B$f41kA#T+2>WM83Q&_-bIyA#x~5;F0P^Rzv>d>K{9df`BNcRAH*QG%
z`sntJ@sWBpJn(HPeIV<S_9D;W(y69+2YxIFEJ|@n{J46rD1i&KrV5-qOcR)Cbga0D
z=74r7quTwv0V8cF^L(i=&1{4L+K2v!@y_uE5fMytPh2Nh$C8P*?hf8>JAjyV1Rysv
z@K_S<y>`h+=h><4ccy^#2N}E#iCZupDMklYnu*$yLZi=L9h8x$_;x3&Tg3>vzfL7T
zbXZw^*;NH$$E<plS9ikoqXOz^!hF*Mxh;=_wG59TiE(ERI3N$sv6yK4FoG@~m<C|H
zufWS`E<Zo#FW>n6L*3F6yDY4h%ZW|LzojQyy$N|3uRYQ|AC;3XO}p2`S~9rJ`Qv9S
zLqB@L!uZ|jA1y?}SRXJkeES7dO6E|rCk~`#8OUDxImi&^0c1T&swEvU-X!rrY)l$y
z?`uH@tfqF+YC;TT<h-;TrP7+)Y#+QU!U1k-BTfJ9(WWV|RHmg>m9ike3e%~|w)n7w
zl^vuRlKo{+*|^pO(}nb;{QDts!m+$65J?Ajm0*RJ?v#9WAAU&mFe|Lo%eKtF7WlOY
zLImGiu0>QzG-Q^+UA8!L<<h)v2evb2u8)EXycb;HVWK-ka4t&anf^)oa*y8-N7{Q5
z#CO>*>+vy;E(bCTbQ+Et{?7;n^6?NgBT(w11bf~ngs217E}WU*nzvJ6M}Gt{is*zc
zHWqNYo9sM}dKu*VqBwKu2yFws$KH?H!UH4h&#L)~<9^==<fo0g7By<;0B2a^@lPDS
zfDJvnVp4{FuxEVay_+VG;GzTmF0ap{#hbviHJ6cHA8M6jkP0<^3Q?H(Yew_H6kF|A
z<=O8ShA#^$=HOy2_Wb;dB*^Pf56t%7?1}%-Y)=@bmlN=8`tO&BgADaS(%yRoRXW`J
z%4V6@kdb7{17JK>d7kv}NsLf&VW}n~1&@nhLuJV)2JOjr)?SDjQSy+Si}4cD-dI6K
z$f!rfuXTQiS}?+SmXEQ~I>|#wr7;Mu6<FurO(0RMCd@i7?w60YO92-OcV?=FuTQ`g
zCijmHVhyH)Z4e+s8KL-$p(g74#YOg@eU`RkA<TPyFy6vk^dA?rfb+B3`oRCzP#<mR
zudMf;1$BU%u5$}}2_Iz5!3MKIu~uW69dOmD18Tr@F;Jo@h5)P%S`bj!dvh!<sywR~
z0u{Aq_o6)0OoO@CzAh$QYkiDetZDxt+cU}o)P5-($Tb~du1(cQ`3sWR9>sYkL6HM~
zm7i(_nVcnd-uV0}dob(WD-o%tOhwW%U%*Na#vTCj!612HfO80<C+$^Bl(Mm84xC%S
z4he{l%madijFd;4!-Bak9!KZa1~eV;h8G$Kk47Pm#Nvp8@$C^Wkb-0YTp@`xfc$rl
zB<M_!DXff4%;edV!&R;Zr{tt?$kqGhj00G~^Q2t;d<k3-6WGHHx&gVL)5}IYV3~w*
zHge;vx}k6Qj+j1ZmPqlK>``Y?>1#g{XwHuv#D&c2;ygM+{d+g`4Xn`rpth$-EUQhR
z4)uPE5=5H63!R6=(pAvvk!L&pO&%8FF_3~H067a`D?C16-%Eosbi@X5dxM&d`#*3S
zX|GLMGYe3=5I&h{R+P)XkPrx<FDy+9BqXVIgNgdQ5!x~s1eT<0!F?R<NP0+*;6E}|
z0OZrg<4XGQ&sq|gs8_7hj;@JTe~lp#iDmrW!?3;sN<qxiWHJ7IBsi)7EbK|biw_V{
zQv!%h7VzijmTjvEG<guJ8TXj-%v3aXA(&Pw$*6zKRdk8m&k(a1QXU;EO+1g$HB}GP
z@PZ#&&G9c>ts*r>T>P1e754iirqVmWw&1HUJy|IGB=xTM>Ek@?l#Fvrmzyl(M<Ev;
zRRJy}t0HvpXDXF5b6tG;(vF@IqIEJVc}l%ewPgj`PUXa+{dgRY)Av*Y=FldSiukZb
zZpe+2AYD-Gq7UHP#w@ZE{th^>tAG`ZBXahm3WP~2#3Lud|0o>_xMn0NTxDU%lFvay
z50vsnG0mn~06r>j2V;lvIpqHR3dYC;nuqTU8>J5qfAr|z9sfgQ2=6f*O5PE&fQpo=
z1e(v-?y#nX=2^i@Nf|@?5b-Ke*0MzH%mjhcJ^70@iyys38x`O@3{6HP?_r_V2hQ5X
z50w1MCalbpXm-eP@}O1m@50)^rI@Kn^G+R<@Kz-~;?WZzeqDlZ6nQXR64^W(7eOhH
zwH+~dh?mwuhjCyt`kYy=RhTp+{Rr5V=t1^(FEha}WbS9Sl85AusV3_8sk^d&Lwx!z
z_@)R#3u{r}QtZ{n^ub#BUlPM0Q^2Qp=4d^Nl#~Y`;a>ic;()3Zhm{GvI5oD6d0Li%
z0C`?fJ9Piu5Fw}Xh4r(PN39u^2Ug1M&5PRmYt0G3AYSN!$#%2$W?&N@GliLw#+TR9
z^(ifaRm`*ypFf8h^!7+_LE+sayXnF~a*h=2npHnVNmB~{$C_#>;ZmH`;Q8#*NxrnI
zk3vQ(iUVXVVxdkR&@(zt{F~(ms+!_qx?XI)dc22T5)#J304XrMMHbN=S**4^e)T9K
zd+fopyT-SW%Zy+NV3nqgtgqC+92fbe;P_O`@1p+w$zOusub5}1X4p)wIKwrtSgYO)
z`O*z_?H-Zuooh}SL{ewzfs&xuXSdz~slV_V9OQvzBT#$5VSu59b_D^(lOmYmne+yt
zL@X%)2t;jU&OK<gArhd~>`i4x2ZzWNT+hvMS6g}VA)5^)j9(%>&6C!=1(dZDWJ(25
z$~icgiUMvYnB64K`(@Hf5kJS8K2dpDRZf|SrQJMFV+L_T*UBr#tl(>-EGdXT!GfWt
zivvmr8?-R$-HT#WI`23CbM5se(30Y85EuaS{pC@QM<D^^fC+Fq&&`vRm_r`jI9$-Q
ztE`?BGOpFbhX5w`PG$e6(*S9U8(oM^nd`Ght0hp#<EAEGch5qnimKY|g`hA86@a&-
zY8E9754L~{EX}DDX+dkEZ0eJ<pDp?}06{kQk*6z$h!{&pC@2|lajcpOHP<wd3Dh>j
zVYuSEJLJ;>X(Yg&&fpg8%Iz;-Hc5hJ$sAGsG8AFTS}Fof-En=er@9mJqrPw7+tP1>
zxMKh_>?wi{?8>!#MglNEOI`ixRQEX2C4>E8Pf(<yAcIuM-MY}0GUP8WUAotoC6|#0
z!c$ufH%uyXF!5}u|4wuA`%JRsF$9{iVA^PF-)tRzEf)^MBwuz&KQ{QQZ&*QPQzW2y
zMt}f!h2nmw6donkxyPT-_j7m;GLum>hGzv!3lmIZzi-8Z=$>%^G7umH_|QG*oQ@id
z!^j=e#}x3$!JM>@woIyQ^&@mi=IMg6?K_1YZhfEa%PyvYC;%!QfIjfB%D*3^1p}8M
z?Ga<7knCkqDc&Pb@Tj`EUAB6l^N(2(56T4mv0oXWQFXJ<!%qMaAHlT}Oi#On&0p9e
z2SQdxiKcd#U>XS1!13+Hwz%Ich9Q7o%X}Y8G28nv+^fM%5Y$+V^z_Sg!?sy<0D3&E
zO^3`NYJ-7PSud^034pC;iv8X9=P`8FkbhX>0w&$C`>Yt)bx6n_RMJv4LJ3|11K#nU
z$b=9&h>yMIs~{NN-f}sV>Mt$jpa)Pd7Z>ypGjs`IujKgxasTiUF=@fVMkcK0zYg>O
zPHV9M#mREn!^vzY0CL~s`-HCFru>5h2o#Lr!pb&v-uLmvKdNr66ikJanjuv*&EKs)
zYm{;OcmJdxu~zb4__)=10<d1eKG5o6vku{^#{S5aQPRA!=`~Iy3geLF!iWUIH_S-C
zFAv(~Pp4{|`7xEOz<2Qn?u<w9M4jXHA{UM!WL(hLI!~f@pnu5ML)MeBcKM#;EuW??
zK6pNCYuj%^K<uU+Avja@4{Mo;?;_6bciZ%NDRJ?0vT%1$(C2Sd_m--*`n4irAM^Ho
zCZP)jN9P>C+PF>eX|lM-Fib}n#?D;LP`G*M@56{nBp_R%T|@<ml;&uIj>;VbRXtLb
zC}SaHpb{adDKn!XtA!YyzU7fzao_8LC4S1@L&_qxOTb8BnpMq{!t)>5>?2iXOXL4w
zv8p!YRtSX%M=J;rj&?pl!h=Ve<9wtn)ZVPq?-X(nAsQ=TtchG%D($f=J`Ds0HB4XE
znICaSD+$0=W<Aa!t$X>6Qixlv6*7r;r0g6buMv$lz`DqEY?VTkSd*^y9f79E$?HK)
zN6-)?y$^6^!dSA-;iSa(_a6c>7>3#Vf2IcbqOA~D#rTq?Agf=?1G6-LIhZ}bC(Mp+
zh6BMyq##}@09$9v>Jz5#zbsHq3Xrm*wf@ouK>2x&Ab0hksht4=#Vtq5XRhmmLJ2B4
zka<h2Kp~rBpF;hh-+s6=gs1FWmd1WAXoV#}{+kS7mNc$n1v5)>68)tor__LnpH?)i
z3p}J!lB6}e0n%TG6W%bYW5>7gFt|D#9j_?cv+(F9ixLBfCMnzpwSQCfwe&D}&AzP3
ztaod|QXVSS$A4G;>C+&O_hn>HTZ;ZtIx`9&eNSl1X#q@;kTYmZZElr?d(|?l;9e8D
zE|8+l-iQG#EJM)!=jRJ12HL;Ek;VleR2o<L&jS*@f?1LTVdlnJ)Gj5CCjQm!SOA}<
z8Mo|2pOd#)M-2l3{yDbtW6lUE2%QoO-(QkRs1FTze8dg2-vk1zrga(RTh>niNwf0!
z=;!XdwyoTTGZO%nt3(X~p6Y!J_F)0<emP8-fQVm{nxk9ebXdFdIJw%rSaZbs7@*t$
z6Y5-L?py_GB>!PrH(&Ibi<?#VU_P3Yp4@E}aqW;^Ik`WM4s3|7Fx<E8ejx65r!VhL
zBUJo8eTS9hB#vTAxaaxYGSje5prNi8*m--sWcBL238VL6SlUXtZ;YM6+K%?etAN|B
z0Ch_(!QFd}>-vK9=RDxft5|yQ0$g(iE-r3MN1mMFI|S(YE?+~F3iIi#-`K3qC!lbl
z*h#sHzpY-{B7lr@3@~>`<abBFUdP~2*V<yTMCnuG|6%K`1ESob^<fxMK&1tg?vxH`
zknWQ1P`bNA6a=KZyM~k)8b%34y1N?$q#5#i2R-MW-@V^|3^Vi2-YcH<?6ub3TZZNo
z6G-i8HhjZ{*Sb{wZ`TcP-{ImpY2c{=nLXf`0rVyoU&~&!;`0<EwYryLDa(XM!%=><
z_<Zoi4tF#{%nEQIU@q30Q&RI>lJ9g9tT_-fQDd#JoLF$Xfzo|}Z0t1mbAh9xD5K)i
z<z%~%${HX8!)bL*fzloWU^dt&m=bgx2}6is6t<BD=gw-n3F}K4aEKm4@d4VId1<jt
z2ats?Ug!Q0=a7Ap4o|J2k^i>8JG0Na`DGsRF(doS=-UeCj9q2Z+h2pXHWwoBC8G@i
zVrt*w&HUmaCcGc@`K$4d6GF)2c~Vib?;#KsJavf*{C7kEb;$XE18c%03wiEv3zrW3
zxs%j`JpfgKuAn&Jt^QUyG+bxU<i)gn>w`DmHLhub9#}{7JHZf^AfOKCZUq;>VaYcK
zcee-D`sr_l0Dm$>@i~giy6$bi?lo4!`3#<Hny9M)T9(<r8u%O*6#aTi`ZEKVg#v|<
z=NWJXMODHJv&hP;rpnp;T$ai*bQS6*STirMH2emn^neH^36&B5Oq1w*yHk1lGfXiV
zK06*n$q4_85PyW_;8!i=ug=y-pBG4+_8mhYY!g=dM=>;Am|E{Z-6;pK%mYX4m{Wb(
zAqI0UPhc&o1wy33svv<kND9hZzgHPQ^Jn>3RTKQ{=u4FE%kQ6_mH<6iHqQ`)pa-}6
z2Q$}B-%x4w4!kC3i>q0Rs?_TE#7|Yjch=FfSdHHrC@P{eBoGyQDX(dA&)=Qj-DXh}
zRZ!er58er=_-Ie3)50kwuy2UbbCZA3^7K%*ZCy9fUX8dw!WC;go=41x6RGX8wEYsV
zzTu-Yf`@?CBC$fFYBV66d913omFV?Q<Yp!1d8Qw~rLH#YZ_T*l-CK9{9o-j+Pk{E>
zRWhR`qu~qS81=V~!8Fc$)`s3h>pB^#oa+7L;LR){V|jy&GG=C4*X*4fu@Jl@aT5a;
z&{%TX{4X;NM+<hK>BoD5@wmqpQ1vbLQpGL&g75=iOMrwoP!&%-{(jpn%n#vKh}s|;
z*I1BmLz7?@&6WyKIpuFZ=9i&_?5cb;!QMUua;H<ApaY;_&D^v_VMqG8ptV{_d5H<c
zuW>rtelyG4l;wX5GiaGb4?Yk~uLJ~=N9zDoy00hfZ}807CL-*wyX`q6KezqpeQ5*$
z=_nBLg7ogw9}VuphObf(@)#^TQ4wC!Kgv~*jHwO*xF9P!u-$`nY0p@`VK~CBR$gfw
z80KIuSmoW({O`<!l|eEGSg+wifY{Bl;kQPrG&8fRpGxFF#%(~O4QS;TJ`7dT1DXih
z4<qd77!Q#0z?f%qSlTU=D}!*|En(aSV2*mfy!Y@x1h)6~Kj35ZIRrd?;oxQgUaNL}
zdqorPJN&LT<r8?L@&g=w^jmmG%jGC1BM{mz>@N%LovIm7H(C#T?I+v`Q}p0Od5LUe
zzOnt>yIqP67D#%57~U+0BhfT^a-q1<W4S>%9;G^!fz3Mb+}X~1cGdv)Q}Y(M2|#SO
z84jfG1Tx<M_VPI(px({@H_$hJ@m<(XNqD}~Nv={kE&{B`*8COC4jN2xQfhd!6Xml;
z>8T)&q1P4+-9lwG=K1z3>UJyY7U*$qL$|)Wth~D%PV(Y?XoII7Qha+Z$9;%7zV4vN
zV66bnY))Ie-he~Lp4x?G%L?w@iPGJ(<{ceP3wBaaGuhG>x&6%g@-oYLbexjVbmp9X
zXHB@&&s@HhdZ`W0WBuANfoc_`=gRvoMf_~p4s2f<da1rafPbk@VWJ?;AQP_<A9#c)
zaJU^$UhR5m(GaRXtR6h~J8#ZPc!A+9)lVx7>sg3{C-PbCK#=P@!0tDm7+#1{d>jr)
z1D{VuH2>(O*9Vr^G^DvR5*ZxxO`J~i)DEL*3-P~9a+37Nu`A18%^Nxc%L}-|DZGJq
zP9XKIdtlAhopL+ZQfq_b)LtwJKD_alK9Ow+1p(x&DG27{K&&Bf2X3=yvFRQ`ucPxb
zi<4QmL-`yZ;QFljY>;pFC7#N`{>I)R@!}zHXRqHhkhKYMpKk=V(Mef-*&B#Vi}E|k
zgF|v9aCo=guFhoYbDmc~jF6OsHtzxLBkAy~Cb|(>KJozD&pkdp$CK3PTgNYIJuvCO
zP}z(1hn7MTZwvvYyTNm|n80y(bL+_)`sxc>>!quqK;UI$vOTu9A_uY)2&kA6euwz}
zhwq;-SD_{)9M_I2>PDtnP3C$9bQ!vg&<c55AD!NQmY|Kl0H_bDR_~!(D*SZoYxN8%
zmvG&=Z;qugViQe@aWKr}5CkBzqsp)YzhD4<f-3ytFF-?5VLeq>{;<zmHW#fod-nDh
z9sq>F_TAfc^Usz%o-BNpI(h>DM-$G{N=5r@*8X+2PIOMUR*`<B{g0;6w2Zrv(GM@y
zub9n}d}k^F-b;`&#{x=pwsTIK#grHjJfAxr;2*T45<U?Vew)B!EnrDb&Z+_8L`MfJ
zvibn{vvZ?Xi&3))zXmMtD|T25Io>#Rv^+LBD>_J?B3&I#T!V~gzc2F$zD@tYhcnM{
z%w84?xNXFN;na*_CZt}TR|y8+@o*R*^VUM;^g>NZy?t2gB}$ypQwjr*?=qb#2<Xq?
zVIQj0$-~ap9qRcL-av;-o1I3;!rXRYV)i5?xT?6xbhZ4rH=P8#(Ku@SyYx)}vH;Yu
zsOIL#@_WRAFMjie^VhCB-(Qs9iQ7(UcBPM&KB30bndCkFj#;@_XVT}{Z?xX2Zr#OJ
z9@((-rWTC~n(hT)-xQU38k5Qgp}aIwK9^7SpI&V-zdo1(4t~T{h^s^kFI+^ku>{I^
zeM-<D$90BRb!Ejq3Lao5ZC6nOl@D6q)I<qVgux%+l+G8F1@N5P3!rzi-v6q;hkQY)
zAc|iXR^i@Sx|(o$846o8d&c@{?sxF3{Msq^j@?t>JX%t@@^gb2o0ju1jus9?A}q|H
zUhxK?tF}}LD(6biI`H^V5!`+e-cClR734a){2Cq2Sgo#y+ALgff>M`3P=P9`?SMjx
zPVdp?uycJIP?1?<cR!{^;zLR=xh!A2EH{Adz2w+LxCYQhsJz<*1J=1|rP)ltf^AF@
z=90Y5jx-S*fUBqa9nKDwe0SdX@SNE3+wvASIme~Vb@GCJ#_5T_6jvxj(BzS`@_`Ik
zjCoeHB&Qr|bKhj%tts7pp#2#E><8M_Kk%CHWx8VxeQBIbKs@t|4hcO|q=#JZO^UcI
z`tVmzry+hig3sg{Zk4`!)`ZA~>!%*p-$wm*7dEqh7Vi)tu!K7>b;HBq$nSlEU2g5%
z?dqSdC}miPz~QB-$4RerblAx;9jxzy?Jph?+E}ueJ-1d%9PhJ2SIN+4`7XRB2kPU+
z>5pV+kIW1p=HN`Z%WAFfaip3asHL>GMqaE%#>bA|L6Z)8^daoSqxachgO1ib9T8?S
zM*Qd}KZcR_M3hUourX7fTx5qnQiUK`mJy?nMh{nBkz-)&MQte3Zs!Y&tK|>R4J?`(
zygpCb*uNandWATY^QrA%coNtDM9M#(uzV*<eN}67xks4{X+J4I(d^`D6Fi8)Ir2Hs
zALc)DH}95_p8r^%F|TNR`>26Ytv-Vb{OEYT=)kZI?UmZQf*ss5W>JAhh{R<(EaQu}
zdy6|>LR_^5>WkY}B`GHpcejgo%^EcnV4-f{T=EH&t&NaaaTk@gXX-bL<-r>9J6<>S
z_KQ1HB1ygJdiBGM;IJ}uuakN)MsXLJNW9V=JE^<73)Q=chBquoB%uNEC`|7r<@|;G
zfa@`CflI~4vu>ud9N$*`c$QZTVcR(pD_0v|4=Gc#4KgXk86po!9JkK+0bGb9yfySa
zQtTv63`<J<0q9&BiXl;}Ax6=abqC9`4g^np)R)SiO3eieez4~}IP}MHGI)SUY`-<*
zumAB3-r0P~u+@IM+wOvyi)(BBBZ7zwA<z@4R#|LUydY$&9$lI$cxzd;iJ`*z<8)~6
zovC72KD7;;CEg?fy9#xN3w05<X3_x{^B>Jh;Q7prMCM?KbVB|4*1>}96Q0lXgOU^B
zD_2F+{U>AjHm+6Fz#Zf7x=c%Ga!gr~2#`)DWhSS$W3c=I)XsV0>~bJM9DNO3byKtN
zKUQUegG5&41akYBfi3~}WUUa2OW~WfZ_xz|GugS9>$6p4!CYXuJ<*HlXNWhhBiP);
zAr>#fWGMKa#jsY>qda>Oh)kI+_txd&5Z)08=f%a0N3LQRC8alBKRzUYvC`Y3hbP%D
z6(!M_k|NS9#1KH|5+aK|z{q_$oa>yEuS7YyW<7AmF@z7bzzo6~Kh=h-mVuicaEGxz
z84!h~i*~u8%pnG*5rth$X6ZJs@+O7OeZ9lZZ}0*&5eA@(%3}{7jBm=l#|#ij2xxmb
z3{sb&fEcLTmx{>|(v+!1Y&<T}{FQ@-h$4ajqJUE0Wi%r)zT<n%RwgYH!q0ayT-uPJ
z2!GEObhta1bUvz>HIq607!k!LFhJwW_AFT|MENC`C;|u#L?p(!RD}w{3;?pIbl{to
zw%aV@mr0~&IHpucWC(~TFGZoa<A%3McEdG|HRSXCdMx{9Z9m#R;J_abB-jH}7}Z}X
zMjVj?pIt-x)n>CZDKit&zAz`FgZ_c!{zC!K85D7e1dQFfesmc8TLB12`{4*hH|Jc2
zZ=WEdl*I&O<ZPdN7;--wui!N)kjJNa^cwy#s1uU1nyZ-l^7VR>VPa4i?cc|_p;oE7
zHajb=10SJ4x_)YFt<=O5Lh?#YFoXmGe>xd!P=LRI^Xs0cUdexdkSrR<sK9FA&yZS?
zTyWI&Pb-IKTUc~i3T=p9sr5$>A>NA<pDG~N$^lqv{XW1DzIJ#$(GUzg5SX1!FhcH*
zSz)RuIYM9o>TfOZv^Z}`S_Hb-{iu><5hTV#ePP_3p0fE5a{fFElP3fr=`KqQW0nhh
z$g!s2^mKQUYePygN>s!<b<c+7AS-k6=;3&+XI&iMjZ)LtT@hp}xTe!`6l#HD6B}@|
z4H-$g#Hp2uK3A)q7mY8yy;<PD)M#+Nz3|vW>SFz)0-C^Am6esVW$9qjpa8`P7s<D@
z(ubVeY~Z}G1e_rSHR0<IxqP09E~@AIqi;)P9u-#19AJ<N$ydK)MI!qxjl`qqkv}a^
zg!fE+nE&p0QrLhRawM_A%TM)3l)s-NVXBjwlGLkz3@y5hY%R`}-K?HGzMI0s1GlmV
zlHNY&bro{*zWnWT6<aW`3Y~z`%-Tj^?^wP6SdZzU1|p&r*y$Un2#>OndUbkSe>lyM
z<<r8aMR2dDDh1Fd@ND{dbD7SjwA&ZeF;(guS%Gye7_)hNKDmPoNGHlPs^fC~0NuE@
zOp;|{lIYXWd*}nKC7$I#nmAPrS*RUZc9dpl`Jt}-*m#2CbIU)5^AVK{Z19|QKZ(q!
zNT#A-Mn{dg*#N{OL<X2Tgq0Rt%Aji=P^LfMdGcoM5sE{4RiI2^Cl~e)VFQ?r{;EI>
z03d+I^*#d{?;2Y1Kn1}pv2}K^^$rmOBe1L1OWWFl6SxTHG3c%Wfp7m7iIbssmnT!v
zjL|soV3r}iH}OJD5w#4_@GqKF(djgY9)XP2w9k-8vH}$Ee3rojHx1;_RV7|rAtJ;`
z91=TO`YkLJD$+_ltRs{-S+slMDANWM>zH>W&SDL<zOj9nqAH@;Ixm3v0)(L$;M|U!
zW%Scq4=&#QIn`-O%%#;+EVCE___#%~gAj79kg0<8Vnp;jj*c>mN)53DbI7XHLFrev
zt{Wv+%%~3O4oRbuBWYC7@4GZb8M$!(wF!s%AD;%yg43)tWkjAR`Q2SD-hKDK4k3{^
zy}L!1a7~C4SH<+;0S($OULTF7y=wQoIjU3|v0iBLJiflZc2HNvL?Q`9_>LOI8a`I_
z0(9vyZoYe*C2)Ayl)_u247b-bN~r93zXFW!N#qlyh6Vo&XK@Wo4-b&n=kaExW(Gq8
zgJ=y>zi#^9k$_+wq~avNn9?X0vFap73DL_;_iCBrM-(6T&iX3#WAWf~;X^Q~pGn{j
zWgk74$dVtb1Hh=Ar8c5uMZ$KP-4E1=fx+-~jh+5Rx~@?-)Y`G`4XI25!DlOCL<v~-
zEB4`CrcqpVyy6P?*dI?pgp^C0eq|-oQ+;pt2>>Zob!(H;qV!Sx-XA?@S$rhNjGWSi
zL3!_aTEvL^B~4BA(`usW^tM(_^mw3iQK;R6?}AJF@7jJG2LfOJ4ULntB&7P?eAn0<
z1Y5lBUvxk|M%zb-e+mp>=@5ksEVPimpdgV>Ki{twLx%*BBHIBQw)@=xJiT7<k=oNh
zLL9)@yKzK3Q1k*su013)TM>-(0O$s=PaV|(cBk%$(}#MIGScg9m%F280f@Mi(rA*w
zi8Nqb;VG&hAKbirgG=m3k*>M<=a7v?uMoR{c!k;E4{C3`!!BOBMR6!}@pqQ&#++h6
z6ckiq2?bwv)TuujLkqOV`MruXZ+`=0LN1-$P!d4VONEBC-$vXXOvnvpkH&2=6QkeV
z+bTlf6D*^GosZBJh%8wq{q`p?U*x?NPrP30tv@&rLMy4tHY3In#RH6Y^#j~^gP@rK
z<(j^JeiPq!+oJsMRRY9OaRimqOtW1!r}4cwwNGssk}AHRQ41aep$h?@!Ol3b#E}|+
zEUg~#=toEuBGCOWK^0yP$3DPOA0bc<(<oz!x_G5V7Fv-dp;8Vqc>quWS&&~&?hTgi
zyGW{sfl_2p$8VItjTR!=Y0%!QMS*tT5n==YP|dnU{-_lTQ3G6I!A>HCOU$(0_JQH}
zl*8(_W03oy=n^7oRrUrVZ9?pXI4}#Y{zr`>OR`AUB>Vz6N3xx$5AGvKFV=-UjT6%*
zrV=I{&XDF1aNEp5ovqJSrvoyA0bE-9;Xp2IGp%ybp#9qaE~hunwS2{wS_y)wC5$Lo
zEh*!aUUi#7A%^l&da3?y@UNS7c&YnBZh>pD^oMvW?!6oVgij59|22H23kJyMgjj3n
zJ@D*AXh>G@*r{*+z|B4c1v>=#KUS>w5#fBQ@v+(a`<Mtl0?a?jJnVaVzyNUJUe@A~
z12`Q`5U?vjEDt~axf=x*oPd3LSErBAFw`x7I$zDNj^DzHK8=w%XoE)7_cp*j=APO^
z9wGOVmq2v@+S43Y%0!`=Ygb3NGG5~EQ0DJv8w^d$YG<5GO2W4TIlOX~%-y8{RM4~;
z@{7y?4dmvm?pw99dP;Ek>7SsPhVXcD8pY8eEWmImB-iUP?ko^;ugJ2!g?743#;=l@
zs`Uf`v(^xnph5|>#;me_U8|bV1)hW|JpH4=_Xv#YN!g#GXb^S%jxJw3Y!3~M0OqBS
zW%Ol7Uje_TA{D@>(oB-rASf<smDXuk73#x#)jh!!+0;RxU?xEFfytOYO@qsMju;WI
zbYVU|<~JW44+cER8ByjwAcU*izt70NH-6SM;P=e)I;z4EdX<`3*-!xQ5(6Cw`Q9Bx
z@Ru$u_r)BgqBy)7|6?y_NLpoHSG;5o?#H@C1K^>Z+S7E!fOXo@6k|XJb7+AW!e}Kk
zq)p8-sp8~SG$6lpsQ%<6C({}zP!}7R1JgDR;eCvu!3JUs%ID=bDAz~5EN_B2@Zh*0
zh_%#tkZBgKrzrzisk-75nb%9*NEZV~_b>ui{uWI@@k~TmAP(xqQ5=SUza4iBamQZ|
zjDkC;RF?5h5L6xnak=TeNZkf;+z%Fj9F%M~{f8W{?+tJX3$-eB1Is)i_0P+0q|C(y
z9>i~Ocmd4Z3*~n<m_+t-idcY@T7OP38bI;wkruA6_37K&+7@(I)}H(a-O7>?qDplR
z*P;pTL7oVuO7#@_e&RinOKW7yA@%WlX-7auWpM#FIW@vwyM57RWL2V|YnGaCGUU`K
zWg!8Jh(?0+F{t<779j&-XDUaIIU)!E(}bkWyDtHZdhnTRaUkv^RBcR?*N<aYt$r}P
zowUNCVgs=Fe+h^T5D;Q0`6y}?=p7%&O8{G%si0P=&FS2+_k1wW6=#XR*L4tM`VZp}
z3GfD2lj?mycqQA6qLB^&bSc%Jn2~8<V33)WrI|t|^V-N2j$QNd(U?dYl2E%+aDIa|
z?5A0<%O3%X1SEiw@oEz(ejlz%HLe7M<qkVB?$<J9h1xKrn1vY>ht<=%eiWF9(MKc~
zaujz2t>u<z?E5*315_&J(H=FbgV;E=<;s(L9gzK|Luxp@%<H3ay?6S1Usb>n0eTQl
z3~Mh)Z!dE99ntS?|K5}Vdlz_#sGDnS*dbsO^X$?6JLmFnOg6VKZ#<3%*9|=N1g4Bn
z4y^$*zsD_#l7mL#TpXP`nkWCfp9Ng`P#To$uQcF%X_S|*my+83Z!UIsZImjr+!u|f
zIBeH8JCyAGV2AxwA(=sT?59V!XNF-H97t*(@p(#eSC*VHafvJP-!#bkhQnH5u;x}@
z&q{u*ML$JTJI^aoj!fiS<Uf-`2#mm~sx&y^>H}IGxFg@+uR=tOGLR<xK<$cFZ^vn>
z{1F~{Yo_7o)=P-U9)35hS3fEQuMhjArP_t*e}G=LOX}pyr~fM&VD=1%Z!4uTw08h3
zoe&k-4X-0Q?X9m{6C+8Yg!U^jf5#h)5)Zh0Lt@EY^6>8{0Ophk@O*o>9eN*jM18Pf
zv(94WQl_KCUA{o(Vw;~Yzt;6{+R=SNR{F<5l`>2F8axa7-zL))Ozv$5&`H&^Ku5tV
z_qJf|Fj~KRDH=Hf>I|oxZ|b<IyVKot$hmZNfL-5;wmEtef~*@}+4-;k3gpu85@idI
zv3A%B5m5}NG<Tvo`Oj45@DZ8s+ACocx_?lSC9u-4z2X%wdk~ZlrE1HD_*euFvjGEi
z1{`buYTp#{0~@ZnGk}xW*$<R>bRnHsoEB8;4yns;%h#KyewT0YjU05gNeJj0JXunA
z;U2(nZwo0cn0fKZ_#fN(_tyh=ah8tmb~$J%kRnl}*Q!Il9aIvNxQx%VYM=hd1G42{
z#HJ!Ezo5xnM&AxYBA@uql2>6@hm+*{7nefgMI=5f9a>9j7|lPHNg3UO2TjF11sJ}o
zs@v~@ub&<*y}rXO>f4liaH0xn^gn?89(}W?J@p3BOYb;k-AAo@eF8SCZ|Q>-^KoEP
zqW(dJ`s9n$|DPeA0t8)uP%pX%5B0OjyBr7lWNfAI+;M{nFW<|<Ep2r!O@h1iS+Y<(
z^>)!;tIVMm2SUW|5i8j~3}TjUdz!;~G>HiWjhu6CJTvI*Cz&0_4Y1lWt4sYDRe2is
zT|`M;&BRvkNz7%U>R1^f8vA#@1W8qsI<9n-wPDYmg>%&(X{UoYNUuo`BnqC52r2PQ
zD?iO=!`ofW=5HTBNfQ6dcK;PA;EG0QK**kCeX>@i0vcIracVY=UuZHZ2%ezDb5*ZD
zl8j%l!78>tqO+3MXG;F@HZgyqHC2P>)4P;~9mjF$XYxvY1(F5%S(Ae}`(jQbMek0J
z48qyo)W^h*$Q^xoYjXQVzh?Y7i_{)cwU(eD@iw@d)yuBd`n8}*o|ZG=xH$$>>CFV#
zZSe;fLLYW8pb^y7*-;W$q4Pjm_z&v-!F{;>&S3!@oj>)Zs;@jqM<mrEV?<TqjDV`f
z{-Gl)GI>Hj-|>3!NYz{p6=d_g(Y0=~xBfLwZ9mIFN7uG+o6Jeu+(-8MSpthVDhQ?P
z#Z-$Se<Gvi*4puw7tFEiUGqrrUXRlpH|@2Hp5g}qluyRiKgo;mye<*DKYjf=R7*@B
zwVQo;{-x9TNCTmjR;B0R*F$vvos+sR`zeq9_ee#IsF6kz^cZErImxQ9K!rop)(lDp
zZ?Zbr_T+DZ!jf9&axi*>pYiFTj6zgkf|t%YBC*<pl`7H1klr(C6=K`m#%(V&%{F=l
z_oEbt(W)=b&zZ9vtGrfb=QLn+gI}vp!XOgghJCQtRBQFK<VFM$OoKxQa~lt^34U=T
zJXiE0e0MW9lyf@hy8lnU1P;=FAsOn0LR3PvD-$jc9~?7xmsbI<m1Rz=7ZMATrOWZu
znIbPy0+(gv!mAwe**H&{{rp4N$Uts+_jh)E5&3H>`}rbOS#Fqa(i7h*+oO6e-SzFM
z`82NXf=;m-vr+{DQ#+F<iT|7h5QGn73ZU)MPSbd@Ilev|eog5!Dds%;LXZnxv}pdo
zqV@Rc!N2*Ge?|zv<ZA>KS2&oYQ4J|?(HwpPrHu9DR`4+de=Nv|5JAfrDA)UXl9{g(
zM{k>)mh}viOK3v<+2j5q3lDTVY<wqf8$r_ZC84?ob<Mh0HaKww3y+N`E#}s`+=59C
z&S!YtzOl}0bB(yk74YpBhfE(TaQ-Wve<kHE1;pQbl176f{d=Tl-aMX9&p=Q>V5gZL
zqT-Ua+%Ml<7c!oZLp!gCdu4^bie@k?L@hp{HUs&g`(%ErUY<{LhWmPqJ0o6*u<PgM
z%IU;WJjtFCQyfuc*28nCj`HPSdh{QttEUJk_F_Eh{0NOjs*PkfaAcW;47flbxaz$P
zXB;wKb1n_A0Q*zMpXU^n_9fiUzF^U@g=3^Dad*{^7~^Z=CKS!-1afV2Z?IPGAzbx`
zcV&*fy}GHFvf3BAc4^oQdUQonOs`B3zIC-nGzDbu{tE?wt2GcHR&=%ySb<(IRU=X9
z;2zMD*~$sq``sF}&|Qi0>MPo&$NyHdtS;Y?RrEcV5f0Mh`P8)->7=dE>bhB{8&A?j
zvMA5QeePhUWQ(E3G`aX-u<W7p|NfN#5jeY@^_hAc=uJVUZhZl}T5dy({SrG?F7+Vx
zHoUD)Jxq{1b1_r;WmvETj3;WOQaaUEFDuQ15FbQ(ni2-)N)Dsoa?|?CH|JrTl9b+D
zF|&PW6|PDMn<Ci?_l(1?MYh6r%?p5d%>N#w`9D7ol?4J)#ajyL2cU2))@hgXD=ni0
z@Vm!L`9>o@3c*GdsLUSo^?K93X6r4w1PiEj;LFwg)F|Zdx{P#QG*2?4gQ7ANyfs^j
z{ZqqBqb3$8WR>!KvZSwr`Yv}zkFQEM#s4h(?iY~%cwH`1!?nLkI!_SvCyKPs*r41{
z6(4EISV=B-q8mYIL(7RgciS&c?K_?x+gXjrX2WSLSL2Vh=i4ASio@e$191qmxC&_X
z7ap?@427fEcUKl1QU0&`;1Ed|Nc$2gk&^74bIauB@8&IaitJtR4Z&R1l!FhK%T(&)
z?WElL4$BvLc4y$)ah{UF?va_G{-U|dD!QPVnVzlwS>{YHCI7tO+(j{>X^f$ADnqZU
z%ZM|QVxQWUNrM?`AA^c4TCD$TyWyBXe3oEcK?1#^F`6mp&GzKZTYEM4uI|__fAt4#
zvrKV`kxG)w9TzUUfgKB0P5F65k9A+@fk!;_Sa&;L%wfBwPVR>SN1ZW?J%*5a!@JVO
zE*~osYc+)L<JAxMR80v+ob#8rX3*Yk*$^W5%A4-Y2I5VFkI))gO7!Q{O|s)2tQgI}
zoe7Uz`HFIJRnNbB4`cFT)9##J`I^qs`<TdV3L-c-yR+^Qczi9+cwRD)5dUIS7vk&Q
zbxG2&^qD36nf)JU47`FnqT#Uw1d|T)`QQnV+{cDkfznIuA705O%|RsOg*gX_f1GtF
zRpO2LZJKMapO^U<o9#24S=8n2wsgt5dabUQQIIksViXmW=`>lJ|JV?w!J!22d5kA=
zXY?jLzTCgSQr`(3n9pI1S{Stu$JOcxLzr*D$&NCF<e1DhhkfghK21`<1_lI8MD0`x
z;U)5$xjCH7V!xt$A@qdCfE3gD$6fwl&yEeDugSih28kVxOW~w5X2y%l+>M01NZ3_}
zL`^yG`GcI9SEF2F|AGx2u)t$7$-x1+OOjzN#kZEf9->d5so($$Zi_RAC1X?IO4y<G
zd(fEmAK5<~xe-y26d>wM>RX3!l$sve4ZUTeKAr8cQe$$?Qj~ci_b36Kj%mbB$10dl
zCX%Fu^`KsK&Y5IP!3xcoQ(NQQtUTh&Erp2dWx5ym1_3zsVp?ZT-Ns<;Y;D0w(Zc4h
z5hYPBWu4w``!{NN{LPGuEVThXx-jVz!-Vt`$q8|Pm6f%%3%saZ_ltTrfo|i8Vx3Ct
z%GMbx^UwH@1z)+QoJs^PUUs%g5&F+@1FE@7DF<(Mz-ob1kFUV0p|KFr??+s|6B^(4
z8K-Vav$4hY`Y{hDGpc`esC`uHN_BZ&XOxos9301a+8km+iP!uf`J+KlE_jWxS(cB5
zu?HfZ2Gl;5zMyU$D18yRyH(P)HtlA4*1I8*<syWQC~V`ApIiJ7bq|yPM$Y^mix#s%
zFpv(qKApVduG-a$rts;c6t)s@`1rDe>(nu>UV*h=T^fytmO2IB7u?P?8w%asT&6)i
zeCd@HiWj&)rg}=nBG|t0aOLeN`HIq_LR>;qs-9NS^b6ATgyc-WSwsh>O;{pWmO(K>
zOh})D5+1=`Dv0<4HLG8EYe~z^70XfWk1iI!yu1bZTPAe$UY(Q{zQiOx7Z>6GZ1~j~
z-}5SImjfN;AXg;z!=I?9mjYy`69RGe*-$TD?~KMN_9>=&S<0-25C`upIVAgW(wyK+
zTb26NB007Aud_lUPX`5DAkHd{?De68%HHJEuG$)6s|V`6zhwoq%&&d1W3En2lrBHt
zzPnXx0`3Z5V(#Htn5lL`+3BH#C?yw^{**;cdzJMJc}tKR>aY97pycv+NN9>6ac4?s
z#($-XmBua0qTV`QX<FB-t9AW@J2yNJ;9&u(Yd^-&KMBHjH+1$goEEyM5c9nE+uxY*
z%7O_2{mKLq4RO93dIehPDgOgBlwC(fx)wXvYOFaDm_SODH+Pq<kN4VFWRJW>b0$Xj
zb+pjf8$0Vk-^a^q4a!|Tn6QAB@6M4CaXG6-b>4GlpJnFGJh<zxGO9%A&t-u1^Z!tl
z`#=9<tz@im0n9!AuPU&|e-5Q4Yqi+<nhEsXf69mu>6a{MUcI|5`pF_$;prwmBNZjK
zrp|@o6;$@=tUXSB#M5xUm$ts2bppfRz7tyg$aRx2@sll!A!qsL>WnD^A#UR<^A*AU
zMQ^Y7XAd~*NhAi!zYEG|e3e9P>mk7Vu_=)eF7J*FR7vhbPhbdnK=CE(8yRw-=!cJ(
z!SD-Tg(Tv<8K>C&Z2M=7)WUuAhl=5#oX?Qh5u2Wyjh{P*c-w{?QES2|qg>n%)~GeF
z(tMFMJF*WX>_a{G%HPX|5|TzgpVMIP%jit6bJbj8we!;;r-r?#9@$;}y<0nIq)TUR
zxE;5zPl(&|^}JZ_5+Q0Acl%3vs8?~`$F)+8ETQuQQy0CMIl0znwNJ7+G-de+P_L5J
z*`689et&7P>Td8J1Kno4J`KN)lWWkPi;JmbCS&MtD7A?I40OUQ-HRMpuJDmg2}@Y<
zsDG;7J`5E<-5w--C^daQb7hL?VtvO?oGkSDZj5_VhSsn2dc+q_MjQHaw;?Sm=)HuZ
z2g&Ll{&SodhaD##-mnbD;I957dONP0ikQJ3Cjv-fsDQMfOI>a9!q~vs1BTfyowDvo
zV``;!L&h9I7VLFbq<0kd{SR*b3fdOH)cK8;H(W^EQX=6RE<#4M<Q<Kp9zrDr)T@^n
z5716ux`sJ9$o|Qokc30YID83RWPGipk!q7Fb;o8MMT}e5>?|&5ADipM6HLl=E9kt_
z)_d|opg`d&zsA6uE?4L=b(VIfqqP;UknRYwRs`g1wEtZ$;%MEfKHVnXn-R#eSfiSy
zxJvD*&6V|wjy;QH^$%r1i2WZgJ9Y*#?8Ux#zkx}iULi`d8BdRgaU~hVq(#w$oYoLv
zo+rvu=+7JEbsd4!yZjJOS?7t!T!-Ic-dnj%C?N4fvosy@DqD~n`;s~R`(;{zM;qyK
zFY6-`ci;eS6C-j|LjGEoB5C)HO3rRh&AFRLTh_MMhBB!ZHmCj`-?p+-a#U!k-ui3L
z9b92F-~3lTyF#V&iJd;G8nK&wa>GSobp;tmC2Kf01IH>yj;Ic?QJcU$tBzbWY)U_e
zCx!>zk0JiLC%$7PDI>pT8BtTE`obgH*pF+@zHCj;es2y-Xqn~d`{rjb#$}1&a`z9J
z$B<vz3OWwl&F6$uK#J_qpvgg<>Pt!C)#-z(9~J^)-m3mikCA~?9ekB35+Rc7HqDyU
zXQkoUE*Al#Ic*U0RkQqP=_vmNxM2M7m|1XXax;Ty!l0rW*E&9-udb(0U$D%x#t#<%
zw$WM+%-HJFUm2U^w<#t-dMYk)%9^bmnOE%lbMkWjZY-E%`+<j=&1ZGaNoM2SNUo6>
z$<pb)8Rjqk>65jB4sHa`?+Y+Mw*3>pjSnoUrE!7GVlZ_7q{K<JUjAvzKfYQ_@96jB
zpky3l$7(yMgpLxDA%*KCnOPwkIoY1{P`R<rxMycT$E1R|nIJ8S2=}dil(0?A`(Ffx
zQMM17seTO48gJXtpTvURMNMoY#F-q=G0*2|-%fqbQM2||8I1&z+VEHq_?<S|&++C0
z_YL`f!H!uzTT1)Q<2HdetFAZRV`ApCQ+cA71XEP9dK6%`o{5VIiNPstYxj{Vi5RC9
z>f${}-Vfc#A!+rrd{pj7ow2k`$jpV<t#x(M$j`$gga}W&jpgdPVEuy~B+uove)9fF
zR3U&cWPr3K25<SZKRNXKF*(qKm_ss1MNAftbqzD=5gpIzBy@+THP#2BGQFRxcNwb`
zS=lhQRJeAl7c_RX6fJWn;pagoF(sLdmFO{c1oxFK8TFz<XU{k(pl2TRKh7FzW~$s;
zxk^iJ!d8@y;>+>KqMm5BFIr)wrwXtBWhSqv02(NE@!=m@0vO5^AEN#eOU5uu(<`Dg
zjdpVj-EfqTP9ureJ~NM~Yh6}Bq)U8-Ua{=HeFcO+U)S>q(u_8dLko^${M+|$c}f|@
z6~&U>vgG@Dy^RP0&i{%VnHoUqY#cf5Kd<kZy}Kw>GoR*L;>bA(>8RnT$BhT9u-Hje
zk3OXmcMqd}>Bl=)$$8D34do|JuE@di_8Eq<!Xk#Fe8N*si8IZ$^>oyWi*xnoeNzwS
zQPKX`I8+P(D&HTL1$2L2->cf2!YC}kZ+85!;;lB?8RX4)tg;0`E@yR#JA*@kdN4<3
zjBD)0?&gHA&g_Pc?Mwqj8%<i6`CNXJS{_p8*3Rnax!cxlIeOLNTWZRO;tsV@p*3ge
zYYQkd55}EC^-ZYP<Njtyj2;ETLby2I8-xCzl?x}z)25v$dn%!w?-e)oUvK2d<~?Wg
z8(j6~_;@~v=JTgdemZ*Bf-4eLZ!yau^aAIglq^}4Z_b9?+ipC!Yk!|%=)f8LJ7cWj
zLYEDnB2e}WdK-qPgc|Z!w64IE^*39hasS7Vp{qF0H6Nl!>9Hj8S?M-2#nu)w#7bl>
zc&bubht%}VnhI!`=WUI0eLwVqRTmM6klI?a-t4&&*zz!2Sv&5!9+gP2{pu<&Jh&=!
zlMwp+&-DHlf8$aAXL?o4pxELCU#}4*r!W3}?9Ahz_jqV5cWH9YthTCvg;21?r{p91
zlwJ3J^}e4URpwi34;d~`oCxBrgy!?f_0HA|kF(CD0wPRsPx6a1_}j$?)3V(8jm20`
zx2+GblcX`S{?3vMNWkkK|B5CADk7#JzOO?)-5zahdv?}l1&a}H;;knN<LW&>>T$^2
zCy1vA5K$eNHOKQ?b^L?WU35oJ^=$iYE(DP|3(x5BYDP@D=VV4!zZJ)KS`dbeUz+lE
zvF(&4ta|urTYN5d>)?K&Ef({1R2O*)vo22^1Ipt!4FQ%m439T24{YD)LmXQEW}ydw
znu(W?m;eA?__RhV8(kf9{s<!TcSNd)K!%zL)b?Jr+Nk3BPGwW?N9OTUgfNPYW+kb`
zCqK<c;&|d6HbiwD$*rDI@Ylq$?ofs&&<Noi4)n&9$GR(Pgj32s4z&+AvFjv6#-G*6
zFFCxVw~NTI4Uid#r1okso1LD(ge|OicX5qU;{8#*Q9shHQGZViAR`1stfAo+mKX%-
zAcSlJhbbgLWk8aj3TlZ};M*rdG!~W5NM8=AX7{_M<}+<hSLvK9UyR4mFIx&rzEX>-
z$FawrY4e#m)z&Dy@dQH@GH$e8HNa&~Su(taZ3S{~5@b|#6doV4o03a*D?goz!e8Jk
z2<))9TP~Uu5Ib+7eS?rZxJ?xx^QmA#62d*n(Aa={iH{)nvHLH#Tv`CyO%|@6#tH-d
z9U^=2_WcR7FJ=-rTBMXUCB=E*-pfeEDi9^42dxm^z(zC8yp%s&|L~=Ko_l$)pnHvD
zWxX}mVtZYM%$+W0@AP=M;Bf!@_dZM{Z-(*b7+8cdypD12V$F-$7}nNr902aVZrbOj
z^`0+MhOUR<XY~dZzJdEfhp-?5*TX@3rA1zHk5)Af<Ftdo$1RyQEE0(Af6Z<i;M+wU
z9Uyp`pB_}_{OygK&7bORDYl2-)#d3P<`;8ZgUzLxbE`T(iSvZ0p2xE93bIwVHeScf
zF4NLM5`#W`8{Tv;ZQW=|Oz4gxdHjA!M*OIRZNxcF_FPCeL5Fvh>!Nu`&_QppOq@v1
zvhR3y-u32)G_aIOdjbbfWKrEKj0+;OCFnn!d~5fMR;bqeGsc-@$ImIC<3u&VmS5Lh
z@xh;}O4VzSy@6q`p|XASLuwY$rQRf#gN4@7*Mzwv6atPEpeBo9o)$m53~T-O;~uLu
zUk~+vji4#}N&4b{)H7jV**jjnyS?pQ6ubcnqrf>x4K6RQ#g;073a-QCX#K_-A?bT-
z#k9E@q+b(~EG#U8gM)i9HXr}4tg@hWxM91R(&8vK=>c!QdLo$-o`p1ve!6{Yv-bE+
zs?N8u!y36vTOKa4?)zFNu;$<Letl&rG8E9Q!TnEB2i}eVBw6H?yJ(SIve*SH&bMF~
zO_oXe`Gu=~`a0B-5xpgSdZyP420BK?z5UmsEl7_0qh4nl9jo*N8~aS*%^Ws*2Ihkw
zxHe_RVe=F0cVPk+Z3HEYGOh;kMdn|+58dW-?OzZy9uI)um1->uSucjeh#vBv7AAtv
zXI1wF%omjuC3tMI9{+sFgtI6%mNGa=-rbf!J=bi#NBo=Rub;6aUVWZe9_@LO^9#qv
z3E}C#%O$7_P=bP&qyyg|QEBegfjg8lFnowyN?$A1l?(gC^?5xvV!|nRaz5R%#Euw6
zJ*Q7$A9iLknbk9uG-ew#|74v)o4YAweC6(;Qz4A<tx2sqZEWW#X5#nZ8Tay%{qb&T
zcptHjZoA@$h6TRXF=}<E;%!C2&drfB(*Bjq`&?qSrg3Tiv><|d5|U}GdGs9rahTQX
zDu{8{2VCnZF+bnE;kTwd_emsx1d)I)%{0H0du`)LWr@Q!S1%4Zi3|^cGTz?_O~ToM
z!c6B3Qeg3Z3RRJMy5FR~r4m{OGZrw148^TPW3*|x!2IHw-Up4Hg~20?6-RW1Ov18L
zE!vdAanlb8sYUH|DJ$?ozZFat7%NKdQGF1;`+9sHW<u6eC$YJ&z2TK#naPfo#cxbv
z1!cmyxlJuuU_0U6^LS+8>Y3tHIutSfRc206+3X$XoEZJd=&|>rpGA6m2$9e5-(kAo
zR24~27v=kkq?HKWUc*!-Iwrm6m0$dmJ%oY)7se0x^aO<mk^UWX1TpdS-9>kj)g?mx
zQE(Q6^bVhn9&FXYwWU-iRw2APsXO_2Okm0?fL&&-%W5W8w&P6@q3q(8TeKllt)f#4
z9oO38Vqutr&W!QHpAOhuVDH<l&|D&c?irY{lix4xZ@atZgC>&>OJ1b5tvlUs3)*Pf
z>W8HGd+heWrBmbDilVOX!!%$dD-;JG&!V4aaQ`(aY(!#&4|&-)$m>fh4goPf`HDw_
zM*or+)*u87a4I4i4vHFTgLD$<v>a@NKCrWFW>?E|?8k|}(yOFjxX7F6-(#dU>`K43
z#gC&AT3Ua8CYfLw<gDwS8yu{?^*Wx&|4gIVnFQ^}E&&>bT|SItA>FF+S#h8Wu4}WF
z2Z*W7_a+?_rQTfsju57Z9hBP8Xd`}Hn8CUz_H4#<y{2W1WQE+~o~I)q(O?bHCXq%^
z1+Q-Ec$uHQeQN)2!W6oK6!|u(t92C<ltzIm(L|>rfuiHD<1H}{=I-wIbr7m{`<c^>
zxfV1&8VC8w#@mo{Vkz=v$I<u~vy)>01UF&A1R_)9T-;MfK$;`brE!kTYR_d-XA?)X
z(W*X_duOuQg2}~*9Q(A2UXkx~;yhYspd-1JW_C)<Y4D$7?j`D0jillG9Vx@S%fSoo
z8?)L)TFU<!p$*`sHN(azfeeAE(zFjsLL{~s!h9=~))8|ro-3^UNNuze#0&Af%7<7`
z>c{mbvC%x3tKo{T(MX!oR<5RRV=@VSFtexQS`Fq{Y_yqybS$h-G~joEe8NnNW-9b(
zZ+djIzOHRx^sp}cUG@x6vHDeGh+6I8?8)CH|84iUcfn6!!T9G70+~S>GjE19+tJrY
z)Q6RniYBnTHIKOM!uEoXo`)#d$`MRNEz&7$+|cEg37pn~M<I}6XRDOB?kwT12nV!H
z+M)(QsCJ|LqI8hLe>nEvFxE^14Fd0bT}t~EAW80(_>}u9b>He0o*9KkHHsvj*JgB<
zV}JB^Sx!ZneN!is(l$}I!C*FS5p}d{2isG#7=~c2IHh?x=ren@Zx##f8XGDp;p}_N
zl75W&zrXcwW;sek1Yg@9rqPD&uj<+11-*%QN&BMvs|tJgO?W-7w2qa6L;{}PY^@Cq
zZ>{s&t#{7e&+R8ueujLN0P;EiV$l7c4pD#;A2?3@fFYuGG8Pinzl}(!uk4DX<e$xO
z<ZtaV_8N()R6O;2!?Bm@sNX_*fUsnGNtn^2^pSf(J)kb7*>mf|oUrxhzj?sFHVj9(
zIeK{2HG^lwfD+NrPP>J5kt6c5#QpL}owr2L@+a~E;qd`$)j6v`XAjF(;u6p4K>mKw
za1|F=NF-`^oDqZ5)H4tJmgh19vEO#qu@VwH2`g)K%n^LsPaSv9!~XSQcuFl>IsjQ6
z_sbA!U=7N%ccT!g9(C^Q^254}zF8|q$<66Atq6CPd9?Uk23{^rHScTA?sU}hob>KB
zLR5j@g<Z6}f!Zp6ntlE=1%Qy`?znBF%Caazv-}o@E?mfcOiK%<hAucol-`ac9OY$w
zWRV-J9E$q!OvRDO<(KfZTc|dE)a0`!x1Ku8Vcl6VbOlHSO<wv0if((*&a_x<)>hG8
zbou|*0z#lSobMiRNZ&G2U~;vUG^vhV5R4==CcFgt5W1MhqjVg^Qq{z}1WQmhkB3c1
z=y>`1Mt6s=C~ASK3q${`Ox_pz7meV0-eTvG(N_9CpE*RZYTF*UyX-F_p{YL|nu6Fv
z%YirYmqTMqFEo-iMk@+hPe&S;N&irs-%xl0)WeB>?-A0k;GD-VEoDNgWFF~kOh>2Z
zHl)n{Oo&{a_xURIh}z5UaExMO)VFt1|FpvUGIks(JpCM{GBlwz<1y3YMLR~#FCrNE
zu%oj?!c@ns&eUsSZH0L;NMGX2JxquolXRIz$;Az`CEUnA&M(#Nvr<oLthGKYFa7C>
z?e^%e2T#ZVh1`r|QH^t1k<^Ud489NJ>YJ*&CzL%hdk`0omv-nhc{4m)UVPKfGl;4#
z1hp{q&1>}x)PjNb&c}Hf3satv>?%wf3#GeJcp1Glgc}3CZ$=y>2A$prC1wWW26`Xa
zT7;G(CMhYE2^z}8T6@eQxSDx6V%t`_{jmDXQ60`|iowhAs_%ZxKrinUEtkpS%>Y@-
z-|<1@moOlD0(D|b*hn@hnWfPSRa!bf!F7IIb^Gf#_AYM5Gz7=%X@c_$6LKVL(%y5U
z?|Y(-R+ua17y_e$&RsGJPpV&pV@iGTprymeJioN*Gt8vMk>eP*)*8B8-S=`P%<CQe
z_-)4QwxhmdriaKw`WC6yqWOVedL}j_jZIJ4o;%?f@3esn1}`n!pK=H=%Fcte{rbo3
z_e2`LFsVV(DruT7Df;~cJ6esFO;MOcOb+FAlrlKAoRB6$kv3F)P`AtX#z)I6Em=!1
zjx0_=(4HDkieQ-PTp%n>%FAwmsxeMPhzx^Vo7K&$*_eM|@^zwX+&K4<4z}{<TjtHA
zS+N0`r+=Dy{tGS8Q(#}j>1AJN11d;0TdnA(0$0G`n?I(3Z*rO2#<GcL^Fn*h)65p~
z02{*v($EBwVM08wmRsK>E&ht91p+griD|Z6gMKjoeeS}f=CDv)#yZ3>E_zsU8X-+%
z#s@RS*hQ|Fb+;B3)_cOA51i2*wZ7;-D7dAl-=b1{{VQs3Yw;3C&ym&k{{abjvJRRD
zPh^ax6jTsmMl($2y&tc*8RSR|z~wXLcR5HC%<=C2krix-xP4nEGS^yK%#J^oDQ};p
z^>sq**LN)`>-;n=%I7578GQ_gs|z%z-@hJH(2#V$NY|4#--5~-N9A^MTKpS?{$0+K
zBmhW~H}KMRJ~$wAIS<-2cB6$MNVO`*H9k&nMEv>BRsjH-t3V(>#~`QS_r7-`n(gm4
z1-stbCJScJr@nd=73g;Uh0S?BSHFHl!+$TD@*Hn95*;ID@=;U=x+Bx3PG@I3>?JxR
zhD7aEDeTD2y*-1VY3rJb^SmthX#zwPWs<66D}Q)jzE7?KcZ>W|s_CEP4g!*$D9}|$
zGlhD&1T<RZ&8Rdlu2#E64I@kaEsp>IMYA**=i@aK8bBK2)D~60d>bL?sB&N^oD}|a
zql50od?TXL6esI&S@G<d6tOF39}~v5%YIR^XJ*9*X>YZ>`A6pVLL1k+rQ^E;QKa7*
zDNS|5xA$82zM<E@Atlu)>3x}bUXObeZzj@<O{jXb>7UuTo}<LwJ!dl(I_)ApXkS+!
ze{jq!_0`ywg)as7!9Od52K2xk+Dq4OI1fQl;v#Yw*I-X#zTGMwjaQk27Ui84N?_|b
z**^`c04YeoiO#m<GtDeg`?lsR{K7N@k<0mX*96}%H+gDC*OvJEGwz>0&vbj;6*Wyl
zKfTaT@6!u%cGj&1E12qE66+V*7EA`m5&T*_7b*3GfWt%k2h6i3_ZMewjYeahW?m-R
zFBV~&3jAT7OP7H2dHHUL`@98tbw)GQJ)h9?@g7&H>nZDDYekRGT6CiQDYbx8jCPN}
zB%cGs`R+I;Lz;ySPv3#ngbjyFFm5D!RFa4=9t6uB<TcuG6+$}4A*ucxnzLe2dqqWt
zN-vL3YPl9_rF*CS@GD0rrG1rbDm|oEgM3T7J@l<;3nHY%Lz>a1ObLAt3pH!QYwwDX
zbylY3aRq72mXYR4A+hI<fKEtScC@P9aAhhSC3X(UO-`Aw_a{&XWzY%#@tz8}c`ziS
zR=)u88QlE_GK!P8eLt0;pTFMvJd$wbxI+5)C&t|1L_goON)qS9Z#ikKRB~%2#t+lj
z<z!My>oA5oP(`O%=kpKFe;hLNd&bAR7VXKjXFPgqoUD=L=dFZ2IY%>jHTxWPp1q3j
zu8#lP;m9wyV*-|hQI@^QiJZ;ts@e%J6N`|-fvq_~Z`a`(&*%6f=-*Afmzu+mTO_mk
zpF2wOE6FSNHU5w`J8kN&b=Q2kj;d?HqKzX+`9l6*gJFkvBC<Pt6BI%uuH2Q9>bM-v
z@wpz3sh@axv3$B(lP&sZ+E6jfPxa#N#>^UpuAl0Xto;d$c6E<q?3e`=W%Y!hUW&nr
zHcEv|A$-bTl3bQ`<_@Db944Ykd#E1dlAe?DD?!vh?PhXqDt4^NoxiaC9`c5my`Jrh
zRekC(9SvRv(3x;_Q1eUH1$%6haeMR6ZW4fd>{3OOye;F9t9}oi#~LE9^P|e?&bp>r
z+uxxu{yVNmsAFoZQfw7sC+_Q#DnT_l!*lkUsU9(&Bdd@uKg;k;NTf`d>6oYL_GmJ|
zw=pZrPTmk=-b`ZCo$(`CR-<iJOi98<Yzb4m$Gf&NGU__#Jaf;wSE1s!kWYfg<0*t4
z|H=vka5zR08l->LtpI+uV*d`WRu@r_8l_1ZiRI%@B5m^Ayr7c3<+cikX&msDoWOpx
zkn18^vc|}m6NEa4WET|n6kbf^bSc)C_Y4sbl}18t_8`uh-Z&u(r0Pb5tIgUS&MOgr
zOOF6?Ohh<WYi07!{SS=JAtP#b(iH6WV!T`broF$s+rHu3Dk%F>Ql_uA4(rv6^!5z3
zIwoj*wAD{D%2EO4U!lPfYs5N4q_e~3BX(kPj|Tl1pJ8RI8Tsd0u8i8dN1q(SyVK!Z
zIB*=E=G_~Me*T|H&SO5u7uK+s1GDp~*QC-ETkqYlDGMt5d@UsMgK-PgZLcw^AOMBn
z^5TdW_ND|M=PMj&kB0*kEhIGGgyLqTPxJPPHk`kAi`}emo@GZ#Wl4_s=IFhCkODLM
zr@<Ne9^TjUI=SJ0vI3YMoS+KD0lG4e-M$xo8rBqCzxxLl7k$IRc9^xxhibD*dIp2I
z2d%8^g#6TOZuDm?=!V<q+aCn9IPCd{#r{(gzy)>}?u5~XjQyiVV4ijgA`DuCvV*zB
z_(_#*Erv@PnH)ya(_^L_=Fc-ZV{!>JV`p6V-Lgg-9@T^xe6D+B!Iovx+yH(>x{VFC
zk0rQr^x>!=TVT>~{rvKctMWgEvRzt-m<MG*w@L7SDeV^dk~Ow9{>C{^<889ufUW>?
z5=d&^E!yssQf3Tyd>Tt3E5m#rG9tL?$+HOl(&V}3{OoJxjd{ur7XF{oG6Ir@62SjX
z--y5e&x3c#l=UL5O2(;L6eE-}_smN~uj-aO9Vs7|D+(G)GvOJuND4*TP%SERuP@7o
zwv09oiuO(89fLRDx(<i^%?BWWtSJMEn;<X9vz}mAb?kS4J%4DrO7M>{Tv1^r;c=_6
z8bY*7s|7_;%l75@Zfi5$)SVah&+DRLthUt+O<Y!{T6WJR)`D|qD)`*31>5>2Dq?`G
z{XJLDlU@=+;uu^9zYGuke|^1mT$EkZH7p1MigZXL-Q6uncXxMpw@3>}BQccJ(A}Yw
zAl=<9-OYEQ;&Z?6^Zq{m8XTE9v9EphUT3ehjj~UOunt(rBSS17i1nY4p|eN0{Q)<6
z84}9L$x>E+D!qiKb9EjXa>;-TqCe!WBZqEuzUYTwpqsp^*su9K?K<oIzQ}9+^K|N6
z=0|1`APC2$eN<{wKKi}Bcwr)_U@@L`64lhyGN@bQ(6T?Jv~DbHMm$T${<R5;FoE(y
zY~g2}g3YA>Lo(L4n!XQs8clZhb#|`qV|MM?3!%0amD>Y`DxtQzt-CVV0jQc!X*FRP
z3XsZEe}NsTBlLI6a`?uOXkU!_BJDFFj&=~8&fkn*8!FPdK^0HqQnb=rp)oR{F}C=Z
zG4=*ga#UQf8UERO0_IZWGc9k-_>VPx+P|Da9Yu;d0KZM?%&Ca5@vWe@FY{_*%Tnro
zC|cm;yQ5~|wVt~Ob$Wk?dyF#tI#yRf)boGARGAN?Z`nOs4-%v)N{DD-3!R>pj(ue}
zrjrUwZ$bMMV%iJ%fWNuz5);%ZEE$}yi(Ka7>hn3opA6`V-EZjR$SB3MMh&E9xu))~
z!QW6AtpiP}JlxZhKxZyvj)<0e=&H!lJZD}serSC`kZMu}Xvt^I2W7)yOjs<GV1Hp4
zL*lLgnAbiFsAXPj({~p_;eq7!oO>b$LV|fZCOVFEmY9LzAR=BIhIrp$+O#Lb)rtjT
zKUQ<pUoW6mM&Q!&w~)?Xi1)qT?!I%x(}VdNBDNVoW%VU;uri+h%=>zC$YxQoGcJ0Y
zXe*kyCi!)Ar?V4LDJJ!#PQoN8%ObFV;sH{Pm&|X5?Cw0w>l21U7o?*;Bj+*am!{yu
zj0G{P*f|#6>c*FK!7f6vXYIA@8*KJ1gF79G7YeoB1ZLD_ds6>OINORJ%ca72>`SEu
zVCs%I?q`-m{|yQ_&Xw42Z|^dKXTY+wwN=mIDT7qf5jex>u`J3!2XRFx^Okn&2i}$o
z1|jxG+tKfFYP(XiZ%sj>q_u<(l;frGf?1BJ;fBKB_DYCkWvj{8lj?D)7-!>POF>@n
znMc@O3IQ&frCb~5>$2~QUeZpynMDr2oz2~PFjCo<F7e7NX*@2D#fBU2sA*=!>id^w
zTmyF;=amM3SmA#Y_H#t18FLG6W9hJE@o1pE*wtwj=BkIBgbNR+)#o*tE0*a2pLC~u
z2qEwd_0jCAtcWe*mUz+LvXKV{5f<B^>4zNhE0U7dGrWykWAI+u*XHq)C+4(Yn-cIW
zD26iP|8*0Osg)+wt&O0tJDt8hJFPUAJHQ=(LJkh~9#d&6K}u6mfyqeH+TIcE1}91S
zSu0hOt2b%4Tev+7GyP3YX>raX8GH-2m&WZZxh`QjjtttxxezrX0{AP!zO0UjYs1Pv
zyYt>&-COp~O<?aci?<}yN4X*_j0(g-jcZo!z$d4$d#p|CMam;Q4|g<8@#ex^B@&*7
zjK%H|GRe~rXTsK*6$%46oPat^^iBni9*9#`4BjI~@4jf*9i~g7O)yNupl0MDa3&`D
z%`HQNyR6=fXw~+4?Kb>8?UCt<(7vf581z&V<O$RSdC)TpgJR+8kX92GPV^V64*=5b
z`I)v`-N);*EkCzU)Vy@^=IiZ2Un)7=4t(lnXZSis7uuKiwO>2dGO6CHM7{q!#CBGV
z=xt;=>?}b4wkYYAZ|m2n+ezKm+t`hl8;H4wZ6>5NraGZDrCZOK;WBF@vfx)gouWhx
zez+DN{#0;Ob%E~QJ;b0jp-j^)N?l&}T(gy2rE(so*kDYm{@GsnSedubo3mE&IYukj
zFyipHF5H8Mq~C@gjECj+uu$XNmL4N5|4z8AD4nA$w}%xKWJ_OXOxYK~7m{tRZ*KUG
zeO|r&TXziHqyY32_j7_K7l8kBSFV7QtV$==X*ehUh6`49zdKD*(&AO%un;IIRQCv%
z25S}Bv`<|rw=W7KU8I^l3iQ5**KHY_@?@nV%`8X%WpN#b<c6)!LNT_C!C6zkes3jw
zY!)_imh{27hwBFopEyv=pz-4SI;SL+IG>wUG7oTwp#}OE(+H((c^MS0f_xL40IH9P
z*#dm6LfJ$FYWE<0n(kS5*c8gz3X!>!`E!SxsNjr8-eN|&UyJ@Vlh2g}fxgS<j3|Eh
z&wV?-Y-eov{HHgjYZ$Ow+5NqrxTTJS>|U|tBmXh#!)K3HtA|3FDbPkhyi^g%lC4F?
zEXiLrp0r$K?nP5du-X9gdLZpmg_DxX9^-olahh4Z=2>I$j6wzIJSypMP1~KO1cPO8
zZ}H{wIG!+pp*y5RDaEJW`jplt)vI7r<GSLmwVy5)_R2miR^+;K*!@vdBU`IkarH(+
zNtN7HSym0J&oGa}YVHN#u0k^hX?j&!HEf29J+d|pBy^&&#W^=7sAy*zD!xGNb(`U%
zsg|BUaEOPfsoF0#&fTMi4nLM!49N-*V9*~RPC`u)wB0sVtqp3o`ij_m^z)|kEa$3Q
zc`6HOyF=j+Be~Fg{zXU+8IlV*W(QnJM#(4d6EUN>TbqGRBV?K4q%29sKfF_0e8n?O
z5UW~e)Z`(BtmxYm!i|+%8=3_MnWdz@{j}in$}?P<-r;4mXH8WUs-$EM<N0hZ_pfPZ
z5&;c^eX(}efUUATUW@AXHUr`ERFa%6t&^m<Y+iLi)4d!AD@De9Hs`K!G2!wdrqG9g
z)VYgPH67J<mrn}R;XaQp1(PJBwXih(EU)^uhv^<~<NL#_W8Y_!F7-j^S$HBhF)m=3
z{BV@Np<W8<Bcol0H;@21UqaGzPdqzk19y6NF@Lc%DS=0+X<VaUtEPlNT+1=k@!+P&
zSN5gpF&%o}L^}p1v&Q97MyuRS83*HB$b{or-43PTC}qcqCa*~^Eg4G?Y4fUO(^kc2
z<-F1v^>P_Er}Uwq*qss-mw+I5Lq)A(+~Cj?H`FN=75RRr*&m$Kjkwu}132XJKfc!3
zrq00_{d!m>xmggORZ|7A0mR;CP;?RkzKy5Zg%Ad4U(3Y;Tq69=aT|?4z9<_UqZmf~
z<4)^{A-%Xg9+~&-giAAu(gBsJUgCPv6ju2;5z?j@yAIZ~QRGXKWU)s+ke|;8?)^ye
z64@#s`a?<iWLx4r@&g60%~K;TC6Llv=89#kj%Ci=%6pW~+fr4PKD{}6FDn}#nWsM<
z<Nacu#Fm5t*Dyk8KXYoehg_3a%aGu6=%7-InzANN&50bj`0;N#s}<z+Ph4M<n{RfO
zP+qmu8p~sU9lx6xB#iXh+n?DKuudrX=0c$r6RX7(^bKxftNKTb*2{g4j&FDSpgc}R
z)09%Na?I#18|Zfw0^LG5@~X8vVPvh}qY35(w#TT1?^yI#4(jn`lv5Jy@`6?2QUl6Q
zd{c?~aQ69S{Qfs(C_~!s=L0~AXh4UQpQ4)J0rRg{M_}_O6KKP!IaMf`Y93Zlf6GSL
zLTpM-Y!l~Tt<B581AS0F8QNEk(9pJ=(aj4pMes~;nGj?*>sxqTMZ!!KIx%6pPN`f~
z96EWtdr+!pHE-RP#%?zCMj2VsvHdHf`E{R)orxN${eMrrzlE(yqCnh^&tAm#j&LW2
zypuT5Eha@(=R=%PN36q$8?A35ol7V@{f^>ER$=D_6n<vc(T-1Ol+IXWy2aRQ9a0Gi
z=jM-9RL(x7ZgioH_fey*<UgpcT8n6VFFZ~DkMsVw#s6g{b}k#D{6J6tI?&ve=(M<7
z3{?<yvlQW}xF0+>+Ik=%+g%}?2G;nlHT3czmoBGRG}WBFvbwfs-{==_V!VoT`bUy5
zJ-BS02E%QIH#Zl}o3-QdORmh}B>#)&k^-E84POd!hqj@*oE>B7cUr$6b7`a8x2H?x
zZ=!_bl7G~7%Ks{GK@L5%#(&`M(NM?Ws-T0|BV~gy0ygSDdaDr=WZbGN&Q*tP<0R+a
zGBGCRupb82j|;XBPTwhD;Jc49WOCI<(tZjapJIwf01h~Q2P;MQ6Uhmid#dw9Sm3N9
zio<Ppkj1mhoaONtN(VBl4?Ye(XS3&{Tbny$O|S-?e9R%qYK~wCe_rG`J>O=c-s-(v
z974+)Uoy_dz(&PeU*JeUalKuYR{nt2KK!5Rqo>V$w?u@v1d4_sLsH{}m_MjE!nW0G
zm~9zzXceg|NHOrJFJ|GUeHgR7ThkoeHV;WTG3XS;?mZ@5W25vwx7dYaZ1%C~@@;z4
zO4H9ywHJjVDsuUHGh#b@VP>xewNSg&P-4GKUlaEr=qaK6&%6^KCv5)xveg!{p<zy^
zMyyOlO6x)u$MMdmH7#evk|qnc7GK-M#{`@<Wb)oVzMphpt|xG<29)K+{-e_3G(X?|
zzyiMh8<{?jXv+S#9B|l;PTt<@45Z)GQf1gJ`m#GM(i!UyTV-n~#tnmA`h#b$TI9+n
z=|6@%4TA(Y6Hy790^5)wXt|y5Y`i!;^=X%nwD~Y~cHQIpJJ{`!4XnM5rT8M#-|U#V
zeasD(SSM%W+WeBozhhE?QIKmtc<!Ynuq{mkhE>dzbV0oiD>5SBrLREnXxclVEBA7t
zS!sehwm{XYrr_ga%d(E{SvTR#efJ1hwn@WoA?Dsg&JIeW)XB(c&koZm;)bQ;?VZl>
z&DJE&?sQ(ewkL*H7j3#hRTP;%RZigpdMi7IeZ<OIp9Qqo$wNiE6J6qLgKt)qXB)RP
zuo^-();sG!miD|=h#b?0onVExi?=*QFOL+_SYy^?J$?}^4H+5qq!fRkf=N3$Z44vM
z#-=b<Eb%IgXP&LRF=uI__=d(6<zr&zS~wIPzd%;!#fBp;Gd~t-wy;5~e%2tO75rdd
zL<e!&qo5s{aZrPe%Pi$5MVoN+drj>yp-$ln`R`9`z>b*ECHy_iQPvZ>gjjzsb1~im
z*QpraLSjY92-8m6Wnu8_)SwvSQs~tC12a!D&Ga`CZMo-%(DF-d0l6YsJ1dR&LRD2s
zogtkC$*TDrt`1(<0wLk=#)-|c6eeCg&4YnoxxPhfiVw=4jcSTJU~rwwzEr}+y?~0s
z7X|0bnaqt?u&ejj)jrQJdGBt;X>Ai8Xts2;yGtbUX=kJ-z9?B|G$N3q{d38KeX`WX
z0l#@z)1M-xGh~j<pOa_Gj)_<iVLRF;G9!OX#-AEB$tA{XeGL}IKOX6G(%H58$j<)E
z2?=$NEd2o{YEzbDXEAg{`;0ZGyoW@^WrNmnHXU0?p1YRwzyypVSxKq}E&YLWcTl@D
zj+4P>a)w6osQr=wN{cZ9O-I^I@K3|EMKd&_%^7`^Po3QOsZv7nCJ#}LnRlB;1Mq+F
zENY}O#1LvIqW=Ny>Tm%S5uHd{km@@D(Y>SOqomRN87aBBH3@!{?Uge#2Ri;?Yb(p1
zwcvSA+EVHt;WJbCr~wl%Ly^O+jq}fn-8ZncBwJ7;$Jjm5@8IpLtImt}IT^-Eatf#>
zL_L-lDo>nu2n<(L7cJ|eLw)Aloygi_;n&|=T4gJb(1~0OA&``FU8&fxcBxNaHkE9V
zkEzW!Vv~{wPVIi;#633^FRZ8XMv<3NuznSH;DbPmbzsX%xaeDTcD2{m`;#B&$Tsq4
zX4S|;i|)TwOMW~5C7H)kx9yJTb12By{W;|Y7;PUxWz{tCGk*9FX@*^ukt#)>73w)D
z9qYHGig0O8@mC@nGHthy4gyYs3O?W5$4T|O7yBNVUe=mQ(RxH#e~Pa%_VM!gGJ)Rh
z+GT;rjpo3^jh}C(v+ERVAVhYTBa8^sz6x);hBQC&M|WWsrHo$m4mqw?I%w<3WeDiK
z06<f$AqM}yXasQU<c0)UL(=-dgoZ=VIunZT6#Z^)Ob;#bkf3G7;*HcaTH4PN=0dd)
zVaqo&OT$;oD8XBq`j+f6<B8Vght2Ktm|^YBlZyx!!!m+uvYQ7<vY(tsc(5%FNoHdQ
zVj*t62k&<cpekCFv2N~<;+-c2Gjbo-r<1rpK{+*mWP<b0O4+^t8DcinSB&kTVIM;q
zUxo}jFWk>w^b0haD(5usc{$_-XO9%)U*LiDx!v$|-=4}eRBYl7v;_Ap937S_%<#W-
z*wjh`_&1Yrb)Tc$xtP2FXcf9#mZ>U-_jw@Ga3y=}Y~Vq<ZGAW&52}OLN>0_Jxa@Wn
zc4RoV*M23hz2U{&kTvVO5_yfd6W^%Dp#kaQ5v;~({Ebn7#q>h%e&YOOMyDZtv>jn7
zsDX22r8->}5%KTCH48ws{}(c>mC{z;rxa;}tz{UxQa<Lq_EjH8xQaL>j~q^|+f_om
zCf&`m=tXWoe9YG>Eo|=4?;X;LGKzUO7mD&?pp?wm{p_@RS9$~t5w={BY@EvM;^Yjr
zV8JF6)wSFLStXM%pj1V;t$O88)A{)kL|lJm?tq&AXh78p`PDy=2RNq@CEF$!#d}7q
zd9C5{plHx>&o~NXSmno|C?gVKXxCVT?#_K!kK;2#Lrj89EQ9pdcb6PTsOg%{ib!<3
zGN^clm5E>e6eSDK&e#70JtL@HDo7m&&493Fdqa~X8&Ia()|isblLJcykw3IC>a$sM
zSAQjjDz#Vq9lcsU9q%<WAscr~qD8R#$;rj!U@$jBov)?Zca=!1ajd|Zuejr+8~a)T
z-e*<QWCKrO+Y|?2sSyXy;{Hb4z*ANuEHLv0vq`mLA-~&*xJMRXqxZ!?j(?6_p@lRu
zqelggCGaH`b)QOyhUC_cR4#a518t?0<!x{(6|j$s2*hn~P7&1O<>0e1L^B0?zoF#c
z)nw@2zYp9c%YWCh(Qy;VvQVuTf^RdK5h`{Zieic|G&gg)UV~rNnrYV(Mamt(eKb8i
zN#xgvr_4JesqJU8Dt#Lcc9Hyo_7m%i??avJN-E{l&64iltB`h-e4oOrGIYiNg7-mi
zNeLv+Mh3#(ycplk_>2(@pB8#*vPv>uZ*8!R{pI??V1F1%x6Wg1_JRx}{zu?OTOw}5
zIr!d8`4g(V8HAzzCob8nA*$izy})Z>4ooQGFC2Ki-wLTGvLNhDNPW{|U6hp2OX`^G
zwh9E~@y_eO1FmoSv%Ri!zsjEzu<Qp}uY~=(%=jaO@}FyHe;9H?cX<gFY3^V2EiU#A
zlG^euahjMI=nZd3sggP&ss|{-gy$I|**8(V3{P|9#y;#!ykrb6tTv1gms?yL&4hs5
zx^^hWcwN|Ug_3orQtlN2jwuK{Ib|VJ4W@lRr>})3ljYeg-nwv2R_wO^FW-d+5G>}5
z{}#~Ol|qpSi}!#-)m4<Eu+?H4EVQ%?iwnw`oTf`QzD^x{(6Ej!QaA6+@-bMJ%%m{M
z84$@~jTOGevG<OZ4JP7hb2;T$mH%O**;$+xwv(h#RaoOK>Ws{WwR1*x=kY6rD9r24
z??ms>S&zX2l1$iG|G1=psj<ClgJue~M9HJeWONS+hjb3Lc0n5)RiUQ~G@#^nLTmW+
z>=~n$`1^NCmA@R?<=@O}Q<fTJ%YYdba$;v8>z0XL>t<8g2Eb#Ne6zi@{i-yoFt4eQ
zaZxxdf-L&SKR-etV$bBOLjr#bQ2uoyzy=gk#mafw-c9SE&b*i`aI6NZw8-PDIqIh9
zGAR&foIn9tOE#e;FP3XOLtF2YiWG?p*$0cU$a*UlUV3VA>;}<U7j_>=E@_5Gbhz8Y
z|8oK~l7ORC2f01r(17Px<Aw-TXD#j}{T`98lrc2m(Ly!f+Wku=mu}sXe2n$7l62`l
z<6rd@P)mZOO#cr3Z*BhX9GIH)^N*0+teJi(?S+w~0rYU@u)b2R^yRN+Od$c@s&Ogq
zh+)j>PP%=-G-j}zW~YDVkPADjC10<mu=5|-yvvxS;c2yn_PX=>=B433{YOOyh%PB1
zy~NUqI$Zw2me2fQh?XpsM4_#bhEIt($I-_n$2{aW(`pqWFyjkFnj<Jk7PMhHNe{{R
zVkK55>Uzj?Q1wokvy1Qg>CY1zEbw>9o`tf@O5HIo8>tP>2D#6n5ueu?!#`cC0les5
zo4<+0<9S|&4ylo{os*ofV{5pIG8r%%GxdhlRy2)zQRCN9cirR*wO0K09O#(qa*Ctq
z3&G)<@d-%=PAsP*h;j?p{b#ZZC-1g4`lGumg2t2=2}rCr`MfO|^)Fmx_^b!<Km1FS
zSt0YH(k&8B|8tut07MRTX3BjJU+Yw=c6P_m7po_~a3zimtaC=K|59k~#%6yXZG^H2
z%3fxJ^@P=>-r=1Hsqk#sp3ft{6HBszmn^cd-HSx6sgAZw32=GyGtVV42!D_jt-5df
zsr04|fYmF=fn%YNFe4T<4RI^ao~<tIeI-d;nXwLcdbDskMJ<(0{|e2-a{eIyTP+%L
z+{apNHB|qu#S_O7C*)$c&RX}9ZO~p_gUf8-aB>L7!^Uj&f_3!(kq)eIW9mum1njF1
zsOQv2==*P$^l2T5W6c)cOiX>vC^6Z9yV#{IPo2Sox8Q2Dst(0`+Jj9%X6BDDDRAN7
zWWkPqLBDaB97%IB)6?TNpeUASt;~=#Wo%(P{6p{}RR*(v`?0Xkt`%w}aN+tU6_W_7
z{QQE4fTw_5em`dGI(rY1K6!28MJ;RHQLLG2(JOar)cR)JFc2i`E4VCtYJyl@Mct1}
zt7$<VVXx$8H}*{xvh7j*DC)rpxPdNjFhkI*-X2>}S{i`HVy397RHNT`@c$(oJ%f6`
zgqZQiTri0kK!;{uzzJ<y6oTV>)`K4l&C4MkQ>0?JPrVy5Y|hdW5{0yfPMpfVwav|X
zy$#L<58f(H-u1?>;P+C5p_B1k$Cg}vGOVlflYwR~Om)J!wBI$-hGCEE)1A*2AvKQ*
zRh@flKVXZ5h7Q`chTB2D)5QDG82)TrJrxfJ7pviFH>hKdKHX(v1}=S(fQM2%NB`h;
z;H#CE_Nj?PJ?An+TKYT~;W8W!HH4RM-`k`9bNEQg(=d<zFI7??&$Kgf-|2i^Qy)vo
z{;(p==f0^(^LN(f_6)L{Y2r|IMwzGjj9mNqSAyvV`8&>WcB5Cl;_|9^X#{*^Xd0TP
zrK+r%LnLLH`OWy7iV5MNwZhAxogzdwUD9{f!Kp|I!9gU+&-$!qH}1AOqsw)K$9jh-
zE+wQR3njuGEgCIPv1U<(a>gU8w=VQeN8ijYuISl@E1*aQvtSSYRp@%=5BN*gk&H(*
zUp*#>G=xrP(%3!5KjHT;l%d7F$-w{*bYo)FPg#7V+UBiA2Vyc6(bbx28kE*o;xW36
z4cEpCHP+cN_>cESWiM2?l3Ul96ELnfvxj0vO0#=i5MB<Fut_POqQrUSmEa9y8MzWY
zc*5Em6n&k4mLE;rp5VUHzW{<-KeM>~d^oGRm$lzpv(M(-SAgS@9l3(k38UE_F!Ml+
zY{eAwbTdKws3CT|tH}Li=0HCfh}c0TFX=KIC(=9IR*x33Us$6dHX}RsQ|1ReCmQCV
zjUr5JBX}b1ASTbQ_vs6CBB#aGA|D3QoE+?GZSp|{HTxYnyhsM`*-yL5luM5;n!M(G
zTkE0c1J8f!TK+yukYJTs)8P%x{wA+~k`hKZv6BXUear~H@vE^Tb^r-E<#bLn<fiNy
z_-4A{nCosD^K?;Z^$}of0-~RB?)H$^8~naqf!au}$CCFQDwAr?*kEvn3a<$W<}BI)
zWXmeRCt@4Bj_*+x#MM6$H0>OC-uH1Xv#~-yA-=@#7k{!VqB~PU@k7lo+_M@t>uf~D
zcF_sK%V)1;VCx8kmY;{Yi|}Jp!iL6so&?<-y<)SpdPF?!S=(0GmPj%!8|6@BR2tfo
z>6DawJx#^npCZKH8~+!Ibp;}b3%-E0)|Ze96;kpM(_$vaFpz7>*->#D>qN=UF4z`!
zHia_Gle}fen^pVIoB50<nLYS!7#GSdcW+=cd1WSbT`G&!GANyHj$j;zFFCeAqOy8+
z{O&@>zZz`=VhR(z*v8aa4QCMZKv{&!uBG0pqlbOr??g%M#l(BFTjx4Fc}Nd>x-ZFC
z!x}#??$WPBsC2rZ{8;p%h_I1LkjU@peY>13s-yP(nwHZ|VIXI0>pv&)->DQOw$akN
zYS5!I1+<|-X5-exCXiHZi-svE&3$FOviP>8=8*t8{FR(Id;JD0^0~|Rtc$|vDKL2y
z^|oSr);N*%c*<otbo@j?vEkf25;aw3w5J&EwI+KXt0h5p5Hk<uny_&VY`4)nM;&-@
z^_QA)71VAP15Hg{_g{nZmu}F<b!>g?1)0*FN~>>dqb&WSpcX~6)YoIzOWs%4Ek>$n
zBzjN1K1Q0E;s1#r{qGR_m$@zJJZcf@n1u06O16#XWRJVAD#&e1)F@xaIhE&c6@cm%
zm`kYQnexB2D2Hj@+g-`e%ob>fYaxP>gl8S)A_L*=bF#M`92&1R1s6s~Wh|Vq*$5MM
zL#LBsA@j4~-*zdN3;U^rguBYmT94&-tVz?8mY$EPQXI-T?;GXYc->b-sAhD5Wq*oZ
zb<YxW&~YB5i$c^k3p+F!J2TlB=7vqhCy~-Th~6x`0YbUua$L!v#eahb&bL3Fq?-`9
zrsz%*1=nHu=Wnf3WqN4U#L{8t+T;&R4z`A_WP6;t?Bdc$O<`*QQWGjW6!{wbEz$2S
zOXpk;R*QVml@!uql>8?cTy^5iL&W7*m$bDgZFmdmQ4u@8YOmAS^mCJr&HS`^feqt!
zKe0WckGr}Dn)5pB3F<dIrPSJCX@Aw9%{h2b4ITp7RV;!R{WotwHC<Hzp+oX7<Lf_h
zirpj-lpQ>l_zOch1P;W+8j$Xp-*Wb{Q7MYze8)+Auvk%&ACGx%?#Rl>UY9;y1kIb^
z@pHhGWP*;QH$(m<O)&qywOKAci@XnSDj_a6_ph|?=&|%JAaqJ*mACReXL~Yjo<+!T
zV<RW`;TGS-4VwN^zXaOgwi?}UD1CZw82(69KOQ7PKq(%s$CRMJ@%lct*S2U0yD%LW
zK!E$2?k0zm!=;*$6<<A1f}E%IxnH_T^p#k(j&k>CL}9D<Va4lhdyxD7bo`2!VtIEr
zIa18GJE}Yf$4&;BkGR-s)@K>4oZO*48?)zo>Vr-TY^8fX)o~u@yu$Dw6P40utAT*+
z|K3VFR=_E!3Q1>llOT-?ZA&*q=X@Q{YQX+=5sX)Vj#k^{!biB{$12>%(=nGdC|PUi
zp@pJKWIjl3kx}2Vjjf9#jPir|69Qh5t#r|;i%#8~?8xef*GOq?%kxXV*r+e_s{^KP
zW@|LI17$TIJVoCBtK$0~$MowFGMr$>G;%0~suCHgW*gVDzN@K@wJw+ap2aV>rL#jY
zUiJN0C~;896KW)1lFKCOxX?KpNZUH%!zUFx-^Cv?9<lP(O4QaW*VaTz>|fYh@9L)p
z|I$VGWbg?|_%#4F@%lWoudaqDk1PBSkN@Kofnks#0o7JeYVd&q(SAmXz6?sZdNWzY
z+7WjrGc9t%I48HMw#u>ZxK%*|Vr|5cRHpBKoH$3P4T$zTy}`k2px9mR(^Nv?zGLo#
z)3PZ&MEZXK;gjUR(*npBt~^Ki41aO0{xWTX4Zm2UT0vTS{8&V{8vC@dhb63#hTOCM
z>$frIY~K1Gc|DE|dJk831K%gxxu)<{s~I;IV=var@$IMWs#*4P7T?WFeqa0FfWO*j
z06hM{U|;PFS#v)O#n-4bXUvg_^>K{ARkh#Jcs<d!kz7mr;hh3zGWjGgDS%e+4n}RE
z<du5yoEUhynk5%_o(Pv3!UZdrx9B)mPTrHpUNYQRD`5T)iRm9I#tYQHwFaXY5;A=8
z`>K4`<Z~ZkX{Yd9I|;{DlIzkbw2WV1jCx+*rbHU$<=N;P#R{r98didd{ZLt7i>Td2
zix1TiwP9Y>wym)oBaCE<ON!awYTk^J?Qghhhx9Ch_lDxyzTWMqz@cLPZ?k<1m@Ot`
z_-rxKXN#--QP;aM7BbDcnKpT57F2goW<>9V&3lFgcf!}8A0gWt^#|S&rnCM#Y1(n_
zY{L_U9O88eQMzp<aavgs4f-sn5S8u1wimN5X4czt_pN2x7e3*n{}1glK!U^~0{#wZ
zi-@q;TB~P@bxM`H%Q^A2y+m?cYSj0wLmrQ)VPdO#ShX>(aETJG)w`EGTBhxjZd9hm
zI+Z9N4dknj7D`{8->u(!zb&)fv8@x56b}kzC&=Jb81Ue{x~E_#P*43et$wvnLil=c
zCfX{&6y`h9@7b#e3jlKJ%a*z%g_#6r9qCxp4Oj59zf!b_G%pIe&Zvoqo?<6c6pkM(
zrd;1~A#unL_Z8I*9j;`(R)|C~cfay>GDgY=Ptw_w8Kf@`RG4ssc6NE(hbVqx#LpSz
zZ8}!i7oj2MY1W5wSqiTQ#NuC+g0-2>cVfQr+Tw-e#i?CA6Rt{>4D0!^*A&ra$t{(7
z&EdlxmyZUFuq^<2h%q$MarYIoHyK!;AnjU3;chjz2R&uby(Tt5nuS6lRmbW!DP@ZT
zZ=cVSpr8Qa;E8pnh6=z~k9x*)Zy_c{;u~e)V^(*Ag0@gH;hjygqK{y8Y}fmBTVTgL
zwM?X~x)tNV*uP%UN=H;%88ZcqdZ4=US1wzW?#_l%#$q|7jMgYMr+(Qsp_X+V5DzKf
zY!rgA=`$stv)%eKYg15X5A*9HHp<Jr6_6~k^}%-m6c!flyx#oDTI%Q_kCHl=FG}&7
zHzBak->DQ`K!CHMo>J@t(nFY^4edBkK#`9r8vQ}=I?j1aOny49puA8V6y>|#F2tY!
z_2m_MbG0k?@B&Y3O}NrfSPJ=LNipT4^JxT5YVp^H8bMCEt!PdMj#@oTZermI85FJO
zFj$<pO=+z*ERgcpoTh=7$HfepX`J03@g$ij(@Js?!oM5{KAd&|QOm-L8~WLDUb_$7
zrj7<~!hw%H^`Bg&4ioa|C-a^4#lfos(g$&OkUJU+B}Ty08rMBVf4-iOxr~%iSyf-}
zgBsAPhnr9oIUREbMQW@?DbJ->6iamY5r3MWC<P3;%h95qfNFa!E-3>UPF_UdKlF~O
zj$!-b7lIfiXb5r@yXANBYtUfU$i$<_h&Y8tsgh<=$!a#6&~Y1=OS!T3zZ@E7iVzGf
zem?Q<yH}|UUG{0!CR15S{S)@v8AJN~OuHk$Tpn!n#?|6X*9?5sxidTQ{G;Z&kk-?Z
z+sFXN<%XgFB*2;Lo~9CFirtUM2}<*ss@@@AXP({>6-=46h{&XU{>6Hht*R0dF>!4h
z)0G@m@t17S^sI(_L`Pg#@NgZY$gDTS22Ut+k4kyfklUg<hiKSy&|<=1#!6CiVSDQg
z)!W%kRpvtc*<G>bO}!dh&V;-?L5~~xbzf`FvSNk`-rlZh1i6~&3lMI0Dv(0%RCq7A
z%!_b(UfljEAV3t<Qv_P{DengCX2ks!AFm?;3|n%f^P&qDo@sQpd}I3;1oLc#k17dQ
zI~y}6$3$*>$`JT0_^ml}_z0Cn&;!dt(FOS`2sfjQyxXkJW)ap>Q%2*=jZeL5ZP>mK
z`8G$8V25k>MATm<xBJ=C68%nF9z(M>-bZ-7Tb<Yx)+*6&u}-fP-3Ajn{x@*a_8e&_
z2Oj*Ljv!Q(xk@s{6y3Wa_&#IUOJUZq$D*s-l_fo~*fYtLuR!hfxt)nyT83h*(O)9O
zGssOKLE}w-iw{&@Q6nFk8q+xJJ;cY5{e^}y-Y?CQ&tG-3Z{gF+5(K+0UewZ^NsC6T
zHYT{LyJt)ews%s525Sth>I)%U>x{O}NNH_bd|Dx<Af*q&v5T6%zn-CEQ1MI^QY{C{
ztLDeMnNDX!Ya4?<Y{22dV0SeT%oldk9UL;&*RStB-`#Ut1Z7fw2h#js2%OAN>&?{n
zPw|#s1XS<jRSBb_15lIACN7Xi!9_Y6H4uKQ6*(Fsz5fdBF)dzt2fHOCovbaV6ty!F
zoW^$?+0ez_BdX6NpmJP**#DK^Jq6CUanGa#spryhfhqxiJSou}dS+!V`60G5(qcQ*
zDhhpEC?9*dJtUMiMXtVh8ty|4C^apa^X@6SDvAa2!bwhgBLKbKh20`C(t7XsEDN0|
zn7!)nW?hH~C}g)*b&Z1F6yR@vBI^?mh$T!ay5lh?MP#zovf3xghEaacYd+*GTTC@B
z1iP1WK)-HrT8}Dnc4f)ih}`d+<$=>4fe;*`+oDV=7Qv~$yR<wSiw~{tN!pnlWa(xc
zgLH1dYctqR!ds<T&>db~%$Mg;xaCE?J7o4Z2Ez9PVuj~YM5F?GLQocybJnmBIe(dk
zs3AYm??xP`#XM4VN(wFRviViZtVs(7SUV^_k)=xUM7#?Q`Q|dlh4_y4x;wA^gWMqb
zQEIF66_byhroVzo_RBA`HR18~iwXk7mP|PojNYRTHABd8!-rcpBQBl$i`VBC+0n&T
zXzUX>n^il}ub&of4(^fL5gSS*4QmzOR!7%0Anw#!!--foMa8-E=gMvz`ExGDc$Zdv
z?2hSix<aCp8GVn7HTCOPKedA!bN6W~eY<4GPcQlDLaWi!zRXueCJE4afGu=kG)`yf
zR5o;qL|&Q?hjOvfknh%D50w>PS)F1|TQoWR*sNL({znj=d*y$cv7>WLCJW#w#86I5
zxv{)AJ+cvOkp4`67=?_mbw*f|wq!XG3QLF9S@_m*RwJ`o*;S0$V|6$OSw;qQ>CPuc
zyXv;Q5b^3xXwF?mey=L}tz>`3y$)p#b-UN>w2;cb#mqatt#f+{hL>u9km{l4HuQ;O
z@CRirVPkuV57m7aA#I&x<7p9*EMl%1{A&frr?i@q?xD!Mu2-1L@Tdl?W2G4qcUt5L
z9`F<|kuJGQ-|Q~JW(BQc{Hwd2cr41lbA12bYX4c%p@L_Tla9M3fr%BIExaEl5-6jB
zKu0E85t_{pe%vMEZRKjZ)jKK+m)E5Wsf%)86gB!ICS&#cRmV0uWY~XL_uOOb`Fa`k
zsTThcf(nNsq2%L@r;o5*;xMn?#qJX!Q=J;C1go0AM`kl|j#0*K64Mj}^S`q^IIOB`
zBIs%TX9@&>@4QK2X8NxH6Rf`*tG91YqGrH!x{xQbnU?A=zD*2GwS-@Mr9(quGhJay
zt8%EmrJwQNK6%ADB;a#i`FH*!=sbSG0I3`rfu+o3#@v<j-JVg{wK<K8*ND=j#Ne$6
z3@cyaR$>-5=6Lc)FgNWdN#nD&^5yb2Y{e%3UDD%k<WGT?D!@bVU>$?{5C3C|#os+~
zbFi%8zVje_uu!6|SYt+AUP(!J;Xr9@*yVT+kBgWI{%<%7)EB&I;r@5S^Czy>ifFrJ
z$+M_p=l7i)Y?NJ$T~BQ=HeHQ}xB1jGlPe;@3RyFvh&A!T?fCU3-^NJ9B}Fliao4{>
zzZ{V|{Cf>Jg#b)>ua7nUKe*Ohj9<yi+QSBDQ(DByZKtcIP$wJboe$UTBR_D!o-g;l
zn+ZWjzTyd|n0fyG5hhnm58o)<v6`#^D~Z2&8n6!#b>9`e0n(0Bl%W;un=j>IMm*9~
zG=l|a7aJYFwP}81y0^!xG8b_?8aE+M&C2ZP)n4-ww%QKT67sFot~N=Z>StyV`S%3J
zdyACcGS@0MvPo^xX<J#lm@teX55rUc%MpPNChy1329dD@fxa@I$mO}TQ)BCS`CU)#
z)a;2xtM54(%l_Wc&xQC=gEY*(ga_>$$;x_;MCWX)prASyQZQL~q3PQy7;6=QnNa-|
zt{O>_^T=moJA3n5>6CVRQV`W3?IVxfhm$xmL5{LQLjzY~4dhUUPsYO$3#dzQp%QL9
zS>>ba+#)4J9%><r^RE)F-rMnE9a{|pf9%|>4W`FLrN&A=PEzX$0L51YC1RxdOiQMZ
z2=L!lHO~7_F1TH*6swJ|Z>X%Ubb6=|S@j+qRpu#FWqTEAE+X8q>Aa>a9x*Zm?@w&9
zJ1cn{1n|ezjQlI*?|-b7@Omlsguy&MT|!Vg3lCkYmJ%E{$F$9@V5m_q2$L!ln#4og
z)HrVOFELk5n?bL0j*fLKX<aEvrXypH3JXizLFD1_;#u6AKs!RQC7E2I<NP)@9eKVQ
zCVqr$SI3>$tl8FNRN8miJ-Do4kL~aNU@5!+isDJZ2pB^hK17<RHvOCEzwgu%>Lr_N
z^_i*fveva@k0+%SS)m(c$?q5U5@f7OOexhy*o@nJGPhD-(iQz?j~iQuyEYF51!o70
znmOQaRPSeUW^RTGiWeG-aQnv(@L#g6P8j&^S}7^L;_8}5#{p9DK&I|{?Ho28l(JmS
zz5Ednq*?CmlV8xwfm&#40daI`n6G@TR)N%Q@p8Y|Pm6So?wa5dp8WAM(Xfg>IVCP^
zpT=bJ8~WsdltZT;ERD?4|EcMtHphwZ_IC#}ih+%$@o<;Y5l{7Vj#80sXZp?sNf3g|
z`fKi6Pj`2BA0Hie@Yg>ZgF^zO_OE5QNdI#?RTR?3qwfS7FYe`Io@MSYRXJ;3b7v)d
z@)JA^fK|hQv?M&eAT?g=%jS)*8@eEsf}&ax0xjiDkFM*y{AStQwr85}SS`70v3C=H
zu)<p_;#cW|Fr7zQ5gBG36`WPYiI1!_t4&lQuwmX+>a*$LL)At^HBk&$#W4IoQgtMt
zg6RGD&+<-YC^{Jd!P$Kg!*=Em>9>&XudD`JhMu+R_%xMHzb%~iTb4&GeQnH8pZG<+
zNAlFmF1b4FowX8U{`=*5W}>bvCg1T$?~Ha@X&&WiG(%<Yz}I9!z481`-`TOhV8hIU
z-QBN``uS?pwtG5oKa4EQ<~sL0d~j7g%z6qso}R47BhM~I;L7Kmy#EbgU`1hm6DA_U
z&Pd1Ke~vZFr_91RUOf{J{$?=wiEJlE*(RT{KJ!8hw`$A8Mv~jQ@VYzomHm8E>swX)
z9|oOD)#A18v=dVZnLDRzEAsMqFR=ZIf`c3f`{AL#IWogW;I5$kpqlBm=(EQ1i@^P@
z`SqXY=<%h1AfP)4hqNHLL<g6&!yaaXa_^#>@Sb;oWU}j7LHgi9ltt7AlN5+&LsPo9
zsQ7txhgU%n<Zhx4g2HYYYq)3J`$Zhm)dtf~tU;G_>%%(k5#;l;X;3UQ?@WUb-r26U
zdu7i$7&M;cal<C3L6v$kG>HnomX+cwr1&RN^&iOcvHPW30ap}`3X&Qz(7*=|O?jRC
zN<kr`S!yQMVKb)i^=FM*oaj442T%hmS>o;5oVB;nhT#?m3RE}puu3TFgc}APS(^NG
zpJBnm<RI9CL4oGAOdpPIwn|C{bD`MO`ear+Pq`0leR0@G;KO;ch7uz$*Hf<e6pjGv
zk_2?naz>$hA*9y~Mba$%Z44#8Z-@T%VGa9f9F=9t&d!~@SKRI9T{-ei^#l{3$->ch
zGrs+y6yr1K#6g@LlVHBs@$g$q!LS{Nu#?Fa2-Poi){zj+nspMPtay{`%i$A?6L4ow
zJK}!=xH`}v5+afsw13tq2D4)*18{LyGRk`Te!8Z%2F9s3x*GoEUc_JCW?%OWHFdGW
z_@H==J5zbyyPmflN9FT|)V#H=`CF;~D1-lT-zUJm?!amgI@E-48zwE=NZ9u*L~0j{
z!qP@7ig@e|P46bpnjl26>qHNn&JGRQ8>xh_`jhOT>uq(D+2{H}3^OIJ%NF)eZuuV=
z23QawfMY_!Cj+lUGIZ->zb7FMc=CL&Gj|>J%PNktVmWoo&&!*~gI~DSYKDGyD(9J{
zgd1BMpUGuxY3XK3<N(}S$-ts(Dyz2Kecy5?_Z_4Lzlr`&;lsZrk^#~@-p~*Tq$yko
zR3y*d$nR!@m#m+#l!kk?4Z^oWgA%g$mB-))>#00aW~Pyh@)`{OWpe*n2}xvt$rwfg
zC~x}XART(PQn?KBBC+fS^B2(F_PrW<-gx}#miF`Ql=IyI-?~fqS)WdOquL9O|AaeF
zhC&ELLdkD40q7kTY9>qPA$ek{Vkos4UlGycn#m#=g-dsV-Ya%XUVffdI^Neaf6N|i
zJ3wMr;|@Wl{ht9ny#yM=eaG&|8SMl*f!IMqb~otTwq+>`u~=E{yvFL<qaOsMLfHB5
zJ>-;froe3m5#*~*DqMs0!Uygc6Fodw|9y`Bu9*Ni;QnOf-~-xfU@vn{S7S54)i){x
zx_HUf9Nlb=Y))0xlC<2_>E~rxn_YO%o5He|dt}&4A^L3jmiUw-YX^~y{wZlb#^h9x
z=fzhiCnw+vBCJ1#>jx~Rv8-CsGZ@}i&zqyU6OpSmDl-MIHDn0V*Jg*HWM{}q!fd<8
zvm0q6)Lh=S5=E{%%`391%&WodD5H&54u}}o=seGN3{4XMv{FOhvje7>`CSBKM-8-P
zoCElM|9LtS0L{<_8rh~jSgjQet0kS-HhTUYN~uOaR_Q~ab1*2T%afa}io63lzJ=0d
z!phsOQNNaJJV}Gb+Tl)q4{O<r*E~j?<g-<nt!1dQAjNT1P5lNn-h{6KSrxtL($7}-
z7T?R|;GcnQ%s@}z#}14vDP#Ym+*u<INcC7dE)-xx=D}SuXE^OppUFv5YDdQDk>?D`
zhR#xxN)N>ynkMGUR`8~+kB-)<DPylNu!ZK}zuNSfDY#}}b*L@(dL07QCs$t7wbeZ%
zZV*fO##cJ{dEAd*OyyJ_J}Fc)jJ1=4?p#l*Re+6FqYfR#C>Xil%xs3<J{}`hNkG04
zME+oq^J{1`T*uje+aTJ$i3CF2jlc)HBr#EO+e5cyZ$=zG)T4xrEag;1b6x)us|HV{
zX68ptam4mjah{m@dT!26dDX~-@uK^(mP$gsvVNg!_H5z>v@>hZG}BQ>OtCer3HRXx
z2{%k#V~WKr8(hb1I7(Ub2h`SZ!LF-zB%q<9er}B5zjF;BodJy$6HL=*-r9Ze8&e1k
z$|czl8ZRw=Ev!s7L$yp_t2`(^o26XLjEI&q2vTw!%q{|4D4|WHqyej%bF<IAv{tf4
zlZ-DeCp_I1|Lb?JK8DvM2;lhONB`}B`*?EdLS248ZrKR`EgWMN_IM4=I*)c^2KBXI
z{bKZ!u*9*a`@v6~)dV5U6_Zs`#KD6clAY`8cNn+VrR~__l-@p^zQb(SN-^z&m-!xF
z(yPX=hY-2*!kmYQEbl;m(8<Z*6igiPV{F5#!ez{P%d{eGkjklE+A*=gz#+-UEvmt9
zw$Mnyoi2LljpqMiAOFU;hi4CS(%`?ui&;P=uc6<))oR>DebLx($y=7NByR2k@6Pl7
zSv}5IWkAMt*<T5!{)A%Tk_?f`*lwzVIo-ta-Z6b5{T7sLVW8vXnc5We_3C0Rfi!`O
zGU$AO24+#g>~u|$A={D;LUCMOf;o}EC52e88!krDLRHWz5*GU3Z~!TSw~u&2ySS!z
z@A>VonVg|Q*>tGK2T6)pPtqI^u#`7E4T77p|DNbO%>XF@)c$b69;#+NM-lqHpGyfq
z%xf#2KK1081oSMSc5z@^h0i8>^K^jfG@yfA{N<s(uWr5!bI@O{#u8xwvefumizZ4g
z=@Aii%4yF&NGqSI0zgj>HLmQT5vc0V{EU|fr}Z}AtyYS@d}02G4zu)39H9+s#MDd=
z&$JyY$fO<DkJ`yC_rnaF#0m#hfzp|Kw2M)rPm98gvaGB^HDuy}t9Ip1p^Kk0O@Kfj
zYStJgy;xeNi7*Ob8N7dCy6dlyQ{PS|jiPucSR}$BkY9#{r(sF=<1Y*#zgOT$(*hF6
z$KMVG1mw;jf^~tH0vQYt@5aBs_?ocs^%HHPa<MVbS->-Ya%e5NGjVKsBsYyVo@H~K
zQY6AMR545?=|nv;LBD4ZkWjs7msx!#=HnyK_k6{++jm1gklnAeZcXF)n$#EhIh%?`
zOI7l8_ZC{z7oFz|`F-4k7p`0&3R`M%s50L{oP2x%qn!xXBtfVxr<}V}IMnpz@k7Zl
zkd)HiG-d7>AXG(k2S=q;f7}Y{(pL5K|LIFW06%}TdlYy|dqh&`r>v`@6R1j~2a-El
z+QIf`fBE$l7-*B%QjSYNF7P-&b?Env6~}DaZd_%%FP}*tKyk@tJbwR-sM-V5%Q{E_
z5iMa<!r%WD3U&<>NvYp<&f@hpiWp^Zq4M)PvOn*DP#I+1WV$V(G|=n3T7Ln)X$0)=
z^Z0jwkRp^aCWF{3YXc+j0(s&6t$n8UkQK1LJj6)mU={DdOSjOr6UYs?!5g=Dfl9~$
zNOPAh=Tu;5;iyPT+H;?23%+e1I=tkfDVU#;@O$PT0IhYjr$=Q=a;OHZd3nep9MTpS
z49y<&<Cc}70o#=GX^d!gnmn^(4~#Jl5dn;`4HfceF<E&Lm5mLRLn$Mj{A)**5dVfZ
z6zmu^p>*{^`8YE$A|(pKe2wJ{jB(Q1ObQDQmY`?;<xn=hv+*R-&NQ;?EYyVR)zg`i
z_K*RP2x<rwQ(}(`X#5fuoWMzURz*dc*<npVQaHh!?;+^t7mK?097+UbD^|H5RRl#D
z-XHpvn4<RKk~tT!fyrn{O4bfjd3#kx<L1rdB7OpoYrfk-WhUOnlbJI-p$a(&C#LBA
zxTL_W<Q{F*-B3Y0{MtxaRjSa&$~i<J9P&u_i?VL`^U}d-s6Nz+VX7pcJrZu2)`*!o
zHSis<x1?najg3O@2y5G18hN?7!!>ML4%jR+Z|4?z$pr|r+jbh~(=Jvlz?98&hSFhV
zL!bQI1(}74v!Q~Zub(Gi<h2Xbpa5Ga5DocVQy4+gIU<ZC&WSs*k^uZG1p%3GC`KS%
zlsIc<r0kca3t+0i@CoH=1h}9{iZOd_3MP;r&Bk9Al1Z6g-7P_rFh-de-MBK+OL_Qq
zZVDKIo)?5W%W4W$G|->c{X2e89uzhT$IY_g+&CK%7(tDVWvAhBzp0=)YQS&00-aVi
zHpn!v9dqM$sz0k(k^xh6fwZ@DaA$FW2F%z1ghW}m0jC~~E|bCHuZG#7>wUWyo}a+R
zG9&c3PxQb(wTP{~HhlTD&H{>zh=<XnzLyA?or!-Tfh+ot?4G`&%L!-&rB0sAvpa!@
z6yz;LwXl3P<_)gLQGlWNqR#Y{@kYK>K+DL;s1zz|K`lM_I&JEf_SzIZ&UHzL@YrnO
zuHt8QJ<zpU&`*F5SQD=r2{O54f%i(Idl&}qJb?6A<D@DW7!DL{6U9<8m>$Kw{SuNc
znXRP&1rF&4*^sUTYg$TbF+MaZp&h**NKcgz=)(<cRH&s4gt>mvSv2ss)h{{jS|_4u
z8+7l4M^`FNh1r!>VUf&q1m0I)X+LX&2OcKojKY|<DoAs5!Yr=hhM7kXre_541xy@3
zwQmREP7$o>P7VQC2^*3>@V!I<60o{&Ab|`O|B(FL6vdob+OZkwJ7961`R_m*fmQfB
z)?MWACF%{cjiF$j(n7$^er-*_x13xTrU@YUx0Ym6WhDoweEID{1N@`_hKO=K{pVvj
zgP;8u^Cq;tt+uP2z}LZjB}vZb3v@QI3=V^1p&uGVrF)pw_A&$w-6BBf^+4XG6|8hc
zIVdIa#LUP%ZrTOpMy^ZX7ia?!bXCPLk&bzOVtT8MiG0vA{|#t^9?aT-Em_G=fx0Io
z&tUr~A3tv~g}jdwX@~4k#6M}X+ln8b@dQ)en>aV>(HRN6g-p+LQ+ZoF{D}>k$fR7O
zxaR1xTGQL5R=sq_X~+^1$^<inbg}lprC3ayg`AwcQI`i6DM?w+7i4#{ynkzX@=?88
zXdOz25=oT0)!X%AKXJa>V9(v&{-_tSDed>RqERiKJ_y3(elro4VwE|P#B&YP4dC{p
zLrqd8Oz=|WcZtrxMwD!E?-tyHdI4CiowGAK|EluI$9F_HaA*`mx*0r?k?%QJeK4lP
zq#w5c0<s(KhZ65Ve_j`6$fq(`BQbS6U6oM4fJi>0DEU5Qhj%WVot<4>T}h@N0?tM8
zRR_=8d$xYmTo+XWe?w?|()_N;!V~_;>Qhd@?2ssw1mvoR{LO3Bk%zY?B~|(7>#+qY
zJwHUECW*Ag*kYSjBfXIXP#PNXb)+BUpIbCbeRgn*`+|#%e*g8mw(SSfPaoLeVLK>&
zqU(}%>=G8AeU=7>Bb~wjmN6`pA;J-5v1@x2Di?!6Hc3Ov8wvqwsx?8TiMK^(K6d9B
zo9)|2!vZ=@gXx^tu+3{p6^Wl0r$FVRA<3jEXlg@Myi6iDT36=qZ->SYR3v6!IXz|h
z01i%EN_(^~0e}|!0UVA~fq~Q1YBW>S*x%YPO5fOjU5P<^`sJB_Hk3g*X8JE%Ve~=6
z9CGe63P}PYxm3Wj*$ZX8>xb=_{IzF0f9`wX>hZ}(l!LWJCk0|i{&8kz8o;`2FYBso
zUL;BttlO*mxoLS3H#8JQk7+=T!hP-dl5cynteEq?Af1MXSS}j)Na272YT;M6CmhBW
zC3Y6W?YZ`kBmDeMK#uh}n8@*^RqZVBbBPtz0us}W5H%{x6<sUO4Yr!_gndBD*B~t3
zSHL9JCBu(qs=T>k_>8UjHFsZ&2Udv|X*9rh05z+7TPktP`Q#(m6(S8sI^)4({=p_<
zguuJGD^tSsIx47y@NwX3aef&)SwWJ91TWvqNLYnruOPDDMErhwC@EQeLdoTT$w>p}
zN;UH2qB+!vDtI++)T}V@(Oe~fNP^bgscKKoKdu`43*{ZmNWz`f#677jEK<Hy24Ye!
zc{F`2*OYB(QEP*cUz;U#AF2-Z#vPPk#sl`*nT7A8kB0yb#1G&A8n(yN;_*`-x9Q&t
zJ+(GGpCD~3(*OCVfA9IVWdLI*43GFf|K#ucZ-Bw!xs=EMuaA6u|Ns9hmt;@uyd<r@
T6>mNRe#C`k-j@jKefa+X$9_L@

literal 0
HcmV?d00001

diff --git a/sidebar.mjs b/sidebar.mjs
index 4ef125b..e99f28e 100644
--- a/sidebar.mjs
+++ b/sidebar.mjs
@@ -129,6 +129,7 @@ export const sidebar = [
       { slug: "references/cycles-costs" },
       { slug: "references/subnet-types" },
       { slug: "references/execution-errors" },
+      { slug: "references/message-execution-properties" },
       { slug: "references/http-gateway-spec" },
       { slug: "references/candid-spec" },
       { slug: "references/internet-identity-spec" },

From 3db41fac686ced4cb4109c6659cffde7a34b5cd0 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 21:45:16 +0200
Subject: [PATCH 02/12] docs(security): drop redundant prefix from page titles

---
 docs/guides/security/access-management.mdx   | 2 +-
 docs/guides/security/canister-upgrades.md    | 2 +-
 docs/guides/security/data-integrity.md       | 2 +-
 docs/guides/security/data-storage.md         | 2 +-
 docs/guides/security/decentralization.md     | 2 +-
 docs/guides/security/dos-prevention.md       | 2 +-
 docs/guides/security/formal-verification.md  | 2 +-
 docs/guides/security/https-outcalls.md       | 2 +-
 docs/guides/security/inter-canister-calls.md | 2 +-
 docs/guides/security/misc.md                 | 2 +-
 docs/guides/security/observability.md        | 2 +-
 docs/guides/security/overview.md             | 2 +-
 docs/guides/security/resources.md            | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/docs/guides/security/access-management.mdx b/docs/guides/security/access-management.mdx
index d9bf321..fcd43f5 100644
--- a/docs/guides/security/access-management.mdx
+++ b/docs/guides/security/access-management.mdx
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Identity and Access Management"
+title: "Identity and Access Management"
 description: "Security best practices for authentication, anonymous principal rejection, ingress message inspection, and session management."
 sidebar:
   order: 3
diff --git a/docs/guides/security/canister-upgrades.md b/docs/guides/security/canister-upgrades.md
index d5323c0..3e14816 100644
--- a/docs/guides/security/canister-upgrades.md
+++ b/docs/guides/security/canister-upgrades.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Canister Upgrades"
+title: "Canister Upgrade Security"
 description: "Security best practices for canister upgrade hooks, panics during upgrades, and timer reinstatement."
 sidebar:
   order: 9
diff --git a/docs/guides/security/data-integrity.md b/docs/guides/security/data-integrity.md
index 8818067..d954a35 100644
--- a/docs/guides/security/data-integrity.md
+++ b/docs/guides/security/data-integrity.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Data Integrity and Authenticity"
+title: "Data Integrity and Authenticity"
 description: "Security best practices for certified variables, asset certification, and protecting data authenticity on ICP."
 sidebar:
   order: 5
diff --git a/docs/guides/security/data-storage.md b/docs/guides/security/data-storage.md
index 767bccb..ae96d78 100644
--- a/docs/guides/security/data-storage.md
+++ b/docs/guides/security/data-storage.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Data Storage"
+title: "Data Storage"
 description: "Security best practices for canister data storage, stable memory, encryption of sensitive data, and backups."
 sidebar:
   order: 6
diff --git a/docs/guides/security/decentralization.md b/docs/guides/security/decentralization.md
index a07e9f7..47bf921 100644
--- a/docs/guides/security/decentralization.md
+++ b/docs/guides/security/decentralization.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Decentralization"
+title: "Decentralization"
 description: "Security best practices for decentralizing dapp control using SNS, governance, and reducing centralized trust."
 sidebar:
   order: 4
diff --git a/docs/guides/security/dos-prevention.md b/docs/guides/security/dos-prevention.md
index b0d5208..5e79c88 100644
--- a/docs/guides/security/dos-prevention.md
+++ b/docs/guides/security/dos-prevention.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Denial of Service"
+title: "Denial of Service Prevention"
 description: "Security best practices for protecting canisters against DoS and DDoS attacks, noisy neighbors, and expensive calls."
 sidebar:
   order: 8
diff --git a/docs/guides/security/formal-verification.md b/docs/guides/security/formal-verification.md
index c04f250..7ec216c 100644
--- a/docs/guides/security/formal-verification.md
+++ b/docs/guides/security/formal-verification.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Formal Verification"
+title: "Formal Verification"
 description: "Applying formal verification and TLA+ model checking to find and prove the absence of security bugs in ICP canisters."
 sidebar:
   order: 13
diff --git a/docs/guides/security/https-outcalls.md b/docs/guides/security/https-outcalls.md
index cfd3280..efc5a3c 100644
--- a/docs/guides/security/https-outcalls.md
+++ b/docs/guides/security/https-outcalls.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: HTTPS Outcalls"
+title: "HTTPS Outcall Security"
 description: "Security best practices for canister HTTPS outcalls: API keys, rate limits, idempotency, response consistency, and input validation."
 sidebar:
   order: 7
diff --git a/docs/guides/security/inter-canister-calls.md b/docs/guides/security/inter-canister-calls.md
index fa5ce3b..a5d5d8f 100644
--- a/docs/guides/security/inter-canister-calls.md
+++ b/docs/guides/security/inter-canister-calls.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Inter-Canister Calls"
+title: "Inter-Canister Call Security"
 description: "Security best practices for handling traps in callbacks, message ordering, rejected calls, and untrustworthy canisters."
 sidebar:
   order: 2
diff --git a/docs/guides/security/misc.md b/docs/guides/security/misc.md
index 2fa1560..cfd0d4a 100644
--- a/docs/guides/security/misc.md
+++ b/docs/guides/security/misc.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Miscellaneous"
+title: "Miscellaneous Security Practices"
 description: "Miscellaneous security best practices: data confidentiality, secure randomness, endpoint validation, testing, reproducible builds, monotonic time, and floating point."
 sidebar:
   order: 11
diff --git a/docs/guides/security/observability.md b/docs/guides/security/observability.md
index 2f63c53..f7a70a4 100644
--- a/docs/guides/security/observability.md
+++ b/docs/guides/security/observability.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Observability and Monitoring"
+title: "Observability and Monitoring"
 description: "Security best practices for monitoring canister cycles, logs, and health indicators."
 sidebar:
   order: 10
diff --git a/docs/guides/security/overview.md b/docs/guides/security/overview.md
index b636382..d9ffb2e 100644
--- a/docs/guides/security/overview.md
+++ b/docs/guides/security/overview.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices Overview"
+title: "Security Overview"
 description: "Introduction to the ICP security best practices for canister and web app developers."
 sidebar:
   order: 1
diff --git a/docs/guides/security/resources.md b/docs/guides/security/resources.md
index 9da048c..6e299ba 100644
--- a/docs/guides/security/resources.md
+++ b/docs/guides/security/resources.md
@@ -1,5 +1,5 @@
 ---
-title: "Security Best Practices: Resources"
+title: "Security Resources"
 description: "Important security resources and further reading for ICP canister and web app developers."
 sidebar:
   order: 12

From d00082c4b72cfb961e5112c62abb4f1b7a05a728 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 21:49:20 +0200
Subject: [PATCH 03/12] docs(security): remove AI-generated encryption page
 pending security review

---
 docs/concepts/vetkeys.md            |   1 -
 docs/guides/security/encryption.mdx | 410 ----------------------------
 2 files changed, 411 deletions(-)
 delete mode 100644 docs/guides/security/encryption.mdx

diff --git a/docs/concepts/vetkeys.md b/docs/concepts/vetkeys.md
index e27d660..cc14ef6 100644
--- a/docs/concepts/vetkeys.md
+++ b/docs/concepts/vetkeys.md
@@ -99,7 +99,6 @@ The vetKD management canister API is live on mainnet. The `ic-vetkeys` Rust crat
 
 ## Next steps
 
-- [Encryption with VetKeys](../guides/security/encryption.md): implement encrypted storage, IBE, and the full end-to-end key derivation flow
 - [Chain-Key Cryptography](chain-key-cryptography.md): the threshold cryptographic foundation that vetKeys build on
 - [Security](security.md): where vetKeys fit in the broader canister security model
 
diff --git a/docs/guides/security/encryption.mdx b/docs/guides/security/encryption.mdx
deleted file mode 100644
index 655618c..0000000
--- a/docs/guides/security/encryption.mdx
+++ /dev/null
@@ -1,410 +0,0 @@
----
-title: "Encryption with VetKeys"
-description: "Encrypt and decrypt data on ICP using VetKeys for privacy, key management, and identity-based encryption"
-sidebar:
-  order: 14
----
-
-import { Tabs, TabItem } from '@astrojs/starlight/components';
-
-VetKeys enable canisters to derive cryptographic key material on demand so that clients can encrypt and decrypt data without the canister ever seeing the raw key. This guide covers the complete flow: exposing vetKD endpoints in a canister, generating a transport key pair on the frontend, and using the derived key for symmetric encryption. It also covers higher-level patterns: the `EncryptedMaps` abstraction for encrypted key-value storage, and identity-based encryption (IBE) for sending encrypted messages to a principal.
-
-For background on how the vetKD protocol works, see [VetKeys](../../concepts/vetkeys.md).
-
-## Prerequisites
-
-<Tabs>
-<TabItem label="Rust">
-
-Add the following to `Cargo.toml`:
-
-```toml
-[dependencies]
-candid = "0.10"
-ic-cdk = "0.19"
-ic-vetkeys = "0.6"
-ic-stable-structures = "0.7"
-serde = { version = "1", features = ["derive"] }
-serde_bytes = "0.11"
-```
-
-</TabItem>
-<TabItem label="Motoko">
-
-Add `ic-vetkeys` to `mops.toml`:
-
-```toml
-[package]
-name = "my-vetkd-app"
-version = "0.1.0"
-
-[dependencies]
-core = "2.0.0"
-```
-
-</TabItem>
-</Tabs>
-
-Frontend (TypeScript):
-
-```bash
-npm install @dfinity/vetkeys@0.4.0
-```
-
-## Step 1: Expose vetKD endpoints in the backend canister
-
-The backend canister wraps the management canister's `vetkd_derive_key` and `vetkd_public_key` methods and enforces per-caller key isolation. The context passed to both API methods encodes the domain separator and the caller's principal, so each caller's keys are cryptographically separate and only that caller can retrieve them.
-
-<Tabs>
-<TabItem label="Motoko">
-
-```motoko
-import Array "mo:core/Array";
-import Blob "mo:core/Blob";
-import Nat8 "mo:core/Nat8";
-import Principal "mo:core/Principal";
-import Text "mo:core/Text";
-
-persistent actor {
-
-  type VetKdCurve = { #bls12_381_g2 };
-
-  type VetKdKeyId = {
-    curve : VetKdCurve;
-    name  : Text;
-  };
-
-  type VetKdPublicKeyRequest = {
-    canister_id : ?Principal;
-    context     : Blob;
-    key_id      : VetKdKeyId;
-  };
-
-  type VetKdPublicKeyResponse = {
-    public_key : Blob;
-  };
-
-  type VetKdDeriveKeyRequest = {
-    input                : Blob;
-    context              : Blob;
-    transport_public_key : Blob;
-    key_id               : VetKdKeyId;
-  };
-
-  type VetKdDeriveKeyResponse = {
-    encrypted_key : Blob;
-  };
-
-  let managementCanister : actor {
-    vetkd_public_key : VetKdPublicKeyRequest -> async VetKdPublicKeyResponse;
-    vetkd_derive_key : VetKdDeriveKeyRequest -> async VetKdDeriveKeyResponse;
-  } = actor "aaaaa-aa";
-
-  let domainSeparator : [Nat8] = Blob.toArray(Text.encodeUtf8("my_app_v1"));
-
-  // Encodes domain separator + caller principal so each caller's keys are isolated.
-  func callerContext(caller : Principal) : Blob {
-    Blob.fromArray(
-      Array.flatten([
-        [Nat8.fromNat(domainSeparator.size())],
-        domainSeparator,
-        Blob.toArray(Principal.toBlob(caller)),
-      ])
-    )
-  };
-
-  func keyId() : VetKdKeyId {
-    { curve = #bls12_381_g2; name = "test_key_1" }
-    // Use "key_1" for production
-  };
-
-  public shared ({ caller }) func getPublicKey() : async Blob {
-    let response = await managementCanister.vetkd_public_key({
-      canister_id = null;
-      context = callerContext(caller);
-      key_id = keyId();
-    });
-    response.public_key
-  };
-
-  public shared ({ caller }) func getEncryptedVetKey(
-    input : Blob,
-    transportPublicKey : Blob,
-  ) : async Blob {
-    // test_key_1 costs ~10B cycles; key_1 costs ~26B cycles
-    let response = await (with cycles = 10_000_000_000) managementCanister.vetkd_derive_key({
-      input;
-      context = callerContext(caller);
-      transport_public_key = transportPublicKey;
-      key_id = keyId();
-    });
-    response.encrypted_key
-  };
-};
-```
-
-</TabItem>
-<TabItem label="Rust">
-
-```rust
-use ic_cdk::update;
-
-const DOMAIN_SEPARATOR: &[u8] = b"my_app_v1";
-
-/// Encodes domain separator + caller principal so each caller's keys are isolated.
-fn caller_context(caller: candid::Principal) -> Vec<u8> {
-    [DOMAIN_SEPARATOR.len() as u8]
-        .into_iter()
-        .chain(DOMAIN_SEPARATOR.iter().copied())
-        .chain(caller.as_slice().iter().copied())
-        .collect()
-}
-
-fn key_id() -> ic_cdk::management_canister::VetKDKeyId {
-    ic_cdk::management_canister::VetKDKeyId {
-        curve: ic_cdk::management_canister::VetKDCurve::Bls12_381_G2,
-        name: "test_key_1".to_string(), // Use "key_1" for production
-    }
-}
-
-#[update]
-async fn get_public_key() -> Vec<u8> {
-    let caller = ic_cdk::caller();
-    let request = ic_cdk::management_canister::VetKDPublicKeyArgs {
-        canister_id: None,
-        context: caller_context(caller),
-        key_id: key_id(),
-    };
-    let reply = ic_cdk::management_canister::vetkd_public_key(&request)
-        .await
-        .expect("vetkd_public_key call failed");
-    reply.public_key
-}
-
-#[update]
-async fn get_encrypted_vetkey(input: Vec<u8>, transport_public_key: Vec<u8>) -> Vec<u8> {
-    let caller = ic_cdk::caller(); // capture before await
-    // test_key_1 costs ~10B cycles; key_1 costs ~26B cycles
-    let request = ic_cdk::management_canister::VetKDDeriveKeyArgs {
-        input,
-        context: caller_context(caller),
-        transport_public_key,
-        key_id: key_id(),
-    };
-    let reply = ic_cdk::management_canister::vetkd_derive_key(&request)
-        .await
-        .expect("vetkd_derive_key call failed");
-    reply.encrypted_key
-}
-
-ic_cdk::export_candid!();
-```
-
-</TabItem>
-</Tabs>
-
-**Key decisions:**
-
-- **Context**: encodes the domain separator (`my_app_v1`) plus the caller's principal. This makes every caller's keys cryptographically separate; a key derived for one principal cannot be decrypted by another. Both `getPublicKey` and `getEncryptedVetKey` must use the same context so that `decryptAndVerify` succeeds on the frontend.
-- **Input**: an additional identifier within the caller's key space (a document ID, a room ID, or an empty vector for a single per-user key). Different inputs yield different keys; the same input always yields the same key.
-- **Caller capture before `await`**: always read `caller` before any `await` in an update call.
-
-## Step 2: Generate a transport key pair on the frontend
-
-The transport key pair is ephemeral. Generate it fresh for each session or each key request.
-
-```typescript
-import { TransportSecretKey } from "@dfinity/vetkeys";
-
-const transportSecretKey = TransportSecretKey.random();
-const transportPublicKey = transportSecretKey.publicKeyBytes();
-```
-
-Pass `transportPublicKey` to the canister when requesting a derived key.
-
-## Step 3: Retrieve and decrypt the vetKey
-
-```typescript
-import {
-  TransportSecretKey,
-  DerivedPublicKey,
-  EncryptedVetKey,
-} from "@dfinity/vetkeys";
-
-// An additional identifier within the caller's key space.
-// Use an empty vector for a single per-user key, or a document/room ID for multiple.
-const input = new Uint8Array(0);
-
-const [encryptedKeyBytes, verificationKeyBytes] = await Promise.all([
-  backendActor.get_encrypted_vetkey(input, transportPublicKey),
-  backendActor.get_public_key(),
-]);
-
-const verificationKey = DerivedPublicKey.deserialize(
-  new Uint8Array(verificationKeyBytes),
-);
-const encryptedVetKey = EncryptedVetKey.deserialize(
-  new Uint8Array(encryptedKeyBytes),
-);
-
-// Verify and decrypt: throws if the key is malformed or was tampered with
-const vetKey = encryptedVetKey.decryptAndVerify(
-  transportSecretKey,
-  verificationKey,
-  input,
-);
-```
-
-## Step 4: Derive a symmetric key and encrypt data
-
-The raw vetKey is not used directly as an AES key. Use `toDerivedKeyMaterial()` to derive a symmetric key from it.
-
-```typescript
-// Derive a 256-bit AES-GCM key
-const aesKeyMaterial = vetKey.toDerivedKeyMaterial();
-const aesKey = await crypto.subtle.importKey(
-  "raw",
-  aesKeyMaterial.data.slice(0, 32),
-  { name: "AES-GCM" },
-  false,
-  ["encrypt", "decrypt"],
-);
-
-// Encrypt
-const iv = crypto.getRandomValues(new Uint8Array(12));
-const ciphertext = await crypto.subtle.encrypt(
-  { name: "AES-GCM", iv },
-  aesKey,
-  new TextEncoder().encode("secret message"),
-);
-
-// Store ciphertext (and iv) in the canister; never store the key
-
-// Decrypt
-const plaintext = await crypto.subtle.decrypt(
-  { name: "AES-GCM", iv },
-  aesKey,
-  ciphertext,
-);
-```
-
-Store only the ciphertext and IV in the canister; the raw key exists only in the client's memory for the duration of the session.
-
-## Using EncryptedMaps for encrypted key-value storage
-
-`EncryptedMaps` is a higher-level abstraction that combines `KeyManager` (access-controlled vetKey derivation) with encrypted storage. It manages key derivation, access control, and client-side encryption transparently. Each named map is secured with a single vetKey; all key-value pairs in the map share the same access permissions.
-
-<Tabs>
-<TabItem label="TypeScript">
-
-```typescript
-import { EncryptedMaps } from "@dfinity/vetkeys/encrypted_maps";
-
-// encryptedMapsClientInstance connects to your backend canister
-const encryptedMaps = new EncryptedMaps(encryptedMapsClientInstance);
-
-const mapOwner = Principal.fromText("aaaaa-aa");
-const mapName = "passwords";
-const mapKey = "email_account";
-
-// Store an encrypted value (encryption is automatic)
-const value = new TextEncoder().encode("my_secure_password");
-await encryptedMaps.setValue(mapOwner, mapName, mapKey, value);
-
-// Retrieve and decrypt a stored value
-const stored = await encryptedMaps.getValue(mapOwner, mapName, mapKey);
-
-// Grant another user read-write access to the map
-const user = Principal.fromText("bbbbbb-bb");
-await encryptedMaps.setUserRights(mapOwner, mapName, user, { ReadWrite: null });
-```
-
-</TabItem>
-</Tabs>
-
-The backend `EncryptedMaps` component stores only ciphertext; all plaintext stays on the frontend. See the [password manager example](https://github.com/dfinity/examples/tree/master/rust/vetkeys/password_manager) (Motoko + Rust) for a full implementation, or the [password manager with metadata](https://github.com/dfinity/examples/tree/master/rust/vetkeys/password_manager_with_metadata) variant that adds unencrypted metadata alongside encrypted values.
-
-For the Rust backend, `EncryptedMaps` lives in `ic_vetkeys::encrypted_maps`; for TypeScript, import from `@dfinity/vetkeys/encrypted_maps`.
-
-## Identity-based encryption (IBE)
-
-IBE lets anyone encrypt a message to a principal using only the canister's public key. The recipient authenticates to the canister, obtains their corresponding vetKey, and decrypts. No prior key exchange is needed and the sender does not need the recipient to be online.
-
-**Encrypt (sender, no canister call needed):**
-
-```typescript
-import {
-  IbeCiphertext,
-  IbeIdentity,
-  IbeSeed,
-  DerivedPublicKey,
-} from "@dfinity/vetkeys";
-
-// Derive the canister's IBE public key (fetch once, cache)
-const publicKeyBytes = await backendActor.get_public_key();
-const ibePublicKey = DerivedPublicKey.deserialize(new Uint8Array(publicKeyBytes));
-
-// Encrypt to the recipient's principal
-const recipientIdentity = IbeIdentity.fromBytes(recipientPrincipalBytes);
-const seed = IbeSeed.random();
-const plaintext = new TextEncoder().encode("secret message");
-
-const ciphertext = IbeCiphertext.encrypt(
-  ibePublicKey,
-  recipientIdentity,
-  plaintext,
-  seed,
-);
-const serialized = ciphertext.serialize(); // store in the canister or transmit
-```
-
-**Decrypt (recipient, after obtaining vetKey):**
-
-```typescript
-import { IbeCiphertext } from "@dfinity/vetkeys";
-
-// Obtain the vetKey for the recipient's principal (steps 2-3 above)
-const vetKey = /* ... decryptAndVerify as shown in Step 3 ... */;
-
-const deserialized = IbeCiphertext.deserialize(serialized);
-const decrypted = deserialized.decrypt(vetKey);
-// decrypted is Uint8Array of the plaintext
-```
-
-See the [basic IBE example](https://github.com/dfinity/examples/tree/master/rust/vetkeys/basic_ibe) (Motoko + Rust) for a complete backend and frontend implementation. For IBE with a time-based release condition (timelock encryption), see the [secret-bid auction example](https://github.com/dfinity/examples/tree/master/rust/vetkeys/basic_timelock_ibe).
-
-## Testing locally
-
-Start the local network and deploy:
-
-```bash
-icp network start -d
-icp deploy backend
-```
-
-The local network automatically provisions both `test_key_1` and `key_1`. Verify that your canister returns a public key:
-
-```bash
-icp canister call backend get_public_key '()'
-# Returns: (blob "...") -- 48+ bytes of BLS public key data
-```
-
-For `vetkd_derive_key` testing, use the [chain-key testing canister](https://github.com/dfinity/chainkey-testing-canister) (`vrqyr-saaaa-aaaan-qzn4q-cai`) on mainnet as a lower-cost alternative during development. It provides a fake vetKD implementation with no threshold. Use key name `insecure_test_key_1`. Never use it with real data or in production.
-
-## Common mistakes
-
-- **Reusing transport keys across sessions.** Each session must generate a fresh transport key pair.
-- **Using the raw vetKey as an AES key.** Always call `toDerivedKeyMaterial()` first; do not pass the raw bytes to `importKey`.
-- **Putting secret data in the `input` field.** The `input` is sent to the management canister in plaintext. Use it as an identifier (principal, document ID), not for the secret data itself.
-- **Mismatched `context` between `getPublicKey` and `getEncryptedVetKey`.** Both endpoints must derive context from the same inputs (domain separator + caller principal). If they differ, `decryptAndVerify` will fail silently.
-- **Not attaching enough cycles to `vetkd_derive_key`.** `test_key_1` costs approximately 10 billion cycles; `key_1` costs approximately 26 billion cycles.
-
-## Next steps
-
-- [VetKeys concept](../../concepts/vetkeys.md): how the vetKD protocol works and what use cases it enables
-- [Data integrity](data-integrity.md): certified variables and response verification
-- [Internet Identity](../authentication/internet-identity.md): authenticate users before granting access to vetKeys
-- [vetkeys examples](https://github.com/dfinity/examples/tree/master/rust/vetkeys): password manager, encrypted notes, IBE messaging, BLS signing, and secret-bid auction
-- [ic-vetkeys library](https://github.com/dfinity/vetkeys): Rust crate and TypeScript package source
-
-{/* Upstream: informed by dfinity/portal docs/building-apps/network-features/vetkeys/ (introduction.mdx, api.mdx, encrypted-onchain-storage.mdx, identity-based-encryption.mdx, dkms.mdx, timelock-encryption.mdx); dfinity/icskills vetkd; dfinity/examples rust/vetkeys/password_manager, rust/vetkeys/password_manager_with_metadata, rust/vetkeys/basic_ibe, rust/vetkeys/basic_timelock_ibe, rust/vetkeys/encrypted_notes_dapp_vetkd */}

From c415dba1c967c605d3f770f04e6e346bf500f01d Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 21:51:18 +0200
Subject: [PATCH 04/12] docs(canister-calls): replace retry diagram PNG with
 PlantUML

---
 docs/guides/canister-calls/idempotency.md |  21 ++++++++++++++++++++-
 public/img/docs/retry_idempotency.png     | Bin 55032 -> 0 bytes
 2 files changed, 20 insertions(+), 1 deletion(-)
 delete mode 100644 public/img/docs/retry_idempotency.png

diff --git a/docs/guides/canister-calls/idempotency.md b/docs/guides/canister-calls/idempotency.md
index b46fb51..19ef45e 100644
--- a/docs/guides/canister-calls/idempotency.md
+++ b/docs/guides/canister-calls/idempotency.md
@@ -17,7 +17,26 @@ A canister endpoint is idempotent if executing it multiple times is equivalent t
 
 Given an idempotent endpoint, you can implement retries from an external application by retrying the call until you observe a certified response, either a replied or rejected status; see the illustration below. If such a response is ever observed, it's sure that the transaction has been executed at least once, which, thanks to idempotency, has the same result as executing it exactly once. However, the application may not be willing to wait for a response indefinitely, and a timeout could be implemented. Upon timeout, an error should be displayed to the user instructing them to wait until the latest message that has been sent has expired (as defined by the request's `ingress_expiry`) and then manually check the status of the transaction. Ideally, timeouts should be rare and not occur during normal operation.
 
-![Retrying an idempotent call](/img/docs/retry_idempotency.png)
+```plantuml
+actor User
+participant "Web Browser" as Browser
+participant Agent
+participant "Boundary Node" as BN
+participant "IC Node" as IC
+
+User -> Browser: Start transaction
+
+loop until certified response or timeout
+  Browser -> Agent: idempotent call
+  Agent -> BN: call & subsequent read_state calls
+  BN -> IC
+  IC --> BN
+  BN --> Agent: certified response or error
+  Agent --> Browser: certified response or error
+end
+
+Browser --> User: certified response\nor timeout error message
+```
 
 The situation is similar for bounded-wait inter-canister calls. Given an idempotent endpoint, the calling canister can keep retrying until a response other than `SYS_UNKNOWN` is observed or give up after a timeout if waiting indefinitely is not an option.
 
diff --git a/public/img/docs/retry_idempotency.png b/public/img/docs/retry_idempotency.png
deleted file mode 100644
index cd251ac853955634f13fc087edd69d73c5cbe9d2..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 55032
zcmeFZ2T)W^*Di`V0Ad0}B#0m)lJmd-iixb`j6;S21{iYGR|ORXMS^5hq9n-~R8&O5
zNF2!^5{I1g+_k~)``@?DsXFyn-T&0By5Cq9uy^m?-K$rx@T{lj@hz1b)Q3+Wrl6pp
zmcMybje=sI5(UNXiG%y$in!cn7W}C3)X;HO!?>|JIN>a;ZOvJoJsiwg&E2gnC@9=J
z?QY#ZQq6jBbNQs??%jIgL3W0@j1wzzujPA|jt{K<;0#$?UsMX-RUcDqt5%@J|3245
zh^^mB$fBQtbLH;w@i!^H6e|AbUzpGRr9oJ29{d!B7t*r7?sOGnO!+<TcIDFz-Grv5
ze#=wVr;d4^4Y)jyyR6wUW&Bez<EXLq-tdCS_)Uuz$-oM^N3nwUuCdMTx4NX#`ZV>6
zZ9oR*;@3bX#wY%f)W7>;coS*9pma-_oa6*4D0V%xmXo_BFDLh}DZxZyd|se$R?D99
z?@N9nqj6?}_1E*)rB?K`#|&&}pWHgzdN>pH%3$q)^68M1^fx{h^!F1?+CF~K)jpto
z`RK+jM^^_m=NHGT6c6*5ln)jMELScMO-ah8Mnqb;e5Oz?YS3Wgwa863A#!^jeIpSl
z5UKk$hMi+TvU2KJ|GHtQ<tlMgVy!ji%iX&-&zSmKpTHee#dYo<@%hEi{r%#s#B8xV
zJ-hGk(qFTTBY)NHCQwC>wMsd@(z%qM)BH8V%I35B=VO{JT*lwrGn{&VWrU??c&KiD
zx}{>QJB-T2u)lxAar5ZwgeS+pzdx2_$ob{Ulg2^mt+PbF7m8=K4?R6YnJRmKV(lZj
z-wl_!@%ur<$tQba`GV#Jb~{h*eik+8%_6BXxc8v+9&OJ$<Fq|O@rgt|z265%`}Xr@
z=||-rFqopauj+66J?ms5$M5+M>kK~Xbf=2<c@oPjMF@^-6p3ltwT%7!M^EwGS}G-!
zm36Hz;gs|IWTxt!e*Q`*=?C5Ov<4m1QC32k;_P@aW;hdbUUxeOP(BI@DH(SMj49UK
znbpMH(%K%)HeFW5#%gVbX44i?=2v!*Gq<w7>FH#y?x~_->WMX#Fk_REJ}l*qf)4D=
zoiVKLcDD9-lslSjyI&Oij$GzrW8H4zj778QDBoh0!#SC=3iAr{^7CACw{{g|lRnHU
z<z!}oQoDNnPZ#hPn$61D*#X7J=jP_d>n6mDbF$<UkdTnz;}_%;6y$*xJa`X#XN)_K
zJ^mch#ZDhr&GDvA)(+0rID1y4PmBr9#Tm`U2KQP2H9k8BW#xZ&Z;$^Y1&{}yJH~-e
zfR~@o&W`WzPvD)exk4v@2K2vu0<QsEl~2tak8^P{HNWO+Ztr~V?_J!GSHAV{9*`+n
zTH85nPYQ(hkC&O5{=1!ni<9kk8#7Zrb6aye=oAm*6Zl7aXKRc964pP)hTPen&ff<D
zulslZ|7iWMxo<ayR?5n#t2k2^<fZag(QL?gQD!((YctgLuYv;nCL$&Rf;?gvaRDA-
zenAWm27@u-5j7Js7cv(y5i*w${99M@_IPKEy{S3U6?D#P4gH8nn41X*h)M96nFtH>
z2%Cxt@<@man($yu%uOsrF#<y70v3PkLe<F{v=U?c_fa8TnL$^g;sS!E=Hfy;;$r+3
zJi-=2qCDazf)YF?!lq`XLS|wT7}1@skaa*^z9o-l6XfOJ?tJ^oEnAGU1<uJ1&8Cbo
zWmQ%GuR9vncIN8N7({9UVuGRq!V;i`f`X#rqC3;ueq77k2@e{FbSl8lD<r=CxS1*H
zI&_Hv&9Sz_Seo-W*jsMjK-L8XvjNFs5JiQax39xwP;yS@7-yW51`cP7W<&aBMY{a=
zZDrU`W*BG8RgAMayp3N_7{xDv5)jl75J8Cup#&tj`2|t@e`}93v$pW~Kea}753AJ9
zn%}g>!}~q9FYRn8b#up^zjpq#wcg%KtgPF+0);W%nF1c;YHqeYPUvgrmZ=rS-qIY*
z#~*$D*LCavjV@SNm|F;0V1#+ZB}6cw3xc9NCKv$;9w7@8egRVpQ8Nn>(SP=i$5}YL
zVVuk_TY?-xR-m8TvSPikvxHp#Z0=@dj;s$zjE7%>=YN$L-=7)tAy(sGQ<mcUUxXsH
z-QaI#2A<ow2IdQ_A>Y5v;UA$PhUb6q^Jg*s2j2i)|K}zDE&2XOT>lZ*e@g=Yt;YY+
zuK$SZza@eHR^$I@*Z*tcI{aS=mAO5HL2i&Pak05QfK+S0iQ<i`6lCOILPg3;xN^wh
zrY@d>g7O6Ne-}km%qh5dz*%1T+JVtSRMa9TjMcU(C@5Gd<gZ@VaPOSx@p7gedQB!1
zo?m^Ledc)7z5uO*I#*<^FWd-KGqExFA{!KOQ9)K%VfWq@wU&jW1->Q4PaMQ)t<HuX
zKE!@O!TMH$7ULsFhG&<L96TW3M3M9GQRvsO5Ql|`3mp@EEFD5q9YqGklkC$(J>Cw<
zb;0@i`aDbNc>{JB)&K84hM`SNT7p7CEw#xAS_2>6%<}Sb-UvQ_*NA7!fyNorg_8Dm
zlh&j@q7mckZ{K=jZC0bBPSY|oH*pjxtE<0ljFrTqr`popA`G>irH|am8y~mXY-gdS
zwp?t}e%3xXI$C-7(4nOMtOS`Y$NSP-?&N9@4-fqd)X2-U^|b90zlGV|b@&ip=~LB`
z){dR(_R93*WPhsdy40+a)6J=>g{=v?qNy=)q;trP=55l_f$QtbRd2hy_q7jZWN;`b
z#eDeqNNc%FJ!R|N)@GHLF7B_^wzmBlGKVR(e+Cf>u*M|k#dFBZDB=z(?Rl{0-qmZ@
zxFuFE_xP?GM)0um>*HL$YQ2sy>A^cC@7;9roZ{PiUE5dY(6H%es#ZSN)zhaNZ3uD4
znb4j;>28%0Z=B$?7!8t~N_q$&5Paw#f5^W-P9kY&<QrYPMxs4&B0W;b?=`0Sx>57=
zx7x@zYip%}_L`B;`Fq!vf4n}2y0%J3mo?+bd;WZ3%O#ntr;0954UQ-)KhsL^6{yqJ
zbh$}M-)L1Jeer@$)?a@Oc`kKON0jsKMqZU5d6vIouZ_*S0;eH$y&Mw~2X@GH&a435
z&Rc8g63)9aC8gh#sgt9*=fKz8yn);^=OU_aurL*m5)PgWzkco7x&iqirRCA6?cN-Y
zfjAs+w8PR81R1h!I@(J?)1bV~)6T~yc4>m^w!-({cjG%+TT|b^f3H<j(p@w?nO-`@
z6l<0CdSJqQ>~v2RIU#**Q@hL{djVxM;pDooX@{2P9X?f}*44jA<g-7*Y>ctK^2uE}
z7DYV0^!oKchV<(1M@D`=ffu=#b+h$L=D3DNrtMvrJeM{ixKZ*itD7?BM+ic;$XqE{
zQ;)qWyzTD(z~x0>(X^Ye?a!OBl5Xwo$LB_ys-^d|+&|FQQZ`N3WyA;)AE?GP?V(XB
z+Q;|hi{Fo?w*fA{za41D-w5(f&`cjz3^}j#DiK!X-MjJUu9KY>73b0D8^%6usYK(x
zH~5jp@oz6^GCq9v&Tehy=pzb>3dgjiXWO^FILDHjoUEs&NLh%yU~@TT-L40bNU$_2
zK`vlvd~>-kU$6X2O>lc=QEyhX{pq%>@Yhpy<Ms_vmfpO6usaHEb<;sJZ783bn3#y%
z`EW<S_;=$aOLf;JwOA=#c&gKS-(bW$^Q@8IngRkjr-g=V6jXfQD^I(LM`^0fy<3|0
zt0@ecoqg*v_>7$V_(V&^6+YwjngXIfX|l*z-FoauTdRhC*9D2yT@N2T_&#9O9>6kH
z@To{vPI-m9ib?YDwjg|;Kj$|Z8<W^o{bg>>5ap22ov!H!E3-LzgR69PxXatu4O{cb
zYqetL)5WezJKwF;+mEF=JLU>}K`#sEgo=jLRW~~egCpw(Dl@wyvJ2+;BRYgGDJ#b&
z$-lJdj0=1^kr|DvRK9<JrpTZ3xt@K$h9*;P*!_}?t|I!MddX3P0)2SGxd@JLQXaW_
zEI!U33dx|3qyU+6^>a6Znv}(!vB~a3R(&t+?v_9Y^5$6K^N|)+nViiYm{ODoVI?Lp
z36?@cq|KAODQ0K5>Z3faW^8PU7PHZK<4^rkn!NFJ(q*|XJ_`&(q3pNcs~&OptUXqF
zyObv5`t)z-=rb^=u2AWX5LA~}W5dGMGaM4pJ@<XW!bawYoz6(D#Krk->BjejG|Vj)
zO~eg(BSVl+?ym8vI8~{4D5|c|ZCd}d*wohDX`GdK`j^0wy_W`qWwuy0CoC21&c=*v
z3Al_KWE!FS=zf*p-iC(O8m-$XD;Lo5#=L&@N(a5%typ-gJ#PaP@pm4{{n{6MCW*Ow
z!wu_UMCl(t9NMvwQrn}1m9`@h+fA?993q8ZiX`D#1Z2o7vsI%xHMx7T`X)Lky{AYZ
zg(%5oBfFn7$pzk(OPJ-MXp~D<;)i=<$l{~zBU`z8rb*|{d0~6Yjjf4UcBe%y-j)jp
znkl{AKds}!65Qc~<|S_7d@UVkwP@*an%)~$4e{|_*Yr!bEyK~9G*1!+rONgOGt8TI
z4Ni7ZR_KK#Cn|wSIH~XO{H4$}F!PDwbfIw=Loj>CkALMpiz#1Q7#qRs8o3V;rK_K}
zx3<SE9acO6x6Tb7x_0fFK7sb+C2h^Nvt6Wj?~Zg-3Q7Cs=jMiA5OE2gtl-v`PV)E9
zv(sb7qc_nwl{F20FTJ{ObFY0E5J*L@{;l^0Lqlb|eY3MateA)h$1F0?Mb_!4t7n3R
z+$CeWIKEma81(qDrp@@JE>A73sg_?~@Vk8*H&(}d@7F?`&O)9(oQ@$ppq`?#cf%Wx
ze*5N)T~}{+jdqsz_oW!HJg}thJnBkH873wZJR#iN%hroFUfg4aXU@T7wRKLj$moFz
z{j7Xj?4DkT<FhT;*v(|@wG{euNt3Yo!)G<CqHwW2bh=XC)=SFK<a+wOU+*#J!eT2l
z9zQ-&{;3)Eol#vpI03AFK_N?lw(pi-$9GnkJqW>lvMMu722p<s?c>Uxs1Km?vx9!O
z<!iYMM{WdHR<F5%2d1UXEPA*vkPeM2=shjz8bd4CMkJ1bZdm<%|3X1NG6R&ZaK>h3
zMqh7|*+{oU_4e&1&xNM=BJBB97gG37W=nIPoYD(@jx`m938|?UR0HWY8$C0<P90~F
z>0BxT+alt%WcV&STOAw#IM4jFz_QiTgqg<qinzK-=|WR5XIl#?5w=6*Ux8IkKXV2*
z{8c~|wdfacKIypVE1B)?Q!MaOz4v!A_aAwxDOasa3!aWqO@ZfL{s{k`DIRoSAo<R|
zEO_W$CVCRTvJ1}=`1o<#n`?yh%F0IWo5FSD9hPFFU46`>ZFBg($|8Lxy|WzVPnf+f
z>4)T7s-_uv&x#fD{(_)DKRyTk);?<MN(NI|(QB+*LKrvcZ8tSrU%JwTLbUbz^&oaG
zFpT<vogpFG-bd{EEB#(oQyO^L6}M;Vo2+kvVrOX8cXTLfg1X^Hdb_er#h?3a5=oL9
zy~)YfD^`BtYzdJ)>r6ow=+)on+6z<D(kjhNe|z@c5?J<;htT5=w!;Ygeo>!qMBgSo
zvVeEFAAb<0Sav*sj$gLzI7LfqM;Y2(BNLh^fv4-d@(7&J#q;Oe51*WyCo6Jm+gGFx
z8J6b1H@qhY(#jSP=&8X|(FFhSSys-w^6dL}AFWr-U>)fEix239oIHN~9WA$B`-qzA
zE!ZHP>E^!%gUQW@%RW_~6Si(v^4XXr>ttgiL(^MF+{31Z+_-Ag7O0eZ_Pm9#?R%rq
zX?}hemirnuhw^&%RQ&#Zz?Mg&&trr-TY$GG5`#4}!=cwk2^D&6SvomwdX*h{^gnl3
zf#7!g7J8lHD%fjM6HNXhDiGy0I?m8v5*&8=_;DLM&SmrN0<3<Sg|8b;J%=tPYn4eo
zrLo|9Rb{0Li*GRzTduKeT8*BmZ!~(RDzo_+wI70&-TT`oha}2xkhl6OMoR};)2hbn
z_^N)m5Et{?h1l6OOuugYbiG90oaW@K6)1yco}8uR+vsdx^qu(WcpByW;LY3hW+oOy
z+($Kv6{tV>bbpks54W5;a^^x2dh7Sg;KiW`<CV>)LCz^|^ei%^J(vb<W06i~G2xAt
zbkbU+P<$tIG)4iYtl!UF;9REyj_l)oTx<WwYQ8R|sT7sXHf)d2KHklBKO$X*@9eev
zeFP=tSeIJPxLMkF>z(#nrQf4pszyq$jou~t9*0HtAy~%89xM(njd+o*^=;~2)kx)U
zEY&SHIe%}$2>y#bx~^de4|*y+jVSk`FClAn>ZO#+1IxQ3V=UyA`sqIVibdD#k^NMs
zyqjt!!|tf)SlYLM61IUIU0)-}$e2Fc<t6Ynh{=+&9*omiEhkG8XbEDl)|OeW213=9
zf<pEd8-K-3Rhf$KxO8E+xXd1JNAW1h?&k5YjO5Io=~*gftj#-prn(lik|WM%9E)x^
zyBprSq<H$e=YGOgdymk2NzaA%gvaUZX~tE%BAlycL@d&?DLRB&T}D>Dv4gQ%8WT%h
zlVt^%(^A#)Tn?|g!U@ZZks%t|+Fi-HvlITkdRC-HZPuTil}uLT;sO8HMucal!>r0)
zJB_y*^XXEEd#~^m@-M}cGb&OEuHsRPpD5F9cMT7TLU^a2Fr6MGfAduKp%do|(ueqw
z8Bs(q-m|8F$f$I>(z<Y@yGAo~qex+XLamF=#f6FH8tVAUKAYL`U@z{5&z}!HdHi@$
zlF|e07j2MjuYqsv6?KAEHq5JUukKdiV$$ypPa@GwBV=I`M^ntU?nH=tv5PDXQCaqg
zCs=z*jB)m}M=LURp4nBovjtVcA|gg};UDZ~GjWR*mug<h#9_!^^4Dx30Emg<nmioC
z7v@6hJ$R}Wq@o2b9jm0dJ?6i5!I<~#r&>BapQ{@0TNp{8JRFXl_-U3+=M>lD(o+*a
zMHhD#bLG>DtE!Ta!<~$|dAIb!rTidfbjF?o-+hjl&ZNjxIM?nzM!381;hs~x>C3H2
z+zq?nJ^Sw3Q7?C1M0GO1U&W@4NwjB5652f&Maw-p{3VKY$SXCLM(ahElol^X9_Vd-
z|EkU1ROp`+*M+)xQEzp%Oj5aL(8G4ByM(KMrL0-(qm|R#eF!&ybZSGuKYLh_nB~(@
zDv@WW?;EZ6!R_kJo2i0=PQnn_#ELs=K+seGL6DIg!%5mqB6?ZMN%Pa6>gr;`!A?uW
z3*9`0^Ri#GnST5_tIGHJq$7Wj%P7Nfqxw@XeAaz$fF}$EhuBr<laO&~{n8Q#NA|Y?
zt4j8|p7tCbboEW+L0co<N`EaY8=D1B-dmA0EWUx0vwdV=L95_Eh`IY0V=PHnq0bAn
zYioyZ_&n3>(u(`2535a>qtV)2r^$Whp${$|GK2Yb&w#hO>DmNsxclTuJND~S$pSn5
zO7^sT=YYuqU0p?6o{r@yA5w0%Dx?_x)Qo8m$l45j&+IHO=_ZNyR*{)}?`$vT<$E9U
z_egQNzsu+z5z%e#|0veUT(!A`HHud^*f<atF|FpYnspa*^V*lGy5mb%Z!8x)6kJ?%
zF*3!)N$J|@tISUq6r^YxRVsEB4y7mDd8mB~<vJmrO_286+ThT&C)B>IXZYSDA|m2h
z;9Sw#Go?SsFypcR3OuyO_2m*(4_dz-b*2FcU^+!PRgEfcRl*ePSX{uE{8jqmT+K=k
zUEIq=i8Bo-XRGYV5?P@y>!|BeRn<bRc2?q8?kd?6XALu!jx-$u?{R}=vt+Wwye_w5
zoB@wEa>s;aCfP#-cV0y);<rzp#pg#XKYP6-?1#mnJNFqh%&z&J=Den+%eSTFnVEyx
z11eGho!esRw>ir{c^4du5zhrY9$ZEAw4dKop7&`P-6<aP$*GWOLE`+bc!dT@WFaX3
z-eB0@cA6k`(tCZ9h`6s2vnxzP+@X;IgDQv=A-YhB%V-bbz-JD1m*8JQQb;e)^YX{<
zVcuI1$UvCdwlw)rs~-ssA*<+=7CSfiSh2lFR4}(lP2I91E*c4myTY?OJ6k|n#@5!4
z3#$M}sQM+x*6p*bk?oTR(x+{0i1osKSVq#3!kT^i>I!Vyys<JrD=Th6K9cE^nll@i
z?yA(<szI8qnQr-be|oI{<FYUWMn;#rm#fIich*|ftCsYNkU7GZg;>^lX`-zBYefvo
z#l9@)7{S!JBi9zjfonKk<+<pszv^*>)<HljU@rs@g;zQXdpG!N4lZ>EoL4Trmaf&H
zefi_zhG?;CLKfX)np)giwgq|;Ud-Itm8DH66^r`f7LpgbniS-@xyS<&OnCC7M-TF5
zBzFYo0IUA)9m=fi@kv_R$%3jq$jUer@cUaIc*Z2DBI#zI`|t{>ohRoj1@)mrnp*A0
zhkh&NY#FJm+cA<`Ly=(AbqWFjyTQYB5S(BBICtckP-my7yNcNmPIUHKU|i9aS4hMH
zAv|_?>CKx(-<r!$pFGiWn%fhRzrm@Zq>Y5ALr3zd;xhlregFyZkjN2hNGkM;X|2w$
zfyU@FDE29Z404IMv}?v%cN+wQ^7(9`p~EizeTYrq;!?LYzpbu5DR#B-yWTI_;v(0l
zRA)}5KX@=(I5$@mEVVx2uZWVig<VQ46bViT$R{)C#<*`ikC9XjxA#&3&8s+H&oDc~
z>kuawHpZ>rfgE6QqNA>pQ14?q*-1o|Z=F5++H<Zp%yVOQUBlQoWo-?mZ#X*Ebi=Q4
zB?%GP-Gs}OErAF3O6k7`oT<<ylSQ0g3rnmVZady+2)Pk@YlW{OPF2Ns=85xJnnQ=$
zN?mXlIKKG3I(Fg&N$3{D-e+cf)D(44mW@~9O+5h%$=1!wYnxWRd1@M;n|S-}aXzmO
z|9~4-U!G+87Wu(C^f=z=*GlH%dbzmJlD>ON4y2GVMbxf?{B9#iASwz~NAkbRZf^G5
zok^~8DV~<QaE<Czm(x=-OFqr(Ur+3kkpbneJ1#1-^wV!|x4qplh7NrKdRZ-f$c#A!
z{J(-&pLg`+>b*UtoA%KwD@{@20*1A<GzN2P=cS~sC`Ql~>g|WjN(3yCuLi2WHO&Ts
zM_>7OiNc6H`kMtxs}(Gul<zki*lu~x-o_^XnNUZHYL(XgPy~00F!nt*gND3FB^LEM
zD$0gQ{8knzn<cU7?es13*8Sc4AHzLxDVp)pn+ut^g8EY5$%11~o=(^`DBzF)&W?@V
zZEBEtzg`OLR+P(l_8JnjRgt?Az@k~r^bcefmP5FtsjZ#<_67|JeBk1ETUo>OVhujy
zt1QnPn3nOG0dhM;a^rafmC-fQ0VH7ARrfh>0|{u36gbQqs2In$?0_}>c?J#UI6FyE
z5s~rFkKe9s%nJbsVgM=e4}c!#B<p3d>o@e57T>*-L+(izeFUp#mwBc^mx#rxBCiMZ
zPv`A*j{V*Hx7stcvwKeq{`P`sqaxMxGoEGj_ser@H8Rq9;dWp_S9)a7#2%unU7dhc
zc;5OPGIF_fJ+N;8l_Jyenk3n!rPpuH^tc5szGX>rXNn&liH4YVd}DQf*YeB4(3iSf
ze&ls|O|2;+gq81?`q~TmHY8o%>G4(M8ypE3EPTc&rge)AS*tAn`g$cxBO{}TI{HIO
zyYi!}KAik8bVCPW<FV>Ew|xlZU8SIKKK@`^(;Zfiz1mIj<IvG?B+>s6cKOa>3fbr9
zE+N><UG9JnCn@f-Uf+I}LYuDT#2%}niHRgg9TYB8L@;2upcRFIM?U{P3f6<icDiV5
zveSFTERh?WNlh_&GAgRFH5zBnvD0CCLf78pGB=#Zvj(_%>CBND{GVYAxkP_hD5^5t
zJRvHEbP8{mJym^j=T{1YgG#%0e*N$ehP3nf|Mo?WP`0}=^78Vp@9(D`pWf<ze1cOY
zEG$e!9knz1(I*F$F!HLZ(<kWYL_5Zu8-=M%A7m3hfBC}2%d4W2GXEZPYITGVPnN@A
z21Y`ecb+QUy}QMpmy3%_n3tDVvspoYlf9PzsaD^}VGZJghYvGr>+7Y?S@-6c);zKD
zK~@~(*!c8AK4V>deayw81dWh3Cyi!FW53Nsa;e)#v9eKPe1iy?ZOpYOJav=3;tV}~
zksvQ`Q2!qx$I{)i77LAw>*W*{&WDF5d&iumTe`b9yc4DtvyLu2AYqac`%0y;L6}oj
zq1@t3f@a^;#kw7;#Y@MxoexDq-q_`1&U}%Pk+Z;=3TO~eh*cR8diLxYdVYSM-i^Kg
z(xpoqQZh1rj;5xjswpk2Pg|P}WiDNsm{}NWIdQ>pXWq`|_a^r|N~hey6y)zk&o2T@
z`#e6r%6)#g!PscR64zV4TDP&W@dcR}bx7mQar)!O=Zq{YhE=&d{`5cxJv>M+7^w^S
z?Tk_+#LLK-v?MEY@-8mhcIJ;=g|}z4j9qd;7g&6K%0O<U+j&gZQua<Kbz(}&@}WbA
zJXCECDF(C1#5qaS(D#&k%tzD&v#1KlwJ@VS%U?uBG7!T5JoWw@|KzXc=H@I)N=nHI
zPxs-K*+DLCll|+txw#hFRyMwF@}8caEQJSm+W*CH&zhc|nORyjOJI9wzZ4!MB}3a`
z_&7Q}vp#+LbZHdNHWo*5_s;b@oe!0xMeUx0(4EmSZW3h!>*_i>D<#zf?zcjys@<(R
z^R4gy+$l#;9MsyIY^bB7^V3fuq-9JhCL*F}$cCrp>oZ2~`m9x0lvP`Xonh?d-rd4`
z5sj`0#+;&&Z+=Kgzct-v6bBGI`6_gKO3Y_%VQ=BlKVv=yW2Ob=)wQuUEOi|G`Xs$V
z3I>H50P%99-3Vruv7p@9wXCO(y>h*+l7dfWXYhZ)a<y)Okto=J`TO0=SyL<L*vClO
zRlaDQa8i19rDx3|!52{*+ifcYNH8Oe?gBgeZ!Mw>VSCNqUm^}SL{|xO`h{EtyM=u2
zCdl3Cq!qIXX1<NAbKj9db0Mm?^#!&$|LEo$)j8_w6{&;t(^ZCKmap5E3$o?+5W+^)
z^Uqar?es>GFnLhPF-cP)1O#&X&z?9ax;MGF`4>m+m~*(=->w-xmvFUyu9~qRq5tRU
zkNzL>v4=Y!hyCS!<>HRiobj+2T{El($ybTw$mf3=UJm$>Pl<x~KRU$h)YnG~3k%X8
za}BJmt%(f&0*#CBLwFE-470lfv)czk_vIaX%Kq@-!ybl9buN<y#9sR?Nj|>df7wQ)
zzd$EcETL>Go>^E@KbU#YkX&#6cY)vb$4oeE`gP}9x9m5Z9CGB53ul)&6U6q9<qeC7
z&>lmUlM6Ovu(p@Sr%#`@)I(xaMg|av^Zwz^q>es4s8seI)PxYKcit~b+Q;)#n_f_T
zeZ6}%KXXVTB|YzkaUs=C+rMZ*Z3?Yhl23q*TSg$PIR)4X@!S<uh_wt+U`OQIT>3|_
zAHjG9V(sm>A`^u|)*kx%+dJ-irF~URO>Ok~S-B@1i+G+ojel$-?SE|qn@9?qZ_m&2
z8Kq4#gIOXAQJKadQ|vlSNhxC)xHBBqSD>1Evg~JQ6p=M<h>@6YsOxAJ1{3Q%Tpy`V
zRlSl#N~;-rLbKieZsXk#`O)9%>bib8qvBs=geM>1t$CF^Ha6ztPsQN$A?7!XUixK3
z#Ik<j&I>3|d%$F~gMrJb9w=5uw$U*<I<4r)$ki6brcUHV!a_oL8`z+km{YI?K0Ty#
z8yXqmOa8sHd4A|VP}|#6hiunm<!IMx5u(9-rQUf{y%Y5GVluqE_C}_rgDhgW-VJjv
zX+9pF$<jxU9>w3(8(Wh~GY?7oP0c8(q4sNMFr!MaP_Mys#NJd;IDM3!KH}n-dBNUT
zz8hDsTETRaU`@mt8X8z2z5k`5tE-#0?)5Sx<jMi+)2%YX!VBlC`F-tG#(xjbn$`qm
z&U<eoZWI(h7>>SjRW~;`Z-D>$VD`37fh{A%B!F*n^v66c8;-)Bq^D0QE*4Kq`jWb!
zOsU2PZ;DJ#P7a&2dwtlz4p%iv#l$ZwGukAV7NWLiazxfkJa(<3C9NRm(qoRze{lhF
z_P^}C&2o1Q`A3l;oght-N`pG~Rx-oP!XjCSkB@K%za9}9dh#?qz1!QCvGP9trxJE6
z$HWI=vBaoMYrro`Ctu@2k!n?yo<5<L8@xbmaNSZRuJx|u6n`q`{ht9WsBBV)x?~!S
zLnPnRBg9s#lZ(3+cggz5`cOEBttF&e*zZlAsh#lbdwU~z>-Fo`Lm>-@Gh&sm1cw*f
zFgw^NefBKs($vwx?=gGB+FLI?3}hSM^IzjFRrC3wDI`|<yP8v*)zbv*bUPj~nwM)6
zxL0Q6MqFYx`V|DJo-vBw;^x?V+6+@f2JmMHw^;TTF`wLZcPiOZb@RbX7K44dHNleW
zx2ReVY&Y8;Co~e<txnMsgt6jCx|@EM{pw4ueSaTAD$QSv_qgs(Ju3TBd@)9)A@O7?
z4aNALe>XV@bEGJxEfw##fsrJf{HvyhMe@My!`ov?r2$cl?{R12-}fU^Sd4^H*iq9J
zxjz;d2m|o=&Zqy%|Ln!rCqK4{*>&b$CK})y`u_5f5E2rK{a9)Xe1iR6$9KlSOULtH
z!6RMr<^Io)Po(UpKJ6@bYl`*tYq7=Ara@}?wKY;U?hbZmE(zS{_^Edz`W&LNcQ6<B
zi!!|689P`lWzL^^fA-S%(U2XZ@PBj0|JOwOe|*uCyI>oeH{A5}I$c8l#4)9UyVdt<
zAO?7K`uX$c(tp4HM<pB%B^~^sg{)WAt;4c+0M+7<Z))<PJ^st^3zCg>m*kDNr58a3
zqkL=1K{!1tODm)m%Ke>-6;O~tPyon2I>$+jknp8vpRR~oF6yR0$;=m5Ep;Bec6}*X
z_O9YWbYGaSA}8P}A^CP)2QKTjZ#BkuIt8`S*6oWOSzdmr8kFiso>owcSY@&&xF|xU
z1uAD;7cZ9fkb1-C>G8VaTaH|gnoqSPVjKGy{b!#iy32=!9_;VS_FZIomzLI^N3j0^
z)x3(Wt#16h29(y)((;gsOLmpt%777%et0J2*n0V+ZV`48l$6@3Z%m2^RbM`T9<N+a
zwuYL;gA`f%0S94jPRl1QIU(^?lBp5PziVwoM12SHnD_nlrMqN#ZBrkhd}iO3l(ntp
zni+l1Lv;vfOKPte$WvOL_PbG1LKzxXa1}7r3&I92Pz}w;kDQ0%zt<)YpeY=jGC$Ht
z0i~sSq@N44=l{iESf8#+1Gs~<nwn}w4QOg}3%>JYTojQ9DbwXyq!46V4d{aW3=}pz
z-}1aed~q+2HRYFGD`FP)!J2@je*eB{M85{vJWw{|LlhK@W*J^Fqw=*woNJhtjb02P
z6ae4N{W`%kXD(<11U@v(`va2lHG}IEu>`1L=J0AE+!#%l3#rxLfR4cN_`}KAzeaFl
zUAU@bsBh^NUWyJ}R?L8M5um{rIm`tg-s`Wtn}tdQ$WV*v7>i#z8=L3&+u$Rq0DB$=
z7=3+dch#;tmP9CvmELBAsx0tvQY{HLnPj%;E67{X?^1tep1UFa;|Z;PSNE@c=vcon
zL-YFeBa)}G4u0jomJZ>}0VM8X3f+J7=V%j8Ky7aYZk6g%VtCm*0B&up#7T=$zkX$g
zBpy5G+du#LZCYB6A?L*-H}D^b-M|?_%6^*>fMauO<zJEm04%ezF9N{0s-Ba4Nrk-n
zc9UaAG7tO+J4rhv9|G0gn;}3sX-_uIK-Z|iJw>e>tJqyMd(RR2ny&@=S~6h)r#tNa
z)UdHHwQz$@45>Nb1M5IN^#GofbdGC^n*#vG)@`$<WPf*LRUUxXi0*--R|A?4h%7gp
zmnT2#08m9nLSj_c*BhX&(&hYA49eslcFo78Fk>yM+0AdRRjDg{H{&?3atjKhP;ubq
zNE(_Bq$gO<=bV7rGRzp|ky~2rVxk{RUTP1V^gyF%^j^K84$C(63uZ<`MF<JpAS5Jk
z(S9fbXo*7}3b`OIY?-N^Zi#Wo!suHWZTqR+K6ACldc5cDjOazDOxFQQ?%Y9F?fOon
zG7=C-b#)}ZptKjNXN0b{ie7^NP*I=RFJ!&CTtH(1f@_DxD=@wB`r<`beICm*K^9@5
z<?o=3Ur2Zo%#s<uX`9A&&MO@tW`tf58p>5DSv|ax9+K~YFPY>mTa5+mE*W@dop~u5
ze3dJV=}86va{I1SOD_I2?I>Kt?l3rhmde5&wHdBA{;8LNK+rJuOvCjkgrU^yM^=Un
zqZs}5-ab?ya1#LjPXQtai0?;ZY_tXtO7blEW+cON*K@*m$TjT(L%ow(X=%3+#C2bc
zMa5w6yGE&Y(16iEzSA0drE(yyC)?;LQgpfX;zdO!QJ&|uHB=5ngBz&!zSPH6^q^Rv
z`jO9sovLb?s%iLZA2ze^&RDeLd^?n8M5Pn59qW4h-u8K7Q(X3lo<FZO__b%+rSS*A
zTr!(u9Hfm;8_yQB1KeHHpMjvtrsHfRgB@iW2{Ef0u)VB+8{iDYD5&wz>(R{TS=JZl
zHOM`DHF67vY(4+u8bY?K4Jk1iLgRX~%k^?Vg)~9IwMt%%2yA`-f`9ZD>_|go-VZI_
z(I6tBq1|^N{n%B2X4^A5(tt<h$#miXO=SvTymkb{{H3M%+IeN_%Gd%^MJqcFw`lUG
z+^-lixeDu6x;~XwNSJZkii<)ip5RP&b1%O8=@Tu&K>!rDs^*hva6!gkQ59Mipb=b)
zTSN3RH;;k19N5BzZaiPX7#bW(=Gm5R^yb3FY;&w?#pv{g<*(0FP`x^v&wou8Nhl#~
zOBx;o|D?}F%laPP8j`3gEn(v2JKb9ZxOpZ-iSld7>lI@F^U140MXVjK7-5l?YE|*(
z&6_YVxj_5S$>a{_ZJ1k|0?YDVB^T-q@*z%mdMkkbJH1C*%CSH~Bjp7ufd*mEyq5M^
zlMiXn@c4@AKq_KBZstSMfV{r|mdWM&{t6+8a>bK)<T+K&6l^wZ!~yg1EpQRSqRV6}
zJQuY9A2v7VX}Y`XKJf80vF%c(lJ}4*2^f2XXY+?OgU|pS2B<)9=k!um=Ub4rV7>rd
z-76_j8VZGbc6rba+&URd?eP3cJbIm%q*M3J{R%B@S=dXVFC>#{;F$~t_oYBl0rr($
z+iiFrDKh-}CFAb11&>*@(Zb|!hCl_4)TS+_5aNG?3Dd>`<=F4v_1-|4Hs@H=nD;`{
zE|ORi`VtRcUlJ_6CP3`4Q%G(VV0$Gb)Okw-uGi%hX#&O_8q)044W$Mm!c*FJ5K1)d
ztJeU}M!8L8z*ZiZ7t+p-%LYqyT6%*HWPlKku-|qW*Ln5JmcSr@C89z!mbnQg|7J)p
z!d)Ovb*TSxnL2UP<kw!{;c0=S<EuvE5Q@=PTq8^t#tQ1x^68-vIH7M#oeV-#8c<Hc
zc6qOjael9j{3Ud$wl>lvoeXQ52HgYeXg!1c!{@<+2YOZJFnsUAZeV2099C>t`?x_Z
zObP(J8)`_|gh9L6UlMBzEvlga*LzNmx6NmcH272kJ;--4o&3InDCH-XErhHVm~tpC
z`50N|hcU4ALgi^!-Gy`Kp!D&wON#v?LK6ZD0><GYmq$SxF<LC5o-yA-_hxghc}F4Y
zbA^#`-4?`2NZlu!K<&Jxe(QbAU=`(A{)fgpIW$%E`{q5>{Nc9+W$yr;?u8l6RYs`2
z0bfpLV;~mTw+O*2eKDYRBE-~{l>H8s2%Z-#5n^V;UWs3ZffU&HFan;f3G&N6fmBG$
z&7@vKar;N2yikEfg9--_a*;x-!*5_~AT-MFb#7_p-Vud%b=oS8CxPI#Uhx(%?o4XN
zUJc(Zd&D~-d-KFwAmAcwN98DCb(oocUj^_vAly3%o*UGyaK@Fq<(Bc1K94qwq5Ebt
zjh}l8&w_6LsE2;h4WR^4)$3%S9I+Sd{R%W4WUMdGH?(#Z@Q@G=(ySgbQiSgcCFKu>
z7-ue?%o}<^On6(fc{0=pSExMdJ%5*s7^#8dv+Fg;+O=o@`azUJW=`!eflx4>O3kQe
z|K#M!OUvVHS`gI{q{}V?C#PUsD9v2_I24eP0u{pTVYmKp_ankI7EeCt3G5I}uyU50
z;dCc6e!v<bk_2vOSI~`lu?yVT$CKjxI9A(^+@&|+P|3`Lin0L%gT(i5-<lwfe9m66
zwI<eb^c5K)oq&Yjhkx8ayI95re*XMfuPO~%dajLWhIj`gAp7*i?1MtPby=8o{`i?Z
zUMFpEBWhiH)a9elUiTKgdOI8XH#W#2?4<4s5C~{xb=y!!-q|u-vltC|`jpeQ>#G!v
z<1&y5eru9T;<2`UMzZvq_ET|Q%sD+&To-g+Ben9b$({<|nT=TCVCCh(pTa<gAeHyo
zCfOBUbm<#u;BS+%sGoORCOrj$MIi||H9lfQzKa*va-TNXFq0uh(Pz5yAw#u?R2s%z
zq_;>6<lFj+Qt2_q#*tSfxAw%6Us3CizUdP=`s!15adB}+$l5m6I2FQP&3|19vf-mi
zdsf_9l;37hd@w5%6{*(9OOIo4FI7F*Rz+qd);5Y6uJq`8`agJpgwyi5MUBGGn4)c6
zZXW`o6cANI5|Nrpg)5X@)3J(Rfzv6!zYX5%#@&1oBKW0HYIx*4`_rNxE;q70UZP=9
zR6it&gof}IHeIjiQhEof#`cAzx4R<oTpmXh7wk*Wv`lkB;>Y=4>A1dWolFI(`@>++
z^u=x_r1NunIpK!rn3*v>^$s{g4j=rWMQiF+eYDeZk9vi4SNS0!uch7kMa57V2iwml
zU#Mj_yf4(N=QyyXdic}Q)6MU{R)?rp9}JCtRnnI)`kB0aQ&l`JE(Kae4$Eh`uUxs3
z*;g0HRJ9E3*cLjqR~3@=c&g?3mtc?UP_A-UuJ|yIRQo?`Ewp2?8d6wS?giF6cD-To
zx3ovnI<@*Ts-`^h43M50URJ)U8nM7;0r_vm2e^-K+XT0OxL(kvK3wup;z5WP10u&R
z(czM4NuiC!4D#C2W>7&^t96e)xOBQpI@o7zy5Ln{qzHdP1lM~KyiM*y8;i|;l3TNs
zD4J3KW^=G_s7cp>hQ8MIsb~wYUa4SF!p8>u{Nocs8%CDpi|viB*~>uTXkPM(cx%wW
z$PA<mniah~X_ssgyRPAEPq4aiHdLqEg8jVXi6c?w%Rf!Y11?*p`!j}Js8C{G`5&rg
z-Ew|L8W?00wOyI7j})R|^cP?Qgz~n0AQ#66GEGT`VFr}qk<s`16zMdJVa7o%5ZVEd
zX~IGTbyHMgpSK=IMah)M`?!8O%prBZ2|uEzG6hlXL>pW4{F~|tldZ9ocz2$3k52;(
ze*xv-2cpFz^<i<GM~uCj?yNH#_xV8NRJfRx(VYz?aXk_fq$X>Nj7UYkT?c33U}`i0
zM0ai2w1_80nCAkfz8Nbk`XXlEmNNwLxQ5$0#h<Vq^-fsZ4YDmE+A#E9)>m7Bp^i+S
zPY>jgw8gNju!Fb0{sSwjG@Ib?xkrpgCp=Y~&kK!d7c=%<eW?9v5HUnXJ)8F$*&*p$
zoM5nCH@w8t^BP$F7l2lH8cW!id>qU&xyUdjb_QJ|i=z=b=q$rITQgt0=xu9bW7E2|
zIsLQoT79338_|&1f{K{k=xuFPf=Xjc96CuW*3`8|Rk^`-+4DT7OajCtNT3U>>Z$qU
zl-20z^dx=Y1huVALn_|(qn|AGU3=4Ve_y5EUW8ePx-mcD^lZw!|AP)xt`Wwv%f^Z^
zl=+z2;H{~-PVo>jA;T<Xz=+Du&<cBQoiAgQaxW(IY52)0`E0E+P%|zyEQf_p&DdyQ
zm?ekFU4#04<6Q&Gg<%rRUf`RUfT&GyRO``?Uqc;fz={yCy9v2lM8Aq&QiVnF+9%2?
z`}tKG6z6XBm6LRI;e7IdJI>4w)(}g!HuEv3aHsrd>+<vS!=lA-TOlF4y~`HcyEK70
zdiW~$MOSVZ8VV!kSB#|Fh)=}zb%p3n9bc#9==@~cHWZjGYcl%dm=WhONW$}hO@u@w
ziN9&VwY4lQKYBzq^|FmKD>1$ll~p17$rXd~B|>It-JBTN-a~}IPmfavBEGigXZzG)
zDiEy{hDENM(ShS{U%?LVrJTx?*j><^1~d^vgH=7(guL`jv|Ss^*4OjS@f)?9zdqsF
z9?H^VC)3{gQ>`*H?l)`%H8-kCf}v(UekHx(kZoVNDoS$uY0N*y+%L~WsnpQdTsT8@
z%;#bH)QR&52^-TmGf?Ed*|>I?t|!<B?@vloAGs(c^=Uk)?}g`Cpk7kaWoUvw=g}3^
z2Iv9vEPblhSW#@*#fob_+^)a2Z^>rTV2?weaR4x;5M~HC9gz-QAi5(Fm%V|J-zIDP
zw3tWlE$it9S^{f9a`IY8Z@zGF#8M2S^Jh3kfbeY7N8<gou<h<e52&4$%J?kdah{Wl
zQshI<En`mE=dz@CtGh#KGv=ao4127M-xlXKHm6}|Xm}iu-s@^rGcz+DZ^F2a&iqPC
zxKjd&Z_T&`f>_vPBlJPokxt@KnOUP2lp1csN(*+kZ|8JP+csC~<*(q^C*4-5m3%U>
z09M3G%%>6i>JwTgm|LBWNn8VC+y<Fcb2F3HbKAJ*8d_7@SFb8^)8<iD)o!Y6rm1u0
z?<A!pNMI2X$WLA!F&uBzB~#8_u@5B*?*M{B5V$F`xo`qvbrNzw0|Jk(YZ28=wq;fa
zTMJr=^+bwF>)Oq^x~jGYu|B%@H34vM(_;VOQTA!0<4i*g<twLYW-^Oh^)P8(*)M^R
zFnO2~Y<^hG23VSQ5&$6=P^Iw@{D(!M(yN6WY0jL&#wtR7Y!izsSnU4hvx>&elv1{;
z1+CFA0WC!Eo;A3{p%HQf5*!r#5cPUhf}bw!Yib|a${#_!<>@9=psVkw4j*M=Vn{Cs
zhlfz|;Z@kW@B$;bC$AQ*AnqedJo7?JIgcLf5{yRoC{>>C6vWv>;1zbZqEsAAv@!w<
zh8Ve`>wEI8Uuv3`{ng@uU@UwsEiLP}Ozx6dW+8J-4@+xpp6rh8h;k;xsey>P^b!>M
zx-m;4D%J^)_rezp)YBzo8s06D1V)IRZ?MN-%d<7)!9}t8paL%))1ZAzO*al`0DFlt
zq`^_CilIul!*#c596y8xHehrRnoefUC#f0*;To$sw@-(h%>lR)DeMP+Ik%)&8qrS`
zy@-`xs*SJL8jstRmM!qSfw;EDSaX_na}vi>C1*i-Lnt&oEp2Iy$xUXs9=~he;;p5u
z&5}Zijs@kVml8_}Wy^iI$j^3-F%Jt9zWRiGEflPwgBmnXJL=WTa+g-1?_|hpNs-u=
z!)N10u1~pWWE)l3k%k$bue=+qw=<37D_A^3-6IF*Qk0{d1GO^eWWFX#Bx;)dE@Jm-
zxza^^_Q-EzFi)}aY1}-O`&2c39!r_(yWwd(at3YS6N6r{!}Wmk5g~~{*3S$l#gPVl
zm4`^l*;QHvabh>OR#m5$qg+a}9Tg<VV|oXb25#p(7%AKG82*`KIxj^A_H+)Lyd^uA
zu&}cT$Nqd@%pLz@!#XkN@%3l%*Ods4!VQ6sVDl8p9|y>V$1n;G_t?*R{53nC&S)oe
zC+bAr%J|f@BAnqslQ;505(8Matkbi_^uNG?3w4+h>GQYEvYr}MVPi7rcbFMXNWc*$
zgdPM2{T2W)F1zq>SgpDF_#&XF<tpX%IiKnYB9^Cn3$W3XZ&KiV7~Dgm3|@;LLy=-f
zcPl6Vl0FutTl0#iAI?!>nPfCI12R0n$Lgj`beGh+W&mk&9AW9zM-ECl58Uxr7=HCt
z)^gB6m;{`?j6Og7#59CqT0fS6WSp^CmX_8eim#}Z;&Y(63ACQB^EW3B&PyUk0rovc
zautE#o=7n%V?cjs-yr9g8r=KZ2Ze!NC}MvHP!NRfGuj?GFmNnN$ny21_jf2}+VuQ%
zlo12Jn*WvAg$38<JsHk}%_M4RGBpEAR9;DpIXSXOEOL*<*2np12asf(sn1>CkOlNL
zD`%P9@6xLaY(@y74Qou3C&hF_h^q?-(>>j{SjU2omq4PD*DDoPR8M|7<^bj9330ID
z>5$f`O0Pa5N_+w+jSGR4dwZL-qJZQUB{r=cViuN?UD~+$3NS+m5qVw&crpFn>TDms
zHeZ^IFh_gN1PuqG$d_kcD@tE#Nl{hhry6`6e!pinp@X*15Q>0!0|SHH#A<(xl(6a7
zrxC!+p0QM*nW2Mt2XT0CP$PXY)nnj}>)7-1vcWPp5dqGiQ;@H3gReWtP4<bW5HKSb
zF7o!;xTp)oled;DEInc+mwPGdWI9KV?yBU~s<*!eKn?<9U%T#GcbdovM}jibl_B<o
zvvQe|WmA`PSA8tR(CUiX8=M+&1Srq4&s_No9y!{FZJ1M5@s&+Vl0+gD2)Z&US@SMg
zG;UlAC?kV0_K<s1P^*E!=@4soMQs2IZ-$)UMETa6wq*o%Blx7&ih$cxg;7l>z@y_o
z-k(AMx#?&b8AF7+E!leTDAn%Ga3puw)PkckO~6b=BD?7-a<bi-1~6wmkjdM>mdgcH
zT3_z>!g!lLxN->k{cf8cf$%A{!mCdW9DTzp#}t<{Wi;`ou0%0TECM8Q#(Q5KX^bss
zyv&Z^OmSZJacb&9UBbTaRy`mo*81U*(@kPig%f)yr{8;k`nre`L$b`)G<+tp*Uzss
z=*;Se^sRZ3MC2IG!ctfEY9=|($8}HjZWmLSh6oT5k*WkhrbrkJ#R;UylDW?saDc8;
zm4G0J0ss`{?E=wcyD!s;6WDZ?jmddCIMs`Z)n6}doXIHbJO|+b@KM{~C>3IJ+g?nK
zkk#t=4dY%C3yA<)*wqx2c};m-1z_=K)}e0W5$V-TUB0MnkvbxA79hWyU8}((g$>{J
zKF#)BbNF&l9;*0iRyS{c<3^|&epSFBIqa9+P*;~8BY_{Drml8R1r`ZoOLMbHB*ozw
zQ6y|WVda-8$*EHRzSMIS#T6-RoxGo>@-`f@$^bispho^QRo8%**J<&o0t!NaQV`*Y
zturK(h^GcA$pXtUEGlYDMD%%8q)<}$Yl@JUEDJVa7L_%&n?t+;j(@?iwG;@vb<ZZ3
zNL8vlKvc$axyJ-pdtI(qnjiyBuSck*OL1_#YP>^8?ZA=HE|uY_GF(*VCCJslmhoA`
zk)!RyH}q(vFyy(wROmF-k`fOG<JMy@>>hm@6?Gap`$>I@zqqYdqmsNS&@M0n^&qe<
zxp@&b<E<rHfkj|W)9g#FL$&W*l!v2PDsYnZ{grmmv!q0&rf)AyZS&gqquRaOc$T~8
z9}yh8@7_6X_2vsgyM$HvOnT!1E)c;&9zNuTDaGs155w^l?O=4cUD<1T;D;ihxLdD>
z96(XXU;yC3Y-W{`!w;-ITQX<_L#bEdln!AWmkhZI=>PzQC(Q15N`c3j<8qk=2#?5F
z<ck--Bhf1&X~_KEAg4Z&Gopj7n+EJZN?xS#h?#e(wTCR^#q(%l1`elJIvNv2u&y=`
zO=z96*)KQzTYaj_qNh|0InLDv2RdECfqhPdBcAU2uFQ{&yi5G8IoU@Jnlvz->Heh$
ztg@Z&1?Xp#6h42hG#q&$oOeir)5-v;SJQbPfwI<ArPn)cN)ps03S1|#?OQhcUB!A=
zaKL))(UR%*Buz>OG|p+$uXsvBylP*JNp;z>@70(oZ=9)-8uob%r&mYfyyW4$k~VUF
z?^(3H@7AMZGFJ2M8TZCdrkPtES)Qj>M_}$uFFC&Q_uok?e*O2xj9yx<rqe4zO$@~e
zh?Uz#z&|15+!IGmzzh8$(9X}zQHi>J5Y*%0QVcoG$mmr_cQ-jH$&miovD-Xp@rm7V
z*gpRDlTj+^t)CL3o!CV&h27e9ZdKSBud6;sTkGxbPSIO{a}ohdrJx+!Hh$FsAwt}h
zfdXJC;Kc~2`r?J$y<04|SSSn=q(|RHGMc`+0+nk<c5R)DV*`cxbS@QN&kPE4L$N$A
zWG_Vmo||{;ezFq7+a$%jjQ-XEtHQ7A_~|1DDJE|NE8nJMOyaEw1;s~y-qjuhWXA%P
zjAfhsG(0kbvnF}LlnU!(B!qf^?E&dkQetA_?aHrcpe)78LAVQr90@?xi7!>9-vHi5
zf}_<4=^AkNr?vYMdO*RfA(CkyOo=ygX?ls?Md45aoE*HPqhlV&v*(FGD=I1rHpJuS
zTjAWf9zaCEk!;}Q=3eJX0<P+a2$a5n-mM6xqP+yqBlN`rfJ(`!;)qYXew;mYXwYSI
z@xHM8%(JJ{2Y`<X{FfYrUKP?_%q(4r(2yoKpCTnJ5C)5zPh%8Zs_1<|03yK0a~$S#
z*9Zob6l!%(o0b0BOEGGDsyd&MlA2nitS=tC@6Xa8-$tkwv_qM=It0ltRcm)RdI@=K
z{FBKR^{-~9f&YR>D^<SAxl#B1dlVS8Z7N+vWMu7ysXt7DP=u8OSt!YKVKk>{kzb6D
zFMG~Jre%?#BrAX$>|fT~#2seBj}Bnk$PEk(tO96;YWewdh0NPF!Yt`(8;9_tN-B3q
zmlUHK&}HP`8CXhv2wyQ`JP#QKpFuId;WkkajNPG7@ttv?P9RJrAS7w1J!VHL-?*Re
z2M7^slG`31sF_~!03CaLS&ZFjFPj3~$Y)dxg1^aWN!*oD(b0acC6y^@Y1YZ4_)UYp
zLp#l!4+Hb^Gr}`t@SjyARtEqlQl`qFZ)kj&{2mB_vvnYIY7@$x)(Jwa{FCPqp4o-%
zTph&wgm-y)XlTgJ5fvNIFrAE*{xe*JSj7t5sdwAFDWFQraB*{EE06biZEdW^-vmC_
zxnIA2sdfAzf*f=O>YV{XyOifs1SX`n1w!Y@YIQ5CBsmhRBMj?y){bH?4-gG`Ato*$
z#ajlk$ZW-HudN3&NfxR!GZ1raF@L9yVT3H|SKNT+<^*f32Iy5urI7A6R}w-cKg+tE
zp|a{A1V{v%M|&>(+@9Dna8$yyvAT0}a~FXTJH5@AM0{PA=|5<Cuno957GF9igII^#
zjF^dnF)v#A*w}u_bX?i#{NQz%*DWCDmnU8#R(l{w#+(gb3&M;ncNqBOOsu{{6#O%_
z%MXE0C$FGz*aa2KCl5ln1n!nH>T&p=CDtAH)CmCs)pxobMUv$QMx+Ty(E=d0D<QDN
zDf_$TN_f<(5a8BUU}pq-L2-D^5Y8!krX$+B{Qdix`8)d8iGt`U&*HBI^*gO(Z^6o5
zft8&@j0dwcvVZOvHX=+iJgjU_#2*&w!Tm6wtH9mWsOJAF533j)3cTq9q}*`$5szg5
zS>{Zze<Z?qc4#Me?|>feO9UgzX`MvE*aP?7{5{`1u;o;4es@88cN84i8Nmn5YtZmP
zK){INIOkYBsMfGc_>e0PiJ{14rv*jU#oa9`_Q<Y)aF<=4p4Z?NbG_j#8li4Wo(Vd@
z0hG3YWYze%4|F?}%nxl>?{q%q;NW-&NoP45qO;2gE{V6)4?sAQ;;@et)sP?uS$<nx
z3bKsXGRqllkCD}_`Ixuo_r8$7qs8oDa?$BY@h2J<mF2UT{a$qzH=ZAIuhDl=H{;+`
zO1&%gAjcq-J4}~Q@pG<$U+jzL8U6E#N*7Xh)zVHo<aG!3A94TQSaF=|;+ZsS>O)^{
zojb;AmBh9GI5tFy1m8sPdPF$W6+qjL(VBJ5q1-YTUnxS7s*JtQx<uarWa4*e4j*c{
zX4?=Y;w9q3UFka?-Pc{Bvwpj6$%4qaBboj^mp?hbSo^MB+02$!jqaZNX&S72slBqe
z5a&oEY0$UR>h65dgE6*zh~)eYc$X8|b+L+&@{Q|G_@JCeZv_`DrLqq>m2j4b{9z8V
z>^+_w_#;XLYcKM3Z-@qOgcx6#Z&=-sBuDM36B)XB!`SlXou0+}Zoc9bgxZVO%S8KS
zhpxA9{4ZByZFnuW0X^a5v$Gf!jf~KrlAN5J>-y#>kcihRlG<g6DNRw8e>T9#KA7ll
z0KJPlPPL3P_d0K^%+@Bg-yo($v)7(#@vLET>#pbiL-w412$Pu|;`1wMnlBINson!~
zIj#53$HhmIRX%P6y@A|%!M!s;ijh6g^{;A{tr?$?D2``aYs9MFlGb(7n)t=E)lZas
z-jDv#@(!sz6U*UpQ!Ogl*k>ZA=6twkJd4*v&SPQas*CbpUy0KHvE}_SY?#sycHPA}
zmz(oK%renyo6~;ev7u%_CCTfm`q<#o079wGzeYiIsAV5~-H3>BOKavzR7{MmvHfQD
zI6g1%kBA%^pYt1jsGJMS&c8YCL{lU+_wC$Z9nbzOf_`^3FFkxG6Y}YgVa1f*Mb?U=
zR!`p(zPTs(5>dQ-Z9M%(MnTf}tDRO9BfH^kHZYUPudif7z7Nd}57q>$@)C8<$oP8a
z8t~%6*-e$+yO7#lv;NS=V<_2`=o9$-R_mUHl!8cuf%NgsDYzC{&;N(H_l|06>-t9H
zvG<0EB47zkiXgpP4qzxENbib*A%tF(t{$<_G)Qksl`e)5S^z~sq(n+U5{gQRln{{;
zAp&;>&v~Ecx!-&5`+Z~FKQ3pCGmvEOz1Cc_&)=N;YSF+bzwb~mo1t(0H|RUTjq~;G
zr)s_*W05<|?1FqY?@jy>z4|kng*qIY6&4n@{O5+>i<yo5Yy1x{&H=hapkuO-sM?n)
zZtqGU<vi02|2PUXEr)X-cFedV<MZx-<6k15?_Mp6+IR1sgSWBUzKv4+p)-hx&GxE@
z;dRbWq-@T}yY_$jd~2}bvfI9ZpI@LtEqt;|?br8)<sNDSZUjEyRd97VdNSee`o9nY
zk3G)4bnkb+n|O_LJ<sm?n~28sQvA=jfk4+df+Z-Ydw99cE!azVZyx!bqp=Y_{E)j=
zr?K{fKh(GMOsvaz`Pnw6?!>mW=l^}Z@rf%{XIuuVe2TJmvD}*+qSfTj8c%qYHal1Q
zR(x8AUufj@ziq|$eO=&BQJdh(FYUKCj?p!G@qh2)-|m8N0seVy$^O~R`<7n~WO28l
z65;&)UGwI^J_%~=MT?6275eRk3{pOZ;H>`Kp$M(EQ7gabj~;9oURQq;b|b|v#Si4!
zE&v;{=kS-zZ;7ou5EA#w{E)*PIZRJr<b%(8fRs$Uuy14FmN&QDKf`M1HfrJ=+H(Fw
z*sH?+cy@Cu?#tQUklQ~*;}4qa*!xCWMbeb!e059fN+e5EW@Txzs?`$vC62chZ-^nZ
zSZ+-JmDSgNUw}i=zt<7588Q6&>y^0k!bH~r=iPkD*SK%;_SOP}YN!PNQgp+~yyR#h
zSd_KLw~x<{W!zqLpGv^qaP2vH+;B*Z^{eR%j2M_`@f%tWncEw=R9x{UV$a6L_5VEL
z@AbA^Q8nM8q>%FU-HB}o_k|3RtEwA;7_bvKWu(MF3NLZwZ#fM;|K@MdI^xK_e-N-Q
zQ!f3}#gt&z4SiB;KcRwAfBnti2u0+7!BdZ2`MVzgv1{vPM17&A;oIZ>KrNs>5Uw7l
z_1`?;^W%SRin#wj-}Cq5-7i4T*YAb=*P5Lqq8!e1z2xHD?)$neush&i#J}z2|NTMk
zJsBde{#>WK4i=6O2<5C8emL8JpZb)UjoT3RdH=aT&L_~F`meQgo!RoZay6KC^Yuom
zeO5q3caoZ0kq$2HC)OgMZf2*<*{t7}yfl_>;KF6qtzfDlkvEqlJZ~zj3kG9j<BQoh
z+r2X|={DMB|9tg{)V->OJ|87JK~x*Q;_AvmeNg$s7r(t}dr{D=tqhuz)kq$5hc8+_
z^5j5B9Tw^T`(krvFgaee9co^miWcu|FT4G1?Xpn4BTZo<_M)I5TMuPMDKT=D1TEM7
zO)~`I<ulM7jlRtCon8Y(-zy@Vd$sJhdxk*79p0DI@=04G-^2;8;q&*YzwCZ2^)5wD
z_Qk`sZz2%(qW_R76wj^sL~xt=HV%n?A~tZC?q38Oi#T-&fzaLgo5cV20hsguI@SM!
z^ZTkO|Ihhx9`pNP93$N#)~%hTecp-R+?gO#duAO%T<(8m+y7Ya+CA15B83Tb*ztSq
zx_tjf4Dr9ajdsg_PUPR^XKe-lY{SasH%tCMZsR`~c<s`E<4n#%q%i$g*Z+UNje3jl
z;ZJ)uif{a1>G@lJ>I*%>cdp4ILfq%?FL^Z{6hWLe<g&;J%?|yarM|w<FlJ4nfd`d;
ztENz;;q6?AdZYhc68}q0x%d3Hobs>p{!Mp|3JkT#6x#d$gQf5M3(;btp6>RlM_vcq
zt>J7V^qm)h-`_}C)7dKnD4gmgac=g*wO~Sgm&Xxa4pk53nES#P%tW}-W>wu<S<6?3
zSoggu`yZZr{@t1<OhS%U{@0ZX*IKe&K$?Gsh;w?IukM%m7t^^+cKYM)v6bJ$6BSD?
zBwV%FdgoaOYgyf)m4YirqFz}V*%u8sMxf_|LKGim5c(EsnM1>{klDUXLo9aSP~D1b
zvfPD<w0FMYA$xw*Filx9QNwA9QTj)k)T~R_$on~PI4)3JtkT-`K2i|%gL1X>r#B@!
z?2Xhf;UQK)5rMaVm>a{;LOERFDeoRE7YMr&t~<B$orkJ1dvIHWdn}DkoE}=8xHXvD
zPd>G~;bpeDc&#Y<m4DOGEr->}v`hGb3#R9unTtnlIQuc7WmMfF$d+g)f<h;8V{~`?
zb>-95h(w+vM~?VK_b%41wkTuCQ50iRkeaLGx7b={ogq_^Qu>~sEBxJ)33{aTSs&Fq
zM}I!1-_oD|fUMvN6w>b!X#0+DocdXe6`+@|RQ8c*^1r6FeNyGBC_Dov^OV?qX09<s
zgFTjf@}|38s+;y;IJ>UTXxedET(_2KXT`QIH4jvda*&ada{q{xaf#UaDlr$RftQVa
z5T5aVsa8Wg&&o*jQ3kO=szyo0lqam9UtJ|b<Ycwg>MEYe4swmT2<KU_|6!uFB(aaR
zJUGEXHqX{9yKb5yRa#H~m1R_J@chzE$@rF3cf1+<)xPy|LHzQKN80GK`i5Nd73EL2
z-Fu_E7+5PxlYErn>sNS%JlhB+(2%Qdf;KiFT{vl05`McV>UP&9;Gkw5fr<rYyl$Lh
zP(jrF$q>Oo$utGCSi^5^qn^SUB2>G99C7txEURjEzOvVG;B-YHow5BTn@Nm}x6N=G
z$s_alyf|rL87=J`lUuufsPq(L5W9GMm$}djL*O%KO~Y#s|A_lzUyivcxZt)da=XZ*
z>7t8VX<rY%ZlDk!1f;RD0@NQ2e*)$kR9iLk+0`XF{xVDA?%lgXK7t4&TK7m(j&u3-
z`C9=<Y~EmTyR@Gm$}?OxR!_FEOh@?=4F9~?<$W(}ePcq;#E(C4Bm3&LW01G%vBVZN
zmL}TSF)zy%gB8{9IxyXTJIk<_xv95z8TS;~yd=J<hl*pecblaaAA6Lc5FuUEL&X*|
zGjYn>?wzw1=hk-IzguB{xq?{cV}g~DHU%@Y@@(vuAgUxAUG?VOi@w>K0o`S4JAD?;
z4n|izHx}WVPMq}E)$f!nS#zf3P~N;AOHS)`cKo+PxHXq6^j*YXqH(cCd9qIg4-5KK
z9eV1fZCF+(U#WOEOjdujK$mM53RgYKejqLMf_UNbktSj#^4o~2&+wTeO#%5j+kP2$
z#(7rO;Ehk}@7T2~N*MKuygU^}P3@9h_AfP`5&)(z(K$LKiUKYi;g8<AYu8FRX7y51
z&TT?DW&Zgw6s{=-St(dOKr$C!;B`oQ+?~=k7LoC7n|_;K|7qaXmmpM6TSi;tVq4XU
zE!rOx<{t}yWvIbf40{}5diXfqRYoy4;~9_MeeD9`N#{@m@5WEtPv5G0f^=xLbZE6Z
zxb0rqC6Tv_fx*#P+nu~3IDC?0D46P~HJ-<lH{ThJK9vc>R9iO7w66mP0U!Eus^U)v
z$sG-ofkUe&FpSl!5#x`$_iA?BIMNi49vd0E#u26+4crQ|(pJquIf?nzvLO$RP)0bU
zw)2wAz74M{Kz0qet`ke`)Gt@V!nXI->1KES$))M(^QWAmq9VU$#}x-XtLK*<L`n}`
z?3$}gQqGBacXbBsH_5g{S!67B8C{QMuS_i>QMM)O=~)b?PCE?4q>%?g{gC`%b^Wf8
zA3=6KRPu%VVr_QA1S3NFl<qcFG6pAGYF+H*5b?xVs*x*0WNE07a2}nc{v>DoE-3NB
zLG^>y&)Ss3uZ^?mrcJlmQ$%IoBoD14Yue&!1855~SVpNv)Uew6_3L|q?%_oQZ9zG0
zL+?q^1&sT=#(kTeAN6ta7MPNxE9~C(v$Uc7;5}hq+AP`(F$@KpfR&)sWi5Pd`ow2+
zl51~w(UKU_Cm>D1RD{bmKS_<YN7FExe#-%;(?g{>J$Rkt&rrK;ahmA+L|DJAP%V!i
zi$m6Z{ZY)@M5tvl+ebZDWk3pkEdI*G^cF9Bw}ot(RgjrG9`xkJS`5K`!ZG1$JAcS8
z>KBnm+$PDxit=ao$o2>g=>W08ekn9YpiiQ^FT1Tu?I?-q76N@-{NB-4%dk5$&oZ6f
zdAYB$z=X1MKu${PWfQ@vD4+WtG(FMk;wHQJQ33rP(^8Gs=FgRQ5UEa0TQ_am6xOfA
zGHW^tJR3CR7BlC8I^op8Y`{?`YFy2#W^2Cjr~AsE*!W(|^i~=x_n@`=>vZmI_lSba
zb-1V-{EqRam6toup4%yI1CEGm1B5p9Mt{EHYMG8#(QhkL9WM{SU^CePE;-9Vz;-OM
zgd8!CSeYI&61dPrVY<Z09&VZmG70Llk9a~TAJ>a^D#EsM+j;s}5`n=ZP2?=`R^R=u
z`&g%<WxPQAo-o-zR8N)US<PkV_2of0%}Em#Py@#Gupjo75QyEN<(j8dr}GY0ym2C1
zvUwf!vdhN><E{H-)0-5=QbKO8S<ZT;vv0V(7P3!~Dwfg$THjxF_TtiH=}dr(y7lYK
zXrexhdZw54tPqfg9BNasOzs`dE%aHMpePDg#|o;u+&LJizM4YtjkJ1t!}#*U7N^<8
zKzr=+!-&R&t$zJ(o6dgEGG>{2fl;nvvT<diTkZ&hsJKn?kts*`D8{0<Q%5~-xk<*;
zj*UyAGC`q&s*W7KNp|__P_!JuWRncJ7$@Uf0yy%uXG3IT!hs&DQK|WnhZ!Qe+x)_=
z{AA$<e*~@8<~K}%Eh2*giUM+hnh<-G;fF)s8e}aCR4elNHpMa7ryGB1s;94>#UWQM
zg&j4XAjz|7I~u-Ef@E$qlmBuGGCBS;$<0P-TMuY<_@aiC+9m_u@OYIH7IJ&20zlvO
zkVz}K&{-Sgu|4xJ0+BFG-{Y9F9uddo3|@@~UTU|l^K4MvDKL`n!H^+iLBA&@$yrz!
zgDoi0#erm`(HVZ*g(7vF7uK98bqqGfYFRBHcvX+?hd0{I<M4;yblZHnR{>cdt~;(}
z^ddM_6I=t-FDujDLF0P3k?j<+8AU)%ka)D`_LMnrnqTXfIJd`<-Ie|&KZ5GW;FzHl
zve1XkF}f7#3tirL6<Z>$*rM|W4ylrzcdeA*YsF3WpW%2b2DocMzO^EcKH#bZ`J@{I
z9~SsK_E7DrCXITit19|k?Vgpt0zglg0a1h1bbk*82xURA+0u6HNE74ip8oM$gW#iS
z2%%88n&h1EXlExe?(lajQaj9aWBZ=RcpNEdHN9_u8(ExM@KL~*b@0d-igT|D?r5N(
zlhTaMz>nj*!ZRI{<*z{oWuyYG);M*>anA+=|1@G1_+S=ZHT*36PTZhwSJ}6vnR7g0
zWG6O#c9GFTO(oD#xNAObGv)Aax5_>|R5(U_;zf#|O7ZaUR7ivV9%7Zm%RU`Q64>y1
zK8-GST?TFAQoi}@OPTl<?3z|K+H{zQ=cg@Cn1M-C!)y(@)NAVq#`-JkgMW!hrFAiH
zx~x9Y3gg$KUT189v3uH$9QTWqURBfYy6NuzeJ`r+3u7%aT0brkP7^Bsop*UFaa?YJ
zftT2s7DlgHy_T=(r>p+bcof#Cvvdl#BH+;4ar^e|)!D$P&GRlaS02CHf)Q5kYe8k4
zb9>~W9K_2FU}~r1=dj1u;_Ldp=V77<@tysizaOT0^gq%fYf}7o+Te3UY5jHt;>Ce~
z#mQ?Q{}TX9IkhTohFBE>00eh#p!(3YH5n67p*g6{8`J8x7q4{P!rF0ZGHP_-!ulVt
z9*67(vMz!@os)&K6;0U&0jv47mCw6ZK5O`=u^=}|8!EPdrkoK-T92W{S69afsp;%~
zdetogBJdKlprrP~j3m2=UtbT_-K1G!AblD@$|6Qcm+U`=K(r_7Z!b0Mp$ZMLsxw6n
z$CjOl8a{E{<Iy2VyM$_v;M13<rosJ~<Q@7M=2|r_WaHT^7%_~vG$h=gZiu=q?Wp=F
zgCAw^&ZGbQO_0YBLoUKQkDA9!S<HisZ>Fe#Oc82XJ?+u%J#u>M>^*LnLvCz8%vuQn
zxNV4?9jwWxSulRj0fZvS5vA5+S!)k@AmCaS2+)Np@X!LbZk^zyAHwT>dTm(g&@Hmt
zE%@t0VRf#sW9!z1%5<F^KlBEX!pjLg5%$uD)}(4=J5Cwg?8FC<>;!84JgiDqdFjx!
zE8QX+A>~vQZ|&Kvy%h}H<E*QtpWKQD#%>MT?cLdZ9G<fsLaBlk#?T4_*VAKqM>=|m
z&8Bp9Wj=iP5FLHc(+U$A5pm<jjSKtt@1GbSPwZVFvu4~^uJ>w&gwzV^*ZzYA(0J`0
zyvhn$J)Hrkcp7vUkHZ}}?LTENMM88e?hek{Y9Be+bmvYlvAW)_t`iQeuMC1Y_xAj;
ztSKdM^Yc1v-z&}G;o&a+kdH#b!cHz2Ifn?-65FDqTV&PMizTeeTQO`p`=%mGNJ!{p
zFFxyo&rJRL-Qsz{sgXl$(ol7Z*hWOCmvEE=K7pzNE|F`Igat;Uq2RtV#O(IZcXy|;
zm=y<Br}XsnZUB_Tf3{6QjLaCSvukK*u!Na&cbq2y$)Mz5C1dg91s;DH=FvE#(H#J6
zEyKS2#YxgrYl8wtXYx%7WK~rQm)WdS6Tu9ai)UHat|b}ImNJ9f#|y`ZTM*1d@7=1$
zR!iA~sDI<zp?PrGaL)$%d`e7AOso}!?ojPQo3MzX;|IVDWYLq7lDa!PPty~t@mO+V
zdqlv>A{}-=Cakge5IIi8l$c!Z>K-^RAtBLKo+mFYEnU!yE-x8POkh+xVdQ605)u;T
z3G#MWmE_<wQ~-H|ioS8<lCG}q=;1`Hs#90m%*>1h;g-5%7{5kv$|@(ucDH@PVfN3N
z0%{tQPa~qEG2}G0s;O5k-ZSqG7LZ6b%gf8cf?AGvn}C4oh{UQBxw*O8@ixARlGRhE
z=jY~9<U5Q=%)GRc;QpZ@J2ZKLL6bXu+NjTQd1)S(MJX^dD<?0sm8-<?6j@gqHS!#C
z@E(p-NP8+$5Ji4;K<rvX$LqVBCmVC?>gqge78VvhV872(la|?WR<2Kw1D-7svFg_t
zdGe=EXE12Q$*<w3dfpwhvnI+mjErPK^|;J)RL3T8<{cI9L@tc+vq;9j+Rb1vV$*l-
z+?hurkvykk#mv%-b-jRXIa327qya{gO{LK&gM+pY=_4c8Mk|1w;WVpF3(cQniYs$m
zZQ55>Rz4`5f(<hI@bs)+1(iW~+Ae-obF>w<&Y-tkW}L2<PfG>^**EAfT|6-T{Y!&#
z;7|8apZ4N#m-ML_*b~8t%zwzC?CQI1u<=)(gK24LI=`HU3gF-;n9SZtg~1mG#7srv
zThOB)Vqv0?@_17Ipey_ilN~>oeY%d#Bk>oclUHm`#^%g}T16=Kax#xdeL*+QN^Por
z$BV0{jqL2wZG#uD7unU>5(j)~huq>VV1u=Qn8h#$N$?hed*v>D87-2@Lq2A%H8Wa4
z%aeA!4ZAf8qoQ{4DY~Cg@tb~%90+0!IAbs|vOe1b{QOuJ??krz5g8SgUr?Z1R8*ww
zKlehi?$-~UPLA-4nHGM$yIURLb1dlGGl0*j<=A8>AA594*L}Zt3a02CnE3YX<AC2#
zk&FC{9=51A-Ct%)0Gt&JaphC;{BvMn0GiG(@7X|ob-kr5s|!mUFhzC3*-ylp*(zoB
z(g6<(AB9_5SrO1(La5F(wSbcZlj`bf3XLX)vaAaZ5=>N7Qpy8uATOT-2dT!M!dF3^
z!sqArD+8ePamI<u0aKr(ZGsm^4+{vGnVH4wWaD~D>`Gt+zA5#IU?Ttsa;B$U2SBk>
z37B}$EkQ<q%))~?tUuST!hAs_5<S)GzQ5Uyccr<om15Ka7W6P~PEJnQB$$*uhjy?Q
zt2VuJ^pc++vAAw!=@6NOrOB)P{Csy}V#3JDDOXEdd;WgN&-+y{Ze_0fvOylK|A*}|
zC_Z_HWpi!dHwME5u7$51*zmgSPd6@2*chp?v9Y_iH@AAa3I>v5yMWgNwd^jzq}x=(
zI^Y3B%IzX6qGg8rt01<EZf`J#zT`BdPCLhS+smyXY^Q<xY^#iKaaDD75t24A5cGj@
z=jcnEOP+DkLLdfH5bNDYBM=A{sPfEA2dZ!1ET}b^azWadH<|1mH8$ob)(lP`TADL2
z20b)Ynb>Z@gfWsSFMBMlB;&E#+V^9xsi>$F5qf-meR~*o-03buUGH*jtuS_76Ii4^
zEr&p$$SWuqV6-c(%VBa&d1YmvC58dh)(Vll8_o)v_E^$rw1Cc;iRSWg219M!GGEOR
zT%D8_ON?$dF7_IYO3h)=dV8IKSYjR@+B<rC&H98ee&x(hpUek>uaTWf^yg>tONIb+
zgD!ao-BHQGJu!s3%F0{R+P+yz?^`|TwDI{Du3kMQQ<YO5^FHQ5SYIC>leCtrkJaMm
z3kU=s%Va#`l{{;H-lV)B4jUhN-onbcDchgi8z3>}46sjm$RMpats67r()?As(Y_;U
zGo+ZlFNUUANjP!@5S49&!j-|$05q9X90guGt3+d*=C~a>YVD5iNl^8g?OA|saUbe1
zuWQ9wT#iJFtiUb-^}?fDx<7pqK|606Sy^UZFQSlGgJLNE@2@u>*l-&xnJg&IMX%9V
zGacp1oM9-PN;6AFLG!@i;e5^vE=!fcz*&8ppn1w+K0eC(_ZPAy%xrupWtPPjR!$f=
z|Jab|=;#9Dljz~bNRCa*O;y=)=fk|$y8~t~Dl0AS?-uCc$P(6q=$Z;TP)xeL(27|6
zg9%*sp_bCy31f|N=V71%3eL_S9F2?4vj@zq4Hx~&znk@h^_5}EmkWhe26rm-OBIp8
zli7CXjCRx!rRx!7(|Ng+cX<m(1Qy?GBT04#<&x1=w`RxC%WdT?)L$^p#ejFW^YAjr
zf%GTva_nDo>K8A%xm~bWwQ;BPpKpahv7K|OwjoeQtjcZT%wf7Pj7uipig;!9u%v1t
z{}AzzfI#oJZ!bWQL0Z)q<lE~vBT>*+Z;;EFZ8iw@9Hb=;SO(91>xiLx!2dt^x{>DN
zkg49uEWL2;wk+kvIEf2BpX+bOw5JO06&4ce{`m3PeSu(e*ej?2vut^^fdLuib8b??
zKThynQ&W>zZzre+GrwxcUr87a^z_I}7+O?+?{%Td(}3#)k4+BPhEPn*(B9s2S#SNZ
ze=NGRdhc{<Ci}xI0|A|+s?@sjI-IPsvND5OuzW82`SUB5INtiseNCmuwjn~Zvu;Bb
z{?)bCPoF-aGy<3;R{PEB%ZUu%+|x=*w=S9yOX$X8kxs8RSnSyV^HGJJd{P$m{<<Da
z_Y2nUG`{-1mOWii-3A`WT!G!P4sH&-0}7+bx`sVnjmw!R=qW&pp#+vb-bbQf+9-Z7
zn2iOSIDTK_*YmWSU$=5REG!n=HBs18J$U+{jklrTRy(q_8Ct`J)}ED4cy;Zo3bV%R
z0|qVM+rQ{Jo*l1)tE#GUEX+KKN?+>EMWX5eaAB}y5of%7bQ#bU!SQ=JFp^xz^B_Wz
zd6}8#vyH~H4s_aqbymX0H#>G+fAwdV3%6UI?NLWh&sV2au(fW4^vK3WEkb#Dn(TQ=
ztLwGk1)P?FbRU|MZvqaN(m1*D!sDI~j@xQ~{b=!_eeCSa0Fc24Y-dT$j}K+bWMp%K
z#F^M;+-=UkMaeeRWDqG%|5EMg?WM|S6=h}r&Uvs+r5}n$ukh&PhgAE?XZjX5HziW#
z<AWVvRrJ;>AWe!(3iZyActZBP`fD6EE#nZ9&2nnnwQE-oDTf2HQcG{U(3Uc3wGaZv
zvyKD7`7FC;i%E8vxqu<It)LRe=gC{G0G5}bO3uDN5p9gK1HWQvfmkPj_CNQcC%$%0
z5Y@F`XMRFCEzf^zzRVNK^}@8}n<MY{!ck;<THTE6&v$hT38^ct96LO4b2w61aK-uh
zL(-J*V&x4qI<LE<(6(q9fWJK-V#NqSY+ux6B5L#5XMor;(Glf1vY@-X)ct&x$>Lv9
z1!K*MtpSC*Z~+H?i-<#O*}h#MuvMU&Ci#i-X_=Xs)Cv!W>viDh^8sMd5~pT`UD4Yg
zg-3(6voJV+{w|eD_5S(&3!47kw&3WNG1a?EU><WxjbmRMdEK5O)n?xAj~xLIDr;e?
zFB7~h)2jn;JYYrC=02Y9`ugLpz^^kn?_L`}{eV>gjo_Nj!G{mGaz3M%*)f566*JX<
zlFzcMulDv)iR5zQ6915#5Ki#==Uzn?2Ld-DLspfcn>@!KpxizB61Y`(x!Lr!y2sbQ
zcHVjR%HOa2bhWc-VHyK0SzrDPg=SJ>X=_kkRoU-Mv!LNAH5jw<5?hJd!C6WHjz}Q%
zm6n#ql;_zz49=mn;cGXay@WQHccz2O??X%!RVTbMd4pH)rO5~A7qE+xOc-F1u&%Df
zN5n8O&Za5ksMvSPlLm|#NBqfv9FBJoQC?n-rnghACF66kT@;FmQV1h|!Qu!$;TpEk
zc04%8YtvbGqm&6k<<eqbIaYo-1vNi;ndFA8^WG%()(Hk;U<w!$6ZzJ<eJg}$C;z(E
zGAx6D<5;u4sK`jlKrzQm``rBc_TdL#K0dy#!FbSBu`?M<BpleXNta*E(0J%!`g$Yc
zbN|DP_mXeqS^s6H>i4l88U&sLqUBl_UPwwh%j(oUg}!;yoH*!T!0{O87Z&oZCBegA
zjv%)5gZfbhx@P4i27^-&dtlV5v%5R%%a<!YzP`>bE_(1ToeFTbz1a+60l0jgR%{rw
zror&YSy%)ChI^TEZ_6j@FWi)uJ{hYMdz0hM5qfP4TDQ0W@4DbUhP8nG@*tE73JU7_
zD$})SX=w>B0+VCR=MSt=oTFc{$plRA1cNwaYG-FRYMz>!3ODOAO>uK`>jfv`WNCZ(
z_{4-VRuy=2BF?m8aV&WrnDGVpp%5){oLx{+5Rh3{`c%VQ5l?=!v-ESZk{Tn31cck%
zNfY@6FqniqUOlv2+}PAa85k&17`*8~eRGaN4_q9LC%`gebp%Osow{AzrAc{h6f(IS
ziwAGNr`X1dNOFV8@@2to-Glxx#n=>FDHBIg1$p_4w7P{EJ?6c{a;%%1S*5k9n_CH(
zRBym(6@Uv3xpB+pyDrt>Z}MpbTl)?8#E0F#KM&`juhKL~3IMOR0L;5(I=sGxvz>1o
zzuwA<R#sJ};yablQ-YWF&A(Ft!V-!XH<jtH@+kn!&>k^`o=+e)vNsQ>O|Hb`nGShH
zA3BDsuOwV)2oqlYMPB`7u<|o{^`;@A8p1e^?FSOJ>keEL@7R5^F{Nw^my~vOG4y2^
z==z_Ga*!0U=ZDhOu;Lg?0uk=1`XJ-Qeez~6qOq52E1*zPE_>NzA3=-(N;f$zzFP?W
z;06SbuHQ$u#y#3}j<dFGP_qu&@RP0!sl8HjBv^Pv=;gJ<LO)DTsFQ5;9fCjukf~iY
z-F$C<0QuF5(gfXe;I%RD{Ay<+-O8%2p*8kG-l=|^lY-gUUPN6k&We`E@h!0;x>CQM
ztGDj9y09am=xXVUk{|{q9><wvT%Y)ilcM@VV|9@ny>BBTfdn4|w(LAo7jEUA1FE|I
z_;(;T=>iwR-uD8e62HHGknw)s?>fKzUXfTGH`LWQQAA2(I1D7()ocX&N!bZC^Osxn
zE?&&Rsh@&+mQ*IFTE1*Y4pgX}J6wHT{qZXiiDf<Ix+hW2LdOwD0RlH?udUr=kRGzK
zxO(vw2Y=)gzLxUnv9#-)H{@E2;Nev=3M&mEKX+qFD!x9NhyILSNJh1^aXf(CYv=X>
zQ$kw!5e>bDy--1HijYR?-rjwIgQ@_?z&_5h6dNb*Wa$c`Jw1)c>g>X_poP9(L6U2P
zGzi(jRLa)Fl1two<@}1A?fYg|Gq4&m)449(z22gJ_%-l=kaL>l33Q}%SW-5uFrnA(
z%{s*P1nDs%Zdap6zgKa4sarZ0{ascyy{W%^z-5fGo*S@U@Ktd?@uk1vegA-o;IIE6
zGseUp9oL0D>u&uA1d~EgjM`~fZ*=B=3n}%v@a6aY0JuRPU3*4o*Z;i`UAaWJtJIIp
z$|ESd6!L%ajUE^FtpBlB^U3uu!vBTX$n{=bE}uDn@LR|Q=Tv>6w>*UA7mRv8m+@4;
z15l?GdUzaRU-~&N5EhQ8kN9s&mx%+_5-|Wk4&U^98)s~wsgzegQzyT2c}4GcMNhb6
z145kpZ}^9gjr(o+NpW2EA&2f;pVeu9{<#hjzJ|PlC+O8lO{Ws?+GL&DXNagjzPP%U
zMGdV=qR*K7?YoGmzxp?E+;I@mwFL5$c{cue0P&LNzX6i{kH8wvp8i|7ks{{b&?&Q7
zmqdP9aA~UHe;)0VNoKgOjLa_Ph&=M=04$gs5P9h6T@H+8_AQSWDXZK9{M{A?ccI85
zYJ-%El3CO4JI|yaWh~561fZmpB@Y>R!~eJp88y717}a+AoAcc)SIB~EI0;-*J@vG^
z&4dHE`+WE3J%Bm4-d#%oW5v0{Pf*C4&wl)NYcLEFy=4K;#ztNwhYG9up?tM4wnezK
z<5hQe_x`r&nogeCnAfjg&vZ=<K~*qcR=<f;moW)Qi<Pw~;p>w}C#}4IQgOFBli!v<
z?20ZFQt?ZQ7PJYzI(aQuTJ%9E4oqNG$?Qz3I$3A|XG}|@`T}G^>qyi2-%yUVbZfop
zj4F)3b0sJk3C{S%XI(^{<l2@EKw!!7gnZX#*na8r=U;rG_WNGY2#*bi3an?d1^^hK
znz{Yn9Vol>tr&7)QBZl!pM^qDgU68}A@u1T4JNhB-2rJt38)Q?IJ#;X%AQ1PA8FEl
z<ppJyb||j*%>)fW)VUcM1U1s<0EMt%l7CIj1=Yzw$>QBrk1XFIkw;oZgb*bqrNs+z
z-fdK#4X@t;KtdhGXM(L1g^MPFe*)S9-~@-<$k7?!2E`jCeYJ}S3=15Ew97$`eW5c>
zF)IG5MBk>i$6J~<mjEjyN{=lmM$rZcpB##Ug6-`;e|Cv}LZ&BQWC^~h+!yvmd5FaX
zzyW(RWfP<@0R(3w<Y#k5bk$WG@`sArtIZb$SCj?$;47K{o@S{stMl{hCUDs{IDT=M
zdLIvE-bm?F?Ajqf@6?)-ilBzhBa?<~o<O2{FwW)9L^?nW44}RhE*ER>5}xtxQBqJf
z66?tx{F*ks3*a%ba_hVP0qj&bV4rvwWZ{sN8-}@wOxR4MZk#ETw_<m*N`$lxL^$N$
zMxpo?lF;})S$(sLVL9EZhSbb~`LiBJlEq798#ez)o8SSI_F)H0H8SsZILis2OE91Z
zs=Fv$A+aY8$)N1}^+Pe890Etz4EUm$bI;v(GvD6JzF0IY&+13tyHWul6Czv<*cL6r
zveiJlhT>v3EBQ>`%Ox$9h2uLA+dHNQ%AW)B(eJa0Z%A)2+ZR$b)eBbaSek9OnQMSy
z-*EAA5C6|7#yHi<;==y$Nk1j9q4i2#LTFi#9uAX3c0N64d`y`(fG$#l;%pj3p@t`8
zg{*Pz-EGRLIo6Ux7694k$4)i%cd2|;oc54WTGhc75_p|``67oa1{mzJtYoBUf#w8z
zMU8|1FvB}kZW!Mc&y^s343N}9D4j0Z_pW|^?CH~u8w|OMiUtQQ+3`?+;9xDx+I~zW
zI7IArlIDjZRSm&6Ijez#vRInEi9-^v5tpm$1aRF)!oK+EGBWTzD_S_Wh{_(G+1`8S
zj!AHB^MFdHouJKony1IMHM~__Y<CK>S)zvuXp=WmH4nc9z6AUO&C8<e5Q01DKfpCN
z!i+A1E)_Be+Fa{kM<vlbb7i<UN*aUNy`4YuwRD0GB9}bv>yEmN+T);SU!-PPeG*pK
z%Co;))hxeQ)VU~Vkf$pSiMr111SS6;K^n=;ra{Tfvhpmn^2Dt)Bo^0wBCmP*Tdv%|
zAy3rpNx{h0kE3lI6nP|NIc5&cVo|3Qiw87b^sT;hb{tGQ8)28{@83B<4SacW%m6BW
zLh)s7`-m2}pZjr3@jnPRBBXKK8WYZOX|7ghU4;Vg3H`3kpqqG@J$+tsfyw=Br<x^_
zIbL66Jd+?7N<Zrb92frXYRH}q8c^XD21=x4<vQWLOecx9G<+?k2az_um_J<P!NmJB
zGs9dq1(2#*DH$S`&=<jMbx%RlTgtaKe0M}KP1K6bW-E??a*^pi=enigdk)p|BZY19
zE+77u>}=b$Ng<}rLZ;h$Q)u=WplzG2pW!aXAd6NL|KtF5z}hkBeoXm@So4nw;IP#%
z$}t+A>lR*<Lsb{7UTf~0NK9=^h|dlAF3W6Pc-uoo6C0hj{sC|iN=UDeJPx@S%ckcf
zY9P#<^L=}N<t1-Oji%l=k*Ts(q4+}a+)qwV7tk1j*bhrpdiVYXy9fc58d3>KG=te5
zRf5Q)o-xnL-oPP&1wi3}^p5TGJ#g>b7p3^OQ&7@YfReTd*EVun(;^<3s{5mWqkdT{
z{R-g&ycr@Bpsia8%Yc6=za&zFRJeT{3ap&_=(;;P`a=bt)<3gkz4$mj-wAjB%BOvr
z9lRDb)?3$EiEynH=GZWb`Lgqe%L<&YYD0zJkZT}06|`c_$cNCmrP>fbljJb`z9S|K
za}#zA`;XB<C|K7rSylTstI09!Mz0c-fXX&@{x(w!PPF&2Vjaf%^q8+35W3CFESgrA
zBJmn}R3@|Af4r$I{>Ihk4&bPMwiY}%b$V*y%ai~*DT-Yi(z(gPrY)cG$hCUC#}T)5
z`huRWPEWfc2i!KjI6Tc1Ms9SC>%L&J@9T-q=B>TX7L1RIQC`Xh_=5g(FzIzsw77xb
zziPT_4?pkKLQ1mi<9a=-2kpK&=UHGQ`fk16cyLObYg^sR9`$9v5I^l9iS$+VyPukS
z4WXGtr)zGzB)X5m4u%Z06{wM|4eqJzuQ1ThdQcR_u`LdI+B{*C7v;P>%lolEIdBlS
zs#C_hQe4M!kd>YLu{dAQ-6Tl%5P^8k5#y3v+w4?gHs<Dg>ri6>8q}C@s_JmFV5KHg
zl^k%vMCK}BG-9N4ns~YngnhYOyfC9bP4bZixEg@2R^fCmq6Q4PY~mvy!o!dCt~3DD
z2aJl=5GzELZr2kz{-iqz6bab+_p>!Z<XQgHjZeXIv75E@0a_}ea2j(#t0#J>O_9=k
zXZK8b2bnXtbFK2j->*CKZsWll`1a!#ODl?nQR`WKZa!18;`|RbhC|sKk+L4*v^Nss
z-VJ4|HwPFsKIPSfi?~cpC)ViLcFJyNClgZ%>W@1dfG2BurU?^;H^p_z22F6${f%(W
z2a`U)aS>2oWn>*zH*enDR74QOFzQNzYdOvq1zvd2_^G(CJm0I=g%=Qf=_8M97pC2r
zi9Mj^1)4mft-KlTI3%+QJJ{KM6|I7|eA_o=FvN0Gqiy=ru&js2i=g`<N)Yu*Syv>@
z_4P6G><@}VR2HiDJ_YJY(XFMZ&0iG<hn+VIJhj>(i3zttxOVf*IxhtCf$|Q-Aqxhu
zlb)j+v^H<rq|S6qHE8sx5iTHG%K4U6Dw7!&1H;ggBbBV>NdHiAT7-iNglgnC$KZg4
zDI_ptYD{CPWPo`93WssE>Nas>=xAe?YWoh-1v_Mh`FoD$P!#SzIo|Tfs+9Dmt$zxl
z$6T;b<F{<Tabxr5A7>Q<vPQpa?ku>B$&7AG5w56RJ9hLd3NXCFPYpnIfdvY{z!D=6
zpH;Ym2FLB#qvPP25wGwB6U@ccc{MwVl9t?6liIH70?tA~%ooZ>25~ysLzb8j`-t&Z
zJ?i{nUwXS_CEzxEIAt)-JMVn{AyYW|^HKPC5rB#{y2O<g#L5Bjl?Jei>O(F?lFc4g
zCTf&+sU54fomPPQ&1E@hPeo?jc#%I<kFu^l*ftO54IEg%HqY5B7{(U>q<s4L@uL{7
z%x&n*_7k7Hd#Hd2LT4lU#ow;vH=Q`UCn6xNmrK)-@zqt|$t&28Hy}Q%V`8?lHy{;2
zu2*;lzjAx2G>?pooPe4~3&|{40fjpOC|)NSm3gk5pkpz}=4w~#3Zu(}D8CC63#ugm
zuv`JBH&Zd{zH@uul_H5sj~wN}%XJ9>wwKk@>)w;#{YPSTa>-f%bb5}io2s+hG`b}6
zXfTgu*{kZ4HRfU3wdhbIgAhO82F>y+a-<&hm(Qf21t!!Bso&++EaCW+A_wrQyUA)M
zUmR~TaNcI74j<b>Pww2YBQUs@I&2zkCK<1CEbm%`#TV0Pf#xI}ve_TQ(5SGAY)PuJ
zSxCtGpwlmDXgqEP$bn73_5inhH`(F%@gFRJ;J&4PCFKE01&WpZm@!rYuvBufM<#rU
z)oISvHaOSss&3*1*&xtna&lH!k#J%GK~a1hz@cUpiKI5%%H-*4*>DtY3ZTDr2b*Su
zfq_?!>&9iM6Q!)ijcI>fx#?v(+-=F$*Qb0SExV8zj(_@IX9}XM`r}1I#)>Da<>v1-
z;$`?6NUMLaY8mebGmE+DDMFWwPs!4Mbra|gIIgCdz3}y~J~lWVLoQM(C8#Lr;o)y1
zOKnB5cBZPQ*rS1#cYMp62dNgzCU`8(+q3ODMY1e6W`9H7SH5-jN}SwfD|597FBZ8W
z@Y0$QRYi4qR}*}l7CyCUVRkpT=UP3xaRWSSr^Ub(oUA@C26rd`IY4*b8C*7)-v)lC
ze50POD%9SD)yP&hK{Sp4aD0ArQcsUmkZ{!SUC?Cns&036U+VQBk1YufeB(B*thJWZ
zuyAvHkt|&;qms^MqfrJ<Y@Nf8hJQLy=<lx@pNtI-$o~|pll?GIUBEbY=ZgX%Uj<IM
z!%zY;x)!3l9wRrNbteIwv@zi!#9pT;(#fJ>;ZIVNiWP1YEr0p^`Ey9j9PeO}(~*Wu
z3aZ9Ga45w5^46b#%34p$W?|CP+A6&&t>vwJ!mEAn19E!A`Svd7lQTrk+&sRi1?=uS
zpD&VU&yi<+c^#B9MEsvuEjXIuD?aGS-N7ejQKAd<tA-aK_yjHP`m}(37=jsya*&UX
zSDp$hPRtu{wL?{1G|EoR6+7?#$ix3*+h5sZkOE2A%Zbd#9_qTMJ+=3ed9HPln3~mm
zSz^a!H?3G*o{QZ|?eF!PJlLv1`L*5Ux8mq(j9Qs_(%@|FgBZsL16@v?=~VUZw=O@#
z-ON_%c^o94J~hW|7M$O)W5?9+z^$INr`<^q|GYYNy1(eVpA{yZ*t2rxa&u>gVwB%C
z6$^|4kHfX1)LDte9;$AnG#JpzsY=hvKqtxg>empbuzo)E@r6iPx>1kgNLNqRYNV5i
zybg`BCZ3tO6LCufPhzTy&*U<=7ub14T${K)Ze(B$>W|Us@~(jhwjyEvuPZ-`t<b^v
z99;V5{y%ggDR!-Z^fw}vh!q*~Hi$Vr=q<BsOQU1+4{f(~Z=z-8Zz#+P1LT`T4-3-j
z33hAAiMYoQNw}ewypBtUygE#3Ovp6k3IgopP%|zTfV<FW(X{>Exn|1N!SRU=%#X&e
zJi2+h4r_Lh0Q;OcSqXqR0I#KT+<r%lqZagAfD+?Jb(NXBX;l=^Xk!y8>SE|lOZFkw
z@Mas0;1PChAz=tGjf)VP17rA*hAjOw4d<XCNITz|&#9>rOtt_3cH_u&E1NfEK&?|K
z=1_Y&vUzB+cIZjVC_l7A<Vrif0qj4Hs!A3^eQ-?UkL%{v?6{efGvv8kLj3-I-EW7)
zns2nNhpK`pPxO`vqXGVZmSYKxDe<o0fYADno8ob8OT?aF8NhsIe~5>?hW*}5aK8}s
zot}60w4O4{^dkkBf52tqb~)kS;3-{#K8|vM13J@v5nb(-{aVww$m$X2O|V)aGdGz6
z-9pwR&b8PtLNUrMMmC8e6vb(57!os?Kscdl0gGSHTK)oE)=4=Ney)kn(b`BKCqh&a
z!2x&2#T4L=c2bQS(&&+pVIA<rN;;mvjo^q@g#@$3T8*it9wBtMrIqOI$H?Z3l}iQi
zJqt`-BC=VaM_vR>L~*(W->5!puea9~aJlhiEj(SZl=vRwt3SUdB6SPw1RV4p0~n=s
z4q&07@9uHj8F3Fur7I6MxSKLFgHgSZV7S<+4Y*yydA&D^Q2}?3-t3&M0c2xA5@V5r
zYpiytNhH&ADU(HJ$rYx6zQ1$y6X09qg#kI6MYLvoMxlnbLoAL=%@~^o_@!8Z^WsSq
zj*fBDh#tNfuxEn`aK~6-aA`HE)=0Rr%GDDBz_{eRC0nf0UY6oP&5i@O9wF2ZS8S`X
z3B5a3@#mi;-^wNi;4h!f%}iNO_bgGpY`GzvtYxmAE-(YjTgFq3bjn^R&0+yu&$Kr(
zEicN0L?2eHJ+-5uPN|L4gu=ZSlA&;-;;H%V-*?R4&ZRUI6}73*k`kvs&2x(;`H%*>
zC_=@4X;jNPO0<pLMU&mPPFuZjj`Lt>&=v|VN_@NgmTnBSmq!>9{h&_U@TOG9nNtXa
z6noWp4gDByuAV-0Y`o4KQwIRkp{F|8(iwkzUUg!w+#L}Ce>Nm7zej?;AlX>kbK~mU
zDov>X9t%w$!Cmb*N1l5dZIO*PBhMd{xYAR&Q|8r^m-buT-Uk?k^9^5jGPl^rGxT}u
zS1IRvhXO)*k8S?AD?%F={Sse&V<-QeW0&^dcyrh%R6KL=-E_YHbo4Kw*wp-q;^Gw>
z|GMMKuTD-j({KF{&C6Pvi!u1)#x4xt5`YZnR<Fi4*CaPzi@T2R)37VM(V?;V?Dt+6
z%&4GS722^5VeiQ?Pn`1m)`rJ~#3ojsp3rRHx#ur?l~~J0d2_v|p!6ZL1JFkMPpmbv
zhH{UlRA1^m2=x|lWVym>SQ>MKtHfKcrcXkCa9{jdw{88cdZpgP=4<j!_`YFi3rQf;
zSBC-W?Ro6PdPKcBr+NUX)@^s{PmQd2jVoBrkgL3=AGyc}ywf~rGe?IwZ!2?oKiHI^
zQJW2j(6!fQ-B5yV9+~8};v;-~LC%o>`)hAv|4qQLn)JCWG!&@@53>DIy$;@FhKP<6
z+m%*QU{h<aC6vlcc&@~L)i<SsV#_49o<?oB5_6=)MV@^fH4wvBSNRLizu`3>u2#wR
z5Odjr-p?kn>b?)wNhvE=v7mlY@*T>%p{2jya46gA=)ezn>K37Z;b%v;$m>uI9;mC-
zu<Cr<mv^IdYgi#xdB(v;dB*&FM~<kz`-VVV61dGN4@ePL1y1Q31GtNz;Euj|-bX*S
zt<hyfMXRXRT5c!3uPm`RME(2Vs<qMmtldiVl`5mWzhM8-7yRSvToDM_6#-ee3!<yl
z72$oRQw%4sTP3!m!4~yO?sT1a9xXt_JkPk+Se)C=`1rLcz#F~4b~*rA^rQ?jyE~NW
z!LS+skkfN5qn?a#Ziy=0PD#{eC?qU6vQr9M0*2@*ym7KnwDf~~=<}mn`~`h<jpUQn
zfG)SCb|~l=J-<|8)48*~l3+S;8+=~-Qgc-tPqehdegO>Ll!&4_({I`FghdzJMkrFI
zQK;UqD>uc12PSG2rv08@;(0pfo@eZz)$zToy`qLg8vr@;r0otFJQ@38BQ8pJDbcIA
zq^@q&?Wffi#2K$ON{1%mwJ4Y7cA_4g*WNxTuSAz@bHv}jdsI;gc7i_gRf+B|STsNA
zmS=pj1eh!t$*?TD0r0>RCa0o_<-0B@C$u?+Opr82`$tOrIebsTmFrN)Qv%L)ZbPx)
zik&z~@E~_Po=zNXuT04T)c>M(PqayUWzeH@o%4x$WBcg+y|4OQh*_GC?vV9y3s#qt
zAu*%MuVTFOxB_bFS=KV(&Fv)PHPqX$uVUf%Q|JO#@TE@MNw)o-4awput}WM28=yYC
z!@@K8>HW2u;oKyNJin8}UsI|Ljh<N~^r<`n<h2@Zdbs3BsO40=Zocu!&BE0w+uYUR
z?M-mnj_o)A8!M+>N3X6<FATEgSu8u@?NsPbi3WE50>x%4q}oRcg>nVYqW~W^Js*4y
zqT8=TwCE(^bU-c~Q96W~n|n57>M!^eWW_+hfeBIpTN~|&?~8>7C2%WMp?|0a=L!4o
z_^C_Wn7<kDXKs<}hoFtZUp_fVIh|~0CC<J3-jz?h8(s&a9yw8UaI6(A)ZM%pMIdrC
zt*}eQ*++KEooMqAzXe#tx*x;v<d+%t<-H$j#K&v@Ozz!q_A`lPXL9#8y2xYeozDqg
zu9{|My_&Pv;zZ;7*Yl9&+A9q}K?Q-}mt`@{PR0t0#eUdcRBOET;|_RL7D)0~N|`Q0
zkaX||s`D~u-8CA?Z7Y_z6fZGBHT!k_jX&p$i;H(LgQ~MG<2<=-ccH3UqXOhQ9GhXB
zHa4S9MUVmMC5=MklSJqTIEHb$QFHf=lwMd8HqWaX)%o1A$wDe6rcCCR-WyZOR=opl
zKb~d@f92yoT>WQV6y<P}P$NAwYZ_9&=b6imaA;Qw*gPR`*NMxvSB4`8lG+^InjP_2
zSiT%{xfV2NAWzupvs+Ra{she0i<;_NZ>i6}n;q(lrv&x6_}W#yWCh>)rC6K!Yr}lW
zldQQN+VuV*RFbznK!f~4pwb%&!d9*|jzaC$FEe#gPiM9QGg<uXlVUD6O?@eLk*~(!
z21vG?ksd0;K|`XDJ9BQ?C|d+0J&4&`dX(uG<&-56Qe;A3-Jy78`ogC=wI744`q@T{
zV)TCU&xnS_lMQPVKk#F6s2_uFqM*|{HDYx}H=!VHF?sC@y3*PfxH}$l+wTL0;tN{?
zR$0xbNL%COx+=kid;)-2F_7P@%w_I^5Hq2eL*0ro62O%Psa{IVp!C$HufV!hw}r@`
ze4UDBK<~9QDlNo5JZTV?4GlJg$V|MP0k5ez_x;902N5?!+bhY}@O`<b6I=6u%F#ec
za<KnRr~3Dw1K$9A2sj`Pq8Iw<#E29xfg{WuUSP2pBd$U?&7YnN<#X3ZX7oDW3NF1G
zj#KdJ%1vk!@juhKenvn4E8#-db;vK}W(ndh3iTe_dB=YCPX@HU9=v<>aaK!G#n$Hi
zIA2ti^+Un+AXrsk7jAcSbmSrjj%q&ls%gYrJrpV$sSCZP?Mg)XbaIJKp+NXnVCX{|
z?H6t_SBFsi`{<eixU7(w+7O>O!?%lnt(mI?K~UcfXZNJc4Gw|%6OiBzKMyhf!1SA1
zsN;mZKG#glnn=odrQ0&>Kjmn^f_4)D5CI!sudHfhEN3N-f4l~sj?xqI(&>bh1QS)`
zeaVQJk3T!yA`@cJ`Pj=9Y1pLc8zol5Qn0*HoddvvhBu8dxVRC|O5f_{3pInze&DOP
zK1T;0TJEi3*)f^SkY}bL4N|}EAKmh_`C7S;kI%9T1fkx0HbkGS%IksX&faa$hPuaP
z^2u$sqT`U3!jP|>UR5eSvE>e5o|l?7hY=m|O_+$5%g$H()?c{7qpY<q!3K^iulXr!
zFr-C^#Q@H5z|B>X@1;f@Zx{Z}{!>*gN`4_=Qfx)Imf!?q%ie;?66a1QoSvC#2EqDx
zMMl>E!rgf|S2U^`_D|-hfJ8mVk4i+jEq8VfvM<kM&%}_%V>YJF=%>4Sw=bI;-4_py
za599;20*AVLNSY`dp4Z9f2E?M-2n?M2`SE8<Y<bQN|6SJ(K$Z^xdyxUj(7t={_sIX
zVmFJ$()gTGeYq1qKJ(bSGhmhEQDu!QYgQr-Df#7t<<$9r!g);#O-_PF^DRj25_mf-
zf{w`$-0cf~M|!k^Bm}1-Tken^dMw_CzgCf0L9LRhN8T9O+X4b$c2L7Q&v-?k+Txf(
z@S9ta(DMPFM50H1K!_{}g84zI9jCws6{LDKJaXMZ08>^JQTL3>_sI+At4t3gv8+H9
zp903Y4^r-rN(Sjlo=M6qxBWKTUMT=ow0Vf+wL5Q*Op&!9?coLz%S>UHvR0y9{Q4D8
zhN0g`Ltj$@7D;Z@?9SW+_a1u)nBKo~Gny5gnWaC-E}@m)M>6#JdBeVxO6>^gZ5%#0
zb2B0;%2v6fP0L06py;-Xb_;73HXQp4T#M*WpQZ?<gMeQ2NArY{dWQ7jtlGdG(DJOA
z3JPG};tBH;Y#h}Rt!f===S6TIVFtb9=Lf~20I|jku<!D0!97<*+XL3zKZN5Mo-p2~
zTb0-BbfP1?eo3R6I@y?_6PCHfj*jYag)8TW54>s_8LBoOlq_Kq(pl!8`;wJQRGcYF
z9XBI-owlC|5WZZ(ciF3^livHS0$knCq}5f>NFhMSQ=jMxp<HX0<JrAF{X`+-Jmav%
zuR9P$%>k<?P~=<8I)#p@AjBGTp3%kga?2UH#!R$!LJ{8u<Tl{Y#%CVCKin<`s_U?*
zS)Or%2cQs+{=RAU0k9%kaGcLP4uyesTKhS^b_M6x-;O8exB5M6jyU`ldTh<6bN<-X
zxTbm$WBA_!j<2+qTzz3K&VS`k1VRR0xW@UC6w@2z^TLF0JJzG!<|GP;Er)_9gdWoT
z{nEySgPxVv><rCt*T-d-JL@>tdfoo}S||7@Kq#hCIi~rSU3=x~d83ESd_-vFTMZ5{
z2L?Z^N<u=T<ioYoe#&(9%+h0`LzmYfyx7rP=Q*Dv640?aD6q38LNR^cQrNgHsM{Nd
zOPh*SB~j^hi}W3v+PDA8Tmxk!=!e&^a>4PI^O#yWx@AG;FJSTCZ~JX^Bb5&%eCib)
z_e2T2><tj)i=C^NEmumNU-#h}mBUdYRV~Zdzuo$|LAO$ZE^nzQxV2jQ6Ktye*zM&J
zQ8N1!?S9j6c5;=jE4Wi|!G|WlOAoS5wPk6>T&|7RbHqNUOfQ9cfl@!l#t#;NTJ2S$
z%j+&Zt5^j1$gb7%n_x@!!4;;RT{!Ej>AJDaG+$EId7lr6?fRn9>^TiTp!7|qMqKl?
zmA6VP(Xh=3spQ{oX!B$lW2+|q^F-{T8mdI+aPbWF0mChRPMtPrJUm}fbS&W4Lu0k`
zc|Xtv$YsmUNz<ITU6_y?IEOvNzANl7;XdDLJ{4nn^@q;xTSd6JuZj-*@p*D%^Alq7
z9Yn`Qo){_kDg1WukNZf%#<Sn|GM6L42=CN_6?C26!HGCOzVyM>Waxg4*4<{Zb9=VP
zQ!C+d!GPtLS(jhwM(rPsqSf-@+I6T7?5h1GOq8m6+Rd64evMRWov>j@b%yRwyI1Nv
zELBvD=w0Y##n^9`weLFYB`&7$)d_bjFmS<2XK6&*$}ludEb$WSWIGxky{)W4(|h8S
zhxi`K8(7qt3Vw*)H}6B8ykE3?oaK~Jt3ReH?UOCFBN{wT)+cc&!a8!T#W)`mXb0{+
zy^Ax|orrmQnXBE$GI6Kr*wd`*3tndo_f)Bw3|XR*1sSn(&te()-Z)fMrj|e)ii(cz
zrOjGS$ClZ3?k?18pBT(8Rft~7n`eY(y~Ej-)+*%FqG)LP9wN!0^Sm6@*6BL6sP$Rw
zt-46`MM|=@Anm4UXOO9uuWLw>h*$SS$l!z(c3D|`Jl{A7gH#jDYodk^r56bG5w+U)
zLl)$W_1bGeWydg&Twi(LQ>)W5d{AZ7k<B`fb2a2Dv&o&fKFlj9VaAm;P*NK2GL&6<
z%sMdd=cQEj9Vq`c{?)4~p1fT5{8-2Z7-wkQX;##B5v9wuG0fwEe>9~oWZ&=)LCwjF
zjpdf91nNpyhHl}h(q)Z{DGhrmyF<MmmR5e6u+00GW1O15DV=x!aG6m@1lb^KiHI~A
z^3}XOzDcb2#?WCU1DI2U*t@1W_D^1tv)1!JLs4laiYCcXbH921$cjI3&ztWsZ-Tnq
z`XEMGt$Nl(Yp;3wyy2riG)0qA6TQ9nVN<(5NqOGG+U0dDJd3=I<ipdg7>mP?diL?<
zcU|;U>%<XgMIuLw{P<@ShhCIEA8R%a65hx3$PB{FsjfrR|M6CE5xB4ZEfuR`o4|8F
z3u9vAC%ZCU?A5B*e^g}G9zV)A?IUqQy<Y=We13gLQvKEE1K%lPbI-r!<=R+bWn!c2
z9o=qoe!gCjA=FZ9o7un4<nDxjP_fVYyoXEjiL?J#ZQmW&RJN`i8!93eKq-R5NR_Gx
zNEZbpARt{p1VlQ4VQ506s7FwwXpo|mU<_S|KnMy17*QCchfXLnMhPt-0s#|3?%HAI
zoH=vOJ@=mbop1laFC=^K)z^C7=Xuw=!0fS)M}@N_K6o#F{g%-BO@_p{Bej~ZYM4qy
zg$+f}@Yu+3k;Tk7Lbyp}$eq&{64F(@GeWAdh=lDQc$1vHLL-vgGo&Xn*0psnzZiS=
z?wh$0$o?lz_93TpFzBzJNKmXcj}OmD7~J9feAd6WI$?Xwr|wq>)2g1Kn@8q9^Q};9
z<uV#%NuRB~wRn}3L<(u2hTpp*je8mBy9u5YsSD)nuAJ#ZldkXt0Ee-2)*hq$3TAmy
zEm54I09Do2(Yj}*+zj={c@5pJW?{7Q!%ZVET3$Zlq8nX@8F_%P+kA=55cWQi+g5v>
zn{~{Jf1%9wj7ViCgH$@3|2fD>T3~!$rlFL1(okLAckp3Jxl(P{=z=kx*!+QZIpiCo
zq<`rlZG9!Nhsj5YsG~g`iV?Ns&n>qMrF+$ho-nLBC;j4agKA_hDDt)~<5757$ME*F
zB0TV9tw>}IO{DU4`0#R6!ksGhvU(e5J)4B>osMDB*Ve43{pz`>(R0lXb8~QbOuEe4
zF0w9yCTbUQx5P6|!r2d@hd`iB@KLz5x}mP6S6G*m+`<<HI`<Gw-M#)oheyht%4PZ|
zHfG2K7gkrfSSm-^^-8WFZTFjt3>Z%e>u|bq1w^yLfIoquieR8Ee>Sm91}{=>J#_@$
zs5B!4*E3CHqOb>syxomSkx9-e!PX@mmSpwplgmaWxqkeekz@YMXzcXY)lW$Uz_h#4
zE8kc864z~_S;X+m9`sWQ^Uo$wzQbd^b%yJ)ipcu5E<{nw>&X}1Wj$F4Et?mea{SIF
zF;!S5f9E+-pI6;&tR#BbV@?-5$eFsPs;?>z>4I&cr&DUrU}T!IiaKtp$7^2Kt3GC;
zvuLJsob=|lTVPIYoXE6aTk;|zPuC37VSq@HX!-Rv*Qki^FIS~b_K|<tY+EUNd<v{K
z`}S<THV3$Dy)G-G>6tJR*ET`vxgZEAbP-y?W50d81J-}1?BE!{2z);Q$cc>S;O8cP
z4pL~!1{NzisH@C+mCGPjBIgnQ61DsScux7n7Ogc0HvI)T09(<HI%Y&2yO+4fS7v6c
z+7Z0M^B5<2Pea8Fr|h;Hx_|&w)1vBrxDO49EpnkLQ8sPD7Fgk)aJE`%+pUr|-v*(b
zKdDn0SKlg!)W7hy`3>tI{i>l&A5LRzbm~z%cfzv6x0WT(VL+8R0nSa3J6j2a9N7!d
zQ0%=25YY_Fe8cu9IOhR7dC`PXj%5RiVl{q(Y2kJHsYp&R8*p12!2qo1>@E3bA{d7h
zG?Q1(zo#n~u@*2XJ99QrGFHVa<l}{-W-d|JX5DR0p}`J+@YX6%V5&$185-J*c>us)
zj|nCq>efsF9TB?7!U;(N2`D31%>L^&WMSEPoSTurvd~sD7=Qo`CyzXg>7ATBo(&Fr
z+%ds)Mr{sW)BTmmzG$=;G{sL^Ix5bg8o1p;mK|Ok9G4l41Dp7sf<jzmGMRxuhIqWT
z$x9uxs9*Dfh^xdNY_;jAOz{wbRy?G|#~gx>iWj>d4qd3A2p6kNOuCUnoM@<knn?SZ
zF^^^`O);4AK6CV7RbP-SaZPxvvQyN};1rrO$GbMjg0+-wCK%^3zqrV5daB~p(D~@n
z2Qj#pB+Z^*exZii7V2t0x+yKGqu`U#wcpln;F~S7;iu$MTPm?wlfpv!i!26O^P_Up
z@ZF5aE2JWf>lx=j#!Wzk&&~wpPj1+u(?cppH0%4<=s14mXPJvzeFz86wwv=3ycbu7
z!rS)p<awaVAFo6s8*Hgv9arUih-pG4)?ODeUFR$_BZ{#*2#qSX(WTe{)!F&<C#Lh0
zu1xx9gWt<;Fs<~iT<Tj{0?0CKZ9L#zicF!@dF#dMHCkV7d0}gsAiN_Ss?`n)B0aUg
zc>45E(u31A7QtCHDl1KQ=pJNxk?_f6<65x2TizCsXyS6#7PmUeP$myF8{JX@&C?cB
zL$F3UyCp<T=Nl&ob$rY?37zXHdMM54z*$hrW5c!M`x`?YkJ@9+_Fu)skdU-v3UW28
zatpj~t>pO;5RzK{I7!LZ43|o`*?*BNDVoBj6w8bywreY!u`(AJu#O!2K9?&9CfsnF
z&wK;dY;7B1t$^NIWvgULi@}=f?4G+d#gk7zUPT*t(280Sov?#t9+zLgwRm(xN2h`I
zc3<^MoAl=Ty5aGwn{P^So4EKIMDT?~{v%(H0_s+|rrZ`kfi|5FE<PPWF1J^m|A9v|
z_Q_|0PR{6Yy}&6?xZmvjal12qE7NDt%~}NK;)=$mi1?bLuqo+%m*ekz*RxMgV|_T)
zVxl$ARiA<a-pay5K6(hgCl2|e&kek;$JCXCr!*9|%mq0uQ7o{t@C*wlNuPTyji*fF
zyPT1)9-o>vJ~r8FK&DafWIIZ|ozF*?uY)4Xk*lhG5D?8o93Y4J__9f|{om>lHFD2Z
zb2oiL>=+gO%fttb;qVMHT_zAP;hFoOcD&@DBY~Snty56vllK2I`m)26&TxYl@;hUm
z@Gu}qS~5|=cwLf_FJ`}*+y`aJnZ7>LzxheD<homd@$bF>052X@ayZUamLpocJcEzU
zHd!g|b?^$x>K<7_9!5+m&Sdc6qv~jS0q(P9jX_LPKEzAo?Dnj%07UWf_+#(oC#!No
zuhRbvPjA2ZdIy2Cpt<;v?VlAbr`d>B*aCO>X{G%n6$5kyO|qC}KS~dsFbC~&6dDME
zleC2MAM_2wqZX_~GN!Ccx(vo#J<Mfmo0m@;W)z3XJ$synw<CEPs+5Y^tS0wVwubjl
zH=l-U(Uu~S*V>5*3-YWTa;a6d;l;H_N+ekQjIeX0>xOPW7sC_bHKH|rUE%>qG&bHB
zPwe`DcY3NXw;V0fm)%AD$+iaTB~XTYJxZr#tQ0;teX(qlS_ZuRaLuT4lYtr|l66AB
zUs6r$_3X_m1Cz3)l`}p%WHaZx7q|@@m4^eFi-DLfCST0%a2akBByDlj1s>^=8kN*M
zu3s8{Z=lY!_gQK8*Rbut^lK6Z?UuOcM}N=aMn)%L4u<AqC#^%OP)_sv*r6p8`jIa%
z)jPvwxkXUnp$(?)7hb!Oc?V{iA7O{)my}v$YxFH|hFe^p3`H49Mh%S4KfxPVx(db@
ztzBU;rB5lkScM#&AGRy4vLjDk#xMA4Kb&uU5PTNH*!F|sDYc_c&P&hY{s+wKT27qQ
z&1mq9>9Q~x#Y}r%>Kt>6maz5GrbPAV?u*Nsr{2f7{OC{640p)M;%D8tt0lXmX**w>
zxZnH>NytXL>=Iw{>vhtOlJb$E0`Ea@beHpqFCK>C&hagA{1%<(T(rt?2WG}p&oW=8
zSgoQ)S4Lw~9pt`XTjCze`7=$D2)hwHSnnxv9;U|<C6-}h!-Aa^di&(%cmS9ah|Bj|
zzZoU%SG6dZ)p~q0MTF+`g1Wb(`VcdbL5NZuU}({wU|ja_SX6ecA3f5nseY@>-m9K%
zkkd$AlX*tev2?NcG6))CqzMAn{YP=_>VLx3Kl7}p{s~v#@Vu{sj%>J|P3RN<xIbb0
zSXoKAWbH+2`SVEE?66c1zp|j4=LYg>uc7@quVxhmrfOKY>dF*vDoGg4S9|KF%!=CM
zx^Bk!Bt&_%00fpP0C6vQ4QCA!m3ADrKx3We>eaHUFm#hqXKHmHYNBY_vGoj|Xia*-
z_e97F|5CpWTPlgL=D!@~J+E2X?su$Cd#T|ab?LV7=Rt|C@YBLHrxVn@5URL+9fEkP
zNiwzlnxYe-C6Ov=H>Cy~4R1Sr^}14}E_X6_7xLRq*3E$r`GE-`-}pz9n*k;4qoonH
zG%RL?-=yYYMqan|s1*jsREYcrw!4UYH?uJLd;8zLw&<^E%ZBz@#_mc097pVu&P$mh
z@^hI)KWqHpwHj<V|1OWE&lE6k<qUg%?ly@mzODB0=}WnSo^El&Und+5tHjAKm53$R
z9K~uvt$I6?Ki1XatU{VGp2VVA24?OhE!lvq^>U2YFaw7(5p5h!w&>nN)H{`1LvFaq
z8aib7>x{6iR}7&vQhhNeRXg5@F*qFoB-ZSVJKudt-0rvy0vZ%%F6LZF23B2Qd_R#)
z-|z5LYyO+A;ZGx3B@>2`2u%4;nuvMxdfhbkjTXNj7HV{}ZC80m{=YzO06_&I4OqG1
z{~2<dUHQ*KZrH0>2=z?m|0f}L>@He|P|kXfVV^x3SAJnXtf{^QjI-E?6B+Fa!2N?=
z20VDvfllKEXtGQ#9i8$|M7p`tz32{GaQsAv6ErS5s`r7-f&oEYtOr1izF8Q&;2g&V
zX3oz!xk0^*9_y)ku^V6~&pxQFUCsHq?{%N04i-o5`2HNq+}N=oct{+)<91)+>iljc
zE3^obuNl5<H93e_*aKoyU)cjKG*zA;7DfixCWr{_LWFcV|9n3$4%OvcDgaZy7#VqW
zrkgz$!??pX#K9d&mqf44BANJd_cI{PT~L}vAm00XAWc>QTD&TF;YH#e(9G@Q;dPIR
zYm98ap*$&}XOTE!AloE-b>;Qp6MJD-WS~_0%55U;f##nj$sz-Bs#vP@8;EH&nLQW0
zx4CC28DqIc!HK#2O#L$KZa=%M&dyfnYZ7#-srxloEN02@sL$QhfTzD4W~ENdJ-0Hn
z7>g*>Y5~!fj|c-gwCR$@TsE>D$xaSla5;VK>~X-u@#!B_J_vI}bsnZwA75QrC+t(|
zCrP8%DU_p8KYXK>H!vE-CJ3GTPgym6d)UV1EdW48><qg#pSB%xG_)s$OS0mDaRht|
zVgQFZ1~|wez>A@Qe!qC>a;N=U<*{b(>$hbUR+P8_QD_ctjgZ@R>D~5zpkA-MwcypI
ze@b0DB?F5cTsLnAWUJ?BQ&W?L1j~Sw1IlVm@*=K{cfGj-3<o$n3uOBgw7(BDwGlAP
zGHn5?Z%lGAW;`@ieDevM3{d}ti#k?~QiE#(djZ|`X3`4_-M&S)Dtm!5G*?wnV%6ww
z;0bM^K^=@(Jc?XYa{Y@`8Bonp<ryKDN!BQ%!?<u0M;|6GJtQ9+FR@?!3iTD%OG4B)
zuPclUoc;YIoS*rYI+GOaru5-TCMO4qY9^MTRFqFZ7ME+T%ztkqWc0g{s|b1o5?xPr
z2FNG;yE6Fxsf7?y^{5I(cW^mi3SwJT7!hYc81ZEu^@wdSJf|t^Z&X?IX4(R+d^Qz-
zsW-7>jl5izaJ~&&jT&@%`dl+KOk$RY|K8IK6HQm9mi6Zv6G!J4T><bn?>6@n0&%pu
z7RFeijG&nd3#AK17+<zIxHH%CoZNR{c)9+{tVAGf_6uB;823rhOFyYsG+oJf95kDl
z^2T<+^z%iDsAjRr?30tyGsa1p2aGk-hhvC{aB2E}c;q{=7>Q7D@a<NGyto26tPU>u
z&VGZFqpjSBM2WcDwE>khVlivUf1urpdA!)V`=|cp05b32BX*FbDvpgRf2$pV)U4Kv
zp6E5m`4jYZ@X~|oy@MMH?(yo2&dX^o6I0c&sVNRN#*E~VRjaEnq~zx=0!Z&u*K*A>
z<_#hRpsc31hj-qlwphSo?Kq<4k%puG$SB_!ZKvflso7hSwio@=u%W&i$*VI$nC@XZ
zs((`s!PJCcHRyW~Y2NhqX!pl4>0*1}rGVrg550z3003`2lZ6U{0G_01`iebjV(5ko
z<%jT|S!cJ^1uOj2Y*jty#Gk3d&>~d!D+@)CaYTYn$A#RCRt=B;_ShgNOJG<2xZN7S
znjR%mbI$TUg_uVnmwSa@W=S}oEPm(2S;G}MG)<YC0ci)Sp)7dlbdrvw&r{(8S`^LW
zkNSODlg?a$5KU5KyyW<anF%gN<ei!$An#575apCt{ltbXWp=_hfKdFbsOmAnvjhj#
zW6v4Iw%yPNSksexZqtIh@Y^{e3iORK$JB;C{i9^^tmWA~P?KBa8mJ)IeRrBvxV?A%
zi$}m+zo{%|l2pMlJ!NrQdI)$w4^%gtOYnb{I?VM0;6Z+0+5g7}&D=ZB!_JlduJJTI
z*##-Y|F@FDVE=Zul|490Y}uBp6qMV4QQp{s3QuuZ-oWqDl<S8-V3<FYw4Mr<)XXkM
zeSd2afI6<?Tf7vA+jO-JNy{N{6XS$z!Ts_QoF)-${u_sqSN(@1Toa)+G32VrVt#`H
zdF+r8#OCbV%W067=|9sGKF+P)P-@S&Qqx#yASbOK`rL2eJxioFL^%%qwzL7ZX{(x4
z5#tMSlbU4@<wylwioJR>#IWS_G%`aVe776a=0{4@;-FHkUimWOr#CyZggAPwDBnVN
zskK#)wYVAfR02VsiW7ux#dCwck;#sebe7yF2Xj?)h}GoZxlJGX$q{mGYuZ@DV0q&J
znE-3LbtLY&JAV&1SYTZ@wWNxjt_r|nl>oYc^&!mOT#df#b`Bbk9l>sbn|CFEUR){&
zg8l;VA;wvOfO}DCA{UDDv>bdCFm#dc<N;-^+^tMG)^t9t({nK`1lqro*~@v4JPZWr
zAm;=h2fG+7ji9~PumY?CkmXUe?VrDf#qIC`jqnNv`4<C6iEOMY{eYH=8I;owIsJp{
zyLvhakoyW8xNv^0yk2qkomPDC<|E~uuvf~!%b5r4VCx1xL5m<7<p`1;N*&t=9D;JL
zSKK_`o6iKX^<D12<~a(Q8V2OL=wj?-yJwY%1Y&jKfZfS75bOJs)vf-`3&5kK=`GkG
zl44wY7D)D8Z{{Rv;70B{t|qIxfJ5w?7~1uf>;c=*0rLU1m3_e6B(nahB2MwhL#2eh
z(t^7|eaUMBX$dL0YBE|h8+a)zy?wlLrIO96ic!zWxwU~CQlgY?ceIB*2^2HFA$eoF
zcfgi6mt*C=Dmy?G@FlIFcA=}0z2-Ea)>-OUb>v{r=$-F=S=4~(9)Nv`h)sWIhKA}6
zT>n&>{e8Cir(>`{p65cVOr8K|;B2+^@AD0K-*1n43qxU@%l^p_E|A}|z5D<EIP8Bp
zadGCrsfm+tA|a{T)KT2$1r2BGsX03Dx(;;*SfBV`OHqZpVELUe^A$FL+!FBkjEqks
z)}milMIb1ORxb*JH5`N<um$Xy@*L1+3cceB{mEG;t4M@4r58jVa0hHkB>MJtn71mx
z&%S;c{l!a44uProt`F4%H_NOCgtBu`ig<)MDgOawl+T0GI-cN}*%IY#F_5t^SE9)>
zcFb>Mp|Co(US$k2pZjHt*0Yq%fEQ7BYEe}3plcK*Cp=!*DLs!v)q~U&!2BjyYDNkM
zil?UH%o8kGRqcnlC-@7bB5YyVSWyd*P5SARl5J#4H`xvqHbTiq1-xoimk=|xd=+_>
zlxy>Jm>WrZiEXAcvNYBEAt_aExd0PtsW;qo<sBlxIJ=o7jA(WL(r!bhC3wEitvnv6
zr{#-ZIwV59IfnGhzF5EDd#mAvoxN8QBYiZYAzgD3aQ?lJlmO)q`2H06+Vj6GO9PU;
zFI-xZmb%hx@CJR7TYJdVF<mD73bo5_EPwj&h62!`RtYhMqR8)UH)Y96S^-b7TC*#m
zmq~*LdTJwnt+xAb+B?)eq^+iy)=qR4Tdp~|sKJHJ@kD*gB9R*6yB4VcrlO&WM~!i0
z<Ek4jsjb#V<ZeQ`_|GH5A>;@NuW7M#e9Ne#|K~7=EFZnJkTk3xpL=x7$JO6WR~QWJ
z_24X04PSQHMi{ycOW6+X>y&-wCS$nG@gk-}oUDhH$rO2lcOdB$N8(a#DqEN6s#=PO
zchOjx>|?@(I4gcGDdv)#;kKD-Ld;zveaXOCL||8nsqnE3Yg9R0J7vdvKS@zjyn>;6
zaRRxagD!e0d&n8p@IuDbTr+Q$r^g*NVaGpv?Rt03fcLVPNGprpz#~1&MB3h+a!2Lb
z^FJzoMNL|v&2n|~!Meyw1}}k!D8K~oc&zhE+6fl{4J@!LLPX%6?+|&@MfTaMAp4!7
z>A)NNfkz>l@Aap%LK#bN^0nNvDOjp>?_hH=HE4VhJGz-hW5*(n<7pO%4NZi6^1w6%
z7LWSZy(PrlAP-r8o_Ix5EoRlt^*3HWyrqZ2y8Jq1c5qN~-pK|PmhldckE`+&v_82}
z+jjH4(5&CFOx^;<5}uZl!F9!nn$26#<)s~1m>XD4Thc_dJ_k`LGU`nMq6QKy2tH#Z
z5{S)hOf8YKr)qD?+A7i?YEpj;`8_ch?A*RzQMdAD1;~WCF`-93S!cqeX8pDDr%{Z7
zlDIf{(5vA>nKOvK;iu)+dzt2H!vqN(SG}B)@|;==QY@zDH2v59<>B7FT@;tmu-6Zk
zGda`{r;ql04?MnYblk`*FWboi<2pp=0odZ*gu$vyn~613(;-NWrL!aPe009u_bo=k
zd}h}nVYDHeJ;a9}FP}BbisQeRT1xvCXOm-}pWC|lQ`1iBA(!iVBTws-{xlF00_T@)
z4Z|}sFeC9y3D#|l(7mPnc^A{P2sp_h2f4O}e{3LPeF*o{$cx$0{8IihAI%cqM}oVP
z*G|@6YIL?-&&rA;u#p&A=mP>J?3y*dvb0yFi#Iu>>5aH*?$Ua_FZt%!ar2x-7X9Yw
zswhCnZE;axu?FZz*-pFt3#3*$R#~9}s%eif?MoK<A3pIrtLgSS_r(j0AJUa>D~<G8
zZ%Y{ZWuvHME>O%aWbZd~+vZ73^$;Q|+Ki+)S6a|R?=m1a+ThE*#vrHGbw{mkOL(`#
zakO1XF_TiP31UDvJy^QxPtnd6TnovHr)8`8{HTKbyW9XK#$EJr$UV%+L*P5$WtilQ
zs~n29GiG40F*YIgYca-8gzQ+M=7F}MEjKnIYv-ksh=)kM!X6)0&r%vDyl@93KP1X<
zd(@bYdPeDZGjYA^Dk>?-!MuQ3td2~>DmmrM5K?5hb#WCxHa=RB6zR4qX}BAvI49xk
z6PhuLk0`@v4aZy@a6LOt{dF&0eRRtg0`v#`!R^+0gcBuEd>E`dYN2R(^giZtb?;D|
zRkt5e_sqQp-hpYqz#XkTNy~szBgEV8&lCwVrgW1O%q|xI){z#756tIk736d+JWR2z
z_3HPpenb29=UwkP*vjw|;I;2HYA`_cD+Fp9Q&0e4vRq{z(HG#Mb@n#LL$_r;M|S~!
z0>GO&$xsdI1oI1UcU?TKO(hmeD5Qqmc@FNplDP-y2GF|N2b|^<x^A4#$_YjT_r#pU
zJuRm&73%!}HG(VCdS^lA5fGE~^-D;2^*H_1!q}0ce1acc#lKfJ?Bf;N7?a+2@2xOA
z1`rG5QYGsU9rAK@d&VlP8X&bUuoK}{?HoAuPj2;FR!kR+1Gl=6z}1WTh8Ld0v*Sp@
z^@^V(aj>a--|f-<YdKUd_2TDn>;)Av;SJl#mx0>A0oOOLWDEBcYyiB&`~7*#XAgvi
zw+IWNYXIyy=pVdUeh|znhr!7Lj>kZ7r!-JS-M~w4X?l8k5jchBn&h88(_K3v4ur;v
z-I55$Uz(4j0TP3*g8QH{0zl|*n~E!A(4hkIJk9KCP|rsfqZ-$u%L}JsF7^78=<ga%
zIIg=<RKq}$(3SZ;Xs1iaaDXo3v7#ujr}VE)bhW2xDF+phz9J4!k>fs_Y6oY$!czHn
z#oI&fIy$8i<2O<Q(^sBh@<7;SUNiMkx-7iL*im+-2zwV5H^11y<>ysHD;=OB5<H{D
z(pGff&8i>D9<3O{1L2Y9NfrHbB9cT)N_Hw!-Gni_^RqO$@pY~};*y@s%<XrZF_l3N
z)}&i+-p%QLq1qy)yEzoLFhlW6V@bn@q$lDpN+b<4UyXm52xR&asUq{*2S(9otJ&qi
zyQ>tM0rEnsJYQpmy_25H<CPO|rGin@!SG@%lC~PTNH$<?bxIX*a8RZ#h+td?L|p*Q
z6`{Qdfh-a)TuIi^I;aY(hYGnuQWDq&uTU}_#d#}`fHgf>j58$(BR6&@oPYgkse(lh
zwjm8kC}iL*NEQP3u0O}b{#d$-aQ`^mWq{V2_d;X!wbTf2KkPrr{Vo9Cs+9kMR<oHe
zx#pte6ZA1?=&bvwH=AzCNXP0T>rYoSUbM{29&7wCk<m=oMG(}kk%m7X_((yUiQ+V=
z>k1-kPBbD}8hC=wNf3P&DT;6}YgP(#Im$2Q&A?IL`T39P2=;!pu*sTeT-J@JwrX)M
zRn#nmd~~K}VbTKzNPo_^zB`EyMPdZD0BpN;M;Zzn-Wm~=g3ZP%pcK==!7&4LM~kGd
z?UD+q_#*SD1ICdPVv{8m`d*|wgo`=8&YpA_Ns}UH@W{HWJE85JSVP0hlBi82X3U)s
zV~t5#B`iMNpX_pMGXN~_Mg!;yji;M!badq@v*ZCsxSshukf!GqDk5>Of=6$JZlH@J
zhfY3|edC|K_T5N4&XoIQm#)^P2ue4AmBPMsHRtSt(*ugSBbqS0TsL1WFi6d@>o)Rp
zzuY@dHfn!IRWhtHqMY9S64w^1!aJ4WfYuG5q6UrG9B|vjBd+}ZmH@8pTWm>&_;E{q
z-h#U_@LG#r50W+U#y1agfJOgmBH}<%<jBS=Y^rcw*tDlyYCWEjS)%U}k8#M=FnsP5
zh)KFo(sdT`4kgu9_IOirwTO<|F$te{@r{BHI$4E2xGUm&%q39vu44mYHBEx$JWEW+
zVi1&(5?TpYS(^u!m~rB531aHaiO17x0ts(>joP0`u*xy8D2a+i*Vzp%1oJXx@j{p)
z{IBhDa1dmhKi)b@^_o_Z47S71|4VqtGp6#Bn;Q=e$nfq`;Y`2)@eWOoWf@2H6WSiF
zwW^M8RA5Y5S~keezT#w`6D(7LQ=mfsC&$u^6qU{0HpI3;<D3dn3v>(DFSr43Jz|)T
zcHfF!4zi662l(o_0o#0p(kelG1h|^hOH}Xr=zt9`^(embc5CWoKY8iC7*3Z_zOd)g
zDRk0N;pi)TlVjd$tgN7G50#!Chd*Jq3V)ucMAQ}NDI@SPosr1wA<e^~=<K*Pc1}?8
zw{ttFLUj%#;6$|=V5|D+D$ctl@Px;xz`Z=+E?1u-F}qmai&K|6o6)xNht7F%>GOi0
zZ+%!XA|`EA?@VjdrZjnz*y574j7Qkdj;$Igm0Cte%tkPI)&eV|J;|jZ3mpTWAFQdU
zIX#~|ATh3@{}hGkVco}6>#NH+daa0*a24>SwaIatT8zHtm2Np9%WKl7&;D#Zt;ZP<
za=#HLs+Uf==wM~;o9zBej4K)4S+&`sKjN6gGBn7-e5cUx5DD+S^e!NWx$ohEjWY)>
zrPoDf>*CEWu%Brx>ceAfUMOi8>VN!MzTrUk2)(6$Gfb=79NAzpkY)FN(G*8i*D$QQ
zE+V_^hNLaM6RZJ3G2&QugD-i`npIoewz&i5avvC|z%1qT;MEi4h5{KGN68sU!`qYF
zRKwdM>$zss%s|u?%yhskir*1E1dp`tO?;;$^`RvL(dgr$Hu|P*_Wq8Rcm%Tub1pa@
z+gQ>YRv$f$P7c17Ix~5Lb<Q$&9aSPu$)b<?PYy&4Z{Ct%2G?P$!gAX}_1C0Z2z@Ol
zSX4jE>7b@J0~6@=F^hb<bl_pS)khFqLiUf1WPedY!TL;aU?a9U;e63R!eE-e5e_r*
z$VpNZeOq_ZorN4>Y~V2tl}J^!v-8zIb~`;~g?0EQ5qX%0v<PGdi-3Jd3nJBQpw2DA
zU|iO41AQBTdqGU8vp6H>(0l~Ca?Pia7^snhe7foXT4MkmrKan2n5A*On^K_@K<SnC
zVM=`9DHS$YtPGC1X7y-P3Av~Sca)!TO7P5>=(+LxT%e((nDd%OAaA&Aes=lssqu$}
z@rEjezFR+BDe(sJHv_zn)Q&37M3v~2;+wAp5{`qlW?)Flr?^^=<VvQ|8JBm^*awng
zMj{y-g^^u+tGGVGh5ZYGE4MTeF(<0-`lTf?Z=LV`yp+^0GFcsc^Nz04;}yo)#byJK
zk9sF&8j8&w9NvKOKWtVa8mC5LM=V8LZco=bhOUFUUe8-c)nH12#g#oqHhMn`5B9&s
zt}Ip0$`ywhpS?z=tZF#7-sp}gp=w*Q<D}j+_AU!OGXS4@sn2DT15Z#iET58gvb?QB
zeAvQ<DuMBc$)f_DVo|raIV)Xkgg77@YFoT_LGG?9IEfivq;`?Fnop5;#C@FKM~7mV
zvQp#0Q{1q1ZGZy5hj=g1W>9;&f!!{4A+nn_LSW}GxTX#O_BM7zMc(H`Gv|w@jrSba
zO6VUBeVe24g0Ig3oxu=<$UxwT4-wgyEmGtnaKt{l=R?Xbpbe(5EB7HO3Pdzn=?EG4
zyd|Z9ulE7;2Ln-I8Tj0sWYZbq&@bs*g4y35!L)ykS$2wYB(-_YeX*J(H(E783?V>~
zCqcHGkpC@12+NN78;9$fSVkWI;#3$KWH{R2B*~B_4t4cb{^->Bap61pUF+v}LR1p$
zNG(JbKJxs@3&$!dY^`y=`8-{!-T!xj@HdM0($Cxb#f><5=$U;ju{C}Dfph&M)3biy
z;1>7vH*y+e{a^A-{}$5&Rm9&j>+EgYo2c8MME@nf{tx-_z5<Cgu-~2qWSJc#hizT|
zgwFc+bNT0D_W<q@SOHMQ-x7oUvJ5Lr{O5fA83m@E>RXwutmLH~%*<`=%I<woe5^6F
zPQ;U+v+~1wO!i#rcIPO&Tv^&15-0X#$8d=4->M%ZgFn69T6?TRe_~EN?zc1NfkCmN
zy_RLEgOT!lxan!LrV_c8jJN8}0_vN(#jq3k3A(z)cTYNkNTtalx?73meLk3Z9>9EY
zTYT+pj5O>1k-(9uWM$vqo;BQA@JIpyzF9w{K)<Hdr+(+Fm5ZSxdm%7%W{?(;*~{rW
zpu4>y2h=6i;Z>i5z6J&(=PJs#RZ;iM#FPVH#_JGQ4z3?`f0q{iT!~x1{|mYw-0+X$
z%0D#z)@%Ob&0IjcrO^w@*ts0WF`~AT`NFQ*9nYc6?rb*FIehxo5C5sZzewb}f*{+}
RP8H~la6@y0^7F2D{tG&~4aNWf


From 62f3a3060d3daea0d3b433f86cc669fe2c81e672 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 21:58:05 +0200
Subject: [PATCH 05/12] docs(security): merge resources page into security
 overview

---
 docs/guides/security/decentralization.md |  2 +-
 docs/guides/security/overview.md         | 34 ++++++++++++++++++++-
 docs/guides/security/resources.md        | 39 ------------------------
 3 files changed, 34 insertions(+), 41 deletions(-)
 delete mode 100644 docs/guides/security/resources.md

diff --git a/docs/guides/security/decentralization.md b/docs/guides/security/decentralization.md
index 47bf921..6b99ae5 100644
--- a/docs/guides/security/decentralization.md
+++ b/docs/guides/security/decentralization.md
@@ -71,6 +71,6 @@ Note that also loading other assets such as [CSS](https://xsleaks.dev/docs/attac
 
 - Make sure all the content delivered to the browser is served and certified by the canister using asset certification. This holds in particular for any JavaScript, but also for fonts, CSS, etc.
 
-- Use a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to prevent scripts and other content from other origins from being loaded at all. See also [define security headers, including a content security policy (CSP)](./resources.md#web-security).
+- Use a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to prevent scripts and other content from other origins from being loaded at all. See also [define security headers, including a content security policy (CSP)](./overview.md#web-security).
 
 <!-- Upstream: dfinity/portal — building-apps/security/decentralization.mdx -->
diff --git a/docs/guides/security/overview.md b/docs/guides/security/overview.md
index d9ffb2e..74df11e 100644
--- a/docs/guides/security/overview.md
+++ b/docs/guides/security/overview.md
@@ -19,4 +19,36 @@ The target audience for these documents is any developer working on ICP canister
 
 The collection of best practices may grow over time. While it is useful to improve the security of dapps on ICP, such a list will never be complete and will never cover all potential security concerns. For example, there will always be attack vectors very specific to a dapp's use cases that cannot be covered by general best practices. Thus, following the best practices can complement, but not replace, security reviews. Especially for security-critical dapps, it is recommended to perform security reviews or audits. Furthermore, please note that the best practices are currently not ordered according to risk or priority.
 
-<!-- Upstream: dfinity/portal — building-apps/security/overview.mdx -->
+## Further reading
+
+Below are resources covering security best practices for technologies commonly used in ICP dapps. These are equally important as the ICP-specific guidelines and should be studied carefully.
+
+### General
+* [How to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister) by Joachim Breitner
+* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/)
+* [OWASP top ten](https://owasp.org/www-project-top-ten/)
+
+### Rust
+* [Secure Rust guidelines](https://anssi-fr.github.io/rust-guide/01_introduction.html), in particular [unsafe code](https://anssi-fr.github.io/rust-guide/04_language.html#unsafe-code), [overflows](https://anssi-fr.github.io/rust-guide/04_language.html#integer-overflows) and [Cargo-audit](https://anssi-fr.github.io/rust-guide/03_libraries.html#cargo-audit)
+  * For overflowing operations, consider using `saturated` or `checked` variants, such as `saturated_add`, `saturated_sub`, `checked_add`, `checked_sub`. See the [Rust docs](https://doc.rust-lang.org/std/primitive.u32.html#method.saturating_add) for `u32`.
+
+### Crypto
+* [OWASP cryptographic failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) points out issues related to cryptography, or the lack thereof.
+* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/) (see Section V6)
+* **Use the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API).** Storing key material in the browser storage (such as [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) or [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)) is considered unsafe because these keys can be accessed by JavaScript code, e.g. in an XSS attack. To protect the private key from direct access, use Web Crypto's [generateKey](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey) with `extractable=false`.
+
+### Web security {#web-security}
+* Resources for setting security headers:
+  * [securityheaders.com](https://securityheaders.com/)
+  * [Permissions policy generator](https://www.permissionspolicy.com/)
+  * [Content security policy evaluator](https://csp-evaluator.withgoogle.com/) and [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html)
+  * [OWASP secure headers project](https://owasp.org/www-project-secure-headers/)
+* [SSL server test](https://www.ssllabs.com/ssltest/)
+* Don't use features that could lead to an XSS vulnerability, such as [@html in Svelte](https://svelte.dev/docs#template-syntax-html).
+* **Log out securely.** Clear all session data (especially [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) and [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)), clear [IndexedDB](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API), etc. on logout. Make sure other browser tabs showing the same origin are logged out if the logout is triggered in one tab. This may not happen automatically when the ICP JavaScript agent is used, since the ICP JavaScript agent keeps the private key in memory once initialized.
+
+### Testing
+* In [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html): [test upgrades](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades), [make code target-independent](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent)
+* Consider [PocketIC](../testing/pocket-ic.md) for canister testing
+
+<!-- Upstream: dfinity/portal — building-apps/security/overview.mdx, building-apps/security/resources.mdx -->
diff --git a/docs/guides/security/resources.md b/docs/guides/security/resources.md
deleted file mode 100644
index 6e299ba..0000000
--- a/docs/guides/security/resources.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: "Security Resources"
-description: "Important security resources and further reading for ICP canister and web app developers."
-sidebar:
-  order: 12
----
-
-Below are resources which cover security best practices for technologies you are likely using in your dapp. These best practices are equally important as our Internet Computer specific guidelines and should be studied carefully. They can be useful to reference when developing secure dapps or executing security reviews.
-
-## General
-* [How to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister) by Joachim Breitner
-* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/)
-* [OWASP top ten](https://owasp.org/www-project-top-ten/)
-
-## Rust
-* [Secure Rust guidelines](https://anssi-fr.github.io/rust-guide/01_introduction.html), in particular [unsafe code](https://anssi-fr.github.io/rust-guide/04_language.html#unsafe-code), [overflows](https://anssi-fr.github.io/rust-guide/04_language.html#integer-overflows) and [Cargo-audit](https://anssi-fr.github.io/rust-guide/03_libraries.html#cargo-audit)
-  * For overflowing operations, consider using `saturated` or `checked` variants of these operations, such as `saturated_add`, `saturated_sub`, `checked_add`, `checked_sub`, etc. See e.g. the [Rust docs](https://doc.rust-lang.org/std/primitive.u32.html#method.saturating_add) for `u32`.
-
-## Crypto
-* [OWASP cryptographic failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/) points out issues related to cryptography, or the lack thereof.
-* [OWASP application security verification standard](https://owasp.org/www-project-application-security-verification-standard/) (see Section V6)
-* **Use the [Web Crypto API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API).** Storing key material in the browser storage (such as [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) or [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)) is considered unsafe because these keys can be accessed by JavaScript code, e.g. in an XSS attack. To protect the private key from direct access, use Web Crypto's [generateKey](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey) with `extractable=false`.
-
-## Web security {#web-security}
-* Resources for setting security headers:
-  * [securityheaders.com](https://securityheaders.com/)
-  * [Permissions policy generator](https://www.permissionspolicy.com/)
-  * [Content security policy evaluator](https://csp-evaluator.withgoogle.com/) and [strict CSP](https://csp.withgoogle.com/docs/strict-csp.html)
-  * [OWASP secure headers project](https://owasp.org/www-project-secure-headers/)
-* [SSL server test](https://www.ssllabs.com/ssltest/)
-* Don't use features that could lead to an XSS vulnerability, such as e.g. [@html in Svelte](https://svelte.dev/docs#template-syntax-html).
-* **Log out securely.** Clear all session data (especially [sessionStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) and [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)), clear [IndexedDB](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API), etc. on logout. Make sure other browser tabs showing the same origin are logged out if the logout is triggered in one tab. This may not happen automatically when the ICP JavaScript agent is used, since the ICP JavaScript agent keeps the private key in memory once initialized.
-
-## Testing
-These are some useful references for testing canisters which don't necessarily relate to security. However, having good test coverage is essential for developing secure applications.
-* In [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html): [test upgrades](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades), [make code target-independent](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent)
-* Consider [PocketIC](../testing/pocket-ic.md) for canister testing
-
-<!-- Upstream: dfinity/portal — building-apps/security/resources.mdx -->

From 539bb847686f91eb02212d1b71fdf63e6ca43cec Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:06:16 +0200
Subject: [PATCH 06/12] docs(security): rename slugs to match full topic names
 for SEO

---
 docs/404.mdx                                                | 2 +-
 docs/concepts/security.md                                   | 6 +++---
 docs/guides/backends/randomness.md                          | 2 +-
 docs/guides/index.md                                        | 2 +-
 ...data-integrity.md => data-integrity-and-authenticity.md} | 0
 docs/guides/security/dos-prevention.md                      | 2 +-
 ...ss-management.mdx => identity-and-access-management.mdx} | 0
 .../{observability.md => observability-and-monitoring.md}   | 0
 8 files changed, 7 insertions(+), 7 deletions(-)
 rename docs/guides/security/{data-integrity.md => data-integrity-and-authenticity.md} (100%)
 rename docs/guides/security/{access-management.mdx => identity-and-access-management.mdx} (100%)
 rename docs/guides/security/{observability.md => observability-and-monitoring.md} (100%)

diff --git a/docs/404.mdx b/docs/404.mdx
index a0f159d..dfa8a52 100644
--- a/docs/404.mdx
+++ b/docs/404.mdx
@@ -16,7 +16,7 @@ Pick a guide that matches what you're building.
 - **[Frontends](/guides/frontends/asset-canister/)**: Serve assets, integrate frameworks, configure custom domains, and certify responses.
 - **[Authentication](/guides/authentication/internet-identity/)**: Add passwordless login and verifiable user identity with Internet Identity.
 - **[Chain Fusion](/guides/chain-fusion/bitcoin/)**: Connect canisters to Bitcoin, Ethereum, and Solana.
-- **[Security](/guides/security/access-management/)**: Access control, encryption, DoS prevention, and safe upgrade patterns.
+- **[Security](/guides/security/identity-and-access-management/)**: Access control, DoS prevention, and safe upgrade patterns.
 
 ## Other places to look
 
diff --git a/docs/concepts/security.md b/docs/concepts/security.md
index ef23dff..b281fd1 100644
--- a/docs/concepts/security.md
+++ b/docs/concepts/security.md
@@ -61,7 +61,7 @@ The following threats are your responsibility to mitigate:
 
 Every update method is publicly callable. If you do not check the caller, anyone can invoke admin functions, drain funds, or corrupt state. The anonymous principal (`2vxsx-fae`) is a particularly common gap: it must be explicitly rejected in any authenticated endpoint, because otherwise it acts as a shared identity that anyone can use.
 
-See [Access management](../guides/security/access-management.md#reject-anonymous-callers) for implementation patterns.
+See [Access management](../guides/security/identity-and-access-management.md#reject-anonymous-callers) for implementation patterns.
 
 ### Reentrancy and async interleaving
 
@@ -97,11 +97,11 @@ Users have no way to verify that a canister's running code matches its published
 
 ## What's next
 
-- [Access management](../guides/security/access-management.md): caller checks, guards, and role-based access control
+- [Access management](../guides/security/identity-and-access-management.md): caller checks, guards, and role-based access control
 - [Upgrade safety](../guides/security/canister-upgrades.md): safe upgrade patterns
 - [Inter-canister call safety](../guides/security/inter-canister-calls.md): async pitfalls and mitigations
 - [DoS prevention](../guides/security/dos-prevention.md): cycle drain protection
-- [Data integrity](../guides/security/data-integrity.md): input validation and storage safety
+- [Data integrity](../guides/security/data-integrity-and-authenticity.md): input validation and storage safety
 - [Response certification](../guides/frontends/certification.md): certified variables for query responses
 
 <!-- Upstream: informed by dfinity/portal docs/building-apps/best-practices/trust-in-canisters.mdx, docs/building-apps/best-practices/general.mdx; icskills: canister-security -->
diff --git a/docs/guides/backends/randomness.md b/docs/guides/backends/randomness.md
index ec94e8f..59438e6 100644
--- a/docs/guides/backends/randomness.md
+++ b/docs/guides/backends/randomness.md
@@ -225,7 +225,7 @@ Note: this example predates `mo:core` and uses the older `Random.Finite` API. Th
 
 - [Verifiable Randomness (concept)](../../concepts/verifiable-randomness.md): how the IC's threshold VRF works
 - [Management Canister](../../references/management-canister.md): `raw_rand` API reference
-- [Data Integrity](../security/data-integrity.md): using randomness in a secure application design
+- [Data Integrity](../security/data-integrity-and-authenticity.md): using randomness in a secure application design
 - [Inter-canister calls](../canister-calls/inter-canister-calls.md#reentrancy): async patterns and reentrancy
 
 <!-- Upstream: informed by dfinity/portal — docs/building-apps/integrations/randomness.mdx; dfinity/icskills — skills/canister-security/SKILL.md; dfinity/examples — motoko/random_maze; caffeinelabs/motoko-core — src/Random.mo -->
diff --git a/docs/guides/index.md b/docs/guides/index.md
index ff1a2f4..506a02a 100644
--- a/docs/guides/index.md
+++ b/docs/guides/index.md
@@ -20,7 +20,7 @@ Practical how-to guides organized by development stage. Each guide solves a spec
 
 - **[Testing](testing/strategies.md)**: Write unit tests, run integration tests with PocketIC, and set up end-to-end testing.
 - **[Canister Management](canister-management/lifecycle.md)**: Deploy, upgrade, fund, optimize, and back up canisters.
-- **[Security](security/access-management.md)**: Implement access control, encryption, DoS prevention, and safe upgrade patterns.
+- **[Security](security/identity-and-access-management.md)**: Implement access control, DoS prevention, and safe upgrade patterns.
 
 ## Advanced features
 
diff --git a/docs/guides/security/data-integrity.md b/docs/guides/security/data-integrity-and-authenticity.md
similarity index 100%
rename from docs/guides/security/data-integrity.md
rename to docs/guides/security/data-integrity-and-authenticity.md
diff --git a/docs/guides/security/dos-prevention.md b/docs/guides/security/dos-prevention.md
index 5e79c88..bc9e8e9 100644
--- a/docs/guides/security/dos-prevention.md
+++ b/docs/guides/security/dos-prevention.md
@@ -17,7 +17,7 @@ To protect your canisters from DoS and DDoS attacks, consider the following stra
 * **Bot prevention techniques**: Use methods like captchas or proof of work to ensure only legitimate users can access your canister. CAPTCHAs help verify that the user is human, while proof of work requires the user to spend computational resources to proceed, deterring automated attacks. [Internet Identity](https://github.com/dfinity/internet-identity) has a [captcha implementation](https://github.com/dfinity/internet-identity/blob/2bf92dc16371428a3dcc1115580a691842ec76df/src/internet_identity/src/main.rs#L517) that can serve as an example for implementing this in other projects.
 * **Monitor cycles usage**: Regularly track your canisters cycles consumption and set alerts for any sudden spikes that may indicate an attack.
 * **Ingress message charging**: While charging for ingress messages (external requests to the canister) is not natively supported, custom solutions could be implemented to make sure that any expensive actions have costs associated with them.
-* **Filter ingress messages using inspect message**: Certain non-critical checks can be placed in the inspect message function to filter out ingress update messages before they are executed by all nodes of a subnet. Since this code only runs on a single node, the execution does not consume cycles, but it also shouldn't be relied upon for security-critical checks such as access control. However, they can efficiently reject certain ingress messages early. Read the corresponding [documentation](../../references/ic-interface-spec/canister-interface.md#system-api-inspect-message) and [security best practice](./access-management.mdx) carefully for the caveats.
+* **Filter ingress messages using inspect message**: Certain non-critical checks can be placed in the inspect message function to filter out ingress update messages before they are executed by all nodes of a subnet. Since this code only runs on a single node, the execution does not consume cycles, but it also shouldn't be relied upon for security-critical checks such as access control. However, they can efficiently reject certain ingress messages early. Read the corresponding [documentation](../../references/ic-interface-spec/canister-interface.md#system-api-inspect-message) and [security best practice](./identity-and-access-management.mdx) carefully for the caveats.
 
 ## Protect against noisy neighbors
 
diff --git a/docs/guides/security/access-management.mdx b/docs/guides/security/identity-and-access-management.mdx
similarity index 100%
rename from docs/guides/security/access-management.mdx
rename to docs/guides/security/identity-and-access-management.mdx
diff --git a/docs/guides/security/observability.md b/docs/guides/security/observability-and-monitoring.md
similarity index 100%
rename from docs/guides/security/observability.md
rename to docs/guides/security/observability-and-monitoring.md

From 71f9254a3c05f40759aeb2de635297f6b95a013b Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:08:05 +0200
Subject: [PATCH 07/12] docs(security): reorder sidebar by learning progression

---
 docs/guides/security/canister-upgrades.md               | 2 +-
 docs/guides/security/data-integrity-and-authenticity.md | 2 +-
 docs/guides/security/data-storage.md                    | 2 +-
 docs/guides/security/decentralization.md                | 2 +-
 docs/guides/security/dos-prevention.md                  | 2 +-
 docs/guides/security/formal-verification.md             | 2 +-
 docs/guides/security/https-outcalls.md                  | 2 +-
 docs/guides/security/identity-and-access-management.mdx | 2 +-
 docs/guides/security/inter-canister-calls.md            | 2 +-
 docs/guides/security/observability-and-monitoring.md    | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/docs/guides/security/canister-upgrades.md b/docs/guides/security/canister-upgrades.md
index 3e14816..25c0fce 100644
--- a/docs/guides/security/canister-upgrades.md
+++ b/docs/guides/security/canister-upgrades.md
@@ -2,7 +2,7 @@
 title: "Canister Upgrade Security"
 description: "Security best practices for canister upgrade hooks, panics during upgrades, and timer reinstatement."
 sidebar:
-  order: 9
+  order: 8
 ---
 
 ## Be careful with panics during upgrades
diff --git a/docs/guides/security/data-integrity-and-authenticity.md b/docs/guides/security/data-integrity-and-authenticity.md
index d954a35..6cafbd1 100644
--- a/docs/guides/security/data-integrity-and-authenticity.md
+++ b/docs/guides/security/data-integrity-and-authenticity.md
@@ -2,7 +2,7 @@
 title: "Data Integrity and Authenticity"
 description: "Security best practices for certified variables, asset certification, and protecting data authenticity on ICP."
 sidebar:
-  order: 5
+  order: 4
 ---
 
 ## Certified variables
diff --git a/docs/guides/security/data-storage.md b/docs/guides/security/data-storage.md
index ae96d78..9b9f1c0 100644
--- a/docs/guides/security/data-storage.md
+++ b/docs/guides/security/data-storage.md
@@ -2,7 +2,7 @@
 title: "Data Storage"
 description: "Security best practices for canister data storage, stable memory, encryption of sensitive data, and backups."
 sidebar:
-  order: 6
+  order: 3
 ---
 
 ## Rust: Use `thread_local!` with `Cell/RefCell` for state variables and put all your globals in one basket
diff --git a/docs/guides/security/decentralization.md b/docs/guides/security/decentralization.md
index 6b99ae5..882715a 100644
--- a/docs/guides/security/decentralization.md
+++ b/docs/guides/security/decentralization.md
@@ -2,7 +2,7 @@
 title: "Decentralization"
 description: "Security best practices for decentralizing dapp control using SNS, governance, and reducing centralized trust."
 sidebar:
-  order: 4
+  order: 10
 ---
 
 ## Use a decentralized governance system like SNS to put dapps under decentralized control
diff --git a/docs/guides/security/dos-prevention.md b/docs/guides/security/dos-prevention.md
index bc9e8e9..be35317 100644
--- a/docs/guides/security/dos-prevention.md
+++ b/docs/guides/security/dos-prevention.md
@@ -2,7 +2,7 @@
 title: "Denial of Service Prevention"
 description: "Security best practices for protecting canisters against DoS and DDoS attacks, noisy neighbors, and expensive calls."
 sidebar:
-  order: 8
+  order: 7
 ---
 
 ## Protect against DoS and DDoS attacks
diff --git a/docs/guides/security/formal-verification.md b/docs/guides/security/formal-verification.md
index 7ec216c..40e1909 100644
--- a/docs/guides/security/formal-verification.md
+++ b/docs/guides/security/formal-verification.md
@@ -2,7 +2,7 @@
 title: "Formal Verification"
 description: "Applying formal verification and TLA+ model checking to find and prove the absence of security bugs in ICP canisters."
 sidebar:
-  order: 13
+  order: 12
 ---
 
 Formal verification is the highest form of quality assurance for software. Given a specification of what the system should do, formal verification tools check whether this specification is satisfied by a model of the system. The unique advantage of formal verification is that it can not only find bugs but also formally **prove** their absence — including the absence of security bugs. This goes beyond what testing or manual audits can achieve.
diff --git a/docs/guides/security/https-outcalls.md b/docs/guides/security/https-outcalls.md
index efc5a3c..da7c50c 100644
--- a/docs/guides/security/https-outcalls.md
+++ b/docs/guides/security/https-outcalls.md
@@ -2,7 +2,7 @@
 title: "HTTPS Outcall Security"
 description: "Security best practices for canister HTTPS outcalls: API keys, rate limits, idempotency, response consistency, and input validation."
 sidebar:
-  order: 7
+  order: 6
 ---
 
 ## Do not store sensitive data such as API keys in canisters
diff --git a/docs/guides/security/identity-and-access-management.mdx b/docs/guides/security/identity-and-access-management.mdx
index fcd43f5..ddf4946 100644
--- a/docs/guides/security/identity-and-access-management.mdx
+++ b/docs/guides/security/identity-and-access-management.mdx
@@ -2,7 +2,7 @@
 title: "Identity and Access Management"
 description: "Security best practices for authentication, anonymous principal rejection, ingress message inspection, and session management."
 sidebar:
-  order: 3
+  order: 2
 ---
 
 import { Tabs, TabItem } from '@astrojs/starlight/components';
diff --git a/docs/guides/security/inter-canister-calls.md b/docs/guides/security/inter-canister-calls.md
index a5d5d8f..002f2c6 100644
--- a/docs/guides/security/inter-canister-calls.md
+++ b/docs/guides/security/inter-canister-calls.md
@@ -2,7 +2,7 @@
 title: "Inter-Canister Call Security"
 description: "Security best practices for handling traps in callbacks, message ordering, rejected calls, and untrustworthy canisters."
 sidebar:
-  order: 2
+  order: 5
 ---
 
 To understand the issues around async inter-canister calls, one needs to understand the [properties of message execution on ICP](../../references/message-execution-properties.md). Understanding these properties is a prerequisite for understanding the security issues discussed below.
diff --git a/docs/guides/security/observability-and-monitoring.md b/docs/guides/security/observability-and-monitoring.md
index f7a70a4..8de1272 100644
--- a/docs/guides/security/observability-and-monitoring.md
+++ b/docs/guides/security/observability-and-monitoring.md
@@ -2,7 +2,7 @@
 title: "Observability and Monitoring"
 description: "Security best practices for monitoring canister cycles, logs, and health indicators."
 sidebar:
-  order: 10
+  order: 9
 ---
 
 ## Monitor your canister

From 39452aef44cfaf09b04c357ffbaa9a7399987388 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:09:14 +0200
Subject: [PATCH 08/12] docs(security): rename misc.md to miscellaneous.md

---
 docs/guides/security/{misc.md => miscellaneous.md} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename docs/guides/security/{misc.md => miscellaneous.md} (100%)

diff --git a/docs/guides/security/misc.md b/docs/guides/security/miscellaneous.md
similarity index 100%
rename from docs/guides/security/misc.md
rename to docs/guides/security/miscellaneous.md

From 0d1164e2169fd5b905bff33e2c1c303bf41f6019 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:16:12 +0200
Subject: [PATCH 09/12] fix(security): upstream comment format, em-dashes,
 broken misc link

---
 docs/guides/canister-calls/idempotency.md               | 2 +-
 docs/guides/security/canister-upgrades.md               | 2 +-
 docs/guides/security/data-integrity-and-authenticity.md | 2 +-
 docs/guides/security/data-storage.md                    | 2 +-
 docs/guides/security/decentralization.md                | 2 +-
 docs/guides/security/dos-prevention.md                  | 2 +-
 docs/guides/security/formal-verification.md             | 6 +++---
 docs/guides/security/https-outcalls.md                  | 6 +++---
 docs/guides/security/inter-canister-calls.md            | 2 +-
 docs/guides/security/miscellaneous.md                   | 2 +-
 docs/guides/security/observability-and-monitoring.md    | 2 +-
 docs/guides/security/overview.md                        | 2 +-
 docs/references/message-execution-properties.md         | 6 +++---
 13 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/docs/guides/canister-calls/idempotency.md b/docs/guides/canister-calls/idempotency.md
index 19ef45e..baff003 100644
--- a/docs/guides/canister-calls/idempotency.md
+++ b/docs/guides/canister-calls/idempotency.md
@@ -118,4 +118,4 @@ Another approach applicable to ledgers (such as ICRC-1 or ICP) is to perform tra
 
 [^2]: More precisely, the ledger also allows for a small time drift of `created_at_time` into the future, which has to be taken into account when clearing the deduplication window.
 
-<!-- Upstream: dfinity/portal — building-apps/best-practices/idempotency.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/best-practices/idempotency.mdx -->
diff --git a/docs/guides/security/canister-upgrades.md b/docs/guides/security/canister-upgrades.md
index 25c0fce..0af030d 100644
--- a/docs/guides/security/canister-upgrades.md
+++ b/docs/guides/security/canister-upgrades.md
@@ -49,4 +49,4 @@ Using the Rust CDK, the recurring timer is also lost on upgrade as explained in
 
 - See the Rust documentation on [set_timer_interval](https://docs.rs/ic-cdk/0.6.9/ic_cdk/timer/fn.set_timer_interval.html).
 
-<!-- Upstream: dfinity/portal — building-apps/security/canister-upgrades.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/canister-upgrades.mdx -->
diff --git a/docs/guides/security/data-integrity-and-authenticity.md b/docs/guides/security/data-integrity-and-authenticity.md
index 6cafbd1..1433e65 100644
--- a/docs/guides/security/data-integrity-and-authenticity.md
+++ b/docs/guides/security/data-integrity-and-authenticity.md
@@ -626,4 +626,4 @@ If an app is served through `raw.icp0.io` in addition to `icp0.io`, an adversary
 
 - Check in the canister's `http_request` method if the request came through raw. If so, return an error and do not serve any assets.
 
-<!-- Upstream: dfinity/portal — building-apps/security/data-integrity-and-authenticity.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/data-integrity-and-authenticity.mdx -->
diff --git a/docs/guides/security/data-storage.md b/docs/guides/security/data-storage.md
index 9b9f1c0..960491f 100644
--- a/docs/guides/security/data-storage.md
+++ b/docs/guides/security/data-storage.md
@@ -91,4 +91,4 @@ A canister could be rendered unusable and impossible to upgrade. For example, du
 
 - See the "Backup and recovery" section in [how to audit an Internet Computer canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
 
-<!-- Upstream: dfinity/portal — building-apps/security/data-storage.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/data-storage.mdx -->
diff --git a/docs/guides/security/decentralization.md b/docs/guides/security/decentralization.md
index 882715a..14bcdf5 100644
--- a/docs/guides/security/decentralization.md
+++ b/docs/guides/security/decentralization.md
@@ -73,4 +73,4 @@ Note that also loading other assets such as [CSS](https://xsleaks.dev/docs/attac
 
 - Use a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) to prevent scripts and other content from other origins from being loaded at all. See also [define security headers, including a content security policy (CSP)](./overview.md#web-security).
 
-<!-- Upstream: dfinity/portal — building-apps/security/decentralization.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/decentralization.mdx -->
diff --git a/docs/guides/security/dos-prevention.md b/docs/guides/security/dos-prevention.md
index be35317..5cc8a93 100644
--- a/docs/guides/security/dos-prevention.md
+++ b/docs/guides/security/dos-prevention.md
@@ -59,4 +59,4 @@ An attacker will target expensive calls to drain the cycles balance or available
 - Be aware of attacks targeting high cycles-consuming calls.
 - See the "Cycle balance drain attacks section" in [How to audit an ICP canister](https://www.joachim-breitner.de/blog/788-How_to_audit_an_Internet_Computer_canister).
 
-<!-- Upstream: dfinity/portal — building-apps/security/dos.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/dos.mdx -->
diff --git a/docs/guides/security/formal-verification.md b/docs/guides/security/formal-verification.md
index 40e1909..7cf2f42 100644
--- a/docs/guides/security/formal-verification.md
+++ b/docs/guides/security/formal-verification.md
@@ -5,7 +5,7 @@ sidebar:
   order: 12
 ---
 
-Formal verification is the highest form of quality assurance for software. Given a specification of what the system should do, formal verification tools check whether this specification is satisfied by a model of the system. The unique advantage of formal verification is that it can not only find bugs but also formally **prove** their absence — including the absence of security bugs. This goes beyond what testing or manual audits can achieve.
+Formal verification is the highest form of quality assurance for software. Given a specification of what the system should do, formal verification tools check whether this specification is satisfied by a model of the system. The unique advantage of formal verification is that it can not only find bugs but also formally **prove** their absence, including the absence of security bugs. This goes beyond what testing or manual audits can achieve.
 
 The proof is always relative to the model and the specification. Any simplifications and assumptions in the model, or omissions in the specification, may hide bugs and attacks. On the other hand, verification can require a lot of effort, and model simplifications can make it significantly easier.
 
@@ -17,7 +17,7 @@ These bugs are particularly difficult to find, as they can involve unexpected in
 
 ## TLA+
 
-The Temporal Logic of Actions (TLA+) is a language for specifying and verifying complex systems. TLA+ comes with a set of tools for lightweight formal verification in the form of so-called model checking. Through model checking, it exhaustively (within bounds, such as the aforementioned 2 concurrent calls bound) explores all possible concurrent interactions of a model of the code — exactly the domain that is difficult to test — and finds bugs.
+The Temporal Logic of Actions (TLA+) is a language for specifying and verifying complex systems. TLA+ comes with a set of tools for lightweight formal verification in the form of so-called model checking. Through model checking, it exhaustively (within bounds, such as the aforementioned 2 concurrent calls bound) explores all possible concurrent interactions of a model of the code (exactly the domain that is difficult to test) — and finds bugs.
 
 Importantly, after building the model of the code, model checking runs with virtually no further human input, making it highly cost-effective. To illustrate with some made-up numbers: if the industry standard practices (such as testing and security reviews) eliminate 80% of the bugs, and "heavyweight" formal verification eliminates 99.99%, with TLA+ you can eliminate 90% with a fraction of the effort of the heavyweight verification.
 
@@ -31,4 +31,4 @@ We have used TLA+ to create the following models that can be interesting for dap
 
 To find out more on why and how you can apply TLA+ to your canisters and dapps, including an in-depth guide to modeling canisters, refer to our series of blog posts ([1](https://medium.com/dfinity/eliminating-smart-contract-bugs-with-tla-e986aeb6da24), [2](https://medium.com/dfinity/weeding-out-the-bugs-with-tla-models-3606045bf24e), [3](https://mynosefroze.com/blog/2023-08-09-tla_for_canisters)). You can also look at the [DFINITY-produced TLA+ models](https://github.com/dfinity/formal-models) for examples and techniques.
 
-<!-- Upstream: dfinity/portal — building-apps/security/formal-verification.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/formal-verification.mdx -->
diff --git a/docs/guides/security/https-outcalls.md b/docs/guides/security/https-outcalls.md
index da7c50c..22e244b 100644
--- a/docs/guides/security/https-outcalls.md
+++ b/docs/guides/security/https-outcalls.md
@@ -20,7 +20,7 @@ By default, the data stored inside your canister is unencrypted. Therefore, if y
 
 Make sure you don't store sensitive data inside your canister.
 
-See also: [data confidentiality on ICP](./misc.md#data-confidentiality-on-icp).
+See also: [data confidentiality on ICP](./miscellaneous.md#data-confidentiality-on-icp).
 
 ## Ensure your canisters have a sufficiently large quota with the HTTP server
 
@@ -76,7 +76,7 @@ The pricing of HTTPS outcalls is determined by the size of the HTTP request and
 
 When using HTTPS outcalls, be mindful of the HTTP request and response sizes. Ensure that the size of the request issued and the size of the HTTP response coming from the server are reasonable.
 
-When making an HTTPS outcall, it is possible — and highly recommended — to define the `max_response_bytes` parameter, which allows you to set the maximum allowed response size. If this parameter is not defined, it defaults to the hard response size limit of the HTTPS outcalls feature, which is 2MiB. The cycle cost of the response is always charged based on the `max_response_bytes` or 2MB if not set.
+When making an HTTPS outcall, it is possible (and highly recommended) to define the `max_response_bytes` parameter, which allows you to set the maximum allowed response size. If this parameter is not defined, it defaults to the hard response size limit of the HTTPS outcalls feature, which is 2MiB. The cycle cost of the response is always charged based on the `max_response_bytes` or 2MB if not set.
 
 Finally, be aware that users may incur cycles costs for HTTPS outcalls in case these calls can be triggered by user actions.
 
@@ -94,4 +94,4 @@ Perform input validation when using user-submitted data in the HTTPS outcalls.
 
 See the [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) for more information.
 
-<!-- Upstream: dfinity/portal — building-apps/security/https-outcalls.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/https-outcalls.mdx -->
diff --git a/docs/guides/security/inter-canister-calls.md b/docs/guides/security/inter-canister-calls.md
index 002f2c6..5863fce 100644
--- a/docs/guides/security/inter-canister-calls.md
+++ b/docs/guides/security/inter-canister-calls.md
@@ -339,4 +339,4 @@ Loops in the call graph (e.g., canister A calling B, B calling C, C calling A) m
 
 - For more information, see [current limitations of the Internet Computer](https://wiki.internetcomputer.org/wiki/Current_limitations_of_the_Internet_Computer), section "Loops in call graphs."
 
-<!-- Upstream: dfinity/portal — building-apps/security/inter-canister-calls.mdx -->
+<!-- Upstream: informed by dfinity/portal — building-apps/security/inter-canister-calls.mdx; dfinity/icskills — skills/canister-security/SKILL.md -->
diff --git a/docs/guides/security/miscellaneous.md b/docs/guides/security/miscellaneous.md
index cfd0d4a..792e737 100644
--- a/docs/guides/security/miscellaneous.md
+++ b/docs/guides/security/miscellaneous.md
@@ -277,4 +277,4 @@ Floats in Rust may behave unexpectedly. There can be undesirable loss of precisi
 
 Use [`rust_decimal::Decimal`](https://docs.rs/rust_decimal/latest/rust_decimal/) or [`num_rational::Ratio`](https://docs.rs/num-rational/latest/num_rational/). Decimal uses a fixed-point representation with base 10 denominators, and Ratio represents rational numbers. Both implement `checked_div` to handle division by zero, which is not available for floats. Numbers in common use, like 0.1 and 0.2, can be represented more intuitively with Decimal and can be represented exactly with Ratio. Rounding oddities like `0.1 + 0.2 != 0.3`, which happen with floats in Rust, do not arise with Decimal (see https://0.30000000000000004.com/ ). With Ratio, the desired precision can be made explicit. With either Decimal or Ratio, although one still has to manage precision, the above makes arithmetic easier to reason about.
 
-<!-- Upstream: dfinity/portal — building-apps/security/misc.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/misc.mdx -->
diff --git a/docs/guides/security/observability-and-monitoring.md b/docs/guides/security/observability-and-monitoring.md
index 8de1272..79477d5 100644
--- a/docs/guides/security/observability-and-monitoring.md
+++ b/docs/guides/security/observability-and-monitoring.md
@@ -19,4 +19,4 @@ Without monitoring, it can be hard to detect attacks or vulnerabilities that are
 
 - See [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html) for general patterns on canister observability.
 
-<!-- Upstream: dfinity/portal — building-apps/security/observability-and-monitoring.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/observability-and-monitoring.mdx -->
diff --git a/docs/guides/security/overview.md b/docs/guides/security/overview.md
index 74df11e..1fbf3d3 100644
--- a/docs/guides/security/overview.md
+++ b/docs/guides/security/overview.md
@@ -51,4 +51,4 @@ Below are resources covering security best practices for technologies commonly u
 * In [effective Rust canisters](https://mmapped.blog/posts/01-effective-rust-canisters.html): [test upgrades](https://mmapped.blog/posts/01-effective-rust-canisters.html#test-upgrades), [make code target-independent](https://mmapped.blog/posts/01-effective-rust-canisters.html#target-independent)
 * Consider [PocketIC](../testing/pocket-ic.md) for canister testing
 
-<!-- Upstream: dfinity/portal — building-apps/security/overview.mdx, building-apps/security/resources.mdx -->
+<!-- Upstream: sync from dfinity/portal — building-apps/security/overview.mdx, building-apps/security/resources.mdx -->
diff --git a/docs/references/message-execution-properties.md b/docs/references/message-execution-properties.md
index d22ad10..6aecbf8 100644
--- a/docs/references/message-execution-properties.md
+++ b/docs/references/message-execution-properties.md
@@ -5,7 +5,7 @@ description: "The 11 properties of message execution on ICP, covering atomicity,
 
 ## Asynchronous messaging model
 
-ICP relies on an asynchronous messaging model. Compared to synchronous messaging like on Ethereum, this provides performance advantages because multiple calls can be executed concurrently — and also in parallel, when multiple canisters are involved. However, asynchronous message execution can also lead to sometimes unexpected or unintuitive behavior. Therefore, it is important to understand the properties of message execution. Potential security issues that arise in this model, such as reentrancy bugs, are discussed in the [security best practices on inter-canister calls](../guides/security/inter-canister-calls.md).
+ICP relies on an asynchronous messaging model. Compared to synchronous messaging like on Ethereum, this provides performance advantages because multiple calls can be executed concurrently, and also in parallel, when multiple canisters are involved. However, asynchronous message execution can also lead to sometimes unexpected or unintuitive behavior. Therefore, it is important to understand the properties of message execution. Potential security issues that arise in this model, such as reentrancy bugs, are discussed in the [security best practices on inter-canister calls](../guides/security/inter-canister-calls.md).
 
 The [community conversation on security best practices](https://www.youtube.com/watch?v=PneRzDmf_Xw&list=PLuhDt1vhGcrez-f3I0_hvbwGZHZzkZ7Ng&index=2&t=4s) also discusses the messaging properties.
 
@@ -19,7 +19,7 @@ A **message execution** is a set of consecutive instructions that a subnet execu
 
 - **Property 1**: Only a single message execution is run at a time per canister. Message execution within a single canister is atomic and sequential, and never parallel.
 
-Note that parallel message execution over multiple canisters is possible — this property talks about just a single canister.
+Note that parallel message execution over multiple canisters is possible; this property talks about just a single canister.
 
 - **Property 2**: Each downstream call that a canister makes, query or update, triggers a message. When using `await` on the response from an inter-canister call, the code after the `await` (the callback, highlighted in blue) is executed as a separate message execution.
 
@@ -75,4 +75,4 @@ This property only gives a guarantee on when the request messages are executed,
 
 For more details, refer to the [IC Interface Specification abstract behavior](./ic-interface-spec/abstract-behavior.md) which defines message execution in more detail.
 
-<!-- Upstream: dfinity/portal — references/message-execution-properties.mdx -->
+<!-- Upstream: sync from dfinity/portal — references/message-execution-properties.mdx -->

From f903e56c3c112106d9d81553bd2b3c145644eae9 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:30:12 +0200
Subject: [PATCH 10/12] fix(security): remove em-dash in formal-verification.md

---
 docs/guides/security/formal-verification.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guides/security/formal-verification.md b/docs/guides/security/formal-verification.md
index 7cf2f42..502fb99 100644
--- a/docs/guides/security/formal-verification.md
+++ b/docs/guides/security/formal-verification.md
@@ -17,7 +17,7 @@ These bugs are particularly difficult to find, as they can involve unexpected in
 
 ## TLA+
 
-The Temporal Logic of Actions (TLA+) is a language for specifying and verifying complex systems. TLA+ comes with a set of tools for lightweight formal verification in the form of so-called model checking. Through model checking, it exhaustively (within bounds, such as the aforementioned 2 concurrent calls bound) explores all possible concurrent interactions of a model of the code (exactly the domain that is difficult to test) — and finds bugs.
+The Temporal Logic of Actions (TLA+) is a language for specifying and verifying complex systems. TLA+ comes with a set of tools for lightweight formal verification in the form of so-called model checking. Through model checking, it exhaustively (within bounds, such as the aforementioned 2 concurrent calls bound) explores all possible concurrent interactions of a model of the code (exactly the domain that is difficult to test) and finds bugs.
 
 Importantly, after building the model of the code, model checking runs with virtually no further human input, making it highly cost-effective. To illustrate with some made-up numbers: if the industry standard practices (such as testing and security reviews) eliminate 80% of the bugs, and "heavyweight" formal verification eliminates 99.99%, with TLA+ you can eliminate 90% with a fraction of the effort of the heavyweight verification.
 

From 6420bf91810d1baaa9648cd9a7d86603b05278ce Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:39:37 +0200
Subject: [PATCH 11/12] fix(security): fix Upstream comment format in
 identity-and-access-management.mdx

---
 docs/guides/security/identity-and-access-management.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/guides/security/identity-and-access-management.mdx b/docs/guides/security/identity-and-access-management.mdx
index ddf4946..a8a7f2b 100644
--- a/docs/guides/security/identity-and-access-management.mdx
+++ b/docs/guides/security/identity-and-access-management.mdx
@@ -247,4 +247,4 @@ For more information, view an [example implementation in the form of a Unity app
 * Returning the delegation chain [using a URI fragment](https://github.com/dfinity/examples/blob/main/native-apps/unity_ii_deeplink/ii_integration_dapp/src/greet_frontend/src/index.js#L73).
 * The example is currently being improved whereby the delegation chain will also be verified in the mobile app before using it.
 
-{/* Upstream: dfinity/portal — building-apps/security/iam.mdx */}
+{/* Upstream: sync from dfinity/portal building-apps/security/iam.mdx */}

From 51de28a1117b0320cd03a6a00d4a2db9b59fe642 Mon Sep 17 00:00:00 2001
From: Marco Walz <marco.walz@dfinity.org>
Date: Tue, 5 May 2026 22:44:38 +0200
Subject: [PATCH 12/12] chore: add product-security as codeowner for security
 docs

---
 .github/CODEOWNERS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index dbd77ef..7e493ac 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -3,3 +3,9 @@
 # DX team members are also configured as bypass actors in the branch ruleset
 # and can merge their own PRs without a separate review.
 * @dfinity/dx
+
+# Security — product-security team must approve changes to security best practices
+docs/guides/security/ @dfinity/product-security @dfinity/dx
+docs/concepts/security.md @dfinity/product-security @dfinity/dx
+docs/references/message-execution-properties.md @dfinity/product-security @dfinity/dx
+docs/guides/canister-calls/idempotency.md @dfinity/product-security @dfinity/dx