From 3a836b9f3d4f99d5d0c9632775459e618623eda7 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 6 Sep 2022 13:09:40 +0100 Subject: [PATCH 01/33] initial structure of ECI-DM draft layout --- _data/toc.yaml | 8 +++++++ desktop/desktop-managed.md | 23 +++++++++++++++++++ desktop/enhanced-container-isolation/eci.md | 22 ++++++++++++++++++ .../enable-eci.md | 9 ++++++++ 4 files changed, 62 insertions(+) create mode 100644 desktop/desktop-managed.md create mode 100644 desktop/enhanced-container-isolation/eci.md create mode 100644 desktop/enhanced-container-isolation/enable-eci.md diff --git a/_data/toc.yaml b/_data/toc.yaml index 56f9d9ebeeb..df88a7bb4dd 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1189,6 +1189,14 @@ manuals: title: Docker Desktop WSL 2 backend on Windows - path: /desktop/vm-vdi/ title: Run Docker Desktop for Windows in a VM or VDI environment + - sectiontitle: Enhanced Container Isolation (Early Access) + section: + - path: /desktop/enhanced-container-isolation/eci/ + title: What is Enhanced Container Isolation? + - path: /desktop/enhanced-container-isolation/enable-eci/ + title: Enable Enhanced Container Isolation + - path: /desktop/desktop-managed/ + title: Desktop Managed (Early Access) - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/ diff --git a/desktop/desktop-managed.md b/desktop/desktop-managed.md new file mode 100644 index 00000000000..13c353986ec --- /dev/null +++ b/desktop/desktop-managed.md 
@@ -0,0 +1,23 @@ +--- +description: admin controls for desktop +keywords: admin, controls, rootless, enhanced container isolation +title: Desktop Managed (Early Access) +--- + +we need to think about how best to convey to users via the docs that these settings will only be respected in the VM if the user has ‘Enhanced Container Isolation’ toggled on. + +High-level introduction to feature and it’s benefits (can grab some of this from the PR-FAQ, when ready). Include that this is for Docker Business customers only + +should note our competitive advantage here, e.g. that when the ‘Enhanced container isolation’ setting is configured, these settings cannot be modified by developers (loop in Cesar / Rodny to advise on wording) + +Details on each setting that the Admin can lock via the admin-settings.json + +these details should include the exact syntax / options that the admin can use in the admin-settings.json to configure each setting + +where ‘enhanced container isolation’ is a prerequisite to ensure that some settings are enforced within the Docker Desktop Linux VM, clearly denote this to the user (Cesar and Rodny can advise on this one) + +Explain what happens on the developer side, e.g. once you configure your settings, your developer will see that they are locked by their org admin in the Docker Desktop UI + +Details on where the admin-settings.json should be placed on Windows and macOS + +Explain that for this feature to take effect, developers must authenticate to their Docker Business org. In order to ensure that this happens, admins must use the registry.json file (link to relevant doc) \ No newline at end of file diff --git a/desktop/enhanced-container-isolation/eci.md b/desktop/enhanced-container-isolation/eci.md new file mode 100644 index 00000000000..6767ef1b65d --- /dev/null +++ b/desktop/enhanced-container-isolation/eci.md 
@@ -0,0 +1,22 @@ +--- +description: Enhanced Container Isolation - benefits, why use it, how it differs to Docker rootless, who it is for +keywords: containers, rootless, security, sysbox, runtime +title: What is Enhanced Container Isolation? +--- + +What it is + +what the benefits of it are + +Who is it for + +how does it work + +- Who gets this ? (e.g. currently developers in Docker Business customers, requires authentication, etc) +- How the feature works under the hood + - enables Sysbox under the hood, ensuring containers run using the Linux user namespace and are not root in the VM, etc +- Dive in on details + - e.g. when enabled, Desktop uses Sysbox runtime by default, for all containers. requires an Apply & restart, etc +- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” + - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads +- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature \ No newline at end of file diff --git a/desktop/enhanced-container-isolation/enable-eci.md b/desktop/enhanced-container-isolation/enable-eci.md new file mode 100644 index 00000000000..8ce5998951a --- /dev/null +++ b/desktop/enhanced-container-isolation/enable-eci.md @@ -0,0 +1,9 @@ +--- +description: Instructions on how to set up enhanced container isolation +title: Enable Enhanced Container Isolation +keywords: set up, enhanced container isolation, rootless, security +--- + +How to configure it if you are an admin + +what you will see as a developer \ No newline at end of file From a909b97b5a11a7f0fb07644e53afe14371b2abbf Mon Sep 17 00:00:00 2001 
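Review bot: The body of the new desktop/desktop-managed.md hunk is internal planning text rather than documentation, yet its front matter gives it a public title and description, so it will render as a live page if the site builds every file under desktop/: lines such as `loop in Cesar / Rodny to advise on wording` and `(can grab some of this from the PR-FAQ, when ready)` should not reach a published page. Suggest keeping the draft out of the tree until it has real content, or hiding it with whatever mechanism the site uses for unpublished pages. While here, `it’s benefits` should be `its benefits`.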
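Review bot: Same concern for desktop/enhanced-container-isolation/eci.md: it is a bullet outline (`Who gets this ?`, `dive in on why Sysbox is awesome`) under publishable front matter, and the toc.yaml hunk links to it as the first entry of the new section, so the outline is the first thing a reader of the section would see. Also, `how it differs to Docker rootless` in the description should read `how it differs from Docker rootless`.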
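Review bot: Front-matter key order in desktop/enhanced-container-isolation/enable-eci.md differs from the other two new files (`title` sits between `description` and `keywords` here, after them elsewhere); harmless to the build but worth aligning. All three new files also end with `\ No newline at end of file`, which most linters flag and which produces noisy diffs on the next edit.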
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 13 Sep 2022 16:23:52 +0100 Subject: [PATCH 02/33] PR-FAQ additions --- _data/toc.yaml | 4 +- desktop/desktop-managed.md | 61 +++++++++- desktop/enhanced-container-isolation/eci.md | 22 ---- .../enable-eci.md | 18 ++- desktop/enhanced-container-isolation/faq.md | 43 +++++++ desktop/enhanced-container-isolation/index.md | 109 ++++++++++++++++++ 6 files changed, 230 insertions(+), 27 deletions(-) delete mode 100644 desktop/enhanced-container-isolation/eci.md create mode 100644 desktop/enhanced-container-isolation/faq.md create mode 100644 desktop/enhanced-container-isolation/index.md diff --git a/_data/toc.yaml b/_data/toc.yaml index df88a7bb4dd..744cbc32b25 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1191,10 +1191,12 @@ manuals: title: Run Docker Desktop for Windows in a VM or VDI environment - sectiontitle: Enhanced Container Isolation (Early Access) section: - - path: /desktop/enhanced-container-isolation/eci/ + - path: /desktop/enhanced-container-isolation/ title: What is Enhanced Container Isolation? - path: /desktop/enhanced-container-isolation/enable-eci/ title: Enable Enhanced Container Isolation + - path: /desktop/enhanced-container-isolation/faq/ + title: FAQ and known issues - path: /desktop/desktop-managed/ title: Desktop Managed (Early Access) - sectiontitle: Dev Environments (Beta) diff --git a/desktop/desktop-managed.md b/desktop/desktop-managed.md index 13c353986ec..78fec798617 100644 --- a/desktop/desktop-managed.md +++ b/desktop/desktop-managed.md 
@@ -4,20 +4,75 @@ keywords: admin, controls, rootless, enhanced container isolation title: Desktop Managed (Early Access) --- +>Note +> +>Desktop Managed is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. + +## What it is + +When admins create a setting and have ‘Rootless Containers’ enabled, the setting cannot be modified by developers within their org + +## What are the benefits + + + we need to think about how best to convey to users via the docs that these settings will only be respected in the VM if the user has ‘Enhanced Container Isolation’ toggled on. -High-level introduction to feature and it’s benefits (can grab some of this from the PR-FAQ, when ready). Include that this is for Docker Business customers only should note our competitive advantage here, e.g. that when the ‘Enhanced container isolation’ setting is configured, these settings cannot be modified by developers (loop in Cesar / Rodny to advise on wording) -Details on each setting that the Admin can lock via the admin-settings.json +Admins for Docker Business organizations will get Admin Controls, a feature allowing them to enforce certain Docker Desktop settings for their organization. Specifically, admins will be able to enforce: + +Send usage statistics is also locked + +Admins can lock down any values configurable via the Resources > Network tab via the admin-settings.json. 
For the time being, this is just the Docker subnet value (screenshot enclosed) + + +Main usage for this is to lock enterprise related settings: + - proxies (so users don’t have to set up them / to know that they exist / to bypass them) + - vpnkit CIDR (to avoid network clashes) + - VM settings + - block telemetry + - auto update behavior + - daemon config (we want to lock some fields with optional value but keep other ones free to use) + + If ‘Software Updates’ are locked by the admin: + +‘Preferences’ section is not shown on ‘Software Updates’ panel + +User cannot see A new update is ready to download text + +User will get the following message You're currently on version X. The latest version is Y. Updates are managed by your admin. + +Users cannot see the Download update button + +Users are still able to see the description of the new release as well as the associated Release notes button + +The admin should be able to configure all proxy values available via the Docker Desktop Preferences > Resources > Proxies UI, via the admin-settings.json file. + +Acceptance criteria + +Admins should have the ability to enforce the use of Hyper-V OR WSL2 + + + +## What can be set? + + the Admin can lock via the admin-settings.json + + these details should include the exact syntax / options that the admin can use in the admin-settings.json to configure each setting where ‘enhanced container isolation’ is a prerequisite to ensure that some settings are enforced within the Docker Desktop Linux VM, clearly denote this to the user (Cesar and Rodny can advise on this one) +## What do developers see + Explain what happens on the developer side, e.g. once you configure your settings, your developer will see that they are locked by their org admin in the Docker Desktop UI +## How to set it up + Details on where the admin-settings.json should be placed on Windows and macOS -Explain that for this feature to take effect, developers must authenticate to their Docker Business org. 
In order to ensure that this happens, admins must use the registry.json file (link to relevant doc) \ No newline at end of file +Explain that for this feature to take effect, developers must authenticate to their Docker Business org. In order to ensure that this happens, admins must use the registry.json file (link to relevant doc) + diff --git a/desktop/enhanced-container-isolation/eci.md b/desktop/enhanced-container-isolation/eci.md deleted file mode 100644 index 6767ef1b65d..00000000000 --- a/desktop/enhanced-container-isolation/eci.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -description: Enhanced Container Isolation - benefits, why use it, how it differs to Docker rootless, who it is for -keywords: containers, rootless, security, sysbox, runtime -title: What is Enhanced Container Isolation? ---- - -What it is - -what the benefits of it are - -Who is it for - -how does it work - -- Who gets this ? (e.g. currently developers in Docker Business customers, requires authentication, etc) -- How the feature works under the hood - - enables Sysbox under the hood, ensuring containers run using the Linux user namespace and are not root in the VM, etc -- Dive in on details - - e.g. when enabled, Desktop uses Sysbox runtime by default, for all containers. requires an Apply & restart, etc -- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” - - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads -- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature \ No newline at end of file diff --git a/desktop/enhanced-container-isolation/enable-eci.md b/desktop/enhanced-container-isolation/enable-eci.md index 8ce5998951a..bedefdc7db1 100644 --- a/desktop/enhanced-container-isolation/enable-eci.md +++ b/desktop/enhanced-container-isolation/enable-eci.md 
@@ -6,4 +6,20 @@ keywords: set up, enhanced container isolation, rootless, security How to configure it if you are an admin -what you will see as a developer \ No newline at end of file +what you will see as a developer + +## How to enable/ get ECI +(e.g. currently developers in Docker Business customers, requires authentication, etc) + +requires an Apply and restart +- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature + +To enable Hardened Docker Desktop, Docker Business administrators simply have to toggle on the ‘Hardened Desktop’ option within the Settings panel of their Organization’s space on Docker Hub. Your developers must then authenticate to your organization in Docker Desktop for the settings to be applied. You can follow this simple guide for ensuring developers authenticate to your organization before using Docker Desktop. + +Anything that you have the opportunity to configure as an admin, will be locked. Including: + +Registry Access Management +Docker Engine runtime will be locked as Sysbox +Proxy settings (TBD) +Other Docker Engine configs (TBD) +Other Docker Desktop configs (TBD) \ No newline at end of file diff --git a/desktop/enhanced-container-isolation/faq.md b/desktop/enhanced-container-isolation/faq.md new file mode 100644 index 00000000000..38d2c52d5b1 --- /dev/null +++ b/desktop/enhanced-container-isolation/faq.md 
@@ -0,0 +1,43 @@ +--- +title: FAQs and Known issues +description: FAQ for Enhanced Container Isolation +keywords: enhanced container isolation, security, faq, sysbox +--- + + +## FAQ + +### With Hardened Desktop enabled, can the user still override the --runtime flag from the CLI ? + +No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard runc runtime (e.g. docker run --runtime=runc), container creation will fail. The reason runc is disallowed with Hardened Desktop is that it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to do things like modifying the administrative configurations for Docker Desktop. + +### With Hardened Desktop enabled, can the user still use the “--privileged” flag from the CLI? + +Yes, but by virtue of using Sysbox the container will only be privileged within its assigned Linux user-namespace. It will not be privileged within the Docker Desktop Linux VM. + +For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (e.g., seccomp, AppArmor), and see all host devices under the container’s /dev directory. However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. And though it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox will prevent the container from using them to modify the container’s chroot jail. + +TODO: add table to clarify. 
+ +This makes running a privileged container with Hardened Desktop much safer than a privileged container launched with the standard runc, which offers almost no isolation. + +### Why not just restrict usage of the “--privileged” flag in Hardened Desktop? + +Privileged containers are typically used to run advanced workloads in containers (e.g., Docker-in-Docker), to perform kernel operations (e.g. loading modules) or to access hardware devices. We wish to allow the first within Hardened Desktop (i.e., running advanced workloads), yet deny the latter two. + +By virtue of allowing the –privileged flag but restricting its impact within the container's user-namespace, it’s possible to do this. + + +## Known issues + +Known issues? +If in DD “secure mode” all containers are launched with Sysbox, then users may experience some differences between running a container in DD and running that same container in production, because in production the container may run on another runtime (typically the OCI runc). + + +Kernel Day-0 Vulnerabilities +Sysbox can’t protect against kernel day-0 vulnerabilities (e.g., flaws in user-namespace isolation). There have been a few of these recently, but fortunately they are patched pretty quickly in the Linux kernel. +Nested virtualization +Sysbox is not a solution for the problem of running DD inside VMs (which currently requires nested virtualization). Rather Sysbox adds a layer of isolation by running Docker more securely (i.e., without root privileges on the VM). +Docker Engine Limitations +When running Docker inside a Sysbox container (e.g., for extra isolation), most Docker functionality is supported. However, there may be some advanced Docker functionality that does not currently work as the environment inside the Sysbox container does not yet fully resemble that of a bare-metal machine or VM. Fixing this requires further changes in Sysbox. + 
diff --git a/desktop/enhanced-container-isolation/index.md b/desktop/enhanced-container-isolation/index.md new file mode 100644 index 00000000000..1e608b2b3ba --- /dev/null +++ b/desktop/enhanced-container-isolation/index.md 
@@ -0,0 +1,109 @@ +--- +description: Enhanced Container Isolation - benefits, why use it, how it differs to Docker rootless, who it is for +keywords: containers, rootless, security, sysbox, runtime +title: What is Enhanced Container Isolation? +--- + +>Note +> +>Enhanced Container Isolation is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. + + +## What it is +Allows Docker Desktop admins to lock-in configurations (e.g. Registry Access Management) such that they can’t be modified by Docker Desktop users. See below for more details on this. +Enhances container isolation using the Sysbox container runtime (see below for more info). This prevents containers from running as root inside the DD Linux VM and from potentially gaining control of it. + + +Enabling the feature prevents containers from running as root within Docker Desktop’s Linux VM and allows admins to lock-in sensitive security configs. + + +Prevent container attacks and vulnerabilities via Docker Desktop’s Hardened container runtime option, + +Ensure stronger isolation, without any complex setups, using Docker Desktop’s Hardened container runtime option. + +Enhanced Container Isolation provides an additional layer of security within Docker Desktop's Linux VM so there is strong container-to-host isolation. With Enhanced Container Isolation, Docker Desktop: + +- Has a secure boot to prevent modification of Docker provided binaries pre-boot (e.g. docker engine, containerd, runc, etc) +- Prevents user containers from bypassing security controls and modifying system files. 
+- Prevents exposure of docker daemon on TCP without TLS + +By taking advantage of Sysbox, it ensures containers run using the Linux user namespace and are not root in the VM + +Developers can no longer: + +Gain VM root access through privileged containers +Modify files before boot +Access the root console of the VM +Bind mount and modify system files +Escape containers + +Prevent the use of privileged containers gaining root access to the Desktop VM and ensure stronger isolation (Linux user namespace, procfs & sysfs virtualization, mount locking, and more !) using Docker Desktop’s Hardened container runtime.. + +## What the benefits of it are + +As a developer +When using Docker Desktop with the Hardened container runtime option enabled +I should be prevented from doing the following: +Running privileged containers to gain root access to the DD VM +Modifying files before boot +Accessing the root console of the VM +Bind mount and modifying system files +Escaping containers +I would add: "Modifying the config of the Docker Engine (and related components) from within DD containers". + +Get more control over your local Docker Desktop instances using Docker’s Hardened container runtime. + +## Who is it for: + +Problem 2 - Prevent exposure of docker daemon on TCP without TLS + +As an IT admin working for a Docker Business customer, I am concerned that developers will be able to expose the docker daemon on TCP without TLS. + + +Problem 3 - Control mechanisms such as Registry Access Management are only designed to protect against well-intentioned developers making mistakes + +As an IT admin at a Docker Business customer, I’m hesitant to adopt control features like Registry Access Management because it would be easy for a malicious actor within my org to override them by changing settings within Docker Desktop’s Linux VM. 
+ +Problem 4 - I need an easy, intuitive way to implement this control mechanism +As an IT admin at a Docker Business customer, I need an easy, intuitive way to implement the Hardened container runtime option on the machines of my developers. + + + + + +## how does it work and how it differs to traditional rootless docker + +- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” + - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads + +As such, we want to move to a model where the Docker Desktop user whose company has opted in to the Hardened container runtime option can still run all the containers that they expect, however they cannot gain root VM access through privileged containers, they cannot modify host system files, they are running in the user namespace and they cannot escape containers (bar kernel 0-day). These specific enhancements can be attained by integrating Sysbox, the secure container runtime created by Nestybox. + +Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine (e.g. the Mac or Windows device running Docker Desktop). However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. +With root access to the Docker Desktop Linux VM, malicious users could potentially modify security policies of the Docker Engine and Docker Extensions as well as other control mechanisms like Registry Access Management policies and proxy configs. Moreover, whilst we have not yet seen anything of this nature, it is conceptually possible for malware in containers to read files on the users host machine, which presents an information leakage vulnerability. 
+ +Enhancing container isolation by ensuring that containers never run as root inside the Docker Desktop Linux VM, therefore preventing them from potentially gaining control of it. +Ensuring sensitive configurations within the Docker Desktop VM cannot be mounted or modified from a container. This means that the Docker Engine, proxy settings and Registry Access configs can no longer be modified from within a container. They can only be set by the admins for your organization. + + +Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. + +What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. + +This is all done under the covers, without requiring special container images and in a manner that is mostly transparent to Docker Desktop users. + + + +Normally, to run a container with Sysbox in Docker Desktop Business Tier, a user simply adds the --runtime=sysbox-runc flag to the docker run command. + +However, when Hardened Desktop is enabled a number of security features are activated (see above). One of these security features is that the Sysbox runtime is enforced for all user containers (e.g. the --runtime=sysbox-runc flag is implicitly set on all containers). This ensures all user containers run with the enhanced isolation offered by Sysbox. + + + +Currently, the Docker Engine runs inside a container on the DD Linux VM. 
+ +Security-wise, there is no real isolation between the Docker Engine and the VM’s Linux kernel, because the Docker Engine runs as root with full capabilities inside a container that shares almost all namespaces with the VM’s root user (except the mount namespace). This gives the container access to all the VM’s kernel resources. This container is spawned by containerd + runc. +As a result, DD users can easily gain privileged access to the DD VM (e.g., by running “docker run –privileged -it alpine”) from the host. This means DD users are one step closer to gaining privileged access to the underlying host (e.g., through the interfaces between the VM and the host). + + + + From f432f847984f376bb310fc40c8f8ea7b4c9451ac Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 14 Sep 2022 14:58:19 +0100 Subject: [PATCH 03/33] further PR-FAQ additions --- _data/toc.yaml | 27 ++++++++++-------- .../{ => hardened-desktop}/desktop-managed.md | 22 +++++++++++++++ .../enable-eci.md | 19 +++++++++++++ .../enhanced-container-isolation/faq.md | 28 +++++++++++++++++++ .../enhanced-container-isolation/index.md | 13 +++++++++ desktop/hardened-desktop/index.md | 28 +++++++++++++++++++ .../registry-access-management.md | 2 ++ 7 files changed, 128 insertions(+), 11 deletions(-) rename desktop/{ => hardened-desktop}/desktop-managed.md (67%) rename desktop/{ => hardened-desktop}/enhanced-container-isolation/enable-eci.md (58%) rename desktop/{ => hardened-desktop}/enhanced-container-isolation/faq.md (54%) rename desktop/{ => hardened-desktop}/enhanced-container-isolation/index.md (82%) create mode 100644 desktop/hardened-desktop/index.md rename {docker-hub => desktop/hardened-desktop}/registry-access-management.md (98%) diff --git a/_data/toc.yaml b/_data/toc.yaml index 744cbc32b25..0c141b0c7fd 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
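Review bot: The Early Access note added to desktop/desktop-managed.md links to `../../release-lifecycle.md#early-access-ea`, but this file sits one directory below the repo root, so `../../` climbs out of the repository; index.md in this same patch uses the identical path from `desktop/enhanced-container-isolation/`, one level deeper, so at most one of the two links can resolve. Check where release-lifecycle.md lives and fix one of them. The same hunk introduces a third name for the feature (`When admins create a setting and have ‘Rootless Containers’ enabled`) alongside Enhanced Container Isolation and Hardened Desktop, and pastes PR-FAQ material verbatim (`Acceptance criteria`, `(screenshot enclosed)`, and the stand-alone fragment `Send usage statistics is also locked`) that needs rewriting before publication.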
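Review bot: The list after `Anything that you have the opportunity to configure as an admin, will be locked. Including:` in enable-eci.md has no list markers, so the five entries render as a single paragraph, and three of them are `(TBD)`. On a security page it matters which settings are actually enforced; suggest listing only what is confirmed (Registry Access Management, runtime locked to Sysbox) and dropping the TBD entries until they are decided. `## How to enable/ get ECI` is also followed by a bare parenthetical fragment rather than a sentence.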
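Review bot: The `--privileged` discussion in faq.md writes the flag as `–privileged` (en dash) in `By virtue of allowing the –privileged flag`; a reader who copies that gets an unrecognised option, so it should be the two-hyphen form used in the question heading. The page also ships with `TODO: add table to clarify.` and the placeholder heading `Known issues?` in its body. `Kernel Day-0 Vulnerabilities` should be `zero-day`, and `There have been a few of these recently, but fortunately they are patched pretty quickly` is too vague for a known-issues entry; state it as a limitation (user-namespace isolation does not defend against kernel vulnerabilities) rather than as reassurance.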
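Review bot: The bullet list under `With Enhanced Container Isolation, Docker Desktop:` in index.md mixes protections that come from the Sysbox runtime (user namespaces, no root in the VM) with items that read as admin-locked Desktop settings (`Prevents exposure of docker daemon on TCP without TLS`) and one that is neither (`Has a secure boot to prevent modification of Docker provided binaries pre-boot`); since the FAQ in this same patch attributes the no-root-in-VM guarantee to the runtime, the page should say which mechanism provides each guarantee, otherwise admins will expect the TLS and boot protections from toggling ECI alone. Further items in this hunk that should not go live: the `Developers can no longer:` list appears twice (the second time as a user story ending in `I would add: ...`), the `Problem 2`/`Problem 3`/`Problem 4` PR-FAQ stories, and the example command `docker run –privileged -it alpine`, which again uses an en dash. `Sysbox is an alternative “runc”` reads better as `an alternative to runc`.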
@@ -1189,16 +1189,22 @@ manuals: title: Docker Desktop WSL 2 backend on Windows - path: /desktop/vm-vdi/ title: Run Docker Desktop for Windows in a VM or VDI environment - - sectiontitle: Enhanced Container Isolation (Early Access) + - sectiontitle: Hardened Desktop (Early Access) section: - - path: /desktop/enhanced-container-isolation/ - title: What is Enhanced Container Isolation? - - path: /desktop/enhanced-container-isolation/enable-eci/ - title: Enable Enhanced Container Isolation - - path: /desktop/enhanced-container-isolation/faq/ - title: FAQ and known issues - - path: /desktop/desktop-managed/ - title: Desktop Managed (Early Access) + - path: /desktop/hardened-desktop/ + title: Overview + - path: /docker-hub/registry-access-management/ + title: Registry Access Management + - path: /desktop/desktop-managed/ + title: Desktop Managed (Early Access) + - sectiontitle: Enhanced Container Isolation (Early Access) + section: + - path: /desktop/enhanced-container-isolation/ + title: What is Enhanced Container Isolation? + - path: /desktop/enhanced-container-isolation/enable-eci/ + title: Enable Enhanced Container Isolation + - path: /desktop/enhanced-container-isolation/faq/ + title: FAQ and known issues - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/ @@ -1568,8 +1574,7 @@ manuals: title: System for Cross-domain Identity Management - path: /docker-hub/image-access-management/ title: Image Access Management - - path: /docker-hub/registry-access-management/ - title: Registry Access Management + - sectiontitle: Security section: diff --git a/desktop/desktop-managed.md b/desktop/hardened-desktop/desktop-managed.md similarity index 67% rename from desktop/desktop-managed.md rename to desktop/hardened-desktop/desktop-managed.md index 78fec798617..aa6ac5d464e 100644 --- a/desktop/desktop-managed.md +++ b/desktop/hardened-desktop/desktop-managed.md 
@@ -12,6 +12,8 @@ title: Desktop Managed (Early Access) When admins create a setting and have ‘Rootless Containers’ enabled, the setting cannot be modified by developers within their org +Admin Controls is a feature that allows Docker Business customers to centralize control of Docker Desktop and lock its settings (including Enhanced Container Isolation). + ## What are the benefits 
@@ -70,9 +72,29 @@ where ‘enhanced container isolation’ is a prerequisite to ensure that some s Explain what happens on the developer side, e.g. once you configure your settings, your developer will see that they are locked by their org admin in the Docker Desktop UI +Docker Desktop users will see a banner on the ‘Preferences’ panel noting that ‘Some settings are managed by your Admin’. The relevant settings will be grayed out and the user will be unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. + ## How to set it up Details on where the admin-settings.json should be placed on Windows and macOS Explain that for this feature to take effect, developers must authenticate to their Docker Business org. In order to ensure that this happens, admins must use the registry.json file (link to relevant doc) + + +What configurations can I set using Admin Controls ? How do I set these ? + +Values for the following can be set in the admin-settings.json: +Enhanced Container Isolation +HTTP Proxies +Network settings +Expose daemon on tcp://localhost:2375 without TLS Resources (Windows only) +Use of WSL2 based engine or Hyper-V +Docker Engine configuration +Turning off checks for updates +Turning off sending usage statistics +An example admin-settings.json is shown below: + +As you can see in the above image, admins can specify the value for a setting and also whether they want the setting to be locked. +If a setting is locked:true, then the Docker Desktop user will be unable to modify it. The locked: true should be used when you want to ensure that users cannot adjust the setting (e.g. it’s an important security setting such as a proxy). +If a setting is locked: false, then the Docker Desktop user will be able to modify it via the Docker Desktop UI or CLI. The locked: false should be used when you want to preconfigure Docker Desktop settings for your users, but give them the flexibility to adjust as they please. 
diff --git a/desktop/enhanced-container-isolation/enable-eci.md b/desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md similarity index 58% rename from desktop/enhanced-container-isolation/enable-eci.md rename to desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md index bedefdc7db1..16e8368f0ca 100644 --- a/desktop/enhanced-container-isolation/enable-eci.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md @@ -16,6 +16,25 @@ requires an Apply and restart To enable Hardened Docker Desktop, Docker Business administrators simply have to toggle on the ‘Hardened Desktop’ option within the Settings panel of their Organization’s space on Docker Hub. Your developers must then authenticate to your organization in Docker Desktop for the settings to be applied. You can follow this simple guide for ensuring developers authenticate to your organization before using Docker Desktop. +How do I enable Enhanced Container Isolation for my organization ? + +In the admin-settings.json specify “enhancedContainerIsolation”: true as per the below image. + + + +You must then place this file on your developers machines in the following locations: + +Mac - +Windows - +Linux - + +As mentioned above, the Hardened Desktop security model is designed for organizations that don't give root/admin access to their developers on their machines. By placing this file in the above protected directories, end users will be unable to modify it. We also assume that said organizations have the ability to push this settings file to the locations specified above via device management software such as Jamf. + +Important - Your Docker Desktop users must then authenticate to your organization for this configuration to take effect. You can configure the registry.json file to enforce sign in. + + + + Anything that you have the opportunity to configure as an admin, will be locked. Including: Registry Access Management 
diff --git a/desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md similarity index 54% rename from desktop/enhanced-container-isolation/faq.md rename to desktop/hardened-desktop/enhanced-container-isolation/faq.md index 38d2c52d5b1..849dda1d48a 100644 --- a/desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
@@ -28,6 +28,34 @@ Privileged containers are typically used to run advanced workloads in containers By virtue of allowing the –privileged flag but restricting its impact within the container's user-namespace, it’s possible to do this. +I’ve heard that Docker Desktop’s settings can also be configured via a settings.json file ? What’s the difference between Admin Controls (which uses the admin-settings.json) and the original settings.json method ? + +Some organizations currently use the settings.json file to pre-configure Docker Desktop settings for their users. The problem with this approach is that developers own the settings.json file and can therefore adjust any settings that their admins create (for example, modifying network and proxy controls). The admin-settings.json on the other hand, can only be used by an admin with root privileges and as such cannot be modified by users. This means that admins can lock in settings for their users via the admin-settings.json. + + +With Hardened Desktop enabled, can the user still override the --runtime flag from the CLI ? + +No. With Hardened Desktop enabled, Docker’s hardened container runtime (using Sysbox) is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard runc runtime (e.g. docker run --runtime=runc), container creation will fail. The reason runc is disallowed with Hardened Desktop is that it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to do things like modifying the Admin Controls for Docker Desktop. + +With Hardened Desktop enabled, can the user still use the --privileged flag from the CLI? + +Yes, but by virtue of using Sysbox the container will only be privileged within its assigned Linux user-namespace. It will not be privileged within the Docker Desktop Linux VM. 
+ +For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (e.g. seccomp, AppArmor), and see all host devices under the container’s /dev directory. However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. And though it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox will prevent the container from using them to modify the container’s chroot jail. + +This makes running a privileged container with Hardened Desktop much safer than a privileged container launched with the standard runc, which offers almost no isolation. + +Why not just restrict usage of the --privileged flag in Hardened Desktop ? + +Privileged containers are typically used to run advanced workloads in containers (e.g. Docker-in-Docker), to perform kernel operations (e.g. loading modules) or to access hardware devices. We wish to allow the first within Hardened Desktop (e.g. running advanced workloads), yet deny the latter two. By virtue of allowing the –privileged flag but restricting its impact within the container's user-namespace, it’s possible to do this. + + + + + + + + ## Known issues Known issues? diff --git a/desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md similarity index 82% rename from desktop/enhanced-container-isolation/index.md rename to desktop/hardened-desktop/enhanced-container-isolation/index.md index 1e608b2b3ba..69a71072968 100644 --- a/desktop/enhanced-container-isolation/index.md 
+++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
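Review bot: In the faq.md hunk above (@@ -28,6 +28,34 @@), the added "Why not just restrict usage of the --privileged flag in Hardened Desktop ?" question duplicates text the file already contains: the hunk's leading context lines are that same "Privileged containers are typically used ... By virtue of allowing the –privileged flag ..." answer, so after this change the file carries the Q&A twice (and the faq.md hunk in PATCH 04 then spends lines deleting the copies). Add only the genuinely new questions here (the settings.json versus admin-settings.json question, the `--runtime` question, and the `--privileged` question). The added copy also writes the flag as "–privileged" with an en dash; it should be `--privileged`. The new questions are plain paragraphs ending in " ?" with a space before the question mark; make them "### " headings with no space, consistent with the "## Known issues" heading in the same file, and replace the "Known issues?" placeholder under that heading.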
@@ -10,10 +10,23 @@ title: What is Enhanced Container Isolation? ## What it is + +Wait, that last point doesn’t make sense ! I thought Admin Controls would automatically lock any security controls I create, but you’re saying that Enhanced Container Isolation is also required to prevent containers from modifying these ? +Using Admin Controls, your Docker Business admin can lock in Docker Desktop settings such as HTTP Proxies and Network settings. This means that users of Docker Desktop will then have no path within Docker Desktop to change these settings (e.g. via the user interface or CLI). +However, malicious code in a container could still potentially modify these controls without the developer knowing. Enhanced Container Isolation is an extra layer of security that prevents containers from modifying any Admin Controls or security policies, so that admins have complete peace of mind that their settings are enforced. + + +Containers will no longer run as root inside the Docker Desktop Linux VM and will instead run using the Linux user namespace. +As a result, user containers will be unable to modify any security configurations created by your Docker admins (e.g. Registry Access Management policies and Admin Controls). + + +Enhanced Container Isolation is a feature that admins can enable, which prevents containers from running as root in the Docker Desktop Linux VM. Allows Docker Desktop admins to lock-in configurations (e.g. Registry Access Management) such that they can’t be modified by Docker Desktop users. See below for more details on this. Enhances container isolation using the Sysbox container runtime (see below for more info). This prevents containers from running as root inside the DD Linux VM and from potentially gaining control of it. +With Enhanced Container Isolation enabled, all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. 
Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter Admin Controls via containers. + Enabling the feature prevents containers from running as root within Docker Desktop’s Linux VM and allows admins to lock-in sensitive security configs. diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md new file mode 100644 index 00000000000..834396e7449 --- /dev/null +++ b/desktop/hardened-desktop/index.md 
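Review bot: The added "Wait, that last point doesn't make sense !" paragraph in the enhanced-container-isolation/index.md hunk is a Q&A fragment pasted into the "What it is" overview; restate it as a plain statement (Admin Controls removes the UI and CLI paths for changing a locked setting; Enhanced Container Isolation additionally stops code running in a container from changing it) or move it to the FAQ page, where the settings.json question already lives. The rest of the hunk says "prevents containers from running as root in the Docker Desktop Linux VM" in three separate added paragraphs; one is enough. "Allows Docker Desktop admins to lock-in configurations (e.g. Registry Access Management) such that ..." is a sentence without a subject, left over from a bullet list, and "DD Linux VM" should be spelled out as "Docker Desktop Linux VM". Use "lock in" (verb) rather than "lock-in".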
@@ -0,0 +1,28 @@ +--- +title: Hardened Desktop +description: Overview of what Hardened Desktop is +keywords: security, hardened desktop, enhanced container isolation, +--- + +Hardened Desktop is Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience + +These new features from Docker follow a number of security related acquisitions (Nestybox, Atomist) that sees the company establishing itself as the undoubted market leader in providing an Enterprise-ready offering for containerised development. + +This configuration is designed for organizations that don't give root/admin access to their developers on their machines, and wish to configure Docker Desktop to also be within the organization's centralized control. + +In order to use this model, the application and VM image need to be installed as root/admin so that the user cannot modify them. All containers are run unprivileged in the VM, in user namespaces. Root access to the VM is removed, and privileged containers cannot be run, and there is no access to the host namespaces. The ownership boundary of system code in the VM moves to the organization. The user owns the (unprivileged) containers that they run, the equivalent of being able to run unprivileged applications on the host but not being able to modify the host configuration. + + +We have introduced features such as registry access management, that controls which registries a user can pull from on Docker Desktop, as organizations want to only allow users to pull from their central repository, but again this cannot actually be enforced if the user can modify the VM freely and disable controls, which this model prevents. + + +We have some longer term roadmap items around secure boot and code verification to increase trust in the code on the VM, as well as supporting trusted logging and audit. + + a new security model for Docker Desktop. 
The Hardened Desktop security model is designed to provide Enterprise admins with a simple and powerful way to increase their security posture for containerised development. + + + As part of the Hardened Desktop model, Docker announced the release of two initial features. The first is Enhanced Container Isolation, a setting that helps admins to instantly enhance security by preventing containers from running as root in Docker Desktop’s Linux VM. The second is Admin Controls, which helps Enterprise admins to confidently manage and control usage of Docker Desktop. With just a few lines of JSON, admins will be able to enforce preferences like HTTP proxies, Network settings and the Docker Engine configuration, saving them significant time and cost in securing their developer workflows. + +With the Hardened Desktop security model, and our new Enhanced Container Isolation and Admin Controls features we’re moving the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user. + + Docker will be adding more security enhancements to their Hardened Desktop model over the coming months. diff --git a/docker-hub/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md similarity index 98% rename from docker-hub/registry-access-management.md rename to desktop/hardened-desktop/registry-access-management.md index bce4eb1f5dc..5b2f48dbe31 100644 --- a/docker-hub/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md 
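Review bot: The new hardened-desktop/index.md ends with an orphaned fragment, " a new security model for Docker Desktop.", on its own line immediately before "The Hardened Desktop security model is designed ..."; join it to the sentence it belongs to or delete it. The opening sentence "Hardened Desktop is Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience" has no full stop, and the front matter line "keywords: security, hardened desktop, enhanced container isolation," has a trailing comma. The paragraph calling Docker "the undoubted market leader" is press-release language that none of the other pages in this patch use; the paragraph after it (application and VM image installed as root/admin, containers run unprivileged in user namespaces, no access to host namespaces, ownership boundary moves to the organization) is the substance readers need and is worth keeping as the lead. "containerised" appears twice alongside "organizations" and "centralized" in the same file; pick one spelling convention.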
@@ -2,6 +2,8 @@ description: Registry Access Management keywords: registry, access, managment title: Registry Access Management +redirect_from: +- /docker-hub/registry-access-management/ --- Registry Access Management is a feature available to organizations with a Docker Business subscription. With Registry Access Management, organization owners can ensure that their developers using Docker Desktop can only access registries that have been allow-listed via the Registry Access Management dashboard on Docker Hub to reflect support for other registries: AWS ECR, GitHub Container Registry, Google Container Registry, Quay, and others. From e01d41aec5b8acaff4233d5e43df2c2513db0d08 Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 16 Sep 2022 10:38:35 +0100 Subject: [PATCH 04/33] edits, edits, edits --- _data/toc.yaml | 22 ++-- assets/images/lock.svg | 1 + assets/images/registry.svg | 1 + assets/images/secure.svg | 1 + .../admin-controls/configure-ac.md | 47 ++++++++ .../hardened-desktop/admin-controls/index.md | 59 +++++++++++ desktop/hardened-desktop/desktop-managed.md | 100 ------------------ .../enable-eci.md | 44 -------- .../enhanced-container-isolation/faq.md | 78 +++++--------- .../how-eci-works.md | 49 +++++++++ .../enhanced-container-isolation/index.md | 67 ++++++------ desktop/hardened-desktop/index.md | 64 +++++++---- .../registry-access-management.md | 2 +- desktop/images/admin-settings.PNG | Bin 0 -> 61008 bytes 14 files changed, 277 insertions(+), 258 deletions(-) create mode 100644 assets/images/lock.svg create mode 100644 assets/images/registry.svg create mode 100644 assets/images/secure.svg create mode 100644 desktop/hardened-desktop/admin-controls/configure-ac.md create mode 100644 desktop/hardened-desktop/admin-controls/index.md delete mode 100644 desktop/hardened-desktop/desktop-managed.md delete mode 100644 desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md create mode 100644 desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md create mode 100644 desktop/images/admin-settings.PNG diff --git a/_data/toc.yaml b/_data/toc.yaml index 0c141b0c7fd..1ecd9793c37 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -1189,21 +1189,25 @@ manuals: title: Docker Desktop WSL 2 backend on Windows - path: /desktop/vm-vdi/ title: Run Docker Desktop for Windows in a VM or VDI environment - - sectiontitle: Hardened Desktop (Early Access) + - sectiontitle: Hardened Desktop section: - path: /desktop/hardened-desktop/ - title: Overview - - path: /docker-hub/registry-access-management/ + title: Overview + - path: /desktop/hardened-desktop/registry-access-management/ title: Registry Access Management - - path: /desktop/desktop-managed/ - title: Desktop Managed (Early Access) + - sectiontitle: Admin controls (Early Access) + section: + - path: /desktop/hardened-desktop/admin-controls/ + title: What is Admin Controls? + - path: /desktop/hardened-desktop/admin-controls/configure-ac/ + title: Configure Admin controls - sectiontitle: Enhanced Container Isolation (Early Access) section: - - path: /desktop/enhanced-container-isolation/ + - path: /desktop/hardened-desktop/enhanced-container-isolation/ title: What is Enhanced Container Isolation? - - path: /desktop/enhanced-container-isolation/enable-eci/ - title: Enable Enhanced Container Isolation - - path: /desktop/enhanced-container-isolation/faq/ + - path: /desktop/hardened-desktop/enhanced-container-isolation/how-eci-works/ + title: How does it work? + - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ title: FAQ and known issues - sectiontitle: Dev Environments (Beta) section: diff --git a/assets/images/lock.svg b/assets/images/lock.svg new file mode 100644 index 00000000000..3719288ff74 --- /dev/null +++ b/assets/images/lock.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/images/registry.svg b/assets/images/registry.svg new file mode 100644 index 00000000000..06939007753 --- /dev/null +++ b/assets/images/registry.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/images/secure.svg b/assets/images/secure.svg new file mode 100644 index 00000000000..5c829fb2c35 --- /dev/null 
+++ b/assets/images/secure.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md new file mode 100644 index 00000000000..5468021c309 --- /dev/null +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
@@ -0,0 +1,47 @@ +--- +description: admin controls for desktop +keywords: admin, controls, rootless, enhanced container isolation +title: Configure Admin Controls +--- + +>Note +> +>Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. + +This page contains information on how Enterprise admins can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. + +## Prerequisite + +You need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. + +## Step one: Place the `admin-settings.json` file in the correct location + +Place the `admin-settings.json` file on your developers machines in the following locations: + +- Mac: /Library/Application Support/com.docker.docker/admin-settings.json +- Windows: /ProgramData/DockerDesktop/admin-settings.json +- Linux - /usr/share/docker-desktop/registry/admin-settings.json + +By placing this file in the above protected directories, end users are unable to modify it. + +>Note +> +> It is assumed that Enterprise admins have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). + +## Step two: Add the key value pairs for the admin controls you want to lock in + +The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` setting. If set to `true`, users are not able to edit this setting from the UI or CLI. 
If set to `false`, users can change this setting from the UI or the CLI by directly editing settings.json. If this setting is omitted, the default value is `false`. + +The image below displays an example `admin-settings.json` file. + +![admin-settings.json](../../images/admin-settings.PNG){:width="500px"} + +The following table provides the required syntax and descriptions for parameters and values: + + +| Parameter | Description | +| :--------------------------------- | :--------------------------------- | +| `enhancedContainerIsolation` | | + + +Once you have created and configured `admin-settings.json`, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. \ No newline at end of file diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md new file mode 100644 index 00000000000..ddd18bf64b4 --- /dev/null +++ b/desktop/hardened-desktop/admin-controls/index.md 
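Review bot: The parameter table at the end of the configure-ac.md hunk has a single row, `enhancedContainerIsolation`, with an empty description, while the index page sends readers here for "the syntax and options you can set"; fill in a row for each setting the index page lists (proxies, network, the 2375 daemon exposure, WSL 2 versus Hyper-V, engine configuration, update checks, usage statistics) with its value type and what `locked` does for it, or mark the table TODO. The three location bullets mix styles ("Mac:", "Windows:", "Linux -"), and the Windows path "/ProgramData/DockerDesktop/admin-settings.json" is written with POSIX separators and no drive letter, which Windows readers will not recognise as a path they can paste. The sentence "By placing this file in the above protected directories, end users are unable to modify it" holds only when those directories are root/admin owned; the deleted enable-eci.md text stated that assumption ("designed for organizations that don't give root/admin access to their developers") and it should be restored here, since it is the property the whole lock mechanism rests on. The Jamf link carries `gclid=` and `attr=google_ads...` tracking parameters; link to https://www.jamf.com/ instead.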
@@ -0,0 +1,59 @@ +--- +description: admin controls for desktop +keywords: admin, controls, rootless, +title: What is Admin Controls? +--- +>Note +> +>Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. + +Admin Controls is a a feature that gives Enterprise admins the ability to enforce certain Docker Desktop settings for their organization. + +With just a few lines of JSON, admins are able to enforce preferences like HTTP proxies, Network settings and the Docker Engine configuration. This saves signficant time and cost in securing developer workflows. + +### Who is it for? + +- For Organizations who wish to configure Docker Desktop to also be within their organizations centralized control. +- For Organizaitons who want to create a standardized Docker Desktop environment at scale. +- For security conscious Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. + +### What can be set? + +Using the `admin-settings.json` file, admins can: + +- Enable Enhanced Container Isolation +- Configure HTTP Proxies +- Configure Network settings +- Expose daemon on tcp://localhost:2375 without TLS Resources (Windows only) +- Enforce the use of WSL2 based engine or Hyper-V +- Configure Docker Engine +- Turning off checks for updates +- Turning off sending usage statistics + +For more details on the syntax and options you can set, see [Configure Admin Controls](configure-ac.md). + +### What do users see when the settings are enforced? + +Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. + +Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. 
+ +### How does this differ to the `settings.json` file? + +Using the `settings.json` file to pre-configure Docker Desktop settings menas that developers own the settings.json file and can therefore adjust any settings that their admins create, for example, modifying network and proxy controls. + +The `admin-settings.json` file can only be used by an admin with root privileges and cannot be modified by users. + +### How do I set up and enforce Admin Controls? + +As an Enterprise admin, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. + +Next, you must [create and configure the admin-settings.json file](configure-ac.md). + +Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. + + + + + + diff --git a/desktop/hardened-desktop/desktop-managed.md b/desktop/hardened-desktop/desktop-managed.md deleted file mode 100644 index aa6ac5d464e..00000000000 --- a/desktop/hardened-desktop/desktop-managed.md +++ /dev/null 
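Review bot: Typos in the admin-controls/index.md hunk: "a a feature", "signficant", "Organizaitons", "menas", and "organizations centralized control" and "your developers workflow" both need apostrophes; "if macOS user" should read "for macOS users". In the "What can be set?" list, "Expose daemon on tcp://localhost:2375 without TLS Resources (Windows only)" looks like two items run together ("Expose daemon on tcp://localhost:2375 without TLS" and "Resources"), and the last two items ("Turning off checks for updates", "Turning off sending usage statistics") break the imperative form of the others ("Enable", "Configure", "Enforce"). The settings.json comparison states the trust boundary correctly (developers own settings.json, admin-settings.json is usable only by an admin with root privileges); since that guarantee depends on where the file is placed, link that sentence to the location step on the configure page.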
@@ -1,100 +0,0 @@ ---- -description: admin controls for desktop -keywords: admin, controls, rootless, enhanced container isolation -title: Desktop Managed (Early Access) ---- - ->Note -> ->Desktop Managed is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. - -## What it is - -When admins create a setting and have ‘Rootless Containers’ enabled, the setting cannot be modified by developers within their org - -Admin Controls is a feature that allows Docker Business customers to centralize control of Docker Desktop and lock its settings (including Enhanced Container Isolation). - -## What are the benefits - - - -we need to think about how best to convey to users via the docs that these settings will only be respected in the VM if the user has ‘Enhanced Container Isolation’ toggled on. - - -should note our competitive advantage here, e.g. that when the ‘Enhanced container isolation’ setting is configured, these settings cannot be modified by developers (loop in Cesar / Rodny to advise on wording) - -Admins for Docker Business organizations will get Admin Controls, a feature allowing them to enforce certain Docker Desktop settings for their organization. Specifically, admins will be able to enforce: - -Send usage statistics is also locked - -Admins can lock down any values configurable via the Resources > Network tab via the admin-settings.json. 
For the time being, this is just the Docker subnet value (screenshot enclosed) - - -Main usage for this is to lock enterprise related settings: - - proxies (so users don’t have to set up them / to know that they exist / to bypass them) - - vpnkit CIDR (to avoid network clashes) - - VM settings - - block telemetry - - auto update behavior - - daemon config (we want to lock some fields with optional value but keep other ones free to use) - - If ‘Software Updates’ are locked by the admin: - -‘Preferences’ section is not shown on ‘Software Updates’ panel - -User cannot see A new update is ready to download text - -User will get the following message You're currently on version X. The latest version is Y. Updates are managed by your admin. - -Users cannot see the Download update button - -Users are still able to see the description of the new release as well as the associated Release notes button - -The admin should be able to configure all proxy values available via the Docker Desktop Preferences > Resources > Proxies UI, via the admin-settings.json file. - -Acceptance criteria - -Admins should have the ability to enforce the use of Hyper-V OR WSL2 - - - -## What can be set? - - the Admin can lock via the admin-settings.json - - - -these details should include the exact syntax / options that the admin can use in the admin-settings.json to configure each setting - -where ‘enhanced container isolation’ is a prerequisite to ensure that some settings are enforced within the Docker Desktop Linux VM, clearly denote this to the user (Cesar and Rodny can advise on this one) - -## What do developers see - -Explain what happens on the developer side, e.g. once you configure your settings, your developer will see that they are locked by their org admin in the Docker Desktop UI - -Docker Desktop users will see a banner on the ‘Preferences’ panel noting that ‘Some settings are managed by your Admin’. 
The relevant settings will be grayed out and the user will be unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. - -## How to set it up - -Details on where the admin-settings.json should be placed on Windows and macOS - -Explain that for this feature to take effect, developers must authenticate to their Docker Business org. In order to ensure that this happens, admins must use the registry.json file (link to relevant doc) - - - -What configurations can I set using Admin Controls ? How do I set these ? - -Values for the following can be set in the admin-settings.json: -Enhanced Container Isolation -HTTP Proxies -Network settings -Expose daemon on tcp://localhost:2375 without TLS Resources (Windows only) -Use of WSL2 based engine or Hyper-V -Docker Engine configuration -Turning off checks for updates -Turning off sending usage statistics -An example admin-settings.json is shown below: - -As you can see in the above image, admins can specify the value for a setting and also whether they want the setting to be locked. -If a setting is locked:true, then the Docker Desktop user will be unable to modify it. The locked: true should be used when you want to ensure that users cannot adjust the setting (e.g. it’s an important security setting such as a proxy). -If a setting is locked: false, then the Docker Desktop user will be able to modify it via the Docker Desktop UI or CLI. The locked: false should be used when you want to preconfigure Docker Desktop settings for your users, but give them the flexibility to adjust as they please. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md b/desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md deleted file mode 100644 index 16e8368f0ca..00000000000 --- a/desktop/hardened-desktop/enhanced-container-isolation/enable-eci.md +++ /dev/null 
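Review bot: Deleting desktop-managed.md drops behaviour details that the replacement pages do not carry over: what users see when "Software Updates" are locked (no "Preferences" section on the Software Updates panel, no "Download update" button, the "Updates are managed by your admin" message), that the Resources > Network lock currently covers only the Docker subnet value, and the list of intended lock targets (proxies, vpnkit CIDR, VM settings, telemetry, auto update behaviour, daemon config with some fields locked and others free). The new configure-ac.md table has only an empty `enhancedContainerIsolation` row, so this file was the only place those specifics existed; move them into the parameter table before removing the file, or note them in the PR so they are not lost.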
@@ -1,44 +0,0 @@ ---- -description: Instructions on how to set up enhanced container isolation -title: Enable Enhanced Container Isolation -keywords: set up, enhanced container isolation, rootless, security ---- - -How to configure it if you are an admin - -what you will see as a developer - -## How to enable/ get ECI -(e.g. currently developers in Docker Business customers, requires authentication, etc) - -requires an Apply and restart -- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature - -To enable Hardened Docker Desktop, Docker Business administrators simply have to toggle on the ‘Hardened Desktop’ option within the Settings panel of their Organization’s space on Docker Hub. Your developers must then authenticate to your organization in Docker Desktop for the settings to be applied. You can follow this simple guide for ensuring developers authenticate to your organization before using Docker Desktop. - -How do I enable Enhanced Container Isolation for my organization ? - -In the admin-settings.json specify “enhancedContainerIsolation”: true as per the below image. - - - -You must then place this file on your developers machines in the following locations: - -Mac - -Windows - -Linux - - -As mentioned above, the Hardened Desktop security model is designed for organizations that don't give root/admin access to their developers on their machines. By placing this file in the above protected directories, end users will be unable to modify it. We also assume that said organizations have the ability to push this settings file to the locations specified above via device management software such as Jamf. - -Important - Your Docker Desktop users must then authenticate to your organization for this configuration to take effect. You can configure the registry.json file to enforce sign in. - - - - -Anything that you have the opportunity to configure as an admin, will be locked. 
Including: - -Registry Access Management -Docker Engine runtime will be locked as Sysbox -Proxy settings (TBD) -Other Docker Engine configs (TBD) -Other Docker Desktop configs (TBD) \ No newline at end of file diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index 849dda1d48a..6a1562c6a16 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md @@ -1,71 +1,49 @@ --- -title: FAQs and Known issues +title: FAQs and known issues description: FAQ for Enhanced Container Isolation keywords: enhanced container isolation, security, faq, sysbox +toc_max: 2 --- + +
+
-## FAQ +### With Enhanced Container Isolation enabled, can the user still override the `--runtime` flag from the CLI ? -### With Hardened Desktop enabled, can the user still override the --runtime flag from the CLI ? +No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard `runc` runtime, for example `docker run --runtime=runc`, container creation fails. -No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard runc runtime (e.g. docker run --runtime=runc), container creation will fail. The reason runc is disallowed with Hardened Desktop is that it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to do things like modifying the administrative configurations for Docker Desktop. +The reason `runc` is disallowed with Enhanced Container Isolation is because it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to modify the administrative configurations for Docker Desktop, for example. -### With Hardened Desktop enabled, can the user still use the “--privileged” flag from the CLI? +### With Enhanced Container Isolation enabled, can the user still use the `--privileged` flag from the CLI? -Yes, but by virtue of using Sysbox the container will only be privileged within its assigned Linux user-namespace. It will not be privileged within the Docker Desktop Linux VM. +Yes, with Enhanced Container Isolation the container is only privileged within its assigned Linux user-namespace. It is not privileged within the Docker Desktop Linux VM. 
-For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (e.g., seccomp, AppArmor), and see all host devices under the container’s /dev directory. However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. And though it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox will prevent the container from using them to modify the container’s chroot jail. +For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s /dev directory. -TODO: add table to clarify. +However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. Although it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox prevents the container from using them to modify the container’s chroot jail. -This makes running a privileged container with Hardened Desktop much safer than a privileged container launched with the standard runc, which offers almost no isolation. 
+This makes running a privileged container with Enhanced Container Isolation much safer than a privileged container launched with the standard runc, which offers almost no isolation. -### Why not just restrict usage of the “--privileged” flag in Hardened Desktop? +### Why not just restrict usage of the `--privileged` flag with Enhanced Container Isolation? -Privileged containers are typically used to run advanced workloads in containers (e.g., Docker-in-Docker), to perform kernel operations (e.g. loading modules) or to access hardware devices. We wish to allow the first within Hardened Desktop (i.e., running advanced workloads), yet deny the latter two. +Privileged containers are typically used to run advanced workloads in containers, for example Docker-in-Docker, to perform kernel operations such as loading modules, or to access hardware devices. We aim to allow running advanced workloads, but deny the ability to perform kernel operations or access hardware devices. -By virtue of allowing the –privileged flag but restricting its impact within the container's user-namespace, it’s possible to do this. +Allowing the `-–privileged` flag but restricting its impact within the container's user-namespace, it’s possible to do this. +
+
+
-I’ve heard that Docker Desktop’s settings can also be configured via a settings.json file ? What’s the difference between Admin Controls (which uses the admin-settings.json) and the original settings.json method ? +- Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc. -Some organizations currently use the settings.json file to pre-configure Docker Desktop settings for their users. The problem with this approach is that developers own the settings.json file and can therefore adjust any settings that their admins create (for example, modifying network and proxy controls). The admin-settings.json on the other hand, can only be used by an admin with root privileges and as such cannot be modified by users. This means that admins can lock in settings for their users via the admin-settings.json. +- Kernel Day-0 Vulnerabilities: Sysbox can’t protect against kernel day-0 vulnerabilities (e.g., flaws in user-namespace isolation). There have been a few of these recently, but fortunately they are patched pretty quickly in the Linux kernel. +- Docker Engine Limitations: When running Docker inside a Sysbox container (e.g., for extra isolation), most Docker functionality is supported. However, there may be some advanced Docker functionality that does not currently work as the environment inside the Sysbox container does not yet fully resemble that of a bare-metal machine or VM. Fixing this requires further changes in Sysbox. -With Hardened Desktop enabled, can the user still override the --runtime flag from the CLI ? - -No. With Hardened Desktop enabled, Docker’s hardened container runtime (using Sysbox) is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard runc runtime (e.g. 
docker run --runtime=runc), container creation will fail. The reason runc is disallowed with Hardened Desktop is that it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to do things like modifying the Admin Controls for Docker Desktop. - -With Hardened Desktop enabled, can the user still use the --privileged flag from the CLI? - -Yes, but by virtue of using Sysbox the container will only be privileged within its assigned Linux user-namespace. It will not be privileged within the Docker Desktop Linux VM. - -For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (e.g. seccomp, AppArmor), and see all host devices under the container’s /dev directory. However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. And though it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox will prevent the container from using them to modify the container’s chroot jail. - -This makes running a privileged container with Hardened Desktop much safer than a privileged container launched with the standard runc, which offers almost no isolation. - -Why not just restrict usage of the --privileged flag in Hardened Desktop ? - -Privileged containers are typically used to run advanced workloads in containers (e.g. Docker-in-Docker), to perform kernel operations (e.g. loading modules) or to access hardware devices. We wish to allow the first within Hardened Desktop (e.g. 
running advanced workloads), yet deny the latter two. By virtue of allowing the –privileged flag but restricting its impact within the container's user-namespace, it’s possible to do this. - - - - - - - - -## Known issues - -Known issues? -If in DD “secure mode” all containers are launched with Sysbox, then users may experience some differences between running a container in DD and running that same container in production, because in production the container may run on another runtime (typically the OCI runc). - - -Kernel Day-0 Vulnerabilities -Sysbox can’t protect against kernel day-0 vulnerabilities (e.g., flaws in user-namespace isolation). There have been a few of these recently, but fortunately they are patched pretty quickly in the Linux kernel. -Nested virtualization -Sysbox is not a solution for the problem of running DD inside VMs (which currently requires nested virtualization). Rather Sysbox adds a layer of isolation by running Docker more securely (i.e., without root privileges on the VM). -Docker Engine Limitations -When running Docker inside a Sysbox container (e.g., for extra isolation), most Docker functionality is supported. However, there may be some advanced Docker functionality that does not currently work as the environment inside the Sysbox container does not yet fully resemble that of a bare-metal machine or VM. Fixing this requires further changes in Sysbox. - +
+
+
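Review bot: the rewritten answer in this FAQ hunk is internally inconsistent and one of its `+` lines contains a malformed flag. The heading is renamed to "With Enhanced Container Isolation enabled, ...", but the answer still opens `+No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime.`, so the reader sees two feature names for the same thing in consecutive lines. Further down, `+Allowing the \`-–privileged\` flag but restricting its impact within the container's user-namespace, it’s possible to do this.` uses a hyphen followed by an en dash (`-–`) instead of `--`, which will be copied into terminals as a non-working flag, and the sentence has no subject; suggest "Allowing the `--privileged` flag while restricting its effect to the container's user namespace makes this possible." The new known-issues bullets (`+- Kernel Day-0 Vulnerabilities: ...`, `+- Docker Engine Limitations: ...`) drop the "Nested virtualization" item that the removed `-## Known issues` block carried; confirm that omission is intended rather than lost in the move, and note that `-TODO: add table to clarify.` is removed without the table having been added.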
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md new file mode 100644 index 00000000000..8f72b1adeac --- /dev/null +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
@@ -0,0 +1,49 @@ +--- +description: Instructions on how to set up enhanced container isolation +title: How does it work? +keywords: set up, enhanced container isolation, rootless, security +--- + +>Note +> +>Enhance Container Isolation is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. + +## how does it work and how it differs to traditional rootless docker + +- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” + - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads + +As such, we want to move to a model where the Docker Desktop user whose company has opted in to the Hardened container runtime option can still run all the containers that they expect, however they cannot gain root VM access through privileged containers, they cannot modify host system files, they are running in the user namespace and they cannot escape containers (bar kernel 0-day). These specific enhancements can be attained by integrating Sysbox, the secure container runtime created by Nestybox. + +Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine (e.g. the Mac or Windows device running Docker Desktop). However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. +With root access to the Docker Desktop Linux VM, malicious users could potentially modify security policies of the Docker Engine and Docker Extensions as well as other control mechanisms like Registry Access Management policies and proxy configs. 
Moreover, whilst we have not yet seen anything of this nature, it is conceptually possible for malware in containers to read files on the users host machine, which presents an information leakage vulnerability. + +Enhancing container isolation by ensuring that containers never run as root inside the Docker Desktop Linux VM, therefore preventing them from potentially gaining control of it. +Ensuring sensitive configurations within the Docker Desktop VM cannot be mounted or modified from a container. This means that the Docker Engine, proxy settings and Registry Access configs can no longer be modified from within a container. They can only be set by the admins for your organization. + + +Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. + +What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. + +This is all done under the covers, without requiring special container images and in a manner that is mostly transparent to Docker Desktop users. + + + +Normally, to run a container with Sysbox in Docker Desktop Business Tier, a user simply adds the --runtime=sysbox-runc flag to the docker run command. + +However, when Hardened Desktop is enabled a number of security features are activated (see above). One of these security features is that the Sysbox runtime is enforced for all user containers (e.g. the --runtime=sysbox-runc flag is implicitly set on all containers). 
This ensures all user containers run with the enhanced isolation offered by Sysbox. + + + +Currently, the Docker Engine runs inside a container on the DD Linux VM. + +Security-wise, there is no real isolation between the Docker Engine and the VM’s Linux kernel, because the Docker Engine runs as root with full capabilities inside a container that shares almost all namespaces with the VM’s root user (except the mount namespace). This gives the container access to all the VM’s kernel resources. This container is spawned by containerd + runc. +As a result, DD users can easily gain privileged access to the DD VM (e.g., by running “docker run –privileged -it alpine”) from the host. This means DD users are one step closer to gaining privileged access to the underlying host (e.g., through the interfaces between the VM and the host). + + + + + + + diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 69a71072968..18540306efc 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
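Review bot: this new file still carries draft notes and naming that conflict with the page it is meant to be. The heading `+## how does it work and how it differs to traditional rootless docker` and the bullet `+  - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads` are author-to-author planning text, not documentation, and should be replaced with the explanation or removed before merge. The front matter `+description: Instructions on how to set up enhanced container isolation` does not match `+title: How does it work?`, and the admonition misspells the feature (`+>Enhance Container Isolation is currently in ...`). The body alternates between "Hardened Desktop" and "Enhanced Container Isolation" (`+However, when Hardened Desktop is enabled a number of security features are activated (see above).` points at nothing above in this file), and the command examples `--runtime=sysbox-runc` and `docker run –privileged -it alpine` are not code-formatted, the latter with an en dash that would not work if copied; put both in inline code with straight `--`. The closing section ("Currently, the Docker Engine runs inside a container on the DD Linux VM ... DD users can easily gain privileged access") describes the pre-ECI weakness in the present tense; make it explicit that this is the problem ECI addresses, otherwise it reads as a statement about the hardened configuration.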
@@ -8,6 +8,24 @@ title: What is Enhanced Container Isolation? > >Enhanced Container Isolation is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. +Enhanced Container Isolation provides an additional layer of security within Docker Desktop's Linux VM so there is strong container-to-host isolation. With Enhanced Container Isolation, Docker Desktop: + +- Has a secure boot to prevent modification of Docker provided binaries pre-boot (e.g. docker engine, containerd, runc, etc) +- Prevents user containers from bypassing security controls and modifying system files. +- Prevents exposure of docker daemon on TCP without TLS + +By taking advantage of Sysbox, it ensures containers run using the Linux user namespace and are not root in the VM + +Developers can no longer: + +Gain VM root access through privileged containers +Modify files before boot +Access the root console of the VM +Bind mount and modify system files +Escape containers + +Prevent the use of privileged containers gaining root access to the Desktop VM and ensure stronger isolation (Linux user namespace, procfs & sysfs virtualization, mount locking, and more !) using Docker Desktop’s Hardened container runtime.. + ## What it is 
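Review bot: the moved "Developers can no longer:" block is added without list markers (`+Gain VM root access through privileged containers`, `+Modify files before boot`, `+Access the root console of the VM`, ...), so Markdown will render the five items as one run-on paragraph; prefix each with `- ` as the list above it already does. The final added line `+Prevent the use of privileged containers gaining root access to the Desktop VM and ensure stronger isolation (... and more !) using Docker Desktop’s Hardened container runtime..` restates the bullets, has a space before `!` and a double period, and refers to the "Hardened container runtime" where the rest of the hunk says Enhanced Container Isolation; suggest dropping it or folding its specifics (procfs and sysfs virtualization, mount locking) into the bullet list. Also `(e.g. docker engine, containerd, runc, etc)` should read "Docker Engine, containerd, and runc" in the product's capitalisation.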
@@ -34,23 +52,7 @@ Prevent container attacks and vulnerabilities via Docker Desktop’s Hardened co Ensure stronger isolation, without any complex setups, using Docker Desktop’s Hardened container runtime option. -Enhanced Container Isolation provides an additional layer of security within Docker Desktop's Linux VM so there is strong container-to-host isolation. With Enhanced Container Isolation, Docker Desktop: -- Has a secure boot to prevent modification of Docker provided binaries pre-boot (e.g. docker engine, containerd, runc, etc) -- Prevents user containers from bypassing security controls and modifying system files. -- Prevents exposure of docker daemon on TCP without TLS - -By taking advantage of Sysbox, it ensures containers run using the Linux user namespace and are not root in the VM - -Developers can no longer: - -Gain VM root access through privileged containers -Modify files before boot -Access the root console of the VM -Bind mount and modify system files -Escape containers - -Prevent the use of privileged containers gaining root access to the Desktop VM and ensure stronger isolation (Linux user namespace, procfs & sysfs virtualization, mount locking, and more !) using Docker Desktop’s Hardened container runtime.. ## What the benefits of it are 
@@ -82,40 +84,39 @@ As an IT admin at a Docker Business customer, I need an easy, intuitive way to i +This page contains information on how Enterprise admins can enable Enhanced Container Isolation to -## how does it work and how it differs to traditional rootless docker - -- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” - - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads -As such, we want to move to a model where the Docker Desktop user whose company has opted in to the Hardened container runtime option can still run all the containers that they expect, however they cannot gain root VM access through privileged containers, they cannot modify host system files, they are running in the user namespace and they cannot escape containers (bar kernel 0-day). These specific enhancements can be attained by integrating Sysbox, the secure container runtime created by Nestybox. +How to configure it if you are an admin -Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine (e.g. the Mac or Windows device running Docker Desktop). However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. -With root access to the Docker Desktop Linux VM, malicious users could potentially modify security policies of the Docker Engine and Docker Extensions as well as other control mechanisms like Registry Access Management policies and proxy configs. Moreover, whilst we have not yet seen anything of this nature, it is conceptually possible for malware in containers to read files on the users host machine, which presents an information leakage vulnerability. +### What do users see when the settings are enforced? 
-Enhancing container isolation by ensuring that containers never run as root inside the Docker Desktop Linux VM, therefore preventing them from potentially gaining control of it. -Ensuring sensitive configurations within the Docker Desktop VM cannot be mounted or modified from a container. This means that the Docker Engine, proxy settings and Registry Access configs can no longer be modified from within a container. They can only be set by the admins for your organization. +## How to enable/ get ECI +(e.g. currently developers in Docker Business customers, requires authentication, etc) +requires an Apply and restart +- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature -Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. +To enable Hardened Docker Desktop, Docker Business administrators simply have to toggle on the ‘Hardened Desktop’ option within the Settings panel of their Organization’s space on Docker Hub. Your developers must then authenticate to your organization in Docker Desktop for the settings to be applied. You can follow this simple guide for ensuring developers authenticate to your organization before using Docker Desktop. -What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. +How do I enable Enhanced Container Isolation for my organization ? 
-This is all done under the covers, without requiring special container images and in a manner that is mostly transparent to Docker Desktop users. +In the admin-settings.json specify “enhancedContainerIsolation”: true as per the below image. -Normally, to run a container with Sysbox in Docker Desktop Business Tier, a user simply adds the --runtime=sysbox-runc flag to the docker run command. +You must then place this file on your developers machines in the following locations: -However, when Hardened Desktop is enabled a number of security features are activated (see above). One of these security features is that the Sysbox runtime is enforced for all user containers (e.g. the --runtime=sysbox-runc flag is implicitly set on all containers). This ensures all user containers run with the enhanced isolation offered by Sysbox. +Mac - +Windows - +Linux - +As mentioned above, the Hardened Desktop security model is designed for organizations that don't give root/admin access to their developers on their machines. By placing this file in the above protected directories, end users will be unable to modify it. We also assume that said organizations have the ability to push this settings file to the locations specified above via device management software such as Jamf. +Important - Your Docker Desktop users must then authenticate to your organization for this configuration to take effect. You can configure the registry.json file to enforce sign in. -Currently, the Docker Engine runs inside a container on the DD Linux VM. -Security-wise, there is no real isolation between the Docker Engine and the VM’s Linux kernel, because the Docker Engine runs as root with full capabilities inside a container that shares almost all namespaces with the VM’s root user (except the mount namespace). This gives the container access to all the VM’s kernel resources. This container is spawned by containerd + runc. 
-As a result, DD users can easily gain privileged access to the DD VM (e.g., by running “docker run –privileged -it alpine”) from the host. This means DD users are one step closer to gaining privileged access to the underlying host (e.g., through the interfaces between the VM and the host). diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 834396e7449..2f765be3b69 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md @@ -4,25 +4,47 @@ description: Overview of what Hardened Desktop is keywords: security, hardened desktop, enhanced container isolation, --- -Hardened Desktop is Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience +Hardened Desktop is a new security model for Docker Desktop. It is part of Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience. + +The Hardened Desktop security model provides Enterprise admins with a simple and powerful way to increase the security of their containerised development and moves the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user. + +Hardened Desktop currently includes: +- Enhanced Container Isolation. This is a setting that helps admins to instantly enhance security by preventing containers from running as root in Docker Desktop’s Linux VM. +- Admin Controls. which helps Enterprise admins to confidently manage and control usage of Docker Desktop. +- Registry Access Management. Working in tandem with Admin Controls and Enhanced Container Isolation + +Docker will be adding more security enhancements to the Hardened Desktop security model over the coming months. + +
+ +
+
+
+
+ Hardened Desktop +
+

Admin Controls

+

Learn how Admin Controls can secure your developers' workflows.

+
+
+
+
+
+ Release notes +
+

Enhanced Container Isolation

+

Understand how Enhanced Container Isolation can prevent container attacks.

+
+
+
+
+
+ Hardened Desktop +
+

Registry Access Management

+

Control the registries developers can access while using Docker Desktop.

+
+
+
+
-These new features from Docker follow a number of security related acquisitions (Nestybox, Atomist) that sees the company establishing itself as the undoubted market leader in providing an Enterprise-ready offering for containerised development. - -This configuration is designed for organizations that don't give root/admin access to their developers on their machines, and wish to configure Docker Desktop to also be within the organization's centralized control. - -In order to use this model, the application and VM image need to be installed as root/admin so that the user cannot modify them. All containers are run unprivileged in the VM, in user namespaces. Root access to the VM is removed, and privileged containers cannot be run, and there is no access to the host namespaces. The ownership boundary of system code in the VM moves to the organization. The user owns the (unprivileged) containers that they run, the equivalent of being able to run unprivileged applications on the host but not being able to modify the host configuration. - - -We have introduced features such as registry access management, that controls which registries a user can pull from on Docker Desktop, as organizations want to only allow users to pull from their central repository, but again this cannot actually be enforced if the user can modify the VM freely and disable controls, which this model prevents. - - -We have some longer term roadmap items around secure boot and code verification to increase trust in the code on the VM, as well as supporting trusted logging and audit. - - a new security model for Docker Desktop. The Hardened Desktop security model is designed to provide Enterprise admins with a simple and powerful way to increase their security posture for containerised development. - - - As part of the Hardened Desktop model, Docker announced the release of two initial features. 
The first is Enhanced Container Isolation, a setting that helps admins to instantly enhance security by preventing containers from running as root in Docker Desktop’s Linux VM. The second is Admin Controls, which helps Enterprise admins to confidently manage and control usage of Docker Desktop. With just a few lines of JSON, admins will be able to enforce preferences like HTTP proxies, Network settings and the Docker Engine configuration, saving them significant time and cost in securing their developer workflows. - -With the Hardened Desktop security model, and our new Enhanced Container Isolation and Admin Controls features we’re moving the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user. - - Docker will be adding more security enhancements to their Hardened Desktop model over the coming months. diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 5b2f48dbe31..f8c745e4d80 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md @@ -35,7 +35,7 @@ To configure Registry Access Management permissions, perform the following steps > > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. -![Registry Access Management](images/registry-access-management.png){:width="700px"} +![Registry Access Management](../../assets/images/registry-access-management.png){:width="700px"} ## Enforce authentication 
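Review bot: in the `@@ -82,40 +84,39 @@` hunk of `enhanced-container-isolation/index.md`, the configuration snippet `+In the admin-settings.json specify “enhancedContainerIsolation”: true as per the below image.` uses typographic quotes, which are invalid JSON if an admin copies them; put the setting in a fenced `json` block with straight quotes and the enclosing braces, and drop "as per the below image" since no image is referenced in this file (the PNG added in this PR lives under `desktop/images/` but is not embedded here). The placement lines `+Mac - `, `+Windows - `, `+Linux - ` ship empty, so the page would tell admins to place the file in "the above protected directories" without naming any; either fill them or mark the section as pending. The added opening sentence `+This page contains information on how Enterprise admins can enable Enhanced Container Isolation to` is truncated, and `+## How to enable/ get ECI` with `+(e.g. currently developers in Docker Business customers, requires authentication, etc)` is still an outline note. The enforcement claim "end users will be unable to modify it" depends on the file being in an admin-only location, so the paths are a security-relevant gap, not just a copy one.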
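Review bot: in the `@@ -4,25 +4,47 @@` hunk of `hardened-desktop/index.md`, the rewrite deletes the model's stated prerequisite (`-This configuration is designed for organizations that don't give root/admin access to their developers on their machines, ...` and `-In order to use this model, the application and VM image need to be installed as root/admin so that the user cannot modify them.`) and nothing in the added text restates it, yet the new intro asserts that "any security controls admins set cannot be altered by the user". That guarantee only holds when developers lack local admin rights, so one sentence of the removed paragraph should survive in the new overview. Two of the new bullets are fragments: `+- Admin Controls. which helps Enterprise admins to confidently manage and control usage of Docker Desktop.` (lowercase after a full stop) and `+- Registry Access Management. Working in tandem with Admin Controls and Enhanced Container Isolation` (no predicate, no closing stop). In the card block, the labels `+ Hardened Desktop` and `+ Release notes` sit above the Admin Controls, Enhanced Container Isolation and Registry Access Management cards, which looks like carry-over from another page's component markup; check the rendered output before merge.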
diff --git a/desktop/images/admin-settings.PNG b/desktop/images/admin-settings.PNG new file mode 100644 index 0000000000000000000000000000000000000000..e9ef62b340ba9be2992a7264b37175d8492a1b98 GIT binary patch literal 61008
zesgXoY>|O2jZHI*c0!btl+P_JbVz9Vb1^M|n2XR*-+rokkt2@4xquG|+OmpIZvAdB zP!TCe&WEJvPfG)3V0wP2nVFr8oeM!_*4s;){WuXNf<8Lu+8WAK14red*piT1(h`GrZ(R{;t(Wf%5IidWN4O2k+kUz22(;S3)hJG3(J zfj`!)NTyO1@`65C;r;AL5`kEPP~Oe3%<0Jyp+OF$A?vc!mdLN?SDegk60AOdw@iHg z`twwi#Zc9RGb}-ZquxKojX*SE{yfsY8IUD8e z!Obd?10$8jXBttyveyqoAuFAzxs~W|yU%`<4a-G6L*J+cqaSU9=7_@B5D%CP5bf>l4*gk@ zqf=8)F^$ROBaD%@)p20I#E|`^6`qEOd!TzR`1&lmCIlJm+`ANTF>w?@*^>b?5(jCA2KQWGJfDNAkduZ7l30V=6rEQM){u84>As> zd}Ys}A-*h=GK((vv(v?rJj^Y(JoO)j&Tn^f73OP`)_z_kn8d3&Kjc6r`3fM_Ex8 zPL7|Ga`m#b&>E&f(*=DLm1-F{`VQTzf;RNgnwhcSo$D=oUDs61m=jkj<5)@$M z!1AA`_G~U>CP0&J>}9k3Xh3Q3EV9@)JIT%RngJ9Pr{+OPsUJf;uIF90!bnYkff@!*S3a1^d%%AhMXPtG!BK?0kmVVAgL3IK7jGid(+xLmo z{U2VUVb=;=J=6aDJK=&0!sJ_@w}uzO`6r`&D90pN9C#*OkN^gVBm1TkACmI75mWY_ ztYamZgraNM+cGM{#>dXPzG3R~1V)uPEqmM7OBvQx}dh@;44NkKgFv*^$EBrn8uZA*SJ)cQl1{ zIcjSYdGyv;4$xZL+U5ckx*n(l+?3?Yl=79ZGeCOfZ zPWqlp@t!)WFNammv)thcuvmsV<|wkr>y9ewK;RP@!rcNj8NP6VzLiaEIH$Pt0R7|U zZzG38Oi>isUR?1-YNkO468ird!}NF8+@{%cNN+88W~aw^g_mKy*b71=) zk7Hq3_11GhfWeBP$mdnTNZ#HG5pe~;5q6$CE^^e17{Yu4TlpPG2J5xL=BgGa_;tLh z2|O0G$Quv6K9S~ZS-3{l%7%$JR}3KULDN_GT}O7aDYIvO%XNumHk)F(!M!78oQ7BX zSr0znhtiIfMo~BA-kXyS$Bjybg^lduJsE{w(InhCyDhMBPEeq4l50Lo`on$x#$9tj zR85S1+qhdx2aW&kyyNy#gcANn$)GuXf*4P_P^#9gT+jp@HD9f9%jgav8!5Napn;2M zU4%u6dcR}Dj^iO1yg#xG1(XHL%o#KsI_p?3K$=K-uvEAc(A>MZyQdJ4pUn!lbaq%0 zo5hHj6U&j)w8cnwu|SD_i5+G48@h(Q8i8KP@HKt8ot)P2mK!f;YuHVvc}ZAp%16i1 zmTTEf#bBHT@8P?4=*BGB{Z3N?ru;`8lnj8wLx*Q!e9~Z34H1j4F zh43=o5}5WzGc>WG{Y$gSm40k=s z?s@a~(4_5e89{CviB1n~?(&KTXLpW)Me2Dltg{MiI+HokdSqTsZti&u$U_zZ-$+Ez zLQHK5pMcn$Zjl{8Cfb79mPmyJbBtg&e6xekXM=b)vwkd=9E+67R@kyg}`^xSRNeuq#$VGlfpidmeU(V&e%F}8Ylps+w2Yo_aw&P zsXwSD)20|%_#>>*B}Ky4H%}T4u4ZXLvPQ~(0i75RqZtnP0own9y=xx+2Lt`zd=$lq z&?Uil`-@xuz<{+B>aZQMjoI1e%<=#56I4+E&Ia7dHNHz~fB}5}3+XNoy8fsJ&s&gR zkS^1d3&)c*6N*Th*w!;WcQEiRoMm}u^(bG{-i`ZXjKgK}{2Pf4FYg{w6K)rsiPg0^ znOG|{<1?I0i$p`f`G6n;JN{f!IT;ysU={1l5J_G7nJo3-!Grjuq-8Y%W>Z`0W0>=( z;?^&KkL^Aem6+NaF|roe77St%s9_V+ic@^1c~mq}bpp?Pu4n>(qi@gueL1;t=KK>e 
z+%Zf{l`=2a^Kx#lYHi=*{KTXZ5`3%dnr)NuU@6}aTA1+PRIdp71V~j8vq2L!c~^fOZRBb$}5}7U4b=;E{24cgfN_h z$dt#F!H&gXUcnt%j5PEsq%do?7Vep&-G5?Wb<> zjcdxgk-c2N9|y*;b=I*fw7j5zAt!{!>)}F11{Hw2YnX*Jz!QXsnBEU_J=#_GE6w>5 z+CWPr744yMHr;|{w%$zW|K!d zx*w>mujP;bOh}s&>FzMHBk$46Z``Xo+bcZPHu}`bAGNH5HWGf`lCo(#B?`X6`{#+I zL;{G1VUWEgbq^0dh!;y1C(~XXK4(odIN5hyIPE84&*;C+6zoDoUhNT&)Vg5H9uECG z+}DR`k`gn|V`}{NZN~G~e!E`G6k0D*?czj!OThzuNGBi195gT+?bTW2^GVQ`xj^Qv zQgL~_)VN$*Vq4WBqJL=DSJj5yTSg`lM=u75$#)(TqkFKzIW+>JC@Z{_5#O!Psw#`3}`%5wa3V7?-xK!3IDlQEpiZS z4oSfZa~dv&S1nhHX-X@+z@sC0a59~@055!VBO1W2c|;E0T?ZWe&KW63%{^T3J@kya zy*76l-a_rc?8`)pA)=HR*~%Bx*$`_3JGv6h0+qZ75{|*CMh~muV(nL`KlH^-2`I+h z(Tq0&Dh^`eFRl6QPq}vQHeET+;*)mMMsT4MsSAb@r@%B4iYPDf_y;2QRDEuVg^et#4o8kZ#b;O-@sXwU%tEt-|b;>UF;#U zc5v9@_IdKOe_HZnz5k<$Vbm&coZTr_vYfu}+&}_9#8!NbUn2(#tw~A?9W#-%o$6)OfV&_DGp%vwQA@~m;eqSZzw+}w`w2-dWK8QXg%)DcFT)DbU|O@bLa=JLw^xIk^$R35|L_vbajp#nEa9*Utu}<{C<|4WcK(uzs7C)v(}&d0e%vyGKm?BZDapvJ^by9arW7-0 zzg`18W_>hSOtY6_sApFEHoqHAj5Ez76TIGLMaK<~kMJq!j98I)72SB}agdo?~DZi9Ynb)KQ84 zeRN{N50}ItZBU#jkS1ax?3$Cg4LP5rpJe%vOd8lx*4(*Qmu0}GZCvnH31E!w)0dRI zwnDAwKr;dWXnT~l*Jbm(Oc&kz|jtI!it&R@>67P@o@Aly zLM*X}2uO{|;n_+~wCBX(){FzMF@^+}eS|q^-{dOKnm0By2wtvH8h>xY5?$&`XSpC1 z^B-VGh)TSv+MM^$bH(S3>Tk^K48M%fX@aDB73uCE?K}7KNz>4Mu9-n@md? z$xjuo=yq@%(37ZE{M-VJq8oX}yL)ndPRoiqMF-#S^%SR#6=cqb#D4rJwLV%_AmVkn zU2gXZVf+yOfTb{NXem8@q$XM;#UmyuE9tJZtLBnz&bMsA5)c|Do#%A<9Gd<;!Y!*F zb!-m*)J>VlwKC2IH5JP16%yAo;!u0H{3g+qH5J9QnE>qaZ{}Lu)`{5+YJPJ49dmNr zR5MuDx9DiR7SH9SB~PFHaMI}eo-gr=@K}4LY`ykb0~)Aa;W@_yntklz;Bo#g`KN1k z-Se3At_IW3e48}G$$J-1*W{1J$? 
zdT}&kA@L&hx}M6x6w#QP82*%=-l;gWrNx_BA5(5l{V$5y|EA9UfA>)h9v-!r0;O2O zU{C(ux6}f@yhP=k5B(CmfJtQSlTrcxhw&Cy%32FPtWjQ?7Z;5IY)2a|o z1}X!q_0mif`|!Wb5^sE#sEO0kx`k+iBoWGs{rstk_?Sn_!UKpqJ3Bk;XAFxE3fjxo zM1Z)9xBnLXLuAHKT{hL^&6wwky>W5QL5q<3KGqwU&ETeX*-%ON>D4=ZS1jJg#x@5Djzhasi7tWxr zF(9qbl_^fHH5EvNuBzezs*}9<_;^v&pC2s3Vdsx<7_CNRnI~P7vsuQwIM`F2G>{{U z+btH3_aVXUaj6c^Poyo>#1%MC5br)l6qLo;sP1AbKJ~a#Q|t-(ScwCX%a4&$i_fE) zou4aRLT39fNbah3(M5lkkJ2YcUbg_2p!WGaI+|2mTx<#2p!?YfS_IxZt+1V)R6<^H z&O^NDd_9AVoZhXA5AKtfY<6B(Nkh=>NYVF{2^or&9!>J(GZ*-FS1Wu~QswiJ6Y<9C z9VmdP9E<=A>{aGPS~xjLTxtkIwA{%ZIrd+NcwlyHUK)3AL>Io>xUu^HcgrYo{OIA< z*QBx?t{V6i&YCbZ0h}FEpF56M269{v*0cqk7vwXo4r4&Ouvi934X-sSz#MF`ap?2m z0#d$AaYcb#-KQg^dHXdN@k8Ijc3-t9(+fE`#|ylj@{{qY~n>7#3JgtFnY4*<3P(Mi+v~8Wx5FxpO&Wd zh(U#rv*wl@A=y*j*4D5BGu1@LuXOGN4rn|8j3*zFIUYJ1Z<37+63Y@)Q(W>h*VNz|u;3ljF(XSo3V za=XF&YF*)#pX_kSVa3xNC3#z}(#CyC?W--z({M_jX2?A^3c=nsq79aApf%C+-IW^m z+>qljDm7S5W7j`9G#bBJoMAJC$@3tRYTYznYf&Kg0grCkGq0R@w+N}ugnXF0(!Iwbn4~o<>K@N$lC-n&Ve3+1K(6b++ zvF4bT+tC%s$^zfNFNDL>f!e6Mtu2t5nOPdP@g2W|bR#f>%y3KQ4Nb5;mG$q7=3KH> zRoE2V+p2dNve>lU<^l1aws_;2QftC>W_P)3&31_dPll_I&~(@JO1TB74mGPqv6RWVe&EJ1$!{xi*mK%HQG!Eq~j3UKC zbAEJ%*!vyY?QS1xPpl~sQL+f6lmbjJ!p==*=wQ11Ce4e(t~U$6vZP#>ev%1#Zhu~N z_4>xpsT<+6ni0*&;}9G-In9H^phJI7CF&kl?(vp+vD7yryw+s-E~oTw24>}#yRVqX zAQ9(}_Sle^9rVM1e_L32WhHlk+LKy-TH5!WVW8or3*Qk3Uz;X_G}@AL5P$#p&_Wdz z;BbYtsFc~;1|TWcD#&mzYjHywJ{!VI^y1OR)!K}J46Ptaf1Vibne5dmzCechK}8#c);e^+WLAj$n)IgmyTsn z&9D`mLCdxu4`A51x1_PJ(Z`7woq90Elm^c_%MowlaYLbYQjMmCVUK#_yDv28T$2F< zxV>+MtaY9)k99(&@?*mYW2Z9D1B!Jv%72n1#`nc;{0QH1eEyKLZw(qC{N4*C2Lra{ z(AzegQH)lfv+cGtWY0bl#);J9Z4PRuVU}x;BR{9Cualfy2$5nU>l@C^KYwx&2wBt# z6(21kI=Ie>{ycjko<6k{s_qCX<-J1(tGPWA0S6NFufqrvNKywWT;esw2U7LvkwAv7 z(U`{pU3ry)HQO!3=#&0*bBJui?X`@->TcT3E}`k8#Tmx3cVDxjjMLJ*g2>@&PXOt0 zy2=ywvzyxr*_-(Q_Y?bir>ZeJx;GOjkB4XxD;?Rd+aL;d^;fT7{|M;A!7QL}Bq2Yq^^bqd zSVK9R{cGnVqxlnP;Mpl&pT3Xo#pE;rrO_mvj7%ppdkFhbj4I5S?n&P#F;Lnq&lE4X 
z0vH54QgzXA7D#2%SYTX;q^;)^KvzTCcsiLh`RLAV=;Zzw#e+@AI(t6}L8c@=lipN2C8%?%N{z)+=`S}(u(&YGCV0_d}ns0eBv48m-tl;4%zoU)p77`9?H20d% z_!SruR&F7G-<;Jm5ql)F;PXD$W*%*pdvyY7P7=;flZLZfyQ=I96lQ(gQ7Q%g3$*k@ zmp*IPD4?7yP-ljciambvW2O2gN4s794v?@k>%1E1TRF9hjMI^RJAlXK>^pEkX6%XD z%Q*^v-|#};q4`)xJdF5VMU2+W+(X6jG> ze4tu>Y~OGwwFW(*Tm!UC$iT!MjR3r34oBzZbk`ea$zT0#w5bU*k5s{zmbDj4O6@?MbHp936Y4P^h zl9-hc|DgWL;{qg4VLF=sCulQ9jEniH{{==3favMz>4jBDiy}Mb5y7bVVszGY7#9HM zr=ELa{`z0a@86POJ_0$c+?n)1d!cjBT?GaY3lG#a*7oGCqzO3FKs1zq$p|q>szUA3 z1>}S~DNFJieHBrq=AF()X%{d~bM#eV_9*b@btK?~w6q8@N>jZi&+?%8dDFi?R9^X! z`=s$q-KB@(^z+=m)dkhbiPyEZ#KSL6@|;m1=?jFDt7&RJQcmL^kd%~sZ*>y;eZU1K zB`mdq9-~$}s$0xQVI~>)V*?-_e73&cUf%T0yZjBLXN_m5^n5%kbNkv=*Z+L!$00;$ zb7Z1A;2F)$&DFiVo1_*=Zpo3DiSdb@+V)Y7>(_O=HvHFPw}m^Ys^TFzog+xt^rc;v zerA3DE`I&w5#`Y(cvGJa*eOfA!{W|AcCFs)G*tcjOXPk4MLrKtJUH%|fG~e|ch?eB zQ$tfz*P&yJayP-RTV_bJa^9DQ+91eXy$;V@^H13n@RYdOSgv2#6aGSwgV0Y=TU+Zw zNH%EuYRL(`0u&buts&OWy=A_VDmd*p5S5Dl0;2^0K%gu0NQ7Sk)J41o!w3W@NM%VfFd-fKU z&VQ%u6(fHd$e;DeRsJj&eg}tG&BB7A#dCCW@+VyTQ!h6G7)}c;iyezBA#Rcs6+CS0 zY!YM7fR5wsxwc9A487}R_wa)sAq7_g?UN_|^Yim{cxVv19Uc|6bhkinEVfm>qwe_^ zf86*D5WQ)!vi4JvN7T8=svg8sH9!xTr<#3Iz0Mq~e6#<)Pbxm#i(SfGlsa7nkV?|e z$y7O<+v{hx1Y^fP6%tBr(MkfvvB&0QR+2F^Y;Z7_obT`0hY*{|AqF&=s1Wf?nkzq( zxz9Cn#{N#e4}LsgiFI3&{IxOM{_*(#qqR+oxbpn0YDvOC;tZ8MtjCNDOa`->bHd9T zlkgyCSg{c-&2N{b?Wv40Drk1IS)}{#7pg7(UK5A6A;-tD9^#If&TWyYmE?K<=Bl}! 
z-?vt^$zjZ7MExBdm_1loz%;_h&;Nm5iLoD1c{P1?}1xC?lhZpPV3#TV76x9n&ZDt| zoW?o9Z2jtUUvRB`cAv5VdLW;5y1l*&(eU1s05muo@!Zt`*h9iDM=gB^bi8dGtZ_(; z6t8IyFEb~o-y|1^lj0oIKIKKFtwv&433{UGBn7}j6to4EpC~py?K}k5?>?2gFSDD{m74Q$|SJkwaBsP5-GDEljv!}xzP^e(G z^rHOyV1N=LW9NY=3^Xd)U0ufbE`$_DFl2%!@a%5%H}|65ea|E3J*w9G_^Qr6idCdF z)YTjG&=V)3fCeJ#AgLw4wANSRx>A2-Tfd`8-&Cn5zx>BHXn6{9R{Jxf|MKVhte@&D zvq~JR-V+W?>G(0EObnPi)O~@g!0qS=D9XiJlt>akeO3Sk=c=cT5twZeO{buI-QmA~{sL1RYk?XZ++?C(Wr<&^ zTmF7^bv5hd$7jiaZUo2M*}oy0x{~^3v&C+K6j+^4_2Hj`@9qH8gG#yrEBw~`E-}_{ zOp9^obHaxm3agG+WKNMM|LU8G!TpPkyta)gRnASR-`0Hln%+@;kzCuwz!<;0%I}(z zcinxmqu^9!pC$9D!CEP=e0Fd@T+sq%35NVi#?FBrsbNScXuaU)KGKWM7C z-aM)bnDY-MHI8OTJ6$>l9c!xS<*^y`>f-23sS;}e->c43?VXxndJ!}tqr@|qwy8}S ziQx+{Uss+pL(ES!!qLTr`$#r6HdX?I<2eDLU;dtmJ%u)G|m;b4o^UtGO{wYaZ&LXU3_p21yc~(B7D=|2R@=U?F(% zX5qGliz;Cz@66mZV?N@Q!d1uhLnFW`Z*OG<{?XZGOOB91C9TW!J`HaoHIr=PwWL!) zWmy-IP|cdNL4BF>xQ40*hB5`@hSM%iweJ%N{o5LpG2yX>!ed-iCvEbjpBlIL>l?gu z5od)vXQEdTaZ4?l>mMC-^KAbKJ*+wMQ$ecwiqklCr}@FUxR;+ri<8TF%Bi_1JQC5X z$($~2luX5bq4qh%4Y%fc6EedAy~o#*k{r#!t2gJ%lI zUR%;bXuEz{uw*yRKmir)r~|a7KZIwyJaU!A{ae$sBrSb}6b%2wZu+b^;XJYW>t_I* zM{3eFs7__oIr;3l#k#;;!^eb-b3ud1B{8rA0y1y;>WQm9b8>RZM{RU;_J$lr&L}(d zdj?{+?*5-=cd+Hs^0G@y$DKPzVhWt*J%q&QxHy8p4`~B$>tl( zD~41^K)@v)vIWdF*}*4?Wdr6)U(|1&>!bi3rQ+C^Znvt%rT$}j(FJm;@A$m3o0aUh zXf-OX;Y=*!g|lPwlwTuuL~c}fSI$lWO11x|vOh(omPCg^CyK(PP(W%ic913L`us5m z+lhpwC8Nja$iTplo8d{DPXs}%EaAgnXS5^o+~XajB09F7%UD`)XT0Gr({kix7cn{2 zqQPHBsGcI8l-fQ9*pG<5$BxjXIr;9#QR7owJKwF&c!S}e=B*zqEyrwX>uSS~n|2oF zHsrV)Je;v*%|~S~zf^whM{>jv3;P9lrToqv!J4XDwYp{ApCRIUv}tq-ND`%j37iI- z)MPcOB&#sQ7cLV*zCd18)q>0zNE40}0`7A8KIUT)BY*)725>gawfv(# z2^!tf8mtpIXqKkRNa?gqz4r*lozWKO^HhV(?nNyRjY;_MHcd;Nyc|57R!o(bu|wMP z)H+=(Jd?ZWkM=&M5Bc^Ne=+0CfM48ER3!;~148RLCbgv#P$0{ykn_Zs$LPA4D-V$h zFaP&F1u3aK$m%_B(Mygst%}$gNfpbf+GWOu!4~aNu&Me7gcc+^;oZ!+$CCuUVSQg< zBA<`K!uE734Wly~+pB)c#}LFw>bx_~j<)a4(pY!zV;gFIes=0|n@7Abl(@ee1l#oDp3O1Ssj2rKJ zJsvTW_2IoUYL)IsF)GuE#972)Dhp^h<#Ho{7z~t{m*xNY&yRK)wk;Cjx3DtXgeDiX 
z`}5-RRTR2d&_nkt|I<}O1L94BE2ZOlKyFK{MEv)%7$<2?Ts*u2prpBY@Ylh47Y}0y z{-1tMw*N~*1LPf8qU4kmALW0PzXaNgwfsxfT>ouSXZ5Rf=ji~N$w-ROem44+U-HPR zIm8q)1Wf)ej;F1zr)rMwPU>zJV1xGF`c}dMkhkq`C5>3oIFX83zdmS{oM5VH2~r4{ z^)xBKTd4Kw)jNf^3ptPS1D*g`&0KdfkHrz^8oz6B$VFRD(ZyJ8k^6=OG06M6AT1NV zxQFst!(HsRtyChnpWj2Enk=TXnIia-Rj9E=C9-(7RyBEmuA3^Duz!4)f){8KW32=h z7XC=?WeCcE0)YU+oi``2`f{8m_V#c@(rg$set)1_6O_6wxx6d&h7WXDgVfGY4w$D4h%K+W>=`{bm$)CoVE(JPGIJmwpd#J$A5YNq1`Zc#?nN)Q zA7HO@1NFkfn#x>|TYUMf-fo0PnySt9pyi-riU={C>GHA#4Ui%%^=GPrePUsA(_XM2 z;A_|Xg={sw2GgPMp#?sgX7EM!zXNY$X5Yz7ZzOt{TqKZgO6pSo>2t4lNfirr=&lSK}&`A??XFOcrBEt-4jNgw2!C zU7Z%0F~umZm^Vg!bkE}k#}73J5=*q2HjLbtBd4fpUZd#eV=`n{N85x3aDf6I{T40+VvL0x{G&+(IU(USkk~|t%gqP>K@a(FzGT4=hBCfPzb2rIoP0p8|}}VBVA)m zCRz!aW$!s?LD|c$fYGJuV5uK!lD4;_gKpIgr@8zw5H^WMeCZ8=%A917(mmdIMB2J1 zmCMQgL^#Eyhg&v-w=50OM?lB+h;sN2-ZeoBD~7l8=zRuRllh? z-S-~kJF!Gn`kM(nd?Ovry(CuJeokcX16L!AQa${NoPG24X zM{iCySFLYuS^b#XTUaEqB%3+e6>^=OxRL-YpKzMVM31RH@I~b`U&HnPaGcWIOxJ(W zTdZ`(?J#i3an-j)lO#x8Ik(wLrGuBgI9;z_s8b{znRk~@41fNxz`#Jk?*xoka3 z)+%&<|BJ}3o4~yQ(e*p=N}~!`qzTbW(gU7fRk_E~7%P?kU9aQgf#Z5bDqazf{nW8AE0gq z_>7JNDf_3f{Pt50t(>>RsL>gXzEEN`5rbHEol{3zMnJ~X3YK*?^M}d7uhI0P`*7QK zzNeBK9u_?ri2{?dQZQiw zOXetflSC{E;nt$k9hurSTvFR&e&p|{0{>-7k!I9g|C7nZJtoybjXKS6)9?G8<(B~A zBO)SFx3*@6Kzoo7Os#+hp&EbI))eUJ=_h3jG&Ht!P!#t7`g>~^vZFznUD4G$jGlrw z=^5_~>N~%57{5Kp^5pYFvx_|8ef=ApG6HBUX~U_>Za)6BtJ)^-f~Vwd@?rk7?9d$o zznI(TeD*0xFR?2YAk53p!}U)(;Lp_C@Q~jXrSCuX3@h;}TTwP?4%8I=mj%HA-zPAt zcMgi8+PDz!dhH)08{d~7N6E+d<$DuD(wV7uyA}*ir^#ru6TxGD;^cg^wIOngWBe~I zkwL?W5s)&EdnaT#HdEVS0cpy@!epxEgC;oK3IxqI*@fUyyMMau!hlCVLfe2FqahXJ zmLhOAiJ<`M2)RH9d45c9gn9-}pfqApzkqD+y%YMHR=th1X@8RW$2AoB!+_;;Ry2m& zCsT8*4%>O_C!7f#JyWl}WJ-Zw$mo~7ZLF}ll~f+O1K%9q4qE|C(w?w3i^s>1Xb!&~ z2(mO2s0=O@Sf-Cdtw;Y9B;G1REgktP^?I3@Gle|Osl6v%m_*egQL37;kii0jYut~| zI#kG#@a4#E6wD?!nX(&JYzO(PCO;K3;0cJWs}B_<)Oq_5tRkgh3qmu0DA0UCYk?Z9 z>n)pa!0xMb+L@Izc+~On@vjUKFV6{;4B?j`@;%WCGw!pD{9i~r+uPOTzH?TVBcK7JUAe8lLK 
zs^xA-1yZG{p9Aqmu))A!cg>5(X3r%NBKc_0667OTCB)fzzm*0`Hgpq!vEGK>`J&pEFn$Dvb4aqS@<9U*O>=%Zga}mnL%^%O-r{|>! zUgj|LqV30@%o)002q>gf8xMQ6WG;bg9H1N3qbq&sLRAhkq9G?$jhIuJ)MilVho-YretQf&@NX5lDbNe1=?8qBvn_~z z7eg>d1~Nu>Xap`*`WEmBJ2-Y%zs|sBe>VXUkP(QBF)6J6t8R|+|4-q3_Cqm<+V_~I zK=VV8NQ&y4Yt5(Hf5hys#XxsC^!v9wAZ7j{=s)oPZ^Z2X4ZZN+esnmuHurMwB^hBx zT6f#ADaB=HC)fTc8o~8j*49Q>^0A-eZ8R;ghB1riT!@`_Mir#8bOha2`xecBcLr_H zwEZS_0uf!fMQL`M!$T(=cQ@zZ%yf;ri+lcYjQB7WybUwqwx0k>f+iJU9XwWpPm8~P z%`YxyW@clfSM8rph0|e*aG-@R1Usn}fMA3vfZzsrsB%E4g{Hi>Lgubn zOpOkfW_R~k5I}x{#OO9w*Bu1=)w&`hKDSX0S2>ze;i)23vMrW+Kd(&^I=g>1J5X0o zp-?_cDfqQ()ger=xg`Z|P01SB5m*pJG%GNIvA-_{+Dl(w-=V=lNn|2h&dJ`gCP?16 z67xE=4Z&9jT3dP6FP|~U*_6lC_qMEiMOAwMT-&csB}^Y+aWEs3M(U(rz+S-5q!ieb zmHODfRvnD=TP0cFn)y6;b#t(eB-M zow!dWyMG>7ieqV{Oa`fI*k`&{%*kFiEXRT);Y2Kj;BE&)kPOt@8@be*DkmZ$LhJ|`p+Jf93Kqo)Cwk5n_1RjEHw&T+eYXXR>>V(sP6Qz z3LH``j@D?PYv`&@mQ<~lJ7<1P`gAgtRAdNdh$vUDMBreWqfdcl8eR z3K~Xn_yf)lqu2Q)t(BtBopd9CkZFC+)ckk!8n!Xi@G8q^Y$@>$ zysAwEBO)&OYG)sugke08-Z-%XVvfF| z4#(GTDVE76mPq9+7EqWIfqeSphMTZQ;woT$=l2x!Qqt4Xm|S+164xTPE<^7?$HI=R zFjYB#pLC6FZvkBnGv|eXUHu8SzTe{6(7~WKMhb5&qEh)=(!bVkpBx(&j^6zp0vZM_ zBfs39uaOIDn-UqKmsJbLUR6hxE#E$S6brsEywIVCx8(eMS-s%OVKNL9Cy#4e#2e#} zrH0D;B8;1U?oI<7`;JVfCNf~uvUxn?)0dki6lOpSjuf<+_C2#}@H%3@s!o502ib|; zZ+-uGEyeJA+rzPC!Qw(hjM@EiJNDjekN7{?e-ibGTwiZ$LF-+fL72&8$*A%8){>1S zbw;ZPSQKDKeMN6Mo9m$Ly-eK|1S{1Ff(~}cstk!Q9LE?8@|`kVOkR#$^kMQlyoayu7KYfA%}T!K{9_%{ zswUg_k3g^rTV}6DIzEx4Z^mXkNHZ`lLs5-tS`^^5OBnlV(=E-;D$EHc> z#9uwn2f#!FSdy2Q*D2ofbbnP#M@J6O9z0I-(#~*?Hfk#%6i)imBN#>M(Q?A6?QZ{h za_!yjgZfNWT*%bfiHX328*sy)V+UNlV;5Yd@MB71bVH=7L60@3?1$gOa0k_AVRs%` zZUi}?b{|piK8N=F_S^`e$Qv=8a9ZKn(5Yxt8J=-<&?Bt{ZJpLs%j0fo3@gORTr-otdg97d^R7};`uF!Fg45Kgw%6%dLb_Wwa(J<7~k`@&eC4Bf$97L$4nNd*B zu&~obhVE?7gJc)bm*gGjH0J~5QY;4X$8cG#1Sp80wCk15RUZo9sK$H}HkQ~>1;Vr{ zg7)GLJRh9CGCn?+8NXP~>{9LK)1dqIlWa) zG}ap{PbwOVi{tzDe`c|)>nD5~K?RR-cbe@|(>MCKD41e_Z$++A;YQa;L8 zqiO7Y#etyOEX+1DI!Kcf_V9iIuk@u#c-pyL@vv9Mc-vq~xvIh1J9AND&`kt{z0;@K 
zeZ3~J!PkCdw(zjFx>_A{oXd~bckbM|!-~+%S1M-~1CB5}G5Mssk*ZnoaSGtTF}U{q z92CPB=9hjH;e;~QQVS{r=rE1o&FzYk^#N1Ef%0%o0T}X^(xzemDj}%Poh~_yA1aj< z)+lxIOT#*qGp8){JegDr0xUT(YCK@a8s@rs&BVl%)%}sdrJwa3Dg@_lQDzcWOIq;c z zaoobE&(px=?~5-X%Pi~csg}72X_z8;&4!pDe-?Z8aE9-DnQBl_(D@UpN2tarP(QVb zy#TvYZ*Om!U~Dqvs$gtA5Nl4XW|kRs=O5uk~;D z51{#AZ-Mav_jAj)PPm3rF}NYi*xv@YA$zAUg-Zp`fB@*-pE=NU-&m#ERx{h5n-y)P(f5c zh0Q2C6r=@M9&JwLqe5=&-wsIHGB#9GEMxz=>>GUaLOCmJb>!r1<(b_}^BaB|WCC3) zDi0*5bmOgvoMii+H|R)}5hG3_pD;&KyzSyYB^-h4SZ-?=tJv}{^W;qM!;Q~U3)D=1 zU-*zyE_Cimt%RJ0EdvC^_pZcHT~<~t9|36L=cqC2g9pu?%UfIh9J2y({x^Xs2#cd9 zsGZ)0&rV+NIm@l*Y>a{dVi|LDX7WEgr9aETfX{F<@I+#rcU(ODW`hxTzQU(~q{%0_ zZ!Sfp5(h$V1mLPkQjx7#5GD8$KHn8(d|=jr7*Rr4kp5@R?%X<7yC`y5UZBNuOh>PhFz z@egELAOR=CaqTP_4SUI3wK2kBnWyhTm7&`<@!aBwWr5`JSi!ktjL|1qgA4;1xxS4& z236Y}J<8$yP8}I-rVR*$u2ifpjmuf{OMb^QnSq8|$klpO zpb!u3r;$HKk|ERMGX0qooyduUc|isF$m(LG{6QMi{(h>ECNS@SWAT)AC=xoWzMm*^RHnGl|8 zvP`4c2^~PQo}Glq9WjY%aqVfWevX?Pofc}>I3G-4SRMAr%*vPHPN+Ld>}Emcw<(ya zP71aPdqD9bGc_!=`@=VIR_ltcuZ@%VL_ITVn4N0>;s|DUz`-aT@gKJfxM>fP2E=1H zTyMwP+H(4Z=>kH_eSWhb0@R%d2~wp2Peqs*|APsq`Ntffrc9Y`345P2@`whte&l9i z<&12)b!yKs$oJlipq@3m5x8;;MW4_Hqxf#d|27qQm40Cuwll-XWk-RBCDU25I&Ihq zyem^v>0o^@f~$q2wZYZ3fP>42u%xUUkoOP3@)f8;R&)AsB@9l4S4lI;HVa6tbL^jM(}PG zSd7;OkTWR&-quB7g*)lS5ASkubFUtZnq0@#0=?NW=?fJ@(=Ry^WM^HD47!0d({oB!6TGAe#15?BkI0_W(T#(A52nehwj>K zij&uF(`+tJy)JZ_*1Bnv~T}>*a@UEZ3UcIkh1l{{pl3xMFD#)bx0`(_d?%K%IR4_BoSXLRqqHOprc+qtrBB`jt zhK_g3Cn3n|a?YhV>g+7b^H7q0RIGrK`a-sQlQ*Ttm8ExOOorFyP}6zmEyx@Vd*<Ks%I{BgH{iMFtd3o+NaYD$*k`#~IDlyU#_)3Z_Uts}ln?d3o&@Qh6L<1uMC@w2w z(9zK;0T)&aaL48}U`07(eUJGk<;zpTA{;N{G5O9iF-6onehn!KcdpUL?I;e7+ z{+O~BHy$B&fna8fL`^%SmP(1|$(m-oDEkUT&!3IhZ&fttD_V6im-eQ!#DUQnq^nv_nk~ z=}aa2_|69s+CPs-B|(-z)!`s8hp(zK?HFs3SP_);`xPx5I;4eXtq+- z9jKe50;igl5J1S!ZSNn{?xzKu#HP%xP4gvS;iCb}j{?X4zeJpUOg*!NVH;D$V5nYI;jW zGD`4y?`VIBCLb;wo;v6ZHP`#QWY+l?kRF_zoKSp^&>IMdic6N3=0CfR!UNg>Xb@4LB@Z2O0QSt|V3=U~}f5d}{5RaMwNWp03Kib&QMhL%BaVdC6klhH`!wvpoew 
zx~C_I$b+A7hby#P&7$fq?hxzj`@k}ufjuV}F$!2ZV*v&=#rL_2I&S77`l}XVWe~D z<~-xK_d4gtUgxZJ_IB}OmJI8iH|BZn`?{|P034(Tb_V+TgKhRtR?nVv^}AmtReDhP z_>x5(o*ZXqq^E1JE?NQ6vJ43_jXL1r>oE@7{M3L9*6&x>-Q23e--S+npU`uE+`x4& zQ8m|Z_Oe%eV_`=SqCdT-JW3&aZ&jSZR0tD(_|gIA8NCCb!G{H}CeTGncyGUL@^D zH!Adk7wa?&H`kY^sfwuL3`m^-(qLrt+j?q8cn8$A9J-USF_M*K|bO+Z|m7erZ~Z z?aJ0JD-+I}rn@Wm&Ic^afwVdVD(-rDXmgGr*Ui)&yhf)Hn))KSw1SYijB?28usm^c zAPiZcXz_`r>2Ao=o@0ex(7=OvUOz)bz%o@jTjbJYp(lRn@GL7| z(LVp^5&{tZ_-L?@8%w9dp{4iZ+g!(W}fjX$5J{mw1-Q2FY5C9`Ais1H;2qH)#6off&T@;9Q@PO@HP4lBNZs^8)5twxhiK5E)KqH^Lqba z29wrjW zZ>RBRq_N?j0z*pdzs4gfPThJ@PnzeLTE z*(-Pd9G8tQFSzaB9mL%5l^OJ2U1(-4x@9fg@U%A2tVwfGQsOJiJrg&f<}BR!(xx^T zZuQ7|AxZtbE-v<6WD2?rm#!vQ3`8KM;8Ftvq$S6D(AMNc$sOz4*1S%F)aZQNL+OZuauE^>pjZVn5RznZ6IKR^W}75q0Bnw=B2O$?;nXIfqz zTmXuH-nW{CRN}ETR|kWCN3r>zN5TKIEGpOW^PR35fgOmYH%mPVe$M&qpjll(sR~bX zpy_I%nd~CjJp$iIUg}v0!o9=HklU2#!T4t@?QTDXKSB~%L*ugfpZyFaPg85EhHIjSTl zNRud^3JnY3E(fB$^O0qecyMuy9ejVk_QF%PwGuo=f3*1Bpl+_Nc|h0##$|b^$&`Wu z7J$IC69Q}{rKD7Wi-Nzs8*;ge!}GxGM!dRW4h(W_DM33}eRD8beYs2N!NWlXw9Dr~ zpyiJPvigg7N*2J19gXiwjqg0UUKjtr?Q+~Qtx~pu-|v%&^x%ZKy_>&LzfOLo{-vat z&%b*6UZtdrArGgP9l?=H4o$3NRg_w{FA zM`i34K+|tta}6@(gNc{&+TVK%6B2O;p1PP%b3CSODgNE*M-)vEOH0dfRF1hv60@!( zK)IM);A}THH>hzO%Kwyv-QumUuK=@QYuY!ZOnY^ET9l1a3_b#EZ)&UPD3#`0Lg)=s}_{U13f)Pcoaf@{0;T>Z-IgV z#YzJnO>$KgtudniQQ82%%6tdE$ULUwP*Ay|bGsNf9?3j2d z;zxvI?$L~wu?!JB{j0QM<*1g^H`pVSHCO+zX7{xJ%-i#=pD3-uTXSJAwGj1Zk}A|6 znfp5zKaB`Gsb4-B{})2>Y4oQlv8nWZ6>1+}Un?*f^zEF|o|i8!D&iTW22!Yg6OXPi z!e1bJ0!*DXjw1-b+-kHOLfIyxj1J8Jc7}GXHxAW^69>Y!EEL}x*e=P3K3HMuD%+*t zu$=7w1;+fKfT3*A17s=GAn)w<>-v3b0gsPc0iC<3F6q!)Xm!cFd@&mco>>5|{U)pG z->CF7-+#GH3uEuYLUo2;*O?3*+*p}kG0^njXk*;v`oi_*Ga8OFd;_OL7Phy76qJUY z4kn9QdasUrR(IY=DC486=_TTI)9e>){GK>eZmltphgrNfR$L^%b!O}2xGSJh(Y!tN zo{z_!G+jq9Rq>Rg(24m-*7BKW{k)-j$bRc8{n5pkcF_R&%;@W0wn1rq5mGQ=TwO`m zpDy_#mb%6Giux_v<7=JCA*Qq6%wH-mx44SC zG+66B{(R=8{hJPjc+mivA~d^8K|vutF%j<1$jHdcO=1EINvp^}eQgcWdbC5ctNMMl zx1ZHU7Eu#Jes1jUhylGYdBqNjGYJN!is|2_U=dSsrm%+`6PWan-^Hhuuf%2=(q;gB 
zX@5GYiuI=0SiC&KHQ?7THDK`YFrCjeOqBth6pB8iwa^k$HvM|UM31wq&hoLm6zy3{ z#Lisc=g3ws?|Njl5nYC~)l?7OtQ&*OW`v8Fv^$q#c3eLxy^!FTN}H5WL%+xQ?tH|d zd>7=Suc>Nq?3stb+QNY%d3&vR!SAax!*a?Y62x~@?ZERGp#7k&kq1VdZ6Ap7@I-(v z=D(Rok!3E*VM-LC`VM3sj048rLcivpMQwY5>w6TTke9?ttHwPnjnT6xna;28UzI$) ze>mt$fLd8))c>kl09*R8GO~s0{a6@_g##;URY| zPPAf8*Wo4D4C98YTZE=n=jdo-Z=0K&dpg7} zcu>t3h0won73r6>^<`y|h7%n;;!#i*DysG()N|x<7BV!DkCK2m`yAI-KN`2%>Drqk zHg(4V4s`^e_BYfvQATHNM=_M0p@Q!}p1c}`H`k5_>B2^zKDd}MXz}8_twa_?K4ONO z7gq4Y2p;@>*w$oB5!JCT7jAJN_g+G#MZofT7_4mKb*3^bqDAQs4Yg9OylGZOa;61I zIj}BwC@cSSo+4LO0&glG)59$Ik#ZPBGGvS#b>wqBf&R zfc%Uax%95CuENc!X=oZUO`CfNC@F^<;Ne8f*#KM+91EEf2G5Ql@Tsr@5)<b(6qCSxtS?PZs>TLqtnAI=moUfip(L%^{@F%)*DJNKLHZXs znG3|z;CzD-D{s6z^H)3|WWLciF#s7Oq?UcL^FRYZG+fYwyePJw*0u zx~l4lA2P$w8i7ArpgbbnTYEIC+WEwcNUxbTm`yrDxKC2Y>|xu7V1A2VflKlGMt%V} zDhwFsZ=VRNt#(O_BxmrZ86cN`>hM)m2N>wG zh3E9GpF+$>-gE^ts5Ye50^$TuA8dEVjYF~WSD^jkNLA=eot)vrlUj#2_HOg~~wtnoz752kWEzX5!|L{ZU;J#K9jN1Eb6 zls?K@&*dSzODE*{Fz%>{%VbbyKGL}cESxChp}m{a>D%zPz9B3%wx&2bt}LT_Qr@mn zL_qb1A@HKQ^efPU9Q!|TFHbZu_?<5pAJNP3wfYge2VbM@IOW+x1!;sD){$gZ|7DQ) zTkC0#;wYafOp5jW_LRy>wgrr+%`egs4_6DAvOC6|Vhbu>1?IrdaD!O_r5y}>?w>Nl zHhQ3vf9s_a#QN^{)zfcCJX5X0FKnQVGyEeK&rSX3M$Xqm1ZTe3*iTnBHiv%GK-2b4 zi}v3xDJS1(EAemRG-Bvip9PP09k-{Tjm~S>w|umoD53pNghi(lZ07;>j`TqxVAc8I zHn<)hQM<%haHT8nMEIBzcZmHGqQ=#1wzcHKdLA3TfwRec&sEsKwa!}X!LdjzhA!nn z_@eio0H5>f6LSlT|Aup)q)?e`IVd}=4$QIq=vd$}ZgRX8^RMS)`Cn*S{u95z{#SCB z|9`)l4Yj89iAIA2>(9-d-wLi!qMb#DG$nBZG?m`xJcrt11s!v<%CQX}H8^R- zx-?LyTRf$X4 zl;(G6INlid3vVZtM@!BVl{kd#_hr^mI5n_>`>N3e+fDzrf{tcJcAQYd!kxZA31lyY zMV56dalb&>Qvk5(E(_ul`ZsA;a>#p53pdVA(`TFwC0Acs38$K_UJE%C^(y2QPRsmV zS?yC9)!>T!wniHl-V2S|=v@*~OHP*7kHaj;dYyjHm;W-JOs>AzMny!F0FaTg*Pjbf zaC5$iSxvN1RWsV#f1iEY9$!M6*aoQ?xcKOj5}*77hxQc$u_Vb3&l^!wM+do%$f!Gl zj*-6jB!A=#cFVvFSPrn#2+VjW+E#YO7K_%Yl8zT&ObRTH)L95AEgn3sE|LPeczLjv zU!I-4)zKjx`~nT+d-JBStgI|*V5wLWBnP0_FQ}xBvND!~)6+Tz_A#K8`hU0LrNoFS zhX4JSqfc2{*wmwOWy)FYzUE-s(5uO?b#4K^B5Ha1yR)EK z|2)WnB~!uDYjvc(Vf9;1Vg2c_Y)Q6^g9G_ev@zDS&VjnKO`B 
z<$-?nm1u8Bd43aJ7_SB%)J=Z-DZ-$YFjihMoCT$2Gg_($N12v_>_QZ^o|B6!B@Ftv z4D_5PrlwYa!UWnWz$3!|*4r_XA2>cuzll=mNbHCg$XkfL-P#}%1~sUP$b9p{)nD(! zze8Wdz`px-t{%Ui2RD;D!{TUrxnO_$8LP^9v;6^9=ywJ*kP`s{Uli@688eMZfCgI; zz}M=oKmp+oG%oZYyoR(^K&h&hU#cqt(`vlwc0vkfS{1J5+f-mR*{@dKXRcV*B;@(}vHE7w8f-+m05-UqVo(~40eC938n(x*H~i;o1#NVt&BsD z=4`!>4xZB9tKqz}=*!73xQ47LhB0!^>d%VRo~g!v(kQh1**KW`I&!unrt9p-T;VUh z6p7+r7o}+ivgSoC5w3JW=uVeL-dsazKX5pBp~f2KcT_})&+T*`iG=?bWIg6n*D+c(`(9qxA1x6vAdqDXyRDh2_a04Rr zqzd*}!{&e`N@?DU`yuZ7|Xro>H zddYo!HKU>9yen5`vsG$15*g(uhBD)Y59?dg=K!0nrw9EWt*Zj%TJVTes4nyEC5PjU zwUguNpQN*Bp%%bO^GJQ`2gdPZzy`?45cV4x!)44@s<9QwHRUU1w`l4A4J7YLuj~jU zvJpWwM57#W@DaegcpQV$N4UJ@gjDF=j3VVjF+v3MF=3jhqn$4qpsR@xYYgY9GFpsB z!etVhbsz4JO4PV`+A->@jkA_ot;B~1Wj`58kRXvpwkKNYtzH#1xJXyVjQnse zc`Ayw9v#~ah+rEZi!l2etG|7=ApEAAJ*AFNS>M@x5$Tkv%bS#R>9i&<`(&$SNcjGu z^6aPc?{;gy8;xe4Yia&|eScTPM96P*ut)HK-w6+Fh zEcAWFB4U`9ATwO?h)6_-Ycvbp z?3Yly(bdLP%_Bi_8iy9;XW&uLR3j;Qns^DDNd$$e4Jk#z>sz`9ku_C}Yx`UVxRkR#g z0aNlc^LmRxzXR-t-+;koHSir|N;9}=;pYE~E+&eS=7GeYED2VFZ-C7ifseT>r>{1{ zLzl2O%0l)Q(uM=l^+;l>P+ngdR*Qh0 zheu`eN%Qria@L6^#0bfM-g@LEwa!S!y-JQGF4k2$kt4`K^Tix70l{xF?I$3~?8|_U zoC6VrGC8qh3-}s(ZWiYMGkV$lMbE&(vI~ry!2zSSLzq9Q_nQI4Qc6F<;Z&@LKOwg? 
zMfqp;J(Bj<@GU0~l05;s@DKvgbrqVA8$DN~M4D~h^u)g#dXE;qxkXA}&@YMm9njOw zadWvod8J9xFHU;5voMb%b@BnL5h0x-s%JxEI6j1N>`yENFAuGU4^i^GBvN_49 zX2{mj%53RoUui~vj7hHY*WiZ;4)!2wcnE`O%NiuRZ(YG;w$xCo6GBhnEp*9_3L2rA z_L|jbKF33`9MtCOd)UfbI5;>)mO6q_A}9i4?&=;he-r+<8uE;U-gV5jqI_ZpU#StMr zq75+LOINib!ASNha^*|coA?o96aqEFRe`OuQdf<~cZyU$-)~CY9o~`#(dJ}kWGXZ# z#V1{YKUnWVBy%Y~h8>|-^Qs8pZul3urdWqx;!x|rGSl6K^4@*zq^IvHzoToZene)T z5u4nDLmAOULKGlTPHNe>w$J*gUG|0wp8xyxrf|x`?0M;45!PqK8g=jaKHIh6{G*5H z{;R@~`!UMO9WjRDut~!k14>zo#Uv>J>kg4g&a?v~6!ne?-rCPqeDB(d7`?4;P0Y-U zOy;cV;B*SSz*2q^T#m+O8xmP zbdCqxB=8kw=Xl3pLZs^iQfY_p`kwrdv=J1pv<~;Ayic7ay)(sSlfB{cHZDn&JARHj zwzOMhsIJKKc}Guh5X4Y#{HMM@*izMEvbUMdFl>1*Ml#pz>5P;0L7gV`kS0**3 zQyCl4-j*+m2Edf%ZbVwj{_26`4J8id6o$0K=%ENmE0u7#!B_wUv z?gXQMb>@24iW;SOp;gD|Jo^=C42z)5{xN(7iE7r&WoZUljkVBaODBDF-&bO= zn1!$1R9JViA5h(^rL6pMu=qCHUHrE>xx@X+@PfTq`qRTC2v2&1m(^WM6%5%4ez?CSXMx0wX>i1g zC#LLeXlpU?F~p^UN9#1dFX*2BcwKb*NQD~4yME_bq!Ia3&)=8PG}DMT?pH@JMKA}B zG&1J=H`5lbsWgA52cU6;Lk+%~fvmt6U@7?d9?Z=_By=!N2+uaqR$3$P);kO2GVUtI5srfwzBZb zN30~u+1(+R=*iVtGPeVT!1d91wZ$Om?%r$(tc4#N>X%m>>FjmfuY_Cp`*$9B&EQ+a z{Zk+>E!jbs+Fb#Pd!_!_N>NXi zHloF@yBdKOBk_9@(QhY%-5gv*gY()LaHzJLt+l%{GS#ps0P91UeQT_~0L6JzzIVzQ z9naB8z;%VZz5&Qz) z4o+u3FdCgZctY4aA(WRt-pddCVD*ba5dh40TM(6weEL#C(5+?MVIuamjvVQW<8-2w_SSn-xjT+3MqQ-$%Mn#D*Vq!qC{a8i@S3TVtdVp*ek0Gdokub zqb9HuxLk;|lt`Urv;lB0w_}yx-f_H-gX{XBg%>z|R<9X#LN50`=@!0FS}`G(OU6^5 zH?ALG?SwDL;?}@hwV*X$HZjK=o)|=Sw05&%o^jq~b=>s5rw#W*1-Jiq-{xzU&?x&8 z=|k6dEjILl_X`fjgX0sy59NTQK?BnT`8582&~5{PY1DC{^S|^3TrA1kE@?yIu=`$_ zQ+c0U0e#?Q3IJaWGIj2t}jg{jHz(_ z_MOJV2!=yO#eQK_wBBuqbZ<7wD3^t9T8r`n+qyoQfHq{ZnZA+_=M$ zE6bEV##kIp;_?(7$|w`5@pD`keN_MN*G>DGdd7+b=R#WgMkRgkRkagF_#NJ#(V)oR zt8iqVTvE{7t&9IVXpoUf`l#x|+MS(UUUEVy5>|KaM1|cUMLU`kvQI?5%9JW5{@ocu{n@Ny!EHm35ec4aoN=mF2^r-%XLK*j_WsDdBDV!SL*orsG+^({ zb5dRkF@1xYH$t!_X%p@_*#;@I;c;>?9u_zqqK5&sLSULvvtE*licE5xg^ILZSnT3L znySlTP+9*-W`!e#&z)TNW|8P$f+7tcLbUqQN5z4YD33mxvL&LKbUu$vm_Tb!m5Ke; zix@VBB6?b`WQn=)$u`Zfy}|HSm@>EE1zw!Guz_E|6%@a?8cUsWf?fELZ(|XovlH{J 
z(3IL^R#sL;iG!1qRYRkJzNv5`QvkO|?vp;pHasxbFw8$(${yFCv4226cRJ!^f}Q8Z*hT_-Z4@fxx|2z<|4-s3$$AzFrH&7?+b( z?JpJ_p8Hc6985m?d@Xc}?w_tz(p_Tmh{~Oqz!W13@>En3Q})Mqqsrp`hMn_=RG(l^ zx~4>4!9U@OKBOvp@W1(5PaihF=Sb|Yg~G`$elBoKNZ?e1Pz>9(T-;<-MXnVC%uuE_5Ok(#o)v-XA$B*YO8 z_niPsUJYYHDb$Bwehh1X45xA{NdOgsM~4>1`o&0>nPJT~F8=sQaO{Sfe(KH+MD59KjaZKXpLz=Q;3ji3vr)3g3N=K z`4)5M6G_jyU1n`T^FmsTmoktC$*3#G(o;`lDs2f|V=clf&RCusU0pHU+T)qNHdXn? z&w1*2UVoF4R_dp(k;|ddNrowFc2z4Sa*bo{p8ft1Y05hgAD=H}bjty&v4*dm3vfV}w#^xO8 ztn{-@vyQQ$V^ZfUrZXfbCogYp*^r2#E+pFmNsZ9#OkW6)78|}j7?7$hHoY^ z>wfEgD+U{Q53*EBbn6s>gu}J{8C`v$Hmj{OE9?aC;98#B(Tg6gZ);+T)tyaO3o5roGH3%J?-z z&`L33j_-ZCn^3G--Um>nuXL|9ps2e`g?N^qpd#-AzCp^O$Uh~Qe?N$xkC zhOKnKfazryUH?zlON=3X$3@Iak4v;zs5huRfA8|W*oruf)1Q9T8bHNX?%Y)3jSRfu zNj=}?Aj#S|P@FgSY+e4O_JS#%o{B!v5%tK6gGZj{#S2Mb@1IvyrRwGFZGL{R;->pZ zjDxD*X0j~dufZ4UX>zF{7+hkbd6@)bpfLFLJ3_v5LhDF2sILf4|$B>u~;aa1E; zXsC*%BYoBuT_OX2KxVH`l=4;rR4+cGL3=&(#!e4{o&Jvd$DvL7F$cFDVx(KHM9alm*^%M=XSlj4ThV@1&%pYU{S9S65dAhpyt{pB_6I8ZOr3DTg7amO~(mVKpzy zNyjdNjpdlt!mvb2XI#wwXl+-M_cE2Uo6W3Qlpxt(7dK2sPq1>N^1q*Z4lUL)ceC%- z@Wq;5aNLk$s1Bc?{AEgi?rhdkoGHCnh*N#lF*q+K>)Ps{Cg`}@(rw~G+bZcaS3Y>#isx|n4`j!($i ze9Rn46G)HXb>(wI0+nlf6MF3WFJY7MV2=yh8p zeC~Zj9}+_+G{1{GutV(k{8H#lPlwV=`{&bd>-8X44cjrD*}+HCf<=$(wWhLIUE*6? 
zuWQx7Vc4k($LpY!jg`yH=u*qJ$;=f_ap$e`w(-fGsLX`iG{5uyFEwu$_Y&FtZJJxV zEcr>H_It#pxCwmvkv*(dkCXRwQ)tB7^2pK3SN56nyKo*SFC*rTz}@QRx?+>Gd= zm3vshnWGPUa20y!XvvP-3o<|7p*;JesZ+PTw34@G*K~$P*st$!9ak;ns5sGfwIp0S z(J|Yt2vatAO)n_1<#!5#ZU|kt5o=w|r^%Q}HVS(a&Wqy*=&DS2iSUN(7PC()PFws( zk*k+V8(S%*r*iTa@(~@xcg^CqaGp`}xNF&~!rB+y{aI#VtaqYM+D*21HwrN+-Sy8y z1=&?6in$hTe4w6k>=U@wzx>?=U6see`gd004!XepkOs9Uv0DyFD=J2U%k*bwiTU!e zTmMU}NpowhMsw8mx6A<31qygpooeaE#zqd+C(y{KC`$Y_CREWT(86I8%J#TfQo#04 zuJj;9Dpae!c5OaWrYl8&p`C}T&Np?t>7qZNq>LWk(+bbEEEE^LUzdLCtv^6Sl$7g; zYud@QaPq+btuoklZ*@G=%ED6^CUg~HQK(CKQA;%{6!Uotdy4sOm3eO@hMK)y*HmJR zEPcwZucD0~asfRGtNku?;R^0v)5>e3-0=ajSAQnvYhR^1DcAjUEn@Agp;hP?JA#}) z_&I{TJzGd`d{*cO?)7^_|L3~-IUwgpZTDbE84XmYl7Ovh!7WJo)90s|qI_XV#>|Uy zjaJ&I0Y7Q}d4d0m5KZH`u!{2Xa$puIqpTdmq~EA!1G5CaNwh=SpiGSl>iO%!EHrgC zlaEh2zX-=_y9xfQptz9)RfRdu@#9qVtcymD`aS7>4)6ZP z*#)6)x(zh!1K?O|F$T(ILqx1kHBR&xHcbrta8 zai!S6I5Ri-!e-^;qO?LkeQKZJTYOY~QGX9%08=1h(JP=MEa0vsrL=hkzy6wL(w%zy zydQ_Z(6v#EBT2K#$!LxMF=*Mw{r(B&sm9!8v+bK(cQ+E#0aKP9GDR4U@6j9W>ZR`l zEPKCpv2}-hH2GU>`NXGQ>p*Mu@4t(!Gs~OcF~wW_Q$aQN4U%(sKbI^VO_|gYza&R=J_PH#q?vdnd zL@y?O#?&IzxY~q&B;lvWZvTl;7RlyrJ}Z{qaH4Lg;~FxYpRUxz46kwJqs|^Fxg(&dbuLdRFm&$wdK_k#Jg7dWBJX| zb*mS+%7VT+piyE*NXpsC+W9xtzN@vN0pI-@(8G9pdKNy(;mFRAS(8K><((nuCng#ydDIQ9ztsh|oBU{h2qq~vD8Y8q_& zM*4@^hVVn6 zepq^1S_S1)Be<&|Kx3o)bGIChsW7zl(WXzumoh}CvztI*06m<{@G_Dr(Ls8z_cU*< zlQ4O3#`Cw`f;a!BiJ!XzZ$4gNZVohZBJnYX$HOZ{{ek6@K>`Rw~M zDU|r`rhb+S~JBW zS()MEWgvu`+{>cJ^+N;w!wVjooJi9z`77;7)#IP-;3Q+=8J%)&{Iq`U*PIh~{JWFx z@Yl_1e+u?DJyY=n#4g_Ve?G`3k1b-(C|A-{u3Q|Pt_Uv~^rms>Q(tM>$Umg&23iYw`7}_tTsWCTQ1$UkVrkJo zXB#h3h0UDID>$|&l;YWx2u|Mp->H#0kxx;J1C028{{I25nN!JGFs%HN8r36_{GWs> zUcqxZx`p1V9Q2#Xw(I#uFlXiy#G@Jvr2B0^{eGufa*I=oN~K9@r`Z5Gq-p%Vd|3Rz z0bi(Msxj}4`TqV%3<;qe9ld*E>&XE!?u_I-*0%Ws>j_t6gN%;MXR~;gvGh9_ng036 z{gb#qxwgsiyqe8{_NLt;-0qL$d*XYVH}3*Cy!2mBOx#Xy0^7-8XJ^kVER+Gk1TM3d z#XNuZ_E-}V62>MbUI5`~B6R432|r(~lSMClvX#br@w%ZETS+=$e(y?+FSF68$6-QP zZ@Ngq=?t;R7%X^G`nZzUEk9X9qqGTGT7T-;OxeR-Uw{(-Dt#?){g1bb%erqULrE2^=I7wJR4lOr 
From ded7288bb32e02c2898d4e769bc3b91f049c64d3 Mon Sep 17 00:00:00 2001
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 16 Sep 2022 15:22:31 +0100 Subject: [PATCH 05/33] edits and fix broken link --- .../admin-controls/configure-ac.md | 2 +- .../hardened-desktop/admin-controls/index.md | 10 +- .../how-eci-works.md | 38 +----- .../enhanced-container-isolation/index.md | 123 +++++------------- .../registry-access-management.md | 10 +- 5 files changed, 43 insertions(+), 140 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 5468021c309..c1bc96c9b1e 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -20,7 +20,7 @@ Place the `admin-settings.json` file on your developers machines in the followin - Mac: /Library/Application Support/com.docker.docker/admin-settings.json - Windows: /ProgramData/DockerDesktop/admin-settings.json -- Linux - /usr/share/docker-desktop/registry/admin-settings.json +- Linux - /usr/share/docker-desktop/admin-settings.json By placing this file in the above protected directories, end users are unable to modify it. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index ddd18bf64b4..8bc65c1dc23 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
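Review bot: the corrected Linux line still uses a different separator from its siblings (`- Linux - /usr/share/docker-desktop/admin-settings.json` versus `- Mac: ...` and `- Windows: ...`); since the line is being rewritten anyway, make it `- Linux: /usr/share/docker-desktop/admin-settings.json`. The unchanged context line `Place the `admin-settings.json` file on your developers machines` also needs the possessive (`developers' machines`).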
@@ -32,12 +32,6 @@ Using the `admin-settings.json` file, admins can: For more details on the syntax and options you can set, see [Configure Admin Controls](configure-ac.md). -### What do users see when the settings are enforced? - -Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. - -Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. - ### How does this differ to the `settings.json` file? Using the `settings.json` file to pre-configure Docker Desktop settings menas that developers own the settings.json file and can therefore adjust any settings that their admins create, for example, modifying network and proxy controls. @@ -52,7 +46,11 @@ Next, you must [create and configure the admin-settings.json file](configure-ac. Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. +### What do users see when the settings are enforced? +Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. + +Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 8f72b1adeac..9e9951519e6 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
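Review bot: in the second hunk (`@@ -52,7 +46,11 @@`) the re-added heading `+### What do users see when the settings are enforced?` is followed directly by `+Docker Desktop users will see a notification` with no blank line between them, unlike every other heading in this file; add the blank line. While the section is being moved, `or **Preferences** if macOS user` reads better as `or **Preferences** if you are on macOS`, and the unchanged context line `Using the `settings.json` file to pre-configure Docker Desktop settings menas that developers own` carries a typo (`means`).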
@@ -8,42 +8,12 @@ keywords: set up, enhanced container isolation, rootless, security > >Enhance Container Isolation is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. -## how does it work and how it differs to traditional rootless docker +Enhanced Container Isolation takes advantage of the recent integration of Sysbox, the secure container runtime created by [Nestybox](https://www.nestybox.com/). -- Why this approach is advantageous as compared to traditional ‘rootless Docker' or ‘rootless mode’ in “other products” - - workload compatibility, ease of use, etc. dive in on why Sysbox is awesome for both security and workloads +Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. -As such, we want to move to a model where the Docker Desktop user whose company has opted in to the Hardened container runtime option can still run all the containers that they expect, however they cannot gain root VM access through privileged containers, they cannot modify host system files, they are running in the user namespace and they cannot escape containers (bar kernel 0-day). These specific enhancements can be attained by integrating Sysbox, the secure container runtime created by Nestybox. 
+Without Enhanced Container Isolation Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine. However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. -Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine (e.g. the Mac or Windows device running Docker Desktop). However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. With root access to the Docker Desktop Linux VM, malicious users could potentially modify security policies of the Docker Engine and Docker Extensions as well as other control mechanisms like Registry Access Management policies and proxy configs. Moreover, whilst we have not yet seen anything of this nature, it is conceptually possible for malware in containers to read files on the users host machine, which presents an information leakage vulnerability. -Enhancing container isolation by ensuring that containers never run as root inside the Docker Desktop Linux VM, therefore preventing them from potentially gaining control of it. -Ensuring sensitive configurations within the Docker Desktop VM cannot be mounted or modified from a container. This means that the Docker Engine, proxy settings and Registry Access configs can no longer be modified from within a container. They can only be set by the admins for your organization. - - -Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. 
- -What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. - -This is all done under the covers, without requiring special container images and in a manner that is mostly transparent to Docker Desktop users. - - - -Normally, to run a container with Sysbox in Docker Desktop Business Tier, a user simply adds the --runtime=sysbox-runc flag to the docker run command. - -However, when Hardened Desktop is enabled a number of security features are activated (see above). One of these security features is that the Sysbox runtime is enforced for all user containers (e.g. the --runtime=sysbox-runc flag is implicitly set on all containers). This ensures all user containers run with the enhanced isolation offered by Sysbox. - - - -Currently, the Docker Engine runs inside a container on the DD Linux VM. - -Security-wise, there is no real isolation between the Docker Engine and the VM’s Linux kernel, because the Docker Engine runs as root with full capabilities inside a container that shares almost all namespaces with the VM’s root user (except the mount namespace). This gives the container access to all the VM’s kernel resources. This container is spawned by containerd + runc. -As a result, DD users can easily gain privileged access to the DD VM (e.g., by running “docker run –privileged -it alpine”) from the host. This means DD users are one step closer to gaining privileged access to the underlying host (e.g., through the interfaces between the VM and the host). - - - - - - - +### How is this different to rootless mode in Docker Engine? 
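Review bot: the hunk ends by adding the heading `+### How is this different to rootless mode in Docker Engine?` with nothing under it, so the page now closes with an empty section; either add the comparison (the removed bullet `Why this approach is advantageous as compared to traditional 'rootless Docker'` was the placeholder for it) or hold the heading back until the text exists. The new paragraph `+Without Enhanced Container Isolation Docker Desktop runs Docker Engine within a Linux VM` needs a comma after `Isolation` and drops the example the removed line carried (`e.g. the Mac or Windows device running Docker Desktop`), which is what tells a reader what `host machine` means here. In the same spirit, `root in the container maps to an unprivileged user at host level` in the Sysbox paragraph would be clearer as `maps to an unprivileged user in the Docker Desktop Linux VM`, because in this design the VM, not the developer's Mac or Windows machine, is the host the runtime sees. The removed sentence explaining what VM root lets a malicious user do (modify Docker Engine security policies, Registry Access Management policies and proxy configs) is the motivation for the whole feature; consider keeping one sentence of it after `or from using insecure privileged containers.`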
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 18540306efc..5948c3db3a9 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
@@ -8,116 +8,51 @@ title: What is Enhanced Container Isolation? > >Enhanced Container Isolation is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. -Enhanced Container Isolation provides an additional layer of security within Docker Desktop's Linux VM so there is strong container-to-host isolation. With Enhanced Container Isolation, Docker Desktop: +Enhanced Container Isolation provides an additional layer of security was it which prevents containers from running as root in the Docker Desktop Linux VM. This ensures a strong container-to-host isolation and locks in any security configurations that have been created, for instance Registry Access Management policies and Admin Controls. + +With Enhanced Container Isolation, Docker Desktop: - Has a secure boot to prevent modification of Docker provided binaries pre-boot (e.g. docker engine, containerd, runc, etc) - Prevents user containers from bypassing security controls and modifying system files. - Prevents exposure of docker daemon on TCP without TLS -By taking advantage of Sysbox, it ensures containers run using the Linux user namespace and are not root in the VM - -Developers can no longer: - -Gain VM root access through privileged containers -Modify files before boot -Access the root console of the VM -Bind mount and modify system files -Escape containers - -Prevent the use of privileged containers gaining root access to the Desktop VM and ensure stronger isolation (Linux user namespace, procfs & sysfs virtualization, mount locking, and more !) using Docker Desktop’s Hardened container runtime.. - - -## What it is - -Wait, that last point doesn’t make sense ! I thought Admin Controls would automatically lock any security controls I create, but you’re saying that Enhanced Container Isolation is also required to prevent containers from modifying these ? 
-Using Admin Controls, your Docker Business admin can lock in Docker Desktop settings such as HTTP Proxies and Network settings. This means that users of Docker Desktop will then have no path within Docker Desktop to change these settings (e.g. via the user interface or CLI). -However, malicious code in a container could still potentially modify these controls without the developer knowing. Enhanced Container Isolation is an extra layer of security that prevents containers from modifying any Admin Controls or security policies, so that admins have complete peace of mind that their settings are enforced. - - -Containers will no longer run as root inside the Docker Desktop Linux VM and will instead run using the Linux user namespace. -As a result, user containers will be unable to modify any security configurations created by your Docker admins (e.g. Registry Access Management policies and Admin Controls). - - -Enhanced Container Isolation is a feature that admins can enable, which prevents containers from running as root in the Docker Desktop Linux VM. -Allows Docker Desktop admins to lock-in configurations (e.g. Registry Access Management) such that they can’t be modified by Docker Desktop users. See below for more details on this. -Enhances container isolation using the Sysbox container runtime (see below for more info). This prevents containers from running as root inside the DD Linux VM and from potentially gaining control of it. - - -With Enhanced Container Isolation enabled, all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter Admin Controls via containers. - -Enabling the feature prevents containers from running as root within Docker Desktop’s Linux VM and allows admins to lock-in sensitive security configs. 
- - -Prevent container attacks and vulnerabilities via Docker Desktop’s Hardened container runtime option, - -Ensure stronger isolation, without any complex setups, using Docker Desktop’s Hardened container runtime option. - - - -## What the benefits of it are +It also means all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter Admin Controls via containers. -As a developer -When using Docker Desktop with the Hardened container runtime option enabled -I should be prevented from doing the following: -Running privileged containers to gain root access to the DD VM -Modifying files before boot -Accessing the root console of the VM -Bind mount and modifying system files -Escaping containers -I would add: "Modifying the config of the Docker Engine (and related components) from within DD containers". +When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), developers can no longer: -Get more control over your local Docker Desktop instances using Docker’s Hardened container runtime. +- Gain VM root access through privileged containers +- Modify files before boot +- Modify the config of the Docker Engine (and related components) from within Docker Desktop containers +- Access the root console of the VM +- Bind mount and modify system files +- Escape containers -## Who is it for: +For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). -Problem 2 - Prevent exposure of docker daemon on TCP without TLS +### Who is it for? -As an IT admin working for a Docker Business customer, I am concerned that developers will be able to expose the docker daemon on TCP without TLS. +- For organizations that want to prevent container attacks and reduce vulnerabilities. 
+- For organizations that want ensure stronger container isolation that is easy and intuitive to implement on developers' machines. +### How to enable Enahnced Container Isolation -Problem 3 - Control mechanisms such as Registry Access Management are only designed to protect against well-intentioned developers making mistakes +As an Enterprise admin, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. -As an IT admin at a Docker Business customer, I’m hesitant to adopt control features like Registry Access Management because it would be easy for a malicious actor within my org to override them by changing settings within Docker Desktop’s Linux VM. +Next, you must [create and configure the admin-settings.json file](configure-ac.md) and specify: -Problem 4 - I need an easy, intuitive way to implement this control mechanism -As an IT admin at a Docker Business customer, I need an easy, intuitive way to implement the Hardened container runtime option on the machines of my developers. +```JSON +{ + "enhancedContainerIsolation": { + "value": true, + "locked": true + } +} +``` - - -This page contains information on how Enterprise admins can enable Enhanced Container Isolation to - - - -How to configure it if you are an admin +Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. ### What do users see when the settings are enforced? -## How to enable/ get ECI -(e.g. 
currently developers in Docker Business customers, requires authentication, etc) - -requires an Apply and restart -- Admins can lock in the use of the ‘Enhanced container isolation’ mode within their org via the ‘Admin Controls’ feature - -To enable Hardened Docker Desktop, Docker Business administrators simply have to toggle on the ‘Hardened Desktop’ option within the Settings panel of their Organization’s space on Docker Hub. Your developers must then authenticate to your organization in Docker Desktop for the settings to be applied. You can follow this simple guide for ensuring developers authenticate to your organization before using Docker Desktop. - -How do I enable Enhanced Container Isolation for my organization ? - -In the admin-settings.json specify “enhancedContainerIsolation”: true as per the below image. - - - -You must then place this file on your developers machines in the following locations: - -Mac - -Windows - -Linux - - -As mentioned above, the Hardened Desktop security model is designed for organizations that don't give root/admin access to their developers on their machines. By placing this file in the above protected directories, end users will be unable to modify it. We also assume that said organizations have the ability to push this settings file to the locations specified above via device management software such as Jamf. - -Important - Your Docker Desktop users must then authenticate to your organization for this configuration to take effect. You can configure the registry.json file to enforce sign in. - - - - - +Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. +Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. 
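Review bot: the relative link `[create and configure the admin-settings.json file](configure-ac.md)` is broken: this file lives in `desktop/hardened-desktop/enhanced-container-isolation/`, while `configure-ac.md` lives in `desktop/hardened-desktop/admin-controls/` (see the `diff --git` path earlier in this patch), so it should be `../admin-controls/configure-ac.md`, as the `[Admin Controls](../admin-controls/index.md)` link a few lines above already does. The unchanged context line `[Early Access](../../release-lifecycle.md#early-access-ea)` climbs two levels, whereas `how-eci-works.md` in the same directory uses `../../../release-lifecycle.md`; one of the two is stale after the move into `hardened-desktop/`. Wording fixes in the added lines: `+Enhanced Container Isolation provides an additional layer of security was it which prevents containers` has the stray words `was it which` (read `security that prevents containers`); `+### How to enable Enahnced Container Isolation` (`Enhanced`); `+For more information on how Enhanced Container Isolation work` (`works`); `+- For organizations that want ensure stronger container isolation` (`want to ensure`). The bullet `+- Escape containers` is an absolute claim, whereas the removed text qualified it with `(bar kernel 0-day)`; keep the qualifier, since user namespaces and syscall vetting do not protect against kernel bugs. Finally, the fence is tagged ```` ```JSON ```` here but ```` ```json ```` elsewhere in the repo; use the lowercase form.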
diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index f8c745e4d80..26d77d09d0b 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md @@ -12,9 +12,9 @@ Registry Access Management is a feature available to organizations with a Docker Download Docker Desktop v4.8 or a later release. -- [Download and install for Windows](../desktop/install/windows-install.md) -- [Download and install for Mac](../desktop/install/mac-install.md) -- [Download and install for Linux](../desktop/install/linux-install.md) +- [Download and install for Windows](../install/windows-install.md) +- [Download and install for Mac](../install/mac-install.md) +- [Download and install for Linux](../install/linux-install.md) ## Configure Registry Access Management permissions 
@@ -35,14 +35,14 @@ To configure Registry Access Management permissions, perform the following steps > > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. -![Registry Access Management](../../assets/images/registry-access-management.png){:width="700px"} +![Registry Access Management](../../docker-hub/images/registry-access-management.png){:width="700px"} ## Enforce authentication To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: 1. Download the latest version of Docker Desktop, and then -2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](configure-sign-in.md). +2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](../../docker-hub/configure-sign-in.md). ## Verify the restrictions From 1d85fc112bd2152b8b6cbfdbf7968dbe34a9ccb8 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 20 Sep 2022 15:27:44 +0100 Subject: [PATCH 06/33] added more known issues --- desktop/hardened-desktop/enhanced-container-isolation/faq.md | 1 + 1 file changed, 1 insertion(+) diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index 6a1562c6a16..4efa8eca50e 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
@@ -44,6 +44,7 @@ Allowing the `-–privileged` flag but restricting its impact within the contain - Docker Engine Limitations: When running Docker inside a Sysbox container (e.g., for extra isolation), most Docker functionality is supported. However, there may be some advanced Docker functionality that does not currently work as the environment inside the Sysbox container does not yet fully resemble that of a bare-metal machine or VM. Fixing this requires further changes in Sysbox. +
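Review bot: the only change in this hunk is a trailing blank line (`+` with nothing after it) at the end of the known-issues list, yet the commit message says `added more known issues`; either the intended entry did not make it into the commit or the blank line should be dropped. The unchanged context line `Allowing the `-–privileged` flag` has an en dash in the flag name; the Docker CLI flag is `--privileged` (two ASCII hyphens), and a reader copying the text as written gets an error.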
From 769f9e3380827f248ea36a944878afadebd6eaa5 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 28 Sep 2022 16:03:50 +0100 Subject: [PATCH 07/33] incorporate review feedback --- _data/toc.yaml | 4 +- .../admin-controls/configure-ac.md | 108 +++++++++++++++--- .../hardened-desktop/admin-controls/index.md | 36 +++--- .../enhanced-container-isolation/faq.md | 14 ++- .../how-eci-works.md | 8 +- .../enhanced-container-isolation/index.md | 35 +++--- desktop/hardened-desktop/index.md | 12 +- .../registry-access-management.md | 46 ++++---- 8 files changed, 176 insertions(+), 87 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index 1ecd9793c37..1f235bbfa86 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1193,8 +1193,6 @@ manuals: section: - path: /desktop/hardened-desktop/ title: Overview - - path: /desktop/hardened-desktop/registry-access-management/ - title: Registry Access Management - sectiontitle: Admin controls (Early Access) section: - path: /desktop/hardened-desktop/admin-controls/ @@ -1209,6 +1207,8 @@ manuals: title: How does it work? - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ title: FAQ and known issues + - path: /desktop/hardened-desktop/registry-access-management/ + title: Registry Access Management - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/ diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index c1bc96c9b1e..dd22cde093f 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
@@ -8,15 +8,17 @@ title: Configure Admin Controls > >Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. -This page contains information on how Enterprise admins can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information about how administrators can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. + +Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. ## Prerequisite -You need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +You need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). For this configuration to take effect, Docker Desktop users must authenticate to your organization. ## Step one: Place the `admin-settings.json` file in the correct location -Place the `admin-settings.json` file on your developers machines in the following locations: +Place the `admin-settings.json` file on your developers' machines in the following locations: - Mac: /Library/Application Support/com.docker.docker/admin-settings.json - Windows: /ProgramData/DockerDesktop/admin-settings.json 
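Review bot: `+Admin Controls is designed specifically for organizations who don’t give developers root access to their machines.` should read `organizations that don't`; more importantly, this sentence is the precondition that makes the protected-directory placement in Step one meaningful (a developer with root or administrator rights can simply edit or delete `admin-settings.json`), so consider restating it next to `By placing this file in the above protected directories, end users are unable to modify it.` rather than only in the introduction.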
@@ -26,22 +28,100 @@ By placing this file in the above protected directories, end users are unable to >Note > -> It is assumed that Enterprise admins have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). +> It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). ## Step two: Add the key value pairs for the admin controls you want to lock in -The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` setting. If set to `true`, users are not able to edit this setting from the UI or CLI. If set to `false`, users can change this setting from the UI or the CLI by directly editing settings.json. If this setting is omitted, the default value is `false`. +>Note +> +>Some of the configuration parameters only apply to Windows. This is highlighted in the table below. + +The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` setting. +If set to `true`, users are not able to edit this setting from Docker Desktop or the CLI. +If set to `false`, users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file. If this setting is omitted, the default value is `false`. 
+ +The following `admin-settings.json` code and table provides the required syntax and descriptions for parameters and values: + +```json +{ + "configurationFileVersion": 2, + "exposeDockerAPIOnTCP2375": { + "locked": true, + "value": false + }, + "proxy": { + "locked": false, + "mode": "system", + "server": "myproxy.com", + "port":3129, + "exclude": ["foo.com", "bar.com"] + }, + "enhancedContainerIsolation": { + "locked": false, + "value": false + }, + "useWindowsContainers": { + "locked": false, + "value": false + }, + "linuxVM": { + "wslEngineEnabled": { + "locked": false, + "value": false + }, + "dockerDaemonOptions": { + "locked": false, + "value":"" + }, + "vpnkitCIDR": { + "locked": false, + "value":"192.168.65.0/24" + } + }, + "windowsContainers": { + "dockerDaemonOptions": { + "locked": false, + "value":"" + } + }, + "disableUpdate": { + "locked": false, + "value": false + }, + "analyticsEnabled": { + "locked": false, + "value": true + }, +} +``` -The image below displays an example `admin-settings.json` file. +| Parameter | Description | +| :------------------------------- | :------------------------------- | +| `configurationFileVersion` | Specifies the version of the configuration file format. | +| `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. In the example above, “true” means expose the Docker API on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| +| `proxy` | It will be used for http and https. If the port is custom, specify it in the property. And auth can be either basic (username/password) or none if not needed.| +| `enhancedContainerIsolation` | If true, configures Docker Desktop to prevent user containers from running as root and from being able to mount sensitive Docker Desktop configuration directories from the Docker Desktop VM. 
| +|`useWindowsContainers` | Windows only If true, switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers.This overrides anything that may have been set at installation| +| `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. | +|`wslEngineEnabled` |Windows only If true, configures Docker Desktop to use the WSL 2 based engine.| +| `dockerDaemonOptions`| Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | +| `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for *.docker.internal | +| (End of `linuxVM` section.) | | +| `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | +| `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| +| (End of `windowsContainers` section.) | | +|`disableUpdate`|If true, disables checking and notifications about Docker Desktop updates.| +|`analyticsEnabled`|If false, configures Docker Desktop to not send usage statistics to Docker. | + + +Once you have created and configured `admin-settings.json`, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. 
+ +## Example + +The following image displays an example `admin-settings.json` file: ![admin-settings.json](../../images/admin-settings.PNG){:width="500px"} -The following table provides the required syntax and descriptions for parameters and values: - - -| Parameter | Description | -| :--------------------------------- | :--------------------------------- | -| `enhancedContainerIsolation` | | - +In Docker Desktop, developers see the relevant settings grayed out and the message **This is locked by your admin**. -Once you have created and configured `admin-settings.json`, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. \ No newline at end of file +[screenshot] \ No newline at end of file diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 8bc65c1dc23..0e10a639267 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -1,46 +1,46 @@ --- description: admin controls for desktop -keywords: admin, controls, rootless, +keywords: admin controls, rootless, docker desktop, hardened desktop title: What is Admin Controls? --- >Note > >Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. -Admin Controls is a a feature that gives Enterprise admins the ability to enforce certain Docker Desktop settings for their organization. +Admin Controls is a feature that gives administrators the ability to enforce certain Docker Desktop settings for their organization. -With just a few lines of JSON, admins are able to enforce preferences like HTTP proxies, Network settings and the Docker Engine configuration. This saves signficant time and cost in securing developer workflows. +With just a few lines of JSON, administrators are able to enforce preferences for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. ### Who is it for? -- For Organizations who wish to configure Docker Desktop to also be within their organizations centralized control. -- For Organizaitons who want to create a standardized Docker Desktop environment at scale. +- For Organizations who wish to configure Docker Desktop to be within their organization's centralized control. +- For Organizations who want to create a standardized Docker Desktop environment at scale. - For security conscious Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. ### What can be set? 
-Using the `admin-settings.json` file, admins can: +Using the `admin-settings.json` file, administrators can: -- Enable Enhanced Container Isolation +- Switch on Enhanced Container Isolation - Configure HTTP Proxies -- Configure Network settings -- Expose daemon on tcp://localhost:2375 without TLS Resources (Windows only) +- Configure network settings +- Expose daemon on tcp://localhost:2375 without TLS Resources. This is applicable to Docker Desktop on Windows only. - Enforce the use of WSL2 based engine or Hyper-V -- Configure Docker Engine -- Turning off checks for updates -- Turning off sending usage statistics +- Configure Docker Engine +- Turn off Docker Desktop's ability to checks for updates +- Turn off Docker Desktop's ability to send usage statistics -For more details on the syntax and options you can set, see [Configure Admin Controls](configure-ac.md). +For more details on the syntax and options administrators can set, see [Configure Admin Controls](configure-ac.md). -### How does this differ to the `settings.json` file? +### How is this different to the `settings.json` file? -Using the `settings.json` file to pre-configure Docker Desktop settings menas that developers own the settings.json file and can therefore adjust any settings that their admins create, for example, modifying network and proxy controls. +Using the `settings.json` file to pre-configure Docker Desktop settings means that developers own the `settings.json` file. They can therefore adjust any settings that their admins create, for example, modifying network and proxy controls. -The `admin-settings.json` file can only be used by an admin with root privileges and cannot be modified by users. +The `admin-settings.json` file can only be used by an administrator with root privileges and cannot be modified by users. ### How do I set up and enforce Admin Controls? 
-As an Enterprise admin, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the admin-settings.json file](configure-ac.md). @@ -48,7 +48,7 @@ Once this is done, Docker Desktop users receive the changed settings when they n ### What do users see when the settings are enforced? -Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. +Docker Desktop users will see a notification in the **Settings**, or **Preferences** using a macOS, which states **Some settings are managed by your Admin**. Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index 4efa8eca50e..bf54e840376 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
@@ -20,9 +20,9 @@ The reason `runc` is disallowed with Enhanced Container Isolation is because it ### With Enhanced Container Isolation enabled, can the user still use the `--privileged` flag from the CLI? -Yes, with Enhanced Container Isolation the container is only privileged within its assigned Linux user-namespace. It is not privileged within the Docker Desktop Linux VM. +Yes, with Enhanced Container Isolation the container is only privileged within its assigned Linux user-namespace. It is not privileged within the Docker Desktop Linux VM. -For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s /dev directory. +For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s /dev directory. However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. Although it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox prevents the container from using them to modify the container’s chroot jail. @@ -38,12 +38,14 @@ Allowing the `-–privileged` flag but restricting its impact within the contain
-- Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc. +#### Incompatibility with WSL +Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. -- Kernel Day-0 Vulnerabilities: Sysbox can’t protect against kernel day-0 vulnerabilities (e.g., flaws in user-namespace isolation). There have been a few of these recently, but fortunately they are patched pretty quickly in the Linux kernel. - -- Docker Engine Limitations: When running Docker inside a Sysbox container (e.g., for extra isolation), most Docker functionality is supported. However, there may be some advanced Docker functionality that does not currently work as the environment inside the Sysbox container does not yet fully resemble that of a bare-metal machine or VM. Fixing this requires further changes in Sysbox. +#### Kubernetes pods are not yet protected + When Enhanced Container Isolation feature is enabled, Kubernetes pods are not yet protected. A malicious or privileged pod can compromise the Docker Desktop Linux VM and bypass security controls. +#### Use in production +Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc.
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 9e9951519e6..9d8256e280a 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
@@ -10,10 +10,12 @@ keywords: set up, enhanced container isolation, rootless, security Enhanced Container Isolation takes advantage of the recent integration of Sysbox, the secure container runtime created by [Nestybox](https://www.nestybox.com/). -Sysbox is an alternative “runc” included in the Docker Business tier. It’s included alongside the standard OCI runc container runtime, which is the component that actually creates the containers using the Linux kernel’s namespaces, cgroups, and other features. What makes Sysbox different from the standard “runc” runtime is that it enhances container isolation by enabling the Linux user-namespace on all containers (i.e. root in the container maps to an unprivileged user at host level), and by vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. +Sysbox is an alternative runc used to create a container using the Linux kernel’s namespaces, cgroups, and other features. -Without Enhanced Container Isolation Docker Desktop runs Docker Engine within a Linux VM, which provides strong isolation between containers and the underlying host machine. However, this does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. +Unlike the standard runc runtime, Sysbox enhances container isolation by using techniques such as enabling the Linux user-namespace on all containers, emulating portions of the proc filesystem and sysfs inside the container and vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. 
-With root access to the Docker Desktop Linux VM, malicious users could potentially modify security policies of the Docker Engine and Docker Extensions as well as other control mechanisms like Registry Access Management policies and proxy configs. Moreover, whilst we have not yet seen anything of this nature, it is conceptually possible for malware in containers to read files on the users host machine, which presents an information leakage vulnerability. +Without Enhanced Container Isolation, Docker Desktop has Docker Engine run as root with full capabilities inside a container that shares almost all namespaces with the Linux VM’s root user. Whilst this provides strong isolation between containers and the underlying host machine, it gives the container access to all the VM’s kernel resources and does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. This brings Docker Desktop users closer to gaining privileged access to the underlying host. ### How is this different to rootless mode in Docker Engine? + + diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 5948c3db3a9..a97f29c340d 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
@@ -8,15 +8,14 @@ title: What is Enhanced Container Isolation? > >Enhanced Container Isolation is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. -Enhanced Container Isolation provides an additional layer of security was it which prevents containers from running as root in the Docker Desktop Linux VM. This ensures a strong container-to-host isolation and locks in any security configurations that have been created, for instance Registry Access Management policies and Admin Controls. +Enhanced Container Isolation provides an additional layer of security that prevents containers from running as root in the Docker Desktop Linux VM. This ensures a strong container-to-host isolation and locks in any security configurations that have been created, for instance through Registry Access Management policies or with Admin Controls. -With Enhanced Container Isolation, Docker Desktop: +### Who is it for? -- Has a secure boot to prevent modification of Docker provided binaries pre-boot (e.g. docker engine, containerd, runc, etc) -- Prevents user containers from bypassing security controls and modifying system files. -- Prevents exposure of docker daemon on TCP without TLS +- For organizations that want to prevent container attacks and reduce vulnerabilities. +- For organizations that want ensure stronger container isolation that is easy and intuitive to implement on developers' machines. -It also means all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter Admin Controls via containers. +### What happens when Enhanced Container Isolation is switched on? When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), developers can no longer: 
@@ -27,18 +26,20 @@ When Enhanced Container Isolation is enabled using [Admin Controls](../admin-con - Bind mount and modify system files - Escape containers -For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). +It also means all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter any settings that have been locked in using [Admin Controls](../admin-controls/index.md). -### Who is it for? +For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). -- For organizations that want to prevent container attacks and reduce vulnerabilities. -- For organizations that want ensure stronger container isolation that is easy and intuitive to implement on developers' machines. +>Important +> +>Enhanced Container Isolation is currently incompatible with WSL and does not protect Kubernetes pods. For more information on known limitations and workarounds, see [FAQS and known issues](faq.md). +{: .important} -### How to enable Enahnced Container Isolation +### How do I switch on Enhanced Container Isolation? -As an Enterprise admin, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. 
-Next, you must [create and configure the admin-settings.json file](configure-ac.md) and specify: +Next, you must [create and configure the `admin-settings.json` file](configure-ac.md) and specify: ```JSON { @@ -51,8 +52,10 @@ Next, you must [create and configure the admin-settings.json file](configure-ac. Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. -### What do users see when the settings are enforced? +### What do users see when this setting is enforced? + +If Enhanced Container Isolation is enabled along with other settings in the `admin-settings.json`, users see a notification in the **Settings**, or **Preferences** using a macOS, which states **Some settings are managed by your Admin**. -Docker Desktop users will see a notification in the **Settings**, or **Preferences** if macOS user, which states **Some settings are managed by your Admin**. +As displayed in the image below, any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. -Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. +[add a screenshot] diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 2f765be3b69..4570aa19715 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
@@ -1,17 +1,19 @@ --- title: Hardened Desktop description: Overview of what Hardened Desktop is -keywords: security, hardened desktop, enhanced container isolation, +keywords: security, hardened desktop, enhanced container isolation, registry access management, admin controls, root access, administrators, docker desktop --- Hardened Desktop is a new security model for Docker Desktop. It is part of Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience. -The Hardened Desktop security model provides Enterprise admins with a simple and powerful way to increase the security of their containerised development and moves the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user. +The Hardened Desktop security model provides administrators with a simple and powerful way to increase the security of their containerised development and moves the ownership boundary for containers to the organization, meaning that any security controls administrators set cannot be altered by the user. + +It is designed specifically for organizations who don’t give developers root access to their machines, and who would like Docker Desktop to be within the organization’s centralized control. Hardened Desktop currently includes: -- Enhanced Container Isolation. This is a setting that helps admins to instantly enhance security by preventing containers from running as root in Docker Desktop’s Linux VM. -- Admin Controls. which helps Enterprise admins to confidently manage and control usage of Docker Desktop. -- Registry Access Management. Working in tandem with Admin Controls and Enhanced Container Isolation +- Admin Controls, which helps administrators to confidently manage and control usage of Docker Desktop. +- Enhanced Container Isolation, an admin setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM. 
+- Registry Access Management, which allows administrators to control the registries developers can access and can be locked in if Enhanced Container Isolation is switched on by using Admin Controls. Docker will be adding more security enhancements to the Hardened Desktop security model over the coming months. diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 26d77d09d0b..bd145208c11 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md 
@@ -6,51 +6,51 @@ redirect_from: - /docker-hub/registry-access-management/ --- -Registry Access Management is a feature available to organizations with a Docker Business subscription. With Registry Access Management, organization owners can ensure that their developers using Docker Desktop can only access registries that have been allow-listed via the Registry Access Management dashboard on Docker Hub to reflect support for other registries: AWS ECR, GitHub Container Registry, Google Container Registry, Quay, and others. +>Note +> +>Registry Access Management is available to Docker Business customers only. -## Requirements: +With Registry Access Management, administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. -Download Docker Desktop v4.8 or a later release. +Below are some example registries administrators can allow: + - AWS ECR + - GitHub Container Registry + - Google Container Registry Quay -- [Download and install for Windows](../install/windows-install.md) -- [Download and install for Mac](../install/mac-install.md) -- [Download and install for Linux](../install/linux-install.md) +Administrators can ensure registries locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Admin Controls. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). + +## Prerequisites + +You need to [configure a registry.json to enforce sign-in](../../docker-hub/configure-sign-in.md). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization. ## Configure Registry Access Management permissions -To configure Registry Access Management permissions, perform the following steps: +To configure Registry Access Management permissions: -1. 
Sign into your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization owner. -2. Select an organization, navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**. -3. Enable Registry Access Management to set the permissions for your registry. +1. Sign in to your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization owner. +2. Select an organization and then navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**. +3. Toggle on Registry Access Management to set the permissions for your registry. > **Note** > > When enabled, the Docker Hub registry is set by default, however you can also restrict this registry for your developers. -4. Click **Add** and enter your registry details in the applicable fields, and click **Create** to add the registry to your list. -5. Verify that the registry appears in your list and click **Save & Apply**. You can verify that your changes are saved in the Activity tab. +4. To add registries to your list, select **Add** and enter your registry details in the applicable fields, then select **Create**. +5. Verify that the registry appears in your list and select **Save & Apply**. You can verify that your changes are saved in the **Activity** tab. There is no limit on the number of registries you can add. > **Note** > - > Once you add a registry, it can take up to 24 hours for the changes to be enforced on your developers’ machines. If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. Also, there is no limit on the number of registries you can add. See the [Caveats](#caveats) section to learn more about limitations when using this feature. + > Once you add a registry, it takes up to 24 hours for the changes to be enforced on your developers’ machines. 
If you want to apply the changes sooner, you must force a Docker logout on your developers’ machine and have the developers re-authenticate for Docker Desktop. ![Registry Access Management](../../docker-hub/images/registry-access-management.png){:width="700px"} -## Enforce authentication - -To ensure that each org member uses Registry Access Management on their local machine, you can perform the steps below to enforce sign-in under your organization. To do this: - -1. Download the latest version of Docker Desktop, and then -2. Create a `registry.json` file by following the instructions for [Windows, Mac and Linux](../../docker-hub/configure-sign-in.md). - ## Verify the restrictions -The new Registry Access Management policy should be in place after the developer successfully authenticates to Docker Desktop using their organization credentials. The developer can attempt to pull an image from a disallowed registry via the Docker CLI. They will then receive an error message that your organization has disallowed this registry. +The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry. -### Caveats +## Known issues -There are certain limitations when using Registry Access Management; they are as follows: +There are certain limitations when using Registry Access Management: - Windows image pulls, and image builds are not restricted - Builds such as `docker buildx` using a Kubernetes driver are not restricted From 503558252d4d8ff152868585b63c3b29f3d50f1e Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 29 Sep 2022 12:01:12 +0100 Subject: [PATCH 08/33] tweaks from feedback --- .../admin-controls/configure-ac.md | 24 ++++++++++--------- .../hardened-desktop/admin-controls/index.md | 6 ++--- .../enhanced-container-isolation/faq.md | 4 ++-- desktop/hardened-desktop/index.md | 9 ++++--- 4 files changed, 24 insertions(+), 19 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index dd22cde093f..6d7701a258c 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -36,7 +36,7 @@ By placing this file in the above protected directories, end users are unable to > >Some of the configuration parameters only apply to Windows. This is highlighted in the table below. -The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` setting. +The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. If set to `true`, users are not able to edit this setting from Docker Desktop or the CLI. If set to `false`, users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file. If this setting is omitted, the default value is `false`. 
@@ -98,23 +98,25 @@ The following `admin-settings.json` code and table provides the required syntax | Parameter | Description | | :------------------------------- | :------------------------------- | | `configurationFileVersion` | Specifies the version of the configuration file format. | -| `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. In the example above, “true” means expose the Docker API on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `proxy` | It will be used for http and https. If the port is custom, specify it in the property. And auth can be either basic (username/password) or none if not needed.| -| `enhancedContainerIsolation` | If true, configures Docker Desktop to prevent user containers from running as root and from being able to mount sensitive Docker Desktop configuration directories from the Docker Desktop VM. | -|`useWindowsContainers` | Windows only If true, switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers.This overrides anything that may have been set at installation| +| `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| +| `proxy` | It is used for `http` and `https`. If the port is custom, specify it in the property. | +| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop prevents user containers from running as root and from being able to mount sensitive Docker Desktop configuration directories from the Docker Desktop VM. 
| +|`useWindowsContainers` | Windows only If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| | `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. | -|`wslEngineEnabled` |Windows only If true, configures Docker Desktop to use the WSL 2 based engine.| -| `dockerDaemonOptions`| Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | -| `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for *.docker.internal | +|`wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](faq.md) for more information.| +| `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | +| `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | (End of `linuxVM` section.) | | | `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | | `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | (End of `windowsContainers` section.) 
| | -|`disableUpdate`|If true, disables checking and notifications about Docker Desktop updates.| -|`analyticsEnabled`|If false, configures Docker Desktop to not send usage statistics to Docker. | +|`disableUpdate`|If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| +|`analyticsEnabled`|If `value` is set to false, Docker Desktop does not send usage statistics to Docker. | +## Step three: Re-launch and re-authenticate +Once you have created and configured `admin-settings.json`, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. -Once you have created and configured `admin-settings.json`, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. ## Example diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 0e10a639267..ac54a4e9c1a 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -9,7 +9,7 @@ title: What is Admin Controls? Admin Controls is a feature that gives administrators the ability to enforce certain Docker Desktop settings for their organization. -With just a few lines of JSON, administrators are able to enforce preferences for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. +With a few lines of JSON, administrators are able to enforce preferences for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. ### Who is it for? @@ -44,11 +44,11 @@ As an administrator, you first need to [configure a registry.json to enforce sig Next, you must [create and configure the admin-settings.json file](configure-ac.md). -Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Once this is done, Docker Desktop users receive the changed settings when they re-launch Docker Desktop and re-authenticate to your organization. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. ### What do users see when the settings are enforced? -Docker Desktop users will see a notification in the **Settings**, or **Preferences** using a macOS, which states **Some settings are managed by your Admin**. +Docker Desktop users see a notification in the **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. 
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index bf54e840376..d6892ec843f 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md @@ -41,8 +41,8 @@ Allowing the `-–privileged` flag but restricting its impact within the contain #### Incompatibility with WSL Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. -#### Kubernetes pods are not yet protected - When Enhanced Container Isolation feature is enabled, Kubernetes pods are not yet protected. A malicious or privileged pod can compromise the Docker Desktop Linux VM and bypass security controls. +#### Kubernetes pods and extension containers are not yet protected + When Enhanced Container Isolation feature is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. #### Use in production Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc. diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 4570aa19715..69cfdf6f9bf 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
@@ -3,19 +3,22 @@ title: Hardened Desktop description: Overview of what Hardened Desktop is keywords: security, hardened desktop, enhanced container isolation, registry access management, admin controls, root access, administrators, docker desktop --- +>Note +> +>Hardened Desktop is available to Docker Business customers only. -Hardened Desktop is a new security model for Docker Desktop. It is part of Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience. +Hardened Desktop is a new security model for Docker Desktop. It's part of Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience. The Hardened Desktop security model provides administrators with a simple and powerful way to increase the security of their containerised development and moves the ownership boundary for containers to the organization, meaning that any security controls administrators set cannot be altered by the user. It is designed specifically for organizations who don’t give developers root access to their machines, and who would like Docker Desktop to be within the organization’s centralized control. -Hardened Desktop currently includes: +Hardened Desktop includes: - Admin Controls, which helps administrators to confidently manage and control usage of Docker Desktop. - Enhanced Container Isolation, an admin setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM. - Registry Access Management, which allows administrators to control the registries developers can access and can be locked in if Enhanced Container Isolation is switched on by using Admin Controls. -Docker will be adding more security enhancements to the Hardened Desktop security model over the coming months. +Docker plant to add more security enhancements to the Hardened Desktop security model over the coming months.
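Review bot: In the configure-ac.md table hunk (@@ -98,23 +98,25), the `dockerDaemonOptions` row under `linuxVM` now reads "If `value` is set to true, it overrides the options in the Linux daemon config file", but the parameter carries daemon configuration (the row links to the daemon-configuration-file reference) rather than a boolean, and the `windowsContainers` row for the same key still says just "Overrides the options in the linux daemon config file"; drop "If `value` is set to true" so the two rows agree, and say "Windows daemon" in the `windowsContainers` row. In the same hunk, the `exposeDockerAPIOnTCP2375` row says "Exposes the Docker API on a specified port" and then fixes the port at 2375, which the key name also hard-codes; say port 2375 only, and since the row itself notes the endpoint is unauthenticated, add that admins who want to keep it off should ship `"value": false` with `"locked": true` rather than omit the key. The `wslEngineEnabled` row says it "is also incompatible with Enhanced Container Isolation" but not what Docker Desktop does when both keys are `true` in one file; state which setting wins. Finally, the new "Step three" text says settings arrive on relaunch and sign-in and that Docker does not mandate either; say plainly that the previous settings stay in effect until then, so admins who need prompt enforcement (for example of `enhancedContainerIsolation`) should push a restart through their device management tooling.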
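Review bot: In the admin-controls/index.md hunk (@@ -44,11), the unchanged line "the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM" overstates the guarantee: the faq.md hunk in this same patch says a malicious or privileged Kubernetes pod or extension container "can compromise the Docker Desktop Linux VM and bypass security controls", and the VM claim only holds when Enhanced Container Isolation is enabled. Qualify the sentence with "if Enhanced Container Isolation is also enforced" and note the pod and extension-container exception.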
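Review bot: In the hardened-desktop/index.md hunk, the new closing line "Docker plant to add more security enhancements" should read "plans to add", and the same hunk mixes "containerised" with "organization"; pick one spelling convention for the page. The Registry Access Management bullet ("which allows administrators to control the registries developers can access and can be locked in if Enhanced Container Isolation is switched on by using Admin Controls") runs two ideas together; split it into the capability and the separate sentence about locking it in.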
From 72ad09e897dce64a91a00716bfa9de1fd8d425c9 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 09:15:25 +0100 Subject: [PATCH 09/33] review comments for hardened desktop landing page --- desktop/hardened-desktop/index.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 69cfdf6f9bf..b76dcb9df57 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
@@ -7,18 +7,18 @@ keywords: security, hardened desktop, enhanced container isolation, registry acc > >Hardened Desktop is available to Docker Business customers only. -Hardened Desktop is a new security model for Docker Desktop. It's part of Docker's ongoing effort to increase Docker Desktop security without impacting the developer experience. +Hardened Desktop is a new security model for Docker Desktop. It's designed to provide administrators with a simple and powerful way to improve their organizations security posture for containerised development, without impacting the developer experience that Docker Desktop offers. -The Hardened Desktop security model provides administrators with a simple and powerful way to increase the security of their containerised development and moves the ownership boundary for containers to the organization, meaning that any security controls administrators set cannot be altered by the user. +This configuration is designed for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within the organization’s centralized control. -It is designed specifically for organizations who don’t give developers root access to their machines, and who would like Docker Desktop to be within the organization’s centralized control. +The Hardened Desktop security model moves the ownership boundary for containers to the organization, meaning that any security controls administrators set cannot be altered by the user of Docker Desktop. Hardened Desktop includes: -- Admin Controls, which helps administrators to confidently manage and control usage of Docker Desktop. -- Enhanced Container Isolation, an admin setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM. 
-- Registry Access Management, which allows administrators to control the registries developers can access and can be locked in if Enhanced Container Isolation is switched on by using Admin Controls. +- Admin Controls, which helps administrators to confidently manage and control the usage of Docker Desktop within their organization. +- Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that configurations set using Admin Controls cannot be modified by containers. +- Registry Access Management, which allows administrators to control the registries developers can access. -Docker plant to add more security enhancements to the Hardened Desktop security model over the coming months. +Docker plans to continue adding more security enhancements to the Hardened Desktop security model.
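Review bot: In the rewritten opening paragraph, "improve their organizations security posture" needs the possessive ("organization's security posture"), and "containerised" sits next to "organizations" in the same sentence; settle on one spelling convention. The "plant to add" typo is fixed here, good. The new Enhanced Container Isolation bullet says it "ensures that configurations set using Admin Controls cannot be modified by containers"; given the FAQ's statement that Kubernetes pods and extension containers are not yet protected, consider "cannot be modified by user containers" so the landing page does not promise more than the FAQ supports.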
From b6c3db1f835b7ff307f3620c7dbd1435ee49fd14 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 09:42:41 +0100 Subject: [PATCH 10/33] review comments for the Admin Controls landing page --- .../admin-controls/configure-ac.md | 2 +- .../hardened-desktop/admin-controls/index.md | 24 +++++++++---------- .../how-eci-works.md | 2 +- .../enhanced-container-isolation/index.md | 2 +- .../registry-access-management.md | 2 +- 5 files changed, 15 insertions(+), 17 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 6d7701a258c..4f9dc529fe1 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -6,7 +6,7 @@ title: Configure Admin Controls >Note > ->Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. +>Admin Controls is available to Docker Business customers only. This page contains information about how administrators can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index ac54a4e9c1a..ffda32730e1 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -5,11 +5,11 @@ title: What is Admin Controls? --- >Note > ->Admin Controls is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. +>Admin Controls is available to Docker Business customers only. -Admin Controls is a feature that gives administrators the ability to enforce certain Docker Desktop settings for their organization. +Admin Controls is a feature that gives administrators the ability to configure certain Docker Desktop settings for their organization. -With a few lines of JSON, administrators are able to enforce preferences for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. +With a few lines of JSON, administrators can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. If administrators also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. ### Who is it for? 
@@ -17,14 +17,19 @@ With a few lines of JSON, administrators are able to enforce preferences for HTT - For Organizations who want to create a standardized Docker Desktop environment at scale. - For security conscious Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. +## How does it work? + +Administrators can configure several Docker Desktop settings using the `admin-settings.json` file. This file is located within the Docker Desktop host and can only be accessed by users with root or admin privileges. + +As the `admin-settings.json` overrides the `settings.json` file, which contains the settings configured by regular Docker Desktop users and is located in a directory users can write to, administrators can configure default values for several Docker Desktop settings and lock them in so regular users are prevented from modifying them. + ### What can be set? Using the `admin-settings.json` file, administrators can: -- Switch on Enhanced Container Isolation +- Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) - Configure HTTP Proxies - Configure network settings -- Expose daemon on tcp://localhost:2375 without TLS Resources. This is applicable to Docker Desktop on Windows only. - Enforce the use of WSL2 based engine or Hyper-V - Configure Docker Engine - Turn off Docker Desktop's ability to checks for updates 
@@ -32,12 +37,6 @@ Using the `admin-settings.json` file, administrators can: For more details on the syntax and options administrators can set, see [Configure Admin Controls](configure-ac.md). -### How is this different to the `settings.json` file? - -Using the `settings.json` file to pre-configure Docker Desktop settings means that developers own the `settings.json` file. They can therefore adjust any settings that their admins create, for example, modifying network and proxy controls. - -The `admin-settings.json` file can only be used by an administrator with root privileges and cannot be modified by users. - ### How do I set up and enforce Admin Controls? As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. @@ -50,8 +49,7 @@ Once this is done, Docker Desktop users receive the changed settings when they r Docker Desktop users see a notification in the **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. -Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. - +Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings.json` file. In addition, if Enhanced Container Isolation is enforced, users can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 9d8256e280a..71459a0af20 100644 
--- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md @@ -6,7 +6,7 @@ keywords: set up, enhanced container isolation, rootless, security >Note > ->Enhance Container Isolation is currently in [Early Access](../../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. +>Enhance Container Isolation is available to Docker Business customers only. Enhanced Container Isolation takes advantage of the recent integration of Sysbox, the secure container runtime created by [Nestybox](https://www.nestybox.com/). diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index a97f29c340d..1dfff202bb8 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -6,7 +6,7 @@ title: What is Enhanced Container Isolation? >Note > ->Enhanced Container Isolation is currently in [Early Access](../../release-lifecycle.md#early-access-ea) and available to Docker Business customers only. +>Enhanced Container Isolation is available to Docker Business customers only. Enhanced Container Isolation provides an additional layer of security that prevents containers from running as root in the Docker Desktop Linux VM. This ensures a strong container-to-host isolation and locks in any security configurations that have been created, for instance through Registry Access Management policies or with Admin Controls. diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index bd145208c11..43f9d21ce55 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md 
@@ -17,7 +17,7 @@ Below are some example registries administrators can allow: - GitHub Container Registry - Google Container Registry Quay -Administrators can ensure registries locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Admin Controls. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). +Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Admin Controls. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). ## Prerequisites From 85810dbd099e78d6a7ae6ef1e3de1fe89d799e4d Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 09:48:28 +0100 Subject: [PATCH 11/33] review comments for the ECI FAQ page --- .../hardened-desktop/enhanced-container-isolation/faq.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index d6892ec843f..b69e3d2673b 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
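Review bot: In the admin-controls/index.md hunk (@@ -17,14 +17,19), the bullet "Expose daemon on tcp://localhost:2375 without TLS" is removed from "What can be set?" while configure-ac.md in this same patch still documents `exposeDockerAPIOnTCP2375`; either keep the bullet (it is the one security-sensitive toggle an admin most wants to know is lockable) or remove the table row too, so the two pages agree. The new "How does it work?" paragraph says `admin-settings.json` "can only be accessed by users with root or admin privileges"; that holds only because of the permissions on the directories listed in configure-ac.md and only for users who are not local administrators, which is exactly the audience the Hardened Desktop page restricts itself to, so say so and link to the Hardened Desktop overview. Also, in the unchanged context line, "Turn off Docker Desktop's ability to checks for updates" should read "check for updates".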
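Review bot: In the admin-controls/index.md hunk (@@ -32,12 +37,6), the added sentence ends "for example, reconfigure proxy and networking of reconfigure Docker Engine"; "of" should be "or". The same sentence now correctly limits the Linux VM claim to the case where Enhanced Container Isolation is enforced, which fixes the overstatement from the earlier patch. In the how-eci-works.md hunk, the note still says "Enhance Container Isolation is available"; the feature name is "Enhanced Container Isolation".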
@@ -22,9 +22,9 @@ The reason `runc` is disallowed with Enhanced Container Isolation is because it Yes, with Enhanced Container Isolation the container is only privileged within its assigned Linux user-namespace. It is not privileged within the Docker Desktop Linux VM. -For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s /proc and /sys, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s /dev directory. +For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s `/proc` and `/sys`, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s `/dev` directory. -However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under /proc and /sys that are not namespaced. Although it can see all host devices under /dev, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox prevents the container from using them to modify the container’s chroot jail. +However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under `/proc` and `/sys` that are not namespaced. Although it can see all host devices under `/dev`, it won’t have permission to access them. 
Also, while the container can use system calls such as “mount” and “umount”, Sysbox prevents the container from using them to modify the container’s chroot jail. This makes running a privileged container with Enhanced Container Isolation much safer than a privileged container launched with the standard runc, which offers almost no isolation. @@ -39,10 +39,10 @@ Allowing the `-–privileged` flag but restricting its impact within the contain
#### Incompatibility with WSL -Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. +Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. This can be enforced using Admin Controls. For more information, see [Admin Controls](../admin-controls/index.md). #### Kubernetes pods and extension containers are not yet protected - When Enhanced Container Isolation feature is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. +When Enhanced Container Isolation is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. #### Use in production Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc. From 0cb0ed98f08d26163713d205a97f6ae718968b68 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 12:12:36 +0100 Subject: [PATCH 12/33] review comments for the AC Configure page --- .../admin-controls/configure-ac.md | 49 ++++++++++------ .../enhanced-container-isolation/index.md | 58 ++++++++++++++----- 2 files changed, 75 insertions(+), 32 deletions(-) 
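Review bot: In the WSL hunk (@@ -39,10), "This can be enforced using Admin Controls. For more information, see [Admin Controls](../admin-controls/index.md)" should point admins at the concrete setting: link to configure-ac.md and name `wslEngineEnabled` (set to `false` with `locked: true`), since the landing page does not list the parameters. In the unchanged context line of the same hunk, "`-–privileged`" contains a hyphen followed by an en dash; it should be the two-hyphen `--privileged`, otherwise a reader copying it into a shell gets an unknown flag. In the privileged-container hunk (@@ -22,9), the text says a privileged container runs "without system call or other restrictions normally imposed by Docker" and two sentences later that Sysbox "vets sensitive accesses to the kernel"; one clause saying that Sysbox's own system call interception still applies even though Docker's seccomp and AppArmor profiles do not would remove the apparent contradiction.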
diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 4f9dc529fe1..2990517a987 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -20,9 +20,9 @@ You need to [configure a registry.json to enforce sign-in](../../../docker-hub/c Place the `admin-settings.json` file on your developers' machines in the following locations: -- Mac: /Library/Application Support/com.docker.docker/admin-settings.json -- Windows: /ProgramData/DockerDesktop/admin-settings.json -- Linux - /usr/share/docker-desktop/admin-settings.json +- Mac: `/Library/Application Support/com.docker.docker/admin-settings.json` +- Windows: `/ProgramData/DockerDesktop/admin-settings.json` +- Linux: `/usr/share/docker-desktop/admin-settings.json` By placing this file in the above protected directories, end users are unable to modify it. 
@@ -30,17 +30,30 @@ By placing this file in the above protected directories, end users are unable to > > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). -## Step two: Add the key value pairs for the admin controls you want to lock in +## Step two: Configure the admin controls you want to lock in >Note > >Some of the configuration parameters only apply to Windows. This is highlighted in the table below. -The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. +The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. If set to `true`, users are not able to edit this setting from Docker Desktop or the CLI. -If set to `false`, users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file. If this setting is omitted, the default value is `false`. - -The following `admin-settings.json` code and table provides the required syntax and descriptions for parameters and values: +If set to `false`, the configuration value acts as a default value, but users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file. + +
+ +
+

+Locked: false is similar to having a setting be the factory default. +
+

  • For new installs, Locked: false pre-populates the relevant settings in the Desktop UI.
  • +
    +
  • If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting which may have been written to the relevant config file, for example the settings.json or daemon.json file. In these instances, Docker respects the user's preference. This can be overridden by the administrator by setting locked: true
  • . +

    +
    +
    + +The following `admin-settings.json` code and table provides an example of the required syntax and descriptions for parameters and values: ```json { 
@@ -100,21 +113,23 @@ The following `admin-settings.json` code and table provides the required syntax | `configurationFileVersion` | Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | It is used for `http` and `https`. If the port is custom, specify it in the property. | -| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop prevents user containers from running as root and from being able to mount sensitive Docker Desktop configuration directories from the Docker Desktop VM. | +| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). | |`useWindowsContainers` | Windows only If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| | `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. | -|`wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. 
See [Known issues](faq.md) for more information.| -| `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | -| `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | -| (End of `linuxVM` section.) | | +|        `wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](faq.md) for more information.| +|       `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | +|       `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | -| `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| -| (End of `windowsContainers` section.) | | +|        `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | |`disableUpdate`|If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| |`analyticsEnabled`|If `value` is set to false, Docker Desktop does not send usage statistics to Docker. 
| -## Step three: Re-launch and re-authenticate -Once you have created and configured `admin-settings.json`, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. +## Step three: Re-launch and re-authenticate +>Note +> +>Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. + +Once you have created and configured `admin-settings.json`, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't sufficient as it only restarts some components of Docker Desktop. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 1dfff202bb8..5c055b89151 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
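Review bot: the `enhancedContainerIsolation` row should carry the same caveat that the `wslEngineEnabled` row carries ("It is also incompatible with Enhanced Container Isolation"); an admin reading only the ECI row cannot tell that `wslEngineEnabled: true` and `enhancedContainerIsolation: true` cannot be combined, so add a sentence such as "Incompatible with `wslEngineEnabled`; see that setting." to the ECI row as well. Two smaller points: the `windowsContainers` `dockerDaemonOptions` row ends with a stray `| |` where the removed "(End of `windowsContainers` section.)" marker used to be, which renders as an extra empty row or cell rather than nothing, and the leading whitespace used to indent `wslEngineEnabled`, `dockerDaemonOptions` and `vpnkitCIDR` inside the first column is stripped by most Markdown renderers, so verify the nesting actually shows up in the rendered table (a short "Parent" column would be more robust). In the re-launch paragraph, "your developers workflow" needs the possessive: "your developers' workflow".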
@@ -8,25 +8,37 @@ title: What is Enhanced Container Isolation? > >Enhanced Container Isolation is available to Docker Business customers only. -Enhanced Container Isolation provides an additional layer of security that prevents containers from running as root in the Docker Desktop Linux VM. This ensures a strong container-to-host isolation and locks in any security configurations that have been created, for instance through Registry Access Management policies or with Admin Controls. +Enhanced Container Isolation provides an additional layer of security that uses a variety of advanced techniques to harden container isolation without impacting developer productivity. + +These techniques include: +- Running all containers unprivileged (via the Linux user-namespace) +- Restricting containers from modifying Docker Desktop VM settings +- Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and c/sys` inside the container for further isolation. + +This is all done automatically and with minimal performance impact. + +Enhanced Container Isolation helps ensure a strong container-to-host isolation and locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). + +>Note +> +> Enhanced Container Isolation is in addition to other security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor ### Who is it for? - For organizations that want to prevent container attacks and reduce vulnerabilities. -- For organizations that want ensure stronger container isolation that is easy and intuitive to implement on developers' machines. +- For organizations that want to ensure stronger container isolation that is easy and intuitive to implement on developers' machines. ### What happens when Enhanced Container Isolation is switched on? 
-When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), developers can no longer: +When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), the following features are enabled: -- Gain VM root access through privileged containers -- Modify files before boot -- Modify the config of the Docker Engine (and related components) from within Docker Desktop containers -- Access the root console of the VM -- Bind mount and modify system files -- Escape containers - -It also means all containers run unprivileged in the Docker Desktop Linux VM, in user namespaces. Root access to the Linux VM is removed, privileged containers cannot be run and there is no access to the host namespaces. As a result, it becomes impossible for users to alter any settings that have been locked in using [Admin Controls](../admin-controls/index.md). +- All user containers are automatically run in Linux User Namespaces which ensures stronger isolation. +- The root user in the container maps to an unprivileged user at VM level. +- Users can continue using containers as usual, including bind-mounting host directories, volumes, networking configurations, etc. +- Privileged containers work, but they are only privileged within the container's Linux User Namespace, not in the Docker Desktop VM. +- Containers can no longer share namespaces with the Docker Desktop VM. For example, `--network=host`, `--pid=host`. +- Containers can no longer modify configuration files in the Docker Desktop VM. +- Containers become harder to breach. For example, sensitive system calls are vetted and portions of `/proc` and `/sys` are emulated. For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). 
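Review bot: typo in the new bullet list, "portions of `/proc` and c/sys`" should read "portions of `/proc` and `/sys`" (the backtick is misplaced). Two more wording points: the closing sentence "how Enhanced Container Isolation work" should be "works", and the Note "For example, reduced Linux Capabilities, Seccomp, AppArmor" lacks a full stop. On content, the bullet "Containers can no longer share namespaces with the Docker Desktop VM. For example, `--network=host`, `--pid=host`." should say what a developer actually sees when they pass one of these flags (is `docker run` rejected with an error, or is the flag ignored?); the removed list stated this as something users "can no longer" do, and the new wording no longer says how it is enforced or surfaced.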
@@ -50,12 +62,28 @@ Next, you must [create and configure the `admin-settings.json` file](configure-a } ``` -Once this is done, Docker Desktop users receive the changed settings when they next authenticate to your organization on Docker Desktop. We do not automatically mandate that developers re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Once this is done, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't sufficient as it only restarts some components of Docker Desktop. + +Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. ### What do users see when this setting is enforced? -If Enhanced Container Isolation is enabled along with other settings in the `admin-settings.json`, users see a notification in the **Settings**, or **Preferences** using a macOS, which states **Some settings are managed by your Admin**. +When Enhanced Container Isolation is enabled, users see that containers run within a Linux User Namespace. For example: -As displayed in the image below, any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or by modifying the Docker Desktop Linux VM. +``` +$ docker run -it --rm alpine +/ # cat /proc/self/uid_map + 0 100000 65536 +``` + +This indicates that the container's root user (0) maps to unprivileged user (100000) in the Docker Desktop VM, and that the mapping extends for a range of 64K user-IDs. 
+ +In contrast, without Enhanced Container Isolation the Linux user-namespace is not used: + +``` +$ docker run -it --rm alpine +/ # cat /proc/self/uid_map + 0 0 4294967295 +``` -[add a screenshot] +This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0), reducing container isolation. From 58691e763f5672d12a9c4a08787817464a1faa90 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 13:57:19 +0100 Subject: [PATCH 13/33] screenshot add --- assets/images/grayed-setting.png | Bin 0 -> 73194 bytes .../admin-controls/configure-ac.md | 16 +++++----------- .../hardened-desktop/admin-controls/index.md | 13 ++++++------- .../enhanced-container-isolation/index.md | 4 ++-- desktop/hardened-desktop/index.md | 12 ++++++------ 5 files changed, 19 insertions(+), 26 deletions(-) create mode 100644 assets/images/grayed-setting.png 
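Review bot: this hunk drops the description of the "Some settings are managed by your Admin" notification and of the greyed-out, non-editable settings, together with the `[add a screenshot]` placeholder, but nothing under "What do users see when this setting is enforced?" now tells the reader that the enforced setting is visible and locked in the Docker Desktop UI; keep one sentence on that next to the `uid_map` example, or link to the Admin Controls page (`../admin-controls/index.md`, already referenced in this file). Also tag the two new code fences (currently untagged) with `console` so the `$` and `/ #` prompts are rendered consistently with the rest of the docs, and note that "Once this is done, developers need to quit Docker Desktop through the Whale menu ... your developers workflow" is now duplicated verbatim from `configure-ac.md` in the same patch, so consider pointing to that page instead of repeating it (and fix "developers'" in both places).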
diff --git a/assets/images/grayed-setting.png b/assets/images/grayed-setting.png new file mode 100644 index 0000000000000000000000000000000000000000..a163646fe866832d66d628288bdd2dec7da159bb GIT binary patch literal 73194
zS+?~DN)9bCy#TrOlTA&hu2M0tO+>T!eYEOTk)~P)e_Zpul?gkMoTt-Y+}8@)5JxVx ziJYq=Qw8s?rR+wm4o|)_^RX#^Cz`Vti}Lr}D|=T{Z)H~DyWivu1|gOPtxwThKw1Ii zgzs*067T(#K*j?;yLPqwP`I1a%U6k}!fEmTnpJX)4f~t(3&`vgbdMbgi?x5?gEkuzF|>ZnOhy8IH%U6VN9gDt^E!?wCslotG| zO6sWc$m(~v;XA1(`03^Qu|qBb+S;Qv4mj!Q>2q-l-p3D|H%@hx*1wf;{r3;Gm;)mBuOF8En8Xb)!B(SuKbICx8%thLMw2&uewz1Qm!r@}?B&kj5WpT7#63^053t-k*vw;19$_F}+)3uCahzS^K%Nyp zJdpJdxcs>l^cnL7A<=AwOF(XqDOSP2!#h{QeqKFsiomFJ z%sFvvyJ=D(huEK_L38a)iwrBE=p6NLg_;G{tNa-N8Ix&SMw?gXCd+Q9qos5N4bRj3 zs`O~^x{g27YIOr{Vx>~_;8F((cZq;Wl?1{4*<8(14T4p@>aI-d^K2BN^WB3Jv6~ICT~CPIXsLUK66SR+}0`MRQdSVUtT= zC@T4>I7uKaeZ+Yx1uyWN&5^~uM<&w0-g22(Em${wFUx5>Q^9nxQ*h*zfFPQ2i3$v2 z$`iv{R5mk7W#;2K(H!bBfn3sz`2&TAJ-(SVVm?%Zwq*4YmtcW*O|(|!2`hoDC>=>Q zjTUX%6GF_f1C^2YvE8lXUGm-n*w9@2c^t8Q` zLwv@vUcRQ7)%63*$1x3f-1vFj>5^3)&jAYXRXbQ$v81%Il1u|rbJ5l5nZ=5Yoh^wJ zaJb4H2B*SNAlZZw%L_LV#&ov<%y)PQ<7gJ=#(@Gw*FGm#%&Y1K7~F=haT_jISq|pk zMF+K&t@qwI6d-@aL`3h@*c7@`ZPjz~dcu5yj^fJ1r1v!c68V@_<4;*INZn3Km*bWs>B3C2WzMgezmp*G- zGe0>)RNE^+pEVwTS%%xvEKDc|h)>&4NarcFy(m`bp&VT|a#A>bQ#VIsJ|X+S@|0d) zKh=a$7lA~6!p%rGp*!>}hBl*MaG2f>b#4>zDuHLSG zO3%(9vy?{tiF`tl`}K;8?;cd0NBp*s(S?U?Dy-~J0$R81G{^JvS2v<#4`xyvVhr8M z&NIczJ&BnV^q)oaodRUB`%WJ&D-8^+i4%5-lN`+#rNcAsU^jcCSbvQcvdo_6xXoT$P@+!9 z58mnQyFDDjZO`jDio1}AqO{b3rJFo``rYoPX#ca2!L?PF>SQSYLc7`I`Z6h07T^4X{HDOVW-7x zc5cV(*QOOVt;AHU=mtv+J4a*Bo~KXj&Cv!;(_+p@J_R*j;A&rxiL(y2O%wihIdHyO zoJQF{6_=7P-|7M{#B`w46r2VNy}6UrXwG+bFp|em!Tc?CScTi?>~vR$*G5A*Kw(X7 z$2+|J)j9F)x=vnmIOINYsJ3m3cO!Rb`v}PCL%9o6pvA(Z*NQ-jDbba&p?aR-YFkT` zzB~%?hO0>cEdhC(vkGJux=$5cyiOG-#JKBh(12TfZ8B}h=ssF-b%eJyW!>BK0*97X ztWe*Ye!j`^6^h%PsU(_*7$qQ-hN6r0!gcRuiJKH}v-t~NT&fR43U9t;t!$PG4Q zcNOkRD)OTtI<$d<2f(tkw$%zAab1ml)+f|(+5w!2;3Jjy3L|Minwii3@;lV?d@9O- zNBgb<%X~nNT%LqkFd2;fHTtF1z`!wcd zC|)dc%RG4VIdx|&S3}rr(GWzSBK&xdZR9ZGOAdCvrW5#EL|-Oy1a^vT*LdU=tD9?= z?&RiHeQvUas7d50;~gA>2?7>&9*Bczc}|OMSC`JiO~TckS1fgm--Z+ihL2>I46uKC&gI@ND3QvS<-OZus47;S(#|9pyi9Mjc`)Y{#`nPrYBzoiwg{n?2G~p 
z^Gt;em9TS$`6}?^tvdOX(uDHHlA#~6ZYBFbo3l&X*E4s*t{B8;M)4sO^6Fd7zkZ2?%jR_LKs7p_8a+(gWg4_y^O&PY`_268H?0Y2#?}r# z4*RNwcv`_@fad!k`;j?DvH>3IBV4r+o)&&#AF@GNU!AtuGLw1le5fYN*pFe=IC3gc z1k4?O(js3(LcJqnpB`e%<52FxONLu1jfRRcypKrJ>cA6~T+4cOV{ON%VYxlb+|Dhw zq@2zO$XUdDJM5cra*FaiDbAE*;t$WR*5^vap4Au8q2+`T-A#w?7z3_$pZcm|B({^V zRAZ&`F;u;u8-N9qrREo2g6gZk*UCU|{R}pcWcqDiGCAc^nWqqt2GmeU{Qa72Y);}9 z&z%HwmZyy{gT{MR@~-dHNB9? zl5RLq$+n0jL3hJvyqwRxFNX$yXVKC%BbwDw*pOYk1kf8|ebRI%G{vO}%+%Tns?*@|=CNvMY`~=a@L4cGCCm9&P$eT4(&6K!sbaC?4defIP)*QT_Wb~);r_^XI=s68K*zd!T@Jhd`vttWn!yT}^gGJh7D2M07^KEE3 znc{88Zoo?TB3H<)sXl97AabQC#yqo zex=9Q%K^@l(5&%vCaX&21yV`LcOYvLdsl4l<>3l|Kzv}aUG{R7?5jN1Y>Dw5_oe7F zc&1ztRF&J11AE< zUe5OitohWM;#4?mi$SavWYeoRK%XQnz2g(Jn^oF8}vYF+K4#Dl~I1{6SEjxypWf-dO<9gC*|p&?J2>qXFRZNJh8 zxtY$B^5U8s_PFs|M*bpE_=`wN;82%xMx)^w8 zMo|WR=4A{`?474Yd^~OXOSGr`P_(pW&W79k9*5oHy+u9lNSqN{z;9jAFB}a9YgkOJu5jGhgw*;TPipNM*C_qN!%*SJEk7f-L)S2m|DB4h zGD(I_6fuM1y)@0@o-;3anP$<|w^=_>uFh~GXKpqAke}NS!^oi+Vq9%aHv2ww^n!*^ zIQqGCd7r9-otPGmtq|TA6<)mKQpU(Hu3)OZAB9Z!>4~7{KLFG(jhMNhyFCzk;@I#f z$P73aDhTfT%~&gkP5%yJ{q>Gkb^ud*5V-C5Zx7{f?5PEP9@2s{f7$#U?>PT0{}*Hc zmY4LwL+DTKnzTM=QH>B!yZ_RapLmJH142NYrfaf+>aSlS3ID&c+*%m#+*y=Tb?Nr` z)B6C8577B2VXk;w{8LXdW$*wRjhd0`FVpuAE(tt~%`op9)PVD+o~Y!U(|1_8M9%3m z|2*`+kKJ77VP0{`aqK_*lY~VLa9Bg)64TWG#rgSP6XyYDRr_Jao%KKc^D;>RfcHJ^ z=rZX!K79{2$8GN8)pCZ=I_9SQ#@wlxrD% z-MKNX%=5tH8R$w)wb_(&htYori-aW#izn*x=P$7#dMyC-2}lf4#IwC7-Oc?b{)geK zzVQsd-^Q<|{s0f!o$A~9^!7jz;pwlJ#Sd^e^8iohN&NxBqgC{hLUI*drz+7ksxK*S zGFYsDLIoguDbW?3ZB9x0x{bz@E)-AuzfEi905*a{=(eW^nK=t~_M`n>{x)*yy*~Z* z@D?Bs6_6MS*qZGC)Mu^(a))i5pVA-6*xRRn@#edOT~JWq@o-!<4|6iZlNuiSDfZem z|H$g<&I z)<$($@=(mH=H^Z56>+M->TwKRPa=fhi<684lsrF8O8X1+dsJ0FgFdTY$1G*ax{y#i}eVT z{4>_PGdn=c1Wicxe0z^NNz{oyATXe}#Mn#Y3gM?$1;__0Z>1IC@kaWQ)IxL8qTKFu zCojFvdA$e6$DbNsdUPdKV`<*g{QM~pf9YLq1moEW9*{pqQNOTVJCzzA>-uV^;q~dm{XCY<`gYe)tdqzLqBPeeIa` zvwGx1cC^$gBhu_DgxB&7fW23xWmCum3`j+1e3Y24{Th`&w_H*EAG;N+?-ZcxBj#f9hTjAd@akdH3V*h zCVvq@6NsZnD^axfE=~%&D6Cws+MIdBUPgp 
z6sko8xQ^LmOEQ4kFqwe^6rRsoyboS{7Jp#7rJ8Y@synMB{*k*5FzG_L~ zr!~IV#og+O))b68ZCOko3A>#ua?!%WM$fL@62;djD!Mr`?}Mi;pdHJ)D}Pjdq|_5t z;DpxOa~QW}hq&wjnPii%^DQ7 z)kQC@K14NENOL^L#w9eYxiC`c6NS3d|9x2Q`Nok^eLFP$TuG^vS|kZ}7@GJUhB>+(3RNm6U2e)%xBYP;{Jc@~t^*5R zT@+d__BC~hX4ZL#(!Ad(q}*aI3g7qP*^(6xAIEp_Y34(*y2m*5%ltM$WZ@_%UKx<0 zXq!-^T@bcfpN#;>(piH7wrj{;>TfMDQPRWi1W6CS#J3t1(R;3W0pX_kx15R0BP4ozCXL>0|))z8Mbi zTeYG^;+!1lSCaDOEpX+tFzQ3nQO0lCPm4e=ca<0RH>MYywe=g0Qpo$%FTdFLnsLBA zIFuwbZ3a^30ddC&QSlxD%zY}%!G7K?{u5Gj6{ZId+DT@8<|AQuwB4K;{%TBvQ(kl!5FV;E+&AIVQ}Q@ zTgE1lK7V`8|Cbf?*GH8lT!Wi8V;s{f)RuxevExns8^ENbnj0+5aB@zgm@Bv44i4PS zgf#O)Ey`9hTd?BT5-GA3V_5AMV-}4`8@nAJ(`Xm_;N;lD`G^q0yRN5J34OVpiSN+T zd%&q3y0O1q5svf$*>(zrKgE$wgcJ!xaxGNyk5)b79l)58&EJOnKJ4elV$0iet3E5Z_1&LZUkSthA-(^&4S)$ul>w}KW=|cedw*&b3jxro|36Nz3-eW%rLMzo z^_bo?_vHq&{|uZ&!HvI7cuT2I{wfldinvggkI0vz8%Z>U3_{$KSs}R87QP6mg{W*1sP0r$glw8J2GyPxA#9RGQpHfEq{^ zDJT|(>dn>!dK!Pc;irf5V|!}p-Y&#{RSbq^%l66y%28hFS02MaaifbRkSVYR6MdA8 z*8TRS=|rEV-SJDWwDSD`anLWQ!5yLPjb>WrX9MK4^bCUE;9_~N#V%gG%fV5ifgkk( z)7*IM7n$XLTktIB`UU@95t(((>rX@cSm*-oX5IY;@><7hE!8;~@gm0-VUa5fCBb_n zEVEAinDAXr-LX-9(&j*B$ti30++Y7w6L?J+;M9xQIe23@{{b8m_DlgV3z3%q=o$-Y=gqkX(LWRTZYX{V6roZXYWs>L(=_^vKV0mjt( z9w7~fQ*B#E+kxApqL+t+s7ieBn-4;Y4V%x*U6h;uR|n&Vls%pfP)PQ|O9y&ybAO5_ zlvMqT=12LxZD=kZw7mc6E8|g2S2~;W6_0lO$n$V*{b-el?!()M;Ra4< zthXT{BR_)a`z!m$cFsW&MwaFO**8LYH!m9x-jP7k9L>26xH z9_F+7*5bzL>1WEO-SNa}6euz!cdV|IFsDcvnm)ZRe!_q>LnOeYe7SPv<72v4N94u= z=i`vIf~SgUXOYEvjZ*itShx&@)0vnxN@4)``=6R5e|=&(07@*8o>);u(>n)9cDJMJ z3zJ)-!DJSD(ZnneVebSxZ~C#)W4;y=ol2jYju_L<*`~JiI5S#rne(zv%dY!tV_OOB zGFv@r{jV6updT3Xx{~7PgY|zU2i&d zoJCZ3hG-V8t_=*}Y%SHVcV^~g#0xQ9(kzm4k!8_)qLu7pe@p zJzgN*8myiW8tdp1a+*C7S&ubrZ&xdIrl2_Z{EPzAX}9+h+27B=!C@$uzk4SutSjej0UP+Ksfme9CmDi4$P~6N>V0vR;75g&zgLDIGwxT3tKK_YB~)0+}bKT;pEj$XxCtaBe&jo5@0=C{?y28ABTc(MY2Foh^@k6y~%qkn&6(8 zD@JV39r9YEb)|l@u(N{N7g4vnwRsyRgOnm#-Roz<;#*4u%?6Cme;bMv+ZV4rTwI7@LW0s0~v@}p?u|My^*{qbxzyaZnk>^~oT6Pm@ ztni+>_Olki-_=3afnsA@<9v}dH$>bFki&N#5@X4N2M`cJ)6v0^<2 
z3T(RdWTx~kT5Jt8&!Uz~`5$FeoAiU!bG=j4ci!KL2XX<>lhMe0(+VbT%PyT`$EmDV zwX7!u$@dSH&8n@@b(&-;#mt!g(;cNVuGQ_ko13neQ!26@0*|)DoznGqaV&R-UEr`O zkWX3_0=FEM;`go8u%7WjSt|r zaqe9xwXEbWs2b1)?ylq$lV)bg>G4gwuS;v~0AJn_C|RfF-CFM{Sf49fuNBK(7ZRII zPqB-WPWLc^+sb!TrBv=ze%fnG>7vJ|!4)WE#iH&}P$a{fAD5MZiL!Yol+z%5vmXO> zpD5MGFnuM_Dby%tdGO#t6QWyKq3*eU|GRDHBTh9zBiqJ3%eN5(XF~>U2_v-{1sbYN zCkuu`RW58EbGh2Nn8Be?@FUe9g>n8@tF?hy0zYQI)Ziak0S$XnApN)bKTXRwK48p=4iJFyG`?j&9 z@uZWw)jpD_Ddz_{fu`flp=o)04&5hsYDGr`@JK+pq65A(pGX$TbTM};EYa>^ z?=Y-#Wb~LmjeLn#JnnitY&Ary3yvH=EU}u8;NGd=dP0spltrQJsm-6a;9%C1vfdEa z(EXHr4dvt%!r5Rb*z|roM*6osaqWCh^tMJ+zQZTHEA-(G;-TZ(05r1O%B-0uAsYz0 zoe|#*85SvP6t{k5P8OXYz1Ao{PW$k2UHXJ_9jLd5)7%iPz_HC$oy-^4bUYsMOfagPqIe?QMu|&bZ>Sswjln!o;pCs<6SFlKH1;dAdWbPdOX8-s1zBMsH!_ z>Hie0`s7!@+a`BaK|OC<`EYNq|{F1BYSFz zTfjD#XBV}ITL@VFFfq0JX+=JK{hP%XJq2Ezw*fz^Q2lkrPAUR5DaRYuZU|Un=+u0a z)|#)-%+80k%xSde>TjnN z?)6JBpw9HvZca5liM!?3dWbxYd*U%A#mi^o!e~myo36Ko0Y_#|Fb|o>% za{Zkfvin;fIuJQc}=jy$U9fOTnvu zPlNpmu#Ks`oFZ;Lq06(dproUuFcHgn2&QJ>_^^k!_z;w0ODiZ-mp-n`6i&@S+~&gu z@;*rigj)GQHdXyc;VBApePp$}bw#srv3l(UOn$se$7Nf{b>Er#YcMT?8uzk>y|s%* z)DNen{^iQtHS%M%zTx}!@)?1!?h}Z2+(ef8FfXBOUc>8b>#+m|z%EU2>Rz&hmYB9` zvT5eq>kI*Rp-TPlc-he2iMHN0h%1)HAe}QZ{Yca_G%)Zb0$799=;nGt!S6{9e*Kj9NPmZz%>)FowQ(}G2l zfiLUMUtN7UT~2!S?A`n>`m5axq!V98Lj&b3hRE@BTd=P^I2l)K(0S0e&1%$811O<% z^bj-285pEGuR22pU@3ehy^HJXzTo!H%}_aO>#&^_Pbf^>43otuZwlCzs~+hCS;<7@ zq;Dh1)Ashe+de74`|*#HbQ+R&mXRa;oibK$oCqbGU z|MqM?vPj^o-FmRtk>*D%;W(uCkvm)wAdGe-MBe~K-XzMzWdp1Yg*D2ZB%&PiO!Gg}qUPdUsbY&PXg@S&yT_Tj|cG5HSi$yc&w?$_z4oV5iqr*hU>9PIJ zCY)m%KiO(#n~6KxV~)XHsUpft1I2eTAP>Zj`-|$9-I*5o|R z%Oc`moj6<|F0d^x)GF3vOq_5pQaCmPh7M6#x8KK{^WxAEHFfTXAoSr!d&{xcf_yD; ztcesR7eiIEXUoijzn#{134NweCQ>LcEQn!T*&F@x4qpJW7|^LznvlR`u2F2Rnk;7L zZ_`Hm+Z{M{e#M?ZcaoH`&Bo~S>YReBT3n)dJ7t#fIg?7!`2v+XNx|EqNCFDoM^idpIF_T54ZA8gdJjb9v-tFdiRqoqDzXX1nnij zJ!xElYfVV4+NqAtw8H+=Fr-aTPgku|uI4t_^>`GIaCVhET_9AmdSlRQ`t+I&cz_sZ zy#i=xNn@(RIG$sxpU+M9qK={aiOjN05_@Nzn2JZ~P4jy(cVLar0~91@O)6wurKExy 
z_Qo$dj<{%#l$i@a{GG>hwZY4qXz7cGM%CuSI-CtldgyAqW}rUu#QeNn;)oz`O?;(O z@aW6kc>ZUz%Sp_?ji&TdKdgS$=efv}OM=*U%ueZTh;NB*!7A)Gx%)DsD-=P&6${Rl zeV>9mBAZWbD_qCyg z63|(|BYZbxZZF1_db(J3Zg4g4rO5@f2k6z9zg@;sBPIqa3*5=8mQW}P&sq+LC2x&Jmq(wyRsG z*Tjd{b|Wl{P{kEictW9yd3kv$c$q`9Nsp#QV19h@N@9l$eXTVv;TeQIB12ls<`-m% z^G+BsoQ6!=py3JIW5*pg*UMvs$`8Sy<;`@jT_RAmkeG!^b*Zj&evUyOCM&h@04}2Y zwC-v&ahRSN*$TXMy}`xb3X`?WHCX5qKtS~r-IAaL$bP&_Kva;Gp$a_ZwTn0SJdni& zIoP%JwsqsS`tTRIX-9KK&(d*A#o~tqcfJ7tScUks@0lhIpVhrn-mTD2Wb1q4_&vWJ z;G+al{xjX-TF=Ss1ElLv(PuLnyxR)}cVHtc*)5B)#oh@Cw!U)~ei? zt(?@@Mhw=SwbE8HdO&dJSfPn_el6LDMXLTSGzAFFr1NtAzb zxbHmS4xGX^#{|VN!eFb(h2u?eG*$$dqjA4|qs5ZDv$&Jjba=w`*tSCOKtwWF){A(j zKg&(g3R#$&yeFWxQ)=P0zsiH0mx4GcRUhwOLo_&Ecrt86omM}#=#%z^A2ZR)Z!8D0 zY6q@6s#6C!pzx%oV7EJULu_hA+HcOP|Hh>#e-avLPl9Ye%!}dS60Vw^v1|PHIU^q_ z07sSg_Cmrj{;){oBK3fCWBS#+^t(9gHHvO2^#!evst}sQ;EUpRYcKcWiGl_SG$qr0 zPi~~VHfF;+lq7%Mw3&V}$E;c2#&>_rwZc$D7Kg7yQKh3DtI(p{!&y&jI%qf7Jo+x2 z+3@r6JOOd8{5oORvO$$uP`oe@$#_CMwaSxmHBq(=#ZJ%}_6>@i^#n zask+XHri{Q8!gh)*_PpJ5umW>h%im0a+R*20qbRqKV99NH+qkq6|p+fv8!#cw7m4r zYc1{=abZTd`!Sd!tDAaQb{{EnxCgR2YOw0f&I%36%UOxP4Xb;s1*u9+&3aS?aA4%B zn@$z(7sOog-qx(ocUPM3eTuNVEhrO`#Oh7ii^SlMc?Tn@BY!)jpZ{%yTd~I6r;S;= z{?(9fW6k=k$_0`Au(9qiK<@1LcOGudpv z=iu-$mEm`X1W&~eOAWgr{|bS>{pD0|FuAM%p@;f!U{3>E3kmk^Ix(mcP7Ebz634Jf+Z;FwFn{D`QMJxw#iwhwOT)R-5D3eC89eVpH4V)E`@^f^ftH4FKz!xGpebT|cAMg!B{ zGW5;I9|T^(5Kcrazr(E8B_^AR>HKyk&`vW{xMaAvVVCG;v0A~u4@5+?godM|+}s0U zvfxLP_x+=@+d4nCc9z>*yF$lT2x1=b@!p&q6QG8N6a8m=fm>V$XK|sX-|8VQZ-q== z{;cK&963D@je?`nZt6^?eE6ozpoK#b_uM-Hw255&DSq=>0NFU5*0lV zqS&79LD$K#8!7nQ7ULd)KjQ*a#7z-(RceiTRnO`_HLV6tWys3Og@`&%j6GjZx%&GW zx&$l*5|)ov%7g}v&q1||OKg(-I)Ll?lJ`50$JwUzW7}ou2gHy8BgGhwZn*Vc#PYT`U=Ih)~1vW2_o2W(3{n5MUewN!q8m47_>-Uk6 zssR|FkEomnQA|3?E7ob0(&M#YPZOz(U05itT9)<}M>VDM8$-JwfG0FmLJt@S@i*VT zZ88R2Ej1``FKZ?5k+Q`la#AbD5*KPk3vJKI>v`5yip-jT#sErFdu4J3BWh>jf6lVq z#K0ntb@N3v_1U}$OcZynTym3e(l%_RC>B}vlGOcoL{b-f?c*F;9y4*R;hip(*Fim3 
zha~vX$}>XKdDoyi&VF@CqiXTC@0>P+%K1#!#CD4TfZ&dt?mzX@0B-=lUMtPq3BVNV}S6It@iQo~G?54^i}&Kjo2CLbI`HmB5dglv6lk&miE8Wm?Fo z^H63R!yxXP%gIjXQLjUAm*9j?31%P^_LaUzlq(l;XrnmHM1DF^RsM4Jo<4K6@uBe4 z?~yJuJRs7wk{g-oZ$-EGXq#seBJx<671LT(>4|KGz5U zt`WI7Gw<>;ViPlb9;e^h$`XCB@laNQoim(xSw1$1$U0@)b8n-{``p(ei$WnCk1SSa z!?ro2*zk8^HL5BaS|RZ17!qSy0clO5;c zu*uW82%d(@V61GTY=KZ(JBPBfE1q|1wSDxHCPwpcfT!(C!0feK8EV9%%i`9B!mD$dGvBo_bx}!mxspg>8VU z(uPbmpRJ1cjIogS=9}M|$^qO!<8|XVMD)^v=J>BW`@n3U-`36zAzeLsR2LL=W-GmAs!Zr@_=V z9bx|_~k5*8UNQv0#_s;%N z_K*@na}h=!9;?;6^DcpPE(lK<#@UcFa-o#RKJ5RCDLFo0cQSeZf7<)bpeDPnT?NI0 zh)NR>L8+k%3B6122nfDFckLl`j_K zp;xhfK4@0m3L zTKTo#9_nl+RE|Ev3-wfllTifplR3KAk=f4>s|V11coV>dWIOgrjt+e>&JW?{XG|la z(#!0zznuFL`-v|vvp-f*nOTX?|1+c4Ug(xZ4qGG{VUY3}Evz&6YJCINXb_+t5D}MN z`+F)wcMb66xV`b4pO~Yx)fU~fy(BMVb$xn99G4%&Wu*Jx+MlFGl5HP&u}&u?Sfa=u zr4LqRj(PxTqE;LHIPcfmU3Gq8T+dKyuX<|&56|fSHn<^6U1$?)lxKL8DK99pbLLv7drf9EfP0CC zEVNc?uRXB7alM$i+ch_-uYQi5^< zGpvS5&wW^AR(b?7&$sTvwZeS6S_2q`tD6x>_BwOeZ+i#)tXBX4oRoVhJ@@bC9ze9p03>7-9{LT|AOF004FGT%p;+DD%{c%G zMS&4VK6L+XsexIpMFIeh(j5NkcZ3AoI-ia~rt({n-?kd~`7HPt63#sW8~kPZZ-Eg- z?aSr=goILT0OnSpOUd|SBTtby0V7u3%cS_rnr{I&-c8KFrN3;l3o9_;HQ(p19oq|FLC{L>-5gGA4xnV$Dtk>YjZc9iuO#;Hc<-;yC}c53A?zyu?c4lcWA( z(~6I6+M~>?CzkyyZ1tV#7{yohhf)6t99-A|n?}R<_T=UA>)Wfxk*SUfXx0fu`{f`! 
z;{ir297%50URdRZ_2EHF0EejI5Oo{L=XDQ^woh8c|;g~ z15U^0VeA+*ARVx(e}N%J$C0Vh?(=`Hc`Y0O4Xb7j%723)$G|4!t@2;i>~#!7W=+6) zf0=$9FrpD0a`#U=UULi@{x=`lKNx$Z-%c#>^|i!OwW*(=?)A1-uBh_Y5*3eqg=X}f z5*U)!U4}2g?%$FM*4EOBk@nqg4kSIt1_pzrkUedJbgx4~qCb5S11eu5@4h@A{KDt- zvApjtQ{I2Oe`3q!&Rnot`!MppxkdLbrk%nIZ#t--0=a`tPGXoScB_7=_4V=!E4r^f zFCOx7^-EpM@jY~&#JmcixWMw#NtygFvZa5F&^@Z?c~5-(mu6qVoI0J=g|+)F!thHE zkF_S3U-bE3^zben5Oc%O^ZiBXb&hFO6S*szdG_Qy>hDnxl&i48 zR_{s4ot~Efc+Qt^i0R5Hf4y_toJFKZCvxMrc&(TS35@=BdOOvg@8ejuTxB(!YmzH$ zQZp~n1s=Y7V|v6nGg}Q7wS!5a;$~4Il`a5i9{>EKn5SE7_CUG9b5vrm%qFy4Chxu~ zVR^LLsNZ>j3-I9dax`He(;Q9J<-8>=Aiz@dbd+BB#7rZ#SODoMr@zWqsrfp}fT~iB zHx*QZ4UNZw2J?S@$*#}Arr4k^Y!{kUwAxTkz~TXh4{D}8?(@O6TE^X%)(u|}HUPDJ zVqPl20tj+WmB0|QdaSGFKq@YJkDPACJcqt!9&?CjsP&2gt9pseCb zq^fQ4C6RmNw8^J5^5H|}YS4~k$LHM1d|C7wZZjQmQ&ZCK8&ZLoahoUAy9>M^kguaG zKzHU?EAzoJya5|4A7#6krN;6a-!&|@;M-^y6nG zGp8G^_Cn%3tHCRP*uK`rX$Wt593E)OVss8vJDbJlY$PWlK9U0&Tu(iTlli4^fzuRQ zOCm{%TgfwiV>+H)z*}D#>lf%gRs%FOL@w3baOmNw{#?d3^I z*_WXVgKuXd)MQ*JxWf%DvyPQS)(AEZ|Y*4st4}T*#eld46nKPguslKq35gQPyOC zd%;kJ{gBAM%G-rL|4t8y(boF~*-przT1SQ#_G1fO0@-BWAlIkIgG+>T!ZC8&<5`&j zVwZni+W+^@6&MLrBFgN^ZbBrPUj$nO>T36w)Y!Yo+mXL-V!XJB>FTRxKRw)eb026 z_)_LR=n9_Z86}HwH~n^z#_uZ*WNZS7e1G~ncI-(A^a9ZPRG~VC(h~I{G3jm&u303> zBYyJ%!xj6H4;i@jolky1CTvS7i{kv+Cpn=zC|#Sz!IqH}Rkr-)OCw zE*ZwT9!H6{d}BBCL&-3-e8#u+iATfXCCXb=WoKLA+0PMnk-ROMs7c&0~PU9v^K8QWJ{IQjUKv?^yUi_Z%3?ve_jIv(O;X%zwkln z`$8f8G03UxKrUM(J5ge|9ixO9i!QdwlIKJwi#(p;O&P>}dPqvlubu7g9ux@MX0jBs zSil!77O+NdX=EC!a;8*&nGc%aX^(|qwOxhc4!MUx{-Ij$@+?Lr(9GB#lQQ=t1kIa^ zVoqpejo1v(osK+wZ$g~qgz6DyD&+t_vny}IY=B|Y|K2}SKL(8qv}c!orv znyuP%89k^Z!Q@PA2m_541H99gSUcL`{!`JkNd8=#1bPJ%6AZmZf3hmZ+tc1YdG7iK z_md|tm#XYPYDK7tqmQGcrq1CfbK#0v^{_rg87WEgG*Jgy50OyQP;DKsXupXc3{&+r zxp`w+D0}Y!TCEmCKO&-VbHLl%<@P}RO;`e`&C5nTqD0da<>|V$o+MP4W2`VwZ7u*( z;J@Lp&HxF2@j*+c!fHLYO31usxd_+>-y`j1k5*`wtHzTrx zA)KMI>Umj&oHqmVNsjT6WPa|;nfCV!po^VPGaR^K-<6;1`plxOvcr=eZ3FBekqy-Y z{QQ&TTUlNrDUyglh~o%X6UbH@;p0c)NvQTNrI@mNm#@8Sf)+4WG{tL%2ob;0gvXGb 
zL&d5m%0+3Hrr6Mq_k%q7Od+CMp{<+r#DVIv`9xv4c+>7u*t_}8x}2e(Hl5E}i`Wmo z+`1B%nyTk=%S0K7IZ3bzsbF#7nHa|O88rkdGEITm zmU_xNaJs3IN>Op@2+Ak=cwV)qVA&I>VJdVse`mV7+y8~v2MKf&D<{_Mw-r&2=E@71 ze;5|G9nGOv#vI-MPBMlO_*kpmiE~?XF4=PB84A|UlvG9@r>`Q#ywd7+~#6<-8U2vwziM_eE&K8zREOTH8y53M?S0RHCr}gIG^HE5%J3 zZbccb4|GAN^gcZ5{k<3%aP*}(>e-AV%w1lE{&J5_{CU9*?5Kg@!e5T?CcyESDkbl5 z`7>q#gns}s1Gn;DVn6kdkG(+82KqnijaaVa12Uoe?L)+gDf~KTZ%x1pY~mOD`Zq6- z2Jiy&uW$W1kJAyyUf{r4+fToXEFef9j=eydOqmmV{0q~37X+e0H>SqcK1{pm8Z7yuK=2)W1n z=RDRDfk@5&>O*_ITzxpJJFE*V?zVxI8P1~Y>EiZzX-RGJldJviO~XPu@BP^|RrJrJ zatQ-=kBQap@=1;VB{MflfD;bK^E5sEi}W@DDXSjApqV>=N=7|`{f=A52&)9-bQbH6 z(2+*E*do5i*q~OU*b?R{&X%M<0(f!{&Oqechy6*XpFd<>ia_LIR{NhH999Oer=HT| zGHEg%tvK*xwzX}aKNgKB&UZwre&*aWwVr6-y(jqM(K2Fv;OpB1rEa-ERflq~_!FW3 z%&NZoiVKMf151yP?~2r(%WiJZM4`nGYbNms%s8>Cw!`@i)>&ymsaS4s!24;IkAvE4 zKDHLvIkwirN*0^yrB2m|k(inG+a^{6be3v*deQ$hHmU=xhvPyUb(@VjOQ14^RrYYd z+RS$^`zS?enD$LX!bazOlA|vano~oVXwu7tYKdpMHNg*{9cipo#6zB85&!O7BORbb zX8qyt&hoebYwe*)$BIvm0heV*C8DKldL8FnrvXr<+@(LGAPzkPl{)Fiz`Zx2p>6$5r9P#S;>L}H z%}`#`(l0m5YQ+=MMlr1m6^qtO5we3Dnp}pO3;1GoM;-COTJ51)^Txwnl$lTW*+K0M z{F|68za*iatb1SK!&~1Pu_?(hYOa#6eu-dP}ZG(wyz3!qaE&Cy!VZw>fY z)z?1NU*9;A5aCe9c!*1@yy>27)QD4$%eo&rQ!AmL+ZkC$OadKjFURPcq_gFg+tY7u zJP)8v7Ms>dTHkTcGcAbUE9_AVN!eMS;ARlBA1ut%ys=}B<`eEDr zuafMiy@V)^^LJ)~)2+X?-akrlJY@?AQEP{Jb(v$jjUGpx=oT?em}l72KjZWbLgefr z1U91DNLVlUhgL$WvFJ24K}DAsg@5)&AK-KIQBnpN+T#l!k{BSTvMa}~QfP|X%&*h9 zensvyFL*3w=~ttBuxG+Inb$vaL}uB{j8sLZrSWqzAF2>Duco(1Q_9XjWOE{Tj7p*k zoNCRZJ(nU^W)P1U1_rAnjW5!0vn}>JM=EI~05WkW5ECIo7zwC;$N8zPcdz@*7D=cC zuVoxT0)_vT6U)2+yt*LCq5bU6m{%v_8Q&XhjrP_ zH@w43GE>B1IIP5){78iy8)eZ*vOQ=LzUlFrYF*xw4M!~}JeY9?arh%!bX=rPVFGJ5 zTK+V&#)hQHDdb2ps}6Uhgdh@AWkwNH|A&Pi$a)PRTmsC%LvWHLLcS|tld!CyLlNJp z62MC2H(n?}`Cv_eG9Sf_vnGtxu~y~TVAQs%-zdR?&a6hyPT+* z$sB#zU(5_8YuuyBqE`7$xv7~iE@kLe4JM!%qRqvp6&e>O4l=cYuA^0%7-j)NFkiAr z90R98jP~;IAY~jv^9ZNhw$*z%F^^k6=ZKH!1w&9#@85H(T1kf6j;u`eugC1ElsT`u z`3(zu_m=vbGM2A7O6@A5!VbZ2j}oPnwC%g^a>olWKj=GC6cFp{RHX*l_*Qr5G?WTG 
z`srCK{An?Vaf&ns{qzw~ab%AjeSR}eerF_UnUR#}Oj%w6ydazcFEB(8Uv?Z;T|J$k zmVcp)Iz$>xG^pL(PjPKIJKI)en?B9>o(!F;hjxegruh`_%NClh_{;Iv?cTQas%1ui zlhpPpR6AG99T~A42VG}6$Yc+#&@%1}U8_`_ZNxM`P5zo63-ALHuy*euz@|rg(56^* zJK`;Q07|CTGp97^*-9gII@7IT}i#8_2cC!x(8b?gG?gRfuCp?+`>h5MjkT0#d9tAZrE{eOc0^NeI2s27>^=UNpWBPfR9bf` z!>Dz*IA%BJoC^3&OM3ze4Ey2E&ifIf@)~^f^z`c+t5nv=7Ig=ku~kWR8}rYa5jkc#rE}qXnetuvdEMX^vK-0`6EEEFN%RPxb7u3w+)S zKW=nT=DM};?#{mWhs?dQ3a90v!R7q=@7-#f?2Vs!{sKkxni3j6 zl80BQ36JiNGcv)t=k1Lye-dkQN=^}YS`n@f@t(5g6+g{xYiSV?TsPTPaQ1*znWeGj z;p)AdSJZFb#5rXbXt+^b&o}&(=zr5;dmjCz+t?$SMsl-3{@j{77A;f^6L?xYlXn$- zQ=858Y&1|^b+`L{Emi8f(`oU1Q(@XnHbH9NdRamd;v1VCLXCbO-PFtWSn}vKvF+!Y z4`U}R!(#(x)9K0=D2QI!gkX`c)|7h*=FrbnM9StkZo?~t$inIIZyH&TUak)YsT?_y zraRPINAJ0eeUg9v_@-2khbb+;@$JtY5}O%fYlnxHi^N^e#P5Mn{g)liNxh<( z0O!2cNEay2N-XxUcxu63vRD-`sa&-;cHqci8MS+ReGc3?`0VX=fj-&Ra9+Z=k5OwP z%q;or_Qw_yw^lp{`PxmY>wU0r3CGP9`H1HC&&NYxGo9v?(s1w>cas?=N-67H7yIEB zjt`q_xK8yjH5{;vZn6jnS89AbKYIx0elg0TB=>0Ny?+tCA8ESx5LtM6L=(^kq*i$R z{d}(~HYmk5=Oq~}h4%cGfSH)KdK?#sVYg?}u0Ms$V{>&e7s|bGkba30o?L?8-`U*S zDLWV4l!Wkd4@uF7SXJSy*OgL;bTVtZ`tR#9ssCe7!|Q?CY3qSm%YCvMr>|sBz2@#% ziX1wu)^O4x$4%7}cXGvPkP?WTqzS9BfhmJ;wJJR}9409Og(RT?85P6U_Z`-nLHo77 zeM1!;ZLB`MI|WbuZ_N_Z3>Oz-(E#_+C%S3dVT<)qMrmFB8x9r&X_Y7@G zIZTg>e0pl0JgyFiDtFHe`Dh*pP?Z-0shuGPVsd%!{)|-W`@G!!i3b{AeLR2?bqUAi#qRO8 znIh9H_`J}1@4G^!xm3@lA5VaqZchphLVb#U_p|OBF^{TkhDBlq1(o;HaJXWlIDJAY z+QFCT{1_saMU3$B*9R>2vF|YQTzFle7Hi^qcJF;A!l&poE~n; z1i3#QpK=^(JYXLq+xW05Nn#7NOHaOUQRBV66|Nr7bt|RaBx{08LTNd30y^{ZX?va> z(uJBtbwc-$a=+`+dsYysk>o#RAV=eG3Nhqrf>>Y-K z4FQhtANz`5PBF{r-8BDhlAACWY~b%Vbms9o7;h;1eQOaXY5kBw*Up+anvt&RXZ8^0 z+@opRp8WU#WR8jDy(7<-J4cj)G-oXe!Ct-I2wV?2B23k!NiUVtndi=0pvZb8fzGHx zP<1h_i2Y1$ond?0JDo*^qVgQbR->Wb&+WX4%c%$_$Dm~m$e;#8m`kfgjNto0Wv37_ z^1dEf7WXZigx1;2+NhXh(F7p*)dHJIKJMgYK2_~kRp!~?LELu=XPkFj$D}QI0#$0e zuQE=vA$3X?^x-mV^)tj&7?#^zt*);DSLlyF6PM@6b<&Oq zP2g)of2e@6_lZrMN%>ObV0Sh?flPKjr6>0Q$iW-C-`hQmXMhf+>nB6t-%SPD2OC-c z^+2iNrwKv%TW>g9vp|SJ#=W_ODTOp|19ZxzX@GVN61W`jxqAMJ&t4 
zi32fc1X0_g@fp$AX|&RL)dB>oEu>WG2H7Xmm!wyaJXghN?M#b&L-uk@1?OO{^UDdLm5r_K3k-<~f+cioO&+o^> zy%cd_&naI;eDu2B6-H*xC0X*`%M%B)Ww3Jr-t3)+_scE7Qx-;Ma^9j=Bn<1cnY#0M z_cI=lvPtk0)O0%UIJ6gvFX`^fo8wiuVI(S{3H%;R@5Boy{oq|Ja!}poSqxw9BNFS``LJwDV~cdXO~;lk1gP@q0o&yCy1Z~34lm`r_8C>wPj z_k98IQ&5h$t?+ey_Zo@pzPdT41y@NrB4#ix1(6~|vLb@{nrf7@*9l4?1k}Yuqlfd{ zJ7oUT>7bsG#MVm^2fbw^w8*xQ;42ZQ37#}6G37BD^Da>8N+LhlVUDCJz&9@{q*2f- zC)jlfcvd438Rq%&}=s~mdeRVPfvo0L}??sL6#DTohC~Js|@PboCK;Z-soG>p>Z(xj98#iL8~M);t}0foM#_U z)kCY5+)Sll5qap>)kitFf6Ey7f0rU3n-|~c>KysGWIUcM?BiF_Sz!0BILG+>VL|u! zUVnCvAg`b?bF%-{2gk+El0|CIFPPNQgZs4~_RKO|aqo}p!B^2}jrQdQn`?CmKA=D9 z!+SDBk*xv^7hrUd{ycM_dgr{M^n3K@Yg10N9T#TMoq3rNRpvSr|AZgRca1ZB_6;Tm z%^wk7tRJ!g&v0)&+bq7N-MtmOi4En4E+aI}ub2YG=0w$!Y}%q++@!LOVxAi?5zRr-2TK7RnKf z&QP_~hvz)zaeJQz`>0UWj zlVun6-jn`{|MIv>lV@(L*Ce6~%i&#qKc_RzQE10>2tTo_fCpcUx5;W?6?I^mcGtFM znP#J!7?vF^8@Nvv4Q0M}<-C#{{znzz)uQzpxj@@nBTJa9)WY4CBPCKrFPYufW>;M} zKcd=YyYw}`=b1+?(Gj=z{Zf+9!Zt&Ys;zy8vgID&Dc+1mKOo)O3YR2U*eP1Bmgg`h z?j*-{`8t0d^y4ae=r9*Nac-qX%L1|EU$wnmtx2YQ>rE(+b?(-#PQpQ#wWj|b*3MUy z47r`-#Y%poVEk6Z5RTj@-C+jC{4tcpAwCuwX6G_DZJXA*kr*-N6(L3Vq5-8yz4spX z&m-*Z104z<-D}sbU3Mt&s$z7Jx2)PmS1%C{-6wuFF@GBA$JGaFd$e{+=%z>9uvs0V zf$ygjqp~U$39=j5*YVoRL#-OlpIPs5TzN9x;OMFH;wZye45FJgKDSFZN}G6lscxM3 z)CrHOywFu_R-w*cwN2(54Aw&3bni4j!kSC3;uhgl1A}%4MS6KFtjAr8cL)wW5L&qXziQh0)AvDXX4hkE`yVC&%PaN8QKOUWB7niI^nAM(fMj%_#y> zwz;S=w_$9*BEoj_G8{QvN#T>m@WQ9Fu*w}Ly`v$pv8w3hwm1}ekje?P5J3^hbWu?^ zYj^lJb_DtD4r)Xekfa{StOX8J9aIj4Yr!&E#GWewP;cx)zClJ1Qhl*5efD1uN_Xw- zChA#0_uk8=>4@MxvrMJR`G}Il9dNRFX1c%oXSUDuE$2!;-v;{Zuid}k_kK`%HPQGo z#&cntX&C!f;bPlHgzTe&v)dV~#+&3n1Z9ul39O%1(WZVH*UoG+cHkvG^QE%qAEb5% zyMF#U2=-_4IQ==)1V|97STn!8?RnVOH~t1|TFH#yOlzWFq^3hkrWy^}@pr6nCLWWGYX8y@4nF?@%o=}?YF}_hLk5UYDR8 zEeUlF9_}aJ@cvJ^^jQtL)$6J0J7W7X3X2QAx%C42&$lvG>mXfIHJlf7ht7Rf9>{|q z`P-iYnc?u|mO_z-9ucTn%oWc7T3r8DG~_W1h=WYRU!?Mr7?bP~B9rWBuXpIQI3xDv z7wzyMS~fQ>*{0raZ#GOf5mteL09$O(m`%KnFjbj$bJhFe&1o;Qy}Sh6mXyhueUaDR zc|($ts{RYKF1?}(fzGeXi?@;KqJ}1-Yd6XrKONni@wkae{~l#=_Ts--W6Fr7ZuQBg 
z|EmBs+QKu7tOExnR*s`^oLm%ta*>xc4(PTLx`7l-AD@g0jJ3==U+ndCZ@)(@!yOHB zWPtSC{mvC6Fmg|F)6!1??Nn5e_u2s >Admin Controls is available to Docker Business customers only. -This page contains information about how administrators can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information about how admins can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. @@ -41,14 +41,14 @@ If set to `true`, users are not able to edit this setting from Docker Desktop or If set to `false`, the configuration value acts as a default value, but users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file.

    - +

    Locked: false is similar to having a setting be the factory default.

  • For new installs, Locked: false pre-populates the relevant settings in the Desktop UI.

  • -
  • If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting which may have been written to the relevant config file, for example the settings.json or daemon.json file. In these instances, Docker respects the user's preference. This can be overridden by the administrator by setting locked: true
  • . +
  • If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting which may have been written to the relevant config file, for example the settings.json or daemon.json file. In these instances, Docker respects the user's preference. This can be overridden by the admin by setting locked: true.
  • @@ -133,12 +133,6 @@ Once you have created and configured `admin-settings.json`, developers need to q Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. -## Example +In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. -The following image displays an example `admin-settings.json` file: - -![admin-settings.json](../../images/admin-settings.PNG){:width="500px"} - -In Docker Desktop, developers see the relevant settings grayed out and the message **This is locked by your admin**. - -[screenshot] \ No newline at end of file +![Proxy settings grayed out](/assets/images/grayed-setting.png){:width="750px"} diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index ffda32730e1..78141035c44 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
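Review bot: In the `@@ -41,14 +41,14 @@` hunk of configure-ac.md the JSON key is written three ways in adjacent bullets: `Locked: false` with a capital L in the "factory default" and "new installs" lines, `` `locked: false` `` in a code span in the "already installed" line, and a bare `locked: true` at its end. The key is lowercase `locked` (the sentence above the list says each parameter "must contain the `locked` parameter"), so use `` `locked: false` `` / `` `locked: true` `` in code spans throughout; a reader who copies `Locked` into `admin-settings.json` gets a key that does not match what the file expects. While touching this bullet, it is worth saying plainly that on an already-installed Desktop only `locked: true` changes anything, since the text currently presents that only as "can be overridden".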
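Review bot: Removing the `## Example` section in the `@@ -133,12 +133,6 @@` hunk leaves configure-ac.md with no sample `admin-settings.json` at all; the screenshot it replaced (`admin-settings.PNG`) was not copyable anyway, so a fenced JSON snippet showing a couple of parameters with `locked` set would serve readers better than deleting the example outright. The new UI message **Locked by your administrator** also runs against the administrator-to-admin rename applied everywhere else in this patch; confirm it matches the actual string shown in the Desktop UI rather than editorial style. Context line: `your developers workflow` should be `your developers' workflow`.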
@@ -7,9 +7,9 @@ title: What is Admin Controls? > >Admin Controls is available to Docker Business customers only. -Admin Controls is a feature that gives administrators the ability to configure certain Docker Desktop settings for their organization. +Admin Controls is a feature that gives admins the ability to configure certain Docker Desktop settings for their organization. -With a few lines of JSON, administrators can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. If administrators also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. +With a few lines of JSON, admins can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. If admins also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. ### Who is it for? 
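Review bot: The rename in this hunk is consistent, but the retained sentence `This saves significant time and cost in securing developer workflows.` is an unquantified marketing claim sitting in a reference page; either drop it or say concretely what it replaces, namely configuring proxies, network settings and the Engine on each machine by hand, which the surrounding sentence already lists.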
@@ -21,11 +21,11 @@ With a few lines of JSON, administrators can configure Docker Desktop settings f Administrators can configure several Docker Desktop settings using the `admin-settings.json` file. This file is located within the Docker Desktop host and can only be accessed by users with root or admin privileges. -As the `admin-settings.json` overrides the `settings.json` file, which contains the settings configured by regular Docker Desktop users and is located in a directory users can write to, administrators can configure default values for several Docker Desktop settings and lock them in so regular users are prevented from modifying them. +As the `admin-settings.json` overrides the `settings.json` file, which contains the settings configured by regular Docker Desktop users and is located in a directory users can write to, admins can configure default values for several Docker Desktop settings and lock them in so regular users are prevented from modifying them. ### What can be set? -Using the `admin-settings.json` file, administrators can: +Using the `admin-settings.json` file, admins can: - Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) - Configure HTTP Proxies @@ -35,7 +35,7 @@ Using the `admin-settings.json` file, administrators can: - Turn off Docker Desktop's ability to checks for updates - Turn off Docker Desktop's ability to send usage statistics -For more details on the syntax and options administrators can set, see [Configure Admin Controls](configure-ac.md). +For more details on the syntax and options admins can set, see [Configure Admin Controls](configure-ac.md). ### How do I set up and enforce Admin Controls? 
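Review bot: The `@@ -21,11 +21,11 @@` hunk rewrites a long run-on (`As the admin-settings.json overrides the settings.json file, which contains ... and is located in a directory users can write to, admins can configure ...`) without splitting it; two sentences would also let the security point stand on its own: the override is enforceable only because `admin-settings.json` is readable and writable solely by root or admin users (as the previous paragraph states) while `settings.json` sits in a user-writable directory, so the file provides no enforcement unless it is placed in the protected directory the configure page describes.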
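Review bot: Context line in the `@@ -35,7 +35,7 @@` hunk, `Turn off Docker Desktop's ability to checks for updates`, should read `check for updates`; since this hunk already edits the surrounding list, fix it here rather than in a later pass.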
@@ -51,5 +51,4 @@ Docker Desktop users see a notification in the **Settings**, or **Preferences** Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings.json` file. In addition, if Enhanced Container Isolation is enforced, users can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine. - - +![Proxy settings grayed out](/assets/images/grayed-setting.png){:width="750px"} diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 5c055b89151..ccd4abe9ece 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -15,7 +15,7 @@ These techniques include: - Restricting containers from modifying Docker Desktop VM settings - Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and c/sys` inside the container for further isolation. -This is all done automatically and with minimal performance impact. +This is done automatically and with minimal performance impact. Enhanced Container Isolation helps ensure a strong container-to-host isolation and locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). 
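Review bot: Two context-line errors in the `@@ -51,5 +51,4 @@` hunk of admin-controls/index.md should be fixed while the hunk is touching the end of this file: `for example, reconfigure proxy and networking of reconfigure Docker Engine` should be `or reconfigure Docker Engine`, and `Any settings that are enforced, are grayed out` has a stray comma after `enforced`. The sentence is the one that states the enforcement boundary (privileged containers cannot alter enforced settings inside the Linux VM when Enhanced Container Isolation is on), so it deserves to read cleanly.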
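Review bot: Broken code span in the `@@ -15,7 +15,7 @@` hunk of enhanced-container-isolation/index.md: `portions of `/proc` and c/sys` inside the container` should be `` `/proc` and `/sys` ``; the stray `c` and missing opening backtick render as literal text. The bullet `Vetting some critical system calls to prevent container escapes` gives no indication of which calls are meant; since the next hunk references a `How does it work` section, link to it from this bullet so the claim is backed by the mechanism description.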
@@ -49,7 +49,7 @@ For more information on how Enhanced Container Isolation work, see [How does it ### How do I switch on Enhanced Container Isolation? -As an administrator, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the `admin-settings.json` file](configure-ac.md) and specify: diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index b76dcb9df57..6db16522aba 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
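Review bot: Hunk-header context `For more information on how Enhanced Container Isolation work, see` should be `works`; it is outside the changed lines but in the same file. In the changed line, the operational caveat is stated only as a prerequisite (`users must authenticate to your organization for this configuration to take effect`); spell out the consequence, that on a Desktop where the developer has not signed in to the organization the Enhanced Container Isolation setting from `admin-settings.json` does not take effect, so admins understand why the `registry.json` sign-in enforcement step comes first.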
@@ -1,22 +1,22 @@ --- title: Hardened Desktop description: Overview of what Hardened Desktop is -keywords: security, hardened desktop, enhanced container isolation, registry access management, admin controls, root access, administrators, docker desktop +keywords: security, hardened desktop, enhanced container isolation, registry access management, admin controls, root access, admins, docker desktop --- >Note > >Hardened Desktop is available to Docker Business customers only. -Hardened Desktop is a new security model for Docker Desktop. It's designed to provide administrators with a simple and powerful way to improve their organizations security posture for containerised development, without impacting the developer experience that Docker Desktop offers. +Hardened Desktop is a new security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture for containerised development, without impacting the developer experience that Docker Desktop offers. -This configuration is designed for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within the organization’s centralized control. +This configuration is designed for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within their organization’s centralized control. -The Hardened Desktop security model moves the ownership boundary for containers to the organization, meaning that any security controls administrators set cannot be altered by the user of Docker Desktop. +The Hardened Desktop security model moves the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user of Docker Desktop. 
Hardened Desktop includes: -- Admin Controls, which helps administrators to confidently manage and control the usage of Docker Desktop within their organization. +- Admin Controls, which helps admins to confidently manage and control the usage of Docker Desktop within their organization. - Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that configurations set using Admin Controls cannot be modified by containers. -- Registry Access Management, which allows administrators to control the registries developers can access. +- Registry Access Management, which allows admins to control the registries developers can access. Docker plans to continue adding more security enhancements to the Hardened Desktop security model. From 35a0fefbaede999433308940f818210c8099b88f Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 15:06:39 +0100 Subject: [PATCH 14/33] review round 2 changes --- .../admin-controls/configure-ac.md | 32 ++++++++----------- .../hardened-desktop/admin-controls/index.md | 2 +- .../enhanced-container-isolation/index.md | 4 +-- 3 files changed, 16 insertions(+), 22 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 785fea3d2ac..cdf870ae7bb 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
@@ -37,21 +37,13 @@ By placing this file in the above protected directories, end users are unable to >Some of the configuration parameters only apply to Windows. This is highlighted in the table below. The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. -If set to `true`, users are not able to edit this setting from Docker Desktop or the CLI. -If set to `false`, the configuration value acts as a default value, but users can change this setting from Docker Desktop or the CLI by directly editing the `settings.json` file. - -
    - -
    -

    -Locked: false is similar to having a setting be the factory default. -
    -

  • For new installs, Locked: false pre-populates the relevant settings in the Desktop UI.
  • -
    -
  • If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting which may have been written to the relevant config file, for example the settings.json or daemon.json file. In these instances, Docker respects the user's preference. This can be overridden by the admin by setting locked: true.
  • -

    -
    -
    + +If `locked: true`, users are not able to edit this setting from Docker Desktop or the CLI. + +If `locked: false`, it is similar to setting a factory default in that: +- For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop UI, but users are able to modify it. + +- If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings.json` or `daemon.json`. In these instances, the user's preferences are respected and we don't alter these values. These can be controlled by the admin by setting `locked: true`. The following `admin-settings.json` code and table provides an example of the required syntax and descriptions for parameters and values: 
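Review bot: the new `locked: false` text says the value is ignored on an existing install because the user may already have written `settings.json` or `daemon.json`, but it never defines "existing install" (presence of those files, or any prior launch) and does not say what happens when an admin later changes a key from `locked: true` back to `locked: false`. Admins will read this hunk as a way to roll out defaults, so state plainly that `locked: false` only seeds brand-new installs and that the only way to change a value on an existing install is `locked: true`. Also `we don't alter these values` is first person in reference docs; prefer `Docker Desktop doesn't alter these values`.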
@@ -122,16 +114,18 @@ The following `admin-settings.json` code and table provides an example of the re | `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | |        `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | |`disableUpdate`|If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| -|`analyticsEnabled`|If `value` is set to false, Docker Desktop does not send usage statistics to Docker. | +|`analyticsEnabled`|If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | -## Step three: Re-launch and re-authenticate +## Step three: Re-launch Docker Desktop >Note > >Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. -Once you have created and configured `admin-settings.json`, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't sufficient as it only restarts some components of Docker Desktop. +For settings to take effect: +- On a new install: developers need to launch Docker Desktop and authenticate to their organization +- On an existing install: developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. -Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. 
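Review bot: the retained line `Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made` means a locked setting is not enforced on any machine until its user quits and relaunches, so a running Docker Desktop keeps the old proxy, daemon and Enhanced Container Isolation configuration indefinitely. State that window explicitly and tell admins who need timely enforcement to force a quit and relaunch through their own endpoint tooling. Minor: the Note in this hunk still says `Administrators should test`, while the rest of the series renames administrators to admins, and `checking for and notifications about Docker Desktop updates is disabled` needs `are`.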
+Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 78141035c44..e6252ef56c4 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -43,7 +43,7 @@ As an administrator, you first need to [configure a registry.json to enforce sig Next, you must [create and configure the admin-settings.json file](configure-ac.md). -Once this is done, Docker Desktop users receive the changed settings when they re-launch Docker Desktop and re-authenticate to your organization. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Once this is done, Docker Desktop users receive the changed settings when they quit and then re-launch Docker Desktop, or launch Docker Desktop for the first time, and sign in to your organization. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. ### What do users see when the settings are enforced? diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index ccd4abe9ece..4773346520e 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
@@ -13,7 +13,7 @@ Enhanced Container Isolation provides an additional layer of security that uses These techniques include: - Running all containers unprivileged (via the Linux user-namespace) - Restricting containers from modifying Docker Desktop VM settings -- Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and c/sys` inside the container for further isolation. +- Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and `/sys` inside the container for further isolation. This is done automatically and with minimal performance impact. @@ -21,7 +21,7 @@ Enhanced Container Isolation helps ensure a strong container-to-host isolation a >Note > -> Enhanced Container Isolation is in addition to other security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor +> Enhanced Container Isolation is in addition to other security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor. ### Who is it for? From 44297a2534ad829da03b69f47573654a06000128 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 15:26:36 +0100 Subject: [PATCH 15/33] more tweaks --- desktop/hardened-desktop/admin-controls/index.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index e6252ef56c4..a9293eff156 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -9,7 +9,7 @@ title: What is Admin Controls? Admin Controls is a feature that gives admins the ability to configure certain Docker Desktop settings for their organization. -With a few lines of JSON, admins can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration. This saves significant time and cost in securing developer workflows. If admins also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. +With a few lines of JSON, admins can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration, which reduces effort spent on securing developer workflows. If admins also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. ### Who is it for? 
@@ -21,9 +21,9 @@ With a few lines of JSON, admins can configure Docker Desktop settings for HTTP Administrators can configure several Docker Desktop settings using the `admin-settings.json` file. This file is located within the Docker Desktop host and can only be accessed by users with root or admin privileges. -As the `admin-settings.json` overrides the `settings.json` file, which contains the settings configured by regular Docker Desktop users and is located in a directory users can write to, admins can configure default values for several Docker Desktop settings and lock them in so regular users are prevented from modifying them. +Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by users and ensure that these cannot be modified. For more information, see [Configure Admin Controls](../admin-controls/configure-ac.md#step-two-configure-the-admin-controls-you-want-to-lock-in). -### What can be set? +### What features can I configure with Admin Controls? Using the `admin-settings.json` file, admins can: From b2295385ec8077005c236a5d7a6af9898226d910 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 5 Oct 2022 15:54:05 +0100 Subject: [PATCH 16/33] info from @ebriney --- .../hardened-desktop/admin-controls/configure-ac.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index cdf870ae7bb..920e33ad36b 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
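Review bot: the removed sentence was the only place that explained why `admin-settings.json` wins: `settings.json` lives in a directory users can write to, while `admin-settings.json` needs root or admin privileges. The replacement `Values that are set to locked: true within the admin-settings.json override any previous values set by users` states the effect without the reason; keep one sentence on the write-protection rationale, since it is the security property the whole feature rests on.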
@@ -55,15 +55,15 @@ The following `admin-settings.json` code and table provides an example of the re "value": false }, "proxy": { - "locked": false, - "mode": "system", + "locked": true, + "mode": "manual", "server": "myproxy.com", "port":3129, "exclude": ["foo.com", "bar.com"] }, "enhancedContainerIsolation": { - "locked": false, - "value": false + "locked": true, + "value": true }, "useWindowsContainers": { "locked": false, @@ -76,7 +76,7 @@ The following `admin-settings.json` code and table provides an example of the re }, "dockerDaemonOptions": { "locked": false, - "value":"" + "value":"{\"debug\": false}" }, "vpnkitCIDR": { "locked": false, @@ -86,7 +86,7 @@ The following `admin-settings.json` code and table provides an example of the re "windowsContainers": { "dockerDaemonOptions": { "locked": false, - "value":"" + "value":"{\"debug\": false}" } }, "disableUpdate": { From 627327308c308e64b4406cd85d41314e762782f7 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 6 Oct 2022 10:56:01 +0100 Subject: [PATCH 17/33] minor tweaks --- _data/toc.yaml | 4 ++-- desktop/hardened-desktop/admin-controls/index.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index ba652e5ff22..e098a4f856a 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1191,13 +1191,13 @@ manuals: section: - path: /desktop/hardened-desktop/ title: Overview - - sectiontitle: Admin controls (Early Access) + - sectiontitle: Admin controls section: - path: /desktop/hardened-desktop/admin-controls/ title: What is Admin Controls? - path: /desktop/hardened-desktop/admin-controls/configure-ac/ title: Configure Admin controls - - sectiontitle: Enhanced Container Isolation (Early Access) + - sectiontitle: Enhanced Container Isolation section: - path: /desktop/hardened-desktop/enhanced-container-isolation/ title: What is Enhanced Container Isolation? 
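Review bot: in the two `dockerDaemonOptions` hunks the value `"{\"debug\": false}"` is a JSON document encoded inside a string, not a nested object; nothing on the page says so, and an admin who writes `"value": {"debug": false}` produces a file this example does not match. Add a sentence that `value` must be the daemon configuration as an escaped JSON string. In the first hunk the example now ships with `proxy` and `enhancedContainerIsolation` both `locked: true`, the proxy pointing at `myproxy.com`; label these as placeholder values or readers will copy them verbatim.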
diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index a9293eff156..8afb271dd47 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -7,9 +7,9 @@ title: What is Admin Controls? > >Admin Controls is available to Docker Business customers only. -Admin Controls is a feature that gives admins the ability to configure certain Docker Desktop settings for their organization. +Admin Controls is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. -With a few lines of JSON, admins can configure Docker Desktop settings for HTTP proxies, network settings, and the Docker Engine configuration, which reduces effort spent on securing developer workflows. If admins also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md), it ensures that any configurations set with Admin Controls cannot be modified by containers. +With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) to ensure that any configurations set with Admin Controls cannot be modified by containers. ### Who is it for? From 9b56020adbce558a5c6029c0ded1da5ab062fc7c Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 6 Oct 2022 13:20:40 +0100 Subject: [PATCH 18/33] consistency fixes and tweaks --- _data/toc.yaml | 4 ++-- desktop/hardened-desktop/admin-controls/configure-ac.md | 6 ++---- desktop/hardened-desktop/admin-controls/index.md | 8 ++++---- .../enhanced-container-isolation/index.md | 8 +++----- desktop/hardened-desktop/index.md | 4 ++-- 5 files changed, 13 insertions(+), 17 deletions(-) 
diff --git a/_data/toc.yaml b/_data/toc.yaml index e098a4f856a..7f983f26db7 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1191,12 +1191,12 @@ manuals: section: - path: /desktop/hardened-desktop/ title: Overview - - sectiontitle: Admin controls + - sectiontitle: Admin Controls section: - path: /desktop/hardened-desktop/admin-controls/ title: What is Admin Controls? - path: /desktop/hardened-desktop/admin-controls/configure-ac/ - title: Configure Admin controls + title: Configure Admin Controls - sectiontitle: Enhanced Container Isolation section: - path: /desktop/hardened-desktop/enhanced-container-isolation/ diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 920e33ad36b..d8ae1d4fcea 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
@@ -122,10 +122,8 @@ The following `admin-settings.json` code and table provides an example of the re >Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. For settings to take effect: -- On a new install: developers need to launch Docker Desktop and authenticate to their organization -- On an existing install: developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. - -Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. +- On a new install, developers need to launch Docker Desktop and authenticate to their organization. +- On an existing install, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 8afb271dd47..617a5b81396 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -9,7 +9,7 @@ title: What is Admin Controls? Admin Controls is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. -With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) to ensure that any configurations set with Admin Controls cannot be modified by containers. +With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Admin Controls to enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) which ensures that any configurations set with Admin Controls cannot be modified by containers. ### Who is it for? @@ -17,7 +17,7 @@ With a few lines of JSON, admins can configure controls for Docker Desktop setti - For Organizations who want to create a standardized Docker Desktop environment at scale. - For security conscious Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. -## How does it work? +### How does it work? Administrators can configure several Docker Desktop settings using the `admin-settings.json` file. This file is located within the Docker Desktop host and can only be accessed by users with root or admin privileges. 
@@ -43,11 +43,11 @@ As an administrator, you first need to [configure a registry.json to enforce sig Next, you must [create and configure the admin-settings.json file](configure-ac.md). -Once this is done, Docker Desktop users receive the changed settings when they quit and then re-launch Docker Desktop, or launch Docker Desktop for the first time, and sign in to your organization. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Once this is done, Docker Desktop users receive the changed settings when they either quit, re-launch, and sign in to Docker Desktop, or launch and sign in to Docker Desktop for the first time. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. ### What do users see when the settings are enforced? -Docker Desktop users see a notification in the **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. +Docker Desktop users see a notification in **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings.json` file. In addition, if Enhanced Container Isolation is enforced, users can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 4773346520e..5b32c46b62e 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md 
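Review bot: context-line typo in the last paragraph of this hunk: `reconfigure proxy and networking of reconfigure Docker Engine` should read `or reconfigure Docker Engine`. While here, `Some settings are managed by your Admin` on this page and `Locked by your administrator` on the configure page are two different UI strings for the same condition; confirm both match what the product shows.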
+++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -11,7 +11,7 @@ title: What is Enhanced Container Isolation? Enhanced Container Isolation provides an additional layer of security that uses a variety of advanced techniques to harden container isolation without impacting developer productivity. These techniques include: -- Running all containers unprivileged (via the Linux user-namespace) +- Running all containers unprivileged through the Linux user-namespace - Restricting containers from modifying Docker Desktop VM settings - Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and `/sys` inside the container for further isolation. @@ -62,13 +62,11 @@ Next, you must [create and configure the `admin-settings.json` file](configure-a } ``` -Once this is done, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't sufficient as it only restarts some components of Docker Desktop. - -Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made so as not to disrupt your developers workflow. +Once this is done, developers need to either quit, re-launch, and sign in to Docker Desktop, or launch and sign in to Docker Desktop for the first time. ### What do users see when this setting is enforced? -When Enhanced Container Isolation is enabled, users see that containers run within a Linux User Namespace. For example: +When Enhanced Container Isolation is enabled, users see that containers run within a Linux user-namespace. For example: ``` $ docker run -it --rm alpine diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 6db16522aba..d89419fe5f0 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
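Review bot: the second hunk drops `Selecting **Restart** from the Whale menu isn't sufficient as it only restarts some components of Docker Desktop` from the Enhanced Container Isolation page. That caveat is the one thing a developer needs in order to actually pick up a locked ECI setting; without it, a Restart that leaves ECI off looks like the control is broken. Keep it here as the admin-controls page in the same series does.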
@@ -9,13 +9,13 @@ keywords: security, hardened desktop, enhanced container isolation, registry acc Hardened Desktop is a new security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture for containerised development, without impacting the developer experience that Docker Desktop offers. -This configuration is designed for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within their organization’s centralized control. +It is for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within their organization’s centralized control. The Hardened Desktop security model moves the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user of Docker Desktop. Hardened Desktop includes: - Admin Controls, which helps admins to confidently manage and control the usage of Docker Desktop within their organization. -- Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that configurations set using Admin Controls cannot be modified by containers. +- Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that any configurations set using Admin Controls, cannot be modified by containers. - Registry Access Management, which allows admins to control the registries developers can access. Docker plans to continue adding more security enhancements to the Hardened Desktop security model. From 0b9f180bb7804e84b469ea87e9b11b3c8a1bc0f2 Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 7 Oct 2022 12:43:24 +0100 Subject: [PATCH 19/33] remove trailing comma and add more WSL notes --- desktop/hardened-desktop/admin-controls/configure-ac.md | 4 ++-- desktop/hardened-desktop/admin-controls/index.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index d8ae1d4fcea..0bb61023d3b 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -96,7 +96,7 @@ The following `admin-settings.json` code and table provides an example of the re "analyticsEnabled": { "locked": false, "value": true - }, + } } ``` 
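Review bot: good catch on the trailing comma after the `analyticsEnabled` block, which made the sample invalid JSON. Since admins will make the same mistake, the page should say what Docker Desktop does when `admin-settings.json` fails to parse (ignored with a log entry, or refuses to start) and suggest validating the file before deploying it; a silently ignored file means no settings are locked at all.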
@@ -105,7 +105,7 @@ The following `admin-settings.json` code and table provides an example of the re | `configurationFileVersion` | Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | It is used for `http` and `https`. If the port is custom, specify it in the property. | -| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). | +| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | |`useWindowsContainers` | Windows only If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| | `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. 
| |        `wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](faq.md) for more information.| diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 617a5b81396..76e5f76abd0 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -27,7 +27,7 @@ Values that are set to `locked: true` within the `admin-settings.json` override Using the `admin-settings.json` file, admins can: -- Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) +- Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md)(currently incompatible with WSL) - Configure HTTP Proxies - Configure network settings - Enforce the use of WSL2 based engine or Hyper-V From dcb6bbdda75f34415d42f08f82b1a08cda1200d8 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 7 Oct 2022 14:49:31 +0100 Subject: [PATCH 20/33] customer zero feedback --- .../hardened-desktop/admin-controls/configure-ac.md | 13 ++++++++++--- desktop/hardened-desktop/admin-controls/index.md | 2 +- .../enhanced-container-isolation/index.md | 9 +++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 0bb61023d3b..da3a2681213 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
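Review bot: `enhancedContainerIsolation` is now documented as `incompatible with WSL` and `wslEngineEnabled` as `incompatible with Enhanced Container Isolation`, but neither row says what happens when both are set to true, or when `wslEngineEnabled` is left unset on a Windows machine already using the WSL 2 backend: which setting wins, and is the conflict reported to the admin or the user? Document the precedence, since an admin who locks ECI on a WSL 2 fleet needs to know whether they get ECI, WSL 2, or neither.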
@@ -8,13 +8,13 @@ title: Configure Admin Controls > >Admin Controls is available to Docker Business customers only. -This page contains information about how admins can configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information for admin on how to configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. ## Prerequisite -You need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). For this configuration to take effect, Docker Desktop users must authenticate to your organization. +As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). For this configuration to take effect, Docker Desktop users must authenticate to your organization. ## Step one: Place the `admin-settings.json` file in the correct location 
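Review bot: grammar in the added line: `information for admin on how to configure` should be `for admins`. The sentence also chains four purposes (`configure ... to specify and lock ... to create a standardized ... environment`); split it so the first clause says what the page covers and the second why.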
@@ -123,7 +123,14 @@ The following `admin-settings.json` code and table provides an example of the re For settings to take effect: - On a new install, developers need to launch Docker Desktop and authenticate to their organization. -- On an existing install, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. +- On an existing install, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. + >Important + > + >Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. + {: .important} + +Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. + In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 76e5f76abd0..9f505c05f2b 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -27,7 +27,7 @@ Values that are set to `locked: true` within the `admin-settings.json` override Using the `admin-settings.json` file, admins can: -- Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md)(currently incompatible with WSL) +- Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) (currently incompatible with WSL) - Configure HTTP Proxies - Configure network settings - Enforce the use of WSL2 based engine or Hyper-V 
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 5b32c46b62e..374bb98c0f0 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -51,7 +51,7 @@ For more information on how Enhanced Container Isolation work, see [How does it As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. -Next, you must [create and configure the `admin-settings.json` file](configure-ac.md) and specify: +Next, you must [create and configure the `admin-settings.json` file](../admin-controls/configure-ac.md) and specify: ```JSON { @@ -64,6 +64,11 @@ Next, you must [create and configure the `admin-settings.json` file](configure-a Once this is done, developers need to either quit, re-launch, and sign in to Docker Desktop, or launch and sign in to Docker Desktop for the first time. +>Important + > + >Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. + {: .important} + ### What do users see when this setting is enforced? When Enhanced Container Isolation is enabled, users see that containers run within a Linux user-namespace. For example: @@ -84,4 +89,4 @@ $ docker run -it --rm alpine 0 0 4294967295 ``` -This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0), reducing container isolation. +This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0) which reduces container isolation. From 1cd35500e7401d8bc97017fdcc4f02da64edd509 Mon Sep 17 00:00:00 2001 
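Review bot: in the @@ -64 hunk of enhanced-container-isolation/index.md the added callout is indented inconsistently: `+>Important` sits at column 0 while ` >`, ` >Selecting **Restart** ...` and ` {: .important}` are indented one space. Align all four lines so the blockquote is parsed as one block and the `{: .important}` attribute applies to it. In the @@ -84 hunk, the rewritten last line needs a comma before the non-restrictive clause: "...the root user in the Docker Desktop VM (0), which reduces container isolation."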
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 11 Oct 2022 12:05:24 +0100 Subject: [PATCH 21/33] review suggestions from Rodny and Cesar, and proxy section fix --- .../admin-controls/configure-ac.md | 12 +++++----- .../hardened-desktop/admin-controls/index.md | 8 +++++-- .../enhanced-container-isolation/index.md | 22 ++++++++++--------- desktop/hardened-desktop/index.md | 6 ++--- 4 files changed, 27 insertions(+), 21 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index da3a2681213..a8ddc1b262d 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -14,7 +14,7 @@ Admin Controls is designed specifically for organizations who don’t give devel ## Prerequisite -As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). For this configuration to take effect, Docker Desktop users must authenticate to your organization. +As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. ## Step one: Place the `admin-settings.json` file in the correct location @@ -57,8 +57,8 @@ The following `admin-settings.json` code and table provides an example of the re "proxy": { "locked": true, "mode": "manual", - "server": "myproxy.com", - "port":3129, + "http": "http://myproxy.com:1234", + "https": "http://myotherproxy.com:4321", "exclude": ["foo.com", "bar.com"] }, "enhancedContainerIsolation": { 
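Review bot: the new proxy example in configure-ac.md (`+"http": "http://myproxy.com:1234"`, `+"https": "http://myotherproxy.com:4321"`, with `"exclude": ["foo.com", "bar.com"]` as context) uses hostnames that are real, registrable domains; documentation examples should use the reserved names from RFC 2606 (`example.com`, `example.net`) so copy-pasted configs never send traffic to a third party. Also, the `https` entry deliberately starts with `http://` (the scheme is that of the proxy endpoint, not of the traffic it carries), which readers will report as a typo unless the accompanying table row says so.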
@@ -104,12 +104,12 @@ The following `admin-settings.json` code and table provides an example of the re | :------------------------------- | :------------------------------- | | `configurationFileVersion` | Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `proxy` | It is used for `http` and `https`. If the port is custom, specify it in the property. | +| `proxy` | Used to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`.| | `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | |`useWindowsContainers` | Windows only If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. 
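Review bot: typo in the rewritten `proxy` table row: "ignores and values set for `http`, `https` and `exclude`" should read "ignores any values set". The same row calls `exclude` "a comma-separated list of hosts and domains", but the example above it shows a JSON array (`["foo.com", "bar.com"]`); describe it as an array of hostnames to match the syntax the admin actually has to write.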
This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| | `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. | -|        `wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](faq.md) for more information.| -|       `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). | +|        `wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| +|       `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |       `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | |        `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | 
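Review bot: the rewritten `dockerDaemonOptions` row under `linuxVM` still opens with "If `value` is set to true, it overrides the options in the Docker Engine config file", but a boolean cannot carry daemon options; the row should say what `value` is expected to contain (the daemon configuration itself, as the `windowsContainers` row below implies). The new sentence "a few of the config attributes may be overridden when Enhanced Container Isolation is enabled" is too vague for an admin locking down a fleet: name the attributes that are overridden or link to the ECI page that lists them.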
diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 9f505c05f2b..533e9897a7a 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -39,11 +39,15 @@ For more details on the syntax and options admins can set, see [Configure Admin ### How do I set up and enforce Admin Controls? -As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the admin-settings.json file](configure-ac.md). -Once this is done, Docker Desktop users receive the changed settings when they either quit, re-launch, and sign in to Docker Desktop, or launch and sign in to Docker Desktop for the first time. Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Once this is done, Docker Desktop users receive the changed settings when they either: +- Quit, re-launch, and sign in to Docker Desktop +- Launch and sign in to Docker Desktop for the first time + +Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. ### What do users see when the settings are enforced? 
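Review bot: the sentence kept after the new bullet list in admin-controls/index.md (`+Docker doesn't automatically mandate that developers re-launch and re-authenticate ... so as not to disrupt your developers workflow.`) needs the possessive: "developers' workflow". Splitting the two paths into bullets is an improvement; consider a blank line between "either:" and the first `-` so the list renders consistently across kramdown settings.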
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 374bb98c0f0..9615e13ef64 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
@@ -11,24 +11,25 @@ title: What is Enhanced Container Isolation? Enhanced Container Isolation provides an additional layer of security that uses a variety of advanced techniques to harden container isolation without impacting developer productivity. These techniques include: -- Running all containers unprivileged through the Linux user-namespace -- Restricting containers from modifying Docker Desktop VM settings +- Running all containers unprivileged through the Linux user-namespace. +- Restricting containers from modifying Docker Desktop VM settings. - Vetting some critical system calls to prevent container escapes, and partially virtualizing portions of `/proc` and `/sys` inside the container for further isolation. +- Preventing console access to the Docker Desktop VM. -This is done automatically and with minimal performance impact. +This is done automatically and with minimal functional or performance impact. -Enhanced Container Isolation helps ensure a strong container-to-host isolation and locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). +Enhanced Container Isolation helps ensure strong container isolation and also locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). >Note > -> Enhanced Container Isolation is in addition to other security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor. +> Enhanced Container Isolation is in addition to other container security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor. ### Who is it for? - For organizations that want to prevent container attacks and reduce vulnerabilities. 
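Review bot: the rewritten Note in enhanced-container-isolation/index.md (`+> Enhanced Container Isolation is in addition to other container security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor.`) leaves the second sentence as a fragment; suggest "..., such as reduced Linux capabilities, seccomp and AppArmor profiles." The new bullet "Preventing console access to the Docker Desktop VM." is a meaningful addition and the wording "Docker Desktop VM" should be used consistently in the later list in this file.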
- For organizations that want to ensure stronger container isolation that is easy and intuitive to implement on developers' machines. -### What happens when Enhanced Container Isolation is switched on? +### What happens when Enhanced Container Isolation is enabled? When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), the following features are enabled: @@ -37,7 +38,8 @@ When Enhanced Container Isolation is enabled using [Admin Controls](../admin-con - Users can continue using containers as usual, including bind-mounting host directories, volumes, networking configurations, etc. - Privileged containers work, but they are only privileged within the container's Linux User Namespace, not in the Docker Desktop VM. - Containers can no longer share namespaces with the Docker Desktop VM. For example, `--network=host`, `--pid=host`. -- Containers can no longer modify configuration files in the Docker Desktop VM. +- Containers can no longer modify configuration files in the Docker Desktop VM +- Console access to the Desktop VM is forbidden for all users - Containers become harder to breach. For example, sensitive system calls are vetted and portions of `/proc` and `/sys` are emulated. For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). 
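Review bot: two consistency issues in the @@ -37 hunk: `+- Containers can no longer modify configuration files in the Docker Desktop VM` drops the trailing period that every other bullet in the list has, and `+- Console access to the Desktop VM is forbidden for all users` says "Desktop VM" where the bullet added earlier in this same file says "Docker Desktop VM". Use "Docker Desktop VM" and end both lines with a period.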
@@ -47,9 +49,9 @@ For more information on how Enhanced Container Isolation work, see [How does it >Enhanced Container Isolation is currently incompatible with WSL and does not protect Kubernetes pods. For more information on known limitations and workarounds, see [FAQS and known issues](faq.md). {: .important} -### How do I switch on Enhanced Container Isolation? +### How do I enable Enhanced Container Isolation? -As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the `admin-settings.json` file](../admin-controls/configure-ac.md) and specify: @@ -89,4 +91,4 @@ $ docker run -it --rm alpine 0 0 4294967295 ``` -This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0) which reduces container isolation. +This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0) which reduces container isolation. If a process were to escape the container, it would find itself without privileges at the VM level. For further details, see [How Enhanced Container Isolation works](how-eci-works.md). diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index d89419fe5f0..17f10e0239a 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md @@ -28,7 +28,7 @@ Docker plans to continue adding more security enhancements to the Hardened Deskt
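Review bot: logic problem in the @@ -89 hunk of enhanced-container-isolation/index.md. The added sentence "If a process were to escape the container, it would find itself without privileges at the VM level." is appended to the paragraph that explains the `0 0 4294967295` uid map, i.e. the case where "the root user in the container (0) is in fact the root user in the Docker Desktop VM (0)". In that configuration an escaping process would be root in the VM, so the sentence contradicts what precedes it. It belongs with the user-namespaced (Enhanced Container Isolation enabled) example, or should be qualified: "With Enhanced Container Isolation enabled, a process that escaped the container would find itself without privileges at the VM level."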
    Hardened Desktop
    -

    Admin Controls

    +

    Admin Controls

    Learn how Admin Controls can secure your developers' workflows.

    @@ -37,7 +37,7 @@ Docker plans to continue adding more security enhancements to the Hardened Deskt
    Release notes
    -

    Enhanced Container Isolation

    +

    Enhanced Container Isolation

    Understand how Enhanced Container Isolation can prevent container attacks.

    @@ -46,7 +46,7 @@ Docker plans to continue adding more security enhancements to the Hardened Deskt
    Hardened Desktop
    -

    Registry Access Management

    +

    Registry Access Management

    Control the registries developers can access while using Docker Desktop.

    From d0cbc6e26f1d81fe9e4d89a91bac764e85f9f4f6 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 12 Oct 2022 14:19:09 +0100 Subject: [PATCH 22/33] review edits from Rodny and Docs team --- _data/toc.yaml | 2 +- .../admin-controls/configure-ac.md | 16 ++++++++-------- .../hardened-desktop/admin-controls/index.md | 12 ++++++------ .../enhanced-container-isolation/faq.md | 4 ++-- .../how-eci-works.md | 4 ++-- .../enhanced-container-isolation/index.md | 18 +++++++++--------- desktop/hardened-desktop/index.md | 2 +- .../registry-access-management.md | 6 +++--- desktop/images/admin-settings.PNG | Bin 61008 -> 0 bytes 9 files changed, 32 insertions(+), 32 deletions(-) delete mode 100644 desktop/images/admin-settings.PNG diff --git a/_data/toc.yaml b/_data/toc.yaml index 7f983f26db7..e4c416ddc1f 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1204,7 +1204,7 @@ manuals: - path: /desktop/hardened-desktop/enhanced-container-isolation/how-eci-works/ title: How does it work? - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ - title: FAQ and known issues + title: FAQs and known issues - path: /desktop/hardened-desktop/registry-access-management/ title: Registry Access Management - sectiontitle: Dev Environments (Beta) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index a8ddc1b262d..5dfee937d92 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -4,7 +4,7 @@ keywords: admin, controls, rootless, enhanced container isolation title: Configure Admin Controls --- ->Note +>**Note** > >Admin Controls is available to Docker Business customers only. 
@@ -26,13 +26,13 @@ Place the `admin-settings.json` file on your developers' machines in the followi By placing this file in the above protected directories, end users are unable to modify it. ->Note +>**Note** > > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). ## Step two: Configure the admin controls you want to lock in ->Note +>**Note** > >Some of the configuration parameters only apply to Windows. This is highlighted in the table below. 
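Review bot: the Jamf link in the context lines of this configure-ac.md hunk carries Google Ads tracking parameters (`?attr=google_ads-brand-search-shared&gclid=...`). Since the surrounding Note is being edited anyway, strip the query string and link to the canonical Jamf page; tracking parameters in documentation leak referrer data from every reader and rot quickly.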
@@ -117,19 +117,19 @@ The following `admin-settings.json` code and table provides an example of the re |`analyticsEnabled`|If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | ## Step three: Re-launch Docker Desktop ->Note +>**Note** > >Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. For settings to take effect: - On a new install, developers need to launch Docker Desktop and authenticate to their organization. -- On an existing install, developers need to quit Docker Desktop through the Whale menu, and then relaunch Docker Desktop and sign in to receive the changed settings. - >Important +- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop and sign in to receive the changed settings. + >**Important** > - >Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. + >Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. {: .important} -Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers workflow. +Docker doesn't automatically mandate that developers re-launch and sign in once a change has been made so as not to disrupt your developers' workflow. In Docker Desktop, developers see the relevant settings grayed out and the message **Locked by your administrator**. diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index 533e9897a7a..dc8673486e3 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md 
@@ -3,7 +3,7 @@ description: admin controls for desktop keywords: admin controls, rootless, docker desktop, hardened desktop title: What is Admin Controls? --- ->Note +>**Note** > >Admin Controls is available to Docker Business customers only. @@ -15,11 +15,11 @@ With a few lines of JSON, admins can configure controls for Docker Desktop setti - For Organizations who wish to configure Docker Desktop to be within their organization's centralized control. - For Organizations who want to create a standardized Docker Desktop environment at scale. -- For security conscious Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. +- For Docker Business customers who want to confidently manage their use of Docker Desktop within tightly regulated environments. ### How does it work? -Administrators can configure several Docker Desktop settings using the `admin-settings.json` file. This file is located within the Docker Desktop host and can only be accessed by users with root or admin privileges. +Administrators can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by users with root or admin privileges. Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by users and ensure that these cannot be modified. For more information, see [Configure Admin Controls](../admin-controls/configure-ac.md#step-two-configure-the-admin-controls-you-want-to-lock-in). 
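Review bot: precision issue in the rewritten "How does it work?" paragraph of admin-controls/index.md (`+Administrators can configure several Docker Desktop settings using an admin-settings.json file. This file is located on the Docker Desktop host and can only be accessed by users with root or admin privileges.`). Elsewhere in this series the guarantee is stated as "end users are unable to modify it"; the protected directories prevent modification, not reading. Say "can only be modified by users with root or admin privileges" so the security claim matches what the file permissions actually enforce.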
@@ -28,7 +28,7 @@ Values that are set to `locked: true` within the `admin-settings.json` override Using the `admin-settings.json` file, admins can: - Enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) (currently incompatible with WSL) -- Configure HTTP Proxies +- Configure HTTP proxies - Configure network settings - Enforce the use of WSL2 based engine or Hyper-V - Configure Docker Engine @@ -39,7 +39,7 @@ For more details on the syntax and options admins can set, see [Configure Admin ### How do I set up and enforce Admin Controls? -As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Admin Controls feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the admin-settings.json file](configure-ac.md). @@ -47,7 +47,7 @@ Once this is done, Docker Desktop users receive the changed settings when they e - Quit, re-launch, and sign in to Docker Desktop - Launch and sign in to Docker Desktop for the first time -Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers workflow. +Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers' workflow. ### What do users see when the settings are enforced? 
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index b69e3d2673b..3de99e0c751 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md @@ -14,7 +14,7 @@ toc_max: 2 ### With Enhanced Container Isolation enabled, can the user still override the `--runtime` flag from the CLI ? -No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard `runc` runtime, for example `docker run --runtime=runc`, container creation fails. +No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard `runc` runtime, for example `docker run --runtime=runc`, this request is ignored and the container is created through the Sysbox runtime. The reason `runc` is disallowed with Enhanced Container Isolation is because it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to modify the administrative configurations for Docker Desktop, for example. @@ -32,7 +32,7 @@ This makes running a privileged container with Enhanced Container Isolation much Privileged containers are typically used to run advanced workloads in containers, for example Docker-in-Docker, to perform kernel operations such as loading modules, or to access hardware devices. We aim to allow running advanced workloads, but deny the ability to perform kernel operations or access hardware devices. -Allowing the `-–privileged` flag but restricting its impact within the container's user-namespace, it’s possible to do this. +By allowing the `-–privileged` flag but restricting its impact within the container's user-namespace, it’s possible to do this.
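Review bot: the @@ -14 hunk of faq.md changes the behaviour described for `docker run --runtime=runc` from "container creation fails" to "this request is ignored and the container is created through the Sysbox runtime". From a defender's point of view the important detail is whether this is silent: if the user gets no warning, a developer (or a script) may believe it is running under `runc` when it is not. State explicitly whether Docker Desktop emits a warning or logs the override, so admins know what evidence to expect.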
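Review bot: in the @@ -32 hunk of faq.md the flag is spelled with an en dash in both the removed and the added line (`-–privileged`); it must be two ASCII hyphens, `--privileged`, otherwise copying the flag from the docs produces an unrecognised option. The added "By" at the start of the sentence is the right fix for the grammar.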
    diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 71459a0af20..dc9c1523c00 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
@@ -10,9 +10,9 @@ keywords: set up, enhanced container isolation, rootless, security Enhanced Container Isolation takes advantage of the recent integration of Sysbox, the secure container runtime created by [Nestybox](https://www.nestybox.com/). -Sysbox is an alternative runc used to create a container using the Linux kernel’s namespaces, cgroups, and other features. +Sysbox is an alternative `runc` used to create a container using the Linux kernel’s namespaces, cgroups, and other features. -Unlike the standard runc runtime, Sysbox enhances container isolation by using techniques such as enabling the Linux user-namespace on all containers, emulating portions of the proc filesystem and sysfs inside the container and vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. +Unlike the standard `runc` runtime, Sysbox enhances container isolation by using techniques such as enabling the Linux user-namespace on all containers, emulating portions of the `proc` filesystem and `sysfs` inside the container and vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. Without Enhanced Container Isolation, Docker Desktop has Docker Engine run as root with full capabilities inside a container that shares almost all namespaces with the Linux VM’s root user. Whilst this provides strong isolation between containers and the underlying host machine, it gives the container access to all the VM’s kernel resources and does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. This brings Docker Desktop users closer to gaining privileged access to the underlying host. 
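Review bot: wording in the how-eci-works.md hunk: `+Sysbox is an alternative runc used to create a container...` is confusing because the very next sentence contrasts Sysbox with "the standard runc runtime". `runc` is one specific OCI runtime, not a category; suggest "Sysbox is an alternative OCI container runtime to `runc`, used to create containers using the Linux kernel's namespaces, cgroups, and other features." The backticks around `proc` and `sysfs` are fine, though "procfs" would match "sysfs".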
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 9615e13ef64..b858e1ed64a 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -4,7 +4,7 @@ keywords: containers, rootless, security, sysbox, runtime title: What is Enhanced Container Isolation? --- ->Note +>**Note** > >Enhanced Container Isolation is available to Docker Business customers only. @@ -20,7 +20,7 @@ This is done automatically and with minimal functional or performance impact. Enhanced Container Isolation helps ensure strong container isolation and also locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). ->Note +>**Note** > > Enhanced Container Isolation is in addition to other container security techniques used by Docker. For example, reduced Linux Capabilities, Seccomp, AppArmor. 
@@ -38,20 +38,20 @@ When Enhanced Container Isolation is enabled using [Admin Controls](../admin-con - Users can continue using containers as usual, including bind-mounting host directories, volumes, networking configurations, etc. - Privileged containers work, but they are only privileged within the container's Linux User Namespace, not in the Docker Desktop VM. - Containers can no longer share namespaces with the Docker Desktop VM. For example, `--network=host`, `--pid=host`. -- Containers can no longer modify configuration files in the Docker Desktop VM -- Console access to the Desktop VM is forbidden for all users +- Containers can no longer modify configuration files in the Docker Desktop VM. +- Console access to the Desktop VM is forbidden for all users. - Containers become harder to breach. For example, sensitive system calls are vetted and portions of `/proc` and `/sys` are emulated. -For more information on how Enhanced Container Isolation work, see [How does it work?](how-eci-works.md). +For more information on how Enhanced Container Isolation work, see [How does it work](how-eci-works.md). ->Important +>**Important** > ->Enhanced Container Isolation is currently incompatible with WSL and does not protect Kubernetes pods. For more information on known limitations and workarounds, see [FAQS and known issues](faq.md). +>Enhanced Container Isolation is currently incompatible with WSL and does not protect Kubernetes pods. For more information on known limitations and workarounds, see [FAQs and known issues](faq.md). {: .important} ### How do I enable Enhanced Container Isolation? -As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. 
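Review bot: the rewritten link sentence in enhanced-container-isolation/index.md (`+For more information on how Enhanced Container Isolation work, see [How does it work](how-eci-works.md).`) still has the verb agreement error ("works") and drops the question mark from the link text, while the toc.yaml hunk in this same patch keeps the page title as "How does it work?". Keep the title and link text identical.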
+As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the `admin-settings.json` file](../admin-controls/configure-ac.md) and specify: @@ -68,7 +68,7 @@ Once this is done, developers need to either quit, re-launch, and sign in to Doc >Important > - >Selecting **Restart** from the Whale menu isn't enough as it only restarts some components of Docker Desktop. + >Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. {: .important} ### What do users see when this setting is enforced? diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 17f10e0239a..3bd9ac6da27 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md @@ -7,7 +7,7 @@ keywords: security, hardened desktop, enhanced container isolation, registry acc > >Hardened Desktop is available to Docker Business customers only. -Hardened Desktop is a new security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture for containerised development, without impacting the developer experience that Docker Desktop offers. +Hardened Desktop is a security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture for containerized development, without impacting the developer experience that Docker Desktop offers. It is for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within their organization’s centralized control. 
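Review bot: in the @@ -68 hunk of enhanced-container-isolation/index.md the context line ` >Important` is left unbolded (and indented one space) although this patch converts every other callout label to `>**Note**` / `>**Important**`; update it in the same commit so the callouts render uniformly.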
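Review bot: in the hardened-desktop/index.md hunk the rewritten sentence (`+Hardened Desktop is a security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture...`) fixes "containerised" but still needs the possessive: "their organization's security posture".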
diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 43f9d21ce55..11705135b78 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md @@ -13,9 +13,9 @@ redirect_from: With Registry Access Management, administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. Below are some example registries administrators can allow: - - AWS ECR + - Amazon ECR - GitHub Container Registry - - Google Container Registry Quay + - Google Container Registry Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Admin Controls. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). @@ -59,4 +59,4 @@ There are certain limitations when using Registry Access Management: - WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) - Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) -Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop. +Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Docker Desktop does not support blocking these forms of manipulation. 
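Review bot: the `@@ -13,9` hunk drops Quay from the example-registry list instead of splitting the run-together item `- Google Container Registry Quay` into two bullets; if Quay was meant as an example, add `- Quay` as its own list item rather than deleting it. The "AWS ECR" to "Amazon ECR" rename is fine.

Review bot: in the `@@ -59,4` hunk, `sts` file appears in both the removed and the added line and reads like a truncated file name; since the sentence is about host-name resolution, confirm the intended name before merging. The rewording from "outside the remit of Docker Desktop" to "Docker Desktop does not support blocking these forms of manipulation" also turns a scope statement into a capability statement; pick whichever is intended, because this sentence is what tells admins that Registry Access Management is a host-level control that a developer with local privileges can route around, which matters for how they position it.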
diff --git a/desktop/images/admin-settings.PNG b/desktop/images/admin-settings.PNG deleted file mode 100644 index e9ef62b340ba9be2992a7264b37175d8492a1b98..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 61008
z(3IL^R#sL;iG!1qRYRkJzNv5`QvkO|?vp;pHasxbFw8$(${yFCv4226cRJ!^f}Q8Z*hT_-Z4@fxx|2z<|4-s3$$AzFrH&7?+b( z?JpJ_p8Hc6985m?d@Xc}?w_tz(p_Tmh{~Oqz!W13@>En3Q})Mqqsrp`hMn_=RG(l^ zx~4>4!9U@OKBOvp@W1(5PaihF=Sb|Yg~G`$elBoKNZ?e1Pz>9(T-;<-MXnVC%uuE_5Ok(#o)v-XA$B*YO8 z_niPsUJYYHDb$Bwehh1X45xA{NdOgsM~4>1`o&0>nPJT~F8=sQaO{Sfe(KH+MD59KjaZKXpLz=Q;3ji3vr)3g3N=K z`4)5M6G_jyU1n`T^FmsTmoktC$*3#G(o;`lDs2f|V=clf&RCusU0pHU+T)qNHdXn? z&w1*2UVoF4R_dp(k;|ddNrowFc2z4Sa*bo{p8ft1Y05hgAD=H}bjty&v4*dm3vfV}w#^xO8 ztn{-@vyQQ$V^ZfUrZXfbCogYp*^r2#E+pFmNsZ9#OkW6)78|}j7?7$hHoY^ z>wfEgD+U{Q53*EBbn6s>gu}J{8C`v$Hmj{OE9?aC;98#B(Tg6gZ);+T)tyaO3o5roGH3%J?-z z&`L33j_-ZCn^3G--Um>nuXL|9ps2e`g?N^qpd#-AzCp^O$Uh~Qe?N$xkC zhOKnKfazryUH?zlON=3X$3@Iak4v;zs5huRfA8|W*oruf)1Q9T8bHNX?%Y)3jSRfu zNj=}?Aj#S|P@FgSY+e4O_JS#%o{B!v5%tK6gGZj{#S2Mb@1IvyrRwGFZGL{R;->pZ zjDxD*X0j~dufZ4UX>zF{7+hkbd6@)bpfLFLJ3_v5LhDF2sILf4|$B>u~;aa1E; zXsC*%BYoBuT_OX2KxVH`l=4;rR4+cGL3=&(#!e4{o&Jvd$DvL7F$cFDVx(KHM9alm*^%M=XSlj4ThV@1&%pYU{S9S65dAhpyt{pB_6I8ZOr3DTg7amO~(mVKpzy zNyjdNjpdlt!mvb2XI#wwXl+-M_cE2Uo6W3Qlpxt(7dK2sPq1>N^1q*Z4lUL)ceC%- z@Wq;5aNLk$s1Bc?{AEgi?rhdkoGHCnh*N#lF*q+K>)Ps{Cg`}@(rw~G+bZcaS3Y>#isx|n4`j!($i ze9Rn46G)HXb>(wI0+nlf6MF3WFJY7MV2=yh8p zeC~Zj9}+_+G{1{GutV(k{8H#lPlwV=`{&bd>-8X44cjrD*}+HCf<=$(wWhLIUE*6? 
zuWQx7Vc4k($LpY!jg`yH=u*qJ$;=f_ap$e`w(-fGsLX`iG{5uyFEwu$_Y&FtZJJxV zEcr>H_It#pxCwmvkv*(dkCXRwQ)tB7^2pK3SN56nyKo*SFC*rTz}@QRx?+>Gd= zm3vshnWGPUa20y!XvvP-3o<|7p*;JesZ+PTw34@G*K~$P*st$!9ak;ns5sGfwIp0S z(J|Yt2vatAO)n_1<#!5#ZU|kt5o=w|r^%Q}HVS(a&Wqy*=&DS2iSUN(7PC()PFws( zk*k+V8(S%*r*iTa@(~@xcg^CqaGp`}xNF&~!rB+y{aI#VtaqYM+D*21HwrN+-Sy8y z1=&?6in$hTe4w6k>=U@wzx>?=U6see`gd004!XepkOs9Uv0DyFD=J2U%k*bwiTU!e zTmMU}NpowhMsw8mx6A<31qygpooeaE#zqd+C(y{KC`$Y_CREWT(86I8%J#TfQo#04 zuJj;9Dpae!c5OaWrYl8&p`C}T&Np?t>7qZNq>LWk(+bbEEEE^LUzdLCtv^6Sl$7g; zYud@QaPq+btuoklZ*@G=%ED6^CUg~HQK(CKQA;%{6!Uotdy4sOm3eO@hMK)y*HmJR zEPcwZucD0~asfRGtNku?;R^0v)5>e3-0=ajSAQnvYhR^1DcAjUEn@Agp;hP?JA#}) z_&I{TJzGd`d{*cO?)7^_|L3~-IUwgpZTDbE84XmYl7Ovh!7WJo)90s|qI_XV#>|Uy zjaJ&I0Y7Q}d4d0m5KZH`u!{2Xa$puIqpTdmq~EA!1G5CaNwh=SpiGSl>iO%!EHrgC zlaEh2zX-=_y9xfQptz9)RfRdu@#9qVtcymD`aS7>4)6ZP z*#)6)x(zh!1K?O|F$T(ILqx1kHBR&xHcbrta8 zai!S6I5Ri-!e-^;qO?LkeQKZJTYOY~QGX9%08=1h(JP=MEa0vsrL=hkzy6wL(w%zy zydQ_Z(6v#EBT2K#$!LxMF=*Mw{r(B&sm9!8v+bK(cQ+E#0aKP9GDR4U@6j9W>ZR`l zEPKCpv2}-hH2GU>`NXGQ>p*Mu@4t(!Gs~OcF~wW_Q$aQN4U%(sKbI^VO_|gYza&R=J_PH#q?vdnd zL@y?O#?&IzxY~q&B;lvWZvTl;7RlyrJ}Z{qaH4Lg;~FxYpRUxz46kwJqs|^Fxg(&dbuLdRFm&$wdK_k#Jg7dWBJX| zb*mS+%7VT+piyE*NXpsC+W9xtzN@vN0pI-@(8G9pdKNy(;mFRAS(8K><((nuCng#ydDIQ9ztsh|oBU{h2qq~vD8Y8q_& zM*4@^hVVn6 zepq^1S_S1)Be<&|Kx3o)bGIChsW7zl(WXzumoh}CvztI*06m<{@G_Dr(Ls8z_cU*< zlQ4O3#`Cw`f;a!BiJ!XzZ$4gNZVohZBJnYX$HOZ{{ek6@K>`Rw~M zDU|r`rhb+S~JBW zS()MEWgvu`+{>cJ^+N;w!wVjooJi9z`77;7)#IP-;3Q+=8J%)&{Iq`U*PIh~{JWFx z@Yl_1e+u?DJyY=n#4g_Ve?G`3k1b-(C|A-{u3Q|Pt_Uv~^rms>Q(tM>$Umg&23iYw`7}_tTsWCTQ1$UkVrkJo zXB#h3h0UDID>$|&l;YWx2u|Mp->H#0kxx;J1C028{{I25nN!JGFs%HN8r36_{GWs> zUcqxZx`p1V9Q2#Xw(I#uFlXiy#G@Jvr2B0^{eGufa*I=oN~K9@r`Z5Gq-p%Vd|3Rz z0bi(Msxj}4`TqV%3<;qe9ld*E>&XE!?u_I-*0%Ws>j_t6gN%;MXR~;gvGh9_ng036 z{gb#qxwgsiyqe8{_NLt;-0qL$d*XYVH}3*Cy!2mBOx#Xy0^7-8XJ^kVER+Gk1TM3d z#XNuZ_E-}V62>MbUI5`~B6R432|r(~lSMClvX#br@w%ZETS+=$e(y?+FSF68$6-QP zZ@Ngq=?t;R7%X^G`nZzUEk9X9qqGTGT7T-;OxeR-Uw{(-Dt#?){g1bb%erqULrE2^=I7wJR4lOr 
zbf}5%gTGpsIn#fYMFS*1H&@!yG9T4KTfKYtHmfS^vrA%pe9ugcOIOtmAv_e%=cML{EN%-Ygw<17U~MsDvaeh7^~dE&D~fXJ(ggh^OmrGry%Gb zYTLGtX65^b4s{amT$*hKPJO3AwQzj=H@>iP>35WQcdAf4{by%&n0wpxu+t9@^Z?@+ zv7t8AGX=#&5}VA#ZLEA+wmO}w9M!Ilmm_R$JacmboO1l;(=7CYPWo%#!@wdbs`nX6 zj5s)Ova+>}2PrM@;2yN78fkJ0_%$cI3q$tEn?bo`23TS`C~xhxpeNv~j2}|J(U9VZ zoo04jg`nh<$yUji)3eBcQ>*T5%o{#7qJv)_TFCDI)eXZNKf#EKKzCQ7L}sQ@<7s1Z=<=JN+dqP3 zmUZ*{+`B-)GPRX%aTC^l)EDC8rc(LE$SkjJ2$%`J&a=M+6bnz^4n&0K#oEtBj3oW~ z2Jeu)T&+hTGTbI(T`xIwqNd@fhJVNcfFTD&xVX^gMy`3^B%0KIN6TvI3}`$Dla5RQz$njSOh-1a=Rboz5qZl3C>*frA<(H}sdMk0#e5h*W{g<;PBgf=w$~3BXy2^58s=`zZE*Y3f^<$dMAilY@ zTrQNV>Om8$>`;)Z7ZXQ|mMQ;rAYE&=oD-L?Za3yhGyOD~VeGng#PZS`j$-~;i1!7F z^Wfgdw#!Y~VIM35fu9!Z&OYR!7}KC0JAIhzSQ;MNcBzm&;V1v|TVkI;JPHRvJOup( znG9@@^eu`td;B zPLJXnp3VOK6MSpkv$mx&(`b;m<2{EvVA#LeJq&?fXNtWQuVz}j{Y257Nyq4At~e{H zU3=c^CYT5AQ76KOTfOKeJR9pXYDhhQEEYO$hn6g8eFR|53yk%pN(4 zLzi=2pw9%6f#oyJ(@O-sMfe;-R$WgINIV3pPCpUs`shAVAET^FV{-vvnWHlJPg&hf(AnEwr8E*tG>s zHiYY{X*d_92A3LxPDFbpC(|#BI%39X_RC54(7RRQG1vff%4>J8n%3<0x1p@CR<4;Q zcW+jdUvaX`CRX3QCMzk}GR-8+rkO#TOmXA* zz%66kbVDK77R)0);jXdmc213ts}j$+0!-f3wMI={-Kv<&CGP`MQexuFAcE-?+z^W< z6p1HhqB(c^aUS_C=cO79Gs%5@>uQFJaHga$DB#JCkvvrJV!EwAWv#3yX75S_G?fN& zGy`8Uo;qxJtOSY8Xig_Kca<)0AQ-E3yjK1Mw~ay$n|tX=DtCSkcDWCk&_YkbrQ^3F zSZzujF2ZQ=)$7$>5dS&}cN~s$t1#;9at|`Y$p70jP%|uxjHtEeO*M@94!aQ?dPjzF zmu1RVgxZ-Q_`@YR+e_3|NDEH~Hdgh;#r@b-`npO=QErvr)4R3b!rDmjE5p>dl#^^3 zYZrnb09kO>pIaq+chcfE?$?8hh;N?uVrnW<9(Le&65UE3JPbJ3PBxiy+va5U7tSrGTV^xP#8;Zz6T7F8iN%so@on_^ar~OH~5ANRs+6+_4eJuybm_R zo$E5889RT&`w70EF>~;V;9C&&49N*i zJaDuaWRWGgFlc3IV!6$cPgkXg>5i9R zUcXg>u@Fzyo2uv?M0i$KH+?dETVO!u+QSos1ORG(R+RtRcZmOVm-~y3unMF(TIt;P z4Gf}1&tUN|2dxtMJr5TxsATXXvyZCQbymKw-A35g#L0MW3+R`hk!NAvQdbhowC{4e zA~W+1Z!KdReWE5H-9uKRUKZs)-XqfqEC*5riwq!bdI2vUmB>epYWuv}edM{Ncfv zWSsKW&YOXCV1EH5mGM*mizBPhkh4uUbXrhjl|Y=Kl30N99Y6;xgA><`#sfjV-XMo= z#2d6Qq-J;Snc3ju;k}tGqd;tOsR@tGG=`n$6+X9d40-DWcS&jmD35#C88)leUdu8( zuLmeEWZfNR&{sg1pWDPqTxAv*_z>u;wT>hHNG>AVN+2HLZ_f7{; 
zzm8>O=iTh)gLur6?3(1JK1RGT>DRD+!YA|G8HUKR>cZDt$U3~!`RN;BXz=Nv{A=ML zh^Y)GSxuaTiFsz{fHl5SYHRP=a=75oWSM>(NVQ*g+pl#-Rbhslip9{3^|!Ee47cxM z*WVlPy5E02b$oAD4acs-b>R5pHFf_!^Gpe!{@0^>$@U@D+W!1_!n&Ny?vQWZ-38E$ z(qL$mHXoGVetCB%ziC%w2qOy7zXud+e?dN9Yr3<-%o_#Z z6)!56(y;gi`3ep&N zbT=JMZS-}Yr$We{43Us;fwexTgOx|#f~6#ByHC=0=P53&b^=x`)Fumg`iBZ>m?(p! zXRGrqW|~GutJF7lu!bS*SEcChK$qd3Uw`L20Ci>10Yu~p!Hh7 zXFTVnjEv4ld2DP5{+9i~&dvta0=(@RH}@sfd9E9BdVHYP%pY{qgye{%g6~N_S#>5O zaDL+f8NPR@t>53-{Gx2l^v{z0Eo|Vjw&mq4a`vt>jvspM9*(o=9FbIJz`5u8CEE@8 zRcp!X#bT21VZ6+j8R41kw}0#;+t{cB9J#hlz`xw$V!6hqreme2wj?%WYx3YC(eOId+6r9y z@_JlzU+_`WE1Vc!CLHm5OPJ(a;Dp{*(yk@Q0?gD5VUyVhc6G+tq1zVox%407vr;Ge z*Lk*r*W9r>9ESK+VP+kSl>O~Ex9W2OElk4|_tmkNoe(IXwFd|a?qv%8hQMLlJ2hDIs0bp$zGg8r?|u2$c>QDDfWD|NrCr z;k~YRpPuX5cAoQ`=j8pn@B8PdT~Q+{H}E(e+?z? z9Tw{kPejNif7gN2g%BLv&>0Rr-O;Ix`nCmcAovG;ig+Zv_u(+QWMF=AOZ}_c$9-{r zYpaM?4?5X}c)GTcTZFyHbywGIKfBtHXt{Y;HZ!Vg3|wIa1yS!TVw99sKZEz{TkcfA zw3Q6T#x8OR1&Q<7B(gjj@9RsIF=4#I!Xf|`f`QRdE|4>V_(N9Kc#FvC^OUhIJd7<_sOQTi38LFVNaLtyit&Ot9P^6^nrTuYEe=lcF$m^(F?K~ z)&62z=W*exzOd%706c2yf$@q*EQCA33I8i2({cD=w2cD7XT85nDUgC38|>A5x47!r z%q7E*<>^voBVCa+97qzu$}!xll!-}8vL$M5wPb;We5HjNSo|`kQugpSG9}~e#^sF* zZ(a4(d||6N6Ku|tk8!9P8zg1#IfNK(EM?za$;a2>A6~Ox%x>;@P}{k{E&F+dal|#X zQYOW7xkjhcg^G5Tcg8$F(mzB%cwf~Eoxl?uVxpNz=r2!|TGucB;!@Q8OAfthL%}+1 zpUv6cxf0VURy}?T*EOVuxd2<}M1XcoOZ*$DRebg8=o1QJ*VEB~6_ZF#g@%Rp2W%~H z53<)gW!}qrSSof~9Hx%tWn>quJaKt)FRDxH)6<}Y;kJS$J#MfBpacs%<%w>{b>KAX z(cCzd+_*^HuQ^87mWunnxwJofD)6E>(5d)>-)cG&dN@e0J=ZLTimivK`r2vUtypl( zI}HzWt7VObglJ%5X&$~S{L1lbxi(}m2IcWNO~?1*7)W}==~NHP&~z#q+J-PSeH`71 zMDJ>zxU9W6gvho{Pmg60Ui1ht3~MZO`uWOXZI`an2=OBH5)=4i%gWoH$-2PW@AwUz z-Pve!DoTD=NT{83u@SXC z3A@!b(q(6yc;v}~rZ~83j*))7g_J>X`h<(Mz7MvuwfzK=T__kBq$)MqqG|w}Rr`~H z*N1EXXXqpjLnm-|7*G4J2IjF&#Ct|mqJ}EWedc#1eB#7ssuFt*_T=uy@x%BHNsctc(Y9sK7N;yG`)UuP3PweA_i(4TbFniv zv$l51x=R^@_M<}^B4MTBHCA6s;4S+L@ka5r-I(gQ1K%2$*!a^#Gdc_M4&=134`tkg 
z{H-})C|d!Ak?55xR5{q1pOb`^+n@B`5;b1WTpP8(5{~p04E7D}>MvIaad>u^(t+ZKuuxa>n4!r%g)LkQV3HB>Q5a6nY+-dV2geHCui<^{;h> zEk_M*lZ1CCiSa2Cz52CyUe&*9Fef}Mctf5Vtw8rf*~DZrN-&B;3R4F49LL2=v%E8%8UY-UUG~h=!!avw0xPC=7$WjP34>^$YgO(18#YUMwx@ma)1z6nu zw1JfN#D);u^wE{#CX<(x9w)CAsRt%r{dSv*6!Ch(r9Q{(*lFgaYaY6Ih)#I~{%OsF z%?lz>!)m6)% za};0ZImgwpcQ5f1sy}dD=e(6 zq8(R;+d&qJzwd9iBE$VHtZeV&+R2Tn?JwM8o~=4#u!Q5h*m)l)jNok4a}>*$vYVkeyWEbg)#;u1*BZHV;r{*N2jgRYr8 zGD3>Q$uvp5aC=u*)bI7`#~^hLH!y2t77QIAdafd4YkjsPRw)NQLbN9czOy*g#b!@(abl?{sX;_}6pJOu2Aq|U@GTmZ4x07sz z91ANd0JIX}d*ZjbjRT;>ll5!vUwZo$s6hl_ffKYdDSl-oUmI;0p^|S#gB*T>*?>p1 z)AOYBfq3WG@WE8|uA`E49Af$e!=@(q)F}+`4iI~!B8Tl8>OmVv2`7D!qBReF4UAYy zRgQhaNU;%sG5auOYl-M~1r#JuhUDquz!^`OPfsK6Un*IB~-GTtTc#MpJ&Z+36Xm%murVDFvv?B8_J2ac+Ts=E384A|5Vna z8_mTnme)ovA z$vys)BDc@6_iF0k6HAsnn<{<#P;&K%=Lg>QjB>w zqIqmBc42Om?d`q6l7|&|BRHD1>K@Dt!G%}b04Hv!@ zcGe;H%h8*LxW4IaBAQ7#qz%7qBEyv;qF{KHy4gi8!4EW!l{vja?ux_#Jm&s(d`zve z7wq9Majge3tkqmeZ{DDpjHq4e%Ls2=LrXQxmqX{UEdkPnLbN>V&jcrmc8O~$oGQyw z+%45h#RoJpRV~Zv+#S@TW9&z9;7nBc3YQ7JG~GsA8>S);U_lx2351C>qHd>aV;ro9 zN0kne_S#N>u<_Jd{Cb_&QN7aryW9P}b>Zq^bwvq&vszDoIOyIp;lSzPRvZO%2N?_} z@CMQw5+eI^Hc$Pw7JR$@}J_?88iusN=iWvPEH*l$e)>- z`bE(A^Q02SO1hidJXmE!6ff^gtbnLeO|{|gfMhW?is~Gkp)HX+f& zVe>52YJ^8njU+UUgC1MariEu#p|)*g727f<4cfz6(%=hm?m}VG%>8a_X86~(k73?| zUvjR|72TmSht#_o4M>jRpZZ_Yr`8juDLI@map;E zRTeD5ldJNh3lZEf zFoN$@#ZO}vv>`l#UT%;2$OplqM1S+rxL@4P8OshYYEm*DVanob#8hfK$*iWP(SGB) zaHd1pV#0#bio~=Bb2W!i(83WpV;WSjg|rr|ufoPd`pfTM#%jJ2VJ&`%bsjy3jb z2s_6N=$W*;=s^>{@HIM5E`Nz%NypkHKVRQvrcGc^Y85a)x)~}P`5WMdq(w*LRQR&v zosizr54rc9^bZ18U6-@5a}z9P6Cz~pAkaZfPISK$_*^dn-GIIl=BTFj7B4x>uQ|;R z8mIMHM)rsYo4T(q@oPs0ayfX5G@j0M_$r$9Hup2ROB|%8+Q$4o-lOZqx!vbSS_c;>C7|L__$a$<9t(ZEF6x}6u+Uc^WEnA10IDlWUTbCcehAQ@$yiYNKA zab!|%hh{J}UM$(8CSMKb2J-viM-r^fRCQbIX{RrsN+dN4TG-E-{qQU0)iQhzqrBMX zvBDLO@+|FnldGn!WX+e>U!E1OsbRNvD+(o^pt!f`9HrW&SE*Oh5WcxEsa+M=*1c29 z@j^b$IAFP8JST4H^Zd&x$byrkv&Z))8=05(_CHOgc$PGzezEG9whBQfrsj+puAdhv 
z=zcUZt{o*jt7Fepzg-?roI3cHo-};!Rx8O!4UwU5F<Fl$npQ1Qe8$$xRZ6IR_IyM{OMDtLn2Qf2f;I|@) zS@!>BCLY#6cm%pNB2feF!OP05_32yzE{URLR3sHg*NCBzEWp{2!mAkJGa6D=m$OS- z@ZWZrFB~$=?8plbn@?&>!3!4#&dmq^X682jEah|Gjl@NMdf%q&S_SPF5ATn@a_%{S z)&iZEPbR)aoDLrmz{X?VcmfW-r;%rJppW?fxCUf4QdiRUbRS>r%`}+-*}>+CDK`Qi z0G@y*p}`CUcA;GT{ry!(C6zRv`9?)W+1c*_=M4@ROnM%VcYHq8VAs?5wdKyZq!J~~ zTC65*ExXN#Ze*pM(fqow!*AWc1-$@~WEt^SzZ`M_L;}40w6TWmRB_%{Z*X!d0S>2w zv-1N@&Da9%68XHmJg^521T650yVmn7b8Pk~rNxP0<@Tl35S)d6r`F#Bfm)&hNLt+7 z+zfyI_{xL(qqrzTfOO%fm$ z24@8QPT|#Nn$tC8vgbWQR#jE?RB|BO3{3}$g4{TiLa|kxuX?+0$tla9ll2*M(#|I) zZc(nY$!Gtty?`F(%lqJBkPR+IDfL5oRu0f$0n$D}` zvQpE0_Fp+hCR8>c0wI6F*R`gg0AvdI@WF8QJ+d;PxkAt`A~9ctuQ!GzcADOTT|jW; z4~GzDcpbUk3>Cte&iO$Q*p?+b1+M0b^mNqe-+=y@d_D9kOC))4uab@w*hidp)&Sm{ z;2-I6v9Z~FQU$57=oABt&>g)gkjRe_nOR-dSrh!1_*)ns(M5OnA$ zrPSE1$x8dun2L-H*^)0@5t~2PW~7K5o4GPgK^!T@3Tk0vGjiSqgp*{K97sU(w30NN zzd}rup2|&{ztY4Tc)n#kd4Si z-yjns_jQe}oz0T}G-{%%(%G$2lr57Rv%kOp1Aw?5zuK%o+Bt&uYVppTi7K}cXg_7l zsx%U9+1i(5{wkBsg9$;rAN(qLK}=CJyS#IpekxK@DHT)MPYW<2o=j#18T*VnHVMz<>ZK6u|tkAk)(K z_4P9J+IZ=}#6oMaPr&0geI@I?lgOD@n?kPJUsC?few93Vz01hr=Jz3g}sK|CtB;GCiJI-~St(T4h4<-LKmrt`<@CLBk zQs=kfz~zYORoJG*s7xxQwnjFf4hK8+-;qB)j(DheB#A4oPyctHn?PZOzEKVm44GM3 zUDIUL8VxG;9M$jOy>t|DxX}Hvv-bJ%(~CPNu@27sF>lWNyVJcFlfej46@x8Zz}8-@ zDEUN#cRxH<;^{c{Kiog`j1-Xg6@NJ2F|s)3AH>ep*Sf9q=Vc2XLq|{;RiBOyrSCs} z48$AeLrq@r;-(usx$g@f-9A`;aH6O@O=uk`o$obT@sp#bnl*9dKkW)+^qv?CgtD^o zu=Uj(Fofv!$26ZKC`0$j4}K$0w5KJu^f{0_o-2sq|F$0>-~(PU2-ERbHF2`ybL*g^ zL3W;+K_5E<**xLQUY?2oIs_%hy*UjByYxF*jbV+RUH5t<0hA`ETvBQ(s+&~)$1Qh4 zL!>sHCq!_>Whf@&fGwM8G|L~2QFve%5KbvwC)qGJK|Q~p7#^Nl8@#i#qn>58480_U zX~N5VW|LFiJBbmHIE)uB4ilUCD>{3csG)@D_kwEjZw@M7t@rr7vOUIoA~()>oQMJ| zE5Ki*{|t*eHw2#S75+w!4Q$OAS${tnDzp06?*lJ@A!TWSDNOy(^ZsER{&^rfzW?R= zZDC&VL7T#V`YPo=wUi9xpMcT_`tK_;#J{4cP*Q&z3fBDQZ|!8-?h@KgNRjZl8mX+} RM`yrCQBL_@k&MCH{{aa`F)jcA From 0782c73512d0fea7ebde676e003a1947797b1079 Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 13 Oct 2022 10:30:54 +0100 Subject: [PATCH 23/33] bug bash 1 fixes --- .../admin-controls/configure-ac.md | 63 ++++++++++--------- .../how-eci-works.md | 2 +- 2 files changed, 33 insertions(+), 32 deletions(-) diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 5dfee937d92..3d56b67011a 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md 
@@ -8,29 +8,30 @@ title: Configure Admin Controls > >Admin Controls is available to Docker Business customers only. -This page contains information for admin on how to configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information for admins on how to configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. -## Prerequisite +### Prerequisite As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -## Step one: Place the `admin-settings.json` file in the correct location +### Step one: Create the `admin-settings.json` file and place it in the correct location -Place the `admin-settings.json` file on your developers' machines in the following locations: +1. Create a new JSON file and name it `admin-settings`. +2. Place the `admin-settings.json` file on your developers' machines in the following locations: -- Mac: `/Library/Application Support/com.docker.docker/admin-settings.json` -- Windows: `/ProgramData/DockerDesktop/admin-settings.json` -- Linux: `/usr/share/docker-desktop/admin-settings.json` + - Mac: `/Library/Application Support/com.docker.docker/admin-settings.json` + - Windows: `/ProgramData/DockerDesktop/admin-settings.json` + - Linux: `/usr/share/docker-desktop/admin-settings.json` -By placing this file in the above protected directories, end users are unable to modify it. + By placing this file in the above protected directories, end users are unable to modify it. 
->**Note** -> -> It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). + >**Note** + > + > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). -## Step two: Configure the admin controls you want to lock in +### Step two: Configure the admin controls you want to lock in >**Note** 
> @@ -38,9 +39,9 @@ By placing this file in the above protected directories, end users are unable to The `admin-settings.json` file requires a nested list of configuration parameters, each of which must contain the `locked` parameter. You can add or remove configuration parameters as per your requirements. -If `locked: true`, users are not able to edit this setting from Docker Desktop or the CLI. +If `locked: true`, users aren't able to edit this setting from Docker Desktop or the CLI. -If `locked: false`, it is similar to setting a factory default in that: +If `locked: false`, it's similar to setting a factory default in that: - For new installs, `locked: false` pre-populates the relevant settings in the Docker Desktop UI, but users are able to modify it. - If Docker Desktop is already installed and being used, `locked: false` is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example the `settings.json` or `daemon.json`. In these instances, the user's preferences are respected and we don't alter these values. These can be controlled by the admin by setting `locked: true`. 
@@ -100,23 +101,23 @@ The following `admin-settings.json` code and table provides an example of the re } ``` -| Parameter | Description | -| :------------------------------- | :------------------------------- | -| `configurationFileVersion` | Specifies the version of the configuration file format. | -| `exposeDockerAPIOnTCP2375` |Windows only Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `proxy` | Used to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`.| -| `enhancedContainerIsolation` | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | -|`useWindowsContainers` | Windows only If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| -| `linuxVM` | Parameters and settings related to Linux VM options - grouped together here for convenience. 
| -|        `wslEngineEnabled` |Windows only If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| -|       `dockerDaemonOptions`|If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | -|       `vpnkitCIDR` |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | -| `windowsContainers` | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | -|        `dockerDaemonOptions` | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | -|`disableUpdate`|If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| -|`analyticsEnabled`|If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | - -## Step three: Re-launch Docker Desktop +| Parameter | | Description | +| :------------------------------- |---| :------------------------------- | +| `configurationFileVersion` | |Specifies the version of the configuration file format. | +| `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| +| `proxy` | |Used to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property. 
The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`.| +| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | +|`useWindowsContainers` | Windows only |If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| +| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | +|        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| +|       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. 
| +|       `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | +| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | +|        `dockerDaemonOptions` | | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | +|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| +|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | + +### Step three: Re-launch Docker Desktop >**Note** > >Administrators should test the changes made through the `admin-settings.json` file locally to see if the settings work as expected. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index dc9c1523c00..7ff2f01c4a9 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md @@ -4,7 +4,7 @@ title: How does it work? keywords: set up, enhanced container isolation, rootless, security --- ->Note +>**Note** > >Enhance Container Isolation is available to Docker Business customers only. From b2021a877bfa8bfa6b3bf723515787f1d5767945 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 13 Oct 2022 11:46:03 +0100 Subject: [PATCH 24/33] bug bash 1 fixes --- .../hardened-desktop/admin-controls/configure-ac.md | 13 +++++++------ desktop/hardened-desktop/admin-controls/index.md | 4 +++- .../enhanced-container-isolation/index.md | 2 +- 3 files changed, 11 insertions(+), 8 deletions(-) 
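Review bot: In the PATCH 23/33 `configure-ac.md` hunk at `@@ -8,29`, the line `By placing this file in the above protected directories, end users are unable to modify it.` rests entirely on the permissions of those directories, which the page never states; a developer-writable `admin-settings.json` would let the user flip `locked` or switch off `enhancedContainerIsolation`, so add a sentence saying the file must be owned by root (macOS/Linux) or Administrators (Windows), not writable by standard users, and that the device-management push should set those permissions. Two smaller points in the same hunk: `Windows: `/ProgramData/DockerDesktop/admin-settings.json`` should be written as a Windows path (`C:\ProgramData\DockerDesktop\admin-settings.json`), and demoting `## Prerequisite` and the step headings to `###` leaves the page with no `##` level under its title.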
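Review bot: In the `@@ -100,23` table hunk of `configure-ac.md` (PATCH 23/33), the new middle column has an empty header cell (`| Parameter | | Description |`), so readers cannot tell what "Windows only" is a value of; give it a header such as `Platform`. While the rows are being touched: the `proxy` description still reads `ignores and values set for` (should be `any values`), the `windowsContainers` > `dockerDaemonOptions` row ends with a stray extra cell (`...daemon-configuration-file).| |`) that some Markdown renderers show as a fourth column, and both `dockerDaemonOptions` rows say `If `value` is set to true, it overrides the options in the ... config file`, which reads as a boolean for a parameter that carries daemon options; check the wording against the JSON example above the table so the type is unambiguous.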
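Review bot: In the `how-eci-works.md` hunk of PATCH 23/33, the context line `>Enhance Container Isolation is available to Docker Business customers only.` still has the product name wrong (`Enhanced`); since the note block is already being edited for the bold `**Note**` label, fix the typo in the same change.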
diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/admin-controls/configure-ac.md index 3d56b67011a..f0f3f90ca8c 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/admin-controls/configure-ac.md @@ -12,16 +12,17 @@ This page contains information for admins on how to configure Admin Controls to Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. -### Prerequisite +### Prerequisites -As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +- [Download and install Docker Desktop 4.13.0 or later](../../release-notes.md). +- As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -### Step one: Create the `admin-settings.json` file and place it in the correct location +### Step one: Create the `admin-settings.json` file and save it in the correct location -1. Create a new JSON file and name it `admin-settings`. -2. Place the `admin-settings.json` file on your developers' machines in the following locations: +1. Create a new, empty JSON file and name it `admin-settings`. +2. Save the `admin-settings.json` file on your developers' machines in the following locations: - - Mac: `/Library/Application Support/com.docker.docker/admin-settings.json` + - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` - Windows: `/ProgramData/DockerDesktop/admin-settings.json` - Linux: `/usr/share/docker-desktop/admin-settings.json` 
diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/admin-controls/index.md index dc8673486e3..bb51e0ff141 100644 --- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/admin-controls/index.md @@ -7,10 +7,12 @@ title: What is Admin Controls? > >Admin Controls is available to Docker Business customers only. -Admin Controls is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. +Admin Controls is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Admin Controls to enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) which ensures that any configurations set with Admin Controls cannot be modified by containers. +It is available with [Docker Desktop 4.13.0 or later](../../release-notes.md). + ### Who is it for? - For Organizations who wish to configure Docker Desktop to be within their organization's centralized control. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index b858e1ed64a..2ce54a49532 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
@@ -8,7 +8,7 @@ title: What is Enhanced Container Isolation? > >Enhanced Container Isolation is available to Docker Business customers only. -Enhanced Container Isolation provides an additional layer of security that uses a variety of advanced techniques to harden container isolation without impacting developer productivity. +Enhanced Container Isolation provides an additional layer of security that uses a variety of advanced techniques to harden container isolation without impacting developer productivity. It is available with [Docker Desktop 4.13.0 or later](../../release-notes.md). These techniques include: - Running all containers unprivileged through the Linux user-namespace. From 390c75d1fc61081fd8c376d14974ded972417faa Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Thu, 13 Oct 2022 14:44:06 +0100 Subject: [PATCH 25/33] changes from bug bash 2 --- _data/toc.yaml | 10 ++++---- .../enhanced-container-isolation/faq.md | 2 +- .../enhanced-container-isolation/index.md | 22 ++++++++++------- desktop/hardened-desktop/index.md | 14 +++++------ .../registry-access-management.md | 2 +- .../configure.md} | 12 +++++----- .../index.md | 24 +++++++++---------- 7 files changed, 45 insertions(+), 41 deletions(-) rename desktop/hardened-desktop/{admin-controls/configure-ac.md => settings-management/configure.md} (93%) rename desktop/hardened-desktop/{admin-controls => settings-management}/index.md (71%) diff --git a/_data/toc.yaml b/_data/toc.yaml index e4c416ddc1f..3c2b767e385 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
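Review bot: In the PATCH 24/33 `configure-ac.md` hunk at `@@ -12,16`, the macOS location is changed to `/Library/Application\ Support/com.docker.docker/admin-settings.json`, which is a shell-escaped string rather than a path; pasted into an MDM profile or a file dialog the backslash becomes part of the name, and the Windows and Linux entries in the same list are not escaped. Keep the unescaped path (the original `/Library/Application Support/...`) and, if the escaping is meant for shell use, show it in a separate command example. Also, step 1 now says `Create a new, empty JSON file`: an empty file is not valid JSON, so if it is pushed to machines before step two fills it in, Docker Desktop is handed a file it cannot parse; say "create a JSON file" and make clear it must contain the completed configuration before it is deployed.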
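Review bot: In the `admin-controls/index.md` hunk of PATCH 24/33, the added sentence says Enhanced Container Isolation `ensures that any configurations set with Admin Controls cannot be modified by containers`, which is broader than the product supports: the `faq.md` hunk in PATCH 25/33 (`#### Kubernetes pods and extension containers are not yet protected`) states that a malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass the security controls. Narrow the claim to user containers and link the known limitations from the overview page, so the security guarantee is not overstated where admins first read about it.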
@@ -1191,12 +1191,12 @@ manuals: section: - path: /desktop/hardened-desktop/ title: Overview - - sectiontitle: Admin Controls + - sectiontitle: Settings Management section: - - path: /desktop/hardened-desktop/admin-controls/ - title: What is Admin Controls? - - path: /desktop/hardened-desktop/admin-controls/configure-ac/ - title: Configure Admin Controls + - path: /desktop/hardened-desktop/settings-management/ + title: What is Settings Management? + - path: /desktop/hardened-desktop/settings-management/configure/ + title: Configure Settings Management - sectiontitle: Enhanced Container Isolation section: - path: /desktop/hardened-desktop/enhanced-container-isolation/ diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index 3de99e0c751..d5fba44bc4d 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md @@ -39,7 +39,7 @@ By allowing the `-–privileged` flag but restricting its impact within the cont
    #### Incompatibility with WSL -Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. This can be enforced using Admin Controls. For more information, see [Admin Controls](../admin-controls/index.md). +Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. This can be enforced using Admin Controls. For more information, see [Settings Management](../settings-management/index.md). #### Kubernetes pods and extension containers are not yet protected When Enhanced Container Isolation is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 2ce54a49532..abe12278199 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md 
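Review bot: in the faq.md hunk the sentence before the link still reads "This can be enforced using Admin Controls." while the link text was renamed to Settings Management, so the paragraph now names the feature two different ways; rename the sentence as well, e.g. "This can be enforced using Settings Management. For more information, see [Settings Management](../settings-management/index.md)."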
@@ -18,7 +18,7 @@ These techniques include: This is done automatically and with minimal functional or performance impact. -Enhanced Container Isolation helps ensure strong container isolation and also locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Admin Controls](../admin-controls/index.md). +Enhanced Container Isolation helps ensure strong container isolation and also locks in any security configurations that have been created, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Settings Management](../settings-management/index.md). >**Note** > @@ -31,7 +31,7 @@ Enhanced Container Isolation helps ensure strong container isolation and also lo ### What happens when Enhanced Container Isolation is enabled? -When Enhanced Container Isolation is enabled using [Admin Controls](../admin-controls/index.md), the following features are enabled: +When Enhanced Container Isolation is enabled using [Settings Management](../settings-management/index.md), the following features are enabled: - All user containers are automatically run in Linux User Namespaces which ensures stronger isolation. - The root user in the container maps to an unprivileged user at VM level. 
@@ -53,7 +53,7 @@ For more information on how Enhanced Container Isolation work, see [How does it As an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -Next, you must [create and configure the `admin-settings.json` file](../admin-controls/configure-ac.md) and specify: +Next, you must [create and configure the `admin-settings.json` file](../settings-management/configure.md) and specify: ```JSON { @@ -73,21 +73,25 @@ Once this is done, developers need to either quit, re-launch, and sign in to Doc ### What do users see when this setting is enforced? -When Enhanced Container Isolation is enabled, users see that containers run within a Linux user-namespace. For example: +When Enhanced Container Isolation is enabled, users see that containers run within a Linux user-namespace. + +To check, run: + +``` +$ docker run -it --rm alpine / # cat /proc/self/uid_map +``` + +The following output displays: ``` -$ docker run -it --rm alpine -/ # cat /proc/self/uid_map 0 100000 65536 ``` This indicates that the container's root user (0) maps to unprivileged user (100000) in the Docker Desktop VM, and that the mapping extends for a range of 64K user-IDs. -In contrast, without Enhanced Container Isolation the Linux user-namespace is not used: +In contrast, without Enhanced Container Isolation the Linux user-namespace is not used, the following displays: ``` -$ docker run -it --rm alpine -/ # cat /proc/self/uid_map 0 0 4294967295 ``` diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 3bd9ac6da27..5a70504e369 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
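Review bot: the second hunk (line 73 onwards) collapses the interactive session onto one line, `$ docker run -it --rm alpine / # cat /proc/self/uid_map`, which is no longer a valid command: `/` and `#` become arguments to `docker run` and the `cat` never executes, while the two output blocks now show `0 100000 65536` and `0 0 4294967295` with no command attached. Either keep the original two-line form (the `docker run` line followed by the `/ # cat /proc/self/uid_map` prompt line), or use a single non-interactive command such as `docker run --rm alpine cat /proc/self/uid_map` above each output block. Also, "the Linux user-namespace is not used, the following displays:" is a comma splice; "is not used and the output is:" reads better.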
@@ -14,8 +14,8 @@ It is for security conscious organizations who don’t give their users root or The Hardened Desktop security model moves the ownership boundary for containers to the organization, meaning that any security controls admins set cannot be altered by the user of Docker Desktop. Hardened Desktop includes: -- Admin Controls, which helps admins to confidently manage and control the usage of Docker Desktop within their organization. -- Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that any configurations set using Admin Controls, cannot be modified by containers. +- Settings Management, which helps admins to confidently manage and control the usage of Docker Desktop within their organization. +- Enhanced Container Isolation, a setting that instantly enhances security by preventing containers from running as root in Docker Desktop’s Linux VM and ensures that any configurations set using Settings Management, cannot be modified by containers. - Registry Access Management, which allows admins to control the registries developers can access. Docker plans to continue adding more security enhancements to the Hardened Desktop security model. @@ -26,16 +26,16 @@ Docker plans to continue adding more security enhancements to the Hardened Deskt
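Review bot: in the first hunk the new Enhanced Container Isolation bullet has a stray comma before "cannot": "any configurations set using Settings Management, cannot be modified by containers" should be "any configurations set using Settings Management cannot be modified by containers".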
    - Hardened Desktop + Hardened Desktop
    -

    Admin Controls

    -

    Learn how Admin Controls can secure your developers' workflows.

    +

    Settings Management

    +

    Learn how Settings Management can secure your developers' workflows.

    - Release notes + Release notes

    Enhanced Container Isolation

    Understand how Enhanced Container Isolation can prevent container attacks.

    @@ -44,7 +44,7 @@ Docker plans to continue adding more security enhancements to the Hardened Deskt
    - Hardened Desktop + Hardened Desktop

    Registry Access Management

    Control the registries developers can access while using Docker Desktop.

    diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 11705135b78..677f8f983e2 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md @@ -17,7 +17,7 @@ Below are some example registries administrators can allow: - GitHub Container Registry - Google Container Registry -Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Admin Controls. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). +Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Enhanced Container Isolation. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). ## Prerequisites diff --git a/desktop/hardened-desktop/admin-controls/configure-ac.md b/desktop/hardened-desktop/settings-management/configure.md similarity index 93% rename from desktop/hardened-desktop/admin-controls/configure-ac.md rename to desktop/hardened-desktop/settings-management/configure.md index f0f3f90ca8c..e00897b53f4 100644 --- a/desktop/hardened-desktop/admin-controls/configure-ac.md +++ b/desktop/hardened-desktop/settings-management/configure.md 
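Review bot: the replacement sentence in registry-access-management.md is tautological, "if Enhanced Container Isolation is switched on with Enhanced Container Isolation"; the rename should read "switched on with Settings Management", or simply "if Enhanced Container Isolation is switched on", since that is the control the rest of the page refers to.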
@@ -1,16 +1,16 @@ --- -description: admin controls for desktop +description: settings management for desktop keywords: admin, controls, rootless, enhanced container isolation -title: Configure Admin Controls +title: Configure Settings Management --- >**Note** > ->Admin Controls is available to Docker Business customers only. +>Settings Management is available to Docker Business customers only. -This page contains information for admins on how to configure Admin Controls to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. +This page contains information for admins on how to configure Settings Management to specify and lock configuration parameters to create a standardized Docker Desktop environment across the organization. -Admin Controls is designed specifically for organizations who don’t give developers root access to their machines. +Settings Management is designed specifically for organizations who don’t give developers root access to their machines. ### Prerequisites @@ -32,7 +32,7 @@ Admin Controls is designed specifically for organizations who don’t give devel > > It is assumed that you have the ability to push the `admin-settings.json` settings file to the locations specified above through a device management software such as [Jamf](https://www.jamf.com/lp/en-gb/apple-mobile-device-management-mdm-jamf-shared/?attr=google_ads-brand-search-shared&gclid=CjwKCAjw1ICZBhAzEiwAFfvFhEXjayUAi8FHHv1JJitFPb47C_q_RCySTmF86twF1qJc_6GST-YDmhoCuJsQAvD_BwE). -### Step two: Configure the admin controls you want to lock in +### Step two: Configure the settings you want to lock in >**Note** > diff --git a/desktop/hardened-desktop/admin-controls/index.md b/desktop/hardened-desktop/settings-management/index.md similarity index 71% rename from desktop/hardened-desktop/admin-controls/index.md rename to desktop/hardened-desktop/settings-management/index.md index bb51e0ff141..887206f2c91 100644 
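Review bot: the second hunk (line 32 onwards) keeps a Jamf link that carries Google Ads tracking parameters (`?attr=google_ads-brand-search-shared&gclid=...`); strip the query string and link the plain Jamf page so readers are not sent through an ad-tracking URL from security documentation. Minor: the front-matter `description` is lowercase "settings management for desktop" here but "Settings Management for desktop" in the renamed index.md; pick one.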
--- a/desktop/hardened-desktop/admin-controls/index.md +++ b/desktop/hardened-desktop/settings-management/index.md @@ -1,15 +1,15 @@ --- -description: admin controls for desktop -keywords: admin controls, rootless, docker desktop, hardened desktop -title: What is Admin Controls? +description: Settings Management for desktop +keywords: Settings Management, rootless, docker desktop, hardened desktop +title: What is Settings Management? --- >**Note** > ->Admin Controls is available to Docker Business customers only. +>Settings Management is available to Docker Business customers only. -Admin Controls is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. +Settings Management is a feature that helps admins to control certain Docker Desktop settings on client machines within their organization. -With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Admin Controls to enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) which ensures that any configurations set with Admin Controls cannot be modified by containers. +With a few lines of JSON, admins can configure controls for Docker Desktop settings such as proxies and network settings. For an extra layer of security, admins can also use Settings Management to enable [Enhanced Container Isolation](../enhanced-container-isolation/index.md) which ensures that any configurations set with Settings Management cannot be modified by containers. It is available with [Docker Desktop 4.13.0 or later](../../release-notes.md). 
@@ -23,9 +23,9 @@ It is available with [Docker Desktop 4.13.0 or later](../../release-notes.md). Administrators can configure several Docker Desktop settings using an `admin-settings.json` file. This file is located on the Docker Desktop host and can only be accessed by users with root or admin privileges. -Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by users and ensure that these cannot be modified. For more information, see [Configure Admin Controls](../admin-controls/configure-ac.md#step-two-configure-the-admin-controls-you-want-to-lock-in). +Values that are set to `locked: true` within the `admin-settings.json` override any previous values set by users and ensure that these cannot be modified. For more information, see [Configure Settings Management](../settings-management/configure.md#step-two-configure-the-settings-you-want-to-lock-in). -### What features can I configure with Admin Controls? +### What features can I configure with Settings Management? Using the `admin-settings.json` file, admins can: 
@@ -37,13 +37,13 @@ Using the `admin-settings.json` file, admins can: - Turn off Docker Desktop's ability to checks for updates - Turn off Docker Desktop's ability to send usage statistics -For more details on the syntax and options admins can set, see [Configure Admin Controls](configure-ac.md). +For more details on the syntax and options admins can set, see [Configure Settings Management](configure.md). -### How do I set up and enforce Admin Controls? +### How do I set up and enforce Settings Management? -As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Admin Controls feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -Next, you must [create and configure the admin-settings.json file](configure-ac.md). +Next, you must [create and configure the admin-settings.json file](configure.md). Once this is done, Docker Desktop users receive the changed settings when they either: - Quit, re-launch, and sign in to Docker Desktop From 1f2017e87fc837f43b101b2d9d473682c4e0d238 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 14 Oct 2022 09:58:52 +0100 Subject: [PATCH 26/33] Further comments from Cesar --- .../enhanced-container-isolation/index.md | 19 ++++++++++++++++++- .../settings-management/configure.md | 2 +- 2 files changed, 19 insertions(+), 2 deletions(-) 
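Review bot: the unchanged context line "Turn off Docker Desktop's ability to checks for updates" has a grammatical error ("to check for updates"); since this hunk already touches the list it is worth fixing here. The "How do I set up and enforce" hunk also keeps the step "Quit, re-launch, and sign in to Docker Desktop"; make sure it stays consistent with whatever the configure page says about whether an already signed-in user must sign in again.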
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index abe12278199..c105e59d75d 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -57,6 +57,7 @@ Next, you must [create and configure the `admin-settings.json` file](../settings ```JSON { + "configurationFileVersion": 2, "enhancedContainerIsolation": { "value": true, "locked": true @@ -95,4 +96,20 @@ In contrast, without Enhanced Container Isolation the Linux user-namespace is no 0 0 4294967295 ``` -This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0) which reduces container isolation. If a process were to escape the container, it would find itself without privileges at the VM level. For further details, see [How Enhanced Container Isolation works](how-eci-works.md). +This means that the root user in the container (0) is in fact the root user in the Docker Desktop VM (0) which reduces container isolation. The user-ID mapping varies with each new container, as each container gets an exclusive range of host User-IDs for isolation. User-ID mapping is automatically managed by Docker Desktop. + +With Enhanced Container Isolation, if a process were to escape the container, it would find itself without privileges at the VM level. For further details, see [How Enhanced Container Isolation works](how-eci-works.md). + +Since, Enhanced Container Isolation [uses the Sysbox container runtime](how-eci-works.md) embedded in the Docker Desktop Linux VM, another way to determine if a container is running with Enhanced Container Isolation is by using `docker inspect`: + +``` +docker inspect --format='{{.HostConfig.Runtime}}' my_container +``` + +It outputs: + +``` +sysbox-runc +``` + +Without Enhanced Container Isolation, `docker inspect` outputs `runc`, which is the standard OCI runtime. 
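Review bot: in the second hunk (line 95 onwards) the new sentence "The user-ID mapping varies with each new container, as each container gets an exclusive range of host User-IDs for isolation" is appended to the paragraph that explains the non-isolated `0 0 4294967295` output, where it reads as if that mapping varies; it describes the Enhanced Container Isolation case and belongs after the `0 100000 65536` explanation ("maps to unprivileged user (100000) ... for a range of 64K user-IDs"). Also, the `docker inspect` command is shown without the `$` prompt while the `docker run` examples above use it; be consistent, and note that `.HostConfig.Runtime` is only populated for containers that already exist, so `my_container` must be a running or stopped container name.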
diff --git a/desktop/hardened-desktop/settings-management/configure.md b/desktop/hardened-desktop/settings-management/configure.md index e00897b53f4..cf5728fa692 100644 --- a/desktop/hardened-desktop/settings-management/configure.md +++ b/desktop/hardened-desktop/settings-management/configure.md @@ -23,7 +23,7 @@ Settings Management is designed specifically for organizations who don’t give 2. Save the `admin-settings.json` file on your developers' machines in the following locations: - Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json` - - Windows: `/ProgramData/DockerDesktop/admin-settings.json` + - Windows: `C:\ProgramData\DockerDesktop\admin-settings.json` - Linux: `/usr/share/docker-desktop/admin-settings.json` By placing this file in the above protected directories, end users are unable to modify it. From 9a3a8ca5c37c2881dd89606f04f1a9b7c670340d Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Fri, 14 Oct 2022 14:07:33 +0100 Subject: [PATCH 27/33] proxy change --- .../hardened-desktop/settings-management/configure.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/desktop/hardened-desktop/settings-management/configure.md b/desktop/hardened-desktop/settings-management/configure.md index cf5728fa692..c9fea518673 100644 --- a/desktop/hardened-desktop/settings-management/configure.md +++ b/desktop/hardened-desktop/settings-management/configure.md @@ -58,10 +58,10 @@ The following `admin-settings.json` code and table provides an example of the re }, "proxy": { "locked": true, - "mode": "manual", - "http": "http://myproxy.com:1234", - "https": "http://myotherproxy.com:4321", - "exclude": ["foo.com", "bar.com"] + "mode": "system", + "http": "", + "https": "", + "exclude": [] }, "enhancedContainerIsolation": { "locked": true, 
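Review bot: in the proxy hunk the example now sets `"mode": "system"` with empty `http`, `https` and `exclude` values while leaving `"locked": true`; that is a valid example but the accompanying table row should then say explicitly that in `system` mode the empty values are ignored, otherwise readers may think an empty string disables the proxy. In the paths hunk, the macOS path `/Library/Application\ Support/com.docker.docker/admin-settings.json` still contains a shell escape backslash in what is presented as a literal file location (the Windows path was just corrected to its literal form); write it as `/Library/Application Support/com.docker.docker/admin-settings.json`.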
@@ -106,7 +106,7 @@ The following `admin-settings.json` code and table provides an example of the re | :------------------------------- |---| :------------------------------- | | `configurationFileVersion` | |Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| -| `proxy` | |Used to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`.| +| `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | | `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). 
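Review bot: the rewritten `proxy` row has a typo, "ignores and values set for" should be "ignores any values set for", and it describes `exclude` as "a comma-separated list of hosts and domains" although the example above shows it as a JSON array (`"exclude": []`); say "a list (JSON array) of hosts and domains to bypass the proxy" so readers do not write a single comma-joined string. The `exposeDockerAPIOnTCP2375` row correctly warns that the API is unauthenticated; it is also unencrypted, which is worth stating in the same note.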
| |`useWindowsContainers` | Windows only |If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| | `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | From 3aee65c8d9359b7c8ac2d2b259ac323e97deb4f6 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Mon, 17 Oct 2022 16:04:18 +0100 Subject: [PATCH 28/33] tweaks and installer flag addition --- .../hardened-desktop/registry-access-management.md | 3 ++- .../settings-management/configure.md | 12 +++++------- .../hardened-desktop/settings-management/index.md | 4 +++- desktop/install/mac-install.md | 4 ++++ desktop/install/windows-install.md | 4 ++++ 5 files changed, 18 insertions(+), 9 deletions(-) diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index 677f8f983e2..e26434ae4db 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md 
@@ -13,11 +13,12 @@ redirect_from: With Registry Access Management, administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. Below are some example registries administrators can allow: + - Docker Hub. This is enabled by default. - Amazon ECR - GitHub Container Registry - Google Container Registry -Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on with Enhanced Container Isolation. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). +Administrators can ensure registries are locked in and cannot be edited by developers, if Enhanced Container Isolation is switched on. To learn more, see [Enhanced Container Isolation](enhanced-container-isolation/index.md). ## Prerequisites diff --git a/desktop/hardened-desktop/settings-management/configure.md b/desktop/hardened-desktop/settings-management/configure.md index c9fea518673..69432596646 100644 --- a/desktop/hardened-desktop/settings-management/configure.md +++ b/desktop/hardened-desktop/settings-management/configure.md @@ -19,6 +19,9 @@ Settings Management is designed specifically for organizations who don’t give ### Step one: Create the `admin-settings.json` file and save it in the correct location +You can either use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location, or set it up manually. + +To set it up manually: 1. Create a new, empty JSON file and name it `admin-settings`. 2. Save the `admin-settings.json` file on your developers' machines in the following locations: 
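Review bot: in the configure.md hunk, "To set it up manually:" is followed directly by the numbered list with no blank line, which some Markdown renderers treat as a continuation of the paragraph rather than a list; add a blank line after the colon. The sentence also says the installer flag will "automatically create the `admin-settings.json` and save it in the correct location" but gives no indication that the flag takes the file contents as an inline JSON argument; a short "(it takes the JSON contents as its value)" would save readers a trip to the install page.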
@@ -67,10 +70,6 @@ The following `admin-settings.json` code and table provides an example of the re "locked": true, "value": true }, - "useWindowsContainers": { - "locked": false, - "value": false - }, "linuxVM": { "wslEngineEnabled": { "locked": false, 
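Review bot: this hunk silently drops `useWindowsContainers` from the example `admin-settings.json`, and the commit message ("tweaks and installer flag addition") does not mention it; if the key is no longer supported by the settings file, say so in the commit message (and ideally in the page) so admins who already set it know it is ignored, otherwise keep it documented.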
@@ -107,8 +106,7 @@ The following `admin-settings.json` code and table provides an example of the re | `configurationFileVersion` | |Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | -| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | -|`useWindowsContainers` | Windows only |If `value` is set to true, it switches Docker Desktop to toggle the Docker CLI to talk to the Windows daemon, enabling Windows containers. If false, switches Docker Desktop to toggle the Docker CLI to talk to the Linux daemon, enabling Linux containers. 
This overrides anything that may have been set at installation using the `--no-windows-containers` flag.| +| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | | `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | |        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| |       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | 
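Review bot: in the table hunk, the `wslEngineEnabled` row links "[Known issues](../enhanced-container-isolation/faq.md)" but the page is the FAQ and the relevant section is "Incompatibility with WSL"; link the anchor `faq.md#incompatibility-with-wsl` as the `enhancedContainerIsolation` row already does. The `dockerDaemonOptions` row says "If `value` is set to true, it overrides the options in the Docker Engine config file", which does not make sense for daemon options; clarify what `value` holds for this key (a JSON object of daemon options, presumably) and which attributes Enhanced Container Isolation overrides "for added security", since an admin locking daemon options needs to know which ones will not take effect.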
@@ -125,7 +123,7 @@ The following `admin-settings.json` code and table provides an example of the re For settings to take effect: - On a new install, developers need to launch Docker Desktop and authenticate to their organization. -- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop and sign in to receive the changed settings. +- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect. >**Important** > >Selecting **Restart** from the Docker menu isn't enough as it only restarts some components of Docker Desktop. diff --git a/desktop/hardened-desktop/settings-management/index.md b/desktop/hardened-desktop/settings-management/index.md index 887206f2c91..b9d499b6fb2 100644 --- a/desktop/hardened-desktop/settings-management/index.md +++ b/desktop/hardened-desktop/settings-management/index.md 
@@ -43,7 +43,7 @@ For more details on the syntax and options admins can set, see [Configure Settin As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -Next, you must [create and configure the admin-settings.json file](configure.md). +Next, you must [create and configure the admin-settings.json file](configure.md). You can also use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location Once this is done, Docker Desktop users receive the changed settings when they either: - Quit, re-launch, and sign in to Docker Desktop @@ -51,6 +51,8 @@ Once this is done, Docker Desktop users receive the changed settings when they e Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers' workflow. + + ### What do users see when the settings are enforced? Docker Desktop users see a notification in **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. diff --git a/desktop/install/mac-install.md b/desktop/install/mac-install.md index 80e9837c29b..a0a11d796a6 100644 --- a/desktop/install/mac-install.md +++ b/desktop/install/mac-install.md 
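Review bot: the first hunk's new sentence has no terminal period ("...save it in the correct location"), and the unchanged bullet that follows still says users receive the changed settings when they "Quit, re-launch, and sign in to Docker Desktop", while the configure.md hunk in this same patch now says already signed-in users "don't need to sign in again for the changes to take effect"; align the two pages. The second hunk adds two stray blank lines before "### What do users see when the settings are enforced?"; drop them.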
@@ -106,6 +106,10 @@ The `install` command accepts the following flags: - `--accept-license`: accepts the [Docker Subscription Service Agreement](https://www.docker.com/legal/docker-subscription-service-agreement){: target="_blank" rel="noopener" class="_"} now, rather than requiring it to be accepted when the application is first run - `--allowed-org=`: requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--user=`: Runs the privileged helper service once during installation, then disables it at runtime. This removes the need for the user to grant root privileges on first run. For more information, see [Privileged helper permission requirements](../mac/permission-requirements.md#permission-requirements){: target="_blank" rel="noopener" class="_"}. To find the username, enter `ls /Users` in the CLI. +- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md). + - It must be used together with the `--allowed-org=` flag. + - For example: + `--allowedOrg= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` ## Updates diff --git a/desktop/install/windows-install.md b/desktop/install/windows-install.md index d657dc2d8bd..4ff90537c36 100644 --- a/desktop/install/windows-install.md +++ b/desktop/install/windows-install.md 
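Review bot: the example in the mac-install hunk uses `--allowedOrg=` while the flag documented two bullets above is `--allowed-org=`; use the real flag name. The example also sets `"locked": false` for `enhancedContainerIsolation`, which means developers can switch the setting off again; since the page this links to is about locking settings, either use `"locked": true` or say explicitly that `false` leaves the setting user-changeable.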
@@ -158,6 +158,10 @@ The install command accepts the following flags: - `--no-windows-containers`: disables Windows containers integration - `--allowed-org=`: requires the user to sign in and be part of the specified Docker Hub organization when running the application - `--backend=`: selects the default backend to use for Docker Desktop, `hyper-v`, `windows` or `wsl-2` (default) +- `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md). + - It must be used together with the `--allowed-org=` flag. + - For example: + `--allowedOrg= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` If your admin account is different to your user account, you must add the user to the **docker-users** group: From b1e263fa27997e1086e75b419d48fc01348fbb4f Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 18 Oct 2022 08:42:30 +0100 Subject: [PATCH 29/33] typo fix --- desktop/install/mac-install.md | 2 +- desktop/install/windows-install.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/desktop/install/mac-install.md b/desktop/install/mac-install.md index a0a11d796a6..b4469f982c8 100644 --- a/desktop/install/mac-install.md +++ b/desktop/install/mac-install.md 
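Review bot: the Windows example has the same `--allowedOrg=` / `--allowed-org=` mismatch as the macOS one, and it wraps the JSON in single quotes; that works in PowerShell but not in cmd.exe, where single quotes are literal characters and the embedded double quotes must be escaped, so state which shell the example assumes or give the cmd.exe form as well.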
@@ -109,7 +109,7 @@ The `install` command accepts the following flags: - `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md). - It must be used together with the `--allowed-org=` flag. - For example: - `--allowedOrg= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` + `--allowed org= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` ## Updates diff --git a/desktop/install/windows-install.md b/desktop/install/windows-install.md index 4ff90537c36..006591526f4 100644 --- a/desktop/install/windows-install.md +++ b/desktop/install/windows-install.md @@ -161,7 +161,7 @@ The install command accepts the following flags: - `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md). - It must be used together with the `--allowed-org=` flag. - For example: - `--allowedOrg= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` + `--allowed-org= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` If your admin account is different to your user account, you must add the user to the **docker-users** group: From ec748c6360c8e1cba726a557736ac6242c63fced Mon Sep 17 00:00:00 2001 
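Review bot: the mac-install replacement line introduces a new typo rather than fixing the old one: `--allowed org=` (with a space) is not a valid flag either, so the example is still broken after this commit. The windows-install hunk in the same commit has the correct `--allowed-org=`; the mac line should read the same.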
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:37:57 +0100 Subject: [PATCH 30/33] typo fix --- desktop/hardened-desktop/enhanced-container-isolation/index.md | 2 +- desktop/install/mac-install.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index c105e59d75d..0c8666b788b 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -100,7 +100,7 @@ This means that the root user in the container (0) is in fact the root user in t With Enhanced Container Isolation, if a process were to escape the container, it would find itself without privileges at the VM level. For further details, see [How Enhanced Container Isolation works](how-eci-works.md). -Since, Enhanced Container Isolation [uses the Sysbox container runtime](how-eci-works.md) embedded in the Docker Desktop Linux VM, another way to determine if a container is running with Enhanced Container Isolation is by using `docker inspect`: +Since Enhanced Container Isolation [uses the Sysbox container runtime](how-eci-works.md) embedded in the Docker Desktop Linux VM, another way to determine if a container is running with Enhanced Container Isolation is by using `docker inspect`: ``` docker inspect --format='{{.HostConfig.Runtime}}' my_container diff --git a/desktop/install/mac-install.md b/desktop/install/mac-install.md index b4469f982c8..3b11f337ac1 100644 --- a/desktop/install/mac-install.md +++ b/desktop/install/mac-install.md 
@@ -109,7 +109,7 @@ The `install` command accepts the following flags: - `--admin-settings`: Automatically creates an `admin-settings.json` file which is used by admins to control certain Docker Desktop settings on client machines within their organization. For more information, see [Settings Management](../hardened-desktop/settings-management/index.md). - It must be used together with the `--allowed-org=` flag. - For example: - `--allowed org= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` + `--allowed-org= --admin-settings='{"configurationFileVersion": 2, "enhancedContainerIsolation": {"value": true, "locked": false}}'` ## Updates From 5bbe30e181efc43e59718b65f2755bceeeebb701 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:22:44 +0100 Subject: [PATCH 31/33] Cesar's additions --- _data/toc.yaml | 2 + .../enhanced-container-isolation/faq.md | 115 +++++-- .../features-benefits.md | 289 ++++++++++++++++++ .../how-eci-works.md | 83 ++++- .../settings-management/configure.md | 4 +- 5 files changed, 467 insertions(+), 26 deletions(-) create mode 100644 desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md diff --git a/_data/toc.yaml b/_data/toc.yaml index 3c2b767e385..e15edca5054 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1203,6 +1203,8 @@ manuals: title: What is Enhanced Container Isolation? - path: /desktop/hardened-desktop/enhanced-container-isolation/how-eci-works/ title: How does it work? + - path: /desktop/hardened-desktop/enhanced-container-isolation/features-benefits/ + title: Key features and benefits - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ title: FAQs and known issues - path: /desktop/hardened-desktop/registry-access-management/ 
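Review bot: this hunk corrects the `--allowed org=` that PATCH 29 introduced on the very same line; consider squashing the two typo-fix commits (29 and 30) so the history does not carry an intermediate state in which the documented example is an invalid flag.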
diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index d5fba44bc4d..e5e37de0b71 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md @@ -7,46 +7,123 @@ toc_max: 2
    -### With Enhanced Container Isolation enabled, can the user still override the `--runtime` flag from the CLI ? +#### Do I need to change the way I use Docker when Enhanced Container Isolation is enabled? -No. With Hardened Desktop enabled, Sysbox is locked as the default (and only) runtime. If a user attempts to override the runtime by launching a container with the standard `runc` runtime, for example `docker run --runtime=runc`, this request is ignored and the container is created through the Sysbox runtime. +No, you can continue to use Docker as usual. Enhanced Container Isolation will be mostly transparent to you. -The reason `runc` is disallowed with Enhanced Container Isolation is because it allows users to run as root on the Docker Desktop Linux VM, thereby providing them with implicit control of the VM and the ability to modify the administrative configurations for Docker Desktop, for example. +#### Do all container workloads work well with Enhanced Container Isolation? -### With Enhanced Container Isolation enabled, can the user still use the `--privileged` flag from the CLI? +Most container workloads do, a few do not (yet). For the few workloads that +don't yet work with Enhanced Container Isolation, Docker will continue to improve the feature to reduce +this to a minimum. -Yes, with Enhanced Container Isolation the container is only privileged within its assigned Linux user-namespace. It is not privileged within the Docker Desktop Linux VM. +#### Can I run privileged containers with Enhanced Container Isolation? -For example, the container’s init process will have all Linux capabilities enabled, have read/write access to the kernel’s `/proc` and `/sys`, run without system call or other restrictions normally imposed by Docker on regular containers (for example, seccomp, AppArmor), and see all host devices under the container’s `/dev` directory. 
+Yes, you can use the `--privileged` flag in containers but unlike privileged +containers without Enhanced Container Isolation, the container can only use it's elevated privileges to +access resources assigned to the container. It can't access global kernel +resources in the Docker Desktop Linux VM. This allows you to run privileged +containers securely. For more information, so [How it works](how-eci-works.md#privileged-containers-are-also-secured). -However, because Sysbox launches each container within a dedicated Linux user-namespace and vets sensitive accesses to the kernel, the container can only access resources assigned to it. For example, the container can’t access resources under `/proc` and `/sys` that are not namespaced. Although it can see all host devices under `/dev`, it won’t have permission to access them. Also, while the container can use system calls such as “mount” and “umount”, Sysbox prevents the container from using them to modify the container’s chroot jail. +#### Will all privileged container workloads run with Enhanced Container Isolation? -This makes running a privileged container with Enhanced Container Isolation much safer than a privileged container launched with the standard runc, which offers almost no isolation. +No. Privileged container workloads that wish to access global kernel resources, for example non-namespaced, inside the Docker Desktop Linux VM won't +work. For example, you can't use a privileged container to load a kernel module. -### Why not just restrict usage of the `--privileged` flag with Enhanced Container Isolation? +#### Why not just restrict usage of the `--privileged` flag? -Privileged containers are typically used to run advanced workloads in containers, for example Docker-in-Docker, to perform kernel operations such as loading modules, or to access hardware devices. We aim to allow running advanced workloads, but deny the ability to perform kernel operations or access hardware devices. 
+Privileged containers are typically used to run advanced workloads in +containers, for example Docker-in-Docker or Kubernetes-in-Docker, to +perform kernel operations such as loading modules, or to access hardware +devices. -By allowing the `-–privileged` flag but restricting its impact within the container's user-namespace, it’s possible to do this. +Enhanced Container Isolation allows running advanced workloads, but denies the ability to perform +kernel operations or access hardware devices. + +#### Does Enhanced Container Isolation restrict bind-mounts inside the container? + +Yes, it restricts bind-mounts of directories located in the Docker Desktop Linux +VM into the container. + +It does not restrict bind-mounts of your host machine files into the container, +as configured via Docker Desktop's **Settings** > **Resources** > **File Sharing**. + +#### Does Enhanced Container Isolation protect all containers launched with Docker Desktop? + +It protects all containers launched by users via `docker create` and `docker run`. It does not yet protect Docker Desktop Kubernetes pods, Extension +Containers, and Dev Environments. + +#### Does Enhanced Container Isolation affect performance of containers? + +Enhanced Container Isolation has very little impact on the performance of containers. The exception is +for containers that perform lots of `mount` and `umount` system calls, as these +are trapped and vetted by the Sysbox container runtime. + +#### With Enhanced Container Isolation, can the user still override the `--runtime` flag from the CLI ? + +No. With Enhanced Container Isolation enabled, Sysbox is locked as the default (and only) runtime for +containers deployed by Docker Desktop users. If a user attempts to override the +runtime (e.g., `docker run --runtime=runc`), this request is ignored and the +container is created through the Sysbox runtime. 
+ +The reason `runc` is disallowed with Enhanced Container Isolation because it +allows users to run as "true root" on the Docker Desktop Linux VM, thereby +providing them with implicit control of the VM and the ability to modify the +administrative configurations for Docker Desktop, for example. + +#### How is ECI different from Docker Engine's userns-remap mode? + +See [How does it work](how-eci-works.md#enhanced-container-isolation-vs-docker-userns--remap-mode). + +#### How is ECI different from Rootless Docker? + +See [How does it work](how-eci-works.md#enhanced-container-isolation-vs-rootless-docker)
    -#### Incompatibility with WSL -Enhanced Container Isolation does not currently work when Docker Desktop runs on Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux Kernel. As a result, to use Enhanced Container Isolation on Windows, you must configure Docker Desktop to use Hyper-V. This can be enforced using Admin Controls. For more information, see [Settings Management](../settings-management/index.md). - -#### Kubernetes pods and extension containers are not yet protected -When Enhanced Container Isolation is enabled, Kubernetes pods and extension containers are not yet protected. A malicious or privileged pod or extension container can compromise the Docker Desktop Linux VM and bypass security controls. +#### Incompatibility with Windows Subsystem for Linux (WSL) +Enhanced Container Isolation (ECI) does not currently work when Docker Desktop runs on +Windows with WSL/WSL2. This is due to some limitations of the WSL/WSL2 Linux +Kernel. As a result, to use Enhanced Container Isolation on Windows, you must +configure Docker Desktop to use Hyper-V. This can be enforced using Admin +Controls. For more information, see [Settings Management](../settings-management/index.md). + +#### Docker build and buildx has some restrictions +With ECI enabled, Docker build `--network=host` and Docker buildx entitlements +(`network.host`, `security.insecure`) are not allowed. Builds that require +these will not work properly. + +#### Kubernetes pods are not yet protected +Kubernetes pods are not yet protected by ECI. A malicious or privileged pod can +compromise the Docker Desktop Linux VM and bypass security controls. We expect +to improve on this in future versions of Docker Desktop. + +#### Extension Containers are not yet protected +Extension containers are also not yet protected by ECI. Ensure you extension +containers come from trusted entities to avoid issues. We expect to improve on +this in future versions of Docker Desktop. 
+ +#### Docker Desktop dev environments are not yet protected +Containers launched by the Docker Desktop Dev Environments feature are not yet +protected either. We expect to improve on this in future versions of Docker +Desktop. #### Use in production -Users may experience some differences between running a container in Docker Desktop with Enhanced Container Isolation enabled, and running that same container in production. This is because in production the container may run on another runtime, typically the OCI runc. +In general users should not experience differences between running a container +in Docker Desktop with ECI enabled, which uses the Sysbox runtime, and running +that same container in production, through the standard OCI `runc` runtime. + +However in some cases, typically when running advanced or privileged workloads in +containers, users may experience some differences. In particular, the container +may run with ECI but not with `runc`, or vice-versa.
    -
    +
    \ No newline at end of file diff --git a/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md b/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md new file mode 100644 index 00000000000..6f95f020895 --- /dev/null +++ b/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md 
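Review bot: the anchor `how-eci-works.md#enhanced-container-isolation-vs-docker-userns--remap-mode` has a doubled hyphen; the heading it targets, "Enhanced Container Isolation vs Docker Userns-Remap Mode", slugifies to `...-userns-remap-mode`, so the link lands at the top of the page. Wording slips in the new text: "For more information, so [How it works]" should be "see"; "use it's elevated privileges" should be "its"; "The reason `runc` is disallowed with Enhanced Container Isolation because it allows" is missing "is"; "Ensure you extension containers" should be "your"; "Docker build and buildx has some restrictions" should be "have". The answer "Most container workloads do, a few do not (yet)" gives the reader nothing to check against; point at the known-issues entries below (privileged workloads that touch non-namespaced kernel resources such as loading a kernel module, and the `--network=host` and buildx entitlement restrictions) instead of leaving it open. Also, the headings move from `###` to `####` in the same hunk as the content changes; if that is intentional it belongs in the commit message, otherwise keep the original level.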
@@ -0,0 +1,289 @@ +--- +description: Instructions on how to set up enhanced container isolation +title: Key features and benefits +keywords: set up, enhanced container isolation, rootless, security +--- + +### Linux User Namespace on all Containers + +With Enhanced Container Isolation, all user containers leverage the [Linux user-namespace](https://man7.org/linux/man-pages/man7/user_namespaces.7.html) +for extra isolation. This means that the root user in the container maps to an unprivileged +user in the Docker Desktop Linux VM. + +For example: + +``` +$ docker run -it --rm --name=first alpine +/ # cat /proc/self/uid_map + 0 100000 65536 +``` + +The output `0 100000 65536` is the signature of the Linux user-namespace. It +means that the root user (0) in the container is mapped to unprivileged user +100000 in the Docker Desktop Linux VM, and the mapping extends for a continuous +range of 64K user IDs. The same applies to group IDs. + +Each container gets an exclusive range of mappings, managed by Sysbox. For +example, if a second container is launched the mapping range is different: + +``` +$ docker run -it --rm --name=second alpine +/ # cat /proc/self/uid_map + 0 165536 65536 +``` + +In contrast, without Enhanced Container Isolation, the container's root user is +in fact root on the host (aka "true root") and this applies to all containers: + +``` +$ docker run -it --rm alpine +/ # cat /proc/self/uid_map + 0 0 4294967295 +``` + +By virtue of using the Linux user-namespace, Enhanced Container Isolation +ensures the container processes never run as user ID 0 (true root) in the Linux +VM. In fact they never run with any valid user-ID in the Linux VM. Thus, their +Linux capabilities are constrained to resources within the container only, +increasing isolation significantly compared to regular containers, both +container-to-host and cross-container isolation. 
+ +### Privileged Containers Are Also Secured + +Privileged containers `docker run --privileged ...` are insecure because they +give the container full access to the Linux kernel. That is, the container runs +as true root with all capabilities enabled, seccomp and AppArmor restrictions +are disabled, all hardware devices are exposed, for example. + +For organizations that wish to secure Docker Desktop on their developer's +machines, privileged containers are problematic as they allow container +workloads whether benign or malicious to gain control of the Linux kernel +inside the Docker Desktop VM and thus modify security related settings, for example registry +access management, and network proxies. + +With Enhanced Container Isolation, privileged containers can no longer do this. The combination of the Linux user-namespace and other security techniques used +by Sysbox ensures that processes inside a privileged container can only access +resources assigned to the container. + +> Note +> +> Enhanced Container Isolation does not prevent users from launching privileged +> containers, but rather runs them securely by ensuring that they can only +> modify resources associated with the container. Privileged workloads that +> modify global kernel settings, for example loading a kernel module or changing BPF +> settings will not work properly as they will receive "permission +> denied" error when attempting such operations. 
+ +For example, Enhanced Container Isolation ensures privileged containers can't +access Docker Desktop network settings in the Linux VM configured via Berkeley +Packet Filters (BPF): + +``` +$ docker run --privileged djs55/bpftool map show +Error: can't get next map: Operation not permitted +``` + +In contrast, without Enhanced Container Isolation, privileged containers +can easily do this: + +``` +$ docker run --privileged djs55/bpftool map show +17: ringbuf name blocked_packets flags 0x0 + key 0B value 0B max_entries 16777216 memlock 0B +18: hash name allowed_map flags 0x0 + key 4B value 4B max_entries 10000 memlock 81920B +20: lpm_trie name allowed_trie flags 0x1 + key 8B value 8B max_entries 1024 memlock 16384B +``` + +Note that some advanced container workloads require privileged containers, for +example Docker-in-Docker, Kubernetes-in-Docker, etc. With Enhanced Container +Isolation you can still run such workloads but do so much more securely than +before. + +### Containers can't share namespaces with the Linux VM + +When Enhanced Container Isolation is enabled, containers can't share Linux +namespaces with the host (e.g., pid, network, uts, etc.) as that essentially +breaks isolation. + +For example, sharing the pid namespace fails: + +``` +$ docker run -it --rm --pid=host alpine +docker: Error response from daemon: failed to create shim task: OCI runtime create failed: error in the container spec: invalid or unsupported container spec: sysbox containers can't share namespaces [pid] with the host (because they use the linux user-namespace for isolation): unknown. +``` + +Similarly sharing the network namespace fails: + +``` +docker run -it --rm --network=host alpine +docker: Error response from daemon: failed to create shim task: OCI runtime create failed: error in the container spec: invalid or unsupported container spec: sysbox containers can't share a network namespace with the host (because they use the linux user-namespace for isolation): unknown. 
+``` + +In addition, the `--userns=host` flag, used to disable the user-namespace on the +container, is ignored: + +``` +$ docker run -it --rm --userns=host alpine +/ # cat /proc/self/uid_map + 0 100000 65536 +``` + +Finally, Docker build `--network=host` and Docker buildx entitlements +(`network.host`, `security.insecure`) are not allowed. Builds that require these +won't work properly. + +### Bind-Mount restrictions + +When Enhanced Container Isolation is enabled, Docker Desktop users can continue +to bind-mount host directories into containers as configured via **Settings** > +**Resources** > **File sharing**, but they are no longer allowed to bind-mount +arbitrary Linux VM directories into containers. + +This prevents containers from modifying sensitive files inside the Docker +Desktop Linux VM, files that can hold configurations for registry access +management, proxies, docker engine configurations, and more. + +For example, the following bind-mount of the Docker Engine's configuration file +(`/etc/docker/daemon.json` inside the Linux VM) into a container is restricted +and therefore fails: + +``` +$ docker run -it --rm -v /etc/docker/daemon.json:/mnt/daemon.json alpine +docker: Error response from daemon: failed to create shim task: OCI runtime create failed: error in the container spec: can't mount /etc/docker/daemon.json because it's configured as a restricted host mount: unknown +``` + +In contrast, without Enhanced Container Isolation this mount works and gives the +container full read and write access to the Docker Engine's configuration. + +Of course, bind-mounts of host files continue to work as usual. 
For example, +assuming a user configures Docker Desktop to file share her $HOME directory, +she can bind-mount it into the container: + +``` +$ docker run -it --rm -v $HOME:/mnt alpine +/ # +``` + +> Note +> +> Enhanced Container Isolation won't allow bind-mounting the Docker socket +> (/var/run/docker.sock) into a container, as doing so essentially grants the +> container control of Docker, thus breaking container isolation. Containers +> that rely on this will not work with Enhanced Container Isolation enabled. + +### Vetting sensitive system calls + +Another feature of Enhanced Container Isolation is that it intercepts and vets a +few highly sensitive system calls inside containers, such as `mount` and +`umount`. This ensures that processes that have capabilities to execute these +system calls can't use them to breach the container. + +For example, a container that has `CAP_SYS_ADMIN` (required to execute the +`mount` system call) can't use that capability to change a read-only bind-mount +into a read-write mount: + +``` +$ docker run -it --rm --cap-add SYS_ADMIN -v $HOME:/mnt:ro alpine +/ # mount -o remount,rw /mnt /mnt +mount: permission denied (are you root?) +``` + +Since the `$HOME` directory was mounted into the container's `/mnt` directory as +read-only, it can't be changed from within the container to read-write. This +ensures container processes use `mount`, or `umount`, to breach the container's +root filesystem. + +Note however that in the example above the container can still create mounts +within the container, and mount them read-only or read-write as needed. 
Those +mounts are allowed since they occur within the container, and therefore don't +breach it's root filesystem: + +``` +/ # mkdir /root/tmpfs +/ # mount -t tmpfs tmpfs /root/tmpfs +/ # mount -o remount,ro /root/tmpfs /root/tmpfs + +/ # findmnt | grep tmpfs +├─/root/tmpfs tmpfs tmpfs ro,relatime,uid=100000,gid=100000 + +/ # mount -o remount,rw /root/tmpfs /root/tmpfs +/ # findmnt | grep tmpfs +├─/root/tmpfs tmpfs tmpfs rw,relatime,uid=100000,gid=100000 +``` + +This feature, together with the user-namespace, ensures that even if a container +process has all Linux capabilities they can't be used to breach the container. + +Finally, Enhanced Container Isolation does system call vetting in such a way +that it does not affect the performance of containers in the great majority of +cases. It intercepts control-path system calls that are rarely used in most +container workloads but data-path system calls are not intercepted. + +### Filesystem user-ID mappings + +As mentioned above, Enhanced Container Isolation enables the Linux +user-namespace on all containers and this ensures that the container's user-ID +range (0->64K) maps to an unprivileged range of "real" user-IDs in the Docker +Desktop Linux VM (e.g., 100000->165535). + +Moreover, each container gets an exclusive range of real user-IDs in the Linux +VM (e.g., container 0 could get mapped to 100000->165535, container 2 to +165536->231071, container 3 to 231072->296607, and so on). Same applies to +group-IDs. In addition, if a container is stopped and restarted, there is no +guarantee it will receive the same mapping as before. This by design and further +improves security. + +However the above presents a problem when mounting Docker volumes into +containers, as the files written to such volumes will have the real +user/group-IDs and will therefore won't be accessible across a container's +start/stop/restart, or between containers due to the different real +user-ID/group-ID of each container. 
+ +To solve this problem, Sysbox uses "filesystem user-ID remapping" via the Linux +Kernel's ID-mapped mounts feature (added in 2021) or an alternative module +called shiftfs. These technologies map filesystem accesses from the container's +real user-ID (e.g., range 100000->165535) to the range (0->65535) inside Docker +Desktop's Linux VM. This way, volumes can now be mounted or shared across +containers, even if each container uses an exclusive range of user-IDs. Users +need not worry about the container's real user-IDs. + +Note that although filesystem user-ID remapping may cause containers to access +Linux VM files mounted into the container with real user-ID 0 (i.e., root), the +[restricted mounts feature](#bind-mount-restrictions) described above ensures +that no Linux VM sensitive files can be mounted into the container. + +### Procfs & Sysfs Emulation + +Another feature of Enhanced Container Isolation is that inside each container, +the procfs ("/proc") and sysfs ("/sys") filesystems are partially emulated. This +serves several purposes, such as hiding sensitive host information inside the +container and namespacing host kernel resources that are not yet namespaced by +the Linux kernel itself. + +As a simple example, when Enhanced Container Isolation is enabled the +`/proc/uptime` file shows the uptime of the container itself, not that of the +Docker Desktop Linux VM: + +``` +$ docker run -it --rm alpine +/ # cat /proc/uptime +5.86 5.86 +``` + +In contrast, without Enhanced Container Isolation you see the uptime of +the Docker Desktop Linux VM. Though this is a trivial example, it shows how +Enhanced Container Isolation aims to prevent the Linux VM's configuration and +information from leaking into the container so as to make it more difficult to +breach the VM. + +In addition several other resources under `/proc/sys` that are not namespaced by +the Linux Kernel are also emulated inside the container. 
Each container +sees a separate view of each such resource and Sysbox reconciles the values +across the containers when programming the corresponding Linux kernel setting. + +This has the advantage of enabling container workloads that would otherwise +require truly privileged containers to access such non-namespaced kernel +resources to run with Enhanced Container Isolation enabled, thereby improving +security. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 7ff2f01c4a9..59573b0b856 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
@@ -8,14 +8,87 @@ keywords: set up, enhanced container isolation, rootless, security > >Enhance Container Isolation is available to Docker Business customers only. -Enhanced Container Isolation takes advantage of the recent integration of Sysbox, the secure container runtime created by [Nestybox](https://www.nestybox.com/). +Enhanced Container Isolation hardens container isolation using the [Sysbox +container runtime](https://github.com/nestybox/sysbox). Sysbox is a fork of the +standard OCI runc runtime that was modified to enhance container isolation and +workloads. For more details see [Under the covers](under-the-covers). -Sysbox is an alternative `runc` used to create a container using the Linux kernel’s namespaces, cgroups, and other features. +Starting with version 4.13, Docker Desktop includes a customized version of +Sysbox. -Unlike the standard `runc` runtime, Sysbox enhances container isolation by using techniques such as enabling the Linux user-namespace on all containers, emulating portions of the `proc` filesystem and `sysfs` inside the container and vetting sensitive accesses between the container and the Linux kernel. This adds an extra layer of isolation between the container and the Linux kernel. +When [Enhanced Container Isolation is enabled](index.md#how-do-i-enable-enhanced-container-isolation), containers +created by users through `docker run` or `docker create` are automatically +launched using Sysbox instead of the standard OCI runc runtime. Users need not +do anything else and can continue to use containers as usual. For exceptions, +see [FAQs and known issues](faq.md). -Without Enhanced Container Isolation, Docker Desktop has Docker Engine run as root with full capabilities inside a container that shares almost all namespaces with the Linux VM’s root user. 
Whilst this provides strong isolation between containers and the underlying host machine, it gives the container access to all the VM’s kernel resources and does not prevent Docker Desktop users from launching a container that runs as root in the Docker Desktop Linux VM, or from using insecure privileged containers. This brings Docker Desktop users closer to gaining privileged access to the underlying host. +Even containers that use the insecure `--privileged` flag can now be run +securely with Enhanced Container Isolation, such that they can no longer be used +to breach the Docker Desktop Virtual Machine (VM) or other containers. -### How is this different to rootless mode in Docker Engine? +>Note +> +> When Enhanced Container Isolation is enabled in Docker Desktop, the Docker CLI +> "--runtime" flag is ignored. Docker's default runtime continues to be "runc", +> but all user containers are implicitly launched with Sysbox. + +Enhanced Container Isolation is not the same as Docker Engine's userns-remap +mode or Rootless Docker. This is explained further below. + +### Under the hood + +Sysbox enhances container isolation by using techniques such as: + +* Enabling the Linux user-namespace on all containers (root user in the container maps to an unprivileged user in the Linux VM). +* Restricting the container from mounting sensitive VM directories +* Vetting sensitive system-calls between the container and the Linux kernel +* Mapping filesystem user/group IDs between the container's user-namespace and the Linux VM +* Emulating portions of the procfs and sysfs filesystems inside the container + +Some of these are made possible by recent advances in the Linux kernel which +Docker Desktop now incorporates. Sysbox applies these techniques with minimal +functional or performance impact to containers. 
+ +These techniques complement Docker's traditional container security mechanisms +such as using other Linux namespaces, cgroups, restricted Linux capabilities, +seccomp, and AppArmor. They add a strong layer of isolation between the +container and the Linux kernel inside the Docker Desktop VM. + +For more information, see [Key features and benefits](features-benefits.md). + +### Enhanced Container Isolation vs Docker Userns-Remap Mode + +The Docker Engine includes a feature called [userns-remap mode][/engine/security/userns-remap/] +that enables the user-namespace in all containers. However it suffers from a few +[limitations](/engine/security/userns-remap/) and it's +not supported within Docker Desktop. + +Userns-remap mode is similar to Enhanced Container Isolation in that both improve +container isolation by leveraging the Linux user-namespace. + +However, Enhanced Container Isolation is much more advanced since it assigns +exclusive user-namespace mappings per container automatically and add several +other [container isolation features](#under-the-covers) meant to secure Docker +Desktop in organizations with stringent security requirements. + +### Enhanced Container Isolation vs Rootless Docker + +[Rootless Docker][/engine/security/rootless/] allows the Docker Engine, and by +extension the containers, to run without root privileges natively a Linux host. This +allows non-root users install and run Docker natively on Linux. + +Rootless Docker is not supported within Docker Desktop. While it's a valuable +feature when running Docker natively on Linux, its value within Docker Desktop +is reduced since Docker Desktop runs the Docker Engine within a Linux VM. That +is, Docker Desktop already allows non-root host users to run Docker and +isolates the Docker Engine from the host using a virtual machine. +Unlike Rootless Docker, Enhanced Container Isolation does not run Docker Engine +within a Linux user-namespace. 
Rather it runs the containers generated by that +engine within a user-namespace. This has the advantage of bypassing [the +limitations](/engine/security/rootless/#known-limitations) of Rootless Docker +and creates a stronger boundary between the containers and the Docker Engine. +Enhanced Container Isolation is meant to ensure containers launched with Docker +Desktop can't easily breach the Docker Desktop Linux VM and therefore modify +security settings within it. diff --git a/desktop/hardened-desktop/settings-management/configure.md b/desktop/hardened-desktop/settings-management/configure.md index 69432596646..b09429fd2e9 100644 --- a/desktop/hardened-desktop/settings-management/configure.md +++ b/desktop/hardened-desktop/settings-management/configure.md 
@@ -109,10 +109,10 @@ The following `admin-settings.json` code and table provides an example of the re | `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | | `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | |        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| -|       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | +|       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. 
| |       `vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | | `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | -|        `dockerDaemonOptions` | | Overrides the options in the linux daemon config file. See the [Docker Engine reference](../../../engine/reference/commandline/dockerd/#daemon-configuration-file).| | +|        `dockerDaemonOptions` | | Overrides the options in the linux daemon config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file).| | |`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| |`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | From cc5af440c59d32955fe00060430083725e359632 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:34:38 +0100 Subject: [PATCH 32/33] fix broken links --- desktop/hardened-desktop/enhanced-container-isolation/faq.md | 4 ++-- .../enhanced-container-isolation/how-eci-works.md | 4 ++-- desktop/hardened-desktop/settings-management/configure.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index e5e37de0b71..919d7288d89 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
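Review bot: the how-eci-works.md hunk (`@@ -8,14 +8,87 @@`) introduces two kinds of broken link. `[Under the covers](under-the-covers)` is a relative path to a page that does not exist; the target is the `### Under the hood` section added in the same hunk, so it should read `[Under the hood](#under-the-hood)`, and `[container isolation features](#under-the-covers)` further down has the same anchor mismatch. The two reference-style links `[userns-remap mode][/engine/security/userns-remap/]` and `[Rootless Docker][/engine/security/rootless/]` put the URL in square brackets, which Markdown treats as an undefined reference label rather than a link; use `](...)`. Grammar in the same hunk: "and add several other" should be "and adds several other", "natively a Linux host" is missing "on", and "allows non-root users install" is missing "to". The Note also quotes the flag as "--runtime" while the rest of the page uses backticks for CLI flags.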
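Review bot: in the configure.md hunk (`@@ -109,10 +109,10 @@`) the `linuxVM` > `dockerDaemonOptions` row still says "If `value` is set to true, it overrides the options in the Docker Engine config file", but the `windowsContainers` > `dockerDaemonOptions` row in the same hunk describes the setting as "Overrides the options in the linux daemon config file", i.e. a set of daemon options rather than a boolean. One of the two descriptions is wrong; if the value is the daemon configuration itself, drop the "set to true" phrasing from the Linux row so admins do not put `true` there. The hunk also switches only the engine links to root-relative `/engine/...` while the `../enhanced-container-isolation/...` links in the same table stay relative; pick one convention. "linux daemon config file" should be capitalised as "Linux".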
@@ -28,7 +28,7 @@ Yes, you can use the `--privileged` flag in containers but unlike privileged containers without Enhanced Container Isolation, the container can only use it's elevated privileges to access resources assigned to the container. It can't access global kernel resources in the Docker Desktop Linux VM. This allows you to run privileged -containers securely. For more information, so [How it works](how-eci-works.md#privileged-containers-are-also-secured). +containers securely. For more information, see [Key features and benefits](features-benefits.md#privileged-containers-are-also-secured). #### Will all privileged container workloads run with Enhanced Container Isolation? @@ -78,7 +78,7 @@ administrative configurations for Docker Desktop, for example. #### How is ECI different from Docker Engine's userns-remap mode? -See [How does it work](how-eci-works.md#enhanced-container-isolation-vs-docker-userns--remap-mode). +See [How does it work](how-eci-works.md#enhanced-container-isolation-vs-docker-userns-remap-mode). #### How is ECI different from Rootless Docker? diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 59573b0b856..274b875c42c 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md @@ -11,7 +11,7 @@ keywords: set up, enhanced container isolation, rootless, security Enhanced Container Isolation hardens container isolation using the [Sysbox container runtime](https://github.com/nestybox/sysbox). Sysbox is a fork of the standard OCI runc runtime that was modified to enhance container isolation and -workloads. For more details see [Under the covers](under-the-covers). +workloads. For more details see [Under the covers](#under-the-hood). Starting with version 4.13, Docker Desktop includes a customized version of Sysbox. 
@@ -68,7 +68,7 @@ container isolation by leveraging the Linux user-namespace. However, Enhanced Container Isolation is much more advanced since it assigns exclusive user-namespace mappings per container automatically and add several -other [container isolation features](#under-the-covers) meant to secure Docker +other [container isolation features](#under-the-hood) meant to secure Docker Desktop in organizations with stringent security requirements. ### Enhanced Container Isolation vs Rootless Docker diff --git a/desktop/hardened-desktop/settings-management/configure.md b/desktop/hardened-desktop/settings-management/configure.md index b09429fd2e9..eb1fc029a44 100644 --- a/desktop/hardened-desktop/settings-management/configure.md +++ b/desktop/hardened-desktop/settings-management/configure.md 
@@ -106,7 +106,7 @@ The following `admin-settings.json` code and table provides an example of the re | `configurationFileVersion` | |Specifies the version of the configuration file format. | | `exposeDockerAPIOnTCP2375` | Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| | `proxy` | |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores and values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | -| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-wsl). | +| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/index.md). Note: Enhanced Container Isolation is currently [incompatible with WSL](../enhanced-container-isolation/faq.md#incompatibility-with-windows-subsystem-for-linux-wsl). 
| | `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | |        `wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=` flag. It is also incompatible with Enhanced Container Isolation. See [Known issues](../enhanced-container-isolation/faq.md) for more information.| |       `dockerDaemonOptions`| |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/engine/reference/commandline/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | From fe09c79f0c7ed5fad92212e3557c4ef0f9e82ec2 Mon Sep 17 00:00:00 2001 From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 19 Oct 2022 12:55:08 +0100 Subject: [PATCH 33/33] final checks --- .../enhanced-container-isolation/faq.md | 6 +++--- .../features-benefits.md | 16 ++++++++-------- .../how-eci-works.md | 12 ++++++------ .../enhanced-container-isolation/index.md | 11 +++++++---- desktop/hardened-desktop/index.md | 2 +- .../registry-access-management.md | 2 +- .../settings-management/index.md | 6 +----- 7 files changed, 27 insertions(+), 28 deletions(-) diff --git a/desktop/hardened-desktop/enhanced-container-isolation/faq.md b/desktop/hardened-desktop/enhanced-container-isolation/faq.md index 919d7288d89..3e4f5b72fff 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/faq.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/faq.md 
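Review bot: in the faq.md hunk (`@@ -28,7 +28,7 @@`) the link fix is fine, but the context line above it still reads "the container can only use it's elevated privileges", which should be "its"; worth fixing while touching this paragraph. Also confirm that features-benefits.md has a heading that slugifies to `privileged-containers-are-also-secured`, since that anchor previously lived in how-eci-works.md.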
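Review bot: in the how-eci-works.md hunk (`@@ -11,7 +11,7 @@`) the anchor now points at `#under-the-hood` but the link text still says "Under the covers", so the text no longer matches the heading it links to; change it to `[Under the hood](#under-the-hood)`. The same sentence, "modified to enhance container isolation and workloads", reads oddly because Sysbox does not "enhance workloads"; the FAQ in this patch set says it "allows running advanced workloads", so wording along those lines would be clearer.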
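Review bot: the anchor fix in the how-eci-works.md hunk (`@@ -68,7 +68,7 @@`) is right, but the edited line "exclusive user-namespace mappings per container automatically and add several" has a subject-verb mismatch (the subject is "Enhanced Container Isolation ... assigns ... and adds"); change "add" to "adds" in the same hunk.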
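Review bot: in the configure.md hunk (`@@ -106,7 +106,7 @@`) the `proxy` row context has "ignores and values set for `http`, `https` and `exclude`", which should be "ignores any values". For the new anchor `#incompatibility-with-windows-subsystem-for-linux-wsl`, check the rendered FAQ heading: the slug assumes the heading is "Incompatibility with Windows Subsystem for Linux (WSL)" with the parentheses dropped, so it will silently break if that heading is later shortened back to "WSL".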
@@ -45,12 +45,12 @@ devices. Enhanced Container Isolation allows running advanced workloads, but denies the ability to perform kernel operations or access hardware devices. -#### Does Enhanced Container Isolation restrict bind-mounts inside the container? +#### Does Enhanced Container Isolation restrict bind mounts inside the container? -Yes, it restricts bind-mounts of directories located in the Docker Desktop Linux +Yes, it restricts bind mounts of directories located in the Docker Desktop Linux VM into the container. -It does not restrict bind-mounts of your host machine files into the container, +It does not restrict bind mounts of your host machine files into the container, as configured via Docker Desktop's **Settings** > **Resources** > **File Sharing**. #### Does Enhanced Container Isolation protect all containers launched with Docker Desktop? diff --git a/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md b/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md index 6f95f020895..c912044c867 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/features-benefits.md 
@@ -134,18 +134,18 @@ Finally, Docker build `--network=host` and Docker buildx entitlements (`network.host`, `security.insecure`) are not allowed. Builds that require these won't work properly. -### Bind-Mount restrictions +### Bind mount restrictions When Enhanced Container Isolation is enabled, Docker Desktop users can continue -to bind-mount host directories into containers as configured via **Settings** > -**Resources** > **File sharing**, but they are no longer allowed to bind-mount +to bind mount host directories into containers as configured via **Settings** > +**Resources** > **File sharing**, but they are no longer allowed to bind mount arbitrary Linux VM directories into containers. This prevents containers from modifying sensitive files inside the Docker Desktop Linux VM, files that can hold configurations for registry access management, proxies, docker engine configurations, and more. -For example, the following bind-mount of the Docker Engine's configuration file +For example, the following bind mount of the Docker Engine's configuration file (`/etc/docker/daemon.json` inside the Linux VM) into a container is restricted and therefore fails: @@ -157,9 +157,9 @@ docker: Error response from daemon: failed to create shim task: OCI runtime crea In contrast, without Enhanced Container Isolation this mount works and gives the container full read and write access to the Docker Engine's configuration. -Of course, bind-mounts of host files continue to work as usual. For example, +Of course, bind mounts of host files continue to work as usual. For example, assuming a user configures Docker Desktop to file share her $HOME directory, -she can bind-mount it into the container: +she can bind mount it into the container: ``` $ docker run -it --rm -v $HOME:/mnt alpine 
@@ -168,7 +168,7 @@ $ docker run -it --rm -v $HOME:/mnt alpine > Note > -> Enhanced Container Isolation won't allow bind-mounting the Docker socket +> Enhanced Container Isolation won't allow bind mounting the Docker socket > (/var/run/docker.sock) into a container, as doing so essentially grants the > container control of Docker, thus breaking container isolation. Containers > that rely on this will not work with Enhanced Container Isolation enabled. @@ -181,7 +181,7 @@ few highly sensitive system calls inside containers, such as `mount` and system calls can't use them to breach the container. For example, a container that has `CAP_SYS_ADMIN` (required to execute the -`mount` system call) can't use that capability to change a read-only bind-mount +`mount` system call) can't use that capability to change a read-only bind mount into a read-write mount: ``` diff --git a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md index 274b875c42c..153c922bd9c 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/how-eci-works.md 
@@ -40,10 +40,10 @@ mode or Rootless Docker. This is explained further below. Sysbox enhances container isolation by using techniques such as: * Enabling the Linux user-namespace on all containers (root user in the container maps to an unprivileged user in the Linux VM). -* Restricting the container from mounting sensitive VM directories -* Vetting sensitive system-calls between the container and the Linux kernel -* Mapping filesystem user/group IDs between the container's user-namespace and the Linux VM -* Emulating portions of the procfs and sysfs filesystems inside the container +* Restricting the container from mounting sensitive VM directories. +* Vetting sensitive system-calls between the container and the Linux kernel. +* Mapping filesystem user/group IDs between the container's user-namespace and the Linux VM. +* Emulating portions of the procfs and sysfs filesystems inside the container. Some of these are made possible by recent advances in the Linux kernel which Docker Desktop now incorporates. Sysbox applies these techniques with minimal @@ -58,7 +58,7 @@ For more information, see [Key features and benefits](features-benefits.md). ### Enhanced Container Isolation vs Docker Userns-Remap Mode -The Docker Engine includes a feature called [userns-remap mode][/engine/security/userns-remap/] +The Docker Engine includes a feature called [userns-remap mode](/engine/security/userns-remap/) that enables the user-namespace in all containers. However it suffers from a few [limitations](/engine/security/userns-remap/) and it's not supported within Docker Desktop. 
@@ -73,7 +73,7 @@ Desktop in organizations with stringent security requirements. ### Enhanced Container Isolation vs Rootless Docker -[Rootless Docker][/engine/security/rootless/] allows the Docker Engine, and by +[Rootless Docker](/engine/security/rootless/) allows the Docker Engine, and by extension the containers, to run without root privileges natively a Linux host. This allows non-root users install and run Docker natively on Linux. diff --git a/desktop/hardened-desktop/enhanced-container-isolation/index.md b/desktop/hardened-desktop/enhanced-container-isolation/index.md index 0c8666b788b..c04864f9c6b 100644 --- a/desktop/hardened-desktop/enhanced-container-isolation/index.md +++ b/desktop/hardened-desktop/enhanced-container-isolation/index.md @@ -35,7 +35,7 @@ When Enhanced Container Isolation is enabled using [Settings Management](../sett - All user containers are automatically run in Linux User Namespaces which ensures stronger isolation. - The root user in the container maps to an unprivileged user at VM level. -- Users can continue using containers as usual, including bind-mounting host directories, volumes, networking configurations, etc. +- Users can continue using containers as usual, including bind mounting host directories, volumes, networking configurations, etc. - Privileged containers work, but they are only privileged within the container's Linux User Namespace, not in the Docker Desktop VM. - Containers can no longer share namespaces with the Docker Desktop VM. For example, `--network=host`, `--pid=host`. - Containers can no longer modify configuration files in the Docker Desktop VM. 
@@ -65,7 +65,10 @@ Next, you must [create and configure the `admin-settings.json` file](../settings } ``` -Once this is done, developers need to either quit, re-launch, and sign in to Docker Desktop, or launch and sign in to Docker Desktop for the first time. +For this to take effect: + +- On a new install, developers need to launch Docker Desktop and authenticate to their organization. +- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then relaunch Docker Desktop. If they are already signed in, they don’t need to sign in again for the changes to take effect. >Important > @@ -74,7 +77,7 @@ Once this is done, developers need to either quit, re-launch, and sign in to Doc ### What do users see when this setting is enforced? -When Enhanced Container Isolation is enabled, users see that containers run within a Linux user-namespace. +When Enhanced Container Isolation is enabled, users see that containers run within a Linux user namespace. To check, run: @@ -90,7 +93,7 @@ The following output displays: This indicates that the container's root user (0) maps to unprivileged user (100000) in the Docker Desktop VM, and that the mapping extends for a range of 64K user-IDs. -In contrast, without Enhanced Container Isolation the Linux user-namespace is not used, the following displays: +In contrast, without Enhanced Container Isolation the Linux user namespace is not used, the following displays: ``` 0 0 4294967295 diff --git a/desktop/hardened-desktop/index.md b/desktop/hardened-desktop/index.md index 5a70504e369..f0ce2b0ce42 100644 --- a/desktop/hardened-desktop/index.md +++ b/desktop/hardened-desktop/index.md 
@@ -7,7 +7,7 @@ keywords: security, hardened desktop, enhanced container isolation, registry acc > >Hardened Desktop is available to Docker Business customers only. -Hardened Desktop is a security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organizations security posture for containerized development, without impacting the developer experience that Docker Desktop offers. +Hardened Desktop is a security model for Docker Desktop. It's designed to provide admins with a simple and powerful way to improve their organization's security posture for containerized development, without impacting the developer experience that Docker Desktop offers. It is for security conscious organizations who don’t give their users root or admin access on their machines, and who would like Docker Desktop to be within their organization’s centralized control. diff --git a/desktop/hardened-desktop/registry-access-management.md b/desktop/hardened-desktop/registry-access-management.md index e26434ae4db..81660f83506 100644 --- a/desktop/hardened-desktop/registry-access-management.md +++ b/desktop/hardened-desktop/registry-access-management.md @@ -29,7 +29,7 @@ You need to [configure a registry.json to enforce sign-in](../../docker-hub/conf To configure Registry Access Management permissions: 1. Sign in to your [Docker Hub](https://hub.docker.com){: target="_blank" rel="noopener" class="_"} account as an organization owner. -2. Select an organization and then navigate to the **Settings** tab on the **Organizations** page and click **Registry Access**. +2. Select an organization and then navigate to the **Settings** tab on the **Organizations** page and select **Registry Access**. 3. Toggle on Registry Access Management to set the permissions for your registry. > **Note** diff --git a/desktop/hardened-desktop/settings-management/index.md b/desktop/hardened-desktop/settings-management/index.md index b9d499b6fb2..f74e6a0fd49 100644 
--- a/desktop/hardened-desktop/settings-management/index.md +++ b/desktop/hardened-desktop/settings-management/index.md @@ -43,7 +43,7 @@ For more details on the syntax and options admins can set, see [Configure Settin As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. -Next, you must [create and configure the admin-settings.json file](configure.md). You can also use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location +Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location. Once this is done, Docker Desktop users receive the changed settings when they either: - Quit, re-launch, and sign in to Docker Desktop 
@@ -51,12 +51,8 @@ Once this is done, Docker Desktop users receive the changed settings when they e Docker doesn't automatically mandate that developers re-launch and re-authenticate once a change has been made, so as not to disrupt your developers' workflow. - - ### What do users see when the settings are enforced? -Docker Desktop users see a notification in **Settings**, or **Preferences** if using a macOS, which states **Some settings are managed by your Admin**. - Any settings that are enforced, are grayed out in Docker Desktop and the user is unable to edit them, either via the Docker Desktop UI, CLI, or the `settings.json` file. In addition, if Enhanced Container Isolation is enforced, users can't use privileged containers or similar techniques to modify enforced settings within the Docker Desktop Linux VM, for example, reconfigure proxy and networking of reconfigure Docker Engine. ![Proxy settings grayed out](/assets/images/grayed-setting.png){:width="750px"}
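Review bot: the features-benefits.md hunk (`@@ -134,18 +134,18 @@`) changes "bind mount" to the unhyphenated form even where it is used as a verb ("to bind mount host directories", "she can bind mount it"); the usual convention is the noun "bind mount" and the verb "bind-mount", so this hunk and the matching index.md change over-correct. In the context, "docker engine configurations" should be "Docker Engine configurations", and the example `docker run -it --rm -v $HOME:/mnt alpine` would be safer quoted as `-v "$HOME:/mnt"` for home paths containing spaces.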
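Review bot: in the how-eci-works.md hunk (`@@ -40,10 +40,10 @@`), while adding terminal periods, "Vetting sensitive system-calls" should become "system calls"; features-benefits.md in this same patch uses the two-word form throughout.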
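Review bot: in the how-eci-works.md hunk (`@@ -58,7 +58,7 @@`) both links in the paragraph now resolve to the same URL, `/engine/security/userns-remap/`; the "limitations" link should point at the specific section of that page that lists them (as the Rootless Docker paragraph does with `#known-limitations`), otherwise the second link is redundant. "However it suffers" also needs a comma after "However".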
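Review bot: the link syntax fix in the how-eci-works.md hunk (`@@ -73,7 +73,7 @@`) is correct, but the two context lines still carry grammar errors: "to run without root privileges natively a Linux host" is missing "on", and "This allows non-root users install and run Docker" is missing "to".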
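Review bot: the new bullet in the index.md hunk (`@@ -65,7 +65,10 @@`), "If they are already signed in, they don't need to sign in again for the changes to take effect", conflicts with settings-management/index.md in this same patch, which still tells users to "Quit, re-launch, and sign in to Docker Desktop". Enforcement depends on the user being authenticated to the Docker Business organization (the registry.json requirement stated just above), so both pages should describe the re-launch and sign-in condition identically. The new text also uses a curly apostrophe in "don't" where the rest of the file uses straight quotes.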
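Review bot: in the index.md hunk (`@@ -90,7 +90,7 @@`), "without Enhanced Container Isolation the Linux user namespace is not used, the following displays" is a comma splice; suggest "When Enhanced Container Isolation is disabled, the Linux user namespace is not used and the following displays:". It would also help to say that `0 0 4294967295` is the identity mapping, i.e. root in the container is root in the Docker Desktop VM, which is the contrast the preceding paragraph sets up.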
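Review bot: in the hardened-desktop/index.md hunk (`@@ -7,7 +7,7 @@`) the possessive fix is good; the next context line, "It is for security conscious organizations", should be hyphenated as "security-conscious" while this paragraph is being edited.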
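Review bot: the settings-management/index.md hunk (`@@ -51,12 +51,8 @@`) deletes the sentence about the "Some settings are managed by your Admin" notification, leaving grayed-out controls as the only stated cue that settings are enforced; if the notification has been removed from the product that is fine, otherwise keep the sentence. The context line also has a typo: "reconfigure proxy and networking of reconfigure Docker Engine" should read "or reconfigure Docker Engine".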