From 8b584f626c149001c893757c67ccd33f24b04cbf Mon Sep 17 00:00:00 2001
From: toutdesuite <guizhiluo2014@163.com>
Date: Wed, 13 May 2020 18:46:25 +0800
Subject: [PATCH] *: update the recent improvements about tls/security (#2491)

---
 TOC.md                                        |   1 +
 .../secure/enable-tls-between-components.md   | 196 +++++++++++++-----
 how-to/secure/enable-tls-clients.md           |  56 +++--
 media/sqlgram/AlterInstanceStmt.png           | Bin 0 -> 29557 bytes
 reference/sql/statements/alter-instance.md    |  37 ++++
 reference/tools/tidb-control.md               |   3 +
 6 files changed, 226 insertions(+), 67 deletions(-)
 create mode 100644 media/sqlgram/AlterInstanceStmt.png
 create mode 100644 reference/sql/statements/alter-instance.md

diff --git a/TOC.md b/TOC.md
index 0f7a437a6e90e..73628dc0f1d09 100644
--- a/TOC.md
+++ b/TOC.md
@@ -171,6 +171,7 @@
       - [`ADD INDEX`](/reference/sql/statements/add-index.md)
       - [`ADMIN`](/reference/sql/statements/admin.md)
       - [`ALTER DATABASE`](/reference/sql/statements/alter-database.md)
+      - [`ALTER INSTANCE`](/reference/sql/statements/alter-instance.md)
       - [`ALTER TABLE`](/reference/sql/statements/alter-table.md)
       - [`ALTER USER`](/reference/sql/statements/alter-user.md)
       - [`ANALYZE TABLE`](/reference/sql/statements/analyze-table.md)
diff --git a/how-to/secure/enable-tls-between-components.md b/how-to/secure/enable-tls-between-components.md
index 38ee06ea70329..3b7dbfdc068af 100644
--- a/how-to/secure/enable-tls-between-components.md
+++ b/how-to/secure/enable-tls-between-components.md
@@ -1,17 +1,19 @@
 ---
-title: Enable TLS Authentication
-summary: Learn how to enable TLS authentication in a TiDB cluster.
+title: Enable TLS Authentication and Encrypt the Stored Data
+summary: Learn how to enable TLS authentication and encrypt the stored data in a TiDB cluster.
 category: how-to
 ---
 
-# Enable TLS Authentication
+# Enable TLS Authentication and Encrypt the Stored Data
 
-## Overview
+This document introduces how to enable TLS authentication and encrypt the stored data in a TiDB cluster.
 
-This document describes how to enable TLS authentication in the TiDB cluster. The TLS authentication includes the following two conditions:
+## Enable TLS Authentication
 
-- The mutual authentication between TiDB components, including the authentication among TiDB, TiKV and PD, between TiKV Control and TiKV, between PD Control and PD, between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, and it does not support applying to only part of the components.
-- The one-way and mutual authentication between the TiDB server and the MySQL Client.
+This section describes how to enable TLS authentication in a TiDB cluster. TLS authentication can be applied to the following scenarios:
+
+- The **mutual authentication** between TiDB components, including the authentication among TiDB, TiKV, and PD; the authentication between TiDB Control and TiDB, between TiKV Control and TiKV, between PD Control and PD; the authentication between TiKV peers, and between PD peers. Once enabled, the mutual authentication applies to all components, rather than to part of the components.
+- The **one-way** and **mutual authentication** between the TiDB server and the MySQL Client.
 
 > **Note:**
 >
@@ -19,68 +21,160 @@ This document describes how to enable TLS authentication in the TiDB cluster. Th
 
 ## Enable mutual TLS authentication among TiDB components
 
-### Prepare certificates
+1. Prepare certificates.
+
+    It is recommended to prepare a server certificate for TiDB, TiKV, and PD separately. Make sure that these components can authenticate each other. The clients of TiDB, TiKV, and PD share one client certificate.
+
+    You can use tools like `openssl`, `easy-rsa` and `cfssl` to generate self-signed certificates.
+
+    If you choose `cfssl`, you can refer to [generating self-signed certificates](/how-to/secure/generate-self-signed-certificates.md).
+
+2. Configure certificates.
+
+   To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV, and PD as follows.
+
+   - TiDB
+
+        Configure in the configuration file or command line arguments:
+
+        ```toml
+        [security]
+        # Path of file that contains list of trusted SSL CAs for connection with cluster components.
+        cluster-ssl-ca = "/path/to/ca.pem"
+        # Path of file that contains X509 certificate in PEM format for connection with cluster components.
+        cluster-ssl-cert = "/path/to/tidb-server.pem"
+        # Path of file that contains X509 key in PEM format for connection with cluster components.
+        cluster-ssl-key = "/path/to/tidb-server-key.pem"
+        ```
+
+   - TiKV
+
+        Configure in the configuration file or command line arguments, and set the corresponding URL to https:
+
+        ```toml
+        [security]
+        # set the path for certificates. Empty string means disabling secure connections.
+        ca-path = "/path/to/ca.pem"
+        cert-path = "/path/to/tikv-server.pem"
+        key-path = "/path/to/tikv-server-key.pem"
+        ```
+
+   - PD
+
+        Configure in the configuration file or command line arguments, and set the corresponding URL to https:
+
+        ```toml
+        [security]
+        # Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
+        cacert-path = "/path/to/ca.pem"
+        # Path of file that contains X509 certificate in PEM format.
+        cert-path = "/path/to/pd-server.pem"
+        # Path of file that contains X509 key in PEM format.
+        key-path = "/path/to/pd-server-key.pem"
+        ```
+
+    After certificates are configured as above, mutual authentication among TiDB components is enabled.
+
+    > **Note:**
+    >
+    > If you have enabled TLS in a TiDB cluster when you connect to the cluster using tidb-ctl, tikv-ctl, or pd-ctl, you need to specify the client certificate. For example:
 
-It is recommended to prepare a separate server certificate for TiDB, TiKV and PD, and make sure that they can authenticate each other. The clients of TiDB, TiKV and PD share one client certificate.
+    {{< copyable "shell-regular" >}}
 
-You can use multiple tools to generate self-signed certificates, such as `openssl`, `easy-rsa` and `cfssl`.
+    ```bash
+    ./tidb-ctl -u https://127.0.0.1:10080 --ca /path/to/ca.pem --ssl-cert /path/to/client.pem --ssl-key /path/to/client-key.pem
+    ```
 
-See an example of [generating self-signed certificates](/how-to/secure/generate-self-signed-certificates.md) using `cfssl`.
+    {{< copyable "shell-regular" >}}
 
-### Configure certificates
+    ```bash
+    ./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
+    ```
 
-To enable mutual authentication among TiDB components, configure the certificates of TiDB, TiKV and PD as follows.
+    {{< copyable "shell-regular" >}}
 
-#### TiDB
+    ```bash
+    ./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
+    ```
 
-Configure in the configuration file or command line arguments:
+3. Configure Common Name.
 
-```toml
-[security]
-# Path of file that contains list of trusted SSL CAs for connection with cluster components.
-cluster-ssl-ca = "/path/to/ca.pem"
-# Path of file that contains X509 certificate in PEM format for connection with cluster components.
-cluster-ssl-cert = "/path/to/tidb-server.pem"
-# Path of file that contains X509 key in PEM format for connection with cluster components.
-cluster-ssl-key = "/path/to/tidb-server-key.pem"
-```
+    The Common Name is used for caller verification. In general, the callee needs to verify the caller's identity, in addition to verifying the key, the certificates, and the CA provided by the caller. For example, TiKV can only be accessed by TiDB, and other visitors are blocked even though they have legitimate certificates. It is recommended to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee.
 
-#### TiKV
+    - TiDB
 
-Configure in the configuration file or command line arguments, and set the corresponding URL to https:
+        Configure in the configuration file or command line arguments:
 
-```toml
-[security]
-# set the path for certificates. Empty string means disabling secure connections.
-ca-path = "/path/to/ca.pem"
-cert-path = "/path/to/tikv-server.pem"
-key-path = "/path/to/tikv-server-key.pem"
-```
+        ```toml
+        [security]
+        cluster-verify-cn = [
+            "TiDB-Server",
+            "TiKV-Control",
+        ]
+        ```
 
-#### PD
+    - TiKV
 
-Configure in the configuration file or command line arguments, and set the corresponding URL to https:
+        Configure in the configuration file or command line arguments:
 
-```toml
-[security]
-# Path of file that contains list of trusted SSL CAs. If set, following four settings shouldn't be empty
-cacert-path = "/path/to/ca.pem"
-# Path of file that contains X509 certificate in PEM format.
-cert-path = "/path/to/pd-server.pem"
-# Path of file that contains X509 key in PEM format.
-key-path = "/path/to/pd-server-key.pem"
-```
+        ```toml
+        [security]
+        cert-allowed-cn = [
+            "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1",
+        ]
+        ```
 
-Now mutual authentication among TiDB components is enabled.
+    - PD
 
-When you connect the server using the client, it is required to specify the client certificate. For example:
+        Configure in the configuration file or command line arguments:
 
-```bash
-./pd-ctl -u https://127.0.0.1:2379 --cacert /path/to/ca.pem --cert /path/to/client.pem --key /path/to/client-key.pem
+        ```toml
+        [security]
+        cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"]
+        ```
 
-./tikv-ctl --host="127.0.0.1:20160" --ca-path="/path/to/ca.pem" --cert-path="/path/to/client.pem" --key-path="/path/to/clinet-key.pem"
-```
+4. Reload certificates.
+
+    To reload the certificates and the keys, TiDB, PD, and TiKV reread the current certificates and the key files each time a new connection is created. Currently, you cannot reload the CA certificate. 
 
 ## Enable TLS authentication between the MySQL client and TiDB server
 
-See [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md).
+Refer to [Use Encrypted Connections](/how-to/secure/enable-tls-clients.md).
+
+## Encrypt stored data
+
+In a TiDB cluster, user data is stored in TiKV. Once you configure the encrypted storage feature in TiKV, the TiDB cluster encrypts this data. This section introduces how to configure the data encryption feature in TiKV.
+
+1. Generate the token file.
+
+    The token file stores the keys used to encrypt the user data and to decrypt the encrypted data.
+
+    {{< copyable "shell-regular" >}}
+
+    ```bash
+    ./tikv-ctl random-hex --len 256 > cipher-file-256
+    ```
+
+    > **Note:**
+    >
+    > You can only use the hex-formatted token file. The file length must be 2 to the power of N, and is less than or equal to 1024.
+
+2. Configure TiKV as follows.
+
+    ```toml
+    [security]
+    # Storage path of the Cipher file.
+    cipher-file = "/path/to/cipher-file-256"
+    ```
+
+> **Note:**
+>
+> When you import data into a cluster using [TiDB Lightning](/reference/tools/tidb-lightning/overview.md), if the storage encryption feature is enabled in the target cluster, the SST files generated by TiDB Lightning must be encrypted.
+
+### Limitations
+
+The limitations of the storage encryption feature are as follows:
+
+- If the feature has not been enabled in the cluster before, you cannot enable this feature.
+- If the feature is enabled in the cluster, you cannot disable this feature.
+- You cannot enable the feature for some TiKV instances while disabling it for other instances in one cluster. You can only enable or disable this feature for all TiKV instances. This is because if you enable the encrypted storage feature, data are encrypted during data migration.
diff --git a/how-to/secure/enable-tls-clients.md b/how-to/secure/enable-tls-clients.md
index 1ec60ada502a5..32d884c9e35f5 100644
--- a/how-to/secure/enable-tls-clients.md
+++ b/how-to/secure/enable-tls-clients.md
@@ -6,9 +6,9 @@ category: how-to
 
 # Enable TLS for MySQL Clients
 
-It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to information leak.
+It is recommended to use the encrypted connection to ensure data security because non-encrypted connection might lead to an information leak.
 
-The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2.
+The TiDB server supports the encrypted connection based on the TLS (Transport Layer Security). The protocol is consistent with MySQL encrypted connections and is directly supported by existing MySQL clients such as MySQL operation tools and MySQL drivers. TLS is sometimes referred to as SSL (Secure Sockets Layer). Because the SSL protocol has [known security vulnerabilities](https://en.wikipedia.org/wiki/Transport_Layer_Security), TiDB does not support it. TiDB supports the following versions: TLS 1.0, TLS 1.1, and TLS 1.2, TLS 1.3.
 
 After using an encrypted connection, the connection has the following security properties:
 
@@ -16,12 +16,25 @@ After using an encrypted connection, the connection has the following security p
 - Integrity: the traffic plaintext cannot be tampered
 - Authentication: (optional) the client and the server can verify the identity of both parties to avoid man-in-the-middle attacks
 
-The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In addition, similar to MySQL, the encrypted connections in TiDB consist of single optional connection. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. Most MySQL clients do not use encrypted connections by default, so generally the client is explicitly required to use an encrypted connection.
+The encrypted connections in TiDB are disabled by default. To use encrypted connections in the client, you must first configure the TiDB server and enable encrypted connections. In short, to use encrypted connections, both of the following conditions must be met:
 
-In short, to use encrypted connections, both of the following conditions must be met:
++ Enable encrypted connections in the TiDB server.
++ The client specifies to use an encrypted connection.
 
-1. Enable encrypted connections in the TiDB server.
-2. The client specifies to use an encrypted connection.
+Similar to MySQL, the encrypted connections in TiDB consist of single connections. The encrypted connection is optional by default. For a TiDB server with encrypted connections enabled, you can choose to securely connect to the TiDB server through an encrypted connection, or to use a generally unencrypted connection. If the encrypted connections are enforced as required, both of the following two ways are available:
+
++ Configure the launch parameter `--require-secure-transport` to enable encrypted connections to the TiDB server for all users.
++ Specify `require ssl` when you create a user (`create user`), grant permissions (`grant`) or modify an existing user (`alter user`), which is to specify that specified users must use the encrypted connection to access TiDB. The following is an example of creating a user:
+
+    {{< copyable "sql" >}}
+
+    ```sql
+    create user 'u1'@'%'  require ssl;
+    ```
+
+> **Note:**
+>
+> If the login user has configured using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
 
 ## Configure TiDB to use encrypted connections
 
@@ -63,7 +76,13 @@ ssl-cert = "certs/server-cert.pem"
 ssl-key = "certs/server-key.pem"
 ```
 
-If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started, otherwise it outputs `secure connection is NOT ENABLED`.
+If the certificate parameters are correct, TiDB outputs `secure connection is enabled` when started; otherwise, it outputs `secure connection is NOT ENABLED`.
+
+## Reload certificate, key, and CA
+
+To replace the certificate, the key or CA, first replace the corresponding files, then execute the [`ALTER INSTANCE RELOAD TLS`](/reference/sql/statements/alter-instance.md) statement on the running TiDB instance to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path. In this way, you do not need to restart the TiDB instance.
+
+The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before the statement execution is not affected.
 
 ## Configure the MySQL client to use encrypted connections
 
@@ -85,7 +104,7 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
   1. Specify the `ssl-cert` and `ssl-key` parameters in the TiDB server.
   2. Specify the `--ssl-ca` parameter in the MySQL client.
   3. Specify the `--ssl-mode` to `VERIFY_CA` at least in the MySQL client.
-  4. Make sure that the certificate (`ssl-cert`) configured by the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter, otherwise the authentication fails.
+  4. Make sure that the certificate (`ssl-cert`) configured in the TiDB server is signed by the CA specified by the client `--ssl-ca` parameter; otherwise, the authentication fails.
 
 + To authenticate the MySQL client from the TiDB server:
   1. Specify the `ssl-cert`, `ssl-key`, and `ssl-ca` parameters in the TiDB server.
@@ -94,9 +113,17 @@ If the `ssl-ca` parameter is not specified in the TiDB server or MySQL client, t
 
 - To perform mutual authentication, meet both of the above requirements.
 
+By default, the server-to-client authentication is optional. Even if the client does not present its certificate of identification during the TLS handshake, the TLS connection can be still established. You can also require the client to be authenticated by specifying `require 509` when creating a user (`create user`), granting permissions (`grant`), or modifying an existing user (`alter user`). The following is an example of creating a user:
+
+{{< copyable "sql" >}}
+
+```sql
+create user 'u1'@'%'  require x509;
+```
+
 > **Note:**
 >
-> Currently, it is optional that TiDB server authenticates the client. If the client does not present its identity certificate in the TLS handshake, the TLS connection can also be successfully established.
+> If the login user has configured using the [TiDB Certificate-Based Authentication for Login] (/reference/security/cert-based-authentication.md#configure-the-user-certificate-information-for-login-verification), the user is implicitly required to enable the encrypted connection to TiDB.
 
 ## Check whether the current connection uses encryption
 
@@ -131,21 +158,17 @@ The TLS versions, key exchange protocols and encryption algorithms supported by
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2
+- TLS 1.3
 
 ### Supported key exchange protocols and encryption algorithms
 
-- TLS\_RSA\_WITH\_RC4\_128\_SHA
-- TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA
 - TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256
 - TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256
 - TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384
-- TLS\_ECDHE\_ECDSA\_WITH\_RC4\_128\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA
-- TLS\_ECDHE\_RSA\_WITH\_RC4\_128\_SHA
-- TLS\_ECDHE\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA
 - TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA
 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256
@@ -154,5 +177,6 @@ The TLS versions, key exchange protocols and encryption algorithms supported by
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
 - TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
 - TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
-- TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305
-- TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305
+- TLS\_AES\_128\_GCM\_SHA256
+- TLS\_AES\_256\_GCM\_SHA384
+- TLS\_CHACHA20\_POLY1305\_SHA256
diff --git a/media/sqlgram/AlterInstanceStmt.png b/media/sqlgram/AlterInstanceStmt.png
new file mode 100644
index 0000000000000000000000000000000000000000..99ce13d7d7504b7c768bffe40fabc171f8f4eb6d
GIT binary patch
literal 29557
zcmd?RRa~3f6E@o2?v_#t6ev)<SaB%sPzhe#y|}x3TS{@aLU4B{I23o600Dvphu{$O
zy!`jx-|xFTH|Of)g1mv1C9`JDJTvnwf)(T>FkcYAc=YHIrj#T|>CvO7JHYe$^T)tX
z^J0G{;O&XiCn=TZ&!59q<d+{kdizKU^ijn<WpB|<2k(Le?U2q|vV-8Sr$moKmLFeq
zwEUT#N%yL?Oe~!d(5juE7bvRNvZ<Yc9O$AQ1ccyKFk*f9>#1@1%kw^Dq&eTG*(jNg
z&D&!HlUu`j+Ikvk10B3Q`n3rTFzo+c1&l0^C;xr;Hjv@{--nC|h1S3R{eyx9J^a5m
z1zd4<|2?Y^5Ago?%!r8~`R_UY*D>b5&)=j!qn`cy{2@2<|LWeEcvY$#UazR3@K&4j
z{nrnl_n!XSE`xnpGNg(TP9@B8dmKMF#NF7~Xw(x{xK0@%CznJ-RMlNl!swdmO~|G<
zG&EG=O(H5PN=;3T=z0<_DJ$FJdA5@+5s8b7D@GNamPQ`gTU}k}<l?ZszS!T8%L)7I
zLGr+htE5O9eseM^Dq3>$(Ka{R-zYGG%(AlW=g*%>)u#Ofiwg@pm)Fo$kDaYR3N;ZA
zTs0Jru-Cb9u{Wp7&Q#5*^W17%Z{+Uwb|o%)Q&x7Cx_8^^P*Qbww-~;Sk&%(0<9Z)r
zu#J<8E3Qnl&Gxo-_j?tluf|bJVx9WuK*nq;BCLPrk({%0JpBDL+F<#D-|~n30bY*=
zkGdZ}qzO-sEsto3k$1PtU0r|A8A?f^hqhNB4p%zU{Y3IJ-nJbN<Kp4@-rv@FoNNpX
z@Zv;A50MTI6=fx<-hTS^&o+K&DK^|%9g7+xjE+V?DFl5>Dk>@rK0VIBAY>g%<}MzX
z|97807%7PDf^X5V>2=bh(|lJt#Ps1Sn6F|uZmLW|`RKqwSY$%=Zb-ektC`Y8KfR0U
zQ%G(utzbL1CoL`Q$)?}1&SXyTG;b*3#r9<He2;)An<xYS_CadXCYw&Z^L7kq;tlxS
zKkD=$TS*g@myxl2d9+p~h9wc|QRscR{GB-7?&qhK2B%FWC8Z>$$;nA<G65Rxy@kT+
z>{x0i|Bj9hV9ra;9-JH;9GpzbGBSf53t2Wzkk4q?M+fV=zHD@IDMO=d`(?*%_qXz%
zYlzUqNODo!&}xZGR8kVS-_v)o#U~JDZ-lp|C+wwmVnK0taX5QqG@2f`xq+CUpT#2P
zvLE`*K0iPILf_Zb^}IWj(BI!bJKN|d6=h&2J3EhqtE(jpVl$d1Y-4Sm15Oq4U}R(C
z<>d`T%>w$iz0)eJgvCPI=)C_4)ZN`JpDu!dfe{)O78D*XBO^Q9KR7);&d$MARc*CY
zq`Ld@2^z%NLQ^CLR%hGW-P=!aeZFsHVuDXW;kSMm9W@peHuS}bv)XpCQ9ezmzpD$h
zVnvw+yo%M!ms;G|sDy-M-Y&n=)X=DLu;Vn|8iUvf<BO~>EqbY!>H3@=Dtd~08hrd-
z7+k1btmbodO3q;%v;cO!U%GV{{|R#5nd+Y@)t0eyYS3}QaB_3IAfgxv3Xaf3twr`m
zQp7H~Y@Vmi*3UvK%abBo9M;6In!f)G3#<3_Z3WT1dOnga$_DEh7$~xXw*o8u>o2pB
zR6#-t3Nvf#iGG;ZKpX=>0zuXAr_Z0TDfn@5a6W<#4od0d)0jg;EYnsTrMTV4zAAGn
z2iTGQa{{;=<A;TSGqug2{BDpSUoO>iZ`PqwgGP61dOGwuHgDZ~w)+nOobqDgAlHM5
zhGTOcyCn{no!4`#M{B)_EY}CaVD|u$i(RPS^*J2OWub&BLoPKmS)<(AFOV`&ohHw4
ze#_Cubm(o(4&9t#Vwo=6`?4J-&-uQ-zVf!atEoa|N3e&77X`nw#(^*c1H)Vug3!;;
zFIrNgeRsqAay;;E7m61h8fs-}Dg6|TgX449J}Y`R`w`@33nvn=HmB9b9Usf=^hKG3
z>TqT;DCfPW7WKVxA1l>vyE`t{k*8%U&I`mQvxH~1EI1{^#qBLLoNT5;b8~ZJs7keJ
z?@mTjZRTsDOFeG*tPh$Sus?mqw?(e+-E2|_CZRo?`06*=_qgN!V`y?Ca`-Jnf^|se
z)189ya#5eFFu!|Yy>U~Jv60dB4T_V>^L$V9;$YEa*Xwi-)fs}^^gimYHj__+X=`X5
zz?;ftpseNky{uX_TQ?}DA+Oq+nmX$_4vPuUwxKMi4r`(9LcOLU0^^^ZA#NDxY2|mX
z7|Q6z>ydxMWBuE@vZ7*nwn+^ebLE=C_cyzdxL7R-Rio$GKvd@EfQ}GLDiG*y_cjod
zg0*;YD$#baDY1O<m7=+1--3rzk`)bZ|LOLmdWnXf!~U-z8uoGaGm^}y1}8I#us50t
z3JU!^oMyxG%Se6SxTLtab#y$sjg1Wsb%NKgzx;mhu+kBLKW!UCFLdLfqhkR}sx}+N
zBIT>dn#aTulMurs<Jmh}n+X0hAYaXGu-XM2O4A&(D5}Lqw@E0pd<#{)CZ#c((e971
z<ORj0CGdC*#63a7Iz3pFDRcb{qNVLV*%%HDQ+Ut!`k&Q*5H70lj!jGOJz5o;Gd$UF
zO>J@}=QQPV0u1Hr$gu2Jft}+M6EhPrNNpNj)Bzmke!dTDbLf0F$3sq@MsmYT%I|1A
znKxXj74NDZ?1?(gPghf|nv54MV`g9|^NpGYCZRU23n;wrSy9c&i0J*Eh{th`wW7Sd
z-{s+ozAp-~3D|nesjYXiCF|s6+1bh{ZIxE1gu=q@Z+|_>|B}REyKs4Ti)P;-w9x|C
zC1K|+`+Yr`PaWX3-g}cW&5Ezzb?`sS%eQ^*jUa1j9vZ^0>GZt2K?PFy((F=A0T#O|
zcMywQsNSeIg7UL87z=?w_+D-2S9QDE!1{&d-7ilfMXvh#=NhsTp@465y=@3Zy&E*Q
zlEDk>)ahR_?_UxoBkOK?`t<QfF{jx492&ple!9osKdiI_1U&V-y@fWBO~38@7e*A7
zcU0O%kPB+5s0h?eZH;I1k;>iQ-O9?!=B8!_ZMC6cQ*}@;Xf>#s$+MQR5)o~WD~^-3
z2n?usdU)wKcx&1Y?(Oa2GpY3v2zq+x^7-khtE)F&-d!U-JUr;==%fhUkV`Fw-HvlP
z;{z+p%kPbP0&QTm2zx%jGhA9hS$k4rn%t0ld^J(5q#{ar&c~yoe%NGMT97D78fcj=
zti~bMI=se8es|_zD7X_3cj?WWH+|h-4Gh@5&U>jP!nWp1nX2id($hu#?z}hLhoI&9
z=|Ub#V&&blv&Qo^g^P_YoSfWE6r|0T(?!kA69l|&2McL@4nI!Mfs=cGQw>JVqT{_Q
z0Z`l26zEE;Ouwzwusb9Wn__@Rqt!dWnv?<$FP2H26$XRJ5CS_UXuII9$-dPeTcQ22
z&hvEdBPc>HLd3`WaXDH7h8ivzK0X<~%X*&ym7~?P<@{9PWWIc23%{V-U8U0|1*h4F
zK!-all9XTQ>z{8SdaYm5mwfWRq#8mOSQ!O&u91F{($dCDuv{x>Fy6by#(ElBy4xB{
zd?x{jpc_)!PDS*;eY4Ez002rAi&ak;`DYM-#adfihbI02kVTzYU$2clRnRSh|8B6i
z+H4RwSY2yJ-nZWO3k}MRzrkQUV&Zw_araKp>52r!+4f?-SSUeWUY<uoL$FkEL`1}k
zx{~OzF$GPg-y$tufHgb4Yw@b`ip7mJuA3Zy*Z^=qu3WFhy}1t47|@nB-`lIR-QGPL
z71=V|GAn2qLz|wyzTZsA+>lXRveMjFfu@VS^X*9q&nBz7GR+?)n0I$oUU)?1CdfM<
z5bm7e1-UT9c5z_E-nhKGw|DaxF=*v?H`mjX5ClLeHofMzFyHmQ=&Jefsd|TdBM72_
z$XQvdl`=~f%!^IL0V?}NMMouc1GZ~L8EuaEcwKM=zA6hSTWm}fI)g;3Y_g`-*48HZ
zBl-9RIVC_Gbro+`HtDp#$VrzCmi>1Ka_YVD$jL{nKd&rr(UWMNw_Ge4B|O8T5V%>a
zGC70MuJ?qK40YdLW2XqJoAMcKPl<8>_F7G$g>u{d5684My$Wpu`4=)lXX6ArN1{n|
zetrQljx6B2gAkjxS}XX-WM{Td(>ZY5g@lFqNF!2Hb@!>FC20Ux)!=h|9-A+}2Jgzx
z%b}sme-9pgrKp&@*gMchuwh8PR;$zE8Seq5qwu3DUhLc2+G0kXYj5v^dF?omo`=hA
z+mmMRp~lVNSJFFYyBc#gXn_RZze5RFbqegmDD$=o3Zkhc78`uP{9-Dy{VnK24vE2%
ztSzt_S2I=)cowk-YBd0)q=i*nU_|(jf&I41B#z4CHR|cJ1zZ+vqAJ*Weg5Z9US8XU
z!=t0Z-rt5sgIr?hFPqg+=T##**6i%1_CNNeV&C;+5-6*vydlQLCB~)Ft*NWiulQ;}
zn+j%hxVbz6Ohi{tk6MdGt?IEBF5W;*z;@qnCh5%js@@~uEYZn#FwXxTAd|4N+FfjN
zllUn?D&TmzGhG}>AzWtuCL3@&Hf{G1>+OkwwL%f{Nd37MZ#~)zHGMIsp?`y;KE*N1
zyqui%!xicwZnSfX!-FZQE5Ngs&CSi390=P-?WnrSxlWU?zb1s<FL!Yp8k?((>$bLb
zir#ExOOun3kO-QMZ0`E%sZXX}m0zR-UKBMSURfFZnM@$afytfa>C>ku6L3;r<2O~1
z4n^;HX*|qrFyX0Q69E~S&)#e$Eu3{5R+kQec+auFe_tVfU6c|bXA*!Pr~9wx>VI9+
zivIGYaRgWf<QVEGmoBo8Y-=3|MeT5MvzxG%Y1fTphfC1H>fCwd-fItBP#PZVxB1SF
zWx^o0u4_Hv9iO_L+{?Awd{=XVArQ#)g3%Y}A^BqI{DoEf8q<*!)SVZyq0V9R$Q@8l
zh!qrab;PN9s&#sLTCbz$3ekYP6J}ZL%IU}xP&wd}OB3?wxI~Y)wllST*Ag8YYxMQ&
zTc}C@)Krci-~g^K=(75P`f#WvI3#+cWJ>L+oc>wGBbWRPZ{^7uE`I(wz)2>*&#YoP
z38A;PAFs+i$(6|sHH@y;zOb!zcbujy6<kLk0)(-=j@SFMdn3zqo6fIXwx^(gASo#`
zsm1A8;c<S6BWZ%Yds193^Hb@5dazf~ocw}<!oD{e5cjnnOggiCX^7q2L{h`$hU_Qq
z$n5)Hn7npN3+KBt39Kymw#z#kS4&<-fB|9DHZri#9Ivi~@fF9kPzbs*v$5$z_^h`S
zH2?Y+Ien9AJ&BW~dGY-D*RsmWN|t;1vbpZ>w`c{P&S%a^p@2~{j96miHXnPtvAUrT
z0ZE84c|(E@gB;d+I0KtixwFM1UZDF54uyaJ{xN?fHE;BHtHmS$A}I!j6KDxSjqA<^
zT4mVT*&XGXpyWjXslwdN?Vo?WC%omgmXw!Cgl(t}6$8P8ezSXY(ADX7c78rv)9%hR
z6Cg*m%ORp|q7wl4b_K^)abF-8cbBqzQ}~_IfVjx_x@4#%BjfExa+z*ppRGFTfV*JF
zxPA(XLEwEpmtW=QaC9V%{_39%nu_$^1;^6KBQ`er2o@J%3#~rIH=Un;e17(l^sRO?
z(d*ZQgzBl=vCJ$i{G=?wIiSYh@kyv#Y|)`){@9=ccpGx8Bhx4FTtq}<U(nh867E-J
z<9&60dl?&vhWTc;BQqcZA}1{^Z7<nZsGQHL*DOhcTDeAAT^3pFC)Xa?tp?LGmkfPv
z1b~9m#!&Q<9;#Cs2rQmrmjz$9w?BD?b$GOW4FCjeQoam8dR1iIZ62KqRW`7R135KW
zFb8a-MC0hTDBYK%?!DjnO~YH6<;_hdD4PZR`>n69?*xPq5RQIT$<nhUlPmk4FdOZ<
z{wsMP<T>AmUKD%iyX?=Xs!Q;)iX3zVV0fMH;fIO=;qZeCG#ySx?UuI<q#4ZDSm3=2
z^Fy{=EG#V4>)4u#Z%mrWj{+d#bgOb<fwX}r^~H<hi@iAj%%%~rXr1oOO=br82Ly=e
z`Q8l{Bm&^&>xfovx!rqz_WbziCSJ{*I=HVDysQNbhV9PIqGe`siZF9ttF{!&{o*zM
z_vB=FtPk>{VI^2doRAxhFuX&`EwO0Te2sfU6Np8A<=GBZJs2Gu8ykc%(eP<NOecH7
z!92EcOF(=rbB(pnPdYNA??(o}{SR-W$_QUP6)o4jKAHF2rEnH_`(cGyvapZ=SS}#&
zW_O3hL0%=m4dk4dZSRtBSxnH-@k-c^?0tWN=HVU}ft&<j`119INoXRQexo<a#;pol
z<jwBprl9%ZGKJrjBBXtgkgZwJ1Du?MzfQP5W&dY+ry2s$t2P}@;ZGl&0ZjQwDsNp(
zATtoM0KTz`RUJU;UKa-@azgrK<@#-=1l0p8CAv)sbHhbuk>n)2)?Y=u`^M__e_2~w
zlQeoOr@pis`&TR<PU5zO@JUF#m<qmVgW2)p?1Icsx5kIMp9B^O8jb+@3n#u8rp<<y
z0BY~Yqf1RmWrBa%U*FsW&_e&TZKDga)#%!FBYCdcRF&g522QQbF2Bz&Zz3utPGzm8
zqoZwY`J(}_kjF%xEEtn1%|Zq%ee@v`1b~ZG4I$pzfH=sMgOe9tyE_W#BZvC=F0|Z=
zmj_LzNbcW^%_9~4q|hOMG%Vcsh{^HR&u9|)FY+_UIX8qi45tPY+b{f?=6@FgW)m<4
z$ET-p+M_Gx4h^|3-_ObB;V)ijHMy4N=hH?1*p7OM8Gdy^QQ@-7gC-HUvzLeu_;KR*
zU%!f-VPRvB%7S^&QbbsIO-sYWhf&p=&#*{ya%n{+xFhdff0du@&amjz^!@o0<x%c5
zm;hi`FCaELyLhn<eD7>zAI2$iqp(t=jD>}TLBP7Vz9<FhnV2}fJTd~*Vju8K5fQei
zKywQVx2;)+?qhsk>YE&^)=R??KpE7_ZpNFG^N*3=;)=nr7`sHF=jbf@2J7~GfNI_x
zW=GcRpytLddv12xCbWu8|BqboB$VR1XIf)pW3%<dO*W0KtgOJ`q^9~t`v#o=ZBrBU
zj<lb-`MKx;R5ms?0FWkN+0(AI%q=d?AkFyk;>8QSR&OGFe3n<wUmTxchQBN=DOp%t
z1Tr~{ei@Q9A<rXUJ%0-7+B^dGoOuv3&_95?(BehM%{|=J)zzJAvO7~sa%d8#s-$#G
zb=(b{%g5g{>g&6vrly9cr>BQ&V*&v!5%oDfmHqSsI5d(pLgaNG)f={@3t{2mOdfrM
ziEMbdxLt-0A3uJN#({P$0E4#(+|C0NqoSgkn3xC&33-W$xxcrkU8B(RW|U)k)czl(
z{U%+Z`F}F8-xv*k{+l;^^yvRpn)UzVEbjkryU*)%eKhcj3?B#AoAau>I;ZQh>t}sV
z&gGsp4(wy)uR(;iHg8>JZ8gN=V10F|(8*4MP95T3#LG9c^PC^uC36mihePgqJ3lve
z%^NI9g9{S>SxFZCxXd=qyA>VB!{uN)ANjscEzMfuZ$J++zVpRoF++^Z=_xPl?z~Qs
z%h$Y|6Uws@V!4_cJo{4(&@JpdFOQ3_f(cq3l{4@AqzW)(`_h*)zQtZYDNn-*{oA@%
z$w;U*SiWtgm731oZKvOr`9Z&uKXVT99yzdsXV@^CJ;fW%C%equ;TyVwJS!*8;U0}W
zLc%^RJuoZgwhRzG>#GoqfUFL$``ok!g7n|X)GdSgZO8=_6Bx!{MPd-XtYP(Non|WF
z7efBir@ddb@V?{T`GK+g&{}zQ5~@`vm&KGY&2YKOAoEQ6rl_FD$al|{WTd70<I66#
zd2fovifwH6HNzkD`@?7RuPD>W##}GAd&U-F$Bf&8kLPK&rhC6~R>=d+$VD#%mbFrx
z9d=F|oLaToEkV-(Mx}*Ou?mDcV9`6PHvWnWUaD21?FfpME#5yPGXp{U8J5hHw40}h
z`X~8@UHkzcF5d~d6T(tcLHY+d)aEN9NGdfhr#C5tp0`MVS_HUn4U?O)$s+eNro_Lb
zxSy1nea!3!ts@p~)@G>1#fz>Fg1fWIMZE6YpO9L~_6$kcArD9(<m?=)Rb(mwQL#nh
zEyofxuZPmuxj0sda8T#9V9{#K^!!0r1s5t@!mIlu6)ljHi&eD`RI{}b9rp1dLM&h(
zW`NVsbosJhx2Tuv{XRZZV>#Vf7>U^rnwnS)ER=x?_u=C62{hau!`Q808`cszk0M;M
zf290uR0zEZevW;86&f5ITsfom>kjU!HcYNmi-*IK(zfHPBwZFBetX4o{l19(LBORJ
zlBjngchfZvw^e@=?Jo{PS&t#_C(Q(@xD%42>+D@5H9&clmD_2ZP%yVuyDP{9n3f#T
zuD{V@L4mtmPj6c?PpiHffuoXGq5B=^XW(!eyACsMBi|dO#<cDt$zmKGF5$@4`FW`N
zCu-LF$hOg}9}nS^f?%>jD^94`<hxTpd^~>3jN1wR{aGxD&)#jQm2D=6cX=E6Y(ER-
zBK@12n=SCJTD*^5_BP@u4X1RWBy<Z*?}C0lZlkp6ruuHD--LfMUri?WM62@1;7=_d
zYa)gH5xS@1gCM7V%*%fRN(sl)n`?UAAXi&6)V`U`9F~L=Gk9`jaPm`BJiGU|CJkm|
z!IZiL)~iEAsG06OcYCGn&xB!%&3y}ozJWJ98Q~%8IeRz$DJniDClXz*e0IZWD@+9F
zI;3ITO+e0&X`|N7;r+-60p`K(JKQ3;^%gMnqY~xo<KcE67{$+}s_K<1w(XqUZUaHm
z;mq9bBmIf~r35Bi^qxykI@+#kGMw9LE2rgYPFKjn8Q)BJOag(~ZH(MGM5mHoM$GYe
zABDzWh&8YgnaH?4dc_?|P2Eva`qHgrXT+6xpu$Mi&5Eh>$B*U}e<7-l&RHxpVDt~e
z1#X)RnQsT(6u>Dddp=;#CjLxz*ISH8+%L&){+*N}=?He}38mOTY-?p5of<o33Rz+(
zo+YD@)_aQsOsv35p=x1?$C^V@Jr9HPsL=W0;u=c4w3PvcGx||w1>kM!(NTS-UK;Tm
zF(4%cM*Oy;jGW=suDgkfjTJWhMrO&2nG;{#f7m)qi;Mfbs`bX%T278fJ9_V`v#q|~
zyz5a@k5lTC7qyO_iLo7DT%BSZ?mo&DVNUm_V_LOQQo&opnfw+~!hEjhaTIMM-0ukS
z#zG$os2NvNK=OnP-*@kj)kk=rUs=1FEcD&Ax3rayFbh_oo|pu43U5PB4hY2#q&LV#
zuM)qvo~INZ48R2ol1K9)JY$m^_FJm2t@w$^@E!KvJ1Vin52rJftjkN<D*$^SM7@aO
zgwgvU_mY8=3RMUMvO;U7qlYGf5377so7sZ^-!|3ZjF+I7nZEm-SN9ip<@?`9-<fcv
zXq+$3r?Ug^RD53sp4+i8GN<q_O%H+OQC?`OlU)m6uh3XQG?X)rj`s(pAl&sF0Y<Q>
zx<-HcH@xd0^PA@q!{B$#(%xwYKcnS9UC|20pjlwE=OUg1!+sDha6oO$Pd}m}799G%
z|A7lWyMhJkT6u+I1FKS^SJ-iv0urFT5jSEWB&LJHhVRFCDJLaq6u%VcyZY#>@mYfi
z=_R%)jPsMtc}=QglCSyew?)slF%s>Ag0K#*g()c$5Z@lwH}$<S!7feIhrVy%(3z8y
zYs^59V7Pa4yRqpvu43@dF2fb1wmO3oQl1<wRP3=lFJ~G~1a~v-uoPBcYKr&WsezhW
zV?H=3^E-s&0^=-T@xdJ7h5ikgB8Zy!z(V;>MJ-1agk$}c6b%UZ>wjg~Zv%x^sCQdE
zPpNh$TG3(Oxd?RUwQ-}J4cD^+UBx8=m~5bcZ~AG3iKzG;%Xe@7tqOHw=B)B_!j;UO
z_FIs5qXv^rBx4Zj81QlE=vapAZypv>n^A@UA8tkl_f1#g$j-L25~3MV#oTFVDJeOc
z-(%(O3y9p|uV{ScXWpP05hc#BzI#nE-==HPgoTMkMU`I0BMr-baeVHrEfUM~CmQS7
zg9CmPuK+!k^%Q@Bqxsul%#gP7J?C4h{w5szGJV0~8eJJ}__BsSDS;F2CIzNKvM2~Q
zSm^{UD5%#*(6svWge2&K0_Y=yaYw7QUs8sW3PV{(gaQ4eG(nP{g<ER=(MR;91UvhZ
zOy+-k@EjE})clVNaLEVCnYxks5=KoWQa3)#-+g+Ha0&{d0U1WWr4kBTjCz=#N(!)h
zF|qJh(JpwOAx|urnFqPK>WSRt_?sfU$i(<&6tF`1lVVan^ht5|8s5>o>%xr&D`y{g
ztKT7H0{?y}ihm0!utMe47X$@4J5O=@)>7MSvDzS5Z(F#ibfnr;%*;Zc_Yw~nu+xQx
zyg=tK+|U@Ji0X`f)k1>%pr?-*e+*(5@T21>ii;D&93D0M15W9~U4?Xqf#Cm2?k*YB
zb>3H9zHN$lMfaD<w&hiNT|unRa{CBsUHGbd`5pOQw5mwc#MpRcn}q7lgT1_x8N5fl
zusJ_<a1;|gO3&vsaSq)PwY<7!347@>&`aI964jcPkQAH-riL#DlpoekiHVC_-ijD>
zqQ8*xI@M7aZ((I|_xI$DUlQ?Mku{V~+hc|0J<CSpHnP>xVMh7*Z8xz9zWBo5AV%n~
z1dO8B(vM?CxV>YZl(Z!<=K!n!?Y#eWsY@rFQN$8|8@^Z+&#7-~vb;D2c&MuG4W3`r
zXtRvo?%swY{e!_n+}Y3Od8%0_FE&T~PtoM7bLxb3!mphbg_zD;0*Rmpc|wu6xn}t0
z4t>ANVH0V9kC`dg#@o<Voa8Daw2X^YVV%q2Bb}HY=h)b;F*lvc3@>a=gDgCo9wObq
zF($`|An*|wZ%D=o=@v`0r9%tI>7_#$zrYB8Sp)vP>vsB{WOlJA_euFcAe2@#SW-RE
z$T-Ky#$tJ+tGb%K$aKghlNF_W(Z)P2?;nHPUpjW05mnRort*W1B*?og;xi{TubFS6
z>&D2rYW~Ms$sj%&0*vA%Twq^6XvQh*7HqSwv!%4^pKnLNXNK;aE0KMc!ZNaT>Y8nP
z5dyDX_3Esx7%oi0s%{dxyJPUR)A|VrM_r2xyqyqo13kKIMMNK*NIq{T?pccL+-45v
zKwBJ-=%+en%u$2~zPGz(X<8O!^qjgjzJ(%g!WO;lze5hlxX0AgT2Uu`#n+J>#%>OL
z#%4xcLahN}v_o#%uCH@KLZl%F;q#{#G7heaVokdfOG3+$<kS3?UpDeQ5re$?<-Rup
zloAkg;{xFfFn(fj1~D!^n5C`>Olg6}>t;~a;LL<bTx83w%MY_vZ1r~H<g-ELnHfYM
z2UK9heF5oE?_>Ys(Z8(?tdUWaove?TVx=q8sfq_oqBqaD$AL4U&Hlu^6*p&~$KOf4
zpJYOnQ+Hj1LC3Jxt#H4VK3sx<MVD2j4mXnYtFvlNZg}VXKt>E*p^Wc<gY^iRU^A-3
zA)=@G8PS1y%W?jJpJq|gGqWdnZLrHQk5>r3y5)V%&HYt+Kg%M9?MRGhoHvaR#!W@i
ze?~wqeYS0_jyo8=lA94uza<p^`&E<ScD}Da>{-f!erkTf_BkUxUES7{Dhlq4offQI
zUn$_38pUbk&<F3;n;xBX2nwpI=Dtr<3jVoqds<LYkt0AtNRaR)nc`+`=1>|a<2WM?
zOw{+L-8MfqE|{pw**c)O%KGAA485amg?9&cLZl~mn{I<pTjMIHkb9AH0ns)sr0VTt
zSIX<)&>8E<OZT}aw8*-O3gexQC<Hh?zI?GSr8SxF>rQwt4*texvJ+*wFW%?#`#2(a
z<$<cry#nK1H-*&qsnN=WKUI{PD6<Nnt8ro8xdH!+evB~{clmq_+u+L(INP;~K&n_c
z{oSJWG3(eqtVq?SX#2cqW2iP~j}#?y@U1x5iqPFL+!D_9r|$y{aKaG!XvyD+pT&R8
z52fLldJ8N4M7{i?r4=Ihd2Wt)o{OECH6f@9Bipb#G?ccgDZ$2@$MKtun0!I|d>xOE
zog^n!BYtvP+!drLq_EQV{y+^hRrsSvS!qQvi{-vK<v!Xf-fOO6w>ut|dyBLN6Ju>J
z)-==_*y=f08;+cLSybub;RJR@3%&yE4C-laEp~&~+1WZ%Y2Zj#V&uwLQvH#ytLiVt
zTI0^x*2QEMIttdMFM7=f=uVhW$$SY3jNNxvg-K6&{U;gAH57*@>nqt;b{qMRWTa_4
zP~GDWbNmh6RZVg_(r-4c=!U0{Ut-o^o+1P_aBxN?+XpPQs#dle{?N>2MPQlPm*?3=
z+<Y-u>CRZ^m1>wc>$gC~wl?~?*ddRV`4ktACoB1(V+w+888i&skshWIGJRxs<E5N}
zUha)aQ<th1QJ$zlr3S!oaKosLLv^TAGkua91rCGh8Ca0#{-=lZiZ-7fFsK6WnZ|BZ
zZGC2)Pp{P%2b&+CX`){_6p@$%27~)WITxTbqdGFgg3TVK>8=OPi4Bvw#-WcD4F-KT
zO+w+`6FX~1a`B@6(V4F6h<5Jz?LefUFAvJ5`0~rg_ERy+x=)k2p}^vScc1HNc|u0+
z<MxUTikDV$AiRym*l7i=S>oH)DkB&2Rs(3L;uD)xZ58%`PJIdeep@$NGvD<@R>#F3
zkCAz{v-lpHZ7-=NW;XiB=4kKajfI;pg;ED1y=?W4`kBxXQ1}bkNSUF+jSrL-Nl)Q6
zp67$d=ka!G3JM&4E=fclJ=gQMd~M++B%vBQr_dwy-MgTnVJ5ZHziXw|dh(nEt8Yo*
z=O#>yjGCz36Ps&kwE6~b!Q8Cl;Vezts!^|&OQZz>XRHmFn0$UgY{miE>tVA|?(2Q1
zD>~T~*Q^Tb;AOU;yP$Cy8f5{JhV$(|f<i)RFUU<wu2^(tOj&r#-Df7y)Lk!%dMRV4
z<QDI%R4ky;>Q%6J-iyUvUNBe!zh(4zmi|TG1>XY;Z%pV+X*Y^#A?l|kFNY04sd3=5
zdlIiw-md^`3|Vl01Md%bghv0$*kS8TRnt_<eOyxTl3DD4&b(A_+D~EzdS;a6v{5if
zsh@{P^Xazc(<-q<g68AIL=jzZ%EHp^D7T&q_O{N~n3DF;YGLSNw}va!K&-Yeg!E-l
z6Om50JB0*W7bgr8^Q>~Is#)0SIWD=p*+^Uh^!)7n`2E^f)+T|;@o_D_!SDw0w@ORB
z=TKp`q)=F^-6*NEl)SuEXPwPriZm4HO`Zknlh=BztPP%Q$?h)PUzB*?v+s$LzJZQI
zr~PmX0tm~yt6&6qo~}H<97*a0j_R20{7lWT^EY%5zaB)9VeL}r^1ex0Du@PmRe{Bd
zR|V0v5}q04bg9$4*U_wvhOzN2;v=O+RoY`~oS+wj_k)A#3qzSgrke~@mZr4#EToJa
z1!l@~`!MW@i?oswt1Nc;K>pUf@89a}W<(oq-|8MnI`F07+~Ui(DpL=2tp08v7H5BV
z%I^&c8C(Of!w|+Xs+e3oO^(p+9VcPps70wgr<vChs?Aev>RncZ#lmb{T-@y}PpSRS
z<>nj10HjUnh1b5`_MQxRS&wk@dY~P2dODeZMiHW+q2hSb>ix8W6{VR51dwYJuHwIP
z$$ns^sv<iYcQ`p&OGm|fP2_KO?&kh<F&lheFinLe!MM8N4@4L9*Opql1@Mk=m0DjW
z=pGf;iKF4^TbP{9urVH^42|=;PB<ISjw0X!fYUj64^wEdkZ^Pi<+)RBq)pGC9Pg}Y
z|1r%4V4th^rutfy2oJ~P8?I3f0Rb)YvRv7h($X}7*xg|%KCto4g>U`533i^I`?k`G
zinlL!!70gZsSfQzo*DZEA9E9X0b|x4$wWe?DG^%j>!3Yn2)KwwQ7Wc6k#(trJxJ)2
zasuV2Q1)<=Ow~4t_k`E3stZmbL4dnaxLlfHoy*b-6<eLCH1$j<UToGy+O+H3AT<e`
zDkD&ZQS9<=Un3_RcTN(iaENhva<FU$!k)V_(3|Z1c$IiZ*x2fJHb_BE-gYSd4^$`4
z-I)>~&a$Ug^)JJE@uU>+Flt>Wq=lOC5KL`#ex9_=mxmO~jApHF)t}p9r~C!$Gg>zI
zsq^+Px^(Z0jFaER*l7uRn#1WU^B*P;EQ`_!y#{(-5`?^H)4k7$2`8i{UaBvUJf_#F
zu+cxA<-eFm=`Fdet0Gb>iq`rX+%<Q@c*=TMBfNVz7F<hZ(42(dD2PqCTG)wL<g{2j
z>@F41;eTPEjh38vqiaOEKc<-V5hNa(Xy@5z-8tzYDzd}PYQLE|;c<X=UbC|_o)yzO
zlU*~!G0c=4zso^wq77*mvouW_QFa-X4@lV`T-OtV?Nf2X^6^sYL&V!6LWY<81Z>YI
z&}@F`XszDUG!?NAK4ew6l*DQyelaabPP?B<Y`2>DUrae)<I9NZR-R502hM%{9e#7|
z45@iPNtea$Z(X+^9#a<P$%2JBcv|G_NEPpR{qbraZQGHlwuVoC*uD@>DHq%aQ|^Qv
z^YLtsq#jhAFTP~XFQbVd)i8kOx3`o+nGY{*C#!$Fct<QRHL8E=G`nWso@a9Wxn-u0
zQrxSO-9NeCR><=X^0(8fV@FXr?7dk!1G0&~bW~S9CIYIg!<=+6xkesh`FB77uIatt
zXR%n)!q?ox{ZMrNp~?`GXJ^(|y+xLo6}oK4F9w{=IO%!ebFi~3lbJ!6AH|6`%<{Il
ze?mk|TypYI%E)9McD{<r!6Dkrev6RJr=x>xOAhbf(R1A{qzmsjys>D$f3Pd!15kmS
zGh+13#pSLu;XzxnR+nk#qT+ek@ad=*7&3P)8Un%tTW;#a`&wWDp3R;vGZ{kc)Nr$6
z@9gsY+BLeTgmx@ev)>VYY`UIqwn}HN3L}KdTI9m_?{*eHq`^yyOa2-OG$KR0uxvaz
zEUx}8Rdo|xja1p2T^Y7oOj}iSCvX~AQbZ0&0Y{P*e)Gjso1Rg~k2+~Cs6>bpuLWPf
zaTIlz>3p<OUGmfT=`hjhX-(M6T9XqEvjmcxEP)-Sa1wC2X}$M}RPjI^(WVt|jr`>C
zZW1-SYP!XoR9=8#w+++!445cUq^R|{y1Az62@RMSYARw~&}vJ@azM6Ux2dvMd16N%
zh_T*d6ytgRsouqI>PM0-0{K7AJIJ^e3kygA#QZAq2J$)7`zXp%PEFW6o$B->3ES(r
zbmnssRcyQv=%Af5p??hL)7-@Dds06Z5;Qu&y3?z5c&MFk3RJxO2SpZ19E8X0xBT!1
z3h*9QYlfuYD7?NmKThjz$6Ew69d|0{2yk!$ewwJZD5h3kdzGZ6&0KY-Ws5dY>wb|^
zztOJw;zW`S2&DXSLYSTZVrgv%O`gO5(?sWhtE_;ZaN!IB{5dRwu2DeC$<JGbxTq|l
zM5-f`(?L~_Jo2Pg@XaeauzG7&;!H{5N~pSBv3g`024L>Aw76w*v~nCu3oYb$s(JR{
z!;EbezdgJGAfC=WqBu`eK~<V^d3L!pKbNqLe<mbdU|+q-HdtaN_qSdoiXm{WAZm27
zvd$(7$7!0&kNA0F@yU^Ueq^s;a904}`bFH6J&=k$rDM*fq0J}I*xgEiBXJ>0EzB*b
z4a97moD=sLE%@HZp4f_4b1kjZJ$`&%-&1{b^A#VE+3+hul9rQ;^wAU%dhNB9?ZrYF
zB$l4=&=8BekP&O5ovq^hR^|ZG8ev5Ss=2M>o}db@p_RKOaI{otRn!P7T&Lw$Sji*r
z54Xa@O(?XlW;R#}0QdXe#yj6?O8DMdi-7lZR8&?4Ph7WR>&mx|OXJQ2sgFo3_D@eC
z-hSrQ*_%r$RkE(G(R_6Ug(llCKk~?8N?>xuK}7gmMef#2?)wjl&ML?P0%&{L;(jS=
zs3?usz}1mCc{!WfnkudcdC)F_$9a-{cEyB&t(UuI-vIAp#g#&);B3aNkLQP)3He~D
z{dpfQ#{(AB9UMYSg@Grm$yW4peIZGPoD`K?Jh7xC!|9_gk!H<TA@h*|z~qRgo|MLz
zKApX#aUIX>r4!{1HS_uG!wKT8F_D=wy|8C_TlLm-Js;G8{M<KkwI`k$IO8XYpV~C*
zOsc_^g3qHH#PH_aN)Cjt@f79cT*tyO{E!Q8h;Rt(cRu_ne3Cw@&2H19L*V}q$*3M)
zq=S7IYd(3xriY#8B~Cog$*ql52BU?U3SBP4lkKm%?w&EOsuYU_gFfM+JMeX_MAeo8
zw;*7TS%u1S2$U!HHKWs#{7`C+(=eQ9;t}QI?Ci7NqKKZGiSHrMTO1FB>x)pz!di+A
z2>XgU&(6t-xgzwU{MKhLzJth59NRK4Tlp%wmaF_gwK#>TPB|xgTBWdF!*TDE$=N#w
zLW#Rg<)Sw@7N>tqhq?hgtk>4h&?X3kW&ZhS2!sLap@8O<<}Q|vwACsQkf`00mkmAY
z!Lnj)VtIvM#vq7BfFtZhd9!(GHJA07Gh5CEo?y2lESmeNlf#V7=dJeC%!ao}VOrqP
zV}235GPWbXEPKzw8J2M2MQOAw2$y=Pp0&96!pF}&d!n8vb*cHy&0e_U<s|Auw|jn6
znXBV-fD`(#7X0%^L;9^eP;fs!K*2_ouOpX8xs1Q;Tk=l-Pl&JVSB?OQmDud(QZGw-
zsZ8tQm)cp*{}4aZUg#rji&9WIJ!hGMPHMeZ_MOid%h%j|9Gg>Dz91(xI8>)H6-vph
zWWQYVV>JRyU7jtWD>1~t7(?&vNJY#&HZzt{RVlh}9R^{x;<Z_UC9LD3`!w&h#|yXY
z+k`WE#EIjEhE|<~1ktx;)IgL}sG{Zmwl&YtMf}u}9Xe~fZa%x2j%0$#xQ_qeHUQuG
z@_Xd?wArcwh_10w3v_xV8*x7(sab_HzO47+8B-zFh9s;kLTDo%GIbP+KC0KeKkK;l
zWq}T_=z#lh`eowUCcIfLs=Tky`J!rT+lJ`%F@#7=+SB*GpLavfia)2$MOo$+2qXmW
zO>TVOUm=<Z1Q64-;Upxwx}~DN$2)@Cjn<Em!+ve2=kG}-dbL*0vD3{MyzR6h%L7G>
zUvQ-YdRJT8hXEI1+KjBY{qSX{>AR^fj3PBv`=)y;fhCy;u}+ZMkWgd2ro2(nj$zu^
zPmDIL?kn<=a2=8O`gH<L{$^@hv^SuX)paAh6iv0Z7A1$@6=YTOJ~~ty18E+g{MDZ8
zIn0B(n%I1z#Ny8&Ag%};>4BrlYp7w%dLf*#E~$;D2UEEh-&@-3&h-hL*E)JBu5N3Q
zF==`%GMf(`HxD4tn2jEWhdrMhpT0gWrs$Ess-KZpozx117oeXl;pTT7hd(2<&B0<X
z<9c>(eudy7Y`_H2q6q?=Mb%%4VP_htY+vcHp*4|YC53>F5^ri;9Ls(*=qD5vQgK&r
zvz0AsJ|J6yZgf^+`H}n5>JH%&jA*>Zt*8$CJ}^q5(xzsI4R?4iZi|?d%<LVL0dZMo
z>{Aps7kS6@XYXVG-K9F!DYqf3bdbD{V+E0T6^*W6SD+D-s%)A9{U{7RN7|}Z6Mg`J
zl79RM<&}ZS%leJ3WZ&}-*ch3X&=s=_hrbpHe(heLtdRTiwAN2=57owYpjtINgTId^
z*TO(TD)E-_<}Ps)et+DY9Q}Zg!34u$JZv_iMh@Gr$kWR%k;ey1av`QRq7DozUAaGx
zcONodA5p&;1qeF5OU_PfE`=6Ti<_6OZz4*T>#yO^rhA{#^8D@+U+HkNCGWk%I__l8
zp-~f(G{&%~pdQq`4|}bN*u^Jq)ud+=usMD)0OCvLS8ft-Z<#w8`{d;SX%Jt2*<9@2
zODPI3$Zn1M-Bi$F?_i>LmFFTWg!%yp<X#<s=b~{8cp&F@+UHG;9#aQWJ4!$#LKU$(
zqRhR2m2;(=yAA?{{-$OKBQN>NjJ-)9gbkg5yJMquCBnteeC~6-w8cMPNUZ$m7FFkQ
z!&Uj&xl*FP0LfC6d|ieg^a9}dcV25jJ;}HH*xvO$D;%F#4O8GcF18aTG5r}hs={P(
z?NUvwxIHEZk;Rm^K`sp>>7!1zw(R+sUmlizzqx{a@q>Sa(Bl%yYQIT|Ep{g_@PsZ7
zt{x@;<sTD)?zr+r?^Ds<VHsFI0ST*UE|57$Z?!xDG6ZkV#L)-ZdI7;W){^kj-Sxwp
zRF{fX@ZH@#_ir{ICl0nb-(A85d8^1Cirw_1z@uKP`wu(oD`@MWOX1>F%S>jypz1I~
z>uiyQy`@Thw7?sM`O{xkIh+-Nt0T-qlv)%L&)0$6F~*hWykE)rDsend^}HLS>u4}E
zUg&SeiJocqbNB8=;bx&>R^-7Mq9%cb?DdylrN!CY8G+NSn5p-74a%tRUyFn1ICBFN
z13C=!hh@(^-KyeP0H`Uxq9KGRO-8n_sS*5k!dOBqw#=}cJG&{4+2zJ_`i)!H1?E4S
zx|;r;5`VIggjm~T6N|rCEY=55*AoBg31Av#WM8fyOh6}zXD4@tM#ziX&d0_XZZVXQ
zsKV?{fLfqK>JDfgl;!*eIrU8w-}@?KX_0^aBGAL8v4&TjZ&;^k=A9LxryjtC&-7rC
zxK`${0-FxD-UkFhY&DY<rk#@>PCgMX-YW1}3dE$2tf(oGMWPjYmbmm0I#}X_<rEAF
zr7orAaa&@kOz!W7I`<SuDf<pASWs^YuhuLOo5)oai}z|VvxbD=nW1Bx9EW0_*5+2D
zBzxP(Uv4L%qS;r!7<^Q$?20SjJuob>*Py5UAjkMorG$@_l2=B>yr6u#O9u|5IE*~?
zsr-sm6cljD5>peB(qolNvIp5YXPjJ?9hg|o)Y4<%_mO6o0e{22@BJuP^>*O)UJt<(
zex)Zuy%!6)GhYfX7mR=&5E0kRQ0~g9W+O$9^*a*E7u2$sEgOZu^{gE^&)4#ldJ5K>
z805jjb3HNX)2oF?=kz{;Im}-I)>(`HB)DjcuaH0_rR6Qn<wo$Dm#N=Xcv6GOG&V5O
zquTiRB;R9r3qZp!DYv?%!PMG~3J+G!mguj0USQ!}un4sI7P32)>t=O<B^L1X+SSfP
zkO26lxrQHdUPVP?45GV<wX_I)Rl2}s%9${EGV`IBpFveEs{IADIZ9?E_`nG@*Z7O>
z9B;ftp0JusQdk*!9R8g$F~~8V8y`c`tfg@Aa@M754g4yCJFe4EZuKVnFQA0<Rc3U_
z-$Q6E=jUw6kTb*x5Y4w=F)63-n3z%r5pMfSk^34uNkDOnnK}8DqNke3LzxiRAC<xW
z?cE{|C$x^rUyd3>QYn61k3vyKHdYcKbOwIwJsnjL2qRb$HC;VpBk&5iJOz`6a{_au
z2RPsgRF<$-4A}Q6Q5P2YZ*2`6*7P`fVa~|e%OY72WLWF}n&GTa{@g5{;wMK|5<zwR
zti4ZEtMs>z+-uI>W%WiLFnRSph=JK4(m%K$JfHC2E+zeLNB$sUt8z@L&edQ%b|3#K
zzXhK}KKsh<_bsSvE}&$uE?h!_D#VLycwp%P)}R~ei{V5Enn^&O6#4;mLI;-<nygL5
z#}Bo<v^Hj+;#|>0>A-u19~;A@|JLCg?#3TkZ^$#rQ@v;g7o;o}=0#O-8D^g;SDUf~
zNzxA}U8OzrEcLVF3zg-}L-BYg9T24FDKQ8HMZT*flQhC{XA9n1{D6Z?MI|G{gxJ%X
zzk1e7y#7zQ^%22IuiX@gs?nEMlfOw>b|{gJ?8AKb^k?*I?$zU9$=~sXKYbolnd$Ez
zU#K`%k7u!R?tqGJ&tkTJVUn0i$(F2RHu<e0KW>bZUK`G26BF6?JwbwOeD%dSS(8J9
zH>uUv5cwffcDhAjf#1oRRCLqopQJ~2c@1MKVnuCBg#fkano1ED^mO<nEoW$nB^A`k
z_sF|77}s?ealExyCjg8+Ci$b}rRRl&ekV}9{MET~y2t%H2n(&Nf-H0c=EspdFkE3}
zkeQ=j6dqPj-TUPoFeab7z^~aspl&@`4SoAbuBh~uE~`*ylq?s4je|NRkptzk^)dj3
zWwC<*CZ|V6+t?0Nlmha=Ld{FUPE|ai>uUcSE2u~Aw-g9S<L8)cR02!{8M#4W#{>NF
zrgSN|?n!;EWpT}$cXB8l3H6JyB=t8ouY>6MS&&-|>Y&_75hhVOc&cAi?2ZKfajzR7
zWC42taT-&zzx4@#I1f#(`&BgP{0=DdHVd4obS#~no(9v4wkgVA1Gl6zwrM~)xw$>H
z5g`RfGLCkWnRb3{0FpVs#j)<q>W3gB=~)vb2W|!CvoGG}c8^WX&p_?G6%~O7E7CBA
zf|C8~&d?BA+~B>PYZjA@^`;YSN2S|>Pj>(>Y!0BEIk;xtQ^?0dl<`;YdzBsJC~?+q
z6JG(MxiDd(0YnZ|*n1EpR9Ab0$eNlOIlYij`2kaaEO7dcfAch+&ycGndWnaf+iqIR
zqfG^GJZIY}h>wn~yPJ-CVw~#3j;!OzHq%kgV}8`!!b1nqu{*h0H|*TC3XXR}`pv(B
z9+!2CfiU75^j(3sCuRL^L~Hgzy_~LAh<<6whw*nlwG8rNMX*wf%d;{>d!IO&>-n<7
zR?L%|Z&m|}KhwlieFjMe0mOH*y!Ef7q&gy3?gmo9>)={|Vxz9-dz3Xzi5m<Ob9C(5
zk^<`CN>X>H2ZAd7?X&aqk>E>q9G_cdd+O~^w77)6x61GPZ>6GnTDEypQhz@TJ{9Ph
z2=IoNeo&-pLwxU)D%@>?evpeOXw%Zh1Xz8d%6bY?$&36eFvz@PT|S;-Vo#p%Vvl>v
zLuF>QHj{5ETtO<>csx1k(EKkcX^G*thMaVpESJC?J8poFLO(=--ZGfZkj@~QQ%+d!
z;BY4SWjJ>31;8u%=l=pEwX8#qFUq{D6Bp#Z3`fW9^U&Hnqa}O!PX#{n96`dG*tQ=T
zJHzApk&?m67sCi39vw~2^wxb=mQ*rzq}bm7%U`0-*+Jb`63AapU$v2@F8ufu1HC!d
zK>hWo$#?$hGJ%VZDA8|kgC=nh206*8EhTeQI%^rGppt4(RDbr89Jp*`rIs~+1SPT}
zY3h5k5+aMOiT=St&D!$~5p^7WvRRQl++azXsP3U)`JvQ-MlAWgkEylw)YQ?fSVxI1
zS*aS^DL~GvAd4o(+kDNUMdpZ9WQ<-2z`}`6NSFz(#<l^^RpXN2w0N9&PRxn`n-&tX
zX$*8wb95WfC#9;YcqbVo`3bnHO*e9DW;LkwKmJ*=0GFV|-i~?mZT^9G8mo3R*Q@Ay
z`|}uBH2WtkfWX2YywU{AXBAT0xJK?<NP{R1k`ECNIgx?M<+d|R_?7s;(h}-V<y&(2
z<%oY=;fdWl8Y7x<tq_^MG%n;7Y?m~qP3~P5JH;2XBY~u#WNs^m<t-Kw_&U(o0%)8A
z&>!pTf9^@0*h)GnDFJs%8KYv)&quDKV~eB{L{q9z)HcsLR>po~=T&MnQBncqPQg2V
zvo3^K&vQC&kI$Xr91%eTa+k;A#$izdGq%QS@Gw9bn~<Ww9KSV=Ma}Rk6&6Y%QJ#o(
zV-n)6FJ5hk9L13<PhzEXr5}Li1Gw$hY0re#ze1qSy2T19#+q0@^yjs-j0`d7f*_ql
zm{Do_x|5RPzIePNhsTgT+j`DUf!ZBk-BK+QH*rwe*WD5HseRek_9@B(v<@4!y_2w+
zY9We{)Y)n~vG_C1=c&%jbbr@W?@7u>khA`W>ynTknA+R$JMD6SJxL`kFGD2Qs12dd
zF3_0hT3D_wEWLKCX6G6+6=aQ10IPc=<W|}IMCC_^CTC_CSy>h9lS*wu+s<{XDr%G*
z-SOKiXTClVSGk8Nq7~kIM@h&*f`Z(|8}Y;iQ0I2GRwiApI@}3SF?ja0K!j@!*d>M{
zuvC+*CTy0BkGPAMN72!p_$K}VQcGsv&sb@pe&wtwe0f7ZG_Y*$kmIE2VrezEI5;pl
z95y=1y|K;1&ihqRoCkp*46VWlSp5`Tf9T-8k&4F99yu8l)VU%lP2&i!G7(KmPS(7s
zy@*L|!4v$b{-{@r^DSK_D;I+wz_}Ai7NFs!(}wiq1xL&CTCrhch{z|J<?L=44;i}S
z2L};^IK2>C?HHrm{_YlotITvDdRdmxi8yw<@tG-&&!6}aH@;l%49xfg@ok;nlR@BS
za@_0txgka1hEN=9f>k-DNu1nMrFKEY`hw*kQlhjJ%*0->18{sLcT!`6?L@%bz|}Rv
z2`1I`oMYABqPQ{kL7&&xr+~J-B{s>GuXI#_S+-sodMg=vBPjlge@B^BXXlbM4LE$P
zz~p%@cm?7SQ!R;7Y`HVeiUG7d6|==JHV8!Z(fDsLo>gO`$1&<1XnndtJ-xMaR=^&U
zQh<?)=F;>u)J!V)C>Y&AO6q8Cjtb)cgLv5yH8V48W4#ZIE7(x)wzB{m?~mWl*uflm
zGVuN6gG<4pnJmlQ3^c+t!7hlNPNLcU?iBVhF~=$N6;7bCfLfN8FJ&1Ua_Q$Wyfg`H
zzjO<4+5D5vdt>yqpb_)Zp=3Jk*@p4?|5M#pKSb4j`x>tzp-4+BB@GhNA&gSe-2&3x
zIfO`;NJ)b<3=EA3%n;IDLw7d<Ll1K|`hL$jH~xY9+cUHGerm5?pJ#18L&XMH0s$b5
z-<L_%^so%MVEe(M5OQwy9st{>h+e;4CHR^k99lR+(#5Xbv}@a5<P(qowNdwAdAni-
z%H4CoO`p?axFzu^@SegxE`WJv#V@Cn3-a(G$n<RkODQNVY|TsVFI=B(F0`E4o8=ai
zQ(}*CWB2B#3!agoT3k2|r~oXr96v52#=w2o+~rJO^&4G7DKcGHtRRWQ$KzmA%OV*N
z1*Qz)lk`WXjVRX?NjghoQ*Qef#lYZ5BcXgNfX=mU>Aa>t6KPFMJ$oj^MCGjA-(}GH
zBaGUw$>VWDOX0fa&(EJH0X!t;A5^xj>E>wrbV12uyx;Y#?kN!fT~%U-F&^3(FE-`o
z#_Mf)0h5R8RO>V`Jc)>jn5y<I+6C8I8uK*TAD2<4N(<GI9iMQnHhOh)Fye({e_ocz
zE<Bv~D>5%@?-jJaJUL4j@-uZ7l5(Sk;H6>2-`@z(QEC`WvAQXRl8_m|VyBPKIE4Jr
z+S5<VPNXE%QKYKLvVO7bR~ZhT9n^lOdw`o?MW%1Ns8u5LUjT3jI;9<;rv!G{Z&9Ii
z;birN{^6f?N8Kl{+pX1>SYTMbdB=uV{Xksj7OLP5pdjIQ-HL@jx&kKPR<9#q0!fGD
zQ;BWGT|{V9QL5G0=+wC!>>K9QNj<5i=IxpX*m&+s*1X7*L1Ev0R{;OJwLG@vyx~*x
zX*{$Td*kj}vu75p@Z4Pf0U9xp^iCP}f+pZO_u^Q9b&{f(k3-0wmYNO*bRUHgO|gC@
zW<sD^Yf?l{Vg2|Pw>IQ|4d4l}_$xRLw@E9sy4+ZKJ61@qPRRF#tiEsalxr42U1+jD
zoJMBH;ths&)j{X3ldZUo8UaxWSWH_a?wWP4XWY|GD<t(2ei;vIW;UT0TSREK$BVW|
zMrSGaJZvx?JZ5B2X!M+@${PAeb9A~7GupwUrDdOaqy7k(`_qUZL-0*Ypi&yfHo<Y#
z`hQ^O%)iTu#}+Ox$F+L+xU`eEk~q@6Nb!P~ib6ws*JdUswP$$hYHOTr*QTKGOaL}A
z^Jbi!!rJxo?V5IP5t-PH_)p0wKp>h}aY6p*V!*=i5Nb3n$Ph(=)g3(K#xG<^@Tg9a
zBm@KmCZ(k~DEJ;EWi(u!okoY>ZyW`X8aeqDQunlIaf#tOK%pFF@U!i4Y*pBNagag!
zjCLg@9%J|a1yt8nPusuq_l>+MS~Qn;1*Aa3JI&i;E&lK1-oi%S{vY^peP0_6MLPC0
z<lY_$^z%Et8){bhhlXM2=bED(XT3c=76*1Px7fO%WYHPC0F^wmRW?0JeBxM38=IdS
zhe)%2opMTLQh-IJe6C9@S1wI49jGkCi%+#xW8uihcmGr>vS0;>FkPDQkbFdg761IS
zM)ws|BqDY!iHMx~p<cv_)5Tqq%tD0&%nB_YTM4x0t5_hR#*sc6z31T1yI}9@aVeV?
zR&=q2ZB#rOf%Ru`;>l_oRry$cJLHcZB5pwjN*Pn!J^)lbBCx_tuL^HC+;dN#BC@LL
zZQ#|<u+Pk|W&rWot(h6)O++x2rypl8X5H(?-<)siJniYNgH_2D{Mdq)xI{M76yQm5
zH>%Cq0sM`-^jfbA(vu2;p0k*o-*I=PC|6|rTec~SZfAluI`UCfE!S*CvCvG#SOI0p
zPhDM7V#3wO)T?-SR2^>oE)EN)7}<5ZHuXD6E+Zo<-Ja9p+SS$kz^}@>weYvvCO%DH
z@s|PYF))&+H&yx4<%)0?p^gp(nm&Ekww@;TLnO40*$2Uc`?vU0&zCPxy&V<~K&xn5
zb0p=4#0ycy3G~bWC_awu(qdc54LbYz6J)^;6&s3RJ$VgS1F!Iv@Puj8)v=pG8M$dq
zTd$gcbBF!LoVV|5%kx8QQg*<Th*%zG0FSMXJr72RZg%gR%hUcX9+ibdj_{QP!N7ZC
zj=ssv^#Y_<r!}<SXDNPPb1;-odK>Q~Qad?SO5qIkosn7<B*gs(ht3WE4-S1%IEy0k
z*uNO(*Qj*0lkb@}!N-a#?NRB!MXq>$d|AwDE-?oTk7M&%Bca4#E<ZE!vg{{#^b8#U
z{J&QgXIL4p^9kBC3o2q>EW~oxzvt4&%KE;D?JWlVEr3DK`-4Hh9cEa035f6jaj*>T
z8eW#WJWiR4mbZb`rJ<6|(4b?6sw3@DwLjyEn`9T5i-RsMJbM;go5R4s`IOH&!LCUk
zmXBRtM!L|@M1Q8CZACz}A=l4N59Vd*lK&fFj`%Nx`A_ewo?%HpX0e9=#h9S?Z9zQN
zpGuN3^D)ie5MT$AQvbk@1xdKu8>%0f%U`}UxZE%}{!2VjK@}BDcwwJe-!qVT?6Klq
zJT6zgDNB&Kyhl$#^F8p&S5Z1t-RaK%fRq;oRkTrltgExtW+G&~Qu9CdchYMh69<`u
z2rzoWpVOisj{G25G(-mdOAbA2P4%a4SXRYi>Not@Bj^-hmi(d#s7c5!O^E&KUiuLL
zi33n^3YxIbn{%Ahvd7n3Z4ihH05gx&!om9O`E#E=pW;b^v@|R64a_xx>ns`=PuTBL
z=}W@WmRT@fgf<-tf>&{<9d{F!bW=Ye{O_*5KnW-mo*?)FH1CCW0Vk2Zp7mm__u@2q
zG0^c#1CZ~Zjsc-RtL?v6i+q~i8kzqZnj0rgEpqY~WgZ2L0lY?<9$&;CIJ!ApqWaHS
zydfY8!Gzb|`If~Kp55{Wv^qNeuKUU~sBU8hx;sKWpBD&blsZ4|1flH@23Eco&x`qs
zaqn{Oc0FMa&AJz!m8W87nWAH*k+QCmcvI=rUo*n0%F<i;whF+{%1tdNuBU_>W3jU`
zGcJDGy~1hZ>P4YmaXOnz<}S?}oi`f7yc|P>oS(D_yd2=(5Dxk2Qr&zX+^i-c^g~JV
zN{yMQq1JvKVi9?NwweC}L-kdP)5NL$4<=0{++!TQ&xYH2TeWRSqx#^f1jw=|>AWnI
zo<LxH<D<H%h!XwP;yW437kHjOX|<W2t!>#Ug5I}5j_5-6s^nYv@1(#Op404K>R8F*
z<GF55CZ{g*2Or)R5vwK=@kY{ruO6d|?(OewkOK`U5PKtVbWt%(&uNT9>6XJ!c9>=f
z^>qNeafaQu+5qL0^%u`+nAv+Y*$|6&I_}zqcL0-}gx?EZDud=Ryu?=?+=NlYw~Ktf
ztv8od8oEE86v|ar&}GWS4vf$w2{KBb{$=coqE<~f3cMfmpdRp91_Dx-vv`k2bmJW_
zGXrM{qa6KHzhh(V<8|ESZk98Q>-|_PZscMEPh^iEd9(oZE3Uh=zEApWR)#$(ebuTJ
z(SiBwdvH88#g|@F&_~-SxP1%bcs|v*-IMX@FDE+`r7+7Xeku$?Cjlc0&ijogH7lK`
zuOchKAxfH>XSbbNAa1ud7>8UmI@Im@gm;0+lHl3h1>QRr|44$=baeXMMOZ01?k+;0
zd*_w}c#kPX%kr?7BY^vW=k6>HI1?CN{BC%h#KE8k&!C{9YIk>~YCiB==w*Q@8(v;b
z#!wPB!`@_ncx^jDQOpbW@s`54@3%GA3l(+BUtD0xd(d99%v@j6)v*Ae<~Rnk9p^8t
z=g=&{(&G3sd0~dN^jnRC%=hk2X<_Sw5PSD2avB<@rgV6Zuw?0-k9>xUj@wD==<?QF
zC9<2_`fI(-Hv({Ly!od`7gcYX^isa5Xc#7bF-RvI>Dt*?l{us6S2c_#Uq9F|amjqt
z#%YMk^&U$R7r&R?Jn(LF-->`}oovKlOxh9TLaXb;4^skLnzDTp$j%XWK+9afljIcB
zSQ-<V*qNXNSY7Q?`Of8xuSdWR3vRm|-M)kOQ4|?oeVHhl2kpEKxbv!p)6<U%V(jf(
zYl!ml-sXETMbj5(Qi$n#tm(X!@wBx~9|2};lBKE#+4$l+|1h;sq4&l2SCXjvJ~d>D
zt?geUEZ2&mv_F5~cytkV+Uxf4XSK}%(2?PmVkmM!mnb`-xkX`f&yoa~^yWsP-~EPz
zD(#s^6nmxjd?>tJ-JP8)Y#SMHr}5vbSa4Un7|OvjzB;Wn)<o@95tvn5yb+c-zg79u
zPZc>1mK24ZKP*J=&A@b!Eex=d<2$e`B;tZ4Z(A<F|I;;v2`%qVo2k=U&mgpzqci5w
z5avQCePu$X;T-IsOmASb@jM#kPPtoZCOqTV-N&h`8z&#BPH-LR60MS$@_FD2GN}Dg
z#9O6nb}L&$<KZ%i)H3$`#qM^$E`E9^ZhD^~dM+wsZdO!lsL4G(WWYU!p3wIa^>}<j
zB0KB%q5OI}^C^cQLu+a5VU$Emx&7-xDa{F7lDDVfoIfW%tkm{VUL90Yhdpu)i$Gef
z@+ulK8dNM<$-WC3Sn*T6izgtUBf?GN(BJw<oiG@cAvQ7-K?#fPj^|*LzdWm4=R0Z-
z&&Us-EA;g<r7yKd_D9+L9*G%M$l&87ov&n>8JzLmf*gkB1iHZTMx8=8U5tMZ3{n}3
zIjz25>agWgH&i5@nWtMKkD$N^Wz21ori2aq*&{_L_A1<rKAy4bXa`J!7oKM;9iANe
zj~_QQG?0ZB@IdLWJ0(&BQem}wSA(IOVakJE9w{`t7K!Daw<pJ@6E_MPWkDEc=&ugz
z&lX%QMT4_FOQ2mJdl=^ZIN+DRw|>vu{K%nhP%bJ{wwZN1F48vdW!ZVJDUVH;*fn9N
zkcm8fi?X)`u3UI-AWitJlAwuVyxc}fZj7JZHOtf^!MrV6HF@JlO`WbuM7zR6lQD;L
z98)WXLIpslC106+&-dJH_fWbAGvp(a6{!NFf?|BK?(EY(_h`Ns7bB{fKZh!$bCA6j
znO}_5r-zoWN2w=~l*yPqYXj={Oir~f;LcfJQ*kCZC&@}R68f!qUECLuEBfe*Vln?E
zXU<Ijlk`k}5<kVjg1g4YP$<b^`7nDS%%Ug4S*MI}{>7iNo3?UV9;=_b(Vd(<Z;uN;
zn&uztr>{3;Fx^~trpnh><!ih`_G9yD9Xs=pq;5!Iuz4_@B)`0uPQe@Dg0I?R)&!O*
z@+pTS*%C^s<TI(LDq{EX^z|qxt52U_d(xdvPDz~7dPlF9O?yP4q=D=9@Arhgoup$N
zG?9T^^-cp<n)vLA)fW9xmInuueA6pS7BNrm>Rj>Xj)xz(EpVO3-+y^jlIxU?aYj8j
z>Zi1Jxb=yiI<GSIOI!}JoIjJvBv1<Hgh)W7c^Ykq?zz|}kuQDs_(=E0%40OsF1B)C
zLtZzHv1p|6BK=dELGqB}d_=b7O5+sywC^?Q)Ld-V&qwP<#!CAEO>I;~E%A?r>20*L
z^J}k%K4<LgU@wo8-F4z!==gB4HDLsTOh1V3sS>b=+Y67}kuIY;r(ZpFD~(DJ_M>WS
zO95ECx>MSu*c<PSpRKJHL0vbW_PD$1JbiteBoI&KwqLs1nkdtg6}&nc!y|`X(sMB<
z9+2^lzFb&%#yy6H)yu)=62NOe&6q%XkO^Gsj-RjlM6klG83qKP1}u)dHcQkY2O=WE
z<w4uC;U`;5Fx2Q}DZNwuQ4>cQ7+J*-(>GidBzfss0!!5BC4r9i_1HjyQs-lQokGnB
zhGO7z20v<V#)yJGCBqpm`pN<%UQ7t+7sMQJUIksIYh#kgWu$p(ph_V^!I}%Zf?smb
z9}?6Y7eO~ww65eb`sq$BWTkDU4AEF#esA1Kl))x((yO|DaO7}e<Tlyc6?OUk!f)t+
z^*pc74Zat4gZXr`6*j#S1>y85q*uG$FYMt6^`;n(S9vzAX?`rfkSq)caNG^RuFoZz
zG{?ewx96uETvx&~*fci~c0+A@V=LkWwp#N!=6rnP6QtV96;KAk#Ia&_j{Jlq^)b@f
z_|*^gu8T7_+r6mH<9rSUHA5;9-NS(${qdxHD@<IqLeHP^@#PK!xhYnbgPS1>-{9c~
z+tsX)Kknu0&Yqs_l|kQABsQdw5$w4gItRB|Yk1eM_EL2Ky(o&kk|4Wots!dyQ2oI~
z$B#-;zSG~83ztTa(x~;p)+ltZP1tm;6#~)v7W%n@T3InF)MDc%?W<EiesKM$P?ZTE
zhzGfK$`OgFVL0DNFW|xqZ)cvN1ABW`irJhYD<|MDp}@h_pvzLydv~KKR!eRYTTrSE
z=z(sI5jr2rS3_sVL?YuA<TUtU5W~!oi(i8=9iSiBk&2)mmYw{jWGz))>gC_I=IGH&
z(TA#zbxd2@%Q@ye*09S?kFvDUsPsT4KxfW<e}v4_D@z!d{g!@pkO3RI#J^KRtS=}a
z#x21z)J-Kw_R6X}Q}7`OL}V;qo*$$mu@aP0kUj%XMviQThpSL8_#?^P9|aLpEtDTp
z-{y>)p92=n0ot9eSc<w{ulBUblRF<r%=waWA;GHH$We3~I%vRpVL6!o&Q3uFs^oVl
z2O5mR8AC7Df&FQ{%`y^|wUt~lRW+xdr;C{06;1KL@TN^jNchlEMTyKTi~FKwen50q
z>0CVdq5w14spr~>Q;L#&mwd1L25*@l;$Tg4XV&lB<?fYJQ0(BI<fpeGwH>6`os0>6
zeRb^f0|~|Kl#~$Po9Y;7UBIS_ZqBHgnZj<a-{7RtUDzH@-TPW`v5>>3=E${AxL?Ox
zxQ1RNaT6IQ--y*W78P|8VwGmMLA#^0TV&PEY?`yt2taZc)(e1-4oF_&UU~G>1W8cg
zjbC-{b?WO!tsB-o`)ezbukEdzp%g<36f)&NK;$L$c>6p|v6E8ZBt%W8-F<xDq)!PQ
z03k5a@bxXtnzX218&NNPpX~T57#C;6Q*T3C97Jt1(i6|KX=IO_*sUwk4UGs%4M@jJ
z7Yg;!sw$GRe8+uNn<iOsoCH<Wzc%WL%##UxnW-XTVM^~|?|TMo!lAIb=`~DAS2YQ_
zIE!}D%;fIpJlT0O2UZU&N;!K`9mq&`E;@6GqthUO^7zC+zB5tsJ*QQVydJ(cw3UD|
z!MX1FEb&GRadDFDUW{XwSwoB^YJi^y>l-M#w2%wlva(WENMqR+KL2t9=a!N0`H%oe
zy@>G`fY``{`*auPP3m{A7Xqmekrxa$nDQKB@1^t9L!RtraF(GPCo<$<P8p#<ttxce
zpj6}Z#q3!<aaJkE8vyy}|9T&J!4eYVwSL966GL%{diQR7gs*@=`J>vwq-YGN^Thq^
zkT6UyEiJ8o@A(LB5=iuDR;<QVmZq4nHxZl$VAqBp9<Z{H_Q(}y`0gA|i2D32gdi4e
zZDrpjeryls$@@yD;%RI(g?wLesS61HE8bs1&w`COOfV0*y&~)2bxmH{1RMv4^>TR|
z>|0bJ*MK}yz7Iy)!{RkEV)ZkhcJ|0}dX;C2Klj*vg@*bTFX+}Cix13hrLbn>v=Js*
z`4&dMQRpu;vU*4FO*<$z=;mRZWyo#NNmFrES=E)hqS=-m!-)J|^^qTb$mby4&I
zIo-tJ*Fzx$7-X+4g8PN48bx-uSKr&cL54ZM-F~n58qsQsHs?XPrN6H?mL$WIu_olR
z*KB`jCHM&*)7Cp^i8x6vr{`%>+8;+CG-Q}dihtqDm}*;gw*%EiuzweIlZ^4<P>R}h
zK;FK1Vau2!@Yk_J1i5X&)^iTb;lEE2Y?*2NFnHy6R{9GG*`uJ+1>aWp@yP9Gn>_Ab
zn?L)JJ8w>@dcCa*mx_SuXpg*g+ajQpyERnMBFk-<e|~6`O9NVdeZ#FRKD|WCRx52V
z5!b7T!;~wy3EDF$^d9uYEk$vz-yGV*f#KvU<Z`e#r9ZA6r9L@j`|#xVkxL!zcgHrK
zrPRKeuetG+-?}azV{?(V&C|8s7^Ny~5ax>EZVV)kObvEgfcofk<gPx}k$SJN@Kfy8
zz|>8I<xYg4?jjyshD1JUjNd#<;;zVbKASR^u7Ph3+^BgRC>pA|E_d8>u1*d)Pg(2J
zUhyw}t|qZXSI4AAn8{~i>Pn1a^J2zT-{s>Qd?Wcz(c9BNT>J`sV^xa%XQ%FfKml(k
z7Yu5C@2QhlagD~s4H_!QcGbtxmq7}P6QxV&5{OKFG?gaERRs@3T{w>2P?w>3)Olo$
z@*6HQvSCYV@q$x4bNW#kVKW{5ey?1LPB%7cYb7weS&$gJQM*coAHcnHW5?g~pAm12
zLX!$4x)}-I8(HqbRy>Qx#jze#9UYgX&j^X!SfIEllHXr+F6ki&I-g)GfroQSbUVch
zcGE5&2RGdGD2LeF*ak&E(HPmjJj;fR{L`tN6hG0g<?A?@4?`fjF2wEFQw*5OxKdO#
z>Npyn?e*@L)v|23c%$Zei-D6%z0TM!$E0s!%F2!nc^rsc0h>qO4^NSACQj(#`7_z4
z^FO4#y!U1gzm&QuO|G(KGX)*BwvW#Z%dD<GcXD%ljP+!TbhJ)tFhtO$dNrqoJminh
z@1Lmf!YEy$wIdSTqQ)^Pktr}UjU{G)FK~*+S4-Nx{$=y#Mkl1*pclVnV@4-tfv}2$
zT+HVD4Sl{ttW4+XfwMof?F($ahO4~{l`=*oguB|vm7Qb76t43nGtet@xaNJSyNW!6
z>U?9KK$=h&+*C9E*%&nGrFU3=Ym$U_j8K`V?|FlveNh`<$O`r(wh>_J)e7P&sMnbN
zJnvlcJ{a67%UFMK&Od8$P72j4QDROuqlku`_J>lVf0WvN*?`6a=Bn*@<38@Cp!|f+
z^vecK#27Q6l>{G>O=fr41)RER7*M%go)yYJBdT^r>${SXn6!n;R41Nkhtw6!1@14B
z3v^A4_V4>R6?t`<%6QI|-4_5X-`TDz2;`r*3>=2<O`T4FD?!U)&XK71p2eGA$67u9
zU&^$b_J6P<_WjmvywguWvcu~O5??tx8J&Mzab{80GIN^VrRryEZ%#B<T598L0je7q
zcqjw8x^ssB^Y$A7J4tWB6*QOQGAV)jPT0kU2ENK0jLA2UUxS`OykSfa5muDZ97=1<
zDq9oxRC6$ZSk6RV;QDzsL?|V9P6*c`k6z(DlMpyt3mGHQ#sQ5-^$XgDr%TjGu+Dh1
z#zg+`snOdIQQM+iyBVpXgkL@H7=BZAu(GqKjiK-iTvRLhQnIuKrl+Qp>L3%RQs*Au
z5Y-Ph^Py&ou5MXoh)WS-b3s)WQf8hynzH%op~jINxE6I)L}iA=HNM(oBrIOV)BsnL
z_I`EwI-2@N%yD9D7T)ef>11*JoPIjFF8;zmTQu0K3lNtf3hO(wReNVMmZS;Wy?|Ta
zZ#30-;bHAIvALh(f!M-sw|=c}zHqop5TJAB_f<o)AVFA~CKi6y&Wp@bVtmGTE$Ybk
zL``OG%ANNGxw$f`_4;e&bdEVzq_E6H8Jvg7spHA`Wp*M|u?ehL><pJ^fuLWn0FL29
zZpX<PZ9HWQsf`$7sS0X8@VF^5y7cu<h41`+S&E1|c^v?u*@89MgTFGEQ(i+xxgKNf
zZC+2uf4Q1}h|4@Q=t#@L@Li3IgG0`$=d`+$8ksJj9LN15>xWxMCEcmO8rv}bzAodp
z`!*SW4#>1mdrmeT>r6bb{z_iI(Vx_CeQb|6dYE(_X)4oe?w-!iJk;M_TUdP>vS0_k
z-g}JfcdKo!A0^jaT6j1$`KS&OP0DkT3$PF1^h8EEP>W{ymMGigUI9Uo&H>_L_BfT^
z4tQeuGSaSzX7*VyK6^qVs(buBVmc9%_Wol#x92p$MsB+e)`z-^VpLhw8bXOm-_mo0
zoN2#H8H?OUx;3v6YZ$_G6hK%H;#}*jj-w$eh$lsN!P{*<aCCY}#`)9~)`Cxc#J~<+
zUIO)Xf#@TTT^l1u?b4(MN<3u5@5l(G3blc%mWt47kg9WmE7eUQG$u*kz(~F|Z$w_G
zYBIGe($nqZ2Os0#(I}*SkQR-fqvLYR!OCuG0^SrCzkm*0l>Xy*$0h%VAg$Ni2~{N<
z?tTz>U3%#_5Nh~o&vjZ(Yz*juD0`iFhnt9OIQ36=p$T!xPqVFLf%+qFKZ-aFfnTdf
zJzKmwa;B`??a|OrjGt)wL1%fe?t2y$13%WO^Ml6g+wniYo~18k`^+|mPsTymclWQ(
zD4oGJ33T6uTRXHx%N{Vsn4(EwmnD}EXlq=1+(qTRH%589g;-EP<!l{%B79b>mhD;v
zAkZe}U9u4&hd&<E`15FF*fz$^il53GaDpTa_!Bg>;B(KHRJIODR!U1B;7AHKd~OvK
z@GIwR)p~;?X%G2n1H22IlkrTX?WEV}V!xO#VF@+t!p!`XPpIng{K1x4i9$qGgzNg)
z(2b~b{uTpPe<K^9GFF||>);3dX-aVTZf}A}h=NGz{0H?HiA@c^ryIzj!-2XDjLXa8
zM<<ZWYsw<h1UWHT)JZ8-zXwyqE5LOJUcm3qG~;Vc*V~p6_z&(?RuCh)tBGa#1+{GT
z$$<mPgMfIXW)Jh(kMff@TtRTK<&1nt!m;G|X@4FZssS6`yG|HknP5>%k|{E^2dA7a
zEq8Tfnp(5WR{oq=BvB}m>@c(+3=ebh+pf4Ic&PiGezs0&kutIUmJO=y?gcEa&?{?b
zM6HFU3yGY})z7&cb#4E$v$6eb2-y^HbWw^Jt3;BE{Ib71f3huC0TQ(xeqbp{wctkO
z<_De;lepp}t4|van>&d*ovbQ?#^rc|gMoPD$wt2Kp73rcqlg?N!wP?Rvh#7@ti*K0
zq}Ub*WNhF@^ocj$88)sX!jCw$rbgTW9u}Gth;+9$o(!QzS8oiIp@NebYVaho7ejEp
zW61MszJ4;2Ht*Qqu!Xxj!^_gC7cFvIz)hJHM;|b~vY7zAt&8{-n#QB=yR#2`5FlZ+
zOI1zqA3^X>Jr*s2jiz4G$HRTZR+v#FSdEf@LWo)8JM-<P>%SDD7LK=bzl;h!jHJeE
z&X6tyf))y-<Z0#JL(Vx*8!Y?0kAGIQ5l`5KPt73ip(xPvmtCE5-+#Ix9veLRXDp}W
z*7`@!jwx=8F~a~E_TXF)C+c|q&@D!F2BYvkyO8#8yq8it*(flMD7a5aUhAbm)AF>u
z{C@72)9*PmR2LR9AM2Fv$8{V&-Du}-V?O}*4KLlif|M%^>=0X)s(Lu<V>LitceTu0
z9d8>ni25<IBYLNG_$<hG4}Q34oKNWodbxlXcUP!cLx-p-7U4V3Hcz^_O7#@55p-3f
zQKZLXCO4{`HJXMRGDNB*FEx162<Ii(vVThi7~XpqUDa@_3v|A0KcD&4lygxgEfVxe
zra@a<NsTtPM<4XscW<{%GA-4yx$0Gg;{K@T=id8){i|Sh)}kgyIXxYAf=6AW{jY_8
zC8t|e?=do!^mir3t0TIJB2%m6>y$`1U^$wJW1=OwM<skL5xv{nA7$N1QUM$PjhE2+
zxv|Va)dlxpVzVZB`G-f)KNQKPq4BAZQxnU1t$`-7Z)S90W|UQ9>acfou8d>hHyQT&
zs>Pg8PvC*h9rO_X^rOGx{B{kT)_?rR+vc5bynpf;cbf4hh4}H5U3pb(J}DQ+wLV*i
z@kv+*IX1t~g4X==_a2=@sNYk(HDcL|vPUE%Rm@?bN$^P#kr_N?8BaFqAjusi6%9EM
zgWM?UIp-6H`z!v*ixp69&i_0NH{=8!Ry)?mV-GF)2%=jwnO|SplK)owCP%i%Dzu>d
z9*}kUK*32Me9DXcH;Z%UTV$?mhvsmx;+)(o+xsiwy+gu3{2lKMP3YYFEB@F@<UHu`
zP|oZz2jLDcUgdrBxcpTkr$vXS-wRpHaj>8)n;YZ7RcBGplU=&a>iqBhi}#X=nBn84
z3u`vJzx~mC^GaQYMX~|ppz4B_3dS4mcD|S;#3&sWL$4F?(ye{~(65b+^-N?dclh3#
z{BIK#@5RE70sO_I@Lb}|8lF0(6iqt%;D3t6rXGMm0|RBV@$+mn)BSTS$I<5o0YUJ=
zA>sO<k(o2PUr$RszZN9n^5vOOEasos;SJmEXFS6=Ptbi1D1M1wiiTAm{=Tj19|3_<
z_`|RqcYyYKM=tIPDCjXieY8wP`VIu&9bB*eU_oDtPJZhp<RvUpuZ!pJ=zsrS!1Mjs
zPRx}%(AtA;nkLn@`d#Zptfkv8Bl#2aS@qG;OjmH|vM#aZn9C8!eH1!1BfuMVP=jno
ze4BSn8(*5*Fl6|yk74)1nqiZXv1|%_NF2M)Xfi&=#VQ<LCHR42@m(AL7kxdAHtp;z
z4JAF)PKz$+aWC|I^S_57nGv#U&U#6wUWwElIWLow(}vT_(<H>2x#^+#u9{!u@Rvx|
z?GFQBq{QBY)H=frh>``-YkN4mCMQmtRVD~Dh8{Lb8@~%|I$6hEv*S~j0jvi#{WGIP
zSi!@(uI;9VRce2C$ib-PYYnIx{cG+7A`9Cw_S(`;xKiA-!^C?eP3MG(9kW`=P_+T0
zCDhpyaN>JOoy?In-*j&aW+L!Q=SkM(bbmj0BTE6xJ%D&kPSf0h@Bd`bx;r10{9q;7
zCz3v+Y>@K;_mB4nuE5M<pZ>|aE`Eah9e$Rn3bk0;#wM<Hm0*o!(*p-oSA`dfdZ`1s
zOO=o(*^1HW5H&8j3HtFdW`1@`K(dt@|4sn~8&#7t;tl5nzH`tc1#+XCL$6M{D>#6V
z(g^OWCk_Sq8Wk4uG;Lpe4aqq-F*BG=mH!>HtCijwAktML8FO~AUU&WXmg`4Vo^Ms&
zc{hCC&e2q_#EtIvc6ODPp0G|{lS9yNaV&<sep~dB7%JbGq5cMkg&cdF53y0uw+@qi
zhVkRoLI0VgpnH>Bm2vk^(0w7#=COELv*GDqClD-}k?EYmZEKFk9=TFhoWC45dttV7
z*ASi+x!aRK&VH;<GOAU-<n+#s-el7!`EFoF=o+VCQA%9gW{LgT`6WjCOJWF0F!>70
z|3V98dX$_iL1TPUSs{FSJ~@!yaHPT#d7r|;$?3+bmkQ|g{8wv@VS$5TK&=@vsoOjb
zD{NTMAzb;aX2{M*z3=OzXPyEJuD5c_LUIIJ(8%QqN>Cfg%jsPoN2R@e?K4rB{0o1o
zZ_S*$lH~zNHrTaGx^2Q6t#EpVyI$huzW-4nl|Q$#veBO7fH%Sz6pip1|HtD+Y!3-k
z=K4$)FIM9)_ytWc1OmAc_6X}d4RiD-zkMj39~9}BMNhh8%`B09I0$FI!Z<`cWX06D
zP1)XYU}hCQN~OjX6b$34WXa5QE>1Axlpiei@f|3N+?5^4s47yWdjE|lqEmnz?*T@L
z%>uY%YKnKsc&Yk9fire&_m9W*sk*$L^F@A8LQJ(xbd@pRz2JZDk)8GN_|Cipgw{V8
zA-m^n2CKVY9V#5QKaJKuc!u$Q*UoNy)$`?!312QbP@u?h@V(S-hg$jNt^4MWvD_2h
zi4ihBj(9p;*zyM3%*CFK8V=MGLN4U*iTNgxF|=L!K||caCV%S+<0gy(l@~efK1QlB
zJC@gFyoMdGzIx$SdwxCg6`<LhGpThTh7VEHvMvM%e|ACLY|ttw(Cn8K+y{6vJp3q=
ziikEr1IR$Xn1h)~OK+4dpj{@ryOVpv|0Dd*Uz9<f39w4&&@<4)=JX#cx{~qI4K2*X
z9(a)^=rYdvv6^3Hu!gC<3tn$8-ouCaz7cZk6l(Z!q#^^RZx0%b-qWRLPhk1xMs-?M
z;6^zzG1xL6e&7`lrar+KO}}b;y`&?f9hH!vl&wV8*uMZrAu?k;ygZ%tL`?o_BFvf*
znAzQb8A$#T8BeMjqA6E07IR+XOffmZ$Iv>e{gKwG8gpm0)f`#LOs|rxMI$H6cJcCs
z7_{pg78op$78iHSCw5IlOx3MTpSnDd-e)<8Tgu8o^yon`w}qFKC*Vs&<2bt$PyGnB
z0eq%oeJKx4-Wn{&1c(X^AY8jAdhywb4W!u_XadBW8A;PaKY4kErZ#LKGNb=_;J#ci
z@(z%v4?6<ZD{^6o>Ay*`<^lkwaJ=yCTV|4~pK-+e!+*G2pW?l`cb~eJAXZ#l)Hfj0
z2i7*bZo_=xd1eOZS_kSv7n9}-!25@UQ%qu9$SuG*dt*%3$MW!t%Lj)_^;a$Y%~99a
zX;U0A^{zYl+aqZUX3l2SP~J^K{F{sXIT$Q}LZet-{Ey}5Zw`==W`0a#Y^>}y(^EXs
zl;@7`QG8w~>g~%Kqfko^;cB^Ge7d;b1`RO5Dwg9TL8Aj{qTdC*L)CaSGaVz6^>#)M
zBdl{%3lX0RZ)VW3**ggPDtCv)VqaVwfOc|Ky1zac9qcfnu&Bh?wMH!m`<{2loIY7^
zxLc0=o4;;m^=WkL9?0a2UD7Ktlhq%`j5A}?t4!RO=IL)i!F^A=XWHLhfbIo93uMyF
z9xpL;q<wBY?Rf=AKxFyS%6XY;+@D>&8)sPqF6I5VQ@z#od2P5`cQ=7w5&IMd6@kg7
zr2UguyNa6H38b8xVGraGN8Ya;xUUaFq898f%Zp{-@3uei;c)g}AFh_)TgZv)GDYl~
z61*H-u5rWdJLJ!rKzal?W<^z%!w}og|KvA67~pgKIzR(oql>2gBF%hJ7NJZN+uPhi
zD;1SYI3pB&@RLXN?c1rFCLsliIrj_Wdke022_mAm_&#o`Dn@z@w2wytw-EfXS<Yiv
z0W*x|ubTT-1kePUVkXn&MMmhaWh`|S9N1^KFb6j``tN|+z8@0FHQ1QjuWF#-bka4S
zy2W(iDd1V}ethh#mf0a`y|lWzyFs$LL$bL;Jw`9=bok}g<nYn#`S^!b#8tK247vUO
zr-k_9FB;@l*7<k*UEFQ^1L7|~-M0T<Cgtt_ePn-?#%<f|@gKwEwt1)OU;7Sd`fLAn
nGj9KGhWsV_+xGvD-J`^+GV*54g%`_jS0M9N0aPaO;nV*DlsR~N

literal 0
HcmV?d00001

diff --git a/reference/sql/statements/alter-instance.md b/reference/sql/statements/alter-instance.md
new file mode 100644
index 0000000000000..e647d797f13d5
--- /dev/null
+++ b/reference/sql/statements/alter-instance.md
@@ -0,0 +1,37 @@
+---
+title: ALTER INSTANCE
+summary: Learn the overview of the `ALTER INSTANCE` usage in TiDB.
+category: reference
+---
+
+# ALTER INSTANCE
+
+The `ALTER INSTANCE` statement is used to make changes to a single TiDB instance. Currently, TiDB only supports the `RELOAD TLS` clause.
+
+## RELOAD TLS
+
+You can execute the `ALTER INSTANCE RELOAD TLS` statement to reload the certificate ([`ssl-cert`](/reference/configuration/tidb-server/configuration-file.md#ssl-cert)), the key ([`ssl-key`](/reference/configuration/tidb-server/configuration-file.md#ssl-key)), and the CA ([`ssl-ca`](/reference/configuration/tidb-server/configuration-file.md#ssl-ca)) from the original configuration path.
+
+The newly loaded certificate, key, and CA take effect on the connection that is established after the statement is successfully executed. The connection established before this statement execution is not affected.
+
+When an error occurs during reloading, by default, this error message is returned and the previous key and certificate continue to be used. However, if you have added the optional `NO ROLLBACK ON ERROR`, when an error occurs during reloading, the error is not returned, and the subsequent requests are handled  with the TLS security connection disabled.
+
+## Syntax diagram
+
+![AlterInstanceStmt](/media/sqlgram/AlterInstanceStmt.png)
+
+## Example
+
+{{< copyable "sql" >}}
+
+```sql
+ALTER INSTANCE RELOAD TLS;
+```
+
+## MySQL compatibility
+
+The `ALTER INSTANCE RELOAD TLS` statement only supports reloading from the original configuration path. It does not support dynamically modifying the loading path or dynamically enabling the TLS encrypted connection feature when TiDB is started. This feature is disabled by default when you restart TiDB.
+
+## See also
+
+[Enable Client TLS](/how-to/secure/enable-tls-clients.md).
diff --git a/reference/tools/tidb-control.md b/reference/tools/tidb-control.md
index 0d76df8b896eb..f8187f4e7d25e 100644
--- a/reference/tools/tidb-control.md
+++ b/reference/tools/tidb-control.md
@@ -45,6 +45,9 @@ TiDB Control consists of multiple layers of commands. You can use `-h/--help` af
 - `--port`: TiDB Service port (default 10080)
 - `--pdhost`: PD Service address (default 127.0.0.1)
 - `--pdport`: PD Service port (default 2379)
+- `--ca`: The CA file path used for the TLS connection
+- `--ssl-key`: The key file path used for the TLS connection
+- `--ssl-cert`: The certificate file path used for the TLS connection
 
 `--pdhost` and `--pdport` are mainly used in the `etcd` subcommand. For example, `tidb-ctl etcd ddlinfo`. If you do not specify the address and the port, the following default value is used: