From 691493e945f846073b0ff83fe8b8a16570718048 Mon Sep 17 00:00:00 2001 From: Shiqi Wang <464045584@qq.com> Date: Sun, 26 Feb 2023 22:00:40 -0500 Subject: [PATCH] docs: translate the document of jwt-auth plugin readme to English. (#213) Co-authored-by: Shiqi Wang --- .../wasm-cpp/extensions/jwt_auth/README_EN.md | 399 ++++++++++++++++++ .../wasm-cpp/extensions/jwt_auth/process.png | Bin 0 -> 39394 bytes 2 files changed, 399 insertions(+) create mode 100644 plugins/wasm-cpp/extensions/jwt_auth/README_EN.md create mode 100644 plugins/wasm-cpp/extensions/jwt_auth/process.png diff --git a/plugins/wasm-cpp/extensions/jwt_auth/README_EN.md b/plugins/wasm-cpp/extensions/jwt_auth/README_EN.md new file mode 100644 index 000000000..4626b2f63 --- /dev/null +++ b/plugins/wasm-cpp/extensions/jwt_auth/README_EN.md 
@@ -0,0 +1,399 @@ +# Description +The `jwt-auth` plugin implements authentication and authorization based on JWT (JSON Web Token), supports parsing JWTs from URL parameters, request headers, and Cookie fields from HTTP requests, and verifies whether the token has permission to access. + +The difference between this plugin and the JWT authentication in `Security Capabilities->Authentication and Authorization` is that it provides additional capabilities for identifying the caller's identity, supporting the configuration of different JWT credentials for different callers. + +# Detailed Description + +## 1. Token-based authentication + +### 1.1 Introduction +Many open APIs need to identify the identity of the caller and determine whether the requested resource can be returned to the caller based on this identity. Token is a mechanism used for identity verification. Based on this mechanism, the application does not need to retain the user's authentication information or session information on the server, which can realize stateless and distributed web application authorization and provide convenience for application extension. + +### 1.2 Process Description + +![](process.png) + +The above figure is the business process sequence diagram when the gateway uses JWT for authentication, and the following we will describe the steps marked in the figure in detail in words: + +1. The client initiates an authentication request to the API gateway, usually carrying the end user's username and password in the request; + +2. The gateway forwards the request directly to the backend service; + +3. The backend service reads the authentication information (such as the username and password) in the request for verification. After the verification is passed, it uses the private key to generate a standard token and returns it to the gateway; + +4. The gateway returns the response with the token to the client, and the client needs to cache this token locally; + +5. 
The client sends a business request to the API gateway, carrying the token in the request; + +6. The gateway uses the public key set by the user to verify the token in the request. After the verification is passed, the request is passed through to the backend service; + +7. The backend service processes the business and responds; + +8. The gateway returns the business response to the client. + +In this entire process, the gateway uses the token authentication mechanism to realize the ability of users to use their own user system to authorize their API. Next, we will introduce the structured token JSON Web Token (JWT) used by the gateway to implement token authentication. + +### 1.3 JWT + +#### 1.3.1 Introduction + +JSON Web Token (JWT) is an open standard RFC7519 based on JSON for executing a type of claim to pass between network applications. JWT can generally be used as an independent identity verification token, which can contain user identification, user roles, and permissions information, making it easier to obtain resources from the resource server, and can also add some other necessary declarative information for other business logic, especially suitable for the login scenario of distributed sites. 
+ +#### 1.3.2 Composition of JWT + +`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ` + +As shown in the example above, JWT is a string consisting of three parts: + +- Header +- Payload +- Signature + +**Header** + +The header of the JWT carries two pieces of information: + +- The type of the token, which is JWT +- The algorithm used for encryption + +The gateway supports the following encryption algorithms: + +```text +ES256, ES384, ES512, +HS256, HS384, HS512, +RS256, RS384, RS512, +PS256, PS384, PS512, +EdDSA +``` + +The complete header looks like the following JSON: + +```js +{ + 'typ': 'JWT', + 'alg': 'HS256' +} +``` + +The header is then Base64-encoded (this encoding can be symmetrically decoded), forming the first part: + +`eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9` + +**Payload** + +The payload is where the actual information is stored. The details are defined below: + +```text +iss: The issuer of the token. This indicates who created the token and is a string value. +sub: The subject identifier. This is the unique identifier for the end user provided by the issuer, and is no longer than 255 ASCII characters, and is case-sensitive within the issuer's scope. +aud: The audience(s) of the token, which is an array of case-sensitive strings. +exp: The expiration time of the token, after which the token will be invalidated, is an integer declaration representing the Unix timestamp in seconds. +iat: The issuance time of the token, is an integer declaration representing the Unix timestamp in seconds. +jti: The unique identifier of the token, and the value is unique for every token created by the issuer. It is usually a cryptographically random value to prevent conflicts. This component adds a random entropy that an attacker cannot obtain to the structured token, making it more difficult for the token to be guessed or replayed. 
+``` + +Custom fields for a user feature can also be added, such as the example below adding a "name" field for the user's nickname: + +```js +{ + "sub": "1234567890", + "name": "John Doe" +} +``` + +The payload is then Base64-encoded, forming the second part of the JWT: + +`JTdCJTBBJTIwJTIwJTIyc3ViJTIyJTNBJTIwJTIyMTIzNDU2Nzg5MCUyMiUyQyUwQSUyMCUyMCUyMm5hbWUlMjIlM0ElMjAlMjJKb2huJTIwRG9lJTIyJTBBJTdE` + +**Signature** + +This part is a string that consists of the Base64-encoded header and Base64-encoded payload concatenated with a period, followed by the encryption of the resulting string using the algorithm specified in the header (where $secret represents the user's private key). + +```js +var encodedString = base64UrlEncode(header) + '.' + base64UrlEncode(payload); +var signature = HMACSHA256(encodedString, '$secret'); +``` + +These three parts are then concatenated using periods to form the complete JWT string as shown in the example at the beginning of this section. + +#### 1.3.3 Time validity + +The gateway will verify the exp field in the token. Once this field has expired, the gateway will consider the token invalid and reject the request directly. The expiration time value must be set. + +#### 1.3.4 Several Characteristics of JWT + +1. By default, JWT is not encrypted and cannot write secret data into JWT. +2. JWT can not only be used for authentication but also for exchanging information. Using JWT effectively can reduce the number of times servers query the database. +3. The biggest drawback of JWT is that the server cannot invalidate a token during use, or change the token's permission, because the server does not keep the session state. That is, once JWT is issued, it will always be valid before it expires, unless the server deploys additional logic. +4. JWT contains authentication information itself. Once leaked, anyone can obtain all permissions of the token. To reduce theft, the expiration time of JWT should be set relatively short. 
For some more important permissions, users should be authenticated again when using them. +5. To reduce theft, JWT should not be transmitted in plaintext using the HTTP protocol, and the HTTPS protocol should be used for transmission. + +## 2. How to apply the JWT plugin to protect the API of the user system + +### 2.1 Generate a pair of JWK (JSON Web Key) + +**Method 1: Generate online** + +Users can generate the private and public keys used for token generation and verification on this website https://mkjwk.org. The private key is used for the authorization service to issue JWT, and the public key is configured into the JWT plugin for the gateway to verify the signature of the request. Note that the JWKs format configuration used by the gateway requires the public key in the figure below to be placed in the keys structure, such as: `{"keys":[{"kty":"RSA","e":"AQAB",...}]}` + + + +**Method 2: Generate locally** + +This article uses a Java example to illustrate, and users of other languages can also find relevant tools to generate key pairs. Create a new Maven project and add the following dependencies: + +```xml + + org.bitbucket.b_c + jose4j + 0.7.0 + +``` + +Use the following code to generate a pair of RSA keys: + +```java +RsaJsonWebKey rsaJsonWebKey = RsaJwkGenerator.generateJwk(2048); +final String publicKeyString = rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY); +final String privateKeyString = rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE); +``` + +### 2.2 Implement the token issuance authentication service using the private key in JWK + +The Keypair JSON string generated online in Section 2.1 (the first of the three boxes) or privateKeyString JSON string generated locally needs to be used as the private key to issue tokens for trusted users to access protected APIs. The specific implementation can refer to the following example. 
The form of issuing tokens to customers is determined by the user according to the specific business scenario. The function of issuing tokens can be deployed in the production environment and configured as a normal API for visitors to obtain through username and password, or tokens can be generated directly in the local environment and copied to designated users for use. + +```java +import java.security.PrivateKey; +import org.jose4j.json.JsonUtil; +import org.jose4j.jwk.RsaJsonWebKey; +import org.jose4j.jwk.RsaJwkGenerator; +import org.jose4j.jws.AlgorithmIdentifiers; +import org.jose4j.jws.JsonWebSignature; +import org.jose4j.jwt.JwtClaims; +import org.jose4j.jwt.NumericDate; +import org.jose4j.lang.JoseException; +public class GenerateJwtDemo { + public static void main(String[] args) throws JoseException { + String keyId = "uniq_key"; + //Use the Keypair generated in section 2.1 of this article + String privateKeyJson = "{\n" + + " \"kty\": \"RSA\",\n" + + " \"d\": " + + + "\"O9MJSOgcjjiVMNJ4jmBAh0mRHF_TlaVva70Imghtlgwxl8BLfcf1S8ueN1PD7xV6Cnq8YenSKsfiNOhC6yZ_fjW1syn5raWfj68eR7cjHWjLOvKjwVY33GBPNOvspNhVAFzeqfWneRTBbga53Agb6jjN0SUcZdJgnelzz5JNdOGaLzhacjH6YPJKpbuzCQYPkWtoZHDqWTzCSb4mJ3n0NRTsWy7Pm8LwG_Fd3pACl7JIY38IanPQDLoighFfo-Lriv5z3IdlhwbPnx0tk9sBwQBTRdZ8JkqqYkxUiB06phwr7mAnKEpQJ6HvhZBQ1cCnYZ_nIlrX9-I7qomrlE1UoQ\",\n" + + " \"e\": \"AQAB\",\n" + + " \"alg\": \"RS256\",\n" + + " \"n\": \"vCuB8MgwPZfziMSytEbBoOEwxsG7XI3MaVMoocziP4SjzU4IuWuE_DodbOHQwb_thUru57_Efe" + + + "--sfATHEa0Odv5ny3QbByqsvjyeHk6ZE4mSAV9BsHYa6GWAgEZtnDceeeDc0y76utXK2XHhC1Pysi2KG8KAzqDa099Yh7s31AyoueoMnrYTmWfEyDsQL_OAIiwgXakkS5U8QyXmWicCwXntDzkIMh8MjfPskesyli0XQD1AmCXVV3h2Opm1Amx0ggSOOiINUR5YRD6mKo49_cN-nrJWjtwSouqDdxHYP-4c7epuTcdS6kQHiQERBd1ejdpAxV4c0t0FHF7MOy9kw\"\n" + + "}"; + JwtClaims claims = new JwtClaims(); + claims.setGeneratedJwtId(); + claims.setIssuedAtToNow(); + //Expiration time must be set + NumericDate date = NumericDate.now(); + date.addSeconds(120*60); + 
claims.setExpirationTime(date); + claims.setNotBeforeMinutesInThePast(1); + claims.setSubject("YOUR_SUBJECT"); + claims.setAudience("YOUR_AUDIENCE"); + //Add custom parameters, use String type for all values + claims.setClaim("userId", "1213234"); + claims.setClaim("email", "userEmail@youapp.com"); + JsonWebSignature jws = new JsonWebSignature(); + jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256); + jws.setKeyIdHeaderValue(keyId); + jws.setPayload(claims.toJson()); + PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyJson)).getPrivateKey(); + + jws.setKey(privateKey); + String jwtResult = jws.getCompactSerialization(); + System.out.println("Generate Json Web token , result is " + jwtResult); + } +} +``` + +# Plugin Configuration Guide + +## Configuration Fields + +| Name | Data Type | Required | Default | Description | +| ----------- | --------------- | ------------------------------------------- | ------ | ----------------------------------------------------------- | +| `consumers` | array of object | Yes | - | Configures callers of the service for authenticating requests | +| `_rules_` | array of object | Optional | - | Configures access control lists for specific routes or domains for authorizing requests | + +The configuration field descriptions for each item in consumers are as follows: + +| Name | Data Type | Required | Default | Description| +| ----------------------- | ----------------- | -------- | ------------------------------------------------- | ------------------------ | +| `name` | string | Yes | - | Configures the name of this consumer | +| `jwks` | string | Yes | - | Specifies a JSON Web Key Set, as defined in https://www.rfc-editor.org/rfc/rfc7517, consisting of public keys (or symmetric keys) used to verify the signature of JWT | +| `issuer` | string | Yes | - | The issuer of the JWT, which should be consistent with the iss field in the payload | +| `claims_to_headers` | array of object | Optional | - | 
Extracts the specified fields from the JWT's payload and sets them to the specified request headers for forwarding to the backend | +| `from_headers` | array of object | Optional | {"name":"Authorization","value_prefix":"Bearer "} | Extracts the JWT from the specified request headers | +| `from_params` | array of string | Optional | access_token | Extracts the JWT from the specified URL parameters | +| `from_cookies` | array of string | Optional | - | Extracts the JWT from the specified cookie(s) | +| `clock_skew_seconds` | number | Optional | 60 | The amount of clock skew, in seconds, that is allowed when verifying the exp and iat fields of the JWT | +| `keep_token` | bool | Optional | ture | Whether to keep the JWT when forwarding it to the backend | + +**Note:** + +- The default value is used only if neither `from_headers`, `from_params`, nor `from_cookies` are configured. + +The configuration field descriptions for each item in `from_headers` are as follows: + +| Name | Data Type | Required| Default | Description | +| ---------------- | --------------- | ------- | ------ | --------------------------------------------------------- | +| `name` | string | Yes | - | Specifies the request header to extract the JWT from | +| `value_prefix` | string | Yes | - | Removes the specified prefix from the request header's value, leaving the rest as the JWT | + +The configuration field descriptions for each item in `claims_to_headers` are as follows: + +| Name | Data Type | Required| Default | Description | +| ---------------- | --------------- | ------- | ------ | --------------------------------------------------------- | +| `claim` | string | Yes | - | The name of the field in the JWT payload, which must be a string or unsigned integer | +| `header` | string | Yes | - | Sets the value of the specified request header to the value of the specified field in the payload, for forwarding to the backend | +| `override` | bool | Optional | true | If true, overrides an existing 
header with the same name; if false, appends the header to the existing headers | + +The configuration field descriptions for each item in `_rules_` are as follows: + +| Name | Data Type | Required| Default | Description | +| ---------------- | --------------- | ------------------------------------------------- | ------ | -------------------------------------------------- | +| `_match_route_` | array of string | Optional, select either `_match_route_` or `_match_domain_` | - | Configures the route names to match| +| `_match_domain_` | array of string | Optional, select either `_match_route_` or `_match_domain_` | - | Configures the domains to match | +| `allow` | array of string | Required | - | Configures the consumer names allowed to access the matched requests | + +**Note:** +- If the `_rules_` field is not configured, authentication and authorization are enabled for all routes of the current gateway instance by default; +- For authenticated and authorized requests, a `X-Mse-Consumer` field is added to the request header to identify the caller's name. + +## Configuration Example + +### Enable for Specific Routes or Domains + +The following configuration enables Jwt Auth authentication and authorization for specific routes or domains of the gateway. If a JWT can match multiple `jwks`, the first matching `consumer` is hit according to the configuration order. 
+ +```yaml +consumers: +- name: consumer1 + issuer: abcd + jwks: | + { + "keys": [ + { + "kty": "oct", + "kid": "123", + "k": "hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew", + "alg": "HS256" + } + ] + } +- name: consumer2 + issuer: abc + jwks: | + { + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "use": "sig", + "kid": "123", + "alg": "RS256", + "n": "i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw" + } + ] + } +# Use the _rules_ field for fine-grained rule configuration +_rules_: +# Rule 1: Effective when matched by route name +- _match_route_: + - route-a + - route-b + allow: + - consumer1 +# Rule 2: Effective when matched by domain name +- _match_domain_: + - "*.example.com" + - test.com + allow: + - consumer2 +``` + +In this example, the `route-a` and `route-b` specified in `_match_route_` are the names of the routes filled in when creating the gateway route. When these two routes are matched, access will be allowed for the caller with the `name` of `consumer1`, and other callers will not be allowed to access. + +The `*.example.com` and `test.com` specified in `_match_domain_` are used to match the domain names of the requests. When a domain name match is found, access will be allowed for the caller with the `name` of `consumer2`, and other callers will not be allowed to access. 
+ +#### According to this configuration, the following requests are allowed: + +Assuming the following requests will match the route-a route: + +**JWT is set in URL parameter** +```bash +curl 'http://xxx.hello.com/test?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4' +``` + +**JWT is set in HTTP request header** +```bash +curl http://xxx.hello.com/test -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4' +``` + +After authentication and authorization, a `X-Mse-Consumer` field will be added in the request header with a value of `consumer1` in this example, to identify the name of the caller. + +#### The following requests will be denied: + +**Request without JWT provided, returns 401** +```bash +curl http://xxx.hello.com/test +``` + +**The consumer matched by the provided JWT in the request does not have access, returns 403** +```bash +# consumer1 is not in the allow list of *.example.com +curl 'http://xxx.example.com/test' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxODY1NjczODE5fQ.-vBSV0bKeDwQcuS6eeSZN9dLTUnSnZVk8eVCXdooCQ4' +``` + +### Enabling at Gateway Instance Level + +The following configuration does not specify the `_rules_` field, so JWT authentication will be enabled at the gateway instance level: + +```yaml +consumers: +- name: consumer1 + issuer: abcd + jwks: | + { + "keys": [ + { + "kty": "oct", + "kid": "123", + "k": 
"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew", + "alg": "HS256" + } + ] + } +- name: consumer2 + issuer: abc + jwks: | + { + "keys": [ + { + "kty": "RSA", + "e": "AQAB", + "use": "sig", + "kid": "123", + "alg": "RS256", + "n": "i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw" + } + ] + } +``` + +# Common Error Codes +| +HTTP Status Code | Error Message | Reason Description| +| ----------- | ---------------------- | -------------------------------------------------------------------------------- | +| 401 | JWT missing | The JWT is not provided in the request header. | +| 401 | JWT expired | The JWT has expired. | +| 401 | JWT verification fails | The JWT payload verification failed, such as the iss mismatch. | +| 403 | Access denied | Access to the current route is denied. | 
diff --git a/plugins/wasm-cpp/extensions/jwt_auth/process.png b/plugins/wasm-cpp/extensions/jwt_auth/process.png new file mode 100644 index 0000000000000000000000000000000000000000..8d5e883d04c2cd362bc00679a42c8a6b906dc803 GIT binary patch literal 39394
zg|vl8Qn=V6T~|HYb97f-;7_k~3xI)?yxnkI(tFF*1hd-{HZ?T_U(tAO;E%dVthvMxDW6h^FYUmqFzI^lDK&%*J?KK*c}mr z?+2wo&)ZvmUoX3UG*N5h>P(>B6Z33aniP%ru|%?VLxRSM;Uq+0PSPsl=OB7wIWcD?Y%K+xNeq6ERY z&S8&#X(h!|t*LV_s(&nE3oPrcjoxPm20!_p@%L>$uA{u)Eev$uxGJ9j>K?T#lQgI6 zRenZVBQzsD~J4mW08gedlgt)tIzrRYI%PFSU zDZ<7@#->L4RJuw{3>+4rf=&-AG@!lnRMmvV{6apQ063Zb! zcuo}MLKF`>;?Uuy@kwrp^6>)E?DNhBhdrAdp(5OAneverzR8e&Klf4lR_o3O>67tD zp$7guK@fH9F9Ne*2-%h%SE#PCn9qU!g2Ssf5At8U8B~S;3+1G6Ox=Y?G%P|6QAQ9l z-{*6f$L5GK292UO)dpY@x7o$#MXJ7d%~O@>k*^tBv*KCgFsAWWu~LfoazQWj{+*r; z&0;SDtM~cTzfmx*oxAZf8eyH<}X7!sRH>Ii8X(KJ%M-vFL%ir}d zo3#~X%ymw)+&#*NXdYrpUZxt^6GH~*i3euP+0v)C8r_4O3L9~?Zc2)5!GU+&s2^2_ z?%FcA#@7Bc6q!1^0DsGyv3wAi;#VdMQq*aNu{3!qlv(TeDvPN zjqpYS3Gtpw-~~O7Y|Aq$NrHmXjk?GZO2%;? zWpa|8yd4@>yW(nmDpap`#I5UGVs*4B^Yh{w%>J18%mPjCk;Boeb3NDHw1275UozOg zNWL^rq;WN<+(?}7dMx@Nre&GJVqeB3^-QRU=Ly8@>^ec5ar(%~H!S{l1zHwkc0!b1 zC$%i%#4|1pi^!x*-eq1I%osVTc-;SmF#H)Gs`TT@q^rh$)ilwIPM$9&ZSG*dnxv0J zwhHEs1evO&F+GRE`%iwE6qy;_oF+z2oqO0rUk%_3YL5HIdN^U78#1u)fUA$>+H?8W z(IG1HAB=Ub?kCP1k_yjt)3JTIC&<_8z>!e8rQ+F=^*N!Kj|wbv?Rl#d{4^QXcd*Ir z*7dG++bU_;p`y_2%dX5aOI=_B z_7U!XH-b36&P!xh4Lv?o2l80hwPP37 zC(pVqncsVMY$cHa{q5O=xr~)Q_&SGufp&(Q?Ff!sOIHraHe)Ifn=9@bnVZ1&s(YgS zI*%0tuCWp!1omNI^$M2$F#3OSfxgzy2x*m?a~;FT9u-wp6IZ{~yy z3rMFpa*0qI!p(|E{(mKs(s082k?n@zGmsCz{J^F_<$^%{+nF^T>0xx@2JmUG%y_?E zJ8HW5EKBag_zUDy9=k|PGV81r{SOzg?D`yN7w~`T`w>vTF@(51*#U?$MyESoora@A z90yP_|MGZJOa25+w>lVZQSgJ{8gvy}BF-u`lFDTOWt1|hor5>m78U@|&L#vD^pzGoWkWSo}ZnDg(Vr zK9Gai0S^AJju)`tzkDn+yb`$x{oa3B!+D`^|A!wOqGfwvf%=#ImqE##eeWy+8AZ=2 zV*rMBHn*GBahd_2G~{;GtvJ z`QE_;7_y&a4_vuzL)j1ff1SDZ)(-rBg-9;wCK!pC^e=3_gvKQgIA)1H za9k|dR%}0rzIe@pEK#`*Eq7M|_~))CrY_O~tm+JJd)JIor+o5s`O#ElKEmGYq{_%Y z#1yDaL)_@CW!Fw&QY=&Qo%O`2tJLcjg*RSCkDWU+(sf(TjE%UjezAVyd=_G4w2>*A zATjAU(aWtr3!|1p>b+N0{IOM{SA~1#CT@a+;R0CLKpZqe* zsM)-D=1N}D>6_(c+o>b<1;>H(aG8Bm)4e!;{$Yc(_txB6;M^_FS(b;(jHB?h*pwl6 zB`yn8T?)s+tU8hcDvW6Hon5eX_cbD|!yK^PPT(|fGo99|^Z@0h;h%@AnbP1)EhAD7 zBSfVHS9<|cFohAI?E}NnAOlxPl_BeJYfm5=vzidD_s5$ZAO+Z>rWDRV$H(CTkV$_m 
zLNNC?#9$=p0qp^&8FEtTd$ljjnKOcsn7b6Xpf;_zv!BrUxXY+c@OB$gvU=jmKq+Gj zO^Eo(ha+Kz(yZDy*5A+V7?<6sy0E4NA1(Q5D|G} zl{fE?Q9aBz4kn^>*oz{Yp6*>FnAojDOsezdI7TF_#?+IZZ~^6s)LsNl(D`Bh^uK}U zh*u%0dnlMjT2e;PEI^$-7b|2q4C2PPr>V1;;WD+FvP^S^uin$S*_t_#b%@oAGM0S0 z(i6J;tE0z)pxtV*$g-3hAFz4Xr)eHkjp@*Q*rp{JABrIpq_XYHrmK$h7<2S05+IJCEqTxipBTwY3^fe|vqu=USE~E7KzQFe+Q6;N}(!;W{r;Z^<*P$(*tgM|^rZ!ni1TEZ=%J zif_LTE)ijh&W+aYUuuY^@OBmXuo4v{MaMNhaUAm#xARVwv?1L2prh*Jgq*m)l{D%h z+sUUl9>j~EhznrGn1ks`aR@Zg=7#oOCb)m@j@W&Sgtw79pB#d?qVb_|%aT*aY2Hvv z^U<>^S`O|KL{c&DgeG3S>n~tthz;W@#G(r|s|Il2YNt+=hA@k!tT5o>G+1fSEq0@A z&Eb=UvTylN8tBQ;wTR0~KdDnyvN1}H145}b{83sjXnN`_5$5jsXNKh4n-K~mR`sk! z#TeF4{3_JB7KVt1TsHoeJC9G#^NTD@rV6EQ*A$whH!EFP{H~JB{E4Mg*+1L zt7E%GKw*URDqcn8WkP`n<-oxd)o894GQ){LX^tGKoTtV;jX6T4cS7x`3D1ir1(^e_ zb&qH<{J%mljI3(OJO_LqGaXkn8ywT1YSpz8JR2e3q|h(+N}I}|KPXR>r`90A zWRM?ErKd>VxXq&#pe9Tqa#NH+`UI!{J~si`fX8C&l+lmHIH*!iMGz|$t{s`;qs{a= z8)2%HKpW|*cSS8MtpR=VTv@R?9-o;Mp{GNXdz^3>6%CPnIugMZ3fl)d-c`_nBv4Xn8Iur}22xF4V z$DN1)?Uk~#RDQ{3RcmLEW$Y}?WfH0}Ct|S@Bi)OLTK@c`P$zgZFh+OI_Y@zj(8)op zUo{!dr%#hv#Y^0BqhyB2U5M=1v<;+9Ok#E4c`tyH?(NgVZf_!CGi7p8Qzj2_t5rbG3wja(|0hAnZ05*-R+sgLnp}W4){BAH(3(d zx-*}AFBn1LIZU2!x}J;bo`|`gX)E>oSgwYW1ryi4$l;Im83yh{{Q4RqTn=R34qjBr zaLjS+M*EBCN#h0Zn7tvFFWDDfLmtv<5+b zM960S%^g#bRK3$>2Dy59=Cx6mpCHbpw^rv&>nc2}#Wb7CgaR!JJUePiyN-ad-RyeT zgVhXZRf-OqRJs9R(diMGilfirRUM zjbijsh&rKEM}t;pJ2=Hh!+-KbW@3c5&()uAnIn6?eB|v5SQb1qC5WpGQL28I(q4e)X{FkmiKbjZ#NV@ZahW9Nebqj~@JRaB0ys)yL(u;F;RP@5)0*!JhES z@+;uZUG*g^ofV|3>YIe#O(8Bi8eRv^-|bca;90QgJO4vT=EqP% z{C5+K7`XoP0YJR@2@i8W+?ktp18L;C z5|@En`*3Cfs(L4ZBs(93T~N`Cn?U5t*M&bkk^sVoZ9lTXBHA%X>qvn~8;!UWde1`IihKLsWx+Q2@CO(5A|f;sgoFjF#o*C6ri_i;hP5B)epZ2*Tox)*3{ zheFHd2gryLB+%^!ICpLUMtTFfryJ0>Xp(~NGJW<2m5vsvVq={BN`<%AyW5RyA;I*J zIYe@+^g9^Df1hz1;_ZteJ|R&-(z^4@IHrKuju}3B%D@h!;ICCazzhb8E6+8K&Zsb( z;FmU%e(+3<^7KO@PtbF?g9sGusEJxZ9dVUszizVv5N{hZJ&_wGV0sZ&x6%VTlK1e_ zuTIe3^j!20l0w;$bx087Gy!8&q>z-OizgRdQ3CYIpz!##a^AA(?H$x&)sYJgeV`Y8 
zz@h$__s?;#Z$1DE|KD2<=;6%Q3~vPZ;m+{`YV=mzy3}>cUiwOC;54DSgD{)DQ1Vu?| z3n(Z0vJE%v)(WKZ?L8{Ph`NauRZ75AJC*ucBaj}Dn&pKoLMRLO=22aYh{4hhl~2O} z(7vzL&yT%GKPw_)r)S~Ma@z1j^41qa`mg$sKy{v7N7jy%=$!9u1yqT;l!%$$yWVUTZRn_7wDFHwDF2U^tzUPvxiglQ31P1j~Ne^Wr3fn_uYH3{xtqyRA5#5s?9JC z_L)XpoXjwy<-IF_l+z#l)K!j_7T`&UU*fCYBuSvVp8u=%WInZSmN_q@miRIE$=-Yu z-#;}r03fr$4r^J&?4zKH`{IGJOddV1ClT44b6?Kt%d;}!?;i;II}vlwbrmExUR{4z zG}dxnP}gJip!7r^lMD}|5{<6Ye-JH(gEvS)ruuAl;CsJ3@*c?MV+R+y3bWNWpntq) zdhw+4uBi6z&bC$zVwBdkZGLja_zvgyvwbJClT4GhjGS6j=0V6%X!R4uDcy|XHXmRvOG(UlzokjX|PO27#TW(IrNOX_6 zlnwLX(x)r`>&{eSvG=}DBiYxg|HIEpQuZ3-=Pag_EnJe7m~=OQ34e#Y2KoG&)@YoX zCt`0%_+QafY%6p+$Iwu}0p%SWt|Ho5#xOUk9RuAsK(ao@+!IR^NQ1PZ@Z z%bjhn$od%(gvXw_{vs-bL5cYs>|Tfnf?(}x7|rn=nE)j-&HH5ZneUN;w?{;V38H;p zbW*U=B6v?nbdwX|T%>JlqiyNbi4bGQ(5rzg_IwE|EPe^t1p`zz??+E0hV4xKYe;WE zd1hH8TkAmoF2w0iz}A}?Iwk6iD1BoFGx@b&cr~^hN!_wdKnucC>BbthcHT8NQh02t zF=}84xM+*0rgbD_@0Ia~UtxB18;^9bi+(CEW!28P^$3M*5L}tUjA5je^V8-D8aa`> zdDs4~OaGRcou3B*6+Lgso8XC__TJgBd{+mk~}08kY~JvsoISGcP?e+kj{^qls=>wtpYuV9xc zKoX{2RdEz$!|W(H!b31hYoq#x`_%K*yi^(k;0_`|aLB&_h=r-FF|v0&5!6NBc~(=W zo1tpRvcM#u?ewnKAtX`8`GvEjJTUgiNTL~D{eP4lcTfV;XC22ik^SsSsnZnj&o>$* zVb|n@yq9?bhM2GB2GLl3$i%TdNao`{>bMwWeMq-L=rP{l^Wy%X6F_gvNjL(?=V`}#OCuF32>;tc~40l!?I`(7yn6WkEF+4i0Hz{s1` z_rcor9xxc2?#55WU{Yy#;ZH&gz)A!o{I9isgi@peNdT)OwVYiCWU?3T)w|+JL$KN9 zGuo?(rk?L#vn7i)_~HtaKonjHj#?Lq)WF50w{Lk+TDTt|O?k6>-V+q}66N5Ioez`j z&p&b%*(%rIh`)Kkx-TJ5@vzWy+)^PW(ss8CK{*lAQ{|oK+5q{Do3R^m_t4E!>ov%* zhAZg*oCg!N3lc5Fa&|q*%T%T)vZ6~n_VZ6yUCg2MJ_s0`nTq_eK2`<&YcFE+4+}x; zhOwIfw019=Ned-D_OiI(rndxB&AQ4U>G&6m&A2F5f(VR2THbrEhQll>m~xRk24_zK z2zhV#P47W36HjPm%)IRgVCos4Mlp!LDQI;7&x>iwN+q0a>-uS^&}P6Gc+duToilo& z*qg3H{wL$n#ILdQU;lb)!vYNO`&rQ*mh^1|SVsU`c6skIEniLj zQ?J2Vop-x20hu;;VnitQjv;p#l}NXk0)j&Q{g+$oIj|Ha2F@wJ1kg*H>8i*uhdxmm zeowEuK=LSp(ILA0(u{Dq?f?pU>?O1?@+9;6K*IP52w2&Kt**!H80FDLoE2Ph(`akT z0uYMZLWbgrFl6$X*2BGVTK#rabSJDb1H_;V8)YP{ltUihF^k*M96im3C;f z1MKmd`SD1Bx-c9_h*~;SoZ^lc5;~)=gy&;+$s(e=U>q-nNpDSZ%Cos5jh!PxI 
z7Ll41JbC;<>tMSXzWnlPC{f6V?xGk8Hn7<9fWHi_13qr*T!;q}QR44TeOF?K5?|(dVvm6WcBUu8y0VXZO z_G9V-?|wp)aSl}h{K78Z@Te_PU+Wn%c;J$9L}oBQe2u;%r4rxq4V9G$D>=x4(4b9z z$CG1?p*w&pg99m=gYc$nY&5t6@akbqZj4$*uNK_>dMa@>H#?*9g(ESgW z8K}Q#Vzo>%X^X4~BQPb4sFAuPV|5^F=Y-JdKS^CDQiOSCIqs#;fp@BC4h!scm@&wVIKQnc_?7Ny%g24V!LbP$E=SzA+i*1OBeClS!!Lx2nvCQCnI~kt$ z!VN-xp|-QNQ5 zy{$8H=GWFaav9j#SBiVr@mpF1#n%?sQsMna7hm!I&Gn7}vY+>;aoqxKQmtW@u*9FL zegwow3E%*(mJKzbOD&?QC!2u_V!WKDOpuD4LpL3MUq-60FGO6Oe{QC=9uX1LuS$9P zAR|IRZQ{~ON?k~4qA!a#t83TO7%^js{$pw;%ObeKCWxx(zPoz=;O_qOBD-?H(Olkl z(wTesNKNP=wX%k!Lp46-N0vNF;<+48N|wIbtgr6|miq6f1! zD(jb5OgYw;g9jKy8kR*plZLJ-{V76UVIr3?-Py4<{*Lk+S1_aX5sjT=Vsi4ua@t8! z_KC0Wp*;XY&BbVcMF}4<`W|UpH;QB(@omAVwji4^THP(Xwv13Tx>CV{O}I0~sm76F z!turXONLbYGD+r;OJDIBvDlpI{oZ5!EibvxX!7kLw=|Y3GLFGY@fYiC^`@f}QT5M; z!(UV4EI5d~e@}|Qyv1mB4R7?<(PKZ^S(XCVmu3GbP!Q)K1vTf?DIe5jqw?f#pPk5R z5ciQ;H<%u}VCIIn(wdJq|J;jc$WRZ`((o#{(cWg+)5TpB|Kt3bKRrFg(*=!QgBj}H zCe2IVsFWn-mm$uMJ9fRD59Q_SEoEQQM@Z~sy+F-8_hCGmkaLYxw9LAR&j|FQs!N4w zMI{e7uFC1q=5~`LzSx}t7SjfQDu(Vk?dj$GZK1@6hH`XgRs%OWsa8KNNDe;))S`2P z*iiV&Kxg>=EiN|kovZ5`8Jk-E{QVRfeZoYMo(6}mn@vossTO~1l07|%YL30@{hh`| zzBcCalN(Q`7%uLN-`u(V!J0x;MW-T(C6v193F6h5mn>gmnqVE^gs)BVO_H2FJ!X`v z`dPx!)~OD`Ec=_(_HE|?n1!f`H7u1~H;rw%|l zShfg_npU@5it(4e^4+G%?*xZHE@AEVGixKcbX3pM&rv87(UAE%_-!?Wew zowh^qlamRlk8Kw-2Dn*n7d3~!zLciax>lnSGq*f4HFf?}eDAH!a%8;dUbz#%J8=`9 zx*9)r=1uMP1PFT>Dk)j=!2C&jaz#>nXN+U~HZIu}_jrJFNfL51H|ZAHC#Z^m4egSy z(<%o!LC0UGQ{QlzBXOszUP~8-sMIizw6k1KS3o!X0F&Jzt5aVry_BdRn)9jIt&#CTnV{++65?&0quJt|9`~xk4x<2#WHOfdU*?Mz#nW5nX zpW}-?Ba-BE&sv$40+Zg*U1zi(H|s&XtQDysi|#r%bo}g*#i4bFhDn3NQ)4cbYramG z7E*1VQwS5e9mtj(0^aAXMZRT008%%WLo%;VDEc0DLdjs%O5u&Xr+hC-THvbO0R1`r}6>EY`BQM#@K z5TG;H<-^Xiu?hJu`_A-()?@ZvvrE0JyTrKrr-i6{N9lM|B=WJO_=P9;9w5oUy`vnr zb|W2{9Lx2a?u@VXRLS}|_Hqv(!UR&3S-rjKrlCX+*};&7&Wx>ot6$1RY5+31%x26z zy0pvh{Y?1oK(;rP6$)`o^W0ckm0iAW`o8$VQt}&Y(-mCbT1P`k?GK`b+hmW=oXLf$ zdY|pANUfVJLa8%bnd;HAWusReyatV{)|BsmHDZxEGAp?m5V4#%&NUo&RpY?cg(O*&`3`weGXkTii^Z(CjfOXdG0|pVL4-v 
zy8fezkPH_pn~6(4C4`+tQD@o}ZI44?Lno@$-!0M_;Yy@DiaRrj;VFLC*_!>s!P26W zLBf+CZAd@B7MR^KBxeV1WQ>&D;SuJl#;7H->nNk)`PW^!-Moe4FTQln4x_A!%^lg0 z%Lw-~lpB8gVZ>0bgYG6JKyd1{jhFyrHmo4j70DV7Xci{LGK+x$huEL z^Y&UrsEtOkbJlQ4-9*u}9xpC|OMdz$3NMACK%1&Dq60KV>6RDCT?21R4laMd#P@y- zI&05lo>;umm?YhXK5H#Nhc60aKU-Nv=Qq}-fIkr-I_k@Qrh+a{nsBUMA(%lPebY0Q z;0k(>S&m!Wh5>=gk1TjNd&?jYq2eY76Z(PC=`FhCshE8CjONe7Pt}r(G^Gf0zSbewwHVg3DP)QtYzNl(b|}wWGEp zN0xT-U7w2>BGMF?6K8l(ZbkkJF;i0C*1>1GAtyaiTy5WQRiq|nfMHFkiM@%sgBo;H zrzdH`1pf5o_6#?AA8C{Kb&I&sU&77XN0tuLWaIC>*h$6q6zerEb(XjgG=Qljt=h|X zLIT~~h0Ki7Nf+`$aFnxW^&(o~(}VAQ1@uXY1gZ4Kb3>kkaSqy%rk~#oCQW$YC#8#$ z271j(<_qR@Q4^9M#W*~w?M2Mlw@W_SkM3GC)g;kK>%^>w*=r55eR7*i8(OFkX)^O3 z@TB(CNvbenXVBdJU~j}=o24?nA)7DKE4jY?<;(EasQQ6#B@u8^vE48WVD_iKHB0qJ z>8cX)LXwA@1mjDBBWjrXGkpTPoWMs!o5R8*{8sl3Bl?JWA%V#Ybn6R|)hBhNBgAZ{ zdq<)0f3I>JW^@{kWL-25OFYp-jKMh3u%+Y7VlB|udykhKL^G35n35aA1J1Sxke(ct z?5P?Mg8UH4>ujUe0=p0(!Puhwk&uG2m{9F6ah$-SEW1H{85hbct0t}#&as$`HX`uS z9dwTXp-N?dW+=COzb$!|MOV?!H&IUSaVU>wZ+l66TioDghN5o_)8o;r=pqjKq9aL(t_2X<2x%xkJA1Cy5t023_M^r5jbbaEH@R&DM1!9d2oE0jK;d5y za#|lv^bSo~fz)emYxu${dOlUD;J)0KN*7HMcL{C~jKswSvK;rkPbXnGDA+84McRQN zw5x*`%v0B2eHWQvs)^s^+5GILa*6WliKQT^<%g7Ua~6FB4Bf?YdcP+l#E%7D;8PDK zoF{szp4#B(nvk;B;gWX9wBcUnv9NXo3?$0u7RTXo$)V5|Ak$)%v>X{66p$zy*1_RB_YxP^W z97Af;%EeVz6g7^D*VNGSKH=oR;fZ}c^&2=df3LA(2V0(Dj)&zL(?L#jP5gY}KMKRd z5+bbGZdtR}&=CrloX76_J+W}GU3`dcO4`JwqYT(C!xwoURudU``m_VU2I={v3!c=t zM8M`30!L~q$ma&AH=Esp2kk*4z_D-Q{g9`s_lB{Az_7JIO%(;TCKk2;F}ZcR z{Kh1_E^1Aw&V^ir^EKr-Op0@p-Vsac;wpEH{T%I|LvWO{qjg=XY-3nWtfpLEX1BoV z@Jl@`G5*5S3;pTlt>js5Ik9*i z>8QMCU|HXHfNeFcQd)JSH+4c~-vB=tEnN%3cvQ-G)<4-RPGn(lN#xt8393*jdyI}h zyR2kR&ScQ~BO`PI&7Tqq3RJnLH5tS+MSr&6x~_=6^Btv&FE65u{0!4%np2_}A_W?G zPYsK)WlWvteMHzaV10A2T$zmld*{&6lt+vVf_JSnQG&G+&~3{aN%<3)V7pat3U=~` z%zcczT&dvj0knbvRxG!NW3->iOUT+)FH*Y>)8du4@A~F-9(N6m*r#@_yfB)2wYay?~c2g8#l`qqPP1-k8D&Nh-{#oEkYfy!I5;08irn+s%8 z=&J-z%9d=6e%oZR=O3N|o_yJd=I_g1P6`AD@>>GaV~k69?+rT8kbZe);z8Yiba4AZ 
z07RX&oEndKsAGF!O+09Q6;y)wzp`jhhvJXfpE~kg6m?V#dA*`!rF#4br>4ggbN_TAS-+IQ_|~EI_j0)2$a2SoK8)W1f$WX`Z^N%Sl)}&Nti>j_`VE z90>lvs}z4}IzvB2yjzh+5Ra7w%zT=#H_QwPg9C*YF6R^Xs~K(;bP5+D{YFv%f9bZ{ z5WnbeP9G%Hd!a?YC<;VHzVbUCg0P37L$-!a_8gN0#FEN8A|a@eDo|Hr4oxUqkH>i@;B z*mLau5|01(ul}!}1Yjg+IgqfZUs|_p{6Ccu|GQuP|M(TZX(s)b|0@XY-`D70{^$Sevk5YhJ=w_KJ@;Q{|Mv|Qc`-s}9oYO*;5JLc z<##%P+HDHhBSMgnAs|aMG)sbDumSIVwk*r7jx26bkr}lFoKHIx)>nyIoZ_OXaRv6RUko~d2#vG-L~%w2vG}!;RLDE$D|*T zkwf2nW-*8X4gSP`T!6@nh~a4-2%pCH+Dv14;PFH}56gVXRwb4&Sq+J1%inzn6yrP$ zv460;z3{LPw4c*}?NPh~Ln@*U*_;I|*d7Uxir)o>z86B_W)O`(s4mzg_B0KvA`h9) zRKW7Nr%VUR_IBhdqPZWpOaZd8Kh~>?PI7OM1TdsBQ~i}Pal0@B!x19obG51pf_e+L z5vOZaAiWEsphj4(K3J@VAeVA*kKzz!qedt&t*Q?pUM3r0kNDsLre|chST8iGwms5j z)wI`l;B5*Lqa@#ItA<`K>X zzLpPZ=(r(-6;Ze30m5*ii7Ys=1X2pCf>I#Hijjn47@AZJe=7Maue5IGc0Xd^9gVZ- z1$BFoCtu2Ls#B}_>V5Fu_Cb8}Eaa!jC+^lkdNaW*oJ+Ph-ZJHm&Na|&$1oc%bpQR= z!H?Zq|#ip1~9op20r`&BH_7!%-M3M^oDa#G>55t*ysGs zkm4~FP1{$9t437uHxRbJc!XG3eV_;LQ~^lYJe&*{xDzF&QX&7b_DGF3p%_-l-z>1O zLlAIi1G11xu=>!CEtfBSb_$3k4-nDAv@FI&gqqTd7yX>xhQx1f!i*%d3DJVB?t8CG z5Sb!+2Jk2sxWGA^Fy(R@v8wY8_p&3oR7{<3%xbzT;LdeGxPBAJHhYcv7-~xIV>+8}-Xpqr@voJ2oZ00?LN%0NuU3FNA1S%rP zFoe<%)~!*-Od~8{K&!im)Qj(YLa@(ZRMwDU7D`+1f^Eszu`92xi8I~vmh64B`D11R z@#N_>Y3+it;?3lFUHkMNV^WYXhGa}qKdtB#q>31KTlKF>F0i2vaLYL5s8kzLjl^+B zuAM#8;>yOPCf2eH`c4Uvzs2X4XL zz>U{`IB_a0sZev=l8Z`Di_jfi%6PONNpnn~Im_9y4&M0dBR<>5#jGO05)%JBo#Blt z#Junx@HeuL{Q*ltDI!M-0C!NgW!c-{@0h{S*1}{CkyVsQc1vaX8*InK1QXhJ??QN=}NOp{iN5r83D4!d~CkYq9^b%Rm!6Q z4mYsDe2h*=9P44#vM!w_9@H@hrl9?Atfvh;92LhTOD8|A6thp2_3H@3>WFGvgb z#%(mb7O6;d&0&5=Smwk6!5;g52IHy3d~}OgTQT1KWH0#p+Y4(y8p&@`ybcGTAVH|a zJecHxjBP!J;{Dmkz6NO(f6Lxg5p^?H|8Sjt|3zWGP2Y$mwJ3aS*=&`AYkVO7R+k96_)O3=m>B&pR!ztOT5a3E)xq;T3?`mS-7myrn#CD2IWr=p60#Ym7Y2wQqSpYQHMi5GXD0q6E@s%HD*N&Zj(0b2SOxaAOU& zV0y)U{&whxb{t#S1n_+iEb3y;Z6G>=MiHmrQwq!pPBy9@OX0OdWZ2f zr6QDfM^*hL8u=Lke9V-ahQdmsMO3Wsqqb*pFk!IKH%Y%dw3=ezyvW3D3aF2{_hqBr z0_9l(Roc%|i&2QTFuQgiY8;$TE-w|U^C@clAOF)r8b z+`*E}%P+&1(8KLnI26C5?(i% zAR0t3HunTY>H 
zS`^L+JE6h6DlU@}V9xyF8nal+(_Jt=+q3wy%oJH*E2adUTEYITq0H>Pb|7qGjfJ!M zzQiHP8XMMTam=BLF5o7zgDS;O%A}~?WKMajQsek4sIslXr@GB9oH$X+;Qy2_V?=+s zK);45i6Ck>_%UYL=PB4(VtEj(P;2*5vNw zIlYOe)JPw3i<%uu;NWcjAt95JU5J(bF>-LQ46K5{s-zUC)GSAx9^;n{ov5{S!mg>( z-$^j|v^Y{Czhv-Lc^acLzvVj5+M@TgSF+^(#v&xdYq9A>oRUdtzvQFARlOV|DI>>5 zK)d>V-&kx9zgc)&%XBtNU?Ar8%1B8zBjqv!C9lS8js7bEnUs~5N!NLQ$}((kV#!V5 zb)Zy&BhbTUjO50L%ex+L_TrIA;YkbR;jkU9Sr(I(N!gV9BqpCCFw}Ag?|N__^3O#| z9{mNB|G{qp^Oo)N%}}oU(?%L=AJe`jJgX-D;WKZ+*1BbLO7hdJ{YIC_s0pQ-p7qRo zJTJEy`IgC>SUzMqwsPJrQh zXN{c5T5EP~!ay%>KSOyFB^|V;53(4b`*8V@oE?o?1a5S_@={PI3{IurY_=a%1w^A| zRB1sa$xEqw{jvR`!gx?@p&WX(<*+6hZZUOww34Ek@Tp<)E9yuKHu+0Kyc*N4?wC*? zvTBV!3?!OfH)z2-!Q}=epEY><$(VuzVR&=+4=VD`VD)!Q4kGFt_2NFTq>TKnWij)f z%8=xZFRnNV2!UEbbxpzt=y0Z*~q8h#Nj=o z`Zd|XSTsBG9;4I97o{+Nf=`K@D7_3H``<4?-fl2j;(~tR&7s4Sfo}f6s{3Q4WCyR3 zyvedgE1$xn;e<_3mXSNP6pAjl`2sf6AvM%;-i=l&dHBa5sAipIYj@SJMA; zk!)(vjE5S{2jo*c?i#e)Q)qbnToe;aA3@Dcx^nQkr&?gw)+g6k z=AEVLsQ){;VP8{*)gc=MQL8B-O0fv0m-eod#M#>qQiTW=ejroia&l!2QIWKg9w*Yt zi^_|PNTFDZUG2|}1vDJ26EpHGv9d#@719dd>W$doT{fE-C(#jh&l9KO2kz7FE=jVu z#V!m5R)@tm#}R+LF%mwp)mX3A8)qojQ~zKQW6sr4<4>3yp|15bqKpe?Ia@Ng{7|@8 zO|qvN+feTiA09xvY@uJ9rx`32cAR*6>9dLxI9|k16Bk-T%n^AY)BKnim--!kP8NIN z(8n=1d=kYpUENc{kZm*&f2%!4>p-pw=}x01JMOfaKCip*l0X}JKFwb3Z9+CJj$Cr} zr+_GY4$eg3OK7kWh_ao))$EZ*yTUq1@u({pS4P8=o|qcpfVTK6XGt(3r-btUGV@b{ z2O(lP<}tqf)J;K{w2d22nUXl+}#LSIYQ1A{@CS!HkKjaM2JuntyhGQ9~5_zw;D)n>!J>g$i z%sLHXq_q&q0A0h9&R0$lqnG7t1mT+o(kC+s)q)m0ZicEitP$l4#=v^7_}+n%PXL+F ze$>9MdxJ)5X|BFdw?BZx=9vt2+d8lK4J3quvf#`}##sELL;O9Wa@WcaLPUiImP^*WzotM#Y&W#s;LPL)X+ zQJ%A%ZqU~b)+0jP4nB?6=u6Jgi&GkP;>NIG74a2kuR$xdl+Undf?i(HsB6jW>4HguSg|BRmrrEpHk7=d9UMWi^bOS~uG zK%;1#lQKr!lw}SLz=wbqkkL#+k#hp}oYTQR5wPgsWe*{*h#V7aw->g;Iw!zlyv*e< z)7Y|DZp}X?nR`p=P8MYRr78Iz>L4RM-ZCdQ=hb84JsHo>A+lMdp@N`jfp;_qGm9id z+2`I;@-B*`>!$flGkB}Lx~kVXlKX+v|82ZATWW%fj>&dJ%|nO=S09;zjX^g|;CZkN z$lZM!>9C4vZ45GM|bz?=koB-9F9~(kK*+B z`QWdBi8Pt}6DV};(up|oRDx_b=U#Y;AA>#S9u9j5pBm 
z*0~Qd>IXrs8?}yuuccv!lm`x}OU@)F`1-vAQSu}HJHrDa_uxi>$MGBzZ2BucpSde55A=6?*Zl9M i#Q!@}By^;Am%4Z^4>QD}f94PPpSp@RE>G!}&;J5kMJkj4 literal 0 HcmV?d00001