From 0c4ce18ed486f2ff07153b5e823921cac1ee9358 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 15 Sep 2025 13:06:26 +0200 Subject: [PATCH 001/120] new structure --- guides/security/authentication.md | 134 +++++++++++++ guides/security/authorization.md | 2 +- guides/security/cap-users.md | 314 ++++++++++++++++++++++++++++++ guides/security/overview.md | 62 +++++- menu.md | 6 +- 5 files changed, 514 insertions(+), 4 deletions(-) create mode 100644 guides/security/authentication.md create mode 100644 guides/security/cap-users.md diff --git a/guides/security/authentication.md b/guides/security/authentication.md new file mode 100644 index 0000000000..fde9281b4e --- /dev/null +++ b/guides/security/authentication.md 
@@ -0,0 +1,134 @@ +--- +# layout: cookbook +label: Authentication +synopsis: > + This guide explains how to authenticate CAP services and how to work with users. +status: released +--- + + + + + +# Authentication + +In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. +Briefly, **authentication** ensures _who_ is going to use the service. +In contrast, **authorization** dictates _how_ the user can interact with the application's resources based on their granted privileges. +As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. + + +[[toc]] + + + + + +## Inbound Authentication { #inbound-authentication } + +According to key concept [pluggable and customizable](key-concept-pluggable), the authentication method is customizable freely. +CAP [leverages platform services](#key-concept-platform-services) to provide a set of authentication strategies that cover all important scenarios: + +- For _local development_ and _unit testing_, [mock user](#mock-user-auth) is an appropriate built-in authentication feature. + +- For _cloud deployments_, in particular deployments for production, CAP integration of [SAP Cloud Identity Services](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) is first-choice for applications: + - [Identity Authentication Service (IAS)](#ias-auth) offers an [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management and single sign-on capabilities. + - [Authorization Management Service (AMS)](#ams-auth) offers central role and access management. + +- [XS User and Authentication and Authorization Service](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) (XSUAA) is a full-fleged [OAuth 2.0](https://oauth.net/2/)-based authorization server. +It is available to support existing applications and services in the scope of individual BTP landscapes. 
+ +::: tip +CAP applications can run IAS and XSUAA in hybrid mode to support a smooth migration. +::: + +::: warn +Without security middleware configured, CDS services are exposed to public. +Basic configuration of an authentication strategy is mandatory to protect your CAP application. +::: + +### Mock User Authentication { #mock-user-auth } + - Test Authentiction + - setup + - testing + +::: Info +Mock users are deactivated by default in production environment. +::: + +### IAS Authentication and AMS { #ias-auth } + - setup cds add ias + - role definition / assignment -> CAP Authorization ? + +### AMS Integration { #ams-auth } + - setup cds add ams + - Define Reuse Service + +### XSUAA Authentication { #xsuaa-auth } + - setup cds add xsuaa + - role definition / assignment -> CAP Authorization ? + - Define Reuse Service + +### Custom Authentication { #custom-auth } + - Service mesh + - DWC Integration (internal) + - pointer to hooks and properties + + + +## Outbound Authentication { #outbound-authentication } + +### Local Services + +Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. +They shouldn't be exposed via protocol adapters at all. +In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: + +```cds +@protocol: 'none' +service InternalService { + ... +} +``` +`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. + +### Application-Internal Services +- internal-user (IAS + XSUAA) + +### BTP Reuse Services +- IAS +- XSUAA + +### External Services +- IAS App-2-App +- Via Destination (S/4) + + +## Critical Pitfalls +- Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. + This means that unless additional security measures are implemented, external clients can potentially reach these endpoints directly. 
+ It is important to note that the AppRouter component does not function as a comprehensive envoy proxy that routes and secures all incoming traffic. + Instead, AppRouter only handles requests for specific routes or applications it is configured for, leaving other endpoints exposed if not explicitly protected. + **Therefore, it is crucial to configure appropriate authentication and authorization mechanisms to safeguard all endpoints and prevent unauthorized access from the public internet**. + +- Clients might have tokens (authenticated-user -> pretty open for all kinds of users!!) + +- Don't mix business roles vs. technical roles vs. provider roles + +- Don't deviate from security defaults + +- Don't miss to add authentication tests + +- Don't authenticate manually + +- Don't code against concrete user claims (e.g. XSUAAUserInfo) + diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 1a53ce52c8..a7bbd493e2 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md @@ -21,7 +21,7 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ -# CDS-based Authorization +# Authorization { #authorization } Authorization means restricting access to data by adding respective declarations to CDS models, which are then enforced in service implementations. By adding such declarations, we essentially revoke all default access and then grant individual privileges. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md new file mode 100644 index 0000000000..32fe0e9e2b --- /dev/null +++ b/guides/security/cap-users.md 
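Review bot: in the new guides/security/authentication.md the container that warns about unprotected services opens with `::: warn`, which is not one of the container names used elsewhere in this patch (`::: tip`, `::: warning`), so the most security-relevant statement on the page ("Without security middleware configured, CDS services are exposed to public") would not render as a warning box; change it to `::: warning`, and `::: Info` on the mock-user note to lowercase `::: info`. The link `[pluggable and customizable](key-concept-pluggable)` is missing both the target page and the `#`, and in overview.md (same patch) the id `key-concept-pluggable` belongs to the "Customizable" heading while "Pluggable Building Blocks" carries `#key-concept-decoupled-authn`; point the link at `overview#key-concept-pluggable` or rename the anchor so the cross-reference resolves. Typos: "full-fleged" (full-fledged), "Test Authentiction", "exposed to public" (to the public). The IAS/AMS/XSUAA/Custom subsections, "Application-Internal Services", "BTP Reuse Services", "External Services" and "Critical Pitfalls" are still bullet-point outlines (including an internal-only item, "DWC Integration (internal)"), yet the front matter says `status: released`; either fill them in or mark the page as draft before merging.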
@@ -0,0 +1,314 @@ +--- +# layout: cookbook +label: CAP Users +synopsis: > + This guide introduces to CAP user abstraction. +status: released +--- + + + + + +# User Representation { #user-representation } + +A successfull authentication in CAP results in an object representation of the request user determined by the concrete user logged in. +It contains [basic information](#claims) about the user including name, ID, tenant and additional claims such as roles or assigned attribute values. +This user abstraction is basis for _model-driven_ [CDS authorization](../guides/security/authorization), [managed data](../guides/domain-modeling#managed-data) as well as for [custom authorization enforcement](../guides/security/authorization#enforcement). +Referring to the key concepts, the abstraction serves to decouple authorization and business logic from pluggable authentication strategy. + +[[toc]] + +## User Claims { #claims } + +After successful authentication, a CAP user is represented by the following properties: + +- Unique (logon) _name_ identifying the user. Unnamed, technical users have a fixed name such as `system` or `anonymous`. +- _Tenant_ for multitenant applications. +- _Roles_ that the user has been granted by an administrator (see [User Roles](#roles)) or that are derived by the authentication level (see [Pseudo Roles](#pseudo-roles)). +- _Attributes_ that the user has been assigned by an user administrator. + +In the CDS model, some of the user properties can be referenced with the `$user` prefix: + +| User Property | Reference | +|-------------------------------|---------------------| +| Name | `$user` | +| Attribute (name \) | `$user.` | + +> A single user attribute can have several different values. For instance, the `$user.language` attribute can contain `['DE','FR']`. + +## User Roles { #roles} + +As a basis for access control, you can design CAP roles that are application specific and that are assigned to users at application runtime. 
+A role should reflect _how_ a user can interact with the application and rather not describe a fine-grained event on technical level. + +annotate Issues with @(restrict: [ +    { grant: ['READ','WRITE'], +      to: 'ReportIssues', +      where: ($user = CreatedBy) }, +    { grant: ['READ'], +      to: 'ReviewIssues' }, +    { grant: '*', +      to: 'ManageIssues' } +]); + + +For instance, the role `Vendor` could describe access rules for users who are allowed to read sales articles and update sales figures, a `ProcurementManager` have full access to sales articles. + +CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. +Independently from that, user administrators combine CAP roles in higher-level policies and assign to business users in the platform's central authorization management solution. + +::: tip +CDS-based authorization deliberately refrains from using technical concepts, such as _scopes_ as in _OAuth_, in favor of user roles, which are closer to the technical domain of business applications. +::: + +## Pseudo Roles { #pseudo-roles} + + + - pseudo roles ? + - public users + - business users + - technical users + - provider vs. business tenant + + +It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _authentication level_ of the request. For instance, a service could be accessible not only for identified, but also for anonymous (for example, unauthenticated) users. Such roles are called pseudo roles as they aren't assigned by user administrators, but are added at runtime automatically. + +The following predefined pseudo roles are currently supported by CAP: + +* `authenticated-user` refers to named or unnamed users who have presented a valid authentication claim such as a logon token. 
+* [`system-user` denotes an unnamed user used for technical communication.](#system-user) +* [`internal-user` is dedicated to distinguish application internal communication.](#internal-user) +* `any` refers to all users including anonymous ones (that means, public access without authentication). + +### system-user +The pseudo role `system-user` allows you to separate access by _technical_ users from access by _business_ users. Note that the technical user can come from a SaaS or the PaaS tenant. Such technical user requests typically run in a _privileged_ mode without any restrictions on an instance level. For example, an action that implements a data replication into another system needs to access all entities of subscribed SaaS tenants and can’t be exposed to any business user. Note that `system-user` also implies `authenticated-user`. + +::: tip +For XSUAA or IAS authentication, the request user is attached with the pseudo role `system-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` for a trusted client application. +::: + +### internal-user +Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own PaaS tenant (technical communication). The advantage is that similar to `system-user` no technical CAP roles need to be defined to protect such internal endpoints. However, in contrast to `system-user`, the endpoints protected by this pseudo-role do not allow requests from any external technical clients. Hence is suitable for **technical intra-application communication**, see [Security > Application Zone](/guides/security/overview#application-zone). + +::: tip +For XSUAA or IAS authentication, the request user is attached with the pseudo role `internal-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` on basis of the **identical** XSUAA or IAS service instance. 
+::: + +::: warning +All technical clients that have access to the application's XSUAA or IAS service instance can call your service endpoints as `internal-user`. +**Refrain from sharing this service instance with untrusted clients**, for instance by passing services keys or [SAP BTP Destination Service](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-destinations-from-scratch) instances. +::: + + + + +## Modifying Users { #modifying-users } + - UserProvider + + + + +## Propagating Users { #propagating-users } + - request internal + - tenant switch + - privileged mode + - original authentication claim + - asynchronous -> implicit to technical user + + + + +## User Claims { #user-claims} + + + + +### Mapping User Claims + +Depending on the configured [authentication](#prerequisite-authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: + +| CAP User Property | XSUAA JWT Property | IAS JWT Property | +|---------------------|----------------------------------|-------------------------| +| `$user` | `user_name` | `sub` | +| `$user.tenant` | `zid` | `zone_uuid` | +| `$user.` | `xs.user.attributes.` | All non-meta attributes | + +::: tip +CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. +::: + +In most cases, CAP's default mapping will match your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, `user_name` in XSUAA tokens is generally not unique if several customer IdPs are connected to the underlying identity service. +Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you implement in a custom adaptation. Similarly, attribute values can be normalized and prepared for [instance-based authorization](#instance-based-auth). 
Find details and examples how to programmatically redefine the user mapping here: + +- [Set up Authentication in Node.js.](/node.js/authentication) +- [Custom Authentication in Java.](/java/security#custom-authentication) + +::: warning Be very careful when redefining `$user` +The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. +::: + +## Programmatic Enforcement { #enforcement} + +The service provider frameworks **automatically enforce** restrictions in generic handlers. They evaluate the annotations in the CDS models and, for example: + +* Reject incoming requests if static restrictions aren't met. +* Add corresponding filters to queries for instance-based authorization, etc. + +If generic enforcement doesn't fit your needs, you can override or adapt it with **programmatic enforcement** in custom handlers: + +- [Authorization Enforcement in Node.js](/node.js/authentication#enforcement) +- [Enforcement API & Custom Handlers in Java](/java/security#enforcement-api) + +## Role Assignments with IAS and AMS + +The Authorization Management Service (AMS) as part of SAP Cloud Identity Services (SCI) provides libraries and services for developers of cloud business applications to declare, enforce and manage instance based authorization checks. When used together with CAP the AMS "Policies” can contain the CAP roles as well as additional filter criteria for instance based authorizations that can be defined in the CAP model. transformed to AMS policies and later on refined by customers user and authorization administrators in the SCI administration console and assigned to business users. + +### Use AMS as Authorization Management System on SAP BTP + +SAP BTP is currently replacing the authorization management done with XSUAA by an integrated solution with AMS. 
AMS is integrated into SAP Cloud Identity (SCI), which will offer authentication, authorization, user provisioning and management in one place. + +For newly build applications the usage of AMS is generally recommended. The only constraint that comes with the usage of AMS is that customers need to copy their users to the Identity Directory Service as the central place to manage users for SAP BTP applications. This is also the general SAP strategy to simplify user management in the future. + +### Case For XSUAA + +There is one use case where currently an XSUAA based authorization management is preferable: When XSUAA based services to be consumed by a CAP application come with their own business user roles and thus make user role assignment in the SAP Cloud Cockpit necessary. This will be resolved in the future when the authorization management will be fully based on the SCI Admin console. + +For example, SAP Task Center you want to consume an XSUAA-based service that requires own end user role. Apart from this, most services should be technical services that do not require an own authorization management that is not yet integrated in AMS. + + + +[Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} + + +## Role Assignments with XSUAA { #xsuaa-configuration} + +Information about roles and attributes has to be made available to the UAA platform service. This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. In particular, the following happens automatically behind-the-scenes upon build: + + +### 1. 
Roles and Attributes Are Filled into the XSUAA Configuration + +Derive scopes, attributes, and role templates from the CDS model: + +```sh +cds add xsuaa --for production +``` + +This generates an _xs-security.json_ file: + +::: code-group +```json [xs-security.json] +{ + "scopes": [ + { "name": "$XSAPPNAME.admin", "description": "admin" } + ], + "attributes": [ + { "name": "level", "description": "level", "valueType": "s" } + ], + "role-templates": [ + { "name": "admin", "scope-references": [ "$XSAPPNAME.admin" ], "description": "generated" } + ] +} +``` +::: + +For every role name in the CDS model, one scope and one role template are generated with the exact name of the CDS role. + +::: tip Re-generate on model changes +You can have such a file re-generated via +```sh +cds compile srv --to xsuaa > xs-security.json +``` +::: + +See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) in the SAP HANA Platform documentation for the syntax of the _xs-security.json_ and advanced configuration options. + + +::: warning Avoid invalid characters in your models +Roles modeled in CDS may contain characters considered invalid by the XSUAA service. +::: + +If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. + +### 2. XSUAA Configuration Is Completed and Published + +#### Through MTA Build + +If there's no _mta.yaml_ present, run this command: + +```sh +cds add mta +``` + +::: details See what this does in the background… + +1. It creates an _mta.yaml_ file with an `xsuaa` service. +2. The created service added to the `requires` section of your backend, and possibly other services requiring authentication. 
+::: code-group +```yaml [mta.yaml] +modules: + - name: bookshop-srv + requires: + - bookshop-auth // [!code ++] +resources: + name: bookshop-auth // [!code ++] + type: org.cloudfoundry.managed-service // [!code ++] + parameters: // [!code ++] + service: xsuaa // [!code ++] + service-plan: application // [!code ++] + path: ./xs-security.json # include cds managed scopes and role templates // [!code ++] + config: // [!code ++] + xsappname: bookshop-${org}-${space} // [!code ++] + tenant-mode: dedicated # 'shared' for multitenant deployments // [!code ++] +``` +::: + + +Inline configuration in the _mta.yaml_ `config` block and the _xs-security.json_ file are merged. If there are conflicts, the [MTA security configuration](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) has priority. + +[Learn more about **building and deploying MTA applications**.](/guides/deployment/){ .learn-more} + +### 3. Assembling Roles and Assigning Roles to Users + +This is a manual step an administrator would do in SAP BTP Cockpit. See [Set Up the Roles for the Application](/node.js/authentication#auth-in-cockpit) for more details. If a user attribute isn't set for a user in the IdP of the SAP BTP Cockpit, this means that the user has no restriction for this attribute. For example, if a user has no value set for an attribute "Country", they're allowed to see data records for all countries. +In the _xs-security.json_, the `attribute` entity has a property `valueRequired` where the developer can specify whether unrestricted access is possible by not assigning a value to the attribute. + + +### 4. Scopes Are Narrowed to Local Roles + +Based on this, the JWT token for an administrator contains a scope `my.app.admin`. From within service implementations of `my.app` you can reference the scope: + +```js +req.user.is ("admin") +``` +... and, if necessary, from others by: + +```js +req.user.is ("my.app.admin") +``` + +
+ +> See the following sections for more details: +- [Developing Security Artifacts in SAP BTP](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/419ae2ef1ddd49dca9eb65af2d67c6ec.html) +- [Maintaining Application Security in XS Advanced](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/35d910ee7c7a445a950b6aad989a5a26.html) + + +Find detailed instructions for setting up authentication in these runtime-specific guides: + +- [Set up authentication in Node.js.](/node.js/authentication) +- [Set up authentication in Java.](/java/security#authentication) + + +In _productive_ environment with security middleware activated, **all protocol adapter endpoints are authenticated by default**1, even if no [restrictions](#restrictions) are configured. Multi-tenant SaaS-applications require authentication to provide tenant isolation out of the box. In case there is the business need to expose open endpoints for anonymous users, it's required to take extra measures depending on runtime and security middleware capabilities. + +> 1 Starting with CAP Node.js 6.0.0 resp. CAP Java 1.25.0. _In previous versions endpoints without restrictions are public in single-tenant applications_. diff --git a/guides/security/overview.md b/guides/security/overview.md index 249401071a..db379fa830 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md 
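Review bot: the `annotate Issues with @(restrict: ...)` block under "User Roles" in guides/security/cap-users.md is pasted as plain text without a ```cds fence, and its roles (`ReportIssues`, `ReviewIssues`, `ManageIssues`) do not match the `Vendor` / `ProcurementManager` roles the surrounding prose describes; fence it and align the example with the text. "User Claims" is defined twice (`{ #claims }` near the top and `{ #user-claims}` further down, the latter with no body), so links to `#user-claims` land on an empty heading. Several links cannot resolve as written: `../guides/security/authorization` and `../guides/domain-modeling#managed-data` climb out of `guides/security/` and then descend into `guides/` again, and `#prerequisite-authentication` and `#instance-based-auth` are same-page anchors this file never defines; use absolute `/guides/...` paths as the `#application-zone` link in the same file already does. In the `mta.yaml` snippet under "Through MTA Build", `resources:` is followed by `name: bookshop-auth` without the `- ` list marker, so the YAML is not a valid MTA resources sequence; it should be an indented list item `- name: bookshop-auth` with the remaining keys nested under it. The claims table row `| Attribute (name \) | `$user.` |` shows no attribute placeholder; check that the placeholder survived in the source. Typos and fragments: "successfull", "introduces to CAP user abstraction", "by an user administrator", "Hence is suitable for" (missing subject), "newly build applications", and the sentence in the AMS section beginning "transformed to AMS policies" has no subject.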
@@ -5,13 +5,73 @@ status: released uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/9186ed9ab00842e1a31309ff1be38792.html --- -# Platform Security +# Overview {{ $frontmatter.synopsis }} [[toc]] +## Key Concepts { #key-concepts } + +- diagram + +### Built on Best of Breed { #key-concept-platform-services } + +CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should not have to do it at all!** +Instead, **CAP seamlessly integrates with bullet-proven [platform services](#platform-compliance)** that handle these critical security topics centrally. +This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. +By leveraging platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. + +Most notably, authentication is covered by [platform's identity services](#identity-service). +Likewise, TLS termination is offered by the [platform](#platform-environment). + + +### Pluggable Building Blocks { #key-concept-decoupled-authn } + +CAP divides the different tasks related to security into separate and independent building blocks: +- [Authentication (inbound)](#inbound-authentication ) +- [User representation and propagation](#user-representation) +- [Authorization](#authorization) +- [Authentication (outbound)](#outbound-authentication) + +**By separating these concerns**, CAP ensures that each security function can be configured and customized independently without affecting other parts of the system, providing maximum flexibility. + +For example, authentication can be delegated to a separate ingress component, while authorization remains within the application service close to the data. 
+ + +### Secure by Default { #key-concept-secure-by-default } + +CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code to adapt accordingly. +CAP's autoconfiguration feature significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are under safe control**. + +For instance, endpoints of deployed CAP applications are authenticated automatically, thus providing a secure baseline. +Making endpoints public requires manual configuration either in the CAP model or in the middleware. + + +### Customizable { #key-concept-pluggable } + +Due to the plugin-based architecture, **CAP allows standard functions to be modified as required or, if necessary, completely replaced**. +This flexibility is crucial for scenarios where the default methods do not fully meet the requirements of the application. +Moreover, this integration helps to easily incorporate non-CAP and even non-BTP services, thereby providing a flexible and interoperable environment. + +For instance, it is possible to define specific endpoints with a custom authentication strategy. +Likewise, the CAP representation of the request user can be overruled to match additional, application-specific requirements. + + +### Decoupled from Business Logic { #key-concept-decoupled-coding } + +As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any adaptions. +This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. +As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. + +For instance, CAP allows performing outbound service calls via Remote Services while handling authentication under the hood completely. 
+This abstraction layer ensures developers not having to worry about the details of authentication. + + + + + ## Platform Compliance { #platform-compliance } CAP applications run in a certain environment, that is, in the context of some platform framework that has specific characteristics. diff --git a/menu.md b/menu.md index 53a289d38e..162c65636a 100644 --- a/menu.md +++ b/menu.md @@ -76,8 +76,10 @@ ## [Security](guides/security/) - ### [CDS-based Authorization](guides/security/authorization) - ### [Platform Security](guides/security/overview) + ### [Overhiew](guides/security/overview) + ### [Authentication](guides/security/authentication) + ### [User Representation](guides/security/cap-users) + ### [Authorization](guides/security/authorization) ### [Security Aspects](guides/security/aspects) ### [Data Protection & Privacy](guides/security/data-protection-privacy) ### [Product Standard Compliance](../guides/security/product-standards) From 28b426bb5327ce2bb03ff2b4d3c08058c44a2e62 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 18 Sep 2025 09:00:00 +0200 Subject: [PATCH 002/120] restructured, auth guide in progress --- .../security/assets/security-overview.drawio | 203 +++++++++ guides/security/authentication.md | 394 ++++++++++++++++-- guides/security/cap-users.md | 27 ++ guides/security/overview.md | 4 +- menu.md | 2 +- 5 files changed, 596 insertions(+), 34 deletions(-) create mode 100644 guides/security/assets/security-overview.drawio diff --git a/guides/security/assets/security-overview.drawio b/guides/security/assets/security-overview.drawio new file mode 100644 index 0000000000..78c3a33e0a --- /dev/null +++ b/guides/security/assets/security-overview.drawio 
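Review bot: the "Pluggable Building Blocks" list in guides/security/overview.md links to `#inbound-authentication`, `#user-representation`, `#authorization` and `#outbound-authentication` as same-page anchors, but those headings are defined in authentication.md, cap-users.md and authorization.md in this same patch, so all four links are broken (the first also has a stray space before the closing parenthesis); prefix them with the target page, for example `authentication#inbound-authentication`. Anchor ids are inconsistent with how the other pages reference them: "Pluggable Building Blocks" gets `#key-concept-decoupled-authn` while `#key-concept-pluggable` is attached to "Customizable", and authentication.md links `key-concept-pluggable` for the former; settle on one id per concept. The `- diagram` bullet under "Key Concepts" is a placeholder on a page whose front matter says `status: released`. Wording: "bullet-proven" should be "proven" or "battle-tested", and "This safeguards business logic being independent" and "ensures developers not having to worry" need rephrasing.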
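Review bot: the new menu entry reads `### [Overhiew](guides/security/overview)`; it should be `Overview`, since this label is what users see in the navigation. While touching this block, the unchanged context line `### [Product Standard Compliance](../guides/security/product-standards)` uses a `../` prefix unlike its siblings and is worth normalising.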
@@ -0,0 +1,203 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/guides/security/authentication.md b/guides/security/authentication.md index fde9281b4e..e333060aca 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -21,62 +21,390 @@ status: released # Authentication -In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. -Briefly, **authentication** ensures _who_ is going to use the service. -In contrast, **authorization** dictates _how_ the user can interact with the application's resources based on their granted privileges. +In essence, [inbound authentication](#inbound-authentication) verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. +Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. +CAP applications making use of remote services of any type need to have a proper [outbound authentication](#outbound-authentication) in place as well. + [[toc]] +## Inbound Authentication { #inbound-authentication } +According to key concept [Pluggable Building Blocks](key-concept-pluggable), the authentication method can be configured freely. +CAP [leverages platform services](#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: +- For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. -## Inbound Authentication { #inbound-authentication } +- For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: + - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fleged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. 
+ - [XS User and Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. + +::: tip +CAP applications can run IAS and XSUAA in hybrid mode to support a smooth migration from XSUAA to IAS. +::: + + +### Mock User Authentication { #mock-user-auth } + +In none-production profile, by default, CAP creates a security configuration which accepts _mock users_. +As this authentication strategy is a built-in feature which does not require any platform service, it is perfect for **unit testing and local development scenarios**. + +Setup a simple sample application: + +
+ +```sh +cds init bookshop --java --add sample && cd ./bookshop +mvn spring-boot:run +``` + +::: warning +CAP Java requires (transitive) dependency to `spring-boot-starter-security` to add middleware for authentication. +Platform starter bundles `cds-starter-cf` and `cds-starter-k8s` ensure all required dependencies out of the box. +::: + +
+ + +
+ +```sh +cds init bookshop --add sample && cd ./bookshop +cds watch +``` + +
+ +In the application startup trace you can find a log message indicating mock user configuration is active: + +
+ +```sh +MockUsersSecurityConfig : * Security configuration based on mock users found in active profile. * +``` + +
+ +
+TODO +
+ +Also notice the log output prints all recognized mock users such as + +
+ +```sh +MockUsersSecurityConfig : Added mock user {"name":"admin","password":"admin", ...} +``` + +
+ +
+TODO +
-According to key concept [pluggable and customizable](key-concept-pluggable), the authentication method is customizable freely. -CAP [leverages platform services](#key-concept-platform-services) to provide a set of authentication strategies that cover all important scenarios: +The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** -- For _local development_ and _unit testing_, [mock user](#mock-user-auth) is an appropriate built-in authentication feature. +Sending OData request `curl http://localhost:8080/odata/v4/CatalogService/Books --verbose` +results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. +This is true for all endpoints including the web application page at `/index.htlm`. -- For _cloud deployments_, in particular deployments for production, CAP integration of [SAP Cloud Identity Services](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) is first-choice for applications: - - [Identity Authentication Service (IAS)](#ias-auth) offers an [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management and single sign-on capabilities. - - [Authorization Management Service (AMS)](#ams-auth) offers central role and access management. +Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (`200`). -- [XS User and Authentication and Authorization Service](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) (XSUAA) is a full-fleged [OAuth 2.0](https://oauth.net/2/)-based authorization server. -It is available to support existing applications and services in the scope of individual BTP landscapes. ::: tip -CAP applications can run IAS and XSUAA in hybrid mode to support a smooth migration. 
+Mock users are deactivated in production profile by default ❗ ::: -::: warn -Without security middleware configured, CDS services are exposed to public. -Basic configuration of an authentication strategy is mandatory to protect your CAP application. +[Learn more about authentication options in CAP Java](../java/security#spring-boot){.learn-more} +[Learn more about authentication options in CAP Node.js](../node.js/authentication#strategies){.learn-more} + + + +#### Preconfigured Mock Users { #preconfigured-mock-users } + +For convenience, the runtime creates default mock users reflecting typical types of users suitable for test combinations, e.g. privileged users passing all security checks or restricted users which just pass authentication only. +The predefined users are merged with mock users [defined by the application](#custom-mock-users). +The effective list of mock users is traced to startup log if mock user configuration is active. + +You can opt out the preconfiguration of these users by setting `cds.security.mock.defaultUsers = false`. +{ .java } + + +[Learn more about predefined mock users in CAP Java](../java/security#preconfigured-mock-users){.learn-more} +[Learn more about predefined mock users in CAP Node.js](../node.js/authentication#mock-users){.learn-more} + + +#### Customization { #custom-mock-users } + +You can define custom mock users to perfectly simulate different types of [end users]((../cap-users#user-representation)) that will interact with your application at production time. +Hence, you can use the mock users to test authorization rules and custom handlers transparently from the actual context. + +
+ +::: details How to add custom mock user named `viewer-user` in local Spring profile +```yaml [srv/src/main/resources/application.yaml] +spring: + config.activate.on-profile: default +cds: + security: + mock: + users: + # [... other users ...] + viewer-user: + password: pass + tenant: CrazyCars + roles: + - Viewer + attributes: + Country: [GER, FR] + features: + - cruise + - park + additional: + email: myviewer@crazycars.com +``` ::: -### Mock User Authentication { #mock-user-auth } - - Test Authentiction - - setup - - testing +
+ +
+ +::: details How to add a custom mock user named `viewer-user` in the configuration file for local testing: +```yaml [package.json] +"cds": { + "requires": { + "auth": { + "kind": "mocked", + "users": { + "viewer-user": { + "password": "pass", + "tenant": "CrazyCars", + "roles": ["Viewer"], + "attr": { ... } + } + }, + "tenants": { + "name" : "CrazyCars", + "features": [ "cruise", "park" ] + } + } + } +} +``` +::: + +
+ +In the mock user configuration you are free to specify: +- name (mandatory) +- credentials +- tenant +- CAP roles +- CAP attributes +- additional attributes +- pseudo roles +- [feature toggles](../guides/extensibility/feature-toggles#feature-toggles) +which influence processing of the request including authorization step. + +To verify the properties in a user request with a dedicated mock user, activate [user tracing](../cap-users#user-tracing) and send the same request on behalf of `viewer-user`. +In the application log you should find information about the resolved user after successful authentication: + +
+ +```sh +MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' +``` + +
+ +
+ +TODO + +
+ +[Learn more about custom mock users in CAP Java](../java/security#explicitly-defined-mock-users){.learn-more} +[Learn more about custom mock users in CAP Node.js](../node.js/authentication#mocked){.learn-more} + + +#### Automated Testing { #mock-user-testing } + +Mock users provide an ideal foundation for automated **unit tests, which are essential for ensuring application security**. +The flexibility in defining various kinds of mock users and the seamless integration into testing code significantly lowers the burden to cover all relevant test combinations. -::: Info -Mock users are deactivated by default in production environment. +
+ +::: details How to useleverage @WithMockUser in Spring-MVC to use CAP mock users +```java [srv/src/test/java/customer/bookshop/handlers/CatalogServiceTest.java] +@RunWith(SpringRunner.class) +@SpringBootTest +@AutoConfigureMockMvc +public class BookServiceOrdersTest { + + String BOOKS_URL = "/odata/v4/CatalogService/Books"; + + @Autowired + private MockMvc mockMvc; + + @Test + @WithMockUser(username = "viewer-user", password = "pass") + public void testViewer() throws Exception { + mockMvc.perform(get(BOOKS_URL)).andExpect(status().isOk()); + } + @Test + public void testUnauthorized() throws Exception { + mockMvc.perform(get(BOOKS_URL)).andExpect(status().isUnauthorized()); + } +} +``` ::: -### IAS Authentication and AMS { #ias-auth } - - setup cds add ias - - role definition / assignment -> CAP Authorization ? - -### AMS Integration { #ams-auth } - - setup cds add ams - - Define Reuse Service + +
+ +
+TODO +await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: 'pass' } }) +
+ + +[Learn more about testing in CAP Java](../java/developing-applications/testing#testing-cap-java-applications){.learn-more} +[Learn more about testing in CAP Node.js](../node.js/cds-test#testing-with-cds-test){.learn-more} + + +### IAS Authentication { #ias-auth } + +[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is preferred platform service for identity management which provides + - best of breed authentication mechanisms (single sign-on, multi-factor enforcement) + - federation of corporate identity providers (multiple user stores) + - cross-landscape user propagation (including on-premise) + - SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) ([OpenId Connect](https://openid.net/connect/) compliant) + +IAS authentication can be configured and tested in the Cloud, hence we enhance the sample with a deyloyment descriptor for SAP BTP, Cloud Foundry Runtime (CF). + + +#### Get Ready with IAS + +Before working with IAS on CF, you need to + +- have an IAS (test) tenant. If not available yet, you need to [create it](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) now. + +- [establish trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) +towards your IAS tenant to use it as identity provider for applications in your subaccount. + +- ensure your development environment is [prepared for deploying]( https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF, +in particular you require a session targeting to a CF space in the test subaccount with IAS trust (test with `cf target`). + +#### Adding IAS + +In the project's root folder execute + +```sh +cds add mta +``` + +to make your application ready for deployment to CF. 
+ +::: tip +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for authentication transitively. +::: + +Afterwards, command + +```sh +cds add ias +``` + +adds a service instance named `bookshop-srv` of type `identity` (plan: `application`) to the deyployment and binds the CAP service to it. + +::: details Generated deployment descriptor for IAS instance and binding +```yaml [mta.yaml] +modules: + - name: bookshop-srv + # [...] + requires: + - name: bookshop-auth + parameters: + config: + credential-type: X509_GENERATED + app-identifier: srv + +resources: + - name: bookshop-auth + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-name: bookshop-auth + service-plan: application + config: + display-name: bookshop +``` +::: + +Following properties apply: + +| Property | Artefact | Description | +|-------------------|:-------------------:|:---------------------:| +| `credential-type` | binding | `X509_GENERATED` activates mTLS communication with IAS. | +| `app-identifier` | binding | Unique identifier for the application in IAS | +| `display-name` | instance | Human-readable name for the application as it appears in the IAS admin UI | +| `tenant-mode` | instance | Specifies application mode: `dedicated` for single tenant (default), `shared` for multiple subscriber tenants (SAAS) | + +Now let's pack and deploy the application with +```sh +cds up +``` + +and wait until the application is up and running (you can test with `cf apps` or alternatively in BTP Cockpit). + +In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) +you should now also see the deplyoed IAS application in `Applications & Ressources` -> `Applications`, section `Bundled Applications` (display name `bookshop`, subtitle is the technical id of the service instance). 
+ +::: tip +In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the admin console. +::: + + +Find the following trace in the application log as feedback for IAS authentication in action: +
+ +```sh +IdentityConfiguration: Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-auth, XSUAA: ) +``` + +
+ +::: tip +The CAP runtime checks the available bindings at startup and activates IAS authentication accordingly. The local setup with mock users still works as before. +::: + + +#### Testing IAS + +```sh +curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose +``` + +HTTP/1.1 401 Unauthorized + + +service key + +curl mit cert + +cds add approuter + +The AppRouter allows UI-sessions to interact with the application for initial testing. + + ### XSUAA Authentication { #xsuaa-auth } - setup cds add xsuaa - - role definition / assignment -> CAP Authorization ? - - Define Reuse Service + ### Custom Authentication { #custom-auth } - Service mesh @@ -132,3 +460,7 @@ service InternalService { - Don't code against concrete user claims (e.g. XSUAAUserInfo) +::: warning +Without security middleware configured, CDS services are exposed to public. +Basic configuration of an authentication strategy is mandatory to protect your CAP application. +::: \ No newline at end of file diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 32fe0e9e2b..415f2a20c8 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -110,7 +110,24 @@ All technical clients that have access to the application's XSUAA or IAS service ::: +## Tracing { #user-tracing } +
+ +DEBUG level by default + +logging.level.com.sap.cds.security.authentication: DEBUG + +```sh +MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' +``` + +Never in production! +
+ +
+TODO +
## Modifying Users { #modifying-users } - UserProvider @@ -157,6 +174,16 @@ Here a combination of `user_name` and `origin` mapped to `$user` might be a feas The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. ::: + +### IAS { #ias-auth } + - role definition / assignment AMS + + +### XSUAA Authentication { #xsuaa-auth } + - role definition / assignment + - Define Reuse Service + + ## Programmatic Enforcement { #enforcement} The service provider frameworks **automatically enforce** restrictions in generic handlers. They evaluate the annotations in the CDS models and, for example: diff --git a/guides/security/overview.md b/guides/security/overview.md index db379fa830..2f7e3a4b43 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -27,7 +27,7 @@ Most notably, authentication is covered by [platform's identity services](#ident Likewise, TLS termination is offered by the [platform](#platform-environment). -### Pluggable Building Blocks { #key-concept-decoupled-authn } +### Pluggable Building Blocks { #key-concept-pluggable } CAP divides the different tasks related to security into separate and independent building blocks: - [Authentication (inbound)](#inbound-authentication ) @@ -49,7 +49,7 @@ For instance, endpoints of deployed CAP applications are authenticated automatic Making endpoints public requires manual configuration either in the CAP model or in the middleware. -### Customizable { #key-concept-pluggable } +### Customizable { #key-concept-customizable } Due to the plugin-based architecture, **CAP allows standard functions to be modified as required or, if necessary, completely replaced**. This flexibility is crucial for scenarios where the default methods do not fully meet the requirements of the application. diff --git a/menu.md b/menu.md index 162c65636a..846adf6331 100644 --- a/menu.md 
+++ b/menu.md @@ -78,7 +78,7 @@ ### [Overhiew](guides/security/overview) ### [Authentication](guides/security/authentication) - ### [User Representation](guides/security/cap-users) + ### [Users](guides/security/cap-users) ### [Authorization](guides/security/authorization) ### [Security Aspects](guides/security/aspects) ### [Data Protection & Privacy](guides/security/data-protection-privacy) From 4d9d55d79e2e66127a9d2555cf9ee446c2e953a8 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 19 Sep 2025 15:12:09 +0200 Subject: [PATCH 003/120] ias cli testing --- guides/security/assets/ias-cli-setup.drawio | 111 ++++++++++++++ guides/security/assets/ias-cli-setup.svg | 1 + guides/security/authentication.md | 151 +++++++++++++++++--- guides/security/cap-users.md | 2 + 4 files changed, 249 insertions(+), 16 deletions(-) create mode 100644 guides/security/assets/ias-cli-setup.drawio create mode 100644 guides/security/assets/ias-cli-setup.svg diff --git a/guides/security/assets/ias-cli-setup.drawio b/guides/security/assets/ias-cli-setup.drawio new file mode 100644 index 0000000000..123acd39a8 --- /dev/null +++ b/guides/security/assets/ias-cli-setup.drawio @@ -0,0 +1,111 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/guides/security/assets/ias-cli-setup.svg b/guides/security/assets/ias-cli-setup.svg new file mode 100644 index 0000000000..1253e6c433 --- /dev/null +++ b/guides/security/assets/ias-cli-setup.svg @@ -0,0 +1 @@ +
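Review bot: the sentence after `cds add ias` says the command adds a service instance named `bookshop-srv`, but the generated `mta.yaml` shown right below declares the `identity` resource as `bookshop-auth` (`bookshop-srv` is the module that requires it) and the tip further down also calls it `bookshop-auth`; align the text with the descriptor. The property table then documents `tenant-mode` (`dedicated`/`shared`) although that parameter does not occur in the descriptor, so either add it to the yaml or drop the row. Several relative links will not resolve from `guides/security/`: `[Pluggable Building Blocks](key-concept-pluggable)` and `(#key-concept-platform-services)` target anchors that live in overview.md, while `../cap-users#user-representation` (also written with doubled parentheses), `../cap-users#user-tracing` and `../guides/extensibility/feature-toggles` point one directory too high; `overview#key-concept-pluggable`, `cap-users#...` and `../extensibility/feature-toggles` would work. In the `@WithMockUser` example the file caption says `CatalogServiceTest.java` while the class is `public class BookServiceOrdersTest`, which Java rejects; rename one, and fix the details title `How to useleverage`. In the Node.js `package.json` snippet, `"tenants": { "name" : "CrazyCars", ... }` does not look like the documented shape of `cds.requires.auth.tenants`, which keys entries by tenant name (`"tenants": { "CrazyCars": { "features": [...] } }`); please verify. Finally, the `TODO` placeholders and the scratch lines under `#### Testing IAS` (`service key`, `curl mit cert`, `cds add approuter`) should not ship, and spelling: `full-fleged`, `none-production` (non-production), `Setup a simple` (Set up), `/index.htlm`, `deyloyment`, `deyployment`, `deplyoed`, `Ressources` (Resources).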
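Review bot: the new `## Tracing { #user-tracing }` section in cap-users.md contradicts itself: `DEBUG level by default` is followed by `logging.level.com.sap.cds.security.authentication: DEBUG` presented as a setting to add; state the level at which `MockedUserInfoProvider` emits the resolved-user line and which configuration turns it on. Because that line prints the user's id, roles, attributes and tenant, `Never in production!` deserves a reason (user data ends up in logs) and a concrete hint on keeping that logger off outside the local profile; the trailing `TODO` needs to go.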
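Review bot: `### IAS { #ias-auth }` and `### XSUAA Authentication { #xsuaa-auth }` in cap-users.md are scratch bullet lists (`role definition / assignment`, `Define Reuse Service`) placed between `Modifying Users` and `Programmatic Enforcement`, and they reuse the ids that authentication.md assigns to its own IAS and XSUAA sections, which makes cross-page links ambiguous; either write them out with distinct ids or leave them out of this commit.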
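Review bot: in overview.md, swapping the ids so that `Pluggable Building Blocks` becomes `#key-concept-pluggable` and `Customizable` becomes `#key-concept-customizable` silently redirects every existing link to `#key-concept-pluggable` from the Customizable section to a different one; grep the docs for both old ids (`#key-concept-decoupled-authn`, `#key-concept-pluggable`) and mention the rename in the commit message, since `new structure` does not.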
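Review bot: while renaming the menu entry to `Users`, the unchanged line right above it still reads `### [Overhiew](guides/security/overview)`; fix the typo in the same change.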
[Diagram text from ias-cli-setup.svg (CLI-level testing of IAS endpoints): IAS; CAP Application; IAS service instance; CLI client; IAS service binding; service key; Application Deployment; mTLS / OAuth 2; mTLS]
\ No newline at end of file diff --git a/guides/security/authentication.md b/guides/security/authentication.md index e333060aca..c8b9b20b1c 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -299,8 +299,6 @@ towards your IAS tenant to use it as identity provider for applications in your - ensure your development environment is [prepared for deploying]( https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF, in particular you require a session targeting to a CF space in the test subaccount with IAS trust (test with `cf target`). -#### Adding IAS - In the project's root folder execute ```sh @@ -313,13 +311,15 @@ to make your application ready for deployment to CF. Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for authentication transitively. ::: -Afterwards, command +#### Adding IAS + +Now the application is ready to for adding IAS-support by executing ```sh cds add ias ``` -adds a service instance named `bookshop-srv` of type `identity` (plan: `application`) to the deyployment and binds the CAP service to it. +which automatically adds a service instance named `bookshop-srv` of type `identity` (plan: `application`) and binds the CAP application to it. ::: details Generated deployment descriptor for IAS instance and binding ```yaml [mta.yaml] 
@@ -345,14 +345,23 @@ resources: ``` ::: +Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a unique client (multiple bindings are allowed). +CAP applications can have at most one binding to an IAS instance. + Following properties apply: -| Property | Artefact | Description | +| Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| -| `credential-type` | binding | `X509_GENERATED` activates mTLS communication with IAS. | -| `app-identifier` | binding | Unique identifier for the application in IAS | -| `display-name` | instance | Human-readable name for the application as it appears in the IAS admin UI | -| `tenant-mode` | instance | Specifies application mode: `dedicated` for single tenant (default), `shared` for multiple subscriber tenants (SAAS) | +| `name` | instance | Name for the IAS application - unique in the tenant | +| `display-name` | instance | Human-readable name for the IAS application as it appears in the Console UI for IAS admins | +| `multi-tenant` | instance | Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS) | +| `credential-type` | binding | `X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application | +| `app-identifier` | binding | Ensures stable subject in generated certificate (required for credential rotation) | + + +[Lean more about IAS service instance and binding creation options](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/reference-information-for-identity-service-of-sap-btp){.learn-more} +
+ Now let's pack and deploy the application with ```sh @@ -362,14 +371,15 @@ cds up and wait until the application is up and running (you can test with `cf apps` or alternatively in BTP Cockpit). In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) -you should now also see the deplyoed IAS application in `Applications & Ressources` -> `Applications`, section `Bundled Applications` (display name `bookshop`, subtitle is the technical id of the service instance). +you should now also see the deployed IAS application in `Applications & Ressources` -> `Applications`, section `Bundled Applications` (display name `bookshop`, subtitle is the guid of the service instance as listed in `cf service bookshop-auth`). +In the Console you can manage the IAS application and, for instance, configure the authentication strategy. ::: tip In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the admin console. ::: -Find the following trace in the application log as feedback for IAS authentication in action: +Find the following trace in the application log as confirmation for IAS authentication in action:
```sh @@ -378,28 +388,137 @@ IdentityConfiguration: Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-
+At startup, the CAP runtime checks the available bindings and activates IAS authentication accordingly. +**Hence, the local setup without IAS binding is still working**. + + ::: tip -The CAP runtime checks the available bindings at startup and activates IAS authentication accordingly. The local setup with mock users still works as before. +IAS enforces mTLS, so you need platform-level TLS termination, which is provided von CF via `cert.*` domains. +The validated certificate is forwarded via HTTP header `X-Forwarded-Client-Cert` to the CAP endpoint. +::: + +::: details Application routes with `cert.*`-domain +```yaml +modules: + - name: bookshop-srv + type: java + path: srv + parameters: + routes: + - route: "${default-url}" + - route: "${default-host}.cert.${default-domain}" +``` +::: + +::: warning +On SAP BTP Kyma Runtime, you might require to adapt configuration parameter `cds.security.authentication.clientCertificateHeader` according to the component of your choice terminating TLS. ::: -#### Testing IAS +#### Testing IAS on CLI Level +Due to the autoconfiguration in CAP, all CAP endpoints should be authenticated and expect valid ID tokens generated for the IAS application. +Sending the test request ```sh curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose ``` -HTTP/1.1 401 Unauthorized +as anonymous user without a token results in a `401 Unauthorized` as expected. +Now we want to fetch a token to prepare a fully authenticated test request. 
+As first step we add a new client for the IAS application by creating an appropriate service key: -service key +```sh +cf create-service-key bookshop-auth bookshop-auth-key -c '{"credential-type": "X509_GENERATED"}' +``` + +The setup now looks like scetched in the diagram: + +![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.svg){width="400px"} + +::: details How to retrieve service key credentials + +```sh +cf service-key bookshop-auth bookshop-auth-key +``` -curl mit cert +```sh +{ + "credentials": { + [...] + "certificate": "-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----", + "clientid": "2a92c297-8603-4157-9aa9-ca7585821979", + "credential-type": "X509_GENERATED", + "key": "-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----", + "url": "https://avpxtt84j.accounts400.ondemand.com", + [...] + } +} +``` + +::: + +::: warning +❗ Never share service key credentials or tokens ❗ +::: + +From the credentials, you need to prepare local files containing the certificates which are required for both, mTLS with IAS and the CAP service. + +::: details How to prepare client X.509 certificate files + +Copy the public X.509-certificate in property `certifiacte` into a file `cert-raw.pem` and `key` into a file `key-raw.pem`, accordingly. +Both files need to be post-processed to transform the single-line represnatation into a standard multi-line representation: + +```sh +awk '{gsub(/\\n/,"\n")}1' .pem > .pem +``` +Finally, ensure correct format of both files with +```sh +openssl x509 -in .pem -text -noout +``` +These manual steps might be replaced by tooling support in future. 
+::: + +The fetch a token on behalf of the technical tenant user, the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: + +```sh +curl --cert cert.pem --key key.pem \ + --data "grant_type=client_credentials&client_id=" \ + https:///oauth2/token +``` + +The request returns with a valid IAS token which will pass authentication in the CAP application: +```sh +{"access_token":"[...]","token_type":"Bearer","expires_in":3600} +``` + +The final test request needs to provide the **client certificate and the token** being send to the application's route with `cert.*`-domain: + +```sh +curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ + https://--bookshop-srv.cert./odata/v4/CatalogService/Books +``` + + +Relaxing mTLS during Development + + + + +#### Testing IAS on UI Level cds add approuter The AppRouter allows UI-sessions to interact with the application for initial testing. +Cleaning up + +Don't forget to delete the service key +```sh +cf delete-service-key bookshop-auth bookshop-auth-key +``` + + ### XSUAA Authentication { #xsuaa-auth } diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 415f2a20c8..81a4d50e81 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -177,6 +177,8 @@ The user name is frequently stored with business data (for example, `managed` as ### IAS { #ias-auth } - role definition / assignment AMS + + Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html ### XSUAA Authentication { #xsuaa-auth } From 6cc3dc27aa3002ea849d1eac0ed837d31f1da304 Mon Sep 17 00:00:00 2001 
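Review bot: in the `#### Adding IAS` hunk, `Now the application is ready to for adding IAS-support` has a stray `to`, and the sentence after `cds add ias` still names the instance `bookshop-srv` while the descriptor below it declares the `identity` resource as `bookshop-auth`; `adds a service instance named bookshop-auth ... and binds the bookshop-srv module to it` would match the yaml.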
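Review bot: in the property-table hunk, `[Lean more about IAS service instance and binding creation options]` should read `Learn more`. The new rows for `name` and `multi-tenant` describe parameters that the generated descriptor in this guide does not set (it only passes `display-name`), so say they are optional and show where they go under `config:`; the `credential-type` row could add that the generated private key is returned with the binding credentials and must be protected like any secret.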
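Review bot: the sample `cf service-key` output under `How to retrieve service key credentials` carries what look like real landscape values (`clientid` `2a92c297-8603-4157-9aa9-ca7585821979`, `url` `https://avpxtt84j.accounts400.ondemand.com`); replace them with obvious placeholders so a test tenant host and client id are not published, consistent with the warning that follows. In `How to prepare client X.509 certificate files`, `openssl x509 -in ... -text -noout` only parses a certificate, so `ensure correct format of both files` is wrong for the key file; use `openssl pkey -in key.pem -noout` for that one, and tell readers to keep `key.pem` with restrictive permissions (`chmod 600`) and out of version control. The mTLS tip says the validated certificate arrives in `X-Forwarded-Client-Cert`, yet the route snippet keeps the plain `${default-url}` route next to the `cert.*` one; spell out what the CAP endpoint does with a bearer token that arrives on the plain route without a forwarded certificate, and that the header named by `cds.security.authentication.clientCertificateHeader` must only be trusted when the platform's TLS terminator sets it. `Relaxing mTLS during Development`, `Cleaning up` and `#### Testing IAS on UI Level` are headings with no content yet. Wording: `provided von CF` (by), `scetched`, `certifiacte`, `represnatation`, `The fetch a token` (To fetch), `being send` (sent, twice), `Ressources` (Resources).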
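Review bot: `Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html` in cap-users.md is a German working note added under `### IAS { #ias-auth }`; turn it into a proper `Learn more` link or keep it out of the published page.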
From: "matthia.braun@sap.com" Date: Thu, 25 Sep 2025 08:22:36 +0200 Subject: [PATCH 004/120] safepoint --- guides/security/assets/fetch-ias-certs.sh | 39 +++++++++++++++++++++++ guides/security/authentication.md | 29 +++++++++++++---- 2 files changed, 62 insertions(+), 6 deletions(-) create mode 100644 guides/security/assets/fetch-ias-certs.sh diff --git a/guides/security/assets/fetch-ias-certs.sh b/guides/security/assets/fetch-ias-certs.sh new file mode 100644 index 0000000000..40d1012d8b --- /dev/null +++ b/guides/security/assets/fetch-ias-certs.sh @@ -0,0 +1,39 @@ +#!/bin/bash +# filepath: ./fetch-ias-certs.sh + +if [ -z "$1" ]; then + echo "Usage: $0 [cert-file] [key-file]" + exit 1 +fi + +SERVICE_INSTANCE="$1" +CERT_FILE="${2:-cert.pem}" +KEY_FILE="${3:-key.pem}" +SERVICE_KEY="${SERVICE_INSTANCE}-key" + +# Check if cf CLI is logged in +if ! cf target > /dev/null 2>&1; then + echo "Error: Not logged in to Cloud Foundry. Please run 'cf login' and try again." + exit 1 +fi + +# Check if service key exists +if ! cf service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" > /dev/null 2>&1; then + cf create-service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" -c '{"credential-type": "X509_GENERATED"}' +else + echo "Service key $SERVICE_KEY already exists." +fi + + +# Extract service key JSON +SERVICE_KEY_JSON=$(cf service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" 2>&1 | awk '/^{/ {found=1} found' ) + +# Extract and convert certificate +echo "$SERVICE_KEY_JSON" | jq -r 'if has("credentials") then .credentials.certificate else .certificate end' | sed 's/\\n/\n/g' > "$CERT_FILE" +echo "Certificate written to $CERT_FILE" + +# Extract and convert key +echo "$SERVICE_KEY_JSON" | jq -r 'if has("credentials") then .credentials.key else .key end' | sed 's/\\n/\n/g' > "$KEY_FILE" +echo "Key written to $KEY_FILE" + +echo "DON'T SHARE GERNERATED CERTIFICATE FILES!" diff --git a/guides/security/authentication.md b/guides/security/authentication.md index c8b9b20b1c..0880ff6a84 100644 
--- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -296,7 +296,7 @@ Before working with IAS on CF, you need to - [establish trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) towards your IAS tenant to use it as identity provider for applications in your subaccount. -- ensure your development environment is [prepared for deploying]( https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF, +- ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF, in particular you require a session targeting to a CF space in the test subaccount with IAS trust (test with `cf target`). In the project's root folder execute @@ -436,7 +436,7 @@ The setup now looks like scetched in the diagram: ![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.svg){width="400px"} -::: details How to retrieve service key credentials +::: details How to create and retrieve service key credentials ```sh cf service-key bookshop-auth bookshop-auth-key 
@@ -476,17 +476,33 @@ Finally, ensure correct format of both files with ```sh openssl x509 -in .pem -text -noout ``` -These manual steps might be replaced by tooling support in future. +All the steps can be executed in a single script as shown in the [example](./assets/fetch-ias-certs.sh). ::: The fetch a token on behalf of the technical tenant user, the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: -```sh +::: code-group + +```sh [Token for technical user] curl --cert cert.pem --key key.pem \ - --data "grant_type=client_credentials&client_id=" \ + -d "grant_type=client_credentials"\ + -d "client_id"=" \ https:///oauth2/token ``` +```sh [Token for named user] +curl --cert cert.pem --key key.pem \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d "grant_type=password" \ + -d "client_id=" \ + -d "username=" \ + -d "password=" \ + -X POST https:///oauth2/token +``` + +::: + + The request returns with a valid IAS token which will pass authentication in the CAP application: ```sh {"access_token":"[...]","token_type":"Bearer","expires_in":3600} @@ -500,7 +516,8 @@ curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ ``` -Relaxing mTLS during Development +Reasons for failed token Request: +- From 81e81f319054b7b3630f41d6bd6af0a49c1e5c0e Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 25 Sep 2025 17:01:02 +0200 Subject: [PATCH 005/120] UI IAS flow --- guides/security/assets/ias-ui-setup.drawio | 142 +++++++++++++++++++++ guides/security/assets/ias-ui-setup.svg | 1 + guides/security/authentication.md | 106 +++++++++++---- 3 files changed, 223 insertions(+), 26 deletions(-) create mode 100644 guides/security/assets/ias-ui-setup.drawio create mode 100644 guides/security/assets/ias-ui-setup.svg 
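Review bot: `fetch-ias-certs.sh` writes the private key from the service key to `$KEY_FILE` with the caller's default umask, so add `umask 077` near the top (or `chmod 600 "$KEY_FILE"` after writing) instead of relying on the closing `DON'T SHARE GERNERATED CERTIFICATE FILES!` (typo: GENERATED). The script also needs `set -euo pipefail` and a check for `jq`, which it depends on but, unlike `cf`, never verifies; as written, a failing `cf service-key` call (its stderr is merged into the pipe by `2>&1`) yields empty files and a success exit code. `sed 's/\\n/\n/g'` relies on GNU sed turning `\n` in the replacement into a newline; BSD/macOS sed inserts a literal `n`, so prefer the `awk '{gsub(/\\n/,"\n")}1'` form the guide already uses (and since `jq -r` normally expands JSON `\n` escapes already, the step may be redundant).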
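Review bot: in the `Token for technical user` tab, `-d "client_id"=" \` has unbalanced quotes; the id belongs inside one quoted argument of the form `-d "client_id=..."`, and the line before it needs a space before its trailing `\`. The `Token for named user` tab uses `grant_type=password`, the resource owner password grant, which passes the end user's password through the client and is deprecated by current OAuth 2.0 security guidance; mark it as a test-only shortcut, note that it only works if the IAS application has that grant type enabled, and point named-user testing to the App Router flow of the UI section. `Reasons for failed token Request:` is an empty list, and `The fetch a token` is still in the unchanged context.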
diff --git a/guides/security/assets/ias-ui-setup.drawio b/guides/security/assets/ias-ui-setup.drawio
new file mode 100644
index 0000000000..8b6d4b0ad3
--- /dev/null
+++ b/guides/security/assets/ias-ui-setup.drawio
@@ -0,0 +1,142 @@
[draw.io XML source of the ias-ui-setup diagram; markup not preserved by extraction]
\ No newline at end of file
diff --git a/guides/security/assets/ias-ui-setup.svg b/guides/security/assets/ias-ui-setup.svg
new file mode 100644
index 0000000000..7a309349df
--- /dev/null
+++ b/guides/security/assets/ias-ui-setup.svg
@@ -0,0 +1 @@
[SVG diagram "UI-level Testing of IAS Endpoints": Browser, App Router and CAP Application (App Router and CAP Application each with an IAS service binding) inside Application Deployment, plus IAS service instance and IAS; channels labelled mTLS and mTLS / OAuth 2]
\ No newline at end of file diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 0880ff6a84..e8501424ea 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -278,26 +278,26 @@ await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: ### IAS Authentication { #ias-auth } -[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is preferred platform service for identity management which provides +[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management which provides - best of breed authentication mechanisms (single sign-on, multi-factor enforcement) - federation of corporate identity providers (multiple user stores) - cross-landscape user propagation (including on-premise) - - SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) ([OpenId Connect](https://openid.net/connect/) compliant) + - streamlined SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) (due to [OpenId Connect](https://openid.net/connect/) compliance) -IAS authentication can be configured and tested in the Cloud, hence we enhance the sample with a deyloyment descriptor for SAP BTP, Cloud Foundry Runtime (CF). +IAS authentication is at best configured and tested in the Cloud, hence we're going to enhance the sample with a deyloyment descriptor for SAP BTP, Cloud Foundry Runtime (CF). #### Get Ready with IAS Before working with IAS on CF, you need to -- have an IAS (test) tenant. If not available yet, you need to [create it](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) now. +- have an IAS (test) tenant. If not available yet, you need to [create](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) it now. 
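Review bot: the rewritten sentence carries over the typo "deyloyment" (should be "deployment"), and "IAS authentication is at best configured and tested in the Cloud" reads as a judgement; what is meant is "IAS authentication is best configured and tested in the Cloud".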
- [establish trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) towards your IAS tenant to use it as identity provider for applications in your subaccount. -- ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF, -in particular you require a session targeting to a CF space in the test subaccount with IAS trust (test with `cf target`). +- ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, +in particular you require a `cf` CLI-session targeting to a CF space in the test subaccount (test with `cf target`). In the project's root folder execute @@ -305,10 +305,10 @@ In the project's root folder execute cds add mta ``` -to make your application ready for deployment to CF. +to make your application ready for deployment to CF, initially. ::: tip -Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for authentication transitively. +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for security transitively. ::: #### Adding IAS 
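Review bot: the deployment prerequisites link points to the internal host `pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites`, which readers of the public guide cannot reach; replace it with the corresponding public documentation link. Also "to make your application ready for deployment to CF, initially" is awkward; either drop "initially" or write "to initially make your application ready for deployment to CF".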
@@ -368,22 +368,22 @@ Now let's pack and deploy the application with cds up ``` -and wait until the application is up and running (you can test with `cf apps` or alternatively in BTP Cockpit). +and wait until the application is up and running which you can test with `cf apps` or in BTP Cockpit, alternatively. In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) you should now also see the deployed IAS application in `Applications & Ressources` -> `Applications`, section `Bundled Applications` (display name `bookshop`, subtitle is the guid of the service instance as listed in `cf service bookshop-auth`). In the Console you can manage the IAS application and, for instance, configure the authentication strategy. ::: tip -In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the admin console. +In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. ::: -Find the following trace in the application log as confirmation for IAS authentication in action: +The following trace in the application log confirms the activated IAS authentication:
```sh -IdentityConfiguration: Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-auth, XSUAA: ) +... : Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-auth, XSUAA: ) ```
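Review bot: `Applications & Ressources` is misspelled; the Administrative Console menu is `Applications & Resources`. The trailing "alternatively" in "which you can test with `cf apps` or in BTP Cockpit, alternatively" belongs in the middle: "which you can check with `cf apps` or, alternatively, in BTP Cockpit".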
@@ -429,13 +429,20 @@ Now we want to fetch a token to prepare a fully authenticated test request. As first step we add a new client for the IAS application by creating an appropriate service key: ```sh -cf create-service-key bookshop-auth bookshop-auth-key -c '{"credential-type": "X509_GENERATED"}' +cf create-service-key bookshop-auth bookshop-auth-key \ + -c '{"credential-type": "X509_GENERATED"}' ``` -The setup now looks like scetched in the diagram: +The overall setup with local CLI client and the Cloud services is scetched in the diagram: ![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.svg){width="400px"} +As IAS requires mTLS-protected channels, **client certificates are mandatory** when we follow a two-step approach: +1. Send a token request to IAS in order to fetch a valid IAS token. +2. Send a business request to the CAP application presenting the token. + +The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. + ::: details How to create and retrieve service key credentials ```sh @@ -462,7 +469,7 @@ cf service-key bookshop-auth bookshop-auth-key ❗ Never share service key credentials or tokens ❗ ::: -From the credentials, you need to prepare local files containing the certificates which are required for both, mTLS with IAS and the CAP service. +From the credentials, you can prepare local files containing the certificate used to initiate the HTTP request. ::: details How to prepare client X.509 certificate files 
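Review bot: "The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly." does not tell the reader what they are looking at: the service key created with `credential-type: X509_GENERATED` contains a generated client certificate and its private key, and that key pair is what the following steps write to `cert.pem` and `key.pem`; say so directly, and state up front that the service key is a secret to be deleted after testing (the cleanup step only appears much later). "scetched" should be "sketched"; the same typo recurs in later hunks.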
@@ -479,7 +486,7 @@ openssl x509 -in .pem -text -noout All the steps can be executed in a single script as shown in the [example](./assets/fetch-ias-certs.sh). ::: -The fetch a token on behalf of the technical tenant user, the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: +The fetch a token - either as technical or as named user - the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: ::: code-group @@ -503,7 +510,7 @@ curl --cert cert.pem --key key.pem \ ::: -The request returns with a valid IAS token which will pass authentication in the CAP application: +The request returns with a valid IAS token which is suitable for authentication in the CAP application: ```sh {"access_token":"[...]","token_type":"Bearer","expires_in":3600} ``` 
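Review bot: "The fetch a token - either as technical or as named user -" still reads "The fetch"; it should be "To fetch a token, either as technical or as named user,". The token response block (`{"access_token":"[...]","token_type":"Bearer","expires_in":3600}`) is tagged `sh` although its content is JSON; tag it `json`.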
@@ -515,26 +522,73 @@ curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ https://--bookshop-srv.cert./odata/v4/CatalogService/Books ``` - -Reasons for failed token Request: -- +Don't forget to delete the service key after your tests: +```sh +cf delete-service-key bookshop-auth bookshop-auth-key +``` +#### Testing IAS on UI Level +In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. -#### Testing IAS on UI Level +By executing +```sh cds add approuter +``` -The AppRouter allows UI-sessions to interact with the application for initial testing. +the deployment is enhanced by the additional AppRouter component which is already configured for IAS usage. +The setup is scetched in the diagram: -Cleaning up +![UI-level Testing of IAS Endpoints](./assets/ias-ui-setup.svg){width="500px"} -Don't forget to delete the service key -```sh -cf delete-service-key bookshop-auth bookshop-auth-key +To be able to fetch the token, the AppRouter needs a binding to the IAS instance as well. +In addition, property `forwardAuthCertificates` needs to be `true` for the mTLS connection with the service backend located at the route with the cert-domain. + +::: details AppRouter component with IAS binding +```yaml + - name: bookshop + [...] + requires: + - name: srv-api + group: destinations + properties: + name: srv-api + url: ~{srv-cert-url} + forwardAuthToken: true + forwardAuthCertificates: true + - name: bookshop-auth + parameters: + config: + credential-type: X509_GENERATED + app-identifier: approuter +``` +::: + +Also note that IAS needs to know valid redirect URIs for the login and logout flow, respectively. +Both are served by the AppRouter out-of-the-box. + +::: details Redirect URIs for login and logout +```yaml + - name: bookshop-auth + [...] + parameters: + [...] + config: + [...] 
+ oauth2-configuration: + redirect-uris: + - ~{app-api/app-protocol}://~{app-api/app-uri}/login/callback + post-logout-redirect-uris: + - ~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html ``` +::: + + +Troubleshooting: +c.s.c.s.t.validation.ValidationResults : Token signature can not be validated because JWKS could not be fetched: Proof token was not found From 722354aeba01ba73db11756616947033888c3c18 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 26 Sep 2025 10:45:32 +0200 Subject: [PATCH 006/120] ias auth beta --- guides/security/authentication.md | 82 +++++++++++++++---------------- 1 file changed, 40 insertions(+), 42 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index e8501424ea..beb24e9d1b 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -52,7 +52,7 @@ CAP applications can run IAS and XSUAA in hybrid mode to support a smooth migrat In none-production profile, by default, CAP creates a security configuration which accepts _mock users_. As this authentication strategy is a built-in feature which does not require any platform service, it is perfect for **unit testing and local development scenarios**. -Setup a simple sample application: +Setup and start a simple sample application:
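Review bot: the `Troubleshooting:` stub at the end of the UI section is a bare log line (`Token signature can not be validated because JWKS could not be fetched: Proof token was not found`) with no explanation of its cause or fix; either explain it or keep it out of a released page. In the AppRouter yaml, `forwardAuthCertificates: true` is explained, but the `post-logout-redirect-uris` entry `~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html` contains a wildcard path segment; add a sentence on why the wildcard is needed, since redirect URI lists should be kept as narrow as possible. "scetched" should be "sketched", and in the mock-user hunk "Setup and start" should be "Set up and start".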
@@ -61,8 +61,8 @@ cds init bookshop --java --add sample && cd ./bookshop mvn spring-boot:run ``` -::: warning -CAP Java requires (transitive) dependency to `spring-boot-starter-security` to add middleware for authentication. +::: tip +CAP Java requires (transitive) dependency to `spring-boot-starter-security` to enable authentication middleware support. Platform starter bundles `cds-starter-cf` and `cds-starter-k8s` ensure all required dependencies out of the box. ::: @@ -200,15 +200,11 @@ cds:
In the mock user configuration you are free to specify: -- name (mandatory) -- credentials -- tenant -- CAP roles -- CAP attributes +- name (mandatory) and tenant +- CAP roles (including pseudo-roles) and attributes affecting authorization - additional attributes -- pseudo roles - [feature toggles](../guides/extensibility/feature-toggles#feature-toggles) -which influence processing of the request including authorization step. +which influence request processing. To verify the properties in a user request with a dedicated mock user, activate [user tracing](../cap-users#user-tracing) and send the same request on behalf of `viewer-user`. In the application log you should find information about the resolved user after successful authentication: @@ -370,15 +366,6 @@ cds up and wait until the application is up and running which you can test with `cf apps` or in BTP Cockpit, alternatively. -In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) -you should now also see the deployed IAS application in `Applications & Ressources` -> `Applications`, section `Bundled Applications` (display name `bookshop`, subtitle is the guid of the service instance as listed in `cf service bookshop-auth`). -In the Console you can manage the IAS application and, for instance, configure the authentication strategy. - -::: tip -In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. -::: - - The following trace in the application log confirms the activated IAS authentication:
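Review bot: in the condensed mock-user list, "additional attributes" now sits directly under "CAP roles (including pseudo-roles) and attributes affecting authorization", so the reader cannot tell how the two kinds of attributes differ; say what the additional attributes are (and that they are not evaluated by authorization). Removing the Administrative Console paragraph here is fine, as the same content reappears as its own section in a later hunk of this patch.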
@@ -389,13 +376,9 @@ The following trace in the application log confirms the activated IAS authentica
At startup, the CAP runtime checks the available bindings and activates IAS authentication accordingly. -**Hence, the local setup without IAS binding is still working**. +**Hence, the local setup without an IAS binding in the environment is still working**. - -::: tip -IAS enforces mTLS, so you need platform-level TLS termination, which is provided von CF via `cert.*` domains. -The validated certificate is forwarded via HTTP header `X-Forwarded-Client-Cert` to the CAP endpoint. -::: +For mTLS support which is mandatory for IAS, the CAP application has a second route configured with the `cert.*` domain. ::: details Application routes with `cert.*`-domain ```yaml 
@@ -410,8 +393,29 @@ modules: ``` ::: +::: tip +Platform-level TLS termination is provided on CF out of the box via `cert.*`-domains. +By default, the validated certificate is forwarded via HTTP header `X-Forwarded-Client-Cert` to the CAP endpoint. +::: + ::: warning -On SAP BTP Kyma Runtime, you might require to adapt configuration parameter `cds.security.authentication.clientCertificateHeader` according to the component of your choice terminating TLS. +On SAP BTP Kyma Runtime, you might need to adapt configuration parameter `cds.security.authentication.clientCertificateHeader` to match the header used by the component terminating TLS you configured. +::: + + +#### Administrative Console for IAS { #ias-admin } + +In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) +you should can see and manage the deployed IAS application. You need an user with administrative provileges in the IAS tenant to access the services at `.accounts400.ondemand.com/admin`. + +In the Console you can manage the IAS tenant and the IAS applications, e.g. +- create (test) users in `Users & Authorizations` -> `User Management` +- deactivate users +- configure the authentication strategy (password policies, MFA etc.) in `Applications & Ressources` -> `Applications` (IAS instances listed with their disply-name) +- inspect logs in `Monitoring & Reporting` -> `Troubleshooting` + +::: tip +In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. ::: 
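Review bot: the tip says the validated certificate is forwarded in `X-Forwarded-Client-Cert` but not that this header is only trustworthy when it is set by the TLS-terminating platform component; the Kyma warning about `cds.security.authentication.clientCertificateHeader` should add that the chosen ingress must overwrite any client-supplied value of that header before it reaches the application, otherwise the forwarded certificate cannot be relied on. Typos in the new Administrative Console section: "you should can see" (should be "you can see"), "an user" ("a user"), "provileges" ("privileges"), "disply-name" ("display name"), "Ressources" ("Resources"). The host `.accounts400.ondemand.com/admin` is landscape-specific; name the landscape it applies to or use a tenant host placeholder.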
@@ -437,9 +441,9 @@ The overall setup with local CLI client and the Cloud services is scetched in th ![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.svg){width="400px"} -As IAS requires mTLS-protected channels, **client certificates are mandatory** when we follow a two-step approach: -1. Send a token request to IAS in order to fetch a valid IAS token. -2. Send a business request to the CAP application presenting the token. +As IAS requires mTLS-protected channels, **client certificates are mandatory** for both of the following requests: +1. Token request to IAS in order to fetch a valid IAS token. +2. Business request to the CAP application presenting the token. The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. @@ -466,7 +470,7 @@ cf service-key bookshop-auth bookshop-auth-key ::: ::: warning -❗ Never share service key credentials or tokens ❗ +❗ **Never share service keys or tokens** ❗ ::: From the credentials, you can prepare local files containing the certificate used to initiate the HTTP request. 
@@ -532,19 +536,17 @@ cf delete-service-key bookshop-auth bookshop-auth-key In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. -By executing - ```sh cds add approuter ``` -the deployment is enhanced by the additional AppRouter component which is already configured for IAS usage. -The setup is scetched in the diagram: +adds the additional AppRouter to the deployment which is already prepared for IAS. +The resulting setup is scetched in the diagram: ![UI-level Testing of IAS Endpoints](./assets/ias-ui-setup.svg){width="500px"} To be able to fetch the token, the AppRouter needs a binding to the IAS instance as well. -In addition, property `forwardAuthCertificates` needs to be `true` for the mTLS connection with the service backend located at the route with the cert-domain. +In addition, property `forwardAuthCertificates` needs to be `true` to support the mTLS connection with the service backend which is called by the route with the cert-domain. ::: details AppRouter component with IAS binding ```yaml @@ -566,8 +568,9 @@ In addition, property `forwardAuthCertificates` needs to be `true` for the mTLS ``` ::: -Also note that IAS needs to know valid redirect URIs for the login and logout flow, respectively. -Both are served by the AppRouter out-of-the-box. +As the login flow is based on an HTTP redirect between the CAP application and IAS login page, +IAS needs to know a valid callback URI which is offered by the AppRouter out-of-the-box. +The same is true for the logout flow. ::: details Redirect URIs for login and logout ```yaml @@ -586,11 +589,6 @@ Both are served by the AppRouter out-of-the-box. ::: -Troubleshooting: - -c.s.c.s.t.validation.ValidationResults : Token signature can not be validated because JWKS could not be fetched: Proof token was not found - - ### XSUAA Authentication { #xsuaa-auth } - setup cds add xsuaa 
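Review bot: "As the login flow is based on an HTTP redirect between the CAP application and IAS login page" is inaccurate for the setup described: the redirect and the callback are handled by the AppRouter, which serves the callback URI as the following sentence says, not by the CAP application. The XSUAA section is still the stub "- setup cds add xsuaa"; acceptable for a work-in-progress commit, but it must not reach the released page.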
From abaa8d436cc0551bec8dda86730dbc24eb085e0b Mon Sep 17 00:00:00 2001
From: "matthia.braun@sap.com"
Date: Fri, 26 Sep 2025 17:46:36 +0200
Subject: [PATCH 007/120] custom auth

---
 guides/security/assets/custom-auth.drawio.svg | 52 +++
 guides/security/assets/custom-auth.svg | 1 +
 guides/security/assets/ias-cli-setup.drawio | 111 -----
 .../security/assets/ias-cli-setup.drawio.svg | 389 ++++++++++++++++++
 guides/security/assets/ias-ui-setup.svg | 2 +-
 guides/security/assets/ingress-auth.drawio | 70 ++++
 guides/security/assets/ingress-auth.svg | 4 +
 guides/security/authentication.md | 138 +++++--
 8 files changed, 628 insertions(+), 139 deletions(-)
 create mode 100644 guides/security/assets/custom-auth.drawio.svg
 create mode 100644 guides/security/assets/custom-auth.svg
 delete mode 100644 guides/security/assets/ias-cli-setup.drawio
 create mode 100644 guides/security/assets/ias-cli-setup.drawio.svg
 create mode 100644 guides/security/assets/ingress-auth.drawio
 create mode 100644 guides/security/assets/ingress-auth.svg

diff --git a/guides/security/assets/custom-auth.drawio.svg b/guides/security/assets/custom-auth.drawio.svg
new file mode 100644
index 0000000000..cf518e5a3e
--- /dev/null
+++ b/guides/security/assets/custom-auth.drawio.svg
@@ -0,0 +1,52 @@
[draw.io SVG source of the custom-auth diagram; markup not preserved by extraction]
diff --git a/guides/security/assets/custom-auth.svg b/guides/security/assets/custom-auth.svg
new file mode 100644
index 0000000000..2e5c0826e9
--- /dev/null
+++ b/guides/security/assets/custom-auth.svg
@@ -0,0 +1 @@
[SVG diagram "Endpoints with different authentication strategy": Application layer with CAP endpoints, Custom endpoints (same auth) and Custom endpoints (diff auth); Framework layer with CAP identity integration and Security Middleware]
\ No newline at end of file
diff --git a/guides/security/assets/ias-cli-setup.drawio b/guides/security/assets/ias-cli-setup.drawio
deleted file mode 100644
index 123acd39a8..0000000000
--- a/guides/security/assets/ias-cli-setup.drawio
+++ /dev/null
@@ -1,111 +0,0 @@
[deleted draw.io XML source of the ias-cli-setup diagram; markup not preserved by extraction]
\ No newline at end of file
diff --git a/guides/security/assets/ias-cli-setup.drawio.svg b/guides/security/assets/ias-cli-setup.drawio.svg
new file mode 100644
index 0000000000..9ffb9090b4
--- /dev/null
+++ b/guides/security/assets/ias-cli-setup.drawio.svg
@@ -0,0 +1,389 @@
[SVG diagram "CLI-level Testing of IAS Endpoints": Local CLI holding an IAS service key; Application Deployment containing the CAP Application with its IAS service binding; IAS service instance and IAS; channels labelled mTLS / OAuth 2 and mTLS; request steps numbered 1, 2, 3]
\ No newline at end of file
diff --git a/guides/security/assets/ias-ui-setup.svg b/guides/security/assets/ias-ui-setup.svg
index 7a309349df..5941891df4 100644
--- a/guides/security/assets/ias-ui-setup.svg
+++ b/guides/security/assets/ias-ui-setup.svg
@@ -1 +1 @@
-[previous SVG of "UI-level Testing of IAS Endpoints"; same labels as the replacement below]
\ No newline at end of file
+[SVG diagram "UI-level Testing of IAS Endpoints": Browser, App Router and CAP Application (App Router and CAP Application each with an IAS service binding) inside Application Deployment, plus IAS service instance and IAS; channels labelled mTLS and mTLS / OAuth 2]
\ No newline at end of file
diff --git a/guides/security/assets/ingress-auth.drawio b/guides/security/assets/ingress-auth.drawio
new file mode 100644
index 0000000000..6034d10d7b
--- /dev/null
+++ b/guides/security/assets/ingress-auth.drawio
@@ -0,0 +1,70 @@
[draw.io XML source of the ingress-auth diagram; markup not preserved by extraction]
\ No newline at end of file
diff --git a/guides/security/assets/ingress-auth.svg b/guides/security/assets/ingress-auth.svg
new file mode 100644
index 0000000000..993f2c181e
--- /dev/null
+++ b/guides/security/assets/ingress-auth.svg
@@ -0,0 +1,4 @@
[SVG diagram "Service Mesh with Ingress Gateway": Ingress Gateway (authentication) in front of CAP srv1, CAP srv2 and CAP srv3, connected through an mTLS tunnel]
\ No newline at end of file diff --git a/guides/security/authentication.md b/guides/security/authentication.md index beb24e9d1b..67db0857af 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -439,11 +439,12 @@ cf create-service-key bookshop-auth bookshop-auth-key \ The overall setup with local CLI client and the Cloud services is scetched in the diagram: -![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.svg){width="400px"} +![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.drawio.svg){width="500px"} -As IAS requires mTLS-protected channels, **client certificates are mandatory** for both of the following requests: -1. Token request to IAS in order to fetch a valid IAS token. -2. Business request to the CAP application presenting the token. +As IAS requires mTLS-protected channels, **client certificates are mandatory** for all of the following requests: +- Token request to IAS in order to fetch a valid IAS token (1) +- Business request to the CAP application presenting the token (2) +- Initial proof token request to IAS - not required for all business requests (3) The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. 
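Review bot: item (3), "Initial proof token request to IAS - not required for all business requests", is hard to parse: say whether the proof token is fetched once before the first business request or under which condition it is needed, since "not required for all" leaves both readings open. "scetched" should be "sketched" in the sentence above the diagram.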
@@ -593,11 +594,106 @@ The same is true for the logout flow. ### XSUAA Authentication { #xsuaa-auth } - setup cds add xsuaa +### Hybrid Authentication + +TBD ### Custom Authentication { #custom-auth } - - Service mesh - - DWC Integration (internal) - - pointer to hooks and properties + +**By default, CAP authenticates all endpoints of the microservice**, including the endpoints which are not served by CAP itself. +This is the safe baseline on which minor customization steps can be applied on top. + +There are multiple scenarios for which customization might be required: +1. Endpoints for none-business requests often require specific authentication methods (e.g. health check, techincal services) +2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio) +3. The application needs to integrate with a 3rd party authentication service + +![Endpoints with different authentication strategy](./assets/custom-auth.svg){width="450px"} + +- For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. +- For custom endpoints you also can go with default settings because CAP will enforce authentication as well. +- For custom endpoints that should have any different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [overrules](#partially-auth) the CAP integration partially for exactly these endpoints. +- In case the authentiaction is delegated to a different component, just [deactivate](#fully-auth) CAP authentication and replace by any suitable strategy. + +#### Model-Driven Authentication { #model-auth } + +**The auto-configuration authenticates all service endpoints found in the CDS model by default**. 
+ +Model endpoints that should be public can be explicitly annotated with [pseudo-role](../guides/security/authorization#pseudo-roles) `any`: + +```cds +service BooksService @(requires: 'any') { + @readonly entity Books @(requires: 'any') {...} + entity Reviews {...} + entity Orders @(requires: 'Customer') {...} +} +``` + +| Path | Authenticated ? | +|:--------------------------|:----------------:| +| `/BooksService` | | +| `/BooksService/$metadata` | | +| `/BooksService/Books` | | +| `/BooksService/Reviews` | | +| `/BooksService/Orders` | | + +::: tip +In multitenant applications, anonymous requests to public endpoints are missing the tenant information and hence this gap needs to be filled by custom code. +::: + +[Learn more about authentication options in CAP Java with Spring Boot](../guides/java/security#spring-boot){.learn-more} + + +#### Partially Overrule Authentication { #partially-auth } + +If you want to explicitly define the authentication for specific endpoints, **you can add an _additional_ Spring security configuration on top** overriding the default configuration given by CAP: + +```java +@Configuration +@EnableWebSecurity +public class CustomSecurityConfig { + + @Bean + @Order(1) // needs to have higher priority than CAP security config + public SecurityFilterChain customFilterChain(HttpSecurity http) throws Exception { + return http + .securityMatcher(AntPathRequestMatcher.antMatcher("/public/**")) + .csrf(c -> c.disable()) // don't insist on csrf tokens in put, post etc. + .authorizeHttpRequests(r -> r.anyRequest().permitAll()) + .build(); + } + +} +``` +Due to the custom configuration, all URLs matching `/public/**` are opened for public access in this example. + +Make sure your custom configuration has higher priority than the CAP's default security configuration by decorating the bean with a low order. + +::: warning _❗ Warning_ +Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. 
Make sure that only the intended endpoints are affected. +::: + +[Learn more about custom security configuraitons in CAP Java with Spring Boot](../guides/java/security#custom-spring-security-config){.learn-more} + +#### Fully Overrule Authentication { #fully-auth } + +In services meshes such as [Istio](https://istio.io/) the authentication is usually fully delegated to a central ingress gateway and the internal communication with the services is protercted by a secure channel: + +![Service Mesh with Ingress Gateway](./assets/ingress-auth.svg){width="500px"} + +In architectures like this, the CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. + +::: tip +User propagation should be done by forwarding the request token in `Authorization`-header accordingly. +This will make standard CAP authorization work properly. +::: + +::: warning +If you switch off CAP authentication, make sure that the internal communication channels are secured by infrastructure. +::: + +DWC Integration (internal) + 
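Review bot: the "Authenticated ?" table has empty cells in all five rows, so the model-driven example cannot be read; fill in which of the paths are public and which require authentication. In the Spring example, the `@Order(1)` chain restricted by `securityMatcher(AntPathRequestMatcher.antMatcher("/public/**"))` with `permitAll()` is the right shape for anonymous endpoints, but the `.csrf(c -> c.disable())` line deserves a sentence that this is acceptable only because these endpoints have no authenticated session, and the warning should ask readers to verify that the matcher does not overlap any CDS service path (the snippet also lacks the imports for `HttpSecurity`, `SecurityFilterChain` and `AntPathRequestMatcher`). In the service-mesh section, the diagram shows an mTLS tunnel, but the text does not say how requests are prevented from bypassing the ingress gateway and reaching a service directly; with `cds.security.authentication.mode="never"` every check in the application is off, so that guarantee is the whole security argument and should be spelled out. "DWC Integration (internal)" is an unexplained placeholder; expand or remove it. Typos: "services meshes", "techincal", "authentiaction", "protercted", "configuraitons".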
@@ -629,26 +725,14 @@ service InternalService { - Via Destination (S/4) -## Critical Pitfalls -- Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. - This means that unless additional security measures are implemented, external clients can potentially reach these endpoints directly. - It is important to note that the AppRouter component does not function as a comprehensive envoy proxy that routes and secures all incoming traffic. - Instead, AppRouter only handles requests for specific routes or applications it is configured for, leaving other endpoints exposed if not explicitly protected. - **Therefore, it is crucial to configure appropriate authentication and authorization mechanisms to safeguard all endpoints and prevent unauthorized access from the public internet**. +## Pitfalls +- **Dont' miss to configure security middleware.** + Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. + Without security middleware configured, CDS services are exposed to public. -- Clients might have tokens (authenticated-user -> pretty open for all kinds of users!!) +- **Don't rely on AppRouter authentication**. Approuter as frontend proxy does not shield the backend from incoming traffic. Hence, the backend needs to be secured independently. -- Don't mix business roles vs. technical roles vs. provider roles - -- Don't deviate from security defaults - -- Don't miss to add authentication tests - -- Don't authenticate manually - -- Don't code against concrete user claims (e.g. XSUAAUserInfo) +- **Don't deviate from security defaults**. Only when absolute necessary, only experts should take the decision to add modifications or even replace parts of the standard authentication mechanisms. + +- **Don't miss to add authentication tests** to ensure properly setup security configuration in your deployed application that rejects unauthenticated requests." 
-::: warning -Without security middleware configured, CDS services are exposed to public. -Basic configuration of an authentication strategy is mandatory to protect your CAP application. -::: \ No newline at end of file From 2907a71a9e792a5572f5e2c98a7c53b691e4f899 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 30 Sep 2025 08:39:09 +0200 Subject: [PATCH 008/120] restructed chapters --- guides/security/authentication.md | 95 +++---- guides/security/cap-users.md | 337 ++++++++++++----------- guides/security/remote-authentication.md | 47 ++++ menu.md | 1 + 4 files changed, 251 insertions(+), 229 deletions(-) create mode 100644 guides/security/remote-authentication.md diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 67db0857af..4a6bf5e5f1 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
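Review bot: the warning removed in this hunk carried the normative statement "Basic configuration of an authentication strategy is mandatory to protect your CAP application", while the new Pitfalls bullet only describes the exposure; keep that sentence in the bullet so the requirement is not weakened by the move. The file also ends without a newline (`\ No newline at end of file`), worth fixing in the same commit.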
@@ -19,20 +19,17 @@ status: released -# Authentication +# Authentication { #authentication } -In essence, [inbound authentication](#inbound-authentication) verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. +In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. - -CAP applications making use of remote services of any type need to have a proper [outbound authentication](#outbound-authentication) in place as well. +CAP applications making use of remote services of any type need to have a proper [remote authentication](#remote-authentication) in place as well. [[toc]] -## Inbound Authentication { #inbound-authentication } - According to key concept [Pluggable Building Blocks](key-concept-pluggable), the authentication method can be configured freely. CAP [leverages platform services](#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: 
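Review bot: the new link `[remote authentication](#remote-authentication)` is a same-page anchor, but this patch removes the corresponding section from authentication.md and creates guides/security/remote-authentication.md, so the link must point to `./remote-authentication` (plus the anchor there) or it will be dead. Dropping the `## Inbound Authentication { #inbound-authentication }` heading likewise breaks every existing `#inbound-authentication` link; grep the other guides before merging. The unchanged line `[Pluggable Building Blocks](key-concept-pluggable)` is also missing the `#` on its anchor.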
@@ -40,14 +37,11 @@ CAP [leverages platform services](#key-concept-platform-services) to provide pro - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fleged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. - - [XS User and Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. - -::: tip -CAP applications can run IAS and XSUAA in hybrid mode to support a smooth migration from XSUAA to IAS. -::: + - [XS User Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. + - CAP applications can run IAS and XSUAA in [hybrid mode](#hybrid-authentication) to support a smooth migration from XSUAA to IAS. -### Mock User Authentication { #mock-user-auth } +## Mock User Authentication { #mock-user-auth } In none-production profile, by default, CAP creates a security configuration which accepts _mock users_. As this authentication strategy is a built-in feature which does not require any platform service, it is perfect for **unit testing and local development scenarios**. 
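Review bot: the new bullet links to `#hybrid-authentication`, but the heading added later in this patch is written `## Hybrid Authentication { hybrid-authentication }` without the `#`, so no anchor is generated and the link breaks; fix the heading attribute. While this block is being touched, the unchanged lines still read "full-fleged" and "In none-production profile" ("full-fledged", "non-production").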
@@ -124,7 +118,7 @@ Mock users are deactivated in production profile by default ❗ -#### Preconfigured Mock Users { #preconfigured-mock-users } +### Preconfigured Mock Users { #preconfigured-mock-users } For convenience, the runtime creates default mock users reflecting typical types of users suitable for test combinations, e.g. privileged users passing all security checks or restricted users which just pass authentication only. The predefined users are merged with mock users [defined by the application](#custom-mock-users). @@ -138,7 +132,7 @@ You can opt out the preconfiguration of these users by setting `cds [Learn more about predefined mock users in CAP Node.js](../node.js/authentication#mock-users){.learn-more} -#### Customization { #custom-mock-users } +### Customization { #custom-mock-users } You can define custom mock users to perfectly simulate different types of [end users]((../cap-users#user-representation)) that will interact with your application at production time. Hence, you can use the mock users to test authorization rules and custom handlers transparently from the actual context. @@ -227,7 +221,7 @@ TODO [Learn more about custom mock users in CAP Node.js](../node.js/authentication#mocked){.learn-more} -#### Automated Testing { #mock-user-testing } +### Automated Testing { #mock-user-testing } Mock users provide an ideal foundation for automated **unit tests, which are essential for ensuring application security**. The flexibility in defining various kinds of mock users and the seamless integration into testing code significantly lowers the burden to cover all relevant test combinations. 
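Review bot: the context line `[end users]((../cap-users#user-representation))` in the Customization hunk has doubled parentheses, and the target anchor `#user-representation` is renamed to `#users` in cap-users.md by this same patch, so the cross-reference is dead twice over; change it to `(../cap-users#users)` or whatever id the final heading carries. The `TODO` in the `@@ -227` hunk context also needs content before `status: released` is accurate.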
@@ -272,7 +266,7 @@ await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: [Learn more about testing in CAP Node.js](../node.js/cds-test#testing-with-cds-test){.learn-more} -### IAS Authentication { #ias-auth } +## IAS Authentication { #ias-auth } [SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management which provides - best of breed authentication mechanisms (single sign-on, multi-factor enforcement) @@ -283,7 +277,7 @@ await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: IAS authentication is at best configured and tested in the Cloud, hence we're going to enhance the sample with a deyloyment descriptor for SAP BTP, Cloud Foundry Runtime (CF). -#### Get Ready with IAS +### Get Ready with IAS Before working with IAS on CF, you need to @@ -307,7 +301,7 @@ to make your application ready for deployment to CF, initially. Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for security transitively. ::: -#### Adding IAS +### Adding IAS Now the application is ready to for adding IAS-support by executing @@ -403,7 +397,7 @@ On SAP BTP Kyma Runtime, you might need to adapt configuration parameter .accounts400.ondemand.com/admin`. @@ -419,7 +413,7 @@ In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows d ::: -#### Testing IAS on CLI Level +### Testing IAS on CLI Level Due to the autoconfiguration in CAP, all CAP endpoints should be authenticated and expect valid ID tokens generated for the IAS application. Sending the test request 
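Review bot: the heading promotions in these hunks are consistent, but the surrounding IAS text still reads "deyloyment descriptor" and "ready to for adding IAS-support" ("deployment", "ready for adding"); also the `@@ -403` hunk shows only the fragment `.accounts400.ondemand.com/admin`, so verify that the Kyma configuration sentence it belongs to is intact after the rebase.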
@@ -533,7 +527,7 @@ cf delete-service-key bookshop-auth bookshop-auth-key ``` -#### Testing IAS on UI Level +### Testing IAS on UI Level In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. 
@@ -591,31 +585,33 @@ The same is true for the logout flow. -### XSUAA Authentication { #xsuaa-auth } +## XSUAA Authentication { #xsuaa-auth } - setup cds add xsuaa -### Hybrid Authentication +## Hybrid Authentication { hybrid-authentication } TBD -### Custom Authentication { #custom-auth } +## Custom Authentication { #custom-auth } +::: tip **By default, CAP authenticates all endpoints of the microservice**, including the endpoints which are not served by CAP itself. This is the safe baseline on which minor customization steps can be applied on top. +::: -There are multiple scenarios for which customization might be required: -1. Endpoints for none-business requests often require specific authentication methods (e.g. health check, techincal services) -2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio) -3. The application needs to integrate with a 3rd party authentication service +There are multiple reasons why customization might be required: +1. Endpoints for none-business requests often require specific authentication methods (e.g. health check, techincal services). +2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). +3. The application needs to integrate with a 3rd party authentication service. -![Endpoints with different authentication strategy](./assets/custom-auth.svg){width="450px"} +![Endpoints with different authentication strategy](./assets/custom-auth.svg){width="430px"} - For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. - For custom endpoints you also can go with default settings because CAP will enforce authentication as well. - For custom endpoints that should have any different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [overrules](#partially-auth) the CAP integration partially for exactly these endpoints. 
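Review bot: `## Hybrid Authentication { hybrid-authentication }` is missing the `#` in the attribute, so the `#hybrid-authentication` anchor linked from the intro is never generated; write `{ #hybrid-authentication }`. The XSUAA and Hybrid sections consist only of `- setup cds add xsuaa` and `TBD`, which should not ship in a document marked `status: released`. Typos in the new list: "none-business" (non-business), "techincal" (technical), "authentiaction" (authentication).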
- In case the authentiaction is delegated to a different component, just [deactivate](#fully-auth) CAP authentication and replace by any suitable strategy. -#### Model-Driven Authentication { #model-auth } +### Model-Driven Authentication { #model-auth } **The auto-configuration authenticates all service endpoints found in the CDS model by default**. @@ -631,8 +627,7 @@ service BooksService @(requires: 'any') { | Path | Authenticated ? | |:--------------------------|:----------------:| -| `/BooksService` | | -| `/BooksService/$metadata` | | +| `/BooksService` and `/BooksService/$metadata` | | | `/BooksService/Books` | | | `/BooksService/Reviews` | | | `/BooksService/Orders` | | @@ -644,7 +639,7 @@ In multitenant applications, anonymous requests to public endpoints are missing [Learn more about authentication options in CAP Java with Spring Boot](../guides/java/security#spring-boot){.learn-more} -#### Partially Overrule Authentication { #partially-auth } +### Partially Overrule Authentication { #partially-auth } If you want to explicitly define the authentication for specific endpoints, **you can add an _additional_ Spring security configuration on top** overriding the default configuration given by CAP: @@ -675,7 +670,7 @@ Be cautious with the configuration of the `HttpSecurity` instance in your custom [Learn more about custom security configuraitons in CAP Java with Spring Boot](../guides/java/security#custom-spring-security-config){.learn-more} -#### Fully Overrule Authentication { #fully-auth } +### Fully Overrule Authentication { #fully-auth } In services meshes such as [Istio](https://istio.io/) the authentication is usually fully delegated to a central ingress gateway and the internal communication with the services is protercted by a secure channel: 
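Review bot: in the `@@ -631` table the merged row for `/BooksService` and `/BooksService/$metadata`, like every other row, shows an empty "Authenticated ?" cell in the diff, so the table no longer tells the reader which paths are authenticated; confirm the indicator values survived the edit, in particular that the service root and `$metadata` are documented as authenticated, since the section states that the auto-configuration authenticates all service endpoints by default. The `@@ -675` context still reads "configuraitons" and the `@@ -689` context "protercted".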
@@ -689,7 +684,7 @@ This will make standard CAP authorization work properly. ::: ::: warning -If you switch off CAP authentication, make sure that the internal communication channels are secured by infrastructure. +If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure. ::: DWC Integration (internal) @@ -697,35 +692,7 @@ DWC Integration (internal) -## Outbound Authentication { #outbound-authentication } - -### Local Services - -Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. -They shouldn't be exposed via protocol adapters at all. -In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: - -```cds -@protocol: 'none' -service InternalService { - ... -} -``` -`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. - -### Application-Internal Services -- internal-user (IAS + XSUAA) - -### BTP Reuse Services -- IAS -- XSUAA - -### External Services -- IAS App-2-App -- Via Destination (S/4) - - -## Pitfalls +# Pitfalls - **Dont' miss to configure security middleware.** Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. Without security middleware configured, CDS services are exposed to public. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 81a4d50e81..f0260071ec 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
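Review bot: the `@@ -697` hunk removes the whole "Outbound Authentication" section including the "Local Services" advice to annotate internal-only services with `@protocol: 'none'`; that guidance is about keeping a service off every protocol adapter, an inbound concern, so it belongs in this file rather than in the new remote-authentication.md, and readers of this page otherwise lose the only instruction for keeping internal services off the network. Promoting `## Pitfalls` to `# Pitfalls` also gives the page a second H1; keep it at `##`. The `DWC Integration (internal)` line remains a leftover draft note.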
@@ -19,90 +19,102 @@ status: released -# User Representation { #user-representation } +# Users { #users } -A successfull authentication in CAP results in an object representation of the request user determined by the concrete user logged in. -It contains [basic information](#claims) about the user including name, ID, tenant and additional claims such as roles or assigned attribute values. -This user abstraction is basis for _model-driven_ [CDS authorization](../guides/security/authorization), [managed data](../guides/domain-modeling#managed-data) as well as for [custom authorization enforcement](../guides/security/authorization#enforcement). -Referring to the key concepts, the abstraction serves to decouple authorization and business logic from pluggable authentication strategy. +A successfull authentication results in an CAP [user representation](#claims) reflecting the request user in an uniform way. +Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategy. +It contains static information about the user such as name, ID and tenant. Moreover it contains additional claims such as roles or assigned attributes that are relevant for [authorization](./authorization). + +Dynamic assignments of roles to users can be done by +- [Authorization Management Service (AMS)](#ams-roles) in case of [IAS authentication](./authentication#ias-auth). +- [XS User Authentication and Authorization Service (XSUAA)](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). + +In addition, CAP users provide an API for [programmatic]( #developing-with-users ) processing and customization. 
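Review bot: renaming the heading anchor from `{ #user-representation }` to `{ #users }` breaks the `../cap-users#user-representation` reference that still exists in authentication.md within this patch; either keep the old id or update every link. The link `[programmatic]( #developing-with-users )` has spaces inside the parentheses, which some Markdown renderers reject. Typos in the new text: "successfull", "an CAP", "an uniform" ("successful", "a CAP", "a uniform").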
[[toc]] -## User Claims { #claims } +## User Representation { #claims } + +After successful authentication, a CAP user is mainly represented by the following properties: -After successful authentication, a CAP user is represented by the following properties: +- **_Logon name_** identifying the user uniquly +- **_Tenant_** describes the tenant of the user (subscriber or provider) which implies the CDS model and business data container. +- **_Roles_** the user has been assigned by an user administrator (business [user roles](#roles)) or roles which are derived by the authentication level ([pseudo roles](#pseudo-roles)). +- **_Attributes_** the user has been assigned e.g. for instance-based authorization. -- Unique (logon) _name_ identifying the user. Unnamed, technical users have a fixed name such as `system` or `anonymous`. -- _Tenant_ for multitenant applications. -- _Roles_ that the user has been granted by an administrator (see [User Roles](#roles)) or that are derived by the authentication level (see [Pseudo Roles](#pseudo-roles)). -- _Attributes_ that the user has been assigned by an user administrator. -In the CDS model, some of the user properties can be referenced with the `$user` prefix: +### User Types -| User Property | Reference | -|-------------------------------|---------------------| -| Name | `$user` | -| Attribute (name \) | `$user.` | +CAP users can be classified in multiple dimensions: -> A single user attribute can have several different values. For instance, the `$user.language` attribute can contain `['DE','FR']`. +**Business users vs. technical users:** +- Business users reflect named end users which do some login name to interact with the system. +- Technical users act on behalf of a whole tenant on a technical API level. -## User Roles { #roles} +**Authenticated users vs. anonymous users** +- Authenticated users have passed (optional) authentication successfully by presenting a claim (e.g. a token). 
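Review bot: the removed block contained two facts that do not reappear in this hunk: that a single user attribute can hold several values (the `$user.language` containing `['DE','FR']` example) and that unnamed technical users get a fixed name such as `system` or `anonymous`; the multi-value semantics matter for `@restrict` conditions, so keep that sentence with the attributes bullet. "Business users reflect named end users which do some login name" is garbled (probably "which use a logon name"), and "Authenticated users have passed (optional) authentication" is confusing, since passing authentication is what defines the group. Spelling: "uniquly", "an user administrator".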
+- Anonymous users are not identifyable users, i.e. they havn't presented any claim for authentication. -As a basis for access control, you can design CAP roles that are application specific and that are assigned to users at application runtime. -A role should reflect _how_ a user can interact with the application and rather not describe a fine-grained event on technical level. +**Provider vs. subscriber tenant** +- The provider tenants comprises all users of the application owner which usually have no business access to multi-tenant applications. +- A subscriber tenant comprises all users of an application customer. +| | Business users | Technical users +|-------------------|----------------|--- +| Provider Tenant | - | x +| Subscriber Tenant | x | x + +::: tip +Apart from anonymous users, all users have a unique tenant. +Single-tenant applications deal with the provider tenant users only. +::: + +- switch +- typical tasks + +### Roles { #roles} + +As a basis for access control, you can design application specific CAP roles which are assigned to users at application runtime. +**A CAP role should reflect _how_ a user can interact with the application at an operational level**, rather than a fine-grained event at a purely technical level. + +```cds annotate Issues with @(restrict: [     { grant: ['READ','WRITE'],       to: 'ReportIssues',       where: ($user = CreatedBy) },     { grant: ['READ'], -      to: 'ReviewIssues' }, -    { grant: '*', -      to: 'ManageIssues' } +      to: 'ReviewIssues' } ]); +``` - -For instance, the role `Vendor` could describe access rules for users who are allowed to read sales articles and update sales figures, a `ProcurementManager` have full access to sales articles. +For instance, the role `ReportIssues` allows to work with the `Issues` created by the own user, whereas a user with role `ReviewIssues` is only allowed to read `Issues` of any user. 
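Review bot: the `- switch` and `- typical tasks` bullets under the tenant table are draft placeholders, and "The provider tenants comprises" should be "The provider tenant comprises". In the `annotate Issues` example, check `where: ($user = CreatedBy)` against the actual field name: if `Issues` uses the `managed` aspect the field is `createdBy`, and a mismatched name would make the restriction fail rather than silently widen access, so worth getting right in the reference example. Spelling: "identifyable", "havn't".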
CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. Independently from that, user administrators combine CAP roles in higher-level policies and assign to business users in the platform's central authorization management solution. ::: tip -CDS-based authorization deliberately refrains from using technical concepts, such as _scopes_ as in _OAuth_, in favor of user roles, which are closer to the technical domain of business applications. +CDS-based authorization deliberately refrains from using technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the technical domain of business applications. ::: -## Pseudo Roles { #pseudo-roles} - - - - pseudo roles ? - - public users - - business users - - technical users - - provider vs. business tenant - - -It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _authentication level_ of the request. For instance, a service could be accessible not only for identified, but also for anonymous (for example, unauthenticated) users. Such roles are called pseudo roles as they aren't assigned by user administrators, but are added at runtime automatically. - -The following predefined pseudo roles are currently supported by CAP: +#### Pseudo Roles { #pseudo-roles} + +It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _technical authentication level_ of the request. +For instance, a service should be accessible only for technical users, with or without user propagation. 
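Review bot: the edited tip now reads "user roles, which are closer to the technical domain of business applications", which contradicts the sentence's own point of avoiding technical concepts such as OAuth scopes; this should say "business domain". Dropping the old sentence that pseudo roles also cover anonymous (unauthenticated) access removes the motivation for the `any` role that still appears in the table below; keep one example for it.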
+Such roles are called pseudo roles as they aren't assigned by user administrators, but are added by the runtime automatically on succcessful authentication, reflecting the technical level: -* `authenticated-user` refers to named or unnamed users who have presented a valid authentication claim such as a logon token. -* [`system-user` denotes an unnamed user used for technical communication.](#system-user) -* [`internal-user` is dedicated to distinguish application internal communication.](#internal-user) -* `any` refers to all users including anonymous ones (that means, public access without authentication). +| Pseudo Role | User Type | Technical Indicator | User Name +|-----------------------------|---------------------|---------------|---------------| +| `authenticated-user` | n/a | Successful authentication | - derived from the token - | +| `any` | n/a | n/a | - derived from the token if available or `anonymous` - | +| `system-user` | Technical | Client credential flow | `system` | +| `internal-user` | Technical | Client credential flow with same identity instance | -### system-user -The pseudo role `system-user` allows you to separate access by _technical_ users from access by _business_ users. Note that the technical user can come from a SaaS or the PaaS tenant. Such technical user requests typically run in a _privileged_ mode without any restrictions on an instance level. For example, an action that implements a data replication into another system needs to access all entities of subscribed SaaS tenants and can’t be exposed to any business user. Note that `system-user` also implies `authenticated-user`. +The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. +Note that this role does not distinguish between any technical clients sending requests to the API. 
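Review bot: the pseudo-role table is malformed and loses information: the `internal-user` row has three cells against four header columns (no User Name), `authenticated-user` and `any` show "n/a" for User Type although `authenticated-user` covers both business and technical users, and the removed text stated that `system-user` implies `authenticated-user` and that such requests typically run in privileged mode; both statements are security-relevant and should survive. The removed tip also named the grant types (`client_credentials` or `client_x509`) that yield `system-user`, whereas "Client credential flow" in the table omits the X.509 case. Spelling: "succcessful".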
-::: tip -For XSUAA or IAS authentication, the request user is attached with the pseudo role `system-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` for a trusted client application. -::: - -### internal-user -Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own PaaS tenant (technical communication). The advantage is that similar to `system-user` no technical CAP roles need to be defined to protect such internal endpoints. However, in contrast to `system-user`, the endpoints protected by this pseudo-role do not allow requests from any external technical clients. Hence is suitable for **technical intra-application communication**, see [Security > Application Zone](/guides/security/overview#application-zone). - -::: tip -For XSUAA or IAS authentication, the request user is attached with the pseudo role `internal-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` on basis of the **identical** XSUAA or IAS service instance. -::: +Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own PaaS tenant on technical level. +In contrast to `system-user`, the endpoints protected by this pseudo-role do not allow requests from any external technical clients. +Hence is suitable for **technical intra-application communication**, see [Security > Application Zone](./overview#application-zone). ::: warning All technical clients that have access to the application's XSUAA or IAS service instance can call your service endpoints as `internal-user`. @@ -110,95 +122,23 @@ All technical clients that have access to the application's XSUAA or IAS service ::: -## Tracing { #user-tracing } +### Model References -
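Review bot: the rewrite of `internal-user` drops the removed tip's precise condition (a token issued with `client_credentials` or `client_x509` on the identical XSUAA or IAS service instance), which is exactly the property that makes this role safe for intra-application use; keep it, because "on technical level" alone does not tell the reader how the runtime tells `internal-user` apart from `system-user`. "Hence is suitable" should be "Hence it is suitable".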
+The resulting object representaiton of the user is attached to the current request context and has an impact on the request flow for instance with regards to +- [authorizations](./authorization#restrictions) +- [enriching business data](../guides/domain-modeling#managed-data) with user data +- setting [DB session variables](../guides/db-feature-comparison#session-variables) -DEBUG level by default +In the CDS model, some of the user properties can be referenced in annotations or static views: -logging.level.com.sap.cds.security.authentication: DEBUG +| User Property | CDS Model Reference | CDS Artifact | +|-------------------------------|---------------------|--------------------| +| Name | `$user` | annotations and static views | +| Attribute | `$user.` | [@restrict](./authorization#user-attrs) | +| Role | `` | [@requires](./authorization#requires) and [@restrict.to](./authorization#restrict-annotation) | -```sh -MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' -``` -Never in production! -
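Review bot: the `@@ -110` hunk removes the Tracing section together with its `Never in production!` warning about `logging.level.com.sap.cds.security.authentication: DEBUG`, which logs resolved user ids, roles and attribute values; if tracing is documented elsewhere, link it from here, otherwise keep the section, as that production warning is the security-relevant part. In the new "Model References" table the Attribute and Role rows show `$user.` and an empty `` reference, so the placeholder names appear to have been lost; spell them out. Spelling: "representaiton".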
- -
-TODO -
- -## Modifying Users { #modifying-users } - - UserProvider - - - - -## Propagating Users { #propagating-users } - - request internal - - tenant switch - - privileged mode - - original authentication claim - - asynchronous -> implicit to technical user - - - - -## User Claims { #user-claims} - - - - -### Mapping User Claims - -Depending on the configured [authentication](#prerequisite-authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: - -| CAP User Property | XSUAA JWT Property | IAS JWT Property | -|---------------------|----------------------------------|-------------------------| -| `$user` | `user_name` | `sub` | -| `$user.tenant` | `zid` | `zone_uuid` | -| `$user.` | `xs.user.attributes.` | All non-meta attributes | - -::: tip -CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. -::: - -In most cases, CAP's default mapping will match your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, `user_name` in XSUAA tokens is generally not unique if several customer IdPs are connected to the underlying identity service. -Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you implement in a custom adaptation. Similarly, attribute values can be normalized and prepared for [instance-based authorization](#instance-based-auth). Find details and examples how to programmatically redefine the user mapping here: - -- [Set up Authentication in Node.js.](/node.js/authentication) -- [Custom Authentication in Java.](/java/security#custom-authentication) - -::: warning Be very careful when redefining `$user` -The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. 
-::: - - -### IAS { #ias-auth } - - role definition / assignment AMS - - Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html - - -### XSUAA Authentication { #xsuaa-auth } - - role definition / assignment - - Define Reuse Service - - -## Programmatic Enforcement { #enforcement} - -The service provider frameworks **automatically enforce** restrictions in generic handlers. They evaluate the annotations in the CDS models and, for example: - -* Reject incoming requests if static restrictions aren't met. -* Add corresponding filters to queries for instance-based authorization, etc. - -If generic enforcement doesn't fit your needs, you can override or adapt it with **programmatic enforcement** in custom handlers: - -- [Authorization Enforcement in Node.js](/node.js/authentication#enforcement) -- [Enforcement API & Custom Handlers in Java](/java/security#enforcement-api) - -## Role Assignments with IAS and AMS +## Role Assignment with AMS { #ams-roles } The Authorization Management Service (AMS) as part of SAP Cloud Identity Services (SCI) provides libraries and services for developers of cloud business applications to declare, enforce and manage instance based authorization checks. When used together with CAP the AMS "Policies” can contain the CAP roles as well as additional filter criteria for instance based authorizations that can be defined in the CAP model. transformed to AMS policies and later on refined by customers user and authorization administrators in the SCI administration console and assigned to business users. 
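Review bot: the unchanged AMS paragraph below the new `## Role Assignment with AMS { #ams-roles }` heading is a broken sentence ("... for instance based authorizations that can be defined in the CAP model. transformed to AMS policies and later on refined by customers user and authorization administrators ..."); since the heading is being rewritten anyway, repair the sentence and add a possessive ("customers' user and authorization administrators"). The deleted "Programmatic Enforcement" and "Mapping User Claims" subsections reappear later in the patch, so this removal is fine as a move.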
@@ -219,18 +159,35 @@ For example, SAP Task Center you want to consume an XSUAA-based service that req [Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} -## Role Assignments with XSUAA { #xsuaa-configuration} -Information about roles and attributes has to be made available to the UAA platform service. This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. In particular, the following happens automatically behind-the-scenes upon build: +Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html + + + +## Role Assignment with XSUAA { xsuaa-roles } +Information about roles and attributes can be made available to the UAA platform service. +This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. +In particular, the following happens automatically behind-the-scenes upon build: -### 1. Roles and Attributes Are Filled into the XSUAA Configuration + +### Generate Security Descriptor Derive scopes, attributes, and role templates from the CDS model: +
+ +```sh +cds add xsuaa +``` + +
+ +
```sh cds add xsuaa --for production ``` +
This generates an _xs-security.json_ file: @@ -268,9 +225,7 @@ Roles modeled in CDS may contain characters considered invalid by the XSUAA serv If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. -### 2. XSUAA Configuration Is Completed and Published - -#### Through MTA Build +### Publish Security Descriptor If there's no _mta.yaml_ present, run this command: 
@@ -306,38 +261,90 @@ Inline configuration in the _mta.yaml_ `config` block and the _xs-security.json_ [Learn more about **building and deploying MTA applications**.](/guides/deployment/){ .learn-more} -### 3. Assembling Roles and Assigning Roles to Users +### Assign Roles in SAP BTP Cockpit -This is a manual step an administrator would do in SAP BTP Cockpit. See [Set Up the Roles for the Application](/node.js/authentication#auth-in-cockpit) for more details. If a user attribute isn't set for a user in the IdP of the SAP BTP Cockpit, this means that the user has no restriction for this attribute. For example, if a user has no value set for an attribute "Country", they're allowed to see data records for all countries. +This is a manual step an administrator would do in SAP BTP Cockpit. See [Set Up the Roles for the Application](/node.js/authentication#auth-in-cockpit) for more details. +If a user attribute isn't set for a user in the IdP of the SAP BTP Cockpit, this means that the user has no restriction for this attribute. +For example, if a user has no value set for an attribute "Country", they're allowed to see data records for all countries. In the _xs-security.json_, the `attribute` entity has a property `valueRequired` where the developer can specify whether unrestricted access is possible by not assigning a value to the attribute. -### 4. Scopes Are Narrowed to Local Roles -Based on this, the JWT token for an administrator contains a scope `my.app.admin`. From within service implementations of `my.app` you can reference the scope: +## Developing with CAP Users { #developing-with-users } -```js -req.user.is ("admin") -``` -... and, if necessary, from others by: -```js -req.user.is ("my.app.admin") -``` +### Programmatic Reflection { #reflection } + +UserInfo + +req.user +req.tenant + +The service provider frameworks **automatically enforce** restrictions in generic handlers. 
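Review bot: the removed "Scopes Are Narrowed to Local Roles" step was the only place explaining that a JWT scope such as `my.app.admin` is checked locally as `req.user.is("admin")` (with `req.user.is("my.app.admin")` for scopes of other applications); if that mapping is not documented elsewhere it must survive the restructuring, otherwise readers will write `@requires` against prefixed scope names. Under "Programmatic Reflection" the lines `UserInfo`, `req.user`, `req.tenant` are placeholders, and the `valueRequired` sentence should state the default explicitly, since an unset attribute meaning "no restriction" is a permissive default readers need to know about.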
They evaluate the annotations in the CDS models and, for example: + +* Reject incoming requests if static restrictions aren't met. +* Add corresponding filters to queries for instance-based authorization, etc. + +If generic enforcement doesn't fit your needs, you can override or adapt it with **programmatic enforcement** in custom handlers: + +- [Authorization Enforcement in Node.js](/node.js/authentication#enforcement) +- [Enforcement API & Custom Handlers in Java](/java/security#enforcement-api) + + +### Modifying Users { #modifying-users } + - UserProvider + + +Depending on the configured [authentication](#prerequisite-authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: -
+| CAP User Property | XSUAA JWT Property | IAS JWT Property | +|---------------------|----------------------------------|-------------------------| +| `$user` | `user_name` | `sub` | +| `$user.tenant` | `zid` | `zone_uuid` | +| `$user.` | `xs.user.attributes.` | All non-meta attributes | -> See the following sections for more details: -- [Developing Security Artifacts in SAP BTP](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/419ae2ef1ddd49dca9eb65af2d67c6ec.html) -- [Maintaining Application Security in XS Advanced](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/35d910ee7c7a445a950b6aad989a5a26.html) +::: tip +CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. +::: +In most cases, CAP's default mapping will match your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, `user_name` in XSUAA tokens is generally not unique if several customer IdPs are connected to the underlying identity service. +Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you implement in a custom adaptation. Similarly, attribute values can be normalized and prepared for [instance-based authorization](#instance-based-auth). Find details and examples how to programmatically redefine the user mapping here: + +- [Set up Authentication in Node.js.](/node.js/authentication) +- [Custom Authentication in Java.](/java/security#custom-authentication) + +::: warning Be very careful when redefining `$user` +The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. 
+::: -Find detailed instructions for setting up authentication in these runtime-specific guides: -- [Set up authentication in Node.js.](/node.js/authentication) -- [Set up authentication in Java.](/java/security#authentication) +### Propagating Users { #propagating-users } + - request internal + - tenant switch + - privileged mode + - original authentication claim + - asynchronous -> implicit to technical user + +### Tracing { #user-tracing } + +
+ +DEBUG level by default + +logging.level.com.sap.cds.security.authentication: DEBUG + +```sh +MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' +``` + +Never in production! +
+ +
+TODO +
-In _productive_ environment with security middleware activated, **all protocol adapter endpoints are authenticated by default**1, even if no [restrictions](#restrictions) are configured. Multi-tenant SaaS-applications require authentication to provide tenant isolation out of the box. In case there is the business need to expose open endpoints for anonymous users, it's required to take extra measures depending on runtime and security middleware capabilities. +## Ptifalls -> 1 Starting with CAP Node.js 6.0.0 resp. CAP Java 1.25.0. _In previous versions endpoints without restrictions are public in single-tenant applications_. +- asynchronous business requests diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md new file mode 100644 index 0000000000..7106b03ca7 --- /dev/null +++ b/guides/security/remote-authentication.md @@ -0,0 +1,47 @@ +--- +# layout: cookbook +label: Remote Authentication +synopsis: > + This guide explains how to authenticate remote services. +status: released +--- + + + + + +# Remote Authentication { #remote-authentication } + +### Local Services + +Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. +They shouldn't be exposed via protocol adapters at all. +In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: + +```cds +@protocol: 'none' +service InternalService { + ... +} +``` +`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. + +### Application-Internal Services +- internal-user (IAS + XSUAA) + +### BTP Reuse Services +- IAS +- XSUAA + +### External Services +- IAS App-2-App +- Via Destination (S/4) \ No newline at end of file diff --git a/menu.md b/menu.md index 846adf6331..2a2151c3e1 100644 --- a/menu.md +++ b/menu.md 
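Review bot: the deleted paragraph stating that in a productive environment with security middleware activated all protocol adapter endpoints are authenticated by default even without restrictions, and its footnote that this holds only from CAP Node.js 6.0.0 resp. CAP Java 1.25.0 while earlier single-tenant applications expose unrestricted endpoints publicly, is the most security-relevant statement in this file and is not re-added anywhere in the hunk; unless it moves verbatim to the authentication guide in the same change, keep it here, for instance under the new `## Ptifalls` section, whose heading should read `## Pitfalls`. Further points: the removed `req.user.is ("admin")` / `req.user.is ("my.app.admin")` snippets were the only illustration that XSUAA scopes are narrowed to local role names, and the replacement `### Programmatic Reflection` section holds only the placeholders `UserInfo`, `req.user`, `req.tenant`, so that guidance is lost; `### Modifying Users` (` - UserProvider`), `### Propagating Users` and the standalone `+TODO` are likewise unfinished notes. In `### Tracing`, "DEBUG level by default" is ambiguous; say that the provider logs at DEBUG level and therefore prints nothing until `logging.level.com.sap.cds.security.authentication: DEBUG` is set, label the fenced sample as log output rather than `sh`, and give "Never in production!" its reason: the sample line writes the resolved user id, name, roles and attributes (`Country=[GER, FR]`, `tenant=[CrazyCars]`) into the log, which is personal data. Since an unset user attribute means unrestricted access, the `valueRequired` sentence should also name the safe setting for attributes used in instance-based authorization. Finally, the attribute row of the claim table reads `$user.` / `xs.user.attributes.` with nothing after the dot as rendered here; check that the attribute placeholder survives rendering.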
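Review bot: the new _remote-authentication.md_ jumps from the `# Remote Authentication` H1 straight to `### Local Services` with no H2 level, and its front matter declares `status: released` although `### Application-Internal Services`, `### BTP Reuse Services` and `### External Services` are bare bullet lists (`internal-user (IAS + XSUAA)`, `IAS App-2-App`, `Via Destination (S/4)`); mark the page as a draft or keep the menu entry out until those sections are written. The one finished section is also the odd one out on this page: `@protocol: 'none'` services are by definition not remote, so the lead-in should say that it covers services which must not be reachable from outside at all, and it should state the implication of its own text explicitly: a service meant only for in-process calls that lacks `@protocol: 'none'` is still served by the protocol adapters and therefore reachable by external clients. Add a trailing newline as well (`\ No newline at end of file`).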
@@ -80,6 +80,7 @@ ### [Authentication](guides/security/authentication) ### [Users](guides/security/cap-users) ### [Authorization](guides/security/authorization) + ### [Remote Authentication](guides/security/remote-authentication) ### [Security Aspects](guides/security/aspects) ### [Data Protection & Privacy](guides/security/data-protection-privacy) ### [Product Standard Compliance](../guides/security/product-standards) From 411e9d8bc6cefc13faae0b5f765cfe9fbe9c1ba3 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 9 Oct 2025 17:32:18 +0200 Subject: [PATCH 009/120] next step --- guides/security/assets/ams-assignment.png | Bin 0 -> 95300 bytes guides/security/assets/ams-dark.png | Bin 0 -> 441533 bytes guides/security/assets/ams.excalidraw | 5982 +++++++++++++++++++++ guides/security/assets/ams.png | Bin 0 -> 426976 bytes guides/security/authentication.md | 10 +- guides/security/cap-users.md | 430 +- 6 files changed, 6387 insertions(+), 35 deletions(-) create mode 100644 guides/security/assets/ams-assignment.png create mode 100644 guides/security/assets/ams-dark.png create mode 100644 guides/security/assets/ams.excalidraw create mode 100644 guides/security/assets/ams.png 
diff --git a/guides/security/assets/ams-assignment.png b/guides/security/assets/ams-assignment.png new file mode 100644 index 0000000000000000000000000000000000000000..c3945bb4b104e32e10c36f1e8669576bcfa0dfda GIT binary patch literal 95300
zkEa(scZ6+XpB6Ixdw*(Y{_+?yAO1lC@cvh$o^kH#FSY?%-CxmRZa^62D?1(&1;Ev* zZ)n`}6b3W}*3B6{-7h2Vc(z?!N&JR89rOHaA*e8{-6#>^pVya4Z(V=)UzJ|Ugj(7C zKu|5rSyQejico9vEz!Zj3JEtZP@c?vVyg$GwYs5A4ZIVBCe%!dEF%tb9f&{DQI(tM z*gDL$g@2^M%BHx-b8$C^8 z@znXk5v(!qvDt^cw?bCk@IIcouH`V9qda{%+C#yB$SUr{j{i;$qwL@8Q(uo{UTGQ42kmD z)4^9cUTW){nJubj;qq48R@|1=*z2TWW-*(V$(D|Jqk`ztwQ@8ZuiHAles}fQn^b8b zcxECS)IiZ_{KCI|JfdLGsgvDadBCNFtCKn!;_=<2eo=7X8}zbY-D7;$7mo#aicc@wql@yxrwoS0@Q8p?_MLu2FVp)|N&1E6drTnc$3z;#;wS*l zZ-CelTOz)#mDmx$!xMGOmMav$FVB|CPz@_7gN40Z2JoPr07?Gh{cM{(Yb>Qqux6OL zg+dje5M$goW0|j5_+I`%C&FIT!+5<`kf*da#_(va+?o4qb0}1BANMC{d%4_cSYiP< zf-BmJ;DMC7U2GIEHEnK-9ke~4ASvf!em?il$HPT(CoUXF7OR1_MxazU-^z*Ag$4r0 z4(-A#HIQd*z(IaZjX4~D5+$gXNyXbB>{8n$#ZfpVGAdzRTZ9xKa-$}cE&F|I;a{yz zVct_M3YMD_$3P$scZ1zELG3#2q!o>=#1dG8GoFWioN6HzGeaD*-aADebD|RBWuaE~ z`^q6Edh%g*q7%e8;_oN^(W4CS3=j_btW)z9$F`9uS!I270?)&q6kw!UwQ6m&sf4*< ztr}@*?_>5X`xb?z?NzPS#L-#8bcL-W3%9*m&m))U633zq+vpERm59o0o*kzsk;Fda zwLt#<19MYAbG)O!gT!6!Ry-dd&*TVQ2?C-yBm^(C(zO^9uTkvNcLP6!Y6?|s7{g5l z)AZuI$#n9~%B?1{Xhwg%Xf9;(<&-Ln93(5T=rg4WxOOn`02C~2s<166iNx$w%~MoM z)2ryhy|q_Q=1pN}jfB~sMZ{>4;3uP$6;UbQ$-N`w|E%~s9vJ1DR@NHB!9)bTTR17hNMQH*6(+?)S6Q} zOfxv&Kcq536BL=*^Z7jb8~`GsIY0V8JpL^e7X?SL^K#;t$|9`%x}U>Ky0waXmh?YA zJv;fdoUu4`s)^m2d$3s_+rCinm*rrtO5Y#Cm@*wyrI{GIIj|C$@a2-HQZ34Mwit_G zx-6?VS@k;J89gdgi2jpnjssIA6OH_Li&xi2kzhIZhF$x`7DrDaUKi|DtnnW6NXWYU zp%%qYH~Sx`$e+Tr30Ed}S+cEIuo^mH&(RcE?%M}yQvbF(qYR5Vacr-dMeKJ@&2|rQ ztHNesnR$CU9p&d{~SVn`7e;KE+R&B4?w@4>42$PlRlRi@13EjW;5V}McdUV;-JQQze zZ2VbYcd_KQMXdu_LutH?uQOxT3Ii%7Yav3e);P*!pFb7!@SjYv@a2Ywf>M z11+kG1`rmb=MDw{9L5 z_ikL3L~O&&y(gQo-g+<_`?W{nGFpM^i)HG+IAm_LQ>g9i9oX(Sk`D}L^{IA}j7Lx^ zpU#Z`OxSvV2jXCA-FqQBImJCG&C5ky+eaB;bKpnUDiFO$p<$hpQCVKe$^<*_u)~r6 zGMIT6d}ig{?yJbOh|Hs9-~J^(*rZenvGzvwJvS!e^^swJGTAegiRYpJnzJ1-Xw!DA zDwQNJnb5CJBI0+HGwklR{EfnlKgDs%UFy&&@39+ zlcm~*oxfEH)GoZ-lZ}s$ix@g!sCrbcne)vF1lOQiaqS1|Kc_`dNGezuu>7@AQK-U5 zzceI&`TS1(^b7f*|4X&1u68Blo>#D2Mnc=k>$lnHJ11-E%n~EWfNxSQCWgRy>uu93 
z@1~m1fcX?hmD$>)d%kXsK5p0}>rVx|l28ln3>?B*cMv0Xm6!v^dir3_W2n zsEOg>aspfjI2@L)!hRUU9bbby{&Zg+7=$C7>gd>A-1IM`I-p%8r+Qk74oT?E!?bRWFN!KuaU+*~TGZ@io<8yv*ou9!Hy5 zKMnj{{ErDLa@U*99i(KR({64|1aVOa^kF=d57qsEQHbwC{gL6dZSq$9mDPN{yjqDm zq1Q%$x^RM3{S|tGWo~XB1vxd-b<&SVwH{}V^Z3g|Qu3ZwUN~Q`)07OA4c4c{yvyEz zhyBb%lW9)dam+!e%_j{v6Nvj8OBBdysB;P${d&mE4O~}G#_m^Z2W}#Dk8cna!8K&F*v~R3ufM7`7Poe)YCJyo%MYqDCu+taBYK5PD5xpvC^W zp1mRE@Kl^z3JVVAn%6HB)Sd>xR5?I?T-IYdw8k7XV=Q~U4yt1iDkAb&hKi5!uEva| z%$m<9i2d{74imwdi6eX<(LL$|f7B;{CR%y4jp~ISKPLs%4io+q*^Px?;vf~o&qZ4m zUVPS*d$NJ+iSR;>*jIse;MX{6XNQ60nyv*Wbb~ z{58nGtGhvp{5sEpChufCjm|Xcz|2B-W}ywYuA;s3sTLBWA<=KZ=W;MU@bTf*##FPS z!oHWRwTzh|+=0S5Qx0HR8nAjgIudlW7BcpJ;`s^D^NM(~uwkDI(w%at{kPJxbK!u@ zlGM6C)On7zy;k=ga4q2CCU{1@0k@a^#Ty0Y-UxwSbfG6-M(!Cz4Fx!*QN@*d&axx-u+aqfd9AEYd`3)rL{5+egJDW1Sz86$&Q7{O|@E^Dxwv5eyBcFf1@+~1h zI6e-;_hsgq7uL*syw7x0tkN?5F%akeXe%`}uRcs@__T)OK@zit<8mnYb(BVK{6oHp zu#7@Wr42Suyu0u9`MYA)ZOU0m_DZ&)JDH{sX>)k$kl>e3s2?zd-;TRISt|(Uzh<}G zww}?}HyTb5)M7k&k}nw=hIDX${oL)na7_~T6$eKH( z8;F?UgK_MA+0-z`@N3pQQ9E8?Zap+owhK>qbg0A+>U-0hayU_`1V)ob_qHY?@p+;+ z1cUr=X=!%}4hpqfVqIKVZ8j3;T=bUikLFXSMX#?Ihn&oR9y8+0M@5UW zFSBkGnXOmk=dy^7M6=r>H3t7xSP!eOB2r(C29FHH#Jcg4W|eD{;TiO+up;Ibil&UM zIgbOrjkZJz-edfkn9%jd5tVHA2OPMp2|)@13xu{lH@t-$kSL@riMvg6L@Q^#`MU*I z*B1rICAnjv=9?|a9mi+EeC?tXb}N%kRv^7XHK*OZ46f0ZF8Kd!*HhUe~KGJG)H&)UQD{z2w1vTvU}xb?ziN z@>x2iI(N=bUMgM5YV?h~x$!*2Y1AorHQW<#sO>^5_KYVyMt3>>wEReH3ta&{rl?`! 
z5JxEtc~LeUI$R;l;t)<3{O&bfB)}OhJfc@K+lLm1N44F;MkU=sW@<4ME?Twc$A4V< z4iqbh7$IkPO*qJXm+anUrMj=HeylUSe(hcMb2DaWa#a-Zr|v%P`^!xX3nz2e=Ewd- zi`nYedhU>DGle-RMLCZK;+vs;i|Jp8A|jn9ZfzNM?3-`jDeCkt*PG_yPrnr;!AFop zRLP)XXt8`IwDn@aMH@bwY!waaoLI|iYOES7)1S= z)qU=4H(&nrz0&k#m2foG6zOYF5PzWXWjz9owyQg4x`!aTzA$MOiQo|L`9M`{D!1j= zR>7v!%Cz9UFZ>px^_2_CBW%Zb86K!eNYeF1y;*#=mX2js;=31pu$Oz2?JIZ^YyP9H z5=P_S=S8XhS;FaTLg5h+w^a+2Hw)pTAU~3yi>J9R?_8|&_OUaQ0ytBz4X$Eq-0TgQ zhbw9K_T4C?j}wjCp77J>mrFH8VrlX4GJ`XHo>8Rx3*78?jI|yU^7CW#Tzj9{2oBR z$o&1q_qS!fig{Y_vYyET3Yh=gR0+#r0`98O)uMFj0ipFSIY)ACTlf$8?#gdhydTH{ z6X-;b{CXKAZuubBhlhKolHW9f3QO02Bh5V&sOXS$nRRm1CUWRJ>aO7H zNG1PW@l=x*In?a`ojQQo<4G2h5-#}9OMOX=p0N?G{+U(&nOQ#kfBAx3k(QPw>!Cvr zKV0+^@uju8z6S#S!1ei+M=Ahcs?i3A-T{SLa++?w`kJ|aW-pC1wW zw=Iwl+JEI>Ebx=@`=mxcIq3+HXRSx4#Rgu4qZ0eDMxvwJIotcSWpan!yLI-@_BU_m zzvi}YwQe~d79JQ9-qjy!t50rwHXX`*dB7*Z|89z@t;k5vPne94FC{J88?&Alla%I% z{o3aZ>Pb*y6aB#f(*i@K91SZk4pxj34-PI89*v~xM-VbeDU+R(gI~+#`EA)Xa>}z3 z`!n49!{hLSAd~TvlG)R*L?PdociYH@dhqfTiyyEttKg?%RVM6C`jCK1?pgvte2vV0 z8`%V)-pqm>7pGL9W9in|w1oggMm|XAe9kg^LXXTh-eSggd+yo%x7nqrp4~5T(D<72 zmDv;2q9}{gx+S8qlIXQ2b_gvU;i}|xS z`?D|MCNbt{{c1_@6_XJYlE32y2Y;hm^D`rQ zr~&(1_e(fUUZ9$on{Jv7r?WpN@eDp3GJ&74kTfl>p6tB@gb`@*;mucfAN-5Y75F`$ zUWTia^M5yn-AH<_99}LimOHHevpkCE0%|~O{JPdEr7$X{Zk9VDyJhJ({h(5EUUy~S z$+~)~87w#SXV6#NU`Tiy;|Tsnb2~HMe&oN#vi{dt%jpz%Dcn@m@53Cvf(yE39^2S# zUv`No=w(S_S$X8Qk@G=cBx?|5x**qGi`~u-)E* z`15I;Qnq}N7Br3A*%V~$4%2Q2gYn4J?B=~ZuqU`^3{0SF!4Ji39-OCLeX~mN2-i0I zKa%6U|F5u)u2!w?KENPQa}9RN;FZ|ohQ|;{}FEQwxjc+|YlhD<` z#OeRV&*R$1o#3=!cIVdljhT&X^TtX>H8}BEc<_EZ^Em*=KL6$n3vI*H6!uZujm%I7 zXTwVyjoJ0ezsQ)?%eu$iMFuW*ymECL5|yB)v#RmwnJ}fmJhe>I)$H(}uqFO);D1WQ zUY~QOBZl=s7L~R|EcPj2AOP8Q#I*$&FB&2>>UzQ8r39hV8@Mf-Wz;v7@~0hytv-4_ zvbNe{3Z#wd@G&hWhU4Xm|8%Fq3-HpCF4|nu8^%G0cWUndbk%@|s!?L#;o-@XiKl~R z>*BpkWwJS%y3=nIpSEk;@CYIIo~_%r&vPUW#7?cN@Peby*G8RS-_4lx^az{V)cA;t zaHp`IaG@A&hqj-2Xwv5HiIdFaGtvYioD}WJz2tmhIa{KU=@YJ zWtrTJ_d=X7C@wU{DapP#RdU<=icl_J?WiW@>Dw}Xa2dFBgUr;_Gs9P730k}TXJn)@ 
zvewYO7pr#L{dtRc+p81B19+T@RrlwYvl3nKzi(Jql3<|<;YxX80*eqYN>ozem+6GZ zHry35^4=_r#rV@=4%{_mxq7YYhX=3b)x85$e(SFaFrE$P!e(2`Geg4q1`6-qEyOuT zUt=p*oj!Jcesku)0*#%<*vL9(w%j_lPHt=QZ_x~5|IG3-qupI=;3U4xN3+upSjJRkxvf$urPQM1t#stgR@TG*xRT0&qvt6ahL$9^e zoc-%kAKm>u{)u$(e^J@Fp|RJU(fhW}bNxm#{%>KS^|x6!XBqz0zlb=e$~5}*8by7$ zQrk*@!;8;_N7)V%!aJB1$e5@IeT8)io~<{&#Z>)fadUVdDQ^DT;j6zU(|#YG!_t2f zoxwk=&ko-p*z?O%l~Ced2`E*5;=vX)G{Q!DyZj(%{n+pFmqRRO%aO^bjA9@H&zV*!D|992odp|?*(nu^|;10>p z*Eza4h())NDvys>fT2DnCT3cajb5>|b>6NlYuMOWE8DPm<}^HfGyBaP<7SSnx5ur> z=gY=hq`oo#_CF3iE)h|hN{$T9lZOn@V@~N(CxZ`B2L}wmy~qRwi3=<(rKIE}+)Oye z+1QlGfAYv6AXso}?y6mhn0SmUiCc(K$_I)6St@-G6MFw=uoDenj@r4n)WSgz4jhfG zx6^%pB>OgkpPtN~juKg)Ke9i+8GLvgdKj+6KW=q z&USyTYUI!Csvn%o>!6aX>^e->X9!o2jsMRj(%-^v_+fZtKt$c8_9~P<9VGSXiyt^e zDKQ?5_9tDqoEl>{O@wWYBYJDafaGdR@VuP;Sk_>e52DBI@$XPD{jUqZ*>uzpAr)KN zePP>Rz;Fjklp{I2MtyrpPk$2* z;qt^;m7R&PZBmx!c5vXEMf~n}bDu3;4wc>+5=cxW(1@eiBAYU1RA5|BAN?{!D%t`;-DVdGX6uUlsCdSl~iggq|`b{VWV~`Nk@QM97 ztzg`$OmM)eta3b3HzVlK8^4#U)k{6sFm)-X@xRwU`0wjiB6FZ_H$y6wwvqc|eD?RN z_P>|29VL%GX}jmyQ*8Y+StLgO`#2&Dw&e#RQPw#>-El5Hy!`6^zYhxh7x+RR{Lf|o zKYzJXkd~1aH&aizoSKSHPxtTIc(<{kvHXF&F(fB9mrRgi;x6QV0+H(T);H7byV<+Tm2a93s}k0j#& z?Wg<&W23hxTS=Lm?ObQcL70jQlGNVAhx}eJq!G`=fb?Y#d(;vJAknuUU9^79E6ci{ zS+g_WLd;hSLFI4yjm5oOZ%itbdV|+kWBu*fxsmwl3ZD78i}t+2Zpy4)JF1OtQ}*=c z9z$083;TVjU>Xr|@o}2IgA5(uz`bhF)23D0&4H3yMm^dy5WycE9}o6MwBy?Ml8p#; zyJK0+i|1p0*sinpO7v_qI)-p8MgkIjrk;WnX{GV12~f zt;Z{Is!)sM%6(*l)jq_{b%D9jc91UtnQp|9NVg(j(uRlsoqwFW4j5mPS8BNLTToT{ zEU3g57ps4FcI&3<$6z;Z%f~VrAQ8D#w4lHM)FMUpbL)PZuJfIop8YitebkB{yPIyb zn9b*E7F@8eXVQiJ<&-fKFC)#>@E^}q0S0OKt3Xg2%KMmb~rC|FTD2B z7kb-4!kxdTw4-C(!E7qx8YbaK&&<9L#J`Q!n3HlEpZkzdiFxJyKLH1S)2?MhPZTu6 z9BmvE508aks#uCN8yFzm%Ry(4css}bjQkiYMg3Jn4UFA}sFW0^8ZggUmNQDs6!jte0{tK$+WK3vMBhsQt$m zB&pG6k7e+@eD<#+ZOPLWSF&KKp+8d((?dfe9kLVTN`_sALyPhG9c4v~d2;odqT_^bcco|{F&LVyeOjv5_8_5M|1y10_Vd(3Y zrk^H1m(?)Rv-8X?KI~iZxgBtj5T06o>k#Qjjvnd)3dR)t_XEswW#9h>TM+T%L`pap z{#K7aoAF-x_}gfmX@8A_iV+PzIT>{6cV(1a95;;SyF|{c&Gt&aRdDD4q|5orm5MT- 
z>UC)|U$s>Lsjxd%9cO9QECY8O1&s(ME{=aKBjL^|AXZzRa6Bv%somhN*J26f?ad{s zv-K6iS9#L&QKz1YAiqy}xKUbwqO>k$1S`n()U}OH5k41NJLy%xI}1?duN(MwBt@o% zG5$P44>~vT*JE+KVLWN?%47VQJq)j5Zn=d=$R*x=lnk-cv(g!|58FLiahk0`k$X zS L8+9WLb#SLP9g?1o0H?AtC^J>CS%=Asq*Zx~BMP~jSg9r8Egd2cIVIEEsK)BWPo(3&eho&zfJi)T~#)?34CQE!A~(_v!k# zd#6_8L!;jE!?%+@4b+_p{7Y+frXTYw$2o*2gW=*HqWHjRmh=RkrTgMoaVx?*%2#I{ zH_M7_?V~oCdM8eyfk&6{sFDzA)kQ^-Gl0cY}AnCpSi*r^u^NdY?t2;Zv zuUq)C%;FsyNdv?OB7VywE2M%+6&LVGeINN{G!myehtZ0-kGpKE63E%8<%=#jtrfKs zM|%f}0eVJHHvaR6n?C85)nct*92s8ugxGIYPJSgvGE_ys>XbFppY>cxIuczR_K=NN zZ!&VxsB`AdeQJTpqxkJiY^BN+6m(=A<&Xozi6UP}DVr?KVz(t+1jwfrWo_D(QPFc| z-ULv}B{vb#b03X+OTq9)JsdMFwwZc{-&^L+Ciey*bfL4bIse|e9g!ma!I{C?m~g} z_$gn5%=ZP~yk@r7H?^fp4yvAz0A}QVtT;uwG29c;t*yS0D-oH2+6+=VTkl2eWuAi! zPE){AGV)`G=TcEkilant9R!|O&GDZ!8#G}HGPc~Bi=5vsfFnJTMu0yz;MYnA^;gWD zy0902VPB*MSuKpRS6EFj37FQpqc|?eOj*&MD^SZ#h1UQDV6jInHHZc#i0x{L;J&KX z{;H?k$4pzR(3DBD32ph26-uOlb9#_0)Nb+r3qaq$uDM zuD1oD4Ur0Ag#stj#PLJd`tc4_thTq*l+-j?YH`{_6;P#AS}FN2-54skMvqs5cjzPr^`&dnkRF<^CjC87eeMq5sdAhPTc<>rrnn{>kBg7G3qM|Ba2+p{ zZGU?uY>S4gR-}p>m2!LM;km;%*T;J`>P}y7)F}@pRSOh$vh{R?6j%o4B;6`ZZ(59% z*JgD7HhQZ#nD)Gx6z`Y?SDTmYcqX#X``a+Ruy1IHW4jv@9J#uz+AU}!bU#?!o$`%o zqKskFsx~Srkw(Io8$Kv9DCs!$zGnKH+TpB3;2ekT&+T?gN6;Q;a2kK1 z8bes?b*(s13C2u}4!<6HFxAv&J!b}QG2idZkmhAUE@eJ~_%N$*OQsxi^Oakxc`=?9 zpq$SRdZo5L$^M&W`kuhq?W2%`T{#rYKc^#{jvUd|d0huRYZ_Bqo?vrev2%D2?29`W zF9lev3{j~sQ2w-_2{1Jj?vFqA*Iy4#B%LT?HbU#X0M zIQ`}IlXRb47nj~l4Sz{p;CL=mp?7M{3PEV@0?L>}cYvDaU$^=Oquy4EEi*g+B?e+) z;z;J9;cyewfm#d00o&U^FoDU?kU-pb%FkVx?DFD{6ttSCZ6jL0xy7%Yo4>#sW7~QC zRxnrP=2p0MbxF=x;K|F*&C-0-%GWJ{iA>{(cx$#4YY1S}B!KA8a@^M*`{|;FcHu2- zD%30>Xs6J$Wyg6R1b2^cabyE&e;A#8rp)JFT43m=rnFr70wK@g+s{AFwKV9%brSI5 zL!H=Sgc@Z2=#*DMKTiZRu*_TaK2ex8dXC*BSf!AC9OSj%^8yz7+z!bYGsqovvO{c6 z%#eCR@{{S7(c&=`yYU}eUkWa!*O$Y5@wBT^;ziv0ELHT>Oe6qUaQf@l@a23L9FuJm z*FIo)qZ1Y_stw~EK1H;YWqy;J2 z8by2;PAR)j3C;k61$xwUpuGH6c|{G#H)C=-Hfi+mBcKwGUwNvS-z3+mW(is^?K7O? 
zRz8|);*~BG&+2#ww&YDr(yf?f@;m9|-fA9kY$77KKUVOTJ@ML7kr1*Xw*<8mO~iy7 zlJ#~Zkv@%^{%{w%+``+sNkbFv=b{hTUT!uaymG%2)Xf{)dQfVW!z4Lg6d&!aoi3nk zXY6=yS*04OV2QylK!;AO%_$-3SS-tO98`c(td_{wd&uM{blYo_cb4Nn#5*SqYe86d z%zgib+9$O^&i`_0%Zuh)brwx0#|M{+gR|xdrx;5J$HW3w@kE-F zYMh=ITCXuHhaRX{XqRu#)@8tsPl?Wn=e8y`&AdS%=()+s*juxzuK%fLlDsnn2%(`>eZP}G$k_F`^ z+c~?X4d^o4yRI+^=)XV9*pG(QT67Y(3sr~5k<4N{>5DQv@xJ>&got2`GcU|VZBecy zWmi6Q(&^?c@ou2S={@OCL{Dy3LH^wymeb7vrF`lw!)#)4=BRdwTHrCt7w+ZGt)|JL zvcvp1KHoYTjFr`pUv~|*psru@^%KEgMkJ1r$aZWJl$M}$U1kFPX>km#eO(OAY=YQS znZj^QGz@BH!umx1Zr0A5i+K}Dhf`TQ_ue0SQm*O4d0@6X5UXVz<<4?Iho#s%0k0Gg zs{}NqzKpWox9}n!N>3NoFio2tUu{~JgzEfVO=zs$yc*gB|qC2I{i+}cQWOgyO{I6~ z9YmB~q!T(wLJht5qM&r?9h4>=5;~!Y5PFpoLX}SF9TLKhzWaH+-eDZVGN%j5f|~L_Jc`fCh|TU)I0Zq~q6nz4-WmdnrWqFA zZDax;=hzh9!t*oO&4{RydA09!w@TH(VZ6W!psnKqb1!pxb^@IZ`+%%3EuE;RGM;RL z>{-ufU`CAS`e|p8f6JyzBThZtdKiGiZRY0B^iG;L)JY$M1<=8mAwGQ!MfAam^P~s; z+&MidmE!9&|E|iXM0-NzCTe91{Vp^V^o6ogmoL7(A_!w@ydK%+R#a9VGlx3x5@8B5 zAPMD#uia=B0Sa%sx7AwkpEG^<;S*-q9HclZ%kRK!zUy=b?$b+Nd4JYzf{wF`Zw}n$ zIB=GdNCXtM2BJ-C9SteN=o^hj3SF~uJl-4hVR-?+$BRm`7?_~i8`mxA=j-!LvLGU5 z<=2Lu4l2RoN_gjxc1mX(HZd8+_ez0W@vkS3NF}OW{Hj4h>KRz_`W=!f21lkJOgMDK zdVk-)MURzd&;h)oB%iI*HSf062;weI`!Mpfz}~n)T>90bbpkVLd#8NkH=h$pkKDP} z=sKtJ1$v8|Ic2-$>Y=G{3OHnGDoAqeE0P!(EiN%*?Hu@ZCEAT+++-LU8zg?->AE~pi^hGC*Qzs%Iw z7L$wJ$1TfkI}E3~JOh)!tm#p%*dzwPs=x1SR`FT{JA%Q=hXI8EjHD-gVg>Y^-SA)V zt{oeUs9y{wp}KAa)@IA1u-;aj(^qvIFFHmPpbaY&iG%0XY;RtE9~6@J@osFfKwRxU zb58p3w*QpbZ6VdoSI0ez-V8vwRbvup@b!ZVBx22<3*fImTmIIRVlI)yk?2C^=uh!g zS2X^qaw?l-_Gd0+>i63fXLWP6$~O5&JTv}+PgpH^D#RU;8IImN!n}>5PrD9U{15FY zWiA>s_hq2I6tqe8b5^>jRF9s%G*y@YEAhiafGBVs5oF1Rorw>gnw&e>1TTEn=o{Pq zkdN4_@sIB*1m4?xf5Zwo+)$dF5jjngXH`aWkqT8&#|2-3Z`S%8aXXP;U3f21`Q67RPVOR^Nk019$$8& z6UJ^L9^gj+^E4i5xR-5&6t1^Mw3ByYt81eiGYzyI@l*lIx1f&H)+B-hd*Gs$ZF6D@ z)uvUcje%o65Z$6MvdBWrI@<5~gT3J*W7deRwrYnU{)JqcPo5y78{s@ATsro3BO=_j zl8e@l4>!9`>f>ftEwF|!2=;i-v2s>Dx3v{7P(bAK2uy%pqmAz=@|m2*^d>B5yyaY5FD^*_-CQBjNq0{C-7{-0VU^=JTeb 
zy4pmK^#oL-5FQu@uw_(C;0UW(6^Q$s1wt<+U4>dXJjGZN$$y*oot<5Hy(Tjt9UEvm zPk&Qy+@j=8-0EG=CoO1>1RoM%MuXNq2WO8K|Hu-4XrO%}{70tz6!g z8q0UHSLxs~(^Mju+B#sX1&`h0CH1{E(hs{~Jr)*m$@H=XrP5ME_C16KFh%Ug`nkUE z@!0s*8^3-)`LBxl9&fch>)4uYYpQI=PhN%7mb}^CKvn4K3H|te@^oImfR@-#;Z?ox z8I$Pga#Y+my-8PJV`bq2Zu|PT!A^UJ%pr4T*4#b85A)pw*b29clWZ4`Q!xiGvWfd- z?RhseQ1uA`%Asc=pj_TPMz}j4bT@lx!|jkGmtRdKZUvO#Q`)55F@#Iajn%j`$0<)@ zabK5q@dkL|muKvNK@X#I^9#bo%{FdSjr+XtHQ)37OZDO0@u}}zsaZ1M0oD*H+o!J~ z7pt_a=<+D2+ujw1<|u$|nrs|fRAH>~@#98HS&}}EK|76j+V^t4meD|F`nx80=q!;z zk;$*Mv8s?3c$362N%14`wYS9#IdkJQI!9vYP>;4s>eBoh@wU>E-CiYA(uwEm3aw#h zuX?$G{>o?WNLQ}Y1o5~ZoBN+<3$vHa&mwxB7?1w+Uzi*l@5#h3&p|DPQOhZR=t(Rb z&C6nLq|D6-y9;VFiY;C)5nf2ccoX?g@ZK|%qWaM~kF8^Vs5BKV3*}sz9PZ}3N$2;j zEyRB?f>p25{7KC)w;x9-akcGJ>B-LOf7E^}=@p9UHiUtJJw%tW-{LK+3@oThrXMY4 z?qnm5k)m}sCUk3M>{La%ZZIQUD6&unaJmVCWc~rlkGTxoA>-0yX?5J1&{YR`(B+@l zG^yIhMQMi%d+Svb;azbiJHc_S)l)4XFq?P;dAHy6GK@hNrDMxWU#o&DbXznxDddNn z=?EK8aV=r;4VDGoyl|;R-{y^C$I(irXPzxnSwn|2wWgGOD3Bj_O(6WnKpos`n)_Z zA&k)tx#wczsCT( zXe7Y$cq}F_rQ-i$YS9Yyhg2!{6zJ@>W*vK*LZtR=k;Y*?6O@%x_14hAS|*hy2PLS+ znvpQkAFNnVA-4A=I4#h2*lS#V_Y)-Q*ww>jN)=4>K8Gac_i?t>q|yZGhQy*twACcH z>4*M0cOw6*{@2|4yS)R=J4Xtk-mdCN*Qk!KiR+E`U#$?PA0;tBV1i3jPaozlrn{0Q zm;TZ!(ps-)C|<4GeI_4>Vf!&ywdSF$56xyWYE|uvvbMqDl`r|LPrW(LA`0y%Rfzbd z_}Ep;Muvy9>CTmPNRyV*G4I(n=unwGIq~kKPnA5g@$bIFZS{%!^@-jV-Bf*gDZY4y z3)jf~m$&;VZ=yR6H&vtes6Rhr##v!#J<%XG4lz^HeehMsaITXw4Z|%J4|DmU3Et=7uI^Oh!$4{P&BMs=)q=*c$0Qr7%NiT93 zcNxfpyUWpF~pjG~R5~6hF9_vzXWTiBp+o6a2lk*T*a4qwW#C z>Fai>ZF+HGj@kF#A26#Gz(abJU@WnhM_l*}QXW&EYUaF!O7u<2t^+QQRio1{QW3mG<~SJLjwQObm_M3@gt|7h-LKLk(wBuFT{y*vh=EqEFINlE*&EQMP{$yNvO-& z8Kl?d$I1qsRR8{F^4<@Mi;fu~th)+I9v!$)eVXm+(tuJCSCFW7%D85P;5u(ihYFze zx|=B)?L%OSIWUSATIowku(Q*8qAh+m-Zk}boyVjqoqIf_A4dgG4Bt-B8W&{j(Q_Cl z`+XUHovQdm##TVbmn0Q@jNAL+S#8@WmO18Nz?o>O&-0PikO5?wsZ6=wR9x_ff%rWw zI{i|^fjEZohoQ7Vmwi6^8BZ^+TCMpuJN=fdO;t{fZLRr&o@yb+Z)apPBXa7maeTD9 zcOQ(74qUuiCO<5jaLu~=LAfO>_eNAMPH(GGk-vyo`{4WYD1E2S3p3Ex;pyxq!wGD2 ze$4K3}!(%i@OW|&jj 
zcgqEHhI5TaUp=TWHF{sI&VRh>&x%MvlhJkQxV0s6xe|q&5SJwIs<9}>-=Nvu4!bo3 z4%TOKhs0FGTN@9=70Sh7K$T1`Dg;QV zRarQIEoWni*g1W~KXlru3QV)72tT@^(W6(K;wtB9X#DU)sN+P3hM~f<`OKM^Y`sr3 zQO!Z(Tyb(fRM@9&F`ef}N_vFVz^-U|N+z{8m$+P*Qb-Qj>;S4TOP+r))L)R7z|D)v zHU$vH!6REsxANoHc+5R&<%s*9C!Jj-jC1KT zLG~!{?;q4gWF{In81%FnLt=59WS4a--m4x-)9uwL;wfO_!WT|L@#o@V_u=2IXjW}n zKKi{WAa;xek(hFM{}|Y_X`_585byhSM;f=ruGR`oF_V7qnOY;Ir@WXe4o%~i*H}y^ zjd~J1k*m{_urZLQMk<1V@X!yOvziII#p7taAI*Jt{D#*F8nQvR`(iBJ9bVG!Ovx`& zrc(phs8@?cGRK#LPnOts6{Qwbd~dtU9$yKark+;+pxQNge~0Zx*Jy||>BNw2_o3M8 zm9~XX;9*cDFJHc@E&0J2v4}CT|I2 zfEnQ>p&E84O&=FN^e(w#10S30-L2QT+ghyV21Yvd{G7}Pa5YM7-muazQ7nWMj@@8e z24h+>7nlZIz3c+Y9IG&$QcWQXwVVd26I1Al7^{P1A$VkMo%iM@d&PJOaBJIYYSJ*J zh_;ZcP~X^A?m$nwXq@kh;3zNHd$L4N6KYVP_NqjfV^=Kj94;w!RzRrXrLRAqYlT)M zWT41PE?qiboK!~YCDEM2x;!_iJ;i`WW=v?uzPvvMO}4DkS63qb!iO5FS@o~uzT&oi zwmncUwVC2aO1)%JmzX#>K6}&cS~xsQ?qHSqS5-o~-WRfja>J6bXQcb6C=gl?`IQbz zAo-n&qX_qINUt?tNZe3DOmC;hv1Vf71pzA0^^mSwnf*JTLL-n)SBD$sugG zeq_;1CaXWSd(O|Imnjgx)O@1jSAyc`%r`YLLy{YZ!ji zrO$Xw?T6wQsnCCRoIO^v{)CZxJeam+<-|AcHH-ueu zC9eV)B0~~?9{d`y$apcGU&AVy#k)I`0pp=J#_0 zm(RI(kib!)f3w4}i#@ep2lwYug<~kb0gpRAK2SAy7*#5(-dIr@ML^3OO#L;jWcONW z%4C5*)vkwhpv7h#7+0lXZ%q%DmMWR(m#J*Xq}wasD@Fg>p;LPHKB@kq&G=c_!;uR3 zgrN5R%3Z$C%7bs-1rfSQ8p^2Rc*sPK{}+&4-bqgW{F(SE4%%<%!IpQfiG-g{ko1QR zub5#a@0SVh{=x;@Cd045viG(=X+vxZXPav2*ma4~9!?Qgb)~DI_exLZ$l*6dfYI!I z*b{P3a9Kz)>^LyMMkb4xbb99nwb`AY6bJj0Yh*YCA;*XJF+;#{3xOR|@C#YogRzyw z?o7~Ic&g7p9RIjnw@;kok4M zx(B%cIr-p)wNMeJ)wt{lwrXN`_AvY;p%kGJUVF2F+ART-_2<9B8N&!9aMu z=+5A!j7&xEEkA#p>N#EBRj}LQ2r{_FDgLp`6!+pres#%ww45#x{LPCB?ew}>ssLy< zLc=+G&d7e3R^tVdO_&-xRjh{g#U=luRIxmm95=vR*buo_?SJcRs|00GNG3*Cm&(S9 z(r1T!705r>NO@aeWtDGAZ4L9vm6_G?3QLsZtB{v)RN@NsF2Lc*OW*dDcx&g|B?~7% z6kbbiC7%xfYYaU^supwEN)Ud$s$X!||I2}wS4Xwy!UfRePAH7_FMb@$+WD5qdBJdu z>wJZI2*WjzIn$26Cvco(K3$C4_hdfO;B6)__4!7xUu3?*BMs7yzN0zxnyt=(*XSD8 z+HUZ^e)n<{J8u5XXUGBX-xnzsSY#aMG4m2=vtq#t6(oVC)<&K`rtmhZ6`^KS6LS*H zDD9ls1Nm4jXaxY;GFU32rumOtYo^!eq`8d;riJGZKC1328HDCitR?|d)!#BXUrp^O 
zavLGe&V^2Xn{QBQrUj{o>+#)xwCMjAdi4KP@Wa5_*;zfAL${pwf2CqS z*hV`{*ZPwyc)^i?f7*lp`PUXnnKk<5RAD}UheSs->+|qyb_RtR=rUEaa-+uoUJ9JB zS4TRBA*=zU@Ip)qc||rhd1&ls7QJIgo5K^m_xHGvMVo(h{P1sno*^sM%p!mDDD0Qu zo)Kbgq!%dY+_k#|UUE(r-2E%+Q0JSJrw^;Ic40`1t+)r+l;?ON6^N+ z%Bp01Dpgn&@s~yaS2zX*tMyCWsZlEb{pBSGu`4cM{7(|`Kh;GNNTAIA&)aW^1A20} zQo~xMc6N5nt#bsRxW~2sDUOe~{DqC^0f^rI{_zbF$1-kx!uLIIA6mNyP8B|Fz~jYR&go z3$Yr_KcU6HdPSmcRR6D+?mqtmn*Te4BlQ3O7yksRNgO5w-M9|5d0aO&H5=qUAw#_k z&J7D;e$lZk`kWCi9{gXoiAm9xuL0zFx(^P_pX7Ncb#yO?S3gixQj=33uDj30SDiYd zT^1t78Uio9e2o;{+v}Wqv z*TI0KF%Th}>X^xY1KRwG=%}@YbcPO3)#h%JX9HPdNTr8)T$7DnLJ8&O9sh+a+5beL z-@o^Cl2IWZ{8+gUYkhK0qlT>U3tzRhVy3T~#_e1|A&Jfy732R}@}2Xgx3tuWxXs<&rLjki+kGH0poO$JxUKJdq5kwtCKpyy{Vl43T0KAasWP zOi)xDl7&|#E+1;$nKP3-wm}2=EfcCt_F4b;lPFvgTgKO#Daq8;v7mb}hSn{Ws@O&9vMZQPt?)X0*26@@ab9_5FpT!C4XwW^T9*mblYufeX!* z4YvNS6@*=nQT?`aWwjHu%SL;<_ul^;9a$6W;nv$f+|xgas&VWBS!HfeCT1l>YRKF? zQ`_GR-GXkIj9XWx4w$5t+5RL?Je+Khc_DDTZo}@5jGZ@Vv=SQ^5UAM4NIcZkym0GT z{2Uo61b18}tsOCG#9wJgBOKZ}jm&6F_S4;leBs8Er)_!@ty(TFMBbM}6ta(Ek3*oUc|g|vSO^8`SuCf{e%)!XVv&*zFk1HIfGT7LCiPKi*s|+<-^rFinx&;2%w4ZM&-be+oPoT_}~WV z3lc&yh9<|(tbk6!8t?|aRgoE>gIQes=?$0BmyZSbD2Y#92~X?~hJN+wbH}Hexw~go zdiiU8Kg|xZK3_2R7xbm2px~b9%dR~2u&CQ#dNCiw&jY#Hkuay@#W`;75E5}wV30rO`RkYLf1eD z?Fl!mhc>TPxQ04e*If3O-lTnMfp56nZFOJy#3Ysuu19Zn&K)Ahp!4RyFZtE?dSN0=Tb((X|xc!Cu}jNM;uzETz&G!3UdmADFnU(K5$|WtG?h;ozDtB z!1oDw^q3fT(VkF~>|Cp?=oc~yug%?WxcE(5i{_yAidK<#zdh*)yttU$x@eFoZD|(m zg2Oq_m)F*O=mYZzX=!&V_H)b>ZK(VMS~cfJrjz2LPUmUl948YJ zv|abztW0wHOehIaE$?#YqKnf`VL2l1tvA!8ywXxsj*gX6Uc>QAe=ywxJnXOZTJ3=T zQtNU!VffUXH`39FcYbVz^^Yin^ z=X_0X*>Wp3!uA*WRh%|gmF>yk;Rv@K10~<>3b1)$2Kqlq2!Q&-Kf9b=!ZB ztoqG_4={>xD+JB4fjl4kTw50Zxi}n4VB2%7BBf$2-dG);I77hP4KEiS9i>=BR*0oV z79+2|gOpgyWw_E0QlzxPkttm)=TgVIv~fL2D*l05=;Jb(tg2pXma1(=1(f0=R+^VxMUBUz!p_fum2dU;)^d}*XV z^C<9kmwO}dz{jWQsa$Zel=78m-bjV1!G!~LR_w^ne!RZk>I$=*tu4VdHBKMj;R8ur za61#W-^aLbJ$(M^hV#;B)c+%9NQTR+@lxT86oK1h{Bk`P-FB%kCBZns9~gUCtm#8p z?ps2OQxWq`15VKa)#C9Uc=)}h-1_q1^<{Afx6yP*82i{&~ 
zO*57D#48k0uV<&wfdK@u@L5OjNPKBykj!$pf|JLua+7pL_UBt&$mogdr-Y5-roQRc zAfUx*vl`pO$H8{G9NExTtBX+Pfx~r)+&^_*GM(Yv$cL-@apQ%`n~f9)GxY(Kfj4eX z^(v5`i(uY?>{?pdbyw>&`vIXVaE7B9owvGl@VZ;b^s-R!kX5{K@%an@7G_KQaR=w~9g85c0OCP0HiD~NBtb^X;1 zG9uorxiWMVk)_F;cFDgkqf(Z8$5y=0)*2290n$WEx>crk?+>DRGl0k%dtMgIK~$yF zn(~us=PhEWL;fHnz##>k2}CHTj6S!)0`HR?z~Q+8pKyi>u=Bo+3!6cG9L*kD93ioA zb8=tuydNp*!h!FB`aPbfW#}tjG?Gz_x}GA;ukkXg2E=hVdw6sf=LUr>77zU{{bJ;` z^CrqD)BI>ZXuDa550&63EwNT5=Iyf@L3O=`k29hp2M#332M4*#t3Miq++~oAequkh zoc@rJ&*O^rG4Ec4@{|6YM;*y|<2Vd!f#&pXc>7gs%GcbgI06GJVb(+bTBj)luj z0qzyEVpRnLZ~P2lVRT|*qDLPWQ=;n$CCD!hbE{n~n@E9>aDIUdw15sHU+x-PIVeR) zLpQKtv``t{N*z-?BcD|E8P)t~L@`EF~3xS6{s=i-hApuwxpPd{-e?Fhz z+4FTjjz7rtpnLk!A*RgfLkmL2E-hes1Wp52&-z7}8~Ej_;rG;YU93w(x{JMDLo_E7 z`bZ7Bz_{Sga6h&DS8TT5C>rbczT|r$?XkE`ir4Q(ryQ+tR|@$3&o3d)re4Yj{jYCTPC> zVx2Ji>?bqlXmubRX*`3tD@p!fy&uA%#jIF;I?uhXG}(h;OJ)-=-_U-2sGr33@Se3b zs~aX-VSYAch4EtPq5la&R7!ePG@ifGu<-jH!|{oMX(=3%bealkJ8DbOydC0{4j-QP zt8th#6u?TP@%go-N8IN~3oz){88E+E^ggYKJDGdA(vN+K%E-z2hB9e41wTGNom}}) z!+zrnx(2q;$#@XwMqkTMYo=)H@NLAt8_?VK_NZ7&rMeubHYPZHJlX!l_&P)^a22NCiWvh?`8jm_;<~_ zl+fsIXGw9qxNEA&5SfT&^yHyQtKY z;1?4h17eoS$gV5KJ_CrzU9{YU$1Is=_h9qu;u{=}+n67od08pxwwGvu9Fo+>XU#Xe z@6;%PT;9)CYMhAP0QDr6*0r_~$*#R-#ep58=3ka^`HAp6-xdvd`qmWV> zEF!a9wrm4?502CASsXQc3-auTCP>Gw8`SA&25z>zm$VHJfW9Q#Q}+aAXVsAa#gF1$ zH>En0y2{yxdh89y?k1{=!9=<5*pmbLzv1wWauW5<)zd>8-635WnE;hL^cOt%Bbhz} z{sU;S@88=Q`60o)PvLos=P#%Zt?@yQYOljwhYwt#@H{1pv?lI{?M{jvztz5MzK74N z$`GU9jBAdR=UeT@m{P^GftssEqJPms=W$t>@8#*9s#?PIX%8$b)m+_kG_Ie;+GbLW zj;gkNWUqpuze*;8u@Te@-yxi(_+nduypkq64?$;fQpFQ4)*d3<#b$%Pea$dYp*Pd- z`fD=~WDvCp0k?zQNCU|O@IBLP`fmd|Wk~{AySoQ@K2XuJJzp4)qqU zhV^^JsKJ9Av)rEgN48WgZ1QnLO+_>|^=gU4l?QGO@V+z>leQ3{Zgo4Ela1Cn(xY}1Z<{3ia$nNP zYU+{}sVoj@)mrdm+x=ke7|qo_v+gzSFDzZr5oeY(_j(;{y?^Q@Bdg`guUBbWEYj!% z!*F?4nni!pIDv00stSrUqg|nqPkGH^a?TfGD8tEcJCQa4G_-^?@4VxcmcS3XKBD`+ z^5^hOA$J+;==EXw#7wi!@-CNgEiC{5FtByBEbha|8*GTYUqA2i*+@-Hj;UE`pUzwT zgJ}OSF7lyzzeASG0Jf6=NqWj-8uAAlcwv9!bpaZTNNaZ{I@^^99;TaJ%5N}}&AsvH 
zDtdD4yf2kq?K>||O527V7if0qB9Qvt8HK?K$66}5j0K&&PG*Rr18>wYqJe@_<%^+C zEZFY|v8kq1i!E*NxVAEZn#{X=xK{W74XAh!utIW2GplC3t^T3+m!*(=6 z)JI&(@PFvZNy2f(A3@Z9hIb(mjm zx9mQLC{0gMOF;x3C4gaSp(hIB^M;SR2rN&3rZ*Pq zd0=eM^!p+QcyAg#fOFJA_VH+U8!8s{oY33k=bh@@E7R_PCPS!ofGk&EPVy}zm^;IAEwue$;v?TZVWfKoy9Ut#5r7rvjHY_+bEl0O{qSkJ&#n;s z=(1n&PJvLVZV${h@t_hBal?<^<$=a2QY!`rM2T6)&|K%Fbk1kbZux9(eo5>dHX7m2 zb#}ujkGAQ>*cphfh+qy*ZGLsb89DT3O=@GUdcE`8vVuLqj`04=pg$AmW+EHklV>0v zgntGDUxC*bsV+9dX6ixT#1KsN1d72f z%(dlD@*f6mv`RezI$%rc~{Z<`8i2#Zzvy6=bX2VvC0P?sa* zlrLLC@RbQPh$p!6^BMGej+TKg&$;Nneo3*ba47*$T^WgPCwcaKCFit2(LAX>w&Dmh zd=zoQrIM0>Z_PwiyHXK}1Mo<&vl*X-BD4+^Re1ep86Sl0AIJ}G=#Euy(>d8J#*Us!9re5P{n zYlxn7pvk6V{jIya;{+8y!~7&zup&X?O-7%A<`iOHo>5)2} zJ6wYpFcnxW>qO&w{v0d&!um$KBKmS9sfU5)PmQ@(0*I);;6`}u!74Crmyy#lmOX+R z$+b4x{wYZ=I7RMcL)Y1fQ3IFGwYI7#;Mna2XnHqf%Dhp~@1!Khx0tBWA(gCt*nj#MOc+8bx+#b^|&h91PW6b^h_G8chc{%JZi?rU<{N# zMwi<4|I!cpRx%|Y;qjAM2;alm=z=a{u|1E@)` zt(m0ZB1G#i9M9ut?6LjHC9dZxQqiUHeB8 zoVV!gV|j`0rJQM<`2FCz(0&_Ju}9-y;s@^XnE;BzbmB3wfp{` zF$)>NS!5apywiFz_+V&trq+YCIV01M=udBqXV+Cj-epCM5R?V!+cgdG`S82Sh$bh8 ze%(@RB-xGLYjN^vp)$Vhx<>1)(AeIvUPddEt_iadFV{u|-U|m%h)2 z7v{HZt8E)p*R8R+`Q`IGQSk<+uw99>=aX~y%v2M@J;q?Rj6*3UnyrzbUZqz&H$&z4 zr zDm!Og zagUf}G@2XP-0Q2H@)hUe_$(900lL0cgE_;Gd4 z)?<5=pu)-i8;X5J2y9F);k7GkX-QGP&Z82~qrwU0V!m_j0pMYt@qNKFJWO?T(PcAv zq&Gy8JXkqfSIWr2qBmf~-(tm(Q2!8kT_}k+1Ou8dx458(r3`U-F}vcY{!wr06N^w(%*2%Ggc9U%6~V}(|m2kkaTSt3i|>wOW5@? 
zYZwMKRUoSX+W2?x+Dzqv(RDVU*iK)Mr8V6HKHdRlSr~YI#v8LtxCC5hMDdB<_@;Tp z#>TX4`YMJ4OY&aNS)7UWN#7?vP&oJ7`#C(19tuqVaXUnwbg*Ww;Onpo|0&b49*zsk z>DRc^QDIa!>hZ(=Y&m5p(=tkIu{(1MJl{rh?ujZu@^~?%@QeBjo=fV)x1z~ySnS}Q z6&}sZL;NzfXPuBjm6WYs`nWvn{7e5J>ZtyH7MK$)HML!?-2;O5L3*$)32E26<( z*g>AgjV!s`2qCQYY$_ruDyk5}Q{8q~>_JKh&Jg9qahu4AQX=Wdr6VdEBRHWLY3`&b z{*!`#tmO-c^|G+n4-LQWgg|JoQ**k9FNOxK)t>MpRRQ&u3* zEPOD^@gw0bdjaiU$;P)_ux0ab3ZHMDtGcwx@+4PUnMHu9iYeYo4Cr(vE zg&1OxcJ$1+d+xLU+C+pk!t$AaVq7t3-Jl4VyipRV()aTyfSt-eg1j{2^lR{T0I8H_ zTO*Ef1{%t6bxzwcXFXT~#`)3s+C0#lI?p09z0=oY1QVeq7e4%1QN(4HQ&HCPJsXg# z3kv$8+WQlht>j%A6GxCRpB?qh$&HtUZ-5OEcZsO~wp&$<5TUnQj?n@!lz%uQ>hn!B zcLpEBT!RyRMu-$%PSnwLiAf}k&X;Sn^7E{t3#i2B|2RrJS)Z{(rOM%oK>#mp;pROM zZkZTU1DZdrb(H^Fv-%>WS;Lng?ZdD8^uwMwPQM^MP4f@{GLz8OxooK5@^bbjpqOwy zN&EUi8FG+gvm2KGl{%x3bwkUfYJGvtzCK3M3J~`$bEFW9KBL4XiZ|Q8gtP{Ab`i1d zf_dg0^s`e-qA$x+kK57SSe!QEf>GpGg305@590l_IYhE3n8sd*pT21`P9NW}qF!6u z+AFyYgK$bPv8KH)B>LkRsctWuD2f?tvQhao(VdDiu&U?jxcT? zB@ckU+lOp@y|bpRa;u`$$Bk64^4d+icb*?)6x<$hTJ8T61bzb zxA`4uR2ro`^;M@e=+D=-XZL*06Kjev^uM>q66$n@VCUNh7BespiM@S^TX;hoh2pl@ z*B|OQp42r=eC}m~Ist9s3mV&b=jOT7f0)wKH}h_gj$5UB@UUIDw7D=VKJV-yf%4$e z2=DatiU_0%!L7HTGV63^z2dy4fqUZC#m&y^avtyAI;5S=x;(*p5lzJup>Zo!Uc=A>ctuw!^Zy*N9|eI2I% z05F^&EBnlRxSj4e;f%j{Bs~t~wUEE|JWhWBdrv_<>n$Il1nl7C`Smx;i?aRY1wwi_ zL(uT}%F&yG`Jvm_46kGCbPqZ=dB?We+Gf!;_BwOixbBi#J$5rk6t=xj`0 zLPAEU$O8It!`!T1gpkAJLv3tEA)<$}|2@}dtGi0NN<`&~N_}#rkCgquFS!Mb!u;wM zM2S;7JDuqtN2B4nJ(Uw%I33*7AMV``()$hw;remmmJzYcBUshYqx4w(I;KV@+4R*D zhjLHavmH_U@? 
zNIoxAHRFF|pOjQu3QD84@w>N`?%gr+jqUj7i`|&|PNaemThjUC6fa+4Evy!ZBKkM~ zE5<&S`X%>}nr&qxZ}+M&W0wV~QYwv- zWDW)|Xs8Npa6&7OJOKiZH82#%Bk0$M#Fp|$ZbAbn+Y%NBv}#_em0GS8sZqM}(}Iy| zJZC;6$5MJ&8dQp?MICTw7_uh|+4GU+9Ppab50exjC&E`|eZ?&;PEb`$wpq{6`bxfx zFIQ;gPC@$0z+%@hMPqI3o|W*&+V0c@5IYKn0y3I;P@E*zv;U<{c#@m`48ZWH{aGP^T|X-26SRVhYd^cyL0>+UW*n3g(Lxw_bI7?fUrTaa ztP$RxyZG*$uunV@7z)A6 znWaT-%4o{0S5mI4tCp^M4){gX4^U8Anpx)-GB`*AE*_K@;H&`p@)45JkDs0A(2g>o zo{o%zujjNiR_pUwCUXmCPtI4QyBTDnr=#<6rsj4_YT^x4hjZF#BG;5BZS9$bgi=-R{PM7${54b6CI_uIsZ;j4A@s9h zvBqA~ih3JN`}D3{*BSl*XEP@b%9l2Q3>zYVNVCS-^-G&m{rSK#h{dTCvaJA)VHWj0 z5pBa_ttDq0;y??tv%`=I_!6AHXZD?dhg1%O-Bj11YG&33$8CYmm_yYNAqb2c|=!tH-cZvo_gkt)Ye+F|F_y5808GPm6+VmpMo8!UhVxF zrM!!NUJB(#;u7as%yH+7-b4#IIR~eQvhC96ACA0oSE4lc?H=8g@Z24cS|3&z&YjsNubpsD7j#y`9IW}_?wM?4yFe*4n) zGA)nC_W+8S4R>pYEi)U`WKre|iKQK0Q_e!iB_AK#Q}=!tuI7K1 z)U+vh)GJZi8o+mK0xaIGR08WDOu*zNT36UP8?cP?0ICSnURtF4jdPXL%O_)_a9leK z5c_CcyV|2!iv^O+e39m7U~C1r|NR)pAIROwynoJQi^MTVdeh80ZBAT_{q+fFmy*Ui zLzn#&@ri??Nd7H37Q5an!}`><)?c-54f@#bVL%D#GCwl)#tpVZ9_`P(H7%zg2km2_0%~{cws!v9x_9yXUFHp-0VP> zR2n?f_yi^5APX%bb#t1jdYW!FV8nflw9j6YM`1EV_>Lt|u_NF8)5qBy9YYKAKYqNx z2dmhP?+017Ue2xQy=Zx0QV&uq2fB1X95NjSrk2W88-wIhbj3U3xBbR9+sh+rzfjUp zdQH{&s5)@{Sy^$zqj+-%#GN7ZGil3B(BQ?ySCXpUUbf$*rbEV?W(%GP^)RO3<-P49 zKqhL)SK0iXh*@_}pdGLrTtFbr#!rk8H7^ zKH&trtMS_d>TWxVK064nTV_EreOW;i!=%P*nxoH&W|hto+&dmT%`Ks}%;k-h4YgVU zL=gIjFQL|4?rHSCRds#3ko~A|7YbijHX%XiGfHpaIP5w6+^?fvMmOY)|)G$*?6SCn>F4feCn zbzQUHz>uu|iwdZqcI`Zq{ifS5p*CA)%U}hu*!A$4ea}#DcvTDjV5Dt}^CSIk zyXRA99_&GHRv?4ohNYio72zb=PA>3^!kQU|gvw(~Kmd%#3#wfCY;xAPORa3L*jmA{iw~ z&L}F9bIv*EoO2Qc$vNkohnx{43_~7ZV90TRArF~tpXdF*Rl8ODZMSy&Qv*}Xp}RTL z=kDKqUB+`n2jcy?-h*bgA(AG=O6+8f)UVQ_3*N!w^Q^KOx4!Ix4jpQGBbmZAj8#EN zPN@c#o>ke#d`k`z-_kz}WSMA42F7t-EAln}l9885^DfGk{CR`OY_&~xNZ3-)=_r&c zn9bLyso$WxuKXD<*`#iRoj!l=aM|dAEf#-TI}nsm6UH?V<+S_JM8DqUwE=cyRy*0K z)cCu5OCV>Ji_=_7Kj5pjR(rlJx9Culr0QjXCo^EYrewus0Dh!<7g6Uj4XjLWrjbW` zGqkuz-#g)MsI{76Seu~Fh4Yh43a-b~j9IY2gXy>EqA5$B6uy-wX~id`#VNv%z>vjW 
zGRRZ+H*7~oO^A+;rXmy-NzgBs-XDZ^dG<6m))Tz$wv|vc)0>cK z-gRJzlk{-HQPzUrB&pR(nv~lwErOlzzKUYr6%lybjm5bg&pljexpl75P&KWMS^*+o zJ@+k(KlvI;Eyva}qxS2WSYWl~YVGJOLWYS2M%kF89t*Iqbq`<*lQ?UgSw=#zM;&mX z)S=~-ok}tW0nQuFip2CzzJ^og`9B|q1EZf!o3rSEo&ZmfC(DKZ>VNg!Zd`?P++meX ztx&3Y9X$jr6|n{In2-D}we}0GSyzg5>+?cxl#So3(nn8Qa_1@!T+5XWl9@Sq(mf@; zYXM~>3jcDTd2n;Hys{aU`3!fc;%+u?Nn|9Y^Ysp~scOx%bEPlN72fMY#E14WiLIyj zN(m<-89=42_N(Gkp9AAl_fzrNl(ew}SJx41VY&J0g?3ZnmQ%OKny%^Q&uZT)ymC$3 zcl8`LaofFwI{N@ZolzBugr_ar9Zsw33?DQ)NLW(5>!Y08f%Wh=^UjK#IhWf^xA|If zN!9E`n^q^s#+1BnI(5(}N;qE-yoq}u&IwZ;x%+VaQ>m50EGpV$bHPb=3-1x88OvAH zsH^$(GCx16%hH76zQGrVhCY{3oly z`n6h(g|&^J@*jten>|G!Ktea~iVVEN$O=wNBb5;61S+<4YwdcYWD|+HuvX7qP{OkH zFJ2uQIfkt&SK*Ia3nu%Av%j_)1`N%SY*b8SmfSWoT}>*)qoVWV<(B8c*uqj=!wb0D z9zx}UcEh04 zIzz1Gw-*WuRT3ndrbCNB(dG=j4;{BT6<1l^- zJq9O_Y6Tv@%8455Ack9VlB|hM2Hs9V&}Gf{aoN&kv^BE zZ196GjO1Y62fjbOz@aH!lrXR>T5@Q|5WWewuCkv zNyP|+o@DDJm}gCfa^QccE=-dOdU1(qJ@brcI_7^rW4R^tSAdZ9bcyEx^tp=sXhER3 z^fzTlxjh$Xb~v_?@vFqU70==JE6c-w@R|2o-MGe$-HpQJ%1oS% zj7=<5R#+4ZEz`_opZO@k1Y1cqS#%29vm_w3_-Zjytv@wgm!S;4D?gJmzc$wv*lstU zn4tEfJKxcdQDpGfgK_;{5yt-Xy6F>l>MSD2*B&I5MkydFEv`FalOFANfU?E!R<77! z)ej02T(8`P%huLOY488&-Zr(F>b!X(3+);$&h!V=4^E@Cb3&$?A#KNaah+Fu&tP8h z&P`DkcQM(yZGQlP^+Pf-@~gt&C{t1s?|X^i?r-15^)KO#G5UNd0=+EeEg;As&gH>;ppKTegi`GtU4+>*km52+6OvMy;$Zn8`J+kMc9xE&~_F$~t;^Q#>yhRiWrOn5}HZVot#yCnh=9q)Ou?iry*Q z&i|fPF8d}4Gmn*bZb%m*{PE|{YXC`asV7^iC^@Y^IM%kn1>WuyGc3 zPEeOsyvWeqJ+ZCVYI5}Y4_TsV(;fJPm()EIB?tun>Vt$D+gaDm;iz@lgRS+3n*_S! zg)6@MdS|r`lw+tSW)`OwJPz8N)zHCw=y?3+VQL zghTa@f9cPx9IK|I8qRQGh?~hF{*fz%4R6T#!a4CA_p!{t`5*pvV8E6zT}s~*Ul|}V z$&IwksXF6!Tdp{3;ieN)T-egyxS_5Y`Kmw!&SHoyAZT-Z<9FHTYd|Fj$6zZk##Uf#6? 
diff --git a/guides/security/assets/ams-dark.png b/guides/security/assets/ams-dark.png new file mode 100644 index 0000000000000000000000000000000000000000..043d6909adce14e7dec96f0f5cf77da97ef8c056 GIT binary patch literal 441533
zV{F@U*%>MJ7W97u#Nv{%YG=~>dKt%gcDF3#dgFb`-&r|kIX9JA2Nhott#GC`{%b>( zUoJ_A4md<-R!#VrEQ}*(ua?il-lHMDi7SI^H+iS!H(>Oo322=7>mViYF=C}4X5?|z zK|9pVSWc{iT{U(g%s2)icxcj9u=hE}#l}`Y9o-Ke+ClXHW1WnO{&SyYi-zgzM-Q7~ zGkz+ZJMoqkJ{a5>eKnQK-oN-EOQgrbpS%Zer>QHkm*4`7&jF1RWcATcqMp&}$7yy9 z1d4b1-H04g;Six$qvcFi1uW@x>*&dZAIlHa+jr1XC5 zo5P1lqx%tmYQJyMzs_mdN^2K7uCVUIxhCfQLf^Uej2+i2Ae(RY@~;ovs?uWj2bTmn#>IU;q@lnMHa<3kp8;%zIdqI<$+x-aK;w9+V5ut~BLX-g#$%eW&QF zau%E+mAxKta*;Gi!5{#2@XgGEM%)#OpX5rYYDNeJ#Nx7P_?RooN`W*zbmA4HsoS(B z)TlIV%uau)2}NOKqUIbIgMNfbi&rUl{5)QN^eae_$Of^$S&5u)LrsYi8bS^*W?L^- zYJU?;T-o?eYr8}scL=8qt3Hx^Su{re`r>T> zk4IxY_M_hBLM}(4yUXAs{wkx2d8iT?spx$7%vLk8Vng4bj=~cONtgYdlfufI&neWG zC67L(oYBIDK{yA*3APUzf&TP1qJF31CiVf-rVLTby`jFvYLSpWCXfPX!waEZmmCA5 z`ahIdYG7h7UE6Ri3V86Ot^PNu@W6+I&|j)B0C2E>-LNSb63?lromzuUrT#tSete?1 zVP?ePM1uAn*DsQA`aVpD9gx0{P|P!Qwh^t7Bb`6s@Z;M`)Vi)wB!f{~3ecEaYh69c z(DngD$OGM$7`9#R8&f69tPsOG^X*ZImUeA#iy9F`y8S41C>|F3sw%EX;Ri}LkNef= z8G(>`mC&%>gseB*~iqkhbr#^&7sdhN`g&*Ll7xkWC9A-^&>mg*LoMn;v_U zuL+ozFYa!h zTAHTY0Cw`aUUrnPFEe?HWT=^N^vhyCLqkF=sUZ6W1*?h~>PYo{2O}A!+*xX`-h#Xf zTYAM`{D^pwHfFg#L3EDG^fvVkY7xMoVQd~j&5?wLl+FycAiA~5T1=Ntqp^=TdnP@C zZI85!eM*?Z2cMB(mL^=R|oh0>;*-indSRop`(l6jR}bGt*xc7M@5g+6hg++7^1Im7N5*Hjpq=*;wQRBqgT1)JLzJO4OngQ9O32|M+e;4Y?40`Fyi8_y0 zkx&a1m1M4|tX5wu^jS3o`s8_{B+a07@M5XEG4shgq$@?9#KegD6EUeh29F@@BpKq9 zB~xD46n()Kyw3E^GoP$BUVI`_Q;nvxY${8m|Bm3$+$eHy_;CQXi*CEuZKUwOV}-KB zcIK;yLDuX|EiKv#`(7@FH zCX-KjmTs61f9(x}OA8=K>9|~epTMG+NWtjtvDB9~v+#^$a)m(Lpa_ds+K7oZd8H)W za9FCSNCF)0AatV@di)J$UX)LqS^Fqp2$4QE;TIStEg$n$MIe1f4&JNd z#P~GIT+WSE*(FIp=~vQy%L~y}^jMdXXU11(5g3Y;)T0__Mg1x_J&&0bvim2!H!#`Y z(PLbX+1tHK3gRJcP5(Xo7%OcUe+&sz)2{lj2|QiGISV*F0n%4XVZ7G$K14|+VT@7s z70^MY`H4%!s)hLN%?BCE{GL94w0J~ZQ~3IIJP|SRHAHiSuzACLKE+^olc;C<<0^08 zTnqXuB7SBN=SFk+o*kEsc}eqiQbT3&G&o;ndj$*7MCr|t{)D{7CCgOQ=>*0yEd#OTbpt@8{y z`11w#GOr7dn9^}S_^9ROveVV@q1;O~s*Y>~au7=;&FM#HHoT<~51sugvCWA|f2d7f z>Mf6OkCykk;W#)rIy$QVC0=&1@v-=ids-iI67|nb-Qx<_Ek8t5Uj_?>n10N|*rkYu;1>Bk~au%+Xn#Jz 
zs<)t(x;&5?eSw@{usxcQQT%#;`apY*{h2d3PV<`6;x3>tslmLqLa)e56lJty&yo%j zuM`gpFAfLf89gfM1Stn7@wF?y6|Dp0zRMp7t(cJ}!U1Ys43{cK98Bws@xu)$fJ$4I zRq-Kxs-eGhsN<8@>`fu#xW3k6@&cM3b;^JaM0qL3QP7s=dFq;dn@&NFdl3$;&IhXv zb||j(>l{VJJS_gc);pWX&; zSJu+fgNXEuzxnMKWc_3HOtEvGgXT64_Bw?8SF3z8!4H>$`Ba|wLiK*}3j3OD2wqvT+`igc zBG~9M)_H>@)IwvDXAJh9Z}D*|wf8PmEgDVvZ`gacC$Xz^L_zF4l%svH>tZNBpIX+9 zD(}+9=l^Du|5)UD5=;HsiGdL^Qc}0-FNJV8?&R$#a))U2TWbklTfP!PuH^#hVKaoP z7f5WX1Z?36*G7qP?!hIvUq4W|@|fXtP(dFq?S-5Z_Vlq{7h&QlW^*|Bk5XFom(`(h&q8AlYkA!S|!i%b&^!-Yn zdLOi9{_EG3rU%9TP0$G$1=#-)BygaZQ-=h2L%at;%>?%+^YIQC^oma(^t~Cd_V-z$ zMCFd@K*ImLqwslh42lXAShm~v%?KObpoYJx7KV}(*`92Gfkp!KpdYQQ1v9qA&2>o5W|^gJt% zO@Pvf*Kv&rPg-A6%a>UB>+=LMr(tbyY?FO@4wvkqL|NeM5S*@|ef`5`!WKCs0+sGG z(hxz-AzU00V0SPbku4&Pm5J}P=Pk@F)6K1Hazt;oedG>dqc|9~z+D znT)vzIvg4H8zc1>P}|qce)p_5#ocqeG5cQ4))#ipV1iBz*p;sqzOSBkm$*EMXfQLT ztVR>QXq?SRg7c27y}tiSv9J!~ndK(&Zu|L@=NIeHXTlB64St~q&9ku(;=5V8UZ4v%F9z)4CtqWGMvo5@cYIQg0aar)YU5Ok=uNyAOTCwGbm~Z@djygQfpr zp+j?t8nTUmk51djn)p*QVcKti9SgSuCQ1hVrQ)LqP8}#A2*iH^Z(B z{wFdtblz!NMJ)p}Bd_D0VfYpo#q~SuotGOG{_E?EB~-tj@(9nM&z3LHqx&~4cucMc z9sF>E`ys6+j*v3niF1Ksn*D6>P^;GA(-bl`n35RLO3tC!&M|dmuLg|JbjAs7=aMK3P8uO zuA1B{x}dSD;vY}KC!gtQ1Z(AO%6`Y0joO)O3tbh)$H#{Sw3xPj02yQ3Rv1$Lp)}}= zU!1IebC3ec?o(^D@Y2=LNSQ8CE+YD3qSyuycEVJ*gOMMry(SepSZ_vueQ43Fw9Da_ z{Z2wmEJDEd$qTGYx#ZoWVEk2Pay!7(9 zY7`o(ICt7-0O4Dn&5CV!YybcO+cufOov6t024HNs69qE8)rRpa-gR+8;D1 z>XOU+O=Z2$-imEJhBMtSkuCW9s<-i<{4&j+uvF)|t7kRHU6*0ipI09Ga)&`bek264 zsk7eF!gHotj?E|7T=zG2`fh-VV~;3UO#XNPFG*+^x=iM|q6%_83xy7rUzDd#qv1}2 zIARoi`j3#&&^KmYwP(K<{@yEJ&XIOG}>r>czlYt|2;-*$edVnQ3r zGX(bXaDwIL)OtbJnS=6b#~vpg)f!G0D>Sl`)ko2xDJM0aN$}wk z7DffoUCcc!5L-Y;7DmlQznZo+#G1d@FNxwC@r{N9s{SK1z#U2d&lL4o}2zMT0Z z3*~qVtROIEl!_%YpM~qx^_mAP^J3u~5qQvhgckUT_6F_BlGux-@Ld}Sq~n^-69~@F zUSHf@2T@d+TBRmFV$rSiNP?-%<%#Qp{EiS=Df1*>5xpI{qFB*?K2;HvCTv4)HHFvf#W~VaWUL+z;ah2`0| zXv3vtP;83^X{s^vI(dw0PkJSR%qW_!yfIj^PF;m?dCjPnsl?A+j3pDWw+%gs+qBtJ zCMTz+zAL`*uO_V;V&dSp4D+68%iPD+|588ctUt50B=ITAxMVKo)uyykME@UxohLe& 
z(M0T!7KZ`yo3P&ZXNbvyuZGeUN%e@PB6858mKvFI98hGLg93CgSj(5)*ZfVKGD|7- zHSaUObWW1}QnPh8_|4{TG)Fxb^g?fIBS5EL$mQ={P3}^IcGI%zwbS5jM4%Q2xg0=XrG~#qiPj zp~gy+v$aqzTpCa+*gU3?GGDBicUu~rzfs6eHAAqxxtSz!hnOwQg8~TTIS^4aq^xBr zJu{9f9bsW?_^b7-Fk{nXm^Vx^?`^U+M1=+4L|9XC=5z)sJi;I4gOlK1nd&~uAkr4p(fAldGZ0_AI^SmK=v=`d(}HVfLSn_}{|m&k^5 zTuk3*m$zh{GOdod4v#mrzdd74E*Iv$cY7|?*x9`mYKfwMrJWQTn|r`z%%S(+HDv!= zQBY2q>x1U$b8`{&U}q=M0W5&0v)0;*xU>SYQGE8axdmRhw@__bpk5WfDekvW%Pc;B zy|{7swv4bE3CiF6J0mL(Bde0r7(plEl>h#rQ|lU}(#!)0In8OWh?J#&nRT;qc$ns~ z>?>tx>ehGJVhqqm3sb}8Z(|2AVNyD-cI}YenBeTMl^U*dUiXI`P_Vl^&qiR zCr&rZ*-A4&%&_$Ax%kf?*nNk(Wnj&QcuIz<=Z@~D2L;f)@4G( za9`!ctJCB1K_@6R?zs>}Zb3;&iEk+e9Z&iyMTft=VO9=-p2*~Gcl!5$01(wy~)8O zcH7Z*+*V7#d|Z}rk2{o_NymxFD{ znnVa}eNC~E1}L5?K2ldG<{j@xR5M<*iu8l(0Mh~^?H_#4r17VQJu zG;uvB!?7^=0NKF*XAc_&&<&?#dTh~znaZ_@{RMITly&CO+X1u^c8DYIjv{iqT`UW9 z=$Y|?zobBqw1n1&)!+lNH&SmDu2D39*BnC77Pz)mN9bCW&(=kP#E1ybm zQ`E;>P^;ox(&)uk|Ld}~uX#p;fZo8lU$36vUnt(5uLQ(3QJV-bSFKCoPEuXHH~ zgO|65lKPKorIm^c4rf)i$h1lW<+h&57>HHdZDksI`YvfMzcSCpu*?7c|H%5L@Hp6Z z>q(k4YA~^F+qTo#c4M1Onu*oMXwulWZQD*`TmQU!@BiTazUw)ilbLz2?zPsvZX5q` z^=PCor)w2Ke=~bj(DC8xvO=hk-?QVwnMashLWprZNR<#O5R3cJ zFyfAUM4wy+S4`ZY$TXeZXF4?ZgYX2i0$r9|Rxw+U!B(VjzDJZ?-JhH^C#*W1MI#wR z2pyORE|FO8HWmfFBG?{dmBU9}Tm-p2T{cf3>50YLsKD-Q^WCZ0AOoj5cU zd-ZfuRz8{LceGEGle}auI{3%GZ+2saD1Rm=BaBYqMx{i^b_Seu82X?2=%;U+j7PdS zPgL$@Y!?6IRHvfn^m^Crn7+B`LN@d^5<6o#Uu~?6r5_EttMN^Q*?9Z5zOv6Yu-S+0 zL-AVyt>BmDBj@^CPmjB~YnOwlazgirg*B_uF_CxqSP`a5x&(6{Jp%Xc2 zV`BoE43UF|Si3pM1DdKEQKmLPJBNDP%@4QhsLe4knj>`1hO^4j8J%=?8oyAzOwh&=ws=G+MSNa+D3)k-@kl zO~r+nN`v{r{-lnG{c>r*4}^+eX5o&|I6lW~Pvd_IJ2$UlZ}uI+?#sc-={w9mMM=(6uTIu(Yb3U@N zY*)L?drV;IZ~33}^aXh0t#}Anac*s1L|7dGmy=a@M<#`cua*r6h%k!m!jr6uce$1T z1hB&Zl^~T2_R@uT$s`Y*X-lJMI8~TgyH-*gPA4Q+2(WL%0_=Ojy&r8Ojp%j%p)wpc zD=9Qx=JZLu(^x@Xek{{&rS2-izefh5>sl~~|5wm$MC_h{Bp>MNK5D;f=@)-Xn=ZF{ zKzC9V@#^J@U+>~_g>7-k9Qd+UMkP&wnrHZ^-S17Pux)1NT#0B!BD}X-^7?IaK8pMU zBO6U*c`_`v4QuhYeV0gH+suRY`Vuxtlm~F%KmnV02NP#6Mk{=Mlyg55p|S3hi^O9I 
z`Ax+j*B*@H^fxe3xx`{msE?#ySI5^^{ST80`fFToOEnhb&p|k{hD_c$XMUCeS1u;2 z#3+l~U&tdQ9NZe>FVn4?NJZD(jAF|_fc>JRqN36TO*tL^gb%S+bWD1>+1XjSd4W~I z5@aT>Zp*<(NqG>@X}6-*$HNM4n7d$>Ic|84e(^5qi4+x9O)@W({sKi{NN-Q76F4+L z*~fMCb~LB_9p!2trA%_kwn2C~(MXfsUaN2-0c!xhdPsO#np?8Zd@=Upv6>IY?JU(f zv6gF8cH-fL*SEFZdK}F9 z!yVDk*pZ10A2Vs4Y%ZHfu85mZ-T=L#B7R*iPK&?@m!&&&R~E19U27bKbPj9k18FuO zNd^`Q&MbU|7#a|)k3L)awvDv!za_(j7%c8yfy85_XP`p(I83j8^c$`Yc&D9 zppcB^|LTxf|G#%YkJcYMa^(nY$8yBXpr6R97PaCg-Y!z{mGR3d8phY!JffI_()mC(G!SebYj6oY&>(d>@1_n z3^~g{_OJ!J9rOkm& zj4hd<13JFvc~5X;N-S$%A@^`5xUm=pJiq)0ZBQh4zH|nxLMVXnjdG&xQ(QYhILyRv znxG@yBir#i-055xZyNd1;M%9Z*)dUWYU}7w{hi>_Fepy{^ew8|b?|W!54IeEt`|>p zGOI>0X+Ih06v16sB?;yqvS{!PY0WzwRff$2A9QhIP-57Ou?Z2(wL2WT_Lh~OVVHlI;>$21(h#V#-O1)3$0xHs}6z``vZIK&o zO9lG(kk?iEo9+PSS;+CpM7f!Wb9;6DE0Qr04wDW2!)f@OzA4Jr&3nD>rNRq6`5;%X zN@#1i(J?Z1M7S_!m_zcNSNgX-PhK>j8x}T7k_hO_(%aOLu0*VM_`UgGG5U$7{^`Om z$ydGl#H#z{e93Wywrb@u7kr?j9bk`u9NO@Q+H`t6% z@1dT-eVvq$?_}BQ%%Ql-&~+|&u7g5tPQ%DZI0l|e8}$bEZf0(zj9vWKIU@L{Kl@Q7 z2cgrfb{SHrK}?q!+Xxx*s<7?cS7aV(mDe5LR6x(r07iP+JLo$tsWc!#xr>$&9qWr; zhwyLn{0e>%o`dbrzl-)_fuw29@)C=V@*!PLM@K56+HduMsZg1u3JRM8pKma#x#Yx_ zM=jPw70dO(uvwO{v1~sru;&G+cxwhwrff-%)ek00yKTQ#5*TU(sK@Tnc_?5{KU82k zA%42`2WpY+;Ac;28dqzTfl}nf$H6^bZVsh=1I7|m{n$K*IP>gp=SS7W$#pAlee2&V ztv$4Fy4J#0jj^)1>Mi|5hA0%5vViLa6h9aF$Cp=>>hvLxG&mfm(muGQ4qTypwGyh7 zhSTtsanTw$WLpbkL+Nee@@y-8I*f=x1a}R=Erg`+*j;27tqS`0AB}sd@t=4Zr0r&9 z$*G<-*F9bwsTg_O>|auFh}?NRI(FE#==H^C@`{SAB1*!9#Vf%t1l2BqBA=L6Pq;@p zfzjD|>w~j6`tWbz^5^$nip0Ur`(ZZFtH?jSaE_Yc5fP|Jun;0ZQrs2G9X#DK>ND~{ z4p>J4(hlqr)2%DdAD_BV&Bs~`7#}UBB`0HdC8nD0Giml7UP6U;CBk9j=|%RG`X9^m zJF@uB1v!i?qt?N=L9Lh9Y2a0919wG$M>tHA!JtV5#i)+C_zf<{ zH+BiPb(Bd|7;jO;3UKWn8Y5+Hcb4FOHuFa^s`iCxkAr2T1hSGGySR__x*4+ znZ%4-EyWTWCS(nECEbHNxS++xgrLg)TA1{hm3qel@A2itxYc{)?5(HW!RF^~AJ{W@ zWZgRR)RThu$+X-AX}-zQjd>mk1D0naSWf{9W7<##+xH7prYjm9fPOl@Jt0u@m?FHN zC%rKGXp5>7JmrsBAbzv!?hFS3ZkbqdKl5&6zU0midmMc-!Ml=V=^cE(sx19)G)bq*!AFhbvJ4`X8n21Gg2cyb4P>KB 
z$^Q2;Ku<{2>`EYe^1=J%{_Il>6zMyvZJb;>Cn2xTwOuDy5uQspD!YCjPh4EmT|&{5 zWbO}8QnIYx4Rr5LF69!#zQ(3I)P0l&(H(J42Xf!F*-qoh*~Y-Kl;LQc9a+zl`T1Ix z&W$I(LVX4_Y2V@6bj>Usk@rg^$)HlkFLI;r5;Nk=`2Tq14!U+nyubmLT3l}k59dtW z-5|$(2|Ou#KaO zX*BFpT>w;aBQe+4Z@(L+Y5?6=}5`ANhwNEKH1V0X$al)F;8B>&-p+w4@K9bBC&n_x!7KFX7ma)&W7 zU}B<#%*##{?<%>P3DTn>cAjR`PgdyP_|*^Kba|{bO-`WiIxqtM-p!=oCA%qfkbboX z&U6?@nNv_u5MX7)VWNm-+$|0HHzJ)U(I)&V2E?ft(0$0mwe#8wPsiVpV%1H392`YmU!HmAX(=7g=KbHyPlDKU3^HS-R)gG! z9{B|Ym?0ZR83H#faH*=y^tZA(r>Uw!sm{79XPR{==S5$|m?&<2MbnLawvk;bJJ?yi zCMcUL(?BVQwjXkgbe5t)1|=}q>?0}GZHMqNkwHzygNl;8p_d>UlvOLMbNB9ZJ|wI0 z3?oBT#K^>8L6AMFlRT9H&6?lR19ugv1&`eXb?S2EcAI!lbSXHI$Zc*>ff4TGw_1j3 z9zm*h4M?Pd**|~Y+Ulj z{doDmMKTuW%R={=KE2onS!@@TL>D*B4@?w?NwxMe_q;yk5*9|iWj+Dmk;~@Sv8_HM zDRbOsb+i616~6>npu&4e%_T-06xaB*>`}H_Wu(w8pawT0%wA`aC7FJ?eh)VZ(68kX zKX^TMyb_;(NlwMXg@bY^iTa-T#ul7|1tjkExNWn@LkPB@oV$0nd9q8!JEnluvdM@c{-GIW$>7fS7a|-+-i>W~ z594YwV57Ri;cz#TT7l8l9TjMJk-@0nqQ)iIQ6EhGhDScN(??3@gzxbsuaKj;;<93T z({0F#ZDb$U4!MNO?m_s^@Gy1Ke#kQLx!vFUD2@z&EI z*w?53#zWr41PTvJPrKX65}0CJ)TjnY&>*1KQ~o5=IA-)$0kWtZ4l7!Dy|DNDE^n$) zMG}-l>-hSLP!?&8UP6=|47}*_>55tLm+-^qQbwK4y6|kx4DFqoa6HtNI_n!Ta@1kj zzTF%iqBqoyTXkOGn0pKTBX@M?RGc#(Og+{VM9z-}js%O>a#(xc=*EkDT*8NH@A6D6ub2Y?(oubqF(5A5)J8pZ8Zlk@B#X$@n0=XQ(-2bRf zH^3C4?t(r%U#Drtf@(erwrWOo*w1aVLSGpa%pAZYeZ~?(t;~bZR1$W~|@h zTAe446Eu|=a&0SHd2vX~@ClHzx(V3qtsjhxw`6mHTU6s+KGODO_!%)8m(B22tge9OwrJmc>y8NKyCAldrY zas-jZ(E_{a653dKYF!Q|c9nQvPAOY$_%4YC6#kgqJDrGwKDP0>GTCJe{(RfDBcgAT zf)s!xKm5BAji-|cp+xyRi(`AIGGQD4fvGBD?hCPL*)CU{t?j~AFn)qF1K@}HvlU}s z8poC4hww)8raSL8C?`WL-jV;FS}OwNa1nd=q77?2H)wVbV?%o`_*6t6a1Te&Atg?U zrp3rIZ*6%P6QnVoKIwb(-o`PWUck}!2Nj6LWO(J|Xy+W*J3xjT{l2-@k7vL7xR31fBg@gZQzmhMtFDZ1cPWDz7~34Va7O)PG=Dsx&lfJ? 
zZ>K-^S}Ult+F)LLaPM>vPhyc$z$3uNmwthzuBPUw``8Pz!dMiqiv=;7&8i%(g^Tx1 zvkeyR;Qw&&J#;M4w+|^@`3;Gcv$Dn-DVz)nex3{n@>A_5r)9d> z^iU+8`2?z~tAl4Y(R`@3+3cjfcs~zoMgWvF!y?bWMa5dDCG!#D(60l;>Run0@vsmA zsWM+WvuAgC6g=9P9(_=MRpt7vawfOkNsE+Qr!AsRb42fc{q&LI{h6fQ%ng11{Om*G zYR@A48kdjr?l^{k&wtlb0Je)}e!J(hQiOOhBB{Y_v&&(#lhPL+Z7K#+rYs^I$z%j{ zp_+iuV~;qpb(A06a#Y_(zx*&rCXaR7qqZNki(3LPe9cF_dQS>~#+fYUWofWoo{@sB z{sAHd_g!m;Jzl6?T=PTyd#MN$tCI#Jej0=&iQscPM*o)0cg~S$Mm)~!{n21XX|tJV z?=&k@4FqK=r)qIZQ^EGMxbHp^Rg#R>2E%^mFb_2!R`gff{JQ$=swV}`dg60dwBUh- znB%_k4rh41Uy_m%x|~7iJX`C42Sorc(+-U8T_SgC+X>HEXKj3nHO%;;z!QF2E($Rq zqi?OiSxhAZ4G4R0Fv?Mq*_B*)(%0X-?d%xP=rnR{954y>2l=`2!dp0_^Y7dfk=X~x z+MY_!4Bwt#iYGU3CeOmTNa8_{95pAg_hI$ilNS$4OH3q9#QiT%Tz^D1sH(ThpN&tB zHL)s%c7tABJPM!uip%y0e@4xusA*U4uQGgZ$(kvxCNU+e?VtCG?WlVhEMJY5ZW>~3 z-m|+o7$1Co^H1{CQvUsMc0YBBOwx9Aa?xz1cij^bQ(#@=D$B)WFdaZmMRkZ{@aBL| z*0P^&SaP0qWj{a^aCY2m`g9`1)lneMe{yVEZS4@6Jelc?AcqMG&nPJ=sSO92v*Ula z&R@>p*lylbh_h+>L@Ki5Qeuqlu+)KosE=m*`x{C|thL?CPr*cwjGxXM?>~S2u%`kT z?KsNOTZqmh>-rGQcAUkA)!Pod(?%njXu^>Uz&K>MlgBq>!_sGH9drrejHh#1CTu%r z5s@0Kg3AukQx9!k4+x-$wn-sU>~f9ys8Ni6{Un>|Z5|Ji?Rxdid=U;olg-mw-gFz1 zJ5G0Sa(vPEbKPU#Y}G{jz0KIbKLk7xtF^tG>n*NEn<*Eiy|wR{@hhI$?%xOQ#f{sf z%s#6Zi;p5EZB>LfB`05gc`xZqy97N5;#3U)cU^j`l_Be(G zd1WB--myAjQ0AJBY7;J@|Exouee%SWjJi@tdTuOW!lNJ-Xn2J2d!zD*XptKk4R zh5_7=Zj;_OO1CU4hn5Cb{W2ce=&Ym;C&wEKU`H_a6(x6&>MI0BjW$K6?SBG!2BGZm zO5w)$*!i>JMsIkXpG}IDYK&`QZn({V)LT!xe(mvp$SW*V5_sB6Jjn=fVZVj?8V<0H z!6}2os=+5o71`POXnPtaxF{>q`2t%G{p7>ngcf2sZL(K zx{>~rnVvtJkAqYY({3>$Id~Jc*iXF<9Hp^iw&VRYa|=?*^;QeF3A0K8f#F#cd%7y(DllpY&CTiq3D zQeiM_KlqC7NY%(4R%EsQ6O#738b2={xUL?3r24VeN>e%UgCU{+xj<%*^M=A8`4 zvVCun+eb2e>o%ArWOZcu55e23l@vfw=lA|}C{pY8Tss2?6) zFp>~ZrqA6g$HyiGNC=dZcG0a5nH}gZEl&DpL`?0`u69v-+3F-C_r%YRB5Hhz}k2?1F|?RmRTx#>{O zGtA`p=pct6eBmv6WuoD|1()AhA;Opa?5X|q@$!ZKEE@U9eE8k?$& z3eU+ij00@u>P6~otiamjplf95smpvPd_}9{7Q(ucK-%utM((p`d?js7O|EYN#v_y& zn5o^X8$vcmgLZsLu7VxC<6tl2dku?m+%KQ;a2_hc)}z#PNu7R`d5_L=!CKuxlC^mg 
z53edNNIWi16o8QCMVZYk|650|P9wdw{7>#f0#5sxPKPElqjxwd3!R#Hv#UfsaZL@4 z11W{4wU^R{A!IJ!4ePVh!HmA2-|f45Lgiw8E$zIts|KwHaHt6SW!Q${FWQw=HQH-m z!GoW*8}hx(9yTDt&t9Tb!S9}2IQM#%CEdH;=#2e$9!;r%}*Q>UNiDS2xiMG4lj~Bnevt7c}8+ek2Zy95|Tb}@vD9YOs z5ABavS?%=>u)T}fyIyFMT|N z#ayN*5LI?xOvMr;bey?BV9C`t8~jfcpr(9hZ9F?WNmA^gOqovc_1ivXplW}=I^gT{ ze9&%m$Z~tiXfginsc3ThMV)pkfNXt>T3_f%@HU6#>mB2bjYWV5Op4m7I>zkNX5QIl z1}~9EU*DlaYc5$jqNSxJ-%PRCokxj>{=ZKRAtViP94b&*Tbt)Qs6t=)-OkozyGQO@ zPya=63_)yXNXIby=7j%RxY2;Sy>RYs$o9#46SkGF@8C(Gw4kc0hI8xc6I(E}67duP z)TL>ym5%1GmjDaFN*3eo}KajsrG#2uvxUYCMN=Qw>YkiMD} zE~T+PdUZN0U^K2tgcHzRq#A226bI5EBgJY;$Hi(YGv1Lh8uT&n#Q_b-##_JI5EG-+XW0*NmgCEG{YeMiOGhdS0D8 z@mB18I2$ncmP3!b8y~ZCg+-~yd47w=d+AjAXZo)ir>U(kBEgSnq80Y>hx=`9yWr9Y zB4Y>i#&KF)xN38^fr@Q=apN`Nx_w!|X+ea3eLLgI`s-<1b*H$yp0|19?Ds^<^{UCU zy#}W4kpqSFwdZSrKZZOvV{8u`{s)++@Kv7@}`*e<$D>>edzZh?}OEM8Wn{1XV*v*zBq%$;u2Tl?1+h4dp(JB zoaPvBD*e>xL=R;7vTNw` zQPzI9-+z+c-rDB7!j#>%gi^oq*ks!xBaQ_zl?({6zs8Yj5v8_R{E6v2+H#Tv91|jf z*xV1!t4=l9Q7nf!%#NdUA^@~u!C{4FWG|O4h~@npJO^uRhy!Hyq_U-fTiepw)4ORm z+3+FR#G-!b;5eC1HgjJzQh1Ub)l6Qu=f+v{8T+mILIg6qI~l3QPP+pF%_`eN`o;=4 zK|_ryqg3$~WmO$l<(ZoYf@OBHc6FSf#lJ`kuXhKstB2~JCzc*1#) zV>o7%vVd~CRC>wqj{c^@o&OXb;G$;IC||Q{ae&DWuabojx51=xA53Q)hXdOV14{ZZF z%e-Wpm}snp)U6V;$m@1o$C$+*|3DP9lTA+DXkpDlRZPCl`dQBh3j2T;g+0HZE(Og* zkLzAcgxOx)Fdbr5(Ek{@F$mw(Cf_12Dv^as0sE~E4x@X@1kO2|w*5zC@!3{e%n$TZ zX;7)#rb-N~WLG>dPR1`;r~_}&8y@{*3I1y=1d*+wp&8Np3uRw2cmqk|>~p@63u;{J zNMGU!?dLV91QiX4K=27UQzh8^@2&dr`5zbqM*5Ry9`v1HF{QS)77Y>OgHvvG%*p=e z*n8`UMZm#l5e?>Bc8E3FuWNPXu1T{$E_9ma(hqn6&ux@?{7dcFTZ~Y>GfIE*{O3m_ zwBh4jBL~$+B%s)pG3>A|PP@o}mmZMZG^mVqq|a-dQavKDkv6iCsL_~s?$sdZ;6J9q zN{@g|j#q5gS$#HbNYo1vD1)~R@NUX1=M4aJN~_W{s^Zsg18~6b7j35!RPY2Ms5hPQD9Xbuig@OYL2mxT>5#bAq?y$6)p`WAG3#v zbRs8l*N(KdvY5AIO|^Rlorm%(O}L;-Bz%1gjWq$PyrJORy(raqS2Sn{_J@H;pz0e# z4B_Kyj|>cj>t%h_f*~qg(9X?yA)((98ke4PuwOI`5J%w zedIe|J9b!2t{B%r2tioJNSBt=qI8uDEa2{dwKrvhgq{T+@yf94;GK|bti=qkOT4#O*a**Pu8zPnX&4sP<4$t#^Ki2$*IUmPXegv}zR^vW&0gV5Q|vMq 
zOIGXCk#{GgIc{f`+^qUjv!y4Vo>;7nyjXs|K7`oGFV1_b!{II{-MkC~Zt2~NDNkf~ z3P5F&x%t2p=f-CqY7+|@=<9InyN$Vbzp_9Yl}t2-@)_^+;o3Tr31;4KZ>m6eR?aT( zy|0gF%ZG@O8XfR%5JY%*l^br|(bJjoq@wJ|5vFHmX3kvDV<2rz{+kWqhkE}Yi<=>G z1E+M&-dBolh>J&po52$>dmE0-mfuM)Mb%qtGh4pO6I(8X$Snnqx$XA!7uoeln957$ z7><|heCPe_dFXkY*Zes!jp7-RoUf`Kw^=mO~STq*P)J)GfC7@HYsSbq_>tkpX5j@ zDbIHFTeUoKgYvL@nGf&j{XvcYAg;J+x{9EYp_&DAb~GQEEiWz&T}>M+(u&r%sXU5A zopc^jP8N<&0Ne!hj5pR`FEn5uw-Am#&l~YF3ETIlP*5%&U@So#ExY5rC%~2Ot*OzA zelXfOIYO14Z^aYf$;whvedR=!YbZsgBu7}EFF zR2mM*7Vg?_xqowSHjP2wGi3VGCXVqj#PB54m>>shh7ePyhOrnmoBjT*1a$mHuJ`CL zpMj6_Q#_-lz3#7Izg9d3ej|4Hy*(XW8@YXcf^Y5X*DmT`Mh7J`_%*>fgK%3DYEGip zb_wEKr6y5N5v-rQ9#A8kc#nQiWNsg78(HVo4b{Jd$KpJAOUtwbrFKufz>+H5F;e+^ zz-_IkIZj*cH?Cb*b`7RUrn{>8N#X4YOHWG3%E>;aWCy%I4HsDJ3}l1x{XL0^%4E*R zN2g*t-M@96OB890pr0Vn_4Rcz$PW3RTZU`a z_s=|#Q_00!eIc~O9l423OOKNpsfR0zMgo(sn=KB-cI<33w0!^H3()$x3%@+^Ol$p{ zxERMpO?2W~Fu;(oc96?;wjfox@#2p{a2ujvfMMf>!cGQk6>YU?ep}lslz1Jl-OTLl zEZS^{%A3St^v!>AQg#1uQbi>t-YT-gS&*aP3kNb>)iDAXcP;kofY0UcV#uq@d7f%I6E4Z?AeXHB+eqEp26Nf9m^+hhvICj0Uy zdt_+VAl?E;UKM?*(%ahDi?s}2CWPj%jEH9?avw)0SWA@SOo}A=$z2Ye(ynHAB;WNq zM>`OXPnCnRzCJ`MC?!dJK_l*z$sE`J^-8-&5Z9%k9?*IM&+;Ws5*7A@OSurC0+HQHgTZ&3F4UZ% zx)A{(wogX*fVXG{r1%4xN|1X#*M_9PG=l~!;fZAh^H4xVxEmMgZ$r~B%|Jk7RS-BA zk1YtqlkX&NX*#xZm3;{e#)hCabX>{8i>-~EMjkE`nk`4`S{}StY7$OZ7F+L`fJRbC z7PmZ7fj?D@f>9x(uW0|Qydfn#{sl#|1%vlWbgr%asvSJn?_&0Ubg*}Fcuqh$IGy6h zI(t3mj{ysDuXH@gGiR}OsBRU&jWghiKj<~q^slD6x?94}Yd64OBtR&bDdfs_8$@`3 z58Q6aou=Gmb(>_}-DHgWU=nX*oZm?UU@iW{a2m6iiAF<(H5P!(FHA7$-NTD3o5xs8 z4YH{uVYe(!uttTS9t^Z9LZYG?mV|tA8|KC=meeX@t8{CTlV@Hmox!)w4x3-Q$c-#? 
z8zL3o^;C~?^3}r+kh%8GbR|0vCvkX4y!gU392Z)g=pEc7O0{048orTacCXStilm5Y z=0TLY?$4Bdh6}_?#vWFH^z|tD5`-K_%+9FNYH4Je(2|?GV+D8&AAAFIA>}-b9KQ_h zH?WZ*{N^Mz!WD9z>y13HaRhIzW$ZF&y=^dXeF~;{U+&vRrr`(=3e7H-UjEQ zI!UWdRv4?;M6_HKcI*005CH>xLAW>Pgh5Z2mq3ov9)HMg!a^RRO=CdzyR9Odf(GKqV)gvWAQvRF}*OATwd7!C3glpW*|M zKp=hGC?|H)NPUB>bUlHRrpCQkWr9i}5C1_YAW}xHYDxlWP^lYVf0a?lSD+87-R!0Z zutV&Vo#zF)#U8Y{C4n1_Tn2m01P_?zTNw#&rcMXpoPyF*NzxT$ukD0Gu7n+_0P5tZ za^cR%=QT}UE3eS|o9~`s6;@`~h#EXpmT)z5*CW zK}KoNhD-5Zku~4|kmaDM?!5thrLHrGFaZEsmDEF>5Q$emZ;6Cu%^L;c## zZdkwZ%L~@?UyGddAEkTRFXO3$2Q0d3dh^f(n({hKl@D3${V)&>rpv`1ov+8MO38Dm1Tvi)V2B`S;uzWNpMS|J{d zSQ|YTS~MFS>P1oB!lEul>2m#5>u16203TdQ zMO>aRb9$asu#HWFnx?uI;eF`8l+uwaM`LwaLF_GpH9utf$E*Sv$n^~lp>%!KNM`5) z3fr9w@l@lXiX3-aG6{TT>mdQ;zjd#U3ca~KuZ{}7_!aLPI>&AH#D90N(xkHC`ZQz- z>`P5BD?Kx(=ta$*?PEkx9TB?lztVSk!`h_LOilGgqb6Kzm-Ef~DDd0#FR1y|0XtE` zW5fl8U)d|Dh`vJ({)^A#s^WzOw=qpmwhpjsQB&Vs#q+^p+Y+Rj%p18Q0hK3>~slj~7(8R<{J50oN;yky`-9-mQA`UpCS%lM3D1=4 z6L%bQ8>umFabkVu|s(xW7tFZ*QE3{V|~0MkbCZx8owHwQyserP}r z?Z-O~3zWF_XKK;6^z!oZ5I39cBoq8FKFQ+EWgEx{NXnN|TI2m+ z&DK)zf)~(?2Pb8uvnn_|#zRL(=RlHM-1f29sn+Rwb-BjRRT!|^b;n@6fIKH-oWVn~ z9X)Rz%2axh_{*1NLrIcI{l(vc_?D13N*HBQEzEMggttHey@R~?evH7p@^y!k)3mEz z>i49c60EsBOT$Em_ICtl=^5vs>m9p%iu{rrOQ>riVM>uM?DB7Sv2xwVi;%<3@ihrj zbKDqu^1`v4(FJ!-3NElw3X@QO&{3Wtd)PC_y8WdDL21)l75gqi>Y3RTrovO4DjGja zaSz*+q)md)HyS4iJpRaBa}red>lx+I#-K48{2^6wu<6BLw&^_wH&KM;3!eC;kBxUT+^N*E|dEv7^ z>>BOiEQ#!2-kog5OOSBNVzNH}uow?Ga}gtx59TTM zY^y`q^P~TII@SK5XbFS>hjL*V-F{L+m!t_Es_MZeq+5ya=B6BHY$J#OC^^oUMa_WB}8djU*@2kql7RJ z|9u1%SDEO=F3wEa;56%3d&3Wik_wqx*9mof+G`*a#AkrXJM3uROxk{xMeEs+_2eWM(Nig)~{{{%f^q7bQL%Yt$QOm z0_jU14Smc}EChV+bvoT%re5)YQ>YLRw4p}sf>}f*Mf4#n;OgZbA{G}9?@1M!XMnhG z5!io?OzAGcE$L4=ZO41m1(DGgOM@9L=h^|=K=T(3P^Wz;XN<;oLO$)8zicIXS~7u^ zLsEbq?E$87QubWeamjT74krhbdAN{-Ic#Bd`FN$FLCHnrgc=zXUFF3)eFk`tjuDDG zJ)3ZF&NYfH@mtWf>Rb;Wk}cge1aOWej81*=O@MB$!BdXU#U{L&iah%Amc1D$8l^2I zWgdcYo1GH1w-Ofu{(dem5ImH8d@qL|>xRu6;Hhu_Mk!hxDzwaC+_pK`KX<<#u%Pe% 
zQ8qlx56swIBJZ+%(d=(%RQxFKENR+TTm>@$B&38n$Kuk=vwTUyg1=`nsKjL()G)NJ zQWUjDfSIs6N$6vnT`@-ZTbRp(0U(51p<%j=jund=h_Tqx-hL&@-lg|X*{$RU5L47&mCHc%0Z>K6&^l^j%}R{!J3Q-{4~!=QLnOKwBqY7KdUdQ8Oh859fl{aEmVT`DFz zEWos0wg3jLRnS%JI-{?I5DU(ZZ*u0hi-Sv0eQuR0eOgftwm2flKGFN!=~OFTDD2>B zc`B!B1%9l&pI=PT=$@Nnc~s&)YSs8zmc-GfvC|3f9#q;N5Ib0i{aPGC#Daf^Y|Em_ z@ttD>e0dXi$x;GnAuIS8OBMXD{7iW!uuZC$uJl{o-4u?c_a9QZ2E@AlwYENl{yEZM zLR2qLpypw+Md&pa3 z_2zeBSZtQ#yO)TByaEd+B}hF4C^o>h1u4HF#m$!KU?hH1H0bl(PmEgY_05KV+&t)_ zZPqI5fFSD!GB_X&oylg{cTVsr{{i449Rk7*n9px(N3J{C#W4|Q(4$OjYUuQ3eTK2q z2*O*hhF2aVPQU^fbE|0Fde&5f=c4%{!oE-^V(oH?UtVZBQRR_j?{y87LN1T4*$WgL7+)#n(UF` zVXx0X(^DxEQ~@biON3l5R8!tW<1`?3N{nz}%|^gz62o{XiW0N^4`aR6YE!AC4J};@ z=35}j>(0F|IUyfgeRfn7Rw~$C#ohh>qxk=^^_D?xFzxlN@Yr$%LpQ%Gl74QZnUShs{qK*@!whsTPG{J_Zh1i+;^7LxIAXv3^ zg9_6}0+@x-TgWiDy*Lzp5f|k^)l^a2Yfb#t;Ekb>U42dGfB01ons9DSbBajdM&hCZ zhOs&oceE8#knHQzG*<*4)!ZP%plyBL_4y=_#b#6%66!yi9N4CUbE*Sx zfy}8(X$R8}hJR9c2*tibV z>{auo5jXU>0z_oE!#B!6kc?oW9`L?uREC?G_@eIp_1E`33yseGS$_MsH6R#%Ve7h1+jA4Wjb zyX*ASc_(H?A`Q-<4w^`pXDfL@v|PxNj)?38mp}P$rOWFM>NHln>w7a$djr80kqHEs ziXXF3i0T+$@zZpUq@jro437*Uf$cp%RF?!VJMtO>Aynf9_;a3YiSo(C(Sx%qz6161 zmctJK-1fCA&)J~3n~OgU930t`_ZOV%XJ4H4x&ut`1HK0U(s-ixlzL};Gp!UO-ItAo zW~b%H6ohF674qwkO1U7v%@J(TXC_m>!p6`P`8C?n!p<2o`olHRP%$d#zih(5 zM2n3Uf`}`WAfhLIScVG}Z4|DjUDDJ0lV?^&KfjRW$=w_C+IafmC}o@%u)Qnqc@xYRs=!>riRfbFg)!)O$z2Cso55%rsc?O{?S6=sw_0B1}dOV~(`*=k- zlNe5`upa5j$s@O1kM7w|7Q{ntx*pW<*hn+F(^qD0<$#Fs-ibF;Wj&gZMbmc>Em?CNUK?nG)7ynZA-9s`Q3_-yudcTE2{g6LZv{)E( z;J=$;0g?C=Mtx)a2lOpe!4)CQ+PKjyLBBj~H~bNbOfK6f*T}TOmhz0oh_16t9lr6Z z{inT=BmkRsjaxa-Ml{Z*gTe_>VzXY}b0)7Oq(^1>22EnAl61%-fMEttKc zKa=52Sv)WX4zl|y8P?ToFE^@z6F@hh1)eymG@PgvIRa+QkmOQ!4(ec=L{AdTo>>9ew7{_FF(i{ljSV7J zv*5^`Kg_c^@o=2eKV2J-jij2hE~g5Aw=v(6;D1#-?232nqtL7Hn!_mG5_ z6W#gz6lJj+CT8ZmhgGT2QMihtWb)DM!uR-Jd+lsZ_g}@;2WH%A$lBQ9p?!bbQd%lO z*A6!`u1n!4LWXu4f-@FvWK06#i0h|9(_o5hEvsGkzbM1~_zk{26U@bdB% zX@GTDbd^bW5T4wdNizwNMWxE4#IkW)=Ra~Ogs)gX>Rgx1v;IkLEjPOOQ0&{UC-IQ- 
zMhhJFs>Chs<~9uDOoYG`=LC^+B?)qW08xCQ60}jAHYwGA$hG%tqx7u0pI0Vh+7JNP z0d$fHosTdi5h8R^CsN5vg~%pWG>MrE+eT00GM}knrqP5QYsG4!s_~!V8EVHqil%-- zY;7)>#yXFGej$`JF|su7H7gk2-VH1 zKo|Tdr)e@*KJ%R^l?{#`Zz66Ao!0|SgG)MV-jTWDm>?j&_*G6V6q^eeAC3YJpb?4$ zNc8hW6&gM#clee=TDp$(j-=djAZg4v?3040!pH~+)8E3Cyb?cDb2tY@PL#^?EGXYQ z5J~sT!dp*wJH;KjX&QH6sDdU@U%)Z?>460|VWzTPg)~n?arEAIrm_!=apHh(=TE~3 zgAceb1n#C73|%PLQOXJLtPHd(<)V4GZ1sFu09PQ6!Zhkt?H_J@=~=tYaPbh2huX+K zqArQ-g_&X3zKMdoof`$p758}nN2G5_U1Frk3MSBn70={a!0^2a-P?%&*BZJ#|&>#*`PqL5+YIt90964w1y1*CikYcfdc4DA z(=|LZXh|*-u)C}A9d{!rj2%hd-HlF*92yz$x~-yV+iJ!L*Z3tSW(&a_NpnuJ{~A8m zK|ea3LljeCeEpgCDsGN}CXdiqE!6F6g$azKKH>luKs~+nImcmj3~hTkkXj)1^+EN9 zC$W5x7Y`+(dk8XY0@oJaj$cH2nDx%kgkrTErwKF%in>AMznh1^rwGf-S}!oP;^Ca? zQ$TGPr|cowv+(;U!l)n3jfd817iW`RK`;(Wo?DHN0&FL?9D^fR=mia~S14|dr8JV= zE$~dJa`I_Ndlaoy{PtRy7k0LPD|CAR3o`b$Ni^QR?V`X94E+fAXTMa}{ce2pe+ntF z|G{X|BuDzI6uy_crO!<4wQ6t_RLQ4>jY-1qdiToEj zjncDdMN!1+V^4dgZKo^rb8CLEe}rBZM`1Nh!E?qeY$-GF6{JjMa|c z_d4EUAPRF}7;707X#QyN$5ikIf@ry3TO+6`sU){Lrxn4ZolV()$H^3Zj#aI(v61Nm zjixbBzlNI%(5M)hnZq>!pE4FU90Rk=;{$Oh#2uE$r{)L7%i_B*qTJ3&z=~v08%F{rqiZ-T@w zOM#QJOk>&M;pkVPry!b-9{ay+9&?^cr(31|6f-c22v`e}Z`!TN?~i;A=)lCG1N=e) zoWOa5@a54})82f`2_JD+15*#sHr8TKE$jDq2RQkxAfW>Ur^zQ!G=?a$LHXG1-uN27 zI{ieP+T5bk6KS%G3?#-w7IM{Y@{G7|?q9~DF2d;@h1*4MC4!6EXvKBuU972T0+EUE z2EqVM1d?SQ+~{>alzsUmuTNH!h996XUqwqq`#X7AM+=GjwR&v@jv~-GD*bCKymb^! 
zB`YoGrBA@~boryq0H$tgZh>PTspi_kx?S64#+P=^T@GrKQBo#O1iI!PWo3{!MZ2F0 za}s=emPB24b5p^gDARD9;@2Q7;%gJ)?ssW{T>P+1DC;DbA6K?O7a-Xwb55NcR0WV*M~f2mF67WxHVD0ouY!E^?l7e8Bc%u z4+;}FZD=qp5DhI)eop~j(J|Dzsj;<(x9FE~yKKvCjqo9=Zk#pV6=iEpwP?fqc>pBM z6RwyMv@KQ{{GGkyy>+B>E@i3;M*od8=QHUR!6Q|MmZ&gM0;t0e$~+xZ>!pH-H!EsJ zlmww-uimY~z1~&iV~hWe=1(DiIRm&oiYg|Q{amE-{(2~*)L<#^~jzwI1yn zo2VIjOxt?@S7Q0|&ORf|;&nE)zx)Z_T6UUqj$MQ!9Px;S*r4^s2b}6AMz7v|5=j}m zJN1ZNYuT^KC5hUZc3=CJ7d+vO3^1Y%{fM)XBHwhX)Og#7u|2Z0f$q-*+3+q$^7#*8 z1IV?~Jo7zr?QgRTj3lw}hID=Bg|p@oHB#)%*J*h4w=+n+eYPDGr@2y46lZlf_-}zMH z<#a@LjjgK;$ZEyaAFYKHkl{sbP|quf%P+%n=9F++r7H%s3*~T?+eA zuZ%DD5_mNU>#{(RD)1lI_E25?k%fEAA)q>IiqoI9&@3v4`8i{yHu_ngNOj1Z3n`~H z2*+Gw;=2gj%CtoVU2b!W3h`BiJXFuxXJqf+cnj9ShZw(*( znQ?jt_D{=x?0fv8rK&_txcym|chg#z4rrf=?Hx^@4BEXsnAA0H%~(}=sjEnBJPkES z(YZejBb&*;_3;mVgllVtfwhhQCa52<|ED|`j1ILt7a8j~2zI)9)P4S5QPrrQS+u9d z?kW2v)JR@7D?`xjVGt+6;mzK4c`i+gI2Hg^;fpU&r-0kfm6kf}^fs*~SD18Fb!P1T zAgw$WzfC&s8&T*OFPuwLCX5}tKQ9qQ$iVjZb5;nch+3TZhSV8S;_k=bj*0Uq`O^<~ zgL$Ou@LGEQaFxusl5QCgR6Jb}Jf%5irN!|KModB78d9&Xs^wdP^W=zY;w=e?sH)Vf zm!w(PCY2Z}1K%)a5>d`Bj`H zJ7E$W=(wN36K~*N?(jh(Eg=kvb``VE*^M=PS=XlarkQ(M2(f1-5Qyh?^6ki!1L{%k zF0)69u)%4VU+|dD0)Lcywbq{f!c$u13jglK*v>Sg zSCSBB^Hs_>lEq;QIGv-f?0KazEeuX>Uc(HVs9*|Hl$JtX<8Sd;X}>njFc^Bu6d4&S zQfZl>cA;4{{M&6iO8PS{<-g-&aH&KM>~Z7FXc+5PK#IK3 z+~Hj?i%ZqgJQ<%N(Mk(Gz(`WMj8oY)hsyLzDFnjL9%D|0yUPp=XnBFnSb^iuS2}#X z;gVVHM*2la4bk`R-M=Lt;zHqE#z_{8v}RRG4OrRwv;Gt zErK({@V4YvY?B{y`V>#n%wm-1Z&yJ`C_=kF?-Q<;R2b0uZG5#y3R726 zfR1#Ux{w3nSn)d+LJW8Kh}A>C8;=T)y?@t(#f6p{nwr0%uUIK=D}_DWiN&1PwD|ul zV3JQwJKbp0t&PCTr{&I4Rif7mC;+h7pG)n>*fGnG;`KbqxZT$!GbUf>Jn_)Pkn?AR zv>%a}2i~i0H?;Z0muJ_6QRg~^guzr@>vD{ViCPTp9v;qFCCy&ZSR9bw9Pxzw0MuzF zN_1}GtiMY&@(6$XwS9&Cv~M+u&^PXo(ix)>RA{Vi(tA1IhoX(xC*~QrzU@wtsl;+) z`_)k@@b7UVI#{VHGwI@j)=}cVZpLLs4aM@LSJUH>^cWtN*tL{s8jG4U%R(+$t=7uD z36=L{!C58z>{9r3Hq4y5M6rFXdxd9D+NgT^woqU!Bka#-tr|RbQe)&m%J41Z#m;!P zN!T=pulsp7mnm_N=Ip|_F4F1OiY7;SBkI*QAv5}wFdCy-Tm+T<&k|>O(ZDbdhh8z6 
z?k7h9LFO~GaSTb8;um8=iis*E?QQfEaE4NnvYmPxk`lj`p98Xe4K!|s$XWRfFRP)z4fi>Fj=|YH9 ztqdGw3Ud4WKc44r&o9|@UQ5Weq?VkOup+qe|H!Ov*BK%RHB*BN363oKMMMND;z4os zLrd$ic3f1^;WmmV;d$P=AuLfA2v)?e zBZ_=3v`CNSUzG@f6u2C&Iri=jHJkG&X+!?m8TyS<8@>%It5hH&tZ~sR-L61E1}MDJ zqP}xf*``}JV5ISe`*3hnBrL({JfE zP~rI_eo4iV=&JM)QLYtNChT4hh}k&?Ctpf6@WStDL+M+zt|KLOp)w{HKck)q<*@G@ z*7L=eqlbDGFn^PRCO`@&UpnXhDE(nY&UR-a0cSBrPpLBFL|(%tqsmNnl@N7o@ECqN z7DSqK4Ix(fz&vN(5U5;vSdrv5eTT!(w%7Lw;@CLsvc0MkvzGoPIASGE-y96_beIDQ z9pLbx5$x%|HmjOZ`}mkxTufGk&Q;j8*pm;=5M=GgVvp?4?$-bC1@7T*?5h@Ahj$tV z<@nMc)UBdZaldaH0L>{Ch|9wEEL?|G%}idq2SrqBh>dksKTB{uAs0@xTK-Vd<`Ryc zT0MDuLffObr_0Ai@;8N}tx%}W@^#n$&sqBP-#mdV{5pzKPr*I_Z7n{Y4j@)nLC*;ld_ zRRzIuoOUf>HOXM)`HQm8=4lmppJFIxi@w^?PiihIMyx`w!r#FqcZh-NL7f)`3Hrd$ zu<#xBiYU~%QoSgrU1FL|1VcvuizR4We~AdDr$I?O8fY@pSksV~kaDJV_C0-IO3sIq z^cN8bLW2pL{W(2@X6WY71-(y}y%p1~t~$;>!kyR8M6^al5!|qrM6_Kr zo0)4RhJ*K`PF|vA(*C7z-uyzdqoOQSE6`kz|B?0PNRDc{IjVld&KRyso%|4@6T~z@ zANDt51VVpf%8;)#yIK{1c5*Hbrdz@P?k)L&YP7UJhlb?natWm6WEi)%w!D))JCPjf zQnndfs`}00dT-I_2)e)`jdq|&W)wdCni5>|s<{l;z>K2+AL9L65GLkhYs`#XV9RrV za1l;8Fv(Nwf2U(zPYxJw(M|A&Z@U8DHHq3 zH>OFoJIt{_ZzJQ<Z>m*oEX-2{oLfaDe57owa zHZ>&HmU)nQ*J5+8lwOzse|)7)=0TpZx(eeg1ji)-{?PPVgh_k80)7>i2od7A7__Fb zu(Jm~$jS$JmN+8}(K!VMJ`|~N{ctr)52gNVMF_$I6qG&)+@w52qV?JYRUZqv4mjwt zCV~F65rM`&{yJ)QA{yujz_LWJR%H^X$HpH{mRHv3tM+F5`k;pl$NClc;pQ7;V(o+D zHab^%dYk?*ZrQ*Urj0~sTbBMHJh1hY*RjUsjpO`?epo`O|jiW?b7 z+xGEW-z;7{T$LPwA;eM=N}Yey2q5q*7>qVY35b!BNpjTLqlNMh-PDZGA_@W}#7IHO zOPgG37RddqNjUc}f}C#p^BEZ zYiZMcb#siX|GXO!kWg|=xAQbVw!&dZG#XHW?9Ef}1~wJ-b7W|oxpgo%fXr1~=v0rq z7RN<-q1iU1<>D0k(YcweaOy)cnsY7uukT6G!N8bjdYKd57f#7pPW+DRcI+V2KX%?H z%uGx=KV1X>k#Jq9ukm&J2l4+i0j2JLWPwfOfSVXy94WVb_;bzD+dh8*eVV0gebcf3 z5SKsVw)713KQ4Ce=3y#5Yxuj={tOUhZZrYMvH&`HfFI!^g@=4}$JVHixYSAt4GTNF zI}`q;d7KwINE30EO}DI7XQT)Q{{E0K!d)Sexf}2sgFHGj&qNYQa#G9N{|xbc{2q?L2E7af_-hbJ%a5=e#a%1j1eIZbYWJ zYwU;SOrVyaAm@NB6h)Kow$-9^i-$oOIDGn~^JM|RZg4jtp|LyKR|GqYTKXU#(40v= z3H!O@C;G1tCq5}~Cn+eBh{dku;MRb9IgVpWv*+6PnrQVN_WbVom*RABNv3b6(3qf& 
zim^oYTRo3B`{$jY(7xTkzRBG`_W(*8u#1L|$0CO~)#m{HjhdL_cAs>X@Cztm^I$MW zWEU*ov4;BN*L8z;HFd)^oWlaIBn^^Ho#QOT^cv}o>8F*-a_yZBh2wEZkNA)G$?Ne{ zBYyz#cjx3pp`m5mBS#E`Do&lF5lY7ppPj5%Z;Mv2!8a9qkGqLY94^Ck$Kka~+3?pQ zeJSt?lX+=w{YP?MHM2O0rY}L{@t~Pyir^Fey|^4wDM#{yj1c45%|xggtnC!YVF`4D*g6(`74Eymex$k)6sFbs6+0_2}Oq3M1Vc* z_^MKC(LSB=;Y)+j;Yv3KQor?C1kHx7Y!r@$PdDWnxz$ElK?5A9TAzML2ztCROl#}$ zPR2iv=g?Q(|3jFd{8F(!pfdw_#yIt2d))fa7GcRop*KOLq$7?(aJnmc6NsLS=xr-k z^L8G~_xGs+zkFyiOe%bzHn;<;xf5~uJLd$)6n2qV_+8~!_gh27Ap%G*>ya|n^?sFy zETcAex*Xu3hSt5$Cnf!UuVU6Sj5g%AVDlVPYi5@6;kXX&id{l9Yc8UG6$~x3auPXJ zcL&)@GNtTQOZEiTp`Yy}`v9;9HGNxzg>}6;Tj?W*ks9kFBUb4^!3i_7eus;8)AeC5k~GA#@YpbpqR9RO zUafjDtBZ>+2Ih(_)3URyk~Y%leBor2>BQXu@i*Q!s%gDDuBFFJHCt|h6@h4sG)9utqD3A~du9n$OCsX( zEfEgLmr-p76EI!`I8-8jAv7heJh-dWj=HRbLUM%!FOcb3(A#>P zM^%v+ofLQ~7B5Npn+#=Su2aCw`wMaMholS-L9axalB50kx0RZ(EFR`P>RZtJRjup zq)3OnbA3Jck#TnkT4NWa#dRYo9;<&MXtei6?4&;@cHv!MFKSDD*|9!(aSVr{ z7l{expm{7|V&GWKtylD8bNy#zGsR$^vF&PetRB6a{!(hXdX6yrYPFM{-91icV?ja@ zmG8~E9>U1-&JM3N)L-Hs%byDI13m4+!a@Sftgk^0jkDpr#!DC-QvU9=P3X?oozc5r z&;LqAc<-ljMCM1;=UC%ev^Vo>-7%$)_;X&YyE^D#sz$|DwPfIF3KDhDqkGjdIO0)$ z{5Q+*a~?r;UKK+4Co_(6({4$mNn|=PJ+1@S4&Ub1LnhoRW$pG2lnp0E_dcXQ+5Xn& zct&oi0MxXXzcRm~Nj^x*nO^tel1%a)pSKRsnK%-^7IiAC_KFn~#Ml>be{X3Y50n>r~DVIT;B#z&yRteJxX?#22Fmm*V z*aAK19Kx-=V`g+&hU~G-y^GE87#e47h$N}RQ!RWaP(j?^US6&Yg7}4`j79t=3<5-a=P_CM{fe&c=r3hdm$_hs^cA=5y;RiXpw|Mt_bm74hFj`{~sqmglg zwfR`sQ*Bw&G^~K|Y<_sA7*nuwtgyDu@@_1F?X!ae<^63dyZ3s8-^_?PE+-KeIzib#CU-XT9Xs-Jfd5({v?LXL?oSgz7fAP(m+40N;HGo7_)i-uj!-|W^aj4l&@dj2OGdo;WRr;r zm)*UTASkXF!F#CF`Blqp$G*iv*B4xD;oW|sGt+BC(>G}H0JXX;tr!!U^KK8~zGJ(i zcrxX^6ptIO&7U&Nscj#wt7o`E&&N!iqjya0K}Se)G)uPN;Y?AfyFd9hnW$osLY$<7 zAO!-I*gDw`BuxAkGH@9P#&LUHQcTn1d6D4<59vS|8zx+;N>O$@#*c}6%ioUQl9v0W zbeSugSI(>`dKlDL#sma=;ZDSS#-_@gU`CGy1pIS7H~%d!bUJ(=!-mtLkfmRzcayT^ ze#ql62a__^Qim`PS)QzO9_+8cpRwoiVARfaY9^Na3^Q3 zaKG96otT-o8a2hGCaX_+l`mPw9A@&1d&0PDZZg)s>7{m-0&R5x_2E183T~g0)H|v; zX=db!OJCO#NSf(1`D7&qv=4oMXTr`ulgwR^G>?WDe>+bD@XY 
zA^q%qRl0SO$QMxs3`$6tBzG|>FK|OX|CtD&{EPDXdZ$_XB-4Tb-Z`H49!QyC7b=wL zGkyj-ma+iEGk(t2KemY)xr1y45Et{z*Qf(^G!;22)1R7RQnKKvdD+e%pHDt+FRsp3 z_4cSpJ7tw*Y=tpLbEzY9hCmn0xrh-jKLMGhc}8q+?P83QntQ0n>5cQZG0jVcrzsV~ z_G>CD?UXWXylU%eWT}$){TAxXR3{RFP;Hy)m=78WP^-J=K+nxZuBQC-?UX_}A{JhV zW<8pBy!BuZl|O>SshRZFtA&>{?~d7clT*l!tT+oN)rDqhcm<&GlfIG1J)TnkWeVhH zW638RZ7#$Cj;*C-j@Z1$JTaS{-(TWbRRZ=qU+rB?R8Q6RNnGD(*>kP8c=-ZMEpv)d zW#0;R(nAe4zb=-LVHCirrbyRmX<9hSC+7vZHQ6slMwkgttlO9z>j<*^=a{Nc`~dHe zhB;RWT&QDFC5?e7`mlJW$7x308&!f}{p*GtveBNoXY8Ki$;!(f<45Bt4SWkurRDG7 zOL8f^eVlLf%O2G}`_`s@r;C)2n0x(MC-O1<-IoS;Cxc#{&bRQ%$!O{@s?6&B83&$_ zSkP9-dS~n3fjHv#4L_ASB*E0Oi3b>r<>5ELhf%$EMuj7_h#+<_ZU-`X2Bm62p+ninMwGOzsK1~e zYXGD1?1MVOeG4dB3GP6F8mDFU)cJpc4HL%TQJM{X)D1m)$Yc?e@yP!ETE0{2Zz;hj zIU7nEGTv+5G_8#Xw%ITJ`>z0*OYnjFeHMYMm=vgVPu@Yg({`JH#;hZYGqIyI6!qxm znBn~ny%;t`jQZtV5-g-$1YcZXn^*t#WtScFE*~7{&cwpu+JwIe3dG|dE648TFo7Sj zJ+*^ukP2DeruGDEwb)9=*3>d6ZAu->{%pw|7QUVzEwx9KS;y`ctsH(yRNZ$IJO z4%nfYIm#$DJ@@z?Pu9|Bd!924yV;y?Jr$qdx4?SLUYqxm7^R=;91&IwUNHTiryqd+ zc~90VX86}~WFxnwKIelF#(Fm;c_V`kvncV-r29JPrLWM8^j{J>6-@)Q(K{)m&=hr! 
zz)=zLb9%T@8&%|{|Gdcf#X8j}yWe7u!i_r(Zm6L$5s~~+=&vpKRDlUcd514qB_r%H z*)#?y2$$d6K699Aq|zI+>4syRP$5>om0Zc5owVz)SM6*)`j_-;_uqmaRi>m5BP1BqD?Xw1#bBtP;G6uORr7 zL#nsCj=?IR^MA}Vgi1h;;*C4CC}vtwnaD{5&b2U{v6>R${ChZDH7s)S+0h@;?XxKF6qN=TkzA5aCW5>9|ehkH$JD#UGziOY<_R z=Mqz6zd0XQmEiVWfW8ee;8IVWr}LGuipnxq9PMSjw-xJo{Yv3{ z({KJ+FgNy^T6f{@yFibtmkz8?L{F8lgATyI!(_{geBDeIh2bC-z7*>J3*&lWT6`NV zkJfXNY5$Mi+2XAfTTq#QeGt4nAgZ4-oS=kmt;2d0a?{a9gtUOGM6_ktao4Eav5T z^DNnsl$3;iM-YDF;GLKHcUyc*g13^R=x0n|w)8SGTJ$`&&G(GNGLgx(Dm)jVkSA3) zKa3l_Dz>3_C`)$mgZ_>G^u!AEbc|K^Qwzj()+K+IS zrhZNLR|DM}=s>u4Y{k5Ah_kWE0`)Z_n%7Yw0nw{S=rRI6)^^FyDvXD87-o2_T@j8} z)wl+7r}&XxilL^KX)SVySILXC@3mvExk{%AFMTv_m0v7kd{z9{fC<^zYFM5!HqdIW zC@)CNJF95Q#46OPlXbaQdrnhxE2N1qVvb8i%aNbF_mUF+m?9VhX{zK(Ap)Irfda}R zpXc~je?`#DeY*j97>3$8UKXE;^`~gvBPZP4a%pBSw25$pEFsdSVZQrCMsUo~0UcPS z#b1q=1q=E&`;LBxh}M6#6fw2j>0Q3!&R_8|+S;OD>H6$P!(;RLi?JV8NJWMqf4FcO zIdp@3sOOS!=h@!(HQPDpRg0*O0e*?k2|W@m<|gR%$fe-wpeNvoZq@mB{R~;oLKnmM zq5GWoOMP!GRx__O4;q9G5ibT!N0qxN;7TkHa?k`Et%N*;bEHrfVT%XldZw?5(1;4c zwLqlLh%zCKmvURG!ri=VmnQrmE9tFcyNe=gp7ruY`2F+rird8L)~EXZ*49?R@`%^< zeYhZgGJfaa8-{CFdCbb$zZh6p>p*U6V3TO&d1pc%A_!!inx4+AeR9|T<3|wS5%|%! 
z?V*16Dq8bO{$To*$N3(s5r+hN7d5f}SOBD-*x9K!si;OsR5vs<{DMNyf~?C_n49SM zsJCz^2W%+^9)9Nt9l;K?kK@=Y2y#!OV`3ijMbVSQxM2VRTgutGg``rUm@P_OaBtk< zxtn>|!y`Jg^!e;HM_8$Ipa){=-C2ZilgY(S`EJ?0_n#<586*# zXjtHIjPY<*M;qc_@Ky-L4mvC*e(x{wI@$4vve@#|3JUsK-g2TOz-;FJ%@wW{);{sP zU!N)A7H0e_sbF3Me(J5WM*=N;7f<=iM1{SdBl3AKrI5^;HEmnvF9Fq-5`GE6#ovvHggd`1%382ZU^h6KWiztm&^V^Xy`I(C*Z1LBMojN z;8~ZVs6t~!MQ1Q}7$ZSZay4QK5lzqZXIr488UF1vA6tCZbNjQ?s}$7#!PF|rEGnm1 zZ9u$^K}meH*;YqkIBa#@r}Ec}lFWUk?)YT{tb68{VZm>yk3vd%wN{yEDF#NcVsMj6 zaR2R)g{aqeGgo$_e~j{%W)v=8(~PfujNixdj{M`s&QFSvD&{CNQlXFtZmyjOm`VLj zzGv%Q40gZ-1yr_om0bPK{JbuSjPb!s!|v1?@ZI}q7f1ZcQQgmPe=wOp8$yugfS*ex zCK0r;-P|nPje49~=e+*Ddy-ik+nx@}!$qY#HWVFKzo{Q>U{wiy(#CdVmCrMSj@6?I zhaQ|!S5G8e-|CA`bC_%Xtm_)R4sAMAjzTA#JtYBIz8F{~4E-40*6n&aRMgwx^ADQg zg}n}+jYW97@7z1vDm_p2!nYu;WwsEFzDUG{PaE=v)BiL9$Cn{{A5P=fxfW8ced4DJ z5g*VZXA9XSMjv5*9d3QWMXF~)jTIJyi@-QWF}ix)%Eouz33?ZM$GkTw=Cb-SZsGql z3@v8Ol)X}-o<0Oz>$?9RO=lGqR~KaA#)1Xth5!MAy9Rfs@!;+d+}&M+yAvc>aCevB z?(Pt@k>Ec4&#Zavhx^d$-a2)5eY2qlmAuv5*h~{=_5lSqzME$fu->>R{mbMSSkk)sb8fjjuVgY(ZxKfjs!$VHCZ~Z z3E20Po*?$a-@J;4IzXaqVHPwSm+nWcqucZaU{k4GYh1#LA^ROnmv71gIRB^h3)dbi zD8kT9>m|QNm-mVfbb*qM{;_@#Y#M}u{^YIktBQzU-UuiSDr5FJPTCKDJECqH_Db7B#nZm1J!e!a5+^ueFW=B-1H5V z6khU{4*}|nl=-DCWEub?V)_u*tEkHVqmHE`q^d)6x> zqR^4pSXsiKG_Wb7ax?IJawZ_OV-=w(BQ5Qo5~O$6M?JQaWusDY5c1)@dU@r5pOA=n z?8z>r*R8;Y?@2*o-I8&qk&hmiwp*_oTmR99GC7$rcX|Jv3lTzDeE0GcWj~oBam4foAU#cuEEz5 zk$?|7ndsEIu(@ZAOB&Ca1-6r%<6`B9`c&zizqyi-nwm-oaN`k<=HgJm8rnwCuF=?) 
zmrtZ8&&(m`oe8hHsEG6w(;9n`41c7(8VoKkW_uoI&Mb<}_?B4p{jYA!Y1SYZRUkWxK$Ami%V%y8=jv9I6yDh zmyxz{5JY)W&12O~>EdDp+^4m7hMi+1ylOXHjr3K*8ftl(kwzushYgtKPT8TubL+U` z;<3)Qz?6^WNC-ps0pysKFLhK79B9HziK)_^VvRD@*KO(@Wcnf~wfSVEL?_VcEM-N6 zYy8A}nJlM)OWJy`gLJa#^2-wi9W<~6Y-H67YOS>yKYnL;wNb`%iw)X1a^ba3;~5B^IB{S; zC@qb5Xi6wDUFb0QNb+2sxrnfs9EP(l@5bKvu+0akqgB3PW&A2#CnN&y3@~XCzABi4 zpfMVbVGwI*R(wc}f&GIk=$=r@iFB_fUFRPSuMsTnTv{$;b?oHI-7NMnY3$7kQ&S1= z0d9-hIQjO$LldRp{!zn<70Y{C?e?7yh z*(8tn>785*Bx;~!K7{Q5vL^iJsj_{01S747#eT#wW@S40+~KLqZ5CZ{DBBx7sL(6w_I(IVmIV6qAt=qQAu=Lt<2mlj{g;3HoYYxjED58eBVeA)7y=Uh~#H(7vb0;TZ;3j5}gy2H)rj4+O$AK`1Zp_z+<@tn5g z!5GjW#;EWLy2*E|`H{`%#g5l4``6af$(wt$0dr`JA*gAjlA;>VnN1rJHsjD!GS^2@ zMVZfqUO2_9ha4_V$OkLcg+m3NqO6WK2bD^Caxe-CZZ@Re3cd2?oNbMOxOrgTCy_k( ziK_gg8JOtx(_JJ_ghgu=Cm7g$a>D75abfR*r$SCDNtzbw7oz`67-6XgLV0a*peCmUx7`g{ksG9YLl-Wmb+ z?M$(9<8_Ghq}pM{4=Vr%J4N2C3PU|@4~~p62Z&*DF0%**D)#u#X2;>#!J$%&}i zVVLx)W~;E1IT5dX*Jw_;OU3CAIB$_$nGCh zd~PyGepz<>V!IkX4#PH&uq$q@j@+;!Wxl6mO&Mfmgn zDI|m|bu(Nb-S4uDQ2&aLKP=XF>*~jQaTfGcGcMEN(>!S@s9>gJx)|)Gez4;VU;_kH zgED6IOsv*>ev~;RuE0nM8ko&wm<^#jbNEOFJ(VPTG>TO z&IuWr!~{*PqEm#5c%*)es-H&C+cbsed?l=-rpW4zki{6O*EGB5K5FGhf2*Ifg)sa+{jJljuf$WkX+nCx(#&6yt~4m(;k?~~pcY*Qm3OY5 zWPhiQmmyvylA!zUt6d7iaxHW>&qp%bx!l>K2d+t>hjeP*IFI*;rChiP005tTEi_W$U3f8Mruj8iwcmjQZq6R z8y{!x%Hs!5p{2n}f>}UC2aC79T-AmuM?2kT>YvUb0=)FgP`hbcnGS0||3iZ$^-D1NP9Mg&L`KMvFcqi|B-nl5+Y&Yx-OrH+vJZ}@mTtGRnwU7$_6u_Jt;OA#F58YnURkZcmZ(qIgile~=p9!_|)6{p4%Y4M+CpzukdMK^; zt?)O^3^lJta^XRNC+iwd$GBj8yUg6ewK0#0iw9+_w=_;^bXE3gQTMBY8&E^E@Oji> zdih1U#YjS)Sy5MB`C!$Sr6Cux9As>+NI=3USEyxzh8U3IQq6Gi{{B|`SV&59+4e7*Y;g=3PbPowJ2)Mg zWD6nRc|HvEYUD_%i9^Q_(L}6BGVcnNggAtWqSRZIc;5teBYG{4=pHKsn()OfgPtvz{ zb!nA;ZmYXf?W?_1rDy$k$VtdvMp@QE6o7+UIKf<4>_EUWLcWFg>4oK~z1Z^^el{46 zZ-dO$g^#$`jP!D(?Iaf32meIO>(EWJ_buW>tVI|PQM9#Nz1grTS34f#Or(Dc*%Z+W ze$#k~4R`Pp{jx4l@wfeWs-i5{!XFlEnAq*&$I#aM2S0jdM%fD2Vd(39#U?UoGxss) zi+e2-=BVRk32x4l1B=b3os>H7jO=Ukxj)%;_$}w4?mn#9;)AhKD)fTfjxX~r(wW@t z9DrnDuxjl-QT^}RRx6-+#aQbnuXGY*+x3SIU!E5`)xtql4B6yy& 
zr28zhChwaXZmfsTqVF?0v0NPr|4_w*Ou6DCGRn-*IH*)M?U&JW7S}K^pvX2hB9MTq z%UrX4f&a0XJEDst;GbLfo+MN_AP?t0pa5REPu3*a=0f}8a}cyB>auMbZrl@e6#R&7 zAjqkt&#wef$^zcL1+0w={=-hQrNyigE4;%5XRMsC5MyAGEop{uPaNKzP=1s!l52>G zmzqKbO8O=;vC-Ef$=2zS!X}4y00dlWNfvbYL1JS)RGDlTiM-pq84|u6A(f(Hyi z76LKzveB5w#m*1yhM|=N6v<97u+|fPpqv@B2?0ZQnIP;3Emhb?jj^O<2+%aZ8%RVL zb+%H{o+y!+!UDgk*P|G)Td7D#eu*rE=8k`@TP~e(!%2gf3V$Kz@E}P?Rx~C~Yy2&` zsD=`WOW8L8LVArVW9JcVoG`>b%_y6QQGE?jypID|QCQMOJ=m9+t7v3cKn@UH1 zVfcdBGlj{SUZ|9-m~VT6f6&9M8z;PW_j|%{hEVJ@Bz=A+DIkCtN3t*E=yff!R49Zu zp-GyHi>~o$Q9955w2aR#fw!t%W)&7yG(W@MH)&r94q;armIordIv(FOddg*|O$;)F z@R$ygY2Id&Iv<0F-a_sU)eQ7s5B3?E-)u>~4_zP{j*g38j&%uX+9m9$1H%<{|L&!U z4qv0sw>=n`f_-W{(0p1H0Cek#6?RfIU zXC}FMXM_z5-^-T#IF3d&Vl{9h{*qYbRsY zA=!uC5aUyG7Ac-}gk1yyOn0qOA2&|vk_aR*1I7Ws^0{0+ACdkrw2VGqJ@LMzgX_nt zE4JVC;$IqVM4!N8H<@)i=^P{pUL?X?iQLL#OeU9laR5o&MbG8N^XHg7oJy^igJe*W ziz4kOpi-m3wdOPzM9oLm;>&UYR8fJr!c=pi>RhbBz zOI(JAe?kOd9n1eR{WNQ+x==8FADt7TazfmI1+*+Mi>8nVALRB zO7eJ2OYC#K7~W{%Ao_6UsU%hHU(pVSRD+(ihz~~VC%XC)b-}~tcOQqR;0@Mh8%_PH)TssNzr0OA z+@EREor08GI_$c|0!N>(E2s06mrSVe7tjZ<=!;uwJ=Vo>@;lMOxbx4LPi8Y#Mc{Pi zr?+hH75Unb9US=OfyMG)t0uU3WVep+G?%5DU~+<;0P80@vd#0k{l}WYmOpeAGG|x` zZUj6>4q1ZJD3h#U9EuJ%1w7wKv8a{oKF#Q;aW+qnx zuO-?$HnGl=iSgwyIWskeqz*c!F+F&Ux2@9a?#03e5#0|rgvMuBTlnkbUcKrx?ZDrL zIY0MY_BL*jyLa9p?7uurRfQu`#ryQFc=8z@ZU#^PQv2v)v-AZYe2guykkE9D=~#Qk`__zOF_v*oLcRe4g% z&BHsd-+ztt`f}iYexXNrB+}f_uK9;SGlrmzXX|ADH^%#et&I}ExWU^h;mfxU)1^(Z zlcV2)T_QnlLa+>5xtyJ07P$A6TwM43q<<92cJYsT;y%4)SkoLn`*c;qj-6!|Mt3Oy z_+c6ZhXJQcN%s)SEUI#+OdEW?OeRGi`%MX~(y*6a6ufk8?-twv?7!_ba z{`Y6RD{mv9hYMn816|PGol)9JUsci!8dwq5tkOnRAt96zi;1QjnG|i44iC!p$IT@p zD1OU)E&s)xx*O>Qr?d_q=~UHrQergQNB>V*#LXv)0#n06YX}EVKf~{CQawgf(OOdP z_O59^U1ijFKntEsIps6z%8=CpqxP~g(2xSAPP~}5q)!?Zxi#>1!zVcMd$WFHqf!7# zzFk4-Dbo>IP}3H20t7=&W1LaC$s0cWlrljNxs{T-Bgcz?E##D>$Jb% zy6dR_!Jh5&S{SD0Up^4N-L0b+n=x}2cF6Ao3FcF2yNyCK;`0g**C)LDb8G(k@Ej*V z+52rl@6ROE-*8ilh6uw394IeqpRREUg79-Fn~@L00(=&6DX4}=ob>gH(uR&GS=rKj 
zG+T_;iplLa9#0NzmMY51RMk?1J}4N&SmKC-!EPusuB1W1;fr+zfpbt&d{l?3*~ZFx z_ULfQ&KIOJ)KEtN13Ig4+-i`f$G{ij&CzdsL2kL)=|4P=Usx}G} zuV+(oPl`!Sh0?%pBr;YqJ5Em8i2h=$qlack9{&|JPjYl)^LGrBu=ue&E3m3Ta#f?k z&+<4${`a+oVTN2v=oO*z=nv3Lm*3i;SSRn@5vKA{;CqVSUQP0bATcl zMcX)-r?vBv;`sr^@YobS-LOn2X*#bKxM~LPq)FPLL*tJA-l*B)Gvf})Y=*R548IwC zxFZD0yxg|vQ~jUx>@NoPeeCR0E>eMZ-Q@!K&>s3a@6VEH=?J^NT)_fT0GRto_=#QY zSNz`*KRTv%)kui%iq!`V1nywhsU@;4Lf;y!D4d&%iD`0Pw4v*Mb_4=F*P#_)3;(|gz~&uel~u{K zmJQf-lXu3hDaQAWhJHdb0WLzoPK1Ew4BK*Qa;718z+;Du3%v<;w<-Hcj5n8^!}#tP zY~E*ho|!`?PF>R<`$rZ#*9Ry)NNSYS6}O9Sm`L0}DhXS4#XtFqPYPG$|7DOQac`CwX*9LzHn>-PfLw|o8TdOSpUf z25wfBn~d!`?ZW}1cB#s>#KSTT&nT|{LcaR$M#>qwO+dA=2mDM1*KFgGty45GRAtpS zTRM#kFJXIL_~$=V80(22UPX<1%XLWXM49QYNNtt=7cNiy?MueidGg?HVDn*r zTjgJdOd+-->NF(l#zcQOMBr)0yep;!9*p6MUI-_8|QudlDC z7TIk-ld%GnY#wCbMPA!No!y6etv&Y(m}wims?ecEK>T4m8bsS*clMsia`Hc zz=9JVimOb)gdhM`2M{bTvgleg0#}eFre2^Df{?(9JkiBI(#!q-cJAf7i@kS4KEN_$l3ZciDXFq@b6ci0NeaVI(!b2sU3Cv#^F5YsX$mJ)qbMees zz{RrjzV_Ew^Fd)hzqik1Uezb|Izt^EW9KnzTo@mIQQ3Pr>sf)h6F=iCbnzUHi$(ka143{+s3T42BChl>uo%QR*#^R5DiD^jL zXA=0j{S?*F(b0k;5Vs4hM=v3@7LA-vFT#MG>h*^{%8?Dd@kFEIVcdg*17okdGtc>9 zwNSh}U1deFGgi{N6mc4!aF20Z?1K=~=Z}r_3`|4UfI4#6FDc*wZFR@te}1oB7q%Dq zTKiNmqlbd-q-pdSVN%iQu_e0ImM%&q|ByGt!$#M^^NPR?rJRF>!w#dHC>!IMWZTT- zG1~U!4ikpnH(C@ai9d+G8KG>^tNV$`PBhPcs~h%_MCLgI3~T(q=PXf}7hN}Bp05C) zH$-kE((lH`#?7i#Zab*(^M}H#(NA0({iGHx+`5eQO_PJuC4$JL~2TAB`6S4bDK-K);ivj@j@k4{{CekDX3w3f% zTcq4<#w+pS?ggHn%Z|@TNsK82xmi1}a9m?dVh#uN0jr7#{&kAgJl5vTh|8zhm+NfV z8L8>LjToJX@kvLQIbD3__C}rg;cRlcM_r4z{z8#-T<100ZzH;a|KwV+bc)k|iN9>B zR?N14DYiEON6saT`i#fpQ!JF2I#|VID8n;T`*y1wJqZJIC*NYGxYFwTeGRhdubIv1 z?)qcMu4|uCe}_CjbN4eKiwnZ%VIw@ac27jl$XH2BqvD!3vF2|pXg)Al z+Kuz&3L>C7eXIC16xOH*Ei3vsB&!hF+`$TXvFc@+2_gu;iySrJ?KSHwj^wLS!fEIdNwVLOZ`Rcr`qcJ9kBs_vlfc411qHO+$pDlB)S!?Q7&VO z1&X>&_AoTkB5lR|^?&B2ClgJ)VUQ$cXNl6ZC||ltKp-aXNR*nyIS=7)YHU#-Ge*6H zZq;<8DB{I9+^?422B9+D*F@!$SkTY299NaxQy{hm+`{VU{1fYlW3i}q8_5+M$vH|B z%|@H6wZEELhUd_y%RYBpd7azyd_1wjH6@S_NiUD5ErD8 
z%OgR4$BOHQWsM(2x^}jNbEBB-{Gr&Mv&lzCN6p-{_JS>~ki4aKw1iP##t!qIL!j~{ zD3P=;e|0vnCOv#~;wQCcNnK4LO@T;qLE@q=A4mD%Lu^O;W~+V6;o(cKa$i4! ztUrrSvoBbKSf}FrLI4N!{kK>4lTOt~?a< zup6be{(At|YX_Z&8HWl0wnx>}Zddi2Z(l=%-4=vzR(Wk-Hv^pVig2P#xzlQaGvB~x zw#+#SLjwa>_aV@)S=z}4Azy_-^jJUBb3Pu{-gV`C77#{HF^g<+M z?4p-XlxXYSRuWA{UtRF+;fg(POct(R>3`#u9dODLa-~b@M3#J9>Ha4mp^ipQ<$A*= zyj=mEja!Z$xdXQ)q}hj|-NZp?Qh|?ndu#5*p^&e!37n2elDGc5vO(v&LPSsENBO(l z7YAgU_eOwSYlA^&0Fr*hAvj%Q{#08_=qo8Ym9BuI`*)As;DLoUEJFGQB&s-GgRiJ8 zkwOJ3SMG42UpH{D&r_e?(ggLC3Unzh-9ND8_frWk^cb5Dtc0UJ3*Q>MO;56C+VIx>#GM#_sl2YsjO`Sdo^FrbOl+%& zbsGos4UD*srH3sXh`c;^^@ln%lz(#+00Apr`>!S7V+9V{)U`M5qP(7-z zPv>a}bxPqw9MF*yG(qI@9QBA#cS>Qor{3*(fuSs;^33wyf=rtEXK*m=hF^~8^|Eki zNcU2zL7?oP1ao-5_+}iFzr_hp;{MOzV>Ww?&1lG=jI69@W33$F(rE#Tl8G;6F9w+T z78>r8%J|QPpgF+J13TEd_4U0)z5NqNwlI0?1AQqXQQ8_UJ-xSzjAhyPuOXLz1_l;* ziT!onpwXx?t&3&jTezfPOL2kvHw-{z2rvtJIH56awsb-dU7hgZ3L%qP%~?M8^YKhl zQsaqC4m2B1g5Vno;(#YVZ2g<^-QC@fzDwnU-AToky`uIUvE`PlQv%+1`xu}4w^^V& zNOtjU`@_S-xtCj=%~de0s?1}fqoWZ6oM=rW2ENnYdUY15mp3*P78cHb<<}T`;eEV* zU;d9bSmZnf00^?>&2JIg1`dWL@|ZB^b=ci4rF2Hn58aTqv|4^tqRas}A7 z!P+5vT(k?hrfw0Qtnt9xnor#706XOk@w9Y3oT#y0!@hKsh>}NFEy~D{VZM+W{xT9@ zeH_v8YNrAGhxRo1X~F}$>e8a(T_~mkIFt=|HjQ5tfmZKZaADes0K4(OKKn&R9%>oT zE2@SDuYO3hNsZ3D3?nyyL75G8MW&4xT2~bklv$G$6rR-mnoq`_f6KQ?sV$fCn594e^ zY3+`FuRUvCgADkY1yRnp5t9fa1HfgC6B%zrB7Ma`1kAd26qX{3FgRFO^e#guMKh&KalQ_h}1Fpdo^&@5b6nn5I` z=c1kS0}OqM`Ck`I9>0+OL6kV4i5$C25KbtOerjXFB@j%75{RR;vYuuMrGCL2BZB%e zUaBMvH_*6-1lN^+fSMSEBDU+|>TH$X9_cDz@$1O3%fIWJkX?@eq_>`Fp)W$ZZGSWG zaVtF)VD-J3Z8MJ%)xP~JnS!~BZ2L1+7D7=UZ`k*Cb9|ARt(Nlocf$2?kxQ14FHlMl zgGK_U;^$MBRu;6U=>AanhC&lzAn0o>0jJ|pz-RFK#mWD>WV^r6YWD2s^L8_!i(U0; zXrHXJdQbitKT^H+2?CfoYxfB%*}96+Aut&{n6%~?hN5h`?LQ(rOyrGXUR$EBGe7Gr zij{ryNZeKU0Xn=3v%QZO<&w~|hrF2K@s>K~k|07} zD=vSdJpdNl`=C^FxXnVtt*lxNW};e!Y1Un=o^--Aljz_!7e@ohz4QEZH6!rw`DRKh z2*>8L`Q_*EriUY@?t0o78GUe)=Le2-Q_$z1(VITf1~rlrM-0)oI_`Y|IoXEm;wk4` z{DW+`rc2ZQ+&L^2);irS2fqD?S+LUU@-)npExu-;8cw9Caz$QTe)KcgzC4M%;(;xm 
zxD$N1_X`QpT#4uUWlC%3nkaNQv|oJ~n=De?mM2SIk03-gM(7)AJ@bzr7b|Y(Q!^u)_8|G})yT)cesXi6EPys_4aeQp-R2&@UrVF!ll-AP1{VM)6 zNqvpevdgOrL;}w@6K-xDyWn@7{x=697#v-Pfzwb|U!0^_x%1#Z!%_SF8Ji2bN&;uD z)_5o$V+1-CaV|`LA=TFS;>epF2FnJ;d5lAV#bp<2h}?f&cMYX-a?jL`+Pa_ zqApx~)zDJD09KV&V~^D{H8s`C;I(00!~!`QhW2%>G;6_-ZJJTE4cdD16Pe*%{m3^$ zB8?^44Ow2+6cayRU)PoQYDXa*1=gz0u@fGZ=Ut|<)TkrW5kialL%h&g40>u(l5;Dt zFS(CCWEq=)z?#k^EiKKR6!eJoxuE}Q=!zk@b(}#*9-R|9Me8ISI7mkUr=g0d_+F^)HK0m}Wz<;rcOfaKF%UGoLT4;a{w_J6C+IUylD<*_^Sj8E`fYuuwBKvf6G% zJQY1#Z9mN_&&7ANv-CW+$!$NKvM*bSV@r9BU?#g zaO;7W*${%n5sg?o>pctTuB4b+w@-B{>l+Lwb_o@HUcTuVWMm$V37S2;eK$h|xqRs1 z{-ybpRxN0QRHmI|vxG+Maf^7b>j#b8bS5K&QlXT|ja2rs6q~Sl*k*<)3k#PL0EjJY zn}Vyi!L}P*k|+2Z)ZpUWzYtPkc>muv*oL1MxCaHY4#Xb77uKL=2VEE%I*fd3rC=vYl&0QiGF*9 zF9R@#RK#06fK^7b@^x$uT`tyf_>t;{xZL=;!rMgVavm;n1{%0rwb@;`1X6z9 z&Vp1EG}KweNe||q6A|T-%xK)$iTQ!H#Q|j>P{2w}>dLL|N#>#0dM}s7=c}jfOB6yY*S; z{)XXmNKXO5QwRP8$QvXh;PD6r7FztYr^hyld^B|$~zW~Lzn90amV&)eqG`fDd_%AFwMLNuIGnO#7c~pgWyTgKb=F?77#&rICK1)gNNq=qLpJ0=nBXO40BE(eVD> zB0L43n*EuA&BT4T34(6#wS(8gkkC+HV!9QpO#U+J>Mj_gf1^tm`?#$;qYsDlTruPS zUiLTY6mDL8d-uN=m>>Q|O%-UeTswcx;&9vlc)rl8-lwHx%s@YB**bST{$1E}|IwF9 zpYP%9NSGvOZE|7)x}gFRPLnU1PA7^4`emtIm`?+G;d(;^(EpS_Op@^3QF}^E#Keh@ zV)4}?`^%d>dF9#|9A5eIYBX~a@cy?8yg+%mf8~)bkrfkO{7Rbt2vyQP`h`S8@73^N zlY!T^c?VqXZ25ltS-C7u*GBEig`9gcV^s{2pwkes1>+@)CfE|*uTWGM7=7izU!jDp z%pq9fzeGS;1f4R+6eau9P-Xr6oF)k6V}F?VoiEpt=a-ZWGkbotSvBeVCoS2# z^7uHG9n|KY0<{bzT*f`R;m%JDMacqfZV-Is z`KHJn;|C)`5A@ziySFW6)$&G&M$@eGOM@0Irm0c0h zg^nwQ6ZTuLOZh^p24odOfVxMTb_>I(w4tw}*uPu1L63Z)0l*%(@k4WJ;9SLeBm{F)QLJUlWMRvD0(Jm-a54j?1FcI!Y;AiA z-tJXbrk{$v_;bR-hmFS!3GRP~F<*aub{`A1#ua$E6SEh@K6zmLYJ=DKuDC-7Zvh6d zsk$3gLdupue+yjF@)UY|!}4u$S%h5cKP58Cpg}{PX#p-o09Tk#X>0_&4=?22a5P#N z2G5FbMOCP-@l45n!GgJT5ZyE+K-?76L@3V~5epAY4g|2lYAlrt!(|H`B9dwT!HggE zInR#`tVl#L{1qk`vS8{j30r$UgoBVm+LangYkjU|T)$#t1A#30lxz;2)R`MhA9mQq z#dx$ld4~*$M;zT5UaC5-2#WWNohhMtn|3sWB-!Y>qkx>DneUNupca>+ag8Q^G6pg) zkvpz(B7Ap$jvj46`PeIQ`thvK>TzzsN 
z5jz|)DO6%rt2H69ypZjA7AZ^1NckQSQi2fz>?Z>+Yl-9i_=f9Wc7x*tIwCO$R=h66 z^aw!&IHaxSd9pIRC1j)y-Y1Vu8qTH&YHh;RjiJFXN4@#Pms9ps&(e7bd;QuOt>q}) zK?Sc?23b_(!u-ARSib$yjd0HmeK9G!&0asgRc;E0Kv|px318R$2Ay)RC%4jJk;NTy z*w#B6CT0N?dKpc?+*G5DllOYrl|Zle`3C+n5b zA%7T@-T^Tz@5_kVPV;T7M1jNd-MpANMkOVuz7a(V#_6z{9N`**ioYEweiu5gAK*X^0TS=0y#|doqqajWpgth19?&Twm(B$k#oL(P~Kb|#~ zYhN#KBxP@%GPjY=>8A>ox}|>Dw%=>O!Ry+wT|GIM4XsE$%uk(to-cR$^`qL;?G4>f zaj!Y3pBK8ld`I+i<|cl?DyMowToPiPzAH#X!cGV4vAL+_DW;m6}Iw^%m?pje*#BSsC zaQ)s64l`m1*t_WZ_uh`r*t`et&sOGu;bx~QB!=0)Qt48QM2o9GaN`!DI<8MuUid%y zRbIOsnr8F5q96yTMY``E!^c;)q7LB`l2B9szRl_PX4B@d9BCu_5)9RLq)yeWzt2wu z?8*a7vLk-`ocEouhH68oB^p!|SFEC<$6dRB4lYUJ3VcKcA04nk&3ut+rLN{b5*1%f zS^Ax{?%)7s<>$u1aLvf@_@Bg&iG`Y$WC6?SDdLdyP)vC6I4^YVN~N^4bSM;K*ChEU z+@}S&2~e;aNmhID*4NkPkWzL1qUTOpQN34*Wc^U0g)u%X*m+>-7q(1B`X_x`9DOI! z2VMHxw6K20^W-XaWd1jE(vh;eGA+D<-_ZnKeizO{d<7}`FwB(|6=&%0>nLoabY#8$XV7(5%W4_Gx<(m1#wK5YfB&M~tkAPgZ_TqenKNP<-iEwGc z(#(nGRyfRzR1<1(^y|VXIU%uXG}-Q6T~4V{DP> zrI@^vVJg_=wrH^6a(v33%Zy+iY{K+MiD73g?mZC?vtAeN@UoFwUVZE5fULy`(f13T>gS^&_SM@Nr(`)_X zDB>fv%aq?sC6n1v+*1|VbtI29UxVEul9S&HTF#4MEfW}z4mNJ2+gX4w7*0aTKs{`Q z8y^Owx7r-g{sV1V<3(&>wozw$VQNlv@xnQADuRQ0`PX3VnsLqU|6yw>l=KqYBFw;A z-oqjMBGwLNL4Q~Dk8%)wh@o<>a#W97FiiT>WP1-h_a~2@#j1N$ZExy9eq>Vlk~ZjAuoj9R?I})5yZ|3sOgkFpiwvWhnKfV&-oslQiE&# z?6qTOPT=(JUMMD-sbQe(_jFS%x)zF~GbYGR>@V7dXpoubxZbT^j5GQNGW0LEi#02z z5HuV|LhoPYnHj1}o!HC7@LoQTwz=6*aup4?aXy6n!hZ@}8*F4*o8#Idv%IcI!*`bNzfD32M>Y{*OdI%UKj7 zx0RjBO45eeR%bhelNJ2~!2JFTaK!;bQx>5{PCS-*l+L8I830VJXu}|YMUDSFGa0$4 z20xvyNLXo_%G~pXb-7Ft%jguEVx)S>FigYB5E#e=G_y6)kwhYt!dkLg3B3*`P}5bi zM*_YgZDoi@{J{NW5-D-MPx+}c_G<^&YQ5Bsl630COba^FpgWc zFMdeX#KDPRVfS&upY#}_iZW4Fh}ld#e7{(3ulE_;#SqNA-#s+eG7iuf2VIG!1{hMu z4G#}nW=pvEij%Za^a@TuI1pZ+V(}ax;m%dBmuIm8x4I+YwTc<+bSm@>Vt$EvjO_JR zCNtdz3qiRFmkxL3#}P(GMhqyP;w5(k6zmqdWDPOGeTd;p&+9{rpR+p>Key^2IgY0t zR~GeRA+dKnJX&X&G3IUzz@~Bw!3{zE6WkB3k1alyn)i;K-a%wUfV`nr3b0zEiKb3R zLbXCl>;UoYFyP{@+k4u6C=!*J?>1TG;wRrDmYu@V?Y4VUv1P&D-d?$eR3$QKPm0FA 
zT=`pmh4Iwk;bGiI2XP~bKLSuz=Ih?d-QUVguJ@e-ot%{HHJ9Cgy$rci?lD_A>?K=o zzgpR#q)nqC{fw~s@S1_bgs=6kb>M3?M}>NtF%C)XvIQcEcBL7%0?U`@(bM-(5|7bn zt%EHC>4w^z0YktU0ZKpvmG~W1oe5BCntcU#F}Z@nI}=r7zY|3(2U~QKX6z=GWnCRt zsj(U%Z!RVWW5L&Dr5Zl|f}BovVZ0B2To&p=`X=kf$#deuTcB_wr(#b+W(^4wi!E`; z-jxOm#GEh{BuTo|=O-cyxA)7=+*;q=#P^x6%g-ezT#!X1U$Pz+b;k1RD0{BW zv@tremGNuQk-&xci_dA}&DJV#WfIYllR}A#H$E;8ac1b#StV6HmMgzb23EGm+MB+E zze;Vt1-1b@M8C*vGcnhG_YF%E(m~d7JFgU%uD0(RqaSt0AkY+3=v83j@=;o>=l^44 zlgZ(9RQ{w(x1&I^#$jJb?eC}eQU23mv3(fl1VMiQQOY+eeKkLm)gbL9TJF-@mlr;t ze-N)uaDc2f_k(WrH;9tljJeUQxfx?{5V@|EI@?PH+}mj%0|vX>a+&p;kbV=opnj9S zeY11B%62Uau4qyir)HxkU&rN0b8#%`Z6}kNF>X5G2PO(+rk0W4-w4Fj?I0~4l3ud4a3t=skg_Ww_hHT?`PSgS( zL;f^OSTjH{2R%fIt8_JQH3R;j2Ma#;@zNP_6drlLRKDE_h#;1v3ZRZr_FnvbFO@_*$(Z@AfImRfKi6H=jB$sh`pR2~mU^8m1} zaL+pxm?y&DSXRA{R+^&=wmVyZX#p#%mzxyY0MeFP^uzH(YqD z9ZqK5#nVD=jLOGJ9kSay?n43*|E%{#-rEsvisX;TB;SIUyVH3tVw?V0E7AEzL<>a= zNqe%uTxXbJKroR{o`@hc0|SNFJ~a@p*{y-orAHe1EFdtZMs1cpslCbbpSzP# zsPIp5+X^&UU+KbY!###K3V!}S#fjH<2I3L=_vd;}=d7e&Sjm{Yr(<;Ki8(nRR3O;o zetz;o?+8t)TV~M zdZoZr{MW4e*2L>UfxmtHw=o^erV0L=}ZdX z_Fwujm>zzF4psRWXup^L9zkdPW5%*G>swob~^K3NENQSBbRhBkB(VTrs z$QyKGWMs7S6%9Wg0BpH@&l*qW&MVgOj^a5te_zDEfjm5LN)Z} zBvS>lbu!C|9?tl9TrG97AV@ZtHAti` z)!h`?e|fUp0U1d=h3{rR0VI;swMgqrghs<|0Ew`;BUYaZr{{nuWWGm`UJCMMb ziq@Dkq$Mrg`$hI#Y1nSp`SVJ0ISUuA!J1T35;l0Ww{f*aV&aY|v488+DI-pgrjdY0_(lzUj4l>z(DScP4^8CE=wfQ)rCxeA^v=+32~2GA%^#c&)4!pJ z05)-({c(`(H%XS!Eb02g$)frg~lBxyvC#kf;hC+)~&=Awo`&EqrzX7qA~ z|ALQJkDvPtKg*|AuaP~K0>ge#tw`P#ocfsReUcOKz?=fBt((htFhy>@3y|i2LX?sJ z`@#c~ON8MVRtSE=M#sgF1WvpEO#Boqyclvd98f1u^HtA&w6!B+-EjO$QCHW;;e{gf z?P29&!TV-(X0ZcdXXH<|Cp#s5G-dv*5kCL;u7F4fUe{{T^Mvyv|3BT1%N~w24u1>* z8T;{ls4J1m9C2JcKA)4$;+Pe$luo}i&ND#t=k}!ffxl?k2H!5$E|@*e44>3(ce{H32f8GoIS;_5^6MSSiBh>R16sL!-A!iUi)JL~;~&Lm>Mt}WIlp0Gz6vXY`LZFRmb%Ryq_eAQ3%qK*!dp)yE-YlzQ@f*h`ke%#d%F$uFr3B7a$AU|XJ zK6ZH1;u~K*UzT~)Lq@?Fm@R~Y+5_#~rdJ~!0t^@0)OCF3b39#Zr? 
zie#ULvVn}adpl{7mN>BOR20PC?$s@&4=-t+06p@mr%ZVSkYc0ba^3$4M(9jy1RbQS z`Ym&%zG0uaP*?!m&3fTChuGND0lk>*iH5RlrmoGBghg?KTl3ShE5J+t5zQC5ISJp9 zX(aZeKH8dA@U-n_Vn{xnsUrw)C+$J4`ycn+iOM0-h4}rV@Ogg4zDjqqk)5J(}Afd?As~eJA~h7SVYmZWuKWJ|Vs}rB0ipPCsq5^Sa@Odbs%d z0@j!g%O+GtMj2d+U5(U8Uce;TvC}3}4g6 z>;a0Gh-n`OYli2pb=F#|aeTddti5GO8zt&qOi=jbhG#~1B?B(4a(nb&x>F7hJNLLL zUir-vd+nbAUshh8HtlO|?6k{48WLqr+9PEk)y;wI4~NzZP>q1rD(jVrPXEhOP$wQw zB8+gGnI~>zBur^+3nR&<3w4#37s^%Q#3p*f_Y3?<*#B2NDc!3&a1_~JWO%Oc+xVXZ zi{sFet?lcWuRyExaw!2x+bSj$UBEvQnDHYmyGcv<9Pew%xS?I@()Xf+GG4b8Rz^Mp z`6l2gUaxlj42$%`rr*b>e@GN$ChXBmaxaV-zE4lRLkt%$^NjkL#&kCJD({AvqtTsi zsh(4jtB&yJ-#qczEx6ELc`Bz7=Pm`CfVLGQk zTeS#|zZI7aXrG)FeYW_Q&EwZ&@SLH+S)U}FCPqt01OA|2zM;lW3R@7KiRHUbR$}S6 zpY$gXUjA4j`I_ba)##?QqT;sLtY|YUF4^!#m8|y3!ootGor6OkU6>WTqnvD-HB=Jn zTBjItb5j&v9&GaJVq_jhY-aJ0E0iFECb~IU{Z5P?zJ?6=_GA%yB7O?Dxc^z_ZGaj+ z6K!|2jf0eQHysKZ&N-+ViQcM^W)A9N<9>zJqt#>WGc7T}GJCWta5({OuO58l5bK7MiS`E6GvYAhcy-h>{&(-;<)uR+mD*=;)&@ug=ydhN3znA?uS2DLK6MpL9z$N zACn^eR1`d?*trvTvGu9`Avgj7m8MPv+s5bZZu@|RX%|y@u2Cn4O`pLmhamDw=mZDe zem+O?US`|I@gO)^xz)cz%_6x=W2o%4uLY`NYGUcn7vSN z{H%s?-s|W;$dV`?O=x|g=R^%%K!4V(mg!wQd$;Qrloi;HT?SV4UrLf;btRyD^z&{N zRNoUM*@(JM`?(|q=O!9zoA`x1ANKxj#F9BKecVfBLOeCdJQA&9-d<+ z4yJIC1zrz5OgF-i@G+U?IF59$H48_hC(1oETg7*W5635%!$*xbd+;tT!85A__ zcy!N0&(F{QLW@JhvVtu7VvL5DL481e8ESApK!B%P@jZ^CK9I|+L1SWGh-xfr@4*P# zXhs_G+7+N_^%GaOP<57llMeY(1JOBVj3E4iY(~H(U!SR47Gpk)_b-KRFj?E!-+~9XP9}^+5)#^`meE>QUdA=-+OEyZx5c0B zSZffD5h_fQvW845{;0FTn{Rb3H}5zic8G%Zp~pr_;3?z!|M==j`}GL&Bzh5 zv5{Uyxfi*)eNG$GN#^zXH(n9P0!OB8dAc`7e|Dm6UmCiv4jc! 
z%0K&SZ4o6@Z<3+HdWr~tpx0<2-7clMpOpEInadfDKw0xzI165JyHJDPk;fLkb58&B)z~`CIbE4UlnU(*IIl~VQ*ip!krrfl;p@|OMdK{%YmXDA_vQj$-F;ue z)lUkCPR_6cy(|)e5RML7i=O|gF`ZjJ(0qY=Ids8kC(i<27M^8KJ-qK||LDz6LWF*H z=L~)8bKQP z)BZ%T;JZ6!YHnN-s}T>;NTSI5(f6I&!G~#fhglcG@r$e5Uel^@9ACbB3m@Cb4{6CE zo;DJpw$a^dPTPzR20E=L4bKDK(>qP}bvLL>)({RiQQ$V%5~0TkkajuXJi% zTlPevIWxx>py4Zo9SV-U-T#MVagkT`i^uD#-(Dz$h4VNIPkpgWzShyE^cK66UezFX=zQr;>^w zRn-nDrFZkRQ7R3PYhu(LjL%_wur~QLcO8vq{;Ib%i>%6qXz)bY5Nlbfw^i{21&p^3 z4}vruSQ*e^dNNH`2;MkM9gYL&v)x_phgZEF7w1IR{Z{>_$U6?dZ8C=DK=2`_%l`0; zQTC^FV!6Y`iK@-SN#@@)UknI2BA-V_MEUXK@H(ofA5)g)kg^B4b#X>E(NeV74R0%eV7^Yja6b<%Xu5! z3uY86m@X_3i>l*55b1uY6<9NzFYqiy+ky1jBq7?Oxjg+dZJA8lPKiPlquJ(a(Ym9P zYtiD45;k!^7Ck*ZKV%Dwm}GK~FXw%0dEj%$t35TEu0=>bKF?~C>-h>)k;SAP{VD=& zgrjB8tzjfh+b4l+{X2t!8%UAUi3G8aIG0i=g<~NSQJIW0AQ+;`z28HSwwEU*Ifyq; zFxmL*s9J4D4d{{vn|WgL)RdCcEnQ_>ZWNRET&2Z+V?%$gTqwVHZJ?SDeI|h-gOguq$l(!_f7P3 zfa(_2?%}jIBf5YBkmq0e>s*~{o7W2cCJ~!=U{=ZK#Kc4d`4`={EyqhYa*~#iUw7-R zn_Y!wI`jdyV!6f~$rCPQ%Hcj8QZ--gXfh6w-nL`ZV^s7NU@_aT#F^T9>q>wElhO-j zIWrb+=zmQ|6fk&-HAr^Oyt3UALtZ;SxqXjGdm2Jrh5sQ(xJZ1b{&cMVZJPLFmj&=i zr4Lnh9f+5_+~M(T=(;Gk=Z2DEwlk#B8wmQ0{M8R-^P_E9&KIAf6*YXT}Lb|$nnkA#XvI>S?m}urZ6t#5sox4H;a$()K2k}MF1JR}u%XyU7}oc+b-jHQn2N`( zfSW^P;va8q9;*wxcBwbh2OYybw)+_0h?x+QwR~HvtmWK>ZC_B2R9Q^*A<AY_8_-UE?Ivth2?=C(P)V z9t?QPEhe_BLxP#L6~tr7MJlXo8!Dy7)SrLzY#jtZWU`yq_GSgytt3Rjn=LO)cL|ok z_&%@^Pk#}kI-zMinfA_MP19{k`}P+#{xfN(XxZo+lC*+TF8SOJb_*5MCbPdI9~wiw z&~&g;TI~~cPld2zgc+dcGjNDZ$hKkBmq932hDG1_=)Y%A(+?x}GSs9nFO)!9#+A>x zThkB6>#<-cCTneLY){v4)l4RK{O-M%ZGsyjiTt>UHu6wVY|NBL5WQ7<=!cDEo#{;UexK67g#_mSnAVhx}ueG%_^YuEbAl za$>pEmsO5wp)o0e+MIxKZWUeNQkdVP>MVt;w}nDCM)Oxyw{=|Q3fVrvW~c9r9HWUE zy=)M%N+@hb?Q1!yEOT4Xf4H4!hJ3CNgwJj}WZO^88kco|D@FCR$*MQxiDo&dVYb_0 zTNxetLY~eqpc+OHFCimmE?lQNU~Aj|l28iY?hKQ`MOoP*rDR@)wF8+hw4bQ=JV+6! 
zC+3fzmDgKiF4~arx-ptWTR$^9+d6j}`L)3GCeiE1?c>>ti(Q&$u(TLA4kg>k>1k3v z4(TUx|3A>-FS5MeX|p#~mha`->V0>WFXtSoo-IKTcNV5ce37%qt=(?IxGre)P${PB zy4xbNtY=88WKl9V10gYizH_5C%cl#@m&~p)kVO2BO1O<2X%$VvPq4o=?AEG?Tx?!_ zo*RkBJ|#Q%0uh)B7hG6GsCV+%h3pAm4tAC+1NOiu$6VH@|HY&~C59c?CfnvE#oWH= z>TkmOUC!q&N0wK^mg_0vuJL9q|@kpk5>>qxr!)&GDj>B{RK|v|=bNc^i1k-g{H? zC#mBpsiBWb5tzQ^*6eKPZ=a%{@Jwyw(8oq6~+64)Jbi7ZU`weDtCTfM)Sgh@s#Fv_js*E>^iuau%Te3X4_g}CNGU+2U zpsN7>6gH+4Qod#M%_$;X@iikTEJXpLb*UR;x`yU+z|x+?=TU zGbYMXh{sKVcD5cuj_+NPO1WK@Du58Q6ge3Gji&bdPP%o3uhLgEo@3yv~SMz^+(@_ z_>7CcCUmnvjm}k>lGZkriuB)iRVtnTe-SnU4Uu#*3ho-TyDuk@faz~G7Gl$~*%cja z@9U<32GSJ9)VvzwQoQB|^DZ=~uQf3F8P_n8mk&xRS^)^{kSJv%2D|re3u_#$m|R49 zX|zk)zEc9=g`K^3v(q2K&p#0?%t$gVk3kGcM<#?5+?yoWWH9f^)+ws<-hN2}v$2=7 zw3rs<uD?=@^98oO}ZC-#ym-Qq9BU!>yH zwxh9c(Wq-6sAn7sSVIrzpjnMC^t)s*F4+L@+yN-W8Q;w*D|$^H4738kV^L`+Hzrrx zU8U(+8JcfMiCU^>YJz@rvfA0EI#L-)yhU<1fU~6F7Jr$wUC-tTh}N8%v@K}sQ-*tS z*{7h~ZEG7}Z6SCOF5(Uk;tLEc!Xc9uu(QX+Rbc^f0RRljH15L z;Cd>ReKF{Mw z?D%`%DDyn5U<|6|b9A~Cq%1JPk%>L`4-eZZUbz;&7l$|Vmx;c2;Bwo5QSt?sLxy@);f&Qa~lYJ6ZVS^roidXm!yk_$o*ZzlMbq7%cEO-+Op1}(k^sGs%6mPEZXg0hNxc&_ zrYFbio;VS;<@{kBoH84Ojr#I$g=5((Zngs0!M3XTOkO~}h5(GY7xa`a~hEDi)p7kT%udERo!yp!Db4t#A;R12<-&@l^ z?a`**B>!8AULC@i`JS}rOoUb0{@fruI{110@a*es8A02JZ?yeZ6B#p;(7D&=(!RwM z{wMiVS)C!~cLb5E%fY&3o#IpTPU)!@WWns>d|YQ~^r2_6eqHn=&3=7@(0J-MSrtBt z+@UpdnP0m)Zkj%fD+17mrrqy1i*Pb5_D%}cu@KU7Sv-wX{dNh6eE4AM)P80V2$o79AMAtw8 zz{R)B$P$apzY4;X#R@QLdd@Mo*sQjOh-*K=siAK-t5G>t?PkIWrmyt9kOJPVPvWA3 z)qC&BTU!bHbmRoyWPe2mo1#XaPzl}4Bjt8jv-fL(XD4Q^Z z-&vpVo8qQ6)j$n;i}HtQKV)oAcza46?aD2_4A z2KaTvwJ02vRC(|@zdsH&@nXH|c+op6Qn(b)%sN`*b^C|fEW^LHadlvjHUfi{SPijg+IF1~ zv3`>i39R*f)Dn-vK^f=m4mj;Kwb}|r{o{gc@AX)}byhIAr0`(E1Ja@CDG4AGoXEJO^EX_=w9ajcM(eJKkd=6A%>SUiER9 z%b!dap0zn2bN0Dusnzy@oR$}rAyo(X`seeXy8fg{`<#XTZd7GTE)vzp?{eH%waop` z2LECqu1DPrhmt1vfQ$CkPfRp^ZW#>;k}~bM)qT~Ac6DyIn=@A5qj;15rm|22emV&9 zP%7|gT;X)6bbU7*L87h8^x4CvVpv+&+r8PS0`?tvoLK+Y>$SV`X>m}p4~-WcuUkZD=&fcctY^w!4i5JZ_(bF0sJ6 
zV8OLdN)~5NGWD;I*l7OZ#U<*#p9-8Wb+TIY0~xdj-0|l7NpjiLp=(TmbczO}VU?dBs|%Oz9CamniKPLgFFV+uE5Zq@ zKwze3OJ7}D>VXM3dr41DZW`lzIlHM}O^qjj1W1OB5&D?EMYwD-E-QUoOp>6iHaTGv z=%ADhi?emi<{9pov9QDFe#jU-Xn9B5OOi82SRsS$57Qs};bQC)CEIeCy8D7S&<+gv zh9ECLfy&-*o_R$>DZlHuP$_7>gyP#t~aJ#KY?Obk4ku#w&HW)nfn3i<-{Ye%2U(*v8;%9CzE z%9O_2$-CwFLS01cR#(51-$tpNyNiAF2VdercvV;pJX-RJQ$k-co?;jsImMSD?U-u^>by0>3w z@znm(PAmEJ?XBQ6ta^mc)USrIg@-I{U}fmQSo13z8=mBaZk=xe!J&wTcX+(E7cl>i z9M|6a4DpN3`2JT&T54Z=(-fD%384kLhgl^DB5t$Aw9ZglcgIX=JqT=Pyu4<6mwNSf z&%kSg9{Bu~ST8ZsB=rTR+v4lUZgb+4*R&0vN1^f<)L->Q75)`e>Sp2N+gD}Es2O=K zdl5MrP@J`BVRZ3-n zR_Ke8TU2A$FC}Z00ONwU?dxeqMY0hmJ_RC%W=zEKa4h&>f8wShybuTWPezbXve8E| zIA*kq-%KXM6l){E2N1f@X)Cf56}*UnVzXfy?RiMntm0lZ1^1K45OYxmE`4bQ*swiQ z!)Y;ShfT)`k3 z^r{#C<`A@Jt-EQTT)6kv)uoA?E?nS|&FC7oPlo^G{wm=IrX z8vT;=3nxjXVFh6snmLE(Z2t>yp^h&SlkCEZ8Nv1C%*?-GxU@i{ee}}0qh2d=dtR!c z!8v$&ObHd=)61SNgnpBfPd6tMnvMnrFN6fwY7F!#AVyn!VrRm!5Ryhd&>*t zuceCdg-X_f(7&M#t5&c3PI_>4Mc)2;Z|bJ7e9dXt;Nn}d>t?9Az9DLpw0);tq+f9| z+zuJhHI@^;HcG@9$Ht~7K88X&E#y=an z*co~tSbh7^07v=rq)F_3DCqCw>5c8{o`djKjRDB|7u(8FVBx%ePYj;#OA3avU&z#Z zmd|T(Re@iz{NoCYLDHKIg&)jiReuDeT8_IijsO8M{_6QVTCVSS+++@Bs(*i@0iOo9 z9b8H@lXXY$PU0KIYf1{-B!GYqkY}qd>OX=)GbCTV0Wps9L*=UcQipTjBSMu|ryt32;Zb4pFop0JDwK{?t(*C=c7Lhhpmab&dH|EP9 z;8<}gf6)ogM<;cCi;Y#NZ8kFRzQ3eqTurF%)e0cH_?b2xHFlO-W5_9eL?Y|8B=MX^ z5|wvtZ$iK1gZDSY>>p*WPES%4*F4V(`82VTdNsfZv*0LgXHV~Pq(8&IOKE%)BXNyK zig|wPGvmS|#dJD7QV^5oFcF^et7;}EYcbpn1b_>M6<#A#O7c&MV;3AVrwWeQ!Yh7i zPSQw~4!?APV$w@GCXZ6hAb{??zb*qR$JEFamphOsfF~&ZKWAq9$anjFCe9K7>pKYF z_cQEGd%LD3=ZWhifC(qOK!8cIZi-pxbmeg6w&boDSPSVeG6c*;+%{w+%B|i0joHfn zih2}YBTB+0OH0cZy3iy&PPvtO$inUP=7{&;ke@n<(O6TFq;XK+rbC+m_coamZ|2V6 zUH9Q?u;t8mcAQ1wNPBdNG$r---vwRAfAh>deaDlD(Eln(F4Roy%U3!%!T6cu&3MX^ zsFnfrHV7&Z=$a&Q*1Mgckf;%}9v*m97a9c|-c2|@Jz0ByuQoWOooF)C}nIqo#{OL?e1WztuUqgV6c8;vgV;8b|P!vHOkb7xoCQ#DNPs;WxyH&t5~8S5Jl!ik5^z*MlL z9=$N?{bcElxA#!4KbGQ*lNf{~oMC;>{6@mdDG3EGpjJXE-%1hjSt)_Fpoi*31DI0o z!YKs3H~Sw6%qA8Xcmx?ciq3b~A*-B_kL&{MD>9@4aBnxImGof9qMOQkt6L}jRC>cz 
zTD^ly=$G{;j=ne&cJqNHAh$@1s$8`-nNh^vf>cUk7udA<7lpOO{G|QM?IF-rksYid)kW%^2`73qOGR7ddxgVi99z9 z%%&)L>FVm5MI`9$tQ%4awAd%`2P&N;*1OD{rmL%_W81do=H>-SaZOVDvAcIG$NaB@ zPCsOneG0#QO?eYT@>!6qrEtfM6l?SEm)~}2U=j@-{zoc zjln!;5K*0265^68iH`I;8u1^wo#v&2-Nwbpwr%w zITI;W3AMo%+;VFILhEUf86?uEH~^S(B%a@k>RsUC`p)F1P>yTOz(rFuFQ7}%cSwg& zdwjZEPGJxKKQw)1RGVG2bZ{*txE6=vP~0sPcXxO90!0fYI23nxm*Vb);_mKNifg~; zz4v}Uvmz^5EBl<;duH~8@m+0RDPLokKcj`9z$(<+FBw?`qzP0n{&E@i2NSmUV|*^U zi~XJBn}(P^)vz21!e|&TeK=RpK{wh69ay4T%Omzykk3|r_XT4vNE0+&(gb{~YA7)w z%p?;fKbjb$iVz(^T4#55K@CN4w*bXYh0+5zR`J3g_Q_oQOyQ_;ipOA2L{ULwegt7XN^*4!-Yzwd?v3;cz*yJEH&Ne}^Jx+VCCE zmoV@D`7L8=$+5uOf}y z2q^L7IsBIOW@6Oob1Rl!+$j!`Na!B7!o|fETI6G>yQ-?G$&rPKOPE%)#@czSvgpJ>(IE9AHE$$(BQX*@~a zLqb}bi*0h;6%^gWW2L{k`{h7P3w=o>vBb4&x)|izpytuVHizK&)P4g49;{}pa6I4> zYP+lX9ZnYR-vhO(s6m4TADmxSb_`32m623^lrll#5A1_S05XL1Qp+!eTDnfvPgFh~ zbYBnAlyU~2ZV-bjA|oQ2>L|}hkJfp_CrlCN`cNbUad0Q;EvDs!gpC`gV7i7t=ld;$ zD*49f-M&>{`ZUuOBDXKOlD`>*j&QFAVv`d*$}b=tc;!rjE+q?7s*KgC&s6b^HYrJW z8KGNbiXS~A81C9OJ5vK?N$LaO@|p(3Ov_Clt{IS*&3b-Hohv8I$m+cRQVj{-1giuf zUWp3gq|E4Z=Gehd5?eHkywwsE{$i(!7$mo$wG>DO>oy?KZw6T>@LnLCV1( zw2i+z_u5GZw{ji0)ZRo0Mk*~EgbBWQr`|Pv8YZh2R zhqP(5J+m;_toD9nf@@-`_vO{q$!!Jh19Kj@CeAYd=UaYvk-5-<3=dR-DiVD^TrE&Mc>&= zou71QqJ4?^9J~ng_)V5URSL_T9&~Y^u^zkRaIx0<7cP9JV;j8;QB3b7Bp+M-l@qr5 zQ1nO&bgyICz^RhL!xC`M>r~~%`%m0*zuo8d#E6}?(j*9`C&REtt9rN&o9y8O9c3^V z8TY;CA*%KFj{u#NfrZLuywj@XvV(uhP4>FGvpf?kgG4Ise0oIH-+A9cwvkEUm-eif z=^3K<02N!&PRiBse_Ylgx4~a}N}fKp=SNaZ7fu%7%%RBa@E6<9C|}x7(Gm=U_tg~g zdF0BP>e99&iD^ARi6>nNueDtJq#n?!*)~f*5dIZN?od@%U&sJT(2V!cz+_sF zlpK;zPJ)pW426y8d>3K}dRjSWJhZT~3P?^!z&<|?|7s-yg@*QTCxBJRbyXdl1uA5Z zKdi3_D>ga!mQ|m^nr331Fif#6FE4Yb(r|h1*%Zk_cw-u5XE|L?sI&}}{1Te&SG!z* z-9PlLb3)P!?oPLAy~BW(Ff${fe5UI1@}$jw1#p`E!20n49Z{&$_a0AO%Y~AGxvx%g z@s{H|I${002pQ_SzU@Crlo#tP7|o~Rz%r8@CxRiZ%xh`j7p(=mN`07MRlf&pS1VFC z8l0>@%wU7&ZZ+FBuiwK9LqUrG2bb%snw(iL{LG)+83*bT3yDpV3B-_oqNHR1df3if zyu#oVKJ4eS-9|n%lm|l)uZ)LlRgzDPM6{tNNmr_E`aZvdL{HWI?N_-0ErGmLRg$Sc 
z?f+zht{pl?{1+D1I6<1q$H2gz<4iyeVcsK?ONv=2neTm>>A^;6F)Ay^f0YZ?=-3$g3nskrNKn=a{+C+tFHJX)JeFRg9lS{SOSl0rHYIUBmJ|-;E zJl|k{!a$Lh&_DO?91$HS-hPvkTI2_5S|Cx$rqGWsp1MPTj^H)6X?gC|Z`CK#u&DEi zi-YCp(`^&sJL%nHubhuJlAuT3ts5nQxwT(cn-@RMt~wC~F!0TuM3Z5}$ zCgb9UCF0>_l{Az68tpA&;yLWy8p|y7ZOAVVU)1k;!C;KAP-bay^AI<~bX3YTBVh$- z`)?EL*p1pP9s1_V+{zsy(H6O{zZ-NWpqGatwELd#GTpON1SUj+ayx)&(&+i9$jw?o z+_er7pP7Fpuvecv{0*%NDbkn*t^=q(`J&j1!0=fsP_K=r;@HSZd(E-_T<`Ok@OOb6 zt%%?MGAHS0HUC#HLLS|d!zuudxFd$YHG27S`D<8l1H=E>i4M(Nn(gx~GcJ*UU{~FD zm}f2ilc7L~5`64KIq1>V(8==5Y#qS4vzS6-n*!t(`CF?B)O7{n=(0JcDZWmNGU+tu zs%F+l%*w+^;YX&e0^|iw#8Wq$q(93c90lGH?}Pz#$;N?h>y8c&A3uO{XDX{HK585r z;{IBli>gY)yR!Yp`m?{#>5osR(Za$4o^?7cWDn8}f!%v7E-sFQ4eH^ZnsVe$pM?=+ zs^*tG%bw*tR|59vN}H0_nGT{(j>J<*s!GW6og6pR)YOOsy0N&kVTn5%Oc8{+O-RmI z3Ji!xG>JGU4XveTWITK6m{O-9WBSlif@|NAetsCC%I7U*2Z`qDw9&bJu(7pm>+=0A z{J57O2HPqIF*T!CfKcD^T)=>~IjJI`uT^#0XUBl&&f37h0BmNDcqo`Rl7s5FDx~-Z(L`KEM~qW@3p1yu+m;St^7I4!+xo{>zqp`N>)a9ja)@Nw!m{uqDU)Uxpx zRv6)o7=Bm_1jl~IDw=$MA{(ltHUgM?0co~)IDrNB=8 zx#&uM__utEp~P_I{+xRnPy;guzxG1$!K45z@`mWZJ?63xBSC!5pZDK{+s0n`K>m&y z@$BXPCoq$$)Q0xU%CK@~s{A3=RPCJ4AmUp#%8I7(5%5XtPB~tpa64C97^(r~4>X7} z3bdihxbeEZ$zb+rDN`o*_!4F&mV1|`wsc=_`PIYd4hQz!;rki!SRXq>7Fa0mo{rqp zKoz3KuM~PZWNH111rlkPwH6`}zBeN|f+gL8HYwXzB+PogGM~;4*H-E7q*_>+fYqh; zd{m40X5EXmT(@{!8g%Hh?H|@Fkd4WRzvPV)T29UgxlQsuW=5AN3bISxj5nQk0WDuj zTiMx>*H4SBZ7IR11)%Qa`237qD! 
zC&&c@!Mr3GXpVnLcbsBhs)!5?sBsh5rw`-Ga{dpSyTextdSkt;Xu(G-OppE*EnAv% zVD=lGxG>A5eJQwK;3TPeN=EJd1rzPJ;WFa+eho7#H^28>&-2bvWlj_JYCn3uVUXT* zR3TqlnX1PQzD0-5Duh8ru=XsNGDb5gX2rzd*cA}S@doPuIN@|F`F3a2=4|Etw%)$# zpvJ(R5D+=MJ1Z4UG*5j(dkk95{2Lh(w9C6#G$VXu!wX!X6wn7%I#S3Bt?R_)ku3eu zuU~#zoME}NnA35Ee|C2>uSH(gg0-`D<;1LHw2dR+$I3M-Xph=hegG>^@PlK86WA9% zx|0I)=>YX`yJAf6c}J(Vy`ho1I`tYc)@7vhM~WS7%C<@l_PELp1Cq8|Aqz@MdItKl zNB+SDRaL2zlamnT(%MU0H!A^$`2T_hE_h>dAMHJ`%%av)l9D`>l-y~2_;cQ{Z-JLO z(onjjk7lH&Ke^L>sUPx=+08t_{9_q?MlX93xOt0@*dhRfQ6D}e@v%*8;l5Jz@|2IS zc^L?Pt)2T3xe+d(xOrU(=gv#@wFg7;B6-LR{Y92XkPJ4?5e`1F>HC|Zkz4J%Vfzn- z5j7Xr`r*<%;3=lnC=XiB=Jo-uY9|-s=Fra9Hb39Xi`SICTe0^o)f5L1i&!25XMu&K*BhUHUt7I@v$5lCF%;ycV}KM5-^Q1$UB{o%xoz3+BRu2 z!7n{G^mjY7Wf{FBP#VA zIG^QSYw=N0&H7gWJWoODA5=B+74>VLg#ZPs=+Lg&4ws8}=1aCqUZDhw%< z1GLRg?Y3tU-{r@3MS41G4X7Q=_{ExmplKqfxVz#QAMeB9mg;In=k*WR_buDUJmf$E zea?E2R9sp5|CO^Yd@ON|ckVHN&pGI}o|47@k5hk-VIn-iptIvu z7USt$-$;kOaX@X^8>sBRMEGK^Z(!>lF))s^$&b(U7o(k1 zSh~l7C5_tJAAgFi%}Y_sLEM}4^z?k$C{f`j7E)23#Glo>OG`A<*3WbVGW;{yJ!xhI_@9+ei%pU`hUl% z%&O^nIovXoP zeN=rXnBl-qKnYYCRQmVvSun?Ct4D&pNHp)l>mMmhOcUt)7?yIlIaucsYnX?iz_lWJ zsJ}k-MxgxpIvK9k&p|>&^q7C!Yn(PjZDjk9mx~$pv6$)mCi4yBox5uTMjVYi1Wqr( zL)uD$tx03C)OQ!<1o@DRqQt36S)RH=EoHiTJ&H+RIp%53USnG3gCl4K zMbSD^-HtLX1UnI$!pxD+sV+?$dDqM%c^}9{UQ}TtJXr_50T!K^XPh{N9JozNA!2hX zN|kRshb+MTtU}m|1n9bG@vC-2(ZB@G!p$axjHDU(-)ch7s1|K`wfO9eXI9xCTkP1+W-INTqeMxmM#h2>RD zsyz}+lE^IwBsT3jdI#x|AgBsLAzsBcG`yS8PFt5*63@Fro9gmnN+dQ{{ryZU2v+dFf7Z9LZ9nvjbTmm>?{#dq7t@rh#B%x@ld&r zY^veEdYeVc9kLk}9{7*d0n2=sMM;`a+i$b6_C>QBhQv#wln@ekI zE{FN>FXgn5|CB`4jRBqW-)i~9`UYPa_2AT!@YV>Z8{gq!Nx=Yh4YoT<@9aGk9vPhV z$^B@GRZ`#>3k)fopPxsu)jVvoaS-^sL#r^maXI$`^H-rl2Db)v=QaWj;}<)#V|R`;y5?(1rIy#-RapNv*+8b`fD{10vC;_vSu6vkyy!$ty={6?hBC#( z$B;ARQXY!zQ+TSGZ*}%Ym#=&)x5y8kYf-3PJT@jp7uN*XPsEKQ+y%pBC$_>Vxj&*1 zjJvhMF=$Cp19MP_$gEiH<7xf40yg3Yj%(0esz_}WsV!BLRY&I2^vI#_#iEB+BXtY8 zT}=B&TB#sf-=I%0O<=wmm2kP1~n42W}d+P%edCC&b3 ziJx^M3HzS(tD~1x8)z*0YTPp0HmR)D7M-0xYy*R(R^~>Qz(2y``lU1P!RIGkYhf_U 
zgH5|603Efj8NHLCoUT{IUbV#SdauG4P9Qw#7xLoz{Uzi}EzSO#oNY?SDdum9J$&BG zAqj;s&u)Z&AKFiI0@>pE?6o^+f8_oxVrXN%REo=etIL=@ws(&bx#SXm;gT>*#9iyq zU8n}|JR*#d)yPFS5>=nyM-O_$lYeT;|e`q84~o6`w9}L(b3VH z+@GfG1bE$-mB1@4)|huRkBf?E6^3< zP0zu$va{i`#%kte9TMFou=LSpO*J|INt@BYFy_k@`KX zNLaW9uOooJHsb{>>=o5NS-^rc6Dxd7euFhzD=)JS3WV9my~myk9a&m>cWqU? z7jdAJ&5e8x!7{}}YTGR-*KrN{Ro~$DS49uGM~h2y98XhkHHqa;r5U*S2>*>W2rBPv z|9>q2d1zDr6)U}01e#}6npjfeXa8MAH@g)ifS{fN0hQxh{^!^DI7fn>GnM7CJ6|#hnrZ2Og@DV z4ujY?dKMOcQ46xw!CNzd`*$YuvJfv|liJtX3h{iQlRt{;fPM=_!zKPV6Y#pqeihJ% zy}h-n`jgq$3s;a25=^%%@`wGr(ly5xGmbx`Uf=d@k4*a zxERUYF#84_AGVU`Ye&jH!k8&vWn@LqT)a$jSbvkMSd4E0y`C}LSriMe*^eM~S$Hen zyiyVu!3l$0?B7x`W5~xJ-#LHHAe3P~;92>ZksX=?+8S;mq}LEq6uSnQmVo{WK_4Dt zmVf*epvMx$;O7FRX21id7eXYXaQ>~hte|2Q^yro#H1`EVSyV^$eQv;U<*bi-Tvfq?QqSK+@zS9xHLb{w^_ zpQ*+E-3qIBkbw?7ewh|7io3Oxa86UD`o&M&3U1jikZl%Y)WDqoIdR`>eGG<`3Q5s5 z8M5DP)s^XoJ}0~laRO+qxB_7oR`|>$kcp^d1KUgXA@dC1mNzamhQ_#C({POQ_aQcjp?2IlV7`OrwVy!6et#CA3v(W@zpVb9pSin3wgqpMvC{$hvQYi>p zB;Y88Z4vmJcHu&q&r!fc!)$$)w3NuBt`YIBZLPVhLp;-mBsMVCp){Qy zHx=vr#l7ofMzeM$iiy47uhxFdHey>O-uXYol&F zD;lEQ{JjhfH}w9cU}4E5N|%gp{o0WGdhLRT56UZ+ zf(Nj_aEP7fxw`nGnTC2UcA?TQOX#EO6KDVvl}ozM9TGU{@!PWOS!Uv)t3*ff#T&k3 zmb+l4u%^Xptv-bvG|X22`KP*5Vm4dkI4R6a8|k5Y!)RWv#Nk%Pd*~lC(L?mCKfLrI z9q6v^t3UBz^eT;vM*Xm64z~yWTtA~2F%byKs>OsEI;vh zgecm*7QWoe>`gUfvYnT8TKE6)ouJ&BWQ*|{vdjNF{;EC|MW%lmxCOYuu;)}lr<7yy|z){)eG8 zncKsO^^&>lM>S#%20>^%&Z|iCZmNAXkad{-!wvBsC-GdK|LnYfILbDQc#|Z0R=qt> zwUf$y`WmvALXYPb2VVsmKiqgRH@;u(*wUeprD8M{%iJ0r!5d)IswOEueHvx;w+=b> zk_n9tsJ2S5q5DtM^$C2W0)I!G_@1Li$Y8FDv3;+1jBrN))VT1=hEc^&4sDbHgB-pt zuj3G~4$Icn!eAFCxzh5cI`=DSB<+}gZCCwYZOI^|l6K^L`3=>;Aj1BvC2Y?hclTDH z5#+WMFE~5^YDv!*C-Gl@5&)6W_zwFlHFzbZnOWN3Q`ks+G_9LI{6Bg9C9uMa8TuChp`dOh(S9jDglK+rAh>hgyLqYP+xUGc`p zwKM_xOl9u3)3*cIpaCEZ?x}eekv6(x>Yn`5Z<%I7wvby|V+_i#rU+D&+qBFm28fVu zg^3`BTkq*W%xtPH2~6jR(c*?(2$7SW6akZ0@OapmW46|Yuesm_lUSe@6G!?3SXu*7 zk??4Rz`^iW(B&`k3$?5PvFfvDX}-)z&S6?Lso4o}=(rI8)hqUf{20k1J0;>v#J8KK}Dr9vf}(FJaljg|n$ 
zzx18)U1J1klM|mFp>Mn*B|_|aRvC3w-8p6afH|%P`%gdVTnA>&WSCOb8sg9v9xcSHbC~CpDPjOAp-OAdhC( zZEfq5krZKJw8k{ak7{gII57n{UhE{4NR(OG@ZLy_pV6z@ulP2}P5lkombL?OGt2H5 zn*NS?aEeek{l9ASOl1TS1ZrZ-jX+3k$M%Nr+Iy!7Yen21pm6YXE!XiydWzo5tn2v@ zJ+S>5l$-@ z22n~H-BGcqdMe&&B;nRaJnqjLiIVq{zD!6?Sf}|zhIyKIh{Ri_6ehGagjDX!@Qwa0 z9j;$)sh_-w$btU#N4uBs6=F-sqY_5Uwy(CMC<*`O>-LwDq!S3sD8wW|2kkUAKU>-n z^F&p%;6rY5i)|KxMVYb)tuvuF-APdGc25T}JG+W0#$)xw?gjwBe#Yezi=rv3axR)u zISyv~lFfb>cCnLAf5hX3?2zE@9s{t}Dw)?({L?J!3G(F-$i46AN4n$ev6vU3GL#*l zwGM%3(ZK}~wF2Ty;Z`b?deT-erBm7j@o=szUI;O}>3}T(%6Hq@AI|mUh9Strq#WEj z9>6FQuO#G9&sYi6ppmI43sebO%s=qJwmlsVt}Y{e7rB+iA06>+)fzC!({jcP?@-1s-;iJtK+Ef%Y?SUcdlu9L zOv9ZKFr?^F(arc$s#GJg6e)RQ=1^a%9b(z%F${|F8W{TY2?|(QeK?P-aO^9ub7M}E zjEr(96gJzkJa6QROct152)CDIm>>I1A*7=#fDNTB5$&=utScA%HKyup#(vU1?#Cs>SpEUMqYO#zp!J@v< z5$|6pTyl#vx;-A{xm6(5$n(Z5Sgt1N+G0nJxO)Lg+5^jP>qPH*P^FLgDOncas>8zj zX)so#f|i@2t?#&_pVvc){@`XF!J+ORyuyMFZc9)%W?vWmB=VBuT-l`bJ*Egmx91LKUjsIhkYa!|8SrKRh1kfJ~w3KhrS z5s1uG$*4G#7Lpn)BOzC3R}gT0MN*QhlJOiUcI(NTMZ!81KXzaE4h)ZyZejLkC*^Xv z35Z((Z8G~rqQz5mK=$)9_L$Pc(X7)}`LHK+W;MYozAWMYX36UCh&Q)AW6kQw7@YEL zXOqlCwW3wLXjso|K32=i*XRJ&Q041a5X5q!)`mZx`CFw=#rvw9nL*2Ez zH5FK>(q<(RP;Wi?PYT`JzwRX{J?SKSq=v}WWjR>hPg7&RGwqM|d%DqKD!>}S!ZP6L z19Bxlj1gdq|A0NH!QnlVQ3q@~o*`XR33nDA0Hl6K4H{=D{gHTqT~@7BL>vUI!Jd9J ztnteDDZ!(a5Yhxu1k#e%RVZavr~J_SG2IDa@bO@Oh}@|v;tGC)8gui!G{=C zf9l zyEC`e?(YZf~O!q zjBv;tT|Gx&-Mzu4HS|BgdO=Gb!UuPu6>qFBK(j+M7NstGdG3~_KpMmT^H{MTm@?&n zmkl9HBZ0)pgbB87gfREB5HcJ6zkKHu>e9}J2Mo(RnAQX^zZ=I(vHVINU6UzKx@Bq6 z6OYKoFLj4O-OayCA1>q~YXkNMo_TSI(YfMOoz?DJKfszl!-)NK7OAbL#4ha1HCqqk zONc<)9r?#c+)U#Punny8_2FA`kS8$`QLYQO zVkn8R@I6h`^tYa6E>G#~C08Xv-dsK+y#fk9yEOLJB}R}r(wY(<{2|s3yCU0<9}^6w zg-AZ67+W0(@FGOZ9fcNRKe>Dbo`wACyo2-ZQYCmZe0mvd1NpWHx+((KYvlce6l zXmN2kv(@pib6AiqVK;&&h7=x<$X0x5K2LCp8ArJ?L zb3};zL;l3qii41_e_yiITWC$n!uiN(f+N{{)`MlY&9dsxbaba{n2D2@qWrsUdVzRo zA3%tiyIllKc_Icg8mX&96ks(MwYk(#HL&09k@;Mxj67big+Kf2-gIc|7cn7N%rXqU zBNn_)jwt9s55V9NE^rrIj<<>{`#<~k8DLXtciWy9;CKJP>U(o(^*g}!`wxL+k-8m? 
zy+#qyn3}vNm;JKgz`t&rNV$G)OlDEPXE*@;Ct4g^FP{bSaHWwl{j2C5YX)~XMb{(@ z?W?**+1@qA#~ja}5}d71@r(l~5nHqyTem(43|j$R(0A6nBzRw+>1as&=LxKCj%N?E z-5v4AQdlHsin>Qs;m}j*Tnv7Y+&viZ<{Nfn2S`)yItiG;k6Uj4~I@ z=aEXR0>Aw>7Ay2@NT5};=!0szi*?stIONO(#Jz}q_Cwc)|N2w=+=5okXPgXw`^I(H ziueOimfO>vp!s>!PgUu*d^(Zv+$f3sRrCy4=#By(xCbjaSVWr^qi%Iyy|cO<2H`aZ zpS)I(3bU!;{YxlxQwDWyD3Y=&ccaR60f|I6y&V+iMBS4>Fdtj`ej#OWwBp1~7!-m} zE@~n;_np`9y44DEIt}z7s@LK@_Qti&hZYyTmx-s>>ny*$cW_reDfB*2kz1i5B}*>Y zy2dA~h=d{_KwV=FJcD4FEg->VErg{` zB<5YmAiEk45vB=|0OQuEG;*~0H;`2@214M_*_47rvv5oja@(C61K%uvc(cRXS;;<= z?EKbL*Zmdv`o&r{Q$iz%;$N;zF=-5 z4)q*2PD~cstx4S=+to{sYubQ8WtmUSTBMFvv%flIc+k=jr2J{_wd6<{8uREST1=Ux z0!fQy==#b}mL}Lt_Y8;27;Monor}T9W4F?X;^paEKz@#pM)AQs-gzA5XDoLwB{Wgx z_|Y?X^Rcn9Fy{#^$CW2W5|Q&cx^s8Copljrk|d`KCO@zz#3s7a`@~uCs7C$()@* z=k(#-c!uFiFUo)8q@2sn5eCjdf2}uAnu$X(Vf@H}Q(_&61#h00uy*cP8sZBer=ZwQ z$``t`*H?%!MT+1Z(g!z~D+vKz_Tb!1BL z{SPNuG;|#b?AthFsUwKm#;8+52-@V=U?*X|xBw<#Sy!cm%#(BnRgH}|xCk7qk^h93q7200y#36+5?9STj8yX7Y_PEtCuZ;ToZk(d(ynJs@epa1l@`UH13Zbfu zM0}qrfAF#n7`X_eg^ya&ss8&#kiOnC{UTdl+ADIfv%KeM1=pmEMO4*r_}jbL2NGyk zBer0aaI9ao;119lZhV3>p&(&+7dF`%fqi2ZayY-*qFySzh_#n!7dVd;{Bwpf_QYcY zex%stQ_glTQQ1;)ppzR88inO2$@x<)`;<5TQsKkfeB_?^NmZzU8HkKxc2L=My@X=7 zkMal82B z!WaDD4PPtV^*!*~ALQBatBNDHMHlC!Flb{S6nTZs@v6XB0}|1q*->2r)0#_}X^&8D z#=@qabIlLxKn`?7jNt#bbP`o+xR^ph9;y}Q+iQj8qjdAZ11a!`K-9DTc=Ohz!>S@* z!02;NgMuQRgbQTF@Rl!DqVGNOl9?w0@5ndwdG~6&S{V=eLi8V~-%#t+`gID)J?nUd zZLMZeT2Z9R<*{#wktEtGH^?4K&f2iPUKB9rV}Y1B;WT#cWr-qK`2q)?=nKtPQB!@g zcKLcphPG7NeMQ8Sj%?zZNP<*BRrH#QfsE>^m)Vkq!HUVromGUE2O^HQZ`3WU4 zi}W3ON3|lVDhfE%yS8mvR=~2`O5baO-b*p{Zen7jnrKs5h;PHMzB%X8gTnN7MX3Ut zR997PSjtB*JC!8o<^|=Nu$Du<5c>=hBR}W&i%c-wy@W+CQ<<}@T6-v{u{Ga#V&DsY za+-)thiJ6yCz96sb%ANA#c8$nMZELMTOf~f0QXb5D#sW&WyN`1GdXSz&zWqC*Z`l-vF8cS&6&-nL zEF4@;?pUZeMO|%cDs&)!QB(aokoInKN{53v80whFOM*_XpuPPNL?qjy73UNZP@j!^D}j1rZYz1Pjj&Uc}FNm*0V69bGw=5^m4nNBgJ z1w5>GMgrqtPdpZ8W@avFe&d$GZvDv0Dv|>YNnNoRpTKi?Z&TkT*a~yuj|h&AP;tgW 
z`{kuDs~;C1U&rv_Q-Q?<{Gk9=xV*!0%S^8QMk~d?zSqJc<~(iaBvt5SZD^)r&O$$IX-(y z&)c3Xf@{%X(@hcjR8p{X*w!Dv!4j~;nye0rQiW|WNbFdACjT^7tt9Ey6*CYcQJ4`e z`o)W)Z6gGizKYc#)}1Nzg;Fl+C1Az6otA{cTLW23di-(?n2F#2%^{+Q%<*q7V` z_T@)nX0B5n*lAWvwi(t5ubX%9FC64ioUbPIgCp^a6p_TmqDhIVLFK(O!eOmX)+7hm z%KTUvmhcsO(0D=RwCyLIBd?{qW$94wZo_fNlGYQFm#K#@bmlllzQNJjZY1nKCkV%O^wAF(efdsgHB z^f8Av*yr^IEB)sE(Any|kmjjKMEIDH{W(|Ib8YWn?AHic0BNvmWCYtt3qQ03>VumoF zTFISf&ioxJu_>)I2`S1zvy$}tY%#69X6!_vOVz~WOQHLRg^>|EF|Z8QHajbec^`6N zg!u1TDzZ=J7Bd|3I|vTxVukD;1}5b{t#zy$i=p#9qQ~?nurJhvo4IEg6)Axr z6ww9?TvsT@bmqFfH}zFWLEu6BrBTbnii7oQN3T`>lsDYa)@gS26#}MIr&{F6QM@tb$dfY1KB$9 z&4kmK^-F86Afo>%81sfz%uelEI>wL*J?L6=G_uv_7^0!*T%4FNE(za(jN`HK+w!V+m$vz{D zU3&>}i3p%Q9tUe|@({wb1}Myj7|0@FFBGS!_=|xRWgpYf97<-!Bvvo3CL2itEpzUh z9#uS9-~+y8?aIQzWM2ElP9Q&K4NOSf@1laMmj^*i9r^k1%X!@Se0Th@8en|NKCPkZ zKgJ(JQ}LoO*1d&c-jYE48L+K5$Wo-Xrju&ABBnz`JAIn$rgF~<--`@oGettJ4ecK6 zLM}f4mj1&Z`x6rnJk7+YO`3qQ^QUcM57ZD(Ul90E0KX7snX4NyaZG~o|Fr<t{_@*$$ku9-y=QKPGGn9}iD{|z!5~*0gfJ(= zPj(g!m~*R=G=E~fXLb&p(!%b{cFaX5g<(5%!uru7HT#m!RToR{1e>h3{y89S{Cl>D z%RCAsYqHOA-YMO#^8Yw1rO1zn5)qeJh8xOZSSzPW%reEuggF?Q)O4r`;PtGi;PF~4e$`3{zzg8Yw@%fzA;;J~8E zxTNijcY%JyGj@n)VP@U+rNlzcPV1ika3gv^je}|tnI!{Sy14ps*P^81G`b%6@`?N* zj1Ya(=HHJ?pLful_>l0|{vd}Lgo-1Hc>^){QSOs%X>C$)wHv#{bz3zx&KwhJYS0ME zU$2?HS@odU89jLk$YzGP*L+*qna?Ej1l&J_i4~6;z;3Hq zBKGxV>k_4Be@gteZzauv9`N%c;t0<2RKQsI)wqr{KZTV-}X=lyL?##y+md zAb~%kd&aAt8--y63<-gM{5iB~UJbNv_w>MtWzoWwccrL^Ql)l=U& zm5PE{w{fg^NRc73LDGQupQ{?fqA)iH9svE%BMQ+;4!sT~)g zVX~fBI$@*Fjfh_2tWu;sCS7o7>m>*EO6|2+|(N1%)*SgOtVw4Sf;gA7qHMqfCY zk9HEbe(@ViToIu+_J*W6ozB4IvL-JN>MUBQc%R5^3=f(}XbFDh1M{P!$N`V#RtNhx zlfS?Czc$(m2@2PMY)^|;1p5a(aDwkn8fB6m1%dY?C`n^K1e1ZLRKt*&J>G}h%I-2m#( zsvoqjgyB9$CoxGsaID~))&fe+>pV0pU@UP+D12&HT3%kT&AW>fBg`WGpcybRiqj25 zt%^k=ia(p}4n-dW+Ya(YsvfC^mhQis*smJFPj*FFIIScnC!?}YS&4f5ECedW-^s%0e#jy${lTKIv2K7aDwU@DV4Rllji7u-jwrHF5TVBqul8$$9WSfqG~~MY zmZ~us=0~XLBH1$X8?o`Rh%!i7Cm&M8(dKWqZWF>{LGtg%7z5_UvGJ4IBWWUD_a0 
z2LHw5NaZ>9`93N{n|3c=s~J%_eY5uqew6B+cq^Gsud^Jg)^Gm;9IE~obZArRI%Vg1 zgkFqEbu3flcRf^649WRmEE>X!(@)|xjJN@MsU6@}ZxxgT% zC|Lg8Dv?)e3l4G>fSM|hQo@M8I&A{=NI@QSQu91R@faF9TO?weC8c!hJoW@a{>uoULcfsNFry`6+^`%Mew(qse8Gp*(ceBR z^3PFge?uo*s&`MWigo_{Hn2)q>*8Vry`~j{BJ+Uy&T+>qFW)|eiBnu%+FYXwhgxme zvO<>L2uQZxv%bu-vu#6I6YXF47;to3XYs(^fs-2>2EK@I&m81u0-@1|?Qc^rHYwTo z%#@r|_&9w(udJQ>97aAh*L)6^w%uXvijKq^e4!ZsozsXMf-hi9hp>dwjrTjToZad` zDN{1g${P9g{K(Zb^R|N<8sasa|NnS;%cwTHE?PUdOK^90cW;p5P~3_XcZXs@8{Asl zp|}Jn?ovu|Deg{jiu=j)e&>9DGm&)bu2 zMNq^ksoi964?lvMP-R%md?hX|QBhjI^t(@^<1&76YZ*UG76?mv-^tuVNXy&jYB^_9 zkt83~X@a}g5`OHfkjWJwlI0N3XT3rw3JKPtePbzK>UP`)w65AmL@(YE@_m^nUKmAU z?)p6|y2%iAA5Dsi@!4xkX;@7(h2IE%@O)S4g%rxAK*O=-|8rXE^AHSrn@@pH=%C~?P6wMA2huyOO;v6ile`t3^fb&uc zA1r1=_!iI`7czE|0JVXN)V{P7@VI#FJMmFodksEW$R~6#ajJ;K` z9chGm^Y3$q3F?k1wsazfTgZ@im!pd+&F<8|0=c}OE4x`N9RsTTaz}BO%(wS-E;*jA zXEi(p)SfT_Y?4$Of8?)Z2D@qKB3`r{X5V+9PM**wN=sSTj?2n}GvsarTKRYsV=~VL z96W5de?+m0=uJ_43YX?^4NOO6s{$ToaUyw^5EX9w72XugGu7;wb5?O=I65}X^1Ajf zp*Jw^{8jvvki!E98Hd~E)*+a1-itMXDHlDPEN`B_$ub^lb?6Ue#zx^zivtd@-CpZ| z$)vms58*OJAn$GrN}!tZq%NPx!T?G;FJaFfa74HU15+4Jr~eah1Z+3=dep(Sq!mzT ztJCGj(!2l;0a{`Xm${$Cpx(uL<%|BK>EX)ZRwuZ@3KLhi^!pw{BFp3;JeeQYsL1y6qc7Lqj^n$L3Vmg=VD++CtE0CQ9~>0q zweU`%I=@9qNb++Ad#bxpHK0=lk&GtK$7|utzu`7(@_`4}Y!s-`^sGB0pGv>57R#;! 
z=*>s6oDCfV+CY60bGtAl2f7fB))fmd9Y9!0oO0QoWq)fI-Y?eDNjf~zYje{6JT{R- z%|zd1zD(kY;r^SiG_nNItJTS9v_j*3X_uMH`;ol* zH6hNBn%}&RUtz-oTZ1=&{!>wE^nfY7T5K9T6zB9zOK{;7DY8zc-xUiL2Mie86JhC~iKez~6_3z#UrJ5s^8FCi6_iPZB+21Ecqm@snAQ zoiF_)I)F*;)cx*cCn~gZs&aoGS$KKtQ=wraWBJ#}a9AjW$U0nkSFtB1mSyn^uI$a= zGv`v#L8q1SQK20O;VqQ^~E6BPg&tkO3ojWz_ielBLl*(2iA(js*!qn>6A89~Lk z*G9y2`n@QMw+z96&9jvr7VX*kmM9&%bdFK75fajxiocnLkr-YWM1G^T&dL^QyUrE% z*(!f3<0+`nzLr5r!yC3F-UVScMg7~g1gtEZhOrOp;0D){mX+Ydrmk>=Y`Cq%sV+~& zMKfK>mszSF4P>*{Q#z574=DG3b5TXd%=zEaGo|fm;jYz%C|*t}A_ndFu9zq6&GU27 zDut938i&WSz4&QN2js|G(7^ZNPtnO|wH=cGi+ZIS7g#5w$`t4gTyHA%f5uHw*CnwLzXK2>+fQzEG zNn>S)5Q0`DY1|?)2XeoxL(!8X{O64ZSuD`Ue?hg}(KKs_jXf`C73_eBrL3Zx3d8zS z#U%>6_9rAcv20YX2G3_m|5zqtIgPj~UzhgrWM}~^+QiR@RulQheg;1<`8?`pPwMTnBt z1zwV?zPJ4o{fHE{j(D=*7s>eZ_z?xrgD9e2uczSD^o_!7VI^nFF15PY+Nab~6+1s5 z;b+Zd*2pKK`trkx#7LJYw3~CbU4ueaw?JpDPxdF?sk6m=CP<)<8GTA2OWv`OO<^M= z?!WT#{nXd6^=gA|D4(X}r zQ@&VJ=!`l>W`p4CuyE3}v5I~Wj!uU9YT};rKYPF}l?S64#tsHV|E>XQI)!K9Mv^E5 z!)Mtd(b=lx+ZT(MunFFT3GL_&ioQa_z^xTMocjttHgGKV7>J4t{R_5NW- z$HUH-l5NUN|I`GA2;B&QrL#zbDcOu7w2~oiJ zt5tvWRIy{R<6J-}uEfhcdij&E0|&)4C&F2#2RiJ`Z6zoqR>+!~ouP-P3Xy z(wl@X@AOC_WEJ&B;CpW6Oo!9pK9W%dJF}kHaVtD?&E7u$h?NQ4Ag)`2{(B{s<{gzl9w?)Q1j-Pq(< zz5os&2i87D(kK6rGc+<1Ljf{F4qWy0(*DF8`@VMyDEnWPM=gZF$jF#VY8AGuyLaiQ zO(wr>7iZtU<%4VE-j{WT7xvYK9`}rj8?N%~kubVjI7~<&cBp>{9YAJj^c91>>Sqy$ zjh)niwCJx!pk|Bl57bk1nO4%!(j^Qf1tbCtpeCH$N@P-H$2wfmIiUIhT#0*)FW$w= zS*ZKb(hQ;d6B^!F9CQ0ZYwyq;){i(~oSQ`#h=#wiUbd4M?(9cca;p-gJR8+OpAKp% zUKw54K}9$p+l!W~N?AYK^FedMD(anvWOn!s9xn2@`8T)nuN1;^GX_VN zp`~8F)>-)0D3k$>Uk=RG#G<`=RqO2CIHuIgIu}0kJ2_x7e@`oi~h=Ay~#z}NzRWr_mjaa zOh%ggGLj)2ATaggP{4pSUxQKjuf(Uyg11#yVf8PQ{#?v~cwpL4-X-)u97zcu&ZpME z?UT_Lo>Xy|(9w?43UUEAE*Am5XdPTCeLjtB?0NNHxxyL_<>d=` z*w?b&RSQN=rugqCB%dz8r>Ndd4T;hv7;DxoCZzNt6ZIE65CC#mD_KutR*)$F3C6G1 zK&@eB$H+_X_eXM$@WeA4M#GjT{WqFI%KIQ$sCh_@MMtUsnv4!?KR|5_h=KCB#mSSZ%L*juEe31QnJ@L^+ds7ZRS#MUA5F1NL+Dvq*@jVGXpX|r?4tdTzq{}X;uS^a zw`UH)ur13tLyPhNocsn+sn_&_mY3!Km3={zGBBsRW2eZ^@Dx__ 
zP1Yl>t?@H4bj#mWPQsQEpk%I8VJG~DN7O3IRPKZ-33mX+0&7ErPA>A1K2f+LA4{b* zS(`0LqW7!iWT)0_FB4mz7GY5Iw&e_9QemF2x2+a;314aw5=a-MD4WN%7^9+jMT(fo z`q)Zlvg<^UAHO6oo?&$V!6wU;#_RRq#|8fUWN+7gY>jO&kTgi4luKQdmV!8dYgk0j zE6UyAHEOdGOun^`1Gg!>zt5Jh%Ah&71|KDzhv2PE=p2#zV*9n9#%ChB#|o*+m~&`3 zL4I~E71fRiux|GSW_v2}XW``J@rBm|$+ISJC=R|lc*o|{xp>q7`tQbM<`8)6Ld1AZ zt@KGz#N=qx=!=~pR=WA(GM})9#s2W$>>1lc$FEBRr;B5Xp1;GgvjH5+~vqyWFW#Y?O@ha266JJXH8K zyB#DcJVM?R^C3_2%|tEI@p}AXvSuhHfbU%%30v}b%3;b@2MqHKkF06kcYghdj~+RQ z<+Vip9k-B&Xf2*70e}25p9@sIej&N~wEYFjZrO3RX!ZJQ9|x?WK~44YW_XUYIrp<_ zXLUKGGx29pmtuN?rtSxn9-T8px{7zx)cf1ZFfRuq>wD%hE!Sg*nsMkG&hFk_M(|xsy^LdL%MjuLuBF9>PLcXPrTW^mI3x z!0L8W7seH2YRL18=rKJ{`Y#iboAQ8*dTnk%iioem`ruVrym;{KVP6*>8OMFC3v?47 zY3tT*QszJ223HsX_RT_6&;?v_f9(K$2Hf9Wi5(d9P96aKajWYIRrS3WECCb_Mac-S zMy$eXh2rNesI@3VT+PoOp%U^M68WKG=}A=eJ5Xk96>>jLx<=c8P z%}&GLE>v=>vl!U0HCx!h+~V;J@T*>)HbflUU*f90+5HG{!^crTUS`xqy@u=4l5vvc zIdpuidTkP)-|j7cq1noZD<`MhgGq8w({E8l%=uujE1dcF%8GVXn#O2yZX!oY@NA}y zd&xKU52N@D*czu6MxBUYp{!77prR3t&A$|sfzL)C+r#4Na>!@g@PkSEM(#eS6fvNajfX2n}y1q3Cy#uPy$K`38 zKjk6}xnB_Z$INd|XUJWljj>1OAK3toNASAZg9$<$e@V8F@DLxfaEY>Bp%jKQkY2nq zD?7yg=H?do`Urre=%uyZ)DYGD@lgp4GSCml+^IEJ9J24NQJ-{XDU2AAryShid?$5_mUH&lmm!3H< z0etr_V!5#14txAG%Zqd!QTJxqpjSS-EWXpORpCf6=Ww?s(lY|RfrE!XWabHV45%nw zv{ZV92sqx22|M`yOy*uhOcV%p>DBsj{Zvdq*IrWAdrC}+(}g2$=bJ|r6lDK3@A5n@ z4FcIPf{;j-6R(P$wH`v>@PB^Y5dYZkbNT405Gn)JS(p#cD6`HFe)z(zaNhobDeUYBYYE1{-{#|zSD;{dlY=w%#GLo;UzlAECMIi#{WEiX+SHmbT^GGTgQad&=k%n&ZQg%@A^8CMYFhn0Y zYi(k%T!Knt)z@rar5j6h9Vt$&ft>{MDo__7M4OL_zA#QG=&=P|-Hm1&H~?I_`oscZ zZ_EMWPqsYRz*M_vA{Qc}#t386;cLaHWowfg*vP~fD!497WIF9%IJzA0(NQ>_m{h02 z^PO-q8`+`5O%2_dXKWw9ZSlRe?@lMrJ4w;hTSP+CESx$E?fo@dt#HucU^bTyZXIoj zi}`egjXUV1Q~4cvnpkhcQ7qXBn=Z{*>Wu#NEp;p7goe4!RZ%vT%4>vrJYgxYLfjC9nrwP=so?-92AgcrJ z5?4GXy0qitw)qPwL=75dQSr^m3J&!b!lmN4`HdvGkdsmiI|zhCCR&3~WTfVKUB$Y3 zn|jiqv-Tp3uo@CkD*Ac33IA#Y_l#+~&Y;hsA~>S7gKMkzZ3KME_XCQ9E?cQYO{fi; z3EgDu2r!B>om<0zd&o~>Z&Pqf_d@wFx7Gqbty@{dRl&JTD=z|(3$5%3mIFISjrr&n 
z)D|W12eP8P($nu@&>L8fqAxlJbcn8w&p*x{=V8gTMO=K(-Q$i!l7IPmih_s}D%$rC zwr5di%ro-gNxPzNJ#OMT6Lf}Oh# z44}Qe{coSwO_cZ?vEI%3mBF}G7~lA8D3mwGOH7Sasuf3}o`6EDK1se2TX=!2S69iB zW5G@~%NjB>01{xz3kE5qsxiZxb$&NbBM74(%Fh(ODKh3JyShGu2zd^0}mO{>kko$kXINk29sCy>~c`KY|KD^Ws(=BV;MZiklRNT8~dc_sF z!R{i%1gR4IRq>lY@q8gY8Jjo4W8HT{{5U(z1!w~i;1>wZ*_z%FVI_Kv-6PphXC z1Q{KP#YHMFW@eT;_55p9k1!u(y5`Cw;~Z|k`zFR0X_K~K1OVnNN#4WgjA5)5w%dsT zWAO|ppu$P)|FHnAJxiA+(PHsApE;77dZBR^;(DE}6K7%MA=Ii{1p@YerE3X0l!)=B z31K#rhuu!FHS}fke<)c9C&Ku$*>?LjA>CJ#bX@VkT$#3X6yM*zpyHzNidm7&kiC9Z zx&FIEt_Y7cGtdRX4mbHLL?-)ZT*PVwJ?Fl`7n$r+A5cf$s-XX9bM8i=0Tih+0Up5W zrF|nt-2ztE(qa{W-M*DMrQ&s4h-Hk~Cu0urrTpLtAE8_=W+ZT^jj0I!eArjpD*xP_ z(E1*auqQGi(GaVcG~!siX(c2m6)?LGRb-sVhP$DR*>_F`4NtRlQMTn-*Y&4zrJEhi zCK5$;UFfDWRdt?=Z-`=zbl*{3lIXB{0gqUn+#tcBK0j`>?d$^~En}8o@_^NzvZgqh z097gJ>af17I61DmFbpPm&&ssE+X45@Q6$s%!aV+~2UiR^zz+i+^{Dr|@3Xwj|J&Epscw+W*swH4JQR{Ja}WS_mnvj+OwQpM&O`Y zYinSlIfclyZMp?MpW3$?BEmJ;E4%%ST3b!ga$C3aevd#(MfIE_+zFa(oRx~6*sIud zTlIPAjrQ~HegXX%(vS!_&_Mz#kMpWKO$>l@N7@u}f19q{>Uk!2Z*kQl5SD@`U=GnV zwN(NFIEjzmVj-x!8aO5%WDLv-J(kl3hOf>#8djsXt=K9kNB(ZTPxi(TKZ|K)zsq;D z7pwPY40gnpua3v6JRFXRR~W<)ai%=fFT&9^3L&aJD~O4c>;SDl4v8Vwn}5kCBF)ys z2RdF;ux7cs3KBVlf0;?F)dgTrN_iWof9qd7LqP<>_BLk6)eHaQ3IRQDdIP`%xR>3W zqc)QC$K3oODdki7qoUOH-VawZlwZ{8nfCDp64go?o4K>;39s=E?C0-*7t=6TIRs{L zbHnu_LHzt-S_dat-Ams8EhVRNLN!?!@`$G+4fOPgQVq?;{+R|dlZpkTGVc}gex#pRTi~VCB>+PeEQ*~hb+gZ;uTyA=r3e7O;~QVv&yY@rl+97 zv9QUl3)T%%t;sudt(x@bXKqb_s}@E8vW|6WxoP-MfyVUFCIBU=o{!gK#^P4aWANcq zpJ_^@vmIVES-u)0p)Z4a20ZsS1Yeu~{c{!Gt$y|xXT*4YT|Q}E_`WZeNRRAFzoicz zVYe~2byADiN67a59EzoIT+m~dOdVNxw(SOKLa!z1O~Z0(+A zNRPZ93gVt#ZGy$`G9YUm{DpEcc0%Y}@<;29E;~4Ecek*i!~}vN7vZ2sFQ4=6FKM{o zq39fYJ-Ix}1_hBuntnpWXV8k{ooJmR-f6GJykbsv>dN zWg>Evq+X-mQq@jG739py@usS|2S98n+eltBAE_89iapuC|JaFgD}1hD>Wh6XRgKa4 z;d&{(#ni`QviT)auCP%!u;uUT`WMPSdO8kBR!%N37CN8!7cAD`hYc6W^C=8!SjCb< zA9-N2tJaACJOgYpFKMkrK&&MXs*)~7V3cRX$PWph<6F&g7@rNA<{?0jwu%^@x5j#% zn<*N8-G{#1|9_83b_8o{YtLxAz}b$fC`bSYL=5|HMuUoAFnoco4UNPQ7eb8i9w_SB 
z8J^{bb2dt)Ln|9#OL3NZqWKtBH&wy;QKx2$YMQiY&FkHWN;6j&Q8H z8q2CIHs@6O`HyhzK{@>Uep@-qfTjD@oJBM}xJsp$FHv7GvfcOSa_dTX{COt#1TPzv zJFC=R@$L1c$FW;VUPB5gw96juEeU?EOzCRZo2rWM8SKesuY$x1L%vfyLnQ!(f9s9u zqWL-T%=7IhR;<{+;&@s+P=p~S z;Y~giY7r1nAr{=g{tII+Yx8!x?_KfwuJm{$5B}H?8n}QMU zE~Yic7&JMVre1VV2|+5N>k*J*oDs1V4LE`s;#axmt1-LwF<%t6J=OkT?d!VC)(anO zi*lmxnBRu!(!rB9q&&VmW4U*Q?}`a2c}vBo!#19~J@umkM9f~mh;*gUk!-nc;`kDRim-7dSO4`nrLaz$=*Ft zAQvOw#;s4r>ZP^7a$fICU=gd0)RtJOr^nk-E{TScl1~6D)n3fVyT<#cB%v>zlcFK8 z2^zM-h#ycf@!jhKTG3FObqOZYx-Vd6JY8#fLhF7bA9<-efREhYprLXLLp-Ywz2 zWpq#ZXu9}|U%E3P%t}B4w7_8VU?0N|U1uin-8rVD)79I1SZbZBQM@nUQ0Qgbp9;K*Tp6`AO~ut@P-US> zz!&(YpGiRsw}qNHAC__~fs-^ya>nP(f*r3E@fdccn9qOSkXp8$@inOga@E2K65xuc zw#K}0#QyOUHKN$_6EV#6cqC;;=vVZ?V21Nn?AHOTvqrNI`2I%cozC^VW03R90h>Xe zx7NszK@s^uw@ZatrMdDTOIhOY;=w%+DEFUdTM|vY`}Tx?E+@g{)I&PO&IH_AXiQ}h z(ren*g;;}#*kJ9$Tny6p^7=jgx`6ibw`5VW7F%wd7~NW&^c4^^pdv5bOxTEo_r7Kr+ET%y5XZBf=l zxFma$!$^(F*Cr9W*~YYN4@_1)=$085l$`)w5_7gekH!KIPPL)9NTjniKy-$4@Bs-1 zW&Qw^9iC;%bfVBDz}xI+$_xD<%zt7~xaPur89*JuaEr+cl%Na1K&2bp!mASDnEO1{ z`CcE$HVfIrU?*|Wxl1H$W2GcDQXvTgmoC7Hm9EpuGY$)|Dbd?$_!GajxC9&cH&voy zOndyDq|4I-%;rPXQQaKkO#D^cd|K|gzKaxbeF_WSEUaMB(T8lGqWUTSUl8j3mTghu zSh7|?%Pd6+X2S_gzcs(sbx|@{W{n2A7X<|H_YB20u6zhbQm5#L6sVDxLJ+jtA#pLflASukJr_|Ewa4fIZT=CzHNX}XO zCG)%&)896|He@jE{Acg)P3JAX9I75yc92Eq@8RL>3tS!_IpgG=nVA`V;H3#&yNI~> zirysiy6CdB>whBb>)WS-&dxx%1BoNHJ`&Hn(-nP@-qVDkFgQli&|!;a!{2j{jvQOo z@M1ak34IMn-7rWw^#!0zJzFh?sVB>h(V2Fj>3tWDIKLNn;XzN5$u8bgUGR^(<^4ZUMn~|u?I{Tak2oQ!GSu^u^M^Jiz zrW7N55b5w^^|lz`wx3s8Tqoawwwjr7XY04=b#*7t*E;T~Ff4x_i=iZ$$ywrL_pw=! 
zE{nmq1EV5GG#Ux#h=DquGS4ESw>fsW9UIsn^>fD31YjD^nP!Vjb6-+u3#_#z00Mvp z2P?~ikE@;{Wm{nAAbP}J0(}v**AEDH3T>@ep^Y;4o1xA6sSI#S1)|=4TQ7sT^bUdw zv;c1cd6rq~WCv#fI^KI#K#q$(hnDx4gbhAl(N-<` zgC&tV?fFl1keTJ$fK!jv@Cc;ScFL4LFg z-uSPtmmDi%dm4Eop;WjIJ%o{s-!+>Oe&y#E{eh)^3R>9E_mv4l$yupb*#U=#$gb<5 zK0*C3imPno2M*f(d`#FoOOU&N-^0DQo zso!e{I#8}o=Hw7VK(V!yt8x+-M!U0*DyeCi|6>(Ht(s1WmmcWi=7`x>jF2gN7Oj(x z6D{@iO6E#ptCD`Bvgx6Y$cIgf;kNpC&aCAmBEnCIeVjr?d8dWq8+NUuPY^l7hd2U) ze0l2YIy$sBD znyv=C-dwlM`7h3Qhq_j@2g5EGvQSL*3!A2++UFIu`Q}QczmQoZC(-k4(v(a8Z9jK#!ax0!yMP`Ybeoe@JOSh7rj8WE;8V$Gd^-@mm@e(~w~j|3 zQLH2tDxc?i;5Ti*yQ`u>o_BS3rGS%_nRn#y^pDHVf4gY?1HoP)jH0cEl6%_QSGc{2 zzylp2<$BK+aq@3&6OMz_y1LTGD=l?3WKJ+~ky~DiPvoEpEAMzZSar5qO;t7Sb`h_XKh$j$(RKos|UVn6g9mK)j ze7YmcGZ*`KDqvGKiI(uoUj#k}RBh&N;jXMU_ zBH^3T{i*ou`r$&cVq!7YKn56MDeH2KICHV`Pn!X+&GK-nuqL>Stb(bU1b9IHdXWb? zA6n(!>P^3pxiO6qet0L>oQBdr3xmx`ojQg&gk=G);~2Ah%)+B@V9wqKoK z((_%b0GNTa7Sb2>YPTh#*MGb_?lbvGQgVH|emAIJHg3rIGERw_m3Fvp4%gNe6?96p z5VP<=OG`0=D#hnKg&IvShRHwvD97Npj;c^nOI&&O8tcYu5y3`>s-jXM!muk_-Jig;cQgF?nRnd`I5!>gckN7ITxZ;x3k0Y*gi>aj^!Hh>Bi7s z(m~tN(~&J4!LjN;&kZ5C81D=9dC%@?wVuYBr>h+=WZeyQJ~bNJ)jM~jeMYtH3pvP% zy!h}FdswQ79hR&<%(#y5jZxmrY>6#chg9q|{xSejMW9v;*RhyWtjcN7t((%rF1HXX zSGnE6+#J+3abG~B;5_^Bk=o)9XJU}UktGqffNtn}=D%+9N^Li{{pO?+qCL1rxBouh z*;G5PP?SG7o#~HNy@Meewm;fk+^Hm=P&3?~H4mo+5yA>xH@6njdT%R_Huz3nq)OXx zFSkZKL|p8=_`&^ig52tUo8R!+n$I7d9Jfp^`MR^u8!QH*iq&SHEnU@}NQNvBkTLJ2 zti}dw&HKwxp}F>yu%Qa~g-S57hTEj>TwYol7T?HV!75xy4f;cSF6s9`8gOM&bL}Tl z6GO#0X{xO~6VA&-=;7d^0{TysuaQ?a@*+TwM66qx|J7aLp9!0@(EhdBxaEvTUQ0?A z#A~x9#aOU4EnNf+g>0Y02JE+5>F99leN9XAF^`k{C7Pa)$*Yiag#*h}zA+t_b#|^Y z{zyRlz&nwH1cRkj$?NuaV4N6E3&-f~-dEn+AXuuWCBQx8hp_!*FWjUI?C8M(1jeI0 zrmaVc7cbKN=euB1rfBWN3BCy>EteYS60JN7CI{mnn`>l*vQ=zadDhEtz~YEqsNfJA zWV)8&$9b=G%}bn>Gaf}G3DZe;br-{+QW$jdGSbI zNEv}V-Q8v;A6S@~6(vS}6}4SH3x~`9e7BGtTDfWv6ir76_rh>ZD6sY* zL9-Lp!&Vv2P)?H{^6H;vpM@i&R3Sf28bF@!%(3+EWL zrAPhFUY5RLD^ciBmVf=%q${~+1t4=En;J;ND-^F|G>4az8o(TemE?e5p&R3X783D( zGXtC&T;&dwJe26HEu$(HhjY>eDc-WThs_(l>V))gX`ma-YWM| 
z9)l3EuOb0VsY4?o@nlGYvvyN`;h9Q4JgZq7DQ;_{QOoYNVgiz%Z;I7|2aQ7QN#YH0$!+BdGFXPP7=;T(Q8F`;_DJSp2Psq?W|%2yO_ zarz@RT6{Kw3Gy|**#awNKBwh&3^t#L9c_BhX%O}6@0`e=yty1k zM0AMTTSH~UfCC23F^CYI@A;OPAmCo>n|Sp{GxkzHyfj>W1v?$irJ%I z-63hNSgXZ$ber1=Z#}EIoYk&tT_DA5n673xm!vaEYYHAMjOEmGy~kF-IzsxOaVh`n z@o0OF$JfH0{pAb7Eu&rQInHiij62%Olrh&mKIY*PrI~R9lbFxe8SU9sGD1R><0RD_ z+oUV;H;|T+_l>qXJJESSOSUt zMpgm@^bN6FzLVit#0{u}&=C>H(ts_IesU?jhyR42G|A+Jlnl$kC#@xYvORk^P;GE; z%v_2%zqxsn+{k{CkaF;V4W{64%x>#>V$Yp)GIa)WM+{qicJf>pCW(_#=XOvnzd;4@ z9~>OC%zNkh&Q|t@e#EAV33X$tm)KqY`X*P)C@-2cv+hWa^hqwMujfe6BM$7!R52Wm<>d!1`T+ znSx~N($5ctyCzLVoGYSLgp2FUwkkN(>zg^W4DZkadO+~jg1emv>yF(qs}18*^Yf+O zFWj81=D%%S-fxV>p@9|mvhh$HRNP>sKQW%xN1JWL3{ki=^-Wvtk+mi`!E7OC2MQpt z&s?8%QdV~kFMm?svT;dSJy%Q@ubtociT>Zl?7+@tH8NnpN>zDDikH_t1SyDGfz_^~ zUEt~dZmY78X{ASzz!cToLImaW+}t5A;DzwLTg%v`5!uo5qu`Oc_D9oWbpb`dvK=wa z*-S$$hp)Q-*-0)Psgyfk!{I4Ku)1` z0A~;L1E`W6Cd+vNr;ddf|6L(zOd3xW-WU$Si%;S5GF~Qh3#0X);a&U5+=#6OH7I=6 zc5ykQgosGqFA_^-6$ItJyz4RV3B}C}oqpL%{J0_-GN+&azD2m2Sj)>{R&7n3iK$!2 zravJAIf0AmrzPdFzV=8%riD%+jbv#>OeXHOX=cCBF=KApexI zwseshJ{ob{R7Wj)k|PnHS^XlR5vbDkw8`xuJ5Q`3E%mIWPHyoLB`pTZ@iRv7QW7Yc zlayrcFrS~Dy%HWuNDHd6-vA_F>)(=Y2vU%LPIxw3TCp z%wQ*iKy%ZP=9(4!`}-N)Xgu!R&wp@7;;m1;ip=quy{tmWj>Rcx9)m$H*_Sykjen$mJ}dZJtCh$r>16!R_m%5?1Hn%Z+xVSe zEkMY8Bk(X{m zw?>b)OWKxZ=?wTto0;H|Pa!^q-vLq*DFN$0_L zUa$Q**tmVHr0{?Q@!W~hacxB}Ssfz!zRl$l{2~Ddtgsv}0jq@X$O+8jW;kI^*`b@> z2~HTkv^6sd(z1XS`3L8&J8O-`-R2e&zZGX0OQF!fW*Sd*gBM*H`Wm`xv9HNyJB*9~ z5QkA?liv)pN|8p{)Z6dwzHZz=s&(rF*krIwYPk;>)e>};Mf6*j+1x^^cx|v=3YD_4 z84-cMwD-J>RS`A8UBGxu$l318w0`U6wiIEk?JZ?S1I?^CAcL30kCt?$P%y4bsL6=z z-R9y)YzidP^r_+X0)++ySh{sGP4iM57SXGuZk1R`K+^ zU~HD2OYo?{WyKYF^swZd0I@MKjCtTLlT;3~_ht6<^yy33)oSy_~nZ7W!U5_0wo4H@CzPPxG1pyNL))5bbVDst>=`I%CjFTjW1sCGR@Z`rw{umkgI-hthaM9%0ky5 zJ^b-ff+=^20rs|aK93|~csbNjugXnYggCM)QGW@l(cQ{TtC1zb7Ni-|v7wRC(WiJw zKcB#TtD719!^4Bx_pfO-c6|r(gQ1s~mzi&8-oWWLG&Hm{j=av!PRYG)t}RJSz^jg~ zV3XrQZCbus;;$&uF|fg%_y;_#UOBZR z-@c=5=upeIjZ@8}HBC!l0SPtH7wm~fr4j$#Up+%2AsZY)H%1UmLa-ZO- 
zWa^UqkVdZC$%1^X zeMX~ab4s?yqDA1&#;4>PJ^m1AS&QFdG>%;CzONpRf@3qb*0Lf+vnGxT>Z@L@3$ z(Ii5Y79I^1tWcYX(*>`F#^Xjl2jgYPb!;J~#Q3hKFRE2cZg-IS%A1@}?S zsm%xTl&VIE{Q)A>$5L)DMdpX@%8E;u{YG7E?h#`f^7%ucPy_Fxd}A}^O8UdzGclq| zT@>-dvU%K1$Y1%d$P;4HZ&4X!j8B4gYjqxehMSr&zHbEE>-XAa4%a$i4Gnj;8|bSY z)m#TJe!kx_n1LrwD{@FYSKbAU{Eo5>=1P)8*yi7(wEX?gpC{aS@3y1NT^f=*vga04 zXUFbT-U^Qk{bHM%9@rRpsYgv4JnQ+#>^dtQ4(@eV<-5#fW2vSlhFSB%jop5?QJ@!D zA6TWwwNkAlx)JQ9Zd`9R1IYZu#ZKFO>N`4ouUedUn~->%CaQ|;J0trOm6HHl<=GjUfPc>K)hJ3}UFn1Y-wPYalP}t4i?yFA)?O zAtl0OLJn?)EL(& zOpr_%s)Y)4C8?a_m^m&n*t!D@iN(OVixsvN#uV(AhPGD&!f91z%O!@dF{O3MN9Oan@%ly|o_PRP{;V4d|$tD5mmIc(G zF^EtFD-jjWDbhx4WwJbP)DrIu9ydS zpT1u}1-S_8glfB;$-E;#mlQhD!vezv2ILgV%cyG>8OEKWW`a9(!f*g+SxbF7;Fk$k5*nH;Un0QOj@F!-dJpq4NPu6S z=RE-*anWz(_Pz&0BJ=ymExaM_&+X{JUF0ZIUfv9|yd@FvOTtTb7p;SiuOp4%PD6Y9 zT8sT^Q`Je6x%PzM`||G9&=V6At>>Sj?Qy1!Ar8&2A ze*t|Wgw8?uX@sM9mBfd-WJ*41;RmKufi4jR_KRrU19F)JPn7jqE{}A9*IReVi1h02 zJ3kVoYd!;Yl(&HR*prHg;~PIKNFP~Mk$J0?vu>M#|9bb!LTtDx0n7-4P1f)MK7Ezv z-5`oLd4LU7z+`$kHnVC=9fdTMWK@B^OnLbM-PQYl&q6Xl6WDzMfm*v%DoY`ABmTme zI2co2&2B4Q|2#xF#w_-Cw5S9yiCzQhuJJ)VM`@2n0w1q8rwR2A`ch(p=WBu&izs?t zy$G>`$1mcTZ7)MayD6>lB(=eatY?M3vX;@DfK68Wn>h0a!)I)! 
z{x4GOuU@W)dO}+gkD`>wIG7duI^8e0F+k`!r&K0k4Qe!4`PaG zX+TQ`h)zpcXZWw$8n`fg zm99bAD-20ar~!&psC@pKw^_T)K-_pnpTBvdeo`526`?*{altBLzd#^3?MCIjwtTcP zo=~AS)s=hVf7c7VYbot$*S>w<(;#>b!)$&oj7u?jgeJ_?>Q(wuZq?aWJ$$DE*l!Zv zE#gmv=~zQ=$LDTTZrsuPIM);48dqseb>7)B6 zpNHc$htQ9?M$yR8muAbJZ{eOt17%N4ZP6}9N7jonNo=fzEtpA}d(d_$(7m<}f0kpi z2&|fXet?nXsZ$rf^T8DEO#*tV5)V#;(>o$i>y#F$IXdnZW7U%}!tlHZ zl*a7JG7n0A7tq@kdvaFA2|=%U3iydE)q6aCf5`N{ZJr=#m;vUlUJQ@Z+HqV zt!18D;|w=G8ePlTk6IuN#sbfc{8LCXx`nX4Ok&+UDcETZM`s5~PZ6tND4+&MqkUFI z1S|C($`c6@TVPO`+X$TUban>;7&gC3(X~y|?#F-gq5)1!fxp)DI1J$rT#r+d4dFqH zh*N&WWHhIOd%^nb<827wJnb{)^NiMrh6JgYw@Ax>m}U>!bd+oL&e9<&2$h?GY}c;k zlQKe|Wk9NGCp;V;6u29}iL_O{j;$3rCIV@d4VZ+}d@c>agcKg0_!tsRs4W1=uT3?5 z=k&65ASK%-CNkX!|9p^YH(-kyedki{#mZzeH& z^)H^45X@jvT9E8m5aIwJpLVW$aq#~c#~jFSc)NtwgUHt-{{gnE-^w8akM)2nI129d zis&&_ZAFylD(HkRSWHm{pm_~LtAe^F;-jK?us7P)g#|b3>{-kq=|`kgUnz;Y1$Vl} z3KQ*13u-_eV-6mwgEX2`k-ZMecSkt%V(FTy_-zgIGNPyltDr!A8nhT};JK7Xps>!4y??Qk^YK#gjOI#f{lBohMb@KiHXZXjx}+)ni^>O|{Dr;eFrASP+O13de)&iQnmV}giI{S|^x3k|gFDRZT%0h7Aao`NwlhR3bd%_Btq`{K5_9voLltd6v##bR-w9c$R*)Zl8bMffT6GS z1TNIEpT4I;Z*!p={ZfpWsdUqw?X;x6hsy*6&GX@HS`@^=b~1Pf=P9 zblup`l1uibbJ!Nalj4S4N<&!h8Qr0&EnJ(i0Kd_JW0;4wPZc=@uU;a*xK|B*o zS#JygpJhFc57uT*)u&-0rA0OUZMxV5L!I{m01LCJ-?!lk=P<4D&jS#Xn4*yDt6wTo z0Kn2eO7C`EvA7dz0{WHu@#LF}ZyB=zrF+!*0lJip(H{^7#^HH7tD2D}>+UPS!M?1F zd!ll@hqCzGAzzDBcx?C|h?XYnJ4O&Ed7{_}CpEZRK;*9q7y2xu+d>(pHXpCzboO)P zNv6XxTXaTS?R4Zu`J0V9(B^b}9R&tNBLLQTnyNz^rK5J!SlBqPhewB*g;Xe>wFbIQf_y%$$ zpW1)wh@vcjG00OaK3n=(Kdpk9KLLqXl{h|<)W`q_&7sCq!WtrxXjBHa<$P#+%NnZWtVwihE?2Vl5j2Cj@LYA5`91gU| zA(sFP_fp{l1j)Mz@yqB4o~YEN$ujm^d2BP?1nuu>5-_Pq6d~bc4yAUM8k7*}r6%~4hs}Hg~kJFVBde(XH6OL2@H6r^!8b?NQpahYnd(MRe_R0nM6bd8} znfY|Zka-K!4x_ARwP2^tdyNsCi0}Db2QP{JHs?YDs&!3hQr(^-!$GZz|K|#M%8~Z- zWz)#G%#p+3J@A7uz=<>ddzJobkt^Mv+)DnVA#ksfKIska%||2ML_0o9 z9f2;q(|3`icNlbAh!yi^gBtARUkoj<0c812|94s~LcNs~O#V-ozHm)8fasenQ&7Nz z(WfIUGjrUUNYb^G6bX{}hx5C@!H`LaS zTtYTPgy8`+QY>a&qs<4se;4|O^6G!;3-6;gfA_)j(2-_`vA__Kr{Xc3!vIWxXHLx7 
z(a>DOsSA)@FK;~8vDH7;I6;sWs%(tV5I+fu!y`$oiJ$;Bp6Ah|1vA1^q&=KJxooz> zmF}`kF)YW2BkVg`94GkB=OcMXHs{08GHXFP)TtTvpj$1CnQC0Hi7! zW(7A_-qc2*9yHFWWl{4h24VT{4JoSh^wx{+i9r9OP+%9ASVhB3)T-J_5&pu;siVQ* zbVy^8qAhM%6G`a@6~@MXonf2(+-I-HIllWTnh%3ZBHQYluA`IF3aN-OK46DPo_MdQ zerJgoN(eTNlMy@ZNT+rTIawXr$l5T|`r8kjJ?AJU$}O()NsP!rV%VHwlkMXTOQIr$ zdDuZ8N3uF;-`az5_~cDRfOlz$P+m?Lz><6`q|SCu`!lUI!OiaxC?qIB@SL^6G{qSZ2nv}$rKNpm| zynHjpG$R>Q=FRLi)5r%e%LN_4N8_i?CAQZMw-?OyI7#r0c~Im=(3mLq4=gg{@jYk> zAN7yqa)TIyq$gR0R~rh?%?cNf!zt*rNK_*xj4_&6hg9sD#=M5osHNH9+g9ba_4OIn zT*OOEAi;Pbkt&6!NTxF>Dj`UuE6?wR@I1Umu^qAVFRDggKB3B70Ck)*CEz_9)sfX^ z_57%Ed<}xZ=&Y`u{3%?HVZv`b;~JhY!XA1QfyNBa8GD~X&!E_OU^San4om%W45504Uv(8%T{=Zy@wV9T>#qX7pYK z$5p{5#;~WjOIe>*(D=fB^8o=bSdLd<-WJ`ap*!cre7FPr>a?53-BdJ~uHS%RU*@M( zXSCb;)ibAgdpxKPF2Q7W5iT@At?tTEM{a0~+3?S8NLSxEY(%EYOM(LwIVja|X-4>@ zsC6WS@Q@n9uMRmiaq#%#o-`>&$aA=&T9FrDIY~)moz3E`ylx99pE9mvDOFWf z0krU6zk-_LQ&SJljjovl6rR<>tnBPCU(vSEF?^Me$d>q?nW?`T z6yC*21xJt8b2VWNC7ckw{v)N+hnl9!b&ierZRcF-QBWm@$+Vk**8}p=BdFMRW{+r| z7$TTu}5b$bRZ=SxBeTEYZsY zL*F4i;jzj`WhO-E?dY}Reu~Ms>Sc`leVz=RF68lRr?~@dYh&LjnZ9`5j$uRFZoE58)Am$Dq}0(*k;lcf?N6v2skJ~fJMdv zg%L%Fm+8;{3h|y)FrL)~9zv^MDM$G`T|Ie|9+l&Evucx_N5KblreHOphx0d|$7UW% zHNRxrN4{cHch+#Q>XOjw-I-VHCRsi7bAOf`KIetE!5f1qxYim!y-@G)Hqe5fgEB-2 zD6ivkppReo@HnaH)=N9wb6_NC>T4{428b%OF!FEQn+F45Y)lKTld|7zAg{VVRBk|P z|8o0pVaoW&4jap#@2pV6;8z?;qqpZfYuzS0vCfCQ}J1NKwVw_ZA-=dql7valf3y!VYA+G~EQTU2hN zzNn@@Dj$76gCt{wBEdNmVNHn6u8ScsKFw?aksjDM?+mgvV$j(_`*u)Y(E+~`DHr)8 znDJRZIldQ}XXqggt_1rH23n7?g--@QE66T&G>ape@lB$>WiqdXUg?VbgeGy*l5Hql z^rRZtZA-%7i<0tZrf@)3@W1Vik^pe_O+}L%T_NXk%)GD)*k=}L>)=nyD&vQnHo^wf znFS@9P?v^un*8YT0hJ_Z_Z7jiGBF2Oxa1kS;N+?n&(dN%>zjY`4=$ zEzq8c5rg`U)(XlC^Ge|LBa#E`{GqrNHPq%JSdD~cC#;@2h2f|P*$?^t0-WF^ceE8ZN|Q;|NxB&Zlx z<$%ZDjRvcQO5NsSV_aKQ7F|qx$tYaXalH5W!G07*vAL(W_ihi5bSyf5B;d9ArCV)u zq8`S~9bF|HBKG*WBwr4eL)chSSpf<{@|!j^AGRyMAuNvq#p0vPT9l%b?0IIbIo#;q zum(t|u@`<=!;Y`{R*{IqfkH|9cFW z4xPtYn=G}0gDhCnySX=#k(0uT8;MXma3j^)CcORy(^ zSI?{1;noSuC8Sk`vP-niJ0-$su3SBD 
zbNC%4#0vHChW2>*7o{Fz+krr~Qtc}lnszMBV+27@f44>JQ9z5ivI7LH#8%H!#HD`6 z8CZT>;SDLwT>N7e$@^AIVqfu-rU91oc#HNl%HbRfdjesW$pXo7gBEJtOrlxVez%{Y zI`pv(@aX2_(nh=xNdI*KV~Bw|=mpK%k8kBm;mvX27%$M12iR%SdZ?+zg2w00Xv#=Z zbXaiUvG8XWickDa(uFnHV4jQ?yFr@{hL6yYW!~4`7v*Y7m+RXpr2<=vX!#@%sEuCFiwNb9UuT#32d>F%WVMltn zgS7Cg?LRi0Arq*vDqned``ZrDL{f|(lz%^K`L6%qY@T9B7|}hUao48dn#*7~&bQVX zQLoMlqb((B?zCzdj0OD~t6h1f*@!L!?vsnUz^`mODxZLW8pF(d&;So>CEN*RSIaBj zKUb%Ua{Gh|qd0v%KQ7cTjJ@VssbtIrvvK$ITM8R3l6;UByl_o}foO*TWQh)@A``{V z4cfBuI7fY7MZ*ahhzWjd*EGvsypDy39YgFMu29@oq)%0C-5?^QTtStf_P9DXlNhn>=Snq$zTy$d-VnU_w)jFv+>Spld)@i~k@g;%Kd)yZON^1ogSu?0m zW?a>}Cu5Xpi3z>^vNVd96C|fsN|81wv+SN}XK<^?@DoP?E-uq~8^kx9lysCO@*J%W z5iF*PytK!ncVDMW*b6t`@RS!Y1QUehxl;qNOZzx0T`0A_+)~{~B=R`OnkiJ9lvlY1YI`(dmnpqZ2X-ti92`k9&e=EI^Ef?3Z><7fM@$DH|352rzV)H z5O2e|Be(T4K0XWr+24bkLde1!IXbHQ3r}XMRVfJ)yugohaD{I3xzH?oh?eQ!joI5#xeKxZT>(^ZGqytLqEG${#oKBlY97o$9&#j3D9g!p z+f+p~#2`Wt`%Ln6NTKD{w#lFPhIM1_7BL(aY{ieu8`VK<#>m1yA z7soeP-J%0rq{Z<>X0#KaPO|2oiD*u^U4d8y;c}3%HVxQwa4b5Jq7;No#91FZa~!Nn zkA5SjBIG-GI}Tmxzo9`zi#gG$JhXV~uVH;MI_nz3f$mjQ>;2``y@&)R#%ny=%wRaj z3xkf~A=#_9-}IRP=rXfN521CfcA}cY z1d%}L<>&qNgz7{AlX#;D7&&U!Qn~d8NW*dkL$8d|(W`gR?0(r{UZ>L$TMhBFua@o2 z4U%-n?h%L{bZ*z}>BczZ%ATr#>8%uF{##+|FYR@XWv-S;Qvsw;%$3byZq$-|BZT$z z_kdh*u_bV<8-Q*!z+=f++91XyBNbqK>`~s)S*OG64j@09Eh-i`^tNzv_x$0%RQQo2 z0wU{7gP1E;VElu8BaIyizioeYo5x!+j4+mw@QsEm#%)Ql%n$0c-`s{3b) zfmh3A%T_1-%LQ0STNC?I>eb0)#TVFX8KP-$4YhT>5%rExkM&3?3@eS>Cyp6W#DA=} z?KDHoZRK*Wao~k*OH02!tjSZz!2xDej85~GdPfXMx!VTWeLtghtxN86r-c>OApN@< zZ{&Rnx})=Jm9IsU-k{SaV|b3kNPhXk&A~um_+=(jh!!Nnt7bGl(9yP76}5gG?-_&1{2E#%k$m)p?DHVL+y9CG^O3 z17A|4)cqK_KBbUGkQ9&V>7AN(5dfP!rSK2jqmk)o`Q>)CPy*fxh7yQ?*b^uK*C>U3 zt7Z|YSQc}@-%^J~gB_g}OswHMg_Q+8P2lpnRBn4GrYy+h?`*Pxq8PpTL1I18K~ZU4 zoxEPYhH<&p_h=$Fd00GM5V|QY>c3Gd*{0Pg3^OZovoD<5J=dG$A~1O@1M-IE#VZ|! 
zs@o4QFSla}{E-P=l;m;$#c?vI7>KOHKpjD9Qo4Du+3(+s;VvBQE1$eo6Lh;t`hz}v zE4AI>Ww#D|5^_`yKONgGBGDka%4gTj=MVX`bH%COPN&i@95B~9(ds-^7$FtOihH#($0Ki&_utkpo@Mp$(v_Z?IP-7sb_;}I{Q6*#)xP% z>DeDvS;^_28o%Bt$TE6xv*$Yc*6&0r%He!A&kN8UV>1UN>+GBXp|r+!rn^Q#r|!Vo1evpZf={Q0YvLFdoaXVcR?&q{Qb z8&Wc3;^*&d(Crb>{6qO?DlJ_azwQahcwuk}Y#ENU4nNNtt!#Md8Nzi7vgZ*#)h$t% zkY57gpK$PO{%RhM9*J3jf-nbibG)s+FP_eGVln|0nk|MtqSI`TLy z(R5vKaL%$iHJtM|f=e@m-WJKPIs^4TLCma^$!i7sPge9I#j}M5>_n6+0ys^-d0%w(=EO|uRoi{>pzBxQjXjBL9*0I{ zLftwJ{z^EGkc_A>-BYH`LXBn-_TW%a>Kc+8=1wRHRG*<)!DO1q%;1orkbuNUs_A^z z45?bj!8_p+(!pN!&6~XQ?*R<5vg;+LQhTiWfZFK7NFi?RkUpn10=XS^2V@upVsz(T z961S$7bQ?FQFqz$>^r5o;LSI^fjAD2E6;BGeXRx#ZmoO7pO0Ws12X)NFNHqA4k*^U z>*#WU70cU4*fpe#g%|@Pr^JMh+`#rCI_$fE^vE=C%?w%=ca%XaF!K<|%R#l}*=`wz zhgE ze@1^MMB zao~UB{R2EW7bOcFFld(U?(PO0`#6cLZu&wy+oI$vRPs&@y-_!)x#$7>6(aJ7;%U`r zSF{1AnDtHLGswsGJ-xS!9A^DUw=Qk@x&@faeMr2#s?dI}nhm>zi}@BkJ8S|Jy=u@; zG+_>#TTNA#A}d-Gq$2?w{h_W=@swvoETgiXfx=h6MfFq5<8qf$skdI@Fci7knm)$n z=~!wv;4%*_k@iG_n7@!~E-GWvZm3~J@`d232YY4%odw0(1d_7WHv%rWcthYE#qwl# z%X(EvZukM6mNq{pHwFCj%MZyA3-m{XUdRFOBVkQ{Y<`FP9R-eI0epzbSK{f^+w{QLPhamhSSRV1(>4d!j{i{00{t&b$U+kU2Qszd-4hij84DV>{(2Tj&px zXbU!qY?g-IvZJ?SR-bSiHdUF&BRa96$+^vbb!vKm5MdZ9BO6}#fxjgMJj7*>F`iRV zxi%z>E^w!tObcF^Mzk!Jby&%*7>-;EHQ@)b0ATbU*|HO&f$xg5ZWn7=3vC_`MWa*o zf;z^}IAL}fX!faO8tsAamQGvAVXt?d_Ji70gKTl%`GLtmCCf}V%)jW5aApuY@%)-k zZUifxCQ>|s2uv9&o9t;0&mk2FHx+g%y1VVBp_kRSl3Q#$P#o&ytC$9Z3j%;{5Wbj= zCpV%PRIC=_Aid<;yDY{o{PT%(X>U%3rTz#o$ zB7L}k+tsL#j8|5nb36J>a$Q*Q>)=d7%<9eaucJ1U&Ej~YVKj=+oEl|rN^wo86Soqe zl}u|-$q^8>_)HjJF$0i#W%Yt_4PrB;1n@3}{q<9E@acY_1IUw_6lb_0P>3iGzye+e zO6)bKNT2nE`-oY?Msje%#Z0h)8JByAl{uQMM zsn2%3k_+RUq*IYSr}Dpl<<^IB$*%yw8ftL9qSVzd70RpW;XuXU6T#G|8dg5!mzTWI zBXMt2Za(Au-qVc(?453vyz!7|YMJ@YXb(!{0$jyLw;~^WzG$?TBv28rMqgnBoN7cX zYiWRL+*wz=!?KUHe}MhfD{b}j3GO*gzTU@0uSb+BL=P?3dFp4-6H3yL@u9_ML**%c z0yv*vq+98>x!a>1=wbE|SY}|gRuQ`#=7zQ&YrNtrh6`YkLHc1_)9mufST7nyfm(z5?fiz#@j2UK8 z{YgblmckDa0H3GEjVe~{8eDSfME4xYrV#MPHe}Ax$1(^oKX- 
zny18=d}!xdYm!@O#^**S3zt;(Q3}`Mg^bO#9wsl+EYw?yr80N(a{Z*&_x*Fm38U$Z zaImkX{f(bni!*~%A(1LCPZ;i8VaiZKAGQ3P4%_)yZJN)WvR6#LOxrKs%sDSqjXktN zsox5O9)7bKs6y3(#o(p#3AcBWYeDVLM1fi82pzDdohd0;-xV{@#XK*ROyftyXpwC& z8`@REe!7h2VJYL5muse6U`qToamWn_YITF4s$DG`q)QX!V&)32^+h>DDs%{UJBJx9 z2J~joEhg*dH2@|@8N}-&M!$%Npk*+!9tY)%_lEB`NR-K{b3Fu$g7x>OZ+-AuDIt9{ zLXx#;p<<5E@2bDjB# z4+AKe*OWuOO2aHqRI%&U>uKo6eI?|izFoDvPQ#U%B){_G1)6~p&>nNqNXYcHywAl9 z;B$GYnyB+)vZ~n>A!{>VPg zZH7bPN!o~2vrU2KTJ<=Qy;GiGgjyycnX%hAy1iB4Z7S*|1%PuH62|hDK{S1;NmuY_ zMc&%SLuax&oz5peifKBcz?Q(8wrH!>=(^5h;HU;miS3FL-naba|Nw~@Qtm*NpL1`uGfEF69HS0NtM4P!;yp?f#nl$m<0qmES2GC-aH12=U@LaeKpJ1EyA0^3b0z6_nOt=io2pE^+Y=6 z9ve@Ss3?YGtpXZ(kX)Xa!w5l^#+X$BcFNVgNQ`(~AH@R8AdgNl$zT$=X&7)QR-N{3 zE5dg#@HKC;-uu)nD2~n>4~Mr|{JK}}FFDtjlB8@3 zp8nZtU>-(#eG~R517RhIjnV~=^n7T!#Xe|E2h!07tn3-g43vnmdw8~PQ06Sx;n*4b zKA9K&2}70eR-#uLXSEEG`7Ot-rj|v^i~EB*+k9wAfLlNEb?0DBs{w5U9zHfMc4 zM!OO)S7wQ?`G^Kwq(YkF&sd92dHL%1?SFD3@VS+Q%*`{f=sI8m*Q-R3PbJ8v+UQ0N zofVc=7-iLWHw%Y>O1zmrf0D(oMr};cww2sa0e_|cOk6wn=6tq6LuJ@3md|LgnICI8 z{XG0>oIB%(@-Vya+5ik2{`$hY{cL!1NrHEv4zrSXD)3!fAB3(Wbcp~Ipw8zebYD_) zbaCjS1UHbU%xmnpGvRzC7JHU~@)Q+MLvP5M9mMjvjZ~%H1H&A&xAPTl*%%W04d4AI zOhcMmknmhvTU+y8mLZ*ur0qbFifjRGns4GsHk8<}rBJgQ3eV6gAPW*hduBlSHJi?1 zdKAry1NmoFoXPN9aOke1ZW0ap#};v{wVQ!O!x=(jb^o0%3jUC^2bV2P8>C6KBlH@f zXBpU2Ky<^jzMHO~Gk&UoaW}=*)n}0BSE92x>{`n^aG%>7DOc;2Q;jOxew_}4tU-)VEXPUi0z$NxVEVUWWmhP zErNkttO%F+oh`fxfAMI4Ufv;Pj9Yp8OB}=>WRbnSpcyFT0sg% zjIw%>uJc9gQA936y?D)nECM_X0eRp1gxF>Ql}w1Uf9N4&$^VN z^eMV_*@*=8EX-|jpwjVbV$Q8rnYA-2n9poLuN~4(EOU;jod;eBZ21IZd>D`5k`vc) zxLc7;vASSm?LzHE_uM@2WjOp?EdIWfR+Fd!GtI~=W?1X)v^#C97|NpqFlROV(b{4i z`G_KcXb6+%PFTWn)kzDcDnx{T3**8x)Y-wne8EHD4dQJYJ;yFD_j)?x1q%2o_9|~+ zkbO(=&hi`6mriVn40~rM_{NW|_`KuKgRHtXVWT_j^Bya>+G;ZB0KIEm?u0JkY6zo0 zdS(%IsmGalP{s{DVpKr_ozIIdi83f}{8ULiDNaD0YOGiK$JScs82bwNN8*bZypa9! 
zMB**%yj{cItI(w`#@9iI2tIoLEAdRgGUvQ(r~Mg@#GHb4RT__>4s$K(Q|8~N%E+>8 zXI+m}DWbF!(`}pF_T$!nNoubN-0Q{PvTzA9-O)wQ%oSWaWHA0>ceY{jU~w^(VfV8w z_Ww-(J;2B9u=^^bNlL+M+=&5bvgw9m{S*=$Ml;9u&vGb&Lm^Xc#~VE@q)MD*)fpP~ zMqTa4+RilwcMl(yn-Hk4c7vktX~ab^a0PX-tL@MPsn+nThR zMio!bH6pxlw}@c8brd)C-?(A6`|ykb1cl3=NbxlpO~TQbp#d3%g_SII1b`Xf_N|t@ zdNrBaA4zqjU1u*GunAp5%;5=9?op!L78+J-f9(-Px20}x^1;Z2cc=l3kgb^-#mRf7 z(>@w@lMR2SQvVH2-^|R{!It$=j0S;DwWZNgF$avv(4z}IHwmZBU1)L;`VM8+CX+AE zD+_VTa8u&{uq5PAzkTnuk0F-xlRKG_6y;n)A8<@xzMFTyVqFw0_}6%X=YEtII>`u+ z0AXj-Q5%}0tTNcGZ$YdZNENP9AXS2%lHCUQ&R56?KNUm_>SWC4x}h4zE>r zCAbHRhW=+qi`Bms#Ii9Q`Om)3{(~8e72N+9src(Et?IhAAt|6nT^H|a-*}5Cu^WTZuQZ)j+ia!4#!{&y!SIBY)$ zmVOL^HQ}nP)9*6sxlgLzOxAM^IsNyD(>pX(H~iWjpW42$^TLwcceT{s<3?LsC>!J! z!tK27`#{D-qFB~en&z9IXE|~MJAwGGf3G*({F(W64o)pK1y5%NegaB-zsrOgzb%EIUbA~ zYP+l&{CMzrOP{UIJZjjzonF?ccsUu#aE!3GhbKxi^m&Jo%w9!}9TX?76dd?<*9;kY ze60T6(P4OYyn+(u*@1UfABM&P0LdS`P0DfT0J5$L*sib-H+_EEL zeauo`{em^W2-S&$b}6+#4ZR*eE?@P=FxF08zS(_UnyZRE#@(dH-3^~{mkl$!k`;P; z53$ld3vIkJhj%dq`HnO7; zs^CKpYiGwmIl9OQfq;%yHyrk&ivu=>) z9~usv#00=mZH6Iek7LLQa12c~q=b(Qx%F+WC@VD3$6yHmP1ZWOg`9Hp43~^}u}wQ1 zse@0OLEOp~CswnO4D==3pA*dv<_sviaM#9pQ_*_lStr`CW`pI;q{P|KzR>Z;s}+~o z$z*Y(ZM~*ACEuD$>g7MjB+*E&m3)05G*%(8O0qWL)<^?i3c0i#r_SsqIT4mlkhmm_ zW#xzR4&$=|=L7rA2M>cqmi1&pot`NUp=rl3_A>p^BGv9HkUm74vslo&Q&|V`0=14L zTnbSKK|zLtWa5>URCy5{i2Fq{2wQ!cf?mt(w-OGVJ~5&9fi&smeMceOCz}9G*>R70A2&`pOa$87 z0qE39x%oSnkT5++Fmf&05quMpKNtM3%6M-hBSGy6^F$*v*kWZ>W=54Zz(5NZ^G>!- zzaaE`+$Q8?c+mwtGQSf#w4-jz%gV}f$+LBom(%ZRs&j4BceqFniw`F2a~|g?>!PyA zzeirE3HQfQKlrDm9XZE@CkG*WyKI6Ez*&XrgQO=mKiHH_S zVZ~-2HCp&xn|R=ERx)Cwsjlu%BHs63+HW%;GD}U}g|7-3jP{Jr&@La3p=0cu$0w7m z8aY@y=|ygze@+XFozc?L+CxwvYhppaS5E9p2yEd%!mP-V&+87q6cMzuKc0bd@5vX6 zI^A<(dJ?;niEzJaY8Yv)EOv;kIDwC4PZr5L7gw{-&C6BrlFCBmnzy}7jyG>G=)E}(BOapA6d=7_dZ5x+I`M@&U;hTm=uaw7{9q(Or` z63($k%ei%2!QzlDiqatq(o@b+SYnSRvIWOF&9-WKqZRaSwCII}{i+huk-s&Z^Ix?= zxP;U$?MUiW5jOhmvvq|t!vuR4mg(F@DT$+rpKH)Hb2m#>8!J-Ap1|D5uD%7jwY_+j 
z3eNrgVy_PS#*z#z9|*>O7%XVduV3D{N{DQRH~&ioAlbXW2WX)}J25Z}1E(GT>1-;K zG#?p{&fGL?-TxU9Y)+Gpr9+IpiW*ckc$E>+aYfu;4M&&D)N;D(mB@kbZ*_m4(on)*4?t9tv$0 z)tQNGMG^g1GB1ox2L0FpHV!!m~z%5YP&j73XSq#I8K*358+$FZxhi_5D(>gZ|q%PM>9HU5a^AJO$6epkDYW4o~|L6wrBYyJ2 zj~^mvYS3wZAsEyoQkqA(VULz@vInR;m?EYPr)xMN$qaMYz^TrhzcgI(QGJbTl;{ic zkgB`Vt(GB1q7+HHF7j(Y(*I-YD}dr!nzn(E0D<7{?g<2!pxFdiBm{SNC%8)>?Bebc z+}+*X-Gc@9;Qk-(eed^5{nXa(DQeH2nV#;R?w+T+LxV#cCr8RszA90*k$Q}wVs!Qb zCrC`hClKsdz5&b6zX-5kQ7Qb8*zP0{%6;2#`;IVF(*xZwcGO}v{2XlO^$LS+n$HPS z_!I}N`ZdJ8sbpt+^CR8vmKw$LZS~YivBq`#7^s;N4gCE);ai5nHS5cbX2_P0&{UDk z7UxNS$a66l+1JKZq7!YxqRPGq&Z%N9LIogNf%AT_HQ^HnPrqNV*B}2CyIKipn*wA= znXBmnDq-)nQDiv!ZR9&7ew24bnHnBa7e>i&t^B<KJE39{KfQV z&g6oF!Hx&>l_@by$~jJsj%EY|1Zrkx1vAUb#UySU{bbj2lemITo$Rwa4JA;aPF9X` zn~~}+(@aw`kDKwfMy)!pU-M!qniwC7PRvCF7V@*#a1^K}IhxlS&y;Ix9wF7*O+tpZ z<%W8Cp!?QptFTthC#}c!f_~l?m0U-0jitiUJp1PwE4L%OUrZOrQzwNowUe5EwfZVy z&W`jVD+injKHf$}PX@}g6t$LmIZx$%WlL%D+Elo%wOj<^UIQ^q0>I7;=Sd6sf)}6Hdw~s}8F6%jUTwQ3x!`$-k|>Ek}lx3||EkaPUUx#IU?tO)J10Us|8g zld&L$m5CJjLz03Fb6xNyHa7Lh6}~B*SA*fg4Y%Ny&?GK@J-V!F37bae%y8XX@1TZf zeKGm0pKTVY+)7Ej4y~>?sM>?(f3@ zlCg2PY;hYRe$X4gb@`rcA@og?$J~LWj#wE ztgm1=i{t{3HUhVXzUoa^{ewx{f&V9fAX`EIDO>0n=JE=+{%b_?25Q@JpuaJb@i{^O zSX-~{o8lDGVos&h3*2Z`RP`&!dSE5b_y+BUe-iG9qvDl}hMS@FVU{0oB-}9Pu|kpF zDMx~=Twl<*_-TOOdv!o1YY(l$yekK;7%szHFJh0ew?W>b6Q4-X{o2NK<;n6(kHN?1 zlj88;Ho*D>x|nKEE;PEBn>!wP7g}g-E;N^vPG}28sLoMl-=*1-_ngm0qGJtkDu2J&a_*LG#h8OvETD- zE3I|p=&Jg^IbGg3g^bR0qVf+-1fIaVe?b@K%{+=&c33XC#Sp4qy~szW;9H)WqOPL} zI96EHIJ&y)y&x8sDO=YFJ$I8yxdBsj%XX)E4_O0H-qMJdov9I8BR)peKMJ$KrIhtX z-u1(4s&Ww+Zd*;E6v-@=LIx9c6)@Gf%1-J8Y(0X zd0oFPiUSOZcROYh_u{gV?8*+5ejI36(}mm>w1D%jFB<^pJuJm}cq)q>NqIg|kb*=| z%qslgKB6wZu6wWrmmt5&B{{iF*bAVj6+SdUKb>q%H`T|VP5N~%qA%oPcn!>5l8b{z z5iZt7hqa3Qc5Q$?>wR?K(B)&^ zb(OOuA$yZ`Q7XzMF*FV%^R)e*v6&W~wc}7ZRSvbUU_^4PA^QtQ;7B&9Qa;q(n_7?O z3jZxgt}&1Lbqs;QR->sV4`n3rwYGX^Wp<5bMrrIEV;dAK{ljnb=z)00cgE&ovO?e5 z+_EV&IaKkh=(mrX?7VIEF|0+FE=|}-ga)o0-+i-~Q|^Owzg03YVbPnnz}iqGTwjj-a*5M7VS6hOZaMNt~4 
zj5U?X4a{REo420<&ax&Y|H%tc!vHrJpaLm205kt+7?W(`%p@!R17s6vF8b&!>3sQp z!hl-E_8rAT`4>tTq}dQrit|N{vuLJVlhVjt1P9xeXo|ZOaF?BI-oYs0DzqT}2shb4 zKC!bh%aQG}=z*TCs@#JC*EZv52JkXGZfq6o>?Q&aPtpQ~v9eEj}#lLkeYej~QfPr^>ra29j5830T;n%rK% z+&eMCe%W_reAk+U_@ki2FjrbwiSeT}&jLa6HGjc|>2fCKxsNhI$Ee{;ak1#w7Y{N@ z_Xlg#<2}Piw#7kdw&!+_YuNZ4r$gz9vE{E}T7n&{lE|lz%BpMz-ii9In058`aS$Y* zBI1!K>WbC5;J3w@Ama7)yyFuD@I2-}oZ|{ibf6W9DNKF=4r)vMJ<@TMK2sU2=u?9u zZgeI{u2_i6$&)Eh<|Zc2I2c|nXP!*}JV_FH_$iLGslSExZ(tgbHe&sJTCRH}V>>zN zSGNoFTmSROof%H-zy=3JJg-Lw+J)FqP^u}s1~HEe4k81tnAtCSR!7gl4%Li~?FIt` zV+|M+EyDdJuCEuOR=lqfeZOWEs4N(ro|}U1-{D~D_aW70_b$$|YzaFQuk8(HTmBgM zM6-(tIy8yN&ZhT8Z!^K67BcS$7Wm4o#M%|4*zX;Kh^e(?oX6j>r&0&r+c3uq($Xg+ zWk`Bc6T}(@C(8hvM9vh?qvwivU_HDxAZhrX$6^6y34!DorIh z#hqh&QAT&%Yez`(cra zqDr+uqT&9i6?|?;+i{p=R$$z}emqtPBfKZ8mzjweklWU6z2i6ftQxx zr9e<=$J?U(dkFqfJP!Y&~Kj^H4cYLt~=?+f{7=<3ozEv z47cjg@a&7SdQ@04#cl~i8A@Fm%-|@R+6>%iq9SJ~Rd!d0BAs}z!N&()x%|k6h_b3C zG{n%Tjw`3Lv!ocxSSZ{S@idB?FV}`D7*wfHMWWtki%XZ7VUJlJ_^C;B^LNC*QY>Na zKhtc*$-B2dg49UFK8Vm7#G{i`*`r*_R@V>a$fr}4NycNXI>c-Qj@^)tD9>Br8iSEx z+bbxAQI4^bJmi#Az&kZ^t>Un$-;>JOmcZN&V=y*h*rD*)V+u*xe0>2m1>&D<@7v`^0aLj8)PAx=w z9rGeG65WXF3dlOC3|Pm@G$Rrxs!vsK(!*BV<>$&T8s|1!+kFu}O ziy@y1N+W5hpzvpJ#stLj6_+KgVRi5dIpB$l5%dl|;9!0ns=|oxCS4KqXG8T06&OT; zI28iYu$0Alh7b~$M z64p&UzfzZG_Fi#Ix0|h8dhwItOPJyy|HAJ8M&42=j!GCzoF`jA0teGL>Y+xBRdy(n zcKtb3VQSFbLn3 z1eGlxZru}5Gv8XBR_EvMhJg&yi-GKcOQ09`(jR%xc-p(zXGrqjMyfX>oIt8&v1hB0 zWVPp?DW3%_XoQNCvE}k*TPn|`>aeDZ!;XR|gUZv(;DZUCM7+L(ThJmG zvpX);m$jZgtP-=d5oT-caD1+?$5+$HHSB{!h}&1g6LM|=Q7%~v*}`=UZ7qybzJ?DH zWr^Vfiv5

v~HJm7G;FDvNOFkWxin=z;17eZX(|4TDy&dZ*exafd!Hp%u#~6N_?K z^XOM!VX)(^A1X1wz?+5Z9Y63mE+P%Hz7ZOqve<1(W%LWqH&ZXdY|VFUUysH&z9A9j zHou7QlW$z-Ip6yI*Yq8h#`nMd29CF3fDBxy#S`kVh>09ZZaPKn{57fVpM-qP4Fhbn zcpz+GN^pYfQ(tSg+;su!@H~^BeMVEyEdtv+2Z;=E5ycz@*}~uyAU`{o(q^@`#Y2ER-g z(=L7bge{5+JXDZtq5)3s0U~>YtXHy_X{yh~9M9n1u8F6+FAme|%4wNwv3&4TSla&e z9%5pC3fAwtv`4;=_%p*b*aKDUn3j%E^K;agnBupu`N34|+O#7(LuGaulIm2`U``$N zbJhTtSFa3Z7?Jkn2M{_=*%+tZ4aABHwKMD-R(&g0+RahfmhYgo3)*w9(KIMI2$J4j z)!8K@s5mXSlL^!Jsw>b`Uol2SZ>G09?FY*?lFIJ7L&}lU7p+Fjk%A{;Pvk|j{*c82 zy@u4$$1@($$9Jhd2Vd9Tr9X`dUPQh4@{e}E4*T>IkbhK4%tW!J<16#0@=$80OeCUFYz>3DK3{I)Ibrm;=K}Gx;tle^zmu zk{e7k{oMZ7uSS^JVGX?E((aq}H%=ZTyi~HuD9&HC{SI>xA)=Y=;yEbG{}sa9@(E@2 zBaRt`(;pNe?vMqZM7q2&8a=L5?@+^35q$$7gWYt7e^SYIRePZBR7sagq|%wwswb$0 z-)){<3D>X5OrO_q62KoRd{>365Y^=cHeL+ASg80eR=_uL1^0jl7L_5%pX0 z^KV6Q<$b#580v0n02B7T9jb9bj{)6G99##P9;c#m!BIlZgOShca{bYzG#u^?|B5qJ z?5FkQU!q-{d1&#gjsmK_Rf!BG**P4^aTQ!(vdmxVWUJxq3xC zNCKuna2pyU2olP{$+`Tli?Q1YM4S{CSG(Rw0#wfs8h}m!{N3?t+@U=3GizMtk1#Hl zqN;FQD@mok4Bp>`8r;Mqoa9Sc6^vDHX~K33vuP-}^74@NlsIIzR{9R!DM6>6s}ihs zA>=V5zP)feQiTm(Ca>g_qUMQxxq3+J5b_J#<&sHN3V?NDq~9S$t5MrU;iD%z`XN+z zqpT6f><45+Veip_)CI$SSu2yCdEz1CyAG;aPKHqNUB7beX=TfABvI006y7+D{L@7` z-5U`5ufFS4cxRGxgcVqNYXjcQsV`_#g(fmxVqs(znKeB87aKBE^t;sK-s{|%we<{+ zy_HE;a7ZJJkFBt62wY5LCKhUyRsLbT%z7X+2 zS<_M1p1JTBOC@1^Ac1WxLzAHl2Xf;5Vbd8+t4HWE5MWIlnKd+N1+IKIjVU`UZP|LQ zp+ocQgt<^-)ak187??T`Csp!K_%`gwIUzNFf4@&An%eY8NYW@C5n%B#Gj4@TBDlIA zFZ|UyEB%ioOM|FZfdfF`*k03AMNfb6mIE7EnS?6Dc*l1G{d^WkM0vY5kJdoje(5ZX z7=PLSXZD-1i-MSC1`4Mhl@dJ8PYtC!dw2!dpJXsNReps+_5zpb6+-OZdRA7WD^=Gl z`-U5}$dYL9(L#ZM>cXe+P5A2ysWyd!!J2K4C<-Af{b7s2+d0ernlVlrER0s|&+osL zxWPz8K%0$7RJq_$obixq3y(&jZk|ssg{SsD&)+_0jW;wluHbdTdB5wK3x7^n!Xxu4 zqSLQf{@eEdKPLdVAmfA+szax6odg;mkyE~o=dc~Q61qR>6vBE+Q`hi>v%O7Wtgnem zS4Ltj0WVaD8VZTEXo7Pa6?~Tbv}XVM~Oe znV{dTkOmj#mYBREw@rjbyjF^wuXN>%L=sGFA%x4{VKDlD-*u z`gb%ze9W-km&zIl-rc?%99h3RsMeR<{Z*QNR&SZ6Q>`^nGjqClUiMhhu(hN~n8Arm8n0sdrD|h%b~X-s05o_Y;S*N+_|; 
z9X7Rb0||1*=OTEzr0B$CK?=>A3#0lYySazrIIiT!1@O0i-ubZZf)pwF-!RK5?px({ z;pP@7B$3L#Dwg%V(TX-kCS#gJ2g)&ey@B17X z#K;Z1{TUD`nOq9j#;5v?;r92*Lxhc*^^$w;3R21&J5E@yOqvgOqVqQv^CN`k#yAx{ zn5>^HIbY075vMv-CH)W;)i*dZ6CP0HwGlHi^9{WHwZUWKVQ zNn59UFjIp|Up*n7AOJJLDePF~(_`Ro^#=8I3}BYag!AG*mxqE~zw3HGH&OEtl;K-0 zBx&~X-Wl!5VDNA6@BiGuHZP#ogaU=AeO-C^*D(fC+?85KdqJ0p(lj0=!&$nS>ZqPV zMTw-cDh@=Y#4eT?UNY*1D$v5ah|~CP*G70a=#w-Js;Q}f&0i=EIiHs08PDB<-+a2J z`ER#Dxj<$C9{p?F)|v2_L5nxVpo2VfHYxqH*Rtv`zHe5%h!ACBaZr*e5y=;|W2+z+ z#JMo!byAGiJPrl1%aQdqxi85J4#+CQnofjS*O_?RH9eSdhriZK@IdL|?7RAjsWMd| z@Mv!|+QZXwe>B96P;@c;?97XGD&Vdokrz83%lWQQN9x8e0~4NK!S3KE0&82i$HRMz z1Anh&I@DpNPfwwR#;UbT~&__33oxj5r?;Y<0lv*z*m`XpCE#rw^p2rfPei`8P3EhZ^?={NeaHHnOB2X-f?-+l|D+L z<7Z9wE*rU8PD9*$Z;MP_*hkrwymt&=Iez*rbYmlR#Q#s^=Kr+!YHv`RkS3%o2t$;;%~z%M>x%uX z1N%sW$jo#RypVg2sbg^5SIk#3sSDcNcWUs_)Ou@qYLqc7N~z= zS8&n(I<-pQ?)lcI>5B@7L&`o|0B9!5cZtM)2|ujSga2zlb{5^q5V061ez_Hvn^jSl-)u=MK%Jv= zDO0+M_?WKDuo!`(7*@NYL(9HK(X~G-Noew?bM!f5;pt%n{Fc zVl)NdRCP0!VsXmLMDi0F9}AY=vUHS)NikJ<+~-gx?#9H41Xv;B)=EyhhpSJA2%tT+ zm%ZgJE@jH#PBJqeaS+n@(j44(ZCavB{AV}l%5!I?rmX2!k@Dt~{-Km6-208}v>#&n zd;uaBuJVTud^b8hOf8o~Vl_;}IZb;w{R-PL=DPNuF0QiVyl|Mq9M2MM2B7cAyP1gk zOKjA0I|2(N#mC=FSP4uq{n9FJF5dBLHz2$BT(;2MV?B)FDeD~s&x|a*E4SEtFMUeZ%}5KD!< zw?tvwa4{dTN8hmLFI&;Ygcl|sv%{&!NSC*(lj zbp=OSTz)`|RSZ#OXy1Mf6Rj9p2)cCk8!n|_!iC4;P0)>TDw4)v&Q=(C z2@Z8ehy$ls!-$7D-1MSlI;tkWvC?<*#XkkD5^~2buI)U~_cY`0&CSfW4EF5Ik5IFt zK0fvqvJKCS$~S?E)?zH|6;!8R2JX%Z=6ql3C`=xM`e*HA_B14RE^P^B6n%?rU$-d@ z&o6dV8lmpKbGb;E`!eJn5m&3QWDb(co_#V@D}q|xizCx+sGdYvk@7>E#XzHt9;pt_ zleBEVXfvFeFQcNu3{cs%;~1=EfZmG+6kS+q@*zR!U)?-CwMP2$A|pszKeU0-VPMf= zd_u9Vfzm~eACz|^IScc(4U4KS1=KCG zOvInA(k0a@C?oPUwDgiYDhf`!&Ks!tCJ)DU&Tq2=UXWWR&vl5}ZsF=bXECge z;T9$FVB~N(l(f99aKReE#}{yeUi-ala$CLVnzGg}=(Mv~{Nbv1x&T+=*{&t+?Ofryxcj5wq!E^F zc^`?^QKY$Va_2?nSAMmlM2jj5GfxU=oFD5e7k|nS<}^o!h`K-=k^`kw$9>Y`raT?8oXHtF0<~yD$*tWLETIlPMQ>?UF~INHzge{&@;neLNDP zHw>b;uoo>lY5&e(@*zY)WvxeAvxt 
z+GEEnp=#HWV08_&S;J{#rr6rMc(ijVR8=L#!g!%m*KY#f%Lja69Lygt0~<%=q_0WP5F4QztghF~zAzQHxBy$dAR0B-b*j+2bI5zMV8Y_kEyPpJ zXNAR-BSaaa8KHlT`VE-~9E}+A?SQ_NI+1FSaa1oyD3I88tYF)?OOhzJu|CpQt+ zvydT;H7WAXpqLy}K?qszzqI+-ERsrWcHzEe=C)~~QEp1-Eg$z#sWs-#Ihrt_EyhJ5 z0T2`AYz6!IfWlaWmYUvAz~31gDKTS?qBsqye3zJ8{jquJ%j_wYQff>6(9{;|!f0zo zB_Z=f{xhrEO*>RnAspV$+&TfnX^)+;H?*h6JqrYP{ ze|O2sjo3-L<{qvv7L5_h-IK7C=gE>C(I`3>KkVp_aA#Y#_GDR|@gasW7xG0xfhJ^K z^ht?Aks&TW*1srC4_}AgE%4uAjb0Aib4D2CY`5p@Fsgo(R|P7*KR}F zV6NssS1YylNV=5^Y!9)=DMV@ho|fU(Twilo(aOW>f;HT0zW<-^*^SzY&em-6 z*6--k;vt-Momx=ksfXOxhZp%%)4Wnq%YNWoz5yc9Qx<_{$r`1;>wH<>fYO3S{$$ff z^}=NccXUQjQ%76P59*VRK#)J6;;9C51X$wjnwxBh(Z1h+^O2i-Rv7aF_aVFIJ@uSn zMv0S3u*}CepEOn#3B>72X(C&7+5wgH;q?ZTH%VKUE79Y7kAnN{ia9r3Pc3s{G{ke` zH&$S4QM8!?*rPHl%fNHx{xne42M~MU)piL_4$=|xZi|EG(}av^icvET!vh2#eTUnAWngC`fVeQBPCHYM5t1`W~iwv5qpUU9pjU2njo*Hy4M# zAdP5hEw`EpvD(0k{UQL3eoxhFEOjZ4+MhXC@I<3pVp)`uP@hE|A%8pRti%>qoS=S| zGkC41aC5$Gfg=wr+OA&|o4k5%V&|gowXv4ro0Kl6S(g}(IC4JKb+hrqXo>J zLHaKl>Gl+~t^-8YcSg;Q2kGUk9+tYd&%L+#cn$fo<-(kyW>jIRj}EbyLRryb^)&tt zf=<>L1UPU~3ls*jt%D%JdvU0<}Qk>BtcQ*O6qTb$KW@9*6?O_nl>EO^QZzs+4OSIq{KoD^h!q@(&hDIsYYxa}_PFk}ibwQAw>Mu&A z$l9LU`m-FxEB2EG^;gSlMnxMfPjnHT2#xjp`+~1)8{D{EVyf($Xw6hlpjKaQ?b8|* zGK&vBChZw{bPmfLR);g~N{h6Rx%l($7`R66#C5EGUmDo6Op%{v0_~;rEF|!4f9e_R zH+zzb-r*_b`SW#Cu{92i>o#nAm-zFzGfv`^PK)0--Lc272ODhH>?j!6q=iB zIcVn=(8cdW0e1#1FYw~9X(?j!cUG>0mtF+Ux;$t{qPNB0aBGLX&(Fv{NzI0WL~W$x3S5|#A|0aAUnHCRurno-1_>2%<;Us)AZah)zjS{i=l!) 
zuZQ;JQQf|@=ByYS=`PklK4&r~?{8n-Z-367I$6InQ2+lj}K_bbq)iRO;?cD}I}HdC}>amZslz?gkZta^0@%b6F7H zUJnL&HH{uoY4d)2LTca(95Ymh(vNE$Q>0*lhOC{R!qJ4(-F9pdaE3{12HQg925Pcy zZ1q*WN}~g7r@gkCst@=DzpD?@O1poqwY^=sZ1I#{snp$w^{xGNbJF#K?&zXpOyp)C z%VYNn%Y&vzyXroZD&u{EcEd{Qnfnh4tc~7~F*>rv(8UTD$^Evmz%QXo`UdS2@BLqr z(H(s`lz(zFoV*nvoV6zAwjI@6899Zn6awaxoVP8JeezV*V_p|DQE3xgzC@wFJ7VHm&xqJEG;;yd-ZG7R#l-6oZhH; z{1`*%wLip!+ZeeQigvfIyj+;|%93-{x)JO&xg?-WbQZWMlmm0t_Ppx0P)8w%ZayAE{DeX}0rxOSdiX_}`!Ju^P@XPw7&Ady->0a; zGc>Gm)kIlDKV@%vYID~CnWzMjG`@Xs%DA|zo* zUytJVVa-oJ)%_p_8&naHm6}5~imtE4<8$S_f*+qm_gy)y=BVvF)|Y+TUntX{wvVLK zdy>oCt6p_)jcZ$25xmc_*?B^tIA=M4UY&o~Krnt#1e?0I$yBP_eaDsku6A=Si+99q zthMi1xVMqBqc43Ye(`)|FuX6cv*s|9RJ&|1K-!vh)XrO(EagA$J@)`r$sm?1@rSUU zxn@T{dRnsL52@r-X|fAb{iB~Yp7qn|%bs&S(9d3fL~e7Se=)-5_BP&Jjerz`;?L-T z@uQ0o0VJn0Kc+^{8>Uj;!;LGRquujWJL_coBc!M_Y0tMezq;_51U32HyNwH-SQfoj zUXi$_FYaGqK2U2+U$kngHGMD%T{&D%e}P~&`{%Gn@<`q5X}u#myO&fU3v0D|aTndU zD;aZz=tq0VKG(s-65$|$JP-3Dvge;V=rPt|oL7bGP>WlzR>BTl%-4#-#{tg$ABTKR z!j1mDon-dv0$P!8Pmj5+tVrUc^yhBs1wHVgt+9w?;zwT=E4I!;8iVHyPw+?F0#Q;9)*4S&UUa8-ko4YJEkAtki z*UF1E8`=mc_+^J_f@v&|-hZf-6C2=Q;A z1M2zH`+xBez)2Os0KYJ+v&JuG!@E|ak7u)sZIh3Mz%vg{XbCj{2L=N`7Sevt+I#H3 ztjxb{O<^=FM1N7^_h%o6H1H7N2i)d}QPAK7z%Zhqu=U>62mfatteA+W`}aLrbU&M$ z-*nQW!owlAA;RDC!y;llcp&IJE{g(p)#~(+|7V;ExKAkhU6kwcvNq7#yEVDBI_}6g%8uZR5c*=-Ao7R=q8oUH}dEuX8h{BK^ zj01e^{~r5KAq)tJvRiHd5u@2K(a6**k$>woT>i6#|K)Fk@89pjcvxl3`)ZU8pV9Oa zX-9N5hlrN1tl+L;&W|p99R6p@9^Syx2$n(OMRT90W=cPf@!wO1LCm59h{^u~zJ(h2 zY=r&qfx*Bx!~?(Z?p5$nWgu`-r1lOU`M-%09s&&0V56XYtAr9*pu)Zk?f+glSacg; z)@@2KJ}l4FvjV6`siUftKsvxN++anB+4=9e0fsFmur#jyqHV!i&#P6c@(O=^7KvG{ z%ET*ev{rnS9XAN*VP-n9-Xdr`g!UhUU6llGEF%*B=kq5KBF``M>Jiz^lfa!Q@u1Ch6w)s{ThIm4WK3uSrSpd z5QxxsMxXWD_H^%3@%rWUxZqR1bdf8W&9v_U76d@aGk ziDmRJXY(&LV2|M=PR#}&*h&vGj>g|28oUASRjpKD{U2r~S4RR-M(8mZ`ayoNNmp{H zZ^Jf<{A7RTe3U?-=;HqjK?6}G*5NINW@b`+4%80cQL>fR8%?-X%TtQ5Bq+yl07V*L7#raK7DIyPj_%+6(6Wqm|ix`6gn7_g8En$e~ zllKeM>z^c+8`9*UsyOV0znR0H8(@QFY2u9wqi4}Q+iR;4{0I;tO%*I-;ZWc|XXu 
zyWol{5X3T{ST2qJ^H!~@FD)wSEWtFfaDo5TzaH(~7K$!@FPInYN`;Ri^D9Eo1`Y8X z=UEsAz*XBV!hWE_6$b}Hzb62=|dJqQ( z2eIkmWiyE5{mTp#R&-+bP=G;4W*X&UjmIZe{CjO~@-B2$nbjC&Edn1J=u0>sn;f~cblDwdBhS9w+GSCY*r93ZvI)X}JnBRdAbJ^-Frah|qR`W$*#N?F zg7XU(e2fy%*Xg>uyGI?mJX%N|G9<{T(4n9nNrtD-AOtqMX3It6=;&x>^HGlKtBxOU zh^*wmn(GjJA$I9AT%*wJUun!B`s@F|8+JfzJ%{Kzbin^zc`#3-*;z@*IBuQj`e zX7^{~Z<>V3PlOvb#iOY7_>=7EA%?0SQ99>-U)`yfXZ@!hOc4WwZ@V1yh5WeU7~>)dAhrkB3iLHD8A6Kn7ZhEY;QR==0ZgORXtsdrg)=&Q6v4phmw)S)zuxC~ z0bXznB|CcM;|N$P=IL^bLI6Rop;&aD6Gudi>AF8&6AVVnInieu85dZD)8=nl!}+vv z?&@7N>Js8-;9-fQ4)5flN5seCq5&00b31)oMu&z$9PHH-pDNHP{CK*Lubz4_gzD1M z*UXEHi`{n6sVEl$ATrYOIJ8usj2^33j%QPe9a%m<;7kIHxT?aeL=UtkL@Z~+N7;+a z)9x>gkhb$J{y(D4O9K>hEF~*K@JXQ!|Lk||4e?Zzl|3mf*YCBmB@!0OuVLPI8*;CW zV%LMBuXD7nkj#NU{cu zBvGfo>_Yy2tXgAkSa+BTw+9^o!~<*}0I7~tu5!?xWfP1_mx|&q+KJMcC-FN*XKN5x z084(uIVHS1k8>%5x@jitS9YLJIX%t9?D#ml|gV!scLuqEQzrdd4uwIJzcsh|S=@izjrv~Gk263dx zXe9nYV8?wh)MEQ5PGho$`8G_eunxT(z)7S7v~U$%aoE=`Esp-CrQT=*Y%Nt!k9S^8 zR2fqp{>WED!@~l~h_=acW|Zve;C$mhXJ=%6_SeA4T78Y>Q)mK<;TB)osMCz+-QiV! 
z&FoG01)a>U{M#(|_My?&6rKt9^Ri&1!HQ7ht(E;1Tg|Oo5oX-G8Ne9CJw~x!`r8^F zdk;5{Ua(kBkj{yCzyoZE{3EDNzQRga;>tPl3^C=*8H)x{sDEyC9!FMhiG1f#DPXJll|vXT6$`l*B8leUOjCLbgB^c5`4!oZ-K(*Hw>7d~=f|NG(_01)Dp z%&IFYX(qIrnjuDs(Hi|HHOnu#zg8eSnhy}fl1Wh%cA@ybm^DQY3Ky%;@b{(F)fY<> z6BB4o_8)mkNv1*PFDMhK{OSgdul93qNLnT!@+4s9gbzA@TEsn55}uf|r?NR`9p;4N zh~)kV?sPuww(HpJ{@ENnOH4|#w%~8mKKgbS92*-;78e_9_3LXAvCpn(_EagGvlequ zw;tY6>(is!!CXm)RK+3mPY$q)q;v=2k!_ycRP~N`aX9|l+_6xdQK4+`fs9;Kq$QBW z$Z3tu-#7Pk-#rWE*vhlTd(01WwsLeOvI;meW2xD`8qXE>auywRTjI78oX_@ft_*h3=y*Xfjk?Wnk}%{R z5U|*cOEsZ%DUM4C*%?w{&cU)4j27`5`?BB_2lN0b#^p@TO7XIk>~fB;QAD&21u$Pu zv|6!-FQGeWAdYs^vsmO8ZNv!^I2K+SUC01D<|fY*)huTRb6Rge0dcTvx1XlMrQwL_f---0-TA*tbVg2wng zS21!6Zo=BFZ{Xn?)_YJly_`2=lz;p`!rnTns;zq;M+E7X?(UXuI8qXFXq1p{lu{a` zrKB4q4hRSc(k-FV4bsvj-Tht1`@Z+y_w)PXH_jdRGVVBM@3q&SYtCmr^I3CYQi^It zP)_qREhn-T*}V(HUpSIQ&HOI2mslsH)&px!cBPvV>sZ`pv1}=fDm;Cl+>*tR>!-*n zuy9gfmfMy!&m4&@KLH1UGRYI=C0wErg?^Hrw758pUHI1kXLj!yANvq^i>^m3!~ zwFAod#7bO9_rYCwVSV_0liXI|@497C4Fz6=`Eo7_W;-^GIY*^V7j$dntRIFAyn2zg z_U>T&=Gm+%>U=F}{( z(smzbELZ;ea|Rtp{*IIfM{i|un6>yc8!_p>!s|d~laMolO5=LmYSAd^)uI zEPthRh>EP$G1SM{X6a4-ECfO<;`5LYpOf)>nguFTA0^m1dPM`n;-0Mgen==5RCVDB z3Z>N7n7t2&M}}}9Jo)l*`IHho#FUYLdH_NU0M>)y8$xOdJDy}2iuOh9L@clY)fK4X zLD(B!DXF`wqKf_QPzz3P7Fdfe6pF9@Gr{vQU2GsMK^=G4@v>P(HmGd+YhMflrK=x3 z>{_)_H&hLQB%+IoDR()1Lxj@HSWByl$)nF)Lw+6YsWPFMnU`mHege!@qEEEqwmXZ+ z;9P|N>njCffvE>`3Jt{%r)ORqEOmKdQV72UJ9`Myq2HYk?PkCAi86;+-a5g?kPB?e zrZpOmeg1&y{a;_1H+jgdu%_oS)r!G=eYK#_!-^Kx&9+Vr-C& zYr=4zP|r`rhV=(Z6&9X9K#Ek>bLYgb&Vz zSYceRjGnNQ2~%NQ+Pu;zxF+ll?aX&LOu)^ZWFu zknTRVO!LCdHbr&I(-wz-76Ou(?&C+26xi8C2@R7XeZE6U<5x|2Tvic*5hgFUVs|Yu@9H1%f;o1@RuM;2P3m69b-^k&vE7xQFjDm~B3{MNuX}Dr3?_2$VlnuykiWDL9^jC~L?!1Qsru0T9%g5xGQ_~k za@;IB6AsPK#v6Vz&HhzHdh6$@Q*uH=pHiktW)`_1l}<=`CTkf6!V6Hyy; zc!qR21anaUDUC`j)b{HtjRK4C0*EhLXfurHD)F^4jT76msGn%RSAMl`rXiR??;iQZ3zFqc09yp$aGecO>%mf0ICv_qH4gNV}! 

8I2j zYv+W67qa1Vo-Y#OFfCN=d2vhzvq^+cU{Dm417mwE%aFjmj0LXm(w(R$BV465qFooLsJY3K~BP2b!P} zBh04MuhC7mHr23xQ1z>ph!R5z+o$l4uA)=?C%MyLSTqR zEJJFzgiTni&0Cd`^*9bd6=Smmp^*`T|`^~vgSeS zNwv8&#Yp(CYG9FjM&)G9!nmLLl*6PguOPGwd-81F`-YZT-SMJ zJJMTnC%Kp;s?Xhq{p2xZ7ZoOG_HPjh1uezmWx-FwTFZ%Ob*6I$=rz|NA0u?)*+`CD zndx(utJ}bi@_&nueYnzGTC+C*>l;XFkauci*EW*&ye;rWN^(6Gw>?GTPEaDeKt>3MTdc%K|Kr z=<*nG3NgIF0~PW~myW7Cr;fz~b<69YPd3+h+mGolAHJ3hy~Y3wHhp^G6U~^OU-Fi} zf&Fikp;7dN5E(A>E5>{8Es+!=2IN*R={gCzq6E&u<%YKrt zT`=~bZo>U^v0--#X3tWN@gj-PRK%(wd0zU?nNO}IL{Rs(=&tY6G8;w4LA3Ke@zVzG zTC~aNtK7kl-cCABlV_Y8U*4|1S$(fn4$o=y?n;CFqNMexDpfF>g$F$P-@42OxWqCv zm2*`6{P-f1&I>p=aZlr*)%HVwvKIf`o(s?IpZk=x8hDA%{NjK8d{;Yxu@B#O?Zl;% zkMv@JpuAe6i6@3%>i0{rrMLKsmKBxPNz>K#jegxf&a*uvmSXa}x)oaj7fG&|k7H@a zP+qai_kJur%zOnrC9bC0$}uE|iAQhJ=RPJC>)}_46E2V_#4zPsMtaKcR?=F2L6earL)|Z~1-iKdpqt?7iAT$!*JoB1$Nj7SD#i(Uu zH1t!`F0gGT*;r=aZ9@$m;vlv7qktDD4;2 zQHJQC2G}}LR9|jAay1txHa;ypWgz36*ycJvJ6j_6CjJ14^?9?Q`{NALZ@qI{ zT~KT|%78h_I^(nNey-&iHUAG!Zygn7`+o5bB_I+*O2Yus-6aDINOvQGw6xOQFesgp z(%s!9-JR0i9ZH?&{hsqX|FRYfSj=-j_qF$D?@JpWEV%VIVd#1CM7V(6=*R+j;i&6} z65HLe&^_IIHVX?;it)BIO~Xnf1dK|h5g*R_I@jE9j%luJhV75Hf!Ocec0A?}NP@c7 z(ANn{dgNRnn{{`abuVswT(81hkiW#gJ1k(D?Ia$$J=U*D!J-tLfl1*^>H^8yLHNIrt5y2l3^j>sBeA? 
zu0TV#T5IC+ji}d0@lUB+jxbJoFvf%J8NCbY;BsPxH{#55T)3A0J64ysj<*+O(#t=n z&i!GuBlujy-RRL+i(rJ#JT$isU{?)q{-q`L&K0@LOHNE7qPheBW36Vto#FXwiTf5D zH)lr!=a4%q!I1PwfumUMm#^iF-@@SPq7+eTHuWtQisNVhd-Kha`UA5QBj~5r5zI+N zRyK^z*!C!*vqFr!WW^yhhpTkOiJJy8r|JRd9Z59@WT{-6z>Da1x%5{8SZ@2d0@#JF z3Q_(mpuiZdcDdvq6QzZ3`K+77AzQu1musvWswQ~x`#7obMp@Tk{MqF4`%zNs)nkY@P zhg>;-j`MTVlyf(fm6d(U&tz#Pl^j2t0|U#j8`I#Y_nLU%U*5NiF2K{fRv<>!?e$!8sUb$$K=$YWGAZ(M$CFEhznaCV8gZapegk^$gM`*XMNvrc<5N&9_3mdfbX?=CC!3b;N|&G~2ZXly zL?U*{q2tz^Ahyi89*K`7dieJg?n@Hg4({_+z6;9#qD@Fd)Zj=O;)7D*z3wk5=Yk#i zw%LTw>ycG)dJL#3)MIWRQgMZqX>m16eLb49{GFL+|)LSSy@%XfmFoq+kYB=wtjWg_q}Rg$Gp;dmncTmy&yr=l^TKHQZNNXj>vHGKObYZ$FGLC`CJhV;&iZOX@z> zUU^GQP{csN$f`f#!OlB>o-9tyWg_r?XhV$Pe#XVt-ya6vj}lij7;EuIx+ipwK`+OEdY>Iklh8nLg%KuLOU| z$+Q_4To}JQEYya9o*^-xYH}pUVgPVT;~NbP%2K zfD=UFI7nJg{nX!oA@FYCGe0dI{aSAjW0b%-ehwb@lGz>*?`7?5JeiU>ItwNFgJkU1f29OB%`d zdAf-x=;b@%d%nA5j4=prev$))e2^!1Ge03m}t?c4DV&6 zf6JY!`ct@}gIr(rh(H-^%S*;o!sdvjvnae|5y>J7$p~~PTMTmT>c;ijj=K^CU0E^dm&3}pk0_zHjVli_MZ;x;FUWbAH#ao z?S11*eav>#M<+=f8$M`WdixXc;(yRKaR2Asf;Gq=gQUg2@8AAC4h3qvhxBX+2qy`9 zt7WLZRN3{WrRLhpTmJ%SREOSX(?~??#e~mgSaJ6;lQWEQ4d|#%JUSK~Qf%BFze9kZ z(R8-Lcx;$Ahhlly40{_S1QPj~2~TYBl5z26Rjm*Z-N}jc(q7(5teM5GsqAiG$xqC_CQXy=K2oWHc)Bba125IX9@mkzgtGIaWO;-#DJfoq?~$u#@v^;EnxL67CNY@0)hn^lP;)R>flH zz(vf;VkFU8QpUQ_j8vo+r89d_9Q@Zm)6(Z*NrL#+PoTt+|M?rzvNvl?KZ`Ttt8ny4 zXPJNWIIAh}-~^>tA}ZfO?K6<%^Ci9Pz8Xv;pZx0=k^H#D@!Pm?DzDr z3ptDK?ccjH1Q_mmiHM?3i2hy_!CU3K&5YVQT6!j;f~06JNC*hRSnl~xpteT@%sNM2 z`~u!tP2JxOH_$q$Dubdp+1579saQ>6JUoH@+W5PWi^Rq~+kYb{GT;=kSFH&3qJPM8 zP*9;udX=d8haIO6V}dEwWH#T@)CB?|1#?!GK5{5pR^WAxc_IMO3v^8&H)$vSO7IZ+d2Sp1g8lb4Y%@J}suh@h~+psPLi!`~hwa z2u_onIiUt#7qb5t;g*oMK{)+@$y2ej-ZDIdEj}tJi8J;QH+^dM*3tIGPE;Tc6hg>T z_SPneyy?la zl_dUjVMV9{_uLEGh$8592k1I>h^|jG{}G1+CJG9{1F%)3#t9-1c?dael?nT74J|jn zdXgjwJ>)y0q|C3w=5GgG_R*QFV2rabuB^#}%00H=^Sxae-rq*7Kawj4y7)mo*0k#G z4Cj8ZTAi759kxHEyOzXJ4$exZ z<>ln&mc7(FAGTmTT}L-#&-N?em+NU|R~G@Y$Cc#2?>h#zE=0~fBa(`+F5Dh*VXdOx 
zV{S+V+9bqPU3L(cuq+!4mDJn-E^yX4=*t3&KZ46t=JYR$Gm~@BbOOQ#K+$ zzW&>v1n>Z7OC7#7U>QU%41AY!0+KiM&^z7-{GYD$Q^ zWd<=$Cv=?e==9ySgDr_r*(mv`=2lNTA9Y!P*B9#R6E}CxULG)J1%7;28j;1fAw>#0 zL$LHMh|z9#>!X!V_}q~E*j$T~p5>$n*U+}a(HMB zS3-E8=!=vVVf5~wn+Xl+V~#ZyM6yX-OlFj*IocAKJz|b3l88qr0oGcYp!%FpylH=+ zDk)s$gC8Zr0J}yC2a{UduTAaUtI+(Y~~qw`{b4TG-l?{N1? z5SJ)W$WpwYoQe17LA7m(aUJs0`Y$T4?FjCf7sbu#qx3RG!7}L)^(~Nve&MwaTd64oARReJR?hSwCE7~|fvVWMo(r>QWlG_z_WnF11G5ezBb&Lbn zGclowDk_2g-I9P0Hw4)pCkk}A)|&hHZ}^F5=ALW!&p8xI*e;DnR!$|Hk&A- zET&$(jS_za7p{DmYUI-un3^>||>*h9G9Jbv1tU3+(^;(XrO5S<`5d+}OGN zQNj;i@`sx11`?UBlJ4+hk@gU=Tj%bWT1#J__bMo;V@}cL9e@TXm1&)ie2MHptr!9<2w3`S;U9 z9j*>)k-qx(&g!NWrvo{#@9Q7c9a zoA`!6R@2yfRZBLQtQ^4DhskNWBpz(fzX8Rk4|3`6ptAI!mWTe;pY0GK%A7O`C`p1JU z;jbzbx8A7Y98*wQ;|&@DY|V{Zl#V2-IM%8q+!oY|VQnALY!?I6I@F|IieFaR{KFpg z320*t;7~85=%FPPH;p?~%FwbHOs-ozxF_1s#Uh>G>+7Kpbi_~4Kt_fOXY{Fg+_JjI zbJwG;rqX1ZqS+Rn+uS0`T&7Y-YETqnrwP~Idx|J-NWhwGgix<4pEWExUC$ND*x+@;bvaT(WfVdDK%Ic_*UMT*^3OE$HD`^4(%dqJAMNca}! z@1HSwYn5GL@V{4kXQA*4C$&^mq)y>C_oHYd5aW>zhqU^;RZsSMhuwjo@wt3niYOw; zW}pEtOlKH|_O*W~f!XlB>_nUYy7fi%5Rg_}NJ^gpY2-hnBEcwTL9jX)qd$Clm%h;H?vJtN;Csh0ZwcnVte@k(tw6By{mQCqKHRXk)pWDokE{ZLmOc$Mkc2K%>hM|A#lS*IOJ{a(Q(eU)N z(w1nY0~c|9!PhcdFnssk_gVHi2b*C@Fv)ih)g4%CS4S{1c7pMT*_V2yoX+^B`>PFBv_AaXL8U&c<1%G%E^?D&#=e17-muZC>+^(H^tN12 z_cE}Hbvp_@9ZO9KiOa4=9-16NM}2|6tzBV`F=mZPG0||wxS5#6 z-FQQld<4CIdW)Wln5;#&M$}jxmnx!_SuYHJ;ss-L6cryaF~8sh*E@2aaL^LA_>1|? 
zGnaEBkkef%?W-bR65`*-r(>oAjt?4+t5T`uD*A3~H=p!SYz3+hZqTnK-5bn_ak4W| ze=i9f^-Z+)4Xz+ijV5XwhCD!K30+KnnNlJ1XBex|Unls-OcT4^-X`?T<*&;wO}Ly+ zMWeSr74>Qu2;-OsVUADa^6}%{p=K#+v`mi`i)+x;@X#HR#0(PG+MfaWKC6Vij0f^{ zY_bC?uNYor9EKUPGWRa4(l7q4Z*f}12V9Ehy3@*kBT7;QW6E5&S%oi#!S6N=eZF4R z@_W|R)m?4YGvnKwr~v1!Ct7$M7OC#zq-Fu-*!+9uzk2`P?HzRu$7~bBb)3}qf9gvo z9ov;qXE(y<$R+Gu;v zkzv8}dKk3x{mct9$ec&&H;cKs?t%v)dI{a2BM<&8a#7Xbe(k)*4aQ@FIy_ty+=CV> z9?FsduFo||ZpNqjKswXh0BDAI7(qPxNGAv8!6)YCETz9DUzIEXFP{~d#?|;;x;y6U z{xwXw^e1(vB@aZyWS}aLRy=Z6WqB3kt|(tC&6t@gO_&{;<$?2ec=UAjJ5Ls z@6sdlN(R1lLKZ&vQJnyf*Wsf)Xq@ju$s9N(qJK-_$Jff8r1_(|yt=|M?eYJQX%zm? zt|oHW4ZSp zbf<@jLd71+)6&@-TO=WA5PZLQqjT;O>D3!I7U2UwI1$aJzS_{<)F67kJqH)hRYZfh zMBx|Jk+!gXF4&`W{qP6#!!!*9KhN*qzptK6MlJYZ7-MJ-(n54*=8kUk=w8iJe2K#Y z1BDVG^`Izrrl@|$ie<{;576=YrZw!pWT$35|44yUXZX)W>W0PLF++Q}JmbnH~)sFJ&Ivdxqlj{J!< zPN)brtp=6EpUA{$7fXTcS&mj_a|HwI4NGSwgXal;mVDrXa8o!YxJ)b8*)P=DxPYF$ zL=9Vva-Ka~GN1uEcizWdYCzo>h|74hY_xjIP=7-mLL@Cw3t_MokH4yDOFw8MdLjJw z8q@kwdd*m-cZT~FHu1C%MAKNpx^%8n^*?Sx6ub-3Z7YzybzfEe%#%dB8&>f}%3MV- zPNsF&hG_l%F?#cw`QIMEazbm~_;myHhg6Mt1I0Fx1x4NT>foJ~8)wI-K_!^Ni&0mx zEc=|;)6P*`JQ;lh`+yU{-0^**pq{scq$HBH@lQ%Q1Mj%2;ef56kOmqA2wZ-x{Y7NN zG?M@Jd3;xF*YUA7;Qv^FBY%D54HOA@Nh*FJ<{bM(?fV}xLps&%b1wahnp&S2dHVBc z4}K_ZcV`2HW^eID)hbA~3A;+lp8tpSbZ_u>AW#g67i-TxBKS@N5qD2UMzrADzQY3| zDw45AZ20RQd%Q`K9e3j+T}F<4f343dhkZ&s6DMIh5p>-FdqZJw5e4)>$8!;LG6Yn} zeuXUHlH{WAaYdBW9_-N0sAJsdKN&aN#)Ah{V^MkUVc+Z^dM3%LE`I||zz4qq*2nU7 zMiYh{w=vSO&|Gm<@Nh)Z;lat$rcYkysLHefgAnwS|;o%?o4SzVZp;Jv%)JrWXTh)aVT?!n6;`%u4@>v?Gg>~uf0Tg zV0;C=32%OMO!nFX&N(8&CIf+S_WAh)TXo|^teO|r}xm4eYrv$X|B2&ZGaS7N(ra$=T_G-dA^$6MN zjSqW&Hd#tHk48&7d;w(QuOrlXT^r;iBeb3NF=_?0#_D@6uIa#=4vp&6Ugb!oHz)jG{1vW5vm+&TrKXj)zt>z^u6- zszHY16qGF57(JG0_AJ!4EygIMel1BG-BQz^ePF^S__ZV;5C!yYA5DF+fjl( zfF^z+e8x@?R`h=2-nFbdV6E^uMRnrI#KQ5Nxb!${*^WTPGdMEG1vC46 zN#+0N2d=MeS8UbxNV)k>#(4SlA+xILf{k$}Pb4A()?@F=MM_HQnxs~p-{oUqJIe2j zPuOy?CO{U+9g0QXthLM}49@zZr>m+u86F`>L1}XOr%CurN*{y9Du;3E@$n@l*Z`37 zevPVp^@t2q3^}0zgm@`ms984n}u9Dq0 
zjfPTh%fnCSmJ#w9c~Q=Bwbi|a3PLZSP|(1(!;Tf2^FBe2(|ZdImS*v`Z}4{rrg}M8 z!!e!T{*yn>=C+b4A1R4b-oVxFR>XfG<@H)FQFYbc$xGN+4oI zWsa@G3U78C$IyT^dG&P!y{?o?8<){_BRTn48jvcj$0w$yb>ky0X<9y|tquvGb#DOV z4sh8j zMJ?@RA)Nx3E#Bg5G$ATR&6k&oaVR-rGi_%->m{%-J*8I;!uX#GmKVlHdIG=Y?a&}H^&&78-hoTJ(R*>J0Jn0eWx z&;WTNTu}}3xlysbVpE@XBKD?kSvSIUfRq2)?&0q;T1*T+)kneQ<85u~l1}XmZK^a* zs=p8r1r#nu3(6LyT5_wg{w;!^@bky+T-FyeZ~uBE{5o7&^JttdFs z!_HG<4!Pb)S__362w@1P5{Y5nf}rGo2?nb%4}{IQd`kihAH75g??(jWYApZzv}fZa zjUjeS%vrMgcZddz2nJATcRBrohHroVhlPb6y9LPjtg4BzA{Es6oQ5Z>#K#sTqse#vfRSHfFBGt}pFUzy3$a2d`t~z? zzUE(qZfhQ&y1JK+-_ zxlVAHzq3$K7c#})&-#KK&n3e)qmq{9;IkLluv%T)HGGGHMF6*_namljBAI3tZ=*s} ziZN9a@fw}1+zI3{iDU5pL$59Rb?$|CZCQe9`jS6oD z`h?C=D3hq#T0QNPkeOxz)j?lzz~RRqqcf7=vwDY+H!P&CQSZKu&C{ke=e{3F<1zaW zs`0qD6K-{Qk)q!<)fD=3bW=`q*pJag#=5tnROW9^-)$yl{zV&*dMjBHm8sc|`GojiYmS8N&9TLf-|M99(J|CX$PM zKgsfxQ%3%ubm)vdp9J=Rq96ELgs$(ol7!l*9A$)d)kxQ_T`{M>7BITVSPE6!aaqirVEk zH4Uy)Y2@F}5&i~c%l=bE5=u}!ptu;74-~;2n&sSok+xiS;vKfV5^R-`og@_%O4B}Y+bEAl?o)HehR(Z z@7n$pdJ>>Dy6o9S{!O7-1CM=ls^9bz;8P`7G%413`qyS?KM$&qo%MHxD*TTu0Al+c zMqhJBgYZ5zTx)r`=`c%}w?_<5Wx2j-`QiDh4>NH9tUgKELk*fqf@2P zL!-7+fEAxqOjch$fiG6lQJc1Nl78J9l&dduKV7yIH8$Q$0|Z4QC6^C}Q1~5MX2+`~ zcg0CYYoZM=!(25+mm!V~3)uB#5&xXs@=SGriqR_8u+$>ped)xHvlwuVaop4`YAdEc zKaY}x9q#J5k#lw&$MIgnF9KbcoLl;al>}{;0}z%g0c`-=`)cV*`~7S($D=itkn|%? 
zx`?v7*k3O!{?kv&Mm$vT3##xb*oua{A}%)q>isLKTJ#|G6v*fLFKR$M;v1HXiGY7w z4wCEoTp$ado>grf_R~RIe@ETnOc^TWJE|zCZ4iQ*eOOR}vDtsw1Vtm?Ks5~T#4q?9 z!z2=LH}Y1k9p^CZ$3`T7O2BX>G_!r$@kFewYul*;PGn`A0rfXr((Dn6npS@tR=f<| zn?PSlvv;c%QWxfaO{<_m37js;F{g~AN-=;uT0pNB9*NNAUTiCu^lorb4 zU#qp~MlL+s>d~=Uj>`5L{*Nw^l>99T>#4M!;2G7|&@i=w-^3g8|EK1V_bH^Fk4n9B zT8S8MM>S*fv-Ufu+szAZhm25fj>d+##Mmq zfeUfI8xnVbsSUUs&e4ZgyQ4=rUr5$ccMkq4^1j(>wZZVjU>cJn#3$#o(IIa*fJs&B zn1yf+J0&kSrw)fauL6-h898@)P`G@QecS;hsmF-ew>B17&v1G(S$*N6qSAjR-$bfh z-fn^YC;gvV?G%lApijdC=)&UMpDIbA7BmPgvJ3wP0MgxBb|@XqjFUK}!c6)`D7ke6 zW&LVp-7?6&gBvFWh%CgnnrJzG=$xi&F~NB+j^-g>nJX zxgsGt1BC;WeDT|7bKQ>~`$`b^@6exi^!G_$MD8omX#j=EhRREiPDKF9E;fs>M4ms& zO#K7TCGfQHC!BT+HS?2TidO!Tpv8k!V7Ma++#bzRl}pbA{RbtNdG}}XY7-$GfVXhS zTaol<S7Pu7pJ8@RF3 zGSdC9H2ajoO#kw*qMQ-w1K|lEM^V$&o=^HOZ}RyQnZC^By`AUdXo9`(^j{ikg9L~d6Y&ZL&+1RL z1*Mys`@+LW5Y1n)mqeK7yTCJFZSavef(nGavn}n?-B%1`zNjtVv1Dr|;5!4Gt53&hLJnC>uurzRYpHmHN? z%fR?!nW!~+MSMaACFQ@nkcI;)z$`1n&+P{X$-BSrTJj3_mTChCn=A4rLqR@4QIJa$ zc)IhgcaFb62(PXl0DiNczST7a-Hs775!DaR-Gyx%FjcKdhzhjC)z{n=Yb;L~u6lP9 zDjhO0S6I*j`MC<*DYw(zrS zJeA+xQ*ruP7DgOVeKRpeI&G+I;EY_&18J@^Sp#NC!WSSEl!zGfHVMXxXy`?vPFXT>J##o3D6|X0<*0!e{J&_Cm2=QJ7j7+G_GkSn+=hxx(=ZMx zzXdI%4gG8#IAJ`>Gb(SrLC*nfDoY}w^sDIL=aODaS9rooln9rr`w`A+*=n!<<|8GI zW>h~wndcQM^?xo4sL;p040NFlxOY`I9m)gF->i${3$%_wy=VxY&GcHoodtN6B0{8U*@q;L&aZ?Ae>mNi$jPFxBF{oe32(F z%+Rq`It-0*A`qJfZj62j!b~@lE5kGF-Sg{~I;qVWat_|(sXQKeji3EG@2hq7bJfxD zn1!z>#|XL(HkB4+s*FjIY|dERZyMPWl~<}j=bh|d0XEU=a4MW2r?&{{01Mh$>h+$h z8h&o%a^Y~`FGS_0O?L~V8CnaoToiRZLAauUK~)4_K=`315`Xr^?K ze9yL3u|*V1z_U0Y9e%8|_#qM1U$ffJhcQ!DwH8-V6hA+TZDA-SlgTF)8w0~Zr8EAV z$6wXd8C@ig0%d3HNnmxJedAosVrST^AGAr;9oeQ)x$WgUzz$zEpY>$iaVLR$wp3l4 z_%}XHfGWP%$56a!zBc*+3NO)kY5L?(L81&Lvc@e}M0ZmgimcANi7IO_8qF{Q;J@#* zg1F+q_B_41$PlQDXwoN6VsYeL9xSyJc=HYDj7=M1J@ym1U`~7bUzr9D&LoO|6k%Eb zX8|ec1n$kBWN^5n4^h_Fw@Cy`euVun$wJ`?Fy#o}MS~+iVEu zrPLC8nesUDM?Ln9_?LpEmDQ<^`6caY=>+dNfz=BJo9B`$b{M%w3JXt;HPVwWl|H!b z?ss?y^rh+i4bDUd`PLGA{U{mCgxrbUEcvtX`tk>QPn}XXePU1d5Hf94)~~Y>BP^j} 
zaIaVjjbr|pIyNh{&kMQ&@8J7KZV8u36fm0!q@VO_Sl#ARcV$1WN6V!~7b9kG0gO&?(V#zn$;Tj(lKwNFR zMY}R}W)ck(hVF4Z!7j6UEW353sPtdp%cN5a27ZleSXHqVNxx{IX}>br@7Oz6DBnes zGx5x%4%6z~JY2iKS^%j} zeeHyd2A}`Nzw`cZsELV59Z))H)YdY8q$y~MJRsh&pB~T_7IEuZ*Cf^3m=wLv=2S}-TS3GB3e_q z+k3eNgk5>fBnkhvO0oqRG5Mj-qx#*c70n#zPmR?uW1@iC#e1gtJ~%n5k2(BHP24Jk znd40sNT7Y1_YQ(z+}^s39yqNgy*JE1_t5^jP|HA@BRc2P;#60*HgVzec+uac%YhH# z;yXT~B5YRSUr5-Zgu9K0z`ZZ?f8lI?n}f(kg`(^eKXuRRDKB<|2jpO_TQ?rbb9pSl zxOl%EryL@fJ{B%BQTD0AHNAJ*Pg41~!1?+q7Wuh=PS3<_-Wba&LSAy23`Ft=o$h@F zose^^RqgS=Xv8f>$ltn<`$nt1#AU#}<^UzcDUg@yEpQuC(=F%F_U19Hi!erLC(S8q zUjEdjs&MRgc!Nux0H3Wa%&Eq|M>M3iDpQ;+R(R#q)(j~7EI6X?R4_n;AJi?=+IWOc zP+EKpJkC{-1zxE>s@GX=-3C4;B$3dbLGZWYVwi6C3@Y&VyCz>vyg_J`!y%i&$8a64 zb2{pBhiX)A$@NDr>Y*l&82|`8{G%#+-lGBs{|fbRto=NT*65)3LXaq+HsK6vNqqI? zQnOupc4DQT_BBx-D)&r^Xr%`0DIhav6Bih5q7Zez3Rp>_!h^Cr|;?kG#%-_}80D&-x2}vY^(h&&VLh z6CT~h=T1%nDPYeOv`>Fwrbs-EP0B%>C5(Ea`7IbB zs%Ru|iQh1YhW_i-=BI=mC|5YN0m#$F@4s$fcf+G5@A>oUOQ6j<=g!d%J=JGSgotmM zCLar+r|nGJI7g+?@ps_wC5zwY?3BW7;$YYgkqB_CDo-V>Ym`r}XsU8t7OpNI0Uvzf za&GHlK`pNNhxPxZ@`(Kb@uf1JtFz{4e}7?dXwvE^?e7^kGocH>O>T6BeC9ax>#%UI z8b5=s)@}wN+V`367s`jh!MXE5tqSL87mGqa;6Jvr1r-k3te!izJI+6H!$zcfe7~gJ zUVQRAsmo&UX}zb4-TotrZwP)hQVfLbtB0I4skAW#xPUf^!{y83hkJM z)zU+DkwEkaZPH*6kn{;ZS%*`j}I-Ap{(w@#1)EYN_L$+@7ZT%|nPMNE9P zU8f%cMzfxt3jqd!1ex~7kF8kU)fgT>vA+~)*JphlQQ~t_v~&Xh{BOMxR3A;2Z=Q3Ms#f|CBwC#9pURP%ExXM$V?P1qtC{R@9qlVcHztK#eEN z%U`@xnYVAzzP=*vTjSY4XtdjYFW>2)8ADtRL{bj-}dzVY2dq+iFqH0cx zf!$Gy?aZ=;Von)$nFpgy8`LNl{%Gi)fl=oneojM8wuhth&%~fEFWNZE_wgY%Jln8` z-LtINvv`m#<00K^QEcpe*6|;tXG%{)iZzXd_LufOTHBcPcZ`ke?c(avsvlq}p6Vgs z`Ln{tH%zv%guUKQe?ENW$PX&`KNf)U&bBYlb_&9lv)`DRE#asR?FGO30_r8!#_V~pHvVuVOX^E-+NAlR!|=nm=S|5m(P78&wzfUdvnvrA7uLh4Dz&+R=Po3_rLI8K ze(7JFPf$cScvFqm@l&-vk?Cx)W;v^Vy-eMD2BVx|Ytv(3eZntVmolNtiQ^g>7-n#A zu`--QO9orO#eA1DesIx`hPhVYz!nd@XbEU zE%6maljdq-ZTeAi8C{sNe6-WF@BAq%`Tg|+KSt&_v16$c?8v9W%D(@C_qXs!t^a=O zj{y<#puZZ$O{$EMLK+xf-c5-}Jkr1Rpd-e387w~OYA;qN4;Kv?s8EDivvLz|JF7LI 
zxc}-UBOip-me)4$()E6BdW@#IPhvvjfu(vem`GJ{c7MQ?e!|yG{e7K+!5y89IPffG zT3-+zQuj&RaQ;%)F(=64Wi2l?34E2_iLbzx`KBm^pq;*w1T@?o5 zy_@WH!6KG?;=N0a7v#qLB5LuMEUG^b*JEwWRiOfWy;?c?lJS8ms*@e>zkRPV4Sv*U z)GoxlRx<@1BgxNeqgKGbM%Z?-TB?~vv2yUSmegqA=*B#FvBdzx2NlHS$)76DR0c^` z+FN`$Z8@`O8?6?8&=bm*#SFE*X7oWGMG_1;=8vC0@;>i>gX3g@@n^P4aQs>HS-D!) z)L&j)k$(V;a>Pb+o67t|V`QqP)!->(SH z5U8;j0AGe{`24D3*RL;?_?|SB*)_MB^+H{jyT@UNEAeMWUFPZ`oYSzu71_fS_7=!p z+Pn5*W5KR-&7FKiR(EeaIu?68A7?8Nk{>V`NZMP5ZlG90IiVyd6P##nwo`>k1(u0Y z-=_J0RG6jse)p?eS~@$(+Ikyi0beiIsHua0uD37RW!t9=suV`Ft;VyAFYtnKNaC!- zeGg_;?{`ERFCLFOSUVm$zSt?@#?!)!CC#t>(g*6jp>@FJs%IfCd(on@I65*V;iczG z2d!z^E^YJDg{Gf!{&-Exel)AW!(#ZnoEWx8*vx0|LGB+Sf3utmPE@s829`PAfOHbF zu-5)9C=A;~m!`k#j6_^NUu`_7=58SLqVRV?GL=8!(^WgiL0CdNZvZ;EY^z=kYxqWe zdWr{qWifG6$u3&evaz(38eJ4_ezoc#Ia*~yG@gmjHrmmD_5;jwwFed6BT zl|r+LbAThAaDA?}o~8V!6MZlA1s1O>X(!512Xz6N>K}87RL?cgAz^~N5d2M5wvK{S zD{5!s=Mq62l+mk5op*840!fDttRuMs1z`tt;p?(3>xOs2Qr~qFY5DER%tJd$kEQ|| zsHY~;CNdTp6$0tx+rO#}VjBGvYqSnALP7MT`8>m@z8rFx#jTJ@x+9BkQJTxE=No>w z>iM{Lie7tQhSzh0b}k6wQxhhp4P(G+?k9jrs>zyaj2IrcByf z>90p>R%6}z-=1|PtmA-;uKABt52?>irVDBVU8bkUhD22Zv1>$fLyZr#;)$mB~ zS#09du;fNTYK)Y}qw8rne7nd=U0ht;t>fude>%O&feS3F*N?LpUF%Pq?b!CI;zV4v zeA-Qft%&$?nNh!#Oqh`UlSpM|CUiuz!Tf2ew^uqeN`ZFpvAsTn||Tac0#1d$rLB&9ng1*BsLVd(CZ zRJsw6lrHH;xjHI>@htEHFQ}Z;~b0wjrYL4bbiMeW|!y z;iEK&5-lUfDyq+_xcWP*I8#85RMF3qu^N75pIqfHXXH2x(n?O(pp|U)#|O40&h5yO zw>C>4A2%buaO$?RkDG(dLN*do)15qg)+(4~YBn0`sfc$+l}c{J;DRUo;DgP1b2J!kg=TZy30HXyFXL~L$s(u@6e zZ)mOQk=`IESF@$uMB%gUlXwf%YXY#4dIIX-QbsxSKJ_toZXFKgkVzXk`~jRyloZ02 zvI-sD2j8;@&7hYMwG0WQ+4z8CanF8p2?DXS(OEF$7D^dBsfjsK} ztDxegGkGPXfT_a$Ve-WwO7>&9_Pw{%?TFAHB6%hb&^zB`FaoDZzNpDhjuHc|CulXA z6J4)#X!yhZ<3Gn*|HMZsK0)2gQ3>fM-c;GOr`f{F75B`FX-%}{XZ zNLool_t(c*!|btwrzZ_?q+;vO4j(+#8pkOmYiA?V0gy&P!g8&%4 z)Q?mB0BH4XSr`4LpAY?F7P&#R(ZthC-t_dx2}R$Al7Ymyq_L%5N=Zq{_x9{^%siiy zU+Oo7|6C;rM~)L{P`$KMGYjT4J-}_GO>$YyXzhyzIkaMtqdsszU{?TJbhh}glI_0} z_ZxLsj-^-`CO(;-kUBw?&eeZpKM?N@ZxxAs0ZY031~8Ff4<-{{;>fGRSF5VSlrMN7 
z2zHCUb6BnO=fssS6l%|wb^D$jHp|l6-f|s{l|0gjF0LBgWqeYsoQZ+Tia;TU`sSj!x?GK6G&tkm2RzN4nt9&d^%H$F_z$1;_tJK< zmUtwB8@CK5X2!oBPAnt(+h4dw9wdsOf$t~w+!>gN7@69t_YXZ0Dx7{SpY;@fC z#E_qM!>g&97v^cgPht#~%HRhC8ZC=;RKmw(V5&ZZl6~Dr>zz&(&JbGi1{Cwln-|ko z)R%32%K0T-RSLEIU^%T=~2D5AZ zqsNQ*r(lbSr+(RrhpxDbZW-SEiQ-uT@?uusP^u7I_2ayX-%OteuHge`)XKs7zPj07 zNGer~72mBKD0xl0@X^CFBPX5=SNma5p<1*nq;$qqK^)z?X`GOsaQ1a&5In#IsWKPhT0 z#@T0;b|5mG_`8Bm0%Wv00amYAmxMxA{62aJp*0Z8ZW}qR?c|MaqaiH>rRLkDW<~HZ z)6=P~CrF~RqmJ{zb7M#n8ux4Sej-yEc_JCZ?rq+F%Q{Y00|SLy#_1$o&9A$`Wz7*1X}?_yNoj1qwgNvYb;6 zZM*p>wuUL*^yX=#_s^%b6cR~mD2bRm@+8KMq`wP^Z2W6ryZG=*49JXH)s4enjjJD` zO}+>ORz}q`9)_sxkq+PH2v7sncML2%#;%sv&ezj?!e)&RVRgm)0xMaeT3x2iS@&NS zLU-V6u!L)S7BdBP=_LX;;W9UUX}p?7(j#wpUnFdy8&p~hquyO!^e@$W!e0!tWOGA zxNSbu$NQ)GQYMgHc^qil7+!J3-+aHtxx++GGe#a)l+K6ut{ckVj?^8J8>FuY-8nY< zp0#bl`sgct{)u-AY&4Vpv;tuhVy{;_4+$f)uS%Pl38hmD|K40Jpi0nDN;V4J5*{x8MGjmmYwt0^G*K)lk@Y+^D!+#XKKH zru+dOTAnaJN1EIPFaGW7VJ{ZbRdW0&Umi6b=&kKv@wVa~k?{!-=6&B=m-qK#AN zm;Tt1Dj{>g-~Aa?^_aV*jm0$gmf=)0e&uD%raDCOs2?q*2Ll`Pq(q;ibLj)d#LUd(`Aw0E&68EtlaRMiR>9MclLwC^N< z{X&)6{u<{@)33qzVquXum=-ehh=#fgXBD<1h>DfLfCm77AJ_`g>7}I6W6W0}{ zeXngd3oaD{E!r{Fruk%@kJ8JCkEe^$l-lvoZEFv=E!?Qv-(khDSJs>*%rxJBNr&Z- z$t*f-?~H2jyFZ2MIfNVhiMdt3#tlPZ}kBCa$_DRS{ToV^) zEjVG!NdDshx*MY3h!Xa5KW@x%TGo7jZ9LFV0zo)#Ms?>=%C#+bUiM);w$J!7+EvwP zi=cyOgyLE4E8%?C(^1GXn)Mo*Z%Zz5>dC{#>6t!)W97u3KvQZ5@?wITfd%WC&e&%u`} zOUZYS+rSreJSYidN({2KPHfBtjx_vR+{owFDAI3FDh7*aL6G|vJPbEsraMxk%qcJk?;~OvTpO3j zBVB<&PM*T_b5tjjceik~aG-w}112UE5*)0;yp5*5>SC9J^Wo!2t*pw+A3bGgd5|tJ z&YYy{S_Ty$s-vM=Vh+BD&2*K#YQg73h`_il!p`~Zs-#E-RFX`DDP( zM_};dmwx-1$2T#IU~OESjEONzr2XT@!dEz06yPuC^4 zM&CC|;(CfWh4hYo0I+LapWau-&Vtb7d)CQzy?l?R5TZG`_#tel8|V75mh97V^|!sb z%As&yPn;Bk&GRCbxpuL_M+k(B0d%CXmvJ4)L%O@mbri7j~qcc_pF%FwZmx3$HUBdLU6uNuhn(RplZOOHuKq9 zF3XD*>jYlhC}!`%CLc=G6bs^zok%Las0wi&>vfo-R8`^YG&YHdS&Bryr$egg`FodUUzw!@8~-j` z(1C!^t@gJX2<92usGO8-Vc3VY=|C_lj=Z0>kYHF5ojN0G%arW1@H&3}c`Q%!KY*)z z1RUVw-x1FeKHt$g@qwcB7)-~-`qW0Cdn@xSg+?vR_9zH6sL{lJdSjnHVqtPlPT=wa 
z#Z}$utY=y4wP#-=iYQ4al|mQY>xz$q#(iG+2tRND2UeG&t8345Psdo0K*~po1;Gm6 z*x?^aet)BCs9go!ryoiH9A4b8E%@m550@`cLxfRa5mlW(t`{#G(0xaE4C-y?zC>`z z<|SRmJIIw>sN_k>GBtbm(^oFhjM76-(*D_C=O0!?;cuvtlf1Nj`Apfkfz6iuZSz6! zoLf(1#%m5nFs;yD&+*S+WIy`nX!&sr>D#%5TEGo$O$1nbX0H%?L7$8yjiMohhFg79 z%4&sS{%6YdL>PX@6g1ycK}X8WL8Q(lU*$9KFBQpP$sf$0-m>6ZM37Tl_mdJO(~Xw& zTV10!Cu)^yJf!k$e+#gR%~agQTaTiip5fZ@p>by>4cFRZLKI${RkjpxuD+w`m2`Ff z71>{)(TeE1!|S@&us)*ltJ~HpKq6sQ4cjsextAKy_UzY=OoOgscf)4;7`@XA6PN}fs_NWN!}UtY zDtZlhGW&iE5bXltanuh|7vB3fOLOcs+rNFXRwAnY5X>IoUfuoq2W)FQX)S$xR2xrfl-2>u#p{Adq^sio&-fUnwU@Vx?aC@k}1*6tIPp4n5 zE?L+L)T?NM`s?EW$nvm+yoez4pp#`(4o+PNKwH8S0zWHPDWu`+7-1u6hyKVst!yU| zsL(_QC82sM;rJ&wLVE=9XUJb4_%F|6pIiI)Vtp%B6Ine>fQ=NY={#-Fyl@jU;iC}> zqJI!JhTGSaKP!zl31LiGpEr#hAk_3IBNBF@X`>2y-B9;Bw|1CqI`Ap-_z8hoW%9&@ z?|Sj#=cv-z9YG~q37gX2)8n5iH9r-g%xPdA3)ZrY(i7&FChNOtgEdYV5&e`u zc1C|&y#;cvNFn(IuhLzUEB3I=Yz@V)M@Qt`#`Br5BQ`QTf?m`SN15zc0g(E4nfH=% zTG!Gy|1%gWv?I-o&E#;DXIJ*fI(f@3_LMtjt*+xh+i<)(>N4 z33quAZJ&tgiZd(iaLNQY00Y$A&$QXuoO{vl_+G&)n$if#f01No!*&fDy2*U=iWkgb zZz|_dJ$taCHW|$x7@FFjF$hQ+3q6K^&yL}n6|9h_gMgIr9Ipg$4_J171;s0p8Ug(MXYp;r# z+d%w@dgb%eni2Y#f25ysG!Sw4%VJJ0U9V!MWO1S|_HHHlyLy#*#AX*2^`&Qvw&8Y` zIr6P}K1zl|I)i~#xTNjjZ2pP~`Vb05J1Q$lZb`x)jNPJJig(9!C^|`;bOZg3wWBDA zQR-&zAVc|{PF0_&YTy+O!GdCMSiB}JBe!!4557ieaPGto9q%nL!Pk946-A}LerJYY z&ZID)6HOMaYFe|#(isN-+R0?eS_M^%`nufTGdDCs^xLMC!{!_uz|E8 z2utwx@M+lZf-k1;?N>9Ln{%YRS7wC1hrYT)o5TP z4Dt;`tgA;6YQO27!jT9el`x8aGLZ3e^rL3ySFicv;g>Unmn3~OII5pIky_J(1|`<_ zi{H0Rz$P3RL@&CfobLf*V$k16RJYXl`-h{rC!ZsfcP4TFE-p2RH4r=>)(14W%8*eh z$YLav7}(gnpDPndrt*Y@x`N?kvO>4&uYiiii(Z-`ARfQV23T-Rg(HkMh%KU2cat{C zIZob-SjTCP#Q1QEAL!XnH4we)hInVocqfJNQRM73YgJ_QAmu;ylR~=Xr||IppB7;E z^Twp@lI!`38t9x9rPnl5?59<5S3k=~&15RQVbJ^`MAAvm-cCoPot^6&&retz@HMfb zw0A$O&_;-kcRW};^ByvfpskJuW}?^=cRkhM{I{~xc=JaF8-9bpp)|UM=U7U?-$JW= z%Kh(3&oDP&*B^**zi)lMkj{}UgsuIG!Wii8g{~OzSj8pXxOj-D|$K7ztC_lop;FYK*Npu$+o&Gc3qK~?=G9yl68a7#S|sVt4e9zh%FFD6AR*!j1VO>vYPX1%|{d4 
zBtHI(nc^`T#N0Uyg0+54R$SBQvWp^)Q(fEx{NEHQKy4=mvIfc#XD4l5R{hp0zm2BJX%wy-DOliEE02E=4&nx3ZXi(1 zR)F*@c`qF$xEs*V$ZQwm<(0kZ_X{|cE6L%&MVXwS_$@CUxE0ab7E`w@lYko(xM3fa z{(-Oro39uMNua^adW**LDv*Z`V1X`0yRK@earIMH9ogHNCf=S;jfQUv4cE5`aC&8!yH$=Kub(( zb@?Hh^B1R`Q_NO@6nD94M%OgGF463ODn2NXN3*<|`C{h_8RP~9GD0YdfzP6&W}j&M zj(as@NzyZZl0G$)x3rGX$rPY`@WdWPjc`bWc+Kf^cc+UDp1zQLteiW_vY7cMa&1XB zS^!i)Tpw@~EY4edfr%gDWf)Ye&&n>1A7G$)n2{T(ir1P~&sanI1LXmYYf3bnvTGI_*nDvNycP2M_DR&GHt_WkK+rdL z+v7Zc*y{!FT)TKqfDf^$hWGlk%3$yWNVN~D|F4(VjQTDl$9b=-%^6d(elNX&Tsdt> zLqk_1@(KxL&v*Q{F-Nn_4x7a$cEI*ND8!YHn7R!?mrehfeqRa{;3dP8m zq$y+Ojr!k~RA)CW+B;Iw#UBy5rCDr!zx>OSkC|lt(WXNlyz;$u^s%qPXuSlWNDC3Sd+yegE=|{Nns~ zSpP?XZa`qFm34qFKvVq@1B33LZs12{ z?Edb=U`0YBr*xIajMH@ueBmVzf=3b8SD8!cpvG^0L0krL$mxaCmV$V2j6eie?*_c~ zh*V=4rAL8GRf~6pkj@wYG#?b7q=te7`~zR>L({S0t!8Z1@22csd902qK{4nAV~O>9 zXAj@rV-4v25p@mT<1!owIHSQmu-O6@ew1V?0b(STlo3B+%C?Yu#|FSq22Z&Q z>u_Sp{Fzf>tDfmU2*?G?KmSDm9;qzg=sQ3MWwuI8BX#jJXHvDDlU#O1&9)ixjO*%F zgRp$$xqrTYLJ)=XXwr4#QIjAZb!7WQSSaa>fY{~+UE`$!QU~M>?2i)zDzy(TiiN;) zNAS@RnPaokFXI*yWRhkmik!&}q_K8Z8p0LMHXZxmZ|G3!2Ir6cQDWG?gJqu43Mea( z;NLG5KicafJWvx}!F(+(?{_XkiV-_3=*Jl#!DCy)S%;F$HGHMDc4`^5`F=D_#x(k* zUv)SyWBL@<7e5AN#zz1gX*+3ifm+;E)3j9?QI0C{w<{2)12nWlNpr=J+~8@>2T=mz7J}iu|saN6zhAZJ=W})vC&Z z{V@3oPs~uX7%sz#IZB;lPq;u5ND2~barKsUxd z{5ET??8N=ev&z;vAmj;s^r88IXj?k{-vk;R2}HpnIer-YK~Oi}dwcx@RvZ7;wAr-B zZE>(FKz^1fC@A>$kZLd9pn{(jeP=AtEk*R10Lf$75=QIBR#AsuA0|HxSppE%-L1?G zj+)09W{#dVYMF0NmI@C9S}okAMj>LUGbDnSjzYJTjcbX`^BV7(&PCZVd~-o*S-g9j zp+&>!^p*7!<7YMbu(vXES(;D9jgmq9fkxF#;MF?=)txFhet+bZJtNX_0I65;VIeOh zKfOZ@GL$}V!o%iqGG3T~ec1%sbBOzT{brhE-;NZ>FvLKz#UrN=^NyN5U&hV`MI17X z@5r-%)wc=UZN*H%{ehViJ|BTRSN&ZmV=u5Bg&hQaga<8*TYbouw$!qpZw;6HP##!X z@S^hzroe0CNnQJZ=9wM#fG#e~>w=oc75bT>R{DZ8wTAfad*m#75I&>ns+XrWs{`yO zEMZsRtKGv;X-bL4$6bG+l>F!Kw%$z5b4(YhbFPeEo>P+dhT5LRZP6f=M0;?dTUJ72 zlF`H&vNH6jD$SWYUu@m}>B9>9^yCrPUU`3IKE4aSeumlv|3t8y7#EEliv*NViSa=P zx;pug@nzUw!-8q#PwgECpNozl&ocC0i#}TmBsJk`rrndW_%EKr*$M-C*nKZ6y)Mlw 
zaj*(3r1F*ontKGxs7+J-Fb58TA&jgjG&-BZUDwZPjGS1A>%Eg3eFl2gV$f%#3LDF{38O;u|5_v)3eTp89Hs{5rhwu4E2FKtQE>cYQNHK3?MG z<@euvZ*(h>6C%|GtU`s%ZY5|$*8go=0mT0Urd4mNjpSl%H1_D z+BUsO91_n6P0P4g@l)F@a8vT`-A5XX^EMaAwu~P$Myq%U9ca_kx?!* zixPbng}E0W`20Ma4oW-&xO{U!X*SZ>F`gK3lb0~ziriG3Q~?i!sdM&o$k!B-teI)` zM;QnCTCI{B42k*$nR#>Rg6SYCBxY_VX*Cz+3vcpV+(-2~*3VaPFq=`31c~WY@hf(T z0p+>RXRTbQo}&zcGyWrk>LcX;SWUVk2g}$ra%Ign@Qwi7Rhv%d5#f}fZAk!hhG9c_ zHbZwJ*joCE&FUC2(}1haWrE*qui10GP(v6S*$Y|;dPTpOPZ22M$Vkvk_`*4QKt&Wi ziK6R~HmFhX>0n_a_NGAHs5N9)3jURlL5bO<@J~%)2>Ul63dtRtK#?IBPg>`Cn%zpK zc%FTlHCnnog!J@^pqm^oSi8n-?+2fz=Y<1WShCD03Lp_9(p)Tb3FmnkGa|qk+E!1x zs;hB`JC2ekpb|kijfHM0kTTI$zDp~g7Gj&1|EAU}xSs}9mjhv7#Y6XACyF+`O2XNH z#lK$bXJhdLK=gpl_&_P?yq$zzURipcIapwPv%Z%qcE` z(cwZUA2?7tDo{t$UeV_g*(dl@qL-$|Z0Jd$bi9~yFBo|O_97Nt%;Kc0pTr=&Lxp|< zm1c6ey8QxltXgKfqL@sD%x5-2p6Sx~_h?XMI6k zfr0XU+_V37QMP`V=a_H?Kpt_2H=O+6X$6oIDQzW?^!$OY7!C0mFuY_ejrwx(nf?=7 zM@2;)FrvdO6SF^^xrF370zOs;zP$pwkm~OjE8&>m@j)X>B%kC|xTC2k^DdtRqH=Cd%INGyN} zGX-tQf<~-SYpeOWx=qUV-u4?mlNt2-I3e0V71NOjJSym$kuHCW4N!wr5DFhCU$ApK z2fEpGY=fC-MGUJ-#V>D!Am&i*(N!nj1!P#{r6 zn7@i&<#GE^!u&953wXb+$Q`kSL3QT= z!G7eBcNAOyaHqudP@7*}@zF|E5&pJPZ!_w3Sf)@E(HnS<4;pe?O$yHJnpS}FiKq*- z^VHwP9$ajV=cM4Jn4xw3xA4m_1u2u+AOM_MN~(_3Ke~PlnZ2tLAO%lNFQ%cS+^2%k=A89wJd2BZfz$q`3{vCs?8hve!fzJJdSm-fOS$7*HYZ~ z^qV->;CMsKNphX5wXf@bzug{-)QvVa`kTK5EIi~A=AN>UPaK6e1!P0%bDrXK**1e5 zlf$8R9SnkX!qdk=p2DBYVQ@?C_V;Dgd~ffLf97(u-8rdUUA%V<8}da3T~QYZC}#>1dHcxfRT3CMSCP(`xCHZ4D(Rv z;c%q0#wYV)e%d$D@IQ>V=fWggiw%;0S4%^vV50GG>8`&Vt#n~51w8+S^w`? 
zv6L)GR~gcaWmo*UJ@I6!YeE7|TGLRtaqKU99AJIuKm!HzL5i890r(J8LPhTE8ll(2 zxIgnS9zQ@bt=&EVS~e^!ZjM2VU-94hrWUQzJD1okim-Fhfct2Z@!e(i6kN0(9T5!1 zDo`xat!TpXH|&8aYuV&2#p)~19YDUL#XjoSfrqCj#L04z1S_5+6cak>RI2uAfEu{i z%%}!*BPTve93Ii&g=Fv%OG#abIT6yy`y`jHl}s#vq)jG+I53#5I$a3j-bv6zY(elE z2p!m8ium~TV5fmklxRNkK^`;Z;!TlnH&HQ;b;Krn&D;YrU;gCut6XI84nv~zY=ktB z)j1URumsANV1(6?^4uGEo#AXc@14A#fyBN9{l3HdB|{kN{>y(Po+k#cjx~V zQ^D<@AkqDJsSV62Eqxs$T<+HCkzBW-6zto(605x0=N5~v-9-{39m}I%-s1?wW0Gm4 z;k;(T607aAXK%a^6$Z1efmqQ-W9hA*DJGUN+;W_RSfr!=;S3-aZ))W6l2-2NT)>na z5FLJ&?sgLa{axdgY_Y(Ge`xO%CR?Qok6?=M+-)`0UVPYd_U~E}-AV+OqvoKkN0B^t z6iB%Y$wiW1OcJ~9bTU`cr#1JLMl_d4jfs3K^VWaUCV=pDF#%YFyq2}L-YxfV|8EEd ze!cx!R9=2i9qtVU;Z)4*H;^v@MuLASMvv|OC^bwDjiPV|P9lJQ5x|sySjmoKQWq49 zSdYgqT6tZdNWCDCS~@EBq+%D)0Q6p$DBq%sa(1nDX9l(r5nBu%vR zT~7-+m94Wy)@4f``0ScY(aNK^+LJNAAW##TOpSFbg`e`NeNJr*1}P9e>G7fRI;P)T zJa4zbv|ZNB`(5Tl*^kZ#vVqR&hFUG1w5pqX7?BbHVm&zerZC7zgAes#j0tWa#bwgE;P@thIZD$l6ff0s z_|2+{N-zp6ECy0-6D4Jf+1-ablA@e{dZP3@JxtQpny1@yYJ$QM3d3736!!Tdv~q*g;uJ5Gza3d8{WiNyKEhF^Um+6xXv#f5 zYNTP9)q@>83`!9tm|-xDt#m3gJA~i1g<{?YAk@@#FdFyubyiS%w2bL=D&C}?UQ0}f zA(2$GYhTE;P8q4dGG*CqlcC@Rr z*(82rqiXTQ@}DK=az;?vNxuRJU`y;Ea)Hy=p;nm%@d`;FR!NUx61KpbD6c^&|DKrU zCXwcZKln~rspehHp!mmKvA+R-ej$W$XtGeud=rn&io%E6-knZIRF(yX6M21lddUOT z0S{_U0~vjizYZvklT^>AvDlCARJz4_1#11?m{0q5s%TNZZqI^m)F z4u2#tBm8-%rFE^rudWPu(+Lla;*+8<-KlAO`Z6R24wc9Nm#HGdYBKiI!R58vpXvqd$UiQ}B1 zIVVkySjrY2TWtDXH=2lWK~>p$E!xYFsJJb9cpjLcbu0)Tvfb~d6?eMEvig!URIK0T zNR^X2;$k<8(M3`XiQnn|Bc5*Dx54<8$ln`_{3d{C$tl-3VScNYNOFk>Z2v-ejo!$`fcNNN#?pP(+*eqgPb7nrX|L_{?5jOG=r-PF}a zC#p9uWD7bf7GTvRcfiGO-$3k+4Gm_BM8*~EpK55*yDfqO=AXEaegBpAP+Z%8;IxQ< zjc0bFx>o_Hh5-3Q4~$yGg&K`jSg}+&qIbG8<%~5XapQb-jK8&%>%tXF!~|F_{;pA2 zZhxoS=HO8fI8GJ4w%{h7*7#K|joszXm29&Vtp87KHYGaS^iQim7^;>(f_WBmJ%GDxE|Oc^83*0!wCFYic%C zN87u_Y|3x~HI$D^d{?wOQ~ea$^szaRj-K*V>ZGVwNt+uYcOH`(8q((Mp`lhz+S+rb z#Z7-7|1C+4ZY6VoK^X=sf{u9s5B9Bn8$gEsGnWC2r)(x5*yyfwg#GiIv>1YloFdv%wGQWQ#&1A(lH{Yq2dswn6}{6Dh!hE#U(TX$ILy! 
zp;nao$v?aFBw3S>IyMnDHup_yLq%iBWO*YH44?35QJ*4@j5Y)DL=2| z+e+K__;M{VtOAunJPC~fT&p#L)+47teqag^ylxxLH~UhjvC)-?h>ez@5D^uq-cfv{ zI3drN@{^)HnaRZ1BP^G#yR~?b^k+QSu>xnDLFgtRe^a2+F_q}-tda46-)34?j#j#X z$`jXL$_;d{Q!qICsY!|d_2`KsP-D-W`vT+7IOGB+RV_vv**702b!}TB`^o&!dmaZK z2%EbLQemP`7+C8c_dXUNAOgZWlaAOL!<+fUyp`6P%R;Agnxej+GfRW3v=O%Pfv2htWWm7-l%y}{AiG8D_?|oOQq3LR$;s7$Urya`ENMLKw)Q;ZC=!}Whf97*c zUEDAKj1v6^3kqdXEjdrVS}+-tu)s8G8ouZsoR>QMI(5bz(~vWg&M$afu{L?D8B-?> z^M}OinNdbc^efR&qr}X}kDA8>$K$m!*#~ALOvs@H^-1Oi5#DfxGc6;nByPHrgY4~< zK+(1L$f5NOJ+<99nGTf~?a?qJbKvCpVA_^v z&KCUm4cH68E0~ZUy(18ODe9U)FN7C6w8h%e=LIFd3=#|O5*v83jK%qkF|sFFeelce zc_nE~EX~Jw{Vge3$rmy~7mO*%4U%P&e}W^k>-~BbPX$4^3KBYxiz#!q4Mdyhem}P; z%?qXew|qxjxxYFk< zo&#TNC@SPjZh~l+V>tI(T+d>^9hGJI4w6(aVL94zbmkk=agjk6RHgDe%a@LDSL-m1 zAY+lP=V-E&AMDd_@nGLG3Y`=5p8x_yxevdvklrSAI=97BB-KYmLD6*8UnyH84TRto zKSsbKT&g=n2-g}yp+q10RRdIu0eeNuY(m*=P>LMG7DFVmY}Pi^K%YZK0c?Mx5s)1? z@Jpb*KNB1L6`$*?44-7aMwxjmT`tlQ1KOg5!(Wtp38s&3vw#o?bF|wM!r#|+lUZo- z>E&W@JcIK?OkP+A(HB27v$Jouv@sg5Z;XAONDxMQ{aZX>cq2bh)tTO=bXhGC7cxi6 zz#Y=SFLD>GLHSsRg6?2Bm#ZpO(NsIthqu&#cqry)VhS|eLv^hBdXg=trE0FYsg_qb6r zT&vL$Ck03*6_|B)`wS1=G@xJosaaokND+LeDGv7oV31SG?8X0`O~Y3ZR?X6{&%{wf ztt7RzQ{#><2c>95n*R?rdBgh9=%62!fRQ!UmHu8C1*UpX1%f>q=;(YH{yP&WkM@p~ zphTv7ub?u|oOv3>(s9KYbY>xx=$iUgf#%W#HT-aL+nh#T8oW1&4$hVee0 za{(~MD=)$b5xTWJA1PIEzXL5heTO0V z3>w-4n5FIJ3JWh-dzPNjR%Rl0D4GwV7B7I7Oj=m#H?6=p>bH}I^z1B|qLur^^J@!M z>#DK1Yz5Y_ASW)fqWlQtW`BV+egs{+#l*pP%+z%

(Ba;+rB-k~Ho;w}ZnfmT8De zumBz^Wx8$DkjigXcK1Nh6CsB7VKmai!S|Mo>Yp}ylKQ-49TvBK ziSdV6{F-#d!t!x-K5cHIO|yKWbcN}+sOX?4_AJhc#zQEr!Fxp13R&KWlk=Z%n29m6 z4m76SNX{vxX7d<7xyE>kVaCyQ3P(o=&D7^Ql?gHVucROdkiIy zw@hjLDa;&JXrE+6wn=j1KhYyXD}%SQUhYEs89f}gKVo+H+ieRg3bE-R{_K6%u12pp zp9=IO1`s!ybLKa=!5^;d#SW+bpBCWXG4yTx=ct>c%dHKz0bsqFZ^gY6tnU}we`J%0 z11i9Sj!1R2f!f0jDz2=W#~zCOksP3$?65RiJ36dYOuDoDdabc;?{|?I%tM2vz`dQ=F18`a&%f=yXj->V4DtIl@wzPmhV= zJ_dhb32z_}RdXQM1f0;aIV2-USzPe`3IudesL#2>dbdUhzm%fWxzgPXRw+q~?8Ad2 zygY>(4D+VvQPK*W6%E+MvMfY23*=Z2wnd-D6iLHq zb85pDF}}WgzZ=oVb@+x+AU`iA&A*Bl(ps2X`5jNhl-f~n9eM4|ts^4ac=_D?Nf!iq zF2_P#6*)Wb>W$|PE<`Yav#s|M zk;%~N@eYPQupp&AnxW|CeJawaJG|70qVKZkq2M{tGpn{40J@%$!i+Md(m6JV)rkDW zDv%&T&?bIKh1`TwKrwN2GRt*n7D)&KFCY2Q`qf79q2$cKNxDnDge9{vkp=P4~iru@i| zF`dp5(2ttHeJU#~6vtF8<5;+4U0J$p=if*G(y@KrtFuA}5~TL`5v=@0rr$l7WGBau z7IjPl^-g1+cX7PUkghqRN}@jUTrmf|!TIVaT`-$FsU=gijbgbS#~F>WM((*#DJO>s zjzl-2W{MPCu!>nQyl0NH0*p-NF3SZNe=q{_Vyi6U$C}POy+BSB4-n1T5;+>qW@~~} zAy6#+KY3H&_&9g-$1xP;CjlP=c7E4y1*cD?$BL>IN$x{XNwD-?LzC7MHFGns)qOJm zI;|yRQ#BN%eD~IvftWrc7*}MOm%Fk!afgI~-ie`iOcy%+CxOj+9>f6hP37*a#~&OG zOWRj4Hb6xrGezEbX`CgK5;K}_fl{Lzx-GQk8!eWIBbb13H8K=~oACOeA_B}%MM>cO~iy*K2`RD}5g(y~loz$k%g@^gu z*SC@>CX8U=#4yQH6twwTUz`aJXx^N-C>A7Y=i)vG0}%IY&i)%OFwYl zt0;d?@Q8wWB^Q|u*sG50(zd*ou57*oSzCLU7neta{};FM%pdUXd-P6#jH+h#g|Cx^ zChms*kNR8={daOno81WiXQq@>aem$W$P2B~42uP~12y7T2^4y#aI%=AjdptllGXhK zqx0($5k>-QA)D6?A_7=|;rHF%{!kK^A%{Es(nfou5Entr?UK(k`q7GmdgK%6UFhlL zkJl#s>q+E2@O}guXp0c%S_xvLETr39KJ0i*EVf2s7Ntm&@wQpbAT<(iXUh;AJE8+GrU;-^P zwO?yPygBlP#9dn7Vi$sP^220wU9nIf|7Isd)3F3=&0A;*$D>TX(RHR#yDjwsD0CfWC76mD0{nun1 zsav{}oB3Z{)s909o)d&PZ(R>I70$~ixJQ+c1~1y8LwPWb_%Q^x%6ayH3UGZL8Hs#G z$Se&rtl!E#sd%YlU77l*kBE&x=6RpdkIdk}#l@Oo$!xlIa#{M)k=Zec27*vEQj?0J zRc_rUqGq5uhak>-*CtdaJk?$VZ4yLG@Nf6RTdisaJH7_{61gniPOld;XDPBiZ+y^O zY@Wn(y_jD<`kP?am%{>9M;Vp;_O&ipVmVArJ`5haC{tn2LzeKv96+_{w5>los$QX_ zPQ;!24iS&!E(SwBQU69kI%vpc7?XV&HFnmTIV#B6Tg2J3>JkYovBb9kHFB{CM!aUhh6gNSH*Kzc_J=Cu*?CF 
diff --git a/guides/security/assets/ams.excalidraw b/guides/security/assets/ams.excalidraw new file mode 100644 index 0000000000..c0894909e7 --- /dev/null +++ b/guides/security/assets/ams.excalidraw
@@ -0,0 +1,5982 @@ +{ + "type": "excalidraw", + "version": 2, + "source": "https://excalidraw.com", + "elements": [ + { + "type": "rectangle", + "version": 628, + "versionNonce": 1269076189, + "index": "b3C", + "isDeleted": false, + "id": "CLQz447xlYODqsxfVtoFe", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1695.6428571428564, + "y": -567.3928571428571, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 142.99999999999991, + "height": 280, + "seed": 4040323, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1732028516263, + "link": null, + "locked": false + }, + { + "type": "rectangle", + "version": 112, + "versionNonce": 2087756254, + "index": "b3D", + "isDeleted": false, + "id": "_w8SZsvQQMMcw4VeJ6XVA", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 912.6666870117188, + "y": 527.666748046875, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 213.3333740234375, + "height": 45.99993896484375, + "seed": 2115800158, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "AOy--JvPpiFRdl8lpn9LF" + }, + { + "id": "MUkMzmR6mRd5LCNAmlyLr", + "type": "arrow" + }, + { + "id": "DM_FpJoMN3XDQyIIw9CdM", + "type": "arrow" + }, + { + "id": "K026ufvFyIg5TqTBlgOR8", + "type": "arrow" + } + ], + "updated": 1721913807396, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 44, + "versionNonce": 1309236226, + "index": "b3E", + "isDeleted": false, + "id": "AOy--JvPpiFRdl8lpn9LF", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 951.3734283447266, + "y": 538.1667175292969, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 
135.91989135742188, + "height": 25, + "seed": 2083758786, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912955025, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Organisation 1", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "_w8SZsvQQMMcw4VeJ6XVA", + "originalText": "Organisation 1", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 139, + "versionNonce": 1234172126, + "index": "b3F", + "isDeleted": false, + "id": "OVMZNmul11YJNmqruU0_b", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1079.3333129882812, + "y": 642.6667785644531, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 213.3333740234375, + "height": 45.99993896484375, + "seed": 446066114, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "2RwBnpkqRQ7Ohk18SUx9H" + }, + { + "id": "Sc6fRGgVOuUQnPMXC5xXC", + "type": "arrow" + }, + { + "id": "DM_FpJoMN3XDQyIIw9CdM", + "type": "arrow" + } + ], + "updated": 1721913799815, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 79, + "versionNonce": 1909731230, + "index": "b3G", + "isDeleted": false, + "id": "2RwBnpkqRQ7Ohk18SUx9H", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1144.6700286865234, + "y": 653.166748046875, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 82.65994262695312, + "height": 25, + "seed": 1992779138, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913125344, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Space 1.1", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": 
"OVMZNmul11YJNmqruU0_b", + "originalText": "Space 1.1", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 198, + "versionNonce": 159138398, + "index": "b3H", + "isDeleted": false, + "id": "CDuhzzGQ2yvc672XDmbzj", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1082.6666870117188, + "y": 733.3334045410156, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 213.3333740234375, + "height": 45.99993896484375, + "seed": 456990914, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "C5HE86j5Ww2PXDWsFPGK_" + }, + { + "id": "K026ufvFyIg5TqTBlgOR8", + "type": "arrow" + } + ], + "updated": 1721913807396, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 141, + "versionNonce": 36374274, + "index": "b3I", + "isDeleted": false, + "id": "C5HE86j5Ww2PXDWsFPGK_", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1143.593406677246, + "y": 743.8333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 91.47993469238281, + "height": 25, + "seed": 908048514, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912965445, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Space 1.2", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "CDuhzzGQ2yvc672XDmbzj", + "originalText": "Space 1.2", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 77, + "versionNonce": 1213257539, + "index": "b3J", + "isDeleted": false, + "id": "pfyfK216xyZaKHIMr_Anh", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1480.333251953125, + "y": 378.6666564941406, + 
"strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 188, + "height": 66.66668701171875, + "seed": 1111249602, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "ViMymxROfJ1Ru7Xqlx0mu" + }, + { + "id": "MUkMzmR6mRd5LCNAmlyLr", + "type": "arrow" + }, + { + "id": "tN5LwAGRsKgnQl2DQj_RH", + "type": "arrow" + }, + { + "id": "NXOozLUuIHMinfBgqIGXf", + "type": "arrow" + } + ], + "updated": 1722495267550, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 69, + "versionNonce": 794490595, + "index": "b3K", + "isDeleted": false, + "id": "ViMymxROfJ1Ru7Xqlx0mu", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1517.3132934570312, + "y": 399.5, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 114.0399169921875, + "height": 25, + "seed": 1159641758, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722495267550, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "OrgManager", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "pfyfK216xyZaKHIMr_Anh", + "originalText": "OrgManager", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 52, + "versionNonce": 1489561054, + "index": "b3L", + "isDeleted": false, + "id": "TQ90SZ_KJREdVJ4ONH66i", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1476.666748046875, + "y": 507.00006103515625, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 188, + "height": 66.66668701171875, + "seed": 624015966, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "lhtHYltl3-1VxuGewOjk0" + }, + { + "id": "Sc6fRGgVOuUQnPMXC5xXC", + "type": "arrow" + 
} + ], + "updated": 1721912981582, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 60, + "versionNonce": 1351851138, + "index": "b3M", + "isDeleted": false, + "id": "lhtHYltl3-1VxuGewOjk0", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1495.6568222045898, + "y": 527.8334045410156, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 150.0198516845703, + "height": 25, + "seed": 1241955998, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912942404, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "SpaceDeveloper", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "TQ90SZ_KJREdVJ4ONH66i", + "originalText": "SpaceDeveloper", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 68, + "versionNonce": 1901235458, + "index": "b3N", + "isDeleted": false, + "id": "-Xzx2qQspYp6E786HcHvg", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1482.666748046875, + "y": 626.9999694824219, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 188, + "height": 66.66668701171875, + "seed": 742640222, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "Ys1XnkFFx73rcgfw2o4U9" + }, + { + "id": "KzwZBboAiesOG5IrdqS9x", + "type": "arrow" + } + ], + "updated": 1721913011883, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 86, + "versionNonce": 371646110, + "index": "b3O", + "isDeleted": false, + "id": "Ys1XnkFFx73rcgfw2o4U9", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1512.8868103027344, + "y": 647.8333129882812, + "strokeColor": "#1e1e1e", + 
"backgroundColor": "#ffec99", + "width": 127.55987548828125, + "height": 25, + "seed": 1146539678, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912939843, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "SpaceAuditor", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "-Xzx2qQspYp6E786HcHvg", + "originalText": "SpaceAuditor", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 177, + "versionNonce": 348052003, + "index": "b3P", + "isDeleted": false, + "id": "MUkMzmR6mRd5LCNAmlyLr", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1477.6666259765625, + "y": 415.0313058518204, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 336.333251953125, + "height": 131.59772081641626, + "seed": 1899146882, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722495267550, + "link": null, + "locked": false, + "startBinding": { + "elementId": "pfyfK216xyZaKHIMr_Anh", + "focus": 0.49612315862114903, + "gap": 2.6666259765625, + "fixedPoint": null + }, + "endBinding": { + "elementId": "_w8SZsvQQMMcw4VeJ6XVA", + "focus": 0.6750141336135725, + "gap": 15.33331298828125, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + -336.333251953125, + 131.59772081641626 + ] + ] + }, + { + "type": "text", + "version": 7, + "versionNonce": 1168677122, + "index": "b3Q", + "isDeleted": false, + "id": "noiI1WPon5FpXqp0cqyId", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1264, + "y": 459.66668701171875, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 54.179962158203125, + "height": 25, + "seed": 1241506434, + 
"groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912974332, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Anton", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Anton", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 118, + "versionNonce": 1120164702, + "index": "b3R", + "isDeleted": false, + "id": "Sc6fRGgVOuUQnPMXC5xXC", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1475.666748046875, + "y": 548.948578919285, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 181.0001220703125, + "height": 112.85562853797796, + "seed": 1899183198, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1721915268481, + "link": null, + "locked": false, + "startBinding": { + "elementId": "TQ90SZ_KJREdVJ4ONH66i", + "focus": 0.550538675784344, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "OVMZNmul11YJNmqruU0_b", + "focus": 0.7138181393599891, + "gap": 1.99993896484375, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + -181.0001220703125, + 112.85562853797796 + ] + ] + }, + { + "type": "text", + "version": 8, + "versionNonce": 2130757726, + "index": "b3S", + "isDeleted": false, + "id": "sJ15vR2f0X66S8wNh4ze8", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1342, + "y": 563.6666870117188, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 42.39996337890625, + "height": 25, + "seed": 642714270, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912986294, + "link": null, + "locked": false, + "fontSize": 20, 
+ "fontFamily": 1, + "text": "Fred", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Fred", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 166, + "versionNonce": 1338907458, + "index": "b3T", + "isDeleted": false, + "id": "hxL6jwoK5bSRYPWEQQQAU", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1889.3333129882812, + "y": 501.6666564941406, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 213.3333740234375, + "height": 35, + "seed": 1247923614, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "OhpAO4TrXau-3wa3XZPUT" + }, + { + "id": "tN5LwAGRsKgnQl2DQj_RH", + "type": "arrow" + } + ], + "updated": 1721913024489, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 101, + "versionNonce": 1781859806, + "index": "b3U", + "isDeleted": false, + "id": "OhpAO4TrXau-3wa3XZPUT", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1923.6300582885742, + "y": 506.6666564941406, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 144.73988342285156, + "height": 25, + "seed": 1314023902, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721912997569, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Organisation 2", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "hxL6jwoK5bSRYPWEQQQAU", + "originalText": "Organisation 2", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 189, + "versionNonce": 1957737602, + "index": "b3V", + "isDeleted": false, + "id": "cSWNHl1f5yMkqBOhGwfZ2", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + 
"opacity": 100, + "angle": 0, + "x": 1867.3333129882812, + "y": 646.6667175292969, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 213.3333740234375, + "height": 45.99993896484375, + "seed": 63826846, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "UpgvXu4B0V4nO_MR0vBeb" + }, + { + "id": "KzwZBboAiesOG5IrdqS9x", + "type": "arrow" + } + ], + "updated": 1721913011883, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 135, + "versionNonce": 32203778, + "index": "b3W", + "isDeleted": false, + "id": "UpgvXu4B0V4nO_MR0vBeb", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1928.2600326538086, + "y": 657.1666870117188, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 91.47993469238281, + "height": 25, + "seed": 9095134, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913092464, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Space 2.1", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "cSWNHl1f5yMkqBOhGwfZ2", + "originalText": "Space 2.1", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 48, + "versionNonce": 850892674, + "index": "b3X", + "isDeleted": false, + "id": "KzwZBboAiesOG5IrdqS9x", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1671.6667480468752, + "y": 665.0235691263217, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 194.66656494140625, + "height": 4.58812085973716, + "seed": 532093570, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1721914244922, + "link": null, + "locked": false, + "startBinding": { + "elementId": 
"-Xzx2qQspYp6E786HcHvg", + "focus": 0.06895271525895426, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "cSWNHl1f5yMkqBOhGwfZ2", + "focus": -0.09730390131362829, + "gap": 1, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + 194.66656494140625, + 4.58812085973716 + ] + ] + }, + { + "type": "text", + "version": 8, + "versionNonce": 1926515294, + "index": "b3Y", + "isDeleted": false, + "id": "WLDXVUwuafL6hLH5NjUHR", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1748, + "y": 638.3333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 42.39996337890625, + "height": 25, + "seed": 191550530, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913015567, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Fred", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Fred", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 157, + "versionNonce": 1114828131, + "index": "b3Z", + "isDeleted": false, + "id": "tN5LwAGRsKgnQl2DQj_RH", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1673, + "y": 408.57749189525543, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 252.11200871589108, + "height": 80.42250810474457, + "seed": 2003655170, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722495267550, + "link": null, + "locked": false, + "startBinding": { + "elementId": "pfyfK216xyZaKHIMr_Anh", + "focus": -0.5513095922844917, + "gap": 4.666748046875, + "fixedPoint": null + }, + "endBinding": { + "elementId": "hxL6jwoK5bSRYPWEQQQAU", + "focus": 
0.1465999342928739, + "gap": 12.666656494140625, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + 252.11200871589108, + 80.42250810474457 + ] + ] + }, + { + "type": "text", + "version": 9, + "versionNonce": 1242526686, + "index": "b3a", + "isDeleted": false, + "id": "SnUPkqYKMBfeFXP-R7hPl", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1774, + "y": 403, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 54.179962158203125, + "height": 25, + "seed": 1403872002, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913027834, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Anton", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Anton", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 13, + "versionNonce": 1096192834, + "index": "b3b", + "isDeleted": false, + "id": "Z_ZdF7byGV2GU1jiiCMXC", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1679.3333740234375, + "y": 527.6666870117188, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 68.93997192382812, + "height": 25, + "seed": 1444538498, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913043777, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "WRITE", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "WRITE", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 8, + "versionNonce": 1948981342, + "index": "b3c", + "isDeleted": false, + "id": "3hP1y8j4poQ9lh2cDdk8W", + "fillStyle": "hachure", + "strokeWidth": 2, + 
"strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1683.3333740234375, + "y": 680.3333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 55.759979248046875, + "height": 25, + "seed": 590325314, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913041193, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "READ", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "READ", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 76, + "versionNonce": 1613005982, + "index": "b3e", + "isDeleted": false, + "id": "MOA9-VImJp8lkEnHLbDxM", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1517.3333740234375, + "y": 848.3333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 275.1197509765625, + "height": 100, + "seed": 1405257474, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913167418, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Entity Space {\n spaceDevelopers: Users;\n spaceAuditors: Users;\n}", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Entity Space {\n spaceDevelopers: Users;\n spaceAuditors: Users;\n}", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 114, + "versionNonce": 1714802498, + "index": "b3f", + "isDeleted": false, + "id": "3AQ8uFvCVRNFhRhehrwWT", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1518.666748046875, + "y": 1012.3333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 283.69976806640625, + "height": 125, + "seed": 1521336002, + "groupIds": [], + "frameId": 
null, + "roundness": null, + "boundElements": [], + "updated": 1721914300393, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Entity Authorizations {\n user: User;\n key: UUID;\n role: {SpaceDeveloper, ...}\n} ", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Entity Authorizations {\n user: User;\n key: UUID;\n role: {SpaceDeveloper, ...}\n} ", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 161, + "versionNonce": 1009075650, + "index": "b3h", + "isDeleted": false, + "id": "fsha3Keyz0jru5C7YATqa", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1474.666748046875, + "y": 231.66668701171875, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 188, + "height": 62.66668701171875, + "seed": 564680322, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "SVAjeWs5agHFXesyDumtV" + }, + { + "id": "NXOozLUuIHMinfBgqIGXf", + "type": "arrow" + } + ], + "updated": 1721913564000, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 160, + "versionNonce": 1963193474, + "index": "b3i", + "isDeleted": false, + "id": "SVAjeWs5agHFXesyDumtV", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1543.2267684936523, + "y": 250.50003051757812, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 50.87995910644531, + "height": 25, + "seed": 1025390146, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913559951, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "Admin", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "fsha3Keyz0jru5C7YATqa", + "originalText": "Admin", + "autoResize": true, 
+ "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 174, + "versionNonce": 640364707, + "index": "b3j", + "isDeleted": false, + "id": "NXOozLUuIHMinfBgqIGXf", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1572.0757824731695, + "y": 295.3333740234375, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 0.21186410793393406, + "height": 77.99996948242188, + "seed": 525734978, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722495267551, + "link": null, + "locked": false, + "startBinding": { + "elementId": "fsha3Keyz0jru5C7YATqa", + "focus": -0.04041367296209274, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "pfyfK216xyZaKHIMr_Anh", + "focus": -0.02736045776209609, + "gap": 5.33331298828125, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + -0.21186410793393406, + 77.99996948242188 + ] + ] + }, + { + "type": "text", + "version": 15, + "versionNonce": 11153090, + "index": "b3k", + "isDeleted": false, + "id": "fitv6v1-bJdCMlckjQB9U", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1684.666748046875, + "y": 249.66668701171875, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 10.319992065429688, + "height": 25, + "seed": 493099906, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1721913583354, + "link": null, + "locked": false, + "fontSize": 20, + "fontFamily": 1, + "text": "*", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "*", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "arrow", + "version": 31, + "versionNonce": 1313840094, + "index": "b3l", + "isDeleted": false, + "id": 
"DM_FpJoMN3XDQyIIw9CdM", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1073.4007280651817, + "y": 574.6666870117188, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 74.59927193481826, + "height": 63.66668701171875, + "seed": 1537779230, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1721915268481, + "link": null, + "locked": false, + "startBinding": { + "elementId": "_w8SZsvQQMMcw4VeJ6XVA", + "focus": -0.1941847113209475, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "OVMZNmul11YJNmqruU0_b", + "focus": -0.04470306498300194, + "gap": 4.333404541015625, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + 74.59927193481826, + 63.66668701171875 + ] + ] + }, + { + "type": "arrow", + "version": 34, + "versionNonce": 939308574, + "index": "b3m", + "isDeleted": false, + "id": "K026ufvFyIg5TqTBlgOR8", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1000, + "y": 571.6666870117188, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 86, + "height": 166.66668701171875, + "seed": 1521850846, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1721913807396, + "link": null, + "locked": false, + "startBinding": { + "elementId": "_w8SZsvQQMMcw4VeJ6XVA", + "focus": 0.25451926428332955, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "CDuhzzGQ2yvc672XDmbzj", + "focus": -0.793399731093657, + "gap": 1, + "fixedPoint": null + }, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "points": [ + [ + 0, + 0 + ], + [ + 86, + 166.66668701171875 + ] + ] + }, + { + "type": "rectangle", + "version": 589, + 
"versionNonce": 1844997437, + "index": "b3o", + "isDeleted": false, + "id": "56sRB7V0asfVGDUFKEstT", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1526.0833333333323, + "y": -568.8809523809523, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 142.99999999999991, + "height": 276.66666666666674, + "seed": 93876547, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1732028516263, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 508, + "versionNonce": 93052051, + "index": "b3q", + "isDeleted": false, + "id": "CGq8JhEE4wdd0iVr8esou", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1892.7424325167995, + "y": -507.72393689557146, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 969.7179565429688, + "height": 114.0620958195481, + "seed": 1699730701, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103792217, + "link": null, + "locked": false, + "fontSize": 30.41655888521283, + "fontFamily": 1, + "text": "Entity Findings \n @restrict [{ grant: ['READ', 'WRITE'], to:FindingsReviewer}]\n} ", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Entity Findings \n @restrict [{ grant: ['READ', 'WRITE'], to:FindingsReviewer}]\n} ", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 263, + "versionNonce": 1350316566, + "index": "b3r", + "isDeleted": false, + "id": "dNjKCJvmsjCWTEVvFJS_g", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1514.499999999999, + "y": -918.5, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 338.9999999999999, + "height": 203.00000000000003, + 
"seed": 267718339, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "-bPXdTmyEeA5iW-EppOcf" + } + ], + "updated": 1722604795798, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 78, + "versionNonce": 93945686, + "index": "b3s", + "isDeleted": false, + "id": "-bPXdTmyEeA5iW-EppOcf", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1588.872039794921, + "y": -834.5, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 190.25592041015625, + "height": 35, + "seed": 1516973517, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722604795798, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "Business Role", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "dNjKCJvmsjCWTEVvFJS_g", + "originalText": "Business Role", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 933, + "versionNonce": 1130249427, + "index": "b3u", + "isDeleted": false, + "id": "Uv5dFTYPbSoEQEd68ieUy", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 4.715576599245854, + "x": 1507.9128271983582, + "y": -448.8945963910432, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 193.86334663030163, + "height": 44.93131288574775, + "seed": 1295134083, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103606282, + "link": null, + "locked": false, + "fontSize": 35.94505030859816, + "fontFamily": 1, + "text": "CAP Grant", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "CAP Grant", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 901, + "versionNonce": 1794858045, + "index": "b3v", + 
"isDeleted": false, + "id": "VLjzT9VWHGXL84n0c1rg7", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 4.705194859894398, + "x": 1673.7560745081366, + "y": -454.98373545871226, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 200.89242518752332, + "height": 46.56042810243335, + "seed": 1638353837, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103613709, + "link": null, + "locked": false, + "fontSize": 37.24834248194668, + "fontFamily": 1, + "text": "CAP Grant", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "CAP Grant", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 464, + "versionNonce": 1123166675, + "index": "b3w", + "isDeleted": false, + "id": "80a9vQIiOVxTPs9oOVe2o", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1902.5119047619037, + "y": -240.34523809523807, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 930.2437133789062, + "height": 175, + "seed": 2004505283, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103573721, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "Entity Findings \n@restrict [{ grant: 'READ', to:FindingsReporter,\n \n where: (exists reporters[user = $user]) }]\n", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Entity Findings \n@restrict [{ grant: 'READ', to:FindingsReporter,\n \n where: (exists reporters[user = $user]) }]\n", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 194, + "versionNonce": 2135751882, + "index": "b3x", + "isDeleted": false, + "id": "hj6T2SrOYKL3_lXQV6DYX", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + 
"roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1217.999999999999, + "y": -1138, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 639, + "height": 200, + "seed": 698420685, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "F54zdy8YQggyKKgknlV9r" + } + ], + "updated": 1722838631203, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 158, + "versionNonce": 451335050, + "index": "b3y", + "isDeleted": false, + "id": "F54zdy8YQggyKKgknlV9r", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1463.7940216064444, + "y": -1055.5, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 147.41195678710938, + "height": 35, + "seed": 881001443, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722838631203, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "AMS Policy", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "hj6T2SrOYKL3_lXQV6DYX", + "originalText": "AMS Policy", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 141, + "versionNonce": 1275590835, + "index": "b3z", + "isDeleted": false, + "id": "MyAbHIGWZ5aUCVNFlImhc", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 953.3333333333326, + "y": -1389, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 897.6666666666666, + "height": 215, + "seed": 2018329965, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "Up1Tyayq9RFmuU5UX1JeR" + } + ], + "updated": 1732089929891, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 92, + "versionNonce": 344746579, + "index": "b40", + 
"isDeleted": false, + "id": "Up1Tyayq9RFmuU5UX1JeR", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1325.7266871134432, + "y": -1299, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 152.8799591064453, + "height": 35, + "seed": 2021295459, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732089929891, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "IAG, IDDS", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "MyAbHIGWZ5aUCVNFlImhc", + "originalText": "IAG, IDDS", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 166, + "versionNonce": 77256348, + "index": "b41", + "isDeleted": false, + "id": "urk17AqhtlpCFrqDleJ3V", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1218.999999999999, + "y": -913.75, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 273, + "height": 195, + "seed": 1345046403, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "zArSfo7N97D5WZANeBCWt" + } + ], + "updated": 1726146194854, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 153, + "versionNonce": 951952156, + "index": "b41V", + "isDeleted": false, + "id": "zArSfo7N97D5WZANeBCWt", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1224.2380676269522, + "y": -851.25, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 262.52386474609375, + "height": 70, + "seed": 1288512131, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1726146194854, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": 
"Business Attribute\nFilter", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "urk17AqhtlpCFrqDleJ3V", + "originalText": "Business Attribute Filter", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "line", + "version": 404, + "versionNonce": 1359011507, + "index": "b43", + "isDeleted": false, + "id": "rv8u4P7VPvQ08FUWgAEj9", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "dotted", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 655.9999999999989, + "y": -688.6666666666667, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 2921.999999999999, + "height": 14.666666666666856, + "seed": 636187469, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1732089962928, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 2921.999999999999, + 14.666666666666856 + ] + ] + }, + { + "type": "text", + "version": 527, + "versionNonce": 639264669, + "index": "b45", + "isDeleted": false, + "id": "yUBTYKTpf7fBNLpRBA4VD", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "dotted", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2968.333333333332, + "y": -1124.333333333333, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 551.418212890625, + "height": 414.8484848484845, + "seed": 2044584717, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103762896, + "link": null, + "locked": false, + "fontSize": 33.18787878787876, + "fontFamily": 1, + "text": "\nApplication Policies:\nRecombination of Business Roles, \nFilters on System Attributes\n\nUser Assignment\nProvisioning\n\nUser administrators\nProvisioning automation", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": 
"\nApplication Policies:\nRecombination of Business Roles, \nFilters on System Attributes\n\nUser Assignment\nProvisioning\n\nUser administrators\nProvisioning automation", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "line", + "version": 197, + "versionNonce": 2107795885, + "index": "b46", + "isDeleted": false, + "id": "P3yMXQ2OGGDb7oMSWB1Jj", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 3616.857142857142, + "y": 411.85714285714204, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 14.285714285713766, + "height": 808.5714285714283, + "seed": 1572187533, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722499101469, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 14.285714285713766, + 808.5714285714283 + ] + ] + }, + { + "type": "line", + "version": 129, + "versionNonce": 472777859, + "index": "b47", + "isDeleted": false, + "id": "qt4dAjNPkQXCdSukwqHD4", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2466.8571428571427, + "y": 507.5714285714279, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 2090.0000000000005, + "height": 1.4285714285715017, + "seed": 1258420813, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722498482329, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 2090.0000000000005, + 1.4285714285715017 + ] + ] + }, + { + "type": "line", + "version": 119, + "versionNonce": 538944643, + "index": "b48", + "isDeleted": 
false, + "id": "NvolLkPRXRzXVUga4ZPeT", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2878.2857142857138, + "y": 423.2857142857136, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 2.857142857143117, + "height": 795.7142857142858, + "seed": 115249645, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722499094331, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 2.857142857143117, + 795.7142857142858 + ] + ] + }, + { + "type": "text", + "version": 63, + "versionNonce": 322369069, + "index": "b4A", + "isDeleted": false, + "id": "0R8zwy_QfRtJMY-fvy7Ii", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 3686.8571428571427, + "y": 423.9999999999994, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 410.6718444824219, + "height": 45, + "seed": 2061227363, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579317181, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Dynamic (Domain) Roles", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Dynamic (Domain) Roles", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 262, + "versionNonce": 1576829724, + "index": "b4B", + "isDeleted": false, + "id": "P-Tp9BW1Mns2OgqUfIG5D", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 3645.428571428571, + "y": 578.9999999999995, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 918.1636962890625, + "height": 180, + "seed": 
1179729891, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1726060433862, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "+ Nice user experience (UI)\n+ Authorizations automatically derived from domain\n+ Flexible rules\n", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "+ Nice user experience (UI)\n+ Authorizations automatically derived from domain\n+ Flexible rules\n", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 545, + "versionNonce": 97909796, + "index": "b4C", + "isDeleted": false, + "id": "CAWm0di4AoZ_fL8z6M2ak", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2936.6785714285716, + "y": 593.6428571428564, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 678.707763671875, + "height": 585, + "seed": 333855245, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1726060426270, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "+ Low dev effort\n+ Low security risc\n+ High integration (SCIM, provisioning) \n+ overarching integration possible\n+ Flexibility for user admins (filters)\n+ implicit access control \n (scales with users and entities)\n+ further dimensions \n (environment, location, time)\n+ IAS + AMS = XSUAA 2.0 (comp.)\n\n\n", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "+ Low dev effort\n+ Low security risc\n+ High integration (SCIM, provisioning) \n+ overarching integration possible\n+ Flexibility for user admins (filters)\n+ implicit access control \n (scales with users and entities)\n+ further dimensions \n (environment, location, time)\n+ IAS + AMS = XSUAA 2.0 (comp.)\n\n\n", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 164, + 
"versionNonce": 684110861, + "index": "b4D", + "isDeleted": false, + "id": "8xiZTfU_IY-tLVDXdTxor", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 3003.6229291643413, + "y": 426.49999999999926, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 464.02386474609375, + "height": 45, + "seed": 1234874509, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579299209, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Static Roles / Attributes", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Static Roles / Attributes", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 183, + "versionNonce": 1118829596, + "index": "b4E", + "isDeleted": false, + "id": "zN1XqV54yQ9ELoMcqFvJs", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 3664.2380952380954, + "y": 891.8571428571422, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 915.2356567382812, + "height": 405, + "seed": 306992653, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1726060450047, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "\n- High dev effort\n- Security risc\n- No integration (SCIM, provisioning)\n- cross-sectional roles/attributes hard to maintain\n- no filters ootb\n- does not scale well (#users, domain changes)\n- Role check requires DB lookup (part of filter)\n- IAS only - not comp. 
to XSUAA", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "\n- High dev effort\n- Security risc\n- No integration (SCIM, provisioning)\n- cross-sectional roles/attributes hard to maintain\n- no filters ootb\n- does not scale well (#users, domain changes)\n- Role check requires DB lookup (part of filter)\n- IAS only - not comp. to XSUAA", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 125, + "versionNonce": 1013675597, + "index": "b4F", + "isDeleted": false, + "id": "cMDRtgn8Ll3EiDfZRTn5d", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2959.952380952381, + "y": 1079.2380952380945, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 509.52789306640625, + "height": 225, + "seed": 904574627, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722584353439, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "- Static view (static roles, \n static attributes)\n- Static UI (technical)\n- Extra tool to assign roles\n", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "- Static view (static roles, \n static attributes)\n- Static UI (technical)\n- Extra tool to assign roles\n", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 69, + "versionNonce": 240630285, + "index": "b4G", + "isDeleted": false, + "id": "0WzIbZY2NQoLy3H_Wnjal", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 907.7499999999993, + "y": 1577.0357142857138, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 878.5714285714284, + "height": 841.4285714285713, + "seed": 1747854573, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 
1722499323124, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 134, + "versionNonce": 1190184013, + "index": "b4I", + "isDeleted": false, + "id": "DZZAUoKKPEuIU-WKjERjp", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 963.3758380223821, + "y": 1608.464285714285, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 517.4618336511048, + "height": 43.57142857142867, + "seed": 1895291235, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722501303882, + "link": null, + "locked": false, + "fontSize": 34.85714285714293, + "fontFamily": 1, + "text": "Domain (per event)/ permission", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Domain (per event)/ permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 137, + "versionNonce": 1227938413, + "index": "b4J", + "isDeleted": false, + "id": "qgIobbD8gC2wr3jLm8bk-", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 957.7499999999993, + "y": 1984.1785714285716, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 374.285714285714, + "height": 392.85714285714243, + "seed": 1451810115, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "bqT4iZQNdiJ4M1BNYJ-aq" + } + ], + "updated": 1722499374576, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 114, + "versionNonce": 73729229, + "index": "b4K", + "isDeleted": false, + "id": "bqT4iZQNdiJ4M1BNYJ-aq", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1058.1108976091648, + "y": 2158.1071428571427, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 
173.5639190673828, + "height": 45, + "seed": 1421304109, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499374576, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Permission", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "qgIobbD8gC2wr3jLm8bk-", + "originalText": "Permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 119, + "versionNonce": 1107924973, + "index": "b4L", + "isDeleted": false, + "id": "DWTMjpGS659DE3RE_hM1F", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1369.8928571428567, + "y": 2214.892857142857, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 369.9999999999998, + "height": 164.28571428571377, + "seed": 499296611, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "uzWFq6hdoLFF6HWWfzb0u" + } + ], + "updated": 1722499369942, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 96, + "versionNonce": 776606285, + "index": "b4M", + "isDeleted": false, + "id": "uzWFq6hdoLFF6HWWfzb0u", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1468.1108976091652, + "y": 2274.5357142857138, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 173.5639190673828, + "height": 45, + "seed": 923632899, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499369942, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Permission", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "DWTMjpGS659DE3RE_hM1F", + "originalText": "Permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 168, + 
"versionNonce": 427737229, + "index": "b4N", + "isDeleted": false, + "id": "3KHYE-qW6FmESTATsUukG", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1371.3214285714278, + "y": 2022.0357142857135, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 369.9999999999998, + "height": 164.28571428571377, + "seed": 99418637, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "UfbDFeSdnOrZKQXVkcgKZ" + } + ], + "updated": 1722499371893, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 146, + "versionNonce": 2052138733, + "index": "b4O", + "isDeleted": false, + "id": "UfbDFeSdnOrZKQXVkcgKZ", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1469.5394690377361, + "y": 2081.6785714285706, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 173.5639190673828, + "height": 45, + "seed": 310065261, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499371893, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Permission", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "3KHYE-qW6FmESTATsUukG", + "originalText": "Permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 228, + "versionNonce": 439380013, + "index": "b4P", + "isDeleted": false, + "id": "B3Sbgz3klNO8KNyg7k6S-", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1369.1785714285706, + "y": 1687.7499999999998, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 377.1428571428571, + "height": 299.99999999999955, + "seed": 41369763, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + 
"boundElements": [ + { + "type": "text", + "id": "aGJ3cIJd8GtmRqPLIDJx6" + } + ], + "updated": 1722501300017, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 205, + "versionNonce": 833411725, + "index": "b4Q", + "isDeleted": false, + "id": "aGJ3cIJd8GtmRqPLIDJx6", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1470.9680404663077, + "y": 1815.2499999999995, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 173.5639190673828, + "height": 45, + "seed": 531444803, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722501300017, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Permission", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "B3Sbgz3klNO8KNyg7k6S-", + "originalText": "Permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 294, + "versionNonce": 1686849485, + "index": "b4R", + "isDeleted": false, + "id": "_iM8mNFtEIEizwso1mJaw", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 964.8928571428567, + "y": 1689.178571428571, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 364.28571428571394, + "height": 259.9999999999997, + "seed": 357807555, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "HnpFF6-Q-K1IBbeNi67NH" + } + ], + "updated": 1722516874132, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 272, + "versionNonce": 1921492867, + "index": "b4S", + "isDeleted": false, + "id": "HnpFF6-Q-K1IBbeNi67NH", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1060.2537547520221, + "y": 1796.6785714285709, + "strokeColor": 
"#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 173.5639190673828, + "height": 45, + "seed": 1165886819, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722516874132, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Permission", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "_iM8mNFtEIEizwso1mJaw", + "originalText": "Permission", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 351, + "versionNonce": 341403309, + "index": "b4a", + "isDeleted": false, + "id": "u2LkPyYegNqGSqGEA02Tn", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2377.0357142857138, + "y": 1590.6071428571415, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 874.2857142857139, + "height": 822.857142857143, + "seed": 1731328707, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1722499830596, + "link": null, + "locked": false + }, + { + "type": "rectangle", + "version": 401, + "versionNonce": 1107824579, + "index": "b4c", + "isDeleted": false, + "id": "EmbN_EH5pdwqx0cMdoqbn", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2469.892857142857, + "y": 2112.749999999999, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 364.28571428571394, + "height": 259.9999999999997, + "seed": 1583631715, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "x-Yxnp0ne69gv-FmiNaZx" + } + ], + "updated": 1722499747632, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 397, + "versionNonce": 1318526819, + "index": "b4d", + "isDeleted": false, + "id": "x-Yxnp0ne69gv-FmiNaZx", + "fillStyle": "solid", + "strokeWidth": 4, + 
"strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2512.943764822823, + "y": 2220.249999999999, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 278.18389892578125, + "height": 45, + "seed": 1004185859, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499747632, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attribute value", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "EmbN_EH5pdwqx0cMdoqbn", + "originalText": "Attribute value", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 543, + "versionNonce": 865287779, + "index": "b4e", + "isDeleted": false, + "id": "EEcHjKvZq3WTspVQdjMeb", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2455.607142857142, + "y": 1681.321428571429, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 375.7142857142851, + "height": 391.42857142857093, + "seed": 1191196259, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "ETIOJcbqklWGx28BquLW1" + } + ], + "updated": 1722499746348, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 539, + "versionNonce": 1342405123, + "index": "b4f", + "isDeleted": false, + "id": "ETIOJcbqklWGx28BquLW1", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2504.3723362513942, + "y": 1854.5357142857144, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 278.18389892578125, + "height": 45, + "seed": 1527869955, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499746348, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attribute value", + 
"textAlign": "center", + "verticalAlign": "middle", + "containerId": "EEcHjKvZq3WTspVQdjMeb", + "originalText": "Attribute value", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 593, + "versionNonce": 1737460035, + "index": "b4g", + "isDeleted": false, + "id": "BPqIERsHmj4uZ_cIG7uVM", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2854.1785714285706, + "y": 1677.0357142857135, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 108.57142857142766, + "height": 695.7142857142852, + "seed": 2014762467, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "yBwFlY3HB6u6-eWC-x5mO" + } + ], + "updated": 1722499840350, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 599, + "versionNonce": 401828067, + "index": "b4h", + "isDeleted": false, + "id": "yBwFlY3HB6u6-eWC-x5mO", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2860.0802982875266, + "y": 1957.3928571428562, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 96.76797485351562, + "height": 135, + "seed": 2133336451, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499840350, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attri\nbute \nvalue", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "BPqIERsHmj4uZ_cIG7uVM", + "originalText": "Attribute value", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 734, + "versionNonce": 2027350093, + "index": "b4i", + "isDeleted": false, + "id": "iP1xy1DYFHD3osbhD9h3J", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 
2989.1785714285716, + "y": 1679.1785714285709, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 232.8571428571424, + "height": 207.1428571428566, + "seed": 1914289037, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "YFWDKZdJmP3UoAXItgqMU" + } + ], + "updated": 1722499853638, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 750, + "versionNonce": 1406031533, + "index": "b4j", + "isDeleted": false, + "id": "YFWDKZdJmP3UoAXItgqMU", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 3013.393168858119, + "y": 1737.749999999999, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 184.42794799804688, + "height": 90, + "seed": 466928109, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499853639, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attribute \nvalue", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "iP1xy1DYFHD3osbhD9h3J", + "originalText": "Attribute value", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 812, + "versionNonce": 101622819, + "index": "b4k", + "isDeleted": false, + "id": "C6sfLhYnxV8ksbbpLZKUR", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2988.4642857142853, + "y": 1909.1785714285706, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 234.28571428571396, + "height": 464.2857142857136, + "seed": 1879075299, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "28djEhOxqvzfPX9mS4I_R" + } + ], + "updated": 1722499863176, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 829, + "versionNonce": 
294397891, + "index": "b4l", + "isDeleted": false, + "id": "28djEhOxqvzfPX9mS4I_R", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 3013.3931688581188, + "y": 2096.3214285714275, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 184.42794799804688, + "height": 90, + "seed": 1824470403, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499863176, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attribute \nvalue", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "C6sfLhYnxV8ksbbpLZKUR", + "originalText": "Attribute value", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 103, + "versionNonce": 1599368013, + "index": "b4m", + "isDeleted": false, + "id": "o239FaC8lQdyDbCEXYra6", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "dashed", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2843.4642857142844, + "y": 1564.1785714285706, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 451.4285714285714, + "height": 898.5714285714281, + "seed": 557929219, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1722499892425, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 30, + "versionNonce": 967572035, + "index": "b4n", + "isDeleted": false, + "id": "g32J7eA-jlQGKO33gj_ff", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 3294.892857142856, + "y": 1609.8928571428567, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 94.28571428571377, + "height": 24.28571428571422, + "seed": 61604771, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722505038111, + 
"link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 94.28571428571377, + -24.28571428571422 + ] + ] + }, + { + "type": "text", + "version": 43, + "versionNonce": 1425961219, + "index": "b4o", + "isDeleted": false, + "id": "M7wxfTpoRxW_ZtmfbZJa_", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 3406.3214285714275, + "y": 1558.464285714285, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 279.47589111328125, + "height": 45, + "seed": 1189284227, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722499915790, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Attribute Filter", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Attribute Filter", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 45, + "versionNonce": 2129376077, + "index": "b4q", + "isDeleted": false, + "id": "xEXxC8FChbn2f5XQaOzwj", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 922.0357142857135, + "y": 1479.8928571428569, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 394.49981689453125, + "height": 45, + "seed": 420035277, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722501213080, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Classes by permissions", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Classes by permissions", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 61, + "versionNonce": 428923661, + "index": "b4r", + "isDeleted": 
false, + "id": "JZ1KJ5YA2TuQ-kaoLx3sF", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2376.3214285714275, + "y": 1487.0357142857138, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 544.0317993164062, + "height": 45, + "seed": 365071235, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722501210561, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Classes by attribute dimension", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Classes by attribute dimension", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 85, + "versionNonce": 296306093, + "index": "b4s", + "isDeleted": false, + "id": "VMAOVJcRU5ELtGvAJ0TBY", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2423.4642857142844, + "y": 1612.7499999999998, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 341.25592041015625, + "height": 45, + "seed": 663806211, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722501288593, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Domain / Attribute", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Domain / Attribute", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 289, + "versionNonce": 142319363, + "index": "b4t", + "isDeleted": false, + "id": "rDDz-qUAPm6YSVoNsiysM", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "dashed", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1352.0357142857126, + "y": 2002.0357142857142, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 485.7142857142855, + "height": 
479.99999999999983, + "seed": 1253044877, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1722505035014, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 74, + "versionNonce": 1417080813, + "index": "b4u", + "isDeleted": false, + "id": "AnKSRFXriY-uDmm_hWbR2", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1842.0357142857138, + "y": 2024.892857142857, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 94.28571428571377, + "height": 24.28571428571422, + "seed": 342787459, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722505040963, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 94.28571428571377, + -24.28571428571422 + ] + ] + }, + { + "type": "text", + "version": 115, + "versionNonce": 1745879107, + "index": "b4v", + "isDeleted": false, + "id": "eGAZHEcJDItF_l1jxAnLs", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1950.6439136323465, + "y": 1967.3928571428569, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 243.47190856933594, + "height": 45, + "seed": 2078364835, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722508453520, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Business Role", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Business Role", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 88, + "versionNonce": 1274278986, + "index": "b4w", + "isDeleted": false, + "id": "Bfb6-RpCauj8GHnNCB9wK", + 
"fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 544.7738095238094, + "y": 211.61904761904816, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 566.1397705078125, + "height": 45, + "seed": 1628647491, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722838850553, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Dynamic Roles via Domain (ACL)", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Dynamic Roles via Domain (ACL)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 48, + "versionNonce": 128094061, + "index": "b4y", + "isDeleted": false, + "id": "nEqgcxtai10WN8sU-f_C9", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1672.333822341192, + "y": 1470.904761904763, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 97.37997436523438, + "height": 45, + "seed": 1126698467, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722516876996, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "RBAC", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "RBAC", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 96, + "versionNonce": 852024099, + "index": "b4z", + "isDeleted": false, + "id": "g8HxOdNeLGg4eSDVHI5Hn", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 3185.190965198335, + "y": 1470.9047619047628, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 96.58798217773438, + "height": 45, + "seed": 1269651501, + "groupIds": [], + "frameId": null, + "roundness": null, + 
"boundElements": [], + "updated": 1722516883031, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "ABAC", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "ABAC", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 435, + "versionNonce": 2124897933, + "index": "b50", + "isDeleted": false, + "id": "BbkQPNpwf9RkwZqR734Gw", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4001.3763645717036, + "y": 1605.8043808710006, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 874.2857142857139, + "height": 822.857142857143, + "seed": 1066276451, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [], + "updated": 1722579686822, + "link": null, + "locked": false + }, + { + "type": "rectangle", + "version": 482, + "versionNonce": 1536362755, + "index": "b51", + "isDeleted": false, + "id": "3cfVk4lDzLGq0PdvBNj4b", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4238.04303123837, + "y": 1693.899618966239, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 332.6190476190479, + "height": 251.66666666666623, + "seed": 1320660973, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "xrGwbDncSIkcPxGPSZPE_" + } + ], + "updated": 1722579689543, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 523, + "versionNonce": 116453539, + "index": "b52", + "isDeleted": false, + "id": "xrGwbDncSIkcPxGPSZPE_", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4325.06257702055, + "y": 1797.232952299572, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 158.5799560546875, 
+ "height": 45, + "seed": 762653261, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579689543, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "3cfVk4lDzLGq0PdvBNj4b", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 658, + "versionNonce": 242740067, + "index": "b53", + "isDeleted": false, + "id": "WPAeLjlxK8lDHvDK_9c4U", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4077.5668407621797, + "y": 1686.0424761090962, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 108.57142857142766, + "height": 695.7142857142852, + "seed": 855226115, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "8I15fenmpFHwHVeN3QECq" + } + ], + "updated": 1722579680826, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 669, + "versionNonce": 989341891, + "index": "b54", + "isDeleted": false, + "id": "8I15fenmpFHwHVeN3QECq", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4097.452561151409, + "y": 2011.399618966239, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 68.79998779296875, + "height": 45, + "seed": 1498537635, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579683885, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "ACL", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "WPAeLjlxK8lDHvDK_9c4U", + "originalText": "ACL", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 569, + "versionNonce": 1973958755, + "index": 
"b55", + "isDeleted": false, + "id": "LozIuFWIz5B9izXInpBFv", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4607.209697905037, + "y": 1699.7329522995728, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 240.95238095238176, + "height": 241.6666666666662, + "seed": 1647411149, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "jlXUuAI7ebJXpwpyXATi7" + } + ], + "updated": 1722579752819, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 611, + "versionNonce": 963195907, + "index": "b56", + "isDeleted": false, + "id": "jlXUuAI7ebJXpwpyXATi7", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4648.395910353884, + "y": 1798.0662856329059, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 158.5799560546875, + "height": 45, + "seed": 1961492013, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579752819, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "LozIuFWIz5B9izXInpBFv", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 750, + "versionNonce": 736056963, + "index": "b57", + "isDeleted": false, + "id": "5LasksffS1WGPkBgSaqAK", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4248.0430312383705, + "y": 1984.7329522995733, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 234.28571428571573, + "height": 113.33333333333228, + "seed": 2068149411, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": 
"text", + "id": "cjYoxkNFgC1-WgO41b3Vm" + } + ], + "updated": 1722579713954, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 792, + "versionNonce": 1935117859, + "index": "b58", + "isDeleted": false, + "id": "cjYoxkNFgC1-WgO41b3Vm", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4285.895910353885, + "y": 2018.8996189662394, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 158.5799560546875, + "height": 45, + "seed": 1217718339, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579713954, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "5LasksffS1WGPkBgSaqAK", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 899, + "versionNonce": 2092594051, + "index": "b59", + "isDeleted": false, + "id": "loa17cO4XHMWyA-xLcC0D", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4514.709697905035, + "y": 1982.2329522995728, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 337.61904761904975, + "height": 229.99999999999918, + "seed": 1532025421, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "ECwEJ_rRmnZCn4zrdTK5f" + } + ], + "updated": 1722579750556, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 942, + "versionNonce": 348588835, + "index": "b5A", + "isDeleted": false, + "id": "ECwEJ_rRmnZCn4zrdTK5f", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4604.229243687216, + "y": 2074.7329522995724, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", 
+ "width": 158.5799560546875, + "height": 45, + "seed": 1983514797, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579750556, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "loa17cO4XHMWyA-xLcC0D", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 980, + "versionNonce": 499599491, + "index": "b5B", + "isDeleted": false, + "id": "y27aHau_dD1S-xeLqf_SH", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4258.043031238368, + "y": 2240.566285632906, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 574.2857142857162, + "height": 119.99999999999918, + "seed": 107421059, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "uIxESl_sXTeE4R7SJ5oBE" + } + ], + "updated": 1722579734450, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 1024, + "versionNonce": 124862499, + "index": "b5C", + "isDeleted": false, + "id": "uIxESl_sXTeE4R7SJ5oBE", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4465.895910353882, + "y": 2278.0662856329054, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 158.5799560546875, + "height": 45, + "seed": 1464759587, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579734450, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "y27aHau_dD1S-xeLqf_SH", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 828, + 
"versionNonce": 1671323875, + "index": "b5D", + "isDeleted": false, + "id": "C_HBEIj4YOQKp8Eh0g7nQ", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4254.709697905036, + "y": 2118.899618966239, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 234.28571428571573, + "height": 98.33333333333309, + "seed": 265907971, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "6YmWM9RnKl7ola2r7WWYZ" + } + ], + "updated": 1722579747652, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 871, + "versionNonce": 1199983747, + "index": "b5E", + "isDeleted": false, + "id": "6YmWM9RnKl7ola2r7WWYZ", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4292.56257702055, + "y": 2145.5662856329054, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 158.5799560546875, + "height": 45, + "seed": 1903859363, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579747652, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "document", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "C_HBEIj4YOQKp8Eh0g7nQ", + "originalText": "document", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 249, + "versionNonce": 1781479725, + "index": "b5F", + "isDeleted": false, + "id": "OKA5udmkoZqPd177yzqCE", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "dashed", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4222.804936000274, + "y": 1676.2805713471917, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 754.7619047619046, + "height": 280.23809523809456, + "seed": 1968402147, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, 
+ "boundElements": [], + "updated": 1722579770938, + "link": null, + "locked": false + }, + { + "type": "line", + "version": 87, + "versionNonce": 542779117, + "index": "b5G", + "isDeleted": false, + "id": "OIDbgZazlUIMQKqChYe2t", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4974.709697905036, + "y": 1684.3758094424295, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 94.28571428571377, + "height": 24.28571428571422, + "seed": 1144098659, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1722579780804, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 94.28571428571377, + -24.28571428571422 + ] + ] + }, + { + "type": "text", + "version": 113, + "versionNonce": 912653389, + "index": "b5H", + "isDeleted": false, + "id": "uwa7_V7qacVDTQu7yEiN0", + "fillStyle": "solid", + "strokeWidth": 1, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 5072.114609491252, + "y": 1639.7329522995726, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 346.4359130859375, + "height": 45, + "seed": 878103971, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579799229, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "ACL entry for User", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "ACL entry for User", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 151, + "versionNonce": 265208333, + "index": "b5I", + "isDeleted": false, + "id": "xmgdTOIvzh3qC6MAM8zxK", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + 
"angle": 0, + "x": 4836.891897292358, + "y": 1474.7329522995724, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 68.79998779296875, + "height": 45, + "seed": 2062145091, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579806438, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "ACL", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "ACL", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 117, + "versionNonce": 623227181, + "index": "b5J", + "isDeleted": false, + "id": "Sv7X_wQm9kwz4bJIoXvv3", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4029.8366553896894, + "y": 1524.7329522995724, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 385.7518615722656, + "height": 45, + "seed": 1550892163, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579872956, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Classes by documents", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Classes by documents", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 152, + "versionNonce": 893251533, + "index": "b5K", + "isDeleted": false, + "id": "_WLRKpyN0WqQMU29hglyI", + "fillStyle": "solid", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4031.2245948428144, + "y": 1618.0662856329056, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "width": 359.6959228515625, + "height": 45, + "seed": 1549086979, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722579862676, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + 
"text": "Domain / Documents", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Domain / Documents", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 504, + "versionNonce": 363288691, + "index": "b5Q", + "isDeleted": false, + "id": "loEAMKsQuTyyJhcy_jRwD", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1523.602555047893, + "y": -665.8741905575705, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 322.5714285714289, + "height": 78.83333333333353, + "seed": 1287022915, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "WkLr-hwKuXHz0EQdBDYyp" + } + ], + "updated": 1732028458715, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 321, + "versionNonce": 2057949715, + "index": "b5R", + "isDeleted": false, + "id": "WkLr-hwKuXHz0EQdBDYyp", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1620.5042819068497, + "y": -643.9575238909038, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 128.76797485351562, + "height": 35, + "seed": 1967016163, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732028458715, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "CAP Role", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "loEAMKsQuTyyJhcy_jRwD", + "originalText": "CAP Role", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "line", + "version": 340, + "versionNonce": 669264221, + "index": "b5S", + "isDeleted": false, + "id": "jvtrQ1NidUOBuA9RRNto9", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "dotted", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 621.9750490129475, + "y": 
-1154.6941938854932, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 2962, + "height": 3.0000000000002274, + "seed": 1882935907, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1732089944090, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + 2962, + 3.0000000000002274 + ] + ] + }, + { + "type": "text", + "version": 286, + "versionNonce": 1561273587, + "index": "b5T", + "isDeleted": false, + "id": "_Lz924JtCQ2n6E8QBe8qF", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 634.3525550478926, + "y": -1364.5220550352615, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 197.04462687174464, + "height": 128.0050073348339, + "seed": 1219150915, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732091395671, + "link": null, + "locked": false, + "fontSize": 51.202002933933564, + "fontFamily": 1, + "text": "SAP \nsystems", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "SAP \nsystems", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 361, + "versionNonce": 2064190877, + "index": "b5W", + "isDeleted": false, + "id": "Zc1-RCvSuvQXIuGN2XX__", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2961.0192217145595, + "y": -1402.2136383895609, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 543.8650424238555, + "height": 181.11325735579965, + "seed": 1881255043, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103767803, + "link": null, + "locked": false, + "fontSize": 36.22265147115994, + 
"fontFamily": 1, + "text": "Composite Roles\nUser assignment API\nSystem-wide provisioning\n(System attributes: long term)", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Composite Roles\nUser assignment API\nSystem-wide provisioning\n(System attributes: long term)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 24, + "versionNonce": 529633485, + "index": "b5d", + "isDeleted": false, + "id": "dKhQF7AoIEocZN-NTG6vj", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2067.352555047894, + "y": 1716.4829522995724, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 67.88398742675781, + "height": 118.01811613639542, + "seed": 1259986285, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1722592260951, + "link": null, + "locked": false, + "fontSize": 94.4144929091163, + "fontFamily": 1, + "text": "&", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "&", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 415, + "versionNonce": 691788498, + "index": "b5e", + "isDeleted": false, + "id": "tCJgRs6B1l9JlF7I6k5W-", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 1535.8763645717029, + "y": -257.9932381766181, + "strokeColor": "#1e1e1e", + "backgroundColor": "#d0bfff", + "width": 298.92857142857105, + "height": 165.714285714286, + "seed": 1980718538, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "U6SqPa33aRA1htWjVS_ck" + } + ], + "updated": 1732176004224, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 379, + "versionNonce": 1985786002, + "index": "b5f", + "isDeleted": false, + "id": 
"U6SqPa33aRA1htWjVS_ck", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1568.4286858694845, + "y": -197.6360953194751, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 233.8239288330078, + "height": 45, + "seed": 16915661, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732176004224, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "Domain (ACL)", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "tCJgRs6B1l9JlF7I6k5W-", + "originalText": "Domain (ACL)", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 150, + "versionNonce": 1060578013, + "index": "b5i", + "isDeleted": false, + "id": "fISdlV371nCIaPjWfFyei", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1923.0668407621793, + "y": -1093.8027619861418, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 795.4598388671875, + "height": 140, + "seed": 1227173078, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103696144, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "POLICY QualityExpert {\n ASSIGN ROLE FindingsReviewer WHERE \n SystemId IS NOT RESTRICTED;\n}", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "POLICY QualityExpert {\n ASSIGN ROLE FindingsReviewer WHERE \n SystemId IS NOT RESTRICTED;\n}", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 18, + "versionNonce": 1600079581, + "index": "b5j", + "isDeleted": false, + "id": "CN2Kkxzs216Y4YrbJnX-Q", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1939.4954121907504, + "y": 
-842.6122857956656, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 288.3998718261719, + "height": 35, + "seed": 1708931274, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103468301, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "System, SystemType ", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "System, SystemType ", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 54, + "versionNonce": 1010384915, + "index": "b5k", + "isDeleted": false, + "id": "bLSDmt_WWGqV4NPu09Brv", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 1908.0668407621793, + "y": -636.4218096051894, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 456.09173583984375, + "height": 35, + "seed": 1324310474, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103637351, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 1, + "text": "FindingsReporter, FindingsReviewer", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "FindingsReporter, FindingsReviewer", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "text", + "version": 171, + "versionNonce": 1860508691, + "index": "b5l", + "isDeleted": false, + "id": "ZB1V0rCo4tvAa_UWTTy28", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 2354.8726708548365, + "y": -838.9218096051894, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 427.01177978515625, + "height": 35, + "seed": 714424522, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1732103722698, + "link": null, + "locked": false, + "fontSize": 28, + "fontFamily": 
1, + "text": "QualityEngineer, SecurityExpert", + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "QualityEngineer, SecurityExpert", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "line", + "version": 397, + "versionNonce": 2079859219, + "index": "b5m", + "isDeleted": false, + "id": "yPoI7JKxhXH0DS--UVPJF", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "dotted", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 2850.191456126923, + "y": -1465.950801243709, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 4.66666666666697, + "height": 1411.3333333333333, + "seed": 1628533939, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 2 + }, + "boundElements": [], + "updated": 1732089859061, + "link": null, + "locked": false, + "startBinding": null, + "endBinding": null, + "lastCommittedPoint": null, + "startArrowhead": null, + "endArrowhead": null, + "points": [ + [ + 0, + 0 + ], + [ + -4.66666666666697, + 1411.3333333333333 + ] + ] + }, + { + "id": "UL0n--n5oF6DSY_dwJAny", + "type": "text", + "x": 647.9429011269215, + "y": -956.3492063492055, + "width": 122.07879412615735, + "height": 73.33333333333329, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b5o", + "roundness": null, + "seed": 19423709, + "version": 122, + "versionNonce": 837080541, + "isDeleted": false, + "boundElements": [], + "updated": 1732089960488, + "link": null, + "locked": false, + "text": "AMS", + "fontSize": 58.66666666666663, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "AMS", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "CR7FoQtEzJLNh_9E5kIC0", + "type": "text", + "x": 663.5701707305097, + "y": -466.3492063492057, + "width": 
116.79150390625, + "height": 73.33333333333329, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b5p", + "roundness": null, + "seed": 1621307165, + "version": 185, + "versionNonce": 479700477, + "isDeleted": false, + "boundElements": [], + "updated": 1732089966075, + "link": null, + "locked": false, + "text": "CAP", + "fontSize": 58.66666666666663, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "CAP", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "x65TD1pgRju68SBmMoGWQ", + "type": "text", + "x": 2969.6095677935887, + "y": -548.0158730158723, + "width": 664.1820987654322, + "height": 371.6666666666666, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b5q", + "roundness": null, + "seed": 745526301, + "version": 332, + "versionNonce": 463964957, + "isDeleted": false, + "boundElements": [], + "updated": 1732103760350, + "link": null, + "locked": false, + "text": "Domain access rules (grants):\nStatic Roles\nStatic Filters\nDynamic Rules (ACL like)\n\nEnforcement\n\nDeveloper / CDS Modeler", + "fontSize": 37.16666666666666, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Domain access rules (grants):\nStatic Roles\nStatic Filters\nDynamic Rules (ACL like)\n\nEnforcement\n\nDeveloper / CDS Modeler", + "autoResize": false, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 843, + "versionNonce": 1364229411, + "index": "b5r", + "isDeleted": false, + "id": "BD6CHYOkOevwx_Cy04b6O", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + 
"roughness": 1, + "opacity": 100, + "angle": 6.281244875266019, + "x": 4817.816910119738, + "y": -871.7385395684298, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 416.3333333333336, + "height": 397.0602433325521, + "seed": 183615182, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "id": "sq5YN9RTsWz1P95lS0Z9M", + "type": "arrow" + }, + { + "id": "QFPpiNkYlijtPfwUcYnbQ", + "type": "arrow" + }, + { + "id": "RJERC8cyigxXvhDzlN8xf", + "type": "arrow" + }, + { + "id": "XW93cMwR4fGB9Q4FktWXx", + "type": "arrow" + } + ], + "updated": 1734337744576, + "link": null, + "locked": false + }, + { + "type": "rectangle", + "version": 604, + "versionNonce": 1673676205, + "index": "b5s", + "isDeleted": false, + "id": "i2FPTD7QqnnA74TYwJaRq", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 4823.895282079304, + "y": -337.95634920634836, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 403.09523809523796, + "height": 150.714285714286, + "seed": 1425493518, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "LJ3GRsl1SuBVWlqGmyVZB" + }, + { + "id": "sq5YN9RTsWz1P95lS0Z9M", + "type": "arrow" + } + ], + "updated": 1734338110789, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 569, + "versionNonce": 2015823885, + "index": "b5t", + "isDeleted": false, + "id": "LJ3GRsl1SuBVWlqGmyVZB", + "fillStyle": "hachure", + "strokeWidth": 4, + "strokeStyle": "solid", + "roughness": 0, + "opacity": 100, + "angle": 0, + "x": 4998.316909305634, + "y": -285.09920634920536, + "strokeColor": "#1e1e1e", + "backgroundColor": "#ffec99", + "width": 54.251983642578125, + "height": 45, + "seed": 759061582, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1734338110789, + "link": null, + "locked": 
false, + "fontSize": 36, + "fontFamily": 1, + "text": "DB", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "i2FPTD7QqnnA74TYwJaRq", + "originalText": "DB", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 562, + "versionNonce": 1205919363, + "index": "b5u", + "isDeleted": false, + "id": "cBpIbI-Q6qGf1PpMlsTcQ", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 5508.442901126923, + "y": -746.5992063492051, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 338.9999999999999, + "height": 116.33333333333348, + "seed": 487631118, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "623Cr6q6Z_ACc6h7M-C9O" + } + ], + "updated": 1734337837151, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 387, + "versionNonce": 635967011, + "index": "b5v", + "isDeleted": false, + "id": "623Cr6q6Z_ACc6h7M-C9O", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 5588.064925663056, + "y": -710.9325396825384, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 179.75595092773438, + "height": 45, + "seed": 2138330958, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1734337837151, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "IAS Plugin", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "cBpIbI-Q6qGf1PpMlsTcQ", + "originalText": "IAS Plugin", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "type": "rectangle", + "version": 574, + "versionNonce": 124632835, + "index": "b5w", + "isDeleted": false, + "id": "uVY-CzwiwiyTJLpHGvTFq", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + 
"angle": 0, + "x": 5506.359567793591, + "y": -615.7658730158719, + "strokeColor": "#1e1e1e", + "backgroundColor": "#b2f2bb", + "width": 338.9999999999999, + "height": 116.33333333333348, + "seed": 1419231630, + "groupIds": [], + "frameId": null, + "roundness": { + "type": 3 + }, + "boundElements": [ + { + "type": "text", + "id": "uCyOdszgWZ-15HvjI375c" + }, + { + "id": "RJERC8cyigxXvhDzlN8xf", + "type": "arrow" + }, + { + "id": "kJagA2Vs7UWBb4PfOrVSP", + "type": "arrow" + } + ], + "updated": 1734337872951, + "link": null, + "locked": false + }, + { + "type": "text", + "version": 402, + "versionNonce": 234871267, + "index": "b5x", + "isDeleted": false, + "id": "uCyOdszgWZ-15HvjI375c", + "fillStyle": "hachure", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "angle": 0, + "x": 5582.003595503552, + "y": -580.0992063492051, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "width": 187.71194458007812, + "height": 45, + "seed": 1468293070, + "groupIds": [], + "frameId": null, + "roundness": null, + "boundElements": [], + "updated": 1734337872951, + "link": null, + "locked": false, + "fontSize": 36, + "fontFamily": 1, + "text": "AMS Plugin", + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "uVY-CzwiwiyTJLpHGvTFq", + "originalText": "AMS Plugin", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "O_RRLbOLLelPRlqMX8FQT", + "type": "rectangle", + "x": 5494.192901126923, + "y": -338.0158730158719, + "width": 361.6666666666671, + "height": 151.66666666666697, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b5y", + "roundness": { + "type": 3 + }, + "seed": 2070259602, + "version": 257, + "versionNonce": 262518787, + "isDeleted": false, + "boundElements": [ + { + "type": "text", + "id": "ar3SPP0ccuwUncR2hNpvs" + }, + 
{ + "id": "kJagA2Vs7UWBb4PfOrVSP", + "type": "arrow" + } + ], + "updated": 1734337978454, + "link": null, + "locked": false + }, + { + "id": "ar3SPP0ccuwUncR2hNpvs", + "type": "text", + "x": 5580.2022522214875, + "y": -284.6825396825384, + "width": 189.64796447753906, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b5z", + "roundness": null, + "seed": 1687872210, + "version": 215, + "versionNonce": 1565180675, + "isDeleted": false, + "boundElements": [], + "updated": 1734337890105, + "link": null, + "locked": false, + "text": "IAS / AMS", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "center", + "verticalAlign": "middle", + "containerId": "O_RRLbOLLelPRlqMX8FQT", + "originalText": "IAS / AMS", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "dTXM1_i6ESoW9qEbUOK0t", + "type": "arrow", + "x": 5020.026234460256, + "y": -1009.2658730158719, + "width": 1.25, + "height": 136.25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b60", + "roundness": { + "type": 2 + }, + "seed": 1938040398, + "version": 157, + "versionNonce": 442404227, + "isDeleted": false, + "boundElements": [], + "updated": 1734337754651, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -1.25, + 136.25 + ] + ], + "lastCommittedPoint": null, + "startBinding": null, + "endBinding": null, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "4n7OnXDaqajX_iAd3txlq", + "type": "text", + "x": 5046.692901126922, + "y": -968.8492063492051, + "width": 79.77998352050781, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": 
"transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b61", + "roundness": null, + "seed": 1892552206, + "version": 105, + "versionNonce": 1998076579, + "isDeleted": false, + "boundElements": [], + "updated": 1734338073477, + "link": null, + "locked": false, + "text": "JWT", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "JWT", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "sq5YN9RTsWz1P95lS0Z9M", + "type": "arrow", + "x": 5027.771928970494, + "y": -473.68139077230416, + "width": 0.7529780339364152, + "height": 127.67722565466153, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b62", + "roundness": { + "type": 2 + }, + "seed": 1223464206, + "version": 301, + "versionNonce": 2072280685, + "isDeleted": false, + "boundElements": [], + "updated": 1734338110789, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 0.7529780339364152, + 127.67722565466153 + ] + ], + "lastCommittedPoint": null, + "startBinding": { + "elementId": "BD6CHYOkOevwx_Cy04b6O", + "focus": -0.007419237541381339, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "i2FPTD7QqnnA74TYwJaRq", + "focus": 0.017693210517091173, + "gap": 8.047815911294265, + "fixedPoint": null + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "QFPpiNkYlijtPfwUcYnbQ", + "type": "arrow", + "x": 5500.442901126923, + "y": -686.7709284863648, + "width": 323.7612047282091, + "height": 1.3266619950030645, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + 
"roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b63", + "roundness": { + "type": 2 + }, + "seed": 1412631122, + "version": 326, + "versionNonce": 1080602147, + "isDeleted": false, + "boundElements": [], + "updated": 1734337827171, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -323.7612047282091, + -1.3266619950030645 + ] + ], + "lastCommittedPoint": null, + "startBinding": null, + "endBinding": { + "elementId": "v8LThFEYy6lBql6nI1rVQ", + "focus": -0.14583118074854268, + "gap": 13.384084697921026, + "fixedPoint": null + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "RJERC8cyigxXvhDzlN8xf", + "type": "arrow", + "x": 5505.359567793591, + "y": -564.3989397678943, + "width": 324.60199419677156, + "height": 5.758313914620089, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b65", + "roundness": { + "type": 2 + }, + "seed": 1200166930, + "version": 320, + "versionNonce": 302311075, + "isDeleted": false, + "boundElements": [], + "updated": 1734337872951, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + -324.60199419677156, + -5.758313914620089 + ] + ], + "lastCommittedPoint": null, + "startBinding": { + "elementId": "uVY-CzwiwiyTJLpHGvTFq", + "focus": 0.06171180979360312, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "jDK4dSGNezMikjE3qn8ri", + "focus": -0.1521713873312393, + "gap": 1.5059366274717831, + "fixedPoint": null + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "XJy29-Y7ArzEfJg4lajRe", + "type": "text", + "x": 5283.776234460256, + "y": -617.1825396825386, + "width": 190.91993713378906, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + 
"fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b66", + "roundness": null, + "seed": 1247242834, + "version": 43, + "versionNonce": 2072067331, + "isDeleted": false, + "boundElements": [], + "updated": 1734337859228, + "link": null, + "locked": false, + "text": "User Roles", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "User Roles", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "HDuUhjuKkuDJtKlz16nvg", + "type": "text", + "x": 5277.10956779359, + "y": -553.4325396825386, + "width": 210.1439208984375, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b67", + "roundness": null, + "seed": 760794450, + "version": 65, + "versionNonce": 932976611, + "isDeleted": false, + "boundElements": [ + { + "id": "RJERC8cyigxXvhDzlN8xf", + "type": "arrow" + } + ], + "updated": 1734337861157, + "link": null, + "locked": false, + "text": "User Filters", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "User Filters", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "kJagA2Vs7UWBb4PfOrVSP", + "type": "arrow", + "x": 5670.701610637358, + "y": -498.4325396825384, + "width": 1.4203595798344395, + "height": 159.41666666666652, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b68", + "roundness": { + "type": 2 + }, + "seed": 1253115150, + "version": 309, + "versionNonce": 765553315, + "isDeleted": false, + "boundElements": [], 
+ "updated": 1734337890105, + "link": null, + "locked": false, + "points": [ + [ + 0, + 0 + ], + [ + 1.4203595798344395, + 159.41666666666652 + ] + ], + "lastCommittedPoint": null, + "startBinding": { + "elementId": "uVY-CzwiwiyTJLpHGvTFq", + "focus": 0.0077922973653715135, + "gap": 1, + "fixedPoint": null + }, + "endBinding": { + "elementId": "O_RRLbOLLelPRlqMX8FQT", + "focus": -0.012229146085728775, + "gap": 1, + "fixedPoint": null + }, + "startArrowhead": null, + "endArrowhead": "arrow", + "elbowed": false + }, + { + "id": "MCu2KWfHsaBdeAv95kZ5O", + "type": "text", + "x": 5061.276234460256, + "y": -443.0158730158719, + "width": 264.2159118652344, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6D", + "roundness": null, + "seed": 1786284494, + "version": 23, + "versionNonce": 1593026706, + "isDeleted": false, + "boundElements": [], + "updated": 1732177147958, + "link": null, + "locked": false, + "text": "Query w filters", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Query w filters", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "jDK4dSGNezMikjE3qn8ri", + "type": "rectangle", + "x": 4884.251636969348, + "y": -616.5753968253966, + "width": 295, + "height": 101.25, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6E", + "roundness": { + "type": 3 + }, + "seed": 92003149, + "version": 256, + "versionNonce": 1215592227, + "isDeleted": false, + "boundElements": [ + { + "id": "RJERC8cyigxXvhDzlN8xf", + "type": "arrow" + } + ], + "updated": 1734338014743, + "link": null, + "locked": false + }, + { 
+ "id": "xAsLeGwH_dXXLy1RCLhYZ", + "type": "text", + "x": 4911.751636969348, + "y": -587.8253968253966, + "width": 240.93991088867188, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6F", + "roundness": null, + "seed": 404327555, + "version": 190, + "versionNonce": 1155415747, + "isDeleted": false, + "boundElements": null, + "updated": 1734337721370, + "link": null, + "locked": false, + "text": "Authorization", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Authorization", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "BlTQ5GF_PAuM0FH2Ur8-q", + "type": "text", + "x": 4880.501636969348, + "y": -841.5753968253966, + "width": 290.919921875, + "height": 95.76037030951987, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6G", + "roundness": null, + "seed": 1503953965, + "version": 139, + "versionNonce": 703284109, + "isDeleted": false, + "boundElements": null, + "updated": 1734337749162, + "link": null, + "locked": false, + "text": "CAP Application\n ", + "fontSize": 38.30414812380795, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "CAP Application\n ", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "rYSvlT2rx-5ctDLaxq5w0", + "type": "rectangle", + "x": 4878.001636969348, + "y": -734.7003968253966, + "width": 295, + "height": 95.00000000000003, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + 
"groupIds": [], + "frameId": null, + "index": "b6H", + "roundness": { + "type": 3 + }, + "seed": 800196803, + "version": 312, + "versionNonce": 363808109, + "isDeleted": false, + "boundElements": [], + "updated": 1734338014030, + "link": null, + "locked": false + }, + { + "id": "v8LThFEYy6lBql6nI1rVQ", + "type": "text", + "x": 4903.781681525012, + "y": -707.8253968253966, + "width": 259.51593017578125, + "height": 45, + "angle": 0, + "strokeColor": "#1e1e1e", + "backgroundColor": "#a5d8ff", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "solid", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6I", + "roundness": null, + "seed": 439986691, + "version": 243, + "versionNonce": 2113325357, + "isDeleted": false, + "boundElements": [ + { + "id": "QFPpiNkYlijtPfwUcYnbQ", + "type": "arrow" + } + ], + "updated": 1734337817714, + "link": null, + "locked": false, + "text": "Authentication", + "fontSize": 36, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "Authentication", + "autoResize": true, + "lineHeight": 1.25 + }, + { + "id": "oTv_-p5-pjuDvhOQQkjMF", + "type": "text", + "x": 5261.1402334087825, + "y": -776.5278504001826, + "width": 231.22280712112965, + "height": 87.40490714957203, + "angle": 0.007613297783697348, + "strokeColor": "#1e1e1e", + "backgroundColor": "transparent", + "fillStyle": "solid", + "strokeWidth": 2, + "strokeStyle": "dashed", + "roughness": 1, + "opacity": 100, + "groupIds": [], + "frameId": null, + "index": "b6L", + "roundness": null, + "seed": 1183558019, + "version": 318, + "versionNonce": 1168279373, + "isDeleted": false, + "boundElements": [], + "updated": 1734338088263, + "link": null, + "locked": false, + "text": "\nUser Context", + "fontSize": 34.96196285982883, + "fontFamily": 5, + "textAlign": "left", + "verticalAlign": "top", + "containerId": null, + "originalText": "\nUser Context", + "autoResize": true, + "lineHeight": 1.25 + 
} + ], + "appState": { + "gridSize": 20, + "gridStep": 5, + "gridModeEnabled": false, + "viewBackgroundColor": "#ffffff" + }, + "files": {} +} \ No newline at end of file 
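Review bot: the Excalidraw source ends without a trailing newline (the `\ No newline at end of file` marker at the end of this hunk); add a final newline so that future diffs of this JSON file do not show a spurious change on the closing `}` line and so that POSIX tools treat the last line as complete.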
diff --git a/guides/security/assets/ams.png b/guides/security/assets/ams.png new file mode 100644 index 0000000000000000000000000000000000000000..cdc487d4997642af10b5b5cfa2e793503f05182a GIT binary patch literal 426976 zcmc$`Wk6K@);BzKBM2xBqI8RNE1-0T0SP2sM@G1h|yAAP|T^{)LPN2!zf60--5lV*-DP zj}}t}{)6JG@%$;Me297t1fmDY%SdZ^8E?+uco}M+N$&3WGRM{3BPGt0aw!Bqhzr4s zA9<6%DasZ}_Sn=Fg_IOsohU(B>YZ#LDk_v?5M2i4zQ?;(H63+(KAT7j$Y-Vn)Hfqf zT;~FZ22!q{^``SVj6RWXJMljMq`aN(JG?rZvea^tenR#t7lgqgg@UUVgi4zI?~kF6 z=tJG8X~X{f+dp3i1!K>m|MNe8{0u)8ghm`HH;ATw>sJ4|vRw*&=kI4Azra)u3J#af zT?zhg5lF%GAt(P9=#S@xGPO%}Wvd@Z{qeVdKJpNC_y(b((W~j|3SzcHa-YX;>ovUk zWq|hWQQCh__phsY7%<4g$=@d>WKh}%pP!#sMD{Mj&ebHc=DaIohZp}k1UVNfz6^d6 zd-nnL2&yT0CeA#*>xV|en4OXb{S$jloe#2cUq2XsCc0^q10+jt2e)$VdLfmNxu<@h(gT zuRDME)IT42tdZ)c<}yzvG@JU1#ywLuLNP715XI?#KgdS0lqxl+i-JpyYvi7 zHRrn}5C}sq4>;7r{pxDXzrJ9R3jW9nMA^3%E;067LL$SeJsb!jGZ|wY59r?yX5o2) z%n+%FH&(KL+mn?1J)qmD-u^z7za1Zh5mo?*^6a2#xAecg@}UMYBY3}@C?0$8?!_ZG z{=DRb{qfH+XFuAw+XA$|A_626GGxqLe0RU7qC!$brd)eWaR2PG=j|oV0XpmLq+QAc zXk3Rx?2c$P`ufI38#BXds&QHEPyO7L!88PawNLNtZBHX5Cr8G|m-l6*zfg~kj+i5Q zyTd-#)g3>?yU*okN5E`)^4B8{*?~0fgpZ3KB<1gag^*ox8PyV_oty8zZ*sW`deYDI z*KwnSfCtD;Gg`jYd5io-lFSmN>tS;$s0i4eQii5Z3ssDgYr6j+9{OX*Cro3!Z&t2d4S+ zSX%#ZSUEGpjmDVLN44IT%l-ZvfyO7Se>pVR9XM%~$dR`_E`Ey?$NLxQd9eG(qi&)> z_E{B@bm$%VG&D371ee7vZQag`U&`oWdjdHaOi*`g7!?!Kug^Cs+G=32{l~W)Cio*G zGVGdY#i(#g**<-~=cUiR^sw(_Nu|vc~ zL_}6fUl3|amLO}{m_fvC z*JcOGR9D~G-WVyl3s9`L@63yUHgvpQtd?CGYkat;Dr@c!VTXXti5tPPXqc@rbaASxG^d!Mx)A1w1>PbPcg#l|Z5>F}4tc&O3W*VjF8L*}Jj%hgG@rU7GqQS#vlB4p$-?7xC+2$d_JgXk~~`_>)p9>(IWo8KEF}?%rkwb-4b+{wqiCypa*oS zBnS;IVv z);rGpu2c3FdtwEoakQ^|B$Mdb89a}dLK>cF)9ti!bS+gBm6bVcrF^eSgI(7a6s$yY zw;q1L(fSKShXn(H*g4OzNBS1t{sLF#wdtuks0OrYx2y}X3HyOS1S-mK)j1pu5t!c9 z3&3jkUS=f5C6}g;z320q~QArMwEWRzo^4O zyKrh^ra;TA`3~GW$0QM5VKAT2lvZ##G@Lqq5aPsX@-Zwdtai?Kr&Uwiy@mxEAntSc z8*A_b0fNke-fVZriS}0hK|@wbDckBYejTt77Q=Z7y}F4>TW+|RJ-2nfl#DWYSV8p{ zPnjhuplB7qYsi60BgxLN{5a(#viH}7{m=Mq!(Y+C;baAic(=rUgv@AnlY*Ifr!nO8 
z>CJ#ju9?fygkXBTDM<8P^yFD!BPEkcy57Z*=+32{cAI5+1uQdtc$J&~#xP}LMzjqh zh%B?L>hWqj;&$F+=K=(VPVFU->M`+*pc0SaBejsEeWcs!7`o-!IK8=lv$3%ui2Cjx zv1aPQ7zF5 zM`HHupcWbO%LLl3ax#QGb318yE|%rOKo!gFxup#75gz^-%IG@t0)-lQ3Fj1*7|229 zA@n?F)G;W#9z^KA0CpPSy-UKRboxqH7cq=NZJfA96%N!{Wb&QMqCuB-eg6D;kJO9D zM7%^$`&*!`L=`BsV^+ftHNo`gA<+Vp){B#qlmDslL&(nOc#%x^m(pqSoe zmx8X9>M~XO&wj1xH`1SZE^&iOF48ZrjEszwD_V~ysr(f^P=!R2`cn+=vM1zK`?W{} zhg;>ch~(AOxc-s?R}AfMF)&rKhl5(2I%83Vn3MX&v9p^`1Rc8Z;%&)sSoDC zR}Khg-$Lx5>{16UqLgwn%uxVwoe+7S8{UQf5cCN{`Wvb2_e4;6<%Jl|{5N}ni;?yt zN^(KR>GRs!+A?uI5s#WJc!m9MDcVSf+W;1g8wjZOv}##gd}xp|rHu=}-*@Ns=dw$E z^w`&clP(llf!Z3sPJCnkZb22q4ft}S|J3iAF0+Yx*(K=7tnZF!McegxGteV{uVL%D zTyqlTP3pgzlUfdAq07!nq4x!Ta)F7Ffpr^h>F5LgmB3_yMyltJnr2`96%#f|E~_pc zlma?77^)HG2ddPx=g-$Rxx-Q6E;TzPLBwId%0Z5NeDvqkCo%Nc@R9G|_aJbY)U7$Z7QKxNN|0>BnA|X$Cb%8L0?0uTEKnt>9Ex^kqvu5L4*=O)4~zq^jy%t& zxbdIG6^%UV#AqH^Gz2jpPVQ)@fewOEb{+)5gRzMl-8RRo3Ww4J zE9|tXV;yeiCo}*vceVRe*YfLSTctd$60;;iPXpr6trP-H<-s3(9AzYH(FAkE$nMCD z`%35R!Ii`p98xsm&2$$>lVVXnEo$UZp%`o0VCux39rjL}P~t++DP~YT`<9>@ttoi` zX*&n#B6YEN-So^4p6nHOyGP|YM3#$lM7Wg@{{LHU+aHC=kjjdBdU!}Y!B?5`g_@E( zQld+b&&;%D*VG(XBJh-izXPbQ3&20ova?~jE^mS2OQT$lOWY^{h|!g{quAT{Venx2 zwhOZ%`zW%7>NWo7;5H(JMw)`L@9tVZnhoGht|JS#F^s8jpooa(B>ZA@oCng%dU7&8?Zo|~T1V}{?wEW)O zhY^!Y23(#3B`3ard8I7%VWsx10|%jYngA023M807`|As!F|9$Z4cWyz%e|09ENUF-zwb(1?mR^v>G58lU zC+xO`ZKC|QDC0=I*>jPpx)tHQHZ5AA4y7N@%gxO-FUsN`j{Qr?>&TYYz33qMp$a{I z=N3o|B3kFmmDC*A<^F-@FPer21Q-z?#E_OPMIIIh5;K1!W6@?W;ESdGxA60!NOPC} z55#T22x^;>>goV0Ya)tu;$QR%DY-LnZB&C|A7L3GlHtLTCgP|J4qvesNHeBc?J&RX zvZUneNFk2cyAG)C{kwt#x7V$n*yR7e^rP(!&Wk@Q%F3<^*D_$VNyDoZ=IBR;A%SG)_&`ju z>YrQzM&Q|_zg+SUM&J=q*vH9&p}u7oD?+sz`@e|t_VBxaqsthnctHNsS^t@>zzxW- zF)Sw?cCE$xF*dffr0=4xO#k^4F?xq&%5$??6P3(cxRj+b6)>fq@~+tC?%m%wkJG=q zegUAUlWzz%--W2J2|WY;vjd;ep=m>|`sLlb^Amp?_aCw+>J^f?g~E)jnoNcHRhLE+9cR7mr+-l$T}YyGfs0l26C3)MSUO1&Xij&5gLW%J)-YYYSa3KX z&l^|(ft1HUGH;f>lT)Ctb~^J^-tF`A{6JQRb=~k)K@0THJS}(H9bqDpS;K-_RN>=p zqspDz+uLm@r`SPR0KVA4Pf^*E`O7!)s{zLh#UJVLw18p{-9gj09lRB3pgq 
zUOZYUT90RedTbjRJ;d+SL`iotsdoU#9-mXT-GM*586cDXn??fK1XFUACuH3AQos6v z?h(=2jLi9apr32Me|y1C5S=_vY92`7%nt#E*`bvAQvR1=PJ;lcT3A^ssev0oKu?O+ zqk&5P^<)Il$~)Ng5GHp_-|7M4%(!#suXrN=icDooCH-)M27vo&(9>4c_#b}I9}B?r zWiX#2)`>=ouOB!~keJ4=;@97VUX%q;59Id8Eaxx{fqZ-gy8Qa26ehZIaQ2*?CJ*4S zo)V!$Sf6voX%U|0gF|oSfOZ}-z{Qh|g))!ViLI@z^?dghx+_pl--Tb&rwv{gjidlw zuMtSHP8yG?*ibwv>iKOFIxHDD_p{BAUAHhek{m2!Z~+BfxHL}F#z=K(f|&T^m%p_Y zh&{Vi7{R;9d?sc`Yx5dlGftI3lA2@N^w^&PfNMKfK88T-urhe2Rg|#BX~n#=8+QCN z-Di$|@P|IK-DSmF4jcR)2_1V|>ozCY?g9L7pqk78et2V} zp<};saQGRlNjS(CP?vGZ>63A>zrxiN3AHMl48NB^1DQma zt)aH+@an-TLB8us<82+0>dgR$E!}2sU%X=nWD4Hr+J!~ye#E>r^ob6zCUYPj-1I!( zF{}O+<3Y&i1gi9MpKb1Ni@psmX84$;NJ>l#Q4l3){(fmIWxiwRHgL<`&91Rtvd_PzpEWE(L>T6 z_qmNPse^Eq%_Doe>;bF2bx3j+PBP(OZ@R&JmQ04!?Hw%I*%1cV9NMzrW;$pnC%5Xu4Xe zf`JaAyCUhv=~^IAE}D`o{sy4Yssl@G)eH;_rhEKor1s`kRK;im=K@yjjxVH@m6g5Q zW-C|&X54^enmkdj>njaVrN`&{2o!W_qL!VFW%J}VcK_iM%F&Abz5cDTc01^*<+)}+ z*_r1=hw-%K#o@YUK4L&kTl4clEW>^U+~G*1ZU181-yvx@|735_Zu3Ujb@@ti*QX}d zp{>D0vf}0O`Rp8f+n2G`*;Vadem+@K7uPeZEd&0!3^_l4UK(9%F0Ee$)?}IASUSX? zu-Ds6?VOM=@1%G{GV6=n-w_`7XWO1@R;}BDZksdhg>J}HHBAXZw!N3CUq=YWhN{@N#>{E4Q3@u zP(4Zu&b-O-{rQE)RAR(i$>Y7)o1JKc@j=Gr?>l9!iQ&Bqp0ke~gzE{u2tI+&em6Em zRKOtFS8z!NGt6!OHb=}Zct!LcP1+pNt#}47t{*UXK38`e2D-wNc7VO9vQ9pETlk0L zS3=P--Q{EeYL}FFf}q`zp?Z{Uog@vJJ9tPj2JAz&_vvs#thd}H;nyQ4vsXI{vQ8;M zcJ(li$QOI6XLAJ)?fl)YjwI^TbABbfam_MnvY?xZ+5cx3V9&RFD0(W-8IR9%r8e-> zp!?Q+I)2DuSlW|-^P}m@Hg0dv_rmqiDa^$<67wp(!G64(OpJHvJWaUsJu*wi+O3R9 z{evZDfq&NH$}ntv1^OI-!XP3RzSGWh)fi*E(Rr{gc=O}SL6-mFJ>oOwpqtd5ojtR3;UUql5RaPE5GD&xhM)c`lA$5>}NCy7!DZeLC*>@}`30^kP)8 z`Cc09>HBaQm~G5Uo*Tg%0h1~Fkr=+FBrfmf#W#g3MYemst!*aPH%(Mw8_MIh&EhLV z@DtA+_|eXdEM)Ng3ulw&KxvtQ4fk`D=lu7Zn(s@V6}}Wqj5RvfJH4skt)Qu2>mp#< zIqHrx@e4TSKcHppy?MGv-4}@a=Beon z!G;~7#92pxS#g00;UDsuVU}X(D?}FrM~I=jE35 zstR$VP}-mb564`in9YCcelQA|UOo~fR=JYOCP8}(eKTrbp6{m1|JG$8%{>2#<{iNx zMi1>wqg=i>%)Kr72HclZU$w|P)jOhaVSE(z1)-035-}fKfGIq6pm^;pUeYxz^V&g! 
zq+4uj!?T$w*De-?R+~Ofq3=OvNBc3XK@r_okiXY_NTPOwLT!`6shyBdF|<6Oo@!++ zu_{~Wl~7%yy1uxIB<8Dd>^d7;mSwizPR-6Ae?Fh#3H{itDS!5%MwQ|!9<|;Me>6=n zPNmRB&I*TzDIq?z_)$#_Uk{@R2?EUGkh@{PA3Out01-kyA(8pRX z-~e77Dhe_poO*gsBsS~2BnuB)LVT;?#mo~EDm>zq@C8M9w!U3+rUfb<9QT_v+P+fmfG>8Y%wg}^cLIkO`|H+ z602%fIY=!{p-&f(NKChfGx}H6i@k(S%5Fa$t!aHeTU1J45AF^R?E!r+)b>I6a1Yh$ z23-C1Jy!5V0cTg^qlYsEf=}NaVPxx1xdoDadRi5?MP+RxN&us{I49 z&X-LVC>-cJU-CBmdc1V<2VM@VZx6y`_}2*Oc*@D-0mBMw>cqg0bt<0%!JF(I?sQH( zw;XR5f_d7xxC6K5ZM1F<^yKtO!+{UsPy@xZOr{VtP5BhVF_5CO8cf~MoltJ_=pIX* z%>9BU%xA}I`4r=R+zIh^>7nlhGCqb#o?;>(Okb=!NOG(XFmy&J_=A(u9(KgM12EyKmN+ zU+kz=rS}fBat)Wnh6TilLhSN`*0c#IQSvC4)pXMYIlrmOV2BwKZTjkkUXG0xvSW0o zkc&1z%*NZHYop!8a>Apdg%2MzWH$$WeQy6ic-Yd&249Q;mK6g3(e{H|<#53?g9^ub?n_0GE`*m`lnZ z|H5zA@#(#zW)1!#*<5X#bFiajd8>?2kxkC@YL(=DXc(J>YyB3El-Q4h#)IwxxwAMR zWr`aGce49S{6rwq^17IUCI#ou=(NRw@r`IwSVPR<&L4vceAQqSJQ;vEaiB&IK6~TN zuDC}>Ji(nd7y!<;!g7F2p0m?Mn_l<}#4#qE>MJUu(%$QqP>wdsB-EMKpLCNXHl*PO zZ=@K!=!R0(Jf0*1sj~0puH+g1rog{~t>Rp)`e`;)IE}`RVP}$d5Wtt|%eHI_UP(S6 zhBRRk-jOKcudoltQZ{Q~OZQNprzLwLDA?=7cCMC)b#22csp^# z8Wt`!C1;1l+y`_LJ>u>O_)EOCr~u92Q8nD3T81%ZSUIZU^Nm178(DjzT2F{776$Uo z7r0M?4+Dy{4`EQNA7Ykk#tRiC<^;oTQz^wQUxNSlzvp@2e^J z4*{gd6^w!-^XP8G8q79?Xk#+hDujN#IX8C^Ez~g0?$;i+9ygKS2tWDb(TrxZQ#?}U zi=P)$LEWLKn}9mov^9S7w?F3NP4^}qaX1&phSSN8&(_WcPJDXB%9QD<^2^Zyag^<4 zjB&q^a%n_i)dtg{Y>NlwjSXBn*9Zc}w3GBuo~sXz7WFBp7$)i-g14)PS*Kl`ULsuG}qR?Hl|n4{~talNkr6V zYK++f4Cy{;erydOZI4p$SdaG8>kTKFTmCf6AnMx9!-Z>fbELx(8^%H7d_2f`8oI$ZSn0?H+~LVs3l z7qX_xXgi%Gf+7j5jv0xOQ{ZZO6cG-4)=S1;{}(6LTV_{TvC?AQU8@{RlV(YwPIIi$_w{?UPC}w5exIS5Hyg`tM3e( z+Y0#lDmkp}IOQ+#R!-CE7X>gpb_csEzsk{tfxm|gRwecSAPl?afX?^@lZjeK`Joh1 z@ii%T1^+Ix}^*YHP9jRFTJ;L1c%2|8X)PU_dt`aiQf90j(a$`p*(qEc<(b29wi z6bd+F3vioX$7@^m@rg1*akK?fKT5M^U)b>s9zB8c=lZg~Nw<>L@P0f1?b=Qb~+}UW7mg>HwtMFPJKqh?6Pah^Pv(XgGP0YAvw*7ud z=v=ByxK{ee49n|20M7h{d7reWgBpriS;;Dzg)7|TB75$TPMz&P&f}Xz?XX&yNfvR% zd#P1yB3Qe&g3&>Zt)j%=OE7d@zgGWXd@$+N2)c(^)xxJkJU;{=W8oosEu2_3*=1bD 
zdu;LM9mwf)-)~$Zg;C=9*@uj}Pitqv;E)RCxJ}YGW^bZu0NjlDxRB^Ly754$SCC{0 zW_9??F1p+NE-Cw{-_+_LM?R7~GO;lc<-8!qD0fona~|qYljDA(>b*!@Ffje}dP^*z`I;Jf)l3!_V;wKZ zPTQu%ws%L|U!<;By&U$*#F@T9r|LsDxd}KwUwQbk<&~1`n-xr(ef%(}rHDE2re7~) z-z?wXVHu5&1QIMLY{8n6QGEJsQ*kAUD}hg3qNw9%`Gy77Gsr7{S51w9^Zhb(hO-?^pnG7spWnJ+%a#pP07#{TfL}cnh*1-@by5xhn7@{t!jkm5F!yIE< z(W}Z*^*lj;a)U^Z=WZGrWy0i_?p|!!c^?2FKSX#4e=h~C3NUsLguyno^uua_Tu?B` zYo4epzQt}iHCa#q?a!bz-BIwC_z6(^wO^tr%uxeL`k9#-bS-LLu3B*i`us5~z;_BJ zBLsHPyl8?R+MgUKCUV<^%9j)?#z>jXcS^uW}j&MWY*(Ph!z^@1swhDiGDxZOBso z8ih}QR=!qYtKbLG5GwcaC2&m;P|Q5S6f?goFCf?#FeIIpVoT^Jd9RZc5i~<6rxX)< zkQd}&q^ok?t}Lqvd3P42*4+uu)=`veGneRx;lgS+ zIAN!1t{TT4m;wrjYk76Qv3mT?OM|S7y^1!^aaP4yf6?D$Q7F|gM(C) z2fsljHYHEBaMGQW= z4iY?po>c%uJr+?63f1E6u8nCO8$c(zth4g>_?dJ%M7X_Lw1BE>rdA`+T0&EwwjWE` zsZ(A!T}HvLIXEbFbpmG;I9@9*j&Uinn>UN|nw{k{wy!I12dasZEECAp>aSAIf4i(6gvaxxo=3b+rgI2?-nX42drCkXM5dzQL*25T7q z(8kG<&~v2i%$wkPe278UA54Z(zN^hxJtkk?czpPxwQDND?Mq!=h{T^I$)`h!YftQIZ&v!@b7rCRD3!Sz5xdcN zZY4!(rSHD4P#I1!uR?r|E#WUo)&yF~LvsDd9@~#}3g7+Zr3>oCtW}8(TJ*ORNg}8u z6$J8tO}XzABQ_iFBpPf{EHB6xLiFe7Y!>5CZdJS2DYG9EDa1b(u6Gy1B_=j36gIEB zS1|STi%kSPdkNH0G)v@tirR<$I#NGz+7v^#{J%aJrD(;05&$2z26CP|>`!hOA&SY- ziT(JD+dl#Qnr^;-KT2q(A5V>62*7~0-~qV9H=1I=n8uh#U4gAWe6sU{kH-iN_Hi2}Go zv&Ft7u5B}^tttvlY>2dO zrSY1F+TJ;S^n7NN44rqU5NE65nG&mks=T~tv$+5&_3w;YHQe^WALIoM5UGiL5~lYH z+{pN>{H=chzey4V)Bi55&ReeTs6Fu4RhVrSY~txoAoZ9SA?UV*TkipPa2XvRPE%l}YSQ?jqBN)&>( znqM;2l*>cL)8kD zt~aF#kXvaC`%U|cB`f&8icB zxBQ4;x35uC>s2;)gW8tQ%}ZRb7hUOR=WiPA1jS|gyXsJ_ged& z`FutBJCf-NQ12!qXTC9NGn4`QVpso;9Jgj#!fx4co(cZW_91fKjIE^|= zbMv{Q$hQybBrGt1z^y5ln6R`4Kn!OBY0ZysUfl2 z?5fXqo{gFY1#*81xJj8ibY2Mi*qyVcl8-ubpYh@o8h%aJ1Je1YCJU`UN8%3H{Z(HZ zAi2j&b#z2?fx(n?ocyT}0kl;k+9lTNRTgGtD0ZEP$RJ{v{my-%K<-H~nUlsxpC+xLV27ehYZ zfwQ^f@6ik$t~m|k&7{S6cb@W+wR08ciRl&J2(}f`y=)?7skne+5#-^>3{-MVpl>~F@lNIjMwKcRiN_U%;9 zeg`-H2zT?ckF1EV$JS=_O6HYo_IMfeLu#8QxKvPh$qyJ@(n{gwkK$p}ZyU+-Cl6yrWoctp9*V&M#_x3SVWU46r@^P#9Ed1j zMzg1@eHFhodjwq53pc9OY{=r5U-XaI*(7Q44JC(AH>F&5cLR>4YZv4NlV(fAu0@ls 
z!8i3o8UJ~d$2(Ji_4E}UsZ~DZ@&FXAsLIlvO5L&<$Pnicc@V-bU(I)%`UeUuRg5uA`7rOY_3(CH<= z*mwx}rm4a_=AR* zK{T)zxORQv0bSZD1;CDvlCtt;Eeo69IPFQFA=fHLp{QTL(!SCkn-5V^W61Fvud?>w zlk)|ge_qFHr5FU=fv#%rnZeW{4dGj$17Yp-`Lu0^{{F2+D(phO^NY+p->id#z)zue z2c)O>=6)=>HP7O8Ll}}b*%Pd>5Ct;Jt45kv4h83F9~;ERSbB6_s?i{PV^r|PlSkj5 zsCs!4%~v>ae?By?d+*6!YiAWL=HRNVm0tVJE&_OuV)JHsf~Me8w$qw|NG>a%hi3P6 zxdKynzR(O08b>iF*Z|??WH7Q1^}-*8I5N>C=WEveK9V`+bdv8MQF@oAMBko9UHz%W zddF)`jD2Xcs*yb}!TEBKgv`NCk1W?Y9vuE99dbE0bbSA75 zFSpLur1r2$`AU*ej?CjoI_up!{kCVkj~el4&$h-k#z_qC%6^vvHUNhxTrc0N{AZ(w z#}6I$ua41FRr~FJ`*J3*yQaJ2cu#So>`l){y&gepepSX$buSU3%h@EgAxL%`xl!_x zPe_s@q9j{LpA@Tk|9N~r_tU))_6s;?vGrYo?R#XEWu7$N#ag*vm0va4y{qAfC|Gz8 z5MD2fm8^s#7||DvdIZ0s2s-sRh^u}cJU<%pLW#>5liwGCtci99cODhXHI|wYEn&<^ zEp`XbCree;+RbYWjNCEA?(hft665lb+~vm^YJS5BUc>P?MyVZW;x#%FYbEc#PnI(Y zFQJ9=Jmgnr)4^g*`lKeuD zcig_GKAkKItG0mtF(e$})EEa+~&nr%!_dPXRiYevMWA^_D;5TLWb<7IGvTR`Q|u zXsgMYV7FB6w4B>Xu~DYP?bm4e1i)|Hv<0>ve~wKnptjxbNe+Pi>oq#X##>zoD0mr1 zCOI#ld0c`H*!Xn(J#*tGH^?2~JFfA5`-A&|X@NSo%_Mb}yS7bbXqBjMAH9k*0naFf zc!x#c$#Pz$X7bGl35OnxKY5AzQ^E&_fEpNz3Sin|qJ0AdeJB1TE=IEDJ#R$2<;!Ih zux@l^u3b>V(C-SL$%|^%D+)ZGiKD|hgw!bkLhHiranmt*yO^cJu69vnjc7ow)EB{q z9qobxt~qe25V^*avlyoX&jI4@_waT4GK$uArGt}%PaL{pYcJDoNOUDWm=R?godhr3 zi>|Ekq&I9TjETfZUTRYDpuenSJKiVQ9?j2xxOyHUTNhuJ!h87C6sMrM;JiLLn{u}X z*&1SNsECAvp8J*@K^9Hun%dcD+Ld;N}!HZ9v zxk+r5ihdjgO$Cstj&bUUS4Hdw%{188UolY#i`|x?M*ys#VLlCE+MNHMuObA|X60YR$n&brs6_ z-FDyWuz6zR&d)f3$iEyHZ z)aE|Mw)VX57<%Lnt(kCB82f31Jrm|DD_}5A9^T>3t7i#o02y3BN;yvO(K-YdF_c^f z^;twC=0%aS_!3o*pN)tCQ2#NV0$;A(8{YAb zCQ2NwW7v?4U=y^;%aVD_S<}E9YM@n_6&nVD+q+|9r<#8&_XZRoH4GPPC&r2L6OdVvwJFy_R|zk3ndz)*hlG zM}^uByuL~hv}Hs_ux*%~d#%ZW$syn-oB}7!`oiv5T|>+!fx>ww44O|#^HnY~IC>=L zicp*Scb|L}haQ=!I&zIebtp1auKNHKuu{UL9uNx>n$bM}jiVHg)CjC_1WGZpfmM zG`}cVQhH#YyTi)xOwTd7(BKQ|0CC3-4FBHD2w4f_Ppcy0X~`qFSpc2<<@VU)HAP zQ>_Vz>!V9<8o8STOWI#qpnYe;#>2pxs@&~f&hRJnv&XljLIeyW8uoxEQco!{GecpX8PKA%r zBzPx$p$6#XA*z7)x;{Z$vGbeQ=~sRIU>u#e?udhiS5f_#6ueWAmmGM~oY0?ny!57F 
zXv|ZzvK1lVV#&rj6t%w=wQXN+!V$(=-gjp$>YB72hiG~oW(~ITOs1D<+>_|x zK-L`)&hvHIB5PU_1{DP;o6Wd`D!4^%Sw2cLg<;^FZb1!y?h5T(sV`2QE0>X8Hk}-b zD{6-(Jor_Wh&;Y3O2eRMIk0(vK`a6^J=Ggmrv0iCoFOIx{Jj%oJB1pVu?z0&Un5+Q z+Yx0APB!wNM{y136@A82zuS>^cO`EdVnICQ9h~dFm1=1WIUjvZ49@_zADm{DR)D3F z^G3>_T~Pn?NN(Z0t0=EW;lFC&Ffo8$LJ#?hT&ocqzH#zN+~KRpS5A|8cg#4<-%}&+ ztSmp6Qofir|5Q1s+4ru@w#$p$7Vej?b`TTGvMX?3V57=EBMTUzJS7Tcy>qFpt5$Mq z%r*G={BaY{L_$purVi~6PQc6-`$NA)zZpU3yF}Ew4TBD5!e8C)n-tS%9rz}M zp@~sLce5vSii%F-eJ37cbuX4r&CJ1FV<%fu#Nkz( zmU9(FLjxP-VIN(U<*=}jmBV;&q&$;XlaT~CMCZzJ`B4sT%Su1LX&mkLhJlj_Z6#X6 zux>zgcf0~A^|paPjeV;m2;u%XW7GYz#Zy=Txvcl40CRJ-FU>6J&H&1;r!IXqf+L;N zA4e;RQ(jFh-8MeX@I=#@9(Pk)cCKIXWA(o>>u4x;Wt-hvSmTLY66BZL88G$8mvW^) zO>~Ng1ZWPWu4d9H9o~k3r@_r>aSH>w;DaeK4k**yd_W_Fyo>kwL+bU^+Hb(3zzi&X zK;u!zn6f;tuo9c2$J!TucwQ-cgIn&L-5ej)@DhW_KzclEJ7svaA7z~QIyYtJKmShE zLxXIXl#IW>zrIW={+q9N_ByBT-?K$mg)Rga$nmyy=}vD3&C8>dpCpvpaT0tXtW2Og z=NyCdbEl$g6=ox|NzT6pmG{w;@+p_75>!US#D9QXQGu8peKi`!Dec7(w4$ZK25~W| z8+hs*vB6qT5Hb)(Um?90@v1H1&d7ngrc5$g_YDzPzJ*HDh>cp^sv?MK>`gCiXwJ)PYexhUaJBmS5Cyz!b{9gp&XeWHKAAO5q?O+>U zV(4ElFBbR)q^X(KFDZ8N)d;1sh?Ui3_mfQ`r}#%`))PS}&H}JkGgX^R{g~DiTC!<( z7I3fojdHY0?&@UPg~VZN($^nP@BL2qQ~zMCRkOw%$ zi|!qA%1@Z1x11qJK;#O1cKKWMeD7ma?^=@DQ98(hLg800BvLC_G9txL6xptoVIi6ccJ%*Z8n9>mh|?m_6NDY zufmq_X>V}HAit&s*+A*cgxZ1<#X3rpwny#LU8JD;#v>H$dRN@v*(aTK_Xl5`joWc% zvj1e@-ciW6fi5~Wp09nuN&0jh;f@QG-2pOAx}W4_MpL0hn-Wg{8nuUl%a62l9PFl) zC_~gu4tZ%4t%c22!dJ}AKgESuslWMzM}YK~$S`TA$U)$g@BCoU?~i^ao{J-$vG;}r zs^3KKd7FE(JkKabrWx2CWu9`m{hM?xRIJCg7cS*hH|<}XWv$YEits4zqS|R>-32Cn zlgl#Ldw?%r8mJdqE`9zZwHDXM_7lPbm*1ZrfFGYkwaUPjn;S#+*PGzFDXzJV z`me+&&);b4&2Qx(V`?HUM!SD*oDD=dVC6Nt?pO#=y|2By*DF_!k@`lK`8zw#K$A5~ ze$O-zO*8!QVu{Pt6EkQ>@kSC*RW(P{YldVO3b6u4s}f%?p;t5}4#Vbk%hOJsT_8ETSI;3G8xp|U+%Nom_K6fM! 
zombL>sq!)G=vyy&Bme)kw(ln7D)yw?00;rQ>r%Rwf`D%>(hF9nN8a>S0bU}|pz1!e z#bvG`*`^~(1mdGoLFZP6F!5H!F8Dt!jdFh?l6^;Hry(j%gxsY99CK>R{xSF2AR|DT zilf$Wl>ryvpr8J31KgYfpI|Oi3`|v>)5YbbF4#}ben7kswYIE&WkZ;(3JA)tvdkCH z&j|ho=B09^9<#E~JAQS!{}R>T8_Y&6k;W9>NrY^*0cfqii=I8c8G zv)zfpv(+^_#6IG2OI1mJqav80NFwE2r~td^Rn!apeDTK5CZDbsnyXsA zD!DZ1D4CW8L4#8@`|eF#Au2^>1*$#EsvUXASZPo%nk`o1O~F3|iVzv=pKb#%b_QAM z-{dM)-l@c7-j`jG%e_BQA)Xs!2LqH#MrW;H)--KD)+(&(#f9Iz5``{#-gh2PofjX@qxYgJ8Y zf+U?q413dkLQg6&_DaJSf`cE8h)_Pz1VstGsZS}Q>1OFK5`lHT^7^NCR5$onV9wdd zExTka!X(AP6Pkg0$=ZybZpOeq!@S`8vD(H8*uH{D%hiwu-?2I|0N+XcPlz|{OT%{r zjy7Y}-rZ~xzQ_8L`>NaEuGKwPDMg1sqsQW+mC^I!paBwaM`7;+w7JjjwC)4%GRT!% z?LfLPJLbJY5KvJ$4 zIQDUmGh0^Fj6eA^YS%K2q7S}z@a4dmu^=`*owlwn2cIEuX2m2nFbRFzUz zE?Sm{S*eZL*1*J=Z|wbO&y$afszOdG7;y%l@^46|GvIKb%I}OZjRLx#yUIcUY*3UX z>aS%bA!plX_|ig-f7^>@t8VgQephMF72H!ldwKGJvbz8y7-h}0^K$tPlou*908+#(b<1y=Th*SGIqC{%!*ea8bNw(|FSr z&h47!v&yO#Any@E_-&btfB8Z5&lL+vq_+m!RKB!^7Z+rC*0sCfjx@h@6epM71TfdS2@!a2dUwZSG|G9e=mhINYWjU6+# zxx~!P`J9p~;Pd-}!9#X-jVat*NpZq;K=QqT<{kML`*s2jpaYpf@_ob1bS~hJcqe&1sMemO>wF0-gB*!I?i2&2_PZA2 zExBR_t@al=?r;#oeGteL@(&d4eW<}-IEk9TUs$ln8Wjjj5Mu5;q~SkR#S^k$a(&qA zHh^^;b^Zq);|D(PH(571HyPR2qg)&#>kBSM3v=rW89~6oxfzpr^qrZnhA0hk7*l`q z_iSJ~DqC^#O9i_TSK9GdlV!LBx|9+e%zGN#4On%L;kNK$4;}8-nHEQN6A&OJ-6s;6 zSDtmr=bP}Qi<;54>{L2J&(^J{7|qvuqpLfmqrogmRIaSzGo) z`ui$Fm=Tw}m{Pjf+V2pNF%t2%;$;<)Nglzin-uasbRt#m#D@I6ii zR+vSx=^1I-%u+2e>%bd*{<+rL7lU%oR73J&s`4)@X+=$>yCSnMS`W8gtrceOK&du7 ztXaj72+<3^SP~V1HC;}1C!u%WenznROU1Pik;&b9e*!7^g(?O4jzu9?j+)&e>_wBp zB>a&bB2RX%o_k0PO+;rvD%OBFtB{Ec5UV(xj^3-t&rK$?za=u^RJzNLMW1zO(lfXH zK}f#6aaHgqJ>*B=f2{5gWS9gha!T24R}Brll%ym(W!LSXvY;=zi^!*(4;k_KX-1lr zAP0HZ_B63(Vn~C^H-uh?pQb0}#+-l;wAZI=^p47QWZm=jH9jl z^ws1N%;O)m1nne+j~8RV_L&tEo_(7r>;Nv1bbWS|omc-03|7wsGSnelD!?)S_Q^q! 
zR#=M=+oIAdlYVH4%_%3z3@hKBWPvCDsLSqS&#Y1me2Emmfib_SmOHOH2`-38S#-L* zEg&`D!%;~o^S=ab#NR*czLYzfey6$MRf)6^-(k)457@S5a9^aZ3!jed%!0+X1SsT3g;Qe zod^F>C+g4AkA;bXlN6)jG$&D+tUH%JFdDHP;fMKGCnxgYWcWN8-3bEKRFK0vufMWZI{`ui3c~tY|0EOyaoS}P)11L%6@cS!4XQnjQ}&J6hR40ujC0O5GUnHC$2B&O@4Shg zE+Mc>s)x`bxZ}3-&TQRTmOn8Mx-VXPK`a}ZEH3?8U7ea^d2{NOIwk+HDJnyD^;W|T zGo>R54rgng_Z8E5?NI(DQ;GG64!d;o#_R+QMa`cn8l#V@I^DE<&ie5g6l?Wy!*SxR zq#ew5)wcy(ne6J-wRO5{Ft91rCx7+I%9pC5^4-G47vt$5PA84-Y)i3AS9K4VA81Lazhz&l|+GWxPHlA}cZ zZWP_NE@w@12$l$WAhNpbjm{g1flqwZi1~aFMZEcMig0g6d4Kup=EreQa<<1ci7|fd zT!&+j9_5?=0!CDirue4cscGT+K0^GaDL8!p$Y$KKYIGBj!USh&3Py3bRI`J} zWaIWYWQvq!B#TEd)SSyD`zv74lRf8c=n1R4LIDu-W~)IsE7^Vj8)PV;YI~hLeC-DB!)kW5Fz|qeP_lp3t7y`_ zLh{bGCwf6O;W-hzGw1js6b~Ngjje@}Sy;Fc=^gryEG}4pKzWDJe@lWf0Le(T<{wrU zvDW$b@^gJjg+@(IMTCEkR7x7*Yi?*e#l$Wp=Y+WwP3BUK<8elYZkFgvqMYaGYr~9O zQF1qz9N07eqvnc~15V{4sAP|e=NoCEQR2evsNvwot;`S#Q(4Nv!|OD z+#d?@bgS7~hsw|7)K0S5j)>*+B})*v;NT92sdI~zt180aWT+4#v3iO}_Y~oI3~73z zwZVQ+dhTigcf48UX{>Q-?Zw3b6C(H`p5KOHBMs|zw_~FX>H{JtS@5F{r|o@dFdax( zr1NuUdAcWu9knu=!xO0}S_smObZEBf$g3dci3Ds(c|X}KGx?N5^b>)g3wsp#BA;iH zEHlyoky%@R5D~P0v9MDrW$VnYxbWZ%1KmE8&gA^j(dEC3FP zvHo)=_wbTP`<$n{3V({hf!{xjwO`*SuB(vsa;Opr=84;rEiKz-7_aQvnc6`oC3lW} zh?q<}&;cyXyJ9duMgL9-LH6=E*t0u`=$Po*Q1VkE(ht|NZh92J-sAb63VFS!opPts zlcM3?)5?oyDwu(vp9KMb-^k1%^cNIX*jOC+Y)>`Xo?5C42=CqA+CO9nPKpc`rl*Z1 z>|!!LA?JP^MBSOMsCxdO4jgdhiXbt;__~AynyazQDiccJm_wo6y#lpWi>j zd#Q8XGf{?83z|cMaQ*D@{Q>N)7F46am)_;$AXONbnbMk=)y+ERH8?KUt^Kr=G%D0) zwAzg;IGT0A09=?99n2hjPWzx(G%s}cfq>9{2Q6FNNJ4fOA=s2dR_jZr9=dUtbOc(v z`5&eS2BFt57^1Nt`20zagOlHFUSt zjWshRD6MzgJyP_3;;Uz$eI-@0X!y>y`E?I@M{)HaoHJ3)uSPZu&QF{$M>&~u4fZ1k zk*q}RX94rzToH*lnnzH2NS?=L82X-Ca{-ewt3+7dX1V|6TISPPoM5qzkX`{gnZQFP zcQHamIX#(}sq1Ph!BoUGx4UNQQdoQ+9}trAH#)$YsRo*5==2b?iyyVh30+K@CMk4s zATw&I<9wW`k85;5je-v4`3>CIz=bBjZw?a_>YPf=Jd#sr*VRo+Up8%e6komFskQML zC>^j}7WpTHO1fVx*=su^71S_JP87}2`-ww($tc4b8&S_bY&tVxQ7_0L=*GpzhbmW? 
z4ubl6U*9^~-8&_SmVJ#3_sR2MTiL;~Uo*dRN(MM{%M!BYhggS}PkFIN$SDD{O7!z&PSzIZ0cG{5Fx4Cb2bY%7P_*!s7to=v0$}^wG zTI*}Gk25IIaE-gK8cm0Pc}%LQqF~01cwzjJ3sL1ykj--s9W!O%^`=9)0{Ttb6gb-Q z&Mox~4t#P#+_+N;@;uGj05>w?1P|)`M_3a-ca)!M_~!X3x6UVrR~9_5QV0mA2QfeD*6uCL zu?9}{{BNO6;dvZ&Dml|Vx?XY21&n%GD}6kLRB!d6sMW}j%4k!7ILMrlFESI^z57nh zeUo*QiMKK(!zsr%lHM!Tj`oX#=_=@^!XOA9)uY10>HYOFo!v(2 z_(DCrAI~uq5)QK=a`u!n6N?UEWZpb@%5zgx6cSa6;dtjqb2sci(38qh0&UmtIw2{Rgj-GT#LwuOLmf=^gQG$$ZS`;KiHU9dTQQQhU*uKfw3|b z>_Y!P-Rr6iejN>)2R0j7Fi^wKDs%v+C8%jHrp#X){=N<#K@M#XoP0fzP z#KTbv4B)}G3Mv<*P(ZtOvDqwS{h2a4zvYHZs6xiUN_n-lK4PFdEzAre3FAg-jWMs3 zJrPVr3;GSUqu=@2GpcbwnUq=STx)YI9lufEy0m!V-PFp_hb;%qT7&*?!li*@E@*jC zZfW%yS5iRt=&u6lEpHikRn(n2>A=XmJYrv-soHMBM)2a#HJ!LkkAJ}V?GxP>^bG1D z7OAjxvAp(3>T_&HMg|Sv%Q49rufu< zqwseBgOFA`VYW%JCnL5WdySWVnhSbY{ryqHv-6kiJOq55mFo3cwZ?*av!LZtn(fE> zcY6Dwbf7^|IKu8q{hQmoUm;81a%EkPrc~|ooaz)_#@THp39)l#Y}KKNZkCMs8dyEl zc%3vdb7b-EnCQOzW_GBnSzvbu$MATAm8Z#^fg!*?*HmAm_g8MaF`g6$`(-(TSKv<# zdoJ6NJHL}%!dO?v5_3n>c5xL*RC;32NxUn_Y?#3sMM5W z1#{ExwD&q3+5>!hPKq8*raxOrzN=Ps3io;7Za)fnC4;LSjb<~KY9I<}DbIMP8Ptly zp^3d6mpE24cpDu*(5)#t`W|+4bnNjzZTmlUznoH%tF!loN;Q82oq{LQz zubZ3D26Ep;^|5z3iJ7oy#(qOFI%)eRzQX#q~&s6rZk+UToZ&Lz9K)2$f=cgYd@s1vMEOCgC5XK*AyUNd^Hiod+z; z>`4bB9${rnG#%Pw0I_t2j^HXovIsAbn8DAM2*&vvUw{++s<<68x&a@Pe5_y z_gE}#(p}0O#nF-Hx<<;O!-xLZ(1{kfh_C_n2zyY+Eat1BwLz-iL7n=m`{J-oH}erc zwu1t3o3eP));u;=#S1OM3#7C=t3QD#&RJcxrjiv0SIFA_pCdBO1N1#_+_+jk|AJwN z>t~>MS9T}TVW%6`UTJ1#S{4K%LkkQ5sX>7Z>eI!6Cotl_`E$`FRtM#&ddjD%s805_ zrJ>g=5;76tHQ)C#EH#bjachaIuy-}{3xUf=+841T8yB&bjriv5S08z|xjxUg5CwrG zqUz6XjP%e~O(1350g^T+ehA_~;ag|Kv z&A^h&mC+yr>o>ZAZ?^21WKZKiF$MV`jgweOFTbV51(jurEN^XXbyc`y8TWrZ@{>;F zPmuF#L%3Z&d=Tj}ASxP=>aKzp@X4-XkrP*zP2S0g9ySwU{!2P2rhB`oWQOF!u z)QijAcj6}y(er}om>H=@yd`L?srq|c&^|;g8_M3bi@(_gPUbmy?4$eZ@kUIybU6{> zh7Gwi<2+EL9t!Wd5jffAGA9NVK?mA=-y2^q%)8LXk77%sssWr

s{)-C?kqHRsRCcs>(>?cd)FWb%!rdt!Ld=74(j{2EJxvC0zEIj%I z9HSuV^{1emawva0oLur!Rl-f#CGx%^+;Eb!3YERHIy!=NFe&L#MmOa3eaEB+uamR3 zOfwJR$qH?!f#yC_o%d*6*NI7P&g#_=e0IZ-R}4RNv9)CZbeB`Yz#;bAvJRww^yFOK zM)SSqQvgH7Kd8Wynfc@;C!Y4>7jH`Z6)=>F%n?XpfYE<01++T5gPH!mIVO2hr$ zx7tL}+ocYce*|5^HrM-GKRH4v?gF4i=uxSZ)67Qt^_?)RsH!QBs$CGuyx|t^D4lU^ zJxHSKM@P!M-IF8vzA#9Spk-s3Mx9+UIWrO8^~gZl(JjB@hwZy`XoF#Hu8h1wL%_RS z<=X1;lGKfyW-4HT?Gxc45aU)S#T`aJ1AG;o;G79PB}^*D8c(+=QB0A50?wMDFCWK2 z5#yDf4M`yk!Ri)J7)0S zWfj-eHZ<%tWZ=YuR0sC0&++~1O&p|{{GZW*0bl{v&bb;#>x)9EQ5b68t+WUpi#N!dQze^lWNz&GU%xJAZ+3;0j}( zu47lAH2+doER;{8s}y_2%l8QYS=x@DUD@--X@J9Ysk9Gh&2T?L@s&7X@;=SYEKnLpTex z2X4!Y%%5tezi25dpv-rDvJK=DX#8pH*5onil(A*{sXBg>%*72+wddHH?c{kM*P`un zQZVh4lZ2+eg`;I)!E36;uYH*O`a$wBVM6G}wa+kzm2}FTuTZO1teG!Nv5RA-!OiHc zn~lWCk4sI7d~!K+>_&_~&ygJj&E}9$n4UMMHp9X=KO6S(!d0ms>pOyCs&moVGRxbGE^|*q1j^~kZ9fdxZ#sN&6?CYN%zH|*gI|?Q-i7bR6 zt2j<6vQXb4=}_Zu-*@_Ld>Wd#sooKws!EYUzDOR<(8xoxo;jfI&vi=V_Zb0e99H;d z`=;uB2MZX*J~+@5bFl@dT8MGaPw@a?C-aq)BstBI6tk$ZMw zGws1{unD5@@yQwovZTh;_5o4gdR$Pxx~j2JV}U}6=!;-PxzeN_LGSS~jGml79msDy zU{c9fU-k)OkNpQ8D#bDGg!IRj#5vo)UuBW=xoB25?Jn+ z`N>9BF!FnyWU&!p{e*nGwSF=5!Y!<0%1Ay*xv*t6q8u(JUs*{8{xc0Gxvyu28!>p^ zli@gQ9hGzFgbT~;fJqnryYjZ($*)cr>7SXQdW=y(k7~uJ3dUh5jv;-*~hLvO}@gx!;7KLOoCfEgPfr7&Thd9 z1kqiTQ+NCI?>BJXHrQjg^F!q>%Cf4ef-&6$Z2~1{+_?F|Lo@Q!fNzWw3dmLxCVP-j z&s7{gBedSBSceP_C@AlEA;e} z7ni*ggqKcahZEW*U|vwI8Px%1vEFU)2#>Q zFS**eSRL51VGczYj~Bx}CPOe+6g)d>!7QZ-`&;s8W#sn%j~9U0`xF91xH*b!Nv|ec zVBVZTGT?IX>$K3#Y>bZgJyuUwb(gpLr*gD8o}aO^d1p)C6VZ4z*=@6)XT*j0*|f$Q zWN=zMmaabTzf2A#heo_pzx8%H47VE2)%hb#YKVnlDPts^=toouK9T2?+M}UJDaaxz;tzf^Qg`1b zyDnl0IdO)nk*X~LrQr08Wnm9K`dKGpz2DDtSlXmMo1Ok;|^!c4CXtq5^8sn`oDN!6IUcm<3sjP7<(7fY%u0d8l?<>fXHUL=!&JP zm}}#zK2nNyknv?O&CGT-$R+bwW1atRfoCv*T2dA^^-TclUL5*vEV$huK+?bs*g@GPf7^0u;i;nYUP!kZ=??OnPrQaA3xx8i@ z?NMfw5C2L}LGVI81MeC8Q%A`Q?Imt?=cpGUgFezjszl*qlGi(VUkS{eBK~v+p+P(_ z9Y*osulP-ObB!Q93>U&a8j08k-D%I)JCmQ=k$kP=AH~?9IOLI0BW-LS)))QG#Ap7M zAh!&PFCIfb{Q$5iXf@tN??48sH!?C46HFJjQDbQIaDq@Tpps{yX*&W 
zL@qGkp2z6iL$U(B}Ir-r;~++Jgo7&)My zQu%E4-s1}>09}@ig9)m7@rVPym(F!Ls`63k>o_*Y$MHYxopR(3GWz)nED#Sgr460QK3~; z*uJ{9*65`Fsq)z6T=QR}o-L{i5Tr+3Y3t|2EXxn z67)S{_l^y)&17E$)p+G_ zG|Cjz%OG&A&rz#ji%&R>0YyyYo%*oRPK2*Dlp|4eLi59E8$)dLMPK{x8XezNHQ~p& z40-|IW(R)3jnK23l$iUwH+24naz-tSTO7#5PtxV4;?=5>(GJ@3IdOiaiaR9Z^IQSM zY=^S^WNuZ3UCN2K0^4e-R$z)Ff>kg6N^R$U%YXqhv(8+2_;W?ssU!ZD8Bk%KOll zGZ*}uPbU5z?!WevF;AN;LOA#bw+%uW3yJwD?O;HhoXm_rLi|!s4ugG@GeLn6JKec? zR$h;ceuMlDGMu?v@;_;0B;*&-S)_nJRHXa+{nGcwwT~5OR~6VTzSqC?#ZyQ1En4mO z3~H}q#hZL7KDTAycOk%GcmqxS9<-14y0UeEnC`LuKAwC zsWwx3YuMoO+LsRkoMJ_M1F%PW`1JIuX-?fixZ%Q1bam|C4>oG5VPM}CJvA}7%*9VC zR;a=i1zJVwWCJeu!)f+v2KkKIJN}n6)H&8Sx3CLgG`(Ns1H^~{YCLJ6UJwv;hkPov zbdVGSz()6dTU}knz#2Hx4^;pFQ{d%=ZXZyQR(G%+)rAAf$)wODgY*_1Op+>m+WK91 zO0HF0vD-u?4_*JAV(tEI?IZK_+01C+#@)SY{?ZWXIaAU2l20x5vy)-&?{oXOiM7Q< z<_jJTrII-&uYK_c-R)?%k;d8b!Ip~lXEp93lf<~2gOZcxBU0@OQx(s^L>WziCm*I9 z*Td%W$78pWt<0xJSy1iX^YT5*iT5QhKMz6o-#I?#QVYU+pBPg#)DcEEFU3=e--$)@ zmx`ZFUZba!C##63TwKEBIcPjb83=1(F3{uo)kAjPbeL7D8{jHE9PVE3VxEtpTFVW@(3SI(#mA z-C$ch$E6w!JSPO%UH}f6dL9Z2idb>dw%5CpIXZ)}B)Sb}zE@X%(1I1ikd%G8E(|hP z{h)%QwpmDDha*?HPP7S;MIUe~i81-}#h=Mso61ZF%kpKQ2DG~I9W-G@!3b6^V(OWz zKLhk>n=jk)HylLG4c@*&crPdf8CI>TWC2~D+P5? 
zeq1aEni!C0U9+q2|9Vk8XB4yFCb#6nAR?5{+%5eYrM-mN83$NGBhjpl&+~p^TJl8C zlz_XhIQ|&*W3I(>z{?Boskk5`uYBLTsXFjS%XlS9Sqgv~9dop&e=mC0E_~vo{6Rns zV_q5s(llP<(%ej#uV)gU=V6toWXoems;bq?X*qFjIw=q6a5Taga)p8g zm7b5(_!G~ee@8!EYJw8Zq*NS70=z)<2zYmMcK%%LZRD>N!EnzoI>6K#|i`l`daj1#WEAmF~zZ zHOKdie(kM>>oG~=u40fTws!C|sRgzP_8(Z!jOd9RyHs=ET5*n$`Hsg@Jux+v{kG|T zX(h+M{USpn=UaL~1`*xb->1q4rFa{%5Ka9ynHLPYy>5m7DlqZ#w)b$MHpHj9>3G>H?{#1-_KAQ2P?=VuzHFmMu!eG9mFvj0K7OA3hzDgn7IhXip^M|dpEpGxVyRkE; zqbJquxG9&$yl$!55j1i(^OWb)QE=>e;SPzoJA$CM1NBo;A(LA+X%Ea4IXKJ&hWTo$ z7g&IC$xnuy)oGm0q);#693X)ek6X|o-$^cDCRleq5YCUn{BaAXGsI_2ntd{ZSGSC{ zk0q*@gB?F>?>02#xjymPC`$kFW+$lX&^_hZ5;Bc>P3KU2qa>O`YchxC4`UVVeYUwm zFH2-0ZZZ;USf8Lf$+T_K9gR&RM z;d|gd3KD=RONw`x73(yaqvH9s} zF@nbPjvC4w$qBqDL_%3a~zOnqF)d% zQ!G=BDq_C#xcLofy0EQ2q3*=N9<{dAsyeRkcXx_5t@;lN^chdkf4(Z)@4bq-TRHsS zaceSPL4n4C{uD{!{okC-67Q=5BxOJYgBXN8CKNuz18C&A?-D|)dx_%>J&X|`!vljo z#s_8q1kF7opgIUD0iKR?ujI@;<7<(rVn($F4r?w5eC0373w5~u@K=R7P^98(xBJ8!WvNAofAu_EkQad1FN3}GC2#$oX2{N7oDzk}5m`BI7rDPV@gjiiBhZT^L8 z;74s<&iV{*j^5m;U5y)5PCEz`H*kychL&&-+n`=shKPBO^_W2^*req)8d);SXd?P*deddhQ&p{!`Ii&eYZ&%gZ57+e)VE@{eYt&rG5CsXzXJM`({QM@_RIDPDW2u+%E^~uWb6lU%oeaL# zb>g3&e77L-A|8uDt$+$fT%kjtLq1m`Y?^f2SMqvUdCA?`(Xq37Ls@mnKvnC~05gnU zn-r`-0UriXp~TX=>x$>hShDpZ#{ST!e6l-78DN}L4E&L|)3DO}gKI+n>UxwuaE$IZ&t*5BW2JQ)hbLPOpk)~ese z7`mmqGeS*mrKG|aS-8%bwjvseuYIBwSb%s389(mFo;^_J{pzH_O*B@vC(QK=C33WF zv{a6v7ECyz-IH%Jrw&|lPfG`1Ym5Wt%?cT9>RGQflS4^lH^TMTM4ePvRGIeJ4putO zjdh={b{;?vrPOE5#HW$_UwAzCLZHdp07eJW7sOQvBc8`kZG7!VQH<{b3iudCJ*@3b z@|cFng6-Bt^d;RUrKlOD)=sZKWa3Af>I1cNN-#9$*y=Sy;m=DRIrH zMT0hLF%R@v0!gHnjyGl7-f7>7?av?aYXtp2XHdnJeg^oUh^D>desmsKlM+UZf6|1B z7im9Q2&W0gJ&!Nb^2Bu&t!*LnL-nhC&Hd2&)o{>lB{F!@y)tjYe(#JsztsggX9{O{ zHStpKeDv}9PZ_!8)8Bj#nUZ*4{sH~k26M+n2{M8~5-C-KZ9y6V%>`poaR)xBmZD3E z)66ou`lQ=>X|t5QT<+QlphFB1;do{fw1>)~4vxYujtDu@EE)Uk<@IB0%bbs5UDj`o zj0+p?%rGdIZ>Sq_qu0O|Fey&yAT;zQa&m|i>ec-Q zCn#8wq9!czYb!Ig!?ipz4H%8^LnPV0H{mW&=re3zhCPui90J|Eat-ecjJ4zCu!&M4 
z=pm(!hG|sJofb>#8$2F=GUt^5qT_xtn9UaaIjAZD)>-lC4NF3a+?W9!WnX8+c3 zzOasc(p}K^Cpwl(T^R2C#Xj<1Y&i}1J(M>G5`q&J8uMGM?JCSWWHe{W2L*PzH;jck zwdnAxV>+j!-*_yYyQj!V#8v;{z|I>P^uJ0Hgl~Oo|0u@vt91tV3K_N#z z>~@k{RO&OmT-QNNR8MbXq{ps0rCI6t()7#lmb41NY{EZ8i@gZmUIKgPS5OmwQVD49 z*w35Fam}UcQVE(#z=wLjj8?Rs*rUgOL3b^IabI|_^DGHhro`cmN<9N}TR*b-4JRA4 z+Q(5>FxDn5%~e#*ql@_|PuvzkEAkjWP?2Z_=96<5Q#5XY9{MGz1*;c zD3Fn>Vwn<$J$DL~;EZ}wLUBJ1}r_u{k}&E6)^PyWJw;V3{L;mvO+u z*bDT57U#`JURq2M#8hKED*Fp9~0~-TFM%u$JXNC%Sw)piw>HtOdeu10? z--HNJf2Z0hG2X()L!n0&`yS+vI|O#GJH`Xw>iN@`x>Y4+B+(j{Eu1wJvHe1ig$Vg% z7$eIYbLht<0*YaZy8W(D0mv_->q+T*^2Bv9032`@GXOA&>UWgdG+uiR;_DJbH$-N)Z5KoyqLULDiQBy~P=x3;A! ztSO^USw$tQxMg(XvaQ9L0FU*WG@>ju%*#LMk@O*uI}iqg_=^9V??a>ntp?f<|Iy@M zQ>~97C!25q6690vog4nnj*F{}p)-s$mZlMV#n7#z+utA5X%GNwDsf$Usojg{-1Lp> zR&EaXz#nI(Lz>|8e)=-8p))El!E{K15jyIvAtkRPE%_1D-=a<{M9f4)2K$8zuz>s_ zYO|lmth5O2pc?%1ZyTs-MiI=^qy}4;?PmuL-})L*9cU$3;TA>DmF@v zXko$m(yV3sG_4vkpJ|b8YLMtN$zL|pr}^g3u8IP09LZuL=t+mXoZ4&4**y5Ug?!}x zHq4+7|INY1`;~^_qXu(@P3Sgc(adLrL{3Z%s}K4biC7s;<1*|K3DT0y7ZBb3`Gvv( z>;dH~gd(-B^A=O*#xdulExCF>;8BUL{8g^r9sb7exc54cW6rd!Zn|mtP27^^X%3gY zxynu+Sx5Y}PP+^HYW(!wExT^@!CvJ4k4t*G!wPo0B-9pnrd)K9vr&iZJ%qePvl*6HRWBP09$v}{qU z_BY3hr^I@94{Y560I=U>9Hr`rvmKGw+(m=hOxG3>I|H)H)T)8q|35svb6{O)Ooe| z5q)c!h25OM(BwX5sb-HF`-2EWz7?gQk)8Vn~^3RXi4xztw;(+h30S zd(&F;_rrItoyU46t6l`E+=83!JDhIahV1IEg~Q^XbceY=9GLO2*?qCe>;9CLm3f4RqbJ=2 zYSOu>8=at&DE7uf+tTn<<7m zkHnHZYS`CXD+25_r#b6p6(ZbHpfe5Y#Z}MpQ_+aOyGR0m(6L#I=WbG}$A$Qw`Qo#B z#%AA4*|jqVVXk0!-QsGgLdxEyE!VX2F;xu$#ah60-%|6e<1l)O5_PSlBewmw-CO4W zSWOhz(8$;}J*2lzr%D{|wANrDv$Tzw_G=!wwpdklAx;ip>Dr<-osu8vc6UAtRJ8pu z5kmkI^v&QOGiLr)*5Is?iwm!&3@jFC*HPMTBnR1Bkd$n6ImPmbH$HBt`ny0_u9+ zb4F|Q7m7fv9*@oPb)3=1PsE^jR6Eobh-j?R*t{&of@tNpcP-(@=*0#vPdm>D4?i!2 z!EBRbvRk=aiG08RQ21-?Hz7+&KF2;!Gn=PO={XWTr_O(@ZW%HNOX2eP7UXN~;)r2N zx~d@vTEW8AAoDV`ld!jeFZTfknPYkrk#+g#zj% zC>+!gxB}4sx^&9<%b;;>R?gx_;cN-hKN0B9;Kxw#QOc680bq`{*dIyONyxE$5${b` zzMdOKnRHf{GrxsJG1+ne;$-EHbBZC~H5n9xuuI|McAK6CV^a7;3SAgNL2L&~^Zo%# 
zT6nqpj$(iWPSB8i-BS3Z6dOJb5hmKr?goo*uTX^OeUL{~_;VUZYi{z<)`80TAY=HW zZOwWW#+vGPC)k)KiQ%hmo1yBDjf65 z%VcI?#mdL^->9&a>b#*eFZ@v&;01m8NP*Wtjj+^jKeb=ExH01ySx1`*Wf5o3B%8h!NwRo-Y7TYPMC-g5jnFBeqKN(V%>0RgK z(E{ISp5W70hAO+56RH-YKec4hrOHlL-ShbY0PUqcGd-O@sF5m=7to(sXY_Z91R#ed_(KsQ*t3zzKg6=({$6 z?R)}1x;>jFWph4wYNmV<;ES-bwPB)v7qKznKf4|)A*n2(%8J>a%)%TJvZFW z-qKR)Biy8)7^A#03;ufvaw$c{)I8_Sn<2ijT`zIzKN)Q*8_xD!#!4F=*1ygFqzY2n zYWF)g`~5#{2Ndu-G^nAP95`)c!ZV_N-)R6J5ByahICc^EBy^QT7zt!QpZ#7{n*T{S zl_ZKte>Rm2IXq?;zrVFVHkRM!i``;^2z#?IB?Z?Hr%qYMbT&0D zaj*FUHZHk!CA0^~vA;0FOhX_MSSM>r#R`J;2IzQSO$lTeuCo|(bE#~aTFH*x>|0Nb z&mKA1bccidMkx%qTJ6WP)gN%eD-xZ#6N8Nad2T7aGAUUSMIY2VK=3pv;v)3$1qcaJ zvy2r|+@|L(#w~$bmEm9Iv46`}mN7$f1SfOtVyhV5?kPXCw>iR~ZmU5y3|j}L{nf{l z{+5YTmpW+|!{i}Q>)-*`mNY9pb#Y0B9@hlDGmRGUh+yW~*e1I7M+7Z6Wk+UF8(va0dT zQr~2n!^~zRA1pyRp1e15-LVW-mf`)l2OtQW1vzazYE_Lm5%mojlxG@UK zCO?y8>^8Q`*Wu18yD^-%!sPU4-l{UZ@*uAZnJv^-guqGK}VOCA|rHecxd+fv}c4^WTXtb%JRD^}Dax1xNp zBANfMrtl~I5647I77r|@KjkefEU+2yJ*w?#p6`^#3vfSZis*@6{k_nf;)d>8l@=ue z!c+qMA`8`?dyB%nxI_JEK-Q-zAz^H51cXgcR}hjTk_;xuW6s=tv)EcgNg^Sl8iU9N z05E-(Ifg_8@05Yx>hf4$-BRn==YdqwktX@?*tNy2!G`sWLYP+A;&S=!@<~yr;U~GE ze30EuN*kR*Rj#ehZ~J&QeJGEV#e4~OXihdHiayQ3XxQ97_GKr&;mcf=Pq9!DN1qb( zBs@ncEX3hhAtOeVPGXpA zuiPBBO}Xz5kDjkM>#|tr%J1$A_m(fsKJpPEeGy~snmg3~={kQd?j{Amp0GXB1DRvQ zXl~P#)<6|$3*8kiq|$+sI#V~3qR8@04pk-4Zf$VdRVa+wkwgBqZ;bMJbnT|{&~kE3 z>!4BmJ|#gv)$opAj*#n+W@Pvqc0+K0g2$}Ji#9ppkKw;CaXyscc6R{UleqzY8&O(p z{1)CD%A{>u*I|RWUXT_JZ6(Flf_A&kbfr_ua=kfTC&ld>I$4I#z166B4K6$dX|9lQ zW6fB$$_MkR6ct!+>2m5-G|1npE%h0X)nFd@?tdXB+6z=ndMAZ*UG_jlEmY~Gs$uJ; zpq4G2Zc{WpK zZZINV>IV6&BX}&!uUs_+IJOQJ)W`B8!jP+`&-&*%d zoAlpFrxM!=i|*MmC+P2Z@y|WmNyN+fxRf)(mSEj&I3|@mRjOh5Yq8BY9NkwEOLRsp zo6$BM96Bd*1)|NIpu0vE0>d*dB2&iBFU@-s276g|g#+d%~cc@{@f8T~YcOQmH-ksUA0@aKQ$ zRaqQu6800Jp}WDv1W>brz9<@v40VBGkDSoTVXn!bz2=qQG@4DITWhoTfb`9WRPP3O zsCfe_TeaaIQPBzUDGcDN&{bp>d8o${pM_lK9pt-E(2yO?PG{`t{!@?DAT(OMLLMFa zD4#ZGM8gtgI-~GRVi${h_CAt{;&1vo0#uo*GBjfSHYmz&8}b6PnswhYwah@1JsQZ8 
zfNhgrEkDGUA@js|usG4cuK%A?hbOurg4kDr{#1BWthp7v&(o>((7V%2Jz)uj7uEW> z$;CZ~m3WfDxg@A|qLCR=rn?5UCxS`QO#!X^xu*ll`r5aSPH&V*`UlP)gW654%wC+C z*Z9UBou&k5Qjb|;x3CahS;UNYyjBh8A>}my!ASrf>2T8sxzqhDC@nTHwiGM5wm)9z z3XYUWk#ey2Pam3*GCdD%^_8P}4)yet(wXH@W8=Ie&dj`-h``-8I?)|*7 z|1Oi;;Isw>aXd4~y>r|5kBHZcN=K?%siezHWYXMNVLi8NC@YMUYkJoBemUl&9 zmGJ#Ym9HVOy=Un&RnGvsnR!&r&D56~8)AnB{%}1C{g-!=scE|OYKX7H8I&`R+|(6; zG3Z&ElsBn|+R|B1RwY;aHMh(U<^lzw7{bv}55u-rdPF41{dejRLw0NbuQlfXKZrAv zFx@=YU%roKeoZ{7Zv8^~Mez9ns5sXm8cfYtV<|#W*Ldu-=P}!hv+m3}t_+egSRf=$ zPiPQLS!OT3sR<09930sREeE?vQIX%Qw1JB-$W;~>IURo#%mXF$e(bV9A&RF}pE)5l zZ>xm1jt>3Xkbm@{@=+lukdO${D%%wutk%@rEckR>nrrn-RZwVC&@J&l<9%OSTU#XX zf%zc)*0MJ$0P%zdHo!mU8rLp`l+PNHw4u;--zR%sa}lx;Fs2hi+`tJS-hCMIIWfUU zsjzJwkVqUtpjqye=>9+i_`n}~jfN-aJ;>@JUetfO(IWagWz!^t;sIoJlh!L7@H3Qn z@bOudmd9WMHCnni{R-9b^K?SkKw=Vaa8qAiD{|f=SGnB zfgVxs{0c za^a1Eq4MO$^&VH81y`~p-=`G!XMFbO*-NooW{|wGFq{rQDSOFO=w+47R0ynpo>G^OgY^Pja!SLMEG6dhsjIeXB7S#MTw{jH>*n9$ZO_Z7iQAlJk= zMEKh}PC{2BQ4=r%zGDA@A#JU~K2XD@uB*gDU|-YIp7bAhqDIg}Dz(1>8=;jx1bw#q>xO^5jwSF$| z6?o;Tl`Qe>$YtqE7N{4N?Y!f@;Tdi6b`LY4n}l%>5SKA^oPj-z#LS{hKlv=7t2XW_ zPByo@s6q?u`1ozPY`0<0x?avFs;e1bZ0o*yUsc&hU*r1=b;0R8cKk1@=^~kGJ+@xE zi5h-1QA2ya(7!vb@c;7AZ1r+QL16Q#hRI?1mZt7j;G$%}dE%C4P`WwV&d`%#=k zLws30QafnOTs5`(;A;S2C;)_kr;Px5SSBdK;aOF1^BY}@fDf5X1H7z3i3=P`Ila4Y z+UZ8llks~GiOy9f$Yup;wJd@+dX$?}G~&nvmH=*aAIWROprkn>3oUjIzSjq|4tD@0 zpntUuHjm+<_2z0>w+&8+ZzsEHg=H#U*hV-p#$E%ZkMzevHuM`Ds1M`VditsCCRNK_ z2xL3W@}t|HBobuy8NsR`8142$}+W6X8#vrY<9d(hORwflwHygL(t zCsZ&5P<>Js-B)FxO0&ruUG@=qg=u!3jFXyRON*&Xn~`oJcoX4#mDu`b?6q?0AU8iG z-~)x@!Y!k8NL%68Yb6V0D*S{NM6tz3{A#?aAws)=yxJ1#`y6Hc?Abp|-o8X&eOcL; z242{Ie98AC1sl!Q@2$wlaJZp$$$MV80Mq(Spx#g4G``A&Tl3pZs~>b?%w4~aPduoQ zGU=zk4qmC)<4i*o+$Do>(jz{@X^cm~l`w@sG8y4Et@Fn$je5R`Se5NPX7JjPL+```>YUduar`6Hm4>`^u_P*LFtfreC227az}6ZM3pCdVumwXDdMX zheOzUe?M-c{Y_*lt|8Y`%umN@nz#IR_J#;;A z-b7W5-()tPk(Hu-9Bc*FC-1GFEl;XS>M|+Ab4GZ)X`qqL{d_=kCs)ZveE(@GDxh|@ zToS=xpAM&OElSM8c*S9crmrH(oZ)aZ!hr#NpUaWeK(muhb|rYuRp0hhpOV})XL(f! 
z9Q>4Xyv+xn^0Kl^wD`J8U>4kMN(yFGnrd|yEiEl2bG^1j`Ki5)rDZFJY5wA!@8;ph z{Jq<%ZF9B_$ExL+4+Of8ud`BAr2<4Wu!TTJTN_>BuG?$2OO9m6k9t4EdZDtGZ~WEX z_dve%hKZ=ky%2h`+S1bUX+4%X1p*3Ib;+hFt>81zm($PpcvPcc25>(0=jtXZ8JS^Y zX7Fk;dLl(?``j~!IYNKmMPlB%)|R3_p}Ra*D|f_^Cd5ys?Tes%e3k~PnytYji!{Dm zp;+ceG2&x*JyfxEMJj@Ka>=z7^8I9$5&q_*bJnzQs`E$0Prg%jn?@hMT*}<4*?l$? z8-Iy)AVdVzjQJL*RRSe~$|u6_OMsUBYkBHkdFIA%@`4Y@C6B&ZlS@|@JumtQIiZ0IC9ssH&l=DUKIm1=sWpqvFF}0Ou@{NZ_-tD?K$?vbIKv?6c zIFLrr#Y&g|a#z+q^Y$aO0DDgF*z|mia=WAsacA>KW^SicU-uoZ)Zq$7A@E!uV9e* zGyeP+t%+YAkNTjuHIS-`j@6Z~e6T$Qg=xd(e{Uvvzh!58|I^tPt+TbQG?cAUbDTvS zoenfcOp}X}QW?cJ1T58D?zXpK(OG=f0;C$ip_wpA7ohMX4gI?2NTHWw& zRE;VfIthDZhp@KS+}=#&_+J8Cm!s^jTqshnJ$cuPbzhJ#Wql*H-*jC3DMRRODY!6rHo8&bPqzEPQkcnPXy&nu=zJ40@ zi6lKlEXd*K#Ps(CC-nl>w-;P&PDgB8?&I>x%2xzd+FP-!M@y`Ze*$O5XEMd5e;EF+ zWzi)Eeg3v@(w|bg*sus3%`^0>S#2)24oOtPT-A{8Rq{bB9D`9RD?BkN9NBV}9s!?& z+DKXD8wwVRZFw|=-Ylv|f#E%#v6D>D-^^hGod?J=$;={N7#_GJ(55{;M{1sWdPJ@$h^Xh)aqHNkRwqqbi`I-S4$&DF)BB2SXpz*664=X><8e+GWFIzIU)Jb~8JpfR3m$dxr9$z2=k#J%_v!7mXNe4akC;A}1oasP}Hb8&lLN3@g?Z3V!KyYhEBHdAvjX z(OS66PO=p4*)VVU8&`;lKnqT!7wBx)dSL&*-eo!Y zt6g3h*JdTb4GqGNBGSUg)?P!M&a?eFP;8GGvIK|2^ReiwRl_qv;COE|;_zOoR=A(O z_g#xBi|mU)?&`uLC-pva=+?BldPHO!arA^47*Mj}T{LL>NkDVn_Ywy=*!Ng^5E zNME60ov&1%0W42DxwQavT+DWBTr*}hCz+3_k);yBnQba0PB9duWWV%#YB1Bwa@w%= zU#CY_JXvd0$uq`I5^3PFlmb0MUz7vJW6-&m@H1DtTRGlxoU zzCf3`x1xr%c|M0Xv}88Tab6K7!@22aPMG>IA<&T^7^s7|Gzw{Iuf))Dlt}tcn)3?^ zb{HBxq*^II*a6|kvzvbylfC=#<#rzihEN1EEmv9HY$j^dKm);M>vMHk8FrqCf|!J< zfZ*#;aDjjB)gySd?!PAf_}IxDxh;m7Qo@*zleM)q$MOy7#=*nlJV!)0>@3^qea7IOoJC$6zLz&MzBY%_f7uz;j%r0tX}+oCy=W?b;HmJ)enX zz%>}$nidH6W_s@I>iT2Y0-G+D4LYW-PG5FN0BFDobHa;e?VhP*Z#?eN0C@*CpqeRN zA;%a@x=%JuY=a2lmzy@2#^JoS_ti@K?(Ew~+)A*4EXBO%sGfg4u0Io43-(*Ld?xp` zX3U+r==Hwd>i*yt1dnNrgLI2|{eve?<~{B1!od}}0(u`7GJcUf-VPM&#dyVnE7>^J ztdHfVN?fR`OKY-zq1^SAand;WZaPWTJz_%>;2&-wstjngU0eAPO|$b`l?zD}~~t<0vdq5sJie8ApuG4oXsDb|hO4>K3XI&c6G0 zwsll-nnzG$htM~<9i}-ARyn(MuU`HLI@(l-Hz>K9wY~>+RoeXL^PMHPh8T2HOYl3^(mB 
zefQZF+}RUQ^DE?yTFUUP_O92}WiX*eR6G*EvO`HRO+g$W+44oCC)-JJATXz<+gsY& zz70*~i^c#mk6aT9{Z{L9855LqIsmL2+jS%Q!O5;DDfW8FhW_6_j5vA!cA`0##eHQ} zvyO{N7#(KLG;IOdX*M92ix>MEiNMMH=q?Z@F}nR_u+PZMM?NU&?O^-eDOUQky+-x! zX+Okp9~3kjt7iVp!8883;8DrJE8_ugTV&)1jI<7swpBWyJUL93`C+2V)H+txzt%_& zoJ%6f=-U-NUaff*j{FF*!&0)#$jS3*9vT=9u^ce0Tp;!OhEuGmi2M8C(Oxx!UrP8p z&_!=h?eoOLn`Dx^5hmHSs_9%wH~>k1BSG?k9b~3HjB*4TERmQ!J#U5pK{j=v=!ihk z8-?wHjT8+m51P5#iC2Jc7}PnKX$v>m#h3l25#R~8TAD3Nfig<(mSM-b%#@?WhHB)d z4>4=ekmbR6%)7Aw?Y^fSO=)NN&bbFz5d0u~KSo^?!q5U>6>V=EO*iKOmD#i*6f zo3lE_)z7piLVZOk+=3m%c%SS=$Ib?zv{J*$Ywk*MvDuxne*3_y$m9(XLs1WO1m!mN zTr52D!b&PIz@mPG)UzYs^7@#0iSnx(I%f=G{se2VPkUF^_nZa1E(0-8DTw*UQO$-j zzbna9mm!tw$_B)Z51?FJ>@=>QK#-*cFSZVglajl4O6N6qplASlGDb#5MANw|PV0Bw z#n11!!13S;^iKj&1IBMnFs(6pD+ufc3`NHRQ z%>U7V9K-W@?f=re($08x_l(@k(odSuohU7-tT~UPKp9C^91pdNiecUsqLuEiq{!*% zNrY}Fsr=bpR-7m9PoU|}POrPR20)2TtXwCKpiw@XOP|R~!qZe-EPk4ImrGD_P8Epm{$d+) z?ZAaUe&yk_sLBV6H=;nNQk0YpOtp}HWV^~0sMdYZP*QS)1oNjq{j7!xBqUUS5qwpQx#6`AP*qi>Q~q0oR>R+Tl``vJ$`4k3z>p5Mhxtnz82gIy z;Gvg=ahORasGuxx06-8c{@{e^bR;e45>g>9!Tnc5$B|zauw)S}&CtH*&Fu|d7MU09 zGjtK&FEaee)Ksk;@_`8qUM)CXf@+}qipF+~Vp$!?tG{7nQ|I;V4|8gt z$$L42j*MaT;&_aji%|I9v@A4%LjMBtHf#RZTRk4`AQl4HthY~~{e`Z=8;OFnK5h8h zmKBF%Nq3FTOLbai_|IfRnEaYa%AeTbVdkK1GULZeI(pIJzfQwzqZhxM5>>yawQD6B z6V@*^JtS@HHlZy|{$#y0bs?lNZnX3n&m6ik*?1n5o~1~wEy8*;tuCbho*cf0^4rNZ zO;hJYeL|gEh6>ynL(Is6l)?8aRwqhQg(_>pL=*?>_> zQaCblsc1M{ghPy)GHV=?pt!6A$e|*c->!^aI~8|yyk8Tgpt%zzbt5M=J;*jDSGeS> z4;{S~=MZ(}LA^B1d1c{wNuoFhmC_PpWu+h-3O<)Ad_3k;vhw+*USo8Z6p4t^nB&)o z|I-4{&3)O%s@1fi&FFpo(qht?E?|jgCXMeil5?ALPCV(C`{Iu6kr?2?%k+FpbJEqa zbW&&IB-}_FI8CXcRA0UROpzlIEhj5Y1sf(;Q;=oQpf#>L5MA8Q<+=ht@+8V+*b|U# z%b|nI;J!xQd=q&7-5bC3V^CapJLkXTwIwJB>F3%fA%lDb!kri519dbO&Fr>3@63Z?bsEnVtjuOkM4u^BvmhFOi zG9yC^wJDt{Ps|ef-3y_@TuMiQ^dtzOsM{uB;NYw@x!^O)O`jMWOi%NI+tNXi zj&0=)g8qzM`&m;VXh(=-g|V2iR*>}qK2J*8^C5%XdImAzBgzz5Pt)$^=0*eGq!0tl zjIp%0|Bz##9kt#4yj7w}R|4Hwhhp%-POOY~X~M$Iyq|WZt6;A^5E||WT;`Me9Q~VI 
z<;i0gnj!XNn~{{tvhNdepTT-lGc!&P?w$TXz*01PyS~c!VLL4-bUpmZ-h_DYS;jdR zK5S>(h_0VE?lHAytayJ44lRC_d{$AoBMNluV*3k*k-rn6$Ox%5NJ!KN<-w%FF${GY z3&+Vo6dgHNl}Em!8MO9ahxhe!o_Xahsj5M~$sP}^UZRLe)*MvkL~2hN(B@r%YH!6W z6f{q~FpJRf*~VWGSSv zwh&*lL6=DWtxf#O&OIQYMma)J*SB{2bEfE$M>l2VYizaloONk-yY?sT-THR)5e1zf zJgn@H>WP=|OY54xLX2z_Kq-WJwGO&gwzrI_Tbyf74`&1CH!oIWIm%A9iln7Q}bJ0bl2N7{o~ph{IjNPhoK z7?TYnHCU^ruNW&+&f0j33&F4VVoHS)5)XHctltL`a*WB>)Q%pR?(J)Ygh0TE-+ry$ zx-RD{6@rpE`uFY#^6D%vuA8S^6xMW~ut5DYJl=<#=fntZ>hI;9>+YMKl@%2-tzU=% zqW|#CF%}O{rH|13P0>cGR#=w)B|e=3$df;3IMYF|xq8Q`%K<_GTyjN&%C9g?gP+;+ zadYSUr5$D@q6uAC2fF0`-3M*U_BNoz5G zhHsNv)HgNVXCBLvSJr)9#QHrOAgsO_(rf;oj6gBG=LK^1Nv zEPBT2Z5xf(Ncjx_{JfHD&4sLIf6=kXq1B+~adm~I_Z+E|OVT10qmE?5>Jtw>@&7(n z?f&9jA2_WZ5rZ?{VgFeUE4Zhnjo*USny+-$Gpvs7H69JDV}bL@3=m|$blA%8d*6=1 zA>*o&7ptmvcP38+gL>MKJP zK?hF{Rj5}fH`!^wm5g=jCTaKK8)h7^13aT=vyOj(|HnHo1{T%@aqv=$RyKcdvzbOUTxY%R^U7;*pIn9Z=@!fmk&bG5at zt(s*1$8A5NnyP9v2}vyX=k(aoU0MAkfAgzrbxMORR_pk?RRe$}vu<2Z(WvI<`)tF^Vavxdp!>_kagl zy*EJD8N9NWCh{{!`NUI3!`@EkR@L%47efDp_C}LbIAIzM+arkVgM*Nqm=xqmf`Ju# zd(XpS9^_Il^NI7*ZOh{Jh)f00->VR+oWdY=*;SfLenSiMLn**`=W}>fWO2e^RrnN9 z({s(9+vi+dy}q1FPeV_AtcsAwVUYelr>iGONx&@*&-aP?;wpK*%-wVX6)^2U{abxh zJJhGV&$O^C#Q~r|A{hfyfQr>wHJ!0VyIbn@OhID=WAfJ3#GK{7v-Q@MgoF|h>)4U$ z{y`oOf*%eyzW5_A#20PyiUUf#A@|y7rknp%P3q`sjX2WZ^b=6MABb^xoLU+(IDukR z2~v5+ZwC

7G|tx=d3CxN!uSB3Wb69UR#JRnnT27@_c+uV05lnD&{AlHeB>^cRHZ zP7HF9d$m71(m<&_e9+J6XHUs=X`y0&>>} zQa(*x+zOmpKW1}qBe|miYT<#AZ2t)#c3AggltLI@lLzqFEYr>p3rn=w15LIYj1yi* z70sx~y62zh0{<(W?plO*v3tf{^r)Dz)fYIOSNO+!*FH;=pWzvsgQTv1*HUN)y{}6* z?w9NS58cu>+Y||(_){}R?>1nV`O%3kBjmxCD|ZOQiS$5LS;HhXn;@EaMpb8IXs7*vBgeLXQT(a#ys2UuYv-+x_9fW$9| z3e^6K43NJ3Zhpsq_^m2T5nEO=mwGX;x*n=Y%r+)S4_9Ee3K#Y;kJ#u9P zlzpIKCuW2b5aiJOy<-Kt^#tk?$S(|OWmw-z1=5#0(aRZaT7`ViRjh%?bg?CKa$B0z z*D3iw;U?&@k@%Pb^Ocv0&~ms{12ep*c+4rIyYgGR<+!560qc>d%?j5@ca%YtNKU4Y zQShD|O+NGL;U!g|zAb`XxNb?xU+9c;dguKHwuu(#4%l9iTs=nlv@^0LOkd;#T0o4N zQS;n|79UGg)~9iTYoo=8BM_C&fV$PJMUI7UC!=l11oq4f2pk}jnA2SHFQ2sr(Gv+z zKK=8u^JCg@;FWxpPUCBBs-d*-tO5K#!Y**k>qqp?74A)bufuykF6(4ktC5K}(e_TL9De!t!xO%d8kZF6$g-t5`-$$TFX^(-X8z<^*>{ zs30zr-*Eq|${g{TJ`1Ub7i^%p$5#S=auWXPzuL(GfSOkutYkXletm`zE~QxDAL`zVRpdh2KJVS7?`nZl+~PMP**}sK%+w>2(rY!xoC05c`G44M?E;23 zW*PnZl1*FA(P>}+sb#LuwG`%k*%~o}iJ3U{QY2n3&%jG5Xb0I$UgvwUuBd=U=Cmq_ z8Er$jc(+QLmaw%eo>1c-{&t}BLbCDn^ zQA~8l#KQV8`%iC9*XSHGd+eePrRV~S(XJycBU95<7pN-v-^Th}wD^K28@yCAGe2o~ z=8EFt;^S4a>^XkG)!$H5U#~)LRl@45Om5dyJZrOy8*gnv2=y3anK9{qJ1t>#b7^}E zo?BCCAZYw`oWrI3HZFG+Tw@D#QIg;*n&w~etuqcX>_re(OjGrMr^>vP1xFZRe>N(2 z_5PHHxh|cis-^9R9W{{j_vuSK8L$O_&5MjZ7OtV8p$u?c-E?cS{jRTfMnF(PDyi`K zX>|rmnHD}l+1o-g-S`3>Big&xBpH*G2FzZ9o?GJK9XjFAz(F5`8oTBrxoWX2@RBxY zcFV@s+`MFEIT99bI<-36t&eCqJ5XY3bzuDc^d&$OL}*id7bjq<;P*sLv~kCMn*={U zob}j?D}3OS;8M}d*BrNJmip<60G>H_z0siS!HEfs5a`M0ZkXne6|4T80Xwz}a_5gg z7;hC!DQ)0g{P(|GVMNSuBDW9Rx+x48fLwAK@gXFSxl3T){%9q85p#Lfq$5RSpnKc( zsPzdz=RPEDXbJwiwC`t% zdoao7eTER97hWJES)z3(uh)Uj_^;AcpdjHL!0UI)U);X39?A(9An$1;;-M!*rcDah zpV-3F*)X_^63n^uCMW9pDoV2Xz_)n#U-BtKA^$}_#_FiFv z4-EyUBm9Fk1D#R8`K36QK@YG2>CuGRv>k1SSdIOkQTuh3^zyLY>Jo5@hwtnlRA^Ms zMM|1BIL!Upv7*hC7xz#6yn%2_xfSn&U@HFOd$0Zzppn=9f|wL@eG4uM#&u3v9{XmF zhRO81XN2T-Gd{cwNT(UxXOabRNbd^^>Z52?x=^ZKqQHIu)|siT=mTMQ{g0kNs4u7@ zRCtxSCe<28K`+RCkE18^74xuXt9C-ouGxytn0sHcRsrY2q2M*AK#w;E8z1jpcUma8x~QmG99ZcJdefk8enZR_s) z!8)+n)c}FOis6x>3=Oc~=;`TcROz*Ilr|c`G8f1PqA8Ee*3V%iA5l?LE7=iPjVCgU 
z*cR8<-&EQSQ<{`9YB1ek;OJzAXV&Qc{uge<@KBx{ei@D&A0TzR%`9tO#Z9MQ8ls89KQ=t&L+&hl~+a zq70&tqnTfYDSrf5XMg6F(F=z|X*N5AtAC87rkzMWVq)N$zGPM$KS4%%+&JA$BoSum zm-FpnC2g+=D=zfdwZ7n7cUL!j-!b{bhRqj45?p9U_NbcBr z`nU9Vtw)Ed7snF;k>)4XH}o;imyugsOyuEEJx-}BVpjiWspX$)=F?Q-TAS5;&BXth zp>wc8TWXqOPx&gIaMqSQKBZshBKZv;UY7NjH`!o@^`{$l&1f8Sjn?TEv-kSsli{;2 zZ`aP{AW#(AGv8GEh4Ge>8aL$v?%%Ay4S}%Lgc<^%%b$oUjko<7C_C!U1%6yzN`YKx zk#4YfB)0eJ6h!z|d|WP$cOpU*bBM`$J7a3Idy?uSVN z#cqTVSOLtavxUBgnx>UzDKVQiOS@48#Vqv&A9HO$dq7{lNM}U?v)xiz9oc}!qQ|+* zT(cnqXhpM4SOvENO?K2^{bYI=ReDpgxncj@sU}(mX4ntf2fH17|8t9>lT7Wx^SRwAOy7=($o%Pxj&Xbz1C}#dWXqYq zIdvgJbHd}L*E)G&XptZTEn9r?)bDsGwbDmsy7B0)yOaOvsE5=ZI4dFuQ-odsiJopH zkf+zmIW8j`v7!d(&T_o*$M`VXfnuhZ2{X!4>1$hw6B%xkh`NpFhvImL3HIPHfT3qZ zSZ`wN@fHz6yjlj>##h^fpXMp<>X3?wOU(v2MB*OM;)ll~cWYMKf0vb6mO6aYd$~|nRlUU{SwXR@P^1*I6jp~}R4Z*-SE3#l39r|v(XZk- z(IMBQp`r1i22WQ?zy7M#lvR>$a=t!tBkY#8wEl%wM1MxLCkAYDpWSw7ph6F8n@lF)xAMVN4AJBc{5)ov2Ng~_!ezW6^XLc-ON)RL@v=iZn`3qNT2-Y`Gi`n1 zjr(!PPPb^rBsc=G$0uPz&PZR!Lr`UgPc%GA&XR_BxYP$Q8G7c?uf&pVeBWt)b!#s0 zv5X4Rfm#X+lmVD_Qgv6+5zkLc1J>?mD#3jvquljjR7!GMH717d@fyra1r zqf@LAN0v<=X-7wL1hK=Epeo#ih@dMKI$O$Q&O>I%x=IiVFhf8%gPC(+w;vgLAHUP- z3eKRT{iyyvh~XC|LpxD+&K?)ehUS6QXU6L_gR-l};sy+tX)|JS$GH%_7V%H_)*+iw zznkTVC+h`ip4OiZ$j^%d^%9AhCp|R(PJMel!fICRUF#h(7B=i#1UbV)s!qE+RiNas zk7`8Kq9Sdk^nP29?28?X61S^FGsAXN0|mVEkC|A&@A-4Oq~$h#E0 zu7=LZj1{&`4sEU{MZ&yB^HWWBG~ok@NpKx6j>q_;l4Dfs$BvcEO)%k|lj zeBl@8WJQu|E;MX?nd->i?;zZku4p+6IxD(DSyT+{s^U#mHY>{S!kB{dz@D zg_efqTZwLYl3kL>Z>`V8+We*e%mKJ?b2;uEWJt$X2boY=|49L#m z5MWq6JF02uRg36xVmUf(or4H;pGDGb)sp;xX&G~azebX{#10KrH~UZe?^Az;th^X5-K@CSHQo6XjrRX3 zJulu0ZI$7W%Ho;USJn_u=~@7!j4b5Qmg0C)-I;)5nAMK2-e@`D_l&}$y|frrynyLP zI)A64qJ#a&mB}axg)@tvj9FqXN;wa*#_v}EXcTYeVI+;+L9=AqC3F4FQPoc=P%eLO zZ=TI&s9Wd%<<=~PQRhqZnT^ ziO8CV8`u-9C?O#c7MUsSL2aa@=2QUdq@)3;TZYW3;I&+29=wMm_>T3BdIBJLmuxu5 z1%5&EHWy#+AsXE~-`TVm8ljKu6aeJL6y7m+oUm;fbYJ?fr^mLW>;C`f!m;T<5zs3| zpM&_4tz?kB^QdqtaM!gsZBmq$$O1?a-gMONsaZ;<^!GT2W`IFCjnZd#%uday6OTfL%45fmwq^kVvxSlm5PQOXFENtjO?RZL@|K{PXoH 
zNU*e+zR4gHeAlA+Ly?kRTY<-GkQlwIqU)Lbymo5n_?tv($+>&L{IDk#7(w!PEWE_i zKZ2^iK0NoQSdT_aIi!KBoyA@iy@mx>%D-Qs5FLMR>Swd&lz0BGeLP&&FCLjE7Jj$$ z{$pq(Ie=5i_QUzS2yv=Nd;mEElBQuRCGtD`k0LFeR?fLcX(;A^& zi=rYr8G;TggqXPFCP4!Rbiz*LXQ`1Hj@H9XRxLfUz$3e;*H!im4b~M2?;C4? z@KI{iMa=@oN~u)ADVRtp^hYbiTcppL=?15N6lxcl^x}Pvq$L}s74B8m$oUa(61p8z zX223RV(RR0HN%9f6m4wevJ49uq_u>(QVByfSn`J>UPDS? zaM@2j(e{|sW94LR9~H2NQdCggQf5_6q(n`F6f-CJL~13#<_wqK&HcNE9E&3;$-do5 zM)p{|J=Yw9FdiQlYwk=HDjRK*y$(c2Q|zMsyzU>SHQ=;bp{>b~=(L0v54m zaWPngShP7WWl+wqi!%hiTD@5m-9=$w@D9fjo2iKt_j7JhN1UIgdUz-#KVLi+jimu% zueXq5YCOVFEI%|du!%`6qmHVZ?;jjIVa!ED+n43#WVSdEq)5+Fy;olT7Kktxh7smZ zND3Dc?kb*jVn{edb^RaT5aPG$MsB;+YI-PJ9E;JOi-bTtHGaII^DQGs|^bI+SO70>Jw{Vk_lZz6}>XxYUrzIg7 ze@`qeI`zo^|7beL;7GV=YsW@+jEOzrOgQnx=ESybOpK0=iEZ1qZD(RT6Mp@E_ul+W zs=BLEb`sF!D7D67zKHtZ^j-)?Z+*ynN+!4JTIf?x#Mz2`I>eT4G@}rQ+=r1p zUpj>;v{1p^nO$%$7Om(w!FIEa2oN)@K}Z$my=gQN5D;KQP-%jHk~_-;k&_lD-K%dO zw#t{Tdi=79Byajef?HUSsJUOEXk}tAD?6FKW$uS-`2-QaoV3q^)tgD8)7TB`dhJ!b zZQ_Dwd3Wv_mjlO9X5lRLyfTv8`xI5p=Q8pLHS-nb90rPqyK>O%&*U~CsyCd-YpYCK zMn^Yu*%lq*6fOjECdaU-sgY+>={#_kJJB(+-iVGO0JR_UW*QUJ@6P}$mfm}w=$yc@`{)p#DOF6_++bl+@>XN^QVkARb-iLWLHotTzzIAj=8ZKo4g401qTtZ@-T9v{>$_C zg_unu9oe0rn-xX%Xf8GS>3;;YZ=Bbx_@S4|@0J=ZoOm(CXn_%OvDSDtsw5?*{TmA@ z7^T`p+K5JAJ6#B-o1y85=n54E{ToK`-)UuQ?z6}Wwgk-7*0?&>vj#NXu9_YPGotXe z44Ew-RqW0n1QgkI5rpKrKE1Ekr8F5ec}BZ`2*;5Warsj=e5O*^l%(9h5bm_xi0?eT zU4=0%ZNq1}l0|krA1)o%*|ayIG??TtLeIMII{Y6C;A;-I<#}PD{;Hw^T-pht7Kr9kfZ>$8lM@b?FZq@9V})^ylwQx`6@b%WmamJ85(J+W{X z7Z%u*H1#e#q7JX)z*3(xOqKIilP^B?5qjfo&mnfSpfn%@?zfB z$6ypmM`CgY+tTs#sIu+20s=SNu-x(}PK*{pzi7ywNrc3ch9Bw?qMY8dJzruQWRc$B z{6ktR(8NOULYT``0lhaGwCLYloIqtMnYhZ`!{BQYwF@KYB>4u zX;etOu?xr5aNJYb1zI5R%ts$V0ErNpv|x{hSp-`=|~lovDBq=)#Sm%@ow)n&^_c z>)D5?x-AxD1YmGwbr9l**W+RdjhzyVZRWBm9P*@Ge|ujUgp#zishRm!jE|6in;PM( zX&qr=YzvWt%9Nh(>sh6QbQV$d`(Ws(?UCP@7=!t)%*lIJiElK-7b3foD*?~!xKfU}Nn3b%HWoEN zMzmj`*lOe~Ul-^F${|jtN2ltGIIFRR;|}=W^+biQCkx}G&9N_3NOSrb3h^zPXlx?f zq^rc!(df?1BcFH}6Jh1EIGd41_LM_J*y6;ucwrjWQgqC_-b?Q_TI?McdN%>9_-upd 

+ +
+ +The user information is reflected in `req.user` and `req.tenant` [attached to the request](#reflection). + +
+ ### User Types CAP users can be classified in multiple dimensions: **Business users vs. technical users:** -- Business users reflect named end users which do some login name to interact with the system. -- Technical users act on behalf of a whole tenant on a technical API level. +- Business users represent identified end users who log in to interact with the system. +- Technical users operate on behalf of an entire tenant at a technical API level. **Authenticated users vs. anonymous users** -- Authenticated users have passed (optional) authentication successfully by presenting a claim (e.g. a token). -- Anonymous users are not identifyable users, i.e. they havn't presented any claim for authentication. +- Authenticated users have successfully completed authentication by presenting a claim (e.g., a token). +- Anonymous users are unidentifiable, as they have not presented any claim for endpoints with optional authentication. **Provider vs. subscriber tenant** -- The provider tenants comprises all users of the application owner which usually have no business access to multi-tenant applications. -- A subscriber tenant comprises all users of an application customer. +- The provider tenant includes all users of the application owner. +- A subscriber tenant includes all users of an application customer. -| | Business users | Technical users + +Typically, the provider tenant is not subscribed to a multi-tenant application and therefore has no business users. +In contrast, for a single-tenant application, there is no subscriber tenant, and the provider tenant includes all business users. + +| MT Application | Business users | Technical users |-------------------|----------------|--- -| Provider Tenant | - | x -| Subscriber Tenant | x | x +| Provider Tenant | - | +| Subscriber Tenant | | ::: tip Apart from anonymous users, all users have a unique tenant. -Single-tenant applications deal with the provider tenant users only. 
::: -- switch -- typical tasks +The user types are designed to support various flows, such as: +- UI requests are executed on behalf of a business user interacting with the CAP backend service. +- During the processing of a business request, the backend utilizes platform services on behalf of the technical user of the subscriber tenant. +- An asynchronously received message processes data on behalf of the technical user of a subscriber tenant. +- A background task operates on behalf of the technical provider tenant." +- ... + +Find more details about how to [switch the user context](#switching-users) during request processing. + ### Roles { #roles} @@ -83,7 +105,9 @@ annotate Issues with @(restrict: [       to: 'ReportIssues',       where: ($user = CreatedBy) },     { grant: ['READ'], -      to: 'ReviewIssues' } +      to: 'ReviewIssues' }, + { grant: ['READ', 'WRITE'], + to: 'ManageIssues' } ]); ``` 
@@ -104,10 +128,10 @@ Such roles are called pseudo roles as they aren't assigned by user administrator | Pseudo Role | User Type | Technical Indicator | User Name |-----------------------------|---------------------|---------------|---------------| -| `authenticated-user` | n/a | Successful authentication | - derived from the token - | -| `any` | n/a | n/a | - derived from the token if available or `anonymous` - | -| `system-user` | Technical | Client credential flow | `system` | -| `internal-user` | Technical | Client credential flow with same identity instance | +| `authenticated-user` | | _successful authentication_ | _derived from the token_ | +| `any` | | | _derived from the token if available or `anonymous`_ | +| `system-user` | _technical_ | _client credential flow_ | `system` | +| `internal-user` | _technical_ | _client credential flow with same identity instance_ | The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. Note that this role does not distinguish between any technical clients sending requests to the API. 
@@ -138,33 +162,375 @@ In the CDS model, some of the user properties can be referenced in annotations o | Role | `` | [@requires](./authorization#requires) and [@restrict.to](./authorization#restrict-annotation) | -## Role Assignment with AMS { #ams-roles } +## Role Assignment with AMS { #roles-assignment-ams } + +CAP applications that use the [Identity Authentication Service (IAS)](https://help.sap.com/docs/identity-authentication) for authentication also leverage the [Authorization Management Service (AMS)](https://help.sap.com/docs/cloud-identity-services/authorization-management-service) to provide comprehensive authorization. Similar to IAS, AMS is part of the [SAP Cloud Identity Services (SCI)](https://help.sap.com/docs/cloud-identity-services). -The Authorization Management Service (AMS) as part of SAP Cloud Identity Services (SCI) provides libraries and services for developers of cloud business applications to declare, enforce and manage instance based authorization checks. When used together with CAP the AMS "Policies” can contain the CAP roles as well as additional filter criteria for instance based authorizations that can be defined in the CAP model. transformed to AMS policies and later on refined by customers user and authorization administrators in the SCI administration console and assigned to business users. +Why is AMS required? Unlike tokens issued by XSUAA, IAS tokens only contain static user information and cannot directly provide CAP roles. +AMS acts as a central service to define access policies that include CAP roles and additional filter criteria for instance-based authorizations in CAP applications. +_Business users_, technically identified by the IAS ID token, can have AMS policies assigned by user administrators. -### Use AMS as Authorization Management System on SAP BTP +::: tip +Authorizations for technical users should not be adressed by AMS policies. 
+::: -SAP BTP is currently replacing the authorization management done with XSUAA by an integrated solution with AMS. AMS is integrated into SAP Cloud Identity (SCI), which will offer authentication, authorization, user provisioning and management in one place. +The integration with AMS is provided as an easy-to-use plugin for CAP applications. +At the time of the request, the AMS policies assigned to the request user are evaluated by the CAP AMS plugin, and the CAP roles and filters are applied to the request context accordingly, as illustrated in the diagram: -For newly build applications the usage of AMS is generally recommended. The only constraint that comes with the usage of AMS is that customers need to copy their users to the Identity Directory Service as the central place to manage users for SAP BTP applications. This is also the general SAP strategy to simplify user management in the future. +![The graphic is explained in the following text.](./assets/ams.png){width="500px" } -### Case For XSUAA +The interaction between the CAP application and AMS (via plugin) is as follows: -There is one use case where currently an XSUAA based authorization management is preferable: When XSUAA based services to be consumed by a CAP application come with their own business user roles and thus make user role assignment in the SAP Cloud Cockpit necessary. This will be resolved in the future when the authorization management will be fully based on the SCI Admin console. +1. IAS-Authentication is performed independently as a pre-step. +2. The plugin injects **user roles and filters** according to AMS policies assigned to the current request user. +3. CAP performs the authorization on the basis of the CDS authorization model and the injected user claims. -For example, SAP Task Center you want to consume an XSUAA-based service that requires own end user role. 
Apart from this, most services should be technical services that do not require an own authorization management that is not yet integrated in AMS. +### Adding AMS - -[Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} +**AMS is transparent to CAP application code** and can be easily consumed via plugin dependency. + +To enhance your project with AMS, you can make use of CDS CLI tooling: + +```sh +cds add ams +``` + +This automatically adds required configuration for AMS, taking into account the concrete application context (tenant mode and runtime environment etc.). +If required, it also runs the new `cds add ias` command to configure the project for IAS authentication. + +::: details See dependencies added + +::: code-group +```xml [pom.xml] + + 3.7.0 + +``` + +```xml [srv/pom.xml - dependencies] + + + com.sap.cloud.security.ams.client + jakarta-ams + ${sap.cloud.security.ams.version} + + + com.sap.cloud.security.ams.client + cap-ams-support + ${sap.cloud.security.ams.version} + + +``` + +```xml [srv/pom.xml - plugins] + + + com.sap.cds + cds-maven-plugin + + + cds.build + + cds + + + + [...] + build --for ams + + + + + + com.sap.cloud.security.ams.client + dcl-compiler-plugin + ${sap.cloud.security.ams.version} + + + compile + + compile + + + ${project.basedir}/src/main/resources/ams + true + pretty + true + + + + + +``` + +::: + +These libraries integrate into the CAP framework to handle incoming requests. +Based on the user's assigned [policies](#generate-policies), the user's roles are determined and written to the [UserInfo](./security#enforcement-api) object. +The framework then authorizes the request as usual based on the user's roles. 
+ +::: details Node.js plugin `@sap/ams` added to the project + +```json [package.json] +{ + "devDependencies": { + "@sap/ams": "^3" + } +} +``` +::: + +The `@sap/ams` plugin provides multiple build-time features: + +- Validate `ams.attributes` annotations for type coherence against the AMS schema. +- Generate policies from the CDS model during the build using a [custom build task](../guides/deployment/custom-builds#custom-build-plugins). +- Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. + + +Read more about AMS + + +### Prepare CDS Model + +On the level of application domain, you can declaratively introduce access rules in the CDS model, enabling higher-level interaction flows with the entire application domain: + - a [CAP role for AMS](#roles-for-ams) can span multiple domain services and entities, providing a holistic perspective on _how a user interacts with the domain data_. + - a [CAP attribute for AMS](#attributes-for-ams) is typically cross-sectional and hence is defined on a domain-global level. + +The CDS model is fully decoupled from AMS policies which are defined on business level on top by external administrators. +Hence, the **rules in the CAP model act as basic building blocks for higher-level businness rules** and therefore should have appropriate granularity. + + +#### CAP Roles for AMS { #roles-for-ams } + +You can define CAP roles in the CDS model as [described before](#roles). + +::: tip +A CAP role describes a **conceptual role on technical domain level** defined by application developers. +In contrast, an AMS policy reflects a coarser-grained **business role on application level** defined by user administrators. 
+::: + +For instance, you can enhance the bookshop sample by replacing the `admin` role with more fine-grained CAP roles: + +```cds +service AdminService @(requires: ['ManageAuthors', 'ManageBooks']) { + + entity Books @(restrict: [ + { grant: ['READ'], to: 'ManageAuthors' }, + { grant: ['READ', 'WRITE'], to: 'ManageBooks' } ]) + as projection on my.Books; + + entity Authors @(restrict: [ + { grant: ['READ', 'WRITE'], to: 'ManageAuthors' }, + { grant: ['READ'], to: 'ManageBooks' } ]) + as projection on my.Authors; +} +``` + +Role `ManageBooks` allows an user to mange books _for the authors already in sale_, auch as offering new books. +In contrast, users with `ManageAuthors` are allowed to decide which authors' books should be offered, but they do not define the range of books. +Both CAP roles are ready to be used in higher-level [AMS policies](#policies). + +::: tip +You can simply reuse existing CAP roles for AMS. There is no need to modify the CDS model. +::: + +[Learn more about role-based authorizations in CAP](./authorization#restrictions){.learn-more} + + +#### CAP Attributes for AMS { #attributes-for-ams } + +Attributes for AMS offer user administrators an additional layer of flexibility to partition domain entities into smaller, more manageable units for access control. +The domain attributes, which are exposed to user administrators for defining custom filter conditions, must be predefined by the application developer in the CDS model using the `@ams` annotation. +For example, the instances of entity `Books` can be classified by the associated genre. +Hence, `genre.name` appears to be a suitable AMS attribute value, exposed under the name `Genre`: +```cds +annotate AdminService.Books with @ams.attributes: { + Genre: (genre.name) +}; +``` + +In general, the `@ams` annotation operates on the entity level. +The value of the AMS attribute needs to point to a single-value property of the target entity (paths are supported). 
+It is highly recommended to make use of a compiler expression in order to ensure validity of the value reference. + + +::: tip +Choose attributes exposed to AMS carefully. +The attribute should have cross-sectional sematic in the domain. +::: + +As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation on level of a shared aspect as scetched here: + +```cds +aspect withGenre @ams.attributes: { Genre: (genre.name) } { + genre : Association to Genres; +} + +entity Books : withGenre { ... } +``` + +The detailed syntax of `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: +```cds +annotate AdminService.Books with @ams.attributes.genre: { + attribute: 'Genre', element: (genre.name) +}; +``` + + +### Prepare Policies { #policies } + +CAP roles and attribute filters cannot be directly assigned to business users. +Instead, the application defines AMS base policies that include CAP roles and attributes, allowing user administrators to assign them to users or create custom policies based on them. + +:::tip +AMS policies represent the business-level roles of end users interacting with the application. +Often, they reflect real-world jobs or functions. +::: + +After the application is built, check the *srv/src/main/resources/ams* folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called *cap*: + +::: code-group + +``` [srv/src/main/resources] +└─ ams + ├─ cap + │ └─ basePolicies.dcl + └─ schema.dcl +``` + +::: + +The generated policies are a good starting point to add manual modifications. + +The generated DCL-schema contains all AMS attributes exposed for filtering and does not need to be refined: + +```yaml [/ams/schema.dcl] +SCHEMA { + Genre : String +} +``` + +In contrast, the generated policies are usually subject to change. 
+For example, you can rename the policies to reflect appropriate job functions for the bookstore and adjust the referenced CAP roles as needed: + +```yaml [/ams/cap/basePolicies.dcl] +POLICY StockManager { + ASSIGN ROLE ManageBooks WHERE Genre IS NOT RESTRICTED; +} + +POLICY ContentManager { + ASSIGN ROLE ManageAuthors; + ASSIGN ROLE ManageBooks; +} +``` + +In contrast to a `StockManager` who is responsible for the books offering, a `ContentManager` makes the author selection, in addition. +Optionally, CAP role `ManageBooks` for `StockManager` might be restricted to specific genres by applying filters prepared in customized policies. +As a `ContentManager` there is no genre-based restriction based on genres is prepared. + + +[Learn more about AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configuring-authorization-policies){.learn-more} + + +### Local Testing + +Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign (custom) policies to mock users and run local tests: + +```yaml +cds: + security: + mock: + users: + content-manager: // [!code ++] + policies: // [!code ++] + - cap.ContentManager // [!code ++] + stock-manager: // [!code ++] + policies: // [!code ++] + - cap.StockManager // [!code ++] +``` + +This is also very helpful in unit test scenarios. + +:::tip +Don't forget to refer to fully qualified policy names including the package name (`cap` in this example). +::: + +Now (re)start the application with + +```sh +mvn spring-boot:run +``` + +and verify in the UI (`http://localhost:8080`) that the access rules apply as implied by the assigned policies: +- `content-manager` and `stock-manager` have full _read_ access to `Books` and `Authors` in the `AdminService`. +- `content-manager` can edit `Books` and `Authors`. +- `stock-manager` can only edit `Books`. 
+ + + + + +```sh +c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider +``` + +ogging: + level: + com.sap.cloud.security.ams: DEBUG + com.sap.cloud.security.ams.dcl.capsupport: DEBUG + +/cap + - basePolicies.dcl +/generated + - basePolicies.dcl +/local + - testPolicies.dcl + + + + +### Cloud Deployment { #ams-deployment } + +Policies are typically deployed to the AMS server whenever the application is deployed. Afterwards, those policies can be assigned to users in the Administration Console of the IAS tenant, for example, to grant a role to a user. Using the AMS plugins (`cds add ams`), the configuration of the deployment artifacts is done automatically. + +::: details Prerequisites on SAP BTP + +- [Get your SAP Cloud Identity Service tenant.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) +- [Establish Trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) towards your SAP Cloud Identity Service tenant to use it as identity provider for applications in your subaccount. + +::: + +Follow the [Deploy to Cloud Foundry guide](../guides/deployment/to-cf), to prepare your project for deployment. Here's a shortcut: + +```sh +cds add hana,approuter,mta,ams + +``` + +After successful deployment, you need to [Assign Authorization Policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/assign-authorization-policies). 
+ + +::: details Assign users to AMS policies + +![Screenshot showing the AMS Policy Assignment](assets/ams-assignment.png) + +::: + + + +[Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html +https://sap.github.io/cloud-identity-developer-guide/CAP/cds-Plugin.html +https://sap.github.io/cloud-identity-developer-guide/Authorization/GettingStarted.html + -## Role Assignment with XSUAA { xsuaa-roles } +## Role Assignment with XSUAA { #xsuaa-roles } Information about roles and attributes can be made available to the UAA platform service. This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. @@ -318,12 +684,13 @@ The user name is frequently stored with business data (for example, `managed` as ::: -### Propagating Users { #propagating-users } +### Switching and Propagating Users { #switching-users } - request internal - tenant switch - privileged mode - original authentication claim - asynchronous -> implicit to technical user + - technical -> buisiness not possible ### Tracing { #user-tracing } @@ -348,3 +715,6 @@ TODO ## Ptifalls - asynchronous business requests +- wrong granularity of CAP/AMS roles +- no cross-sectional attributes +- mixing business roles with technical From 83628113a21f3e6be4d607c36017c6204859bdd8 Mon Sep 17 00:00:00 2001 
From: "matthia.braun@sap.com" Date: Thu, 16 Oct 2025 16:35:25 +0200 Subject: [PATCH 010/120] finalized AMS role assignment --- guides/security/assets/ams-base-policies.jpg | Bin 0 -> 96905 bytes .../assets/ams-custom-policy-filter.jpg | Bin 0 -> 85271 bytes guides/security/assets/ams-custom-policy.jpg | Bin 0 -> 106833 bytes .../security/assets/ams-policy-assignment.jpg | Bin 0 -> 61022 bytes guides/security/authentication.md | 2 +- guides/security/cap-users.md | 209 ++++++++++++++---- menu.md | 2 +- 7 files changed, 165 insertions(+), 48 deletions(-) create mode 100644 guides/security/assets/ams-base-policies.jpg create mode 100644 guides/security/assets/ams-custom-policy-filter.jpg create mode 100644 guides/security/assets/ams-custom-policy.jpg create mode 100644 guides/security/assets/ams-policy-assignment.jpg 
diff --git a/guides/security/assets/ams-base-policies.jpg b/guides/security/assets/ams-base-policies.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..2630000b5ff6c4d1586ce785d8930a8213c69431
GIT binary patch
literal 96905
zq~IORXf6(mZWjBUm}rD@=KKyqH7N#IW8js|`kb1%Z75S|9t4wkHs8X2Nx<zPlbvKCMRtS5cYXcwYQpYK{Z+}Y-OG?nNdHXAG zPHzmX3ii>qGVn?(iCwBa`p)eKY$9$JXev!wAY@BwMTbqXdrqifX9I9CybBdxw^i9f z*H&FTT9nf*IcsWb<41Yo&G;Thb~-WXFdhDIzParBnuHC*bW&?~41^o7{2P}HxyZut zhO~=`<|^o-mgy)hnN>M5T6Kq~LbX&W@PurQbpFRsg}@x=TO<==H$ExSqbMRwu9om% z5kd_+V!vfA`buj+DN0H_oLw$QsaSclYbbsGyFGo1c%rr*wzI+a+(hxl|v46K?zyS31;~X&c8Hxt?IzM(`adYRG*w3*4kp zwLA1avEnHax>(6KV5}S(=5jwSdw|=F{o4DzbThHLQW+(-NNrwYD@PWMFN)J0D<(t{ zyhIa9&{0*po?v%f=;%=5mth=J)_@TEfX8Nlcuj3MyPL?l%6mkGh^C_or#BK{lB=k@ z=uvs-UOHI<7g1oo(QGYT(&O3Q@6pW#H$N%di!cHOp5()gh$i2oeRPFTY?gJgr($T4 zCxV39RUzLeAyXm55a2xw%!qS%Lw?wnYJS79QrJr}M5DYO6DOlEc}(P)r6sjs;q76m zdr^o=P(m8PV(Y|!Yc{c=n8;yDK9dXYZ#@lb(INq*U^Y6%{mE)qR!W9%ciYJh#4k^s zfXDGxkb`m^4HLWEW_w17+bfJj=4MExe9JzFT9Bbd1ep&5PzNl6wG=VI{Vo$b$ilIslVr$H(dfhU z!#XOZg3Dgq!-`7zahbWSURY5HhMK*!22KQw=(=JCWa8Q=9E7Rnr70G&8eiZT3Px(C zeA&IhQ&HT!i;uaMBD_9g8mT8vj9mWM7Beb6jc$jG3XPc(#AYDO9#f$;t69z(?Ui(c zc$kq{hs+Hn>W^;rhf{osiFG65epsaj4-e z(X%2nbG`&FeH}=KmDDPg)=sckJh)R9?!enhW!kQ3RLi+Gf~PPUVPgcA%qs%$EEff( zTU99M1`%TRLp8FbzU>SC%Jr`mt)Kasu6~PRud95?+X)m6NovM;5)@5|@+(hZ_?3J9 zDo{2Ow51>$?(*fFV4-kbO_Jwk*SqUdltpPcUaIS1za4)yA&O^9f>bXamQSL&k$}aJ zrT6@BHz&^}nN$wQ^P5(bQ@&FAqr1$@E1#{G>hQfJZyw@(tRp3ueBH4NtY9~UIYRc& z0#chQML1cnbu||7#j^OVb?lB7@P5N+wb!hmnb%aG5zn(xO&5_TAj{wI^4v?4f`slT zo-86A#lUM<2jYF4)FraIxyp*C76b0nB}=Z}yvmL{KSMqLuFs^9d}A*N0U=7anAA8| zMj|EVS#p=WlD}_s;C#xnHdeA6(xYTIT`NZ04n4~|mJxjY1)laUr%7xKNdnsH&)VIZ zgvSY!mTtK|9ZEgdSGLBLmFer1Td@__R6@+pKVhHa#s5U~Q3r2DrDufq%bL3%2i)i8 zy&$C>E1R~32o+)?2Jd==WMR>RkT23ob3n=xLeQS#FYyeCk}r*$2Za_LvUTs$>|z3dglEj;>J9g7%*g8G!^@7c zBWbQv(uqvxh-^>M1cM?W#NA3FI6~Q?=rFK*&NnC0V~yLKgleG(56UQ&?}`N_%JMH( z6pu~HY;-6lR)=#*8H=6%@a~fNAn*i?jubk&hxXKGXiRKi>jCB%Fg$c+@-z$`CUgQ* zonT-p68f=na7}jAMYCstL%aWwFeCU-0P(n2@M`6WbIV&AwOgl1bA@Ctl3T$zDN5;_ zCxnF*e&Akj?P01*-c_9-m14O=v1@!J zuWsyjP0klOnF}b^I#mAXh**vAJ4Ug}7(;Kc-)U9V!}OipXNjMoTcV`;JRsS8RGn#^ z3~c)XlH6(?kKn2J+mxPq%1B@SB#zOXu3V-4pV`+{Y(LzcwO64ew}l?11{c42e#@z4&gY2(-J?TA 
zl7>JEUhvyqk+QtdlJzl?F0jM#lY0*7nkBsZdKv2QLZq9_TSujr>_yqe*W!J~b4{P6 z)7vdT?9jks!9K_ib3_j-eU>5wC7*FUvS|JZb`)xrU3I6fDtURdJh^Fxm)jwH@6Gt@ z^vIT~o&hJuPv440o@|AXf{BV-L8KfkSkPXRmoQ_^9&xp{ufU`BrK=nVe_NGv<&BE3 zla?1VpTaLcfA`+qJG(PGJF~m@k4(ZanZPHX=RD^*=Y3vpe0i5M&0U~8 zA&a04sf&eaBc^&Sy^_jxJO&gbFAMs$T81d&N^&-Aa$Zzrx5XPXVh;D~gwWCm$gb^| zTQktrU^h47qMuif5UkQvKX*Z#yz8Z9qpg!N$?(DAnNfKk-Ja-^NHH}zM_E$dCZt`j z9V7S|qCD9P5rbVaPng7dBpYb}Aw0gtMkgSyH0e2Er8UENt{($W$2avPOuzeK0B7cm z7Rp5$A&I(xcHb3F) zuX?nRD*v2mM3=gwhcLWE$S4@I;;_w}>=Oi#XE^nQw?lYP_PiVw@r|WV>LK2??z!Li-t@`*(?$cMWI$Xop&y zdeRxv3Baz4-O940ikgkn4GuDT9?{Zhora5GOwc7In0w9WFQuUIoz!SKX@{NXf6v|! zdGyh&Hg~&5Og&A|Xpw#WO_|`EL9XJEFOJ=6CyES)zN$P~y^0NI1C965?_WfngE`#n z-Iy~uGxo-q66)LQ+j2P4e!ek{oJn{Y;hPwX&P8b>%@V?KFg$3VN>B=upW1W_k<9Lp zWJuI7(_)o}W4Eu>3n&UXFtQ}PR=J*bKSC*3tyecr)iL<#^PB5dB`R)=KTBK-T*sq+ zH=I~7OWYM;1wdxo2(%FbOA;fBrne(lLz^LXKJ+{)dchxc>4mGxf+oqy~!d|`m;6XVtRzf(;Mp^Sm|!z zs&OZ$M)*_0EdLatG@HCOXB=>g;-KK_6#Ucb@IZ~xj}E){ZxCC(iBcR$JV1W?PNJlC z{VrMX+{>%>*%!7JVXKh@_H^m~u>mSohQxnxToqTwcNGT;V{Vor_)5^Ka1uOFML+aL z8bT^QAEZF_*(%N@i*~m)pvR_vG8LRvor1HjCb59*Idwy-^k3{=5Thw95lL8TbW6GA zipNcPyZo5@Du18(aD}z4)gYrD)0(yyr6;+j{R&SO-wrftz1~t)kQTcRArs%Afa4D+ zJ}^h~=*8F(fD6y8m<%`fTT)4RR(eB0i%Vob8!SJ+X(LEv7Y$BV`|&yQLD;*pW3po? z^_715oAzX1bEFCp`Zq_Ma`Wh2x{$7R? 
z;82A^2R}FqMR{h~vSqF-6J*wr+$&XjHBIeM@JfkKt$RpUZlrfHA<$*+>+7U6Jpt)M z+PZu>@!NODEM#JZcy-ZoT;(1et%-HwR!_L%KDj{~%}JS6J2f0HUxW7@&42s$a7hsY z>khTC@b@;AVAG@fVQPOj3sPqv^(nh>?Zr8K^Y^Uus)e6;=BmHH1tKA?}cx4tN4if_@J0hW`l0FRi|c z?HeyW%DDlB>{lRP3VApO2E>;q>Nu_=*i-KL@jw?`9w{Ae$+3Jtp>LZ{sVPw|W$-w9 z-Lw)S5WeEs_WRJ2=h~_Lni$@8?5Ejhu>P)+PM)aR|G|@)%m>7O5ua|dDiM0S|v zulaC!Pzc_!et zf884Yg%i577;QVXy)cyK0omaO>k#FlOK#O(2(Fy|OjyEOoYf9~bFIs$nc~Zn$+@|A z`!ekYha3032Qa))Ac5Gdx%C5^&BE;AimSA1ZXLwYg0ZJqW@}KbRcJ6r%&)Oc(~OQ4 z$3XLuTcvw(=lAM>nn8jB8^{Rzm=JE`GPtw~%|x>4qTfLRf=0WHLB7eSY8rvx|WzFnmFrz$L&NRF!^sbd8+JT;=QfF5{t z`hLi{Nkxs`wbcHD7%zZ#}2 z=XjlZne-+jN_UWZ!}^A_o{|Q)3p|13MI9n_lOgbHFc)HWZJR)PqwP4_4{0Aon;`tb+h?IpZ#??%gz!gc{Z?4`q-_ei3 z|L&ypFwVr;&l%_Y{_D*?zGK?RD*r0Y~wbC-cN?b?vYXVKIL?yJWo>ly@p+~eTMKE=%EJr z&h@tza3Bv_c4ZZbk5%y=vhNc<(P8EC zK}|dO@v~T;jV%3SAa`k8I=dJ8Z;6Bc_W0(30u7SuL%?kv@rh+XcgbCe7t_ys3}8uS zYc=ytX|~sv?DlQ%zb0fq<~QG!>LNS#H&A`n_x|m3fFFwEz27TMJ5?j*P>u)51P|}% zv7Gn;1QraWX1vC|rh0`d9+rrLL7IE_Hf{N=*tvX9P4r=yA|=Lq)@FmL@deB?Sb21V zTo}ACp(8M(0%WCHFbI~0)Ur!lY6+OCzjL@P3$iE03#U!NEH)Hx%uMlAsfCpaDd94g zP%xF-K6Q?0! 
z{G9awW|n7|tmnd8B>@fNZ`}+@qHLhR3-&XpGfa!ja{6y=$FFL5Y-LvLly&wRSe^-Yl z=OEb|9HTH5ttJ5%gWUY}QNh-3A?hK|1=SBB;r4qSmLqIu>Skn1gr)CPF$bIcj4oy1I=8l-R zv`G=e__h8OUuG&F8s>I*3FiJ4$+9yg_dn(p%e`h>%27_yIGRn~CMJf^qnA*L=vat5 zRwCuf25Bwxl7(E%M!}%e*0yHe)YoD~Y`Pa^bQm$X{wXp2=UWl?n$*cg5m!k+&K6Yrj=5s9uClA_EHnYuBP{66%|OS9_TsH@8hf6_wG}vn&-3f`+Q>Bw zW-9nW(No^Rps=5&qv!qZteo`j@?J*&ReW_=@zF?Y=;y^_67H9H8V=6P*6G_x5|4{5 zp!B?^XPZ+OYd*rm`~#AXEoT8&K0Rp{ACllH4CTBBp(JbSg9WUJ)>uJD1a)DF`fe9_ zm`eYwcHI~2b#*UP6w_Eu>v`HoVKWtOR-%!zda0g>9;Ox_pruX#au;m&h>Jy^4E}6Wa5iwRf${H}L5@h3oy!vx27MYCo&01OlJ^skBWxyF3^IKbL z3y;ITr1h5JSBhWSOr52{fisoID*OZ}`<|7`P-okJV+fPA3RBt$0}A^{XTJw8I8`m^ zJ`UVo2`u4|hX^KbL7xC(Dwsvp5p@AghIQK2Li~ zv*~2{b_qw0{lv0z6-R&!z98Ts<=T>3k8Ht#IZI!TIf?tV9~^?A^d^bg4s<4b`9Wvs>qJzu~bBieAbx^C$x(G0%2C!EHWe zW^dl`wpPWdSfEaUzYoBl64{eSuapxPge6a)Jh-55!B zbg*~|H`BxUy|mLurp_R5PG@{RHJsf_1q;CafNLrmhFfI5iVhuM7Mwm8%MaYOovX9Y znGHT=&$;J4{k33I7lNKWG;kHkZ&2xUY!2rmpOaz(FP#ptB5cs)t1IEZ!d69@JookjdIDu z$lhiA(Tlm6jQ^%w1xhsNoCYSf(PcgDDP{#WN-=pOFJFIrG`34SI(aV4k$qaSGtMO1 z2ZgvUR7CYz4xYDoHfmCY6hv~%U%ME2wOz4(a#z~GD{bX`8r z%V9!+0y`;$VeM+B26nFG^Vl*a)T(oAP$=QD+e`zk>KeiLb0vw2LiSvITqX|)ysj@y z5spf$Fh3TxT^lSvUJMyX&t=Y?Rz?u-mPO77RnWpc)XhJwZjAZaFNGHTyw5 zS?9RSJ))-|Hgkg&lrpQEq!wu`u6sR46>gthL)laUOnLW6&Y%jEt2d3&gdYW1i1CJw zo6h~M@+bXlYq!xnLR<7Co-g!0PH(JTNozu7m4`$Q)rah$Y*SQV{U!U{2wRG9p6_tv zC{vi*_jKro4uh_h!$3%rctIkP;L>7N&H#Q!-ES~I)D%{TO1pynLg~2 z1xFyb5g$v`BY|Sr=1|kEqxjwC8 z_f_#nC2ehSbUGC*k72yGTp*+VLL!XSPT~jH;wi>2w9@W`;#h~VRnpf^H27;{am2Tz z2G-%Rw6CLVT+`yfpc$4aYeMiZAurpvb^fyAb=`*C%FpBtoN!5Lf`R9wtSnjwukT8+ z%sRWGJI%<$D7yjPw_e0q9SaRG3fw4~jGk}=Xf5g1NH=ggtGJ+?>qpOuof`Tv+(z5H zegUIW?JhHvR{E>e=y_HE?qI?fAU~8?VpPrkE*Gd%T6;+eWeLLDbSiIH&$~RBkzE*b+B~ zN^{$dUzas47$Ix+bn~&9>SAeQa)TuA6sr2bj)D*LdZg$c4Md^^#QiuY{L5Ws5L0ya z>bW6H%lc^kNA6PASCrlS~*Xag|xQqI_*- zx(3pe$p>Q8OicJp)ZTt|`O3swh`zX$-vIl#615JHFoQU#XFV9&nz{MdTj#%KGo+jQ zczHW)L@1?EvEPd$iL%XZ3t9B8gXfFBnE$gTd!{usc4?lsX09yXr_TSUia}#$p!EGI zo4PLzJCE=$A}#ML7M_+=+(pIh90igLz3f*&Z6h8Ny4{6qH0_BIuRW6CEb`9UWNT>o 
z&`WMDH?1w^8_Yg1yQcZ1`ty@RcVO>J>Dex@B}3L6CcL6QOvK2$z!PvdyDdx5kmyXvj&P=XqfT6UMK;}uV1T+bX z5iuMou1InWS!3o}_lP;MKGYJjJR?{XdL2ZW( zaDd(l0mBG}fg?Kw7F2p%fL{+}Bmq*K4Oz#b!ATYtuv-hVu{a0)HQd*ZS?n1rXxW|2 zt>^%c(33i9;FwOX^4gPGUQOGcsQ2>K`@j@h2LmDe@%19LLAnR~skWuWu{8oaCn|Xb zyGd`L(zM|eZZlx}!l7=j3snA48gt5YwvqQU%>w-&UK>6BNsl*@98&%cyW2IOq9t;9 zR@`r}nU!^M0x)fWBr#61`scPPebY5bPKQFxWJN-g;eAEk$47sM6$M*3l}EXbtVMeb z@~?|KF)MRVOw6q^ySLcJ!8EsAzibH?#cXs0TRQK|w7OvnT(FKD$!z0}j>OR{3si9m z>2s5$XWvZjy%p92sse_9-nW@oulYEcBo?C_1ed~vsZSQ{t$$(5*y~Na<9T&2s&6lk z@#-ylO0^RK%h|Jp=5i)K@YUx0+N!bGQ0nv{$!T($vdWu%+e`Y$x-O>2{URDGzU1X! z!va^2Xz|j$9td0v3};Kp8>wYn~6#<1%wdnAgB$_SBiNlF#ern6x zX{58aCve}t{@6H{uFCFh@YpOl#z3PNXDJMQcw>YxK5StzEIGZ)u>>pt5d&e)b&Ad1 z6=_Fyjrg(tTLczvbz!v|Q}}VLNcqJQKmW!}_v{&w`rzgA+0tjV^CtI<9}*_?z=8gt z3Q`umqjON@;D*H4lJTx_^Wl4g=f|LmDm7JGlTLn5kzURAs*;BAXMp#=b+digU+ zz){$P&9SjriJZ{*J+eW9=i{=%KlJf5*|!ZCA2NM1JGL4!?OOjb2!4tdtO5(<(f}F~ zNJ91Ex>di+_rVH2(`|<*<(rE%d^p2D2VNJ5P8b5sYNsxIOGHdvv3Ah+n%X8f6_UM? zJ?*jKo{hRcndS?*E@b3;LNBg^$wwP#om(X|;qGAm##AKCXNQH}YFR4bz=qJgb>47e zO4X0B-Y|@qx88-V%WnSY+jH^ai@F2##qWO76;-F8gQ8o8Um>vx-U193NP1BCm8nhO zMZd>85|qv0uYl~y*Kb54oJ>9rH9Z=?uf>@6w}-HsU=7T@09Fyts;RbF0Y&L&7-FY7 zTrIcsvP@mFM|tT-V*}aanGoUUGlPMpA2mm4zlWT6I_)IWUl`8U@%!H?>P4Rm)OtIc ze}%^59j0x>5q$reu8D)A`K=M>UpiIt7t+b!pA3}-y)kNcb=~9`)@}f-WrI}N*@`|72sP=dPc%bv zBsHa?)CnW@lT2*;;}aO_H2eeoe;zu?kre_alkm+Z@(&;0vutJ|n6WWhxY2_WK=u z9U(PLH3l}lOV8FtGv~NOv*^!@d*SxZq1AO_LfdvEC1&sPG=Am`c#i@s>Q{O zuSjezrN-PJ`FDHHa7MO}6@zz|-m*0J7wECL(<{cwi6RcI=JKq2D=pFCQ~ESJyF%+$ z(2u#q)1_I3T)x8*Y98}7J#W08*;rl~FTjj;i6F*3HsV~ct~RLIJNqEiH;HO}cDL*u zDC@f7Do54oSme2z8GhPiXhL6%PHY(!UVBZ;KRC7dMBkl1$B&LGSY3Dt9$v}~4?&vv z>*6p$L3Kw3Tu8HMZ*dSj)htoHfOdD`rOG3~D>aoN`a0;xOuO~{VZx-sM7su{wybD^ zWNbiZ40ba&BBQ@HFL{bpC4#mW-qCz&luoB(SO48tBrM|ns3_{5?Fh}`p9(zOoa5jy zyqfXu3bA*Y#ph-FzeQn+#Uv!Ifq}xXbdJ2okAl`Zl)lsON8o8NMX=~*mR9g^7u8D* zqvzgZdMr6UA+D4gXZ$y0m`F4d^=2G3n@^0JlIq0iLoX5Ldy|q_bJQV6ePf!4Gk1PU&+8^oEAW^0 zYlQ_6k`aP=G-pUEZK8N(m1E!XVFwHQ(O0?=OlH(toHQln{9brGXj?fz+ww8I- 
zv0x9{SL&awoI`iHmf?5#7($l#$+pcWh~^GVy1H0LX^u{(?F74Lb-LVOP*aS_>w!Hg z{BKls&F}3HPZp#*3-F6D7U;x^qi_af*hMmDSHnE^>BLU3ze>5qu&bw)ep`#02;U2P zk%xw~8kEuc#_1N{+!W-H{6L@o?{*c-BXpthG{z6EovgK{H7h1Bsr7!$CVLJa)~?C7 z_j^0??WDu9O|Fl?_R@S0qE?LL^dwZY$aTxH8HSySA!$(G?+-Yj1OK(QceIrd)xUIVt@UcwKvEY-+9*Vud_PJDmy!~I`9n?=(@{Shth{~ z`}hIUd$+n2TM@LCeT~HtGau5qq6#dJ=;|)2T6eqAO?;S?{i@c~;}DicJ1m(632-j@ zND<@AQ<4c(E-U-LgZ+_gC#_~`HZ=WLb}N9aG;AX(c)ZP7ntxmvv`;@*iCp2 zBafs4%j3Q8@TyqxuBOK_yh$H_ zt%67r8uw(bF9-FB<5Lp{7ysaxwH|CF`PmttD9|+^8MC~;xuGP_%Gde#i`t@{B<8+7 zb$Zdi|CTPo{yi?s@RwMWCpwfSc`DxQhwT$RGKQ$Y0E1#H!Z~4Sk?S?d3$FaNCL{U= z&8J#pW!ctK-Cae+d_4l^D+(D=NhHfjP^E6=+)>MSVnfG+Z`WMYUyGJXza(&g=XFrsCm6t1*i* zeYH+3Y5%+ZjS^kezpzY}{!qnO({2(#^Y`8!k^iYYG>lA)*JRFX?`foe>*M_@(sL0S zMbVJF9yiL1*C=22B?ZeRMYmLXj4TWti8wxlb0vT+YTOD0W?_mu6G58Oe}civ-^PR9 zEH$~UIa1$PS`Va&J}yf(FnswWX?c>QcPiEP8M+lovLmJ-)H%ODFUNvRv_P!;ov^IL zSB}N+oV1$&2Ek1>)vu1{#2nW?R=n9axgxl^#L|iGxS=h8`mZ2{*A55LM|OBufhD^@ ztJf$tf;ZM+Q;pZ*rg!V-Yk8MO7TBM5M1O#(W-C_&5K~^ts3v1%YFa*oP<>ys+I;c- z<9eyRMD@(~XQdH%`VseWXswZ_jOpEnp)kWaa{0DxqZ78bz`65(pMEcew1t0aCQDOd zA;&PGt#$=dwwhp@)X-@;28W&TRBCrofN`b#?)wC1nRkPS=-3q1_tj|f_hlyCGm-hj zwW~)MJ!JOqs=yZ{gRO!Hb(Vy!WNM#`uV(pbt_|L*#TnU!laC-cl{OQ4;T6RTll1u} zMnYr`veLWd%&u5*TkQ7C2$q=U6TV1W*+6~6^^+B)n9pMWt@(}R#|`gMM`niWjYY$v zt!BU@qUvyy%Qiwbt+s*aPdM5xtgjb0H*C*b{k~IMita&HajlRFB{WHLB*D8IE~ZV0 z$%Y*(bW3LQ-0W}8j(IZr)vzo$Zj+-Q=QEW{fxDA_Z?G16X;%kV9bHko23E=%#8R$X zS*-k;GdJ(>C^q+UUr1Q5PL*0K0ARx_XE(gORL!yX)wc%TL3>Ed(^AWFwTwgxsuelS(>#D zaob)E+|{ZzwYBgUD3SAE!KiL_bT-^&ppe?m7NeZlOKnSndKcxosaek$vO)&{f|~PA7pj_T2{# zV$gqZ@Gu-MyQ5$unrN6TP5gmjqx(^LU+ej!Uc9&6_OyU4NhQN(?`egH^>&ZFdddmP zc6xz{-5}sw$wO(n+ptM>CWXvF*AUM3cSt={qTQnj;zGE&(;WNko&<8F+xKYXINC<* zERf;x(A$9|(nmM=eVceQ7|Pc8k|Rs!^qlDN%?(HTs>H4Zvk?GvX|g$VWwIz0{Apd?u$OvB03__y7m*t+1wXQ@B${koL%RC|vO@ z6rRceOo76@04zKZh#mSntSzZ?nrtll<@DWYg5HYnYIkW4kZPr6uHy)Dsp*>lbJ>6p z%!di{s0|5?_JN0{GPHc6XPkDwv{+URD9*hdZcSrw?{{BTwQ#tE0%t`&*iyCNX|z4f z4?>^&5?#}-uePjnsVRXXJhRwD2_evob#;+4`@Z~lD%+rAet@4EnL@6ygAsO7X>FmD}KJ!YR 
z%I?*J-er$mO8tXl)s(z&2*K%bFHE2h>eq|tmYG-JQb%eX!WT0G0|cM+mzi6w{XiTU zZCo$LY*Mw6FfN`@ZhDMFSI8O)W~wjSKDf)lJVZeHWuTecc6cC_AB#6Xy#>saXT1KP z4}Hs2I{GSMNmrPY{JShb&CY@g4BL@TznKL~?-;>1Bvo2w#91gUewm_VQlRxO)3S3^ z@m|ml)wGm?U;DnxDU&K|P?%I7WqAnk^hvR0LwkAcGJKIUk;sMj;G8hC<%BuGIG77d zHdGv4TC+71hK{w5UTZ@9kAfM0N~+m>j4=w@6$HxDfK=N;APqjnVvSxLhFA0|lASDN z`5jT42HuGOZOJT}$h8_s4;Bzur_A5?$<%oLmN>5bA}cVM8QjB;ya-g`9+DRzx&@ufX_O*>yR|3bBGgQjFW;7 z=2is;3e=UmOk$NSOLbzh7Jp@J+Sm5iMd-|!>ielA& z2(bkUh zBuAd5OALiteby>=efg-BV$EipozwSm+ebDPcHOeiS#L@Cwiv^u!Bz-tHu7RP$8I1r zSymIR0#7s-Del?rG1mCwGuGhgS`M#

}YdT1jz|S+h;_X`vtdi=xL=vMn$A44&9UsE0Ii z3#UOxk$f0Raz@m&#_Ts<7R7hZa4f8cw5~a&sO7NH$1Q)(eDjHXViUuJyhy?-9<6RA z{1r@|L(2=u>C~W21s_|wb!a4vpZ>O9>!sIxhijd$RITZk6%-eh+Vtt5J8mB0l6ud> z4)~V5LboCKo1iIOWv22jg;XET3iq$1)UxRX?h%i1@M!TV{{S^~T#~^+#8+- z_K|D(AU)+^GsGo^)j>D#i{$9&`q^L@x$e4|IO1@JE4rKHh(-qT0VWQ}tO=HFHsnuH zs|tlwNut&Yl0Qeuzc(jGX0c{OrhAleas91c>l909tOqzi%q2Or(S~};8bz+9o5KHr zE!r8Dhgja5002P$S10lRzpEwx<%j)$B#!?*iTr=}`tc9Ih}z>-g0vG$ve4!WnQ_wL z+ZPcW#Z~#bD{49eI3zc&+!a>9epOiIb9>XXt3>_nd+Y!;Zq3=(o1ZkHab|KI48>`v=F- zg}J?QI2LA>BBx#^S%J}F1cD4F&(wfj+znTsBJQy*JCeD~qx4sf9MQX=Am1IfX#7j| zZ5(O#h6YtU;UEpu=jmUIZu-uX=X9DBp05ucu@2edW+@r( zz1KLZ_)ue*_kAuI-WmeY`y>-wV9P1p7h6x+evxpP6iWqA^%vA7+xiG6wbItP#c z;p!9bRXx^9Rw}v6w6qB?bgWG);viLifBwA`>x=W@dX^erAh|hA89V8_(lwOOG3G=` zttR_Ov&lC_7JmJ1M=7UWaYE|4_-@O>Iyc{Rf<2zoRG=I#q>S?~zMHo>z;>19jA780 z?Spk`M|kvuuVVUo?n{#QLW3h@9{8Zt-klWi^iIneR}_*RvF}!(RDcQ3y}@9Yv;AA= zt?;4n$1?#Qg1B}d*a>}t+c>YgzFUrW!FjJi?fKq1t0@=3&u9^$pC4+&-`srzRL{wl z>cfS^pqn*=II#2l@)7nCLNbQ));5hZlgy$nrONN^M|{)u@8-ewj4zD%$8OM!IknGt zjNFAYPuFzMymKr|J6em?V?VomLi|R(OZ=2so8FRfa)3#@ijBqCgnHE^b6LgkhOW^3 zeD6y8S>RK^s@~J=q{_pO!T93yQ9~XRVAZN)3c#8sr@YgiIKEmlfWpo)F-^vN1l8DF zAFp(;uQ9Ui3DeglAC|;F6$ZfWpd)q5@Co3<{N`dd^BFfs zc-DafytMxs7vRRl)mHj%F)Ih>RVabwzi$D4qePe@tV{>=Mb)OR9esv&=0)7%}SbeiI$Llr5nc<9#7DuC2_CK_Yg=IXy z3Zya-o1EH&GzYqRwYk})8>}A{GAMDib~C+zt_)?`io*z(tF4`@ z9(6kz5|5;FQ*h1kvkuqJE#ajC(`HP>eSb4^m}G8N&y{HY{cpF53o->Gu=J2V#UPHe zy~{1TbyBDH{GaK~FE(yXNZ+VV_?JMYL9>#?oIz)4^xNJJ$%+ z-k1_KOfUvZ%f3tq+$)H}&G=Kn8M_K<4O`=cZM_i^w=-T5Pt^~nQG+Q=kF6cf(bGQru8RUzK-Y=|-5+XsD3oF@g+>?D<6-6T%qUF+!3k+&gW354948(x=3&2jm!WpyV9 zo~EuLVhZ-i6k-cs9F|wtVRdH{NZeiKicq(0pL=$e{52gN<6*cI?41d6_U*W@uN#dD zqU80cUJZS))@OJDUnUox4pDW~WVnlpAjQ)hGNZSPjBE>E_VTdbdzynmk{k&b%4j zCWQ@{Jt{%AUQK^xG)vmx~?+9YMn`V6SEoLuKOCZ6W9oxi8NcNr*8(qah| zg1x7bjNBy6Bq0Q>krS=?F84=HFEvOe7)S^1<9EwHuB&G=juC%J@U4X4>+5^JxPuZr z9>#4fL3|n8>Nr~YL~`69DJ2kyq;0pAmET?u5q8~<3S;8n$Ie1<(2})6`l$BJTjwDB zB4Q;I?{;}!SpY-A1Pov)Qmh^uxijNWH~Y?fu2!w-oQ$z1styumf{_Mq7xr}zO;BP> 
zOxALmdmi49VO#g74~#`Rcu?rPeUCs`O`TQ6G8%da*w5LQjIrnTcR1bfeJ_^vAp3HU zMM9J1IeyaRpQ@XwGm2ZyBg;;8n*L>ulubdo3us`>ZiH5Fl;!3NFnf01To=uLSAL-V?%@G?KhAH~hxDcT~6~|0mFr?$RlR3NG1-)(e+zqCG{A2tjW&Oxe z%wE8Wr2-eg=K6lb{2*6{ekxMVgx>a5+PZvBSgA!-gmFfTae$X+gXPEepC5R!3cPjkkHnCZW8(WPQJg?S|_ z#>`n}+aWC2K^Ed}w#VTcMb-Sm&d#kL%jqH?Mo8maE<3O?FC28U0e`(NSbQP+*7B}n z(qqAp-9_Z{oQV^ytvy5{SLs|=%OKT**HFof!B95i(zi?@4C5( zWD^jdjWi>|x8y<6Z5YGO1-Ut>NfV&oyn?lMH?^sP_M`iG@$~yE8t|F_E~(I{HFj}x z-32Q6NbUTb;z>`je_?#l$ZINFa!nsN!A|B&~#PVZ02TvH^u~BFdq_4I+v^Uv+T=A?-0tj zHFNkQ`<6E^DP;DXdEG1$?StxD+()-{69D^Uc7MlDTf*GIRv-oR=GcZhw!5lA_Yysv zj1@mKBrmVN%eiDIMDyGh5~A@?g1ASELCn%K2aA**3OtG0jfvxJpzsN*`TAhriQnEl zo96ejxpF*+3{HEO0D5poz%%ZJf4(fz-S2yzphzDyetlk)Eby|IN*8AF5nlTDRr!4TPk+` z{=Ep0KE}7*(=ZPy;LSkqBDKc1EBZ*tLD0L1mT9r;I&&9hdsPnO&?bBJP6B}bgnc}C ztLYxtEw>00hm*u{BZ)5u!s()h0?+QC;<#nj`F$t4BhJ5}&LR}aZE~icevKLUs)<(7 zj&g>r!3@bsAnw-?C1BOXZUE@B);@mU@m>S*i@}-~7dowt85Ykwz-hs`+S+?eJ4vru zG6N6M4YoAj!k2*1?RF~(U^sNYwIbbVAe65gqW!~6UKiT5QrK`eq>(*URhlV<$dYd3 zd;0S1M1T8vnDBo2j^b!D`+dltgKoVx;4|}7w=bf*Et*1!E8o~d~jV{w*sVBrTeK{&tok6 ziUpbpOtM>df78wFEyto)%Y&H3->Sb4Oi7zP4?hTh47|>bBJcEo3@bu;0Q15-pqMcf z0*R}x6@$bEuC^Rxy1-eWN7|yBai-6`R%wUxY!+Va$Bqy6E><09@`r{$GyiOTgMdzp zZf)j0n$kifv!L>j2VW401AsMPYTugOBWQ*j)nefjtZ;)zm`d=_r~o@zO@pBsM=vec z!?;y2FFX}Pc{P9)0;E>5J@~&mBr@Qsk3Hy}G8Yz7ukY=&v!*mt;UXOb*LXBc6-{+|N|E{)4F9H-1iaLd(MeVTWe3tb z!@c8=SIfd9OI;5k$2NouN^OcJnPphrdfPCf0LRNFoBblq9@OLP#Ce*I$47> zgV%ikOV?qfVTjDS)IVHHVuYy0qOMy@b^6ZOWK!CgMRsBK!t8xI*$|R78q`=J%G8Ra z>6b0jqRvG1ReG|~Aj*>AK_Uw~w~!lGT6>`1$mQ-Kz4vG|s6)g`lEp=m{5Hh0o8dqCAyziUq+BwBS<#%Jh{ zNXlC*{zC3QI9mEU@x68VknJ3xYa%`suXsOTLwkTGq-CfG7z_=pdz5O>;SqnD=1sg7 zHkeCDd#&`~+c2ZqQ~}{#b9v7l^bBLUMdr|kD2xN!z1#i_<6K?MY=N4yrEKX_=VJA* zcvdoe)EO^zrQF60Q(tF26V}qJyrIQ&BNjfouv0__p$3qW13gJ02eI2dG1<)Qh`Q*2 zq9PA^OwL(XhO%!N_=0CumD40qnkyt7bpH!t7&U>U8M2F$NyV_S5Y-A|nU7=!Zuqwn zIF`<8Hf)JGzj&?$$!RUqk+em9Y#*t<`_NNv*P8mjvG<-)O}1IvFbIkYi1bcSK&1Dk zKtu&ZgosG*g3<(}2M7e|(mMh|q<2th(mO~OkQQnJ(n~@O5aN3|&&)hCb3fmD?`PKc 
z=Ur=lh%8oeU1!Ebf!a^uq`ZRAvIJEu`_J*@ z1gU~BpsJHILlNams&AxCoOr99^)Fqy&) z%6x!*H+rDel11-b)`X{ExDicp4_oY`uWf4Atuu1prX79K+|qp(l)cUMNJGu^Mx$2a zt2(oYluUuKW{@4D;??R=r$*)1B|>GH`9ra$7tKxCH(GP*FX^}@>GD4kNZS_)K~y__ zK2w6OYL3A`sPt{=o=34%%qGx~A^Qh8005SzzwuqbP8*iG}F5rx@e4#sSw3TU8T zo&HlzJ~s4M5u{HyOH9Y`^jMGKQH<-6f}YBEC#Tn|dlQgb`X~<-WNT3e(VN!5Xr*la zZEn810vYJ9iivrjrqC^leisRo;Oh>Jt{9t^?%`{AgA_D3W@eLvu6ksPv*EiX^kMwt zQNxTr3wdhJr*EK(+s9x^c$+5d3R;B7zL_uK0d^w&@%xu6YxuaX zSPNBcvk`R&UN)CbX0e^NUvurCz9QtNn3y{+umaHWE#?uZMjPeO>VuZ;0D}~`5T_+n z?k)t<9?h=(@uDhIi)Nm5KfH>6i{$!Q3fQBVFbS&ZPFbwD2Bh+ixSP?eAuECo&Si8O zC*1~bjy($)5iZYpl%>C#O1~V(^nr~i=o7bpz7BKk=bSQfM_)-};!HR{$t5kC1#^ED?a_Vv@fk)d^&vZ;Z;* zE`qLa+&L;iFR<8&ER_IhY3nTR&B0FBa@_gFx2tPHm>>7E*+F)#tX_ejB>oUf;r1iU zj<4!h^ZiKoqa0|(haF(j`5YHV3G8#5lc(UwgUu)rvs%nfL5}fyczt=QtL&?=-pjEe zDpw!vP4}`B%j-#CA%v?J^KdDPp;01|sq%2lf+@zdC?B~Yy1~I#lcHU#o|@1v;3U~D z!B%YGVk{o;$gKVfi-hmR?e$&PO(AqZt92|TYyqoExN5Sv5Y#M$b&T;rRfOHi!Lb;* zP3#=Z-IUuFd}cGAY@IMjti3|=L0YLjRzlZL9JowU#`9v5_f4W_?qO5H(U_qOha$V$ zG=&cu*7-dy4cna+f`uyBz$85+m24ZG4@*Yi%!9fEY2wYu(XiHSeZu7lN0>T_Qb4Pz zG6vGvQW>)1^YAMpxjk2Qr3yC@*;P#$BI0i6!PgT`s+Lx}g#eR1#eIK-UDRWaAong8 zaMh(E*Btz1Y}wC@&ZAn7ddh?E8l)j|7VfpNB?8wTTp%U|NS21FrdQFE;RpRKZ%^B> zpdJVQrB1`Lyyn^xT!(h@emkUZSS0TQA9xmz>>Lt>IZk2<=y8Mx0-TM4d>ve)e zt7Ps4i9uKgrse2-vY8tui$z3Gb%a&5P(ihJ9E5g(7U0&v9(z)@M)Uz5%#HiGa`6xR zm7X%a&9s{#T&;AFY1`%4+=Jfl+tk5O5)iho*15PeO3m(5fnIv9Wb$u0$N|OIN`>}sI*_Q(3bU*8DB(ujdfY|WzKVV{|IF|M?t(vi% z@sBMIhIi{o-v}Q({VeBkuRo<#(8W1$bzTyneCD(VvEyIKTV_GiTRmz(mk%kQt{FOo z2NiJvSIj~K65Z)sANcqhI}I+cbubrN*eM1i-@1xKc!*I*WGYr&YF%7uRu} zH+TmxwYXNzcL?Oj^e(Z69hzNN&Q-N`U`@1%SBb)}*Oo+m)$+gQCCkB(?NN)C3JcV$ zJA4acdDa?Tz0y+I($xe(TW>98;TDW*#>;h3$I=h*6dk>Vp*dpUKG#YVKe8E^8Zho}GvBvJv6B!?@80qqnGxs! 
zW3&+0@hYD%Nio5G^v3pzfW}AxhjESaU`aik4c65p9?*9t^fE3a`aiU|MnX}oH(qR} zgG)F}^B6(s?zFO@6QxzFt zUlVlGe6ZEL_iccROU@8p2^cCV_7_nn6+7-Khzx4j-Z%7%sOJtMq{3mxJrRry7?M6A zuP$NId21je{OC4g#!S(FV**O1mxFoPm;g}YCx8eY`9iHq{b5BTY2&|V%$fBJ37rnNUx zSsAFnR*0KRd^x@^?;wAP-qf8v<)nqX+E1lt8*&C+Zy~J~Lsd{tgJ_`>XsfqEI_zby zrz;1BK15o^-m#7cSSa*D;4cvo;A*F^t!jW~Ve9CQLXjHRn9$UN>u)Tbxs|TnAyTyH zrSNpC&^?a^9MXNi2Q{%L$s|6J{!-psNuLq$SlxXgv=bu)1oCxD;*Z5J>D zEm!gC=n@CbC1Y%PrNiRpw=GnJbbX!ejikJ1YYbp=~({LeJ-Y6I6q-9%%ve!Gah#F2*ZkO`_iY7i0J=S|OlVF-CE@-uRhdR2}{>#Yp z<_1)I_>FUJai0lo&907{uXj|Bmde&@K^{yFZHD8!Rf*9)D#pdxqkUO>?o0+tLa1z6 z%4&jhZEB7g4X-CNChz#Xqw}ZN{63R!e$C?oF&9wL2yc6gXGD=V2~R%!F7LcF)AZm$ zM5jv|DudfZI>Um0C)x|&%XQ_eRWNBwA2d(zW_L%@o^)=4hF!JZ*wkY%^f( zs`#@#$Wh$_BC{AX(+45K-@x{SyW2y;;54uC;3W+swXZ&u*V-pE80HsNJ8pl~v4gC;cfD(g7|4k(gCH-Dd)? z-w43P3Pyp*H(6=}8$D6$hk-@DY20ZHw940=(%fg*1g#9--k+)2nisd#>iz64mlhq@ zgfFW<{4QYqp5KvgXdBtB2lMLui#fwtME**H$3ZdAN0y5mqNi(Fsu%r@k0@qD@RGI|(;gWk{9e5_YpHs)Dk z1S(>lJ&|k(WFyHO-=_ldV;1vSL^}G7SlJ)6Wy)j8-U&&PYq)mS__2=$qoFTvg@I4i z<=<7Eqv<`R$GO8%e%yo^WKAV@(il#G>)x0_9kg63m$xn$ewlA%JV^O1Bfup434KN< ze6LUSIk&mLi;CMGoAFHJ>*QL`%7a?pNw+&6lmY`Z#Tz_EoGOZrK0AtwQZ?PSn3SX6 zn+IIoiwq+$J`@$Pt@GLfwc;&kr7@&>+* zTs(;{j6cYkOq8gW*Nm+kNE2q-4b;?FuU#D>e-O8sjxS z9D-LzSsR7a+6%eN1N=WvFT3w8$ICp33svPj#Tw}Kf0n#4tV=1f>9~S>Jxpl`OUzH7 zwT@|d1t!6(Ri`OHIwmd_P%tmOd-}8fgQcTu;0Jf+3dCW{)G9!y1Apg)7759`ZF?|- zrSLrRR9lg^2}}mc2NU)J6wU7+&>tSsFHN+L7M_$@&)E#u^+7wtTa`y6&-3I2WHns7 zDpYIwEmy(Qh@;(FTugCo2+X2j-iCv}CQ*qqek8{~AvQgo=YjMr#(7Be>*`wHo(Qtw z=sAFjY(S)QJ=WayGGRJTYHE*Smep5@?n{Vns5~NFB@Wx|0b0_wDF8j|8e}APQ<&%Zm z=d(pKNG->0-U4}${zCq`ry2q>qD;SzxbXMe!N1)S{{H_NBheC@sS0Y1te_U1wiZb8O-=`y9RCR2y_fB6cc>lD|L|nDe!5v zs2#QBFrRJQ_O$#!-GxWvOt(qoUo}SwOZ;%ly>@wdoWD|6Eq<-7p~?#s1h;eobR%x8 z06KI3HzG0CUz<3ksJD{obK5+#x!!X*m7RGymO6mVg{;}vFJZt;>yZ_ESW#m7cnVYA zC$u=fLST&LLYi|d@edZ6qPA~EMwBJd*}p%h`o1~)eb?WA^_K-BsTLU$&eULXDed*! 
z^F>a%CMHVGF3HbsN+COLe!Jnjw%9$8^M;5vI{Q;~%T#~sDWVg86U_`ne8UuJ z|FC1K{rEE)MAKs4LI%?r_q#c7=Q+=%*32_AWwZgdt`7%)K939}pFs#Fy)NYSdh=+F zpAtg2ay z%Xb~p@mCs&9*J(j_ThlM?Rez?AP*61)w``~zE#-N} zA>cGes#!PN*Au-M>ld_t$vaYOMWjr`Ui<4DlZSjlhuP=jkVd{GNGQt|BXVgDFE+yc z-7PoXCepPPE2vy>LDZnVur+~q6NuY42>I#On`ouK(G|H(_kQ;`uJ{AGon|&q=2C^h8+gS!f zve3-sFh*1;CNJK2m^^o)^sK*+^j@m#+~aa^NS%)p?iM`IE#@**=E(?NeQEo`FQV3d zPX^HGCy0_ie9u0C#_;zhsRL2P8*v|xP z5S7PmgX(Rjpda{qlIJSuou%y*8L>eh$7AN%XAlw6a+kdEXg{o@Yo9T^O;(Xv19Jf| z!QR>i9kz7p3=K|{UpDQzUEV!hu-R*wU|`Gm${81_*IZJ_u1wrI%ylciL}>S`&+Tb} z*HAmZcEejqSkv7uZ*ZjFO`Q9oJ+4|oPkppH%b~z-k}tAf@`d=cZw^#d*&@zgwg75* z#P}UXg?+r#nFb0caIPgYp5|=I__2MNfHg5}te?bXvIqCo{Y)4@LYR8!x3@VDbG%pO za*(|{9aC*?@>D1%JndvVoJ{_8eSTmCbaV_-n}$Y@J-id73i;yIap|^vg>0~}!Gpdw zqgXz95kR8PzXN!C1_*f@11eOd5`A~@rUnhA;jwPSHqwnoRPaUGZA(ke){Z_a&T9e- zc;G+)Hh@3FplOOle}4%{6%CaRf{W&FWy;+02EddKb@BaVYc(&6xHu;x6O$ zE*dyBPk4#~vdQtcR#aP|IAkjQ$;<1-$W&Nz>j5tKqdI%L1F-V%s~f@3;>E4HbLroeP;pbaGw9r(GJt z1m~9zD?~=&ix~`Je!b!_(I%|IY^|vMvrVL5t-~wMJi zz39a{*9I?z5TaH2W&jqFc1VN2v_v$6OmQ0y+Q!(V?YzO&u+>r3)St-r53irxbiA*6 zZ6FmKiLg5z{;NGH(<`h`IJEPPdEe*@JmIh&_wG#D)>N(;>yhGEuUO_(taJn-@31dP z3f56>u)A{G_NMIWKvc9iG24qO1V$sj27@29otOPOCa?2y$!C~lEp5Q?S^fH`aWIt= zH`NW=TO$GL!q7z`rPBoHu+B$WvcjBA`n#dyMMsKy^?;XX52=9qZ66{yj5p?mCtyYe z&=UO#glhEd9YR+eeUPN;x~%8gx5h0Bgr~PEBvKE^oF*Eig5+D z&ci6*7le*ZkX5aA-2x<2R`Vs3fCtY^^_zQ46{BM}k8h^+a7DuTi=nAq8`gr7hTl7I zFH7tUcRQLc9P5v1t4xSUo_SSN9Xj+|+z4uzITZwtgz7+;kUy}}C zYJ+$&)lER|CxF9C9$*|g^}IDhOE;<2@@F)tPE+=>1H>P@6V)gvkxq`z|CdRke_AA4 z;Wp&9Bs5I+dq;eLtM()4cr!~s9IZFv?)yT+xx9J&dQ)w^SJ1Qy_3KuPRyW5x%lrCc z@HX*A)X0ZaF6!#)&7_i z5=S*2HEu+}upXqk?L;u`K=&lA^laxYVYFqotX>|9q`)1CU>)3_FcE$>^syFkL9;!3ZQ7ivy*E2jtDu-R9$+~ zJww_TtZO2d6L#5ZHeBNR-h>jh@rmWDMdz+J^Gv`LO`#GU>bG`jp=Vl_D4&YUDo*a? 
zUKg8!HW;n!IIoua!wQ&sc>*U#`%npX#hS=6ar7{)ZRi4b6z}m0WsiJCaB(W zSY{j8r8Rm=drKe);pfB7C2llcOFKqryFTJ|Ex`H$cbWh z0f;)~5voxh4eGvjo5s-&_tE6B^53}Qvbg$}u0G`|*JRD}W&De4KxIg8P-5`zd#L3S z2q|)O`G>F~F^+Mu_N|-HYxCHl6Fm;3kI7FzkFqGj**`V9Tm7XK^vdPi#z^D^ad9fn$*N0aMIU8X z;|66+9eCb6=d1^T?Lin#5Q#BVrp;S1stDK7p29(ziC)qeKX7>Zpr~P%!!A}k7Uxu5?c z3il;2K|_wn-^qh>?e=>7UPOLYN$A}>St~ep+V^NvDA^nadL_FcSO|2s2)1VCjZEer zQ(c#G7`QU%n1!s^a*HxI{8E{jSL(!m@E8Ua_4s9$Xs_WO$mAuh(uq}%qZk094Z(!S zw0*Uj#*xa!7HR`rZF`zuj`<7els6^aTyoFZuf}AN`qAglQ35#jY{@YX&_P?1Ss167 z9pq|9g5a3p!q&~pIZvf!-a}`nTvYDHdNG4dag1okK&*sn_}Rm8At`dN92ye3w_)1d z&g-!%-c}rTZ{B|!H~une?>^3o1(Bo0*Uw+XyLM>q(9^)a=^cK z4{CPw@jOcsNXv)a^KqhqIw_BUo{Zt;q)Ku3wG%|z12#@+*|Q6HM9by zm735%k#_jzef^Z}*%SE>FJG0{R_?FCR3xrEpr(ghPf#ncu0fpq=c$s6w5wB zA9RmGwIPAs(wUN&QodaBD$Lvuu^?z)uNWhB-HHEQ>CA=@m;PNGk7IQyRIlg789HNd zGQ82c!d8(-!}j2E=#zQ}5G zZ9}+Ifo?^8!`f-45ei>_thH`$GPBbZljhiBe)rt76HM>!3+awC*)XGn-LOZcztdLT ziyzW=SPtF^IO&0U#MY+lZFkGCt<=@Q7gLeHhyrs*oCqNNv-Gw!B<|U8yW!6 zp;zSkoz73<A2ft5dSI8rPR(373W?)h9KY z+)Mmo!_yb6NbwyDY4V5M?3*WJ(Z26h3aYgmtLAts9c;!7rKg|uiqgbz8QNFY9GQUP z_Ncne07(B1=o^E(zawvf6;Ycwq@pmIH!v3J33T{5R&g^UWHNei#Rl~?>Yh&GN#NVP zYf7Ino`fq2#W3=5MOxD}GwO$)V9JBDL6)iZD#So)wqQrhTytcJXJS{8N? 
zU>9rQ%yVY;cc@~>Vh)=$mo)Dq&o?j86h@io&KbSwmIHDp$9f{Ydd@xC}IH8Njmv)cbW$ zB$ra1A2}m39#rrf|u*PT&<7gPk{trg$q8NuZ1a6ZoV?)gGzb2E?1pTQ*tB6A}ILe0sBYl-sJ zD$3=5f;y=btFGj*Gx@oXK@@u0#e!aD>rQ(Mtd}JZ&XtF9?+G@$xPEYVJZn;r8e4{C zf$+3}otebrc(F44U0e=tV53IvUye)JY%_c4vziH^?ZnGJuQ!HUBwqKLUm~Soqj`w~ zoN3a|DqL3yUZWl>60uX!(-}psHkv24{<%Xcsms4_&XMx-ac_uN*vP%URWhy(gdEx3 zl>MAx?Z77Z9eahIBK~mGz0H?CrbkWXTN4@eHdHtJXN?U<4jO9hk*hrml<>u*F_;w2 z1l`0i*=b5*0_nsW&aj60u}|m4hA_^rE0pvB@xA?P;s)KL#82~^jE+F(F$qV~7>4Sc z{F<~5`?RXG5@mbKb40-u<8w29pg5f$EyRQ^vsFH%tcIZkDeS)OELgkF9dzlz9QasuHHPq#)2{Xf(fp3@%65 zWmu)Q$8=0$DsEIIP48+K@W($5Xz<~w%aQDLBJbrYb^a(g&_jH0L+zjfFkY_|9GxP7 z+~r?HtoGk~9g%)9PR?`=jvE`#>$_?0%UFElpHVV4U-e|F#0DOfVO6(@u^_^A5h5GI zS?|}LFNU9uQ+G8`_UVf!vwZ}Kb-$5QOxgi`L2UKp68bZVQ=U}Sr#~B);!_?fDjd)} z>wR-i_JAnUJ6=rzy7v-XrWaF*RJgr2`CVt4+T$6(Zc<=&I0nWr13|N& zAWY&Wq28K60tU2XNweYURr%@zI)jVTsstLKCLpT?ckLGu-X##70fT>+`Rns^Gs@E@ zOYax9ZfF>rQAWCKP<&}6_Tp8&BApzv-fsRc+0nEFMO*@9aKN~gdm zR?t3Bp3DwjQh8hS7RXc6Y}w3*F9HL`_JL7+ljm;3_)BntoDmQTjEXq{Ab2zan?s=f z{EJ8djvXUN+OWL;r=kDnb^lq+|A-23hW~RA{&Nuia}fS>5dI%CuOApY5fl~Opv$vs zioBz4l=hDrfDU;Mt~NklD$bKs?cU|c+ufz z`dWL(Ch{x)W)cjR8*ojaw~-68*+$@;REd(=2A@5$y_0K~zP*Y~aENhPzHJ_QaxL`x zqFEZ?p=NK z(Z7{%CexSy)B8xjD^ekaX}&ykKzZl)E;Q6g*3O{(+Vg_4pDG@DK0YxIlP4f1y9+A{ z+?%7+h2Kvd|FvqXb_;7VpP)LGZd?E0b(@DiBKs3>_3?;1 zv%!l@O6gYCVg)t09kJhLR8weg_foWdD&VMYpxWlepw*qZa1D^q)xEyQ<)usqOvhW^ zETi(8^J6iyE#H<(P&?uYRhVkpUqlo!8Q}l>y01fUfZIUj*G1oh=RsO0h*xr15X_sP zn>~4Y0Hbz1&hh&d#%>nZ8$<#0t;^2wDwkZu;`v)94B(P}%P+ptUO(ypf`qNFV5`4~ zu60kq*U(^FFkTS2n+wbNgV>p_Q*Fm!nl}I@&`;3(iIr6!6^o!N+!Q1^q6iPUd;^%Yd)6u!LAAYZ_o4ojdHD+-`p?RRbL8NKR z3-Tux*LwwV=8NYYcdKct!BQk3yXTGLx#jc`A5~6pmQyS!_hB4A_$?}UQlsjJh;^KS zgMZX#$#6|=CsN;est0if!x2mLp3lGlGY3~CC5pqzR8zF=`It|B*)b4eqHt}&Y&lpH zqPdO|fMCa93oiWk+V}i}%+r^kVvsH9mTs==nAMJL&A#~!s|T(;3B;Dn_th2AI`3YP zkuhoO>{d}BbI>H!oh*JCs5N%cuw!iJ+4wg~|DLPQDFW)amz@pZ<@AP4vU1)J2*mS^ zpd;5eJuhyL*!$TP{~~g68YVF3aA^U7j5j80pUE13%eYOtnFd(9T{0dCr9*w{x$X5sVAORrl*C* 
zv7iaN+d2I)en)m;E6vLEh2b}%+2=L0G%jk(F83BEKSA{fS0*uIO4VPCwr{wf9GuTT zsgD!i5`m6Xl=>X5Ng+N7pvkU3(X=Y-pVgK}}8{!Ov~qx=J-?r>Z9qV^Z> z^@8-thj_nz!c|tF3|~6#l_Dd~dvtk2=02-WLpongqml%7pd1n35~-`f5&R3JvjQoi z8NP}}yt`QHGGw|6`LfR}g5uB88c(N=w2q{qdP?aV^ARsM1{26H%S^FHRx0U$j6k50DJKfK}}%~1|hyFfDk zHyljmX0>;8wXK}m&P;<}*}v!6>SRUdli_*p0F=|Izli*Y0gDH8Z~PO(82M;t4sX}4 zI9*5JD1JNp34rSk+)n-7-PZ#$u`dHA0&w1Ue-W8xBRaMsk_2wuwY(HXqRseEetzOV zJ*fP>zbx0K7$M(_cW;;^w)}%%uc62{Iebp?*C2!$5Sw_)#k_X=3;CB)Kki9(rGcqi;>fmFY;*E&=&q7wUg=nf$-`qwfcvGTUB{R^2OSUC(89TfA{1?%U`#%9BQ} z=k-CEA)jRC&#|)GciXD)(If`v$v}7Ez^CyW`|aM(CuusrGfwq~O__geBNDz#L98!y zb_vGmW5$i6QWmq4UYG~ML(L_VHl;6vvyTJL;x?b5UTk8yrT%-lW!k;K*Lq(_O(Lovk!Ido^I9CN;KJH1crml^ zMdLz>e`ZRTsGsev*J^)*@t$1-8i^|ay+6zX+|CS~T4`GlcdOp7_sg}d7MA6l-Ga%A zKkR8Yv=A*Wrb1k$Tc&XAxzt1xJ|X*8u_crI`^bbVv42m(4Z5`UqlxON$I*ZH+JZXj)QsleNj*Dizq3RfB$cqF?Jq0 zEraBm>(OFrH&|H}f+@VDjC5nWEF`X7HgwkWxLJC_xpFFy>5evwI?c>Nt8eqRWr83y zv$jslrgL*W1j9>gYU=aGmd+iz2JU<1DsFQ}L(aPE5n%wzlr#%6z5Jt54J~w^Qb1*t zQ-;w~BH;@+NK=j5pQ!gY*Op%1*5U@gWY)m$%chx`9DK~hJ3A>8{1eU^rbq*!)AAl5 z=txeE9(p5Bw)g;X`T}=eltK-;2ZzrxY%n-B=du^>XQ9$Ht8eV_mtLs<_9+tDjkK6Jgg&< zu?*xO6BK5umajbdF(D)|Moh@Y6_@MZyknr5hl=z(x*F)ppIZ%=gTwjm$49_w3DE1? z`0jkwH6!-*eQkm=Q2qbj*9Z^^Fam&_i*S?$%aob4Ea+c8_dm>_3dq0^qMM26?>BnjB|f9H`uOw7UX4e09aw^m zjd=J{nbsiWgmH;rarjylPk{dhXK(+9^@iZ|5e%XDZ+;|zO6%MFMU<2@0tKT(L;P;o zd3U9R;+3=PQ!+W~&#o0+Lcr+<(j2-amWK*EyK$@bK$5Uy;0MciAI}1BU-K5wK2^yJ z@aoxF$_X3Qzb+J@F#&0vJiq+kFREUkN-qFEzQbl^Jtk?2*aJ4PV`D1j1P|;l%C3@V54e&k5_@I;llJFLfFSvSAT(wj3PI1 zn9Vc$;9nQF<^R68&GJuGZa0CK&0HV{@Il57bjsXO1hjB>5!?Z+xp~8N<@&Ja727zb)JTpIIf^cdr*;;dJp%Yl+MJ z=xg(D?n-g4_s^v6GKBzBWYc+-t>i>Me`>Z0w}7}cCrv3a7n$vWWW|4v{TI<+6hh>m z+Z4s)y+59!Kck{XrTRs#8%iEAdenXrthf?CuMcwQS@_lez`D`OtgH72-qpMe>^{b(GPe3lz!M2u5J)gButF@ z^y@oTLRxT!O5|Chz? 
zT+=g}guB7NE&t)b0Cp1oj~2YV8$xZ1vH!mA1h=Wr7@%^c&q{r`*BM#7$8YVdV|`Db z;zA#lmY(b6)Z*FGS;i?qZwF+VY@3_|W{1n)EX<6-wdbw;-+>3;9}IKD$_*-c&*G!g zro5l$UAcPFdvk`QwkS0cwac)i*^fV6h`YVfLF-K)|DvuZ4Daj$@W7c14eH7P=-d9m zApJpeV77OkH>#qA!0jyT^F<|Q)9YytK^h8!bF=*v4A{c{zsTGLHQozBi*t#9y|z4} zk8i2{y(~*DC=2{Q!H0z35|#~K{yVZMUr-w_a~~9+-|It@H{AW24CM_`;?`E_;NR#7 z$Tbg;RVa43ca)83sso<{Z`L*Q?`A&{6bAnnATYI-dE*n7r>b)O zc%t@uhkWv=niGHDJ3+^1k9wcod+Gj?tB^DBTST3x9X|@aM{9dTn6bBiBKh2LH-Uq`;@SM0Vn^x9MwqVrgX~WB*S+T zBMn#U+Tn0HolN!)fv+TSao>iubiW?bofMTV0^)Env;x?#-}nlECBdQpjAwyMdvm-Y zJAl!}ei6C;1@#KFtQ!l(Y=bci+SnPW=}ZrS{44gR=0sVZYT1m`#y|ljb&%ruB1Vsy zBN3e=us5bT-?H*>{YO;dW;GmOIg10~1;PIWLbZV1r21!Um9#(-ckiS!+If;*{yTt6 z(*&j9e*wpT8d%}LNu0kQpem*CcNqCsv+?It^sN7#w=-oTj-h+_e}pQ(5&EAVMCT&H z?n>LH@?SN*ncm;G@DC^W572u2&`1AJztnK$Vq>Os@@7|H_8fZuBHI7oAfU>(+sbTz$L#-$A)SWn{d@4^@ULV2-{a#STK}FU(E8h&|F66u zU*&%jU;Y0%!OOT{tPOnN-CvzHgC|b!%;;Xn4tfHIr$f6n(6uKYSFW~WG|gZyYsq`Q zPUjO{y(Sqc@jOox2qgdxAcQikCh51L$ipn46*I6h9VLb9gZx`@WjhWlkzERjn;jke z99lmP$tp;#u0tM{`h@Sr5UoBwFNQf;I!YVP*?21!-Mkj%%v~P@1P-;?OUVzEOv}Z+ zG4?6cnqnC_)d^>(u;_t{UOM?F#~KAIlg}RC&i;INVBz{ zHTL-G^RxE&Bt=aA4aSez!E3)+hX3o|wfOMcrTs>iRg{YBzXLZ_uM5r-bn9Q0*nNBX zDfQl}ZI=%C9n*^hw^u3FCmaT6+#p;RBm{B9zm7OnrH3s5Nz4m`NwcYJF>~It%aab8 z1wR90cweV`9?h(rJjj%Y##Q8kt%?}H(>bjZukU>wm9#ezUZ=Xm8eubWC5Nk0@N<3K z3{!ayTD2pC7JVEj1-b@}(5xMobTA~jI9|2H#}68Rv=|`T>aRqqH@ch}-|uRtKi!e4 zot9v-HJmo!a`KA#;isyf*0-m@DJMIAG_VU8_RN+uCcN{+t8}gCedRkc)1%}k=vuh= zdQ#(5Ql|?>cAvf`Q}0qUP-qtDd#UsnQI%PwMho&%xEuYM!AWDw-Qk#CvYPE?M~UJ2 z9`D0lI(QrLN0$5&dz4v38X*v+V3BQ~adQcBX7HZNk(~RTygH}ute%@yIXr9`0i0y3 ziYb5->vKUz_jh?72j}!6`OVFI-y1<&qc)LIq1+J=^OhoTZY}DR{!ht!jHX*MIprXGy+-Q z8%6SQCXSO&#!4kog~q+Uu1EH6LB_L>T)Bspjf)^)obGwxo+YmST{+ zXwP;?I0qlj(jCjcaqfaVk-EMa^AZ5%NY0G->dBde@yJd0&hz;ewbzVYpD~G^fgY@a;m_1B_3* zsc@)qj1HzY)cqk=o*KC+;F;eczVW>$j?I%e@#I@p`qdK>=WcNuZIh=T?n*2z(89cN zWftf;OH@q^_LhUnrYbHa3;GJoG@P@(H{XWT{f!teXD1)F6d{RXsd!}?l=M3$ z@t7)kAq;OD$0ba6O14cVB_=;E$Hp`8=~$^?Rl1Ll5&7E&T4fr}N6W0~EB7wXdM&Sr 
diff --git a/guides/security/assets/ams-custom-policy-filter.jpg b/guides/security/assets/ams-custom-policy-filter.jpg new file mode 100644 index 0000000000000000000000000000000000000000..9593ead7492fb78ee919740acaf64caf544530b6 GIT binary patch literal 85271

So)%PsLaYPqS4}U|L%jH_7^=o=w{O;V9WVHn4qsZ2g{e&=lRFO z5()>%Rv)+ab(XXQPjbQ1ExVS_1bH;^%Q|U(3mVlJ?26hw0OU>BaISgT`r!r0Cy3QE zT`Aex7(gfYjYm(>&am^iOa zNIN#v278Enx9#SyP+%KpBBbX@7S=#RiujZ>wqCh&?(IhcJUo5`2LMa3bTcjb%i3r) zPWfnf3^MfFX+C-Ga8bwGJ#FQ7%Tr|se--f?bTJm6ZGy&vSTz+x+PyX`WJ{Y!(|W^h z7KxU+KBUOgXSZ~INQGLm#^Ar`@{jpA*4!gJa;O^q#VgrQ6+UvJ-XKjyKCed0LNWtl z@BTDkaD&`y3LAxf*!QUAW?^q%Wr{s&K8m}+nM&LtW5yth&)iQf^JZWqIVU|T;Xn9?At{G43 zi?(GHPGBp|mEn5)ElaQO`eSCZnCqvb+9<80wKZ&IOAU#ob=$4b|CQGGuY4>f?Q-4e zlQE=>ME9HYAo0$71(LXSUt#F%FPvnnPdRSt(PWbfk)ShHDpix=*9jsS<)837izSiWC-gs6|sl4D&~?b;lIWCOky1TreD_% zwBDy~a;@AK`1*Ls;n8t9O>kWkH1Zp~-5)(;__DV~QmbIyB6W}N(G9mBQRg!Ca!lJ5 zqq6iaztiH#;6?S(7Rg_J#v5eUZ(k%}f(b@!I5+E{&$1rn)t!^lxJ!<3(Q0R0rBo{- zCuzjbqx(j;((t(A-J=KG$>TTAPHL7|&p6K24dVC}4+u94$Pw@q=`4tL~se*%3SzL%vJoqh5 ziPD*iFeBzgQ68|I+gxCU3I3sbnCYKtQmt1e2R;3kjaP{$;7?-?H7{1=ui~Zfe0X&t@aEQBjV(k{V0T>n6j_RTy-WC(2=dF zJm2=cDWl%`Xm`w^_qA>EnaI_3SRD3TJ|*}_ZL@`8IH=u0nw)lwaukzFA-<-2c&~)@ zGvf;;zj3p{rrfdZ!X+IYrCB0NG^p}!4Z#R_&)CZof93&V+DVlW2t01kYjMu-Ow$)F z&vRy%dn=#D))h)5?Clcjjp&1VknA%AvCx`$_Km}rdCI|8kL(u=2y^Dtjj#Z>EPdgM z6s4LfoSj#~sje5)CoRR548)L;<~n=w^2Gg+7P3~(<}^SIt*oZVFDc)^p;<8q8+qC!Dsa;o20 z5vtk(z-#sZfUAuXkOMV%;)}Mo`KCE2BN8Y`u~{E@!O@oL?XPK9^2O;u%<)N`Bje-C$&v`(Xnc`&OU`RVFbIl{+d)~`rBR_S_NBqKIyX>xzBL{f}uJHd>-`$1xs+3 z>=wK_l7#864SvbWN|&d0CbN!zsvMz2SqGRUQJ(9P z`2(KhW{7s})Kchn?uC@97jOG(`{zEzX4QHE6h`lyYa7=lV&b~~nL6oY)WHH7kW{=0 zgBy{ZiL!B5D#nARmy8(Pq+fnfjx4laPqC2Z34p^qKF9Z9+%)Zqq(&Og+F{`?gEX0- zg?Tk%4Duq?<_Wl6K(ZBbw#*&WNv6s@e5xe&@ua1{{}D{dl|H zXXbn4nukxnw-`Xy_)$5MS{F`f@=(g`xQ$ijWrlx!|LG8Bc=2K5=(dcr4qSRi1|Ppg z)W7UI!;#dr-TXrHNjkWuyAu|-aHblrw7^Ko!AnonMkqxyf!Ytx?7#Vae&=UFLo(~# zef^TV;m^`UTv+MYmDS+6Mf$iyTLJC(LO|Uq1<*)7+lyn5^Qd?5B|xVgsxmP%Gz;E~ zkiqPuSbUpreY@ShYf#dONKvi=GSIH1%a@Z69EW6yJ5&yqjuxTgyx-+4_LL)hcPJH{ z2Y7T`Xm{}?9$7a-gZYc2Inw*=^WJisI&SH+@>f0q2`gpl)|~yqXH@;}M##Y4`O9ZSf^Fls=#Q)cMk|In zWC_G-|Mj`zM}b#64@RYOiDd=3Mljf!j^R_%ozrY{dbEemtl9n|A7)`^bEf-d2e=2z z9o8fy0a3*Q(HO}=;agg%!c&x3!j<>ab)!nD8cxLB-O1%92qC~KlT$T0HydxJgVBBe 
zbkc14)J`(B!_Ks@L=%CR^oC^Wl(X3){>WHB=l{c^^ zt8Vn?uQ?r&^l?KezlV0GQ&cQ&To}2+5EJrgyur)DoyjbEI&)eFv3cYYG>z;2iWGn= zvKOPL zga>YIBnW8rA>rzh1U19+cME{^oisS_j&_>!F1DHPba5V4-{uc`RoEAg9W7SOo#@!m zQ3E|QhH%1%Xcx{C?9|9Pr1;QW(oQ?-EXBKRUbt#_>c{|3t|?7rpRw+5ST(I}jvDOg z*{k+E*vOI4{6nWSLk0eRlMJ_B06sM60%g-UTo=`@DW@s$rLJm3>HPET(52ezO22U; zDU+l6BBjNE=zrnbsd@n(Yw{U$v9WQWBl#4TPYFD|M-G~7vdZ~xy)d`F?GgGjBX(MS;gsFcwJNnXPeB7cF%mcI+RWUbTU~?uu z$4SScLY;^M$<0HN2$iClS+~6nzw*;7KfBB^_3jC$ePYg~)t*XWlpF=SKyVga5N=Hl zO3S9f6yhQY)RithZvM{gIt5}zlyn=!dy?0bc* z=TJ3jSN1#Lst|#6-I<2A3tlHZYKessm>$~ZZCT&<(seH9{Pu;mrT24@?Gjkw;*du& zta|~2Y)6Jc*y2NdGhVGQne#~F8xsYD$Q$hjiC(AA`}=c9ySt8h*p+ySIMvE%62IM0 zt4scd_8u=R2TD-S;sNzL=xa$VtP_)tY%lqn1LJXMY-U=JjEpaq`(va~ENwv1TjXUW z?0v4MxDhIR;b&9G|Hth<8wg=GY$=~5IX(0Ok^VHMmPp?7-fKH1A(y{n2UU0yt?p0o8AB_E63ug%sH(5RGFP1IX_Jm~oDCpU56;n%@78nk)DF~)g~bSv z+wagL)QRMTCrG@%N14wbI*yH9k;(!0S5jAjgm~g1byUhTJn708(a2k~54fvfPmXlP zft97~Ee>rrljzBD6z~%4(%LIjJ7B)Gb_j~_*aqmJT`gRbJ|%|q_c7`4bpPB;J%^U$ zraY;N-sfLDoZju&6_im<9KC8SqOvA+w1Dd?nyu8eyt7@?3qq<5?-*l9?~T1`Q@9>7 zd`yXWeSmW^Uaq2-(8^!yJ#QARnG6^k61ulh*>0e!Kx}Li<1oC@m?S9xZX=&@tW}LY zm{%_{o^XuNS?(D-`;b&B?|Al7=}qty+T=9rm`j%3>#M6*f^ zB|n(xiCxE5%Ud2DiWBU{o6m>xhyKf9PvQ# z09H0bQB689!nvJtk23Q^rugT(HXlsbKYd^p*;D1`SQTE!0i@}v-|MtnYdWYaa3eez zkTJV~IMv0Uwp&A|YWjc+c*(D<~wg2|Sw2%D{%SQ7Dx|g3{*vH~Pc$pj$ z^bWDP?4!ne*=%^~gGm<^nLa^2f4_#ZiRbkKC%z7uNDdbkCBMW$KQHNAbw(`YQ<*7P ze6w)3CeH}!D;KXy%N1zsKmK~gw=2+UM<$=QW+6g=v`dt=o2I{@JI{3o^B z!6|a+aXd|S)7l6Sm@~ndAz}NP0+jLXK+&x7XWTERa8f%iOr;g)uGA#U2tPTQ{H~uT z{u@~2<1Hw-2DYV77{aMRQXgotP&j;!4ep2N!FcDV`^BOa`OFPdJ#9`s?-%!#mx7Ta zPWq?GwP?c7h3H3ak~|H1l&K}q)+3S^_zc39DEnH3;_iu;jq*d{^b0o|VwYR8a(jlg zI50GA^UB?CZoDD3YV{emMv=~)qb~Cv#HTNeoNRRm)1s z-O}?@3*bM;I#T@h1vRG}wDRw~Ow4;doD=EuBk@Mph=OA2*6WOznXw6=t5>IRJLL3b zA~wd?(8;5eYFG;W(u)V2;2I<q#OGqmLK+t{$ONQ7(Y7Zn6pxPBH{U9 zwcB3xI80M`^EzdVQlkDV5&76t@ES#CC?W$7=quB+*?*K`?IHZ&ru z_FbI$96G=iEU{VDqz5HHHxTZmjyr@mh}*-`JI2(hWlx5(#ax 
zp%^TSx&`A)_RT8Wd6`-VXJdA!Bkp%ZTcgm&i60}9y>h!=;_H}@>PBf#NGL$Fm2!4Jr$(r-4wKirC4_4qKtwpi1X;`*8gTbJ=0XvePq@SsuTrQJ|J1?-pULBCQASa<4 zuizoMbx&NP^45AMN)E2DxY`}4Krre+f$XgjmumqZ#L{Z0yQH4oJsP= z#06I>^h)wY+6WDwcza8=Igm+*IcH1B5F{JagQ|qYse_M{Y=Bg^9G2&nVtw^ns<{g7 zBnjAqzVOi@_0p?}=bk&oS`5%#OVmL)1_#^fb^ruF(Yv*1stYN$Gaf)n&LHlzR5y(~ zjMJ{db94i5I=o@<&k5iY4;m_h>7Am_)I)hc!QIMk`JSDQ7MZcrUf0P@+eLMN-$3|l zu(%3!TXiMk$IccuVsWV^!&r?G&xWe!sO4v?a_3;5lF&p_i<8BkC%0Br=r#A$NZ-UPTsXqhNpoij=SeOvPB&i0-7l zCN0LcwG%v-@1!60MRA(fXl+e?+l>YVTep-P+1n#-P5x9|R}AECA6X0HstMEe-?p|= zpIKivzg7IxWR4rE($8{ZR>z+aOf)oNg)0!k+XqbBQ9SBM&2W7D#RYh@an;1r5kY;y z6>;hqe`MZyCm^IeU63!Vvbj15Il zEdmK(Ryer5MQ(yBmM<{?<9L|Mo0p8m_3B3SUuJEqQXkZ_WjwCZQL;j7uM021La@a9 zvg~je9`i=YD3T^l9Ezsi@cq6GYOj6SkQd!uIN$%mZo#s$AtV3VNKSv_w<~({(;|x? ziYPc9A-xEC>pcU{gj|B>d==zLZMP0Br72IS3ow#;M)dL-j=9d|i(l-lF>wWbyUlRj zcQ$A(8&#X}Q`X_)o8u2HjO|BYDkDH$2o=IqSGg;nbcvcg+$EpM)OEW$t@I<&Ry9o^ zLjI;h<{W*14rh{kW0iJkDPSv;dmUhb{X6>izv*AV7$1?1R15xcrzua(5 zEy5J5BDd7*is_k=c~?6CpS@gRamLayJ%Nc93l9^N%L()jtfbm0!&xv1~gm!p=i% zY&KrS6*-9zXNDvVvKAtK{rD8jja%rQakWh7Y>kOqG$kv6lL78}{n{^!GHl%$X(Lx=GKygLGRs{hg`}V^BtW zik1tEzm)%=I8%g{E)${4WuFsqo)@=dd+UG7>&6cgvgua$_LVt--<)45Fmfgl9NqLH zQ*i8en)A45Iuz>9XH*~8x9jS?(s^d=uJnpeyOTr02X~JfH_#+{0xb^@j-O{GqN}-N z3n(G_6S6-=68OKx113UJR~R|O_iSF8B?Z4xD|eBc{`_z7<15MK1$x@p0>`hN*DZn+ zG=YQ2g~l`8z9FMz2R0o0xuwJ;KX1haR=z1xmnOQqf7VG{@Yao+gqBERcYJmErHxn3 znJD!tTUQGPw^zJ4%aogp(90JFvuxdcZ{BYIVY-5$$WB-eQqK!qRPbJAd`E6O^=?=Q(F!UMg)z z-y8~>0Ffq8*TY_*-j8pcI_x~8yftul_Y)|K4GeJ0GxDtM4g2}?l09xxcec^opB1zG z^&rg0CpWq0ks2&_Ak?9EhLRC1;c3J5V^5 z4tx4Z!0io75J(BlXDFHT{)(xZ!L4x-8LwBH@2t{qk7|m0#3Se-Eh`YOVX|@aQA{wq+IO-w?rt=XOWlWF9&iJn zEx&II!*NxU9I0Jrg9IUL>xkHJ8H7gJM*7_x(ZtlVy@qHiCLtoZ zzhAOm=ONwf&#w|EZ%>AA?HxH;(MC|!kXWi*c5cpXVp(k7eBrpF&9?BPu$2{q3K8$t zmkB-5m6y^^MCvm?uw)A!OT@kt@0|Gt*xIimXLiValVE2f7Pl08rqSxTfX>>nnK`>V zflaveS5}Q-^U$K(@)*LHl&1{7{(Gjm3a2-@?zn{tI#PfubPi|euad&UsbJ+&OmFtW z2A49szYLi`3xIz!j}$IsSncOp3^JV$eeht?Cgjtjo#FjH$(5aWpu`-10l`d>E}6G| 
zb`rw3PP?djP!pm(F8ga+(*@&pnY(HxN7s!%?s^MiBt?L)*@ZTNs!oJ#{HoCCR z3&4R3Y?x$ZNw=5Ckzj1ztli9v!HZT)<$Zr@oms7vKpdX$N`7AP z>}46=Icqug}9!KOxW{MkYIW=Sv^4ib!z@vUG1czyYB5qH-~ym*!=yuP9Co3ReD`ck>e5HO9XNS z!|~W{D-w%7rP~*1H(Z5KB&|mMHaZ86u0Bo7G0f}eOU%8CTOG<=eO6__WAOUc3z6et z$&jEf^F}dT7g=}gmqj$K4J*(D0Z=QvXhjixrN2EL8BqkeRSONt2`J~vw~iPa4EFnk6`DfDQ_lz4KO^Ms1ZvsC@Cy(i5s~p zG_M#YWZS{XKponb6 za7W`8Z*AWohM0S?o$RwaE?4*RT@dM35bARWYlLGOC)<9S46 zDnbYyflxyc5a|R$P3S#AN`Mg0dcHl*-p@Yc8{>TAjQ2g?kNy112rDyTuDRwt@9Vzq z>*81&qRwX1@1E!zRy1KfH%s?4gCrKAyRnlQGUC(Us_Pvbbm?tvv@)=6Q-(Yqy$H0T z><45J`?ov$Zc_8$C@}GX953`H+G!q94O1)wupK#Wxv=eBzQylAc_@KM|8WzCmpw}m z&x{K(*z9XajXSf%h!I#0I(|V>t0ZU3g{E4M$nK5HTC_nbTvD-|oCh9)A8Qh4g++&? zLcX_~C^QQt=wAAedc*u$zhzF7D%s>14jr~`BHI%XZ1xm+@HyC%(S^aPJ|<%>`qCA% zfLGl->He9ybxu2X@5P?gd8oGdMtwhV&AI{0ttPm_R>3NP+}BR{OntMU6AkXI=anP7 zwwnTrpOaoD5Y$jtqZi)xlvzJeV9lddL*4%BisUgY{00!}-nIP~Je*Gd3$OXR9~7yd zm)a{vSni59X{U;gD!ady#TrH49r!Y^cf2V}Pf4|G8S}UL&=!SVz@BD(o3=1=L$>mDFaEZf+@qZ z&mId*X;Qmqt{__A7nG{t^mazXW25?tktb-@K4<98>gEfY8*jRK-ced>So01DO<_6t z7Kw(k*+lqH&kwc@)S5puLW>`ppP59llKI*L?a@cHp-;RneZqkwvF*5o@`C(PB*9K8 z$M)kHoZec9JiEbKV?d`wbJh8cY7%%pu1P3i-gHp6rqSs|%1Z=~+rD2QUy1wj?R_Jt znN)kg85U`>+LMnz_)JFG%}eeLH}4HoqM*=f#}(+pF1_H;T<1jo1QTA{3=m>syy9QOu0$ESp=<|KM2z@_t1`U zr3w!D8UcDj{%o26U%XfRbTV)grc?g92{Q;?R+PF?T9`|R>?2s?++PwRDY--;O!h^z z-ptt{ieRBIvs>-a^L*deU)}sj1{DDk>?s3zI!_+(#MWKBPaA;B(YmfYGP36bD<~8V$%x+yF)tHnW2*D`neUDS$bQ*a$Dxp{U!I+e1^9chR>M4;%pac z?Eotb3|j7(5B7{mMG(7Mka8G(A{T~&m{E`DcGQ^2_vU?L?F8(rnE5BCupQ}e zrXw_IUzc4no^klzAz%$q0q&6Do4a331Ofgvrz!H^hn03|0x^y~%7wX$DW3M%W*${oqi7P0q`WYXBv^ zJEW(&C3d&*f-DpT_^B@Cts?(#>&!jBr!?>FOmhW%kj5|y|7;Jr(8=fnKVL%Cg5GW! 
zTCHD-CB_8!@L$uE5qY89cazPg&iGr!uRdpLD2uLoJnKrxl+JmbSzR&H>gUR5GY3hQ zZ{UugctvVI??EW~wmY%GVB|3=6uNz@VHkb$by2HVz)7j^RcGJJ=`dQgfSsRT?VF?Y zJBMdsS|_PmuSsn4atMkE$@ZB3b~z~mk>^@d<8Y4Thw=z`_9DODZ~8U6-@|uHFJEP- z^>AGAgygRjtQ(n1x*Q7aBY>*9;~Jbn!&!bQ7`%=a}hp{<`Y# zUMLgVbG53{#nbFgydX^rOB%7{diCBWyW|iUyEo1+p3Mhn_bHLPa>)+~o^R*Uf_Z1G zD0alX#)Mpdz)jMfbqT5i84t@klXTvNnk0^gMOatWd5$vc3Uy{Z$4IgEM!pR0$O*SGdc1F{#kQY# z5(69?Jz(6V&4^@zAe$YzzoUucJCWkA(I2DCmWxibjS3rb9qiuc9#3ZIWBm3hsEuDUsg~AzeIZ5#UYLBkInE?OLNXy?wvNu5Jm}_%+lS&P8^|@fp0S)k}?p z&tyq$#7O9sq_hBl@pY)<9K3Uz1LhaonI&6E*3FMsZ8@0XsVE=b-mZ3e-jMDhY+cA| zYwP(Iox>|~<@06DEfH^!bN2XfM>d^~(AtbP5N*zCag?|ooyFaMi-*%1DW|*-@X~tU z>*XKdBkkzx%FE4uuI63m*I-wAuf1gUAj`5KC0OIJD78wT7ve=ZDgK*pa4}n$=cR-dF z(kVwzhTxq;l!D|Ug4M~c#C3xj_e?n(68~0&Z=ZuuaymiHXT3VeDvIf{=9}3Fk4g4R z%bl~QsEXFm13Qv)$UNEgNiocjxLJ@y2+}rsh)$fnjjpv8GU`<~8&M`iElNI3mN^J8 z@Gmt$6^a+E)rc4i3cy@X-k=SUP(F;#MdEC@4sd{Y9*U3BQZ0mHIxG|n31Iqn5fY^y zk8FD?spwg{j3^z1}TS77Ys#^8?rru;D@G@Fp0kcn^PYlELv)>fFr43Go+ zI~}f-Cz`O6pMs=2v{JswEEs<5G`t~Nd!b7VT58k*G>I88+Au{s2-gm!41g);lG4Z3%o4}Tq-g~#`AMe}IGTW3R> zIRLsW@J$*s@t?&ojr#bdW`ZrB$ zz32Ye@P{VP4&r0?f~TkoG5%K?8P)8h3CJc2Tx%c)6p}?JF=phzu67&q(T#NEeoL{t zbV`JHZVir|=d|5DyJgq=)q5R)u6FoF4s7(8H~2>&aI2W2urm@QzqG>1b(U56l^Xx+ z6g`q$Y<{{7^;sUkPbo91&h58120wf-D-pK=gO$Z++n`dXq?+&dY&5FOIP%KbDz^~(zd4uU)-<*8@y}m8e;lQ|N#52`sSPtb;GXIgWqGy%)8!@2^)^lpAy{YQ1#ri5rWj zGY_5kOR@@uLE#SY+Z}M`)q02UQWJk~GuJR$<agkNuVrzLYB8r<!R4P@JY0%N|xpWd6l3ovrA4K-0B-&q3W8&pn5 zdNl}nz7pSmxDvT3G_~6!71D50faY){ozqfODSnlnF%z$3;M3b&c2ZJ`e*w`#RnkSR z@+A2IGhfor7(4;K1OpT3wN>w9Ww&IN=?ZG9;Tu5v5m^<1)&FYh;D4-49pnU8Awp!8V~yo3hm5N?J2Egqj=r8usfwK?2qpQ*ANR`a zHiUCwE!Y$r>d1^X2^B#(FAxi`R3g$!fL%MVDO~!X-lJo>8m;2tU!Edd7avfm9n6V_%(AfUDG&U6oZlC&)%l#Wb@&)UO%Q(suUvrdzaPfmN_| zvq<_mAVm+EF}@soZPSVI%HiATxOtpu=+`F$aS8Gd)zr4^p68cUS@wado4fwd#KBMH zlEmVaj+r7Yf=>~vYF^@2k3N2{8`FCFTgimpBKKclcOKw_a2)=%aL(xOC1HX z0#?pkxG5WV@cG2qN8f8=F*CFc30w0WS=Sjz!i4ED=$Hia52&qs*n_v3Bl5UW(aop! 
zcWQM2n->WnO$-TzW;_CJk1oEqUjU{~gh%e0@SwuytD67_$4yT3tXhJ{Q>pO{nNm?# z9wF-omp2c=YT8|G2(kn?9HJvco^PY7jXW9LV?5KPs>4y1KCC+;(58mbt7+RInHjkU zj&1b&33)2IK04$kG5i9a8T?1ZT|7phJSO7GX|+jKszveAA=Cao;TUcJl7EUL$hzy z=rmOm`CuowQ})6t-A9A_v{RqVd=`||Do0#UVgn!#z$hzNg0$PjJG?i!jx-dms|~p` zu*X!krZ`Ef*y`%{_*i?2v;pgY2q!YesZa_pcTw1W@0X2%UdWv$BRY7)PIuim_FU_~ zTdBh}vK#Gz%*irH`kA${(eOTm_W4^D$ES`@>Wt-_rR=}_22jN2L9hhu`bjP9HYsWU z!}r0eeohMepby{cz-|3%Vpeg`HFC3cO%*`ZZjNMo6T7S{`XjzF;*M}n-dx~V^06yS z1*;zL@r?QMkyy|aJo*9icWeH zm3uciudgQ_%6@*-nc=olsFaC7uAn4I3ArT2&TK|4Wh7Y+U>`7{rG$?HXV&@%f{gZS z#F~}CuH=PT+{ff#*tXm|{d<=Wn>UV+1NcA_&23a^a>LivTx(MG;yg5XxGjr&q_A#G zTIfAG#b{)h$10ig1|sttk1E1c3UPb?KxKEjG7qs0&Ay;UBjU3QDqV*&cv44%+;MCMoy6EMMJn}f zpIxEyz1GL1W_j!S6EuH#I@NqE2}f7eD0DjN;S9(76H9XHj<+XO3H}?TdHQ3MSkB-ysHE`x8~U;Z|hoT9rI&gyG$%H`R~j0U(OdBdbCzVtOj7j|&W zK^*`lXSHZ8oA?eoJO_`~MV6RNyE)Zvrv z`vWA^mVN||DYOcp1XyDHQnN09$Cj4*3Z8KnkZVZo{caG_lL(n$i*s)+S~nKmKkvsJW#1kI3sL~JgpfFBQcH80Tqq^z%L?vNHA${h zha1ddyP9{m-lIx>GVj3OjArTPS+~|lkX}P+qlQFXK^%CWLbAkwai_Q2#vEjbs-a5p zQf)_m4Zhw*FwhvuO63~7HCEFnx{DJ{riTDtC7%vO#!CSwZL^p| zRp7(U?HM5QJv2OL0?G>xqn;wk6E{!7+qq0i-ApkrQ?UN;rb=?S!^|2y!au)Sr#m5V z()fV>>J@QsgP#FxrY2l$-i&C0^BkS(N4GTy8SfHR^My!uJsewv3tpf z_g}hC+}*!(Y_RoONEg;c!t6%^>}mIo6x_*D8gXm3~reH`S{%%m*HM0PeN3N(CP(+CeAuTNRFK&Omu zvj1rDh~Y-ytZ%UhWoE>R`VDT(%rEOVnS!|tfodr?$t-x_J=q6L(Qxk~eIXW+J!L%M zcm*SQ36o84Ih;y>z=PxaI^BzhcTTClaNcD3kq^XVwLT+2`$zKPzq_~m|2h8Odd<&t z0sa)y*|FII${;p!#-mZ>ZiBrnztpYB+t}@@hN!_JO{^S+x0J_y)onoX><8rQ&uJM2`QufHdWBq3RnrQy z4>YPre=-$J;cSr&hRiXX$9L|(WD-?{?Kubie4;}JpzGICrh`ShUyj`>ietJ{7U z*_mBViz=a*k?!@>*z|{^or^oZ&4|p#?lr1z!1P2A8=MI>SnHj)`hIaCH#}N(eRPCQ zl6|L5@N#iVd_hQF&38;hekFD<_R*!R?svk_Y4RE`TlH>x59=K3GO?+Y zTnvMF_W>n+a0K-l*$~fYbPLO+8)W5c+l$m#>fEw^_C12IWc`QcHD7y(7+BGhBkw%V zG!ET{-M1!fhoDvG)Rn;GJIdOQK+$G&Z{l&|NU4lW=~c9QV@ySURUE$s-jG(y$>8iB zDt{%f`0nNbwb``Zw89?2Nz86TM5X8mlT;DP>M%Z4gs;1;hn(?nPCC9SQ=vz~=!4?N zG1q6WcjO^5dUK&JXOuVTGjr8`sdwGAkrY#v>5Y5jr(;cSC3??i16hVUJ1Gz#z=2{Z 
zeE7$atw#>XdH&l*8m}=|*ueb^f#z+7zKPv@0Uu)&{NjK0nFWu+E4w=3I4%Q{e#jI> zVg$xU=z6?@p4oj%SX6=xmtJ2XJiB<>Y4+#EFG%iw^@(oO^lwBQK=fS3U_ty`)@xDf#aR7KV;1{nX^iR}M>55A!067L9^!kZ(b^k@Opn2V>64C+^ z)g+pQPYcVTsTVR(nhapR*YgW??fP_761;aUyRvKJLDL1YA|6TKfh(vzDaIqgrXzC@ zMrftQ5K@GTYiBCwXUb5E>W- zx)AeGM*t{4fTPa0GaLvK6DRxj2Ls1?AqxTbmTo-d5?x@S_t=T%QHNh_o=XedeiJM) zVY5bywIMzSkVh2jgqt@^m!x3VvSTdME?&?3Lun*M-Kp!-<>GU~n7UuUznfi~(zb7^ zqfOR5W`gMx8(>nznu=z|O_&5R$u7ydnk1U)?Q^u%d|WqACsS#g=hrXy$tK|3&zUC= zcj9MddcotC?K-L_c~!HlAyV$_aG3TX5i(J~xu zRHO^};$V{RUh6;BozHgJ->gG%qK$yxq|AMFyvUP!kPHG~&xzR%z;88oPLK~KT}AYr zUJlvSL^0HaqGn7ACi)!JYkgfxABW%xi7GWWYrCC%pDN^?aX8QwG5x%tk63T6j0boK zg7o(80#`@ma>=1^{NZjlept)2f6 zaEVXO>-cRfzoJwlfO@tLxtJgrkgLBq06?!Hdijw zR$;TLUZ;Xi#}U>Sop$l+SB@g8-#yrL;v7wXtB* zl^GZNP&wC?vn*D#Z0EL=^ueXRG%k5cuAtwbv1KA#F5AK^XE5+kuxzDvP-%uB6b`O7 zhyWQuW#zwhWlimaclIVOV{P}?Dt!9Ct9I6>;$`+d7i4FphR{k zSU~IqDW~OI0(Hj=##F^CfXm3HvM}ebHmZ@*eDu=2Zc1sUC?~t^q+gu_tGdV!yc<39U#$gt2`H?9&;W0>GHrGFW4!O2zi`a%0+ z=Yeb+SGtNG^1N;4?G8M@UG6J-6SpwLfz1Pbfv_z!w zh|h;q1xvTJRqf2$%CZwV^HA%G1Oo0(3eO{jiccYo4@vs58x*nUB6ZKDH(1pMjk=`- zV!o*hA6;B-68yH3B@e_=re1eC= zS4!X zb|4vKHLm;OB~E!^*Q+#se3@mMmhND+QG}N!AgN;Tzd|XC^Ao-$yZCSCcku`9WD9 zF!)i*)CpkvqU5=p|w z?I{w9Wn{-~q3)Oim6#e{x@VJK>SjO1vcQKcYZp;H=L4&c)r0$l_Fb9)gY}$s>_aG@ z>33TsAEpvhr=`}Hr1bKhRr%ZT2&^4$gT7!| z!4&L1$+Lkjr1w_E&_dGU@ts;@@5STr@z2>sUF9gV0{8e#uErWn1#iyUPOoeoA*%wVq~v^Uj1}+lZg+s#HSFw!-L(uq0!+`g znJdAo{1>j}lOZnYTPx4i*Yy4K-&=&zf6Hc+PkYG1 z5c{Yo5GULP!9wvRpTjpu2{Nww0d|f}H6y%6V6v?YJszjl-^&txTUu4RA?>@mS&ufB zN{1oNKP0AZ9O3@ZMEh9pg1Di_kI*E6YKX7rlZF`E=*&ck+v2b;fey?o`It@1`SZ~p z?}TSKYEmBPJV%&5v(Ra2_c~1X=xX2QTrc}5T_q(WYp4URGV;OdfWOejW;ysG% zj~0t-kH9I0?+5QPcwh>FdnG6Na( z{~Ta!6A<|SCp!ESJ%RJYKT+?$E9#Z~4=K+7IC=i%iQ9S;?z(BaZ+7yj)OVJ_+BF>& zU!8fk7Xx&-?9ps`1bvvMkLfEJL-xfY3C!^lX`5^YKdxglxG#%Qg)p zxy^4y&|?tWJEMiedxzC#A)5Ljcj8K1nH5;6k6}$T+YXAV6jntb9cKcX-4LxfMr?SK zFqFRQs5FgWFFQ%#irTXP{QR!9pwn%8t=dYr7IOe0_ zh?&QW*CJnmpKYW=zY4nOGs`mtEj`lavKkd0l+MxNANiH<9mFkaz}aGZQc^)<6ukVl 
zyQL)Fc7JVfFFQW_{1YM|LB%8ZHdtttx9MB&H`n@48u`0^?}egeraH@P^Wf?q>|eZa zbP>J`J65HzvCZq10}b&ryd=G%IaHLx)giRKSLq7Ij#SXh-xVe!ASf#?t^D1Q3wcfD zzEf1`*ksk5vOWPZ&PG6C`p?58NQLbn&Q-u>ScI%Rx6O5%V4~sPJFRbFJ88*mdjnQ3 zGS+@tB~d>{pN3fhntwkv7&xcXc^6HVZ_h9Rcuh5ojhs9`t%=Fv97EqEXigs6W*QdM z5T_|BHMrMk&z;#c=NP4wagGbZZ@TNIY0j&2Q7^({UcToX3lDi$s)d2a4t!$0FTw@7;lqy(BvYi5_$(k0R3w?j&w){~y$7ywy0E7Ty**5G>j? zziyO$9-6beiZkwL$_~(;$@M8Q{~XhIP1X2XvieQVIa-4=>4(Srp1?dlBG2Q`hl8Bf z`E5;!xFvV$ZHmd0=$v#XaeZMddH@$k4*M6wCKcrk&^W9*dGMHQHFKcc1^H@W*`VS2f z)<|1ufkUm|UYliwx0>plhU(+9!_bajDSE>m6xI1O&&Pw1;4YtaU*-CgbWZaq^g~&d z!&hOi$T#wT06ws>aH0(=l*&MUGRMRXwb?)Dvf)ZVn>F$NF7fHp6&~*SWT)9KBLG&p z{s`G{%~1SB!41*xi12LUT?i+c%Zz;Ls}_~1rk)%$@8R4jAQi8iX=Hl*EOmf;q*WWI zRoVMpNVCWBY{X+)zcG_&AXfxfx|}6iJOtZpMtATf#9!R*z~+wlOZ<12ejn=unKfA8 z7Ux5MCfKo>q?DphHGFz|EB@fTM$Pz9j2v0qzl|OdKS0rl?XYBnR=9sHVMN=Ae%>ce z^>U@B>`Y%^L_cI#-^qJ#=W|6s3Rett!*jt~wRGgyW@|cX+u`(XI%mnQu0aHP8E`vq zY6Qg?DbpV%Lx{HsvTc+Y7@t!5C@DJ4LlYrs<$dsG)oLWpyv`b_Di#b>u%(1FwGa-4>asMKk4PVBd5C<2i`=D_Ye;wuf**wFK&WA?;Vl~ zfPI8hP?z{&Myw{b6+%kHbSgq)O`03hm$nU>tK36YU47X)Zya({x>=lF=E<*veOr?i zppwnFsrsIDgi=6hFCHXBbze2uapG;jz>-Z?fuD<(KM*sUG`I0z7;?HO2%%+P$fg!R4brb{V?R64JDIE!dnp&@~Z z-gXthhA)05!;w9ScGVropJxq{CTU_SI-MRdT<-MqoEL3)X>EC_GgbS=Ei|FZlY&T* zz275cF6+eaYcaFhWascCv;I@n*Hs>!lqE|yjp-GvR7$$$=5s`j7Tqx%c7^;Nzs>Ac z4~~~HMuczZ6&7hPX7lv>J=R!h;;+O) z_8RQj_3{iHzc=1VHt*&}oRytLd)ujZK742P#lebq=L2EB=TpvbBZ}C$6IcuP6)u?` z&9<;kb5@ozO^}T-O+GBiORwH+sIZl*nl)BAQiu^pMd*D0ySvSQ^|ge6{FPRo{G2yZ zHEHw$rf^BCU2?Aag;Ph5b{}xkoQ}Kn|9ZiH^_%_`*8xHvb>76Xu-5MY6Wd@XCat-|aR9&zRh!C?q;J>etWD=+InBA&)DTK;-54_7T3KEBt z7X^tGPl4a|yy);Y;BhEk_Rj_X%)>wH;h*Q?pZ(##f1h-TeyL-s|Dk!BeQ`y+_zL8& zR{=&RgZFdZ@GZ(6=n4Q#f1ih6KhqupZ~n)1YvQMx{(95&uRm+V(ERg}e`f4ouwX1x zgC{^$ji`-GB9}SIXKXdVmyUCv^ViGDsq0Ta?%n|)Gi$HEQ1 z@T?m0B{>q)sdta!FAjPai3CZxpeMHn;VmGTRz7tlw+FlxLk)!Et92CMgEr(0;M}Eq z@P~#!m&*5WUhISe72QmJ1csAvC-hX21_dCL{eaIY=txn8vd&ZAIv?a7aqgrZ=O85D z^-_lbt`sps?*2og>rQ}BIk;vieh9LMNnG}>MUyCyz?%Z5l3gx9$-?tz^NNBXnIZJw 
zIm{8Uc9TTPZcG2^Uk-afT3mRyQ$Dkf^}oJ6(z(L{$vv%Iyw^{q%Q%J@1Fp^jSso7D zpGhhq-Hd-|Qs2}{PE4o_9vE@F)Tj9%OmpE3L2bU3f{h@$UoSFKcC{Cs_nCiPnyt6n z92`0JGBr9aI4BybcI(la&8nv6WRNnpXgBqL?JvzDAcOyHi}}0u%D*Dz`R^QqoJ6Ic zF*u1;iu3wI!{Jm&O|r)>fi`T3I)K~F{%0a2tX)PKN&TGY@K%5*lY6pIClLM!H5wjV z0vxv8sl00-R?yR04IeY(lSriPn*S;0h6^bYgt<$>l&>IO%7>FIkjpl6@J}77(P|W< zK2XJUT}#*f6~An+w=w3bGCkB$jeU^|>A8QSyCr z6*SGO0|YcHJvkMY3?9AHpJ`dX9A|t6V4cpPV&N5CkuX)_L5GG|^d6&07s}O_FoD+G zr*DvgB1HonuV&^!J6n2k?#WBO)CAOSK-7!AB$GLCq}VVLvO&4MZermmwa1`Xq za+f_W?FLIdYe}8}_grY7j|`Aqxs#SMJ#t$=18G@y*xaCRQYnTrK5y#g<>4yG zh)W3-Dsus=A=jmbVd|ZaByOLN{Psygv-P(WD85kV+0teocYdF{Zk?FVOX=U?>yJ_- z8&&d6ZQOpX<1G+Urj}J1evJzyV*uu~$wcJB_hU@RV!BPabDRD~q>ee#?06oD4p8pg z_t^Pblj>V1{cB0Phx^I?r_eXTq@P$F0oPsmse( z_B-VtP-sukXhWhRJ`}0|W&i+r0Uq1!O(}OK4p$jCM|fAjwaIH7Vok5qbqbmg^hwJf zh>zADq1Q0XYgNnai|2XturUvsYO6o^Xx-Cu{?N~%c5ARuQZn65b}-R(X2{cG2-^^t z?L=P2z|ZNhQ-^swlfJFYGQi|Z-GVO;Ef7bVt_=z$Van|l%F~vk*&h2H!l6Lsm$2N1 zn%L@S5+(Ork>oI-H}$}wpzX9Wzno=Nh>TI2<-vvijNSO$CuiaQuX3DeKGnDrCc!|X zCPFs&8WaV_`XJ7b>zTMa*tw2$s&ixGl^r8b?%s)6BYlHkVA^^WP#S9tOlB?l*m$&1 z3J;1vel`SPh&FAmNKl0{!mzqZ+9*dashBd+I<+A`ZrMeE@2 zfb8+j|KU>Xm|?+2Q+g!lLISGlE0RM(E#FvXs${WoH&AV-+m$oj66U|X#Y%61b zXk5q~&?`00zngeg+lEHAAPu0cT= zhlVd9{W0-8X7&t#=?4G?5n+xd>BE~rH2}u^TQtdU8tuqE6^LB{QTR5A!)608IntSS zEOWO&HnKW7k732q8?#*LsI52gZo#Y1pPXT`_UROu$^Mn$j&Nq}emUIPI4SV5-8oPR zDVcW{tn_+mrXfhBe!VF@JJ-il7tSm=b`zjB{r^eS`*#xoZ+~4KJ8H_-&YxnQwwcx& z=wtXHp#DCB$J*qafiN@l3id}fJ7_K{`y5q-oamva4ztJ4YUA{3h9Hlv{N=krO(FX0 zlYZyjj%j1|cN~QK6ry_qJOa#K%_eWJ)i@`oKMM$U;$V2qJ!0gJY!q0=fJs0lr?vTr zCm4vybDdp)Ik7k(5do(Hfp4If1i)gnDj-TU_|+g-AKxGaPN7*9^C;5)B;_4TTep-3J{m`F2=0dFE7V-TC%)BV#aN(*1BNNZs<% zVwxl5)GejS>HOluEnrE&4mSXv-HpFlft?~YQ`kXNdPB!!8JJZh-UK6f9t^W2S9*uP zR`>z5B*Mb|OJ2N}GSZsVab$n|_;SkmMN||;`47!`ZtAFxCMkL8?PrP@@e&d_UNU6o zni9+l=#t1JN*@*&4E=r;);e`J{`)e=?`8^{R3{Dv2uaLU>YT<>^p)a~>p;I}Lvz67 zvMOudVyjrw{_&M;9CmkL1~@1{5O-PGRH4Z3g4AxsyyG z7bs_l2QjJobt?YL`b513n6xwh)6|}Nj|5QtxX$QOGgGshAOqzIKrFY#7skU3Nt645 
zBygk;=?NarOb(O~yn(%z4w-f^@IM7y%GGuA2xV2-hri#I+Xw;z=daPd{`f!> zV6oy9@mYmL=S~gs?fmH(>#1=Y`>HrIWvJ{2ql*p2lHGL!WvxOxFw-X}Ke8M2m|6j}Z_bBvi(zZKM5&nbyMR zVz0;>Nk+A*gEQ1+T2QM=`zEC4$obic;ko;DC?!;>yM}D$>#s`Luqng5A3K}}Gxyzc zx)ZhCCh?%i#H;(6lKo~GGZ%1S@Ug$UOl39JTXCyN9aETA@CbnWMm$i+E5}`U zk|?$3hMSg=nU9gLQTrenw@mX=3KgeNLd!USO!e+m77Dh`L*}>^e7jHSp6Od9%X)JE zl>h#5v@m|bleJdK)_-QT@WP8x6qW>gW?_OiVS_sbRP;M}ow1v!Ds?ajDYJ|#UwktY z#@7Gy=C5eHrQWdO;^aV$9fbfIW=zu#3Dxa&xdI=*9^Vb zl&*4@T2vjvIFWxu`I=nbT3#e3!=4!%O%xGf3}rkT&VbvSI}QKU2IFs4&nDk+FF!jE>fE8@8+ujdL$ zPk%hokX%nGG`*yOnm9O2+n-EtJxQQmcgq%pJ8d&S3mrJi-0G9_q60)ePn@mL7iu5Y zqti6qhg|+d%kjG~5-ndu#emOmh+?()i5LQ^O_eVM#gX6s&;)SxuZ#n$fdr-N2e~*J$qN7YQ z*_ih~HipjMC;1hZOxcjrfAtLYKB}tVg#o^ctE>DYO^;Z5qc|To+c3 zau%3YK)mHHZ4f2RvyUD%tRSQM$X5n|h!(q}E!S`g5{I*V*j+uUGDd zFZc9@^34=HT&j(m41O89da$Q#f(zm%&gYl3213Own7bEYNyn~w>-w~x z>M~It)ip6gO>O3XiQ7iP6ptSQWp^;ok2YRMZ>nZG*hVEAkdsd{wB zB4NKNFyeAcPkye$n+mM?H`r?uyd@SDtHVLkZ`U@l&$#2k57Pv4)HY>zui~_7{vRpD z9-d{bN?A{zsyLbR?Hnf?zv_=5vA{l&AQemgc0H;V@yKmCO&Wi~c4eM^X;>(!6)cNgB3|7hNGWbqH^ z$}gETu1c@0u3j>-sK@PdRqIdfT6V$D>PS-pQmu!5Wo(T}Gx_*W;0@1iImP3Z_oiPEL2^coQX5drB^qXJSQAksn&g3^n0DT0DXCsIT2y>|qpgx*Og zAwY;{eS434&bPmB|IXcKjC;?xcZ~B#{vd0SHRrqLJLg-T_kA9za;7-iIDZcbXN#?%e)AthM3M;;Og#crcIMP zZBGv4uA?Vn(R;*`AwF4Sp^n|a**I8fLg>^Berdj$%y+h7P#EBfOr(6H!@lD3Op{3s z%s4e41EFcF$#M6Vafq`R=XGwJ-07{-=_s=+P$bq-$HFAblZ5wg&4U4|dx)Q!LU@j4ob<2pihcl?O(#uTFB?;N^CM)c?J8?dX9S=-D5aO{AuZ*E808t8O^pqwt&;)Or z#p5YBz~I$>`VRK;j%$lD6!r70!@%an+WKIO}@?g{Zne5r7Scq@{l*Bp5V z*hSQuTEq?j3f)z=%;*ftDW-wk2w&N|Q6_U&vT0!x+7vb-AIb7LI$l46bv>Fey$dba zMDkgMwi^qq4t;4^|B5esHXbyc9auufpovRZY0y_oWYjf!`-ckGiP=Jb6y47U?eUnXldlaI2THEfcbn2gPR^25PY1OvaDQ^^XsC(b`u$U6W2BV!(k z?*+zlDFmQsT~=>vFl!<3qGLKE8W>C?&9>~JXjIYKcr0vMa-bnj^IirjJ$OHT>IkeV zs(T0;TyI$jTR@&PJBOqKtzRSoKB-|lZ~BC>n~gZTneN?B0lXkra4?cs{*l*i7V7$;N{6qLs!AUk+?BDndHNt8 z>B0gkuWcw&VnL3GitLWEU87uO@1T6~BB&RpK`AFFoYK5giB#1yV(^q>^9kKs)OhI@ zcboB^TzVn#aL_N~-b`f7jtho)Ik`g<;NYY66(8Sq!b?gAOMd3>)X8fj`5`%KUKFbs 
zOYb}%giB`gS&wn!B>xfisRg^u`}SGRXFRqv&Sy7j0{$3+Qz`yUw0;NyoY{$WAS#Z~ z6c`X%txgPYn@!=XG&aQ(>YZCeMv6?|72I*mb^7JE|7itOT^J06Qsfo@kULN$#bF6V z+||$)-@*;|-1DEJjkGLxCmO$WE90TBm*o&CkEv@lluZN*c^XePSK=NG3HNR+8cgub z#@9K{E$mq~7L^t*@YP``Zu|k1D^X7s7l~E1bE(HoiqQ#Q6a4bDEMdORAeiJbKkglXf?Swrj}ewZ3Nn4_li%V(oXc>GkhO7G6iuohX&Jd zUuo>j%F3i$qiy2VglKVdRC>(TIj^0El*L%BT~onwU>XaTW9V_g+Z`YZQ8B!gJ(k0X zRe`FgGB}^JBj%(kq#a~y`!l@JHo1wItpM}^^dlrniE?YoG&pDp@!=I=uit*aH6JH# zKJh(z7~WUm?777Hjmt1;p(Mt!%hY5@H@a+SFI`9kcE~-An>lC8u(LT=C{J7^2m5#a{p?eSuiilG5UTPz!7^g*~}5wOJC+Kg0HVv!aG- zLS(pIZJFCaKgc2#G*K4P>X{u7s>RBYW1(WpR;U;`bkaD<*jV&HhsW~{E{tE9`_XxV zj2<~lGm)RM>JwNH=z99Acr%~U!-GS(&tBW~!&9@CrXS1^N+6Rq=WJLAiuAqI*%mB? z2@rNB?o*M{qiR{qrC%L#L5VLlX`jU#6K?ub6rwT?%Vfh+B86syX zLmyU6|9-$*R^j5P8NDGLJ{7r=4+>k$O{t+y6-mO?nI*8}z<@9zwu zMEv(=I_Gtom@33!Varu2o0MOgyB=c^(|suCFakA9aG|Ysuo5MrsXi+5yliCmNbB|TF|Pj1d@6SE}iLCKLB%J z?Z2REwNyVh^q;o8ei45pZzAblKkn|Q(e5GV`0dH4dHk;*Bmyk^@nb}jhK2e$WO~_U z>R%IApVfCUT;;rymak`~>inDNl4$WpQqghBy5=)Z6ASKeN#VUN$}ev<_`e`7x*WA^%@9Ht$U<^l(D= zjqP7mg_T~d4~VL#x9*L5%qhETi9&N@Wzag!T6~Y(cJIyaZLQY#rG+iet!vC-N&N!R}%`dINF;YzK<2 zz1Gp0{M7`eHhFF>RVI9CwelwNlg%O3Tf=zL`<;q|H!}f-w+KwR2^d|9cgg#;fv)44 z78x{bdG479NqFus!L}^?l4BaZd)V!* z6Wbw60D&6lfLA~lAr#v^lTRFf6s_W`qCPSi>kdv5WvI!;_mm8^WtPI*AXlMOd9ygn z9>hd@mggWE*SU9xf;(RkI-XbZ>G_>u-1Ele_6|(6SD52u$GGRn`GEbbru}N^5Dboz z4ptCh6U{_jaE(jP-*!lgkzH9<^g5f2!E<>VO@gLV{XzRQ<+)%>p$Fj`21|)?3UZ%n z50fR-jXvCMWVS|=D8c8X+zYT@!GS>a3T9s|NSR! 
zB~{_PkLgFgSqS^{#joY)>H2GB_xNg@)8XYY!VK9P3pR&gg2PHz*+NBD_sHyIRwxg_ z%z$PI;cvMT>!8lJ2l(|glWKxrc{t_-lXoj{zNeMxBC?(W_`7+ZAgT110+oU;b;%O0 z5tf-H>ZIK+^c#la+?oPG6`)o&`OKY6HmxPY@PVvK&93N2OCLF@Cwp$@5fLewALZkv z&+YIJaQaTmOCdosqf{D9e6>|-o@s8cXR{6NO9f`jvfCnV#uRQf=6{>n_Rw+ma%SqM znc#T}Sb9_YCUD!wH-__hSLUXcyq%-$UhcEc5uz+i%h83RB;V2f;uOzvmo$gigX?v#az6NzGye z*EDJ9FS%}>)w9S%qICt&Zl(@j(TgetC|a|_1*X2V_USN`!5Q2C^id=ctKPbu5hO+@ffy%2dD+!}G$SK<->MEx_#ZvXl?9}Lz$Qf*@#h8)4S+Ov7u6##MFeJEM zCl}YI9`ST^57khfZo?b8s)GYr8E;Q$NxJ!a$vmcilUi<;Tdk|g*z-Rey#h;a3`fX& zH~C^6gF57ov7O-_g+rN#QGOcWl%0D*_qUx&w0x_(_ zSGCO)tX8)pFUSZK>&3o?7_MzNL%o(?VX2{WS<3XNp03IjOR488*K#A>5K<;VX{)VW znL{=w$EP4KmB6p>1B=@wCs|FmuCEnf&u{0jE$qsd*cg(t=lwI^ZE?-&; z0*KBoX}rL=OBU)U_X-_*M|(|Od!80eOtLL+FF3lr5GNJW1N5JQsEvT_!J(YKwV&rg zLY}-)WxP!BRH!K>%w*h=e}$*yZZ}ghkk`cV108m3$K&-d{2dn1XN`f5n25p@3)aVU zr3rVtNmg9(T#ZdxnOMWy5?hb;pmo*=I&sR!Z(4M-)$VOly3AItdTt~1S8BkE33Alc z2aSlOsF$nXpBAqssq;QdbVRib-XZU#7V-z-c&FMn5bvk!1UdK)YJT#Xub!=w#U!k% z$r+DU7^(}jAWl6Z3vlu66B4kVoM{u$&v84jZxFN&04N#$saUp&d_Y_Bkw)g#@LkgP zwob-8J`?uf#dH9`?VH6lvRdW(#_36{oY20^FIOb)hxm3lKnrG^jA~k+IggQ2u+1no z63r!$3}pbPbq*TaIj~r&Im@yVu4#L)!1u^}rL${$Q0EEOE74@G5bcqt2lb-((CwH|g@^GG9X+`XyF$m4o0&Ip+ysh-CB%F0 z53B1TjXc|<6)mIWq6l-|Ja-%6Gy~t}D%8gP0%RsR*giA(fa0i$)f|?}!g(k5mnMTa z(VhO;pDPSMsTH?(!iB_k!YNGC68zW{LAWrl;>Xe7r5Fq6dk#kpmOyAY;wmsxELkDme7g@GsOeg17zrS>P2+Jgroo&6i2I#J7B5=SJYb zl*BFp=W>`+jxDUkvrJv!9+394_dhu1xW8?hcz}!s%DZa)O442d`4kTQ2boVyW@hPk z-wt*6#WVz75pO=THUyIprZf0(*OsgC92j|x@f!m-gXKAl`@Hs?R&F1X34QDm9EfA| zUA*iP4h6|M{mgrtJ9z>@QzVnUz>KdNhhRA8b+u~W#_&FjpA)JSk+gSQ^Mk6|;EX#{ zjiZi^Yex~g`!B3bz#a?t3T^Fe!1vb4Sc!8SjK8HiY~UUz;Kfh z|C3Koqzg#{0f=;*Ff!^j(4}6c$#!A7PIg?fY-j_fy;mlW-VycgcP?iY?SOj0y7*i#{e4?W2*U#S2hgL@-Tk5>1+n~DznnpO{&@r_gUh%3Jou)H|K=}H6>Es=+*pLvT?%@bznY@4SD^zJPqH=2O-lh1+ z^>Epsgp0+jCK|le`D4Ipcv4Ti1ixl)T2fVYfNS(}bStc=K!2NYJ5-C}Ryzrea%9+5 zyJa1#>3Gw6>MP6)3;2qG(f)%Ur6UylzTx;gIT_25ac5hzdXv85PJC67pu1n8LZK_d zL^3m=*b}oH_Lg4%CS6O_b6WrD45o`Z;Jla<>mo27enHm0s%$Dv4^m3@2=GeUQzwb) 
zRiUXbD(-Z#OhJJuW^mh@5ylfsWc?)cUIg>L>wI&EOiZi8DL9Hr z8ZU^T0y6l>FYv`i5P`4p5e9^3EJr!LuU%b5Hj72nE`&%>6{bNm>FgUXBhwyn&8unH zFr*lej~811AhG&L!?d}YA|-z3?K3$i->SwrkGW#YD)lR1@z%vSSbp9-cH#TE=x3cG zy8@s=j&YE$32OVAUSHb`W0H4bz2{SL`_kKXb1JuQmZ+1wacGKAxMjZ>CF%%K|L|I` z+Y4z_>RWZ#s`Q(v=fp7aZF3&SowqccP@`m_k&U zvJ>wH(Bz#Cakf@Ap(sb1HWES@2E1I^v~z);UpMuk8qnJz>`ji&aC7$(zR{pqS&wngUEXpT1tt~x9zp6+}2*<8kdrZ6S`zM#M9x|aV~JXA)J81j8{@iz3k$wtJ7=J zJ~CyzW2xF`v={3h0ArzQoo61C1YP^7nK;T!ls+#jKdVDZ6=$U>la*;?jSVw^Sr|7b7xGqbWQqPY=!AUt?30BD((gRd=cBSrRpWN!;J}C@8V>PK^1p&R5peB z3Km}ZDw1(fdY{gdQB(=nRWb1KhW(@Yyi2B0UGm zqDFxRZr#)Q5pU;0rKGI-eQYMK5S@#a$C(puV=AN59iQ|$Ix@5{4Pdk7-J-?CuU6gD zlrP95DZgZL2HKT9mxfkNe(<$N8&MT@JTXCk|uTM-MkkHJ;@%|qbTeVDr9a=myj{LUB1*-{xd}EaDhtJBK?8D>=ff6{t z*Xy!}qYPmX!iNT8;LroG6d1|1IgUwd34;Z6LA}^-q6hOpcr*|P$EEgQAn!#K7;^dw z?a;;H(=<|RlVV8}OCb2lc|mW@&3|mH*CblLzwm|P`o8&6qM7FF3Ty5*e^a@fuGpX1 z8jx{C`;t}jfNyd(PHc$`&nVqhRht?9mC%awv1ZB|%RZz%eV2&b16uOM?ECGby4b<* z8(B=@Ee7z#ufK_CU*qA91p|xl5F>0=mE8S$AHy(E|E*sSo0DS`dv28xUy5VAv|H7L zRt5Ujt#^Daacc^mag5HaF1j}d^&aT^72r}YINw#N^E&R)dgNH^V%ZL~@r7lMjF5?1 zT(YzoQm|sK(a3gwS^TOo`Itf34CB^vE?Z4+wq=Kg?;YJ-$sxzNy{h9gDwKLl6!GF@ z5Jz;_tB3c+8Q2P0!q3No6a7{2 z;J?Yj@Gk@We@}YS#cP6R zI4@lrkCq)U#DM`h=QA73v+MjPYXuc}c0$<#D;cIXafmc5l$Mr6E zEl??_rcYQa{n1gg7GWo_L^m%aw{IRQEzT*#(0bzPi$x@EGyMK*p=E$j}*2 z2gnJ0J73`-{TF}mx6~1YqvDOM?+~#Wua7 zIpc$zx;QN06V)fG|NByU3da1)7(QaBr~bJa0OioD|KT+LRqJoWqPXxqYrX#t5%k~IQoZtOclD+p;^^fq#JUjEL4+k?(0a zTkz{gb8@Y`fisg+OAQrw%sR6vLnHD&7!nZ?v0N_218z1+2OxrAU(xCbKJ);x9ZcO< zV&1Tqb!OXMD5N&d@0y%y#eqBIv6@KZIU9LiQ;t@_J{W0w>5LOSY1JXKyHS##zbQW8 zSTOs&@CILYZgEHY5ElCJ6GT>iQB1eF0E~VTGMfFzBM74dCF*&a*)*iM9}B#ZVH{&B z*ly3zl!*kTUyEh2>DI>lFM#3LUsOvph4wA8LCA37vmJf1wH9y1*f+!SDMD{{i<0iA z)CVd%POpsl0t!oFeSxgMRkBt4J$`Y4*4{g#&RMb~$J2f}>K?^0`Kw#sqixNGM|s{~ z?rjggX)Eze)Em++lu7C<1dPWIb_EpR4GNP41urlvxY~$CxM$KkxXf+UN@d&2u@qSc zlV=6rY`a<(xla_mnCW~`=yuI)sVe{61ICTo@sx%zI3w_2IPZtRALEi1obsA*C6++^ zXrBCuT21%s=X*r>7}P$FTW7Zg1tMR7!8OqE(252!{p#?&L#+zTU7IElu*O@0aoA&D^X|U6w#?0l5y#Q*U 
zv4`*eQp|MUa&8-FI(pw^szT=m4ubNXX;tAZ$$xX^m$OP3N}L=tHcDwNQRs*Y+`aju z!w2BvX(Bvv#mWJ!r-FySi5}}Al>lk9a04EOSd8@bGN7V}Acje=x>;Pl-9#&Kp<3Ls zMLXa-tK2-OC}i6VM=Qf;mY0EaX$T&?+zC`R*|v?OK`Gq#8CCLUH?ObkSyv*Fsg41$ zpTp@iIv;JT2Ck2S(GIp)Bp!&IvexfQpHuD5K&Hh{l*U$no#IZWvAzVRvu$)CK_est zzQYRGw^>Q`p4gigk$9nVGQvD>J@ZOTCX|@Iz%5*TRXP=X!q5dk^)vE z$=-tZFO_U0&yq=Pb-yO{T@yCXH}xzl6!bZ;I4_Gj(zDb;=pXJ0_I@^ZgLYjlu#~FH zW!)Y4op;D$B;dpCD59AyF4Ez)eKgdtjPpn13inTtsfqYh({ABW zv$QaN>(HJMfgCgyk+z(%D@N~vx#h(B?Z+waejOWU+Vg&M$5&lh`NBHS6+3*58La$k z(qG;c^xe|;NSv*0OxuP!uJ{=#zdx%oc@PxBt!r#5Bo9TJ?XQUgk&4*bAwoT1%MSx^ zK0rxRp`IUoZ=yW{YD>NXU6eWr(xVEpONx(sSBq_fw5t=}#};*~sIJ#`Tynn^kiHnG zjIbLuwvBk*v*;J+Hq^Kg4ZaB%1n9T`51()sM`M6)3a{|F=F>Jaer4vY6?;pV`EEvk z?yt)r+uD-ApBhJ}8c+_$7LJN?Z`pn~G* zk8j?3F$yYh@J0lKp8lvqOJy(B$#*xh z;xgN6;UP}DyX_bg^LYosTjTVGR#kR4uFY${xU;2R3j=a{`Dh5LE4pHVVH&251x^6d zdm7iGbBb{x`jdOb&taBiNcH;aga}vmXobjA6WQ77%aRJj=On(uI2&k@nf(pwyd;4A zPw4}1&Qxfn{47+SqG@twxm6X^RA**T23^%e zy@?fi=xKb%0+o9V$A*!qQKk>E-BhYyLq+H0mWgP(1yIFd56O^3a=&1ay$ZsJVGjXX zn)7x7GumPaX9;3)m}gZIYit++R$g*P(o+?lMvKObs+re_d)0#H`@C){9{|QTL;qAv z*Nz{0eMv1XX9jA?aqid{fjS?eGU1=y%RX?MtzHUWy811k>L~bDL)kV`usKfCU(CO& ziG~1_?7VDj$Z?3Bhxt$M6p2+t`8*wQMpeD}x;rqCfbK_EP0X>$stHn%gv(}6&?H$5 zz^A*GqH{5Y04ZF(VG+*N03D1du^%y?-ZS$Mndb-UC8*9tkn~OjOj!KGSmA~VQ2zN>YdM( zA$NmXm2Op*O3kxj6vMjZ2F9{>E3P*qW}Xwv&)nsF_yzH^i4-rn1R=u<4!aGp;6B2d zI;1@8IrEDmSc;OLR(B0?wb4@CSkHRbOq{<~>n)@)AemK47hzVHNl$2bGlSUWz^JWk zjXHQD8HDdCpil3q>GqyJCcoNZNH(xA#eyisGXOPi9*F>?Jr=%kx$*YJmkKQ%tkFf? 
zO-xnFC1+|}%_3nm@w<}2)d8_|7Eq$b7C8xi`xsH)cw?(-W})rk#?~OL#PNH1?85A2;=1P_hgz)_)PRyOwa zbO3XR`jFfC0XKv)n@#Hz@^i(84mCse3pk$#ofjv8{&Y$ zl9JUozO$=Zj%%#@j{Dn;9{0_Tu=`K@|zi0R0S-3!v)`M_?FPH!Fp&`Dg zz&m3gi;nXl7`A3~(;w_jd8-g+9N+w))VQROnxOxzm8f)D+8c@k3JSsN>@xc1>pSu1 zsyLu(c@9_P&$aP#yA@0%yvtKQymQPUsjrXe-!Ybp_lj6Eo#CTw{Sut)D*wWx*bl5~ z_r1o^@sW#X!;!eJEmz0lg-J?a!E`@RzHu!i6$cQ1tQJUzH90~;Q?q9^?QF|ZxFg|( z2k(E7^1nNbV?S1K+=nRp|AJIdC!@s|GqRA<9=Z;4zqG8NjH8J>kEE_QlPsrGr^j}$ zOr;T8;H0@18TAZSB~X#ebFkEKk59t`i5lRM&0|(e-F&W(wDQpNcDMO4(_u6x;c{*aT1mm&2?&Q@v`cqIF&DJ;{~b zbNl5q805-=eijM|QL{cmq!PsZ`@z?g?rf*Vw1R>`l>Tg@`7bU{;|e6dWsW03toJfSGJEIwT4;mnwYSgqE~;D8UL<+FYpv(lxqF<<_Y&00b-YTV-H zkUg9ODE1amVUK>lq}u$8=H@Yz@iO+qGKALmZbJ-eug>NRtZZ&{t=DYUpt`bFpe3rJ z<(&}w7e>*{d+Xe>maKq<2pkN7aOgrAD4K8!7SYZrJyoyax=eL2Y-RzacTnlkKhSX% zZ=*}v4Y}GvL>ypN?5AUC31wHJx%alk&~Pc$cQiU`S}N6B;`7+Xkcw!cuQsW$q4Z-d zN$X=x>oL<}$-S8P`djCgz7H;nd<}D9Vl9>&69o2cOOBeT#+zHI4S@rk@4HVOmBzdi zYLebaQ{1h5;SR5Fruo_^TN<$lkJMi8-7wA-RC30h_^UU#yAS&6jnjk4EjG7QEVk(s z6YEv>WnC)MIK#h{Dh8YxOW8(!4NI^J&dOJI)85ex7zbb!$YTpN5dNd!3Z`F0HZN<1UAjkDrk5dAf_KT%6AXDy6iyI8 zx;il8C)@$BZ^b0dAf+Z-aQmu}m**U_j>x(>KRbmQ>d98AH`E>V=jZ z?*R$>%H}{#`y#8FB(|Sl6M5eu&HOQ}rV>2tZ@;~z77Cj@$sdh#c=|zNY~hhQM7`E_ z)+LEjuTw`n+g63{_G9|!Qe!8yQ}1Z>fQjT!42Wv;o_{--^!VacA4;ql{LZu!>1y-B zN;-t|5Ta$N_Nukvb5feUtLwddS9Urlpd@PJl4K$ZgcG1?Utq_t3Tb*cWDrYrlS)pRZcj2wQ8eLyT%#|H-NeZc-4{y1T z*UTY|riw;5`k@f?Fnwc;8BBL^6witvt$0%wBe6a7n}~iY(K@tnroc(>83oJNp?q8u z7KYPZPM+XtLNA1mEVQ6>fO`+4i+1Dorm@1r@$b8~^^D6WZzWG`r9J(a*j?o4n@I$JT;O5zXdh z7CKU+O^yJK@fIil*s-5MeEIah_9Lt<2dsbVPYP1WLEsk3V4Bv*gwnQKz4vpl*nQW_Z~WStR| zSc;=r%nUO2^yf#DeUQA+?7Z$VrkZVni_pg~Y)WxLiMj5_b-8nd-(kN<{bem+Zk4nD zvkqk$buQpbi$u@NZqejhTADl57A2Wp`BF9H>2fPhHB`aoy+$nii|7Yj)Z@9m6QhC( zJzGN*n3LTcjC{*NrDE64CUb-WuUM#pa^ANy=XQ#$Fts2nnYb6Zzf4IEAVzdwX>Z-) zjiE2Ic?_QRbddnjRxozI1Tu5WIR` zPvO?np6o3x#ks@2wX~}0+v{FS_gQVIIiyNPzp5#6w@sEqId6tMl|o7xNnJ0tw@a2~ z(5(OJ`CNMu>=EE}8pAU_kX!a+Dbv`MYn$+BA)>Liix8F31P0rJ=pZ;TEJ+B~FBrQi 
z31ON334igJ$5~cFOM7B(pIusamAsPt9S3>DWRuEzn6Lbm!kjH5=BZSrT%H5rsvjD% zLU&)qNk40Gmrwa|zmt50&fF*pt&g&Nhk!v1D$vozoY{*PlsZ>8PWT^>&uc2mX{9Za zChU>*K~l=v((n9oefl}x=#X*Q2P97zfK)aXo{JND8kt5UIi$5~Dnn3CX@xkkJ`IxE z%B61}WhRd`KMrBT9Pd`#o_#~ct7+`$dT#7%frfNhh~LMQ!N4tNBD(`gpB-J@QP)g; zL>x4}XpMFhw7tbvA+Skyqob=#3wD?Fp4}M6#O!S5;M$f#T8m{B%_EpVD!Pua5D8O3XXbTjhgR?E3jo5ts2FurgKHSFb3SdfYWrY5W6vyU%6u%KkJox zu&Hm+5hJ>!C3C0T%b*~Z`@u6N{qz8bw5Ywwl^l`ypQmlj;3}~W@H-$Mx*no$j=7Sy zv_Om7@47JSE*32jMSv$rqh(U*ZqTxZMwWXJ7%wUs@A;}X z;(SnZ;%zg`A;T&GGWE4I`q3h?ys|28Nq%EwE=A8UuI*AvDK<_#whIWYl3u;2 z#G9R8!Yu%ZDV;1_TkE`7m7ml?8#BGgXKaiYz4+%xPeS|8V0ud9<_tuXTaR8QPWiIp z?69CpnkXevSly%GwszCqgd5j^K02FcIZMhfh{Y*vlFXi!yWAG47Jgy)GRjkFu4{Oz zHRCeS_9{OQH;tDrFo)$Dj_IpckBdrZJ@7ogA$|v`3hV7+eZ`x2IYdUJ`rU`Ue9I1> zL8%&J)CDpWb@BO#wccduvwWxN@$p3B>R^7ZnYy!;Seh4Oc+%GA7pl)g`%R_|uD@(g zZT-XkfcMy@7R#XAeB?sqeIO<9+TEDq=FS%d{;4%lc=yuDSVZ|JC*RQEOt84u5tStZV zy3l)SqMLV~Q(e6~sAZD1RH?|>=m$JJ4XA1X?|dz!SgJ|V>`9tj*jd#xOpJSSukJE! z0L?&9_}OLqxEba+^=Hdbn&Nj`^Vs8bUO<=$<4UqM7f7H*eI`vknftZ*v|I;@i+rCe zS*53x)t(-@hm6gg_dIRC_8`Q>3$htIG=+VBj6Q=}`=qNIhs=6(7yI1dg7M=%$!N0ct`%W!S9a3|u!oL3k zHf(;8e*evf{W!=5y~|F?UuU z7iDGfVY(Ugiw>fOL$;>Eqwykn8?}{1p0$?6j=VW@^_d=apC6ZH-~+wbr)Jlydtpw( zi12()yEeMpl5>Jlm4`|?0&Ut&)Vggg2fYR_<9B|Ez+-VtfE9a$cASc;SH>th9?xk$ zgo25-koOe7J$>XfEclA~F#8Q%UBV3hO>3PFj>|aGJ%);~P)nMW#?u6pJv$Y}(uG zl5#*({bi{m;`}oZfdYu|k(7)yy|AvGI#x7P&|EIo`(-xZ$*v}3Mn1@z^+Bh9`bB?K zV2gTheb9L>BQ7k~uGul6c^?EF>R@C<2VT_|q7`0sgI zz50%CE8Rw;(i%p~N1XGIiy3txz3WGJ{*>VOw`fe=314a3qQQ7AhKSJM@l;kz){ov~ z4_IhkPi%!e8RMSVo!r{=ok(7bmRhCraT$)2?K#fEUJk+En*2?4c!~gQmMtKz8x25z z$laUp1R$V{ldA_hL01+lg?u-=f1nr@_szj1=3_3=TOUKm%OVWzXOdN4tsHF>KhIEb z#qYFu=5M^Y&y8Wc*miZ}+rnAK-X6BGRkjB~ha?aZ{fbmIA~CNg zKI=S*c~k{WGdy?*k%&c*Z!bg#yc<-{c_Pb*a7mdLL>K2qR@e(Wa}s2%Z|;`?`C&Ki z+CHjpp?(t|T$<4R{(s;OhT4blG8sUycxC2DPB3Am>ZMD>948Q#yxIk1*016L@KRgY z5)DBso4^_arWt5vSNULP)zsvj~~D}>G#t|2CH!Rx2LP)#X&%RP#hx;WMTP3!KYFU)ZvOn=RdG6 zJ6`L5yBLFe1*U-y13mEFFioc1JGs7}*E(*#(Ubk|?O?TIJE~GrhYUuA*E8uN+aXy3~FasF91Ov1v9y+{{ 
zJu_5CW6Rl<@wbaW3iGexo%%YWUYY5^`M*K&#%qr&f$;Z}JI`KUU(GE~Q^%+wa?Ld9Y&cys zp`Vs}UU4v{yKlyy?7A$lDP6GxbNVuQWoPe+v-&xL|^}|ld3vIrJMWxXcdn+tlCDz#@d|A;B0j(H5RA*c{Le> z1p6?|?Ia-l=Y06zU(MlAAb}2VeGx9fR_DmCUyXa0ZI%{X8qk(Z7wPrj)vNAPO>3;6 ztWdhQGvFb3Z$Pda7PG|X&k|`f7TDZ z6KqY#co{5*w{_s3;^H<|$@ax+r?x!7|Iw0}x34WODRo>oHJ_b(psmntOcq0h?NS+?Ey&zJVg|Gz52HdQBtz5-12tWT*h-^?`h9iQTCjskV)y{^37U*4mM zUaFRQ$o|Rb>xSR+M?)ksAC?T-{%w0OPwr?U#<49D0!~bmL;ZQfrYQpF{BPkttbANt zUS+Q7;(!h*m;v@8YXfG#z0R2oe+PZM*5KuNcun=?J+lX2(vxp;GzlU}T&83S|L6|? z!a}73LYv&VKzHnCbZ!uQQBt&{g%V=)eQk96T?^5PqMADVo=MJQL_CF;V%lUMeyAb4 zg|Td-$e3R9XGe+Mn2|gG^xKPs`8_iag%hmyMdq!Gd;%|^RIM1^%urkOUaED>lN*Ro zNfGtk#l>44%jy@ zQ3L0B<^UXkY#C?bJu2<8c7$!kRR|iu^C*8>#`1YhfmS7*)$)K$G6vz)m7$6luw-M#_#e& zSFR02GNj^E0Nf!15{1}FTkd=2>w=y<>9l06{_tR{>g@B8@{0WxwVyT?bx+gxx}F61 z5b`F(=wKdQ9km>jDfu(XelL7j!(n_+d$=;%;ps+wclz^sCEv)TjHVmLM}8}+vzrX5 zi(h+o!(cUF;Kz@4l!JV4dfbAOT~$RKgnz0Qw~YcGu7Xv?p|W~Bzrd~wB_SP?@4#DC z3c^HYhl5|ZB5h(x)6JiJ)tEnN&%sXUoRB-$=oGQRcHK4gmB|ok1 z_FUt~-GFt4caheSq@CIh$!$8bL+$fKNq)pjkPq%`9Qse9GBkrN!k-%%ny_|Xinz>1 zYj4CjLhr=Ot-JL=0`tB^Of zF%p*PGIw8|Y@nW5lkdL%%v!_B-*6;I$d4SMmdUgi8Y4Fvy0sy_F1wyYbOlK3qkOXr%z-;1~8h10w+|Hzh z5BoXe*}#NHOTUQ>%OGdOIe^1~BB=Le{^cJ4d*UxY>8Gv=`tvVkA6dv}|Y48wT z(NH9H0nvhicTI}F7s_F5S+2oOAKN|;tzqqEdn?|u7^|x!J@f^k&{_sL#=`Nj6Ym$( zkxY`B*8*~7Jq)rIPz)VlR9{oM`UQhCzSv8#U`7$JD*uLzZq}dG#X3 zeSgOO2*H3iv;QjMe8-WauPD!=(I8f1`atwSx~;KyGd-p{{YZj{}-5)JOD(2vhTX%|L z-hD2J&m&fvJ9h&;g>g5_Nw>jiW;abaKRbT^X_}kNu1g&e_eP^fp;RG$e6m56{ZI~; z7~O8=&|7Atx1P9Er#ipMUen>50i)S5&n2al(VW*^joQ+16bzrN-Ka!*TK{LO$r$mk z%PA)Ge|lF@-#7~n2eD#^N0tF} zFtGX#RLsTVMU3eGu|qH_h@qn7TP)d2M zBY7ws86R%{vI_8j@A~+@3qc;!6)DU=UR>mR)%}_xU80zFIf>HC-PQWCdv}L8CkF6L zzzrh4mr&&kmkDzz>Hh|_fxk+l?u1HygWmDz3W90DO?7CV{x-Bcqz$+YC zYZE#MC#^LKc!ia4+vXpqby8lR_L2Oc6vShe8KJA2wYm*chuhgxOAF{JtD&Upg(cq$ z7XzGqr%Vgp+bk>b6Oq0sB}Gjl3$MJM-lT%2VSE)(BvF;X~wu5-CT zFnq9Bz#v9M)y-p3oZaY3S^M)X87+71e%!$!mf^p3cb!p9WqF*DDvFVk009yar3Iu& zQ;;YK3Q`0mbRr-is4( 
z{W|;Mo^#JT@54Ly-uLeR{@P;}(6!wfn2xg_R;O>EVm0k=f2ihgl{#=;m=Jgx!SGHS z2EQ(f7{WkXMQ!XlX4+W4*b|G+=X7{APH<7!b+6^k$DcKs@m@h&eY86!m#iMb@6BkT zOpvSIc8_>_&krhossw${4R!r8?HfInzOX$xgptxVKz#UcK{H5VSamIg90v%Hd37q6A!>o^1iktg z7c-`!c2onL|F9ne(sG`|++(VfhD8E5BxLTUfjt#{BKe0~6dY4hNoGi^afVCzcr=1A zb;n~UeA+UHo@u#|I3`H5riw-UZVZpdi<^TZpDXi$bTsAy$R%ZgZ8f;a%|)%zeY4kk zuyxq1c-M?Fr>V((@}VTALtR@S>=t6124Q?eP09yYPZ>bJ8PSB!Y?7B&us7gL$+gaL zu_NRghrNy1uD<(n%Dolo8umrk*ncIb%-#Chjq|kHojgRH->u{5<;CLTja!_1cmy*W zhgK9Vc>ThFTO?q)kGAIdCZU( zpIlK~GH`B-mtES~UnHu5yTeCm&^sfs7$Dg6{NB7NXq1PC&MsZL&$~2 zG0WhBmYdiGLg6MdD*pt%-w=z53Da~v$#UGrPqrI|^EBAeqTCQL@Z#%+mY!xQEmaga z5y=gK3oE3QI;8zzQR5$EIwZH^vkfDBOSdRB&f~_18?$li1e)qPR+31h|4uI#R8nrv z_N)b5rGr#q1MdEaCE44X60LwZjHJMn;#sHQw^HL_YAx&Rn?_>PYEwy>Gi-`J?^$z` z?ntxipYTOnm|gWLeYkL;1Uk<$AiJgEtOqjFmagt5*Lx{bXbA?LM)VuRM{NoIV^67E$te^PxddU=X& zLWoV9wEq$mXaEC$s_1=IUwJ0xlyWV2qt2&+O~yedzo>bYye-4bqZ=CQV_1X6!u3ZV zvIVFKX6xA*wTR_LDo(v`N=0|IHWt-OWlhhm2{GE_krLnD<)3o%D_Z)aj8;VRw+OvT zt7<0h!qo%{8`uBZe+>M+;imFs(XF0mq-`ei z@wCY3X&`hm++jq*tsUYMJb3hoL>KtV;B~E3o88q!@}71LCe8+}iDYQPgA*}k$)KwWcyZy6uczM==nQT>EXdV2JD!h}6;R?bINTwouD;-&FL>}YLYR5(%c__{ z2Ua!HaxmQ_LHK?7i!l>Zvy3gW%6H#mgb=k&r=S#`xs2PDqLYFu@?Pp~;VoKZjqF2i zZ>qK5(Jc`KPXt5SB~}SKHe=1!@L9*_I(2ivbpUuWUHU**)J`oHLLho-cZPi)wb4w? 
z;jIF57FCjsWC(>14*8i59mV&WHH+e+*{`XYRhNjdIGukqo-aEe7o}n^PqJBp+E;V( zJqDNG(@jZkU%qs2TZqyEoCPC+L6h3EjFE`2W4~6BjUTSA!NA+Ut0Jkzhbrsl@hZqz z>;%O!4MId$_F8EymItGAlAMtt#2WaMsTzf3PujPf4$4Kjz^c3*UtLkB0i7g;0g9Zd z#v)I+qn>X`Q{{wibQd7$p@zO)?X>%Vs?;v*bNurcKe$~L0E zQYs0Oh@}oXW}Jc8Ct;#f&ZpppnoQ#`bR$#Npun3MH`nDC2(w})?(Z2r{+d^gy%T~r z>66(ql0PqX6NYYE=*p0A11bwYSen-W-7a1Ex1cAvgE=pwGk>LzeJXkhoJ$eFnM!h^ zn_fVof!d!{l8TqqpdNbg%+{;2<@^`Mo8Ai3u%C+(H=PBt(zPY=9$9z4nwuDJd42)gz%r(Y@8|GMkoVFFH zf;}85N6R)xrKZib)EjPP-a{RNN$NY#v0JTXe0GZJ9wxlTXUkN&Y zy*~S*^ve+Lf9O7sc*S5CMt?UU-0AZ=5FkFS3s$xa4&O+tAlBo0S#g zi=7&VmF`KyQ8+f~F%FY8XInV8SH>alF?*$W+X0AbRldYd_MI_&s{TzO*!Nw^4V#-~ zP>U>s4r3{LAC}z1sP9{K|DJ}*#Tj%edp`uIucdzM-Z1iF!FD?H5JN5ODJvK)gGs~K z)QU*}M)s~|^`Z7;6Aj}&I)4Bx`o6B!0|d=$ba+N8rS&XRGIT8-ej;Z&p9mN*V9)(m z9^N(PvOp+eSp@Dr6S@9jd{vf%`AgF_0S(OM*i;~ilY|*9aQVT4D?koz1OgV+fCoF1 zV=d6u?0Da1h;o)}P?)NQDi=<=vCi0G-EQkFr1{&_PAceZZ>5z-mXt&DT<)tOkGwqE znzoe`2Jw2%G0Y5rHr!?u_BiZ*uq?hQUE1Ls%AUdRDm-4@oEImkKF{y{BEIvyerzCB z&)h1%Jv32Ih$Y0b7oS=f`b1CQ)=6OdW%++;|HcOj_@jA7SJZh2R7~o4dERO%H=jSX zc_La7Hd^xE&?YVbqTKcq;FJMaPzJhQ?uq@+!`XI0U~Ae&e`k-}4~U XmGDtdJm#l3*FRtPzvy-NkI}yY()hqi literal 0 HcmV?d00001 
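Review bot: the binary image literal that closes here and the 106833-byte `guides/security/assets/ams-custom-policy.jpg` literal that starts in the next `diff --git` block cannot be inspected in the diff itself, so please confirm before merge that each screenshot (judging by the file name, one of an AMS custom policy screen) carries no real tenant, subaccount, user or landscape identifiers, and that every added asset is actually referenced from a guide page rather than checked in unused.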
diff --git a/guides/security/assets/ams-custom-policy.jpg b/guides/security/assets/ams-custom-policy.jpg new file mode 100644 index 0000000000000000000000000000000000000000..b6e0ec180817258c961af42fb95a70d7e12c1379 GIT binary patch literal 106833 zcmeFZcUY6nwl^G#bfotxU8+(Q5Co))2+|QE(g_ezN{~PVq&Mjb0wN$H0@6E?t|GmM znjj!ZAVCZPLU`kDXP>>l_dM_U-ao$UT;FrUT)A^4b7$7fTEAJd)^Fx)?rasnY+_(+ z03ahH1KcD10nU&B2YraQ2LNDZ29O2-05pJe6l8#Nq&qTFF`=ON%j@rZfCckk?|;9s zU;$8)UP!m+do5W17u4R&&0@Z{`dXwhy1SoyB6u6frgsq_c#7~*V#t^3k|t2 zMI{B92!Nc0jDm&itPdbWYUw#rPyFtTzg=YH6qM(vNKK-nCw-xjnbdp=3UX3o&ry=Z zB?~8g4xnT?$9mzi4i%e)3$;i9yJBQ|F^#BhZ8wMII7UqA{=+C*I!-Qb9$s+?NvVs{ z$||aASFWn--Ox8MG%_~1V`Xh)YiIA^>gMj@>E-S7C@?5E1QPl<`e{sTTzo=eMrKxa zPVVy;d9O=K%iff~t$0^g-_Y39+|t_C)7#fSF!<^7mx;-#>6zKNc?1%*_HBJ*^ZV8| zcK_$WFWe#i==ir>WB`i4iuDi4{zWbpl3e7ZF`%UWEf*Pi2&qu8P@cPRnTl1%g4!j3 zO++!0hFv$kxVD>CRLK&JJlmfg?#8!cbbkvxnUU*|c+Q*?$u260EU)(c};cO@JzdHK8cppTJT~J*+ zG#UOH{YD*Yrr-JOWyT`TLF)Cho(7NiS zx#nm?Q{Qd-R4U_-)a5GcusSvLJf;$d#>~{bhhD_m62u*XV*;B(CSe}Vc1NsrVC#iP z?7s8P4_~D{W_Pr0iVO-9Y}IGCLV+R@~=XUE$=SMnS3wN(9Mo>oU zUI$s&X=56p3TFU4iO4fRGz|>@P8;ci2NGk=D9!*>%x3_s)e+FeiEqk=Uz?4f5+Gd~ zabav}ZdH1v&zPWQgZL1{P|9qeBf!Y0tdT_ODUuTWRs<RNMO{wV$`&?FAY zg`m6eFOd0smxfk(N&8izzDJ$RnCRADGc3k%b-;1sBXnBsm#6NG< zcWm8Q`2Z(yhOGg+!D&JQM4pI=+`N$FMqrFORYkR7sEa$;Q)bwup|OoyG)3^DMYJe) zbZU8YAz`lpW;%iRi@s+r;u?~C8i6Pz=8SZ6ohO{Vi)c914GMMk8dhwddjbUI* zOftYC*>+0%0~3K6+_y}Qo$cS_BaUk+k9UNi_L3Z~;bI;u8)Uz>tFcoV?#{7$efopr z_PbijWCfm2^lRp%?)^oaB(mWHstK%^(Lp#>|A{sv&d$kXcVc_Seah{^v%O16!QZ&o zB$V5Y7GH^xgQ{-DDK)kQPL2#JrTAOJfk2r8N%W&L05uh4`6uoQo+}(vt~YT|lmO>r zg_P%PD>N*8uj_s&yLi10`hMcBTXE*YcNZ7m8;O`l3t=qw5Jfn?GeA^2o^KV1R;j`3 zp#^Jy!U8ZyYY~~H(yM!I8BdW$15Rg z5*K;}Rq;xcNhKgPY;*Rzjyl>6rK3=<7uD3yt0SA-Qr@38P}}J|15jGwN7obDC z(=8UhhSkGOo|eH~h47;1$_HRWO9qKFnMGH*07;I6W%pMsKVvEYosW=1B3?YUCv?^Y$+`T)f(l{x) z@ZReaOSEr#0>jWJS10qGEt0rjPiu$_ux`y?Oi^RdyLj(c+v>M!1kM0)K^i(i?@F5t 
z!-n77rBAZ5TUE@49zBY+fqXfq5+rSr-PD!adMU`z|Ms_1E8(n5lSmJ1WDh%P;@?p&P=8+SWR~^lR;WeP9&R6tRvo^i}neZMqCdZV+KqXYB&RY z+?$hG<4Pi)+g|3yz@HMhD!ME2`FA>^mVa2ZNrmNzBf7- zO{C$&8X{}Z?rQyKfW$62yrW>vo2};HHs|bBrwf5U_+D%_>U)Fu@6p<)ezJeL znsGV0{)GDs(9J@Wi5MaMzCs#F$s6I!&}(g2?S3ctyqb;LY?=!=K3h9t&!V> zkm}e?Bh16i{o%zN&)n*}ohwOafOFEPA7HEbz((pGKT%vdRw%mb0z?DVqoa^pZnw~@ zmCc?Z25ww!esVO<@4APvy+`cwD2uA23&j87ApR{Bx9&A$r zrc-XxU{d+Yw+z!3Y15ttG4108QF|;-7dW}mc8?6zi{aLJJ!|BBt@axRKXhJ z_D?@(iIKYQzLqqB46m_f&LEzW#hM}^#Jm-piZwLxX34{6 zSAG@Yg$D`jD=0YH8%vE!>#0dmQ&k^KCJKCVH?yI?;^&ragG6t}-iTxsUH`-elCHRr z`Y3sJu<#1r6>ExWCh$MPW}4$w)`raEV9b8#&9=!#(;@5D#%Jb!Yxf#m=$@8PP9u8CHfF#$w@L zO{Dm&0HNYGR?{*XPG#HdPKK7ph`q5B(oA2Yd_ew}`TqBu|39ZNnDaZ|`rwUIo#^an z>zr#)y3pGfDQGJlruu1)V(wX(MTL)`Al?+oSEYOW!x*z0S8lkm`wj}%Bi~^q?t)#nU zKvH;XY4!;JAS-6hq2+mHi@~ks#LZH|mD92aeuC>v*(6kSjWjO!N{cAA0P*UyYKIjw z{(DdEmfrfx&S{ZxIpZ40v+oSRuBo(|U-4?DL%-OYZDC%kOg5w$>(~+ew%ZvQ{XsvQY4rdy(SP#*XORgwJHQDyx_ff zzFT)cE)NS%UA{Eap^c^JZ*GRM1u7)*#uRnS8Cs-n`w893&`^a%vaV?AK5d9?EL`NDh6v3{u*t)x4v5jeT49XC2rrBcyr3 z4<3YuY1}=PqhhrD%CdgfaU?PlIiW8qe9WwW?|V}v(wu}k?v9LkLBHPT=3toGeXwn^ ziG}gYKFpnDjH!)3ZFd;`pfC_HZDI-k?)b!=m{(!~@kPbUc;j|6BKc*6_j3^-!9WL<+R zD0GVZ3H3?}7NB7Yeao*CWjArE#H-18`F^?fA?xVjgH!9=k4o!zg@BS>=ybLV%RONpZgzHxC^h;7rdI>t9l)l z5SUaO?4pyKO{aN_J;X2LGDRyOq{MQPa19IUQF93YRh@~FW3ov5(pKLVBk#BAyd~yO zqnT&6SOkMS60)o^&772SG3Gnv zn091!h00-^79WJV_pq6B&s%OFA9-SG>>h*dlJHuiEV<`yPR*a_#D}xNyC8??lbp1X z@F(x(YUI`%3i)762z`Fc7poyQ=>ZDSEXywtzY^h9n==4Gx`zG?FxLDEw%R2`lt{x{ zJ9C`@iow@O&<)ilm<5|E_J3|QX~+*gF@Ll4IPj`#WN&FkIiG^~Y(%tg7Z2XHH{wzo zR=+uppzTt#;J-F{@%z0NnF1lM() zMzqkApT18hK7M^FT*6Fuyu;$d^bGGj8**V5#V$Dd6thb|0dNBXIfg9X zm%m@|pP6lTea*fmAd>N;JizO9;-@jG*NK4t|CQF71Q@$4kK>Mx(2Z;-O8Qn{7U4x9Zfw=gefpDN07D@M(xvJN;q-2B?q z=D?vqj$=b_kOZmzRCogY>hltRYk8>qgN(PNMXN;KHq-d?u!%E3&m-&|;?uOa6}*Ep zY`?mbX~)+P0$cq8BfQu+1NghNla>JItj_@7m~OuA7$ve5B^DisLA6K~Cw`s*vIAlN z@_@8|)PD~9v-Y38_NTV|X(j&wFMp!LpQ!lfT=M4}`ls*k&ra8$sQ4!;{)vkJpP^z8 zIFS_n)r{S=#luSP&KZ6!=_QJW>teauWt9+))E_r}T3yG;A27j?+8kTUS262_HKj{~ 
zVdcO9@hG=X4A;85Ezj#%l2I~W7f#&lTc7@}f6H6>pe@U-X1=A_bNRf$Txmu_T*GXhOUHL2%S8Vh*m@eGMnyUhHIyc=px}jj(QS--i72Qcw zU}-54$ktLSLE7f2f|7<@=NZ3)sWx{&-GE2X`Rl^Zl#&xmFnhRncpx@x=nU}G9A)^V z!(wBpDhlQXiJCYJA2Qf~FZw0D{zB?ieo4#P)&cf(Ag;3^@dwTtpW~i*l@4;pTBcP8 z5izJB()AF#7uzW3x@x`?>W)0MfU3M*-p(UMWxe&i`S%eOm?hj{iWrrW#3EWzM(RGj z%o8i3DfgSS@x?sPd9LH7oZKMqbJI&z4Tt;Oey%yzhOH0E5?@KmE?B2h-C{4C_UYoR z#m}!@#!4DtM%qzwLVayTkr7hcM4?8kP<&t#&3eW;Oy419NJ*bgjFImq%X*VtlEG6! zp2!2>To`II)jvY~F5VmkjPJ01i_baf#e#Bh$0^kbsxJbQq*6guia&4CIE*!<$E5D7 zyd*Dw#IPEOuswIpH{4hss&f)ZoGZMHcUcqS-;SW2g$Br#_ma5?mU+6DK_ax792dWe z=6{-!fWH85D)vkJ@j@)~Kc22(ts>-z6WXk@V3^k#fQ^)~;Ho;Xi=f+XLYLqz0t?iQ zYSzNlM^+u3HJ>&1itT?E3*dHEV;KIa#li8;tTOs-`k|j|KbGlwAr3XKGAyv`r;vNI zP`op_L(MlyWZ}bzjb-Y4WAM>-1lia1=kd%l7K!h{eiF#vfJ)0PC~$uUVWa!xo7zB&D}=BK(U#`6`lww~ z7s)t3$8SF^k}b(wSl`TYUvbGyw+z=G2_MpjhGP_Pv9rIlqc+#nl8Gt~TQgiah~fT~ z=#dmx@tky=^~-z+2aCeD)+Rf86G6|Fy6d9J95SdP4lPZB0k*jZp0rFeOEAWY&@%#& z=SxuE<)Qkn$gr?)m+KUcWgmmg*5^n0-ZpP)TX6f;GI zEiu_+d~KYirj=8!?e4%E8x`so=N1P+463^~jKrL34TbFojE|ht+>WWQ9&%Vu2DQt% zSKEy2&Y<6KsLqn}*yvHdB6o!fWj_&q7W&OLjyR;Hhz-uio&iuby*2ER_S@L6g3M-; zwm z5+`8iyJ$h2ys#9_@YNccmF*H$8^la2sC*cr)O_eIQxRb#B&9j~oWO{+O(C$I+=rAP z2NMW>;cK0j2^ZZ_NgDa5s$WLJRlVhR<<^_ic4}|bknNA>eq|C_jTYTZ)y75QAH9XJ zt;O}h;v;CWLOpU3Yq!UJs|fB$AznbcT-EEW0al!vN4>E~dV+D)dP>^x{xmgu z6;BrAPMxMDj2G%w+VbZ1wZpmw+GhI^nP3$G&ViS>e9IA~e z893gIJ=lu_)ik|8u9XcCxu=6n!3sBJ{dcSGsA9y2%ClS26jc#$Id42@tvOXoHDaQO zf?$g*qK1HgSoghN#)q>`6HuKRtu)SpP^z+W9Y~?CO>Stq{Qba%59Ep=56Bu#TeT)@ z4}niRfTj48-r&b0G4H$)GwE*!BpSLtw3_CFvaSh;>00M5vdS2AfN%zQrHY7QA?gm@ zWeGp>o-=^Mtcn8r^4$0Ph7$+C2JPoFxb<|w8@Jn&LcKee7Vd9y{8a0OFF2w&M$--| zY=PK;a^#*6UeXyWnEePPC)3+x$;)XWK_fl@u&KIHXfO}XT>eAi(pMDxpQdzWTi_x)vaIg`shyAQ)1QL}vttWZ`A zI_~K!{Pdc(5Tv>P@pNbP3&FHvNU%BU>wM#Cu^3(*aQThuXPOCeUk&L}OTOMOGc=BR z@hir9LZw|UV!Hf8dt+y$8{}rr{`+_V?#gPb^j14&!`nJka4iA_mVQ9Hp(Z(k(ua35 zP1CXXcPcdv1w7wTNfqT^V>9z*&($gP(jp@K)$8YOCra`0o>K2l?A6nv;T#=~Yc;HR zJ>rA^rn(Ib|1tSQ!{tP 
zZ=d8P;=@+qgEdJ)jnoMd{E){?@e>f|Nvm92kAMspU!*Sw&hGX+_!I-Me#2`QQz5YW}82GA=Ku6oNy3U;O-KTUBw-;ER z3nQu|sL06QSRwT8+}w+hg+9ipeRNWsIUICW#uP>E?73Z97_HvM9S7Q;r!pzIxy@5M zLaj3PUHvpIvBA;F)U>l~yB!ZB>4+i^_EUf=ac6X%uQvqf%k%BP$5haE*jr`Vqu0H;xkWRTK(~8)z8zWb?U(Hd{4-Xzi(r3T~p^%Cw*ma z2CQ&;7I~T55gn!n{uBl(N?JLuDZUEl0%=Kr1xHCa?57TcsZ1o|M=jb<_TW@^V0pyL za;lfR<)Uz_dr+Rev8eQIXz>ZBf>&CXRLwJ(3oI4LsTqVd)Q|2PMs>RObV*?f4{bCn^zi@#fgx+q2Y(zdALLX|ctV zrJaJj(Kn`SO%*Pj=z%z!UBDd`%;i}#ivAPZXi+yv=NHRKI@?RY+KV=`?W>lNlg5P183}Nnf$Js2v@_@na8J z6ZeYXianq*Pg6%%BmIg!#%G-F@#F@-GJt~vv(E5!~!8LAADxp zY$D&BR(rjlSt<@(@gL_)8U0#Ul6$T>?t;;#@M&$tg>6njddy7gS`GKs>JLHr@kS(C-UeLmZV@Na%QXI@jFHEPr`+3>suEHBxaC$(yKuO;xQ>4j&~FXjwlqP46|vbGv_ zRFr1F*F0$eBQjCM+7d`w_ZXzSFOMr;IV~YV5YzX#Jb}b?Vp{rP)Aac1MKSDMiRW&U z^Ru$9Qtv)0g6~FWUdF1VkF}sN_+MdR(dpL4mfVnX9<)&x zd$6#uI9zv+)!I$2`N|dKlWj$&5g}%nk5I}nuzw|<*ORoIsjiD)-_G+-0rM5n%zGW< z!$9`V;Wnn9(R-|>u`i~1KZ_(7IaOX@$SN^w3~04G*?)_V?&tM<`X1FX9mFS~xEvN= zC7QE~ykIPm-4}3!o|(SA?%mt<7f%40Kz4%tX}zZBYv|*KX-$nP$i`t$Izexe!1TyZ z{sr;`%pm$XfTMA`Y0HB+m$$8&K4(gIr11)j5vDsh9*;O7BQCB@GOOh**Y?f`kUj~9^~SDb}GidBoU$qB8f-!xV+OhnxIlI zb(?HY5)Xl<8s>KRCF>0z3r)6av0^mZ0I}L+a8-L^@-K6 z^&zcWMU$FxcySfJ=q6^;UcT(@+!ngxZdLZH)&dc=J0HYd(gOItU9gMck@Q|m>;%%{ zGY5%M(WvR7$POUtM-5lalL$q~V@B<}Q+~2Ldmd4HCV2tuLm>9sN@A&B-q*_O+}075 zY{G}1nBym{@!7>t#c6^**c$~V2O-L4Q-6i}pDYKar|m{q$l=BPcbg_#=S4w20D}vbOg3dK7IHvs3HFqZREf8S+x@G zv5pJMJOKgKbAMBWLfuOaOdFjHJZTLe9?Y^`J$&R;5U@f9`xb$3J_ES=3LW2{0Kpln z`IrkAD+s5h9K?;;;lf~rn>IXEM~I`atL@=i+8Ng*NbD`~TkC zvrij4Nc2XlNN-W{P@4 zu5!gt-qQ3-2ipl;rVq}nG~c$h_OF2$BL!NL563ROYLnIZ>M+*(pMHi$hdqfsbp zu_NMb$h_ppVsE|})t_SYSuE12wM$D=|b5cddu3@~_<*H%%|(Uu)s3nB#gVva?1AK! 
zWgITZzbJ6ZzbMah6i5oWu+sMc>w$flYelU1BujkSn%%BgYZDyayf56G9j^t;ayAJ4 z*>aR7%9MXW4>0{}JwON{#Hs!L7Cz(*5L2*u29W+v9K+Y10dzxp;RM+|?IT-L&4G>9 z0ns1!*^sG%_cfLo#=*wMVjUSqig}?P_IlfRUZtmC7}DCW3*FMRlJEQDSGdSzAFuUv z%xP68I%UTk8~_gB&X9>;c|q++yc`YW3XwCUh)`L6THts@LZ|49q!^#hX{F(jB#HU_4z^E8qPpd3@jy+m znUJJD*!d1x6ch6`_}s#ssRnw}_JQbg&=TeJ-1#Vj#WhOo@WW-+(|Ap$a_C*GVTz^> z>4|iZn!7Wax^2YF(6?Tk`%CzsoROJDL(0+4?%}uLpX+l5wC)x*pXi|mPia@qlSr-g z9cO@br+*vat@mBcztNBC4k=z8b6TPI_ZCu1B7t*h-JIH79e38i%-;n$u>PG@kOZhs zne(QLlWu7c-Hks-bGpyyB(%)&=4f!O_JkZJtED3gPOEM~ZQB%v?h$!Cea#q!v>R%-I{ zf7N)yf3rv6{4~7qZ_N@yWNBx>{;FYS$kF+=--F$8RV%F&!q<(kNe{ZGT=Cxb0OTe2 zrk+vs^hJpkoy(GP)p~lfV(Wn2H%!_N7DF<0Ql;0J-RM;?wO64~6jp`%V2F_uff&&! z4N8|}5us$QeD~pj8r5x`PaI7D)}DXw#{Z4dQJcFW9DIhhrlUZ_QxY}2U zmAi;1A%F~1KE)@YtEt{Ae~7EPLzN26OavYhH!Fh)?V$acWRB;oNG5qc*8mfojvT&Y z(KXpnrP_07mo5QsX>Kwq>k3S9HOS5)Uw5^>?kFbx7js={@W{^=^QIX1zAdNPe7vo-Y5Uw(BUe=7>Q+=bp|*RCQg?S zvb8bR=EUph7kU+xNAA#4`APv=a;5gACh{h4Bz6#f-ACvcE@-NfB;Bvf=XgCQ4(u6P9e>|$XyiM67plFfy-8{6R~7gVoA+k_cxCi&gT;j_ zWBOJ^q^mdseB$g7#n68&Vmb(IKvQ=+vyLmDBx&z#`S~h`g?YI*u81Bn#6RI~9#--d z^>=@iTsy)5tBvda9w9W0RK}ZQ#x-RE0u{=}<6>oFi^M;2vndPO=D1Nj>3_86Q1tHu z^RF}WiTZy4dE7q%Ir-g)uW-g1O(pNwW|)(Y``>4Hqqb+7n2H@5s~SN>zaaA3H`M_AkB`gevF{&;aW*=I={HT~%oUbVep)d8IC9xA z73P^1M@mZ&xXSV1zAh?ENPLGzX_l(Gb9srQ)4Y9_(_7cr8&dhUkqr#z&*}a5(D5HL zT_oHab9ntjXY2+elVL0h(R(6&(X~FsSw=G&=PvA~mrXq+B!7J^G3h2Ah%8_Y=XF## z|J^17A3S`37Ds+aRGpN&D-03701INHSv$u@2W?zi=kEXG8BV+2=M12%jd9l|8fiEF zll{pO)J}^C)EKbUv_i*))gl_a&7mVq&7x)eAS{drydt*y;qbiKwQmlwb z&A$N^^*l%zX&{ z^jV_Q^^et@{{<#ZeQ0dBR{`24|;x+&HJxY`jTgB@hcyBnfgX)m%a;%jVq@y zd)a;$CGFsmxw4Cvw_?`quq01bBJHD7;DR%H?#R;OXPHPJSzU@^@B9*w+kG}vA5HR z8MMSl2cQfEyhl9Gvb@H#a*j+catmAi@qF{YQ+)x2B!WOG zR0lJ>n^d#q;NM!}bNRXdjtae7Yg3!vv{*{F4e&nAdl&c-}XByOaEvbrnpi2ZF z$Drzk<-zn>Iy~Q4)FCeX?70mt+;LiZ{m45%pX&`wFQSV60 zLTcAHTTRDW1?S32nGpzwfe*b5Qmj`juG76Mc|tlsfgd34gZg(D|39yU%TH8me(L>g z6&Lq=o$2#eJy{sP`|k^we}CEw+yAU(f7br9*Zv-U`cqr}9-a8pO8y$d`V$@gr=r6w 
z9|n*>@WeU<9u*h$SFE>uKT!@>lpGvi3)0&5>6ig>5Oiaw-*-?Wt#a2vC*d}m_IbjO zvtrPGnIXlV!u;-b55m&oy2wA^y^*HjqPKo7bK9?Hc&~gd-1X+}s5e>Z7j0L%{Bb=M zz)d!Fy9c?gYkBLDv4fn+&M5_<7{Hy6Hx9I>@7*;6vWJZ5+M3=A@6jX8dcG zyM|Idx<6|@(sklo@C8oSRX)gfA!n|N~q=g=B$F(&^Q-=x7Yj5ze!~VtU z*#|aAz9B_p&P{201CGPTz9bqCDS9kGU=n&-rGmp2#c=7u<(m-c)9C)PZhemj8GCaJ z*4!@z$ul1F9@+M<&_OLQp8bLV5^pgnU=6Kdj86%u^fC)l$x_<>U{-#2@e4VVJokFy z>enwk_jPseMSjxs#%%Tp@?sC41}&VC7HgCEB2>@-+#9Ld(dhjuMfn9=XuyRgF4?gL zJge`b71xN-)^Ug6=>FByj^mOoGh1Bz__t{&O&jI0XTkxTfBVkX*tU8^3I7b{$fkb8 z$(};?WzQY5ST#@0d)1jIMv(hM$m$f7IVZ@O2jiwbseZlr_%vU4r+TPS(q6OTJV0BN z-;??oXaK5#xif$OrXJMr)I@vKCH_S5BMyi{iNr~?y3@-xSGyOB3DD>ZnTI3kMuUt4 zxKHo2=^|(#E2~*VrkTA6q0eioO_;L5xZS|^uoI5f2@lY`%cu|P;F@jQOk3MxNwhj;rh98GO7Si7A=o@3z9ePZ$ zjY$a#Xtci{GVh8d@*T8w5)TM{D6Ti2rV7<3xmubyGq{Oi;|oCztEszry7tkKGT zh41Y_ELZT8ukY-r*vWg^#Zwwt@PDx6G4gdy|6z%Lv?lpf)3tK@aYQ-_&bZxtEbRJr z!G8OJxyq9}(HpO8FRwT$A9o+*?)TWA{v$w-vhH`i!!v(_zu_De64IxpR z<{9jqTkNq9Cp3S^7Wx>FC9k%2SEu2Cr}-Vg)f#5JHj&jyZNQx<uYe9?G>6bYz+iiCR`OTTOkBj2u z^VNqCFfLGt5^BC$UJvGh458cj zg%)yZ9k_SVs$0!>hC^^Kf{PBGT3f!p8FyReiUDT`5zc08Vr!#?Zp7CjK}#ApI^z1e zgz_f)nuXjZB+U#s)2#DB&Ds9lwKC{by+*|VzL(H)ZX)YxIq8gnGr+)SWC1;jEAkhd z)zlY!$K=DTpFg;eY{r7_>cb+mtKhGF7>T183FE4Ig{NNaG(=Vne zkIXYBE$dIT%GlWuH!_vKsUckD>&0$8eNrjBI26(&^x+JU1igx(#s!W0YN~)6`u_&v%Am>(gg|#}1Cq6>IA+e_Eq^P;f;aK2wYqUpO8+Wa5fgilF|0 z??t9j;=xXs@?@1xpndE3FOZoUusP>P?X z_=!4%2_=+5&_kNX&U9UyMDL=7XH|ZLdG*x|2z^Sm?HTnFsd7urrZ7BjP~&cc(%13N!Z}yIF?`N~Dk)q*?#=V9 zna7aGrh~TN^Mo6dyP9g4(+;wVEkUj+P4R$m{&e$}#pp^g+^~CKaY!hbf7MVBpTAob zCglekoGS9ZhQ>b@dIWViE!CvO7<~EMVZNq7>&4~pTRmfGg5=Ck8XvD|q1pacCBL4H>R+Yf6?dw|=6Gbu4`-fuB!*;w~!P zC*&~lATc$$<%`+&;~;hmd)|NeV4;TnOo&vWShxUGZFQ~0INbByk<2@v%0L!ngVuCZ zJwyJjGl06?lGZ-@qvl4ZbC)9)xD&kwPFDBq8zwmz{dtEmDlkr9{oMDN@vZuWBbyuY zc@rjMpQTyH-t`FpHPv=7Us-t>+I~{r0UwIc#$uFeN7gDrXkfrzMZsO)GO&TiCG<469Hc6TFHrHn?Z| zaN*TY?yM7d;N%5-5Q?5jfZ%~C%Z+3kMC6nq3%Gh8`n=hnVF61`%qSiTd8GqC%PxD| zXVtPIv?4%3v2nKJLC(MpSM>UL&<=r=6*?BOJ1r@?iM34*Y&ozK*J7Je&Sz3}a^SOW 
zKY5V6_jSSAB=k9LYo0Cu_~J=*ZNw#rG2t;(O7jk~7xkn)HC06_Vwq}beqSy0`NHVZ z)-ZJIUBpPC`lKXQB1testM(jWnYlgM&T%0q_1o4cNMI}|Lr3aCt>%;L3vp!4F6QQ# zkdMx?c&BTdvGQ8H^FI4REZYuW1!eP&zs|!Eg5LLA++_W`#we3$Ett8fS^ZFNtSS&& zL@m=_->rOZ;Xuc&TY1fB4a|wjM2B%;mlCG)2gC$nTIH}jYtxhyCVq=1U5)Uxi5)!n z_4=L_kvn2iooRq?N#2hVU24v{NO_FzmjVm6uqgm?uMi>ft&|R)t38CX5nF zhOa~kvEhB39_h}=vYBCK8q1ajA0il=a@`*V`MyhV7kKiMI5Kg*zW&ljah)NX#xuaq z+S*E@5R>cV8_dBnce@Zh9LefFrBGFB(3y&26?Fy67PV!IfS(82e52T(R#(n>IkYEk z^Y&NsYB&!m)1KBviS>wkyZzWU1u9;#)ut!CvV;I}{?u`^Tcvfn`;HaD7e5Td81|df z6U@{~dLzWfpt^zc(4^6wC0!YK-RIHIk~xE}4P`heyEfDDImxaTp1IdPw9utx-{6aqxa%54peD zjmxtfrZ-4DyzFGsqr|PzW%tr0ag7>)d%tNyr)Cb!O)vE^>uk78yhNP41663pC;0gx zpa0TGBY%^6pVh}>Nrh@keE*}^jSbpItQ73HTkpf283 zUh2cCUY#FY_Nu+Uz%%L|EoEhebgytK({0eG%H9I?M@5L*;A|HM7933gy(ef+RR5AQ zH<)Pr0ZOWLrSvD>9pcltZvU*>9&&Ycjbj4hdEx+$_L1vQazXlezZd5`7TfQaYkWE9 zm)@?k&n_1g9PGN>#fmZ9sl|@==QXCx#%s!|M3+zFCVL_2+XSv$avT4A1N^s2LWebpc8-1GRqzD&&~e)JLw+ z!FtRqA+F}wbDhJx&m%tL(&|Up6j(+-cdqgOY;N?1@}JfcB(Xn`6;qm`75I=o;-#js zSJQhPqNR|ikxk1FIbNLlO<7zzZ2o?cWh}}20YEu?2+jddB6P)RQH`x2DPiZUySNFY zL$EH(o&gXDw^~T-{+^ks9okQ8SV`@fyZP1Sb(h|!J%x6D1U5Ve_Wn4L#kiaxGEU_C z0Xzp~gq6w-lvUadm4gm{k~YoQjGe~X=I<2xItQjH2VA<>ZjtIxH5tJgZdg zk%CD02PZVz;|(WH*!l|#e!Q)8 zeYBF9Q&U6fK>btbmo%jxr{RMaS4n-jhw3~W5aNP}+TwMP6^(Fu{Cx#xS!X`%{1o)4 zyx?_HeQ?`{`c#Q$`bxX<3zo8I@hrY&+S6)icm=+9V3~1-$YCeh$3*XylZP(MeFbT{ zW-?@%xM6=kRkFRMx$#7^7?k_E>*JWSZ3$#+sz9cZ=HLz^R+%!^tViY;pZKj627F$ug z5KrKG_aoTY59Q?UuQnV~Z=Mqt=An90%$ma}TF1jIO>t{%mLzO{sP}0^Tmx|w*3g^~ zAwqD*dOm^rtqv>n6kfzs7r9m%1%jDXTg%PB!IQE+o*5WR?f+bJ$ z;O?XBI#|&`L|QCC4y8R0?k0+Ss5LsMlHR+~-rh1TnrGMoH??*|YXPv_NRRFer}o5R zYahgEi?VtAVHzf1pXA6C2|#ZH&q2zKu&U)X`ftB;8erw1>)AXKZ6vmfu^-8wYLB^a z)FP8YI>zi;8w@zJwvl^Ldr$!{B~gW$#br)w33@x2_ZXE6!8#DNgmk!a2piX z%{^*jNK9*zNe*oUZxV8yK{mn;(|o4+C~S_tlYtvKe?aeh!w07?}JRM z@X?4S4p8u^<#m^Pw8=HRRsBT!xme0O2v16wa;#S+b&;QTLB(NMP(NuuS9KXuJB}!f zAy&DU*dctJ#Ueds{Us;S{_}nlI(%0RT3K8uI1zj)3x*wRkw9uF_%y#uWIICR^sRCj zQ?vy>XL7B$p_W9NJ*|9W$QUJ`4fb*GF!pfFilu#;A(@f!$sS14Y72f9As#VQcoiGc 
z3uF6!Y(7xK=^dhVVcgcJDe-JY~_ zii5}0u_UF5lm{#N-kc-E`^yU|Q(;D$9-DBF=C(~kxCJlTFMHjrr6O~Q^cN0f)5vza zBS{+-W*&70Xw0cVnI~#VVSs4_4dfm*sEd0H4K-C6$VLIt1u{EajEXYG0pgAIdLqyH zv%PTHy)qw0w4gKa`{rr9J_P4U*&r~$v;?HZI;LzUvZ6cguc;B zzM%X}sjgsPovtnv+|Jgw^1(1kO9aA)a?kCpi5Vx3cJa;z3P{s*NP(40iOW-H70R}Z zM~wMS_WEthN`4zA{6iZ|>LT%ElNtH*Bw=CQN}Cn4$BW0CcTX#o%~_$GaBN6VNjcOj zgYWIZ4@V%K4{r9sXpmTZq+5%D7cxaHE`7vA*aI;K=si&*j;n9>7jfbzdkW<-1w~Jx zF022GyY~!+^Ns&TC6OQ^qDKjd61^l^uxvySM6~E-^|o1}uUI5RZ$S_Q(Ftp#M~_Yf z(PNdht3}^cH+Jps-2WG6=Dd66nR(`%ne*Zvuh?tuy(G_m4+*-tXv0F`Xeh zRM^0whO;2kH>)hq19d8X6w@Zu;*5C0tTdxu-0Kll?fj2w=TP#6esMLpIVb|8MA9Hm z{os|J1BtI>x67+#LCY3*xGp-X;1SRTKgFyY#=9z0QRwRR<|~7`zb?wUpyOQRYpsMA zm1PK#Tsyqt+lJ|xfW5#oJN*Zn2_9*hQ}!}LQp+OU5`t+&k0XA|;C*W~~)*9{}eA;CLbEg;0##$dC+D_72Bt$t(jj?XNamGAAvOZ zzn6!!HL^W?jWxx%lm%%MqN(4CB;@H7QcgU{bp+DY9tUo0PpH@{IfT8GjSYIHFd}d- zw47;AY;znWy~44W64Sz0imieY3W=htxhb?3M9QB8~hke}Iv=H7$ucgoJ?yJMTD)@S&q?q14ekeF(1 zdG^7%X=p8ce_)_}b7g!l+Z)Hgfukqu)Z-6&t;eIeKELs5^QQt=2FCv%l^JpQym8m@pw~_qcE3No-llbN!4eSRAP&{rb_~PiT1=nMtoD zKDwPG9mCgf(07oGsZV(a3Rx+L4r9t(?N{)%^?YO3wd&C@Rb1Di&ZT!V@3rtcM6lZ4 z-YF11MARo)A?%6kcxi1ySBx4fS%rP>2vf3CiO_6qY`$f^DEGjoTWss5YqSIR5N8@l zsyBLRP!`|25b%}Vt2nkNUcUR~ z)R#3pIht}QRG*Qdfsgp2!FWTUAMnH%yu;y}dtm%W1Njdoyg@I}p_oLjIo)}xU>xsrwI_gfKosSEW|dqFPU*Z`9))bEs)8PT z({rqsES)rv$#dahqt;Gs0|j<9&i#PWRU>Z6g-7z`cIaAo5@nL~F5jH^Y@WLXX*}qI#A2=>?yaU! 
zlf{0YsDdHCUvyOHBjGc0RjP6~3hD>>(W8QsE9{HE`)}QG9=|e3VW9lPFm*Zaq|lFp zdqceAUoVnD1~lUirJjLC{n+gOy_u264CGpxTK9dY_YLYL{W)PA~8pG6kKL>mCoN(erxE2)wGj+>qBEe{3rtC_TjZfXkb7mBBl#dF}P zX3op2e#}7sqY;o2&z{MG5F&a}l$hXF3;nIrZ<1ScBywOKy}GqlPeIx5=SmjFKur$@ zK(*P?Sex*kg2?}x8_bwZ1iB_;~|1i zLVU9fc+x68>aTxKI{R!$R3$w^m|a9WIAKv&wFzoF{S^AC<0Q>$`4C$*Nj}R)Xz_;5 zX{CUq<9}4pfxqw5P^py4=GXrmCNc1q^0`B`4x%1GQI9x<@9JHap5WDyOJVW&?HTB* ziKe`qh%xN_EW;3?atm5m!*U8CYAF8Tn;-c>p=)VRF>J-x#Cen%_;F?Eti=nNyU=_n zeK!z1Al_EvVRgV_CZ~~sG-Qg$FYk2(w7yZok=fJ*~&_*py$R5 z+7hj$rOoq^)vwe8Qkg9U4NJU4SU2VUw^~Lrn3O7NTthO8u_Ok&)1MprKPR_0^*@ff zN&K$rsE*>KALw(rUHmXj=5?RHoTnP!x0!=iHD0?&sT%+J=d-?}*W1uTMjzT=X&J@K ziVD!&(AKbffHgp?odOOJn7*J$l0knM*QEdG&9kSq6T7SV!IXKPk_KnkBF}r3lGm}9 z1S^KC&{=zxMeaGQ=@6pRK;WDHu2@O3tU@#lR@xPRh?7>nL~22^YwLe^&Um{ho5%yH z&D-q)hRD6?dk$@?Y4P|y@zebY?|^$(F_DPS5=~f*CU(?#<8*Asegah*U{REvhHZ|) za57S5P^AX3jlw*D=5!;nf>=inBr-g2Wm~SJ@HP{~t$QyrRL|?R>`gX+G4GCPG4t)G zE(2HcALh~3M4Em%&qry(yY@yya9vl)*9jbnAn{cgwC61U_SF4WJ*c%feL~3GZ7~;; zetXS>p?{ojj&dgPe0{N-jnvQTu4ikx2N3x^!NUo3nw7U;`H5$KC`W?#_!`$ZvA}iOg%mBM|&%&n1kA< zmvp?=l0&A$I0-$(V!P>G+?2e#WW&ij?6g}P`?#^C(=tQbH3_WN6&G`ALe4+#RUnms z1$ax8DK&{H1mL~`Au?dwbarugmj$@iVkjr+nz z0=qxOfuqwQJc*Z|I7*VUfufg@jIsH1CeynOD5ic#iB*E+dzMyfPx@Pzs4`gZOuXY> z^`)x5ibx_!Q_z6nl}91@=JXn|m%w35;7Dl{SCPKup(a8MhZYe%?q&1*detbsJMuEk z`NtuPyr2z>n_?LHyJ z3yAw6w%3BD@1|H~PO4}&H8tw%DkyyAdG2!0r{gfY(9qlM-^o9^Sv~)-j0rm!Nh@s1 z%58U@Cc3C)A^^j@qb4(*oL;=8tT#XC7y2k#=MSBQi!<7(SMEZCr=jv(UiR-arNR*Pd3AIXdf{Qk^paH$Shgn{ZO*&*cHRb`P_2_}Zg%r|Lq1!(U$8 zg&)_hq}wX)#gJa7%wu}O#2bGjl)e%p2b2xoNh4rRw9nM~93q~^{wv+*_s%FWcQHxl zQk#T$Hin4W^_-?Qj(-tBWeZ%inRj>IojH-_v>=v0O#TU|rT z46A3*<>fIPxNdQjdIFRi?U?=P_9EM&Li+qO)e?ik3X~l23Q2z+5i|!fDjLBSu)(GK zIvI0lPgJ@4n9#^+pK;DKx*4QfK1Z@9Lqr|(bs75-#}28&vb=1a@~=QC0fLgme|FL! 
zbY|O~aMB5eo{C)_3BA0+SudtIhLhArscIWP3jZt)8W;H7WbkN=ip?m&qqDC?aB}~R zepbw`+>-I>IeK7h`OH|vYhNJB*t#g8@kZh`h$sHx3!2Lb(u{vRT1)p%8k6!m_Dc+x z7PYUJG;4BrasryJnHA^HH?JaMIQAYOJrD2^(yR!301@OB#)Htag_RFI*n24dT$)U6 z=RSa-8EG1IGA)CR{t!U)=)uSd1ps!KL=M{1EN8q=1;xnVBEcVpFeugb_9xi9UuaZp zfF5Z!C}w5!G>I2t%Q6mt!`b$R89xIWGj}{*Sy3J8)DMXH>a{25p3O?Ln6a>THb-$y z_Kp~0x*UJhkgxC7I#-B zFB3m3bKSP?<)!gabo(z?v3#zA#;<$arDu(I5H%-0IXg2;%HTQbo2 z{GiB>!T)v}$=ude$Y5(*EAytry~;Ev0jU>y9bne{vGEtq`I-9Y^Wu4T6l48G>v2$L z4)?)TVEFV*U(qsBeO9==q2bowERzQ4!+6vl|5@Yxg%<3HR#t zx%;XLZ9VtCSQ9h8M3TfpP688ubafp4M>SieB`6a+l1QV(Imy|1(@K;Qme4rBGO3dPLtg7lEKXiuZyXTX;pCr66Q z@cog|msNE$jJZ zUX^(C?i)2fTHElkY~*74TvqUXchBp?=9C>KC9~AQH~vrD6B#H*rwUX3PkyQkyIFV~ z#df6KeUNPaCS_1hm8Q3g{T{LZ%d&e`P-|(AcG<6Gz8qP;56@4TG;c9y1{|&#WA3lK zrbPiMMu^}lgaI&CWWwDE+}T49ph|lEf_&Bm?fes!U=^2BzEBxOj8@>>hN%xwt{uzP z+qnifYsDEAdHaEN`ES2BbM-xzz#%zkxg4V1mcQrL;<2arkeX1~yfV1gfCXOlBE5$q zJF|*^YG||5j1EP%0XAbtnj3L(Y5s1ew*8s%ZrnO(ExN41@TQwFD;?$*@fdXiB-a1n z#)3vr&33D41GAO;#K`T8=lRZ+g72R`P5dTU{Z;+0v+0OJk9M}w?(W%97qZ0`Jzj=DC@)?)bhMI|?mifJXg({vC69xQa97T~)uuvdbr?wMYiG&NvN_jE=Mdcb7u z8MHAga&Sztc$y^Hsx6Uh+uYxz)JFr&9KQ`ZmL&`6dRBRf?gi8|)z@{TZ&)w*`LFOVQ5{DR(;wDj&tCI1XUJ_Psa{jI)VnN6u0 zg0b@-!j7v)8g5kHU60``3Wx4^V5e5=@X{%b4Aw?0wd{MGAB;b zaUCVE>hwH*d&4!#;h{>9Na2$L`)jIVm9BDPvoAeV+7tttGI!>1){wEjnUSi=q8%V| zQFlDld#Y?aB$zi!lhxd(2Z%PI`v2--8-nLz4GDY$()7e{7}}WVUDWPqVPp_GY-SCy zaK_Mv$j^Nd6mWYJRg?pJbw7RaUz!0?m^F|+U#VdVWV_~(FE-skT98ye&{I?hyk#{a z*yWH-J>&(m`8l$_q5750*T<@h0c<}_4E5U>M7pzoU6!mPSk_M<eg?-!fB8g|$!_fNS)0Pp4k*NOXaI6W``+zC^d`8el^ZQ*}{ zLJM~HJTY#ApA@}FikMYy%GMxgE&@>J7qm*h>l9D&ngw66@kl`G)l{_MO_2lN(}wn> zKg!?teF_!#GFcD)dbuL~a%W6Y8p=rgzTy*xrQ#Hzkl>3c90lFsfTI@hY4hRu4}Utc z(Bu^GE~zWQb$uyCzjw#Zlw?H~OJ7w?B45G69xmAG{SkJV4G?MAGW+44Hej}o)=Q&y z*?2HeB=7ox=fR~g&vW+pm)qZAzx~QeTaLnN@!$c9)I}k%MgYRZ$GBVVXOw!RNRGXo zOSRRK+|UluK5~4SBh&AT=;t0Vx%<)%09GTs;9+O|V6O>agmaUmI*{v9W+NO2;)CJn zV~uBpqLn0FGNzww2pM)yz7)JR|9NxEN{mu3k8fkyy?Zv@gGWU-N;5*OvT`fY2l+X2Xku29jmI~W>boZEd8fQr{J<> 
zxR|7dQEkMt_R8XhR*nZ+g&%9L;g)@?2QzOQ?KhZ-!Blb{l~p5_io(04)Yv`qWo82) zyhKP(0rRiS*09ts<*{-iQVYFk+l(T0wi0it!~TM?jI~ROa^DvYBfKc%eBabG_3GtfaVgbH}yycZQ@bAmX@dJGuR z6g-~t2k#!#?U5A!Y_z419tGtsP-c?at}SH`k5Px$VRjD~cc<|EWMz5U#%zeijJye4 zqQ9Q62{RtNzPGr!c690%G+O`2X6210>*w6xtj0m0@zW9__g8Wlo`>sxK?Piy+ewYI zz{p0_1+%!HmsmeL+-Q`2Ja2X{Bh9p%Cz{7R9ZpZ7JHVy9%T(iTCx#G|$2AF3Sw#le zJ*`mlUj53gtjsjq;UH#fwB(`z?9}6a>Rnz$e5#C=r3~$PX1r%fS{=)K>ozsxTnb%) zM>)|L(`#jr{ZQ@;Qg&Q~K;p_WvED^_&QGI_eB^3|9R2OPA3t|3n+{(o z;FTh#SL~d}q)@~xcg~aB@P{PqUuE+stt=Rnp?9EX&k0)j>F4#lmCiY#z}UCkp|QCg2$A;Wf70PwMKYk5d?PMP7L~B#;sotZS*8WxbzF z@q>W9FO!5{h0i;#p3=^?!>T=(1qlTy67nhBP^+#OlyJus0)!6C^L8u7gw}CCgIR5R zunz4>{j&?c=}awRN(a%M&_fS}jS1(&8CRsq_rMM2eT;nJo)=XVmMT@Lsa-yo`BT1H z!JW2W%RvW6^+{FD-hl8=wFVC}P zu8wLnmnXBf&$@)PYIWJmTWwmgH;*&aZM!u?5CinfkZk?}RNEt%&#gMJB(AYBT zJo+9Ab3uC!^n==8&OnqR?m1A#s2+-k73H76QIGr%d}N#`YeU`i=`8!cV{AgC~F zjkf6q^UlLPYFQ12&p)M{Jf3?zFcJw6O z_F}e@tZU~C;NB$1tiOMY*skuExuX?t^hIbyU!hOT23g}%fR!Xt7zyF0F{uD-RoZyb zH4jR{c#@3!S}@;VEvz4-{o0zu>xx=-rjneCjco51z)V^fM#G=|Ej07D&QNrnvOV@3 z4;Q|W9R#_N1OaA+Ig&W_GNI4U<2)<&BvjUR$}Ra9_*8S|{j=1}s|4i-2H9Z-8L`wn z@}`leI@9t6EX{EsOh~4t`6td<76gdE{%OVT4 z@+H3NYVI5diimgoE0A8-t_o%N)Wj8$7#taPP!~#hun{`dobT3M08mR9fBZ+q-qj5I zf)^UdY5j%9U7)(n>US#Tk|#e6l#Cf<)-|oGnSc5s7AGVA*GkOO`IG3hsT=+9t9?>4 zrp*hp7GIvX>YzWFxX002x0~fPEdC!=?juMt_*yBk7FxKp)jC29=?mlNq5$?HOs|@a zdPS3P{%OqSzmir{rz>1Q5x1Faq}oWlo^~pD^AtzGWeuRbYp1;0JO0-wB9{ttE4Q|8 z0~u*RH|m}IhIE3n-FDHC>zjy=QnFfb zuc@9!2BM%<=+iEZh?td_Q^o#;6aX(z+iF4&_1W8S)6VJ%As@O2v&2N5g`wV0 zzN|W?j#0+=E|Y`s0==y?G14G!Y?5D3>(%ly~y*Uq0(^RSR=e3F&t zP!pyXxiO|}FLOK(bacF?-Uve#(miK8Fy_IO$v$PTbdPeEYRBcc(kk;-{gQ(aOMkON z40jm7cKfu2VTb)k)zmo(c=2c$=-t6MVJ@bdY7gJIb@+9PUVI2h_(Rrq zC?uj)xt|dFlRC0ukuDQai-(`~W@pwLvc`Zb0VaEfVB17)oDutIQBf7o)^vTb=(WqxU^Ikn(4Qy_b^ zVL?}FTWZT{PTy*K#FjkH5OWHiX5YBOMz&8ws5TM!$bu8@gTU!&z;aQt6w9!g*RYTf zVI%TZCs8^(ehL6QOaP{IK#@D&0_Kp0kV^0_IF&w`@5(&dB_YPZv#&7eXMW9}86ib= z$p-I}_84ZGLp+M+G|S@LTfIhIK0B^M$K66R&$o|fcBiC0q)%;#2FR`EbLr@kDS2DhL7U$- 
z{`$TLCit?B;zgq4vR(-CG-$MwfgrW=7iTGg++pVZJSel)-1#oPO{RH=8#aI1=9 zI&)&Av!tp}KfPPr_bAq+l8!VM>Tg9FFZ#QNuD3b}C_IWTCf$T*^`lKon`0>gR@;#I zFlKpSy}T?Oblv?6PUCUjLllOu(E9PIbx7iS`Dn(gJl+_b zN+jUCulM8VMeP|nZ0`j-J$PPieS;_BcC^`#!B!*d_L$395nT@B#sg8sGIVpO>T_^& z?N6VaywBcHEm3G^oHazFfBhn(5kkAeq zIPLX^PlH!ReL5oX;-S`>{p)9A z3?90k58L=lY>J%`Q>)>u9CPTCW~Nk zxu;EiJ(0Ix`KnJ6&qx;V|LL1iUx~h<;n6z0&g#j5y>A^& zC%PGTb+lw^ntigdvl6rP7<;+?GBAxXXslElwhHrJ=k z;wIM*8ZCIaEd}Ytelc^hzWC$B9lZjxVO~lq*aaL^nTd|9gspe2?5pqjgKDi~_ zK`v-gi$8ew*?leQFZ6F;EB)Y9(zia6^=Oam%TnZe$&Bs|q=?QitbNeMu0=po z8iMQlEUv8o9E-e7byHNVp`n$0>mu((K`u!AIT5o8NmLV=B0rIrlp5@99qh@?^F8W4 zw6d*J`S*@TBEgSShu%MHWU(@1V6`0zH#tot^l$d68n5;!bTUl&r$pzoOv%$P=)d4@ zt8COxH_&T}=G6QF^|$y|B^VLtI;P$&{6`WHVx&-6qTLOx|28XpAbLN~(yY}BH9KUp z7QM#1tY4R+tmaGI)|9VBJF1D3{&R%I#Os$Y$ZsV#<_ z6j_nLsYitBn;>iov&jue#yr}vhh+Y+B_{?JKy*FHiiUm8hRUK<^L2Uk>T`yUy2qBpb?%1V% zMbP8RYMpRx&?F%%%)o4=8&a$OXF||*jWscbYS1_Sf8jw5XFH=d0P_raWiX5ya$~!R z&vSxfsK2>D5Po=vS31uE{BxpkXH046e*Nh;;{@GVC_pobfB;Mf#g-Lb-itg09ijKM zkhlu?e8`q~9syOj*BKkAuFc=i3&lrECP_<)E5I~39r?NuwZ84E(~ z$pO^*QV(ba?Qg9JYk0YZ4YlES=ex-*qXDPk^!^Nreac#u(DKsK*{Jf)Ec>Rzc0+4x zr6*3es%QzMhHf$4s2_J(p6+N4ppXAqS{oQf-7gJ?OqqjL{O?fVG->WAPv7;Md-kSXQ9`DNqGufNwLg-e5_dqst zV0;+wmJ=?$t52E>9PNy+X{lU-*n+tFBS!_RynR?6>7m4biKRb}w%LDenpa^Q5&!+s z=x~8r7zUs?Pz1KXm(?T@GK5v4fZZ$>51hdr;xB(oNHrvAo6Xuchgf2BLduNm#8SnE zg2WZ~r%|KZ6#k2vuzO@0f?EHst*3dKrLIfEr{!VaIdO>>zID~_eq2{{c**G2*kr9@fqk;hZy0YoQcLBO zDVP>IEI9r0Bc%7@mF=Tp#M6&Pn$GV3&*>r?zNr?EG9acCSXTSn`L3ZrP#jP`M!ZXj znfIrVTB)K_dx);%N-yROY02?yAm6p!IZb>&rypO?JIeRtJh?fjbp9f9wJ&JUcp5Sq zMAGa|;+KvVlpf}~Aw@It**Pt+*m`~mwPV87(6ZlYpKzuJ8%C#S~Pg@R8mh;ZT(L8II5D#0N71ZLgydPlkZ zoi|y#%oEKPwNyK0w=lx;#Iz%wZIKqBehjyyus?0Fo$N1WBvTW%>(E=-*t+QaK@EG)Io&zkXbo($#ZMdQT z6Fkz$Iw4ofcLR-cc$Btrrw^x;J?;FK3ReTioEqUd`nX4Q4vv-Xrj2#`mr_Qjr5a{3 zN5l3Ss$hbS?%M8aH;RR?q-!^nE&v8*k*L4CW98w46dJP9Mgd^g4Zh=^1L-qh_sCpk zf?P*DoF2#vEwkzN0o?WfdC)I{g6PFcZZqTL-JO@3(*Wo6i!>qYVKtHOG|rtW)7;d7 zG7AC7E+)$GG8F-m0I}-)ZMk2TMpt8>OxfV(-i+kcTeK34SPp#rm8~=>_If-1!2}Rm 
z@FHpj=s+UPCt>#+ItZFSmpv`ova$L0g^2#R&x72zuHoWKzbQJuGZFjvPsy*+^7qFg7NJ1I@b$pWS<&RRSt4b?*aD|f% zRYO_mW<&R{u__;h)+Dv}Fq@=aYWd}^0 zZy2yq=G2skEaewn1E*@Nv#>@3T03IS0K;|By|wzxKTk$s;=_XZzA||}55;`T*VfF+ zy8$5Q3eKP})WB>4TwlG`m8(ISm^{fvQSaoiXLtnO7H!D$mYGWV^sxO!X++mhJ8$*NSpGE2?3F}ktfL5xXO?kNb!KP59GUr}*zy^r3-uk~ z#;g?cg61gPVf|qu(+$WMp&W+cfCPQ}^y%RJbf`}-HAhftdRnxIVCLibpL;YQ*Y@I7 zgWWD*Tb_ymDKLDj2*C*$LKufM7|4Odcxe@=#DO4AfxFEfZ}eE;TkND%xwaCs$kz_( z1*j7U{TBKx+Dp!wBo5QiX={S2Bf~%&BDnoU(0<~SKr3f_wA0$@pqKjdd+h^{+6Vi#UBe9w(sM< z^Uo3i5b-K6VXhyQkOOK8W1p5Lb0djgcY2e`&C(CDcNAV8@iPeO z#tT@|9$6OOJ!jkn>LxW7ICVwmtO;tLa|+_^33gRDcg?2e3bi!h?_Di9%j?yavokfT z(Jvv7e%M;7ncp+5`hCp!X9PPJ)hW)$xrLUzDEsE^I^D;#6SS(Ed}!*Dx#fSLvI~8U z&GoOM^|g(Am8SpG|HO>aRZ}t`FE@>cL}Hp!`p0isAnp*P6OdtdQs~IGvr=S`+^AU3 zp{lli#@&ugZdAjtFQN5O{k_6Nbpshkvu?K4u6j&&0WBGhKihTr0$=FmVoYdI#1F;` z!@w5b;!o#GG`t(hEthP2g=siBQEjilE~raeVO)5-lxtDzTNp;~u}VNNz3@7`e*d{& zAH*l!zd)$3mzkYU&F2H{21p%v85cmVlk|0>qL#8+SD7Ul9F4;~4(02A)0ys9KKT0O zuL#`ihEg8Hb4{gLm(3m7Kq>eaHj1{&bA%gU8>1w}fjx-I((0V@ zKMFi!r|`A6MF+OjMut3ym#kg*b&tlAJF-ED}DG$TC3$Ayn!qJ<3VS@OjsU54RuYWuh zmAx9nOY-cN!ge_lJV1aLh4Yf|&F_Lv)bSZcev07*#{cf5frb#Cgf)s_JD#J5kp(Vm zHVNFSr444iKpHr#T8AI50K6x911gE^yY#Th%WkWEu_2O)hdDS;`gEJvNWeUwkq?h) z0yDO&mUx6S_=odl5ZID73PE+t+HVe=NC~l*Yb2xR@qtI5))o~)n)?j?m|!7&CzErA z_})K*B_2*15vnXNJ0=9uUr;kSJ)GC4&7Tg8FeD^4j|`6+xsgC{S^c)zvc})YJ;qo$ zJ@1=#CCtOD2IULYBMhxt)y(pm-#=ctZ4$k6SaTC@?ci(Bas=DlD<=5i`dVi;dr6R( z9NzRIvcg1rm_e+Bv^-sT+Nt=k-Qby`Ow{dW8~y0{$p2ZHZ*;>FfK3^Jf?3>?cVp!I=v}3w*Al17z1(cB8e<|Q8&luo(btE1yNuZ;Jg!f z(b+J046a+)w&QKUm-d7_h(LYcxTc3*!QX9T=T&`i(kLCvvBysmMuW~!2ZX~ zs@;XhV9OKs+k(geF^R#s3{U`Tysi!<*LdgqBM$opaV!2%WXKO506E!1B{REXRQVn-_OO*nWxf4^ibwP4gXX4Mw{>zV+ak#WDt>vWy@vb_9p$WB1ZXmtNXpZav~ zsLuVFsn*t|J1?iInK&FTze|IrM-H41#+L^DmK*WdHHxPn8A+!$x%D~_X68yoXuAzs z$w|QNBPFwX@?N(}neQQA7IGgkmgU9QqF|)vsmSpPA^c z!IB>&^1Iz;5a4&a68P+z%qQJHIkkl`2_M&X)0XN8k8=D)e>QrE^oZ?s#%`%itQ!0y z;4zdNuK!W3vR-fx20ei4ltBZ*^I7$me?J@&j99zb#&;!k=@|{rD$m?NS0iRmh>&1D 
zxf`P%HRZMfsF}jT8O2T>{}YujS9J3(Kh0)xx>dsV`79s!-w_>Kz^!KlYy=fJ3{251 zhiA}lt;H{^v_f^e23ICZ%jY(g>I_*0Ga8yRE&jOvqNEW2{_z=`?7zM;AJxp26^so3 z_pSNwJca-5cBrMyWg_&-$hHKOR^NS7yg+8i%bU5MweNYUIOPRU_#=FKI=;X=uZNqW zq~r!G{R;-YRrEhZYk#^s(<1&$I}F5m41t+PmMtz7Fx4{G3&qw30h0Mbyf14meDEI< z-j!)vdoP}r_{aC(WALu01F-u;L~d4hS-^V`h9fAE zX@VCJEN)^C@D+t+L=Ln5rROyB4ZOg?>RQrpyNSlONs zs!Oc_zP1va@WMCqhnhN2Be+L&F6m;xY)h3DWtxTGX4RRVOp^Po%%yxD(;7YQ$HVtr z!D>@nfBYVfrM-%3$l8Iw_DkUFLpx%?Vu5%Fz#ZCK&)6j)6qBXybD#2gK*5hCyHiZe zF>=>F(!Cv;mo9Yn0Yhno)oGvc&z(JGjgw%KEMu3Dd*01u4A;~xbBjn5-nEN8pA@Kp zK71+~q8U=|HJq{Ag#Au4?m`zm*O}Q@9ivD#07_k{)c#TaXE{%sif&zwX6D_~Rlc#u zEPMVXX7Ep9ZJTTH1$e29KO#9CszuL}sJav@PkF&iw~MGPK57Gr!Z!e{|3K;o7**6E zz;rze&hGm28JBNESlH*w#X?9vUn}jybUb%w0?fFuq&K_iUEC7V*ji#9Zzvsp=V9c= zXopde`~@a^RP!I&9iCq&?7zCdBXE$Iy|CwFp>4&sQ|?tWw5k4b#g)caE~may;kD;~ z^KS24D`(vXFbT09TQ5}r;EbZfVOT?>QC;cQwY*I@DzSr)auvgq$Zk%9q;N4d=}ls( zVcK2dTKwdRUdRJq^nmF~CBbgf=d;GsywHqt=6gh`A%;O}oLqp(By9CdN98wC`Cr$+ zBF^os`jGRg+)$r3XvVaP+yl83_PM8>+g-h;dr{FT`K<%ED`iS-^AWlE7e!jgDichA z%2ncS4UiRdw?*L1mcFe*8HiUA?d2*fmqTC*9Uq@CUw=zIa+a>CI&Da(_6d;S$3J3- zJoZQO6^0+F2GabWu&EyPU;huf>uzS6eLxflGr4=9eeR<|X^FKII=`}>5O%~cFh z5u8bEirw?tv6~wB^zu@ku7FCWYpJ*=^qlr97#}TJcSHm6=ZOxYlsuR!>)QFBN!b!=OIj?ZZtosRHQ7kH!v=v9SjBVD1%M#;0K7b0ZDfu6HnF1G`Eajj2PXAdy>i@?7 e|ILin`;*I*=L}b>$#4~b{`UHR(%=4?`hNgHP8QMt literal 0 HcmV?d00001 
diff --git a/guides/security/assets/ams-policy-assignment.jpg b/guides/security/assets/ams-policy-assignment.jpg new file mode 100644 index 0000000000000000000000000000000000000000..58cba355396b24465562aa1663b91e387cb9596e GIT binary patch literal 61022 zcmd>lcT`hfv}P2P4$=jLAVs=Jml_cP0g-?4xw$e%8duYYOh^B^tI#S0hydHrjnxJ2py+lb#mJTI<529qg#ByCm^D?W+Qz`);Hrdx{pQ#1!)_1d;j^l*np1q2o zq2=Jb%Ec{wLqt?eTwXy@>9(?p);(<<-TQj_j~<(uTUc6IJ32W(cX4%d_x1A+2!sX& zM@B`*#Ky%Zq-VU%%*uZEKBu6tsJNuGti0k&Lt|4jqNTO1r?;6zJI zb0{~XC(+J9$;@F?P8mHwDl1B^U|55E3XSau|+2BD>ZwJrZx?XMx-PTPpEsW4qt!p|5Js+FHl4vNtqEBxUui+3$Ffm-yjcm)QqgJ7;kg{hkkJMZdifFB?%T5Ms z-_X7(6)Ia`K)Sge|A<7RgoUT@G2;ef4{PJ{nT}MYB+SPBO%!%NSO;M=#e-gHU)R+Y z)_h`?`FiQHQIa%~RhrOC*4vv10~(hbvSW#0JVmzy2RdtEae3LM+rQ}U-t|;5^*%}? z&X4@`o$j}~CGy|;sZbHG%wynRQvpG6-*ODfxhXcW^CnSmx^c%8YgpG6!{gz)(h^ri zr{1g0Bg>!mJ|2`M-d;!JB`-hke-65gNviY+IXVZucFe|?60fcb#_9&Q#BR*jSE z;egO1O?yVMk3TF(cx0Po5K`+gE4fa8Ep^w0+M7A(gD8f(R;s~#oeIz`5*-x|Zu%1` z^JyrA-uhu7ZlWg$&)7ge5mc|ResYI)VC8%4TI{O!#&K#(*so=r{y8WW!VX_af;6o6 zgi?LY_Xb|Cgg!J#_SPq%CJRp4oV~&|d`IiLPWsTisUzDy4dX|Tsv}w33wyjxNDlV=!Fzipd zH>zO!VsHE$^!{hqd_K-zI&S$A+*OKorRz0O4%a-3QHaU*fF$}GaeKIxx~ljepsEh6 z`}X{4LAl|KvkWaCKgsYUd~9#4EA{5;lbwxzdPEZbd2|_x<6iv?ABa| z;B3cG5KR66WFAZim}%@{bW^rS{wd%xD0#EbOWi)NclHNtnQl{H2#qyw=BC?5(Rd6;Araq;%; zY4S2>!@H&6u1pDe6la-8L)>J~iG4d}ITCd#Ijg+Db~CF^y=k#4O}swn#{J?XJywYq z*=qDo*OJA)C*-*Q>q1)xhRC7MLBLI=7>(;Nr?U<}SC~!VMw?5Yau~0rd+=^$d zz4~f*Mr`N0KSm_*H68P{l9eQ!ebRuyyRF06U{CPppx#B5$zJajKz@(Q)@rj^%EK|> z#PbK|t)k1TYkn;HZ0wBG5NNm|G<#c{JeUUo=BMWU3mnk=wcyMB*Uv(L$ z?jZ%=zA!X^MPv$+Mpjo0M{oJ~R2%9jxo?C8GmAfZ74UG3bnPe=5Q^Qoj>(@>B2n}B zWAmv12YtL(LlKa2#4%&%X#0g*Hgy{E|bm^<@|Z@x%e7vw*z6~pTinc;*u zyf=~AxBDDK{}i{)9hi!g!rF`k?DfiS1wf~&i|ONrRUUXA*X(>%OYHX2{3=5lf#dX~ zQ3k#FIMcC6FuR&I&KJELp(az1tLN|GaCz~UwUujuXi;4J(^D-yh2E!jOAvXPjF{W} z&Z6Vlsu>o6=b&)ckB>3w0p_YwA|$%$QzPgpW^7>j5|n3UJwnZ=0;bfC46&(H4XK36 zpVAq`7v_XCg&==yS6;o3asBo2x7Psbgo?mLwy+^!nDB-C{sN{AAkIOw$M=xZj!)pWkf0M7$To>kgm%&E?>*ezyuhu+y)JvEvaOu>PG{Yx|_l|^r 
z@$-%k2>xKt(?Xi5&p*{GX>EZH{3>~#D*gu!<>Xqws(^-H?pjI6Z+u4fY@K36=_xg3 zrWlxKB@{K;XU_cqwfZ)`#=6%lZak>&0si{(foSGiuOydi3J(f3HwxxSG$xtOH68F3 z-gD6QEO`er6Rooe{Wv4C(@4x?22^jn#qI%1O5XiIv#bVO&F>U<{MHdq<~ZT(+ax7UQTotGr7Fad(sF zXsKU>(>O11bUNT-iOi{lf)?QT6auX^2E=e%J;B})-hM6q9&oy4x0%WQOCJ}!juG3l zLW_3#?e7{5MQ95_#HLk;CW}Y~Bh&$j)&PIdZ_kBO>V+h>@g-JAec05v?m*Au`t%Zw zC28JS5-BK@;rWK+juxyppdyn~qSAAJd1_>;qR=Ju9Hg~977fAKJH%^%&Z3A`r+10E z2pj>~DU0XF?S&)3B|S4QH(vGf(G`Z^e@6ipi^u zfL|a=;+SH?t^koM4?B3=+H6&#GB&us=5QW7e)!$V$}+vbNS3AB05WP7DoCOsTLKH;7XP2SsKAxgIj5+vUJ zp%pC%{}0m-&OxXQ><@T@(%0&cfpoW5Ti!*wS0j3q`!4Ug30W4V{@{K6pwo?civ)*gX8Q&z~al2;augwk(e~b1_$238Qg^xd0L_w>umpiT% zWU91m-m0d$t$fod!*hVNujkQ3m_q-kc$mjhw4tYCTQf2zv{SrSa`q#CZVP)38i2%+ z#99#eP8l$XuK;Y#R}ly0_+4;S(- z8@__jhiO1nu_EC$YDVa>E0&ww?71Vn(~}(GR*lLB=FV>5Vjy~Wty`7Vio+{nB^F23UHPB-zdv50Y*!x#YCOF?8GtG2qKVuucNSj@X zi5TFCFdATn>eX$)ckgB>ARuiYLp~HGLP8Z!q~~aSr?5-IxO>~54kjBK3zTuRuCPSWZga3#Q*gj^G@FTS=^YboHqgJf zTYT^0>RKV&&zIT3y*N&i7#`B2ek0WPab{_I-k@pMBnw7I*^OJ(3Y*l{;i;tP|eG(hOzD874RGcy=~79_@nJadaUVRaTzwfb>b@Grw~f%L#EuJ z@NG~8abemkM2qIVw%vpa$h-bcPlD*Di~o^2GL!6P zohL+MxPHXdd}5U}y}6)Fx^}qM@hV}n+tFiXYmhxABMGycvnZF(8C@7(D9(-@p^=b3 zDeSx1wUQ5KBHEnZcFm`Qxh@F<(ddqgPt_aS2=y|ZlI=ZSISW1awO>`JTmm^JET84T z9i?O7^`wvGD55eBY0sNzmFA2T*k9XOcfM+i+*bu%e);M3(Cs0GO*RX=7Y8zxI?$k5 za>V%?`{S>T*G^06aL88uh=J(W$x3cqAs@6-%*t0NvwEbXx&*DwX7M)ox;C5fh5s*m zP-^ly=mq!!Ob!3Mw!l5`WPQHzQgV}^8@l5mVd<+14coAq;vNe_l%hcrV@rSVjp!OH zAYZ$2s&T7K`h_&wCeb6#R?TmyfTpCHFzh&JpirPyH2+$)8kl)l;HH7omPHAFBG;d!Cv=+m;DI6D2ss z*qTk0^Ln@%?}drt4*bZ#Yr@doZ{{{Osy2b7@wZn8-=*h^zHBjRt=#D1A^p<02n1n9 z9PUl+9gQJe>3H0ACVPWF?sSCvv4~|sJ(q-ds9$7X<@HH8G^Dd_z-uJBmAlOv+y8Rt zL2%4oX@RaMhl_9aMo{xd+9fm=OcnFW@BeB0Q1jL)C#mUl>@7?Nud9!z>Q6Q#2@b>noxQO@&a(?^=2s#m3Nai-@+T}e09v5?C8Rk#UegT2C)Ml>-zn>CvesL#EF zXm0O15XkUE2Fl7CH}AART-Uj3dVi4L$-x;;0-K+dYO7 zc|@KjFP{SwkmJlJfFm{d1~SYhdm#;cz13dQJW(>gvG}AuPjPJ5bM*c~@qN$-hbRcM zcc%alw%4D>H0#}D#03rcYVoSSbhA@FvQKH&8kvw=vm-f!323H`&=z-$BHUzuI% 
zRKi7P_kk~Ows8~)D{_w%HCqUX(R(?j(JIbdi;M`W<#f0JD6O1>`lW6j_lIfV9pai& zDP1{(2XZf0dU!TGs57&4dB>xAJ1OcW=ZmDB(Yxz8Gq>YZQ7UKWpjmH0G2`^6rF@^& zWsq9vS(68*wTUS%;3vQbrVDEOed3aOWOQXy#cp)>rg=~mM$vTpfZ}fQo4aY;SOvn3 zq;bVGch9wuIC_KC@4I$Iw)8TNLqfh8_Mx~_LK}{%Z<*Ed56Y`H)VqB1O>QDxsD)1F zgpF|$eOBa-ao>%v>&GE2>&3xlz7`qYW{w3(rq-%tM{3D)iOuBBf7`(fL`Gm3oei{B zFF}tnv8gM-Y$=dy84siLsIe38h%)pcSQdofgerxi?=s zZ-lNc9mv2DfrubA{p|Qs{kjdMFTZRSkzvnJ!?3zs%U#+harP$HDPhQ@c>s+U`I?Oy z$?k!$K*QZm$jf1UdC~mljS<~5MSRjExl-w*DZKE{ea*>-;ccw8V}B5 zH6$#7M67f-0At7744i|Qo9sM#5S$Q}ZH46E^+$H%W{B`^Ny3*_L&cQ^4($Z_#2=== zD?Jx9PHPze&C_Qvp~e|Ma106@@2{Ge`{0j?^Wst>oH4(A#DmKshF80KVifa409GZN z@fODP7W=3hj)3#iDT@@qh5!H-SR=4Dx3B?=Y2Fv~%Br183}w{)}NPSr%e zTQH8!qnu6f;~V|$0L2U471m%P8w8!wfwhz9tvCl=d7%*MQ(~yWYlNPSYn(>9J`E~* zoQ~;dey7XR{B!R1SIRf^A<6;LdFo@{1xTA72+mkKCQKHHErME0r1ES8&vdMxMX39J zwI(DojAbxq*%}48uxYuAIc9^)svRPhn-RSb6l;I_pDX z@yZCQ+~jwOn7=wW%G2 zWF{+wO{K)V%QAc41KF$KKS8_Tl$8-u-tn>K zEZ?p5R8p4CRmmx6@vJ1r*Ka#AXgl|s23-2ofD~jrMylzCOZb}Sy zvWCqqGmsSipk_XQ1|nQvAl2Qoj}JV!?bZ_NP;CvuKTls6?;)IZ1e|`jxb^zjbX|bB zrd}pZk}jNsq6)v}EZFn^WLWG^Skk4eD;%bbQNA0`ZUEZ6^Mn>*e4l^vW%?qGp89)~ ziEUu7bSjAn7{)koZ18c;N;T!4gDBh`ew|=6ujRh*A~wD0u`RQBQq%g&QtW&B)hnvp zh6*i{Mo$V74!o~~&E_)_C2E1ehf~NqFY?i61xwJFO;3%D7xMkix|XQD;Zx;zRcZOc zPO|9P-@lDBLMYt4f(_YwVT@;mNWoL>jlknD_KqnRZrkBYi=BmqOB%wTNi{ODdCYROHTAbGAvuB#cMAzT&*4&DH*-*295XCm zUrVmCu6pN2#tuoKP>JuYkJaxc>`Rjae}s2WZ4^mEgL_uZ)br?e*r+$(vH=p=Fwyz* zPUKFuaUX#Y_FQMVQIBs$^BS`rIWL{>LVNczffu0O)_8{BoCG;d?@%Ac*fKkE6(hrQ zKYjB=lzV0_H~7kpOh#TKpX{NV-D7;~wI=tgcr_`n=xFk8^^xHLK-8!gLJJ*WV0sJ( zZy>U*tAd5(?8xC6y`t>mkZ8>9nVl-_R{GzUd~Wo9h#6E6m)ef`oweRPZVyL$qjJeb z*c1)rEeL}job{J`o+9q(UDwp%ymPukT|e@M&|B%ZUoH#EWG~6m7*oqb9SLPXDApk* zc(&IL+(%F;O@^tu5YCJYoAiVgWxQ$Ph0J7VD45?J|Bd9&1VtKU5*VEq4rwL&b|5RC z!SuVZphCdQ0#C@T@HmN^@H+?XKw|T*Pwsft#61(ViQi7=yQ@3|d#X2j*~6#@f)MFh z=7kw&ccUEQQK6pBt%#`3_dyKFhs|@R_snNguQa!&OY&~e*9uOjAx~Z9(Ta@J+e&3%RPl0&Q{+Ez)7!X9yCQ2*)#&d_-H| zi;w5ALDjW2YD_hj8yN)=22wly1vXdi{Jo#SKvW(HUSyPV?Up~%)Mhii`tQvo|2N8A 
z*e6AzQ+a_(LIHqwLrb$j9eZc8S>4`{H^Qfpa@&ijU=W_YEt)Odh%tp`&`aVY5c%{o zksdFGvq(S&VQQ(N4!wMIO^H3S^B!^=f{&4p#79p*Ih`7Q&y3{QK|TeN);i06Y6!TJ zMDgaW1(r)eC#5k*ED^5~5#xrdk!@Wn^M+vU9L>+ia5_@<1H<=Km^b zbm`?@?uRhDs(8nF!8FV5Ts0swYBXqr60x+Os`8GynSwJv!3duJ5Hhm zVhf26#@D;Xr8VZ=yaUyv(u0in=05$CQmlY8r(^DP4`>SJ{K}D&yjiisbBkXEE3qp} zJvPPts;1coafn1lb4%+K!?&jX7OpTQBF(Vy#1n_t{^~XsZedsGit!BNEol#%_gVQq zIKLnrs<*nmQ`Er~9Xy7=0RNQ=6DOAh)T`lte%Csk9_|nQNy+ak#szTEZxE-9i!Xi3XL#GAkLc>#+K;-an zk77#&9#1qW-c(U6_e0rM`n9ofR8;#&?%yz%EOU*hryqC#3aTyWWU_ZfG;?o^E9@9K zq^NuCsvXW=MrvYMERk+>_thU_G(;z30@u`Y$Yu z-a{2o(jZ|5u*1||gYn>ZvJ+tjSc5;><5PY#+tq&G4!6EldwR|(+{kt^QC-ltmzUg= zF?%i=dw4ftdH$$Awf;bZ1t>ke2l!(1cl>cRP6D2vg z*V=LOy=`xEcJn2_SPr89au2AwHf|kT7I|1%uZYStzF4_4%G{iE)}amYD6W!rsosUf zlVO^y19WM;8UtQ>5PYSR4@Qaqt(X%NQ42%xiQ%S?KBTe@+{n8(X?0VM%`0D)C9uru z4z?fS#KdMp8d{RYN%t8gpnji7N5ZTMfgE)?d;F!Ax)ib9rUp1?o?^wkp8pH830Y1J zE0Y6yiwy-f@#a*i*Ap|x5Cydhm=4vRc(egHF-!>$CxcZ{B>uWtm@azb$!rZ#Je%y! z`hWcFSD%t*OBA;nqUd)Wr3gxW`|2HM=S`SaJ0OBz$1ue|0p=>8myo(>2F7zxH>*20 zZ`0y>s!+ttV~!Mr`Rb~p(o%DirI(WJ?t&5sqU%~gI9aUS+U2aDm{p_ecVO3mFhyp! 
z<)z|!d$LiDB%T;d4>inmsDjt@e!(K^oUM)ai?n{hZ+c39pI*7f`8P~@ij3sELyC~i zQcwqQ#GWykXMD}!UELXNzmXZDQTQ@D(1P=kt?pB}>WJ{n#=KL|V$*a|(4FP-#>YK~ zo8NqkN7^-%&fde_Dw(bT>-~h_*!~?J%wG4RL=WD*4H4I*4tdyEkDFe9XSVH>wTT568{T7UTr9 zEkWp@pH-k=B$w~l>`fF;-CXTYZc##IT?pBzT?kCAc!%D6KA0zNJwoG(dz;i+c4*O6 zDVQ5Zg6=BsK(6~2y2NVrBQA!%NWar8PK)IOl~#VAW!xh$D$yKQ8t>mB8)}H;#ir6j z#nqqB%!NsA^6@pKA7uq8xdmi3-!SySy4G#HO62(YsldzEq2Tb5S+55CZ+p?jKWKO1DFXdQ zAfW+Iu@X5C^(DNWm6y`$i}x>v*^bwGuOg@Yd7sUU4lozljlFu|^uFLtADu>k7xMtC zhBYO)g#6zVP1#4EI+FJSV2P(PVL!W=VIdX3<{0`o0jYF)7wV!Ls@|B&x|I{9!qE8T zdj?OtW>Cq-e)r2Ka~JsR>IU=7mS6d9N9~|glCN&!>=A~$L zKHi)2kBzu(wVYSsE(6E6xV(&Q1w}GkufGdA9paf{`gtO5_W0w@S(wA?hq>;v8q{Zn z*3>lv6L(+rprEOJW9T}l@p?6EzRuk_E1G?0&Dclxl)eD7j} zUCb~XXUc>U=?Rm>HCL{*GsUUIBw`>;L+;I8jJt82I@2*n1UOzKwDxd0*i7c%`mhSwo(iZJ}x^|Lp*Ghbpd9KkBuXVE^l$BL$O*Nvo+o^slk4UdkSEqv^*)5 zdvDrw*-ZL)wP0U7znv);H2Uw(BaV()%225M{N)Dw$`yy$eC{x2z+%OvfA1PhE03l| z{v5>lXBIU*@Y%D}%?CByY*Wce$MIg?w~G0b<>$bK?#$8qXBP?*z8C%dIC7oOm<%Dx z{@=h5nBEiF@uy#xso)-|Nd$5N3y&cx_`(B=IvTC>3fU`13%W0e^S%~T^Rf5A8lhA? 
zYEiN?o;|#=oJu&{U+OP%O-5)v&QgQ=eP$FA9fqhIoP4N zbPnokv;RmY;OOsuo|X?8<8qg^H7J$%u9i7|={+I=!Y?@ZQV8^h=54lwgV*@IdcEbv z<&&K{NjdZ5W>V+DTK=!Ce*3E(IE&YQb4a5QH;lT{quCeO@#;ON6xH`L7>g{`cNQ_O zSU-QJB=2uq4hH5%2}s`}fPbUVtTW-;=5hVTOi1_HS>OA)t6w(*@{m5()6rJG8XjJr z57jE)iq-^$NdR7Uy7!tAttWSH;IC!$m;7ak&%&=z{-_wv{O+l|9zng;@28M!=w~h;O6?9l1h(sq!d1y^ZDcFga#up2I$TL5CO@8I_9RJzTMs)?g|sOH0`^QaU@@wdO1A{u zm00dE)3bIbe`jRV8-sr)>W%y7r=S4*aSG894Poi7u^L1tUsN~6e6#)4__ERFMd6RY zFsEek??2Mndg)6RQY%Hvp>JoFXBSLAO)j6Dj=kyRwA~7}=#h@q5XkNCl%Dc8Vkh1) zFqmnd@p4Yw9`b=DdevwDs^2mDMzMx!Z)kK(0ch~NFq2}U5@{4j#X_#Yv}e?`q_R2+ z7Ceqkw)0W+;cSsJC|e)5 zKAi)r2(o@NJ9V;1|~bR*f!nBqeb&A z3p=AeoO|2jww;j`gO<-N(Cax|&QHMtN^{Ya&HG9+&&H^Tk6JPea79ZT`1Qo5a}dW8 z0Dqi2*vuK+-#;||+kguU%i8Ui|LfRJn^xt)%>Ussg~E|iOqaX#1!#LuYPBVhGFSC< zN?@XtRZFU)zj~oYFootxnz`l2_isUeI(#Q{_S(kPvY{f= zGTc1V3bGu-X>NmXm)-KX@x0kdYRXS5-6lf|jiz?6?akSaBDt((PA_gzI$e2rM0RiW04H!7L9z7+^FwUua~1PLAt|iV=H*EmBs$Z2$H>N`ZP%{k62$Q*V^3 z(mm(671P^Q+$9)KF%RQQp~Jd3;_PZyxT-McTZT zpIOOy`ma@(3qwS;88zSXE$biT2x>3t&`yP>c|&ePL!f0^q$AN6HaRGj+4gn*E^pZZ zeFMX?sML&!wj#A?LBbt23wC@jAs*+wjYXfT8w{v?n-rL;$@<>2#ACJR?avcIb7g-1 zPO94e6V_&V$MA=@L;)~41yv;^xCS((gMVt~Z@Sc&pjWcwPEX-my2nq#932z7U$)y;PjD@Gy<1HKBpJkY49l zyec5+gV^nr39jION!Jg$;^9r%z4=ipoUuoSA^ka?&AFK500{j?b^v;hzh%m9NdX~E z+j5sr$<(%@QjA`+8ceQRHi|@cvOuxjOWb%y1jol3*qx4Sqn}drvfodV#`~Q8FR@2l z(o7#U3!+fw=Uxqs{?Y#NBb$jSnRoObnp{t@xuPWra7e6&=G%@Vd8>i8eFmG} zlbLomp&9PzFV?+RUI(Z>w}_w6{9To>{)6%&!z&0)n7~$7<6AQ4@I~!jt(tJ@SQRv7 zVt=e>D-ivw7TqZJdoOlGwok7&bGe13H!0^t3lqDexsn>$$!{oPJ6)qwF*9(qy)8f7 zp^u?^>9ek%HGY3w_XBa49jb=&sKx~*HP*&yT>UcBsD5|SY{FkOYG&4af=1vy(@WjI zl+W7EDoxgW{t~Nytq}q<-*!5v9&2demiyZOs_A`}x0l7=I|p4|#rImdcXDQ!e?-SV zIDJ$VzR{0-+iY{^i`2kZgC~EZK0GFIoE80^f+^uDd$9d&AC}~sfk@%hxEGysa`ye8 z931uT-vxoEtDY>ds*5|LOBz24V&f7|A+w8h;w%mxC#T069A_U%V!Y3m(Qi*2`n)-z zi5Q(ijGk1}2;+fuORM%o@2HTQw2lFfn*J)aDL%Q?A;Tt&EZq7$JT@ z?N^j(m3E9-r!!@^2jn4835g+z0WqTxo@HqJqs~~nz8sf?J&p0=7cp*voNe;oO-BS! 
zf_iADg?UEC%@c|qcr%&A1>xGvajq`u2=zWg$TUyZ`13LuPgd=%4)NJqa9$CTmEjL( z9};<;b6Cp;4FhukE+!K-){hZWJI;-n1^g;SagQ^Fm_P8zGT2lP7h%1(er6iwT7F;e zgU}O$J8$5+BGEWRD$)iU8e)qJC?F|J?lpNN-?4^&dajhd_^Z08%M}&JZv5@)2c@N| z{5W`Ha`a&L9s|lXPcUzEPa6pF@OM@sie&SF5qTTW{2)$1sn}X>qwQQxswwL&w zlS3C*;50T+s_tN&=;sH+ZiQA_jubz%?hmn0n)ZR{p6a{=jXkw~tM)jkc9?wT;ww|- z_nFpxr38{NFl^LXhnrFvtrp%JI1@C?zt^Gndo5~`%We979T zqdC|4C7w>|x~*vD=X=SP$Xp$JodAmK`sD&`C*RF7F_>ogWRd5&3qZWd8@|X5MIxepUwNS42b=!x1_3JsHF{suB|CAB z1%>Ld-pY~31}@msG1g(vkZWm|-i}DhR2TPD6{(qT8^e${IU%18%@f($2JzR?`Fdbp zU<*A^TmWq!X!8q$06Ct1U9s^P%UKdjZogwW#Va*j_pvzX&vSMG*1SirQ&{_#d0_q+ zUbo-VYG#h;MQg0)_%2dP>Kv5heR!`W-NrIc?^#`QV~+ZRrd}1Kmu2|HD3b$l*Pr5R zW{Bh-ORv#EX57-LVJq+&D;?v2SwjS2mlOCPky!hDjOR09oK#J#Uj>0#VQ}tQqV}cgrMYTz zF^)g|S+8hvMLePTJz&(VIUbTkhBg$iJadvnJ=}aBs`}6XZ+_aJO~|g(q_5+tbZJhQ z)$K_90qb?)AGj|OWnPOUs-M1sspGx--owO-^{|Epk0Kvu>!f4mzn=VVvkf%4@0iJb z=E?Ahdh`3J^Dk;;_caaCFjPJ*%*8VVcWjrB(MVa6%OnbAjNy*^I9}?h|MYm7wm9;X z;MrG?T21izkXchUv~1Zx#Xg}M71o>2UIo*}XRi=7Xn|@hJPuXUL}nP}#|Ll^boiFn zWQxy!eUcSoWm}T_(u+=@pIduP?3G#bF4$%3WH80EQ`jx5%_0^i614KyakQ{}5t@LR zf7Areje9Zk{r=iD5h-7;zqzSzy;j1QNHY+c9ps~8n8Z)mBcH$uH(C^L#=^#|3CdyQ zd9HH=&swzS&6|SMfrIo(!}a@xZUgy|5YOcphbtNaHvbU*FHND6kNOB%oGgE4XHK41 zs;MG>RZIUSk1D#8qTel%R^RgXq3p-`F0q$i%v;wSno^Svm*6=;Y{kgxV5BLl46El+RM2g;0e>?&&;9qkx&mJ+v+fq%dSux}e-84hjfP*<;4h6)Q^&+~ zkVBO2FKLJE!yXJa-)`q_2d4Km&xSeRL-X_$!}V4k8CGNKa*SMB_tp56rq!H%G$L1| zDe)UN=%?ZU09jL=qK?GJn?P_D0fMGCE^Kw2J+E zelv-KwBSJ3DF?-PGXjBqYkQ{mZ?uJvl`L7IHjR5uZ)AZ~s=AmVSYK zn#ciQ(OoFkZZQmmX3@dnPlNurmcLJlou$;wLfHOwpKH%8Q#7rNuP(f*(za-P8+h+j zp5XG;81@`Ut_qt)rQ}K{H8M~Q%#a{9>LU8n8aF&R4($G1MBkOP=SeimnpxwjI#!ye zuj-x;G31-5{JCL(vE%t_&j}<;_esYcx9xt$r*HML*cf0u#N{N3*JH}iUk;kQr30{UWoWgMpg$NrP$9bSAYnzK)uZR23hJ&Yb-oF8t=<>=gh z))9TW*`S+Ob}VqadsnLA=j^Y1CWu#R^f`!4K_bykq>r;wNX4%WDP86o9Fxmf?98Dy zoU45ENwV~HqgS89U!Q}T9bR|2c34Xo(bguHoNAZOe{P$CF;#DH$o1}{ z)7N$RV!xpWvPx2^$N$SeGYLsB0WYIHc2A* z8^xZ5f4CWnvS*JQ(gmAi6eNH6q`#!PLnA^?kZR}#x|;WTAt0zoPtF;sD^NW@MM`@& 
z(!1mj;v}oELUXmM#B#g(bNcUsLb2yE;khxGR(6faTy*MD8F|^Vk3QpSw~tP(w(`V) zhHE5dd|^@w^r z5~yAoV}%~0v*VjQ9S8HS0xmC~O!#-j2Xx9!m&`cJyl1+Rkd>Z` zSpXwQYNQ#5%WB>@eJN=xJV#{}0LKKxzVw{zRnaM~v>$siygGb4Wq{^+G-tr1U`4d| z+kNU<`3a&K&U>XR2}y;g>N^KIvOUH#=sHX6i*5YMGJAEcN?Rfu!d z>?cOZ@+cJK+nZj4BcV4V@h$__vtP&JXZfxGg(V-^v$+oTp+06%@NQH{q zQ=WyPsZ#MAK-ZlRD*$jAI z6}Sj7t;Cdvk3c%(!spSi-l$ZC2%x zq~6B~c?*+4fg5af&y8u(uf;WMRMEOS!?<>=d3~VcCm>5pp*nH%^AWH3u|dTC5F_6% z%BIXQWo_}5oFx4p3bDlq*;a?A2RGNNP3+BZMucC0%c&MneCR*}#9&TM6k|wBs?`F= zMuz%Rx3zrTgn!5sFI-4SRlJ<0;rzGr>BmGcD)K9LYzp}#OAGN)34;T=ze=g|M)I&O zM>74leL(}c3s?R!|HDQC)p2oM6K?t^q1<8r4Pk(LgQLM5*Jp$#kdHkJel|{4Ee=(= zW#`DkU6R%afjQmd-N*YH7F2Oxxv~b&{+nuE)<77TkZR!#e(1bPOgogCytaesc0xU=J zI|0;=8Qh`0147K4;>@{jT+}vh-){3K%;U#W8XaQnnWq%UWIp#S?i=yNcU_R39q*q; zEK-?2e+D`{7NRu|tlLE>l+}uygJPBe7m@ALBBE)eeP<`myu*jL=3}7q=jBD)SCVQzCj(?297Eu`sMQhQFsrp0eUZi_{awnvPh?m)9$hMFoj0mnQGLlT8GZu zM_;kG>6c7bkJi}={`VlVx^+YNw&5EyG^eArap$1Rch!i2Xwa3>m&2-!m1Z--r#M_w$f`sK zDYz|N^&4wa`NsIcX2`&~kxpRY1!XhSJH37*GDqv7p>8jn7I{<6rhEiz;2kGx3B(NV zWGHMK)6{}e_CEI9;4>c=`Tq6h!VY%BQ;S?|dYFM(X8jXrf4!l33d!}9ue@5Q;!jQ} zGW>1eo0`!(BCgMRlTx&GalM2$xYPlL=Z30U9aG7N0X;a)GS}HQ$B_%SSq5%COa1ZS zjnWNW!949p6{z;uqhrsSs0w$2DXH^p>@CCvo}g=q0Gu_l$=KJD0FYJ&q#JnpY9VK8 zZkqVj9mI1RC_YQ;ON*PksTlKo{-D{%{_m;oIcR7I#&Qm-J##n*8BSO{#gVyWU>am< zjEYWSkZ&0jZe(|-*Dt!5z=##%)>x~E{vUuQThmh$P@(w z<1>2lAmqby!5d(Dd375jvVW0sXWBkh=jbtOMSf{HwenFbYrR!u$-)`>>C)B*i&+Oo zkqM?$H7jp746l*djHgqhq4@x2Q;&aQd3)33X>!c3-rCWCbswQTkMe1SQ(i`!dmSB( z4IzK~o4$<64tNRk*Ck&N^u6*g#ka#se|GnB`|q>ur#q{^%~T#Lws$m=Pvq1o(u&p? 
z^~0|rrB*%~*)~io7=2j)ymh$=MfuO)lSZ81Q{`sf<#|{1*FtLl@V9drqAu6Kx2gb% zMIZ0DtU%&B#hZQ}E?S?=TXcml%%R-d)ORza4xczRUfjHjT%i&fUVJ^Ke;E8Ks$fU> zsgAyN{{p!@nN9{xJ~54jhM3|wd*BI#Hh7Oi5}8a-y17WyJ&;!8KI!k($(prJ%P>vB z>ds%2K^2)A2`nP7cUpdX|Jpe8VBmU}Ywdim!Ow!1CrsUjN~i9}Z5pkiJpHb*OLPtz zcU5`bjk)hw5Eg*v%dCS@x^XwV8s|+_WEbI%4sa(0;G3eO>3&$Bm*yo{zUq$!+MUJz z;FMxGUuLPToxZS)jm|_%!i~)DWkNgmF1=fMSwW)?x`BAR{Mh+wO%m}4(8KOXSOXF` zxs{Q~#O1_J5dI^QB=FOWJ`klpr{24`^swcJ@q_Ap{bk8zH{)Ui_wTOf>h8U!c*Ivv zjoHD#up4;AG)!e{6FBOX_SIB$&(Nh`LCxZHf1+#7L1KI-ZqMEro;I0|@0>bxgArrB za4^hZ9CqDJB&F(~M|&_NzMkCXzza#S{?NIZBewf%yMW%51rS< ztsd>ARRJHpcpf13oxB?p{Vj6WXw3pD%m2oWLPs8z&7`QFgY4oSPfpAI21kLL9J+J8 z0WmVrCnfg)c#YeM(+E}A9K<8&;o zx`mr2+AgHm#qVGr?Uxz*+E*5m7U1*>wK3f5iIaU6967o%yQagB63#)oo%K^MYQWx^ zbiYPu?f#~F8%e2EPk7sX{vr{w61yX@vWL3CU<}w8cV(?>z2~2L;V&g{aDPhDYBo5i z8Ih)~B2g>e4|@86HNiL6r>T+D^}{5gW3Tpzq}$Wg0N!!)!S2nApmzpRF$RT>SYBO= z=Gn#$EllWooC1%Zf!kUN&lwx4I3-P7P0+oY|5e3zt>kSLqnPC;rJm|QLc&?8yf>Lv zNG=^E)f{y(Y|M~&aii}m=j-sSHf~B6Z497jSj*L4JsKA3$)SbLcx*3s_CUyTEMYbq zp&>RYnPJ=!!7ICI;Bh;Dm&PmV`I7Qg*f8sTA?LplX(JB*iM{uZYO34zhNCE=fJpB| zrAifPN=ZZn1Ox=7mxzdz2$3En5JBlpKtMr=Ql*RZmPiL_(joLvL~4Qv5t8`s=brPO zd!BRO@4jQ)ao;<>Z;a;;7+GT^d#^qBnsco==WqTdxd6cBpiiJqe?Ve78pa|b_LyY= z?`XQ`hOUs&@%YWYTW5+G<n$zAtdiOn(febV`ia2jnNv z(Iu`=x2pUq^q_4#S@?5vwokNIyQDaGPpC%VWsOrWcRda{LQkc2%z=p$K&8U*HE`v( z4i+|)ZAC3{Y*R>LJZ9iF=l5A%7Tm@P@_UNx|3L{v@VA00!Z63O@S++YSAzT0E4OSUrLTJ94-$Y3tY5W z%wJFZbwzy2gGqjXUHYBM_G;Xx7YP}>-RIegX2)>lb;3sDqrV*YarNZpC92wuk0e-2 zZ@*)!wNuJmb;&eRuKmz2&($-CYte~guuw1m%h#@is>`?duSj3_VDN5P!_=mQ{{}h3 zCW{v|;&#c-pV911c8l;Jg&U2eyq{s!*u;m4H^fFCy%Bd(CR;AwIuWXu(QEoa>osi% z;9NLr0Z=XK28$Z}?F}o~v?B61Q(Dj0QtN9XX(siPw%IT4KI7Drois@~5&BsW8adDA z1ABqxOtvAN+}RI)!?C|#s*)^HmlTl1kme?((k~KO-%0QFjzTO7`K=$1#Owa%vFEyGbfWlk(2IM zf3Sd%1=`ds>{*l&sRYLcR5(ht3!NukA95b49y~J(vw`oMr?IQEO-WC%8VK%X1>UMq zPi_oY^10&PLp@23A<5k&8!zfksA~pNF?n4Y&6UQ>J+dNM4?{)q(fvR4F3Ng_ynPEY zbfVm(zEc+@VmgD*5qBb$dfnA*NLw4<@yyA(B1!8CB8F073`L9E$$r+*T@ej~Jh(65)em;&0a3-muGpve{sJL@n73ZRi;5 
zgsc~4xebrX_PxB3;b@LX z*JJgLWmx-b7+zD$Ul1s=58c_h^&3@Q=cuHHhfxy zx{PS)=6G4dqcnkEiS}aVQyL3(ezsdl@_ZkiM8Kuk3&Epv$H;e~kpvP;X7wzE06be*-7O52){=$SL!ywe^pg>+hd+4#&Bp!-d4j&IA_j^5_S{RnRkf%Nuf~ zQ?_dpsWIR5Wc)GD$Fv6>C-#%yT%S3<-Ndiin$LQVGD~bEKrl;#c<#mi8Ngvj zDUd8aqfeuhN^Oy$OUA^meY>*f1xndBgvVkGlsCGj`_%3qb9njs6wlGpB1;F31%)I# zXCu2>(W&meEHR9B) zwsUdI@-586R7*A=yT11@`CD%PXTfSLNlD8+twWT zIZK>07qQqoE4LWY=C0Px=e2G!t#*#h;#1>;>{&zdRVYNVE33>^9a-^>#7pA8fo91lyGQwwwfc z)r$_iMt@-zU|SJH$EB`Fbvsf*C;A+gzu!3zX}vygM077JcK$HqVlQOHrkCFoD&`j$ zHRT|~bMnFQtIuTWYS3-Q_~$e}YbYPeh>R#Ft8}8de=>ty0oE(A5Q2szAoSKlHQW4+ z;%5h^`DdNRopll&O%q%B)iSYp<3L;&5r!2am!Y_Q39j7M@rN?9u6OmD(+sPdlZEVZ zCpJ!3MK9J$u)MX{i<_om(Ak< zI3e5&e`}`Gu6TfO*=05G1C9)SV&$7is%?{tx)R){3f|(RLtP{1EEF>f8-Gm=oQ{L( zgdg(ehDu}+0*m3r73|%^&FyK&1TF@|>(?>bVK&8&4A!`w&UaLi3gXno#oM4vE!pd- z6SX)tS&Dnkl!3zS{F`GxB^>@R_lalv0>iydq-#y?s zwuxo>W5y^=G6wuYF@deew|K_Z*x6Oe)uO@`A4?2<6psJ3$W_ZGHa_$6%cioj?ibH> z)qx7v#o3D+cX0K!pDHTCwq<3-U+QwOzLOs4Lz;ou^cIfY{MG+g)WYI{LFZLKTaudBfwe>nRSDnOmH|3@^?=--URNP z7k~(%w5c!9PEs-G$kdN(!Ga{&gaTxQ8F9NLKj`#?b^}|N$k$Z(qcfBKzpOhLZcGgOm{@+X@K=id^wC6{Q}mw;QvatugU?eC0MQ;$K<}~>^~Wj| zUZgTwR1jxN?D>Yv%d4lPoj#7rEE`PahbvXTx^ieB4(`yZ{9EBxw&-Y67rkwZ`yBuO?=qIf!X}^sb`wbFK`PvwK@bfD<=d;k6p=ul# z@;AtY93r??nwCIerpJ}>uvyeq#S;#{XM=P~7T>?P(R8URCFwHrQ}E^#2{=7kkY^E# z8Y~254C#5xPM)DZq)_nfjUU&2T*i5v>uVTKEhBVVXbYr?^OD&VfK~Gp9B++!kd)DhW$i|N^ug4j^u>%RD z7W^#UIg7ea?nUR@&$>2*6|^?Gx^I`}x#ZV+`UXbmm@?cCIAM=$0V)xF9b!{fdn+czy39M}mFAodT`mc!-Ogm}my2+q!WIEnktn4)hy{Pbz% z!#6H@=dWr*92IWvUMXJeR>jIwv-8vTBdd~cPRNzY-6xHeMQNn$#Ctq!R1S9v>Ds?| z-92@z%}G2}^Ma^NfXJnzGlPVJ2qhV3-H|Qd493RtbJo2<`7r@E3jBl&?Y9iSzLmokCX{$7N~ahS^HZoz+hc13m`n6XrKN zCu?7QmN;o!_VYaGv&8XK6UibeKP-ILhN15aVOGkzT8TFr10}r)#hQlZuUMYrbHV>ub0n~ zS1Rw*t+`4L`0J~n3*2k?bKgH&L2OKT14k=|K_T+<4q(sU%gmA*{&^L4BMHXlI=Ez~ z3v0G19okGa2-sXoFiNrQE0Jr&4juwY2FWh7HU}0NJO%MA} zZxc9~>eA6sl{y^ekl1jI(~dvO>=oP-OBa=$B-mJ6XuECN6snLl_8E?; z;eMvbXv}i^Ftq}Sl^lsL&jYFqw{-8M623m}>o^~RSK=Sp34>lPSvqa-(B`fA=H9v# 
z21pMZx6SiVE^*Z^W|~h}j)*;qH9UR3bN$Is!$+q0g3wsHvkMlQdij~JM-1)2Y5Vw< zxcQjPy>hZ)*?h+k#ZfhaBC#4T&%yc|OfPzbAg@N9_EA`Qh_*ba>pu@~Amp zl5S^*kP5kY$p#(oPOvi{-)NB`Fjm!ukBPk1KiTM`rX2}DYZ%Lb-XY`eemM7nk zJ2#hU9;CPD;$fpT%C497%ZqPV}W^sCk-xv+hI(a)EsE5;qikOEaQvwi5^PN8S1bp_lRBnTs2E`r%!pqRFTF6 zbi_|s3;^`{2@acQYceB=6K)Ywey)%k3E>)zryRTNSs0Y zD6e8?$({hQjRv`X$)yT>wr9yuXEm^JbE!#)e&XVA)-9{?+py+rygM^L5Oz{=6$T~g z1P+G5IICFVuqQr|RKn!|(A}Ql_3oMj$jz6(!msg({}M6tjL;DXdHc}wxj|-^4@6t$ z4N;%sHu4z#5W(j58^jPS3)tf>99Kewj5tX-Gl*cYb;Iy{^(bSIr%a{p)!{P7xNT50 z&z%qEQYXUYqcO~K$prt_a)I@Rgbp0DD-A?+-;OF@I~;hk6lX*53FaSncr%q(*VtSc zk~KBju{s@@8Rk7xXxN)scN_EWbbkbN@S9#y@i&@D;mN-o?};4$fAixmgQ6R#3oCE2_Yze_jz zr7%p$i8kwRZ3zIL5*@3q61XI&(qVpJ4>p(>@ulkCGrTekaC%nrZf)gyb0le=hqEQaAjRmf0gNzKr{6`bXkNb3P z8^}+#I|$D{-Ta?VsP{TZS?K3U-=Q3e zO&#TSN^ZmIipJxK^sv3fXq(PvBMzhLTn3wWH%6JOltv3v6&)!<@s|EE9g`Qt|M_sP z-lJkUAssHIm!tE`_)8xTlfeDZr|1_jt}2%Jd1fC3H`#vIPOEM1e2q;n;~RIeDpvxc zVeVdcl57yKW)8lpy!Tz8;%phJ7;v3*N#Ho}zTL!NjAAKEE0(vCPZ!QcH#s+iX1s-3Cd34sA(h)yUj@^v|FfB z8W^(Hwa3EB@}!f#6s5M#=1P9soP&S*^-v)A8DLM|zejNs=?e)Mb{P86nzf>R(8@%z z$eg|hV`gIUwdI6{)1}?wHm})kswHVN74UQ`$rroe=f}hJGiSGh-CWFZj3`eM9S@_rDpEqIE z0JKz3x19?ph;7r42ZwnxqB)H(AQy&Ks1 z$?6y_#)6s1-IYdRaFo3S5!$}yJmP`k&32i)*zhUFe2hNMML3=xNvR&4 z&1dcW`sEWS%s4fp7yK0*f~l%~j&s>yzOe+9-M;!}kSN?(JL&_Uy|~W2F38j3&t$sk zd(C3HI^u?>C6pcKJ{SS8-v$fYk&W-B0U%LoSd)r{Ii5Szx7pX-F~k4W!=%n(m#-gn zE?9+p9+1~pa6`=Uhpt#-uFyvQO`uRAvynD$GL}J~#tiZXz&R#*A zomqKS#K~1Gh4W^z!wY%PyB&v0Frl^`%0lK|?Aj707Tjr!qg_B5OgPmMgI}G?C}*3V z!%u5FDZS%W&}B6&zqqWuEdSsg9n1oCkJ=c_P2nObrW;3A&l-(ykIzXpt^%~Ed4Y(W zHn~fpn?#!?b2r^S&Wy$@*#d;?~8UpNz%rao;Q#%w`@k z@;q{=eJdfd&+%#t;UgdyWIV`%kI_qLZ9vCD&LS0-&SomtE`iyt=D`s-Vq8_02={@C z`GJA~=aN2@V9(&1g{XvlF3I*ie{6_iizR|vs%6o3NceN#k>=LYwg zPZ}LFFnGA(c}Z;rNTR;9JJgxGIZK8pHQ2!6uSXvwN-w<=c%>tjPL?ujl*RUCH(=UPFzo6NWCFOHFLC*m2jE2Pud53cNzqhDVQrq`%Gz zBD{Y*k}^X_p&5hEQK00Od@^D1v%R{(WRtl2Vt&;)Ma|X4+104nXE=HJ9YRw1NTdFB z5AXbWk*xB4KOB)|i*X@S7w~q@L8K{~jpRl`rm)2b1-=O0+USYTXcl~Aycw&m?Acnk 
z`|wuI4+t#Fj*KW&mpekBE|bza+7^P;+WR5ciMx}nHn*FiTlZH%xA*rC%Fk72xe%wb zqs@IMr|4X}050jMr{ZmhP4rgdd<7ceX5z{P28e1Q>v#GRDbaq*!l?c*p5^#UUvj2^ zdUp=j(h)$kKhS36Hvm=^t29!L4*Lz_+$)bwFKGP@0>L}ymf9ekM`zY{4VYM`wfssI z=RC5vSP{Yp=K};j*YmDZ0!V4szy1a}l?L7+^OF35prmiOstQGPFlfn8_l_Ogut8?6 zcXdzvs-f(Iu=beabjOcx9Oq<)*#I0&>tqWOJ0UihWr%WT0w{ax+c*D|DZ8toW>WWz zU6E^I@LY9Wszz!3g_Oz1j}u-k!58PZ%!mhs`3^Y_vRoUGIs1uYC0`N_a+~|A*5$CO z@WDI-@oIoig{f%eWg!#Ch%eZ3i|TjsBn6=PwHy3{N7|9xXiW;wSPF=UQCA|ApVUPk zcZtv=ZRah8IEW`P_rdVBH80iIEOSn>$ffpuue&dCnAKDOsCzYWgwPegMY;BVV8^HT>lJ^5dKA!+cEUiBl2E(fzt^KN#>wxgm$$zba z{GSLh{nx`w4F_Ayi@0bQ>rOR-lcGy94plVRIrbf&mEr7IZtMC|_Fcb^=ov@fAF`aU zBqA^hu3sQS33XDLz`4uP70muKflFIy8mK6XE5oQiUcY~93;*awj>kfK-&8N_=g$J) z%C1J@``v37yuLhd9+~%EiXi7AP!=mFYjPZ6=fq5TTeBoh3hwTil-Py`da9& zmRIbRhnw^1wo@HD5)J+E@wJZdf+Dm2|G%HMv6y@g983smzbWoCQIok2e3&$ zI}Y)%44Tr`Z`X#+QqT(=YY?Eh1F`%wf_I*bSUeRXjTPJg>i&z`77U;2?d@y@{Nzlq z2v?IyRJ_u?D5Q)?6#(T8aClr(LPYC~v|4kcGyzMK}B=qBAZOVRq7smIfS{X zpwDq%D*4i@0Qq0YGr^iwd`Csm<)u>dX@^H)Kb_&Wza|!yQuBz@`WU23_&$CxCpx^h!vmxkEPT%v@;wX$5YuC`xNyOkhN@kzQcsNcp8j$l7)bKKnxE?MhE?XK%M5`zxI? 
zZ(=oHwh2v~5m;D>hi^7WSv|OmhmPlawpBObN}=6kMonriKw$~cU!{X1t9j71TfQBm zGP3Ia-bL$NN7CD(Q62!-)CHNUDHDQeC^yS99sX6}%3&W3i(A!XS68`cigzix^$Srf zN32$G6&D~;_eOdl_1XoP0#&e0jj65jiTd&nn3IW-W!}Cc;&rOvPv?-}o{_b?!7WcM zzxrA!Sw0{x#&2QF((Wi9+!#IWFe_Z2;OMz>oKy9rpj1yVGsT=Z2xOEwP{&6p76fK+ zTe=VC%u0x?uT)h{)bbU}mmzPTSw1sTCBnC!N-5dd%_3H9vNuciAr54%Viy3|k`}G* z45=t3!&|cyNu|%pP76u!W92itE)`soAh{FUac$4agqgoaA3lwiQcYg05SFq`hRhv7Vor@0u)Zuup9Y(#zJ z*fN&`-uIC>strmjv& zV=3&*OrH}P0eY39L%EG@(Gi4Sa3DoxwCNO(PCRJCouzP+Tb2fS$lb`!Ko~31e#5e^ zE__5k$tFsUdG(dqg^F{PbON;7rV5YwbLYHQaTU(-KE-k;P$DC!QzU3dEsnFCVi)L8 ziqx*|jVhJ#d6Y%UPc@YI7|O$ns%P80$vgAm2h30Er+#!fBCnJh)P4k3_%X78XgA~s zJTXS7v)qfP5A!z&X>G=AEh^DImP<}p;-Qs|U6;S7S6!dUmw{q_fa&4sA50G+M3t== zLIOL*eaKfX!g^(Pzm^b*(h|Un0_nfrLDqExZ^5v>{nQEkg=zyqF{gBnGcUggJo^JF z0yTBXnJ)EVdAK)9X{Tm1xe{QpfP*R%JEt~Mt;UawNPmk}9Ff6F!?EYbAK+LE<1K1a zJEwfCQjL{_@RzcgO0LJf019!@4m(W9!4}vjmDWuD)^ypF4@hG(Vpv{3t+W)tBV?F= zs!ttdtJxp1o{_rA|7h&!p2V}4AKqU_6n-eognxgKqmQ4VOj2WmuOO!v(LhQ7$=-@% zwdjOg{xnjqSk6gN3E~>Qu&`QN`6g*`O4#Ou&6Y_!;6x?LLcUsG&f!^wIs*+1aOVKm zqS=@xhUW$tW}qRyZ&2O~#h577iAY}!qm9j6=_}vaT!|ey`m(1JdcrNA3pc!bS@e-= zlwCYsY8SOH2gjsCPd2G68pos0sVgj2ken^a^SO2?`LR8@bGJUWdO!rVMf}!>-ql1| zUvt7c?jl|s=x%OATzxVt{uw8LOa{35Y!>(jPoj*830)`2-ivnD%I;9T(++REE8R^td8x-R_29%8q-t6sP7&SEr7Cuxl4bv{%Ol%`e;m-pGe>@KRdn7?e;_W373t(R)9B~ z=m!If9~=>bua4q^nzbcH4GfrDzjb4XCg^kI={wXgtXvm5XU&hsY|I=nT;1sIwYp)` z40(9fwFGP&ebqL!i%~J+2^~UQ$aMh|)38+=-DKu^q)aaEnCIJCA=(;$(DEmEmWaia z_V^?U=Qf13Y9myqt9F}TCW+89bao$DtSNCUnSU8)&!27{9E45P64GAaoS2Q5D05JN zW4IjX0n(bPDzlxZ616-mmjw^2P7r!h-CXy>qf88;czGr-L%Ms$LSboM;5)dw{4*>P z%31{jleyc$=YH~1Gy>7@$o{6a6KO42p^7o#I#xr@%1Ybrkb-o_1FKIlyYB|ShjCDA zn#M=%dktV(%g`zGemLnML0x;P7#sm`Q~`WL%!{RB^F|nbfITdLKEg#dPl2%!T=Tt# zO-tof6yvkhj#vE^^TJ9Uw8=CmGlg*pC$K>iCO0ktFmpa7%-Jc!0y4afCfryP?|y?p z#KysqP3zcLoBlMDm&k{wJWDgzk6NSki%c6}6F-+#4DtOK`rsK%RZ2o6`q6a431lxp zwg5O(N+PWpiwBwQT%SN73rRPbjPk3wqH0F45nNmrL_kcw_>=k7hG^)-yr>odqYj^h?0JfA8ulJ 
zyu^Z?tW1R)*RJ#}k(Bne=Y3Ka-9>_*59wJl$&X7PqWfKPz;+JN8eX>^l6I`hpnmM!?Wp1NN3lZeaeCZw$W6nY)nmDX)ifu zN^S1jx3pHU(0A+kmcbAp@U-d74dzCjUb1neXk|-3PHVVf)$`=QqOwdufL#iegh_=} zNtjN@c^;xWpv+`k2bg|aU6-WN;g928CTE->SGJ~Qov%xpza@#_&^dIJ5B(zYi|Z2G z)xLMnv4)*EW0&_9cF!k&VVF>2)KV-<@FcieE_|~J7YRP=13gVq9T!h%h49vnJzgAB zH!KeD`h0+X#3T|urWc4JUd3(SdJjT@|_yE{6HQKT>GEvy!R0xU#&(To}5B2z=5W4MbJNu{5bo+NUtqa{fHbZt?btZllcsY49~}C*V+C4m1t<@UP>KwlmrP`K_e6RU}HFTU#(% zh#!p1_ZviUOZd|$=Hy><`AaVUSg8N)>jgNk{dcTg^q=0*-$#F}T^;u#$!YBK3gHe%s>y?NoK?6pDA}S@6ybE%E^h}`=o{+}@&#`tJTg^}aLdWvuJ&U66R0PP z*QwodZgTm1phsLu@I^RR7W;(n&U1TCqG)ed{(QfS`3Asmf%ctK7WiI-?1K2|b%N+d zdV$_yC8KV>!bYqXUMZW6F3Ik-Lt=-`?C|IOv4>6Uu>#ApuguDh);E(302Jt!@SHF7 zg(`qk8Y$V@GZ^I!U+ug=C+sI`ajfgZ<4~w-+G1DKHxf(4f&In2m68O+lj5(pVofTx zUc$4eZ)g$#TN3)2D1w)K_YN^3y2_?tL`f~c5%I~cmxs5$>Se;*bk9q(2%~$u^_P+C z7TBsL(h0xuCo|{A%C8JwOQ6}{vX#6DAAh_zz2|04@*B#>8oG?E4GrCBl5ACSsN620 zxvsy-t}ytnEN@|Bvpex{3$%fs?m5x)Ldn=ab?!DBq z$OWkWrD?)ny^+yrHNzUst>u~*<;}ZlG|Mw_3z@je()Q#T)YFNdnU>@>LMKLWb~_Qi zf_EAB+X}DIu8s5B)n&N%L&Q(L7F01Rk@qSAdl;{O=z?JVK$dESk2) zT|0QW7R;xeXZ#&PYU3lCU&j|^g1?Ucu;ohmQGMe^{PJ7&*0&(N&z$2f)++^3RR$XR ztv(GExG-6nRpUl!kM}7N6({)SEUkxf1a7_?6~UWUR=Q2-ZQ>gmzWX=|Xp5T+ncDV< zjg1WlD%Vz4R=|O2gse%F+0O$Gr7ZTcE%~(E47q5;!0?d`v{Ikb-Cm2YXLW0Lz?QX2 zdFS!HyE&$L)VDUD8b39s`A-F;sD2Eq$6NSWtRKlKeE7V_asTNViIRT0zg;!^854`9 z&Z&3VmDNygS5?`10BMq*pXplYwyNpis`N!y<9nR{)u_`mM;6Id0%r~HIb2fHhS5NI zqMUyH0)P8ybmG6r=pIF@+!|?d9XlqsvMcQ~9UxoggzsPJjJC=+15msH6(Xo!B7(+f zaU_pIkz;bnciX@mr5@F@eh%&hZ2{Tq);|7T$sv6G-UtEhNg}tOCGnV&$&1{wL|IR3 z`ea zzHcEU-S*dY{o8L%ZaMt@!*%*Uzh9tp8z7*|8Yh7^UH|Q0$-f;!aEQ;wXoCXs(xTE9 zjpKafwm4H1gY30m+e&hAjhsB=4?2ziET<9q?Rnz3cn6xXArzqR0_g+*u3)b(Y#enB zQL1Bp&-~P=g@$;`>=j+{P13{Pph^p$gNyx-q3vM)CXHOYeC4Q2bxapeIKINv;EAHcZu<@ ztxs)|h*J90x65QZNwVWzV$gbObLf$YPTi>31Ku*HS68|{7*TWgFNAc?z5{9GSP{3d zmAqCamS7XxJ4J7?@pgQheMBkPINwCtuQP;Yo34 zL9@NUa@~n~JK81W-Os_i)gx6l8HU%bKG*D<^PyV3tFPZP{QUAA=$hkKexyUp|7`SLZH5et7?2KTuBruhF?7skJtn!j6^|H&Ku 
zT+=g}guB7NE&t)b0Cp1oj~2YV8$xZ1vH!mA1h=Wr7@%^c&q{r`*BM#7$8YVdV|`Db z;zA#lmY(b6)Z*FGS;i?qZwF+VY@3_|W{1n)EX<6-wdbw;-+>3;9}IKD$_*-c&*G!g zro5l$UAcPFdvk`QwkS0cwac)i*^fV6h`YVfLF-K)|DvuZ4Daj$@W7c14eH7P=-d9m zApJpeV77OkH>#qA!0jyT^F<|Q)9YytK^h8!bF=*v4A{c{zsTGLHQozBi*t#9y|z4} zk8i2{y(~*DC=2{Q!H0z35|#~K{yVZMUr-w_a~~9+-|It@H{AW24CM_`;?`E_;NR#7 z$Tbg;RVa43ca)83sso<{Z`L*Q?`A&{6bAnnATYI-dE*n7r>b)O zc%t@uhkWv=niGHDJ3+^1k9wcod+Gj?tB^DBTST3x9X|@aM{9dTn6bBiBKh2LH-Uq`;@SM0Vn^x9MwqVrgX~WB*S+T zBMn#U+Tn0HolN!)fv+TSao>iubiW?bofMTV0^)Env;x?#-}nlECBdQpjAwyMdvm-Y zJAl!}ei6C;1@#KFtQ!l(Y=bci+SnPW=}ZrS{44gR=0sVZYT1m`#y|ljb&%ruB1Vsy zBN3e=us5bT-?H*>{YO;dW;GmOIg10~1;PIWLbZV1r21!Um9#(-ckiS!+If;*{yTt6 z(*&j9e*wpT8d%}LNu0kQpem*CcNqCsv+?It^sN7#w=-oTj-h+_e}pQ(5&EAVMCT&H z?n>LH@?SN*ncm;G@DC^W572u2&`1AJztnK$Vq>Os@@7|H_8fZuBHI7oAfU>(+sbTz$L#-$A)SWn{d@4^@ULV2-{a#STK}FU(E8h&|F66u zU*&%jU;Y0%!OOT{tPOnN-CvzHgC|b!%;;Xn4tfHIr$f6n(6uKYSFW~WG|gZyYsq`Q zPUjO{y(Sqc@jOox2qgdxAcQikCh51L$ipn46*I6h9VLb9gZx`@WjhWlkzERjn;jke z99lmP$tp;#u0tM{`h@Sr5UoBwFNQf;I!YVP*?21!-Mkj%%v~P@1P-;?OUVzEOv}Z+ zG4?6cnqnC_)d^>(u;_t{UOM?F#~KAIlg}RC&i;INVBz{ zHTL-G^RxE&Bt=aA4aSez!E3)+hX3o|wfOMcrTs>iRg{YBzXLZ_uM5r-bn9Q0*nNBX zDfQl}ZI=%C9n*^hw^u3FCmaT6+#p;RBm{B9zm7OnrH3s5Nz4m`NwcYJF>~It%aab8 z1wR90cweV`9?h(rJjj%Y##Q8kt%?}H(>bjZukU>wm9#ezUZ=Xm8eubWC5Nk0@N<3K z3{!ayTD2pC7JVEj1-b@}(5xMobTA~jI9|2H#}68Rv=|`T>aRqqH@ch}-|uRtKi!e4 zot9v-HJmo!a`KA#;isyf*0-m@DJMIAG_VU8_RN+uCcN{+t8}gCedRkc)1%}k=vuh= zdQ#(5Ql|?>cAvf`Q}0qUP-qtDd#UsnQI%PwMho&%xEuYM!AWDw-Qk#CvYPE?M~UJ2 z9`D0lI(QrLN0$5&dz4v38X*v+V3BQ~adQcBX7HZNk(~RTygH}ute%@yIXr9`0i0y3 ziYb5->vKUz_jh?72j}!6`OVFI-y1<&qc)LIq1+J=^OhoTZY}DR{!ht!jHX*MIprXGy+-Q z8%6SQCXSO&#!4kog~q+Uu1EH6LB_L>T)Bspjf)^)obGwxo+YmST{+ zXwP;?I0qlj(jCjcaqfaVk-EMa^AZ5%NY0G->dBde@yJd0&hz;ewbzVYpD~G^fgY@a;m_1B_3* zsc@)qj1HzY)cqk=o*KC+;F;eczVW>$j?I%e@#I@p`qdK>=WcNuZIh=T?n*2z(89cN zWftf;OH@q^_LhUnrYbHa3;GJoG@P@(H{XWT{f!teXD1)F6d{RXsd!}?l=M3$ z@t7)kAq;OD$0ba6O14cVB_=;E$Hp`8=~$^?Rl1Ll5&7E&T4fr}N6W0~EB7wXdM&Sr 
zF!&8;Uces5xV6yRH($m?*P^3nLDR_YtX!kng((N_7=F(O+)(bgsz|HTu@#fxZ$pen z4U^WRB7WBsYd*R9V#zgX;vBaY>qRdGEGIC>f%;+;9-w(kwQ??9L;CF&m6};avrQ-R7mfknKpX~vqBqau!UhoC@DyR2bO@(nV z7*7e5tDOZAOwqk`#;^+%_(1jzRT5ibzgf;&y?XIRbA>lv!)6V*dzV0ct&$vTyqmSY zjw&>rQ8lu^oW=57Gs{G%y^vbqB2lsVbuu;z87+m^R|Rn$s<;GfLzhP;`9uQxd_2-r z0+(KjhEb4`L9VJAh>uCe&Z)Us^q5tK)5a#8Il9MMBiEQ*K z#m)EhAdi8@*LaC+8!ppHw{y8?54fa$5hdi!&>4jVMg4>=T2QMAD)v_6j8N%!jc!|D zc0wucIN;ODa-F9hme_jTi0yR+_3u4du~mPh_)1(6GT<7#1fC8=)pq)FXn;H6RPvM+ zQyPWMpLxo2vJB^xcs3&yMhv(tRz-=JMfH#Ej5j~kF=KnSfW+Bddcs%>3)tF>VKeg% z_F4k`9DzP#eedvbq}?u{=UHvw@r*^L!hUxckM!tPpWn|M(ge#RCtURsD7+pNga=t; zug;)2GV-7o%oxrKl)qOMMwi^RlX>$OUHHd%y6ohA(fvGL>cJ;&fQPusWl$825*jEUf2N2WG5?z&0xB>w{W- zTipb@7dx1*zpy4zZ;BQo@yKMgK?S^j)z7HU=&< z*fQez)RszwSdbz8TlQzZl@yA`MWo)f-Bd_dw8+*-DRlLI4KB%P=?sojk&JQyUAIfq ziHEmyAJ-S_H+~WNpry?7rG3|#DMj#NgJax}WnX0!e3}=f7a&RA#H)<6#+*GGtw8Gw zmzLu1T3>AHv={kMh|RSyc~}4?HJ8?>*f%u2c%CUwjH$dgUWK55vbF*HbGTytqx4{q z139{&^~$95)uR#J`>Ld$xT6({>z1aHuDDzGf#|@tW+1|lsWjFpXa;T46XkYJ1HNLn zi)M#F#-8mzj{ZetXmq#4DA0jaciuR8V<^(XfZAYaKlo)QVBQ5bTNntpU{5eQp`EPT zy!SD>MVM1)idqCDSsf^tw3x8q8YFF8Gf-p6c((CvU|OK&c~UdeItN8F=4U}i46z~3=Xtd{ z>!7d*6_O`uuF-LiTfCiX3R}|4MQVOexYIoTQ330GmrLKwhvRK!th5v0vsT*AQPJ3I zZB(jRW>0M-pE~3b@_am9<^K`K?H{m<)9!oDd++$(@BQu=_x}I?jgdXb z-em7R*IaYWHP>8oKGTo165gDtDPKlDwJ)UO(c5&Q=Vwh@4$7iCkr(cbMY9fXud__T z6WfC?4x_$Pr*hiIs4@*T@2mE2j6L8(D(S+y92ymTpi^GV9NkO%y7oW?CLm=>71$<) zm=edH6qEHP3v&lOQRFwny(ek((4Tu8zcg7e)*o}lYTABIyOVIq94Sr)su{GGXWb%2aoW8yv9gn|;)hH0q0g4G$Ap7F?6HmcEVY!4m zqRTZ2nU5uaG$eQrU#U&XHMdpidP^e@hIRdn9?RZ@TirT-asB+%vAx=SIHpUGb1c8M ziX@3X_JpEUNVcEauB#pq%IwQ#bUc+jWjp7Vz+>*s?eZn=i0Ss{mVF`0Ig-)SExTi; zWC!A=$w0Gm)4rHtBXR20SfKgb^KaJ%U&M;-hq$zOLuz$b+zNvSrkO*rMv?6*+Cxi< zX}d{F(>#$@L$zO4^HVQ-_%a$2GhaHgdTPs7V6TZkcrRbXw_*UG_5e82UU7BFa9=h8 zC}HI}!KiaM&kcu-@!@-HXti|`^*CJ%>HN`)T`}zhL0Qic#-{NhLvJG3ydDpYvzKll zWAT*?qK4|6n zKJ7wIjon!7V_&*3>2(DU9VU}$YzLLw4x}|OA2YQ|S(Z@Dm~E3!(pwgZm9|y9%x_Uq z)DB_jDF0Yo8G%r1jH_RN+cGfhz@|Rew&T|z&Gj(l^}*mHf9~$DtF!zhqdUg;0mLaI 
zEHXCZT;#qQytFgtbPlkM{(fu!rGgaavi`fO;j%Y&;*S?R&!lpj_#!50pZ6xsX*gCF z+@WRMXQbRDrvb<-24rtSmO(d|bsNL16zN&(#X7O1!Jnu(Q08lOP2Yp*DQWVGFQZ4L zZ^*r-#NCGt&n{mLt|5V1XPB1I^fiNJTUl~CcD!RY9?XR9Ztgs-xDak=Cn~3+M8>+{z<5a{CsC*9ECYTc|2O#tp8@gUyz;bUqH^e7NfU1 z=rb8xuCk<)gy=e_4Fj^9p2I)j=tRKz!DoZ}pv-7#a%#Ud2^!MOMeuOE88wNUamNXi zulALByu$J)pK&sM-YQ(OE#J>}Sdf+CQMQG*DYosfjYT|!1puYC)_}`Ts zbo#O)QepKTfZ32LyB?--i9AZ$B_y`KL`#yjbjWE+aoYlP9gWNlh4ANQL#Q8(L(*Qg z!tP_^^swWK8#<)Qmm!@Z4E>u*J)Z{QiCt_!-Ps({BcO|KjBVxP`|03*OJ3ZId(1It zp{7)uKBLpciZc8^u124_C2tfzBgCqz3e*_@Pt@bbJ7#F@;9ggVpiqB(zif(w@YN`mm$GM0>1b-JM@W+QXT_cbOH8_7gcr31vymiu8#Os7fp4DEE=?CO z_aE&MxyrAzw(=x`y@n;!+aTSKS@-MDAT@uIHy*OGi7zz*(3l8J^PS*m^f})F)Rdey z@t{Ad?0#2MZzDVvC{EJ$pz7+7f!g2;6MK24r-7UOG?c5P#8n9(Z}AD&-h2YZ=JgU# z+%KL0WtJ~x4)t6&8S7bhvVu6LjrXJ1U-I39s`F51{Xb? zQ+KyBx;C)&zG7Qha{DK+EKtbC85q|o$@Wt9Q*Uy=6aCUOYk@V2Mb^H-;HA!iqGid7 zL-TDJb@>5r7cxYjZY;CmVCQ;pdn~@}qyp1+w4>0eg3Dhljzo^x%N}H)`6<_kudL~! zfJr&a|7y&Jp{D$*?$z2xltH>c);x;}JF8q%jiRikNTHg^;~U;njBB zZsvYFV_fEbEML16iYCrlp+65{o-M2PbY=NfKQl*nkkZ=XWh}`Ym2l9t(2foj=hFNs zH_k=Jd(mD+Wh50(y<2&+Tv8~GezmwU|JIxd|2A;VT6Q8HsQw4HFc|l||GH+hHeN}m zzN%^LhAUTZ)}Vibhzs-T$0hgMc`*+I!Ms$!6~%>c!1sq{yooHP7(+OGkkJ6DlNLd> zJI!c#bzBGTan^OdPVu3RcEKBbKH~!?j}I?jWVLSRu%IE!m{ZM$q>~H0k&#+IkXXb3CbDT!6wGXPYVkE5LPb!Mq?thxYix#xBg-=fse&oNgBZoRjQ4(W6s#vMq`L#q?f@dO?jATN`I3G)?jT1P;A z@iq|9LRz$^NPTvvr5*b9SW?gQ?YvbHpHqeD+_E{fYP9=m;fIqS z`szkpv{r9<;V0YMbPj&a_4xgz>s7ZHWsYYgcH|uLfDRsMJGzCWAxm5zMchmjta|K{ zXQTPBRN__RR}~?*F#crzSI?)DGwRwt^z$CX2P-Y_A)^r%_)0(}knS$;875?vsA)*l z56tPEeIMY!I%)4_BlV*$)p94#kl(w6Ka~H-R4`5jo8Z$Qsd8K6$msJMW9!>5g|ej9 zP-F$0<)CEwXN%njf&){hpM>@{UDp+p=wRf{SjI zqhlqKO4T;HB8kP*3Te;IUdyrFU6e?YiC>mZSP)6hawwP+rm|XK;g_0(l9``4-D+KM-Q&xfTNh=bW_HU*4KO(2 zIj(RGUU>UrCF06kG*6`YaIFzbBJ)S}!eLuo-j{cVou3DlMXhP3%HGB%UW!Fv%;3U1 za3ZKfb*GUy6WT0>-%n?~=H|0{ZhG{?v&xqZ*XWq4l$iIq)K7qzgFjEx5QEc7Cfw}l ziK*$1aA%VFDK2IA|pG9GuI7{G{ByPOC#vP&jmVU!#5cvF_uYP#dR-6Wt-JCQ27l z9#X4n3=dv!O_>@ukm`V_cY6DL_D1`v*%S|VCe<4T2fDpYW-@BAu*s0C 
z_;|hB29gTUV3JeU7A`wHe@S*J6*5sD@9V@~?hi|zad}pqMRIz%a=*fo^ikne&XMNR z*<8&7<89NNcAQk4ghb|%f>tTdJF!uD$?8p3r`c-t&OCZ>!L+ZWOZTgV^+GCjJuQu( z{B5*gW?eeRZ{0JBIKzr?CDn%^oQe@rf@c8;%C5$>(jt9)i!;o?Sas1sEQvZM*LaKXz=49X+p=?RnjE$0YKAj2T84i%?_WXaq?$*E@_3Y)RAO##Nm z;=vnAscm1Os|Pc|sbY|c3Z6M4QI&ZbQ?3U!IRMGRZWR)5}M zk>OXeW6@wIYr|Jst|8_+ecKc@nTL9G?`2iC-esyBX{>?NKWCrL3*R*v-s)#Y*yLOr zE*!!SPYFf)uwAeln*6|%s-=RMAh^(pI$qe$i3?^V>k`;`erH@x!_e@;H z&{9-PdEDE#ArEMHv2w2qmL9nu2=2Gs5PdBIEwuIrVAo1G6hH{R}rgA%Zb=yQvWl@n@L zd>#WHC%XlUK;My!<0=Y;&8CJd8%DSjZ#)Mbt+-X*-4Qt|YF7|sJHw==vgdAD7na}h z!hZ$_J5n9hSs(0`wG-0xKy*|8IdXd1`_<;{RVo8qrJul_Eg9RM&7at1dPZNNVA#P< zvs>|*3xkMIg2t}qwax3MhK>65W1qY_pz7V#F(iGRQhgsFZW=2514@gqB)_Bzki7`; zM%eoL0r*@OS1@10(DUn6G1JpW$4gHw5Wq_Pag*JTdI#%;u+t5or@a@w6YD7K$*vcqTj6sxvp@|)d6Z-@FzkK}4jYK+F>iz4p~qn57?pzhTU zc?M59GJNSgTm4=%Izx2wDWWN>=g7}5yUK;YY=Q<6v#X@2DR?7hH~-D4Pr{;Zv0?kdJjYUNuR?HELVi)XbtpU0xwDUvSS)$#t*88@yUOy7_!Xc71v zfi4sgGz;X6kt4ftHgFdcV#|s@FUp#3r}^%(@k!FB9gft=o)ee9UojK?(6Oc!u@5ph z$kY&ANP<0_fOEC&L=$e`8yyo6oH$WjrZ1s!I^cD(QU9xNL#{J579IV}@JIW)!xX03 zeE~kx5NmtOwtO3`hc82oELOz*iQO^Pcjnx*lVdT;DGZOizZp(1YriR3bow@6_UV#> zFn7a*)OO&(e7}Y?Ifno_O0gq>B7ry!mdV8$SoXOAHONCkv`-VbuHeyP;)V1H2g`zN zePPRio_JoKklWpy=`!6p(X8-AH9Cj622a|w#6030JY{QAS-PTJWbj9GGUx3mn}a+a z4xO!dns(2t$0UL-YMdl1G%G#MN4AUMs|wsNYQub;4$_a*H%5rivp>?UhrJbIcpZ2C z79EFDWH1ZdqTN~}t;j8yhe*wI$nEu%UxwLfoX>stqVxjX?Dp}y70W3!&pQ3(^Ir}? 
zH&$I63tLh#L`B|Dmy}>Q`5b5J+>?Xn%?}Bn(_M3Ybe(}C(`TEA&}gT@*P~)}q0@vN zP>s!3v5a?l+AWBUr+Me^gsjpj5Uc~qlGH9J7X*LFPTathP{|f`4S(au^6IXJ?sJMg zGQIxOQI%%f%@p_2ePM-AK^QXqR z2363+V|-oaTt4BY1{f|4Vv}F>!ZD{`?ly!mPSt{Lo|@mC_K-X7zbvVBl^dQj35vQj#7#QF*UPTBjdj0ce}gaSJZww zH^HJNdSzr$G*<>My3Wjt(fDed20Y3DjGdq|iMDS&agOW&fX91?&n|)-UCw@%_PF~# z)uygdOYFtx^`k#!=ue#c#MZi-$c5} zSYr=xhTGM{p363qmEIhw1V_>RZbEq>4l`BT1l9nYrnNd4Ct_aDH+b@d?_^@k3^A7W zlFiR#Yvlcx@$cd)#a3Sa1nOP=_#EusK1@9W6tp=m$TNDEoc7QK9D@jW3%6L&y7tc1 zLozSpz%j|P1G9R*uJwZRrL8HpXOrl(%$;DORDYZ&LQ5=6?fl;Mx1^5`i|bN6J=b^@ zE#k9HGQX6bl}&~p&Pn#*$PA`3&S%)%#Y-Iy@V)rAQUwkkYqkvm10Fw}97WO}e%#~} z`yoH(cva%-o6KdOoR4;l`*LieZX?0w9zlCKf=dw8d>5n35QWF91fFIyV$-cM9{Fut zzSM(P;O>UR`MG3v?dFa9oEEGCSO-xdkECzOEixhKbAa+JAwZA7-S<1kgHJs-ttK5? z;!54wGhE&N=I3u-Wn=KNudmFMpu;M@c4hj`7v>?14moxf8K!21pF9AY5pyDH1;osn zJ+5x_EZ>ND{J80PT%XAOLVK+Q%TR0rytEPAkpm*zF3wCeawa+)#NXfXJ39UOGP>(n ziVVBWl`nC|^k%K1TnTboy~P_i`TU?jsqOK4ySjl}Jyra>DduBY_ESxi{v-`fcz-97 z6|F##B7vh29&d3|ZYsLbE0s*;S#b~CwTwn)pA`7G3cUCnRXBFemR->5M%@BJeP0Vc zgPp!mGX(9_koN*nw1@ye>z5h8%#Vce7CaPr_SJ2mb?9pW9KnIsy)5y0R&%dsdDbON z23d0)%}N}>eDP0q=k+^~J+{M`&i_$_NWnBEy-JmSFL_hH&zu;!G7oqk@IT7-BA(28 zom?1S+t3?VW#u`FT9}!2-ar`GqK9?X zrlzPaA2m40(G>^=veK;j-R=W5(_%La-L`=9Sdfts3J88ZcMo^Up&OfVo2J-HI>KM1Ah$`fEdG7mqqUC z&U?auc&L*IP9m~nfxrt2M=0l((aS%SipZpWAMNZEkm7fCR_{Z2$bOfmve4bi2#iZ5 z4O!;es81ib&7N&&Ysz2Pq!u;gF&k-o{50a*?auV$VNJ>(i>bq}zXzD20aX}jge`g4 zQ`#l+)+#{h05Y)Y^)y%<*cQdObrK_^5H{X~CMN&(A}ADPX^jK$guaUQTq9|H(+SUY zkU459T+xsAw%;5e6w8Fmw-HWmd#y~$tXg`+=h+7^NV6Voi_;{%KjU<~__7GIIQg?- zz{`xDvJpb^u#FXLArVS<^>!X!*&CMcf1sTgBf(bozb>d5cW(~-@-;|$%#w123hnjQn`|(CQC8WL;rXMyot{EC>5(!srvC_G!xw|Y=SH5gL3mh+dHx(1- zG%~s`oGI>KbPkhFy$c|w_XfW4iVE!bEv?Af{>(Cn!nkMdVXOBz9LO!wzn%j(Jsmq> ze07Wc))DRB4my2pc5|ol(4_9~XH#QN1Vl!m>D+;;gq5|(6Yy{~xrc8dS&!Ykopx4L zmh2-OPs67~glM{z*%f8m5*4h1!4xZ}Ic)IJ{)6axD5a*->{vq91%}Xoiku3w>YKO# znT?T+Y17Cbk1Q+}G7Y{}=6=s1R-&bVRK%aNV2ZFO=BJY`MPfY`xupRIf?Q8dR#L4j z-u?{U3JBgp*PDIIq 
zO6Az?!t8<7fS}W-9zX_=Wbyxmlx?WYbRzI6AK3s>BItJ1nKuBhZz0ts1=)@!1M`{I zdl-w33Cq=5fUjD6|%{XyWf-IxspLNbM@*xYF-nH|%+QAxI#0d`my5JV7_1>kaZ z{y$MuI*Pyqs$l{(eq$N<%a-aVKnl`+W}5--uYJPI0Vo>?8Esbt(qvL^|1&j#m1*m` zz-MeJAm|e%Y+o=k067b|tmS$ze`jyv->IoI+c;PNK6_I}G7ZRQ$a}ZeWhe~L9|0DB z?^qz(^Y65nEuo<;g3uPoe}!j5f4tgp;NN&P*rwz=khui=*;!sef_UmDZ~Gz8CT}NGTHyX-$45R zjFfMoP`e6zzjOo9e}k0@_JusH0VL0QS*fh zrt1uMSppf(+lR)`{IMQe1itjvzB{Z(`|G8G>GNNecL4O&BwHn|jALQhfwzth>RBEE zz7A*5Sf4MDr0JuPV$Z~uEA>K=H($`~T~Gp9TmSjIKc4$<|1GZYG#SF_-&1vrHmKU7 zxtGyL9T@dw*JldP=x$}1x0lsWZ|`mmb`DWkD9iOP%lY{LfP2+2qRL%q9;5$-CXq?* z7n)<=fap?rhK13*YU((UV9*}{pvFAeK$0?yYGJ}uTlszp2-wnz8{pC@=SbP&p0po6(vBBpuGc(vlDle{IS^U&@fVtIw;9+Na=rtI?{EDHA@`}$ z4wh&;9h6#4CBAdZA%n$!q2bA24eY0o|2Qk)(kbLf+i7v3BK~;q;9t&$-`VlLFo)u{ zbAA$kZ;S3fo@j?IjQmqWH2&HyO&@n-E9Ye^@W!7Fsa=Nr+K|Im#r{TRB>)VT^FJ7r z^Ou$!@o^utLjL6v_%CO_H}!813HsZ)rF8st37Nle;II71YdfU%>aHc^Pg=tQ%2Eg& zH#BkNE=HL-iK)1XWdgX=#{)&*N!kGK{{)6$0giXvPHB->nVy=8ms`oiyG&G_U7 zZC(t0EAS6PLLvZ93`q2oCx^fLEh*>Jzn8>A%Wiz7J>~+xlOav8+XA?LeDyI2)0HFO z3yN%XSsAAbMKi)nZx6hIvPoBYl-PB-o=Rt8?>jNad1B{$Q%!rN!WxDiIa>)mC5?12 ziUfe2HN=+2piHZ34;ir>PpQ5uLtncjw8bZ}>>lzTc)S~K;jQ$$;4&){0P>6!QK>62 zenvnIy01x*Fw_CCjL6Z&?%5pgk*9l09~NGx-t)X$(|Gd8qxt(i;B1}Cm4*j(5JwOn z1#*y!K2EVF3(ta?$vu;^E%7^1*+;1ZVb`G5Upu~w)OqWvz0A1uDuO?Rrr$GK++%{j zYA4!T&S2*)fWuV>l#4$IlcCBY7{(D7<_fFFx2AYCkzS94>*S`oPL(J$xVpq#N%p+8 z9~c&@vUe_L-&+55@FemyMT}s?M?TuoHVq;=DqskawQC})CFdSk}KPT1zX10 z_6-b1&W6%PC_&sVp)QE_o}A^{zwBLKB-v1f$B-{TJ1|d?)kW<CW@-wu-^R01D5N2f83MtnM99f0WzUvUk=*;w3otmQ^^1r2|;}4cxBj$jSZPI8ZS9{Pwx|&_V zf}qrhZ)GGD1Z)~aBb4w^uqNK)Q9Crfc{1pVa_F^B96qdwR%yn2Dc4`gI0FbcCM715 zU_WvVl_8qQ)&@QalpHJVkHUFiBbvQMl3eB7cKog5KffXULQ{Ubu0DFc7v2%Zz0uEv zBH5P^E#|x;Ag+}WycTf?fw$5%_!c)_1J$bI?*ekIlB$#6Ha_cVjku*LAh8*V#Sm|- z`s*DeQ^D5o$FqrDmJ}}-5R2XU+!g@i;J)wCY&^T)^g31~X-Q5f^qcL;(E^&#qRY-A z8T&F+`jXl8IQ!!V$y;`EbE&WQ5)-5`}uKAH$*Lbyn(&B7t50DHHPbkji7I~LsG+Pvdk_kud_c#p21_H$M>?c3hk#g 
zo#S2J%IbRs-&jj(hH)o_rX7hnlKs#Qz@(!y1R`Vk$TD4W2wO5=FiCDGRoVNux`Y`tMPF78r;2~GTXbBi{35nfRtt>pd+T%vy}BA+ zkIzl+7RFUNB9_ygs~o+;YIrBzHnkL?ZH1LlQX1v7cUxduI3Ve-(EKC55?1#!y94V= z2rz?y6TA{OO${Pp)V)MlqRR<%UqwJc!H|m3I{O#EWQaWkAp5T#vJ@DA+2aW$?%A6H z8;}o6^&{wa%Vv0fq4|(i3KY41F|&8fJV~|sJnPp@uQ)JYr5ejz{IPa>!9l5JO+qD0 z$3tHa5C7tLjUhg`VnFpLr8EiOWCb(5SIIXY9639dPO65`lTS#&2zM92OhrmY_ZN|s zlOJ6>Sy}Smdr4mOkMQ+HjB3!TDF6;d<+DPY)D=aJ|1$nkCauc z*Xl{lHXrvqq2$Lf8+sCF#G#Q-g0(m5v^W&nk<+f!j%*wASy}ZJUwu9ukl9?r%lUP` zPI2n>yc_oVPXhvIWtpVfVb4CQCNO)zWykB6gkRW#FfWOK#Q3D zp82uT&sK>d4VE-Iokf8B~`P zE;QJ81v&0i4>}y=r{Tvk{qdQlt17KaDl5BzTYlAUgB0w&2T%PnZWY^&yzG3Ka(Ct; z$M^z75Wz&iFwQJzK;tM9C9aK*QI!gecGlA{8{Nz8AH^GPLu84azJj&*9M<5YK!&M4 zVb$FTq*#F)Pbia-@wwJqZ{?fC&?BF4*(_T-_J^-rfJtL0y?L7gR}AD(4<_D z?0=i+gFb^A--5*-<^GmxcvIp__GkIHBw-${`$w+76M1#CNS*06ai$xHaPGD#JE)Zm3f;ZPM5DTX13UKK*3eA=eBgjP88Zp6T$L95#>IW&xr#O=qfxQn~d*80! zI^vYdWI(K37jGGbCOovBd{bCp`8jo5X{@of zd2DQ>fuX87=DS(6(-HlTlIq&Gs}G8T`P}JUfefhA2o{x@sZ2gc!3Ots!t5PxQ_!aV zrc96W&q)69eht=xREig2H4xtnedDfFry)YhO8HTYL+#yrE+BjpCFA~FGy}`X)!3e* z_a)?_KDYOP`!6)r)Aa;C5bGzUi2JWcfO?`wht^GAsJ~AhzgC?pBN{8=-5_=QsqH%@ zF(HSlqUun;28ME-O2_GS^d+*v4bmtkd<|iYpG2}wGYz=OF5N2Jnmhj8L8>L3>GYh(F_}(d^7h$(+GDXPd*EHYv|$ z68;9t?#@*jkQ*;%(va}|OB0pHlR_Nyt|FGgZXe z`FIqVS!(OKn_rswyMEf0s8}yQ+TJQ1JlAI^rUCIa1g3QJ0`7ZvLAhVT+T2|KlNAaW zM!3-Ih zE5O^IUvVRC|A}3cX;U3Yy>uS)6kuU?y&DPI(U=$`A1}W+HjW#Qlb(ywn@6EWE1lwn zp0MLzc6f@MGkoIzDlB8@pi0_H&6M;Q9~p7KSw<{gYQ@WiWL{dJrN;76Qt`u?@W|{% zHWu}s%ND+LAJx7cF`DQ?-|oQa>!#NjafRj6%#WY~f#u(@^%<#0XS^6gPQt`$ev zCfll0ZDP6Fg*hfMtThw5G|xRFxT(L- zJKAe>NBnw%D~D??!uGio9G5{G9$ zhwp1qE+kNYthXy&f=`ckSl36CJEs)EBnJH=R70w-e`3=b6jps_W#)1a0_=%KL60Fl zyacR*2XW^z3lYX-@=jw;^Ria`YyX={WUL69e*ge70@);N}bKUgW`ggH6xt_~+^L@D2S^iyb&HJRs$B>J# zk)B24SI+a?J=e!f5T!wOYqfS9)Egx4>!Z2n&nxEp`*Zl$#f$|)v=&+<=60WY)iyEl z&Uf-^WD#u01mA(R_1sv~_-wX|@vEP_K;I)g-Y*nvak#W$1Q9GGj#{G?5Et3SmfF$3 zllVp9vUG4;+2Iw?O;2oR zdlOsh6D|EEXd&tpl7T`?^oEi~G%f-0A5mK}%+**wA3Kw=4I|~mj|_xcXxO8xsmEst 
zjn@u}H3aSt2tozO8esBuW2i1GO!3n}F{6i|ZvXyFX5zDYHH(fw%!(N)7CQ|lzw<=M zlwl#!6fTE1Zl$HuuD1+*ePMo17deJgFFW$do<@_xdSiFF9OqGk5660dz`2|Pe_5O=cI3+65L)mv7F`)8@>^Qu$&ILl*p)gK?IHKV7M0BE_o z!C_M1PaCZS<>@=$`&I;U3{=+}_SkJ%UXjMf8X&+jlpi5Q@?3`26L%_^bA9n1*X@MO z!yLP$;zy7H0{jw=@9%p!^dw7occ`ek+Vj7wc9Rx+tS9{RliZ0^!?#@Cr)eY~CSL)E z!y{Lf_D@(*0!f{M!h>pN6%>uJ%GbQmD9x)(nQNnX^XLG18m z3z~^C47vIEHSRYb7!`DmcD{XBqH_UV>aww=Zh?n(_n$&|pvI)tE|uz*0bv?1aN1u< zIs}o1NWr@j)#1-B++jT9^jYW8Ndf0akn%eSWwJ{iMU<$MiN`Q6)@9s`Ex1y*exDB?^7@ar_|FGft3&%#Iy11_%6M(PlFj`~Pb33Ld*jc7CpGxV zg#>WO?m98HbH2m=((qTicEj-6nVmRyzMywjqe)gzdg{Tl#Uc`{>ftX+K5Q)-J`-q> zy);zGWH(sKTO#K2SUw}zP@PwpL)$E0+_2WS(L-TjtY|*p9m6xe;{#!*TaA8zqf1Gw z0fpln&`LIx%6C7{8qTg@U*O%aotU%+ zmhbJe0e;_X^72)lq^ePRTQAYDZLB|~a1|e}vYQBYV8cN#PlPIdonw-mX*%guf1^4D z1(tHT`;ez0;JXfuvsMIxreJ(Q-r&2?QFI!l^ZZaaqt?uIi?}t7xwg}meIl^4 zU9#QRtITO_=w6-HT(_DLM4v}!5_eZVGS|!s93AeomuW%8!ltHlJzR>s61}H-xg+3n z`_r~}n)qpGJ_-VkI@&;TemUSjN&rG%9Pv!1oz~Kr0{g|i)O-i=ng#8=gOQ=D5Bljv z)_uLEp1cp0s3p^qAU5Q_ePP?B#+= zFW=JVd#4dg9|l;oRo-#;S_-ppqgJj%{&n-c1d=EG?Mv6|#_j@agS&>M+&RP>n0O>R z`f_l8hJ6(YqCZR>_IL7l{APJf?%LV0*$nlca4x1(A0AXFieFN`c^RzliLHf0ft348 z)HX1^8QMfm!TF*NXs^nCsRtzT*di_SCTsWTx0o0cKLe*qV13%EZu^!sfi>gRtE`mC zsl>b|Los;u(}z&TN`Ly<%Vqw6{;3dAZwJ7B3J$&QQQ8aVa{;IOA@1?7*vADxJe2HM z8xVDLF|WakY&Xpa*;Il%Cho;(VlPv7%T=jdUSW_0Pa>AeBm~rsDEVTcYozTBCN?2} zHL;d|1cc}Y1PF2HQlw{2AP1)Ki40I#D5A-{#- z{m63Ei1ky**&z^B9B>5>587h?elq|+R^OJh1rYKJ&5377(rruWgzT6ff4e!6Y==Gt zgcvn-fXVVnQQ1p#B}&UPOquifFidpH=6}GHwJZAr(TlIRj;o5{$!r zNgG$SCmESo`y&HD{)Ne|Ch1&kAv{uRB!8n)e)Z;%YLfx#gX+DQE5_YdE(>kY0wFiQ zw*&C!|Jn}dKfSxxLT5Uyu&uytXD9WU7R=3qx9il!*9n)Ct}wjK4*@nyE_c};YbZ4ww#$0=E@_DP}T%YrIKK3)aVH%L3ro-;G!G`)}6$U0Q*ym#Mq0 z?l{BIQpM4RaDs^Mkr#2)+WEc8ZY2An(uNJ_DOzphsieiKxqpUGeGa%Y+w*nuot>{S zL8W;>_fP$*H~tuJM!BejDq#fvhV#E{B6;z6-gfjTQwQhW?S5pKbT z?TVe!;Sd928>fKU*uQC~U&j^(P%tjPD;Vg9Oe7poFbHxbHL9``Lt!TF0`67-*Ynpa z^_~5{Uy*q8t7y&uI_(eI4%L#q{TFQLx^aE#V<71YzQt?IyjIUlM0k< z_(_5uuy{r1kOlDTRBH<$Q3V*||47H-csbM#fO7p+J8)4KZ1%Aift3nCSN)%Kod<~6 
zBw+T=Vt_e{sM;|@K~>}&jv*wVs{4Oa)rX;wle7OwsLVG`DybLHKz}8}_}}E1)WKZ( zA9T#HL4G3x&;$LzR>49n;&4-P9faH%Y6Rw$zjofQ%HkhM#XJLA3Gnmx&ite2^#8aL z3|v7T_O2b|?|ljA=HK<=pFG=O{Jk$r4|(=S&xwbS%PWvxOcqpjqr}f|g!aWIH3sqh zr~uXapFsDZcJEJZdVH4a^P2%CH*Vw)PvVDPXx<;HXfcX(|A}3|D~kMWvb#yu^jhb~ zQe<*CfJ#rC*i-?|eTT+P~Qae-7LIT%ae~$eV=xUufhl2+%)<+6>t~Tbz!n zSKpZzh{Wy!qT^!stBvv>sR799oJ5D9^0>wscX}7(EQk|+6Q|6Iuc);tm%a8ZKk{VW z*qYx*agB{9ahnS{m^oQ z|AX0=M&lGKYq_x`NNQ^wbNq*_OJUE_uiewfU<%z;@0eO0L z#1|Wru;V*~cO3O{ZgxKe$8ARU(}V-K_6{d;)z#Hxy@?%jOKX8oCZ4; z@XRxy)s}1Af=`gs0gp^~U=|AEnmT-y#PKFy&G;MB%Cir>Tq38E65KX`^!&U*L)LF3 zD-B5!I(}9_%4>TSYA`5iPvA3qk7-K4oy&0JyqtgP8`HY5xcIzeFU?0Glj`$h6YDzt zfjp#=iDTd8*^zjr6^!!ef@KJ~>vc@<)qy>);0SHAwwdHd^wY;%mp;(#Mo zi0walJJ2tFIi`pG@M~ZE?RD?U{@NFolK-2}{WxQ80Cc}c#sbr6Wk==2iX|8f-){@1 zqmE2VV(>!aQmC2QmF{0?WIp@O)IXZ{eE8m_oE~~d^%bD=&^!nzv8cO}0b2=I>ZA&g z{30b28QfK*3z-h`8-u>HcJ_uxK717udzCynyUyWWm&$7qi?~z*bw9D{A+_qOcP{lC zPXD{zakIOY9bzBP9od+SXd`5$E9shP%YRT$kl>xcW{A$mdm@xLYYPnsd=l3%?}vsq zg$uT9McJOf!(Wo;dd`yzepEm-ScyiviQaN#9suyjPq}u`1f96nt37PHmk*FaN!#2N=IgU*VP4GwW#mU*^zge#5IiEF!q-mP zQ2Ip8$oKU6J`rNdgv5s#Ik`~F4R4FC^DR)=47 z-+(v$<&=x$fHI@}FGwd#{UH1&)yQ`>Urbj9x#C_#!em!$rRllb%B>(Sm?L(s*64JZ zClujxS(RO0UL`oic+Wc{ck6GZE~?z06z_cd_Q{iz?6j>%YkeKRd^Aoe2fzRmF?Bgu z$iz|XoJJ&ajvIk2apMeT8q4Kummti%5Z@blYWYV`5BK;W zn0Rw0Hir!nRF2Rbq#$t9g@p@T=3aU3fm<0zmmf(IQ&Sm>ecZm+*~R7N2UVr&>u5@3 z?5^tKLE*l!Q}#bLI|KzA8^%{m4Ms&XZ-&p9q73(?=I=Hni*AavE8h0H&upkg%%AlS zr5<-RSqwfwM21uN-WbVbiDpL@wiRg#XIFe=c$>Q0?JjB}t!QA9Z&>8_8M%{5p2Gt> zJ2{~AZDdpqvj!h@X~hH8r`uiAEx-HXPUFjrA7A>P_J623v*7(Cj93@;hQdJ1iI&{X zl9*GXuo>JKlV470s>PtlZbe$&Fxk5AsmffPnn@jZBItx-4&*07FNM%bNC%0tRTboW zKON}F6p4Gfh{gg&EFIK{z&-y%U>-YdE+aBfQ3!VFNAD^P!)3ak`(|CSF*|Y z2S^RL6#(Cw>;P~Ui@LyUa6UY?ef=bbn~2%@hNGsJ>c3qMK3nG@)LGT+<^oEgH<#0k z(ARgm)zBukWz&h~dq;|ltVCs5xA&V3ZC@6|t$kkO$e3OdGpXc{YAwybAXIYvw4R!Y zYcOvWaXJ!KxVXdV$LsWh(ZkEdgB6f3){4=1mMdmgUemmGJodWu=_()3O)h`P;leny zlwv{l4tiYa);JT50D$Ep@pTPzQi9`MynCXf9X5|I62&{-?KidJ2pW&!t1 
zhRvZ5-cn2n2GB1mc2E;C)`PT0g|foMtm=oi_L-zVFAWxquG(s|)NYJ_%1UGTIVY6w ztiv<8v-<>j4;l_(tSuZtC=fs4*CT5=+|oT!{mc^+y>Fc8FU{~f)SL||@9(9d6Eemd z0r;NKP%du}s+@Z~EtkYS#fZ1eVIj6Rb!r`L{3YAlsVYOp+d@+@lS-Oz_b z7wIxG4!g5Sij0D|Ov1_?vG(G`-7XnEICZ%r77qrI{q-6~5Ta6V^)}otsqgE0U_Qh< z!+<~~tK;d>SF4NX)PQ9oEgKmyWS{1MR()l-$vH*<%qIaH)qLSCJhmg7XV`a!!%ow| z)47)3!8I+lqSxmB22NYvUD!l1QWA27;sVbBtpz6-uIXJW=veVg?JExdl!7zk5rCStJuL{zZAFqIGfSf9AETW<>Yw;RD5_F`CJcolbfB=WY{O<2h$7e#(%m5n%lm8?G7e|ibb zx^);2VhBA=er`4@Rqn$ze$P_uT6IkXleyk~DXx`u{-M^l_iP=moHK_uA{{VM)Jx?0 zeJQw>J?Wr4yfW6yW6Bp)Wjkp^+m>Jv?`#erLFvAHTVbv&aJ$NuWNY+m=x9HYtF3b4 zhgYP%#2}E+4Z8MzTv}m!xK^EBbP(0>2D?^Pwq`%u#xT2TD)CNw-oGzqkFmp^Yq**3 z^~9pJMh;*Q1|shA*{ELTWPI$}+IsEU5wj}`G+o+OU8UL_H(76P$QS3ueE9lrg@lV8 zjR6S_90fIHklCmV@vyRKz)hnGar#1m6vNqWjPzk*)S42x7T1FcI%x|VH16rkOZHwl z^H8Y6`|~AeumuwkGYTX7?`s}}QQ6i3V6E=C>oYqts|T!;ru#fWO%#kWpYv*T*89(c z*`aUQzWd9)kS(35y%b#o=5S@&cPGNYBtGUc1 z#IM)G=qar5wv@e2&ZqEkPG&ayL5Z3Hv1sQaSpg3@L9rpNpoNC1T-t=mnU#39_6EDT9MlkXdcWINtr!b+JXIy}Cx>b>dTkwd&?#OI3UCP$K*R#f~ck{-IVM&Z7q z^&2m)-t#arjxhKhKIP3&8r_phbKzE(W@QC(HVewDAr9XqKx4NcykD1b^AY9p<*KGb z+eW7`5p$zM0daYj83LR?EYY9aSoN|7ZPM9mW)*@2f{3bZ8I@71wV9Q4;KV87MLEE`agrB{0|CR{PQYz2tP==@)f7SBf~6@FIDtpl5l#I)7_r@b!^hq~?i z9;GNWvNpsJk|nYiG9+7KEFpU(6+%M9Fd<|eOOYi*NcMfN88L|LWM4;Fip*r27~}cT z)%9HUKF@t$&wU^Falh~TTz|}QIL!Rc^Zb6#^ZPl^-{-rW=9@a`Ao)y8QvN4yc|t_~ zVB}|=fJ?Qd@RdAiB4PN9yWOFO5sCz{+LxYA{J~n)eQtEx*=1E-9}Q@tkKl5Yd3ZsG4TdQI zg?vbqB8=uz1I+D>gy&exNjyu}qI!;&Wk%Ao6lam<@%hF>8IBGN2Jx=7I~5o1{N``` z;dk8iJ^tg)%EQshxKWtA86a%n{S5Ak;1nz-7H|Lp8TjMT+aRSZ3J}~5cp>%nkFh>d z;-24!obKBOP0Ry46P#pH10!!hH@5@f>f(r1$gM!-P@qquHSm1Y1lgI7iQSGCA-sZ zDnqLX^Dn~#cIbmknm`te;g5D$yDR^zhQ^Kp4C{}+=|`UzH8=e9FD#*81@&zew!Q(U z2tSaW%LAnJ(jaf3ze@>}a`=OUsSGuLVkCQ=LU*+5k%8>Y{!M6PeQghH_J<-tBhQOr zQl$#%`5n=A zyj_1;;g2c#zd#evU@u@h`3-25Io*tpki65;-`u`qaXf(dJJa`{Ypd&uodZmhu=>Kk z$0rUd(%!U`T;YN?Try(;0XZyGNqFuez;%etywM;3d&wXZChjSqNRWX+);J697*HkX z^}gL-?>^C^ug03-a0S?4kLZmtu%Om;K#0w0Ea`-L;1rU@GjT+dAdV~KoExW29wx=& 
zxVd^#t9#w-qV~t}&A^Wih#!pVIhkQta+j9=;6SyfD^Au|h_DruZ6iN=+1{8qW_}^n zPt++b`hnut432M{la-CHz1MiV$Toy^bJA6!RHJ;J761EkG{c0ab3?DatkQ`9z1MMH zc-CD4_9egVEi>@R$LoJ|qHk3xpjpc#*$PG=?i1yKJyWh;oSl^3jtKhO$UOh-1MIj)TgpTq&&vOS9&rVG|9IkBG)chE1>aU&q*0G>aFuApY3|Dk%3cRMid^G)V?WVSG z6Ng-o3^r`zP#EE%C0Vw-mLL~$d&N?rKHvMQOqMP_qKb{a zML&2ugE1gtfin~vLX0>YK@lZOlI|C1drytIUJO(2KGrQz!|&S()%&m&U81T$_|QVjI{gbba~c zLlY2bOWlqJZGu?(6ocUAsd?*priK@tqCIA2uSVi*Z|a$TpnqhMJxGcr+*_XnDru4# zG7!fj;em2!ro5S=viLVXK2l=XNu4mTTk@$+Tikd zn-y1&P3z1Xb5_E=h>PpFFFqN|`}I1RwGzxbVvsYNSK7F!;pv-er;Ui(@P$rwl#xq8>~d_<7_kXp$SE?R|d=4IEfAJZO^jj z7!Q^SH}jcYd*y1TPS84A7dbP|@LYob>jnR_Lk!72?@YA>iu3r#r_@*sME?(>MRBhh z3n(mQg@z`Lb!MV`DVS`IpBQq+A4-}ub-F@~SPSqt6xF}JXB=53eUVW^h)4Ycp)k5E z%C!*@U3d$#hp@CT25^Oe(9(gh71W|k_W}aGKX=mcMo0gx_Wt9E-n6fhBCcIlUr%}q zp3U7SB_C6+kCHrQSiDXlNX7O%miP?s#$m)TXvXwU_>WE<+69Ao9Yr<4M`4oU5x^&ek_ z{zreO)o=(E>~Bc6;o8unK_P^;%E-J#XS_2Gd*HH4{?KPMol^uRbKhdk`N}zFm#Q+} z&LlRxUTj(L5n;)UHS0YXaXWMw`kxe1WmwuFjVbN+YjCi`;SBs&W@?vG zyUIwbuCVO$JhVl&su0%PEVhD#(4>o7ilbDGyl0$yuu9UqsN?D|nxjUv8+B1(MSGM|6ysbbQw_W<^yk!j7zdpX#!Y+v<1->8vTC#ST#^CN85w zpkmN)JOy$t_G704O&vX7;Pty9J!t{K78w%r%eQB+x?*zIxkDBX9jIN!+Him2 zB1u?y0!0CPB60F)oGj@K0p5%`)Ljk^;Ao2H*O`n^Js+m`o_pqf+`h^0L3>KGFSw*=kI~ftm43Do>1&sB2W} zBy%I;<}^02A4#j|v3bGz7C>c-xg%LgIVUAQb$sou_jrC*TPJb6o|7OhI&JbS?yB@x zQw_=XGZ7dAbNBnl(+L{59x^kjIDH-smKj0QjCrEoa1@}^Ng7iH*^^=BD`5s5scT-g z?YNjmo>2Z}Yq#?Y8p7#J3YXH`tGrFkZB{C$!A)nSCWC`TWh{+3=NHSlY~bB|Y%jw< z%PjU87fU(WQc=fb+qBRn?^iUr0_F2tT`laegimF7v7#dpY6R?5d<0pF@Zud#>0n

Fzy_a}SVE%HN2zt^E2?B$G_GCFE95_49^0lsr&G1eR*>wUzchg{-Gjmx@Pi zBJK|{t*EsOr_v9&g!`WrDvK?lt<4xL(^os@|4#(E0M6Wce@PKVJHs!6o9fGyZ^0<% zYB=Q`n&K}vvEBwFtAWggHCMLmWVz*CjF2U>+o05l^{r(vPzhRN&0-t0au~A>!T?MQ z{se3Et?bUDUdtD#Xin!KhdiJwOs|3Ocz3>|v?XtY+AgdE9RPH2s%V(^nZ?N0Ck9=@ ze{EH3D*@nfo<3Rn-ifj)+uPf-0jTJqygm_Z0;laz%d&u>v@` z-9dWMsb2?*9z=!_k6SY7+~`~^oEkGYX#-cf9le$EMZirE?QK| z(j%Iu!fI_AFOvGb+UOFJXULD!(pP$iG%K|ITUotM6Tq`Nb6MY=+bO z45$^|r!lUfId1O&en~=PViOM-UDW*U0zytO?i$S7$IBs$KdrX#&_wn2Z(i1$TBqztCNa~zsC`gu`my0tWuafQfT(>75y8-!m)bv!Zh zgESic4w$>}k@XWuJpK2Y{r}qa1^XFjkT-N;GXmZ}pnBgY;quJb;TWqKhlq*gZao{y zH+|z8s>Jk$$51rg;% zcRsoJi%eoe(MP4>Lmqf&Nc?1FlZe9v%O~y=arn*2{>m38$C|Q{u5MWSP5P_H`W)Lb zT24GJ>rWS*I(Iaj!A8H=7i@1`CV&ZXGq zsX1ff^EhAC`^gY&iJWHKKr=iEO>P#T)dalSeu3Z>5rtPCzy4r}A+W1r9+n z|IG`RZEtFW6Bx_jbAy#njn5#mJQ0bNoW9vwsxBKhQc1~euXKJewXw-V}c zDo@IGat~QraQCLEEw5faw34DM=9m$7kWW(js?ntr!RJY-6)?6{an!PzXW$3oQiC;{ zXJW@mNok;bhcIO2soTd#nt1>~-Hf=|kbQ8uSor?_C#;T*i;#^AM>up{2f_zFilH_& zNHMc@SPtolgJk7sw!!UrO;wm)ZDsJ=B)dJ@x9I9K#OY$d zrHDJk#fb$wA{5^g1`Wj=x2Hgo>g26zg~vT}9Fp>7*QSjUTg_iOi;<^oob+-p=p(8O zWZfb(U#`Kg=DghOOV+Qt$@s~S~olMt6!cTnSoHtF1-p#SEx8ZJhXIy1i=>`B`Xo-tvrDod04NgOfC@W8rp31 z9&vJNZsD>|$|jCY(%$fL{Xi|+?QYw($a#$Cx|D!7oA_F0ZN zu8=4>O#yZRCbCJqZV`syfnzW2&5{~}>F`oWQX&suIc8(-7<;&4XeaS!v17(fUM>{d|#&f7Zylz;g2 zJYXzhVf*0M|EhNlON53g3ITyd%6()y*0ynp;x4C|9;V?zi_SGaW)=yY3e#!DoG1^* z{fAtv1so>IH0n{o$WnNSI}}8|Lh>Vmti>X1^DT6UO!KK-AFHYlCxzwfx+l*~mDIZj z+nj&E5+vJTq|T6j=91>-Hpr7M#$^@%%=$@<$D%;41>*R7(J#LI4vEl!6>PW{chXkj zR413c(h0UV~~e7T~^#Tv&1_&&o(f?45B!qn(+|pn7fp$^NUs6YLT`5cj&BPgFRymHwyrcXusu3hXAau=-|=bMXB-Cqn; zL3e36C+IQ9Z()yMxaTk;gt4WyI6pk+>7|v;LSaqcZu(FN^m=GPHT9jk!zpSAIiKfN z2*KB+W@6U4@|2nBdf-iTrITf7q{+$>t{gYq)_M;0S|Hu;?laxSXEc%~$p~gre3~6{ zj}rG~@Yxg?yP3W5V%mFUA0DW6zin>m=sxu1S%E>e>nBE4W>i`MA0D>IJlXlsEdM<^L}pMrJFiR| zeYkU`K}a+2=KfZBIpU#CSpmk8_SYZ;5l{EYXC>0CA{fkDdEl@yJE(+)g~0T^0Y?FJt^T znkK?2wMv^V_pA~`hKdyz)3EQAVXcT2?U9kDf|r+0sC=-JC-u7Eu@8`}ZXvHM)|D8$ z5Jr<{)$7+)i8E=_t3}M8aw?_F?Bgq16bCouD;iC0BGv9>JbPO>=y28B2i!OD$eP&= 
z9+)UokXC5zMm&o$LgXPnIACdGc-F%=fZ_63S#?4t~{!D$N7hZXvi8XG< zHUu)}|9lUQp$!L;k5Oh#v$)wTTkag_^-9i{tCo0Ou4wD2oosiUcYo|hBT?A<@TiL! zen<9|HcA(?#C9!s>`|HhnrYj@T2JXzq9d|Dz%bcyz(Zx+`(?Z@HMCJF8LVFRNVz^( zWw}6g`+E3*$At^+8HYWzegyvR|3|L_0mzrDDiGGz0@O4Qh%yFb<UAz4RWg^Rc!gZAhJzATT|Uq8fyxTuk4DHX&C|?WDg_ zOKpR`+A7=+U6?<2^l;4CWo6Zrr+@zewq?4~Ou7d!t6RbvcQrCytp_PULummGFcL3N zAT#y^rJ0D{qUVMH5kf$(8s3`2v$FBjh}kFk@e0xBRf%*qy#Bmg zPs+=yjHE7j&{jSpmtL{Sr?e6QMz#$JR1)C%KKfQ-EchFkWCJLOc}GF)_loi=i+fgh zY*^A$Ch}dOL)?F!vxs)*hnT!WM6sLSZAs)zUmVsnmXqCl1f@gq6Rw z!UmTgb;=WZYWA#0yuUofy?q;Woz#W|<`MRN9)$ocUgw04P<~&A@R@^KhhF>%p_FW1 zKCedpqPJi58b%}0r*DD%MQzAm)T$Qnzh;8}(iworJLbD%6aZ5HDI1G6guHD(9gb?M zMlT>CsBb9J@3;&dQj&r#LxG%rTEU%WRXqCUY5A{Ay0i-!R=GCrz%BqoslY|AFoMbs zx)>m@d%mLtP@U>*K2&S8d3=@EhfKQdiFha`KOnOe zF)hCF9Se6i3+UkZ@15=%t6^n=oKNIaUTTAV3LEq$fBymfWdI!i9B7FAWjp_g=#t#-xJF5> zX6OE>Z}d<2-2WMW{lD;8fa{}q1RntIlC$ieWwH*~p|2)QqaZGctcws}F-q7`#!l2p*G`Px_RxO- Dt31xr 
diff --git a/guides/security/assets/ams-custom-policy.jpg b/guides/security/assets/ams-custom-policy.jpg index b6e0ec180817258c961af42fb95a70d7e12c1379..0f8b19fa3cdb32616ac07806b94b25245e30a55a 100644 GIT binary patch literal 108815
zQ#CL(*L}>;f7sflgfY)0qa?@Z17Lpd+fHb`oR~=dfA~RSr~DHhT+*nCwGxdd|DPbZ zd&LB1)c*jTq0lD(yG#WWt?c>)@K4-c;JAhGKN*b|ux=>`hyWuH6FYwc^SSV2UjG~X z;iVHe{r_$QO&A2rLrQD+@UHzLyYJrVf&2i&&0sF@%4kCXhLYTfAlzoT8* z|IeGXhAU}1O_+hz*jDfd$P{|&xw^yq={Kpf`!>VUikEkXc{@#irsU~{bld_r)z`}HmXD~0ruN$Qgxx*qJz*vtKkmrN)JiIs$NB=v4Eoh>|NEMXJAwvdoPt^J zI=1GIL!>BZjy#?2QOb{a?U~cqSgtDN_vT8{4uG}nKk5hkH_`9^OXB)pRE_*){B!=j z@&8LW{_+g}Up>RWgya82;jsPPOCQfh++zym4t#(2-O5JV)voUvuH)VX@l~t#m3z|w zdVgOMq1=CTb~upm3jGo>2H~;mu?E`4~3Qw zNk={Oe^oV>DTm5FS*TeY8qVv!@yeD(kovqjUKjISsSBrH!zBi5wp-; znajsN^5oZyow4?f>mtr+PpY2&GPO4rYTGu;_SnBVcjUcZ8{6F#b8WZ`(<{=>R7Zpu z)++rSYxv*kUBmSpMUd++_9XCQylQ&5`Q!4FkAn+^z$ZuLzfd>l^cp9pTjlo*ym^Dg zup%;4!ivK)gz5Ym;=X9KUFS0VvK6Foy`R8aU~f>Z2>)n3O?8i2NPmUXX8*2*L}lk=s6D555T2%k%`tM+LyVX&E<)t9-eZk|3DH^U=vO`^0U_(_gvK{i*R}b+m0~Y&aLLZOayPs(u>&)y9M; zvyzEjYe%a^Q0(W)ZIK#<4}?)7RFt9Nv*OFX_BT3S%O=cU-g~f}ruH?WYMYy4jtv@$ z-E^(U0yw^tuKS3BgZ7Va!0+H{mz^<-H7hBkdYH+W54|$&Zed=c_}nH7rGwf$x70f? z2G4#wI!JI_QetQr{c^?tv6tr7udAQHo0e7Qm2QO^_0-yF9c*DeDFerB5g8hrT=zxi z3$8Ei;2UhmgKva$LyVR)>jC{B0F=CshO+-n!ko)?x7d zRc)rg;%$+yB3FVrur|Meb!>TFl}QWCy@g7c`gu!hkJ)?=<@7r(JwfHd38k{sb@~im z^0yrwZw`^N=$O*iBO+X*v!RwP@+R(5Ie23+8JitKSn*921JTC{2fKp$ z(Hl#k@pm8QOoq|KBbh?5HSu#@hmbE1hHdd$lG(ogMW#O2+SC`b1Q*Mfky&>w zBtOw$N8Len=1FfMiPR(2kes#2p`HL-;gCt8p%d6GP}NrI^QUNir+@%q)?h~}+v|WR zi!NAgT3nl0#U@S5dScBlAg!%Y@Y@ac;OmXAiwy+=m)NFr+@|YpYTl@mpg6hR(fwkh zb@POn#_M2lG7BUS&uEEszzdw$HVnmcrFDM^thv;U-lbo0mVYg@sn{73z(YI%U?-nm z@KUjmzS*R%7HC3-DHEL7D;(;04>5`-aU!mV@nzYhf~f3p$Ww~;Gqp`@cLUo(TFy+yn!Mf| z-@Q0Wj?yWhSJHk=x+gPU6Jv$>Mvb0nGc4o2Wfw@%k|>rU(v&NA=i_&p5ns;LleB#e z>oqANc+$v=cxVPFMPBc%k<$t+q3fvfhKkSIj9;JmzqwaICwxQ=4W$k~T3oAAAxT~6 zAASm-?!Mh#-^O=sQr&cwt$lbXZpFxPi}^gy^{3TJbSI0OpL24av#j{R*!t>gt~aPE z*yreN;I_%(btGfN+z>YI!PKu?!uK%VO)G=Sx?B@6InP&bD%wa+$bRgU9_>Q8<=K`$ zHqE7@a^)l@_d4%E?W!OOgv-CNl9r=BieBtCh>_?Flai%d4L{pr^*b59Cnr~ZA&HW; zFKSI8J%+W6v?)|>PVqBp2zh31O&U7U9t|GV*>1YOc{WKfYZ1sQbk5-YPGPxHjfdfA z-$jg|E(Pubz}B&~ZtozmpRH`|r@t^Q_K}z`ril3P;md*YjJuX!ADxUP4o^xzs|>b? 
z+VF7YUH#cj!f@u|YvI+nXmxcYV6q_=v))s~0gR_ita*|nKDMK9UT?)sC#VTQ9M%ZyGF_&1>IWV$9S{c3;XYvH8Q28xqT6iH$t$m! z*D0?q|KgvPz55C4b3B!T55ZEeWdGnY+DmdQ6oH#0(#kI$$gz$jN>Up>k~iR>a!ywx z|NNj?r3bTwXIAJAeK@00vAUl?kjOH?R2MI|t2Bgb4aUMt7kgPun54{WD^#V#8?8t` z!%|8}ZkI`TEhOlASaA?hX5_LH>Xc3tWms->1;j#U5>FevT1AW4g?Khi-M6l4H3IvQ zM6yP%vYUEcmMZu6-_n&FM0o;dnOE=;!dQ76ae)JO;yc4>VX+Gez35th(L_H@+YNO}EVP~NGwV3tjeLOdBv8|9!uu~W>!XHt3 zADB;G8D_-^5KX1$_(|Na9SPnDMV7s{hm@_z_R8{@yocx#1%vKiT!d^OlS+kPoNv7R`#d)(pfY<;E5HlKdd<6y3c2Q>hf0 zH1}`4d2h80R77@pCh`;ehApkMFV%mFVY@zD>yF(nU*?)3fm+^4I_$+tXA`Pm%akOLRn&1r$-rHoV%&3Ih`DIW`AF1b!1-V1eh z^}KWN0AcUCbo4}}H~6${x3tDXtXH)SPQOZ&bji*_5g5H^XwC8RnH9DC9dCz*134kt zm!;1$s7@O9dxO@G9}*XK6n=r|9&KGN?e@+PJ#B-{3Yn$fm4OZxK=*Hi6f`;oKk>5< z$DAF@eVRO?=V(f7fU{a}%uc1qG&Bu6wl#REStYm{NdL@bM3i$o=A?)uD|I%juD9kV zH-Nn~Kr&_g(q=_rISnRrhW4W-iGd*+{QX3PlSP!eK7nui2(;UIT*u}dKi>`h;dlom zXGki{=%LJCv2$~KmH7ZsMwpzpB?A>6xgbn>*Hor1i@KyAO-4Tt#Ur)n%=+)~F5u62 z7;#>cOhI*sI6Vf4wd|!d7F^gp#Drt(2-JqH*@aAgKHknbu%T;SutSbTLVJ(NZ|MCD zp{GTPk8)gH9GIjY5{9O(l3z7w7+xC}WXpGH`*h+cdFAU*0EznV+{eq0fty+E_FT}1b9!6VJn#IqQ+3F3u$(7_CV5Y=EScA{k((}%7bzu?x(ef-s5-is z6-ioO&z7ZxBWXiBt|ysWnI>cwIa5m9$e}>SM3y@*6ug0gTDnTh=|;-On#1UEAfiD! 
zpy%|s{c3|#)x77_q0RZb&7G$3LZ(`+3=zp@r2eXwq1<<4&yeyX5Ih&p)a>~SmJ7#| zS}gnYRq3sG*RQlQ+YNgW*Q{kJK{_5`KH&1#T9aluEcxQXFMF98%sy)CmayImof?V| z$I3LXoO|x;He+QIt9EK4lz3SOQyT(Z=Ty;1shO^hVeL4r%;FuEG9b@mee2-D9EYY*m={aSNJt%haiBXKGXEHrx^*9 zhV{+5R-p~y44e7htrZR5j)T)pc7ybk?m^ZuPFVEkhoV+r&rj%;p@E$ z$TosrIbs3ndfWTa`&*A9b=)49dPRtK$s52qpv3dNB3~}zoz8PKLBP=_fS+;voV;Jh> zwlWkCWNtGHSPiG^@1FWSm7Bvh*6raIG<82I5K$j{%~CB}DkD-47`FZ%uSYzYZxS=q zBTEGtFd|MPf(V4T5Z;&XQk|etU%oWcTkbI%-q6vUIy+OfTa-fb!rOyODSJp-P*8uw zIJ2qdgkjZm>2%M)0qfKYL zm8Jy8b+`4CY)40C0%NyqOB@31iaF6|s@wCLJg9GB3 zyNWhp%_3l%xMYcb)*l~em||x>_1nJ!E*Gj&)Ph&Up?a(E1bZngMXQ@fS?3D%x$)xC z!w~@ld{^m<`(zGAw^XdBv_#K?Q}5*{N#dpkE8%kvoaQGsqSS8{#s?|uUA$43X55BV zsts@tG|7TC$r0wYRI?toj&yck!jE{c1|=Y=0;59NGeN>o4v3=|R~rF!z=rz7 zwWP&A)WwV%U?qE)>_S34Al2S0t>A7|sVUc|f+ANoefTs7&CYWOmxr+0=%L?XLWhtuJIb}8c8zkhD0T6;@Qw65j%Z+UO%T?$|r22x^R#f9<2KTOX^_n18(G#;$9A=$72?=Ub!< z&=1N6=@H}ZNT@pyle8_j09julo+y)a)NVgzThQn4nS%xU*;)5FHOa-lG1N)CIWw$% z?8JPTKUB^U{OKGHbKO-thNbnei`PI3dXWNHm#w93)jgCSP1DqYh#`yT9Y!584<7dq z?^*PVvmy;dzxsJx06WVZ2J|#Ll zTu;5LH=c1P+$(*hUfD@8ocPIc(FjXwgkA3(N=7Q;vWVUW4b-R|bG2ag1*CynHfgph za>nDyhZ1J(cC)@ybNC&%#Lt!6whsMR;>({Lv zWxsRAmbc#Z@jHX9$C&=2V~vJ$TBPwp8;Non%AtZjQA4(HwTGVpDdve}X&rw%Q4Qtw z`(T44Zu&CL6maw+ObRmTru~rah|Wlp^^nm2E-|%x8Wk0Mq~3b`0Y~l%N62=kP<9o{ z;+o5Ft^E;KRVUv#;4*5$6T9{6T$+&%ZpTCQmHu+EGxv2FBgU1UH>JXkA?I}j0jMIT zKcNA{gnO{w69H(#)l}d-VT|***QMh-IpO|>hCWxny!Aa!N2K=z_;CxE&oP>jBdf*; z6r1KC{y^FIQ9DnI&|N|j#d8*gFWlCflOuy7-vsVI&n^vqDCp|7_y|JkqhV46>r`x0 zD260%>0(hmVN29YxH=Hm0`9@u>EN%h*G7ATv!DHl+edE{I8i+aOn&*IrIpQ<|Z&m>seu0_{16}pmJchcZ=@9zITLTyzXk&f6@VR7;D`A!Zv8{IRp!{j1<1 za!9+Zlp-~xN~god%aerWy?2-8>yi|QTsieSvLe652$#3f6+`q}Ddmuw{?M}IBO}+j z9?HJ@MeBFX;4m-7$VL4-=9?Z|dejCS@ir&->b|sdhcWZ_!ltjtCKFLqzhE@mD7FZx z`Nr((nt0c7`_;So;SbPqKSeNxkB?ocrX@?ny))v>!b@X4U%hXNKusOZ-&L4<8*_FQ z8Z@Rs6)`lt#m}k^L9!3G>8)^&EQe?af@^2D*;Ng%D`gl-k0rRgtX?-uM|3GC8yrTZ zso@;XT%osd+RA;>!IqfP{zL)~#BJp@AuqgY9``o&ZK<_^B0^tkCt3co*Rp)%SGVYA 
zHjWx9r&B~!e0R7BIxhCz#|fz43X0#>(AU*YyN7XeGk_`E^yjs@hQ_qV0vRu)b5tC! zQ>HBt!#|?HhOM9&Z3k9i3H0b14#+E9lO5(Qs$Ny;eb`#b2Oe%8gotKQnq04{Vtw*R6i_|Qdq2NjSG7J7@I zG!c*@Jw!xmsL}$2BE2JBsY;dJiFE1GJE22D?+G%Ol0*RHs_c;L=3iY=-3vLyS26*(0D7$vIib)`@5m-u!;3T4^Qea1J>{P)rK zZ$~iN^Ji5!ODqQ%@)A4REic+tYmbycVc?ACgFmAOgAT-kZ#WN3S=2f7sOIIe_O;XI zBi{%c(WD%@Kx#skAK`qj!Fb;ZI2cRS%^_Sp;UFe#c)&8;`O2!$du&;*bNL=QW!)o7 zErNa$^5zDkvvvlL6_VSTm3#jZAn?>{AbQxI;#kGfMh#AHO%SSn)*tlc+|rk_o9B%) zjf3egw=ch|I+Jla*Hnve0o-*7{uQ8(=)f96rdnQBsg@eqLv#JYb>oOq9>#XFIOvx2 z@_eND%tiALx-05HLEe9qVTB!3Rgs4UMYk|k!t6ISvLuZ$2a7sj)5{3UREaoPAtGJU zoNSOb@Ff?;o&5F2O8+h$c!Po!j`7+G3L^TKz;cjM&uCf> z;DSr+zAkD~jFLujYBh$*wm*lREA#7u!6XaK^wXxmdXtos%?;?349Ep4q(mrsh05IC zZ~~UiT1wukXON+Dd^?N0yE_4e_pf)~iDDZ1D6T)-V)!cewsV<&{FW4F`iHU%R&w37 z%z$OVeG}eT*V8N+LDZO+89IF&N+6FUTy^~XQFFxK5y?N~9(JaF4IMmj$pw^W{C~d8p>sQO4{1ZZBHepd>1?b!g7=z+TPul}|8@N9DAS@eyBrm%SP(mx}6`ZbX$o!>;BM9wjj*YdtAbBl6p z-?v(AmF!rdz)KgIj^@LhQPw{hiVN*z;GX9*hH2EV9;;kXm%V&um{N2pVf~@PEk^%Z zIgiTvOf~3s0#aLor@D!D&sehT&0+NTmmso%g(C;$C}FA{Y5s5$X*#oI6-1mU>)UNi zZZ_PQ^~G6Onwzih8Me8TLlkFNv24pBj08l$2L^*({v?y-c&aj(#Fk#R;EgVm6=NDp z^7(q6nb;t?jh=I@x6N&n;cPpN|37vRdbsy$tnd4#sYnb%o=CZcC0m5Bh)DL*s=Bpq z=(p~~zj{zUiaFV;XG8vD?KPhQ>J;+$8*!mn(JmIPpG8@M2IHsfx+Fp#(I1D5xoJAM zzt;Zq$xb+%nJkkL<+5f74JkfXkjl`-HDc4cAei6cN2G8?ELF%BhBN%^IGwm>NxSnw z{3&CO&NY2XOooWfvRicgL-rB|C6c}}|A`y~aTMGULyT_5Kfxr=7X|~{BXLGF&`FM> z4JYblr7P-wdXpP5{q{x{e$=8O)`{M&1M53>i?XAkS&{!(FmUme|Gzg=aLk8F2;H{g4o30(*wdIhU z_&APN&ILr>6Xfh4`O4b{X(h89g{o!#(8!OebDYHzh7;18Pf!*Dz1*YEn!J_+{}MPI z5SwEVe@Ofv*`*`;OozSk(uDK&EX0xd^>AY_V`OC|1mLB{=ngDoT4__#>23cr#ihSkHGbTHk^mJ<5Ik#!M*U@jE(x zp7`4ToSTAtw^tt6OmT&yiF>H-+nGO{IH-%Kw)0Ubb!0D!_z^@+a1xSwEO&n_UU+%< zU{F-=D@hvK8BaUf38Ka;`pL0e#L9{0?p^s+B%$RAU$=)*zUV%07~JTgAA^~{?}jv4 zBN7>5n7AQ=J1Y6QhPMsGq?|H){t8%|KB}M`Rt3NV*y*?ip@apaoaW@j3+$SP&YR?$ z=64LzCWMF6tHSop)WxED-9K}EnyU(g9>r7H+n9_AIWrSEdO5T8DE`$QxDPVHYDaQn zv~x(|YS@a>UlOfr?2L+7>3U}xoT)}j5IbXc@0`wKNxreV!EbAEk`FW=)9@U^rU@6Q4u2(W10T5m_Zcn_ZI 
z<_7?BZABi!c}j5UGbg~xrat1-3V%IWW;1n&HYItIC@y)}Q1v`eQmnbU?w46+TtQfi z)Aymhc>~+)k5QM5sPH~eL=Fp8S1SW2qxm+CeG?*5Y)S8(DW!z(b%X=^YavgenNq30 z6dx(6FC&O!BvHuTqevf~%C2%>V=TPwNql$HW+m#nmD|oBb?j|J!m_tssVZkWuXX*s zs$1g|5|ZEfm>RI*S%B!HvbPY`8&mvfrC4m?R=or*5xjxhUk;?(E)=0@Y>6bhn()NaS3;|oMB26dFQ{kzVQ z!I_53KFDA^G!Om?bIQ^le&+YWY{CiQE!pHZVYV<_AJs7TAVunfV#jKbpjMkZZW4>= z$svb(qn(N7%=>Pt*NAGI?+iHpygR+=foRffe)bRn+Tn#+HoRr~Vx}GGFO9oU83(Fr zx@e@@5oW6=y1*FbQMbUJ9>cv58sbn(`}h}VO5xM?{cF+vewH;8y{%={&v2C3%;<*VlhJsj#6ul3M| z2a%Zg)lr}zpg6GMJ)m$7AWw+9eXeOV(xJ>*0<`EXU`&r$ijzJ7H`JnUc)Qx@8<8HA zdRkTELI>&RYwvzHs+B+dV(9z!xSFIo^fH<@POH-@Y^xNZSO8X7EiCjwRMpIe8@)POxb=^~=Tia<;R1QbMn1F+Nj3t^ryVC6k z9E`K5Fx_Tw{AHiGbIV`ds3|e$e|kcf9I?i}RFyaL0|Pl&!GO@J5v$`Zve-0~R%_`J zv8{vq5yQ@f;R_iMW47b!CJRl}iWrU^MsRKR@3xm_zRxC}3iwcKS$yD|@V zMuG2xS+2G0#A>-l-D|<%`sv?sG$C9sOSyk_g9aGK6zftMr%}W# zsJg|Fo%-N7&qZ+jSl+dx{he#k(Q+8TBZUHmnOvB)+n{M9wcWLNFFi=vqDIPq(DJUS zcjrqUkZtn4#Xtows*g9#a4W22SDU~X^3T~h+|+Vz41Dx)u6hC*87a^6bdFEN{Dk$zj_7vM+iHL9G^EFd&gA8bLH(eVopLiO zuUD8-?kt9W4Py=byY331hSi?eW4(H`so>gJ=WvCmqQPSEVH{)=c+EUOIASrIZ_a0$ zCACaGxZWJ6p15p$=Zj@SB7=cC@wed^1IRqc6yp`u#)Io*{RI~;*)!+DIeEYe)fV<8 zkYlqw9<-7A`{2ZWj^jJ#fCxBzpY!baUxKISf3IgsX7@Zz3O1Hn>o>}KdUGB|?eY~E z`q~IE2?l=7FXiv(=pb%|(_Xv44UqoNaf9fU;QiZ&D|RM~U*OspoGImFVHwrx>^)tG zJhylGMnC2H0DY5~+I^iYPRM&)Bf6ao?~TNh=HnWuD1d5hjFsr>GR%Ii$@rEfC$)_U z(M+M%z%a3FrpXlhDVv}E)xqn|-Y9|lK*o?sz_%DJ<9cNEGJ#0-4=TQV# zb350LN?Rt+>E+McIX1VShnvtL4w4_-q&T56F09rfEmugEs9Dz(u-BA$RV*l`jx&OV zFfBI2a1BRAugXs90=pVP8DZusLFr1`d3s&w(!l;-RO zAcU$B`;QvxxdrwdNGXcWa*~ItCn?vQX!cw!t2ll*{+5(w&uvy1yGKVC>G7z zJR4}qf;lWnBXvMM*-Uuq0%87E_C+&1NNu3vdB+##yk2t=Abm$W9zrL2DtdQ2TP$81 zqY^S7Tk*44zN{*@d{y?bsa*>;b|Z<;6ucT|<9K1krWze4pqQyBBxY>$2$PMZndf z|hLoNOL{)vQvtD=lnz_6aH)ak_;i+z|};R2 zRny|vlnUb1bsyD3Jjczxuf=Y<&$l^e1Tw+<{%QN@z5dfM(S50s$4}fYKM`5#vphI- z1zXq25`pO()`7E5H6@OUUf0#HB%CYLAIFFLi^7$#eev#)d-FK7nnid|Q*W>ZnJKnb$9R^kAg+`3vNqV2FVc8k>iwBUk{s(DY0rh^;GyN;3X1b_>eyFZw z{lrDZt)O29^zViJym=pz{tbkBXABp_&U3V%^#1pk!`xcCDKmAl=cQ`ZTdvC1?~Ew! 
z{_&zeA>PlyUZ5e}?X);f{ppWLr#fvGV>7Tl_3m@q2eY&E@&BXmx%^*!kM}2P^Dk>l zDl1(ph=4Cn&Rbz4D>|6eatlYH5o+Gw*P6-Mx=9^=QNxI0GHpv!osplWRBXypb(wjb z-lpoN5Dj(Hq22}!8L3E%U3G~(e&33#-YcIa*-MTjbWV&pHAW&Mz`Gn*)Riuuo#K+3 zR=Z;VZlTZS#V_|L70)~DDJek>q!c7f;*4Sbk}%QUY`QjNoiig2VlZ}EHSGOs&b~_9 z&X(TmS)%^Oh`YyL)L(|-d010O0C03Wu`QXo8Jm&*n2@H0_-jBEzf=z2 zK!c(|)M8-K?l!=>5;9>~g!4rU;5;cw>{0`)nyP$p!cl{dqDM~X-u4)CLz)9*k%$S?aXaI&~ z6GukY$9e_Ch{L)Wi)~9CbdTSG;omGBCtOTj1)fTTuo*DHcj>XzU7b|=OG^#g7tW^g zl3-n#XUyE&76lQRGqHk#N7D|eX(szu624jVC&*6cNOK-6@;p37^!A~$bwkr_QGVa* zxQ(^&tf}0%vSaI4uwQXEROEH2niE%__z+wHcd#Y}MAU@(Kg{VPM+e|c7!aSAw{tru zq{Kd^eqMC0f7V-jFX*)qWYqh!X<|`S&cUuk^mlQ0#puXz+duiABOsqLC&jtctenw^6Tj1XB*^v7I>a8 z*93@&EpRka;2K_~3PbpecC)L#1Ab5`DtgkJP6ix8UNDsI+8F2i@!?YY#-otJ*F632 z-x5f#ge!<3{Yl`&nEO8q?HQUX@}QV-9i%YtbeY5Z18(KX0i{}1I)_K#;p1AX5y{%G z`L5cLmP6@(6q_6PrQ(w`1+{$WLUw>!P0?z_a@ zv}VuNoBD>9xcLP~FN6$g;4rs{x#!e*xyFC<_TY5OaN>HW{x+}Vs-YbEW5-JpiIg}u zFmM$^GSdF#iXxe^%KEk{5J<|MNg%jh8PyJmJYkk-(HJ@T++A~lsREo|q4DUwG41=N zCcDQP%wLC##TUQIC=Fki%?nw0K3g>1pt{NT=YnORslF&ks`{=y0^%y}*^-is->c6Y zU%AQCqLp1#e=HVLb}YvCA@SL_{=sYkdn`L&r<2$QY{@=Rvp{eT;V8|1cG{@_+o`PR zonG763u3b;#uC5gA%w0>OJ6dl8vZ4?j|bVY2Pyxw z9T!P)My`VS z1HKQ6)8A(UfA}Ot)x_02w0e{hrbzrSDvh_%)0FKfT;V=Wwc}Qx73m&NhI7+Eipv2? 
z!`jJ5L5D}YyhADavg^m6wZ+RTaL!s-<+`W4o(v{25+{8gG~k!DLV7A4c?qxX5|$FY z4}Tb_3@*zd!d1(;qJE1@?Tb4;v$3Ny-8G1Xe$HS|5@!8;XCWcGMDa*@Vah<`RqB)i znKs%v-o!cPtW|5^3fU!bqKvwcVVCXqCFNCC-%NGm`fgT|@~)Jnr24OASP2KwO)?OI z7{CJc=bAc=r`o$Z&#TlfpR<=VdHv+*&56O&$8iRWYj#Rr{E*f$uhZRiydpMDb(|Z^ z-a@_G)LVcuIw)wLJY67la!NL{8JG?HsPyuqQc_@k=KJE|?MRoP=~NG@;5O=MyqhyR zx}6O7d9S z*P7E&-KD?NzH8Q8j|U6!ms1Go_U9cRgZP4-bcf?%vDDOtgf61Qw+GxKIxlr6WSgIH z2@Q3xCm92=U_y2)QZOUwcHOB1a-$ui;W)1(pgKTL?~|uekB;T#U*w5c*Vd$zWKZ7 z3?>yR#edEbsfJ&L&M#bLQef+`Ukp`r6?I7-u1?Kc7dV&gG+d-6sk%bFXoe}O8`e{p z?v_!xDE^bCGv#<1tKi$*h^nuzk1b5M%j9;+jj4UXK|nyGzIw-a@AGMOC;rJzl0QA3 zXr^eYg&Z>pROp~H)?Y1=6?L5V=XNGFIoztVnWm%G34>gFJUlsw#!idtBZb`^1?IIM z3~udK(&yXGXJ(u9w0$N%G97&VwoPkVXY39zHMTP#-h`?**0;w~hIZ5?o2C^}lYR88 zwR|Ugg#7OY!X1DjqBcR_z9ePdeX7y+4DUMOPZH26cvJ5DYcZe`f)>=Kn7c_73lP}c z3P?S6^60j-=m!r;b*4LiZT7uz;o6iZ|5^?q4AdK4D4jS2Z4z(D6=qr!=FE((%DivL zE?8Beji&0Ae}QU`m1Fz~Q4A1Xi93^aFD3p$ofl?wz}sY;6YCNAK3z7I-o!D%0sQ0do%T z4DE8>gR_>xHaY3QFpVxr1s;UJ$LWHJRp0IN7|L4u<)>0iat6cgVRZ}gpO5sywQHhv z+vB91Dkkn3A6mwHrN*r~S%D7%)d^ku^vuPJZkL)gM^fj9`-0>Gig0h_bv2(rsE3_D zoM?bkJWNx3(()H!57P0u@`}{R2yoyUQPnnh|-U2Q4VM2+S_|isfZx%%=((Q$l-KW^((ncqZr`*|Y;Cu8Tza|swa?nvv9eyG5v`y!Ti!3r%_-R{e!^D6PF>AqMkN+-z`tBO0VEGB(TZ6xY{XB{G>g>Uq z#}?TmBu<3;!~T}3d&#~MN}zl9>A35Kiszw=G_&A{)JiyKeew#8Kes&xQ#2~4Tl4vm z^6#(}{ok!J?+}v|)sgT1TDEz9co%$K?>748H_Ea^$Hd1wAn`gulwPoK{p<`7T}fWl zHeFqEAd?c~ucLsYb{5du_+n%>rGtp5KEm!sW+AP8Xu3-Q_tBo>6+BvqvwZt|+9|L8 zz1?~gNxG^&#Xvz+@gJdoToYx++2q9qdj&4qmdw-6PDnorNX_ed)+4s-5k+5naIz>m zEEa2oL4*@W8GEvSu&V+HX=;R%+)bOc1oooIRs9E?1rrb|r&-g~Gllw3Wd3JHj8;WPVi4a=}Tb6B~IYMDrI)2&d+R^TCFkuq6O~9wRGPUAU zl&(@)f50VLV}!puMmf@c;E6Dzq3&3_0-R{4k7LOtEDWiJ2z$0MxTShra_3m%q%sfQ zMV!9JSK%OG81j?jjsAqm~fXmY*WYFnz1c83yg0k=s|rcr3M68 z2I9l2Z)D3V>M12yzn6`;eOsEUVLLfa7*<{beYqvW#g{7}B*B z^B~2u~_FnCaRHmd6+mmm3e*K zdGGdXtT*QOVr6}2%{oWSo%8aN<(aY0i>d$5BhqrC2>z?@z~r!)+jHIp*=OnXdYN-z zIoeV2OtuC-&?VdSPfc0932spCefrf9v1R>IiC2%SD84y-VgXnLIy~KUo77${EW;QR 
z*Jzas+e352y14shc$$7YUC`kF0FC}V`Gh_tlA=P9L|=lm$1hgdUG>3QiOIf&0O|H} zMovyUJrJH1p&$(#m^2)#D+hHoaYoiP)MG>DIr2Ps!yO$T*LhYoq|Q%h7+Fw+lK6h} z^o}zJLXbomwwr)T0J2>W_UZd`Z0FO1h<8LR&*NnEezzyRr4>?H-*c3l8!r2rnE}hQ zdheu!%JdUPQ_Zpd@#meXmtAO;e9vEQmNBf-%kKLw`0W&r)Z&RT_nzY;$2`yNk$w1F zrFxurnE31W`Z}TSo)VnW*Y@P637iCZj-2tVKE&>>!guR?p`}OgGIaGLBbbQ!+8B!)B{rePLQ8e(d zzPXahnDz2|ZlJ2;iyk*A!Rm-RhR;7M5nd?MbDE|c4#KRUqI=HA3d}cUa!j`mYnmro zUSKv??XDz)9ak~2)1zNJVn1Haa)(+rSa9yLW(W zPQ9ESa{761JAu@yA!sb-z|+@n}09=RNIX+Rnm- z_Or^%90ouJWgOs#7G?UgOpfJ2_L3hlt9ql_>7S&@Rhif=!-Z)@av28@L9(uolo?j=l>ceOV5qMXLQ8#mx%$g4+n z&Nb;lrl~o|)9^C@NQ2C5CEQMPuuj2WRl@oG6gtl@#g5pFmzL^VDEaC`Km4W?%21pS ztO@EPppo8e$?M2@a0Us_z6Stxd~o8m14#GnBdkHg{3mkM;NR2hG*-67`7CG2i#_7OgOh&vS+!rZJ?Vn1^yicUQB&l^UuK_+vojj@~^slM(TOH zJ~P;fu>9FMXVg)C(#1B!o84bCFf__Be|Ev zxM}GQgU=teZjJM1Q;lCgek+)SJTaP0zN4l8F;mb4K0&wR+fuEdhs#0%BpLHwJ9Xkp zXZBNo9cqR2`Lklpix|@K7Z*)n&0WN*bzg2ruoZ*T#%R^liRTk?u1}9=r6~LG+Bn81 zKUd4&1l))7VfR5qo49(^u;CkwUwpW;*!8cnhjkv)A{LWmed6V1iNN65#|h4l{>EJ9 z1?*Ud|D40wDAxifdsAO_koFhh^70=ss`M>tKXs^8$x40@5EGEqD^)svU1H72ltF&^ zgxTuSj(7@06`q&dVIV#JViOjV?v#)}S1mI>ub<6Tw@n40SP&1EHSKr?l)@H13Rc@0 zdw%-fZXHhyt400A1$g{|z384x_cbUZNWo2_O}|yoDVoarMl97`(>ep#O&&hbk3hqdh129*gKy7izIUJG0Ghzkns_ zwx)G{Hkmh`*9z9pHVSTRV05JWX8df+BA9|bpR60}wZG#f8VUfSL7ZgvNT1%KwJKyZ zok-eMMPSXm{BUcrly#K8`tyX$H;QbTWY=U-J6BVU8Pd1qtlV&EEa9qW7P|62?D(jw zol;ydAPj47&fZ)F1TX-tDB>wN{(w9KETIsVEGAGty;dZiN04n zj630>1BYQ3C%GsJD;bW8@9^ht07T(yg>5r(23KZ#_jxR(w=TDm{`%@V%ci3O@gn>!pno9F+iftMk#UaZ)Qao8Qe&oG5_%vs*2rW@ zS5hRP#Vilq7Wj$Ip)`ecbs>GM)|UIAzRYn30Gl)50-8%_P=9b;N@!d%`n?~}Gs>pz zrwPP6A6H}gy1nZI;y|^dk$}spNMp)WH|jzO<6vM=zG3#pQCuScQAa`2k-pzlOyqj^ zvn&+0f|4jNwFOZ_P?90yM`XAs$CT7g?%z*Yv*he+l--Z~$7ZDw=`S6lxWAZyKz8qj zyerF1SHnXCP-Z*JG++*<7TNrMXW{ZpU3Hf3^W(B{iH#54k<>=(S$(p#N!b;MtED!2 zB)Tp!~kXz;gY_ri$i0pr4|A zy%Qg7yf1qF+s;x~Wh;U}@p0>XROkE5f}!C&brrdyzirR4PCu_L;V_I=b1v*fpFazx zsB=#kz%)Dp=wSX^iiyX&TiS^ef~+u+1m5I3g8kfIY|AW?$H(|H}dV( z(R$VC^Bybrx*h4F6D0*Hs1rtC8Rt;J3G?v+m?yEQthOE1d;L{6}Uu 
zYbDB`7#9B)`{|s;;n)l+lQ=hf6Dyj@Z|5{v|0jNEDEzqqhJ-V>P7f9-=_)`rqre9g z+PI1U>zw)cE}%h)Xko=lT)h2_lg``T6A50;GBhRir5qaNsmu9<_^SL+SHYOvveV1Uz=SPbBvNQzGU{jIrm^s0T;ZMi zy2Xk@=ej1Dr*J`hbIZ~B51h0g8o~^>V%h5AWZYX}Zc+8Nlk6O&o!v&t#IO(rSR&L6 zR^GopcJDznYlMGO=T`XeaW)NRazm3_Y*4$Yrj;^X;qQZYzll49E3Z1wtM=9cgz}66 zuMw_fPzU2wnC?EYqR1`dpG?{NJ#_JBLEO6os+HrY2Bi-g*Dr7XilQq?{U>gvIf$mu zKoRF{!gW)4+Fz71b{^ygQC)AkudEqAZ@x|d|Gd7{G5GtIYRrVcn`-gFEGK67BW5t{mQq_0tK8n1rC~JnXne*fTPhEG*Phzg#Ds(%l|G|3hAOz3 z8bW1^DUiYGF&s=>z&J*|2}jF%WSJ9O61etP zi7L@@8=s;;AXmbhM_y$aFwY)8MzslnvkxE^+bk-q=$7#tv*B8`Qtt5amk;BlbAdGC zg#7orfBeP9WjN80kw8vmf*`5Q|GI_$uiE?nU;eK!jSI(gt3N4Ab!qtsZ-}?O`$mA! z3y7ahvl~U{;NOd_ya8lAqVRDd(e4tXUsgQs+tH zFLW%eq}ZQ#Cn4j4+%Unf`#9%!eW}a9>jCQ~n;;;PK^kP!PHH3^mf(eUX2Rv}U5j?f z(EsY%O)JnK81XmyseEreA%ZMQo0s4c(Loi*N!vz>*Pdv(hh6sLHEhDxg=tg5@?O_G z-8lx+J=e&88)z;4xXb(b)0=OAk@qAA(RQHba zDKt*{p?`fAme(+QSM#pqWToSHeKcE3EcO4qf-UY9<2#OS=6$FSQ;%u)n!@q|d>=0E z-CJ)MdmYde&C360CzU(9#hq=^K8F&y#*c$}Ec|M*cONe;Or7u91$aJB?PsJ((A7LE z{ZxWafh4>G?W@Hg1_eGiIfg2{MGr;AWOqw}5f3Y%^B0-=IU#(;ZazZFrcz_t_j&nk zabw^o^3CA7Vv9y-C*Jv5Xgh$j4FC?6aE5Dk&Un+Z1>Wu~ZS;A`V9B26*GLM6)YPCm zL^{1&u%{?4k`M|mpS2vmcwV~xks z0$%K*$^pgEf12NUQ6NdNDzdSH8ki_ev8K==mV7(z9vzO2(6ZHPLNao;Op5!^!Um*M zj0PZ2_R}Z=p968+o^1lQSHIKi3}7=(+W1b7JO2_81_L!m5BWaxUxK0MI6rgFTj_T? 
zo>3)DA$_-IPT|wJzyq|?c@B7lMA8Vc+P4CMLOSoF(?G{ZPk{%|ZcmW&(t2%I6*oq> zolh(uQSjq`mvH_6_~-l{jhXiw?hR(|NhcL?zmBMU{Azq&(vTdN(&Ontzf`i+sS~D1 zH(C2Ty{S42#mTzUCOK)arQN80ALLE?P?ONh(7Z(PUxK|)ZYE_NbhQr%n7L2sJ7Dpv zDhZX#%msB{vf3kl3|seIOV~!OX7JsYb)Y-oSYHN5`wL^m+v8hY0k`s}VlU@>GuGzj zh>`77&6r3giw-GIUUn&V7~`#|9pVMdi8We`#%$-L$BTv|Zd~R!XQY_{GE|Pr1_kwq zTc(RO{Gk(L&^rA;ek@a72Kes0JuLMnhV~UOD@kU1Sr&;`=8dT1BG z$;9jpWM@`cmOP56 z)>8dNeQ$$=8hF34G2CPs>2%PrAjOq}djB3WS0vl$CJ&yko!)CmofD=RXTY1Hp#hwL zmUGg*U-xiD?YE?t7j@RSPzE#2)2<+weJvRm8H_yHy#<W7jIEsh6X-|pUD4<2aG`Q|{W;>jI=Gw+K4%#NU*pOt;&JdG z(@xbz)=c00y)vr|c>(VvtKf*%Us*_NroxjMXm7afHdU5D8PeH*{%&n*s10Oe=1s7C z>GxcX9y=xDd|--|nU(J?w?zF_?f^zKH6Wr$DL$bfzCWDq@FYp^Aj`oRB%U^>hx370 zX&zRv&nLUqwbTKu0uo<>3{qC-0?}KZ{tg~ecN=FE%1#U3KxBEYvKN2LigZ>u^gYin zJJY``(HPA)SoUm9OTT($jspVJDk)Z8LA}wAk7XkiD-j%r!v#ieHV(%Urd~sLIs_y#6TV87X;T6Yyr;M9J3hi2ad}Vb%X|E| zKlh(Emv4Q(ODsgX?K;!ELVDX9K-t1xU~0SovmP;W80#U)tjjh@%DnILk9L9VT7I2Q z{PNJ6Mlj}B%dOI6R6qG)dP9Tr_j32Si(|QYZJYoo=nQ<<_kdOrt5vivqq@=Wkh-b4 z4Sth2obZR}>r*3NfqirG@l}`p{GEtDiDdIX9%i=|%P;}XHBnu_Z22b4tuy&B z6)atmIh`J$pr3F&orb4ZJTnc|&<<_m`^Fc$^>u{EC6CQ%k?T=VoE8;3R$~o><3mQD z?&Lf2qO3NCi2BbzURW)k8REu>bb_-(&gGC(=h-w9WzW{_(&17}H%m>T$Ml}$umj6E z8g5%qsQw-8-QNx60xOpSv}g{tP-OvQ6KGw@R6ylv+sPU~X!S=9Q~4)nNfb}sKeHdz zw!S6;H%FM1n=&u+;=CLdu$t#Df*DT9T;|4E_|n!-E-dv}2{xNlVn70)sZ6dmGsO5^ znboPmtR+={#Zswg8Y*trrLkJ7y5re;L`}z2zj9W*_V(7{KP!P7t9RfI`KPdwv#XLG z!u%(Z)zokFg=%Zc_rUn|hsCRB`85EGQ1mJQC8(*RzyfRh)SPBB$1TenE8#>#&!1I9 zWW%oPr@TS=(I-B5vg;i;A?8Z!2TkvF*qDZ$_mo zQ%8loT8|Ej5Y9N>VSf_f8_IAmAX8ioGh$RUFdy~Y6E4OFVb-9fdC!DipSbDC9Zrm% zXb4OBeDCd}^byJHq*2>j{Y;w;E6Qffh%B<)9z-I?U$PV(iI>im|HE|B*2B^tuldJ@ z?R5CF-fb@@h1J8N5cl6kZ*2yOA67FtF(m{^NwH0w!*B;u?fS@dTWkxvF+xt*-p7$8 zAyNBw+3;X-8dG^7xk|;VZl7)wbs8Ps8Zk=t{jJp+^JUea53W;4NFFX+8%v@2B*)JN z9^o?V{Ct3MS3e!2%@NS?{FW6rLwAfcoY)GJ2xAs@it>I|-LL$INW`_**T)bT5{7%S zctsqY)Xi}pYhG;O4drRUnv$nB#J!?9n0@035~Q64qjeUxn zPhQY|lRRnI7C9j7)U=?%X`};rY@4on0K#0DrY@tey1fHJbXrIU2OwHxV3xQ(hb66#(yUMV1vBtU#$B 
zq#3(#lkK9i7|41jVzGr^{^q_sOY_cD$n@$V-08)g$WHA!bnyUHT@pmz$2*ix$Kdn5 z|CNUIKU1;(ufI&$@_7JF z1;U$Le@?vqOok?=FRq0ht*QL@g?L3;xv9Ap7t!4fE>FiF2_w(`mbbIOKStL(DObblP_fjWNk-$aOWH(PqoNLRyrM~@=?F=fVF)(~H1Hd__>45nSa+BBc z{#xFDQnkZh3YSu}WM|M$c_{805MXIl$a7mLl286PupOpyH)1*}t8rdS)0-Z7kcSP^ z4qTzc8+)wr3%fV3P?*{K9L&U8<(WbMK{@lpS||3d_qENc1P0`VN>iqe0M4w8X>sSA zoV0}JJv~l2XU-=e<`q8&*4R0!{OX_Al5VV#l8|r``^n2GI!da=4OZ~!N5#ahPwHs^jr!dpQ(OV0uMFH z0Pi^YBp~d(jr#;o?ZNe?O(FYVf`EuJhtDr8Hc~DRN8Xg9xQXsXU4Bt~7nEj7Fa7(p z@zjGJqCVN1P_SSkgrF@i(|C~TO_A7Ncc*doc*r$TThBo7dFOw?+G;p6mba^&dg81_ zzH+e>U>g$BASn=A>c2v6dkWvQ7;Ai9V)8tO|bvKGN?@B}7T z^GGm+i>$eNL=GC2>4$jw6>^be#w*zqW^4jQf+r(tZ7W41Z6;4Rej`Oh!tJ zb|8+atTmlb-wa=Ap3s+_DOLg-kcYv4L%(Fq>|G%)ld)gHoM!>YAf-|fQP%BATqlI; z2_Ug(y;s$mq{+zVv=-Pf&L1rs#IWZ1EFFJ%Q{Kjf*8oxa%isum0v@y@eqxkIzW8wz za75dEKt5O+$T(P{SEJ6ObNO>L1QXIv0DJZROEB--!%3hZ3~SdNt7qrxMX-o=mdalH zflo_CC5{c-jbaCfiR_1IO4E*0@RezgRG*~(=`UwL0uDj=ZftbJ3MSz1^>P&M_WC?} z%Adl2IGY#CQGKms$06UIJ<)BfSpf6Z%HC7SMs?n;>JhVh+{i7OtS;3GPKh2=}hYh0lh=Qs}3OY02Q>|^1^TVp64jN&7i$)J%Z2RO^XHle znPguQO=(<%0YB+K^=M6o1$09+)`0((bp=)-Y|{6pCbUJ`n~av}F@fc$k17oBOr=KI zwTm@Ni*Ag)y~AhFb*ES|cW` zqUaLdsB?}!azG*28-+s&34q+7j@KY4B^0F^lLy2`;%!QC&L)$1dAG{N4y)W9uV({M z3y_H08FjPk`*=qak%v@e1^| z%beJPv>*^l4Ck=SGi4S33eisLp19hgA^Na^pyT5Y+T)}k>6N>;iy-PYQJB|iTT%d) z{58(@R$$^xlEo@N@|UKK3r2`63C%Q@@~T1N<|vI_pe;{f4|{Ta>`Qz0+cRLg zedv0y^A=#ioGry?qDyv~TI*YmO$LQi2F$qKR6JW8{;J(C3M%^QGYwPV#(8e_y?}j` z4^U3(ZorTiyQj28tSD3Wa@%@2lb%q0i}@@M-2&lw?zgl04>a8td;J0gfpFt;ux0?+ zJ|YW#Jp4Q+^AYoh=PpzxmzJHJtj_L7F)XTm3pxMbHitc&*))YOB0fz{*$$%?LN)ku zX`PqfIH)kcY_1)B^K138NNUA-==;ZVror}g|H5$y2af7I3hUf6IuGhiSiye;afcdxzn-m94Tdu`=1Nkov|Mo&!O-`ag6^WOKg~*CGMNtp-*KJ=4kdEoCF?vR=sEhGSJ$+B#6O zPhqZ50YnBsX(xhlUqK%8B}tx)zU70JHsUJ9DaWqMEzTRl%a7BcG5{P3*Y|Rj?{6FJ z0fR7@^!ezZL)5&(mJJ*Av|=05p}-&$Ac@*w@y}rJFA%P@qRODSe&=R?4S9qeX~J9O zRk0g#R^Ge(ZKj6Y9@pENlGr)28hj?^2=KE?u@t3fsM>-E%B|L+Q!!RPF+9gU=l$}D z9IuqIvaFht>v(50JPveG>B0LMqIzv9=6&MA)X6R{^z^r-PFd9lxSE8|pHX*TS!KUy 
z)TR6Ql81bJhb}{ZLU|DA`R_X?SR!!@2>Y*}8wKEBNu_Vwc9^>Ph#ffQ(4rRd`^{EL? zZU)pDjCtmT-OF;IZ&%Zx&lj#%?C#+ac9N5?tOMaWS4>I`v=4reMFDV=J1C92hb?E$ zu$lLoXIG{rD2WqHr}4V&R`4ibFg#U}*}UG!>bP%+Muu&|t;h3T@XImK zq4Vq~AGZapLCt|5&o$Mg8yxQ&g|S{l2CYT#V+U_|qpy`yzi5v;QURFWZ3IUT5>mfctq9bk&W$=n}ywGB9{wyv)nOZ8Rn zti+G<3~E<(#eJ1C3KYH}|DZ(=nf<-$@Qp4rIg(WMgN#4qy9NLORD#>WR{?=%dZL3D zjm!M`70hnSL1{X=g0G$#Kz2M=6Ho4i>`7{u7bYWv-t!hDjWl75K&*Jlj`YS9^a~~S z9I)4$_4I_qJa?vmfb{I>+{PRJQ)e^juQN@Dm82TKqDE_-Hbl+B7vSk^rM~04qa@lx zPOo80TZ(XlN{l{&qsWgBSHK=866C`xbZX`{k0H;C(Pg!PB-6ml&5IT8DVdajIeyE5 zB{dhC<2uQlmUh9)%1Uz-tTf1zz+j-OcpYs*rY-R3^aB$0@%vC#qUPk=k$Pod05Jg`Xw(g9<_tSNVBX~Wo5v3~x>G@3w7=Od) z-O2r7FK4vrHzml*CvKTKr}-7`O6reqB){#AvcG^yjNv z7&WSC@q7kBJdm*H71zkGO_S1C8h|ch8kuaJ2%xtdta`(fz1v#WIAS1D)=5U)@l<~4 z>v5xsuq*s@ql5-?jAQ*oJyn5AqHB5uDI+(wB4NiMsZGisDw=Zw`N%Mqri)kh+yn&_ znLalQtFLdzJ~M+V`>m6l*JkZDe;%GR+D2!k&lr0iD4(7BqLQ!NFtBf^OY@dZx{c== zH&>vT=I7wa4o(J;dr9nkxy^28CY3Q(FDl-PDEWH*VQ1Qh#%P)(SG@p*HvW4E#ickE zbbaX|g|}pux+#D@;!d~`NW!fG*aW1jZY*9cP&KslE#EqEetwB)a=NxlF1%!!UmTb3 zP@KuX-&|Gj5Z)FP6l2kj)P>;TAfA0^&51&y);p^WmXPs^?-5(N0Cn|YxANj6O@|}Z zg~%^x0W)wRC-4DF*&R(R8w#K(rRz(5;%6)@U>v1b_d^xd(rQju)5BC=!F-mg-fJf` z3?ps?UEBm!0+|u zWfoUWW*0|I-m7jm&b?7>9)LwG&`uK;rBIVGg_E5ukqz#C7@&u(!wNc>`*xivfCbvG zV@$NzR@o06)dU_G%sNsQ9fRHjDpSmBh^P<-%D=rU^7_CbHPEl{@LpVZ}&w`iqP>NWS2tOfMWjxKwHFk5Pe*icB8DKV(yJF ztA}-4+?lqb95%W|3Zi;NF>~WE!>y$Ej1Z=2vFWLbDCsj$JH%hHC>~SGj41g&^_@mv zkH5DSg@T-yoRYEQr>`y!1G&?0nE7E+XJadgIQfr zoKJmcxev@ouYQL*_mhUovNq&)#Oq6I!NL;i+DLEz@W(wx3Ws3a05&vv0X$uW^B?yc zFxDSN_5t7w3g3>FMHgaap62+}oRhe9N+6#hbP7@lP0ebgA64NbYPq{N_<4CYj-#iQ z1%-g(AmBI&3A3W)WW>?$(wtsK10%8r=;s3n8_xv zcz1SD%T_i~88FydWANaG-EG1WJKO|M69mA`xw5D{UUZ*@gD0gaxxyy8tgWS~px(UC zLN|SUo;aQ^yB>F9)f+&EgLLiE!33~O<=AWMwJ-G3Ua+M$tmfS~~$E(Ngq?`2~qHlkWG?3hHjk!q(&z$l5o?A@+Nw9Ou)+bgrKjS>w?r)OOhNbf&euQ788iyqgZ5mT-4BhzA37i%SJo|dTLB{2j;y!(O+ z^4Pw;wj|as$T7HJTj%hR#K4uAMZvBgP)2;HU;WBR(2 zmxPehi3j}FSI@Sr1@^T0mH@Df3&$d@iR7cc1YNERS6tqn>(6;DI!5A07A$7tMRq$t 
zRP&%VLKxc-0yS>;o}kSt`|EaD6&FRCU}lTqOV1< zV8gE2GQ3miYI=;3`^$MpX{zavJ1J>Su$%ZUicbX>8Kzwo#pUEt1efHdbdc&=$spos z6J4VS?9y>1$VHq!P-VWE`DikdNb_bRomksCoBOJ?#hs_ts*T=jW{WL9=>D43JOQm99;Nfq8AUpmFs;d!Rx zLu=9HPJ;(=uQGJg(yyo0SHN9)k9Hkw#ICl<>ttGJ>**M3i|kn$C1k4fL48qM1c}5u za&lY?OW|{k0{9RheL|0aNzecaMYVG9v~8rbqxbNS(U+BU^Wk2s`81EK8f5kg!BjLG zYM*YHcyDxkI+x|#GLM{$4y6t4=VX8xF4%z3*%3QPL=4MdHec!+*ZjH6P$xf&k+TzD zyC;)%OzbQ)DegZ#aYc-xOM{?Lq?zL?IIFxY7(DSXc-Yla@lX_i3ADcNeX#x>?X>F- zz0{|>`z|@aZO(&0iaDfRT-}bqLeR9WpeS7WOg8ntR}6{wQ|(xV9uI-pdV)!Ci8Y0* zqLi+$S-4D>_YGsX{r&Z3BE@lWqX22FslvQ@+o{iRSP6ulXABeuDrv`jCDOcAg(ANR zifNy8G)ohDVe{7w2df9gC|C?wSJb42$WfwJAen$bz; zM8!F*9Qu~&`N$Rd4HrB5exKCc^lCJ1i_0f}7_JM+Y%0s%4qqI{2LT9HU9Iz!L>0_# zG|asKpS0~THu(BT`Z-fTQqYqtnX5@blmaIW3cj4?I^XC8MEcr8)Y0$=%}jL3X->9T zm|hyXv4mmtPA0!=BIhypoQBH1E6}JFx(lbM>Epbj7p`_@1{nd}OjgLuL%K`tW{xJXEvyK%#-1D=;rOxuv)pmQ-UzLCvS*1^lqB_lRp?%3FIlN=r&O!Q= zngcRBv$c0D5e&gB3vKp=aDkv+m7hal%2D>GvA7nKq#LJ_z;5`y_UwwN z&Uo<-TYe1ai71I|KQK$QZS=s7X*t;47YWrF93+;Rg$Ca_zDj;Ev0LhK%e@nq*)@Y0 zvEr@bsH#P0#8*5VXx8M2z)Y*xjfS$h+6s(0VmYVhdU!G~a#tX4eU;e0fd z<~0)bqt$NIRVA=JUvZA3dx)1XgUf21LW;5$NEHB$Xk-G!W-QEp60n?h35v~Tp%Pfy zs3Ig`R@PtyCSGJ=F~s)m>CT0z*@&7f-3MvydV~(H_-g5W+AURrrcLMwgsOr@*JwgX zvcL_cpD&i}U#s#m7E@%E%b0177i zq27bZTBh?-MBB+A;}o{I?@Hc2OBnpnVj7XYs=W_dFz^w-iQap9m*TEX5yi-eP7?jM zg)nO#uR#^VI7H1Rs6&OR6q^;{^M2zRUq{i1gv2NExG)Lj^OPmgMX4=KuIe+{en&-! 
z35jB*4z={=mCa2#=bX6j?m(-++et0&s5aW@TJcWtlj|fN%rR*ZBP)JGsuXO)ARidKd2JD)O<-o~z~Q+w(q861BVhw@fA{ z{f5Ka6_C4pAN@l=VCAy;^U~}Y73jS4}>5#B28VIH8Yg)=c2N$y{?r-c; zuJ=Qdgxb>R3a$Om%;|cbl9wNJ&z*tS!WCpWcd`f5p&tCnGtF2;E94weeO!vLdm+%d z4Yj?K)KTau4RluKd-QN6vnnJ#d8V?XaISLJx?9yu4lN# z?LKYsNh^)5Bj6+Y#oY_?Diw9w|FyHWZL!Z3 zUNJ=aoWMPB%;=pFsR5@6%8?C0uOj=J1o>ynyyq4kZ3I!vv*%0Cle;tuj!X4zgKv#| zXPsrTe~>q0W7Q>9Np~>}D|yoXo?P#<2Ufwqe|WTxF|pefQaw7J5XyARk!rO9P4Lm5}o(?(o7Ye<3hD}KnbJmH#f&VfAdAv{1J*Y^+34-bhJtC%(dVrzLV=5KmT9ZA4n< z*hcxXdZeZ}M)e|@lEx|MW>O4aJoi=qmeBeUFzJ~eD_zcUOZP`Clu)`VgjPn1YEBGk zRfVzcbA^?2bJ3loymU8^zjoj^Ha#G%6W4wEs=bRl+0$Bgsn=^05J6t(*>iKdZ4(2I zxnTAu+Waq12^up{Ghe@AaKfaS>qJa=Cxn7{1TSM6!M|S{6hC1+J=c+c)yBarfF45lngv28t!_$Q`DpHNQP#+aCU1GyMZKr(N!kXK zypxb$o)6o%9We{sbzewiC@W?@vP8;8vF(U267fN*$j=UH&tNvm5BZ+EWO}aSTYv-m z)T-2UNd)O~1LhJ2ImiC_J*Ks_a_Ls^+4Sa{?-;>cC27bDXD>B37yZgCm8E4Zk&m#m z7?rBUI^~B4EsYHIlTynX$T8;;=-0Xm%7c?S#t$R5!>*&U{V-ZB0gXyvMm;nw)xcul zQ-=vooyR4gA3wUe3~PDZHMee~@=q_KptN@iMu|~*xg?T((K=AJHI>9wKaY#oSLUA; z7nr+7SfOmFI;q;T+MtTwof<{&KCv6i8G%tQ%!(;H@ld?3OczC-Jd*G>GWej>AyDpM zZvSWYuqAE*Ev~eUbb-cb(aesf2-tP>F7@lmnjbF_($`%7cuw!8 zJ-1x>-ZI7L{c&rkt%UyggV(1Ehgk5kdiZEGjj`&4XyeqoO_?%FTh$e*P+tilbDM5; z>M%`{Fh!P;Kdwc(|M)5M;g^l)FrFEh-BuRc@SN!og!XWeeOY;UzpK&iymqY5wI-BG)0OQa$~7O_22E?0S8Hc4c2)&XF2;-@C29G zc8);I&~TF-0HMKwzw!YlSB81#Pof$3jM$#bsyeXDy1Rz%?}W&Pvpi_JWNnNslqjvw!s57UJ(-@!w7q$?WqbbV_xmrxnc$#^@z^nGPE zpt#hP_~_xt#(XKL^*FdWy(F?kNyy75XVa=Zi>o$zXNNl5>si>r#lDrG#Oqzeaz`=; zvJ=u9e@N=#?T>ItLdVvdDGuXzq&C1|7ALd9+m5!HVO%C2wp$%(R;8(Uqz$umDJ2JG zc@!%1I$c`2v{-~6!YSe(V9yiSeIt}^s?2&fp|}~RE-k7qqXUoU zW)22m+t>`;S$sAei|9ySeMD5xbE#BVPKi&*km3*-_qEOx6LEh)?aJ#vtYCAR>zRYc zH?7Mh@;4EB4W*lJ8${uc_&p*c0W4rNya<%Ab8_osAR*OY_zzaFeLVHt&yo zqs_ESr-M&^IVej1U677mls}=C-%pkb#PRY zcy@~mqgo7V$u0-A!J`!RALd0hat89Kj-ko5g7RFn&&)u?5G55+@&T0-93K5LY8Ay8Mlc5fRdj-GanOqYU7h{`Z{ zeM(5Jp~~j+N9+*HACZQ$F?ynsOCW^rfVI|`lIR=PhqiH2*3k1nG%j&NAtZ^?7A%31 z$~r+sw<`11p<}x&3XdOK5kXE0+pk0k}i9S 
[git binary patch: base85-encoded literal data omitted]

literal 106833

[git binary patch: base85-encoded literal data omitted]
z9|n*>@WeU<9u*h$SFE>uKT!@>lpGvi3)0&5>6ig>5Oiaw-*-?Wt#a2vC*d}m_IbjO zvtrPGnIXlV!u;-b55m&oy2wA^y^*HjqPKo7bK9?Hc&~gd-1X+}s5e>Z7j0L%{Bb=M zz)d!Fy9c?gYkBLDv4fn+&M5_<7{Hy6Hx9I>@7*;6vWJZ5+M3=A@6jX8dcG zyM|Idx<6|@(sklo@C8oSRX)gfA!n|N~q=g=B$F(&^Q-=x7Yj5ze!~VtU z*#|aAz9B_p&P{201CGPTz9bqCDS9kGU=n&-rGmp2#c=7u<(m-c)9C)PZhemj8GCaJ z*4!@z$ul1F9@+M<&_OLQp8bLV5^pgnU=6Kdj86%u^fC)l$x_<>U{-#2@e4VVJokFy z>enwk_jPseMSjxs#%%Tp@?sC41}&VC7HgCEB2>@-+#9Ld(dhjuMfn9=XuyRgF4?gL zJge`b71xN-)^Ug6=>FByj^mOoGh1Bz__t{&O&jI0XTkxTfBVkX*tU8^3I7b{$fkb8 z$(};?WzQY5ST#@0d)1jIMv(hM$m$f7IVZ@O2jiwbseZlr_%vU4r+TPS(q6OTJV0BN z-;??oXaK5#xif$OrXJMr)I@vKCH_S5BMyi{iNr~?y3@-xSGyOB3DD>ZnTI3kMuUt4 zxKHo2=^|(#E2~*VrkTA6q0eioO_;L5xZS|^uoI5f2@lY`%cu|P;F@jQOk3MxNwhj;rh98GO7Si7A=o@3z9ePZ$ zjY$a#Xtci{GVh8d@*T8w5)TM{D6Ti2rV7<3xmubyGq{Oi;|oCztEszry7tkKGT zh41Y_ELZT8ukY-r*vWg^#Zwwt@PDx6G4gdy|6z%Lv?lpf)3tK@aYQ-_&bZxtEbRJr z!G8OJxyq9}(HpO8FRwT$A9o+*?)TWA{v$w-vhH`i!!v(_zu_De64IxpR z<{9jqTkNq9Cp3S^7Wx>FC9k%2SEu2Cr}-Vg)f#5JHj&jyZNQx<uYe9?G>6bYz+iiCR`OTTOkBj2u z^VNqCFfLGt5^BC$UJvGh458cj zg%)yZ9k_SVs$0!>hC^^Kf{PBGT3f!p8FyReiUDT`5zc08Vr!#?Zp7CjK}#ApI^z1e zgz_f)nuXjZB+U#s)2#DB&Ds9lwKC{by+*|VzL(H)ZX)YxIq8gnGr+)SWC1;jEAkhd z)zlY!$K=DTpFg;eY{r7_>cb+mtKhGF7>T183FE4Ig{NNaG(=Vne zkIXYBE$dIT%GlWuH!_vKsUckD>&0$8eNrjBI26(&^x+JU1igx(#s!W0YN~)6`u_&v%Am>(gg|#}1Cq6>IA+e_Eq^P;f;aK2wYqUpO8+Wa5fgilF|0 z??t9j;=xXs@?@1xpndE3FOZoUusP>P?X z_=!4%2_=+5&_kNX&U9UyMDL=7XH|ZLdG*x|2z^Sm?HTnFsd7urrZ7BjP~&cc(%13N!Z}yIF?`N~Dk)q*?#=V9 zna7aGrh~TN^Mo6dyP9g4(+;wVEkUj+P4R$m{&e$}#pp^g+^~CKaY!hbf7MVBpTAob zCglekoGS9ZhQ>b@dIWViE!CvO7<~EMVZNq7>&4~pTRmfGg5=Ck8XvD|q1pacCBL4H>R+Yf6?dw|=6Gbu4`-fuB!*;w~!P zC*&~lATc$$<%`+&;~;hmd)|NeV4;TnOo&vWShxUGZFQ~0INbByk<2@v%0L!ngVuCZ zJwyJjGl06?lGZ-@qvl4ZbC)9)xD&kwPFDBq8zwmz{dtEmDlkr9{oMDN@vZuWBbyuY zc@rjMpQTyH-t`FpHPv=7Us-t>+I~{r0UwIc#$uFeN7gDrXkfrzMZsO)GO&TiCG<469Hc6TFHrHn?Z| zaN*TY?yM7d;N%5-5Q?5jfZ%~C%Z+3kMC6nq3%Gh8`n=hnVF61`%qSiTd8GqC%PxD| zXVtPIv?4%3v2nKJLC(MpSM>UL&<=r=6*?BOJ1r@?iM34*Y&ozK*J7Je&Sz3}a^SOW 
zKY5V6_jSSAB=k9LYo0Cu_~J=*ZNw#rG2t;(O7jk~7xkn)HC06_Vwq}beqSy0`NHVZ z)-ZJIUBpPC`lKXQB1testM(jWnYlgM&T%0q_1o4cNMI}|Lr3aCt>%;L3vp!4F6QQ# zkdMx?c&BTdvGQ8H^FI4REZYuW1!eP&zs|!Eg5LLA++_W`#we3$Ett8fS^ZFNtSS&& zL@m=_->rOZ;Xuc&TY1fB4a|wjM2B%;mlCG)2gC$nTIH}jYtxhyCVq=1U5)Uxi5)!n z_4=L_kvn2iooRq?N#2hVU24v{NO_FzmjVm6uqgm?uMi>ft&|R)t38CX5nF zhOa~kvEhB39_h}=vYBCK8q1ajA0il=a@`*V`MyhV7kKiMI5Kg*zW&ljah)NX#xuaq z+S*E@5R>cV8_dBnce@Zh9LefFrBGFB(3y&26?Fy67PV!IfS(82e52T(R#(n>IkYEk z^Y&NsYB&!m)1KBviS>wkyZzWU1u9;#)ut!CvV;I}{?u`^Tcvfn`;HaD7e5Td81|df z6U@{~dLzWfpt^zc(4^6wC0!YK-RIHIk~xE}4P`heyEfDDImxaTp1IdPw9utx-{6aqxa%54peD zjmxtfrZ-4DyzFGsqr|PzW%tr0ag7>)d%tNyr)Cb!O)vE^>uk78yhNP41663pC;0gx zpa0TGBY%^6pVh}>Nrh@keE*}^jSbpItQ73HTkpf283 zUh2cCUY#FY_Nu+Uz%%L|EoEhebgytK({0eG%H9I?M@5L*;A|HM7933gy(ef+RR5AQ zH<)Pr0ZOWLrSvD>9pcltZvU*>9&&Ycjbj4hdEx+$_L1vQazXlezZd5`7TfQaYkWE9 zm)@?k&n_1g9PGN>#fmZ9sl|@==QXCx#%s!|M3+zFCVL_2+XSv$avT4A1N^s2LWebpc8-1GRqzD&&~e)JLw+ z!FtRqA+F}wbDhJx&m%tL(&|Up6j(+-cdqgOY;N?1@}JfcB(Xn`6;qm`75I=o;-#js zSJQhPqNR|ikxk1FIbNLlO<7zzZ2o?cWh}}20YEu?2+jddB6P)RQH`x2DPiZUySNFY zL$EH(o&gXDw^~T-{+^ks9okQ8SV`@fyZP1Sb(h|!J%x6D1U5Ve_Wn4L#kiaxGEU_C z0Xzp~gq6w-lvUadm4gm{k~YoQjGe~X=I<2xItQjH2VA<>ZjtIxH5tJgZdg zk%CD02PZVz;|(WH*!l|#e!Q)8 zeYBF9Q&U6fK>btbmo%jxr{RMaS4n-jhw3~W5aNP}+TwMP6^(Fu{Cx#xS!X`%{1o)4 zyx?_HeQ?`{`c#Q$`bxX<3zo8I@hrY&+S6)icm=+9V3~1-$YCeh$3*XylZP(MeFbT{ zW-?@%xM6=kRkFRMx$#7^7?k_E>*JWSZ3$#+sz9cZ=HLz^R+%!^tViY;pZKj627F$ug z5KrKG_aoTY59Q?UuQnV~Z=Mqt=An90%$ma}TF1jIO>t{%mLzO{sP}0^Tmx|w*3g^~ zAwqD*dOm^rtqv>n6kfzs7r9m%1%jDXTg%PB!IQE+o*5WR?f+bJ$ z;O?XBI#|&`L|QCC4y8R0?k0+Ss5LsMlHR+~-rh1TnrGMoH??*|YXPv_NRRFer}o5R zYahgEi?VtAVHzf1pXA6C2|#ZH&q2zKu&U)X`ftB;8erw1>)AXKZ6vmfu^-8wYLB^a z)FP8YI>zi;8w@zJwvl^Ldr$!{B~gW$#br)w33@x2_ZXE6!8#DNgmk!a2piX z%{^*jNK9*zNe*oUZxV8yK{mn;(|o4+C~S_tlYtvKe?aeh!w07?}JRM z@X?4S4p8u^<#m^Pw8=HRRsBT!xme0O2v16wa;#S+b&;QTLB(NMP(NuuS9KXuJB}!f zAy&DU*dctJ#Ueds{Us;S{_}nlI(%0RT3K8uI1zj)3x*wRkw9uF_%y#uWIICR^sRCj zQ?vy>XL7B$p_W9NJ*|9W$QUJ`4fb*GF!pfFilu#;A(@f!$sS14Y72f9As#VQcoiGc 
z3uF6!Y(7xK=^dhVVcgcJDe-JY~_ zii5}0u_UF5lm{#N-kc-E`^yU|Q(;D$9-DBF=C(~kxCJlTFMHjrr6O~Q^cN0f)5vza zBS{+-W*&70Xw0cVnI~#VVSs4_4dfm*sEd0H4K-C6$VLIt1u{EajEXYG0pgAIdLqyH zv%PTHy)qw0w4gKa`{rr9J_P4U*&r~$v;?HZI;LzUvZ6cguc;B zzM%X}sjgsPovtnv+|Jgw^1(1kO9aA)a?kCpi5Vx3cJa;z3P{s*NP(40iOW-H70R}Z zM~wMS_WEthN`4zA{6iZ|>LT%ElNtH*Bw=CQN}Cn4$BW0CcTX#o%~_$GaBN6VNjcOj zgYWIZ4@V%K4{r9sXpmTZq+5%D7cxaHE`7vA*aI;K=si&*j;n9>7jfbzdkW<-1w~Jx zF022GyY~!+^Ns&TC6OQ^qDKjd61^l^uxvySM6~E-^|o1}uUI5RZ$S_Q(Ftp#M~_Yf z(PNdht3}^cH+Jps-2WG6=Dd66nR(`%ne*Zvuh?tuy(G_m4+*-tXv0F`Xeh zRM^0whO;2kH>)hq19d8X6w@Zu;*5C0tTdxu-0Kll?fj2w=TP#6esMLpIVb|8MA9Hm z{os|J1BtI>x67+#LCY3*xGp-X;1SRTKgFyY#=9z0QRwRR<|~7`zb?wUpyOQRYpsMA zm1PK#Tsyqt+lJ|xfW5#oJN*Zn2_9*hQ}!}LQp+OU5`t+&k0XA|;C*W~~)*9{}eA;CLbEg;0##$dC+D_72Bt$t(jj?XNamGAAvOZ zzn6!!HL^W?jWxx%lm%%MqN(4CB;@H7QcgU{bp+DY9tUo0PpH@{IfT8GjSYIHFd}d- zw47;AY;znWy~44W64Sz0imieY3W=htxhb?3M9QB8~hke}Iv=H7$ucgoJ?yJMTD)@S&q?q14ekeF(1 zdG^7%X=p8ce_)_}b7g!l+Z)Hgfukqu)Z-6&t;eIeKELs5^QQt=2FCv%l^JpQym8m@pw~_qcE3No-llbN!4eSRAP&{rb_~PiT1=nMtoD zKDwPG9mCgf(07oGsZV(a3Rx+L4r9t(?N{)%^?YO3wd&C@Rb1Di&ZT!V@3rtcM6lZ4 z-YF11MARo)A?%6kcxi1ySBx4fS%rP>2vf3CiO_6qY`$f^DEGjoTWss5YqSIR5N8@l zsyBLRP!`|25b%}Vt2nkNUcUR~ z)R#3pIht}QRG*Qdfsgp2!FWTUAMnH%yu;y}dtm%W1Njdoyg@I}p_oLjIo)}xU>xsrwI_gfKosSEW|dqFPU*Z`9))bEs)8PT z({rqsES)rv$#dahqt;Gs0|j<9&i#PWRU>Z6g-7z`cIaAo5@nL~F5jH^Y@WLXX*}qI#A2=>?yaU! 
zlf{0YsDdHCUvyOHBjGc0RjP6~3hD>>(W8QsE9{HE`)}QG9=|e3VW9lPFm*Zaq|lFp zdqceAUoVnD1~lUirJjLC{n+gOy_u264CGpxTK9dY_YLYL{W)PA~8pG6kKL>mCoN(erxE2)wGj+>qBEe{3rtC_TjZfXkb7mBBl#dF}P zX3op2e#}7sqY;o2&z{MG5F&a}l$hXF3;nIrZ<1ScBywOKy}GqlPeIx5=SmjFKur$@ zK(*P?Sex*kg2?}x8_bwZ1iB_;~|1i zLVU9fc+x68>aTxKI{R!$R3$w^m|a9WIAKv&wFzoF{S^AC<0Q>$`4C$*Nj}R)Xz_;5 zX{CUq<9}4pfxqw5P^py4=GXrmCNc1q^0`B`4x%1GQI9x<@9JHap5WDyOJVW&?HTB* ziKe`qh%xN_EW;3?atm5m!*U8CYAF8Tn;-c>p=)VRF>J-x#Cen%_;F?Eti=nNyU=_n zeK!z1Al_EvVRgV_CZ~~sG-Qg$FYk2(w7yZok=fJ*~&_*py$R5 z+7hj$rOoq^)vwe8Qkg9U4NJU4SU2VUw^~Lrn3O7NTthO8u_Ok&)1MprKPR_0^*@ff zN&K$rsE*>KALw(rUHmXj=5?RHoTnP!x0!=iHD0?&sT%+J=d-?}*W1uTMjzT=X&J@K ziVD!&(AKbffHgp?odOOJn7*J$l0knM*QEdG&9kSq6T7SV!IXKPk_KnkBF}r3lGm}9 z1S^KC&{=zxMeaGQ=@6pRK;WDHu2@O3tU@#lR@xPRh?7>nL~22^YwLe^&Um{ho5%yH z&D-q)hRD6?dk$@?Y4P|y@zebY?|^$(F_DPS5=~f*CU(?#<8*Asegah*U{REvhHZ|) za57S5P^AX3jlw*D=5!;nf>=inBr-g2Wm~SJ@HP{~t$QyrRL|?R>`gX+G4GCPG4t)G zE(2HcALh~3M4Em%&qry(yY@yya9vl)*9jbnAn{cgwC61U_SF4WJ*c%feL~3GZ7~;; zetXS>p?{ojj&dgPe0{N-jnvQTu4ikx2N3x^!NUo3nw7U;`H5$KC`W?#_!`$ZvA}iOg%mBM|&%&n1kA< zmvp?=l0&A$I0-$(V!P>G+?2e#WW&ij?6g}P`?#^C(=tQbH3_WN6&G`ALe4+#RUnms z1$ax8DK&{H1mL~`Au?dwbarugmj$@iVkjr+nz z0=qxOfuqwQJc*Z|I7*VUfufg@jIsH1CeynOD5ic#iB*E+dzMyfPx@Pzs4`gZOuXY> z^`)x5ibx_!Q_z6nl}91@=JXn|m%w35;7Dl{SCPKup(a8MhZYe%?q&1*detbsJMuEk z`NtuPyr2z>n_?LHyJ z3yAw6w%3BD@1|H~PO4}&H8tw%DkyyAdG2!0r{gfY(9qlM-^o9^Sv~)-j0rm!Nh@s1 z%58U@Cc3C)A^^j@qb4(*oL;=8tT#XC7y2k#=MSBQi!<7(SMEZCr=jv(UiR-arNR*Pd3AIXdf{Qk^paH$Shgn{ZO*&*cHRb`P_2_}Zg%r|Lq1!(U$8 zg&)_hq}wX)#gJa7%wu}O#2bGjl)e%p2b2xoNh4rRw9nM~93q~^{wv+*_s%FWcQHxl zQk#T$Hin4W^_-?Qj(-tBWeZ%inRj>IojH-_v>=v0O#TU|rT z46A3*<>fIPxNdQjdIFRi?U?=P_9EM&Li+qO)e?ik3X~l23Q2z+5i|!fDjLBSu)(GK zIvI0lPgJ@4n9#^+pK;DKx*4QfK1Z@9Lqr|(bs75-#}28&vb=1a@~=QC0fLgme|FL! 
zbY|O~aMB5eo{C)_3BA0+SudtIhLhArscIWP3jZt)8W;H7WbkN=ip?m&qqDC?aB}~R zepbw`+>-I>IeK7h`OH|vYhNJB*t#g8@kZh`h$sHx3!2Lb(u{vRT1)p%8k6!m_Dc+x z7PYUJG;4BrasryJnHA^HH?JaMIQAYOJrD2^(yR!301@OB#)Htag_RFI*n24dT$)U6 z=RSa-8EG1IGA)CR{t!U)=)uSd1ps!KL=M{1EN8q=1;xnVBEcVpFeugb_9xi9UuaZp zfF5Z!C}w5!G>I2t%Q6mt!`b$R89xIWGj}{*Sy3J8)DMXH>a{25p3O?Ln6a>THb-$y z_Kp~0x*UJhkgxC7I#-B zFB3m3bKSP?<)!gabo(z?v3#zA#;<$arDu(I5H%-0IXg2;%HTQbo2 z{GiB>!T)v}$=ude$Y5(*EAytry~;Ev0jU>y9bne{vGEtq`I-9Y^Wu4T6l48G>v2$L z4)?)TVEFV*U(qsBeO9==q2bowERzQ4!+6vl|5@Yxg%<3HR#t zx%;XLZ9VtCSQ9h8M3TfpP688ubafp4M>SieB`6a+l1QV(Imy|1(@K;Qme4rBGO3dPLtg7lEKXiuZyXTX;pCr66Q z@cog|msNE$jJZ zUX^(C?i)2fTHElkY~*74TvqUXchBp?=9C>KC9~AQH~vrD6B#H*rwUX3PkyQkyIFV~ z#df6KeUNPaCS_1hm8Q3g{T{LZ%d&e`P-|(AcG<6Gz8qP;56@4TG;c9y1{|&#WA3lK zrbPiMMu^}lgaI&CWWwDE+}T49ph|lEf_&Bm?fes!U=^2BzEBxOj8@>>hN%xwt{uzP z+qnifYsDEAdHaEN`ES2BbM-xzz#%zkxg4V1mcQrL;<2arkeX1~yfV1gfCXOlBE5$q zJF|*^YG||5j1EP%0XAbtnj3L(Y5s1ew*8s%ZrnO(ExN41@TQwFD;?$*@fdXiB-a1n z#)3vr&33D41GAO;#K`T8=lRZ+g72R`P5dTU{Z;+0v+0OJk9M}w?(W%97qZ0`Jzj=DC@)?)bhMI|?mifJXg({vC69xQa97T~)uuvdbr?wMYiG&NvN_jE=Mdcb7u z8MHAga&Sztc$y^Hsx6Uh+uYxz)JFr&9KQ`ZmL&`6dRBRf?gi8|)z@{TZ&)w*`LFOVQ5{DR(;wDj&tCI1XUJ_Psa{jI)VnN6u0 zg0b@-!j7v)8g5kHU60``3Wx4^V5e5=@X{%b4Aw?0wd{MGAB;b zaUCVE>hwH*d&4!#;h{>9Na2$L`)jIVm9BDPvoAeV+7tttGI!>1){wEjnUSi=q8%V| zQFlDld#Y?aB$zi!lhxd(2Z%PI`v2--8-nLz4GDY$()7e{7}}WVUDWPqVPp_GY-SCy zaK_Mv$j^Nd6mWYJRg?pJbw7RaUz!0?m^F|+U#VdVWV_~(FE-skT98ye&{I?hyk#{a z*yWH-J>&(m`8l$_q5750*T<@h0c<}_4E5U>M7pzoU6!mPSk_M<eg?-!fB8g|$!_fNS)0Pp4k*NOXaI6W``+zC^d`8el^ZQ*}{ zLJM~HJTY#ApA@}FikMYy%GMxgE&@>J7qm*h>l9D&ngw66@kl`G)l{_MO_2lN(}wn> zKg!?teF_!#GFcD)dbuL~a%W6Y8p=rgzTy*xrQ#Hzkl>3c90lFsfTI@hY4hRu4}Utc z(Bu^GE~zWQb$uyCzjw#Zlw?H~OJ7w?B45G69xmAG{SkJV4G?MAGW+44Hej}o)=Q&y z*?2HeB=7ox=fR~g&vW+pm)qZAzx~QeTaLnN@!$c9)I}k%MgYRZ$GBVVXOw!RNRGXo zOSRRK+|UluK5~4SBh&AT=;t0Vx%<)%09GTs;9+O|V6O>agmaUmI*{v9W+NO2;)CJn zV~uBpqLn0FGNzww2pM)yz7)JR|9NxEN{mu3k8fkyy?Zv@gGWU-N;5*OvT`fY2l+X2Xku29jmI~W>boZEd8fQr{J<> 
zxR|7dQEkMt_R8XhR*nZ+g&%9L;g)@?2QzOQ?KhZ-!Blb{l~p5_io(04)Yv`qWo82) zyhKP(0rRiS*09ts<*{-iQVYFk+l(T0wi0it!~TM?jI~ROa^DvYBfKc%eBabG_3GtfaVgbH}yycZQ@bAmX@dJGuR z6g-~t2k#!#?U5A!Y_z419tGtsP-c?at}SH`k5Px$VRjD~cc<|EWMz5U#%zeijJye4 zqQ9Q62{RtNzPGr!c690%G+O`2X6210>*w6xtj0m0@zW9__g8Wlo`>sxK?Piy+ewYI zz{p0_1+%!HmsmeL+-Q`2Ja2X{Bh9p%Cz{7R9ZpZ7JHVy9%T(iTCx#G|$2AF3Sw#le zJ*`mlUj53gtjsjq;UH#fwB(`z?9}6a>Rnz$e5#C=r3~$PX1r%fS{=)K>ozsxTnb%) zM>)|L(`#jr{ZQ@;Qg&Q~K;p_WvED^_&QGI_eB^3|9R2OPA3t|3n+{(o z;FTh#SL~d}q)@~xcg~aB@P{PqUuE+stt=Rnp?9EX&k0)j>F4#lmCiY#z}UCkp|QCg2$A;Wf70PwMKYk5d?PMP7L~B#;sotZS*8WxbzF z@q>W9FO!5{h0i;#p3=^?!>T=(1qlTy67nhBP^+#OlyJus0)!6C^L8u7gw}CCgIR5R zunz4>{j&?c=}awRN(a%M&_fS}jS1(&8CRsq_rMM2eT;nJo)=XVmMT@Lsa-yo`BT1H z!JW2W%RvW6^+{FD-hl8=wFVC}P zu8wLnmnXBf&$@)PYIWJmTWwmgH;*&aZM!u?5CinfkZk?}RNEt%&#gMJB(AYBT zJo+9Ab3uC!^n==8&OnqR?m1A#s2+-k73H76QIGr%d}N#`YeU`i=`8!cV{AgC~F zjkf6q^UlLPYFQ12&p)M{Jf3?zFcJw6O z_F}e@tZU~C;NB$1tiOMY*skuExuX?t^hIbyU!hOT23g}%fR!Xt7zyF0F{uD-RoZyb zH4jR{c#@3!S}@;VEvz4-{o0zu>xx=-rjneCjco51z)V^fM#G=|Ej07D&QNrnvOV@3 z4;Q|W9R#_N1OaA+Ig&W_GNI4U<2)<&BvjUR$}Ra9_*8S|{j=1}s|4i-2H9Z-8L`wn z@}`leI@9t6EX{EsOh~4t`6td<76gdE{%OVT4 z@+H3NYVI5diimgoE0A8-t_o%N)Wj8$7#taPP!~#hun{`dobT3M08mR9fBZ+q-qj5I zf)^UdY5j%9U7)(n>US#Tk|#e6l#Cf<)-|oGnSc5s7AGVA*GkOO`IG3hsT=+9t9?>4 zrp*hp7GIvX>YzWFxX002x0~fPEdC!=?juMt_*yBk7FxKp)jC29=?mlNq5$?HOs|@a zdPS3P{%OqSzmir{rz>1Q5x1Faq}oWlo^~pD^AtzGWeuRbYp1;0JO0-wB9{ttE4Q|8 z0~u*RH|m}IhIE3n-FDHC>zjy=QnFfb zuc@9!2BM%<=+iEZh?td_Q^o#;6aX(z+iF4&_1W8S)6VJ%As@O2v&2N5g`wV0 zzN|W?j#0+=E|Y`s0==y?G14G!Y?5D3>(%ly~y*Uq0(^RSR=e3F&t zP!pyXxiO|}FLOK(bacF?-Uve#(miK8Fy_IO$v$PTbdPeEYRBcc(kk;-{gQ(aOMkON z40jm7cKfu2VTb)k)zmo(c=2c$=-t6MVJ@bdY7gJIb@+9PUVI2h_(Rrq zC?uj)xt|dFlRC0ukuDQai-(`~W@pwLvc`Zb0VaEfVB17)oDutIQBf7o)^vTb=(WqxU^Ikn(4Qy_b^ zVL?}FTWZT{PTy*K#FjkH5OWHiX5YBOMz&8ws5TM!$bu8@gTU!&z;aQt6w9!g*RYTf zVI%TZCs8^(ehL6QOaP{IK#@D&0_Kp0kV^0_IF&w`@5(&dB_YPZv#&7eXMW9}86ib= z$p-I}_84ZGLp+M+G|S@LTfIhIK0B^M$K66R&$o|fcBiC0q)%;#2FR`EbLr@kDS2DhL7U$- 
z{`$TLCit?B;zgq4vR(-CG-$MwfgrW=7iTGg++pVZJSel)-1#oPO{RH=8#aI1=9 zI&)&Av!tp}KfPPr_bAq+l8!VM>Tg9FFZ#QNuD3b}C_IWTCf$T*^`lKon`0>gR@;#I zFlKpSy}T?Oblv?6PUCUjLllOu(E9PIbx7iS`Dn(gJl+_b zN+jUCulM8VMeP|nZ0`j-J$PPieS;_BcC^`#!B!*d_L$395nT@B#sg8sGIVpO>T_^& z?N6VaywBcHEm3G^oHazFfBhn(5kkAeq zIPLX^PlH!ReL5oX;-S`>{p)9A z3?90k58L=lY>J%`Q>)>u9CPTCW~Nk zxu;EiJ(0Ix`KnJ6&qx;V|LL1iUx~h<;n6z0&g#j5y>A^& zC%PGTb+lw^ntigdvl6rP7<;+?GBAxXXslElwhHrJ=k z;wIM*8ZCIaEd}Ytelc^hzWC$B9lZjxVO~lq*aaL^nTd|9gspe2?5pqjgKDi~_ zK`v-gi$8ew*?leQFZ6F;EB)Y9(zia6^=Oam%TnZe$&Bs|q=?QitbNeMu0=po z8iMQlEUv8o9E-e7byHNVp`n$0>mu((K`u!AIT5o8NmLV=B0rIrlp5@99qh@?^F8W4 zw6d*J`S*@TBEgSShu%MHWU(@1V6`0zH#tot^l$d68n5;!bTUl&r$pzoOv%$P=)d4@ zt8COxH_&T}=G6QF^|$y|B^VLtI;P$&{6`WHVx&-6qTLOx|28XpAbLN~(yY}BH9KUp z7QM#1tY4R+tmaGI)|9VBJF1D3{&R%I#Os$Y$ZsV#<_ z6j_nLsYitBn;>iov&jue#yr}vhh+Y+B_{?JKy*FHiiUm8hRUK<^L2Uk>T`yUy2qBpb?%1V% zMbP8RYMpRx&?F%%%)o4=8&a$OXF||*jWscbYS1_Sf8jw5XFH=d0P_raWiX5ya$~!R z&vSxfsK2>D5Po=vS31uE{BxpkXH046e*Nh;;{@GVC_pobfB;Mf#g-Lb-itg09ijKM zkhlu?e8`q~9syOj*BKkAuFc=i3&lrECP_<)E5I~39r?NuwZ84E(~ z$pO^*QV(ba?Qg9JYk0YZ4YlES=ex-*qXDPk^!^Nreac#u(DKsK*{Jf)Ec>Rzc0+4x zr6*3es%QzMhHf$4s2_J(p6+N4ppXAqS{oQf-7gJ?OqqjL{O?fVG->WAPv7;Md-kSXQ9`DNqGufNwLg-e5_dqst zV0;+wmJ=?$t52E>9PNy+X{lU-*n+tFBS!_RynR?6>7m4biKRb}w%LDenpa^Q5&!+s z=x~8r7zUs?Pz1KXm(?T@GK5v4fZZ$>51hdr;xB(oNHrvAo6Xuchgf2BLduNm#8SnE zg2WZ~r%|KZ6#k2vuzO@0f?EHst*3dKrLIfEr{!VaIdO>>zID~_eq2{{c**G2*kr9@fqk;hZy0YoQcLBO zDVP>IEI9r0Bc%7@mF=Tp#M6&Pn$GV3&*>r?zNr?EG9acCSXTSn`L3ZrP#jP`M!ZXj znfIrVTB)K_dx);%N-yROY02?yAm6p!IZb>&rypO?JIeRtJh?fjbp9f9wJ&JUcp5Sq zMAGa|;+KvVlpf}~Aw@It**Pt+*m`~mwPV87(6ZlYpKzuJ8%C#S~Pg@R8mh;ZT(L8II5D#0N71ZLgydPlkZ zoi|y#%oEKPwNyK0w=lx;#Iz%wZIKqBehjyyus?0Fo$N1WBvTW%>(E=-*t+QaK@EG)Io&zkXbo($#ZMdQT z6Fkz$Iw4ofcLR-cc$Btrrw^x;J?;FK3ReTioEqUd`nX4Q4vv-Xrj2#`mr_Qjr5a{3 zN5l3Ss$hbS?%M8aH;RR?q-!^nE&v8*k*L4CW98w46dJP9Mgd^g4Zh=^1L-qh_sCpk zf?P*DoF2#vEwkzN0o?WfdC)I{g6PFcZZqTL-JO@3(*Wo6i!>qYVKtHOG|rtW)7;d7 zG7AC7E+)$GG8F-m0I}-)ZMk2TMpt8>OxfV(-i+kcTeK34SPp#rm8~=>_If-1!2}Rm 
z@FHpj=s+UPCt>#+ItZFSmpv`ova$L0g^2#R&x72zuHoWKzbQJuGZFjvPsy*+^7qFg7NJ1I@b$pWS<&RRSt4b?*aD|f% zRYO_mW<&R{u__;h)+Dv}Fq@=aYWd}^0 zZy2yq=G2skEaewn1E*@Nv#>@3T03IS0K;|By|wzxKTk$s;=_XZzA||}55;`T*VfF+ zy8$5Q3eKP})WB>4TwlG`m8(ISm^{fvQSaoiXLtnO7H!D$mYGWV^sxO!X++mhJ8$*NSpGE2?3F}ktfL5xXO?kNb!KP59GUr}*zy^r3-uk~ z#;g?cg61gPVf|qu(+$WMp&W+cfCPQ}^y%RJbf`}-HAhftdRnxIVCLibpL;YQ*Y@I7 zgWWD*Tb_ymDKLDj2*C*$LKufM7|4Odcxe@=#DO4AfxFEfZ}eE;TkND%xwaCs$kz_( z1*j7U{TBKx+Dp!wBo5QiX={S2Bf~%&BDnoU(0<~SKr3f_wA0$@pqKjdd+h^{+6Vi#UBe9w(sM< z^Uo3i5b-K6VXhyQkOOK8W1p5Lb0djgcY2e`&C(CDcNAV8@iPeO z#tT@|9$6OOJ!jkn>LxW7ICVwmtO;tLa|+_^33gRDcg?2e3bi!h?_Di9%j?yavokfT z(Jvv7e%M;7ncp+5`hCp!X9PPJ)hW)$xrLUzDEsE^I^D;#6SS(Ed}!*Dx#fSLvI~8U z&GoOM^|g(Am8SpG|HO>aRZ}t`FE@>cL}Hp!`p0isAnp*P6OdtdQs~IGvr=S`+^AU3 zp{lli#@&ugZdAjtFQN5O{k_6Nbpshkvu?K4u6j&&0WBGhKihTr0$=FmVoYdI#1F;` z!@w5b;!o#GG`t(hEthP2g=siBQEjilE~raeVO)5-lxtDzTNp;~u}VNNz3@7`e*d{& zAH*l!zd)$3mzkYU&F2H{21p%v85cmVlk|0>qL#8+SD7Ul9F4;~4(02A)0ys9KKT0O zuL#`ihEg8Hb4{gLm(3m7Kq>eaHj1{&bA%gU8>1w}fjx-I((0V@ zKMFi!r|`A6MF+OjMut3ym#kg*b&tlAJF-ED}DG$TC3$Ayn!qJ<3VS@OjsU54RuYWuh zmAx9nOY-cN!ge_lJV1aLh4Yf|&F_Lv)bSZcev07*#{cf5frb#Cgf)s_JD#J5kp(Vm zHVNFSr444iKpHr#T8AI50K6x911gE^yY#Th%WkWEu_2O)hdDS;`gEJvNWeUwkq?h) z0yDO&mUx6S_=odl5ZID73PE+t+HVe=NC~l*Yb2xR@qtI5))o~)n)?j?m|!7&CzErA z_})K*B_2*15vnXNJ0=9uUr;kSJ)GC4&7Tg8FeD^4j|`6+xsgC{S^c)zvc})YJ;qo$ zJ@1=#CCtOD2IULYBMhxt)y(pm-#=ctZ4$k6SaTC@?ci(Bas=DlD<=5i`dVi;dr6R( z9NzRIvcg1rm_e+Bv^-sT+Nt=k-Qby`Ow{dW8~y0{$p2ZHZ*;>FfK3^Jf?3>?cVp!I=v}3w*Al17z1(cB8e<|Q8&luo(btE1yNuZ;Jg!f z(b+J046a+)w&QKUm-d7_h(LYcxTc3*!QX9T=T&`i(kLCvvBysmMuW~!2ZX~ zs@;XhV9OKs+k(geF^R#s3{U`Tysi!<*LdgqBM$opaV!2%WXKO506E!1B{REXRQVn-_OO*nWxf4^ibwP4gXX4Mw{>zV+ak#WDt>vWy@vb_9p$WB1ZXmtNXpZav~ zsLuVFsn*t|J1?iInK&FTze|IrM-H41#+L^DmK*WdHHxPn8A+!$x%D~_X68yoXuAzs z$w|QNBPFwX@?N(}neQQA7IGgkmgU9QqF|)vsmSpPA^c z!IB>&^1Iz;5a4&a68P+z%qQJHIkkl`2_M&X)0XN8k8=D)e>QrE^oZ?s#%`%itQ!0y z;4zdNuK!W3vR-fx20ei4ltBZ*^I7$me?J@&j99zb#&;!k=@|{rD$m?NS0iRmh>&1D 
z;SY(+5$deM8}x*+L`lmf$@ax&S(W$M>i(sU(M^BRkfRkxy9kCq|2lS?e^;X5+21Y} zY05*&uVo%WG74+!*R4F-cN+BYFS-HHw?NtWG@xg#;(lC@Kpu7l+SL6%#49cFytof{7ZqkLsX>n3scA)eWlVMwTBlE` zd_^kcwh%iae@?{2-u#5e4D6tVw0;&EPRQXHW;W;2?`8VO2$2 zw{n8d7s`odQLL9XyLdnx<%+$d&lk1=#UH)<$=dw*$2)-j(}LtnfH3TW-Mb>QD0gx# zW{;8LeN97kOMlOvp!ZfBtB2~?U{(C<+*gEb-wG(z6qrwCnbg5QIm>jT9yR|)7~uDH z?*6XXE161=6)Ii3Z-EtD+ZFry!|k)%9r#9bp_P9**T@zk<*vntXw4iPN>qx?$urKL8uLVh~@gNr*}LvpR(T`yW-aP8V^{0DC~az06OzpLsM{;+0K%|UfFW_bpa-|@T>`*$imLqrg* zv!Kt82^>nn%|%vQV`2Xy_3JqJTpg>Mwr?ve(>@x5W?a;fO>qz|z}|(-v;v{&$8~7n z{FyE9XqeO=H85NsEjE#y!QQR9lS2CbX6VPsLgXG-W@aaAeS&nB=e9zi#r4hBmI>T30Tn;v(^C|Zs_d3vVcXjmifV6&8l)Qt6QT)W6KfE4 z;?0ao?qop7ADtkjO*-azD_!15>Nf=X){xu9CUpdbG+x;h^GF1oNDnHl@?NzDwA<&D zNs%nh<)>Ts_|ASlAd52~99B;s9fFj>dz0Q26%%4ew{mlAyT;8*9Cvq+>NoynL3JL5 zl@oMld5d8Fe1G7^zgdBYmDj)LTlZTpnYH=)`g(Z$S_twGKUMNwtckwHTprU=a!}RL zV5FmnOw%1+9<(fltLP{^$ecXJ^=s)g0TM&829Qwc%^cT!@ZLPQ2c^lEaT}r=0FS9Q z;^mw&FDq~a?*YW6C{=%M)-4xzwGSwwX{*R(;C8@Kiu?`$qEHGewtNBg>>eNfl8Mpd z8`c(CCGKkRqCelgp;C*;jHd$RHvca?-zb8_5DNk%Li+gPN}nv;+`Pq<9bIkaW2c&Z zvm}-EORf^GEKluaeZ1{t2z7#Ms=$;3`WRUNcnm9C{A79XYaBFGHJV&!2 zTJC%4tV7&On&m1^t);tWY=u1)<;H%HR6XPVe-ABKA)S|0v zt)HZG{^1OYEz#z+zACt~Ch2cL|7Z_YUV6SznE2pU=6Sf8YF+$4^a16%!^-<9iM0m6 zBBXL#IV)D4@uuZg=4=zjvo(K6G;a>E!{z~MqjFsO0ZOxP8?D(Y>!!Oc|M z=+zVJ%=T}|+&fy*TvZPnf6Vh(e|mnMoyP0;;`D`8x#`8d3&#SjP&Q3gvuoX&@W5u0 z-(N7pNdfcUe5EOG&;wj3S7@u*hcxgx6`% zTZTrjRG9Er1RXit_>W3OQ9aSTVi_2dsv|fZ@EB8q##X+ta##xPKPuvrjYRA2P5I4F zwg2KlySIINHv|>H(XGN!m7Kol4W>Tz8dyp|Q71RC4Y=Jh5tfVbva4Q&rS3UdkpYY` z=VY$H+^>2L-u#+;Xjn1a%{Fe+Vsn8`Hued8G3xoEdW?^% z7S8_&*f9b|5RfU={P=${g9Uiwsyo6z!ju%$t`U}#R{7|Oh@I0`gV=^odpX;SX$gJ} z1_eTVy!H}xmp+T$eVb2nQM(V)B!ICU(ux zp3a8^|FimkOu&#-pX9uAm?=fdX1aB0=CkvMYx=>VXJppmA0OZ>KhP&->8q-C;8+gD zK;?jp=*)TmHh%>U_Lfky=hw%G%(wUr-wX5nH1RnD7oTCFIbZ)*S$y+T_)2O1)fS>H z6erRE;U1~9+c|_gO5Z5^SZ)J*0^*1nK2o^+RfA>2{z`JYNtYu8tzviag~E@prA$+1 zfH-P!jkT4Bl~;NBpi6M6*6hzo4Y7(v3!S!1*Hgy_FYza=HYG@JqN6EXp(t-Zlui@j zO?pE4Ls7s(_6&l93b$Vm;!)TRN@@wbb7A+xke6$h8^hg>`bJE;0 
zJrfPU^R7U#5WssAUjT(VyA+wP1c*!*PB=J@^vdZUh%C&lg0XF0N|mAuuwQtAW3qVn z`H+_N1P~wvMaZSZHs=U<^!lh+Y zw|9D1(TYAWq@N8}zyS6tU_e+9noy-%ynKX@Ic9M_!O#HQwQsRoM#G+TA7v%VUXn^g z;aNUBt|-bVq=`M1WPDJdjvq|im5XjxRA_A~b-8YV5efa2w3_pTuXFgaf>OVzVUB*| zw;6Xu=W&~&_)$V~ais?@>vT;6OhMAktf?u@T7^z3>g%#DYewu((+ICe+_87v^2Oy) zg~f6eD4I#Iw)P^JkMFal=FU5ZpCx}~?W(gA`qQq+s6koj z+5)xPO<#O2CWtd}4nXLEe*4R}qQYq@uF0O@mzO67#$>1Nx^}YQ%gL<5t5GpOx^9wf z2<++j%$*-r12s9$Ie`VIq)=F|O=G9iksv(bGBCAfF8;E~ZCogpu=KFfN`{!yUV#$( zcF{y(-v%=U6ws9?z>4SERZi0@7e=8z*DdH>7-V(C2LwzF!w9bwZce`T$-sh%A}QTn zJQh%ME=Xe9x*UV*iFLoS%dYQ5h8lT7>vv2xM@y_4jjCwK^@5)iEXgzcSLYGB0wq9f zBiRs5dU$E$^=127pDQnSVcWWx+!=yhf_ywA+hu~wa1PWilXtJD-MoFs%8si$hAi}A zDRG5xv$?)}vD)-L<&9LQiqVUVQco5uX|(B+X9gb!mKB{2>3%BE4iy?!%uL$vsH-T1 zM6uz{4fZU{h~9&I?Ai(KMp$w1O|n}4FIW1Ip_+!ZoI49%Ihu#-LEhgb&t5+UKe$|m zKiE6Nr}W!hCh)~ow>z-r7`#tY3UIn#5X8`*_N?1zw5{*HSpVA_71|v)qh7=vlhw^) z!nb()HQ{RIq)-HyF!vS|toXJaiX|aKy3awaxlP3`A*YX+)E8u_6G6YD2cC0}3*6Cy zR02ifiP~+1EPg+>Q;v|I>xRU*E99(Ixs^dcCjAcy65{K!9|a$v!vc&lucRAnpMWzi zdQOi?#Y-MY<}O2qV1uMCFK|>iV*?Bjav2kx^(cM+_ryV6x>P?lrAmOl`37Siqb?t z={+JHgn(2b5EUs>1q7r>lqym}?+_q#q&KM{p-E4u0Ybdb-us+0&N=%(#(m#A?x#EU zhm2uj$g|d*bItjibItN3uac$oC4=@AU&9m!U1qh%8<`K~6VBbfD&(b|T1;icgBA+- zL^ow{n!TIM)y?-o^TnGpod|W{L+d=Sz^Azuw`(5Y!$Y)lQ-+!y#k0 z5kyWt-1_9ii6&gH#vikHm!3CS;E`l!gI~o>cJ+HoJ{~?dcMu1wwrR;i8Hb}MyGnVH zI8G@N6+gy|8~@CO#6$?exaqZ-Q~Re`NtusiS2Z@5>fcMgu=gb{`PyH?|;Qm?1YtJ?7!g>7G> zq^YC0YD~HUYgO}x(Gjl`{Ojw94+!tDbnG1kS~f~4VO!6dnq?Eq%VjDV%6V#S1g&H2oqgR{4I?8;QFtN1~Ei7`*CF-j+5H^Mx>JJ_fZ7^vgH( z4<6NxJ2euhqL>wl*e%jpenokZIdU9BkVm+&p?6EJTQElQkxB5?<#{ z`A@9ts5}}!5as3`wces8cXu$e5ChVR$o??3;RgZ9O-RHV^~~t>>hQh^aO=trTgd6^ zpu|K3bD9zcb;}#^%i%d@diFB4V z9XpZ2xTrRjX(TR=klns3y$0b7d;Jt5&hMzmS!ZO#+T&>dWTP8#3l~RZlxhtY)1zh@ zA)4ib82lq)RGKvtPgJMH^69rvm458$cET_>8yQ-8(*~sT`Tet&jU{}aA4Lkc_#g;3 zCf|5>Ly{*o@X1wyED_s^;`u+;>Y;ut=38_1VV{Z(wfEFmdA+&~*7QbH7P6Wz0uzRE zfD1SWLdnRU0p3oTrgo&H$QJO#G{^XRjOt=?&KZ#N$HNh1@9!cC$I&0G=iy%SKp7R% 
z8NiZML`gT84lX~`r^(g=hlunZq+QqZbY(CHRWZTluo#XCjk?FB@&Dzl<)W9x4gRWwnWE`Dng;_0gWsfGH*ll$tM9hTeHR14pqE^X20@-z7c z_%O8+FA_%Oy4<*c3-;lG6r-hBH9-d8GWZFMRQ)|=Xs_dO_>{ah;iS5`|1i!2J z87bVR;sPezkb4cVO64-4VIXbM46hd|efwZyn5U}VKvC*WEWM+t_3iOlHxaLjLNeh& zC{XBj;n5I~CDhj{;mTsnCWwMC`isG?^aGQ0(PCdyTwidT+J-yDr=08Iy7!E+miuK% z28hbxN198q5dCt}R`yXblQ4gSoAh{cll;eLwNYZI{?P(+IpgL+?PiOba;-w;IlU4m z1Sj5c>l7E#3Z{X|EK&oBE>p0lgbr<|@)`5lxxufYr>COWn7m_o*~iZnW$Bo}?P%N+ zy*DH}f*%IS3?{6%Dk@=DGL-~&g|$;B)-_qY%aUSc?c)8}IfR+H?}~Q3xPQH$-`!G1 z!x!7sgBe)|MHORx)=}?^WpYiN7%YQiRXZHffjq0vK6|ldS}RMtJKEJ(M%0 ztJ+#L0Ya_z4fZT3|CH;@A^FG&!lU4IDNUnwusi(A{_T-`S_jVxLxIWqk}m>?8wEG! zXMoHapW!P5IQscYgYl_exk?M2ovP8vo!^%O?*ikD=)$Hi?4V4BO2mi;ImG+p0;By~ zNil0~GS4)``srsXDznrKZ(T_sJMEsPEQZmNW`j9#LHX@x23;gcTxed@!XQ(1$n)u- zq!UYv6=}QbRK7=p-deV#XwFM(LyKk}&91CB2i_(fT9)k0FO?fNja61uoDNe*NUmvh z%4BUd)R!N!h{v+f`Q_P3{OHT)88gUjjC_i9hfU`)Q#%Nv>IkOw^efFAQ*GfU9I$+ z3pHvSf9!t~UWB{@RXKKT1s*058ZfYM4It+%B6!0rKnRHF~xx`ruAQNuZMUG}zim#Z%Lw#5JZUJ}i zB8A;bll(02$F>hbqj8m9%SSdlT3)DWwcEKtHh#HVj$Ut4=%3o_dt}tzd0Caxz|tqC zW!5B}l%lh*oRHQ00uR~h;wr{>Erg{kxT0xYNz{ZwAaiIsRm(2^LT+iiVpho)T4G`0 z7n?V?a`d6{zatfb6bfD;_ZI4m=k1(lJ~fFHtgEh0L7h0{46W0vNk^zP6~(icU%5g1 z$p7+yhska2Fe!drCMJQ|!$_UpqXKs6R8xouMeCLKKQxivYXQ$HGdoD zEt!UEJh5i_Li#bS5=~MhIP_`YA#eF{dJ&48K3GGuE%B_eoGSxYW+}}sG)+1PjqQj}YD+}r){m6zAM@@pR=Sn1-1t#=gYOmv$b83jpdC|avo0^QfZ?xq&TBFl z+x}vmRrfuB_;|CwDI}+66>PDyfk{cLGl-&MFp; zIw6$5SK!o;n71pu3eO5prBtSr{ZdYwG9f#j6+7;aRzDZhMFT0*nfds0Bvu!omFV~8 zt9T96CF|)yeNuNUN%&(;UeyZ2^&mvH{P^S~p3C)S*FXafPG@#16F(@W+P zB!t%zFqE63ySbVmAs7-KE3IQr4Zq^Twly|=6e4=S?J;@pB9()Bq~UZ||GQCz!CtcS z_2TD)TUdbFjz++48Vv<=gEhQxi`pp<8c%(bQ(!a3FTV5pe@H!7v&5t?m-IM0gX4@p ze*H%G0pq+-;V`n5(x#x;?Kt!w+xANTAfrO`#KJwcN<&9eV=&B3X&WBIFf>Bn0KbgTgB3Y)My7=K|U+D8_>O z4-=jE^oy`cYqeW~pj)li4@>g@_@kS7qxB3X#*TgOVXZfz=N1}Z6lenHbzEGuBIj2# zv~2x*Z7+cwZcA;B_|&Ak>4JP*QbV!Af*oL-_L+rc-DKsdN~E8!GVO$-d9y^^0|*`J z=9|3%Ee@rwk9^+TnvZ3-x&?i21=j()1=#x2w0>qU=!E1TPOa?<5+yzWPL$`mwcH3v 
zWbF#{fvhzrA@`eFar!lB#xxx9d>_Z5M`h3<spoF%d=1%hA;ZE4-EETOTV2W*DzFu|zM*{8W}Y zdxOE(M2{NQ;T6k(oDHgNFqsxbfd71J=j9uJ|G7&p zq3k)*C09DV8thV7Y(At8?1Sx_ykr)VmB zH$MLpN98gD8ML7L;@GuD2H=!!1BIsw7(^Q#9jwjf5Kb^s=1*)_aU%6jofXt;fqQ0F zLBd?_a`vR1xz)Jb-9HX&Vuw)>?7}MPxhtKHH<5_!;ktHe8{DaPYO>yZrGbmLX2hhe zVo=z0olQER6CTWeH#K2i^`>D2PD_kl4ssU zUL|g2xX}a@yQ2unaVf~=>&cht71DCSRo13beZ5d4;C~zlQa?*V+HV;g223h?ecMo$ zOz8}$iLGL-QYb8tZZDJ2jK9=P729jL`0D%?8LemH=AA!O;e#?6el9bWZeG=^ewxP* z!34gPSBgdpXl6JItD?>#f@uy7mWyPYws`q`xz<7A!`nwDSM8oMAD0F=#^}f$(&O`A zH(EFI;$R)ejY^31dZpMTtoA!asSCt_zG-!y*kyV%m?!sLujKdiUR&Ttf6A^(@pxdv zS=&jKa>ViO>Y)@K9I7lu22)G8?+JVqpVYPU|wlZFNHh9H}Bn?t< zxo$w?o~Ubl{qpQvF+91Oi!FUF*ztRs3X!3Acjhp)hLGs9D0)-;xjRJ6hD|T@`pEWn z@KE#@vDH}Bnj7iJ$m{);_Vwe)sr18hDGQ)3Z3O2WA^Tx-W9=wdCs2n0b?YbdWMB^6 zs-*^FF-HQ8hY>@;ZJGVBKP31u-iWOtNVNP1AV~_jD~!LZ(C!1Kf#;7aaMh_m-|qV2 z=1(@i6%_D!&dqDMM|paeEvc8^X3r2?nWntm(`AkX7XG{H^(g&)3&6h~Q^{lw8?i+8G^__*9t!0NQXHcWFc6zO;5Hf@nBt3Wt`YtBcf72VeRQd+2g6m zpr!XLV_!{<)&0SHbJfa47S;yK0mJN@H?^Kadu&fHxdf~N&VrLDx%s&FhNiOkhS$1$ z(0GVq!c=>2v*}04eD294D?j+JrTS zc7l&|CO1Xg3kRc1ie+sA>RL;FCx6-yVZCC*3aejaz36z5Nf><60?taj4)7F0=xc4J zAVlSFoB$0(4x&y6DF+u27kbMFOms&-<@=o8bJ{I2*F-(13ymX7%m4kpMX;v5rV95O zSN&yShkD}#6z<)`w%EbuTldY(g}XS(`0-F@rrN9qg-~}{^=&~8y6W;j&NpJC3i2Yj zKzBm<9sx*3qS(M|w12Y2&TRm*e5&j5zKE=iG@2YOo~RgQo?Q3EA7mQO{8b4QT-g^@ zu;5K5{Qbp=MEregynEpSyEq$R6jj~K2K0dqZ(y@(l(6hl(3UP&w|9K@mh8$aiJq-P z-#-|qZ`vC<55}qVT*f#fHztXLAAp>Qws|2!$YQad{wRVd2XQTc3PZ?M6ZIq|t*^;Z zUNViiVq43P{87kt;Vc4bfI&pW6wadkeKqOYK0>L!2z=}oe{7Spa$PaxY!lFP&zf`o z)YD+|g1%mrLe(P`QIed$`stw+UIhizAj&tD#C>%F)7p>7Se$~cexl{H7if6lhOMiu z{ABm|b3zvDEXx3i3;_%adj?{5Zk9d!ph)-CX`ZtYm-)dP4{^@5dgzcaeZ%UD!O9it zFv=#&*L9X0Ue<+wLXC}QK{<@(lStxuXPdK(biKR3V=X{xOAK=U2_MK8i={}EFznA} zhB@NxMnbP0!K+|h5^TL@+)N+FUYE43co^fJ=4W@@a$KGHNx>xNC#iO3KUk4P+WRhzDSPq0yT+cfJLIADG9lkJGeFpcV{ zM~0vc@f;~^eqm5*&xNQcr_J+9CpwoRW`$EPMMT?)O|B9Oe>VQH!+a4d<8Aa3^<^z# zK4=4O5U7U0BB=aNG4sV(x+nuewjROJ&Br#!c?YgYZ^_9L 
zbday%INcqB{t3Fxb&&8#r4orTK^1mXoC^1lMo$AP9F@IZT3c_zxHe&zgT((NccxI` z2ykrnev!#iU)FI+!2*T~lnJlQ--Ka7Z_F>EcIei8>${?*`(Rf$f_WOopDQZBJf7#& z8SQROD=GUl-rJKKg50_ zY+dV(;a>;=lh}SN;bI%ovMZiry`7vCDYjPEvq@i+V|D?)FRG4~j^FaeD(9~S-XRIxT3tki z@Ndd5`D(#9YD~1#hxx<|H4~&{m7l6#9Qoz~wD&#sQ3*SekZV`i!&4n~4Eaw$7@Ol6 z)F<)hzh211y}ADORr<+Zg0lHPRJKrXl?n0yxgUPu5)_vR0kYIn(@H8ZFb*JO+d*A8 zNblcgJwnv1M>$D||JV_E-Fi#p3ny!0D7);d&nc~f>v}X(VCQCz(wecIM1!%DW1N69jiN}D;1sA^ydL)64njStksWJzVc0(4>yp$$Vt2UXng;a(?qAy zDup@ay$DXXZr~a#lg<0vyj9kJ@})=W-c@F4s?S1STgaZC)BcC8Jomf%^}EBzb?($T zxO;kX%WqLUTppUX_%rx7+(52uMPW1itF~j2ws$;Jh3r6t>ZY%Qh?V9dS!SlpB8$yYaDcHNm+(euTYS9QierDTk5PL^1QS@Z8+|07p!KS(8G; zHuMe_K@dcC(!~TIIz(+dr&m!?Iu>2PjQ3}_q@sYEjj|IaS1l>8)TE`S$&&MTeWzYf zS6yymXi+JLwJQuxYXB9Z;w=3OZ{aBA^9_Ja{4LSTizhuFF404mP6Ze5CHH*BDslb% z9Yp@0Ft-HBy0|{-ofc{AY%W{w@!0w0?c5{5dAxSmE$`JWhD1M|x%n-vez`r!P8rag z8B7oab%3XKP%tVWIiJc^g>DB5!=3aQkBEy@IYZdho2r`X6Fl&J9IA#%a%3>Su(b?Y z-(Xf)tBj(_g5Fgk&-jkaAk8`p=^8$-Y*CN#QnJ%^DR3L3nk`pnZ}x>1)whdE{vfA6 zU2`{!Sg(gAy1H^HGH9U&{ndH^+zL#(9+X#m*J_LBWo3QJ?z8u^TkJs;F2$TFPVEY| z!+!vIUt*uIpt$KS6fmJqPGh`Tbly2cr=bz(5N9Pn!R`>Yknmo%C+-~84jKK69IC$h zv-iOY`J4C!^hGB>pq99in&qvG&r9#Y%l=WOr8N_qidokjnq&FvwW2#dRnx(JwaLMb ze}Y(hT8Yk1iKw?A;i!h#=1r#CXe&3Se8U+}=Y}-Buv_IH;L=IkMY;J+f^u&1JsZP0 ziS-(-aNsg*Aq~l_%;0a^=9gyOu%M*fVa-U0`ATSIdE7Y0HE=kwJ*(QgTdqj*IF9=c z=6ho&c;^RRoXFtVRY7RzuofHfL0@XcMvw%7cttC2mIdM|3s;0Wn(8zyn2yKC@k!ep zE{61U&Aj|W@~s#azfTx(8ZUm|PG2_97ju9o?d(F9qy6uTM>9$1+B-C@W@{(Othxqu z69T(nI308Z8dx3Fyl(OUPOgEc#&%X^qh~ElWxfXpz#;iPTw`WzvdLQ4n94gPlCOK* zL3k4aPh~cOub$N@y5S`Qi@7W5==~jafvGasg!_IR6Pq1VW1sK7z50d&{#bbC#UB8y z*3;4?u3bOrT2&w4ctTa8;dn}d;pdd>`BiIBxQDlkdJ)5ljzUd?uKUjTSYmLqMz0(U zr;Vn98UbC51&MbFshAxa{|Zg~y;0rQ)ctpA%XUSH1;p`lSKRF%*}$)R#U>Tw5r^t{ zcv!OvQ2LlH_V%-9)3{MrBCaw0)3^Yke<{J+ z4|9&QS#R7>sC}{f)gt-OM9ZpBVFPeI#%HPCe&FuAsr{+PSTK-qHb6#j?H zC|nKoN$Zz+(rMy;6gjTq>`g=lDiymHDqZd2y4r^wed97wm9y_UHHA=_Ljk=Gpm03< zArF2BXbKyshZm2LfnEA>R)eW7SeSeI)6H8ky|7MOBzcWzIm?ijf615+^ntwV6A_Ts zH`e~EtHVB-=ltjO=#S! 
diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 04e8953900..b084aeeeff 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md
@@ -584,6 +584,20 @@ You can now perform following tasks in the Administrative Console for the IAS te - Assign (base or custom) policies to IAS users - Create custom policies +To create a custom policy with filter restrictions do the following steps: +1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. +2. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. +2. Customize the filter condition for the AMS attributes available +3. Press **Save** + +::: details Create custom AMS policy with filter condition + +![AMS custom policies in Administrative Console](assets/ams-custom-policy.jpg) + +![AMS custom policy filters in Administrative Console](assets/ams-custom-policy-filter.jpg) + +::: + To assign a policy to an IAS user do the following steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. Switch to tab **Authorization Policies** and select the policy you want to assign 
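Review bot: the numbered list added in this hunk has two steps labelled `2.` (`2. In **Authorization Policies** select **Create** > **Create Restriction**...` followed by `2. Customize the filter condition for the AMS attributes available`), so the procedure renders as 1, 2, 2, 3; renumber it 1 through 4. The steps also never say on which existing policy the restriction is created; step 2 should name it (the example name `StockManagerFiction` points at a `StockManager` base policy), and `filter condition for the AMS attributes available` reads better as `filter condition on the available AMS attributes`.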
@@ -597,36 +611,23 @@ To assign a policy to an IAS user do the following steps: ::: -To create a custom policy with filter restrictions do the following steps: -1. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. -2. Customize the filter condition for the AMS attributes available -3. Press **Save** - -::: details Create custom AMS policy with filter condition - -![AMS custom policies in Administrative Console](assets/ams-custom-policy.jpg) - -![AMS custom policy filters in Administrative Console](assets/ams-custom-policy-filter.jpg) -::: - -You can now assign the custom policy to the test user. +You can log on to the bookshop test application with the test user and check that only books of dedicated genres can be modified. [Learn more about AMS policy assignment](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/assign-authorization-policies) {.learn-more} - ### Tracing & Troubleshooting -You can recognize a correct AMS plugin configuration by the following log output: +You can verify a valid configfuration of the AMS plugin by the following log output: ```sh c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider ``` -For detailed analysis of issues, you can set AMS logger to `DEBUG` level: +In addition, for detailed analysis of issues, you can set AMS logger to `DEBUG` level: ```yaml logging: @@ -634,7 +635,7 @@ logging: com.sap.cloud.security.ams: DEBUG ``` -which gives you more information about the policy evaluation at request time. +which gives you more information about the policy evaluation at request time: ```sh c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., From a53d04ab0ec7e7eb42645c7bfe1119de7468d67e Mon Sep 17 00:00:00 2001 
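Review bot: typo in the replacement line `+You can verify a valid configfuration of the AMS plugin by the following log output:`: `configfuration` should be `configuration`, and `you can set AMS logger to \`DEBUG\` level` in the same hunk wants an article (`the AMS logger`). In the new sentence `You can log on to the bookshop test application with the test user and check that only books of dedicated genres can be modified`, `dedicated genres` is vague; say which genre the `StockManagerFiction` example policy permits so the reader knows what a successful check looks like.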
From: "matthia.braun@sap.com" Date: Fri, 17 Oct 2025 17:17:42 +0200 Subject: [PATCH 012/120] cap user propagation --- guides/security/assets/nameduser.drawio.svg | 197 ++++++++++++ .../security/assets/requestcontext.drawio.svg | 237 ++++++++++++++ .../assets/switchprovidertenant.drawio.svg | 216 +++++++++++++ .../security/assets/switchtenant.drawio.svg | 158 ++++++++++ guides/security/cap-users.md | 290 +++++++++++++++--- guides/security/remote-authentication.md | 276 ++++++++++++++++- 6 files changed, 1328 insertions(+), 46 deletions(-) create mode 100644 guides/security/assets/nameduser.drawio.svg create mode 100644 guides/security/assets/requestcontext.drawio.svg create mode 100644 guides/security/assets/switchprovidertenant.drawio.svg create mode 100644 guides/security/assets/switchtenant.drawio.svg diff --git a/guides/security/assets/nameduser.drawio.svg b/guides/security/assets/nameduser.drawio.svg new file mode 100644 index 0000000000..f802c3142d --- /dev/null +++ b/guides/security/assets/nameduser.drawio.svg @@ -0,0 +1,197 @@ + + + + + + + + + + +
+
+
+ OData Adapter +
+
+
+
+ + OData Adapter + +
+
+ + + + + + +
+
+
+ Custom ON Handler +
+
+
+
+ + Custom ON Handler + +
+
+ + + + + + + +
+
+
+ Custom AFTER Handler +
+
+
+
+ + Custom AFTER Handler + +
+
+ + + + + +
+
+
+ systemUser() +
+
+
+
+ + systemUser() + +
+
+ + + + +
+
+
+ Technical Service +
+
+
+
+ + Technical Service + +
+
+ + + + + +
+
+
+ tenant1 +
+
+
+
+ + tenant1 + +
+
+ + + + + +
+
+
+ John Doe +
+
+
+
+ + John Doe + +
+
+ + + + + +
+
+
+ Technical User +
+
+
+
+ + Technical... + +
+
+ + + + +
+
+
+ User: John Doe +
+ Tenant: tenant1 +
+
+
+
+ + User: John Doe... + +
+
+ + + + +
+
+
+ JWT token +
+
+
+
+ + JWT token + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
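Review bot: the fallback text `Text is not SVG - cannot display` at the end of this hunk (and of the other three drawio assets added in this patch) means the diagram labels are stored as HTML rather than as plain SVG text; any renderer or accessibility tool that does not support HTML inside SVG shows only that sentence, and the label text cannot be searched or indexed. Re-export the drawings with plain-text labels, or at least keep the long descriptive alt texts that the markdown already supplies, since they are the only accessible rendering of these diagrams.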
\ No newline at end of file diff --git a/guides/security/assets/requestcontext.drawio.svg b/guides/security/assets/requestcontext.drawio.svg new file mode 100644 index 0000000000..d514dff739 --- /dev/null +++ b/guides/security/assets/requestcontext.drawio.svg @@ -0,0 +1,237 @@ + + + + + + + + + + +
+
+
+ Named User +
+
+
+
+ + Named User + +
+
+ + + + +
+
+
+ Named User +
+
+ or +
+
+ System User  Subscriber +
+
+
+
+ + Named User... + +
+
+ + + + +
+
+
+ System User +
+ Subscriber +
+
+
+
+ + System User... + +
+
+ + + + +
+
+
+ System User +
+ Provider +
+
+
+
+ + System User... + +
+
+ + + + +
+
+
+ System User +
+ Provider +
+
+
+
+ + System User... + +
+
+ + + + +
+
+
+ System User +
+ Subscriber +
+
+
+
+ + System User... + +
+
+ + + + +
+
+
+ Switching to technical user +
+
+
+
+ + Switching to technical user + +
+
+ + + + +
+
+
+ Switching to provider tenant +
+
+
+
+ + Switching to provider tenant + +
+
+ + + + +
+
+
+ Switching to a specific tenant +
+
+
+
+ + Switching to a specific tenant + +
+
+ + + + + +
+
+
+ systemUserProvider() +
+
+
+
+ + systemUser... + +
+
+ + + + + +
+
+
+ systemUser() +
+
+
+
+ + systemUser... + +
+
+ + + + + +
+
+
+ systemUser(tenant) +
+
+
+
+ + systemUser... + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/switchprovidertenant.drawio.svg b/guides/security/assets/switchprovidertenant.drawio.svg new file mode 100644 index 0000000000..dfd0ac29e7 --- /dev/null +++ b/guides/security/assets/switchprovidertenant.drawio.svg @@ -0,0 +1,216 @@ + + + + + + + + + + +
+
+
+ Technical User +
+
+
+
+ + Technical... + +
+
+ + + + + + +
+
+
+ OData Adapter +
+
+
+
+ + OData Adapter + +
+
+ + + + +
+
+
+ ON Handler for OData Action +
+
+
+
+ + ON Handler for OData... + +
+
+ + + + + + + + +
+
+
+ systemUserProvider() +
+
+
+
+ + systemUserProvider() + +
+
+ + + + + +
+
+
+ Sidecar +
+ CAP Service +
+
+
+
+ + Sidecar... + +
+
+ + + + + +
+
+
+ @requires: 'internal-user' +
+
+
+
+ + @requires:... + +
+
+ + + + +
+
+
+ User: John Doe +
+ Tenant: tenant1 +
+
+
+
+ + User: John Doe... + +
+
+ + + + +
+
+
+ JWT token +
+
+
+
+ + JWT token + +
+
+ + + + + +
+
+
+ John Doe +
+
+
+
+ + John Doe + +
+
+ + + + +
+
+
+ tenant1 +
+
+
+
+ + tenant1 + +
+
+ + + + +
+
+
+ provider tenant +
+
+
+
+ + provider tenant + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/switchtenant.drawio.svg b/guides/security/assets/switchtenant.drawio.svg new file mode 100644 index 0000000000..25fac6f1f1 --- /dev/null +++ b/guides/security/assets/switchtenant.drawio.svg @@ -0,0 +1,158 @@ + + + + + + + + + + +
+
+
+ Technical User +
+
+
+
+ + Technical... + +
+
+ + + + + + + +
+
+
+ Technical User +
+
+
+
+ + Technical... + +
+
+ + + + +
+
+
+ Background Job +
+
+
+
+ + Background Job + +
+
+ + + + +
+
+
+ Job Scheduler +
+
+
+
+ + Job Scheduler + +
+
+ + + + + +
+
+
+ Tenant specific processing +
+
+
+
+ + Tenant specific proc... + +
+
+ + + + + +
+
+
+ systemUser("tenant1") +
+
+
+
+ + systemUser("tenant1") + +
+
+ + + + + +
+
+
+ provider tenant +
+
+
+
+ + provider tenant + +
+
+ + + + +
+
+
+ tenant1 +
+
+
+
+ + tenant1 + +
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index b084aeeeff..1f6b7553cd 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -19,7 +19,7 @@ status: released -# Users { #users } +# CAP Users { #users } A successfull authentication results in an CAP [user representation](#claims) reflecting the request user in an uniform way. Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategy. @@ -33,7 +33,7 @@ In addition, CAP users provide an API for [programmatic]( #developing-with-users [[toc]] -## User Representation { #claims } +## CAP User Representation { #claims } After _successful_ authentication, a CAP user is mainly represented by the following properties: @@ -131,7 +131,7 @@ Such roles are called pseudo roles as they aren't assigned by user administrator | `authenticated-user` | | _successful authentication_ | _derived from the token_ | | `any` | | | _derived from the token if available or `anonymous`_ | | `system-user` | _technical_ | _client credential flow_ | `system` | -| `internal-user` | _technical_ | _client credential flow with same identity instance_ | +| `internal-user` | _technical_ | _client credential flow with same identity instance_ | `system-internal` | The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. Note that this role does not distinguish between any technical clients sending requests to the API. 
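Review bot: the `@@ -131,7 +131,7 @@` hunk correctly completes the `internal-user` row, which previously ended after the fourth column and rendered with its default-name cell (`system-internal`) missing. While the `@@ -19,7 +19,7 @@` hunk touches the heading just above it, the unchanged context line `A successfull authentication results in an CAP [user representation](#claims) reflecting the request user in an uniform way.` should be fixed in the same pass to `A successful authentication results in a CAP ... in a uniform way.`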
@@ -756,78 +756,284 @@ In the _xs-security.json_, the `attribute` entity has a property `valueRequired` ## Developing with CAP Users { #developing-with-users } +CAP is not tied to any specific authentication method, nor to concrete user information such as that provided by IAS or XSUAA. +Instead, an abstract [user representation](cap-users#claims) is attached to the request which can be used to influence request processing. +For example, both authorization enforcement and domain logic can depend on the current user properties. -### Programmatic Reflection { #reflection } +::: tip +Avoid writing custom code based on the raw authentication info, as this undermines the decoupling between authentication strategy and your business logic. -UserInfo +**In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. +::: -req.user -req.tenant +### Programmatic Reflection { #reflection } -The service provider frameworks **automatically enforce** restrictions in generic handlers. They evaluate the annotations in the CDS models and, for example: +In CAP Java, The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways: -* Reject incoming requests if static restrictions aren't met. -* Add corresponding filters to queries for instance-based authorization, etc. +```java +@Before(entity = Books_.CDS_NAME) +public void beforeReadBooks(CdsReadEventContext context) { + UserInfo userInfo = context.getUserInfo(); + String name = userInfo.getName(); + // [...] 
+} +``` -If generic enforcement doesn't fit your needs, you can override or adapt it with **programmatic enforcement** in custom handlers: +or by Spring dependency injection within a handler bean: -- [Authorization Enforcement in Node.js](/node.js/authentication#enforcement) -- [Enforcement API & Custom Handlers in Java](/java/security#enforcement-api) +```java +@Autowired +UserInfo userInfo; +@After(event = CqnService.EVENT_READ) +public void discountBooks(Stream books) { + String name = userInfo.getName(); + // [...] +} +``` -### Modifying Users { #modifying-users } - - UserProvider +There is always an `UserInfo` attached to the current `RequestContext`, reflecting any type of [users](#user-types). +The `UserInfo` object is not modifyable, but during request processing, a new `RequestContext` can be spawned and may be accompanied by a [change of the current user](#switching-users). -Depending on the configured [authentication](#prerequisite-authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: +Depending on the configured [authentication](#authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: -| CAP User Property | XSUAA JWT Property | IAS JWT Property | -|---------------------|----------------------------------|-------------------------| -| `$user` | `user_name` | `sub` | -| `$user.tenant` | `zid` | `zone_uuid` | -| `$user.` | `xs.user.attributes.` | All non-meta attributes | +| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation +|---------------|---------------------|----------------------------------|-------------------------|--------------------| +| User logon name | `getName()` | `user_name` | `sub` | `$user` | +| User tenant | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | +| User attributes | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta 
attributes | `$user.` | +| User roles | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | ::: tip CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. ::: -In most cases, CAP's default mapping will match your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, `user_name` in XSUAA tokens is generally not unique if several customer IdPs are connected to the underlying identity service. -Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you implement in a custom adaptation. Similarly, attribute values can be normalized and prepared for [instance-based authorization](#instance-based-auth). Find details and examples how to programmatically redefine the user mapping here: +In addition, there are getters to retrieve information about [pseudo-roles](#pseudo-roles): + +| UserInfo method | Description +| :---------------------------------------------------- | :----------------------------------------------------- | +| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | +| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | +| `isAuthenticated()` | True if the current user has been authenticated and hence has pseudo-role `authenticated-user`. | +| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#privileged-user), i.e. is unrestricted | + + + +### Customizing Users { #customizing-users } + +In most cases, CAP's default mapping to the CAP user will match your requirements, but CAP also allows you to customize the mapping according to specific needs. + +For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. 
+Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. + +This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers): + +::: details Sample implementation for overriding the user name + +```java +@Component +@Order(1) +public class UniqeNameUserInfoProvider implements UserInfoProvider { + + private UserInfoProvider defaultProvider; + + @Override + public UserInfo get() { + ModifiableUserInfo userInfo = UserInfo.create(); + if (defaultProvider != null) { + UserInfo prevUserInfo = defaultProvider.get(); + if (prevUserInfo != null) { + userInfo = prevUserInfo.copy(); + } + } + if (userInfo != null) { + XsuaaUserInfo xsuaaUserInfo = userInfo.as(XsuaaUserInfo.class); + userInfo.setName(xsuaaUserInfo.getEmail() + "/" + + xsuaaUserInfo.getOrigin()); // adapt name + } + + return userInfo; + } + + @Override + public void setPrevious(UserInfoProvider prev) { + this.defaultProvider = prev; + } +} +``` + +::: -- [Set up Authentication in Node.js.](/node.js/authentication) -- [Custom Authentication in Java.](/java/security#custom-authentication) +In the example, the `UniqeNameUserInfoProvider` defines an overlay on the default XSUAA-based provider (`defaultProvider`) by leveraging chaining technique (`@Order(1)` ensures proper ordering). +`UserInfo.copy()` returns [`ModifiableUserInfo`](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/ModifiableUserInfo.html) interface which allows arbitrary modifications such as +overriding the user's name by a combination of email and origin. 
::: warning Be very careful when redefining `$user` -The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. +The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. +Also consider data protection and privacy regulations when storing user data. ::: +There are multiple reasonable use cases in which user modification is a suitable approach: + +- Injecting or mixing user roles by calling `modifiableUserInfo.addRole(String role)` (In fact this is the base for [AMS plugin](#roles-assignment-ams) injecting user specifc roles). +- Providing calculated attributes used for [instance-based authorization](../guides/security/authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. +- Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. +- ... -### Switching and Propagating Users { #switching-users } - - request internal - - tenant switch - - privileged mode - - original authentication claim - - asynchronous -> implicit to technical user - - technical -> buisiness not possible +[See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.leanr-more} -### Tracing { #user-tracing } -

+### Switching Users { #switching-users } + +There are a few typical use cases in a (multitenant) application where switching the current user of the request is required. +For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. + +These scenarios are identified by a combination of the user (technical or named) and the tenant (provider or subscribed): + +![A named user can switch to a technical user in the same/subscriber tenant using the systemUser() method. Also, a named user can switch to a technical user in the provider tenant using the systemUserProvider() method. In addition technical users provider/subscriber tenants can switch to technical users on provider/subscriber tenants using the methods systemUserProvider() or systemUser(tenant).](./assets/requestcontext.drawio.svg) + +In CAP Java the user context can only be changed by opening an appropriate Request Context explicitly which provides a well-defined scope of changed context. +Services might, for example, trigger HTTP requests to external services by deriving the target tenant from the current Request Context. + +The `RequestContextRunner` API offers convenience methods that allow an easy transition from the current Request Context to a derived one according to the scenario. + +| Method | Scenario | +|----------------------|--------------------------------------------------------------------------------------------------------------------------------------| +| `systemUser()` | [Switches](#switching-to-technical-user) to the technical user and preserves the tenant from the current `UserInfo`. | +| `systemUserProvider()` | [Switches](#switching-to-provider-tenant) to the technical user of the provider account. | +| `systemUser(tenant)` | [Switches](#switching-to-subscriber-tenant) to a technical user targeting a given subscriber account. 
| +| `privilegedUser()` | [Elevates](#switching-to-privileged-user) the current `UserInfo` to by-pass all authorization checks. | +| `anonymousUser()` | [Switches](#switching-to-anonymous-user) to an anonymous user. | + +Named user contexts are only created by the CAP Java framework as initial Request Context based on appropriate authentication information (for example, JWT token) attached to the incoming HTTP request. + +:::tip Note +- The API does not allow to switch from technical user to a named user. +- Asynchronous requests to CAP services are always on behalf of a technical user. +::: + + +#### Switching to Technical User {#switching-to-technical-user} + +![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg) + +The incoming JWT token triggers the creation of an initial Request Context with a named user. +Accesses to the database in the OData Adapter as well as the custom `On` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. +An additionally defined `After` handler wants to call out to an external service using a technical user without propagating the named user JohnDoe. +Therefore, the `After` handler needs to create a new Request Context. To achieve this, it's required to call `requestContext()` on the current `CdsRuntime` and use the `systemUser()` method to remove the named user from the new Request Context: + +```java +@After(entity = Books_.CDS_NAME) +public void afterHandler(EventContext context){ + runtime.requestContext().systemUser().run(reqContext -> { + // call technical service + ... + }); +} +``` -DEBUG level by default +#### Switching to Technical Provider Tenant {#switching-to-provider-tenant} +![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg) + +The application offers a bound action in a CDS entity. 
Within the action, the application communicates with a remote CAP service using an internal technical user from the provider account. +The corresponding `on` handler of the action needs to create a new Request Context by calling `requestContext()`. +Using the `systemUserProvider()` method, the existing user information is removed and the tenant is automatically set to the provider tenant. +This allows the application to perform an HTTP call to the remote CAP service, which is secured using the pseudo-role `internal-user`. + +```java +@On(entity = Books_.CDS_NAME) +public void onAction(AddToOrderContext context){ + runtime.requestContext().systemUserProvider().run(reqContext -> { + // call remote CAP service + ... + }); +} +``` + +#### Switching to a Specific Technical Tenant {#switching-to-subscriber-tenant} + +![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg) + +The application is using a job scheduler that needs to regularly perform tasks on behalf of a certain tenant. +By default, background executions (for example in a dedicated thread pool) aren't associated to any subscriber tenant and user. +In this case, it's necessary to explicitly define a new Request Context based on the subscribed tenant by calling `systemUser(tenantId)`. +This ensures that the Persistence Service performs the query for the specified tenant. + +```java +runtime.requestContext().systemUser(tenant).run(reqContext -> { + return persistenceService.run(Select.from(Books_.class)) + .listOf(Books.class); +}); +``` + +#### Switching to Privileged User { #switching-to-privileged-user } + +Application services called within custom handlers introduce an authorization on a second-level, which is the preferred behaviour for sake of security by default. +However, in some situations, you might want to bypass additional authorizations because the initial authorization of the request is sufficient. 
+ +You can run such service calls on behalf of the privileged user which acts like a super user w/o restrictions: +```java +cdsRuntime.requestContext().privilegedUser().run(privilegedContext -> { + assert privilegedContext.getUserInfo().isPrivileged(); + // ... Service calls in this scope pass generic authorization handler +}); +``` + +::: warning +Call application services on behalf of the privileged user only in case the service call is fully independent from the business user's actual restrictions. +::: + +#### Switching to Anonymous User { #switching-to-anonymous-user } + +In rare situations you might want to call a public service without sharing information of the current request user. +In this case, user propagation is explicitly prevented. + +You can run such service calls on behalf of the anonymous user which acts like a public user w/o personal user information (name, token, ...): +```java +cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { + // ... Service calls in this scope pass generic authorization handler + +}); +``` + +### User Propagation + +#### Between Threads + +Within the same Request Context, all CAP service calls share the same user infomration. +But the runtime can't automatically propagated user information to spawned threads and by default, the thread runs in a Request Context with an anonymous user. +If you want to avoid this, you can propagate the Request Context to spawned threads as described [here](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext) and hence the same user context is applied. + +#### None-CAP Libraries + +CAP integration libraries for IAS and XSUAA store the resolved user information in Spring's [`SecurityContext`](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/core/context/SecurityContext.html) which contains all relevant authentication information. 
+Hence, library code can rely on standards to fetch the authentication information and restore the user information if needed. + +#### Remote Services + +- original authentication claim + +Custom: +- Cloud SDK: + tenant provider + + +### Tracing { #user-tracing } + + +```sh logging.level.com.sap.cds.security.authentication: DEBUG +``` ```sh MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' ``` -Never in production! -
- -
-TODO -
+::: warning +Never activate user tracing in production! +::: ## Ptifalls diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 7106b03ca7..9f827336a4 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
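Review bot: the `UniqeNameUserInfoProvider` sample in this hunk has a logic gap: `userInfo` is initialised with `UserInfo.create()`, so `if (userInfo != null)` can never be false, and when `defaultProvider` is absent or returns null the code still calls `userInfo.as(XsuaaUserInfo.class)` on an empty user; guard on `prevUserInfo` being present instead. The sample also derives the name from `xsuaaUserInfo.getEmail() + "/" + xsuaaUserInfo.getOrigin()` while the prose a few lines earlier promises a combination of `user_name` and `origin`, and the class name is misspelled (`Uniqe`). The anonymous-user snippet is a copy of the privileged one: its lambda parameter is still `privilegedContext` and the comment still says `Service calls in this scope pass generic authorization handler`, which is wrong for an anonymous user and contradicts the sentence above it. In the Tracing section, the sample line `MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}'` shows that this logger writes user identifiers, roles and attribute values to the log, so the warning should state that reason (personal data in logs), and the `logging.level...: DEBUG` block is a Spring property, not a shell command, so it should not be fenced as `sh`. Finally, several parts are not ready for a file marked `status: released`: `#### Remote Services` contains only scratch bullets (`- original authentication claim`, `Custom:`, `- Cloud SDK:`), two links point at the internal host `pages.github.tools.sap` whereas the rest of the guide uses site-relative links such as `/java/...`, `{.leanr-more}` is misspelled, the table says `systemUser(tenant)` but the prose says `systemUser(tenantId)`, and there are typos in `casese`, `modifyable`, `infomration`, `can't automatically propagated`, `None-CAP Libraries`, `user specifc` and `an UserInfo`.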
@@ -21,7 +21,275 @@ status: released # Remote Authentication { #remote-authentication } -### Local Services +### User Propagation + + - threads + https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext + + - original authentication claim + + - Remote Services + + Custom: + - Cloud SDK: + tenant provider, + user per SecurityContext + + +## Connecting to IAS Services { #outbound-auth } + +CAP Java supports the consumption of IAS-based services of various kinds: + +* [Internal Services](#internal-app) bound to the same IAS instance of the provider application. +* [External IAS](#app-to-app) applications consumed by providing a destination. +* [BTP reuse services](#ias-reuse) consumed via service binding. + +![The TAM graphic is explained in the accompanying text.](./assets/java-ias.png){width="800px" } + +Regardless of the kind of service, CAP provides a [unified integration as Remote Service](/java/cqn-services/remote-services#remote-odata-services). +Basic communication setup and user propagation is addressed under the hood, for example, an mTLS handshake is performed in case of service-2-service communication. + +### Internal Services {#internal-app} + +For communication between adjacent CAP applications, these are CAP applications which are bound to the same identity instance, simplified configuration is explained in [Binding to a Service with Shared Identity](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity). + +### External Services (IAS App-to-App) {#app-to-app} + +CAP Java supports technical communication with any IAS-based service deployed to an SAP Cloud landscape. User propagation is supported. +For connection setup, it uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications). + +#### Provider Application + +The CAP Java application as a _provider app_ needs to: + +1. 
Configure [IAS authentication](/java/security#xsuaa-ias). +2. Expose an API in the IAS service instance. + + ::: details Sample IAS instance of provider (mta.yaml) + + Add this to your `mta.yaml` resources section: + + ```yaml + - name: server-identity + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-plan: application + config: + multi-tenant: true + provided-apis: + - name: "review-api" + ``` + + ::: + +3. Prepare a CDS service endpoint for the exposed API. + + ::: details Sample CDS Service for the API + + ```cds + service ReviewService @(requires: 'review-api') { + [...] + } + ``` + + ::: + + +::: tip API as CAP role +The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication. +::: + +::: warning Use different roles for technical and business users +Use different CAP roles for technical clients without user propagation and for named business users. + +Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice verse. +::: + +#### Consumer Application + +To set up a connection to such an IAS service, the _consumer app_ requires to do: + +1. Create an IAS instance that consumes the required API. + + ::: details Sample IAS instance for client (mta.yaml) + + Add this to your `mta.yaml` resources section: + + ```yaml + - name: client-identity + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-plan: application + config: + multi-tenant: true + oauth2-configuration: + token-policy: + grant_types: + - "urn:ietf:params:oauth:grant-type:jwt-bearer" + ``` + + ::: + +2. Create a Remote Service based on the destination (optional). + ::: details Sample Remote Service configuration + + ```yaml + cds: + remote.services: + Reviews: + destination: + name: review-service-destination + ``` + + ::: + +To activate the App-2-App connection as a *consumer*, you need to: + +1. 
Create an IAS application dependency in the IAS tenant: + - Open the Cloud Identity Services admin console + - Navigate to [Application APIs / Dependencies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/communicate-between-applications) + - Create a new dependency pointing to your provider application's API + +2. Create a dedicated [destination](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/access-destinations-editor) with the following configuration: + * The URL pointing to the IAS-endpoint of the application. + * Authentication type `NoAuthentication`. + * Attribute `cloudsdk.ias-dependency-name` with the name of the created IAS application dependency in Step 1. + +
+ + + +[Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} + +[Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} + + +### BTP Reuse Services {#ias-reuse} + +IAS-based BTP reuse services can be created/consumed with CAP Java even more easily. + +The CAP reuse service (provider) needs to: + +1. Configure [IAS authentication](/java/security#xsuaa-ias). +2. Bind an IAS instance that exposes services and service plans. + + ::: details Sample IAS instance for provider + + ```yaml + - name: server-identity + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-plan: application + config: + multi-tenant: true + catalog: + services: + - id: "1d5c23ee-1ce6-6130-4af4-26461bc6ef79" + name: "review-service" + plans: + - id: "2d5c23ee-1ce6-6130-4af4-26461bc6ef78" + name: "review-api" + ``` + + ::: + +3. Prepare a CDS service endpoint for the exposed API. + + ::: details Sample CDS Service for the API + + ```cds + service ReviewService @(requires: 'review-api') { + [...] + } + ``` + + ::: + +The CAP consumer application (client) needs to: + +1. Create and bind the provided service from the marketplace. + + ::: details Create and bind service instance. + ```sh + cf create-service review-service review-api review-service-instance + cf bind-service review-service-instance --binding-name review-service-binding + ``` + ::: + +2. Create an IAS instance that consumes the required service. + + ::: details Sample IAS instance for client + + ```yaml + - name: client-identity + type: org.cloudfoundry.managed-service + parameters: + service: identity + service-plan: application + config: + multi-tenant: true + "consumed-services": [ { + "service-instance-name": "review-service-instance" + } ] + ``` + + ::: + +3. 
Create a Remote Service based on the binding (optional). + + ::: details Sample Remote Service configuration + + ```yaml + cds: + remote.services: + Reviews: + binding: + name: review-service-binding + onBehalfOf: currentUser + ``` + + ::: + +4. Use CQN queries to consume the reuse service (optional) + +[Learn more about simplified Remote Service configuration with bindings](/java/cqn-services/remote-services#service-binding-based-scenarios) {.learn-more} + +::: tip Service plan name as CAP role +The service plan names as specified in `consumed-services` in the IAS instance are granted as CAP roles after successful authentication. +::: + +::: warning Use different roles for technical and business users +Use different CAP roles for technical clients without user propagation and for named business users. + +Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. +::: + + +#### How to Authorize Callbacks + +For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. +Currently, there is no standadized way to achieve this in CAP so that custom codeing is required. +As a prerequisite*, the CAP service needs to know the clientId of the reuse service's IAS application which should be part of the binding exposed to the CAP service. + +::: details Sample Code for Authorization of Callbacks + +```java +private void authorizeCallback() { + UserInfo userInfo = runtime.getProvidedUserInfo(); + String azp = (String) userInfo.getAdditionalAttributes().get("azp"); + if(!userInfo.isSystemUser() || azp == null || !azp.equals(clientId)) { + throw new ErrorStatusException(ErrorStatuses.FORBIDDEN); + } + } +``` +::: + + + +## Local Services Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. They shouldn't be exposed via protocol adapters at all. 
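Review bot: the `authorizeCallback` sample at the end of this hunk uses `runtime` and `clientId` without declaring them, is a `private void` method with no indication of where it is invoked (for example from a `@Before` handler of the callback endpoint), and its closing brace is misindented; since the check `!userInfo.isSystemUser() || azp == null || !azp.equals(clientId)` makes the expected `azp` the whole trust decision, state explicitly that `clientId` must be taken from the service binding, as the prose hints, and never from the request itself. The surrounding text has a stray asterisk in `As a prerequisite*` and typos in `standadized` and `codeing`. The new `### User Propagation` section at the top of the hunk is a scratch list (`- threads`, `- original authentication claim`, `Custom:`, `- Cloud SDK:`) with a link to the internal host `pages.github.tools.sap`, sits directly under the H1 without an H2, and duplicates the `### User Propagation` subsection added to cap-users.md in the same patch; remove it here or finish it in one place. In `#### Consumer Application`, step 2 (`Create a Remote Service based on the destination`) references `review-service-destination` before that destination is created in the second list that follows; merging the two lists into one ordered procedure would avoid that. Also `the _consumer app_ requires to do` should read `the _consumer app_ needs to`, and the first warning box says `vice verse` where the second one correctly says `vice versa`.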
@@ -35,13 +303,13 @@ service InternalService { ``` `InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. -### Application-Internal Services +## Application-Internal Services - internal-user (IAS + XSUAA) -### BTP Reuse Services +## BTP Reuse Services - IAS - XSUAA -### External Services +## External Services - IAS App-2-App - Via Destination (S/4) \ No newline at end of file From c86ed58594c6b0b8913cd8a1a3dd3039d70e0084 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 21 Oct 2025 13:03:00 +0200 Subject: [PATCH 013/120] user propagation --- guides/security/cap-users.md | 118 ++++++++++++++++++++++++----------- 1 file changed, 82 insertions(+), 36 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 1f6b7553cd..eb0222ee4c 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
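Review bot: promoting the three stub sections to H2 in the `@@ -35,13 +303,13 @@` hunk makes `## BTP Reuse Services` and `## External Services` duplicates of the `### BTP Reuse Services {#ias-reuse}` and `### External Services (IAS App-to-App) {#app-to-app}` sections written out earlier in the same file, while their bodies remain scratch bullets (`- internal-user (IAS + XSUAA)`, `- IAS - XSUAA`, `- IAS App-2-App - Via Destination (S/4)`); fold whatever is still missing into the filled-in sections and drop these, or leave them as H3 drafts until they have content.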
@@ -800,10 +800,10 @@ Depending on the configured [authentication](#authentication) strategy, CAP deri | User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation |---------------|---------------------|----------------------------------|-------------------------|--------------------| -| User logon name | `getName()` | `user_name` | `sub` | `$user` | -| User tenant | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | -| User attributes | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | -| User roles | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | +| Logon name | `getName()` | `user_name` | `sub` | `$user` | +| Tenant | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | +| Attributes | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | +| Roles | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | ::: tip CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. 
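Review bot: in hunk `@@ -800,10 +800,10 @@`, the Attributes row still reads `xs.user.attributes.` and `$user.`, so an attribute-name placeholder (something like `<attr>`) appears to have been swallowed by the markdown renderer; escape it inside the backticks so readers can see which part is the attribute name. The header row is also missing the closing `|` after `` `@restrict`-annotation ``, which breaks the table in stricter renderers.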
@@ -811,12 +811,12 @@ CAP does not make any assumptions on the presented claims given in the token. St In addition, there are getters to retrieve information about [pseudo-roles](#pseudo-roles): -| UserInfo method | Description -| :---------------------------------------------------- | :----------------------------------------------------- | -| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | -| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | -| `isAuthenticated()` | True if the current user has been authenticated and hence has pseudo-role `authenticated-user`. | -| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#privileged-user), i.e. is unrestricted | +| UserInfo method | Description | CAP Role | +| :---------------------------------------------------- | :----------------------------------------------------- | -------------- | +| `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | +| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | +| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | +| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#privileged-user), i.e. is unrestricted | n/a | @@ -829,7 +829,7 @@ Here a combination of `user_name` and `origin` mapped to `$user` might be a feas This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers): -::: details Sample implementation for overriding the user name +::: details Sample implementation to override the user name ```java @Component 
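Review bot: in hunk `@@ -811,12 +811,12 @@`, the new `isAuthenticated()` description drops the pseudo-role wording while the `isSystemUser()` and `isInternalUser()` rows keep "has pseudo-role ..."; now that the role has its own column, all rows can use the shorter form and leave the role name to the CAP Role column. The `isPrivileged()` description also lacks the trailing period the other rows have.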
@@ -889,27 +889,27 @@ There are multiple reasonable use cases in which user modification is a suitable There are a few typical use cases in a (multitenant) application where switching the current user of the request is required. For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. -These scenarios are identified by a combination of the user (technical or named) and the tenant (provider or subscribed): +These scenarios are identified by a combination of the user (*technical* or *named*) and the tenant (*provider* or *subscriber*): ![A named user can switch to a technical user in the same/subscriber tenant using the systemUser() method. Also, a named user can switch to a technical user in the provider tenant using the systemUserProvider() method. In addition technical users provider/subscriber tenants can switch to technical users on provider/subscriber tenants using the methods systemUserProvider() or systemUser(tenant).](./assets/requestcontext.drawio.svg) -In CAP Java the user context can only be changed by opening an appropriate Request Context explicitly which provides a well-defined scope of changed context. +In CAP Java, the user context can only be modified by explicitly opening an appropriate Request Context which ensures a well-defined scope for the changed settings. Services might, for example, trigger HTTP requests to external services by deriving the target tenant from the current Request Context. -The `RequestContextRunner` API offers convenience methods that allow an easy transition from the current Request Context to a derived one according to the scenario. +The `RequestContextRunner` API offers convenience methods that allow an easy transition from the current Request Context to a derived one according to the concrete scenario. 
| Method | Scenario | |----------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| `systemUser()` | [Switches](#switching-to-technical-user) to the technical user and preserves the tenant from the current `UserInfo`. | -| `systemUserProvider()` | [Switches](#switching-to-provider-tenant) to the technical user of the provider account. | -| `systemUser(tenant)` | [Switches](#switching-to-subscriber-tenant) to a technical user targeting a given subscriber account. | +| `systemUser()` | [Switches](#switching-to-technical-user) to the **technical user** and preserves the tenant from the current user. | +| `systemUserProvider()` | [Switches](#switching-to-provider-tenant) to the **technical user of the provider account**. | +| `systemUser(tenant)` | [Switches](#switching-to-subscriber-tenant) to a **technical user targeting a given subscriber account**. | | `privilegedUser()` | [Elevates](#switching-to-privileged-user) the current `UserInfo` to by-pass all authorization checks. | | `anonymousUser()` | [Switches](#switching-to-anonymous-user) to an anonymous user. | Named user contexts are only created by the CAP Java framework as initial Request Context based on appropriate authentication information (for example, JWT token) attached to the incoming HTTP request. :::tip Note -- The API does not allow to switch from technical user to a named user. +- It is not possible to switch from technical user to a named user. - Asynchronous requests to CAP services are always on behalf of a technical user. ::: 
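Review bot: in hunk `@@ -889,27 +889,27 @@`, the `privilegedUser()` row ("by-pass all authorization checks") is where readers will look the API up, so it should point to the caution given later in this file about calling services as the privileged user only when the initial authorization is sufficient; also spell it `bypass`. The diagram's alt text is a full paragraph; move that explanation into the body and keep the alt short, as the other diagrams in this file do.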
@@ -921,14 +921,13 @@ Named user contexts are only created by the CAP Java framework as initial Reques The incoming JWT token triggers the creation of an initial Request Context with a named user. Accesses to the database in the OData Adapter as well as the custom `On` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. An additionally defined `After` handler wants to call out to an external service using a technical user without propagating the named user JohnDoe. -Therefore, the `After` handler needs to create a new Request Context. To achieve this, it's required to call `requestContext()` on the current `CdsRuntime` and use the `systemUser()` method to remove the named user from the new Request Context: +To achieve this, it's required to call `requestContext()` on the current `CdsRuntime` and use the `systemUser()` method to remove the named user from the new Request Context: ```java @After(entity = Books_.CDS_NAME) public void afterHandler(EventContext context){ runtime.requestContext().systemUser().run(reqContext -> { // call technical service - ... }); } ``` @@ -947,7 +946,6 @@ This allows the application to perform an HTTP call to the remote CAP service, w public void onAction(AddToOrderContext context){ runtime.requestContext().systemUserProvider().run(reqContext -> { // call remote CAP service - ... }); } ``` 
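Review bot: in hunks `@@ -921,14 +921,13 @@` and `@@ -947,7 +946,6 @@`, dropping the `...` placeholders is fine, but both samples call `runtime.requestContext()` on an undeclared `runtime`; show the injected `CdsRuntime` field once so the snippets compile as shown. After deleting the sentence "Therefore, the `After` handler needs to create a new Request Context", the remaining "To achieve this, it's required to call ..." has no antecedent for "this"; keep a short version of the removed sentence.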
@@ -968,16 +966,21 @@ runtime.requestContext().systemUser(tenant).run(reqContext -> { }); ``` +::: warning Resource Bottlenecks in Tenant Looping +Avoid iterating through all subscriber tenants to perform tenant-specific tasks. +Instead, prefer a task-based approach which processes specific subscriber tenants selectively. +::: + #### Switching to Privileged User { #switching-to-privileged-user } -Application services called within custom handlers introduce an authorization on a second-level, which is the preferred behaviour for sake of security by default. -However, in some situations, you might want to bypass additional authorizations because the initial authorization of the request is sufficient. +Application services invoked within custom handlers enforce an authorization on second-layer, which is the preferred behaviour to ensure security by default. +However, in certain situations, you might want to bypass additional authorization checks if the initial request authorization is deemed sufficient. -You can run such service calls on behalf of the privileged user which acts like a super user w/o restrictions: +Such service calls can be executed on behalf of a privileged user, acting as a superuser without restrictions: ```java cdsRuntime.requestContext().privilegedUser().run(privilegedContext -> { assert privilegedContext.getUserInfo().isPrivileged(); - // ... Service calls in this scope pass generic authorization handler + // service calls in this scope pass generic authorization handler }); ``` 
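Review bot: in hunk `@@ -968,16 +966,21 @@`, "enforce an authorization on second-layer" should read "enforce a second layer of authorization", and `behaviour` should match the US spelling used elsewhere in the guide. The privileged-user sample uses `cdsRuntime` while the earlier samples in this section use `runtime`; pick one name. The new "Resource Bottlenecks in Tenant Looping" warning would be more actionable if it said what a task-based approach looks like in practice (for example, one scheduled task per affected tenant rather than one loop over all tenants).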
@@ -990,7 +993,7 @@ Call application services on behalf of the privileged user only in case the serv In rare situations you might want to call a public service without sharing information of the current request user. In this case, user propagation is explicitly prevented. -You can run such service calls on behalf of the anonymous user which acts like a public user w/o personal user information (name, token, ...): +Such service calls can be executed on behalf of the anonymous user, acting as a public user without personal user claims: ```java cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { // ... Service calls in this scope pass generic authorization handler 
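Review bot: in hunk `@@ -990,7 +993,7 @@`, the anonymous-user sample is a copy of the privileged one: the lambda parameter is still named `privilegedContext`, and the comment "Service calls in this scope pass generic authorization handler" is wrong for an anonymous user, who, per the text above it, is a public user without claims and does not bypass authorization. Rename the parameter to `anonymousContext` and change the comment to say that calls in this scope run without user claims and are authorized as an anonymous user.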
@@ -1002,22 +1005,65 @@ cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { #### Between Threads -Within the same Request Context, all CAP service calls share the same user infomration. -But the runtime can't automatically propagated user information to spawned threads and by default, the thread runs in a Request Context with an anonymous user. +Within the same Request Context, all CAP service calls share the same user information. +By default, the Request Context of the current thread is not shared with spawned thread and hence user information is lost. If you want to avoid this, you can propagate the Request Context to spawned threads as described [here](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext) and hence the same user context is applied. -#### None-CAP Libraries +#### None-CAP Libraries { #user-token } + +CAP plugins for IAS and XSUAA store the resolved user information in Spring's [`SecurityContext`](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/core/context/SecurityContext.html) which contains all relevant authentication information. Hence, library code can rely on standards to fetch the authentication information and restore the user information if needed. + +In addition, the [authentication information](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/authentication/AuthenticationInfo.html) is stored in the Request Context and can be fetched like scetched here: + +```java +AuthenticationInfo authInfo = context.getAuthenticationInfo(); +JwtTokenAuthenticationInfo jwtTokenInfo = authInfo.as(JwtTokenAuthenticationInfo.class); +String jwtToken = jwtTokenInfo.getToken(); +``` + +#### Remote Services { #remote-services } + +Remote APIs can be invoked either on behalf of a named user or a technical user, depending on the callee's specification. 
+Thus, a client executing a business request within a specific user context might need to explicitly adjust the user propagation strategy. +CAP's [Remote Services](../guides/using-services) offer an easy and declarative way to define client-side representations of remote service APIs. +Such services integrate seamlessly with CAP, managing connection setup, including [authentication and user propagation](../../java/cqn-services/remote-services#configuring-the-authentication-strategy): + +```yaml +cds: + remote.services: + SomeReuseService: + binding: + name: reuse-service-instance + onBehalfOf: systemUserProvider +``` + +The parameter `onBehalfOf` in the binding configuration section allows to define following *user propagation* strategies: + +- `currentUser` (default): Propagate the user of the current Request Context. +- `systemUser`: Propagate the (tenant-specific) technical user, based on the tenant set in the current Request Context. +- `systemUserProvider`: Propagate the technical user of the provider tenant. + +::: tip +Remote Services configurations with `destination` section support `onBehalfOf` only in case of [IAS App-2-App flows](../../java/cqn-services/remote-services#consuming-apis-from-other-ias-applications). +::: + +[Learn more about Remote Services in CAP Java](../../java/cqn-services/remote-services#remote-services){.learn-more} + -CAP integration libraries for IAS and XSUAA store the resolved user information in Spring's [`SecurityContext`](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/core/context/SecurityContext.html) which contains all relevant authentication information. -Hence, library code can rely on standards to fetch the authentication information and restore the user information if needed. 
+#### Cloud SDK { #cloud-sdk } -#### Remote Services +On a programmatic level, the CAP runtime integrates with [Cloud SDK](https://sap.github.io/cloud-sdk/) offering an abstraction for connection setup with remote services, including authentication and user propagation. +By default, +- the *tenant* of the current Request Context is propagated under the hood. +- the *user token* is propagated via Spring's [`SecurityContext`](#user-token). +- *user propagation strategy* can be specified with parameter values [`OnBehalfOf`](https://sap.github.io/cloud-sdk/docs/java/features/connectivity/service-bindings#multitenancy-and-principal-propagation). + +::: tip +Prefer using [Remote Services](#remote-services) built on Cloud SDK rather than natively consuming the Cloud SDK. +::: -- original authentication claim +[Learn more about Cloud SDK integration in CAP Java](../../java/cqn-services/remote-services#cloud-sdk-integration){.learn-more} -Custom: -- Cloud SDK: - tenant provider ### Tracing { #user-tracing } From 61c51421ba17372217ec9fddb7559bb12252a3ce Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 21 Oct 2025 15:42:05 +0200 Subject: [PATCH 014/120] finalized cap users --- guides/security/authentication.md | 3 +-- guides/security/cap-users.md | 45 ++++++++++++++++++++++++------- 2 files changed, 36 insertions(+), 12 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 974d83902f..a37d269377 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -691,8 +691,7 @@ DWC Integration (internal) - -# Pitfalls +## Pitfalls - **Dont' miss to configure security middleware.** Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. Without security middleware configured, CDS services are exposed to public. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index eb0222ee4c..520192ca89 100644 
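Review bot: in hunk `@@ -1002,22 +1005,65 @@`, the heading "None-CAP Libraries" should be "Non-CAP Libraries"; also "scetched" → "sketched", "spawned thread" → "spawned threads", and "allows to define following" → "allows you to define the following". The token sample uses `context` without saying it is an `EventContext`, and `authInfo.as(JwtTokenAuthenticationInfo.class)` only holds for JWT-based logins; in local development with mock users (see the `MockedUserInfoProvider` trace further down in this file) the authentication info is not a JWT, so check the concrete type before casting. Two links point at `https://pages.github.tools.sap/cap/docs/...`, an internal host; use relative links like the rest of the section, and `../guides/using-services` uses a different depth than `../../java/cqn-services/...` in the same paragraph.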
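Review bot: in patch 014, hunk `@@ -691,8 +691,7 @@` of authentication.md, the context line "**Dont' miss to configure security middleware.**" has the apostrophe misplaced (`Don't`) and "miss to configure" is not idiomatic ("Don't forget to configure"); since the hunk already touches this heading, fix the bullet in the same change.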
--- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -884,6 +884,8 @@ There are multiple reasonable use cases in which user modification is a suitable [See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.leanr-more} +
+ ### Switching Users { #switching-users } There are a few typical use cases in a (multitenant) application where switching the current user of the request is required. @@ -916,7 +918,7 @@ Named user contexts are only created by the CAP Java framework as initial Reques #### Switching to Technical User {#switching-to-technical-user} -![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg) +![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg){width="330px"} The incoming JWT token triggers the creation of an initial Request Context with a named user. Accesses to the database in the OData Adapter as well as the custom `On` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. @@ -934,7 +936,7 @@ public void afterHandler(EventContext context){ #### Switching to Technical Provider Tenant {#switching-to-provider-tenant} -![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg) +![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg){width="500px"} The application offers a bound action in a CDS entity. Within the action, the application communicates with a remote CAP service using an internal technical user from the provider account. The corresponding `on` handler of the action needs to create a new Request Context by calling `requestContext()`. 
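Review bot: in hunk `@@ -884,6 +884,8 @@`, the context line `{.leanr-more}` misspells the `.learn-more` class used on every other link in this file, so that link renders without the style; fix it while adding the blank lines. The width attributes added in `@@ -916`, `@@ -934` and `@@ -952` differ per image (330px, 500px, 450px); fine if intentional, but a one-line note on why would save the next editor from "normalizing" them.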
@@ -952,7 +954,7 @@ public void onAction(AddToOrderContext context){ #### Switching to a Specific Technical Tenant {#switching-to-subscriber-tenant} -![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg) +![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg){width="450px"} The application is using a job scheduler that needs to regularly perform tasks on behalf of a certain tenant. By default, background executions (for example in a dedicated thread pool) aren't associated to any subscriber tenant and user. @@ -1001,6 +1003,7 @@ cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { }); ``` + ### User Propagation #### Between Threads @@ -1064,27 +1067,49 @@ Prefer using [Remote Services](#remote-services) built on Cloud SDK rather than [Learn more about Cloud SDK integration in CAP Java](../../java/cqn-services/remote-services#cloud-sdk-integration){.learn-more} - +
### Tracing { #user-tracing } +By default, information about the request user are not logged to the application trace. +During development, it might be useful to activate logger `com.sap.cds.security.authentication` by setting the level to `DEBUG`: ```sh logging.level.com.sap.cds.security.authentication: DEBUG ``` +This makes the runtime tracing user information of authenticated users to the application log like this: + ```sh MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' ``` ::: warning -Never activate user tracing in production! +Don't activate user tracing in production! ::: +[Learn more about various options to activate CAP Java loggers](../../java/operating-applications/observability#logging-configuration){.learn-more} + + +## Pitfalls + +- **Don't write custom code against concrete user types of a specific identity service (e.g. XSUAA or IAS)**. +Instead, if required at all, use CAP's user abstraction layer (`UserInfo` in Java or `req.user` in Node.js) to handle user-related logic. + +- **Don't try to propagtate named user context in asynchronous requests**. Do not attempt to propagate the context of a named user in asynchronous requests, such as when using the Outbox pattern or Messaging. +Asynchronous tasks are typically executed outside the scope of the original request context, after successful authorization. +Propagating the named user context can lead to inconsistencies or security issues. Instead, use technical users for such scenarios. + +- **Don't mix CAP Roles for business and technical users**. CAP roles should be clearly separated based on their purpose: Business user roles are designed to reflect how end users interact with the application. +Technical user roles are intended for system-level operations, such as background tasks or service-to-service communication. 
Mixing these roles can lead to confusion and unintended access control issues. + +- **Don't mix AMS Policy level with CAP Role level**. +AMS policies operate at the business level, while CAP roles are defined at the technical domain level. +Avoid mixing these two layers, as this could undermine the clarity and maintainability of your authorization model. -## Ptifalls +- **Don't expose non-cross-sectional entity attributes as AMS Attributes**. +When defining AMS attributes, ensure that only cross-sectional attributes are exposed. +These attributes should have a broad, domain-wide relevance and be applicable across multiple entities. +Typically, only a limited number of attributes (fewer than 5) meet this criterion. +Exposing entity-specific attributes as AMS attributes can lead to unnecessary complexity and reduced reusability. -- asynchronous business requests -- wrong granularity of CAP/AMS roles -- no cross-sectional attributes -- mixing business roles with technical From 5d04142606779c7f305e08ac7faa90dd205abef0 Mon Sep 17 00:00:00 2001 
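Review bot: in hunk `@@ -1064,27 +1067,49 @@`, the snippet `logging.level.com.sap.cds.security.authentication: DEBUG` is an application.yaml property, so the fence should be `yaml` (and the log sample a plain `text` block), not `sh`; the sample log line is also missing its closing `]`. Grammar: "information about the request user are not logged" → "is not logged", and "This makes the runtime tracing user information" → "This makes the runtime trace user information". In the Pitfalls list, "propagtate" → "propagate", and that bullet then repeats itself ("Don't try to propagate ... Do not attempt to propagate ..."); keep one sentence. The last bullet gives "fewer than 5" as a hard number; phrase it as guidance unless it is an actual limit.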
From: "matthia.braun@sap.com" Date: Wed, 22 Oct 2025 10:55:37 +0200 Subject: [PATCH 015/120] restructured images --- guides/security/assets/custom-auth.drawio.svg | 289 +++++++++++--- guides/security/assets/custom-auth.svg | 1 - guides/security/assets/ingress-auth.drawio | 70 ---- .../security/assets/ingress-auth.drawio.svg | 174 +++++++++ guides/security/assets/ingress-auth.svg | 4 - .../assets/security-components.drawio.svg | 193 ++++++++++ .../assets/security-customizable.drawio.svg | 354 ++++++++++++++++++ .../security-platform-integration.drawio.svg | 235 ++++++++++++ guides/security/authentication.md | 4 +- guides/security/overview.md | 250 +++++++------ guides/security/remote-authentication.md | 73 ++-- 11 files changed, 1345 insertions(+), 302 deletions(-) delete mode 100644 guides/security/assets/custom-auth.svg delete mode 100644 guides/security/assets/ingress-auth.drawio create mode 100644 guides/security/assets/ingress-auth.drawio.svg delete mode 100644 guides/security/assets/ingress-auth.svg create mode 100644 guides/security/assets/security-components.drawio.svg create mode 100644 guides/security/assets/security-customizable.drawio.svg create mode 100644 guides/security/assets/security-platform-integration.drawio.svg diff --git a/guides/security/assets/custom-auth.drawio.svg b/guides/security/assets/custom-auth.drawio.svg index cf518e5a3e..2f0d10a5c1 100644 --- a/guides/security/assets/custom-auth.drawio.svg +++ b/guides/security/assets/custom-auth.drawio.svg
[SVG diff hunks for the eight asset files listed above omitted (drawio-exported markup). Recoverable diagram labels: custom-auth: "CAP identity integration", "CAP endpoints", "Custom endpoints (same auth)", "Custom endpoints (diff auth)", "Security Middleware", "Framework", "Application"; ingress-auth: "Ingress Gateway (authentication)", "CAP srv1", "CAP srv2", "CAP srv3", "mTLS tunnel"; security-components: "Authentication", "Authorization", "Remote Authentication", "CAP User", "propagation"; security-customizable: the same four components plus "Custom endpoints (auth/protocol)", "Custom endpoints (auth)", "Modifying CAP Users", "Switching Users", "Defining Access Rules", "customization", "out of the box"; security-platform-integration: "IAS / XSUAA", "AMS / XSUAA", "Connectivity Service", "Platform", "CAP", "Authentication", "Authorization", "Remote Authentication".]
diff --git a/guides/security/authentication.md b/guides/security/authentication.md index a37d269377..b33131741d 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -604,7 +604,7 @@ There are multiple reasons why customization might be required: 2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). 3. The application needs to integrate with a 3rd party authentication service. -![Endpoints with different authentication strategy](./assets/custom-auth.svg){width="430px"} +![Endpoints with different authentication strategy](./assets/custom-auth.drawio.svg){width="430px"} - For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. - For custom endpoints you also can go with default settings because CAP will enforce authentication as well. @@ -674,7 +674,7 @@ Be cautious with the configuration of the `HttpSecurity` instance in your custom In services meshes such as [Istio](https://istio.io/) the authentication is usually fully delegated to a central ingress gateway and the internal communication with the services is protercted by a secure channel: -![Service Mesh with Ingress Gateway](./assets/ingress-auth.svg){width="500px"} +![Service Mesh with Ingress Gateway](./assets/ingress-auth.drawio.svg){width="500px"} In architectures like this, the CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. diff --git a/guides/security/overview.md b/guides/security/overview.md index 2f7e3a4b43..3a243acfc0 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md
@@ -12,32 +12,55 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ [[toc]] + ## Key Concepts { #key-concepts } -- diagram +### Pluggable Building Blocks { #key-concept-pluggable } + +CAP divides the different tasks related to security into separate and independent building blocks: + +![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="600px" } + +- [Authentication](#inbound-authentication ) +- [User representation and propagation](#user-representation) +- [Authorization](#authorization) +- [Remote Authentication](#outbound-authentication) + +**By separating these concerns**, CAP ensures that each security function can be configured and customized independently without affecting other parts of the system, providing maximum flexibility. + +For example, authentication can be delegated to a separate ingress component, while authorization remains within the application service close to the data. + +### Customizable { #key-concept-customizable } + +Due to the plugin-based architecture, **CAP allows standard functions to be modified as required or, if necessary, completely replaced**. +This flexibility is crucial for scenarios where the default methods do not fully meet the requirements of the application. +Moreover, this integration helps to easily incorporate non-CAP and even non-BTP services, thereby providing a flexible and interoperable environment. + +![Overview Cusomizable Components with CAP](./assets/security-customizable.drawio.svg){width="600px" } + +For instance, it is possible to define specific endpoints with a custom authentication strategy. +Likewise, the CAP representation of the request user can be overruled to match additional, application-specific requirements. 
### Built on Best of Breed { #key-concept-platform-services } CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should not have to do it at all!** -Instead, **CAP seamlessly integrates with bullet-proven [platform services](#platform-compliance)** that handle these critical security topics centrally. +Instead, **CAP seamlessly integrates with bullet-proven [platform services](#btp-services)** that handle these critical security topics centrally. This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. By leveraging platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. Most notably, authentication is covered by [platform's identity services](#identity-service). Likewise, TLS termination is offered by the [platform](#platform-environment). +![Overview Platform Integration with CAP](./assets/security-platform-integration.drawio.svg){width="600px" } -### Pluggable Building Blocks { #key-concept-pluggable } - -CAP divides the different tasks related to security into separate and independent building blocks: -- [Authentication (inbound)](#inbound-authentication ) -- [User representation and propagation](#user-representation) -- [Authorization](#authorization) -- [Authentication (outbound)](#outbound-authentication) +### Decoupled from Business Logic { #key-concept-decoupled-coding } -**By separating these concerns**, CAP ensures that each security function can be configured and customized independently without affecting other parts of the system, providing maximum flexibility. +As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any adaptions. 
+This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. +As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. -For example, authentication can be delegated to a separate ingress component, while authorization remains within the application service close to the data. +For instance, CAP allows performing outbound service calls via Remote Services while handling authentication under the hood completely. +This abstraction layer ensures developers not having to worry about the details of authentication. ### Secure by Default { #key-concept-secure-by-default } 
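Review bot: the added image line `![Overview Cusomizable Components with CAP](./assets/security-customizable.drawio.svg){width="600px" }` has a typo in the alt text ("Customizable"), and both added image lines carry a stray space before the closing brace in `{width="600px" }`. The added link list under "Pluggable Building Blocks" keeps `(#inbound-authentication )` with a trailing space inside the target, and all four targets (`#inbound-authentication`, `#user-representation`, `#authorization`, `#outbound-authentication`) are written as same-page anchors although no heading in overview.md defines them in this diff; if they live in the sibling guides, prefix the page (for example `authentication#inbound-authentication`). In the last added lines, "This safeguards business logic being independent from platform services" and "ensures developers not having to worry" read awkwardly; suggest "This keeps business logic independent of platform services" and "spares developers the details of authentication".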
@@ -49,32 +72,90 @@ For instance, endpoints of deployed CAP applications are authenticated automatic Making endpoints public requires manual configuration either in the CAP model or in the middleware. -### Customizable { #key-concept-customizable } -Due to the plugin-based architecture, **CAP allows standard functions to be modified as required or, if necessary, completely replaced**. -This flexibility is crucial for scenarios where the default methods do not fully meet the requirements of the application. -Moreover, this integration helps to easily incorporate non-CAP and even non-BTP services, thereby providing a flexible and interoperable environment. +## Security Architecture -For instance, it is possible to define specific endpoints with a custom authentication strategy. -Likewise, the CAP representation of the request user can be overruled to match additional, application-specific requirements. +As [pointed out](#platform-compliance), CAP cloud applications run in a specific context that has a major impact on the security [architecture](#architecture-overview). +CAP requires a dedicated [platform environment](#platform-environment) to integrate with, in order to ensure end-to-end security. +### Architecture Overview { #architecture-overview } -### Decoupled from Business Logic { #key-concept-decoupled-coding } +The following diagram provides a high-level overview about the security-relevant aspects of a deployed CAP application in a cloud environment: -As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any adaptions. -This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. -As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. 
+ +![This TAM graphic is explained in the accompanying text.](./assets/cap-security-architecture-overview.png){width="600px"} -For instance, CAP allows performing outbound service calls via Remote Services while handling authentication under the hood completely. -This abstraction layer ensures developers not having to worry about the details of authentication. +To serve a business request, different runtime components are involved: a request, issued by a UI or technical client ([public zone](#public-zone)), is forwarded by a gateway or ingress router to the CAP application. In case of a UI request, an [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) instance acts as a proxy. The CAP application might make use of a CAP sidecar. All application components ([application zone](#application-zone)) might make use of platform services such as database or identity service ([platform zone](#platform-zone)). + +#### Public Zone { #public-zone } + +From CAP's point of view, all components without specific security requirements belong to the public zone. +Therefore, you shouldn't rely on the behavior or structure of consumer components like browsers or technical clients for the security of server components. +The platform's gateway provides a single point of entry for any incoming call and defines the API visible to the public zone. +As malicious users have free access to the public zone, these endpoints need to be protected carefully. +Ideally, you should limit the number of exposed endpoints to a minimum, perhaps through proper network configuration. + +#### Platform Zone { #platform-zone } + +The platform zone contains all platform components and services that are *configured and maintained* by the application provider. +CAP applications consume these low-level [platform services](#btp-services) to handle more complex business requests. 
+For instance, persistence service to store business data and identity service to authenticate the business user play a fundamental role. + +The platform zone also includes the gateway, which is the main entry point for external requests. Additionally, it may contain extra ingress routers. + +#### Application Zone { #application-zone} + +The application zone comprises all microservices that represent a CAP application. They are tightly integrated and form a unit of trust. The application provider is responsible to *develop, deploy and operate* these services: + +- The [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) acts as as an optional reverse proxy wrapping the application service and providing business-independent functionality required for UIs. +This includes serving UI content, providing a login flow as well as managing the session with the browser. +It can be deployed as application (reusable module) or alternatively consumed as a [service](https://help.sap.com/docs/btp/sap-business-technology-platform/managed-application-router). + +- The CAP application service exposes the API to serve business requests. Usually, it makes use of lower-level platform services. As built on CAP, a significant number of security requirements is covered either out of the box or by adding minimal configuration. + +- The optional CAP sidecar (reusable module) is used to outsource application-independent tasks such as providing multitenancy and extension support. + +Application providers, that is platform users, have privileged access to the application zone. +In contrast, application subscribers, that is business users, are restricted to a minimal interface. + +::: warning +❗ Application providers **may not share any secrets from the application zone** such as binding information with other components or persons. 
+In a productive environment, it is recommended to deploy and operate the application on behalf of a technical user. +::: + +::: tip +Without limitation of generality, there may be multiple CAP services or sidecars according to common [microservice architecture pattern](https://microservices.io/patterns/microservices.html). +::: +### Platform Requirements { #platform-environment } +There are several assumptions that a CAP application needs to make about the platform environment it is deployed to: + +1. Application and (platform) service endpoints are exposed externally by the API gateway via TLS protocol. +Hence, the **CAP application can offer a pure HTTP endpoint** without having to enforce TLS and to deal with certificates. + +2. The server certificates presented by the external endpoints are signed by a trusted certificate authority. +This **frees CAP applications from the need to manage trust certificates**. The underlying runtimes (Java or Node) can validate the server certificates by default. + +3. **Secrets** that are required to protect the application or to consume other platform services **are injected by the platform** into the application in a secure way. + +All supported [environments](overview#cloud) fulfill the given requirements. Additional requirements could be added in future. + +::: tip +Custom domain certificates need to be signed by trusted certificate authority. +::: + +::: warning +❗ **In general, application endpoints are visible to public zone**. Hence, CAP can't rely on private endpoints. +In particular, an application router does not prevent external access to the CAP application service. +As a consequence, **all CAP endpoints must be protected in an appropriate manner**. +::: ## Platform Compliance { #platform-compliance } -CAP applications run in a certain environment, that is, in the context of some platform framework that has specific characteristics. 
+CAP applications run in a certain environment, that is, in the context of some platform framework that has specific characteristics as explained [before](#platform-environment). The underlying framework has a major impact on the security of the application, regardless of whether it runs a [cloud](#cloud) environment or [local](#local) environment. Moreover, CAP applications are tightly integrated with [platform services](#btp-services), in particular with identity and persistence service. @@ -83,6 +164,20 @@ Moreover, CAP applications are tightly integrated with [platform services](#btp- CAP application security requires consistent security configuration of the underlying platform and all consumed services. Consult the relevant security documentation accordingly. ::: +### CAP in Local Environment { #local } + +Security not only plays a crucial role in [cloud](#cloud) environments, but also during local development. +Apparently the security requirements are different from cloud scenario as local endpoints are typically not exposed for remote clients. +But there are still a few things to consider because exploited vulnerabilities could be the basis for attacks on productive cloud services: + +- Make sure that locally started HTTP endpoints are bound to `localhost`. +- In case you run your service in hybrid mode with bindings to cloud service instances, +use [cds bind](../../advanced/hybrid-testing) instead of copying bindings manually to `default-env.json` file. +`cds bind` avoids materialization of secrets to local disc, which is inherently dangerous. +- Don't write sensitive data to application logs, also not via debug logging. +- Don't test with real business data, for example, copied from a productive system. + + ### CAP in Cloud Environment { #cloud } Currently, CAP supports to run on two cloud runtimes of [SAP Business Technology Platform](https://help.sap.com/docs/btp): @@ -115,21 +210,9 @@ Find more about BTP platform security here:
-### CAP in Local Environment { #local } -Security not only plays a crucial role in [cloud](#cloud) environments, but also during local development. -Apparently the security requirements are different from cloud scenario as local endpoints are typically not exposed for remote clients. -But there are still a few things to consider because exploited vulnerabilities could be the basis for attacks on productive cloud services: - -- Make sure that locally started HTTP endpoints are bound to `localhost`. -- In case you run your service in hybrid mode with bindings to cloud service instances, -use [cds bind](../../advanced/hybrid-testing) instead of copying bindings manually to `default-env.json` file. -`cds bind` avoids materialization of secrets to local disc, which is inherently dangerous. -- Don't write sensitive data to application logs, also not via debug logging. -- Don't test with real business data, for example, copied from a productive system. - -### SAP BTP Services for Security { #btp-services} +### Security Platform Services { #btp-services } SAP BTP provides a range of platform services that your CAP applications can utilize to meet production-grade security requirements. To ensure the security of your CAP applications, it's crucial to comply with the service level agreement (SLA) of these platform services. *As the provider of the application, you play a key role in meeting these requirements by correctly configuring and using these services.* 
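Review bot: in the "CAP in Local Environment" block re-added at @@ -83, "Apparently the security requirements are different from cloud scenario" says "seemingly" where "naturally" is meant, and "not exposed for remote clients" should be "not exposed to remote clients"; suggest "Naturally, the security requirements differ from the cloud scenario, as local endpoints are typically not exposed to remote clients." In the second bullet, "materialization of secrets to local disc" should read "local disk".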
@@ -156,6 +239,13 @@ This service helps to introduce a strict separation between platform users (prov The service lets customers manage user authorizations in technical roles at application level, which can be aggregated into business-level role collections for large-scale cloud scenarios. Obviously, developers must define application roles carefully as they form basic access rules to business data. +#### [SAP BTP Connectivity](https://help.sap.com/docs/CP_CONNECTIVITY) + +The connectivity service allows SAP BTP applications to securely access remote services that run on the Internet or on-premise. +It provides a way to establish a secure communication channel between remote endpoints that are connected via an untrusted network infrastructure. + +[Learn more in the security guide.](https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/cb50b6191615478aa11d2050dada467d.html){.learn-more} + #### [SAP Malware Scanning Service](https://help.sap.com/docs/MALWARE_SCANNING) This service can be used to scan transferred business documents for malware and viruses. 
@@ -169,89 +259,3 @@ Credentials managed by applications need to be stored in a secure way. This service provides a REST API for (CAP) applications to store and retrieve credentials at runtime. [Learn more in the security guide.](https://help.sap.com/docs/CREDENTIAL_STORE?#discover_task-security){.learn-more} - -#### [SAP BTP Connectivity](https://help.sap.com/docs/CP_CONNECTIVITY) - -The connectivity service allows SAP BTP applications to securely access remote services that run on the Internet or on-premise. -It provides a way to establish a secure communication channel between remote endpoints that are connected via an untrusted network infrastructure. - -[Learn more in the security guide.](https://help.sap.com/docs/CP_CONNECTIVITY/cca91383641e40ffbe03bdc78f00f681/cb50b6191615478aa11d2050dada467d.html){.learn-more} - -## Architecture and Platform Requirements - -As [pointed out](#platform-compliance), CAP cloud applications run in a specific context that has a major impact on the security [architecture](#architecture-overview). -CAP requires a dedicated [platform environment](#platform-environment) to integrate with, in order to ensure end-to-end security. - -### Architecture Overview { #architecture-overview } - -The following diagram provides a high-level overview about the security-relevant aspects of a deployed CAP application in a cloud environment: - - -![This TAM graphic is explained in the accompanying text.](./assets/cap-security-architecture-overview.png){width="600px"} - -To serve a business request, different runtime components are involved: a request, issued by a UI or technical client ([public zone](#public-zone)), is forwarded by a gateway or ingress router to the CAP application. In case of a UI request, an [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) instance acts as a proxy. The CAP application might make use of a CAP sidecar. 
All application components ([application zone](#application-zone)) might make use of platform services such as database or identity service ([platform zone](#platform-zone)). - -#### Public Zone { #public-zone } - -From CAP's point of view, all components without specific security requirements belong to the public zone. -Therefore, you shouldn't rely on the behavior or structure of consumer components like browsers or technical clients for the security of server components. -The platform's gateway provides a single point of entry for any incoming call and defines the API visible to the public zone. -As malicious users have free access to the public zone, these endpoints need to be protected carefully. -Ideally, you should limit the number of exposed endpoints to a minimum, perhaps through proper network configuration. - -#### Platform Zone { #platform-zone } - -The platform zone contains all platform components and services that are *configured and maintained* by the application provider. -CAP applications consume these low-level [platform services](#btp-services) to handle more complex business requests. -For instance, persistence service to store business data and identity service to authenticate the business user play a fundamental role. - -The platform zone also includes the gateway, which is the main entry point for external requests. Additionally, it may contain extra ingress routers. - -#### Application Zone { #application-zone} - -The application zone comprises all microservices that represent a CAP application. They are tightly integrated and form a unit of trust. The application provider is responsible to *develop, deploy and operate* these services: - -- The [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) acts as as an optional reverse proxy wrapping the application service and providing business-independent functionality required for UIs. 
-This includes serving UI content, providing a login flow as well as managing the session with the browser. -It can be deployed as application (reusable module) or alternatively consumed as a [service](https://help.sap.com/docs/btp/sap-business-technology-platform/managed-application-router). - -- The CAP application service exposes the API to serve business requests. Usually, it makes use of lower-level platform services. As built on CAP, a significant number of security requirements is covered either out of the box or by adding minimal configuration. - -- The optional CAP sidecar (reusable module) is used to outsource application-independent tasks such as providing multitenancy and extension support. - -Application providers, that is platform users, have privileged access to the application zone. -In contrast, application subscribers, that is business users, are restricted to a minimal interface. - -::: warning -❗ Application providers **may not share any secrets from the application zone** such as binding information with other components or persons. -In a productive environment, it is recommended to deploy and operate the application on behalf of a technical user. -::: - -::: tip -Without limitation of generality, there may be multiple CAP services or sidecars according to common [microservice architecture pattern](https://microservices.io/patterns/microservices.html). -::: - - -### Required Platform Environment { #platform-environment } - -There are several assumptions that a CAP application needs to make about the platform environment it is deployed to: - -1. Application and (platform) service endpoints are exposed externally by the API gateway via TLS protocol. -Hence, the **CAP application can offer a pure HTTP endpoint** without having to enforce TLS and to deal with certificates. - -2. The server certificates presented by the external endpoints are signed by a trusted certificate authority. 
-This **frees CAP applications from the need to manage trust certificates**. The underlying runtimes (Java or Node) can validate the server certificates by default. - -3. **Secrets** that are required to protect the application or to consume other platform services **are injected by the platform** into the application in a secure way. - -All supported [environments](overview#cloud) fulfill the given requirements. Additional requirements could be added in future. - -::: tip -Custom domain certificates need to be signed by trusted certificate authority. -::: - -::: warning -❗ **In general, application endpoints are visible to public zone**. Hence, CAP can't rely on private endpoints. -In particular, an application router does not prevent external access to the CAP application service. -As a consequence, **all CAP endpoints must be protected in an appropriate manner**. -::: diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 9f827336a4..21a10b7217 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
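Review bot: the block removed at @@ -169 ("Architecture and Platform Requirements" through the final warning) is re-added verbatim under "Security Architecture" at @@ -49, so its defects move with it: "acts as as an optional reverse proxy" doubles "as"; "responsible to *develop, deploy and operate*" should be "responsible for *developing, deploying and operating*"; the warning "Application providers **may not share any secrets**" should state "must not share"; and "As [pointed out](#platform-compliance)" now points forward, because "Security Architecture" precedes "Platform Compliance" in the new order, so "As explained in [Platform Compliance](#platform-compliance)" is clearer. The re-added text also loses the blank lines the removed version had between the closing `:::` of the tip and the "Platform Requirements" heading; keep one blank line there for consistency with the rest of the file.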
@@ -21,26 +21,9 @@ status: released # Remote Authentication { #remote-authentication } -### User Propagation +CAP supports the consumption of various kinds of remote services: - - threads - https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext - - - original authentication claim - - - Remote Services - - Custom: - - Cloud SDK: - tenant provider, - user per SecurityContext - - -## Connecting to IAS Services { #outbound-auth } - -CAP Java supports the consumption of IAS-based services of various kinds: - -* [Internal Services](#internal-app) bound to the same IAS instance of the provider application. +* [Local Services](#local-app) bound to the same IAS instance of the provider application. * [External IAS](#app-to-app) applications consumed by providing a destination. * [BTP reuse services](#ias-reuse) consumed via service binding. 
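Review bot: the new intro line "CAP supports the consumption of various kinds of remote services:" generalizes beyond IAS, but the three bullets it introduces stay IAS-specific ("bound to the same IAS instance", "External IAS applications", `#ias-reuse`), so either keep "IAS-based" in the sentence or add the non-IAS kinds to the list. This hunk also drops the `{ #outbound-auth }` anchor together with the "Connecting to IAS Services" heading and renames `#internal-app` to `#local-app`; please grep the other guides for links to both old anchors before merging. Removing the draft notes with the internal `pages.github.tools.sap` URL is welcome.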
@@ -49,16 +32,30 @@ CAP Java supports the consumption of IAS-based services of various kinds: Regardless of the kind of service, CAP provides a [unified integration as Remote Service](/java/cqn-services/remote-services#remote-odata-services). Basic communication setup and user propagation is addressed under the hood, for example, an mTLS handshake is performed in case of service-2-service communication. -### Internal Services {#internal-app} +## Local Services {#local-app} For communication between adjacent CAP applications, these are CAP applications which are bound to the same identity instance, simplified configuration is explained in [Binding to a Service with Shared Identity](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity). -### External Services (IAS App-to-App) {#app-to-app} +Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. +They shouldn't be exposed via protocol adapters at all. +In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: + +```cds +@protocol: 'none' +service InternalService { + ... +} +``` +`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. + + + +## External Services (IAS App-to-App) {#app-to-app} CAP Java supports technical communication with any IAS-based service deployed to an SAP Cloud landscape. User propagation is supported. For connection setup, it uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications). -#### Provider Application +### Provider Application The CAP Java application as a _provider app_ needs to: 
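Review bot: the `@protocol: 'none'` block inserted under "## Local Services {#local-app}" describes in-process CDS services that are never exposed through a protocol adapter, whereas the heading is introduced by the bullet "Local Services bound to the same IAS instance of the provider application" and by the shared-identity Remote Service paragraph directly above it; these are different mechanisms (a remote call with user propagation versus in-process dispatch), so give the in-process case its own subheading, for example "### Application-Internal Services", or move it out of the identity-bound section. The sentence "For communication between adjacent CAP applications, these are CAP applications which are bound to the same identity instance, simplified configuration is explained in ..." is a run-on; suggest "For communication between adjacent CAP applications, that is, CAP applications bound to the same identity instance, see the simplified configuration in ...". The three empty lines before "## External Services" can be reduced to one.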
@@ -106,7 +103,7 @@ Use different CAP roles for technical clients without user propagation and for n Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice verse. ::: -#### Consumer Application +### Consumer Application To set up a connection to such an IAS service, the _consumer app_ requires to do: @@ -166,7 +163,8 @@ To activate the App-2-App connection as a *consumer*, you need to: [Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} -### BTP Reuse Services {#ias-reuse} + +## BTP Reuse Services {#ias-reuse} IAS-based BTP reuse services can be created/consumed with CAP Java even more easily. @@ -268,7 +266,7 @@ Instead of using the same role, expose dedicated CDS services to technical clien ::: -#### How to Authorize Callbacks +### How to Authorize Callbacks For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. Currently, there is no standadized way to achieve this in CAP so that custom codeing is required. @@ -288,28 +286,3 @@ private void authorizeCallback() { ::: - -## Local Services - -Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. -They shouldn't be exposed via protocol adapters at all. -In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: - -```cds -@protocol: 'none' -service InternalService { - ... -} -``` -`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. - -## Application-Internal Services -- internal-user (IAS + XSUAA) - -## BTP Reuse Services -- IAS -- XSUAA - -## External Services -- IAS App-2-App -- Via Destination (S/4) \ No newline at end of file From ff238d40512d73a9df712e4a7adf2a624dd2c851 Mon Sep 17 00:00:00 2001 
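Review bot: the heading promoted at @@ -268 ("### How to Authorize Callbacks") is followed by unchanged lines with two typos worth fixing in the same commit: "no standadized way" (standardized) and "custom codeing is required" (coding).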
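Review bot: the outline removed at @@ -288 still named topics the restructured page has no home for: "Application-Internal Services -- internal-user (IAS + XSUAA)", "BTP Reuse Services -- XSUAA" and "External Services -- Via Destination (S/4)"; the remaining headings cover only IAS App-2-App, IAS-based reuse services and local services. If XSUAA-based consumption and plain destination-based calls are still planned, keep a TODO or open an issue so they are not silently dropped.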
From: "matthia.braun@sap.com" Date: Tue, 4 Nov 2025 14:40:11 +0100 Subject: [PATCH 016/120] next step --- ...ss-auth.drawio - Kopie.svg:Zone.Identifier | 0 .../security/assets/ingress-auth.drawio.svg | 12 +- .../remote-service-stack.drawio - Kopie.svg | 174 ++++++++ ...e-stack.drawio - Kopie.svg:Zone.Identifier | 0 .../assets/remote-service-stack.drawio.svg | 391 ++++++++++++++++++ .../security-platform-integration.drawio.svg | 6 +- guides/security/authentication.md | 18 +- guides/security/cap-users.md | 2 +- guides/security/overview.md | 53 ++- guides/security/remote-authentication.md | 21 +- 10 files changed, 623 insertions(+), 54 deletions(-) create mode 100644 guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier create mode 100644 guides/security/assets/remote-service-stack.drawio - Kopie.svg create mode 100644 guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier create mode 100644 guides/security/assets/remote-service-stack.drawio.svg diff --git a/guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier new file mode 100644 index 0000000000..e69de29bb2 diff --git a/guides/security/assets/ingress-auth.drawio.svg b/guides/security/assets/ingress-auth.drawio.svg index 2bed10e872..ab7a534b2b 100644 --- a/guides/security/assets/ingress-auth.drawio.svg +++ b/guides/security/assets/ingress-auth.drawio.svg @@ -1,4 +1,4 @@ - + @@ -16,7 +16,7 @@
- + Ingress Gateway
(authentication) @@ -46,7 +46,7 @@
- + CAP srv1
@@ -77,7 +77,7 @@
- + CAP srv2
@@ -108,7 +108,7 @@
- + CAP srv3
@@ -146,7 +146,7 @@
- + mTLS tunnel
diff --git a/guides/security/assets/remote-service-stack.drawio - Kopie.svg b/guides/security/assets/remote-service-stack.drawio - Kopie.svg new file mode 100644 index 0000000000..ab7a534b2b --- /dev/null +++ b/guides/security/assets/remote-service-stack.drawio - Kopie.svg @@ -0,0 +1,174 @@ + + + + + + + + + + + + + + + +
+
+
+ + Ingress Gateway +
+ (authentication) +
+
+
+
+
+ + Ingress... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + CAP srv1 + +
+
+
+
+
+
+
+ + CAP srv1 + +
+
+
+ + + + + + + + + + + + +
+
+
+ + CAP srv2 + +
+
+
+
+
+
+
+ + CAP srv2 + +
+
+
+ + + + + + + + + + + + +
+
+
+ + CAP srv3 + +
+
+
+
+
+
+
+ + CAP srv3 + +
+
+
+ + + + + + + + + + + + + + + + + + + +
+
+
+ + mTLS tunnel + +
+
+
+
+ + mTLS tun... + +
+
+
+ + + +
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier new file mode 100644 index 0000000000..e69de29bb2 diff --git a/guides/security/assets/remote-service-stack.drawio.svg b/guides/security/assets/remote-service-stack.drawio.svg new file mode 100644 index 0000000000..1fb45bd9e3 --- /dev/null +++ b/guides/security/assets/remote-service-stack.drawio.svg @@ -0,0 +1,391 @@ + + + + + + + + + + + + + + + +
+
+
+ + Connectivity + +
+
+
+
+ + Connecti... + +
+
+
+ + + + + + + + + + + + + + + + +
+
+
+ + Remote Service + +
+
+
+
+ + Remote S... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + + HTTP + + +
+
+
+
+ + HTTP + +
+
+
+ + + + + + + + + +
+
+
+ + CAP User + +
+
+
+
+ + CAP User + +
+
+
+ + + + + + + + + +
+
+
+ + Dest +
+ ination +
+
+
+
+
+ + Dest... + +
+
+
+ + + + + + + + + + + + + + + + +
+
+
+ + Authentica +
+ tion +
+
+
+
+
+ + Authenti... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + User +
+ propagation +
+
+
+
+
+ + User... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + Resilience + +
+
+
+
+ + Resilien... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + Destination + +
+
+
+
+ + Destinat... + +
+
+
+ + + + + + + + + + +
+
+
+ + Outbound Protocol +
+ Adapter (OData, hcql, ...) +
+
+
+
+
+ + Outbound... + +
+
+
+ + + + + + + + + + +
+
+
+ + + CQN + + +
+
+
+
+ + CQN + +
+
+
+ + + + + + + + + + + + +
+
+
+ + + Protocol level + + +
+
+
+
+ + Protocol... + +
+
+
+ + + + + + + + + + + + +
+
+
+ + + Connectivity level + + +
+
+
+
+ + Connecti... + +
+
+
+
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/security-platform-integration.drawio.svg b/guides/security/assets/security-platform-integration.drawio.svg index d387167bce..e4f36d677c 100644 --- a/guides/security/assets/security-platform-integration.drawio.svg +++ b/guides/security/assets/security-platform-integration.drawio.svg @@ -1,4 +1,4 @@ - + @@ -112,8 +112,8 @@ - - + + diff --git a/guides/security/authentication.md b/guides/security/authentication.md index b33131741d..d08ef8422f 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -51,7 +51,8 @@ Setup and start a simple sample application:
```sh -cds init bookshop --java --add sample && cd ./bookshop +cds init bookshop --java --add sample +cd ./bookshop mvn spring-boot:run ``` @@ -106,7 +107,7 @@ Sending OData request `curl http://localhost:8080/odata/v4/CatalogService/Books results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. This is true for all endpoints including the web application page at `/index.htlm`. -Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (`200`). +Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (HTTP response `200`). ::: tip @@ -134,8 +135,8 @@ You can opt out the preconfiguration of these users by setting `cds ### Customization { #custom-mock-users } -You can define custom mock users to perfectly simulate different types of [end users]((../cap-users#user-representation)) that will interact with your application at production time. -Hence, you can use the mock users to test authorization rules and custom handlers transparently from the actual context. +You can define custom mock users to simulate any type of [end users]((../cap-users#user-representation)) that will interact with your application at production time. +Hence, you can use the mock users to test your authorization settings as well as custom handlers fully decoupled from the actual execution environment.
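Review bot: the link in the changed line `[end users]((../cap-users#user-representation))` at @@ -134 has doubled parentheses, so the link target becomes `(../cap-users#user-representation)` and the link breaks; write `[end users](../cap-users#user-representation)`. Also check the path: the diffstat places `cap-users.md` in `guides/security/` next to `authentication.md`, so `../cap-users` would resolve to `guides/cap-users`; `./cap-users#user-representation` is probably intended.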
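Review bot: the changed sentence at @@ -106 now says "(HTTP response `200`)", which is clearer, but the unchanged line two above still reads "the web application page at `/index.htlm`"; fix it to `/index.html` while here.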
@@ -586,7 +587,8 @@ The same is true for the logout flow. ## XSUAA Authentication { #xsuaa-auth } - - setup cds add xsuaa + +TBD ## Hybrid Authentication { hybrid-authentication } @@ -604,7 +606,7 @@ There are multiple reasons why customization might be required: 2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). 3. The application needs to integrate with a 3rd party authentication service. -![Endpoints with different authentication strategy](./assets/custom-auth.drawio.svg){width="430px"} +![Endpoints with different authentication strategy](./assets/custom-auth.drawio.svg){width="380px"} - For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. - For custom endpoints you also can go with default settings because CAP will enforce authentication as well. @@ -687,8 +689,6 @@ This will make standard CAP authorization work properly. If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure. ::: -DWC Integration (internal) - ## Pitfalls @@ -700,5 +700,5 @@ DWC Integration (internal) - **Don't deviate from security defaults**. Only when absolute necessary, only experts should take the decision to add modifications or even replace parts of the standard authentication mechanisms. -- **Don't miss to add authentication tests** to ensure properly setup security configuration in your deployed application that rejects unauthenticated requests." +- **Don't miss to add authentication tests** to ensure properly setup security configuration in your deployed application that rejects unauthenticated requests. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 520192ca89..290c2c8813 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
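Review bot: In the `@@ -586,7 +587,8 @@` hunk, replacing the `setup cds add xsuaa` pointer with `TBD` leaves an empty section in a page whose front matter says `status: released`; either keep a one-line setup hint until the section is written or mark the page as draft. The trailing context line `## Hybrid Authentication { hybrid-authentication }` is also missing the `#` in the anchor attribute (it should be `{ #hybrid-authentication }`), so no anchor is generated for that heading.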
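Review bot: Good catch on the stray `"` at the end of the last bullet in the `@@ -700,5 +700,5 @@` hunk; the bullet just above it still reads "Only when absolute necessary", which should be "absolutely necessary".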
@@ -19,7 +19,7 @@ status: released -# CAP Users { #users } +# CAP Users { #cap-users } A successfull authentication results in an CAP [user representation](#claims) reflecting the request user in an uniform way. Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategy. diff --git a/guides/security/overview.md b/guides/security/overview.md index 3a243acfc0..0b5e120a35 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -1,6 +1,6 @@ --- synopsis: > - This section provides an overview about the security architecture of CAP applications on different platforms. + This section provides an overview about the security concepts and architecture of CAP applications on different platforms. status: released uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/9186ed9ab00842e1a31309ff1be38792.html --- 
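Review bot: In the `cap-users.md` hunk, renaming the heading anchor from `#users` to `#cap-users` breaks any existing link to `cap-users#users`; grep the guides (and the SAP Help Portal link targets mentioned in the front matter) for that anchor before merging. The context line also has two typos: "A successfull authentication results in an CAP" should be "A successful authentication results in a CAP".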
@@ -17,14 +17,14 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ ### Pluggable Building Blocks { #key-concept-pluggable } -CAP divides the different tasks related to security into separate and independent building blocks: +CAP divides the different security-related tasks into separate and independent building blocks for which all of them there is a standard CAP implementation suitable for most scenarios: ![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="600px" } -- [Authentication](#inbound-authentication ) -- [User representation and propagation](#user-representation) -- [Authorization](#authorization) -- [Remote Authentication](#outbound-authentication) +- [Authentication](./authentication ) +- [CAP Users](./cap-users) +- [Authorization](./authorization) +- [Remote Authentication](./remote-authentication) **By separating these concerns**, CAP ensures that each security function can be configured and customized independently without affecting other parts of the system, providing maximum flexibility. 
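Review bot: "for which all of them there is a standard CAP implementation" is ungrammatical; suggest "each of which has a standard CAP implementation suitable for most scenarios". The first list item `[Authentication](./authentication )` also has a trailing space inside the parentheses; drop it so the link target is written like the other three.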
@@ -46,16 +46,16 @@ Likewise, the CAP representation of the request user can be overruled to match a CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should not have to do it at all!** Instead, **CAP seamlessly integrates with bullet-proven [platform services](#btp-services)** that handle these critical security topics centrally. This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. -By leveraging platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. +Built on platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. Most notably, authentication is covered by [platform's identity services](#identity-service). -Likewise, TLS termination is offered by the [platform](#platform-environment). +Likewise, TLS termination is offered by the [platform infrastructure](#platform-environment). ![Overview Platform Integration with CAP](./assets/security-platform-integration.drawio.svg){width="600px" } ### Decoupled from Business Logic { #key-concept-decoupled-coding } -As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any adaptions. +As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any security-related adaptions. This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. 
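Review bot: "bullet-proven platform services" in the unchanged context should be "proven" or "battle-tested", and "security-related adaptions" should be "security-related adaptations". Otherwise the rewording of this hunk reads well.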
@@ -66,7 +66,7 @@ This abstraction layer ensures developers not having to worry about the details ### Secure by Default { #key-concept-secure-by-default } CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code to adapt accordingly. -CAP's autoconfiguration feature significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are under safe control**. +CAP's security autoconfiguration approach significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are under safe control**. For instance, endpoints of deployed CAP applications are authenticated automatically, thus providing a secure baseline. Making endpoints public requires manual configuration either in the CAP model or in the middleware. 
@@ -75,17 +75,16 @@ Making endpoints public requires manual configuration either in the CAP model or ## Security Architecture -As [pointed out](#platform-compliance), CAP cloud applications run in a specific context that has a major impact on the security [architecture](#architecture-overview). +CAP applications run in a specific context that has a major impact on the security [architecture](#architecture-overview). CAP requires a dedicated [platform environment](#platform-environment) to integrate with, in order to ensure end-to-end security. ### Architecture Overview { #architecture-overview } -The following diagram provides a high-level overview about the security-relevant aspects of a deployed CAP application in a cloud environment: +The following diagram provides a high-level overview about the security-relevant components and interfaces of a deployed CAP application in a cloud environment: - ![This TAM graphic is explained in the accompanying text.](./assets/cap-security-architecture-overview.png){width="600px"} -To serve a business request, different runtime components are involved: a request, issued by a UI or technical client ([public zone](#public-zone)), is forwarded by a gateway or ingress router to the CAP application. In case of a UI request, an [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) instance acts as a proxy. The CAP application might make use of a CAP sidecar. All application components ([application zone](#application-zone)) might make use of platform services such as database or identity service ([platform zone](#platform-zone)). +To serve a business request, different runtime components are involved: a request, issued by a UI or technical client ([public zone](#public-zone)), is forwarded by a gateway or ingress router to the CAP application. 
In case of a UI request, an [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) instance acts as a proxy to manage the login flow and the browser session. The CAP application can have additional services such as a CAP sidecar. All application components ([application zone](#application-zone)) might make use of platform services such as database or identity service ([platform zone](#platform-zone)). #### Public Zone { #public-zone } @@ -105,7 +104,7 @@ The platform zone also includes the gateway, which is the main entry point for e #### Application Zone { #application-zone} -The application zone comprises all microservices that represent a CAP application. They are tightly integrated and form a unit of trust. The application provider is responsible to *develop, deploy and operate* these services: +The application zone comprises all microservices that represent a CAP application. They are tightly integrated and form a **unit of trust**. The application provider is responsible to *develop, deploy and operate* these services: - The [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) acts as as an optional reverse proxy wrapping the application service and providing business-independent functionality required for UIs. This includes serving UI content, providing a login flow as well as managing the session with the browser. @@ -123,10 +122,6 @@ In contrast, application subscribers, that is business users, are restricted to In a productive environment, it is recommended to deploy and operate the application on behalf of a technical user. ::: -::: tip -Without limitation of generality, there may be multiple CAP services or sidecars according to common [microservice architecture pattern](https://microservices.io/patterns/microservices.html). -::: - ### Platform Requirements { #platform-environment } 
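Review bot: In the `@@ -105,7 +104,7 @@` hunk the context line "acts as as an optional reverse proxy" has a duplicated "as". Bolding "unit of trust" is a good change, since it is the assumption the later warning about internal communication channels rests on.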
@@ -136,9 +131,9 @@ There are several assumptions that a CAP application needs to make about the pla Hence, the **CAP application can offer a pure HTTP endpoint** without having to enforce TLS and to deal with certificates. 2. The server certificates presented by the external endpoints are signed by a trusted certificate authority. -This **frees CAP applications from the need to manage trust certificates**. The underlying runtimes (Java or Node) can validate the server certificates by default. +This **frees CAP applications from the need to manage trust certificates**. The underlying runtimes (Java or Node.js VMs) can validate the server certificates by default. -3. **Secrets** that are required to protect the application or to consume other platform services **are injected by the platform** into the application in a secure way. +3. **Secrets** that are required to protect the application or to consume other platform services **are injected by the platform** into the application microservices in a secure way. All supported [environments](overview#cloud) fulfill the given requirements. Additional requirements could be added in future. @@ -147,9 +142,7 @@ Custom domain certificates need to be signed by trusted certificate authority. ::: ::: warning -❗ **In general, application endpoints are visible to public zone**. Hence, CAP can't rely on private endpoints. -In particular, an application router does not prevent external access to the CAP application service. -As a consequence, **all CAP endpoints must be protected in an appropriate manner**. +❗ **In general, application endpoints are visible to public zone**. Hence, CAP applications need to protect all exposed endpoints. ::: 
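Review bot: In the `@@ -136,9 +131,9 @@` hunk, "(Java or Node.js VMs)" is imprecise, since Node.js is a runtime rather than a VM; "(JVM or Node.js)" says what is meant. Because the sentence claims that default certificate validation frees applications from trust management, it is worth adding that this holds only as long as application code does not disable that validation (custom trust managers, disabled certificate checks), which is the usual way this platform assumption gets silently broken.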
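Review bot: The `@@ -147,9 +142,7 @@` hunk drops the sentence "an application router does not prevent external access to the CAP application service", which was the concrete consequence readers need: the application router in front of a CAP service is a proxy, not a perimeter, and the service route itself stays reachable. Keep that sentence together with the "all CAP endpoints must be protected in an appropriate manner" conclusion; the shortened "CAP applications need to protect all exposed endpoints" no longer says why.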
@@ -157,16 +150,16 @@ As a consequence, **all CAP endpoints must be protected in an appropriate manner CAP applications run in a certain environment, that is, in the context of some platform framework that has specific characteristics as explained [before](#platform-environment). The underlying framework has a major impact on the security of the application, -regardless of whether it runs a [cloud](#cloud) environment or [local](#local) environment. +regardless of whether it runs a [cloud environment](#cloud) or [local environment](#local). Moreover, CAP applications are tightly integrated with [platform services](#btp-services), in particular with identity and persistence service. -::: warning End-to-end security necessarily requires compliance with all security policies of all involved components. +::: warning ❗ End-to-end security necessarily requires compliance with all security policies of all involved components CAP application security requires consistent security configuration of the underlying platform and all consumed services. Consult the relevant security documentation accordingly. ::: ### CAP in Local Environment { #local } -Security not only plays a crucial role in [cloud](#cloud) environments, but also during local development. +Security not only plays a crucial role in [cloud environments](#cloud), but also during local development. Apparently the security requirements are different from cloud scenario as local endpoints are typically not exposed for remote clients. But there are still a few things to consider because exploited vulnerabilities could be the basis for attacks on productive cloud services: 
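Review bot: "Apparently the security requirements are different from cloud scenario" uses "apparently" in the sense of "obviously", but in English it means "seemingly", which inverts the point; suggest "Naturally, the security requirements differ from the cloud scenario". The new warning title with the ❗ marker matches the one used in the platform-requirements section, which is good.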
@@ -219,13 +212,13 @@ SAP BTP provides a range of platform services that your CAP applications can uti ::: tip SAP BTP services and the underlying platform infrastructure hold various certifications and attestations, which can be found under the naming of SAP Cloud Platform in the [SAP Trust Center](https://www.sap.com/about/trust-center/certification-compliance/compliance-finder.html?search=SAP%20Business%20Technology%20Platform%20ISO). ::: +[Webcast SAP BTP Cloud Identity and Security Services](https://assets.dm.ux.sap.com/webinars/sap-user-groups-k4u/pdfs/221117_sap_security_webcast_series_sap_btp_cloud_identity_and_security_services.pdf){.learn-more} + The CAP framework offers flexible APIs that you can integrate with various services, including your custom services. If you replace platform services with your custom ones, it's important to ensure that the service level agreements (SLAs) CAP depends on are still met. The most important services for security offered by the platform: -[Webcast SAP BTP Cloud Identity and Security Services](https://assets.dm.ux.sap.com/webinars/sap-user-groups-k4u/pdfs/221117_sap_security_webcast_series_sap_btp_cloud_identity_and_security_services.pdf){.learn-more} - #### [SAP Cloud Identity Services - Identity Authentication](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) { #identity-service } The Identity Authentication service defines the user base for (CAP) applications and services, and allows to control access. 
@@ -239,6 +232,8 @@ This service helps to introduce a strict separation between platform users (prov The service lets customers manage user authorizations in technical roles at application level, which can be aggregated into business-level role collections for large-scale cloud scenarios. Obviously, developers must define application roles carefully as they form basic access rules to business data. +[Learn more in the security guide.](https://help.sap.com/docs/btp/sap-business-technology-platform/btp-security){.learn-more} + #### [SAP BTP Connectivity](https://help.sap.com/docs/CP_CONNECTIVITY) The connectivity service allows SAP BTP applications to securely access remote services that run on the Internet or on-premise. diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 21a10b7217..36588d2cf0 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
@@ -21,16 +21,25 @@ status: released # Remote Authentication { #remote-authentication } -CAP supports the consumption of various kinds of remote services: +CAP supports out-of-the-box consumption of various kinds of remote services: -* [Local Services](#local-app) bound to the same IAS instance of the provider application. -* [External IAS](#app-to-app) applications consumed by providing a destination. +* [Local Services](#local-app) as part of the same deployment and bound to the same identity instance (i.e. same trusted [application zone](./overview#application-zone)). +* [External IAS services](#app-to-app) which could be even running on a none-BTP-platform. * [BTP reuse services](#ias-reuse) consumed via service binding. -![The TAM graphic is explained in the accompanying text.](./assets/java-ias.png){width="800px" } +According to key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of Remote Services decouples protocol level (i.e. exchanged content) from connection level (i.e. established connection channel). +While the business context of the application has an impact on the protocol, the connectivity of the service endpoints is agnostic to it and mainly depends on platform-level capabilities. +The latter one is frequently subject to changes and hence should not introduce a dependency to the application. + +![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="300px" } + +Given the CAP user of the request and the destination provided by the application configuration, the connectivity can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination handling (local call, BTP Destination, BTP Service Binding) transparantly. +Appropriate user propagation and resilience are tackled on this level as well. 
+ +::: tip +BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. +::: -Regardless of the kind of service, CAP provides a [unified integration as Remote Service](/java/cqn-services/remote-services#remote-odata-services). -Basic communication setup and user propagation is addressed under the hood, for example, an mTLS handshake is performed in case of service-2-service communication. ## Local Services {#local-app} From 9aea779e9b18f5bc0c5c702510589ee22071fd55 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 7 Nov 2025 14:45:40 +0100 Subject: [PATCH 017/120] continued --- .../assets/co-located-services.drawio.svg | 165 +++++++++++++ .../assets/remote-service-stack.drawio.svg | 226 ++++++++++-------- guides/security/remote-authentication.md | 178 ++++++++++++-- 3 files changed, 447 insertions(+), 122 deletions(-) create mode 100644 guides/security/assets/co-located-services.drawio.svg diff --git a/guides/security/assets/co-located-services.drawio.svg b/guides/security/assets/co-located-services.drawio.svg new file mode 100644 index 0000000000..0dfa257e88 --- /dev/null +++ b/guides/security/assets/co-located-services.drawio.svg @@ -0,0 +1,165 @@ + + + + + + + + + + + + + + + + + + +
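Review bot: The `@@ -21,16 +21,25 @@` hunk in `remote-authentication.md` removes the statement "an mTLS handshake is performed in case of service-2-service communication" and replaces it with the parenthetical "(IAS, XSUAA, X.509, ZTID, ...)"; if mTLS is still the default for service-to-service calls, say so explicitly rather than leaving it implicit in "X.509", and expand or link "ZTID", which is not defined anywhere on the page. Typos in the added lines: "none-BTP-platform" should be "non-BTP platform", "transparantly" should be "transparently", and "The latter one" reads better as "The latter".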
+
+
+ + Service A + +
+
+
+
+ + Service A + +
+
+
+ + + + + + + + + +
+
+
+ + Token + +
+
+
+
+ + Token + +
+
+
+ + + + + + + + + + + + + + + + +
+
+
+ + Service B + +
+
+
+
+ + Service B + +
+
+
+ + + + + + + + + + + + + +
+
+
+ + Token + +
+
+
+
+ + Token + +
+
+
+ + + + + + + + + +
+
+
+ + Service Instance +
+ Identity +
+
+
+
+
+ + Service Instance... + +
+
+
+ + + + + + + + +
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/remote-service-stack.drawio.svg b/guides/security/assets/remote-service-stack.drawio.svg index 1fb45bd9e3..460c28f8e1 100644 --- a/guides/security/assets/remote-service-stack.drawio.svg +++ b/guides/security/assets/remote-service-stack.drawio.svg @@ -1,19 +1,19 @@ - + - - - + + + - + -
+
@@ -23,29 +23,25 @@
- + Connecti... - - + + + - - - - - - + -
+
@@ -55,25 +51,25 @@
- + Remote S... - - - + + + - + -
+
@@ -85,22 +81,22 @@
- + HTTP - - - + + + -
+
@@ -110,22 +106,22 @@
- + CAP User - - - + + + -
+
@@ -137,29 +133,29 @@
- + Dest... - - + + - - - + + + - + - + -
+
@@ -171,25 +167,25 @@
- + Authenti... - - - + + + - + - + -
+
@@ -201,180 +197,204 @@
- + User... - - - + + + - + - + -
+
- Resilience + Destination
- - Resilien... + + Destinat... - - - + - + - + -
+
- - Destination + + Outbound Protocol +
+ Adapter +
+ (OData, hcql, ...)
- - Destinat... + + Outbound... - + - + -
+
- - Outbound Protocol -
- Adapter (OData, hcql, ...) + + + CQN +
- - Outbound... + + CQN - + + + - + -
+
- + - CQN + Protocol level
- - CQN + + Protocol... - - - + + + - + -
+
- Protocol level + Connectivity level
- - Protocol... + + Connecti... - - - + + - + -
+
- - - Connectivity level - + + Request
- - Connecti... + + Request + + + + + + + + + + + +
+
+
+ + Config + +
+
+
+
+ + Config
diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 36588d2cf0..943c7aa088 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
@@ -23,47 +23,187 @@ status: released CAP supports out-of-the-box consumption of various kinds of remote services: -* [Local Services](#local-app) as part of the same deployment and bound to the same identity instance (i.e. same trusted [application zone](./overview#application-zone)). -* [External IAS services](#app-to-app) which could be even running on a none-BTP-platform. +* [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e. same trusted [application zone](./overview#application-zone)). * [BTP reuse services](#ias-reuse) consumed via service binding. +* [External services](#app-to-app) which can be running on none-BTP-platforms. -According to key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of Remote Services decouples protocol level (i.e. exchanged content) from connection level (i.e. established connection channel). +According to key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of CAP's [Remote Services](../using-services#consuming-services) decouples protocol level (i.e. exchanged content) from connection level (i.e. established connection channel). While the business context of the application has an impact on the protocol, the connectivity of the service endpoints is agnostic to it and mainly depends on platform-level capabilities. The latter one is frequently subject to changes and hence should not introduce a dependency to the application. -![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="300px" } +![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="350px" } -Given the CAP user of the request and the destination provided by the application configuration, the connectivity can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination handling (local call, BTP Destination, BTP Service Binding) transparantly. 
-Appropriate user propagation and resilience are tackled on this level as well. +On the layer of connectivity, following basic tasks ca be addressed generically: +- Authentication (_how to setup a trusted channel_) +- Destination (_how to find the target service_) +- User propagation (_how to transport user information_) + +CAP's connectivity component can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination (local destination, BTP Destination, BTP Service Binding) as well as user propagation (technical provider, technical subscriber, named user) transparently and fully configuration driven. +All three different service scenarios listed before can be conveniently addressed by configuration variants of the same remote service concept as shown in the following sections. + + +## Co-located Services {#co-located-services} + +Co-located services do not run in the same microservice, but are typically part of the same deployment unit and hence reside within the same trust boundary of the overall [application zone](./overview#application-zone). +Logically, such co-located services contribute to the application equally and hence could run as local services just as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of [late-cut microservice approach](../providing-services#late-cut-microservices). + +Technically, they share the same identity instance which allows direct token forwarding: + +![Co-located services](./assets/co-located-services.drawio.svg){width="500px" } + +[Learn more about how to configure co-located services in CAP Java](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity) {.learn-more} + +You can test CAP built-in support for co-located services in practise by modifying [`xflights-java`](https://github.com/capire/xflights-java/tree/main) and [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) sample applications. 
+`xflights_java` acts as master data provider exposing basic flight data in service [`sap.capire.flights.data`](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24) via different protocols. +On the client side, `xtravels_java` imports this service as CAP remote service and fetches data in a [custom handler for data fedaration](https://github.com/capire/xtravels-java/blob/53a5fa33caf4c9068f2e66fab25bda26f3f450ca/srv/src/main/java/sap/capire/xtravels/handler/FederationHandler.java#L63). ::: tip -BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. +CAP offers a simplified co-located service setup by leveraging remote services that require +- Shared identity instance +- URL for the destination +- Principal propagation mode (optional) +::: + + +To combine both applications in a co-located setup, you can do the following steps: + +#### 1. Prepare the CF environment with a dedicated space of your choice. + +Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): +- CF space to deploy the applications and a `cf`-CLI session targeting this space. +. MBT CLI build tool. +- HANA Cloud instance mapped to the space. +- [IAS tenant](./authentication#ias-ready) mapped to the subaccount. + + +#### 2. 
Prepare and deploy the client application + +As client, `xtravels` first needs a valid configuration for the remote service `sap.capire.flights.data`: + +::: code-group + +```yaml [/srv/srv/main/resources/application.yaml] +--- +spring: + config.activate.on-profile: cloud +cds: + remote.services: + xflights: + type: hcql + model: sap.capire.flights.data + binding: + name: xtravels-ias + options: + url: https:///hcql + onBehalfOf: systemUserProvider +``` + +Property `model` needs to match the full-qualified name of the CDS service from the imported model. +`binding.name` just needs to point to the shared identity instance and the `url` option provides the required location of the remote service endpoint. +Finally, `onBehalfOf: systemUserProvider` specifies that the remote call is invoked on behalf of the technical provider tenant. + + +Deploy the application with + +```sh +cd ./xtravels_java +cds up +``` + +❗Note that CF application `xtravels-srv` will not start successfully as long as `xflights` is not deployed yet (step 3). + +:::tip +In deployment for production it is recommended to combine both services with the shared identity instance in a single MTA descriptor. ::: -## Local Services {#local-app} +#### 3. Prepare and deploy the server application -For communication between adjacent CAP applications, these are CAP applications which are bound to the same identity instance, simplified configuration is explained in [Binding to a Service with Shared Identity](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity). +As server, `xflights` should restrict service `sap.capire.flights.data` to technical clients of the same application by adding pseudo-role [`internal-user`](./cap-users#pseudo-roles) to the service: -Local CDS services which are meant for *internal* usage only can be easily consumed by in-process function calls. -They shouldn't be exposed via protocol adapters at all. 
-In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: +::: code-group -```cds -@protocol: 'none' -service InternalService { - ... -} +```cds [/srv/authorization.cds] +using { sap.capire.flights.data as data } from './data-service'; + +annotate data with @(requires: 'internal-user'); +``` + +::: + +In addition, the microservice needs to share the same identity instance for co-located-setup: + +::: code-group + +```yaml [/srv/srv/main/resources/application.yaml] +resources: + - name: xflights-ias + type: org.cloudfoundry.managed-service // [!code --] + type: org.cloudfoundry.existing-service // [!code ++] + parameters: + service: identity // [!code --] + service-name: xflights-ias // [!code --] + service-name: xtravels-ias // [!code ++] + service-plan: application // [!code --] + config: // [!code --] + display-name: xflights // [!code --] +``` + +::: + +Finally, deploy and start the application with + +```sh +cd ./xflights_java +cds up +``` + +#### 4. Verify the deployment + +First, you can check the overall deployment status on cf CLI level, in particular the application services need to be started successfully as well as the shared identiy instance need to be verified. + +::: details To verify successfully started applications, `cf apps` should show following lines: + +::: code-group +```sh +name requested state processes routes +xflights-db-deployer stopped web:0/1 +xflights-srv started web:1/1 ... +xtravels started web:1/1 ... +xtravels-ams-policies-deployer stopped web:0/1 +xtravels-db-deployer stopped web:0/1 +xtravels-srv started web:1/1 ... ``` -`InternalService` is not handled by protocol adapters and can only receive events sent by in-process handlers. +::: + +::: details To verify the service bindings, `cf services` should show following lines: + +::: code-group +```sh +xflights-ias identity application +xtravels-ias identity application xtravels, xtravels-srv, xflights-srv, ... 
+``` +::: + +You can test the valid setup of xtravels application by accessing the UI by login with an authorized test user of the IAS tenant. +To do so, assign a proper AMS policy (e.g. `admin`) to the test user as described [before](./cap-users#ams-deployment). -## External Services (IAS App-to-App) {#app-to-app} +## External Services { #app-to-app } + +External services +To connect with externally located services, same aspects such as CAP Java supports technical communication with any IAS-based service deployed to an SAP Cloud landscape. User propagation is supported. For connection setup, it uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications). + +::: tip +BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. +::: + + ### Provider Application The CAP Java application as a _provider app_ needs to: From f6e8f7597669458b93a422482462bbd377058a35 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 11 Nov 2025 15:16:30 +0100 Subject: [PATCH 018/120] external authentication --- .../assets/external-services.drawio.svg | 245 ++++++++++++++++ guides/security/remote-authentication.md | 272 +++++++++++------- 2 files changed, 417 insertions(+), 100 deletions(-) create mode 100644 guides/security/assets/external-services.drawio.svg diff --git a/guides/security/assets/external-services.drawio.svg b/guides/security/assets/external-services.drawio.svg new file mode 100644 index 0000000000..bd5c3df1e9 --- /dev/null +++ b/guides/security/assets/external-services.drawio.svg @@ -0,0 +1,245 @@ + + + + + + + + + + + + + + + + + + + + + +
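Review bot: Step 3 of the co-located walkthrough should spell out what the shared identity instance means for authorization: once `xflights-srv` is bound to `xtravels-ias`, every token issued for `xtravels` is accepted by `xflights`, so the line `annotate data with @(requires: 'internal-user');` is the only thing separating the technical call configured with `onBehalfOf: systemUserProvider` from ordinary business users of the travels app, and step 4 should add the negative check (a named-user token sent to the `/hcql` endpoint is rejected with 403) instead of only verifying that the UI works. Further points in the same hunk: `url: https:///hcql` in step 2 has no hostname, so either the placeholder was lost or the text must say that the reader fills in the `xflights-srv` route; both `::: code-group` headers say `/srv/srv/main/resources/application.yaml`, but the Maven path is `/srv/src/main/resources/...` and the second block is an MTA `resources:` fragment, not `application.yaml`; the nested `::: details` / `::: code-group` blocks in step 4 close only once; the prerequisite bullet ". MBT CLI build tool." has a "." instead of "-"; `xflights_java`/`xtravels_java` in the prose do not match the `xflights-java`/`xtravels-java` repository names; and the "External services" section ends with the dangling fragment "To connect with externally located services, same aspects such as". Typos: "ca be addressed", "in practise", "fedaration", "identiy".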
[Figure residue from the added external-services.drawio.svg; only the diagram labels survive extraction: Service A, Service B, Token, Token, Service Instance Identity A, Service Instance Identity B, landscape A, landscape B, plus the drawio fallback text "Text is not SVG - cannot display".]
\ No newline at end of file diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 943c7aa088..c075b46872 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
@@ -21,62 +21,64 @@ status: released # Remote Authentication { #remote-authentication } -CAP supports out-of-the-box consumption of various kinds of remote services: +CAP supports out-of-the-box consumption of various kinds of [remote services]( #remote-services): -* [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e. same trusted [application zone](./overview#application-zone)). +* [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e., belong to the same trusted [application zone](./overview#application-zone)). +* [External services](#app-to-app) which can be running on non-BTP platforms. * [BTP reuse services](#ias-reuse) consumed via service binding. -* [External services](#app-to-app) which can be running on none-BTP-platforms. -According to key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of CAP's [Remote Services](../using-services#consuming-services) decouples protocol level (i.e. exchanged content) from connection level (i.e. established connection channel). +## Remote Service Abstraction { #remote-services } + +According to the key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of CAP's [Remote Services](../using-services#consuming-services) decouples protocol level (i.e., exchanged content) from connection level (i.e., established connection channel). While the business context of the application has an impact on the protocol, the connectivity of the service endpoints is agnostic to it and mainly depends on platform-level capabilities. -The latter one is frequently subject to changes and hence should not introduce a dependency to the application. +The latter is frequently subject to changes and hence should not introduce a dependency on the application. 
-![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="350px" } +![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="400px" } -On the layer of connectivity, following basic tasks ca be addressed generically: -- Authentication (_how to setup a trusted channel_) +At the connectivity layer, the following basic tasks can be addressed generically: +- Authentication (_how to set up a trusted channel_) - Destination (_how to find the target service_) - User propagation (_how to transport user information_) -CAP's connectivity component can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination (local destination, BTP Destination, BTP Service Binding) as well as user propagation (technical provider, technical subscriber, named user) transparently and fully configuration driven. -All three different service scenarios listed before can be conveniently addressed by configuration variants of the same remote service concept as shown in the following sections. +CAP's connectivity component can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination (local destination, BTP Destination, BTP Service Binding) as well as user propagation (technical provider, technical subscriber, named user) transparently and in a fully configuration-driven manner. +All three different service scenarios listed above can be conveniently addressed by configuration variants of the same remote service concept as shown in the following sections. ## Co-located Services {#co-located-services} Co-located services do not run in the same microservice, but are typically part of the same deployment unit and hence reside within the same trust boundary of the overall [application zone](./overview#application-zone). 
-Logically, such co-located services contribute to the application equally and hence could run as local services just as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of [late-cut microservice approach](../providing-services#late-cut-microservices). +Logically, such co-located services contribute to the application equally and hence could run as local services just as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of a [late-cut microservice approach](../providing-services#late-cut-microservices). -Technically, they share the same identity instance which allows direct token forwarding: +Technically, they share the same identity instance, which allows direct token forwarding: -![Co-located services](./assets/co-located-services.drawio.svg){width="500px" } +![Co-located services](./assets/co-located-services.drawio.svg){width="450px" } [Learn more about how to configure co-located services in CAP Java](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity) {.learn-more} -You can test CAP built-in support for co-located services in practise by modifying [`xflights-java`](https://github.com/capire/xflights-java/tree/main) and [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) sample applications. -`xflights_java` acts as master data provider exposing basic flight data in service [`sap.capire.flights.data`](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24) via different protocols. -On the client side, `xtravels_java` imports this service as CAP remote service and fetches data in a [custom handler for data fedaration](https://github.com/capire/xtravels-java/blob/53a5fa33caf4c9068f2e66fab25bda26f3f450ca/srv/src/main/java/sap/capire/xtravels/handler/FederationHandler.java#L63). 
+You can test CAP's built-in support for co-located services in practice by modifying the [`xflights-java`](https://github.com/capire/xflights-java/tree/main) and [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) sample applications. +`xflights-java` acts as a master data provider exposing basic flight data in service [`sap.capire.flights.data`](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24) via different protocols. +On the client side, `xtravels-java` imports this service as a CAP remote service and fetches data in a [custom handler for data federation](https://github.com/capire/xtravels-java/blob/53a5fa33caf4c9068f2e66fab25bda26f3f450ca/srv/src/main/java/sap/capire/xtravels/handler/FederationHandler.java#L63). ::: tip -CAP offers a simplified co-located service setup by leveraging remote services that require +CAP offers a simplified co-located service setup by leveraging remote services that require: - Shared identity instance - URL for the destination - Principal propagation mode (optional) ::: -To combine both applications in a co-located setup, you can do the following steps: +To combine both applications in a co-located setup, you can follow these steps: -#### 1. Prepare the CF environment with a dedicated space of your choice. +#### 1. Prepare the CF environment Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): - CF space to deploy the applications and a `cf`-CLI session targeting this space. -. MBT CLI build tool. +- MBT CLI build tool. - HANA Cloud instance mapped to the space. - [IAS tenant](./authentication#ias-ready) mapped to the subaccount. -#### 2. Prepare and deploy the client application +#### 2. Prepare and deploy the consumer application { #co-located-consumer } As client, `xtravels` first needs a valid configuration for the remote service `sap.capire.flights.data`: 
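Review bot: in the `@@ -21,62 +21,64 @@` hunk, both new links of the form `[remote services]( #remote-services)` carry a space inside the link target, which VitePress will not resolve as an anchor; write `[remote services](#remote-services)` here and in the later `@@ -185,62 +187,99 @@` hunk where the same target is reused. Also, the co-located paragraph says a shared identity instance "allows direct token forwarding" and the tip lists the shared instance as a convenience, but it is also the trust boundary the forwarded token relies on: the provider accepts the consumer's token only because both are bound to the same instance, which is why the guide later restricts the provider service to `internal-user`. One sentence making that dependency explicit would keep readers from reusing the pattern across instances.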
@@ -98,8 +100,8 @@ cds: onBehalfOf: systemUserProvider ``` -Property `model` needs to match the full-qualified name of the CDS service from the imported model. -`binding.name` just needs to point to the shared identity instance and the `url` option provides the required location of the remote service endpoint. +The `model` property needs to match the fully qualified name of the CDS service from the imported model. +The `binding.name` just needs to point to the shared identity instance and the `url` option provides the required location of the remote service endpoint. Finally, `onBehalfOf: systemUserProvider` specifies that the remote call is invoked on behalf of the technical provider tenant. @@ -112,12 +114,12 @@ cds up ❗Note that CF application `xtravels-srv` will not start successfully as long as `xflights` is not deployed yet (step 3). -:::tip -In deployment for production it is recommended to combine both services with the shared identity instance in a single MTA descriptor. +::: tip +For production deployment, it is recommended to combine both services with the shared identity instance in a [single MTA descriptor](./deployment/microservices#all-in-one-deployment). ::: -#### 3. Prepare and deploy the server application +#### 3. Prepare and deploy the provider application { #co-located-provider } As server, `xflights` should restrict service `sap.capire.flights.data` to technical clients of the same application by adding pseudo-role [`internal-user`](./cap-users#pseudo-roles) to the service: @@ -131,7 +133,7 @@ annotate data with @(requires: 'internal-user'); ::: -In addition, the microservice needs to share the same identity instance for co-located-setup: +In addition, the microservice needs to share the same identity instance for the co-located setup: ::: code-group 
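Review bot: in the `@@ -112,12 +114,12 @@` hunk, the new link target `./deployment/microservices#all-in-one-deployment` is resolved relative to `guides/security/`, where there is no `deployment` folder; the other deployment link in this patch uses `../deployment/to-cf#prerequisites`, so this one should be `../deployment/microservices#all-in-one-deployment`.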
@@ -160,9 +162,9 @@ cds up #### 4. Verify the deployment -First, you can check the overall deployment status on cf CLI level, in particular the application services need to be started successfully as well as the shared identiy instance need to be verified. +First, you can check the overall deployment status at the CF CLI level. In particular, the application services need to be started successfully and the shared identity instance needs to be verified. -::: details To verify successfully started applications, `cf apps` should show following lines: +::: details To verify successfully started applications, `cf apps` should show the following lines: ::: code-group ```sh @@ -176,7 +178,7 @@ xtravels-srv started web:1/1 ... ``` ::: -::: details To verify the service bindings, `cf services` should show following lines: +::: details To verify the service bindings, `cf services` should show the following lines: ::: code-group ```sh 
@@ -185,62 +187,99 @@ xtravels-ias identity application xtravels, xtravels-srv, xflights-srv, .. ``` ::: -You can test the valid setup of xtravels application by accessing the UI by login with an authorized test user of the IAS tenant. -To do so, assign a proper AMS policy (e.g. `admin`) to the test user as described [before](./cap-users#ams-deployment). +You can test the valid setup of the xtravels application by accessing the UI and logging in with an authorized test user of the IAS tenant. +To do so, assign a proper AMS policy (e.g., `admin`) to the test user as described [earlier](./cap-users#ams-deployment). +::: tip +The very same setup could be deployed for XSUAA-based services. +::: + ## External Services { #app-to-app } -External services -To connect with externally located services, same aspects such as +In contrast to [co-located services](#co-located-services), external services do not have a strong dependency as they have a fully decoupled lifecycle and are provided by different owners in general. +As a consequence, external services can run cross-regionally; even non-BTP systems might be involved. +A prerequisite for external service calls is a trust federation between the consumer and the provider system. +For instance, BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. -CAP Java supports technical communication with any IAS-based service deployed to an SAP Cloud landscape. User propagation is supported. -For connection setup, it uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications). +[IAS](./authentication#ias-auth) is positioned to simplify cross-regional requests with user propagation. 
+Prerequisites are identity instances on both consumer and provider sides as well as a registered IAS dependency in the consumer instance. +![External services](./assets/external-services.drawio.svg){width="500px" } -::: tip -BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. +CAP supports communication between arbitrary IAS endpoints and remains transparent for applications as it builds on the same architectural pattern of [remote services]( #remote-services). +Technically, the connectivity component uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) in this scenario which requires a token exchange from a consumer token into a token for the provider. +The latter is issued by IAS only if the consumer is configured with a valid IAS dependency to the provider (establishing trust). + +:::tip +CAP offers a simplified App-2-App setup by leveraging remote services that require: +- Identity instances for provider and consumer +- Configured IAS dependency from consumer to provider +- Destination with URL pointing to the provider +- Principal propagation mode (optional) ::: +#### 1. Prepare the CF environment -### Provider Application +Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): +- CF space to deploy the applications and a `cf`-CLI session targeting this space. +- MBT CLI build tool. +- HANA Cloud instance mapped to the space. +- [IAS tenant](./authentication#ias-ready) mapped to the subaccount. -The CAP Java application as a _provider app_ needs to: -1. Configure [IAS authentication](/java/security#xsuaa-ias). -2. Expose an API in the IAS service instance. +#### 2. 
Prepare and deploy the provider application - ::: details Sample IAS instance of provider (mta.yaml) +As first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to remote branch. - Add this to your `mta.yaml` resources section: +Similar to the [co-located](#co-located-provider) flavour, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. +The difference is that the consumers are not known a priori and also are not part of the same application deployment, in general. - ```yaml - - name: server-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - provided-apis: - - name: "review-api" - ``` +To expose service APIs for consumption, you can enhance the identity instance of the provider by defining API identifies that are listed in property `provided-apis`: - ::: +::: code-group -3. Prepare a CDS service endpoint for the exposed API. +```yaml [mta.yaml] +resources: + - name: xflights-ias + type: org.cloudfoundry.managed-service + parameters: + [...] + config: + display-name: xflights + provided-apis: [{ # [!code ++:5] + name: DataConsumer, + description: Grants technical access to data service API + }] +``` - ::: details Sample CDS Service for the API +::: - ```cds - service ReviewService @(requires: 'review-api') { - [...] - } - ``` +Only a single entry with name `DataConsumer` representing the consumption of service `sap.capire.flights.data` is added. +The description helps administrators to configure the consumer application with the proper provider API if done on UI level. 
- ::: +[Detailed description about identity instance parameters for `provided-apis`](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-instance-parameters){.learn-more} +OAuth tokens presented by a valid consumer requests as a result of an App-2-App flow will have API claim `DataConsumer` which is automatically mapped to a CAP role by the runtime. +Hence, the corresponding CDS service can be protected by CAP-role `DataConsumer` in order to authorize the requests thoroughly: + +::: code-group + +```cds [/srv/authorization.cds] +using { sap.capire.flights.data as data } from './data-service'; + +annotate data with @(requires: 'DataConsumer'); +``` + +Finally, deploy and start the application with + +```sh +cd ./xflights_java +cds up +``` + +::: ::: tip API as CAP role The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication. 
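Review bot: in the `@@ -185,62 +187,99 @@` hunk, the new learn-more link points at `https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/...`, an SAP-internal host that readers of the public docs cannot reach; replace it with a public reference or drop it. Three smaller points in the same hunk: the `::: code-group` opened before the `/srv/authorization.cds` block is closed only after the `cds up` shell block, so that block ends up inside the code group (move the closing `:::` directly after the cds fence); the shell snippet still says `cd ./xflights_java` although the prose was just renamed to `xflights-java`; and where the reader is told to protect the service with `@requires: 'DataConsumer'`, it is worth stating that this role is tied to the API, not to one consumer, so every application whose IAS dependency on `DataConsumer` is approved receives it. Typos: "API identifies" -> "API identifiers", "presented by a valid consumer requests" -> "presented by valid consumer requests".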
@@ -249,64 +288,97 @@ The API identifiers exposed by the IAS instance in list `provided-apis` are gran ::: warning Use different roles for technical and business users Use different CAP roles for technical clients without user propagation and for named business users. -Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice verse. +Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. ::: -### Consumer Application +#### 3. Prepare and deploy the consumer application -To set up a connection to such an IAS service, the _consumer app_ requires to do: +Like with xflights, clone [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) or, if already cloned and modified locally, reset to remote branch. -1. Create an IAS instance that consumes the required API. +First, a BTP destination needs to be added which points to the provider service endpoint to be called (`URL`) and which bears the the information about the IAS dependency to be called (`cloudsdk.ias-dependency-name`). +The name for the IAS dependency is flexible but **need to match the chosen name in next step** when [connecting consumer and provider in IAS](#connect). +The destination is required by the connectivity component to prepare the HTTP call accordingly. Also note that the authentication type of the destination is `NoAuthentication` as the destination itself does not contribute to the authentication process. 
- ::: details Sample IAS instance for client (mta.yaml) - Add this to your `mta.yaml` resources section: +::: code-group - ```yaml - - name: client-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - oauth2-configuration: - token-policy: - grant_types: - - "urn:ietf:params:oauth:grant-type:jwt-bearer" - ``` +```yaml [mta.yaml (destination instance)] + - name: xtravels-destination + type: org.cloudfoundry.managed-service + parameters: + service: destination + service-plan: lite + config: + init_data: + instance: + destinations: + - Name: xtravels-data-consumer + Type: HTTP + URL: https:///hcql + cloudsdk.ias-dependency-name: "DataConsumer" + Authentication: NoAuthentication + ProxyType: Internet + Description: "Data consumer destination for xtravels" +``` - ::: +```yaml [mta.yaml (destination binding)] +modules: + - name: xtravels-srv + type: java + [...] + requires: + - name: xtravels-destination # [!code ++] +``` +::: -2. Create a Remote Service based on the destination (optional). - ::: details Sample Remote Service configuration +:::tip +Alternatively, the destination can also be created manually in the [BTP destination editor](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/access-destinations-editor). 
+::: - ```yaml - cds: - remote.services: - Reviews: - destination: - name: review-service-destination - ``` - ::: +Given the destination, the remote service can be configured in a pretty similar way as with [co-located services](#co-located-consumer): + +::: code-group + +```yaml [/srv/srv/main/resources/application.yaml] +spring: + config.activate.on-profile: cloud +cds: + remote.services: + xflights: + type: hcql + model: sap.capire.flights.data + destination: + name: xtravels-data-consumer + onBehalfOf: systemUserProvider +``` + +::: + +Finally, deploy and start the application with + +```sh +cd ./xtravels_java +cds up +``` + +Technically, the remote service implementation will delegate the HTTP connection setup to the connectivity component which can recognize by the type of the destination that it needs to initiate an App-2-App flow. +It then takes the token from the request and triggers an IAS token exchange for the target [IAS dependency](#connect) according to the user propagation strategy (technical communication here). +The token exchange requires property `oauth2-configuration.token-policy.access-token-format: jwt` to be set in the identity instance in order to create a token in the JWT format. + +#### 4. Connect consumer with provider { #connect } To activate the App-2-App connection as a *consumer*, you need to: -1. Create an IAS application dependency in the IAS tenant: +Create an IAS application dependency in the IAS tenant: - Open the Cloud Identity Services admin console - Navigate to [Application APIs / Dependencies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/communicate-between-applications) - Create a new dependency pointing to your provider application's API -2. Create a dedicated [destination](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/access-destinations-editor) with the following configuration: - * The URL pointing to the IAS-endpoint of the application. 
- * Authentication type `NoAuthentication`. - * Attribute `cloudsdk.ias-dependency-name` with the name of the created IAS application dependency in Step 1.
- [Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} [Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} From bfa12d9b61c91078b20059191a16edf591bba0d4 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 21 Nov 2025 17:03:46 +0100 Subject: [PATCH 019/120] remote service part2 --- guides/security/assets/add-api.png | Bin 0 -> 19514 bytes ...ervices.drawio - Kopie.svg:Zone.Identifier | Bin 0 -> 25 bytes guides/security/assets/ias-dependencies.png | Bin 0 -> 81408 bytes guides/security/cap-users.md | 4 +- guides/security/remote-authentication.md | 417 ++++++++++++++---- 5 files changed, 322 insertions(+), 99 deletions(-) create mode 100644 guides/security/assets/add-api.png create mode 100644 guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier create mode 100644 guides/security/assets/ias-dependencies.png 
diff --git a/guides/security/assets/add-api.png b/guides/security/assets/add-api.png new file mode 100644 index 0000000000000000000000000000000000000000..4f9d8e06c7338b0b7cd44dbfb2d2bb72068c4c6f GIT binary patch literal 19514
z2ghToz^WH*Xnpt_`r(CMud9BPLiV%ldLA|%S61zo+^B#&u-Uh@24O4ox-uOi>#9KD zn}$sF`s}c}u5IYcbk*~(in-ll{&*Rb{0b){Br#M0pt5YF{N{Ik*NQW_%^1hJ%u@hnk0Vz}9AT;F+Px^s&uC**amLvkUZu0$k+(|L(0dwRFRb+G)pYMo z45?#W=~{))wtT@u$o^2kz6YIXZ4jt#j+WTl41c!q_(DLwO z@wV?X@r?~yCXQzc@)A%?)j65hC@xjro&Nz9aX6QT6PX=-a9#G32U6fqmB6F*o&c(GSzS^i1lDl%y-*1$3>I68Qbs(!UDtY^ z2g$Xg4aDkgUSg&_j~IGG|8h{xK7q7}DBz=BC}CyPAMqZEimX>O;gV&td@^CGoo6?F zr)SG}X4c@s22{ z)P!a?@u>FhvU%C6%39|06~8mTf0H0buW0v=3iwN#+_U0Lr@njB_~qkAt`5HX{#T0j z<|$CD@*BExgTy*LrZ;JQBaU9$wg zI_}Pwv?=c!Pg#W4mGPsM6aV}yf}i~PsVk<$Y3|~NQ*L8o$+Hu)JTB*5MSDh*jsPL8#j)uKkSAnx&Q!nY}b1(p5Njn0NgGUwL{ArN8~fP#BAp#*nZuZ;i+HW z#ES%TAfag|Gc&5}k!hZzyBj~_E+B$rv%&hur=#qVN|-OM7+V*giB~mly^fXJZQ^N8 zTkQ+}zj`THy~d&$pI$YvKE@1cvaDo5TLEPXnRB1)Zl8}WG@1zMa&D+tA#u^mlU9EG z`VK>%^i_n%4vDZGz^R0jQwKX4eTHcUME zyt^+fdGpSd>yw*mEbaeo-=k8We}1d(skYhEY_{)0N5-xWj_|K5I9%P@PN!Hs<2iok a@_)u2cD_Ac|BYXO0>abP&t;ucLK6V6V+uV0 literal 0 HcmV?d00001 
diff --git a/guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier new file mode 100644 index 0000000000000000000000000000000000000000..d6c1ec682968c796b9f5e9e080cc6f674b57c766 GIT binary patch literal 25 dcma!!%Fjy;DN4*MPD?F{<>dl#JyUFr831@K2xuGV00N>W3hrJP68H{dBlguE0s^t;`R~<$b+G~PK#-}Ds)MSu6qmlW zC7rH;wVolJi=_>4Hv|L^zl)8ozPX{pM?FJhQ!8Hb#CR*>kz@61@z}1$=(~nVyJ`$Iifr zOF>BF?;XH5ULq3*2OBPWdS_>6I%j4&Ydd3lMovyndIlzXCMH_o4qAIxD+gT{S}S|v zzXJ#v+Uwhy+Ble6TYY>UP*=~|(Seu9(b3d^%ShLVRnNeHl~zxe*?^Xj(Lk40*MOOk z)_|GWfSr|*gUN_dkLd684yH!`o8QX*uNnY_&_7?HXQX3z7Ww%zm#m$sAt1%`lzfal zFW3KHzwyvN3-W&i9t%GG} z57Y~SffE(wD=W(QNx=p8uVAj+smYidD@~xL=$L-ZMkXNU z%WUIJFgw6UwB$qR@fEgjAg>*G4B^t}pPr{8qW*gowjeZDp~Q~Q!oKL{uaqY=3I&C` z=;We7=}~aNy+}%dLqaxk$iiXhomCTbEE`;gKjWLL9RJm19tryYzv={ojWdS~^!AMH zVajJhFWZA`Nw3{9^WHyCAo%X&qu3|sEMP^?2~MD1&8Yv@uHZxfU6B$oalI(7m)UfG z%rm}Z3hK#h^rUJwy{bdocgWyp^E|Qh??Lgz%4?jsp^*i+q?A?@O01|gC)npZ2}Pre zx0fgMhxo|I84z5o3Py>YzzIiclMpRXSliKwDr%(`_Gmw`u^(+7BtBt5K&dg@<`ao@ z&k7F@Pp^acLw_V1G&}0jVT}1&GSMX;bX#q?+#D5S-6reSaxpLUfjM0zsQsIA*=X|) zasBoWc`e)rHmJP!-&U5n|LktS%r-2Mg7le9Jm-rYtUlA z8P#!a_W-Li&E>U4gb@}1RbQr1+eA<~7KyaEr41+qd=TtiL&Q?9iT-7)foJC@Z%iYk zr1GB&-vR>zv9qCp5alw%(_Tgm&f0)cZ@NN{lpjH-SClU{_!bgg+~E5=)$F}gZ(A)N_^YnN8hC>i6A{X1QVH``x4H{HLZHOO?p}5e zH{8smI@OQ9nQwo3S76rgeUyOrgqTT+3{80LN6h-U*9oh{oLK}QQhfPj>^4-C?rM&{ zD$Px64eN&p8m&k22(HVzc9DSFL#(GqcsfYU(dH&(Fs0+;>6ZfsHL7^Z5H-z@+U-|D z1q$*xQsTG=haBEFrTz{`Vj0+9u8n35w#ILQOXB)b_)uSPx9NwZ9)R`p@jM#bqvFrcNf0Nv^LH86fPtmI<`-rMKIpnAUB}H&}7sm$4R! 
z7d=`mHE_>G=|JVhkaj)@4_m#l+&+N405Pxm$u{F-TY(Y}-4TuUnXOK0`8m8#V8^38 zdM;adp`*6$3$iUhRTQwGE8Kj|svJPI0z=reu1|4KG12kxjW@{!`T3^{b8w~;l~tCl zW-P~J=L@UR(a|RAM+1gs6q+D6KE&b`-%-$2_4beVT$gwPLnCwUuJ_RX0iv6?8rscn z8IAm@(wia~7I!nH1IUjWjUneFr2|vjbP5%wDxmv0a_PD+53lkI3z@j14%6B0aKNZ2 zL$|R>ew9q85l9s3jfbOi`+WY|Pa2|TYKx&}M zuHk5DJhC0y60<@YdpgIntkC&hcyVP6kzN+bipFuH*Hk3jJxWrg+$XWiVEBkDzO5eFP7)Hy4=IK0f9_VF zezgFv|6o0UH%IL6QcFr!1Q@Vb^Fa33U4%_ZXymM9Aw4^Zv9GxhX!Lu}4rF(_0g}FB zB2F9gA?g?DgXOWef*ow@C0@5hO*RGWvwcT;idNeW%P1&VLvdhMy*<0-p1M97*fdC% zng@Z_*4B*FWjzE@hzHsSy0cVtMh>_S)xbbNXi4Y;=08 znfv{(1fBj4=8Q>Hej+x$wT5kQ9cJZ3$*QDB#()!DQ%%On2?gu{uT4B1eOq_nlamfh zA!yc?k|Md0FTHPKZl%6MEAir=P$U2Gm8STUUO4X3xYHUgI^HnYu(Qr&R|3@6mgo1z zIua`|tPZu3Zp_8q%|Ja!xvaqCy|#vCdL1t!vIlK^@s28}b2y$(ye3zeLSt|M1Khm5 zbIwD_86YgF9IMMTS*#^Jy_d$`Hz1SgGxE5ONWkA0k#!k%eJfWdA_gweudTv*rlZ5H+0jEI~?g+U{vo?pd~XMbnbBcInkHJOyo%kdWvyrQNu7 zp+si#n7e!RofeobeD|qHWxjT!u*ZA|?@G=rTeO^NSO(T;(<7O>Yi_~$`U4ObfMC>- z+&JHW^mTKo0S5@<9``qm3k{uG6=u^FUuPOL-I4G&lUASl(+5mSy&ulBGd&*<`5n@y zwkt-5#4f~k?M19TBNx^YfU5@aUV6zQKC1QHH<8^b5 zkg<gBIAO?+YO z6D1d_g-~JKBrDC^jKBJ561KE(FkfzVHNef3OC+6c2kp z!n;^JH=0RBAd#G6BFuzw%Zm|ZRJ+XJ;O11NF0>P70t+x0CfnidviSLgsZ=hEafaqH zfG?aWzvhvSa&>-kG5Bt|(#KQU2IMQdPa2r%cp1eSIk*V>)72T~iV9P~;gOqes{Zw_ z>CT$Dukdmu^2VMMF%>wkeuLV}FPH>bLQ+y1m2)PbHbzf(r(C5^wwcEZSkgw>Ni#Q+ zvt~bVxV~FSl*IO(oZA@dWF0jiGnAbrRq8Y>9grUI(1| zj*cxb-9vce=A0uP)~`gPl3IzUw%PJHfdjA6W;dhET0CR&Vd;sJXKC5S)^=+OiTuy< z_SB#8Nq!xfZ8}K9)v?v5LW_)s6wpmpMO9~X^*i`LhjiS7=9(5sfv)G!@%)L)QdIqU?cYD zYBiHrCh9$@Low*$AG%t9@2?9Fq4d?VLVvwJlYoj!9rPh4XV{!PCoO8AO`Z4Blogj= z@7~mLI^;HJ{Ys_$o#Dbv`Lley2A=t9*=>E<!VJFEJJ*d0TjO{Q|7{GxGq;0otE z>k)718DgYPkVv2oe~%Pd|1_0$93@lKd~6??RtCqnl3A>@v6qGT!-7$L&YQrxE-#O_ zg~!XI6%P~BSSiKWGDA7dp6wfJaZA);ZAX6vWvDOd@c4JG3`A&dZcrzy*@fj3o%P^2 zYd-=PH*KCM;`htEG{a>e4lLgxGV3kfd2p7rhX~y@+BD6-ib3zHm5Q(K2b;1 zW~W=irl5<_db?Yl|FJu0i2(#=NX_=56g{YS?m%o+c`r`3=WQ3EwHo+7F7~Saa(_6F z;>n94h`H<@9~u&S;&8>=fB7zIgGyeb!3;rQPOy&Og#e6#^7UknzX4}hVsp6q;y8=5 
z+7+EN6n&_f17dSHo~YUY2GrSjFh9JuUSzp%qFO`-xWZbVo}Z&L0a$V54Blg+&4o_1 zX-k)2t+E-Whli8gt-nxqNDm*wSOrsk~uZ9v8X-t;J zo6J`X>K_+$2$wA$=x*F3c{W#&h$z_By-tzjzX|pbe{Iz*tDu6G~~NA6K`zVE3p5XM#k4UxsJH<`Ax~lhxL{y01l5 z#$KOFzJVKgt2UDyZD9AEmOhy5%Ct0C53$$rjnr#0lga)7al3cc-{dHi$Qg5LLFF-m zvMEAy=baAprjJnxO9GQUMNlFv}9{O;sW`t#_o0yD@|-G^Y#ZnZ8kQLpg;^HMhR zRMZCAmx*E)1a{&rLaU0X^h!%UC?HyJB=rBuBC-o`sG^So2Wg5c{h50IyP!TGI7-dO zQp7@ohq+Tjr|j*Zn*cVDRxLsDZ!e^rA;5?a`HPAeQU>}MXr|eu&}y%HG2Ezjd&%E^o*VPelBe7 zxKnMw3xSZj`h-C!d5NloT-mws2Zec#mC|4ut;I~Tl&XY9 zTB=XfNZYsZ@J^Vpu$Zf2l8X+suF#1>L;r+=nlIf(7hX#Xkc4T$5Cm!fZLcd-%`EQ_ z>aQ*JgOWG31+^D=AMmlHd)(@G=E=65X1j(aW2gn@l9`X87aPrfMzVI=IIVWV<4oXK z8jk+X}K?dWor^BKh{4c4liZTnA+O4aQ^7k-hax|0S-nxQK*4bT zij0XXkZrtu@I=v=)8(AR9+PgfzOhK5(uy0q;dppr@)*dg4AfUTn^rYf9o`XU@~**< z-Fjd~E>mOLct4=nv-QVi-gqYI$(gWn`)_w5880q!@TubUB<#SyCWkzkq)ibhZAJws8wu5$bY8PnCF5JDq^FpWqp&ud@O3#a3J945+Xj-Fi`e|O7;XS{Ep_U?`^&HrL;3IOS&>Ilwy@M zy&2oF%>H&DgX645ugF>aYsF!)uV-30suJ@QVKtO?R9d> z|E>kw7r>Am&6R6tMU8|%8%W_&D_4>8F1vj;WJ-A#77SFIT@4zPPvG<2S$Vo&0mu*s z&E*5`OQY|jU#~Q2{bA`~gOcGj_SC=!*%lyEU! 
zxRZhDZ#?nH-dqPCnbfQCW$^fnS*p*cHnNqf#EI)`*M3obMM6r7it*mCjOWRI*(frD zBaT`~p=^f3DATyk&e2i#fcmqItzCE5N+uF{WRAiOQ^Q$ApB^C-SK>SnID`eP8LIzm zCwzdvb*DO@+EPjG8s`sUi|W{0T0TY00~|#%ry)^CK%2EPa;g;IkmHi$!*eM#+VT5C z`JcKRq8`q_P~Z%@TSs>DMHP0i12wt`A$=83V+;=HW=#kdvlgm!NsrrG{Q-%5OhX4$ z`Oq-?7C;*pRz$xEJh*L?a-h9{mPjJA(N;G;8v|_VdD*X97PRTVL&^h{s{Ci|A5%RM zROrK#ohq0hVUvk^Sm-iw(Zbr404a(u%|YzWY3tT+>WVYj6cLyb646B5{SU>^`siE zF5G^1Hx=^^L^{w{m#I+JFPb^s4MMfpw;5A7**@GHqNcwzK0H09kY5_V1OU8+#5$yw zDs2k?sG&Jq_AeqW` zW*=I<+0r9*b@q-H0v;%FafZ6?kN1?T{&}@JB8x3KurvUyT=Uond4BK~$>mSJ;?FW)s1gkit5%th651N=fdI?=IHNmVsg*M7ecy|d7l@)-E7Y*A zQRZft==sE%7libKPBiQLi#5pR5?QGsw(XCX$_t-3jcNbBP}}+qFN&Yng@una@Vl0kl5qfuTdWYM)5$K&HY3=wruA z!7}CdKr-BCObBoCyMKNb|2!R2M3)^wG7wX@S2pILt$4c=rjK&BqSbPx)^S`nmAyEH z`r7pa0P_0!`BJDIJVKGZLui&sVPgMWRJ5$FXjF4r<;|Ej%E84^eQ?J)U9NnSm_`3w z6TBnD$E>1_(p%qUN$lJZy#OP144KdJZKoej-+R(r)KuiU{|Ex^>U}tMnEh=~L`JgW zAA3Ws2qfj#EOibn^e>4V@B!3)detydqZeD{0uZ7mdPp-K8bvS`3zyYa^=}5*d(4M_?(+&~$gd@Nq z>N*-=x0=@Ul(>kKgii0T)*4KIYS*aJz^=CamZbHDHo8Y0Zd%PX`MLt*ZB4rd(+nNz zlG8!$q{ez&9=dkbGqkk+BmHHK1>f1K4?)5CG4(XhskxsD7}GD|+w#u?N&F==mWg&B z<#=H^yI_m`8kR-`GcU%Bml(nG8~?ThxhEH1nB}@o^Am3Zm?r27ui)#$k{=Qe{4eOg z%$#gtFbV4NR-o;9>H9cgT|xIMi!}|Q*pMUp9*$T}{<0QQyz2{6eu>+iXsdW@w`*qu zVB~Py?~UZr)`K^Hh?7!{esrxwx??ve{w1rJMpuwU)5bra&h(817amQ)_6WlyrMi1YAt`wPzV6u&ma1NAe>e=t&?eJ`r%HaT)db7W8l}O?j5{B|+GY8xrvA?5jVihlt z3UX!S(G(OeG~gn1j@RNSQb0s&>HkoIf;{;7NY9EGM2S-j4h|)yBZO)1y8iK*3n)hN z{CG2uD$!0ZybL_YHc34HBS-(?EAe4o=)~vu>Xt}tf{h8trMOA`$M~N|hYfw}08S~S zfW-)dtXl{lvgkKx(5Y1|g0JHQIjq~pE%*XISv)7zB-MX44s0sV7_v%mibEdCn1y`# zTKZ5tR?~8`piF^6j&d20_X2^G1sego9yZ}87YyO4C@}Be_XmUmr`QpD)TyE|Nnsh} z8zZMhi%Dq^nYs~UktvQ9ZHO1mfHzE{qLR2*@Q-#59Cp5QO`Dm2`Y7Oo>`e9_FRTjC zZJAi?-JErOzLdm%EPgTB<^ZsVMWLLJ+`+ff#KpaGLZ&T`1}IjjuNMX5eFTt86x@da z*x@(jqR)8^4Y-|CZvHN_FXZvdQYr(s?NYe(Zd>63icX_BP$aLwv>iL1^6P7M%p#BF z-#~J^q>)acSo>Cbe@>`q%69E1tHQ7IWF{sCbsEkrqW@HCD~U1@V(eQ#&dHEA`XPMx zttMO#VCs7bKXb>*U0N{##}0f3Z|r=UsAo8bA~veS5^nxl^DjFL>{{-tOsRJ#{*3A) 
z$x=o@`7AEUELWko;PGW-Q?x$Ra1!Siup7D!nDiTx?dkqEaSS=kPOsvz$VIwdjgHj# zM>al~PND!51|0WCei1{YNgNlYm^KHRG&{}L@4pjH) z4HtyAwJdx;{D={1;>g@T`NOl4noyr-kgZ9q)n!vpYf2q40`PY`I;U0OA4AG$@+iiL z5wqCEzh?W6@D$jgRK&JRt(ZNMwz>_6~6rr@licRv9 zPGtrNZnJiqZW>T;I-))jj;dKY_jKvJ>G2NDZz_s(^SN9qeJ3j)KQdRlW&eLw0D4w| z;!%78ugX+FLKT{!c6274cEF-wi(eNM*F8O&3N$Ndl`66`=_s+@*4Yi=KiPxJl}b$A z`i3S6x7Wdx&UvNO=KQ9v4_C@h{M+7V%>4WMoZH5lbX5a&W8?cz+xN#2Pu4Z6fW1&) zKz?qC$}n*qA~e6>A^b~}QUCqOAm=6tqwbKGO&II+Z-4ywIF?t^X4Q7(}) zlrh-NqTBbjzId{K{AUhpsnFadC$F)AGc{+ev$NEsIS;~9>K+3k4vOI1zR=Y_ zmP2c;zkV%K2(Znf)LaTxG{~?8-xU)QLdFouF2e5?4tL)Wf5&-)uXP;ZF(8-lX37cF z!=Zd48!Z+kj6SJwWm9D0A8{;#@@9)Ibu*BOT7BVn+B`huX)w$`d8Zj2{B?&X9I=2h zXO76TiJ9}$+6f~at5!MFKLc+3NJ0S0p(7wnb-;KCe%nfUdil=nAJPyRtoytIGqunT zP$(#|%?_+jua=h=ffp}$2m|l#2IjT<0kL>V1Q z2pMyr12GKDkOn+rj&P4!@eCxl2tb!vEZZm7l7_9Xt%dq!@M2d$C7h3v31z}EWuH;2 zjWi(cM*VH^ILZG<3@C^Ga0e9BxMnn5!HA!mw$AoL&DWmd5;B`RC1>%76rn*uIG0@9 zfM0Ej0JL!AjQ8)$Q=nVG#2`muB}hQR7As{de9D{DF)kt{Vypa7WSOMOI9h1DfCl8J#8|WPP^T%XKGh<@cq1a;7819Jm zzh_Pyo)vwel;X!yJVW(e4dJM=a($3!X?}R|1H6FJnFRvseP!|{^^A>!>f+vbb*$_lKs6k5ci#-F0LmIw5zfe^AR#TX z0|@wrLtd#=t*ERjb~+iv`GtiXWplZ*FSF7AHP;}65e?8(PNd`jyUf*LOJPir{xHSN z@F5%+69{@@;xlo&wHwsg#B~ehGG+aJ3-6s(Fmds4ZEUIsR%C*d^MvzevJ=TF1(y=T zpQHWDiYUK0;#>*}Sc*`{I3Tzg5b^d1xrsnw?P7iS#mtZeI%moWR`#( zp&aIyftZnj$en@c&W(p10aYR5CsEK4iA(L{gWUMi-Sc91|HPlr+-wMpIxHXtEdXJ& zHqeo*Zb41gxIuYxnJyckcT8B!rm4`?fKimwI2rt*BGe+(@&po^%aOseFa1U@3qrl? 
zC&R<6L}gxOvo}J;UZET&Q`EDvva%>Nvx09d8Z?LCdKt9?Y`Oh+ehw_2+L%2(?0Z}T2S#}Vq1dxEmoHfI-mQAsK%bw~}g@R$4 z6;Gu?O!L9$HY{N#A5{V@H#c4+BA|-J5s9xi?wJ2bVNj${GEqFU}bMUN%@m&{IZX~$lM>R)|AN)^rIDzEbS zwmxV8BZ0996aMNe7#i4`OAWH_FXeP_RD_kGL~KztJt|2xR4K zcr^VW$^RDkKZr(V4YA2C zEgs(b{!K%JeQjFrB3~ozXg!dkTu5U6ab0H;t-`V&>#&CQgLjE&7n(|$6Q5RZ!p#tv zq3oKzyT+Cu+DZ>wZCp+|f7|96u-$<`%=*x^vg1|9`f5}Xv)X-=$eTcxbl=m_#5d&E zF;ot=D{psDxgnO@7XUgS{!4w{jqcDVNNCK7sx6%r z&2C1gs@)MKg`h+PZh1TKmqjA${Tmx+rS-k+!r(LvOCS7-gL5ocZ#>Dap|M*c^Qa=7 zq4jywX}RgoVVy~dx%g_`sM7G-xLx#jaroCY7(k-V!@J~SeNU0fTG|t{UX;voVK0-> zI*7SSXEbE(4c=cLEh1eU z#6>om?VR0)A4EgjS6t_TI}l!&p5<67>rSb{NM`i->#r>Ne>|bTHQF;0W$4dEI8?0( zhMh)QaK(w3_)>1`p>UmJp{*5)j991l?(Ss%CV#;}w3R{&t(lonkWN>H6xCZou#sHo z<1=KSagSCG?wHAU++f_rk?I+mVeYqma2O&;90gY7(8C z@hvOjTP(S6#Rkk(G!eZQ^^y%_xn)rW$gw)Px1uTww({eZl5RX&oxR6FiX72-;uX0+ zLO%}y!+!vb%;tk*jMEd`nuBVKWf~M6{DA!dsn>jlkRR6EM2CTAM!QNmC_0IDdn#C# zb*jA(Zn?A-86_*G3bwaY_|Vo~2{p;6KRS<~!y&F4RF-Rbw|CZWSXdS2{#)7+==%@_ zxW#0~8)>R|>IjK~?#V76)8ohj)4UcF10{vO8&sdpc*3blSAEQJY2OXM;B~7XoHRqt zt^@X$&;`ZG@yM|+nqutK<@_lUV@hT}R~b3Di+43f1A1BD^b>_`KVBQTBv@247)sM@ z!h$9Xb5WCsrm!v~NxB%ZI8_pc0|p%yJ>Pe)P`jypaVXT*R6+SQV!@dt5-6^FwxFbp zFHxvMiz(80{;|(Qcls9v5z45?{0t6(3IZ@%jfvR%J!q~C4PI&_(lap9dm-|)UG=#H zjLnRBH@0V@&zAMls83z3r5mSHIOj_l#j&xdSX)R4b)NW73$C;;wO!p=q6!p8C3#+y z(5Z=zy;EO%Qc+79D?+D?DMnT^Kjp3nCgeIbaT$1X&t*z&o<*EElI$2v42Aqo zhG#*lM3#GZ5}kkmuX8DCJyj>EZY1lOhFFo7Gi7E^NA@=`MFj+*=kk`%QBpu+OjvSf z_0KfHr^Y+>jtWQvXbjrf#Odk+3wWwFNP(XHO6Os}PnEZYqN?HaqN-RfWkXzh7&bv+1XC5a6{sUrgL#hGRO07nX+7M zJod_Qs!?!`aPplmeMT7$klsUyQfvfr$ zm|NvQ%Dk(5Rz*r#SbHj8y{2nT3=Tb;-TK3r7Ou;979dGoKnTQgS?feuBAohI!Q@Su zTwA}E-XPNZ|6w=)%CfZnA(S@~BqRXoFb9?b^s3maIs7AV_V-Soh}HL!9e>8px_w<6 z7NZ)@+Q0Ht%Y7Cun&2TEX44VB3Hb$}5{k%`k8+GdP6S*+A`EF0A9b|VOolzAx{>hEg$4u?G%IO)eQ%Lk(+5LKt2A9@4%_8mHONOT z=hbo=!qM(6X459l;$4+(qd&71EpUij=$-gdM6{Btb}Mw)Mpv}GQJ=&9tWOY0?XP{d z9dFZ~>k%IfRS88o6UKUUsi*i7ws1DwLBf_HK5GB;U*1Lt+ua_hqcumra^XOKleAtnM|DTi^H z3r;6dD*jow3GX(S`dFd-%6Oz3Dc*#Ea-Jq&$6?YZJNEG56FIfa0h+80b06+MzeVSN 
zx8*leL$XWzK^nG1Bmi%F%Ej9e9;XhTFGtxb#U=?~I-+@HVb@xR5jr>dm7XUq3Y z5D>fQ3UFj}z#Go28T`bo$+ILa()i-;Yq%n&1d7T4Rp_{dzB4tn$l8e=b}j zvV{|(Z+YH{FCta3ipf)xhEfEs0CsmULF8X-323R0Zmp1`4z51bnzL;L-F`$D`_yvb>4vt9oR;zNOTru9&c=Zm3&z4 z_KTZ~IB2)XmeS?MK%y0tN1_GPKGhltXKQN2mL*M0Jn#{ACKOa>>tT!imaBHtf~xaC zQm`VB%n+ASyEn3t+bw7E$9KmXk{#N%`N2_)QgqvyQvi@uqPpHTfF1a32d(e9*Hr7G z`o1lF=HBgNN(SbIL)lt)%Uqb^H1V-S1L$U3iK=85){=@-H_7lE3cw%`B)E~|^o*ub zxTCgGG0ELoD-q2)7Gi(=7Jh%wlx=M0Ou(fyh9CGpbu3lg2WnoS6fQ@!YCf$aPnWzL z%+NoYlpyerdJ0+hn_={r9u2zUcHhK8LD2XxR{LhC+@+bK-K~o(1{8I z9S-=-L%$%ofAem_BT$B51@wChUW!K0Ea=c!Anx1$>Pf++Mo@reRNa7XE9vvmj(|bvSBF4$6kS%n=o#4*8`Kwjomp$&J98Rm`7?Rl16U zYkoV~^_ZO#xFyqxeH@cru*Mx`fF!%M9?u<#@xI=fp|I!;gX1q%sEhqbk-VXXC7?ZF zhhL8eV3-&1JG+Lb{30vTPWJx1LZesvkRTy!mYSKgdi_oF4oTnIc%b%pTdq#caC*<3 z-|GqtFfwD>0Vo+3W2YfM$42Ex7a99ZG-hLh+FV~mBtmixP=Q3(;FURDl!Z0Xwnm>Q z8EUHm7|pL_2~tc$Bymzq%X%%Y9RP7f5gNMTX?>_b9jE9`1yxC{^Uin)n zv`esVyz&gxWiXPMZvOs7Af%}ZL27x1qms4Y1wBGO#*}^Cn75ip#5-;u=6Z-iWJm5W zJ%9y}rH3TRr~dRlW)hdj?RA)N4$x=G)x{bX3KCeiVc^y&Cwmo|9ISEcK z=ac@>YoP(!^3X%kroT^#|2~~A>%M~siQ{4_PO?iD@Eq%z^3V$4b_dlUcEQ<3XK8)U z3_^z$wg_#6!8j>zlz7K8-pJz!utY862zk3B`x+6WzuA&-A@1#&623K7{W&gCVj6K) zZS0rn!mrRDMa9|~qTTAcghbtwjf>jv3!w{uk zXV>9NrjN@lSr08LS7;Na(`G2Kv5YCB4Fgg}%rK26dc=UKQWjDeNUHRDa@v7efWDNb z=9bgFYRo_MYoZboKvTeBk4IV=27$HgVuOVg&;pp!Opp zAptiKt^!5OF1rV=PrceY(BugGd+tMDXn$hZqS?N`V{|ruT~mVLH8eS}q&=YUoN8}E zTPY9EQ11S?@`KeMl)H8__wZSQc;0{D6MYuS`~r0bb+p_#DV8+Hj4S1VSc^f=LwyEH zn)#IAp>lAPO4wvxA)M1{*_J1NK{Ipgr$mg&dl&&XkbGq#(o)+(dhBot1`?Vb7WQp~2S(q{sG{oIFaLm% zF35nrLD2+%q?;K5Lg1gPpIXbAQvhv(EwT9nXPk3+c3Piqf5+9Z3x!RkW%IH?1ak$s)~m68O7S@#D#Xa zwZqt}%O`iLgvm~!lg+b^?`0eD)bZ_8_wHXN?nW&Ei0Ao`n!X!XXx}1_xIm5aXP!^o zR|Fdo&cI+#p_o5uC8%#8v;C-`-)LXKd7M1f#| z^4i{kzeGjiw@L`0GfC>{{d#angz@FH`1#&qre*8Z*(nY|HpFxPftRIuoyzI^2}3;O z?x9H^!&PsYlpo)C-n1YYd34pT&MABkribfDmI<))>Fw=1TLy1F?}^jsM-Gm8-G(tu1%NEL0|Hy>&gR>{2$!L5E-jb_+?_Lo)r{?+x zIM8zNoeGLJ6e2r6DlzMdEKcwHA3c3`GRHr9OV*S3?o{Y`;$1TWqs^wIlzTa&wSACz 
z*?y$~+^8w-gqZ|dG~KgsruSYPDSe;A=2!Lsut@5fH?XG*3TV*TRT~XhjUr+8*3n)3 zVh7f#_6g}6u%WQ`N;0D>|Hnd9%rBqEWGOP>7*kMRY$qG4soNX4#QXkCKhbJcns~Zh*$_RiMvo{a zrgCW_1;r^b>8U&lpzC-P8nvI{a+B~1Z|qfi*x-*D0cl%V%S!D{BuE?zo=2umBU7;3 zXGSF2BN?+X;e7p}b-fov2&q3^`b6nZoxYul^#Kc2$2^*>sxM5~YaqE^z*z@?fe`jZ zH{>k6HSaW3F|oR818o$7s;~lWJj~0^ec3psNU3|?)b+WDWM=LJ%?AFEv6=K;#eo@R z%dOq~wYn8P02F#|*8q{B6~$(;R==`oP-J%gMo&A;Jz0#gP)`MP+W5it zH=b<>8gTV^h5rC-pZ$$T%2Hn%uo=QtQN&$xVITv5)cl}b?{`L|Ry@7lK)Lt2tGzIb zA9l-RO(}C(RAKFj6ji^+xiw~%*%r{4I&b@n-?Cdy-TfyfyfUuIq6X@&8mzW^dy+^lR-9FeF~G$C^c)E#9?25Xo?WnKNUs~1 za1l726*_%;(}^dxw&O@l;CNM-n}r8FUU#hN4cm(D!J#q%PZsbrRv=$ljaL9`YWig* z#-ROK>ijhH%Kp?3cjjoeltzzpRml2kZhrYq4aq>t2r#0=r-5IDsp*QpGg zMWOWtFrne8jDAORfEizC(??>og>iiZJN+JnDP=zl1r9SlpF04~EZ%smL;-B?v>9s; z^i>zJq@$(`(EBD_q5M86TC56lK(6Ae%1SCzm_GUVQp0hpFG{Kok-RnGRpv8@4VK6H zH5ei5e*4FYoF0nJhIFPlTJO7oa#`11M!RcK9=l@e-9$quYKR+i4W-d6zHE*IAzoF( zpKL&N>mavWk-iRU_B$;1oDLjjH;i2G<+N8BY6$o;*ep~w4FJqhD4bN#mnQ+4DPsm0 zM*4vg(47I8P0nko>)qrlUwV3Wd*f|LUPLZd;Bh@wRQ8p_jlSr>N{w)dZN2>ZC=Q^! 
z%HrAX*-<`%HwQ{xrY4YEGdO3{{s3uR+@?KwaTH_ul^%f@E+RNol6$7;%0I9eV zsbQzX$!-IQb0Rt(aOD}3tL@-=PUuRzx_xxs5S|#V>~8c;kR7#6&c?wUw%ZI_9C>^k z{3Mp{_*l)e#a~jcUZs#TS!^w12AIXOZM5{oZ+hrj9+_37w|+599L$1C^5gUXvjDyL zj%f`F9a_(4M9H(=;4tVkLl!Ky>?T-c(mAt?KRHv=(T#cV9pbfoZ})t%1&+}am${7D}c*{n_y@%caJwJ?of|SQ|_Rl!r#SF6}2y?To`SluVOux`F%J zufPH^r8TKJgZmMb$H=7rsd0uJ>|3z&u=4YP&b zBK)tUFi4xFxr@{XJ>?qDIhoYEIybrdm4z{DOL-?rmtipHKiRvuH7(HHvRN#21gtmH!E+~QoAJQ(qf6OSp7JF}%r6adcQ4C=b}o|GSGts4l}3aD1qx$0x# z$(S}sCM4?{iSW^+7cz{Fxk2K0rrqV-(jEcgZ~>V*gR_3ESGD0^-*^>&mVSb!$;d-= z5+ZJ~*nv~GAUIrzFkkMd=#!(+WnZt!kczf)L!8QwSj2F)%JIw_#4*Vz(V1Bz4B)?RmnWnk z^K0~q+LCIjH?`DKOLXpD78s3kN8v3_f;jf68zKE>kFj2!!2rBAstb=G*F zXUE5sQMb0sqcWTzfUvZqJ(uw4sEM^O9Z@UnV8K~cl;4O!fXSM5k2-LF2s5&XJaB+u zOJaD*s8Udj7hpH?L^FI(o^Yt2a%Lp?9ESjhbHozjYkN8ZNvGKX^gK9NfqeCZVb|3M zxk1yVU*E8pvFfhL19kI#M^9}!;AqCrh*y3`IpTzj9&A@eN3jEj4wU=z3!D5qtrSx10_8gUsHIafv;n$ANbw9pXGl5iF(K5CM zvdMyzqPgUAQFyN-H4WV9r4p;k@~TK>^o)6T;c@>2Mxb{7)I7XYV8}_1fkZ78yVCtF z;JuVOj_BMT-N@0pUsTwZ(eC1#Qvi$Kd&_Y;TWZoWiqNwx|JfFab`H#RY9TBKxMrXL z>NinvvC{f5J_<+7)hG1c`4I0e{>*lAq9Tx4pax4y73;Hy+EF3~BwwjeXEEFqA01PfOL0* zC?$v! 
zf~pHQd_F$@RWDk-|Keo*ni{N0C zD*xpdmWH(zj77?_{Ns#WRfOM@E9S98d2j`YSbFccSf1`#$#+ z5Qy^@2?7fN)AvT_35h`L25q@Tb<*vCTSUp8&6$#`h|PUliRjPJ_;4niuQ;2Il@}5q z))Ha+Ytm!h<8BQ|NO!vHiGHyV#&xQxvHs2$nSJ+xJ#y z#P5x#3rSD6EwOvjGSQV>fY%GM3X{I8&od03UD!}K(12o4#JP- zmzI3_CmkM<)%d0;uQh9u1?2vL0#0wg`cjsD^FCj}R>k)MK42@~1a~RuwyKDJh!wK= zH*TdO3U5I{N+4CUM2nSXB(A_GVfvsZPF$%hfhnPXT~Of;>Y8pF)8AY=azCsP>|Wfq zhy8%VRPWBATUnGJf zRh}W%3AvdgPsXl=kvsNqUMp8WR44jaX{5|x8QmZ+T6pX4wZ1%sue+!iN4%YM=CP@1 zs+k%3tg3%E^}`@Kd3&^YbIrdG0^fF7Qqc~nsCnE>ism}qIkUImulVwAs&vkGB!_1i zJ!{M?`|H1))r)YM3e8HSqY*nli61rsN=Lj|2_1bI9MT_gn}f^3j7nuAKUQZ1B&s+#h!N)5k~V z@sZp6N(WqBI(|INt~ufg?eAn;eTV!I+COh?pL54magHd^WM%x$~# zRL=iHoAq@08Bm7(JG;O&f+eN?0+9ZBNFbXh|8F_`y$821|Eoj-xBLIlhc`noH{UBO zCkogK@A13jxZHGB?F|PU;4}WxXT4*0HtYVNi8p0)^Er^5`j+Z+1Y4FcY zGmkU(H1aly?~w@!j%PX-W|uVAC&w&U#xrlAt|rub~ke zYifEc{Zo#7rpAuD=jhsV+H8cQ=olD-@SW|`2h{Q&5qknIYgc@5qgy}!MnvcR_wSYO z27mi%*p@p0$D?1LMXQ|Z-xu=abKb_p52e~z{_ltS@^q+?hWW>p(dmMinAqVML8bXz z0jjX@e3iviibAeDxm+m?A0O4sk&BB>z`Ik)LQV)fSnSCMqEjxVKPkF|L1l09As>Zdvusg{55So0@j@ zE94%p6O{suR|V7mN(af)%09`L@|4}Sh-y|_i7JUet&Zu{O4?1+ePlD<2v3osC9v-q zX>llpcKqs9@f|KPQrqUX>ODpYvfH0^zhh`<_~K;QPW7fP$p__ua)XbN$El~ECTrgf$yuO@d$Y=y7Na(gTunA2X1NmAdweI zL#JCqoda5Kj?1r}5DT`ShuDs0xr$_FW-1}8`ae?pa)w=oC6E5pVDQmE6c!UQF$$)P zltM*sItR?BE0`QN25JIqWa5}tZhDjxz#I!puF2KSGV$VaB?XmoyR+3nFr0<;mR3;v zG8Rtedzr{#I>hF-`4D`=-CDaPiZ+SnH%$@)X5dNyFKXssN z-f3jrQNwgFx|JZ-%2 zVl^(XPWRD*HGEk3SDgmdWd5lbs#AV`{+ECNr5uN~l*%LPw$6cThy$LUH(T=DOwDkE znnLbSg1FenS9kLB&8-l&3>+efgU}sBrdM4>zh2oxz~aF7x_TVTpt88p5qfSjKLLD_ zHEp4wCuAAw<%YO02HC{lexS_84)Lo)fLo)wrqbxF=*6Ext)L;17$3T0es?@_+4Uv{0@*_*6J zgHrfhAH&JK5L0=mIM4?!~{4@WleAQ z_Zr#uxrA?z7|zIe&1Ot?5Ri{6mt5aSj_GCMZ>1IO5Xl(-?nb~i3cgGG`Dy<_bWhB2 zhSxg<1=E%F+s!{2LTi2TZG-ZXGu*|)TUFZiP8|?!Xmb<#A&V$E85uvscIb3x;+?$w zAf%-6d6cxSZg9p&uY>`%Q?W*2^eUu~3p zu84c+Fqq&(7SW)*JTAkwEZp0>oFf|2J#f zuDle2v6+&ZN~c*xD;ZAG$H$-tvP)o!yB|aIej4t@t-nmHLP=NaiOA3h^A3EZjH%@och-2KMRT=Cg)@n+*rO?*UJ=x>?xH!X$CAH 
z$5W4oI`!~OVBL`yg;Oh#zvBEej+IhsOAgA0D~p(X@0x<7RYxdZTgMdN24jhC!{C>i z`3#Lh7vu--`Uibah>3A5*R~fM75Qf` zMsA3CBRF`&eEj^wneNIEtEtY5M+B7vk0OE>2STE2-L~FCx+;HLaPso<9&R(R*qbdd zKRH;iPSzzBWYv1;!s4<&Ef=;urVfXbS*gQ$h{kUQ$QXP(x@M9`O>M#{lDWRI6NXJa zu&5HoLZd#r8lh4?d|P*0L<*aouQor`TN`f6H!uMpRQBED;YXb zL`lK^ok^?axOa16ga{LtPW$;MUqZ$|DS5{VL=_HRAX8O+h}x$j1M_EImoz( zt$V@nlDTi=52&kw9TSrjkItPi^^~9EuYM;br9XAFASElix?R1~2yYEa5p*Za8VPP_ z5P0$=9K_-)u50jKt?~Ly!CQL=2g4!7TID8l9^oV+ejtIjehaZ%?N*wG*f=lT&HvvK zirx%)w5hGFoxo+ppUPily5D%=v_BsGf7{ zIc|g~Nd2&g?XCNq+ZjgafcS+<@r!bEzW9-@ZdxPjruc&=FXX{&`Ken>4>Zew0)X7f zc3GM~uJ)B;6A*OmIdB6QX|DXmr`pNq)2{pST_r=$aB$v^(W^LEzt!!HL2tL>9^JU` zE4nmthI}d!gDrcpd($_-cXO<}m@$djFJ{cBC*zF6&4F6k0}EmFQvk%!KNtFtan0r02K(aP&uv{_-|r?Bs-CcMG}Jh znIeK0d9nrWb~_HmPQ+vQvhL7bP!ilKDvHabdfj~QayW7a-W2XR_pg)trIyIUpKVAr zLP7ig)PFox03}0U(f#L-{@=Nq%WO6JJ+}A9|I+>-`7@7LD((B2*=2K6LPhXF9!7Gk zQ-{}S_Z8A#+Lc`1qf1vRFk$HQWkqRPT3@8qa^1_ah-N0{zdX0v@rS?{m3k*E6~?G_ zc%9eZ`0cqS=?*QbEf~%=kQs62R$5Q^5LO-Z0YV*H@}qSwVCY6S`m^A}6X>DAgO$<7 zRb1(Wk1^?BnV2gjDV$C~vo2+yx)Do{Js>`yVAG<;G|`4y}-oKS1tf z$)<8Qav4+8<(os?OiKVKu~HNAK;%nFdFP2`pF8~8WH2Z^bs3uKxkh}5`v`oved{;|ov{am1Ve(q z4La`^XjD^xz-&-mCG{x0E*!ASf@_46#Kqzc&s;by9+yHngKbUZOlBEazQ>s?p1vDJ zl6~^cc~Dx>2Fzq>xVXSU&#TM!?EH(^B_>H9!LiRPF1ZLcq0|pe%`H9;JqQED#T=GT z_@v`cHo8MNzDTYj7}uzT$)fhBlWm9_ANt+jgY!bT3@g4= zyV57l!E660bJRRvt%09phST)A@a=_Z$D4X*s{t(N^&o%~l4;(V%@wD7VtwHcw7mu( z9+Hw8Hf2RFmu~W?xlom{Yv0$$_`GEvsg=^!zJnH#CZ>d|yE%s1G~bf=DE|0#K4}0S z$*3{X$uZP$DbeZ-7WKAsaO$qBtyTDk2(0juMiNceyK6xOF@DeuO zfmCw&3;Awg0On3oiciy`>GTOGeB5R-8?n|mp-Mc>+-Zrz0YsV4;QwgVYDkXpZw!k+ zNsn?I#-ca!+hcGb;3US|RT&?{;$+j0nF9NBGtt6Re&`%zKu$^dU9dwPj;T2|H6IQ| z5Gw#sClcOu;Cm#3&5^7&I|)gTyL~sKTURrn&v^s@tYE#O16Z#4n9)OU5&ho&()_7R zw7enRs<{-z%>jPzxOrb-al=t#&nfI|b!-V`vJU>#^T~P%F{sSiYk-fIA3T&+{f7v; zx0m1EN%MpD@Jup&#B_7V>vRsgcfuBV6BlPedgr!Rq}w%na<5PE8#$c0%{?qDt2mqd z6q*wh>OA(W4|?iC)f`kt1!YZ{wW&E7zvn*Q87@&V8q}_B2bwB%#_`a@)~tEM_DT5p z;b=B} z3|XJ?yvoVeXHPtLoTDam-Bkeh1FZYN3E#1l%xEQ`V|ZPz!9h7kjz&De`B6i<+p)g_ 
zQg#HgrND+XYn(q)A#_GkWGy&%IwSgSTl8ho7E|*bHwAW`n{^L4R0y@=UvMqG%`{q} z`tuZZFd=O)d=4#Ny@YdsXe#|yhIB$O?eBmXG$C1oBZgW8l_)C?iJMh(1^c#U1M}$G&AsPv;}!bLTGe))R87( z+kij&(i4lgHNob_rY}@FCo?jF03$Iy$8&L0e`xq_lU-HK1~6)X7`pjb!o>F&C6)vF z7D#A%%9Tw44M9wzi``+?GbVoy30>Y2@gnY0NN=;^j*f}x2SfUE@&^iHEa`Z5QH>8Q z`n(~XAEFJ-vWXX5k7rKT#zK_U8|;aYRJyJ-6sxJa2oGxy4$plG{!=1R{Q*_Zy`y`c zPly5F8Oi5e1{Tfh(}RQOR9r{`4o?TR>I`j1?`&B>(Q z<#UT+9)gPHCl&wv^AkspY?XJCJLb&p6WN zSX5;L`ds5Ji~tOy@aTrgU;iYS<^#ZVp1XN!ppaDtu&m#7voPG6ObZwx%@{H9uKP~g zP;jV%*xi!{D1e~TvDhq>001Z0*wKlHt$AV+;*KzBR^+x!(JWkab?P}!B=VJIs% zOv{>l{Bl5`)@_ZR49b&M5Zhbfc0mTJE#oZ74H_>HnC$GbUND#d=GHB-2$P=mRjdfJ zupb*v9td7_lZki_%qB)_)YvmDupsc1*9TJP&GgTBLN}-CNJ^iOy_Qmcg?s@N6C>%) zYpx=&HwVmKr(0+-j7l+!mgGp3X%^cYVO1gsh?{WR&d34oVZKfiyM^<7JfGb5Sgz`6 z@Ac6YA=sxY<{stcZfVq*qXFf?+JyM+${Y;n8{<+zX%%+#RDE$!MEd$LY}AX_9uw5k zA8*A!asxzS*zeFA^U+3fXfYzF2`wB6DqW}vy)a%|@H#oOygr_}M@&NE=Gkl7-l2g4 z4U$vBh3rjB0?;ei@V^tP&@b!TcKK0uRR+Y~?oGZme2<;3kS-SQ!gLOcU(jf_DBioN z7)W<9LKIjXA7f+Vw=%5IM1TL@TSSNB?s&pl67(fHCgF{fmEaDyO_poTlcH-F1Clhe zyyjcsGOBucvMIIU!bGRp9xvjX)^+ITJ+f65StpV{bQN{$4aWgY#O356;cSf+57~5~ z2tCznd4=x_425W)z%^+BY=Hs=b0gX*&ig^#f zuu#+UpT)IaS4Y|bJ{UTSg6lQL)%;NdL!N`N^hmy(BSO6)>ahE#_Kt}2`n?SnJp;hl zV$?fCUF(Z8yxg^|wd3nPgChoh#{R1%0#K5C z?zl%SeC2WX#>463&DVfG#VWB_!WU!&%&6~B;V9VHgsrgA4YS|iY#q>;uh&2*sgPF9 zo!H#L1|=nI-F8ksv~z7L9C|PB6W~p^y3&#JqwwR$kB8uU8E>q)0Eiq3-hrK+EVjMS zdxrn4Ljj6t?dVfW6tHB6vLFb-bAjMx4{PH2Ngry_xuX!v}-{XQu z6C&fko1K*b`!2x0Ne5!h`aJ9!a!Ho9GaE-|3zd-YcyQo*jT+KJ=f!Hk35M?lTNzfN z&t=m4yB&)8MOPM_xf~axr5AfczRv*}UC;Yc*ce6TXdR7Xs@9mNv!B&-|8qJW&gRe; zHcAlEU_9TdvGV2@mIKf!KA%g*$2()0Wu-i)7Ah;}TaIF4nj$iJgSsDqpTDxb+@BY{ z@X-#s|K*D~GQxRyw!UNTt2e+8&Nx{=eNnw=eNr~MVjpKiOSU9 zznkneFK>CG9UaUg3_;ojH(0z7a&*&s>!1RA7)1sGj0sF8PW(*vF!bvhN0#EG@jTOb z$cKEzxDm<+_Dc?|8_c?*Jw+y-V1@(iZEqxEh|K^@_P{R=XTR`Vc7>&+3)0kr9{&Ke zsgtdds0XJO74|!%TE-I9(rXu1y;^{GgmdtX2&gsC(ccmC`6LDZd_MmIjv>TfZM^xY z>G@T!ewC(Wu*3E&)u3MUF9w$8*QfNco4=c>05?y6quIZmO1kgPdPbb&M#S#rV@m$mOoP|Q 
z=F$F|S+}ltit(VQ4HplmD^BOiOtIksfEJwN!E#(q>8<9QW zIqRKKz9MrZs3!#{f#QTBhlY!q+6rNhBgUmDrEjFdk!df2)eC0i1dfu=nYY=fZ$i_4rJv%1k=~mKFFL z5J`nocmpwvWy-yWTKk`z;bC03v6)W4x)hp7bX{;mU3fDO=wCAhk^!`|0&wCt#i~j` zas?{;MtD3_6G1{CCMJ@{`<_C}(j{IA$N&ROH&92hgRy`QO=(q}H_9)D_ojTGi!1%qts{2fCjns{3T|e42v&=1X@ez~HpEw=3to;iJeh3JDKcIq+37vgt8Bnq5fYi@eA`%76rBBZ^~mO+sbN|P?}TX1y9SA+^_x$aYP zGtav`Q=$LCYg00Kr?!D_#q8h?J#dy=2a)uCo*76i9iDze3qR;x@Kt=N`kgYJN+lK2 z^*pvM4EY+~mN11mGBWS?o$4#l50ur^w2jV@fb{xEg1ojig-^hvrQKaKEs;+EfiBbl zS=kKXNa1&lYU@(Snjiw)Xnu=0vg9cF z`dFaC@^;C}H$CT`^y12%`OZ~;>maGE0w}byE32uTa}yI2$05P7w023J+I3s(!;yL? zM@2_>5jA@sIE_)m!w=V4bmbGLtsfRmeHEFoUY_i!1ab_MM@79c7%gpckN+Vo3G3=U z$L#DMY`~K?O+5g3q8evJ7=2qKn5+7>rV0jn2igP+pjgL?_n4u8b6@s#_4*&n(NG4p zxBJfxJ3BjY2;!w;F^tPAD@k1?yZZOIG;1X9-up_>G1G?ay8#e$J&w( z7|i8>*2%0>7gxM;=15S=YWGL1_fI*u5D}-S!O zS}@=S^bLALsINc1cx8x4iBLZoquHIQ{VqHwu>QhrZDK5v73>o~6(OAV=;&fy?MFko zdmpTScT9h?ZzpPR?~IB``4u_@&vdQ~^g4oG{IMR5#-DotT2&~4XO(*Qj_QY)l2f9{ zuaNW7-XO&%V_1@7^v_lPbr?Bo*TncBOn0P9*|?{ z@rkoj*c-=@^s`YG@z=WDS5FnI{#%E|%y!EI&}n zSCZ5vgbR}!JgY14OQ*UJxkN6?l!!bcZ+^~Kob=%VP}`_T`Bg0kY5Gtf-4MWYuD1LD zV6&EvF(3?5>DqbUiMAYEntirxwUM%{1I;Nw>Y`X@FPb)^Pm`Ps9z= zjOXuqjkYU7&Lv%N)EKv(l^`dxHIem+w*99di_NiD3*?C^oF{y=qK9@emR{xMX43xP zc^(oH+SWFJCx9mK;b+mY@_Qv*5cH9fEpl#dx+xaeVBX#FXPcAy_+dZSXMs_>w*bn` zYIKxLe13rCQhFN;Tt{nzqhbImUS3-p1e=a^Y??=tvnR>!UZsl4L)Z_UM(qA59MjFQ zY7$3NpO))>XgQdt4q&>M1gKwmyy|=T4EQ`hY zqDQV=7weuieH(OVbq4!YIR9?^#N3Ar-u;;qDnN3OzR9~5aeiF^Xx)&wC z`emdo2xWY907xKLVhosihBsgcry*wj<4~VL7v`N=2r96eY+z?enQsaYEA(lZ>5I1Y zRS%r9Y6b38;Y6E_hH?Iwg^jzn0V^Rgeoc%@{EIS6@vcn?bIpww-RfRQWfmoHip!iG zBNI|&9i%Y^<-=VCO9icggS*n*!vVT5C6$`YUNfHhmT=GvrmSqAK5Z151KCb0aK^~o?=cxE-zln#6or3|Z= z0Eb>>GaadO^`zYA*u`)KN4?qvCEe#j=tXXFYLM^IMa^}&3kqna(0<(kecx>L60i5c z?;<4(~YDu(lgYbppe zuL^xkhS%2Xxa&(AnjxK4O*39V297+v-RrL_(4N)SHk-=68x)ahcs3hQgfPW1nnwiV z6;2qjCmx<1{g7$EzrHyzIU^C4uL&}s+DO6y5{5#Ap*hJz@}ycQlPl9GjU<|-GUHF`4kfXaG9(= zD6{rSjteX1*{0{UzZ9G~BW_8EY7IMTPf}r6R-24Z)ML_L+dgHycBd+B|B>lt>UA`JL-d3E2~FQCna#0MR25Q^MO| 
zK^?fwZo_B9yr1Rs)&g{Owq{H4QrT}iFI^6#-b)u0uUvmtZB&2e;cPwB z!?E%1om`))&PPbX2+_A)0ku0VLF(10IS=d?x-eq6B+vcw>vv*G_j z47J7oJcU8D3c4`1W6VkiVm&yFQt*m`^?9qZ!hD z#WVo?5)yj6bNnNq%G|b^hJ=EZ)_LG-yST<9tiLj@^Ktc6j}cGt^QE(8nZ`Qxd_#_SDDfJC7m9 z9?=h~4?%?Z*j=Q|WkuBo5PL#fbXZASGzh~^}oFEKXj9VPGazbe&jx$nic<+#2S#O=M$ltwbZ9Dzp_SzojAdYM zj)sBhlI?w9z^HjCfY%pWe)D~QbMf_o4N1cBK*TpsxKT&lm-^sXVOkYY%vDDtS zDKTOo0UqHf_x$|g$v%?oR zUY7%bHy6Ki*sl=v7eXJnSwFRWTHc-Xe(D{U8-gmH^M0gI%M;oArodZhP6ru5!;XHx z2|~ymP)(^Uk7}TvnmljURw;7*oh741-OT+RI&mu*zoCb05C}UyE$8+hs4J_r1zo3d ztn}|7sJ@yA=*6I8z65O?T=s-M&nvP{gqnmVmNwrej@Zf>cM=@4ftGfcOJd+`roZ>( zb&lalupj2`gukt?w)}<drYnHoev55W1tfdEkqLeK70{T- z>GG@n!(wZ;`x*?U>ZAmu@&VeZ6IRT4AAN6Bix7Al< z14%OK?E`Vo!7=1;FD2rTX?36-%M^ANGxSrDJ5piZH`-9#%hvPe=e_IDE96A0+PR@H zTDVA9m)jn#v=m4oCUIa!^eckO*@OKVKCGdmySQ(HubhQ>Q}o97GZRW_C_QTG^KzZw zlzYN`-3O<{k^j?J)7JAIH2S}Ed=L!?RbIJy|8~OnJ*ML-RB0|Z**a}xM~okXh*j`awc`Q#{Pm(T!106z zo?7&{>j*l7F*2hx3=AK)EUhRf0F7YDjuFFb?*r!1I8!|*-(t<6-=pP}{d2E9MD zg2v6r9H2J;B>!>m*WrLilH4q13WA-wn2H_5VGp9)$Aj3No8=K>II+k;mFvO}S^XAo zmG}QJEMPwc?d7!bP{UK}+K;%j>hST=U!#lY1;Y1U2mD6x5kP57S#(xH$y5zkb2&Wh zcm}l_C5|u09x^V)JB|cdTqG5PmWvz)AJe;*AH1R#j#5}>GIE2;f1oF6*>B4W4i3+f zoas~$PiGmw(HcB#CdvQMdFw}ZtP@n!Rq8p@IThI8OB^8HS!U2h&R=8kskBBC;?4#O z=})LhG4K{p%;h88qk}Uc+&BU$8f#Yu2FxKuAyfn$&t>lUquCt z5`5-!CQta*AD(;=J0Ce%RqAWf<%i?$V@4KJ`{m<&Vs-E+L8)-egiez^k0X9bRT#0` z<+6&r&O=C;hZ{>#m(3Q6h|4oJbYfonv@fe4K+8;b*KrDYJ?r2ojWhUHyF(ApY^2_B+F;7`x~#lHu_gw58nDReEmF<;KSpOIUlVV+jqEERUX5jvD+MxEMBh9 zId_GelYhrGm}U-VtlfDbisSn5>H#&BJ9614z+n&q+z3Y9>L{Tg`6wH9<;kvSa-o^` zg%*4tT6R$x>|LFKbRp5mlsRL>Y;&p^eJ^QzE!rJww`KAC&XY5jZ-kSvcsme|3SYoo zM+fBGkON$7W?{kO(Uw#|Qnu*ECLX3DzN@vqOYHkkFq1ClK8?zy|aCg?YDgix12ORBkB zy&c8K?x@;M4@}>lMHTQUg3(bzX;30ByHAhTuThK56W;~p!iJKZ4pq%mk{|L@vW7d%frO^1wYvg}FuL-K28iQx4^LJPMJ)Ol zW>Kp*`_zREPg0lT$8OnNCLO&lRxE()eitmtuAhE$=MFG3&Qi6ofrf~uFK{9n3OQB+ z&$8cZSdR8p#+Sh6j;g;%b}X&xD@<@d-kOK7fmFWUgcTLnE54haQUC|J; zWzl0qt}}tPWI{iQ43x^h1a`6dh}pjGxU{~~0Ba$H&b+pPpJTHQ!kMp(3bK`b2t>r* 
zRpq{s>vbr;NoS*8ts57nxDr?)*H8PYA1yH6Br{C>0_aH2QoXQNp&0|)ygrv*7ZQGO zMYIIYZFlWd5k}T@^Q3*HE)mU$0&5Ro$der7!ZKSTpth^m zu{&OZ2G3=nZb6;Z499avfMbt2f9H%uNG5AK_F_L8cCtVD&DWKff}S}I-i4Vh`&!AP z%CcXfav{^I$8c)A$!kCrbm3~gU4876bi*Cn7x#*q`L3y?rCIu=5vApwKB-&>B5(HAS41n^hBzU)MxrG|g1*_PM$nzg8;=lvvX+c0KjGP~tY6%S=7uQDSlv`Z`yY=ZRP%nuyMPT)Lpjcqf@TC zj4MHK6U2#q3>M?ySLYecnkgT zooezS`^9!Xu$4(cnVB|6n%PbZVmBsA=d;{zwx@mtfag2x>eRv9A4}^i_+n554qO0 z9l!mRbz!olS7oM{+EKY+^84q;6y)GJSo~$EY5y2&pnQs6MQT+U@ln^fAD?3b9g^z> z;oJ;orr5}@%_>4*P=X38aq^gFcUKAw6YmgClzdJO#gW@q70pt@d4?D7=sX295Wgsl zeyWyp4gz@a%$AvA@UX7kfrF4T6_7c|`H00pAOFhI3R~?VC*b98 zhx;#h?&F^3IIm2*)z&H2S-rdV60CC&`ursuchGdd##c#i#;1W#!2a^h(=qz{4or++ z+haJv`~dBnB`#W)0ZO{VirsNr`)O=n?3=?{F7pTK2<07OpU{TT#z+dQ0Fk9Ifts4;dCd=Ql)inERou|5Hv^u z{zsoPV>RJpP{-#jIfPA$C$mSt=H@773pn!?OlZT|@_5uuztgeBF#rnjr&iNFlTf}P zRu*V|mDTH>gJ8*UQT{J(}s`+=;m#p5=ct;C<3J z+hu_VQ04CXD;t4LkZ zJW1A2LY1=|UOY){OxURe2%~?dk03hG=a+ma|J6?Y>KR^gB(Qi>h7zE=_1+d}n=D^A zqHmiwF#fI3%;3PvyO$0F)cnmnpaB~;$jYs?PxWQzzL1jRC|hZv18qTL4t&}gn`Z3? 
diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 290c2c8813..96de700480 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md
@@ -587,8 +587,8 @@ You can now perform following tasks in the Administrative Console for the IAS te To create a custom policy with filter restrictions do the following steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. -2. Customize the filter condition for the AMS attributes available -3. Press **Save** +3. Customize the filter condition for the AMS attributes available +4. Confirm with **Save** ::: details Create custom AMS policy with filter condition diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index c075b46872..ecd712285d 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md @@ -160,7 +160,7 @@ cd ./xflights_java cds up ``` -#### 4. Verify the deployment +#### 4. Verify the deployment { #verify } First, you can check the overall deployment status at the CF CLI level. In particular, the application services need to be started successfully and the shared identity instance needs to be verified. @@ -220,6 +220,9 @@ CAP offers a simplified App-2-App setup by leveraging remote services that requi - Principal propagation mode (optional) ::: +[Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} + + #### 1. Prepare the CF environment Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): 
@@ -231,15 +234,14 @@ Make sure that you've prepared the following [local environment for CF deploymen #### 2. Prepare and deploy the provider application -As first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to remote branch. +As a first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. -Similar to the [co-located](#co-located-provider) flavour, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. -The difference is that the consumers are not known a priori and also are not part of the same application deployment, in general. +Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. +The difference is that the consumers are not known a priori and are also not part of the same application deployment, in general. -To expose service APIs for consumption, you can enhance the identity instance of the provider by defining API identifies that are listed in property `provided-apis`: +To expose service APIs for consumption, you can enhance the identity instance of the provider by defining API identifiers that are listed in property `provided-apis`: ::: code-group - ```yaml [mta.yaml] resources: - name: xflights-ias @@ -253,7 +255,6 @@ resources: description: Grants technical access to data service API }] ``` - ::: Only a single entry with name `DataConsumer` representing the consumption of service `sap.capire.flights.data` is added. 
@@ -261,16 +262,17 @@ The description helps administrators to configure the consumer application with [Detailed description about identity instance parameters for `provided-apis`](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-instance-parameters){.learn-more} -OAuth tokens presented by a valid consumer requests as a result of an App-2-App flow will have API claim `DataConsumer` which is automatically mapped to a CAP role by the runtime. -Hence, the corresponding CDS service can be protected by CAP-role `DataConsumer` in order to authorize the requests thoroughly: +How can proper authorization be configured for _technical clients without user propagation_? +OAuth tokens presented by valid consumer requests as a result of an App-2-App flow will have API claim `DataConsumer`, which is automatically mapped to a CAP role by the runtime. +Hence, the corresponding CDS service can be protected by CAP role `DataConsumer` in order to authorize the requests thoroughly: ::: code-group - ```cds [/srv/authorization.cds] using { sap.capire.flights.data as data } from './data-service'; annotate data with @(requires: 'DataConsumer'); ``` +::: Finally, deploy and start the application with @@ -279,10 +281,9 @@ cd ./xflights_java cds up ``` -::: ::: tip API as CAP role -The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication. +The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication and hence can be used in @requires annotation. ::: ::: warning Use different roles for technical and business users 
@@ -291,13 +292,13 @@ Use different CAP roles for technical clients without user propagation and for n Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. ::: -#### 3. Prepare and deploy the consumer application +#### 3. Prepare and deploy the consumer application { #consumer } Like with xflights, clone [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) or, if already cloned and modified locally, reset to remote branch. -First, a BTP destination needs to be added which points to the provider service endpoint to be called (`URL`) and which bears the the information about the IAS dependency to be called (`cloudsdk.ias-dependency-name`). -The name for the IAS dependency is flexible but **need to match the chosen name in next step** when [connecting consumer and provider in IAS](#connect). -The destination is required by the connectivity component to prepare the HTTP call accordingly. Also note that the authentication type of the destination is `NoAuthentication` as the destination itself does not contribute to the authentication process. +First, a BTP destination needs to be added that points to the provider service endpoint to be called (`URL`) and that contains the information about the IAS dependency to be called (`cloudsdk.ias-dependency-name`). +The name for the IAS dependency is flexible but **needs to match the chosen name in the next step** when [connecting consumer and provider in IAS](#connect). +The destination is required by the connectivity component to prepare the HTTP call accordingly. Also note that the authentication type of the destination is `NoAuthentication`, as the destination itself does not contribute to the authentication process. ::: code-group 
@@ -311,6 +312,7 @@ The destination is required by the connectivity component to prepare the HTTP ca config: init_data: instance: + existing_destinations_policy: update destinations: - Name: xtravels-data-consumer Type: HTTP @@ -329,6 +331,7 @@ modules: requires: - name: xtravels-destination # [!code ++] ``` + ::: :::tip @@ -336,7 +339,8 @@ Alternatively, the destination can also be created manually in the [BTP destinat ::: -Given the destination, the remote service can be configured in a pretty similar way as with [co-located services](#co-located-consumer): +Given the destination, the remote service can be configured in a very similar way as with [co-located services](#co-located-consumer). +Currently, an additional Cloud SDK dependency `scp-cf` is required to support communication with the BTP destination service: ::: code-group @@ -353,8 +357,18 @@ cds: onBehalfOf: systemUserProvider ``` +```xml [/srv/pom.xml] + + com.sap.cloud.sdk.cloudplatform + scp-cf + runtime + +``` + ::: +[Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} + Finally, deploy and start the application with ```sh 
@@ -362,124 +376,321 @@ cd ./xtravels_java cds up ``` -Technically, the remote service implementation will delegate the HTTP connection setup to the connectivity component which can recognize by the type of the destination that it needs to initiate an App-2-App flow. +xtravels-srv is not expected to start successfully; instead, you should see error log messages like this: +```yaml +Remote HCQL service responded with HTTP status code '401', ... +``` + +Technically, the remote service implementation will delegate the HTTP connection setup to the connectivity component, which can recognize by the type of destination that it needs to initiate an App-2-App flow. It then takes the token from the request and triggers an IAS token exchange for the target [IAS dependency](#connect) according to the user propagation strategy (technical communication here). -The token exchange requires property `oauth2-configuration.token-policy.access-token-format: jwt` to be set in the identity instance in order to create a token in the JWT format. +As the IAS dependency is not created yet, IAS rejects the token exchange request and the call to the provider fails with `401` (not authenticated). + +Moreover, the token exchange requires property `oauth2-configuration.token-policy.access-token-format: jwt` to be set in the identity instance in order to create a token in the JWT format. #### 4. Connect consumer with provider { #connect } -To activate the App-2-App connection as a *consumer*, you need to: +Now let's create the missing IAS dependency to establish trust for the API service call targeting provided API with id `DataConsumer`. 
-Create an IAS application dependency in the IAS tenant: - - Open the Cloud Identity Services admin console - - Navigate to [Application APIs / Dependencies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/communicate-between-applications) - - Create a new dependency pointing to your provider application's API +Open the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): +1. Select **Applications & Resources** > **Applications**. Choose the IAS application of the `xtravels` consumer from the list. +2. In **Application APIs** select **Dependencies** and click on **Add**. +3. Type a dependency name (needs to match property value `cloudsdk.ias-dependency-name`) and pick provided API `DataConsumer` from the provider IAS application `xflights`. +4. Confirm with **Save** -

+::: details Create IAS dependency +![Manage IAS dependencies in Administrative Console](assets/ias-dependencies.png) {width="500px" } -[Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} +![Create a new IAS dependency in Administrative Console](assets/add-api.png) {width="500px" } -[Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} +::: +:::tip +The BTP destination as well as the IAS dependency can be automatically created at runtime by making use of [UCL integration](../java/integrating-applications/ucl#unified-customer-landscape-ucl). +::: + +Now restart the consumer application with +```sh +cf restart xtravels-srv +``` -## BTP Reuse Services {#ias-reuse} +to trigger a successful startup with valid flight data retrieved from the provider. -IAS-based BTP reuse services can be created/consumed with CAP Java even more easily. +You can now test the valid setup of the xtravels application by accessing the UI and logging in with an authorized test user of the IAS tenant. +To do so, assign a proper AMS policy (e.g., `admin`) to the test user as described [earlier](./cap-users#ams-deployment). -The CAP reuse service (provider) needs to: -1. Configure [IAS authentication](/java/security#xsuaa-ias). -2. Bind an IAS instance that exposes services and service plans. 
- ::: details Sample IAS instance for provider +## BTP Reuse Services {#ias-reuse} - ```yaml - - name: server-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - catalog: - services: - - id: "1d5c23ee-1ce6-6130-4af4-26461bc6ef79" - name: "review-service" - plans: - - id: "2d5c23ee-1ce6-6130-4af4-26461bc6ef78" - name: "review-api" - ``` +Similar to [external services](#app-to-app), BTP reuse services have a fully decoupled lifecycle. The trust between consumer and provider is established at _deployment_ time by means of the [Open Service Broker](https://www.openservicebrokerapi.org/)(OSB) API, i.e., the consumer creates and binds a service instance of the provider service. +However, the simplified configuration comes with a drawback: consumer and provider necessarily need to run on the same BTP landscape. +Still, in particular, services used at a technical provider level in the consumer perfectly match this setup. - ::: +![External services](./assets/external-services.drawio.svg){width="500px" } -3. Prepare a CDS service endpoint for the exposed API. +[IAS](./authentication#ias-auth) offers built-in support for OSB, resulting in a simplified configuration for provider applications. In contrast, XSUAA-based applications need to host a dedicated service broker as an additional effort. - ::: details Sample CDS Service for the API +Similar to co-located and external services, CAP supports communication with BTP reuse services transparently as it builds on the same architectural pattern of [remote services]( #remote-services). +Technically, the connectivity component uses the provided service binding to inspect the proper authentication strategy. Under the hood, it manages required interactions with the identity service, e.g., to fetch a proper token, depending on the concrete scenario. 
For instance, an IAS-based request token needs to be exchanged into an XSUAA token in case the binding shows an XSUAA client. + +:::tip +CAP offers a simplified consumption of BTP reuse services by leveraging remote services that require: +- A service binding in the consumer +- Principal propagation mode (optional) +::: + + +#### 1. Prepare the CF environment + +Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): +- CF space to deploy the applications and a `cf`-CLI session targeting this space. +- MBT CLI build tool. +- [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) +- HANA Cloud instance mapped to the space. +- [IAS tenant](./authentication#ias-ready) mapped to the subaccount. + + +#### 2. Prepare and deploy the provider service + +As a first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. + +Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. + +In contrast to the scenarios before, the consumers are not known a priori and might also have a different tenant. +As a consequence, the provider service needs to manage multiple subscribers and hence needs to be a multi-tenant service. + +You can easily enhance the service by adding the `multitenancy` facet: + +```sh +cds add multitenancy +``` + +Note that multi-tenancy aspect is now also reflected in the identity instance (property `config.multi-tenant: true`). + +As OSB protocol is leveraged to establish trust, a service broker needs to expose the API as dedicated service plan being part of a service catalog. +IAS can be used to provide a matching service broker without the application having to provide the OSB endpoints itself. 
+This can be achieved through enhanced configuration of the identity instance by declaratively creating the service catalog to be provided: + +```yaml [mta.yaml] +- name: + type: org.cloudfoundry.managed-service + requires: + catalog: + services: + - name: "xflights-data" + plans: + - name: "data-consumer" +``` + +::: details See detailed service catalog configuration + +```yaml [mta.yaml] +- name: xflights-ias + type: org.cloudfoundry.managed-service + requires: + - name: srv-api + [...] + catalog: + services: + - id: "4aa23ee-1ce6-6130-4af4-26461bc6ef79" + description: "xflights data service" + name: "xflights-data" + bindable: true + bindings_retrievable: true + instances_retrievable: true + plans: + - id: "2aac23ae-1ce6-6930-4af4-26461bc6ef78" + name: "data-consumer" + bindable: true + metadata: + subscribe_with_consuming_app: true + auto_subscription: + type: "subscription-manager" + propagateParams: true + bindingData: + authentication-service: + service-label: "identity" + endpoints: + eventing-endpoint: + uri: ~{srv-api/srv-cert-url} + always-requires-token: true + url: ~{srv-api/srv-cert-url} +``` + +Property `auto_subscription` will automatically forward the subscription request to the provider. +The ids are required to enable an updateable service catalog + +::: + +[Learn more about IAS service brokers](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker){.learn-more} + +::: tip +If the application requires specific functionality in the service broker, IAS can also be configured with a [custom service broker](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#create-custom-broker-optional). +::: + +To authorize the client requests you may add the API name (i.e. 
the plan name) as CAP role protecting the service access: + +::: code-group + +```cds [/srv/authorization.cds] +using { sap.capire.flights.data as data } from './data-service'; + +annotate data with @(requires: 'data-consumer'); +``` + +::: + +Afterwards, you may start the provider service by + +```sh +cds up +``` + +As the service is not yet registered to Service Manager, it will not yet appear in the output of `cf marketplace`. +We'll address this in the next section. + +#### 3. Register the provider as service broker + +https://wiki.one.int.sap/wiki/pages/viewpage.action?spaceKey=CPC15N&title=Test#Test-5.RegisteryourBrokerasSubaccount-Scoped + + +Subaccount-scoped means your service is automatically visible for consumption in the catalog of all environments in the subaccount where the service is registered in. + +```sh +btp login --sso +``` + +CLI server URL [https://cli.btp.cloud.sap]> +https://canary.cli.btp.int.sap SAP BTP Control Center -> Choose Landscape -> Open in btp CLI -> CLI Server URL + +```sh +btp list accounts/subaccount +btp target --subaccount +``` + +[Learn more how to login with btp CLI](https://help.sap.com/docs/btp/sap-business-technology-platform/log-in){.learn-more} +[Learn more how to target a subaccount with btp CLI](https://help.sap.com/docs/btp/sap-business-technology-platform/set-target-for-subsequent-commands-with-btp-target){.learn-more} +[Learn more about btp CLI commands](https://help.sap.com/docs/btp/sap-business-technology-platform/working-with-resources-of-sap-service-manager-using-btp-cli?version=Cloud){.learn-more} + + +```sh +https://service-manager./v1/info +{ + [...] + "service_manager_certificate_subject": "/C=DE/O=SAP SE/OU=SAP Cloud Platform Clients..." 
+} +``` + +landscape-domain: +cfapps.sap.hana.ondemand.com (EU10) + + +```sh +openssl req -newkey rsa:4096 \ + -x509 \ + -sha256 \ + -days 3650 \ + -nodes \ + -out sm.crt \ + -keyout sm.key \ + -subj "/C=DE/O=SAP SE/OU=SAP Cloud Platform Clients/OU=Canary/OU=sap-service-manager-cf-eu10-canary/L=service-manager/CN=service-manager" + +cat sm.crt | sed ':a;N;$!ba;s/\n/\\n/g' > sm-line.crt +cf create-service-key xflights-ias xflights-ias-key -c '{"credential-type": "X509_PROVIDED", "certificate": "'"$(cat sm-line.crt)"'"}' +``` + +[Learn more about establishing trust between service broker and Service Manager](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-manager-provided-certificate){.learn-more} + + +```sh +cf service-key xflights-ias xflights-ias-key | grep osb_url + +"osb_url": "https://eu-osb.accounts400.ondemand.com/sap/cp-kernel/identity/v1/osb/c0e703e2-93aa-4c9f-adb5-16efd4fabcdef", +``` + +```sh +btp register services/broker --name xflights-service-broker --url --use-sm-tls + +cf marketplace | grep xflights +xflights-data standard xflights data service +``` + +[Learn more about registering a service broker](https://help.sap.com/docs/btp/btp-cli-command-reference/btp-register-services-broker){.learn-more} - ```cds - service ReviewService @(requires: 'review-api') { - [...] - } - ``` - ::: -The CAP consumer application (client) needs to: -1. Create and bind the provided service from the marketplace. +#### 4. Prepare and deploy the consumer - ::: details Create and bind service instance. - ```sh - cf create-service review-service review-api review-service-instance - cf bind-service review-service-instance --binding-name review-service-binding - ``` - ::: +The consumer can now consume the reuse service in a quite straightforward manner. +First, a service instance of type `xflights-data` with plan `data-consumer` as displayed in the marketplace must be created and `xtravels-srv` must be bound to it: -2. 
Create an IAS instance that consumes the required service. +::: code-group - ::: details Sample IAS instance for client +```yaml [mta.yaml] +modules: + - name: xtravels-srv + requires: + - name: xtravels-data - ```yaml - - name: client-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - "consumed-services": [ { - "service-instance-name": "review-service-instance" - } ] - ``` +resources: + - name: xtravels-data + type: org.cloudfoundry.managed-service + parameters: + service: xflights-data + service-plan: data-consumer +``` - ::: +::: -3. Create a Remote Service based on the binding (optional). +The identity instance must also be configured to enable the corresponding service: - ::: details Sample Remote Service configuration +::: code-group - ```yaml - cds: - remote.services: - Reviews: - binding: - name: review-service-binding - onBehalfOf: currentUser - ``` +```yaml [mta.yaml] +resources: + - name: xtravels-ias + parameters: + config: + consumed-services: + - service-instance-name: xtravels-data +``` +::: - ::: +Only in this way will a token generated via the identity instance on the consumer side also be accepted by the provider. +Additionally, after validation, the token carries the CAP role `data-consumer` in the provider backend to pass authorization. -4. 
Use CQN queries to consume the reuse service (optional) +Finally, to establish the connection between the service binding, which represents the reuse service and carries all necessary information to establish the connection, and the service consumption, a remote service can again be created analogously as follows: -[Learn more about simplified Remote Service configuration with bindings](/java/cqn-services/remote-services#service-binding-based-scenarios) {.learn-more} +::: code-group -::: tip Service plan name as CAP role -The service plan names as specified in `consumed-services` in the IAS instance are granted as CAP roles after successful authentication. +```yaml [mta.yaml] +--- +spring: + config.activate.on-profile: cloud +cds: + remote.services: + xflights: + type: hcql + model: sap.capire.flights.data + http: + suffix: /hcql + binding: + name: xtravels-data + onBehalfOf: systemUserProvider +``` ::: +Note that in this case `http.suffix` must be set to the URL suffix `/hcql`, as this information is not contained in the binding. +Like before, user propagation for communication is set to the technical provider tenant. + +[Learn more about remote service configurations based on service bindings](https://pages.github.tools.sap/cap/docs/java/cqn-services/remote-services#binding-to-a-reuse-service){.learn-more} +[Learn more about URLs in remote service configurations](https://pages.github.tools.sap/cap/docs/java/cqn-services/remote-services#configuring-the-url){.learn-more} + + ::: warning Use different roles for technical and business users Use different CAP roles for technical clients without user propagation and for named business users. 
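Review bot: in the `API as CAP role` tip of the `@@ -279,10 +281,9 @@` hunk, `@requires` is left as unformatted prose; write it as "can be used in the `@requires` annotation" so it renders like the other CDS annotations on the page.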
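Review bot: `existing_destinations_policy: update` is added to the destination instance `init_data` in the `@@ -311,6 +312,7 @@` hunk without any explanation; add one sentence saying what it does (it tells the destination service how to treat an already existing destination named `xtravels-data-consumer` on a redeploy), otherwise readers cannot tell why the line is required or what happens if they omit it.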
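Review bot: the `scp-cf` dependency added in the `/srv/pom.xml` block of the `@@ -353,8 +357,18 @@` hunk carries no `version` element; say that the version is managed by the Cloud SDK BOM if that is the case, otherwise the snippet does not build as shown. The sentence introducing it in the preceding hunk (`Currently, an additional Cloud SDK dependency ...`) also implies a temporary requirement; state under which condition it can be dropped or link to the tracking item, so readers know when the extra dependency becomes obsolete.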
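Review bot: step `#### 3. Register the provider as service broker` in the `@@ -362,124 +376,321 @@` hunk is still a draft and should not merge as is: it opens with a bare internal wiki URL (`https://wiki.one.int.sap/...`) followed by pasted prompt fragments (`CLI server URL [https://cli.btp.cloud.sap]>`, `SAP BTP Control Center -> Choose Landscape -> ...`), the `landscape-domain:` / `cfapps.sap.hana.ondemand.com (EU10)` lines are loose notes, and the host in `https://service-manager./v1/info` and the value after `--url` in `btp register services/broker` are empty as shown; turn these into sentences with named placeholders such as `<landscape-domain>` and `<osb_url>`. The `openssl req` block needs a sentence explaining that the subject must equal the `service_manager_certificate_subject` returned by `/v1/info`, because the `OU=Canary/OU=sap-service-manager-cf-eu10-canary` values are specific to one landscape and will otherwise be copied verbatim; also note that `-nodes` writes `sm.key` unencrypted and that the key is never used by the following commands, so say whether it has to be kept (and protected) or can be discarded. Smaller points in the same hunk: in the short `mta.yaml` snippet `catalog:` sits directly under `requires:` as a sibling of `type:`, while the detailed variant elides the nesting with `[...]`; check that `catalog` belongs under `parameters.config` like `provided-apis` earlier in the guide. The service id `4aa23ee-1ce6-6130-4af4-26461bc6ef79` is not a well-formed UUID (the first group has seven hex digits). The link `../guides/security/authentication#ias-admin` does not resolve relative to `guides/security/remote-authentication.md`; the page otherwise uses `./authentication#...`. The `401` log excerpt is fenced as `yaml`; use `log` or `txt`. The `github.wdf.sap.corp` and `pages.github.tools.sap` links are not reachable for readers of the public docs. Typos: `[Open Service Broker](...)(OSB)` needs a space before `(OSB)`, `]( #remote-services)` has a stray space, `Note that multi-tenancy aspect` should read `the multi-tenancy aspect`, `As OSB protocol` should read `As the OSB protocol`, and `The ids are required to enable an updateable service catalog` lacks a period.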
@@ -487,7 +698,7 @@ Instead of using the same role, expose dedicated CDS services to technical clien ::: -### How to Authorize Callbacks +#### How to Authorize Callbacks For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. Currently, there is no standadized way to achieve this in CAP so that custom codeing is required. @@ -504,6 +715,18 @@ private void authorizeCallback() { } } ``` + ::: +## Pitfalls + +- **Don't write custom integration logic** for consumed services. +Leverage CAP's remote service architecture instead to ensure a seamless integration experience. + +- **Don't implement connectivity layer code** (e.g., to fetch or exchange tokens). +Instead, rely on the shared connectivity component, which ensures centralized and generic processing of outbound requests. + +- **Don't treat co-located services as external services**. +This introduces unnecessary communication overhead and increases total cost of ownership (TCO). + From 13d96690f5241cfcfe5850e12201c6479b22a15c Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 12:07:35 +0100 Subject: [PATCH 020/120] cleaned assets --- ...ss-auth.drawio - Kopie.svg:Zone.Identifier | 0 .../remote-service-stack.drawio - Kopie.svg | 174 ------------------ ...e-stack.drawio - Kopie.svg:Zone.Identifier | 0 3 files changed, 174 deletions(-) delete mode 100644 guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier delete mode 100644 guides/security/assets/remote-service-stack.drawio - Kopie.svg delete mode 100644 guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier diff --git a/guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/ingress-auth.drawio - Kopie.svg:Zone.Identifier deleted file mode 100644 index e69de29bb2..0000000000 
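Review bot: while demoting `How to Authorize Callbacks` to `####` in the `@@ -487,7 +698,7 @@` hunk of remote-authentication.md, the two typos in the unchanged context right below it (`standadized`, `codeing`) could be fixed in the same commit. Also check the heading depth: `## BTP Reuse Services` is followed directly by `####` steps and now a `####` subsection, so the `###` level is skipped; either use `###` for the numbered steps or keep one consistent depth.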
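Review bot: each bullet of the new `## Pitfalls` section in the `@@ -504,6 +715,18 @@` hunk refers to a concept explained earlier (remote services, the connectivity component, co-located services) without linking to it; add the `[...](#remote-services)` / `[...](#co-located-consumer)` style cross references the rest of the page uses, so the reader can jump from the pitfall to the recommended approach.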
diff --git a/guides/security/assets/remote-service-stack.drawio - Kopie.svg b/guides/security/assets/remote-service-stack.drawio - Kopie.svg deleted file mode 100644 index ab7a534b2b..0000000000 --- a/guides/security/assets/remote-service-stack.drawio - Kopie.svg +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - - - - - - - - -
\ No newline at end of file diff --git a/guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/remote-service-stack.drawio - Kopie.svg:Zone.Identifier deleted file mode 100644 index e69de29bb2..0000000000 From d1e2302a354d1c689f9781133e90484092c88647 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 12:23:44 +0100 Subject: [PATCH 021/120] fxed typo menu --- menu.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/menu.md b/menu.md index 4a2c265518..7cea86d492 100644 --- a/menu.md +++ b/menu.md @@ -76,10 +76,10 @@ ## [Security](guides/security/) - ### [Overhiew](guides/security/overview) + ### [Overview](guides/security/overview) ### [Authentication](guides/security/authentication) ### [CAP Users](guides/security/cap-users) - ### [Authorization](guides/security/authorization) + ### [CAP Authorization](guides/security/authorization) ### [Remote Authentication](guides/security/remote-authentication) ### [Security Aspects](guides/security/aspects) ### [Data Protection & Privacy](guides/security/data-protection-privacy) From 188666e08edaf0f2bc4c9afb84f722bfa3fbd6bf Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 13:25:57 +0100 Subject: [PATCH 022/120] added diagrams remote auth --- .../assets/co-located-services.drawio.svg | 157 ++++++--- .../assets/external-services.drawio.svg | 197 +++++++---- .../security/assets/reuse-services.drawio.svg | 305 ++++++++++++++++++ guides/security/remote-authentication.md | 2 +- 4 files changed, 561 insertions(+), 100 deletions(-) create mode 100644 guides/security/assets/reuse-services.drawio.svg diff --git a/guides/security/assets/co-located-services.drawio.svg b/guides/security/assets/co-located-services.drawio.svg index 0dfa257e88..7a56f5e599 100644 --- a/guides/security/assets/co-located-services.drawio.svg +++ b/guides/security/assets/co-located-services.drawio.svg 
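Review bot: in the menu.md hunk of `[PATCH 021/120] fxed typo menu`, renaming `Authorization` to `CAP Authorization` is not a typo fix and is not mentioned in the commit message; either split it into its own commit or mention it. Also check the naming is intentional: the menu now reads `CAP Users` and `CAP Authorization` next to a plain `Authentication`.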
@@ -1,22 +1,22 @@ - + - + - - - + + + - + -
+
diff --git a/guides/security/assets/external-services.drawio.svg b/guides/security/assets/external-services.drawio.svg index bd5c3df1e9..5ff2f15409 100644 --- a/guides/security/assets/external-services.drawio.svg +++ b/guides/security/assets/external-services.drawio.svg @@ -1,25 +1,25 @@ - + - + - + - - - + + + - + -
diff --git a/guides/security/assets/reuse-services.drawio.svg b/guides/security/assets/reuse-services.drawio.svg new file mode 100644 index 0000000000..1ca1bcdf20 --- /dev/null +++ b/guides/security/assets/reuse-services.drawio.svg @@ -0,0 +1,305 @@ + + + + + + + + + + + + + + + + + + +
\ No newline at end of file diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index ecd712285d..639397ba7c 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md @@ -429,7 +429,7 @@ Similar to [external services](#app-to-app), BTP reuse services have a fully dec However, the simplified configuration comes with a drawback: consumer and provider necessarily need to run on the same BTP landscape. Still, in particular, services used at a technical provider level in the consumer perfectly match this setup. -![External services](./assets/external-services.drawio.svg){width="500px" } +![BTP Reuse services](./assets/reuse-services.drawio.svg){width="500px" } [IAS](./authentication#ias-auth) offers built-in support for OSB, resulting in a simplified configuration for provider applications. In contrast, XSUAA-based applications need to host a dedicated service broker as an additional effort. From 1638c21124c0af876d6934c474a9d39b2bf2a8e6 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 14:40:28 +0100 Subject: [PATCH 023/120] fixed typos --- ...ted-services.drawio - Kopie.svg:Zone.Identifier | Bin 25 -> 0 bytes guides/security/cap-users.md | 8 ++++---- 2 files changed, 4 insertions(+), 4 deletions(-) delete mode 100644 guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier 
diff --git a/guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier b/guides/security/assets/co-located-services.drawio - Kopie.svg:Zone.Identifier deleted file mode 100644 index d6c1ec682968c796b9f5e9e080cc6f674b57c766..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25 dcma!!%Fjy;DN4*MPD?F{<>dl#JyUFr831@K2x Date: Tue, 25 Nov 2025 16:13:22 +0100 Subject: [PATCH 024/120] before ai proposals --- guides/security/remote-authentication.md | 91 ++++++++++++------------ 1 file changed, 45 insertions(+), 46 deletions(-) diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 639397ba7c..907a39b2ec 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
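Review bot: deleting `co-located-services.drawio - Kopie.svg:Zone.Identifier` is correct; it is a Windows NTFS alternate-data-stream marker left behind by a downloaded file copy, not a documentation asset. Two follow-ups: check whether the stray ` - Kopie.svg` copy itself is still tracked under `assets/`, and add `*:Zone.Identifier` to `.gitignore` so the next commit from a Windows checkout does not reintroduce it.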
@@ -46,10 +46,10 @@ All three different service scenarios listed above can be conveniently addressed ## Co-located Services {#co-located-services} -Co-located services do not run in the same microservice, but are typically part of the same deployment unit and hence reside within the same trust boundary of the overall [application zone](./overview#application-zone). -Logically, such co-located services contribute to the application equally and hence could run as local services just as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of a [late-cut microservice approach](../providing-services#late-cut-microservices). +Co-located services do not run in the same microservice, but are typically part of the same deployment unit and hence reside within the same trust boundary of the [application zone](./overview#application-zone). +Logically, such co-located services contribute to the application equally and hence could run as services integrated in the same microservice as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of a [late-cut microservice approach](../providing-services#late-cut-microservices). -Technically, they share the same identity instance, which allows direct token forwarding: +Technically, **they share the same identity instance, which allows direct token forwarding**: ![Co-located services](./assets/co-located-services.drawio.svg){width="450px" } 
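Review bot: the bolded claim that a shared identity instance "allows direct token forwarding" needs its security precondition in the same sentence. A forwarded token reaches the co-located service with the caller's full claim set, so this is acceptable only because, as the preceding lines say, both services sit inside the same trust boundary of the application zone; state that dependency explicitly rather than leaving it implied, otherwise readers may apply token forwarding to services outside the deployment unit.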
@@ -69,22 +69,21 @@ CAP offers a simplified co-located service setup by leveraging remote services t To combine both applications in a co-located setup, you can follow these steps: -#### 1. Prepare the CF environment +#### 1. Prepare the CF environment { #prepare } -Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): -- CF space to deploy the applications and a `cf`-CLI session targeting this space. -- MBT CLI build tool. -- HANA Cloud instance mapped to the space. +Make sure that you've prepared a [local environment for CF deployments](../deployment/to-cf#prerequisites) and in addition: +- A Cloud Foundry (CF) space in a subaccount. +- [HANA Cloud instance](https://help.sap.com/docs/hana-cloud/sap-hana-cloud-administration-guide/create-sap-hana-database-instance-using-sap-hana-cloud-central) mapped to the CF space. - [IAS tenant](./authentication#ias-ready) mapped to the subaccount. - + #### 2. Prepare and deploy the consumer application { #co-located-consumer } -As client, `xtravels` first needs a valid configuration for the remote service `sap.capire.flights.data`: +As client, `xtravels-srv` first needs a valid configuration for the remote service `sap.capire.flights.data`: ::: code-group -```yaml [/srv/srv/main/resources/application.yaml] +```yaml [/srv/src/main/resources/application.yaml] --- spring: config.activate.on-profile: cloud 
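Review bot: the path fix to `/srv/src/main/resources/application.yaml` is right for a Maven layout. The shortened prerequisite list drops the `cf` CLI session targeting the space and the MBT build tool; that is fine only if the linked `../deployment/to-cf#prerequisites` page covers both, so verify it does. Removing the empty `- ` bullet is a good catch.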
@@ -99,13 +98,16 @@ cds: url: https:///hcql onBehalfOf: systemUserProvider ``` +::: +Property `type` activates the protocol to exchange the business data and needs to be offered by the provider [CDS service](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24). The `model` property needs to match the fully qualified name of the CDS service from the imported model. -The `binding.name` just needs to point to the shared identity instance and the `url` option provides the required location of the remote service endpoint. +You can find CDS service definition of `sap.capire.flights.data` in file `target/cds/capire/xflight-data/service.cds` resolved during CDS build step. +The `binding.name` needs to point to the shared identity instance and `option.url` provides the required location of the remote service endpoint. Finally, `onBehalfOf: systemUserProvider` specifies that the remote call is invoked on behalf of the technical provider tenant. -Deploy the application with +Now you are ready to deploy the application with ```sh cd ./xtravels_java 
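Review bot: the security-relevant consequence of `onBehalfOf: systemUserProvider` is missing here: no business user is propagated, so the provider only ever sees a technical user of the provider tenant, which is exactly why step 3 restricts `sap.capire.flights.data` to `internal-user`. Spell that out, otherwise a reader who keeps business-role restrictions on the provider will see the call rejected. Minor: `option.url` does not match the key name `url` shown in the snippet, and "You can find CDS service definition ... resolved during CDS build step" needs articles ("the CDS service definition", "the CDS build step").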
@@ -115,25 +117,29 @@ cds up ❗Note that CF application `xtravels-srv` will not start successfully as long as `xflights` is not deployed yet (step 3). ::: tip -For production deployment, it is recommended to combine both services with the shared identity instance in a [single MTA descriptor](./deployment/microservices#all-in-one-deployment). +For production deployment, it is recommended to combine both services with the shared identity instance in a [single MTA descriptor](../deployment/microservices#all-in-one-deployment). ::: #### 3. Prepare and deploy the provider application { #co-located-provider } -As server, `xflights` should restrict service `sap.capire.flights.data` to technical clients of the same application by adding pseudo-role [`internal-user`](./cap-users#pseudo-roles) to the service: +As server, `xflights-srv` needs to restrict service `sap.capire.flights.data` to the technical client calling from of the same application. +This can be done by adding pseudo-role [`internal-user`](./cap-users#pseudo-roles) to the service: ::: code-group - ```cds [/srv/authorization.cds] using { sap.capire.flights.data as data } from './data-service'; annotate data with @(requires: 'internal-user'); ``` +::: +::: tip +For different [user propagation](./cap-users#remote-services) modes the remote service can be configured appropriately. +The provider service authorization needs to align with the configured user propagation. ::: -In addition, the microservice needs to share the same identity instance for the co-located setup: +In addition, to finally establish the the co-located setup, the microservice needs to share the same identity instance: ::: code-group 
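Review bot: "calling from of the same application" and "establish the the co-located setup" are typos. The new tip is too vague to act on; say concretely that with `onBehalfOf: systemUserProvider` there is no business user, so `internal-user` is the matching restriction, whereas a propagating mode would require the propagated user's business roles on `sap.capire.flights.data` instead of the pseudo-role.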
@@ -164,7 +170,7 @@ cds up First, you can check the overall deployment status at the CF CLI level. In particular, the application services need to be started successfully and the shared identity instance needs to be verified. -::: details To verify successfully started applications, `cf apps` should show the following lines: +::: details Verify: `cf apps` should show the following lines: ::: code-group ```sh @@ -178,7 +184,7 @@ xtravels-srv started web:1/1 ... ``` ::: -::: details To verify the service bindings, `cf services` should show the following lines: +::: details Verify: `cf services` should show the following lines: ::: code-group ```sh 
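Review bot: each `::: details Verify: ...` block opens a nested `::: code-group`, but the context shows a single `:::` closer before the next `::: details`. markdown-it-container (as used by VitePress) only nests containers when the outer marker is longer than the inner one, so either write the outer block as `:::: details ... ::::` or drop the code-group inside the details block; as written the second container is likely closed early.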
@@ -196,21 +202,26 @@ The very same setup could be deployed for XSUAA-based services. ::: -## External Services { #app-to-app } +## External Services In contrast to [co-located services](#co-located-services), external services do not have a strong dependency as they have a fully decoupled lifecycle and are provided by different owners in general. As a consequence, external services can run cross-regionally; even non-BTP systems might be involved. A prerequisite for external service calls is a trust federation between the consumer and the provider system. -For instance, BTP HTTP Destinations offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. -[IAS](./authentication#ias-auth) is positioned to simplify cross-regional requests with user propagation. +A seamless integration experience for external service communication is provided by [IAS App-2-App](#app-to-app) flows, which are offered by CAP via remote services. +Alternatively, remote services can be configured on top of [BTP HTTP Destinations](../using-services#using-destinations) which offer [various authentication strategies](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/http-destinations) such as SAML 2.0 as required by many S/4 system endpoints. + + +### IAS App-2-App { #app-to-app } + +As first calss citizen, [IAS](./authentication#ias-auth) is positioned to simplify cross-regional requests with user propagation. Prerequisites are identity instances on both consumer and provider sides as well as a registered IAS dependency in the consumer instance. ![External services](./assets/external-services.drawio.svg){width="500px" } CAP supports communication between arbitrary IAS endpoints and remains transparent for applications as it builds on the same architectural pattern of [remote services]( #remote-services). 
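Review bot: "first calss citizen" should be "first-class citizen". Moving `{ #app-to-app }` from `## External Services` to `### IAS App-2-App` changes the target of the existing link `[external services](#app-to-app)` in the reuse-services paragraph (see the `@@ -429,7` hunk earlier in this series): it now lands on the IAS-specific subsection instead of the general External Services section. Either keep an anchor on the section heading or retarget that link.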
Technically, the connectivity component uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) in this scenario which requires a token exchange from a consumer token into a token for the provider. -The latter is issued by IAS only if the consumer is configured with a valid IAS dependency to the provider (establishing trust). +The latter is issued by IAS only if the consumer is configured with a valid IAS dependency ponting to the provider accordingly. :::tip CAP offers a simplified App-2-App setup by leveraging remote services that require: 
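Review bot: "ponting" should be "pointing". The rewrite also drops the parenthetical "(establishing trust)"; since the IAS dependency is precisely the trust relationship that authorizes the token exchange, keep that wording so the dependency is not read as a mere configuration detail.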
@@ -223,18 +234,10 @@ CAP offers a simplified App-2-App setup by leveraging remote services that requi [Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} -#### 1. Prepare the CF environment - -Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): -- CF space to deploy the applications and a `cf`-CLI session targeting this space. -- MBT CLI build tool. -- HANA Cloud instance mapped to the space. -- [IAS tenant](./authentication#ias-ready) mapped to the subaccount. - -#### 2. Prepare and deploy the provider application +#### 1. Prepare and deploy the provider application -As a first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. +Assuimg the same local CF environment setup as [here](#prepare), clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. The difference is that the consumers are not known a priori and are also not part of the same application deployment, in general. 
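Review bot: "Assuimg" should be "Assuming", and "as [here](#prepare)" reads awkwardly; "Assuming the same local CF environment as in [step 1 of the co-located setup](#prepare)" is clearer. Renumbering steps 2-4 to 1-3 is consistent with the removed step, but check that no remaining text in this section still refers to "step 3" or "step 4" of this procedure.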
@@ -257,7 +260,7 @@ resources: ``` ::: -Only a single entry with name `DataConsumer` representing the consumption of service `sap.capire.flights.data` is added. +The entry with name `DataConsumer` represents the consumption of service `sap.capire.flights.data` and is exposed as IAS API. The description helps administrators to configure the consumer application with the proper provider API if done on UI level. [Detailed description about identity instance parameters for `provided-apis`](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-instance-parameters){.learn-more} @@ -292,7 +295,7 @@ Use different CAP roles for technical clients without user propagation and for n Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. ::: -#### 3. Prepare and deploy the consumer application { #consumer } +#### 2. Prepare and deploy the consumer application { #consumer } Like with xflights, clone [`xtravels-java`](https://github.com/capire/xtravels-java/tree/main) or, if already cloned and modified locally, reset to remote branch. @@ -376,7 +379,7 @@ cd ./xtravels_java cds up ``` -xtravels-srv is not expected to start successfully; instead, you should see error log messages like this: +`xtravels-srv` is not expected to start successfully; instead, you should see error log messages like this: ```yaml Remote HCQL service responded with HTTP status code '401', ... ``` 
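Review bot: the learn-more link in the `@@ -257,7` hunk context points to `https://github.wdf.sap.corp/pages/CPSecurity/...`, an SAP-internal host that is unreachable for readers of the public CAP docs; replace it with a help.sap.com reference or drop it. Minor: "is exposed as IAS API" should be "as an IAS API".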
@@ -385,20 +388,20 @@ Technically, the remote service implementation will delegate the HTTP connection It then takes the token from the request and triggers an IAS token exchange for the target [IAS dependency](#connect) according to the user propagation strategy (technical communication here). As the IAS dependency is not created yet, IAS rejects the token exchange request and the call to the provider fails with `401` (not authenticated). -Moreover, the token exchange requires property `oauth2-configuration.token-policy.access-token-format: jwt` to be set in the identity instance in order to create a token in the JWT format. +Note that property `oauth2-configuration.token-policy.access-token-format: jwt` is set in the identity instance to ensure the exchanged token has JWT format. -#### 4. Connect consumer with provider { #connect } +#### 3. Connect consumer with provider { #connect } Now let's create the missing IAS dependency to establish trust for the API service call targeting provided API with id `DataConsumer`. -Open the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): +Open the Administrative Console for the IAS tenant (see prerequisits [here](../guides/security/authentication#ias-admin)): 1. Select **Applications & Resources** > **Applications**. Choose the IAS application of the `xtravels` consumer from the list. 2. In **Application APIs** select **Dependencies** and click on **Add**. 3. Type a dependency name (needs to match property value `cloudsdk.ias-dependency-name`) and pick provided API `DataConsumer` from the provider IAS application `xflights`. 4. Confirm with **Save** -::: details Create IAS dependency +::: details Create IAS dependency in Administrative Console ![Manage IAS dependencies in Administrative Console](assets/ias-dependencies.png) {width="500px" } 
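Review bot: this hunk replaces the correctly spelled "prerequisites" with "prerequisits"; revert that. The link `../guides/security/authentication#ias-admin` is also wrong relative to `guides/security/remote-authentication.md` (other links in this file use `./authentication#...`). Finally, the reworded `access-token-format: jwt` sentence drops the statement that the token exchange *requires* the JWT format; keep the causal wording, since it explains why the property must not be removed from the identity instance.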
@@ -445,12 +448,8 @@ CAP offers a simplified consumption of BTP reuse services by leveraging remote s #### 1. Prepare the CF environment -Make sure that you've prepared the following [local environment for CF deployments](../deployment/to-cf#prerequisites): -- CF space to deploy the applications and a `cf`-CLI session targeting this space. -- MBT CLI build tool. -- [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) -- HANA Cloud instance mapped to the space. -- [IAS tenant](./authentication#ias-ready) mapped to the subaccount. +Make sure to setup a local CF environment setup as described [here]. +In addition, install the [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) wich is required to manage service brokers. #### 2. Prepare and deploy the provider service From 6a273f84bde251691ae704feef8215650b2e1bba Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 17:09:23 +0100 Subject: [PATCH 025/120] minor improvements --- guides/security/authentication.md | 52 +++++++++---------- guides/security/cap-users.md | 66 ++++++++++++------------ guides/security/overview.md | 50 +++++++++--------- guides/security/remote-authentication.md | 60 ++++++++++----------- 4 files changed, 114 insertions(+), 114 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index d08ef8422f..846ba51391 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
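Review bot: `[here]` has no link target (the co-located variant uses `(#prepare)`), "setup a local CF environment setup" duplicates "setup" ("set up a local CF environment as described here"), and "wich" should be "which".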
@@ -36,14 +36,14 @@ CAP [leverages platform services](#key-concept-platform-services) to provide pro - For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: - - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fleged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. + - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fledged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. - [XS User Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. - CAP applications can run IAS and XSUAA in [hybrid mode](#hybrid-authentication) to support a smooth migration from XSUAA to IAS. ## Mock User Authentication { #mock-user-auth } -In none-production profile, by default, CAP creates a security configuration which accepts _mock users_. +In non-production profile, by default, CAP creates a security configuration which accepts _mock users_. As this authentication strategy is a built-in feature which does not require any platform service, it is perfect for **unit testing and local development scenarios**. Setup and start a simple sample application: @@ -194,7 +194,7 @@ cds:
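Review bot: "In non-production profile" still lacks an article; "In non-production profiles" or "In the non-production profile" reads correctly. The "full-fledged" fix is good.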
-In the mock user configuration you are free to specify: +In mock user configuration you can specify: - name (mandatory) and tenant - CAP roles (including pseudo-roles) and attributes affecting authorization - additional attributes @@ -202,7 +202,7 @@ In the mock user configuration you are free to specify: which influence request processing. To verify the properties in a user request with a dedicated mock user, activate [user tracing](../cap-users#user-tracing) and send the same request on behalf of `viewer-user`. -In the application log you should find information about the resolved user after successful authentication: +In the application log you will find information about the resolved user after successful authentication:
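Review bot: the context line links `[user tracing](../cap-users#user-tracing)`, but `cap-users.md` is in the same `guides/security` folder as `authentication.md`, so the relative path should be `./cap-users#user-tracing` (compare `./cap-users#pseudo-roles` used in remote-authentication.md in this series).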
@@ -225,11 +225,11 @@ TODO ### Automated Testing { #mock-user-testing } Mock users provide an ideal foundation for automated **unit tests, which are essential for ensuring application security**. -The flexibility in defining various kinds of mock users and the seamless integration into testing code significantly lowers the burden to cover all relevant test combinations. +The flexibility in defining various types of mock users and the seamless integration into testing code significantly reduces the burden of covering all relevant test combinations.
-::: details How to useleverage @WithMockUser in Spring-MVC to use CAP mock users +::: details How to use @WithMockUser in Spring-MVC to use CAP mock users ```java [srv/src/test/java/customer/bookshop/handlers/CatalogServiceTest.java] @RunWith(SpringRunner.class) @SpringBootTest @@ -275,7 +275,7 @@ await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: - cross-landscape user propagation (including on-premise) - streamlined SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) (due to [OpenId Connect](https://openid.net/connect/) compliance) -IAS authentication is at best configured and tested in the Cloud, hence we're going to enhance the sample with a deyloyment descriptor for SAP BTP, Cloud Foundry Runtime (CF). +IAS authentication is best configured and tested in the Cloud, so we're going to enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). ### Get Ready with IAS { #ias-ready } @@ -288,9 +288,9 @@ Before working with IAS on CF, you need to towards your IAS tenant to use it as identity provider for applications in your subaccount. - ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, -in particular you require a `cf` CLI-session targeting to a CF space in the test subaccount (test with `cf target`). +in particular you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). -In the project's root folder execute +In the project root folder, execute ```sh cds add mta @@ -371,7 +371,7 @@ The following trace in the application log confirms the activated IAS authentica
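Review bot: the context line in the `@@ -288,9` hunk still links the prerequisites via `https://pages.github.tools.sap/cap/docs/...`, an SAP-internal host; the other files in this series use the relative `../deployment/to-cf#prerequisites`, which should be used here too so the link works for external readers.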
At startup, the CAP runtime checks the available bindings and activates IAS authentication accordingly. -**Hence, the local setup without an IAS binding in the environment is still working**. +**Therefore, the local setup without an IAS binding in the environment continues to work**. For mTLS support which is mandatory for IAS, the CAP application has a second route configured with the `cert.*` domain. @@ -401,12 +401,12 @@ On SAP BTP Kyma Runtime, you might need to adapt configuration parameter .accounts400.ondemand.com/admin`. +you can see and manage the deployed IAS application. You need a user with administrative privileges in the IAS tenant to access the services at `.accounts400.ondemand.com/admin`. -In the Console you can manage the IAS tenant and the IAS applications, e.g. +In the Console you can manage the IAS tenant and IAS applications, for example: - create (test) users in `Users & Authorizations` -> `User Management` - deactivate users -- configure the authentication strategy (password policies, MFA etc.) in `Applications & Ressources` -> `Applications` (IAS instances listed with their disply-name) +- configure the authentication strategy (password policies, MFA etc.) in `Applications & Resources` -> `Applications` (IAS instances listed with their display-name) - inspect logs in `Monitoring & Reporting` -> `Troubleshooting` ::: tip @@ -416,7 +416,7 @@ In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows d ### Testing IAS on CLI Level -Due to the autoconfiguration in CAP, all CAP endpoints should be authenticated and expect valid ID tokens generated for the IAS application. +Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. Sending the test request ```sh curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose 
@@ -432,7 +432,7 @@ cf create-service-key bookshop-auth bookshop-auth-key \ -c '{"credential-type": "X509_GENERATED"}' ``` -The overall setup with local CLI client and the Cloud services is scetched in the diagram: +The overall setup with local CLI client and the Cloud services is sketched in the diagram: ![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.drawio.svg){width="500px"} @@ -473,8 +473,8 @@ From the credentials, you can prepare local files containing the certificate use ::: details How to prepare client X.509 certificate files -Copy the public X.509-certificate in property `certifiacte` into a file `cert-raw.pem` and `key` into a file `key-raw.pem`, accordingly. -Both files need to be post-processed to transform the single-line represnatation into a standard multi-line representation: +Copy the public X.509-certificate in property `certificate` into a file `cert-raw.pem` and `key` into a file `key-raw.pem`, accordingly. +Both files need to be post-processed to transform the single-line representation into a standard multi-line representation: ```sh awk '{gsub(/\\n/,"\n")}1' .pem > .pem @@ -537,7 +537,7 @@ cds add approuter ``` adds the additional AppRouter to the deployment which is already prepared for IAS. -The resulting setup is scetched in the diagram: +The resulting setup is sketched in the diagram: ![UI-level Testing of IAS Endpoints](./assets/ias-ui-setup.svg){width="500px"} 
@@ -602,7 +602,7 @@ This is the safe baseline on which minor customization steps can be applied on t ::: There are multiple reasons why customization might be required: -1. Endpoints for none-business requests often require specific authentication methods (e.g. health check, techincal services). +1. Endpoints for non-business requests often require specific authentication methods (e.g. health check, technical services). 2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). 3. The application needs to integrate with a 3rd party authentication service. @@ -664,7 +664,7 @@ public class CustomSecurityConfig { ``` Due to the custom configuration, all URLs matching `/public/**` are opened for public access in this example. -Make sure your custom configuration has higher priority than the CAP's default security configuration by decorating the bean with a low order. +Ensure your custom configuration has higher priority than CAP's default security configuration by decorating the bean with a low order. ::: warning _❗ Warning_ Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. Make sure that only the intended endpoints are affected. @@ -678,7 +678,7 @@ In services meshes such as [Istio](https://istio.io/) the authentication is usua ![Service Mesh with Ingress Gateway](./assets/ingress-auth.drawio.svg){width="500px"} -In architectures like this, the CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. +In such architectures, CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. ::: tip User propagation should be done by forwarding the request token in `Authorization`-header accordingly. 
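Review bot: with `cds.security.authentication.mode="never"` nothing in the application itself rejects an unauthenticated request, so the `@@ -678,7` hunk should state the assumption it relies on explicitly: the CAP endpoints must be reachable only through the ingress gateway that performs authentication. The tip about forwarding the request token in the `Authorization` header is fine, but on its own it reads as if the token were still validated by CAP, which it is not in this mode.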
@@ -692,13 +692,13 @@ If you switch off CAP authentication, make sure that the internal communication ## Pitfalls -- **Dont' miss to configure security middleware.** +- **Don't miss to configure security middleware.** Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. - Without security middleware configured, CDS services are exposed to public. + Without security middleware configured, CDS services are exposed to the public. -- **Don't rely on AppRouter authentication**. Approuter as frontend proxy does not shield the backend from incoming traffic. Hence, the backend needs to be secured independently. +- **Don't rely on AppRouter authentication**. AppRouter as a frontend proxy does not shield the backend from incoming traffic. Therefore, the backend must be secured independently. -- **Don't deviate from security defaults**. Only when absolute necessary, only experts should take the decision to add modifications or even replace parts of the standard authentication mechanisms. +- **Don't deviate from security defaults**. Only when absolutely necessary should experts make the decision to add modifications or replace parts of the standard authentication mechanisms. -- **Don't miss to add authentication tests** to ensure properly setup security configuration in your deployed application that rejects unauthenticated requests. +- **Don't forget to add authentication tests** to ensure properly configured security in your deployed application that rejects unauthenticated requests. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index c7b0ea3055..e5a34febe2 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -21,15 +21,15 @@ status: released # CAP Users { #cap-users } -A successfull authentication results in an CAP [user representation](#claims) reflecting the request user in an uniform way. -Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategy. -It contains static information about the user such as name, ID and tenant. Moreover it contains additional claims such as roles or assigned attributes that are relevant for [authorization](./authorization). +A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. +Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. +It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). Dynamic assignments of roles to users can be done by - [Authorization Management Service (AMS)](#ams-roles) in case of [IAS authentication](./authentication#ias-auth). - [XS User Authentication and Authorization Service (XSUAA)](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). -In addition, CAP users provide an API for [programmatic]( #developing-with-users ) processing and customization. +In addition, CAP users provide an API for [programmatic](#developing-with-users) processing and customization. [[toc]] 
@@ -37,10 +37,10 @@ In addition, CAP users provide an API for [programmatic]( #developing-with-users After _successful_ authentication, a CAP user is mainly represented by the following properties: -- **_Logon name_** identifying the user uniquly +- **_Logon name_** identifying the user uniquely - **_Tenant_** describes the tenant of the user (subscriber or provider) which implies the CDS model and business data container. -- **_Roles_** the user has been assigned by an user administrator (business [user roles](#roles)) or roles which are derived by the authentication level ([pseudo roles](#pseudo-roles)). -- **_Attributes_** the user has been assigned e.g. for instance-based authorization. +- **_Roles_** the user has been assigned by a user administrator (business [user roles](#roles)) or roles which are derived by the authentication level ([pseudo roles](#pseudo-roles)). +- **_Attributes_** the user has been assigned, for example, for instance-based authorization.
@@ -75,20 +75,20 @@ CAP users can be classified in multiple dimensions: Typically, the provider tenant is not subscribed to a multi-tenant application and therefore has no business users. In contrast, for a single-tenant application, there is no subscriber tenant, and the provider tenant includes all business users. -| MT Application | Business users | Technical users -|-------------------|----------------|--- -| Provider Tenant | - | -| Subscriber Tenant | | +| Multi-Tenant Application | Business users | Technical users +|---------------------------|----------------|---------------- +| Provider Tenant | - | +| Subscriber Tenant | | ::: tip Apart from anonymous users, all users have a unique tenant. ::: The user types are designed to support various flows, such as: -- UI requests are executed on behalf of a business user interacting with the CAP backend service. -- During the processing of a business request, the backend utilizes platform services on behalf of the technical user of the subscriber tenant. -- An asynchronously received message processes data on behalf of the technical user of a subscriber tenant. -- A background task operates on behalf of the technical provider tenant." +- UI requests executed on behalf of a business user interacting with the CAP backend service. +- Backend processing that utilizes platform services on behalf of the technical user of the subscriber tenant. +- Asynchronously received messages that process data on behalf of the technical user of a subscriber tenant. +- Background tasks that operate on behalf of the technical provider tenant. - ... Find more details about how to [switch the user context](#switching-users) during request processing. 
@@ -114,17 +114,17 @@ annotate Issues with @(restrict: [ For instance, the role `ReportIssues` allows to work with the `Issues` created by the own user, whereas a user with role `ReviewIssues` is only allowed to read `Issues` of any user. CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. -Independently from that, user administrators combine CAP roles in higher-level policies and assign to business users in the platform's central authorization management solution. +Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. ::: tip -CDS-based authorization deliberately refrains from using technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the technical domain of business applications. +CDS-based authorization deliberately avoids technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the business domain of applications. ::: #### Pseudo Roles { #pseudo-roles} It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _technical authentication level_ of the request. For instance, a service should be accessible only for technical users, with or without user propagation. -Such roles are called pseudo roles as they aren't assigned by user administrators, but are added by the runtime automatically on succcessful authentication, reflecting the technical level: +Such roles are called pseudo roles as they aren't assigned by user administrators, but are added by the runtime automatically on successful authentication, reflecting the technical level: | Pseudo Role | User Type | Technical Indicator | User Name |-----------------------------|---------------------|---------------|---------------| 
@@ -148,7 +148,7 @@ All technical clients that have access to the application's XSUAA or IAS service ### Model References -The resulting object representaiton of the user is attached to the current request context and has an impact on the request flow for instance with regards to +The resulting object representation of the user is attached to the current request context and has an impact on the request flow for instance with regards to - [authorizations](./authorization#restrictions) - [enriching business data](../guides/domain-modeling#managed-data) with user data - setting [DB session variables](../guides/db-feature-comparison#session-variables) @@ -171,7 +171,7 @@ AMS acts as a central service to define access policies that include CAP roles a _Business users_, technically identified by the IAS ID token, can have AMS policies assigned by user administrators. ::: tip -Authorizations for technical users should not be adressed by AMS policies. +Authorizations for technical users can't be addressed by AMS policies yet. ::: The integration with AMS is provided as an easy-to-use plugin for CAP applications. @@ -362,10 +362,10 @@ You need to make use of a compiler expression in order to ensure validity of the ::: tip Choose attributes exposed to AMS carefully. -The attribute should have cross-sectional sematic in the domain. +The attribute should have cross-sectional semantics in the domain. ::: -As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation on level of a shared aspect as scetched here: +As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation at the level of a shared aspect as sketched here: ```cds aspect withGenre @ams.attributes: { Genre: (genre.name) } { 
@@ -514,7 +514,7 @@ cds: You can verify in the UI that mock user `stock-manager-fiction` is restricted to books of genres `Mystery` and `Fantasy`. -[Learn more about AMS attribute filters with CAP](https://sap.github.io/cloud-identity-developer-guide/CAP/InstanceBasedAuthorization.html#instance-based-authorization){.leanr-more} +[Learn more about AMS attribute filters with CAP](https://sap.github.io/cloud-identity-developer-guide/CAP/InstanceBasedAuthorization.html#instance-based-authorization){.learn-more} ### Cloud Deployment { #ams-deployment } @@ -580,14 +580,14 @@ Now let's deploy and start the application with cds up ``` -You can now perform following tasks in the Administrative Console for the IAS tenant (see prerequisits [here](../guides/security/authentication#ias-admin)): +You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): - Assign (base or custom) policies to IAS users - Create custom policies -To create a custom policy with filter restrictions do the following steps: +To create a custom policy with filter restrictions, follow these steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. -3. Customize the filter condition for the AMS attributes available +3. Customize the filter conditions for the available AMS attributes 4. Confirm with **Save** ::: details Create custom AMS policy with filter condition 
@@ -598,10 +598,10 @@ To create a custom policy with filter restrictions do the following steps: ::: -To assign a policy to an IAS user do the following steps: +To assign a policy to an IAS user, follow these steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. Switch to tab **Authorization Policies** and select the policy you want to assign -3. In **Assignments** add the IAS user of the tenant the policy should be assigned (in **Rules** you can review the policy definition). +3. In **Assignments**, add the IAS user of the tenant to which the policy should be assigned (you can review the policy definition in **Rules**). ::: details Assign AMS policy to an IAS user @@ -881,7 +881,7 @@ There are multiple reasonable use cases in which user modification is a suitable - Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. - ... -[See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.leanr-more} +[See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.learn-more}
@@ -1009,14 +1009,14 @@ cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { #### Between Threads Within the same Request Context, all CAP service calls share the same user information. -By default, the Request Context of the current thread is not shared with spawned thread and hence user information is lost. +By default, the Request Context of the current thread is not shared with spawned threads and hence user information is lost. If you want to avoid this, you can propagate the Request Context to spawned threads as described [here](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext) and hence the same user context is applied. -#### None-CAP Libraries { #user-token } +#### Non-CAP Libraries { #user-token } CAP plugins for IAS and XSUAA store the resolved user information in Spring's [`SecurityContext`](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/core/context/SecurityContext.html) which contains all relevant authentication information. Hence, library code can rely on standards to fetch the authentication information and restore the user information if needed. -In addition, the [authentication information](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/authentication/AuthenticationInfo.html) is stored in the Request Context and can be fetched like scetched here: +In addition, the [authentication information](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/authentication/AuthenticationInfo.html) is stored in the Request Context and can be fetched as sketched here: ```java AuthenticationInfo authInfo = context.getAuthenticationInfo(); 
@@ -1096,7 +1096,7 @@ Don't activate user tracing in production! - **Don't write custom code against concrete user types of a specific identity service (e.g. XSUAA or IAS)**. Instead, if required at all, use CAP's user abstraction layer (`UserInfo` in Java or `req.user` in Node.js) to handle user-related logic. -- **Don't try to propagtate named user context in asynchronous requests**. Do not attempt to propagate the context of a named user in asynchronous requests, such as when using the Outbox pattern or Messaging. +- **Don't try to propagate named user context in asynchronous requests**. Do not attempt to propagate the context of a named user in asynchronous requests, such as when using the Outbox pattern or Messaging. Asynchronous tasks are typically executed outside the scope of the original request context, after successful authorization. Propagating the named user context can lead to inconsistencies or security issues. Instead, use technical users for such scenarios. diff --git a/guides/security/overview.md b/guides/security/overview.md index 0b5e120a35..7a315490ab 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -17,7 +17,7 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ ### Pluggable Building Blocks { #key-concept-pluggable } -CAP divides the different security-related tasks into separate and independent building blocks for which all of them there is a standard CAP implementation suitable for most scenarios: +CAP divides the different security-related tasks into separate and independent building blocks, each with a standard CAP implementation suitable for most scenarios: ![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="600px" } 
@@ -36,7 +36,7 @@ Due to the plugin-based architecture, **CAP allows standard functions to be modi This flexibility is crucial for scenarios where the default methods do not fully meet the requirements of the application. Moreover, this integration helps to easily incorporate non-CAP and even non-BTP services, thereby providing a flexible and interoperable environment. -![Overview Cusomizable Components with CAP](./assets/security-customizable.drawio.svg){width="600px" } +![Overview Customizable Components with CAP](./assets/security-customizable.drawio.svg){width="600px" } For instance, it is possible to define specific endpoints with a custom authentication strategy. Likewise, the CAP representation of the request user can be overruled to match additional, application-specific requirements. @@ -44,7 +44,7 @@ Likewise, the CAP representation of the request user can be overruled to match a ### Built on Best of Breed { #key-concept-platform-services } CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should not have to do it at all!** -Instead, **CAP seamlessly integrates with bullet-proven [platform services](#btp-services)** that handle these critical security topics centrally. +Instead, **CAP seamlessly integrates with battle-tested [platform services](#btp-services)** that handle these critical security topics centrally. This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. Built on platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. 
@@ -60,16 +60,16 @@ This safeguards business logic being independent from platform services which ar As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. For instance, CAP allows performing outbound service calls via Remote Services while handling authentication under the hood completely. -This abstraction layer ensures developers not having to worry about the details of authentication. +This abstraction layer ensures that developers do not need to worry about the details of authentication. ### Secure by Default { #key-concept-secure-by-default } -CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code to adapt accordingly. -CAP's security autoconfiguration approach significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are under safe control**. +CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code accordingly. +CAP's security autoconfiguration approach significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are safely controlled**. -For instance, endpoints of deployed CAP applications are authenticated automatically, thus providing a secure baseline. -Making endpoints public requires manual configuration either in the CAP model or in the middleware. +For instance, endpoints of deployed CAP applications are automatically authenticated, providing a secure baseline. +Making endpoints public requires manual configuration in either the CAP model or the middleware. 
@@ -91,7 +91,7 @@ To serve a business request, different runtime components are involved: a reques From CAP's point of view, all components without specific security requirements belong to the public zone. Therefore, you shouldn't rely on the behavior or structure of consumer components like browsers or technical clients for the security of server components. The platform's gateway provides a single point of entry for any incoming call and defines the API visible to the public zone. -As malicious users have free access to the public zone, these endpoints need to be protected carefully. +Since malicious users have free access to the public zone, you must protect these endpoints carefully. Ideally, you should limit the number of exposed endpoints to a minimum, perhaps through proper network configuration. #### Platform Zone { #platform-zone } 
@@ -106,20 +106,20 @@ The platform zone also includes the gateway, which is the main entry point for e The application zone comprises all microservices that represent a CAP application. They are tightly integrated and form a **unit of trust**. The application provider is responsible to *develop, deploy and operate* these services: -- The [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) acts as as an optional reverse proxy wrapping the application service and providing business-independent functionality required for UIs. +- The [Application Router](https://help.sap.com/docs/btp/sap-business-technology-platform/application-router) acts as an optional reverse proxy wrapping the application service and providing business-independent functionality required for UIs. This includes serving UI content, providing a login flow as well as managing the session with the browser. -It can be deployed as application (reusable module) or alternatively consumed as a [service](https://help.sap.com/docs/btp/sap-business-technology-platform/managed-application-router). +It can be deployed as an application (reusable module) or alternatively consumed as a [service](https://help.sap.com/docs/btp/sap-business-technology-platform/managed-application-router). - The CAP application service exposes the API to serve business requests. Usually, it makes use of lower-level platform services. As built on CAP, a significant number of security requirements is covered either out of the box or by adding minimal configuration. - The optional CAP sidecar (reusable module) is used to outsource application-independent tasks such as providing multitenancy and extension support. -Application providers, that is platform users, have privileged access to the application zone. -In contrast, application subscribers, that is business users, are restricted to a minimal interface. 
+Application providers (platform users) have privileged access to the application zone. +In contrast, application subscribers (business users) are restricted to a minimal interface. ::: warning -❗ Application providers **may not share any secrets from the application zone** such as binding information with other components or persons. -In a productive environment, it is recommended to deploy and operate the application on behalf of a technical user. +❗ Application providers **must not share any secrets from the application zone** such as binding information with other components or persons. +In a production environment, we recommend deploying and operating the application on behalf of a technical user. ::: @@ -138,7 +138,7 @@ This **frees CAP applications from the need to manage trust certificates**. The All supported [environments](overview#cloud) fulfill the given requirements. Additional requirements could be added in future. ::: tip -Custom domain certificates need to be signed by trusted certificate authority. +Custom domain certificates must be signed by a trusted certificate authority. ::: ::: warning 
@@ -181,13 +181,13 @@ Currently, CAP supports to run on two cloud runtimes of [SAP Business Technology Application providers are responsible to ensure a **secure platform environment**. In particular, this includes *configuring* [platform services](#btp-services) the application consumes. For instance, the provider (user) administrator needs to configure the [identity service](#identity-service) to separate platform users from business users that come from different identity providers. -Likewise login policies (for example, multifactor authentication or single-sign-on) need to be aligned with company-specific requirements. +Likewise, login policies (for example, multifactor authentication or single-sign-on) must be aligned with company-specific requirements. Note, that achieving production-ready security requires to meet all relevant aspects of the **development process** as well. -For instance, source code repositories need to be protected and may not contain any secrets or personal data. -Likewise, the **deployment process** needs to be secured. That includes not only setting up CI/CD pipelines running on technical platform users, but also defining integration tests to ensure properly secured application endpoints. +For instance, source code repositories must be protected and must not contain any secrets or personal data. +Likewise, the **deployment process** must be secured. This includes not only setting up CI/CD pipelines running on technical platform users, but also defining integration tests to ensure properly secured application endpoints. -As part of **secure operations**, application providers need to establish a patch and vulnerability management, as well as a secure support process. For example, component versions need to be updated and credentials need to be rotated regularly. +As part of **secure operations**, application providers must establish patch and vulnerability management, as well as a secure support process. 
For example, component versions must be updated and credentials must be rotated regularly. ::: warning The application provider is responsible to **develop, deploy, and operate the application in a secure platform environment**. @@ -229,8 +229,8 @@ This service helps to introduce a strict separation between platform users (prov #### [SAP Authorization and Trust Management Service](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) -The service lets customers manage user authorizations in technical roles at application level, which can be aggregated into business-level role collections for large-scale cloud scenarios. -Obviously, developers must define application roles carefully as they form basic access rules to business data. +The service allows customers to manage user authorizations in technical roles at the application level, which can be aggregated into business-level role collections for large-scale cloud scenarios. +Developers must define application roles carefully as they form the basic access rules for business data. [Learn more in the security guide.](https://help.sap.com/docs/btp/sap-business-technology-platform/btp-security){.learn-more} 
@@ -243,14 +243,14 @@ It provides a way to establish a secure communication channel between remote end #### [SAP Malware Scanning Service](https://help.sap.com/docs/MALWARE_SCANNING) -This service can be used to scan transferred business documents for malware and viruses. -Currently, there is no CAP integration. A scan needs to be triggered by the business application explicitly. +This service scans transferred business documents for malware and viruses. +Currently, there is no CAP integration. A scan must be triggered explicitly by the business application. [Learn more in the security guide.](https://help.sap.com/docs/btp?#operate_task-security){.learn-more} #### [SAP Credential Store](https://help.sap.com/docs/CREDENTIAL_STORE) -Credentials managed by applications need to be stored in a secure way. +Credentials managed by applications must be stored securely. This service provides a REST API for (CAP) applications to store and retrieve credentials at runtime. [Learn more in the security guide.](https://help.sap.com/docs/CREDENTIAL_STORE?#discover_task-security){.learn-more} diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 907a39b2ec..a0a2ef4dd5 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md @@ -21,7 +21,7 @@ status: released # Remote Authentication { #remote-authentication } -CAP supports out-of-the-box consumption of various kinds of [remote services]( #remote-services): +CAP supports out-of-the-box consumption of various types of [remote services]( #remote-services): * [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e., belong to the same trusted [application zone](./overview#application-zone)). * [External services](#app-to-app) which can be running on non-BTP platforms. 
@@ -30,8 +30,8 @@ CAP supports out-of-the-box consumption of various kinds of [remote services]( # ## Remote Service Abstraction { #remote-services } According to the key concept of [pluggable building blocks](./overview#key-concept-pluggable), the architecture of CAP's [Remote Services](../using-services#consuming-services) decouples protocol level (i.e., exchanged content) from connection level (i.e., established connection channel). -While the business context of the application has an impact on the protocol, the connectivity of the service endpoints is agnostic to it and mainly depends on platform-level capabilities. -The latter is frequently subject to changes and hence should not introduce a dependency on the application. +While the business context of the application impacts the protocol, the connectivity of the service endpoints is independent of it and mainly depends on platform-level capabilities. +The latter is frequently subject to change and therefore should not introduce application dependencies. ![Remote Service stack architecture](./assets/remote-service-stack.drawio.svg){width="400px" } 
@@ -40,14 +40,14 @@ At the connectivity layer, the following basic tasks can be addressed genericall - Destination (_how to find the target service_) - User propagation (_how to transport user information_) -CAP's connectivity component can handle authentication (IAS, XSUAA, X.509, ZTID, ...) and destination (local destination, BTP Destination, BTP Service Binding) as well as user propagation (technical provider, technical subscriber, named user) transparently and in a fully configuration-driven manner. -All three different service scenarios listed above can be conveniently addressed by configuration variants of the same remote service concept as shown in the following sections. +CAP's connectivity component handles authentication (IAS, XSUAA, X.509, ZTID, ...), destination (local destination, BTP Destination, BTP Service Binding), and user propagation (technical provider, technical subscriber, named user) transparently through configuration. +All three service scenarios can be addressed through configuration variants of the same remote service concept, as shown in the following sections. ## Co-located Services {#co-located-services} Co-located services do not run in the same microservice, but are typically part of the same deployment unit and hence reside within the same trust boundary of the [application zone](./overview#application-zone). -Logically, such co-located services contribute to the application equally and hence could run as services integrated in the same microservice as well, but for some technical reason (e.g., different runtime or scaling requirements) they are separated physically, often as a result of a [late-cut microservice approach](../providing-services#late-cut-microservices). 
+Logically, such co-located services contribute to the application equally and could run as integrated services in the same microservice, but for technical reasons (e.g., different runtime or scaling requirements) they are separated physically, often as a result of a [late-cut microservice approach](../providing-services#late-cut-microservices). Technically, **they share the same identity instance, which allows direct token forwarding**: @@ -67,7 +67,7 @@ CAP offers a simplified co-located service setup by leveraging remote services t ::: -To combine both applications in a co-located setup, you can follow these steps: +To combine both applications in a co-located setup, follow these steps: #### 1. Prepare the CF environment { #prepare } @@ -100,7 +100,7 @@ cds: ``` ::: -Property `type` activates the protocol to exchange the business data and needs to be offered by the provider [CDS service](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24). +The `type` property activates the protocol for exchanging business data and must be offered by the provider [CDS service](https://github.com/capire/xflights-java/blob/6fc7c665c63bb6d73e28c11b391b1ba965b8772c/srv/data-service.cds#L24). The `model` property needs to match the fully qualified name of the CDS service from the imported model. You can find CDS service definition of `sap.capire.flights.data` in file `target/cds/capire/xflight-data/service.cds` resolved during CDS build step. The `binding.name` needs to point to the shared identity instance and `option.url` provides the required location of the remote service endpoint. 
@@ -139,7 +139,7 @@ For different [user propagation](./cap-users#remote-services) modes the remote s The provider service authorization needs to align with the configured user propagation. ::: -In addition, to finally establish the the co-located setup, the microservice needs to share the same identity instance: +Additionally, to establish the co-located setup, the microservice needs to share the same identity instance: ::: code-group @@ -168,7 +168,7 @@ cds up #### 4. Verify the deployment { #verify } -First, you can check the overall deployment status at the CF CLI level. In particular, the application services need to be started successfully and the shared identity instance needs to be verified. +First, you can check the overall deployment status at the CF CLI level. Specifically, the application services must be started successfully and the shared identity instance must be verified. ::: details Verify: `cf apps` should show the following lines: @@ -204,7 +204,7 @@ The very same setup could be deployed for XSUAA-based services. ## External Services -In contrast to [co-located services](#co-located-services), external services do not have a strong dependency as they have a fully decoupled lifecycle and are provided by different owners in general. +In contrast to [co-located services](#co-located-services), external services do not have strong dependencies as they have a fully decoupled lifecycle and are provided by different owners. As a consequence, external services can run cross-regionally; even non-BTP systems might be involved. A prerequisite for external service calls is a trust federation between the consumer and the provider system. 
@@ -214,14 +214,14 @@ Alternatively, remote services can be configured on top of [BTP HTTP Destination ### IAS App-2-App { #app-to-app } -As first calss citizen, [IAS](./authentication#ias-auth) is positioned to simplify cross-regional requests with user propagation. -Prerequisites are identity instances on both consumer and provider sides as well as a registered IAS dependency in the consumer instance. +As a first-class citizen, [IAS](./authentication#ias-auth) is positioned to simplify cross-regional requests with user propagation. +Prerequisites are identity instances on both consumer and provider sides, plus a registered IAS dependency in the consumer instance. ![External services](./assets/external-services.drawio.svg){width="500px" } -CAP supports communication between arbitrary IAS endpoints and remains transparent for applications as it builds on the same architectural pattern of [remote services]( #remote-services). +CAP supports communication between arbitrary IAS endpoints and remains transparent for applications as it builds on the same architectural pattern of [remote services](#remote-services). Technically, the connectivity component uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) in this scenario which requires a token exchange from a consumer token into a token for the provider. -The latter is issued by IAS only if the consumer is configured with a valid IAS dependency ponting to the provider accordingly. +The latter is issued by IAS only if the consumer is configured with a valid IAS dependency pointing to the provider accordingly. :::tip CAP offers a simplified App-2-App setup by leveraging remote services that require: 
@@ -237,10 +237,10 @@ CAP offers a simplified App-2-App setup by leveraging remote services that requi #### 1. Prepare and deploy the provider application -Assuimg the same local CF environment setup as [here](#prepare), clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. +Assuming the same local CF environment setup as [here](#prepare), clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. -The difference is that the consumers are not known a priori and are also not part of the same application deployment, in general. +The difference is that the consumers are not known a priori and are not part of the same application deployment. To expose service APIs for consumption, you can enhance the identity instance of the provider by defining API identifiers that are listed in property `provided-apis`: 
@@ -266,8 +266,8 @@ The description helps administrators to configure the consumer application with [Detailed description about identity instance parameters for `provided-apis`](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-instance-parameters){.learn-more} How can proper authorization be configured for _technical clients without user propagation_? -OAuth tokens presented by valid consumer requests as a result of an App-2-App flow will have API claim `DataConsumer`, which is automatically mapped to a CAP role by the runtime. -Hence, the corresponding CDS service can be protected by CAP role `DataConsumer` in order to authorize the requests thoroughly: +OAuth tokens presented by valid consumer requests from an App-2-App flow will have API claim `DataConsumer`, which is automatically mapped to a CAP role by the runtime. +Therefore, the corresponding CDS service can be protected by CAP role `DataConsumer` to authorize requests thoroughly: ::: code-group ```cds [/srv/authorization.cds] @@ -286,7 +286,7 @@ cds up ::: tip API as CAP role -The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication and hence can be used in @requires annotation. +The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication and can be used in @requires annotations. ::: ::: warning Use different roles for technical and business users 
@@ -394,7 +394,7 @@ Note that property `oauth2-configuration.token-policy.access-token-format: jwt` Now let's create the missing IAS dependency to establish trust for the API service call targeting provided API with id `DataConsumer`. -Open the Administrative Console for the IAS tenant (see prerequisits [here](../guides/security/authentication#ias-admin)): +Open the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): 1. Select **Applications & Resources** > **Applications**. Choose the IAS application of the `xtravels` consumer from the list. 2. In **Application APIs** select **Dependencies** and click on **Add**. @@ -410,7 +410,7 @@ Open the Administrative Console for the IAS tenant (see prerequisits [here](../g ::: :::tip -The BTP destination as well as the IAS dependency can be automatically created at runtime by making use of [UCL integration](../java/integrating-applications/ucl#unified-customer-landscape-ucl). +Both the BTP destination and the IAS dependency can be automatically created at runtime using [UCL integration](../java/integrating-applications/ucl#unified-customer-landscape-ucl). ::: Now restart the consumer application with 
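Review bot: the corrected link in the -394 hunk, `../guides/security/authentication#ias-admin`, goes up one directory and back down into `guides/security/`; if this file lives in `guides/security/` itself, as `remote-authentication.md` does elsewhere in this series, the target should be `./authentication#ias-admin`. The same applies to `../java/integrating-applications/ucl#unified-customer-landscape-ucl` in the -410 hunk, which from `guides/security/` would need `../../java/...`. Run the docs link checker on this file before merge.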
@@ -428,9 +428,9 @@ To do so, assign a proper AMS policy (e.g., `admin`) to the test user as describ ## BTP Reuse Services {#ias-reuse} -Similar to [external services](#app-to-app), BTP reuse services have a fully decoupled lifecycle. The trust between consumer and provider is established at _deployment_ time by means of the [Open Service Broker](https://www.openservicebrokerapi.org/)(OSB) API, i.e., the consumer creates and binds a service instance of the provider service. -However, the simplified configuration comes with a drawback: consumer and provider necessarily need to run on the same BTP landscape. -Still, in particular, services used at a technical provider level in the consumer perfectly match this setup. +Similar to [external services](#app-to-app), BTP reuse services have a fully decoupled lifecycle. The trust between consumer and provider is established at _deployment_ time through the [Open Service Broker](https://www.openservicebrokerapi.org/) (OSB) API, where the consumer creates and binds a service instance of the provider service. +However, this simplified configuration comes with a limitation: consumer and provider must run on the same BTP landscape. +Nevertheless, services used at a technical provider level in the consumer are well-suited for this setup. ![BTP Reuse services](./assets/reuse-services.drawio.svg){width="500px" } 
@@ -449,7 +449,7 @@ CAP offers a simplified consumption of BTP reuse services by leveraging remote s #### 1. Prepare the CF environment Make sure to setup a local CF environment setup as described [here]. -In addition, install the [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) wich is required to manage service brokers. +In addition, install the [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) which is required to manage service brokers. #### 2. Prepare and deploy the provider service @@ -459,7 +459,7 @@ As a first step, clone [`xflights-java`](https://github.com/capire/xflights-java Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. In contrast to the scenarios before, the consumers are not known a priori and might also have a different tenant. -As a consequence, the provider service needs to manage multiple subscribers and hence needs to be a multi-tenant service. +Consequently, the provider service must manage multiple subscribers and therefore must be a multi-tenant service. You can easily enhance the service by adding the `multitenancy` facet: 
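Review bot: the context line `Make sure to setup a local CF environment setup as described [here].` at the top of the -449 hunk has a bare `[here]` with no link target and a doubled "setup"; since the following line is being edited anyway, change it to `Make sure to set up a local CF environment as described [here](#prepare).` (the `#prepare` anchor is the one the App-2-App section already uses). The "wich" fix and the multi-tenant rewording in the -459 hunk are fine.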
@@ -699,9 +699,9 @@ Instead of using the same role, expose dedicated CDS services to technical clien #### How to Authorize Callbacks -For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. -Currently, there is no standadized way to achieve this in CAP so that custom codeing is required. -As a prerequisite*, the CAP service needs to know the clientId of the reuse service's IAS application which should be part of the binding exposed to the CAP service. +For bidirectional communication, callbacks from the reuse service to the CAP service also need to be authorized. +Currently, there is no standardized way to achieve this in CAP, so custom coding is required. +As a prerequisite, the CAP service needs to know the clientId of the reuse service's IAS application, which should be part of the binding exposed to the CAP service. ::: details Sample Code for Authorization of Callbacks From 8dfe991bdc7fae983d650691ea24bd4b5510e19e Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 19:15:23 +0100 Subject: [PATCH 026/120] minor changes --- .../assets/security-customizable.drawio.svg | 32 +++++++++---------- guides/security/overview.md | 15 +++++---- 2 files changed, 25 insertions(+), 22 deletions(-) diff --git a/guides/security/assets/security-customizable.drawio.svg b/guides/security/assets/security-customizable.drawio.svg index 918a8e01e3..f53de15cb7 100644 --- a/guides/security/assets/security-customizable.drawio.svg +++ b/guides/security/assets/security-customizable.drawio.svg @@ -1,9 +1,9 @@ - + - + @@ -28,7 +28,7 @@ - + @@ -53,17 +53,17 @@ - + - + - + @@ -88,7 +88,7 @@ - + @@ -202,13 +202,13 @@ - + -
+
@@ -220,33 +220,33 @@
- + Switching... - + -
+
- Defining Access Rules + Defining Restrictions
- - Defining A... + + Defining R... @@ -319,7 +319,7 @@ - + diff --git a/guides/security/overview.md b/guides/security/overview.md index 7a315490ab..d8866bbf42 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -15,6 +15,9 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ ## Key Concepts { #key-concepts } +CAP's security architecture is built on several fundamental principles that enable flexible, secure, and maintainable applications. +These concepts work together to provide comprehensive security while maintaining developer productivity and operational efficiency. + ### Pluggable Building Blocks { #key-concept-pluggable } CAP divides the different security-related tasks into separate and independent building blocks, each with a standard CAP implementation suitable for most scenarios: @@ -23,12 +26,12 @@ CAP divides the different security-related tasks into separate and independent b - [Authentication](./authentication ) - [CAP Users](./cap-users) -- [Authorization](./authorization) +- [CAP Authorization](./authorization) - [Remote Authentication](./remote-authentication) **By separating these concerns**, CAP ensures that each security function can be configured and customized independently without affecting other parts of the system, providing maximum flexibility. -For example, authentication can be delegated to a separate ingress component, while authorization remains within the application service close to the data. +For example, authentication can be delegated to a [separate ingress component](./authentication#fully-auth), while authorization remains within the application service close to the data. ### Customizable { #key-concept-customizable } 
@@ -38,7 +41,7 @@ Moreover, this integration helps to easily incorporate non-CAP and even non-BTP ![Overview Customizable Components with CAP](./assets/security-customizable.drawio.svg){width="600px" } -For instance, it is possible to define specific endpoints with a custom authentication strategy. +For instance, it is possible to define specific endpoints with a [custom authentication strategy](./authentication#custom-auth). Likewise, the CAP representation of the request user can be overruled to match additional, application-specific requirements. ### Built on Best of Breed { #key-concept-platform-services } @@ -48,7 +51,7 @@ Instead, **CAP seamlessly integrates with battle-tested [platform services](#btp This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. Built on platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. -Most notably, authentication is covered by [platform's identity services](#identity-service). +Most notably, authentication is covered by CAP-integration of [platform's identity services](./authentication#ias-auth). Likewise, TLS termination is offered by the [platform infrastructure](#platform-environment). ![Overview Platform Integration with CAP](./assets/security-platform-integration.drawio.svg){width="600px" } 
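Review bot: in the -48 hunk, `covered by CAP-integration of [platform's identity services]` should read `covered by CAP's integration of the [platform's identity services]`; the hyphenated form is not an English phrase. The -38 hunk's retarget to `./authentication#custom-auth` is consistent with the other `./authentication#...` links in this file.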
@@ -59,7 +62,7 @@ As security functions are factorized into independent components, **application This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. -For instance, CAP allows performing outbound service calls via Remote Services while handling authentication under the hood completely. +For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication under the hood completely](./security/remote-authentication#remote-services). This abstraction layer ensures that developers do not need to worry about the details of authentication. @@ -68,7 +71,7 @@ This abstraction layer ensures that developers do not need to worry about the de CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code accordingly. CAP's security autoconfiguration approach significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are safely controlled**. -For instance, endpoints of deployed CAP applications are automatically authenticated, providing a secure baseline. +For instance, endpoints of deployed CAP applications are [automatically authenticated](./authentication#model-auth), providing a secure baseline. Making endpoints public requires manual configuration in either the CAP model or the middleware. From 30bfe76604e4df63155a26d7dfd046ec677dbfef Mon Sep 17 00:00:00 2001 
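Review bot: the new link in the -59 hunk, `./security/remote-authentication#remote-services`, is written from `guides/security/overview.md` and therefore resolves to `guides/security/security/remote-authentication`, which does not exist; it should be `./remote-authentication#remote-services`, matching the `./authentication#...` links used elsewhere in this file. Consider also shortening the link text to `Remote Services` rather than wrapping the whole clause "while handling authentication under the hood completely" in the link.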
From: "matthia.braun@sap.com" Date: Tue, 25 Nov 2025 20:15:23 +0100 Subject: [PATCH 027/120] diagrams --- .../security/assets/authentication.drawio.svg | 131 ++++++++++++ guides/security/assets/cap-users.drawio.svg | 187 ++++++++++++++++++ .../assets/security-components.drawio.svg | 16 +- .../security-platform-integration.drawio.svg | 22 +-- guides/security/authentication.md | 10 +- guides/security/authorization.md | 2 +- guides/security/cap-users.md | 40 ++-- guides/security/overview.md | 1 - guides/security/remote-authentication.md | 12 +- java/security.md | 46 ++--- 10 files changed, 397 insertions(+), 70 deletions(-) create mode 100644 guides/security/assets/authentication.drawio.svg create mode 100644 guides/security/assets/cap-users.drawio.svg diff --git a/guides/security/assets/authentication.drawio.svg b/guides/security/assets/authentication.drawio.svg new file mode 100644 index 0000000000..c98e85a234 --- /dev/null +++ b/guides/security/assets/authentication.drawio.svg @@ -0,0 +1,131 @@ + + + + + + + + + + + + + + + + + +
+
+
+ + + Authentication + + +
+
+
+
+ + Authentication + +
+
+
+ + + + + + + +
+
+
+ + + Token + + +
+
+
+
+ + Token + +
+
+
+ + + + + + + + + +
+
+
+ + Authorization + +
+
+
+
+ + Authorization + +
+
+
+ + + + + + + + + + + + + +
+
+
+ + CAP User + +
+
+
+
+ + CAP User + +
+
+
+ + + + + + + +
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/assets/cap-users.drawio.svg b/guides/security/assets/cap-users.drawio.svg new file mode 100644 index 0000000000..bbd9b644c6 --- /dev/null +++ b/guides/security/assets/cap-users.drawio.svg @@ -0,0 +1,187 @@ + + + + + + + + + + + + +
+
+
+ + Authorization + +
+
+
+
+ + Authorization + +
+
+
+ + + + + + + + + +
+
+
+ + Authentication + +
+
+
+
+ + Authentication + +
+
+
+ + + + + + + + + +
+
+
+ + + Remote Authentication + + +
+
+
+
+ + Remote Authentication + +
+
+
+ + + + + + + + + + + + + + + + + + + + +
+
+
+ + + CAP User + + +
+
+
+
+ + CAP User + +
+
+
+ + + + + + + + + + + + +
+
+
+ + + CAP User + + +
+
+
+
+ + CAP User + +
+
+
+ + + + + + + + + + + + + +
+
+
+ + <<propagate>> + +
+
+
+
+ + <<propagat... + +
+
+
+
+ + + + + Text is not SVG - cannot display + + + +
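Review bot: both new diagrams, `authentication.drawio.svg` and `cap-users.drawio.svg`, end with the draw.io fallback `Text is not SVG - cannot display`, which draw.io emits when labels are written as HTML inside `foreignObject` elements; viewers that load the file as a plain image and do not render embedded HTML show that fallback instead of the labels. Re-export with draw.io's text-as-SVG option if the docs site embeds these via `<img>`, and add the missing trailing newline to both files (`\ No newline at end of file`).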
\ No newline at end of file diff --git a/guides/security/assets/security-components.drawio.svg b/guides/security/assets/security-components.drawio.svg index 9f6fa3359c..34e9978c28 100644 --- a/guides/security/assets/security-components.drawio.svg +++ b/guides/security/assets/security-components.drawio.svg @@ -1,14 +1,14 @@ - + - + - + @@ -35,7 +35,7 @@ - + @@ -62,7 +62,7 @@ - + @@ -130,7 +130,7 @@ - + @@ -169,14 +169,14 @@
- propagation + <<propagate>>
- propagation + <<propagat...
diff --git a/guides/security/assets/security-platform-integration.drawio.svg b/guides/security/assets/security-platform-integration.drawio.svg index e4f36d677c..67945d84a2 100644 --- a/guides/security/assets/security-platform-integration.drawio.svg +++ b/guides/security/assets/security-platform-integration.drawio.svg @@ -1,9 +1,9 @@ - + - + @@ -30,7 +30,7 @@ - + @@ -57,7 +57,7 @@ - + @@ -69,7 +69,7 @@
- Connectivity Service + BTP Connectivity
@@ -77,14 +77,14 @@
- Connectivity Service + BTP Connectivity - + @@ -112,7 +112,7 @@ - + @@ -140,7 +140,7 @@ - + @@ -165,7 +165,7 @@ - + @@ -190,7 +190,7 @@ - + diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 846ba51391..b33317af67 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -2,7 +2,7 @@ # layout: cookbook label: Authentication synopsis: > - This guide explains how to authenticate CAP services and how to work with users. + This guide explains how to authenticate CAP services to resolve CAP users. status: released --- @@ -21,14 +21,16 @@ status: released # Authentication { #authentication } +[[toc]] + +## Pluggable Authentication + In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. CAP applications making use of remote services of any type need to have a proper [remote authentication](#remote-authentication) in place as well. - -[[toc]] - +![Authentication with CAP](./assets/authentication.drawio.svg){width="500px" } According to key concept [Pluggable Building Blocks](key-concept-pluggable), the authentication method can be configured freely. CAP [leverages platform services](#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: diff --git a/guides/security/authorization.md b/guides/security/authorization.md index a7bbd493e2..b7e5711665 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md 
@@ -21,7 +21,7 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ -# Authorization { #authorization } +# CAP Authorization { #authorization } Authorization means restricting access to data by adding respective declarations to CDS models, which are then enforced in service implementations. By adding such declarations, we essentially revoke all default access and then grant individual privileges. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index e5a34febe2..593607f737 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -2,7 +2,7 @@ # layout: cookbook label: CAP Users synopsis: > - This guide introduces to CAP user abstraction. + This guide introduces to CAP user abstraction and role assignments. status: released --- 
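Review bot: the new synopsis line in `cap-users.md`, "This guide introduces to CAP user abstraction and role assignments.", keeps the ungrammatical "introduces to"; make it "This guide introduces the CAP user abstraction and role assignments." The `# CAP Authorization { #authorization }` rename in `authorization.md` keeps the anchor, so existing `#authorization` links stay valid.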
@@ -21,21 +21,17 @@ status: released # CAP Users { #cap-users } -A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. -Referring to the key concepts, the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. -It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). - -Dynamic assignments of roles to users can be done by -- [Authorization Management Service (AMS)](#ams-roles) in case of [IAS authentication](./authentication#ias-auth). -- [XS User Authentication and Authorization Service (XSUAA)](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). +[[toc]] -In addition, CAP users provide an API for [programmatic](#developing-with-users) processing and customization. +## CAP User Abstraction { #claims } -[[toc]] +A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. +Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. +It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). 
-## CAP User Representation { #claims } +![CAP Userse](./assets/cap-users.drawio.svg){width="600px" } -After _successful_ authentication, a CAP user is mainly represented by the following properties: +After _successful_ authentication, a **CAP user** is mainly represented by the following properties: - **_Logon name_** identifying the user uniquely - **_Tenant_** describes the tenant of the user (subscriber or provider) which implies the CDS model and business data container. @@ -72,13 +68,19 @@ CAP users can be classified in multiple dimensions: - A subscriber tenant includes all users of an application customer. -Typically, the provider tenant is not subscribed to a multi-tenant application and therefore has no business users. -In contrast, for a single-tenant application, there is no subscriber tenant, and the provider tenant includes all business users. +Typically, the provider tenant is not subscribed to a [multi-tenant application](../multitenancy/#multitenancy) and therefore has no business users. -| Multi-Tenant Application | Business users | Technical users +| Multi-Tenant Application | Business users | Technical user |---------------------------|----------------|---------------- | Provider Tenant | - | -| Subscriber Tenant | | +| Subscriber Tenants | | + +In contrast, for a single-tenant application, the provider tenant coincides with the only subscriber tenant and therefore contains all business users. + +| Single-Tenant Application | Business users | Technical user +|---------------------------|----------------|---------------- +| Provider (=subscriber) Tenant | | + ::: tip Apart from anonymous users, all users have a unique tenant. 
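Review bot: the added image line in the -21 hunk has a typo in its alt text, `![CAP Userse]`, which assistive technology reads aloud; make it `![CAP Users]`. In the same hunk, the first paragraph under `## CAP User Abstraction { #claims }` links `[user representation](#claims)`, i.e. to its own heading; drop the link or point it at the property list that follows. The split into separate multi-tenant and single-tenant tables in the -72 hunk is a clear improvement.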
@@ -89,7 +91,7 @@ The user types are designed to support various flows, such as: - Backend processing that utilizes platform services on behalf of the technical user of the subscriber tenant. - Asynchronously received messages that process data on behalf of the technical user of a subscriber tenant. - Background tasks that operate on behalf of the technical provider tenant. -- ... +- etc. Find more details about how to [switch the user context](#switching-users) during request processing. @@ -116,6 +118,10 @@ For instance, the role `ReportIssues` allows to work with the `Issues` created b CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. +Dynamic assignments of roles to users can be done by +- [AMS roles](#ams-roles) in case of [IAS authentication](./authentication#ias-auth). +- [XSUAA roles](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). + ::: tip CDS-based authorization deliberately avoids technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the business domain of applications. ::: diff --git a/guides/security/overview.md b/guides/security/overview.md index d8866bbf42..6de23af30a 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -12,7 +12,6 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ [[toc]] - ## Key Concepts { #key-concepts } CAP's security architecture is built on several fundamental principles that enable flexible, secure, and maintainable applications. diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index a0a2ef4dd5..5a83b2c1ce 100644 --- a/guides/security/remote-authentication.md 
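Review bot: replacing `- ...` with `- etc.` in the -89 hunk trades one placeholder for another; since the list is introduced with "such as", delete the bullet. In the -116 hunk, the sentence "Dynamic assignments of roles to users can be done by" runs straight into the bullet list; end it with a colon and put a blank line before the list so stricter renderers do not treat the bullets as paragraph continuation.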
+++ b/guides/security/remote-authentication.md @@ -21,11 +21,7 @@ status: released # Remote Authentication { #remote-authentication } -CAP supports out-of-the-box consumption of various types of [remote services]( #remote-services): - -* [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e., belong to the same trusted [application zone](./overview#application-zone)). -* [External services](#app-to-app) which can be running on non-BTP platforms. -* [BTP reuse services](#ias-reuse) consumed via service binding. +[[toc]] ## Remote Service Abstraction { #remote-services } @@ -43,6 +39,12 @@ At the connectivity layer, the following basic tasks can be addressed genericall CAP's connectivity component handles authentication (IAS, XSUAA, X.509, ZTID, ...), destination (local destination, BTP Destination, BTP Service Binding), and user propagation (technical provider, technical subscriber, named user) transparently through configuration. All three service scenarios can be addressed through configuration variants of the same remote service concept, as shown in the following sections. +CAP supports out-of-the-box consumption of various types of [remote services]( #remote-services): + +* [Co-located services](#co-located-services) as part of the same deployment and bound to the same identity instance (i.e., belong to the same trusted [application zone](./overview#application-zone)). +* [External services](#app-to-app) which can be running on non-BTP platforms. +* [BTP reuse services](#ias-reuse) consumed via service binding. + ## Co-located Services {#co-located-services} diff --git a/java/security.md b/java/security.md index 0eba8a281f..83c5d13ea9 100644 --- a/java/security.md +++ b/java/security.md 
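Review bot: the list relocated in the -43 hunk of `remote-authentication.md` carries over `[remote services]( #remote-services)` with a space after the opening parenthesis; CommonMark tolerates it, but most Markdown linters flag it, so fix it while the block is being moved. Moving the list also leaves the -21 hunk with `# Remote Authentication` followed immediately by `[[toc]]`; a one-line intro before the TOC would keep the page from opening with a table of contents.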
@@ -30,24 +30,24 @@ uacp: Used as link target from Help Portal at https://help.sap.com/products/BTP/ For Web services, authentication is about controlling _who_ is using the service. It typically involves verifying the user's identity, tenant, and validating claims like granted roles. In contrast, authorization makes sure that the user has the required privileges to access the requested resources. Hence, authorization is about controlling _what_ the user is allowed to handle. -Hence both, authentication and authorization, are essential for application security: +Both authentication and authorization are essential for application security: * [Authentication](#authentication) describes how to configure authentication. * [Authorization](#auth) is about resource access control. [Connecting to IAS Services](#outbound-auth) describes how to authenticate outbound calls. ::: warning -Without security configured, CDS services are exposed to public. Proper configuration of authentication __and__ authorization is required to secure your CAP application. +Without security configuration, CDS services are exposed to the public. Proper configuration of authentication __and__ authorization is required to secure your CAP application. ::: ## Authentication { #authentication} Authentication rejects user requests with invalid authentication and limits the possible resource impact. -Rejecting them as soon as possible is one of the reasons why it's not an integral part of the CAP runtime and needs to be configured on the application framework level. In addition, CAP Java is based on a [modular architecture](./developing-applications/building#modular_architecture) and allows flexible configuration of any authentication method. +Rejecting them as soon as possible is one reason why authentication is not an integral part of the CAP runtime and must be configured at the application framework level. 
In addition, CAP Java is based on a [modular architecture](./developing-applications/building#modular_architecture) and allows flexible configuration of any authentication method. By default, it supports the standard BTP platform identity services [out of the box](#xsuaa-ias): -- [SAP Cloud Identity Services Identity Authentication (IAS)](https://help.sap.com/docs/cloud-identity-services) - preferred solution integrating endpoints cross SAP-systems +- [SAP Cloud Identity Services Identity Authentication (IAS)](https://help.sap.com/docs/cloud-identity-services) - preferred solution for integrating endpoints across SAP systems - [SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/authorization-and-trust-management-service) - previous offering scoped to a BTP landscape Which are highly recommended for production usage. For specific use cases, [custom authentication](#custom-authentication) can be configured as well. @@ -64,7 +64,7 @@ These are the individual dependencies that can be explicitly added in the `pom.x ::: -In addition, your application needs to be bound to corresponding service instances depending on your scenario. The following list describes which service needs to be bound depending on the tokens your applications should accept: +Additionally, your application must be bound to corresponding service instances depending on your scenario. The following list describes which service must be bound depending on the tokens your application should accept: * only accept tokens issued by XSUAA --> bind your application to an [XSUAA service instance](../guides/security/authorization#xsuaa-configuration) * only accept tokens issued by IAS --> bind your application to an [IAS service instance](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) * accept tokens issued by XSUAA and IAS --> bind your application to service instances of both types. 
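Review bot: the -30 hunk in `java/security.md` leaves the context line "Which are highly recommended for production usage." as a sentence fragment after the bullet list; fold it into the list intro ("...supports the standard BTP platform identity services, which are highly recommended for production usage:") while the neighbouring lines are being reworded. The binding list in the -64 hunk reads well after the change.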
@@ -84,9 +84,9 @@ On Cloud Foundry, the CAP application needs to be exposed under an additional ro
-On Kyma, it is required to configure an additional component (i.e. a gateway in Istio) which accepts client certificates and forwards them to the application as `X-Forwarded-Client-Cert` header. An example can be found in the Bookshop sample application [here](https://github.com/SAP-samples/cloud-cap-samples-java/tree/ias-ams-kyma/k8s). Besides defining the actual `Gateway` resource, it is required to expose the application under the new domain (see the `values.yaml` [here](https://github.com/SAP-samples/cloud-cap-samples-java/blob/e9c779cb64c0937815910988387b0775d8842765/helm/values.yaml#L47). +On Kyma, you must configure an additional component (a gateway in Istio) that accepts client certificates and forwards them to the application as `X-Forwarded-Client-Cert` header. An example can be found in the Bookshop sample application [here](https://github.com/SAP-samples/cloud-cap-samples-java/tree/ias-ams-kyma/k8s). Besides defining the actual `Gateway` resource, you must expose the application under the new domain (see the `values.yaml` [here](https://github.com/SAP-samples/cloud-cap-samples-java/blob/e9c779cb64c0937815910988387b0775d8842765/helm/values.yaml#L47). -The Proof-Of-Possession also affects approuter calls to a CAP Java application. The approuter needs to be configured to forward the certificate to the CAP application. First, set `forwardAuthCertificates: true` on the destination pointing to your CAP backend (for more details see [the `environment destinations` section on npmjs.org](https://www.npmjs.com/package/@sap/approuter#environment-destinations)). Second, configure the destination to use the route of the CAP backend that has been configured to accept client certificates as described previously. +The Proof-Of-Possession also affects approuter calls to a CAP Java application. You must configure the approuter to forward the certificate to the CAP application. 
First, set `forwardAuthCertificates: true` on the destination pointing to your CAP backend (for more details see [the `environment destinations` section on npmjs.org](https://www.npmjs.com/package/@sap/approuter#environment-destinations)). Second, configure the destination to use the route of the CAP backend that has been configured to accept client certificates as described previously. When authenticating incoming requests with IAS, the Proof-Of-Possession is activated by default. This requires using at least version `3.5.1` of the [SAP BTP Spring Security Client](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) library. @@ -127,7 +127,7 @@ service BooksService @(requires: 'any') { ::: tip -For multitenant applications, it's required to authenticate all endpoints as the tenant information is essential for processing the request. +For multitenant applications, you must authenticate all endpoints because tenant information is essential for processing requests. ::: There are several application parameters in section `cds.security.authentication` that influence the behaviour of the auto-configuration: @@ -138,7 +138,7 @@ There are several application parameters in section `cds.security.authentication | `authenticateUnknownEndpoints` | Determines, if security configurations enforce authentication for endpoints not managed by protocol-adapters. | `true` | `authenticateMetadataEndpoints` | Determines, if OData $metadata endpoints enforce authentication. | `true` -The following properties can be used to switch off automatic security configuration at all: +The following properties can be used to disable automatic security configuration: | Configuration Property | Description | Default | :---------------------------------------------------- | :----------------------------------------------------- | ------------ 
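Review bot: in the -84 hunk, the sentence ending `(see the `values.yaml` [here](https://github.com/SAP-samples/cloud-cap-samples-java/blob/.../helm/values.yaml#L47).` is missing its closing parenthesis in both the old and the new version; add `)` after the link. Since the same paragraph tells readers to have the Istio gateway forward client certificates as the `X-Forwarded-Client-Cert` header, which the application then trusts, it is worth one sentence stating that the gateway must overwrite any `X-Forwarded-Client-Cert` value supplied by the caller rather than append to it (Envoy's `forwardClientCertDetails` has sanitizing modes for this); the linked Kyma sample is the natural place to show the setting.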
@@ -156,16 +156,16 @@ The property `cds.security.authentication.mode` controls the strategy used for a By default the authentication mode is set to `model-strict` to comply with secure-by-default. In that case you can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again. -Please note that it's only possible to make an endpoint public, if the full endpoint path is considered public as well. +You can only make an endpoint public if the full endpoint path is also considered public. For example you can only make an entity public, if the service that contains it is also considered public. ::: tip -Please note that the authentication mode has no impact on the *authorization* behaviour. +The authentication mode has no impact on the *authorization* behaviour. ::: #### Customizing Spring Boot Security Configuration { #custom-spring-security-config} If you want to explicitly change the automatic security configuration, you can add an _additional_ Spring security configuration on top that overrides the default configuration by CAP. -This can be useful, for instance, if an alternative authentication method is required for *specific endpoints* of your application. +This can be useful if an alternative authentication method is required for *specific endpoints* of your application. As the default security configurations provided by CAP act as the last line of defense and handle any request by default, you need to ensure that your custom security configurations have higher precedence. At the `SecurityFilterChain` bean method, set the `@Order` annotation with a lower numeric value, for example `1`: 
@@ -218,9 +218,9 @@ In case you want to write your own custom security configuration that acts as a ### Custom Authentication { #custom-authentication} -You're free to configure any authentication method according to your needs. CAP isn't bound to any specific authentication method or user representation such as introduced with XSUAA, it rather runs the requests based on a [user abstraction](../guides/security/authorization#user-claims). The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in [Enforcement API & Custom Handlers](#enforcement-api). +You can configure any authentication method according to your needs. CAP is not bound to any specific authentication method or user representation such as those introduced with XSUAA; it runs requests based on a [user abstraction](../guides/security/authorization#user-claims). The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in [Enforcement API & Custom Handlers](#enforcement-api). -Hence, if you bring your own authentication, you have to transform the authenticated user and inject as `UserInfo` to the current request. This is done by means of [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers). 
+Therefore, if you bring your own authentication, you must transform the authenticated user and inject it as `UserInfo` to the current request. This is done by means of [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers). More frequently you might have the requirement to just adapt the request's `UserInfo` which is possible with the same interface: 
@@ -270,12 +270,12 @@ Mock users are only initialized if the `org.springframework.boot:spring-boot-sta #### Preconfigured Mock Users -For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/authorization#pseudo-roles). They are named `authenticated`, `system` and `privileged` and can be used with an empty password. For instance, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. The privileged user will pass any authorization checks. `cds.security.mock.defaultUsers = false` prevents the creation of default mock users at startup. +For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/authorization#pseudo-roles). They are named `authenticated`, `system` and `privileged` and can be used with an empty password. For example, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. The privileged user will pass any authorization checks. `cds.security.mock.defaultUsers = false` prevents the creation of default mock users at startup. #### Explicitly Defined Mock Users You can also define mock users explicitly. This mock user configuration only applies if: -* The service runs without an XSUAA service binding (non-productive mode) +* The service runs without an XSUAA service binding (non-production mode) * Mock users are defined in the active application configuration Define the mock users in a Spring profile, which may be only active during testing, as in the following example: 
@@ -307,7 +307,7 @@ cds: - "*" ``` ::: -- Mock user with name `Viewer-User` is a typical business user with SaaS-tenant `CrazyCars` who has assigned role `Viewer` and user attribute `Country` (`$user.Country` evaluates to value list `[GER, FR]`). This user also has the additional attribute `email`, which can be retrieved with `UserInfo.getAdditionalAttribute("email")`. The [features](../java/reflection-api#feature-toggles) `cruise` and `park` are enabled for this mock user. +- Mock user with name `Viewer-User` is a typical business user with SaaS tenant `CrazyCars` who has the assigned role `Viewer` and user attribute `Country` (`$user.Country` evaluates to the value list `[GER, FR]`). This user also has the additional attribute `email`, which can be retrieved with `UserInfo.getAdditionalAttribute("email")`. The [features](../java/reflection-api#feature-toggles) `cruise` and `park` are enabled for this mock user. - `Admin-User` is a user running in privileged mode. Such a user is helpful in tests that bypasses all authorization handlers. Property `cds.security.mock.enabled = false` disables any mock user configuration (default in production profile). @@ -427,7 +427,7 @@ The API identifiers exposed by the IAS instance in list `provided-apis` are gran ::: warning Use different roles for technical and business users Use different CAP roles for technical clients without user propagation and for named business users. -Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice verse. +Instead of using the same role, expose dedicated CDS services to technical clients that are not accessible to business users and vice versa. ::: #### Consumer Application 
@@ -588,15 +588,15 @@ The service plan names as specified in `consumed-services` in the IAS instance a ::: warning Use different roles for technical and business users Use different CAP roles for technical clients without user propagation and for named business users. -Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. +Instead of using the same role, expose dedicated CDS services to technical clients that are not accessible to business users and vice versa. ::: #### How to Authorize Callbacks For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. -Currently, there is no standadized way to achieve this in CAP so that custom codeing is required. -As a prerequisite*, the CAP service needs to know the clientId of the reuse service's IAS application which should be part of the binding exposed to the CAP service. +Currently, there is no standardized way to achieve this in CAP, so custom coding is required. +As a prerequisite, the CAP service must know the clientId of the reuse service's IAS application, which should be part of the binding exposed to the CAP service. ::: details Sample Code for Authorization of Callbacks 
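Review bot: in the Custom Authentication hunk the rewritten sentence still carries two grammar slips that can be fixed while the line is touched: "inject it as `UserInfo` to the current request" should read "into the current request", and "by means of [UserInfoProvider](…) interface that can be implemented as Spring bean" should read "by means of the `UserInfoProvider` interface, which can be implemented as a Spring bean". In the mock-user hunk the unchanged neighbour of the rewritten bullet, "`Admin-User` is a user running in privileged mode. Such a user is helpful in tests that bypasses all authorization handlers.", should say "tests that bypass" (or "a user that bypasses"); since the bullet above it is already reworded in this hunk, it is cheap to fix here too.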
@@ -619,7 +619,7 @@ CAP Java SDK provides a comprehensive authorization service. By defining authori - [Role-based authorization](../guides/security/authorization#requires) allows to restrict resource access depending on user roles. - [Instance-based authorization](../guides/security/authorization#instance-based-auth) allows to define user privileges even on entity instance level, that is, a user can be restricted to instances that fulfill a certain condition. -It's recommended to configure authorization declaratively in the CDS model. If necessary, custom implementations can be built on the [Authorization API](#enforcement-api). +We recommend configuring authorization declaratively in the CDS model. When necessary, you can build custom implementations on the [Authorization API](#enforcement-api). A precise description of the general authorization capabilities in CAP can be found in the [Authorization](../guides/security/authorization) guide. @@ -751,7 +751,7 @@ The most helpful getters in `UserInfo` are listed in the following table: | `getRoles()` | Returns the roles of the current user | | `getAttributeValues(String attribute)` | Returns the value list of the given user attribute. Referred by `$user.`. | -It's also possible to modify the `UserInfo` object for internal calls. See section [Request Contexts](./event-handlers/request-contexts) for more details. +You can also modify the `UserInfo` object for internal calls. See section [Request Contexts](./event-handlers/request-contexts) for more details. For instance, you might want to run internal service calls in privileged mode that bypasses authorization checks: ```java From 252021f874d60f34467a79b6ef2271357a1a8d9b Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 26 Nov 2025 15:09:21 +0100 Subject: [PATCH 028/120] fixed AMS aspect --- guides/security/cap-users.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 593607f737..85635261aa 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -374,7 +374,10 @@ The attribute should have cross-sectional semantics in the domain. As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation at the level of a shared aspect as sketched here: ```cds -aspect withGenre @ams.attributes: { Genre: (genre.name) } { +@ams.attributes: { + Genre: (genre.name) +} +aspect withGenre { genre : Association to Genres; } From a31cba0fb151922d5c1d701ef6393397e379242b Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 26 Nov 2025 18:01:20 +0100 Subject: [PATCH 029/120] autorizations --- .../security/assets/authorization.drawio.svg | 102 ++++++ guides/security/authorization.md | 307 +++--------------- 2 files changed, 147 insertions(+), 262 deletions(-) create mode 100644 guides/security/assets/authorization.drawio.svg diff --git a/guides/security/assets/authorization.drawio.svg b/guides/security/assets/authorization.drawio.svg new file mode 100644 index 0000000000..1f07079dd4 --- /dev/null +++ b/guides/security/assets/authorization.drawio.svg @@ -0,0 +1,102 @@ + + + + + + + + + + + + +
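Review bot: the `withGenre` hunk moves `@ams.attributes: { Genre: (genre.name) }` from the inline position after the aspect name to a prefix annotation before `aspect withGenre {`, but neither the commit message ("fixed AMS aspect") nor the sentence introducing the snippet says what was wrong with the inline form; one clause stating the reason (compile error, annotation not picked up, or readability) would tell readers who copied the earlier snippet whether they have to change their model. The prefix form itself is consistent with how annotations are written elsewhere in these guides, so the change reads fine on its own.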
+
+
+ + + Authorization + + +
+
+
+
+ + Authorization + +
+
+
+ + + + + + + + + +
+
+
+ + Authentication + +
+
+
+
+ + Authentication + +
+
+
+ + + + + + + + + + + + + + + + +
+
+
+ + + CAP User + + +
+
+
+
+ + CAP User + +
+
+
+ + + +
+ + + + + Text is not SVG - cannot display + + + +
\ No newline at end of file diff --git a/guides/security/authorization.md b/guides/security/authorization.md index b7e5711665..66703d448d 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md 
@@ -23,36 +23,42 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ # CAP Authorization { #authorization } -Authorization means restricting access to data by adding respective declarations to CDS models, which are then enforced in service implementations. By adding such declarations, we essentially revoke all default access and then grant individual privileges. +This guide explains how to restrict access to data by adding respective declarations to CDS models, which are then enforced by CAP's generic service providers. [[toc]] +## Declarative Access Control { #restrictions} +In essence, [authentication](./authentication#authentication) verifies the user's identity and the presented claims. Briefly, authentication reveals _who_ is using the service. +In contrast, **authorization controls _how_ the user may interact with the application's resources**. +As the access control depends on the user information, authentication is a prerequisite to authorization. -## Authentication as Prerequisite { #prerequisite-authentication} +![Authoriztion with CAP](./assets/authorization.drawio.svg){width="500px"} -In essence, authentication verifies the user's identity and the presented claims such as granted roles and tenant membership. Briefly, **authentication** reveals _who_ uses the service. In contrast, **authorization** controls _how_ the user can interact with the application's resources according to granted privileges. As the access control needs to rely on verified claims, authentication is a prerequisite to authorization. +CAP authorization modeling means restricting user access to application resources in a declarative way. +The decisive point here is that the application logic does not need to contribute any security-critical code for this, but can rely on the generic framework. -From perspective of CAP, the authentication method is freely customizable. 
For convenience, a set of authentication methods is supported out of the box to cover most common scenarios: +There are several levels to put access rules on CDS resources: +- [Static access control](#static-access-control) limits access to CDS services on a general level independently from users. +- [Role-based access control](#role-based-access-control) controls resource access according to roles granted by user administrators. +- [Instance-based access control](#instance-based-auth) even allows entity-level filters that usually depend on user criteria. -- [XS User and Authentication and Authorization service](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) (XSUAA) is a full-fleged [OAuth 2.0](https://oauth.net/2/) authorization server which allows to protect your endpoints in productive environments. JWT tokens issued by the server not only contain information about the user for authentication, but also assigned scopes and attributes for authorization. -- [Identity Authentication Service](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) (IAS) is an [OpenId Connect](https://openid.net/connect/) compliant service for next-generation identity and access management. As of today, CAP provides IAS authentication for incoming requests only. Authorization has to be explicitly managed by the application. -- For _local development_ and _test_ scenario mock user authentication is provided as built-in feature. +But **by default, CDS services have no access control** which means that authenticated users have access to all entities without any restrictions. -Find detailed instructions for setting up authentication in these runtime-specific guides: - -- [Set up authentication in Node.js.](/node.js/authentication) -- [Set up authentication in Java.](/java/security#authentication) +::: warning +Applications need to ensure a proper authorization which is highly dependent from the domain model and therefore cannot be enforced by CAP out of the box. 
+::: +Finally, according to key concept [Customizable Security](./overview#key-concept-customizable), applications can introduce custom authorization code for special scenarios. -In _productive_ environment with security middleware activated, **all protocol adapter endpoints are authenticated by default**1, even if no [restrictions](#restrictions) are configured. Multi-tenant SaaS-applications require authentication to provide tenant isolation out of the box. In case there is the business need to expose open endpoints for anonymous users, it's required to take extra measures depending on runtime and security middleware capabilities. -> 1 Starting with CAP Node.js 6.0.0 resp. CAP Java 1.25.0. _In previous versions endpoints without restrictions are public in single-tenant applications_. +## Static Access Control { #static-access-control } -### Defining Internal Services +### Internal Services -CDS services which are only meant for *internal* usage, shouldn't be exposed via protocol adapters. In order to prevent access from external clients, annotate those services with `@protocol: 'none'`: +CDS services which are only meant for *internal* usage, shouldn't be exposed via protocol adapters. +In order to prevent access from *any* external clients, annotate those services with `@protocol: 'none'`: ```cds @protocol: 'none' @@ -60,107 +66,8 @@ service InternalService { ... } ``` -The `InternalService` service can only receive events sent by in-process handlers. - -## User Claims { #user-claims} - -CDS authorization is _model-driven_. This basically means that it binds access rules for CDS model elements to user claims. For instance, access to a service or entity is dependent on the role a user has been assigned to. Or you can even restrict access on an instance level, for example, to the user who created the instance.
-The generic CDS authorization is built on a _CAP user concept_, which is an _abstraction_ of a concrete user type determined by the platform's identity service. This design decision makes different authentication strategies pluggable to generic CDS authorization.
-After successful authentication, a (CAP) user is represented by the following properties: - -- Unique (logon) _name_ identifying the user. Unnamed users have a fixed name such as `system` or `anonymous`. -- _Tenant_ for multitenant applications. -- _Roles_ that the user has been granted by an administrator (see [User Roles](#roles)) or that are derived by the authentication level (see [Pseudo Roles](#pseudo-roles)). -- _Attributes_ that the user has been assigned by an administrator. - -In the CDS model, some of the user properties can be referenced with the `$user` prefix: - -| User Property | Reference | -|-------------------------------|---------------------| -| Name | `$user` | -| Attribute (name \) | `$user.` | - -> A single user attribute can have several different values. For instance, the `$user.language` attribute can contain `['DE','FR']`. - - -### User Roles { #roles} - -As a basis for access control, you can design conceptual roles that are application specific. Such a role should reflect how a user can interact with the application. For instance, the role `Vendor` could describe users who are allowed to read sales articles and update sales figures. In contrast, a `ProcurementManager` can have full access to sales articles. Users can have several roles, that are assigned by an administrative user in the platform's authorization management solution. -::: tip -CDS-based authorization deliberately refrains from using technical concepts, such as _scopes_ as in _OAuth_, in favor of user roles, which are closer to the conceptual domain of business applications. This also results in much **smaller JWT tokens**. -::: - - -### Pseudo Roles { #pseudo-roles} - -It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _authentication level_ of the request. For instance, a service could be accessible not only for identified, but also for anonymous (for example, unauthenticated) users. 
Such roles are called pseudo roles as they aren't assigned by user administrators, but are added at runtime automatically. - -The following predefined pseudo roles are currently supported by CAP: - -* `authenticated-user` refers to named or unnamed users who have presented a valid authentication claim such as a logon token. -* [`system-user` denotes an unnamed user used for technical communication.](#system-user) -* [`internal-user` is dedicated to distinguish application internal communication.](#internal-user) -* `any` refers to all users including anonymous ones (that means, public access without authentication). - -#### system-user -The pseudo role `system-user` allows you to separate access by _technical_ users from access by _business_ users. Note that the technical user can come from a SaaS or the PaaS tenant. Such technical user requests typically run in a _privileged_ mode without any restrictions on an instance level. For example, an action that implements a data replication into another system needs to access all entities of subscribed SaaS tenants and can’t be exposed to any business user. Note that `system-user` also implies `authenticated-user`. - -::: tip -For XSUAA or IAS authentication, the request user is attached with the pseudo role `system-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` for a trusted client application. -::: - -#### internal-user -Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own PaaS tenant (technical communication). The advantage is that similar to `system-user` no technical CAP roles need to be defined to protect such internal endpoints. However, in contrast to `system-user`, the endpoints protected by this pseudo-role do not allow requests from any external technical clients. 
Hence is suitable for **technical intra-application communication**, see [Security > Application Zone](/guides/security/overview#application-zone). - -::: tip -For XSUAA or IAS authentication, the request user is attached with the pseudo role `internal-user` if the presented JWT token has been issued with grant type `client_credentials` or `client_x509` on basis of the **identical** XSUAA or IAS service instance. -::: - -::: warning -All technical clients that have access to the application's XSUAA or IAS service instance can call your service endpoints as `internal-user`. -**Refrain from sharing this service instance with untrusted clients**, for instance by passing services keys or [SAP BTP Destination Service](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-destinations-from-scratch) instances. -::: - -### Mapping User Claims - -Depending on the configured [authentication](#prerequisite-authentication) strategy, CAP derives a *default set* of user claims containing the user's name and attributes: - -| CAP User Property | XSUAA JWT Property | IAS JWT Property | -|---------------------|----------------------------------|-------------------------| -| `$user` | `user_name` | `sub` | -| `$user.` | `xs.user.attributes.` | All non-meta attributes | +`InternalService` can only receive events sent by in-process handlers. -::: tip -CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. -::: - -In most cases, CAP's default mapping will match your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, `user_name` in XSUAA tokens is generally not unique if several customer IdPs are connected to the underlying identity service. -Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you implement in a custom adaptation. 
Similarly, attribute values can be normalized and prepared for [instance-based authorization](#instance-based-auth). Find details and examples how to programmatically redefine the user mapping here: - -- [Set up Authentication in Node.js.](/node.js/authentication) -- [Custom Authentication in Java.](/java/security#custom-authentication) - -::: warning Be very careful when redefining `$user` -The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. Also consider data protection and privacy regulations when storing user data. -::: - -## Restrictions { #restrictions} - -According to [authentication](#prerequisite-authentication), CAP endpoints are closed to anonymous users. But **by default, CDS services have no access control** which means that authenticated users are not restricted. To protect resources according to your business needs, you can define [restrictions](#restrict-annotation) that make the runtime enforce proper access control. Alternatively, you can add custom authorization logic by means of an [authorization enforcement API](#enforcement). - -Restrictions can be defined on *different CDS resources*: - -- Services -- Entities -- (Un)bound actions and functions - -You can influence the scope of a restriction by choosing an adequate hierarchy level in the CDS model. For instance, a restriction on the service level applies to all entities in the service. Additional restrictions on entities or actions can further limit authorized requests. See [combined restrictions](#combined-restrictions) for more details. - -Beside the scope, restrictions can limit access to resources with regards to *different dimensions*: - -- The [event](#restricting-events) of the request, that is, the type of the operation (what?) -- The [roles](#roles) of the user (who?) -- [Filter-condition](#instance-based-auth) on instances to operate on (which?) ### @readonly and @insertonly { #restricting-events} 
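Review bot: the two restructuring hunks above delete headings whose anchors this same patch series still links to. `## User Claims { #user-claims}` and `### Pseudo Roles { #pseudo-roles}` are removed here, while PATCH 001 in this series rewrites java/security.md to link to `../guides/security/authorization#user-claims` and `../guides/security/authorization#pseudo-roles`; either carry the ids over to the headings in cap-users.md (or wherever the content moved) and retarget those links in the same series, or keep the anchors here, otherwise the guide-to-guide links dangle between commits. Two small points in the first hunk: the image alt text `![Authoriztion with CAP]` is misspelled, and "highly dependent from the domain model" should read "dependent on". Also worth checking: the removed paragraph stating that in a productive environment all protocol adapter endpoints are authenticated by default (with its CAP Node.js 6.0.0 / CAP Java 1.25.0 footnote) and the removed `internal-user` warning about not sharing the application's XSUAA or IAS service instance with untrusted clients are not restated in the new text; if they moved to authentication.md, the new `[authentication](./authentication#authentication)` link should land near them, and if not, they should stay in this guide, since both describe security-relevant defaults readers rely on.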
@@ -241,6 +148,28 @@ This results in the following access matrix: CodeLists such as `Languages`, `Currencies`, and `Countries` from `sap.common` are annotated with `@cds.autoexpose` and so are explicitly auto-exposed. ::: +## Role-Based Access Control { #role-based-access-control } + +To protect resources according to your business needs, you can define [restrictions](#restrict-annotation) that make the runtime enforce proper access control. +Alternatively, you can add custom authorization logic by means of an [authorization enforcement API](#enforcement). + +Restrictions can be defined on *different CDS resources*: + +- Services +- Entities +- (Un)bound actions and functions + +You can influence the scope of a restriction by choosing an adequate hierarchy level in the CDS model. +For instance, a restriction on the service level applies to all entities in the service. +Additional restrictions on entities or actions can further limit authorized requests. +See [combined restrictions](#combined-restrictions) for more details. + +Beside the scope, restrictions can limit access to resources with regards to *different dimensions*: + +- The [event](#restricting-events) of the request, that is, the type of the operation (what?) +- The [roles](#roles) of the user (who?) +- [Filter-condition](#instance-based-auth) on instances to operate on (which?) + ### @requires { #requires} You can use the `@requires` annotation to control which (pseudo-)role a user requires to access a resource: 
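Review bot: the Role-Based Access Control text added here links to `#roles` and `#enforcement`, but within this same patch `### User Roles { #roles}` (hunk `@@ -60,107`) and `## Programmatic Enforcement { #enforcement}` (hunk `@@ -847,149`) are deleted, so both links break on the rendered page; point them at wherever roles and the enforcement APIs now live (the deleted section linked to `/node.js/authentication#enforcement` and `/java/security#enforcement-api`, which could be used directly) or keep the ids on the moved headings. Minor wording in the same lines: "Beside the scope" should be "Besides the scope", and "with regards to" should be "with regard to".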
@@ -483,7 +412,7 @@ We recommend defining restrictions on a database entity level only in exceptiona A service level entity can't inherit a restriction with a `where` condition that doesn't match the projected entity. The restriction has to be overridden in this case. ::: -## Instance-Based Authorization { #instance-based-auth } +## Instance-Based Access Control { #instance-based-auth } The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes an *instance-based authorization*. 
@@ -847,149 +776,3 @@ service CustomerService @(requires: 'authenticated-user'){ ::: This keeps your actual service definitions concise and focused on structure only. It also allows you to give authorization models separate ownership and lifecycle. - - -## Programmatic Enforcement { #enforcement} - -The service provider frameworks **automatically enforce** restrictions in generic handlers. They evaluate the annotations in the CDS models and, for example: - -* Reject incoming requests if static restrictions aren't met. -* Add corresponding filters to queries for instance-based authorization, etc. - -If generic enforcement doesn't fit your needs, you can override or adapt it with **programmatic enforcement** in custom handlers: - -- [Authorization Enforcement in Node.js](/node.js/authentication#enforcement) -- [Enforcement API & Custom Handlers in Java](/java/security#enforcement-api) - -## Role Assignments with IAS and AMS - -The Authorization Management Service (AMS) as part of SAP Cloud Identity Services (SCI) provides libraries and services for developers of cloud business applications to declare, enforce and manage instance based authorization checks. When used together with CAP the AMS "Policies” can contain the CAP roles as well as additional filter criteria for instance based authorizations that can be defined in the CAP model. transformed to AMS policies and later on refined by customers user and authorization administrators in the SCI administration console and assigned to business users. - -### Use AMS as Authorization Management System on SAP BTP - -SAP BTP is currently replacing the authorization management done with XSUAA by an integrated solution with AMS. AMS is integrated into SAP Cloud Identity (SCI), which will offer authentication, authorization, user provisioning and management in one place. - -For newly build applications the usage of AMS is generally recommended. 
The only constraint that comes with the usage of AMS is that customers need to copy their users to the Identity Directory Service as the central place to manage users for SAP BTP applications. This is also the general SAP strategy to simplify user management in the future. - -### Case For XSUAA - -There is one use case where currently an XSUAA based authorization management is preferable: When XSUAA based services to be consumed by a CAP application come with their own business user roles and thus make user role assignment in the SAP Cloud Cockpit necessary. This will be resolved in the future when the authorization management will be fully based on the SCI Admin console. - -For example, SAP Task Center you want to consume an XSUAA-based service that requires own end user role. Apart from this, most services should be technical services that do not require an own authorization management that is not yet integrated in AMS. - - - -[Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} - - -## Role Assignments with XSUAA { #xsuaa-configuration} - -Information about roles and attributes has to be made available to the UAA platform service. This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. In particular, the following happens automatically behind-the-scenes upon build: - - -### 1. 
Roles and Attributes Are Filled into the XSUAA Configuration - -Derive scopes, attributes, and role templates from the CDS model: - -```sh -cds add xsuaa -``` - -This generates an _xs-security.json_ file: - -::: code-group -```json [xs-security.json] -{ - "scopes": [ - { "name": "$XSAPPNAME.admin", "description": "admin" } - ], - "attributes": [ - { "name": "level", "description": "level", "valueType": "s" } - ], - "role-templates": [ - { "name": "admin", "scope-references": [ "$XSAPPNAME.admin" ], "description": "generated" } - ] -} -``` -::: - -For every role name in the CDS model, one scope and one role template are generated with the exact name of the CDS role. - -::: tip Re-generate on model changes -You can have such a file re-generated via -```sh -cds compile srv --to xsuaa > xs-security.json -``` -::: - -See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) in the SAP HANA Platform documentation for the syntax of the _xs-security.json_ and advanced configuration options. - - -::: warning Avoid invalid characters in your models -Roles modeled in CDS may contain characters considered invalid by the XSUAA service. -::: - -If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. - -### 2. XSUAA Configuration Is Completed and Published - -#### Through MTA Build - -If there's no _mta.yaml_ present, run this command: - -```sh -cds add mta -``` - -::: details See what this does in the background… - -1. It creates an _mta.yaml_ file with an `xsuaa` service. -2. The created service added to the `requires` section of your backend, and possibly other services requiring authentication. 
-::: code-group -```yaml [mta.yaml] -modules: - - name: bookshop-srv - requires: - - bookshop-auth # [!code ++] -resources: - name: bookshop-auth # [!code ++] - type: org.cloudfoundry.managed-service # [!code ++] - parameters: # [!code ++] - service: xsuaa # [!code ++] - service-plan: application # [!code ++] - path: ./xs-security.json # include cds managed scopes and role templates [!code ++] - config: # [!code ++] - xsappname: bookshop-${org}-${space} # [!code ++] - tenant-mode: dedicated # 'shared' for multitenant deployments [!code ++] -``` -::: - - -Inline configuration in the _mta.yaml_ `config` block and the _xs-security.json_ file are merged. If there are conflicts, the [MTA security configuration](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) has priority. - -[Learn more about **building and deploying MTA applications**.](/guides/deployment/){ .learn-more} - -### 3. Assembling Roles and Assigning Roles to Users - -This is a manual step an administrator would do in SAP BTP Cockpit. See [Set Up the Roles for the Application](/node.js/authentication#auth-in-cockpit) for more details. If a user attribute isn't set for a user in the IdP of the SAP BTP Cockpit, this means that the user has no restriction for this attribute. For example, if a user has no value set for an attribute "Country", they're allowed to see data records for all countries. -In the _xs-security.json_, the `attribute` entity has a property `valueRequired` where the developer can specify whether unrestricted access is possible by not assigning a value to the attribute. - - -### 4. Scopes Are Narrowed to Local Roles - -Based on this, the JWT token for an administrator contains a scope `my.app.admin`. From within service implementations of `my.app` you can reference the scope: - -```js -req.user.is ("admin") -``` -... and, if necessary, from others by: - -```js -req.user.is ("my.app.admin") -``` - -
- -> See the following sections for more details: -- [Developing Security Artifacts in SAP BTP](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/419ae2ef1ddd49dca9eb65af2d67c6ec.html) -- [Maintaining Application Security in XS Advanced](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/35d910ee7c7a445a950b6aad989a5a26.html) From 0a6f78fd9a46607515aef2187357e74828034ea5 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 27 Nov 2025 11:22:58 +0100 Subject: [PATCH 030/120] authorizations restructured --- guides/security/authorization.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 66703d448d..c08f434708 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md
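Review bot: the removed `## Role Assignments with XSUAA { #xsuaa-configuration}` section takes its `#xsuaa-configuration` anchor with it, and nothing in this hunk adds a stub or redirect; the Unrestricted XSUAA Attributes section of the same file still links `[XSUAA instances](#xsuaa-configuration)`, so that link dangles after this commit. Either keep a one-line section under that id pointing at the new home of the XSUAA material, or retarget the inbound links in the same commit. Also worth preserving somewhere: the removed text was the only place stating the scope naming contract (`For every role name in the CDS model, one scope and one role template are generated with the exact name of the CDS role` and `these scope names will be checked at runtime`); `@requires`/`@restrict` role names silently stop matching if someone renames scopes in `xs-security.json`, so that sentence should survive the move.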
@@ -40,17 +40,18 @@ CAP authorization modeling means restricting user access to application resource The decisive point here is that the application logic does not need to contribute any security-critical code for this, but can rely on the generic framework. There are several levels to put access rules on CDS resources: -- [Static access control](#static-access-control) limits access to CDS services on a general level independently from users. -- [Role-based access control](#role-based-access-control) controls resource access according to roles granted by user administrators. +- [Static access control](#static-access-control) limits access to CDS services on a general level independently from the request user. +- [Role-based access control](#role-based-access-control) derives recource access rules from roles granted by user administrators. - [Instance-based access control](#instance-based-auth) even allows entity-level filters that usually depend on user criteria. -But **by default, CDS services have no access control** which means that authenticated users have access to all entities without any restrictions. +**By default, CDS services have no access control** which means that without authorization modelling authenticated users have access to all entities. ::: warning -Applications need to ensure a proper authorization which is highly dependent from the domain model and therefore cannot be enforced by CAP out of the box. +**Applications must implement proper authorization.** CAP cannot enforce this automatically as it depends entirely on the specific domain model. ::: -Finally, according to key concept [Customizable Security](./overview#key-concept-customizable), applications can introduce custom authorization code for special scenarios. 
+Finally, according to key concept [Customizable Security](./overview#key-concept-customizable), +applications can implement [custom authorization logic](./cap-users#developing-with-users) for exceptional scenarios when declarative approaches are insufficient. ## Static Access Control { #static-access-control } @@ -150,8 +151,7 @@ CodeLists such as `Languages`, `Currencies`, and `Countries` from `sap.common` a ## Role-Based Access Control { #role-based-access-control } -To protect resources according to your business needs, you can define [restrictions](#restrict-annotation) that make the runtime enforce proper access control. -Alternatively, you can add custom authorization logic by means of an [authorization enforcement API](#enforcement). +To protect resources according to your business needs, you can declaratively restrict access according to a [CAP role](./cap-users#roles) by adding [@requires](#requires) or [@restrict](#restrict-annotation) annotations. Restrictions can be defined on *different CDS resources*: From 2cbdf03b6c426461bdbf004c4f88ca73ee07cb2e Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 27 Nov 2025 12:39:22 +0100 Subject: [PATCH 031/120] fixed links --- guides/security/assets/fetch-ias-certs.sh | 39 ----------- guides/security/authentication.md | 32 ++++----- guides/security/authorization.md | 81 ++++++++++++----------- guides/security/cap-users.md | 18 ++--- guides/security/overview.md | 2 +- guides/security/remote-authentication.md | 4 +- 6 files changed, 72 insertions(+), 104 deletions(-) delete mode 100644 guides/security/assets/fetch-ias-certs.sh diff --git a/guides/security/assets/fetch-ias-certs.sh b/guides/security/assets/fetch-ias-certs.sh deleted file mode 100644 index 40d1012d8b..0000000000 --- a/guides/security/assets/fetch-ias-certs.sh +++ /dev/null 
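Review bot: in the `@@ -40,17` hunk, the `+` bullet introduces a typo (`derives recource access rules`, should be `resource`), and the new link `[custom authorization logic](./cap-users#developing-with-users)` targets an anchor that no visible part of this series defines; the next commit drops the link again, so squash the two commits or confirm the anchor exists in cap-users.md. In the `@@ -150,8` hunk, removing `Alternatively, you can add custom authorization logic by means of an [authorization enforcement API](#enforcement)` leaves no pointer to the enforcement API at all; if `#enforcement` still exists in this file, keep a short cross-reference, otherwise check the file for other links to it.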
@@ -1,39 +0,0 @@ -#!/bin/bash -# filepath: ./fetch-ias-certs.sh - -if [ -z "$1" ]; then - echo "Usage: $0 [cert-file] [key-file]" - exit 1 -fi - -SERVICE_INSTANCE="$1" -CERT_FILE="${2:-cert.pem}" -KEY_FILE="${3:-key.pem}" -SERVICE_KEY="${SERVICE_INSTANCE}-key" - -# Check if cf CLI is logged in -if ! cf target > /dev/null 2>&1; then - echo "Error: Not logged in to Cloud Foundry. Please run 'cf login' and try again." - exit 1 -fi - -# Check if service key exists -if ! cf service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" > /dev/null 2>&1; then - cf create-service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" -c '{"credential-type": "X509_GENERATED"}' -else - echo "Service key $SERVICE_KEY already exists." -fi - - -# Extract service key JSON -SERVICE_KEY_JSON=$(cf service-key "$SERVICE_INSTANCE" "$SERVICE_KEY" 2>&1 | awk '/^{/ {found=1} found' ) - -# Extract and convert certificate -echo "$SERVICE_KEY_JSON" | jq -r 'if has("credentials") then .credentials.certificate else .certificate end' | sed 's/\\n/\n/g' > "$CERT_FILE" -echo "Certificate written to $CERT_FILE" - -# Extract and convert key -echo "$SERVICE_KEY_JSON" | jq -r 'if has("credentials") then .credentials.key else .key end' | sed 's/\\n/\n/g' > "$KEY_FILE" -echo "Key written to $KEY_FILE" - -echo "DON'T SHARE GERNERATED CERTIFICATE FILES!" diff --git a/guides/security/authentication.md b/guides/security/authentication.md index b33317af67..41104a9a04 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
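Review bot: deleting `fetch-ias-certs.sh` while the IAS section keeps linking to it (the later `@@ -485,7` hunk repoints that link to `https://cap.cloud.sap/resources/examples/fetch-ias-certs.sh`) only works if the script is actually published at that URL; verify before merge, otherwise the certificate how-to ends in a 404. If the script is republished, two things are worth fixing on the way: it writes the private key to `key.pem` under the caller's default umask (add `umask 077` or `chmod 600 "$KEY_FILE"` before the `jq` redirect), and the usage line `Usage: $0 [cert-file] [key-file]` omits the mandatory service-instance argument that the `-z "$1"` check enforces. The final warning also misspells `GERNERATED`.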
@@ -32,7 +32,7 @@ CAP applications making use of remote services of any type need to have a proper ![Authentication with CAP](./assets/authentication.drawio.svg){width="500px" } -According to key concept [Pluggable Building Blocks](key-concept-pluggable), the authentication method can be configured freely. +According to key concept [Pluggable Building Blocks](./overview#key-concept-pluggable), the authentication method can be configured freely. CAP [leverages platform services](#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: - For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. @@ -116,8 +116,8 @@ Mock users require **basic authentication**, hence sending the same request on b Mock users are deactivated in production profile by default ❗ ::: -[Learn more about authentication options in CAP Java](../java/security#spring-boot){.learn-more} -[Learn more about authentication options in CAP Node.js](../node.js/authentication#strategies){.learn-more} +[Learn more about authentication options in CAP Java](../../java/security#spring-boot){.learn-more} +[Learn more about authentication options in CAP Node.js](../../node.js/authentication#strategies){.learn-more} 
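Review bot: the `@@ -32,7` hunk fixes the `key-concept-pluggable` link to `./overview#key-concept-pluggable` but leaves the very next sentence pointing at `[leverages platform services](#key-concept-platform-services)`, an in-page anchor; the key-concept headings live in overview.md (that is why the first link was changed), so this one should become `./overview#key-concept-platform-services` in the same hunk. The `@@ -116,8` changes to `../../java/...` and `../../node.js/...` are consistent with the file sitting at `guides/security/`.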
@@ -131,13 +131,13 @@ You can opt out the preconfiguration of these users by setting `cds { .java } -[Learn more about predefined mock users in CAP Java](../java/security#preconfigured-mock-users){.learn-more} -[Learn more about predefined mock users in CAP Node.js](../node.js/authentication#mock-users){.learn-more} +[Learn more about predefined mock users in CAP Java](../../java/security#preconfigured-mock-users){.learn-more} +[Learn more about predefined mock users in CAP Node.js](../../node.js/authentication#mock-users){.learn-more} ### Customization { #custom-mock-users } -You can define custom mock users to simulate any type of [end users]((../cap-users#user-representation)) that will interact with your application at production time. +You can define custom mock users to simulate any type of [end users](./cap-users#user-representation)) that will interact with your application at production time. Hence, you can use the mock users to test your authorization settings as well as custom handlers fully decoupled from the actual execution environment.
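Review bot: the `+` line in `@@ -131,13` still has an unbalanced parenthesis: `[end users](./cap-users#user-representation))` removed one of the two opening parens from the old `]((...))` but kept both closing ones, so a literal `)` is rendered after the link. Drop the trailing `)`.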
@@ -200,10 +200,10 @@ In mock user configuration you can specify: - name (mandatory) and tenant - CAP roles (including pseudo-roles) and attributes affecting authorization - additional attributes -- [feature toggles](../guides/extensibility/feature-toggles#feature-toggles) +- [feature toggles](../extensibility/feature-toggles#feature-toggles) which influence request processing. -To verify the properties in a user request with a dedicated mock user, activate [user tracing](../cap-users#user-tracing) and send the same request on behalf of `viewer-user`. +To verify the properties in a user request with a dedicated mock user, activate [user tracing](./cap-users#user-tracing) and send the same request on behalf of `viewer-user`. In the application log you will find information about the resolved user after successful authentication:
@@ -220,8 +220,8 @@ TODO
-[Learn more about custom mock users in CAP Java](../java/security#explicitly-defined-mock-users){.learn-more} -[Learn more about custom mock users in CAP Node.js](../node.js/authentication#mocked){.learn-more} +[Learn more about custom mock users in CAP Java](../../java/security#explicitly-defined-mock-users){.learn-more} +[Learn more about custom mock users in CAP Node.js](../../node.js/authentication#mocked){.learn-more} ### Automated Testing { #mock-user-testing } @@ -265,8 +265,8 @@ await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password:
-[Learn more about testing in CAP Java](../java/developing-applications/testing#testing-cap-java-applications){.learn-more} -[Learn more about testing in CAP Node.js](../node.js/cds-test#testing-with-cds-test){.learn-more} +[Learn more about testing in CAP Java](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more} +[Learn more about testing in CAP Node.js](../../node.js/cds-test#testing-with-cds-test){.learn-more} ## IAS Authentication { #ias-auth } @@ -485,7 +485,7 @@ Finally, ensure correct format of both files with ```sh openssl x509 -in .pem -text -noout ``` -All the steps can be executed in a single script as shown in the [example](./assets/fetch-ias-certs.sh). +All the steps can be executed in a single script as shown in the [example](https://cap.cloud.sap/resources/examples/fetch-ias-certs.sh). ::: The fetch a token - either as technical or as named user - the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: @@ -619,7 +619,7 @@ There are multiple reasons why customization might be required: **The auto-configuration authenticates all service endpoints found in the CDS model by default**. -Model endpoints that should be public can be explicitly annotated with [pseudo-role](../guides/security/authorization#pseudo-roles) `any`: +Model endpoints that should be public can be explicitly annotated with [pseudo-role](cap-users#pseudo-roles) `any`: ```cds service BooksService @(requires: 'any') { 
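Review bot: the `@@ -220,8 +220,8 @@ TODO` hunk header shows a bare `TODO` line still sitting just above these links, right where the preceding hunk promises the user-tracing log output (`In the application log you will find information about the resolved user`); this file is `status: released`, so the placeholder needs the sample log output or should be removed. In `@@ -619,7`, the pseudo-role link is written as `cap-users#pseudo-roles` while every other sibling link in this patch uses the `./cap-users#...` form; use the same form. The `@@ -485,7` link to `https://cap.cloud.sap/resources/examples/fetch-ias-certs.sh` depends on the deleted script actually being published there.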
@@ -640,7 +640,7 @@ service BooksService @(requires: 'any') { In multitenant applications, anonymous requests to public endpoints are missing the tenant information and hence this gap needs to be filled by custom code. ::: -[Learn more about authentication options in CAP Java with Spring Boot](../guides/java/security#spring-boot){.learn-more} +[Learn more about authentication options in CAP Java with Spring Boot](../../java/security#spring-boot){.learn-more} ### Partially Overrule Authentication { #partially-auth } @@ -672,7 +672,7 @@ Ensure your custom configuration has higher priority than CAP's default security Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. Make sure that only the intended endpoints are affected. ::: -[Learn more about custom security configuraitons in CAP Java with Spring Boot](../guides/java/security#custom-spring-security-config){.learn-more} +[Learn more about custom security configuraitons in CAP Java with Spring Boot](../../java/security#custom-spring-security-config){.learn-more} ### Fully Overrule Authentication { #fully-auth } diff --git a/guides/security/authorization.md b/guides/security/authorization.md index c08f434708..5a3cea2a1c 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md 
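Review bot: the `@@ -672,7` hunk fixes the link path but keeps the typo in the link text, `custom security configuraitons`; correct it to `configurations` while touching the line. In `@@ -640,7`, the retained context sentence (`anonymous requests to public endpoints are missing the tenant information and hence this gap needs to be filled by custom code`) should say how the tenant is expected to be determined for such requests, since a service annotated `@(requires: 'any')` otherwise runs without any tenant context in a multitenant deployment.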
@@ -34,31 +34,30 @@ In essence, [authentication](./authentication#authentication) verifies the user' In contrast, **authorization controls _how_ the user may interact with the application's resources**. As the access control depends on the user information, authentication is a prerequisite to authorization. -![Authoriztion with CAP](./assets/authorization.drawio.svg){width="500px"} +![Authorization with CAP](./assets/authorization.drawio.svg){width="500px"} CAP authorization modeling means restricting user access to application resources in a declarative way. The decisive point here is that the application logic does not need to contribute any security-critical code for this, but can rely on the generic framework. -There are several levels to put access rules on CDS resources: -- [Static access control](#static-access-control) limits access to CDS services on a general level independently from the request user. -- [Role-based access control](#role-based-access-control) derives recource access rules from roles granted by user administrators. -- [Instance-based access control](#instance-based-auth) even allows entity-level filters that usually depend on user criteria. +There are several ways to define access rules on CDS resources: +- [Static access control](#static-access-control) limits access to CDS services on a general level independently of the request user. +- [Role-based access control](#role-based-access-control) derives resource access rules from roles granted by user administrators. +- [Instance-based access control](#instance-based-auth) allows entity-level filters that usually depend on user criteria. -**By default, CDS services have no access control** which means that without authorization modelling authenticated users have access to all entities. +**By default, CDS services have no access control**, which means that without authorization modeling, authenticated users have access to all entities. 
::: warning **Applications must implement proper authorization.** CAP cannot enforce this automatically as it depends entirely on the specific domain model. ::: -Finally, according to key concept [Customizable Security](./overview#key-concept-customizable), -applications can implement [custom authorization logic](./cap-users#developing-with-users) for exceptional scenarios when declarative approaches are insufficient. +Finally, according to the key concept [Customizable Security](./overview#key-concept-customizable), applications can implement custom authorization logic for exceptional scenarios when declarative approaches are insufficient. ## Static Access Control { #static-access-control } ### Internal Services -CDS services which are only meant for *internal* usage, shouldn't be exposed via protocol adapters. +CDS services which are only meant for *internal* usage shouldn't be exposed via protocol adapters. In order to prevent access from *any* external clients, annotate those services with `@protocol: 'none'`: ```cds @@ -98,7 +97,7 @@ service SomeService { #### Events to Auto-Exposed Entities { #events-and-auto-expose} -In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler due to some reason. +In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler for some reason. Access to auto-exposed entities needs to be controlled in a specific way. Consider the following example: ```cds 
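Review bot: in the `@@ -98,7` hunk, `auto-exposed by the CDS compiler for some reason` is no less vague than the `due to some reason` it replaces; the two reasons are listed right after the example (composition target and `@cds.autoexpose`), so phrase it as `auto-exposed by the CDS compiler for one of the reasons explained below`. The wording fixes in `@@ -34,31` are fine as they stand.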
@@ -129,7 +128,7 @@ As a result, the `IssuesService` service actually exposes *all* three entities f * `db.Issues` is implicitly auto-exposed by the compiler as it is a composition entity of `Components`. * `db.Categories` is explicitly auto-exposed due to the `@cds.autoexpose` annotation. -In general, **implicitly auto-exposed entities cannot be accessed directly**, that means, only access via a navigation path (starting from an explicitly exposed entity) is allowed. +In general, **implicitly auto-exposed entities cannot be accessed directly**, which means only access via a navigation path (starting from an explicitly exposed entity) is allowed. In contrast, **explicitly auto-exposed entities can be accessed directly, but only as `@readonly`**. The rationale behind that is that entities representing value lists need to be readable at the service level, for instance to support value help lists. 
@@ -182,7 +181,7 @@ annotate ShopService.ReplicationAction with @(requires: 'system-user'); In this example, the `BrowseBooksService` service is open for authenticated but not for anonymous users. A user who has the `Vendor` _or_ `ProcurementManager` role is allowed to access the `ShopService.Books` entity. Unbound action `ShopService.ReplicationAction` can only be triggered by a technical user. ::: tip -When restricting service access through `@requires`, the service's metadata endpoints (that means, `/$metadata` as well as the service root `/`) are restricted by default as well. If you require public metadata, you can disable the check with [a custom express middleware](../../node.js/cds-serve#add-mw-pos) using the [privileged user](../../node.js/authentication#privileged-user) (Node.js) or through config cds.security.authentication.authenticateMetadataEndpoints = false (Java), respectively. Please be aware that the `/$metadata` endpoint is *not* checking for authorizations implied by `@restrict` annotation. +When restricting service access through `@requires`, the service's metadata endpoints (that is, `/$metadata` as well as the service root `/`) are restricted by default as well. If you require public metadata, you can disable the check with [a custom express middleware](../../node.js/cds-serve#add-mw-pos) using the [privileged user](../../node.js/authentication#privileged-user) (Node.js) or through config cds.security.authentication.authenticateMetadataEndpoints = false (Java), respectively. Please be aware that the `/$metadata` endpoint is *not* checking for authorizations implied by `@restrict` annotation. ::: 
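Review bot: in the `@@ -182,7` tip, `cds.security.authentication.authenticateMetadataEndpoints = false` is plain text while the other identifiers in the same sentence are code-formatted; wrap it in backticks. More important for readers: the Node.js recipe (`a custom express middleware using the privileged user`) disables authentication for whatever paths that middleware matches, so the tip should say to scope it to `/$metadata` and the service root only. And since the tip itself states that `/$metadata` does not evaluate `@restrict`, it is worth spelling out that public metadata reveals the complete entity model, including entities the caller would not be allowed to read.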
@@ -207,7 +206,7 @@ The following values are supported: - The `to` property lists all [user roles](#roles) or [pseudo roles](#pseudo-roles) that the privilege applies to. Note that the `any` pseudo-role applies for all users and is the default if no value is provided. -- The `where`-clause can contain a Boolean expression in [CQL](/cds/cql)-syntax that filters the instances that the event applies to. As it allows user values (name, attributes, etc.) and entity data as input, it's suitable for *dynamic authorizations based on the business domain*. Supported expressions and typical use cases are presented in [instance-based authorization](#instance-based-auth). +- The `where` clause can contain a Boolean expression in [CQL](/cds/cql) syntax that filters the instances that the event applies to. As it allows user values (name, attributes, etc.) and entity data as input, it's suitable for *dynamic authorizations based on the business domain*. Supported expressions and typical use cases are presented in [instance-based authorization](#instance-based-auth). A privilege is met, if and only if **all properties are fulfilled** for the current request. In the following example, orders can only be read by an `Auditor` who meets `AuditBy` element of the instance: 
@@ -253,7 +252,7 @@ Here an `Auditor` user can read all orders with matching `country` or that they - `@requires: 'Viewer'` is equivalent to `@restrict: [{grant:'*', to: 'Viewer'}]` - `@readonly` is the same as `@restrict: [{ grant:'READ' }]` -Currently, the security annotations **are only evaluated on the target entity of the request**. Restrictions on associated entities touched by the operation aren't regarded. This has the following implications: +Currently, the security annotations **are only evaluated on the target entity of the request**. Restrictions on associated entities touched by the operation are not regarded. This has the following implications: - Restrictions of (recursively) expanded or inlined entities of a `READ` request aren't checked. - Deep inserts and updates are checked on the root entity only. 
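Review bot: `Restrictions on associated entities touched by the operation are not regarded` is not idiomatic; `are not checked` says what the runtime actually does. Since this is the one paragraph documenting that `@restrict` is not enforced on expanded or inlined entities of a `READ` and only on the root of deep inserts and updates, it deserves the `::: warning` box style the file uses elsewhere rather than a plain paragraph: a modeler who restricts a child entity but not its parent would otherwise assume the child stays protected when reached through navigation.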
@@ -270,7 +269,7 @@ Restrictions can be defined on different types of CDS resources, but there are s | entity | | | 1 | | | action/function | | | 2 | = `@requires` | -> 1For bound actions and functions that aren't bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`. +> 1For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`. > 2 For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`. Unsupported privilege properties are ignored by the runtime. Especially, for bound or unbound actions, the `grant` property is implicitly removed (assuming `grant: '*'` instead). The same also holds for functions: 
@@ -414,9 +413,9 @@ A service level entity can't inherit a restriction with a `where` condition that ## Instance-Based Access Control { #instance-based-auth } -The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes an *instance-based authorization*. +The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes *instance-based authorization*. -The condition defined in the `where`-clause typically associates domain data with static [user claims](#user-claims). Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. This means that, the condition applies to following standard CDS events only1: +The condition defined in the `where` clause typically associates domain data with static [user claims](#user-claims). Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. This means that, the condition applies to following standard CDS events only1: - `READ` (as result filter) - `UPDATE` (as reject condition2) - `DELETE` (as reject condition2) 
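Review bot: the two `+` lines are inconsistent with each other: the first keeps `` `where`-condition `` while the second changes `` `where`-clause `` to `` `where` clause ``; use one form (the unhyphenated one matches the `@@ -207,7` hunk). The second line also keeps the stray comma in `This means that, the condition applies to following standard CDS events only`; drop the comma and add `the` before `following`.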
@@ -446,7 +445,7 @@ Supported features are: * [Exists predicate](#exists-predicate) based on subselects. ::: info Avoid enumerable keys -In case the filter condition is not met in an `UPDATE` or `DELETE` request, the runtime rejects the request (response code 403) even if the user is not even allowed to read the entity. To avoid to disclosure the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable. +In case the filter condition is not met in an `UPDATE` or `DELETE` request, the runtime rejects the request (response code 403) even if the user is not even allowed to read the entity. To avoid disclosing the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable. ::: ### User Attribute Values { #user-attrs} 
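Review bot: the `+` line still doubles `even` (`rejects the request (response code 403) even if the user is not even allowed to read the entity`); say `even if the user is not allowed to read the entity at all`. The box should also state why this discloses existence: the 403 is only produced for instances that exist, so an unauthorized caller probing keys can tell existing records from non-existing ones, which is the reason for the non-enumerable-key advice.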
@@ -455,18 +454,18 @@ To refer to attribute values from the user claim, prefix the attribute name with In general, `$user.` contains a **list of attribute values** that are assigned to the user. The following rules apply: * A predicate in the `where` clause evaluates to `true` if one of the attribute values from the list matches the condition. -* An empty (or not defined) list means that the user is fully restricted with regards to this attribute (that means that the predicate evaluates to `false`). +* An empty (or not defined) list means that the user is fully restricted with regard to this attribute (that is, the predicate evaluates to `false`). For example, the condition `where: $user.country = countryCode` will grant a user with attribute values `country = ['DE', 'FR']` access to entity instances that have `countryCode = DE` _or_ `countryCode = FR`. In contrast, the user has no access to any entity instances if the value list of country is empty or the attribute is not available at all. #### Unrestricted XSUAA Attributes -By default, all attributes defined in [XSUAA instances](#xsuaa-configuration) require a value (`valueRequired:true`) which is well-aligned with the CAP runtime that enforces restrictions on empty attributes. +By default, all attributes defined in [XSUAA instances](#xsuaa-configuration) require a value (`valueRequired:true`), which is well-aligned with the CAP runtime that enforces restrictions on empty attributes. If you explicitly want to offer unrestricted attributes to customers, you need to do the following: 1. Switch your XSUAA configuration to `valueRequired:false` 2. Adjust the filter-condition accordingly, for example: `where: $user.country = countryCode or $user.country is null`. - > If `$user.country` is undefined or empty, the overall expression evaluates to `true` reflecting the unrestricted attribute. + > If `$user.country` is undefined or empty, the overall expression evaluates to `true`, reflecting the unrestricted attribute. 
::: warning Refrain from unrestricted XSUAA attributes as they need to be designed very carefully as shown in the following example. @@ -484,8 +483,8 @@ service SalesService @(requires: ['SalesAdmin', 'SalesManager']) { } } ``` -Let's assume a customer creates XSUAA roles `SalesManagerEMEA` with dedicated values (`['DE', 'FR', ...]`) and 'SalesAdmin' with *unrestricted* values. -As expected, a user assigned only to 'SalesAdmin' has access to all `SalesOrgs`. But when role `SalesManagerEMEA` is added, *only* EMEA orgs are accessible suddenly! +Let's assume a customer creates XSUAA roles `SalesManagerEMEA` with dedicated values (`['DE', 'FR', ...]`) and `SalesAdmin` with *unrestricted* values. +As expected, a user assigned only to `SalesAdmin` has access to all `SalesOrgs`. But when role `SalesManagerEMEA` is added, *only* EMEA organizations are accessible suddenly! The preferred way is to model with restricted attribute `country` (`valueRequired:true`) and an additional grant: ```cds @@ -559,7 +558,7 @@ service ProductsService @(requires: 'authenticated-user') { } ``` -Here, the authorization of `Products` is derived from `Divisions` by leveraging the _n:m relationship_ via entity `ProducingDivisions`. Note that the path `producers.division` in the `exists` predicate points to target entity `Divisions`, where the filter with the user-dependent attribute `$user.division` is applied. +Here, the authorization of `Products` is derived from `Divisions` by leveraging the *n:m relationship* via entity `ProducingDivisions`. Note that the path `producers.division` in the `exists` predicate points to target entity `Divisions`, where the filter with the user-dependent attribute `$user.division` is applied. ::: warning Consider Access Control Lists Be aware that deep paths might introduce a performance bottleneck. Access Control List (ACL) tables, managed by the application, allow efficient queries and might be the better option in this case. 
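Review bot: the `+` line in `@@ -455,18` still links `[XSUAA instances](#xsuaa-configuration)`, the section id that the `Role Assignments with XSUAA` deletion earlier in this series removed from this file; since the line is being edited anyway, retarget it to wherever the XSUAA configuration now lives. In `@@ -484,8`, `*only* EMEA organizations are accessible suddenly!` reads better as `suddenly *only* EMEA organizations are accessible`, and the example would be stronger if it named the mechanism: once `SalesManagerEMEA` contributes values, the `$user.country` list is no longer empty, so `$user.country is null` fails and the unrestricted `SalesAdmin` grant is lost, which is exactly why the text recommends `valueRequired:true` plus an additional grant.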
@@ -592,7 +591,7 @@ Be aware of increased execution time when modeling paths in the authorization ch ::: ::: warning _Warning_ -In Node.js association paths in `where`-clauses are currently only supported when using SAP HANA. +In Node.js, association paths in `where` clauses are currently only supported when using SAP HANA. ::: ## Best Practices @@ -601,7 +600,9 @@ CAP authorization allows you to control access to your business data on a fine g ### Choose Conceptual Roles -When defining user roles, one of the first options could be to align roles to the available _operations_ on entities, which results in roles such as `SalesOrders.Read`, `SalesOrders.Create`, `SalesOrders.Update`, and `SalesOrders.Delete`, etc. What is the problem with this approach? Think about the resulting number of roles that the user administrator has to handle when assigning them to business users. The administrator would also have to know the domain model precisely and understand the result of combining the roles. Similarly, assigning roles to operations only (`Read`, `Create`, `Update`, ...) typically doesn't fit your business needs.
+When defining user roles, one of the first options could be to align roles to the available *operations* on entities, which results in roles such as `SalesOrders.Read`, `SalesOrders.Create`, `SalesOrders.Update`, and `SalesOrders.Delete`. + +What is the problem with this approach? Think about the resulting number of roles that the user administrator has to handle when assigning them to business users. The administrator would also have to know the domain model precisely and understand the result of combining the roles. Similarly, assigning roles to operations only (`Read`, `Create`, `Update`, ...) typically doesn't fit your business needs.
We strongly recommend defining roles that describe **how a business user interacts with the system**. Roles like `Vendor`, `Customer`, or `Accountant` can be appropriate. With this approach, the application developers define the set of accessible resources in the CDS model for each role - and not the user administrator. ### Prefer Single-Purposed, Use-Case Specific Services { #dedicated-services} @@ -620,7 +621,7 @@ service CatalogService @(requires: 'authenticated-user') { ``` Four different roles (`authenticated-user`, `Vendor`, `Accountant`, `Admin`) *share* the same service - `CatalogService`. As a result, it's confusing how a user can use `Books` or `doAccounting`. Considering the complexity of this small example (4 roles, 1 service, 2 resources), this approach can introduce a security risk, especially if the model is larger and subject to adaptation. Moreover, UIs defined for this service will likely appear unclear as well.
-The fundamental purpose of services is to expose business data in a specific way. Hence, the more straightforward way is to **use a service for each of the roles**: +The fundamental purpose of services is to expose business data in a specific way. Hence, the more straightforward way is to **use a service for each role**: ```cds @path:'browse' 
@@ -661,23 +662,25 @@ service GitHubRepositoryService @(requires: 'authenticated-user') { } ``` -This service allows querying organizations for all authenticated users. In addition, `Admin` users are allowed to rename or delete. Granting `UPDATE` to `Admin` would allow administrators to change organization attributes that aren't meant to change. +This service allows querying organizations for all authenticated users. In addition, `Admin` users are allowed to rename or delete. + +Granting `UPDATE` to `Admin` would allow administrators to change organization attributes that are not meant to change. ### Think About Domain-Driven Authorization { #domain-driven-authorization} -Static roles often don't fit into an intuitive authorization model. Instead of making authorization dependent from static properties of the user, it's often more appropriate to derive access rules from the business domain. For instance, all users assigned to a department (in the domain) are allowed to access the data of the organization comprising the department. Relationships in the entity model (for example, a department assignment to organization), influence authorization rules at runtime. In contrast to static user roles, **dynamic roles** are fully domain-driven. +Static roles often don't fit into an intuitive authorization model. Instead of making authorization dependent on static properties of the user, it's often more appropriate to derive access rules from the business domain. For instance, all users assigned to a department (in the domain) are allowed to access the data of the organization comprising the department. Relationships in the entity model (for example, a department assignment to organization) influence authorization rules at runtime. In contrast to static user roles, **dynamic roles** are fully domain-driven. Revisit the [ProjectService example](#exists-predicate), which demonstrates how to leverage instance-based authorization to induce dynamic roles. 
Advantages of dynamic roles are: - The most flexible way to define authorizations -- Induced authorizations according to business domain +- Authorizations induced according to business domain - Application-specific authorization model and intuitive UIs - Decentralized role management for application users (no central user administrator required) Drawbacks to be considered are: - Additional effort for modeling and designing application-specific role management (entities, services, UI) -- Potentially higher security risk due to lower use of the framework functionality +- Potentially higher security risk due to lower use of framework functionality - Sharing authorization management with other (non-CAP) applications is harder to achieve - Dynamic role enforcement can introduce a performance penalty @@ -710,7 +713,9 @@ service BrowseEmployeesService @(requires:'Employee') { } ``` -A team (entity `Teams`) contains members of type `Employees`. An employee refers to a single contract (entity `Contracts`) which contains sensitive information that should be visible only to `Manager` users. `Employee` users should be able to browse the teams and their members, but aren't allowed to read or even edit their contracts.
+A team (entity `Teams`) contains members of type `Employees`. An employee refers to a single contract (entity `Contracts`), which contains sensitive information that should be visible only to `Manager` users. + +`Employee` users should be able to browse the teams and their members but are not allowed to read or even edit their contracts.
As `db.Employees` and `db.Contracts` are auto-exposed, managers can navigate to all instances through the `ManageTeamsService.Teams` service entity (for example, OData request `/ManageTeamsService/Teams?$expand=members($expand=contract)`).
It's important to note that this also holds for an `Employee` user, as **only the target entity** `BrowseEmployeesService.Teams` **has to pass the authorization check in the generic handler, and not the associated entities**.
To solve this security issue, introduce a new service entity `BrowseEmployeesService.Employees` that removes the navigation to `Contracts` from the projection: 
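Review bot: in the `@@ -710,7 +713,9 @@` hunk the split-off sentence "`Employee` users should be able to browse the teams and their members but are not allowed to read or even edit their contracts." inverts the escalation; editing is the stronger privilege, so the deny-by-default intent reads more clearly as "are not allowed to edit, or even read, their contracts". The unchanged context line that follows ("**only the target entity** `BrowseEmployeesService.Teams` **has to pass the authorization check in the generic handler, and not the associated entities**") is the security-relevant point of the section; keep it attached to the new paragraph rather than separated from the role it affects, so the risk of auto-exposed `Contracts` is not lost on skim-readers. In `@@ -661,23 +662,25 @@`, the newly detached paragraph "Granting `UPDATE` to `Admin` would allow administrators to change organization attributes that are not meant to change." has lost its link to the preceding sentence about `Admin` being allowed to rename or delete; "Note that granting `UPDATE` instead ..." keeps the contrast that explains why the example grants only those operations.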
@@ -724,19 +729,21 @@ service BrowseEmployeesService @(requires:'Employee') { } ``` -Now, an `Employee` user can't expand the contracts as the composition isn't reachable anymore from the service. +Now, an `Employee` user cannot expand the contracts as the composition is not reachable anymore from the service. ::: tip -Associations without navigation links (for example, when an associated entity isn't exposed) are still critical with regards to security. +Associations without navigation links (for example, when an associated entity is not exposed) are still critical with regard to security. ::: ### Design Authorization Models from the Start -As shown before, defining an adequate authorization strategy has a deep impact on the service model. Apart from the fundamental decision, if you want to build your authorizations on [dynamic roles](#domain-driven-authorization), authorization requirements can result in rearranging service and entity definitions completely. In the worst case, this means rewriting huge parts of the application (including the UI). For this reason, it's *strongly* recommended to take security design into consideration at an early stage of your project. +As shown before, defining an adequate authorization strategy has a deep impact on the service model. Apart from the fundamental decision of whether you want to build your authorizations on [dynamic roles](#domain-driven-authorization), authorization requirements can result in completely rearranging service and entity definitions. + +For this reason, it's *strongly* recommended to take security design into consideration at an early stage of your project. ### Keep it as Simple as Possible -* If different authorizations are needed for different operations, it's easier to have them defined at the service level. If you start defining them at the entity level, all possible operations must be specified, otherwise the not mentioned operations are automatically forbidden. 
-* If possible, try to define your authorizations either on the service or on the entity level. Mixing both variants increases complexity and not all combinations are supported either. +* If different authorizations are needed for different operations, it's easier to have them defined at the service level. If you start defining them at the entity level, all possible operations must be specified; otherwise, the operations not mentioned are automatically forbidden. +* If possible, try to define your authorizations either on the service or on the entity level. Mixing both variants increases complexity, and not all combinations are supported either. ### Separation of Concerns diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 85635261aa..3c9ed89da1 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -25,7 +25,7 @@ status: released ## CAP User Abstraction { #claims } -A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. +A successful authentication results in a CAP user representation reflecting the request user in a uniform way. Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). 
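Review bot: the `@@ -724,19 +729,21 @@` hunk silently drops a sentence. The removed line ends "... rearranging service and entity definitions completely. In the worst case, this means rewriting huge parts of the application (including the UI). For this reason, ...", while the added lines keep only "... completely rearranging service and entity definitions." and "For this reason, it's *strongly* recommended ...". The worst-case sentence is the justification for the recommendation; either carry it into the new first paragraph or state in the commit message that the cut is intentional. The cap-users.md `@@ -25,7 +25,7 @@` hunk at the end of this region is fine: it removes a self-link `[user representation](#claims)` from inside the section that itself carries `{ #claims }`.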
@@ -156,8 +156,8 @@ All technical clients that have access to the application's XSUAA or IAS service The resulting object representation of the user is attached to the current request context and has an impact on the request flow for instance with regards to - [authorizations](./authorization#restrictions) -- [enriching business data](../guides/domain-modeling#managed-data) with user data -- setting [DB session variables](../guides/db-feature-comparison#session-variables) +- [enriching business data](../domain-modeling#managed-data) with user data +- setting [DB session variables](../db-feature-comparison#session-variables) In the CDS model, some of the user properties can be referenced in annotations or static views: @@ -273,7 +273,7 @@ If required, it also runs the new `cds add ias` command to configure the project ::: These libraries integrate into the CAP framework to handle incoming requests. -Based on the user's assigned [policies](#generate-policies), the user's roles are determined and written to the [UserInfo](./security#enforcement-api) object. +Based on the user's assigned [policies](#generate-policies), the user's roles are determined and written to the [UserInfo](#reflection) object. The framework then authorizes the request as usual based on the user's roles. ::: details Node.js plugin `@sap/ams` added to the project @@ -291,7 +291,7 @@ The framework then authorizes the request as usual based on the user's roles. The `@sap/ams` plugin provides multiple build-time features: - Validate `ams.attributes` annotations for type coherence against the AMS schema. -- Generate policies from the CDS model during the build using a [custom build task](../guides/deployment/custom-builds#custom-build-plugins). +- Generate policies from the CDS model during the build using a [custom build task](../deployment/custom-builds#custom-build-plugins). - Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. ::: tip 
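Review bot: in the `@@ -273,7 +273,7 @@` hunk the new link `[UserInfo](#reflection)` targets an in-page anchor that does not occur in any heading or `{ #... }` id visible anywhere in this series, whereas the other cap-users.md anchors it introduces (`#claims`, `#xsuaa-roles`, `#roles-assignment-ams`) all do. Please confirm a `{ #reflection }` section exists in cap-users.md; a missing fragment is easy to miss in review because the page itself still resolves. The relative-path changes in `@@ -156` and `@@ -291` (`../guides/domain-modeling` to `../domain-modeling`, `../guides/deployment/custom-builds` to `../deployment/custom-builds`) are consistent with the file living under `guides/security/`.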
@@ -589,7 +589,7 @@ Now let's deploy and start the application with cds up ``` -You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): +You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): - Assign (base or custom) policies to IAS users - Create custom policies @@ -836,7 +836,7 @@ In most cases, CAP's default mapping to the CAP user will match your requirement For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. -This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers): +This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../../java/event-handlers/request-contexts#global-providers): ::: details Sample implementation to override the user name 
@@ -886,7 +886,7 @@ Also consider data protection and privacy regulations when storing user data. There are multiple reasonable use cases in which user modification is a suitable approach: - Injecting or mixing user roles by calling `modifiableUserInfo.addRole(String role)` (In fact this is the base for [AMS plugin](#roles-assignment-ams) injecting user specifc roles). -- Providing calculated attributes used for [instance-based authorization](../guides/security/authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. +- Providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. - Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. - ... @@ -1037,7 +1037,7 @@ String jwtToken = jwtTokenInfo.getToken(); Remote APIs can be invoked either on behalf of a named user or a technical user, depending on the callee's specification. Thus, a client executing a business request within a specific user context might need to explicitly adjust the user propagation strategy. -CAP's [Remote Services](../guides/using-services) offer an easy and declarative way to define client-side representations of remote service APIs. +CAP's [Remote Services](../using-services) offer an easy and declarative way to define client-side representations of remote service APIs. Such services integrate seamlessly with CAP, managing connection setup, including [authentication and user propagation](../../java/cqn-services/remote-services#configuring-the-authentication-strategy): ```yaml diff --git a/guides/security/overview.md b/guides/security/overview.md index 6de23af30a..e9ab911396 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md 
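Review bot: the bullet "Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication." in the `@@ -886` hunk needs a qualifier on what "trusted" means, because this is the one use case in the list where a wrong assumption turns the `UserInfoProvider` into an authentication bypass: the header must be set only by an authenticating gateway in front of the application, and that gateway must strip any client-supplied copy of the same header before forwarding. One sentence to that effect (or a link to the relevant part of the new authentication guide) would do. Minor: the unchanged context line in the same hunk has the typo "user specifc roles"; since the adjacent bullet is being touched, fix it in the same commit.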
@@ -61,7 +61,7 @@ As security functions are factorized into independent components, **application This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. -For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication under the hood completely](./security/remote-authentication#remote-services). +For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication under the hood completely](./remote-authentication#remote-services). This abstraction layer ensures that developers do not need to worry about the details of authentication. diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 5a83b2c1ce..de456b10c5 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md @@ -396,7 +396,7 @@ Note that property `oauth2-configuration.token-policy.access-token-format: jwt` Now let's create the missing IAS dependency to establish trust for the API service call targeting provided API with id `DataConsumer`. -Open the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): +Open the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): 1. Select **Applications & Resources** > **Applications**. Choose the IAS application of the `xtravels` consumer from the list. 2. In **Application APIs** select **Dependencies** and click on **Add**. 
@@ -412,7 +412,7 @@ Open the Administrative Console for the IAS tenant (see prerequisites [here](../ ::: :::tip -Both the BTP destination and the IAS dependency can be automatically created at runtime using [UCL integration](../java/integrating-applications/ucl#unified-customer-landscape-ucl). +Both the BTP destination and the IAS dependency can be automatically created at runtime using [UCL integration](../../java/integrating-applications/ucl#unified-customer-landscape-ucl). ::: Now restart the consumer application with From ad90ea54c14ceb33a39ce325455e4ab5a4e20720 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 27 Nov 2025 15:51:30 +0100 Subject: [PATCH 032/120] fixed links --- about/features.md | 3 +-- guides/deployment/microservices.md | 2 +- guides/deployment/to-cf.md | 2 +- guides/providing-services.md | 2 +- guides/security/aspects.md | 4 ++-- guides/security/authentication.md | 6 ++--- guides/security/authorization.md | 12 +++++----- guides/security/cap-users.md | 24 +++++++++---------- java/outbox.md | 2 +- java/security.md | 12 +++++----- .../rules/auth-valid-restrict-to/index.md | 2 +- 11 files changed, 35 insertions(+), 36 deletions(-) diff --git a/about/features.md b/about/features.md index fb0f76820c..433de2198c 100644 --- a/about/features.md +++ b/about/features.md @@ -114,8 +114,7 @@ Following is an index of the features currently covered by CAP, with status and | [Arrayed Elements](../cds/cdl#arrayed-types) | | | | | [Streaming & Media Types](../guides/providing-services#serving-media-data) | | | | | [Conflict Detection through _ETags_](../guides/providing-services#etag) | | | | -| [Authentication via JWT](../guides/security/authorization#prerequisite-authentication) | | | | -| [Basic Authentication](../guides/security/authorization#prerequisite-authentication) | | | | +| [Authentication](../guides/security/authentication) | | | |
diff --git a/guides/deployment/microservices.md b/guides/deployment/microservices.md index 60bdae144c..403a8eb353 100644 --- a/guides/deployment/microservices.md +++ b/guides/deployment/microservices.md @@ -370,7 +370,7 @@ Note that we use the *--ws-pack* option for some modules. It's important for nod ### Authentication -Add [security configuration](../security/authorization#xsuaa-configuration) using the command: +Add [security configuration](../security/authentication#authentication) using the command: ```shell cds add xsuaa --for production diff --git a/guides/deployment/to-cf.md b/guides/deployment/to-cf.md index 746d9aa672..d539b0da74 100644 --- a/guides/deployment/to-cf.md +++ b/guides/deployment/to-cf.md @@ -159,7 +159,7 @@ cds add xsuaa ``` ::: tip This will also generate an `xs-security.json` file -The roles/scopes are derived from authorization-related annotations in your CDS models. Ensure to rerun `cds compile --to xsuaa`, as documented in the [_Authorization_ guide](/guides/security/authorization#xsuaa-configuration) whenever there are changes to these annotations. +The roles/scopes are derived from authorization-related annotations in your CDS models. Ensure to rerun `cds compile --to xsuaa`, as documented in the [security guide](/guides/security/cap-users#xsuaa-roles) whenever there are changes to these annotations. ::: [Learn more about SAP Authorization and Trust Management/XSUAA.](https://discovery-center.cloud.sap/serviceCatalog/authorization-and-trust-management-service?region=all){.learn-more} diff --git a/guides/providing-services.md b/guides/providing-services.md index 1d75e2800e..47d563f201 100644 --- a/guides/providing-services.md +++ b/guides/providing-services.md 
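Review bot: in the microservices.md `@@ -370,7 +370,7 @@` hunk, the new link `[security configuration](../security/authentication#authentication)` points at the page-level heading, while the step it introduces runs `cds add xsuaa --for production`; link to the XSUAA section of that page instead (this series references it as `./authentication#xsuaa-auth` in cap-users.md), so readers land on the strategy they are configuring rather than the overview. The to-cf.md hunk is fine: `/guides/security/cap-users#xsuaa-roles` matches the anchor used for the same topic elsewhere in the series.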
@@ -994,7 +994,7 @@ The remaining cases that need custom handlers, reduce to real custom logic, spec - Domain-specific programmatic [Validations](#input-validation) - Augmenting result sets, for example to add computed fields for frontends -- Programmatic [Authorization Enforcements](/guides/security/authorization#enforcement) +- Programmatic [Authorization Enforcements](/guides/security/cap-users#developing-with-userst) - Triggering follow-up actions, for example calling other services or emitting outbound events in response to inbound events - And more... In general, all the things not (yet) covered by generic handlers diff --git a/guides/security/aspects.md b/guides/security/aspects.md index a9d3dce210..d131623179 100644 --- a/guides/security/aspects.md +++ b/guides/security/aspects.md @@ -118,7 +118,7 @@ CAP doesn't require any specific authentication strategy, but it provides out of On configured authentication, *all CAP endpoints are authenticated by default*. ::: warning -❗ **CAP applications need to ensure that an appropriate [authentication method](/guides/security/authorization#prerequisite-authentication) is configured**. +❗ **CAP applications need to ensure that an appropriate [authentication](./authentication) is configured**. It's highly recommended to establish integration tests to safeguard a valid configuration. ::: 
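Review bot: the providing-services.md hunk introduces a typo in the fragment: `/guides/security/cap-users#developing-with-userst` carries a trailing `t`; the section is presumably `#developing-with-users`. In the aspects.md `@@ -118,7 +118,7 @@` hunk, "ensure that an appropriate [authentication](./authentication) is configured" lost its noun when "authentication method" was shortened; keep "authentication method" (or "strategy", the term the new authentication.md uses) as the link text so the bold warning still reads as a sentence.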
@@ -196,7 +196,7 @@ To verify CAP authorizations in your model, it's recommended to use [CDS lint ru The rules prepared by application developers are applied to business users according to grants given by the subscribers user administrator, that is, they're applied tenant-specific. -CAP authorizations can be defined dependently from [user claims](/guides/security/authorization#user-claims) such as [XSUAA scopes or attributes](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax) +CAP authorizations can be defined dependently from [user claims](/guides/security/cap-users#claims) such as [XSUAA scopes or attributes](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax) that are deployed by application developers and granted by the user administrator of the subscriber. Hence, CAP provides a seamless integration of central identity service without technical lock-in. diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 41104a9a04..5e9c3b2edd 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -28,12 +28,12 @@ status: released In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. -CAP applications making use of remote services of any type need to have a proper [remote authentication](#remote-authentication) in place as well. +CAP applications making use of remote services of any type need to have a proper [remote authentication](./remote-authentication) in place as well. ![Authentication with CAP](./assets/authentication.drawio.svg){width="500px" } According to key concept [Pluggable Building Blocks](./overview#key-concept-pluggable), the authentication method can be configured freely. -CAP [leverages platform services](#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: +CAP [leverages platform services](overview#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: - For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. 
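Review bot: style: the `@@ -28,12 +28,12 @@` hunk adds `[leverages platform services](overview#key-concept-platform-services)` without the `./` prefix, while the unchanged line directly above it links the same page as `[Pluggable Building Blocks](./overview#key-concept-pluggable)`; use `./overview#key-concept-platform-services` for consistency with the rest of the file.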
@@ -137,7 +137,7 @@ You can opt out the preconfiguration of these users by setting `cds ### Customization { #custom-mock-users } -You can define custom mock users to simulate any type of [end users](./cap-users#user-representation)) that will interact with your application at production time. +You can define custom mock users to simulate any type of [end users](./cap-users#claims)) that will interact with your application at production time. Hence, you can use the mock users to test your authorization settings as well as custom handlers fully decoupled from the actual execution environment.
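Review bot: the `@@ -137,7 +137,7 @@` hunk keeps a stray closing parenthesis from the old line: "[end users](./cap-users#claims)) that will interact" should read "[end users](./cap-users#claims) that will interact". Since the line is being touched anyway, fix it here.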
diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 5a3cea2a1c..7e86e9bebc 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md @@ -166,7 +166,7 @@ See [combined restrictions](#combined-restrictions) for more details. Beside the scope, restrictions can limit access to resources with regards to *different dimensions*: - The [event](#restricting-events) of the request, that is, the type of the operation (what?) -- The [roles](#roles) of the user (who?) +- The [roles](cap-users#roles) of the user (who?) - [Filter-condition](#instance-based-auth) on instances to operate on (which?) ### @requires { #requires} 
@@ -198,13 +198,13 @@ The building block of such a restriction is a single **privilege**, which has th whereas the properties are: * `grant`: one or more events that the privilege applies to -* `to`: one or more [user roles](#roles) that the privilege applies to (optional) +* `to`: one or more [user roles](cap-users#roles) that the privilege applies to (optional) * `where`: a filter condition that further restricts access on an instance level (optional). The following values are supported: - `grant` accepts all standard [CDS events](../../about/best-practices#events) (such as `READ`, `CREATE`, `UPDATE`, and `DELETE`) as well as action and function names. `WRITE` is a virtual event for all standard CDS events with write semantic (`CREATE`, `DELETE`, `UPDATE`, `UPSERT`) and `*` is a wildcard for all events. -- The `to` property lists all [user roles](#roles) or [pseudo roles](#pseudo-roles) that the privilege applies to. Note that the `any` pseudo-role applies for all users and is the default if no value is provided. +- The `to` property lists all [user roles](cap-users#roles) or [pseudo roles](cap-users#pseudo-roles) that the privilege applies to. Note that the `any` pseudo-role applies for all users and is the default if no value is provided. - The `where` clause can contain a Boolean expression in [CQL](/cds/cql) syntax that filters the instances that the event applies to. As it allows user values (name, attributes, etc.) and entity data as input, it's suitable for *dynamic authorizations based on the business domain*. Supported expressions and typical use cases are presented in [instance-based authorization](#instance-based-auth). 
@@ -415,7 +415,7 @@ A service level entity can't inherit a restriction with a `where` condition that The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes *instance-based authorization*. -The condition defined in the `where` clause typically associates domain data with static [user claims](#user-claims). Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. This means that, the condition applies to following standard CDS events only1: +The condition defined in the `where` clause typically associates domain data with static [user claims](cap-users#claims). Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. This means that, the condition applies to following standard CDS events only1: - `READ` (as result filter) - `UPDATE` (as reject condition2) - `DELETE` (as reject condition2) 
@@ -450,7 +450,7 @@ In case the filter condition is not met in an `UPDATE` or `DELETE` request, the ### User Attribute Values { #user-attrs} -To refer to attribute values from the user claim, prefix the attribute name with '`$user.`' as outlined in [static user claims](#user-claims). For instance, `$user.country` refers to the attribute with the name `country`. +To refer to attribute values from the user claim, prefix the attribute name with '`$user.`' as outlined in [static user claims](cap-users#claims). For instance, `$user.country` refers to the attribute with the name `country`. In general, `$user.` contains a **list of attribute values** that are assigned to the user. The following rules apply: * A predicate in the `where` clause evaluates to `true` if one of the attribute values from the list matches the condition. @@ -460,7 +460,7 @@ For example, the condition `where: $user.country = countryCode` will grant a use #### Unrestricted XSUAA Attributes -By default, all attributes defined in [XSUAA instances](#xsuaa-configuration) require a value (`valueRequired:true`), which is well-aligned with the CAP runtime that enforces restrictions on empty attributes. +By default, all attributes defined in [XSUAA instances](./cap-users#xsuaa-roles) require a value (`valueRequired:true`), which is well-aligned with the CAP runtime that enforces restrictions on empty attributes. If you explicitly want to offer unrestricted attributes to customers, you need to do the following: 1. Switch your XSUAA configuration to `valueRequired:false` diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 3c9ed89da1..65b8f38e22 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
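Review bot: style: within authorization.md this patch mixes two link forms for the same sibling page, `(cap-users#roles)`, `(cap-users#pseudo-roles)` and `(cap-users#claims)` in the `@@ -166`, `@@ -198`, `@@ -415` and `@@ -450` hunks versus `(./cap-users#xsuaa-roles)` in `@@ -460`; pick one, preferably the `./` form that the rest of the series uses (for example `./cap-users#claims` in authentication.md).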
@@ -25,7 +25,7 @@ status: released ## CAP User Abstraction { #claims } -A successful authentication results in a CAP user representation reflecting the request user in a uniform way. +A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). @@ -119,7 +119,7 @@ CAP roles represent basic building blocks for authorization rules that are defin Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. Dynamic assignments of roles to users can be done by -- [AMS roles](#ams-roles) in case of [IAS authentication](./authentication#ias-auth). +- [AMS roles](roles-assignment-ams) in case of [IAS authentication](./authentication#ias-auth). - [XSUAA roles](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). ::: tip 
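Review bot: in the `@@ -119,7 +119,7 @@` hunk the new link is missing its fragment marker: `[AMS roles](roles-assignment-ams)` resolves to a sibling page `guides/security/roles-assignment-ams` rather than the in-page section; it should be `[AMS roles](#roles-assignment-ams)`, matching the neighbouring `[XSUAA roles](#xsuaa-roles)` and the existing `[AMS plugin](#roles-assignment-ams)` reference in the first patch's `@@ -886` hunk. Also, the `@@ -25,7 +25,7 @@` hunk reinstates `[user representation](#claims)` inside the section that carries `{ #claims }` itself, which the first patch in this series removed as a self-link; drop the link again and keep the plain text.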
@@ -156,8 +156,8 @@ All technical clients that have access to the application's XSUAA or IAS service The resulting object representation of the user is attached to the current request context and has an impact on the request flow for instance with regards to - [authorizations](./authorization#restrictions) -- [enriching business data](../domain-modeling#managed-data) with user data -- setting [DB session variables](../db-feature-comparison#session-variables) +- [enriching business data](../guides/domain-modeling#managed-data) with user data +- setting [DB session variables](../guides/db-feature-comparison#session-variables) In the CDS model, some of the user properties can be referenced in annotations or static views: @@ -273,7 +273,7 @@ If required, it also runs the new `cds add ias` command to configure the project ::: These libraries integrate into the CAP framework to handle incoming requests. -Based on the user's assigned [policies](#generate-policies), the user's roles are determined and written to the [UserInfo](#reflection) object. +Based on the user's assigned [policies](#policies), the user's roles are determined and written to the [UserInfo](./security#enforcement-api) object. The framework then authorizes the request as usual based on the user's roles. ::: details Node.js plugin `@sap/ams` added to the project @@ -291,7 +291,7 @@ The framework then authorizes the request as usual based on the user's roles. The `@sap/ams` plugin provides multiple build-time features: - Validate `ams.attributes` annotations for type coherence against the AMS schema. -- Generate policies from the CDS model during the build using a [custom build task](../deployment/custom-builds#custom-build-plugins). +- Generate policies from the CDS model during the build using a [custom build task](../guides/deployment/custom-builds#custom-build-plugins). - Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. ::: tip 
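Review bot: the path rewrites in the `@@ -156` and `@@ -291` hunks go the opposite way from the "new structure" patch earlier in this series and do not fit the file's location: from `guides/security/cap-users.md`, `../guides/domain-modeling#managed-data`, `../guides/db-feature-comparison#session-variables` and `../guides/deployment/custom-builds#custom-build-plugins` resolve to `guides/guides/...`, whereas the `../domain-modeling` and `../deployment/...` forms they replace are correct for a file one level below `guides/`. Likewise `[UserInfo](./security#enforcement-api)` in `@@ -273` needs a `guides/security/security.md`, which neither patch's file list contains, while `java/security.md` is touched by this very commit; if `#enforcement-api` lives there, the link should be `../../java/security#enforcement-api`. Please run the link checker rather than hand-editing these, otherwise this commit undoes the earlier fix.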
@@ -589,7 +589,7 @@ Now let's deploy and start the application with cds up ``` -You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): +You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): - Assign (base or custom) policies to IAS users - Create custom policies @@ -805,7 +805,7 @@ There is always an `UserInfo` attached to the current `RequestContext`, reflecti The `UserInfo` object is not modifyable, but during request processing, a new `RequestContext` can be spawned and may be accompanied by a [change of the current user](#switching-users). -Depending on the configured [authentication](#authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: +Depending on the configured [authentication](./authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: | User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation |---------------|---------------------|----------------------------------|-------------------------|--------------------| @@ -825,7 +825,7 @@ In addition, there are getters to retrieve information about [pseudo-roles](#pse | `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | | `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | | `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | -| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#privileged-user), i.e. is unrestricted | n/a | +| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted | n/a | 
@@ -836,7 +836,7 @@ In most cases, CAP's default mapping to the CAP user will match your requirement For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. -This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../../java/event-handlers/request-contexts#global-providers): +This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers): ::: details Sample implementation to override the user name 
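Review bot: the path rewrites in these hunks break the links rather than fix them. The file is `guides/security/cap-users.md`, so `..` already resolves to `guides/`, and the new targets `../guides/domain-modeling#managed-data`, `../guides/db-feature-comparison#session-variables`, `../guides/deployment/custom-builds#custom-build-plugins` and `../guides/security/authentication#ias-admin` all point into a non-existent `guides/guides/` tree; the replaced `../domain-modeling`, `../db-feature-comparison`, `../deployment/...` forms were correct. Two other changes go the wrong way as well: `[UserInfo](./security#enforcement-api)` resolves to `guides/security/security`, which does not exist (the enforcement API lives in `java/security.md`), and `../java/event-handlers/request-contexts#global-providers` needs `../../java/...` to climb out of `guides/`, which is exactly what the removed line had. The same `../guides/...` mistake is repeated for `authorization#user-attrs` and `using-services` in the next two hunks of this file; please revert all of them to the original relative paths.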
@@ -886,7 +886,7 @@ Also consider data protection and privacy regulations when storing user data. There are multiple reasonable use cases in which user modification is a suitable approach: - Injecting or mixing user roles by calling `modifiableUserInfo.addRole(String role)` (In fact this is the base for [AMS plugin](#roles-assignment-ams) injecting user specifc roles). -- Providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. +- Providing calculated attributes used for [instance-based authorization](../guides/security/authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. - Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. - ... @@ -1037,7 +1037,7 @@ String jwtToken = jwtTokenInfo.getToken(); Remote APIs can be invoked either on behalf of a named user or a technical user, depending on the callee's specification. Thus, a client executing a business request within a specific user context might need to explicitly adjust the user propagation strategy. -CAP's [Remote Services](../using-services) offer an easy and declarative way to define client-side representations of remote service APIs. +CAP's [Remote Services](../guides/using-services) offer an easy and declarative way to define client-side representations of remote service APIs. Such services integrate seamlessly with CAP, managing connection setup, including [authentication and user propagation](../../java/cqn-services/remote-services#configuring-the-authentication-strategy): ```yaml diff --git a/java/outbox.md b/java/outbox.md index 0bd0d0c2a8..1804f1df9a 100644 --- a/java/outbox.md +++ b/java/outbox.md 
@@ -420,7 +420,7 @@ Filters can be applied as for any other CDS defined entity, for example, to filt It is crucial to make the service `OutboxDeadLetterQueueService` accessible for internal users only as it contains sensitive data that could be exploited for malicious purposes if unauthorized changes are performed. -[Learn more about pseudo roles](../guides/security/authorization#pseudo-roles){.learn-more} +[Learn more about pseudo roles](../guides/security/cap-users#pseudo-roles){.learn-more} ::: diff --git a/java/security.md b/java/security.md index 83c5d13ea9..1a3536db83 100644 --- a/java/security.md +++ b/java/security.md @@ -65,7 +65,7 @@ These are the individual dependencies that can be explicitly added in the `pom.x ::: Additionally, your application must be bound to corresponding service instances depending on your scenario. The following list describes which service must be bound depending on the tokens your application should accept: - * only accept tokens issued by XSUAA --> bind your application to an [XSUAA service instance](../guides/security/authorization#xsuaa-configuration) + * only accept tokens issued by XSUAA --> bind your application to an [XSUAA service instance](../guides/security/authentication#xsuaa-auth) * only accept tokens issued by IAS --> bind your application to an [IAS service instance](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) * accept tokens issued by XSUAA and IAS --> bind your application to service instances of both types. 
@@ -103,7 +103,7 @@ Only if **both, the library dependencies and an XSUAA/IAS service binding are in * Protocol adapter endpoints (managed by CAP such as OData V4/V2 or custom protocol adapters) * Remaining custom endpoints (not managed by CAP such as custom REST controllers or Spring Actuators) -The security auto configuration authenticates all endpoints by default, unless corresponding CDS model is not explicitly opened to public with [pseudo-role](../guides/security/authorization#pseudo-roles) `any` (configurable behaviour). +The security auto configuration authenticates all endpoints by default, unless corresponding CDS model is not explicitly opened to public with [pseudo-role](../guides/security/cap-users#pseudo-roles) `any` (configurable behaviour). Here's an example of a CDS model and the corresponding authentication configuration: ```cds 
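Review bot: the rewritten line in the `@@ -103` hunk of java/security.md keeps a double negative, `authenticates all endpoints by default, unless corresponding CDS model is not explicitly opened to public`, which literally says the opposite of what is meant. Since the line is being touched anyway, state it positively: `The security auto configuration authenticates all endpoints by default, unless the corresponding CDS model explicitly opens them to the public with pseudo-role any (configurable behaviour).`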
@@ -218,7 +218,7 @@ In case you want to write your own custom security configuration that acts as a ### Custom Authentication { #custom-authentication} -You can configure any authentication method according to your needs. CAP is not bound to any specific authentication method or user representation such as those introduced with XSUAA; it runs requests based on a [user abstraction](../guides/security/authorization#user-claims). The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in [Enforcement API & Custom Handlers](#enforcement-api). +You can configure any authentication method according to your needs. CAP is not bound to any specific authentication method or user representation such as those introduced with XSUAA; it runs requests based on a [user abstraction](../guides/security/cap-users#claims). The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in [Enforcement API & Custom Handlers](#enforcement-api). Therefore, if you bring your own authentication, you must transform the authenticated user and inject it as `UserInfo` to the current request. This is done by means of [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers). 
More frequently you might have the requirement to just adapt the request's `UserInfo` which is possible with the same interface: @@ -270,7 +270,7 @@ Mock users are only initialized if the `org.springframework.boot:spring-boot-sta #### Preconfigured Mock Users -For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/authorization#pseudo-roles). They are named `authenticated`, `system` and `privileged` and can be used with an empty password. For example, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. The privileged user will pass any authorization checks. `cds.security.mock.defaultUsers = false` prevents the creation of default mock users at startup. +For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/cap-users#pseudo-roles). They are named `authenticated`, `system` and `privileged` and can be used with an empty password. For example, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. The privileged user will pass any authorization checks. `cds.security.mock.defaultUsers = false` prevents the creation of default mock users at startup. #### Explicitly Defined Mock Users 
@@ -744,8 +744,8 @@ The most helpful getters in `UserInfo` are listed in the following table: | :---------------------------------------------------- | :----------------------------------------------------- | | `getName()` | Returns the unique (logon) name of the user as configured in the IdP. Referred by `$user` and `$user.name`. | | `getTenant()` | Returns the tenant of the user. | -| `isSystemUser()` | Indicates whether the request has been initiated by a technical service. Refers to [pseudo-role](../guides/security/authorization#pseudo-roles) `system-user`. | -| `isAuthenticated()` | True if the current user has been authenticated. Refers to [pseudo-role](../guides/security/authorization#pseudo-roles) `authenticated-user`. | +| `isSystemUser()` | Indicates whether the request has been initiated by a technical service. Refers to [pseudo-role](../guides/security/cap-users#pseudo-roles) `system-user`. | +| `isAuthenticated()` | True if the current user has been authenticated. Refers to [pseudo-role](../guides/security/cap-users#pseudo-roles) `authenticated-user`. | | `isPrivileged()` | Returns `true` if the current user runs in privileged (that is, unrestricted) mode | | `hasRole(String role)` | Checks if the current user has the given role. | | `getRoles()` | Returns the roles of the current user | diff --git a/tools/cds-lint/rules/auth-valid-restrict-to/index.md b/tools/cds-lint/rules/auth-valid-restrict-to/index.md index 6b6c7fe2fa..f22577ccca 100644 --- a/tools/cds-lint/rules/auth-valid-restrict-to/index.md +++ b/tools/cds-lint/rules/auth-valid-restrict-to/index.md 
@@ -14,7 +14,7 @@ status: released ## Rule Details -The `to` property of a `@restrict` privilege defines one or more [user roles](../../../../guides/security/authorization#roles) or [pseudo roles](../../../../guides/security/authorization#pseudo-roles) that the privilege applies to. This rule checks that the values of `@restrict.to` are valid, that is, roles cannot be missing or misspelled and that roles including `any` should be simplified to just `any`. +The `to` property of a `@restrict` privilege defines one or more [user roles](../../../../guides/security/cap-users#roles) or [pseudo roles](../../../../guides/security/cap-users#pseudo-roles) that the privilege applies to. This rule checks that the values of `@restrict.to` are valid, that is, roles cannot be missing or misspelled and that roles including `any` should be simplified to just `any`. ## Examples From e1f09723720b1002e31eb2bbc6cd4b7e138aaad4 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 27 Nov 2025 16:08:13 +0100 Subject: [PATCH 033/120] fixed links --- guides/security/cap-users.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 65b8f38e22..fdab88fe81 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -119,7 +119,7 @@ CAP roles represent basic building blocks for authorization rules that are defin Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. Dynamic assignments of roles to users can be done by -- [AMS roles](roles-assignment-ams) in case of [IAS authentication](./authentication#ias-auth). +- [AMS roles](#roles-assignment-ams) in case of [IAS authentication](./authentication#ias-auth). - [XSUAA roles](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). ::: tip 
@@ -156,8 +156,8 @@ All technical clients that have access to the application's XSUAA or IAS service The resulting object representation of the user is attached to the current request context and has an impact on the request flow for instance with regards to - [authorizations](./authorization#restrictions) -- [enriching business data](../guides/domain-modeling#managed-data) with user data -- setting [DB session variables](../guides/db-feature-comparison#session-variables) +- [enriching business data](../domain-modeling#managed-data) with user data +- setting [DB session variables](../db-feature-comparison#session-variables) In the CDS model, some of the user properties can be referenced in annotations or static views: @@ -273,7 +273,7 @@ If required, it also runs the new `cds add ias` command to configure the project ::: These libraries integrate into the CAP framework to handle incoming requests. -Based on the user's assigned [policies](#policies), the user's roles are determined and written to the [UserInfo](./security#enforcement-api) object. +Based on the user's assigned [policies](#policies), the user's roles are determined and written to the [UserInfo](#reflection) object. The framework then authorizes the request as usual based on the user's roles. ::: details Node.js plugin `@sap/ams` added to the project @@ -291,7 +291,7 @@ The framework then authorizes the request as usual based on the user's roles. The `@sap/ams` plugin provides multiple build-time features: - Validate `ams.attributes` annotations for type coherence against the AMS schema. -- Generate policies from the CDS model during the build using a [custom build task](../guides/deployment/custom-builds#custom-build-plugins). +- Generate policies from the CDS model during the build using a [custom build task](../deployment/custom-builds#custom-build-plugins). - Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. ::: tip 
@@ -589,7 +589,7 @@ Now let's deploy and start the application with cds up ``` -You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](../guides/security/authentication#ias-admin)): +You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): - Assign (base or custom) policies to IAS users - Create custom policies @@ -836,7 +836,7 @@ In most cases, CAP's default mapping to the CAP user will match your requirement For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. -This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers): +This is done by means of a custom [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../../java/event-handlers/request-contexts#global-providers): ::: details Sample implementation to override the user name 
@@ -886,7 +886,7 @@ Also consider data protection and privacy regulations when storing user data. There are multiple reasonable use cases in which user modification is a suitable approach: - Injecting or mixing user roles by calling `modifiableUserInfo.addRole(String role)` (In fact this is the base for [AMS plugin](#roles-assignment-ams) injecting user specifc roles). -- Providing calculated attributes used for [instance-based authorization](../guides/security/authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. +- Providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. - Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. - ... @@ -1037,7 +1037,7 @@ String jwtToken = jwtTokenInfo.getToken(); Remote APIs can be invoked either on behalf of a named user or a technical user, depending on the callee's specification. Thus, a client executing a business request within a specific user context might need to explicitly adjust the user propagation strategy. -CAP's [Remote Services](../guides/using-services) offer an easy and declarative way to define client-side representations of remote service APIs. +CAP's [Remote Services](../using-services) offer an easy and declarative way to define client-side representations of remote service APIs. Such services integrate seamlessly with CAP, managing connection setup, including [authentication and user propagation](../../java/cqn-services/remote-services#configuring-the-authentication-strategy): ```yaml From c3ddcc39fc1a4bceec7750b394f709a44f22027d Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 27 Nov 2025 16:18:05 +0100 Subject: [PATCH 034/120] fixed links --- guides/providing-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/guides/providing-services.md b/guides/providing-services.md index 47d563f201..355a7155fe 100644 --- a/guides/providing-services.md +++ b/guides/providing-services.md @@ -994,7 +994,7 @@ The remaining cases that need custom handlers, reduce to real custom logic, spec - Domain-specific programmatic [Validations](#input-validation) - Augmenting result sets, for example to add computed fields for frontends -- Programmatic [Authorization Enforcements](/guides/security/cap-users#developing-with-userst) +- Programmatic [Authorization Enforcements](/guides/security/cap-users#developing-with-users) - Triggering follow-up actions, for example calling other services or emitting outbound events in response to inbound events - And more... In general, all the things not (yet) covered by generic handlers From d6716948e1bd3235574bf41661f73c7dda363dc0 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 08:56:52 +0100 Subject: [PATCH 035/120] chapter headers and java menu --- guides/security/authentication.md | 126 +++++--- guides/security/cap-users.md | 4 + guides/security/remote-authentication.md | 4 + java/_menu.md | 1 - java/security.md | 364 ++--------------------- 5 files changed, 122 insertions(+), 377 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 5e9c3b2edd..0be4b8d732 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -21,6 +21,10 @@ status: released # Authentication { #authentication } + + +This guide explains how to authenticate CAP services to resolve CAP users. + [[toc]] ## Pluggable Authentication 
@@ -116,8 +120,13 @@ Mock users require **basic authentication**, hence sending the same request on b Mock users are deactivated in production profile by default ❗ ::: -[Learn more about authentication options in CAP Java](../../java/security#spring-boot){.learn-more} -[Learn more about authentication options in CAP Node.js](../../node.js/authentication#strategies){.learn-more} +
+[Learn more about authentication options](../../java/security#spring-boot){.learn-more} +
+ +
+[Learn more about authentication options](../../node.js/authentication#strategies){.learn-more} +
@@ -131,9 +140,13 @@ You can opt out the preconfiguration of these users by setting `cds { .java } +
[Learn more about predefined mock users in CAP Java](../../java/security#preconfigured-mock-users){.learn-more} -[Learn more about predefined mock users in CAP Node.js](../../node.js/authentication#mock-users){.learn-more} +
+
+[Learn more about predefined mock users in CAP Node.js](../../node.js/authentication#mock-users){.learn-more} +
### Customization { #custom-mock-users } @@ -142,7 +155,7 @@ Hence, you can use the mock users to test your authorization settings as well as
-::: details How to add custom mock user named `viewer-user` in local Spring profile +::: details How to define a custom mock user with name `viewer-user` ```yaml [srv/src/main/resources/application.yaml] spring: config.activate.on-profile: default @@ -170,7 +183,7 @@ cds:
-::: details How to add a custom mock user named `viewer-user` in the configuration file for local testing: +::: details How to add a custom mock user with name `viewer-user` ```yaml [package.json] "cds": { "requires": { @@ -207,21 +220,22 @@ To verify the properties in a user request with a dedicated mock user, activate In the application log you will find information about the resolved user after successful authentication:
- ```sh MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' ``` -
- TODO +
+
+[Learn more about custom mock users](../../java/security#explicitly-defined-mock-users){.learn-more}
-[Learn more about custom mock users in CAP Java](../../java/security#explicitly-defined-mock-users){.learn-more} -[Learn more about custom mock users in CAP Node.js](../../node.js/authentication#mocked){.learn-more} +
+[Learn more about custom mock users](../../node.js/authentication#mocked){.learn-more} +
### Automated Testing { #mock-user-testing } @@ -256,17 +270,20 @@ public class BookServiceOrdersTest { ``` ::: -
TODO -await GET('/CatalogService/Books', { auth: { username: 'viewer-user', password: 'pass' } })
-[Learn more about testing in CAP Java](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more} -[Learn more about testing in CAP Node.js](../../node.js/cds-test#testing-with-cds-test){.learn-more} +
+[Learn more about unit testing](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more} +
+ +
+[Learn more about unit testing](../../node.js/cds-test#testing-with-cds-test){.learn-more} +
## IAS Authentication { #ias-auth } @@ -284,26 +301,30 @@ IAS authentication is best configured and tested in the Cloud, so we're going to Before working with IAS on CF, you need to -- have an IAS (test) tenant. If not available yet, you need to [create](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) it now. +- Prepare an IAS (test) tenant. If not available yet, you need to [create](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) it now. -- [establish trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) +- [Establish trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) towards your IAS tenant to use it as identity provider for applications in your subaccount. -- ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, +- Ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, in particular you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). -In the project root folder, execute +You can continue with the sample [already created](#mock-user-auth). In the project root folder, execute ```sh cds add mta ``` -to make your application ready for deployment to CF, initially. +to make your application ready for deployment to CF. + +
::: tip -Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and hence adds all dependencies required for security transitively. +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all dependencies required for security are added transitively. ::: +
+ ### Adding IAS Now the application is ready to for adding IAS-support by executing 
@@ -320,33 +341,34 @@ modules: - name: bookshop-srv # [...] requires: - - name: bookshop-auth + - name: bookshop-ias parameters: config: credential-type: X509_GENERATED app-identifier: srv resources: - - name: bookshop-auth + - name: bookshop-ias type: org.cloudfoundry.managed-service parameters: service: identity - service-name: bookshop-auth + service-name: bookshop-ias service-plan: application config: display-name: bookshop ``` ::: -Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a unique client (multiple bindings are allowed). -CAP applications can have at most one binding to an IAS instance. +Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a client. +**CAP applications can have at most one binding to an IAS instance.** Conversely, multiple CAP applications can share the same IAS intstance. + Following properties apply: | Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| -| `name` | instance | _Name for the IAS application - unique in the tenant_ | -| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS admins_ | +| `name` | _instance_ | _Name for the IAS application - unique in the tenant_ | +| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS adminstrators_ | | `multi-tenant` | _instance_ | _Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS)_ | | `credential-type` | _binding_ | _`X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application_ | | `app-identifier` | _binding_ | _Ensures stable subject in generated certificate (required for credential rotation)_ | 
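Review bot: the rewritten prerequisite line in the `@@ -284` hunk above keeps `https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites`, an SAP-internal host that readers of the published guide cannot reach. Use the site-relative form the rest of the page uses, `../deployment/to-cf#prerequisites`, so the link works wherever the docs are served.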
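Review bot: two typos in added lines of the `@@ -320` hunk: `share the same IAS intstance` should read `instance`, and `Console UI for IAS adminstrators` should read `administrators`. While here, the bold claim `CAP applications can have at most one binding to an IAS instance` would benefit from a sentence on what happens otherwise (startup error or first binding wins), since a reader who adds a second binding has no way to tell from this paragraph.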
@@ -361,7 +383,8 @@ Now let's pack and deploy the application with cds up ``` -and wait until the application is up and running which you can test with `cf apps` or in BTP Cockpit, alternatively. +and wait until the application is up and running. +You can test the status with `cf apps` or in BTP Cockpit, alternatively. The following trace in the application log confirms the activated IAS authentication:
@@ -372,8 +395,12 @@ The following trace in the application log confirms the activated IAS authentica
+
+TODO +
+ At startup, the CAP runtime checks the available bindings and activates IAS authentication accordingly. -**Therefore, the local setup without an IAS binding in the environment continues to work**. +**Therefore, the local setup (no IAS binding in the environment) is still runnable**. For mTLS support which is mandatory for IAS, the CAP application has a second route configured with the `cert.*` domain. @@ -456,10 +483,10 @@ cf service-key bookshop-auth bookshop-auth-key "credentials": { [...] "certificate": "-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----", - "clientid": "2a92c297-8603-4157-9aa9-ca7585821979", + "clientid": "2a92c297-8603-4157-9aa9-ca758582abcd", "credential-type": "X509_GENERATED", "key": "-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----", - "url": "https://avpxtt84j.accounts400.ondemand.com", + "url": "https://.accounts400.ondemand.com", [...] } } @@ -488,7 +515,7 @@ openssl x509 -in .pem -text -noout All the steps can be executed in a single script as shown in the [example](https://cap.cloud.sap/resources/examples/fetch-ias-certs.sh). ::: -The fetch a token - either as technical or as named user - the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: +To fetch a token - either as technical or as named user - the request needs to provide the **client certificate** being send to `/oauth2/token` endpoint of IAS service with URI given in `url` property of the binding: ::: code-group 
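Review bot: the command this hunk's output belongs to, `cf service-key bookshop-auth bookshop-auth-key`, still uses the old instance name, while the mta.yaml hunk earlier in this patch renamed the resource and service to `bookshop-ias`; a reader following the guide verbatim gets a "service instance not found" error. Rename the command and key (`cf service-key bookshop-ias bookshop-ias-key`) and check the remaining occurrences of `bookshop-auth` in the guide. Separately, the sanitized `"url": "https://.accounts400.ondemand.com"` has an empty host label; put an explicit placeholder there, such as `https://<your-tenant>.accounts400.ondemand.com`, and escape or backtick it so the renderer does not swallow the angle brackets as an HTML tag.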
@@ -598,11 +625,6 @@ TBD ## Custom Authentication { #custom-auth } -::: tip -**By default, CAP authenticates all endpoints of the microservice**, including the endpoints which are not served by CAP itself. -This is the safe baseline on which minor customization steps can be applied on top. -::: - There are multiple reasons why customization might be required: 1. Endpoints for non-business requests often require specific authentication methods (e.g. health check, technical services). 2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). @@ -615,11 +637,17 @@ There are multiple reasons why customization might be required: - For custom endpoints that should have any different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [overrules](#partially-auth) the CAP integration partially for exactly these endpoints. - In case the authentiaction is delegated to a different component, just [deactivate](#fully-auth) CAP authentication and replace by any suitable strategy. +::: tip +**By default, CAP authenticates all endpoints of the microservice, including the endpoints which are not served by CAP itself**. +This is the safe baseline on which minor customization steps can be applied on top. +::: + ### Model-Driven Authentication { #model-auth } -**The auto-configuration authenticates all service endpoints found in the CDS model by default**. +As the auto-configuration authenticates all service endpoints found in the CDS model by default, +you don't need to explicitly activate authentication for these endpoints. -Model endpoints that should be public can be explicitly annotated with [pseudo-role](cap-users#pseudo-roles) `any`: +Endpoints that should be public can be explicitly annotated with [pseudo-role](cap-users#pseudo-roles) `any`: ```cds service BooksService @(requires: 'any') { 
@@ -640,10 +668,21 @@ service BooksService @(requires: 'any') { In multitenant applications, anonymous requests to public endpoints are missing the tenant information and hence this gap needs to be filled by custom code. ::: -[Learn more about authentication options in CAP Java with Spring Boot](../../java/security#spring-boot){.learn-more} +By default, if a CAP service `MyService` is authenticated, also `/MyService/$metadata` is authenticated. +
+ +With `cds.security.authentication.authenticateMetadataEndpoints: false` you can switch off this behaviour on a global level. -### Partially Overrule Authentication { #partially-auth } +[Learn more about authentication options](../../java/security#spring-boot){.learn-more} + +
+ +
+TODO +
+ +### Partially Overrule Authentication { #partially-auth, .java } If you want to explicitly define the authentication for specific endpoints, **you can add an _additional_ Spring security configuration on top** overriding the default configuration given by CAP: @@ -668,11 +707,12 @@ Due to the custom configuration, all URLs matching `/public/**` are opened for p Ensure your custom configuration has higher priority than CAP's default security configuration by decorating the bean with a low order. -::: warning _❗ Warning_ +::: warning _❗ Warning_ Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. Make sure that only the intended endpoints are affected. ::: -[Learn more about custom security configuraitons in CAP Java with Spring Boot](../../java/security#custom-spring-security-config){.learn-more} +[Learn more about custom security configurations in CAP Java with Spring Boot](../../java/security#custom-spring-security-config){.learn-more} + ### Fully Overrule Authentication { #fully-auth } diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index fdab88fe81..58da34b999 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -21,6 +21,10 @@ status: released # CAP Users { #cap-users } + + +This guide introduces to CAP user abstraction and role assignments. + [[toc]] ## CAP User Abstraction { #claims } diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index de456b10c5..644f80bbd0 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md @@ -21,6 +21,10 @@ status: released # Remote Authentication { #remote-authentication } + + +This guide explains how to authenticate remote services. + [[toc]] ## Remote Service Abstraction { #remote-services } diff --git a/java/_menu.md b/java/_menu.md index 3baf3672bb..bcd07a0355 100644 --- a/java/_menu.md +++ b/java/_menu.md 
@@ -24,7 +24,6 @@ # [Multitenancy](multitenancy) ## [Multitenancy (Classic)](multitenancy-classic) # [Security](security) - ## [IAS and AMS](../../java/ams) # [Spring Boot Integration](spring-boot-integration) # [Developing Applications](developing-applications/) ## [Building](developing-applications/building) diff --git a/java/security.md b/java/security.md index 1a3536db83..325315c575 100644 --- a/java/security.md +++ b/java/security.md @@ -1,6 +1,6 @@ --- synopsis: > - Describes authentication and authorization in CAP Java. + Describes authentication and authorization specific for CAP Java. status: released uacp: Used as link target from Help Portal at https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/9186ed9ab00842e1a31309ff1be38792.html --- 
@@ -26,115 +26,61 @@ uacp: Used as link target from Help Portal at https://help.sap.com/products/BTP/ { #security} -## Overview - -For Web services, authentication is about controlling _who_ is using the service. It typically involves verifying the user's identity, tenant, and validating claims like granted roles. In contrast, authorization makes sure that the user has the required privileges to access the requested resources. Hence, authorization is about controlling _what_ the user is allowed to handle. - -Both authentication and authorization are essential for application security: -* [Authentication](#authentication) describes how to configure authentication. -* [Authorization](#auth) is about resource access control. - -[Connecting to IAS Services](#outbound-auth) describes how to authenticate outbound calls. - -::: warning -Without security configuration, CDS services are exposed to the public. Proper configuration of authentication __and__ authorization is required to secure your CAP application. +::: info +This chapter appends CAP Java sepcifc information only. +Consult the comprehensive [Security Guide](../guides/security/#cap-security-guide) first to learn about CAP Security features in general. ::: ## Authentication { #authentication} -Authentication rejects user requests with invalid authentication and limits the possible resource impact. +### Auto Configuration { #xsuaa-ias } -Rejecting them as soon as possible is one reason why authentication is not an integral part of the CAP runtime and must be configured at the application framework level. In addition, CAP Java is based on a [modular architecture](./developing-applications/building#modular_architecture) and allows flexible configuration of any authentication method. -By default, it supports the standard BTP platform identity services [out of the box](#xsuaa-ias): +To enable auto-configuration for authentication based on platform services, following two conditions need to be met: +1. 
Required Maven (runtime) dependencies available. +2. Binding to a corresponding service instance (XSUAA and/or IAS) is available at runtime. -- [SAP Cloud Identity Services Identity Authentication (IAS)](https://help.sap.com/docs/cloud-identity-services) - preferred solution for integrating endpoints across SAP systems -- [SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/authorization-and-trust-management-service) - previous offering scoped to a BTP landscape +::: warning +Only **if both, the library dependencies and an XSUAA/IAS service binding are in place**, the CAP Java SDK activates a Spring security configuration, which enforces authentication for all endpoints **automatically**: +::: -Which are highly recommended for production usage. For specific use cases, [custom authentication](#custom-authentication) can be configured as well. -Local development and testing can be done easily with built-in [mock user](#mock-users) support. +#### Maven Dependencies +To ensure the proper maven dependencies, we recommend using the `cds-starter-cloudfoundry` or the `cds-starter-k8s` starter bundle. +Both can be active for the local scenario. -### Configure XSUAA and IAS Authentication { #xsuaa-ias} -To enable your application for XSUAA or IAS-authentication, we recommend using the `cds-starter-cloudfoundry` or the `cds-starter-k8s` starter bundle, which covers all required dependencies. 
+:::details Dependencies required for authentication -:::details Individual Dependencies -These are the individual dependencies that can be explicitly added in the `pom.xml` file of your service: - * `com.sap.cloud.security:resourceserver-security-spring-boot-starter` that brings [spring-security library](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) - * `org.springframework.boot:spring-boot-starter-security` - * `cds-feature-identity` + - `com.sap.cloud.security:resourceserver-security-spring-boot-starter` that brings [spring-security library](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) + - `org.springframework.boot:spring-boot-starter-security` + - `cds-feature-identity` ::: -Additionally, your application must be bound to corresponding service instances depending on your scenario. The following list describes which service must be bound depending on the tokens your application should accept: +#### Service Bindings + +Additionally, your application must be bound to corresponding service instances depending on your scenario. +The following list describes which service must be bound depending on the tokens your application should accept: * only accept tokens issued by XSUAA --> bind your application to an [XSUAA service instance](../guides/security/authentication#xsuaa-auth) - * only accept tokens issued by IAS --> bind your application to an [IAS service instance](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) - * accept tokens issued by XSUAA and IAS --> bind your application to service instances of both types. + * only accept tokens issued by IAS --> bind your application to an [IAS service instance](../guides/security/authentication#ias-auth) + * accept tokens issued by XSUAA and IAS --> bind your application to service instances of [both types](../guides/security/authentication#hybrid-auth). 
-::: tip Specify Binding +::: tip Unique Binding CAP Java picks only a single binding of each type. If you have multiple XSUAA or IAS bindings, choose a specific binding with property `cds.security.xsuaa.binding` respectively `cds.security.identity.binding`. Choose an appropriate XSUAA service plan to fit the requirements. For instance, if your service should be exposed as technical reuse service, make use of plan `broker`. ::: -#### Proof-Of-Possession for IAS { #proof-of-possession} - -Proof-Of-Possession is a technique for additional security where a JWT token is **bound** to a particular OAuth client for which the token was issued. On BTP, Proof-Of-Possession is supported by IAS and can be used by a CAP Java application. - -Typically, a caller of a CAP application provides a JWT token issued by IAS to authenticate a request. With Proof-Of-Possession in place, a mutual TLS (mTLS) tunnel is established between the caller and your CAP application in addition to the JWT token. Clients calling your CAP application need to send the certificate provided by their `identity` service instance in addition to the IAS token. - -On Cloud Foundry, the CAP application needs to be exposed under an additional route which accepts client certificates and forwards them to the application as `X-Forwarded-Client-Cert` header (for example, the `.cert.cfapps.` domain). - -
- -On Kyma, you must configure an additional component (a gateway in Istio) that accepts client certificates and forwards them to the application as `X-Forwarded-Client-Cert` header. An example can be found in the Bookshop sample application [here](https://github.com/SAP-samples/cloud-cap-samples-java/tree/ias-ams-kyma/k8s). Besides defining the actual `Gateway` resource, you must expose the application under the new domain (see the `values.yaml` [here](https://github.com/SAP-samples/cloud-cap-samples-java/blob/e9c779cb64c0937815910988387b0775d8842765/helm/values.yaml#L47). - -The Proof-Of-Possession also affects approuter calls to a CAP Java application. You must configure the approuter to forward the certificate to the CAP application. First, set `forwardAuthCertificates: true` on the destination pointing to your CAP backend (for more details see [the `environment destinations` section on npmjs.org](https://www.npmjs.com/package/@sap/approuter#environment-destinations)). Second, configure the destination to use the route of the CAP backend that has been configured to accept client certificates as described previously. -When authenticating incoming requests with IAS, the Proof-Of-Possession is activated by default. This requires using at least version `3.5.1` of the [SAP BTP Spring Security Client](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) library. +### Advanced Options { #spring-boot } -You can disable the Proof-Of-Possession enforcement in your CAP Java application by setting the property `sap.spring.security.identity.prooftoken` to `false` in the `application.yaml` file. +#### Authenticated Endpoints { #auth-endpoints } -:::tip -CAP Java requires an AppRouter to be configured with mTLS in case of IAS authentication (`forwardAuthCertificates: true`). 
-::: - - -### Automatic Spring Boot Security Configuration { #spring-boot} - -Only if **both, the library dependencies and an XSUAA/IAS service binding are in place**, the CAP Java SDK activates a Spring security configuration, which enforces authentication for all endpoints **automatically**: +By default, the [auto-configuration](#xsuaa-ias) covers * Protocol adapter endpoints (managed by CAP such as OData V4/V2 or custom protocol adapters) * Remaining custom endpoints (not managed by CAP such as custom REST controllers or Spring Actuators) -The security auto configuration authenticates all endpoints by default, unless corresponding CDS model is not explicitly opened to public with [pseudo-role](../guides/security/cap-users#pseudo-roles) `any` (configurable behaviour). -Here's an example of a CDS model and the corresponding authentication configuration: - -```cds -service BooksService @(requires: 'any') { - @readonly - entity Books @(requires: 'any') {...} - - entity Reviews {...} - - entity Orders @(requires: 'Customer') {...} -} -``` - -| Path | Authenticated ? | -|:--------------------------|:----------------:| -| `/BooksService` | | -| `/BooksService/$metadata` | | -| `/BooksService/Books` | | -| `/BooksService/Reviews` | | -| `/BooksService/Orders` | | - - -::: tip -For multitenant applications, you must authenticate all endpoints because tenant information is essential for processing requests. 
-::: - -There are several application parameters in section `cds.security.authentication` that influence the behaviour of the auto-configuration: +There are several application parameters in section `cds.security.authentication` that influence the behaviour of the auto-configuration wit hregards to the affected endpoints: | Configuration Property | Description | Default | :---------------------------------------------------- | :----------------------------------------------------- | ------------ -| `mode` | Determines the [authentication mode](#auth-mode): `never`, `model-relaxed`, `model-strict` or `always` | `model-strict` | `authenticateUnknownEndpoints` | Determines, if security configurations enforce authentication for endpoints not managed by protocol-adapters. | `true` | `authenticateMetadataEndpoints` | Determines, if OData $metadata endpoints enforce authentication. | `true` @@ -145,7 +91,7 @@ The following properties can be used to disable automatic security configuration | `cds.security.xsuaa.enabled` | Whether automatic XSUAA security configuration is enabled. | `true` | `cds.security.identity.enabled` | Whether automatic IAS security configuration is enabled. | `true` -#### Setting the Authentication Mode { #auth-mode} +#### Authentication Modes { #auth-mode} The property `cds.security.authentication.mode` controls the strategy used for authentication of protocol-adapter endpoints. There are four possible values: @@ -258,7 +204,7 @@ public class CustomUserInfoProvider implements UserInfoProvider { In the example, the `CustomUserInfoProvider` defines an overlay on the default XSUAA-based provider (`defaultProvider`). The overlay redefines the user's name by a combination of email and origin. -### Mock User Authentication with Spring Boot { #mock-users} +### Mock Users { #mock-users} By default, CAP Java creates a security configuration, which accepts _mock users_ for test purposes. 
@@ -360,256 +306,8 @@ cds: The mock user `Alice` is assigned to the mock tenant `CrazyCars` for which the features `cruise` and `park` are enabled. -## Connecting to IAS Services { #outbound-auth } - -CAP Java supports the consumption of IAS-based services of various kinds: - -* [Internal Services](#internal-app) bound to the same IAS instance of the provider application. -* [External IAS](#app-to-app) applications consumed by providing a destination. -* [BTP reuse services](#ias-reuse) consumed via service binding. - -![The TAM graphic is explained in the accompanying text.](./assets/java-ias.png){width="800px" } - -Regardless of the kind of service, CAP provides a [unified integration as Remote Service](/java/cqn-services/remote-services#remote-odata-services). -Basic communication setup and user propagation is addressed under the hood, for example, an mTLS handshake is performed in case of service-2-service communication. - -### Internal Services {#internal-app} - -For communication between adjacent CAP applications, these are CAP applications which are bound to the same identity instance, simplified configuration is explained in [Binding to a Service with Shared Identity](/java/cqn-services/remote-services#binding-to-a-service-with-shared-identity). - -### External Services (IAS App-to-App) {#app-to-app} - -CAP Java supports technical communication with any IAS-based service deployed to an SAP Cloud landscape. User propagation is supported. -For connection setup, it uses [IAS App-2-App flows](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications). - -#### Provider Application - -The CAP Java application as a _provider app_ needs to: - -1. Configure [IAS authentication](/java/security#xsuaa-ias). -2. Expose an API in the IAS service instance. 
- - ::: details Sample IAS instance of provider (mta.yaml) - - Add this to your `mta.yaml` resources section: - - ```yaml - - name: server-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - provided-apis: - - name: "review-api" - ``` - - ::: - -3. Prepare a CDS service endpoint for the exposed API. - - ::: details Sample CDS Service for the API - - ```cds - service ReviewService @(requires: 'review-api') { - [...] - } - ``` - - ::: - - -::: tip API as CAP role -The API identifiers exposed by the IAS instance in list `provided-apis` are granted as CAP roles after successful authentication. -::: - -::: warning Use different roles for technical and business users -Use different CAP roles for technical clients without user propagation and for named business users. - -Instead of using the same role, expose dedicated CDS services to technical clients that are not accessible to business users and vice versa. -::: - -#### Consumer Application - -To set up a connection to such an IAS service, the _consumer app_ requires to do: - -1. Create an IAS instance that consumes the required API. - - ::: details Sample IAS instance for client (mta.yaml) - - Add this to your `mta.yaml` resources section: - - ```yaml - - name: client-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - oauth2-configuration: - token-policy: - grant_types: - - "urn:ietf:params:oauth:grant-type:jwt-bearer" - ``` - - ::: - -2. Create a Remote Service based on the destination (optional). - ::: details Sample Remote Service configuration - - ```yaml - cds: - remote.services: - Reviews: - destination: - name: review-service-destination - ``` - - ::: - -To activate the App-2-App connection as a *consumer*, you need to: - -1. 
Create an IAS application dependency in the IAS tenant: - - Open the Cloud Identity Services admin console - - Navigate to [Application APIs / Dependencies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/communicate-between-applications) - - Create a new dependency pointing to your provider application's API - -2. Create a dedicated [destination](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/access-destinations-editor) with the following configuration: - * The URL pointing to the IAS-endpoint of the application. - * Authentication type `NoAuthentication`. - * Attribute `cloudsdk.ias-dependency-name` with the name of the created IAS application dependency in Step 1. - -
- - - -[Learn more about how to consume external application APIs with IAS](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/consume-apis-from-other-applications) {.learn-more} - -[Learn more about simplified Remote Service configuration with destinations](/java/cqn-services/remote-services#destination-based-scenarios) {.learn-more} - - -### BTP Reuse Services {#ias-reuse} - -IAS-based BTP reuse services can be created/consumed with CAP Java even more easily. - -The CAP reuse service (provider) needs to: - -1. Configure [IAS authentication](/java/security#xsuaa-ias). -2. Bind an IAS instance that exposes services and service plans. - - ::: details Sample IAS instance for provider - - ```yaml - - name: server-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - catalog: - services: - - id: "1d5c23ee-1ce6-6130-4af4-26461bc6ef79" - name: "review-service" - plans: - - id: "2d5c23ee-1ce6-6130-4af4-26461bc6ef78" - name: "review-api" - ``` - - ::: - -3. Prepare a CDS service endpoint for the exposed API. - - ::: details Sample CDS Service for the API - ```cds - service ReviewService @(requires: 'review-api') { - [...] - } - ``` - - ::: - -The CAP consumer application (client) needs to: - -1. Create and bind the provided service from the marketplace. - - ::: details Create and bind service instance. - ```sh - cf create-service review-service review-api review-service-instance - cf bind-service review-service-instance --binding-name review-service-binding - ``` - ::: - -2. Create an IAS instance that consumes the required service. - - ::: details Sample IAS instance for client - - ```yaml - - name: client-identity - type: org.cloudfoundry.managed-service - parameters: - service: identity - service-plan: application - config: - multi-tenant: true - "consumed-services": [ { - "service-instance-name": "review-service-instance" - } ] - ``` - - ::: - -3. 
Create a Remote Service based on the binding (optional). - - ::: details Sample Remote Service configuration - - ```yaml - cds: - remote.services: - Reviews: - binding: - name: review-service-binding - onBehalfOf: currentUser - ``` - - ::: - -4. Use CQN queries to consume the reuse service (optional) -[Learn more about simplified Remote Service configuration with bindings](/java/cqn-services/remote-services#service-binding-based-scenarios) {.learn-more} - -::: tip Service plan name as CAP role -The service plan names as specified in `consumed-services` in the IAS instance are granted as CAP roles after successful authentication. -::: - -::: warning Use different roles for technical and business users -Use different CAP roles for technical clients without user propagation and for named business users. - -Instead of using the same role, expose dedicated CDS services to technical clients that are not accessible to business users and vice versa. -::: - - -#### How to Authorize Callbacks - -For bidirectional communication, callbacks from the reuse service to the CAP service need to be authorized as well. -Currently, there is no standardized way to achieve this in CAP, so custom coding is required. -As a prerequisite, the CAP service must know the clientId of the reuse service's IAS application, which should be part of the binding exposed to the CAP service. - -::: details Sample Code for Authorization of Callbacks - -```java -private void authorizeCallback() { - UserInfo userInfo = runtime.getProvidedUserInfo(); - String azp = (String) userInfo.getAdditionalAttributes().get("azp"); - if(!userInfo.isSystemUser() || azp == null || !azp.equals(clientId)) { - throw new ErrorStatusException(ErrorStatuses.FORBIDDEN); - } - } -``` -::: ## Authorization { #auth} From a7babc3f59f8992073940320b8f274781269f779 Mon Sep 17 00:00:00 2001 
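Review bot: in the `cf service-key` sample (hunk @@ -456 of guides/security/authentication.md), the rewritten line `"url": "https://.accounts400.ondemand.com"` has lost its host label, so the sample now shows an invalid URL; the same empty placeholder appears in the context line `openssl x509 -in .pem -text -noout`. Use a placeholder that survives rendering (for example `https://<tenant>.accounts400.ondemand.com` with the brackets escaped, or `{tenant}`), and do the same for the `.pem` file name. In hunk @@ -488, the fix from "The fetch a token" to "To fetch a token" is right, but the same sentence still says "the client certificate being send to"; make it "being sent to" while you are there.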
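Review bot: the custom-authentication hunks (@@ -598 and @@ -615) move the "By default, CAP authenticates all endpoints" tip below the option list, which reads better, but the context bullet "In case the authentiaction is delegated to a different component" keeps its typo ("authentication") and the same sentence should read "replace it with any suitable strategy"; fix both once here, since the later patch in this series touches the same region with the same spelling.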
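Review bot: the new `$metadata` paragraph (hunk @@ -640) should say what `cds.security.authentication.authenticateMetadataEndpoints: false` gives up: with it set, every `/MyService/$metadata` document is served to unauthenticated callers, and the multitenancy caveat directly above it (anonymous requests carry no tenant information) applies to those requests as well. The same hunk commits a bare `TODO` placeholder into a guide whose front matter says `status: released`; either fill the Node.js part or drop the placeholder before merge. Finally, the renamed heading `### Partially Overrule Authentication { #partially-auth, .java }` separates its attributes with a comma, whereas every other heading in the file uses the `{ #model-auth }` form; confirm the attribute parser accepts the comma, otherwise write `{ #partially-auth .java }`.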
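Review bot: the java/security.md hunk (@@ -26) removes security-relevant content with no visible replacement: the Proof-Of-Possession section, including the `sap.spring.security.identity.prooftoken` switch, the approuter requirement `forwardAuthCertificates: true` and the `X-Forwarded-Client-Cert` route setup, plus the warning "Without security configuration, CDS services are exposed to the public". Nothing in this patch adds these to the general guide (the authentication.md hunk only mentions the `cert.*` route), so either keep them here or add them to guides/security/authentication.md in the same change. Smaller points in the same hunk: "sepcifc" should be "specific"; the `::: warning` box ends in a colon with nothing following it inside the box; "Both can be active for the local scenario" is unclear (say that both bundles also work for local runs, if that is the intent); and "wit hregards" should be "with regards".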
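Review bot: hunk @@ -360 deletes the whole "Connecting to IAS Services" section of java/security.md, including the "Use different roles for technical and business users" warnings and the callback-authorization sample that checks `isSystemUser()` and the `azp` claim against the reuse service's client id. The only change to guides/security/remote-authentication.md in this patch is a one-line synopsis, so readers lose that guidance and the anchors `#outbound-auth`, `#internal-app`, `#app-to-app` and `#ias-reuse` go dark. Move the section (at minimum the role-separation warning and the callback check) into the remote-authentication guide in the same commit, and keep the old anchors pointing there.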
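Review bot: in the cap-users.md hunk (@@ -21), "This guide introduces to CAP user abstraction and role assignments." should read "This guide introduces the CAP user abstraction and role assignments."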
From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 15:02:33 +0100 Subject: [PATCH 036/120] refactored java security and authorization guide --- guides/security/authentication.md | 68 +++++-- guides/security/authorization.md | 269 ++++++++++++++++++++------- java/security.md | 289 +++++++++--------------------- 3 files changed, 342 insertions(+), 284 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 0be4b8d732..9eff35812a 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -63,7 +63,7 @@ mvn spring-boot:run ``` ::: tip -CAP Java requires (transitive) dependency to `spring-boot-starter-security` to enable authentication middleware support. +CAP Java requires some Maven [dependencies](../../java/security#maven-dependencies) to enable authentication middleware support. Platform starter bundles `cds-starter-cf` and `cds-starter-k8s` ensure all required dependencies out of the box. ::: @@ -121,11 +121,15 @@ Mock users are deactivated in production profile by default ❗ :::
+ [Learn more about authentication options](../../java/security#spring-boot){.learn-more} +
+ [Learn more about authentication options](../../node.js/authentication#strategies){.learn-more} +
@@ -141,11 +145,15 @@ You can opt out the preconfiguration of these users by setting `cds
+ [Learn more about predefined mock users in CAP Java](../../java/security#preconfigured-mock-users){.learn-more} +
+ [Learn more about predefined mock users in CAP Node.js](../../node.js/authentication#mock-users){.learn-more} +
### Customization { #custom-mock-users } @@ -220,9 +228,11 @@ To verify the properties in a user request with a dedicated mock user, activate In the application log you will find information about the resolved user after successful authentication:
+ ```sh MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' ``` +
@@ -230,11 +240,15 @@ TODO
+ [Learn more about custom mock users](../../java/security#explicitly-defined-mock-users){.learn-more} +
+ [Learn more about custom mock users](../../node.js/authentication#mocked){.learn-more} +
@@ -278,11 +292,15 @@ TODO
+ [Learn more about unit testing](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more} +
+ [Learn more about unit testing](../../node.js/cds-test#testing-with-cds-test){.learn-more} +
@@ -320,7 +338,7 @@ to make your application ready for deployment to CF.
::: tip -Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all dependencies required for security are added transitively. +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. :::
@@ -359,11 +377,18 @@ resources: ``` ::: +
+ +::: tip +Command `add ias` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates IAS authentiaction automatically. +::: + +
+ Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a client. **CAP applications can have at most one binding to an IAS instance.** Conversely, multiple CAP applications can share the same IAS intstance. - -Following properties apply: +Following properties are available: | Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| @@ -375,8 +400,8 @@ Following properties apply: [Lean more about IAS service instance and binding creation options](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/reference-information-for-identity-service-of-sap-btp){.learn-more} -
+
Now let's pack and deploy the application with ```sh @@ -632,17 +657,28 @@ There are multiple reasons why customization might be required: ![Endpoints with different authentication strategy](./assets/custom-auth.drawio.svg){width="380px"} +
+ +[Advanced configuration options](../../java/security#spring-boot) allow you to control the behaviour of CAP's authentication behaviour according to your needs: + +
+ +
+TODO +
+ - For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. - For custom endpoints you also can go with default settings because CAP will enforce authentication as well. - For custom endpoints that should have any different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [overrules](#partially-auth) the CAP integration partially for exactly these endpoints. - In case the authentiaction is delegated to a different component, just [deactivate](#fully-auth) CAP authentication and replace by any suitable strategy. -::: tip +::: tip Secure by Default **By default, CAP authenticates all endpoints of the microservice, including the endpoints which are not served by CAP itself**. This is the safe baseline on which minor customization steps can be applied on top. ::: -### Model-Driven Authentication { #model-auth } + +### Automatic Authentication { #model-auth } As the auto-configuration authenticates all service endpoints found in the CDS model by default, you don't need to explicitly activate authentication for these endpoints. @@ -682,7 +718,7 @@ With `cds.security.authentication.authenticateMetadataEndpoints: false` you can TODO
-### Partially Overrule Authentication { #partially-auth, .java } +### Overrule Partially { #partially-auth, .java } If you want to explicitly define the authentication for specific endpoints, **you can add an _additional_ Spring security configuration on top** overriding the default configuration given by CAP: @@ -711,17 +747,15 @@ Ensure your custom configuration has higher priority than CAP's default security Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. Make sure that only the intended endpoints are affected. ::: -[Learn more about custom security configurations in CAP Java with Spring Boot](../../java/security#custom-spring-security-config){.learn-more} +[Learn more about overruling Spring security configuration in CAP Java](../../java/security#custom-spring-security-config){.learn-more} -### Fully Overrule Authentication { #fully-auth } +### Overrule Fully { #fully-auth } In services meshes such as [Istio](https://istio.io/) the authentication is usually fully delegated to a central ingress gateway and the internal communication with the services is protercted by a secure channel: ![Service Mesh with Ingress Gateway](./assets/ingress-auth.drawio.svg){width="500px"} -In such architectures, CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. - ::: tip User propagation should be done by forwarding the request token in `Authorization`-header accordingly. This will make standard CAP authorization work properly. @@ -731,6 +765,16 @@ This will make standard CAP authorization work properly. If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure. ::: +
+In such architectures, CAP authentication is obsolete and can be deactivated entirely with `cds.security.authentication.mode="never"`. + +[Learn more about how to switch off authentication in CAP Java](../../java/security#custom-spring-security-alone){.learn-more} + +
+ +
+TODO +
## Pitfalls diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 7e86e9bebc..2a2cae02e3 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md @@ -23,6 +23,8 @@ uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/ # CAP Authorization { #authorization } + + This guide explains how to restrict access to data by adding respective declarations to CDS models, which are then enforced by CAP's generic service providers. [[toc]] @@ -252,11 +254,6 @@ Here an `Auditor` user can read all orders with matching `country` or that they - `@requires: 'Viewer'` is equivalent to `@restrict: [{grant:'*', to: 'Viewer'}]` - `@readonly` is the same as `@restrict: [{ grant:'READ' }]` -Currently, the security annotations **are only evaluated on the target entity of the request**. Restrictions on associated entities touched by the operation are not regarded. This has the following implications: -- Restrictions of (recursively) expanded or inlined entities of a `READ` request aren't checked. -- Deep inserts and updates are checked on the root entity only. - -See [solution sketches](#limitation-deep-authorization) for information about how to deal with that.{.learn-more} #### Supported Combinations with CDS Resources 
@@ -325,6 +322,47 @@ The resulting authorizations are illustrated in the following access matrix: The example models access rules for different roles in the same service. In general, this is _not recommended_ due to the high complexity. See [best practices](#dedicated-services) for information about how to avoid this. +### Propagation of Restrictions { #propagated-restrictions } + +Service entities inherit the restriction from the database entity, on which they define a projection. +An explicit restriction defined on a service entity *replaces* inherited restrictions from the underlying entity. + +Entity `Books` on a database level: + +```cds +namespace db; +entity Books @(restrict: [ + { grant: 'READ', to: 'Buyer' }, +]) {/*...*/} +``` + +Services `BuyerService` and `AdminService` on a service level: + +```cds +service BuyerService @(requires: 'authenticated-user'){ + entity Books as projection on db.Books; /* inherits */ +} + +service AdminService @(requires: 'authenticated-user'){ + entity Books @(restrict: [ + { grant: '*', to: 'Admin'} /* overrides */ + ]) as projection on db.Books; +} +``` + +| Events | `Buyer` | `Admin` | `authenticated-user` | +|-------------------------------|:-------:|:-------:|:--------------------:| +| `BuyerService.Books` (`READ`) | | | | +| `AdminService.Books` (`*`) | | | | + +::: tip +We recommend defining restrictions on a database entity level only in exceptional cases. Inheritance and override mechanisms can lead to an unclear situation. +::: + +::: warning _Warning_ +A service level entity can't inherit a restriction with a `where` condition that doesn't match the projected entity. The restriction has to be overridden in this case. +::: + ### Draft Mode {#restrictions-and-draft-mode} @@ -371,57 +409,44 @@ So, the authorization for the requests in the example is delegated as follows: > 2 `@readonly` due to `@cds.autoexpose`
> 3 According to the restriction. `` is relevant for instance-based filters. -### Inheritance of Restrictions -Service entities inherit the restriction from the database entity, on which they define a projection. An explicit restriction defined on a service entity *replaces* inherited restrictions from the underlying entity. -Entity `Books` on a database level: +## Instance-Based Access Control { #instance-based-auth } -```cds -namespace db; -entity Books @(restrict: [ - { grant: 'READ', to: 'Buyer' }, -]) {/*...*/} -``` +The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. +In addition, you can define a `where`-condition that further limits the set of accessible instances. +This condition, which acts like a filter, establishes *instance-based authorization*. -Services `BuyerService` and `AdminService` on a service level: +### Filter Conditions { #filter-consitions } -```cds -service BuyerService @(requires: 'authenticated-user'){ - entity Books as projection on db.Books; /* inherits */ -} +The condition defined in the `where` clause typically associates domain data with static [user claims](cap-users#claims). +Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. +This means that, the condition applies to following standard CDS events only: +- `READ` (as result filter) +- `UPDATE` (as reject condition) +- `DELETE` (as reject condition) -service AdminService @(requires: 'authenticated-user'){ - entity Books @(restrict: [ - { grant: '*', to: 'Admin'} /* overrides */ - ]) as projection on db.Books; -} -``` +
-| Events | `Buyer` | `Admin` | `authenticated-user` | -|-------------------------------|:-------:|:-------:|:--------------------:| -| `BuyerService.Books` (`READ`) | | | | -| `AdminService.Books` (`*`) | | | | +In addition, the runtime [checks the filter condition of the input data](#input-data-auth) for following standard CDS events: +- `CREATE` (input filter) +- `UPDATE` (input filer) -::: tip -We recommend defining restrictions on a database entity level only in exceptional cases. Inheritance and override mechanisms can lead to an unclear situation. -::: +
-::: warning _Warning_ -A service level entity can't inherit a restriction with a `where` condition that doesn't match the projected entity. The restriction has to be overridden in this case. -::: +You can define filter conditions in the `where`-clause of restrictions based on [CQL](/cds/cql)-predicates, declared as [compiler expressions](../../cds/cdl#expressions-as-annotation-values): -## Instance-Based Access Control { #instance-based-auth } +* Predicates with arithmetic operators. +* Combining predicates to expressions with `and` and `or` logical operators. +* Value references to constants, [user attributes](#user-attrs), and entity data (elements including [association paths](#association-paths)) +* [Exists predicate](#exists-predicate) based on subselects. -The [restrict annotation](#restrict-annotation) for an entity allows you to enforce authorization checks that statically depend on the event type and user roles. In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes *instance-based authorization*. +
-The condition defined in the `where` clause typically associates domain data with static [user claims](cap-users#claims). Basically, it *either filters the result set in queries or accepts only write operations on instances that meet the condition*. This means that, the condition applies to following standard CDS events only1: -- `READ` (as result filter) -- `UPDATE` (as reject condition2) -- `DELETE` (as reject condition2) +* [Exists with a subquery](#exists-subquery) for access to ACL like entities. + +
- > 1 Node.js supports _static expressions_ that *don't have any reference to the model* such as `where: $user.level = 2` for all events. - > 2 CAP Java uses a filter condition by default. For instance, a user is allowed to read or edit `Orders` (defined with the `managed` aspect) that they have created: @@ -437,18 +462,20 @@ annotate Articles with @(restrict: [ { grant: ['UPDATE'], to: 'Vendor', where: (stock > 0) } ]); ``` -You can define `where`-conditions in restrictions based on [CQL](/cds/cql)-where-clauses.
-Supported features are: -* Predicates with arithmetic operators. -* Combining predicates to expressions with `and` and `or` logical operators. -* Value references to constants, [user attributes](#user-attrs), and entity data (elements including [paths](#association-paths)) -* [Exists predicate](#exists-predicate) based on subselects. +::: tip +Filter conditions declared as **compiler expressions** ensure validity at compile time and therefore strengthen security. +::: + +At runtime you'll find filter predicates attached to the appropriate CQN queries matching the instance-based condition. -::: info Avoid enumerable keys -In case the filter condition is not met in an `UPDATE` or `DELETE` request, the runtime rejects the request (response code 403) even if the user is not even allowed to read the entity. To avoid disclosing the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable. +:::warning Modification of Statements +Be careful when you modify or extend the statements in custom handlers. +Make sure you keep the filters for authorization. ::: -### User Attribute Values { #user-attrs} + + +#### User Attributes { #user-attrs} To refer to attribute values from the user claim, prefix the attribute name with '`$user.`' as outlined in [static user claims](cap-users#claims). For instance, `$user.country` refers to the attribute with the name `country`. 
@@ -458,7 +485,7 @@ In general, `$user.` contains a **list of attribute values** that are For example, the condition `where: $user.country = countryCode` will grant a user with attribute values `country = ['DE', 'FR']` access to entity instances that have `countryCode = DE` _or_ `countryCode = FR`. In contrast, the user has no access to any entity instances if the value list of country is empty or the attribute is not available at all. -#### Unrestricted XSUAA Attributes +##### Unrestricted XSUAA Attributes By default, all attributes defined in [XSUAA instances](./cap-users#xsuaa-roles) require a value (`valueRequired:true`), which is well-aligned with the CAP runtime that enforces restrictions on empty attributes. If you explicitly want to offer unrestricted attributes to customers, you need to do the following: @@ -500,9 +527,7 @@ service SalesService @(requires: ['SalesAdmin', 'SalesManager']) { } ``` - - -### Exists Predicate { #exists-predicate } +#### Exists Predicate { #exists-predicate } In many cases, the authorization of an entity needs to be derived from entities reachable via association path. See [domain-driven authorization](#domain-driven-authorization) for more details. You can leverage the `exists` predicate in `where` conditions to define filters that directly apply to associated entities defined by an association path: @@ -564,10 +589,8 @@ Here, the authorization of `Products` is derived from `Divisions` by leveraging Be aware that deep paths might introduce a performance bottleneck. Access Control List (ACL) tables, managed by the application, allow efficient queries and might be the better option in this case. ::: -
- -### Association Paths { #association-paths} +#### Association Paths { #association-paths} The `where`-condition in a restriction can also contain [CQL path expressions](/cds/cql#path-expressions) that navigate to elements of associated entities: @@ -584,16 +607,132 @@ service SalesOrderService @(requires: 'authenticated-user') { } ``` -Paths on 1:n associations (`Association to many`) are only supported, _if the condition selects at most one associated instance_. -It's highly recommended to use the [exists](#exists-predicate) predicate instead. -::: tip -Be aware of increased execution time when modeling paths in the authorization check of frequently requested entities. Working with materialized views might be an option for performance improvement in this case. +Paths on 1:n associations (`Association to many`) evaluate to `true`, _if the condition selects at most one associated instance_ (`exists` semantic). + + +
+ +
+ +
+ + +### Checking Input Data { #input-data-auth .java} + +Input data of `CREATE` and `UPDATE` events is also validated with regards to instance-based authorization conditions. +Invalid input that does not meet the condition is rejected with response code `400`. + +Let's assume an entity `Orders` which restricts access to users classified by assigned accounting areas: + +```cds +annotate Orders with @(restrict: [ + { grant: '*', where: 'accountingArea = $user.accountingAreas' } ]); +``` + +A user with accounting areas `[Development, Research]` is not able to send an `UPDATE` request, that changes `accountingArea` from `Research` or `Development` to `CarFleet`, for example. +Note that the `UPDATE` on instances _not matching the request user's accounting areas_ (for example, `CarFleet`) are rejected by standard instance-based authorization checks. + +Starting with CAP Java `4.0`, deep authorization is active by default. +It can be disabled by setting cds.security.authorization.instanceBased.checkInputData: false. + + +### Rejected Entity Selection { #reject-403 .java} + +Entities that have an instance-based authorization condition, that is [`@restrict.where`](/guides/security/authorization#restrict-annotation), +are guarded by the CAP Java runtime by adding a filter condition to the DB query **excluding not matching instances from the result**. +Hence, if the user isn't authorized to query an entity, requests targeting a *single* entity return *404 - Not Found* response and not *403 - Forbidden*. + +To allow the UI to distinguish between *not found* and *forbidden*, CAP Java can detect this situation and rejects`UPDATE` and `DELETE` requests to single entities with forbidden accordingly. +The additional authorization check may affect performance. 
+ +::: warning Avoid enumerable keys +To avoid to disclosure the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable or add custom code to overrule the default behaviour otherwise. ::: -::: warning _Warning_ -In Node.js, association paths in `where` clauses are currently only supported when using SAP HANA. +Starting with CAP Java `4.0`, the reject behaviour is active by default. +It can be disabled by setting cds.security.authorization.instance-based.reject-selected-unauthorized-entity.enabled: false. + + + +## Limitations {.node} + +Currently, the security annotations **are only evaluated on the target entity of the request**. +Restrictions on associated entities touched by the operation are not regarded. +This has the following implications: +- Restrictions of (recursively) expanded or inlined entities of a `READ` request aren't checked. +- Deep inserts and updates are checked on the root entity only. + +See [solution sketches](#limitation-deep-authorization) for information about how to deal with that. + + +## Deep Authorizations { #deep-auth .java} + +### Associations + +Queries to Application Services are not only authorized by the target entity which has a `@restrict` or `@requires` annotation, but also for all __associated entities__ that are used in the statement. +For instance, consider the following model: + +```cds +@(restrict: [{ grant: 'READ', to: 'Manager' }]) +entity Books {...} + +@(restrict: [{ grant: 'READ', to: 'Manager' }]) +entity Orders { + key ID: String; + items: Composition of many { + key book: Association to Books; + quantity: Integer; + } +} +``` + +For the following OData request `GET Orders(ID='1')/items?$expand=book`, authorizations for `Orders` and for `Books` are checked. +If the entity `Books` has a `where` clause for instance-based authorization, it will be added as a filter to the sub-request with the expand. 
+ +Custom CQL statements submitted to the [Application Service](../../java/cqn-services/application-services) instances are also authorized by the same rules including the path expressions and subqueries used in them. + +For example, the following statement checks role-based authorizations for both `Orders` and `Books`, +because the association to `Books` is used in the select list. + +```java +Select.from(Orders_.class, + f -> f.filter(o -> o.ID().eq("1")).items()) + .columns(c -> c.book().title()); +``` + +For modification statements with associated entities used in infix filters or where clauses, +role-based authorizations are checked as well. +Associated entities require `READ` authorization, in contrast to the target of the statement itself. + +The following statement requires `UPDATE` authorization on `Orders` and `READ` authorization on `Books` +because an association from `Orders.items` to the book is used in the where condition. + +```java +Update.entity(Orders_.class, f -> f.filter(o -> o.ID().eq("1")).items()) + .data("quantity", 2) + .where(t -> t.book().ID().eq(1)); +``` +Starting with CAP Java `4.0`, deep authorization is active by default. +It can be disabled by setting cds.security.authorization.deep.enabled: false. + + +### Compositions + +Restrictions on associated composition entities touched by the request are **not** regarded by the runtime. +The rational behind that is that authorization rules are [implicitly defined by the root entity of the document](#autoexposed-restrictions) and therefore security annotations **of the composition root entity are evaluated**. + +This has the following implications: +- Restrictions of (recursively) expanded or inlined entities of a `READ` request aren't checked. +- Deep `INSERT`s and `UPDATE`s are checked on the root entity only. + +::: warning +**Restrictions on compositions are not checked by the runtime**. 
+If you model dedicated restriction rules on child entity level, you need to add custom authorization handlers accordingly. ::: + + + ## Best Practices CAP authorization allows you to control access to your business data on a fine granular level. But keep in mind that the high flexibility can end up in security vulnerabilities if not applied appropriately. In this perspective, lean and straightforward models are preferred. When modeling your access rules, the following recommendations can support you to design such models. diff --git a/java/security.md b/java/security.md index 325315c575..24beacbd85 100644 --- a/java/security.md +++ b/java/security.md 
@@ -36,26 +36,26 @@ Consult the comprehensive [Security Guide](../guides/security/#cap-security-guid ### Auto Configuration { #xsuaa-ias } To enable auto-configuration for authentication based on platform services, following two conditions need to be met: -1. Required Maven (runtime) dependencies available. -2. Binding to a corresponding service instance (XSUAA and/or IAS) is available at runtime. +1. Required Maven [dependencies](#maven-dependencies) available. +2. [Binding](#bindings) to a corresponding service instance (XSUAA and/or IAS) is available at runtime. ::: warning -Only **if both, the library dependencies and an XSUAA/IAS service binding are in place**, the CAP Java SDK activates a Spring security configuration, which enforces authentication for all endpoints **automatically**: +Only **if both, the library dependencies and an XSUAA or IAS service binding are in place**, the CAP Java SDK activates a Spring security configuration, which enforces authentication for all endpoints **automatically**. ::: -#### Maven Dependencies +#### Maven Dependencies { #maven-dependencies } To ensure the proper maven dependencies, we recommend using the `cds-starter-cloudfoundry` or the `cds-starter-k8s` starter bundle. Both can be active for the local scenario. 
-:::details Dependencies required for authentication +:::details Runtime Maven dependencies required for authentication - - `com.sap.cloud.security:resourceserver-security-spring-boot-starter` that brings [spring-security library](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) - - `org.springframework.boot:spring-boot-starter-security` - - `cds-feature-identity` +- `cds-feature-identity` +- `org.springframework.boot:spring-boot-starter-security` +- `com.sap.cloud.security:resourceserver-security-spring-boot-starter` that brings [spring-security library](https://github.com/SAP/cloud-security-services-integration-library/tree/main/spring-security) ::: -#### Service Bindings +#### Service Bindings { #bindings } Additionally, your application must be bound to corresponding service instances depending on your scenario. The following list describes which service must be bound depending on the tokens your application should accept: @@ -68,8 +68,7 @@ CAP Java picks only a single binding of each type. If you have multiple XSUAA or Choose an appropriate XSUAA service plan to fit the requirements. For instance, if your service should be exposed as technical reuse service, make use of plan `broker`. ::: - -### Advanced Options { #spring-boot } +### Custom Authentication { #spring-boot } #### Authenticated Endpoints { #auth-endpoints } 
@@ -84,31 +83,27 @@ There are several application parameters in section `cds.security.authentication | `authenticateUnknownEndpoints` | Determines, if security configurations enforce authentication for endpoints not managed by protocol-adapters. | `true` | `authenticateMetadataEndpoints` | Determines, if OData $metadata endpoints enforce authentication. | `true` -The following properties can be used to disable automatic security configuration: - -| Configuration Property | Description | Default -| :---------------------------------------------------- | :----------------------------------------------------- | ------------ -| `cds.security.xsuaa.enabled` | Whether automatic XSUAA security configuration is enabled. | `true` -| `cds.security.identity.enabled` | Whether automatic IAS security configuration is enabled. | `true` - #### Authentication Modes { #auth-mode} The property `cds.security.authentication.mode` controls the strategy used for authentication of protocol-adapter endpoints. There are four possible values: -- `never`: No endpoint requires authentication. All protocol-adapter endpoints are considered public. -- `model-relaxed`: Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is considered public. -- `model-strict`: Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public. -- `always`: All endpoints require authentication. +| Configuration Property | Description | +| :---------------------------------------------------- | :----------------------------------------------------- | +| `never` | No endpoint requires authentication. All protocol-adapter endpoints are considered public. +| `model-relaxed` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. 
If no such annotation is available, the endpoint is considered public. +| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public (Default). +| `always` | All endpoints require authentication. By default the authentication mode is set to `model-strict` to comply with secure-by-default. In that case you can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again. You can only make an endpoint public if the full endpoint path is also considered public. For example you can only make an entity public, if the service that contains it is also considered public. + ::: tip The authentication mode has no impact on the *authorization* behaviour. ::: -#### Customizing Spring Boot Security Configuration { #custom-spring-security-config} +#### Overrule Partially { #custom-spring-security-config } If you want to explicitly change the automatic security configuration, you can add an _additional_ Spring security configuration on top that overrides the default configuration by CAP. This can be useful if an alternative authentication method is required for *specific endpoints* of your application. 
@@ -160,55 +155,31 @@ public class ActuatorSecurityConfig { } ``` -In case you want to write your own custom security configuration that acts as a last line of defense and handles any request you need to disable the CAP security configurations by setting cds.security.authentication.authConfig.enabled: false, as Spring Security forbids registering multiple security configurations with an any request security matcher. -### Custom Authentication { #custom-authentication} +#### Overrule Fully { #custom-spring-security-alone } -You can configure any authentication method according to your needs. CAP is not bound to any specific authentication method or user representation such as those introduced with XSUAA; it runs requests based on a [user abstraction](../guides/security/cap-users#claims). The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in [Enforcement API & Custom Handlers](#enforcement-api). +In case you want to write your own custom security configuration that acts as a last line of defense and handles any request you need to disable the CAP security configurations by setting cds.security.authentication.authConfig.enabled: false, as Spring Security forbids registering multiple security configurations with an any request security matcher. -Therefore, if you bring your own authentication, you must transform the authenticated user and inject it as `UserInfo` to the current request. 
This is done by means of [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers). -More frequently you might have the requirement to just adapt the request's `UserInfo` which is possible with the same interface: +If you even want to deactivate OAuth token validation for XSUAA or IAS, e.g. to establish an own authentication strategy, +the following properties can be used: +| Configuration Property | Description | Default +| :---------------------------------------------------- | :----------------------------------------------------- | ------------ +| `cds.security.xsuaa.enabled` | Whether automatic XSUAA security configuration is enabled. | `true` +| `cds.security.identity.enabled` | Whether automatic IAS security configuration is enabled. | `true` -```java -@Component -public class CustomUserInfoProvider implements UserInfoProvider { - private UserInfoProvider defaultProvider; - @Override - public UserInfo get() { - ModifiableUserInfo userInfo = UserInfo.create(); - if (defaultProvider != null) { - UserInfo prevUserInfo = defaultProvider.get(); - if (prevUserInfo != null) { - userInfo = prevUserInfo.copy(); - } - } - if (userInfo != null) { - /* any modification of the resolved user goes here: */ - XsuaaUserInfo xsuaaUserInfo = userInfo.as(XsuaaUserInfo.class); - userInfo.setName(xsuaaUserInfo.getEmail() + "/" + - xsuaaUserInfo.getOrigin()); // normalizes name - } +## CAP Users { #custom-authentication} - return userInfo; - } - - @Override - public void setPrevious(UserInfoProvider prev) { - this.defaultProvider = prev; - } -} -``` - -In the example, the `CustomUserInfoProvider` defines an overlay on the default XSUAA-based provider (`defaultProvider`). 
The overlay redefines the user's name by a combination of email and origin. +CAP is not bound to any specific authentication method or user representation such as those introduced with XSUAA or IAS; it runs requests based on a [user abstraction](../guides/security/cap-users#claims). +The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) as explained in the [authentication guide](../guides/security/cap-users#developing-with-users). ### Mock Users { #mock-users} By default, CAP Java creates a security configuration, which accepts _mock users_ for test purposes. -::: details Requirement +::: tip Mock users are only initialized if the `org.springframework.boot:spring-boot-starter-security` dependency is present in the `pom.xml` file of your service. 
@@ -216,20 +187,38 @@ Mock users are only initialized if the `org.springframework.boot:spring-boot-sta #### Preconfigured Mock Users -For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/cap-users#pseudo-roles). They are named `authenticated`, `system` and `privileged` and can be used with an empty password. For example, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. The privileged user will pass any authorization checks. `cds.security.mock.defaultUsers = false` prevents the creation of default mock users at startup. +For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/cap-users#pseudo-roles): + +| Name | Role | Password +| :---------------------------------------------------- | :----------------------------------------------------- | ------------ +| `authenticated` | `authenticated-user` | _empty_ +| `system` |`system-user` | _empty_ +| `privileged` | privileged mode | _empty_ + -#### Explicitly Defined Mock Users +For example, requests sent during a Spring MVC unit test with annotation `@WithMockUser("authenticated")` will pass authorization checks that require `authenticated-user`. +The privileged user will pass any authorization checks. + +There are several properties to control behavioud of mock users: + +| Configuration Property | Description | Default +| :---------------------------------------------------- | :----------------------------------------------------- | ------------ +| `cds.security.mock.defaultUsers` | Activates creation of pre-defined mock users at startup. | `true` +| `cds.security.mock.enabled` | Activates mock users. | `false` in production profile, `true` otherwise. + + +#### Custom Mock Users You can also define mock users explicitly. 
This mock user configuration only applies if: -* The service runs without an XSUAA service binding (non-production mode) +* The service runs without a service binding (non-production mode) * Mock users are defined in the active application configuration -Define the mock users in a Spring profile, which may be only active during testing, as in the following example: +Define the mock users in a Spring profile, which may be only active in local testing, as in the following example: ::: code-group ```yaml [srv/src/main/resources/application.yaml] --- spring: - config.activate.on-profile: test + config.activate.on-profile: default cds: security: mock: @@ -256,8 +245,6 @@ cds: - Mock user with name `Viewer-User` is a typical business user with SaaS tenant `CrazyCars` who has the assigned role `Viewer` and user attribute `Country` (`$user.Country` evaluates to the value list `[GER, FR]`). This user also has the additional attribute `email`, which can be retrieved with `UserInfo.getAdditionalAttribute("email")`. The [features](../java/reflection-api#feature-toggles) `cruise` and `park` are enabled for this mock user. - `Admin-User` is a user running in privileged mode. Such a user is helpful in tests that bypasses all authorization handlers. -Property `cds.security.mock.enabled = false` disables any mock user configuration (default in production profile). - A setup for Spring MVC-based tests based on the given mock users and the CDS model from [above](#spring-boot) could look like this: ```java 
@@ -307,154 +294,42 @@ The mock user `Alice` is assigned to the mock tenant `CrazyCars` for which the f +### Custom Users { #custom-users} +Therefore, if you bring your own authentication, you must transform the authenticated user and inject it as `UserInfo` to the current request. This is done by means of [UserInfoProvider](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/UserInfoProvider.html) interface that can be implemented as Spring bean as demonstrated in [Registering Global Parameter Providers](../java/event-handlers/request-contexts#global-providers). +More frequently you might have the requirement to just adapt the request's `UserInfo` which is possible with the same interface: -## Authorization { #auth} - -CAP Java SDK provides a comprehensive authorization service. By defining authorization rules declaratively via annotations in your CDS model, the runtime enforces authorization of the requests in a generic manner. Two different levels of authorization can be distinguished: - -- [Role-based authorization](../guides/security/authorization#requires) allows to restrict resource access depending on user roles. -- [Instance-based authorization](../guides/security/authorization#instance-based-auth) allows to define user privileges even on entity instance level, that is, a user can be restricted to instances that fulfill a certain condition. - -We recommend configuring authorization declaratively in the CDS model. When necessary, you can build custom implementations on the [Authorization API](#enforcement-api). - -A precise description of the general authorization capabilities in CAP can be found in the [Authorization](../guides/security/authorization) guide. 
- -In addition to standard authorization, CAP Java provides additional out of the box capabilities to reduce custom code: - -### Deep Authorization { #deep-auth} - -Queries to Application Services are not only authorized by the target entity which has a `@restrict` or `@requires` annotation, but also for all __associated entities__ that are used in the statement. -__Compositions__ are neither checked nor extended with additional filters. -For instance, consider the following model: - -```cds -@(restrict: [{ grant: 'READ', to: 'Manager' }]) -entity Books {...} - -@(restrict: [{ grant: 'READ', to: 'Manager' }]) -entity Orders { - key ID: String; - items: Composition of many { - key book: Association to Books; - quantity: Integer; - } -} -``` - -For the following OData request `GET Orders(ID='1')/items?$expand=book`, authorizations for `Orders` and for `Books` are checked. -If the entity `Books` has a `where` clause for [instance-based authorization](/java/security#instance-based-auth), -it will be added as a filter to the sub-request with the expand. - -Custom CQL statements submitted to the [Application Service](/java/cqn-services/application-services) instances -are also authorized by the same rules including the path expressions and subqueries used in them. - -For example, the following statement checks role-based authorizations for both `Orders` and `Books`, -because the association to `Books` is used in the select list. - -```java -Select.from(Orders_.class, - f -> f.filter(o -> o.ID().eq("1")).items()) - .columns(c -> c.book().title()); -``` - -For modification statements with associated entities used in infix filters or where clauses, -role-based authorizations are checked as well. Associated entities require `READ` authorization, in contrast to the target of the statement itself. 
- -The following statement requires `UPDATE` authorization on `Orders` and `READ` authorization on `Books` -because an association from `Orders.items` to the book is used in the where condition. - ```java -Update.entity(Orders_.class, f -> f.filter(o -> o.ID().eq("1")).items()) - .data("quantity", 2) - .where(t -> t.book().ID().eq(1)); -``` -:::tip Modification of Statements -Be careful when you modify or extend the statements in custom handlers. -Make sure you keep the filters for authorization. -::: - -Starting with CAP Java `4.0`, deep authorization is on by default. -It can be disabled by setting cds.security.authorization.deep.enabled: false. - -[Learn more about `@restrict.where` in the instance-based authorization guide.](/guides/security/authorization#instance-based-auth){.learn-more} - -### Forbidden on Rejected Entity Selection { #reject-403 } - -Entities that have an instance-based authorization condition, that is [`@restrict.where`](/guides/security/authorization#restrict-annotation), -are guarded by the CAP Java runtime by adding a filter condition to the DB query **excluding not matching instances from the result**. -Hence, if the user isn't authorized to query an entity, requests targeting a *single* entity return *404 - Not Found* response and not *403 - Forbidden*. - -To allow the UI to distinguish between *not found* and *forbidden*, CAP Java can detect this situation and rejects`PATCH` and `DELETE` requests to single entities with forbidden accordingly. -The additional authorization check may affect performance. - -::: warning -To avoid to disclosure the existence of such entities to unauthorized users, make sure that the key is not efficiently enumerable or add custom code to overrule the default behaviour otherwise. -::: - -Starting with CAP Java `4.0`, the reject behaviour is on by default. -It can be disabled by setting cds.security.authorization.instance-based.reject-selected-unauthorized-entity.enabled: false. 
- -[Learn more about `@restrict.where` in the instance-based authorization guide.](/guides/security/authorization#instance-based-auth){.learn-more} +@Component +public class CustomUserInfoProvider implements UserInfoProvider { -### Authorization Checks On Input Data { #input-data-auth } + private UserInfoProvider defaultProvider; -Input data of `CREATE` and `UPDATE` events is also validated with regards to instance-based authorization conditions. -Invalid input that does not meet the condition is rejected with response code `400`. + @Override + public UserInfo get() { + ModifiableUserInfo userInfo = UserInfo.create(); + if (defaultProvider != null) { + UserInfo prevUserInfo = defaultProvider.get(); + if (prevUserInfo != null) { + userInfo = prevUserInfo.copy(); + } + } + if (userInfo != null) { + /* any modification of the resolved user goes here: */ + XsuaaUserInfo xsuaaUserInfo = userInfo.as(XsuaaUserInfo.class); + userInfo.setName(xsuaaUserInfo.getEmail() + "/" + + xsuaaUserInfo.getOrigin()); // normalizes name + } -Let's assume an entity `Orders` which restricts access to users classified by assigned accounting areas: + return userInfo; + } -```cds -annotate Orders with @(restrict: [ - { grant: '*', where: 'accountingArea = $user.accountingAreas' } ]); + @Override + public void setPrevious(UserInfoProvider prev) { + this.defaultProvider = prev; + } +} ``` -A user with accounting areas `[Development, Research]` is not able to send an `UPDATE` request, that changes `accountingArea` from `Research` or `Development` to `CarFleet`, for example. -Note that the `UPDATE` on instances _not matching the request user's accounting areas_ (for example, `CarFleet`) are rejected by standard instance-based authorization checks. - -Starting with CAP Java `4.0`, deep authorization is on by default. -It can be disabled by setting cds.security.authorization.instanceBased.checkInputData: false. 
- -[Learn more about `@restrict.where` in the instance-based authorization guide.](/guides/security/authorization#instance-based-auth){.learn-more} - - -### Enforcement API & Custom Handlers { #enforcement-api} - -The generic authorization handler performs authorization checks driven by the annotations in an early Before handler registered to all application services by default. You may override or add to the generic authorization logic by providing custom handlers. The most important piece of information is the [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) that reflects the authenticated user of the current request. You can retrieve it: - -a) from the [EventContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/EventContext.html): - ```java - EventContext context; - UserInfo user = context.getUserInfo(); - ``` - -b) through dependency injection within a handler bean: - - ```java - @Autowired - UserInfo user; - ``` - -The most helpful getters in `UserInfo` are listed in the following table: - -| UserInfo method | Description -| :---------------------------------------------------- | :----------------------------------------------------- | -| `getName()` | Returns the unique (logon) name of the user as configured in the IdP. Referred by `$user` and `$user.name`. | -| `getTenant()` | Returns the tenant of the user. | -| `isSystemUser()` | Indicates whether the request has been initiated by a technical service. Refers to [pseudo-role](../guides/security/cap-users#pseudo-roles) `system-user`. | -| `isAuthenticated()` | True if the current user has been authenticated. Refers to [pseudo-role](../guides/security/cap-users#pseudo-roles) `authenticated-user`. | -| `isPrivileged()` | Returns `true` if the current user runs in privileged (that is, unrestricted) mode | -| `hasRole(String role)` | Checks if the current user has the given role. 
| -| `getRoles()` | Returns the roles of the current user | -| `getAttributeValues(String attribute)` | Returns the value list of the given user attribute. Referred by `$user.`. | - -You can also modify the `UserInfo` object for internal calls. See section [Request Contexts](./event-handlers/request-contexts) for more details. -For instance, you might want to run internal service calls in privileged mode that bypasses authorization checks: - -```java -cdsRuntime.requestContext().privilegedUser().run(privilegedContext -> { - assert privilegedContext.getUserInfo().isPrivileged(); - // ... Service calls in this scope pass generic authorization handler -}); -``` +In the example, the `CustomUserInfoProvider` defines an overlay on the default XSUAA-based provider (`defaultProvider`). The overlay redefines the user's name by a combination of email and origin. From b067cc22e9bc1f8a35afbb727f61ce71c7d83564 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 15:50:24 +0100 Subject: [PATCH 037/120] fixed links --- guides/security/authentication.md | 8 ++++---- guides/security/authorization.md | 7 +++++-- java/migration.md | 8 +++----- java/security.md | 4 ++-- 4 files changed, 14 insertions(+), 13 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 9eff35812a..ed23235c74 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
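Review bot: the `@@ -307,154 +294,42 @@` hunk opens the new `### Custom Users` section with `Therefore, if you bring your own authentication, ...`, but the sentence that `Therefore` refers to is not in the hunk, so the moved text lost its lead sentence; also the id is written `{ #custom-users}` with asymmetric spacing. In the added `CustomUserInfoProvider`, `userInfo` is initialised from `UserInfo.create()` and can never be null, so `if (userInfo != null)` is dead code; the real risk is `userInfo.as(XsuaaUserInfo.class)` followed by `getEmail()` and `getOrigin()`, which assumes an XSUAA-authenticated user and with mock users or IAS either fails or yields a name like `null/null`, so guard the overlay with a check that the user is XSUAA-based and say in the closing sentence that the example is XSUAA-specific. The 154 removed lines (Authorization, Deep Authorization, Forbidden on Rejected Entity Selection, Authorization Checks On Input Data, Enforcement API & Custom Handlers) disappear without a pointer, and java/migration.md still links `./security#deep-auth`, `./security#input-data-auth` and `./security#enforcement-api` until patch 037/120 retargets them; whichever file receives this text must keep the existence-disclosure warning of the 403 section and should fix, while moving, `To avoid to disclosure` (`To avoid disclosing`), the missing space in `rejects`PATCH``, the paragraph under Authorization Checks On Input Data that says `deep authorization is on by default` when it means the input-data check, and the property names `cds.security.authorization.instance-based.reject-selected-unauthorized-entity.enabled` and `cds.security.authorization.instanceBased.checkInputData`, which do not match the migration table's `instanceBased.rejectSelectedUnauthorizedEntity.enabled` and `instanceBased.checkInputData.enabled`.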
@@ -44,7 +44,7 @@ CAP [leverages platform services](overview#key-concept-platform-services) to pro - For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fledged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. - [XS User Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. - - CAP applications can run IAS and XSUAA in [hybrid mode](#hybrid-authentication) to support a smooth migration from XSUAA to IAS. + - CAP applications can run IAS and XSUAA in [hybrid mode](#hybrid-auth) to support a smooth migration from XSUAA to IAS. ## Mock User Authentication { #mock-user-auth } @@ -241,7 +241,7 @@ TODO
-[Learn more about custom mock users](../../java/security#explicitly-defined-mock-users){.learn-more} +[Learn more about custom mock users](../../java/security#custom-mock-users){.learn-more}
@@ -644,7 +644,7 @@ The same is true for the logout flow. TBD -## Hybrid Authentication { hybrid-authentication } +## Hybrid Authentication { hybrid-auth } TBD @@ -718,7 +718,7 @@ With `cds.security.authentication.authenticateMetadataEndpoints: false` you can TODO
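Review bot: `## Hybrid Authentication { hybrid-auth }` is missing the `#` that turns the braces into a custom heading id, so the link `[hybrid mode](#hybrid-auth)` introduced by the `@@ -44,7 +44,7 @@` hunk of this same patch resolves nowhere; patch 039/120 adds the missing character, so squash that fix into this commit rather than shipping an intermediate commit with a broken anchor. The `TBD` context lines around the heading also show the section is still a placeholder, which is worth flagging in the commit message.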
-### Overrule Partially { #partially-auth, .java } +### Overrule Partially { #partially-auth .java } If you want to explicitly define the authentication for specific endpoints, **you can add an _additional_ Spring security configuration on top** overriding the default configuration given by CAP: diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 2a2cae02e3..43045bc60c 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md @@ -34,7 +34,7 @@ This guide explains how to restrict access to data by adding respective declarat In essence, [authentication](./authentication#authentication) verifies the user's identity and the presented claims. Briefly, authentication reveals _who_ is using the service. In contrast, **authorization controls _how_ the user may interact with the application's resources**. -As the access control depends on the user information, authentication is a prerequisite to authorization. +As access control depends on user information, authentication is a prerequisite for authorization. ![Authorization with CAP](./assets/authorization.drawio.svg){width="500px"} @@ -59,7 +59,7 @@ Finally, according to the key concept [Customizable Security](./overview#key-con ### Internal Services -CDS services which are only meant for *internal* usage shouldn't be exposed via protocol adapters. +CDS services that are only meant for *internal* usage shouldn't be exposed via protocol adapters. In order to prevent access from *any* external clients, annotate those services with `@protocol: 'none'`: ```cds 
@@ -417,6 +417,8 @@ The [restrict annotation](#restrict-annotation) for an entity allows you to enfo In addition, you can define a `where`-condition that further limits the set of accessible instances. This condition, which acts like a filter, establishes *instance-based authorization*. +The condition defined in the `where` clause typically associates domain data with static user claims. + ### Filter Conditions { #filter-consitions } The condition defined in the `where` clause typically associates domain data with static [user claims](cap-users#claims). @@ -510,6 +512,7 @@ service SalesService @(requires: ['SalesAdmin', 'SalesManager']) { } } ``` + Let's assume a customer creates XSUAA roles `SalesManagerEMEA` with dedicated values (`['DE', 'FR', ...]`) and `SalesAdmin` with *unrestricted* values. As expected, a user assigned only to `SalesAdmin` has access to all `SalesOrgs`. But when role `SalesManagerEMEA` is added, *only* EMEA organizations are accessible suddenly! diff --git a/java/migration.md b/java/migration.md index 1697c152b1..47650c0484 100644 --- a/java/migration.md +++ b/java/migration.md 
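Review bot: the sentence added in the `@@ -417,6 +417,8 @@` hunk, `The condition defined in the `where` clause typically associates domain data with static user claims.`, is a verbatim copy (minus the link) of the first sentence of the `### Filter Conditions` section that immediately follows it; drop the addition or, if it was meant to introduce the section, remove the duplicate below. The context line `### Filter Conditions { #filter-consitions }` carries a misspelled id (`conditions`); since links target the id, either keep it deliberately for existing references or fix it and update them in the same commit.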
@@ -94,9 +94,9 @@ Some property defaults have been adjusted: | Property | Old Value | New Value | Explanation | | --- | --- | --- | --- | -| `cds.security.authorization.deep.enabled` | false | true | [Deep Authorization](./security#deep-auth) is now enabled by default. | +| `cds.security.authorization.deep.enabled` | false | true | [Deep Authorization](../guides/security/authorization#deep-auth) is now enabled by default. | | `cds.security.authorization.instanceBased.rejectSelectedUnauthorizedEntity.enabled` | false | true | Requests that violate instance-based authorization conditions now fail with 403, instead of 404. | -| `cds.security.authorization.instanceBased.checkInputData.enabled` | false | true | [Authorization Checks On Input Data](./security#input-data-auth) are now enabled by default. | +| `cds.security.authorization.instanceBased.checkInputData.enabled` | false | true | [Authorization Checks On Input Data](../guides/security/authorization#input-data-auth) are now enabled by default. | | `cds.errors.defaultTranslations.enabled` | false | true | [Translations for Validation Error Messages](./event-handlers/indicating-errors#ootb-translated-messages) are now enabled by default. | | `cds.sql.runtimeView.mode` | resolve | cte | [Runtime views](./working-with-cql/query-execution#runtimeviews) are now by default translated into Common Table Expressions | @@ -190,8 +190,6 @@ In IAS scenarios, the [Proof-Of-Possession](https://github.com/SAP/cloud-securit Because of this, applications calling a CAP Java application will need to send a valid client certificate in addition to the JWT token. In particular, applications using an Approuter have to set `forwardAuthCertificates: true` on the Approuter destination pointing to your CAP backend. -[Learn more about Proof-Of-Possession.](./security.md#proof-of-possession){.learn-more} - ### Lazy Localization by default EDMX resources served by the OData V4 `/$metadata` endpoints are now localized lazily by default. 
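Review bot: the two retargeted rows now point at `../guides/security/authorization#deep-auth` and `#input-data-auth`, but the middle row for `cds.security.authorization.instanceBased.rejectSelectedUnauthorizedEntity.enabled` still has no link even though the text removed from java/security.md in patch 001/120 had an anchor `#reject-403` for exactly that behaviour; add the link to the relocated section. Also confirm that the relocated sections really carry the ids `deep-auth` and `input-data-auth`, because the hunk that deleted them from java/security.md does not show where they were re-added.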
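Review bot: in the `@@ -190,8 +190,6 @@` hunk the Proof-Of-Possession learn-more link is deleted instead of retargeted; the paragraph above it still tells readers that callers must present a client certificate in addition to the JWT and that Approuter needs `forwardAuthCertificates: true`, which is exactly where a pointer to the relocated Proof-Of-Possession section belongs. Replace `./security.md#proof-of-possession` with the new location rather than dropping the cross-reference.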
@@ -1179,7 +1177,7 @@ With the help of these interfaces, the classic enforcement API can be mapped to | `getUserAttribute(String attributeName)` | `user.getAttribute(attributeName)` | | `isContainerSecurityEnabled()` | no substitution required | -[See section **Enforcement API & Custom Handlers in Java** for more details.](./security#enforcement-api){.learn-more} +[See section **Developing with CAP Users** for more details.](../guides/security/cap-users#developing-with-users){.learn-more} diff --git a/java/security.md b/java/security.md index 24beacbd85..5d2e5450eb 100644 --- a/java/security.md +++ b/java/security.md @@ -185,7 +185,7 @@ Mock users are only initialized if the `org.springframework.boot:spring-boot-sta ::: -#### Preconfigured Mock Users +#### Preconfigured Mock Users { #preconfigured-mock-users} For convenience, the runtime creates default mock users reflecting the [pseudo roles](../guides/security/cap-users#pseudo-roles): @@ -207,7 +207,7 @@ There are several properties to control behavioud of mock users: | `cds.security.mock.enabled` | Activates mock users. | `false` in production profile, `true` otherwise. -#### Custom Mock Users +#### Custom Mock Users {#custom-mock-users} You can also define mock users explicitly. This mock user configuration only applies if: * The service runs without a service binding (non-production mode) From cb1b81a7261791adf449d1785239e1c93960466b Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 16:31:20 +0100 Subject: [PATCH 038/120] btp reuse internal --- get-started/troubleshooting.md | 2 +- guides/security/.remote-authentication.md.swp | Bin 0 -> 16384 bytes guides/security/remote-authentication.md | 293 +----------------- 3 files changed, 3 insertions(+), 292 deletions(-) create mode 100644 guides/security/.remote-authentication.md.swp diff --git a/get-started/troubleshooting.md b/get-started/troubleshooting.md index e3de313b8b..146600f8b5 100644 --- a/get-started/troubleshooting.md 
+++ b/get-started/troubleshooting.md @@ -252,7 +252,7 @@ A new option `privilegedUser()` can be leveraged when [defining](../java/event-h | | Explanation | | --- | ---- | -| _Root Cause_ | You've [explicitly configured a mock](../java/security#explicitly-defined-mock-users) user with a name that is already used by a [preconfigured mock user](../java/security#preconfigured-mock-users). +| _Root Cause_ | You've [explicitly configured a mock](../java/security#custom-mock-users) user with a name that is already used by a [preconfigured mock user](../java/security#preconfigured-mock-users). | _Solution_ | Rename the mock user and build your project again. ### Why do I get an "Error on server start"? 
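Review bot: the two heading ids added in the java/security.md hunks of patch 037/120 are written inconsistently, `{ #preconfigured-mock-users}` and `{#custom-mock-users}`; use one form. The context line `There are several properties to control behavioud of mock users:` has a typo (`behaviour`) that should be fixed in the same hunk, and the table row right below it, which documents `cds.security.mock.enabled` as `false` in the production profile, is the guard sentence that patch 001/120 deleted from the custom mock users text; that text should link here so the production default stays discoverable.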
diff --git a/guides/security/.remote-authentication.md.swp b/guides/security/.remote-authentication.md.swp new file mode 100644 index 0000000000000000000000000000000000000000..aabe9d42afd7d2ccb9700fa340f6c9ff83fed3db GIT binary patch literal 16384 zcmeI3%a0sK9mktj9y|g{Brb5McqMjcwcWF^6Dir)RyKBkP2$90J5E?xY)?uSKU3^v)-7;5qhPc z*4tfG{d@oF_pS0^{fVt}>fYeE$In|lul#;5UitXV-j5%7t2Yg;oy4J$S2y~(?B8?d zT_;W)KXLAn6E_<7!Dhk!epc-Eqc9hW3*CP}U$weO!=yhh-QJx z=g%E_|F`=6x%&C95550u{eHWCe!OO&;o~p$`vze6)S>tFwC-1@fldRR209IN8t638 zX`s_Ur-4obod!A$bQf4%2@9y$r#5B>I5&-)hiVQ33_H+1qA&-?n#p7%BAA?Pf0?IzFjp+COP^Zo$+ z9{K_F67-wbdfq2r<9VNed}s~&8Q{lHq5Gi?NOWEz#8s6Dd1kO`-GqE(pZNqqyu1fIA3s1A!1#tU8zveK$awy$i4wCN}wmppz2xzUt* z7_qLb^hLUU^nuiG^wQk;X#QRr#OV;V_%`#yW|Y5=7JM@a3qAC?Fv86cJL{=yK_V>q z!qT&zcjxw*>-BzRCFqC7Xlwch+%@Z(U|59vaTb`paqrrGJhYQj$L_voJ->QPvEW4= zO;R+FB(pWOx{9G@$}!<=hL*Hyn8CcphH0eN)cz!nCW=YfzEMN2yF?Z(?dnuqV?QiJ zy4BSU&wDf*H;bE+DF^%=cn!L>MLa027EOz*w5+1^2TEbiSw70jWT=WVRiQYW)#Kti z2bB4a?P(kpS*`Lle7JI3+sLa59hxjPYDEX*U=1loBVC|&S>MLUjguP`BmP^!1yW9V zZF<5Y{NM{l=V8S`KAD+D&}?K;1RRFUGi72`Hsasg3B39de6%?eS&J-;CKxg3^UuB5 zxyIaAnpu8(mgxoF5ssjSnMyM!fyCksR3Y5kSzfWMkis!JpD@&UlFdY1Ri?3Z%IC5Y zVU0xigA!+Lf58?d>4Jz!hhZ@jfn}}jwjrO%QZ1gE?Mb@O`%A5tzPv;xZ)r)j`yw_V*+Yeqm4_BoTb5wcg%E}T~ynOetC!uS~DQRji4x1sWj=(?`c&NUp z)x0#!hc_3UdETp?U2@_8`O7pFkH}Iqo%-_e924R8QxXWPwb*a*a|HV&Gjl`DORjSo zZNlQ{XjCh4pmE@VPBKZgRS3DU&MHX$AKF0-A^EIM_ePNj{cPl8Qh$(Ltu>mP%|OCUr?QxF6$ovI!yyi55P^YN zIhF)cC1Q7J&V4#0CL4!yQZIg8W<)x-YocyLI!~L>7-f>b#F$*o6Jao5Rq&XS%A-9} zF!QH5-bpA-uty74r@E-}AU=8L_Ius!Ox5V0iWlvY?4wDHS}i+(R<&JpYTu1LvfQrE%PowNF1Q)0 zVxvYN1*57AWmW{Y@rK9 zl;d$YKs4EuN~Kf-LTZ#LPDhn4nI+r#MDbgotuvN#?e8YHoq5UP#p8B;rb55r1{ zJmjOB14B5v6sE3Smuh8~x4n%?uUuifH^EfyLbB3VF$G(?W{ca(YEtIqj&c*BvNb-r z#fJF_va{sdcVl(cKMgYtFNfmyfQ{C&QZJ-vpX?huOY~_^ss5@8(on(n2=DawwKNDD z_pGnqubx$_eMSUVmAu9wvtmOM{)$g!ANKC&aeK~vZjMZtT|Z$=l}VX$#DtTM7fMf- z>)~nPjf9z7VNMKg)nlPLrPNAKojR>1E6b$Kba_oUO4xI6sO2=|PsMIM(fsuo0m}YA zPQ*!<)w8_XUQYYr@)fx1%@=)A-FVTfvgUlz&BXIN;g`R^x4V{9d 
z=l=%%{c-3nXdSv0x&^u!`U`#kpP}zUm!T)1S3@78|Nkho1^up;>o+1>_tR;h(?F+z zP6Pj+8gLbM-VGR_8oE|?`hvjFwN8O~h!% z(;Dl-OyXRvTs-qQAb<}bcs5Iy>9d$%8F)S9OHFKm~#LP=aRWh|T31IF3I zBo4M){G@9Wc{J3ks|^4Ma5B;sj1t_h*|wu0Kuyp#~C8FgvP`3Y(oi*o=_3Qoy0 z2iatW^P~fY>$QPz_;yNP6L27eR7E@6xW%05mr=4r${EERU{ubl3qOG&Q1o2;yvE=#Z{xfYLQXRr3#dBP`-gePe4FBH zv2?e9aYPJGak;sYL98G5{LHGycWW0wB-z zC)mU*d;@vVv!&rPsupJ9YqMAWmgn6ah)AQjm{xwZx_W_gt<_cUM4&E$rlOZQ4>Jeg zsg+dgp=54_9Z6Pr87Tyq5}z!!+KG~^9Gc;7upq$97xa&y754!3-)+2es5Z}UshzX< zuqYRtyx6(kg`EOhwpR0_yq&;19;mI9O0n5;R2DVlDML5N$q-ef1y1o?xQIw9yHXaI zIUG_lyt@KWw|YWrF{9o=|7WtYAk>+BdhuI4LW`4(qaGI!qWw0jb&$``40jGf%k{Jp zL;x-l`;UX5xiyaV4VQLhxO}2Y7;41;U*`n}M;s6t(za3C6aJF4w}^bWBMFx~djft- zyeHanx>`k{`|dQZs@fqB!q}2I94=JhpmSEldJP;WK@G|&(5hs=I{#D_c4>>Gx@c)+ zUgAgLZdhL+?*rwy8BGoY1Q7VkjR3&`r49-XT>12?0uofY znqw78s$apy8|vwOyCd+S;JieosQ0?_##SAb_f2t@`YK0`6AI76moJJ=h>5`aCzad) ANdN!< literal 0 HcmV?d00001 diff --git a/guides/security/remote-authentication.md b/guides/security/remote-authentication.md index 644f80bbd0..496a23eea4 100644 --- a/guides/security/remote-authentication.md +++ b/guides/security/remote-authentication.md 
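Review bot: `guides/security/.remote-authentication.md.swp` is a Vim swap file, 16 KB of editor state for the very file this patch edits, and must not be committed; remove it from the commit and add `*.swp` and `.*.sw?` to `.gitignore` so it cannot come back. Swap files can also contain unsaved text, so check that nothing internal from the section being removed below survives inside the blob.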
@@ -431,297 +431,7 @@ You can now test the valid setup of the xtravels application by accessing the UI To do so, assign a proper AMS policy (e.g., `admin`) to the test user as described [earlier](./cap-users#ams-deployment). - -## BTP Reuse Services {#ias-reuse} - -Similar to [external services](#app-to-app), BTP reuse services have a fully decoupled lifecycle. The trust between consumer and provider is established at _deployment_ time through the [Open Service Broker](https://www.openservicebrokerapi.org/) (OSB) API, where the consumer creates and binds a service instance of the provider service. -However, this simplified configuration comes with a limitation: consumer and provider must run on the same BTP landscape. -Nevertheless, services used at a technical provider level in the consumer are well-suited for this setup. - -![BTP Reuse services](./assets/reuse-services.drawio.svg){width="500px" } - -[IAS](./authentication#ias-auth) offers built-in support for OSB, resulting in a simplified configuration for provider applications. In contrast, XSUAA-based applications need to host a dedicated service broker as an additional effort. - -Similar to co-located and external services, CAP supports communication with BTP reuse services transparently as it builds on the same architectural pattern of [remote services]( #remote-services). -Technically, the connectivity component uses the provided service binding to inspect the proper authentication strategy. Under the hood, it manages required interactions with the identity service, e.g., to fetch a proper token, depending on the concrete scenario. For instance, an IAS-based request token needs to be exchanged into an XSUAA token in case the binding shows an XSUAA client. - -:::tip -CAP offers a simplified consumption of BTP reuse services by leveraging remote services that require: -- A service binding in the consumer -- Principal propagation mode (optional) -::: - - -#### 1. 
Prepare the CF environment - -Make sure to setup a local CF environment setup as described [here]. -In addition, install the [btp CLI tool](https://help.sap.com/docs/btp/sap-business-technology-platform/account-administration-using-sap-btp-command-line-interface-btp-cli) which is required to manage service brokers. - - -#### 2. Prepare and deploy the provider service - -As a first step, clone [`xflights-java`](https://github.com/capire/xflights-java/tree/main) or, if already cloned and modified locally, reset to the remote branch. - -Similar to the [co-located](#co-located-provider) variant, `xflights` needs to expose service `sap.capire.flights.data` to technical clients. - -In contrast to the scenarios before, the consumers are not known a priori and might also have a different tenant. -Consequently, the provider service must manage multiple subscribers and therefore must be a multi-tenant service. - -You can easily enhance the service by adding the `multitenancy` facet: - -```sh -cds add multitenancy -``` - -Note that multi-tenancy aspect is now also reflected in the identity instance (property `config.multi-tenant: true`). - -As OSB protocol is leveraged to establish trust, a service broker needs to expose the API as dedicated service plan being part of a service catalog. -IAS can be used to provide a matching service broker without the application having to provide the OSB endpoints itself. -This can be achieved through enhanced configuration of the identity instance by declaratively creating the service catalog to be provided: - -```yaml [mta.yaml] -- name: - type: org.cloudfoundry.managed-service - requires: - catalog: - services: - - name: "xflights-data" - plans: - - name: "data-consumer" -``` - -::: details See detailed service catalog configuration - -```yaml [mta.yaml] -- name: xflights-ias - type: org.cloudfoundry.managed-service - requires: - - name: srv-api - [...] 
- catalog: - services: - - id: "4aa23ee-1ce6-6130-4af4-26461bc6ef79" - description: "xflights data service" - name: "xflights-data" - bindable: true - bindings_retrievable: true - instances_retrievable: true - plans: - - id: "2aac23ae-1ce6-6930-4af4-26461bc6ef78" - name: "data-consumer" - bindable: true - metadata: - subscribe_with_consuming_app: true - auto_subscription: - type: "subscription-manager" - propagateParams: true - bindingData: - authentication-service: - service-label: "identity" - endpoints: - eventing-endpoint: - uri: ~{srv-api/srv-cert-url} - always-requires-token: true - url: ~{srv-api/srv-cert-url} -``` - -Property `auto_subscription` will automatically forward the subscription request to the provider. -The ids are required to enable an updateable service catalog - -::: - -[Learn more about IAS service brokers](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker){.learn-more} - -::: tip -If the application requires specific functionality in the service broker, IAS can also be configured with a [custom service broker](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#create-custom-broker-optional). -::: - -To authorize the client requests you may add the API name (i.e. the plan name) as CAP role protecting the service access: - -::: code-group - -```cds [/srv/authorization.cds] -using { sap.capire.flights.data as data } from './data-service'; - -annotate data with @(requires: 'data-consumer'); -``` - -::: - -Afterwards, you may start the provider service by - -```sh -cds up -``` - -As the service is not yet registered to Service Manager, it will not yet appear in the output of `cf marketplace`. -We'll address this in the next section. - -#### 3. 
Register the provider as service broker - -https://wiki.one.int.sap/wiki/pages/viewpage.action?spaceKey=CPC15N&title=Test#Test-5.RegisteryourBrokerasSubaccount-Scoped - - -Subaccount-scoped means your service is automatically visible for consumption in the catalog of all environments in the subaccount where the service is registered in. - -```sh -btp login --sso -``` - -CLI server URL [https://cli.btp.cloud.sap]> -https://canary.cli.btp.int.sap SAP BTP Control Center -> Choose Landscape -> Open in btp CLI -> CLI Server URL - -```sh -btp list accounts/subaccount -btp target --subaccount -``` - -[Learn more how to login with btp CLI](https://help.sap.com/docs/btp/sap-business-technology-platform/log-in){.learn-more} -[Learn more how to target a subaccount with btp CLI](https://help.sap.com/docs/btp/sap-business-technology-platform/set-target-for-subsequent-commands-with-btp-target){.learn-more} -[Learn more about btp CLI commands](https://help.sap.com/docs/btp/sap-business-technology-platform/working-with-resources-of-sap-service-manager-using-btp-cli?version=Cloud){.learn-more} - - -```sh -https://service-manager./v1/info -{ - [...] - "service_manager_certificate_subject": "/C=DE/O=SAP SE/OU=SAP Cloud Platform Clients..." 
-} -``` - -landscape-domain: -cfapps.sap.hana.ondemand.com (EU10) - - -```sh -openssl req -newkey rsa:4096 \ - -x509 \ - -sha256 \ - -days 3650 \ - -nodes \ - -out sm.crt \ - -keyout sm.key \ - -subj "/C=DE/O=SAP SE/OU=SAP Cloud Platform Clients/OU=Canary/OU=sap-service-manager-cf-eu10-canary/L=service-manager/CN=service-manager" - -cat sm.crt | sed ':a;N;$!ba;s/\n/\\n/g' > sm-line.crt -cf create-service-key xflights-ias xflights-ias-key -c '{"credential-type": "X509_PROVIDED", "certificate": "'"$(cat sm-line.crt)"'"}' -``` - -[Learn more about establishing trust between service broker and Service Manager](https://github.wdf.sap.corp/pages/CPSecurity/sci-dev-guide/docs/BTP/identity-broker#service-manager-provided-certificate){.learn-more} - - -```sh -cf service-key xflights-ias xflights-ias-key | grep osb_url - -"osb_url": "https://eu-osb.accounts400.ondemand.com/sap/cp-kernel/identity/v1/osb/c0e703e2-93aa-4c9f-adb5-16efd4fabcdef", -``` - -```sh -btp register services/broker --name xflights-service-broker --url --use-sm-tls - -cf marketplace | grep xflights -xflights-data standard xflights data service -``` - -[Learn more about registering a service broker](https://help.sap.com/docs/btp/btp-cli-command-reference/btp-register-services-broker){.learn-more} - - - - -#### 4. Prepare and deploy the consumer - -The consumer can now consume the reuse service in a quite straightforward manner. 
-First, a service instance of type `xflights-data` with plan `data-consumer` as displayed in the marketplace must be created and `xtravels-srv` must be bound to it: - -::: code-group - -```yaml [mta.yaml] -modules: - - name: xtravels-srv - requires: - - name: xtravels-data - -resources: - - name: xtravels-data - type: org.cloudfoundry.managed-service - parameters: - service: xflights-data - service-plan: data-consumer -``` - -::: - -The identity instance must also be configured to enable the corresponding service: - -::: code-group - -```yaml [mta.yaml] -resources: - - name: xtravels-ias - parameters: - config: - consumed-services: - - service-instance-name: xtravels-data -``` -::: - -Only in this way will a token generated via the identity instance on the consumer side also be accepted by the provider. -Additionally, after validation, the token carries the CAP role `data-consumer` in the provider backend to pass authorization. - -Finally, to establish the connection between the service binding, which represents the reuse service and carries all necessary information to establish the connection, and the service consumption, a remote service can again be created analogously as follows: - -::: code-group - -```yaml [mta.yaml] ---- -spring: - config.activate.on-profile: cloud -cds: - remote.services: - xflights: - type: hcql - model: sap.capire.flights.data - http: - suffix: /hcql - binding: - name: xtravels-data - onBehalfOf: systemUserProvider -``` -::: - -Note that in this case `http.suffix` must be set to the URL suffix `/hcql`, as this information is not contained in the binding. -Like before, user propagation for communication is set to the technical provider tenant. 
- -[Learn more about remote service configurations based on service bindings](https://pages.github.tools.sap/cap/docs/java/cqn-services/remote-services#binding-to-a-reuse-service){.learn-more} -[Learn more about URLs in remote service configurations](https://pages.github.tools.sap/cap/docs/java/cqn-services/remote-services#configuring-the-url){.learn-more} - - -::: warning Use different roles for technical and business users -Use different CAP roles for technical clients without user propagation and for named business users. - -Instead of using the same role, expose dedicated CDS services to technical clients which aren't accessible to business users and vice versa. -::: - - -#### How to Authorize Callbacks - -For bidirectional communication, callbacks from the reuse service to the CAP service also need to be authorized. -Currently, there is no standardized way to achieve this in CAP, so custom coding is required. -As a prerequisite, the CAP service needs to know the clientId of the reuse service's IAS application, which should be part of the binding exposed to the CAP service. - -::: details Sample Code for Authorization of Callbacks - -```java -private void authorizeCallback() { - UserInfo userInfo = runtime.getProvidedUserInfo(); - String azp = (String) userInfo.getAdditionalAttributes().get("azp"); - if(!userInfo.isSystemUser() || azp == null || !azp.equals(clientId)) { - throw new ErrorStatusException(ErrorStatuses.FORBIDDEN); - } - } -``` - -::: +
## Pitfalls @@ -735,3 +445,4 @@ Instead, rely on the shared connectivity component, which ensures centralized an - **Don't treat co-located services as external services**. This introduces unnecessary communication overhead and increases total cost of ownership (TCO). + From f3efb63fcbf10f0418446f9d1bc9dbfb3d349c1b Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 16:46:56 +0100 Subject: [PATCH 039/120] links --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index ed23235c74..32aae7bbc9 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -644,7 +644,7 @@ The same is true for the logout flow. TBD -## Hybrid Authentication { hybrid-auth } +## Hybrid Authentication { #hybrid-auth } TBD From 1628cb2905e7c45d2598ef2e59fe871cdc910e06 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 28 Nov 2025 17:20:19 +0100 Subject: [PATCH 040/120] added some external links --- guides/security/cap-users.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 58da34b999..5e15798570 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -508,7 +508,7 @@ POLICY StockManagerFiction { } ``` -[Learn more about DCL operators](https://sap.github.io/cloud-identity-developer-guide/Authorization/ValueHelp.html#filter-operators){.learn-more} +[Learn more about DCL operators](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/condition-operators){.learn-more} ::: tip 
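Review bot: the `-` block in remote-authentication.md that ends with the `::: details Sample Code for Authorization of Callbacks` snippet removes the only guidance on authorizing callbacks from a reuse service, and nothing in the hunk points to where that content now lives; if it moves to another page in the restructure, link the new location from the remaining text, otherwise readers lose the `azp`-against-`clientId` check entirely. Wherever the sample lands, it deserves one sentence that `userInfo.isSystemUser()` on its own is not sufficient, since (as the pseudo-roles section states) `system-user` does not distinguish between technical clients, and that the `azp` comparison only identifies the calling client and assumes the token itself has already been validated by the authentication layer. The removed `::: warning Use different roles for technical and business users` box is a security recommendation rather than a configuration detail and should also survive the move.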
@@ -611,11 +611,16 @@ To create a custom policy with filter restrictions, follow these steps: ::: +[Learn more about how to create custom AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/create-authorization-policy){.learn-more} + + To assign a policy to an IAS user, follow these steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. Switch to tab **Authorization Policies** and select the policy you want to assign 3. In **Assignments**, add the IAS user of the tenant to which the policy should be assigned (you can review the policy definition in **Rules**). +[Learn more about how to edit custom AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/edit-authorization-policy){.learn-more} + ::: details Assign AMS policy to an IAS user ![AMS base policies in Administrative Console](assets/ams-base-policies.jpg) @@ -631,7 +636,6 @@ You can log on to the bookshop test application with the test user and check tha - ### Tracing & Troubleshooting You can verify a valid configfuration of the AMS plugin by the following log output: From fa385f826e74e4d3a8b3837f1344ba4be468a9d4 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 1 Dec 2025 10:35:32 +0100 Subject: [PATCH 041/120] unified diagrams --- .../security/assets/authentication.drawio.svg | 83 ++++--- .../security/assets/authorization.drawio.svg | 41 ++-- guides/security/assets/cap-users.drawio.svg | 76 +++--- .../assets/security-components.drawio.svg | 112 +++++---- .../assets/security-customizable.drawio.svg | 220 +++++++++--------- .../security-platform-integration.drawio.svg | 94 ++++---- guides/security/overview.md | 2 +- 7 files changed, 328 insertions(+), 300 deletions(-) diff --git a/guides/security/assets/authentication.drawio.svg b/guides/security/assets/authentication.drawio.svg index c98e85a234..3234b2146b 100644 
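Review bot: while adding the two learn-more links in the `@@ -611,11 +611,16 @@` hunk of cap-users.md, two small things in the hunk's context could be fixed in the same change: step 2 of the assignment list (`Switch to tab **Authorization Policies** and select the policy you want to assign`) lacks the period the other two steps have, and the line right under the `### Tracing & Troubleshooting` heading still reads `configfuration`.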
--- a/guides/security/assets/authentication.drawio.svg +++ b/guides/security/assets/authentication.drawio.svg @@ -1,21 +1,21 @@ - + - - - + + + - - - + + + -
+
@@ -27,47 +27,49 @@
- + Authentication - + -
+
- Token + Cred +
+ ential
- - Token + + Cred... - - - + + + -
+
@@ -77,48 +79,53 @@
- + Authorization - - + + + + + + - - - + + + + + + + + + -
-
-
- - CAP User - +
+
+
+ + + CAP User + +
- + CAP User - - - - - - - diff --git a/guides/security/assets/authorization.drawio.svg b/guides/security/assets/authorization.drawio.svg index 1f07079dd4..28760699b7 100644 --- a/guides/security/assets/authorization.drawio.svg +++ b/guides/security/assets/authorization.drawio.svg @@ -1,16 +1,16 @@ - + - - - + + + -
+
@@ -22,22 +22,22 @@
- + Authorization - - - + + + -
+
@@ -47,29 +47,29 @@
- + Authentication - - + + - - - + + + - + -
+
@@ -81,15 +81,12 @@
- + CAP User - - - diff --git a/guides/security/assets/cap-users.drawio.svg b/guides/security/assets/cap-users.drawio.svg index bbd9b644c6..7f57f9bbac 100644 --- a/guides/security/assets/cap-users.drawio.svg +++ b/guides/security/assets/cap-users.drawio.svg @@ -1,16 +1,16 @@ - + - - - + + + -
+
@@ -20,22 +20,22 @@
- + Authorization - - - + + + -
+
@@ -45,22 +45,22 @@
- + Authentication - - - + + + -
+
@@ -72,33 +72,33 @@
- + Remote Authentication - - + + - - + + - - - + + + - + -
+
@@ -110,25 +110,25 @@
- + CAP User - - - + + + - + -
+
@@ -140,26 +140,20 @@
- + CAP User - - - - - - - + -
+
@@ -169,7 +163,7 @@
- + <<propagat... diff --git a/guides/security/assets/security-components.drawio.svg b/guides/security/assets/security-components.drawio.svg index 34e9978c28..51f3360a6f 100644 --- a/guides/security/assets/security-components.drawio.svg +++ b/guides/security/assets/security-components.drawio.svg @@ -1,21 +1,21 @@ - + - - - + + + - - - + + + -
+
@@ -27,22 +27,22 @@
- + Authorization - - - + + + -
+
@@ -54,22 +54,22 @@
- + Authentication - - - + + + -
+
@@ -83,34 +83,28 @@
- + Remote Authentication - - - - - + + - - - - - + + - + -
+
@@ -122,25 +116,25 @@
- + CAP User - - - + + + - + -
+
@@ -152,20 +146,20 @@
- + CAP User - + -
+
@@ -175,12 +169,48 @@
- + <<propagat... + + + + + + + + + + + + + + + + +
+
+
+ + + Cred +
+ ential +
+
+
+
+
+
+ + Cred... + +
+
+
diff --git a/guides/security/assets/security-customizable.drawio.svg b/guides/security/assets/security-customizable.drawio.svg index f53de15cb7..0b9bc7fad1 100644 --- a/guides/security/assets/security-customizable.drawio.svg +++ b/guides/security/assets/security-customizable.drawio.svg @@ -1,18 +1,18 @@ - + - - - + + + -
-
-
+
+
+
CAP User @@ -20,24 +20,24 @@
- + CAP User - - - + + + -
-
-
+
+
+
Authorization @@ -45,59 +45,34 @@
- + Authorization - - - + + + - - - + + + - - - + + + -
-
-
- - Authentication - -
-
-
-
- - Authentication - -
-
-
- - - - - - - - - -
-
-
+
+
+
Remote Authentication @@ -107,33 +82,28 @@
- + Remote Authentication - - + + - - + + - - - - - - + -
+
@@ -145,20 +115,20 @@
- + Custom end... - + -
+
@@ -170,20 +140,20 @@
- + Custom end... - + -
+
@@ -195,20 +165,20 @@
- + Modifying... - + -
+
@@ -220,20 +190,20 @@
- + Switching... - + -
+
@@ -245,40 +215,25 @@
- + Defining R... - - - - - - - - + + + - - - - - - - - - - - + -
+
@@ -288,20 +243,20 @@
- + customization - + -
+
@@ -311,37 +266,82 @@
- + out of the box - - - + + + + + + + + + + + + + + + + + + + + + + + -
-
-
- +
+
+
+ CAP User - +
- + CAP User + + + + + + + + + +
+
+
+ + Authentication + +
+
+
+
+ + Authentication + +
+
+
diff --git a/guides/security/assets/security-platform-integration.drawio.svg b/guides/security/assets/security-platform-integration.drawio.svg index 67945d84a2..030639417d 100644 --- a/guides/security/assets/security-platform-integration.drawio.svg +++ b/guides/security/assets/security-platform-integration.drawio.svg @@ -1,16 +1,16 @@ - + - - - + + + -
+
@@ -22,22 +22,22 @@
- + IAS / XSUAA - - - + + + -
+
@@ -49,22 +49,22 @@
- + AMS / XSUAA - - - + + + -
+
@@ -76,25 +76,25 @@
- + BTP Connectivity - - - + + + - + -
+
@@ -104,25 +104,25 @@
- + Platform - - - + + + - + -
+
@@ -132,22 +132,22 @@
- + CAP - - - + + + -
+
@@ -157,22 +157,22 @@
- + Authorization - - - + + + -
+
@@ -182,22 +182,22 @@
- + Authentication - - - + + + -
+
@@ -209,19 +209,19 @@
- + Remote Authentication - - + + - - + + diff --git a/guides/security/overview.md b/guides/security/overview.md index e9ab911396..4936cfa357 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -21,7 +21,7 @@ These concepts work together to provide comprehensive security while maintaining CAP divides the different security-related tasks into separate and independent building blocks, each with a standard CAP implementation suitable for most scenarios: -![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="600px" } +![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="700px" } - [Authentication](./authentication ) - [CAP Users](./cap-users) From 309ce6ecb8829dee9ccb8226397222944fd391b5 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 1 Dec 2025 10:56:26 +0100 Subject: [PATCH 042/120] improved diagrams --- .../security/assets/authentication.drawio.svg | 56 ++++++------ .../security/assets/authorization.drawio.svg | 4 +- guides/security/assets/cap-users.drawio.svg | 86 +++++++++---------- guides/security/assets/custom-auth.drawio.svg | 18 ++-- guides/security/authentication.md | 10 +-- guides/security/cap-users.md | 2 +- 6 files changed, 88 insertions(+), 88 deletions(-) diff --git a/guides/security/assets/authentication.drawio.svg b/guides/security/assets/authentication.drawio.svg index 3234b2146b..b3348f9768 100644 --- a/guides/security/assets/authentication.drawio.svg +++ b/guides/security/assets/authentication.drawio.svg @@ -1,21 +1,21 @@ - + - - - + + + - - - + + + -
+
@@ -27,20 +27,20 @@
- + Authentication - + -
+
@@ -54,22 +54,22 @@
- + Cred... - - - + + + -
+
@@ -79,36 +79,36 @@
- + Authorization - - + + - - + + - + - - - + + + - + -
+
@@ -120,7 +120,7 @@
- + CAP User diff --git a/guides/security/assets/authorization.drawio.svg b/guides/security/assets/authorization.drawio.svg index 28760699b7..c6bdb5e9b1 100644 --- a/guides/security/assets/authorization.drawio.svg +++ b/guides/security/assets/authorization.drawio.svg @@ -1,10 +1,10 @@ - + - + diff --git a/guides/security/assets/cap-users.drawio.svg b/guides/security/assets/cap-users.drawio.svg index 7f57f9bbac..96ae7e418f 100644 --- a/guides/security/assets/cap-users.drawio.svg +++ b/guides/security/assets/cap-users.drawio.svg @@ -1,16 +1,16 @@ - + - - - + + + -
+
@@ -20,22 +20,22 @@
- + Authorization - - - + + + -
+
@@ -45,22 +45,22 @@
- + Authentication - - - + + + -
+
@@ -72,33 +72,33 @@
- + Remote Authentication - - + + - - + + - - - + + + - + -
+
@@ -110,61 +110,61 @@
- + CAP User - - - - - - + -
+
- - CAP User - + <<propagate>>
- - CAP User + + <<propagat... - + + + + + + -
+
- <<propagate>> + + CAP User +
- - <<propagat... + + CAP User diff --git a/guides/security/assets/custom-auth.drawio.svg b/guides/security/assets/custom-auth.drawio.svg index 2f0d10a5c1..1622d083c8 100644 --- a/guides/security/assets/custom-auth.drawio.svg +++ b/guides/security/assets/custom-auth.drawio.svg @@ -1,29 +1,29 @@ - + - + - + - + - + - + @@ -37,7 +37,7 @@
- CAP identiy + CAP identity
integration
@@ -171,12 +171,12 @@ - + - + diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 32aae7bbc9..4579e4c4e2 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -34,7 +34,7 @@ Briefly, **authentication ensures _who_ is going to use the service**, in contra As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. CAP applications making use of remote services of any type need to have a proper [remote authentication](./remote-authentication) in place as well. -![Authentication with CAP](./assets/authentication.drawio.svg){width="500px" } +![Authentication with CAP](./assets/authentication.drawio.svg){width="550px" } According to key concept [Pluggable Building Blocks](./overview#key-concept-pluggable), the authentication method can be configured freely. CAP [leverages platform services](overview#key-concept-platform-services) to provide proper authentication strategies to cover all relevant scenarios: @@ -667,10 +667,10 @@ There are multiple reasons why customization might be required: TODO
-- For CAP endpoints you can go with the [model-driven](#model-auth) authentication which is fully automated by CAP. -- For custom endpoints you also can go with default settings because CAP will enforce authentication as well. -- For custom endpoints that should have any different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [overrules](#partially-auth) the CAP integration partially for exactly these endpoints. -- In case the authentiaction is delegated to a different component, just [deactivate](#fully-auth) CAP authentication and replace by any suitable strategy. +- For CAP endpoints you are fine to go with the [automatic authentication](#model-auth) fully derived from the CAP model. +- For custom endpoints that should be protected by the same authentication strategy you are also fine with automatc authentication as CAP will cover these endpoints by default. +- For custom endpoints that should have a different kind of authentication strategy (e.g. X.509, basic or none) you can add a security configuration that [partially overrules](#partially-auth) the CAP integration partially for exactly these endpoints. +- In case the authentiaction is delegated to a different component, just [fully overrule](#fully-auth) CAP authentication and replace by any suitable strategy. ::: tip Secure by Default **By default, CAP authenticates all endpoints of the microservice, including the endpoints which are not served by CAP itself**. diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 5e15798570..7346d28b69 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
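Review bot: the rewritten bullet list in the `@@ -667,10 +667,10 @@` hunk of authentication.md introduces `automatc` in the second bullet and keeps `authentiaction` in the fourth, and the third bullet now says `[partially overrules](#partially-auth) the CAP integration partially`, so one `partially` should go; `replace by any suitable strategy` in the fourth bullet reads better as `replace it with any suitable strategy`. Since the third bullet lists `none` among the strategies for custom endpoints directly above the `Secure by Default` tip, it would help to state that a custom endpoint configured with no authentication is exactly the case the tip's guarantee no longer covers, so the reader does not take the tip as applying to such endpoints as well.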
@@ -33,7 +33,7 @@ A successful authentication results in a CAP [user representation](#claims) refl Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). -![CAP Userse](./assets/cap-users.drawio.svg){width="600px" } +![CAP Userse](./assets/cap-users.drawio.svg){width="650px" } After _successful_ authentication, a **CAP user** is mainly represented by the following properties: From 9e4aa8cc94e31f1c753f56e384783fd04218fa13 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 1 Dec 2025 11:26:45 +0100 Subject: [PATCH 043/120] removed switch users from java guide --- guides/security/cap-users.md | 27 ++++++----- java/event-handlers/request-contexts.md | 64 ++----------------------- 2 files changed, 20 insertions(+), 71 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 7346d28b69..e6e98a4585 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -636,7 +636,7 @@ You can log on to the bookshop test application with the test user and check tha -### Tracing & Troubleshooting +### Tracing You can verify a valid configfuration of the AMS plugin by the following log output: @@ -660,6 +660,9 @@ c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., ... "accessResult":"or( eq($app.Genre, "Mystery") eq($app.Genre, "Fantasy") )"}. ``` + +You can add general user information by applying [user tracing](#user-tracing). + ::: tip It might be useful to investiagte the injected filter conditions by activating the query-trace (logger `com.sap.cds.persistence.sql`). ::: 
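Review bot: the `@@ -33,7 +33,7 @@` hunk in cap-users.md only changes the image width, but both the removed and the added line keep the alt text `CAP Userse`; since the line is touched anyway, correct it to `CAP Users` here.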
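Review bot: the sentence added in the `@@ -660,6 +660,9 @@` hunk, `You can add general user information by applying [user tracing](#user-tracing).`, is hard to parse; suggest `General information about the request user can be added to this output by activating [user tracing](#user-tracing).` The tip in the same hunk's context still reads `investiagte`.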
@@ -783,7 +786,7 @@ Avoid writing custom code based on the raw authentication info, as this undermin **In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. ::: -### Programmatic Reflection { #reflection } +### Reflection { #reflection } In CAP Java, The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways: 
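Review bot: with the heading shortened to `### Reflection` in the `@@ -783,7 +786,7 @@` hunk, the sentence that follows it still opens `In CAP Java, The CAP user of a request` with a capitalized `The`, and the tip above still reads `In most casese`; both are in this hunk's context and worth fixing while here.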
@@ -810,17 +813,17 @@ public void discountBooks(Stream books) { ``` There is always an `UserInfo` attached to the current `RequestContext`, reflecting any type of [users](#user-types). -The `UserInfo` object is not modifyable, but during request processing, a new `RequestContext` can be spawned and may be accompanied by a [change of the current user](#switching-users). +The `UserInfo` object is not modifyable, but during request processing, a new `RequestContext` can be spawned and may be accompanied by a [switch of the current user](#switching-users). -Depending on the configured [authentication](./authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant and attributes: +Depending on the configured [authentication](./authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant, attributes and assigned roles: | User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation |---------------|---------------------|----------------------------------|-------------------------|--------------------| -| Logon name | `getName()` | `user_name` | `sub` | `$user` | -| Tenant | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | -| Attributes | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | -| Roles | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | +| _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | +| _Tenant_ | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | +| _Attributes_ | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | +| _Roles_ | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | ::: tip CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. 
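Review bot: the changed line in the `@@ -810,17 +813,17 @@` hunk keeps the typo `modifyable` (`The UserInfo object is not modifyable`) although the line is rewritten anyway, and the context line above it should read `a UserInfo` rather than `an UserInfo`. The intro sentence now promises `name, tenant, attributes and assigned roles`, which matches the table rows, so that part is consistent; the italicized property names in the first column are a pure style change and fine.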
@@ -833,7 +836,7 @@ In addition, there are getters to retrieve information about [pseudo-roles](#pse | `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | | `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | | `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | -| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted | n/a | +| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted. | n/a | @@ -894,9 +897,9 @@ Also consider data protection and privacy regulations when storing user data. There are multiple reasonable use cases in which user modification is a suitable approach: - Injecting or mixing user roles by calling `modifiableUserInfo.addRole(String role)` (In fact this is the base for [AMS plugin](#roles-assignment-ams) injecting user specifc roles). -- Providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by calling `modifiableUserInfo.setAttributeValues(String attribute, List values)`. -- Constructing the request's user based on forwarded (and trusted) header information, completely replacing default authentication. -- ... +- Providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by invoking `modifiableUserInfo.setAttributeValues(String attribute, List values)`. +- Constructing a request user based on forwarded (and trusted) header information, completely replacing default authentication. +- etc. [See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.learn-more} 
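Review bot: the `@@ -894,9 +897,9 @@` hunk ends the use-case list with a bare `- etc.` item, which reads oddly as a bullet; drop it or say `for example` in the introducing sentence instead. The bullet `Constructing a request user based on forwarded (and trusted) header information, completely replacing default authentication` would benefit from one clause on what makes such headers trustworthy, namely that they are set by a component in front of the service and cannot be supplied by the caller, because a `UserInfoProvider` that reads caller-controlled headers replaces authentication with nothing. The first bullet's context still reads `user specifc`.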
diff --git a/java/event-handlers/request-contexts.md b/java/event-handlers/request-contexts.md index f3d89ed70c..9e234f3b27 100644 --- a/java/event-handlers/request-contexts.md +++ b/java/event-handlers/request-contexts.md 
@@ -116,74 +116,20 @@ For example, if the request is processed by an HTTP-based protocol adapter, `Par The CAP Java SDK allows you to create new Request Contexts and define their scope. This helps you to control, which set of parameters is used when events are processed by services. -There are a few typical use cases in a CAP-based, multitenant application on SAP BTP in which creation of new Request Contexts is necessary. These scenarios are identified by a combination of the user (technical or named) and the tenant (provider or subscribed). - -![A named user can switch to a technical user in the same/subscriber tenant using the systemUser() method. Also, a named user can switch to a technical user in the provider tenant using the systemUserProvider() method. In addition technical users provider/subscriber tenants can switch to technical users on provider/subscriber tenants using the methods systemUserProvider() or systemUser(tenant).](./assets/requestcontext.drawio.svg) - -When calling CAP Services, it's important to call them in an appropriate Request Context. Services might, for example, trigger HTTP requests to external services by deriving the target tenant from the current Request Context. - -The `RequestContextRunner` API offers convenience methods that allow an easy transition from one scenario to the other. - -| Method | Description | -|----------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| systemUserProvider() | Switches to a technical user targeting the provider account. | -| systemUser() | Switches to a technical user and preserves the tenant from the current `UserInfo` (for example downgrade of a named user Request Context). | -| systemUser(tenant) | Switches to a technical user targeting a given subscriber account. | -| anonymousUser() | Switches to an anonymous user. 
| -| privilegedUser() | Elevates the current `UserInfo` to by-pass all authorization checks. | - -::: info Note -The [RequestContextRunner](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/RequestContextRunner.html) API does not allow you to create a Request Context based on a named user. Named user contexts are only created by the CAP Java framework as initial Request Context is based on appropriate authentication information (for example, JWT token) attached to the incoming HTTP request. -::: - -In the following a few concrete examples are given: -- [Switching to Technical User](#switching-to-technical-user) -- [Switching to Provider Tenant](#switching-to-provider-tenant) -- [Switching to a Specific Technical Tenant](#switching-to-a-specific-technical-tenant) - -### Switching to Technical User - -![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg) - -The incoming JWT token triggers the creation of an initial RequestContext with a named user. Accesses to the database in the OData Adapter as well as the custom `On` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. An additionally defined `After` handler wants to call out to an external service using a technical user without propagating the named user JohnDoe. -Therefore, the `After` handler needs to create a new Request Context. To achieve this, it's required to call `requestContext()` on the current `CdsRuntime` and use the `systemUser()` method to remove the named user from the new Request Context: ```java @After(entity = Books_.CDS_NAME) public void afterHandler(EventContext context){ - runtime.requestContext().systemUser().run(reqContext -> { - // call technical service - ... 
- }); -} -``` -### Switching to Technical Provider Tenant {#switching-to-provider-tenant} - -![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg) - -The application offers an action for one of its CDS entities. Within the action, the application communicates with a remote CAP service using an internal technical user from the provider account. The corresponding `on` handler of the action needs to create a new Request Context by calling `requestContext()`. Using the `systemUserProvider()` method, the existing user information is removed and the tenant is automatically set to the provider tenant. This allows the application to perform an HTTP call to the remote CAP service, which is secured using the pseudo-role `internal-user`. - -```java -@On(entity = Books_.CDS_NAME) -public void onAction(AddToOrderContext context){ - runtime.requestContext().systemUserProvider().run(reqContext -> { - // call remote CAP service - ... + runtime.requestContext() + // [...] prepare the fully context + .run(reqContext -> { + // do service calls }); } ``` -### Switching to a Specific Technical Tenant -![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg) +Most important use case is to switch users, for which CAP Java provides [convenience APIs](../../guides/security/cap-users#switching-users). -The application is using a job scheduler that needs to regularly perform tasks on behalf of a certain tenant. By default, background executions (for example in a dedicated thread pool) aren't associated to any subscriber tenant and user. In this case, it's necessary to explicitly define a new Request Context based on the subscribed tenant by calling `systemUser(tenantId)`. This ensures that the Persistence Service performs the query for the specified tenant. 
- -```java -runtime.requestContext().systemUser(tenant).run(reqContext -> { - return persistenceService.run(Select.from(Books_.class)) - .listOf(Books.class); -}); -``` ## Modifying Request Contexts { #modifying-requestcontext} Besides the described common use cases, it's possible to modify parts of an existing Request Context. To manually add, modify or reset specific attributes within the scope of a new Request Context, you can use the [RequestContextRunner](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/runtime/RequestContextRunner.html) API. From 880592b89a27f7bc6e1ba35e9476121e13211620 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 1 Dec 2025 12:10:56 +0100 Subject: [PATCH 044/120] minor changes cap-users --- guides/security/cap-users.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index e6e98a4585..6dde17f03b 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -64,8 +64,8 @@ CAP users can be classified in multiple dimensions: - Technical users operate on behalf of an entire tenant at a technical API level. **Authenticated users vs. anonymous users** -- Authenticated users have successfully completed authentication by presenting a claim (e.g., a token). -- Anonymous users are unidentifiable, as they have not presented any claim for endpoints with optional authentication. +- Authenticated users have successfully completed authentication by presenting valid credentials (e.g., a token). +- Anonymous users are unidentifiable in general, as they usually do not presented any credentials. **Provider vs. subscriber tenant** - The provider tenant includes all users of the application owner. 
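Review bot: the replacement snippet in request-contexts.md carries the comment `// [...] prepare the fully context`, which should be `full context`, and the new sentence `Most important use case is to switch users` needs an article (`The most important use case`). Removing the `RequestContextRunner` table and the three examples also removes the anchors `#switching-to-technical-user`, `#switching-to-provider-tenant` and `#switching-to-a-specific-technical-tenant`; please check for inbound links to them elsewhere in the docs. The dropped table row `privilegedUser() | Elevates the current UserInfo to by-pass all authorization checks` and the note that named-user contexts are only created by the framework are the two security-relevant statements in the removed text; the `isPrivileged` row in cap-users.md (`i.e. is unrestricted`) suggests the first is carried over, but the second should be verified to exist in the `#switching-users` section the new link points to.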
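Review bot: the added line in the `@@ -64,8 +64,8 @@` hunk of cap-users.md has a grammar error (`as they usually do not presented any credentials`) and also loses the point the old line made, that anonymous users arise only at endpoints where authentication is optional; that qualifier is what makes the difference between the `any` and `authenticated-user` pseudo-roles meaningful, so suggest `Anonymous users have not presented any credentials; they can only occur at endpoints where authentication is optional.`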
@@ -140,8 +140,8 @@ Such roles are called pseudo roles as they aren't assigned by user administrator |-----------------------------|---------------------|---------------|---------------| | `authenticated-user` | | _successful authentication_ | _derived from the token_ | | `any` | | | _derived from the token if available or `anonymous`_ | -| `system-user` | _technical_ | _client credential flow_ | `system` | -| `internal-user` | _technical_ | _client credential flow with same identity instance_ | `system-internal` | +| `system-user` | _technical_ | _grant type client credential_ | `system` | +| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `system-internal` | The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. Note that this role does not distinguish between any technical clients sending requests to the API. @@ -786,7 +786,7 @@ Avoid writing custom code based on the raw authentication info, as this undermin **In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. ::: -### Reflection { #reflection } +### Reflection { #reflection .java } In CAP Java, The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways: @@ -840,7 +840,7 @@ In addition, there are getters to retrieve information about [pseudo-roles](#pse -### Customizing Users { #customizing-users } +### Customizing Users { #customizing-users .java } In most cases, CAP's default mapping to the CAP user will match your requirements, but CAP also allows you to customize the mapping according to specific needs. 
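Review bot: in the pseudo-roles table of the `@@ -140,8 +140,8 @@` hunk, `grant type client credential` should use the OAuth 2.0 name `client credentials grant` in both the `system-user` and `internal-user` rows, so that the table matches the term readers will find in the IAS and XSUAA documentation linked from this guide.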
@@ -906,7 +906,7 @@ There are multiple reasonable use cases in which user modification is a suitable
-### Switching Users { #switching-users } +### Switching Users { #switching-users .java } There are a few typical use cases in a (multitenant) application where switching the current user of the request is required. For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. @@ -1024,7 +1024,7 @@ cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { ``` -### User Propagation +### User Propagation { .java } #### Between Threads @@ -1091,6 +1091,8 @@ Prefer using [Remote Services](#remote-services) built on Cloud SDK rather than ### Tracing { #user-tracing } +
+ By default, information about the request user are not logged to the application trace. During development, it might be useful to activate logger `com.sap.cds.security.authentication` by setting the level to `DEBUG`: @@ -1110,6 +1112,11 @@ Don't activate user tracing in production! [Learn more about various options to activate CAP Java loggers](../../java/operating-applications/observability#logging-configuration){.learn-more} +
+ +
+TODO +
## Pitfalls From f5ccc9126ee0f15d2ed975b7f5947b868e892405 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 1 Dec 2025 13:33:05 +0100 Subject: [PATCH 045/120] deleted swp file --- guides/security/.remote-authentication.md.swp | Bin 16384 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 guides/security/.remote-authentication.md.swp 
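Review bot: the `@@ -1110,6 +1112,11 @@` hunk adds a bare `TODO` placeholder directly above `## Pitfalls`, and the surrounding added lines in the `@@ -1091` and `@@ -1110` hunks appear empty in the diff, so it is unclear what they wrap; either fill in the Node.js counterpart of the tracing section before merge or leave the placeholder out of the published page. The unchanged warning `Don't activate user tracing in production!` is the right caveat to keep next to the `DEBUG` logger instructions.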
diff --git a/guides/security/.remote-authentication.md.swp b/guides/security/.remote-authentication.md.swp deleted file mode 100644 index aabe9d42afd7d2ccb9700fa340f6c9ff83fed3db..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeI3%a0sK9mktj9y|g{Brb5McqMjcwcWF^6Dir)RyKBkP2$90J5E?xY)?uSKU3^v)-7;5qhPc z*4tfG{d@oF_pS0^{fVt}>fYeE$In|lul#;5UitXV-j5%7t2Yg;oy4J$S2y~(?B8?d zT_;W)KXLAn6E_<7!Dhk!epc-Eqc9hW3*CP}U$weO!=yhh-QJx z=g%E_|F`=6x%&C95550u{eHWCe!OO&;o~p$`vze6)S>tFwC-1@fldRR209IN8t638 zX`s_Ur-4obod!A$bQf4%2@9y$r#5B>I5&-)hiVQ33_H+1qA&-?n#p7%BAA?Pf0?IzFjp+COP^Zo$+ z9{K_F67-wbdfq2r<9VNed}s~&8Q{lHq5Gi?NOWEz#8s6Dd1kO`-GqE(pZNqqyu1fIA3s1A!1#tU8zveK$awy$i4wCN}wmppz2xzUt* z7_qLb^hLUU^nuiG^wQk;X#QRr#OV;V_%`#yW|Y5=7JM@a3qAC?Fv86cJL{=yK_V>q z!qT&zcjxw*>-BzRCFqC7Xlwch+%@Z(U|59vaTb`paqrrGJhYQj$L_voJ->QPvEW4= zO;R+FB(pWOx{9G@$}!<=hL*Hyn8CcphH0eN)cz!nCW=YfzEMN2yF?Z(?dnuqV?QiJ zy4BSU&wDf*H;bE+DF^%=cn!L>MLa027EOz*w5+1^2TEbiSw70jWT=WVRiQYW)#Kti z2bB4a?P(kpS*`Lle7JI3+sLa59hxjPYDEX*U=1loBVC|&S>MLUjguP`BmP^!1yW9V zZF<5Y{NM{l=V8S`KAD+D&}?K;1RRFUGi72`Hsasg3B39de6%?eS&J-;CKxg3^UuB5 zxyIaAnpu8(mgxoF5ssjSnMyM!fyCksR3Y5kSzfWMkis!JpD@&UlFdY1Ri?3Z%IC5Y zVU0xigA!+Lf58?d>4Jz!hhZ@jfn}}jwjrO%QZ1gE?Mb@O`%A5tzPv;xZ)r)j`yw_V*+Yeqm4_BoTb5wcg%E}T~ynOetC!uS~DQRji4x1sWj=(?`c&NUp z)x0#!hc_3UdETp?U2@_8`O7pFkH}Iqo%-_e924R8QxXWPwb*a*a|HV&Gjl`DORjSo zZNlQ{XjCh4pmE@VPBKZgRS3DU&MHX$AKF0-A^EIM_ePNj{cPl8Qh$(Ltu>mP%|OCUr?QxF6$ovI!yyi55P^YN zIhF)cC1Q7J&V4#0CL4!yQZIg8W<)x-YocyLI!~L>7-f>b#F$*o6Jao5Rq&XS%A-9} zF!QH5-bpA-uty74r@E-}AU=8L_Ius!Ox5V0iWlvY?4wDHS}i+(R<&JpYTu1LvfQrE%PowNF1Q)0 zVxvYN1*57AWmW{Y@rK9 zl;d$YKs4EuN~Kf-LTZ#LPDhn4nI+r#MDbgotuvN#?e8YHoq5UP#p8B;rb55r1{ zJmjOB14B5v6sE3Smuh8~x4n%?uUuifH^EfyLbB3VF$G(?W{ca(YEtIqj&c*BvNb-r z#fJF_va{sdcVl(cKMgYtFNfmyfQ{C&QZJ-vpX?huOY~_^ss5@8(on(n2=DawwKNDD z_pGnqubx$_eMSUVmAu9wvtmOM{)$g!ANKC&aeK~vZjMZtT|Z$=l}VX$#DtTM7fMf- z>)~nPjf9z7VNMKg)nlPLrPNAKojR>1E6b$Kba_oUO4xI6sO2=|PsMIM(fsuo0m}YA 
zPQ*!<)w8_XUQYYr@)fx1%@=)A-FVTfvgUlz&BXIN;g`R^x4V{9d z=l=%%{c-3nXdSv0x&^u!`U`#kpP}zUm!T)1S3@78|Nkho1^up;>o+1>_tR;h(?F+z zP6Pj+8gLbM-VGR_8oE|?`hvjFwN8O~h!% z(;Dl-OyXRvTs-qQAb<}bcs5Iy>9d$%8F)S9OHFKm~#LP=aRWh|T31IF3I zBo4M){G@9Wc{J3ks|^4Ma5B;sj1t_h*|wu0Kuyp#~C8FgvP`3Y(oi*o=_3Qoy0 z2iatW^P~fY>$QPz_;yNP6L27eR7E@6xW%05mr=4r${EERU{ubl3qOG&Q1o2;yvE=#Z{xfYLQXRr3#dBP`-gePe4FBH zv2?e9aYPJGak;sYL98G5{LHGycWW0wB-z zC)mU*d;@vVv!&rPsupJ9YqMAWmgn6ah)AQjm{xwZx_W_gt<_cUM4&E$rlOZQ4>Jeg zsg+dgp=54_9Z6Pr87Tyq5}z!!+KG~^9Gc;7upq$97xa&y754!3-)+2es5Z}UshzX< zuqYRtyx6(kg`EOhwpR0_yq&;19;mI9O0n5;R2DVlDML5N$q-ef1y1o?xQIw9yHXaI zIUG_lyt@KWw|YWrF{9o=|7WtYAk>+BdhuI4LW`4(qaGI!qWw0jb&$``40jGf%k{Jp zL;x-l`;UX5xiyaV4VQLhxO}2Y7;41;U*`n}M;s6t(za3C6aJF4w}^bWBMFx~djft- zyeHanx>`k{`|dQZs@fqB!q}2I94=JhpmSEldJP;WK@G|&(5hs=I{#D_c4>>Gx@c)+ zUgAgLZdhL+?*rwy8BGoY1Q7VkjR3&`r49-XT>12?0uofY znqw78s$apy8|vwOyCd+S;JieosQ0?_##SAb_f2t@`YK0`6AI76moJJ=h>5`aCzad) ANdN!< From 0d314420cd2f17285b81910128d52477b4283e1b Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:55:10 +0100 Subject: [PATCH 046/120] Update guides/security/overview.md Co-authored-by: Patrice Bender --- guides/security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/overview.md b/guides/security/overview.md index 4936cfa357..b82dc707b6 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md 
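Review bot: removing the Vim swap file `guides/security/.remote-authentication.md.swp` is the right call, but nothing in this change stops it from being committed again; add a `*.swp` pattern to the repository's `.gitignore` (assuming one exists, otherwise create it) in the same commit, and check `git status` for further editor artifacts before the next push, since a swap file can carry unsaved draft text that was never meant to be published.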
@@ -45,7 +45,7 @@ Likewise, the CAP representation of the request user can be overruled to match a ### Built on Best of Breed { #key-concept-platform-services } -CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should not have to do it at all!** +CAP does not deal with user login flows, password and credential management, user sessions, or any cryptographic logic - **and applications should definitely not do so!** Instead, **CAP seamlessly integrates with battle-tested [platform services](#btp-services)** that handle these critical security topics centrally. This approach not only simplifies the implementation but also enhances security by leveraging robust, well-tested mechanisms provided by the platform. Built on platform services, CAP allows developers to focus on core application functionality without worrying about the intricacies of security implementation. From 408e2e2795e12fc31cc45f754b47324bd358e199 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:55:48 +0100 Subject: [PATCH 047/120] Update guides/security/overview.md Co-authored-by: Patrice Bender --- guides/security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/overview.md b/guides/security/overview.md index b82dc707b6..ed430cf19f 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md 
@@ -58,7 +58,7 @@ Likewise, TLS termination is offered by the [platform infrastructure](#platform- ### Decoupled from Business Logic { #key-concept-decoupled-coding } As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any security-related adaptions. -This safeguards business logic being independent from platform services which are frequently subject to security hardening initiatives. +This ensures that business logic remains independent of platform services, which are often subject to security-hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication under the hood completely](./remote-authentication#remote-services). From 10bb91365435170d96ef4d49e69f9ebcdbc38301 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:56:10 +0100 Subject: [PATCH 048/120] Update guides/security/overview.md Co-authored-by: Patrice Bender --- guides/security/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/overview.md b/guides/security/overview.md index ed430cf19f..34cab58985 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md 
@@ -61,7 +61,7 @@ As security functions are factorized into independent components, **application This ensures that business logic remains independent of platform services, which are often subject to security-hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. -For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication under the hood completely](./remote-authentication#remote-services). +For instance, CAP allows performing outbound service calls via [Remote Services while handling authentication completely under the hood](./remote-authentication#remote-services). This abstraction layer ensures that developers do not need to worry about the details of authentication. From 135857a8d0bfd64271ae334f1e59e87035203ae5 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:58:34 +0100 Subject: [PATCH 049/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 4579e4c4e2..f0cf460868 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -464,7 +464,7 @@ In the Console you can manage the IAS tenant and IAS applications, for example: - inspect logs in `Monitoring & Reporting` -> `Troubleshooting` ::: tip -In BTP Cockpit, service instance `bookshop-auth` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. +In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. ::: From f7b2590792d987ef4379da279f10aeca7db9e64e Mon Sep 17 00:00:00 2001 
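Review bot: the `bookshop-auth` to `bookshop-ias` rename in the @@ -464,7 hunk is the first of a run of single-line commits (049 through 060) that each rename one occurrence; squash them into one commit and confirm with a repository-wide search that no `bookshop-auth` reference is left in the IAS sections, because a later commit in this series reuses `bookshop-auth` as the name of the XSUAA instance, so any leftover would silently point readers at the wrong service instance.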
From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:59:14 +0100 Subject: [PATCH 050/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index f0cf460868..79bf91883e 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -415,7 +415,7 @@ The following trace in the application log confirms the activated IAS authentica
```sh -... : Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-auth, XSUAA: ) +... : Loaded feature 'IdentityUserInfoProvider' (IAS: bookshop-ias, XSUAA: ) ```
From 36bb1a747ceb3ede43839d8bfd2ff0e5146a5a17 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:59:38 +0100 Subject: [PATCH 051/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 79bf91883e..d2b736e6d9 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -624,7 +624,7 @@ The same is true for the logout flow. ::: details Redirect URIs for login and logout ```yaml - - name: bookshop-auth + - name: bookshop-ias [...] parameters: [...] From 20c8dc8fade2f5f310a6d437ee21f35364e1495b Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 10:59:55 +0100 Subject: [PATCH 052/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index d2b736e6d9..f8152de1dc 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -610,7 +610,7 @@ In addition, property `forwardAuthCertificates` needs to be `true` to support th url: ~{srv-cert-url} forwardAuthToken: true forwardAuthCertificates: true - - name: bookshop-auth + - name: bookshop-ias parameters: config: credential-type: X509_GENERATED From a47893c4d4cdee6d3f46cb77f47ea5571ee424b2 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:00:03 +0100 Subject: [PATCH 053/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/guides/security/authentication.md b/guides/security/authentication.md index f8152de1dc..d49f0e517b 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -578,7 +578,7 @@ curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ Don't forget to delete the service key after your tests: ```sh -cf delete-service-key bookshop-auth bookshop-auth-key +cf delete-service-key bookshop-ias bookshop-ias-key ``` From 02f28b033e4d07da78fbeab1069f94e0db4dc64d Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:02:55 +0100 Subject: [PATCH 054/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index d49f0e517b..f9db5bd089 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -111,7 +111,7 @@ The CAP runtime will automatically authenticate all CAP endpoints - **you are no Sending OData request `curl http://localhost:8080/odata/v4/CatalogService/Books --verbose` results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. -This is true for all endpoints including the web application page at `/index.htlm`. +This is true for all endpoints including the web application page at `/index.html`. Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (HTTP response `200`). From 74ee732c9dd0701a30ae5058f4aac354f101448d Mon Sep 17 00:00:00 2001 
From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:11:59 +0100 Subject: [PATCH 055/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index f9db5bd089..11af495c84 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -158,7 +158,7 @@ You can opt out the preconfiguration of these users by setting `cds ### Customization { #custom-mock-users } -You can define custom mock users to simulate any type of [end users](./cap-users#claims)) that will interact with your application at production time. +You can define custom mock users to simulate any type of [end users](./cap-users#claims) that will interact with your application at production time. Hence, you can use the mock users to test your authorization settings as well as custom handlers fully decoupled from the actual execution environment.
From ebd98ee4d95beb1b354873cbc02a6b77457981f6 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:46:17 +0100 Subject: [PATCH 056/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 11af495c84..3450a0a0bc 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -306,7 +306,7 @@ TODO ## IAS Authentication { #ias-auth } -[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management which provides +[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management which provides: - best of breed authentication mechanisms (single sign-on, multi-factor enforcement) - federation of corporate identity providers (multiple user stores) - cross-landscape user propagation (including on-premise) From 34c58ba82ad454aa2672b13e6b4b53546922b60e Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:47:19 +0100 Subject: [PATCH 057/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 3450a0a0bc..90761377b0 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -393,7 +393,7 @@ Following properties are available: | Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| | `name` | _instance_ | _Name for the IAS application - unique in the tenant_ | -| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS adminstrators_ | +| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS administrators | | `multi-tenant` | _instance_ | _Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS)_ | | `credential-type` | _binding_ | _`X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application_ | | `app-identifier` | _binding_ | _Ensures stable subject in generated certificate (required for credential rotation)_ | From 03f49fbb2c05c627377539670650ced83e2b1a46 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:48:59 +0100 Subject: [PATCH 058/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 90761377b0..06b6f0f1b1 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -482,8 +482,7 @@ Now we want to fetch a token to prepare a fully authenticated test request. As first step we add a new client for the IAS application by creating an appropriate service key: ```sh -cf create-service-key bookshop-auth bookshop-auth-key \ - -c '{"credential-type": "X509_GENERATED"}' +cf create-service-key bookshop-ias bookshop-ias-key -c '{"credential-type": "X509_GENERATED"}' ``` The overall setup with local CLI client and the Cloud services is sketched in the diagram: 
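Review bot: the corrected `display-name` row in the @@ -393,7 hunk loses the closing underscore of its italic cell; it now ends with `administrators |` while every other row of the table ends with `_ |`, so the emphasis is left unbalanced. The cell should read `_Human-readable name for the IAS application as it appears in the Console UI for IAS administrators_ |`.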
From 5c8fcce1fbf22a741d70d405a83c9fe3ee36fabd Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:52:01 +0100 Subject: [PATCH 059/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 06b6f0f1b1..ac5f1b1375 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -546,7 +546,7 @@ To fetch a token - either as technical or as named user - the request needs to p ```sh [Token for technical user] curl --cert cert.pem --key key.pem \ -d "grant_type=client_credentials"\ - -d "client_id"=" \ + -d "client_id=" \ https:///oauth2/token ``` From 8ac1467633c18bb0d1616eb7e887222797a55f9b Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 8 Dec 2025 11:52:55 +0100 Subject: [PATCH 060/120] Update guides/security/authentication.md Co-authored-by: Patrice Bender --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index ac5f1b1375..74631afcff 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -499,7 +499,7 @@ The client certificates are presented in the IAS binding and hence can be examin ::: details How to create and retrieve service key credentials ```sh -cf service-key bookshop-auth bookshop-auth-key +cf service-key bookshop-ias bookshop-ias-key ``` ```sh From 7e3fcfe5d9442f498ea167035441a83defa8905d Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 8 Dec 2025 12:43:11 +0100 Subject: [PATCH 061/120] minor changes --- guides/security/authentication.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) 
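Review bot: the @@ -546,7 hunk fixes the misplaced quote, but the resulting `-d "client_id=" \` and the token URL `https:///oauth2/token` are left with empty values in the rendered text; spell the placeholders out (for example `client_id=<client-id>` and `https://<ias-tenant-host>/oauth2/token`, names chosen here for illustration) so readers know which fields of the service key to substitute, and state that the `cert.pem`/`key.pem` files come from the `certificate` and `key` fields of that key.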
diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 74631afcff..ab3e5de014 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -90,31 +90,50 @@ MockUsersSecurityConfig : * Security configuration based on mock users found i
-TODO +TODO - is there a corresponding log output in Node?
-Also notice the log output prints all recognized mock users such as -
+Also notice the log output prints all recognized mock users such as ```sh MockUsersSecurityConfig : Added mock user {"name":"admin","password":"admin", ...} ```
-
-TODO -
+
The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** +::: tip +In non-production profile, you may set cds.security.authentication.mode = "model-relaxed" to deactivate authentication of endpoints derived from unrestricted CDS services. +::: + Sending OData request `curl http://localhost:8080/odata/v4/CatalogService/Books --verbose` results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. This is true for all endpoints including the web application page at `/index.html`. Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (HTTP response `200`). +
+ +
+ +The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** + +::: tip +In non-production profile, endpoints derived from unrestricted CDS services are not authenticated to simplify the development scenario. +::: + +Sending OData request `curl http://localhost:8080/odata/admin/Books --verbose` +results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. +This is true for all endpoints including the web application page at `/index.html`. + +Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (password: `basic`) with curl `http://alice:basic@localhost:8080/odata/admin/Books` returns successfully (HTTP response `200`). + +
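Review bot: the @@ -90,31 hunk leaves an unresolved marker, `TODO - is there a corresponding log output in Node?`, in the Java tab of the published text; resolve it or move it to a tracked issue before merge, because it will be rendered as-is. In the same hunk, the property in the Java tip, `cds.security.authentication.mode = "model-relaxed"`, should be set in backticks like every other configuration key in the guide, and both tips (the Java one and the Node one stating that endpoints of unrestricted CDS services are not authenticated) should say explicitly that this relaxed behaviour is confined to non-production profiles and that the production default keeps all endpoints authenticated, since the reader is being shown how to switch authentication off. The `will come soon` that replaces `TBD` in the @@ -664,7 hunk of the following commit is still a placeholder and should not ship in a released guide.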
+ ::: tip Mock users are deactivated in production profile by default ❗ From 615aa3f3bb67b0164f352d82be99d4c6296be4d8 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 8 Dec 2025 13:53:01 +0100 Subject: [PATCH 062/120] prepare xsuaa auth --- guides/security/authentication.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index ab3e5de014..2985d2d638 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -606,6 +606,7 @@ In the UI scenario, adding an AppRouter as an ingress proxy for authentication s ```sh cds add approuter +cds up ``` adds the additional AppRouter to the deployment which is already prepared for IAS. @@ -664,7 +665,7 @@ TBD ## Hybrid Authentication { #hybrid-auth } -TBD +will come soon ## Custom Authentication { #custom-auth } From 6b1b21ef3a90199edf35f293d989fe94042cb545 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Mon, 8 Dec 2025 19:46:34 +0100 Subject: [PATCH 063/120] xsuaa auth --- guides/security/authentication.md | 324 +++++++++++++++++++++++++++++- 1 file changed, 321 insertions(+), 3 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 2985d2d638..f6ceef7cc4 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -370,7 +370,7 @@ Now the application is ready to for adding IAS-support by executing cds add ias ``` -which automatically adds a service instance named `bookshop-srv` of type `identity` (plan: `application`) and binds the CAP application to it. +which automatically adds a service instance named `bookshop-ias` of type `identity` (plan: `application`) and binds the CAP application to it. ::: details Generated deployment descriptor for IAS instance and binding ```yaml [mta.yaml] 
@@ -661,12 +661,330 @@ The same is true for the logout flow. ## XSUAA Authentication { #xsuaa-auth } -TBD - +[SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/btp/sap-business-technology-platform/sap-authorization-and-trust-management-service-in-cloud-foundry-environment) is a profen platform service for identity and access management which provides: + - authentication mechanisms (single sign-on, multi-factor enforcement) + - federation of corporate identity providers (multiple user stores) + - create and assign access roles + +::: warn +In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation. +::: + +XSUAA authentication is best configured and tested in the Cloud, so we're going to enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). + + +### Get Ready with XSUAA { #xsuaa-ready } + +Before working with IAS on CF, you need to + +- Ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, +in particular you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). + +You can continue with the sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. +If there is no deplyoment descriptor yet, in the project root folder, execute + +```sh +cds add mta +``` + +to make your application ready for deployment to CF. + +
+ +::: tip +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. +::: + +
+ +### Adding XSUAA + +Now the application is ready to for adding XSUAA-support by executing + +```sh +cds add xsuaa +``` + +which automatically adds a service instance named `bookshop-auth` of type `xsuaa` (plan: `application`) and binds the CAP application to it. + +
+ +::: tip +Command `cds add xsuaa` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates XSUAA authentiaction automatically. +::: + +
+ +::: details Generated deployment descriptor for XSUAA instance and binding +```yaml [mta.yaml] +modules: + - name: bookshop-srv + # [...] + requires: + - name: bookshop-auth + +resources: + - name: bookshop-auth + type: org.cloudfoundry.managed-service + parameters: + service: xsuaa + service-plan: application + path: ./xs-security.json + config: + xsappname: bookshop-${org}-${space} + tenant-mode: dedicated + role-collections: + - name: 'admin (bookshop ${org}-${space})' + description: 'generated' + role-template-references: + - '$XSAPPNAME.admin' +``` +::: + +**CAP applications should have at most one binding to an XSUAA instance.** Conversely, multiple CAP applications can share the same XSUAA instance. + +There are some mandatory configuration parameters: + +| Property | Description | +|-------------------|:-------------------:| +|`service-plan` | `application` broker` | +|`path` | Relative file system path to the application security descriptor. | +|`xsappname` | A unique name within the subaccount. All XSUAA artifacts are scoped with `$XSAPPNAME`. | +|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is madatory for a [multitenant application](../guides/multitenancy/). | + +::: tip +Set `service-plan` to type `broker` to ensure your XSUAA service API can be exposed via broker in future. +::: + +The security descriptor perpares all [XSUAA authorization entities](https://help.sap.com/docs/btp/sap-business-technology-platform/authorization-entities) such as scopes, attributes and role-templates derived from the CDS model. 
+ +::: details Generated XSUAA role templates +```json +{ + "scopes": [ + { + "name": "$XSAPPNAME.admin", + "description": "admin" + } + ], + "attributes": [], + "role-templates": [ + { + "name": "admin", + "description": "generated", + "scope-references": [ + "$XSAPPNAME.admin" + ], + "attribute-references": [] + } + ] +} +``` +::: + +[Lean more about XSUAA security descriptor](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} + + +For every [CAP role](./cap-users#roles) in the CDS model, one scope and one role template are generated with the exact name of the CDS role. +In addition, [preconfigured role collections](https://help.sap.com/docs/btp/sap-business-technology-platform/configuration-options-for-sap-authorization-and-trust-management-service) can be deployed. +In the example, a single role collection `admin (bookshop ${org}-${space})` that contains the role template `admin` is defined in the resource of the XSUAA intance. + + +After successful authentication, the prefix `$XSAPPNAME`is removed from the scope name resulting in the CAP role name. + +::: tip Re-generate on model changes +You can have such a file re-generated via +```sh +cds compile srv --to xsuaa > xs-security.json +``` +::: + +See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) in the SAP HANA Platform documentation for the syntax of the _xs-security.json_ and advanced configuration options. + + +::: warning Avoid invalid characters in your models +Roles modeled in CDS may contain characters considered invalid by the XSUAA service. +::: + +If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. 
+ +Now let's pack and deploy the application with +```sh +cds up +``` + +and wait until the application is up and running. +You can test the status with `cf apps` or in BTP Cockpit, alternatively. + +The following trace in the application log confirms the activated IAS authentication: +
+ +```sh +... : Loaded feature 'XsuaaUserInfoProvider' (IAS: , XSUAA: bookshop-auth) +``` + +
+ +
+TODO +
+ +At startup, the CAP runtime checks the available bindings and activates XSUAA authentication accordingly. +**Therefore, the local setup (no XSUAA binding in the environment) is still runnable**. + + +### Administrative Console for XSUAA { #ias-admin } + +In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) +you can see and manage the deployed IAS application. You need a user with administrative privileges in the IAS tenant to access the services at `.accounts400.ondemand.com/admin`. + +In the Console you can manage the IAS tenant and IAS applications, for example: +- create (test) users in `Users & Authorizations` -> `User Management` +- deactivate users +- configure the authentication strategy (password policies, MFA etc.) in `Applications & Resources` -> `Applications` (IAS instances listed with their display-name) +- inspect logs in `Monitoring & Reporting` -> `Troubleshooting` + +::: tip +In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. +::: + + +### Testing XSUAA on CLI Level + +Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. +Sending the test request +```sh +curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose +``` + +as anonymous user without a token results in a `401 Unauthorized` as expected. + +Now we want to fetch a token to prepare a fully authenticated test request. 
+As first step we add a new client for the IAS application by creating an appropriate service key: + +```sh +cf create-service-key bookshop-ias bookshop-ias-key -c '{"credential-type": "X509_GENERATED"}' +``` + +The overall setup with local CLI client and the Cloud services is sketched in the diagram: + +![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.drawio.svg){width="500px"} + +As IAS requires mTLS-protected channels, **client certificates are mandatory** for all of the following requests: +- Token request to IAS in order to fetch a valid IAS token (1) +- Business request to the CAP application presenting the token (2) +- Initial proof token request to IAS - not required for all business requests (3) + +The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. + +::: details How to create and retrieve service key credentials + +```sh +cf service-key bookshop-ias bookshop-ias-key +``` + +```sh +{ + "credentials": { + [...] + "certificate": "-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----", + "clientid": "2a92c297-8603-4157-9aa9-ca758582abcd", + "credential-type": "X509_GENERATED", + "key": "-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----", + "url": "https://.accounts400.ondemand.com", + [...] + } +} +``` + +::: + +::: warning +❗ **Never share service keys or tokens** ❗ +::: + +From the credentials, you can prepare local files containing the certificate used to initiate the HTTP request. 
+ +The request returns with a valid IAS token which is suitable for authentication in the CAP application: +```sh +{"access_token":"[...]","token_type":"Bearer","expires_in":3600} +``` + +The final test request needs to provide the **client certificate and the token** being send to the application's route with `cert.*`-domain: + +```sh +curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ + https://--bookshop-srv.cert./odata/v4/CatalogService/Books +``` + +Don't forget to delete the service key after your tests: +```sh +cf delete-service-key bookshop-auth bookshop-auth-key +``` + + +### Testing XSUAA on UI Level + +In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. + +```sh +cds add approuter +cds up +``` + +adds the additional AppRouter to the deployment which is already prepared for XSUAA. +The resulting setup is sketched in the diagram: + +![UI-level Testing of XSUAA Endpoints](./assets/ias-ui-setup.svg){width="500px"} + +To be able to fetch the token, the AppRouter needs a binding to the IAS instance as well. + +::: details AppRouter component with XSUAA binding +```yaml + - name: bookshop + [...] + requires: + - name: srv-api + group: destinations + properties: + name: srv-api + url: ~{srv-cert-url} + forwardAuthToken: true + forwardAuthCertificates: true + - name: bookshop-ias + parameters: + config: + credential-type: X509_GENERATED + app-identifier: approuter +``` +::: + +As the login flow is based on an HTTP redirect between the CAP application and IAS login page, +IAS needs to know a valid callback URI which is offered by the AppRouter out-of-the-box. +The same is true for the logout flow. + +::: details Redirect URIs for login and logout +```yaml + - name: bookshop-ias + [...] + parameters: + [...] + config: + [...] 
+ oauth2-configuration: + redirect-uris: + - ~{app-api/app-protocol}://~{app-api/app-uri}/login/callback + post-logout-redirect-uris: + - ~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html +``` +::: + + ## Hybrid Authentication { #hybrid-auth } will come soon + ## Custom Authentication { #custom-auth } There are multiple reasons why customization might be required: From 9f91ec5170952bf3c3ec15643ed1d93267fe1858 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 9 Dec 2025 12:01:05 +0100 Subject: [PATCH 064/120] xsuaa continued --- guides/security/authentication.md | 106 +++++++++++++++++------------- guides/security/cap-users.md | 27 +++++++- 2 files changed, 86 insertions(+), 47 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index f6ceef7cc4..1afff95c3a 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -666,8 +666,8 @@ The same is true for the logout flow. - federation of corporate identity providers (multiple user stores) - create and assign access roles -::: warn -In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation. +::: tip Notice +In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box. ::: XSUAA authentication is best configured and tested in the Cloud, so we're going to enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). 
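Review bot: the cleanup command in the IAS hunk above deletes the wrong key: the key was created with `cf create-service-key bookshop-ias bookshop-ias-key -c '{"credential-type": "X509_GENERATED"}'`, but the closing step runs `cf delete-service-key bookshop-auth bookshop-auth-key`, so the X509 key pair (the service key carries a private key) stays behind after the test; use `cf delete-service-key bookshop-ias bookshop-ias-key`. In the same hunk the subsection is titled "Testing XSUAA on UI Level" and the details box says "AppRouter component with XSUAA binding", although the module binds `bookshop-ias` with `credential-type: X509_GENERATED` and the diagram is `ias-ui-setup.svg`; rename both to IAS. "The request returns with a valid IAS token" follows directly on "prepare local files containing the certificate", but the token request itself (the call to the IAS token endpoint with `cert.pem` and `key.pem`) is not in the hunk, so the reader has no request to run; and "being send" should be "being sent". In the -666 hunk, turning the warning into a tip and adding "out of the box" weakens the statement without saying what the alternative is; either keep it a warning or name what has to be set up for cross-landscape propagation with XSUAA.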
@@ -675,12 +675,11 @@ XSUAA authentication is best configured and tested in the Cloud, so we're going ### Get Ready with XSUAA { #xsuaa-ready } -Before working with IAS on CF, you need to - -- Ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) on CF, -in particular you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). +Before working with XSUAA on CF, you need to ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF. +In particular, you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). You can continue with the sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. + If there is no deplyoment descriptor yet, in the project root folder, execute ```sh @@ -691,31 +690,43 @@ to make your application ready for deployment to CF.
-::: tip +::: tip Notice Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. :::
-### Adding XSUAA +### Adding XSUAA { #adding-xsuaa } Now the application is ready to for adding XSUAA-support by executing +
+ ```sh cds add xsuaa ``` +
+ +
+ +```sh +cds add xsuaa --for production +``` + +
+ + which automatically adds a service instance named `bookshop-auth` of type `xsuaa` (plan: `application`) and binds the CAP application to it.
-::: tip -Command `cds add xsuaa` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates XSUAA authentiaction automatically. +::: tip Notice +Command `cds add xsuaa` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates XSUAA authentication automatically. :::
-::: details Generated deployment descriptor for XSUAA instance and binding ```yaml [mta.yaml] modules: - name: bookshop-srv @@ -739,26 +750,43 @@ resources: role-template-references: - '$XSAPPNAME.admin' ``` -::: **CAP applications should have at most one binding to an XSUAA instance.** Conversely, multiple CAP applications can share the same XSUAA instance. +
+ +::: tip +In case your application has multiple XSUAA bindings you need to [pin the binding](../java/security#bindings) which is relevant for CAP Java. +::: + +
+ There are some mandatory configuration parameters: | Property | Description | |-------------------|:-------------------:| -|`service-plan` | `application` broker` | -|`path` | Relative file system path to the application security descriptor. | -|`xsappname` | A unique name within the subaccount. All XSUAA artifacts are scoped with `$XSAPPNAME`. | -|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is madatory for a [multitenant application](../guides/multitenancy/). | +|`service-plan` | The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`. | +|`path` | File system path to the [application security descriptor](#xsuaa-security-descriptor). | +|`xsappname` | A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`). | +|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is madatory for a [multitenant application](../guides/multitenancy/). | -::: tip -Set `service-plan` to type `broker` to ensure your XSUAA service API can be exposed via broker in future. +::: warning +Upgrading the `service-plan` from type `application` to `broker` us not supported. +Hence, start with `broker` if you want to provides technial APIs potentially. ::: -The security descriptor perpares all [XSUAA authorization entities](https://help.sap.com/docs/btp/sap-business-technology-platform/authorization-entities) such as scopes, attributes and role-templates derived from the CDS model. 
+[Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-developer-guide-for-cloud-foundry-multitarget-applications-sap-web-ide-full-stack/application-security-descriptor-configuration-syntax){.learn-more} + +#### Security Descriptor { #xsuaa-security-descriptor } + +The security descriptor in the `xs-security.json` file contains the [XSUAA authorization artifacts](https://help.sap.com/docs/btp/sap-business-technology-platform/authorization-entities). +In general, XSUAA artifacts are managed in a hierarchy with role collections as root elements that can be assigned to users. +For convenience, when adding XSUAA facet, these artifacts are initially derived from the CDS model: + +- **XSUAA Scopes**: For every [CAP role](./cap-users#roles) in the CDS model, a dedicated scope is generated with the exact name of the CDS role. +- **XSUAA attributes** For every [CAP attribute](./authorization#user-attrs) in the CDS model, one attribute is generated. +- **XSUAA role templates** For every scope, a dedicated role template with the exact name is generated. The role templates are building blocks for concrete role collections that finally can be assigned to users. -::: details Generated XSUAA role templates ```json { "scopes": [ 
@@ -780,18 +808,17 @@ The security descriptor perpares all [XSUAA authorization entities](https://help ] } ``` -::: - +[Learn more about XSUAA attributes](https://help.sap.com/docs/btp/sap-business-technology-platform/setting-up-instance-based-authorizations){.learn-more} [Lean more about XSUAA security descriptor](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} +After successful authentication, the scope prefix `$XSAPPNAME`is removed by the CAP integration to match the corresponding CAP role. -For every [CAP role](./cap-users#roles) in the CDS model, one scope and one role template are generated with the exact name of the CDS role. -In addition, [preconfigured role collections](https://help.sap.com/docs/btp/sap-business-technology-platform/configuration-options-for-sap-authorization-and-trust-management-service) can be deployed. -In the example, a single role collection `admin (bookshop ${org}-${space})` that contains the role template `admin` is defined in the resource of the XSUAA intance. +In the [deplyoment descriptor](#adding-xsuaa), the optional property `role-collections` contains a list of preconfigured role collections. +In general, role collections are [created manually](./cap-users#xsuaa-assign) at runtime by user administrators. +But in case the underlying role template has no reference to an attribute, a corresponing role collection is prepared already. +In the example, role collection `admin (bookshop ${org}-${space})` containing the role template `admin` is defined and can be directly assigned to users. -After successful authentication, the prefix `$XSAPPNAME`is removed from the scope name resulting in the CAP role name. - ::: tip Re-generate on model changes You can have such a file re-generated via ```sh 
@@ -806,7 +833,11 @@ See [Application Security Descriptor Configuration Syntax](https://help.sap.com/ Roles modeled in CDS may contain characters considered invalid by the XSUAA service. ::: +::: warning If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. +::: + +#### Start and Check the Deployment Now let's pack and deploy the application with ```sh @@ -816,11 +847,11 @@ cds up and wait until the application is up and running. You can test the status with `cf apps` or in BTP Cockpit, alternatively. -The following trace in the application log confirms the activated IAS authentication: +The following trace in the application log confirms the activated XSUAA authentication:
```sh -... : Loaded feature 'XsuaaUserInfoProvider' (IAS: , XSUAA: bookshop-auth) +... : Loaded feature 'IdentityUserInfoProvider' (IAS: , XSUAA: bookshop-auth) ```
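Review bot: two relative links in the -739 hunk look wrong for a file under `guides/security/`: `../guides/multitenancy/` in the `tenant-mode` row resolves to `guides/guides/multitenancy/`, and the new "pin the binding" tip links `../java/security#bindings` while the tip in the -691 hunk links the same page as `../../java/security#bindings`; use `../multitenancy/` and `../../java/security#bindings`. The "Learn more about XSUAA application security descriptor configuration syntax" link points at the SAP HANA Cloud / Web IDE developer guide, while the -780 hunk links the BTP page for the same syntax; keep one target. In the `xsappname` row, `$XSAPPNAME` is a placeholder that the service substitutes, not a wildcard. The warning that a plan cannot be changed from `application` to `broker` sits uneasily with the table row that tells UI-only applications to use `application`; say plainly that the choice is permanent and that `broker` is the safer default when an API might ever be exposed. Typos in added lines: "ready to for adding XSUAA-support" (-691), "`broker` us not supported" and "provides technial APIs potentially" (-739), "madatory", "Lean more", "`$XSAPPNAME`is" (missing space), "deplyoment descriptor" and "corresponing" (-780).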
@@ -833,21 +864,6 @@ At startup, the CAP runtime checks the available bindings and activates XSUAA au **Therefore, the local setup (no XSUAA binding in the environment) is still runnable**. -### Administrative Console for XSUAA { #ias-admin } - -In the [Administrative Console for Cloud Identity Services](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/accessing-administration-console?version=Cloud) -you can see and manage the deployed IAS application. You need a user with administrative privileges in the IAS tenant to access the services at `.accounts400.ondemand.com/admin`. - -In the Console you can manage the IAS tenant and IAS applications, for example: -- create (test) users in `Users & Authorizations` -> `User Management` -- deactivate users -- configure the authentication strategy (password policies, MFA etc.) in `Applications & Resources` -> `Applications` (IAS instances listed with their display-name) -- inspect logs in `Monitoring & Reporting` -> `Troubleshooting` - -::: tip -In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. -::: - ### Testing XSUAA on CLI Level @@ -922,6 +938,8 @@ Don't forget to delete the service key after your tests: cf delete-service-key bookshop-auth bookshop-auth-key ``` +[Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.leanr-more} + ### Testing XSUAA on UI Level diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 6dde17f03b..e04711390c 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
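Review bot: the `{.leanr-more}` class on the new "Learn how to setup mTLS for XSUAA" link in the -922 hunk above is a typo for `{.learn-more}` (the class the neighbouring links use), so the link will not get the learn-more styling. Removing the misplaced "Administrative Console for XSUAA" section in the -833 hunk is right, since its content and its `{ #ias-admin }` anchor are IAS material, but check that nothing else links to `#ias-admin` now that the XSUAA chapter no longer defines it.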
@@ -670,8 +670,9 @@ It might be useful to investiagte the injected filter conditions by activating t ## Role Assignment with XSUAA { #xsuaa-roles } -Information about roles and attributes can be made available to the UAA platform service. +Information about roles and attributes can be made available to the XSUAA platform service. This information enables the respective JWT tokens to be constructed and sent with the requests for authenticated users. + In particular, the following happens automatically behind-the-scenes upon build: 
@@ -765,9 +766,29 @@ Inline configuration in the _mta.yaml_ `config` block and the _xs-security.json_ [Learn more about **building and deploying MTA applications**.](/guides/deployment/){ .learn-more} -### Assign Roles in SAP BTP Cockpit +### Assign Roles in SAP BTP Cockpit { #xsuaa-assign } + +This is a manual step a user administrator would do in SAP BTP Cockpit to setup and assign roles for the application: + +By creating a service instance of the `xsuaa` service, all the roles from the _xs-security.json_ file are already added to your subaccount. +Next, you create a role collection that assigns these roles to your users. + +1. Open the SAP BTP Cockpit. + + > For your trial account, this is: [https://cockpit.hanatrial.ondemand.com](https://cockpit.hanatrial.ondemand.com) + +2. Navigate to your subaccount and then choose *Security* > *Role Collections*. +3. Choose *Create New Role Collection*: + + ![Create role collections in SAP BTP cockpit](./assets/create-role-collection.png) + +4. Enter a *Name* for the role collection, for example `BookshopAdmin`, and choose *Create*. +5. Choose your new role collection to open it and switch to *Edit* mode. +6. Add the `admin` role for your bookshop application (application id `bookshop!a`) to the *Roles* list. +7. Add the email addresses for your users to the *Users* list. +8. Choose *Save* + -This is a manual step an administrator would do in SAP BTP Cockpit. See [Set Up the Roles for the Application](/node.js/authentication#auth-in-cockpit) for more details. If a user attribute isn't set for a user in the IdP of the SAP BTP Cockpit, this means that the user has no restriction for this attribute. For example, if a user has no value set for an attribute "Country", they're allowed to see data records for all countries. In the _xs-security.json_, the `attribute` entity has a property `valueRequired` where the developer can specify whether unrestricted access is possible by not assigning a value to the attribute. 
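Review bot: the new step list for `#xsuaa-assign` never assigns attribute values, yet the paragraph right after it states that a user without a value for an attribute such as "Country" is unrestricted for that attribute. That default is the security-relevant part of this procedure: a role collection built from an attribute-bearing template grants unrestricted access whenever the administrator forgets the attribute. Add a step for setting attribute values (or state here, as the authentication guide does, that attribute-based role collections have to be created by hand) and recommend `"valueRequired": true` in _xs-security.json_ as the default, so that a missing value fails closed instead of lifting the restriction. Minor: "Choose *Save*" in step 8 lacks its period.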
From b77e87e90481b5983d731df88519139ffcfa6ac8 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 9 Dec 2025 16:59:57 +0100 Subject: [PATCH 065/120] xsuaa authentication --- guides/security/authentication.md | 120 ++++++++++++++++++------------ 1 file changed, 72 insertions(+), 48 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 1afff95c3a..6dd0c90a5a 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -810,6 +810,7 @@ For convenience, when adding XSUAA facet, these artifacts are initially derived ``` [Learn more about XSUAA attributes](https://help.sap.com/docs/btp/sap-business-technology-platform/setting-up-instance-based-authorizations){.learn-more} [Lean more about XSUAA security descriptor](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} +[Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.leanr-more} After successful authentication, the scope prefix `$XSAPPNAME`is removed by the CAP integration to match the corresponding CAP role. 
@@ -876,61 +877,71 @@ curl https://--bookshop-srv./odata/v4/CatalogServi as anonymous user without a token results in a `401 Unauthorized` as expected. Now we want to fetch a token to prepare a fully authenticated test request. -As first step we add a new client for the IAS application by creating an appropriate service key: +As first step we add a new client for the XSUAA application by creating an appropriate service key: ```sh -cf create-service-key bookshop-ias bookshop-ias-key -c '{"credential-type": "X509_GENERATED"}' +cf create-service-key bookshop-auth bookshop-auth-key ``` -The overall setup with local CLI client and the Cloud services is sketched in the diagram: - -![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.drawio.svg){width="500px"} - -As IAS requires mTLS-protected channels, **client certificates are mandatory** for all of the following requests: -- Token request to IAS in order to fetch a valid IAS token (1) -- Business request to the CAP application presenting the token (2) -- Initial proof token request to IAS - not required for all business requests (3) - -The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. - -::: details How to create and retrieve service key credentials ```sh -cf service-key bookshop-ias bookshop-ias-key +cf service-key bookshop-auth bookshop-auth-key ``` ```sh { "credentials": { - [...] - "certificate": "-----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----", - "clientid": "2a92c297-8603-4157-9aa9-ca758582abcd", - "credential-type": "X509_GENERATED", - "key": "-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----", - "url": "https://.accounts400.ondemand.com", + [...] + "clientid": "sb-bookshop-...", + "clientsecret": "...", + "url": "https://cap-zone.authentication.sap.hana.ondemand.com", [...] 
} } ``` -::: - ::: warning ❗ **Never share service keys or tokens** ❗ ::: -From the credentials, you can prepare local files containing the certificate used to initiate the HTTP request. +As second step, assign the generated role collection with name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` to your **test user** by following instructions from [Assign Roles in SAP BTP Cockpit](./cap-users##xsuaa-assign). -The request returns with a valid IAS token which is suitable for authentication in the CAP application: +With the credentials, you can send an HTTP request to fetch the token from XSUAA `/oauth/token` endpoint: + +::: code-group + +```sh [Token for technical user] +curl -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d 'grant_type=client_credentials' \ + -d 'client_id=' \ + -d 'client_secret=' \ + /oauth/token +``` + +```sh [Token for named user] +curl -X POST \ + -H "Content-Type: application/x-www-form-urlencoded" \ + -d 'grant_type=password' \ + -d 'client_id=' \ + -d 'client_secret=' \ + -d 'username=' \ + -d 'password=' \ + /oauth/token +``` + +::: + +The request returns with a valid XSUAA token which is suitable to pass authentication in the CAP application: ```sh -{"access_token":"[...]","token_type":"Bearer","expires_in":3600} +{"access_token":"", "token_type":"bearer","expires_in":43199, [...]} ``` -The final test request needs to provide the **client certificate and the token** being send to the application's route with `cert.*`-domain: +The final test request needs to provide the token being send to the application's route: ```sh -curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ - https://--bookshop-srv.cert./odata/v4/CatalogService/Books +curl -H "Authorization: Bearer " \ + https://--bookshop-srv./odata/v4/CatalogService/Books ``` Don't forget to delete the service key after your tests: 
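Review bot: the "Token for named user" example in the -876 hunk uses `grant_type=password`, the resource owner password credentials grant; it is deprecated by the OAuth 2.0 Security Best Current Practice, only works for users in the default identity provider, and bypasses the single sign-on and multi-factor enforcement this guide lists as XSUAA features. Say that it is for a throwaway test user only and that real clients use the authorization code flow, which is what the AppRouter section below does. The role collection name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` is the author's org and space; the descriptor in the -739 hunk defines it as `admin (bookshop ${org}-${space})`, so use that form. The `url` value `https://cap-zone.authentication.sap.hana.ondemand.com` in the service-key output looks like a real subaccount subdomain while the other fields use placeholders; replace it with a placeholder too. The link `./cap-users##xsuaa-assign` has a doubled `#`, and "being send" should be "being sent".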
@@ -938,12 +949,10 @@ Don't forget to delete the service key after your tests: cf delete-service-key bookshop-auth bookshop-auth-key ``` -[Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.leanr-more} - ### Testing XSUAA on UI Level -In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. +In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the XSUAA token are done under the hood. ```sh cds add approuter 
@@ -955,35 +964,39 @@ The resulting setup is sketched in the diagram: ![UI-level Testing of XSUAA Endpoints](./assets/ias-ui-setup.svg){width="500px"} -To be able to fetch the token, the AppRouter needs a binding to the IAS instance as well. +To be able to fetch the token, the AppRouter needs a binding to the XSUAA instance as well. ::: details AppRouter component with XSUAA binding ```yaml +modules: - name: bookshop - [...] + type: approuter.nodejs + path: app/router + parameters: + [...] requires: - name: srv-api group: destinations properties: - name: srv-api - url: ~{srv-cert-url} + name: srv-api # must be used in xs-app.json as well + url: ~{srv-url} forwardAuthToken: true - forwardAuthCertificates: true - - name: bookshop-ias - parameters: - config: - credential-type: X509_GENERATED - app-identifier: approuter + - name: bookshop-auth + provides: + - name: app-api + properties: + app-uri: ${default-uri} + [...] ``` ::: -As the login flow is based on an HTTP redirect between the CAP application and IAS login page, -IAS needs to know a valid callback URI which is offered by the AppRouter out-of-the-box. +As the login flow is based on an HTTP redirect between the CAP application and XSUAA login page, +XSUAA needs to know a valid callback URI which is offered by the AppRouter out-of-the-box. The same is true for the logout flow. ::: details Redirect URIs for login and logout ```yaml - - name: bookshop-ias + - name: bookshop-auth [...] parameters: [...] 
@@ -991,12 +1004,23 @@ The same is true for the logout flow. [...] oauth2-configuration: redirect-uris: - - ~{app-api/app-protocol}://~{app-api/app-uri}/login/callback - post-logout-redirect-uris: - - ~{app-api/app-protocol}://~{app-api/app-uri}/*/logout.html + - https://*~{app-api/app-uri}/** + requires: + - name: app-api ``` ::: +To check the deplyoment, run `cf apps` in the targeted space: + +```sh +name requested state processes routes +bookshop started web:1/1 --bookshop.cfapps.sap.hana.ondemand.com +bookshop-srv started web:1/1 --bookshop-xsuaa-bookshop-srv.cfapps.sap.hana.ondemand.com +``` + +and open the route exposed by the `bookshop` UI application in a new browser session. + + ## Hybrid Authentication { #hybrid-auth } From c6632cfdf0e60ceafd0407dde06c00c6470e6ad4 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Tue, 9 Dec 2025 17:52:50 +0100 Subject: [PATCH 066/120] harmonized titles --- guides/security/authentication.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 6dd0c90a5a..c9b21d91cd 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -471,7 +471,7 @@ On SAP BTP Kyma Runtime, you might need to adapt configuration parameter .accounts400.ondemand.com/admin`. @@ -487,7 +487,7 @@ In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows di ::: -### Testing IAS on CLI Level +### CLI Level Testing Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. Sending the test request @@ -600,7 +600,7 @@ cf delete-service-key bookshop-ias bookshop-ias-key ``` -### Testing IAS on UI Level +### UI Level Testing In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. 
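Review bot: the -991 hunk replaces the explicit callback `~{app-api/app-protocol}://~{app-api/app-uri}/login/callback` with `https://*~{app-api/app-uri}/**`, a subdomain and path wildcard, and drops `post-logout-redirect-uris` entirely while the prose still says "The same is true for the logout flow". Redirect URI patterns are the check that stops an authorization code from being delivered to a foreign host, so the sample should stay as narrow as the flow needs: the `/login/callback` path the AppRouter exposes, and the subdomain wildcard only when tenant subdomains (`tenant-mode: shared`) require it. Either restore the logout entry or drop the logout sentence. In the -955 hunk the comment "must be used in xs-app.json as well" is useful; say which property, the destination name. In the 066 hunks, the IAS and XSUAA sections now both carry the headings "CLI Level Testing" and "UI Level Testing"; duplicate headings produce colliding auto-generated anchors, so give them explicit ids (for example `{ #xsuaa-cli-testing }`) as the other sections do.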
@@ -666,7 +666,7 @@ The same is true for the logout flow. - federation of corporate identity providers (multiple user stores) - create and assign access roles -::: tip Notice +::: tip Info In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box. ::: @@ -690,7 +690,12 @@ to make your application ready for deployment to CF.
-::: tip Notice +In addition, activate H2 to serve as in-memory DB (**not** recommended for production!): +```sh +cds add h2 --for production +``` + +::: tip Info Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. ::: @@ -866,7 +871,7 @@ At startup, the CAP runtime checks the available bindings and activates XSUAA au -### Testing XSUAA on CLI Level +### CLI Level Testing Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. Sending the test request @@ -950,7 +955,7 @@ cf delete-service-key bookshop-auth bookshop-auth-key ``` -### Testing XSUAA on UI Level +### UI Level Testing In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the XSUAA token are done under the hood. From 4cc24e4bfee0e6edb2936dfb27b190464b0f6639 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 10 Dec 2025 08:53:24 +0100 Subject: [PATCH 067/120] minor --- guides/security/authentication.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index c9b21d91cd..b2765ca5ab 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
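Review bot: in the 066 hunk at -690, `cds add h2 --for production` adds the in-memory H2 database to the production profile in the same breath as the sentence that says it is not recommended for production. State that this is only to make the test deployment self-contained and that a real deployment replaces it with a persistent database before the sample is shipped as is.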
@@ -32,7 +32,6 @@ This guide explains how to authenticate CAP services to resolve CAP users. In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. -CAP applications making use of remote services of any type need to have a proper [remote authentication](./remote-authentication) in place as well. ![Authentication with CAP](./assets/authentication.drawio.svg){width="550px" } @@ -122,7 +121,7 @@ Mock users require **basic authentication**, hence sending the same request on b The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** -::: tip +::: Hint In non-production profile, endpoints derived from unrestricted CDS services are not authenticated to simplify the development scenario. ::: @@ -135,7 +134,7 @@ Mock users require **basic authentication**, hence sending the same request on b
-::: tip +::: Hint Mock users are deactivated in production profile by default ❗ ::: From f24c5306cc1238cc7684d0fa608288507c89c169 Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 08:00:19 +0100 Subject: [PATCH 068/120] wip: xsuaa node --- guides/security/authentication.md | 64 +++++++++++++++++++++++-------- 1 file changed, 49 insertions(+), 15 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index b2765ca5ab..5dc9844373 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -660,7 +660,7 @@ The same is true for the logout flow. ## XSUAA Authentication { #xsuaa-auth } -[SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/btp/sap-business-technology-platform/sap-authorization-and-trust-management-service-in-cloud-foundry-environment) is a profen platform service for identity and access management which provides: +[SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/btp/sap-business-technology-platform/sap-authorization-and-trust-management-service-in-cloud-foundry-environment) is a proven platform service for identity and access management which provides: - authentication mechanisms (single sign-on, multi-factor enforcement) - federation of corporate identity providers (multiple user stores) - create and assign access roles @@ -679,7 +679,7 @@ In particular, you require a `cf` CLI session targeting a CF space in the test s You can continue with the sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. -If there is no deplyoment descriptor yet, in the project root folder, execute +If there is no deployment descriptor yet, in the project root folder, execute ```sh cds add mta @@ -700,6 +700,21 @@ Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and t
+
+ +In addition, activate SQLite to serve as in-memory DB (**not** recommended for production!): +```sh +cds add sqlite --for production +``` + +make sure to run: + +```sh +npm install +``` + +
+ ### Adding XSUAA { #adding-xsuaa } Now the application is ready to for adding XSUAA-support by executing @@ -772,11 +787,11 @@ There are some mandatory configuration parameters: |`service-plan` | The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`. | |`path` | File system path to the [application security descriptor](#xsuaa-security-descriptor). | |`xsappname` | A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`). | -|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is madatory for a [multitenant application](../guides/multitenancy/). | +|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a [multitenant application](../guides/multitenancy/). | ::: warning -Upgrading the `service-plan` from type `application` to `broker` us not supported. -Hence, start with `broker` if you want to provides technial APIs potentially. +Upgrading the `service-plan` from type `application` to `broker` is not supported. +Hence, start with `broker` if you plan to provide technical APIs. ::: [Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-developer-guide-for-cloud-foundry-multitarget-applications-sap-web-ide-full-stack/application-security-descriptor-configuration-syntax){.learn-more} 
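Review bot: `::: Hint` in the two 067 hunks above (-122 and -135) replaces a valid `::: tip` container with a type the markdown container plugin does not know (tip, info, warning, danger, details), so both boxes, including "Mock users are deactivated in production profile by default", will render as literal text; use `::: tip Hint`. In the 068 -700 hunk, `cds add sqlite --for production` has the same problem as the H2 line it mirrors: it puts a development database into the production profile right after saying it is not recommended for production; say that it is for the test deployment only. Also state why the extra `npm install` is needed (the added module must be installed before `cds up`).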
@@ -814,13 +829,13 @@ For convenience, when adding XSUAA facet, these artifacts are initially derived ``` [Learn more about XSUAA attributes](https://help.sap.com/docs/btp/sap-business-technology-platform/setting-up-instance-based-authorizations){.learn-more} [Lean more about XSUAA security descriptor](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} -[Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.leanr-more} +[Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.learn-more} After successful authentication, the scope prefix `$XSAPPNAME`is removed by the CAP integration to match the corresponding CAP role. In the [deplyoment descriptor](#adding-xsuaa), the optional property `role-collections` contains a list of preconfigured role collections. In general, role collections are [created manually](./cap-users#xsuaa-assign) at runtime by user administrators. -But in case the underlying role template has no reference to an attribute, a corresponing role collection is prepared already. +But in case the underlying role template has no reference to an attribute, a corresponding role collection is prepared already. In the example, role collection `admin (bookshop ${org}-${space})` containing the role template `admin` is defined and can be directly assigned to users. @@ -852,8 +867,8 @@ cds up and wait until the application is up and running. You can test the status with `cf apps` or in BTP Cockpit, alternatively. -The following trace in the application log confirms the activated XSUAA authentication:
+The following trace in the application log confirms the activated XSUAA authentication: ```sh ... : Loaded feature 'IdentityUserInfoProvider' (IAS: , XSUAA: bookshop-auth) @@ -862,7 +877,13 @@ The following trace in the application log confirms the activated XSUAA authenti
-TODO + +run `cf logs bookshop-srv --recent` to confirm the activated XSUAA authentication: + +```sh +... : "using auth strategy { kind: 'xsuaa' … } +``` +
At startup, the CAP runtime checks the available bindings and activates XSUAA authentication accordingly. @@ -872,13 +893,26 @@ At startup, the CAP runtime checks the available bindings and activates XSUAA au ### CLI Level Testing -Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. -Sending the test request +Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the XSUAA application. +Send the test request: + +
+ ```sh curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose ``` -as anonymous user without a token results in a `401 Unauthorized` as expected. +
+ +
+ +```sh +curl https://--bookshop-srv./odata/v4/catalog/Books --verbose +``` + +
+ +…as anonymous user without a token the request results in a `401 Unauthorized` as expected. Now we want to fetch a token to prepare a fully authenticated test request. As first step we add a new client for the XSUAA application by creating an appropriate service key: @@ -892,13 +926,13 @@ cf create-service-key bookshop-auth bookshop-auth-key cf service-key bookshop-auth bookshop-auth-key ``` -```sh +```json { "credentials": { [...] "clientid": "sb-bookshop-...", "clientsecret": "...", - "url": "https://cap-zone.authentication.sap.hana.ondemand.com", + "url": "https://.authentication.sap.hana.ondemand.com", [...] } } @@ -908,7 +942,7 @@ cf service-key bookshop-auth bookshop-auth-key ❗ **Never share service keys or tokens** ❗ ::: -As second step, assign the generated role collection with name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` to your **test user** by following instructions from [Assign Roles in SAP BTP Cockpit](./cap-users##xsuaa-assign). +As second step, assign the generated role collection with name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` to your **test user** by following instructions from [Assign Roles in SAP BTP Cockpit](./cap-users#xsuaa-assign). With the credentials, you can send an HTTP request to fetch the token from XSUAA `/oauth/token` endpoint: From 9fba62377273ee9ebc50e4b93c533f45b1bb1c73 Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 10:32:12 +0100 Subject: [PATCH 069/120] some adjustements to mock auth in node --- guides/security/authentication.md | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 5dc9844373..fa6c7aca92 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -89,7 +89,14 @@ MockUsersSecurityConfig : * Security configuration based on mock users found i
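Review bot: In the CLI Level Testing hunk of the XSUAA section (`@@ -872,13 +893,26 @@`), the added line `+Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the XSUAA application.` only swaps "IAS" for "XSUAA" and keeps "ID tokens", which is OpenID Connect terminology from the IAS sentence it replaces. What the following steps obtain from `/oauth/token` and send as `Authorization: Bearer` is the XSUAA `access_token` (`"token_type":"bearer"` in the sample response), and that is what the runtime validates; say "access tokens" here so nobody goes looking for an `id_token`. Same hunk: the sentence "Send the test request:" is now split across the two runtime-specific blocks and continues as "…as anonymous user without a token the request results in a `401 Unauthorized`", which reads as a fragment in each variant; make each block a complete sentence.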
-TODO - is there a corresponding log output in Node? + +```sh +[cds] - using auth strategy { + kind: 'mocked', + … +} +``` +
@@ -121,20 +128,29 @@ Mock users require **basic authentication**, hence sending the same request on b The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** -::: Hint +::: tip In non-production profile, endpoints derived from unrestricted CDS services are not authenticated to simplify the development scenario. ::: -Sending OData request `curl http://localhost:8080/odata/admin/Books --verbose` +Sending OData request + +```sh +curl http://localhost:4004/odata/v4/admin/Books --verbose +``` + results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. This is true for all endpoints including the web application page at `/index.html`. -Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (password: `basic`) with curl `http://alice:basic@localhost:8080/odata/admin/Books` returns successfully (HTTP response `200`). +Mock users require **basic authentication**, hence sending the same request on behalf of mock user `alice` (password: `basic`) with +```sh +curl http://alice:basic@localhost:4004/odata/v4/admin/Books +``` +returns successfully (HTTP response `200`).
-::: Hint +::: tip Mock users are deactivated in production profile by default ❗ ::: @@ -305,7 +321,9 @@ public class BookServiceOrdersTest {
-TODO + +[Learn more about testing with authenticated endpoints](../../node.js/cds-test#authenticated-endpoints){.learn-more} +
From 2b7b7445e97bbb4b6824969cdd312d08f10fb629 Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 12:20:15 +0100 Subject: [PATCH 070/120] add learnings after cli testing with xsuaa for node --- guides/security/authentication.md | 55 +++++++++++++++++++++++++++---- guides/security/foo.json | 9 +++++ 2 files changed, 57 insertions(+), 7 deletions(-) create mode 100644 guides/security/foo.json diff --git a/guides/security/authentication.md b/guides/security/authentication.md index fa6c7aca92..946c493c4d 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -725,12 +725,6 @@ In addition, activate SQLite to serve as in-memory DB (**not** recommended for p cds add sqlite --for production ``` -make sure to run: - -```sh -npm install -``` -
### Adding XSUAA { #adding-xsuaa } @@ -878,10 +872,24 @@ If you modify the _xs-security.json_ manually, make sure that the scope names in #### Start and Check the Deployment Now let's pack and deploy the application with + +
+ +```sh +npm install +cds up +``` + +
+ +
+ ```sh cds up ``` +
+ and wait until the application is up and running. You can test the status with `cf apps` or in BTP Cockpit, alternatively. @@ -960,7 +968,8 @@ cf service-key bookshop-auth bookshop-auth-key ❗ **Never share service keys or tokens** ❗ ::: -As second step, assign the generated role collection with name `admin (bookshop cdsruntime-cap-zone-bookshop-xsuaa)` to your **test user** by following instructions from [Assign Roles in SAP BTP Cockpit](./cap-users#xsuaa-assign). +As second step, assign the generated role collection with name `admin (bookshop ${org}-${space})` to your **test user**. +Follow the instructions from step 4 onwards of [Assign Roles in SAP BTP Cockpit Step](./cap-users#xsuaa-assign). With the credentials, you can send an HTTP request to fetch the token from XSUAA `/oauth/token` endpoint: @@ -993,6 +1002,8 @@ The request returns with a valid XSUAA token which is suitable to pass authentic {"access_token":"", "token_type":"bearer","expires_in":43199, [...]} ``` + +
The final test request needs to provide the token being send to the application's route: ```sh @@ -1000,6 +1011,36 @@ curl -H "Authorization: Bearer " \ https://--bookshop-srv./odata/v4/CatalogService/Books ``` +
+ +
+ +With the token for the technical user, you should be able to access any endpoint, which has no specific role requirements: + +```sh +curl -H "Authorization: Bearer " \ + https://--bookshop-srv./odata/v4/catalog/Books +``` + +If you also want to access the `AdminService` which requires the role `admin`, you need to fetch the token for the named user instead. +Then, the following request should succeed: + +```sh +curl -H "Authorization: Bearer " \ + https://--bookshop-srv./odata/v4/admin/Books +``` + +::: tip +Try out sending a request to the `admin` endpoint with the technical user token to see the expected `403 Forbidden` response: + +```sh +{ "error": { "message":"Forbidden","code":"403", … } } +``` + +::: + +
+ Don't forget to delete the service key after your tests: ```sh cf delete-service-key bookshop-auth bookshop-auth-key diff --git a/guides/security/foo.json b/guides/security/foo.json new file mode 100644 index 0000000000..30e124d1d1 --- /dev/null +++ b/guides/security/foo.json @@ -0,0 +1,9 @@ +{ + "access_token": "eyJ0eXAiOiJKV1QiLCJqaWQiOiJNckMxRWF0RXNZNGM5M0xxSnJ4WW5uc2loLytGdWVGYzk1cVRaMGhJNEFnPSIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9jYXAtc2FuZGJveC5hdXRoZW50aWNhdGlvbi5ldTEyLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWp3dC1rZXktMTQ5NjU0NDk4NCJ9.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.irC6G4CIhATwTn2yNEdj9GbwKUCrS8hkxwH3h9Hpnl9zwXMvSgoAQkNi94zJ2i3t6Z0ddTQ3kjpGEVpdKiCKVDZZ0J8pdxUK_oRW0_2VXG7AY8RJ0KBpx5Un9-Kxp3NJTJ3Zs_dn0lsLLxj78_bX0DoatBcrFojZ00FhPrRgjVthVuLZdMDFqKBjo5FtXxIkSDI0BExhXBIyV1mHLVbJz3gFxV-DwR7fXYbix8EqL00WASNwyIk7Q_YYtm8fEiibpnwg1ytPi2hEq2ruuj4wauN9FzLX_VrCQMIKd3o3vRN4NWgM5ogsi4B44u1ZXplH_peStQEt8HM3jGL3HHe_Og", + "token_type": "bearer", + "id_token": "eyJ0eXAiOiJKV1QiLCJqaWQiOiJxQ1FmNUs4SmZtZ0NqT0Rta3BPK1NmTURRRmZCN1ZjS2ZKeXpqZ0VnMXIwPSIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9jYXAtc2FuZGJveC5hdXRoZW50aWNhdGlvbi5ldTEyLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWp3dC1rZXktMTQ5NjU0NDk4NCJ9.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.hhtXRzN2xgAkKcoKi9zDnNbUYjTSo3IrxixY2lTlT5ZsWchxP_AVT46vEx6Fn5imvD0L4TjqrDSViNrKMBa86fnhmOqmRZemS5oz3_JmARG-156oFzEHIbIX0-VxOKXerOa0zQeoaYP9YA-YxmKl23W5J8ABUQAA1V-5USpG89S6rRcJ-b-Dv6QKXqh5w-Wco26FVguVQPswaeCnDjY96RK3AK1qqMSNE6ZxlTyAZsvELiEwqJS2Q7ovUgrDtObMW3z4xWjsmvGW1yee9_9JtC3cxIZqlMW-C2lj9RHXTQR5kZjf4dP-d5sB0i0WOr8qBaf4V0EmmBs6M30Vu3HbSw", + "refresh_token": "47e1bfb110134610a82662428a377f14-r", + "expires_in": 43199, + "scope": "openid bookshop-cap-sandbox-patrice!t50015.admin", + "jti": "180853f14c1f47059f66a84a4b962221" +} From dc6d970556ae7fbc16e77c70c009f293da87b725 Mon Sep 17 00:00:00 2001 
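Review bot: In the hunk at `@@ -1000,6 +1011,36 @@`, the text distinguishes a token "for the technical user" from a token "for the named user", but the page shows only one `/oauth/token` call and one response shape, so a reader cannot tell how to obtain either. State the grant for each: a token issued to the client itself (client credentials from the service key) carries no user name and is treated by CAP as a technical user, which is exactly why `/odata/v4/admin/Books` answers `403 Forbidden` with it, while the `admin` scope only appears in a token issued on behalf of the user who holds the `admin (bookshop ${org}-${space})` role collection. Also, the `403` response body in the `::: tip` is JSON but sits in a ```sh fence; use ```json, as the service-key output in this same patch now does.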
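Review bot: The `diff --git a/guides/security/foo.json` hunk commits a real XSUAA token response to the repository: `access_token`, `id_token`, `refresh_token` (`47e1bfb110134610a82662428a377f14-r`), `jti` and the scope `bookshop-cap-sandbox-patrice!t50015.admin`, and the base64 payload of the access token carries the author's e-mail, subaccount and zone identifiers and the full role-collection list. Deleting the file in PATCH 071 does not remove it from git history, and a refresh token normally outlives the 43199-second access-token lifetime and can mint new access tokens for that client. Delete the `bookshop-auth-key` service key, as the page itself instructs, so the client these tokens were issued to no longer exists, scrub the blob from history before this branch is pushed anywhere shared, and keep the page's redacted form `{"access_token":"", "token_type":"bearer","expires_in":43199, [...]}` for any sample output.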
From: Patrice Bender Date: Thu, 11 Dec 2025 12:20:29 +0100 Subject: [PATCH 071/120] rm unused file --- guides/security/foo.json | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 guides/security/foo.json diff --git a/guides/security/foo.json b/guides/security/foo.json deleted file mode 100644 index 30e124d1d1..0000000000 --- a/guides/security/foo.json +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - "access_token": "eyJ0eXAiOiJKV1QiLCJqaWQiOiJNckMxRWF0RXNZNGM5M0xxSnJ4WW5uc2loLytGdWVGYzk1cVRaMGhJNEFnPSIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9jYXAtc2FuZGJveC5hdXRoZW50aWNhdGlvbi5ldTEyLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWp3dC1rZXktMTQ5NjU0NDk4NCJ9.eyJzdWIiOiJjZWIwNGY5Yi1mMTNiLTQ5MDItYTQ2NS0yYTllMmNmOTE4N2IiLCJ4cy51c2VyLmF0dHJpYnV0ZXMiOnt9LCJ1c2VyX25hbWUiOiJwYXRyaWNlLmJlbmRlckBzYXAuY29tIiwib3JpZ2luIjoic2FwLmRlZmF1bHQiLCJpc3MiOiJodHRwczovL2NhcC1zYW5kYm94LmF1dGhlbnRpY2F0aW9uLmV1MTIuaGFuYS5vbmRlbWFuZC5jb20vb2F1dGgvdG9rZW4iLCJ4cy5zeXN0ZW0uYXR0cmlidXRlcyI6eyJ4cy5yb2xlY29sbGVjdGlvbnMiOlsiV29ya3pvbmVfRXh0ZXJuYWxfVXNlciIsInN1YiIsIldvcmtmbG93X0FkbWluIiwiU0FQIEhBTkEgQ2xvdWQgQWRtaW5pc3RyYXRvciIsIlNBUCBIQU5BIENsb3VkIERhdGEgUHVibGlzaGVyIFZpZXdlciIsIlNBUCBIQU5BIENsb3VkIERhdGEgUHVibGlzaGVyIEFkbWluaXN0cmF0b3IiLCJDbG91ZCBDb25uZWN0b3IgQWRtaW5pc3RyYXRvciIsIkxhdW5jaHBhZF9BZG1pbl9SZWFkX09ubHkiLCJXb3Jrem9uZV9BZG1pbiIsIkxhdW5jaHBhZF9FeHRlcm5hbF9Vc2VyIiwiTVRYIiwiRGVzdGluYXRpb24gQWRtaW5pc3RyYXRvciIsIlN1YmFjY291bnQgQWRtaW5pc3RyYXRvciIsIkNvbm5lY3Rpdml0eSBhbmQgRGVzdGluYXRpb24gQWRtaW5pc3RyYXRvciIsIlN1YnNjcmlwdGlvbiBNYW5hZ2VtZW50IERhc2hib2FyZCIsIlNBUCBIQU5BIENsb3VkIFNlY3VyaXR5IEFkbWluaXN0cmF0b3IiLCJXb3Jrem9uZV9BZG1pbl9SZWFkX09ubHkiLCJTdWJhY2NvdW50IFNlcnZpY2UgQWRtaW5pc3RyYXRvciIsInNmbGlnaHQtYWRtaW4tY2hyaXN0aWFuIiwiU0FQIEhBTkEgQ2xvdWQgVmlld2VyIiwiYWRtaW4gKGJvb2tzaG9wIGNhcC1zYW5kYm94LXBhdHJpY2UpIiwic2ZsaWdodC1yZXZpZXdlci1jaHJpc3RpYW4iLCJTdWJhY2NvdW50IFZpZXdlciIsInNlc3Npb24tbWFuYWdlbWVudC1tb2RlcmF0b3IiLCJTdWJzY3JpcHRpb24gTWFuYWdlbWVudCBEYXNoYm9hcmQgVmlld2VyIiwiV29ya3pvbmVfQWR2YW5jZWRfVGhlbWluZyIsIldvcmt6b25lX0FyZWFfQWRtaW4iLCJMYXVuY2hwYWRfQWRtaW4iLCJMYXVuY2hwYWRfQWR2YW5jZWRfVGhlbWluZyIsIldvcmtmbG93X0VuZF9Vc2VyIiwic2FwX3N1YmFjY291bnRfZXZlcnlvbmUiLCJXb3Jrem9uZV9FbmRfVXNlciIsInNmbGlnaHQtcHJvY2Vzc29yLWNocmlzdGlhbiIsIlN1YnNjcmlwdGlvbiBNYW5hZ2VtZW50IERhc2hib2FyZCBBZG1pbmlzdHJhdG9yIl19LCJnaXZlbl9uYW1lIjoiUGF0cmljZSIsImNsaWVudF9pZCI6InNiLWJvb2tzaG9wLWNhcC1zYW5kY
m94LXBhdHJpY2UhdDUwMDE1IiwiYXVkIjpbInNiLWJvb2tzaG9wLWNhcC1zYW5kYm94LXBhdHJpY2UhdDUwMDE1Iiwib3BlbmlkIiwiYm9va3Nob3AtY2FwLXNhbmRib3gtcGF0cmljZSF0NTAwMTUiXSwiZXh0X2F0dHIiOnsiZW5oYW5jZXIiOiJYU1VBQSIsInN1YmFjY291bnRpZCI6IjEyN2M2ZjM3LTQ2MmQtNDE1Ny1hNDFiLWEyNDI3ZTJmNGI2YSIsInpkbiI6ImNhcC1zYW5kYm94In0sInVzZXJfdXVpZCI6IkQwNzIxMzAiLCJ6aWQiOiJhNmQ4NWU3YS1jNGNiLTQ5ZTAtYWZlYy0yNDQ5YTU5ZGRlODciLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiY2ViMDRmOWItZjEzYi00OTAyLWE0NjUtMmE5ZTJjZjkxODdiIiwiYXpwIjoic2ItYm9va3Nob3AtY2FwLXNhbmRib3gtcGF0cmljZSF0NTAwMTUiLCJzY29wZSI6WyJvcGVuaWQiLCJib29rc2hvcC1jYXAtc2FuZGJveC1wYXRyaWNlIXQ1MDAxNS5hZG1pbiJdLCJhdXRoX3RpbWUiOjE3NjU0NTA3ODUsImV4cCI6MTc2NTQ5Mzk4NSwiZmFtaWx5X25hbWUiOiJCZW5kZXIiLCJpYXQiOjE3NjU0NTA3ODUsImp0aSI6IjE4MDg1M2YxNGMxZjQ3MDU5ZjY2YTg0YTRiOTYyMjIxIiwiZW1haWwiOiJwYXRyaWNlLmJlbmRlckBzYXAuY29tIiwicmV2X3NpZyI6IjkzY2U2ZmI3IiwiY2lkIjoic2ItYm9va3Nob3AtY2FwLXNhbmRib3gtcGF0cmljZSF0NTAwMTUifQ.irC6G4CIhATwTn2yNEdj9GbwKUCrS8hkxwH3h9Hpnl9zwXMvSgoAQkNi94zJ2i3t6Z0ddTQ3kjpGEVpdKiCKVDZZ0J8pdxUK_oRW0_2VXG7AY8RJ0KBpx5Un9-Kxp3NJTJ3Zs_dn0lsLLxj78_bX0DoatBcrFojZ00FhPrRgjVthVuLZdMDFqKBjo5FtXxIkSDI0BExhXBIyV1mHLVbJz3gFxV-DwR7fXYbix8EqL00WASNwyIk7Q_YYtm8fEiibpnwg1ytPi2hEq2ruuj4wauN9FzLX_VrCQMIKd3o3vRN4NWgM5ogsi4B44u1ZXplH_peStQEt8HM3jGL3HHe_Og", - "token_type": "bearer", - "id_token": "eyJ0eXAiOiJKV1QiLCJqaWQiOiJxQ1FmNUs4SmZtZ0NqT0Rta3BPK1NmTURRRmZCN1ZjS2ZKeXpqZ0VnMXIwPSIsImFsZyI6IlJTMjU2Iiwiamt1IjoiaHR0cHM6Ly9jYXAtc2FuZGJveC5hdXRoZW50aWNhdGlvbi5ldTEyLmhhbmEub25kZW1hbmQuY29tL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWp3dC1rZXktMTQ5NjU0NDk4NCJ9.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.hhtXRzN2xgAkKcoKi9zDnNbUYjTSo3IrxixY2lTlT5ZsWchxP_AVT46vEx6Fn5imvD0L4TjqrDSViNrKMBa86fnhmOqmRZemS5oz3_JmARG-156oFzEHIbIX0-VxOKXerOa0zQeoaYP9YA-YxmKl23W5J8ABUQAA1V-5USpG89S6rRcJ-b-Dv6QKXqh5w-Wco26FVguVQPswaeCnDjY96RK3AK1qqMSNE6ZxlTyAZsvELiEwqJS2Q7ovUgrDtObMW3z4xWjsmvGW1yee9_9JtC3cxIZqlMW-C2lj9RHXTQR5kZjf4dP-d5sB0i0WOr8qBaf4V0EmmBs6M30Vu3HbSw", - "refresh_token": 
"47e1bfb110134610a82662428a377f14-r", - "expires_in": 43199, - "scope": "openid bookshop-cap-sandbox-patrice!t50015.admin", - "jti": "180853f14c1f47059f66a84a4b962221" -} From b847c8233f4028a2ae44672137128afade059767 Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 12:22:23 +0100 Subject: [PATCH 072/120] format --- guides/security/authentication.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 946c493c4d..11239386dc 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -1022,8 +1022,10 @@ curl -H "Authorization: Bearer " \ https://--bookshop-srv./odata/v4/catalog/Books ``` -If you also want to access the `AdminService` which requires the role `admin`, you need to fetch the token for the named user instead. -Then, the following request should succeed: +If you also want to access the `AdminService` which requires the role `admin`, +you need to fetch the token for the named user instead. That is the user which you have assigned the `admin (bookshop ${org}-${space})` role collection to. + +With the token for the named user, the following request should succeed: ```sh curl -H "Authorization: Bearer " \ From 7166e1a4d30d01e013a98129dfc36e60e6019e9f Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 12:23:56 +0100 Subject: [PATCH 073/120] add TODO --- guides/security/authentication.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 11239386dc..a32fe9f8c6 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -720,6 +720,8 @@ Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and t
+TODO: the below command currently does not setup sqlite for production. + In addition, activate SQLite to serve as in-memory DB (**not** recommended for production!): ```sh cds add sqlite --for production From f9e42a29c2a0057b60a70481dbb0253728fc88fc Mon Sep 17 00:00:00 2001 From: Patrice Bender Date: Thu, 11 Dec 2025 12:36:57 +0100 Subject: [PATCH 074/120] more infos in UI testing guide --- guides/security/authentication.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index a32fe9f8c6..673d297157 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -1121,6 +1121,17 @@ bookshop-srv started web:1/1 --bookshop-xsuaa-booksh and open the route exposed by the `bookshop` UI application in a new browser session. +
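Review bot: `+TODO: the below command currently does not setup sqlite for production.` (PATCH 073) should not reach the published guide. Either replace the `cds add sqlite --for production` step with the configuration that actually works, or drop the step; an in-memory SQLite for a deployed application is already flagged as not recommended, so a known-broken instruction here costs readers a failed deployment rather than a quick workaround.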
+ +E.g. `https://--bookshop.cfapps.sap.hana.ondemand.com/odata/v4/admin/Books` + +
+ +
+ +E.g. `https://--bookshop.cfapps.sap.hana.ondemand.com/odata/v4/AdminService/Books` + +
## Hybrid Authentication { #hybrid-auth } From b4cada044a4803ac49746354d10f6ea8eaeb427e Mon Sep 17 00:00:00 2001 From: Paul Date: Fri, 12 Dec 2025 09:26:19 +0100 Subject: [PATCH 075/120] Adding node specific Snippets & Sections (CAP User) (#2264) Adding node specific snippets and sections to the revised security guide, originally added in https://github.com/capire/docs/pull/2223. --------- Co-authored-by: Manuel Fink <123368068+finkmanAtSap@users.noreply.github.com> --- guides/security/cap-users.md | 459 +++++++++++++++++++++++++++++++++-- 1 file changed, 437 insertions(+), 22 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index e04711390c..69ba8cbba9 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -471,6 +471,8 @@ The attribute statement is in the scope of a dedicated CAP role and filters are Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign (base) policies to mock users and run locally: +
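Review bot: The two `E.g.` lines added in PATCH 074 (`https://--bookshop.cfapps.sap.hana.ondemand.com/odata/v4/admin/Books` and its `AdminService` counterpart) spell out a concrete landscape domain, whereas every other route on the page is written as `https://--bookshop-srv./…` with the host left as a placeholder; use the same convention so readers do not paste a domain from another region. Also say what the reader should observe after opening the UI route in a fresh browser session: the redirect to the XSUAA login, and then the difference between a user who holds the `admin (bookshop ${org}-${space})` role collection and one who does not, mirroring the CLI section above.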
+ ```yaml cds: security: @@ -484,17 +486,63 @@ cds: - cap.StockManager // [!code ++] ``` +
+ +
+ +```json +{ + "cds": { + "requires": { + "auth": { + "[development]": { + "kind": "mocked", + "users": { + "content-manager": { + "policies": ["cap.ContentManager"] + }, + "stock-manager": { + "policies": ["cap.StockManager"] + } + } + } + } + } + } +} +``` + +
+ :::tip Don't forget to refer to fully qualified policy names including the package name (`cap` in this example). ::: Now (re)start the application with +
+ ```sh mvn spring-boot:run ``` +
+ +
+ +```sh +cds watch +``` + +
+ +
and verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies imply the expected access rules: +
+
+You can now verify that the assigned policies enforce the expected access rules: +
+ - mock user `content-manager` has full access to `Books` and `Authors`. - mock user `stock-manager` can _read_ `Books` and `Authors` and can _edit_ `Books` (but _not_ `Authors`). @@ -510,6 +558,7 @@ POLICY StockManagerFiction { [Learn more about DCL operators](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/condition-operators){.learn-more} +
::: tip Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/local/`. @@ -527,6 +576,35 @@ cds: You can verify in the UI that mock user `stock-manager-fiction` is restricted to books of genres `Mystery` and `Fantasy`. +
+ +
+ +::: tip +Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/dcl/local/`. +::: + +```json +{ + "cds": { + "requires": { + "auth": { + "[development]": { + "kind": "mocked", + "users": { + "stock-manager-fiction": { + "policies": ["local.StockManagerFiction"] + } + } + } + } + } + } +} +``` + +
+ [Learn more about AMS attribute filters with CAP](https://sap.github.io/cloud-identity-developer-guide/CAP/InstanceBasedAuthorization.html#instance-based-authorization){.learn-more} @@ -646,14 +724,36 @@ c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider In addition, for detailed analysis of issues, you can set AMS logger to `DEBUG` level: +
+ ```yaml logging: level: com.sap.cloud.security.ams: DEBUG ``` +
+ +
+ +```json +{ + "cds": { + "log": { + "levels": { + "ams": "DEBUG" + } + } + } +} +``` + +
+ which gives you more information about the policy evaluation at request time: +
+ ```sh c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., "unknowns":"[$app.Genre]", "$dcl.policies":"[local.StockManagerFiction]", @@ -661,6 +761,18 @@ c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., "accessResult":"or( eq($app.Genre, "Mystery") eq($app.Genre, "Fantasy") )"}. ``` +
+ +
+ +```sh +[ams] - Computing AMS filter conditions for ... +[ams] - Privilege check for ... on ... was conditional. {... +[ams] - Resulting privileges for ... on ... : [ ... +``` + +
+ You can add general user information by applying [user tracing](#user-tracing). ::: tip @@ -689,9 +801,11 @@ cds add xsuaa
+ ```sh cds add xsuaa --for production ``` +
This generates an _xs-security.json_ file: @@ -801,13 +915,18 @@ CAP is not tied to any specific authentication method, nor to concrete user info Instead, an abstract [user representation](cap-users#claims) is attached to the request which can be used to influence request processing. For example, both authorization enforcement and domain logic can depend on the current user properties. -::: tip +::: warning Avoid writing custom code based on the raw authentication info, as this undermines the decoupling between authentication strategy and your business logic. +::: +::: tip **In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. ::: -### Reflection { #reflection .java } + +### Reflection { #reflection } + +
In CAP Java, The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways: @@ -839,12 +958,12 @@ The `UserInfo` object is not modifyable, but during request processing, a new `R Depending on the configured [authentication](./authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant, attributes and assigned roles: -| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation -|---------------|---------------------|----------------------------------|-------------------------|--------------------| -| _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | -| _Tenant_ | `getTenant()` | `zid` | `zone_uuid` | `$user.tenant` | -| _Attributes_ | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | -| _Roles_ | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | +| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation | +|---------------|-----------------------------------------|-----------------------------|-------------------------|------------------------| +| _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | +| _Tenant_ | `getTenant()` | `zid` | `app_tid` | `$user.tenant` | +| _Attributes_ | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | +| _Roles_ | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | ::: tip CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. 
@@ -852,16 +971,59 @@ CAP does not make any assumptions on the presented claims given in the token. St In addition, there are getters to retrieve information about [pseudo-roles](#pseudo-roles): -| UserInfo method | Description | CAP Role | -| :---------------------------------------------------- | :----------------------------------------------------- | -------------- | -| `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | -| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | -| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | -| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted. | n/a | +| UserInfo method | Description | CAP Role | +|:--------------------|:-------------------------------------------------------------------------------------------------------------------|----------------------| +| `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | +| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | +| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | +| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted. | n/a | + +
+ +
+ +In CAP Node.js, the CAP user of a request is represented by a [`cds.User`](../../node.js/authentication#cds-user) object. +An instance of `cds.User` representing the current principal is available from the current request context in `req.user`. +Similarly, the identifier of the users tenant is available from `req.tenant`. + +```js +srv.before('READ', srv.entities.Books, req => { + const { user, tenant } = req + // [...] +}) +``` + +In addition to the request context, information about the current user can similarly be retrieved from the global [`cds.context`](../../node.js/events#cds-context), which provides access to the current [`cds.EventContext`](../../node.js/events#cds-event-context): + +```js +const cds = require('@sap/cds') +const { user, tenant } = cds.context +``` + +:::tip +Prefer local req objects in your handlers for accessing event context properties, as each access to cds.context happens through [AsyncLocalStorage.getStore()](https://nodejs.org/api/async_context.html#asynclocalstoragegetstore), which induces some minor overhead. +::: + +Setting `cds.context` usually happens in inbound authentication middlewares or in inbound protocol adapters. +During processing, you can set it programmatically or spawn a new root transaction providing a context argument to achieve a [switch of the current user](#switching-users--switching-users-node). 
+ +Depending on the configured [authentication](./authentication) strategy, CAP derives a default set of user claims containing the user's name, tenant, attributes and assigned roles: + +| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation | +|---------------|-------------------------------------|-----------------------------|-------------------------|------------------------| +| _Logon name_ | `user.id` | `user_name` | `sub` | `$user` | +| _Tenant_ | `req.tenant` / `cds.context.tenant` | `zid` | `app_tid` | `$user.tenant` | +| _Attributes_ | `attr(attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | +| _Roles_ | `is(role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | + +
+ -### Customizing Users { #customizing-users .java } +### Customizing Users { #customizing-users } + +
In most cases, CAP's default mapping to the CAP user will match your requirements, but CAP also allows you to customize the mapping according to specific needs. @@ -924,11 +1086,58 @@ There are multiple reasonable use cases in which user modification is a suitable [See more examples for custom UserInfoProvider](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#global-providers){.learn-more} +
+ +
+ +In most cases, CAP's default mapping to the CAP user will match your requirements, but CAP also allows you to customize the mapping according to specific needs. + +For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. +Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. + +This can be done by modifying `cds.middlewares`. +To modify the `cds.context.user` while still relying on existing generic middlewares, a new middleware to customized the user must be registered after the `.auth()` middleware. +If `cds.context.tenant` is manipulated as well, it must also be done before `cds.context.model` is set for the current request. + +::: details Sample implementation to override the user id + +```js +cds.middlewares.before = [ + cds.middlewares.context(), + cds.middlewares.trace(), + cds.middlewares.auth(), + function ctx_user (_,__,next) { + const ctx = cds.context + ctx.user.id = ctx.user.attr('origin') + ctx.user.id + next() + }, + cds.middlewares.ctx_model() +] +``` + +::: + +There are multiple reasonable use cases in which user modification is a suitable approach: + +- Overriding user roles by calling `user.roles(roles)`. +- Overriding user attributes and providing calculated attributes used for [instance-based authorization](./authorization#user-attrs) by invoking `user.attr(attributes)`. +- etc. + +::: warning Be very careful when redefining `$user` and customizing `cds.middlewares` +The user name is frequently stored with business data (for example, `managed` aspect) and might introduce migration efforts. +Also consider data protection and privacy regulations when storing user data. 
+::: + +:::tip Custom Authentication Middleware +In case you require even more control, you can also replace the authentication middleware with a fully [Custom Authentication](../../node.js/authentication#custom). +::: +
+ +### Switching Users { #switching-users } +
-### Switching Users { #switching-users .java } - There are a few typical use cases in a (multitenant) application where switching the current user of the request is required. For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. @@ -956,8 +1165,38 @@ Named user contexts are only created by the CAP Java framework as initial Reques - Asynchronous requests to CAP services are always on behalf of a technical user. ::: +
+ +
+ +There are a few typical use cases in a (multitenant) application, where switching the current user of the request is required. +For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. + +These scenarios are identified by a combination of the user (*technical* or *named*) and the tenant (*provider* or *subscriber*): + + +![Typical Scenarios for a User Context Switch](./assets/requestcontext.drawio.svg) + +In CAP Node.js, the `cds.context` enables convenient access to the `cds.EventContext` and allows to update the principal of the context. +The prefered method for switching users and executing code in a different context and for a different principal, is to spawn a new root transaction using [`cds/srv.tx()`](../../node.js/cds-tx#srv-tx). +Providing a `ctx` argument when creating a new root transaction allows switching the user for nested operations. +The `cds.User` class exposes convenience constructors and accessors for specialized `cds.User` instances that represent typical technical principals you may require. + +```js +await srv.tx ({ user: new cds.User({ id: '...', roles: [...], ...}), tenant: '' }, async tx => { + // Perform operations with a privileged principal +}) +``` + +:::tip +When creating new root transactions in calls to [`cds/srv.tx()`](../../node.js/cds-tx#srv-tx), all properties not specified in the `ctx` argument are inherited from `cds.context`, if set in the current continuation. +::: + +
+ +#### Switching to Technical User {#switching-to-technical-user } -#### Switching to Technical User {#switching-to-technical-user} +
![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg){width="330px"} @@ -975,7 +1214,31 @@ public void afterHandler(EventContext context){ } ``` -#### Switching to Technical Provider Tenant {#switching-to-provider-tenant} +
+ +
+ + +![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg){width="330px"} + +The incoming JWT token triggers the creation of an initial `cds.EventContext` with a named user. +Accesses to the database in the OData Adapter as well as the custom `.on` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. +An additionally defined `.after` handler wants to call out to an external service using a technical user without propagating the named user JohnDoe. +To achieve this, you can create a new root transaction using `srv.tx` and use it to connect to the external service from within a new context: + +```js +srv.after('*', srv.entities.Books, async (res, req) => { + await srv.tx({ user: cds.User.privileged }, async tx => { + // call technical service + }) +}) +``` + +
+ +#### Switching to Technical Provider Tenant {#switching-to-provider-tenant } + +
![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg){width="500px"} @@ -993,7 +1256,31 @@ public void onAction(AddToOrderContext context){ } ``` -#### Switching to a Specific Technical Tenant {#switching-to-subscriber-tenant} +
+ +
+ + +![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg){width="500px"} + +In this scenario the application offers a bound action in a CDS entity. +Within the action, the application communicates with a remote CAP service using a privileged user and the provider tenant. +The corresponding `.on` handler of the action needs to create a new root transaction by calling `srv.tx`. +This allows the application to perform an HTTP call to the remote CAP service with a `privileged` principal and within the provider tenant. + +```js +srv.on('action', srv.entities.Books, async req => { + await srv.tx({ user: cds.User.privileged, tenant: 't0' }, async tx => { + // call remote CAP service + }) +}) +``` + +
+ +#### Switching to a Specific Technical Tenant {#switching-to-subscriber-tenant } + +
![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg){width="450px"} @@ -1014,6 +1301,33 @@ Avoid iterating through all subscriber tenants to perform tenant-specific tasks. Instead, prefer a task-based approach which processes specific subscriber tenants selectively. ::: +
+ +
+ + +![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg){width="450px"} + +The application is using a [`cds.spawn`](../../node.js/cds-tx#cds-spawn) to regularly perform tasks on behalf of a certain tenant. +By default, operations that are nested within `cds.spawn` will inherit the outer context. +You can explicitly define the context `cds.spawn` should use by passing relevant information in a `ctx` argument. +This enables to ensure that the Persistence Service performs the query for the specified tenant. + +```js +cds.spawn({ user: cds.User.privileged, tenant: 'tenant1', every: '1h' }, async tx => { + await persistenceService.run(SELECT.from(Books)) +}) +``` + +::: warning Resource Bottlenecks in Tenant Looping +Avoid iterating through all subscriber tenants to perform tenant-specific tasks. +Instead, prefer a task-based approach which processes specific subscriber tenants selectively. +::: + +
+ +
+ #### Switching to Privileged User { #switching-to-privileged-user } Application services invoked within custom handlers enforce an authorization on second-layer, which is the preferred behaviour to ensure security by default. @@ -1031,8 +1345,12 @@ cdsRuntime.requestContext().privilegedUser().run(privilegedContext -> { Call application services on behalf of the privileged user only in case the service call is fully independent from the business user's actual restrictions. ::: +
+ #### Switching to Anonymous User { #switching-to-anonymous-user } +
+ In rare situations you might want to call a public service without sharing information of the current request user. In this case, user propagation is explicitly prevented. @@ -1044,8 +1362,24 @@ cdsRuntime.requestContext().anonymousUser().run(privilegedContext -> { }); ``` +
+ +
+ +In rare situations you might want to call a public service without sharing information about the current request user. +In this case, user propagation can explicitly be prevented by running in a context whose principal is the `anonymous` user. + +```js +cds.tx({ user: cds.User.anonymous }, async tx => { + // Perform operations anonymously +}) +``` + +
+ +### User Propagation { #user-propagation } -### User Propagation { .java } +
#### Between Threads @@ -1053,8 +1387,12 @@ Within the same Request Context, all CAP service calls share the same user infor By default, the Request Context of the current thread is not shared with spawned threads and hence user information is lost. If you want to avoid this, you can propagate the Request Context to spawned threads as described [here](https://pages.github.tools.sap/cap/docs/java/event-handlers/request-contexts#threading-requestcontext) and hence the same user context is applied. +
+ #### Non-CAP Libraries { #user-token } +
+ CAP plugins for IAS and XSUAA store the resolved user information in Spring's [`SecurityContext`](https://docs.spring.io/spring-security/reference/api/java/org/springframework/security/core/context/SecurityContext.html) which contains all relevant authentication information. Hence, library code can rely on standards to fetch the authentication information and restore the user information if needed. In addition, the [authentication information](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/authentication/AuthenticationInfo.html) is stored in the Request Context and can be fetched as sketched here: @@ -1065,8 +1403,30 @@ JwtTokenAuthenticationInfo jwtTokenInfo = authInfo.as(JwtTokenAuthenticationInfo String jwtToken = jwtTokenInfo.getToken(); ``` +
+ +
+ +CAPs generic authentication middlewares for IAS and XSUAA maintain resolved authentication information in the `authInfo` attribute of `cds.context.user` of the current `cds.EventContext`. +For `@sap/xssec`-based authentication strategies (`ias`, `jwt`, and `xsuaa`), `cds.context.user.authInfo` is an instance of `@sap/xssec`'s [`SecurityContext`](https://www.npmjs.com/package/@sap/xssec#securitycontext). +You can retrieve available authentication information for use in a non-CAP library from the `SecurityContext`. + +```js +const authInfo = cds.context.user.authInfo // @sap/xssec SecurityContext +const token = authInfo.token // @sap/xssec Token +const jwtToken = token.jwt // string +``` + +::: warning +The `cds.User.authInfo` property depends on the authentication library that you use. CAP does not guarantee the content of this property. Use it with caution. Always pin your dependencies as described in the [best practices](./best-practices#deploy). +::: + +
+ #### Remote Services { #remote-services } +
+ Remote APIs can be invoked either on behalf of a named user or a technical user, depending on the callee's specification. Thus, a client executing a business request within a specific user context might need to explicitly adjust the user propagation strategy. CAP's [Remote Services](../using-services) offer an easy and declarative way to define client-side representations of remote service APIs. @@ -1093,9 +1453,43 @@ Remote Services configurations with `destination` section support `onBehalfOf` o [Learn more about Remote Services in CAP Java](../../java/cqn-services/remote-services#remote-services){.learn-more} +
+ +
+ +CAP's [Remote Services](../using-services) offer an easy and declarative way to define client-side representations of remote service APIs. +Such services integrate seamlessly with CAP, managing connection setup, including [authentication and user propagation](../using-services#authentication-and-authorization-of-remote-services). +Under the hood CAP utilizes the [BTP Destinations](https://help.sap.com/docs/connectivity/sap-btp-connectivity-cf/create-destinations-from-scratch) and [`@sap-cloud-sdk/connectivity`](https://www.npmjs.com/package/@sap-cloud-sdk/connectivity) to do most of the heavy lifting. + +```json +{ + "cds": { + "requires": { + "SomeReuseService": { + "kind": "odata", + "model": "srv/external/SomeReuseService", + "credentials": { + "destination": "some-reuse-service", + "path": "/reuse/odata/api", + } + } + } + } +} +``` + + + +::: tip +Always prefer using [Remote Services](#remote-services) over natively consuming [Cloud SDK](https://sap.github.io/cloud-sdk/). +::: + +
#### Cloud SDK { #cloud-sdk } +
+ On a programmatic level, the CAP runtime integrates with [Cloud SDK](https://sap.github.io/cloud-sdk/) offering an abstraction for connection setup with remote services, including authentication and user propagation. By default, - the *tenant* of the current Request Context is propagated under the hood. @@ -1136,7 +1530,28 @@ Don't activate user tracing in production!
-TODO + +By default, information about the request user are not logged to the application trace. +During development, it might be useful to activate logger `com.sap.cds.security.authentication` by setting the level to `DEBUG`: + +```json +{ + "cds": { + "log": { + "levels": { + "auth": "debug" + } + } + } +} +``` + +This makes the runtime tracing user information of authenticated users to the application log like this: + +```sh +[basic] - authenticated: { user: 'alice', tenant: 'some-tenant', features: [ 'some-feature' ] } +``` +
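Review bot: In hunk `@@ -956,8 +1165,38 @@` (Switching Users, Node.js block), the example `srv.tx ({ user: new cds.User({ id: '...', roles: [...], ...}), tenant: '' }, ...)` passes an empty string as `tenant`, which reads like a real value rather than an elision; in a multitenant app an empty tenant is exactly the mistake this section is meant to prevent, so use a visibly marked placeholder such as `tenant: '<tenant-id>'` and drop the stray `...` inside the object literal, which is not valid JavaScript. Same hunk: "prefered" should be "preferred", and "allows to update the principal" should be "allows updating the principal".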
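Review bot: In hunk `@@ -975,7 +1214,31 @@` (Switching to Technical User, Node.js block) the prose says the `.after` handler calls out "using a technical user", but the code switches to `cds.User.privileged`, which disables authorization checks entirely and is documented separately under "Switching to Privileged User". Suggest a dedicated technical user with only the roles the callee requires, e.g. `new cds.User({ id: 'system', roles: ['internal-user'] })`, so that the example matches the text and the principle of least privilege. Also `srv.after('*', srv.entities.Books, ...)` attaches the outbound call to every event on `Books`, including READ; narrow it to the event actually intended.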
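Review bot: In hunk `@@ -993,7 +1256,31 @@` (Switching to Technical Provider Tenant, Node.js block) the tenant id `'t0'` is hard-coded without saying where a provider tenant id comes from; either explain how the application obtains it or mark it as a placeholder. As in the previous hunk, `cds.User.privileged` is broader than the "privileged user and the provider tenant" wording suggests for a call that the diagram annotates with `@requires: 'internal-user'`; a technical user carrying that role would illustrate the scenario more precisely.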
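Review bot: In hunk `@@ -1014,6 +1301,33 @@` (Switching to a Specific Technical Tenant, Node.js block) `persistenceService` and `Books` are undefined in the snippet, and the query is not run through the `tx` handed to the `cds.spawn` callback, so a reader cannot see that the SELECT actually executes in the `tenant1` context; suggest `await tx.run(SELECT.from(Books))` (or `cds.db` with the context set) and a one-line definition of `Books`. Wording: "The application is using a `cds.spawn`" reads better as "The application uses `cds.spawn`", and "This enables to ensure that" as "This ensures that".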
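Review bot: In hunk `@@ -1044,8 +1362,24 @@` (Switching to Anonymous User, Node.js block) the call `cds.tx({ user: cds.User.anonymous }, async tx => {...})` is not awaited, unlike every other example in this section, and it uses `cds.tx` where the others use `srv.tx`; add `await` and align the API so the examples are consistent.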
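Review bot: In hunk `@@ -1065,8 +1403,30 @@` (Non-CAP Libraries, Node.js block) the warning refers to `cds.User.authInfo` while the paragraph and the code use `cds.context.user.authInfo`; use one name. The accessor chain `authInfo.token` / `token.jwt` is asserted unconditionally although the text restricts it to the `@sap/xssec`-based strategies and the warning says CAP does not guarantee the content, so a null check (`authInfo?.token?.jwt`) would make the snippet safe to copy. Also "CAPs generic authentication middlewares" should be "CAP's generic authentication middlewares".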
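Review bot: In hunk `@@ -1093,9 +1453,43 @@` (Remote Services, Node.js block) the `package.json` snippet is not valid JSON because of the trailing comma after `"path": "/reuse/odata/api",`; remove the comma. Minor: "Under the hood CAP utilizes" reads better as "Under the hood, CAP uses", and the tip's link to `#remote-services` points at the section the tip sits in.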
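Review bot: In hunk `@@ -1136,7 +1530,28 @@` (Tracing, Node.js block) the sentence tells the reader to activate logger `com.sap.cds.security.authentication` at `DEBUG`, which is the Java logger name, while the configuration shown sets `cds.log.levels.auth` to `debug`; reword the sentence for Node.js (e.g. "set the `auth` logger to `debug`"). Grammar: "information about the request user are not logged" should be "is not logged", and "This makes the runtime tracing user information of authenticated users to the application log like this:" should be "With this setting the runtime traces authenticated users to the application log like this:".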
## Pitfalls From 8e0844334cbd6ee3e1caeff981465ed5ae4a6be1 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 12 Dec 2025 10:26:27 +0100 Subject: [PATCH 076/120] DB support --- guides/security/authentication.md | 68 ++++++++++++++++++++++++++----- 1 file changed, 58 insertions(+), 10 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 673d297157..dcfbd45fc7 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -379,6 +379,37 @@ Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and t
+You also need to configure DB support: + +
+ +::: code-group +```sh [SAP HANA] +cds add hana +``` +```sh [Alternative: H2 (development only)] +cds add h2 --for production +``` +::: + +
+ + +
+ +::: code-group +```sh [SAP HANA] +cds add hana +``` +```sh [Alternative: SQLite (development only)] +cds add sqlite --for production +``` +::: + +
+ + + ### Adding IAS Now the application is ready to for adding IAS-support by executing @@ -692,9 +723,12 @@ XSUAA authentication is best configured and tested in the Cloud, so we're going ### Get Ready with XSUAA { #xsuaa-ready } -Before working with XSUAA on CF, you need to ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF. +Before working with XSUAA on CF, you need to ensure +- your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF. In particular, you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). +- https://help.sap.com/docs/application-frontend-service/application-frontend-service/enabling-service + You can continue with the sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. If there is no deployment descriptor yet, in the project root folder, execute @@ -703,32 +737,46 @@ If there is no deployment descriptor yet, in the project root folder, execute cds add mta ``` +
+ +::: tip +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. +::: + +
+ to make your application ready for deployment to CF. +You also need to configure DB support: +
-In addition, activate H2 to serve as in-memory DB (**not** recommended for production!): -```sh +::: code-group +```sh [SAP HANA] +cds add hana +``` +```sh [Alternative: H2 (development only)] cds add h2 --for production ``` - -::: tip Info -Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. :::
-
-TODO: the below command currently does not setup sqlite for production. +
-In addition, activate SQLite to serve as in-memory DB (**not** recommended for production!): -```sh +::: code-group +```sh [SAP HANA] +cds add hana +``` +```sh [Alternative: SQLite (development only)] cds add sqlite --for production ``` +:::
+ ### Adding XSUAA { #adding-xsuaa } Now the application is ready to for adding XSUAA-support by executing From fc41f6066d3e11939e7ee7c5c087aa21de96a131 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 10:49:08 +0100 Subject: [PATCH 077/120] Sync changes from 'revised-security-guide-ams-nodejs' into revised-security-guide --- guides/security/cap-users.md | 170 ++++++++++++++++++++++++++++++++--- 1 file changed, 156 insertions(+), 14 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 69ba8cbba9..a7ba0988e4 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -196,7 +196,7 @@ The interaction between the CAP application and AMS (via plugin) is as follows: 3. CAP performs the authorization on the basis of the CDS authorization model and the injected user claims. -### Adding AMS Support +### Adding AMS Support { .java } **AMS is transparent to CAP application code** and can be easily consumed via plugin dependency. 
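Review bot: In hunk `@@ -379,6 +379,37 @@` of PATCH 076 (and its twin `@@ -703,32 +737,46 @@`) the tab labelled "Alternative: H2 (development only)" runs `cds add h2 --for production`, and likewise "SQLite (development only)" runs `cds add sqlite --for production`; the label and the flag contradict each other and the previous text's explicit caveat ("**not** recommended for production!") is dropped. Keep the caveat, and say why `--for production` is used here at all (configuring the in-memory DB for the production profile of a test deployment). The same twin hunk also removes "TODO: the below command currently does not setup sqlite for production." without any change that would resolve it; confirm that `cds add sqlite --for production` now works before deleting the TODO.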
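Review bot: In hunk `@@ -692,9 +723,12 @@` of PATCH 076 the second bullet is a bare URL (`- https://help.sap.com/docs/application-frontend-service/.../enabling-service`) with no sentence, which looks like a leftover note; either turn it into a requirement in the same shape as the first bullet (what must be enabled, with the link as the reference) or remove it. The lead-in "you need to ensure" followed by a bullet that ends with a full stop and a second sentence ("In particular, you require ...") also needs rewording so the list reads as one sentence. Pre-existing in the context lines: "ready to for adding XSUAA-support" has a stray "to".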
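Review bot: In hunk `@@ -196,7 +196,7 @@` of PATCH 077 the heading "### Adding AMS Support" gets `{ .java }`, and the next hunk adds a second "### Adding AMS Support { .node }" with identical text; both headings generate the same auto-id, so one of them will get a suffixed anchor and existing links to `#adding-ams-support` will resolve to whichever comes first. Give each an explicit id (e.g. `{ #adding-ams-support-java .java }`) or keep a single heading with the runtime-specific content inside.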
@@ -303,6 +303,49 @@ In general, AMS provides highly flexible APIs to define and enforce authorizatio **In the context of CAP projects, only a limited subset of these APIs is relevant and is offered in a streamlined way via the CAP integration plugins**. ::: +### Adding AMS Support { .node } + +**AMS is transparent to CAP application code** and can be easily consumed via plugin dependency. + +To enhance your project with AMS, you can make use of CDS CLI tooling: + +```sh +cds add ams +``` + +This automatically adds required configuration for AMS, taking into account the concrete application context (tenant mode and runtime environment etc.). +If required, it also runs the new `cds add ias` command to configure the project for IAS authentication. + +::: details See dependencies added + +```json [package.json] +{ + "dependencies": [ + "@sap/ams": "^3", + "@sap/xssec": "^4" + ], + "devDependencies": [ + "@sap/ams-dev": "^2" +} +``` +::: + +`@sap/ams` integrates into the CAP framework to handle incoming requests. +Based on the user's assigned [policies](#policies), the user's roles are determined to decorate the [user.is](/node.js/authentication#user-is) function with additional roles. +The framework then authorizes the request as usual based on the user's roles. + +For local development, `@sap/ams-dev` needs to compile the DCL files to Data Control Notation (DCN) files in `gen/dcn` which is the machine-readable version of DCL that is required by AMS at runtime. + +Additionally, `@sap/ams` provides multiple build-time features: + +- Validate `ams.attributes` annotations for type coherence against the AMS schema. +- Generate policies from the CDS model during the build using a [custom build task](../deployment/custom-builds#custom-build-plugins). +- Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. 
+ +::: tip +In general, AMS provides highly flexible APIs to define and enforce authorization rules at runtime suitable for native Cloud applications. +**In the context of CAP projects, only a limited subset of these APIs is relevant and is offered in a streamlined way via the CAP integration plugins**. +::: ### Prepare CDS Model @@ -406,6 +449,8 @@ AMS policies represent the business-level roles of end users interacting with th Often, they reflect real-world jobs or functions. ::: +
+ After the application is built, check the *srv/src/main/resources/ams* folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called *cap*: ::: code-group @@ -419,6 +464,23 @@ After the application is built, check the *srv/src/main/resources/ams* folder to ::: +
+ +
+After the application is built, check the *ams/dcl* folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called *cap*: + +::: code-group + +``` [./ams] +└─ dcl + ├─ cap + │ └─ basePolicies.dcl + └─ schema.dcl +``` + +::: +
+ [Learn more about policy generation](https://sap.github.io/cloud-identity-developer-guide/CAP/cds-Plugin.html#dcl-generation){.learn-more} @@ -490,7 +552,7 @@ cds:
-```json +```json [package.json] { "cds": { "requires": { @@ -498,12 +560,15 @@ cds: "[development]": { "kind": "mocked", "users": { - "content-manager": { - "policies": ["cap.ContentManager"] + "content-manager": { // [!code ++:5] + "policies": [ + "cap.ContentManager" + ] }, - "stock-manager": { - "policies": ["cap.StockManager"] - } + "stock-manager": { // [!code ++:5] + "policies": [ + "cap.StockManager" + ] } } } @@ -581,10 +646,10 @@ You can verify in the UI that mock user `stock-manager-fiction` is restricted to
::: tip -Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/dcl/local/`. +Don't miss to add the policy files in sub folders of `ams/dcl` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `./ams/dcl/local/`. ::: -```json +```json [package.json] { "cds": { "requires": { @@ -592,8 +657,10 @@ Don't miss to add the policy files in sub folders of `ams` reflecting the namesp "[development]": { "kind": "mocked", "users": { - "stock-manager-fiction": { - "policies": ["local.StockManagerFiction"] + "stock-manager-fiction": { // [!code ++:5] + "policies": [ + "local.StockManagerFiction" + ] } } } @@ -616,13 +683,15 @@ Policies can be automatically deployed to the AMS server during deployment of th Enhancing the project with by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deyployment. +
+ ::: details AMS policy deployer task in the MTA ::: code-group ```yaml [mta.yaml- deployer task] - name: bookshop-ams-policies-deployer type: javascript.nodejs - path: srv/src/gen/policies + path: srv/src/gen/policies # Node.js: gen/policies parameters: buildpack: nodejs_buildpack no-route: true @@ -658,6 +727,54 @@ Note that the policy deployer task requires a path to a directory structure cont By default, the path points to `srv/src/gen/policies` which is prepared automatically during build step with the appropriate policy-content copied from `srv/src/main/resources/ams`. In addition, `@sap/ams` needs to be referenced to add the deployer logic. +
+ +
+ +:: details AMS policy deployer task in the MTA + +::: code-group +```yaml [mta.yaml- deployer task] +- name: bookshop-ams-policies-deployer + type: javascript.nodejs + path: gen/policies + parameters: + buildpack: nodejs_buildpack + no-route: true + no-start: true + tasks: + - name: deploy-dcl + command: npm start + memory: 512M + requires: + - name: bookshop-ias + [...] +``` + + +```json [srv/src/gen/policies/package.json - deyployer module] +{ + "name": "ams-dcl-content-deployer", + "version": "3.0.0", + "dependencies": { + "@sap/ams": "^3" + }, + [...] + "scripts": { + "start": "npx --package=@sap/ams deploy-dcl" + } +} +``` + +::: + + +Note that the policy deployer task requires a path to a directory structure containing the `ams/dcl` root folder with the policies to be deployed. +By default, the path points to `gen/policies` which is prepared automatically during build step with the appropriate policy-content copied from `ams/dcl`. +In addition, `@sap/ams` needs to be referenced to add the deployer logic. + +
+ ::: tip Several microservices sharing the same IAS instance need a common folder structure the deployer task operates on. It contains the common view of policies applied to all services. @@ -1546,10 +1663,35 @@ During development, it might be useful to activate logger `com.sap.cds.security. } ``` -This makes the runtime tracing user information of authenticated users to the application log like this: +You can verify a valid configfuration of the AMS plugin by the following log output: ```sh -[basic] - authenticated: { user: 'alice', tenant: 'some-tenant', features: [ 'some-feature' ] } +[ams] - AMS Plugin loaded. +[ams] - Added AMS middleware after 'auth' middleware. +``` + +... and find more information about the policy evaluation at request time: + +```sh +[ams] - Determined potential actions for resource '$SCOPES': stock-manager { + potentialActions: Set(1) { 'stock-manager' }, + policies: [ 'local.StockManagerFiction' ], + ... + } +[ams] - AMS user roles added to user.is: [ 'stock-manager' ] +[ams] - Privilege check for 'stock-manager' on '$SCOPES' was conditional. { + result: 'conditional', + dcn: "$app.genre IN ['Fantasy', 'Mystery']", + policies: [ 'local.StockManagerFiction' ], + ... + } +[ams] - Resulting privileges for READ on AdminService.Books : [ + { + grant: 'READ', + to: [ 'stock-manager' ], + where: "genre.name IN ('Fantasy', 'Mystery')" + } + ] ```
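Review bot: In hunk `@@ -303,6 +303,49 @@` the "See dependencies added" `package.json` snippet is invalid JSON: `dependencies` and `devDependencies` are written as arrays containing `"name": "version"` pairs, and the `devDependencies` value is never closed. It should be

```
"dependencies": { "@sap/ams": "^3", "@sap/xssec": "^4" },
"devDependencies": { "@sap/ams-dev": "^2" }
```

with both braces closed. Minor: "compile the DCL files to Data Control Notation (DCN) files in `gen/dcn` which is the machine-readable version" needs a comma before "which".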
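Review bot: In hunk `@@ -658,6 +727,54 @@` the container opener `:: details AMS policy deployer task in the MTA` has two colons instead of three, so the details block does not open and its content renders inline. The Node.js deployer module tab is labelled `srv/src/gen/policies/package.json - deyployer module` although the `mta.yaml` tab and the paragraph below say the Node.js path is `gen/policies`; align the label and fix "deyployer". In the Java variant touched by hunk `@@ -616,13 +683,15 @@`, the added yaml comment `path: srv/src/gen/policies # Node.js: gen/policies` is redundant now that a Node.js-specific block exists, and "deyployment" is misspelled.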
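Review bot: In hunk `@@ -1546,10 +1663,35 @@` the user-tracing section for Node.js no longer shows what the `auth` logger at `debug` produces: the `[basic] - authenticated: { user: 'alice', ... }` sample is replaced by `[ams]` plugin output, which comes from a different logger and belongs in the AMS section (where a later commit indeed duplicates it). Restore the authentication sample here and move the AMS lines, stating which log level enables them. Also "configfuration" should be "configuration".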
From eaca12da09c8d574d6934e81ee2a349f1b9aa3a6 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 11:11:04 +0100 Subject: [PATCH 078/120] fix: missing closing tag --- guides/security/cap-users.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index a7ba0988e4..52b92e3d05 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -602,10 +602,15 @@ cds watch
+ and verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies imply the expected access rules: +
+
+ You can now verify that the assigned policies enforce the expected access rules: +
- mock user `content-manager` has full access to `Books` and `Authors`. @@ -731,7 +736,7 @@ In addition, `@sap/ams` needs to be referenced to add the deployer logic.
-:: details AMS policy deployer task in the MTA +::: details AMS policy deployer task in the MTA ::: code-group ```yaml [mta.yaml- deployer task] @@ -773,7 +778,7 @@ Note that the policy deployer task requires a path to a directory structure cont By default, the path points to `gen/policies` which is prepared automatically during build step with the appropriate policy-content copied from `ams/dcl`. In addition, `@sap/ams` needs to be referenced to add the deployer logic. -
+
::: tip Several microservices sharing the same IAS instance need a common folder structure the deployer task operates on. From 13518fcd24197706ae49e49041aca9a3011502ed Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 11:18:19 +0100 Subject: [PATCH 079/120] fix: smaller messes --- guides/security/cap-users.md | 101 ++++++++--------------------------- 1 file changed, 21 insertions(+), 80 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 52b92e3d05..b1a4439e7b 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -739,7 +739,7 @@ In addition, `@sap/ams` needs to be referenced to add the deployer logic. ::: details AMS policy deployer task in the MTA ::: code-group -```yaml [mta.yaml- deployer task] +```yaml [mta.yaml - deployer task] - name: bookshop-ams-policies-deployer type: javascript.nodejs path: gen/policies @@ -757,7 +757,7 @@ In addition, `@sap/ams` needs to be referenced to add the deployer logic. ``` -```json [srv/src/gen/policies/package.json - deyployer module] +```json [gen/policies/package.json - deyployer module] { "name": "ams-dcl-content-deployer", "version": "3.0.0", @@ -888,9 +888,25 @@ c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {...,
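Review bot: In hunk `@@ -602,10 +602,15 @@` of PATCH 078 the added sentence "verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies" has a doubled "the". The Node.js counterpart ("You can now verify that the assigned policies enforce the expected access rules:") gives no URL at all; since `cds watch` serves on port 4004 by default, a matching `http://localhost:4004/...` hint would keep the two variants parallel.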
```sh -[ams] - Computing AMS filter conditions for ... -[ams] - Privilege check for ... on ... was conditional. {... -[ams] - Resulting privileges for ... on ... : [ ... +[ams] - Determined potential actions for resource '$SCOPES': stock-manager { + potentialActions: Set(1) { 'stock-manager' }, + policies: [ 'local.StockManagerFiction' ], + ... + } +[ams] - AMS user roles added to user.is: [ 'stock-manager' ] +[ams] - Privilege check for 'stock-manager' on '$SCOPES' was conditional. { + result: 'conditional', + dcn: "$app.genre IN ['Fantasy', 'Mystery']", + policies: [ 'local.StockManagerFiction' ], + ... + } +[ams] - Resulting privileges for READ on AdminService.Books : [ + { + grant: 'READ', + to: [ 'stock-manager' ], + where: "genre.name IN ('Fantasy', 'Mystery')" + } + ] ```
@@ -1626,81 +1642,6 @@ Prefer using [Remote Services](#remote-services) built on Cloud SDK rather than
-### Tracing { #user-tracing } - -
- -By default, information about the request user are not logged to the application trace. -During development, it might be useful to activate logger `com.sap.cds.security.authentication` by setting the level to `DEBUG`: - -```sh -logging.level.com.sap.cds.security.authentication: DEBUG -``` - -This makes the runtime tracing user information of authenticated users to the application log like this: - -```sh -MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='viewer-user', roles='[Viewer]', attributes='{Country=[GER, FR], tenant=[CrazyCars]}' -``` - -::: warning -Don't activate user tracing in production! -::: - -[Learn more about various options to activate CAP Java loggers](../../java/operating-applications/observability#logging-configuration){.learn-more} - -
- -
- -By default, information about the request user are not logged to the application trace. -During development, it might be useful to activate logger `com.sap.cds.security.authentication` by setting the level to `DEBUG`: - -```json -{ - "cds": { - "log": { - "levels": { - "auth": "debug" - } - } - } -} -``` - -You can verify a valid configfuration of the AMS plugin by the following log output: - -```sh -[ams] - AMS Plugin loaded. -[ams] - Added AMS middleware after 'auth' middleware. -``` - -... and find more information about the policy evaluation at request time: - -```sh -[ams] - Determined potential actions for resource '$SCOPES': stock-manager { - potentialActions: Set(1) { 'stock-manager' }, - policies: [ 'local.StockManagerFiction' ], - ... - } -[ams] - AMS user roles added to user.is: [ 'stock-manager' ] -[ams] - Privilege check for 'stock-manager' on '$SCOPES' was conditional. { - result: 'conditional', - dcn: "$app.genre IN ['Fantasy', 'Mystery']", - policies: [ 'local.StockManagerFiction' ], - ... - } -[ams] - Resulting privileges for READ on AdminService.Books : [ - { - grant: 'READ', - to: [ 'stock-manager' ], - where: "genre.name IN ('Fantasy', 'Mystery')" - } - ] -``` - -
- ## Pitfalls - **Don't write custom code against concrete user types of a specific identity service (e.g. XSUAA or IAS)**. From 48e2099f87f0ec0c67d171f5651139567a132a7d Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 12:50:13 +0100 Subject: [PATCH 080/120] fix: add section on validating node config --- guides/security/cap-users.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index b1a4439e7b..7188463b2b 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -840,10 +840,23 @@ You can log on to the bookshop test application with the test user and check tha You can verify a valid configfuration of the AMS plugin by the following log output: +
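Review bot: In hunk `@@ -1626,81 +1642,6 @@` of PATCH 079 the whole "Tracing" section is deleted, including the Java instruction `logging.level.com.sap.cds.security.authentication: DEBUG`, the `MockedUserInfoProvider` sample output and the "Don't activate user tracing in production!" warning, and nothing in this diff adds them elsewhere. If the section moved to another page, say so in the commit message; otherwise the Java logging guidance and the production warning are lost. In hunk `@@ -757,7 +757,7 @@` the tab label is corrected to `gen/policies/package.json` but "deyployer" is still misspelled in the same line.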
+ ```sh c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider ``` +
+ +
+ +```sh +[ams] - AMS Plugin loaded. +[ams] - Added AMS middleware after 'auth' middleware. +``` + +
+ In addition, for detailed analysis of issues, you can set AMS logger to `DEBUG` level:
From 98ee89cc14d5e6b2555048e689aae095585df1a4 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 15:18:35 +0100 Subject: [PATCH 081/120] feat: add node specific graphics --- .../security/assets/nameduser-node.drawio.svg | 1 + .../assets/requestcontext-node.drawio.svg | 67 +++++++++++++++++++ .../switchprovidertenant-node.drawio.svg | 1 + .../assets/switchtenant-node.drawio.svg | 1 + 4 files changed, 70 insertions(+) create mode 100644 guides/security/assets/nameduser-node.drawio.svg create mode 100644 guides/security/assets/requestcontext-node.drawio.svg create mode 100644 guides/security/assets/switchprovidertenant-node.drawio.svg create mode 100644 guides/security/assets/switchtenant-node.drawio.svg diff --git a/guides/security/assets/nameduser-node.drawio.svg b/guides/security/assets/nameduser-node.drawio.svg new file mode 100644 index 0000000000..0499f5dc62 --- /dev/null +++ b/guides/security/assets/nameduser-node.drawio.svg @@ -0,0 +1 @@ +
[Figure residue, nameduser-node.drawio.svg: diagram labels OData Adapter, Custom ON Handler, Custom AFTER Handler, Technical Service, tenant1, John Doe, Technical User, "User: John Doe / Tenant: tenant1", JWT token]
\ No newline at end of file diff --git a/guides/security/assets/requestcontext-node.drawio.svg b/guides/security/assets/requestcontext-node.drawio.svg new file mode 100644 index 0000000000..e9555a457a --- /dev/null +++ b/guides/security/assets/requestcontext-node.drawio.svg @@ -0,0 +1,67 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/guides/security/assets/switchprovidertenant-node.drawio.svg b/guides/security/assets/switchprovidertenant-node.drawio.svg new file mode 100644 index 0000000000..427d595c5a --- /dev/null +++ b/guides/security/assets/switchprovidertenant-node.drawio.svg @@ -0,0 +1 @@ +
[Figure residue, switchprovidertenant-node.drawio.svg: diagram labels Technical User, OData Adapter, ON Handler for OData Action, Sidecar CAP Service (@requires: 'internal-user'), "User: John Doe / Tenant: tenant1", JWT token, John Doe, tenant1, provider tenant]
\ No newline at end of file diff --git a/guides/security/assets/switchtenant-node.drawio.svg b/guides/security/assets/switchtenant-node.drawio.svg new file mode 100644 index 0000000000..3162b1aeca --- /dev/null +++ b/guides/security/assets/switchtenant-node.drawio.svg @@ -0,0 +1 @@ +
[Figure residue, switchtenant-node.drawio.svg: diagram labels Technical User (twice), Background Job, Job Scheduler, Tenant specific processing, provider tenant, tenant1]
\ No newline at end of file From 2f192e30221eaae5e1c5c5283b940e7e928b8d23 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 15:18:49 +0100 Subject: [PATCH 082/120] feat: integrate node specific graphic and update examples --- guides/security/cap-users.md | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 7188463b2b..265f5d1f04 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -1325,8 +1325,7 @@ For instance, the business request on behalf of a named subscriber user needs to These scenarios are identified by a combination of the user (*technical* or *named*) and the tenant (*provider* or *subscriber*): - -![Typical Scenarios for a User Context Switch](./assets/requestcontext.drawio.svg) +![Typical Scenarios for a User Context Switch](./assets/requestcontext-node.drawio.svg) In CAP Node.js, the `cds.context` enables convenient access to the `cds.EventContext` and allows to update the principal of the context. The prefered method for switching users and executing code in a different context and for a different principal, is to spawn a new root transaction using [`cds/srv.tx()`](../../node.js/cds-tx#srv-tx). @@ -1369,12 +1368,12 @@ public void afterHandler(EventContext context){
- -![The graphic is explained in the accompanying text.](./assets/nameduser.drawio.svg){width="330px"} +![The graphic is explained in the accompanying text.](./assets/nameduser-node.drawio.svg){width="330px"} The incoming JWT token triggers the creation of an initial `cds.EventContext` with a named user. -Accesses to the database in the OData Adapter as well as the custom `.on` handler are executed within tenant1 and authorization checks are performed for user JohnDoe. -An additionally defined `.after` handler wants to call out to an external service using a technical user without propagating the named user JohnDoe. +Accesses to the database in the OData Adapter as well as the custom `.on` handler are executed within _tenant1_ and authorization checks are performed for user _JohnDoe_. + +In addition, there is an `.after` handler that wants to call out to an external service using a technical user without propagating the named user _JohnDoe_. To achieve this, you can create a new root transaction using `srv.tx` and use it to connect to the external service from within a new context: ```js @@ -1411,17 +1410,17 @@ public void onAction(AddToOrderContext context){
- -![The graphic is explained in the accompanying text.](./assets/switchprovidertenant.drawio.svg){width="500px"} +![The graphic is explained in the accompanying text.](./assets/switchprovidertenant-node.drawio.svg){width="500px"} In this scenario the application offers a bound action in a CDS entity. Within the action, the application communicates with a remote CAP service using a privileged user and the provider tenant. -The corresponding `.on` handler of the action needs to create a new root transaction by calling `srv.tx`. -This allows the application to perform an HTTP call to the remote CAP service with a `privileged` principal and within the provider tenant. +The corresponding `.on` handler of the action needs to create a new root transaction by calling `srv.tx`. +The user passed to `srv.tx` in the `ctx` attribute will be used as the prinicpal for requests made within the new closure. ```js srv.on('action', srv.entities.Books, async req => { - await srv.tx({ user: cds.User.privileged, tenant: 't0' }, async tx => { + const systemUser = new cds.User({ id: 'system', roles: [ 'internal-user' ] }) + await srv.tx({ user: systemUser , tenant: 'provider-tenant' }, async tx => { // call remote CAP service }) }) @@ -1456,8 +1455,7 @@ Instead, prefer a task-based approach which processes specific subscriber tenant
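Review bot: The new example hands the constructed user the `internal-user` pseudo-role by passing `roles: [ 'internal-user' ]` to `new cds.User(...)`, while the surrounding text still describes the call as made with a "privileged user"; pseudo-roles are attached by the runtime on successful authentication, so either state explicitly that the snippet mints a technical user carrying that role for the outbound call, or keep the `cds.User.privileged` user the prose refers to. Also fix the spelling of "prinicpal" in the added sentence and the stray space in `systemUser ,`.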
- -![The graphic is explained in the accompanying text.](./assets/switchtenant.drawio.svg){width="450px"} +![The graphic is explained in the accompanying text.](./assets/switchtenant-node.drawio.svg){width="450px"} The application is using a [`cds.spawn`](../../node.js/cds-tx#cds-spawn) to regularly perform tasks on behalf of a certain tenant. By default, operations that are nested within `cds.spawn` will inherit the outer context. From ce81253ef0d3ae76c28fcb41383bb5a099b61f06 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 15:44:10 +0100 Subject: [PATCH 083/120] fix: graphic format --- .../assets/requestcontext-node.drawio.svg | 68 +------------------ 1 file changed, 1 insertion(+), 67 deletions(-) diff --git a/guides/security/assets/requestcontext-node.drawio.svg b/guides/security/assets/requestcontext-node.drawio.svg index e9555a457a..bb1f291d27 100644 --- a/guides/security/assets/requestcontext-node.drawio.svg +++ b/guides/security/assets/requestcontext-node.drawio.svg @@ -1,67 +1 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
[Diagram text of requestcontext-node.drawio.svg (SVG not rendered): Named User or System User / Subscriber; System User / Subscriber; System User / Provider; System User / Provider; System User / Subscriber; Switching to technical user; Switching to provider tenant; Switching to a specific tenant]
\ No newline at end of file From 30cd275a05f1ba293678b67a57920886e0c74125 Mon Sep 17 00:00:00 2001 From: I548646 Date: Fri, 12 Dec 2025 15:55:46 +0100 Subject: [PATCH 084/120] fix: small messes --- guides/security/cap-users.md | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 265f5d1f04..55d0a8b1e2 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -1135,7 +1135,7 @@ In addition, there are getters to retrieve information about [pseudo-roles](#pse In CAP Node.js, the CAP user of a request is represented by a [`cds.User`](../../node.js/authentication#cds-user) object. An instance of `cds.User` representing the current principal is available from the current request context in `req.user`. -Similarly, the identifier of the users tenant is available from `req.tenant`. +Similarly, the identifier of the user's tenant is available from `req.tenant`. ```js srv.before('READ', srv.entities.Books, req => { @@ -1152,7 +1152,7 @@ const { user, tenant } = cds.context ``` :::tip -Prefer local req objects in your handlers for accessing event context properties, as each access to cds.context happens through [AsyncLocalStorage.getStore()](https://nodejs.org/api/async_context.html#asynclocalstoragegetstore), which induces some minor overhead. +Prefer local req objects in your handlers for accessing event context properties, as each access to `cds.context` happens through [AsyncLocalStorage.getStore()](https://nodejs.org/api/async_context.html#asynclocalstoragegetstore), which induces some minor overhead. ::: Setting `cds.context` usually happens in inbound authentication middlewares or in inbound protocol adapters. 
@@ -1247,8 +1247,8 @@ For instance, the logon name as injected by standard XSUAA integration might not Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. This can be done by modifying `cds.middlewares`. -To modify the `cds.context.user` while still relying on existing generic middlewares, a new middleware to customized the user must be registered after the `.auth()` middleware. -If `cds.context.tenant` is manipulated as well, it must also be done before `cds.context.model` is set for the current request. +To modify the `cds.context.user` while still relying on existing generic middlewares, a new middleware must be registered after the `auth` middleware. +If you intend to manipulate the `cds.context.tenant` as well, the new middlware must run before `cds.context.model` is set for the current request. ::: details Sample implementation to override the user id @@ -1280,7 +1280,7 @@ Also consider data protection and privacy regulations when storing user data. ::: :::tip Custom Authentication Middleware -In case you require even more control, you can also replace the authentication middleware with a fully [Custom Authentication](../../node.js/authentication#custom). +In case you require even more control, it is possible to replace the authentication middleware with a fully [Custom Authentication](../../node.js/authentication#custom). :::
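Review bot: Typo in the second added line of the first hunk: "the new middlware must run" should read "the new middleware must run". Since that sentence states an ordering constraint relative to `cds.context.model`, consider adding the reason the order matters, so readers do not register the tenant-changing middleware too late by accident.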
@@ -1321,19 +1321,20 @@ Named user contexts are only created by the CAP Java framework as initial Reques
There are a few typical use cases in a (multitenant) application, where switching the current user of the request is required. -For instance, the business request on behalf of a named subscriber user needs to reach out to a platform service on behalf of the underlying technical user of the subscriber. +For instance, the business request on behalf of a named subscriber user needs to reach out to a service on behalf of the subscribers technical user. These scenarios are identified by a combination of the user (*technical* or *named*) and the tenant (*provider* or *subscriber*): ![Typical Scenarios for a User Context Switch](./assets/requestcontext-node.drawio.svg) -In CAP Node.js, the `cds.context` enables convenient access to the `cds.EventContext` and allows to update the principal of the context. +In CAP Node.js, the `cds.context` allows to access the current `cds.EventContext` and enables updating the principal of the context. The prefered method for switching users and executing code in a different context and for a different principal, is to spawn a new root transaction using [`cds/srv.tx()`](../../node.js/cds-tx#srv-tx). Providing a `ctx` argument when creating a new root transaction allows switching the user for nested operations. The `cds.User` class exposes convenience constructors and accessors for specialized `cds.User` instances that represent typical technical principals you may require. ```js -await srv.tx ({ user: new cds.User({ id: '...', roles: [...], ...}), tenant: '' }, async tx => { +const newUser = new cds.User({ id: '...', roles: [...], ...}) +await srv.tx ({ user: newUser, tenant: '' }, async tx => { // Perform operations with a privileged principal }) ``` 
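Review bot: Missing apostrophe in the added line: "the subscribers technical user" should be "the subscriber's technical user". In the same hunk, "allows to access the current `cds.EventContext`" is not idiomatic ("gives access to"), and the context line "prefered method" still carries a typo. The rewritten snippet `new cds.User({ id: '...', roles: [...], ...})` is not valid JavaScript because a trailing `...` spread needs an operand; if the remaining options are meant to be elided, write them as a comment, e.g. `new cds.User({ id: '...', roles: ['...'] /* , ... */ })`. The comment "Perform operations with a privileged principal" also no longer matches the arbitrary `newUser`.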
@@ -1415,7 +1416,7 @@ public void onAction(AddToOrderContext context){ In this scenario the application offers a bound action in a CDS entity. Within the action, the application communicates with a remote CAP service using a privileged user and the provider tenant. The corresponding `.on` handler of the action needs to create a new root transaction by calling `srv.tx`. -The user passed to `srv.tx` in the `ctx` attribute will be used as the prinicpal for requests made within the new closure. +The user passed to `srv.tx` in the `ctx` attribute will be used as the prinicpal for requests made within the new root transaction. ```js srv.on('action', srv.entities.Books, async req => { @@ -1457,7 +1458,7 @@ Instead, prefer a task-based approach which processes specific subscriber tenant ![The graphic is explained in the accompanying text.](./assets/switchtenant-node.drawio.svg){width="450px"} -The application is using a [`cds.spawn`](../../node.js/cds-tx#cds-spawn) to regularly perform tasks on behalf of a certain tenant. +The application is using [`cds.spawn`](../../node.js/cds-tx#cds-spawn) to regularly perform tasks on behalf of a certain tenant. By default, operations that are nested within `cds.spawn` will inherit the outer context. You can explicitly define the context `cds.spawn` should use by passing relevant information in a `ctx` argument. This enables to ensure that the Persistence Service performs the query for the specified tenant. @@ -1556,7 +1557,7 @@ String jwtToken = jwtTokenInfo.getToken();
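Review bot: The reworded sentence in the first hunk still carries the typo "prinicpal"; since the line is being touched anyway, change it to "principal". The switch from "closure" to "root transaction" does align the wording with the `srv.tx` description earlier in the section.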
-CAPs generic authentication middlewares for IAS and XSUAA maintain resolved authentication information in the `authInfo` attribute of `cds.context.user` of the current `cds.EventContext`. +CAPs generic authentication middlewares for IAS and XSUAA maintain resolved authentication information in the `authInfo` attribute of `cds.context.user`. For `@sap/xssec`-based authentication strategies (`ias`, `jwt`, and `xsuaa`), `cds.context.user.authInfo` is an instance of `@sap/xssec`'s [`SecurityContext`](https://www.npmjs.com/package/@sap/xssec#securitycontext). You can retrieve available authentication information for use in a non-CAP library from the `SecurityContext`. @@ -1635,9 +1636,10 @@ Always prefer using [Remote Services](#remote-services) over natively consuming
+
+ #### Cloud SDK { #cloud-sdk } -
On a programmatic level, the CAP runtime integrates with [Cloud SDK](https://sap.github.io/cloud-sdk/) offering an abstraction for connection setup with remote services, including authentication and user propagation. By default, From deba5d019d6e3c3b69f7c70b1cc6752c6cc20f5c Mon Sep 17 00:00:00 2001 From: I548646 Date: Mon, 15 Dec 2025 14:06:32 +0100 Subject: [PATCH 085/120] fix: fill in todo --- guides/security/authentication.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index dcfbd45fc7..8c29093add 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -270,7 +270,11 @@ MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='vi
-TODO + +``` +[basic] - authenticated: { user: 'viewer-user', tenant: 'CrazyCars', features: [ 'cruise', 'park' ] } +``` +
From 83901241fcee9b1a70e3091cb1a194f35b30902d Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:34:57 +0100 Subject: [PATCH 086/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 55d0a8b1e2..98ae6cabd1 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -65,7 +65,7 @@ CAP users can be classified in multiple dimensions: **Authenticated users vs. anonymous users** - Authenticated users have successfully completed authentication by presenting valid credentials (e.g., a token). -- Anonymous users are unidentifiable in general, as they usually do not presented any credentials. +- Anonymous users are unidentifiable in general, as they usually do not present any credentials. **Provider vs. subscriber tenant** - The provider tenant includes all users of the application owner. From 33836d6393d2cfbab00610c41b27555ef1677012 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:35:30 +0100 Subject: [PATCH 087/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 98ae6cabd1..a6ab86a030 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -1591,7 +1591,7 @@ cds: onBehalfOf: systemUserProvider ``` -The parameter `onBehalfOf` in the binding configuration section allows to define following *user propagation* strategies: +The parameter `onBehalfOf` in the binding configuration section allows to define the following *user propagation* strategies: - `currentUser` (default): Propagate the user of the current Request Context. - `systemUser`: Propagate the (tenant-specific) technical user, based on the tenant set in the current Request Context. From 954a79fd0027f3f3dcb66691049bf42f6a65c413 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:37:15 +0100 Subject: [PATCH 088/120] Update guides/deployment/microservices.md Co-authored-by: Steffen Waldmann --- guides/deployment/microservices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/deployment/microservices.md b/guides/deployment/microservices.md index 403a8eb353..690651c9e5 100644 --- a/guides/deployment/microservices.md +++ b/guides/deployment/microservices.md @@ -370,7 +370,7 @@ Note that we use the *--ws-pack* option for some modules. It's important for nod ### Authentication -Add [security configuration](../security/authentication#authentication) using the command: +Add [security configuration](../security/authentication) using the command: ```shell cds add xsuaa --for production From bda623a818faaad4fb2ed160a7f2e254f29004b8 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:37:45 +0100 Subject: [PATCH 089/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index a6ab86a030..2415ccc964 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -1064,7 +1064,7 @@ In the _xs-security.json_, the `attribute` entity has a property `valueRequired` CAP is not tied to any specific authentication method, nor to concrete user information such as that provided by IAS or XSUAA. Instead, an abstract [user representation](cap-users#claims) is attached to the request which can be used to influence request processing. -For example, both authorization enforcement and domain logic can depend on the current user properties. +For example, both authorization enforcement and domain logic can depend on properties of the the current user. ::: warning Avoid writing custom code based on the raw authentication info, as this undermines the decoupling between authentication strategy and your business logic. From 612458167e42ea05b8fa46ea33d183fc3fdf235c Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:38:13 +0100 Subject: [PATCH 090/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 8c29093add..88f36bb462 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
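Review bot: Duplicated word in the added line: "properties of the the current user" should be "properties of the current user".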
@@ -40,7 +40,7 @@ CAP [leverages platform services](overview#key-concept-platform-services) to pro - For _local development_ and _unit testing_, [Mock User Authentication](#mock-user-auth) is an appropriate built-in authentication feature. -- For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services: +- For _cloud deployments_, in particular deployments for production, CAP provides integration of several identity services out of the box: - [Identity Authentication Service (IAS)](#ias-auth) provides a full-fledged [OpenId Connect](https://openid.net/connect/) compliant, cross-landscape identity management as first choice for applications. - [XS User Authentication and Authorization Service (XSUAA)](https://help.sap.com/docs/CP_AUTHORIZ_TRUST_MNG) is an [OAuth 2.0](https://oauth.net/2/)-based authorization server to support existing applications and services in the scope of individual BTP landscapes. - CAP applications can run IAS and XSUAA in [hybrid mode](#hybrid-auth) to support a smooth migration from XSUAA to IAS. From e55f0764ff6fec8d2047193dd639bba3596126c2 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:40:33 +0100 Subject: [PATCH 091/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 88f36bb462..bac7134da2 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -193,7 +193,7 @@ You can opt out the preconfiguration of these users by setting `cds ### Customization { #custom-mock-users } You can define custom mock users to simulate any type of [end users](./cap-users#claims) that will interact with your application at production time. -Hence, you can use the mock users to test your authorization settings as well as custom handlers fully decoupled from the actual execution environment. +Hence, you can use the mock users, to test your authorization settings or custom handlers, fully decoupled from the actual execution environment.
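Review bot: The comma introduced after "mock users" separates the verb from its object; drop it: "Hence, you can use the mock users to test your authorization settings or custom handlers, fully decoupled from the actual execution environment."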
From d881e07a067d13b6885255ce9fc55a5f21c10ecf Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:42:49 +0100 Subject: [PATCH 092/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index bac7134da2..53028fb3d6 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -504,14 +504,11 @@ For mTLS support which is mandatory for IAS, the CAP application has a second ro ```yaml modules: - name: bookshop-srv - type: java - path: srv + # [...] parameters: routes: - route: "${default-url}" - route: "${default-host}.cert.${default-domain}" -``` -::: ::: tip Platform-level TLS termination is provided on CF out of the box via `cert.*`-domains. From 27f391a6f2d8adff29d50546a7916b9a1e1031d1 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Mon, 15 Dec 2025 14:59:55 +0100 Subject: [PATCH 093/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 53028fb3d6..c2384a97f8 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
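Review bot: Removing both the closing ``` of the `yaml` block and the `:::` container closer leaves the code fence open unless a duplicate pair follows in lines not shown in the context; with only a blank line and `::: tip` visible after the deletion, the tip would be rendered inside the code block. Keep the two removed closers, or confirm in the rendered page that a second pair exists. Replacing `type: java` and `path: srv` with `# [...]` is fine for a module fragment.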
@@ -258,7 +258,7 @@ In mock user configuration you can specify: - [feature toggles](../extensibility/feature-toggles#feature-toggles) which influence request processing. -To verify the properties in a user request with a dedicated mock user, activate [user tracing](./cap-users#user-tracing) and send the same request on behalf of `viewer-user`. +To verify the user properties, activate [user tracing](./cap-users#user-tracing) and send a request using the mock user (`viewer-user` for example). In the application log you will find information about the resolved user after successful authentication:
From 55b164b4a0031d287d3539d0cb08fe5f6f28737b Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:32:13 +0100 Subject: [PATCH 094/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index c2384a97f8..a919d6022b 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -651,7 +651,7 @@ cf delete-service-key bookshop-ias bookshop-ias-key ### UI Level Testing -In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the IAS token are done under the hood. +In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. It will take care of fetching the required IAS tokens when forwarding requests to our test app. Adding an instance of the AppRouter and re-deploying the solution is achieved by running: ```sh cds add approuter From ac89f7053c001c880ec911bba4eaa0f7c06f2523 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:32:26 +0100 Subject: [PATCH 095/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 1 - 1 file changed, 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index a919d6022b..64edf57c15 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -658,7 +658,6 @@ cds add approuter cds up ``` -adds the additional AppRouter to the deployment which is already prepared for IAS. The resulting setup is sketched in the diagram: ![UI-level Testing of IAS Endpoints](./assets/ias-ui-setup.svg){width="500px"} 
From 337cc1e0fb570d95a50a14a541e3fd9e92c08f5d Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:33:39 +0100 Subject: [PATCH 096/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 64edf57c15..a16923d01a 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -837,7 +837,7 @@ resources:
::: tip -In case your application has multiple XSUAA bindings you need to [pin the binding](../java/security#bindings) which is relevant for CAP Java. +In case your application has multiple XSUAA bindings you need to [pin the binding](../java/security#bindings). :::
From 9919e2d5fa6585a451e42f3887292de12f5ed60f Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:33:54 +0100 Subject: [PATCH 097/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index a16923d01a..6b40915be7 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -1254,7 +1254,7 @@ With `cds.security.authentication.authenticateMetadataEndpoints: false` you can
-TODO +Automatic authentication enforcement can be disabled via feature flag cds.requires.auth.restrict_all_services: false, or by using [mocked authentication](#mock-user-auth) explicitly in production.
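Review bot: The replacement for the TODO names a security-relevant switch, `cds.requires.auth.restrict_all_services: false`, in plain text and without a warning; format it as code and add a `::: warning` block stating that turning off automatic enforcement, or running with mock user authentication in production, removes the default requirement that callers authenticate before reaching CAP services. The mock strategy is documented under `#mock-user-auth` as a local-development and unit-testing feature, so "explicitly in production" should read as a deliberate opt-out rather than an option on equal footing.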
### Overrule Partially { #partially-auth .java } From 047dd11f7c02e4cc6e268f1a02f939fbfe932a8a Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:38:06 +0100 Subject: [PATCH 098/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 6b40915be7..5fa1dd0ca5 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -908,7 +908,7 @@ cds compile srv --to xsuaa > xs-security.json ``` ::: -See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/HANA_CLOUD_DATABASE/b9902c314aef4afb8f7a29bf8c5b37b3/6d3ed64092f748cbac691abc5fe52985.html) in the SAP HANA Platform documentation for the syntax of the _xs-security.json_ and advanced configuration options. +See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax) in the SAP Help documentation for the syntax of the _xs-security.json_ and advanced configuration options. ::: warning Avoid invalid characters in your models From 852c823ec79740db4763dfa20910ea393d8b0e9d Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:38:37 +0100 Subject: [PATCH 099/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 5fa1dd0ca5..adf261c8aa 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -709,7 +709,7 @@ The same is true for the logout flow. ## XSUAA Authentication { #xsuaa-auth } -[SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/btp/sap-business-technology-platform/sap-authorization-and-trust-management-service-in-cloud-foundry-environment) is a proven platform service for identity and access management which provides: +[SAP Authorization and Trust Management Service (XSUAA)](https://help.sap.com/docs/btp/sap-business-technology-platform/sap-authorization-and-trust-management-service-in-cloud-foundry-environment) is a platform service for identity and access management which provides: - authentication mechanisms (single sign-on, multi-factor enforcement) - federation of corporate identity providers (multiple user stores) - create and assign access roles From be23c2f5c7d3b035a94c8399e67874e5b1ffd4c1 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:40:28 +0100 Subject: [PATCH 100/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index adf261c8aa..02fd9d96e7 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -550,7 +550,8 @@ Now we want to fetch a token to prepare a fully authenticated test request. As first step we add a new client for the IAS application by creating an appropriate service key: ```sh -cf create-service-key bookshop-ias bookshop-ias-key -c '{"credential-type": "X509_GENERATED"}' +cf create-service-key bookshop-ias bookshop-ias-key \ + -c '{"credential-type": "X509_GENERATED"}' ``` The overall setup with local CLI client and the Cloud services is sketched in the diagram: From 1217019d8857d4b123937bbf21c16e079de5cbd4 Mon Sep 17 00:00:00 2001 
From: I548646 Date: Tue, 16 Dec 2025 15:16:35 +0100 Subject: [PATCH 101/120] docs: suggest node specific custom auth section --- guides/security/authentication.md | 61 ++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 6 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 02fd9d96e7..49dd56bda2 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -1190,6 +1190,8 @@ will come soon ## Custom Authentication { #custom-auth } +
+ There are multiple reasons why customization might be required: 1. Endpoints for non-business requests often require specific authentication methods (e.g. health check, technical services). 2. The application is deployed in the context of a service mesh with ingress authentication (e.g. Istio). @@ -1197,15 +1199,9 @@ There are multiple reasons why customization might be required: ![Endpoints with different authentication strategy](./assets/custom-auth.drawio.svg){width="380px"} -
[Advanced configuration options](../../java/security#spring-boot) allow you to control the behaviour of CAP's authentication behaviour according to your needs: -
- -
-TODO -
- For CAP endpoints you are fine to go with the [automatic authentication](#model-auth) fully derived from the CAP model. - For custom endpoints that should be protected by the same authentication strategy you are also fine with automatc authentication as CAP will cover these endpoints by default. @@ -1217,6 +1213,59 @@ TODO This is the safe baseline on which minor customization steps can be applied on top. ::: +
+ +
+ +Ideally, all authentication use-cases should be covered by the generic implementations CAP provides. +However, your application's specific requirements may make it necessary to customize authentication. +For these scenarios, the CAP Node.js runtime allows to specify an implementation of a custom authentication middleware in cds.requires.auth.impl, by providing a path relative to the project root. + +:::warning +Be **very** careful when creating your own `auth` implementation. +This should be a last resort for when every other possible solution (e.g. through [modelling](./authorization.md#restrictions) or by [configuration](#pluggable-authentication)) has been investigated and dismissed. +::: + +Like any other [custom middleware](../../node.js/cds-serve.md#custom-middlewares), the auth middleware you create needs to accept express's `req`, `res` and `next` and end up by sending a response, throwing an error or calling `next()`. +Additionally, a custom auth middleware in CAP needs to set `cds.context.user` and, in a multitenant applications, `cds.context.tenant`. + +```js +module.exports = function custom_auth (req, res, next) { + + // do your custom authentication + + cds.context.user = new cds.User({ + id: '', + roles: ['', ''], + attr: { + : '', + : '' + } + }) + cds.context.tenant = '' +} +``` + + + +:::tip +In case you want to customize the `cds.context.user`, check out [this example](../../node.js/cds-serve#customization-of-cds-context-user). +::: + +
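Review bot: The sample middleware never calls `next()`, sends a response or throws, although the paragraph directly above says a custom middleware must do exactly one of those; as written, every request would hang after `cds.context.tenant = ''`. Add `next()` at the end plus the failure path (for example `res.status(401).end()` or `next(err)` when the custom check does not pass), and a `const cds = require('@sap/cds')` so the snippet is self-contained. In the prose, `cds.requires.auth.impl` should be in backticks, "in a multitenant applications" should be singular, and "allows to specify" reads better as "lets you specify".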
+ ### Automatic Authentication { #model-auth } From cc77e6a87bbfb6f1f5d013394c4f7be7b73caa96 Mon Sep 17 00:00:00 2001 From: I548646 Date: Wed, 17 Dec 2025 09:04:01 +0100 Subject: [PATCH 102/120] feat: use node specific user name --- guides/security/cap-users.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 2415ccc964..0c8b32bc9e 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -136,12 +136,27 @@ It's frequently required to define access rules that aren't based on an applicat For instance, a service should be accessible only for technical users, with or without user propagation. Such roles are called pseudo roles as they aren't assigned by user administrators, but are added by the runtime automatically on successful authentication, reflecting the technical level: -| Pseudo Role | User Type | Technical Indicator | User Name -|-----------------------------|---------------------|---------------|---------------| -| `authenticated-user` | | _successful authentication_ | _derived from the token_ | -| `any` | | | _derived from the token if available or `anonymous`_ | -| `system-user` | _technical_ | _grant type client credential_ | `system` | -| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `system-internal` | +
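Review bot: In the @@ -1217 hunk the `custom_auth` snippet never calls `next()`, sends a response or throws, although the sentence directly above it says a custom middleware must end in one of those three ways; as written, every request would hang. Add `next()` after setting `cds.context.user` and `cds.context.tenant`, and a `const cds = require('@sap/cds')` so `cds` is defined in the module. The `attr` literal also has empty placeholder keys (`: ''`), which is not valid JavaScript; use named placeholder attributes instead. Minor: `:::warning` / `:::tip` here differ from the `::: tip` / `::: warning` spacing used elsewhere in this file, and "in a multitenant applications" should read "in a multitenant application".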
+ +| Pseudo Role | User Type | Technical Indicator | User Name | +|----------------------|-------------|-------------------------------------------------------------|------------------------------------------------------| +| `authenticated-user` | | _successful authentication_ | _derived from the token_ | +| `any` | | | _derived from the token if available or `anonymous`_ | +| `system-user` | _technical_ | _grant type client credential_ | `system` | +| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `system-internal` | + +
+ +
+ +| Pseudo Role | User Type | Technical Indicator | User Name | +|----------------------|-------------|-------------------------------------------------------------|------------------------------------------------------| +| `authenticated-user` | | _successful authentication_ | _derived from the token_ | +| `any` | | | _derived from the token if available or `anonymous`_ | +| `system-user` | _technical_ | _grant type client credential_ | `system-user` | +| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `internal-user` | + +
The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. Note that this role does not distinguish between any technical clients sending requests to the API. From 161a63025eacccba396001c55f330816bdd3a5aa Mon Sep 17 00:00:00 2001 From: I548646 Date: Wed, 17 Dec 2025 09:05:02 +0100 Subject: [PATCH 103/120] fix: node specific user names --- guides/security/cap-users.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 0c8b32bc9e..86a4c266a8 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -153,8 +153,8 @@ Such roles are called pseudo roles as they aren't assigned by user administrator |----------------------|-------------|-------------------------------------------------------------|------------------------------------------------------| | `authenticated-user` | | _successful authentication_ | _derived from the token_ | | `any` | | | _derived from the token if available or `anonymous`_ | -| `system-user` | _technical_ | _grant type client credential_ | `system-user` | -| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `internal-user` | +| `system-user` | _technical_ | _grant type client credential_ | `system` | +| `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `system` |
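Review bot: The two pseudo-role tables added in the @@ -136 hunk (PATCH 102) are identical except for the User Name column of `system-user` and `internal-user`, and nothing in the hunk says which table belongs to which runtime, although the commit message calls the change "node specific"; add a visible runtime label above each table, or keep a single table that lists both names in the User Name column, so the rendered page does not show two near-duplicate tables.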
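Review bot: In the @@ -153 hunk (PATCH 103) both `system-user` and `internal-user` now resolve to the user name `system`, so the name no longer distinguishes a caller on the shared identity instance from any other technical client, while the other table above keeps `system` versus `system-internal`. If the collapse is intentional, say so in the prose that follows ("this role does not distinguish ..."); otherwise `internal-user` needs its own name.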
From 5a5376b5914abd329c8d885d2c56ee4040ec4771 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 17 Dec 2025 11:01:57 +0100 Subject: [PATCH 104/120] fixed dead links --- .../assets/create-role-collection.png | Bin 0 -> 33691 bytes guides/security/authentication.md | 114 +++++++----------- guides/security/cap-users.md | 4 +- 3 files changed, 45 insertions(+), 73 deletions(-) create mode 100644 guides/security/assets/create-role-collection.png 
diff --git a/guides/security/assets/create-role-collection.png b/guides/security/assets/create-role-collection.png new file mode 100644 index 0000000000000000000000000000000000000000..ad3cd4bb7c74bc90dd063311957e5c7c5f81d4d2 GIT binary patch literal 33691
literal 0 HcmV?d00001 diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 49dd56bda2..443a96fdc8 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -385,32 +385,9 @@ Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and t You also need to configure DB support: -
- -::: code-group ```sh [SAP HANA] cds add hana ``` -```sh [Alternative: H2 (development only)] -cds add h2 --for production -``` -::: - -
- - -
- -::: code-group -```sh [SAP HANA] -cds add hana -``` -```sh [Alternative: SQLite (development only)] -cds add sqlite --for production -``` -::: - -
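Review bot: In the @@ -385 hunk (and again in @@ -750 further down) removing the `::: code-group` wrappers and the H2/SQLite alternatives leaves two back-to-back ```sh [SAP HANA] ... cds add hana ... ``` blocks as unchanged context, and each still carries the `[SAP HANA]` tab label that only has meaning inside a code-group. Keep a single plain ```sh block, or one block per runtime under a visible runtime heading, or restore the code-group.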
@@ -569,9 +546,7 @@ The client certificates are presented in the IAS binding and hence can be examin ```sh cf service-key bookshop-ias bookshop-ias-key -``` -```sh { "credentials": { [...] @@ -652,11 +627,13 @@ cf delete-service-key bookshop-ias bookshop-ias-key ### UI Level Testing -In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. It will take care of fetching the required IAS tokens when forwarding requests to our test app. Adding an instance of the AppRouter and re-deploying the solution is achieved by running: +In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. +It will take care of fetching the required IAS tokens when forwarding requests to the backend service. + +Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an AppRouter component as well as HTML5 Application Repository: ```sh -cds add approuter -cds up +cds add portal ``` The resulting setup is sketched in the diagram: @@ -707,6 +684,12 @@ The same is true for the logout flow. ::: +Npw re-deploy the solution by running: + +```sh +cds up +``` + ## XSUAA Authentication { #xsuaa-auth } @@ -750,32 +733,9 @@ to make your application ready for deployment to CF. You also need to configure DB support: -
- -::: code-group ```sh [SAP HANA] cds add hana ``` -```sh [Alternative: H2 (development only)] -cds add h2 --for production -``` -::: - -
- - -
- -::: code-group -```sh [SAP HANA] -cds add hana -``` -```sh [Alternative: SQLite (development only)] -cds add sqlite --for production -``` -::: - -
### Adding XSUAA { #adding-xsuaa } @@ -838,7 +798,7 @@ resources:
::: tip -In case your application has multiple XSUAA bindings you need to [pin the binding](../java/security#bindings). +In case your application has multiple XSUAA bindings you need to [pin the binding](../../java/security#bindings). :::
@@ -850,7 +810,7 @@ There are some mandatory configuration parameters: |`service-plan` | The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`. | |`path` | File system path to the [application security descriptor](#xsuaa-security-descriptor). | |`xsappname` | A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`). | -|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a [multitenant application](../guides/multitenancy/). | +|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a [multitenant application](../../guides/multitenancy#multitenancy). | ::: warning Upgrading the `service-plan` from type `application` to `broker` is not supported. 
@@ -1102,28 +1062,27 @@ cf delete-service-key bookshop-auth bookshop-auth-key ### UI Level Testing -In the UI scenario, adding an AppRouter as an ingress proxy for authentication simplifies testing a lot because the technical requests for fetching the XSUAA token are done under the hood. +In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. +It will take care of fetching the required IAS tokens when forwarding requests to the backend service. + +Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an AppRouter component as well as HTML5 Application Repository: ```sh -cds add approuter -cds up +cds add portal ``` -adds the additional AppRouter to the deployment which is already prepared for XSUAA. -The resulting setup is sketched in the diagram: - -![UI-level Testing of XSUAA Endpoints](./assets/ias-ui-setup.svg){width="500px"} +The resulting architecture is very similar to the [IAS scenario](#ui-level-testing), but only with XSUAA service instances instead of IAS service instances. +There is one more difference: By default, XSUAA does not enforce mTLS. -To be able to fetch the token, the AppRouter needs a binding to the XSUAA instance as well. +To be able to fetch the token, the AppRouter needs a binding to the XSUAA instance. ::: details AppRouter component with XSUAA binding ```yaml modules: - - name: bookshop +- name: bookshop type: approuter.nodejs path: app/router - parameters: - [...] + [...] requires: - name: srv-api group: destinations @@ -1132,11 +1091,13 @@ modules: url: ~{srv-url} forwardAuthToken: true - name: bookshop-auth + [...] provides: - name: app-api properties: + app-protocol: ${protocol} app-uri: ${default-uri} - [...] + url: ${default-url} ``` ::: 
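Review bot: In the @@ -1102 hunk the added sentence "It will take care of fetching the required IAS tokens when forwarding requests to the backend service" sits in the XSUAA section and was copied from the IAS text above; it should say XSUAA tokens. "very similar to the IAS scenario, but only with XSUAA service instances instead of IAS service instances" also reads awkwardly; "but with XSUAA service instances in place of the IAS ones" is clearer.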
@@ -1160,29 +1121,38 @@ The same is true for the logout flow. ``` ::: -To check the deplyoment, run `cf apps` in the targeted space: + +Now update the Cloud deployment with + +```sh +cds up +``` + +and verify it by running `cf apps` in the targeted space: ```sh name requested state processes routes -bookshop started web:1/1 --bookshop.cfapps.sap.hana.ondemand.com -bookshop-srv started web:1/1 --bookshop-xsuaa-bookshop-srv.cfapps.sap.hana.ondemand.com +bookshop-potal started web:1/1 --bookshop. +bookshop-potal-db-deployer stopped web:0/1 +bookshop-potal-srv started web:1/1 --bookshop-srv. ``` and open the route exposed by the `bookshop` UI application in a new browser session. -
+
-E.g. `https://--bookshop.cfapps.sap.hana.ondemand.com/odata/v4/admin/Books` +E.g. `https://--bookshop.>/odata/v4/AdminService/Books`
-
+
-E.g. `https://--bookshop.cfapps.sap.hana.ondemand.com/odata/v4/AdminService/Books` +E.g. `https://--bookshop./odata/v4/admin/Books`
+ ## Hybrid Authentication { #hybrid-auth } will come soon diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 86a4c266a8..0a1030b024 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -1583,7 +1583,9 @@ const jwtToken = token.jwt // string ``` ::: warning -The `cds.User.authInfo` property depends on the authentication library that you use. CAP does not guarantee the content of this property. Use it with caution. Always pin your dependencies as described in the [best practices](./best-practices#deploy). +The `cds.User.authInfo` property depends on the authentication library that you use. +CAP does not guarantee the content of this property. Use it with caution. +Always pin your dependencies as described in the [best practices](../../node.js/best-practices#deploy). :::
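Review bot: in the @@ -1160,29 +1121,38 @@ hunk the `cf apps` listing names the applications `bookshop-potal`, `bookshop-potal-db-deployer` and `bookshop-potal-srv`, while the sentence that follows still tells the reader to open the route of the `bookshop` UI application; align the names (and check the spelling, since the command that was run is `cds add portal`). The Java example URL `https://--bookshop.>/odata/v4/AdminService/Books` contains a stray `>` after the host placeholder; the Node.js line below it shows the intended shape. Consider also a short remark on why `bookshop-potal-db-deployer` is listed as `stopped web:0/1`, so that nobody reads it as a failed deployment.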
From d874ec367c34a53e329dceb323deb0b6b6e4bf5e Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 17 Dec 2025 11:21:37 +0100 Subject: [PATCH 105/120] fixed dead links --- java/multitenancy.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/java/multitenancy.md b/java/multitenancy.md index 20585d1eaa..d938068f5d 100644 --- a/java/multitenancy.md +++ b/java/multitenancy.md @@ -298,11 +298,12 @@ runtime.requestContext().systemUserProvider().run(context -> { }); ``` -[Learn more about how to switch to a technical tenant.](../java/event-handlers/request-contexts#switching-to-provider-tenant){.learn-more} +[Learn more about how to switch to a technical tenant.](../guides/security/cap-users#switching-to-provider-tenant){.learn-more} + #### Switching to Subscriber Tenants { #switching-subscriber-tenant } -You can set a particular tenant and access it by running your code in a nested `RequestContext` as explained [here](../java/event-handlers/request-contexts#switching-to-a-specific-technical-tenant) and demonstrated by the following example: +You can set a particular tenant and access it by running your code in a nested `RequestContext` as explained [here](../guides/security/cap-users#switching-to-subscriber-tenant) and demonstrated by the following example: ```java runtime.requestContext().systemUser(tenant).run(context -> { From 5cbe0d1a67fb3f9303c4d1e60cc4d38d677cddde Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 17 Dec 2025 16:22:50 +0100 Subject: [PATCH 106/120] removed toxic link --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 443a96fdc8..6bc259aefc 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
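Review bot: the two retargeted links in the java/multitenancy.md hunk (@@ -298,11 +298,12 @@) point at the anchors `#switching-to-provider-tenant` and `#switching-to-subscriber-tenant` in guides/security/cap-users.md, which this patch does not show; please confirm both ids exist there, especially since the heading in this very file uses `{ #switching-subscriber-tenant }` (without "to"), so the two spellings are easy to confuse. The relative path `../guides/security/cap-users` itself resolves correctly from `java/`.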
@@ -810,7 +810,7 @@ There are some mandatory configuration parameters: |`service-plan` | The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`. | |`path` | File system path to the [application security descriptor](#xsuaa-security-descriptor). | |`xsappname` | A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`). | -|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a [multitenant application](../../guides/multitenancy#multitenancy). | +|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a multitenant application. | ::: warning Upgrading the `service-plan` from type `application` to `broker` is not supported. From 1466775a846ed234acc662b1b3e6df329f33f041 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 17 Dec 2025 17:55:18 +0100 Subject: [PATCH 107/120] added tracing --- guides/security/authentication.md | 2 +- guides/security/cap-users.md | 37 ++++++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 6bc259aefc..cf18ce05fe 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -684,7 +684,7 @@ The same is true for the logout flow. ::: -Npw re-deploy the solution by running: +Now re-deploy the solution by running: ```sh cds up diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 0a1030b024..19bf2696e1 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -186,6 +186,41 @@ In the CDS model, some of the user properties can be referenced in annotations o | Attribute | `$user.` | [@restrict](./authorization#user-attrs) | | Role | `` | [@requires](./authorization#requires) and [@restrict.to](./authorization#restrict-annotation) | +### Tracing { #user-tracing } + +To track down issues during development, it helps to trace the properties of the request user to the application log. + +
+ +You can activate the log by setting logger `com.sap.cds.security.authentication` to log level `DEBUG`: + +```yaml +logging.level.com.sap.cds.security.authentication: DEBUG +``` + +This will result in trace output (in case of mock users) + +```sh +Resolved MockedUserInfo [id='mock/admin', name='admin', roles='[admin]', attributes='{tenant=[null]}' +``` + +or (in case of XSUAA) + +```sh +c.s.c.f.i.IdentityUserInfoProvider : Resolved XsuaaUserInfo [id='be72646e-279a-4f96-ae40-05989a46b43b', name='max.muster@sap.com', roles='[openid, admin]', attributes=' +{tenant=[b2c463bd-da56-488c-8345-2632905acde3]}' +``` + +[Learn more about tracing](../java/operating-applications/observability#logging-configuration){.learn-more} + +
+ +
+ +TODO + +
+ ## Role Assignment with AMS { #roles-assignment-ams } @@ -1171,7 +1206,7 @@ Prefer local req objects in your handlers for accessing event context properties ::: Setting `cds.context` usually happens in inbound authentication middlewares or in inbound protocol adapters. -During processing, you can set it programmatically or spawn a new root transaction providing a context argument to achieve a [switch of the current user](#switching-users--switching-users-node). +During processing, you can set it programmatically or spawn a new root transaction providing a context argument to achieve a [switch of the current user](#switching-users). Depending on the configured [authentication](./authentication) strategy, CAP derives a default set of user claims containing the user's name, tenant, attributes and assigned roles: From 5984adbbb9e421fb2a5e0c746934a8997fea2667 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Wed, 17 Dec 2025 18:13:59 +0100 Subject: [PATCH 108/120] links --- guides/security/cap-users.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 19bf2696e1..8a6ed7e388 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -195,7 +195,9 @@ To track down issues during development, it helps to trace the properties of the You can activate the log by setting logger `com.sap.cds.security.authentication` to log level `DEBUG`: ```yaml -logging.level.com.sap.cds.security.authentication: DEBUG +logging: + level: + com.sap.cds.security.authentication: DEBUG ``` This will result in trace output (in case of mock users) 
@@ -211,7 +213,7 @@ c.s.c.f.i.IdentityUserInfoProvider : Resolved XsuaaUserInfo [id='be72646e-279a-4 {tenant=[b2c463bd-da56-488c-8345-2632905acde3]}' ``` -[Learn more about tracing](../java/operating-applications/observability#logging-configuration){.learn-more} +[Learn more about tracing](../../java/operating-applications/observability#logging-configuration){.learn-more}
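Review bot: the Tracing section added in the @@ -186,6 +186,41 @@ hunk of cap-users.md sets logger `com.sap.cds.security.authentication` to `DEBUG`, and the sample output shows that this writes the resolved user id, user name (an e-mail address in the XSUAA sample), roles and tenant of every request to the application log; the section opens with "during development", but the YAML snippet is not scoped to a profile, so please say explicitly that this level belongs in a development profile only, since those values are personal data and would otherwise end up in production logs. The `<div class="impl node">` block of the same hunk still reads `TODO`; either fill it in or leave the block out until there is content.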
From e45a3b68bcd39228065128e83a95849a8d72e422 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 18 Dec 2025 13:51:46 +0100 Subject: [PATCH 109/120] minor changes --- guides/security/authentication.md | 363 ++++++++++++++---------------- guides/security/overview.md | 21 +- 2 files changed, 187 insertions(+), 197 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index cf18ce05fe..9b58063f5e 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -2,7 +2,7 @@ # layout: cookbook label: Authentication synopsis: > - This guide explains how to authenticate CAP services to resolve CAP users. + This guide explains how to authenticate CAP services. status: released --- @@ -30,7 +30,8 @@ This guide explains how to authenticate CAP services to resolve CAP users. ## Pluggable Authentication In essence, authentication verifies the user's identity and validates the presented claims, such as granted roles and tenant membership. -Briefly, **authentication ensures _who_ is going to use the service**, in contrast to [authorization](../security/authorization#authorization) which determines _how_ the user can interact with the application's resources based on the defined access rules. +Briefly, **authentication ensures _who_ is going to use the service** which is technically reflected in a resulting [user](./cap-users). +In contrast, [authorization](../security/authorization#authorization) determines _how_ the user can interact with the application's resources according to the defined access rules. As access control relies on verified claims, authentication is a mandatory prerequisite for authorization. ![Authentication with CAP](./assets/authentication.drawio.svg){width="550px" } @@ -56,13 +57,12 @@ Setup and start a simple sample application:
```sh -cds init bookshop --java --add sample -cd ./bookshop +cds init bookshop --java --add sample && cd ./bookshop mvn spring-boot:run ``` ::: tip -CAP Java requires some Maven [dependencies](../../java/security#maven-dependencies) to enable authentication middleware support. +CAP Java requires certain [Maven dependencies](../../java/security#maven-dependencies) to enable authentication middleware support. Platform starter bundles `cds-starter-cf` and `cds-starter-k8s` ensure all required dependencies out of the box. ::: @@ -101,34 +101,33 @@ MockUsersSecurityConfig : * Security configuration based on mock users found i
-Also notice the log output prints all recognized mock users such as +Also notice that the application log contains information about all registered mock users: ```sh MockUsersSecurityConfig : Added mock user {"name":"admin","password":"admin", ...} ```
-
+**You should not manually configure authentication for endpoints.** +As the mock user authentication is active, all (CAP) andpoints are [authenticated automatically](#model-auth). -The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** +
::: tip -In non-production profile, you may set cds.security.authentication.mode = "model-relaxed" to deactivate authentication of endpoints derived from unrestricted CDS services. +To simplify the development scenario, you can set cds.security.authentication.mode = "model-relaxed" to deactivate authentication of endpoints derived from unrestricted CDS services. ::: Sending OData request `curl http://localhost:8080/odata/v4/CatalogService/Books --verbose` results in a `401` error response from the server indicating that the anonymous user has been rejected due to missing authentication. -This is true for all endpoints including the web application page at `/index.html`. +This is the case for all endpoints including the web application page at `/index.html`. -Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with curl `http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (HTTP response `200`). +Mock users require **basic authentication**, hence sending the same request on behalf of mock user `admin` (password: `admin`) with `curl http://admin:admin@localhost:8080/odata/v4/CatalogService/Books` returns successfully (HTTP response `200`).
-The CAP runtime will automatically authenticate all CAP endpoints - **you are not required to manually configure authentication for CAP endpoints!** - -::: tip +::: info In non-production profile, endpoints derived from unrestricted CDS services are not authenticated to simplify the development scenario. ::: @@ -150,54 +149,33 @@ returns successfully (HTTP response `200`).
-::: tip +::: info Mock users are deactivated in production profile by default ❗ ::: -
- -[Learn more about authentication options](../../java/security#spring-boot){.learn-more} - -
- -
- -[Learn more about authentication options](../../node.js/authentication#strategies){.learn-more} - -
- +[Learn more about advanced authentication options](../../java/security#spring-boot){.learn-more .java} +[Learn more about advanced authentication options](../../node.js/authentication#strategies){.learn-more .node} ### Preconfigured Mock Users { #preconfigured-mock-users } -For convenience, the runtime creates default mock users reflecting typical types of users suitable for test combinations, e.g. privileged users passing all security checks or restricted users which just pass authentication only. -The predefined users are merged with mock users [defined by the application](#custom-mock-users). -The effective list of mock users is traced to startup log if mock user configuration is active. +For convenience, the runtime creates default mock users to cover typical test scenarios, e.g. privileged users passing all security checks or users which pass authentication but do not have additional claims. +The predefined users are added to [custom mock users](#custom-mock-users) defined by the application. -You can opt out the preconfiguration of these users by setting `cds.security.mock.defaultUsers = false`. -{ .java } +You can opt out the preconfigured mock users by setting `cds.security.mock.defaultUsers = false`. { .java } +[Learn more about predefined mock users](../../java/security#preconfigured-mock-users){.learn-more .java} +[Learn more about predefined mock users](../../node.js/authentication#mock-users){.learn-more .node} -
- -[Learn more about predefined mock users in CAP Java](../../java/security#preconfigured-mock-users){.learn-more} - -
- -
- -[Learn more about predefined mock users in CAP Node.js](../../node.js/authentication#mock-users){.learn-more} - -
### Customization { #custom-mock-users } -You can define custom mock users to simulate any type of [end users](./cap-users#claims) that will interact with your application at production time. +You can define custom mock users to simulate any type of end users that will interact with your application at production time. +Internally, mock users are represented as [CAP users](cap-users#claims) as well. Hence, you can use the mock users, to test your authorization settings or custom handlers, fully decoupled from the actual execution environment.
-::: details How to define a custom mock user with name `viewer-user` ```yaml [srv/src/main/resources/application.yaml] spring: config.activate.on-profile: default @@ -219,13 +197,11 @@ cds: additional: email: myviewer@crazycars.com ``` -:::
-::: details How to add a custom mock user with name `viewer-user` ```yaml [package.json] "cds": { "requires": { @@ -247,18 +223,21 @@ cds: } } ``` -:::
-In mock user configuration you can specify: +In the mock user configuration you can specify: - name (mandatory) and tenant -- CAP roles (including pseudo-roles) and attributes affecting authorization +- [CAP roles](cap-users#roles) (including pseudo-roles) and [attributes](authorization#user-attrs) affecting authorization - additional attributes - [feature toggles](../extensibility/feature-toggles#feature-toggles) which influence request processing. -To verify the user properties, activate [user tracing](./cap-users#user-tracing) and send a request using the mock user (`viewer-user` for example). +::: tip +Define the mock users in development profile only. +::: + +To verify the user properties, activate [user tracing](./cap-users#user-tracing) and send a request using the mock user (such as `viewer-user`). In the application log you will find information about the resolved user after successful authentication:
@@ -277,27 +256,18 @@ MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='vi
-
- -[Learn more about custom mock users](../../java/security#custom-mock-users){.learn-more} - -
- -
- -[Learn more about custom mock users](../../node.js/authentication#mocked){.learn-more} - -
+[Learn more about custom mock users](../../java/security#custom-mock-users){.learn-more .java} +[Learn more about custom mock users](../../node.js/authentication#mocked){.learn-more .node} ### Automated Testing { #mock-user-testing } -Mock users provide an ideal foundation for automated **unit tests, which are essential for ensuring application security**. +Mock users provide an excellent foundation for automated **unit tests, which are essential for ensuring application security**. The flexibility in defining various types of mock users and the seamless integration into testing code significantly reduces the burden of covering all relevant test combinations.
-::: details How to use @WithMockUser in Spring-MVC to use CAP mock users +::: details How to leverage Spring-MVC to use CAP mock users ```java [srv/src/test/java/customer/bookshop/handlers/CatalogServiceTest.java] @RunWith(SpringRunner.class) @SpringBootTest @@ -324,18 +294,13 @@ public class BookServiceOrdersTest {
-
- -[Learn more about testing with authenticated endpoints](../../node.js/cds-test#authenticated-endpoints){.learn-more} - -
- - -
+::: tip +Integration tests running with production profile should ensure that access by unauthenticated users is rejected from all endpoints of the application❗ +::: -[Learn more about unit testing](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more} +[Learn more about testing with authenticated endpoints](../../node.js/cds-test#authenticated-endpoints){.learn-more .java} +[Learn more about unit testing](../../java/developing-applications/testing#testing-cap-java-applications){.learn-more .node} -
@@ -346,13 +311,13 @@ public class BookServiceOrdersTest { ## IAS Authentication { #ias-auth } -[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management which provides: +[SAP Identity Authentication Service (IAS)](https://help.sap.com/docs/cloud-identity-services) is the preferred platform service for identity management providing following features: - best of breed authentication mechanisms (single sign-on, multi-factor enforcement) - federation of corporate identity providers (multiple user stores) - cross-landscape user propagation (including on-premise) - streamlined SAP and non-SAP system [integration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/integrating-service) (due to [OpenId Connect](https://openid.net/connect/) compliance) -IAS authentication is best configured and tested in the Cloud, so we're going to enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). +IAS authentication is best configured and tested in the Cloud, so let's enhance the started bookshop sample application with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). ### Get Ready with IAS { #ias-ready } @@ -377,7 +342,7 @@ to make your application ready for deployment to CF.
-::: tip +::: info Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. ::: @@ -393,7 +358,7 @@ cds add hana ### Adding IAS -Now the application is ready to for adding IAS-support by executing +Now the application is ready to be enhanced with IAS-support by executing ```sh cds add ias @@ -427,27 +392,27 @@ resources:
-::: tip -Command `add ias` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates IAS authentiaction automatically. +::: info +The [binding](../../java/security#bindings) to service instance of type `identity` is the trigger to automatically enforce IAS authentiaction at runtime ❗ :::
-Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a client. +Whereas the service instance represents the IAS application itself, the binding provides access to the identity services on behalf of a concrete client. **CAP applications can have at most one binding to an IAS instance.** Conversely, multiple CAP applications can share the same IAS intstance. -Following properties are available: +Service instance and binding offer the following crucial configuration properties: | Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| | `name` | _instance_ | _Name for the IAS application - unique in the tenant_ | -| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS administrators | +| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS administrators_ | | `multi-tenant` | _instance_ | _Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS)_ | | `credential-type` | _binding_ | _`X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application_ | | `app-identifier` | _binding_ | _Ensures stable subject in generated certificate (required for credential rotation)_ | -[Lean more about IAS service instance and binding creation options](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/reference-information-for-identity-service-of-sap-btp){.learn-more} +[Lean more about IAS service instance and binding configuration](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/reference-information-for-identity-service-of-sap-btp){.learn-more}
@@ -457,9 +422,9 @@ cds up ``` and wait until the application is up and running. -You can test the status with `cf apps` or in BTP Cockpit, alternatively. +You can test the status with `cf apps` on CLI level or in BTP Cockpit, alternatively. -The following trace in the application log confirms the activated IAS authentication: +The startup log should confirm the activated IAS authentication:
```sh @@ -472,12 +437,12 @@ The following trace in the application log confirms the activated IAS authentica TODO
-At startup, the CAP runtime checks the available bindings and activates IAS authentication accordingly. -**Therefore, the local setup (no IAS binding in the environment) is still runnable**. +::: tip +The local setup is still runnable on basis of mock users as there is no IAS binding in the environment. +::: -For mTLS support which is mandatory for IAS, the CAP application has a second route configured with the `cert.*` domain. +For mTLS support which is mandatory for IAS, the CAP application has a second route configured with the `cert.*` domain: -::: details Application routes with `cert.*`-domain ```yaml modules: - name: bookshop-srv @@ -486,8 +451,9 @@ modules: routes: - route: "${default-url}" - route: "${default-host}.cert.${default-domain}" +``` -::: tip +::: info Platform-level TLS termination is provided on CF out of the box via `cert.*`-domains. By default, the validated certificate is forwarded via HTTP header `X-Forwarded-Client-Cert` to the CAP endpoint. ::: 
@@ -503,10 +469,10 @@ In the [Administrative Console for Cloud Identity Services](https://help.sap.com you can see and manage the deployed IAS application. You need a user with administrative privileges in the IAS tenant to access the services at `.accounts400.ondemand.com/admin`. In the Console you can manage the IAS tenant and IAS applications, for example: -- create (test) users in `Users & Authorizations` -> `User Management` -- deactivate users -- configure the authentication strategy (password policies, MFA etc.) in `Applications & Resources` -> `Applications` (IAS instances listed with their display-name) -- inspect logs in `Monitoring & Reporting` -> `Troubleshooting` +- Create (test) users in `Users & Authorizations` -> `User Management` +- Deactivate users +- Configure the authentication strategy (password policies, MFA etc.) in `Applications & Resources` -> `Applications` (IAS instances listed with their display-name) +- Inspect logs in `Monitoring & Reporting` -> `Troubleshooting` ::: tip In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows direct navigation to the IAS application in the Administrative Console for IAS. 
@@ -515,23 +481,20 @@ In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows di ### CLI Level Testing -Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the IAS application. +Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid OAuth tokens created for the IAS application. + Sending the test request ```sh -curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose +curl https://--bookshop-srv. \ + /odata/v4/CatalogService/Books --verbose ``` as anonymous user without a token results in a `401 Unauthorized` as expected. -Now we want to fetch a token to prepare a fully authenticated test request. -As first step we add a new client for the IAS application by creating an appropriate service key: - -```sh -cf create-service-key bookshop-ias bookshop-ias-key \ - -c '{"credential-type": "X509_GENERATED"}' -``` +Now let's fetch a token as basis for a fully authenticated test request. +For doing so, you need to interact with IAS service which requires an authenticated client itself. -The overall setup with local CLI client and the Cloud services is sketched in the diagram: +The overall setup with CLI client and the Cloud services is sketched in the diagram: ![CLI-level Testing of IAS Endpoints](./assets/ias-cli-setup.drawio.svg){width="500px"} 
@@ -540,6 +503,13 @@ As IAS requires mTLS-protected channels, **client certificates are mandatory** f - Business request to the CAP application presenting the token (2) - Initial proof token request to IAS - not required for all business requests (3) +As first step add a new client for the IAS application by creating an appropriate service key: + +```sh +cf create-service-key bookshop-ias bookshop-ias-key \ + -c '{"credential-type": "X509_GENERATED"}' +``` + The client certificates are presented in the IAS binding and hence can be examined via a service key accordingly. ::: details How to create and retrieve service key credentials @@ -616,9 +586,12 @@ The final test request needs to provide the **client certificate and the token** ```sh curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ - https://--bookshop-srv.cert./odata/v4/CatalogService/Books + https://--bookshop-srv.cert. \ + /odata/v4/CatalogService/Books ``` +The response should contain the queried books accordingly (HTTP response code `200`). + Don't forget to delete the service key after your tests: ```sh cf delete-service-key bookshop-ias bookshop-ias-key @@ -627,10 +600,10 @@ cf delete-service-key bookshop-ias bookshop-ias-key ### UI Level Testing -In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. +In the UI scenario, adding an Application Router as an ingress proxy to the deployment simplifies testing a lot. It will take care of fetching the required IAS tokens when forwarding requests to the backend service. -Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an AppRouter component as well as HTML5 Application Repository: +Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an Application Router component as well as HTML5 Application Repository: ```sh cds add portal 
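Review bot: the reflowed curl commands in the @@ -515,23 +481,20 @@ and @@ -616,9 +586,12 @@ hunks no longer work as written: a backslash continuation after `https://--bookshop-srv. \` (and `https://--bookshop-srv.cert. \`) does not join the next line to the URL, so the shell passes `/odata/v4/CatalogService/Books` to curl as a separate argument, which curl treats as a second URL rather than as the path of the first. Keep the URL on one line, or break the command at an option boundary instead (for example after `--key key.pem \` or after the `-H "Authorization: Bearer " \` line that the second hunk already has).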
@@ -684,12 +657,15 @@ The same is true for the logout flow. ::: -Now re-deploy the solution by running: +Now re-deploy the solution by running ```sh cds up ``` +and test the application via URL provided in the Cockpit. +The Application Router should redirect to a login flow where you can enter the credentials of a [test user](#ias-admin) created before. + ## XSUAA Authentication { #xsuaa-auth } 
@@ -698,24 +674,21 @@ cds up - federation of corporate identity providers (multiple user stores) - create and assign access roles -::: tip Info +::: tip In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box. ::: -XSUAA authentication is best configured and tested in the Cloud, so we're going to enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). +XSUAA authentication is best configured and tested in the Cloud, so let's enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). ### Get Ready with XSUAA { #xsuaa-ready } -Before working with XSUAA on CF, you need to ensure -- your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF. +Before working with XSUAA on CF, you need to ensure your development environment is [prepared for deploying](https://pages.github.tools.sap/cap/docs/guides/deployment/to-cf#prerequisites) to CF. In particular, you require a `cf` CLI session targeting a CF space in the test subaccount (test with `cf target`). -- https://help.sap.com/docs/application-frontend-service/application-frontend-service/enabling-service +You can continue with the bookshop sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. -You can continue with the sample create for the [mock users](#mock-user-auth) or, alternatively, you can also enhance the [IAS-based](#ias-auth) application. - -If there is no deployment descriptor yet, in the project root folder, execute +If there is no deployment descriptor yet, execute in the project root folder ```sh cds add mta @@ -724,7 +697,7 @@ cds add mta
::: tip -Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required](../../java/security#maven-dependencies) for security are added transitively. +Command `add mta` will enhance the project with `cds-starter-cloudfoundry` and therefore all [dependencies required for security](../../java/security#maven-dependencies) are added transitively. :::
@@ -740,7 +713,7 @@ cds add hana ### Adding XSUAA { #adding-xsuaa } -Now the application is ready to for adding XSUAA-support by executing +Now the application is ready for enhancing with XSUAA-support:
@@ -759,15 +732,7 @@ cds add xsuaa --for production
-which automatically adds a service instance named `bookshop-auth` of type `xsuaa` (plan: `application`) and binds the CAP application to it. - -
- -::: tip Notice -Command `cds add xsuaa` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates XSUAA authentication automatically. -::: - -
+The command automatically adds a service instance named `bookshop-auth` of type `xsuaa` (plan: `application`) and binds the CAP application to it: ```yaml [mta.yaml] modules: @@ -793,6 +758,14 @@ resources: - '$XSAPPNAME.admin' ``` +
+ +::: info +Command `cds add xsuaa` enhances the project with [required binding](../../java/security#bindings) to service instance identity and therefore activates XSUAA authentication automatically. +::: + +
+ **CAP applications should have at most one binding to an XSUAA instance.** Conversely, multiple CAP applications can share the same XSUAA instance.
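Review bot: the info box says `cds add xsuaa` adds the "required binding to service instance identity", but the hunk itself describes a service instance named `bookshop-auth` of type `xsuaa`; "identity" looks copied over from the IAS section and should read `bookshop-auth` (or "the XSUAA service instance"). The bold sentence "CAP applications should have at most one binding to an XSUAA instance" would be clearer with the reason in one clause: the runtime selects the authentication strategy from the bindings it finds at startup, as the `cf logs` trace `XSUAA: bookshop-auth` later in this file shows.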
@@ -807,23 +780,25 @@ There are some mandatory configuration parameters: | Property | Description | |-------------------|:-------------------:| -|`service-plan` | The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`. | -|`path` | File system path to the [application security descriptor](#xsuaa-security-descriptor). | -|`xsappname` | A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`). | -|`tenant-mode` | `dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a multitenant application. | +|`service-plan` | _The plan type reflecting various application scenarios. UI applications without API access use plan `application`. All others should use plan `broker`._ | +|`path` | _File system path to the [application security descriptor](#xsuaa-security-descriptor)._ | +|`xsappname` | _A unique application name within the subaccount. All XSUAA artifacts are prefixed with it (wildcard `$XSAPPNAME`)._ | +|`tenant-mode` | _`dedicated` is suitable for a single-tenant application. Mode `shared` is mandatory for a multitenant application._ | ::: warning Upgrading the `service-plan` from type `application` to `broker` is not supported. -Hence, start with `broker` if you plan to provide technical APIs. +Hence, start with plan `broker` in case you want to provide technical APIs in future. 
::: [Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-developer-guide-for-cloud-foundry-multitarget-applications-sap-web-ide-full-stack/application-security-descriptor-configuration-syntax){.learn-more} #### Security Descriptor { #xsuaa-security-descriptor } -The security descriptor in the `xs-security.json` file contains the [XSUAA authorization artifacts](https://help.sap.com/docs/btp/sap-business-technology-platform/authorization-entities). -In general, XSUAA artifacts are managed in a hierarchy with role collections as root elements that can be assigned to users. -For convenience, when adding XSUAA facet, these artifacts are initially derived from the CDS model: +The security descriptor in the `xs-security.json` file contains [XSUAA authorization artifacts](https://help.sap.com/docs/btp/sap-business-technology-platform/authorization-entities). +In general, XSUAA artifacts have a hierarchical relationship with role collections as root elements. +Role collections can be assigned to end users. + +For convenience, when adding the XSUAA facet, these artifacts are initially derived from the CDS model: - **XSUAA Scopes**: For every [CAP role](./cap-users#roles) in the CDS model, a dedicated scope is generated with the exact name of the CDS role. - **XSUAA attributes** For every [CAP attribute](./authorization#user-attrs) in the CDS model, one attribute is generated. 
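Review bot: in the warning, "start with plan `broker` in case you want to provide technical APIs in future" should read "if you plan to provide technical APIs in the future". Wrapping every description cell of the property table in underscores is a style the other tables of this guide do not use (the pseudo role table in cap-users.md is left plain); keep the cells plain unless the whole guide switches to that style.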
@@ -854,29 +829,25 @@ For convenience, when adding XSUAA facet, these artifacts are initially derived [Lean more about XSUAA security descriptor](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} [Learn how to setup mTLS for XSUAA](https://help.sap.com/docs/btp/sap-business-technology-platform/enable-mtls-authentication-to-sap-authorization-and-trust-management-service-for-your-application){.learn-more} -After successful authentication, the scope prefix `$XSAPPNAME`is removed by the CAP integration to match the corresponding CAP role. +At runtime, after successful authentication, the scope prefix `$XSAPPNAME`is removed by the CAP integration to match the corresponding CAP role. In the [deplyoment descriptor](#adding-xsuaa), the optional property `role-collections` contains a list of preconfigured role collections. In general, role collections are [created manually](./cap-users#xsuaa-assign) at runtime by user administrators. -But in case the underlying role template has no reference to an attribute, a corresponding role collection is prepared already. -In the example, role collection `admin (bookshop ${org}-${space})` containing the role template `admin` is defined and can be directly assigned to users. +But in case the underlying role template has no reference to an attribute, a corresponding role collection can be prepared already for sake of convenience. + +In the example, role collection `admin (bookshop -)` containing the role template `admin` is defined and can be directly assigned to users. 
-::: tip Re-generate on model changes -You can have such a file re-generated via +::: tip +You can re-generate the file on model changes via ```sh cds compile srv --to xsuaa > xs-security.json ``` ::: -See [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax) in the SAP Help documentation for the syntax of the _xs-security.json_ and advanced configuration options. - - -::: warning Avoid invalid characters in your models -Roles modeled in CDS may contain characters considered invalid by the XSUAA service. -::: +Consult [Application Security Descriptor Configuration Syntax](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax) in the SAP Help documentation for the syntax of the _xs-security.json_ and advanced configuration options. -::: warning +::: tip If you modify the _xs-security.json_ manually, make sure that the scope names in the file exactly match the role names in the CDS model, as these scope names will be checked at runtime. ::: @@ -902,10 +873,11 @@ cds up
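Review bot: downgrading the scope-name notice from `::: warning` to `::: tip` is a step backwards: a scope name in `xs-security.json` that does not exactly match a CDS role means that role is silently never granted at runtime, so it deserves to stay a warning. The hunk also drops the "Avoid invalid characters in your models" warning (CDS role names may contain characters XSUAA rejects) without a replacement; keep that caveat, for instance folded into the same warning box. Two smaller points: `$XSAPPNAME`is is still missing the space before "is", and the role collection name now reads `admin (bookshop -)` with nothing around the hyphen where the old text had `${org}-${space}`; if angle-bracket placeholders were intended, they are not surviving rendering, so either escape them or keep the `${org}-${space}` form (the same name recurs in the `cf service-key` and `AdminService` hunks below).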
and wait until the application is up and running. -You can test the status with `cf apps` or in BTP Cockpit, alternatively. +You can test the status with `cf apps` on CLI level or in BTP Cockpit, alternatively. + +Run `cf logs bookshop-srv --recent` to confirm the activated XSUAA authentication:
-The following trace in the application log confirms the activated XSUAA authentication: ```sh ... : Loaded feature 'IdentityUserInfoProvider' (IAS: , XSUAA: bookshop-auth) @@ -915,28 +887,30 @@ The following trace in the application log confirms the activated XSUAA authenti
-run `cf logs bookshop-srv --recent` to confirm the activated XSUAA authentication: - ```sh ... : "using auth strategy { kind: 'xsuaa' … } ```
-At startup, the CAP runtime checks the available bindings and activates XSUAA authentication accordingly. -**Therefore, the local setup (no XSUAA binding in the environment) is still runnable**. + +::: tip +The local setup is still runnable on basis of mock users as there is no IAS binding in the environment. +::: ### CLI Level Testing -Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid ID tokens generated for the XSUAA application. -Send the test request: +Due to CAP's autoconfiguration, all CAP endpoints are [authenticated automatically](#model-auth) and expect valid XSUAA tokens. + +Sending the test request
```sh -curl https://--bookshop-srv./odata/v4/CatalogService/Books --verbose +curl https://--bookshop-srv. \ + /odata/v4/CatalogService/Books --verbose ```
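Review bot: the new tip says the local setup still runs "as there is no IAS binding in the environment", but this is the XSUAA section and the sentence it replaces correctly said "no XSUAA binding"; fix to XSUAA (and "on the basis of mock users"). The reformatted curl command is broken: with the `\` continuation, `https://--bookshop-srv.` and `/odata/v4/CatalogService/Books` are passed to curl as two separate URLs, so the request goes to the host root rather than the service and the second argument fails to resolve. Keep the URL on one line, or put it in a shell variable and split only the options across lines. The same split is applied to every curl example further down (the `catalog`, `AdminService` and `admin` requests), so fix all of them together.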
@@ -944,25 +918,31 @@ curl https://--bookshop-srv./odata/v4/CatalogServi
```sh -curl https://--bookshop-srv./odata/v4/catalog/Books --verbose +curl https://--bookshop-srv. \ + /odata/v4/catalog/Books --verbose ```
-…as anonymous user without a token the request results in a `401 Unauthorized` as expected. +as anonymous user without a token the request results in a `401 Unauthorized` as expected. -Now we want to fetch a token to prepare a fully authenticated test request. -As first step we add a new client for the XSUAA application by creating an appropriate service key: +Now let's fetch an XSUAA token to prepare an authenticated test request. +To do so, you need to interact with XSUAA service which requires a valid authentication as well. + +As first step add a new client for XSUAA by creating an appropriate service key with ```sh cf create-service-key bookshop-auth bookshop-auth-key ``` +You can inspect the service key credentials by executing ```sh cf service-key bookshop-auth bookshop-auth-key ``` +which prints the information to the console: + ```json { "credentials": { @@ -979,7 +959,7 @@ cf service-key bookshop-auth bookshop-auth-key ❗ **Never share service keys or tokens** ❗ ::: -As second step, assign the generated role collection with name `admin (bookshop ${org}-${space})` to your **test user**. +As second step, assign the generated role collection with name `admin (bookshop -)` to your **test user**. Follow the instructions from step 4 onwards of [Assign Roles in SAP BTP Cockpit Step](./cap-users#xsuaa-assign). With the credentials, you can send an HTTP request to fetch the token from XSUAA `/oauth/token` endpoint: @@ -1013,36 +993,53 @@ The request returns with a valid XSUAA token which is suitable to pass authentic {"access_token":"", "token_type":"bearer","expires_in":43199, [...]} ``` +With the token for the technical user, you should be able to access any endpoint, which has no specific role requirements:
-The final test request needs to provide the token being send to the application's route: ```sh curl -H "Authorization: Bearer " \ - https://--bookshop-srv./odata/v4/CatalogService/Books + https://--bookshop-srv. \ + /odata/v4/CatalogService/Books ```
-With the token for the technical user, you should be able to access any endpoint, which has no specific role requirements: - ```sh curl -H "Authorization: Bearer " \ - https://--bookshop-srv./odata/v4/catalog/Books + https://--bookshop-srv. \ + /odata/v4/catalog/Books ``` +
+ If you also want to access the `AdminService` which requires the role `admin`, -you need to fetch the token for the named user instead. That is the user which you have assigned the `admin (bookshop ${org}-${space})` role collection to. +you need to fetch the token for the named user instead. That is the user which you have assigned the `admin (bookshop -)` role collection to. With the token for the named user, the following request should succeed: +
+ +```sh +curl -H "Authorization: Bearer " \ + https://--bookshop-srv. \ + /odata/v4/AdminService/Books +``` + +
+ +
+ ```sh curl -H "Authorization: Bearer " \ - https://--bookshop-srv./odata/v4/admin/Books + https://--bookshop-srv. \ + /odata/v4/admin/Books ``` +
+ ::: tip Try out sending a request to the `admin` endpoint with the technical user token to see the expected `403 Forbidden` response: @@ -1052,8 +1049,6 @@ Try out sending a request to the `admin` endpoint with the technical user token ::: -
- Don't forget to delete the service key after your tests: ```sh cf delete-service-key bookshop-auth bookshop-auth-key @@ -1062,19 +1057,19 @@ cf delete-service-key bookshop-auth bookshop-auth-key ### UI Level Testing -In the UI scenario, adding an AppRouter as an ingress proxy to the deployment simplifies testing a lot. -It will take care of fetching the required IAS tokens when forwarding requests to the backend service. +In the UI scenario, adding an Application Router as an ingress proxy to the deployment simplifies testing a lot. +It will take care of fetching the required XSUAA tokens when forwarding requests to the backend service. -Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an AppRouter component as well as HTML5 Application Repository: +Enhancing the project with [SAP Cloud Portal](../deployment/to-cf#option-a-sap-cloud-portal) configuration adds an Application Router component as well as HTML5 Application Repository: ```sh cds add portal ``` The resulting architecture is very similar to the [IAS scenario](#ui-level-testing), but only with XSUAA service instances instead of IAS service instances. -There is one more difference: By default, XSUAA does not enforce mTLS. +There is one more difference: **By default, XSUAA does not enforce mTLS**. -To be able to fetch the token, the AppRouter needs a binding to the XSUAA instance. +To be able to fetch the token, the Application Router needs a binding to the XSUAA instance. ::: details AppRouter component with XSUAA binding ```yaml @@ -1102,7 +1097,7 @@ modules: ::: As the login flow is based on an HTTP redirect between the CAP application and XSUAA login page, -XSUAA needs to know a valid callback URI which is offered by the AppRouter out-of-the-box. +XSUAA needs to know a valid callback URI which is offered by the Application Router out of the box. The same is true for the logout flow. ::: details Redirect URIs for login and logout 
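Review bot: the rename to "Application Router" is incomplete within this hunk: the `::: details AppRouter component with XSUAA binding` title still says "AppRouter". Since the hunk now bolds "By default, XSUAA does not enforce mTLS", it would help to repeat the "Learn how to setup mTLS for XSUAA" link from the Security Descriptor section here, so the reader is pointed at how to enable it rather than only told that it is off.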
@@ -1139,18 +1134,6 @@ bookshop-potal-srv started web:1/1 --booksho and open the route exposed by the `bookshop` UI application in a new browser session. -
- -E.g. `https://--bookshop.>/odata/v4/AdminService/Books` - -
- -
- -E.g. `https://--bookshop./odata/v4/admin/Books` - -
- ## Hybrid Authentication { #hybrid-auth } @@ -1341,7 +1324,7 @@ TODO Endpoints of (CAP) applications deployed on SAP BTP are, by default, accessible from the public network. Without security middleware configured, CDS services are exposed to the public. -- **Don't rely on AppRouter authentication**. AppRouter as a frontend proxy does not shield the backend from incoming traffic. Therefore, the backend must be secured independently. +- **Don't rely on Application Router authentication**. Application Router as a frontend proxy does not shield the backend from incoming traffic. Therefore, the backend must be secured independently. - **Don't deviate from security defaults**. Only when absolutely necessary should experts make the decision to add modifications or replace parts of the standard authentication mechanisms. diff --git a/guides/security/overview.md b/guides/security/overview.md index 34cab58985..a2459b0925 100644 --- a/guides/security/overview.md +++ b/guides/security/overview.md @@ -1,6 +1,6 @@ --- synopsis: > - This section provides an overview about the security concepts and architecture of CAP applications on different platforms. + This section provides an overview of the security concepts and architecture of CAP applications on different platforms. status: released uacp: Used as link target from SAP Help Portal at https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/9186ed9ab00842e1a31309ff1be38792.html --- 
@@ -19,10 +19,12 @@ These concepts work together to provide comprehensive security while maintaining ### Pluggable Building Blocks { #key-concept-pluggable } -CAP divides the different security-related tasks into separate and independent building blocks, each with a standard CAP implementation suitable for most scenarios: +CAP divides the different security-related tasks into separate and independent building blocks, each with a standard CAP implementation suitable for most scenarios. ![Overview Security Components with CAP](./assets/security-components.drawio.svg){width="700px" } +The building blocks are: + - [Authentication](./authentication ) - [CAP Users](./cap-users) - [CAP Authorization](./authorization) @@ -57,7 +59,7 @@ Likewise, TLS termination is offered by the [platform infrastructure](#platform- ### Decoupled from Business Logic { #key-concept-decoupled-coding } -As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any security-related adaptions. +As security functions are factorized into independent components, **application code is entirely decoupled** and hence is not subject to change in case of any security-related adaptations. This ensures that business logic remains independent of platform services, which are often subject to security-hardening initiatives. As a welcome side effect, this also allows testing application security in a **local test or development setup in a self-contained way**. 
@@ -67,11 +69,16 @@ This abstraction layer ensures that developers do not need to worry about the de ### Secure by Default { #key-concept-secure-by-default } -CAP security features are activated by default. If different behaviour is required, you must explicitly reconfigure or add custom code accordingly. +CAP security features are configured by default. If different behavior is required, you must explicitly reconfigure or add custom code accordingly. CAP's security autoconfiguration approach significantly reduces the risk of misconfiguration - **override only when absolutely necessary and when all effects are safely controlled**. For instance, endpoints of deployed CAP applications are [automatically authenticated](./authentication#model-auth), providing a secure baseline. -Making endpoints public requires manual configuration in either the CAP model or the middleware. +Making endpoints public requires manual configuration in either the CAP model or the middleware. + +::: warning +CAP cannot guarantee end-to-end security across all application layers by default. +The application is responsible for coordinated overall configuration. +::: @@ -82,7 +89,7 @@ CAP requires a dedicated [platform environment](#platform-environment) to integr ### Architecture Overview { #architecture-overview } -The following diagram provides a high-level overview about the security-relevant components and interfaces of a deployed CAP application in a cloud environment: +The following diagram provides a high-level overview of the security-relevant components and interfaces of a deployed CAP application in a cloud environment: ![This TAM graphic is explained in the accompanying text.](./assets/cap-security-architecture-overview.png){width="600px"} 
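Review bot: changing "CAP security features are activated by default" to "configured by default" under the heading "Secure by Default" weakens the statement and is ambiguous (configured to what?); keep "activated" or use "enabled by default". The added warning that CAP cannot guarantee end-to-end security across all layers is a good addition, but "coordinated overall configuration" should say what the application remains responsible for; pointing to the components listed in the following Architecture Overview section would do.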
@@ -224,7 +231,7 @@ The most important services for security offered by the platform: #### [SAP Cloud Identity Services - Identity Authentication](https://help.sap.com/docs/IDENTITY_AUTHENTICATION) { #identity-service } The Identity Authentication service defines the user base for (CAP) applications and services, and allows to control access. -Customers can integrate their 3rd party or on-premise identity provider (IdP) and harden security by defining multifactor authentication or by narrowing client IP ranges. +Customers can integrate their third-party or on-premise identity provider (IdP) and harden security by defining multifactor authentication or by narrowing client IP ranges. This service helps to introduce a strict separation between platform users (provider) and business users (subscribers), a requirement of CAP. It supports various authentication methods, including SAML 2.0 and [OpenID Connect](https://openid.net/connect/), and allows for the configuration of single sign-on access. [Learn more in the security guide.](https://help.sap.com/docs/IDENTITY_AUTHENTICATION?#discover_task-security){.learn-more} From b6e6212279ea4c74b0a04cc9a4d624f4335755ae Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Thu, 18 Dec 2025 17:28:47 +0100 Subject: [PATCH 110/120] minor changes --- guides/security/authentication.md | 2 +- guides/security/cap-users.md | 171 ++++++++++++++++-------------- 2 files changed, 90 insertions(+), 83 deletions(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 9b58063f5e..255811e1e1 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -1285,7 +1285,7 @@ Due to the custom configuration, all URLs matching `/public/**` are opened for p Ensure your custom configuration has higher priority than CAP's default security configuration by decorating the bean with a low order. -::: warning _❗ Warning_ +::: warning Be cautious with the configuration of the `HttpSecurity` instance in your custom configuration. Make sure that only the intended endpoints are affected. ::: diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 8a6ed7e388..6404c68b7b 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -29,7 +29,7 @@ This guide introduces to CAP user abstraction and role assignments. ## CAP User Abstraction { #claims } -A successful authentication results in a CAP [user representation](#claims) reflecting the request user in a uniform way. +A successful authentication results in a CAP user representation reflecting the request user in a uniform way. Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). @@ -60,7 +60,7 @@ The user information is reflected in `req.user` and `req.tenant` [attached to th CAP users can be classified in multiple dimensions: **Business users vs. technical users:** -- Business users represent identified end users who log in to interact with the system. +- Business users represent identifiable end users who log in to interact with the system. - Technical users operate on behalf of an entire tenant at a technical API level. **Authenticated users vs. anonymous users** 
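Review bot: "Business users represent identifiable end users who log in" changes the meaning of the original "identified end users": a business user is one who has actually been identified by authentication, not merely one who could be identified. Keep "identified" (or "authenticated end users").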
@@ -69,10 +69,11 @@ CAP users can be classified in multiple dimensions: **Provider vs. subscriber tenant** - The provider tenant includes all users of the application owner. -- A subscriber tenant includes all users of an application customer. +- A subscriber tenant includes all users of a dedicated application customer. -Typically, the provider tenant is not subscribed to a [multi-tenant application](../multitenancy/#multitenancy) and therefore has no business users. +Usually, the provider tenant is not subscribed to a [multi-tenant application](../multitenancy/#multitenancy) and therefore has no business users. +There are technical users for the provider and for all subscribers. | Multi-Tenant Application | Business users | Technical user |---------------------------|----------------|---------------- @@ -86,7 +87,7 @@ In contrast, for a single-tenant application, the provider tenant coincides with | Provider (=subscriber) Tenant | | -::: tip +::: info Apart from anonymous users, all users have a unique tenant. ::: @@ -102,7 +103,7 @@ Find more details about how to [switch the user context](#switching-users) durin ### Roles { #roles} -As a basis for access control, you can design application specific CAP roles which are assigned to users at application runtime. +As a basis for access control, you can design application specific CAP roles which are assigned to users at runtime. **A CAP role should reflect _how_ a user can interact with the application at an operational level**, rather than a fine-grained event at a purely technical level. ```cds 
@@ -117,7 +118,7 @@ annotate Issues with @(restrict: [ ]); ``` -For instance, the role `ReportIssues` allows to work with the `Issues` created by the own user, whereas a user with role `ReviewIssues` is only allowed to read `Issues` of any user. +For instance, the role `ReportIssues` allows to work with the `Issues` created by the own user, whereas a user with role `ReviewIssues` restricted to read `Issues`. CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. @@ -126,22 +127,22 @@ Dynamic assignments of roles to users can be done by - [AMS roles](#roles-assignment-ams) in case of [IAS authentication](./authentication#ias-auth). - [XSUAA roles](#xsuaa-roles) in case of [XSUAA authentication](./authentication#xsuaa-auth). -::: tip +::: info CDS-based authorization deliberately avoids technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the business domain of applications. ::: #### Pseudo Roles { #pseudo-roles} -It's frequently required to define access rules that aren't based on an application-specific user role, but rather on the _technical authentication level_ of the request. +Often it is useful to define access rules that aren't based on an application-specific user role, but rather on the _technical authentication level_ of the request which can be mapped to a pre-defined CAP role. For instance, a service should be accessible only for technical users, with or without user propagation. Such roles are called pseudo roles as they aren't assigned by user administrators, but are added by the runtime automatically on successful authentication, reflecting the technical level:
-| Pseudo Role | User Type | Technical Indicator | User Name | +| Pseudo Role | User Type | Technical Indicator | User Name ($user) | |----------------------|-------------|-------------------------------------------------------------|------------------------------------------------------| -| `authenticated-user` | | _successful authentication_ | _derived from the token_ | -| `any` | | | _derived from the token if available or `anonymous`_ | +| `authenticated-user` | - | _successful authentication_ | _derived from the token_ | +| `any` | - | - | _derived from the token if available or `anonymous`_ | | `system-user` | _technical_ | _grant type client credential_ | `system` | | `internal-user` | _technical_ | _grant type client credential and shared identity instance_ | `system-internal` | @@ -161,9 +162,9 @@ Such roles are called pseudo roles as they aren't assigned by user administrator The pseudo-role `system-user` allows you to separate access by business users from _technical_ clients. Note that this role does not distinguish between any technical clients sending requests to the API. -Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own PaaS tenant on technical level. +Pseudo-role `internal-user` allows to define application endpoints that can be accessed exclusively by the own provider tenant on technical level. In contrast to `system-user`, the endpoints protected by this pseudo-role do not allow requests from any external technical clients. -Hence is suitable for **technical intra-application communication**, see [Security > Application Zone](./overview#application-zone). +Hence it is suitable for **technical intra-application communication**, see [Security > Application Zone](./overview#application-zone). ::: warning All technical clients that have access to the application's XSUAA or IAS service instance can call your service endpoints as `internal-user`. 
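Review bot: the rewritten sentence "whereas a user with role `ReviewIssues` restricted to read `Issues`" is missing its verb and drops the point of the example, that `ReviewIssues` may read the `Issues` of any user but not modify them. Suggest: "whereas a user with role `ReviewIssues` is restricted to reading the `Issues` of any user."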
@@ -173,7 +174,7 @@ All technical clients that have access to the application's XSUAA or IAS service ### Model References -The resulting object representation of the user is attached to the current request context and has an impact on the request flow for instance with regards to +The object representation of the resolved CAP user is attached to the current request context and has an impact on the request flow for instance with regards to - [authorizations](./authorization#restrictions) - [enriching business data](../domain-modeling#managed-data) with user data - setting [DB session variables](../db-feature-comparison#session-variables) @@ -188,11 +189,11 @@ In the CDS model, some of the user properties can be referenced in annotations o ### Tracing { #user-tracing } -To track down issues during development, it helps to trace the properties of the request user to the application log. +To track down issues during development, it can help to trace the properties of the request user to the application log.
-You can activate the log by setting logger `com.sap.cds.security.authentication` to log level `DEBUG`: +You can activate user tracing by setting logger `com.sap.cds.security.authentication` to log level `DEBUG`: ```yaml logging: @@ -200,19 +201,21 @@ logging: com.sap.cds.security.authentication: DEBUG ``` -This will result in trace output (in case of mock users) +This will result in trace output like ```sh Resolved MockedUserInfo [id='mock/admin', name='admin', roles='[admin]', attributes='{tenant=[null]}' ``` -or (in case of XSUAA) +for mock users or ```sh c.s.c.f.i.IdentityUserInfoProvider : Resolved XsuaaUserInfo [id='be72646e-279a-4f96-ae40-05989a46b43b', name='max.muster@sap.com', roles='[openid, admin]', attributes=' {tenant=[b2c463bd-da56-488c-8345-2632905acde3]}' ``` +for XSUAA users. + [Learn more about tracing](../../java/operating-applications/observability#logging-configuration){.learn-more}
@@ -223,21 +226,24 @@ TODO
+::: warning +Refreign from activating user tracing in productive systems. +::: ## Role Assignment with AMS { #roles-assignment-ams } -CAP applications that use the [Identity Authentication Service (IAS)](https://help.sap.com/docs/identity-authentication) for authentication also leverage the [Authorization Management Service (AMS)](https://help.sap.com/docs/cloud-identity-services/authorization-management-service) to provide comprehensive authorization. Similar to IAS, AMS is part of the [SAP Cloud Identity Services (SCI)](https://help.sap.com/docs/cloud-identity-services). +CAP applications that use the [Identity Authentication Service (IAS)](https://help.sap.com/docs/identity-authentication) for authentication can leverage the [Authorization Management Service (AMS)](https://help.sap.com/docs/cloud-identity-services/authorization-management-service) to provide comprehensive authorization. Similar to IAS, AMS is part of the [SAP Cloud Identity Services (SCI)](https://help.sap.com/docs/cloud-identity-services). Why is AMS required? Unlike tokens issued by XSUAA, IAS tokens only contain static user information and cannot directly provide CAP roles. AMS acts as a central service to define access policies that include CAP roles and additional filter criteria for instance-based authorizations in CAP applications. _Business users_, technically identified by the IAS ID token, can have AMS policies assigned by user administrators. -::: tip +::: info Authorizations for technical users can't be addressed by AMS policies yet. ::: The integration with AMS is provided as an easy-to-use plugin for CAP applications. 
-At the time of the request, the AMS policies assigned to the request user are evaluated by the CAP AMS plugin, and the CAP roles and filters are applied to the request context accordingly, as illustrated in the diagram: +At the time of the request, the AMS policies assigned to the request user are evaluated by the CAP AMS plugin, and the CAP roles and filters are applied to the request context accordingly. This is illustrated in the following diagram: ![The graphic is explained in the following text.](./assets/ams.png){width="500px" } @@ -473,9 +479,7 @@ The attribute should have cross-sectional semantics in the domain. As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation at the level of a shared aspect as sketched here: ```cds -@ams.attributes: { - Genre: (genre.name) -} +@ams.attributes: { Genre: (genre.name) } aspect withGenre { genre : Association to Genres; } @@ -503,7 +507,7 @@ Often, they reflect real-world jobs or functions.
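Review bot: typo in the new warning box: "Refreign" should be "Refrain". The warning is worth keeping and should give the reason in one clause: the `DEBUG` trace shown in the hunk above writes user IDs, names, roles and tenant IDs (for example `name='max.muster@sap.com'`) to the application log, which is personal data that must not end up in production logs.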
-After the application is built, check the *srv/src/main/resources/ams* folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called *cap*: +After the application is built, check the `srv/src/main/resources/ams` folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called `cap` ::: code-group @@ -546,12 +550,12 @@ SCHEMA { } ``` -In the schema you may configure [value help](https://sap.github.io/cloud-identity-developer-guide/Authorization/ValueHelp.html) for the attributes in the [Cockpit UI for AMS](#ams-deployment). +In the schema you may additionally configure [value help](https://sap.github.io/cloud-identity-developer-guide/Authorization/ValueHelp.html) for the attributes in the [Cockpit UI for AMS](#ams-deployment). -The generated policies are usually subject to change. -For example, you can rename the policies to reflect appropriate job functions and adjust the referenced CAP roles according to your needs: +You can modify the generated policies according to your needs. +For example, you can rename the policies to reflect appropriate job functions and adjust the referenced CAP roles: -```yaml [/ams/cap/basePolicies.dcl] +```dcl [/ams/cap/basePolicies.dcl] POLICY StockManager { ASSIGN ROLE ManageBooks WHERE Genre IS NOT RESTRICTED; } 
@@ -563,19 +567,19 @@ POLICY ContentManager { ``` In contrast to a `StockManager` who is responsible for the books offering, a `ContentManager` additionally makes the author selection. -Optionally, a `StockManager` with CAP role `ManageBooks` may be restricted to specific genres by applying filters prepared in [customized policies](#local-testing). -As a `ContentManager` there is no genre-based restriction based on genres is prepared. +In addition, a `StockManager` with CAP role `ManageBooks` may be restricted to specific genres by applying appropriate filters prepared in [custom policies](#local-testing). +As a `ContentManager` there is no genre-based restriction. There are several options for the attribute declarations that have an impact on the effect of filters: | Attribute Statement | Description | Attribute Filter | |:-----------------------:|:--------------------:|:---------------:| -| `WHERE Genre IS NOT RESTRICTED` | Offers `Genre` as filterable attribute in the scope of the role | Filter restriction could be provided in a custom policy, but no filter applied by default (potentially restricted) | -| `WHERE Genre IS RESTRICTED` | Enforces `Genre` as filtered attribute in the scope for the role | Filter restriction must be provided in a custom policy and is applied (restricted) | -| - no defintion - | The role does not offer any attribute for filtering | No restriction filter is applied (unrestricted) | +| `WHERE Genre IS NOT RESTRICTED` | _Offers `Genre` as filterable attribute in the scope of the role_ | _Filter restriction could be provided in a custom policy, but no filter applied by default (potentially restricted)_ | +| `WHERE Genre IS RESTRICTED` | _Enforces `Genre` as filtered attribute in the scope for the role_ | _Filter restriction must be provided in a custom policy and is applied (restricted)_ | +| _- no defintion -_ | _The role does not offer any attribute for filtering_ | _No restriction filter is applied (unrestricted)_ | ::: tip -The 
attribute statement is in the scope of a dedicated CAP role and filters are applied on matching entites only. +The attribute statement is defined in the scope of a dedicated CAP role and filters are applied on matching entites accordingly. ::: [Learn more about AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configuring-authorization-policies){.learn-more} @@ -583,7 +587,7 @@ The attribute statement is in the scope of a dedicated CAP role and filters are ### Local Testing { #local-testing } -Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign (base) policies to mock users and run locally: +Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign policies to mock users and run locally:
@@ -655,7 +659,7 @@ cds watch
-and verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies imply the expected access rules: +and verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies imply the expected static access rules:
@@ -668,7 +672,7 @@ You can now verify that the assigned policies enforce the expected access rules: - mock user `content-manager` has full access to `Books` and `Authors`. - mock user `stock-manager` can _read_ `Books` and `Authors` and can _edit_ `Books` (but _not_ `Authors`). -For the test scenario, you can define custom policies in pre-defined package `local` which is ignored during [deployment of the policies](#ams-deployment) to the Cloud service and hence will no show up in production. +For the advanced test scenario, you can define custom policies in pre-defined package `local` which is ignored during [deployment of the policies](#ams-deployment) to the Cloud service and hence will no show up in production. Let's add a custom policy `StockManagerFiction` which is based on base policy `cap.StockManager` restricting the assigned users to the genres `Mystery` and `Fantasy`: @@ -678,25 +682,26 @@ POLICY StockManagerFiction { } ``` -[Learn more about DCL operators](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/condition-operators){.learn-more} +You can define valid attribute values in complex [DCL expressions](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/condition-operators). +
-::: tip -Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/local/`. -::: +Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/local/*`. + +The assignment to mock users is done in the `policies` property: ```yaml cds: security: mock: users: - stock-manager-fiction: // [!code ++] - policies: // [!code ++] - - local.StockManagerFiction // [!code ++] + stock-manager-test: // [!code ++:3] + policies: + - local.StockManagerFiction ``` -You can verify in the UI that mock user `stock-manager-fiction` is restricted to books of genres `Mystery` and `Fantasy`. +You can verify in the UI that mock user `stock-manager-test` is restricted to books of genres `Mystery` and `Fantasy`.
@@ -714,7 +719,7 @@ Don't miss to add the policy files in sub folders of `ams/dcl` reflecting the na "[development]": { "kind": "mocked", "users": { - "stock-manager-fiction": { // [!code ++:5] + "stock-manager-test": { // [!code ++:5] "policies": [ "local.StockManagerFiction" ] @@ -734,9 +739,9 @@ Don't miss to add the policy files in sub folders of `ams/dcl` reflecting the na ### Cloud Deployment { #ams-deployment } -If not done yet, prepare your project Cloud deployment [as eplained before](./authentication#ias-ready). +If not done yet, prepare your project Cloud deployment as [eplained before](./authentication#ias-ready). -Policies can be automatically deployed to the AMS server during deployment of the application by means of AMS deployer script available in `@sap/ams`. +Policies can be automatically deployed to the AMS server during deployment of the application by means of AMS deployer provided by module `@sap/ams`. Enhancing the project with by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deyployment. 
@@ -839,21 +844,21 @@ It contains the common view of policies applied to all services. [Learn more about AMS deployer](https://sap.github.io/cloud-identity-developer-guide/Authorization/DeployDCL.html#ams-policies-deployer-app){.learn-more} -Now let's deploy and start the application with +Let's deploy and start the application with ```sh cds up ``` -You can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): +Afterwards, you can now perform the following tasks in the Administrative Console for the IAS tenant (see prerequisites [here](./authentication#ias-admin)): - Assign (base or custom) policies to IAS users - Create custom policies To create a custom policy with filter restrictions, follow these steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. 2. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. -3. Customize the filter conditions for the available AMS attributes -4. Confirm with **Save** +3. Customize the filter conditions for the available AMS attributes. +4. Confirm with **Save**. ::: details Create custom AMS policy with filter condition 
@@ -868,7 +873,7 @@ To create a custom policy with filter restrictions, follow these steps: To assign a policy to an IAS user, follow these steps: 1. Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. -2. Switch to tab **Authorization Policies** and select the policy you want to assign +2. Switch to tab **Authorization Policies** and select the policy you want to assign. 3. In **Assignments**, add the IAS user of the tenant to which the policy should be assigned (you can review the policy definition in **Rules**). [Learn more about how to edit custom AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/edit-authorization-policy){.learn-more} @@ -1119,11 +1124,12 @@ Instead, an abstract [user representation](cap-users#claims) is attached to the For example, both authorization enforcement and domain logic can depend on properties of the the current user. ::: warning -Avoid writing custom code based on the raw authentication info, as this undermines the decoupling between authentication strategy and your business logic. +Avoid writing custom code based on the raw authentication information such as dedicated XSUAA properties. +This undermines the decoupling between authentication strategy and your business logic. ::: ::: tip -**In most casese, there is no need to write custom code dependent on the CAP user - leverage CDS modelling whenever possible**. +In most casese, there is no need to write custom code dependent on the CAP user - **leverage CDS modelling whenever possible**. ::: @@ -1131,7 +1137,9 @@ Avoid writing custom code based on the raw authentication info, as this undermin
-In CAP Java, The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways: +The CAP user of a request is represented by a [UserInfo](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/UserInfo.html) object that can be retrieved from the [RequestContext](https://www.javadoc.io/doc/com.sap.cds/cds-services-api/latest/com/sap/cds/services/request/RequestContext.html) of a handler in different ways. + +Either by directly requesting from the context like in the example: ```java @Before(entity = Books_.CDS_NAME) 
@@ -1161,14 +1169,14 @@ The `UserInfo` object is not modifyable, but during request processing, a new `R Depending on the configured [authentication](./authentication) strategy, CAP derives a *default set* of user claims containing the user's name, tenant, attributes and assigned roles: -| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation | -|---------------|-----------------------------------------|-----------------------------|-------------------------|------------------------| -| _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | -| _Tenant_ | `getTenant()` | `zid` | `app_tid` | `$user.tenant` | -| _Attributes_ | `getAttributeValues(String attr)` | `xs.user.attributes.` | All non-meta attributes | `$user.` | -| _Roles_ | `getRoles()` and `hasRole(String role)` | `scopes` | n/a - injected via AMS | String in `to`-clause | +| User Property | UserInfo Getter | XSUAA JWT Property | IAS JWT Property | `@restrict`-annotation | +|---------------|-----------------------------------------|-----------------------------|---------------------------|------------------------| +| _Logon name_ | `getName()` | `user_name` | `sub` | `$user` | +| _Tenant_ | `getTenant()` | `zid` | `app_tid` | `$user.tenant` | +| _Attributes_ | `getAttributeValues(String attr)` | `xs.user.attributes.` | _All non-meta attributes_ | `$user.` | +| _Roles_ | `getRoles()` and `hasRole(String role)` | `scopes` | _n/a - injected via AMS_ | _String in `to`-clause_ | -::: tip +::: info CAP does not make any assumptions on the presented claims given in the token. String values are copied as they are. ::: 
@@ -1176,10 +1184,10 @@ In addition, there are getters to retrieve information about [pseudo-roles](#pse | UserInfo method | Description | CAP Role | |:--------------------|:-------------------------------------------------------------------------------------------------------------------|----------------------| -| `isAuthenticated()` | True if the current user has been authenticated. | `authenticated-user` | -| `isSystemUser()` | Indicates whether the current user has pseudo-role `system-user`. | `system-user` | -| `isInternalUser()` | Indicates whether the current user has pseudo-role `internal-user`. | `internal-user` | -| `isPrivileged()` | Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted. | n/a | +| `isAuthenticated()` | _True if the current user has been authenticated._ | `authenticated-user` | +| `isSystemUser()` | _Indicates whether the current user has pseudo-role `system-user`._ | `system-user` | +| `isInternalUser()` | _Indicates whether the current user has pseudo-role `internal-user`._ | `internal-user` | +| `isPrivileged()` | _Returns `true` if the current user runs in [privileged mode](#switching-to-privileged-user), i.e. is unrestricted._ | - |
@@ -1228,7 +1236,7 @@ Depending on the configured [authentication](./authentication) strategy, CAP der
-In most cases, CAP's default mapping to the CAP user will match your requirements, but CAP also allows you to customize the mapping according to specific needs. +In most cases, CAP's default mapping to the CAP user matches your requirements, but CAP also allows you to customize the mapping according to specific needs. For instance, the logon name as injected by standard XSUAA integration might not be unique if several customer IdPs are connected to the underlying identity service. Here a combination of `user_name` and `origin` mapped to `$user` might be a feasible solution that you can implement in a custom adaptation. 
@@ -1348,22 +1356,22 @@ These scenarios are identified by a combination of the user (*technical* or *nam ![A named user can switch to a technical user in the same/subscriber tenant using the systemUser() method. Also, a named user can switch to a technical user in the provider tenant using the systemUserProvider() method. In addition technical users provider/subscriber tenants can switch to technical users on provider/subscriber tenants using the methods systemUserProvider() or systemUser(tenant).](./assets/requestcontext.drawio.svg) -In CAP Java, the user context can only be modified by explicitly opening an appropriate Request Context which ensures a well-defined scope for the changed settings. +The user context can only be modified by explicitly opening an appropriate Request Context which ensures a well-defined scope for the changed settings. Services might, for example, trigger HTTP requests to external services by deriving the target tenant from the current Request Context. The `RequestContextRunner` API offers convenience methods that allow an easy transition from the current Request Context to a derived one according to the concrete scenario. | Method | Scenario | |----------------------|--------------------------------------------------------------------------------------------------------------------------------------| -| `systemUser()` | [Switches](#switching-to-technical-user) to the **technical user** and preserves the tenant from the current user. | -| `systemUserProvider()` | [Switches](#switching-to-provider-tenant) to the **technical user of the provider account**. | -| `systemUser(tenant)` | [Switches](#switching-to-subscriber-tenant) to a **technical user targeting a given subscriber account**. | -| `privilegedUser()` | [Elevates](#switching-to-privileged-user) the current `UserInfo` to by-pass all authorization checks. | -| `anonymousUser()` | [Switches](#switching-to-anonymous-user) to an anonymous user. 
| +| `systemUser()` | _[Switches](#switching-to-technical-user) to the **technical user** and preserves the tenant from the current user._ | +| `systemUserProvider()` | _[Switches](#switching-to-provider-tenant) to the **technical user of the provider account**._ | +| `systemUser(tenant)` | _[Switches](#switching-to-subscriber-tenant) to a **technical user targeting a given subscriber account**._ | +| `privilegedUser()` | _[Elevates](#switching-to-privileged-user) the current `UserInfo` to by-pass all authorization checks._ | +| `anonymousUser()` | _[Switches](#switching-to-anonymous-user) to an anonymous user._ | Named user contexts are only created by the CAP Java framework as initial Request Context based on appropriate authentication information (for example, JWT token) attached to the incoming HTTP request. -:::tip Note +:::info - It is not possible to switch from technical user to a named user. - Asynchronous requests to CAP services are always on behalf of a technical user. ::: @@ -1714,7 +1722,7 @@ Prefer using [Remote Services](#remote-services) built on Cloud SDK rather than - **Don't write custom code against concrete user types of a specific identity service (e.g. XSUAA or IAS)**. Instead, if required at all, use CAP's user abstraction layer (`UserInfo` in Java or `req.user` in Node.js) to handle user-related logic. -- **Don't try to propagate named user context in asynchronous requests**. Do not attempt to propagate the context of a named user in asynchronous requests, such as when using the Outbox pattern or Messaging. +- **Don't try to propagate named user context in asynchronous requests**, such as when using the Outbox pattern or Messaging. Asynchronous tasks are typically executed outside the scope of the original request context, after successful authorization. Propagating the named user context can lead to inconsistencies or security issues. Instead, use technical users for such scenarios. 
@@ -1725,9 +1733,8 @@ Technical user roles are intended for system-level operations, such as backgroun AMS policies operate at the business level, while CAP roles are defined at the technical domain level. Avoid mixing these two layers, as this could undermine the clarity and maintainability of your authorization model. -- **Don't expose non-cross-sectional entity attributes as AMS Attributes**. -When defining AMS attributes, ensure that only cross-sectional attributes are exposed. -These attributes should have a broad, domain-wide relevance and be applicable across multiple entities. -Typically, only a limited number of attributes (fewer than 5) meet this criterion. +- **Don't choose non-cross-sectional entity attributes as AMS Attributes**. +Such attributes should have a broad, domain-wide relevance and be applicable across multiple entities. +Typically, only a limited number of attributes (less than 10) meet this criterion. Exposing entity-specific attributes as AMS attributes can lead to unnecessary complexity and reduced reusability. From 06664ac1e96592456c5659bb25b4f77a1584cd0b Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Fri, 19 Dec 2025 11:07:07 +0100 Subject: [PATCH 111/120] Update guides/security/authorization.md Co-authored-by: Patrice Bender --- guides/security/authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authorization.md b/guides/security/authorization.md index 43045bc60c..bc0492133a 100644 --- a/guides/security/authorization.md +++ b/guides/security/authorization.md 
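Review bot: typo in the rewritten warning in the first hunk of this patch (cap-users.md, the `::: warning` block): `+Refreign from activating user tracing in productive systems.` should read "Refrain from activating user tracing in productive systems."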
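Review bot: the rewritten sentence in hunk `@@ -503,7 +507,7 @@` drops the colon that introduces the `::: code-group` right after it; `+After the application is built, check the `srv/src/main/resources/ams` folder to see the generated AMS *schema* and a *basePolicies* DCL file in a package called `cap`` should end with a colon, as the removed line did.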
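Review bot: the fence language change in hunk `@@ -546,12 +550,12 @@` (`-```yaml [/ams/cap/basePolicies.dcl]` to `+```dcl [/ams/cap/basePolicies.dcl]`) only works if the site's syntax highlighter has a `dcl` grammar registered; please confirm that, otherwise the block silently loses the highlighting it had and a supported language should be kept.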
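Review bot: two typos survive the rewrite in hunk `@@ -563,19 +567,19 @@`: the table row `+| _- no defintion -_ |` should say "no definition", and the tip `+The attribute statement is defined in the scope of a dedicated CAP role and filters are applied on matching entites accordingly.` should say "entities". Wrapping every cell of the Description and Attribute Filter columns in `_..._` is also unusual for this guide; consider keeping the cells plain and italicising only the "no definition" placeholder.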
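Review bot: duplicated word kept in hunk `@@ -655,7 +659,7 @@`: `+and verify in the UI for `AdminService` (...) that the the assigned policies imply the expected static access rules:` still reads "the the"; the rewrite should drop one.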
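Review bot: missing letter in hunk `@@ -668,7 +672,7 @@`: `+For the advanced test scenario, you can define custom policies in pre-defined package `local` which is ignored during [deployment of the policies](#ams-deployment) to the Cloud service and hence will no show up in production.` should read "will not show up in production"; also "the advanced test scenario" has no antecedent in the visible text, so "For an advanced test scenario" reads better.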
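Review bot: two problems in the rewritten instruction in hunk `@@ -678,25 +682,26 @@`, `+Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/local/*`.`: "Don't miss to add" is not idiomatic (use "Be sure to add"), and the trailing `*` turns a directory path into a glob, whereas the removed `/ams/local/` was correct. Optionally, renaming the mock user from `stock-manager-fiction` to `stock-manager-test` in the YAML and JSON snippets loses the visible link to the `StockManagerFiction` policy it receives; the old name read better next to the policy.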
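Review bot: several errors in the added lines of hunk `@@ -734,9 +739,9 @@`: `+If not done yet, prepare your project Cloud deployment as [eplained before](./authentication#ias-ready).` ("explained"), and `Enhancing the project with by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deyployment.` should read "Enhancing the project with `cds add ams` automatically adds a task, for example to the MTA descriptor, for AMS policy deployment." The preceding line also wants an article: "by means of the AMS deployer provided by module `@sap/ams`".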
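Review bot: redundant time words in hunk `@@ -839,21 +844,21 @@`: `+Afterwards, you can now perform the following tasks in the Administrative Console for the IAS tenant` says both "Afterwards" and "now"; keep one.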
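Review bot: typo carried into the rewritten tip in hunk `@@ -1119,11 +1124,12 @@`: `+In most casese, there is no need to write custom code dependent on the CAP user - **leverage CDS modelling whenever possible**.` should read "In most cases"; a colon instead of the hyphen before the bold clause would also read better.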
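Review bot: sentence fragment in hunk `@@ -1131,7 +1137,9 @@`: `+Either by directly requesting from the context like in the example:` has no main clause; suggest "You can either request it directly from the context, as in this example:" so the "either" reads as the start of a pair.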
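Review bot: inconsistent placeholders between the two tables touched in hunks `@@ -1161,14 +1169,14 @@` and `@@ -1176,10 +1184,10 @@`: the claims table keeps `_n/a - injected via AMS_` while the pseudo-role table changes `n/a` to `-` for `isPrivileged()`; pick one convention for "not applicable" across both tables (and the `@@ -1348` table, where "by-pass" should also be "bypass").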
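Review bot: the rewritten bullet in hunk `@@ -1725,9 +1733,8 @@` now says the opposite of what is meant: after `+- **Don't choose non-cross-sectional entity attributes as AMS Attributes**.` the line `+Such attributes should have a broad, domain-wide relevance and be applicable across multiple entities.` makes "Such attributes" refer to the non-cross-sectional ones; suggest "AMS attributes should have a broad, domain-wide relevance ...". Separately, `+Typically, only a limited number of attributes (less than 10) meet this criterion.` raises the recommended bound from 5 to 10 with no rationale in the commit message; if intentional, "fewer than 10" is the correct form for a count.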
@@ -99,7 +99,7 @@ service SomeService { #### Events to Auto-Exposed Entities { #events-and-auto-expose} -In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be **auto-exposed** by the CDS compiler for some reason. +In general, entities can be exposed in services in different ways: they can be **explicitly exposed** by the modeler (for example, by a projection), or they can be [**auto-exposed**](cdl#auto-exposed-entities) by the CDS compiler for some reason. Access to auto-exposed entities needs to be controlled in a specific way. Consider the following example: ```cds From 1cf0a2de02f8b6200582d4b1251f7cfed6acd644 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 19 Dec 2025 12:22:18 +0100 Subject: [PATCH 112/120] fixed curl examples in IAS --- guides/security/authentication.md | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 255811e1e1..4d241d235e 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -484,11 +484,25 @@ In BTP Cockpit, service instance `bookshop-ias` appears as a link that allows di Due to CAP's autoconfiguration, all CAP endpoints are authenticated and expect valid OAuth tokens created for the IAS application. Sending the test request + +
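Review bot: the new cross-reference in this hunk, `[**auto-exposed**](cdl#auto-exposed-entities)`, needs the anchor `auto-exposed-entities` to exist on the `cdl` page; please verify it, since a missing anchor fails silently in the rendered guide.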
+ ```sh curl https://--bookshop-srv. \ /odata/v4/CatalogService/Books --verbose ``` +
+ +
+ +```sh +curl https://--bookshop-srv. \ + /odata/v4/catalog/Books --verbose +``` + +
+ as anonymous user without a token results in a `401 Unauthorized` as expected. Now let's fetch a token as basis for a fully authenticated test request. @@ -584,12 +598,26 @@ The request returns with a valid IAS token which is suitable for authentication The final test request needs to provide the **client certificate and the token** being send to the application's route with `cert.*`-domain: +
+ ```sh curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ https://--bookshop-srv.cert. \ /odata/v4/CatalogService/Books ``` +
+ +
+ +```sh +curl --cert cert.pem --key key.pem -H "Authorization: Bearer " \ + https://--bookshop-srv.cert. \ + /odata/v4/catalog/Books +``` + +
+ The response should contain the queried books accordingly (HTTP response code `200`). Don't forget to delete the service key after your tests: @@ -993,7 +1021,7 @@ The request returns with a valid XSUAA token which is suitable to pass authentic {"access_token":"", "token_type":"bearer","expires_in":43199, [...]} ``` -With the token for the technical user, you should be able to access any endpoint, which has no specific role requirements: +With the token for the technical user, you should be able to access endpoints, which has no specific role requirements:
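Review bot: the `curl` block added in hunk `@@ -484,11 +484,25 @@` differs from the existing one only in the path segment (`/odata/v4/catalog/Books` next to `/odata/v4/CatalogService/Books`), and nothing in the visible lines tells the reader when to use which; if these are the Node.js and Java service paths, wrap both in a `::: code-group` with labelled tabs, as cap-users.md already does, or add one sentence naming the runtime each applies to. The same applies to the pair added in hunk `@@ -584,12 +598,26 @@`.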
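Review bot: grammar regression in hunk `@@ -993,7 +1021,7 @@`: `+With the token for the technical user, you should be able to access endpoints, which has no specific role requirements:` should read "access endpoints that have no specific role requirements"; the removed "any endpoint" also made the statement clearer, so "any endpoint that has no specific role requirements" keeps both.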
From 8ef015a72526d0f26badb57ed63ce9db94dfa6d8 Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Fri, 19 Dec 2025 16:59:01 +0100 Subject: [PATCH 113/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 6404c68b7b..401cd71dc1 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -473,7 +473,7 @@ You need to make use of a compiler expression in order to ensure validity of the ::: tip Choose attributes exposed to AMS carefully. -The attribute should have cross-sectional semantics in the domain. +Attributes you choose should have cross-sectional semantics in the domain. ::: As such attributes are usually shared by multiple entities, it is convenient to add the `@ams`-annotation at the level of a shared aspect as sketched here: From eb5395566fcf4cdeabdabed2483105ede90e163d Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Fri, 19 Dec 2025 17:00:06 +0100 Subject: [PATCH 114/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 401cd71dc1..b45f46c271 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -487,7 +487,7 @@ aspect withGenre { entity Books : withGenre { ... } ``` -The detailed syntax of `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: +The detailed syntax of the `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: ```cds annotate AdminService.Books with @ams.attributes.genre: { attribute: 'Genre', element: (genre.name) 
From 848ccd41278660e6398b29829940c93133958a5e Mon Sep 17 00:00:00 2001 From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Fri, 19 Dec 2025 17:08:36 +0100 Subject: [PATCH 115/120] Update guides/security/authentication.md Co-authored-by: Paul --- guides/security/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 4d241d235e..0169c8ff0b 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -818,7 +818,7 @@ Upgrading the `service-plan` from type `application` to `broker` is not supporte Hence, start with plan `broker` in case you want to provide technical APIs in future. ::: -[Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/hana-cloud-database/sap-hana-cloud-sap-hana-database-developer-guide-for-cloud-foundry-multitarget-applications-sap-web-ide-full-stack/application-security-descriptor-configuration-syntax){.learn-more} +[Learn more about XSUAA application security descriptor configuration syntax](https://help.sap.com/docs/btp/sap-business-technology-platform/application-security-descriptor-configuration-syntax){.learn-more} #### Security Descriptor { #xsuaa-security-descriptor } From b8e86aa58ff6f13baa061980b84e29473fefa677 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 19 Dec 2025 17:11:04 +0100 Subject: [PATCH 116/120] minor fixes --- guides/security/cap-users.md | 66 +++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 28 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index b45f46c271..c025817cdf 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -30,7 +30,7 @@ This guide introduces to CAP user abstraction and role assignments. ## CAP User Abstraction { #claims } A successful authentication results in a CAP user representation reflecting the request user in a uniform way. -Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to fully decouple authorization and business logic from pluggable authentication strategies. +Referring to the [key concepts](./overview#key-concept-decoupled-coding), the abstraction serves to completely decouple authorization and business logic from pluggable authentication strategies. It contains static information about the user such as name, ID and tenant. Additionally, it contains claims such as roles or assigned attributes that are relevant for [authorization](./authorization). ![CAP Userse](./assets/cap-users.drawio.svg){width="650px" } @@ -95,7 +95,7 @@ The user types are designed to support various flows, such as: - UI requests executed on behalf of a business user interacting with the CAP backend service. - Backend processing that utilizes platform services on behalf of the technical user of the subscriber tenant. - Asynchronously received messages that process data on behalf of the technical user of a subscriber tenant. -- Background tasks that operate on behalf of the technical provider tenant. +- Background tasks that operate on behalf of the technical user of the provider tenant. - etc. Find more details about how to [switch the user context](#switching-users) during request processing. 
@@ -103,25 +103,28 @@ Find more details about how to [switch the user context](#switching-users) durin ### Roles { #roles} -As a basis for access control, you can design application specific CAP roles which are assigned to users at runtime. -**A CAP role should reflect _how_ a user can interact with the application at an operational level**, rather than a fine-grained event at a purely technical level. +CAP roles, which are defined on CDS resources such as services and entities, down to the events allowed on them, form the basis of [static access control](authorization#role-based-access-control). +Technically, the request user is restricted to the resources for which an appropriate CAP role is assiged. +**Such roles should reflect basic operations performed by users interacting with the application**. + +In the following example, there are two different basic operations defined on domain level: +- `ReportIssues` describes users which view existing issues, report new issues and confirm provided solutions. +- `ProcessIssues` describes users which process issues. They also write notes for customers. ```cds annotate Issues with @(restrict: [ -    { grant: ['READ','WRITE'], -      to: 'ReportIssues', -      where: ($user = CreatedBy) }, -    { grant: ['READ'], -      to: 'ReviewIssues' }, - { grant: ['READ', 'WRITE'], - to: 'ManageIssues' } +    { grant: ['READ','report', 'confirm'], to: 'ReportIssues' }, + { grant: ['READ', 'WRITE'], to: 'ProcessIssues' } ]); -``` -For instance, the role `ReportIssues` allows to work with the `Issues` created by the own user, whereas a user with role `ReviewIssues` restricted to read `Issues`. +annotate Notes with @(restrict: [ + { grant: ['READ'] }, // any + { grant: ['READ', 'WRITE'], to: 'ProcessIssues' } +]); +``` -CAP roles represent basic building blocks for authorization rules that are defined by the application developers who have in-depth domain knowledge. 
-Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution. +CAP roles represent basic building blocks of authorization rules that are defined by application developers _at design time_. +Independently of that, user administrators combine CAP roles in higher-level policies and assign them to business users in the platform's central authorization management solution _at runtime_. Dynamic assignments of roles to users can be done by - [AMS roles](#roles-assignment-ams) in case of [IAS authentication](./authentication#ias-auth). @@ -131,6 +134,7 @@ Dynamic assignments of roles to users can be done by CDS-based authorization deliberately avoids technical concepts, such as _scopes_ in _OAuth_, in favor of user roles, which are closer to the business domain of applications. ::: + #### Pseudo Roles { #pseudo-roles} Often it is useful to define access rules that aren't based on an application-specific user role, but rather on the _technical authentication level_ of the request which can be mapped to a pre-defined CAP role. @@ -174,7 +178,7 @@ All technical clients that have access to the application's XSUAA or IAS service ### Model References -The object representation of the resolved CAP user is attached to the current request context and has an impact on the request flow for instance with regards to +The object representation of the resolved CAP user is attached to the current request context and has an impact on the request flow, for instance with regard to - [authorizations](./authorization#restrictions) - [enriching business data](../domain-modeling#managed-data) with user data - setting [DB session variables](../db-feature-comparison#session-variables) @@ -227,7 +231,7 @@ TODO
::: warning -Refreign from activating user tracing in productive systems. +Refrain from activating user tracing in productive systems. ::: ## Role Assignment with AMS { #roles-assignment-ams } @@ -408,11 +412,11 @@ In general, AMS provides highly flexible APIs to define and enforce authorizatio ### Prepare CDS Model On the level of application domain, you can declaratively introduce access rules in the CDS model, enabling higher-level interaction flows with the entire application domain: - - a [CAP role for AMS](#roles-for-ams) can span multiple domain services and entities, providing a holistic perspective on _how a user interacts with the domain data_. + - a [CAP role for AMS](#roles-for-ams) can span multiple services and entities, providing a holistic perspective on _how a user interacts with the domain data_. - a [CAP attribute for AMS](#attributes-for-ams) is typically cross-sectional and hence is defined on a domain-global level. The CDS model is fully decoupled from AMS policies which are defined on business level on top by external administrators. -Hence, the **rules in the CAP model act as basic building blocks for higher-level businness rules** and therefore should have appropriate granularity. +Hence, the **rules in the CAP model act as basic building blocks for higher-level business rules** and therefore should have appropriate granularity. #### CAP Roles for AMS { #roles-for-ams } @@ -487,12 +491,18 @@ aspect withGenre { entity Books : withGenre { ... } ``` +<<<<<<< Updated upstream The detailed syntax of the `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: +======= + ### Prepare Base Policies { #policies } 
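Review bot: in the @@ -103,25 +103,28 @@ hunk, `assiged` in `+Technically, the request user is restricted to the resources for which an appropriate CAP role is assiged.` should read `assigned`. The new `Notes` rule `{ grant: ['READ'] }, // any` carries no `to`, so it grants READ on notes to every user, yet the bullet list above only describes `ReportIssues` and `ProcessIssues`; add a sentence stating that reading notes is open to all users so the widened access is deliberate and visible. The `Issues` rule also grants the custom events `report` and `confirm`, which the snippet never declares; either show the action declarations or say they are bound actions of `Issues`.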
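Review bot: the @@ -487,12 +491,18 @@ hunk commits unresolved merge-conflict markers into cap-users.md: `+<<<<<<< Updated upstream` and `+=======` are added as content, the sentence `The detailed syntax of the `@ams` annotation provides an `attribute` property ...` is left dangling between them, and no closing `>>>>>>>` marker is visible in the hunk. Resolve the conflict and drop the markers before merging; as committed, the rendered guide shows them verbatim.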
@@ -739,11 +749,11 @@ Don't miss to add the policy files in sub folders of `ams/dcl` reflecting the na ### Cloud Deployment { #ams-deployment } -If not done yet, prepare your project Cloud deployment as [eplained before](./authentication#ias-ready). +If not done yet, prepare your project Cloud deployment as [explained before](./authentication#ias-ready). Policies can be automatically deployed to the AMS server during deployment of the application by means of AMS deployer provided by module `@sap/ams`. -Enhancing the project with by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deyployment. +Enhancing the project by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deployment.
@@ -768,7 +778,7 @@ Enhancing the project with by `cds add ams` automatically adds task e.g. in the ``` -```json [srv/src/gen/policies/package.json - deyployer module] +```json [srv/src/gen/policies/package.json - deployer module] { "name": "ams-dcl-content-deployer", "version": "3.0.0", @@ -814,7 +824,7 @@ In addition, `@sap/ams` needs to be referenced to add the deployer logic. ``` -```json [gen/policies/package.json - deyployer module] +```json [gen/policies/package.json - deployer module] { "name": "ams-dcl-content-deployer", "version": "3.0.0", @@ -895,7 +905,7 @@ You can log on to the bookshop test application with the test user and check tha ### Tracing -You can verify a valid configfuration of the AMS plugin by the following log output: +You can verify a valid configuration of the AMS plugin by the following log output:
@@ -984,7 +994,7 @@ c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., You can add general user information by applying [user tracing](#user-tracing). ::: tip -It might be useful to investiagte the injected filter conditions by activating the query-trace (logger `com.sap.cds.persistence.sql`). +It might be useful to investigate the injected filter conditions by activating the query-trace (logger `com.sap.cds.persistence.sql`). ::: @@ -1124,12 +1134,12 @@ Instead, an abstract [user representation](cap-users#claims) is attached to the For example, both authorization enforcement and domain logic can depend on properties of the the current user. ::: warning -Avoid writing custom code based on the raw authentication information such as dedicated XSUAA properties. +Avoid writing custom code against the raw authentication information such as dedicated XSUAA properties. This undermines the decoupling between authentication strategy and your business logic. ::: ::: tip -In most casese, there is no need to write custom code dependent on the CAP user - **leverage CDS modelling whenever possible**. +In most cases, there is no need to write custom code dependent on the CAP user - **leverage CDS modelling whenever possible**. ::: @@ -1308,7 +1318,7 @@ Here a combination of `user_name` and `origin` mapped to `$user` might be a feas This can be done by modifying `cds.middlewares`. To modify the `cds.context.user` while still relying on existing generic middlewares, a new middleware must be registered after the `auth` middleware. -If you intend to manipulate the `cds.context.tenant` as well, the new middlware must run before `cds.context.model` is set for the current request. +If you intend to manipulate the `cds.context.tenant` as well, the new middleware must run before `cds.context.model` is set for the current request. ::: details Sample implementation to override the user id From 224efef459e3d9faac5b749f326131861329a76b Mon Sep 17 00:00:00 2001 
From: BraunMatthias <59841349+BraunMatthias@users.noreply.github.com> Date: Fri, 19 Dec 2025 17:16:10 +0100 Subject: [PATCH 117/120] Update guides/security/cap-users.md Co-authored-by: Paul --- guides/security/cap-users.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index c025817cdf..0d742d1c82 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -552,7 +552,7 @@ After the application is built, check the *ams/dcl* folder to see the generated The generated policies are a good starting point to add manual modifications. -The generated DCL schema includes all AMS attributes exposed for filtering basically: +The generated DCL schema includes all AMS attributes exposed for filtering: ```yaml [/ams/schema.dcl] SCHEMA { From e5ba88a30aaf21615ee0b998e19dcd54f4b2bc73 Mon Sep 17 00:00:00 2001 From: "matthia.braun@sap.com" Date: Fri, 19 Dec 2025 17:29:34 +0100 Subject: [PATCH 118/120] minor --- guides/security/cap-users.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index 0d742d1c82..4d77dcff43 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md @@ -400,7 +400,7 @@ For local development, `@sap/ams-dev` needs to compile the DCL files to Data Con Additionally, `@sap/ams` provides multiple build-time features: -- Validate `ams.attributes` annotations for type coherence against the AMS schema. +- Validate `ams.attributes` annotations for type coherence against the DCL schema. - Generate policies from the CDS model during the build using a [custom build task](../deployment/custom-builds#custom-build-plugins). - Generate a deployer application during the build to upload the Data Control Language (DCL) base policies. 
@@ -491,11 +491,8 @@ aspect withGenre { entity Books : withGenre { ... } ``` -<<<<<<< Updated upstream -The detailed syntax of the `@ams` annotation provides an `attribute` property which might be helpful to decouple the external from the internal name: -=======

+::: tip +In general, AMS provides highly flexible APIs to define and enforce authorization rules at runtime suitable for native Cloud applications. +**In the context of CAP projects, only a limited subset of these APIs is relevant and is offered in a streamlined way via the CAP integration plugins**. +::: ### Prepare CDS Model 
@@ -381,7 +383,7 @@ annotate AdminService.Books with @ams.attributes.genre: { ``` -### Prepare Policies { #policies } +### Prepare Base Policies { #policies } CAP roles and attribute filters cannot be directly assigned to business users. Instead, the application defines AMS base policies that include CAP roles and attributes, allowing user administrators to assign them to users or create custom policies based on them. @@ -404,18 +406,23 @@ After the application is built, check the *srv/src/main/resources/ams* folder to ::: +[Learn more about policy generation](https://sap.github.io/cloud-identity-developer-guide/CAP/cds-Plugin.html#dcl-generation){.leanr-more} + + The generated policies are a good starting point to add manual modifications. -The generated DCL-schema contains all AMS attributes exposed for filtering and does not need to be refined: +The generated DCL schema includes all AMS attributes exposed for filtering basically: ```yaml [/ams/schema.dcl] SCHEMA { - Genre : String + Genre : String } ``` -In contrast, the generated policies are usually subject to change. -For example, you can rename the policies to reflect appropriate job functions for the bookstore and adjust the referenced CAP roles as needed: +In the schema you may configure [value help](https://sap.github.io/cloud-identity-developer-guide/Authorization/ValueHelp.html) for the attributes in the [Cockpit UI for AMS](#ams-deployment). + +The generated policies are usually subject to change. +For example, you can rename the policies to reflect appropriate job functions and adjust the referenced CAP roles according to your needs: ```yaml [/ams/cap/basePolicies.dcl] POLICY StockManager { 
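Review bot: `{.leanr-more}` on the added `[Learn more about policy generation](...)` line in the @@ -404,18 +406,23 @@ hunk is misspelled; the other links in this file use `{.learn-more}`, so the class will not be applied here. Also `+The generated DCL schema includes all AMS attributes exposed for filtering basically:` reads oddly; drop `basically`.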
@@ -428,17 +435,28 @@ POLICY ContentManager { } ``` -In contrast to a `StockManager` who is responsible for the books offering, a `ContentManager` makes the author selection, in addition. -Optionally, CAP role `ManageBooks` for `StockManager` might be restricted to specific genres by applying filters prepared in customized policies. +In contrast to a `StockManager` who is responsible for the books offering, a `ContentManager` additionally makes the author selection. +Optionally, a `StockManager` with CAP role `ManageBooks` may be restricted to specific genres by applying filters prepared in [customized policies](#local-testing). As a `ContentManager` there is no genre-based restriction based on genres is prepared. +There are several options for the attribute declarations that have an impact on the effect of filters: + +| Attribute Statement | Description | Attribute Filter | +|:-----------------------:|:--------------------:|:---------------:| +| `WHERE Genre IS NOT RESTRICTED` | Offers `Genre` as filterable attribute in the scope of the role | Filter restriction could be provided in a custom policy, but no filter applied by default (potentially restricted) | +| `WHERE Genre IS RESTRICTED` | Enforces `Genre` as filtered attribute in the scope for the role | Filter restriction must be provided in a custom policy and is applied (restricted) | +| - no defintion - | The role does not offer any attribute for filtering | No restriction filter is applied (unrestricted) | + +::: tip +The attribute statement is in the scope of a dedicated CAP role and filters are applied on matching entites only. 
+::: [Learn more about AMS policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/configuring-authorization-policies){.learn-more} -### Local Testing +### Local Testing { #local-testing } -Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign (custom) policies to mock users and run local tests: +Although the AMS policies are not yet [deployed to the Cloud service](#ams-deployment), you can assign (base) policies to mock users and run locally: ```yaml cds: @@ -453,8 +471,6 @@ cds: - cap.StockManager // [!code ++] ``` -This is also very helpful in unit test scenarios. - :::tip Don't forget to refer to fully qualified policy names including the package name (`cap` in this example). ::: 
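Review bot: the added sentence `As a `ContentManager` there is no genre-based restriction based on genres is prepared.` in the @@ -428,17 +435,28 @@ hunk is ungrammatical and repeats itself; suggest `For a `ContentManager`, no genre-based restriction is prepared.` In the attribute table, `defintion` should be `definition`, and in the tip below it `entites` should be `entities`. The `Attribute Filter` cell of the `WHERE Genre IS NOT RESTRICTED` row says `no filter applied by default (potentially restricted)`; state plainly that without a custom restriction the role then sees all genres, since that default is the security-relevant point a reader must not miss.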
@@ -465,70 +481,171 @@ Now (re)start the application with mvn spring-boot:run ``` -and verify in the UI (`http://localhost:8080`) that the access rules apply as implied by the assigned policies: -- `content-manager` and `stock-manager` have full _read_ access to `Books` and `Authors` in the `AdminService`. -- `content-manager` can edit `Books` and `Authors`. -- `stock-manager` can only edit `Books`. +and verify in the UI for `AdminService` (`http://localhost:8080/index.html#Books-manage`) that the the assigned policies imply the expected access rules: +- mock user `content-manager` has full access to `Books` and `Authors`. +- mock user `stock-manager` can _read_ `Books` and `Authors` and can _edit_ `Books` (but _not_ `Authors`). +For the test scenario, you can define custom policies in pre-defined package `local` which is ignored during [deployment of the policies](#ams-deployment) to the Cloud service and hence will no show up in production. +Let's add a custom policy `StockManagerFiction` which is based on base policy `cap.StockManager` restricting the assigned users to the genres `Mystery` and `Fantasy`: +```yaml [/ams/local/customPolicies.dcl] +POLICY StockManagerFiction { + USE cap.StockManager RESTRICT Genre IN ('Mystery', 'Fantasy'); +} +``` +[Learn more about DCL operators](https://sap.github.io/cloud-identity-developer-guide/Authorization/ValueHelp.html#filter-operators){.learn-more} -```sh -c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider -``` -ogging: - level: - com.sap.cloud.security.ams: DEBUG - com.sap.cloud.security.ams.dcl.capsupport: DEBUG +::: tip +Don't miss to add the policy files in sub folders of `ams` reflecting the namespace properly: Policy `local.StockManagerFiction` is expected to be in a file within directory `/ams/local/`. 
+::: -/cap - - basePolicies.dcl -/generated - - basePolicies.dcl -/local - - testPolicies.dcl +```yaml +cds: + security: + mock: + users: + stock-manager-fiction: // [!code ++] + policies: // [!code ++] + - local.StockManagerFiction // [!code ++] +``` +You can verify in the UI that mock user `stock-manager-fiction` is restricted to books of genres `Mystery` and `Fantasy`. +[Learn more about AMS attribute filters with CAP](https://sap.github.io/cloud-identity-developer-guide/CAP/InstanceBasedAuthorization.html#instance-based-authorization){.leanr-more} ### Cloud Deployment { #ams-deployment } -Policies are typically deployed to the AMS server whenever the application is deployed. Afterwards, those policies can be assigned to users in the Administration Console of the IAS tenant, for example, to grant a role to a user. Using the AMS plugins (`cds add ams`), the configuration of the deployment artifacts is done automatically. +If not done yet, prepare your project Cloud deployment [as eplained before](./authentication#ias-ready). + +Policies can be automatically deployed to the AMS server during deployment of the application by means of AMS deployer script available in `@sap/ams`. + +Enhancing the project with by `cds add ams` automatically adds task e.g. in the MTA for AMS policy deyployment. + +::: details AMS policy deployer task in the MTA + +::: code-group +```yaml [mta.yaml- deployer task] +- name: bookshop-ams-policies-deployer + type: javascript.nodejs + path: srv/src/gen/policies + parameters: + buildpack: nodejs_buildpack + no-route: true + no-start: true + tasks: + - name: deploy-dcl + command: npm start + memory: 512M + requires: + - name: bookshop-auth + [...] +``` + + +```json [srv/src/gen/policies/package.json - deyployer module] +{ + "name": "ams-dcl-content-deployer", + "version": "3.0.0", + "dependencies": { + "@sap/ams": "^3" + }, + [...] 
+ "scripts": { + "start": "npx --package=@sap/ams deploy-dcl" + } +} +``` + +::: -::: details Prerequisites on SAP BTP -- [Get your SAP Cloud Identity Service tenant.](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/get-your-tenant) -- [Establish Trust](https://help.sap.com/docs/btp/sap-business-technology-platform/establish-trust-and-federation-between-uaa-and-identity-authentication) towards your SAP Cloud Identity Service tenant to use it as identity provider for applications in your subaccount. +Note that the policy deployer task requires a path to a directory structure containing the `ams` root folder with the policies to be deployed. +By default, the path points to `srv/src/gen/policies` which is prepared automatically during build step with the appropriate policy-content copied from `srv/src/main/resources/ams`. +In addition, `@sap/ams` needs to be referenced to add the deployer logic. +::: tip +Several microservices sharing the same IAS instance need a common folder structure the deployer task operates on. +It contains the common view of policies applied to all services. ::: -Follow the [Deploy to Cloud Foundry guide](../guides/deployment/to-cf), to prepare your project for deployment. Here's a shortcut: +[Learn more about AMS deployer](https://sap.github.io/cloud-identity-developer-guide/Authorization/DeployDCL.html#ams-policies-deployer-app){.learn-more} -```sh -cds add hana,approuter,mta,ams +Now let's deploy and start the application with +```sh +cds up ``` -After successful deployment, you need to [Assign Authorization Policies](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/assign-authorization-policies). +You can now perform following tasks in the Administrative Console for the IAS tenant (see prerequisits [here](../guides/security/authentication#ias-admin)): +- Assign (base or custom) policies to IAS users +- Create custom policies +To assign a policy to an IAS user do the following steps: +1. 
Select **Applications & Resources** > **Applications**. Pick the IAS application of your project from the list. +2. Switch to tab **Authorization Policies** and select the policy you want to assign +3. In **Assignments** add the IAS user of the tenant the policy should be assigned (in **Rules** you can review the policy definition). -::: details Assign users to AMS policies +::: details Assign AMS policy to an IAS user -![Screenshot showing the AMS Policy Assignment](assets/ams-assignment.png) +![AMS base policies in Administrative Console](assets/ams-base-policies.jpg) + +![AMS policy assignment in Administrative Console](assets/ams-policy-assignment.jpg) ::: +To create a custom policy with filter restrictions do the following steps: +1. In **Authorization Policies** select **Create** > **Create Restriction**. Choose an appropriate policy name, e.g. `StockManagerFiction`. +2. Customize the filter condition for the AMS attributes available +3. Press **Save** + +::: details Create custom AMS policy with filter condition + +![AMS custom policies in Administrative Console](assets/ams-custom-policy.jpg) + +![AMS custom policy filters in Administrative Console](assets/ams-custom-policy-filter.jpg) + +::: + +You can now assign the custom policy to the test user. 
+ +[Learn more about AMS policy assignment](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/assign-authorization-policies) {.learn-more} + - -[Learn more about using IAS and AMS with CAP Node.js](https://github.com/SAP-samples/btp-developer-guide-cap/blob/main/documentation/xsuaa-to-ams/README.md){.learn-more} -Neue AMS CAP Doku https://sap.github.io/cloud-identity-developer-guide/CAP/Basics.html -https://sap.github.io/cloud-identity-developer-guide/CAP/cds-Plugin.html -https://sap.github.io/cloud-identity-developer-guide/Authorization/GettingStarted.html +### Tracing & Troubleshooting + +You can recognize a correct AMS plugin configuration by the following log output: + +```sh +c.s.c.s.a.c.AmsRuntimeConfiguration : Configured AmsUserInfoProvider +``` + +For detailed analysis of issues, you can set AMS logger to `DEBUG` level: + +```yaml +logging: + level: + com.sap.cloud.security.ams: DEBUG +``` + +which gives you more information about the policy evaluation at request time. + +```sh +c.s.c.s.a.l.PolicyEvaluationSlf4jLogger : Policy evaluation result: {..., +"unknowns":"[$app.Genre]", "$dcl.policies":"[local.StockManagerFiction]", + ... +"accessResult":"or( eq($app.Genre, "Mystery") eq($app.Genre, "Fantasy") )"}. +``` +::: tip +It might be useful to investiagte the injected filter conditions by activating the query-trace (logger `com.sap.cds.persistence.sql`). +::: + ## Role Assignment with XSUAA { #xsuaa-roles } diff --git a/menu.md b/menu.md index 2a2151c3e1..4a2c265518 100644 --- a/menu.md +++ b/menu.md @@ -78,7 +78,7 @@ ### [Overhiew](guides/security/overview) ### [Authentication](guides/security/authentication) - ### [Users](guides/security/cap-users) + ### [CAP Users](guides/security/cap-users) ### [Authorization](guides/security/authorization) ### [Remote Authentication](guides/security/remote-authentication) ### [Security Aspects](guides/security/aspects) From 1613da9fa0d6ee75d3be4427ef5689b26a179086 Mon Sep 17 00:00:00 2001 
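Review bot: several added lines in the @@ -465,70 +481,171 @@ hunk carry typos that will ship in the guide: `that the the assigned policies`, `will no show up in production` (`not`), `{.leanr-more}` after the instance-based-authorization link, `as eplained before`, `Enhancing the project with by `cds add ams``, `deyployment`, `deyployer module` (twice), `prerequisits`, `investiagte`, and the code-group title `mta.yaml- deployer task` (missing space). Two link forms also look wrong: `(../guides/security/authentication#ias-admin)` resolves relative to guides/security/cap-users.md to a path under guides/guides/, while the earlier link in the same hunk uses `./authentication#ias-ready`; and `[Learn more about AMS policy assignment](...) {.learn-more}` has a space before the attribute block, unlike the other learn-more links. Finally, the deployer task's `requires: - name: bookshop-auth` binds the policy deployer to a resource the text never names; a one-line comment saying which service instance this is would help readers adapting the MTA.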
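Review bot: the menu.md hunk renames the entry to `CAP Users`, but the unchanged context line directly above it, `### [Overhiew](guides/security/overview)`, carries a typo (`Overview`); since this change already touches the adjacent line, fix it in the same hunk.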
From: "matthia.braun@sap.com" Date: Fri, 17 Oct 2025 08:54:48 +0200 Subject: [PATCH 011/120] finalized AMS --- guides/security/assets/ams-base-policies.jpg | Bin 96905 -> 115538 bytes guides/security/assets/ams-custom-policy.jpg | Bin 106833 -> 108815 bytes guides/security/cap-users.md | 35 ++++++++++--------- 3 files changed, 18 insertions(+), 17 deletions(-) 
diff --git a/guides/security/assets/ams-base-policies.jpg b/guides/security/assets/ams-base-policies.jpg index 2630000b5ff6c4d1586ce785d8930a8213c69431..55efd3ccaea36009b74550e7886f7bdbc15f0507 100644 GIT binary patch literal 115538
zQ#CL(*L}>;f7sflgfY)0qa?@Z17Lpd+fHb`oR~=dfA~RSr~DHhT+*nCwGxdd|DPbZ zd&LB1)c*jTq0lD(yG#WWt?c>)@K4-c;JAhGKN*b|ux=>`hyWuH6FYwc^SSV2UjG~X z;iVHe{r_$QO&A2rLrQD+@UHzLyYJrVf&2i&&0sF@%4kCXhLYTfAlzoT8* z|IeGXhAU}1O_+hz*jDfd$P{|&xw^yq={Kpf`!>VUikEkXc{@#irsU~{bld_r)z`}HmXD~0ruN$Qgxx*qJz*vtKkmrN)JiIs$NB=v4Eoh>|NEMXJAwvdoPt^J zI=1GIL!>BZjy#?2QOb{a?U~cqSgtDN_vT8{4uG}nKk5hkH_`9^OXB)pRE_*){B!=j z@&8LW{_+g}Up>RWgya82;jsPPOCQfh++zym4t#(2-O5JV)voUvuH)VX@l~t#m3z|w zdVgOMq1=CTb~upm3jGo>2H~;mu?E`4~3Qw zNk={Oe^oV>DTm5FS*TeY8qVv!@yeD(kovqjUKjISsSBrH!zBi5wp-; znajsN^5oZyow4?f>mtr+PpY2&GPO4rYTGu;_SnBVcjUcZ8{6F#b8WZ`(<{=>R7Zpu z)++rSYxv*kUBmSpMUd++_9XCQylQ&5`Q!4FkAn+^z$ZuLzfd>l^cp9pTjlo*ym^Dg zup%;4!ivK)gz5Ym;=X9KUFS0VvK6Foy`R8aU~f>Z2>)n3O?8i2NPmUXX8*2*L}lk=s6D555T2%k%`tM+LyVX&E<)t9-eZk|3DH^U=vO`^0U_(_gvK{i*R}b+m0~Y&aLLZOayPs(u>&)y9M; zvyzEjYe%a^Q0(W)ZIK#<4}?)7RFt9Nv*OFX_BT3S%O=cU-g~f}ruH?WYMYy4jtv@$ z-E^(U0yw^tuKS3BgZ7Va!0+H{mz^<-H7hBkdYH+W54|$&Zed=c_}nH7rGwf$x70f? z2G4#wI!JI_QetQr{c^?tv6tr7udAQHo0e7Qm2QO^_0-yF9c*DeDFerB5g8hrT=zxi z3$8Ei;2UhmgKva$LyVR)>jC{B0F=CshO+-n!ko)?x7d zRc)rg;%$+yB3FVrur|Meb!>TFl}QWCy@g7c`gu!hkJ)?=<@7r(JwfHd38k{sb@~im z^0yrwZw`^N=$O*iBO+X*v!RwP@+R(5Ie23+8JitKSn*921JTC{2fKp$ z(Hl#k@pm8QOoq|KBbh?5HSu#@hmbE1hHdd$lG(ogMW#O2+SC`b1Q*Mfky&>w zBtOw$N8Len=1FfMiPR(2kes#2p`HL-;gCt8p%d6GP}NrI^QUNir+@%q)?h~}+v|WR zi!NAgT3nl0#U@S5dScBlAg!%Y@Y@ac;OmXAiwy+=m)NFr+@|YpYTl@mpg6hR(fwkh zb@POn#_M2lG7BUS&uEEszzdw$HVnmcrFDM^thv;U-lbo0mVYg@sn{73z(YI%U?-nm z@KUjmzS*R%7HC3-DHEL7D;(;04>5`-aU!mV@nzYhf~f3p$Ww~;Gqp`@cLUo(TFy+yn!Mf| z-@Q0Wj?yWhSJHk=x+gPU6Jv$>Mvb0nGc4o2Wfw@%k|>rU(v&NA=i_&p5ns;LleB#e z>oqANc+$v=cxVPFMPBc%k<$t+q3fvfhKkSIj9;JmzqwaICwxQ=4W$k~T3oAAAxT~6 zAASm-?!Mh#-^O=sQr&cwt$lbXZpFxPi}^gy^{3TJbSI0OpL24av#j{R*!t>gt~aPE z*yreN;I_%(btGfN+z>YI!PKu?!uK%VO)G=Sx?B@6InP&bD%wa+$bRgU9_>Q8<=K`$ zHqE7@a^)l@_d4%E?W!OOgv-CNl9r=BieBtCh>_?Flai%d4L{pr^*b59Cnr~ZA&HW; zFKSI8J%+W6v?)|>PVqBp2zh31O&U7U9t|GV*>1YOc{WKfYZ1sQbk5-YPGPxHjfdfA z-$jg|E(Pubz}B&~ZtozmpRH`|r@t^Q_K}z`ril3P;md*YjJuX!ADxUP4o^xzs|>b? 
z+VF7YUH#cj!f@u|YvI+nXmxcYV6q_=v))s~0gR_ita*|nKDMK9UT?)sC#VTQ9M%ZyGF_&1>IWV$9S{c3;XYvH8Q28xqT6iH$t$m! z*D0?q|KgvPz55C4b3B!T55ZEeWdGnY+DmdQ6oH#0(#kI$$gz$jN>Up>k~iR>a!ywx z|NNj?r3bTwXIAJAeK@00vAUl?kjOH?R2MI|t2Bgb4aUMt7kgPun54{WD^#V#8?8t` z!%|8}ZkI`TEhOlASaA?hX5_LH>Xc3tWms->1;j#U5>FevT1AW4g?Khi-M6l4H3IvQ zM6yP%vYUEcmMZu6-_n&FM0o;dnOE=;!dQ76ae)JO;yc4>VX+Gez35th(L_H@+YNO}EVP~NGwV3tjeLOdBv8|9!uu~W>!XHt3 zADB;G8D_-^5KX1$_(|Na9SPnDMV7s{hm@_z_R8{@yocx#1%vKiT!d^OlS+kPoNv7R`#d)(pfY<;E5HlKdd<6y3c2Q>hf0 zH1}`4d2h80R77@pCh`;ehApkMFV%mFVY@zD>yF(nU*?)3fm+^4I_$+tXA`Pm%akOLRn&1r$-rHoV%&3Ih`DIW`AF1b!1-V1eh z^}KWN0AcUCbo4}}H~6${x3tDXtXH)SPQOZ&bji*_5g5H^XwC8RnH9DC9dCz*134kt zm!;1$s7@O9dxO@G9}*XK6n=r|9&KGN?e@+PJ#B-{3Yn$fm4OZxK=*Hi6f`;oKk>5< z$DAF@eVRO?=V(f7fU{a}%uc1qG&Bu6wl#REStYm{NdL@bM3i$o=A?)uD|I%juD9kV zH-Nn~Kr&_g(q=_rISnRrhW4W-iGd*+{QX3PlSP!eK7nui2(;UIT*u}dKi>`h;dlom zXGki{=%LJCv2$~KmH7ZsMwpzpB?A>6xgbn>*Hor1i@KyAO-4Tt#Ur)n%=+)~F5u62 z7;#>cOhI*sI6Vf4wd|!d7F^gp#Drt(2-JqH*@aAgKHknbu%T;SutSbTLVJ(NZ|MCD zp{GTPk8)gH9GIjY5{9O(l3z7w7+xC}WXpGH`*h+cdFAU*0EznV+{eq0fty+E_FT}1b9!6VJn#IqQ+3F3u$(7_CV5Y=EScA{k((}%7bzu?x(ef-s5-is z6-ioO&z7ZxBWXiBt|ysWnI>cwIa5m9$e}>SM3y@*6ug0gTDnTh=|;-On#1UEAfiD! 
zpy%|s{c3|#)x77_q0RZb&7G$3LZ(`+3=zp@r2eXwq1<<4&yeyX5Ih&p)a>~SmJ7#| zS}gnYRq3sG*RQlQ+YNgW*Q{kJK{_5`KH&1#T9aluEcxQXFMF98%sy)CmayImof?V| z$I3LXoO|x;He+QIt9EK4lz3SOQyT(Z=Ty;1shO^hVeL4r%;FuEG9b@mee2-D9EYY*m={aSNJt%haiBXKGXEHrx^*9 zhV{+5R-p~y44e7htrZR5j)T)pc7ybk?m^ZuPFVEkhoV+r&rj%;p@E$ z$TosrIbs3ndfWTa`&*A9b=)49dPRtK$s52qpv3dNB3~}zoz8PKLBP=_fS+;voV;Jh> zwlWkCWNtGHSPiG^@1FWSm7Bvh*6raIG<82I5K$j{%~CB}DkD-47`FZ%uSYzYZxS=q zBTEGtFd|MPf(V4T5Z;&XQk|etU%oWcTkbI%-q6vUIy+OfTa-fb!rOyODSJp-P*8uw zIJ2qdgkjZm>2%M)0qfKYL zm8Jy8b+`4CY)40C0%NyqOB@31iaF6|s@wCLJg9GB3 zyNWhp%_3l%xMYcb)*l~em||x>_1nJ!E*Gj&)Ph&Up?a(E1bZngMXQ@fS?3D%x$)xC z!w~@ld{^m<`(zGAw^XdBv_#K?Q}5*{N#dpkE8%kvoaQGsqSS8{#s?|uUA$43X55BV zsts@tG|7TC$r0wYRI?toj&yck!jE{c1|=Y=0;59NGeN>o4v3=|R~rF!z=rz7 zwWP&A)WwV%U?qE)>_S34Al2S0t>A7|sVUc|f+ANoefTs7&CYWOmxr+0=%L?XLWhtuJIb}8c8zkhD0T6;@Qw65j%Z+UO%T?$|r22x^R#f9<2KTOX^_n18(G#;$9A=$72?=Ub!< z&=1N6=@H}ZNT@pyle8_j09julo+y)a)NVgzThQn4nS%xU*;)5FHOa-lG1N)CIWw$% z?8JPTKUB^U{OKGHbKO-thNbnei`PI3dXWNHm#w93)jgCSP1DqYh#`yT9Y!584<7dq z?^*PVvmy;dzxsJx06WVZ2J|#Ll zTu;5LH=c1P+$(*hUfD@8ocPIc(FjXwgkA3(N=7Q;vWVUW4b-R|bG2ag1*CynHfgph za>nDyhZ1J(cC)@ybNC&%#Lt!6whsMR;>({Lv zWxsRAmbc#Z@jHX9$C&=2V~vJ$TBPwp8;Non%AtZjQA4(HwTGVpDdve}X&rw%Q4Qtw z`(T44Zu&CL6maw+ObRmTru~rah|Wlp^^nm2E-|%x8Wk0Mq~3b`0Y~l%N62=kP<9o{ z;+o5Ft^E;KRVUv#;4*5$6T9{6T$+&%ZpTCQmHu+EGxv2FBgU1UH>JXkA?I}j0jMIT zKcNA{gnO{w69H(#)l}d-VT|***QMh-IpO|>hCWxny!Aa!N2K=z_;CxE&oP>jBdf*; z6r1KC{y^FIQ9DnI&|N|j#d8*gFWlCflOuy7-vsVI&n^vqDCp|7_y|JkqhV46>r`x0 zD260%>0(hmVN29YxH=Hm0`9@u>EN%h*G7ATv!DHl+edE{I8i+aOn&*IrIpQ<|Z&m>seu0_{16}pmJchcZ=@9zITLTyzXk&f6@VR7;D`A!Zv8{IRp!{j1<1 za!9+Zlp-~xN~god%aerWy?2-8>yi|QTsieSvLe652$#3f6+`q}Ddmuw{?M}IBO}+j z9?HJ@MeBFX;4m-7$VL4-=9?Z|dejCS@ir&->b|sdhcWZ_!ltjtCKFLqzhE@mD7FZx z`Nr((nt0c7`_;So;SbPqKSeNxkB?ocrX@?ny))v>!b@X4U%hXNKusOZ-&L4<8*_FQ z8Z@Rs6)`lt#m}k^L9!3G>8)^&EQe?af@^2D*;Ng%D`gl-k0rRgtX?-uM|3GC8yrTZ zso@;XT%osd+RA;>!IqfP{zL)~#BJp@AuqgY9``o&ZK<_^B0^tkCt3co*Rp)%SGVYA 
zHjWx9r&B~!e0R7BIxhCz#|fz43X0#>(AU*YyN7XeGk_`E^yjs@hQ_qV0vRu)b5tC! zQ>HBt!#|?HhOM9&Z3k9i3H0b14#+E9lO5(Qs$Ny;eb`#b2Oe%8gotKQnq04{Vtw*R6i_|Qdq2NjSG7J7@I zG!c*@Jw!xmsL}$2BE2JBsY;dJiFE1GJE22D?+G%Ol0*RHs_c;L=3iY=-3vLyS26*(0D7$vIib)`@5m-u!;3T4^Qea1J>{P)rK zZ$~iN^Ji5!ODqQ%@)A4REic+tYmbycVc?ACgFmAOgAT-kZ#WN3S=2f7sOIIe_O;XI zBi{%c(WD%@Kx#skAK`qj!Fb;ZI2cRS%^_Sp;UFe#c)&8;`O2!$du&;*bNL=QW!)o7 zErNa$^5zDkvvvlL6_VSTm3#jZAn?>{AbQxI;#kGfMh#AHO%SSn)*tlc+|rk_o9B%) zjf3egw=ch|I+Jla*Hnve0o-*7{uQ8(=)f96rdnQBsg@eqLv#JYb>oOq9>#XFIOvx2 z@_eND%tiALx-05HLEe9qVTB!3Rgs4UMYk|k!t6ISvLuZ$2a7sj)5{3UREaoPAtGJU zoNSOb@Ff?;o&5F2O8+h$c!Po!j`7+G3L^TKz;cjM&uCf> z;DSr+zAkD~jFLujYBh$*wm*lREA#7u!6XaK^wXxmdXtos%?;?349Ep4q(mrsh05IC zZ~~UiT1wukXON+Dd^?N0yE_4e_pf)~iDDZ1D6T)-V)!cewsV<&{FW4F`iHU%R&w37 z%z$OVeG}eT*V8N+LDZO+89IF&N+6FUTy^~XQFFxK5y?N~9(JaF4IMmj$pw^W{C~d8p>sQO4{1ZZBHepd>1?b!g7=z+TPul}|8@N9DAS@eyBrm%SP(mx}6`ZbX$o!>;BM9wjj*YdtAbBl6p z-?v(AmF!rdz)KgIj^@LhQPw{hiVN*z;GX9*hH2EV9;;kXm%V&um{N2pVf~@PEk^%Z zIgiTvOf~3s0#aLor@D!D&sehT&0+NTmmso%g(C;$C}FA{Y5s5$X*#oI6-1mU>)UNi zZZ_PQ^~G6Onwzih8Me8TLlkFNv24pBj08l$2L^*({v?y-c&aj(#Fk#R;EgVm6=NDp z^7(q6nb;t?jh=I@x6N&n;cPpN|37vRdbsy$tnd4#sYnb%o=CZcC0m5Bh)DL*s=Bpq z=(p~~zj{zUiaFV;XG8vD?KPhQ>J;+$8*!mn(JmIPpG8@M2IHsfx+Fp#(I1D5xoJAM zzt;Zq$xb+%nJkkL<+5f74JkfXkjl`-HDc4cAei6cN2G8?ELF%BhBN%^IGwm>NxSnw z{3&CO&NY2XOooWfvRicgL-rB|C6c}}|A`y~aTMGULyT_5Kfxr=7X|~{BXLGF&`FM> z4JYblr7P-wdXpP5{q{x{e$=8O)`{M&1M53>i?XAkS&{!(FmUme|Gzg=aLk8F2;H{g4o30(*wdIhU z_&APN&ILr>6Xfh4`O4b{X(h89g{o!#(8!OebDYHzh7;18Pf!*Dz1*YEn!J_+{}MPI z5SwEVe@Ofv*`*`;OozSk(uDK&EX0xd^>AY_V`OC|1mLB{=ngDoT4__#>23cr#ihSkHGbTHk^mJ<5Ik#!M*U@jE(x zp7`4ToSTAtw^tt6OmT&yiF>H-+nGO{IH-%Kw)0Ubb!0D!_z^@+a1xSwEO&n_UU+%< zU{F-=D@hvK8BaUf38Ka;`pL0e#L9{0?p^s+B%$RAU$=)*zUV%07~JTgAA^~{?}jv4 zBN7>5n7AQ=J1Y6QhPMsGq?|H){t8%|KB}M`Rt3NV*y*?ip@apaoaW@j3+$SP&YR?$ z=64LzCWMF6tHSop)WxED-9K}EnyU(g9>r7H+n9_AIWrSEdO5T8DE`$QxDPVHYDaQn zv~x(|YS@a>UlOfr?2L+7>3U}xoT)}j5IbXc@0`wKNxreV!EbAEk`FW=)9@U^rU@6Q4u2(W10T5m_Zcn_ZI 
z<_7?BZABi!c}j5UGbg~xrat1-3V%IWW;1n&HYItIC@y)}Q1v`eQmnbU?w46+TtQfi z)Aymhc>~+)k5QM5sPH~eL=Fp8S1SW2qxm+CeG?*5Y)S8(DW!z(b%X=^YavgenNq30 z6dx(6FC&O!BvHuTqevf~%C2%>V=TPwNql$HW+m#nmD|oBb?j|J!m_tssVZkWuXX*s zs$1g|5|ZEfm>RI*S%B!HvbPY`8&mvfrC4m?R=or*5xjxhUk;?(E)=0@Y>6bhn()NaS3;|oMB26dFQ{kzVQ z!I_53KFDA^G!Om?bIQ^le&+YWY{CiQE!pHZVYV<_AJs7TAVunfV#jKbpjMkZZW4>= z$svb(qn(N7%=>Pt*NAGI?+iHpygR+=foRffe)bRn+Tn#+HoRr~Vx}GGFO9oU83(Fr zx@e@@5oW6=y1*FbQMbUJ9>cv58sbn(`}h}VO5xM?{cF+vewH;8y{%={&v2C3%;<*VlhJsj#6ul3M| z2a%Zg)lr}zpg6GMJ)m$7AWw+9eXeOV(xJ>*0<`EXU`&r$ijzJ7H`JnUc)Qx@8<8HA zdRkTELI>&RYwvzHs+B+dV(9z!xSFIo^fH<@POH-@Y^xNZSO8X7EiCjwRMpIe8@)POxb=^~=Tia<;R1QbMn1F+Nj3t^ryVC6k z9E`K5Fx_Tw{AHiGbIV`ds3|e$e|kcf9I?i}RFyaL0|Pl&!GO@J5v$`Zve-0~R%_`J zv8{vq5yQ@f;R_iMW47b!CJRl}iWrU^MsRKR@3xm_zRxC}3iwcKS$yD|@V zMuG2xS+2G0#A>-l-D|<%`sv?sG$C9sOSyk_g9aGK6zftMr%}W# zsJg|Fo%-N7&qZ+jSl+dx{he#k(Q+8TBZUHmnOvB)+n{M9wcWLNFFi=vqDIPq(DJUS zcjrqUkZtn4#Xtows*g9#a4W22SDU~X^3T~h+|+Vz41Dx)u6hC*87a^6bdFEN{Dk$zj_7vM+iHL9G^EFd&gA8bLH(eVopLiO zuUD8-?kt9W4Py=byY331hSi?eW4(H`so>gJ=WvCmqQPSEVH{)=c+EUOIASrIZ_a0$ zCACaGxZWJ6p15p$=Zj@SB7=cC@wed^1IRqc6yp`u#)Io*{RI~;*)!+DIeEYe)fV<8 zkYlqw9<-7A`{2ZWj^jJ#fCxBzpY!baUxKISf3IgsX7@Zz3O1Hn>o>}KdUGB|?eY~E z`q~IE2?l=7FXiv(=pb%|(_Xv44UqoNaf9fU;QiZ&D|RM~U*OspoGImFVHwrx>^)tG zJhylGMnC2H0DY5~+I^iYPRM&)Bf6ao?~TNh=HnWuD1d5hjFsr>GR%Ii$@rEfC$)_U z(M+M%z%a3FrpXlhDVv}E)xqn|-Y9|lK*o?sz_%DJ<9cNEGJ#0-4=TQV# zb350LN?Rt+>E+McIX1VShnvtL4w4_-q&T56F09rfEmugEs9Dz(u-BA$RV*l`jx&OV zFfBI2a1BRAugXs90=pVP8DZusLFr1`d3s&w(!l;-RO zAcU$B`;QvxxdrwdNGXcWa*~ItCn?vQX!cw!t2ll*{+5(w&uvy1yGKVC>G7z zJR4}qf;lWnBXvMM*-Uuq0%87E_C+&1NNu3vdB+##yk2t=Abm$W9zrL2DtdQ2TP$81 zqY^S7Tk*44zN{*@d{y?bsa*>;b|Z<;6ucT|<9K1krWze4pqQyBBxY>$2$PMZndf z|hLoNOL{)vQvtD=lnz_6aH)ak_;i+z|};R2 zRny|vlnUb1bsyD3Jjczxuf=Y<&$l^e1Tw+<{%QN@z5dfM(S50s$4}fYKM`5#vphI- z1zXq25`pO()`7E5H6@OUUf0#HB%CYLAIFFLi^7$#eev#)d-FK7nnid|Q*W>ZnJKnb$9R^kAg+`3vNqV2FVc8k>iwBUk{s(DY0rh^;GyN;3X1b_>eyFZw z{lrDZt)O29^zViJym=pz{tbkBXABp_&U3V%^#1pk!`xcCDKmAl=cQ`ZTdvC1?~Ew! 
z{_&zeA>PlyUZ5e}?X);f{ppWLr#fvGV>7Tl_3m@q2eY&E@&BXmx%^*!kM}2P^Dk>l zDl1(ph=4Cn&Rbz4D>|6eatlYH5o+Gw*P6-Mx=9^=QNxI0GHpv!osplWRBXypb(wjb z-lpoN5Dj(Hq22}!8L3E%U3G~(e&33#-YcIa*-MTjbWV&pHAW&Mz`Gn*)Riuuo#K+3 zR=Z;VZlTZS#V_|L70)~DDJek>q!c7f;*4Sbk}%QUY`QjNoiig2VlZ}EHSGOs&b~_9 z&X(TmS)%^Oh`YyL)L(|-d010O0C03Wu`QXo8Jm&*n2@H0_-jBEzf=z2 zK!c(|)M8-K?l!=>5;9>~g!4rU;5;cw>{0`)nyP$p!cl{dqDM~X-u4)CLz)9*k%$S?aXaI&~ z6GukY$9e_Ch{L)Wi)~9CbdTSG;omGBCtOTj1)fTTuo*DHcj>XzU7b|=OG^#g7tW^g zl3-n#XUyE&76lQRGqHk#N7D|eX(szu624jVC&*6cNOK-6@;p37^!A~$bwkr_QGVa* zxQ(^&tf}0%vSaI4uwQXEROEH2niE%__z+wHcd#Y}MAU@(Kg{VPM+e|c7!aSAw{tru zq{Kd^eqMC0f7V-jFX*)qWYqh!X<|`S&cUuk^mlQ0#puXz+duiABOsqLC&jtctenw^6Tj1XB*^v7I>a8 z*93@&EpRka;2K_~3PbpecC)L#1Ab5`DtgkJP6ix8UNDsI+8F2i@!?YY#-otJ*F632 z-x5f#ge!<3{Yl`&nEO8q?HQUX@}QV-9i%YtbeY5Z18(KX0i{}1I)_K#;p1AX5y{%G z`L5cLmP6@(6q_6PrQ(w`1+{$WLUw>!P0?z_a@ zv}VuNoBD>9xcLP~FN6$g;4rs{x#!e*xyFC<_TY5OaN>HW{x+}Vs-YbEW5-JpiIg}u zFmM$^GSdF#iXxe^%KEk{5J<|MNg%jh8PyJmJYkk-(HJ@T++A~lsREo|q4DUwG41=N zCcDQP%wLC##TUQIC=Fki%?nw0K3g>1pt{NT=YnORslF&ks`{=y0^%y}*^-is->c6Y zU%AQCqLp1#e=HVLb}YvCA@SL_{=sYkdn`L&r<2$QY{@=Rvp{eT;V8|1cG{@_+o`PR zonG763u3b;#uC5gA%w0>OJ6dl8vZ4?j|bVY2Pyxw z9T!P)My`VS z1HKQ6)8A(UfA}Ot)x_02w0e{hrbzrSDvh_%)0FKfT;V=Wwc}Qx73m&NhI7+Eipv2? 
z!`jJ5L5D}YyhADavg^m6wZ+RTaL!s-<+`W4o(v{25+{8gG~k!DLV7A4c?qxX5|$FY z4}Tb_3@*zd!d1(;qJE1@?Tb4;v$3Ny-8G1Xe$HS|5@!8;XCWcGMDa*@Vah<`RqB)i znKs%v-o!cPtW|5^3fU!bqKvwcVVCXqCFNCC-%NGm`fgT|@~)Jnr24OASP2KwO)?OI z7{CJc=bAc=r`o$Z&#TlfpR<=VdHv+*&56O&$8iRWYj#Rr{E*f$uhZRiydpMDb(|Z^ z-a@_G)LVcuIw)wLJY67la!NL{8JG?HsPyuqQc_@k=KJE|?MRoP=~NG@;5O=MyqhyR zx}6O7d9S z*P7E&-KD?NzH8Q8j|U6!ms1Go_U9cRgZP4-bcf?%vDDOtgf61Qw+GxKIxlr6WSgIH z2@Q3xCm92=U_y2)QZOUwcHOB1a-$ui;W)1(pgKTL?~|uekB;T#U*w5c*Vd$zWKZ7 z3?>yR#edEbsfJ&L&M#bLQef+`Ukp`r6?I7-u1?Kc7dV&gG+d-6sk%bFXoe}O8`e{p z?v_!xDE^bCGv#<1tKi$*h^nuzk1b5M%j9;+jj4UXK|nyGzIw-a@AGMOC;rJzl0QA3 zXr^eYg&Z>pROp~H)?Y1=6?L5V=XNGFIoztVnWm%G34>gFJUlsw#!idtBZb`^1?IIM z3~udK(&yXGXJ(u9w0$N%G97&VwoPkVXY39zHMTP#-h`?**0;w~hIZ5?o2C^}lYR88 zwR|Ugg#7OY!X1DjqBcR_z9ePdeX7y+4DUMOPZH26cvJ5DYcZe`f)>=Kn7c_73lP}c z3P?S6^60j-=m!r;b*4LiZT7uz;o6iZ|5^?q4AdK4D4jS2Z4z(D6=qr!=FE((%DivL zE?8Beji&0Ae}QU`m1Fz~Q4A1Xi93^aFD3p$ofl?wz}sY;6YCNAK3z7I-o!D%0sQ0do%T z4DE8>gR_>xHaY3QFpVxr1s;UJ$LWHJRp0IN7|L4u<)>0iat6cgVRZ}gpO5sywQHhv z+vB91Dkkn3A6mwHrN*r~S%D7%)d^ku^vuPJZkL)gM^fj9`-0>Gig0h_bv2(rsE3_D zoM?bkJWNx3(()H!57P0u@`}{R2yoyUQPnnh|-U2Q4VM2+S_|isfZx%%=((Q$l-KW^((ncqZr`*|Y;Cu8Tza|swa?nvv9eyG5v`y!Ti!3r%_-R{e!^D6PF>AqMkN+-z`tBO0VEGB(TZ6xY{XB{G>g>Uq z#}?TmBu<3;!~T}3d&#~MN}zl9>A35Kiszw=G_&A{)JiyKeew#8Kes&xQ#2~4Tl4vm z^6#(}{ok!J?+}v|)sgT1TDEz9co%$K?>748H_Ea^$Hd1wAn`gulwPoK{p<`7T}fWl zHeFqEAd?c~ucLsYb{5du_+n%>rGtp5KEm!sW+AP8Xu3-Q_tBo>6+BvqvwZt|+9|L8 zz1?~gNxG^&#Xvz+@gJdoToYx++2q9qdj&4qmdw-6PDnorNX_ed)+4s-5k+5naIz>m zEEa2oL4*@W8GEvSu&V+HX=;R%+)bOc1oooIRs9E?1rrb|r&-g~Gllw3Wd3JHj8;WPVi4a=}Tb6B~IYMDrI)2&d+R^TCFkuq6O~9wRGPUAU zl&(@)f50VLV}!puMmf@c;E6Dzq3&3_0-R{4k7LOtEDWiJ2z$0MxTShra_3m%q%sfQ zMV!9JSK%OG81j?jjsAqm~fXmY*WYFnz1c83yg0k=s|rcr3M68 z2I9l2Z)D3V>M12yzn6`;eOsEUVLLfa7*<{beYqvW#g{7}B*B z^B~2u~_FnCaRHmd6+mmm3e*K zdGGdXtT*QOVr6}2%{oWSo%8aN<(aY0i>d$5BhqrC2>z?@z~r!)+jHIp*=OnXdYN-z zIoeV2OtuC-&?VdSPfc0932spCefrf9v1R>IiC2%SD84y-VgXnLIy~KUo77${EW;QR 
z*Jzas+e352y14shc$$7YUC`kF0FC}V`Gh_tlA=P9L|=lm$1hgdUG>3QiOIf&0O|H} zMovyUJrJH1p&$(#m^2)#D+hHoaYoiP)MG>DIr2Ps!yO$T*LhYoq|Q%h7+Fw+lK6h} z^o}zJLXbomwwr)T0J2>W_UZd`Z0FO1h<8LR&*NnEezzyRr4>?H-*c3l8!r2rnE}hQ zdheu!%JdUPQ_Zpd@#meXmtAO;e9vEQmNBf-%kKLw`0W&r)Z&RT_nzY;$2`yNk$w1F zrFxurnE31W`Z}TSo)VnW*Y@P637iCZj-2tVKE&>>!guR?p`}OgGIaGLBbbQ!+8B!)B{rePLQ8e(d zzPXahnDz2|ZlJ2;iyk*A!Rm-RhR;7M5nd?MbDE|c4#KRUqI=HA3d}cUa!j`mYnmro zUSKv??XDz)9ak~2)1zNJVn1Haa)(+rSa9yLW(W zPQ9ESa{761JAu@yA!sb-z|+@n}09=RNIX+Rnm- z_Or^%90ouJWgOs#7G?UgOpfJ2_L3hlt9ql_>7S&@Rhif=!-Z)@av28@L9(uolo?j=l>ceOV5qMXLQ8#mx%$g4+n z&Nb;lrl~o|)9^C@NQ2C5CEQMPuuj2WRl@oG6gtl@#g5pFmzL^VDEaC`Km4W?%21pS ztO@EPppo8e$?M2@a0Us_z6Stxd~o8m14#GnBdkHg{3mkM;NR2hG*-67`7CG2i#_7OgOh&vS+!rZJ?Vn1^yicUQB&l^UuK_+vojj@~^slM(TOH zJ~P;fu>9FMXVg)C(#1B!o84bCFf__Be|Ev zxM}GQgU=teZjJM1Q;lCgek+)SJTaP0zN4l8F;mb4K0&wR+fuEdhs#0%BpLHwJ9Xkp zXZBNo9cqR2`Lklpix|@K7Z*)n&0WN*bzg2ruoZ*T#%R^liRTk?u1}9=r6~LG+Bn81 zKUd4&1l))7VfR5qo49(^u;CkwUwpW;*!8cnhjkv)A{LWmed6V1iNN65#|h4l{>EJ9 z1?*Ud|D40wDAxifdsAO_koFhh^70=ss`M>tKXs^8$x40@5EGEqD^)svU1H72ltF&^ zgxTuSj(7@06`q&dVIV#JViOjV?v#)}S1mI>ub<6Tw@n40SP&1EHSKr?l)@H13Rc@0 zdw%-fZXHhyt400A1$g{|z384x_cbUZNWo2_O}|yoDVoarMl97`(>ep#O&&hbk3hqdh129*gKy7izIUJG0Ghzkns_ zwx)G{Hkmh`*9z9pHVSTRV05JWX8df+BA9|bpR60}wZG#f8VUfSL7ZgvNT1%KwJKyZ zok-eMMPSXm{BUcrly#K8`tyX$H;QbTWY=U-J6BVU8Pd1qtlV&EEa9qW7P|62?D(jw zol;ydAPj47&fZ)F1TX-tDB>wN{(w9KETIsVEGAGty;dZiN04n zj630>1BYQ3C%GsJD;bW8@9^ht07T(yg>5r(23KZ#_jxR(w=TDm{`%@V%ci3O@gn>!pno9F+iftMk#UaZ)Qao8Qe&oG5_%vs*2rW@ zS5hRP#Vilq7Wj$Ip)`ecbs>GM)|UIAzRYn30Gl)50-8%_P=9b;N@!d%`n?~}Gs>pz zrwPP6A6H}gy1nZI;y|^dk$}spNMp)WH|jzO<6vM=zG3#pQCuScQAa`2k-pzlOyqj^ zvn&+0f|4jNwFOZ_P?90yM`XAs$CT7g?%z*Yv*he+l--Z~$7ZDw=`S6lxWAZyKz8qj zyerF1SHnXCP-Z*JG++*<7TNrMXW{ZpU3Hf3^W(B{iH#54k<>=(S$(p#N!b;MtED!2 zB)Tp!~kXz;gY_ri$i0pr4|A zy%Qg7yf1qF+s;x~Wh;U}@p0>XROkE5f}!C&brrdyzirR4PCu_L;V_I=b1v*fpFazx zsB=#kz%)Dp=wSX^iiyX&TiS^ef~+u+1m5I3g8kfIY|AW?$H(|H}dV( z(R$VC^Bybrx*h4F6D0*Hs1rtC8Rt;J3G?v+m?yEQthOE1d;L{6}Uu 
zYbDB`7#9B)`{|s;;n)l+lQ=hf6Dyj@Z|5{v|0jNEDEzqqhJ-V>P7f9-=_)`rqre9g z+PI1U>zw)cE}%h)Xko=lT)h2_lg``T6A50;GBhRir5qaNsmu9<_^SL+SHYOvveV1Uz=SPbBvNQzGU{jIrm^s0T;ZMi zy2Xk@=ej1Dr*J`hbIZ~B51h0g8o~^>V%h5AWZYX}Zc+8Nlk6O&o!v&t#IO(rSR&L6 zR^GopcJDznYlMGO=T`XeaW)NRazm3_Y*4$Yrj;^X;qQZYzll49E3Z1wtM=9cgz}66 zuMw_fPzU2wnC?EYqR1`dpG?{NJ#_JBLEO6os+HrY2Bi-g*Dr7XilQq?{U>gvIf$mu zKoRF{!gW)4+Fz71b{^ygQC)AkudEqAZ@x|d|Gd7{G5GtIYRrVcn`-gFEGK67BW5t{mQq_0tK8n1rC~JnXne*fTPhEG*Phzg#Ds(%l|G|3hAOz3 z8bW1^DUiYGF&s=>z&J*|2}jF%WSJ9O61etP zi7L@@8=s;;AXmbhM_y$aFwY)8MzslnvkxE^+bk-q=$7#tv*B8`Qtt5amk;BlbAdGC zg#7orfBeP9WjN80kw8vmf*`5Q|GI_$uiE?nU;eK!jSI(gt3N4Ab!qtsZ-}?O`$mA! z3y7ahvl~U{;NOd_ya8lAqVRDd(e4tXUsgQs+tH zFLW%eq}ZQ#Cn4j4+%Unf`#9%!eW}a9>jCQ~n;;;PK^kP!PHH3^mf(eUX2Rv}U5j?f z(EsY%O)JnK81XmyseEreA%ZMQo0s4c(Loi*N!vz>*Pdv(hh6sLHEhDxg=tg5@?O_G z-8lx+J=e&88)z;4xXb(b)0=OAk@qAA(RQHba zDKt*{p?`fAme(+QSM#pqWToSHeKcE3EcO4qf-UY9<2#OS=6$FSQ;%u)n!@q|d>=0E z-CJ)MdmYde&C360CzU(9#hq=^K8F&y#*c$}Ec|M*cONe;Or7u91$aJB?PsJ((A7LE z{ZxWafh4>G?W@Hg1_eGiIfg2{MGr;AWOqw}5f3Y%^B0-=IU#(;ZazZFrcz_t_j&nk zabw^o^3CA7Vv9y-C*Jv5Xgh$j4FC?6aE5Dk&Un+Z1>Wu~ZS;A`V9B26*GLM6)YPCm zL^{1&u%{?4k`M|mpS2vmcwV~xks z0$%K*$^pgEf12NUQ6NdNDzdSH8ki_ev8K==mV7(z9vzO2(6ZHPLNao;Op5!^!Um*M zj0PZ2_R}Z=p968+o^1lQSHIKi3}7=(+W1b7JO2_81_L!m5BWaxUxK0MI6rgFTj_T? 
zo>3)DA$_-IPT|wJzyq|?c@B7lMA8Vc+P4CMLOSoF(?G{ZPk{%|ZcmW&(t2%I6*oq> zolh(uQSjq`mvH_6_~-l{jhXiw?hR(|NhcL?zmBMU{Azq&(vTdN(&Ontzf`i+sS~D1 zH(C2Ty{S42#mTzUCOK)arQN80ALLE?P?ONh(7Z(PUxK|)ZYE_NbhQr%n7L2sJ7Dpv zDhZX#%msB{vf3kl3|seIOV~!OX7JsYb)Y-oSYHN5`wL^m+v8hY0k`s}VlU@>GuGzj zh>`77&6r3giw-GIUUn&V7~`#|9pVMdi8We`#%$-L$BTv|Zd~R!XQY_{GE|Pr1_kwq zTc(RO{Gk(L&^rA;ek@a72Kes0JuLMnhV~UOD@kU1Sr&;`=8dT1BG z$;9jpWM@`cmOP56 z)>8dNeQ$$=8hF34G2CPs>2%PrAjOq}djB3WS0vl$CJ&yko!)CmofD=RXTY1Hp#hwL zmUGg*U-xiD?YE?t7j@RSPzE#2)2<+weJvRm8H_yHy#<W7jIEsh6X-|pUD4<2aG`Q|{W;>jI=Gw+K4%#NU*pOt;&JdG z(@xbz)=c00y)vr|c>(VvtKf*%Us*_NroxjMXm7afHdU5D8PeH*{%&n*s10Oe=1s7C z>GxcX9y=xDd|--|nU(J?w?zF_?f^zKH6Wr$DL$bfzCWDq@FYp^Aj`oRB%U^>hx370 zX&zRv&nLUqwbTKu0uo<>3{qC-0?}KZ{tg~ecN=FE%1#U3KxBEYvKN2LigZ>u^gYin zJJY``(HPA)SoUm9OTT($jspVJDk)Z8LA}wAk7XkiD-j%r!v#ieHV(%Urd~sLIs_y#6TV87X;T6Yyr;M9J3hi2ad}Vb%X|E| zKlh(Emv4Q(ODsgX?K;!ELVDX9K-t1xU~0SovmP;W80#U)tjjh@%DnILk9L9VT7I2Q z{PNJ6Mlj}B%dOI6R6qG)dP9Tr_j32Si(|QYZJYoo=nQ<<_kdOrt5vivqq@=Wkh-b4 z4Sth2obZR}>r*3NfqirG@l}`p{GEtDiDdIX9%i=|%P;}XHBnu_Z22b4tuy&B z6)atmIh`J$pr3F&orb4ZJTnc|&<<_m`^Fc$^>u{EC6CQ%k?T=VoE8;3R$~o><3mQD z?&Lf2qO3NCi2BbzURW)k8REu>bb_-(&gGC(=h-w9WzW{_(&17}H%m>T$Ml}$umj6E z8g5%qsQw-8-QNx60xOpSv}g{tP-OvQ6KGw@R6ylv+sPU~X!S=9Q~4)nNfb}sKeHdz zw!S6;H%FM1n=&u+;=CLdu$t#Df*DT9T;|4E_|n!-E-dv}2{xNlVn70)sZ6dmGsO5^ znboPmtR+={#Zswg8Y*trrLkJ7y5re;L`}z2zj9W*_V(7{KP!P7t9RfI`KPdwv#XLG z!u%(Z)zokFg=%Zc_rUn|hsCRB`85EGQ1mJQC8(*RzyfRh)SPBB$1TenE8#>#&!1I9 zWW%oPr@TS=(I-B5vg;i;A?8Z!2TkvF*qDZ$_mo zQ%8loT8|Ej5Y9N>VSf_f8_IAmAX8ioGh$RUFdy~Y6E4OFVb-9fdC!DipSbDC9Zrm% zXb4OBeDCd}^byJHq*2>j{Y;w;E6Qffh%B<)9z-I?U$PV(iI>im|HE|B*2B^tuldJ@ z?R5CF-fb@@h1J8N5cl6kZ*2yOA67FtF(m{^NwH0w!*B;u?fS@dTWkxvF+xt*-p7$8 zAyNBw+3;X-8dG^7xk|;VZl7)wbs8Ps8Zk=t{jJp+^JUea53W;4NFFX+8%v@2B*)JN z9^o?V{Ct3MS3e!2%@NS?{FW6rLwAfcoY)GJ2xAs@it>I|-LL$INW`_**T)bT5{7%S zctsqY)Xi}pYhG;O4drRUnv$nB#J!?9n0@035~Q64qjeUxn zPhQY|lRRnI7C9j7)U=?%X`};rY@4on0K#0DrY@tey1fHJbXrIU2OwHxV3xQ(hb66#(yUMV1vBtU#$B 
zq#3(#lkK9i7|41jVzGr^{^q_sOY_cD$n@$V-08)g$WHA!bnyUHT@pmz$2*ix$Kdn5 z|CNUIKU1;(ufI&$@_7JF z1;U$Le@?vqOok?=FRq0ht*QL@g?L3;xv9Ap7t!4fE>FiF2_w(`mbbIOKStL(DObblP_fjWNk-$aOWH(PqoNLRyrM~@=?F=fVF)(~H1Hd__>45nSa+BBc z{#xFDQnkZh3YSu}WM|M$c_{805MXIl$a7mLl286PupOpyH)1*}t8rdS)0-Z7kcSP^ z4qTzc8+)wr3%fV3P?*{K9L&U8<(WbMK{@lpS||3d_qENc1P0`VN>iqe0M4w8X>sSA zoV0}JJv~l2XU-=e<`q8&*4R0!{OX_Al5VV#l8|r``^n2GI!da=4OZ~!N5#ahPwHs^jr!dpQ(OV0uMFH z0Pi^YBp~d(jr#;o?ZNe?O(FYVf`EuJhtDr8Hc~DRN8Xg9xQXsXU4Bt~7nEj7Fa7(p z@zjGJqCVN1P_SSkgrF@i(|C~TO_A7Ncc*doc*r$TThBo7dFOw?+G;p6mba^&dg81_ zzH+e>U>g$BASn=A>c2v6dkWvQ7;Ai9V)8tO|bvKGN?@B}7T z^GGm+i>$eNL=GC2>4$jw6>^be#w*zqW^4jQf+r(tZ7W41Z6;4Rej`Oh!tJ zb|8+atTmlb-wa=Ap3s+_DOLg-kcYv4L%(Fq>|G%)ld)gHoM!>YAf-|fQP%BATqlI; z2_Ug(y;s$mq{+zVv=-Pf&L1rs#IWZ1EFFJ%Q{Kjf*8oxa%isum0v@y@eqxkIzW8wz za75dEKt5O+$T(P{SEJ6ObNO>L1QXIv0DJZROEB--!%3hZ3~SdNt7qrxMX-o=mdalH zflo_CC5{c-jbaCfiR_1IO4E*0@RezgRG*~(=`UwL0uDj=ZftbJ3MSz1^>P&M_WC?} z%Adl2IGY#CQGKms$06UIJ<)BfSpf6Z%HC7SMs?n;>JhVh+{i7OtS;3GPKh2=}hYh0lh=Qs}3OY02Q>|^1^TVp64jN&7i$)J%Z2RO^XHle znPguQO=(<%0YB+K^=M6o1$09+)`0((bp=)-Y|{6pCbUJ`n~av}F@fc$k17oBOr=KI zwTm@Ni*Ag)y~AhFb*ES|cW` zqUaLdsB?}!azG*28-+s&34q+7j@KY4B^0F^lLy2`;%!QC&L)$1dAG{N4y)W9uV({M z3y_H08FjPk`*=qak%v@e1^| z%beJPv>*^l4Ck=SGi4S33eisLp19hgA^Na^pyT5Y+T)}k>6N>;iy-PYQJB|iTT%d) z{58(@R$$^xlEo@N@|UKK3r2`63C%Q@@~T1N<|vI_pe;{f4|{Ta>`Qz0+cRLg zedv0y^A=#ioGry?qDyv~TI*YmO$LQi2F$qKR6JW8{;J(C3M%^QGYwPV#(8e_y?}j` z4^U3(ZorTiyQj28tSD3Wa@%@2lb%q0i}@@M-2&lw?zgl04>a8td;J0gfpFt;ux0?+ zJ|YW#Jp4Q+^AYoh=PpzxmzJHJtj_L7F)XTm3pxMbHitc&*))YOB0fz{*$$%?LN)ku zX`PqfIH)kcY_1)B^K138NNUA-==;ZVror}g|H5$y2af7I3hUf6IuGhiSiye;afcdxzn-m94Tdu`=1Nkov|Mo&!O-`ag6^WOKg~*CGMNtp-*KJ=4kdEoCF?vR=sEhGSJ$+B#6O zPhqZ50YnBsX(xhlUqK%8B}tx)zU70JHsUJ9DaWqMEzTRl%a7BcG5{P3*Y|Rj?{6FJ z0fR7@^!ezZL)5&(mJJ*Av|=05p}-&$Ac@*w@y}rJFA%P@qRODSe&=R?4S9qeX~J9O zRk0g#R^Ge(ZKj6Y9@pENlGr)28hj?^2=KE?u@t3fsM>-E%B|L+Q!!RPF+9gU=l$}D z9IuqIvaFht>v(50JPveG>B0LMqIzv9=6&MA)X6R{^z^r-PFd9lxSE8|pHX*TS!KUy 
z)TR6Ql81bJhb}{ZLU|DA`R_X?SR!!@2>Y*}8wKEBNu_Vwc9^>Ph#ffQ(4rRd`^{EL? zZU)pDjCtmT-OF;IZ&%Zx&lj#%?C#+ac9N5?tOMaWS4>I`v=4reMFDV=J1C92hb?E$ zu$lLoXIG{rD2WqHr}4V&R`4ibFg#U}*}UG!>bP%+Muu&|t;h3T@XImK zq4Vq~AGZapLCt|5&o$Mg8yxQ&g|S{l2CYT#V+U_|qpy`yzi5v;QURFWZ3IUT5>mfctq9bk&W$=n}ywGB9{wyv)nOZ8Rn zti+G<3~E<(#eJ1C3KYH}|DZ(=nf<-$@Qp4rIg(WMgN#4qy9NLORD#>WR{?=%dZL3D zjm!M`70hnSL1{X=g0G$#Kz2M=6Ho4i>`7{u7bYWv-t!hDjWl75K&*Jlj`YS9^a~~S z9I)4$_4I_qJa?vmfb{I>+{PRJQ)e^juQN@Dm82TKqDE_-Hbl+B7vSk^rM~04qa@lx zPOo80TZ(XlN{l{&qsWgBSHK=866C`xbZX`{k0H;C(Pg!PB-6ml&5IT8DVdajIeyE5 zB{dhC<2uQlmUh9)%1Uz-tTf1zz+j-OcpYs*rY-R3^aB$0@%vC#qUPk=k$Pod05Jg`Xw(g9<_tSNVBX~Wo5v3~x>G@3w7=Od) z-O2r7FK4vrHzml*CvKTKr}-7`O6reqB){#AvcG^yjNv z7&WSC@q7kBJdm*H71zkGO_S1C8h|ch8kuaJ2%xtdta`(fz1v#WIAS1D)=5U)@l<~4 z>v5xsuq*s@ql5-?jAQ*oJyn5AqHB5uDI+(wB4NiMsZGisDw=Zw`N%Mqri)kh+yn&_ znLalQtFLdzJ~M+V`>m6l*JkZDe;%GR+D2!k&lr0iD4(7BqLQ!NFtBf^OY@dZx{c== zH&>vT=I7wa4o(J;dr9nkxy^28CY3Q(FDl-PDEWH*VQ1Qh#%P)(SG@p*HvW4E#ickE zbbaX|g|}pux+#D@;!d~`NW!fG*aW1jZY*9cP&KslE#EqEetwB)a=NxlF1%!!UmTb3 zP@KuX-&|Gj5Z)FP6l2kj)P>;TAfA0^&51&y);p^WmXPs^?-5(N0Cn|YxANj6O@|}Z zg~%^x0W)wRC-4DF*&R(R8w#K(rRz(5;%6)@U>v1b_d^xd(rQju)5BC=!F-mg-fJf` z3?ps?UEBm!0+|u zWfoUWW*0|I-m7jm&b?7>9)LwG&`uK;rBIVGg_E5ukqz#C7@&u(!wNc>`*xivfCbvG zV@$NzR@o06)dU_G%sNsQ9fRHjDpSmBh^P<-%D=rU^7_CbHPEl{@LpVZ}&w`iqP>NWS2tOfMWjxKwHFk5Pe*icB8DKV(yJF ztA}-4+?lqb95%W|3Zi;NF>~WE!>y$Ej1Z=2vFWLbDCsj$JH%hHC>~SGj41g&^_@mv zkH5DSg@T-yoRYEQr>`y!1G&?0nE7E+XJadgIQfr zoKJmcxev@ouYQL*_mhUovNq&)#Oq6I!NL;i+DLEz@W(wx3Ws3a05&vv0X$uW^B?yc zFxDSN_5t7w3g3>FMHgaap62+}oRhe9N+6#hbP7@lP0ebgA64NbYPq{N_<4CYj-#iQ z1%-g(AmBI&3A3W)WW>?$(wtsK10%8r=;s3n8_xv zcz1SD%T_i~88FydWANaG-EG1WJKO|M69mA`xw5D{UUZ*@gD0gaxxyy8tgWS~px(UC zLN|SUo;aQ^yB>F9)f+&EgLLiE!33~O<=AWMwJ-G3Ua+M$tmfS~~$E(Ngq?`2~qHlkWG?3hHjk!q(&z$l5o?A@+Nw9Ou)+bgrKjS>w?r)OOhNbf&euQ788iyqgZ5mT-4BhzA37i%SJo|dTLB{2j;y!(O+ z^4Pw;wj|as$T7HJTj%hR#K4uAMZvBgP)2;HU;WBR(2 zmxPehi3j}FSI@Sr1@^T0mH@Df3&$d@iR7cc1YNERS6tqn>(6;DI!5A07A$7tMRq$t 
zRP&%VLKxc-0yS>;o}kSt`|EaD6&FRCU}lTqOV1< zV8gE2GQ3miYI=;3`^$MpX{zavJ1J>Su$%ZUicbX>8Kzwo#pUEt1efHdbdc&=$spos z6J4VS?9y>1$VHq!P-VWE`DikdNb_bRomksCoBOJ?#hs_ts*T=jW{WL9=>D43JOQm99;Nfq8AUpmFs;d!Rx zLu=9HPJ;(=uQGJg(yyo0SHN9)k9Hkw#ICl<>ttGJ>**M3i|kn$C1k4fL48qM1c}5u za&lY?OW|{k0{9RheL|0aNzecaMYVG9v~8rbqxbNS(U+BU^Wk2s`81EK8f5kg!BjLG zYM*YHcyDxkI+x|#GLM{$4y6t4=VX8xF4%z3*%3QPL=4MdHec!+*ZjH6P$xf&k+TzD zyC;)%OzbQ)DegZ#aYc-xOM{?Lq?zL?IIFxY7(DSXc-Yla@lX_i3ADcNeX#x>?X>F- zz0{|>`z|@aZO(&0iaDfRT-}bqLeR9WpeS7WOg8ntR}6{wQ|(xV9uI-pdV)!Ci8Y0* zqLi+$S-4D>_YGsX{r&Z3BE@lWqX22FslvQ@+o{iRSP6ulXABeuDrv`jCDOcAg(ANR zifNy8G)ohDVe{7w2df9gC|C?wSJb42$WfwJAen$bz; zM8!F*9Qu~&`N$Rd4HrB5exKCc^lCJ1i_0f}7_JM+Y%0s%4qqI{2LT9HU9Iz!L>0_# zG|asKpS0~THu(BT`Z-fTQqYqtnX5@blmaIW3cj4?I^XC8MEcr8)Y0$=%}jL3X->9T zm|hyXv4mmtPA0!=BIhypoQBH1E6}JFx(lbM>Epbj7p`_@1{nd}OjgLuL%K`tW{xJXEvyK%#-1D=;rOxuv)pmQ-UzLCvS*1^lqB_lRp?%3FIlN=r&O!Q= zngcRBv$c0D5e&gB3vKp=aDkv+m7hal%2D>GvA7nKq#LJ_z;5`y_UwwN z&Uo<-TYe1ai71I|KQK$QZS=s7X*t;47YWrF93+;Rg$Ca_zDj;Ev0LhK%e@nq*)@Y0 zvEr@bsH#P0#8*5VXx8M2z)Y*xjfS$h+6s(0VmYVhdU!G~a#tX4eU;e0fd z<~0)bqt$NIRVA=JUvZA3dx)1XgUf21LW;5$NEHB$Xk-G!W-QEp60n?h35v~Tp%Pfy zs3Ig`R@PtyCSGJ=F~s)m>CT0z*@&7f-3MvydV~(H_-g5W+AURrrcLMwgsOr@*JwgX zvcL_cpD&i}U#s#m7E@%E%b0177i zq27bZTBh?-MBB+A;}o{I?@Hc2OBnpnVj7XYs=W_dFz^w-iQap9m*TEX5yi-eP7?jM zg)nO#uR#^VI7H1Rs6&OR6q^;{^M2zRUq{i1gv2NExG)Lj^OPmgMX4=KuIe+{en&-! 
z35jB*4z={=mCa2#=bX6j?m(-++et0&s5aW@TJcWtlj|fN%rR*ZBP)JGsuXO)ARidKd2JD)O<-o~z~Q+w(q861BVhw@fA{ z{f5Ka6_C4pAN@l=VCAy;^U~}Y73jS4}>5#B28VIH8Yg)=c2N$y{?r-c; zuJ=Qdgxb>R3a$Om%;|cbl9wNJ&z*tS!WCpWcd`f5p&tCnGtF2;E94weeO!vLdm+%d z4Yj?K)KTau4RluKd-QN6vnnJ#d8V?XaISLJx?9yu4lN# z?LKYsNh^)5Bj6+Y#oY_?Diw9w|FyHWZL!Z3 zUNJ=aoWMPB%;=pFsR5@6%8?C0uOj=J1o>ynyyq4kZ3I!vv*%0Cle;tuj!X4zgKv#| zXPsrTe~>q0W7Q>9Np~>}D|yoXo?P#<2Ufwqe|WTxF|pefQaw7J5XyARk!rO9P4Lm5}o(?(o7Ye<3hD}KnbJmH#f&VfAdAv{1J*Y^+34-bhJtC%(dVrzLV=5KmT9ZA4n< z*hcxXdZeZ}M)e|@lEx|MW>O4aJoi=qmeBeUFzJ~eD_zcUOZP`Clu)`VgjPn1YEBGk zRfVzcbA^?2bJ3loymU8^zjoj^Ha#G%6W4wEs=bRl+0$Bgsn=^05J6t(*>iKdZ4(2I zxnTAu+Waq12^up{Ghe@AaKfaS>qJa=Cxn7{1TSM6!M|S{6hC1+J=c+c)yBarfF45lngv28t!_$Q`DpHNQP#+aCU1GyMZKr(N!kXK zypxb$o)6o%9We{sbzewiC@W?@vP8;8vF(U267fN*$j=UH&tNvm5BZ+EWO}aSTYv-m z)T-2UNd)O~1LhJ2ImiC_J*Ks_a_Ls^+4Sa{?-;>cC27bDXD>B37yZgCm8E4Zk&m#m z7?rBUI^~B4EsYHIlTynX$T8;;=-0Xm%7c?S#t$R5!>*&U{V-ZB0gXyvMm;nw)xcul zQ-=vooyR4gA3wUe3~PDZHMee~@=q_KptN@iMu|~*xg?T((K=AJHI>9wKaY#oSLUA; z7nr+7SfOmFI;q;T+MtTwof<{&KCv6i8G%tQ%!(;H@ld?3OczC-Jd*G>GWej>AyDpM zZvSWYuqAE*Ev~eUbb-cb(aesf2-tP>F7@lmnjbF_($`%7cuw!8 zJ-1x>-ZI7L{c&rkt%UyggV(1Ehgk5kdiZEGjj`&4XyeqoO_?%FTh$e*P+tilbDM5; z>M%`{Fh!P;Kdwc(|M)5M;g^l)FrFEh-BuRc@SN!og!XWeeOY;UzpK&iymqY5wI-BG)0OQa$~7O_22E?0S8Hc4c2)&XF2;-@C29G zc8);I&~TF-0HMKwzw!YlSB81#Pof$3jM$#bsyeXDy1Rz%?}W&Pvpi_JWNnNslqjvw!s57UJ(-@!w7q$?WqbbV_xmrxnc$#^@z^nGPE zpt#hP_~_xt#(XKL^*FdWy(F?kNyy75XVa=Zi>o$zXNNl5>si>r#lDrG#Oqzeaz`=; zvJ=u9e@N=#?T>ItLdVvdDGuXzq&C1|7ALd9+m5!HVO%C2wp$%(R;8(Uqz$umDJ2JG zc@!%1I$c`2v{-~6!YSe(V9yiSeIt}^s?2&fp|}~RE-k7qqXUoU zW)22m+t>`;S$sAei|9ySeMD5xbE#BVPKi&*km3*-_qEOx6LEh)?aJ#vtYCAR>zRYc zH?7Mh@;4EB4W*lJ8${uc_&p*c0W4rNya<%Ab8_osAR*OY_zzaFeLVHt&yo zqs_ESr-M&^IVej1U677mls}=C-%pkb#PRY zcy@~mqgo7V$u0-A!J`!RALd0hat89Kj-ko5g7RFn&&)u?5G55+@&T0-93K5LY8Ay8Mlc5fRdj-GanOqYU7h{`Z{ zeM(5Jp~~j+N9+*HACZQ$F?ynsOCW^rfVI|`lIR=PhqiH2*3k1nG%j&NAtZ^?7A%31 z$~r+sw<`11p<}x&3XdOK5kXE0+pk0k}i9S 
zf4+FXOj437E|u!ijL8)Ns>jLZNUy0pbXSyJk}{~7gR(TiI;e0Ky02)FvXH^yaZ{K& zXTj4p{_!*Sia$;!cPtq?|KNiLZ&7K4E2gTACG^cZn-=r{1yuLE;*KjW03 zStJG3iyUDx;TPo8_sWRM1O>pgO{ihY%MGM&sddUF-v)|u-^W6!vAw;f@61i8*}_!s zdaH8RvH!lWpStwW{>w@uH_*G`)v@FbR4+O|0ZMfcpF9b&xW=^80HT7u|B$q`r+?g1 z@tIs_@vQ;OtW*d{pOd!!g48j;e{E?63u8&Lv*cZ5;`@G{%z{({%I5vz=|7H$;cH6r znX^^?i1T;?fnkd1K3p%2wpKRQ!<4ky2!Hqb4g&Nz!`bxmcdd?8*F?Sw!BW3Gsa)zF zc$k&|q>9WJQ`5YF@t)Lpc)Pz@d?Qteu|5zgu)fq=7}KIJ*Io3>F=bjJQ*d;7i~-O= zul6R2dd?;Ac?*}Lt_UUR0#_Dm5lf3X*Jog;6A=Dl^UO7P+>D|)ZPs+0U4QyxAZ%S$ zKC8TMa6px;-a)ZaSq5x$7F&HZY5j{>(Rr2H4@=xS_l80E5!od&Uk2nK zrqxeju6dx+uccZe^c}z#$%G?47EuaKhb= zMK4NMTUKmW+Uvl|!Cr9*#h0eHa}-bTgeiz$&AIZpBbGcll=T^_3IdU&F)W7EaiP^3a+|D>rh6qz8lW0@DsP6DKRr5Lo5) zjP-gMxl4qhJ4Jqh4X9aVguRyK1&L?9ZCv5cG`xE-#%Ku-;PDUe^pI$mc(`|bJ4P^-fTQ-&Rr zbJvqj9D)Td%P0Yr^{0_|)x}F;n=H?*Zs#-TU7_#XtRc{5kc-Q=U1xLfu|}6`x4jG= zn>GvHsIzey6<|fk`Vki>Y1YK><-E;fjSm_+OSGEEleG4QBMQq2w%+K_N-8J z920A)PXBW6vif1&(lc+}9Fgl+ElPPaPys{+)&-{z@BnNux)xT~6tXCCOB1x_lM(3l(W0eieD07~ee{e!H_eFO7_h`ax_ZLDxH-9I)nIlgc|xY%O4BBfGm1;14w z);5Umz4jy>&Tub7|6tZ*SLC2>r%wh_+SC@Wgn!fU;IE2v`L2K#WcrJ2-^W1uVj%x{1P7qYe|JKQ(x;};i z-r+|oTZL^&50f*&crV&8&V36K!_NWRc|XXoC=j|{I{%oxt=W`50UQvcj(OcesjN$;A)jvTE(P^}fAXN7fL zd1F{bDDJMDj(Z)SUbRoVS17N~XbS?Fq~p(iMsV&e8taL?Jm=e$-cIi8w1K2?L& zG;ABqmBSH(>M0&dEYAMgxcsHP4v3(5!Y++T#h>h5ZKc1{hEBYnN+VPCL0dvg(JNhu zPcki?U%ubFT!0ta!i|(de4$12Kbkx3&Phq7t-^wgNB3}#?b7LiV2$qic4Cfd#I5JG z-!!jx0Kw2m4F1XwG7SV8OkzX<(i0bA7bzA z6}YjbEzBmgU{7{#Y7}&DH(esoW{>LX8fNFcm)MfT(}k1#b+vpE~<-1FUytNFSx_^Nyq`1R)nau7a!cB#VNRR1i@!I}D zhS&5R+M35}e|P;p06ylnY#a@eQR;yQ4pb>>^;R1ukQM9xg@6Cexqr=~l1op@R47UB znFX7&^MvBor{9cH+gh^94W?IY7y35hwnH0^5{drD5h@I!BaK(XZLoPyM889AsUEoE zKJ1El%mu2>aA$NUl6TW$daAtxS8}nFTk4qdMVXqs4XeB-P`$adHv{MbV^_Zi4vDU1 zox{q--Mkt?rC-EUguENj3F~y_6*0wn@bDZR$wNfIGnQyHF11)eB z<7e8h#a*HGcusGqn>7sftrHj*9Sr(GcCXjyRYS73Yt@e1#K3`jE>1G^3cN+B@jT3U zm?-O5gqIL`O61GqPt5H*pA+Qnb2?qnw955uieu`vGqZ^=yun63mGh-}Z9<+fZC+q- z=c~ZFTNR%xTmZZ}ySlPUy=NNB<`rK 
zS#dcJUQTzHN^#IBPE%X>;ux*Yb|@ujDC@#;CX#AEwv|PDRP;OR`-b`?>zZ9LF99y0 zB+J!+RL$1MsrHY^7<=bJ=bKIy-Vn!zqhmb>m73_MfQGEs-4ASSu(Bko6F_MKOKx!n zIz*F}%`I*2ZkVX>hP=AO$p_z(yzk#4r%re|5cD#^^<}WUI;&YuY=E1-{;r09)~+L5 zeO*F@A+UGY(uqY(_vX^20#WNbDBddnCZCOsZ{jFL9CA4HoNIuYe}W&J?$Aiej48t* zFmvqld-K-V8;M&* zahmcxVOrFD&m5j@RkLMj$+4M_js0O~Ogb^svM`Lx0qEq7t9=hBf*>-TeU~lyg83Mc z_mGCR+VB^@#^r3z#Qe!FIr)DG)BXNCgEME3lw0g$k8jf+kurd6{yShGD{xwofI@j( z4#%37Yq;7gzL@_q3E95@L?1CSUL;|}mV3$3SvNSIRTc;rTT2<wslo74Z<=zmW1KUepk#lnBy=zoOKf28g|l+=IJ%l|Sd{wL|t`z!}x z_ptg=!MPiV2l=kG&uQHQT>X@iRsE>)%@b}q33vD25>_RrqY3f{Ts!g&ylB4lAsAEF zT>3$=oB}~jlYQ{)6yB-v8L1m6k1#2Yr zcgs2-OSHcYK>2cP5k8Av>_BbXWzxmK;*(c>Cx-bPgq6MMq)YU#R$m>+9rOHeRgVB z;!`G90?xHN2Hd6ozHZpDP{fK}NxM2Har}~a@p9PuU63;ddD}^IkQY4r7fnq~U`mX&^iAV8bde3H&I_!@WRe^w$f|mTe*DtzL&T1)eldQj95J`$1O5-WlbW zuevZ4#SDy}h;~Y)rM0?Mnt%6o67#8Kh{*=z(@?98?I3G#_NjGAb+5WUP1kF6rFHna z1rwC`mN5_nuDxx>WJ@(tw1s}wn<$j*Rw^&B`w;h$G&QtK!fcZOH~S?52PYGRY>dAu zK_!`eFAu1w<>a$yaDH>q@4ER`L-=ie)T=qO!}AqasS#3P4?cyn5<0$z%3_uH!J?=}$cI2Ek{=iF9u z9@R!u5=K-ionGywvwYWRrmsJ8D3XQWe7vrO>kR!tw!-(bf3sgDzuBBY@@o4icNTq@^hO@jKTW@9Fj5s@QTTsl6XsaBdiytmsj^p^saUD*9wee1nVk2fPHbcXQ+P9>x_2q& z^RMrX$vzW=U6R^jM0EXlXVPI8!VkKV&;szQBnWm}~_{raknVOJ3llYRO**Q%}@} zyJ9P5ByXzo_VG(3QJkm}JAXqtB82sSM+}2Ki?N^3toF{%?m?D}bNkC;J54zc#{l66 zC`AqEu%)k!0^9$cduKC@p8B8b8LIoe$q~9vSExw;%%zq}GV#wIx(WPGZaB(Ou>E4# z`Lplx9Q69V{^aj#cns^e+v9NVF+N35@MsS=qZW z33OD`g$0QgiES5MsUGulitkn0a5j$-3@9L{kaa#4YI1=Ffj3nV{6Y4%27BfQ85vTX zWNyM)cJ~KaoCV%3xG4hJWxt{K?q+sAZ+bYc{P;Z*GR3^$RJs)6DO(#0reZ95cVOcjW( ziBkO_OBsW==3}*v8Hb*N@TcFvztz@#6eNun5I+HiqVEr~!wdiB>aVeB@i~|~>1sXi zH?0u3&K#y!dHSWnZ`|%&-^-gO6*Ern-I}3BSfO$V`c>b6RKw{}fG~~YWUa#u_yVel z__7scpbFEm%;S z^@GGaj|b0kZwWNMS@BCvxb}~IS?Y1F0#U_qV1~puXMhvu@;W&8%~iO7`^XgWgRFN0 z^iQm|8E1gIj*~3l3$<|KQ@{#x`9Y=(CbF6X_LCgsFOL;?8GrfY+=L3ROD%1}KAd{i z_Rwmj3F;GI=f14S`m~4$SgNOm>tJj6dz7=C_wVmUHA*8E1;Ps}ULa@PZzb$sXG*U~ zp0ZW1n1Tn<6T9_i;=Yq}?899r{y|aGuLQ{hX^VdrAO9UiJ0E~^DEa*ywEoR=FwI8H 
zvm#5T`q2DEOUj<}2DKymUIK$Lol?P(drk?ADE36~0C#dK+o{Q1e<^_2ir=p__rH0u zY70S6A#_rZ2wM(4b4UYA$dk0x2`ZuJul)y-x%EO%fFUB?v9IoW_HdnaA&nOOet|Cn z1FDBf53}(yB|t+dAV2@*1t@}eQb)an#gm;e~4j<=P|IU#szc3#N zaQ|yME$tUWWQ`|wk$q6L&LyLfc4)9G!`dE-^2GI*7udVmL>Ol%ZpaM^XGasgI3p@% zDO&btJr64gl}PQvLfb_ux=;0uj(sH;I@O@(XP6yq3xSva3*+Fw@XZGh(f=gvbN(Vr z#%E30&D)PWBR;H8q}9g9XU>&KT7PL%T4zfu`zRHcD8yAqu62)@SGaVI=2s4b{v@M- zeCz+WGU{V?2N;#n3a3Phv&`8H1j9j(M7PEKGDJkYog>5&xKIv4tf?(>w9RY_3!IvH z$GMgvPyg%D15XV8Z$9~*0%kC_{viTUAx;}FYaOE}F+x?@nA$PYx^R0$FhOXjk2iWb zX-(c>4LrxtgxvT+b`^xN0g-OPf4z1O1RIo7=c|U&Jj9mkIgDAt4C-h&>?X)=~jKlmt}NKbtLo zvB!!xVnDy#DA2D8;%{oKf6@=?|2_#d!SGlGzphUA>{C}|bIdA+b0#_N#p3Kw^imzpwOJp;`DBUc1a4{QR;!)w-97N#w;|EXFIT%*rvvqDX}fN_K<@En)87z4r5|8= zpGHGPT(fACSljY9P>zE|)E{HNUNz7q_bd$Xq_*;HKBsxgAwhEZ?y!zGYrtXSUZ@3Y0}F&Y)m@97rQuusULqp1X4*{4iZx#-#w4Yk;x7RZg{ zot4*qmsXxv5FC=U;aL6fzR#---U@g_0RU!K)t~*hEQ>k3BbEw`FUK5cVr7z?NQ0B2 zJoS&A49Yr-YrZVdoyzb1)YC%l^d2ja;9GLm%}O*Y#}DV8eF1PZoY&Wv>yF>Tg|+=1 zRjCNo@8msb(=PXrRmF7(CnV>ccML9Z)IajVDOeks*+kqoWz?QR4WY(1tEM-6;D6_q z028{QQ5_-Y_6$bf)JIaW>mO)8yYsf-GSriU@)FdERku^;)z>hI6N|N1ALtY-Uexi- zyrn9gV>|fM9xzoZr~O>t55}{s|&d}6y3Uj!QsY*MShTtq8enq=7z_-t0NjW@ zlYd76Y%<*Yv+|7r4g5RKV686T_^w+y$NTP{AMz`=952eNM^=5CIV`;~Tv$|1ljEAM zLP@@}z{cj{CX01dfE@(TE>BNuj`ZRM+&=KWI{)zexEJSBvj#c$s-67JBIJSexb;{> zs@?3i{Cd-_o9iS5UJ67`{-wq=%ZpMGacvZ@{R}VL{_egFYEQQu-})}M<;Y|U-sz1> zeDv+>13^d46Hm>SmZeAUW!~}U&sfesE3m4Qo%iiP6)f5|U`r2_c2rk{z+e3>H=2jR z4E~E700B&-mH!tGW`k&?h;R61Z`S0}>IN8^3dHR+_TQwH> zarRecag9nHlxK6cc8<)=nGET*Bq(fq+&w@VlgoOVFmM@I&kU!smHB%6&{7a0gWNz4?JZ>#v3vfpu18*@aYy1oQ_6O* zZ?&NYWAj6P{e~Z8oUx<@lGBIr?O+m!`M8BRU|4jK_Gc{i0x(pR?B`(75#WzszW(_y zAj4GVOiZt80}&XdnvQv5>gh>Tc9;Mwd;6MbbTvQ;1X>qTw&MCRqcu!`0xpJQ^{m7X_gTX5n>0uQ+ zRTKmH!`pC2&NwNbYr<*fv{$_uZLdu;DOD*2#co2}@be@}YXXRr%N%_wL3k2eisPZF%0wYP@bM3;0pJqI=Gol~Z<(tBkM_s<(4ibbG-_ z`^rT!)62XVg=EM_EIbxZ9cmiW;)rz0i%IhFSw@PU)%Y+~CGyR44C=rA8Lz^E8ND3d ze+^&gcS{aEYG}}~9Hg(^yKXfzEwbe@*~>wFoQTG!5L{sQvCK~$@ELEchCZxy>15o( 
znw7t{*lgh+Ao$|z^__dbTgmmPm@?5kdV@*lIyO#*Laumn^0jlnj2~{Yc3Ae?%u?d&K;FipC(Xx9JaHJxK=s645UBmzglJ8(R=5t^wX=C{F7R&&{y90M%l ze3b86(RL!wr*Y`+_O{fA#S{SvbqUQ&lJu)05uCXU#<+gvbR~COHKwv)QE}*rW^3z# zk%DtOyA1C8HZ)5WdQ#Pw!x?qHyT!4Og91Gyy+_-+`(;9$9M8Gn99=}>+_)IHvb1>m zdsTGF$|zrmI)P=y#z6P_b>KwjH=7ppLD4rP;b(5 z@#+M=J1}*id)!)_DUkUN==@bB?ZsnbjnCg>vjfqcSikkK4Y!bk|@w!D5up3iPP<JK(4=s}e0bShz?zeIhbL zkRX3uc87OQmFw`Od=@|6JRg4sz1{UF4{yre)iw=}CUJ#GOGC)q=0u10bs294OY6}A zokp=iwwCqzmkuv7^7>S9<{%BXvkh=A#5JHl8IS-D_;8%hB#E1Nb*w_9;pA%j5pRGj z2Ss&thN}I?ob}UhxfiWPT$aqQb$>(N&%cyLe!XA;9#&b)83m&bl?LF75b;D#+Q*Kc zhNY^BLP5pwd+s0zAjJ0^x~&Io}qywbq$WGsB!=XNR_~7OEkfP z!>@+Q2CA%f&N_aZ*DzbBHQ6^eDgMU%@to3lqmQc7o1roM}r8G}}~5Gad8r zdtO_gHKda+mn$Kf&Rt%pyIS_a_{yCz2(qeek6?gbU0jVV38f2cv%M)WNxn0CBDU>D%Hd#PR&fq?$f&%$i8QcPC2Qm{_iD!NQ#~>Cp5k-Lz z$O!C0*7Xr-C|#dAUi!my;6rq1^UWfGNd9#9mmVm?=(llEduq3gRIHkAujR75`q=hd zY$wzOKe@0Nn6u#ZICoNo)porEJvOnmugplIcjw^7bP$d16lgp+PD)}|*Qj|WX6Kx! zQ7c*eph5$I0_kBj(!ya{AKe>IjEl~Dy^DQDwWD4hVvLqIKi!$uX2YsX z`t>R#6*psUeKf5Y%XWSr)jUs5BFBRkE1DvRpj^D$1Qn%Ik)Zy$VPg@ zO38119N;?LtSE6bC|d z@P13on4-BfnzleMtMai>ZX5kiLwvK#v$GKmg;iAS^-1?cGFnLlFsf+uYhPk_aISlU?fnk+mQ|8=}z(fX@?PG zORQ~Ck+sW0r#;9a?AwY(5h7LR6rIpnoj9Qmkh|}WxU*9stPaRT>0q*|u#$^r4e!-4 zD4Kijv}c$x6F`eC0EI_yGcR8)${05>d12b+z)<35>xywhe{|f_)-;&z7||NdNdt2p z`A&Nhrh}!Z1BMTVCZ9)$0dpn`zU+GCjEcRk4htGrs&h@%GBQKwh}KcnG+GfBV^Yj| zL}-((v(q6LK#rT%%A8A#uR!OdU%;G~#G~d|Sv*VL<5iZn=^3JVnw~&9Xm^Tb3mq3- znasY8S3Y~m-nD&(Ag}=-qH@CwM^xzW0;VHMqKo3E*Q(Ns@}khef<#p%h4x62REmEN zWWa7EhrQMERPoAJ7Q#eKC?Ei}RzV4*6RJy)lf-+KcsX}i=Y%OebyA}@V^6!OMYfm+~-m4+_$Jhe7NQn41&MSult^nS`4>Bsa z{VZ);=mk79sQ61@R3`vl*?GWH(#m;3^;F4A$jDUb3OU-MXb_ z=?`nl{eRed@35x6wObTLM5IXOQ*?R&~fYrQWDdyhi=wO2R}ZWp>0LBD1?XU0I6b7zx`aCheN;ZCvtGH^<>M(PO*TO z(d$LJR;O~bZ(a)7xYdHrrZQ9b8%HTu2-3*YaK?@t*2c#Y+Q^NTH|2B@Tml?<^zgCS#s1C2 zHz(G##o(&#AogllbjC3~AS*l^qIha56Kn5%_X|PJxt{V^ zf?5Q%u|^$DrMF;^LCwDhGj}#68I|{TiZ*6jrL#@3a14?z9Nav`scWP#KS{3 zy2h+)8{h!kbrux6E+$oJ58L^$Ew_*^xtMU-QZ=>BbFghvxu5k1JmZV?in)14#HZA2 
zIE%}r#f$o@Vz9_lo)%`0f3OTM{E`1#T(C~ zPFa!F7Y7Fb#ZGt-I*ug`xepU_KQt@Mcd5$qus-ilmueV$=5|`ln~h`T+!DN^R+5^+ zIIOk4|2eRAQ#iFOcyR>yH(Cu#W=RiNhB(9OoGNC80eVr^y!0a?}jioN$ZyE7( zJ5T0k%GTh&0ny)waB8ytnW|(-)NXU;s!yS!no7+#QWz zTuGFBAAeP`gZY~oqQCQvR}87?w@+yKk0`aV?hE-kjr?3uN+{l@-pG ztuIaF+N&Pw{p|M%;FEn`7;)y&fnp6E^4S2yNKgfLL#kCntqF3~KjnCFWG1DoyN=Ku z@!?yov}eYEl}t%+v4(=i^in&h8oQR`nC}ka^o1}|G`A^NKEmbOOpgSz6FlY6yOs(+ z7At`FMFa;2M!Kgo1_saK}2L2Q|3>6z+Vpre<3RBgQRv z=IJ-uTWEHJMw!Z#gHOn@+)sHOY9I73e5>WoI>@f^-QPy`%Ip|#KrJFa7hLr#;D^B)jXXi@jG)WTf)&|;Vs@DyJRFq74i1#5lwqn$z1!+0+;rdT zzDumyXrbj=wi6&5z9WM>gF0i%JUoT$#@Iya8|#{~mvOfZEgje!&Nwg`1$v#j^LD*o zdC)>$6m-0MsX8y<3^qpY@qE|M(cm36EB#|3vnUj#+2oFsN6#{AeG^nyD`5wEDw^ab+%`$F)FX68$O)JKc zOw5_hE+(L9$*Q-A2B9#D&|C=LQu|B0$wZcKg*VfZCTt4cu3w39OgZDqB|(?`?0vHh zYu&FRc|}}*PPXcz#|qy1$e3>>t=ix2mMI~FZQ-YXrI9YWNTPTL_R994Y97#(PhTJg ztR0~fPb0WUS=e}kNXP22(S6-vrS0ObLH*>?p^FB?k56^WlbK$uB$S98JQLCsI=P`d za{_U%5*0N7A)AU3N6U)bCQxnQsgqrcw_r{@m0-6t1*J03_}G&OGdsP`uR14x)4YFZ zHZadu{kGtY%7VB|UCqvGXDBA*+LJO5ev?f7LNwFRhui{jXYT4)aIt*i(O5upv9bq@ zRD=_X^jXmcYM)INg=*eVZIf08+*EDd`2@;iwCb>fB7+lG*{z;fq^do>%qy3|=%8{x zJRb8v?--mY2Gcyak zSMHX%Bl_;L`ZxWOvE2=rwk|x%`)FnS{;Y3NcUOMRvSj72GN|0(8UjS(m}LiyR&j@{ zaR{zCl)&l$+~m$6QfQT%Pp>0SAOgp2XLQCT{`T?^BWBy$jZe7i+jdqy%L{~7?I2Zd z~$qn3fTCJ`D%thsI4`&;|1@-u!U$epGX1rNv9J)T1wl>Ec3AokQWX)z7 z-6tATGDhE%6f8X47mW;43DxP6!*BGiK4Nne-ZIn&ob{f~ZZ566OaG=R8zIp1vHfiD z_Ap$TaHC-Afy#Sr$2NJ=(q?JONw=3>fxF$oQ2IkDR>Z5gLzbA+$*hqGbYuoSju|e% zz2B0SEiyD;^-5Ibet8N^R?)_~G+w)3AxKosBb*5hAr|d{ftk7ihh+rT6TEIb(^AB; z?3B4{$lhYIw}(nc-?j3!iP1r@Vc}zI));GGuWhtL2x7c*A zZG4@kyx!Zp*%XMWG+$ZFVX~js_TQ);*t;t~+Ef=ZQcyi+7lji#LuFP7*K{LhT9Aa= zLW~~fTsPrxo$wtZdxPtC1~YPNlF-sI+0)_?kgklIA7XKlC+b?sTEqr(QX;NbZjtPF zI@x&+#0)jhmaH(LaSw99;9lmndwhUE?yP=Pdno`ovYJF>-QK{@ggfj?H{1kW69dsTc9tI|+#aj>{Z8=6VxtwB*gONj-t9E$~@j;#=1G4+VmXrA2-3N1B{=feCGM zv34Avvif0$Y0zuI`&VkWkxVeQ8-#M#_b#QuQnFRd>)W68+oL_NR;!E*MGPK+GoC5C*4G1oB&@(C7 zNdL<8#ETs*X4#0cf zO0@YlhMgy&CWU%N_?pnD&N(3G21@^^oO^KtU_qb!4<@+!ZK=QW!>_@FDBQ#`T=!9M 
zFWBVeib}LYD79|`%Kziu+t=V|0ddA`|HzKOc6(HtEF3~bQ2~l3A-Ei%Z8`@jbN#yC zTQU5uc(6>Z{mJVLqXnPdvgAiH#v>&+*^{R}x7TjFZs(Al6M^RjD0Khj-Q+w*f&nz^!JS3IHgaG6NsVK)_n-@JtSsUSazx^-DMC7oY$?A+)8r^e@f_a_^Cr zL@WiMW&vc{)_q%m#@e;xE=9%npni#<$QQ6ZpiheZho=F4)iVQ1BEZP}=kq~?R8587 zG$3Gmfg(1Ip$-(A_+tOlU9he(RZ*VBpv`eOgsD4zxJ8D>iZO= z!co{kMxF&`lT3l^({C&5SLy@J=yBdV0UY#(dYtBupa1>cU%&bP_jov_e0s=t zUd;YZ0;x5#?nKrIXU-!_4zs=}|4vD(Vb1LLj?bhHA1k61-F{do{VMHW<3}GdyQB6u zW&r0e)8jB8&vB#7gnEnzHh>>xdH$U8ze~Gdpz%ES00_4Z=Fs#i_w>W-zgl=(09ms= ze~nK9^nT>?%ek@AOaM+n^Y0%2RW#!-d;@ew^TyEwvij0|(Yg?fWVBavT-Yo~?!Qjz zt8kgcGLykLzPI%uIJSn6Y>>Ec>SfKf4$*A~+jp$55hHv3tst_rOFJYC7{hDF1QRZV z>KIZ2DEGp-)1CPSp}GIkRd%#yt;ZAXlA;2x2y^6;PQpJw3;i|oBXds_KpE6YLhVyJ zRCa)62OuTx@X^fOhwTAPXd z`~yXXTtr-()XO8s&fJMI3&-2YkI!ZgK7N>Tt531bO>En?vh1$0UKwaMPzGQ3jn7P^ zJR3_y&i~B8`%upY&p}?ye1hN_pjwjc*i+gH6a`ZD^E`O6Vf9#e@;GDWkJvXbkJ!LZ z-GZ~X&Yt<&a-U%r6eCpA83A%m#2?LfBKirFXz4Zs!Lm=e}=&}oevz2~Y^R=3bk zDt?HTx}BsG?Phmb1YM?)TGj-x(^Ih+a_{_1wE7qhC1gX+M*w7$A~L@P*qBdC1y*fc zf7?%L^7gM6gYUdp(=aBy_AS>wOiXDbAw-?jvdv>4emrw=L)BWev%UZVCQ{gj{F`PE zPC^3(DyHGIrX=oH<;&Eo)pfxi=ql{_jX52R7z+)|6QwWSKmTg$!og@Fkh2W?j&lA@ zGw!n&NZfe!9u%!jQQv;rwnc3f80Eg4iu0j}5 zvzaqoJ0KczSSwZSxDa7Dk7c!m>ue(Dtgl_c!C4>lTb0a()-4&vrShap!=S1IA=SPFO8sT`*_DiaS`W3o@h8ZoACU=9G2&R_czCNW|@ zM>QTA-UhU~G-n5z=bwMBSZumVWmrApvZ8)LRT)RMHE1E1aG}$OtEL%SMrKt}y`Nux zU8bwAI%9u|Qe0P&Ciq| z3n1+ou&C*Cw(1YGYMw)jDi8KeCo}>j771^{q)+Mz`K7%Gq+jEnzDjO6GN3#qgB(c~ zdoKnN5(svzQw_PGTnnA>WY_<7?urWC*`8E)PNz_=^e@6;c9B(=#tr=( z`Vn!R40D+Saf1>Y`RCVJ1}KrSyMu;u?QPQ0-#9BGl1_GQB>ebtP*O;=ShJWH8t3n{ zQ$Ehq7DpJ6AnR--kO2`<&m9HLhpWh`+<3y@3x=1L_C&flWeS1LGvQt^#lOuhPhN+8 z`KH$ZYTPj)iy5rTppnDBX+8yn16`W??if;T(5aqC#dvp0Y^-zzJTH`Nxb>ktNA14eo;a(ZEg@;+!*oV3K1#9$ue>I+G@lbmOx*WSu;u+A5 z>C3SAX@dtaYpc}195DV@kH_#@>J3xW*m@E5wSl!?`rOO`ogP3Xs>wMt6>uB+CA!o< zQ8b@WOx&LBCb8 zuTZ3jfB~(Kd;;9XUS@KixEr4@RU_AwSC@<+eNoNLD(2u0dC~Qz%p@8`PrXPU zdN8^!hZG-Qp5`8-e?96!cvCnmYwyG;_SEK}D=eT#$LLfvzP?#% z(K6&Z#;uOb-UEVHxE!XtTWbB{xewKK>3gkw%J*94UVG9#<1PPOe^=TNcr4&w!hd1V 
zEHE>c+I$2UcL6~IDyPsQNMB1*Mn?idRS@g9yuv204{oVXqh(8{0%8P;Qsvfb#X5P? zg=xk0_3g({Pq0kC1Qo`7$9-qmzS$Fkje>g}t&J=JYW>b`wvdXLgA==E=~<~*wWxhj?SQLtqOJ2_QtbXrW*dxPdx zt?1cdSqz1OolV#+-=Shl&VvL%Pyrt!@{N*jg>ZvTZB`QV@L@3a_^#*l)~qhy zsaUJ9uh9Z8?$dciOukWGhMY#KgAtHnO}!$NJvpwezBWQWw`y2+H+miSK0n6Uz&zB- z(b?${{7J&B`6bF3l0vNJ4T6?YI}nz~gxb_`8J**$J2&h-M2}NuBiQZ?s)s9ThBth* zithM+#a6Nv79m6|-9%UfsJuTe3Z857_Hb}RB+7J|-dgsr5o2EswPRR_93(A zn=`im5GdAt=@McrSnygtbtDKk!>8%|VPy{~H`FLZD7yoP=nu)sRpTQ_+y$6`jw_;* z)$KV_oSp3XPn;gLqy%O5`nVghgc0n^)K=PRyRJk6sc z2=?xJ%K4M&q1=)1%yKp>vEEHvHWc5keV!z+8DsIFevrAnV7(o06WA^HDgAtTcj!m+ zd-~sfCd%PPd$*`Ka$+vI|^ImIVQVaiD`(w zdNp}f}G9Dg+mC;XUaiadALXStu<@z83$|F2*d9nbq4_f>d&gL z@2@FT``GdT_9{SgS7{o};_J}VerJL)M%I zV6q)N!|y&3K_uy?TpMXLQfUe)TIFMO=d*jyVcqFLSG_m42)g>svQ36(!ZOKm`Ni@_ zRU^FASZ_FCPt`Gs%QK=c6i5m^;KfhH3w+2Z?%2&R8_j8_} zlcI6t|7+s-__ZQjVeWM11uC$*3ctTHx6$`qr*K7lPxijzr0N?6s+#5q??G(#B_V(f z^=UV!#lxiSs!qvxKTxL1z+$AgtUOU5oMURno^4cZ#tF*ApJ!&)GL@57;PwktslH4V zBtFgxMq}2H{9~|2J!H4bf(km&TmBYmH>zuEdf`n7WzFtQFL;j;Hr9W5kknKQS%t0s z1P@`K2+#xkr&o?FadVFcl#fk!Y*lfQXHKUC!%Hq+DRkcMO6K^G{B7$8n#DkQkYYl{ zyAbhKLrQR^EEsNDWR%^oOey~2MQB>2R_M`g$7vEw3AHW;*WA436dpJb_&|nxp%JI)%yKRLlFeS+(4ty>V=eT7{LtP6 zky=|ozG*Df)_i4jSAjQk1T$DBC(Pp??;@NqYZI6(<`w>OeX8-j7XPbk^gK^z6KHm1 zDRQl7Q2E%$jAV-+cbh;apYpM}waj?Cz4mMDhm*5)9v`i|uXi)S!XcF%nZ$sOJ-&j3 zJRd)|d@|~Yy>EI>YluE+q1>}PKTR!A^5y#{BC|#Bzbqo95!$3$T;jyM@o=L?aVMd~ zgq9pQI=z2?Kx|l6VMC!nM%G^U(}wGO?TZDmt~B0LDh%C*-Nq?EvJCk=C{}&**k(oZ z%FzRBcz=rpUv~N|5Xh(9Q>_~(xJJWMpN2FKu3SvB66!m;Br$mY)=;>{GbYQq;$=vU zcGR2+vuiD%NmL`a1e&py=G8*L2SdGz_4W*3sLDwPrcNsvo}OCtD7B=My(<$(qNi}| zti%_5AW6I`!RH4gt&C1f5GRA$n+s5Wms4$TT-?r!)p#BsZ7crp`bVCy%rfOGI)hdA`+Ly~-`4CU&giAl|X~i*N(xns9zJBh8ltT-Y!>3)K2^Lk=Cex7x#D zT8RHknuQNoKz+rSMb$%F%o5ktbwL&_ZN;)Cr6b&W?z2X{d2*>W8Ef9qFe=h8D4#_4 zX=wDT?kL^EgVMnb3EQ7xp`21SK1tB@f_j&mu#d{Wa$}Q10r27EXUGIG5d`0%Nr}q%AeB@@I(&knG#~=UI&?(0E?aBQ-+*J+#zG_ldNw}OdxRb)3H)j&3X+(_b)Mh57MQ>7|A1T75=AzkX zgb{*%ViymF$<1c?U(oEnP{NP3aP3yHOhSwRJtirK8_Ct?Lof;bO@qlvXg-e+ZU{UJ 
zzl&n}v07`b>0Pnyv9o^rvDNy;hZpV5nCyi=J$8UL1Culy*)^?x{2ZZEPLZI2cg}7f z=ivkeNfA>$4CO6>nuPKveoFTuS1eot?=PQo))9T?Z$6adw(28QqWpem6wnS{wB?~< zfz6QNVwrl+81|=3?r)m0Rn)TPNRegL!}}!p2A&AYwGZwACtmRRRj1vjTQTFT=xnA# zppUetD5&FHDla@>t{vcb(B7&gX}(%X&1TGL`}D1#y-0&#pR|T5NPhuQ*?sh$JRW=4 zu`wufWcVnZ+w!r_h3K}6!!OQ-M5EtOq>pIfON8DCY&hi#X$TiY--_43s*l~Q9q<6! zLw0r>F$Co_FA+D)qIsE#f>F4p`DD|heZ3bc&vhwk9cL(tE zi4c0#yqGL^?;_qVhTAI~KM`YzGO!HQSepqbw)N200!uW7oL;t$!kq|w51+srk)eJn zIVCIWg&m`;{)v3z)l8LXsaDozKi+Fl@QPP4ghV``29d~|i=Jr#o!j|M!vVi5W3|z! zpqaYyP3V(Kl=$YH27t1Rkn#b zA6THrg@p~m>x$`k#q#SDoK8abvjlmIjkg~@O;a)-LT=Utx;C!Zy6z;(%w+aw*&K41 zhbC2LldO+Mt+7O_6->(LXagyLde+429sGVPgqcj=?ufewpSerS#=KwItErf_3@Li@ zjL9}SeIW+xyDDSQu({5KpF*`%XOeFjb~ZJ`EU}YuhPz<%Ia&^rX5a3WFU+0yNgai9JJx zP+kEex+`A?QZ;M@p*02aoL*1ORPOd(O7r-jU1Fr|%s4%|k1kS`z2wE0b~SR{R+Uk# zu5lMzzW{}8;K3nw3!wtkfKe3Jb%2UjAgdH zBaf!lV0$teVTK${qlKjopnJd<9F=#NpHiS+p zS*~y+vk*NQtSI z*ThES4PA#;3u_aW?fM_C`$?va9rBY3>px1NwX5gVlirHtW_pMRD~S6~XL~fStralnpH)n|Y7_v)YRO`@ z4CxRg0B+zuj;MyD1!P{HuPYU5#0*-HlZC6@eg?>^y zrTTrx!rUs|L6P$C${RzqK9*&4r)Rt?B>{mv8L7&uDKDY!ngPsDECeXw5;B9A9KI+cy?k5nywwva5+GvbxibbE;0Y@lQH1B1nyrEMDyz`DQ` zgMO}!JD8!K^+0Lo9BH}6!<0T)qAW7SSH_^=n=WI@okhQC|A)6y9DGS-SsAV*JecYB^Ram&az5 za)=84{?G%p<&*3QlDueR!jg9d%?B$Hxt>R_>Asea%`df>LEPdX)w_r)nJS61S%Q5F znhkN_^Y$r(FbtldV*Zm8Vtw?z9-M2jsSlh)Rx(W(rd4V2L7$jedzsZ(ZEE{M~Ilc zg541#=TLvsEYDC<4F2h!y4unOw77cy>C67 zdM;pwQkzF*gS3iXH|teU_>ygTK$TPmwq@uJ(4mkv zFK{39A-`$5gFpl>a_4UvouxJqMR*f?0JBy2rx^1uf}4*~H<9JfXZ~r=KYi){sBt7_ zcZxU`=ixbl;(<~HMyCZmEDXOF4zY{qGhR;Gn5}3LepG%!lW$e#4Y1DJHv^)VBml(j z|E9SMP}x6%{vr6iFWd#p?~;v7w$+3Fy(`jWgcSeXa}&%jd|m!k?nvdBvY>|NaQvp3 zIo9}1ll0+V-P$!vAJL-Rx_=DEdH;0rf_+aycI@ImKFU8`m=g8B>y3UC6dc)5E|ExG zGQtiD*u0BeC%D)@3!vpp`1~{BE?m=B;@I%U|Eo2(9%7pqM?LFE+?>~1>IgPg#N$%y z6Tgh3IczH%F_G8M4mI0hlh!9>7#v(`Q#dPh>YlcEUwRE5VfZG;yQ9q2Pmv@iI+EfD zs3=WvpF3bV%_5i)1z(dhmNoAKPiI~5 zwl(5=c_!X=fYFC?H*dOeY&H$hecvQkk>d1;@>R2}z~+P5?>7ynTcvvj4e49uzs-L6*DRT46nOza6ljO2EXaWhitG@Q 
z4{?tiF<0}Q16OH4h_h9{^{C2in#Q&qEv!*nbe)yy+G^|zo2-`wVzt`Oa_e$f5QZKQ zf-dsXurG6PTlkNr-Hznqe3=hc5%)W;aZ5YJA?b-<+g|ksx`d$soQ8n}Y6ZqDYzM_p zcKOmxU=-qQ#(s3|-J`=a$Z}6=GRq%*ATqtu=XdoLe*691bgQ?K&$Mgd4fV+{Nf#%R zq@2|{Zv3>MC8q7Y`c73un3CfOa`HpwVfV?7#dtUC{4`VjPc}wcr2$gkx%?mBOOg^F zVVQk;W--Y);nxnIOa%GC(T!i&^V-6Q8^q~!=*Jr&M7%|u-thE_+Nktm(jY&^^>zcd ziM;QrPY*s{ZaFVm|Gu#H)aEC^bS?6Kob$Fr9cdv4`GnSG3gEfhH!&j~BE+;9G(`qT zHYKPet@K?_Y77?GW|LfyWHK=0TwC|Dwd?%L$nAgfnR+x%t1~1rc7t`%J>KsB7Ge#Y z+XuS&^S>BKaMMw;{))nL*<^M7<7LAcsW^=W+EOQQBnV!+FuT9}mxK!QePjG7O2*A2Qew5%q zyi`HJBS2-ik#&Ck!5m$4;%q}dy-iuxp$MyP?mFl6()y176SgQ|Z zsnTU>yF~}Q$F_bh3q|V}k2v7-1TTP(L%@boxk=h-1oS!AY}OH&+`GuVIfZleb~f?$ zjuNgDiz`M>iG8~1&aVXu!fx?3hXdG(Aw_an`vMvl_qA-ZT8I&9G3xC$EeMGUiV9U~ zQulpUx-~uyu{F7Dg$h`_pdT?WuHz}u+?kteHkk)lQj}r8ei*oI1IVlsW}tLw#rv8q2(h8!@f(2oDw z=qJ<$i=>JZ@7PI^9cxW7-w}+ZWEBDZJ+0e)R_lC5M|IhYziHOc0eq96!n>Pl(yz(v zu;LO!tzF_!k8{p0W2+KdQGyiV29wxqq2`yX&CJcUv0b|HDZ3nwGN&)Mo;^s69vJtw zs`^Y#9sp|^`G4=VA6!A2lheK+#lK^LqO^1rO_IY?a3~P&!B?xx>=zx$O%m?lIWKqa)Q7m1-@1)BdO+j zsetO88op3H$Dq-gm+q>DKRZRl=yEeI@_zz9!`ot^CB4+k)Njpa$P4q#Ae{9SI$BOs zr(i-m2lmlbTYQ)T3fXgcx=!0`?{z9kuSw^Lzcce!nxO^C#hXn)@l^nN_}5#+42NeDNjH>CcPS)74CR?PE@Qwoc6@?SADZcM}YpI5SGnH zW}Ag;ULzRGDV0euIDg)vj7uiD75FDv6{PCBiKk4ZXBhIPzezGw9y0fX`uwt0x2ccd zG_~aaTU_~jr1>wsM*1QrL9G6$7BhR2Npv-6LJY1&aRf z`ba;3(|Yl; z(#YW^AML&QOrrm?`NHlJ`T5*x(-kT|Jj{4NA!BsN)K;XIuE(cbwA!`&WV*c5M82rR zoTHNv`t<|L!g`c7>ZPW7h)EY~q7WTbshCkZ~4f?P)1{E6mG>!OcS?-3k6ZajxaCjmn@*YONdjv=`^<8WUeV)vJ_q1U$x*%_2_C1>!@$e$)BNI9!A&`jve?Tqi@KKq*Qf2ZRjv=nsoX| zCH{1>ST*A+yHw84J6u>$cK{*<6D(pkC}84zry_!%BvC{)`J+I`KFKDeXQynW>1^eMq5Nm(<5z0`3eDCD&}0WA<4jegyKd@yGsg5C@3N$ zq45IMHH|~!K+YyK;oDC&*CF}Fr1xgys0XfP+LcGVM|6{v{MzFTZAn|?wEDt+j4Y-} zqr-%BTg%0O6q4BHVPaMna^`lVjPDrtv20nXc8?&hhf|#QhEJvbCFpn5BcX8X#FiO+ zrD;B#6&F;VRSHx+>Mn=Z;-+bbH8skY9~(VaGM!v8zG}59BO3pz+O1h>!u#|rO8-MX ziMiy;M+OaGh}kR>{sqVWzY3e5hy$c2tOmbna{4L2+($5=$Z82uQJ^hg^A+J?di^|> z_-O}q00^AFnov1Wt!)E9g-IZFb`eB2AL0CS^`BPz(_8+Gl0VVm|BR@}<(u^wZ&Tyu 
z;k4~&{^Rao<~4?%%0~_}9J|(Uea?k{6C{pjs{FP!U0>HY3Ps zGSs|rV5fwY?M9${-rNB|Opv$rbjVOE6?Mx?QX9|xEctlvEX%|uRTw!X#M;a>(^3c@ zGj005`@Vq#TYGq|bjicsZjq{r4*N8XYXnY_T@0v`yyO8d+>a4&{PJ72W6=`%OO zg19uSeSVrOgPXuCVhU{Gsn8!7)-%SzS53U*U`!?gl$&m1Ny=^>UuP=PpPeqI05$5g z13O2|AobI|!64dbhJBaJ#@dpz}ell~z4j4l3PSFwa;u{dZnQ!3$t%7qd{ z6L(n9nth=7Vvt3<0$GZ+6%uAAF}xEJj2knZaZMc^n|N9IeV18ZPGyu}l?xCuCKyB` zCnKKptW}h2KjzBJ2Us|b{0be|7(31p`;lrbRYFZB^rJ02a?_|e@pd+YgPTC};OMI7 z^Xs;6(qA0C>EL&?PyyLzIqDJ(Izkxl3@fGElV+a#&Ybz>Gi4~8!Z&36xoXDO{3^!i zcKjAhZSpD0iJzK4hUpZU)So~B&G(;eE&xy*+D>hD;&IwuzIDpafJ6V1e5tKroePG| z6Z-e=lz4G|)LwC6qT>Uu1GGT#T}8XwS{bZ(U?FjhC{YX8WwYD;0(29SRbdZop*Mzo zGrJWqT@~P4d$pGh)FLe&aYGck)f^kn;=ECusM#VcD}{^LaE~My51m7^*|<`L2X~lt z02+L_qea#56YE3xfJD;xT5oHIqd)vdd*x$OzAFKycENe57LCRSWn@R2x{>Nl)@3`% z;avq5k0exdvluBlquY4Ip*h`d{voe1-f3$t;T+eSjg+vYCdfMP5jS~k&H#svX_g=! zFGch;i`NjtGn8xI2WXz%=aVl`UaOc?ze#=QO|NUA_cHAB>scq$0@P|Z^~~FkmQ6&L zz1dL;>Ie?+CX^Q!SdPPQ%BfE*wT|^V`?!4Qe=57~Szfj=|28y1v@!mb=I1G0??_(j zf+Hnh2dyJUPVph-*pObU+eOTxXrVQu*%#`nFrTwGA5^5%L|W)7Dh>8aUJ<(z+Aa1- zh9fzJ6t~Amjw7k`cV;?or2XvuAiz`r*7m|x?NtbB{jS;eWPUTD|%7; z39jedPdPLXwQX9Rm=>jpvL}v#2Y2{AJXhPimi-4-d4e7eE!TULn(wQ4+udO7eLR@& zZ0>q0;Y9x_;<_(cHV*Hh20f>=BerXHoM>{eDQGd~^xf`eAo;_}M0BiiG% zqs#c?+FmK0@N-T@J*TIkZAez2QM4!lgm`yj9jiJb#bJKV?$x|KR3Ua3#op@ybt^nh zA*fD-KMq`EfA$sZu-PLYk93c1adhAA?tMO3g8tZ(!QwLsDYb1`{Ot_o?g2G| z!p)gRpQHnHT6ubhLI$~mO2JH)riq}%K8Lb5Dm8s;JK*fWh*NBpiR<|i11 z3vh!k&Ejbt&Eh2G+L&DhzJ3>HH#eV?ML!@`Bc+#$p?JbFIkf7-Ilu%Wzj`;`7f8K)}i}%)-T!eTL$o$du+=3zTQ&kuR<4)Ya4s!!{SdM_GojLij?X zn?#ZberwC9u|i1d0&DJSw!8FE;dgK7G_W6h_vv2%QM96+%~}J^JaB~vKp_N-h8Dlh zfJgSm;o-`S3n~M`-5MM}So<3Bw~rf|c~=D)hIe;{DLOE>{C=2+a@kUZGSv94mHgE` zzsL@-bA3*4+mp*U!d}hf?7ZV%Et%Kn$bi}plyMJ#;>RB%b02%o=Es!HjU{}$56nvd zr~M?5Zcb76{qVWlsh!FTIp?)6AO~{zk^DMP|KBvMjS2zKQfm|KSA-efl|3Q6zx0LN zIi69GDx=JsTT1e|jNV^vb~)KgSXk=Ixw}XkYO#zx006{Lg!ll0KA)Vhi5v4D<(oz; zM6C-a-yG&K^|&oHZBP*`NYjIoWm_b%;Ta3V0E1P}^GH^{ebVXZ+gYWK|d 
zy?@vgw5PO3Or`WVF$iZ*5JWS0d4ylT;`;Pu{uCeCe}B(`{OU-Jj3zv}TpNyIr$GiZuNDG`?U(wyMRQtbr=^P2Ju!uPT0JV;DT)UX zso;QEXRFiarTKMZWu_1}j)H*t?ko+b*o-GhfI-(*yAZEkz8@VG0&0c4i zv;QZsc!L3)Ps7=D!f^ISpZ5hCR=^@}_m@wRsbK9KP={5DrxkJ%zHLgJE}nya@YCXX z5O!;XPmA?lcK@xqEPGe;l@&EUM!%OP+~eY}Ok;$vT>26efD?*VS7^~{^9v3Vfh6vBJPPnuP2AsTw_NY^{iO4GWpfKj1a3) z-ULt#1WT;R;w7;pmbe8B^nbMNW+Iw+5)Vkd6%Ln6TKE>tT%N{%_6`c5a9}%BwfROc z+irwj);YQ6viB<)_nH8V48%Jz!z@qOV4q&ud~p2JRHIwUl&;x9-ZI^!+jQAE-ohCA{{Gj6{y5LM`$W=J??5w$d<_Wk3ETY))GgwX)wuOHbsvu(@d`D~Q6iyp^ zY3`}=n2*M*yj>Qn;7S@VR6G+cak-;T0RTH&w1EM2vb*iD=2gI~M$S1`A&w1%f2wt7 z3?}|QZ<+W&Z{oPny}DR%?HdiYCACMK^bCVE!*0`a-o+Igib%Y=Ndm=;h|y&9gMM_S zULl!nM((~s6-`+|mXpBCwE@N);2x3G>8C`4lnl)^RKvE6h4CyaUWb4MoPy_D>m{&0 zejkm+apvCN^6l`;hoz}MV+Q;7EX_yP^V&SYflimWVrZm0%p@sBohgSAXxnfhZ4c?u3Z ztN+BBzxr5|Hh;gDSMDl1LXV`pj$3m`JPe zeR*qJ-XkXK03yG1;~jL*PI^GjPflfpah35`Dl|CSM$<=>De}I0=%uOq#LcKDnxgL~ zmNRU#nsbVNbX=^h4ZZxTH7xhTg%cL;w&-^w>mU9jGx%T40CE{o*_t${2wCiA>)&*E z@yj#Y1VEaOtauKh5%|JNy|2f1<;ms0hpkTm>&w*j|U8e}6N8EB<6?2)x+! 
zuZfdZ@;{+|?t4xDS7pM{=qR9EA?KO@U=l3@FM7WJ$Gd~2FW4IT1nOn@U;eq_ssto} zZiu#NOXajqMCPf+%~y}=)@+~gbV)RUItsmxuX~oXa!r8esY$wyABYL%i3MsX`XxrI zsJp}?RFWu{o0GaBS6B98YvTAswZ7q{$31y_9viBh5WBBnhNe0G0CGv>pxBagK0wG1 zW|j9twWU;w*ewxe0|+yFd+451`k8EEn^M4-&Nt&SsB(U^;dleA-yA7H?E|qjUPoSX zdrIcQ1nZNN3lKMljQjGOGEi}49)oSYLtn1)isY#D8RW3vv~oNk8VYE>L_)@Pf3#)0 z9-`W2s-xPlJP5@`QhD~f^c@*IIB>lFw1AJns7QTvjf#J-hKFldetyc2>wXh~O9cr0JYXY(ngg}N zqU|KeAF<5X%DJ3&LB7!kgpH!&Wk9P>Iu&%^R<^2NjKk2WR@T$OHD$>eWFHk=c-ekjC}OYV;3WdKlPs9vPn?cB<5 zi#^lk1d;XRvo|E;H9&yi>E3buu0klu)nw0uzjbqtag$B!*Dc}ChQd?M3r~KQs$TBu zv!M|)tzHuCq`;13$@}w-d`z|33>8E=Y6NldNUtikZ*LSVCkn0^ej=~5SHsr4SyeS2 zb1&t7#j|p@X6w$%E%n|%Y`Uov@T>fe;Rfseb=7$$zY|ty6T%H)g3|kw05Kkq%`WpU> z;o{d0)&hh~DY6rF9x1b&!}%9UihmjpY~>fCBG=X_-~fW9ymPjIZr5IkU;_K8=MImh zoCEpkA{W#itma^N)(E7tLN5fh$Ef^d4c(@yk!B$`b>`~(osUR%#;}jy#45y_+RkLS zu8TP`d_H+@;lvY9&MYarF>1B+!_+V%hE>$P~5P=?7iUan+<2_8gHO+aX&SFJ%f2>ptk0I|{3_~UBL;aihDD+W~$ zX2gGE?>(cM>b|{E6cp*wJE%12(xej=X(AxK6X_*Fq)7`zL3$Gqkgn3ZbfiUk2c>sN z=slrE2=VUcf8O(s^PKlQ=iWQ+828ip0Ar94_F}KK*PLt4U!j_9i2ZIy!|sb0SV?Fs2ODN89z)gL^wi8DG_SvCo|XSqIie;}vs_p^uuGK*N-cs zf;fV@Ik+dFIEu1eGpZQTYZb%Eu8fsAG&Q9QLLhd|_J0Yu z--}6cP#_@SP8w^}qB^U_0&SA;xyop- zoZ5XLw|MIuJd$*5xA;NM%VAY8&^L@NOc^bXH8wm}>MqOjpKw0UHk0pPA4LoXMzh7t zo2;mIp(&s^B>D0#iv+~`;xwxbN`u+SLL?P8CvkBiG6B8Fzjuhj` z|HAS)w4za~-PuHwEtaJ_Ic%ahUE4f}^acM!oeWiY!95#SA~}D{(q1m2E{zSf!OX~v z-NTt2WOxLOX_*G5hN7b6ydm8s%Ai?kigiDD*_iPxe6RlOcUt+9I?=cSl|)3=1hd*u zFK>z0D!o^KsD`vdygM*ggfD^6_FtY0{~x|ixXu|4M;mB@+3bpxtoyhuWP^R6K_D)|%Jzg+qkdt~HUD$)TW(t#z?~27#n9J_L ztfb^`?ZXu7JEo>xcLwh_ExMfT3xOP>UUv78JMuPV^0(%k7UE<_3ZIU^N0SYB)}Fm9>=^^{^cE za0(_7C>q`ZE%CLIg=x9wEh=_CD$Z@E&x1zZiap?UUB4|8X}~f$fp9#G1TiQH;~rtG zu{!Q60dQJu(vS4y*7A|!{C+=ghP0yE)S89Bbd-8m@ooLLhu;|q;|P-TLo+JKFF~@ng5Qk0W{h%Em{q zRrL|Tj-`jY9TMT>tFe%>S%?+Gv;rfB%rxgYl(xO{N0U_s-9uwz9S=v=uL;-c?+1Ak zy7RPIaMA*XA)GO7OjsWjm~tzKU^1f*o9}}XD>2nTUJlOhiyv%kth-6(P4GTY@gb|d z8@uMdBAIP<9AZHkf60pj|J(G@5gr)v%dh+D^bg_3Ltb2H^ 
zw@r)`T~0-9HfwFm%L#g+hwv`#yt9Utz|hj5DZmqIDu^+jbaAUq@@E_Gt~85QeNEoZ zFAK9rcdMJ4#JPIdc{gTy9@)3Q+FWnn0lYhbWh8}-Eb&!V#Z^G=0rzWQ>RvyJ0k0AwxPy6e+EYlw-=y)Q1rL;i%a}@6{ zShpQ^RB5l0^Tq!Vg3QBDWl^A$Ux zV8M?*YnWo)YbswW-O!=P;HN3OWl)^Z+efx?-)7;%4NJ+)#FVb#I>y28)5_u&PZ9yE zIyXW={=S#~w*&bnlU8(ywwEbz>;+qL&vkBQ&}|pxrBMZ#w_vZUq2PYUq1drpePDQi$n1O z@q4#GoB4Q*;h{bMQhJdT(0Av?Wy6)Hpcwb#C=1)Fyp(S=R{mDb6I|DXRlvn%SjQsz|+tw zn;{pxk_tJstUFN(`Pv2ol=@amlqizAr7s*Jk(`{nPdZi}O$!QklSf&;P%rcwaO2DV zVYgZbW&aB@@cd#T#p*T|QnF(sA;&$<(t`bN$K~*o^ewacOHEtidf5%XdWLB|#8>Ev zVp9;SJMBkXeX4$Mc+iWul(vS%`YW9>1vq-MbD2Sb-}^JR@bRw}%`eLYB3}DO1A>E^ zZ*OtI^aQzHzV%~Qd4bhOtF^Rd>}Wsu4k=psut(>P-3sQ((C^w%Sw!mZ>XO&wTXQCvZXE1?2>jkOV*fR?(_6cKhK~SBAN@PTtD=Uh(fSJ=3~jj+8%9S{IEK&*#CCodC`$2BtfUYLhVGiuP zhUq1Ir|Aj&!bf!Zz;=6!A~7VGq`MxfA7{BrJTF|K4#Hb6i0@?2A^fS zw>M?2>kq&~`9aECo7jHjttCS!y|1g;4beMtnRj|VuOuD67WYr@n1;Jlh6gd%X;k9O z^X7U5{37f;q(xpckvkHdC>~p>e1^C4w{dK-SU1G&nh6W(KottM2N$|FdDv>iKw^A~ z{+{omrhXz;QkO|m!mZQ>N*BrWvr8BQQWL=eIDzK6BVP2eCIR%p z(`oTnYW+MDgrPPX+%Yr|i27ADp4rLYyDlFQ>S{#x)Cr~RE_RDKr2ZO={2Or;XnwAt zsqM&CgtA~F)1B6M(kgv?YJRUi5S-Alm4i0W3FF`z7daF{Ai1*19+Qc&`0DM7b%?L` zJYKn?grrTvSIU>DH9v+wN5{w1F&D(H$8o)?>T4$+{y;|HtKi7TE^pk_c`1gaT)LkC zlXb4XHKb0Sc)Q3mdA-TQx13#c1^WI(Ppcx*nM9n~Bfpw0GbwXZHg9V+y`eVh1iUfK zm4=R$eWu%Pn7);7D3WDiThVl~zX3x6x=c4rE%lIhtFV@+`82b;5>yXvJYD{VYbQ;l z^pN;)jV~&vdl{_@;4SNJ8_@kM=eu%^p1O6vzMt=+u`%U@teeg3gn8;7bv&EYk zbVPO=()J3cTLBvt=DtrlMme78FkB0A%~GN^|K^+G#6{a@Whk%Ap-$-Rrs{c==}>!0HQ$Vy3e9~i zwcL@PzGj*HJ#3DP1$`?5GUMnFbZv&7hboPSRmWL$UsWtd;mr4o?Fz9D$25W0uE6HD#A2RId7COE8)}g2V(S$g~ zcXXNcS&R&*GwFjrW^@KIa~nRYxr`$RdTmj;m)EI&Zv$uRcS&%JLAIrItMk?R_$o|M z%4xkZ@UV<^cLT3EII6$4OzAs*R*0W6J(Z_m+uoMwK`Yx87;EJ;yC-vY50Ycv1$!D+ z;_NSt=Pe$)vKK@Pz3&p?WATs3HR7(hJLe-FLy>pw5DZiS|1qTN<42Oq_Z`n8-Mcx0 zpnH3u!kTdaj~+f=btIfTy6;@HBwUuB5^W!8$@3jQ^#1ee8vjRGi)@Ydl@)`F-cH0^ zqEACgCwTnrC1Vn|j|3m>yLg#b)}4;>Iy%oTM*sGI{w=RaJ#*RBgW{Knd&l+k^51o; z;gQ1d%H854(Jr0Y(X&q&-5Pu^Hq(o)uJbnQu=C(oD5cNaCv8_Pc9fe^j$PoI)P2T4 zh+92~R;1jars3h`(3g~b+;E43WhaxKF|+KCjkc=4xXwY>nSr 
zynMd%&TJQDxs+Kz)5HDU)YN`C6G~)H8gs27*fVLYt@EERo`03BQwDH7-vQ|>ip$n; z;q{Ey@|A4(uID-#A_P?1i7hd`i^=xg9uS<9*zTV%_N;_N?8Ay!4Xg$`nc)~jPhhkWkq$F_Kl_;nlo zg4;slrqcH(C#QSh)RwAl3>&vtj?_^56(Y0(8TFJ0DdY=|m!4jz%j9Pr5Cnh;6;BX`rjm~d>^ednsp8xKH{`S z`SV#kf;H=8;75D|-{9@i-Y0-dBs{{bdER{FyvpIg_HJ@2D|2(tEepyPj*TiE9L;E# zzOvvjM$j}MezBi4utJyodC6ld0-N_)3yB`YGN`t$f1dm=>rBQia0V?9txPcEdPyCA zO)(&Fv%d|2**cW_DEbyHaKG)xW{p(L4Tg?cP z8bfAJ!K2c%_9N=DSq+lHgEf@)@{=DsScSY%B|x<`{PXn-sx!rBLBKZrDIaAODEQqV z8sYzXJFs<8I>1LsFC0%YzY0N6x-b|6gv2^##|fs~g)W5#O;3`Tj?W@LrCnv`v*jj5 zZva36QK?a)x&3IA5h8#;IN-^-kDlz&`ZXW&YvG1W#D$82yOsaE0zuWUr?m>t5yw>6 zNFV|UePKy>W}dH2;_8-wqlyEPj9?4j?10s~*o-n2R*UkkNcN$(I!EvBJ$!uEWDS=` zoeo%28Mp)2xDy%(3m#W~ga2)}SNq#)D1ld@5rfzo zFg8j-1rh-C<=-m*AxK#Gt@)Qyvn%Aho?!(5L+DCB{HAP|_C3wkNjFmH(dLkX=XhLl z0w<297tjYIjE|f2mZ{57hh`M%%0R9Ie}h%yD~0Bcu_pjn*O6Q&gNu*Nqj{5G=2$}tqZDMa3UOic6+ zgMUqu<4@7O!!~{wiDBQTPd21xFy^0F_#z)!=DN>$HgFLW(SnWsyItQ@oB37F(jS7M zG~cA0XSm6G2ZwM+vXkAxwfGMTKo&;Sf&tt~#fqI1V0svO)K0=D7D&c-@|0h}G1;as z9{l*c+e5<6Plcl`MY)9+t0=`|jP{>cN`AIn)JAcyk}^62=+o<`mEZmza{oRF#c(_8 zvP3QO;Xedvr5Je-V8<&nm=Q1@qNC|LIP;s!=qf5mTCHSp*dF7svGg#0us(5Y!z4d~ zMx6OUNhiT^=32;H#WH>n!Qqu9d}pkUZ%3L&&9|Xccpq0SA@Y-=#`9cehswhpZ1}gx z^S2YNK7Jtg*B~%f2c53xzh<@RvYN-jR|`*zkG#+KCNH1vTzJQ)VU#uoPNL)MHC$zn z2Bj|&i%eX};#9Rg{OCq+!)UGw_UlCD)iB)|PhO49_qBfNubL1@t7i8Yp-W2WlvOO< z)%oWKfx}qmcRmmb#Cp4gJe*q;Zzi93S-V&VE3f6S2aSMg<0GU>8OQK^I(ge? 
z;(JbdkB%+7p16suzg^CeAciuT1r=Y)TvWPC?R;0xRTeL$4N~sXwlNRc)$t ze=#;L(X5lMo$L;=ShL%mDtYa_YwfGql7Ol+Fotxug6UKQ^#N3uJDFyD^j0iu!Gw(u zXS$Mk{c1x2Wl;4$k0GzRL}NJ}jHMMQjF|b|-HqHb-NrEqKitP2Zos1bE@kjzZ;t1c zT`}TE>R-kDj$8VkucV0I&s^ z|1C|!^nmYr+mC;~dhVq_)qbI=5y^?RJA zFrVhs3d0k|IQ1`)!vk;0XPr={+n!6=TgadtgP*r^K>jEHb2$+(4n$#I(N*d=`!o|J7($2s?OY{ zK1Ql5B^?^(wJ#Fz;tZ|fy3tSmRqUw7&o;~^&^^Yh97G3ud{wwIQNFA-R%Z57oGUNg zgCR-GIeSYk}gIms6z+UvO zPVZ|XXUd`8;2TbW#sS+sT42vE0@s^YW$Sy$ zNXr>Ic;5jFA(5?XQ)H{TfjxvE_*(x8^>Coie=`-DJ2LUV@%S};)IvteApc*FCr~6> zLsaw*$ob&t7*Qmc=jkekon)nc1+AA-`8}+AmCQ!=$@A_nsRqOvVsi3Tm(lv8G-lYU zSF9_`kq3K@vG!4T*&+4Z0g5~JVhyD8-)5PaR*a|qb|;G56z*F4&gW~a%gm>KPmWWR zb%7gnm6w9PGgt8R@d!=~xmd!csCR_;Ag2QVy)}qK} zEEJ^gN3f|=4&AtO%1407oJvXh>uiY)^!(cH=Vx6x=eJVQk%BT+XrGiT$)xmPZ9L2j zxLWSmzm8W-+OB$@@n%0EElg2XQIOB@Dzk;6+&S9b8<{0;Zt!xKp`)Zs?)J63En9t8 zL!Bwmnt^8!U8XHd8Vq&OIOzt|DtP^j0TtLHPI8!jrAi@CMK)swNP zLFuRaHn8us96<$de~PEYMr&&};?%#*H)-&TQai-S95FA_dfp4ZHF&KL2dQqn`qV<= zO{l^b{@H0ZBw=&-JY4yFmln_DgS1f`??wumaJPh(Z}=YY-B^XTf8eb;fCLlNd@{)jH^>eo^V6sAtw86e{6_Ho8e6^W&z#XwHrolc9Vdx=QT`p&v zS#PnyyOJQWN-mhvh`45%4m0OTsfr8p2G_uFP3-u};%i!a)H3-JLD-X*lXsFxZ)(2o zeV1J)jT6oxja|m*`@+}c&GEbsaD_i{i;&GLX*`KCP*Ob0)=uRuEEH50uKBGmyG$M~ z%qiTf*ejK?j8+%DrWKUbUkcH-X}na|75rNB(rt^OpTbJ87Uw^#WN5@q$mKXjzVl7M|*u~NZPht!-DZCTM zyUfartMZJt_DlrkdsMlYf*xFtS-JYvEd^$sN(8C|h!s*lHBybDu^|D$Q?EDswRnK; za+zcF3(TkkTqSqn1p7q}+yzj^*KK^W9os%Oa3{OJi~W(18Dp)+?y?8^#@9_ng!MRD z1}w?Fiz-Elw9djODx`b1Zq40%G}D!+>Yvaky zO4c#;ZL2BkeR|?=V@C1C=Wax?VKh(Qx^(cZt4OSS&-%`c+@iDg`dBdm2y_6yA6Yl|mU1>h^SHPdZuzV!p9ym2H4`==!7vt-#!4DABM`q{bkGgR37 z=N&TK32vu={1HmljOJWyq{viT=H;4)zyH*S;Rn^mo0`))L#tiBfnAdJgQupNIEEa2 z;_OKlJ<1Ha-;4$usyVd;kd`?@m+dbJf(| z`H>8dVJ3~lGW{=dLuQ%+e~OJEwyRq zbAQ_2!ml2e=KRM{Ql8Y-n|gmhWX#BZPC!sovO4A~vk7g^(z7wn;YcZA@hAT;yCD@I z6kjjm7EZ9HDb;LRs62g)H$~kL*Z;_Z+|}ZP#vKCpq!X!Q#6Hz(B}dR$4vSQLSoV$S z_;9bQ+Yxnvh^^^Vv06Kc-n*9rBwQ}1gxvmzTX6Jqsv9mW11{Mjjm;R5+;wg}s7=BE zt=r-%pZo7?BiFd8v|+P0y9RDDPF8c4&7#Lj=Tx1hR;0;tzYlo2M+BZ_$sB8sj7Yov 
ziWm1W--af0MlPcbhG{!EL~DMXaNh7O?Ut~-PsJ_vn*?&VxBu=O;4R^Kh|Ppk2hDRb z!d&x}8Q&|hQz%`maXzqA;Tfv86C0pseQfjj2cPr&wF$GNrknk(o%^b=pSM zqNdmnX6|5(j!Nz``o*^YF}x(@YkgRGyEMP^j)3UViy z_p>Cw`gUtb5sZxAvoD8fPPFK6;>;$!7mYPrQXfwnsWp;8CAf{r-##F=b5IE^v$C)9f-^UlsZ#5(WEL45TKAz@gXCq5q8T&}nB`5o^ z&CHx7SYak6d~X$k%*ctm2#Q5#7&SCav~f8%9Y%nv6oiE{u$3MAXUrn|<&|8KdT7aL zk3$GsELYG8-6AimccS%DjR$nNMj)GKqe`2}%&Slv9P_dXdWzId~8pGztnJJt|m-rmMCDLHIwIML#Ao-${9 zjdON?YL3fm_o2B=M{K@9=DSQvNKf5iun*&#Z1Gk!s1wAz1=tLgk4EC;-HUwhO?OV4 z3HMY%NG)RZG+o)pWV@T?XVUIa-)&?Vw~>{GUH&0pR3d{Y$&ClGng^1IAtF_wdFnBj zV@VF!>3QlV}RH=jpWh*x*6q@q^s@L9eS{dFZGX1>tNkKJ3}HQEyb0@ za%%3%ob)sI*14E$*I(FKS=Qd3FFdz-6mmrW+dL0PhEd92fySDth2bdR`B-ST62bVG zJe(XRGzFt@4JhW#d-|!qIoouzRXt;)ah_G~?dx_QDhKQ;ngc$YgEH zBNYhq>&`OrO{~hpii_CwOe#byT}k^rJyH^xdE$7FH=mMfEKs<7!RZKp}+l6w9AQ1!jA zOZi~(6k#Qx;Gjh6+tv%TbWS*_$SNaP93x=v=w&UmNS$JK{MW0{@Htz+M7>Ak#&5vW_QJYZ;{K(PwU^<*WV@O@zPj4-k z_F9wLEfE$bJ{zT9McwlEdfl11m9szJyw?Us^Xf4jy>FF-XK(lb92j@2}^gilnq}b)GQQI@O^}BoobHv;%%b~%E z(J3iKxl+z+VYF+$I7`=m*!K76*>#307)?_{)ncktji^6zht4r_a|JZVXKPOxDSbsV z#&KcrNuE9o8RgrWkU&oxn@J(75mR#US_cEQ^{*by3B8p0Ca)o&E)a{PC>1u|{1@S} z3k&|;*ZA8O&Tk&-Em&$e4GY|j5J0K4$K8FUG&*`w>4;|{;dA1OnxN^kvr!`VUde=J)n6SqjR*B-)fxkg zXRZj*2i0v{=&QKT_2(%NIF$WI@BuAF*R_d<{kMsx1Vvco-?qIVIHr-9z2zm8prLP-hcS@NKdt^BMg2Kr!~>&cd&XhfC6 z7eJ8d4?(R%>nhbvFt!vWlC!dZw?(2TgW1haZn!>7+G5*IBxwAsj&LYslgH4r=l+@4 z;gu7}<$~)(E~+0**Wl^PsuK9fMuqCfn3A*f4rG{vGs%Mm_0Nv5(&aeV zRg!`&GM*y8_Tp;j_Tu*0w7B1Eu#T%c`+#|0@7u&r@9nY)VA+B>XvY1dQkc`U7npJz zd@G25TY4HZpr8zjIMJwua8d|#{l30oe^hCiPa0JpEAXLvu!wD!sgN~oKqtKyVZ_;0 z87artK}ER3!Hr?x8n3nFCrUNuwpW4Zd z%yFH1MB&!4%V>DV+*Ce>q@s<~chpqNr=$Khj7bg}ENZJmn&8wY{Mj({W{5lc29GoE zrSw4magI>Q4EFSreg{qqlfWFBVSL_8>Cj;>bOQM-b39ua=H#W5=eV!eY_k9gG)z;ZmbySe+M> zU#iCnv!}agx=R+}F2qk$X#IS6KIuwAA2GQ;cx%`K}}%&h9FsK@n#$eeXi-JJh7_SIMx8Mpq___2LZ+bCYR%9k=V_A z{4j_Jr?%SaFlaF0HA-Q2Re_q@$;pVY&+NW-6-h18;JFLrdcb)#1$D-`=zXUjqf}No7%HSv z8fr9*gSF}^12~|BAcY5DkH_57&-Kt0XQ_p=eL@Ebhlm=7+uv`8Jv#cd8oN+nrR{Fj 
z%~#4dS6{D${fdx-1tKA}*t_WS_Vm&ANYj09*XP*57Z}dB-Z>m5TIKiD@aa8L9RWP{G&(jPj2}}gN86U(9ijR#C@!sXHrK0mSH*cv!1HuF9dxwc5 zJ>&X~!8$cx)LVX**t{1qhKUJVA5O4Cyg+6O(x_O89y3X^xcH)(ohI1cF8gHWwt_gF zM;u}Con(7^83lT-qSDFVrWmS~^4^#-7^_H*BqwznV<&q4`Og;iazsbDc~7GGj!}(^|Nfpr^I76m(LTaa z@DBm;_G*WcD5kzQcv9lqQ|OxpTSC?V=Go3`)yG6sVplCeG`@wX z-X8E;_r_Mb~!sS4-e(Wn?;MS1chI!|?qoZBuiVLVN%}1@SxCDo4ffQk&k@hg?t9(9;bQ zDZA{Ub_WuVl~3RMHO_#hPhcU&ag`wr?LkGQQQQuf!=_r+pie7jb(wnIz1F!LfmPkk zDaOoIoxUr0JdUDYj!^KvRPpUaspNDnM^<5tKn%WQx($9f{y_HA)BL3dv*NMVr~h79?Zj@Eu(I1luJjHG3mxxvBtTU{lkzGOh@kUSdFR?)&7z7+V^qY%r>=UzA!M z-@J^!lzVEN5Hz|0UE&j@t6+2>eY*KZRd7RRmJ#_H3%-PqNOBTE7`KZ@%h-Lu(=FHF zpCL_p{anux&Qm^Q>~6dtgxm!L`&sB+u|^d+XB}8IRF?T!Iz~EPK_0nit2YTFMzT|Z ze_Ad5T5vIb;~)2hXZXEnY`NrA;vmBhfX%J0AE(0eOuz{Gc~Nz8OmVe+xvnx4=W}V` z+l*w$qO9bLRG`f_+i6N3e-!*fxc#@ahV+5+M>+>qg6k^3Bl|eMfU^_vKpde1t7Ah- zo#l8D_N${2aMF!Qk&STgyy%i8m!t)y%v3(oRBCg{*P=tD5kGOCuZsc7sd~F6wV3?g zz2E50o<9VXICj2wU#l@3iIQZMq!zwmSQmzB1tYX}g2HrgyXaR)9+Ris{j||Vw;1zZ z(R2N7@eOTv@Z)l7ouiyP*(^z_812fEZ7a^`E+}PEVPM^6L*mxl`zT4M*g9o?1j*Z$ zgO#ZM`m1kVtvV>RC>*HJSF_i@MTv4!s8&naaQtMeqOAM0uK{{jmq(hjDQ<(GC*ceA zJvaG&Jpe$)f@A$9H4H_K11CSx)tsAHumKiYI5Tg~NwmCWbbh{F`a3a?!K0H^=&N|y znrgvw#=%fw%S?E+kQL1|UUZj*v-8%;FxUvYiQFB8%yUxSa)Wy1HU6sLOXgPZR4f^4 z5O2P2OIckdOYVGm-y2`gSevSRLfSYwd%hZ%bg7QJJEq|LWq#*jx>e1lA2nDtVL>!m z@ZFKDkj@@b}D+b1CakPU_;K9(3Mf;ZOr}1z#ytfA8Lq?Q4XbdZi&dppvhb5 zt6en~f$2K~cGRF*WN2&FM9}0ibXWOAegz7I8GwA%k;U4> zBFT6*=kT3YlgPLzQtn2=hl5)~pVxI%6>ORYa81)nwAeu~RuOI03r2gNw2`7+3!1-T z!&L#nWndS5_{{~-PmV3G&`xrdYMG|~1VhrV+4v^;^^ifq%?Rs5B0x~*U&)cv#aVud zOX^vDjFF}0^FZ+(CNpE-mjOPFjlM&=;;Mv0hwoYAJctYmzE-3eY%IlcRI1P!@qYO) z!^*!UJ5l;8`BDUj&b$GlU$-3x>!CpH=<8eRX%E$G`~^B z&Y7ypa68KECRxETK<6IN9L`XWf2z4?Y=Z7<{4Vzb9#$feBk|YQ z0Cfw4=^K}7zP2WqKLnlfIpkXx+F3=2h|w80$BBn^6=`JG&5*g=l5vf!^nS~=i3GgW zah9Q(?unK+=NUL=BnJrSmg{YE2&32QLMvl%YBu%364YV(%#@K0 z!!{%fo7w7zQ>9iwvZAEmhs@#~6D5afPnFq?8L8BMupHn`8v4QeAZcAQLQaS$g~ z9ZS~EVie^~p==~)S#2Izeesy5yXRNz$Pe=LnF>F98S@5usOqnsF$`Y>9T#cx$FZrg 
z81A}d?`hjrS1urXsy%Fnw5odgD>&MGNC_3;GtEy+B_{nWrne|NS|s(?WzsjvcRQ_t)GM}ej%2lA_T#LL>FWKRir97|=9`6=N_p^5BMrY< zyu)bhYm?}fLE&6I?YZ9cjJaj&!*fpQEua8LMG))1sx|#`qL#G?_m0GyruWTQu%WGW z>~PP6Yf}3`gxFD}PUHamoA;H3UV>%9*SMFwMpmDDUaxYjRu$oN(bDaBao=TK^hSch zxB9I$hMmN_eRskvI6kwWmjSPucF7iybMYcXi5&6$r+0tKico&!ouM+eFe2+nPylm# zZ>#*O^Ul81Iq2xFa;Vr~ibw&&n_ZU=i0m=V!#Z62m(xQm4t!30ET!5)cJ>@wx|#u| zx5CL`!=aw;|UXJ7JPQ5koC~SWCchJ1oM_m;MC)oO>N>DfB5-(;W7en}?sdO7J z5dh+q5pndYPwq@zVD=-|d88`Kb;s*C5&_AHTPBpc#uy7Dg6`pdel_=UHq0eHFXPsh zChWWM$yKSbvW~yzN$Twuk9+-WZ%YNq!-$Ij2(VlM_)zv|Mo7TC2kw)=W(xXSBez)Ryx!)2v+*wQdF+a*Q z?2iZoN{7%J*y=|qO83U|1Dn&Hf0`Yk)L40m_S?14i3eHh+{8U^lGycFveNG35*JR% zB1to!@R_#rC2k>*M?VL_`MC7IQ^^$g{5B9VN=?DbhkqpB120lZfQtaXDSI zoeBvOQj67G<|})5G;ZHLUN~VdzIsyzkJP}`aa|b<3QC_U3?xmfNC~(to*G%Dem_g5 zN9T{mA|T-F2Q|%Or>zcl4SgviigN0(g*EFg%5LpPvi(drL1nG0{2*y3cZHxkzgnOW zg{WgSE@z`sa+k;yi>uTPo5fqbRv*3B) z0ko3T%4V7di#jnkJAOTNu8|b%C(GkZu0v$ysC|(3DjHQ^=%~rCIavTun3n21)G832rV^;wP-g zF+}Q{sKSUnqJ**%QQ_LHNTZbpe+X1$nOEaZr`lH+udiK4Fhbut7~GhD{y1s8yy&E& zaXMGnR_Z)QBBJkDfGVY)12QGFgBOF*p_h9rNq8es(Sp&<_uam>H3XRNMw6AwN5t8t zlSTW)IoauHb4VMtbII`50QL>Tcp5B~ck!Zc(70ie-qd?YU@?Sc@vNa}F)yH{acSqw zxlpX&d@kdx;_L^rY~0O;@3ZST-3jhv)wOw%k3R9b_}F1*b6?eq69-NXY?L*=%O3(4 zG+We=vKOX$=;cW4*IsGh{qZl;y;}?b?p(Pc67b{e0SdT%weXG`f0^#>1EzZzz;jQS z!E)%}^4|>d{{99h`kf2nMBXR(2Fcg!lUD3<`d z5Q4=AFtP!T-T%jjO?}APdjI7+_qXe*;r{by?H5G;XQ2PbUHSj*j-GBH7(jNFL^wxG zrq#VkBt|N(mHyNC9FQd71twu2clTEnBj1M37#}bvm@bs`H}b#f5%&aU{68(Y|Fo{O zoJ(GwE;1^y;bec}X?*!~(3@c=^MPDX$8wL#U9E{8q(lSgt!47 zM33sg7wj!SpEpSI5U-Mpzb$Nx4~NnM21c>+08Y%LtMoqu{hvGfU$5r>S)+e>l>L8rn2Ow5cmnJmW%Rb)ec$j1 zvt61qG8HYdYV6PLU29CDAZAXx0n?sX?YtqM^Nfl6Eio>@yPpt4KVpS5Lbv76&kth4 zu);B}LhJAv@PLX8H);Y+MW0#n7bh{UNrv1KjMV$sN()ceoiHA5O5IOd5xnn~AC5vq zihivg&EaXS$lN991#FbJzLN&9c_vu-0I~3fIC_EQOGA8DkZkge&N;tq?d;D3`Hy;D zwb{vnwWu+SW*7{OeB z1~|x;^Lee|VzoN7|HocXOIs+7x*)bl=zoRO6|cuwHlBMWn{bn*|a>^h9B z@r~20S}QeEu6s%p+#g#U)_2*-ZHMQGN5ZkZhz=+P&jmYWK%cjYN>do5&?KL~wz%WN zsNmky-#5m-^z|Y`k2Jak*e;&T0c34`0d0 
z*nC-%q*G8ih5EX=e(L57RVN)WL*Pq>mHtrWJSWh|Y2o^Q<+K`O`uYsVyq)6(d>gv?16*gv;#I4N;m+{$Z8$1H9(KS9bWk|OCVhK zNtJk6=}MzHRPN_OzVk={DU&*nKb0d{Fa~((x}_Z<`{1zGk9~4^3_5%8NPA-Kl5>3h zjVAUykVUY`bh7DU$8kgCk;){;Yf*g(%%t6GbGA<)$nrCetZmvo9S_@QXdZ9%%UDih z8JSf9xPpG{Tmq;9UXujrrxR6eSbPziiNC~r{-#T9NMk1%#{#*xA;EXF5}2TQUGQsE zw#Ev{#{QlVV@dT?8sl^mSL{SVgcuZ+XUhf=#|;pCjoUu~<_;>C01p<`WH>^-sJvmW z-Tw9!=TEQyyYeX@c4}hx$}d{$l|zyFfFEv@t(Je2_d~znBT?tX{sHyrs{$0B>Z9>h*)cSLuj#M^lCtlb0eDhM&o+`583|z9Z zO;2mo9E`KEFocCl2YB=MHo4q#oB+>S-4$Qbi$~8zcX-N%w|roSr18Ub2vZHkm<(lx z>4eu@^H9zZT(wb0FwSjNUF}vXa}{m`CqN?70+~7M+wM&a&Gs3DiY-ILvtF7eNyJrx z)^SA^;kF{HddrwT+(1HF)BDFE;ZaSYznUBymNfP96JQEhXEyrr1F%vUhF@bBY8M&D zrl>4OB@K8>%XQQ3^Bl`SUcr8|8`YHd&sOQLb@nYyrPU9(!B725jt88G3xv=KnZ609$qdhBl@od^xsYgvG!5}#V}GIfW8 z3Yz$_fu<}~P{Uc5qp3N<+wisUGbbYWi6^v~2e~&@G62!`e>~pY)tV`ogi+e4l{5582U%8_AL+-W<;De5JG~{U7C33vnZElFSC!W(6&e{_O zdV)lB5@7p4388I6wIZcUlcqi=bC;^Hkt-K5%sWOYOIS+=_!Y);5bLBsd0WR5`qBAK z4ro(mq+Mc%Wsqv6g-x@#_GLDg{eU*h1F=u{!$ep;?gbXfY{)Jw8TzY7#~Kt@09nnx z092)=+HTc%=YSq~&){&&e3gkjSy?1h%^*j;F|3?}sKt?IW=WOmgbch}$mVc38D$x0 zJF!VT5c;|8iP3k)+f(G~fW zz(L`GBrU1Z>we|&6tgWyd{SYJ%kX2Oj*?wjD5?15X8oHBR5(!D*>l5jkg-)9iQC0r zR3)6%9bvIyVX>=Ol)4*?=zDcf&u7SWu;FLkze2%p>tDnlAuj1yiUMn36V=_uR8Krqv~T3I#xrZ$ z=hYm!z;=e56`Jqv?rT^%#Uh$Y+r=p-NysH6Z9lTZM3*8N!9?A`N=3{ZQgpl%ONJDP zJ#hlFVT}^wFl%z)%LJ>yV0kVH2v*{m{m3NW5o5+lSobCzRBWg8_4($RhJ5O}ex8(| z$gFFCxv(_8r)9OIggwIAy5I$KBT$KF;gEs!4BV!c^S)G3B*pAX3+FKE9HvC_O>pDK zwd|t1UP6Ox;O!OtP7%o0RQ-FdjO>is$})ZzLT(+z*rph*Mgx#B>nVJgx@~0a;tQMo zO)|ZHPWvW?{r)XbuW4$}k?Y1^L--yhJFqId@6nqTGc)8wCz#Ee;x5-vKhyer=>4Ht zENs3Ikw*P+p~GYE0s7k`zr$Cppj9xzT;70q_C8hp?_ShDgsn@EY&$>~qL%yxosx^? 
zl3s&-k71Toi3BE|byBP29@Ets*i8W8;AO481VWk;*42-A`Sj)Y87b3$t4+zzYSY0Q z)>3Wx#u+apL-Cya!@{CP?u`{M?eb?ri8~01mZDZ0(_U6w#YRlA6)N3P0>?C#Teeu^ zl91=)3lG2;=66pyF64YWT32AzR7I#yDVp*~#)V|>vCLwpZ zL?(BHJN>*W?@UtM54l-AVBOtss=Uql9MPW)OkX}&&%eGDph?x6xTQ>-ydqAYfk1&d zRDtyIfl?pk9%t@~hC# zjWV`wlmAl-DE@Epl6H-SsF>Z8ts>Pu?$Lto=M^0lU{4 zRU5(DY-r(2tE;rMvxpS8@k0ut9G@YX0?kt_YOBqnInVZxL#DDB)}G)|gxA_eiyksL-X=WH7YPmzoEl!Fz^+V8U3jPCxu9uA3&7M7D zu1-45B#tGrcOoE8CDl{TsL)=0-)1vR-Im%cph=I{%vl}Sf^{TsVJgdX32sg4fvk;J zS``GAZ-6E?JGeB~cWbRV?A{cJPnd{F*N3G@KGqRr1L=Wa!&)9=iiU#Ylaym`sfgXM zZxY)j-g)yWe4&EzOdh^>E62tg1dwh$RLN%jBhXV_43}_^i#4Sw-4IFf%u_Xfxe;Yn ziv|FEP|La;^Op$>TA@byt7fogb`ziz^(r=+BPwD|Trz)~W*Lfq!Z9M@9a5KR(Q`y_ zWmR5Xr9p9kKgcwbIp>>Vy)hT$3Wrn@1ZIl%VzLHLLnX3Ws7xw(lM8kuxt|}}{dX#| zB9@J63{yRPW>v>busFLT&BAJ2uns_qJq^J>K~L~Kt!XzY2#SNjnRr99n-NxfCMZkmcH6LV%JoAmcc{{Ufh5?EkY?)d{`}5Y3o(8^XoOT6 zj$%hdmV1gX5!wuxcbHDk!nIGZt-XEjRc$Vs|668u-g&|2l>lZ0h=Z`NuPk)bc3X%TfN(V8u>HyZpepk3aJA}#LEmn(TRNmv>q*eGx# z{)9M1oQWj?a3DH}LbNC0!(6_rvr&Leb!Fh-MIL67*pH&U$SMX8Wln8{BM_qe)hh`a z(2}7urG~jl~8%)nOZASL)$OikQ*BrQra4rBzaM)l&n3jts*VIJ6<-Z zY4j1&2#=CnAXE@lVErv5OGdBHba5;mOMAY?!Kx?^Yyr6ya7oL8V;`C&jr5K<12&rw zp0U?flnj;AIYNrmK+Zd-ah!G-)=E=IQ#2wJLetp`Ru-T;?vDmo;7Hj7O2D^vSktKy zcvFD$A^hQz#L|qSJXi)1R|&)>Jje8)9u1oh>(i@hVt0b*Bb9msCs~7UpSyIwq&gqk zHU9P8#;o+Pbv3q11|F5rFBCMiw=!G0iQ11v#tQ<>JrpkZq;uMmVU~@Xhpz`Eq*cUB zadJR$rB=3Tt80n1TZ(F5JGX-00xp_k2^ZcIe8VM0)VBQA$!qvcUnT?I-ah01W7$)Etp; z)~~E{fqz|Dr%*5*oVwU^P%A(%Z35>=K6q$$)LUXV|4PdgjO}J9zo({Qv|%DE#_Z6a z1(~@S_=KOe#7m@_If^i>2m_5CKqA?E44JFT?x@C%q3|As5#5w)P>En!m9dx<4%psc z6e?~WLf1O&3o5BD^vJDl#qGIYv1{V%V`XKHz!{9n#}m#f->29v2^mWq$x9MY(Ezdm zUzQMdWt`u}YXv0YyQ5UF_#WT2NxN9OiE>NuB(g7t0m#_JaHy@D^t9P!y6m}|;1hz8 zaclqw0`JZ;Vu-=9hZ*}-Fry&8q7b_Y_EG{c6ou8*)y~(!F9m^gAOC+c{QIuZKiZ{< zwRwHI!WmO;ofcM=v%tZ{p46#Wkex2fISVz%bd@K|878ViUfQ7ATXH z2E}CYjSEyhQ3T4b7K@7Fzfpq4tJUPw|2lAa*_bllm<3yOJMh_oD0UwbD$7L~!>GcP)o;#|@Ht2793#!%4i!hN0ao;^zYu7q?RA@a z4bi*CVhE8>etzDi~9gw?u=kzhR_(h===6)f1WB 
zD1lTjSt^&Y7sgdDU?8q<1?{M~!*zVqYF$?2#t*l7tl2fDk(29;HPq1#@__!eWOmK} zQM%Aq6+V#}0D5>w>@{%6FQ4EE>UgxsP6OiE7tapz&)!25>=EOk zjADY5mXqIzJ4lvn_8!z#^VdN3vNOXG6>S^k5$dyS@JEuYDl))0=_naUHDGAJuZ~Kz zKrLC#4LoV{adVrPtVkG78#4W#mfew&$axaB%1xGHepP@XE!l4HdSJB`PGZzZNtj4< z0vbA=m@vIzLj~MI%@Y_~c%&i-HH?x6-wCXRUDey8h(JWd+WB|j@tw_JU2o`jW@-$4 zrU>!>x_PbgKeJayd(wm+BpKLaxc>E?t3OCnd;h~5G3?RKu6O5JD)CUyvb(U8BEsA)0IbW;<=;S?Ip%6J2H zw_^WQbpdtkbyCTWp(FQE%TSkuB zpoiXa_A}Wl#SA~PA+IDEQ|BHIY{jH z5_D-PS5iDuDXuSGB%Es7OzJl!OoM_={!SjTYi*nt*9L|#%- zxXTW?M9Q^V9!m7AdZD~9Q#SB};2dy{9n`=+6?%CedTFIJW*$KNZMo$R{5e0%JiWDnjw8I?|3$wt5M` z_AW7QOlwwn0S|K_T`fSGI6fH^6orcA&bU zp&^jfq!IkxG!xX;E7giDDT*<0$iXnec}tm~P=4BS@175Y&&IUAam$eo4!5#25jj5i zCc^jm_G6aYR0)XJIc;}~l&a)Uiw*s<&t>;5OO|yJ-hZ1<8D!05of&5*2%b10g z)@H?c!;i~>%ZiPus(yaT9Y?lW)Ojt)2<5nx^4goUz4yOcTH=o>X|?IVBD9rw6S z`r4UmG<7&|x2qnhN!UK5%NV?lQ=roW`@>@*YEZ%e>uk~de?>*#4#9r-^ZnP=7a#{i z(&I$P?|EbCcyk-1Q0TeE(dH&_nJ{qrP_%9phjNgsAqEH}H>hi+qa1Z;k7g-S!6{Tt zd=HKvf0)t0Hf;*PHf;x^1xkHL?S;3tM<~yZq;s9_*S%%LAx?YcwY9qpX}~0R80VwT z?7r0vuA_sTPMZEaQ@nq3>NJJn2A{dy+HxgUlLzQU)=&s~hRrlj89+Ne!c%ni71^+) zQr}spac!vGx6+s@$g>K_3KpaoT@I1v${G8Vfc&Mv?1jtpl6C`PrU(OsX&iI3s}&L4 zk>4Z0EyN=cOD$Lkp(A@l-&cX1b$u#YR$eg!N22?t)Wzc_x;X3-rc2L_sTMQNE;DMNYlY#<upps*|)9}sE%_5c%h2ayET-=^WIw8rt`Vkzk~#uFocQx z(E5OaE&5U)YKC>EZ`R$UNVR$i%jki9xwod-Cubl@GZ&h}MB~*0ii3UQtUwO7xaBIi zDJ`%+0b83nfPW!Sqdkc#m<1PgqQT-Y5;~~?^FzM;J>e;Miqpget1lv1dW>yXetS)? 
z_e%9f@4^1#_2JHLqsh{?Qa#jtYqq8gpZ|r9zMEndd{%$<|M=VBzH5n4ZH|XzzcFSimg+sAZGb${${G_ej1(f|peTAsJV<<){C3=AGkwoJqHG zO=%6cGKqM`DNLK?cOCfJUIS>qEnxGz60@B-WIk33bbTlv&i7Y;TX(*=xM(IK`GW6x z>G)5|;(@$I^6NzzSU-qw67Q1}QjMYMXqUO%+6fhN9BUhu4|Ps$VX^qesQnO+eCS9k z<4(ln3?i=(>Dgm!P>bPmgZQ;Gb;~!Y;ntvITz{BEmKk#*Xc2M<=PHkC>#7g&j54`o z%_o{n10pi|!%p_vH!3VNp`RM3mb9>*&O)}0$)GdNRp-3V5xxR8yWhFVgWD}tH9WFU zO890CI3a`9nJi73&X79Zc8BIo{_N%FZml!UmFBo?Y=m#+pAl<=)1%qiQREnZ7e%kLKvh0NAj#rNqVVnz@Bqeu}b= zMU`)78T-BK@2`A%GU4_*n(6YM;#5c6LW5 zF2^HT`fzh7(dEw_tC8AUC$A{iyej^bJJVMWJP6C18q2mwc1_|r=GA(#tW^kuL_{G<0YtreyR_~=kNSq zXU7dPP=bL6gQ(}xCJe!GN2FO}8h>MO`Rb$|!zY2{1`OL?LmulER|i*P zx4^OIp7T{=yjE8kr*3-jfcLsDdRYKXuU9k=Sr+je-hiIDp8Sh8CqVEjLHoNsQrVNe zTKPAe|FHo4$n~^vRR2YU5n<4=u!w|2&o}GDVE%L;Y=_rS+`Ne9B@6E;Yw$eT5?ujs z1H_9dpeZrh?K4|jN6hd$sv)BZ4v%bv1#47%R~o03*W{biuG=>l~qv-+dA zHe$(bAD+%!NV~FS`dAN2KrTgOgCk$0eX~TSgJo}HFh?Ad<(>?brlht=xqQ)KnL{!q zLZ?|)KSas@b(tLq}6r&G#apmJFe1Fs=qv{Z=S}Qxw#q zM4l3GmROimcp^bfKO#vvT2mhZCJVd^U1g~Vzk-N2mO?XB2$IM#VQzks*lX1UjN8I< z>mV~A0u!eVnEBt;L-p}ykMQ4s1G~Wm6UEIJhv;d6Tn_qaL#BE z^R>=2RIY48fcuw!MlD$s__o;U%=y*%C+Bw9EI%7Tnffw<}`Im!g#L1?HFvl>dVIPd!J zWb>R!9_Qhu`|W>ru%pvXEI{>{;2^J@`ko`nB z?jwBvieK;|hE`0y_i#EV?3h16Z+SfhX;t5%ji!ZFfQQ9zY!R8gresb9oRGF zX0MD%MLA-@AIu2$)9D-qQ`C=H!haG3^KaG<`mS}6EZQpB6=;egLmnA?M-~RHy>@py zsE!t6G#t1_caZmlDx6(%G*Suh8;IG)IQ`Mu(MiyY zc7PtNhfI6}p7}>hsdy8`#;)0MbAM0+EcY8wSuKRm+XEb5GUr}iku!a1(!J0GO4RSG zG_$1g6nZ;B_kzzk^^THEA5^{?%_!M3IsTl}q0B~Yp;$tF;iB$H%lJ~SQFD&q{e>=n zd5D{VI|mV+7s1ChjPS(TEp)lmvZOCJ;YtmvgXZaS&)m*B{57dL<&q(K+e*Az4thOh zf75&E)3={C=AXFVh<*Us+d750P85|LkvX`wM;*tK3$O^ur1IkZTd-*PirDGM5H0Z} z16;d3B_>+>!dHyb2x-+@^`NLH02@TUndB0HwtkxQJh6+N^W1ERZ9YT51cbJ)X3HUL z;JKHN+z7l}dU0@;g@o(Jj75KhAj|+fwk2ds&tNU<>gp61B;1;D1=`!&*VCwqTRG13 zph?BA+gCSC3J1x%4US*%*lj$>Rj9VB&SR?OJ$o_zLzs^Aw3K95FQ9%dnxLk@xR{a$ zu+l`I?Z`gRmpl^%J7}1qKCTH`0 zF;4D_Nc?5})e1GUGO0~$9asg~Qw_=Q`$e$z(%3HP(qw!NFgJeGO3&9<6UA{ST~K9o zbKf73f;)cXfS2WR6le&=(ivlEKY64WAi)qzail6Ni9|9V`KCnS)N!ICbdL4Q!SASt 
zGP~WDxt#&sP8#H(<~A06t-)gAtEj#GCB)u(*5;!MvH^2UyU!~DGsNbliZxC? zl&Meem3axZ2T3$J^Ci|mXx-=Mt}Ed5ZmO$v^nkF~IpkbhBZV1Hp~3K7LlI3gp@(!c zpL%P)zGxhT59dD3?Fh!~dlL7a6M%))m3%z>1#ZG-vGPKj3}dPd1!^aBznOc#yJPK} zz+f50oUNaI`PIxtk|t+@iB|wj_WE9SF!%(^1k%KuoFp&aewiM@_wS2Itl=#+oZw-O zJi)8Shg6ia1yhGPqypdl~r+2r~F}CacHHW&}6snz7cNINfX%?kjA9i;{l?lSt z3)}EG#5K|dBlpL>+2HA)+*d%7ci4m`_L`S+Yq7h#4c2VW11}&-b~Kq|y|Cxykb6wPA9M%cHy<@W6B3b2_?8 zxv}ZweD~_-H7uZxGnoE}NmQc3(>rnR~(L6YhSd=m8tjjl;PU*;?9>NTKiEC1dDBNl0j^57sON z4i<=BTqKg)Mp%LOf&=oj37Mo~Tw{5-4$mvxw-jaM)d;*3+~yj9gFBoGOgAUA_XOs^ z$i!owAyKx^ojUnHPY2^oj3?DgSeH=wuuR@TLv+CM8faaPD{RXJ0wuS>2PDQr-Xdft z@S+dqKhW>sOi;UV?ml+3S}X^tLm^0iyzzOx^egfzgO51E&Vi14$*gX~Hny;Fr(~=K zhT_k2XmAjjsk;Koh}m|KJbYCyfe{w+WH@&H4Z%ctF(@zd5z&~=i8H_)9y}VO;HLz4 zo5fvnkuF2)O)ouyhp#}xl|H_D`Wp^%t;Vm=BV4UPDxE?!)S=nNLdd{(WfJ;k`e%xG(8;iFQ0wdQ&~vLqNS5tl@q>OZ4U+|ec z;mq_~&*LoN|K&t3I(zG**Zm8D)eRaC{gcZ4f#8`)a#DYR9Mwu@HMEWnx%aIK3l9E6%%$M#c zqYhQ~39KJCprRg_-$siS(SSd9fYV&7iM^@fHv=Vv09sc zGD1kP)Uf|Op&lLTFB1ICdWF_lplkIX7P3ex3JXEI)jywpe7WjMXxL3MMr_oV19LLk zVMc#c1YK090QOte8%P4&Ult^6Q<~@6q#CUA%c2?APbue~4Eyu5AfI%5fLPZCLtB|= zzIw&FKB_HVoXN^}tC>>3bS)~=H&OGmS0vkb^g;quCJ&5XLZJ2=v=CJd@pzp3*$>MKykUh9(JDf!IDeyhUV_?k%0!t>2)ZVGSZAP?77M}o#2tNu zgk9OV7R^c6z@YD9k>+aRC*UX35z5x&EtfGty*r10Jb@SXc^)jiOFg=PA z^!SsvjQb`Rq@VfbN)}7*8WEI!xkxKa2U)#N+;dhf6z{9Eb|)Ke47}I0EVQ&iSMIsY z_DZTVXJ#3N)Ase#6t7CFxV7;E7248=Xxqp&z;ugPfq*DV>>3ncW43gvs9B)-ObC{n z_M=R;G$z@ql^yd%R9OQ|FP|Nz*~a>?Nfgx`MQQAMJjSkK8=ViCL4@3%gY`MdMS06` zFzo8wt@DWMhsLYfF%^f++AlR^$Bxn8JzwmB5v_7RJ@7<_f}j|v1_q}%RnwoWg`6P~ zyMljas5T=-!bjMa+wJ!TI%0xPI!7z!QCk?I=A(#Gp3(A9&)y?eWP2cD$J1aT=Jz52 z4@Q}t5vwwNKa$b=^3lMvjEuzg0&F5{(O7U;?8bZYCKduZYP-$&|K&vSkV%ncJ}^@j2M75U@6nu7v)302)w%lq10)`9zNfdduK?2 zd(fXP&EhDe2n@p|k=dY)vLqS&M)UQ}-av?=!b<}!Awf4&oroM=K3#N9owtu~n8V-{ zkR3$&DkW@|hDoil6F>rrWX*rd+;auDl}$H#p7Lg;H)Z>O$MnRXk^pfr{?%7{WDGY< zIvbG%f^ub>#9-yYe7-+V$<+C-_eLBMQ!XQqJ_xIM@swhv@_26a2LWoY4R4pCcMZTT 
zC?=Zm=jnNfdPdVqXTYCa?8F)DE(qKg2VC1}?_g6MVOENK$M^=7N#NL^k0j0UYnf=Pn`CW-#h!Y7ZPRo%~_x#?aOVl zLe2im&fOw=94--&H9Z$t!Kyf0-x2Sd(?_o=I`{dJiH5@fCk8@Vt2HsXAI5(WK-i(X zO`*@v=?_EOeRZI#fxE~%(22ZU{Io`_Y0&k#pd`CSWM{d`otIjwvJj+0(ChlHU13yP zLTW<`Su-sy`*gg*t{$2we7MkmR>EMV@ca(UY&j3jsa~p#uBI`Q@0!?)1=c%!tPhN{ zk^df4ZzvaEHC7M--+ez5lrQU5xB1Eo~J(vD^oI2 zZ;PUgP$iw?l^4f2n3=NSb%(x13uWkOi88`D7As31=1L#_>Un_#G=AM=n4d~Y{8)P8 zS6YYq&o%p%2kB-LdobJ)ej|JeI@I&JTC&D2izfJB>Lb+pe zU8DTj4p=RnZq;ux9oAzQW(@kY6P{U#u`<57--j5BU zJ__;8Y=i$)<~+!$9T%gVySG$ThEo#@juG@!63aCv?;w-R#JPn6Jzn~Jtp8H}FV-o~ z1zBg*KrZM2b#50r68Ejm5ZSWmS}Fp5;aG;!-%JX;Y@BEaI?)3AaPvE4TVzof=ty(y zU$OG?#@`8j!KXyP^>+WtThjxxVA4NFAR1?;G({)O2k{{K#lh<`{so$caDNbh7eD32 zt3H0EfT|FmNS{^j>MEIFnxD;g%ojXx^D=U?SLh9BnW@i%`B503A8Wo5yFA+~5-hG{p7V)B_o~QNTthFaJQV8|N^8IF5uTsh@ACU7?Ae8mnn zU&O2;*i+utbiw+7Hl6}I-c@>bM>|j8&Zv}Yd4y~dq2+AegKB=>FeDA;Q=0c>237#$@ zoh2H&0cUr!BJz4^?1dcB3_4WSfnP3gRsQa5JDTm-l^0lrMOXTOFu)6f8Zg_aKvz$5{IbC0o_iEzBe*@zl+tXh|d5M%02E5_~ zX@fe%=iVD<$?cjt?EY%CX|m%BC5JgW=D@C?7)|z{!_Tsb#zYz(NDn&I2K$=2uBSRq z`8?nMBfxxML(Uxsd+BtKdWCJ2c!I+V`P&SFuej1?)}M~%FqE*h6u1oK$EaJ5EB&N` z(NRx+@;Ge}xEbtdvMoxc{GUK0_D^8>zK&YtHcgFcI^xkrc#|;@Qi^N75rdg`&+@tAFPH-z?^7 zQWhpLkf@%8Xvg0ctM1>uslH>U7WWC+Np6{l=Q{#v1`UoJ79s5nOOM#^+%O=|o$j`r^>=6!KEvs|j97jtjDFbEE!) zHbW?=kgu&gGUAFOr=(zJQbO5F={P&S)vBE<8Jy~^H0hSMlBo8Fg>}_rEV;A-zDP^f zK8v5qRYbk_g?dUJU!GS2Q86Sbp_5WY)P(7b$kl z+9v@jZ1N>dB+c7L*dnu@E-v(1U9=QOR$}HMZG+p!$>BR@51}F!vP15!j#uN)>}c&l)}OL6 zYkQ?Zkfx2Uclt)s+_=U+^M;sm2YnFqi$;c#tRXBkSeW>Wl@rRZhU;&b8InwsU)j{KqG6bi;}Mpbxz_yUN0wffGBE8U-?iEuz9qd!_XRZc zuGgHcMQH~yOHgw+^Y*#~2Iua86%g+MFwW1H?O>w^h7Lpxuv}&9;LxWht+9Q2;siuC%55XN#6y@Tm=NiSm}C~_y;3&TCP?>(c!*z_GHvL2 z%=VZs7HDH}*{o6wu?G_O>-l$ATJ3kYv$C@G<&Cedo_4vA9lf0I27FhHJk4K)D^+&v zrArz)cq}Y$o$SCf9E_Mvbx$!fvzR9I^wnew(+qW#MQ#5p=CdAs*MZ1lMEj%4P@^QIQRRD8z8t^h@ELYhU2iWs9CGG&T`ys<^oce%%L?NA>ODWJ60nsEhJLl# zTG(yd*-o}mZ|uGLMzA?Q-!u45H@~xT(48pTCrO?lOW7xmD$Zir&0*k|E<3=KWN>l! 
zw|DV;!aS(Va1eO_#gHJ-5c`x|ms$VF{w1gV;!QQzzx(r|ZRx4JgSmUDZSI}ZoXzM z6uaXBcWw9ADV98UnitNE`WI`ey|-FV*j0|1&hp;&kEz^$JM-qQJ#%uraYSBuJ4e>o zPVA=yY~{pN2;{pWDyP=fmz+S&SIj;m*l~ z!>#;nK?)Tg4Gm0xvh(-Yb790te3y?57lWKQG94wiwV1o!;=2HjkXMpDGL8tYLx1?W3*uUN;j6+`^IP55|VCqE^O`84ebqR-^SC$HwKW5t33?;V-?HCLeb-swZL$R83Q zW$+0sPTb;uZg+Uxy9K|LRxx?o^(ZW`vSR)*IYrw%q756HIj0a#Z>iztv?SLvIi9^u z5U_LWFW^ImSIG_0CS475XeX`s{*=OBn7f!ZX8QY7nsN*GCPmLygJTJ`Jr><>qo4Dy zW^JwdrWr2{%Mn`7=LXy1()^;gBBV?HY_0lbe|r}$lM~K3wa~Rv3uv|??=2zo-qY)& zV+SK+R5j-?LQgctF5%dd)Mq$C}dn?R(}J zJPro)gOS);%D6mz3=M(TBEZ zl0qPWD%Y6tYUKx@X3Fe*=&xvomXhee=v-M;LHwJ=N7K)30CSxFNf)FxM^GG;#gCSHqttV@5-&sL5x~M(6ZB7?|1+%_)q3 zxWp!N4|_P4ws4(mS&2%K;K3dv5pgEp+o~G9 z1vgxH1i}bb#=b}2oC=$Ir@M)22U7kXU~X2xfUJ*K*_-jpPQCB!C<`6W(pkz!OfD&w zs1t+0*QKX>uq`J2$aUyvKDF}oGhYvx%c}BE372nfH!21d0B;$E`DKLRqJ~aCYIHjo z51$t0RGIyG=j18(?{mXI1IKnF?j9pbY-K_{FWK2vTA{Fd-oWi>fbZ-(!hn%f)#nfJ zb3HR%47!`*QrP>99iUw(_3ari0u!RExMc#%RYxOdTLpKb?I`gqnG0OTxcy#O%ERO>Pecfnv>dV^oR@> zm*re%e>Yzo6iN;Bc?~ylc@Yj?H7(g~E|1J}9jD9zd0J1CQC0NBz7VgJEU3KMkSzJQ zFmu{yDR1V9el|HD8FPms{Hu&4YKfPg_%;PQ9`*h{E7E(6vY+0BW+tQ~vIr$5i5fV4 z$!fz(2glq_hhrj{FE{U?ov(bsVX_dA!b# zX^aBCUk4>@*CoffxYk}D^U$)mJQizZA9#8&0xk4C6#tK^Zw#(8?7D93G-_}&76*4k@B8M2<$JG_aRO(0RC zg)}y0YSq$LAc;gKJE;h{LbaU>ZURO5w?7x{t?eyWP9fFKK2#SoD}t_rtICtzJszFy z_0R8(1S`Dp%9P^b;12tZop)UdokbfxY>_20&h;0H=jnnrm8D)L9+q;X9cxa?L#Lef z8@*F7^7l;_i|g0(Y-5;Cr;C(N)+HWNE-TaOBN!V>K(*uY@*Ed64>Y_D+)cIPIa|w?EdbysR6ow)0HdWY z|0|7{7v^Prwfyt zy$E1YHiwzu6uy-rD5icGPcJ+Z zBGep!9z6SQx#6;o;=wbwoOt+Cxg8^LCEdBg(s&CG$Ax0mUyJb zhud3pW9KbNKqegKW90N73+bPG7SiPJxxwf2(pij=5>blG?{La4F#H7@#H_0=Z;Je+ z@3TGDHbd5+SEL4pn1zI1VB9B#(TN-*3?JFxi}1q!R+(p;NyGu~n3gSL6nH$-)+ql>>6NOha_QIhA(fcmD zm_9=^m`Vq@L9x8%9Jkvkc_48SBKABKl02cd|TYs|}%itfT z9Gl&aeB3IF-LE)@pL=BuRQJhQ+}5#ce?e=~kgU*#jc|^tbtFCn`kCk0`lI_5@=Qp+ zvw^Xl`BRkCq)s~{idgGtev@kymz;0^fHV*Tp`o8;&rer=`Q#o7D@z+HMLdlY2GxK$ zy!a`pHy{0;Vx^tmBD*!_gVEW^zIu9@KqNdg6s@*nSUwYV^Xus#M#ib7OIoX( 
zBESP;A4-Nf2Io)yrL0+8!7Eb&g=5&+bJJff$k&$KX*3Y(6P0fMoqXBWVEC67-eyeG47uszpxs+jWf0e?z>aYqU$s#YHJ&z!!w zJChWG?tyicX?VKNnLj-HiM_3}cABrKgcs&n87z43Av1LHT)BozC@Bs5uvP?SlM-^@ zNSC8=O9Gyi9q-`}0)4|!M;q3J;p_#wpg-HU)IAARF~oLZ*(ntEQ%KX(TS0S6!H|UJ z@5}+6@Xn&G!{$1H$P1kqws_dn3l!cuf7tQc4?U*) zag*^r7$>D~TjMPbesm~28(Fiy-Smm^Y*$O6d&ax!;``cblC?GuO$u|SDW~2%&*|OO zGs&54N0y16z`{vdr7l&)RNTnsO9Z*TfQvy&1>ieBJ4pJO+8{IMa6J3BWiF?l4~K@X z*zU7kH=EdS*V)4Q{qxjnr5;%>0hmpR+Fb!BW`|!l7D|csE8&aBq^REEF**_TPS& zgJ4`dnVkQ=Ll0{5b_TJhOpqgnSFJ{oD~vS)y#PKlp%SB9T2~Z}?sOjgcN4z{eA)0c zk!FgR{>8W<#X8+QGe$OJ84!!vB-vOMq*pp+SniR#f(8#?3B(_5 zg>o&To6b~A3+#NqPMgK#Qo1440>+6*vJ4GM8H3hq%gU#=F23|ssnArbg7*^RpNNlY z0VY6AF0{PNN?58V``louz%_$VCtL9Xij3<^kGJ@N`v^xF3^|$kGkcaXNoYX6yW60z z8-rm(7>nktO2oB>BeEnV7={5&VuXpD68`{lgDV8l4D-N5y$&q!L+GX zI~w)Bdh#m-x;Q#F_(M;kZ87Ky&<)6*b6k8nRMC|CYSwx=Q`yD>dKmgAOu*stw-qx* zT{@?i76R%^AvVxCqOXKUPN5Pg5XJWexH2ES`XTIB##LKHIhp4|PI4r76Or%>+JsVf z>YEvPInFMM=?l{wAM9j7x94dJ>DLc`^gW+tLvA>@xXcl)y^@H!Pg(voKhX`o8rgtM zMrvH;A+ITzy4m~9U8S?uS$5Zq`c)bAV-^rqt(lgG&As3pD?tn4-X>aHr~pv68~7mG zjG-U6hu)_xir@iW!3()MZGzjxKeHJXiu|wY*xY0bXQ|w6A96}iH4Hf#`F^l%2?t5% zxw32;tF`UD1v)0^Zj z=kE-GRoVDAt~VZHoNpcoYoJ{6F47R{LR_vB+Fx)8__#~H7pm%$qA!;`q9VAD)q6tZ zR7}B1UEj#n(;m_=IA~B2u^FoT-QoLdc#g$p%NEbe5iP{F18s2p2mlpr!Esb#Tk*o3 zgocV(QK3I~sX%@dvTmaI_moAgIj;FFDg=~-m(PQT`@l{OandXHY)r_Gf+EWWy|K^@ zw5v(pjAKj35;~`q-XU9mLaP0fS18ksXqt_dH;FWLB-^%F8!&%zXQIOgP}5qVHd@&G zw80Kn{%nW0Ldj!7V*w+fR~k~Des=cH$qc#(d>(sA^S>gQNGhcW{)d8D6_S3ZyykZF-QXPg%0^~ zWaL(Yw~SHW;1y6&%Bc&(?Imh0k$Nk{o9o$;i>EsxfazQW?@-svV zo3iNcIr`HV+2zEMrQ27-2A>3rF!=NOJ?-7gOw{|CVmYQ0sC0yX;F>ikkR1=S827?~ zdcMdy-+lf*M8bQ(+o8J@@)t^!{-84wC+H;o#F6i)S*#TAktQ1M0}#vNfFdvbq2DP` zK@&$&(!3^738D44;b9pjNDO>y2oOPs{y*06seFe-VZUDX)W`nD$P4Ybha_iIS zXkgZ2#zMWp)H_H7;sh7<0LFm_FL@r}Yx5W?VC$#Gb)Asm zzD`w#w?iG$yd}n^{-&6Day;O8`#I6cO{=0fhv?lxOuvKf;jlK=5suS@ZIzs@ zaxJB;P_+yttbEYBjRjT9_rTo#P73wiji+Yn-M0YzL{#IFmO;@*N-htV7JhhZcIB+7cH0SyqP zzLH`C(A+0RRd8bRL@at1dQXH{lFp)q_%pBX*j?~u6v~F$4c6vUu+m8vtBA{{PtyZ> 
zg#yIX)K3w-^V-i1^MzN%{6!IzTm+jJTsP=#tvQL+ka2{k`Q#rFUEMAbeLP-q${SCurD13qyzZkrkGEs^5ceG%gb&8Ap2;JWn?P!8hEdrIO=*qmiO*BS z6i2m4e&8G89T}umEXGaQ3tV#QHcFPwSpXoXP#wG^ zH?hE>kS)Y&hEt$#vM@@7o;nI@4P$HgJFS*3SH&kh3}&AZPL-%j0)E8}7$B-_!o7n> zq+8Lu^P->o_C!G=cwQs^)c#?NDxHxbZQU?AVc7-Tx6$uMv8PPb1+;)nGl?Zncww^X zsdB+D`0X=c6HDXKSkH7bBZ|`6@V2kMY&aR640T?<(hpytrlW_A3VSU|#IKF{#b<jn++P=gS3lzonX`$Ph+YRbYB zTcYWm3)|mI2c_y;0H+I8AGg#0AVyn_(+W~3tsf8z*)rRRujW)a5 z@^DLrKUP->J;_I-om3ssB{LD#g>> zv_iXmp@oyf|t@+B@ zL^miNU<*2c*qJ(Ktkud90tWA+RZ$WY@Gx@pTSwcEFVNKBP-^x z+pGC^Scr6U3RD>sg#>}Fuo`6oLt-4`u<5*GYUF9*xHicu_Fh0>NSi`J-up%FPd?L%QmG) z;Hn(GnBlq-#7+a(`x?{{2|LrIGIZ#c$!MKET~G#oZWmfp%gP z5FzjapgP4I?=Y?4l3Fkrg0=y9Eh`L$;;w^PIRfTk73xtHBc^wV2u!Okw^9wd_a;Iz3)d#Y7xs3|`$glZE$gNiQ8SQwXnP?rk-*t7 zew6N+cHuz~{EudCuHm+A^n*o^e9^FR{)^c@7AGxYjcvJn!#p?90~&D*ZLDGB(jH8Z z2_ydXl`fPzPbUIMC-B%w!XnBHmDLCuQfVCWI^*F9Gz22c_05Fq z#Jv&DElVYF8f(L%q}S*Kfh)_V7_d%uHpHu#Xgh+~$;B%X3VYFfB$y`Ul(^jy<~$)S zAif2QGtOi3msXP1aLWu7XpRU^7Pg7$0v?UF6Z^bF;@&Wj1u|xBVJ7TXRSc!Pvp-%C z4`+)%?2|mt<68}LDD{ph&~{8Dn%9*|m6YXUT|@kMb(bUEBFguau_>3zP?QC$By!nn zQdlJdVepmFc5!2f<%szDV^ff4z7*47_D7?)_KEh0OAr**23r4Jn^hk6n_y46b6yB> z>e95vPTo@H4u<36EqGGpy419fvMpce_d(A@fQHAgEho4#qO}Tz`@(CY#5KaSV_8(6 zQUCHChOO}MT**F5(ap6W?!c%TRFIn%*9%r+Qd#8UMvjq*2JJSanq4^?BewMGiZ?O| z13VHILAjm7!Y>#m4Twk751Si^LvHRf;_q4&p~v!kIv zqr1s~l4NRgeF9H+&7XUQ1nI7r;sAu-S=SJ$nAGPDZjTNF{jxarQL+8)T!a6Lf<+Am z-m{>UGiwn|aJ^zy2yq{8pZ5|C5STOxFYeX7`sGa&UWv+O*3hqY8s*1qa!Gi{@Iwqe zTfB0%wE~f~LHmm?S=E%-rx5)}pAD7Q`2mrhu~wzDR_7m;&Rex|JQXtU#%Ev> z0Ys5O!fn`@f-lfVml!Ob3VhPlGB^ii>FJt#UWF^UzPsJP)Poh}JtRN!Dvdr9Q2_oO zE=}n3&E4ylhMLQ?*@V#iJ>!~ZALM@YkhyyM3%M1JZ+KB4s!JIo@1+ZdI*R>xPD|sM zw2(_SqaEBXm&6hjR-lsN8K+NYJEDzo!TW7@GeqR``tGy9)b|-PxZ0q;Ot`tGHn?6X zo}D9tY2}9bXm%=|#b14aeh`z`mLtLJT3|k2^TdcnG^mw;wRZ-PrM!{U;+K1blT$8{AWq+Gdq8bj8<2#& z6d86G{kgN*HV(ex#-2P><}v}%w6Shsfew)^K~WHoydvC>yQHJAVRhN(OsLhlxyki0 zDrJAVdb%Oox^8A5&Nk@k`n87QTab@nlSq5tvPcjdU*~V>#$;4hh!R 
z-&~&?Xkzt1t)_UQiDEsyMl>@o4Oww;zWWrI@<0{j)ihDN233`#j7Y$0ofQZ!tqi0)&Hl^e_GaB--2S2c3405 zvfw(hho>)RXJ>aV91P77AwK1;_RUsY^pJwcx!MAQ?bfxh7Nk81+ ze(c0h8mW*N>sOF9@1%G|+!NTaUZI02q+qToVTJupcBNdUhP%C6x-N9$;hu`>maNQ8 z4{#JoZat$@*pBRnfZjQ7fpVYjijHPOyJu~j@$Shf&|myRH;b0h-M?M@)`8`hftO;3 zqjQ`u{5~G!*jO6zi;LPIY(ty!)wHpolHyr~vNHqj09ruMidT*r6V>FQ#|s_%Xl1}W zOcZl2O2RAUzYK;m_?6?Y#yAL=t6Y- z&sjs+LO9u3f9?)Z`EpzxIl#o;GN-q+JQ^i~VtXziUhTX64)Qq(-^sACd}*@DYU1BT zYYt_7YogN7Bpld_BL*0z96}x^QnkF{1OEy7rzp{l+nIPu^{d&$UP zcG8h*>!5Fx(f8RIdH?iVG-Ujgzbb9*1M~l!^Sk$M8fFvC0ukxUjY>R&6$*H z1@Y2JhO&{5eM`0Kw5M?KY{iE)Awn;|u7C(P$_^uRr`aIcH;Q;Mu^xQOqKZ$aYl;%npM=1(WN>S$jEdj0Juk z>h=PCr=WwS{y7~4%%y3;HcwSlBqxF#wKO!S^Fe5v-q|fJnzD<}7mqpPjVb@q;71E4 zHZb?=CqpB$bRVs`p7$Nn{$-az`(Yo(M@hzOb$$K)jw;KOv{ZV78kk;y2#876R#eNc z+nr84Jk6*1km~xpn{+%vqJ2yTJ^Sd}|2yC_A1J*pH(JToE~%!sx+UTP3edbyK>@L zO`G;UCN6v&pWwQj4t5bW?erg)BTj^DVt7gaWW*kVMx3IkY4KY=#sel7Z;uviI+_oc zC}e0%rESCHnxuTvs;-}!HPK(+T&}{s$*zydv^lMpYE^V^nrF??BQtesDx6*xF8CYF zC{Vrf7-BvpIZJ>%hl|(laarw$!St;c7jK_nvb>0$RJ^p5xAw8~t+%}M2IFM+$~|r% zltNAt1r!=qD8P>YM+=bkTyEp7KbgH1@UYZca975l|MUH)xy7xj0M7(pv%y1p`|2z3 z+B5f*_2{~6+rCbI{#bzrw3~}8W$cI*gErTg3(hjf!I6F2^=b=`+X%7+3yEM<{mg@h zP640E`?-z_A)AY1y%X#YHS%4g6AlV08)mkLyIZ>95r>08u7NItfM1p(f}GRjhiy@K zI@~6ztSNHV&%2h=OK*~CM?G!MCnTom zqtK_E1{WMt3q;GeN9uSk&w|q8a5WL_(2TEB-$JXcrYfTJGM?r15|jyk8KVbl=<@zgcbw;|>U&Ysbz~-z0Av=7Dch00%cd z{y`RK#Ri5xh-fzWP^RR`M;^y5U>MFswDZBO3N~A(zI1C*6-~JhWAX@mARF`^4aB3S zs;mu1!Lbm*>W4jxn6fPOYA8qA7OC#8@b>pNNq?;#qyg=CgB)be99e<7pqJQcVL1_> zxuH~93K9BU4WPVGd)SMlt%bClVpTuE!m|`*oYXtJ9GUps^KrYzqA{<-85%S^!J|(! 
z*2V3WhwfS=!_E{Fz=BL?zzhZh^2w zeD@uRMZLoD*f(c?N!P46ujWW|(xp>*@PZ$S+ysZ6Q~%vL7MMUYB>>%`Q;8$ao{?gz zu2cl7PDtrGm%Df@wH+@ONXUJ?v#HXy;^{6l&az)-FxS9;!@t<{?~T0gkE}@B@yFoI zc+PkaBU`5OF#7L!MmrQalpMJF(Z@**E=KXhznn`8&;0TC*mqlK}ZT# z>)QEol;CsmNXd2A%L}mXn3-fje!uTTm}-dROvD2ky-@8-j5wZ0ytN}#&f16tdxi&H zls3!Yat>V}o-YpR2R5|gdS=j-^AWLGTI`LLK{fJmrl>RXmS~Y9q=m|~9QnpN%|_RX zonOn$_cT14y|l53{RI$M0ETB5+n;QuB;?q}vDP5un&|y-!0gv9^64E=Fz;^efl6{a zdbqU@HW|L}W}#m?P#v_UeGaruB5;v9#z(D|G*AMS;#u^Na+7$_zX*Z-V*Sc9BiX45 zOO*kxxHg>^{%=T%Zf(HkjCJEEzuiEW3>BJRoSFquu1O-&u^?}F!b`s>+fRpV-+lg4 zz_IMRl$5MtBJ$dlmk)8cgQ$Ey-}ZQOV`*UJgbAHWrs}NZHR|Cayi$m(eAD|(v)Zv! zU|xvQp(tBJZqo~Nb+>ZlXB83L{b09rvw8x$#D z4STe!vsz?6wCm|Th)TA1sn9CAgd*8GNU-Qu=}!J*XN6K8uF#Hq{^|e;>Of=I{=&xE zTJUb;tuNV1=)b6mZLM!~J57O1g0ks2y$Br1{K^;M!i=v)`?VY943}MN;M?3qD4!** zH`?DBn`Et`Y*v2eAjr-3gNk9rXnui-!5}L*k~a=?{)n0VgsxcwT>W+bUOW-X{>YZk zvVJzu{#gcj^7ABevC0-4Z*$*eAq2k)@>2Oj9#ZbOuHD;>@S+l`uW6vsYPq%G+cNt} z!Gbi2`Sb0?&NplIEGq`HjU%g6sf3THfIxpqx4>XRU0_6w;c4%qAN-Zm50>PZCQ*d- z1`cp4cnpGixO?~kQ!!@8lY!$>6@*GmU6 zA5L(==zvhp*$+?kHH16CyzNjm?W(uC@1zHOX}Vnq{Lh1rL$1)mb9 z;;}d)tpzHyac(h>ucD!g-i*IuUdAIdfZ(x*LVYu)`(hEHG@Nap?yoT4K>rXVQ*D(`!{1j$#IF`d@Eeby>^quaA1y7vWvAO{ zk+gZA1|9|ik_3B$LbCh?d7rFjMuv#orkRhNV<)jUs7M=o7Sxogk`GMCET@g4&Xp(E zG6wWxo0-P?l?dyo7L?0uS-^r!|LGC32WX=7J5b<75 zd9V4YDZ@^e79Hu5nfZCM`Giwkx3x~MwkN&!wl!-q!YC>Sd;9R!RUKoX4v+nDwV_A2 z(QdSB2Vq|6a_qWQDAmJ{AMEHNdNb023d7mewMlSG&E!yMNWY zj?;5xA_$pad1L3Qd0M52mzNh1jI~s5r@)+F@5fa&?(gnO(I#js7fsI;#w%NkD7EM? zwlLjNkC@nhLPav&*G*84rKA|Xn2a6S9c*uJXA*q96w}s=wc(2*YJGP>7GK4%ChQGN zb8iTk@23RAWuc{&p(azQlu*V5vuy_WDoH6j2$cVDRppg51n$t4RGSNiN!6$9gb@LF>$$($mZwJ?FY=y-a`w!spgsW~elR(Zq7~WNC5)OeofLRrVxqri=nt-0i=K*_N=CSz$RN zmm&47_I`lck>MkkajzZ*wxkri{-r5M_F_VcERpqOdgT_oY1oe~D%sU(Q2{l*F44{eO52ppyS%`tv%e zu?c93kW(?6-vjB+n|nX`Q(>w|oz!z)))1?Bi6HPa{`~^pA|OUpMB^o}IGm^3Elb*? 
zsVRDGu%4&k6zKL~ZI=GEJBlvUqGe5^49``EYHQPoEaa$l?eUnhlQ4WFVSqe5Z~0mZ z;v$W_ow~g7+W@(VU8AW8nSPOP_ExW<^KSIM^-pjn-|DP5fr30hvB|{x3s5s>a{d09 zqF7+#kd$zBFdAz!{Ou0A>a-SDSODEDOGDhU-r77eY>k?*Q*!4B&f_hJd@}!mF*h z5DXd8%=YK#FJNBba8RRV?72i5=vAJZ9J!D&nM#>C7A}GKnqQjyUfPkwetnd|_wWFl zLb}XCp;G;qHz^FUS2f9RM6P+7nfa>!?U1dl5euLrApt%$0{~4Sh)+#P8xd6(bCdv< zk|#rM+J)8D^BW5sm;9g+l#IInRP@gwR4s~_N{-fCHiK%3p(^8bq6J$Y7sAXqVja?u zD`(hh;LXP7^2jykl?Hp4*1eHgwvbyGq=d1Y1fpr3*kk6dIj5G3ACnQUGCf;M75@36&AZHIFEdQ9xZIR z%5p|oFZxsTB|kUMLXj^qr+(5-Z@=41Gz!H%wT0pXE|qzI?Tn3MWPt=R&C{+v%U_Le zasnEaGcYxq0_#zTL6e5y1u$eBUz?qU8UX?~bNxP5ZCC^TEwLSN}+ zo&@0$fzw_LKoYw)td44nk06b`b3KaYPCA3@>dHW5g{{#GOxF)M)~)d#C1OA|;zCne zKv3x3xc9^!rSJDk8$n^41*@8y!b!tR|C^eAU?rwO1}tOZ8RZx1tkEw{J`{W=I2P>dZY?$9o!WYT%p3OV(yu<=5`s&6=m5$fZZUPC7u|nu zV*kV{|G8oQWAyd$f%ym+n(>(HqQ0FZn7=sA$Of2Kl~ea#IS2m0OwkI)4$Byxq_>79 z8Pd_$l)E{7u6p-5)rE6a`L^ucm6q?zZefRIF}9A`A0dx|m2Uwi4ek$Ed^Lwho-{|U z6gNkl9CGv0p2Js!!m~5T#(fHH^XIFF!bl}$M3jvq)wREPI0(!~mpyNRN}BRHcO%T4 z-e0Y2cNr1baO--gFsv~^7i@Wh!V|-Um4ajtZdRh?#mS>!+ZP_Vj0GeA<04c1fu1)3 zEPE)pXwoE>=?6o1?XU6Sstn6c+ecBrL+y!}lZ?M5Cy^-0D8UwM*ELjWRZ(Hlh%%g} z%#~(Y@Y4y!$aS zADO(R*z+$~k3`N03FbCuhiVY{%H#??W_!sGS0Z>&Oo7fXk4r$#Hec2WsPP5o| zPwcga5OW;#bB<{-nzFrd+~ASFQRz+GZ19AT@C4%zAGC zmoS&4(Cni`$=XvcEeG=kXR+yp3%g>$jDKK<*(@hNG@ITaMgum^Ut*wz{P2}VR_D#D z1w34cEGjU$(Aq*f8ugwdRi%CHb2z5l6_#fW%Jdf)ImF^We*)~nXN1TQsXXFuS*~Z6X>P_luxd_wa zX3!^?Zc=9$&|G6s{hmvm6`v4z}F3-WM z%#^#qaV>TAn!Bu((Q8z8>5z3s9I#IAV86-FqO~-usiiTTi(@cBu^C5GN(}or z6fKTrJx;V5%28;SSOQcj)3}(3(L9izR*oA~JOmw<+UgYwr6#MZFx#G)Tz~CN}ve&z4qd=lCYcw+12h%G-?Pen{^xm4RO|S-UBL+%EbUe~mUJ@aw zaZT1>s-7Q>G@%57E~L{%lNXt3f`7D8?(Kz{Cq>(|m;%#s zYlbd_-?TcSxfY0`ip+a%^6;1?zeNJbYm@}`MfnNL3NLxhkcP(6`C~D+gRnL0DMJX6 zr)R{awdniizo>}Y!Xb9Cf1$Ugl7-i!nJB=!J&)rwLp5w^e!tV`!hkyg)!%#FxAqH(k+pBB5YIEig&5J zxsf0o3Y5H17m4#HL#`=ETaL2>49QB97v zWa3kuR|CZQ0>gZ{A(GB9ubPzU#E@F{dz_yz)>cGpNI1 z5ou;KJ4d_*8P<+V#gQ|H(`FXgB<(6Gm4+l$Z2PsJq?`~NglEnuPP?@tA|{PrtIo>9 zUQ1?hjmp|f2P2*AbjmiFfw92zMYq<(``U_bkkiqfIOl5E&LN5q3v&vw{hwHV%pm@o 
zBOI74>+Ia9D06|OZHppbSyr|pUtXaKn}A9wPKsSvG)uU0q#ZC|klu|8iayI6)LXZ7 zrH5cD!IjM5@dccwV|Dw2*oehv^}u@ym?H(rq8#50c6c_}X3Y?%R7w>_-99Fy@R=KJ zHTt0bD)!(?j_qTl`5=`Fe~;N4q}u!I!j@}0gvIC+ z1jJQVhNyRvwyYg)fw`P)EsjakZtFOWsKM$gvz)L?PS_&6BlUh=1@X&~o9NgHy*R}FJE*J4-F}j zv02nHdt;33J`bYgsYYq=qL6$|aj1&U!@ zEPL`qF@rZtilLPL`jdA@i+Wq{WF0jlBw3>D_sb$K`Xz=IAB`+2k{s-`^K4-pwhy~e zV#2&Fjc?yiT{}6_#{`UES5j<5y-U6)Z;l`fQiK0gy(g>vOn~j+BM5JNHNDtp3#~dpf1~vd`0s868QDb5po$S z$2xk+$65Smy;XR40Bcqx>U%ETtE zO0>zg8N>!e(9f_|krq$4Zl#tKgr8bPAoWcb9DW*37Ju4;AX`grZ0%MPlaJNqrRsgJ z<YczujDeyzDv`24@ry2s zsHc>%e5^v$NiWpvfYSMrHJd;GL4*$QVeOg%K*#@cyf-N}p&OQPgdtV&=tqogl&`D4rY( z5Q|*9h4XiUbx*$3ss@Nx2g6Q|Rm(7om>A`q>9FSmf%R4&#!#OO+w|oiwi;oM0ZtwR zrLzbVKZe!-z(V{AUElD4v_DKU6{3S2ACnGmOM?srwk z^hAx5ga3h~f-R<^Swh*Z(VWOCck*D!Kj zy!(HhYyof&v|tT9udE9?T!Ve-ySqD41kqqAc(D2cTxL^uLbp3&#;~vwRKvun+^eO# z^pyGVFXFBujkYuurbO5;5(%>&;x{2xv=eztt#1q0@8c}8T?i(L-XXs_da)TjdLkLD z=W7FIlW%%oBpr^ay@Wt_m|=x(CH*8G_oqv42NM~In%h)P5O+YQVf^XdGxPdP}J*= z$4ypRjosOSe*?-1mm7Xi1g?wtM-G)3NjE z9WW!6FMBg6sTPv&6!N+K@M67py5+Gq$pPr@atW<8OF@leg>g-dJ<2~sLH9!R7u|$j zQSUi5TPsdlyc}g%)gr&0rYB$Al@$HT|~p&0zy^L>crd zo2BzIWYMk&4FM?lxrv#b6+a;&w1n^q{r|0YDZ#spA-$D}jnt41XuE^tn!U9c-()`r zCC%G*mTrkLuXBt>M3o$CUs6I?7Vb?sc5oV>V?dI~n1|2}Y?P}vF&v~_DU=lKF;;|_ z!Yi8G`V%ZLYrtm@dCSR2vYUi z8kj-ZfYDOzKg-FkCLHHSzm$xOjPc-P*U8>ZkDq;C$6XDz1a+&pt^(gEd?oW%ACo(D z8TQ$tt;ZyCGC9RwC0+p+_<&10X+rtA6Cn{YGlRK${^v03YNMpI?ysUk7l9|Xc@ztacZw~HN&>L={kWke-PYBTd!1Gcs{*b<+G72W75-uchXGc(V4`he(SS_N>&KO3!naLrtZLk zO2~RFWHjg zU2Jp*LxD}q>aJd(si5B{3DBz{^5rpw5D2d+tBpMbD4|#k*0@_^Ud@Iqz`{yO{NcpY zTp36~=b><8m#Eqal+U+aqaMlg2nWrc{^-nvO{#_JyFC>*W_rxBYpT!=D1(?3D)wwQ zseJ5xR+2uM{=x$Rowp()P<=tNG|YebcX84h=0Vtf|6Q_=S?J&Y?_&nZ-)1ia+$JkY z*OLcWo3-%2^A~ef3!Y}0ZP)S*PeIiNE)-a(d!0T&R(b#?GFn)AgwabdDOyyMe;n79 zK8gP_N=1~HL>An3HJrlzGL4^JJu(}>W=-+R=xZLK6S&=jMlzwP7%NL8mG#8YPEVU@ zNjH+GRO{ZSfUAH1rr$H6I0U+d2#f-9z#^m;dn=~`czJcN6sG{_^5Z=N2%K_jM$ai<|`i|Qu+Oq 
zA8VrGYG&_B0-w4@kjnI7t?M-ZJuQ7?zYJeul*_i%LV>5d1$_jr@elW1G*e0yGc$+`pHCo3Fkvo3cMOXz{G@{RH+fkB6;Yh6E^#&pV%ngG1^V6| zi-oxZ=xQg=CFEO~mgaOyP&(-*@*E;2q;zi2Ex;uku~cR8wYB;v^nomhL&WHA@meH% z@BwR#`W;)D{fk@Q&}OtCM0hLPf1e1Eh`~@ut1DI(}01h#ZuYPWP=BvmosVRg7Sv_O`KW z5cUDioxaxCq`zIR{J>@jghiQNp6MJvU>)qzQS+KGWHtU;1#Ci+egDb`=a5PX-bNA~ z7pKxYF8aAFGNlOEBwNL7`0R#?qNS5scxF!q;a+d)1%(PXpZciIWjwX!FhOW5DJOKc zKnp|QsHhHbniduoHLzCI_4VwQuSJh*w2obY`w5R0H5x`;VLqX`{on*wU17q(u0jz< z+94m>^ofD<-{cVJ{vSbZgvgSn+#Lc0cZcBa?rtHt6Fj)PdvJ%~9^73| z&&+==yPtj2(A8D7)?4*e7pKhpv3_Ng#gMNtsMIg?hM%nR>}sxa&EHz_RJC%Uddx`I zb$*4nt5q98A3AEV%QSLA;_Fm=X`1?UD9(G}GZpiRF}<7DZ#V5Qamt>-i+Qi|%V{-8 zfAaat!Kh3lo5$$>_2#l*<00Vm=rZa7!`r;xAKi|c2!p`%hAo!D@vK6mtNyf&;X7GE1q>hdbIq+PGMEvd&gNJiUya@+8y$lGRVli@%G#1#tDV7yJ zj~Cisvg`sB=IbMmaK97(qK$sapwEAqC1HeLSd3{Tz-x&0qzR8`DqZ^2Tt%VC%2+QrM_P>c3BhnYJ|oYgHrj z>Yzi+Z9{REul{6)!$z^z^Q8GpI4IipG-i^3lhsfrAjAe{=?{#cZ^N3Z$O@@9)fl!% zC)lcIIaGPS*gx{$=3#jl>85N(kc41Nx8lCT#N@YY|F40$1C`Z0G1?PWa4!kkm6j7RJe$G>xr|dRxD}*y!+(vava(iY|EL#lI6E z-Rwp)&HZhqqpqqtzxD?)@&+a#uAq0Pp1)&!nB8M<{k{Ecc~Yo){0Ldf^dbE1v5iO( z1or$ly2bbpPgt9~*j%t=&GpT>x{%U$Ww~Mf8@3d;lnu`84>h}I- zDuzY&X$;5nqN5hbgxs_ zb_mTD0wg{EoPRyR_we3fENtKW;lR}3{F|oGsIKzjt?EM*Uy(xbZzd@} zO+VemrlW20zUnva@%3*;J*tGzy0Q3GaOw)KywN6yFjB<=dTyN~294`wn}q(QF_{jYKZ}al_gy|`%yjwgduPM@LT_L`O_ai2DwVUa zI!#DW9J&_HX*tafe8fLs!9E&H$Q}WP2)e!*cp951%x>42wo=Ici`;2QN3#yov8bb^ zPmPmd188z~)MKY%;6&@&pPT!8&wa&4dPbD~54$=-a;kL#Cjx9!y)U;!V1nST>Rg0A zhhQ&abDyN-j7w_StbU}&LY_bqU2jQzPeoLB{8fu9*h#;fchX=oEr3MNWo_KU@cZXs z#Yyw8g9OLj!Fd)j_ih;`&KRJ=35*gM0l{emgi~Zx|R%8gYDQqrBg$)tCUjGsUR9BP`e}W>9;x{JU z+}v6|l_0J;l-f0G4BE=eyNTTnd3iP)jjY~Pm6Ib>;CsCY-YT^F{E0hMBh^k)z1C9A zbr=)f1{?cQlvyP-me;m>AVOiGFb2*YT7`>0;cd$+$~0Hx|W++ zgjP#vFYCjfb0_-ei}u!cK501h%9<>@Xf8A<74}$ApHHx8bz=|J+9({WOKwy%hnE#5 zl3A|0$a-Wb&X3)BJmd?Nh#zhEu}MtSs|@KyipQ1nE0k#C=}@7+qdyTc?6qFwDfVeB zG98d@EkoJ5^CKMm`~B-gg*G)H_({&AU6tOJITr+W;LV;b-2PDC(2yhH3Y@z(V=wXu z6(YK$NS#jCqr=v@jZSf#$G!bpLV}Nh3aiPAyFO{6uzL){5#TJ&wD%&Y!6x&N%5 
zZP&C-0fv*hKg;0lCU4V<87KoOOR>GbD=-(QHDr5*yW5|adG>9#`~2^sKoFdg$6yJ^ z)G!)3Nlo(ptbL+2*~7y_r-fpL@7YqbedzYy@v?Ai&6lC?G^^f6_o)dKrp5 zQ*cvJx6q?UA+0r9sm3O1=uG(RbY(;JK;9jF5JYKjitpRb)Z6*k2#;HP!`_))oo*q~+N4tPnKWZB3NcCuuL1DmQ z$omY)HFweIp@#5#eK=p3n{yTb5%o>Dg!CB^bloo#j^sX=!;n85C#Lxcx;mNLjoOe=`K-w-G8@$&I~LspHUnIWR2RLD39vI7ehuU)#L;nFc;N z->52RdlK|A0o@06M0oKa2u{*QIF)3!mrZhGScSI1u!L*x)A#lH?VZc$V*d~A8C69~ zzSG}6`U*o30gD7q=zB4}sWX)86J0!nm5{&W=x5jP(_GRHA=!|B#3e-8T`Ss>hdB>P zVjj&F4bs`A6K1m#%ge0sfi8sUpAx2-bmF}9on&iPFY#_A8RZu)?sGx`^8n2_gU{X7 zOQdlajjQgFi{uhlZ}IM1xUnSqy=e>%gb%tbRmqhWi2MsF#v;jIy^$LI&L;j#2aeI4 z3>zxMH!S4aJYuR!X#>UM`8deQ+)v#UDqmWWFK8S_1KeEq-h@P+3)k4Bv~tH^K9RQV ziKUHGT`v^m5oQaR7Sc&>%`oLMeqsIUC8Tz5YL?%Su@|PHk!Gc|kBtt?%f9o-E1)fX z&%7W2yjvszldJfv=E>K{KB+}+nuW#1b17J_U*SI5V2MK4-m=UJso?m9ZxEO81npMO zMe`g$wY=>O_P!P-5zU$Sbut2gM<*4YZyYhleHbrSU!ZMs_-#tr`@?L-_!=(3@rGmsFS#tnu6sC{}mEvY2o z;Yqgm;Yvg@?P^1<3Z+Io6ZC&d8GukoP~{0Js+hzjJ50{WVLFQLzd!nA#OmnNmv0tZ^7@erc`A=(t zh2B)WTHT<ocs6J|?iiJ7aG8_lw{8tD*-vwvJHymy1_JjMO{S}!i^aR_mjQD*Gg1@^Zj zLLJuKOOxSMHn)3n0(*j;GWqA}^eSEDB}aQQgQn~wRC(%-urK3>q{W+jdnc6ei;I%E z)tDfXm7{^ClNrAtOR6V-)}yF=#}5L#gD{L-!64uQ`9oT^?>X}7?}hyf9i5A3e6dUG z8Z~+Gra1|PIkmYaQpp zq2X|c7GpQ7sbPY)&5c}Onr%c=vU48+THdJA3pV*CKRdEiUp_QIH!MA7GhV1{w}`uo zDvbo@2T+oZ1>M~S+_xf2pSk`^J0cQ*Qn11lDTxquv=4~-s>9fgE`={o= zu@5nFm7XH=Dei1wWl&Af{we0%M=l;s;<4o~H1v#W>5NZoVcF*&-#x;pNi98TujifE!xJ|SohB5#qqTD;s7o=hA zw8OD#rMAyLyo;=m;-YXws;GSaOve>p2`)tE6Oj#y3;@#N@5wSR_zXB)GSWsc^2ErM z;yIUj1nCgRJl0!+3B4Uh9wF^6?k9pcWXQWHK=0vp9op<>lqwOXq!H zCctvnwQcyTD6i-vZ|^)+&TEz9W7Z8{@N004tvZ&iJzj*Z3cT-uil=hHs@L=Nx}8rz zUC+(PW#xv7t>>J5l*$n8=3Nw85W1hqzT;N$Z*td8AS!-5(4W04DU!Tb8R$EB9;?;9 zpob7&@gNk%P}f-+56@;QjOVo`2>JQj1B3#B_R#B-UdslZ^SoP($G@Mqv;~4CR<2nz zg(8`U-~P7lyC^KOuj45mi#cw7*-FG_=u*PR?qJWJ8*1X-&qH-g9Qyu;zim97?^sJb z2vzh5WUfg_UcuedXZUrnn6!J*lqHj_LKpM^o6fd!?nsTOcIh6ewdaZe+Z=cVnb0Lt zzQY#av$%&n~x#5}|4Pz*bRs~kLl(Iueo!4=x!+JptjnjS>mN0($GUTo7 z#-IHjYcKCG+5^2ky&m5`Ti<>__SprcH}sW;zzT@fj~dZChnB8wxDcOxMaxw;D899n 
z9ZW>0_fyWZ+n^LsWqu7!m&l{O&2{`xL}S?!3%J3)J5Mpe4OZNTMgAJ7RIc zzyb2dBv`=lA6fw^Z$Z1q&qO9pjIYZbM5aaF7@Oa={c4xSbCf-e6cwkGCm7*iqHKI% zK}3d{nx*66TzoA=@4ht`|H3hJf`MC<${X&)8n(ULsu8AJayYqtMM=bvQwkl||W^4^w49CDdI3j4O^ zhA0(0&RP3|g}$4+j~7%szJar51xc44BqkT&;ovcc1e?mg%+u6o4EK;caGTgAFJ8?f zWfy{pC;hel`}c3Kfe$iBP)k#jW@F>!8N{vo_8Be$#JcA(4!O&pWVOGXr;(P`<>k{r zKd&4qa(n^xIj3cAZmusXAto)tn5z&M*#*^UF`X;OrGP=#LQb?-1*DX0167lV7FEx! zVuWkfTK2^QTncx7)zoMOtXIq99AV1*G_loM_y_Xi>H_Yw&s?s}?LV~1%uoyj?~)UZ zaIrXg@xj8QCFjV{-`N{)8NVrJZ_}b(5dR)otu@1y@sT(0WM>N9cywDsQa`ZzCZqy4t`E~OyBS{YgjD@U+!Zxa3!V~jN(8`*79%FTzLAzgI6OK_J+=5CTvOKpk4(I3JJ0#@3sv(swV0xYCP z--g2qe;lMX5fAQe-;PT)l_PUn*BbsVBOE5x%S?n)z|Vejqp3y$v-Kdh0HBi^_W zjJV{kufu%c(+j&zj12YKTBxFdOr?R#xIpAs+j4EMtUyNksB)uV8x;TThC|Lp#W zQM8?aaOC;-opKdzl}`D=KS%jQ%8SPlgKbMHwjnl{6o@CCTB+Pvax40U^{N;t?aHNP zQO{x1w9-OPaUsB7Jj2$_o4pn>uQBLCQBhYHSPLJ%Udg8&Q|@ui9L|Lzhk|C3Vlh3e z1MES&YEUs3qdPXWF7ANRG>sMU!WsTYT5Y#l7Momx6yb6_+AP^G*&T*I6u)Q01pM|q z3%wg`wD!UMRDVkU8)fFZ*4Adq8;O0rJ9PcGj%wh45ib1I?!y=dgSSdvQ|}`bm7Hnd z|Ll++Oo(#)z6l2E!tO&1!XJyJ_tF1SiFvC?s+LZbv?wt4l79-|QxMFb=@5$})$up< zj%M-_(;Ae}@|?$hP^#O-!$xgHV@c=CrnyR%$yIoTuN=#p3uXf7L4I|$Vy5uB{LY7b zV^&g<3nxbmPK8v=kaOS5{VBlzsNA#IzVUfn__A;)SsX?Hdf0_x%JPSN?7PQi2^B!1 zq|(|MWVTdujBrOCU6+)U+~;IS?h4}qPS@^> zZZ{)QX~AqyAQwJ(zZ+1LV|aHBLty{1uP8t~^)GV##nAQ5cIFt{fwnfckBK;fL$e)i zb%#KVe$xc`(uW;!4RPZA=$k{~CxWFf3Fzaj9_NF`qE#O@h5-9=4MJW&8TqQ3zwlf4 z0P&5W4HL$8I1|LI zq!nuOu1L6^+##d*Q7cWp(QtbFxhG_mW6e@YeO`O#rbn=+DqzreZ)5K3g!yE`hUTs- zQ2^@fV}$z=SJ3DU6|P|`M|OJ<6I=ex`G<{6Ul)So1yqEpZIN6xMjl${1P40x{e>2L zyn2-i`1`;C?aX_wUaR>p3KRKPux;_EXG=|~9i6VJae_1wMV%y>-@cPM%CuN8Oj{QL zIhcHzSa(TvFcOBF;eo&;Qsu)^$nZR{i}(YF3kD^DRU^ssz=^bGfu1S3| z4c@?8JP6+C0sR`0S^5`enI_(iK2}%m1%!=e2YYnU3l< zj{Wwl)Hp4jMgFZdBhET>a&j_!zLC^yDt)d_3L#?5ihCEsY_g!YZ9q%=BPuVdy|~F2 z8dp=5A%3Y4gt!zu2Tz`vt<;N?_??hq+$UFmyi{_-!lG;vm%IWe0Pn(Xd?@|5L`+9XzlU;CJd2ak%2>p zt6neDnR*x4;jgc^1k)eq^TcKH@WKDuLT2{f&9Lz}Ass*qUdOv`Aj^JxU!OF@&HHCDKay^Jltj`9pU&n_?B 
zM?LIu&h?fWin+*f;fy0Ty!S2VT97I&ui}>Bun=YonLAW9Cz$a^RXTTixueDIt6kfY zq`&qAHOiyy^t5+i9Sh|h+GV9#)fH)m)J^8>5R&o}A&LckfDRuE`+nMK_}FyYlId)2 z2mA;W4q;4Mk54Lkz5uEXR1qFAr8eZG>0Y^|+obkSsc=g;shOI*j zqt}D5svA*ujNS}2`6qO}k$DmC50s(>m;uQ&bB%w#N>AJ4B zowxXhGFWQRRruNk%VD&(Po%`M#$##t@}(JuYq&=+UaZYsZq$QG#KT3RYo@`$diX0a zOfAHL$S(4gLkunq&?4zD%u$JZI@CATL_#@mkzmHG0ZuO_U74LJZ_Erb>QqobG88n_ zR#efbqk}Q7jHlGQtbrw7fA(HTMER!hg|dTM zGMs`ov#Y)L7qbl89>>0PMXwtdUPth|a&ZQXJ+mcn{g*0~iR#@gy&NWB5e|R%xf?#< z@DraVOnxXN9B8Gz^tI%vGXpz5>_*riEPMI}uBJXPa}0SzAUL{*A||$CE$T!p+k}sf zFZ>%9<m3;R>Yik=Wk^OIbwRpk zN}IU7FID6=GKcWgM871dh=j$`;^MKvEyPl;pwHo;HVwHEb+AwrIk0#Kps~ntuPTac z(u3gkTo@}70UK+A(8UC!uZQ6D^fZh@X>1qyITs?CEwFj;oOVIs6$@4~6q04=>BFv|FZxs35Bm8kXHHC52Ne`sl+JKLZsW@?A4{)9|=0-94c>{HIbWj z7%ziYF6BJrRO36zwsg>V*I||l0ckf2>;(~&>&kxzP2v%S@x9uZJd0vu)ra#qMk_TU z^$;R)2;m5f94W`hJ6d)IW0pIY;f21s(~F^zm9Y7Ab$5YauYtqYprcNW6EtP(~EV>eUF8@b-S1#*LPP! zns>}MFy6dy=7DyRX;I^RBAE{q1{oKuk>N;Jt`qYZs$R89wfYu-V*vH0VJVxMQg}9- z8t6t7Laoed)japB-#fx(>JX%{`eqQht;GTJmt8*aCk1i?zCLCPB=vBJ>GExKg#+WH zcC3?<-@`e$Ov@lQq(3B>8Bw~uaVkm=d0#L5}8Av=!BN&Ok zUtn+j)*vtlFTgEX(YxJ`V=(OY(;#n>Em|QYL4qlMXz_V9+e{J}3?IZ{1;w>-)b8l2 zT$2TM$lX|`RfH)<>3Rb*0Cnt35?08F&^E@CO8`yjbO<&#S>^LP^VKG_xY8(?QMj!# zQ~#@{4s>{4hIBi^h{@4^T(4SVb2ZSD)8A|aB|#tg$yfOYg|Clu(l`Y^hE}Ufo4F*n zJpTg%lHtxQSE7AN;zVp*FxGLlbnZu+ED{vdVoO_?Gz00_se^0(G;-|`K{&(V8kcb? 
z4>$zZc2TAkv6$Q83wLN?w6nahXxz%gk#?_dGW{t`^e*KC$}9hZbfP=IKBI5#4EH{5 zdfswI|D`8XCX9dQ z@PFDZoIVf6N<@HlSotKiaRfcddxU47bTSx;(ttM(p8sI@^cm=8|NgbP{7j%tH<1}b zJoeApHfrFL1Z&4So@C73l;#ksJc^_QM#qdHLAz|I3F4s;fWe8fM?^j&e{f*+7m}*A zojcD8I?!Ih2Q@V2aQ3?V=>B178^ParPNZ=JC#g)`-ky6$G5fmzJh{=lVyez~iwTXY zP|IH|diiX;C617MOxnGXQ+@fO3@RTp)zCoS@hc>HXni+BW>`66GidDY-o z3V4LO1ZZbr{h~?|$*gT)aw$HwDeY`Fy(ZI8e-0GMVT`_a%m_T~JePmblF|JW>L7?> zk&9V+^^>4)mFU~kSC97Yq)5v`a?F+9P$GNCoCGZ}l#>vo17{_vKJmHd2uOdJgix&K z3ueU~_r&_abX*MsQHh%NGiSl{n;)N6&^)(amKAQhb$gB%JVWySlS9@_9D0-<=+T^H z^4_A-1e>*d@w)AcT3Btc9@QDq&)33*^iC z;BnycVxX-t6Esr!sy|VvJA&Ha*>YV%o% z5rnj1&8>KB>_X8Tm#hT9%iW5mR$G?O2DRKwpx@EE&j}%~yHx*VTYVzkj}4Aw52l zxvHYV$4u#BC% zg}M2=C}Z&8irK%e&OR0u))J7DO(}_|%xs?||J|V~2;nWKkNNw87kl>ZDp1n=>SZv> zEm&z()qll2cMhGW16~Ow*4yK6jW+8KVu^A;>)~|VX$b*VwGUfpY`)1c$zbE=M^Cnh zV!ev+vXE)_5@1iTv1%-~suXRv&F843_&ba~hC8BzresTHR*(x=>RcwbjVJoa27dcY zPrkPZZ)JujU?FO^3qt4YXOZ?Gn|=wn zG#9tsDcgPT@AikkSb(aV@eNZSwd>y(gGgp7quO#E7iu?xE`8Jh2Uyu~ ztkBJ+QxlTI1g9ik#6r|X<<>{KVivhQCyQ+S2&XWMdA+Iq#5CzdDCk&!2qq|gbm6Hb zx9;#RTiZ$It4?;f&#PS7hCVV*>k_e6H`v_vNfasNxTZ}g{FYW#8=K~a5~kCm&NwDr z?aGT$NPgB4mth}VknOioD?g4;Kp?3hHZeZ|zZ$fOjbW=1N z5iW1$PlBw>bbm_Qq_zjc811OMC@1mgv%RM zfqW?)w&SsmOaG&r-BWoRtw_{K7C=s@RnbQ7>F>pa0hnQFmAcBmT)wd2^LF&%<8ue0 z!wJP4gSTEbPQ=FuKj0tm)=WerAy9$LnII{_FPoGC!0WF6KK7{)_=}fhe!l}-6 z_FA|2X+Q~OE#+`KgArt1t>DzT!X}u2TC{yODw^N1F?YREnTS%#{i2}8BXUpVIVw{=AC$SlKB6qWsXQC^6 zt`xbxb3*p51QsyDn2`Upz}tw}bR-?^f9_LGr>fB1{Kgd`(s zxt2)(uU(mt*WU>Fd+JNkG<*ndLmH9?lQc=Ewq#_FC}4H_3yv;qoz zr9XOp;?k6eP7-IaX%yWSGmg76pW*=vUO8%KOpV^P0aHj)*)gPK$3Q7u)%)CQ;Da<> z++KRe_~w)jTg&?=Zc7`x`|*yMg~b+Qdg}FFF7P7Qof;OpY|c(U0y*em>pS!-vatV5 zqd(@{sZ6Ip3D*u0n$S;e>(uH)f3_WtUeR8|m|K};f{cvgA^gtaP!{0J&#lBm<_SMs zY4z-y2EsLOdL!frZ-5>!ccIsxiDJh_GW7}RSm@eJA8MH>jmvg3*+E`+6ve~u4Yjw~emQ^MCu6e61@k9d(AHVYp zo%TA#hx2Lkx9ppxiclSsJfG*Xy@co-=mnc&ZT18^jy9h((s)@i=|c<3k1~Elv`e1)QdvJo>fxm9RO`H{%(|7BM4wpL5fh^UkNk>T+IH~kp$;t&az8GMr z9%})I5>wKNP*XIh*q+rRC(^g!eM4JgLDb 
zJ+2@c&Q_cPIR$&>f;`4KvEme0UtaoBG2n}iHXKM-EgmT=nfF7!>k9+^+riiV4~?8N z_t+HnpibjY;Xd4v{AqKs=z^M?A2mWJW+3*lof;%q#bvE5I_zbAkpV;ij=CE;(e0CH zn>bOUw<)wpsWse&Szk^x`2lI2Tt0 z=eA#A>BfeP?n&&W6V*5>1ol6Z`ADO6+n88&nrh*`3H_6GrirrAhJR2?D+_yxKRi4P z@xKVX1&}Up6nr+X=ioFqZJ4MuY4DYHy=;LH+5;SKy{E4dWj^ezK0r)hNyytg37OpS zQlKV96&T>r$<2*leHYwm*dO@5d}RpNN-f5tLhsp@N`%=r<}*#$^x1rQ5_ZX{NZ*Y) zCH&Td=9so2eQ5FDlx7TN5OA!lCg_6deMhq3drgrdzjWAN{5XL%FTTG!U;mJt($?itusdaAiWLng;2g*x>=0nevlXP*q;-!X$=@jk( z&`DK_At=zSm4IXjTz_ zVn!bJx-J7DQCgi2#!}jIZ_ZI8btApgwa*ZU$j;CTMdP`du*W(6bD%xH23=1@l8S1m z%TRJ00rzn7(vX(jmo<_onO1ztP_i`I=$mC=r^eC6lRKOzSOl^6kw12fWD(vF<5c=z zRYSubQW~0nW34IWPq&EC1?&HT^*0PM!xSZ4TpB!KK@-`biV{Q|O2=S!T!+KIXyqn0 z73Lf7XEB4Ae!Cy4PSV&{Q9FlEuO*2{TyAzXsH+PmWrQ`Q;okm}Xe?`Mdk%Bxd3SFB zxdRX06-KO;%tcZB=TadvMtMtk`5$nToJw5p6O=XSZt2r8b#vZLW=2+Lgn&Mu#4Ozh z>Fwt;@bL%ATgBW?i0#!ZHNJz9s>OkFmqiceOUkWyw=BYuB<&qun0xNg$;FFk01|j& zT0j%TI$xhM>7A@fDzxwuO$EJy@$frw)ad~Kn_}AJ4iO21h(k)#9yKttH>@+ZYX`SJ zHn>cOJ)TruO`}iFFAd0jYf+B);;+Bj=*xkDan(9$`iJ{3A$75XI|6 zPLjtlWB3gX4#(?kYQ*e)1eZD%qWK$1#=H6RQu#bqmdY?bplv&ztO|P*yrp4?9{n}5 zl8_|!33|Fv(54^wKvYLYWx#I#lVXrh@GXY`;jV?f2C8)_N112v=;O}*Q5X{1qHcJ= z{GXNV{FJfXu+{3RHtl>{{FUoBa?I!IN$}%+T>LL^vki z?E~jZ%t3r-##7uLu~{3Sz}Y2p&4XZqoz|ZIg}Fmco#HX1DMlbe^2TLr`<30ArmCHA z>SNBv%x6*d8z!0lRk(7r{8v+{zHf?`a|7b&3~Nk?u(ZvMDNu|qya>ZBm%@Nx0NO#r z`h3j`?#s9T5U(4hPrBd?GJ1oj83D6@G!l}JF#fl={}V^@!h6G6ga#)VN=53l zt|Qh+{-m?nbuz0mUAR(aM+vccr=~7C6LV;=?(G6_Q3nU56iLf>?4Vt?q361^=Z$Dj z`_x6TZ%koNvkg)&V!&_>1qT9wNB;JdsWV5DQ(Kx&5jNfpfn{Dl@Qw+$?1C}S8(GLLdk2)_X?x8?V40ulNhE@K*R zX>8sLF`y)YU$tDLh(ow~m$DUeu^M52kZsjJ)k48eeROn(-v z#c9kb;)iFx^g-!;>mTwE#R?pdpGf-`e- zDvXGfa4^uI_o&E06RM2&pGPek%E`iZE48BQ4IOb^kRvpP(nQF^Z+zU^9R>itC|T_T z!_i}4Xvku#y(V|?FlL`Q_pA`;5qw0{(j}5znq17@XjTMs9#>YpYaL(4;>8|Q#E1*f z1gYRRJlS)SF)e)oNOW4mvFD%}_);E(rK319>n<;F+())2s)PYL2zR>i^{e^;#`Sg; zGV|(j1IKVAPlu3C1r65q0;9RmYDK4-V#dvHi*127Ea5kiBWzOb7@EWgdXoLQ>9u)c zt7Y)++L`i3bR4L4DmHo757+H|bz|r1AzUh{Z21VOLE{Gb6-|J$Cp-XES0*^m^mhjb 
zgK3M{QEV0)q?*DnzU5|S?D-5{Wohs$5VOeQu-!7!zSeSf%ABUTSqh?PhN9Xv#P{>Z zrvZdvv5sedQT0oI(dN}|(BM)+#*_NrV8QAwM}{DBB)jl6g*Tj*x;US+!To_As;W6CzGUT_1>SA+9sbWrf2bpsB zKtOW8XIjRl#~PyIkFDu$oX8_r1slBMKLXm^-yT;Fhay(ylGV+WyXP8iCjb079-0W2 zErOd|NSqQmYW%l~sF`78g&-U@fd9&8N_#&91M%$pZhMP|w`zZ%v9M zDL~e4G#-Ev9RE^ir11LPrVzYC7pU8Z1Uq%hS!MMeJ(4_7@d*6CFA zhvLiZLGeuG<%(OaPNqKCNnHH=y8AaVBC5_HM37T%YFT+Z83hGJr}w?}#^f(SUhW>X z4TCQ4gUGt*hm7ZVz#JhtP)m#Ob;09F77?S`D&&s$TEo6?q+PSJCFE~kK6*=Gz6$DcbnT_2NCq%6 z8}8E{x9paq)##!eI=5v>+A$=)S*Ay-U>Nu-ty4qhh!I&sGu*@; z5g!c`z%~N0s<-Eki2_-Sf;MuY9Mn}Vgb*g=zJ_=Z^IB`jv-uUAJVYSgsh!TL#;)ef zuDEegLhsleQz3DRju7WZ(P|6bQT*I91JLK9b76J3m!>)lQDFR zYoxzRfifJ-?y~ikIVi1r!3qeG-v-KOkz_~vy($!S!jWx6s6zLl=($oB@q(ZVWXN?_9L}fd)O)$J48R^W}b5Rzo%6iYz&olUcY{{oS z6mgFU`-w)C$W&n8V^^E!rhO)=tRi-FiAg$8lw)L{g?dEQP0_j)R)(WmYzvYL=w!>c zcbGQVJe!zAhHdIJ8%2JNDXk1wG7-a5Lt?=bA-~isB8B67F_&<)(AUpl#=7tE!RA|f zoj&j-9fa^WTXEv%ps73;(!?}B2}dTd-c5g}wG)4fizGHZBnTj{FlqsV1$B*11R%qN zoW9;2yNKA>ROCBFJ4JE+(AIBvZEJ0A)?lSvm8*}V2IZ7m>G-b~s4sYl&NuP{XfCc# z!qG-Y%X>vlH~NUY8v&m)3}BngYAR#?3Q0r@j;UhP2_DCR(6jW&qH`oJ&xxNh9A-a=*tbKhE;-6?VlSY=-M^I zNBd0bl78pOGf%6m1K=yjt!}Or2SC(%ufk#MTjfG}k12Y)Duc90;`_KXFauD=6$+|?Kyi`)#eo0bP)-ux==}R=l z|2Q0ucy~jx=4?i|6NbCuC2iMlHhK*AqY13TEP@*zb*gUzoKRKHLmK!yA`Ic(x>J5L zwNT$j4o56bzR8^5HS)EN<6_c--*v?%G+?^+rW~oub~})%N*aDe^>PccRM4Pg-@e!1 zP32JJv6&ji>B5e?vW*eE#bEWzPDGF7uu0LQX%gS~DM)O!oh#DW@y*Ks!TaLybC5vFK>?^^`;_7k%D`<|ntd_3%4FNtsRd27S)@y4U(C$eP=harP*8)4# zj%n1Jl!e9duPDj%37nrD>Z|;!K0u_NqoVI;KaIaHOdR3*nO(d{rrh#728cy68~WX+ zuqzZ-vD`F+fqdB}1+?i7^0{o5&hkkr^hBj0`+P-kt#DE@ppiW9X^O2_dr@jV-JyxL zjqsyGqmo_=R0uNPaSbTJd}&hh?HVJG<#$3oz>O6pqhyoRnyna)plJm$p7xMgc@~z2l9~;2AI{epW(y0r}LGF2)g_khCq5JJ- z9P<-ZNeVb&fWs&-Qd7r^q_J6UXlTf~J#6!H%BJa&pYih8h*~|FZxb zUtnzvUhA(Z$c5^?ZV%-HY{e_rpS4G|omEuNHoIO~>8L_LlLt61XxH#`2LUU~#^IvNul}cgut@2lD=6}yAw_ZA`)_u zdel)4(UyRS%if%el&^1Gq6?^8lZKmCp>{VaJjFDr6JEML5A{7HKh8(ezEY?B;dftN zKXK@Ql0ciC<>KO6bI~%?l7z*B>7)TyY#6VauF3@ugn<)31B*E;Uq=^fb#}hAlWA7Z 
zYL0II1%651mn`ddW!?cXp(W>akD>(yb*jthsw*olDyAk!JL!jpgN5}D4k9@;&34{P znz8tC&at^CIhLp7cn?eG!Mv(@Z zDnE*I$;2*zM{`nDP>7pT@JWk)#JF5={ke%f(04d+=P8iw-PaR$Xw47OS5sAOfK;df z7L~vvlBGw@x!$`ALh=EZ@4C7)uiDdr{GeIRGSwiMzn1dfiCDv2VFM{Wh!tr16{hT( z(RM3qx?kk*LRvf0#$h5^J1#c6e4>(n;_Vae-iNn%F&X zb7|+znesr(7Y~`A-D18c{TWRHE#pM40}p2ywr*|b?`mp`gvUbwPu!%tbNCXb%GV$f zFBS?DIynGw5qJ>Inx*xndSx05A{7R~H=@~V zU~1*?BQtf-#bb|_oEW-dp&Q5pv-9!V7_uX|Fuh44Gsk@p!adTqx}3!UA`tC%)e*V$ zy`lW0L2fF&R(lA*4)!?rqr74Y^lih)Zy2txc$Lkz4X4=dDfPx6a93z}i?s%9lULL3 zW?W_W6m)-!e_S8~;m2>TJYEGKV!*coS#2~}64uW7JfK(NtTeeI1B|x!E4ZK6$#% zC%;f41{!rm274&c;dR?oh7wTdrIy#zoLebyhD|M1>=Tn890v<>}8B^@ZgABP}Sx?Vb+;qWgs%MXY z?w}Q@KRVa`A6IV`)@B!VYbU`ePLbkn#fm$D;$Eb<6?b&_vzeoSx@Ur&p#S88n7U7sG(w;Gjncdql_zs-CVE*pD2YD#?L7HT zUNgMJ`G+>Qqo(2_D_-sdo^#RacvU6+dUN!-2Np%fZ_#n|5575jry4iDe9d@?gsGh* zQ}5fJ*4RO_o@+@s5d+qz?Re0TJ)oP(OnJ1|k(5}JW4z8vgAbO?Ec!lT@K!q@&P;U_ z*QJye|8`2LN5P#Kk~}K?zI5kEB3rb7 znvzs_EPhqN=ZeESx%UXGwzBioyHAQ?Z0kjW>c`f*P~3N7On>i#Y9%rZ-n99V6qnm> zt25KVW6o=4RObKMd79Y5;)7z~yIm5Uc1!v`G4)Id&CBR?lYrQ$lQF~e{+7txw1HslSdO21 z21RLfgCA*oaxO2ksHHuaHKe%B<6fB{WOY_o55FTG6)M#9gDnO82?9H?!2Se|k1S`M z%is10cz?;Kei@g{y;8yb2McGyhe5iKJy2z^C{7ZBQFiL>>}jXUUEjea0a-!j4>Q@}$^T5hM8V`!n-=v+cb4x|NHLJoT?_yndl;dm#~^`7jR3{+Mh-< zkMsz7keO0({*>jnaMih_kNwK=>_m=Uc8Xm68B15<;?TT1li?E$qOhslcV46%-)%rn ziqn6_WHIpEBG)Ow#aN^AgRP@vwLWJOa}N+i!>i$g$tkt`{kJ}Z*Va!C-inIo^{4*H z3-}a4E)t5F1XMT5G&rx`-rR1(t7s08zHTNt6YQ#yf|ds89rJQU2%jqQPw`mS5ObxnbDi~K&|b8@cTq!*9afmb5? 
zno^tbO?&hyV#pP?(R2Y$!>>q@?yQ@%RcQD#czYpoql7D+D?qvlG{-1faS*ewgI6c( z3v4$tP4x5eZ>(%>hNDuFp}`sDvn|Ix0VMRAL1dX1_L0gg(R#D7)c-hOVV|3EfSAwe zNm6~Y3|9Mcwozv`Chv}ha%uu-?r4@vL~-1t4m-QX=6-(9t)JEX-#~L4ldjj>Zh#so z`pXk<7+$UJ;`?XwAALI)=cbA17tU_xVZEUd5 z^iuHc-*^oSZ;p(3B+7}X3^HYCJh5dD7dB|F`qh~Qt&H-{3Vew5%fjO*3MORGH)f#Ply7k z^iS*Ju6O(s7%*gVc4hhd>}N?P240n*lQ`n3l_kO2R|CF8px^F(;N3^vdvb*?kS&T?3|Z+1LR zvx+!6>`zQW_E?ZTdGQ|OH^wUv9}4!ZH0)|rUu5i-1`e9(*d+;1TH8zbcFiVPwW$y3 zP4Sl`@b;%bcDAiLV>`!7@GP3Sr>&D6-|Xao^JhB$s`!6|0;FniKFO!>MZCfzGIqy| zIDE^L2M4tX{wXso5*+jU=_s_S8(2)t_0h={WqzGe0~5BWBRxYSzHzIx5fZZ(^q>O; z%4to5EsfcudJ$p|a5#NX=-;;)YhD_K*WGfkQb;52s6KUaw*^|}uy-p7mN}B1h%WVz zHsiBmAUhT~u0BZ{c$JT@6y~coAwgmCo`n%ONFgkeB;BD z9kPIk=F<$Wczw0K;vacLm1TYN_Ccd)++4Q5bZI@@GYr1PBx}{6>8?=)tud?qrYj*16@Vntip}(R$0pDzkT3S5muxmFb^CYN@-_u%;*|f1hLn45U zvU}1m*X7kB8*Pwr+57!YW7{{a*ByU9fRV|n4(elOORe|HvO;DiaR`lx_gh)&UwS_O zbY;y~!`=o4F!KRtcBcCs_pe%i>JD&BrbRjC?=|TjvQt*a3HebEY2Ck@U3UN5N3U1) zlm&ERDC>)4JbF=QC}3nXoqWGV!|E8kNOS)*xD5Y86J?u5@EwVVh+Rf$!gne7-Vwj) zS%l}2Kf8Zx&_fQ;ku{RM!SsS!RTP}Bb!_Hsf8MbvlED(rUo4Ec}L>PyMPueI5TiWvtB|jqZ zI&3^e<5A44<-o!>BnQ-N$4L#7RSkf4n8;vYsg(P+1v)SSEWI%$dEwP{p~x%T!6zUf zmz7|S8}{SlAap7=CiEyzrytS(HHuz;L?}E)#HX;PHnbdw-^q`p8nT;zF)*cvp%z(rrUw z|DH`<`P8d}l=C~korzn|Ni%{xb;gn_=mQ3tz=V=Hw(L;=_ofrF{BZ$PXwp(HAOuSq zZup+Xi$Oy5!H1&8=S3>tM_beFw_*dUKUmf)4s;QBnK~{tcQFsG6VW<2GxLf2HCQDP zNPzqMjaZtd)u^?B8mH1*e|cR&Z*d=T3#*22!nd-ywNu#Yp=$<@1K*PUF)0-AFz)p4 z$zG9OyoAWQEbdR?18DQmT>!B5eGz(r`fUzR;lA=*uQ>n7s=ho}0hHI~ZfnKy=Nc#{Rh z)$E$G&}*?ZAiLIIm`v^}T!X21zSKc}MAUFQ_dmLorcpD~`9#{-R^XMC6M4=CzOo)N z&K<%}6g;?-jlwCG!ff$i5A5wp+0K~-X4?l2fiNtsV6W?4oZXa*?<;+wyLaBATX90M z_>W7IqJ6%iZ1hFP2-`kEzD7q!Ai<$`$drAu?fa5};j<4(CHJv#O7dZ{XlPUal{0@9OFjT15&-_l*m` zim?1_0F3i?$5kySoLGP{w)@;?a(>Y1|Ew~so4pEj#y>yX#;t>?BBP?Dxd!3t=&}j? 
zQ^7rFNh1ZVeXD5UOCuF^Ry0ha!6T-Z696_wz-!*4oT?ftIUv@N`E%ym@p=MKK#hxN zGa@ubmZ!cDCS<@C)`Vig5o5R!@ZCu6g=g!X1A@m>Xa&H8gtfBn+wDT-b@@aA_&0t{ zNr9F+0WrveAZPg8I54kSRAv{NBeT`7u}QydLH3ya_y<&Ix4uGgE0to;WiIUx@$P%) zW^2yw>c7>0_Pb+3UeVrqD{`%rX$0u5TOEiPAQ;Dx}H=AH?^|u zb&|6e$g(@cSYHSs>v*n@_uuW8`>dX+DfqC~NN+KJc+YaZ$0MeO??T4efaDhTig(Xy ziDbpHAohKP-?|SJuV#tY)*u#*hi6WJUhl@ksYjra%rS+SpisSqjMn9r+Xnv4Dgss; zy6^MbKz|GNidWku%C$7D&~vds!hHFROnw7W(IY&z+Vdt#i!b%B>*!7@61izg@qDD z{r+(FvcLi0y0DQ_c2cJ5ogtA#;po<-LEqks0`BO8NlvJgoMFXOhJ>px8H3!)R6 zHj_H&y7#>sOYOvCt98EJJo){MM#`1O-_VDa&`A)xdpB!7m~`u~T=%D}DN~7u-|U8l zfs)GLWZk%KUI;zkY7~KLW3^PRcue&1n6r>lQ{L>k6&7Bl-+uZ%Ep5o3mcRLMHF1Q7 zo{6Cl#g|pvAv7u?T=ch#Q`Qs;C99o%l@(=oD|dnnJNnY+$xrI)Tu|f-BiyDj42mRD zteK~Dp2Vb7Rz=;H$xA%MT*7z;hdSzdsVW5;obd;%H_(MtlV%aOryivd__)=`Y^CfXhEF@h2sZcvO zIU7{aW+ab-?RMe!3F6bKjti7uCI-Gtr#6} z`#1}wpC|uNbVbOSy8O_wlq9+K6?qD1UjKNER3wYYQk+A6(phBh6nr3+X790HwlPQ_*PV)YNl5{nPBL# z;@W1j=>Hy2(65(An-*Z$W<_9_?q21FM92_#Ot-B;-pPvy=qQVpeN+jN*AB0BhJ8o0 zyD6!U`=S5{*^u{|l2i?V%5SS4h= zpRCh_uoX34GeTOVL3&#DJLJ87-v$F<1Qb1h+>=%)l4@se=N6zC{u5dw_K}3=b1jvR zus&OCg&+?K{9*2Du>$T^@c8HfCqge){AHcdejUBWP;7xoF&O+v>`TJjV2B=P`VR?~ ziwt@VruYtSHatAUS2_y#7*wy)7Y-%JnH_LiX!}d$8VRJ!S7%}VN*>QOANU4U>+ofd z;w*Zr55=0#*jUyHSJ8;xAtzXbqK+j~sBn?S$>jB8A4C}a*i7{!P#oHz>>&fEc^C>d z@y4+vE_8zj8pYB)VC!1^FW3m~?)b+}=L{saRxR%)2F^G$XpJ7kvsAWb!%Absu0?RR z{HVOyc5g7%3?3ERkeX(3aAeSRj~-V?+*>f!%s(~n6Hx_CR4E}T4fLjtXs=ER-*`|6 zk&2;Vye$J18@G#3mMU*UwcY|I%pi^w=Yt~^yEYTVQL9xK9rW4k-$mk5$+sIjC?Utj zACuG!vnbPlj8NBVkdt;Rdd>A{^ZX;9fK|?qWbQzqH#kng#Hp(ECkf>v1_g^XFRD&j z+owgwL6S9M3>Y?lFR;MDb)#s>5lz@}UQJ0SV#?>fA8dX0D48s_c6oxX$T`U834tBe zbEmuI8tu49MG@n*xK;2R@0kPZ096xO6zi*{0LlS`p2V_2QUzV9@ncUVT=u&GgOU!h_i1w(@&r>p zUsllf#dA!29Y@jSZnXb@chkXN-YxgHtNxf%&qvWo)dI#?oVdxA&iognYhp@ph|0%b z^J;zH87z{EajIB+A08^BOzsavIgo&y^&8omF)r_qD@l8=fg85!%FjR~vV#w3 zJLD1rU1GAu1Q$)Td4#B|vxYw+?=0ETqjr2yn;g)!uKN_FQ zn`~IWSqe=7kG?&Yji)y5Yo}q-#XJKv)^pSB9rTHa4^-aa;pmUU+a#0MYZpzG>do2GJ6LD(SY7{}A9d(i 
z@62X7$>DzGBIrX!MZG-H5=v-W8ZqiIM41UJL06Ncbv6W=xwzy0K=?QWRKNYz80xGl z5jf~t3`I7^iiG#%-R*G|sUY7b^+2at=QeTkJ_Bt(RUZcu%&%Mf-fX57Zc;;Smb3P2 z`~ahjqg$>DIxIx(L5tFe4vX#xjJQ(i9H#c5IEXpAL zBBxV;?H!bO9acPONPQq6X;2=Ss~1a5lFRDXxeEephAmeCxnotF@txx9IP4!T(|@j( zHt0+LwlWNaBPQYwwvRE>S0<=GA&N82Ba>4W_`odFt%IzJM4AtN&4Fv>KaR{J?WOwr69v^sI?893hM-Dwn4TzlCkhsr*=h zHUSRg@wdyH?8h?%-UAPjw{;hlR);TE54WG;u-AS5X|bUPYvK@UoEAQO@b*PH`J@7J zxRS0)W-s`u(OOwkgT4GHEs4SuqXwMqAa8V_W*)K}rhECOyk|g#uZqNJaJ#P1lX?al zQ&N&R+=^vAI{LrAJpMcUaq)()gA1Ns?+1Lts_N_i=ldMHBQ)8rATNGxVu_Sx!~`6X zm_+T*tF+DVDJAXqtolk%2HBP%G`>Rk3FO|rlh!|P-;(_N8MDQP=cn@S zD#fhv!g@0~Ql!MyeX46n85|V#9g)Om%~YPRd&Zqo4?8MT(NC! z4`N+JN>E({hLVGViS$FUvaBX6qT#SE8kN2atPdxNMY)DIK_Hb3X~6alTo(JX(o$nM zbzLi|`s{Q@M@sD4f?yM#YDF3x!Jj+M&*=SIc$T_f|Izsch)Xp8+28N}@~3)cZ5WsX z-M7=072XsV8h%<8YA&d9iFvYE?2nt>_FZ0Ir++B8#O)J?`vLFT8i1)$Y z{a6HUuWq1@v{W5NyiQRCJIz=lvXF~<*y`f1V2fg7iP;A`X6ZykMZ(3O0;-(NYJ7O# zf*E4Rr1LE@{^LuCBsj0g!SVa?$$>`38GrI@`AFN5!OC_NI~+*Xp8{`0r~wa*7Tltb zpd-te%A|d`?dtmhLaG=NsPdy(60XBhDklt{KE4N90_}W$U+R^gRWd<|b-N69oN@if zizDa{OGK3rxnVoodY&y)vUSfK`PChZ(-wqvyK*lb!pn9Xp-YU9D@F!+rqntJFwl5h zKJ;XRJIH6Q`Pr>Gia$AkpFhw~N`pZ<=T#6hK;uqC?*dD{U0HwJ{2Qni*B`GOt&!dCFz()*0Rep$JG5(Af1hOBa{ zb(`fmts-}EHaVysf7h($>f+K)W@g))8v`7;v7DxRI|E8K>q@CT)+`Ht)fW{FUP9EX za?=8hgeaqHP52x|Q^pPvATmmIjC{T=K(G)|K>|G3qC|n>tBC6iI%VYQ9Aybb~0gST-*+uzZ($-28vQRT(5~ z2BaA$GQ5@=9=7o7msVAQqOOt}_Lez3VMXM|I4QdgsxKy(gts+>wAaIa?(_7g;}5-2 zFaSR1oV<8!?#5!6#MbpIz-sNxc>KifRg8yO!GS5pOcG(3R!yru*0kc9(FCFFmJ{_ z;fKjc2Qr@~xFr>Jb=NN@T$`J9N%uK4+`&V~7oLz9W^%;7RI5z)J>d4rl8>lclF`3& zQA0i|Y+H~i-(=aP%=5qj3*RADT$j=TDG4P+BU2h!Sz3A))27PLW!CNqvay|I6-B%U z<`yq4vZKXj*k*p3!gb=2wnL?>GiFk5aR>Ee1`!_@Z@UVROG^|Mb%qjECaS*J1B6HF zhwgSK=fXJED%eHRr-nC@JYV81#ZjlSO)P%&jJ;&XP5gBvbR@;AU9~ zQR`zh%1|-v+-mxS*mTi?CjS)|MH;)WP%Mpih+)|(%~9Zm1|~#}ne|bsU0(aecGBwV`I? 
zm&>J+yh9j8-oVoFe4rWSDf*BYAu0v(p&Y>pypw4i6PW3RkCNF43qJxkn4Fk$3IR8L zQ3Nb9nm`A{HyxuW=6rbVpiea&`AzvzvDZJ?3d_Van0T~NJ@IMQrW0MMvm%8Vu%@K@ z&r>|!73#&r75pm=aio_60L5hsl-;j$5AS3gNq_L5lo%6%4S1`ji~n_vc?Xe%ZSiqz zv1$|{gmFHMG5kOSzhKoIvT4T2NbReqzDJKwBR^wO8(fys`uhoU3>%8s;zzmaBT5>O zCPNmAW2<@ku0kC4k>(ShDV(hxC)R`yI_%D?OHk{eUDNH!E+KPr3j5*+Hs;f^&X=FT zC*Asjfh`5EXB{!~{-`{loWCJ}a#|X=lra3^%#66jlVF3JHh}lk7_KyrW-b7H-|w~f z;fd~km$iM3wFF=%K8khow7f4j8CG}6$o_L;!(Hys!umPRAUObs8!@0%Zjv$SLE`5+7^yn1ww&4-lfo<;OrJMtb3%G%xt}oQ>M4-nbC}4-6KDFL`+o8-(F`lEIoXatJcsT!y-{B3jSWq1O^#^*>(ZQ`SigZRULigXjmXMAA zOw{q^mdMgQImKPJlgtJ;Av6-KnVXcbr>Cbdw(h4y?%DP%ksjB37TqQVajpztG^ain zX;aEOx_UnU&AaxAy{M-9zlwrXd2v`5aap_5yS|Gq6ZH?@Dn zf%fq{-TmUh`8nY0(+`vyiVTH11$QJK>1O-&8&h0G(A`I3Gf}||2XkseHY%#@l154K z0Wxe}S{#&Y_=e$)dk6jeygaI#RAcg(>k-r0r!cz>Dz^&;LRU1@4%V$p4q}<*^hQuP zQmbCcdSB}i?llmHc1oG{*g6j7LGnM))0)$iwYBs zX#~HgI{fPlnB(Acsh$&!BG&O-UP1Sg$8ERxODMF3;o#=Iwsk_ZNFa?6B~7*xk?`P_ zdC#B5WLeJn0C{PJydFG2L*vcAEF*h}GV$P6B+VUFHM$3#qgn2PV0535^-^Un)ZnF+GE%UlT%p zBt8CK<)=q+n6=p9Z~ynC4%&1yJIQp=!4*2ir2#W zi=fGV1^Lna$m_w!fpuv+xXu}Y6dk@Ax0gTZajV{aKR!j7y~if&VzPROPBwde4Xns2xVEpdd8md)b#lBY%oFHaY513vC+!oZ`V}P(O zNNPu5FMea{$VYOVF48K?6s)1lylGTAu?ZM0a5t%w>m54TIXR--HU*^+KEBZ;`cZiz z%|sD9tHuBVrE)(4H-vO6myqO3Yho!lPFi#7-wKoi7Ui1N=C4R&N8hiB`9t%ex}aQ~ z@L@Evt^jv#vVYR;RqJhTg6hb<)3DtdZR@|>_Wk=P1#!$diaZyVChz^6uUQ^_40l%8B6q_CE9~a zxBAW(w~KZnVaiE~o>ho_^`(b!Vyr$2Y@abC*@b*<|p7)xw+Z2k1;WCma zN)5y^3l7^C6}kfT%*?C*riP^<*#z)#I+2IIrvlJ||}fE-P=KJYA_(3%WmLsQ72wVGUL3Mcw$>GM)c@gZUBQ zjKu?9&lIs3s{7;Ul&!0Md=OsfnHxPjL{WV)bn5Cid1c zvJ;+@L71x;#N-7|ZU)f7k8omND=2FV1J|!5@)l9kW#Ro!##!$nLjPe-AP4Fm{v=k;m`qj+=!6b^W%Wu;xD(#LBco!^#iJN4N9&3*fSo>uJFM0Ta*4wOtz!=no}w%+T2gtG)>^G*(gKm zN1l_Wx$K@#IXrb-MC_IU4&{!J>I=RSAQ*FX8@sTmmMg=fXCvkTa%)bYl3A4bo}sjn z-g_F2UuAvx z@X-GR*8{_(k?p4>kzRsO94?t;sndrruBYb-xVP}|fZzvvVVogw^hpKPL7~HqF z)_O6*ODE2*YP9_4wS5^&X9@Ak^mCvC%f-jZZD5d(;Cd7%?*N8}Got>GLLm@i1o*4BrglVNF*I(vPSYhix;4!n&ANjZj_0AQkev21~f zNAAF8KIrDYCgxZ4ub(-99E7urrIGv|Gs{m2`7j6hElSH%Q)8t0Kg@!V=kKT9Q-mb- 
zl3u3(t0_S!5%T^x+v2LLeBKa(K1!-I^CH~zCH;I4CQ;ZW!(+u(lca(HadN zo#1GmfZA7H6&;<(QSwHBfWVSSr$%QGZq1QRskddTC=dw?;f>GrRV6nKKr}0VijEXJ zw|=uG(u%pVhpfq3Yy;a$P8A7%pN1Q7V9>{r6p1q@F>VW_VtDJdSK>Fn!~?xs{|sXV8ULG*Qa-;#T11C{X^Z|hDe_JV}Z{c?;=#Je1Y zYB&9j%(=fj2cHr#&OIG+ZEY0dPz*mIOMpxf>GKWv8wP5U=*g0}$zHx626)50It7k>eaUeATcO4F-}#np;B^P#&q2LQ6pqwh%Tq zOvE&45c&gfG{^Zf?gOkTya>P>xXwP+4XZp^5&G27H42r_(JU&&yAyI6m~V$aeE;WP zGcBqzPhUMioZK7)>#CUxyMpLw&~+taMRJFTnY^jMrN85wiS`!;Wy?yOAp&S_naNkR zH$GH61K3-L;(QR4cEmM?@GB$vnsufgCK%4V$V3F?)BqI;n+~Su^CiEeYV?Llx5Oc#1d)vcklW> zoiUxw+eu{;fcrce?!Rt-=AJkibEd%Z45e_I)VdumwtEo5$0o>_D$#w8zI*{VcuZQf zK%oQN{Tr3|4V(t+{&@Nb@`ZVzU5*!$T< zOs56_p1sKOg|Lz(8rfZsWjEM5b0LMZe!n8`2_2DLW2p1pRtcxPWARr;-r>WX>8{-n zTAJ-!W)~H7|3THiI@P^CGVE@^Us5XM@}+3;BU}e21YiB1)N0B1|AKBbo+Y%e;Q*Q7 z3NdQZC?ha+L+E~ z*}-26!Mm{VO_FIiI{hn#V~^ZQX?5Lphs~}|NcRKkn%jzs)~y>PmdqvbW!A*w?i)Kn zQv*#zx>&({bx14Jk)4W!yOdX_ZoaMu63_rRfwW0-D)-dc*T=0fG-&lc`!2JI<)953 zSlW9zzB8Zw&+6*`;PdXceVr5)Cxp8nqUQboFAS`#8VI;fMxU*d0c?Hm3sJL-&MP8l z5n+8}a|M0CHHAKb1{NyTJhkxYH3i*!xU^S6yp84H^1WtxT`4g+Sd68uodl-`ELt*% zrF4|TtF&|#WN%nYN(*!`Q_=;hkZtrfsk*=#v(-I)&?2uloNud{;z>=!bHxslh3Ve$ zI{4Bx{vR_XKeprAUM6}!ppwqjwu8^bLD;A*(oFPh_WnDR{Cl01a|&9D0D zo28NHNGMzF@rn`$H#V8GugmEnylAjfbO6<3`ynG`VPx&V9!Tgzr$Cdhj1+`RJ7O}( z7|q{IE}GxH$uP9Urhc%wd72$*`sFInkv-7eb6EHb{j!Y4$&o&d{S5YDPFQmJr|_>= zP-20VFS=I-Rh497kbUZKFR|v87}O^N2+= z0?)EmJyzlD0NlukZc3eTuNlat1Q&R3BqM*$;t{kx{v=8{f`ru|4>`pib;x$KYgD%U z!ir^&FHXkW)H4NKPromnzYRoJw@4=NRBrB+R(p5@Vh@YA$7p>nvMnkpIbe`5Wk1*i zz%OZCbbFxZb5-PgumrH|N5{A7f1JN4hyMuL8cvcsx0#o{ko%U3>44qG!k-a5-=u9A z)(qZGiQKR(pI<$_2GzJ}pd{r46{57ki?Tp$ zOydzn=c(XQu@Bocm-M%|?{HL}LszGM?;;=3EnUb@1fPWPjNpEr;g;tbO?CdrtuM5? 
zpW>`}t3m;Qy&C0gs%F2pIux2sC z2Q;3UMN!TaVr+w~U&I;Q=F4@1>GjCQLErW4x5b@(>&Xw`&m{qeM$-w%y<|%aaE2e` zWo8l;!ri$jPhCB0ew7~DZR4H@$gWBr3T`Fn* zj5y|<9XQI1c>kpNr=u?zS%WeyliTPfBeGJWr;`CQwnkrA@h3jq?;q-HkFl%e6;c|J zj&cF`*hcVpot}NaE*s*lKSAFY}U9 zx><+|urTauI6h7WCO@>CPF82z+ta}>Zh0j$%87hXrt)Jmu@Ou5$OUXE3VmWes9S7z z(a+1c^TRo~WjHJ}`tb_UsH7@ga{aw2+2imr^rlBu!~6vf{<0$sQDFa$)jC*Qa-uo;HLvkOEw|Uol!59C3VY^)3G5#kKYI{j7h)I*prPhCxGB~D{r6F& zPmt($q;r~P>*z4zm}kGo5$of_QFY4gTk`i=Gp}?YW%#@|5c`}= z{u*NgM(Y*d_;bse`m?yQmF}nKj^|4Oz86W*JqBEy>Q6)aq)I{ukSYP=;eu1Be_^2Q zLboX^m|G^X|D-3+4jSzXhh>1)=1X5PIKn7EnpJ}X(uYLnkLjD`Fr5`E9P5BOVnf{B zOXiSYV(VG1r8B_nMjiX}er5D^*?2ebc!~5+YfsfoH-sv;M z#p<;UKjeJ{cj9)FLoug zL2k47A$MM)Uv@7Xlsk?^cvOj}tVG>8_)b}f54{L*qSZ&3C)+Nz#}LA8P;XamANxCp zs)1aI|GbRzU^=p+Nz~aB-Z>T6^`V0|x)Cl3NKfWaQAwS%+3L-AR6mPYRzv@XpU*^n zOF)n#DZzX)N|PkpY&9*jORY#^DQ&#hMQ!EBh}|L{Dxxeu6j^ZXkidXllc4QLzTNOb z1VM*a6r@|Sq9K0KX|iOx5khf-SUcJpVO|%|X3bWA3>ky%YV`JT(8>_Y9tI;DCxEa( zmV(%*#n_V$Jt3=$!{z2U#*sB{?n#<9*}e;$SZ7h#AMV zfkA%)(otJ}m6Esi)n4R5GpQmrP+OnnN@ZyZH{T#rWATrfj@4XF{$b{Ct_rYwf@eJ7 zhrckN7EZ*qPG(6g>q5d}qo5oFCJ_kU5p%DPknHnhjQz?T8;gJmHd+dZz{M|o5?({Z z(4&b+{_wr}*M#6WCFwl83Y-24<&X&@=c0%8gLkK65?rcnMdgu`+SXrMH)0NEgf@;0 z1txU4{=>UM=%pO`!H>(nx^fMA(fzNX>qOCEcrmtFl7Wy$`mlQ;v)`|fJZi4D{ex{% z&V(?)nIH@aGJxFyDM<~ED8dkI973&O0vx(zf(P^R2h-9h$}MVm9b(r<+ZdYsjJq#X z{2(qny_z{0vM94}`o+o|1sPag-`4rG1p>n{v5{$#EkgA~c&-{nZm-*rvTCwGsbBTF zs5Mq6bTsv8NWNfGxI%i~p9m=}SvDk8)~d)o_(na#`su!in#oAeRBndB=&`4ffRxAA zrM>^at~6C=v=iPDQ|H%ZU_M5S8>Vqi(z>-Bm@2)mU;Bdn+QCJ6so7`K0=cJnG;J!T z%$Z*}66BR67f;=mY`4PEhK?NusOgo&EFLPY(N#zxoCP6)^tX~USV_zOj|C`vC&%M| zr7z)Wsp_Dvs#{l=;6Yf(iALyYE!yx4$N**|5h)53J!Qg>l`@U6C>DK-4bZ5Wn&9-> z-L4wk_XlQa&zC}1{fT4GW4}77*@tz+t_siU%qt3F&6IIG|K=&%tb1oJ>Q3Fk**;6M z`mR|yI5RqX?eq8`zYZy(kOmTN4F2TKVMA@wVLc%3t;51Or6gerW4%P3*W z%zcXPjUo%0FYXhOarZk`*7@669H=LYuAM7GEB^uUPq**4E<8QmvNpLzfwOicjIYFY zU?&;jAdo2|7l->B)GTi@_fw!fL5jmEwayNut)nTyV0&fhio!7ui%URdE3Wh*+VtPI zge_Gp$IrPvx0rw2R~xpK;Uc>c^r=(G-8p&3Pfn*B7Ev0+#l14uB^a_6Ce&#af1|7B 
zFG6PxgF+V!2$(4;*7QEgL~NjN{Gl0?kh?&S8h#Dnb(cvwEv*c`wmB>WB^$2X4+4G}DMv;a z0(3eBUIY+SSZFJSaJ>9?i9N2Oo~aIm(T zb%l4H>$}i2`O*2jzliR-VweGgN$7d;Uq5{8gX+=^Hr-8Vg14R{fy%ee6><2)g3MQx zN5FK=4gAG1ac9W=fv^@A+T2zGF1_=~J|dMjIw9h?xl|`-9q*3fjJ3j@Z6Xjgy_^eWt7UtHJwhgE%Ko`a9DVDNwi z=oer)AyhQ&--$^m+2p}ZvxgzIMSr38HT#wl8G{Yt1Yd}TZS&pSu@)L?+l?C`fE|x5 z2^9NLOzgDYxbU(Z8yIe$f57%7V^Xh{xpL}jtVhaq>|(*nX7IS5QbTuj*FScY{jCqm zB6f^1g?=d>d_MzQ0%-FGpn{+=9=5Ce5SXAzoFRbpI!Z90xA+Pz*4hHzfF$G+{JU^J zE$gAK$f|=$9T5~K&&Xz*ZToiOpg+P$1lyN{>EANZsO0Q}G;+=D<1O>4`}6hU`#%@k zuE(r2LbzD=wVgStwZtfn9LNtsz)e>>&HO~|;Rty;DgG2F)JTK% zW9C%vo(&+GG@w^}$NQ>JhEt*X=vEaHvhtAce$>g0$`gW_)7a8^Y~usp#B&n0`}_cc zrcBC23#|dmhgf!q3VunRf>{OZZ63oXHkivR2KAsKvd+QC%TWyH<>{i%3gL6j8f%~X zk_4a@G>IjgqGyjjn*pxMAa6Rr@}q5J>B_1nZtyPJ0Yd68M&@(|pYJEhU-?W$<#j%t z_5dWu1=R74CHt`4Ui>QS(bzeT458i(0ZZdZs~sTQtHi6ILm+sa@e}6EKzLLOtO1R; z*e9Qnz~Df{0$%@ATD=XI5~lR96@`gU{$c~B;_=mmV_V}vNE{PcGAMQ;ShF7G^dDVF z#;z@g4t#xM-Ye>`N%#23-;@06-pS|gwD+vpV-Z!Z*fe}s+T8o2Ke*eQ{fkE+@$}44oqjAgA2@2ih<46=U^)4 zj9+hp0AnEFpR(8hXy;0 zg{9+4nJNT{7>!T$r-;qXql(*OL12{X>%BWOmC}ETB6UU1BT)l+_kV=?otXwjn)_fr zpog&dUjh8WJmg#|_&`Chr{`%}`AC^+=3UGo;!vzhnv+C{S@}xK7Mc~85Jrf{lA=^z z#uB;g?~kx^=jju*DhZcN1gNm`tSAcJ1JbgFP*!Ybc!)Hvsu`g5()ov|)e?W&Qdz|L z%Ddj}k4Qxq#JU+;)ULxN6l0DB44{cUBQoPq+`stgpG#ma z3hC)g)TyNUAemo0_XI^{J*h)dn58}sYcPe+j*^Mkq54_+V$vgS+q z9H{=bRP43-&hk6AIqEzF;oKUWqk(IyTLsh(Fduar^RjI7Hjw(0v1>cyqfz#)<-uZq zDX?c}zRZ6{!Jz9+bU@en+_cQ|@;T|7Jb}1{pg)wzfw%YD@@nwl!e=%IEa4m|-0YT2FYEL0@~AwY zhaHMTS}==2chQQn|%||29n;#KZHR|#i6PyIME$+qgi?N#;lj6IjZM9A} zxf}fqe>c<4XMibN_W{VVjVyO47qKp%9u5#+LuQ-+@X?JkpFEHeNSMaOt|JORCXWQU zxm^57c#hA=nFhgC!|xJW>29+xQ=P13QBLPf=?9#aS}2xI_(wz>)wrny*?%jk=;_Ri zw`OOVw*gsI>IzPt0d8AKWo}WirsWXXmn`Xy^O|twZrXDw`>rTBvX5$-NIcL9jlnpbKY`7#1i+;c|9ML)IEGjdq);nv}le(1+$bh4Z9s=S?(B68;x zzK&Q)&%xTv`22K}9w`YgjqjwZ}V+b z;qp1>OE`oBC)jaOA4+5tKe4r74tt>`Rh6kjhEn7l1kq5SgNVd(XWbg)G@5s>f8)T2 z8i)xGpqH-lNxr=78vUFgfu-SAQ>+-8O1ELBtYYkbktI1C3;~4wDL$(BW1a&|3j<3) 
z7DWBaJhOPqyyS#;?MY|C;X?b%98ah3Y;%VHd~nx@Ft}lVd{RohY>+xOHny5bT4Nxm z=rsQ`NuW}0uNP}rsE|r08H^7CqDtb9q6*BA9pgW_yC|$jBA_zlhuPMUlZnY<7Q{G!Tz7HEgHlYow2I(aueAg!Fqj1>tR+hU)3`?X1YR>sxCjDs{~Bs2NiUdmCP&+?;x zw}|-{6j+S8Ie3UHY?@j~GWRh64Fqj*;bP;2VQ^XlG=A`;sDz-f40uJK?A&hjS;?fG zEAfhXUUYy2aC+(AKV3b}^(XJ`SHvvhz#DQPLEzHTk`}m-aiBw=>ExM=@n1Lhv9*ps z`9d7>bV)Ehr(93KsuQ+pG;H8SelqbAgD-ng_o%$tAe{x}D2S7rJ_1R*AyFdJT50Rb zHW8rIjnj0xQU8Hg)ka5{&0Jg@P>lpSobBCFrGnn>q}W3%DT<>S7pR*01;)@v2Hdkl zeVWc1#eI%8d zPKutB;L&6MuJSA~G`Bn40jweUE_L(!f+AoM@k*?OR)kH?NILLk-*|XH2eFZS&PEtL zTdy-}nRx3nt;rv5zmN^;Q{)sbkaSNF>Qt0ozuRt`6fgi|hu^BuK_k zWP~h+b80a8-tXm4Yd03o$yU_;M{HH_?6|`NXdic+jy*?$&_q7Xm^a6F|!5E6HP_*bs zpLyvcR2q+qKQi>a?Vg`uZgO6GlwTQ}hfeOAUn~5~%2C0ZRq7J@s=mJ#PxfBLDLXJ} zS4$aHgB?VAGzE@AzI5V!I=%nh#%h>1*Kb6Kv5OiPc5*khk*t>t!1zqsrzY)GYW1() z5MfyguyJ}M?bHLJ%m}}JrMC`4GzbJ76s|8Q5s*IQpn)&98EC}M0fLBD14LgD-T_W+BZ{)gm#J_E}bS8&FTW~NjU6PuLSZWcXn|R z+BH#j!@xKHZhoT=tN9aaa``erc0}Im3t~2WNTAnDvohvr45Fiha>p@im6oWFcQf_S zj-Bqbb<;J=@ac3?W@ZIa=Rbsj%a16;@5t7w80xoX`{BGwjlinvSl2cO&F;stO!C zTf}60Lq6(f(@JolKp7$*&&kp07aY@Q$j*k_b|{hh?N(ak0KRCN6OEIT(xwXZ$`ANV z@&_w8NTAWpOb-rkG8d=--2lw@cA~Hz=tIfsU*A~h;x|5q`q&Cm*F^&5j0_LcT9l_1 zTOWSIj_#4dXm)z+-~(arcml|>rFCLh)88WiV_ z-I`-UZVJ3M3M*3p=eAqT7IQ?DF4$zQzn4m!9ScOF*6-aly;x`Ll{~GT{$bX|(8H0= z>>kTmmLvTst$dFYa6R>IpwX4V|9w&VLwX(jsEK%W`~LPa+7qQ}@B;?1TNtL=6-;d@ zFcV<;? 
zXmA!|ER9hEvz(WX4CmD+4h4sY=s1O8D!;PIRDw9MuO}WdoD8HvKghKUs?qG%<=b?D zKA{-)Q~AJ~-}@KEoTY#v*YoJ|PiwdTRu0Z`B}99ugwvA=!fuR>jrU2m&jfy~!T8#H z7uHvQtO|aZt+re~-A2TJyg=LWJu`9EJk7U44jV7%+%B+(LrTjP{}XP zNxKaRWn(4Bak7)?+u(qLBtZz0jS_MVrBCf;w9ExDn`@w|tD}*9Av0=UB#g1)s=8B3 zAu1}WqPcG4=*1J?l6uYwe?LFii8x3Oya@`AiFpeN|8dnF3gmdW*qFSi-;>FRlf$`k z598TF?o^V!@oWS1t!&e5Wz7~3+I@}a9fb~BiIvG0Qt`zj*gK%0eMT)$%02Q;-FKf% zOHAw`dFC#_Bpcany4U7$tD z{UYy7)Q)GtggOg}uWoTPF6Wc3&CP|MmvTF)fEp;>*^})i6z)KSCFY^u<43K9ba&S& z%jlOl(gn%%+D@I4S$aq(X{2>^hqz~awf*b-Yv#`;7|!yap-VpUWmsy_`>iY`5_$rG z1JJla)$+`yrQ`B$o%p`?8>{APcx$8Pm!DQSj=n~dyCF~W*6OR)aq?3>feK%BJ$Vw0 z1OSAe0N)9Wk5%%m7#PMgx#Cb@p>s&dMx|9rwyP@9iNX0VB7F$4yv<>agF^vUpTPC(suy2hKQGtaPLe3CiI{5z~c1`eRM0h z>=%le9cZVLwd5%|o9NGBap7L3&dZ6Hxu8lTY;)y-E|~ zjvsJ*fJZP2dD68DvC!Iu>4 z=Hn3XpZJdUKJ&a)90nsH1m)S@-1{&pq%?U0NvT7hBzrh+%3Pp{S`A{DtWfIgcuTDy zejpdnF^u*q^2Jvh5Qte`=%LBH5zd(D?AC!JbN7$;^iLH<$4B5?^Bl}g=%aVrBxAJ53h&GvMKurJ8V?qpfHHA{8)!UZ)JO8>XccNC%y~76@FS-RHWuOwxH866NhWVVjUMY^&H&L z-?c-W12`pSm(Abmd|>qt|F-*_rvaSkF(7IQ3ai?&{Pg3u4pQ zEbK4AqOXQrY0S{tjh03{F8gER7L(ZmxLF!$Ognaf-gd4uB|zH=tE9Z?y%?atTqzNqfLqZ>q+{*^j|yrZs`o3Ji>PN3=fnknU44QQ ziwEpxDyV!+ic}oQ!fz___}lZ&$X#QEyesnHX2wjq$jE<8S_`FUEF6Ca}(jA$8qQR}Mt; zvMb-WS+2zZ#!?NL;K|^_l2sErx3fBqsrcJ2zK6XQyXYRYiMz}tLosTsRBJ$CPDfM`2VB3lQMz(qhN) zyQNpgIT}-qIGKaNaPUQBw9UuwuJm?iS?W=a-RNvrgYWAV5DL6Fyr2^oYGfWYT{2zY3nWvTUy0;J@&@*>Ar4o9_MIpEKpu`-fBKGVCsf6BRY`#drXVt z%vbAo^4cirs5+n9l7e40<+q3U4wZug90Co+RQYdx3&o>Qu*H9By~3yoH4OhfYF~LvUDwScJw+U&5gK4QrHPX^pUvM2{_wC~A_sse?>8isnb-4_#6tvmwmR*qG40)}veSRZ?4;WgWX}{p zM0#G2OGABYkwJ92Stzrh{y7V^!r!QHWQ_Ly!yQOBM4d>8e#mK#A;g)-qmR;v?5hQK z>YWZ285?irbs6{OWF8%f=}Q*EGc>|W)!2I@2U>3YZ0al+1|^;!%?9xNT#peKO@1yL zd2&iIZ%Yiecq=rV>rQ)`%5ok^_VqPYU&0ea@wGi_;Ow zrJofQ*6TCW7cXBT(GX!y@o;~YmL<6py68-YS5W*-LNxZIQ2fe`WA%g=VXElcG7$jO zBW&_Mk(TTN_rOz_>9FH^uM~J&N$eIs2}DKwr3HGUvr|?!Ygh5Bf2d2q;xArWZxt?{ zR1p#Y~9tu`szi;v5Y*ouIOTPtf$|g>^fbr)F?~)0kX z`M1g+xhR3S1uDHY2j}o_6w0IXR|MsJTDlJ~(-#}kAo^MtC 
zHv{kZYP9@RC9hAAl7&gC2&{~+)=4#IhYQ1zKMo2E7M|9U^7rShd`XNDOOP$`>+kWK zG;ONtu6R|u!8;|Mw8=e;MkWe{rt--qJYnm(xvIE4>9VzSkt0JT68e;XqWkEsmto&7 zLXvNilUGaYOR7RqX72hcZm2tLdPBK;D|M|Z_ri356{eC(F5@z4aiZLH!H}7KwZ*|; z0`fgH$zB1lLn&-iSNo$^A@kOIIMvsGC3hvzJv!IJ=|A0{EqCsnH2zMKP~D4i95}g4 zg%J={z`@5~%?fA70ra+odvHU_p1_4WF1wXmR?-mrSl^>Mq5q_p2XhcleWxD}?%)Am zb1rRcAktfKcqn+lRdQaHNf~ltY>A%H$gJ{GhF6t420SsPn~uuDL9-* zSo+%AGnV98ey*5b5k<^h%hj#b({r0ch zwZ0gViR;T^cyphujGSdaaIw_g6an`!9PMVI*X5+~6J6B_@-8IEo1r?_ znkxKST}eGOxbSt@J}R~|jsk8{wl5byk@cNI#oz8MW0qKV`i+h%csJa$P5J5-vIq~D zJ#>8-UVPSQ)b+hEYl(}FjI{PVo+~@+e!E{Kp4g6#CmyyHRkHnt%t!E9Cr!$(=$StX zNIPj%zm^6GML?*cep?macw8OJmBynY(eN~Yu$hHw6Xe=V+(3xNH?^A2+pCK8dXqVv z1j*0+5SeDI#TGybUZi zRNj1M{i2pux2J!^H-kKY^X3zuhtwS1HB}^m(SY>5DVE9ado>-2A%Tm%VUZ$HVF*883auuJCi|zG zVggOw+52MdS5}07ji#|6KzwngA>dEGm%^XHK|$5iBvwLz-@R972g_|*vWpS;(mF&7 z;8(L~v)@p1nr~nERWxM63l(7ju^>c_W~;bxA-c;tZRT*Y2FYk3oI4tK7?WQc4i&JS z4?X2;sbe}QG0^8~K;{tu{1Fo_wuZA0$=sMR{z*$5GUrpKit$ycf3-=vIG%G~iXg=_ zpoavx#Gj8zF|X%qFa}-MBpwYi*+*i7-2lRuPr*IQY--SC>2e7?{_vGDv`;aee%r2x zOAp22o!f2aar%KAIjOk&KO|UF=_h7-Z?0_UPDszo^%dDxP^0v{!DskP*~=eWy6*d) zVg3{3!`6L4sY;~O4g>;_s?4i$bqYE4IfgDpg8A`!zOTh7_+-a90$Y2wmmYJq6d_MO zc&auqaU~BDL$xnFSl|?K*#q&aXCLk*H?3dBQ|{T8h_i`_ysP@`793Wf(GK2}&%HFy zooC6}$|)xQe!P*i3VGrAIZCFE)eZfPLGQ$12}&sv8Qt(jlYc_VJ!|sKH4C#Zuj!BE znVn;Nz~xl`)vfpuCggdN#`jv2rC^_aQ4~5$-IGncAkva&LUNUgptc|uf%>Ni`dgkf zwH`r%>Sv4w^7o_b^I$Qfjpi5#t`jq|e>*vftAoR7<<@rjm|%h8`*cCX?@>#DS*16` zxWjmHTj7k zxs&kYzN)d^8Ek?SG52)L0)7nlnU;m$^C44<3??cg%EwF&p{YCk9;2G{y_HAQA>H_( zvJ%Mkrv%o(epaz>AQAP~BrC{N#pah_IuNRwlm4#J1 z$|GHnXE&_oQHm?T(B46(xMa`smhAF|hH@3Z($mw^fL9}mRG&U{5S8FbAU;B>shb#> zm`R$bsCC_HG?%J_Gqh%hr)8+6RtuF{gyKpoAke6mnz}s1BJ1Z`!8_8%&#IBESN}3h zOw5KnS2SUzSR$Tm?) 
zSxa$V^;e-A8K5%^=yeyB4HNYYRub?<ie|t8O$AyA zojnRd<`RPn*KDKyGJm`Iy+Ijd8TKa?LW!1uda>oBsthcH$F6~*m$40BWS3jjFg@4g z1hQX^k4s!&0(=R$!~^KH&Mqx<`a3Wr7upO)oD`1xDL+}6z20pv3vfPrZ#RIpk`z~&xOxgB8C6rBB^56T2|?k-u4Y7$GiaMYBdfowNl?# z8fM_1%4SUdDzC3WeD&J@Eh}F<6b`6{?y-z#Usj@4nicxWA+%#=)H6yMh)vnGU7D0j z>m)ZinNA0~5G%AG+#jfyi-GLTA>h^1Hs!Wk&0>X3k2hmC69lxXrA3h>CVcSfy!(7w z=s~7Qi!D|9jTZ{p=PN*8CQ{OkX@S0c5eBOJv2!fJ&g;8MeYhEJizrAp#RrdQvAmrm z)1ETm0km~g$UQf20LL*ylBeQ~UwN5`0ZYbv-+8oqhgq`7n-=)ack<&|^wQHKt@DB~ zt~?=ps|-$?2vmZMVz?ExL+WjUR3OWgLeeolf`LlL0>@~pjfday8Xh{xEulU397n9~ zzQa|*R)8Mhi@?2|fCosxMeT^cHGc!hS_r8y#*li@vwiXC^~~S23^heKe~G`E&DCn3 zz+ORvL$=RWCi`QUiUb48&$P(xptMJ?OqZJ_0HefVonk|7dFv^XWDas);A$0A7T^vF zUH*c~+IYOAXI7Mcyb$IqK5{4X{32RpMSGlnx`Zmb?vt;pYhLL6(1w2=MASc2 zzN4%4^mU1Ttl4k@DyK%jAQHdUf6<5aW_PyiL3AQ^{213IQkua<57CS`R9|S4jZFbJ zX@@p@cV90mtsRq$4puUHV+Ta*Aa{ez;)!ZwFXka zP-FHqihr@SIQ(DwSVsp1SUrhGh-y}no_2XaXlxiGclNKxoSAMio)&ZmCm9i*Rh%Z| zJo?u;P~@*d*s|~blA`$GQBiEzSXgsF(NcdvKp8iOX4*HfkeX6PFIA3@?Qfxf@E~ z%QNv}W~0BADPBC8k0#g+4ald-I8x2~gn-Av>pSzU8d;z?UC+sed5uz82a=TWgqMy^ z(Fn-T+7v>f?Og~k!`w3OKzu+S^3tz;mESkikJ>aPcJI76wD=)$8jrG#2;P?QYtd;! 
zS{j6tYSgYe{j%1b==p%%eflsuJZyC1RCSUuLe=VZ22{#RzEGBXZ0tWMBlT{D$t6z;kl4GNEaz)wE^G@4X=#`}WXwHlu`5Vz zgDpkvCBG=9KbKG@2w0PSzK0_Tf9efbttsgAPbLx?r|=g%01G z(p-XHHPz;Z{wE2*Con&g5`%zvo@5=7IGmKUAlH=s#8SeOqZ@j-Tq2su0n|!1#T!Dt zrXB%^TMvrjxzgYG)TgaTT3P+4px$`rsJ+aR^(Q3@i?pb~To9Bmb{{OwLuoDK)dQ7c z^QLP(3)Fa)UkLN)LzHR7e%}UEbGfZ{Y^FSAn8%`KxF2pjo#b?{cwI?v3`?C5`}vJ= z;Gz=0LHdvN(>5AXgcn>gF#2P%N7oP_iY;=eKX4N?RbpmTy)qDLzAPlapg%c2UH$O4 z0i9z_@_TIX2^u2~9u68VabpYu2(!+mp-Ju=58_w7~tz^yLAeLH__m ze6;?T;o%jDuwm58fXDj?L6*J1LhpS(4ij4rgfX;qV%Z>@no6NiNggmR-%yow?@sZi z9BL>KR0^j|#d{1+jk~;J?DmF|t}W<6IJf38c2ZTvVuMo4Nt;QuX2z9ZYmX2i1auhW zXEFaRYydu(@zX2*6QMZ4z->PcB7w`c1**;()mx32reb+vz*2{k&;tQDE8jISk2#+B zJ0ju(By6o}=5>--tH0w6g5{6VH2j9{)A^7{ z?FP~>sGufD4ojt&2B8@O01BAXlJZe!>r+pVo#^w=6#P%!$6qhoZD#h5{@1`FDgW{; zNP}RqezpJZ9yZTeBx4YRxCF zIuneV{5wkX6s(PxWCBlREqPWIkv)Wqz8`g&qi5zW8yFI?VHMBRB6r%;)+!x6W-t>~ z6{$U3Q9?9HS&pk*g0JPr-+|go#Ky~fl={l_4$Dt^!+h2otJETk_~(^#D1lm3sHLt_ z9Uy|8;!;CpOC-j>Fc$J+or86BmjOXny@?oI!shouCZ}xWV96TTpY*a83bgHm5J^Iw z-D1~N|z**ZTEV~*x`qqw;*#N}zLT(>Lo6jos5ix1@bn>7t z+#T4~5}Splm^LK_!a+nSbsL}GzfFt7Z~mDW-1V4?UfLGabNb%m5J&iL<9B`NA&-FS zgvR?UdCzrrX=!QXZS6IK3$mUTs$O9dr`<|p4N#N|FA8S`!hU!eOr{mwimyt5$23); zN*nN#49JTbLXYjaB=B; z^#_NGhK^3z3?l_QxEI*%upua?*igP$L?iP8iLkata!sA``PHX?_uRYT%UfWHj1au4 z(jUyI)!mbowG2*WFMsxD<=Xts+;?%H&P}B;weWT|kXue0J$U~N&`~Ssq4bJCFN4D) z2PQ0AdZVBJTQzeXnl@A3o?`iq-8uv_!yuY{M*E552h8+Z6TsV&!5M-eYJnX!>drL# zHrqI3d!sey2#w;|KFw?@GBYpw&poUctWmSps-Ao5kLteM9=4p{>Hq86bBf<}o|C3$ zVMX~`^zeBIcOCQ$0@-nViQx)ehxrdQHaz-d2#!Sj)Z8ES+Pv8G!g-RJLw>gF95h!s zTcY5P4a=wdboA2_NJ!ddPtNBS-Rd%72f3RJfYT&K%x*-Q?Ko^wBPpr|gJ2Q@JZzfd zYSoH`xNvhItQYtA8{NN2R8B72^}`d0t|M3?AY!X{rgzZuJWAx3yN@LDOwQrkrVr=+ z?&8GEB#)EHH>UwImE+N#@PpKE4;|hcW9z!qa}5QeIXwC5!e3}^%OPvN?+xY6EfxG4 z2%A+}Orv4BR&j1(KUzlf{22*fD)51?0F#}(Bkl1Y6H?DK;%()ct;tVh<|)liue+;1 zww#?8NZol#KuxiOOC^z4etmCLv6%58GT$|zOFm|R zU-->P254zz-a&@h(j{4e3P_`+GI{7-Y9J`Z;w>)gie`$UR1B8N>zd&8ZNzl&!JCBX z1H>DqAiEK(P8K84Rj?ArS3wQ%hVh8pybY^u{ziyDCoepcQru*wPJOXYIkE5?#3dbY 
zMVdK_Hq6Jv$A2LJ37`RV%r9OI6*nu#B$9Us_61$OdjB|qj0zWqC41-mzV{wn*(+lm zlc7x^XmvE9*}wbfETum14mp1ge{$qwCG{Hp{5bWZ0AJ&C6_jn}z{WD4<{w@BhUfpy zZ%z2LWiqNST_$cW6fTsO)mXV`y(IU&7D#KX*elxm9Hx9AHpu9s`rdDQd>0|Ka?(}f z?8`H#H|%Y2ugHekl8D;E{Ol$FZaej+qUI=Ep_-DC=U!k91sb!~e0?^_;Cs|Yd3IEh zGyjCz@nZG8u51sgcPuFy-GEM(WJ_G|B7U*+5PkV2RZVs-)W-5?&Yv5V;6@crk#yz` z9uHe2E~1=O5?2cGA%9cP^PqFG>_Oa&lAvcZd?mYosO($pl(XT3+vDNzs_L+4Vfwt( z0TLWppGe`zGxjULt1fw+*L(F7DgxP$Zyrz!ew;cf*N$7>0T-EK-hMxdF8C|_(7(RC ztKMZyHmz5_z?V@K1)pcOb>8&sy5;4H96`r)5@>pBGkz@l^ompaNcx)~oM1QEEKdBZ zGm+%^x%z6G5eq;k?OQ73j!v(u7QB$%;ZNB70a-@8Q0$KCWLueo*YjQOxqm4;ZKuRn zSIO2OzY&0Okej*vT5B`R9$^)z`d|DGgB*BdEE1>CE zQJUS4@zHn3koFh`EU7>@Q^sE)B@2)h(Oq82`W&Gn1DQx?*4$K#c_P4;FII4PCP-J( zq6CZqM5OuSCaddRgrJ|-PsZ!+Do8nV^xy zCW<@%&Gq8Vc=36VC9#B-`sO@Wmonuf7Foe;LXnvMMX@%lH$W~hnIl&bU2^SjT`W^g zhUen-Pg(PeaI>F!UXTcv|OVaP$#URx}o7lm% zr~cBL@514tgRgW^9c0&+QL}zQfxE}RP30R~VT~HD(7>-b1wKX~8e@sOE!=296tDCM zfoV|FnR%)o$UADAT{yrJsOfgJC_CfF162KN0qRR_#uVG!~9>yd8-V8sriI{4|7@+w$LoPz?) z^OLsud6MmS9mOySQ5(8=QA-U|>Bp=U<3Qo?ce%Dy#W=&a)js`HZ@=*?mJNa8#ONc0 zs6QZe-4Aj2MlxTA&}ZSC}9se?anb-M=Fd8uU4o(_a$4S0HdGdR85bb6+g&5Sj!$r z-+|kmpVk~VV*mvXQQi%X(vpwdEd86y1V4LUgXe=!FuaDMqh3M>vbCAm|Ij287r@Tw?2daGIb-t z%J&9I#RMb;J^cun0R@92&6b}w=oy~~O+HYFOy2cF>q8#1@$XJwrV5LS{f*38mb-7C zDqphVGdtnz{mjw+xYx-Mfa2K5I9wNZTlDV;U*0B89Rx<|3|ttDzH4^%<~kPV(^M2& z>|dd55r}%YfC;Rv<7AgDMv*pI1R})$vVHhMxAO8AvvqXexGPgrXx?pyGwR&<3;jhY zRf0%bWZvOFW=OJy4*yF5`}@Ey33JfVm7^9S!C8kN#uL%>{n``Pgz%ppB|0hkp>;;t z4C|rlI0i*WLTz14jNKNlP91|P6t!J|Z}piN+=BI@S{`F|Wkw--;jVw}W#~VGK92n+r2!lHK&r$!hB-dc+qtq(qD&G^ zD(QPw;RFfxYEn1^>odd>LfMuiD2SCYN4vOpnCH{cSQL!Ko`!8D4W(WrNsN2T?=#Qf zUgo&)rOBY8arAjBMR(=*i=mp1+~H8TmM(U$eqTMwv>PxYv8w!7Eqm$B_?1DNIO~jW zfp(KM`o(g?0V+PyVw~0G*))vg$ZvfcC{T4!bV7;3ub(^@bvz}_UViiutSDin%tjrUJS)6S7|V;4!Pi;+db=tT-V!n3A}@Pk(O2_FEq)z6L=zRm3!Jy* z0oeN@t~7{VK1-dipjR%`sk1)mX|w+2%{uq8H3t*}z?9y)N5SBvZ3|k~;&&^9`)VM<{*3~z+I^u(+%%=CcwVAgsAs=rnI4mJ z02U%+SIKA@Yw^kr36LdCXQ6?v#mM5~xK7!{57~}}+KLFAM#{)!u=0Co5N1vekpG2d 
z_>gyJ3zv|sP!^iqH6{q1%LO&{IaIv!CG(j$R+Ve~01pgl;SrISgX3LhUokBv0m)g; z(Cv>EL{S~^j&ZJG{VIQt&td~Attz)L+q^6&t~rIeT%mnNO2;e`KFG7X(&(HhG@VWQ zW1mxyhsaCOBqo=!9`wtV6l6;lpykEXR@7!8!G(_itVaA&F8)etwAKJx;&;(;CMe%$ zP8i|Kq@i1ZHDK_3yNbn6o8W3bUfNmIDe;@DEf0QmpF=@_6_vZ@mbg~ULysjIVvRNU ze=WdLi3|)UiA4jts0`C1%rkXLDBYs}{1%GVtxo>qe z50E!jx260#)Nq4N$1!X}7FG0gy;0pP6gEl5!xr~jX{5hctF%>Vx76eBzJmmz8svUb z*KZ!#KLlA}tR=!~{O`Ic^X&dTPE}a5p9!(#Y$X*Gy_yj*w? zl-hN1OrT|Hv%Oxm)aw)2Iba@viz2|Zu(bdvf{W;GztgUq?u(FcRPK-?J{I6&S$m%N zi;a7w)|FG*uMMAquF}vn<=TLxa7aUqQqnyRzkRQKMqvg5e(qa%>fav8forSJP0GNf z^y6M>&XWM;m_sQDcq@JKx(ff`(|;hj`HJ|e5i4Bxv_(2d*LtHoGT~)jQZ}?E20Stm zMGXj8%_{zjf?@v^LgJBw%6SUx>H_wf9`j)S@cn{zLWY`HaG5jMp2Yo%xFH-MEh6Jp z2&K`q_5Ii{40ar9K&t(>J6Po*(L<)!{<#G%IiCUENEZd(s}J;xn@PDnN}2O66>L?Bt zq7^S$og(2LyxII0ae?~5^2T>hhHL@n8y7zLZP*7=g1w;#i5DKZ{R&@zlw3{Fmp0Jp z7tE`gWXjcr`xdU?kZ+>6TB9L03QtxH`5qhgky)*Y$2y=e(^vZf8{g@Up#y!z72MGb z+)Wx2YvxC_hA;Nyq1Iv?t%+L9kh;6fZF?Ys3Ox4-z^#>k`X~6nXyqACD1Ch29m;XF z)vZNfU@)@i%>B-*b0fsCWh;{w2JTfZ)mG@va55E&zbv!J;Y;Vj|)c4 zR_iLLeTb};q=`fV8yM#&Y1HbRtndTsSRT&%g|!eJuD_aR>; z75H8DqoE0&@`vrzx#45+Y9)Z}$~-P60t? 
zUW?}=3Kwvqtx#4737VVi)XCiKk~IHOyCNP!VQHcSwtbp2G^XeKUEY8ZPXx{qp|}t+ zIxI?|NK{Xs&cyObi!aAVbRf2@vnqZY7#OHUwblKWxzzLa^}LD&E9{3?+UsaHx*8nW zlywul$%fyRS0}a{yiEJ$5uTWq`V11iTXQl*k7+_79#j5>c$KsB|n3u6@Xvfo&)*PCW zFVdD}*2^bo-Y~&}Ob9BZg*c54dPzOE4$aQyc+bIcX!AL|^BO(uL-8waHU)5&Kf5Uq zpiX(mrV6^$P>0093A-~e5mi476GbLKJ*Fb=M_a}y3=IxCXWx+s=$-tIo_}ilUwHYz zg@T|$g9W{W_sCH-n>3|SvRFjWyvV|nysps~x`Gc6!c)ivV0^tDp6(Yfl5_>Y=r3N0 z#HbrKFZ@sGP>JhJIv5<}KEG?M{J5B~c%e5{+*CxRU9~i~#BpJF=|p}0;QHPd1WZ0+ zllmO7Q%kVJu7fl4(H>(7x3LJ?X+_ek&#r%`0jKo?kNI9gR7xiAy-H^VAPyex+j3df zQ!a&ek!KU{F6(V49F$C7OUjtPxRXo+1#;r%UT@peCgr`Y{@7|L8Ylfx8UPP$Hn%-V zgD2YciMe)X5BAq~g|;hza@c5K`nwVXI_XMDLl@)L1taOlE~lMA7Kwrc1GKLI#5)tF z{CgzAmg;xzg30wx?+=e@B)pA3CF)#kSa5!1x#RLK#t)Zu?!TOM^1@?&UBQL%7}-PG zgo>Cq(eDpK!W&=z4B;%YAkM}CT(@?ik^}{}1qj&VeIyWj=_4^A4sS1?;Ddc^uaY_7 zy7z|K^*^rH#M;r>smSgVX{eh}@52syuX^MhsMd`$hXi-S2V-|u)@H)OgM|HlUx-4a zg^>X(Oc}{Dylf0f?rjP=0^V+t9^cBoZU`X3@-qTTKCx4SZ=W{>Ynfo6JCPAz@Ff>J z+sNIb4-FvU51U$Q`5T~};B%%uD^knJ^>2T3j?Y1-rd$uSI$WuP%95U)>p}C4+K(tO z6`O~pa(Mt+_P4wi463kGJ)9lXkp zcZ*_`mj`J+a;Us;K9s`IeOI#!#4=YsWw`(GsLym&9Kr$B03_8`%KgaYMaq`i@P%&z zpc09CC;;T4NvqxGs?+5QV$A|eFv+T@QeSE3RAgDP_~YI<514cWgg9%|3szDE+V8V6 zr*kGI<b`_^C0qk>#8^T&(UR~0rQsLqom0--(OG($f^jhM_6WZQi>8d}6;();jNo4)1z5coU9WC)0`5 zA&{Z+;PT^#J4mo`au?!mbVoqNeVc1sj@wW=FFGj58MbEbkqC?zB~bY0xD&pBJ6*|O zhSRjv?K`^WL66fHI$-|nv#hs zL*&uL-{@a|9;akzR->@eLzu}$cQRvVdHIPT7reBa@00&&(s}&ggU*vk)uyGU=TMwb zrYb>&>09+`&oA?Pkb#N^DC?TE+%7~XLU7<3s$2))rX)oB>cVCGG(0Z{BV$M{rM**2 zfi{&{HV4ghA+-)bEQ6>B@E_D@AmgW-zPz_VM6{v(rrz0sF!yzC>0hnSgApK|0Bf+} z@-CtgqrWAjzdBAP3V(;|;TL`lDLnL?EGqc+$GqYjkwW_PDs>@R!IpFhz&Xm1Bc0HX}MykmBt|C%gI{J;%B`d7y#EKM& z9Ba*MHtjCaJDautEOr@QCTDZ}IMVZ{5TAz!*ogsK`MPt#t4=xadXw6t8 zFpYcDLx_3&P6ozc=q$^cvtSr3#~kUbD{nyGonOaZBhI-_HW?P>Z<2%XIdmH)ON3Jd|uE zJ7F%1vI{|}irM5Sh}vJ(NAUcCIa#X7YJQ-CZempGHwk8GPlvaMtyy!KfJQNwPtyu) zULN1Yv2S4&n|iU&{aHfq-CI^1N<<7EME^`9+D%mJ zsQKp#%O!nEl~OvD7=I(whV1XcysFzwaVk0jvxpY)BHrQDRtLg`$o?f_N|AoQgNMf= 
z6|YOgSk1qcj^ua#TI`YbBvcJk%%)z7N4{~&rg_JQC>%fSi!XG)`*?3u@q|MR`3v(N zB7iMMn&blz&uC~ysSbo9fceKOg>~)WB4lGhcN?YHP1-{hg7}}O?^?TDRd;*hl`4ci zM~qFNz1b$UNax6Mo-X*x&)g*u0&*amaaa_2|I^Q?3oTUHkHQuiy)?KW^iAaA9Y1;( ze-FL-yqaD&KWwj|945oO7E}^I_0znLKa`iV+4GNN^VMz-((Vqzq?oRe8RM-)nF5xC zRi+g64rK~ACcO?77DoTQjL>~c#S%Je!95i;@$RpfLDH=9vyXeEPz)pgceL*_j6b#_ z7jK_F-kC5k*I1dy<^DT%L>}ME=QxI}l67c4Sx<<;UM7*PHlxnuvUrd1#&zn$F`aQ) zRr!zsrfHk8=)IgfO=q}PyEFcP^I=HsSd-rad^il{kBibdp7-%56!WsHW)4`3v7u8NU3o9WH#AM@2A6oF4~5EJ_FuIE+o2=E zFDJz42@Fy5h@Y|O>wbv+Ea1O46%bvOb+5>Q=4rJ7L9I{^@3%mNE+!Hn)mIKVsXT~e z^mF*{7$gjR{tE815t4u;>1pZ#bTKyWc5WLP#elj58x28NTf`mhW>_v(>q*`#y7d*_^+R_wD2rQ0r{|K z$#G`x+%c1B*FdPRQb9i`e@sLW^ORuQY+=Y6wFOlL+H2 z9V{OOKB9)LuonEGnyk5$4qpz&OumTfJd~vXC<^;j+{1mzsz1%Kja@4Ac)5L(XGIAR z=-hDjt*u9o@Q7BpUtONGzG^I@b&b{VuCp0HhB?JP`@ls`5AxXlC$Xx^T`x znW^?XFQ_(wXt#QH)9EeSRYLt#v6xN34jtk9iI~`T_^^Auc60AZoKfk>jACdp+a_6e z=N%KnbS81ZrmW<${_4H$mDKR@(lgx-TfZk3A8N=P%{Al~bYKO9Nk_zrN}1nh=?=wT zrU$JSEo60=!aW@9)N7lw5iEas_EU2xYCGD7-ldt6s@KEP$%GLnr*sohd%K`b+|j|} za`Ee&H)4z)5DRqrp~I7_=%0H|y`Ux5HevErC7CxQ+{`Nq6r7t~nQicS>viLwE7ZJ% z*k<<85XX}&gq6yar}s8%{X|StA>%%qkz9H)J~_Ew?fx$&q4x1=E;n>A{)p87Zkz)B zR?#ctdw5YXL``N1^76iAWZ4pYo_+~Ps3G3G7?eF0s-w4ueUS)LRC=Aqm)gGDTU*ij z)-dbPVo>t*cIA5kU05%cKXM_!gj>Q_FbeTu5R3KEpd~A<$j%*l`aZJICUH;wD!UM_ zw{(g#s9{t@+We;yBAd@ALoMo(Zf}0+QGiRk_}#hWLwD;$M-d<#WCf9s5WE_u*t+WM zHbg{MjTjo^QTxq1L@^N}k*1u@eu`AfxSklp4_IwAM_2S(!7pvsu<_AfdTFZ=0~{~I zTXU~>8#=Z>W?{$=v5sGB2V;F&%fP6Oe4^U>QO=PW4h@TQMVT8u>HbEgAVj~K;cej} z6u)B2X^u}56c!G0ip%}<{T;1?2<~cPk|f0eP^6eSVh~{bH>)NP2ecDTL(InFy?@;> zHr}%G5Dal8Rm{S&CVKtQTGS|&IFqC^*JspC#Q#&1q5KmXZ+guDZUwa+mT0IYEN{6w ztX4Eo_CCYdqkk^aNRtptym7Rm7!c+|CY2Nr_ADT!8`Oxn-8Jr+nhbZ6!Qe7Q!^yYI z`Xts(GLS4hP|N$_3x`SfHrgd#rnMW3CFL;1m=-SG+;)Z zJY`env|`Hf)M|hBLy<%_ODTE!i$vJ~^_BePO(Q~&X67U)2mj>M;UKaI=)u;sH}j`v zIO$Y><8f%jp0C^3*Z^4=X_A!Q-v7_{{P@8M^R2Sku76+_qjp6vo_Uhp3#I@&Q9u6} zd1t~?SrQt|K%MvL`)QHB4!*jpW zpE3ux#T7|4pZ$8?xTKV@j~q|^%P{5@fl=$4Y2VFt{vw=*OzulwQTA_#=#4vXzgz@t 
z54Y#fjHG#GdN2*xvv`yusZEiz#UKR_iln2YYwF>o^FN;nft?uKZQ43TS+k;lg4a* zxcXr*VjYEa3J99DRRq1*On>S2ulfAr9=Hz*%N9}w|h321*s)ZO1 z;0yVhSqnu&*(bcdA<}hu9gLml6{mPJ{b3`D3*VLJpIQ?ytOQvRv!*i}0qn`bQh%FDXr+nl5XiBau}prv(BX}i=D6*-6TGS3vYG=ydm3e|4N zC4SwR3+_!irWPd$%gOBfxS}sV1 z_m@xeap<$cFsLN<<0Tirv9vdoT+XbFE-Z7elfE33qdUZtb82S&V_)#_8w=$cvt=+TtteSNo@&pfi{s+a_OQ$I^9`&uvK`@Hv1kn3MrWY&1@v zN-cDBcP^+fzhU%cJKH;Ql2=?heF$O97f42y4Mw6PP;ItArok?2iBCF1=qG5Mdg4aH zaZdEMA&xhj8az$uz^u|{-m~JHVMBI%Uio*1K6lV73hUmy1YC@QH0O*H#?Ag4?op_EG zY2Ls9f6`yofR&QB%E+g8On?baC}czr0&Tm&X+cypgZOn+xd8}khLsJ+l&LD@ARnzIR)e)yrJJW4(l}Ukld?Z}yqwVnG;4 z$@^@SZ;AZ}${qt)Fitoh>6=BvHpt~^K;UNbzDjcD)Ui=dRt1?>&}n42YIVL*;x5Li z52Vo+dKG=>5$Y;uc>D05Rnp073ZgU4O6?8`stTb~k<)D{4nmTPA$Dk^+KY(i<2#vZ ztKA`IVPZg&!xqbIf{A9lC~FE4QsHi4q0)%MFOnhvl;s=ZI!Q)OX?pw&NcgF)@l`ILl zHvpe9wE2zHWI8sF8Bu+~LKY+9@{fE~f`J!Gq*q6NbvtAT8WkiiBeU1%YukO&^D{tj zPZLXo7t1=j>+mWsq+@5C**iNs%h>h@8&uo$zT|h}(zN>N!IT6xTz5yNZr^Yf@tD^A z){TsfY!PyPe&Al;+N!_ad`2U*si(w2f-~K}g7MvoUKcqNsvDI9terNUtP9+9ZT6eK zGmj^WaheVkL)M)&YG`WKOH=2OeH@j|cWJtwY}B6L`iic(!U=i~l~&AM8ic__2u^$G z74(8I!_bii=CPSuYMWei39hCj2Rh|;Zn~@rsD*_$qd@iNR}c~RY;Nw`U^>i8&a`f` zw&zQFJ3f)l?Z}8ToRDG=pp%@b{1OY3QA!HQh0Ma}d+%ZP6DLp7kk+l5-SO?Us_!;| zDJWceR!^0JtVg(n z&70M#tRXGopF-8_2U49Y<@Qx@=*9s4Sy~i0NT;n=(-pmk>?o1*vG(GhF?h+$16t`fyP4r`co!1)Y=#M>8t!-%6K&BU7Z)B z($s|58*%w_@?YZ9gXAvWENeHCmgr+qtc_iP|X!{XE#HK zPYe9k7DEaZMoc5NRmJqXIW2~yw<5)JHsAA+FWcnqrLICFe9Mp&p1?yKkLQsMq66=W z8Gk*!^%Keam1C%Wn_`tVCPoSSAxH?4l^UX|&<~i+gL3YHx*npQT*Y=0ii5y&r20=l z5jWkx5#Qu0@=5xcpfW2*r;jL*-lQQfI)hIaaZ>&#&#JYZxbTJ)qlp|Y@|b2_WHGa- z12)0yN8)IseA6c-^0a#6*P-v7N1qJ~wq0pmOr!_?&HT>B{-hXZtlgH_rWDi$BKJds zUgBfsPy1C;5*NJ~{^)TufZUSny;bHRh5-l()vt=ut>Bp29)W{oBQck}aB%~62MF5FRZM1#b5p$3|Ko-ykswPj6hDpQsd zKK4Y39G|>HXOGSLEpe^YPr!y$0Db2#5wbM$C3yqVR5(SqQ)b+}g2->VFaUi@sIBZ2 z)7oZEC1vHj7!X5vSUFun*X@CBa>>&RXwN?Kk4MP!f?QkZRwvMjA<=K!dc3^x>R56g z2~#?7^ZhDunSQ)8o1VWJd4dlW(V>T(vXJlmdN$2bsyLVfFnGJRDq15Nes_2G12pC~ 
z9>2Ur$PE|RemBjCU{I#UTeyaKT}Eh?w){R9D>`lC_;1C1`6=guH;B3SJgVVPCjbK#O_&HJt9mZhQZ-Ohz0j!b-* zjf5Sxmy26XIArN2Bs%0uNk&Fy^v-Zu+21I&m6s;tK}$>Xn1s(Mzn}9E4aXc4#0;}r z!q!hN(dE+c=NsdKfhd9>I{AQ^*o{mnwC;rakSj9M6vB`K`D50g>EhCa%TsqHuz(Ty zR!iqA2|wz~P#=_gL=Y%a_y1`D5(JVDD0eEu*f>9_*{QF6Uul+)CEZ2xF@gy(6m!dG z7tV|uRp5|Vy21VxcUW?eJz`K?S}KYyE%kaG4szJ+;I6Hy`L@fU|HQ<~daQt5geMac zrb!WIBEyrh;o(lWNhWTr9AZO|yN!;1F09PxsZJEJ3(@!#kt3&_H^&q*K8ic$7561t zZ>lbm{Y(hlRkx|;(sJBEebUjEZ7L46+YrdnaSv7a+%Ofb2{!h=HPL;%Xq8DAwvOq zH^;Yy;onAreRCFRJwJNfn$t)$!qRB`!1L%uP(lnhbG&8;P%!$AgkQD9&I+%DuoF}XLy?j%MJ&o4e(}Zq}YBi6afj$1r zVlzqHeLoStPbSXC#rgQ{cboW+QAbS!j&fHi4C>aCun`n#>9g1OiWu@C|Bf$t1y*l@v@LU zU>Xu!MD{i+Bg%6(3L+^yG}VnS`7Il|;oG05U#i9s^STQeIt@ zM^19#Gp==a>rvv6VNZpKQRM8OX?Bavlv@&dx*G7dB8fqpKMuZIDzGdj5QlXx2qpvH zYcMPnv73t6>`U0bPAE28NB22CdY}JU&}jTAy4zeuYX)0|jMK^qZAT@qoNug4cJHa{ z^7*@kg-4>=&43Z^@+ZE4v0um+-BprmY73F00sJ0o%!4&KSV-Z|veM-37=}hdXS==K zw^lZl2g_!vI~}%Pv);5QO>26X1$frc3{?yb->VsS{s73)!fhmuMZEvO*81Ix6JCzE zq+rjtmwwx$5nagt^5JN==ec<{o<6uZeVCe+9|SfJ`4r<~j?GQB96 zJqxL8lkS(O9K=i0A?}19Ta5k}%(YAh_ai2y!?{Z-qbs;fJ)h*ZVt{0VQ~dS%BV@XQ zG6@tqz51_xhmkj&v(>la`n4GKcbAtU0cw*6c*((I1@0g0KE)j!nb!FgN0Qs~rI$~4 z_X*F#(MtEvq3VqbqMZ+?-rdRSdYijnNJ=%K%!DPjQg&P;zY2f-iNERjl*@=Pc^)^db}zaboa0_U-pPY6aWk!TE?PA z_D;3S?C7#GcTE)&%k*z1eOv0xJesgmkaWt=BIk>cGY%LqSCYcct?mw^dd+Uwlwc{& zS%hG|#M1Fe`;*$h&g<4#Awwo6GeK7kW)m#J?#%Qb)+nvj3#yg zx!*IcSim}KRbCDbjw9JHxA$d{>hoaYwBGkf97@v^z!qGt(-X{z$1_k&RS(Bu;stTf z)4Dl~JnMJVSE`8Rz}8-rDf@LvmoxbYgZjiR#h6;vV{Ec6$r-^5s$Vn9(nL-#t08qt zk#0&zLCZV(P~L%yHo$i`xn_VpinN;hU%D{c_rTpB_q2$m6p! 
z?#qfuX|G52^S{gN-;&Z9Upnvmbzn!bZvm7-eIb3(L7ewhDOza@d;;~i*WPNj1ivB~ z^i&nTLf4UEy!Q`u$4zrHkiJSuY1^mIUrM_9X#qa-v4o^7zSYl;jd{flbDT?75@*To zT}Gi$b6oXi1(%f=v86&wbv1Q$y%MHvGeVzQ3zKrU8htdj))vkQLOoKcEd|M!C%f^^ z73$yM(rz&Q?PxLs|0r}7r?UkO#N^PoM-W+u2h4sBHYI?bvLu$PuGH4nvBL)t<6`|$ zn{cFA_*Ss5&v@*@`k>7Gelj;M0N8 z`*6fS9QgA#=30v{g5k4y=b)Wn@4M+w(2=HwhR^|$mp8Z>7c=K86uSOax3PN+9?%WE~H$gTw;-&7>!nI#8qYT zOm7bV;Q8kB5;5?XBV3e{lo&_3-UJnn0&pH*)?0nN?Y^zr5(~69;M=G3F_Hy z1?sPsl^jcrR=P8vLPCn3R_o2|SOsG~mJ4i08_v_VH-`Nh%%d8c4X{7kHS4ZpU>bS; zQW2}=e9>?htkmkIt?|C9^b(%{?wje*;dH#$vwmyhjk;Q9Z3$4TKUf<*FZwxAlJdpU zA7Afj;!*c9by@C7smnyf^*+8Oy-gy`k4oBP`${k}VrEA>_Z57?%FoWyo1*2||0} zW{vo)%DIP(Db;k}6W3Edhq5Ie^2F&&;p*vbW=mXV3pP7vAYMx)sJ= zpjen7czgyHTK(2H|JU~21P4(_v4Hh!I!;8v;`5HDu6Gm?_(pd7=(P%)3@C%S1it2x z*#^Za16+w*mCu%1KLlmpA|s{Ad(;^i7~FPakK5y7ZlgQ_svae?$9ikp z@Y>X9Q6kh5iUg;z2OL9nr;O2mhwH2}cie*Brtxohl3gV~p9F&{dm}xDE(9U~`Y5 z*uDU>f==jz`D~K@^az@ULxRP*G+&4(>DL)pZZib6rv3i4xivno(wcF6rADXHqNbuq^E$P*SpZ#M17rg#8_NhVLl`6U z#Id74@yW&04b7^{MW!;eF+dl*|Khu2aJgQ!DNzNH7Bk#hIP@&m7TK)T}lFW&v2H%otT&9kauX7^=))*~En2{ddstY5_?UV$PY=?Q4DZ(!#5_ zcMUneX03NRc5D2)MaS7{)iaK+xYe`nE;>`>C*#2=@(~TG(jBFqeJ+V z7p%R3b}`1pB4D&Q;g`6#ZuxMK70tgiE6ZW9_k>c|&ctQZ^F%*w8F6VSWRo>{Z+*yc zg_>!Z*5%m|+h;@O?svp01{%DToffz!owAI_RrX4cd8HsHevLsw8Mj2u&J#+pBkKM< zWS;`0xCJDL&@Z|q!Qze-r{`wZUBPTz=~eju7}7^7j=q$9xP9e(CP&>KbL;gc7X2Kf zd|AgBq?;aOC}tgUHT34XGsQDBn6}Lo`D&AtA86;)uutFgq&1>Rk^t!b4P!v#BGw#YEA6eFd#??Xy= z(Qvk>=ztPF+_QGQ`sYY(f%N>i5=ox>WKNm(%AGKVTNq5-I2$NlBD94bns|XDT-m?I zd5`OnU~`9od}1N`)M9p$;`^V*`PU)1X>}l@_o>;x19}4E2RA^3yigf5mH-0Rz4L(u zxh|({6-TMX#l@xIzkiC3t?IFXU!PBD)sF>d z82IE>aeg_L3BE{RUb4{X|9(zkA<1?ByiT@PhzhL$IZMugnkV1@0Ps!T^x{B6FElRr zIV1tr72(7FO?3IRaKH=<*hXj&c+JJ|icWEnFtn-pOcJ@?dsBVhqjmXl%)D-->Uf+Z z0kVDpU$Vya_Cj7`kzsQP;it{rHS~g)}f2Ui#>Aaen3X$%uH$o$T z+QQ=ErNrxpn-_}=iD-b|HDsoHpIE*KIcqxI<5GgxCLol`IK#DUV}-7qXd!^z31s4$L( z?T>j~uw1RT{d|~a^sNy@4ef>t6%Bagm^HP`^VxJl=4&lxmLuvX==s>I`>aSpD_ z1`d3UF<_psk}l}=`c%jS80rqH`<>w@@wYLcO1O)iO5VCfnwlOwmdPe)RyEHkg7+-E 
zLN&k*MTv`f#5ctw>0f;xyhj6L1#e3)p#Hac#Otx=Q?oJ@-4T|Z-!vw=-Aqdg z`#@3S53J{`YC7QEY`tHsOu!iYu&5oCc+tac60uDj3#{RWe;3k!dZ+0 zsX7&oUJYb~liLon6@8FO4PntA#*dlmlsHQPxEU>2x~`7;W`nmJs~Ef=#?WP-rMW0H zl)6^gkGFi@bLTnjX=XHD{Iv2PMWFs9G;`k7`j2-48qhIj#uew60jC@7t`Ua^Db1Y*Y@jJmn#Zmh?e9FV!p`49W=_)kD{SbU&1*rJ^kkoMk&omKVPx;m z=i2upx6{a?Th;diys!&#Fss!jg700bev!+}N6kAHo~sxtR)9iW9dfR9JbE@2`KbZX ztUf2`wo#LMc7<~Bws{_gB&)ukeN@Yb1HXybZ*{fno=*Q2yov%iM6Zz^!~**DbFhFKL$PuCmtU)>r(I03Ao7;P6yK@T;$RpF-aDACYNQ<3bQDrAX2AS9463uHF zDw;IuU`t4G=67st>>nwHhRmW=%D#`=0WI4t|EFBsP)~=qyH@gyP&3wv&C@oMvz~JM zQT(#KVkrD{iD%?5kYmG{JY8Na=H8>)JD^qA7i_Mlg)96vt%YC;R?c~{-3$$fo+S!4 z1%#iURYsM zGH`eYprH0g{+4age@XCu@yY)4a>?{ez=^fv!KA;|<$VihR}UGTUYOLxLvFFsgrRNU z?XSIN%bb?81j5*eJU@a+UnccU95fmKg)FzyDArM&Hp%*6%|G)kx${ zAsB|Ge>`foXeP#{w3U)(E(Pj3vs?F$-jk=?>1CAKnlhC#H9(-~_%e*o1#~rUFAt~D zE>%w-dx=Y(z9D85g}<}(Q+)r@AU=d_jY-2#gVx*vPyoJ+2_e&E#t?Kk0R=4x+>H*& z)jr2J=ry~*28vLGn5n=@#w8Lcisly|EUR=mj~9ln8yWBv8I;CeI{I9o8t~2Z`mke- z(r_gHZ@Q%buN`PM&;Pb0c^O#Q^%E~V#8ai?XTJw#GtzC!;@2g4JW2sh7>{g$NR=%Kc=KE6(fR%e(vK}Jz*CoKRhNa1a98S zs!>8(Khd0EzTH;c@Q;s0?042|{goO6<(l$xejHDmW}BCLX{E9l%#d=a-NjhIo`#8(bPqZf&cGa@cj|R!JbF!#Cp~$(H}u{E zz7YZpOTW|YU-@!NTO{iam@Pfb>sg@FAa&zE`EJFoc_TL&ZIC@qDjLon1Nmy8PC|%a zCa>cR@`kP!<~q$j_-lv94U2jbJuVb4KZL~|je?j{c#&043Lu}S5kv}mI`l-o z#ugX>rlOP_=KM1K#b~?jhNrPvc|=i+k3>A)L)+zi4u0?0@B}OZ4=lpi!B1|t_zlQb z!DY1=^C8}{(*=8ddx;h8Wm)}5PRDg+FYy- z7+<4^-x;IsoRs6OYw7yq!bdwwCf!0`d0R#stYG;X%&nh0JryYDcAWh%+rAV{!TL8@ zhXLWMNX2o~Gbk^))@zmp@qZDbqQpKT!UxbEh4O^RAOP9u-^gr_14!+8C47k&8tLpje7Dd-KBdx;Pkeuh5| zL=eSQ9ObsZumZQyW3QJB)=OXomSQ6I|8#LO%v^B`Y)-mIE6Dkbsx!VnzoxzPr)I<6-~OfsH0$ z7ddn6^O-W1yU?>8CKt<8+KZBAHmS(A@dycz6`C9w`a+_R-J)?kH||dX{AIoII03m1 zj8ra&t6#j7hW3c7DC1e8*OQX6TC$HLa=50Fq%mTdZr0#xpf%6&rOMw$?-t)E;3nMW z^yv}=!J21??^V}Nev9|;2{yuayf;)PB<7df`Q%aw`$9WcJe**rx`^4+% zuj3X%372;geA;>0{{x$IDJTH+52%<@^lw=Z6gUljuHf)N0X>E6%*;xZ8umgE?P6G; z&EDcoV`6)1ME@IQe@a~#MWfGtD||2ND}@l6t?}bj4?!=Vm6P1>izgd;6F|`#MEYJS 
zZb`Klc5~yRMBF)Yl=0|G2^;tw{;VDPgeB->jQ_1RPO}#y7!=3=$&1gI-$%nyhR?@` zKH-j}v8+(d)zI_}6O~TX4fN1;X<`B{4I;lu$6yS@MDf`-K=WpWW3D$N2g;E*;^4H% zTM!Sn6Njx|K5hYLQ)XJq0xKyS16)svn{e}q)(rXq8Fs)?5O%W z;T8y?RwFk5bFQdMdT}P;7xrgQeh%Qin1~|dvEAy*>F8s(6(k$_JVTsr5aIT67Q^dN zVd`-`9Bf6bE+aFdUjVXB6LD!S*&cf*#bS$u`sXdcuX0Otw?!d#fGyvc$mgPVhFBr* ze~bv#whI{!djg8RP2|(Q$dB({dZDQw&*XF}(9cp9Hm2()`?zF1kaW5e?R@Nxy@z)8 zsv;wU9yu`~LrNO-3vG@H@5y3YTssj46it87j=KcEz-)G<8pc_q;7)h?<1UkedX~GwcBGHB*Peq_OVC3dI5D^`S@psb9`AdCUH7}BgS1o6`n>~!(z_|n>_Qrxh*^T zT_&nCcyPT7{$?DMCC7$WfW^_l80_7wN2!O1%VMLRdREG=RMCG#i`@4e&zYc)NXOlt zSCiLk97s{s9(s;M7--741_uqNdyF#>6h_KuH^(?=Ri{EbOwUSeCj9kzW1$S$h3j@I z-LjT(4|34NArLAO46sj$FWcl~TwlSHfN%yaSo3r(R}kd}-E+=j#)-&};O*?-M~Sd4 zm`7gpq?0~2Sk>T8FZ-;&y*I@FPYWRW;@2Y(azGp+T`E6-PSZa#PR~zU(Js)>lLOV1 z1k@tX5v>6`=F+R^;Oh8qAAXtl=mw!eu8#IPfsmk@3B_@pa_*+}%l1r+BXa6Ec$AzG zWD~K8!i15;CI`a21`eXPW<0SE=qh*5h!YDoCYNli6ae?0*`p@lK|$e=xQWruNv0ppp(PR%wBmAK4$RTr==r8&(f^ z+(l3_S(WHLHj(NdNQ>{n5j?IJw-fr7r0U;g!HCsE{l$y3ppFo?clkrjS!n8y z!v;S5Ww)06LLUMW9s=0^ncFq!!|P?HtWCB`?M9+_Z%Bg1of6U&W}^&}Q;9gMBg1bz zO{hH+!{{%jg!G>oG_mY)+wtttj^2+u5GCLE7E%m(niDF?hQP76Is5qdkRrEcyV+P6 zZ#Awn$)IcRIsQk?t|<6ots@_X5cjz-!{C=q4Yj&go~;ph{rC{UsM^PR(;E8~lOR9RdK2WQBD zcW*_-S+bA9W!z_SRge{zbgyry&vs20W1zCM^l(mnaO)hNIvd7X3=BJt+A~o=8-gLR z1B|&~KAm%>eaCXbd1#goGMhgN)-t5&M;Z3o>`xj69XtUac_W7(c>jfiz@NyqVaj4t z$>lNZp%GWkn8T0*uiUVvhmVuWgjk1Xbj3QHB`l%PG06vS95uo?AiZUa&HjJ#OeLW6 z(H=9ph3;BuYywVJ%-6mt`y$G4Zi5MKGQAV95IG=M5vv9Aoza|Y3nl&V63M&F0G*gK zXY1pxN!j7nYko)Tt$7v&w^QsmN61&PuNQQKOMc;@Yd3h_>Po^)2sCL|!cwBmxN9**a+F4#B%z0_BzR^LIwJ`(@gfEV zutm+~BOW0(KU1SVe+x%(#?TzE>Uvlc+`S%cOYm}$+mQhX!BEd~;mK+?1O8SA^s}_6 z+jX2sLiipJDP4k8E>9PQ8EhYKmlwqdtgvnPA=YfX7eur&nJTbv4IU@~Ip`_b&F;Hd zB$zjM}}~AboX`3cSBVg&9LA%vuf6yv#^@h4ZunfxO^(-r}1%hf9ht1RTHIry;|#O)cO50Txk2| z$uIWvbE{M`2Ilp|pw!(Lh}E5h?04C+r1M><26n|zWA))1Pl0h=M+(7O6AH$s|G1Z* z^F~2^CPT_c*IE~a$e6qQlx^ktTCi}N0*G-P)-aiQF`a(oF!#EqQj*j*}xSk!3r2Pn>BToOg)vy#bf{c+d z?Ch)3C)NGyQ{WZfDQMHx=aBPOvI3g6_dq1eO*%Sbl;$0nxP%s}y}TaaFvRO;2}r>O 
zLVUTEHDl<;urH0<={-ZcA6bNKC8ede64T>rR6iUIH>HU$k6`-DA;O!?&TqP>m9o=p z2Y#|9huun_7fG4H!5`C;x9hV4NGmm)xK$8wI9zlq^nx)p|Cn5|SP5&`uqALWXi(^z zmXR2<9bmBQ@pa0&{`97M3GQ2;D<{mBgk0tA6o2MG5QMb=0yZY_GP%|KlEQ|X;z~&@ zI&0v{1y#BtgLHX5q#wrqB@#O(Ytt6gK(xn{rqKPz7*}x8>21Jkc|WSHU|AJB7&(ug zHk`^z8NshEer9gw8fQp5?pP)(-y3r%-ZFR5eDLKF2LS`DSXRopG_vY%dFUQb-Gfjj zjL<2tbBi*9(~J{_XT2XWZ|f7HtRLkEf2PeI{;g}(@FHmSz2IUtO)p|#37d2S*P#yH zzADaeq;0?OP}om59&FSsZLg8>cye)TiC{p{n?MiJ(yqH>hFpkUyZ&%xQNcNkm9HN4 zTV2iRdAD>lD(KS-8Y=s_9vh}%@V+MtJm41Nni-o>H#ku6$^ZzZS}w2Dt@_=?#V-}? z=Y{muK`e}I%PwSsEjdFew)EK?yQ{;wdS2uAIxn4@0FHvHBR$glb;~xk-s(KP8Vh zH^gM5K?1QnT*D90GuiEr<^lgGbSpCnY?14JmkHk4Wp-_f;C=0 z1qpK5&ol)m(`gH16RjWLMnUt+wi} z;e)#}4UDBY>u)q1TLpG$=PcuQSq_AVz$8z?qbeT`4 zR;|{;V=`Bim8qCKU*v=3S&AbD6NO9Sa<~V%%ytLDP3Ph){iVgmDf&dznOnRB=LAOE zLbf)4m`2jiCN2K4viSRp9FYZ3_|KdE;ab<;V6??O;_S>G;3lZfqaWbN4&9ZUW?C!l z_FHrY_sWIBlRTJ1Ou58J7#!r;0}w!v^ukW>lY}WfqFLt|1-EWpPUDX81h+wf@D!4Y zN{f$(STa`-y6}+;U!a`=fua2B%<9~(C2L_=2J%50u58U|DQw5j3TirI?oK~=RB z3He#9&@g&|UsC|dw56-u))~Z%t!}`{IYWunG|QH}I`l;#Zm{IsC(Lz){MlP3{#Jr% zP28)Ll)W$G^=Hjytv~AMt%)hl%~Ta3YQyT4maD5HJB<{qq&q?e)1pN?z5kD=w~UIi z;lhQ7p@wDv5kb0F)0CZfQx$?|$BM&Nu(=A2YMotl4$N z-Z`mCuix!qf^5W(>A56nLV*F|jcm zzIhN-BJac&x1~(z{SnSI@Euqm$}Ihx`kWtVJx2R0oc~YY&4&K*I!p4S`@q03`^QfG zeS*WN**`6h*r^-_LeWlxPoN;?lkny@bK2>O!6}3v2*g#;?8SK~+YOcdNT#~Gkwq@X z&lm?eo&Li3T)ZJ*^Mx=X3v=_B@2d7klT8-)4~1D9#_+SV$BF+(*B_3~krwdjab$CA z#2KXGt)|~D%v96^4_Sk4x(PC6y_G9TL|6=H6|pY(F_LIVWCH1F3Cy{EV&p-lY*Z{C znrp^^vmKvMHEL>xaxWzIfPUJ9BTE5#)lB7_{%U|J2%US8OiZ@C5RQinwQ8_ka)Ko# z7+o_in?clKsj2fm{k0F?DQgav2y&11qS#Jkq-pSbec?kr`8Fi~pD5lV4`fjQh0cB4 z)GN^i{ipOw`MmK;%RGJVosh}rYHh}rYOMm~<=)aT!M7-gDQE%C#6$H`QAJR_RV=VN z691Tqi|1^Ge@bLwTWmU3wgAS@kHK2(fVxQwc8?Ul`g;21@tgj~`v|1^%U}LxD`|Eo z3|m!;uVJ3>dfyk-^0{iv-ZS{_(52^pWgwvmtf{gMnkgZJM6h=fa3#BScSl@X4 zXxgR5MR}rMo>*3MZJvv1rjX1p!)#*`?1!sGfO8LP`i?#V_ z{Vk|u*lMUL%8CZI*kd)duDZO)wtd9us+Rc*OZmKl5gh7Z{}Rn8oHnC$gq8ZDJ2!DO#gokHKOKfY{Zi7E?2 zM))&JnoeYMeUu&rH{iSVfA%#B3wg9{Ts4APu|t3jXt8@COua3hRru;aqfZ3zIieJY 
z(U3Jt-{{DU@71nnQ}^MGPg&8 zpzBOPtRXI6{Q*n%7mYYRrQo6_)UvJPkS}16qIrTB9l=(sBakWz3GNw=j(;MdXTu;a zE9-@a!U=l027n;&3~Kq@HHtw1(#hw3<}J(fK8E_vD0_nYZoyJed@=&x)Sim|-(=siDgx~$8?7uu!Z+Bar!X$ar=nsiVCZ^f>EVw_cvYS1n( z(-+c(#JBmq`mU{wY-9{>iYb~<^(0!hJGJ^@oNdjT__|P{f?}3Go z=YE$74WBrb{;*v25o-F?V5=cwzzp2bne_aDibFA@7PRPsLoMNuzdEEolk%?NCB^QD zLiY+PEmoLH(AyHFZ811$1zH?vd6mxv1&&KbMs@e3lVa2CF}w>sjzR#V1@$dS?@AyL zL08ep=J}aSj$t^Z6mC@Yp@q7+kgq7kaTmJtZj%@(9Uc(KawvifLfmQX;=9x-vLDvK zj&bQcT14X*fzTz-P(q~jXn#XQijE#zQmX<56@rV_5IUq`Lc(9j8wV(Fexa$hLaFh2 zRPAg@wQ29qMR@$<8C24Sk`hPDYbJWxIaOpUat@$ztY|8$K;Qm#TYq^zv+By>MXe=KNe=6})PkH+1 zA&J_%Xgj&s8S4dXtAeZn*=);U^!cq9aA-D?dh-}n%pq)PQGr4>GZn>%=MxrUw+TQd z_<>*~BC`qdjuQGdcD=CwWA|K?m6i$?cPUsrZT@%d#YNt&IIkElPW+dVHx2Q_m(H4C z&@xJ=d4i>qeuPk+OlIjXZnzI{lQz5c+o<1O5L9;q$lO?)=B?@%nzgmdHO%RBV`1mX zDJeww)r2i?xBu5*0&*;5`a|IcF$2NvYV43_=B zRJZkNs_Dor%pGP!68bUqKg+UQP@q6V$4|m9Wv^Wy3_i;~LDx!}d83*e*$K}`N;@b) zGjW^Escjb@+nU_YmY?$-73M(ndxyZuf{XKBKY4LKZcW2PyNh)VJhLLGL(@w*1|bLC zQ5dPOp{98hlG?!QvoHK8qMn{jG;bS7C;|`C>BOIi&fk>I5gO2`>iy42Ktp?+k2H&QN4egS=zmPk zSUGBw*rMwo3y{Vw*nMJR0>Trk$|4_Mc)mH3R|D0h!wM!qmR7;V;NL5l3ah&^{&Ykt}6g}Ge*{F^?+ z*bTTUTx7OxX{Tv%7mK=FB+Nr(xOORIE3$!sL*L)~zH-Abq#|14a)`zMB8u#Zp@;n@ zw(GCHjWBNnukS%q+DSl;4AfJDL*-5%u9utP*ZpL3=*2ocq<*(w^@NH{g(UPk(`_n- zEvr9=0?B!?LQ;#zWQx<4ng_dTZ5luOh^UD z(eI_^9|a9i{nY@6-6^4$sa|r{m1u+oXy}w##)1+caKhCv!}IkWOSJ@f}s2we8+9Q{}WkiaQ6p z3IVJ0pxZWR7VV8$bN&s1-W5F1MUtTC;7*qeRGZIo5JT16J6i+-m5qD*7rrdk^vMn3)-*0$61jSo3nch#@AK z9|744F(pgr9mMdfDE=?(_idVbvX$7Kaln+7K99_q%jA86maS@2_^wq3B!SpgRi9Th z=Wre5!5C_EKPps=RL>+RlItVbJP7=4f|4!b8mdMEE!zVt;{|03qJlw%E*7OuJ3k*92aUy^r z6CBpGr6@q^k#|8x`}eGa|FDTbbQPa#$hJ+Qv1OY5J48U_kV{$Z~O28y44nB{XU0N-It5lZlXTs&1p| z8WYh>09m4iPRS;MEz}6gaJJ0IM(1ljGhTb4V#j%2ue_(fl?h#V33h`3Cf(>fq}i)G zF9#8F`;@JV+t%5Pl2D(=HZz2zT>#CHK)AR(^H15(*@5)HXPU#8_KRGain-?hdn5I` zO~m0uOkWp%7s7#&X*&M0Y8iv3vFh`p;%pvV32j|1 zd|Y=o$?K^EMag6r6Q1TRXI^4;@rZ^#C{&$&ijfNLpH|;o3yC85#ODYz3`B^YZ0 zyl7(*ts2~{Dmz-TukS7h*}8tW5q+Sb0yVC_;cng0Ru|KgH+4g{R-ey`rz6@fRar-(T=IcBVvL 
z3xEF$OKCYde$H+FQtftEB9Gh9rMvR?vZ(0OH32(r)?GQgtOBKr(vwju6%5ouO{I8n z7Nds&&D4^@bl#Q@7R@$ z1SIZCX)@Y$ry%O({}Bx5*#Uqi!@rO_3(ZRKp=&O-B?!lGu#Ay$hS1ZDek}-u1~RH9 zdHC?s2v7`jx5;FN>b_XBt`gdxWp(8nzl0i9#fLawXHMi9l!2bV`Qrb!%(1`Vf6bK} zh`P_+K2~=dzxd~!R<*GqJn}jXiI}t2L&(9`^$-=P1SDs|&Ax9q^PLaI1x(!tW&{&5iC2Bj75^6_;@xLde`GITE~uLjUoglhBgIrE`f7Kw;*poUvIn<-q)Fdpk zhoOG>q%8eXob#6tD!(w(=SWOX2#@+L!0eJCH2=y^WGBRZ)&K84LZUtcKI_>)MKp&$Q* zF=@#{#iYR#PhLh4PCviu4V2FN$;{m#QRm@hJbI7+uFvJh{^p-IR`0r*O61xbM(I@N zrQZDU<07Z70%uyebd{j5j_}WTH=e()*U?m6GkBHGUtoM%w$#Bt<2ISONF9INNLa0f zao?qgEs^7SPsQ8L%*8rB3gS|2judZxk?!Rn((@5tfS!Yu+DX{V{?a)*hzzCSyG>M%F8aUQ1&?W#X9e&qZ|Nxtp$ry>R;!Ls zOzC!cSbBWUFpv;ko(Bg98^d7uE{DsPhnW>#3D(xTIVE<^7?H{f|4yw`$+u_KloZtP zBtj&XQ0cdPM7#UTzm*?}_;Thmddj3AcO#b(iPFO0$WRkhJTNxk7aj&S z*yit=C?s6{SN&NTI%wJK6uGU5qd*MO0WXrp&B=wm>)VO=QODj<1*XFHuXKyw09goo z_tu3q{<7&ZIw<4d>L2=)r*=3{7e^CR*}kxw6W^02hi%;KFC4b&ZxzwK$2{=68sl!Z zNA588wf*Nwf;Ld?Z+5~XUiPW2*Z{`b?7)c%wS63rJxmqv1*g~Th!5<5cTR$1#Ahnf z=B&+vPw7|FU}wN-vdKciGC@FTsH(XI-cY23Jd0`5At6dRb{Oz8x_z4B0w`N2&^HKd z9w;$yZN~V1t!;{S#v7r^1sJ2zZNIlTuGYP_#wLofwWLhm4}nw&{68%Ke>j;|s6y(0 z8v(SF<{eH@JyLMQY~n7MDRiN^7N-1+ORmMPXa4T+aCNl33vq@gU$3^NBm>h0LjQ>P zQy}}#^I@Ej0ul{sP!ehaA8z-ufE;GW3}=ttQ6>t`8Er5n-Pdr+zM|u&O(9hQV)^U$ zAx4?(g;2|HlR6~yVC2m288d&dTDJz%?Fx8qX=FTfRXu9*e(0xwB595fDK5ZY5TsV=d)_E;mG`TxD&#i&-f^c+&z)m2%p7? zaEQ*0>r+%qP`cutyU~;Jf-L^SK6RER3=Nc~av$^)m+Ngd+~mZ-SeVz5-fOqWr2v(u zaA0G9ys=mJVX(enE4Aynl)=fj-R%xnn9Ts`_b>Hu-Se%#|! 
zQu@!j04jo0TdO;(o993A+e;BSW@J_Y?4Nb`jmIX|lfKJTB~x`sZ6(0&FQOCCE!Auo z=4);3Wu7(2d`+pchWk)e@#Z&{QNTjZX{TR~GdqCp0|NIJM+^h!Y0Rkl^;2p2$T@E| zHVK)`0*ZtHmTK0q{E*!Rz_SY|)-Ofd8ZkzRK=4C*IKIiIXYjeT+&r?Ne>0E@oT9tt zv{$#$4X8{^vVoGX*(&}%dQ->ee%eZ>i`!0Fp7MG9c6cq3_=FAxKk?1paeQN^rf90q)gh7*l#fk;4%4{d&Y5Oarcif%?z(?<7gA6%+$dkC~ z(78c_#ALnra2^X(k?nORxz=yO+Ymy-X*U%U7k0);8jL9&n(=bgjyQ}u;#h`(T)+XPvD&~;PJ zJt$JnKL0*;1iMepJTKANS98~K(Uufjj9!|j`-|$>_Zgb2@Kr_eFHkym?^_g>1D%mB zP0L~g4`i))+{=sA$J#Z)NU4`#k&ZX03fc1=%h#Diw&j&H^v9qrqf&*ddavQUSSLd% zDW~1bjx_5*lG3$i^<=wcFu0i|n}_1=C^lr{-+tsx{&|+GjmhKp+i_K1eJt@_ZT=^H zi~5|G6`q5a$Q7&~tbY%W#$_Cc`XcKvA%@gs0)@+Kx+F%6;LAY@kTG)dCE1qM+>ued z#1&@(#4j>P&QN9DEw@4Vk_*H1?CCN=E_f0&Dg1+l@$ zjUexF2IJ06V{rnz&y*R}M^u5r6C@QDZ{=53KfAmqd-`n6+8^88AY+JfG#~-O~;`^<&K~R3{R&BNLpJ~xdd-;kaH8Zzyup>5MsQ(xD)H@vU(+KsQ54WS0omDTU!oqMZ}#gcZgwSyUgNBO=Q>zFM7H#{{F#qZhcJ5?-Jm@ z`HNdM9fFktvL))!aP?r5FFJkDtu(HfVJ9o(xF#Jf)7bfw1 z2kQq9j<77Bm*JBm1i>|(RE!HDVGx&jj;A>dG1b_6EEb!Xf1%@IiV$(oY|=;Aj;GaR zhlfK3cMkmO@kyQ&2@0R|qN-MR{q|dnNKX-ks@oN03g7Kp@4(-$L~PASGScBip(zSN z*Qih-?)MKDZdaF>Y(zLv6*2W1_y2R@QZ4OcwbSjCPNx|o;wOqX+SxcZ+!u_j-(q#d z$(GtGnd3B4`~FMDXfI&5Io_C8Vx-K8MchOYKjfPEG__z+x^M8e>eYWa?CJf2Qr^^I zz`uDB_t$kMvb@$-Z)w>!SG(pJxxA_3+-6TgRu3_9f<&oF+bdU}JqmpF@jwqtio`(%{pd{aP_Tj<+y*_2?o^8C%vKa8^j*wJYMNDpTE9wPQf(7N3oimpV0(2Q?5XaYcQ`9Q9@lnyxQhkSEH-z+iQTzM*vF^J# zOMxl)#>xNv065TU;_R({TAx!%^4@FL<9V%VzM6ri386GYA-e4p(^ABo55Vrfs;S|oz+ETtc51(Cg%j41_2i-W4c|qS z5whCsdhBc-L(Xf`N=X>aW|>!=ujT3akB8!cDMij~UR4(F`rOXW&TsfE_T0hCi~slo zYa#Gvq1^o&99C)+kIk=`&W~dv z86)VsOQ)wUy-|A6HTB+^c4-Jq*>K7R5{r@~YPx20oh0(&`qI>a3tp#ZBjD;uF_9;E zAZ?uS=oRfN1;0e$Oh^Wgj1{jx+~|nS6~GV?JO~rKu^qjLgoKK?R2n*{sxuJQ0&pCp z?b58(!&>GUvbr=q@W}-!KvCk-qW=H!tOVs| zzv1*XI{q!lk@`dnx>4cS+cZHUSjqnT{;7I0=)^h*k*lG>;WMyg0Uzm&h*~S=#8j8Z zy$qO6nV3Xva*Z@rAV`FPOh0!yT7vgqbAW;zCe7F_K6p$8L;Pd(b~?kDR)9!8bTmZ% zU+b54ECqE`PvPKL&&({ev9sg~j5xX{LJ@mb2B{$-7J^6t329E8-LEqWoymN^jyJND z(?DBl|0Oiy_@jjhFu=3t0zXmYS~HDoGr}njO%hQ+l~?RC_w@B;vz2*Nmm$Tf{E8;p 
zisca!69L*9BisOmGCO(Bgo>Tj1Q9F@4CASW-;LWjNqn(eb`W@?BEzJnNGYNoAmulV z$oes17YTGMhgEONL;^Mfl4Rzz1m_ML|J9Z?D&_5Pf}f;8%hW@~6Ix^V8!L5och!cx za7fse3?SzEY2&5(vt#REWs(IBUiWV@b%-`pc%W{4ah@1F0hv>Wr1U1v=iNC$Q)mn-Q6%9g41_Bs=jO{sYyqVd-cRW%uzbH+5$wap&GkL>+MBlnmY%_}A=Jh8N~d93=0pY3fQbN1=rW~SQ~y`SJ)&(DFrz=+m>^Y|RA z+YDJbId`a-?oiz#%_!PS#TMtJL?soiTdWK{%lXXDSX&1Ni%A$FoEFHX<@@RNRP@cX zCo^;nxG?T=8k6+F_0C-#fZKn-TpUcq%dBi|O&zOhj?!s@ zQ7(+Kd&Y)uLKQ5GvCF99I;8MAXi;MSWn>}OU}5$Lwcy|}AuI2LCXWzYVkZhh1)bLe zzr%DOTFCwzxJxk?yru1|g#I1W9H@u@sAGZ94JG#fJfNj1fwY|wJ%Avyn1T?+j=Pbr zbd{Xf>yM?n*$+Vw7(RAPr=bb5{X`chO7w{so>&>`i0sm-Vi<%5*&@qc%ddp?@b-0c zqt3D~+)OX&ZUVv%7xWyf!i!LE>d2hz=57A(453h?kCCbLsHo$I-JKAY}H z)WJUdTA9zsE!t(ckN2`>QA6p*M7(&t6G|GR-(a7)g|tD6<(Coh49Z^9Gk1Fyq3Ay2 zN?}b@mHlFE~;&${*6Q5j*dka(5O z2Gx7J{<7&)0XX3ls(+bk+jT8UT+JS2B%X+I^W>X`pojV4;iL(R6l}v3?7*r&*R1ek zwt_YO2PFQEWMpf(e804KTIFWe>?0xr#dFBFv%W;PJmt=lZnsJj4!H%X|lBi>;jL7$wO4E(H_ojso_A_hfF?)k~nc> zcp{^<-PW%|uKx@D*Ct3SsV`K&(QD-~3#M;xZT$xUX`c(*Yc5tI@ZG;f1MinrBxA>0 zbPU7mlH|dVqL>Y{!G7KQLhXNd+*CkfE967e|(Rc9iYO>lJ)PJ>rC;3V}+ zN+VK(lQNrIemw|WkN$9wq}FO#vox;X;#N*yWir2~?{&HdxQE{NygM??t6 z_)-j#3|qv=A3-7loiQ*ox4+a(2#u7wWedXIlNs|@j{@!y09UGlY)CRE#;dZ)Z83hK*fu;AD%RO|(hW5P2DhRbPbE$NESe%^#$-uL(SkAHg>vAqld3@0An)tZS6fBNN2Vd1JkdI4ogTDk34R{VAeux^ydU5VnA zS5?&aC7kl18xg$E#B+MGEH%ixv0(-hfzO;)M8?#{+UXF|pHKm0aUk=}N#<0o+mS(i zNg+s{r)PrYQOMKB*WwbepCF^$g|ng7%I4nV^}!%opWlCXej51L)AJ$malbUaAkU$D z-wyoghHO`P{LXi&m!Vf*zA<7Z7ox!y7%C_qR_)}(f5AX)B^7BIwaGSRfDytLvK0#S zA|Z;?7q%OqE7!O3!KCpxwIxS(7@nIv# z(j)J}Yv{*F-PXae>R4uK(f{xj-pREAU7E(lfqJ#sL;Jk0^}9mnqwDC+tv}!>XyEZ| z2SP1sSSe`P<_mfyQ;iz_8~!1_Us1`~)-Qib=1+|iH)0atb@J0c%n4gFOwINOOYv6* zyhwvAiX?{R`^ZVXVo@Vbt8m~nCI~~n&!%06T~SjR>9zxH0#dV32tKi%GO&n%f^BZH zs<2$@M%%oki+rgWk2xjsK&U0V4WYtsXcE)y=jxCD9}IAz1z*{>VGC(3r4F{x5JsgcR6ikq7EFq=okuAcBwRE++f^G?x2KXH3>T0g8Q-tP>6U-4=_;%@%QyD%mc%srOw z?8+`bkLZw7DPx0b+hDcsbGP>R_RX7TzBtvc51$6E#iuvm&{j9@;{@A< zX%Upjmvw1SFwC7oC3!*1jxOyaR)PkNs;ID|WFOk6i(Tral*6X!+IV*|?$y76(=GyO 
z#0}8@v0q#-AN7E1ghamV6Z3~$!v`5R-a?J@bwK8j$FkYyk6T{B(g71}j+jQd70w^+ zbJz+8FE%WUm)T2|==7LK({5;gW&b|69MsvMjz;_LH8vi8O0q1s%E{TbrqOJAZXjLo z3Z7}JBOpf&uh8)1<8vu`h^WC5!9yK|BQ@PUt27UWXz5=*npABaWF0YF8ABMyw_ffX zKKK_mln)zTc-J^!Uj@+JFSmwVw~+QT+$|fp#iB&XIPuEL-nKP%&KXYtpW&6}lfe;S z!e-&B*+8f1=DyTV_Wu#E`}lBGcXlP2IdIO@(_hGL_q7@o8x`9YdAE7nMPC@7F9c+d z)Hw&K)ppfj9~rAEy!p(9BgSdvNFKy$#fA2&xKQNi-_}wy-r_6|fQ4N_$mgYW5m^d@ zMVn?IcrwdTTFlh?BX7D5DP{u`dw4-)gpOfkf`Uiy1nih>L3D%aw2O>67YZER(z>q2 zRUmAxewRrNywi&Ko}B#rz1;CWLyklb>~&T*vq-SfHH^ zA%yQaoP{~c66Y&7L@cm71p_xX6T?j2elrgZrwQgMrd>vQ9V%4S&~W3}<|3Mt*XoXm z8rXCCxL2Eqswm!GR8*u`=#nzR89x$M!}jp7UsF|e5kg$p3h4Gu$O}#JB_)quQ-Mii z!z?986T;@E$S&nT_DRL!4!2@OIKR3&J_N!2TMdY!tm1|N%4GCW`UMC?yUcfvNp)Mk zzsk!`w^#p0XIZP8!b3qhLE-$^c=+9|3~Jqp`1P%13uZK=hw(j~TaP{9d~{t7S$ZWK zdwZ@o(*Oi190}vIY8OBfZ>1oN{@v4s8Dz|l9XYNxJTg)_(n|$z+Ada^M0dGuu5Q@W zuxO&;RB#7{g>*;;2QO?@kAjeJjLh>cYc5gdtZa`D9HQUD67)bc+x zwz+0cQEW?y0*SW;#a69@ZVhync>kn9!0yyC8cG2Z-+~kS)KBuTUmVl+V-#ru`Z*$U3Dw>vX|jyJ8NtHxtnGPng+~k; z3U2sG2`a1HKV|idf@r-xPch-YFelvjWKwOAapJ#$HJPzDXc9z4^Q_ZMC~A;eY7vD) zu|$YknIQ8)CY{nOF>GrPHZ(Y@_p9}V`NsQMYF7~;`nj!l)l&B0{YSRIlG zl5krFM<}!fkcCi!{HxDI~>DUPeU~ej|V5?jfIQ{{kQp2z+{p ztb2t)s{58&DVtH(4---*@U>HQ7ixgB0(ujk{gaYm1c*7> zm1{kGyrBwjX{eX`>BO2$f-*$@MN|F>xV zVN_Ge5j6c;R=F2-PvIBH5FUAdx8l@D%oICpxS*<&jC!p)FPHB>wlsHg-y*>9DVDS2 z^hc}uez#i@=1&!yEh#BwEdl7jG|B!0@+Yo3CJcg;rDl}XgXnI|8nmBwe3bs1H4lS( zR|i~&u2t-{Tm)u_1TNZsU|seW90i~7rU~BcDFVC;uv=%b7IMxJR%)z5ihYJ8g!aFv zPD%L!jjy;BI(;JAgzfzJy1MfJkpI6>&Bsffi~Dn>lU7F~qui_gWzGTI&JBM6Mrna{ z`MAYBr>{(p5c<7A;y2z;h3AUnp-KxS^;5JZOZm<{^91>6X-E{0C}&0k~nudN*Li0qh_^{TfeppyW?U}bSj#8 z4qRojFm}AXT^5@4WyhXota;dN5-@!{r}x7aY_f%XDu%AJUH{IA!HCAJJN^DV*YkCh zm7QECxt?zPBS;_9Xm>kZwqzw)7l9a*x=oO493W};IKYX9SWn~^lSW3-6mT~Q>A8BK zA3fSWTe8r3U{DE&Nk@Y(B|=Q+KGJA}j96-AbCF=C{XZ>$xWGRYvL=z?YU?3WweQ+w zBo8bIxj4fRXw;X}EC#oL(JTNle;@{DA&69xK{mcG#_m{rA6qr%eHH(46Bq-+zAK^m z1MC(M#&1SeK}XJE%d1GkTUvnhezJh?_KWY0rVBQxQ!>>^23q-^JMi{9Y38Xwb?q8h`hLrRfaTxzMuj6{qZ*85(O 
z))#%UQ`IDoPBX1im3rdK05S8zV^S63uj$y%t4b?j^BzGBv#nZ1UUU$X_y5x~= z6v~zh6UI00hb{hDlC)<>)Tw5C=l&N7)O`XPzmel(<|LuRYK;ZEU zjPBEwk?_efFNVtp@OvfH_gr3dY1#y4wtQ;r4?Sf@gPa9LcH<0u7>G|FQ5*-YdK}x9 z0kt$@3?FHztcbe`+$Sph2d6?(e**AtKI;VNRYmY5rGya`Nue21~;+cayUu~$D9s4}8?Aw!QPKhx^Y zW8N_v&Km^_(|T(JoKe#8a(V^^YWNWBiOXXepLGL(B&g&th{hfAj7t!+T5wwY>hZjnY)`>nT4 zpX!-Typq_s%Rdi>ZSvg>gctiFXVP8ES@=WhKjMmw>NeP~xv6g&5W-kNSo#vZ!oc+m zSI^M$F0oYG4n=WYta1N2Hu^pKv9YnH4ebbE2APZ+VPrc!>hA8|@V@MOTeR^l6@Dh> zovrgY(WtHA$$)xMR;nNt7Z;ar<~hk(S;x0dW zqHAYm{5D!+#Mbc0oa6q{7qP|x+I^3AuNa}XW=P%s78at}d5$9TB<<>f*`SRDz-hc7 z;sU;3nUVvDI5!Ivlj6!3c&SNpsdKhR-cYQL5Kx%4|4tGA>eDEzZ5cU;j1)QdNrNe? zvzhTb(}l?*B9{kge7%eEK=01`0aMxamW+dq#$6Kiq>bfHw-a@#WOBo9TEw0BYMjH* z^N7{U99Pu=9=mpAT2>$E7AI^K9&uf1$zh%%7gBRuL%v7^<6|3yzGx_tG6_;j?(%G= zDYirw_cCIP@Hv#q)}QqcOh4U~VlxrdamITSL-f@%vk0#irAUx-;9ynUWJ1Yb4_JkT zo;aZ{_ZcK37#t~7ph*#gr>^4*Q-T1!W<7$~lTx^9l93eg>)dx}*6FOa*y$r zaeUCgdccqOj)`(w%@F;b-1I!9Gi407b}AJ z&2F~%KTQduY+)({^(d~ymVD^9dm$uT%^;pAQ{)_o^I>H~iF; zXB&i9?}vZ-2Y#JjpZ|}&zn0ugiR{E8n(q>{(107V>vS7BD^z+~V6U8@@*n$`HRdhA zukJ$E{6X1SfjX_-ai+V=fueh)CNwuohSTQAB-Krr<8#8-t`k|G9is=vQ{_!!F-;CH z0&UdJ&u7Ab_;-hBspFd;W#Ov<^Pja2)%tpPH2B|>&hD8E_Y6lTfAz$Zs;zb&(oJSK z+5C7*+MUiUif6(c7_ksntQ5hVOJ$;PnGvh zK|vw(rhTnR-#ums4lER}I**5sF9~d<8~OM&L=9d-N1`BHn4PU<^U@WZLmn~`zb2?< zU}6$fhjgVU+t2-k7YT%o+gV#1$Cb*BfVJ-(yie$X&wM%S74kvnZ+oAVcYCEh%H(6X zKeWS@erjY+dz~{u%*Rn$>tVw|ILFE44}u#L<@ICqrleRcARFbOnJ@>sRA;+e=DbFw zJr054$#9xD2s=obf%6nqqWaQ&2fwn%1hsX(UNS2wA%-@%v^)b3|EY18uFqUY6vF-W zAK0Hwv`%Sp9ECcrI2%OuNnVe3`b;5QE#`{%*S{u*WpMZ)2Gw2&SR!*_i_47S-o%wQ z7yAx-3mIH8WOM#YCca5pJH_xF+&o$^lYWa=(Guv1$(01V5dluPZpAK4-6**v)1iv` zFC)EUnQd6m&)4BKiMOK2)*$ z$Sgl$D27{Qb3?r)Y~+A(#RR~la>Pe|ChU?0Am+ElFsKp3XJ#o~kV!X7GL>-6xu=op z{FZ~lB*`yaD?^Tvu^0)k=5V%66%xaUZT5G6m%AMLh-8)|EMR;9TKgm?NGc7SV%k|T z7gMZ-jsk{Zg2>1BqNSH-)#7t8X|Nj?h{<_ z9$wwUUz=@QJ(wRGO*l#0-9%HUcYgh&@2_y4eWGj0jq{y!4e&H@ktJy1OlbUMA9*{z z4{}Worw*MQ5t4F!i{y7YKdApZ^Sia`y1iO2;;3aEn6zPx-U-^WMh4?=y$vr?WcFpQ 
z5vhk1KI8RTvtMeqO9gw>f;_ary734CYzwF67n@y$5qTVNo!s;v&d%Cx{yuZ$=!l4G zX}yaKKC%t0{!@}t@^-`N1N6OpAFH&Ebp=A;cg|$iqoVg|nzw`dY+HK?R2gfJdBXLD(OJpYdNKD$h}cN0Cs_gIbf zMETRyOl#M<;Qx3#fY^_bG6K=;1$?K#>d<`z~+(ZI&#np1A)gJM!0blv7DeO7cD?c~@|yPTRczP-UPF5eaP zU>Kz@vt9sk8|_N$6BiN!d>F8g}chf+02Za^NF7 z)NP1_lER7UjugP!KbZ5_B1@waa#$_|1_oO2Y;~F;m&HZHbRT=xw26Y{QfqXUl*|Co75nRg&#Hm@wsC5$?MOLZKoyyP@EQ#`N!Y?-SP7ZRGO(hPESu~ zcey-0(bE!9m*oXRTVOYZ2i>E=8ys9*Y!D;Ju<3CE*>*xqOpF?r?c&8VW^eTA114qO z)jRPKBk2o=ZPJLm)hp-kwgpUT@1CRqU`?u>ch+9}m#l)02tvcZjQzT;6)yNKR=D@n zA~9^GWAk?0aEeM48Y>`t@=iJZu$9`3AKY5>(4i5yL!&t>MLC1U!ggJ`;bagGGOS{r z<42qhX$Kkf9Xag#2e88om0l3+t=18;ZMxc_cNRa$yBJ`F{Q9fr`YEMk45vi3JNqsH z3e08aVYt8VO@wL{dciF@#4P3RwDNPRO3yP<4{|PM+)ONS#Csp_*P)`5R1pCeT97`9 zD!(XG>MFI@dsxUoLG8LeZt!Qq!IAhXE!S`IqUX!v_ZkY_h2TTJ%9^ykLYL_ELz#`PzPas_h2Ian-x0U+WntHuaZ%uPtmMr*rKLN%HNzA!t0u`NK8 z{ido}&a2Fci{w*PKuJ!4`}&27u6BvPKlMl#5c){L6_dj8#Ba*Y9sRSj54%cVKU^7T zD#`Mb0z1Bk^U34;Rrx!@&(6jpA?e~h9D+AyEWPqzp+a*IbXydnT+S!JIJ;a}z4uE* zKu*>}gwBy%M&OHUbIW2u3ZMd`4Az|a*?8VRA*|E3<}T5GV|;UG4+kwQEJTKoUlVRP zpZm7E4pt6iSQg%Ng1N7R!a&$b2k_|oK4LAO;GPm8_7(49{5XkhEwVxR)x?t8R)U8S zmlzi~WM!$J!;5@JyvtpVkko?Hu3}u@v}NF^*K9aVSF$X(ex=M$9V9~tg0_|aU$qX) zn*d#|-isbV;f!xHxbUE^bfvJc0iK3{7bJ*Uc~)WS0UdeLo9nRr7NeOVBBJ$L<}^<9 zBCP;?fP%9M&X);L(J1tp;D}?ue))E~+twh>q(vS~kR=!NT4>x3zo0TaJZvv6u6H;* z$~={0P_ZK%4fAj=Rana zntTZvB=;rK|GigLJv~3)%%EMy;UTiLbel)Dyp;6tz6yqj{Fa#9xNf)DJ^pyVZWcmL zSMb9I`s1X4l#>)xlgTF`kp_t>mJLf#`WG^cHMPpP`G?Hsgrlyk>_CXBT?mQ9G<9@9 zZL}jZ3z{voSk8(X8Tj>6g$~D;X1m|X(0HCL*N&CHZ=a^Iq1n3GtjHxF=6tScf`3kH zh-Win#j8Y~Q3YyN47h|X!G~O4;K4hRf>>2^=H6M~l3c{)@*way2`Tx1M8$%Z)c$(S z$kW-;s}Qb&PNaYNrJ_jc(-fb!Ci@R0J=Rx2l`$beI{~n#pjpvWF-J&`%Et;;E5E2k zw%6Y7E>@GvspJPvPOh+$tzPQ#sx4S-0MDdSprmzFrPZ?!)6Kj9?1dB5=%lSTZ&0ZU*o64t@_ z=hC(;*t~IK3jl)}X|DaBnb*rGjsrmoi z^?ocs&|Jv-@p5|hVuLO9WV2!D^T5YE!}1;l)|FMnZOn+{Yhn5Qsscff2@e%X@>Ge- z8B;r>q?<)-;63WoK!TU8fUfURivuvL zq_jaQZVbUPUUz8h)Ad4*&!YW}a#y+HC*_5(^pD6-0 z@8&l?WUxf$(#IB9%Qg|g$&%x*e1aX}L53a?^ z7!Wa7u>zGiwdW5Gb@ 
zFW?lLvH-@b1auPjfRikIW?lu*8C+yAR@Nx9CB*IN96!}foTH-BGi?@>w5sr0<{IVE z)~nNo|Am0@RT&p*_Iu*+%WouA zM-;4<`;D1ncp}BH;Q>O0BHv`GQd#%;wPwoKz0KZKc6W_z14gE!#fW7R3 z*0T>Bp#%0{;`V-&iP+Nu1;2MsS<+{+?^FMN{mu)&$_i1&6k-y`?Leqsl@1mvIMso@ znIhT>qv4#3z8%Qkbs=~XejprFT9S}%m~W_?)f)RA^~8wQq!f$r|^?uXo08k$F7!lB>eYk#|x*Es8R zbT?X|btRs=+=|ApOCnn5yl5T5xuIuM(@eW+#WPEFF496uGc~%?*Iv0tF3YUq>A%ZY zCB}AhEx%hs22&-2QV!X)6WihvbW9) zye4L^9W#f{8R&pt%@bOAh_Q0)h$p;VG#ZMLv%HE1UsTu!b2>a)7_TCvjfN;FEYMit)#PArmUQ-Yx&4wG&ah zOKuOpe_lc?Ibp@-fY` zkQKGeH21bv*ky5g)1%T%$Tm^^3u+5UcuH&j0EdUM&`C85Ga}jL z;cEl9WP-Ua_qvM!-XxJ}_SOIdnKwXPE%!|-Dfb8GglJ}16&oKMpdbZ6%^eU}d5cdHv!v98 zb|?TzMXlT&uwk1CZr*8asJW#9aL`-TH=M1GoKvD6=Yy3KVxOO;53Um$ArQd)x4pvr zHZFq#{*~Sljea5Q7!NY8l8?m=fp5cOQyG4X3|=m`)Mbtsnrd8Kdyj7U43V((A2 ztnY9D3&f{sXw090IFA!p*TOAy1&W*%Qg1LcP9F+F)@}nZX0CPCzPkqjbD!myAR*5c zlV+AM(9If+I{WL_3MDnemqBBgHos&iJg3Q*+=K`TGD7_`aPa4nKK<#~@Zl|6Ef z@a*^@+n=!Q6e?&dIePeCG2C489-YDC91bDy`^Y2N>F?EPk((1*7n!XXT9)Qx&Hfx8+m&D+hZfXIZn0riJQ0Jr;p|(;gr%2Z@9L|MWI`qL^mJg1n zQ77+@Lfa1a;Bn57DcX16m>#wg;NQOv;0$pq&%bc}Drh*{%|bv7t3L-Voc7Ct`>EDN zF+p(xU%+_ZzSTl3X}0U~{PboOJuSAm=He$m(;jhQeM%&U)su;7d=)hIq(mjO3ER9l z81DcyD%*&*d`O!>RCe|LqP0ru@8iGuU5;5q&8a^JvJgvI`N43G<+_q@V!s95n@o^m zUXqJ21V!nAtOFAucYHFqOsV3vpaGUDohC(y!{AwAX!$;5$%4Ts(uYO6`Hmnn24XyH zLe%3;|1&)a0tK|DhhM0s!zJ7CvSn=OTk>c(>(E2^6g|TS+uat1-+UZ&rG{^sQ29!~1gxL9@{*M>nMP40R5O&g);XgV!;8wCVUjMHa^Psj!K)CXfr_MhQNu7W75uDWYL{K;3g45`_5-KxD#J2DSwX zlpX#9(0G6gVQ*|y+C%@WT}cGfoh#G)ND|-F^!QS8pJrFz@ffn)?U#s)Jh%>mFgfjS zUcwNHh}IM!xf1`d?~JIi=xTK+O|r%3k~C2}PXJ9COTV&uX`?HdKD zE+e}acbsnVha#_D4y0_O`^;ewc>Cg3tPAMB2rbNDCF{|20r5;GK!4$EUalf|=hOz* zDoIvAJObAX+|j&1fSi;N*5sH6jBsrgQnW<}ob^uJ!pEtSq?>x06sT7hIFV_7Cdo1T z%C`*lxCpGj+-kqjE>SUhL5&ut{MO)n1TzKFM(xWHF(FzGa0Hz zos(~ z{v7(xb)EF!7F4&!FYBQt$Wz>(9!Z!Suqd>?Dhv0*C%O*|yZcImyox|$c!fn{jlose zS_$T&fPO=Ip#_yVyU^B*{vj9Nck%R7%UyfcGe1Zo5LuG%b?jniKgNUJ3AeJKnkJm- zXtSpEHx?94nGL`3XC@X2ye!9S*{bJ$H#v3Ek*bV5X5pn6`ax95a3}~8z z!>+K>dX$BKUu~(6?SjTEpacyETbwWXebbI_9(^W2|Ir+?M 
zK+RrAi4M*;l4E0=vHZ&Y-2yo%Z|Xg^s<3f0tVbnYi77j|Q2F-BO>HMRQQy?M$~YM; zmMMpXVotQ*lJVZ=C8hmEWzBjm=?;d)P!HU_7S<=zy#H93Mo}-3KK+F^1m>E1Y0@or zS4i|X&?V%(XL)m&GO?R$@CFR?6G_xkL{ZQ|-Am7q#34WO&Fg6d*T{%REjim_GxcRp zMT1m)NXE7i9jYGkTzLYQorU+6ZT;#|t68SxA6Pd)K-t%go+9d{eYzP$y?lclB};A5 zGN-L-*X-3_R58t$B#P$8&ol-#T>YlMCamo)M_IJVjAr4k9k_KsD#{uZtP)@p6jd`q1 zOa2kO_A&dDo#?9Exr7-Pb)c#ad-eEVkqs9wp{8h6V^G#;lv)cI0mTG(^Tcrk4=e zX7=ewJ%p5$QLYIouwI=x39#EmE|;dJv}%u^M++9UX_DXgFTtP^#t{AEMG*Mj&oVP2 zE@yfRD#*nN>NXv8FbwIUd#Iobnio`%ZW3XDPIf!84_pabdDi`#!CZ`Q)R;cmnL27>s##>>R5QBYEb+E43%i~BXu0)H)9Q_6= zkhZ7Or4g^oqyKEMG~(Q78>ENr2x+3>1#K=D(adEW&$!bgPc1{O595(@lIvyO6TIt# z+!rTQy_PzDJWn+-z|MOh)BFhBc+UJYs8#|r7F*pygw%n)Cl+qSe?8;d*tQp-clsE# zV&@+Csh|F|u4{=gW3a`%BIyW&{;d7apeF3L5hSZxRB{1ZgeKqRnk+8bR&kXp{v%C0 z<{L}+S|%aPeL7)9QLO}0;Jo038u=Fl?gBqG(y0aewOS>;kC?v0Un(kr;vz?{t7ORr z`EWk9{F5*Yyk8UyqY}eZ#N5=0U9YGTzW?$*1~LDX_irL8Tk7o{9UFGo48xFN59^54);k{*yy`W-O#b;*^!Xks zR_rIV)~pwu^0!|25$smoed1+&B+=ItH65`#)3Hj5JvjxOjvG3=H4`+6h1%5j0bhXr zRIQ8s`I8yj>0N!>mu^Pf>~oneSvn#oc#+?~h203sH-3}p)=TNa7iB;TQR4+bXMNlj zt%<@y=*Wo4W*HQd_j{ZPxx^P3X;d#%0i3#VS zZ~7s1CZjUc&7#Tu8AJR;b~I=wSLq&@3v&lS>m%z-Ng!Gqvcfun-xtC3@ZA{x7I%ZC-k~yfkh| z;jmz}&m)no-kR`>)(%E;jV6!Tih{Yd1(MDC8=NE8YZG)fhK3AWtGZo890*e@(!m07 zmD;AUW#vF)yjQsMf(5lrQM6U0s1kS4WMY<2TUm-UB_f}R0uTcQ#-ud_)T zO>oqcTWlnIXgMQcuaZY3ujj~8mBI8vhV@bz{40_*$_&ODbLELGg-fXh{Qyhnr}l{Y z0}$oGfX(~D2Od8VvG4ez zJmb`p2Gv^F3F{;;%GP7@8zGWRqr-c;)voWZP}r!6CSt0F1rgFH^p$J?QzSbH(6UZPVnB8b>Rm;t5pkSM=1V2 ztN3;5fsV>J;V$Z8JHjq2xTl0;y($Mrfbhkf!Z>(jHV1QB20t6yTFu+QE>jQg zB+`+!dkJP@YNqlU<=rwN{ARs=U+wq7=41i@sH!b8mcPlqN0JbrfYw`8_&mIq*tc6o zrCj|DNOUWQS!?ZX0RZ8j5Bk+KL9{uKW(j9E$YEYTXvwt6CkWTw(bTw+ zyy?}7-U^YcCl^tqa%2yVs|oiGqwiz7e58K*gbGvFY_i-`$wZN4O;~!;qgnwaOGRGa z@AW6QqAsktcw@Md#*(gs;X?+^MsD8(yB2mjx%QL)+5#asJ16Cgo~vlKcJ4td-~AB1 zA5aX)s#4a+RjZ|eC2H?eE`soV7ZrZq4Np@BluFGW-Y5&Uu~>^?BbedQpV4j(3)v$ zUE4&77;&Zud8`(F>uD>iXaq3z>VZORDH6QvJu*cHHq%=Q}MO(-%$F8bvYdNgz_ z?GiI&=^+=5i&y}f#-jJw6VaHCU6~Q|%cMVOn!va(?rma{1U> 
zx#G%izkYPl@CY?0BZxRDbG*eX+ZJHbO9q?e6YJ0jJ!(@!X%jqc6q6~ zjZrVZ`+QN5*Vj+w0(Ci4S?fFfGj+gP8TiX2c@-=$8!r!+V%<6yeYhZfYAAfgk68(c)J3sYutX4rg`qUpl)vc zH)h%lxnVJ6l->96UtE^6c4}(WcWhG^t))MMz*@*7U{YMzqAY=y|q18NpveMrT~F`#tC4fdx~+ z`NO`;5&b`GpJE0q)MC)o-k)+6wIh?H4ZrhTQi)4V5MlT9T- zqxhV`S&Pnt)k?Ov@;HaI{TuXN z89F2()Vi%Efm!d-nDx2}k7vWyq&WC9IgM7itHh7aED?l_-;rpaw(voWl_jeRHC{Yu z+mQ(e(+qIDKh7@$ffNQAwr`jIM-PGFd(}6Uh}h+@4;Z654=Jtm9sdPa3I?pdstgFX z(yl`ux#e4Pbq>pQk$Q)C^HW43u zHgsl$OWTCea8qp+Kk_RW`t_Ct=FJ>N_m4;|XM!>nS$W7mw%H?l+fwKo^^5ZOb3!I@V2LqMLu+PvBxw zjpjM;VfzbgEqO?oVwo4ghwZEqIktj4wXGeNa$bgL%<}mi#&#>wt17L0U1x+}n%wV6 zA*h~0qse0%@U7AP9CO9lRtb#R(*qggk!oZ6_dj>vxE-ch6f7}mzu8}ad)DZ2vJ|Cg zCsn@PJB?CT>BM&c-~YKcd$sz@rlsVhOef_Yl&1^G?gBFnwE}SKiyKuKIK%qshFVR? zTCZnX!QXnN0WRFO&U=4m$T=91csag(lX72n9ZI_bCPF_vQkxL;zM@zA3iATg5T-oE zz`R4AsvhXK5y-ENj+^Gp&}k_!@2i{t5lqSg2-2T03~6wqE|aqs+^dTNI*txr$fakl zmoOS9{jK!A1y)5-d{%v4LZ+5uDZW!18t=F~V>h+#j`}lbWQk}enxneu%N+PBk}X25 z=~I@lFVH+RBDa0-)(~VqeSH| zER!4u#RTX(K6WI6eS##U_NCD#pA@^kPko zz;+5TiM-R68-Bs1wJ#6X{ z$K$t*qpsEkZN7KU$5Y!12#-NN`hD?u5sS&T9}K%nDU=6fQJfG}?JPApBV|oC`M-3v zAi^A_ujq23StOP%(O7l4Q%aJOc?lC3s$tC+Uy4@68H<~q{>xKmQtIusU?|9Kw6D9B&hcCk_};b&$8fgg0LSVF)dnM}Xu=03>Qk9Kof z%^Zyj-%Y2m=n^!$yrq)cx%g6<2V5~ml68j0;i@v_AfJXNogR1f%d{48)P zW13Y&Fs$5vpS7uIr7NDX6;okx^+x_CCEKUkh6=jVg#O?i2 zHbl2A@Bc{iL-oS>%r_E24ZqhgDlKV9DZ-h$T+T5Wd6P|mTm=&*IE)3Q=*l-H3{gow zIuy*nUz{~_+|UvyYOtMo#*HmnhOb)*(Br*^DK438l3Dx0THXoatjXJ8KQ#?ToZ?hhp=fpfb(;IzJ z_uD0pb-6FytRwUQt(CNPh$XWnpt%fsY=EQF7u$O;3EZfy# zi;Oj+%OR1-83*-D2)#1?7a*of(Z`o)DcjkKO`Bwx1I7)R1r zTcsJJEw`Rlui6cpuUs3pAm~}mB3{2Grg0umf~!n65$qRwNmP7O=DI0^%uq&n=RQsK zj%?kusynj*->ME{WhCh);(qD#i$ZSWvw0LgFZ0uT7x+Zn4D^nxB0=j4u2iv*nRCfS|VCLt+C z+ZzU&Z-|m!@!Hbs?;rIh;s+Wen3;~d)f!_*Ii(*qg394`_7c)^5Sm|ao~9kTm7<;& zp}y18wVcU2`Cczm@fnO72!y&|WD05qLK{xb3bo!Prg-qVLy9~|D{Q4CNADicD=Bn# zv@~V?)kBYE#Lqin7p_#W6a#;IES~q!@Z6J$b4hL{aWZYxp1i$pgYn_DmsGIp@_mXx z4`wx^*N^cpeHDbm6sd3 z48#zJIXu~xs)}s(Xd`%9NE&seus?j#RRee#UBT&C^Z2xSBD2wE7t`Nms;sY2*Is{Y 
z^}L+p&)$xtzDZZl!nq319Cx3=^@#v-1^wpB;x1WilZ|pdcYxhFSX;V88S*O2PDK98 zx)+)-%=rG=4UofDTm&`~3vasSPEt!!qzyxX6MZe2$`mA$yj>&Xsy6jGz_)OjVAJFP zczr5u^Qa|6PXBR7_C}kUeUXYE)}rE3oTn-}6)H*H_w+WEhtz*kGH)(6org=y&=Gg& zF9G%kcNr8bg!ft`bJd!Ik{gHugeqzoS2yU`;=fzzq3&5YrNqlRUnYqqDMs%RGRd11 zpP6pk!Hx8`x`I;hO9DT)+IsH$p{f8(WH)7QcA`(q492O0uX2mQV1wAIO!-TW5JNY> zE^bAN-nvh~e!v?vI?SVoa>h;FTCjM)0+CJ`oVp3a|vQO;b6x5Z#m(S7*8TK40$_ z^vZ^weFTcYMOdrs{%8@GIUMxumS<0R+M@G%)rJjuJy~mDUP;L^MsrAxWd^lNrJt6Q zn><#o8?LqwzVzu!<_Xm7&%jnp?Frt0!t9Vr!`%ENK}A=u%O99~qCf1rAU#k$|Bq5< z4F>S9c+MQaIvq72h&GdXl6;n(<}XK@hRxk~Sh}PQaz1;b-J?x;UU2G9{X2xM0f=Mr zov0>SiUz;gheSqX`_ZU9dr8yMQBmvM1Lu&8R(F1S+&XFf9gayND$Vy9M_eTP)o7oU zR(rm$!AEfpq-NT&c1&ec%W!n1ZFFT-^!16bkX%cQlLS!SGc`$C8_s% zVC%qGhP=NJ78K8I~rPv18H^+oC*%tMV3W;ov$vDFxaQHS6X> z3<48*IY3;MvRj~u0rQIAn3oOK3^dR#PMR8MhSTeq0qvLBO1rw@p< zM?%-3`7+BU!dx)_6KI_d{WDRF}DPD6>JM4JfU}s&9*TYW_KdoM{}~R1LS)Y!?bfw6Gs-)qA8Vn4(e1qPeT!-AI(EXMi#~t`h&a3 z&MYWQoZ1n-TDrQ-1O%5@Z3S2axEnP!3r1*kH+!!W2a&WuLRkFF#2%TBd>8g6ulq} zDuhj{`$70AJ-yQ($@`cc%88)-kz8o-!02~{8a03NuCKFl4XV8%b=Mr2>I@42THgYG zCnmK$B;y2d&oJUlT)Zl|T@TpRYC4!Eu&)Cz4b-FT@-b^&!|>c(i#0rMBWGB6^6MXf zd}R0%bXgaIiD7H-zr@+i;&A2PWFn;datNP)gLB&&DpKeh@rBJoH|V_=yH6lZEd`|eO3wCR&-TP-4?PNx%329r($SCRjzB*N~s?(o6)9z zEiaIck$KPR6Yx1Y#w!PreOJR>_Zf_k2iin^FA6hfQcr&+zvYS&%HK_;@}jHzuE5Yx zny|+5LQZ|JL{ye4((0=NoRT)zBnpnq@L+!%mod(h{rrVXA-y}6{kw<1 z*xC_Kdthb&FD;}q>ZEE}7mtSjMniNZM zo}~F6HRDW^fO@Jxy`R;WXX%Po3BU0oeO9;;{ykFzK+4G1GK`=rac(NpGC3I~r7<>2m1S9z4N zJF`Y(d%JZ0{@V*f>Y(FTlRU9p)*A*c+OKC*I8Zn~a~s1Mih6aT5y^t#QY)+_a{nW; zQ?2hi&L}k>vu#;$zhwJ_LY8nSnscTZ=xwN12TE*dc)PCL?S$sM9L1n#U?>WmtAy9r zjh+&s^C19DwgQMgliv?bq}_+~?QJScbHjj(*Z8*Jds=02W$d-~uZVtKi6Oz$G|O-{ ztpUL6*VI?*nT@viicb}%6{V=_%3pXYV!s>36N^fU!QjU-lFsw2ON&5!Ed1G$FNl$A zJ>%DxeXT>eD;tg2kw}UtO5yNA9y&gqqT}FhMOufWj1Cs_8yP~ z^O4$&2FY>tnJx%`@r+z6=@uoCaj3mYQrge)YyH}D=8U)T-3xdt|2gFMO1!r)Osys-nRtR2AARsu`vjrtuR0 zdyv0>QDD2AZ_L+of4#yMCrrNGwQ`clW2Lc40XLSHm)FP%Q@WO6OH&cigxC3dAwD>W zzPqGf=jZdPg6mjIjS~sWOZBTw6SRoq#%s&JLaablPkY$ZY^eTp*-Jf_V 
zNEMA678|QVHyjPTJOVq(jXPK2ki!KB)kg5v>IYO$e*#Vgbc}c_Hz;~^4W9xj&NDxY z{T0O;Ua?)7vvI!}rZ4nan`-s`UOw?#E-=t%0QZ?Yw}EgxIho>u2SanvY)avzcoyTR z)fZF1u|{e_sql90R!+T0hQAGLDhh6}6QMUj_fq4UfYaS4p-VjY$~UVSl8OuIhbdV) zU24h*YIb39a9g)?#d4vyQfyFs8o}s(&!ANb2SF!Hfoc*aT!!!!>^a)(ABPv}-A_za0;5>$om!|`Qamwr=y)S3gW$4oOf`to95{BpmF_PQk$>t0!H zvi7&`E!3+bBI@(=1jqq6t+W~vPIfeQqM;->`+}BgPl2FGR8ly<+Gn;*V8Zox5gPYl zv2o3#9BVAnjvOw(FbjyH-lt%rsdpD~giL?{#4x&V%kz6T>TFkLB+pV!ZSdef<+4|4 zM~McwidI@IBZ}=Lkpnza3~n?4UgPS9#E>VF9ZczUp304hu+gb)^Mk&(=dON}y+5P7 z{T0CxVW~2uO3ePxHg1?|()fg*1y`qrf4nUyC&Ztc^R`#Yb5WTwb7e9j|SpA?uG zJ)!2EVmn#0jUF3I+K#Ql#;R3#PvXAD7E|uNleCeW#iB2zz=-Bhx*D zJd@R&0XdT^-s?)P{rVxBFnzqwcBSb=;1fn^tyO&e++L!$S4wvq39VfL#WxajU_RUG zszq|mZ1ZFuniZweQfuV&(zZ3(7Ds#HjdjYxRpJ;zpe#!q4%}wh5NvVw?=|kKzWELe zNG0(>na?MAveGeF65czac?Yp53+~E=6OvsjKFCPML4!e?p~cL}khi$2$0EIRd#<_m z_-e_mLjxQ{S%2p_DE{aabu{d&C@;9Y-?&FxA_C*7MX_No^i!UdmqI($6v4*e3g%rz z4pX=db4r>6fQE4^Hm#E#!T`_Q{5-r2PNCaMe8v2*Fkdk!K3dcyZcQQaey9?DN)b++ z(e*>g!Hfljlu5mLP(Mhq=Hq6tacABqxz*Dh`{jcxMh1Jp_?=cm_Kh!#o8vEcnpUAD zNKX;Lga4bD09stwPwE5Y7yyQ9u3Wjr`+U$by2S~r{zEq{k@xy~_Sg>TpOjhMlUUr! 
zLFivpAWa8^ZW}-a`JCcU7{;01E=}x@x}+e33jeScasBB0q*bX`le4cR{z^M`B;Y?b z>&J<9#_JvSu9?^Z{FihinOQdgU7$~G8?oUUjxdc{B8zi5bjQdb?`=dtOfX(=VqjQv zqc?f8c%>%JgE4H=SbfbCR}i}#m7Ljw?3dC~tEOnM@^Gi;PEvJeE8%B@|po z*Vm*)20-%QmWXz06o^OonK-r(FG345nqZshu5^nI3xro3wD#%6>1~!1r;s&rWc&+z zQ4Gy_&o`wY&Tw%gZNCT+OltQ&7YXgSJU6YKH@t7M^Hcb#wwB6ie-S*Te(uU)m6@oV zKLLyZn9y^NEzA??X{AjTr=WxvpFw)mcP#PZ&%s7B!+CY;JJfj3tGMH%W$PojEXF9b z_5zMbAo4b~RQ2{|}=|1U?ZbZGk zptBri_?Brw73?HP9~Gg4L@BMxYV|aeB~;Lo%UTnr(71Gy0FQiIjcJn>r2B4-g@3(t zfaLvq)hZ14DJW(ndG?cW1MLSnC8fC6-pB6@R5~o_;eY*u#dcYTQ2J29u@=Q^dabLV|&O6mNi7OvF zdsi);OJ$*sL5vifmj+Cr`7VM6?*gc21h9q@9odk{#aabXLKYCfSCn|we`>jw)#Ch& z_2lcv=Ms9mcc|6nWI*&$%b1himy=wY+M-xq!wER)vaOR(XfYX6A#X9giB$KLI@JNl zOUo#e@07aqxS_ZJ&^HdLv0o}jjT*vx4FlKZskSpsl};&&ji#MMISm&I2b9owym@yS zI~)ibQRknQxCMzH*y^;(Iy`P_B?lu?F&!GNwep>Bu?*Ye?=G!28T%;;%#_2kR1@kq zhT$TNEDMug-YFwb&w+{7k|;Sm6BNq5E)5HiRjjg3MTl@`Y_xYYuFsXYQZV(-UJjOp z)(LdL)DTbHxt;azHT=CGT&Q7ln6DpJ6o*OlgE{r8I!N2$y(qmzTe62#t`&9wVgE=% z7S)5Q2|Y#PMMyY9*>A5Ucb*^PyEy#=0FLXqkIr3|{2v9kw>4CZP;rIj_-dn#hgyb_ zZxR>$+iS6S-=3Q>Xf6{)w3c*eOTli zltP6sAug;P)O-V;ub-1h7$^!5xU-O=mN5jxgA3lc+%pp&b$Z2=&-6WPZ$<4QJqP}) zX5=$Hj4iq>>5&?cnyaDOfq%i}3DlFynbEJ*t{$;AH3saY|NAQJ>uvvnu1!*AUgRi9e^$iv!jJlVv!$mxbFRwG%i*$SHravvM{#Nm4L|r|_zSrLH}JcjLIw zQb&XC4QQh->U7h2P{E0fjFswQQ4G?V$95pj)ESNsSo~*T4_6?AVofN{s^F^_uH1R90%r5)?qGWeB}0g5V=V5AhL=|q zg`xi|f3i(ZVaCW!O|5ldIKg(ZI@%Q|B%hD@=K??*R|ADF$b&JxbUB5y%WUs?p(R4DZH}Dt*A94nrmHFJ>f;vv&rV%q_`jvWmB9L)?T@-Cs$ym>D3SNf z`eUBr3t*UcpU&aW9WViQZ=g@%8{28OVrj8k$wf5q-_t`2r6&Piv82cHCyGRJz{=vk z2ki-$;K}ZM1Nr3_8^bwin@s|Q-D!SH#Q4@$!X7D^voiOh=iB`)u;kAf$|B!2X9y87 z{siWn^vgCHR1W@;E_7xknWuxIn*2A@s|%&H(Pszja$;iC_ZK+PNh_aJKGOcC^qg85 z_^yJV1oWY#2r5t-@oY}IE?Y73cSYdTsQXyho57**j`|BhG09PDc9q#7llxy5H`*9h zaId5Zu2;TbaS-==)_#skp)HXPwLj=^&}o+Xxv%m0{F+Se4JINVx}L49%#I?t^YfqI z;0S7AJXf=pHTK(3FE_2mO)$DRs%Mg%bHTlp$x+EaW z4w(Oy*ypL@{u;);f6NrvJmoQJRC9Q<-KK8ch)K#z*E`#HA{lhs`bk$3I1>1md+2nRh@zhqIyQ+|Kw)bqv`8hfKpp}-F z`?N*2Kq?np6THxnS{&%%PohQkXwY&aI<%WV*%Q!p_^)E 
z?1p|b5KlDtGwKe%TD9_y0x`OWt-}aBQ`X-bqO};>}+M1q8kEmg%cFA_F zQ<843uLV^?{)z;@->n+_mz#*Oi9n9af|l{4t9~r$ikD+t8K0L z_8krQ*exqHn63igF&W*ej*uI>-A0d$xVZtfp?ZdN#Vf2Q!H4c%Ziw%>wE%^&Uubhv zO!Y$PN~a?-;T_Q|Y%-Hgznh8l!QnEL%A!ZNmz0dp&{=DT@`^$+rusN=*M2>;yXQ}w zeL?k>bS>RturISEkH85gcr?nB?d7f+RQ%9x<0=4tZe&?@{urJ$X=kNcfg?+lx8EY7 ziJ;i20%t`rD4irX7mZ6LYAX zxCA#{2ybvIL@wcNQ0voTMvzEP75-lxL>8m<>|0 z(sX?Ee7yC`z#90<7MA2toxkZfw4}$yu8z17RN3p)d_{n0@->AXWxmP#t+>^l#&l%F z%nj~T$0>8dX4)%Vf@OnU+sKcy07xZCAj`xuPe*74+o-UIae*0Mben!ujI&BCpO*&b zY?KfYD?j4gih5yY)A9KLIwOoUn4R%|j!-OZ_~GDu;qWhZV9o(0KAKG!!cs;0|3mGt zMD_a&8U7x2@4Ri9KlOhgOM#sYlg?KehTG55)gX|%d6m=c&&bhy)bJY$l7|g%C z0#&5Q9M;S^0nbG!lbHF>h0fYWOxO{xJ0C^Rye9O~)}!ks$MLXC4y^xn7839`H6UNw^T=66f&naTrlt(+Yt{Zir``fX=Y!VpA*({xk0-5tsV$mtraTk`FQ5EAfF* zU0#K@VS_{)rJg5p`%3FN;C1=pUlwmY0N`=#ObK=UR_ry(AF!p`B}<$czBVUfUGpxu z4g&Sq=NfQ^ikxz*dQ^VhOapZAP9N-!Pd^d0nddEq`DAw4EwH?4LO0!3dW` z1T8Q!z}s!7r959k$Ybj7UWvEuu6tR9cj1C~OPPkD8*}GB;0Q$W$c1?4RxQt4#}j`q zRKE7wcFG#gv~XX#ak!sa4;Nci-k^QL2OAa z*-UqS>}| zMftDu6G@p@sZ5e~Y0$|O2khYg!}k9JTCfW;?K3swOLMI0qnyT##*1>F2m;$1eY8t8 z-S!5K=;p7damk#q2X6B1bF(yea0BmCv5$y)OWT?PoIkbw^5@gU4BLYDISL0fJInA- zX6ns9*jx6w5T>WklNU)A3|ccOB|@Po_Fp_Bx;neB74U?81;Ni5I?uuaqniNc3}3dl9N|zLT|_gu_?^51ANG$^ zBV~V-2+J~B^BH}VSJ<)13Y>5kp4ZT~IX0~^n(=qc#c88fG2@>}Lu`Ju8iN6(l)^@0 zRo;&5HwUFN5sJ+a%nwKtz!lrqy z3EbB&pHVf(g_Xe$4cWQ?y%jja7i0|d8xnoy+>}V|O{pHbowb7AgBW6s+eJ-U(=t$Z zBK!pfV5(iyQCk=mJ$A0VfK;$W{Es$`vcVF2DK(cZ8=}B-0og#t43dZt7Sm~l`ICeI zRlbWi2v$mYPP}W+&yAc{(dq&p6L&@#jz6!d^F{vHd{ny&xuOzW93Yq#AW(#HWu9Dk zPC-=xdS?N!O!U`G#nkEh%|xYE!Q#P;vGJYze{|Mm3HfEZ8Olm9&CHJh^q z!AgdFe|;x3>18x=e&%u@Am2oSnv!M_k`16BWG5LQpVMb^r>Od}#i80)mZl{H-USmX5wB&<)&z!saiV(t8P+W4+{ zDSDkDzQ>7#^L_ zMf4F)TkSl%e2nfc|JGV)(vS3zK+?YorYpF5E_5~*vKk_&3!u*wvgl4N z|MPN;8pO>_FYa;<&c|0IOnh(DNIcS>*ky$&;83&U>vVj7a=R}x1?yjN04FtRNc<5e zRZ?@V6dog>;wfIJkMuhBV1M^b5Q1U*vPuNc*&A+5$jsY0H^ok3ijOIf#a9&nW9Oza z9JNr1F0-K1a#<@GrG(*@$SnBqH6}g!%nZ@*TmJOUYzX{1b5l?ZG}ZbMnpnTT=xNTK 
zpTl-PGPnKM^mUl{$$>)f{Rwl`%OmT%$rX;Sz8n2D%6WBR#)eU0U>as0Q}NBqwCkNN zh#-Rj5#DD6&igl+$^eR*(;u8R_08reb}tVz)$-R&g2SXvi&vzD%@n;juJJ~0r#wx;UcN2*Ks z;PN-Dp*$hq8<~%(Y5vp@lup+EpBJFVgIjy23-6fhRIyo2bezQvU#}k2SnmXIo;=ZPg^Ths4s^3_~?V# z&b4N_2%l?OTK|;C(d3D_a)V*r(3}S*|BGXPU6#R)AXXMUXNrrSB~J+g>lYB79J;F` z$ha`U^-RQQdp8(L3~vAsEKN@SvRO`z4qJJ9#_`D5{6lu0VBgj7{e`ye&O=j`K2TJR zp5hRdgDcFpEvqPAGlKi0W6k{9rxsf-&P+E` zk)I|s43kePD$9O9-(~N&s?~;>(S*j4lLnI*_PF9DV3w`WZ@(WmSb$eG>es)zFVn@6V3k@wd-KoSV9QLai{+15O{ zmdMHpeVw8yB}m9eTe?vv-Se3}m%u7fZz#dNb?^%d1y(M7*Rc!9f|U@SjT<|LRQ5|` zYKifF{4;Ne7V7h`THNSO9~Tk(uU0m8bae3RObP#E;UDd87zA52E7^XxeG&P{ z`aOQqHB(>);3y`hV|qr0F8~`=Kw@MB1fLk=TQbzL|9#%6wt+E8YezB-5ntglZL}^~ zmv-zs;?-i!CcjZMZ_eS&Wn=kdl`(%}NMu!a)#hOTwqGkE{75TW_z8-uHL#c}H)6C_ z|A6Bu5HuuKd;^W|bP=hs_G=LhHH;AK)~$Q$C8)kE9iDi7TKF4+syY1&zIQQ2qJ#Zb zYyYbiG1k}FNXeki(ps$C)mVno`w}#jK%({a zPYFXwX+8XYewXx<1id-Zx>AoJH%Ge$Fhv-}+a2_%WFfLv2|QiD~^OX=#bA%uCZR*Sl(MnpYIqh~LJfo{>93E^Ey zJ4oV&Rn68UV1@qp(>t@=^>_MEVKLL4fUfRBH-WHNt5?NRTJx_b7i~>?`sxuO_Nvi! z8oOz47nJP^VGCd^&z)@Y9Am^wp>!y*ZE1N>1GNvBXtpUsviecnRRxx#j?NqNpUOv~ zh16Rh-9aE-${a`u)pfxpy<~ju=VXo{UQxs_M%y|CThN-*Rfjt6OgDg{*o>bDd}wow zQ!5p77g^mPn$W9}x;nrd!I~i$7pC*l)WjE1aP5z9PZBENZfBDsA0e}#Hg=A5XVMc> z25ku%Ehxqbyi4<;e1c@(8mM0oF9fKRY2Y1y-Z-b;H+52fPG z0x%M|@cK>NzOJgUQjHqcu8~Be+gIYMx~nJrMf`kp)OVXIzmW7&ZTy#!3X>44>IQX? 
zFZPh_TXudgY<=@@n_mbH)bDo?v5%F*$v>W4=9QRf`3^7v9n)1hXy24PWZZKBECI{2 zUY%vmaOy0NU+i%QTQw<9F}#dOBu>t`o@NTeu*p2z=SE z^N6gkew||FR4Hxo)hB*svBuz0ZMW>r@|7m0@QPCyj?44wtj>Tu`X{EzHt&{A?fr?% zJx`ObmhFuR8l})MK=Ba_F^y3EQvQ*-ax87_tjkHa z0OS=M4Hom4-< zM&lLUt4xvx?hRjwf1XEL2{@-pKoL?=3T+0@)&ka#1t1TF^M)L~VSAn7j^8c?(wGIZ%H&MWFo2ayycc z@^nP5hjDL-Bafgr#7o5Mme%>l56<5Gz6|B{v&u>?`U8&|p;Rs!=cC=qM(80T0HoQd zAkLm@yp)JR`E-r}IEq+(-gV+hT6Hh}7*SM3&$X_zzQ6Apc)e|BMFc0fK5$yO!RkF@ zrt8858g`}%{xRWgFQJm#CJMhU!cB`Te0ta+iq&y_OTF<<7@I#G{1tGY&we3Oi(8tg z?S>5KZD)4uE_qjY@|Yt$=P>=I_*eN!0o}}#!U*!gC7{X-8`S*WbcLTrFS#F+Mvxj- z8*`Qmm{soW@O!T!mu z(z@7e`$;6M+KzZ?hc|0oaP!kD-r=0hp~AnX)+Zc(1|mEUs*S}YhN*au|Fy-qy~AnM z3_)+KeDpY)PBOQIH~9)Zl|ynHSQ+OIW#$sxa>;CTTuMSy`T|82D~?%y>nSRRv}t?UVC{-c65zA<(j>kOeT^})#gZm`(g^x&AEnScq(y=P)%Ney}L>X<4 z6TZMi>howDne+C-40iInYn`3#EUp`i7CDvgQW8!^-&_WygA5XX6f};rFJytPN$!b| z3?EKrPY`~n?-*heiL;Y}eu{66Flx60_!}Hkm;R6!VpVkW=StNvMCUr)nVb}e83Uet zAU8;YRc*wULoRw-Lz1Po2+tv53$k3oBAVA79+kIAW+`ge#WezCYc_FtZBZq86>W?zX$;oZdwf!@}&ec{e7U;Dz+ z*}K4nq9{!%2OR=+waGn7x_)D%sv_E`!$$R?1s@aQ|Fmms*t~H;X@$|(Whi2cdINtU zd1~G}-UPj(`ca^+dxoVQnoidz_p_EV z%!$QV5XI}6xil4>+E6m&4FG3C?7oTIY2EN&li;q%uOGsn+4KIKiq>i`o?u51qTYKX zURk)+_Z5utbZquMT+f#%qsc<8FQ|6Kbj-`;KuVLP<%ux0A~y@Fjn zp1_TF#Dl?ML7hhx&byIPw&NTgwM8Um0Ohny$MfP@qrvfE_Rh94$$H*9vtvLU9fRqf zWI^u&9!6NNWKf4phrcNq;s_VNrDpk*LecmLSL?u)t7-{d`n33t1OkaxyB^;NEqg?J zVI@yhQ@zH(-HTUSuUC??Z$2yNZSPSIXug9em$IRL!?DR)`SG&}X@4`!Z<);z`IfXf zfqQSoz^#5H>%r>=2Q23TGF=Q zW~Ti!Wkx>Q9|9Ew8tprVrTG>T@oClV?er2ku-05lMes~Tg>phzSCl_=nv)Ok{6ML> zw_6$YQXevE&SJ4faRtU0Q~ON4Hteuvb2cpJjJf!=AIFsZFnfZZq|$oL1k#!^}%F1vw@N=qN^cN@Hh7z&f zOex&yz&xH+QRwm%8!VH+NI;gN^inwE1cUn-G{wpN?PF~duo!Eq#7p|m3>GX+m91=l z^+@p|KXny3RS3JlhN1C)#@0;aP#C=iyk13at%EsxoUl9w$L6D9hKxgk@G zW#TnzseIM6JeqV~44?1jaD+;O-2zU@;n}pmcNAu<<%tg>Qm}`iNBA%u4YzOt@@OE| ztDh>+2HVDo)9pFK3O|*l2E!=!wYG!7fslOjuTb^Ol1>uL+n`utzE*jFL#XWqx!;qN z5D(CCqO7htx~}(;Fyx*oGdaO=Xd#v~y(B=QxBRbyvQ7Q?QuMo_9(@qKWS6^I;lvMr 
z+${1O+wNTVuN-)Yr>f8-1aP)WoFYwL2`#i;Cw!$K>Onv55X#<|?WkzR5DhzYv8ERH zD6Jg+6vx6qRq=J@7;?mrhmQWPI~T=M6%;{`ZYe!v>DQ zXi79Ubr7w$U|}i`7LEm4XqCI&11t~5!Pse?b;3to50rX25WBzNUgg`?Z0rEael zBbz@@Ki9!=q#yx#wz?#3=VX-?QM=20*vDw`UKjt6R&E4&@u;VFK@epF8(iq{`6~{$ zGJ!Oyb#N*4jX3?#lE_&ahx3WfMLZ*u^&HPgj1A)%9#)5zt1SopV^sNRMRpj=m8C3v z(BFYQcNlZq@~*qug&;W}wx!7ibnh2!`cDDS!~EytS<(G!I!HR!n$br}W%BW#`8AUw z6lUJQOlfC+98)Z{u)>w^dC0Khhv^GHe2?sDcfyeO)CjO>8<<-_9oXlYR1DJRjD|B6 zo4`Tng?e)x*SxxEwo)7kWCcABCTEhwEV&bFZ1`>f>q(>Y;T=sPL?(7JR>0NFp}YXS zw#t#NF=M6+ZWIvAG3r3^BSOz|AI)kLJ)DCbfN??2XP%TtugNEzv25ptPf8)Im}jl5 zq0DgZDb9Yx&-9Z5h=@D*=lcaQ*PwNxfGf;quoUV1D(@3!?C1z5+KjFK8?EXVc+#Au znO;ISKdgG5v}e*3Pe~s~y5YZFb8Q5~IDEmV^y|hD=o+97Cy;)@CD1sZij25%{5BOf z%J$6!Vb_=f=ON_I7b2%<-lCv;{TNQTJz&tAH&ONrYx1dST!Bk{@8=d_VC)Ij)BBf- z*$PxfpERBI3Gez*xA|N z05$X<{`s(T8p^BmU_xj6aV;}V5KKa-2eQE=s92ef$f=d$KORd#=V(3{NT`ax^3N@o zd>uvz4U9T@J?I^SAdi!fGY;jE$a4F#`*Ln zl822-kV#`;5A>(Ko0BJy_Z+$ngbx~IxjkRAO8lK?00=V0S*8}zq}gb?d3ZE_ON~l!NeP-3<8;#n@=z_>d*V*8;qT8t^gH96^z_R< zx*_hAk>o`(cMnEv+5Xbq16!ZW4vOft2IawKHW=y};HrWfuq}sZ#LkiUX{NQ30`AbxE2-ty>S6=nbH3EK*4{I(^xmvg zC7Tl!KFLpoGv;8=MkfHzJ*m43CWaqjr1Th=xPJxdUIiv~Iq6b=Q4D<~8Hu!S$R7eE zGmcF?H*L6lVW<_>%!O}5>bO{~LrtKdq<2-4rX9kG(n)WV1PH}>d=rdws7K|MYMij? zEBm>*17maF@TEHXmB$ZBtTR%q+L}GblkK(YI^%zl4HkLAtj&ad4vBZTrut4-K)%Zl z$C(dEF$?Z?cl*SmYVa;4W=`1Qxw`$!7wng{oCQzaLS)YxlzZ~Pdg7I3-?KO11w>We z{&^$0po2Uc$eQ%wq#yS4nA(`?P2$^|PbEJGmkMuwoW0)97K|lQ7JB6K{y%@U%$FZO zZX{A#j{b;Fjg1$I_i$*rKgckec>agnf+=BzQ%LrOR+`|LK3(y*_EP*mc31ZApT7#U z#nU6G=E~ci<})Vts^*496}cAVIls&RSg2nj7C?(THRCVwy$L(p zk1nCm7qoW5GyI$i_Tnj z&87^@3nd_#-C7Jqt7=i4K#XLfj^kOiWuA=(^-`uXXw z1SF>&>RnXW`q9)BreXS^muAE~ou?uai*3fxh1> zAn&ghMR8l7LP2AZB;leAKbAPT;;e$CeJ@SbhkkND;OR(`m9EjaH>^|**e;mR zCK0h)V{cadW&tLlz3xF}L2e>koL$JeCd4jt&^haH5GiRn%oltJ%4wWe2uXsQ*8*{A3D$oTIW9<&qxE6; zN9;2e7TmE&L2OR(#6FQ&l`vQJviZ`@&eH!Z)vG9NIdbvcxPh+oo`0XLEYW0(oqsU!E$ZEwhS@ih! 
zU^~^~Mh8}v5AYL7+ldqFCv?RjmoOd@lk(m6>R1=N1hgGEu$7e_Sgm}y1dQqQJnOuI$P}2jTE+S0 z?Ip_tyte1CBa`_^`=HoE?Ol-s`)ZtCx}h4|qEwroefoU&8a2i>&Bi^n&~Uu?$lkAV zkAb4{@-c)&P`ry`IpqxtI@6su1!habe0@;99%F597tTloRmQsHYxyJ!`xoUWTKr%@ zc#;ZkbIYhTLIG+omX5S|{X`cj*@F?B8fyJF6jfLL=1VItw0aPsdFpyuv8?k(kphbf z1Q)M*$G4Sz?fuq~8FV6orxtZW0m}tpkRlDH&+RYl^Tpd~&rRub^hA;1TJ7%vA`>X} zO-+iIS|c4zDlr02qi}p+EOFoW<-4(}ScJ|f6UWpIy)-8sZ{@-v9Y4Yn3@pk==9c7= zf-l(TvcUM`qdw}b6G5!u*E!LXqx}M3$&8PflRNSmzz!MUk+#h_m zX!IfnWz)K*?>Y1aR$p|vo-@&C8sPa$Bs}7xR}%3T@@NVEl5^Q5Vb;$2 zKuxJ$xoYFrwLHbQjfoOu zq8(tOmin?6ozzBS;Hf${BIBa_%acbr8#gG|$UYZF0zcx!hnk6qTiLY86bAQ@!9;QR zAUV~KH9Z7XF)WEAi75__Lz|iwh6p|iAw4>TmZ^RPWIr4nSo&vXql_C%WcD4&A8^j_ zVwM#tVI=58`z=ok!o^oO9R;(e7~0=D`#Gb}ywN`%qnjpDKR{n1c>YrLn;|$xo5gbhnl+P}C zTT*svh(PvPCGH0tQ-*I!S$fz~WbHidc zU9ior-9NwCGa)vtA;@N$<@|mFc4>UL+V8nF&5{ck`46TM!K44fX|RRn+cY2bVM6{0 z#}`-ytw(`S8Pe{M&64Uz3hySRu?$+v$0$-{ki7AnL!QiJ7+)g4jf~Knc!w3ggTPtQ zBcWJi+Go6=0@D3zrET`6)5QJ6vwTWcpoZSGQ(8`>bMaSHPNyU(mk2R*iN;6Jfmz0W z=`ShZw_G=z{Ugzzp~AWLjRgQItpLBh_S-FM$>|lQvc@vsGqePlfJgUk#R8vSbq;Q7 zAr>0=eE?R5!*Jgj<-)wB+&WW0d?6$?37SKhjr);+7=54-O}x?Ho7T9zHx3e3=>eu8 z14R$JwuZ_!MX4gZp~#;OXzN`#Xt5SVTqayKO8FmG3~3F-Im4cQT&zVZBdna*tK~F)2nfu;z5m+S@2+}pki+;xK z7ONo6UE7gg5RuB2flIuB&63o=Z&ZT6HqoEKjjuPatz?V=6of*Lxb96jXf?z-Z@O8o z%&pi_>PoAyYecnJ6oeDQ&Q@G?25|t$5VK?;IMbag*?u+|cY7OyXdM%4_Zj3{ylLcc zcNKr`e!_<|=Xm^$)O4FfI#P;%a$_Z4CLV4rizhA>M@3yN$NiG<6KOpL5{@vA zn)_bhgVxP&+c)V6@QkFrpA_tfzld=1N9>R#7RS&zNSoD#7bY`p7oWOo?)1{MN}Op> zn|RiD*x!w4G#2=rLx1{iC1n}YO&!2U*MQm%>{!!(HS+!&EzEMZaNuo*Xb}hNEnheu zzgYrnIscR1$D;q)vlG<#8G1Tl`lw0;Y1Ul>h^A@y&M_fc3L*}_Jb>6O!p*L6dPOKd zM3%^_Q?dDgizV0q3=}urTcIe~*?CVG(WY)8pXF0m!ytp9XjUC3WrE_v5q$w5$XVdB zzFaLawW>FKpRqmvGBPx=9WElAZH6T)^3gt{H5fyq8#=bRGL?5!cYt5S*LR1H%HH z?J{iLsrWtUhl)3g-c3Mdpz1?iTLiNBP&dkBDXM%ev)r`rjVI zI9d0v_R;@y4t2%QF$nFP&J**^f8jBefpVIh~UrJ|DNLY0_ zj{Lq%PRm1f;e1dwF_!ktDZj(11LbVlepD2dt*u zwAvI2*DO8~Z<8J1ScQ~6dp>*%2|j!}wkBa>^XHI-7R2niKF!>b@Tw7z*4S{$z5gH8 ztQy+_CUlc#32n6knr>Ge?mkqE`(E!Z=V9x 
znbS@ASl%LcC*r<7i99H3t`f_&$A;$<&=ri7%}7BA|Eht=h;MU=DYvZh=5e_{YB4?d z?OX@-6}D*QJ}J3!FaM{S%24^uoP;00JnJpz$bSZTVm|cR7~jr3sf<$}-GV&~x5^tm zX3bqCgTt7%5o_6X82C`am+$KN<8KfWK9=1~o1QDTakE$l`+|RqdRKuijc|n+=U6F= z7S%vYB{2rd8eWaUiF%mxxWsFXY03kSl3}t4OL_ioW+qVmduJmtK^}H}s^CAqQ`U>4 zH~dzlE)4(S4}bo=l12TvXhL}=2zG*OR@Ma41^q-d+%MW;TDJDseUEL_h67Xl2!ePF z$8w+FJ8hGRN`}BVRi2>g7;iIhO`EK!VWR5LVNW=g!7}Mp%95zR=AX}>;R*hK-5+k; z>v|%f2IeGgDRw`+& z`SeFHVfNKn0KmWQd$rf`a^f6i|4SVPSRUZ+i;%CyHsmIH`UsYf(U55TbZy5u@HSd1LTBzRs1hMLW?JU&iDKPfi9s#I-$a2y$i{k=k%P66GvW4@gn;LrFY|`ZmK>YldNN9OuAh>DU5j;?UYQ+M z4Bn!M5?5Nc3??)ij4id;FEX<mx|AMZ<2YM$R zA{&B2!A@d*uhnlI(3zQQ0kIU2;pFP7pWO4l=>I;{QU75NO1aDMrH(TVm^~DElet63oEy=zY4X;Dk4Z}T zix8M|r9M(%V-s8Ai}4ZFiwm1PG{Hc_50CuVMg61ui1^kY7x{bI2^0HeCl~oN6tWE^ z+$b4m)B*~7Uxn2i*;+hN_TKfrp2LPvWIuODfm@U*5SPXl0%D!bSL$H%(x~d~9o5~o z?*vTAf6BmAKEZyD$XVGWZ1m!YUHnlfw6-4|>|}fLwsIikhs+B-yPu3jjKCxTGFv5v z`ej0uFr;qrDFAu)asK83rld+&s0vO8E#-br>CGiQSEuvjqHM@W#80w%UQQKw#;eW>P?WEFS;GrPc9vz(-hPUm&7D=)Q9Tcg zs{cJu5}>?Z$0A!~f znwnc`0nD~%EOlqv8QJ-eML^WFFoz65>Ew|6=B5X}jzByq(TMLVX<6LJU`xf1%J9+} zJKi~un>CjH55h`oFIzu8uZ6L!T?fW?Bc|YuKQ*g3PQ_sPsZkCW?Ajdpt&h##+tNX% z!pCwr1^d%62|0Idk6B>CWw$`i5!OWR5f+MJ zyC80i-gx{^=$6S?IRzTj1-NF4t_rL}4ob>;5ssO6MR$9{Uv_>}d|>RnBk_0*^7Wl) z-f#6f$hz~B6VFZoDAt!3;^EdA=4jm0 zzw=gQ$Sx3)#+=smQ`hRGA>pEjuVlb6s@U1?(d)|q|l!UuFL5XwJWqxY}gk!K7( zLinM7{dx3K-;=3Uyv}uxHN?_nIN`^A921K(TQuaAF}3EvQ#W|Xg0lUxDe88tyH2b& z(0}-;w5dMoU7X5$U(Ku?AIkg>Fz6f0rRm`02cFlpcWj04C*{1olg_y=D@_U*NM^IB zF=kZ=@N6p_iGO#5TV<|U9#C_*bQhgwg||;J96FyTg#%G@ouXE`-&)VcZ02szDlB!6 z(3RJ2m%9|v4SV&oxBtaDo0{l47b2#7rc-#?| zLfK+HReN#t)219LobePtel)?_P5IqTpP%=nOSj5}-e0EdiMO1C;i)`=xKS4jdlmZb z1|yIBG>rS7NMMv1Zn!VBeazJ=0u~l@3KT!ezs>>CCrETnLI-6-=-wO6GgQ!yHU$%k zn}l5$4aN6DL}8&UnSr+oAUcLDwz$nclNtY4A##=CG>i0XDEV2WV6oNlzi;aF+|Mr1 zA;vLQ+3(R2;e)K>EOV97d3`=1Xk!c?!qPAVbNQ@rH(4qzz^uG!n~d~-bc(wa5_VlD z+Ojv570sy_qFsQzU->lg$&3^*OQ~$gT*HMxL5;1wKX#uB1cRzE=-@~_y?!cMdCQc? 
zu`uMUMSY=*l#3>(u94nG715;d&u-v47>Y)zrd2~+de7%N?+&r zFff_`3wAAKx}6u}V9u~Dmu>xO1Grok<;$M<`^mfGw7IP0f`Wp=UgG6?x?V&?B*p(4 zDxXz%^X1$4*_L3C3KR8x|GEDg*p&I<^Pg3#5?mUI!4h8(E z?-dn~w{tCRQUuC;{@&aYP93**MS7nEcz+tUpkSfP3jZ^rfQEpQFXAdmjk^@w$ZP}R z@1rm}#o<}L$Nd^8ITk>LmOzJPxID@$q4};sr_;93Le@uqz;E*s;I^ScKo9$aM^Q-! za!d|G4%2d?P*hITlBe#_fyEV}^)HYqBNu1Lv(ugUL_{XjX4$ca{3! z#Xu*$ozd5evUM zZqxI47^};dtTgL3T?^38UH-$)%kOw9z79+$Fu{a3^#Z)dLyLdjfb{4=sDl*;`k51JK# z_wRV~&du_2NJ_7MG_rH38DgNAotumNazr`Koy|mu4u#nZ_KiO_JJ{LS6wm8N`9qqj z5Kamzr?8uMO1`n{0b zc11-+NQV8_$Cza2;g9um9WVR|>Ig&Ng8b(_+OzjrZt@-RqV;(w#!(!66Ud z=hI-)rdz+j53iHRn0^lYoSk+d#j5g@rsgEmM6|{(U6vgYK9)3Tksi<=YD?_mAhm6( zEl6*L`$ACKE@f}Rh4(4$x1NafUZRRC0U>^_JMPWoq5?>@u-gf-b)r)qN}YK?G@WKk zSr`-$Top>h&l5Q`wqI_t`309U5_t?10SxcU-K92rX28!?e)`UD#kS*zjwJeN=0{T> z5KW=(GEL*2D}s;p{K*FNC{1hFPmVHZRgC&K+r~}7)^<0K6=T1)|1q7bzB!KWFT3i) z%c~p!|7XHpZqqPw_%~l^;5^&cmg~7GoDf>$Gi?`EM_b-!h`9R5;> zeZr3x?age=s#{ZKt)w>kvH6c1bPPQD1s?EEK4xWTVVf<15o6%b`0ov!u(uvHR3=}- z5?_wbRtf8vIs21Uss(`#L*&bMvR4sB&0&G41fJ1IhhG|{2*}zCZJL|Y5)fM$$m{xk z8yax;Z}cm6}KH_ojpH7 ze6VkE!k!KAR#hDni6Ul;5AH4by#{(3#EuEuiB&3&xs2)_b)K1-dEerFVV0-Zh5oho zUzZpjDk40|(t33#TeG2>#!Wx}2C%mf;`AssQX`%m7bXFV{5(rv?H5snbwud>F<;j0 z=_W0~JgwIh7NfvOXIB5ZH(k8b%V17MEnf)&{|ElN!&Rw*LfArn~pSB_KA?D~~2VrL>x!4ow5$PjIB{ zAG|%vi7G+=3?^bfB~u$Zh07{3h=w)3Z7Y&A0{Q|wf3p56HZgRJ{5KfY5mxdc$4d?n zxiIsz3we&rpildH7(TVq0(;!s%v$(N(BZMxXfs;H-#WQ8!Xx&o7lhfsP_4eqQ1sLV zi>gSKLhk?u1*;bsGeaV@zl@mvFAL9p;x7j;14hr&U#ZwKo`Q#lb_lH6^J{Cb8tnI5 z0|G9DBR=e(Kyk^~P%_6Z;Y^-$SA1ZHLwwl5-sRc?l3?2|yFy2*Oa4A2V*4OqD`Q+f z@V6G-p?S~lZMuJ9mdl`KZIL5?@z7Pf(glP%S`JP`c7Xgug+8l;S-Vjk9D4A5;$rGq z#4MB!t}`^EkS;Lu89x)HUwBfGZAl@kE(aKSMjJe7c`NYcPWj61ns^+~G1z9(Zv}R7 zX}&9*c_$6`qm>z$;w?JOC@r(%Q$f@1*xMla=SXDC^~DEy%O=N>E{5wh0<#g}AQE{s z(^ToowV1*cnf(gC&tr`-9uZG9ksoX214bMj@^?OY((6!iFcsxL(;w+7SBZdn;H3T$ zQ*aSeNpBsfMCh|#lOBnST#-~lw-3zQALhqqQuHSr2!+A8IoQ_mYR80u6TgG0C+EN4 ztLEEuUJUr)XHk6xXmL>yEeIUm`0=3Qiw<*16;G?t<0S_5>u1>qO#+B%50(HHnz>e+ 
zyaKe*;_`B_p?u5Pbv^A#m;7Z(d^|qbzJ1e?nivzSYVMSWAN9$wtWg3T&(oK$=7&wN zh^&w_N4k=g`OBB}#4)R{7}OtyZzW^yo?dd5lc;ltEMJ~7LB+sYZ#r!yG>iv-yhNDl z*-*`p6nuM4d88R6`8x;%7-dx;A!uvn?d5?PH04{LPXEfyoJpGLoFF7dRIH_s>_(HD z-@b@X1`27A48;%2xLfc;h}aO!YX!_ghs;PwFh0flY3z$uik zg3KR1`fFOXGpkDXlba(zL$|DAzQ22~Sy-5)Cg;cENN$x!@ZyzE2s?%&;wT5el%XY4 zFl%!);=+2&+Ys-S04ptlbIO>Bvc}Y^za#RIv?DrnXqJULZu6weJBG{_AZpd3#-k;w zM?m>__u~PlLfp68U{o|KO`W0UL_d}_BEz9fY)@=^0vwfSC#j^v(JX8~G zi9f`M@ov6LU>GPPJX=(~uLZ0SqQw^tms7hcNNH&Fpb0iGD+KfYn`LkPHGA+UmDWid zc%PZ#8Remte{aX|-q<5TkRCr@q;-v%jVwzJGY5IFaP?*}p_iCd#P&)Xs&;*1lNy~X zbiqp{-8rTrm`v)0Z`wlQN1JAqW31?Aeu5;W!bvYhz)WlbMa8`E9Du#Zj;vuFB&2uz zKNbCf;IW*%2!18j}%29OhH4uLba(=-~Q>P{`M|>P2%lF2i(GE zHNkHuyxctM=KYNN{EgG^@H&K;wg(%s{LKj_aV%t8Gd;e zcCh`Ap7K>uhn>zhx=^@l9fFhd>XXY4<8t|Xzrb*MfvUi&$Jgu$fydIy_H;&%`Jl2N zzx`O|hestQ_OG^tt5|-)A*5^jnDvtVR<-w2ke45TypUA|d$NB0q<{1$>E(ld;iMiC zm{paDSz>tCEvtC(Qb-}l3D#o&Whp@PGnH;>RRWR_p@&(+auR2L(a7+h{rhKUfW({q z8oDjwr9zD>XwW_uRRhn4;Z+lpw_8G(u-cU>Wd3WdV%h9+ADt9w?f43$uMTB+K( z;OL~$b4~qi7R~k8(BzR`HZPiOW^qWe>t73V31;%b=E9F3)Gwe7FIk=YeAw43p+ygi zfDfjSdQ$&{0%KT*q4FlmrAEw)h>$HCVu9%a7=vG>M8WXqAPgUss1B@U+NiZjg@wK^ z(V=ydPq@LQNNzIOs9a7hRSl?KeL#GV9+p6Bp6uiDx86J5nA$|S9FM!}c$^V!B%;^8buy=%s7XrVG4LY| z6(h52G@RU~Uv{k&oz`mNy^9&yb*rfR1-qj5TX)nW!iz0_G^~hP?|G-b;$uj8bCc6; zPLUZXN5*~$otD(KTNeJVVZCMBo)YLt4>uFL6HYBw@lm`;KwgFpzPg`(+mX`x+oC=R zk2wv?OCXz9t3yT3g>?=ISDpwlfOcg)M|ac|L+ejq6j@W($Rl6c9x-tf6HT!lSB|Y9 z+E$K^vW3IH;r7p+{BhN%TlG`6{nBeqg@OE5B5=)+`K7)O`9~N}Yx}utL)|umVz$sr z1}cl$t=HVBe&<{od}h4}C2NH$`%L7y@A0(Jt4 zs&D^$o%HH+$eqXyO->phX&^D~tL&stI7!n&$lM=0);k#E%CWQ``{OPqCah}ZcK&3@ zGa+UB-7Z=HC?1+JN1As*zpgW(aadFEVcG0s&eO+NeX~m*(JHL;R;Hq^NMJI-K-2k2oItgc&<-6_Y z3X-A#)DlB>Mx^SX->i@6GB;=J|Fw2oz23X?>7f5&AwM(EZf3lt8nRn2GkEeTC|9IU>K8qQGQ;=)+EtuNT z!Z<`2TzwYi;*SZn(VCXx(f8p|ma601p?A%(I$nFvfQP}$ueih%#-q3WXpu26|qWv__0edy(u(()5uV z5ZQ4KjnJFOrT;YObXU2LPloF3^v#tsivQcO-|9$v+uD|IXuFjb@_kk;zlr$p;e*&#Dg3wjPt}a0 
zWcyz)z?j?mU(z4Iha4tV8Q)p>d*_J#@$FKgxCeev5-3G&t+u}Heo_OCISI*xkW(_g z9@L^TZs>!9%0{P%ATjwx=~Cb)`4M}5L$FVx76SC%qATl#k~%-isW>?)9pYt-shgL_ zRN?s)Bum6}IiMe(a$X{(=8#v0+aZDhlqX1_|+i+uWM?@w|0Y7K#oX&2+%CAJjmP-DyM$ z(j-Ta6G6l6ojeSg{|Ha?mg<;Y-H_rpd~h&(rEAJjw2xdsuZsxI6y`0d06fLQbbzZ4 zHK`#B9Is#OZD+gP6)n8w3uHc7gf4LtY4zwadLxfK&}8^>@B zVr|r4&(|5kpIfsA^&Q-Qo-kfx2}X?RZ9nAU-S^DXQt+ohyK&V_nWA%w6(8^^I$x?k zoFKT@E!tu4S;v3e({ z4nbq(l3XFn?a!b+yApz-NArp;fAeKHLlrXfCEx2^W=)IOt3K2w_;_>0IoeGR&2`XB zcE2cCeKPu6POs!}DtWT5Rs& z6@8G^@Vnq-D3a97F@SJmeeaw%dRtq$=lfF!dEh3J$VRW)g+d!*KWLCVl&G;$6vz^1DmqXVaVg7U95-VG>*Ho`O`?N!T<0%%Y=^fg7 z@3Y)S_N;+J9-&T_U8?=sLpBE}Sr+yW4}XUIviq&*Z(l3h$7?uzI8@ddGoU8FTIh=# zuF;u`^n6pTS$P`zwN;hH{a%6-N-{LRbmWdCf0MNR=58GCo+&`7sKYdw2RtILQPJq| z9h4%fJ8V@dx+7vi0hwbqe7*k^ScqJc8;zW_AO@%@BCI%R91G%c_En1Dn1k}cp6f;u;WDN3Qni$x_D%lyg-|&@NHCNOe7+0K_Y~6LR1Kc=!m=1Z= zx;*o!VPw?D9B~dqI?T1zt9rcY(k@mT~KP|j;ghPI|r zW55h5JlJ4`@Ce;5I(wH|UA&=J8#>y?>7s;Y%$f-9d1+SlV_4sHLC5c@g-wH=Me#`p z{=z2{3MhPff=$Y+B@o};`s+ajlrtnXnNZ+Y^881J9t;1CgP1;=2VK4jQlyHq->u?e zuR8v--wP^NZ#w1m*F5*q>Nfa$e^18GWxgy5(4bQ`FJV5u(xE&T;seQ#B|tRgRGbAc z5gbB+OvjRKmWK7QQBRtw?%MP5SZ6Ca)FTKDHhX-|uDvTu$R)yH!$oBN z=gg{;_)SoLbW#=Ve$;xYl93}K?D|pBfMsQoTcF8^7Bs*(ChW@c3?KMxjDEM+fZv|5 zi+;88siW*_3kPBH+EM%-?utPwA^xovt6Q1m3g^p&XSRWnhYp&mPEZ@hszJ*7-t4>MGqVM0EM?Ow0nap!IL zKUU$!{ZObdb(^mD+dNs|GyiD8o63$=*b;~@2wV!hN33CjwK-^%s=oGQx-`O(@F8N@>;UVl zrX#H(2J!QdAV)tLWn+NYXo}Xv$KO@hrh(_s9hv}$tra0x@OH)WyqPNRW&$Q}>oiD@ z+4~eO+S1ZIkt3HLan(G}ZWxRQ%2&DKNqC!Db(k0^O+t@aVJYfd_4PNCuOFiRIZ-39 zYRFlv=6@ujqoZe9JXic?rk{y81^o~FW`cntq<2a4?)Jv6RB|u$??mK)T`rF$R1_|M zpt|##*h^Kzw);@J@21C2?5*`Alm6}oT8*oxc!hwk>;1@Et~V=@06}U9xSL3OD&4R- zYCb=>QgAvY>Z*KY_#t!^dvuFal;5sPzmDx`oX=C4R#iD&>|aY856GS z)R7<45c&pIeMgEASbeD-v1LcNenxF#zLcsa%nh(ro#|J$9X3PdTOrKGH1gu1(^St} zp?J>v?1p(}?X#?ZxYi&s)Ad=BA)}nDcvBB-cv^L(Hq#T6QMO`1>>NJ(8 zX8R%Z&g=nrGz_+{dHf`bKOZv7d>;_cmyp5ON@!wN}ioz3ZpNM%{C7Im~M% z&#bPg5|%a#ou)!#rX_+NzIs*%llQ$hlNcIUYTPs3?_8Rc7&OQUV;hpQ1%0Lb0PQSo 
z&j_OXs&&5*uWxTR?}}cP#1X&zV?Z^q2tV8D_&7Lx-83Cn$JBfS*L$ZGbch}CA5_AI z(MJ!2+Oz!o3BRwpe-HC2tFZ(hK(!pJX z?4b2^=#OkWKNc8l%xmmXTSw`YRUW4`Jga5J_-G!$-oe>?VA$0|0WY(#)|$&6e-Vgq z2eS^U+WC-h?O9~SDCA&GW63P_Rc27S$4lYs&|uDqYY3X}6kJUn(xP)MO_g69B}fzD zilaw{cIK$e9TOKH-GfQ!fTynXn8)?{^2a3^6CT8dncAGYx)i*mLdKGu1m5)5=c3k! z*s?6g_WaTlQ5o-Dt@BH-(cmQ<*qw6oocGGRabO@H%dRMNac}W_{ayYnU2Sg_!e@NY)!g%s83eu%2?;}-?HNfP*}c__rU65JSF|V>MZ)Z#(1)khp}c!GP#n4hve1mo*sm(o%xi8%SVh98KAD!|lPhrnG=t7w zg&7`Seno2qYh_wYoGW$=T1!83Dd>25NJ*;4I4+l%H1o#K(+z)J1nEgA=bDe~B-7tWG_sBBn&PVODVP_#4 zvc^IP8Pwkj*QHOxQ%t*uzt6#Vc`A)#gZTD$qGf7(4wpqBH9YdsNyGXpjG)sf~s26skCOhzHGz4n|g z*l|}M)Z327pxVg4G1_=jCSKL{+ySB97+tdYY#!aK_oYT(Ld355TAR^UxnOJOxDDs} z5{WK6vhU25YHt>*&gDo=m1*&WizamZ=d^gO@cz$@MGMZ)WfE=bX~5PY0mPdo)qTgM&9je!C|n0MRq34$0o>t$Oe2K@TH6K2d)^); zM=)>$cd|JgroImd8h!%~g*U_u95QZw0?+4R{%JkB*EV?00@uOD4A?P_k@p)ayME|m zKMAv!W*%Nwd2u0JV+_FV+uI3?kc5lK(8@$pW6v*~2*e?Q4xyAGC@G?3y*DvE0V^;f zb>p?rO>ZsP=x&MVnq-Dj+(I?fMBzc{LTD?HYn&NRLX82{rj3rgwjjP+uv)9+^_(Q*Ej1Jy_xoRu}8laB;@lKmjd+>Sf<{pSXX>B_I zM2s0cH$}7alg{d-&7ML;)q*(Xez01jBZ+BZ52AnqG3*9uM_Z=hSA~u_Vt%6N z9T(OVJevLEk3ya%3vujPQp&uue)_0#F3T48`Eg;-SwHLCXKDP8XrOe$$4VIVblE%e zP7gM@RBU)l7!9p=!wfJ}ovA*X73eKz%llI7^vesW;)Cqs^h?_5#ol;*HdJ@C-G8za zN-VR#+=T$}i*P&|&z@@|r;7MKBEl;aZhIJi#Lo(kXl^~de-~+S)aH83$H@G&JI+Z? 
z1{c!Pixn|wli{Q*4yck}TbT6p# zL2OQg^;FfnjC~np+*DE0I;5K4WKSn6ZCg}IEMwr!pI*J=(+D@sm}3vMA4Hu$_2~W} z%OKt-kp+7Zt>qOvsnDOkhUPJ{20&clJb3X8I27~9{c4%3(LF4^{TO4HI|Ca(NC}WZf8GX zV{>usIhS(DU!`V{PqjHpsfcc)yq9l+u_4I=kA`%+%7|v3*28>y>!4aTCb(?%{9^3I zKsF&cn5gUQmBS@x5l0pcXHQ*zk>zJx2P+U~y$%?@A0#p)vVn(#%R|ToYihy4ff`|n z1=$0S`B%&jVdi_r%G8w?JQD2%>r)PrMuGVHNPM^K1HF_A({Ib3jm)tUtwvz91vn5i z)fUVxhydBy(vXDwcRspd0zv`C!LzW;l5=|qeMVFsT$-`Xh}qr~tSrGZ&X#ZMFb!P= zHdj2Bn#-35Lm5fq+(-R{>0BGtee&~bN8SFGh>$*#2cNw_GI+mQv)iw8-``n(HK9#J z2ni{$8YNKUqZ{KlQ&SSBp>TWLR->65)?Cjesa~Z5GR+jde6uXP9HiW?+50NZL1|=tg9ts5b7i$N&32hhWJ1c* zsPdwjelkc>a6hDI5`xJ+<*zljU0jKe4PAO*{ZN2MNLyVh#4B0@3N$4?eAVoj#??6i z*-^DirB#t*iv7cd1&x*H@?8Z8&bh90f6(Y#20rD_GEap~`cq&t)a4QpJ0NKZ`$c0kMXHEZk3F@&>5MBm_}ZxoUZ5K34?MYbftHF7TR|DnU5tZxr+zJ@mPaE$;}wn4 zpK>_tjp)-5ugqYvoL)Ah{IvYJqVO;!7y0;-$s0~6W7ms3V{ETRMq0fK-&)KY*<%)=*+pdjO*l)UwqowF02 zE0Fmw&_{cZ^!iDz)2}|Seu~!5S7~YZ`ly`U&O%MdKxhdGVE!!=zHisvMD8cuxeHdi)p8$=C(LE3L~F4xSx%S+T}ex zJsl+^!WFf&tX$mO-j;GJAZnfrvE+rL%QIIs1t;OmIi;?Kup z&7$DAXTO`A*Vdg>_-+s0Hz?%()HDA*}y{q4Im2?YWf#)&f zRs8mU29)i8HWXj1sN+9v6E%MlX&G+FNk`1Dd1h^d#}5e+Wu_JFoePDI~LQv z=4PW=+p(2+ZES$dpDKiHD_CF>DF=a z`$?i<(M&x>bHkL=YW4UjYsq!8xr)zv9+_kAv(LlmcJoV(L8RFc^{W!baT;lj~nom)Rz*W?7-0Ld*ruA~OJ9xbNexJeIQIiQYCrxL~3nn2U;dz6S zA?V|B$N`Ih*)6!#wZD%!!L?tKC^@j+>Rf^m-p_**dB9=4*uc9F*DeAK!rm3=i9!dY zf5$48i{CNocCHo>wTBT=rH|`>I%3oi-sF7KfrR9&?AXCBM1x34LXbkS(3P8sTu{jw zxASbmq$BK3rxpazNtK4v0R0BHv2v!KzgPARQ>xHMipuJLwi=oB=@KOGSIoXITd#87+sWqV{w~U;eM0=Av*8J_;wk*ZNmkO`hinIxR%o-=yfcs+0 z7jJ9p@@lpgW`7kWbtEJp`LsF=bU`+Aq!x2YBjUVA#nIUCac45^u2#Le}E>NaI1juI`N}qTF0u z#GuON3`czz_pbqE|E40>g|l2=ha23dIvc{UYqrW1wuq4fuhMM-*`1_!ryWHtF4Kjd zL42;@A=NyeAyYm|iY3Q16l~G`qL+(P-*$I959iTj)OA;s>z`xJ7@;q1lLKQr%+ z1)uMfCE_-i#?3v`o@Q_rc;BIaZ@J%b|G8+U$LqUuBJZomOixFm!eaql8dr6qz2;`O zlTWeu0?*!^@UB2o5gCi{UPnS7OjpVbry*6a;rxLZ8IQ#E&rIvoP1BUGxBJ@KUHLum z`tCNMz|>THkXpiit)^*oVxK1>B9(6A+9PK?#n3?fx=@+-=5(XWZ~>)BZ44Ki!SJ%e zhnzxB%T%=_o5QnbdS|HW0aCf|?z7ky*z7u3d04emW}nM`J(NWuE|J<%2kGUG;{$#B 
z(H@&T)$OBnO+>KXv&y1^4Pz;oSwyWceS)EyD<2!m*68NoV2O= z2LYC-aRtWo z;zMc_UY~FxpPcr_QoDrR_b##i)s#HU_b;(Lc@bP!O7@o3f+Av5-rXNT)uy{f zue`p8rxWfNT89HL(9_NzL?Lr*ZnW?``t9(JZ^8!r;3rrcrvN~%w}GPLLjXmW+os7i z%|ie{!gobTJQoZ4e?h+Dehr(!juMM*$gl^yyEW7*4O)}xs9~c@M1Rl9dM8+y%3cv* z7>eF*e=?_K4;x@x1RJiTI=Lda++k;`ZM`F5dS0XsJ97co=Pd<J^? zrCY-BYHYW>g<8i^T0WN>mQU28xoP5Eg<5E$wvXMt-FG+7^+pZ;I^u^*!9@KH)UY_N zrKNR8xj>%xP(%?VF)93PMuUOYF|?{cu|4mDcFnbTKt@r5z4cCS%fzyCeJ%m}dzg*x z=EMbU8?81hK}+>wTR0zW{;%FK1`@762OGRiEjyom3^U+K&dATk4{m#FP8d*|CxTCm z->({6Jm=U}`+j61!uq+?RL*|Ta_Q;4>TafU-VGKU%)rYYy}ART5o^ph8HewfUx_cf z+_snfTAz_S>uOuI>j<9+?rd5grYDYl+j`^X=7{urXJl+3e~}|Y&pril&CRgWfy-*w z>7cI+2$Z7NQQD}2N5ve<8?32-Lc zKin1f3FaLaDJ6E}hoZEM;`@ClEZYo03r7*^Ruv;I14iro`xAe^nNTnfB*zj9sH9C% z3f5o^jDXdgv9{c~MO-<}MejdoqN!m-`4|l-newxCU~p($JL;*9GcE0Tm4_oLVNX_j8BXd3(Emz3k(OLlt4Z zCcFhc)*^oq23(N3+Q^`rcayG>WH4#wy6T+Vs+Fh{G`yV3Y)9V8MB*PhF(rfI*3$XC(l zVYWVe%2txo$M#~|-m1}iuoAM?`vd?0>7~SkRb10LW3pYFy6BNC>}{QgIgd@fbB$BD z_cJUrz0vxYl~hz38oPZ}aKyy~yWdIP{`+$LcUpf>|G%RnmVy(*cBCSaBZ~gNXZinL qMGEwj7kY#J`~;Bt|MTsTSKttpu9RQX4HW?TBPA{`RwZH(^nU=qu)KT# literal 0 HcmV?d00001 diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 4a6bf5e5f1..5c3f494388 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md 
@@ -342,11 +342,11 @@ Following properties apply: | Property | Artifact | Description | |-------------------|:-------------------:|:---------------------:| -| `name` | instance | Name for the IAS application - unique in the tenant | -| `display-name` | instance | Human-readable name for the IAS application as it appears in the Console UI for IAS admins | -| `multi-tenant` | instance | Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS) | -| `credential-type` | binding | `X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application | -| `app-identifier` | binding | Ensures stable subject in generated certificate (required for credential rotation) | +| `name` | instance | _Name for the IAS application - unique in the tenant_ | +| `display-name` | _instance_ | _Human-readable name for the IAS application as it appears in the Console UI for IAS admins_ | +| `multi-tenant` | _instance_ | _Specifies application mode: `false` for single tenant (default), `true` for multiple subscriber tenants (SAAS)_ | +| `credential-type` | _binding_ | _`X509_GENERATED` generates a private-key and a signed certificate which is added to IAS application_ | +| `app-identifier` | _binding_ | _Ensures stable subject in generated certificate (required for credential rotation)_ | [Lean more about IAS service instance and binding creation options](https://help.sap.com/docs/cloud-identity-services/cloud-identity-services/reference-information-for-identity-service-of-sap-btp){.learn-more} diff --git a/guides/security/cap-users.md b/guides/security/cap-users.md index f0260071ec..173141f345 100644 --- a/guides/security/cap-users.md +++ b/guides/security/cap-users.md 
@@ -35,42 +35,64 @@ In addition, CAP users provide an API for [programmatic]( #developing-with-users ## User Representation { #claims } -After successful authentication, a CAP user is mainly represented by the following properties: +After _successful_ authentication, a CAP user is mainly represented by the following properties: - **_Logon name_** identifying the user uniquly - **_Tenant_** describes the tenant of the user (subscriber or provider) which implies the CDS model and business data container. - **_Roles_** the user has been assigned by an user administrator (business [user roles](#roles)) or roles which are derived by the authentication level ([pseudo roles](#pseudo-roles)). - **_Attributes_** the user has been assigned e.g. for instance-based authorization. +
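Review bot: the italicization applied in the `authentication.md` table hunk (`@@ -342,11 +342,11 @@`) is inconsistent: the `name` row keeps its Artifact cell as plain `instance` while every other row changes that cell to `_instance_` or `_binding_`, and the hunk gives no reason for rendering whole Description cells in italics. Either italicize the `name` row's Artifact cell too or, preferably, drop the added emphasis, since italic descriptions wrapping inline code such as `` `X509_GENERATED` `` read worse than plain text. While in this region, the unchanged context line `[Lean more about IAS service instance and binding creation options]` has a typo and should read `Learn more`.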
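Review bot: in the `cap-users.md` hunk (`@@ -35,42 +35,64 @@`) the only visible content change is `After successful authentication` becoming `After _successful_ authentication`, which adds emphasis the sentence does not need, and the trailing `+` introduces an empty line whose purpose is not clear from the hunk. The unchanged context lines carry two typos worth fixing in the same change: `identifying the user uniquly` should be `uniquely`, and `assigned by an user administrator` should be `a user administrator`.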