From a840ddfd761870dd3cfd00ee441a3c0e789d6a04 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Tue, 19 May 2026 06:41:52 -0600 Subject: [PATCH 01/21] fronted/scanner: discover working CDN fronts per-client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a probe-based scanner that turns the existing fronted.yaml.gz masquerades — plus opportunistic CloudFront-range samples and Akamai hostname-regex draws — into a ranked list of (IP, outer SNI, inner Host) tuples that work from the client's network position. Why this exists at all: censorship in IR moves fast enough that a config push isn't a tight enough loop, and the working fronts are per-(ISP, geography, time-of-day) per Samim Mirhosseini. The scanner runs client-side and reports per-client truth. Pieces: - scanner.go: Candidate / Result / Probe / Scan / RankWorking. Probe does TCP + uTLS handshake + HTTPS GET to TestURL with the inner Host header. Only OK on a 2xx. - candidates.go: CandidatesFromConfig flattens domainfront.Config into the primary probe pool. SNIsForProvider extracts the masquerade-domain pool for use with CloudFrontCandidates. - cloudfront.go: 204 CloudFront IPv4 prefixes embedded; weighted random sampling pairs IPs with caller-supplied outer SNIs. - akamai.go: SystemResolver (OS/ISP resolver — the ISP is the right source in IR). Akamai candidates leave SNI empty matching fronted.yaml.gz and verify against AkamaiCertHostname for every entry. GenerateAkamaiHostnames produces the Psiphon/MahsaNG regex pattern. 22 unit tests, plus opt-in (SCANNER_INTEGRATION=1) live-network tests. Akamai integration: ~100% hit rate against the canonical edge hostname. 
---
fronted/scanner/akamai.go | 173 +++++++++++++
fronted/scanner/akamai_test.go | 122 +++++++++
fronted/scanner/candidates.go | 122 +++++++++
fronted/scanner/cloudfront.go | 150 ++++++++++++
fronted/scanner/cloudfront_prefixes.txt | 211 ++++++++++++++++
fronted/scanner/cloudfront_test.go | 106 ++++++++
fronted/scanner/integration_test.go | 145 +++++++++++
fronted/scanner/scanner.go | 272 ++++++++++++++++++++
fronted/scanner/scanner_test.go | 313 ++++++++++++++++++++++++
9 files changed, 1614 insertions(+)
create mode 100644 fronted/scanner/akamai.go
create mode 100644 fronted/scanner/akamai_test.go
create mode 100644 fronted/scanner/candidates.go
create mode 100644 fronted/scanner/cloudfront.go
create mode 100644 fronted/scanner/cloudfront_prefixes.txt
create mode 100644 fronted/scanner/cloudfront_test.go
create mode 100644 fronted/scanner/integration_test.go
create mode 100644 fronted/scanner/scanner.go
create mode 100644 fronted/scanner/scanner_test.go
diff --git a/fronted/scanner/akamai.go b/fronted/scanner/akamai.go
new file mode 100644
index 00000000..bdbdbe8c
--- /dev/null
+++ b/fronted/scanner/akamai.go
@@ -0,0 +1,173 @@
+package scanner
+
+import (
+ "context"
+ "crypto/rand"
+ "fmt"
+ "math/big"
+ "net"
+)
+
+// Resolver resolves a hostname to one or more IPv4 addresses.
+// Implementations must not route DNS through the VPN tunnel — the OS /
+// ISP resolver is the right path in IR because the ISP returns real
+// Akamai IPs reachable from its own network and DoH/DoT endpoints are
+// themselves blocked.
+type Resolver interface {
+ LookupHost(ctx context.Context, host string) ([]string, error)
+}
+
+// SystemResolver wraps the OS resolver. Use it for Akamai edge hostnames
+// (a248.e.akamai.net and similar) which Iran's ISP resolvers return
+// truthfully because Akamai hosts too much Iranian critical
+// infrastructure to be blanket-blocked.
+//
+// Never use this for our own backend hostnames — those get poisoned.
+type SystemResolver struct{}
+
+func (SystemResolver) LookupHost(ctx context.Context, host string) ([]string, error) {
+ r := &net.Resolver{}
+ addrs, err := r.LookupHost(ctx, host)
+ if err != nil {
+ return nil, fmt.Errorf("lookup %s: %w", host, err)
+ }
+ v4 := addrs[:0]
+ for _, a := range addrs {
+ ip := net.ParseIP(a)
+ if ip == nil {
+ continue
+ }
+ if v4ip := ip.To4(); v4ip != nil {
+ v4 = append(v4, v4ip.String())
+ }
+ }
+ if len(v4) == 0 {
+ return nil, fmt.Errorf("lookup %s: no IPv4", host)
+ }
+ return v4, nil
+}
+
+// AkamaiEdgeHostnames is the canonical Akamai edge hostname used by every
+// masquerade in our existing fronted.yaml.gz Akamai provider. The IPs
+// returned by the OS resolver for this hostname are geographically
+// relevant to the client's network — exactly the per-(ISP, location)
+// signal we want. Additional hostnames from the MahsaNG regex pattern
+// can be appended to widen the candidate space.
+var AkamaiEdgeHostnames = []string{
+ "a248.e.akamai.net",
+}
+
+// GenerateAkamaiHostnames produces n random hostnames matching the regex
+// `a([1-9]|1[0-9])([0-9]{2})\.(dsc)?(b|d|g|g2|na|r|w7)\.akamai\.net`,
+// matching the pattern Psiphon and MahsaNG use. The regex enumerates
+// roughly 3,500 distinct hostnames; each is a valid Akamai edge that
+// the OS resolver answers from the general edge pool. Fresh hostname per
+// dial varies the outer SNI without changing which property is reached.
+func GenerateAkamaiHostnames(n int) ([]string, error) {
+ if n <= 0 {
+ return nil, nil
+ }
+ out := make([]string, 0, n)
+ for i := 0; i < n; i++ {
+ h, err := randomAkamaiHostname()
+ if err != nil {
+ return out, err
+ }
+ out = append(out, h)
+ }
+ return out, nil
+}
+
+func randomAkamaiHostname() (string, error) {
+ firstPart, err := pickInt(19)
+ if err != nil {
+ return "", err
+ }
+ first := firstPart + 1
+
+ rest, err := pickInt(100)
+ if err != nil {
+ return "", err
+ }
+
+ dscFlip, err := pickInt(2)
+ if err != nil {
+ return "", err
+ }
+ dsc := ""
+ if dscFlip == 1 {
+ dsc = "dsc"
+ }
+
+ suffixes := []string{"b", "d", "g", "g2", "na", "r", "w7"}
+ suf, err := pickInt(len(suffixes))
+ if err != nil {
+ return "", err
+ }
+
+ return fmt.Sprintf("a%d%02d.%s%s.akamai.net", first, rest, dsc, suffixes[suf]), nil
+}
+
+func pickInt(n int) (int, error) {
+ v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
+ if err != nil {
+ return 0, fmt.Errorf("rand: %w", err)
+ }
+ return int(v.Int64()), nil
+}
+
+// AkamaiCertHostname is the hostname every Akamai edge's default cert
+// validates as (alongside *.akamaized.net, *.akamaihd.net, etc.). Used
+// for post-handshake cert verification regardless of which hostname we
+// looked up to discover the edge IP — the regex-generated hostnames
+// (a1798.dscg.akamai.net, etc.) are useful for DNS-side discovery but
+// aren't in the served cert's SANs.
+const AkamaiCertHostname = "a248.e.akamai.net"
+
+// AkamaiCandidates resolves the supplied hostnames via resolver and
+// produces one Candidate per distinct resolved IPv4. SNI is left empty
+// (matches production: Akamai edges serve their default cert when SNI
+// is omitted). VerifyHostname is AkamaiCertHostname for every entry.
+//
+// hostnames may be the canonical AkamaiEdgeHostnames (1 hostname,
+// stable IPs from the resolver), the MahsaNG-style regex hostnames
+// (varied hostnames, more IP diversity), or both mixed.
+func AkamaiCandidates(ctx context.Context, hostnames []string, resolver Resolver, testURL, innerHost string) ([]Candidate, error) {
+ if resolver == nil {
+ resolver = SystemResolver{}
+ }
+ if len(hostnames) == 0 {
+ hostnames = AkamaiEdgeHostnames
+ }
+
+ var out []Candidate
+ var firstErr error
+ seenIP := make(map[string]bool)
+ for _, h := range hostnames {
+ ips, err := resolver.LookupHost(ctx, h)
+ if err != nil {
+ if firstErr == nil {
+ firstErr = err
+ }
+ continue
+ }
+ for _, ip := range ips {
+ if seenIP[ip] {
+ continue
+ }
+ seenIP[ip] = true
+ out = append(out, Candidate{
+ Provider: "akamai",
+ Domain: h,
+ IPAddress: ip,
+ VerifyHostname: AkamaiCertHostname,
+ TestURL: testURL,
+ InnerHost: innerHost,
+ })
+ }
+ }
+ if len(out) == 0 && firstErr != nil {
+ return nil, firstErr
+ }
+ return out, nil
+}
diff --git a/fronted/scanner/akamai_test.go b/fronted/scanner/akamai_test.go
new file mode 100644
index 00000000..d40e915f
--- /dev/null
+++ b/fronted/scanner/akamai_test.go
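Review bot: `SystemResolver.LookupHost` passes every IPv4 answer from the OS/ISP resolver on to `AkamaiCandidates` as a dial target, and nothing in this hunk rejects loopback, private, link-local or unspecified addresses. The type's own comment says this resolver path returns poisoned answers for some names, so a forged answer for an Akamai hostname would become probe connections to hosts on the user's own network; whether the check against `AkamaiCertHostname` runs before any request is sent is not visible here. I would drop such addresses in the filter loop, right after the `net.ParseIP` nil check: `if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() { continue }` (or apply the same test in `AkamaiCandidates` so caller-supplied resolvers are covered too). Separately, the `GenerateAkamaiHostnames` comment says a fresh hostname "varies the outer SNI" although `AkamaiCandidates` leaves `SNI` empty, and the quoted regex admits 19 × 100 × 2 × 7 = 26,600 names rather than roughly 3,500; both statements should be corrected.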
@@ -0,0 +1,122 @@
+package scanner
+
+import (
+ "context"
+ "errors"
+ "regexp"
+ "testing"
+)
+
+type fakeResolver struct {
+ answers map[string][]string
+ err map[string]error
+}
+
+func (f fakeResolver) LookupHost(_ context.Context, host string) ([]string, error) {
+ if err, ok := f.err[host]; ok {
+ return nil, err
+ }
+ if a, ok := f.answers[host]; ok {
+ return a, nil
+ }
+ return nil, errors.New("no answer")
+}
+
+func TestAkamaiCandidates_Dedup(t *testing.T) {
+ r := fakeResolver{answers: map[string][]string{
+ "a248.e.akamai.net": {"23.47.48.1", "23.47.48.2", "23.47.48.1"},
+ }}
+ cands, err := AkamaiCandidates(context.Background(), nil, r, "https://api.iantem.io/ping", "api.iantem.io")
+ if err != nil {
+ t.Fatalf("AkamaiCandidates: %v", err)
+ }
+ if len(cands) != 2 {
+ t.Errorf("len = %d; want 2 (dedup)", len(cands))
+ }
+ for _, c := range cands {
+ if c.Provider != "akamai" {
+ t.Errorf("provider = %q", c.Provider)
+ }
+ if c.Domain != "a248.e.akamai.net" {
+ t.Errorf("Domain = %q", c.Domain)
+ }
+ }
+}
+
+func TestAkamaiCandidates_MultipleHostnames(t *testing.T) {
+ r := fakeResolver{answers: map[string][]string{
+ "a248.e.akamai.net": {"23.47.48.1"},
+ "a123.b.akamai.net": {"184.150.1.1"},
+ }}
+ hostnames := []string{"a248.e.akamai.net", "a123.b.akamai.net"}
+ cands, err := AkamaiCandidates(context.Background(), hostnames, r, "https://api.iantem.io/ping", "api.iantem.io")
+ if err != nil {
+ t.Fatalf("AkamaiCandidates: %v", err)
+ }
+ if len(cands) != 2 {
+ t.Errorf("len = %d; want 2", len(cands))
+ }
+ domains := map[string]bool{}
+ for _, c := range cands {
+ domains[c.Domain] = true
+ }
+ if len(domains) != 2 {
+ t.Errorf("expected both hostnames, got %v", domains)
+ }
+}
+
+func TestAkamaiCandidates_AllResolversFail(t *testing.T) {
+ r := fakeResolver{err: map[string]error{
+ "a248.e.akamai.net": errors.New("dns blocked"),
+ }}
+ _, err := AkamaiCandidates(context.Background(), nil, r, "https://api.iantem.io/ping", "api.iantem.io")
+ if err == 
nil {
+ t.Errorf("expected error when all lookups fail")
+ }
+}
+
+func TestGenerateAkamaiHostnames_MatchesRegex(t *testing.T) {
+ pattern := regexp.MustCompile(`^a([1-9]|1[0-9])([0-9]{2})\.(dsc)?(b|d|g|g2|na|r|w7)\.akamai\.net$`)
+ hostnames, err := GenerateAkamaiHostnames(200)
+ if err != nil {
+ t.Fatalf("GenerateAkamaiHostnames: %v", err)
+ }
+ if len(hostnames) != 200 {
+ t.Errorf("len = %d; want 200", len(hostnames))
+ }
+ for _, h := range hostnames {
+ if !pattern.MatchString(h) {
+ t.Errorf("hostname %q doesn't match Akamai edge pattern", h)
+ }
+ }
+}
+
+func TestGenerateAkamaiHostnames_Variety(t *testing.T) {
+ hostnames, err := GenerateAkamaiHostnames(200)
+ if err != nil {
+ t.Fatalf("GenerateAkamaiHostnames: %v", err)
+ }
+ unique := map[string]bool{}
+ for _, h := range hostnames {
+ unique[h] = true
+ }
+ // 200 draws from ~3,500-name space, birthday paradox aside, should see >100 distinct.
+ if len(unique) < 100 {
+ t.Errorf("only %d distinct hostnames across 200 draws; want > 100", len(unique))
+ }
+}
+
+func TestAkamaiCandidates_PartialFailureStillReturns(t *testing.T) {
+ r := fakeResolver{
+ answers: map[string][]string{"a248.e.akamai.net": {"23.47.48.1"}},
+ err: map[string]error{"a999.z.akamai.net": errors.New("nxdomain")},
+ }
+ hostnames := []string{"a248.e.akamai.net", "a999.z.akamai.net"}
+ cands, err := AkamaiCandidates(context.Background(), hostnames, r, "https://api.iantem.io/ping", "api.iantem.io")
+ if err != nil {
+ t.Fatalf("expected nil err when at least one lookup succeeded, got %v", err)
+ }
+ if len(cands) != 1 {
+ t.Errorf("len = %d; want 1", len(cands))
+ }
+}
diff --git a/fronted/scanner/candidates.go b/fronted/scanner/candidates.go
new file mode 100644
index 00000000..4a219bbf
--- /dev/null
+++ b/fronted/scanner/candidates.go
@@ -0,0 +1,122 @@
+package scanner
+
+import (
+ "crypto/x509"
+ "encoding/pem"
+ "errors"
+ "fmt"
+ "net/url"
+
+ "github.com/getlantern/domainfront"
+)
+
+// CandidatesFromConfig flattens a parsed domainfront config into a probe
+// list. Each (provider, masquerade) pair becomes one Candidate; the
+// provider's TestURL is the probe target and its host becomes the inner
+// Host header.
+//
+// HostAliases on the provider are not expanded — TestURL points at the
+// provider's ping endpoint which is already CDN-hosted, so the request
+// reaches our backend through the front when the path works.
+func CandidatesFromConfig(cfg *domainfront.Config) ([]Candidate, error) {
+ if cfg == nil {
+ return nil, errors.New("nil config")
+ }
+ var out []Candidate
+ for name, p := range cfg.Providers {
+ if p == nil {
+ continue
+ }
+ innerHost, err := innerHostFromTestURL(p.TestURL)
+ if err != nil {
+ return nil, fmt.Errorf("provider %q: %w", name, err)
+ }
+ providerVerify := ""
+ if p.VerifyHostname != nil {
+ providerVerify = *p.VerifyHostname
+ }
+ for _, m := range p.Masquerades {
+ if m == nil {
+ continue
+ }
+ c := Candidate{
+ Provider: name,
+ Domain: m.Domain,
+ IPAddress: m.IpAddress,
+ SNI: m.SNI,
+ TestURL: p.TestURL,
+ InnerHost: innerHost,
+ }
+ if m.VerifyHostname != nil {
+ c.VerifyHostname = *m.VerifyHostname
+ } else {
+ c.VerifyHostname = providerVerify
+ }
+ out = append(out, c)
+ }
+ }
+ return out, nil
+}
+
+func innerHostFromTestURL(testURL string) (string, error) {
+ if testURL == "" {
+ return "", errors.New("empty TestURL")
+ }
+ u, err := url.Parse(testURL)
+ if err != nil {
+ return "", fmt.Errorf("parse TestURL: %w", err)
+ }
+ if u.Host == "" {
+ return "", fmt.Errorf("TestURL %q has no host", testURL)
+ }
+ return u.Hostname(), nil
+}
+
+// SNIsForProvider returns the distinct, non-empty masquerade domains for
+// the named provider in cfg. 
Used as the outer-SNI pool for
+// CloudFrontCandidates (and an equivalent Akamai discovery flow when
+// regex-generated hostnames aren't desired).
+func SNIsForProvider(cfg *domainfront.Config, provider string) []string {
+ if cfg == nil {
+ return nil
+ }
+ p := cfg.Providers[provider]
+ if p == nil {
+ return nil
+ }
+ seen := make(map[string]bool, len(p.Masquerades))
+ var out []string
+ for _, m := range p.Masquerades {
+ if m == nil || m.Domain == "" {
+ continue
+ }
+ if seen[m.Domain] {
+ continue
+ }
+ seen[m.Domain] = true
+ out = append(out, m.Domain)
+ }
+ return out
+}
+
+// TrustedCAsPool builds an x509.CertPool from a domainfront.Config's
+// TrustedCAs. Passes to Options.RootCAs so the probe verifies the front's
+// cert chain against the same set domainfront uses in production.
+func TrustedCAsPool(cfg *domainfront.Config) (*x509.CertPool, error) {
+ pool := x509.NewCertPool()
+ for _, ca := range cfg.TrustedCAs {
+ if ca == nil || ca.Cert == "" {
+ continue
+ }
+ block, _ := pem.Decode([]byte(ca.Cert))
+ if block == nil {
+ return nil, fmt.Errorf("CA %q: PEM decode failed", ca.CommonName)
+ }
+ cert, err := x509.ParseCertificate(block.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("CA %q: parse: %w", ca.CommonName, err)
+ }
+ pool.AddCert(cert)
+ }
+ return pool, nil
+}
diff --git a/fronted/scanner/cloudfront.go b/fronted/scanner/cloudfront.go
new file mode 100644
index 00000000..bc864390
--- /dev/null
+++ b/fronted/scanner/cloudfront.go
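Review bot: `TrustedCAsPool` dereferences `cfg.TrustedCAs` without the `cfg == nil` guard that `CandidatesFromConfig` and `SNIsForProvider` both have, so a nil config panics here instead of returning an error; add `if cfg == nil { return nil, errors.New("nil config") }` as its first statement. The function also returns an empty, non-nil pool when the config lists no usable CAs. If the probe treats `Options.RootCAs` the way crypto/tls does, that pool rejects every chain whereas a nil pool falls back to the host's roots, so the doc comment should state which of the two a caller gets and whether an empty `TrustedCAs` ought to be an error.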
@@ -0,0 +1,150 @@
+package scanner
+
+import (
+ "bufio"
+ "crypto/rand"
+ _ "embed"
+ "encoding/binary"
+ "fmt"
+ "math/big"
+ "net"
+ "net/netip"
+ "strings"
+)
+
+//go:embed cloudfront_prefixes.txt
+var cloudFrontPrefixesRaw string
+
+// CloudFrontPrefixes returns the embedded CloudFront IPv4 prefix list.
+// Edges anywhere in this range route by Host header, so any IP in any
+// prefix is a viable outer dial target for an inner Host that points at
+// our CloudFront distribution.
+func CloudFrontPrefixes() ([]netip.Prefix, error) {
+ scanner := bufio.NewScanner(strings.NewReader(cloudFrontPrefixesRaw))
+ var out []netip.Prefix
+ for scanner.Scan() {
+ line := strings.TrimSpace(scanner.Text())
+ if line == "" || strings.HasPrefix(line, "#") {
+ continue
+ }
+ p, err := netip.ParsePrefix(line)
+ if err != nil {
+ return nil, fmt.Errorf("parse %q: %w", line, err)
+ }
+ out = append(out, p)
+ }
+ if err := scanner.Err(); err != nil {
+ return nil, err
+ }
+ if len(out) == 0 {
+ return nil, fmt.Errorf("no prefixes in embedded list")
+ }
+ return out, nil
+}
+
+// CloudFrontCandidates produces n probe candidates by pairing IPs sampled
+// from the embedded CloudFront IP range with outer SNIs randomly drawn
+// from snis.
+//
+// Expect a hit rate below 100%: CloudFront edges serve a subset of
+// distributions per POP, so an arbitrary (IP, outer SNI) pair only
+// connects when that POP serves both the outer SNI's distribution and
+// the inner-Host distribution. The probe filters the survivors.
+//
+// snis should list CloudFront-fronted hostnames known to be globally
+// served (Price Class All) — the masquerade domains in fronted.yaml.gz
+// are the natural source.
+func CloudFrontCandidates(n int, snis []string, testURL, innerHost string) ([]Candidate, error) {
+ if n <= 0 {
+ return nil, nil
+ }
+ if len(snis) == 0 {
+ return nil, fmt.Errorf("no outer SNIs supplied")
+ }
+ prefixes, err := CloudFrontPrefixes()
+ if err != nil {
+ return nil, err
+ }
+
+ out := make([]Candidate, 0, n)
+ for i := 0; i < n; i++ {
+ ip, err := samplePrefix(prefixes)
+ if err != nil {
+ return out, err
+ }
+ sniIdx, err := rand.Int(rand.Reader, big.NewInt(int64(len(snis))))
+ if err != nil {
+ return out, fmt.Errorf("rand: %w", err)
+ }
+ sni := snis[sniIdx.Int64()]
+ out = append(out, Candidate{
+ Provider: "cloudfront",
+ Domain: sni,
+ IPAddress: ip,
+ SNI: sni,
+ VerifyHostname: sni,
+ TestURL: testURL,
+ InnerHost: innerHost,
+ })
+ }
+ return out, nil
+}
+
+// samplePrefix picks a prefix weighted by its address count, then a
+// uniform random IP inside it. Weighting matters because the CloudFront
+// list mixes /14s with /27s — uniform-over-prefixes would massively
+// over-represent the small ones.
+func samplePrefix(prefixes []netip.Prefix) (string, error) {
+ if len(prefixes) == 0 {
+ return "", fmt.Errorf("no prefixes")
+ }
+
+ weights := make([]*big.Int, len(prefixes))
+ total := new(big.Int)
+ for i, p := range prefixes {
+ host := p.Bits()
+ bits := p.Addr().BitLen() - host
+ w := new(big.Int).Lsh(big.NewInt(1), uint(bits))
+ weights[i] = w
+ total.Add(total, w)
+ }
+
+ pick, err := rand.Int(rand.Reader, total)
+ if err != nil {
+ return "", fmt.Errorf("rand: %w", err)
+ }
+
+ acc := new(big.Int)
+ for i, w := range weights {
+ acc.Add(acc, w)
+ if pick.Cmp(acc) < 0 {
+ return randomIPInPrefix(prefixes[i])
+ }
+ }
+ return randomIPInPrefix(prefixes[len(prefixes)-1])
+}
+
+func randomIPInPrefix(p netip.Prefix) (string, error) {
+ if !p.Addr().Is4() {
+ return "", fmt.Errorf("v6 prefix not supported yet: %s", p)
+ }
+ host := p.Bits()
+ bits := 32 - host
+ if bits == 0 {
+ return p.Addr().String(), nil
+ }
+ cap := new(big.Int).Lsh(big.NewInt(1), uint(bits))
+ pick, err := rand.Int(rand.Reader, cap)
+ if err != nil {
+ return "", fmt.Errorf("rand: %w", err)
+ }
+
+ base := p.Addr().As4()
+ baseUint := binary.BigEndian.Uint32(base[:])
+ offset := uint32(pick.Int64())
+ addrUint := baseUint + offset
+
+ var out [4]byte
+ binary.BigEndian.PutUint32(out[:], addrUint)
+ return net.IP(out[:]).String(), nil
+}
diff --git a/fronted/scanner/cloudfront_prefixes.txt b/fronted/scanner/cloudfront_prefixes.txt
new file mode 100644
index 00000000..bceda3c9
--- /dev/null
+++ b/fronted/scanner/cloudfront_prefixes.txt
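Review bot: `randomIPInPrefix` adds the random offset to `p.Addr()` exactly as parsed, and `netip.ParsePrefix` keeps any host bits that were set in the text, so a non-canonical line in `cloudfront_prefixes.txt` (its header says the file is regenerated by hand) would produce dial targets outside the published range. Normalising first, with `p = p.Masked()` at the top of `randomIPInPrefix` or `out = append(out, p.Masked())` in `CloudFrontPrefixes`, keeps every sampled address inside its prefix. `samplePrefix` also weights by `p.Addr().BitLen()`, so an IPv6 prefix could be selected and then rejected by `randomIPInPrefix`, failing the whole `CloudFrontCandidates` call part-way; skipping non-IPv4 prefixes in `CloudFrontPrefixes` avoids that. The weight table is rebuilt on every `samplePrefix` call and could be computed once per `CloudFrontCandidates` call.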
@@ -0,0 +1,211 @@ +# CloudFront IPv4 prefixes — extracted from AWS ip-ranges.json +# syncToken: 1778907425 +# createDate: 2026-05-16-04-57-05 +# count: 204 prefixes +# regenerated by hand: download https://ip-ranges.amazonaws.com/ip-ranges.json, +# filter service == CLOUDFRONT, write ip_prefix one-per-line, sort. + +108.138.0.0/15 +108.156.0.0/14 +111.13.171.128/26 +111.13.171.192/26 +111.13.185.32/27 +111.13.185.64/27 +116.129.226.0/25 +116.129.226.128/26 +118.193.97.128/25 +118.193.97.64/26 +119.147.182.0/25 +119.147.182.128/26 +120.232.236.0/25 +120.232.236.128/26 +120.253.240.192/26 +120.253.241.160/27 +120.253.245.128/26 +120.253.245.192/27 +120.52.12.64/26 +120.52.153.192/26 +120.52.22.96/27 +120.52.39.128/27 +13.113.196.64/26 +13.113.203.0/24 +13.124.199.0/24 +13.134.24.0/23 +13.134.94.0/23 +13.203.133.0/26 +13.210.67.128/26 +13.224.0.0/14 +13.228.69.0/24 +13.233.177.192/26 +13.249.0.0/16 +13.32.0.0/15 +13.35.0.0/16 +13.54.63.128/26 +13.59.250.0/26 +130.176.0.0/17 +130.176.128.0/18 +130.176.192.0/19 +130.176.224.0/20 +143.204.0.0/16 +144.220.0.0/16 +15.158.0.0/16 +15.188.184.0/24 +15.207.13.128/25 +15.207.213.128/25 +18.154.0.0/15 +18.160.0.0/15 +18.164.0.0/15 +18.172.0.0/15 +18.175.65.0/24 +18.175.66.0/24 +18.175.67.0/24 +18.192.142.0/23 +18.199.68.0/22 +18.199.72.0/22 +18.199.76.0/22 +18.200.212.0/23 +18.216.170.128/25 +18.229.220.192/26 +18.230.229.0/24 +18.230.230.0/25 +18.238.0.0/15 +18.244.0.0/15 +18.64.0.0/14 +18.68.0.0/16 +180.163.57.0/25 +180.163.57.128/26 +204.246.164.0/22 +204.246.168.0/22 +204.246.172.0/24 +204.246.173.0/24 +204.246.174.0/23 +204.246.176.0/20 +205.251.202.0/23 +205.251.204.0/23 +205.251.206.0/23 +205.251.208.0/20 +205.251.249.0/24 +205.251.250.0/23 +205.251.252.0/23 +205.251.254.0/24 +216.137.32.0/19 +23.228.212.0/24 +23.228.213.0/24 +23.228.214.0/24 +23.228.220.0/24 +23.228.221.0/24 +23.228.222.0/24 +23.228.223.0/24 +23.228.244.0/24 +23.234.192.0/18 +23.91.0.0/19 +24.110.32.0/19 +3.10.17.128/25 +3.101.158.0/23 +3.107.43.128/25 
+3.107.44.0/25 +3.107.44.128/25 +3.11.53.0/24 +3.128.93.0/24 +3.134.215.0/24 +3.146.232.0/22 +3.147.164.0/22 +3.147.244.0/22 +3.160.0.0/14 +3.164.0.0/18 +3.164.128.0/17 +3.164.64.0/18 +3.165.0.0/16 +3.166.0.0/15 +3.168.0.0/14 +3.172.0.0/18 +3.172.64.0/18 +3.173.0.0/17 +3.173.128.0/18 +3.173.192.0/18 +3.174.0.0/15 +3.231.2.0/25 +3.234.232.224/27 +3.236.169.192/26 +3.236.48.0/23 +3.29.40.128/26 +3.29.40.192/26 +3.29.40.64/26 +3.29.57.0/26 +3.35.130.128/25 +34.195.252.0/24 +34.216.51.0/25 +34.223.12.224/27 +34.223.80.192/26 +34.226.14.0/24 +35.158.136.0/24 +35.162.63.192/26 +35.167.191.128/26 +35.93.168.0/23 +35.93.170.0/23 +35.93.172.0/23 +36.103.232.0/25 +36.103.232.128/26 +43.218.56.128/26 +43.218.56.192/26 +43.218.56.64/26 +43.218.71.0/26 +44.220.194.0/23 +44.220.196.0/23 +44.220.198.0/23 +44.220.200.0/23 +44.220.202.0/23 +44.222.66.0/24 +44.227.178.0/24 +44.234.108.128/25 +44.234.90.252/30 +47.129.82.0/24 +47.129.83.0/24 +47.129.84.0/24 +51.44.234.0/23 +51.44.236.0/23 +51.44.238.0/23 +51.74.192.0/18 +52.124.128.0/17 +52.15.127.128/26 +52.199.127.192/26 +52.212.248.0/26 +52.220.191.0/26 +52.222.128.0/17 +52.46.0.0/18 +52.47.139.0/24 +52.52.191.128/26 +52.56.127.0/25 +52.57.254.0/24 +52.66.194.128/26 +52.78.247.128/26 +52.82.128.0/19 +52.84.0.0/15 +54.182.0.0/16 +54.192.0.0/16 +54.230.0.0/17 +54.230.128.0/18 +54.230.200.0/21 +54.230.208.0/20 +54.230.224.0/19 +54.233.255.128/26 +54.239.128.0/18 +54.239.192.0/19 +54.240.128.0/18 +56.125.46.0/24 +56.125.47.0/32 +56.125.48.0/24 +57.182.253.0/24 +57.183.42.0/25 +58.254.138.0/25 +58.254.138.128/26 +64.252.128.0/18 +64.252.64.0/18 +65.8.0.0/16 +65.9.0.0/17 +65.9.128.0/18 +70.132.0.0/18 +71.152.0.0/17 +99.79.169.0/24 +99.84.0.0/16 +99.86.0.0/16 diff --git a/fronted/scanner/cloudfront_test.go b/fronted/scanner/cloudfront_test.go new file mode 100644 index 00000000..d3f69658 --- /dev/null +++ b/fronted/scanner/cloudfront_test.go 
@@ -0,0 +1,106 @@
+package scanner
+
+import (
+ "net"
+ "net/netip"
+ "testing"
+)
+
+func TestCloudFrontPrefixes_NonEmpty(t *testing.T) {
+ p, err := CloudFrontPrefixes()
+ if err != nil {
+ t.Fatalf("CloudFrontPrefixes: %v", err)
+ }
+ if len(p) < 100 {
+ t.Errorf("got %d prefixes; want >= 100 (AWS publishes ~200)", len(p))
+ }
+}
+
+func TestSamplePrefix_HitsPrefix(t *testing.T) {
+ prefixes := []netip.Prefix{
+ netip.MustParsePrefix("203.0.113.0/24"),
+ }
+ for i := 0; i < 50; i++ {
+ ip, err := samplePrefix(prefixes)
+ if err != nil {
+ t.Fatalf("samplePrefix: %v", err)
+ }
+ addr, err := netip.ParseAddr(ip)
+ if err != nil {
+ t.Fatalf("parse %q: %v", ip, err)
+ }
+ if !prefixes[0].Contains(addr) {
+ t.Errorf("sampled %s not in %s", ip, prefixes[0])
+ }
+ }
+}
+
+func TestSamplePrefix_WeightedByCount(t *testing.T) {
+ prefixes := []netip.Prefix{
+ netip.MustParsePrefix("198.51.100.0/24"),
+ netip.MustParsePrefix("203.0.113.0/30"),
+ }
+ bigHits, smallHits := 0, 0
+ for i := 0; i < 1000; i++ {
+ ip, err := samplePrefix(prefixes)
+ if err != nil {
+ t.Fatalf("samplePrefix: %v", err)
+ }
+ addr := netip.MustParseAddr(ip)
+ if prefixes[0].Contains(addr) {
+ bigHits++
+ } else if prefixes[1].Contains(addr) {
+ smallHits++
+ }
+ }
+ if bigHits <= smallHits {
+ t.Errorf("/24 hit %d, /30 hit %d — expected /24 dominant", bigHits, smallHits)
+ }
+}
+
+func TestCloudFrontCandidates(t *testing.T) {
+ snis := []string{"aa1.awsstatic.com", "advertising.amazon.com", "abcmouse.com"}
+ cands, err := CloudFrontCandidates(30, snis, "https://api.iantem.io/ping", "api.iantem.io")
+ if err != nil {
+ t.Fatalf("CloudFrontCandidates: %v", err)
+ }
+ if len(cands) != 30 {
+ t.Errorf("len = %d; want 30", len(cands))
+ }
+
+ seenIP := map[string]int{}
+ sniHits := map[string]int{}
+ allowedSNI := map[string]bool{"aa1.awsstatic.com": true, "advertising.amazon.com": true, "abcmouse.com": true}
+ for _, c := range cands {
+ if c.Provider != "cloudfront" {
+ t.Errorf("provider = %q; want 
cloudfront", c.Provider)
+ }
+ if !allowedSNI[c.Domain] {
+ t.Errorf("Domain = %q; not in input SNI list", c.Domain)
+ }
+ if c.Domain != c.VerifyHostname {
+ t.Errorf("VerifyHostname = %q; want = Domain %q", c.VerifyHostname, c.Domain)
+ }
+ if net.ParseIP(c.IPAddress) == nil {
+ t.Errorf("bad IP %q", c.IPAddress)
+ }
+ if c.InnerHost != "api.iantem.io" {
+ t.Errorf("InnerHost = %q; want api.iantem.io", c.InnerHost)
+ }
+ seenIP[c.IPAddress]++
+ sniHits[c.Domain]++
+ }
+ if len(seenIP) < 25 {
+ t.Errorf("only %d distinct IPs across 30 samples; want more variety", len(seenIP))
+ }
+ if len(sniHits) < 2 {
+ t.Errorf("SNIs got %d unique hits; want at least 2 (random distribution)", len(sniHits))
+ }
+}
+
+func TestCloudFrontCandidates_NoSNIs(t *testing.T) {
+ _, err := CloudFrontCandidates(5, nil, "https://api.iantem.io/ping", "api.iantem.io")
+ if err == nil {
+ t.Errorf("expected error when snis is empty")
+ }
+}
diff --git a/fronted/scanner/integration_test.go b/fronted/scanner/integration_test.go
new file mode 100644
index 00000000..3c46dcbf
--- /dev/null
+++ b/fronted/scanner/integration_test.go
@@ -0,0 +1,145 @@
+package scanner
+
+import (
+ "context"
+ "fmt"
+ "os"
+ "testing"
+ "time"
+)
+
+// integrationGate enforces SCANNER_INTEGRATION=1 so unattended CI runs
+// don't probe live CDNs. Run with:
+//
+// SCANNER_INTEGRATION=1 go test -count=1 -v -run TestLive ./fronted/scanner/...
+func integrationGate(t *testing.T) {
+ t.Helper()
+ if os.Getenv("SCANNER_INTEGRATION") != "1" {
+ t.Skip("skipping live-network test; set SCANNER_INTEGRATION=1 to run")
+ }
+}
+
+// Probe targets behind our Akamai and CloudFront fronts; URLs taken from
+// the testurl fields in fronted.yaml.gz, the same probes domainfront
+// uses to validate masquerades in production.
+const (
+ akamaiTestURL = "https://fronted-ping.dsa.akamai.getiantem.org/ping"
+ cloudfrontTestURL = "http://d157vud77ygy87.cloudfront.net/ping"
+)
+
+func TestLive_AkamaiSystemResolver(t *testing.T) {
+ integrationGate(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+ defer cancel()
+
+ hostnames, err := GenerateAkamaiHostnames(8)
+ if err != nil {
+ t.Fatalf("GenerateAkamaiHostnames: %v", err)
+ }
+ hostnames = append(hostnames, AkamaiEdgeHostnames...)
+
+ cands, err := AkamaiCandidates(ctx, hostnames, SystemResolver{}, akamaiTestURL, "fronted-ping.dsa.akamai.getiantem.org")
+ if err != nil {
+ t.Fatalf("AkamaiCandidates: %v", err)
+ }
+ if len(cands) == 0 {
+ t.Fatal("no Akamai candidates resolved; system resolver may have failed")
+ }
+
+ results := Scan(ctx, cands, Options{DialTimeout: 5 * time.Second, Concurrency: 4})
+ working := RankWorking(results)
+
+ report(t, "akamai", cands, results, working)
+ if len(working) == 0 {
+ t.Errorf("0 of %d Akamai candidates probed OK; expected at least 1", len(cands))
+ }
+}
+
+// TestLive_CloudFrontRandomIPs is diagnostic only — random IPs in the
+// CloudFront range have low hit rate because each edge POP serves a
+// subset of distributions. The probe correctly filters; the test
+// reports the rate without asserting a floor. 
To validate the probe
+// technique itself, see TestLive_CloudFrontKnownMasquerades.
+func TestLive_CloudFrontRandomIPs(t *testing.T) {
+ integrationGate(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+ defer cancel()
+
+ snis := []string{
+ "aa1.awsstatic.com",
+ "advertising.amazon.com",
+ "abcmouse.com",
+ "adsrvr.org",
+ }
+ cands, err := CloudFrontCandidates(40, snis, cloudfrontTestURL, "d157vud77ygy87.cloudfront.net")
+ if err != nil {
+ t.Fatalf("CloudFrontCandidates: %v", err)
+ }
+
+ results := Scan(ctx, cands, Options{DialTimeout: 5 * time.Second, Concurrency: 8})
+ working := RankWorking(results)
+
+ report(t, "cloudfront-random", cands, results, working)
+}
+
+// TestLive_CloudFrontKnownMasquerades probes a handful of pre-validated
+// (IP, outer SNI) pairs from fronted.yaml.gz. Hit rate should be high
+// because each pair was verified before being committed to the config.
+// Use this to confirm the probe machinery works against CloudFront;
+// random-IP discovery is a separate question covered by
+// TestLive_CloudFrontRandomIPs.
+func TestLive_CloudFrontKnownMasquerades(t *testing.T) {
+ integrationGate(t)
+
+ ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+ defer cancel()
+
+ known := []Candidate{
+ {Provider: "cloudfront", Domain: "aa1.awsstatic.com", SNI: "aa1.awsstatic.com", IPAddress: "99.84.2.4", VerifyHostname: "aa1.awsstatic.com", TestURL: cloudfrontTestURL, InnerHost: "d157vud77ygy87.cloudfront.net"},
+ {Provider: "cloudfront", Domain: "aa1.awsstatic.com", SNI: "aa1.awsstatic.com", IPAddress: "18.238.3.4", VerifyHostname: "aa1.awsstatic.com", TestURL: cloudfrontTestURL, InnerHost: "d157vud77ygy87.cloudfront.net"},
+ {Provider: "cloudfront", Domain: "advertising.amazon.com", SNI: "advertising.amazon.com", IPAddress: "3.164.130.9", VerifyHostname: "advertising.amazon.com", TestURL: cloudfrontTestURL, InnerHost: "d157vud77ygy87.cloudfront.net"},
+ {Provider: "cloudfront", Domain: "advertising.amazon.com", SNI: "advertising.amazon.com", IPAddress: "54.230.224.110", VerifyHostname: "advertising.amazon.com", TestURL: cloudfrontTestURL, InnerHost: "d157vud77ygy87.cloudfront.net"},
+ {Provider: "cloudfront", Domain: "advertising.amazon.com", SNI: "advertising.amazon.com", IPAddress: "18.244.1.167", VerifyHostname: "advertising.amazon.com", TestURL: cloudfrontTestURL, InnerHost: "d157vud77ygy87.cloudfront.net"},
+ }
+ results := Scan(ctx, known, Options{DialTimeout: 5 * time.Second, Concurrency: 4})
+ working := RankWorking(results)
+ report(t, "cloudfront-known", known, results, working)
+ // Diagnostic only: pre-validated pairs may go stale as CloudFront
+ // re-shards distributions across POPs. The scanner correctly
+ // filtering stale entries is exactly its job.
+}
+
+func report(t *testing.T, label string, cands []Candidate, results []Result, working []Result) {
+ t.Helper()
+ t.Logf("[%s] probed %d candidates, %d working (%.0f%%)", label, len(cands), len(working), 100*float64(len(working))/float64(len(cands)))
+ for i, r := range working {
+ if i >= 5 {
+ t.Logf("[%s] (… and %d more working)", label, len(working)-5)
+ break
+ }
+ t.Logf("[%s] OK %s ip=%s sni=%s latency=%s", label, r.Candidate.Provider, r.Candidate.IPAddress, r.Candidate.outerSNI(), r.Latency)
+ }
+ errs := map[string]int{}
+ for _, r := range results {
+ if r.OK() || r.Err == nil {
+ continue
+ }
+ errs[shortErr(r.Err)]++
+ }
+ for kind, n := range errs {
+ t.Logf("[%s] error %q: %d", label, kind, n)
+ }
+}
+
+func shortErr(err error) string {
+ s := err.Error()
+ if len(s) > 240 {
+ s = s[:240] + "…"
+ }
+ return s
+}
+
+// Sanity check that compiles without integration gate so the file always builds.
+var _ = fmt.Sprintf
diff --git a/fronted/scanner/scanner.go b/fronted/scanner/scanner.go
new file mode 100644
index 00000000..a78fcba1
--- /dev/null
+++ b/fronted/scanner/scanner.go
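Review bot: `cloudfrontTestURL` is an `http://` URL, while the package documentation describes the probe as an HTTPS GET over the TLS connection to port 443; a comment on the constant should say whether Probe ignores the scheme or whether the CloudFront leg is deliberately different, since Probe's request construction is not visible in this hunk. `fmt` is imported only to satisfy `var _ = fmt.Sprintf`, so dropping both the import and that line is simpler than the keep-alive and removes a comment that does not describe what the line does. `shortErr` slices at byte 240, which can cut a multi-byte rune in an error string; harmless in a test log, but a one-line comment would save the next reader the question.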
@@ -0,0 +1,272 @@
+// Package scanner probes domain-fronting candidates from the user's
+// network position to find which routes actually work end-to-end.
+//
+// A successful probe is a TCP+TLS handshake to a CDN edge IP using the
+// candidate's outer SNI followed by an HTTPS GET to TestURL with
+// InnerHost as the Host header that returns 2xx. Both legs must work:
+// TLS-only success would only confirm the edge is reachable, not that
+// the inner Host routes to our backend through that edge.
+//
+// The scanner is intended to run client-side so each user's results
+// reflect their ISP, geography, and time of day — the variables Samim
+// Mirhosseini identified as load-bearing for IR-specific fronting.
+package scanner
+
+import (
+ "context"
+ "crypto/x509"
+ "errors"
+ "fmt"
+ "net"
+ "net/http"
+ "net/url"
+ "sort"
+ "sync"
+ "time"
+
+ tls "github.com/refraction-networking/utls"
+)
+
+// Candidate describes one (CDN edge, masquerade) pair to probe.
+//
+// SNI semantics matter and differ between providers. Empty SNI means
+// "send no SNI extension at all" — Akamai edges return their default
+// cert in that mode, which validates against Domain. Non-empty SNI is
+// sent in the ClientHello — CloudFront edges serve cert content keyed
+// to the SNI value, so the masquerade domain must be passed in SNI.
+// Match the production domainfront dialer's behavior: leave SNI empty
+// for Akamai-style entries; set it explicitly for CloudFront-style
+// entries.
+//
+// Domain identifies the logical front and is the hostname the
+// post-handshake cert chain is verified against when VerifyHostname
+// isn't overridden.
+type Candidate struct {
+ Provider string
+ Domain string
+ IPAddress string
+ SNI string
+ VerifyHostname string
+ TestURL string
+ InnerHost string
+}
+
+func (c Candidate) outerSNI() string {
+ return c.SNI
+}
+
+func (c Candidate) verify() string {
+ if c.VerifyHostname != "" {
+ return c.VerifyHostname
+ }
+ return c.Domain
+}
+
+type Result struct {
+ Candidate Candidate
+ Latency time.Duration
+ Status int
+ Err error
+}
+
+func (r Result) OK() bool { return r.Err == nil && r.Status >= 200 && r.Status < 300 }
+
+type Dialer interface {
+ DialContext(ctx context.Context, network, addr string) (net.Conn, error)
+}
+
+type Options struct {
+ Dialer Dialer
+ RootCAs *x509.CertPool
+ ClientHelloID tls.ClientHelloID
+ DialTimeout time.Duration
+ Concurrency int
+}
+
+func (o *Options) defaults() {
+ if o.Dialer == nil {
+ o.Dialer = &net.Dialer{}
+ }
+ if o.ClientHelloID.Client == "" {
+ o.ClientHelloID = tls.HelloGolang
+ }
+ if o.DialTimeout <= 0 {
+ o.DialTimeout = 5 * time.Second
+ }
+ if o.Concurrency <= 0 {
+ o.Concurrency = 8
+ }
+}
+
+var errNoTestURL = errors.New("candidate has no TestURL")
+
+func Probe(ctx context.Context, c Candidate, opts Options) Result {
+ opts.defaults()
+
+ start := time.Now()
+ res := Result{Candidate: c}
+
+ if c.TestURL == "" {
+ res.Err = errNoTestURL
+ return res
+ }
+ if c.IPAddress == "" {
+ res.Err = errors.New("candidate has no IPAddress")
+ return res
+ }
+
+ addr := c.IPAddress
+ if _, _, err := net.SplitHostPort(addr); err != nil {
+ addr = net.JoinHostPort(addr, "443")
+ }
+
+ dialCtx, cancel := context.WithTimeout(ctx, opts.DialTimeout)
+ defer cancel()
+
+ rawConn, err := opts.Dialer.DialContext(dialCtx, "tcp", addr)
+ if err != nil {
+ res.Latency = time.Since(start)
+ res.Err = fmt.Errorf("tcp: %w", err)
+ return res
+ }
+
+ deadline := time.Now().Add(opts.DialTimeout)
+ _ = rawConn.SetDeadline(deadline)
+
+ verifyHost := c.verify()
+ tlsConfig := &tls.Config{
+ RootCAs: opts.RootCAs,
+ InsecureSkipVerify: true,
+ VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+ return verifyCertChain(rawCerts, opts.RootCAs, verifyHost)
+ },
+ }
+ if outer := c.outerSNI(); outer != "" {
+ tlsConfig.ServerName = outer
+ }
+
+ tlsConn := tls.UClient(rawConn, tlsConfig, opts.ClientHelloID)
+ if err := tlsConn.HandshakeContext(dialCtx); err != nil {
+ rawConn.Close()
+ res.Latency = time.Since(start)
+ res.Err = fmt.Errorf("tls: %w", err)
+ return res
+ }
+
+ req, err := buildProbeRequest(dialCtx, c)
+ if err != nil {
+ tlsConn.Close()
+ res.Latency = time.Since(start)
+ res.Err = err
+ return res
+ }
+
+ tr := &http.Transport{
+ DialTLSContext: func(context.Context, string, string) (net.Conn, error) {
+ return tlsConn, nil
+ },
+ DisableKeepAlives: true,
+ }
+ client := &http.Client{Transport: tr, Timeout: opts.DialTimeout}
+
+ resp, err := client.Do(req)
+ if err != nil {
+ tlsConn.Close()
+ res.Latency = time.Since(start)
+ res.Err = fmt.Errorf("http: %w", err)
+ return res
+ }
+ defer resp.Body.Close()
+ tr.CloseIdleConnections()
+
+ res.Status = resp.StatusCode
+ res.Latency = time.Since(start)
+ if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+ res.Err = fmt.Errorf("http status %d", resp.StatusCode)
+ }
+ return res
+}
+
+func buildProbeRequest(ctx context.Context, c Candidate) (*http.Request, error) {
+ u, err := url.Parse(c.TestURL)
+ if err != nil {
+ return nil, fmt.Errorf("parse TestURL: %w", err)
+ }
+ req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
+ if err != nil {
+ return nil, fmt.Errorf("new request: %w", err)
+ }
+ if c.InnerHost != "" {
+ req.Host = c.InnerHost
+ }
+ return req, nil
+}
+
+// Scan probes candidates concurrently and returns one Result per
+// candidate. Results retain input order so callers can correlate by
+// index; sort by Latency or filter by OK() to rank.
+func Scan(ctx context.Context, candidates []Candidate, opts Options) []Result {
+ opts.defaults()
+
+ results := make([]Result, len(candidates))
+ if len(candidates) == 0 {
+ return results
+ }
+
+ sem := make(chan struct{}, opts.Concurrency)
+ var wg sync.WaitGroup
+ for i, c := range candidates {
+ wg.Add(1)
+ sem <- struct{}{}
+ go func(i int, c Candidate) {
+ defer wg.Done()
+ defer func() { <-sem }()
+ if err := ctx.Err(); err != nil {
+ results[i] = Result{Candidate: c, Err: err}
+ return
+ }
+ results[i] = Probe(ctx, c, opts)
+ }(i, c)
+ }
+ wg.Wait()
+ return results
+}
+
+// RankWorking returns the OK() results sorted by latency ascending.
+func RankWorking(results []Result) []Result {
+ out := make([]Result, 0, len(results))
+ for _, r := range results {
+ if r.OK() {
+ out = append(out, r)
+ }
+ }
+ sort.Slice(out, func(i, j int) bool { return out[i].Latency < out[j].Latency })
+ return out
+}
+
+func verifyCertChain(rawCerts [][]byte, roots *x509.CertPool, dnsName string) error {
+ if len(rawCerts) == 0 {
+ return errors.New("no certificates presented")
+ }
+ cert, err := x509.ParseCertificate(rawCerts[0])
+ if err != nil {
+ return fmt.Errorf("parse leaf: %w", err)
+ }
+ opts := x509.VerifyOptions{
+ Roots: roots,
+ CurrentTime: time.Now(),
+ DNSName: dnsName,
+ Intermediates: x509.NewCertPool(),
+ }
+ for i := 1; i < len(rawCerts); i++ {
+ c, err := x509.ParseCertificate(rawCerts[i])
+ if err != nil {
+ return fmt.Errorf("parse intermediate %d: %w", i, err)
+ }
+ opts.Intermediates.AddCert(c)
+ }
+ if _, err := cert.Verify(opts); err != nil {
+ return fmt.Errorf("verify: %w", err)
+ }
+ return nil
+}
diff --git a/fronted/scanner/scanner_test.go b/fronted/scanner/scanner_test.go
new file mode 100644
index 00000000..f7ce1b8b
--- /dev/null
+++ b/fronted/scanner/scanner_test.go
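Review bot: In `Probe`, the HTTP leg is not pinned to the connection that was just verified. `buildProbeRequest` passes `c.TestURL` through unchanged and `http.Transport` only calls `DialTLSContext` for `https` URLs, so an `http://` TestURL (one appears in the CloudFront fixture in scanner_test.go) would be dialled in cleartext straight to the inner host, outside the front; the client's default redirect policy has the same effect for a redirect to an `http://` target. A second gap is that `c.verify()` returns an empty string when both `VerifyHostname` and `Domain` are empty, and `x509.VerifyOptions` with an empty `DNSName` validates the chain but no hostname. Unless `CandidatesFromConfig` (not in this hunk) already normalises these cases, I would reject them in `Probe` and `buildProbeRequest` as below.

```go
// in Probe, right after the existing line
verifyHost := c.verify()
if verifyHost == "" {
	rawConn.Close()
	res.Latency = time.Since(start)
	res.Err = errors.New("candidate has no hostname to verify the certificate against")
	return res
}
// … unchanged: tls.Config, handshake, buildProbeRequest, transport …
client := &http.Client{
	Transport: tr,
	Timeout:   opts.DialTimeout,
	// Never follow redirects: the next hop would not use the verified tlsConn.
	CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	},
}

// in buildProbeRequest, after url.Parse succeeds
if u.Scheme != "https" {
	return nil, fmt.Errorf("TestURL scheme %q: probe requires https", u.Scheme)
}
```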
@@ -0,0 +1,313 @@ +package scanner + +import ( + "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "errors" + "fmt" + "math/big" + "net" + "net/http" + "net/http/httptest" + "testing" + "time" + + "github.com/getlantern/domainfront" + tls "github.com/refraction-networking/utls" + stdtls "crypto/tls" +) + +func TestProbe_SuccessfulHandshakeAnd200(t *testing.T) { + srv, ca := newTLSEchoServer(t, "test.example", http.StatusOK) + t.Cleanup(srv.Close) + + host, port, err := net.SplitHostPort(srv.Listener.Addr().String()) + if err != nil { + t.Fatalf("split: %v", err) + } + + c := Candidate{ + Provider: "test", + Domain: "test.example", + IPAddress: host + ":" + port, + TestURL: fmt.Sprintf("https://%s/ping", srv.Listener.Addr().String()), + InnerHost: "test.example", + VerifyHostname: "test.example", + } + + res := Probe(context.Background(), c, Options{RootCAs: ca, DialTimeout: 2 * time.Second}) + + if !res.OK() { + t.Fatalf("probe failed: status=%d err=%v", res.Status, res.Err) + } + if res.Latency <= 0 { + t.Errorf("latency = %v; want > 0", res.Latency) + } +} + +func TestProbe_TCPConnectFails(t *testing.T) { + c := Candidate{ + Provider: "test", + Domain: "test.example", + IPAddress: "127.0.0.1:1", + TestURL: "https://test.example/ping", + InnerHost: "test.example", + } + res := Probe(context.Background(), c, Options{DialTimeout: 500 * time.Millisecond}) + if res.OK() { + t.Errorf("expected failure, got OK result") + } + if res.Err == nil { + t.Errorf("expected non-nil error") + } +} + +func TestProbe_TLSWrongHostname(t *testing.T) { + srv, ca := newTLSEchoServer(t, "test.example", http.StatusOK) + t.Cleanup(srv.Close) + + host, port, _ := net.SplitHostPort(srv.Listener.Addr().String()) + c := Candidate{ + Provider: "test", + Domain: "wrong.example", + IPAddress: host + ":" + port, + TestURL: fmt.Sprintf("https://%s/ping", srv.Listener.Addr().String()), + VerifyHostname: "wrong.example", + } + res 
:= Probe(context.Background(), c, Options{RootCAs: ca, DialTimeout: 2 * time.Second}) + if res.OK() { + t.Errorf("expected hostname mismatch failure, got OK") + } +} + +func TestProbe_HTTP500NotOK(t *testing.T) { + srv, ca := newTLSEchoServer(t, "test.example", http.StatusInternalServerError) + t.Cleanup(srv.Close) + + host, port, _ := net.SplitHostPort(srv.Listener.Addr().String()) + c := Candidate{ + Provider: "test", + Domain: "test.example", + IPAddress: host + ":" + port, + TestURL: fmt.Sprintf("https://%s/ping", srv.Listener.Addr().String()), + VerifyHostname: "test.example", + } + res := Probe(context.Background(), c, Options{RootCAs: ca, DialTimeout: 2 * time.Second}) + if res.OK() { + t.Errorf("expected 5xx to fail OK()") + } + if res.Status != http.StatusInternalServerError { + t.Errorf("status = %d; want 500", res.Status) + } +} + +func TestScan_RanksByLatency(t *testing.T) { + srvFast, ca := newTLSEchoServer(t, "fast.example", http.StatusOK) + t.Cleanup(srvFast.Close) + srvSlow, _ := newTLSEchoServerWithCA(t, "slow.example", http.StatusOK, ca, 100*time.Millisecond) + t.Cleanup(srvSlow.Close) + + cands := []Candidate{ + { + Provider: "test", + Domain: "slow.example", + IPAddress: srvSlow.Listener.Addr().String(), + TestURL: fmt.Sprintf("https://%s/ping", srvSlow.Listener.Addr().String()), + VerifyHostname: "slow.example", + }, + { + Provider: "test", + Domain: "fast.example", + IPAddress: srvFast.Listener.Addr().String(), + TestURL: fmt.Sprintf("https://%s/ping", srvFast.Listener.Addr().String()), + VerifyHostname: "fast.example", + }, + { + Provider: "test", + Domain: "deadend.example", + IPAddress: "127.0.0.1:1", + TestURL: "https://deadend.example/ping", + }, + } + + results := Scan(context.Background(), cands, Options{RootCAs: ca, DialTimeout: 3 * time.Second}) + if len(results) != 3 { + t.Fatalf("len(results) = %d; want 3", len(results)) + } + + ranked := RankWorking(results) + if len(ranked) != 2 { + t.Fatalf("RankWorking returned %d; want 2", 
len(ranked)) + } + if ranked[0].Candidate.Domain != "fast.example" { + t.Errorf("rank[0] = %q; want fast.example", ranked[0].Candidate.Domain) + } + if ranked[1].Candidate.Domain != "slow.example" { + t.Errorf("rank[1] = %q; want slow.example", ranked[1].Candidate.Domain) + } +} + +func TestCandidatesFromConfig(t *testing.T) { + cfg := &domainfront.Config{ + Providers: map[string]*domainfront.Provider{ + "akamai": { + TestURL: "https://fronted-ping.dsa.akamai.getiantem.org/ping", + Masquerades: []*domainfront.Masquerade{ + {Domain: "a248.e.akamai.net", IpAddress: "23.47.48.230"}, + {Domain: "a248.e.akamai.net", IpAddress: "184.150.49.62"}, + }, + }, + "cloudfront": { + TestURL: "http://d157vud77ygy87.cloudfront.net/ping", + Masquerades: []*domainfront.Masquerade{ + {Domain: "aa1.awsstatic.com", IpAddress: "99.84.2.4"}, + }, + }, + }, + } + + cands, err := CandidatesFromConfig(cfg) + if err != nil { + t.Fatalf("CandidatesFromConfig: %v", err) + } + if len(cands) != 3 { + t.Fatalf("len(cands) = %d; want 3", len(cands)) + } + + byProvider := map[string]int{} + for _, c := range cands { + byProvider[c.Provider]++ + if c.InnerHost == "" { + t.Errorf("candidate %v has empty InnerHost", c) + } + if c.TestURL == "" { + t.Errorf("candidate %v has empty TestURL", c) + } + } + if byProvider["akamai"] != 2 || byProvider["cloudfront"] != 1 { + t.Errorf("provider distribution wrong: %v", byProvider) + } +} + +func TestCandidatesFromConfig_NilConfigReturnsError(t *testing.T) { + _, err := CandidatesFromConfig(nil) + if err == nil { + t.Errorf("expected error for nil config") + } +} + +func TestSNIsForProvider_UniqueAndOrdered(t *testing.T) { + cfg := &domainfront.Config{ + Providers: map[string]*domainfront.Provider{ + "cloudfront": { + Masquerades: []*domainfront.Masquerade{ + {Domain: "aa1.awsstatic.com", IpAddress: "1.1.1.1"}, + {Domain: "aa1.awsstatic.com", IpAddress: "1.1.1.2"}, // dup + {Domain: "advertising.amazon.com", IpAddress: "2.2.2.2"}, + {Domain: "", IpAddress: 
"3.3.3.3"}, // skip empty + }, + }, + }, + } + got := SNIsForProvider(cfg, "cloudfront") + if len(got) != 2 { + t.Fatalf("len = %d; want 2", len(got)) + } + want := map[string]bool{"aa1.awsstatic.com": true, "advertising.amazon.com": true} + for _, s := range got { + if !want[s] { + t.Errorf("unexpected SNI %q", s) + } + } +} + +func TestSNIsForProvider_MissingProvider(t *testing.T) { + cfg := &domainfront.Config{Providers: map[string]*domainfront.Provider{}} + if got := SNIsForProvider(cfg, "cloudfront"); got != nil { + t.Errorf("missing provider should yield nil, got %v", got) + } +} + +// --- helpers --- + +func newTLSEchoServer(t *testing.T, dnsName string, status int) (*httptest.Server, *x509.CertPool) { + t.Helper() + cert, pool := selfSignedCert(t, dnsName) + + srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(status) + _, _ = w.Write([]byte("ok")) + })) + srv.TLS = &stdtls.Config{Certificates: []stdtls.Certificate{cert}} + srv.StartTLS() + return srv, pool +} + +func newTLSEchoServerWithCA(t *testing.T, dnsName string, status int, pool *x509.CertPool, delay time.Duration) (*httptest.Server, *x509.CertPool) { + t.Helper() + cert, _ := selfSignedCertWithPool(t, dnsName, pool) + + srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if delay > 0 { + time.Sleep(delay) + } + w.WriteHeader(status) + _, _ = w.Write([]byte("ok")) + })) + srv.TLS = &stdtls.Config{Certificates: []stdtls.Certificate{cert}} + srv.StartTLS() + return srv, pool +} + +func selfSignedCert(t *testing.T, dnsName string) (stdtls.Certificate, *x509.CertPool) { + t.Helper() + return selfSignedCertWithPool(t, dnsName, x509.NewCertPool()) +} + +func selfSignedCertWithPool(t *testing.T, dnsName string, pool *x509.CertPool) (stdtls.Certificate, *x509.CertPool) { + t.Helper() + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("genkey: %v", err) + } 
+ serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) + tmpl := &x509.Certificate{ + SerialNumber: serial, + Subject: pkix.Name{CommonName: dnsName}, + NotBefore: time.Now().Add(-time.Hour), + NotAfter: time.Now().Add(time.Hour), + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, + DNSNames: []string{dnsName}, + BasicConstraintsValid: true, + IsCA: true, + } + der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv) + if err != nil { + t.Fatalf("createcert: %v", err) + } + cert, err := x509.ParseCertificate(der) + if err != nil { + t.Fatalf("parsecert: %v", err) + } + pool.AddCert(cert) + + tlsCert := stdtls.Certificate{ + Certificate: [][]byte{der}, + PrivateKey: priv, + Leaf: cert, + } + return tlsCert, pool +} + +// Used by tls.HelloGolang in tests — guards against the utls import being +// hidden and the build succeeding by accident on a stdlib-tls fallback. +var _ = pem.Decode +var _ = tls.HelloGolang +var _ = errors.New From 3219e541da4e8e0deb075643454722bd9dd3097d Mon Sep 17 00:00:00 2001 
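Review bot: No test in this file covers a certificate that chains to an untrusted root; `TestProbe_TLSWrongHostname` uses the trusted pool and only changes the name. Because `Probe` sets `InsecureSkipVerify: true` and relies entirely on `VerifyPeerCertificate`, a regression in `verifyCertChain` would silently turn chain validation off, so the negative case deserves its own test. A test like the one below, placed next to the wrong-hostname test, pins it by probing with an empty `RootCAs` pool.

```go
func TestProbe_UntrustedChainRejected(t *testing.T) {
	srv, _ := newTLSEchoServer(t, "test.example", http.StatusOK)
	t.Cleanup(srv.Close)

	addr := srv.Listener.Addr().String()
	c := Candidate{
		Provider:       "test",
		Domain:         "test.example",
		IPAddress:      addr,
		TestURL:        fmt.Sprintf("https://%s/ping", addr),
		VerifyHostname: "test.example",
	}
	// Empty pool: the server's self-signed cert chains to nothing we trust.
	res := Probe(context.Background(), c, Options{RootCAs: x509.NewCertPool(), DialTimeout: 2 * time.Second})
	if res.OK() {
		t.Errorf("expected untrusted chain to fail, got OK")
	}
}
```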
From: Adam Fisk Date: Tue, 19 May 2026 07:16:07 -0600 Subject: [PATCH 02/21] fronted/scanner: Service orchestrator + persistent cache MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the layer on top of the probe primitives: a Service that runs scans on a schedule, persists working fronts to disk, exposes a round-robin Pick API for consumers, and re-scans when consumers report failures. Lifecycle: - NewService(cfg) loads any prior cache (filtered by CacheTTL so stale entries don't seed the live pool with already-blocked IPs) - Start(ctx) runs the periodic refresh loop until ctx is canceled or Close is called - Working() returns the current ranked list; Pick() returns the next one round-robin so all working fronts get traffic rather than every dial pinning to the lowest-latency entry - ReportFailure(c) tracks per-front failures; after two failures within a refresh cycle the front is dropped, and if the working list falls below MinWorkingFronts a refresh is signaled - Refresh() is a manual trigger BuildPool composes candidates from the three feeders (known masquerades from fronted.yaml.gz, regex-generated Akamai hostnames resolved via SystemResolver, random CloudFront IPs paired with masquerade SNIs). Sample sizes <= 0 disable a feeder. Cache schema is versioned JSON written atomically (write tmp + rename). Missing file is not an error — first-boot loads nothing and proceeds to the first scan. Defaults: RefreshInterval 1h, CacheTTL 6h (matches Samim's "time-of-day" observation that working fronts shift on roughly that timescale), MinWorkingFronts 3. Tests: 11 new (cache save/load/TTL/missing/version + service round-robin/empty/failure-removal/low-water-signal/cache-restore/ no-config-is-error + BuildPool known-only and CloudFront paths). 
---
fronted/scanner/cache.go | 99 ++++++++++++
fronted/scanner/cache_test.go | 92 +++++++++++
fronted/scanner/pool.go | 91 +++++++++++
fronted/scanner/service.go | 271 ++++++++++++++++++++++++++++++++
fronted/scanner/service_test.go | 164 +++++++++++++++++++
5 files changed, 717 insertions(+)
create mode 100644 fronted/scanner/cache.go
create mode 100644 fronted/scanner/cache_test.go
create mode 100644 fronted/scanner/pool.go
create mode 100644 fronted/scanner/service.go
create mode 100644 fronted/scanner/service_test.go
diff --git a/fronted/scanner/cache.go b/fronted/scanner/cache.go
new file mode 100644
index 00000000..188dfd99
--- /dev/null
+++ b/fronted/scanner/cache.go
@@ -0,0 +1,99 @@
+package scanner
+
+import (
+ "encoding/json"
+ "errors"
+ "fmt"
+ "os"
+ "time"
+)
+
+const cacheSchemaVersion = 1
+
+type cacheFile struct {
+ Version int `json:"version"`
+ UpdatedAt time.Time `json:"updated_at"`
+ Working []cacheEntry `json:"working"`
+}
+
+type cacheEntry struct {
+ Candidate Candidate `json:"candidate"`
+ Latency time.Duration `json:"latency"`
+ Status int `json:"status"`
+ VerifiedAt time.Time `json:"verified_at"`
+}
+
+// LoadCache reads a cache file and returns the working results. Returns
+// (nil, nil) when the file doesn't exist — first-boot is not an error.
+// Returns an error only on malformed contents.
+//
+// Entries older than ttl are filtered out so a stale cache from days
+// ago doesn't seed the live pool with already-blocked IPs. ttl <= 0
+// disables the filter (load everything).
+func LoadCache(path string, ttl time.Duration) ([]Result, error) {
+ data, err := os.ReadFile(path)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return nil, nil
+ }
+ return nil, fmt.Errorf("read cache: %w", err)
+ }
+ var f cacheFile
+ if err := json.Unmarshal(data, &f); err != nil {
+ return nil, fmt.Errorf("decode cache: %w", err)
+ }
+ if f.Version != cacheSchemaVersion {
+ return nil, fmt.Errorf("cache schema %d unsupported (want %d)", f.Version, cacheSchemaVersion)
+ }
+
+ now := time.Now()
+ out := make([]Result, 0, len(f.Working))
+ for _, e := range f.Working {
+ if ttl > 0 && now.Sub(e.VerifiedAt) > ttl {
+ continue
+ }
+ out = append(out, Result{
+ Candidate: e.Candidate,
+ Latency: e.Latency,
+ Status: e.Status,
+ })
+ }
+ return out, nil
+}
+
+// SaveCache atomically writes the working results to path. The write is
+// best-effort — a failed save is logged by the caller but doesn't
+// affect runtime correctness.
+func SaveCache(path string, working []Result) error {
+ now := time.Now()
+ f := cacheFile{
+ Version: cacheSchemaVersion,
+ UpdatedAt: now,
+ Working: make([]cacheEntry, 0, len(working)),
+ }
+ for _, r := range working {
+ if !r.OK() {
+ continue
+ }
+ f.Working = append(f.Working, cacheEntry{
+ Candidate: r.Candidate,
+ Latency: r.Latency,
+ Status: r.Status,
+ VerifiedAt: now,
+ })
+ }
+
+ data, err := json.MarshalIndent(f, "", " ")
+ if err != nil {
+ return fmt.Errorf("encode cache: %w", err)
+ }
+
+ tmp := path + ".tmp"
+ if err := os.WriteFile(tmp, data, 0o644); err != nil {
+ return fmt.Errorf("write cache: %w", err)
+ }
+ if err := os.Rename(tmp, path); err != nil {
+ return fmt.Errorf("rename cache: %w", err)
+ }
+ return nil
+}
diff --git a/fronted/scanner/cache_test.go b/fronted/scanner/cache_test.go
new file mode 100644
index 00000000..51098889
--- /dev/null
+++ b/fronted/scanner/cache_test.go
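Review bot: `SaveCache` writes the cache world-readable with `os.WriteFile(tmp, data, 0o644)` to a fixed `path + ".tmp"` name. Entries read back by `LoadCache` carry `IPAddress`, `VerifyHostname` and `InnerHost`, and `NewService` (service.go) puts them into the working list that `Pick` serves before any re-probe, so whoever can write this file chooses where traffic goes and which name the certificate is checked against. I would write it owner-only, `os.WriteFile(tmp, data, 0o600)`, and state in the `LoadCache` comment that the file must sit in a directory only the client can write. `LoadCache` also never expires an entry whose `VerifiedAt` lies in the future, because `now.Sub(e.VerifiedAt) > ttl` is false for it; `if ttl > 0 && (e.VerifiedAt.After(now) || now.Sub(e.VerifiedAt) > ttl)` closes that.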
@@ -0,0 +1,92 @@ +package scanner + +import ( + "os" + "path/filepath" + "testing" + "time" +) + +func TestCache_SaveAndLoad(t *testing.T) { + dir := t.TempDir() + path := filepath.Join(dir, "scanner_cache.json") + + working := []Result{ + {Candidate: Candidate{Provider: "akamai", Domain: "a248.e.akamai.net", IPAddress: "23.47.48.230"}, Latency: 95 * time.Millisecond, Status: 200}, + {Candidate: Candidate{Provider: "cloudfront", Domain: "aa1.awsstatic.com", IPAddress: "99.84.2.4"}, Latency: 110 * time.Millisecond, Status: 200}, + } + + if err := SaveCache(path, working); err != nil { + t.Fatalf("SaveCache: %v", err) + } + + got, err := LoadCache(path, 24*time.Hour) + if err != nil { + t.Fatalf("LoadCache: %v", err) + } + if len(got) != 2 { + t.Fatalf("loaded %d; want 2", len(got)) + } + if got[0].Candidate.Provider != "akamai" || got[1].Candidate.Provider != "cloudfront" { + t.Errorf("order or content lost: %#v", got) + } +} + +func TestCache_MissingFileIsNotError(t *testing.T) { + got, err := LoadCache("/nonexistent/path/that/cannot/exist", 24*time.Hour) + if err != nil { + t.Errorf("missing cache file should return (nil, nil); got err=%v", err) + } + if got != nil { + t.Errorf("expected nil results, got %v", got) + } +} + +func TestCache_TTLFiltersStaleEntries(t *testing.T) { + dir := t.TempDir() + path := filepath.Join(dir, "scanner_cache.json") + + if err := SaveCache(path, []Result{ + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.2.3.4"}, Latency: 1 * time.Second, Status: 200}, + }); err != nil { + t.Fatalf("SaveCache: %v", err) + } + + got, err := LoadCache(path, 1*time.Nanosecond) + if err != nil { + t.Fatalf("LoadCache: %v", err) + } + if len(got) != 0 { + t.Errorf("TTL didn't filter stale entries: %v", got) + } +} + +func TestCache_SaveSkipsNonOKResults(t *testing.T) { + dir := t.TempDir() + path := filepath.Join(dir, "scanner_cache.json") + working := []Result{ + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.2.3.4"}, Status: 200}, + 
{Candidate: Candidate{Provider: "akamai", IPAddress: "5.6.7.8"}, Status: 403}, + } + if err := SaveCache(path, working); err != nil { + t.Fatalf("SaveCache: %v", err) + } + raw, _ := os.ReadFile(path) + if string(raw) == "" || len(raw) == 0 { + t.Fatalf("empty cache file") + } + got, _ := LoadCache(path, time.Hour) + if len(got) != 1 { + t.Errorf("expected 1 OK result saved, got %d", len(got)) + } +} + +func TestCache_WrongVersionIsError(t *testing.T) { + dir := t.TempDir() + path := filepath.Join(dir, "scanner_cache.json") + os.WriteFile(path, []byte(`{"version":999,"working":[]}`), 0o644) + _, err := LoadCache(path, time.Hour) + if err == nil { + t.Errorf("expected version mismatch error") + } +} diff --git a/fronted/scanner/pool.go b/fronted/scanner/pool.go new file mode 100644 index 00000000..d0291476 --- /dev/null +++ b/fronted/scanner/pool.go 
@@ -0,0 +1,91 @@
+package scanner
+
+import (
+ "context"
+ "errors"
+ "fmt"
+
+ "github.com/getlantern/domainfront"
+)
+
+// PoolOptions composes a candidate pool from the three feeder sources.
+type PoolOptions struct {
+ Config *domainfront.Config
+
+ KnownSample int
+ CloudFrontSample int
+ AkamaiSample int
+
+ Resolver Resolver
+}
+
+// BuildPool returns a probe pool combining (a) pre-validated masquerades
+// from cfg, (b) random CloudFront IP × random masquerade-SNI pairs, and
+// (c) Akamai hostnames generated from the MahsaNG/Psiphon regex and
+// resolved via opts.Resolver.
+//
+// Probe target (TestURL, inner Host) for each candidate comes from its
+// originating provider's TestURL in cfg.
+//
+// Sample sizes <= 0 disable the corresponding feeder. When AkamaiSample
+// > 0, the canonical AkamaiEdgeHostnames are always included alongside
+// the regex-generated draws — it's the highest-trust hostname in the
+// pool.
+func BuildPool(ctx context.Context, opts PoolOptions) ([]Candidate, error) {
+ if opts.Config == nil {
+ return nil, errors.New("BuildPool: nil Config")
+ }
+
+ cands, err := CandidatesFromConfig(opts.Config)
+ if err != nil {
+ return nil, fmt.Errorf("known masquerades: %w", err)
+ }
+ if opts.KnownSample > 0 && opts.KnownSample < len(cands) {
+ cands = sampleN(cands, opts.KnownSample)
+ }
+
+ akamaiProv := opts.Config.Providers["akamai"]
+ if akamaiProv != nil && akamaiProv.TestURL != "" && opts.AkamaiSample > 0 {
+ innerHost, err := innerHostFromTestURL(akamaiProv.TestURL)
+ if err == nil {
+ hostnames := append([]string{}, AkamaiEdgeHostnames...)
+ more, err := GenerateAkamaiHostnames(opts.AkamaiSample)
+ if err == nil {
+ hostnames = append(hostnames, more...)
+ }
+ akCands, err := AkamaiCandidates(ctx, hostnames, opts.Resolver, akamaiProv.TestURL, innerHost)
+ if err == nil {
+ cands = append(cands, akCands...)
+ }
+ }
+ }
+
+ cfProv := opts.Config.Providers["cloudfront"]
+ if cfProv != nil && cfProv.TestURL != "" && opts.CloudFrontSample > 0 {
+ innerHost, err := innerHostFromTestURL(cfProv.TestURL)
+ if err == nil {
+ snis := SNIsForProvider(opts.Config, "cloudfront")
+ if len(snis) > 0 {
+ cfCands, err := CloudFrontCandidates(opts.CloudFrontSample, snis, cfProv.TestURL, innerHost)
+ if err == nil {
+ cands = append(cands, cfCands...)
+ }
+ }
+ }
+ }
+
+ return cands, nil
+}
+
+func sampleN(cands []Candidate, n int) []Candidate {
+ if n >= len(cands) {
+ return cands
+ }
+ out := make([]Candidate, len(cands))
+ copy(out, cands)
+ for i := 0; i < n; i++ {
+ j, _ := pickInt(len(out) - i)
+ out[i], out[i+j] = out[i+j], out[i]
+ }
+ return out[:n]
+}
diff --git a/fronted/scanner/service.go b/fronted/scanner/service.go
new file mode 100644
index 00000000..8c67d9db
--- /dev/null
+++ b/fronted/scanner/service.go
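Review bot: `BuildPool` discards every feeder error: the nested `if err == nil` blocks drop failures from `innerHostFromTestURL`, `GenerateAkamaiHostnames`, `AkamaiCandidates` and `CloudFrontCandidates`, and `sampleN` ignores the error from `pickInt` in `j, _ := pickInt(len(out) - i)`. A caller that asked for Akamai or CloudFront samples cannot tell a disabled feeder from a failed one, and if `pickInt` (defined outside this hunk) fails and returns zero, the sample presumably degrades to the first n entries in config order rather than a random draw. At minimum the doc comment should say so, for example `// Feeder failures are skipped: BuildPool returns the candidates it could build and a nil error.`, and `sampleN` should carry a comment on why the `pickInt` error is safe to ignore. Logging the skipped feeder through a logger on `PoolOptions` would make a silently shrinking pool visible in the field.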
@@ -0,0 +1,271 @@ +package scanner + +import ( + "context" + "crypto/x509" + "errors" + "fmt" + "log/slog" + "sync" + "sync/atomic" + "time" + + "github.com/getlantern/domainfront" + tls "github.com/refraction-networking/utls" +) + +// ServiceConfig configures a scanner Service. +type ServiceConfig struct { + Config *domainfront.Config + + CacheFile string + + RefreshInterval time.Duration // default 1h + CacheTTL time.Duration // default 6h, matches Samim's "time of day" observation + MinWorkingFronts int // re-scan when working count drops below this; default 3 + + KnownSample int + CloudFrontSample int + AkamaiSample int + + Probe ProbeOptions + + Resolver Resolver + Logger *slog.Logger +} + +// ProbeOptions is the Scanner's view of scanner.Options — every probe +// in the service uses the same dialer / TLS settings. +type ProbeOptions struct { + Dialer Dialer + RootCAs *x509.CertPool + ClientHelloID tls.ClientHelloID + DialTimeout time.Duration + Concurrency int +} + +func (c *ServiceConfig) defaults() { + if c.RefreshInterval <= 0 { + c.RefreshInterval = 1 * time.Hour + } + if c.CacheTTL <= 0 { + c.CacheTTL = 6 * time.Hour + } + if c.MinWorkingFronts <= 0 { + c.MinWorkingFronts = 3 + } + if c.Probe.DialTimeout <= 0 { + c.Probe.DialTimeout = 5 * time.Second + } + if c.Probe.Concurrency <= 0 { + c.Probe.Concurrency = 8 + } + if c.Logger == nil { + c.Logger = slog.Default() + } +} + +// Service maintains a per-client working-front list, refreshing it on a +// schedule and on demand. Pick returns the next-best working front; +// ReportFailure demotes a front so subsequent Picks skip it and the +// next refresh runs sooner. +type Service struct { + cfg ServiceConfig + + mu sync.Mutex + working []Result + pickIdx int + failures map[string]int + + refreshSignal chan struct{} + refreshing atomic.Bool + + stop chan struct{} + stopOnce sync.Once + done chan struct{} +} + +// NewService loads the on-disk cache if present and returns a Service +// ready to start. 
Start kicks off the background refresh loop. +func NewService(cfg ServiceConfig) (*Service, error) { + if cfg.Config == nil { + return nil, errors.New("scanner: ServiceConfig.Config required") + } + cfg.defaults() + + s := &Service{ + cfg: cfg, + failures: make(map[string]int), + refreshSignal: make(chan struct{}, 1), + stop: make(chan struct{}), + done: make(chan struct{}), + } + + if cfg.CacheFile != "" { + cached, err := LoadCache(cfg.CacheFile, cfg.CacheTTL) + if err != nil { + cfg.Logger.Warn("scanner: cache load failed", slog.Any("error", err)) + } else if len(cached) > 0 { + s.working = cached + cfg.Logger.Info("scanner: cache loaded", slog.Int("count", len(cached))) + } + } + return s, nil +} + +// Start runs an initial refresh and the periodic loop. Returns when ctx +// is canceled or Close is called. Safe to call once. +func (s *Service) Start(ctx context.Context) { + defer close(s.done) + go s.refresh(ctx) + + t := time.NewTicker(s.cfg.RefreshInterval) + defer t.Stop() + for { + select { + case <-ctx.Done(): + return + case <-s.stop: + return + case <-t.C: + go s.refresh(ctx) + case <-s.refreshSignal: + go s.refresh(ctx) + } + } +} + +// Close stops the background loop. Idempotent. +func (s *Service) Close() error { + s.stopOnce.Do(func() { close(s.stop) }) + <-s.done + return nil +} + +// Working returns a snapshot of the current working front list ordered +// by latency. +func (s *Service) Working() []Result { + s.mu.Lock() + defer s.mu.Unlock() + out := make([]Result, len(s.working)) + copy(out, s.working) + return out +} + +// Pick returns the next working front in round-robin order so all +// fronts get traffic instead of every dial pinning to the lowest- +// latency one (which is what would happen with naive head-of-list). +// Returns false when the working list is empty; callers should then +// either wait for a refresh or trigger one via Refresh. 
+func (s *Service) Pick() (Result, bool) { + s.mu.Lock() + defer s.mu.Unlock() + if len(s.working) == 0 { + return Result{}, false + } + r := s.working[s.pickIdx%len(s.working)] + s.pickIdx++ + return r, true +} + +// ReportFailure tells the Service a front returned by Pick subsequently +// stopped working. Tracking is per-(provider, IP, SNI); after two +// failures within a refresh cycle the front is removed from the +// working list. A scheduled refresh is signaled when the working list +// drops below MinWorkingFronts. +func (s *Service) ReportFailure(c Candidate) { + key := failureKey(c) + s.mu.Lock() + s.failures[key]++ + count := s.failures[key] + if count >= 2 { + s.removeLocked(c) + } + lowWater := len(s.working) < s.cfg.MinWorkingFronts + s.mu.Unlock() + + if lowWater { + s.signalRefresh() + } +} + +// Refresh triggers an out-of-band scan, returning immediately. The +// refresh runs on the Service's goroutine; the resulting working list +// is observable via Working / Pick after it completes. Multiple calls +// while a refresh is already in flight are coalesced. 
+func (s *Service) Refresh() { s.signalRefresh() } + +func (s *Service) signalRefresh() { + select { + case s.refreshSignal <- struct{}{}: + default: + } +} + +func (s *Service) refresh(ctx context.Context) { + if !s.refreshing.CompareAndSwap(false, true) { + return + } + defer s.refreshing.Store(false) + + cands, err := BuildPool(ctx, PoolOptions{ + Config: s.cfg.Config, + KnownSample: s.cfg.KnownSample, + CloudFrontSample: s.cfg.CloudFrontSample, + AkamaiSample: s.cfg.AkamaiSample, + Resolver: s.cfg.Resolver, + }) + if err != nil { + s.cfg.Logger.Warn("scanner: build pool failed", slog.Any("error", err)) + return + } + if len(cands) == 0 { + s.cfg.Logger.Warn("scanner: empty pool, skipping scan") + return + } + + s.cfg.Logger.Info("scanner: scanning", slog.Int("candidates", len(cands))) + start := time.Now() + results := Scan(ctx, cands, Options{ + Dialer: s.cfg.Probe.Dialer, + RootCAs: s.cfg.Probe.RootCAs, + ClientHelloID: s.cfg.Probe.ClientHelloID, + DialTimeout: s.cfg.Probe.DialTimeout, + Concurrency: s.cfg.Probe.Concurrency, + }) + working := RankWorking(results) + elapsed := time.Since(start) + s.cfg.Logger.Info("scanner: scan complete", + slog.Int("working", len(working)), + slog.Int("total", len(results)), + slog.Duration("elapsed", elapsed), + ) + + s.mu.Lock() + s.working = working + s.pickIdx = 0 + s.failures = make(map[string]int) + s.mu.Unlock() + + if s.cfg.CacheFile != "" { + if err := SaveCache(s.cfg.CacheFile, working); err != nil { + s.cfg.Logger.Warn("scanner: cache save failed", slog.Any("error", err)) + } + } +} + +func (s *Service) removeLocked(c Candidate) { + key := failureKey(c) + filtered := s.working[:0] + for _, r := range s.working { + if failureKey(r.Candidate) == key { + continue + } + filtered = append(filtered, r) + } + s.working = filtered +} + +func failureKey(c Candidate) string { + return fmt.Sprintf("%s|%s|%s", c.Provider, c.IPAddress, c.SNI) +} 
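Review bot: `refresh` publishes the scan result even when the scan was cut short. If `ctx` is cancelled while `Scan` is running, the unfinished candidates come back with `ctx.Err()`, `RankWorking` returns few or no entries, and the code then replaces `s.working` and overwrites the cache file with that list, so a shutdown in the middle of a scan throws away the fronts the next start would have loaded. Adding `if ctx.Err() != nil { return }` directly after the `Scan` call avoids that. Separately, `Close` waits on `s.done`, which only `Start` closes, so `Close` on a Service that was never started blocks forever; and the comment on `Refresh` says the scan runs on the Service's goroutine, whereas `Start` launches each one with `go s.refresh(ctx)` and `Close` does not wait for it.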
diff --git a/fronted/scanner/service_test.go b/fronted/scanner/service_test.go
new file mode 100644
index 00000000..94baac4f
--- /dev/null
+++ b/fronted/scanner/service_test.go
@@ -0,0 +1,164 @@ +package scanner + +import ( + "context" + "path/filepath" + "testing" + "time" + + "github.com/getlantern/domainfront" +) + +func TestService_PickRoundRobin(t *testing.T) { + s := newServiceWithWorking(t, []Result{ + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.1.1.1"}, Status: 200}, + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.1.1.2"}, Status: 200}, + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.1.1.3"}, Status: 200}, + }) + + seen := map[string]int{} + for i := 0; i < 6; i++ { + r, ok := s.Pick() + if !ok { + t.Fatalf("Pick #%d returned !ok", i) + } + seen[r.Candidate.IPAddress]++ + } + for ip, n := range seen { + if n != 2 { + t.Errorf("expected each IP picked twice, %s got %d", ip, n) + } + } +} + +func TestService_PickEmptyReturnsFalse(t *testing.T) { + s := newServiceWithWorking(t, nil) + _, ok := s.Pick() + if ok { + t.Errorf("Pick on empty list should return false") + } +} + +func TestService_ReportFailureRemovesAfterTwo(t *testing.T) { + bad := Candidate{Provider: "akamai", IPAddress: "1.1.1.1"} + good := Candidate{Provider: "akamai", IPAddress: "2.2.2.2"} + s := newServiceWithWorking(t, []Result{ + {Candidate: bad, Status: 200}, + {Candidate: good, Status: 200}, + }) + + s.ReportFailure(bad) + if len(s.Working()) != 2 { + t.Errorf("first failure should not remove; got working=%d", len(s.Working())) + } + s.ReportFailure(bad) + if len(s.Working()) != 1 { + t.Errorf("second failure should remove; got working=%d", len(s.Working())) + } + if s.Working()[0].Candidate.IPAddress != "2.2.2.2" { + t.Errorf("wrong candidate remained: %v", s.Working()[0].Candidate) + } +} + +func TestService_ReportFailureSignalsRefreshAtLowWater(t *testing.T) { + s := newServiceWithWorking(t, []Result{ + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.1.1.1"}, Status: 200}, + }) + s.cfg.MinWorkingFronts = 2 + + s.ReportFailure(Candidate{Provider: "akamai", IPAddress: "1.1.1.1"}) + s.ReportFailure(Candidate{Provider: 
"akamai", IPAddress: "1.1.1.1"}) + + select { + case <-s.refreshSignal: + default: + t.Errorf("expected refresh signal after working dropped below MinWorkingFronts") + } +} + +func TestService_LoadsFromCacheOnConstruct(t *testing.T) { + dir := t.TempDir() + cachePath := filepath.Join(dir, "scanner_cache.json") + SaveCache(cachePath, []Result{ + {Candidate: Candidate{Provider: "akamai", IPAddress: "1.2.3.4"}, Latency: 50 * time.Millisecond, Status: 200}, + }) + + s, err := NewService(ServiceConfig{ + Config: &domainfront.Config{}, + CacheFile: cachePath, + }) + if err != nil { + t.Fatalf("NewService: %v", err) + } + w := s.Working() + if len(w) != 1 { + t.Errorf("expected 1 loaded from cache, got %d", len(w)) + } +} + +func TestService_NoConfigIsError(t *testing.T) { + _, err := NewService(ServiceConfig{}) + if err == nil { + t.Errorf("expected error when Config is nil") + } +} + +func TestBuildPool_KnownOnly(t *testing.T) { + cfg := &domainfront.Config{ + Providers: map[string]*domainfront.Provider{ + "akamai": { + TestURL: "https://akamai.test/ping", + Masquerades: []*domainfront.Masquerade{ + {Domain: "a248.e.akamai.net", IpAddress: "1.1.1.1"}, + {Domain: "a248.e.akamai.net", IpAddress: "1.1.1.2"}, + {Domain: "a248.e.akamai.net", IpAddress: "1.1.1.3"}, + }, + }, + }, + } + got, err := BuildPool(context.Background(), PoolOptions{ + Config: cfg, + KnownSample: 2, + }) + if err != nil { + t.Fatalf("BuildPool: %v", err) + } + if len(got) != 2 { + t.Errorf("expected 2 sampled, got %d", len(got)) + } +} + +func TestBuildPool_CloudFrontFeederNeedsSNIs(t *testing.T) { + cfg := &domainfront.Config{ + Providers: map[string]*domainfront.Provider{ + "cloudfront": { + TestURL: "https://cf.test/ping", + Masquerades: []*domainfront.Masquerade{ + {Domain: "aa1.awsstatic.com", IpAddress: "99.84.2.4"}, + }, + }, + }, + } + got, err := BuildPool(context.Background(), PoolOptions{ + Config: cfg, + CloudFrontSample: 5, + }) + if err != nil { + t.Fatalf("BuildPool: %v", err) + } + if 
len(got) != 6 { + t.Errorf("expected 1 known + 5 sampled = 6, got %d", len(got)) + } +} + +// --- helpers --- + +func newServiceWithWorking(t *testing.T, working []Result) *Service { + t.Helper() + s, err := NewService(ServiceConfig{Config: &domainfront.Config{}}) + if err != nil { + t.Fatalf("NewService: %v", err) + } + s.working = working + return s +} From cea64496705d5ff0f498512a16f0be95b346da3c Mon Sep 17 00:00:00 2001 
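Review bot: In TestService_LoadsFromCacheOnConstruct the error returned by `SaveCache(cachePath, ...)` is dropped, so a failed write only shows up later as the misleading "expected 1 loaded from cache, got 0". Check it at the call: `if err := SaveCache(cachePath, ...); err != nil { t.Fatalf("SaveCache: %v", err) }`. Every ReportFailure test here also passes a Candidate with Provider set. Since failureKey in service.go includes Provider, a case that reports a Candidate with an empty Provider would document whether a match on IP and SNI alone is meant to count.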
From: Adam Fisk Date: Tue, 19 May 2026 07:27:34 -0600 Subject: [PATCH 03/21] kindling/meek: Provider wiring scanner output into meek outbound MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the consumer layer that converts the scanner.Service's working list into []FrontSpec entries ready for the lantern-box meek outbound's JSON configuration. Provider owns the Service lifecycle, wires the bypass dialer so probes don't loop through the active VPN TUN, and uses TrustedCAsPool from the loaded domainfront config so cert validation matches production. FrontSpec is a local mirror of lantern-box/option.FrontSpec — same JSON shape, kept local to avoid version-coupling radiance to lantern-box's release cadence (the meek option type lands in lantern-box#265 and isn't published yet). Service lifecycle fix: Close no longer hangs when Start was never called. NewProvider returns an error for nil Config instead of panicking inside TrustedCAsPool. Adds a live-network timing benchmark (TestLive_TimeToFirstWorking, gated on SCANNER_INTEGRATION=1) that loads the production fronted.yaml.gz, builds a 70+ candidate pool, runs a full scan, and reports time-to-first-working / total scan time / per-feeder hit rate / per-probe latency p50/p90. On a sample run from a US dev network: - pool: 72 candidates (50 known + Akamai-DNS-resolved + 10 CloudFront-random) - time to first working front: 205ms - scan complete: 35/72 working in 8.79s - akamai: 35/36 working (97%) - cloudfront: 0/36 working (0%) — fronted.yaml.gz cloudfront testurl is stale - per-probe latency: p50=218ms, p90=1.47s, min=142ms Sub-second time-to-usability means a cold-boot client gets a working front before the user notices. CloudFront's 0% is the known POP-vs-distribution issue (#3525); production deployment with a fresh, globally-served test URL would lift that. 
--- fronted/scanner/service.go | 10 ++- fronted/scanner/timing_test.go | 147 ++++++++++++++++++++++++++++++++ kindling/meek/provider.go | 149 +++++++++++++++++++++++++++++++++ kindling/meek/provider_test.go | 61 ++++++++++++++ 4 files changed, 365 insertions(+), 2 deletions(-) create mode 100644 fronted/scanner/timing_test.go create mode 100644 kindling/meek/provider.go create mode 100644 kindling/meek/provider_test.go diff --git a/fronted/scanner/service.go b/fronted/scanner/service.go index 8c67d9db..4ba06480 100644 --- a/fronted/scanner/service.go +++ b/fronted/scanner/service.go @@ -83,6 +83,7 @@ type Service struct { stop chan struct{} stopOnce sync.Once done chan struct{} + started atomic.Bool } // NewService loads the on-disk cache if present and returns a Service @@ -116,6 +117,7 @@ func NewService(cfg ServiceConfig) (*Service, error) { // Start runs an initial refresh and the periodic loop. Returns when ctx // is canceled or Close is called. Safe to call once. func (s *Service) Start(ctx context.Context) { + s.started.Store(true) defer close(s.done) go s.refresh(ctx) @@ -135,10 +137,14 @@ func (s *Service) Start(ctx context.Context) { } } -// Close stops the background loop. Idempotent. +// Close stops the background loop. Idempotent. Safe to call before +// Start — in that case it just marks the Service stopped without +// waiting on a loop that was never running. func (s *Service) Close() error { s.stopOnce.Do(func() { close(s.stop) }) - <-s.done + if s.started.Load() { + <-s.done + } return nil } diff --git a/fronted/scanner/timing_test.go b/fronted/scanner/timing_test.go new file mode 100644 index 00000000..6bae6f9b --- /dev/null +++ b/fronted/scanner/timing_test.go 
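Review bot: The `started` check in Close leaves a window when Close runs before a concurrently launched Start has reached `s.started.Store(true)`: Close returns at once, and Start then still runs `go s.refresh(ctx)`, which begins a full probe scan on a Service the caller considers stopped. Provider.Start in kindling/meek (added in this patch) calls `go p.service.Start(ctx)`, so a Close shortly after Start can land in that window. Returning early from Start when stop is already closed, with `select { case <-s.stop: return; default: }` placed after `defer close(s.done)`, keeps the scan from starting. The Close doc comment should also say that in this case it does not wait. Start's body continues outside the hunk, so what the loop itself does on a closed `s.stop` is not visible here.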
@@ -0,0 +1,147 @@ +package scanner + +import ( + "context" + "os" + "path/filepath" + "runtime" + "sort" + "sync" + "sync/atomic" + "testing" + "time" + + "github.com/getlantern/domainfront" +) + +// TestLive_TimeToFirstWorking measures real-world scan latency and +// time-to-first-working-front against live CDN infrastructure. Opt-in +// (SCANNER_INTEGRATION=1) — exercises the production probe path +// end-to-end. +// +// Reported metrics: +// - time-to-first-working: how soon after the scan starts does any +// candidate complete OK (the most operationally relevant number — +// this is how long the user waits before the first front is usable) +// - p50/p90 working-result latency: the per-probe RTT distribution +// - total scan wall time: when does the last probe finish +// - hit rate per feeder +func TestLive_TimeToFirstWorking(t *testing.T) { + integrationGate(t) + + cfg, err := loadProductionConfig(t) + if err != nil { + t.Fatalf("loadProductionConfig: %v", err) + } + + ctx, cancel := context.WithTimeout(context.Background(), 90*time.Second) + defer cancel() + + pool, err := BuildPool(ctx, PoolOptions{ + Config: cfg, + KnownSample: 50, + CloudFrontSample: 10, + AkamaiSample: 5, + }) + if err != nil { + t.Fatalf("BuildPool: %v", err) + } + t.Logf("pool: %d candidates (50 known + Akamai-DNS-resolved + 10 CloudFront-random)", len(pool)) + + rootCAs, err := TrustedCAsPool(cfg) + if err != nil { + t.Fatalf("TrustedCAsPool: %v", err) + } + + start := time.Now() + var firstWorking int64 + results := scanWithFirstHookCB(ctx, pool, Options{ + RootCAs: rootCAs, + Concurrency: 8, + DialTimeout: 5 * time.Second, + }, func() { + atomic.CompareAndSwapInt64(&firstWorking, 0, int64(time.Since(start))) + }) + elapsed := time.Since(start) + working := RankWorking(results) + + t.Logf("scan complete: %d/%d working in %s", len(working), len(results), elapsed.Round(time.Millisecond)) + if firstWorking > 0 { + t.Logf("time to first working front: %s", 
time.Duration(firstWorking).Round(time.Millisecond)) + } + + byProvider := map[string]struct{ ok, total int }{} + for _, r := range results { + stats := byProvider[r.Candidate.Provider] + stats.total++ + if r.OK() { + stats.ok++ + } + byProvider[r.Candidate.Provider] = stats + } + for prov, s := range byProvider { + t.Logf(" %s: %d/%d working (%.0f%%)", prov, s.ok, s.total, 100*float64(s.ok)/float64(s.total)) + } + + if len(working) > 0 { + latencies := make([]time.Duration, len(working)) + for i, r := range working { + latencies[i] = r.Latency + } + sort.Slice(latencies, func(i, j int) bool { return latencies[i] < latencies[j] }) + p50 := latencies[len(latencies)/2] + p90 := latencies[(len(latencies)*9)/10] + t.Logf("working-result latency: p50=%s p90=%s min=%s", p50.Round(time.Millisecond), p90.Round(time.Millisecond), latencies[0].Round(time.Millisecond)) + } + + if len(working) == 0 { + t.Errorf("0 working fronts after full scan; expected at least 1 against live CDN") + } +} + +// scanWithFirstHookCB is Scan with a callback fired exactly once on the +// first OK result. Used to time how soon the user could start using +// the scanner output rather than waiting for the full scan to finish. 
+func scanWithFirstHookCB(ctx context.Context, candidates []Candidate, opts Options, onFirst func()) []Result { + opts.defaults() + results := make([]Result, len(candidates)) + if len(candidates) == 0 { + return results + } + sem := make(chan struct{}, opts.Concurrency) + var wg sync.WaitGroup + var once sync.Once + for i, c := range candidates { + wg.Add(1) + sem <- struct{}{} + go func(i int, c Candidate) { + defer wg.Done() + defer func() { <-sem }() + if err := ctx.Err(); err != nil { + results[i] = Result{Candidate: c, Err: err} + return + } + r := Probe(ctx, c, opts) + if r.OK() && onFirst != nil { + once.Do(onFirst) + } + results[i] = r + }(i, c) + } + wg.Wait() + return results +} + +// loadProductionConfig reads the embedded radiance fronted.yaml.gz +// (the same config the radiance client uses in production) so the +// timing test exercises a realistic pool. +func loadProductionConfig(t *testing.T) (*domainfront.Config, error) { + t.Helper() + _, thisFile, _, _ := runtime.Caller(0) + path := filepath.Join(filepath.Dir(thisFile), "..", "..", "kindling", "fronted", "fronted.yaml.gz") + raw, err := os.ReadFile(path) + if err != nil { + return nil, err + } + return domainfront.ParseConfig(raw) +} diff --git a/kindling/meek/provider.go b/kindling/meek/provider.go new file mode 100644 index 00000000..f548c73e --- /dev/null +++ b/kindling/meek/provider.go 
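Review bot: loadProductionConfig discards the `ok` result of `runtime.Caller(0)` and treats the returned file name as a real on-disk path; in a binary built with `-trimpath` that name is rewritten and `os.ReadFile` fails with a confusing path error. `go test` runs with the package directory as the working directory, so `filepath.Join("..", "..", "kindling", "fronted", "fronted.yaml.gz")` is sufficient and removes the `runtime` import. The doc comment also calls the file "embedded" although it is read from the source tree, and scanWithFirstHookCB is a copy of the Scan loop, so its comment should say the two must be kept in step for the timings to describe production.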
@@ -0,0 +1,149 @@ +// Package meek wires radiance's fronted/scanner output into the +// sing-box meek outbound config shape. A Provider holds a scanner +// Service, samples its current working list, and produces FrontSpec +// JSON entries suitable for inclusion in a sing-box meek outbound +// configuration. +package meek + +import ( + "context" + "errors" + "log/slog" + "net" + "time" + + "github.com/getlantern/domainfront" + + "github.com/getlantern/radiance/bypass" + "github.com/getlantern/radiance/fronted/scanner" +) + +var errNilConfig = errors.New("meek: ProviderConfig.Config is nil") + +// FrontSpec mirrors lantern-box/option.FrontSpec; kept local to avoid +// version-coupling radiance's release cadence to lantern-box's. +type FrontSpec struct { + IPAddress string `json:"ip_address"` + SNI string `json:"sni,omitempty"` + VerifyHostname string `json:"verify_hostname,omitempty"` +} + +// ProviderConfig configures the bridge between scanner and meek +// outbound. Defaults are tuned for IR usage: a 1h refresh interval is +// short enough to react to CDN block churn, a 6h cache TTL means a +// reboot loads the recent working list rather than re-scanning cold. +type ProviderConfig struct { + Config *domainfront.Config + CacheFile string + + RefreshInterval time.Duration + CacheTTL time.Duration + KnownSample int + CloudFrontSample int + AkamaiSample int + + Logger *slog.Logger +} + +func (c *ProviderConfig) defaults() { + if c.KnownSample == 0 { + c.KnownSample = 50 + } + if c.CloudFrontSample == 0 { + c.CloudFrontSample = 10 + } + if c.AkamaiSample == 0 { + c.AkamaiSample = 5 + } + if c.Logger == nil { + c.Logger = slog.Default() + } +} + +// Provider runs a scanner Service over the supplied domainfront config +// and exposes the working-front list as []FrontSpec for the meek +// outbound. +type Provider struct { + service *scanner.Service +} + +// NewProvider constructs a Provider. 
The scanner is configured to dial +// through radiance/bypass so its probes don't loop through the active +// VPN TUN; cert validation uses the trusted-CA pool from cfg. Call +// Start to begin background scanning. +func NewProvider(cfg ProviderConfig) (*Provider, error) { + if cfg.Config == nil { + return nil, errNilConfig + } + cfg.defaults() + + rootCAs, err := scanner.TrustedCAsPool(cfg.Config) + if err != nil { + return nil, err + } + + svc, err := scanner.NewService(scanner.ServiceConfig{ + Config: cfg.Config, + CacheFile: cfg.CacheFile, + RefreshInterval: cfg.RefreshInterval, + CacheTTL: cfg.CacheTTL, + KnownSample: cfg.KnownSample, + CloudFrontSample: cfg.CloudFrontSample, + AkamaiSample: cfg.AkamaiSample, + Probe: scanner.ProbeOptions{ + Dialer: bypassDialer{}, + RootCAs: rootCAs, + }, + Logger: cfg.Logger, + }) + if err != nil { + return nil, err + } + return &Provider{service: svc}, nil +} + +// Start kicks off the background refresh loop and returns immediately. +// The loop runs until ctx is canceled or Close is called. +func (p *Provider) Start(ctx context.Context) { + go p.service.Start(ctx) +} + +// Close stops the background loop. Idempotent. +func (p *Provider) Close() error { return p.service.Close() } + +// FrontSpecs returns up to n working fronts in the meek-outbound JSON +// shape. n <= 0 returns all. The list is ordered by ascending latency. 
+func (p *Provider) FrontSpecs(n int) []FrontSpec { + return resultsToFrontSpecs(p.service.Working(), n) +} + +func resultsToFrontSpecs(working []scanner.Result, n int) []FrontSpec { + if n > 0 && n < len(working) { + working = working[:n] + } + out := make([]FrontSpec, 0, len(working)) + for _, r := range working { + out = append(out, FrontSpec{ + IPAddress: r.Candidate.IPAddress, + SNI: r.Candidate.SNI, + VerifyHostname: r.Candidate.VerifyHostname, + }) + } + return out +} + +// ReportFailure passes a meek dial failure back to the scanner so the +// underlying front gets dropped after enough failures and the next +// refresh runs sooner. spec.IPAddress is the load-bearing key. +func (p *Provider) ReportFailure(spec FrontSpec) { + p.service.ReportFailure(scanner.Candidate{ + IPAddress: spec.IPAddress, + SNI: spec.SNI, + }) +} + +type bypassDialer struct{} + +func (bypassDialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) { + return bypass.DialContext(ctx, network, addr) +} diff --git a/kindling/meek/provider_test.go b/kindling/meek/provider_test.go new file mode 100644 index 00000000..2a2051a9 --- /dev/null +++ b/kindling/meek/provider_test.go 
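Review bot: ReportFailure builds a `scanner.Candidate` with only IPAddress and SNI, while `failureKey` in fronted/scanner/service.go formats `Provider|IPAddress|SNI`, so the key built from this candidate has an empty provider and cannot equal the key of a working entry whose Provider is "akamai" or "cloudfront". Service.ReportFailure is not shown in this hunk, but removeLocked compares by that key, so failures reported by the meek outbound probably never evict a front and a blocked edge keeps being handed out. FrontSpec mirrors an external type and has no provider field, so the change below resolves the spec back to the full candidate from the working list before reporting. A test in provider_test.go that reports the same spec twice and checks that FrontSpecs shrinks would catch this.

```go
func (p *Provider) ReportFailure(spec FrontSpec) {
	// FrontSpec has no provider field; recover the full candidate so the
	// key the scanner builds matches the entry in its working list.
	for _, r := range p.service.Working() {
		if r.Candidate.IPAddress == spec.IPAddress && r.Candidate.SNI == spec.SNI {
			p.service.ReportFailure(r.Candidate)
			return
		}
	}
}
```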
@@ -0,0 +1,61 @@ +package meek + +import ( + "testing" + "time" + + "github.com/getlantern/domainfront" + "github.com/getlantern/radiance/fronted/scanner" +) + +func TestNewProvider_NilConfigErrors(t *testing.T) { + _, err := NewProvider(ProviderConfig{}) + if err == nil { + t.Errorf("expected error for nil Config") + } +} + +func TestNewProvider_OK(t *testing.T) { + p, err := NewProvider(ProviderConfig{Config: &domainfront.Config{}}) + if err != nil { + t.Fatalf("NewProvider: %v", err) + } + t.Cleanup(func() { _ = p.Close() }) + if got := p.FrontSpecs(5); got == nil { + t.Errorf("FrontSpecs returned nil; want empty slice") + } +} + +func TestResultsToFrontSpecs_PreservesOrderAndShape(t *testing.T) { + working := []scanner.Result{ + {Candidate: scanner.Candidate{Provider: "akamai", IPAddress: "23.47.48.230", VerifyHostname: "a248.e.akamai.net"}, Latency: 50 * time.Millisecond, Status: 200}, + {Candidate: scanner.Candidate{Provider: "cloudfront", IPAddress: "99.84.2.4", SNI: "aa1.awsstatic.com", VerifyHostname: "aa1.awsstatic.com"}, Latency: 110 * time.Millisecond, Status: 200}, + } + got := resultsToFrontSpecs(working, 0) + if len(got) != 2 { + t.Fatalf("len = %d; want 2", len(got)) + } + if got[0].IPAddress != "23.47.48.230" || got[0].SNI != "" || got[0].VerifyHostname != "a248.e.akamai.net" { + t.Errorf("akamai mapping wrong: %+v", got[0]) + } + if got[1].IPAddress != "99.84.2.4" || got[1].SNI != "aa1.awsstatic.com" { + t.Errorf("cloudfront mapping wrong: %+v", got[1]) + } +} + +func TestResultsToFrontSpecs_LimitsToN(t *testing.T) { + working := []scanner.Result{ + {Candidate: scanner.Candidate{IPAddress: "1.1.1.1"}, Status: 200}, + {Candidate: scanner.Candidate{IPAddress: "2.2.2.2"}, Status: 200}, + {Candidate: scanner.Candidate{IPAddress: "3.3.3.3"}, Status: 200}, + } + if got := resultsToFrontSpecs(working, 0); len(got) != 3 { + t.Errorf("n=0 should return all; got %d", len(got)) + } + if got := resultsToFrontSpecs(working, 2); len(got) != 2 { + t.Errorf("n=2 
should return 2; got %d", len(got)) + } + if got := resultsToFrontSpecs(working, 10); len(got) != 3 { + t.Errorf("n>len should return all; got %d", len(got)) + } +} From 96b745f3b7864909eb709a7fee5c28f3713c4dd7 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Tue, 19 May 2026 07:42:53 -0600 Subject: [PATCH 04/21] fronted/scanner: raw-range-primary discovery by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flips the default candidate pool composition so per-scan-fresh IPs from the AWS CloudFront prefix list and DNS-resolved Akamai edges are the primary discovery source, with the pre-resolved IPs in fronted.yaml.gz reduced to opt-in via KnownSample > 0. Why: the YAML's pre-resolved IPs are the same baked list every user gets and don't move per (ISP, location, time-of-day). The raw-range feeders self-heal as CDN edges rotate and produce per-user-fresh candidates — matching Samim Mirhosseini's observation that the working fronts vary across all three dimensions. BuildPool semantic change: KnownSample <= 0 now skips the known feeder entirely (previously it meant "use all known"). Callers explicitly opt in by passing KnownSample > 0. Provider defaults: KnownSample removed from defaults() (defaults to 0 → skip), CloudFrontSample=30, AkamaiSample=3 (4 hostnames after adding canonical → typically ~8 unique IPs after DNS dedup). Re-ran the live timing benchmark with new defaults from a US dev network against the production fronted.yaml.gz: - pool: 38 candidates (30 CloudFront-raw + 8 Akamai-DNS-resolved) - time to first working front: 154ms (was 205ms) - scan complete: 8/38 working in 10.7s - akamai: 8/8 working (100%) - cloudfront: 0/30 working (0%) — stale testurl in YAML - per-probe latency: p50=244ms p90=292ms min=154ms Tail latency tightened (p90 1.47s → 292ms) because the working pool is now uniformly fresh rather than mixing pre-resolved IPs of varying age. CloudFront's 0% is a fixable production deployment issue (fresh globally-served distribution), not a discovery flaw. Sub-200ms time-to-first-working means cold-boot clients have a working front before the user notices. 
--- fronted/scanner/pool.go | 23 +++++++++++++++++------ fronted/scanner/service_test.go | 31 ++++++++++++++++++++++++++++--- fronted/scanner/timing_test.go | 10 ++++++---- kindling/meek/provider.go | 14 +++++++++----- 4 files changed, 60 insertions(+), 18 deletions(-)
diff --git a/fronted/scanner/pool.go b/fronted/scanner/pool.go
index d0291476..1948a6ed 100644
--- a/fronted/scanner/pool.go
+++ b/fronted/scanner/pool.go
@@ -31,17 +31,28 @@ type PoolOptions struct {
 // > 0, the canonical AkamaiEdgeHostnames are always included alongside
 // the regex-generated draws — it's the highest-trust hostname in the
 // pool.
+//
+// The raw-range feeders (Akamai DNS + CloudFront prefixes) produce
+// per-scan-fresh IPs, which match Samim Mirhosseini's "different per
+// ISP, location, time of day" observation. The Known feeder (pre-
+// resolved IPs from fronted.yaml.gz) is opt-in via KnownSample > 0;
+// it's higher-hit-rate when the YAML is current but goes stale faster
+// than the raw range scans can self-heal.
 func BuildPool(ctx context.Context, opts PoolOptions) ([]Candidate, error) {
 if opts.Config == nil {
 return nil, errors.New("BuildPool: nil Config")
 }
 
- cands, err := CandidatesFromConfig(opts.Config)
- if err != nil {
- return nil, fmt.Errorf("known masquerades: %w", err)
- }
- if opts.KnownSample > 0 && opts.KnownSample < len(cands) {
- cands = sampleN(cands, opts.KnownSample)
+ var cands []Candidate
+ if opts.KnownSample > 0 {
+ known, err := CandidatesFromConfig(opts.Config)
+ if err != nil {
+ return nil, fmt.Errorf("known masquerades: %w", err)
+ }
+ if opts.KnownSample < len(known) {
+ known = sampleN(known, opts.KnownSample)
+ }
+ cands = append(cands, known...)
 }
 
 akamaiProv := opts.Config.Providers["akamai"]
diff --git a/fronted/scanner/service_test.go b/fronted/scanner/service_test.go
index 94baac4f..2cb4632c 100644
--- a/fronted/scanner/service_test.go
+++ b/fronted/scanner/service_test.go
@@ -128,7 +128,7 @@ func TestBuildPool_KnownOnly(t *testing.T) {
 }
 }
 
-func TestBuildPool_CloudFrontFeederNeedsSNIs(t *testing.T) {
+func TestBuildPool_CloudFrontRawRange(t *testing.T) {
 cfg := &domainfront.Config{
 Providers: map[string]*domainfront.Provider{
 "cloudfront": {
@@ -146,8 +146,33 @@ func TestBuildPool_CloudFrontFeederNeedsSNIs(t *testing.T) {
 if err != nil {
 t.Fatalf("BuildPool: %v", err)
 }
- if len(got) != 6 {
- t.Errorf("expected 1 known + 5 sampled = 6, got %d", len(got))
+ if len(got) != 5 {
+ t.Errorf("expected 5 raw-range samples (KnownSample=0 skips known), got %d", len(got))
+ }
+}
+
+func TestBuildPool_KnownOptedIn(t *testing.T) {
+ cfg := &domainfront.Config{
+ Providers: map[string]*domainfront.Provider{
+ "cloudfront": {
+ TestURL: "https://cf.test/ping",
+ Masquerades: []*domainfront.Masquerade{
+ {Domain: "aa1.awsstatic.com", IpAddress: "99.84.2.4"},
+ {Domain: "advertising.amazon.com", IpAddress: "3.164.130.9"},
+ },
+ },
+ },
+ }
+ got, err := BuildPool(context.Background(), PoolOptions{
+ Config: cfg,
+ KnownSample: 10,
+ CloudFrontSample: 3,
+ })
+ if err != nil {
+ t.Fatalf("BuildPool: %v", err)
+ }
+ if len(got) != 5 {
+ t.Errorf("expected 2 known + 3 raw = 5, got %d", len(got))
 }
 }
 
diff --git a/fronted/scanner/timing_test.go b/fronted/scanner/timing_test.go
index 6bae6f9b..a6af0dd8 100644
--- a/fronted/scanner/timing_test.go
+++ b/fronted/scanner/timing_test.go
@@ -37,16 +37,18 @@ func TestLive_TimeToFirstWorking(t *testing.T) {
 ctx, cancel := context.WithTimeout(context.Background(), 90*time.Second)
 defer cancel()
 
+ // Raw-range-primary defaults: no pre-resolved YAML IPs, just fresh
+ // per-scan IPs from AWS CloudFront prefixes + DNS-resolved Akamai
+ // edges.
 pool, err := BuildPool(ctx, PoolOptions{
 Config: cfg,
- KnownSample: 50,
- CloudFrontSample: 10,
- AkamaiSample: 5,
+ CloudFrontSample: 30,
+ AkamaiSample: 3,
 })
 if err != nil {
 t.Fatalf("BuildPool: %v", err)
 }
- t.Logf("pool: %d candidates (50 known + Akamai-DNS-resolved + 10 CloudFront-random)", len(pool))
+ t.Logf("pool: %d candidates (30 CloudFront-raw + Akamai-DNS-resolved from 4 hostnames)", len(pool))
 
 rootCAs, err := TrustedCAsPool(cfg)
 if err != nil {
diff --git a/kindling/meek/provider.go b/kindling/meek/provider.go
index f548c73e..5d3da0ae 100644
--- a/kindling/meek/provider.go
+++ b/kindling/meek/provider.go
@@ -32,6 +32,13 @@ type FrontSpec struct {
 // outbound. Defaults are tuned for IR usage: a 1h refresh interval is
 // short enough to react to CDN block churn, a 6h cache TTL means a
 // reboot loads the recent working list rather than re-scanning cold.
+//
+// Discovery is raw-range-primary by default: fresh IPs from the AWS
+// CloudFront prefix list and DNS-resolved Akamai edges produce
+// per-(ISP, location, time-of-day) candidates rather than the same
+// baked list every user sees. fronted.yaml.gz is consulted only for
+// outer-SNI pools, trusted CAs, and host-alias mappings (not its
+// pre-resolved IPs) unless KnownSample > 0.
 type ProviderConfig struct {
 Config *domainfront.Config
 CacheFile string
@@ -46,14 +53,11 @@ type ProviderConfig struct {
 }
 
 func (c *ProviderConfig) defaults() {
- if c.KnownSample == 0 {
- c.KnownSample = 50
- }
 if c.CloudFrontSample == 0 {
- c.CloudFrontSample = 10
+ c.CloudFrontSample = 30
 }
 if c.AkamaiSample == 0 {
- c.AkamaiSample = 5
+ c.AkamaiSample = 3
 }
 if c.Logger == nil {
 c.Logger = slog.Default()
From f19761da9c21542cb8d76fe5cb766f22a191e9d7 Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Tue, 19 May 2026 07:50:38 -0600 Subject: [PATCH 05/21] fronted/scanner: force https scheme on probe requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit http.Transport routes via DialTLSContext (our pre-opened fronted TLS conn) only for https URLs. With an http:// TestURL the request fell through to plain DNS + port 80, bypassing the front entirely — every probe was effectively a direct-DNS plaintext request to the inner hostname instead of a fronted request via the chosen CDN edge. Akamai's TestURL in fronted.yaml.gz is https:// so its probes were fine; CloudFront's is http:// so its probes were structurally broken. The fix surfaces a separate finding: even with probes routed correctly, CloudFront returns HTTP 421 "Misdirected Request" for every (random IP × masquerade SNI) pair AND for every pre-validated pair in fronted.yaml.gz. AWS now strictly enforces SNI/Host match, killing the cross-distribution Host header routing technique our YAML attempts. CloudFront fronting via this scheme is not just stale data — it's structurally disabled at the AWS layer. Workable CloudFront fronting requires alternate-domain-names on the same distribution (outer SNI and inner Host both belong to one CloudFront distribution AWS owns the cert for), which is a different deployment than fronted.yaml.gz uses today. Tracking as follow-up. --- fronted/scanner/scanner.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fronted/scanner/scanner.go b/fronted/scanner/scanner.go index a78fcba1..b56864c9 100644 --- a/fronted/scanner/scanner.go +++ b/fronted/scanner/scanner.go 
@@ -192,6 +192,13 @@ func buildProbeRequest(ctx context.Context, c Candidate) (*http.Request, error)
 if err != nil {
 return nil, fmt.Errorf("parse TestURL: %w", err)
 }
+ // The outer connection is TLS on port 443 regardless of the
+ // TestURL scheme. http.Transport only routes via DialTLSContext
+ // (our pre-opened fronted TLS conn) for https URLs — if scheme
+ // stays http the request falls through to plain-text DNS + port
+ // 80, bypassing the front entirely. Some providers' testurls
+ // (CloudFront in fronted.yaml.gz) ship as http://.
+ u.Scheme = "https"
 req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
 if err != nil {
 return nil, fmt.Errorf("new request: %w", err)
From 4e74a93f553bb0c6866cac0ad200353073232657 Mon Sep 17 00:00:00 2001
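Review bot: Forcing `u.Scheme = "https"` covers the first request only; the plaintext fall-through described in the new comment can still occur on a redirect. If the probe client follows a 3xx to an `http://` location, that hop skips DialTLSContext and goes out as direct DNS plus port 80 with the inner hostname in the clear, and a 2xx reached that way would mark a front as working although the answer never came through it. The client is constructed outside this hunk, so this may already be handled; if it is not, set `CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }` so a redirect is scored as a non-2xx result instead of being followed. buildProbeRequest starts and ends outside the hunk.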
From: Adam Fisk Date: Tue, 19 May 2026 07:57:33 -0600 Subject: [PATCH 06/21] =?UTF-8?q?fronted/scanner:=20CloudFront=20probes=20?= =?UTF-8?q?=E2=80=94=20no=20SNI,=20verify=20InnerHost?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CloudFront fronting works when the client sends no SNI extension and keeps the inner Host in the request. The TLS handshake completes with CloudFront's default *.cloudfront.net cert (or a customer cert pinned to that edge); CloudFront then routes by inner Host alone since no SNI claims a different distribution. Sending a non-empty SNI triggered HTTP 421 "Misdirected Request" because CloudFront strictly enforces SNI/Host match — exactly the behavior the earlier 0% hit rate exposed. Production's fronted.yaml.gz CloudFront masquerades have always shipped with sni: "" for the same reason; the bug was in my scanner's CloudFrontCandidates setting SNI = masquerade-domain. Two changes in CloudFrontCandidates: - SNI: "" (was masquerade-domain) — sidesteps 421 enforcement. - VerifyHostname: InnerHost (was masquerade-domain) — when no SNI, CloudFront serves either the *.cloudfront.net default cert (which wildcards the inner Host) or a customer-pinned cert. Verifying against InnerHost filters to the former, where cross-distribution Host routing actually reaches our backend. Verifying against the masquerade-domain rejected the wildcard cert and lost the working cases. Live-network results after the fix: - CloudFront random sampling: 1-3/30 working (3-8%) — was 0/30. The hit rate is structural (POP-vs-distribution coverage); each hit is an edge that genuinely routes to our distribution. - Akamai: 100% unchanged. - Time to first working front: 149ms. --- fronted/scanner/cloudfront.go | 33 ++++++++++++++++++------------ fronted/scanner/cloudfront_test.go | 7 +++++-- 2 files changed, 25 insertions(+), 15 deletions(-) 
diff --git a/fronted/scanner/cloudfront.go b/fronted/scanner/cloudfront.go
index bc864390..c40a30d5 100644
--- a/fronted/scanner/cloudfront.go
+++ b/fronted/scanner/cloudfront.go
@@ -43,17 +43,18 @@ func CloudFrontPrefixes() ([]netip.Prefix, error) {
 }
 
 // CloudFrontCandidates produces n probe candidates by pairing IPs sampled
-// from the embedded CloudFront IP range with outer SNIs randomly drawn
-// from snis.
+// from the embedded CloudFront IP range with masquerade domains randomly
+// drawn from snis (used post-handshake for cert verification, not as
+// outer SNI).
 //
-// Expect a hit rate below 100%: CloudFront edges serve a subset of
-// distributions per POP, so an arbitrary (IP, outer SNI) pair only
-// connects when that POP serves both the outer SNI's distribution and
-// the inner-Host distribution. The probe filters the survivors.
+// Outer SNI is left empty. CloudFront's strict SNI/Host enforcement
+// returns HTTP 421 when SNI and inner Host belong to different
+// distributions; sending no SNI extension at all sidesteps that check
+// (no SNI = nothing to mismatch) and lets the edge route by inner
+// Host alone. Matches the sni: "" pattern in fronted.yaml.gz.
 //
-// snis should list CloudFront-fronted hostnames known to be globally
-// served (Price Class All) — the masquerade domains in fronted.yaml.gz
-// are the natural source.
+// snis is used as the post-handshake VerifyHostname — the served cert
+// is expected to be valid for one of the listed masquerade domains.
 func CloudFrontCandidates(n int, snis []string, testURL, innerHost string) ([]Candidate, error) {
 if n <= 0 {
 return nil, nil
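Review bot: The rewritten doc comment says `snis` supplies the post-handshake VerifyHostname and that the served cert must be valid for one of the listed masquerade domains, but the next hunk of this file sets `VerifyHostname: innerHost` and uses `sni` only for `Domain`. A reader relying on the comment would misjudge which name the certificate is checked against. Suggested last paragraph: `// snis only populates Candidate.Domain; the served certificate is verified against innerHost.`, and drop "used post-handshake for cert verification" from the first paragraph. The function body continues outside this hunk.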
@@ -78,11 +79,17 @@ func CloudFrontCandidates(n int, snis []string, testURL, innerHost string) ([]Ca } sni := snis[sniIdx.Int64()] out = append(out, Candidate{ - Provider: "cloudfront", - Domain: sni, + Provider: "cloudfront", + Domain: sni, + // VerifyHostname is the inner Host — when no SNI is sent, + // CloudFront serves either the *.cloudfront.net default + // cert (which covers the inner Host by wildcard) or a + // customer-specific cert pinned to this edge's distribution. + // Verifying against the inner Host filters to the former, + // which is the case where our cross-distribution Host + // header routing actually works. IPAddress: ip, - SNI: sni, - VerifyHostname: sni, + VerifyHostname: innerHost, TestURL: testURL, InnerHost: innerHost, }) diff --git a/fronted/scanner/cloudfront_test.go b/fronted/scanner/cloudfront_test.go index d3f69658..685a8601 100644 --- a/fronted/scanner/cloudfront_test.go +++ b/fronted/scanner/cloudfront_test.go @@ -78,8 +78,11 @@ func TestCloudFrontCandidates(t *testing.T) { if !allowedSNI[c.Domain] { t.Errorf("Domain = %q; not in input SNI list", c.Domain) } - if c.Domain != c.VerifyHostname { - t.Errorf("VerifyHostname = %q; want = Domain %q", c.VerifyHostname, c.Domain) + if c.SNI != "" { + t.Errorf("SNI should be empty (no SNI sent); got %q", c.SNI) + } + if c.VerifyHostname != "api.iantem.io" { + t.Errorf("VerifyHostname = %q; want = InnerHost %q", c.VerifyHostname, "api.iantem.io") } if net.ParseIP(c.IPAddress) == nil { t.Errorf("bad IP %q", c.IPAddress) From fe676af5040d98038ab26974c73f34dd70f3b01a Mon Sep 17 00:00:00 2001 
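Review bot: The new in-literal comment says the `*.cloudfront.net` default cert "covers the inner Host by wildcard", which only holds when innerHost is itself a cloudfront.net name; the test in this commit passes `api.iantem.io`, which that wildcard cannot match. With `VerifyHostname: innerHost` a probe can then only pass when the edge presents a certificate naming innerHost, so the comment describes the opposite filter from the one the code applies (assuming Probe does standard hostname verification, which is not visible here). The comment also sits above `IPAddress: ip` rather than the `VerifyHostname` line it explains. An empty innerHost now yields an empty VerifyHostname; a guard such as `if innerHost == "" { return nil, errors.New("scanner: innerHost is required") }` at the top of the function would keep a candidate from reaching Probe with no name to verify. The enclosing function starts before this hunk.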
From: Adam Fisk Date: Tue, 19 May 2026 12:32:38 -0600 Subject: [PATCH 07/21] vpn,kindling/meek: inject meek outbound into running sing-box MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds the radiance-side wiring that takes a FrontSpec list (from the fronted/scanner Service via kindling/meek.Provider) and turns it into a sing-box outbound the live tunnel can route through. Two pieces: 1. kindling/meek.BuildOutbound(tag, url, fronts) constructs a sing-box O.Outbound with Type="meek" and a local MeekOutboundOptions struct whose JSON shape mirrors lantern-box/option.MeekOutboundOptions exactly. The local copy sidesteps the lantern-box version-coupling: lantern-box v0.0.82 doesn't have the meek outbound type registered, so we can't import lbO.MeekOutboundOptions today. Once the lantern-box bump lands the local copy + MeekOutboundType constant can be replaced one-for-one with the upstream symbols. Returns ok=false when fronts is empty so callers skip injection when the scanner hasn't produced anything yet. 2. vpn.BoxOptions gains an optional MeekOutbound *O.Outbound field. buildOptions injects it into Outbounds and appends its Tag to the selector tags list immediately after mergeAndCollectTags (and before the auto/manual selector outbounds are built) so the meek outbound participates in routing alongside API-supplied ones. Nil = no-op, no behavior change for callers that don't set it. Until lantern-box's meek type is registered in radiance's pinned version, setting MeekOutbound is a no-op end-to-end — libbox will reject the unknown "meek" type at config unmarshal. The wiring is ready; activation flips when (a) lantern-box bumps and (b) the caller (whoever owns the VPNClient) populates MeekOutbound from a meek.Provider's FrontSpecs. 
Tests: 2 new in kindling/meek (BuildOutbound empty-fronts/shape), 2 new in vpn (MeekInjection/MeekOmittedWhenNil) confirming the selector tag list includes the meek tag and Outbounds is augmented correctly. --- kindling/meek/provider.go | 47 ++++++++++++++++++++++++++++++++ kindling/meek/provider_test.go | 34 +++++++++++++++++++++++ vpn/boxoptions.go | 11 ++++++++ vpn/boxoptions_test.go | 50 ++++++++++++++++++++++++++++++++++ 4 files changed, 142 insertions(+) diff --git a/kindling/meek/provider.go b/kindling/meek/provider.go index 5d3da0ae..95e503ff 100644 --- a/kindling/meek/provider.go +++ b/kindling/meek/provider.go @@ -13,6 +13,7 @@ import ( "time" "github.com/getlantern/domainfront" + sbo "github.com/sagernet/sing-box/option" "github.com/getlantern/radiance/bypass" "github.com/getlantern/radiance/fronted/scanner" 
@@ -20,6 +21,52 @@ import ( var errNilConfig = errors.New("meek: ProviderConfig.Config is nil") +// MeekOutboundOptions mirrors lantern-box/option.MeekOutboundOptions +// kept local to avoid version-coupling radiance to lantern-box's release +// cadence. The JSON tags are identical, so once lantern-box ships meek +// and radiance bumps the dep, drop this copy and import the upstream +// type directly. +type MeekOutboundOptions struct { + sbo.DialerOptions + + URL string `json:"url"` + Fronts []FrontSpec `json:"fronts"` + Header map[string]string `json:"header,omitempty"` + + PollIntervalMs int `json:"poll_interval_ms,omitempty"` + MaxBodyBytes int `json:"max_body_bytes,omitempty"` + SessionIDLen int `json:"session_id_len,omitempty"` + ConnectTimeout string `json:"connect_timeout,omitempty"` + ReadTimeout string `json:"read_timeout,omitempty"` +} + +// MeekOutboundType is the sing-box outbound type string. Matches +// lantern-box/constant.TypeMeek. Stringified so radiance doesn't have +// to import a version of lantern-box that registers meek. +const MeekOutboundType = "meek" + +// BuildOutbound returns a sing-box outbound for the meek transport with +// the given tag, meek-server URL, and front pool. The returned Outbound +// can be appended directly to O.Options.Outbounds; selector groups can +// reference it by tag. +// +// Returns ok=false when fronts is empty — without at least one front, +// the meek outbound has nothing to dial and would fail at first use. +// Callers should skip injection in that case. +func BuildOutbound(tag, url string, fronts []FrontSpec) (sbo.Outbound, bool) { + if len(fronts) == 0 { + return sbo.Outbound{}, false + } + return sbo.Outbound{ + Type: MeekOutboundType, + Tag: tag, + Options: &MeekOutboundOptions{ + URL: url, + Fronts: fronts, + }, + }, true +} + // FrontSpec mirrors lantern-box/option.FrontSpec; kept local to avoid // version-coupling radiance's release cadence to lantern-box's. type FrontSpec struct { 
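Review bot: BuildOutbound only rejects an empty front list, so an empty `tag` or `url` still returns ok=true; buildOptions later in this patch skips an outbound whose Tag is empty without logging, and a bad URL would only surface when the transport first dials. Extending the guard to `if len(fronts) == 0 || tag == "" || url == "" {` keeps the ok flag meaningful for callers. `Fronts: fronts` also stores the caller's slice, so a later mutation by the provider would show up inside the built outbound; copying it with `append([]FrontSpec(nil), fronts...)` avoids that aliasing.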
diff --git a/kindling/meek/provider_test.go b/kindling/meek/provider_test.go index 2a2051a9..4d01b597 100644 --- a/kindling/meek/provider_test.go +++ b/kindling/meek/provider_test.go @@ -43,6 +43,40 @@ func TestResultsToFrontSpecs_PreservesOrderAndShape(t *testing.T) { } } +func TestBuildOutbound_EmptyFrontsReturnsFalse(t *testing.T) { + _, ok := BuildOutbound("meek", "https://meek.example/meek", nil) + if ok { + t.Errorf("expected ok=false when fronts is empty") + } +} + +func TestBuildOutbound_ShapesOutbound(t *testing.T) { + fronts := []FrontSpec{ + {IPAddress: "1.2.3.4", VerifyHostname: "a248.e.akamai.net"}, + {IPAddress: "99.84.2.4", SNI: "aa1.awsstatic.com", VerifyHostname: "aa1.awsstatic.com"}, + } + out, ok := BuildOutbound("meek-fronted", "https://meek.example/", fronts) + if !ok { + t.Fatalf("BuildOutbound returned ok=false") + } + if out.Type != "meek" { + t.Errorf("Type = %q; want meek", out.Type) + } + if out.Tag != "meek-fronted" { + t.Errorf("Tag = %q", out.Tag) + } + mo, isMeek := out.Options.(*MeekOutboundOptions) + if !isMeek { + t.Fatalf("Options is %T; want *MeekOutboundOptions", out.Options) + } + if mo.URL != "https://meek.example/" { + t.Errorf("URL = %q", mo.URL) + } + if len(mo.Fronts) != 2 { + t.Errorf("Fronts length = %d; want 2", len(mo.Fronts)) + } +} + func TestResultsToFrontSpecs_LimitsToN(t *testing.T) { working := []scanner.Result{ {Candidate: scanner.Candidate{IPAddress: "1.1.1.1"}, Status: 200}, diff --git a/vpn/boxoptions.go b/vpn/boxoptions.go index cda33b58..d5806c63 100644 --- a/vpn/boxoptions.go +++ b/vpn/boxoptions.go 
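Review bot: TestBuildOutbound_ShapesOutbound checks Go fields only, while the stated reason MeekOutboundOptions exists is that its JSON must match the upstream type. A `json.Marshal(mo)` assertion on the expected keys (`url`, `fronts`, and the `omitempty` fields being absent at their zero value) would catch a tag drift or an unexpected interaction with the embedded `sbo.DialerOptions`.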
@@ -83,6 +83,12 @@ type BoxOptions struct { // prior latency results survive across tunnel close/open. Keyed by // outbound/endpoint tag. URLTestSeed map[string]adapter.URLTestHistory `json:"-"` + // MeekOutbound is an optional client-built outbound (typically the + // domain-fronted meek transport). When non-nil, buildOptions appends + // it to Outbounds and includes its Tag in the selector groups so it + // participates in auto/manual routing alongside API-supplied ones. + // Nil = no-op; safe to leave unset. + MeekOutbound *O.Outbound `json:"-"` } // baseOpts returns the minimum sing-box options required for the tunnel to @@ -341,6 +347,11 @@ func buildOptions(bOptions BoxOptions) (O.Options, error) { } tags := mergeAndCollectTags(&opts, &bOptions.Options) + if bOptions.MeekOutbound != nil && bOptions.MeekOutbound.Tag != "" { + opts.Outbounds = append(opts.Outbounds, *bOptions.MeekOutbound) + tags = append(tags, bOptions.MeekOutbound.Tag) + slog.Info("Injected meek outbound", slog.String("tag", bOptions.MeekOutbound.Tag)) + } initial := bOptions.InitialServer if initial == "" || initial == AutoSelectTag { opts.Experimental.ClashAPI.DefaultMode = AutoSelectTag diff --git a/vpn/boxoptions_test.go b/vpn/boxoptions_test.go index 6b4ef59c..e2b212ef 100644 --- a/vpn/boxoptions_test.go +++ b/vpn/boxoptions_test.go 
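Review bot: The injection in buildOptions appends the meek outbound without checking whether `tags` already holds its tag, so an API-supplied outbound with the same name (the backend later uses the fixed tag `meek-fronted`) would leave two outbounds sharing one tag. It also drops a non-nil MeekOutbound with an empty Tag silently. I would skip with a warning in both cases, e.g. `slog.Warn("meek outbound skipped", slog.String("reason", "empty or duplicate tag"))`. Per the commit message the pinned libbox rejects the unknown "meek" type at config unmarshal; if that rejection fails the whole config rather than the one outbound, setting this field takes the other outbounds down with it, which is worth stating in the BoxOptions.MeekOutbound comment. buildOptions starts and ends outside the hunk.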
@@ -218,6 +218,56 @@ func testConfig(t *testing.T) config.Config { return cfg } +func TestBuildOptions_MeekInjection(t *testing.T) { + options, _ := testBoxOptions(t) + + meek := &O.Outbound{ + Type: "meek", + Tag: "meek-fronted", + } + opts, err := buildOptions(BoxOptions{ + BasePath: t.TempDir(), + Options: options, + MeekOutbound: meek, + }) + require.NoError(t, err) + + var foundMeek bool + for _, o := range opts.Outbounds { + if o.Tag == "meek-fronted" && o.Type == "meek" { + foundMeek = true + break + } + } + assert.True(t, foundMeek, "meek outbound should be present in Outbounds") + + var autoSelector *O.Outbound + for i, o := range opts.Outbounds { + if o.Tag == AutoSelectTag { + autoSelector = &opts.Outbounds[i] + break + } + } + require.NotNil(t, autoSelector, "auto selector should exist") + autoOpts, ok := autoSelector.Options.(*lbO.MutableURLTestOutboundOptions) + require.True(t, ok, "auto selector Options should be MutableURLTestOutboundOptions") + assert.Contains(t, autoOpts.Outbounds, "meek-fronted", "auto selector should reference meek tag") +} + +func TestBuildOptions_MeekOmittedWhenNil(t *testing.T) { + options, _ := testBoxOptions(t) + + opts, err := buildOptions(BoxOptions{ + BasePath: t.TempDir(), + Options: options, + }) + require.NoError(t, err) + + for _, o := range opts.Outbounds { + assert.NotEqual(t, "meek", o.Type, "no meek outbound should be present when MeekOutbound is nil") + } +} + func testBoxOptions(t *testing.T) (O.Options, []string) { cfg := testConfig(t) var tags []string From 7a9ceb032ab9ce77e93307069658c41145022d98 Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Sat, 23 May 2026 08:59:38 -0600 Subject: [PATCH 08/21] meek: add DefaultURL constant for production endpoint Single source of truth for the meek-server URL the production wiring will dial through Akamai. End-to-end verified 2026-05-23: domain-fronted POST returns the echoed payload in ~470ms. --- kindling/meek/provider.go | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/kindling/meek/provider.go b/kindling/meek/provider.go index 95e503ff..7ec5645b 100644 --- a/kindling/meek/provider.go +++ b/kindling/meek/provider.go @@ -45,6 +45,11 @@ type MeekOutboundOptions struct { // to import a version of lantern-box that registers meek. const MeekOutboundType = "meek" +// DefaultURL is the inner Host header sent through the meek tunnel. +// It is never resolved or dialed; callers supply the real SNI and dial +// target via FrontSpec. +const DefaultURL = "https://meek.dsa.akamai.getiantem.org/" + // BuildOutbound returns a sing-box outbound for the meek transport with // the given tag, meek-server URL, and front pool. The returned Outbound // can be appended directly to O.Options.Outbounds; selector groups can From 46789b7cd6ae5d9d450fedc5e4f5985801ff3096 Mon Sep 17 00:00:00 2001 
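Review bot: The comment on DefaultURL calls it "the inner Host header" and says it is "never resolved or dialed", but the constant is a full https URL, BuildOutbound's doc calls the same argument the meek-server URL, and the commit message describes it as the endpoint the production wiring dials through Akamai. Suggested wording: `// DefaultURL is the production meek-server URL; its host is sent as the inner Host header, while the TCP/TLS endpoint comes from the selected FrontSpec.` Whether the transport really never resolves this hostname is not visible in this hunk and should be confirmed against the meek dialer before the comment promises it.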
From: Adam Fisk Date: Sun, 24 May 2026 08:00:28 -0600 Subject: [PATCH 09/21] iran: add LikelyIran device-local heuristic for meek activation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Meek is heavier than other transports, so it is opt-in by region. The detection runs without network access since the Lantern API may be unreachable exactly when an Iranian user starts the app. Decision: network MCC (Android TelephonyManager.getNetworkOperator()) when available is authoritative — it reflects which cell tower the device is currently camped on, real-time and unspoofable. This is the strongest available "in Iran right now" signal and correctly classifies an Iranian-diaspora user keeping Asia/Tehran on their phone in Berlin as not-in-Iran (their network MCC is 262, Germany). When MCC is unavailable (WiFi-only, no signal, iOS 16+ where Apple deprecated CTCarrier.mobileCountryCode) the function falls back to tzName == "Asia/Tehran" alone. The host plumbing for MCC (Flutter → backend.Options or settings) is deferred — this commit ships the pure-Go detection plus tests so the contract is reviewable independently. --- kindling/iran/detect.go | 34 ++++++++++++++ kindling/iran/detect_test.go | 87 ++++++++++++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) create mode 100644 kindling/iran/detect.go create mode 100644 kindling/iran/detect_test.go diff --git a/kindling/iran/detect.go b/kindling/iran/detect.go new file mode 100644 index 00000000..934b8be7 --- /dev/null +++ b/kindling/iran/detect.go 
@@ -0,0 +1,34 @@ +// Package iran provides device-local detection of whether the user is +// currently in Iran. Designed to run without any network access since +// the Lantern API may be unreachable exactly when the heuristic is +// needed. Classification is imperfect; callers should expose a manual +// override. +package iran + +import "time" + +// IranMCC is the ITU-T E.212 Mobile Country Code for Iran. +const IranMCC = "432" + +// IranTZName is the IANA timezone identifier for Iran. +const IranTZName = "Asia/Tehran" + +// LikelyIran reports whether on-device signals suggest the user is in +// Iran. When mcc is non-empty it is authoritative and overrides +// tzName; when empty (WiFi-only, no signal, iOS 16+) the function +// falls back to tzName alone. +func LikelyIran(mcc, tzName string) bool { + if mcc != "" { + return mcc == IranMCC + } + return tzName == IranTZName +} + +// LocalTZName returns the process's system timezone in IANA name +// form, or "" when no zone could be determined. +func LocalTZName() string { + if time.Local == nil { + return "" + } + return time.Local.String() +} diff --git a/kindling/iran/detect_test.go b/kindling/iran/detect_test.go new file mode 100644 index 00000000..014162c6 --- /dev/null +++ b/kindling/iran/detect_test.go 
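Review bot: LocalTZName returns `time.Local.String()`, which is the literal "Local" whenever Go loads the zone from the system default (TZ unset), not an IANA name. In that case `tzName == IranTZName` in LikelyIran can never be true, so the no-MCC fallback the package doc relies on is inert, and `time.Local == nil` is not a state the runtime produces on its own. The host already passes MCC; passing the platform's IANA zone id the same way, and documenting this helper as `// LocalTZName returns time.Local's name, which is "Local" unless TZ names a zone; it is not a reliable IANA id.`, would make the fallback real. LikelyIran also treats any non-empty mcc that is not exactly "432" as authoritative, so a padded or longer operator string disables the fallback; trimming and length-checking before the comparison would avoid that.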
@@ -0,0 +1,87 @@ +package iran + +import "testing" + +func TestLikelyIran(t *testing.T) { + cases := []struct { + name string + mcc string + tzName string + want bool + }{ + { + name: "MCC=432 (Iranian network) alone", + mcc: "432", + tzName: "", + want: true, + }, + { + name: "MCC=432 overrides non-Tehran TZ (Iranian roaming in from US)", + mcc: "432", + tzName: "America/Los_Angeles", + want: true, + }, + { + name: "MCC=310 (US network) overrides Tehran TZ (diaspora user)", + mcc: "310", + tzName: IranTZName, + want: false, + }, + { + name: "MCC=262 (Germany) overrides Tehran TZ (Iranian student in Berlin)", + mcc: "262", + tzName: IranTZName, + want: false, + }, + { + name: "MCC=424 (UAE) overrides Tehran TZ", + mcc: "424", + tzName: IranTZName, + want: false, + }, + { + name: "no MCC, TZ=Tehran (iOS / WiFi-only in Iran)", + mcc: "", + tzName: IranTZName, + want: true, + }, + { + name: "no MCC, TZ=non-Tehran", + mcc: "", + tzName: "America/Los_Angeles", + want: false, + }, + { + name: "no MCC, TZ=UTC (containerized / default)", + mcc: "", + tzName: "UTC", + want: false, + }, + { + name: "no MCC, no TZ", + mcc: "", + tzName: "", + want: false, + }, + { + name: "empty-but-not-nil MCC treated as absent", + mcc: "", + tzName: IranTZName, + want: true, + }, + } + for _, tc := range cases { + t.Run(tc.name, func(t *testing.T) { + if got := LikelyIran(tc.mcc, tc.tzName); got != tc.want { + t.Errorf("LikelyIran(%q, %q) = %v, want %v", + tc.mcc, tc.tzName, got, tc.want) + } + }) + } +} + +// LocalTZName depends on the test host's timezone, so we can only +// assert the contract: it returns a string and never panics. +func TestLocalTZName_NoPanic(t *testing.T) { + _ = LocalTZName() +} From 3fb4beed299f6101410d146f2a25aeeb0fedd18c Mon Sep 17 00:00:00 2001 
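Review bot: The last table case, "empty-but-not-nil MCC treated as absent", has the same inputs and expectation as "no MCC, TZ=Tehran" — a Go string cannot be nil, so it adds no coverage. A more useful case would pin the behaviour for a malformed MCC such as `" 432"` or `"43211"`, which LikelyIran currently classifies as not-Iran without consulting tzName. TestLocalTZName_NoPanic asserts nothing about the returned value, so it would not notice the helper returning "Local" instead of an IANA name.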
From: Adam Fisk Date: Sun, 24 May 2026 08:37:46 -0600 Subject: [PATCH 10/21] backend: wire MCC + activate meek scanner when likelyIran MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds device-local opt-in for the meek transport. The pure-Go classifier shipped earlier (kindling/iran) is now consulted at backend startup and, when it returns true, the meek front scanner is launched in the background. Plumbing: - backend.Options gains an MCC field; the host (Flutter) passes the network MCC string it reads from TelephonyManager. Empty on WiFi-only, between-tower, or iOS 16+ (where Apple deprecated CTCarrier-based MCC access). Stored under settings.MCCKey. - kindling/fronted exposes LoadCachedConfig so the meek provider can consume the *domainfront.Config independently of a full domainfront.Client lifecycle. Skips the live fetch and falls back to the embedded copy — the meek path must work even when the Lantern API is unreachable. - LocalBackend.maybeStartMeek runs the classifier; on a positive result it loads the fronted config, constructs a meek.Provider with default sampling, starts its scanner, and stores the provider on an atomic pointer. Shutdown is wired through shutdownFuncs. - getBoxOptions reads the provider atomically; when present it builds the meek outbound (tag "meek-fronted", URL meek.DefaultURL, 3 fronts) and sets BoxOptions.MeekOutbound, which the existing vpn/boxoptions.go injection point appends to the sing-box outbounds + selector tags. A slow scanner startup cannot block VPN connects: until the provider populates, getBoxOptions simply omits the meek outbound and the bandit will pick it up on the next reconnect. --- backend/radiance.go | 50 +++++++++++++++++++++++++++++++++++++ common/settings/settings.go | 1 + kindling/fronted/fronted.go | 8 ++++++ 3 files changed, 59 insertions(+) diff --git a/backend/radiance.go b/backend/radiance.go index 8ea01106..e9c37a71 100644 --- a/backend/radiance.go 
+++ b/backend/radiance.go @@ -13,6 +13,7 @@ import ( "slices" "strings" "sync" + "sync/atomic" "time" @@ -34,6 +35,9 @@ import ( "github.com/getlantern/radiance/internal" "github.com/getlantern/radiance/issue" "github.com/getlantern/radiance/kindling" + "github.com/getlantern/radiance/kindling/fronted" + "github.com/getlantern/radiance/kindling/iran" + "github.com/getlantern/radiance/kindling/meek" "github.com/getlantern/radiance/log" "github.com/getlantern/radiance/servers" "github.com/getlantern/radiance/telemetry" @@ -77,6 +81,13 @@ type LocalBackend struct { stopURLTestListener context.CancelFunc urlTestMu sync.Mutex + + // meekProvider is non-nil only when the device is classified as + // likely in Iran. getBoxOptions reads it atomically so a slow + // scanner startup can't block VPN connects: the meek outbound is + // absent from the first connect and present once the scanner + // populates it. + meekProvider atomic.Pointer[meek.Provider] } type Options struct { @@ -87,6 +98,11 @@ type Options struct { // this should be the platform device ID on mobile devices, desktop platforms will generate their // own device ID and ignore this value DeviceID string + // MCC is the network Mobile Country Code reported by the cellular + // stack (Android: first 3 chars of TelephonyManager.getNetworkOperator()). + // Empty on WiFi-only, between-tower, or platforms that don't expose it. + // Used to gate activation of the heavier meek transport. + MCC string // User choice for telemetry consent TelemetryConsent bool PlatformInterface vpn.PlatformInterface @@ -135,6 +151,7 @@ func NewLocalBackend(ctx context.Context, opts Options) (*LocalBackend, error) { settings.Patch(settings.Settings{ settings.LocaleKey: opts.Locale, settings.DeviceIDKey: platformDeviceID, + settings.MCCKey: opts.MCC, settings.ConfigFetchDisabledKey: disableFetch, settings.TelemetryKey: opts.TelemetryConsent, }) 
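Review bot: `settings.MCCKey: opts.MCC` in NewLocalBackend persists the host-supplied string unvalidated, and maybeStartMeek later treats any non-empty value as authoritative. Normalising it once here — accept only three ASCII digits, otherwise store "" so the timezone fallback applies — keeps a malformed host value from silently disabling meek. The value is also a coarse location signal written to the settings store; if settings are ever attached to issue reports or telemetry (not visible in this hunk), it should be excluded there and that noted on the Options.MCC field. NewLocalBackend starts and ends outside the hunk.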
@@ -205,6 +222,8 @@ func (r *LocalBackend) Start() { } }() + r.maybeStartMeek() + if settings.GetBool(settings.TelemetryKey) { if err := r.startTelemetry(); err != nil { slog.Error("Failed to start telemetry", "error", err) @@ -696,6 +715,32 @@ func (r *LocalBackend) runURLTestListener(ctx context.Context, storage vpn.URLTe } } +func (r *LocalBackend) maybeStartMeek() { + if !iran.LikelyIran(settings.GetString(settings.MCCKey), iran.LocalTZName()) { + return + } + go func() { + dataDir := settings.GetString(settings.DataPathKey) + cfg, err := fronted.LoadCachedConfig(dataDir) + if err != nil { + slog.Warn("meek: failed to load fronted config", "err", err) + return + } + p, err := meek.NewProvider(meek.ProviderConfig{ + Config: cfg, + CacheFile: filepath.Join(dataDir, "meek_fronts_cache.json"), + }) + if err != nil { + slog.Warn("meek: NewProvider failed", "err", err) + return + } + p.Start(r.ctx) + r.meekProvider.Store(p) + r.shutdownFuncs = append(r.shutdownFuncs, func() error { return p.Close() }) + slog.Info("meek: scanner started") + }() +} + func (r *LocalBackend) flushURLTestResults(storage vpn.URLTestHistoryStorage) { results := make(map[string]servers.URLTestResult) for _, srv := range r.srvManager.AllServers() { @@ -773,6 +818,11 @@ func (r *LocalBackend) getBoxOptions() vpn.BoxOptions { if len(seed) > 0 { bOptions.URLTestSeed = seed } + if p := r.meekProvider.Load(); p != nil { + if out, ok := meek.BuildOutbound("meek-fronted", meek.DefaultURL, p.FrontSpecs(3)); ok { + bOptions.MeekOutbound = &out + } + } return bOptions } diff --git a/common/settings/settings.go b/common/settings/settings.go index 23ef0c59..5369db44 100644 --- a/common/settings/settings.go +++ b/common/settings/settings.go 
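Review bot: In maybeStartMeek the background goroutine appends to `r.shutdownFuncs`, a plain slice field, so the append can race with any other goroutine that reads or appends to it — shutdown included — unless a lock not visible in this hunk guards it. If shutdown runs before the goroutine reaches the append, the provider is started and never closed. Registering the closer synchronously, before `go func()`, and having it read the atomic pointer removes the unsynchronised write; checking `r.ctx.Err()` after `Store` would cover a shutdown that lands in between.
```go
func (r *LocalBackend) maybeStartMeek() {
	// … unchanged: iran.LikelyIran gate …

	// Registered on the caller's goroutine so shutdownFuncs is never
	// appended to concurrently; the closer is a no-op until Store runs.
	r.shutdownFuncs = append(r.shutdownFuncs, func() error {
		if p := r.meekProvider.Load(); p != nil {
			return p.Close()
		}
		return nil
	})
	go func() {
		// … unchanged: LoadCachedConfig, NewProvider, p.Start, r.meekProvider.Store(p) …
		slog.Info("meek: scanner started")
	}()
}
```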
@@ -33,6 +33,7 @@ const ( CountryCodeKey _key = "country_code" // string LocaleKey _key = "locale" // string DeviceIDKey _key = "device_id" // string/int + MCCKey _key = "mcc" // string // Application behavior related keys. TelemetryKey _key = "telemetry_enabled" // bool diff --git a/kindling/fronted/fronted.go b/kindling/fronted/fronted.go index 6eab3b9f..8ec5873e 100644 --- a/kindling/fronted/fronted.go +++ b/kindling/fronted/fronted.go @@ -147,3 +147,11 @@ func loadCachedConfig(path string, fetchErr error) (*domainfront.Config, error) slog.Warn("using embedded fronted config", "fetch_err", fetchErr) return cfg, nil } + +// LoadCachedConfig returns the *domainfront.Config from the on-disk +// cache under dataDir, falling back to the embedded copy. Skips the +// live fetch, for consumers that want the config without taking on a +// full domainfront.Client lifecycle. +func LoadCachedConfig(dataDir string) (*domainfront.Config, error) { + return loadCachedConfig(filepath.Join(dataDir, configCacheName), nil) +} From 7c0423ada0eff29d47ee8024eb626b3889a47ef7 Mon Sep 17 00:00:00 2001 
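Review bot: LoadCachedConfig passes a nil fetchErr into loadCachedConfig, whose visible tail logs `slog.Warn("using embedded fronted config", "fetch_err", fetchErr)`; on this path the warning carries a nil fetch_err and reads like a failed fetch that never happened. The doc comment should say so, or the helper should log without that attribute when fetchErr is nil. An empty dataDir also makes `filepath.Join(dataDir, configCacheName)` a path relative to the working directory, and maybeStartMeek passes `settings.GetString(settings.DataPathKey)` through unchecked; returning an error for `dataDir == ""` would keep the cache lookup from landing in an unintended directory. Most of loadCachedConfig lies outside this hunk.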
From: Adam Fisk Date: Sun, 24 May 2026 09:09:51 -0600 Subject: [PATCH 11/21] backend: add RADIANCE_FORCE_MEEK_ONLY env override for local testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Lets a developer bypass the iran.LikelyIran heuristic and route ALL VPN traffic through meek, useful for testing the transport from outside Iran. When set: - maybeStartMeek launches the scanner regardless of MCC/TZ - getBoxOptions returns a stripped-down config with meek as the sole outbound and InitialServer pinned to its tag — API-provided outbounds, bandit selector arms, and smart routing are all omitted, so traffic must traverse meek or fail Usage: RADIANCE_FORCE_MEEK_ONLY=1 ./ If the scanner hasn't found working fronts yet (typical for a few seconds after launch), getBoxOptions returns empty options and the connect fails; retry after a few seconds. --- backend/radiance.go | 34 ++++++++++++++++++++++++++++++++-- common/env/env.go | 5 +++++ 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/backend/radiance.go b/backend/radiance.go index e9c37a71..ad6fabed 100644 --- a/backend/radiance.go +++ b/backend/radiance.go @@ -716,7 +716,8 @@ func (r *LocalBackend) runURLTestListener(ctx context.Context, storage vpn.URLTe } func (r *LocalBackend) maybeStartMeek() { - if !iran.LikelyIran(settings.GetString(settings.MCCKey), iran.LocalTZName()) { + force := env.GetBool(env.ForceMeekOnly) + if !force && !iran.LikelyIran(settings.GetString(settings.MCCKey), iran.LocalTZName()) { return } go func() { @@ -737,7 +738,7 @@ func (r *LocalBackend) maybeStartMeek() { p.Start(r.ctx) r.meekProvider.Store(p) r.shutdownFuncs = append(r.shutdownFuncs, func() error { return p.Close() }) - slog.Info("meek: scanner started") + slog.Info("meek: scanner started", "forced", force) }() } 
@@ -782,6 +783,9 @@ func (r *LocalBackend) ConnectVPN(tag string) error { } func (r *LocalBackend) getBoxOptions() vpn.BoxOptions { + if env.GetBool(env.ForceMeekOnly) { + return r.meekOnlyBoxOptions() + } // ignore error, we can still connect with default options if config is not available for some reason cfg, _ := r.confHandler.GetConfig() bOptions := vpn.BoxOptions{ @@ -826,6 +830,32 @@ func (r *LocalBackend) getBoxOptions() vpn.BoxOptions { return bOptions } +// meekOnlyBoxOptions returns a stripped-down config in which meek is +// the sole outbound and InitialServer pins it. All API-provided +// outbounds, bandit configuration, and selector arms are omitted — +// VPN traffic must traverse meek or fail. Used when env.ForceMeekOnly +// is set (local testing). When the scanner hasn't produced fronts +// yet the meek outbound is absent; Connect will fail and the user +// retries after a few seconds. +func (r *LocalBackend) meekOnlyBoxOptions() vpn.BoxOptions { + bOptions := vpn.BoxOptions{ + BasePath: settings.GetString(settings.DataPathKey), + } + p := r.meekProvider.Load() + if p == nil { + slog.Warn("meek-only mode: provider not yet ready, returning empty options") + return bOptions + } + out, ok := meek.BuildOutbound("meek-fronted", meek.DefaultURL, p.FrontSpecs(3)) + if !ok { + slog.Warn("meek-only mode: scanner has no working fronts yet") + return bOptions + } + bOptions.MeekOutbound = &out + bOptions.InitialServer = out.Tag + return bOptions +} + func (r *LocalBackend) DisconnectVPN() error { return r.vpnClient.Disconnect() } diff --git a/common/env/env.go b/common/env/env.go index 5b2dcba2..4b440a65 100644 --- a/common/env/env.go +++ b/common/env/env.go 
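Review bot: meekOnlyBoxOptions documents that "VPN traffic must traverse meek or fail", but both not-ready branches return a BoxOptions with only BasePath set and no error, so that guarantee rests on buildOptions refusing to bring up a tunnel from base options alone, which is not visible here. If the base options include a usable outbound, forced mode would connect without meek. getBoxOptions has no error return, so the simplest fix is for ConnectVPN (its body is outside this hunk) to test `env.GetBool(env.ForceMeekOnly) && bOptions.MeekOutbound == nil` and return an error before connecting.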
@@ -29,6 +29,11 @@ var ( Country _key = "RADIANCE_COUNTRY" FeatureOverrides _key = "RADIANCE_FEATURE_OVERRIDES" AppVersion _key = "RADIANCE_VERSION" + // ForceMeekOnly, when truthy, makes radiance start the meek front + // scanner regardless of region detection and routes all traffic + // through meek as the sole outbound. For local testing; never set + // in shipped builds. + ForceMeekOnly _key = "RADIANCE_FORCE_MEEK_ONLY" Testing _key = "RADIANCE_TESTING" From b2e8c0aade61502af902dc40dff35634d387be78 Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Sun, 24 May 2026 09:46:17 -0600 Subject: [PATCH 12/21] cmd/meek-client-smoke: standalone meek-client smoke test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Exercises the full client path without VPN/host-app coupling: scanner (Akamai-only sampling) → fronted HTTPClient (random front per dial, TLS verifies against front.VerifyHostname not URL host) → lantern-box meek.Conn → SOCKS5 method-select + CONNECT httpbin.org:80 + HTTP GET /ip → assert response body contains the Linode public IP Verified 2026-05-24: HTTP 200 with {"origin": "139.162.181.47"} returned in ~20s (scanner ~14s + transport handshakes ~3s). Bumps lantern-box to fisk/meek-outbound HEAD so the import resolves (v0.0.82 does not yet register the meek outbound). Roll the bump forward to a tagged release before merge. Caveat: lantern-box meek.Conn.SetReadDeadline does not unblock a parked Read (the underlying condvar Wait isn't broadcast on deadline expiry); the test reads in a goroutine and times out from outside. --- cmd/meek-client-smoke/main.go | 257 ++++++++++++++++++++++++++++++++++ go.mod | 4 +- go.sum | 4 +- 3 files changed, 261 insertions(+), 4 deletions(-) create mode 100644 cmd/meek-client-smoke/main.go diff --git a/cmd/meek-client-smoke/main.go b/cmd/meek-client-smoke/main.go new file mode 100644 index 00000000..eeeea140 --- /dev/null +++ b/cmd/meek-client-smoke/main.go 
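Review bot: The ForceMeekOnly comment says "never set in shipped builds", but nothing in this patch enforces that: maybeStartMeek and getBoxOptions honour the variable whenever `env.GetBool` reports it set. Because it removes every API-provided outbound, anything able to set the process environment can reduce a release client to a single transport. Gating it on a debug build tag, or on `env.Testing` being set as well, would make the comment true; at minimum log at Warn level on startup when it is active.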
@@ -0,0 +1,257 @@ +// Command meek-client-smoke exercises the lantern-box meek client +// against the deployed meek-test server via the radiance fronted +// scanner. Prints httpbin's reported origin — equality with the +// known Linode IP proves traffic completed the full client→Akamai +// →Caddy→meek-server→microsocks→internet round trip. +// +// Run: +// go run ./cmd/meek-client-smoke +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "errors" + "fmt" + "io" + "log/slog" + "net" + "net/http" + "net/url" + "os" + "path/filepath" + "strings" + "time" + + lbmeek "github.com/getlantern/lantern-box/protocol/meek" + + "github.com/getlantern/radiance/kindling/fronted" + rmeek "github.com/getlantern/radiance/kindling/meek" +) + +const ( + meekURL = "https://meek.dsa.akamai.getiantem.org/" + targetHost = "httpbin.org" + targetPort = 80 + expectedOrigin = "139.162.181.47" // Linode public IP +) + +func main() { + if err := run(); err != nil { + slog.Error("test failed", "err", err) + os.Exit(1) + } + fmt.Println("\n✅ end-to-end meek client smoke test PASSED") +} + +func run() error { + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + + slog.Info("step 1: load fronted config + start scanner") + dataDir, err := os.MkdirTemp("", "meek-client-smoke-*") + if err != nil { + return fmt.Errorf("mktemp: %w", err) + } + defer os.RemoveAll(dataDir) + + cfg, err := fronted.LoadCachedConfig(dataDir) + if err != nil { + return fmt.Errorf("load fronted config: %w", err) + } + + // Only sample Akamai fronts — our meek property is on Akamai, so + // CloudFront IPs would dial a CDN that doesn't host the meek server + // and the poll-response loop would hang on miss-routed requests. 
+ provider, err := rmeek.NewProvider(rmeek.ProviderConfig{ + Config: cfg, + CacheFile: filepath.Join(dataDir, "meek_fronts_cache.json"), + KnownSample: 0, + CloudFrontSample: 0, + AkamaiSample: 50, + }) + if err != nil { + return fmt.Errorf("new provider: %w", err) + } + defer provider.Close() + provider.Start(ctx) + + slog.Info("step 2: wait up to 30s for scanner to find working Akamai fronts") + var fronts []rmeek.FrontSpec + deadline := time.Now().Add(30 * time.Second) + for time.Now().Before(deadline) { + time.Sleep(1 * time.Second) + fronts = provider.FrontSpecs(3) + if len(fronts) > 0 { + break + } + } + if len(fronts) == 0 { + return errors.New("scanner found no working fronts in 30s") + } + slog.Info("got fronts", "count", len(fronts), "first_ip", fronts[0].IPAddress, "first_sni", fronts[0].SNI) + + slog.Info("step 3: build HTTPClient and dial meek server") + u, err := url.Parse(meekURL) + if err != nil { + return fmt.Errorf("parse meek url: %w", err) + } + httpClient := buildFrontedHTTPClient(fronts, 10*time.Second) + + conn, err := lbmeek.Dial(ctx, lbmeek.Config{ + URL: meekURL, + InnerHost: u.Host, + HTTPClient: httpClient, + PollInterval: 100 * time.Millisecond, + ReadTimeout: 30 * time.Second, + }) + if err != nil { + return fmt.Errorf("meek dial: %w", err) + } + defer conn.Close() + + slog.Info("step 4: SOCKS5 method-select") + if _, err := conn.Write([]byte{0x05, 0x01, 0x00}); err != nil { + return fmt.Errorf("write method-select: %w", err) + } + conn.SetReadDeadline(time.Now().Add(15 * time.Second)) + resp := make([]byte, 2) + if _, err := io.ReadFull(conn, resp); err != nil { + return fmt.Errorf("read method-select reply: %w", err) + } + if resp[0] != 0x05 || resp[1] != 0x00 { + return fmt.Errorf("method-select reply unexpected: %x", resp) + } + slog.Info("✅ SOCKS5 NO_AUTH accepted", "reply", fmt.Sprintf("%x", resp)) + + slog.Info("step 5: SOCKS5 CONNECT", "target", fmt.Sprintf("%s:%d", targetHost, targetPort)) + connectReq := []byte{0x05, 0x01, 
0x00, 0x03, byte(len(targetHost))} + connectReq = append(connectReq, []byte(targetHost)...) + connectReq = append(connectReq, byte(targetPort>>8), byte(targetPort&0xff)) + if _, err := conn.Write(connectReq); err != nil { + return fmt.Errorf("write CONNECT: %w", err) + } + conn.SetReadDeadline(time.Now().Add(15 * time.Second)) + connectReply := make([]byte, 10) + if _, err := io.ReadFull(conn, connectReply); err != nil { + return fmt.Errorf("read CONNECT reply: %w", err) + } + if connectReply[0] != 0x05 || connectReply[1] != 0x00 { + return fmt.Errorf("CONNECT reply unexpected: %x", connectReply) + } + slog.Info("✅ SOCKS5 CONNECT succeeded", "reply", fmt.Sprintf("%x", connectReply)) + + slog.Info("step 6: HTTP GET /ip") + httpReq := fmt.Sprintf("GET /ip HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n", targetHost) + if _, err := conn.Write([]byte(httpReq)); err != nil { + return fmt.Errorf("write HTTP request: %w", err) + } + // Read in a goroutine — meek.Conn.Read doesn't honor SetReadDeadline + // (the condvar Wait isn't woken on deadline) so we time out from outside. 
+ bodyCh := make(chan string, 1) + go func() { + var resp strings.Builder + buf := make([]byte, 4096) + for { + n, err := conn.Read(buf) + if n > 0 { + resp.Write(buf[:n]) + if strings.Contains(resp.String(), expectedOrigin+"\"") { + break + } + } + if err != nil { + break + } + } + bodyCh <- resp.String() + }() + var body string + select { + case body = <-bodyCh: + case <-time.After(20 * time.Second): + return errors.New("read timeout: no HTTP body containing expected origin in 20s") + } + slog.Info("✅ HTTP response received", "bytes", len(body)) + fmt.Println("--- HTTP response ---") + fmt.Println(body) + + if !strings.Contains(body, expectedOrigin) { + return fmt.Errorf("expected origin %q not in response body", expectedOrigin) + } + return nil +} + +// buildFrontedHTTPClient returns a client that dials a random front by IP +// and validates the served chain against the front's VerifyHostname rather +// than the request URL's host. +func buildFrontedHTTPClient(fronts []rmeek.FrontSpec, connectTimeout time.Duration) *http.Client { + if len(fronts) == 0 { + panic("buildFrontedHTTPClient: no fronts") + } + tr := &http.Transport{ + DialTLSContext: func(ctx context.Context, _, _ string) (net.Conn, error) { + front := fronts[time.Now().UnixNano()%int64(len(fronts))] + addr := front.IPAddress + if !strings.Contains(addr, ":") { + addr = net.JoinHostPort(addr, "443") + } + dialCtx, cancel := context.WithTimeout(ctx, connectTimeout) + defer cancel() + d := &net.Dialer{} + raw, err := d.DialContext(dialCtx, "tcp", addr) + if err != nil { + return nil, fmt.Errorf("tcp dial %s: %w", addr, err) + } + tlsCfg := &tls.Config{InsecureSkipVerify: true} + if front.SNI != "" { + tlsCfg.ServerName = front.SNI + } + verifyHost := front.VerifyHostname + if verifyHost == "" { + verifyHost = front.SNI + } + tlsCfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { + return verifyChain(rawCerts, verifyHost) + } + conn := tls.Client(raw, tlsCfg) + if err := 
conn.HandshakeContext(dialCtx); err != nil { + raw.Close() + return nil, fmt.Errorf("tls handshake: %w", err) + } + return conn, nil + }, + DisableKeepAlives: false, + IdleConnTimeout: 90 * time.Second, + } + return &http.Client{Transport: tr, Timeout: 60 * time.Second} +} + +func verifyChain(rawCerts [][]byte, verifyHost string) error { + if len(rawCerts) == 0 { + return errors.New("no peer certs") + } + certs := make([]*x509.Certificate, 0, len(rawCerts)) + for _, raw := range rawCerts { + c, err := x509.ParseCertificate(raw) + if err != nil { + return fmt.Errorf("parse cert: %w", err) + } + certs = append(certs, c) + } + roots, err := x509.SystemCertPool() + if err != nil { + return fmt.Errorf("system cert pool: %w", err) + } + intermediates := x509.NewCertPool() + for _, c := range certs[1:] { + intermediates.AddCert(c) + } + _, err = certs[0].Verify(x509.VerifyOptions{ + DNSName: verifyHost, + Roots: roots, + Intermediates: intermediates, + }) + return err +} diff --git a/go.mod b/go.mod index 09000312..7516a18f 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/getlantern/domainfront v0.0.0-20260419161617-0bff0b2169f4 github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 - github.com/getlantern/lantern-box v0.0.82 + github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998 github.com/getlantern/pluriconfig v0.0.0-20251126214241-8cc8bc561535 github.com/getlantern/publicip v0.0.0-20260328175246-2c460fe80c6b github.com/getlantern/semconv v0.0.0-20260327040646-21845dda05cb @@ -44,6 +44,7 @@ require ( github.com/knadh/koanf/parsers/json v1.0.0 github.com/knadh/koanf/providers/rawbytes v1.0.0 github.com/knadh/koanf/v2 v2.3.0 + github.com/refraction-networking/utls v1.8.2 github.com/sagernet/sing v0.7.18 github.com/sagernet/sing-box v1.12.22 github.com/stretchr/testify v1.11.1 
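Review bot: verifyChain accepts any chain that validates against the system roots when `verifyHost` is empty, because x509 skips the name check for an empty `VerifyOptions.DNSName`. In buildFrontedHTTPClient that happens whenever a front has neither VerifyHostname nor SNI, and with `InsecureSkipVerify: true` nothing else checks the name. Reject that case at the top of verifyChain with `if verifyHost == "" { return errors.New("no hostname to verify against") }`. Separately, VerifyPeerCertificate is not invoked on resumed sessions, so if a ClientSessionCache is ever added the check should move to `VerifyConnection`. The front is also picked with `time.Now().UnixNano()%int64(len(fronts))`, which is clock-derived rather than the random choice the doc comment promises.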
@@ -181,7 +182,6 @@ require ( github.com/prometheus-community/pro-bing v0.4.0 // indirect github.com/protolambda/ctxlock v0.1.0 // indirect github.com/quic-go/quic-go v0.59.0 // indirect - github.com/refraction-networking/utls v1.8.2 // indirect github.com/refraction-networking/water v0.7.1-alpha // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect github.com/rs/dnscache v0.0.0-20211102005908-e0241e321417 // indirect diff --git a/go.sum b/go.sum index 738b3197..90fc4d8e 100644 --- a/go.sum +++ b/go.sum @@ -248,8 +248,8 @@ github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 h1:iLWm6S/4 github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694/go.mod h1:ag5g9aWUw2FJcX5RVRpJ9EBQBy5yJuy2WXDouIn/m4w= github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 h1:dUTN7mnTTBcSvsURNs1rTlyKrD1uXUEPqxEZDfl+hb4= github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03/go.mod h1:TGTxpoNVwc8Be4qkBNtf5oj2psJaEIZEq47GOPS7zkA= -github.com/getlantern/lantern-box v0.0.82 h1:hCXqpCxLOQNxYtQZQDYVh3aj3t8NqSBqJjCn2mIBtK0= -github.com/getlantern/lantern-box v0.0.82/go.mod h1:wJhPQKdnwD6qW/ghAfzsrj/IfHZbvFSAfr52+Tu6dbw= +github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998 h1:84Ch1HENJmNlHBCgABBvfjag0n6NLfhHZD+K42VpuLo= +github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998/go.mod h1:wJhPQKdnwD6qW/ghAfzsrj/IfHZbvFSAfr52+Tu6dbw= github.com/getlantern/lantern-water v0.0.0-20260317143726-e0ee64a11d90 h1:P9JX1yAu2uq3b5YiT0sLtHkTrkZuttV8gPZh81nUuag= github.com/getlantern/lantern-water v0.0.0-20260317143726-e0ee64a11d90/go.mod h1:3JpJgwi4KEI6rS9loOAvcBp+F2jP65d0tTg2GQcTPBU= github.com/getlantern/ops v0.0.0-20231025133620-f368ab734534 h1:3BwvWj0JZzFEvNNiMhCu4bf60nqcIuQpTYb00Ezm1ag= From e2c2e029a0f739573c65c501c1808d55b9fa5124 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Sun, 24 May 2026 09:53:14 -0600 Subject: [PATCH 13/21] cmd/meek-client-smoke: drop goroutine workaround for SetReadDeadline lantern-box meek.Conn.SetReadDeadline now properly unblocks a parked Read via a deadline timer (lantern-box c467035). The smoke test calls SetReadDeadline + Read directly instead of reading in a goroutine and timing out from outside. Bumps lantern-box pin to that commit. Verified end-to-end against the deployed server: httpbin reports "origin": "139.162.181.47". --- cmd/meek-client-smoke/main.go | 34 ++++++++++++---------------------- go.mod | 2 +- go.sum | 4 ++-- 3 files changed, 15 insertions(+), 25 deletions(-) diff --git a/cmd/meek-client-smoke/main.go b/cmd/meek-client-smoke/main.go index eeeea140..0d6a29a5 100644 --- a/cmd/meek-client-smoke/main.go +++ b/cmd/meek-client-smoke/main.go 
@@ -147,32 +147,22 @@ func run() error { if _, err := conn.Write([]byte(httpReq)); err != nil { return fmt.Errorf("write HTTP request: %w", err) } - // Read in a goroutine — meek.Conn.Read doesn't honor SetReadDeadline - // (the condvar Wait isn't woken on deadline) so we time out from outside. - bodyCh := make(chan string, 1) - go func() { - var resp strings.Builder - buf := make([]byte, 4096) - for { - n, err := conn.Read(buf) - if n > 0 { - resp.Write(buf[:n]) - if strings.Contains(resp.String(), expectedOrigin+"\"") { - break - } - } - if err != nil { + conn.SetReadDeadline(time.Now().Add(20 * time.Second)) + var bodyBuf strings.Builder + buf := make([]byte, 4096) + for { + n, err := conn.Read(buf) + if n > 0 { + bodyBuf.Write(buf[:n]) + if strings.Contains(bodyBuf.String(), expectedOrigin+"\"") { break } } - bodyCh <- resp.String() - }() - var body string - select { - case body = <-bodyCh: - case <-time.After(20 * time.Second): - return errors.New("read timeout: no HTTP body containing expected origin in 20s") + if err != nil { + break + } } + body := bodyBuf.String() slog.Info("✅ HTTP response received", "bytes", len(body)) fmt.Println("--- HTTP response ---") fmt.Println(body) diff --git a/go.mod b/go.mod index 7516a18f..aca9f838 100644 --- a/go.mod +++ b/go.mod @@ -32,7 +32,7 @@ require ( github.com/getlantern/domainfront v0.0.0-20260419161617-0bff0b2169f4 github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 - github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998 + github.com/getlantern/lantern-box v0.0.83-0.20260524155143-c467035b6497 github.com/getlantern/pluriconfig v0.0.0-20251126214241-8cc8bc561535 github.com/getlantern/publicip v0.0.0-20260328175246-2c460fe80c6b github.com/getlantern/semconv v0.0.0-20260327040646-21845dda05cb diff --git a/go.sum b/go.sum index 90fc4d8e..f0832d0b 100644 --- a/go.sum +++ b/go.sum 
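Review bot: The rewritten read loop drops `err` on `break`, so a deadline expiry, a connection reset and a clean EOF all surface later as the generic "expected origin ... not in response body" failure. The return value of `conn.SetReadDeadline` is ignored as well. Keep the error in a variable declared before the loop (`var readErr error`, then `readErr = err` before the `break`) and wrap it into the final error when it is not `io.EOF`, so a timeout is reported as a timeout. run() starts and ends outside this hunk.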
@@ -248,8 +248,8 @@ github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 h1:iLWm6S/4 github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694/go.mod h1:ag5g9aWUw2FJcX5RVRpJ9EBQBy5yJuy2WXDouIn/m4w= github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 h1:dUTN7mnTTBcSvsURNs1rTlyKrD1uXUEPqxEZDfl+hb4= github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03/go.mod h1:TGTxpoNVwc8Be4qkBNtf5oj2psJaEIZEq47GOPS7zkA= -github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998 h1:84Ch1HENJmNlHBCgABBvfjag0n6NLfhHZD+K42VpuLo= -github.com/getlantern/lantern-box v0.0.83-0.20260523214631-138654218998/go.mod h1:wJhPQKdnwD6qW/ghAfzsrj/IfHZbvFSAfr52+Tu6dbw= +github.com/getlantern/lantern-box v0.0.83-0.20260524155143-c467035b6497 h1:yXtbk9i03UD7/S5NYoMjKqE+LfuzPs/t0S3SDTesr6Q= +github.com/getlantern/lantern-box v0.0.83-0.20260524155143-c467035b6497/go.mod h1:wJhPQKdnwD6qW/ghAfzsrj/IfHZbvFSAfr52+Tu6dbw= github.com/getlantern/lantern-water v0.0.0-20260317143726-e0ee64a11d90 h1:P9JX1yAu2uq3b5YiT0sLtHkTrkZuttV8gPZh81nUuag= github.com/getlantern/lantern-water v0.0.0-20260317143726-e0ee64a11d90/go.mod h1:3JpJgwi4KEI6rS9loOAvcBp+F2jP65d0tTg2GQcTPBU= github.com/getlantern/ops v0.0.0-20231025133620-f368ab734534 h1:3BwvWj0JZzFEvNNiMhCu4bf60nqcIuQpTYb00Ezm1ag= From 6f5fbdbdf4e8f21f0154dc7323a7d4d0349c8962 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Mon, 25 May 2026 16:56:49 -0600 Subject: [PATCH 14/21] fronted/scanner: mix in named SNIs for Akamai candidates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AkamaiCandidates previously emitted one Candidate per IP with empty SNI (no ServerName in ClientHello). That matches the dominant working strategy from Psiphon's in-country data (~majority of successful Akamai dials show SNI in Iran), but leaves us with no fallback for the periods when DPI clamps down on bare SNI. Extend AkamaiCandidates to accept an SNI pool. For each IP it now emits the existing bare-SNI candidate first, followed by up to 3 candidates with SNIs drawn at random (without replacement) from the pool. VerifyHostname stays a248.e.akamai.net for all — Akamai's edge serves the same default cert regardless of incoming SNI, so named SNIs are pure DPI cover. pool.go now passes SNIsForProvider(cfg, "akamai") to feed the pool; when the config has no Akamai masquerades with Domain populated, behavior is unchanged. Working Akamai SNIs from Keith (Psiphon ops, 2026-05-24) to be added to the akamai provider's masquerade list in getlantern/fronted as a follow-up: python.org, pypi.org, www.python.org, www.pypi.org, files.pythonhosted.org, registry.npmjs.org, google.com, www.google.com, snapp.ir, varzesh3.com, aparat.com, bmi.ir, digikala.com, go.microsoft.com. --- fronted/scanner/akamai.go | 70 +++++++++++++++++++++++++---- fronted/scanner/akamai_test.go | 45 +++++++++++++++++-- fronted/scanner/integration_test.go | 2 +- fronted/scanner/pool.go | 3 +- 4 files changed, 106 insertions(+), 14 deletions(-) diff --git a/fronted/scanner/akamai.go b/fronted/scanner/akamai.go index bdbdbe8c..dbd391b4 100644 --- a/fronted/scanner/akamai.go +++ b/fronted/scanner/akamai.go 
@@ -124,15 +124,23 @@ func pickInt(n int) (int, error) { // aren't in the served cert's SANs. const AkamaiCertHostname = "a248.e.akamai.net" -// AkamaiCandidates resolves the supplied hostnames via resolver and -// produces one Candidate per distinct resolved IPv4. SNI is left empty -// (matches production: Akamai edges serve their default cert when SNI -// is omitted). VerifyHostname is AkamaiCertHostname for every entry. +// akamaiSNIsPerIP caps how many named-SNI candidates accompany each +// empty-SNI candidate per Akamai IP. Bare-SNI is the dominant working +// strategy in IR, so it stays as the first candidate per IP; named +// SNIs provide DPI cover for the periods where bare gets blocked. +const akamaiSNIsPerIP = 3 + +// AkamaiCandidates resolves the supplied hostnames and emits, for each +// distinct IPv4 returned, one Candidate with empty SNI plus up to +// akamaiSNIsPerIP additional Candidates with SNIs drawn at random from +// snis. VerifyHostname is AkamaiCertHostname for every entry — Akamai +// edges serve the same default cert regardless of outer SNI, so named +// SNIs are pure DPI cover. // -// hostnames may be the canonical AkamaiEdgeHostnames (1 hostname, -// stable IPs from the resolver), the MahsaNG-style regex hostnames -// (varied hostnames, more IP diversity), or both mixed. -func AkamaiCandidates(ctx context.Context, hostnames []string, resolver Resolver, testURL, innerHost string) ([]Candidate, error) { +// hostnames may be the canonical AkamaiEdgeHostnames (stable resolver +// IPs), MahsaNG-style regex hostnames (more IP diversity), or both. +// snis may be empty, in which case only bare-SNI candidates are emitted. +func AkamaiCandidates(ctx context.Context, hostnames, snis []string, resolver Resolver, testURL, innerHost string) ([]Candidate, error) { if resolver == nil { resolver = SystemResolver{} } 
@@ -164,6 +172,21 @@ func AkamaiCandidates(ctx context.Context, hostnames []string, resolver Resolver TestURL: testURL, InnerHost: innerHost, }) + picks, err := pickSNIs(snis, akamaiSNIsPerIP) + if err != nil { + return out, err + } + for _, s := range picks { + out = append(out, Candidate{ + Provider: "akamai", + Domain: h, + IPAddress: ip, + SNI: s, + VerifyHostname: AkamaiCertHostname, + TestURL: testURL, + InnerHost: innerHost, + }) + } } } if len(out) == 0 && firstErr != nil { @@ -171,3 +194,34 @@ func AkamaiCandidates(ctx context.Context, hostnames []string, resolver Resolver } return out, nil } + +// pickSNIs draws up to n entries without replacement from snis. +// Crypto-rand keeps the choice unpredictable so scans don't drift +// toward the same SNI set across clients. +func pickSNIs(snis []string, n int) ([]string, error) { + if n <= 0 || len(snis) == 0 { + return nil, nil + } + if n >= len(snis) { + out := make([]string, len(snis)) + copy(out, snis) + return out, nil + } + indices := make([]int, len(snis)) + for i := range indices { + indices[i] = i + } + for i := len(indices) - 1; i > 0; i-- { + j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1))) + if err != nil { + return nil, fmt.Errorf("rand: %w", err) + } + jj := int(j.Int64()) + indices[i], indices[jj] = indices[jj], indices[i] + } + out := make([]string, n) + for i := 0; i < n; i++ { + out[i] = snis[indices[i]] + } + return out, nil +} diff --git a/fronted/scanner/akamai_test.go b/fronted/scanner/akamai_test.go index d40e915f..03283af0 100644 --- a/fronted/scanner/akamai_test.go +++ b/fronted/scanner/akamai_test.go 
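Review bot: The new `for _, s := range picks` loop emits a candidate for every entry pickSNIs returns, and pickSNIs avoids repeats only by index. An empty or duplicated string in `snis` therefore yields a second bare-SNI candidate, or two identical named ones, for the same IP. Whether SNIsForProvider already filters such entries is not visible in this patch. Guard the loop with `if s == "" { continue }` and de-duplicate `snis` once before the per-IP loop so the probe budget is not spent on repeats. AkamaiCandidates begins above this hunk.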
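Review bot: The doc comment on pickSNIs promises an unpredictable choice, but the `n >= len(snis)` branch returns the pool in caller order. With `akamaiSNIsPerIP` or fewer configured SNIs, every client then emits the same SNIs in the same sequence for each IP. Either run the same Fisher–Yates loop on the copy in that branch, or narrow the comment to say the draw is random only when the pool is larger than n. The function also shuffles the whole index slice on every call although only the first n positions are read; a partial shuffle of n steps gives the same distribution.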
@@ -26,7 +26,7 @@ func TestAkamaiCandidates_Dedup(t *testing.T) { r := fakeResolver{answers: map[string][]string{ "a248.e.akamai.net": {"23.47.48.1", "23.47.48.2", "23.47.48.1"}, }} - cands, err := AkamaiCandidates(context.Background(), nil, r, "https://api.iantem.io/ping", "api.iantem.io") + cands, err := AkamaiCandidates(context.Background(), nil, nil, r, "https://api.iantem.io/ping", "api.iantem.io") if err != nil { t.Fatalf("AkamaiCandidates: %v", err) } 
@@ -43,13 +43,50 @@ func TestAkamaiCandidates_Dedup(t *testing.T) { } } +func TestAkamaiCandidates_MixesNamedSNIs(t *testing.T) { + r := fakeResolver{answers: map[string][]string{ + "a248.e.akamai.net": {"23.47.48.1", "23.47.48.2"}, + }} + snis := []string{"python.org", "pypi.org", "snapp.ir", "google.com", "aparat.com"} + cands, err := AkamaiCandidates(context.Background(), nil, snis, r, "https://api.iantem.io/ping", "api.iantem.io") + if err != nil { + t.Fatalf("AkamaiCandidates: %v", err) + } + if want := 2 * (1 + akamaiSNIsPerIP); len(cands) != want { + t.Errorf("len = %d; want %d", len(cands), want) + } + + byIP := map[string][]Candidate{} + for _, c := range cands { + byIP[c.IPAddress] = append(byIP[c.IPAddress], c) + if c.VerifyHostname != AkamaiCertHostname { + t.Errorf("VerifyHostname = %q; want %s", c.VerifyHostname, AkamaiCertHostname) + } + } + for ip, group := range byIP { + if group[0].SNI != "" { + t.Errorf("IP %s: first candidate SNI = %q; want empty", ip, group[0].SNI) + } + seen := map[string]bool{} + for _, c := range group[1:] { + if c.SNI == "" { + t.Errorf("IP %s: named candidate has empty SNI", ip) + } + if seen[c.SNI] { + t.Errorf("IP %s: SNI %q appears twice — should be without replacement", ip, c.SNI) + } + seen[c.SNI] = true + } + } +} + func TestAkamaiCandidates_MultipleHostnames(t *testing.T) { r := fakeResolver{answers: map[string][]string{ "a248.e.akamai.net": {"23.47.48.1"}, "a123.b.akamai.net": {"184.150.1.1"}, }} hostnames := []string{"a248.e.akamai.net", "a123.b.akamai.net"} - cands, err := AkamaiCandidates(context.Background(), hostnames, r, "https://api.iantem.io/ping", "api.iantem.io") + cands, err := AkamaiCandidates(context.Background(), hostnames, nil, r, "https://api.iantem.io/ping", "api.iantem.io") if err != nil { t.Fatalf("AkamaiCandidates: %v", err) } 
@@ -69,7 +106,7 @@ func TestAkamaiCandidates_AllResolversFail(t *testing.T) { r := fakeResolver{err: map[string]error{ "a248.e.akamai.net": errors.New("dns blocked"), }} - _, err := AkamaiCandidates(context.Background(), nil, r, "https://api.iantem.io/ping", "api.iantem.io") + _, err := AkamaiCandidates(context.Background(), nil, nil, r, "https://api.iantem.io/ping", "api.iantem.io") if err == nil { t.Errorf("expected error when all lookups fail") } @@ -112,7 +149,7 @@ func TestAkamaiCandidates_PartialFailureStillReturns(t *testing.T) { err: map[string]error{"a999.z.akamai.net": errors.New("nxdomain")}, } hostnames := []string{"a248.e.akamai.net", "a999.z.akamai.net"} - cands, err := AkamaiCandidates(context.Background(), hostnames, r, "https://api.iantem.io/ping", "api.iantem.io") + cands, err := AkamaiCandidates(context.Background(), hostnames, nil, r, "https://api.iantem.io/ping", "api.iantem.io") if err != nil { t.Fatalf("expected nil err when at least one lookup succeeded, got %v", err) } diff --git a/fronted/scanner/integration_test.go b/fronted/scanner/integration_test.go index 3c46dcbf..1c0e6aea 100644 --- a/fronted/scanner/integration_test.go +++ b/fronted/scanner/integration_test.go @@ -39,7 +39,7 @@ func TestLive_AkamaiSystemResolver(t *testing.T) { } hostnames = append(hostnames, AkamaiEdgeHostnames...) - cands, err := AkamaiCandidates(ctx, hostnames, SystemResolver{}, akamaiTestURL, "fronted-ping.dsa.akamai.getiantem.org") + cands, err := AkamaiCandidates(ctx, hostnames, nil, SystemResolver{}, akamaiTestURL, "fronted-ping.dsa.akamai.getiantem.org") if err != nil { t.Fatalf("AkamaiCandidates: %v", err) } diff --git a/fronted/scanner/pool.go b/fronted/scanner/pool.go index 1948a6ed..403d8436 100644 --- a/fronted/scanner/pool.go +++ b/fronted/scanner/pool.go 
@@ -64,7 +64,8 @@ func BuildPool(ctx context.Context, opts PoolOptions) ([]Candidate, error) { if err == nil { hostnames = append(hostnames, more...) } - akCands, err := AkamaiCandidates(ctx, hostnames, opts.Resolver, akamaiProv.TestURL, innerHost) + snis := SNIsForProvider(opts.Config, "akamai") + akCands, err := AkamaiCandidates(ctx, hostnames, snis, opts.Resolver, akamaiProv.TestURL, innerHost) if err == nil { cands = append(cands, akCands...) } From 3740edc5769e9a4b84211b9cf238e82a3d605d8f Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Mon, 25 May 2026 17:11:15 -0600 Subject: [PATCH 15/21] kindling/fronted: sync embedded fronted.yaml.gz with Keith's working SNIs Mirrors the getlantern/fronted PR that adds the in-country-validated Akamai SNIs to the masquerade pool. The embedded copy is used as a last-resort fallback when the live fetch and on-disk cache both fail, so it needs to stay in sync to give offline-first clients the same SNI diversity. Smoke test confirms the new SNIs feed through SNIsForProvider into AkamaiCandidates. --- kindling/fronted/fronted.yaml.gz | Bin 65487 -> 67179 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
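Review bot: AkamaiCandidates can now return a non-empty slice together with an error (the `return out, err` path added for pickSNIs), but this call site still appends only when `err == nil`. In that case the usable candidates and the error are both dropped silently. Appending unconditionally is safe because the slice is empty when every lookup failed: move `cands = append(cands, akCands...)` out of the guard and report a non-nil `err` through whatever logging BuildPool already uses. BuildPool extends beyond this hunk on both sides.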
diff --git a/kindling/fronted/fronted.yaml.gz b/kindling/fronted/fronted.yaml.gz index c59c5056754d0620fdaf14709f68495c49a74aa8..5100ab38fed4c1d7547d4af7c78cd758fff4233f 100644 GIT binary patch literal 67179 zcmV(}K+wM*iwFP!000001I)eGlH5p^Hh8~JQTE@`m<%n-Y%fwW1v8VW$RyYH!U1>y z4&?}lKmfK6zwQtbk=2C{)zf2rVyt^?hJgfJ94)?+##xeb%Vf!)|JNVte?I?V${>(o z$O8W7AEyB;W%$Rll<6Pmr+*BqNB;Q3BE`r ztsPH%UFL(c)2HNW_oCB_)9L+FlAk~Qy7=+*^z|~o{qa^_e!o8*d_5h$U7kDlU!Q&s z9Ud&R`)4n|%B$xtF1KfA#?PzS?nTCEV!s8;jdgx@@$_=Ky+510U%Xxp?=Rkp2lq6; zzfk|ZlIq{?C->^lAIjao<&UqI-}YNO^{OwQIrry3e%x;_O1=DtA7`iX^~}3Uf4xT= z!@c}{e`Z$CsZTw%E4;b7-RxI1ezKnim-f9rrsuF_xS8x1Tr0)-?H#$E)$=>+0rWT3p{Oe|>p6Kl`F+_|m@2 zKRp&t!R|$_{gN5C@y*&EoS){Gr>E@U{QmMZztDvDJa|2Qy8d!@`j)HT&c2kVkD4^D zpB87QtA)D0`|~|z|N50*KUIJ9cy{*d^6KX4S9$X`n19Rf{oAMP{3OSnATPCR6Y+4-};@~x8`kd8kNQU?<+aGd78by?Ors!Pi{UH z_s>tCoQu2nTOpZmz1!}acQ>1i?k8_~diG->jnVe@;ldjIcJgnbe6sjE|9X01cu}!? zQM`VCUK#Q!l)sa&llAoH>-WiQ@$$6Ue4T!jke3e^e=i?D3f&7~i*qGm|M==lgZZ`e z{W|{7WbgU+QppVSXDfT3&VKy(x%qy}ql>p;K70B;Wa*XZp5C3=wvxN<<98)8PfI1z zl&Iak=r1z&$NkxTD|7FkzxpA2d+^Qh$$t4cbq{3kHzj+=*4WH;FZ!(?{#iYo{TeOP z`?=JK0;n#1C;C}n{_4K{|!{qhy z+8SHM)YH%Ws-Bs;#%QqJOS+3wUO#;QdNp{CevkZ%-|x4Bn@cM(Mz@Y}e)eLFmg@gE z%lqqJN?`oD);kK-qn>i;?%&*zCZ47ZJE1Y@_SQ$y7?prH@Tva z@0B!rzOSX(t5VKN+TEW{G+9^|TH@tTmzw4r_te_Gs1|{f%PafoEm@{F(f7dFS|WS! 
zuJ12@K19Dnuy|Sg%FpdzH_h2x>U(6Tr}^)voBd&*-i;QEApdgd#n0bf!;5n}csIYi z+&swQ=61db#Le)@VV3*p_oNsH?DgWy^?mXbd>{WT;!i>PWiMAwZ}P{Vzl}V2dB|?3 zPvblH#|!(GZkOfr%lqQ})NpScxqNhQ?09{ z{pde5xm;JVeaLofe_F=d>Dqi=v-A1g*O%?}Q#hNx{;RoldU59LU-Yl$*1yI2yBBF0 z@Sm{$ensvn|4&$d{~{#={u9E~#$d^6K>TQOSeFsebU> zzEl7AQ-S)iaZ;=SX`A<1>K25Hkhc~A`lecf&{I!je`-hTUZ-YIP4Yzat#ah|L z^yT7VHczex50B&bBpJkmEPDCktqqYrrZ2yvZ@>K6?=(JDmdUU0%kMXD-mm3|KkZ($ z9$kJ7Z@v^+77S*;ZwfYlFMoV;tgnmF{WZ&eoZbGoU6gOBpFP|f)^I%elHR_|Uy>hB zJaVT$%iW98^T+w?*WuOTJByM?>FV#p`yapZ@WnUZRyTK6`TqDa*#1_^thj%B`1<|Y z4nAGYu7evhUfQ4D_AA=lJo@L!b9ndtcX@U8w0sVY3upUsd-MAI5a-LQi@V>q(pb;K z`=49o1w_u1y5pzQvsU_jlxY7@3?53qS8@Axb0&W5?UL*vo7!JypJMN2{`BkJExo_` z0pA)w;OzA4S$KE*yt(ikcUE3ov%vhdzqMcf^85YIZ!h7OXp<)K)$&vRK7LSw?dJ9I z*H!o=pWKD_BYfb+&E|{vo_xK$f4F)M&V6<$97^foYN-)_fWL~%ELS$en6 z>~(KFMBjuGMFV5?<8I~p{)M>t>V?AiVa&$Xh52i|;sbTI8{Zl(M{~D$*j^2lfAQ`2 z?_gFwysrGc7>R%V-~S`2Ukm#eVTb>rpnuo)oyS{2|LyFw`k%9#AI|If-M{#fnuhXM z<;^IscYi~bK;PcKKaaMXU%^%KHu6J5v_k9Q?B;x6zq$9@%kuQO^>EL}EKegxV zvJirQdHONBG=HYz`rF=8c(!jZw)4BY@acJVd!J-4pRR1%Gn}_|a&Ny`x$!Xc27EL8 zc6a~Xb_e%&v)TJ_{_D+g&Zb$J>~)xZ&F{}2uWkoHB))Bz{8RK>jwfE|zlzmaYJMur zB>4F>EXVQ1&FtmZqrH9qIv-}=2KKXEc){M2RZ=i|{9=47&c*Ze_vr4|4|5z}KfR5w zU+u?iT6`;J=BMTPeDmdPdHQ(y_5PDMzfF>P*`urBmef#wGi4}_A+1I;Mvn+y5V0{Z_r{|+AI*nhKtLyE> zWc|e)S$Fory5wWmjz`nP$nW>O=DPROXY=uK`pthg?&8H|WF&8kU+MJxImv!MyPuYd zMZQ`;zstu-S-v^>!k1r?Im`XWb$NS!w|miSb!I)w;>Y+s`gM0EH`mtu;q<~fb3Y9) z4a<7HyR|+oM&{+U^ZqU(HW)0Y_qVg>`>*4N(%L-j&ECMgS#f*retQz>xsxYf$|C;p zH2LnmPe!xF!~2UdcfN_?;@8dQ;_1ib>&u=ui&;Hg}eO|@fvIIYIcr3k)MbU{;H-G-o{_{V3jf^dJ;_Dyd@I=Tz zn}7L7e{9NdCG4)__{*>V#vA|sP5WE5kZQ`k(&M zw``F*nekbXl9idMkm2W;`&`k?XO<*9{XF8csliW@@d>M<>nu;|D{B7m!_)uHClBB9 z5C5(*KAMAE`7CjKVLPc>`nG7^cKF0Udgs4&&H)RpSor>qOb`FzAAL?5E;rNUq~3Ox z@K`Oj`eOCI=I77<`tv_}d(85#H>;oi$8Y74FHH719(~}kgMa?FUXySZo6g_9s`=^Q zb^E72yi09iBTOY8q@C#ho@|TqfAX5dKe45>eMP<@^NUoNEph+#U;oh-v&dp8*AKKG zta!2c=iXPOJV~?I|ML$gO{3(`FJD%%z9;K*gk;Yb{p((rv1Fa`m|1_7`Jex=r25-X ziRaN|al+eog*^T6oMMTHSys%GMs_==P_QY 
zdl{U}iDhZKj1lcJl%kyuPiEB2G8`!iohm{-1`#%#QVaB<`tMjB$(UN0jud$eh{;3o zi8>8!cM$W+WOg!B7c(8wE@QY{o{T3aq<1nHE221A3{NKX@~d_fsI`h($3Xp;+F@ze zL2Y$3>lhK6=!#{BnnZ|MwiW1e%Hvq-D;b_BZW#_J72JLuOM2>10)057*0PPuGMrL7 zw6*y&rd9XKPf+JEoRAt}?JDNPlA|F}Qik1GVANu?ab-ze`$K-EWt81{42~kgFq)E@ zf{H*-mUG3h#I&(cYglR{o!XTh4Nm4tfDMj>S;%!;eIDc7Jk6REzG;gH;WnW`I^OcdWzXC`Ye zYC)YmZ*JvCBMCerEjQEoxX}sqGIps_N@h6> zm=2Gn5$s5;Q|gwIHXAl2UWab>(FAf7QjGdAc0oewf}qBsB<%y+rx!+~3H>ViGSF5j zeTG2`55+OmJx6V&JgE>naBZn$*=@@;@wGIzhx+f4kOy^9L7NCWh6s$39s}ysPhB8I zU&q(h6Ox`sTeVMm8cozgM}f%uS=%ObS~6{~g*toP)_BgS^I)|QqpfP(_4`mKYa5G@ zG*x?Gc#wwX_OgSz^0vvJ^g$+$)3$-Yvwtx0P7wQ;gn?R>c zaU4`d(N;F>quA8BxMm$QYDrdO5Rz9THAxO~%e3)oiREcym{KpJ>9HZL5c^OCL~VaG z84hZ7yNfnZy9|xmC(m&-n4Q!GrcL;Gc?{KAljR9DyUZ13(BnrmLTpaVD=p8?h<%2t zGK&=9WbfqD3(_h;NZVi2Bt}UC9v|Q0Wae-8ve*`!=0wY~% zIO-bLrjdgj|F{xjN6`pYq0Jo!h6Z(EMRP0E-8Jp4P~%kYLY35k{U)MLoyBkKkVsv) zL*JUTp5U;hWJz6%R1*ko8)+*)$TJL0Ap1xlc!*`kPU9a#pka72BiHzKj`SGp!7BSi zZKrDyrb}O_+XUNkO7d`N(~L%)oowiov{mu2--!A^nqmjVNUH? zw^3X2I_SouB^6)|M%0M5gz+FTNe;eK$DybJ66$I>>h||`Fb6G^>)u_Vj#1W0Yf|g{ z5PXoFIMjJiqsz6WP}Hbywa0WUxs788U+Z!PVgSTu!ZtN+v{4`Gn$pT+BA$BQjzJ~1 zM(a9G@>Z5zf|yvAx2+1)L*REKAE;w3&AiJwb%{v}XiEysz3-_Z?S4OG80re_wxE+7 z-laB4$?Nr+uJa>FHyy>DkPoV>0V`(2nzn^(ACs$=21}oIA#KEky3)737HX`UUBa9c zqhVJ03OeOQOdPexLOpk)2~E?$`-3QmuOcrB7{=)t>%>+%RnFua5*Cfja)uBAAih%RwDDbu~ea zg+$&OSQjwT&O>WTj*kGpeokCjahNVX79>dON|U;HkyLyg&WSk^Dkb$O+qxT42%bsRQ8P>nx8Z46|snDVx2fH69M2*r}=N8CoaB8hj-7wjn2DM_TYfPz!OIF!)@=Ai; z+#G5%y^c1Fs4HEYVr*);QTvjlIDa2Hz{q{tHbzLDq}_qa9Yd6GdITze5Akvw^*7U_ zz+I+JGPKoMiBQbxd(_c;6nmVzt^X{o5 zK&?YdKJTij>?Ebqg9I44S-L}dISvG#(STUx@5+FvlP%3UjzW%+PCz{@BBZW+X(q9f z#wgpQH8tMeZiFE*r?eFwM^YqDitF~Fwt{qA-acA-33wUPprhG@_nJ(qeZV1*eRtucb9PsAE4n zXXQBJlS9%Tj)Nvv@_coZk)$V6jr&JCSztfl;5d2(NI_f=tm5Oi6VgzAgU>*nPH2it zXoo%Q)=#vUb))V5SgJ!5JI1#k>b^^h6|pt%*&IPGD@ApLx& zTE~%MFCR1o9!CUi(j(&*?Zq4b(CH*2Sl; zuB`xV$w!^xT z;ny;ZyvVnm%tj5XTO9{&4u4g%kK@P}QEyR^A;QZxNSviLY+4W#j~1A~w{LE6+bkRyh*a7@HZ+e8PC 
zzhwy3nMt!pH|pHc8qe$oMGgIEHS4DuYi7#k6m|B1N)2n9#eV zzL!Rb9f2`8pf)@9Sz1cJX>S{oD!2nyp_d#QHDgG6DF@@&l#V+F#X=ipI7}8FNBs|V zn_}%rj;J#}yTR6$4$c%HBwidA*D{lHMMf&nT0lqPd(~tmzX5Jmlh(Odcr~z zi6V!FY9IlqW43i~F?sP|!!5^A48Ej3jV2pN8^QiCpZ6%*C25DhAA*EZ*X^~{NXLM$ zG91!&EgZnBkcS$YD%YccD;=IpsHwEhjvfcd3u&10pnHP0J8)OyO6^)V6iRKS*TF$j zK*|q_c1CS_)CWRZZTlheLLKvH6fJowu5C7=4$ZZ094Rd2VV}>DOp;zwM}c+?q|`NY z?L-pN*#2QOo4Wa__OYo6wO+-s46Gp!IMjOXD9UYzBkGKCotz|XzxpuT`v@uu=G47D zTBj(|ptjWy>TgIrsC_R7eNe0!6hjR;+=dCMLByJIAk-qgS;m4|v+U}Cs5Nb+T&NLe zTKvJI(6l4c5{rXU58B!9hb5Jy2XeR&`f+GgBJ4N@I1i5`nNRJs?7|+$Fn&Va%knrt zWl7UM2eEAG=v)(gA)kKQ)~g*wzJ<2;`(TzdH9%zx!E*%Oq}FhxQ&Bll>V?mX&%$8O9eb=gbX z1y8D34(5y#yKr>?h!&6fLmLIP1=KVh9fP+pr5?I)IE3P8$~}%IgnT55pE_DuM}cS) z9aS0fWOzb-6!qu_YG1NNz9Hq5eE^8MRj{ovr3NTyO`z!!TuTKbPwhapp35;nV;@VY zE2$-R5KO1Gf9ft{>Y+jn5D@L?;iK>4$q!C($Ju+Py<#qUJLbnk`_gk z`c@h^d+O*<3s7(jU8DnYXp>!3Zg3oZ-_+6kMt0D)wS1`5C-qy}k*w5Q+ZsSe(3w}? z3%S=)1D2CEq3>hZNnf;~PCK%}E+rPcTu)CDH3%|TjcdyrW;j&bAUs=oDDsIR5*6v(sp zO^A{@_%qitua?C5jn-YE*0YW1pdN{~8&!7%;cKN?NLl4WF(>s*v?lgLJA7*gO-bH@ zR-5RgXv2r&X{k$)8tR~Ky4sD5IfB^Fa7f#*`5`1n?Znm4l+|Gnjq>18# z9&2h>q3(8~mK<%nCS~Y)ADpCyl5HJ@BUnZq7d#T`pr+EM=Zd;;uz_=6@c0ON zH*`{zIx<)Xp{R@X8Z}EjhNF&NQ+rLVEl6EnTe*bA+FGn5QTRuZeH&7@TD4PAs0;O4=YBz*C2oY+k~&`7R_0UZn>4RX zH2^hzO?+dQk`6aG0Er+Eyfkf+#GKpqOc0yt4Z!em0Cml&EsrKNNILQSL)M%Yu6+qIMiv>k+94`!L&pv{B##NCYu~G~N?wJ=9?b z2lX(cCip^{GCqLoI*K}v(UFJ`YTZ)b3GJMiy~}b8=HP&QYEGMLp>EjR367(%j;R|b znkuzp2I7WtM;=3vVQ>UfuIhjsY0_zrR6!n)Yas28 zWNabr#M1+&C9Uw-a|?AJTpJmrUd9dql311wb;M)1JXuoPq|Jd)$0+M+IqK7Bab1oh zGDthsU}uvKsq2p0nk-s{zw4@@?&PiDuZh7y4~rS7C0JdePwhswf^l2A3by^3-v(lCR2PI zH73*;A}zArkwB_Yx1qHf{}}2BG?eWzXcZkEq@7%NP(?}Io|_a^Eq`dZ4<+$?we>! 
zOek;V0Qu)ADqV)uG}>Uf(N`~4%b-rPG!d60a9A`lIVouz%o!yT0Y8pNdp`?fO>7M`9L}53p|FQjdT}tE@S7&Z#aZrL_awur)c9TP-+9 z&94J6@MFlWRD+a`!WT&%;Fu; z_lmZaX|ze%U1XAaVstych_)jB1E$MS+zaV=t3A6=V+*&#Kd5U58We6)DqYU1+O%qn z(s2lN(oTgBHBi(s;|2wix@NG67#{`1F=Gt03I+nQ3^goi?%7Jq18Wji{K zQm7$m{N+%7&^8L}dPu09xdwcQm^zx+K6Qawiyuo3bKLL>sR6VvlskfQJuTA7;dJY6 zUiz-$#+^KZ{JA0y>SmU@tC)6f;m&0_4lJe-?PRC@%pB6V+`brUaU|;?FT5FQvuAoF z#jUiR8wXfjv~7WV@*wTMKNzP?eJu_2;*n4(ZDHvFw@|}mHCZ20$9i9cJ*P$HY`izx z-i-qdM_r-c46&xS1?%p!BVZL>(n$=>aEKa4>^rqFZ0dnqZSTZ!g!D-f^mjsxnn;`W z9%_(?9S+j}e)=maQb&d-GPb){@GtNGU-)Vy{@dTo^ZbNnxAm9*`#W9OA5(2dev+KvvoW*}fDElwW=Z*~c-`G0sBg5fnly1N~hJ!(nIOq+7(Ij!v z8-|lrj#fFIkGgM4EpV!QIJm&X$&^6{&tZwa5GCD*tX@AmNjKfU4kNgC2d{mRtij4g z zAJ1%#FK~!{p3Sro1=k0Eo{cS$c=&#!%fJDup8f}enNKA*#jm@B<%dPv&OEx5i&iZC5BQ<*97J0|33kA+I61ED;( zdAh=aZN8XH5LXQ6O6n<#3q4V0vVaR6FAGeUQ0zro>~`*PHeW1&%$=9H1s5MNWiSfx zhQ&C5n;Q)fA&fk@_4!t0`hdYRqk&eRkeX*nW6=maUK0)AjLoOBb?Xk=PYsiZPu zz^&BTrtX(d0vU3wFOV=C`9jOn?yZlkm531ujwcIzJ2i22ZeTo_ptp~)EFTRRw9&@8 zVygS&Q)nTMhg0RvL&|YQ3Jv(VQkigl==$)7nEl39 z(4(Tq%Q;+t<@<;~CgVzRoOpkY6z^V;YS*jt3^uMn(qTNF^_~&9fa%bb(vKKY-AaTY z@j97e`(Zp@_OEaZwQDWm&@Pl$rtTS`Uk5~M|^%Ckd! 
zIEl9KuOque-=9|IzANBe{B3S#w}3t|I$0LbTAdENrD%P{oi{itJCX~#zjyK;A{fk& zAes(gENVI^(cMgk8x)M54iyjhC`2|02L69AZ!@9$2l^5Z(~;pKVKp5LOom0il6fiei6@XyhkY)cx@lw( zDn9<(1m1pwZURlF>9mgt%d|uW$#ev*sp)Kq#QhZ6QPZKYFqxZ~fe()*Jz{Vk!sA;G z18L*)VIts=4}`aZyBKXn&mC-axdlArMYlmYO(Q7i=R+Koo(?T6%tkX5^O!Co7>}Ng zmPm^zSF=+IOeYic<=J>(NQorObUK6)B_*dNB#*@mtZrciSUjQ-#&lR@Areiq!D0aU za-o#B9YF=Im=o`A1}|=i45aB2nMbps!6XhQ&Zb!W&t{J8pcTw!GnhA?Evx7|*#E-A zzeCbehu5vZ)&99Kpxl^2${lWy`4dT3fH321VJ48aX0r&N{d|n0B(oVTDVR;L1wS3d zo)6YP^BJ&j<^vdEQsxg&QgAu*5u|&_74y*$sk9l4e@~|l6Dj7387vc+&Ee;#5q$Z4 zFkTGcwJs+}V$5K0Xg;t6G{%k($&S*a{|< zsD_j~gvwUE1hK{3lHiONvjsY&<-mZ2KZ|66?61YjgGUU#u=(6auO33fZMLv@BJ2=s zeK}YomRrm#0}Dvf0x{Kcut6uY92N<(z80g*M3&_OzJ0#x@w{evid=_<$Dr%59O^nh z6V;R{%8`}#*7=GO)Wt0aiNjrFK`f^kiXbhf<0+`~n0s^2O}a(Pa+0AS#&YPc;LprN z#@SNY=19*f;y}O74dJ27T^LB3D3N0#ak89l1+okmgJf(YeX$%4u+z01492ilYB5Kq zuR7fnZeR?PL`!VMEQeJJuahvAL&){ZfQ2^v{MZ$^reZlm$FFE-1ZpjpIb_NuB)b{3 zTbHFHpvF{7Lq^ClgSk1zJP%r*%O%qG%+$q1o%L_bkXc$6X#=rPYs0RyWy-|Ub=7DU zRs=(<%*ZnzvX>&To>Q1>L$XV7GAoO67NcuojP+=T<#L7n^X1ag@pJS9q;PKuDZ#X2 zDc}}XIWERg);4BS5kdhz!tVLf%B&Eo_hpZ9%B(;wA&mervMJzX#!YD=G0*IcFE;3w znT3w1S|Ab!Oc_}47OiB1tq3M!|0GMg1+nSCKes-wB(h@Iasz2(FdQLyRhrfbz1b(gZJ9Ib$kea%FXL9?%ZiNWM& zTmi+LBu-LrBJSE+(wYOw5cRfC53er2-a>v%Kfd4Q3QZ1}QiarY|!n zRkBou61gHQ@_N3qVH>T(0HY)@N}{&O{erUud8;};CDI-)P@7TeJndo1$b&YKdI`4i zH!|rx*3uqA6I@-MuwY73-@c7&blb0V3c)DDscB6@sp34iTOZT9T4z}$dAfc#L2m+! 
z5*{FiHk2U8Mz+p!ap7bF*IgNoww1eSRDH&_lh4=0EMn#7uEnZQX(!^lnW1z*~I27!*AS4r?L38Wvu<>dM^y7L_@#4M0x ziK0HsMlHgDQrLj}E)|0@A99#X5?jLSkTNwBq~{I6wdLP=kSREV%mSi6TXi{d+|Aq znZ-Zr{t85ACRUp!i>=x=gpb26IC^E8=_X)4@)eBC_e}}IE+*gb&r0hn#g43` z%yy7~GglS)!s`r_hXhGj9f;2QNth_=)d zJ~a1CLul&g-iB#yS4-HXppLXIJ?_3X(=jC!_3FrzI)#oHNi>z<=z3#hgQ!&ocrPnp zt(i{GK{za}k};jZpQ(tD^Q2x7+6Kc3*UD5|X&Md{6)W-6d0gq|B+V>=Dn|4dIjCRL z>>?}+*7T}(lsa$=@7KxdSWowdL<$N8O;;8P$CR#ER>>Jyd}BIEkK<`Nv654fpCuU&MXp9yUx& zPzP^{V8u`_tXcs)K%eKR7_X*ZEM>CZ2SQkyQhftd8=4_U>eF-scmyJgk=)WBXG&s( zl`#q_6`};xf~ycoPnTVz8@e~E-CxM*VPaxY5Ln2^Z+QX=w-5*QD=EM%c{TgD>JCf|Y68yGMsmb2ZLkdKvz~SqGt3z(EmLbuw2juU zle({rF{t*W^wlSPsKb>%Zb4~O+Z}MDb9@d~nLue_f%LVa2T$qA&mu&z4O6LODAhw- z`hN%Rx_dQ4f=$3lIjq8PafKoR*!QSI+WDEyrn6Vk@a~C&%Ca024pPK z0!4TffijsuJ`9T-9=9|ZgXoZoNnn?y(u+|oE%0H$01w8iX{bhY+RkACxhoX`6F$m7 zm@7~MVumpfaUqJ<9InoDNxxDt-3lO>_;Q1Vfx{dfrGn&{qL7A}`DqrjG!>q(ppCAC zEIv9ZZS4M}#&iTjLEIErj#ngz9$33>6@URGYBcCv-RGX9J(6p^5pbD_u5InKucgIT z>YPE;&tl4i&&3J_L(Rm3aw`pZPiR>w_ppRzE#@ZGB_BOjww)J>s=N%&eQE>wGxPv;Wu!8pd5T_RFKzQ?Kt5ijk%5uB>Wa2I$^OYkK~~DTdWYU9;G_-RK`6HtHt6JmOQAlz_6p1 zE+l~_k>$XuD$7ox3ux730h11vuw;%`nKF}^%A$wHhE?Aze8TimJB_|Pd* z2Oq<7rVH4NuRo)q{vi;B9*2;s#q=yVj2J3t*PF&6KFf+&EFeJ|z!J9v$E8M!H#bt4 z9LQ8>Dy$+!rAF2k-a;l*-jiG5)@T5WysRwr99(E)WmX1lL_U~8 z3psp7N*?PHM#P%j(EvEz*Uc>$ zh16*wWl*9L0!@|>qqb%aVEmK`G73013< z1NI`hGIe_z-?f0Kx)eI!lI9RYTa#vq{@zihB{YOMj#cs~>FZD6rY}qnw2&&Y!s!^k zspTMegIQH%RaIHwJt!^2lR7B@p2%hFTgs6`E-}y39?Gy~hAMM-!2u}6N_hdwJccTs z7r11M%hd`dx@*W@@PaK1kiWZP+Gg$P@lrc6&`0!6i%e%fU=a~dLRgT#;v6GzsLeV! zO|G|#LNY7tnXQ7JQCIr!ksn##dH)x{A*?iTDLN#P!)}b`GI}5;l$K_G6bsl1vC4d5 zpjbyuJ%CeJSs?)Si@H#|uWeNAXN?PYRx*{$z>la8S@0{Fj?|$COenpzU@UNUk8gM! 
zIWh&w(v^t2ou|sMN;rgnS@|q+Y?!iLu|W8RCC#+1^#H3W`nVxxHcaiVG=?68M$pt6 z;)aD)7S0y1aacFXLrJe6FfxQIvvLy{4dY?T;~rd<)fUZBTJcTVN5ugL6$~qccxJq!}`>LoMcpx!K9~ORT9Z&_byLPY=p#@=BSKHYf z5sUW9b()DKqAOpyTKmwrt!~2cx>v|!UN@w|Rp{(up8yWBo{r>ImS!R3L1`q~`E{V( zW;1C)pQKta44tbF4F-q-igYWLUJB8UmF)5nmFs1cJsZ(N$A@aGk>%ZMRZ1Lc@fdaj z+l*@@6|J?p7h$uW?o-=wVO&EW1v5}cz-GFy1j3@(J!oOJPJ+W#=mM;sRmM1ExpGE5 zGjLa1h)25H1iF%nEP9x!c?!>CwQ<)`C0~%5&<_BdK*a&6PPp3$%12knrZP*h=Cr*e z?ORC-8*yy0>PeW{%Hlu^RiCgVaIS6M6EwHEP);etO;Sge^~i)o;Bba5nUA?KgpQo; zChP8)jUN7`v{r~>Mz*i0(|1^G2;wWIJOa6Fo&{b~3G!E}g4g8KrSzOVGY(XToA|aoHP-UY zwqStN-ogQGY7sC5q09k@%j$?80872gEX1Ns1Tc?M_el2)H`mMqk5Z`tPeDdvw7K6sy?vbQjI1ul!zQ@2rl1guh5sK7bg z4v%$v8I+5-XWS9PIRqeb3@iv%eE_TW)<9uAhZ{W_R8+Ozou?$T9)c3SpD0_7!#bB4V<+AbNft%EfPRFNF&Gk4!mwbnS3{Y7 zwOfvI-<9Fk)1Zvurqo(sW>%+5*U)58Pv8Pg^?(LG+4juF&?~|3S;M)kj<&+!-DLt+ z9ywC(p^yQIs1p%zG^Mj0nGniJ*Ln6FY1My@AIV{TqB@RM&mv@8xw@SjEr)Psn?4Ab zGj$~EvF-(^e$d1Zi=gW7$1v;WLsVKvrk=1&KSMsan2(nTVOv;AEI|gr zu8yei)_ST%oOmT;6QnzxGAv>FjnHV(r3}$KGLh)p>xs4rLr3%BYEyjdnXZn3rISt( z@wg}RwWp#^u4l2tLukaRiY;P-_cL6GDNK)pDom#^poLmrKJ1gJB~YIa=B!OzMyA|) zCGFwW@;*>TMI?oQx4SJ|q&|gig6GgqRT2uDS1mAp=NmT6jG<PT>H*UFcMXgCgE)7aFi1iE80yAx`NF zE9NY~saIh#gp(rF?+{oF%XtU1_XDd zvBClyxA7h9+xUY|15#Tv}4 z_0qeZSywnSou5c`D?Osrm0w^BO?WIcdpIUsm8h9U1a+}2}Gq(cQ$1Op`;E|8U}E~*;B0huc0Fh5pRH(=Oa2PG}^_zRrz7Z$3a)qjuO zFC~|{v-!e=Lz_j|Oql>12v_QGy;^;V+?VEeo4ECF@C|xB}bHu|8S&hH6rS4prdY;I0>S!HA6% z3BlR~N7w)@K+?ZX-O3Lx&%)7Yk-8bop6jDB;D|}LqOu;Dqo3$REz(0288G8rS-|+N z`hZu>Jm^75a0Pd=p2jTKF%d+QD?OyMT_qcF?%5She7AD}?%IV5&{8G9!Dv?+Fqq<+ zX^g7@T#>?vQ4!(Xi?O1jfYU0xB+aoa@X+JOc|C*x7hS`x)@eMnuNviuY)?1S9&VQ#Es*wF-0X~t`7Oays9^b zj(~^49d48)3`Pev~IhN20t=ZPc< zuz^?z9QJ6*wv%$QLKx67C>%T?R-b4oYELHouYAuQ@ zBYch4j6*Q`z(VXE__`dN<6ME-j|chD=ejBdnkH$FJEYGHw_5nDXO*GMt9VoA#c~IU zao?(^>VZ4UA>z5Gd@*cPYS1b@AQksHR_}qV=5txVB1)eH1&+NbOOb1sE#=cd3)kl{ zgF_I!s6;>edg?dYtaJ=O%-p6<_eR=+$6W#LJvt-=++NTwnPSc{`1&Nk!qWNL5< z8*ah}M5f*Xf&D#yn;>^c!|&)3k{jm3<|JR&(*dX6=gJ7}aRhvfh@j3yS9C#mL!XCo 
zBLkHD_DUDmA1afkHpe^nQZ>x59w=+wCLQ+;KhxX*i?kIlK#+EyZCK3oJWa^8c&4>d zfml)s+ey{IqM@9=SYrvMN8qFxOt~nwPO&58n_G}i_myw&@g8(YKeV7>uY^8wM>U}b zh|qltQJ=3TGh?gASMo8dfKK3@Xb6%OM^2C)6EuV9uzuho2jA!TPJ;}JdS974+>bb@ zwexwE%*J_3#niAeTJKXr@6+eFwNl%F5VqTww(Pkz=}744=-Wy(3JH8Bv~`n0j}Gs~$d=GKNym&!nC$ z315*#Jyt-FFd*Lj(m>eD>WJ}Z20w?9Mn8&B0K*q1!=)sFo@u#;CU8>2T!B4SP`bUu zlxKZL^hTXUJv|V8swdzW=q@0e$A~)u<|-MhEVv$-VhB73%ddyEp-lx`Xr+XnSilBI ze`7^}g4Fv>xI|fvRly{nQBPpWN1#l04g&B2k9DDZ8fRgREP_^4;?}o{3@{eIuTdp> zm_JSv;HO9vVmJF6-RS@iEzBZVD5fu7!1B6)*}_cOhQp!F>gY?zHtPNo6ZBlRc0zZ6 zE~sLqcn!ECGGJ8%4kPMTx(zDnBF~X4qK?$!urMQ7Wg!xX0rOaQlssUuU^*ZGOsc>H z&^&(9Iyl|Ws7hBTyhAv1b5{ZVxeI z$h87iWmN}?xl+SzF({h^4oCzVBF*9`%Mq|G>d**y8cS>`K*Yh8abXZ3h%FX-mIdei z21?yv{;ntkmHMg8Ktm+UH$BIu)|$bfR}l2zTLyInawpr{c%sC(p?gUw=_`0U|;#bQS}~Ka^-d#~Gqg3PCZR_f?+jKoLId zP^sG<2Qf5FZb~;xQVli??AaXklBlJ?{U1UF=Xz=@@x7))V9Oi2LxJ%E0d#Lv>6n*UJd8e|n-O^O}ZFf!qwr=P1#EBce)liJnG9Md#bTdWO(U zdPd5GhShgkaq4`ohNOVaXnz{KLu7@FQJ=A70tU)LyX+ZX9c~hi;Y>BUzn;a0&qL-~ z93vAcEM1s!Qx{WVO~a)GRShkqcb*q0wjYWJO1V&5q#)O;cAA(H&NR~AaF9A^5e+Ya zCkiV|qF8PVWcr4g0i9|o~BYz<{mtN)~1Bx$437}=tlsBC9Ml538jH*0&JBAUZuqsf+V8Ia!&29@( zt+1Yh1^(P(_^K6;Vu_>&*>8Ks0qJKx>;HwG$&-k|aTRi-j4LQ_95{tnI=HG*k&Fd( zO>>^OYEkxJcgPHm#*56w1kq*99^DsOMe#bba}krSKozd~_04Pvv_=!f6C(A6suQ|f zf7F9Is!8|V52??fav_;%$_0NeY}jQHIrwK5@i?lc4uo7xAN7cZf?!Q+CUuOa(iiTq( z_SWVQR!HdeFA%7GB>iH87;&4VFxnDD*v60S0&3zY3K9f5(nv+jf4K2S=|GlBSo5XN z2^>j}evG7n6~ilRAGp1R*aAf&oJ_|+&j zU0{dn7EG3zX^)7Lk@De@;89ivsFzzCOd7Bmb6p`rpe1CMRi(kYPI8U(``WaSSX`Sh z#V-Dihp(vjqPoq&1NCRukR$SK}rOM|J135^(ZR*gizX8K>$NFOL>_AqVvs7` zO6)=VFUoif-QD#%h*0l`{se~Vi#8^1A6c*QT$pATQ`n5J>}4)MY+=1lW!497yf#gw z-qzx?iO<`DrPYy%Wd6Eo7VX>t=RFfN)j`3q=en;QReOeT=%VIO<+l_)q#xQHpKANU$9sLYdvG3 zJAPPCZfKo_-5{Vb4;X~q(Z}6%S%8}#U|r+at|(Ze4*{oRZYik)LU~HxtN&o1Ij$=> zJC_ic5MO8wF)b1n4M#A(wk~_NsCR%hT^zgU73;MN|2k9BABQ_*8I+E|#dNXIA-0jV=WB2zmh1MVFgkC*VrqLGtrc&0IG>U!$Ju?0|58_EAB9zfC0x%ZKSYc zJk(9k9rqbT+>QmBh7{KmL@?&JeyFDzGhr({P&78pzVf%kIkCI^PsJtbIC6)_z*E-D 
z4z1%FHTWNBwF4podsc6AG6q{a)iZq)G7_u*U|48C|1{w|@7qtNHVwaG3g{yzm5oPw7m&s0)%Q>Xb}`ujB--KG7_SSU7PFA4HDTC$b)j z)#srn_F%k~b%x6(6W6ZLhtX03(dTm}zThEd;|gm4I)#ZaIfSlGoS;Xk31v*ea#pi%gb+@sKB~S0 zH$dPdkp`U35!bUU!3#nrkO!6oMFGq%r|Rg3A(=$FSrBzQiiuDrKQfl}DdAX0BC`zJ zP)Z>86bfmPC3w(t7(-~ZC$VWk9`<;uWM^c+Ats3~CQ7iOnzDE$xNr4j6O>@d;qNKu zKK_!%qQ{>IWr7@xL?RGRMZmf|1UDWhnc={5m6ipw-s`n4nCxCdAG%H=O~L%n6)-=f z55#FTAE1v^ZdT_i9i^_YewV8>XE9GWw4b!pOwtVE!K+un@mPtvF&K5IPt0Hmd`TR| zBH=igs+Q7sIf>FVI-J?51C(%pgEAGB`+cmmox-}7q>vWm>db~2)|6Si&wk4)U_*?Q zp+tl37=U+^XD3l7yXG#8fojoXWTw~C`Ki{5CmibsU==e!cubk^^$pHa=c%k~-07X@ zva_Ch*U3qZC(}(`+bz@?86v!t=>a!(PftKnIyRC!YOj!PN-x8yB#pokN;p6uDKeOP zY<7Y^Vk9-38agb9pORJsyzs4S$fN{X3+hI(!JZnH5~7ecS?HqQ6FtNZ)avS@4&C$6 zBiNK!13VxtY2rot6&NdnU@_`FD~yk?tY9P%bWKAuz!2SBpA=VOE0uDNFa$J}eqKol zO@TxQUOSf|42f{;Q%8he!5L&WZuX!Nr*&-v%)+Ej(@)T)?o$&Rflw!&giM1YQfgyT|kJ27AV9iY+%bg0|TYXere8g;Ettb+9 zGF<+lF1}ca5ZZ{kf_Dv?xKnAvy72bz!2_7z^(-OS&7L|Oi7pw5v|Aghh_~ zIQ^*iSXDZA&T>p;Fhk{D`mb{x$N~yWBP(NU*feIQS4~KPoj<)3pwyWSd*oIc>v)Lt zp=X#Xs~jAC8gKy($aFo1jl#;mi4$d5;qi>>sT8~XX;U(?LctUDK-h1{u5`(KcZ4Rb zW;|EDZ0PuNWmR-*(#%x5=_a)-&~qr@e&r&Czo$ilvKeVrbHbn-t)DS)xpKNq`x5Hv z5tzi$Us=EhvdsdPHK&PY7#u@RlQoJ%r|Gr_@h$DMXV)fbVbJ{8XZE`uv@^3b!%NH- z*t^l-UKywlOVc?5_enDxc}&;f)iG04qV@Jk))kdY<19(}R)?aX3zcS(F7rhFK}xhm z#t7Bvr<(xF6TKLgz$A3KE&6CiCw8$JkWGv8#WGx?8#v1HKtf^X1)joC^gJ=IeQO!$|mZusCBT@&Y*dd8@Os`lL#9W?Q9a+S1Pwy zESJ~^&bh%tWLZ~&3}UM1Y#TGE+j4EAi50T4asxJ$Z?+=DN%4&askI@jW6t&Xoi)_) zIm6w&YAaq(A!M#GcQZs^T#quhF@e=W2MU~Y(>q@&=K;qwwnnU!GqDySZsXqcX!>j= zaf(eH2SygGEgHB<8K5QPJoI4io_fH|kXe*-jTw!bxbmvID1l~rt`TBWgwj|OsWL<@ zZ0>GKyk4RB0aHejE~nE4nv|=KMHhwjY+LxgV1WjsMyMK^o?)S5UJV6DLZCjHp1CQx zl_OWC2bWcSqEC0Z*!0P{1)*Vc-CluWE$X0H3OOp51;>U$Lqr1RN%Nqu2v0rH)0~@E zc)vXzt-0{veEZyq9S>@l3NH;F2$MGNfep?>81Be*5FYlRX|Lp%lf2XIg(Zo zd>i$YT;x3gwH$-&s&!g2Pv$UxyES+UL8sMTd@D(jZI?$ZpE$TBR|yI%Nb0kMLI17E`n-bH#6+@Nn{1t#xvecAZ2Z>Vq7=$@0+H(St@59c zF`$mJWTI(n1dqXYFl@5H^WOP(p0m7(QKpugy?+)cJNe19kT5 z?|o$BS4a*}xha<6uvtSd(Se<`$}8F+aku3?ElyjuLUL>?^ehQDg}f%25xh-x60tJ7 
zAYtq4K;RPk0aup`!?##K$?G>1T1<6wpL#-1J+PsNlC4v4(rS29PmlOE;05vqwnkqa_cr53){{9?dkzr# z%yv2$0b!YiIyQpdA7M*gt#K=cLrAB3xUymN}5trqgM68P(R~dVnZ0&~zxF4;*7FC5+*1;~sz&MFiEn zNJvLEOjGONP!GsHbN>j^dwc@ObwkjOh}|NiAV|cud!@XFXFxwn?gi zD$qjA(tvzW4O6T^9>LY&@ZQ!lkgzO_yhJ`(F`hw$6;0xBEXfvx5(;gr36#OBtwIy1fWZZ>C1WnLvX(TA-hco)mrI>Sh~w4@HR#>B8!f zmGFd^=3CKQxZgV2owud&9R%-#2QAD56!#TEU@uvHrDy6@A*w=3{1R;ulwu3bmk%2P zVoR*W3YKja%In4oqUaetTvVP?&%tWM$>|JP#p)45oMSvJvQ$gj%s@39_kHR$y$X=ZL!gin(QHP^!c_D;$y6*MrGK ztT2#(dIJgp6+8)wT)^TfO=|kTeG_EWr^=qi;=p4O1h6@)kSmD6UPuocf7**S^(b71 zW;f|Whvg21+(>+F>N~3p&lW7C9!Zanv&ZW%GQ)>RsFeVyK%9H74WP~_hps=@p%>bd zdM$8EoLWVIT4IXga|JU27vb{-dIgLR6oqeNoh+-efX;K;`V1lz=rhvggP4VSq<)ZM z6h3uZz4845rumABDm!jEih_jk->~s>EQ8+ zMX`jUL-*;xphB~SZr7-^bxsY*@Y!HFK**Y<|w7D z&d6YRfO2UUsLfPyJPs_D0>gx=B?ug)Qk)Uuj8d8E$=$+)Q+CUI4EO2cTH(@PWg&2s zdnQ+?+cx9^=?%+QdS zS|?#gy-aL~tWu_*`|am4D|=AON>(~Oz8fVvhu?xlno zu`(%9-C$YtOl#L1Y4<&%4r&Sx+D-}!MYoj*)lo%gkC$bcY>|OgI&M!-Pq}3=D0@}s zXfcfUTo$GYtJBM}8u|gJah49&7MaEt0)MWl5{LH6ZB=Q}`G!)!KH0LUCzo{py}^Ws zLmWBB655ur@^(2K)Tvx{j8vjnW1aoYbRLUW2*ZE=%bzKai^YaWV-^=lD3U*QFaE!V zB|kpX@o_V*hWat+#2K*;1on+At;*Fz$lyGWmC_PU-PPIoj4wiO!!?R5`kWohJnwFp zG-Fm4I*W;P5`(kNI5VZ`!9JM8iPd5OsB$R6l!q3aUe9BbS<)9qO(rLsu9vAp5hZMx zH5E%Jw(Z(cRTKpI*3HtBBpU5nRlw^yvLRIN}jlCP` zauRicWo+RW6k%v})$y}p3Z9rO;wQQ*r0ecAPL^dL-Vc}wW9+%Z6qN^sh?vy}Zx`v9 zE(Fu?n2iVB7`g)zf@MS+m8S-U2TxfdS!ZaiRu=iya5kJtO_`@mT!@vtlFGx&d4gS4 zWmt-nxQlF+?W2)KJAPefq7)@Ep~TvVCEkgMhGS&@G-HOXPQ1zrUf9!h#qcmvI3&ez zstK;ml!flasACU`9ypLdDQIb-A`zZCnpTvS@8r|iFuSkC@e^ONo&g4#k!WN;MDtgkoN10*hoGhD`b$JxLpHiQ)c*_LH|)FB05c& zROae}5{(s_n1Y8;X9k58EBf*UwCuIYQiq(wV>XSXmPgR?ZD^z0T1m4wRK77BhM1*B zPgnj*sXf?=*nnF53^w~|nuvs_9?&z1(1ScQaObR{#CVs5Wu%`W(Wt*(`FOqpv$e26 zQUn^$h8=WAuPsr{6vifcF$!3!Y`CsE;3W$+{;1vcd&-lv2NX|6-Qx>PY4H%dz-kK; zBK>NV!UQ62nreZ{=t5G$ixDnPg`C3_H3>WHHY6QcNIhE#k*3CYb`v0n1DV9!?pCBJ zi%wWqT{W``JeH?Io_9FRT>Ikxr|ip?9LJF@zeuu-C9^6&$4P)BL=a$Lp+tTCxPywU z>TBkQHFkS?9x^&YA^~5|G7S0d%0wLs9F@aV2K|SpCmjXOb=kGkM>YA6AMXGveuz&U 
zu2o1-@a{MvjEK3=k@cp+vo>=9T9f|pzwIO7SzC9#wh)sbbeJV%Rqo?Ey1_8G+P`S!wIYUcu$s~-Ke&a@K>ww!a~a9%*%TPdRb z5z&OgF+F7Kf`QxJx4A30vrNhC0VTgz-LZQ0I_}bv1Q;3a$%zPdfSS&+w-js`F>q{6 z@vB-`bMb`>L*zw?LMRf)+^qM4El&9V+`k`g+HqNUK2m-%ps2Cm7u^YhRQj{DQr1M5Gr zr4CDP+pmar*fL+LiSM5J;vF!$EwPYKwx_iSzpX^ATbWYlV~=jQaifgynheBA6}wWI zB1d`*{T!O2xZXg?ZVj)k@>iu~VfI}}mP7M<#dU}H7!*n)tb@q#`MoAJ-dpZ+VJXKi z!t>LkuVdQ<#sF^NgU9V-LSKL4bKbx}*R0)^vzVM@$t(r)(dd&pMC-++4vT)azx5xW zluO1-m3Wi;TePB@W4A|N$*#lkt!06wcGv$J#uV)>tP>*WFEtph-KAB2DM@PQ9G$7P zUkFNgCJK45iR<(k{hle=;p(+2lbhbttxGp@r;xO^uA@wRc2R=BesCg)P+Tw5Wl_}E zF9{zXxM~)2x=gtEr*+MP$EMNZwZ5K|kwThSj88cUCUz}g^|U+4_V#Ny00xWq-|z|0-X!_LGVf8urr zcMSV_qKrqf#R2i}&vHave2mHN1)3hM0o|!(@7+SAPb~!x&{fnLeVx#z<7z{$U2#P& zE>IoM5D{=A+5+_%!hi~mT>WsZUG+1`@0RZdw!-1854KIS>-hxaV-%azJ-IC_*Yvoi zT`3juvxX6E!H%?^k4XPAjJlFmPE{^`K^MHb-n@UH$=~M0bV53slTm*kgCIy?-OE1! zHN&bX4~;2SEI9Rea39&m!ElP_I&=pFihbetDbqO)&1&wr(Pp|IKM;e=<-q4gdj+$* zIbk_ysiP}hDQ}3^>unc9&jrbK(EiB37KiF&yltviY>L{ui|DFlRjjWMA>c@Y~1rYs?AkRhRZQM9=wk(>q8HYB?)d0LrjLd zR=&R|4#;#REg0P4IRi!hEc!?7Ibpj%o_~qJx!|0YKUVutczH32pJ5<(L;H)B4=s0w z`yEs5mpC{RgU6%H2kPx)_R~(yb#v+jiTd%n=-2sf?V1JilXK-tXg{01iOl85FIf+V z+1?;vMh@}*0Z*|l)F)T)C^!vQ(mN0tuelX=1gja2i4GpXN4_(t67FOM53~7SvH#h< zxsUCW3nG2kSMnZY1`0PdZ6lzK19}r=WQIK{GPhlD_i4m{Po1aro~xXphF~GWr{|Y9 z_IggUog6dmU&RBEZBfi|ZPjzy}Mi>VPw^@bgE zJz}VBxUA#LZFd;~!4D%YXhCqo+WdyAp)GoNwO=)p*H)|2@T*&|y$CfmXxV8N)C+p0 zTq6;98c&YH?NDsGcXFaGqMAc82K4lj0N6+p0g7U&5EDP_pghU5x9znj2C~I)F zD3u2YYkTOY6d{hNNqWo36oo%eEraWobT1SBUP=WOKOkT}7xI6C_Q*>NZE>TU4CY>N z+>O(q_Gw}Z0^@$EaFyue$fcWp;5Z;}Tukf5pIuzyWydjwR{}1e5M}y}cbPi%@ zFLjDvAqCS!?)N!LG{VTqqic#O`q8$RLJxcJbJX$N(a0gKuGcz`TMkTseMKfxvCDBN zzyC(kf5UD>_JL=(Vc&0z|JP0^_tTth0FKutX!K*jRw1a=% zDnDE}R6(!~X|Y$@(O7G6VRHz%&K(-G=bWf=I)*ouio+ZlsR9!j=#gx!kFLOT-_J9^ zU(=0yVj=&+m0lkcmx><5{gIxcCa=a7=^6RFLh~}NN<}JmK{Z;o&p^v_O|0huL&-rg-?f+B1H61usOFGWLbb%UJV-EMnpDkblRc5{NpUBCGDhu6zMHk#JzCkLt$-P$@uk3a%AR-gO*e!qq(>qjIFPOtG+>s=nad%S~OB2QcY z6g@N&o!{&YBga@-%?-(cz8mNqdW-uFsLSgGi{ 
z$b-AZPLvejsxr=1pSj99d%-)?g}Ykm8uk0P3KcZHu!7e`8@zhUg=EbW0-p3Vz_n_& zQ>CULrJpE%C@$QT_fm6D>$Y z#Ttae<thVr{|D_{rX3!^+jU+W0~)LWr>YyNey1!}>>VsWYU}afgWuh4uLR3&F3mX0$}pl$D7BEBBA3sH{IZTdY0p)JA=Ts8 zRyP|SKGR4@ed;v>>U8FP-+_^EAAMaqhqlpDw1Dl_k}uSk<6D4mAk9;Of*n0~i5c!F zqyy8#^vC;KAOU82H`}2m{tu?RCJFpggeC>g_>6icYu%3wn;?itwzK>Ixp`D;zh^Yf z8ARXsk7covJkU+&>=Fl$;WEM|;m|EpGPLQNFeX5TussqT;Hrtr*sdIfdAN1Ese=oRA+4-dQj{5_BwSUk)wLjznW>t0K*Qbu^o{#74 zx~d?aofh264un?=0`Xo&suR6AiBvCMbiVqiwwRPTyq^pThU)z!Q_RIZz0JbkU$qIw z7|ptUh5SU{V463V(ITAkQMG|EE93?@?0Ui=&{^jgc5VXT{_hE2(kAq%EDSws*uaWpl$DBuJCyX56xb$05kh^tHa|BE6p$_rU)yy{? zk_Enp7U%*~y5mL5T}ChIr1NTe2$GLRYf(!%+r5=tvcptUn-ljG8C$@wmYgl8t1iC3 zGJ{gfshKl>*JBsj#@adCQT#8}Kn-`dx*UU;Yxob+5h~+`HiD(?bQ^ynO_kP8_i$7@ z;CW*rd$k(CVcCMr^s+GXpfUV{9K~ zN?|W=us@E?s>0-npthPo?GLmBIQ;wS<`r^V%iV=!@(#tL$$Oe3EPuSLS@}4^MMqpu zfTsiZ%GcE*$8oA$$*Hwi)(6$ejV+nr^y=VF6Z<$F8+@0gT z*PM?U=ZQK>FW{NlzzorIRH`r8Yc=NxhSQLP@>QdIE)j~Y$&mQUO}X}oW5MTb5;}o9 zgVOP-%srxx*@unbV|4zoJ=I?lm+Jl8QAOcx&AV`|;&_U*YoSyW2#a;Z*4B^nR65EK4Brd>ZyiH{K1J>C#3XqzhTo!Mhb<(*$y>C zK8D=8s7Yek2Unz1z{G#*QFM}(uK)SRBM$iOJL-_R68*tr){nGA(`4VzWCsq=qMA_zHvz;d2KRv6VKRo#C#<6dl;HwI z_cey?bJXf0e-=v8pdGWEL% zLkAs3u5MPCf<_;62f4J13~R9Tq+q~R&AQY`mg(iXs}@@PK{|E zaffqjir`fbLN<(K&O~txy?-L#xh)F33H1*LU3bQs5^;0_Hbpm`J5(+Pbg{mj6W0Rt z$*EruNt6S>Xg|QlipyF z#}7afEVsHA@CU+#dFClTIi>_vbask$oJMM!j;e+(14ZWALJs7(emu<=0^z^ZRRpfl zixm2@+bq{^(wLx1dW3O>!%osSTNAhV!nOv#;MZ?#X(SS4tHtxrS5K-g(PYSq#}-`c z#IemvbTRid$^tD2U#Zij2B_=x(f-fR-@4iapRFR!NpF84Wq(oW7^{QAB3#6t><;qk z`a>rNJ$lhw19CEa+F{Mcy`G^v#Md1IEPWPmyjYdVeXC*}hV(nc-w~k*ml0M0lbLGw zS+62rjX$HhMdzM7pJ4k2s=X~@o2NePj-D~=8(5hhS8k%}RVab#38pSvYpyyMW+j7p zF#Uoo4P=K|kP=N@XsNj_sIlJHh)wIVA%1OuOfet63%WMl|J^sMw|S&pRz(6%Q2V`* zMMxP=bA3mn44)C8Mo_%+vEbq`?8s)t?18(y9&)Ngm?f75vX46NI?Nb9*eVvPvMts~ zE7s1w{+T;LKX41FUBDIVI7(A1u0&j&fxJ1{!%3(UXB~*njIlpgQpjcS0M8+AH_csI z|3nz&Q~$!Sz^(=s|;f zi9v>y)$HyPqEzKz zvGpi6WLbP6*AipTH$(YOV^@1vQPn;pHReB{8x+f+Hcm4j=-;k~JnflrnxEg_zDaxl 
zdUt5Ax5b6V;VaYyyqPZ1#B)S>)006t($nUk@=ErWp8Ft^QvD%{hw*?`YogGt^NMNP zC=0mJJ@Gw}ymWwcZrsKMEFH~Ndj!fUc@HAgBot&7`Xw-(9`96FGxYqtAho~j*4u5s&~}VNC_!GI$X!gs-@5ah%HFv3(KnJyLhsOdI1YIQ0DND ztg>nY97N|^-qYfEZ!Fk9kuSn28lmjfT${2SieGz#7&t?F+vZF?DvIN?6A4E55-ij+ zf%9T5x9C6}>gR<<*Pj9rWFoW(DM^)FfV0*coU~asK-KSAn0!)3jEcaK+nHNrl+BmL-Z4ORT6h4>o~5?B&+C>I5Ng-n|$;I zQ^V|W@WFN<3$?d`mJngIUIcdZA^pmK3vxgc)S=`=*s{jPxiCN@hn)%%d0c8fwe+~V z1dC-8d)!_Nw(4YbC&Vmu^k=;t`HMD2JNhMG=^{PGWfb|N6Krzec;xG9PDF@aQ^{F{ zb-yG|?}Pr``?>S3Km;0PkxCSSIz4pB^$M~1F6n?9S1uVQ&aT7Pb26gZh_=38)%9~9 zLy$gB?c^t$;^j_Iz(-O7*H6d=NbYEzO+OasS!JTHZf(;sY1kGan}88ujdM z=;zzRZ?RrIHwcu#> z1Kw@;8@VSa9}l|@pbN8bGq{uAV}+CuNoT0C&tmyQJNOYFW^i!b;YNTS+8!Dz8+D;E zaw!95ipkpLgkeEnUtHg+twWn7J{nls2a*105`_q-@B0@>4TC@zv^%`jt^j<|vY*zCb(v~%`%&!aUOjGY zKrww!nyyAWLyJp^BPp<){LUl#&}XuE;)AUkj!$5LW`{`Wx~`rGJ&Q+-3U%6m8}}^_ z&KRgW*rfFuL5Vw6Ek{23oo_V!s*e|XLM?B-qagopg`^d!d1RNTe%+p)TNgE1z!fi-2prjAfJFOlfmLj~kKJMWL{j!L^jEKpy= z7D1#zc$>phLeA0HeK~iR9s*`Wo2+S^syQiod$G&vBaqw*l(rMW!hCCz?kB3bhLAkf z7+vR}`Ck_wZSrrI2;E)pP8{DMctP0q58XAsS&ds&f2qz$iC=VX-V>CKZv2KPT&;68 z-@9Ay@3V?bl8mZ@opmP|@2gz*Q#e`g; zvCu_6$UGT1sNn(x<22XA=j?>InD1_c!8@8gV@IcHMP`(HoGqVacVc}IYdBx^HUAtn z_+KR6txXaXl8pHv^q7dwS)_?sT;;#?f_-h|NxjmYs)4Ok92^wfnmor|z4{wD%S^Fm zaojqY4|l5rt%Vne2A$YXQHWjKuTLF`nFcfkcp2Fs)UXI6iQl9y8aF|+@kWP15I%w+ zD)VRViB86t&is`Y`=D#qIC^b^*YuvV8e|9;zP(!#8ul6M`KuCSv5HSUo=FQQ`~diX z-(sZ5RZGK~ArhwFd$as_1G`u6zG{!Tv0drGFW6mMsDf6JV>v_&iDAVl;r$c*ieofI32R1YH*qe=9CO)$U+`qb``SHDRI-AIe1Qlk+i@gdA4~1PgkUnQY<)-A-~)O@ z_uH!fo>YY(-*SddJC=RP$<8EmuhsxITD4{b1p!%Ro(gp8t^EKp>`aSm@_#xU?@oN) zn!1_x#EuP1jum4?U+%`boss0>)8EphEeDx-0<`-b?bB*Lv>Qx>_~4tY9Kkhv((?%c zhX12ot_BtPfz}6IgBB*8vm-wnDUb&Zb|(Beeo>hIsE zBdONR!NGB7;U-N;R}gd@_(QFbShXgkd%DO#6|=)+@hccVO%f~59D&r^AgunL-ipu= zmhIZbphYSlJ;xo673%Tk>y!CM;0%&-Hh5k~sk5$R60TZJ`fYql{R6AVrHc8W_9hRv z8z6$rC2W)#G(zF}R&}6nBO@7_WZw*>kkYJ^#c%mUpp#oi5jMy5=PGXDP!1%yl?0SB)HYc9R2tP+DFkRy>T{<@N(jg=1wLW(ccjtk$e?f6E#k9 z+23hbJjwt3gy?bb-m)Ifxv3lDf8kgst&a(HS&=81WYfkyIP*uhaTwsNjo-c`Z!USU 
z?(yW$g(CZ&d!kSwafQP`$HxthV^3=1%?hdo(cGKo42K+B7DD%&GnL1Q%Jm_lX~LLl zhhdMLbPpMqj`knOX3iOhwvd#U1QZi)P8RleAlbkV1#8D|t{Gh-206F+`OGDbbEvHB zn=b=6D{i6Bst>VN_i#4Dk^Jx92U;Jd)DAb4w4BI5tv0TndxkVcxZMjiA1rBA>hoKc zni5xG@J22qvfL43i1Or$P|%T>&6AeriJoC7XVK0qKR+RTI#(w5L6Tu)>@g0Haz?Z4brH#&j+FG}IjPV;2x8Ynb15DB3QI~O9wtiI%C(lNt zFw~(iUMW_7`dA?7_wQeWhef}exrsZMK$RiD5Yrt~NpG~tdKpxEe7T=B_RxAnl57;v zH$UDJ^XB472rO`hVIbLeJh~^uTg{~h6HNZHRj98gV)1K=ruJp3Q07s>9S1@JM_9KjRX{jVxxBf*(F+ z5}-d+zWuhb|E*82wnnnyrlM2dIagLNKFzVjHe1klBwVs0jFO`&0BrT>zr@IHaHH+* zLr`0kv?p(@pEx7J0bN)3MLM7p+H%Ao0zfw*@J4PSmk58sPqS)LP z@m#BIb{mq+ZoW7F3?UyekZQJY)aS;RMe2YcWYcB z47}k>If`PRMqB6@8(>I2AAu7Wk^`sIdW!c?IFR~hBB;BDM_S(v?UT`ObDOaVZm_Ec zYV{gnsve+?E2&vnnoN4sjOw%h^{7`BEL}1uo^LC;Os6xSQ8Y}slnXGczr^0T+0&k; zy+D$_;R>7lg(K*lqq%N;C1al(D#K@S0Ne3RSh+s)9=OnS_JDzagY9xnXnesP-V^cj z{`jAwU%~b9Hz8g7Dmm|4!SuA2f?Z?Yo(AY~T zxCrKYY~POcj;@;Fh0}48jP4v1C%ZzM(Uq*R`5Ut#-&bLy(|W48fYpL~bes&ZT>q|4+^n z*qpxHG4rrrA}asvP1PPQHrHckJtzXT`K^-UC1-2n(gTPXAB;9}Q>K7=k& zb|*$F)(pUuzBGn}eh*z}RtaFaBa~{ys*Gz-(B_=)Fc*R6O7eqnNSiGaM#l6DDqn}n z6`LMRxi;#f@UZ|zxqDK&qrb7z-U}Y4tYuVpJqThGAwSyVepvpwvs8=J z%-~{+_Bc2Ze=MrTST{X@4D>_^PX;5+v-#rI0h-w-5lyH7roCG48rJn)|Czgt4N}OU zuyg!GK|;i0+PXNOT9ftT3Oks7BDqV@N-RR70DgyXpdnaqcgVcxK}Tf0iY)Ab8XA?} zdN_)mrTmzS-sh$`qh0foQRv&+^z}^f>X5rHP**iB!npkA@`E3g@!g%j^n$nSn{y=^ zCM6M5nEms}rutdKvYt7Q<__G%(uoZpT)r9n@?`7@+ zo{{$#so!9M&~aCq^>4n5GdL(QQ-z+r-}RT)7pzkhrydAT-(!e>oX&Hn6`HabNpQs8 z8YaEu=a!FSxKN!=;>yOIj%s2cchwGDcfnbIy!W&uzS(F4V>yDoEwk4U9OY%47wU*AaFpI)zJ=pRXW2?_a;SI0YU#U z2kkk8(2Zw{2Wbq@!6v&%4ba%H;L37s-=V)0?0t`E#-t*SSa+x?ICm(Kr^`3<9|-wU zm-%1eAc`s;e{|9Nz4=nfeNp>{iG&s?YHaXcCJLqrw!;Z(3_D%y#eNl=altdmp$Yo- z>mLz%^#@{;($%BIJvk^KCPVF02cxHeKyT1m-5IZck8e583m1%VgYrDVEM)53nZivU zSFF*LY%@jCYed)I`LDn~(SWtR0Am0p*t7;1UB#CPyUH2N!b-rwYpl*2 zk)1?%-`hOmWnQvvMRaAJk*eQk=Yl@(m3TiGAQE(+F1j@2H`5?jla9GT}vyS4FRE z6bAT6`n0b_G_;=>AK!BVwgQ;R}+>o|CMF5J^VtO3=bQI+*nCTy{j3abSL 
z)x%6yu;RFVGWMI?I0>N649TLBnX`Aj*+qb(bi=1m5@%Bs097U^HvWYTP`SBr-03?-cY2PZjZ(&-r_pePRyFU6bVf?7DSnq@zrzuMQHJtc^?;ta$6 zf*Gw1qnCyasbZ}n4m8NjOcxI86PL(WQHs^hX+24wT<9;*{^I6hCfd-etP8R&6L-vn zHoN>(pcFTs#l;|;ly_czPRIB_NkiNV zl=UPd2*E3@FR^|=H~j9NuB#S?xITT_6eEI&@~xQ&J9JG=gtE7jT<67I1t_G~T3zqI z8)hB+DzXmoMu||nD>A4n^>`He?_|7aGXpoBNExoPM0+^@rrgnVyf}TRAb_BV84bDX zCkMr}$Ji=*xO)iw6w`H3Us)Ba>SoM=rqMd~B-5NHR35+^j^3JKws|n z@3YQ(p7H{?W3nv~Wes)K#x2^3iOxb^RP(wW4;<JZJd1cy(^3}AbhS!LBf>6m$AaF&1{-#>LX zuWWWck`~_n^+8*MogKR*vs@>+@o7jwXNW18HSNT7T;ANGuV!m0UU)7#1h? zxA4my13a`~GUWVzg1Psxr=X{We@#GD26L_^4f+?}Tq;#|^baI3MFJi}7d}1SkQ8DQ zY7muwNTklO?_VrNv~Yk3#%59J#BEm|tol#{54tD9CS}&!$92;FQlN4_FCsi~!8EW=I7J%t==i&jCnQkWG1VQb zNTnKNTeM>HwbaElB-=**AgTmIJ35pu44$Bx0cDQ1$l!41whL*xOLy3$<5h9w2IW&( zecT)21v4j?Z_qn##g=HKEJiQLuCbr~S?z*1Nrg-tC#a0oaZ(WMfy$tCV(xGVSl}_x zvVKUx4n1T;qtgfclfVF3pVwYoUP6KM4L zu68FRL1BZ!2FBNPGTiC~PzaY)G+AptD*!%l+knm0+%h1w(mIrhUo*~@cA(nB1=3D) zlZ8I!8qgP zo(pHdQuDMAQAUM}$ObufA-mT?3gE?l{rdILmzGvOt!iU@pwl}-cryVv7|XS*DqG!8 zLZ9_AfD(%Y^!S{pLd~dgmO|NkJW>B>el_5j$7BvTKdQG9r{A{x0iN<*FZN8|{hsy| z`F-^lDA*<_fL3L;)i`N${n;%&ANd%8qVN>gnNNl+#(T_ESYr@qrG77ZTH^KC*H?aC z!ppWNyz9xPj+z-YoF}|!BS2r?jw70nhxQBZ&fs}7oCxLBJFM$kb45(Aj-JxQYPaV; z@p0}PdSGvFf1ewW#>Qg8E}G`)=B4$o!wzjx|I-!$1%=u)3EB} zuOfZytfyx|CcS7JT5=E?ld%)9g?xK^!o&RjnHPrugLUv|lkpyZbsxVA-(qyjIU3<< zNaVUX<*CGFg*(H6y9$0P9u-?}z%ILX=*mea!F_yvLt%cdGu;r^WEOqGOQLy)J3RR* z+hcS-iMF;AISu^~kc;2;yfDyOgwP+e%eox#{Ue=Qb&*S500KeW)wUhA`d2>QVU5!V zk&9LJG_60}g5+;#8OcgTc;X+z|GexnGvN*_Liw#Zqv!q7$VJUK|DQ-qp(zi7d3Lf= z$o+|=r0m^B2&6bHf9P7{iSkhMe(WP$kXwJ_LQ1`VU&Nu}{m1*ezHV7|Q4SgC&|3l( z!5=LW*{KsWTNf>uz}0$FkHE{&KwK1wNfMgOmJ`(AksEB{Hm1UfS{peCLWG|zosi0H zqvKm~I1rGV_H%A-d=WUTyg3Tb3F~8vFJ<$D`-A&I3(v)0#soE#7BtNk>WS*nag4ef zYXGcIxGPDvqS|`CV_6pQ_EQ}?7Q58Mrwz$4)-uW_1YjV)s^Ig%qRG5_FrdPQ#qL%Y zj` zdXa;1rn}x8doEG;r7ih%`2$0{j*-4`h79C6CJ%Oz8>ps2w*)YjF-|7M{(N+(P`_$Tox0>w?`;ps ziBy{PIr5w~Wrw%}e!tWRt zQ@^T%lH%0uG8DyrXO6laefN%bI9UjKlU+9loR)?FcY!?(_C*)aNnYeeau_Cl;I%6Gy2k;8|_vZzBiX{zdLlsR5MDnP-CK+WFGi 
zfNsz#4h`I@!TYnxBLC#Ji+%Nl-xr>b=G9u0pc_&%n2^=PQ7x;J)D{;@gpghn#KpMH zD3CLi3zyC%*c27p3qj^&I^?o%dJJck_2HJwcTBfYw6X36WbcYf>_#A=I z8t>jYp^vF(iCY~xFyRUF`x#X>+q4PCXv*Lem7> zPkDtfDoPt))V7k+MYE`1A!O(0$Bf#=k<4hz$&!@64qua#6&yFeXQMDe(79^SgC|BJNXAQc6ljSUJFuK1J%tj9-IA>7|C^S z+VaKV-vo<6k)RRCx%LL_%NcispNJTI z;&8S;p3qR*W%}At20w213x|IupmOL^=oEG02$t=^#RrnCZtN(}5Kr8>=WBS5Dq3$x zzWTwoPylCy2f$50TL2#T_TxW^zBGb2lHZu@1GWdf=;RjhlZMojQcL+}%HAzHbE1Xq zij=6JcHH^R43`eNVN)r`I#gXFBo1%GAiDc2#9dj>pJ#zy9o&pK9ceVL3xd*gv7^p; zzrRdEk*cB;%lrtDA4C#p)vVVR{PgzFPbmg;%A!ElxMjta_p4jL14}c#zyEdhdJW>6 zt-u+!JUP*&jJoqn7WbLK`2)CgeQL!?h_FB>I_c!+n)FSJXjYVJ7C6D}OVv9oDr>>+ z>{2PbgwFItG;#fv${m6&Q(U5;EGkDsxEnITbas!Bcqyt;PHYr)7z-zOtffMCo1^F+ za`YC$4&>knyktUkTC*wV5@rlsv|`be&Gt5ho4ZaBY9dXH{>V*oTzfUM1{j&vVrQ_f zT9Uw`&peE5lFRYxq8X}m{n7ANOTaj}2(r+9q9O}JxF+l;q4_8NO9fv5e&nDvrKKboDnvLWi3>AIdIbn02wLI}*@_?K0Z}e;;a)6W^{?Fb zE~frTVCd_z^A${hI8MO6+C(vp&&_l|7w&ftuWwsq9pQH&lUb>zA*_^2n?Q@FwW?bv zQPfxn_!YQpvvcC$rj{G)$Db}pzv7(ZCW4Tc>@li#mXn0iiZ#=<+_itquzS44DR_H_ z8FY2zBiBph_z&q`%rA|?bB)~QLh)IzGHC|=GkF;_pqKR2bC@A13|g12$8OF|9UM~2 z*w{{AKYmPO8O&0^x0j*#xoFK~hdFXSQ6u$BQ^l*=uiWR#7EHacnKoPQ))uT6#GRlO z3yQozDOL(jm=p+f*@l`gg>*R9HKB$>>AKu;3~9BrGdf#YvGmev9b=OAZ5?Zqf7ET&nq)XKKGf z#1_;{ODS<>av}n}Qwr;hiY(a@cL0PUBy#Rrg?Ns(8*X;jP0#7wspQq&cKqaP;zuJ4 z0{E(JUz6a)%u2fy-9Qe?+Ko1<9_ls5=nvSU+PUXY7n__k=;(t{_;SLLRo%(tHt<1( z8T4bmp+90nvyISldqcbE&m#)a$-%vU6B63v=&nAhEmjQa{D?f8F~Gbwl_9 zq}EJ=ogVj{aJbXcI$9y`pu)+D62GX@aZSB6`mx&R(z`@H+_7Z!AjoNn zBlbh&c*Y(1BBBhSDHmq4>tC|dS~uRij22@;M9xUoulK0h8lgwB#v^+?Rau>mBsO@Y62=JG_p;O5Hz9BvrHJrwJP6qiD2hV1r2yBF;`VGKjNsbEh^xXhXW+s9vjJ#eW%U9eICAl3*-0<8Aa8vC`I!;`c_Rg5iYLcUcIk%OGx`3s>Y^k^*@4 zAY_5!N`-{wK@8(iW7Ros?MC}ISWkv{?=0FDcdqkJ3^A4y4>ZR;BE%MD$`{8Kd(%(h zxbrG4unGM?=RhA@aJBPi<)_w-ckUT>v?^#~N5{Mc{UUk{6@@7d(!KqM@UDHWYK^hA z2v%ROdALJ__Rte~Yj0;3RdVq;sdI8s4Z-ftd$Gg}S9M=dAI1uAPCrYsxcZ(G=;!~R z37qyGvYp8Z`W1%qlpNn^W4(`UHK?=w780P@B>?FUe(7^WkD6=K6rEY)i6GpvUsjuP z4CFcQJ7K=4pX;zIXg!Ep)VhFZDtm+yL)41`NxNUFDW}O?LJgz2aYK`@Z0;LhKAdK(OWJr 
z(TKZ|lU>xqyA)(7=L#0BS`bFv!$F<7Ib$K7kGDVFJBUct$}9jq4K7ck&(}^B@8o3c z1>JEcNN)MZabVUKp8w#))X-E-lBwK?eNE46NJd=zrjc02BGE0QsEO`a;+O;%f zIQj@eN^xG=0JuruGN=euBSL?6DTJIX3iN5zd)Z_%f3m^xv@}vVSUW!))+Mpt)h8~q z%TzaK!#atJCqE{2btZ-2p+2t$pJtfMNf?5d{*Q{a+UDH2rNT#)KTCUWI)o>?Vf0+_qCjSO&3We?i2xVcJ|5QN2cgD$(jpp%KjQ zIj3)~xznPTB312S`kk=$6%XvDVB8N6Vp zg(h^6ZmyCuNQU%lLj^mfr?^}d_=TDf4<{@Rs8DeD(Lou#nqG~OI%MMiaVtD;t3^es zumGbAC65()33E*BDwdgPu#~~a`}2u_DQ>id|6p9vv*eFO+uIK$wZj)D%Cuj-TQXwy zwu5`k5R*M&__XINgA$mVd~w~Gc&L3p;5cg1o+bp@H5&(8(v+MfL+Q<2D+Z;BmBUYi~$y@fc_fi!L7|QGL^E z$H%dZ13IB`yUNQ~eQMq8q#S_N@KdB>pa*mx>xn&4LkGP5-~^5nnKv|KiIgCZnPY|Gb-uGT3Qfh=*tLFa+nxcAS$ z!1b~H;vj=w;NEBPv34BQpp@aU`OWd99SDN>fhF_Zoit}A79Sy-MM~zQlvQKoh((cV z=T6afv~l4vqfhz*ABm1I_hjJc9b~0;DYX;abAaL3c*yzYmEfTHTU572MwQdH)Wax4 zd!tjlFNF35Z#9@VJ=hG1MADhh4P3I@kRjAT3VUH*Cc^42@`&|dbSSy@#EoxTO6k|( z-+KSLQ^})>wbI|e@Q5l42kjzW(fI|?*%7I_p= z`_8Ip2+i0S?I9KKgl|{-nkcH7h_sd{kl%$mESeoVyns!_*P=%jy}(WW>9N7MZ!EAz zPcpW22fMsTTFa`Lk5@SW> z@PzNthXTCPJ2%@qwiI~s#fR+nJh>Uy2ZhFo>WHFPllE72|5qEVaVKtZ+1)r&La{P_ zZx@d0E&`ltM2}s-)sm3V>W&D?{LGev?cuEkuyP&U=r*{9%>@!x0z8d_jE_;6GZl{F zj)D}u;n)jr>x3p#pdQWtU>mJkGvy`0za!KzgB6*LOZrioW1`LjG3C6v1l{`nwVJhB z!(c_;TVQMIG5h=NiL$;la(&|_oyDVa++NhHw=k)G6223E)Y9-0N=62Qgj96HEI;2} z{L_wdUk^-E;eY1-M31Ele|>b5K8-zO!~tw9xelTgmw0mz=)lHz^l{BJ*-T>7QK6JMsu>Oi~Z5zU8t*`+7Qqy9d^TE!?fdkL+{yer)P<28Vkd@|w0FQ~C; z`w7FvWJAb5ffoDLh^-|eaoBQ5F<~rXir&BffDAIYz<&D)^{u|5*B7R5Ki*`%iiv0C z?!qipkNzFLm#P;r<}(jtSHB%wLh;+ho zMwO)H3?3px{&8?SZPxg^HdYPloNE{L?M_%xlpbQiFcz`(9C!P0;R$J`Vh@twcEYZ( zaX&aJ1HOWE_;0v8PzmPXjAR{;ZgFfzjwlgwFK_HTq34{pQKn0 zk#omd;oB#_h%PgF{fBlW${b5{z4c30j73Kg*g8=bTI^?Cfu7>U3*Szq z26Gr{ISi(*f_x+n)dmY2 zcupKr0oA0x$eZ{aARTyn?)sLvZC96OD`$$#7YFrOva$8THAw)UYH7q|i>Xne@G?x~ zyQBY?F6TdBcRfF}uC*x-=^s4XR+FMP zAckTV#fZ>n1P2Tlo+KvosWc;M{nT*>8cs00X>+Q-mUbn=>&ks4(4k zBT+M`?<9yusMj+6kGBBh@h< z6Uhep!hb|m`=LmcxW-uX$*mHps85l)vT!;cZeXDDbViqxe*X~gF9f5Bg2!;|u>tfz z22)b3=|hcmYce3+e){o1}!3PU=RPq-gmKisqa$#|tfia#pcg@th}8&HGkX6PGXYzS`VFR#V(R%pOQ-0D_Gu;N+c 
zTD`+9a!I??8JNa1({<5`e|{_bKyXz%#k=s@O6)8op?5WibGcL!vkIW8Gv9aDs<J^Cj)BS*dM+y>MH9iA)H%@ zE4M9rnBXX}MFUuiO%YMoMLUW=Rb8pnG`l>#y?>zFAUp_}_CP=$*FTel3KUWrI24v_ zokQ0_M)fNkirN$#z~Rz%_Hc?IN>2g_Q{Q|M4kHRh;xkwm-5ai0ELYjMA8_f!7w&}9 z)b|Ux2!B1Co|+Hr$)Nq_x3&RLH-LBU>g#a6%+PhHYO#UKVyH;h?4M7D?bfEoyVVD0 zm5b95kxF5nlY>$6wvO+sK@g5C?xbB4@;=dW?5OK3+!a~NVNhqIir?lcGfA$>o$3uC zEqhtG5E(H(jN>U`OZJ{zitzT6ms_a==tXlwtbYnx!A2h&iU~%5Cs!rjBEZ)_`xjVu z`p7*SHlgD;>aydIrY>^6F&x-sa@t0{Cg(einy8L;8XE0hykaBjLH|e}WL+@A z^NX1F^_Vfk3GrGJmm>f2FbA;a7&v@@S-x4p=DM*q1ZD=r#SfMN2K*dWMd}2xQTjMq z2p~D3tWs6V;+*(S<_pOmu9+(7e+PcKPdCF{sDbp320nyk4zvbv0HShX$&}#yPiWPjH;`MAC^n zfZ~j6g3RyW=97oFjUr0`9?SiHKPg^Cbz_LFQ9Iies5Uf*7~USkEDiFp;aH(7|@z`O(D`g#4y9y)tk~Rqx5^ zDO%6PaeV=hmp$J+|IdG+^i(^O#FRzN8H3+f=(CXTLKX|N?u&RA9+?h1Ik3X^tKx%nMvQJwPM5zv!HeY5sje?dG+YcV)@ArJ+q>Xf^-5@_ygGdX-<5KY zs1Dq+(2N02w-?Wtb9mUepqxEgJ9A+tasuANeuf@5DE`;G4zk~~h#O6Hf#L6wPP|6A zV08~Z^`O^VT$yqVd}T#V0DK@W{w@c!1eR~!T&dUT9CoQ~O?J=)02CRR5f#hN9`0fJ zF7xLdP$=buiq%c}6Nw%l%@ZJbLU-^Y^&>xZ$3j+zluDSr7?0Qm@*~FueK8(D)aaHK z4W>r&)Vx=;H2TLt?&8K&Cqi323+=0Zm-urbG@a%yYqMS!1}9{K5*LX160t?^339CX zSj&!ZIj9wSi8aK>KPKneLwdk#J@2ATdp)wf7CT&HYLecVKuTDXNO(!(tM%;`g%1i@ zm$EhOEkqHO%DqK}yZYPTH#n3RG!1pvv8vZy(%}G$0c_T=a>gTMrJ^O!_`2w z<{I=Zy2lQ2kHrNJFlvD%AMf)n)CHhwlbk$dm(Q$nbL{6%?wa1Qay&eRc*v`o8ZtY-jKHeF+nyZaj*rr{b(Qsbf>*o zh#t<9TaWb%8pBBM^%D3|$5hXW;?wO_z-3xzACveNId&Zrgl-tmrU z{&(9gu^fib;Nsq0ctYshaT$K=XPgG8%*++l1Dj|}HBp;+=wJvV<^cM{q@f!DE$q%u zY?7HWpMLehk3oKmUSjTUMoTOX{jg5U6mBw#M$4HKDvN0TUM9*@Q|$+P5a*Zu>An>X zQM$H$TPA|5C|cO)Gl@wn7gcwZ)A~{9voLbYyUDx9iRf`T5;{N&4C3iGT@Feous56B zk`FO${f)U^3Y3%4fAz!V%x`UUW0N^TanX8?bvA77q$hY=3#2$2G5ZaTY@{Jx7t#5H z3)EE2mMvHm=03Tu^OhT5bP#3v@@?veT7B8+{)Z)vDgl1v6Rp^`4+~&gldvPCc*}ZL zJZz7S*#>CExKK3Bw@c;jzu+SRfzm$gI2D`ejFMv?s}#PfoXFri#|KVbFN$ji3j2k# z3x~s1wUZK2Ldyk-$c?HGR~nOpmXP%f-J*xU?x7Ha91`O;O4z;kn^U2k1@DT??q`9I z>25WA{@Wl7$W97a9(HHT{`GZ(@?Go4gMhAmOk5lCWlsWy(IZ|m1$ZY2x{80rb#vM` z`BrpEhdib}N((Wji*NvO!_mc)tj)rxPfB8&?Dz(m~>7h)BNBS?E7 
z-h-%dEk5bxh?R$a;ciHs)}=Psyk@?l+PCC}9yV@E3J01W7 zU^Xb$O!f(vq*57!z}WQA)xM=OmsK2K4a9VIV%bLGp@}EqPXUu~o97$oN~Q7ttF70E z_#BK487S~5Xc+4|Y-Kr6SY?NzSJAP{{QWuTEL!)GW&1=fLE!+-WeLw7T^KkZ!%1^j zhk<-VqO_(4IB*p(SF>M&uWGX;0VDe)kOidf6=9H=I=pt|$j7!1A7Z#$O?U)>#cWRcdUpn*h!1u)E&6qr(4 z;!1g!c!H+V{HUAqnoK{S^7*qNsPcq`KelII(h{puMWk&rcof%Pl}^78u~|ETVo% zQkbi*Mm}~TuaWOAop`C1=oSqBzFV4Koh$+qwsJ~U5$Hq5CAiq0;SQW%mOk7%-Y1~l z<&~2qbp7CT90(D5riKd)5k_Lc@Rzvap+rLvZqD92n7VzWJJ$a$IYb-<$;>A9;aQrXLM~Sn0e?#T};k^)USG9$>bLH&vvUAAxS{||fPKClr z8-AZ+6B&eJPPNoz&*&4vmXWc*CkndUPxqW?(4ltMs&6CGgoGXYp2B1kd6;{|pLXOz z^;FlOQ*li(mEhnwY@n0yDPxva9;&?VA@5vrKwRd`O&I0;4KvWEB}1&9PFmkPdEayb zZ5Sm@sRhI0l61+axqCiK`9#FO57WH0tiEA>PEM>AAc)C6Bc|*<))x2GBH_j{?*0g34Qe5o^S(bxpWgWS!nSk*uKDvy4uX)1^uFX^s=^x`>4XHcFYHk zN_VvrP%9B%c3twRq-y^o)J7O6+_0%bV@ofyW6(3yl?%_~O6kF6;ImBCnrHTML8$G80+*pQK;tS@b6X--du%Qr9z~EYqGt7yix9D(0q2lUVk7sTVyIm?! zk|^8nh6TYVC%@=$`r2U-cix_S?*Pi+fTkokO8FA%UB(tb9XG_kKDnIW8wR35iM5}w zz}eb>8bxj>toM6g57dJ8doG<|WgHmimlJ&}>28KY$ymE}moEx6=)a=>&OpEz(n}>B zmnNg3&P%=9tA)~toHbV}>FD?Lk9^?9vOY{{2m(YUy{{yT8Mw6Of3r1k|1(>{hS-_J zvC!onqL61ke$GVwQ{QNt%m+g0kBNp8^7;$8eblnFV(6mXps2GgHtGhRi?G71m}|mY z<>Sb8<+#}%tNw5jSs-p~;Tt?H0zJC(kwrr*$92qIC^7JsF4fQkVvm=p3Nj5L{slcW z9gs2+V0>o2F>@~*5wKB-0n+5_iJjXpt?*PX@j5uwRWV3lZ4qYGy5NyU>6!-BwRaqE z@4wOOvL$0;^uJs~^-#FQr(U)$rr}&p>aX9we(--lUgP_Ra0Aa)kZJ$pS}!9~rl`$+ zOvF31wq@lWmMSihM1rGXXfA7tH<8%{W8z9M23j*Ei^{(bV}R`*^}^4|{lvAJ$C%K8 z+vb64&lgrV%JFdaofG+v0#jSYGN>H0{vgO$% z&ZOYhj`X}A-rWN81RL=_@qL4oMnTVn)=%pU&9CbES!!YUk_sk8(B=w|2bILvBVNqg z$H!lf%eF%1kqu*V?X0MLxI93)@1`2+$aisH$MQgTNhNe*5tQ4cg?f9PS?|Uqz3FkQOOvu>xOHZHaoVzE5WP1?&&G zDlT~ayt(HMi9y?%V_jjX=lHZvXK2TrBx~l03k84-bNw08k>4<7%*W1Y(CK5cOtMIZ zBT-(!$R>u_?q!D~fbK+_N_0s{JT;*r#$;PudbS1=E^KDbp}BA|jX00gi4L$@Ew|m! 
zpMA^FWENoc9ZT&HMaG5A33(CAq0OQViU~$9oc49>_1bOhhO0PmY{E-Y&}$|^xHUj+M1R!ZM!Z{vhjtSL2o(56guiBJpuPN zBuf~0zEHnNDI8vsJ=l&(LgvCJ8vYR1FUfZ3Cz^v-CrB4ic=MU-xt9llhL1NEA4oOa zXKJ>-M`<=H;zo3p1d!T5w{Vb_{+J#m2Eu2rq8ChBMoBfKidl3twHAi}B-T#>(wRP}}1JX`nv{u7d9 zKmQP-^b>6;%@|`F;zrk`MZm9WPpEoB&TAW)sEu*I(4~jsA<1sh*Ax6^z7rBn%dtRo ztC-QNFStp3ytb&Q0H8B1+m5^qTw_C!%_#c20b=OlT3k3+%@>}(H0u;_X|M@5F+yup z7vA{@1C(u(r|m>o1(n#VLoa&eL{U~4Mx@K!_73+0HFWNYAZDU0Ynxe96W)ckDY9gv zw7m2#m7n@4i312za1hmL^^;I}z@*?0D4{2~<9z%3_7e@vZOGi9pklfT=V(Cto@4x~ zFXo<9Io(I-?GtQ#NH2v@LW}soN{tMFq-i&I8+3k{v5(gPNoUVV+1z~d z>O`D|t)H}~lH!sF=sGFFR$`5^wM4nd!r$* z&sH>%K_&<gHoSkfe zW;**rv|?OSQ%h}t*2_!S1bOs@v1!a=0=Qdbn(7@TpzU?kyH9;AWo#`nU|$8Uq*J_U zuCk&n;&jkwuf%(aiWTiQPFteJ&8ZY6eSyItsAsCVob=+{d6_CeSXhB&ZnJ~a z?|`5gJnX9Oe6T$smdMC`0wpORuwB*NU-PcyXT8NGhY;GdsnbF(js-BiOuNi*ob5*W76=A0YVC?chQ!gdgiO(=YxW+VBhsI(eLc{J?Vgg|ZfOv^8b zG(?UzYo6W#o044`6$q}T?#xM)q*xPJzDwb3o;;M}O(*F_(_Euw&Jn3-nEIfHAU6Cw zzt>Uq6D!fP=qhN>EUQqH zlS*dv-LRkq(=(UOl+C*$IlUgEtligaJFthOMDSSVGHrg-=8@Bn63&YC5g4HtE| z*<_fl`4=Ay7;LAr}{*)bYw-oq*{RsLCU1$1&Z5{f;5zFIj%WqX$7#28lKf|Ki24wfUEXI|v> zX>aPG83>oG9bl_flmv0tA5axb64{g-gH=tGe&9~%>y{1l+{c2m7B(BH={e*kqeSZO zx15}p_{I0)wwU$i%uQ6SYS8<8Z^*!cmGSRQZw7O zjv9%jYUxYq2-$!lgM@n3+slDWoewx-oD@fE+ZmuQRL-f;^Z5?eCXAHiXpY8>Jj1zg68xpv zt#UDwvufr_@(S~P*lk7~Dm0{IGs$sJI#gz8c~g^oWnsk^mj?CGa@WE+AGu{58&tu2 zJu3KF$0eot6_n6 zEPiXS6$V~7@uc&pnK5tv%i&$nZ|7a9t|i?=SCgI%(Xw33JDweDEX$f&!P%pfnPC&j zg-N}cf;TwQ<~S-3Q8&3`Yk;o_rj4dgV#%kVNH&pzA?+FdYZ{` z&@JY<6P0vMC5x)#9Z}(3wQ#T$nS8Rxg{DjX&bz*KJ!rFDQ85_!2X(*ta5+r_M-U_M zS)csG?U9mERd%e=WmvbVIB};4jRMWiGntbAzcvI&dv$cPEte@62a0QG2K9{deyQo zqWB~l@X$Uf?K6l2kf_K=Qj|NV5T1}^YHpF&0GHvyD956798J=du24ft@QSyD@ZI_D zi!AvEgoE&|Duy%5?fH%3v$U+s3WjxL(w^r?qB@hNb);7fx}su5SAptPk0a8AlH<)q z)}+A~K7R~~p5h{HU6jPAQ}IsvG1wd9lBTm=Ej_2B@hm&C`KlSF`;0x4Wdd-u41`)X zWwR>LeV_Joe>f3knT<>}r6z>A5`pR*R2@Py)Kel)fhb(Uiy*!+@PPEfl)aAuz7F>N zWKN&NH9!;MBk;$H3i@~Z!`O$5#i{vG(hSGPg1yI<7D_SSAoYbOIX0;g#x!dh%0%5p 
zY0j$JIY*P24|4wc${5+wl!=d_;)nTk1Jf+S9xF0jkw)pVRa9M0!D~HIY8R-}K8Uu! zo0816sm@95(TRTeiJ{|QO$t(9jkn5b)q*!l?Vd}iK5NwnS!)L8s6_*=NMq?fj+4@7 zy{t;wgS4t2n-oaXJ;=Q7SwVd_CfxY%`4f#IFgjVTETSO>m#rsAIg)YaeEwM{Wt@Z6 zveTK2AD#~%{Dok9z~ZS=w4%p$p!q!sj%vbkV)Bu|6MWUpo%J8FoP1&nTz6PKTQ4~P zDCvYQ2hSKW`_nL8VTzD&ezE1n66DHY3WH1P97{Pu-9$%UzTIDoZR zcAh5muE;FjCypGWOPTeFCFm!SJ#XyD+|{EyYs{N&(XTA~o zoL#5U6Ri;AAfma9b~Z>!g|FZ`YnEWZMBb(@Xd~||R?nAh2U}n|(-7N-!BUV@BF>Cf zb;HJMGPaWN70ql}S`UUDsPl|NYY0Kf531o?vISztuEB8)N8&xbKJE6eRFO^OJZI#* zBGHiwCFuJuT~IE+J;0a6${|NBD0X47g!B;+JpTp4XDKNjigAdwyhL= zI1$VO+n&#q@j`#hh0APVG%38ImL6cI@}X6v004wYHEP^Z+ub?cR-H&k2`tPRBA+F( z-d+_b^hyPX7Xj`0DG{RMiNQfHvr)FGS;;;~jl-^FG+9NV8u09&I;sTHc<0aJ>+yA8 zeIDM->+46;96Qog{}{kSAvm2wk0djc&L&HSqiz{hb4F2^*{um%&&>tmgvZ+s;DyrT zRq*;ZIUiD@GGs$N&&g@*e{=Zo*6wVt%+EJ}4n%$abAL+-eU_7|n5VX<6*E2Sr zEL_o8k~*Q}E|FuzRymPlyF8hSWMxYouCkW&o*vJZc&&S2(MV0!S{hj-%71zZse!t_q=0)jKwoHcu4H#oPR>=4X2N6jEn3R*=S?ilB3 z%}*MD5HGh!GNmw)<_2H588`8Kx)c0iY^I&ds~nwz(d@U+HLqzoSVv{N5cX$>1Yq_? zd{W=)`24rTbFGjlOt_=E;v;qGOXkle#UaQ#pvXxvgBtqHluug z2!KjP)k~W}g2OJTBP>Q4ft>4cSRYdANv#WTSinKO4NsUe@E=YfFBzrIs1?oHD~);1 zfH>bs%znUNtP6XHW;Sr!J2HlI(*K&B=3NB1M7j>$FP>A$-ctvAQks(P83M?vOY%V* zQg0dJM)gJJ^6Se`pZSu6#1S%rTwr5cH3+~=>4!T>x6j8tbsGrn>=c>H6y-(Yq(||8 z@~EAbrsCGhE{rt5sSmj!MP!ui-3FYc1NBT4`0eTbBnfdJlC)-XkU2z#ro+q!<;}E$ zmUqCcdJdbFZuA~n=Efb&9ZvYdpYAoyVPys^0X@B&H#jPl$j>k>SV6W@Gnunakg`K{ zQRar^q%rq$a#FL`wAdvy=eL1%==qsCAzyp)6e`IQ@W?G+kWhQ)1+xkp7;BB17xO~Y z1?PQ%aXHE^X-3Pk3oB9XYSwhM5ZRnN?70|i#Vj8gXT3;^Vsbd7LeN_I=yJx%tLdF~7Qmdqk-9-VO*DPP$KqOo&=qg`Yzh~>Z zXYm1Ee@*4V;7-QKU_spQHUoiLnPLiAvdSc`h5c2On}r{93>!E>9F7mI~!aFoR%+>M2aGGj9g z>PqKCV`0@Yk^zbwzS?o?ENNd}US8~xBDTV};c`Bm*kF#&w3NsnD!VbK!cGo`9SkFB za2?*qM&Jlaf{%*zK(e6#kj`fR>#im@9ujo5o5w=v{HY#n1R36Ruo^iPs6#;Jg!yPW zyqc*-$toKtMISgRg|OX%ejyqx&Cd&S-(e?JTsy+&?9f?W2|M3KbT<2k$7iav)`PX5 zpBf-K94BuEm1Y~W%^JbeNkUHr!6lM#$ zUkt_1$XaaQu%aVtkF~Hpso9jn2|@RX;JjuKjPtP-YBs@S8d@WhC*XiFB%#kH&ECa3 
z77f#8R+bu~n}s=9855sOj}@h^em#Q;VDpudn2}#c%s|{9s$XGon!0%(Fhu0|f8$hFdR)<1rqe#X*uSkxeu=ZYNF!kXi#Lr&;ei;T6zFkIesoZ@Cn_I{+IE$3@GmLYtX*+a_OZpm|E0$lz1 zxgagil5x?K1*setA1(}Z#|A=9XzOBg8BRfFBx&NpjF~-Io#K*GF>=DpAA?vp8DR9! zC*HOt*{D)#cI0$oT%D|fi;zrvVXj5G%blz_sH37u&)HC4HOuGKtvZ^$N)n~;=IBwZ zg}_jr=&S?W_UO|SGMn8XX|3L#Tun1Z=<^AdoGZ9#=PGf9_!2#9pB|_a3hRVb5h_{E z9SZESgjA#nCBLGm;?4FnL{M!V*2zy@tJjswC7CPRdp;PdWEp>RmOz`AyAG z6;Qm3;ggnv7$*rh5vtioVHYepU*(A1qVuxu0!N+DgYOEtH1@8P;91P3tAVNsk^Ez%+zNWPd6ok0@wg0Lu@c66>~ zMK+_>Maf9f+M_C1si@|LqTcVR9xe>Vm9d6X?!h4O#xla5RS98%C~@2vBO*O3=zby; zLa;d3h;DfNBxHn(7Uwe~jf-SzW)KpQ?Vrct;yV#yr^2%SJm`WtM7{XTNJ|2Xh=3PH z46*Bcz}ahH5M+ab8nDvUsyX85xFO~f`A6`48KGv>vTR{g&+Y+dNR^l!r<)Es_C;R- zIPR4Uh>(}5$`j7DM+J*nLiHEiBb1PN#f`G0T;AxXW8s$$Xr0iuZHUG~urjh(O4gxM zW`>@~Z0B$>THP^{%&{6Iytw%5f^@FYcBpB(Yjs9$^2>%b_@x%lTpVHS091 zlMY3iC8;LEmHy%*lQCb2ksy4$zMq9bHDd!sgLH)1&4Sg+cHT*XZCjz9xMSCl$xs|Q z*wph`BM)?3;d4>_5;MOG3RSyI>L3^ruQ zcsI0g|6g25vZo_!Q6$#X5O$DFg%Eyn4RGeX^@Q75`n@8r&9ooLTse2Q~NGF)(! z(`8&2m3-6+Unmkj=NIqme11LjL+Rc1Ce}9lF`G zS6}nwqA=Q5Y1IjK0dK`8c_%=$$<-3A22W8o6y(aDxfHx>8IkoK<>ri`16+(jNW;)6 zoP0?UmhNccJ!`KOFK39iib{)ZGcLSiu#%;pEzmV_=B}*j5TScTr zI-G-ZR`1vQHO7P21U= zVB01gb~zJjz`ez3Z^Rf147+CwSvXn)9L1dE&0>^T(<(1;Zcp^R2Ft7lopWRpQriS| zHWONj|AW$YtQ0Ftdd?Y!MGGAfL+{F?gC_f?kj6^=dBa4>p7sx^8w|A6ZGKUG#Y@Qf zv}6=?oTqMKt;jTFH|V)TL}bq**pYccHe&1+x*lth(ZvkG21AqQ4UT;wvqoSLkfcM+ zLVCG|BJ&jqLyFR4`P50L&yQ;th7#VfjMCQtJA@n)L;JFrVX|aVMu}cDWCI3g78{mH zYj-BCJ;%Bn1l~1VLnMiz86^BgfpK!5sDK666`Q3{=HRk$nb%H0k;pGOx^GEUr zgeeqNk(M8YwgX!j%_fiY>f2pwvLZz>ySWEpY+5N)Y;#R)gy%UOg8M>V-&nolBhfnT z=B5XB?9u4-M<7i=u)>IFf^)IBA`5e6lcPIo7or7Yb+D&T{xmK58owIOKesd*Zx66G-2Q zy@Dfjb{xX75oJ70<@9k%G+&gy9^*AL4`^&n*9 z8oK%M+JK8GNx~h=xL#;HW<65ZOD!Bbh-fdaMI%txmr$H^8fjO;Ji#VLl0e$e5^8Zs z!;-^l*n&=l;hza6(73b>Ch}*uPU8w-*3NrmIGUKZlzPx%lnAE6Lnp^DANxsl1Y>4u za1v&3EQ}uEK+#EDjGq#7f>3N;^@7PS+N0`3A;u}U^ZGbyoTy8rrC5%gVroh6{EW$U z>MLcV?kDl6hu!BFk zd3K>hWa>wPro^9;RW@$TjC(E+ETKRcR7|bkzuTik#Fz;!&ob+{2 
z8`&bO+O(frqR-EF^FfI=NYpb;oHs($d|4^RV@=F@M#9;k&qURxa-$v!qD<-}pBBbV z?j9a?7^W|6o}6|4U>5r7z~8`eU$bWqj)S80frfrzbhpyTYkybR&Oub5tSM=g8f zL)4*f!p;kUkf~V>Q3Biroq`vUpK-kO+$K-Rtj=XniIS3&D%!2Uxrwu1YbPM+Cm4QT zT#KdtH70Z>32IZzrJF0P$yT}yDUUTPsGMW2MNZ~Ta)oA7xslt{k8zZCmx8s6!a-+L z#3oaijRuoP-F2qBc7V)V5o8BQ4#t{nl!ZvX6r{ezg*I+y$G9;i#ZV6V+~|gX!M#5;7=9cm*G$NcRAVtiM+%Gy#>hA4Gzvx)H{!=mXIa#& zs}%$vw44q*HWC$P=2>1`qCVDaUk6TnL6yQ;OR4(mQWBld)D|wRH6H^f9beQ$zVdd` zY_2yD?zLsnR)b7}feOZ1-xTyHc@6hbLvSL_6;ekEPKr1V{lX2L4J}0c^Y(IoNG|JZ zvYDSjJ=cb)u0qI6H~H~SrKs64>q1^8?#x!3CWA_=S!uAES*tpFES2RfuWe49kuPpb z@tIsmh4XhjG7#W+WGy_FOrBFcnMft!MCrR#nwRuF^R-V)B5TwvOr9%vP1Z1k9$Xz{ z)+N6?Obe4y;P46b571)N6sS*8kiz0$DlZgeC3CXr0(1Vu8GH>=X0YbEAX}#{H?1U# z^Ej=Fo?LAD!GeigpuLrY%)wV4c^ISi?|ikJWf>`5njg(#9R`)|kEoc>=1#3dQAe^^ zS~JZkpS)$rTLzbp7^n95@K}I9mlJcc=^1)>dYt?q)e!;Ld&V`2E2PpAMk@30r0WlfN8FU>n4M;`(h6i5yf#GtoDuMXQCDke#mTjuWLAA!UN{ID+_I zOdGsWzDWiN{ntN!3Fpdboao2&*+^mja^~_MKlZnu`S1U6KjHFHZhh__jH!Fp3Rrvd z=hIj(68NJEefWx79M(I^KmYZgV)rbn)5r7U=M&%U()-8$W1GT<{NtDR^003@_Ew+O zTS@(LR$_-vQ3#%b8Bxt}=?KNo&~^S$nzzGS-=E3PP`Y4gi_gblL<+$_y&Q+)<>g$R zUtg%-9rMexi*PvfWta7AsJmma{5k(zhm&|Xp1{?#^6icK{h~}Szc}J&uR;t@#fN>U z57h5fT>TUD@Kk;b&Bx1!u1U}%UmDv@iosFQ6U`mjIC12K^;kBV#Yw@*}Qq^xW>gdh_bMOtWV8X*$m_^7^nZ> zQMrDD%K`P-k~lVK(CuIUsjcn*`mg^Y&C7rFVj}l8hTljc{hR5<=)7Y>{`DXB052fP z3kU#Y;wEMO(-9CoD+=VW{q>*SYx?|{KBP}ifBPA@2LAfb|Nh^9`+uFj{TXin6yf{p zKXPc>FhCCJ?gjqdzot)*zXQtKKE|rB9rCGA3GdsY>7TD=e}KQ!@awS(1niGp3=E$M zA1+tH0)|7ne|$?1>B~b56oX0Nma=|OUen#vBS3k5i3A172wqTNhdw{So7p{vhmz$T z^4NR;JfyqBTW|n{OlQYGPhZCaybm}d03yQPC`{sb9b>D%K?@=mEywdKzLV!e1T^}n zzli|9HC(%0jOADa0Q=z$UdS$eecj^mcsidSz+&$9yA9VL?yv~v0pc0cBjMv8Y0htq z!rMmApB%`2_$vcvs~Lt>F?WfVIABYEmu3FjiadkCeh!YN5wcK;8B8r4sgPb6+?tQD zHDALo%PJt_4uSOuzeAcqrrqDOBi|j*eR%5#QAOc#cfWvbNFx~Mw(W4_?sv)M2?FpO z_6Jyi{ZslJ-axfh4Bu7L{&5)gQGA9@Wy_}F$vyowyj#8WblCHwRr>$`#cyvN{OEo7 zYgtwUN`!V=oxbB6d}EvsX@uAB598(}MQ{?XeQq_f`~KOt^38^L2)`HoLEKDIjEym7 zW36LtYLv3<*|&-537)q%xS#NZK7@ZYy+|+5annn`X;1iWVV-^gkSDh!FX1=JIwY6V 
zyG!@G@BtS<$+G-gj^N)?5|5ZJ+P#Lqzq}#f&VaunggAZ>MgsPni>BLcMfPpqr8ifUrPlo|NO3@=9^pg0Rqs+D66st&FEK_%1yZAr$t6FtJz>+%5ponJOLlE@i2!taxAgFH!90YBUqaFwW(&8qp;}gI)9R zJ6_lm*!ex?bKYXVG(SAo3>*CY7{%mazjF5Ngs<~gU5bn3l3*VAA&n4gdn35Ml-CHW(3>mMX`j~3 z`$8G(j~G0B2Cn~fg#!7llEj~ttiv9wN8ugEA-M=@FJH+|=$Sn3!$Yuj%7ni3E&RPT z;#(9k!f$^V*C6vTyaihW!WCF|5nRPJATX|rv=UAmC7GMr{x_fXAxf@(1&EvF48Jpv zz7_9@n-QU2a7=EYjGwhQq%Sd0NVcNTjX~yi819LWr||v-&Olmt{$*3{(zoze>B*oj zXs$&+4$!JT%-GHFPyK)iqWuG0sgKW?7mHBs%rYEcyzdjo)Jui3m!8F?(|dVQuw%nx z;+A1_uw3WaKRl)TCkT5Vp0OGn9EiwTftub7T~TATYpCtu|M~o8YQZ;&tMK)=Oh_hk z{!e{?@AmNSA-I9RJl`d+mh&=jjKiNJUkKBXcC&T31#kQC1Z9J)XpX`k(OU55 z=a(BlVTCyxWOI8P^YCs^o_4G+zm-}1&OhJ11$WSMmhrZATDw}orC+o2cm0L`M6*vH zgWn_T!CWnR_;?lxC9W%m>)EOE-`I65hlH=@Ixt{4FcDRX);i7Ue{>CgUk}-bH);rH zY^%UlFCi`|ufM0MRqe`rSi{|E`qOyfsO& zaDFD_%0u|q0|&TNI{&U2|C^VSK8L@T{Se&l2jW^?eF=YRYdEbL|F*aO z+uG{xDg0i*d5X8R$Re-xB~nng0>;f}#^5$G5D$K3TnPUd$@6Um_c02FLF1?}kKoez zhf#K>4}_`HzJCbsGq-S^iaaekcqe@;IK;cj2U{rq+|76RYwa6Ai-vqmbBAx7$?^H% zh2<+N>*$feAr4Q^9szkXGM^vgI6zM0u@|3@-zg1zll_O~h!AkDKyh)AUm`7q=0_Aw zs&)OX{?+%5J#nyn-{$+LN!dLkyC6NlqJ$@4{shG#!a?yvF%~WNG4dfR5ri-1dn33M z#~#wR2o`h&2G=9J;lXge*PFXd_S>PjZiw*pxfKY|NIk^pZ&|-7cj0r#>v!dbr}O$U ze#7B>+U&ZxV|e=w_F)&k^7xaBGeTNv{hrwFcwUdj<8Sa{B2ZX=fFeS$>%=eza2Jv6H~V`yy(hLP=s$K`w5EhMDo=aSByOJ z+9*6c!|z8M^EV{PHuWM#Pv&X6tLus(yrSSw!tn4Ci$4f=-Znd*e=NoJ-tDhgi09v6 zskXZ{rb+Awbh*{$GCV2z2Pbs9Y~3Bib~%x2yc1rg=qGmSb=!3QrKYf5BKuZc2`}!k z`V!yH(Vra7?P}1sb=a=hci)mR$USR8Z0bWeBei`oVHbhGymmism$JQG7U3nK*1w4j zL#=yxYx~Xc3rae_AYr`Q&auDk$X{?>9)7_!v0c4&k}3_a)V3Z(49e+hk9zy-D!g#g zYO>U39^9m&wYl@OVSe?q%vMDM0nZXpS+6gir)8-fBTDb|FFFa6G10*Js;&)6b-h#Ixk$1U*Oqq znIXP|h|rb0@?~t;nsZ-<2pzdUs4H&oQ^wGcS)Zs5KXYUCLTp#|pL%n@fy=qut|eny zU){7lX1u_EMGfZ{Sjz~KG^^jmFQ94dB4|3TP8a_Q3-PddD`O00kM-wb^P1XrRG7&s zY)@x>+&(|Jao^l%pf=CU?ZQu@_`x##2HWr(7Gk@5dm8<3$U?cZn>PzECM&UBY47e= zhnIf-0SDt3#1|WDV_XtKzal&LJA%&blBM?|!iG73n}7cc&c<##LdbMSY?rg0oQ_}7 zlCmvLX}m$hYoV_{pWEe2C;M`{aOb`d82wT$fx-`gd}CI@3XFXqmD{{{S< 
z?Jli9`1e}}y^a#Hbw>uKAU3_XE)mA&Cu6(B_5EP{f?~@4H+0Tz$Zefm-oHULXJcaN zDCP7kq=bKg53yy^`d(q%mYZ@Zcm9U+xncZ$e;dD|n6jM);Iz~D7aY(CbJBhg^ljX* zG$tdqu01l4OkNpc;*tWD1*XT3C^v%_~ay!ZMY0J{q3jup_yWG?tVx_-e zc*=GSWYf;6U$8GX?WDW39LL-bAA|TZxzZjJ4FL=~HR01`s*)m8pI*zc!?C#G5eS*r zJa4>)uIX`uj!N*9JC-{xD!P$qy~$&D3V~f zLOU&F!M+y8@Qx4;X#^D)UkKBI#1ZP@eVrJ~Dj};>^-MR)?|kkeNE>VRb>>yIupDkS z;6=DJ{KoLYa5vi#BxKQ6rXA}`<~1T3F46GpfPz_u^UF1BQ?~!|bZH{21_CKmRevOz zRwu)C!YZ5yOagj-N*ygb0{OH6FiEA3UbpEXMxVSN0(>V=Xt=^#?}8r_b}~tko60un zNeYk2?t2#lgl9zqnA9lC`o2rqpcdRMJTXrw=o#F00S?}(p6lDG@tE;`wd@aXF$R4i zBsuVfdC0f%=1+$RMMA(Ja)^kMyfBTFiL-59IfO%m+R%D5*YFjMY#cNh%Ny{6%Hds< zqV404$?r59ja4E`a4O0qwQ+s1u(j?n2)h)URsb?6p(dCB2x{N51I zygojnS&Og?-P>EQ7Vg`deUC7KvzVCDMceLNvfz0pZwU9?PWWMJ-XP$Ddv(;=sIP+B z4L6&)4_~b+x^8I!F1P9-!o;lc>BM(`drMy*qhv3Nu1{^Qq~y6Jzy2)&j^;5q3f10vhC*cRLRILVFnA4b3|3;f6=(M0-Fx0^l@FSCn8WFq zZny<+A7Zk>B%B$W>@L=votF0wI=#4eg5PpMQC^JvZ$|m_=&HoX5)Qxn2H17Be(=t5 zM<8nOfjQF@ri@zM(4)V~6PD_=(#t5`Dm#eCwc{r)M& zjH)sdCopU)5@Ju7SPp(um3b<~ml*uY=8rL`fUpg)I_S!C3p?WG%07Y%8QiD-2@s64 z!uNZWqGZ<~Sn0|WNBAzJQdCxRUV}x4>uve0JiMjh8~ovTaFb@)8QzN(xlge$MvicV z(X+FXoG;w6cgwXcj(Z|~AHGelY(?HI0GJ-w@VbM5pl6k43)XWIcZQcd@WgPppy4Z( zu805|;!-j8%NmBS4X%N4JEq~Sh32BFt$zyl=^1mV!A)nyTK0Lql#Q2zk|@amz|ew; z5Xxr>!XFKf$6vV};TaX44@V>Y6yck9{3u$#U~vB!L7S)INX+cpvu{FX7oL4~$FNii zAE{QsGjmnTjN#_x<;63}65JY9t;$%N3oE|3q+PlD4e=cOsvcnoSq#Q%!4@{=)i{UW zl;!~w0X}}*^v({yFZ^+gk=HJQO7BV#uW@cED`Wz3XaP}R!^gaYUphI4D5*m;vQ_-h zOj$h<-q0Y5g*fn9Rd@+*Icg>wrJCi+~mZzk|UaAieAD7@FaZI$JoQ6?DYxA13CybqX@ z^0}&Iribn8SB7IENFQB!6_8K z@FTozujnwb?@Xy(u04%DMR>nTbVZgN!L?M$iDhZW3&9fnKfTihyYQq(e7-#xQll(+Ej?Zxu)<5QzFYp;<3mzIE16;4F$J)!h3;coIAw9Sb>G10_92X>7CaKNv0~%UZm}S|Xks%#^?waS*U0f30 z7jBtm5JF1RvZXZHv;Z62l&rupDN9Eft+WEj%{dP53$;l1yqkrz`}8^+5uD_fS1dm# zp-otDkATMMPZ2zfo#x^3iISh#GDXWdk>RsOtuU~wn{0uhc+*{oAba2m;g(Abe-HaE z!ohKvV~EG#ZcOts?TR$Za;GvhG#>8bE_{Z}K~a_^eN!bxn;LN8Y{K#!6C)&z^xowi z{u%&KwjR1Ht%r6HOQJ2;7ZpCt!OnL_PkK)IkeuK@l0Ce*gm)P)777AaRFC10(7!-+ 
z(Jcrci?yl}GHsY;n9~zpLP+5oBK=WJ`xL^bSVtTtuSI4oU*NP|8QHrSEux)Ix7W1u zEqu>-$MU9AgS4(Q)C}NPW)&+zOk{HNv8t&3zw{)xXOWaZH&Hxcp*@4onGM_%L8r{HGSmF+JsBv=>2HOicM zzoyqnfHG#ly_FoE$FWrHnF-oOh~P&+?b)D9v$RK|RO~$wOf+I*VK67w=dH4}S2s+A ze&aPTCTZGzcp}i+1##~seD7e#bRWhe#;z=C-ukLU-YfIrre-IP7 znFt}aH;fwxd>6bn-JKI7EQf!z@LTEU`D+QrLxeuql_;(vhM{4|#MGiEPseRrhL>-Y zd@z>jG!qNoe#~!g^ZZGmz6*XZB|p`w_l|-h%%lVaCY7SJ9KH4FClsthXa+X$I z#n^dBi?fhbCUoIfJK4n;`S35HP2!c;IA>2QWplP$@ggTRjo^;L4DW#cvH+wjf4fdGyYu9226trdeOWlT0pyzD>5 zEQKGFsCq8*!X#zp$pE-Diihv4Q)Vzj$2}&|P6~?QC4N`HxTh?`6R`bZ+~`bOzLHxz zM}#E0I;&b)-kO$~Bd?hE*r4!C=N~|EiT$VGDeaX=?)@Dv!HrrE_jSQ5&W!OW#2>>$5c@*C)xE;K`$PNUogb@TrH@E85 z!Z3a}P56e=zCIg~n-gnWRxjrSoHH1neb)=iWHpF2#LbSpG!ekqF&~Z=ljVSGqt+mW1`fkM^)X;6%ajwT0DKuDf&} zJQ~ov6-Kp#6$(OF>C;l;h*seVvzqq`eSO#?Of0(9Xv~9`W;H)Cq`{V&e+*paXS&^Q z+Sw7_bJHlmh+|oO#xy-dSq?7*le;y14}-?Y%g^HpUkTMmomyT=hT-~RtmkY+cwXd+ zaj?^PFZgye2d8n^a*g_~E5^BuEvdoH#lOIV6qoR1s6PP}18d=><;{9%;oJHFnjLhe zR$#d%lf#!J4a<{~^8%+a=uXltsF`4*cg)en3e57f3jw6Ryr!pTo2-v3KOCE+-NYqWULA1rPLv)D1 zsJ=q*mEV61fA>I~uQUYuy=q(7m@bFpV!Ef?!*d;ehUg}u7JdS~X_ZYx$CkP42;eRJ zS;hmr#yN|@dNp0vw?mh?4k^{8j2^-3CaZvt7y*Yu^-CG$)zBm++Uuj}YBwEk$s#m4%0Qp3P-Q5{eL?szDaxW?2yHzBG%5C$@V+ zxa6wgg@oT4{W@y>{S=26g23_Pg0G&b|qa9-_5Z9_i z1P^VT8M9{C*(Grkp8M*s?2$m2I%k?`Eqt1Vp5jdCxRgPQLRCqn7J7yz!VKZZU0#s1 zTq2JnZ-)gk?lj35ey+_04Lr)S#cq{bIW2siafD&mk$2596Zo1riBL&f0py(!X?8YzwO1333C@9-~c=&`ZKmpMLd>)AyJhu5LG`P31@;A3U% zQ240tJx7teF(+2}P&po=@RJrFKAlt_{>b_~{z|HeP$|GR)pa@y7d-pd2>NT5HQZrv zBp+WtU`rVHevSx%w`Inj-Fxw4I)(2jv00PD4YzE!CwboR4v6KtGdKvS^&4iokFX_t zAzZ18+ab7-N+UopcAv7mb7^kF2FES7S=ZG(ci@5J*&%bYm7!d4nslWB=@rKvOwe=tiu3zYy#&vFP z_;B8;wh>&W=yMmmS4N-*?$^@g7JOg2s6frW~wg50Gdxd`d(4;I=gG~#qP96-^3%Tkkc=)vn$Sph$KV@?0 z3v58Bg}2N~b2Gyz5 zHv@<{>)`L@XmFyLRjT#qjB$OK!M(i`&(e~0qCL9={xV}~7lFMEAh5|TdGFJ#Uf}xO zh-2ZkU{73pilO`P7XAu;k(@Y&$SWH8H$iYKpM!*FZ8#ZJy$%Ik%GtP7zh1}Xf4M-38_Yn>USZ&@UKCf;EwGM;O*klXuXPGxv* zfIpClv{Hm?ZkmT^tKtvmCUh4*MEDboXFE^?|HHv3*#7aw(-n*0 
ziz0@~P3jTSf?dh2#Ks0nnB?AV8a#k>a2or5E{u<+T?|fwH-xDjd5rU7I#!9Li9weU z)Nu@|4}dY55J8mqg1|9UnAg1zzFABV3%XLb7Wqgw{|yC2lDtLE;rlxO0O2{WVi%sn z)&~+ZloHxE{__Tq?W{kHga^Mh&*+%n5vSLklmg zc5Q(yF*Vb?5VF*4*#SZyEIg+;9L9^~iR2s&g~*UvLbwLEGFXI^)fB>_;N(RvCeodJ zgRxK^zBR50`V{H#Trdc#_4(e*5@}CZRcTR}v$4Eeh-5AV zoA6TQS0p%N%wzz^CkNqLYQpziIV>l``rdn#Sa^cu1%%~N!n64DYFrzx!w>9rP|mD{ zzhvR*H%xn3qQp2E#G6h=2>$CG{%TvnLd{yf|hiV}|Ff>z$&X$-A^t zS|F8;+}bXYbcplvxMhAv?3yBvWBW28nap`=Xc4H(fbcjFT2nN-dN0Wi^{J>%oYYUUqM81j&a;i*ZaFfhk3RBIG+!5}C&P`|t|bS2TV0 z`AOzJ{usX)CGJNUzUF>P>V1oIbXTCcNp8j3vEMj;iwh>k3kx#v^%|oQMc~|FjT%HyBS`W|Z>o34_b7I5KLtYPNQsRry>V|NJ zBCL%fR?#9zR{B#u(G^IyMdvq}^{`Cs9i2<60C zy%OMzL!QJ^chR*!F#L#=l|XLy@BSf*6)jQ0=)_QItM$+uaM^%3FUKFqEyur)J zMOqBaWWn7gHQd^kFOTV*6fEK(;#?+f?qjdH(#v%b!O9(I}QGO^$h($QHzDG-`%i2_Lm{%qhkZw(x;)D~88m=Cq0xs~8lw zC@W6Zr?sa=2I57pD7@637l2!nWdy}0c>ZX#O9l>*l8GDaFi!LP!j6u#@EFdvkJLT* zFQ8quX5+M%{2O35N>>~|5~1aArc}L(c)1AUC}4EpBe^t6nl1EIKaGj5 zNPAr8HIw!tGGtUcSa@?@I*Q1_iDHa9Q83fD?Cdii>MFIrH36IjWBQP*=N2VS?9MgQ zosu3gv+Fo{#dQk@RzvaZe;f1+WHauKSc8Sg^BbVc|vvi=~Z<=6c~l;fhx zlIx*Q#8Ot^PNNP#j&TYE2bg&d6^~RDRI(M4f9PBl9@9I}XXCIi_$^lWUft zO4>=-Iva{YEX{Gf+xR$H%zkjBlAeiTNo4n~W4|?$Ta_)2O27&v6Tz!ELUJF>yT|c< z4M%xD{zxW=J5H0MKa{CROq9c|!Er8}^XxU7ZXc_s&lksCbtFm%?!6p0#%UDSK(jBU zA@21iU`6p5HP4ki@>b>8N#~n7i(}I?+=iAX7qy9V3(7qkgI5&5BG88HjSu|7bj@hw~Nt;BhX?*+i1m#gnM_XMY`7j3H(OSS>x%6fdPrLB&y(_ zsym;Syr5gMD8c}32L!IzbJcP)lFs~6{*lh?3Mf}jUYy#)DkRtRM4V*v4T@)vSe$F$ z6U84bSy4gYI4?k5j4Oj`bC)Tx%oJ0fPb}A<5ZkDhw6fBmGI}7vyZjAwbi^y3sDJMv2L-; z{yM2VPPXx9crGo>aXegGrG*A>rt4Mm&U&^uk?u}ih~v%xphcax>-g?n9I_2+GO+Fd zkDx%@5BW=+!!(#$XlIqvn#z$+1pnhu)SM4>?_%>LbwDr@B?R~hnrAl@C(4=r+2UZv zJkE{27SEOY^7va`)+J{gr&(t$o{1t{6u;cUP1#7!bUkD~`LKPYNq<%_*)eq%HB(?n zJl7;bNZfwO-?#9A&`0D}`UeWfzMzX4Q%7WxfAM@1a$nu78D;$JR3i~g^ZQ^(Md*rMJ-D~yEb8C`*sn2FIt1G-Z$QiB?Q~R{EjCX2q z7yN5bnx$}yNQ=ChGH;WI9sG+`xgViq{~BSd{v6eP?*_kReh%uU;}Jeb@&#MjClib% zuMj;qN7f4Phn4>8kKfYVohGobgZb-kpNDWCCr!vbGsf0h4OQJUi{{v=ex`==l2ms{coaX=l literal 65487 
zcmV)4K+3-#iwFP!00000|IEEvkK0PNHTd4Y!uVbd%OWLeI6yxr=fRojob0q4{SYKW zWN?U}7z|Mo`o}joXz;1h;;CB~*ecvxKv_&G6tQEEYp-48Mi<=onEvbk`t<43r!Sv8 zm8MEcmh!(o%~G~e^3#h_#i#SxC#!zs(&E@xpS^s)wy zt&pcv^Y9XvS7rU&#pUYk%>8*a+P%oNhrxR~UHa!|7tgP=)x+8FFx5{{-@32`kT+fhw~pl9#$8dYWa^p&SvWEEWRp! zePl~Fy8Qic=GD*5Ru9kH72aOmE%z%LJO|JH%iy8fr`Ox^;`!Izz50C{F1^Ru^X1vu z^XwuBF2Bz%&d+Dh>O2T8&t~85hQZCvJ%9X&b}#bS^d`7E>(76Ve_6xOp57&DY6ao1 z?@2$LT`u$4Z4nkv!Sf({(u=p}$6TE))xdpy2yU)6zaMrlnm&zgZzta8(PnNHFLL<$ zQcP^=H+TQm($|R9r=$7FWtO5-@Y!&-HUFoX4mdb{v3R} zPd~G-`el`Vf4>NB2KV`0chS&4k3uk?EJN@7 za9MtST0f_|7e&FVaqsfmMbJN=m6x*_dpv)*oRt@q;Jx(UX3sZY&t~uCth_w?x|uyy zqH*&)Ih)NVmuItw^SxyM`c>XM*MIbMcJ}M?>h}59=Jvfm{#HIDchBbhD)m<5+vm4H z-B!|m{<^q+y>$l{&zEQC<@;>^qT%h??D_oHB=Xtw@AL3l|FGX*gWyp-Jmuz>GNXK$ z+&j0~#o5>EuVoy)oBsO#`eT~AD=sf?cQ1N(zCWCwM^SqI@%?u6<_yHm+x+(ZE`J{} z|1Cd1w-nw_juc==43+6vt<-6X!=<#!K@j4o0zu4^DU4E=54?oxA zA7(K4zIgw*;rw#+Z_b(h@nh)uSL^4^i{&Q%?=raa?$TMdSwH-~Qls1F(Z~DlMb3l1 z{k(p7dHx(;+<)8&#S;G`h~DG-(a?SvzL&+>kBM^a)!pNTZ~qRLT z_Prkbce?ld`{w+7=Kb92-siI)KYlL1-|_6?-6}`V-z`>LdC~0tEC?2196f!1e!iG( z&caI7?q2jao%`eA>|v{OA6~8#$=)9mPd*2)Kb`16_kO!voelhfXLc|8T|NA>e%So7 zr^UnTth@=firT+qKmF|4{;~GY&u-l7srdD?-0JF^hs})dUUXIVR}Y(6t)L%jrG3V( z%Kql*VzzpCd*A)r!}aCrd^5Xi^zyH_S@PrU;pKh*(=MB(-d~oh!*9QH(}&gd+w7zH zL;ZGn;}86`6Iajts-JNp*Y2TmP)&Fkdb z=(G3rVe|2_m^?n^e3h9=|L(({JZzrN$65H(y1L%IXr2uV`FZs8t1LgpGrydApD(|~ z=NIxR`1<^_KhFK9`06UQ`Cb3w`SbAk(q63xi_vX1y2^|9?@#+vo0ien^1)M|Z$GR4 zZTWmL`(A6amxo51z0EEvZTB!6R$}2_R2r{*zN};}jAs7sMU4s^US0*y?|NF?X5Z6r z|mX65ha+x=$G?(NAWEx%sI`OCLAd2t@3 zAKus3+efv&y&Er6acez?%#S|*9%aQZ;ukP0D;w;?1=wIEf|LE%P zUR3FT|K{rNR}{_oe{=QsFM4?||C_6S;7#^d|H0K?KiuA)-5&V4d%vVUfy=Ae?CE^= zJegGwo(K2mv**j1*~}jwA6H{GN!RS|ym*x#Ute++o(JM_`jWh_=Voub?XOQ}5-slH zx7Em5=-4i$*k3w zfA#0V+IhWr9F6r&|M6+?p>;p+o9y*#yl_SFRJ{JqzWqu@zl(f!eg69E`}F(md;Du^ z^XJ`*7WU<}y#2a1Chd=Y->%vCWAo#4=wDClhZ|;ooZbDnn{3{T#5~@)zBL$rE$&{& zulmO`&m!mNX7{4v{Av7lZCy>ivrK32W%1p5`0=ZhuZj0QzrFW2A5X9S)$jYWVEyp^ 
zc>Vn*NIzeVZqi#Xp9Y`b_bXc7J|*Y+Mc#k^y}3Gjp1w%;B3!-R-M+m%=H>M2;{NxY zau;Ly@N@Mre8|G*+l$%r>};$3{?usyPz@exzc+FBetRZN%RkKjb4{-!8w3@A~@k;qm^}++MCPSH*I;_ucrFZTp|o=X`ndG85PH z&F}u*RnFX5|NZCN&*>zVei44X)1`HDAKAaZjSJ6=Ki+Sju77`6k9*0!@(Y!Iz1TcF zzJGq;_mAP-I1)w9l4xjMj(*H1-;?tF=IrMAhDL-|a-YVym>OxLhte6A}${`m&1p*Ca(Tj{ae)h+y19*Ka9>E4lKpD%az|+ zht(VV>DO`eHhli}diMITxqN##yZqZv3m@+P_-Rq|P#cv0?Xy2)@ZF1GF#b>`es<=Z z$v|8!KW4$0U9N@TU!Q;2m)_4p+aL$=;@fJM8f zP0Y^<@AKNz>Cb0tGsrJ)N3Xx0g4M_M*fQVx!Ar1?(|sg+|NVFN^ws^gJ{K>}Z~Ok& z4{wm)JiiZa-hwCNtiP>C-skE0c=`2xI(xdje)ufT??=vC7O9`!aI^RCo}Y)olRocf zqnk{}pP#=)cfsh#{F`}xeP!2C@^t=yBA#q zbzJ?u3C5orf{r$HX{A>9-_^fs>`WC;(d2Bs@PM?^Vj>X`` zO#WRk-o)T%-<}_rv-kV_^Ln;fPMzQT0QBWO9Vfx;?wPGOmqT`aKl3*0bea0!($VbP zHrXtHo6c`m7sJI@&-U+wiGRrlQIOk?cFTwTU5laz=f!(^a=s-W?tMPF%v}9G`BgaQ zFWUTmi9SzPZ|vIt`CUB?H=FmcoFwY29ucL8M{BWnAFUP_A-J9E2_RY7azJ2%n`(>QR8NYb&(@o)J zdw=og#dQ7;^mCT0rSN&)CPP`wQYQY|Uwx$umI$V~-v49$U?#rkf(1eby?_^j$%3an zl?Q+Q@sY1tuX*R6PyPK}|K=V4>~G!qmwC>8U+`YYa}^twWj#-&e|_5i^FMoy%6-;L zstOz`z6bjZ@fY%`6cHGXPSRuTJz$I%}0*QdwS4gb#|SVx;diu5C3@j zKl#eTxBSDutDTQ_Bj*XzVIqRC$a1w>w{JUq;vc>9KicP%Nk11!vJ=z8fA~jVr`(8p zh3+*!+i0G9O4i?4zpwrH%fEj7kKUfM^4ObmR{oFQ%Ckgx>`QL{amNn+`9FG%<}CNZ zfBUNTql4G&pZeonn&(U5@t&^&UHyM=wch+sUZayRF?n-yYIZ{PpSo{GY%5 z>yqbUzOL*}6D~-TB>(*?>_N}A?B2-k9RyV*%Wy`$LC=~DXjd^D_Z+L|5buRGwR^Tb z=#8h;qS5c!)~ILEpUQAr2`ce+*!`Y0vU}EWOng@cJ?IAoYgWJ!^0h8e~E&9*uPw3{T=r?0%ni9iwq?a5^?_ zN-Uv`|1%n$h9Vu3pGxhNTEvdn!0B0*)pMw|*VeodJ3y`G7*kvOF}>4q;QfqA^?4OV z+Ji~YCiY3K>8LmCSwm9Us6*;e&zce&`thJ=_bi9_x^BZJYQdQH2E(33Y*E@}42TV^ z-M4G2;!rwYR)5&DD!nlr^el%|jUKLKN_sXuYudB>!=62)7LiJeSyR&cV)c7tt7qHe zo;9L&1^fM;J?Qr=i`32@?8ul{qYj5XyKhyhgj%IGS%xX8E}IN{lX1_Q4titK{ituP zQyIDw@k@z)v4fjCqFl(X&|(dUUF0^5qg}>ck5QYs#uFM+E05i6AKW z6W4}ur=m#5l+om&hisE(Y}->AlP4OswT)AV7EVBIG}}QNJsm1i>JWRoBh==;shkgK z-Q&HXwfp23w=!@JrF2Z4p4IR7EN9Xi5eH9$Nzbw!>Nvm7HVk@WY7wm#F(gge)~-)~ z(6jo~2hz8y7?M7T-DdQuK{u`TI)SX*pl92pt2oF((L&S?7ecK%cIm;>h@7ZV72Eql zj<}ijs?de_*0xsG?o+318~o9!B;=@-sWa$V)}&_*h>vB9eWt7|{1G}4oBVBcazd=c 
z+R8Pxm|D|uZ{pB~EPGHorC)j|q_iHP)$fh0UiAm0`_Uiv+AXn0)Tq)?n`)p&Fiv{b zaCib3#!+MBX!9M1F7io)E|j~mRUfs7OkP^3RzVub{bBNn(crboA67Sp+7)YX*wn7a z&NU@1`s@XSdOsTFL7fw;7eQSq-oi|%Po$0FsQr$nV}Z7BbX$g_%^mL`S+rovEq3rk z%I4IDtu4P1;|2#c^r$j!{gb$_)aCnK?<#q9qmJ$E6Hy!^Vj*o?6N!sGZQlfSywteF zL+T^h!hFf=qRyyiQ*!{c-J&PaQbS(ksa3g6Ua4+FwlQ_7sn%VzhONCOq>K#v9GpXL zT}FO74laRjyOvDkF#3w04DBceEZD^)gxyj5@us z1(ci!ij+FP(VAJxL)mFC(x~mAoI>8ld@}Wv#@dq-VjZ}o)YNeev&~6V9;tC?+m-L2N2!<5lvGH&><<9F)YZ0a z&_tZEZc~EPow7}el)AE0uY#6DZ+Ba1bH)1}#FNNzP*bz+GR5S&%dv=U{2|_)x}Uu5 z>^c<$Ep-o3TN0+Fqu6%qQm1>WXo;L2zs-G}1P3TJJxF_5E$R|N3xcCfi|%`es6DUU zgpU(h2Wc7ffZ>SR4Qv${HPU?7D??4*+W?J7JInrPmZ65;SK@IpUEI_>q-{3P8d0v} zu#!L>DYT3!)WlP*t+i;!o$QV6sZ^S%TU8pOermMjj$eoxo!6v`ZR!-hHR(-<d({SzTaHcQ{iwk$6KWRe=1`~^=$on^rG?*jrP7X2-DgH= zOKrO|p?5-S)H`*4wxzTrb^i{+XzE70ZNx?|9gaoJk+RziQi#t^e~~wl?+Eaz^=J#1 zB#)HpfX$}#dJblGO{k&X?EqJDtU%kaOs&s%3v$1y49|^ zE5x0LhjZ*tBL{aHz7J{I>Cb5Zr-HSfoL1Q1o@=$v4c`jxBG7cC~}ldrPFDF zV0*ALd3$-|5KjW#Vu-Tt@5 z{7}Qe8nzJXrjZ>T1bI=inah0w-H;AB%%#1sq&MY|qr;+(oObm5)VcI_9rO+V4Jyp0 zwzSQdPV&rgi`AoEM}z*MzAW3x9@LDz?cl7_uy6DfE=_+seX|+y%$LIA^wQ!7jLvkve)~J!P;r~$`J_*sF9qiV6 zq0`ggJs{;XJPg{Xi3GPJ#OQCVWA&)pxZ8{*IhJEfia`w(YzVfg3!z)=_el(mcOXe46U`N26eQ4@d>QLAx;eLnh}YC&Q1E7 znlYpSeN*$-wOuRJ^BYE$)*=^-EgwClZM*J%79zDiZ|aaXtwX%?%c-+)P1=dt@7eaNoJ6cd z-H+MkXQ|67+lxXyF`+T_Cov$btIMrb4Zz0+|5k^P`YI!o*il+B4i^r**nw%seF%HuGAqjrtkTGOc@IH@yX zTWIY`Omd(l^V=`Op$=!8dKYmxyAuxT`tT0TK_1=P1M(K;U27(}Y*bf;zKf==Gf~e! zZj9_{4Bn%Snp#K+?F@(QRyfp(s~xUJp5|zWhEflx+~PQ>oxpA0hjx0xKJP<%TMj~5 zQozxnpi*~?Y+C|I-Qt6&X>uBhjGD=&JD- zZZk^La-cbAN2>1d1Eg2w&-NMW#-^S%=+SnI>`N@tXwv!`HLX%QwXSat!4=k=WgR~TT zSV5qkg4m3(I1TGY-B#5kI;a!H+uNf)x?J2;h5$9A8Z@~R!^MhzXUD@@dYt0r}BQ~Sf) zWFYlixwf%>bRygj)L51lL`$88Yi}%d8FV|sf>wbYR5YmPw+=@QrkHlr$}Uu)R_HBl zGId>Li}WVtZ~h}MNnYTo{lODJq4ftni@(Wu-6{+zH4I?b| z$cSwl6X|I1nz*_3!l=P5TUZHg_u+29E-{63vkGed(Uvcmz8>2j&<|H>t^5g43OP1? 
z`(p$6wrNT8_G*+G^SyOOsri#@zh_LX%B_B#uANd}*`^|EQ{ULOUxjiN`;;IxG3{13 zXhGjw3rn51-o=jeAwqvZ-Z`^NOj2`iwM8E4QTp3?BB$Yiod)iloNj6dQzQra*n>%r z*bQuBdeZi;L*mf^bt_R@52a3>H!a*Ja442TPeR`&Mo(voEVXbnnv}c@*)n|7_L&_X z%xR1)B_F%IbvtMq{kLR>)Oeqkc%2%C)vkklw45^{?%vtaVGu52R|U0CqTg;vJlc2f z6raE)vFN?8?eLxcNz4zUZ9m*PqvW}TI$}Br(>kQzj5g6SrpFdLR*#xPr=?Il1=C8; z8dH53TZv)K`(Bk(sHU6%KyonYS++ym*}sPqQ)`a8ig5~>+@_xAyTvO| z3r5rMM@pfxL|-@eQ$xJBwgYp4@-QnE4iHfgu=AzFbN`n3gEQ{I+C*cCO(sJ^(g=ItPL zPVM|O>!2Q5v7NC@?{xI3Cm!zT7N{vDn?#32+cLeaW>8<(W_HGD5I&GMvA1=ElYq}! z^j@GdqK4EAdZTe~Fz8u*>Z)JsjMAnh_v;v)0@i#urNvJiaHCNB#Eo&IuV>hOt7lVl zj&2KX^exkM+;$SOL2cW%(>qS#NT~aRn~r{J2=6{2N$&P+VOOU?SVN6lXi+VvK{!fZ z_p5zk>X8}So_^{(+d^8XtA33#r|t9G-Phr1RQ;$u^P2gd`nI+BJ?#jjZHb!nP!5{N zDbM7O8V_{^aBJGAV}$K(p=Ri9nT=>cM|(k~p2pNF(-To*#5JB>uP!;c(H3_^igZ56 z$xW$kevf<}<_@k%-MhTyh@&RKZ!{@&uD0!wr6!?h^(ZNy;$aS*x`VoH$|Tk2hy0TC z6_%P4_9TRqI1jcPh)H{Achr51OK! z($4ZY#Gccl;P(y(bzjvsJ$e${iqx+8c8mtO-{XwPbAh{@By|q1%}J8uTAG=I)F_`e z&qA9xKM35YVNZ>Dn~-0Y8f!#ba@&;uu@B<*qGgfHpgN zupQLA7`A2iMs|;u5o|xLojhqh>RE$fZ%iCFZQDht(;SWJ7@Y`vFg2K?0iV;htZdUh zw26*3Oqh^n!1jVcO*y_L&!a|Aw9K%yxwu`A8Fg5{9h*g6>}qWaIX!I~%hF!jZJa>e zlCX_sso8Y4Lo%r~SSzHHQ=v2@7Sn^u8#NBBDcO@&ybfV;r0R4(}Xpb zCf<+MIi^PY>_C&$eY;Kljhbk?sccY#7`7=n>ZX8gmnwas$FX{o6G<^xwA5g`$~|@P zwA&Bru7Ji(x2cIjT7`ZZ+&<*ZRnDj(h^3AtYhRF>QE;ozse_hn0}XYrS(|pD9SpR? 
zgHgArwnN3J(=P2?{~SNg&loRkaDle2cI;bai(XxB*N0w4Yur;9&aSdZ98PxZr_Q_8K&3h`WAmklY zwl(QZ>3hlBN(wDc@b;!ms6*%$B|wd3*|9vG2GRN8Bw{72|G!|{mMjrID^&j1AAgne zh-sM~%~_)PzdZNnL;vz|v&_CF*F8@j{j^_j=7l`(c`7~jP=Bn;4SK-z zd#U=@1-73$+DP=*jx|>EIbK4#?s?v^5A89_3-}G=ai~)MZ=`Dbh-KM!u>|k1`u$Xg z=nZ{)s3Y_SYd9~_DhFfx_(@ro?KlozpbiZacps+d8!~--ldXP#)GL<9KeaOW+e5te ziC%z}*@JRZ!uJoX1(Hy!-_M~CS_7+OvSjcX%c?$w>s&9;{*U|P0hSQq!9`95hkxJ4 zZ_fl%rNR4T;0mgD%o$wcB!xG5)YtF}pqva=@Q)p9g2jK3b9lnGGwA~9>g(J zm4hkI@h=@#Ck4L(%K3N<4`N*8%!`q>ANz29nG&)XFfZp&V8K=c317F zuvP}-_+4;1&d{1B3hTvC84cf1KsmHsu`mIA!DtS>EZg!0lWWuQ&|E2a?ehW}>dC|v zbLb1$P-hML6J%%Y$pHBQw&lqPsSSG=$T`#ugK?#0kzY3$IMC4_Os2hr9X;XEcrrb1f`G-@Y4k-B$~ALUrW$71do7jGWZ9cpka;r30fR0Vi{m`FLi2O^%s zUtzCA#~G~V0t1+7n2f;cCVq<5BT8X7*4jv{1d~JK zzAvCNHXV%N-;Yz2x*x9%+S~DXU?D>@hKaB7I7T)S0WZeZ6j`aUJ%B&DvLZl_j2i#( z=$DV7fg6u)bll@y!B~E5_t&rOU`mGuO0ETs?RYXl*JA7| zu*Z|p1Z~o^??T|uL{E_aHJQh7i(wQt9w+G47IfT36Q64lNbu9A{RO&mlX2}}0ZqC_ zmulKyqMeyqYmL0GiETXOSx(^F$McTJYg85}beO~ph7MCpbC!DuQ#S3ps*c`{zG4G# zanrsId4xQOsbf$EY2pkVfb$r~<2cgCRm*f}P!eNmMRWKu^N@2kbsP)X*{Owo+H~xS z7#;4!McQOCS$RmEOr4cLp5dgg2LZAdQ>%}Iu4%tNfLN)?7`eVvixuz(3}BIHik+CL zRhRIN3dYoew|<&38Nja}L;_M(7by$b#bdKZm>C|Tut7jd<7+A; zRNyua&!@ieB{c8T4(F8lsgUy`1H#B0aFZGLl!w$j3zmskqElu*+M;@aNF6YrLo5LE z^%8p#Oyo(==;Mmm3*n#pU*-yVF>JboGSatfq_657Kv$881Xi)e)&K>RlhMQm7uoZa zLUyPJOFT@JY|YT;3j+bk%wPEo8d4^7#yLcsF&~FeOkijr6RGl*LH9uT0*3v}UkVQL zDJ)3}nq0V&yb|hLva}<~{ z!GY_{#LDm$+>TVaE|k4Q*wz4@x-2rKP~#YA3oT*@qlK9MOD_VJfWcW&z@u%HX>GFSMpBw3w) zfHAt;Z#k+2GlNUhl?W9%hnH@dU|DyW+|)&$W1oAVH-TlEr|3evOsuez?K0(Z5gLJU zS8iDO%Ex8YWy0&a`YsbqxN&^TU8Yt7za;vCJ-+JT7f3Rg+$eOPTrMIZ16>n@wp zzUE8qb{r27Tt5TbA(&bS8FY!da+$)d2P`jeV}Q$b0hl21g=h6qeb!Z*P+?0YWRUz@&Wrt*#3D(sYF~dTa^~|dI#eZ+GY^|hkL7+R^2Svw z*aP4(SvSB!No;h+vE%oAIhmlp7n@LQ40r)kp@F(}Rj!a?EkMuc&VU^K@|5Rn08u6$ z6A4bc;Ov#>70Z+*C{}Pyl6VTHT|B9Y@HkVZ3n;=K6V*-W zh?1(Gjgq=w2U5q)J{BcBvf+sIz zGH@9#xYn-Pypmzb^PVe?WrI9ce9?vR1wxEe-^c-et-3D4_aUa&3)x2aI9l^U)8u-N ze~~BvP|%CiT5~MvN(Qb;Ao#`$bw}Xog}F+3mKfa=a(*nzsm~x28S<07gk>zj7T5E? 
z;L=ldK5NyXN5U-ikoK*!EUv5J1?4i(p-7A@x(+hsvaJ6PJ(haKahv8ze}i(;o=C(5 zt=7vD1^_2s1T$BjSc(KDbSg6fL_|m?@-BA|J0>2$!FwW|GgJ$!R{%FK;Uxm&HS&wK zjOlzpLTF0;9RO|UNsi2?7o~6ugvpWKs=l0Q&SdS3LP>=z0gd8X3*FIW*V=~TKeh^g z;Z2v?!>S44OTq5*_jc+HjW%A8Mn< z?|?sajQ7FcXs9iGP`>s;6Dt{f5fbG#JUPc&T?Q)g(P>Mp^HrkqK;%hRg2a$`_E}!c(&Fm4Y#hO0&E}VN~aW{3xX| z>}({WC%|TM8R6Q8r#z)?|H}&Qd4q2TVl0X^%J6tHU`oS#DAy(2Zsjos*&#hShh3Il zD6&Rd;LU&u9?VzMN{u+`JIgh^U4=-QNKggBn*#`lCvz?_5T&vlk%$CSNo`_|8-R3} zs3legAq$zpx-%(IO2acrVRBX!A{IXM(WSq^Tc=cj!=J)+Y?un-p1^v%7D4pDB8ut+ z3=mPbW#>A+@4D#FT#KcE%hb#V{(EWYo%u8U;9y5J>8*Td(bVaI!t+pR2c{-mzU;M!;9Ab)`opwEiROXmf8jn7mA zRyk_de7>yw6wPyVQGDjJ1-_0dVGvvIbDlxqdlfk0B8|7mU8MXbAUol+x{eg0_xo%u zAReXO^Frkv0jtmQ0zw{q&N1z%&(umlm&gwxs>%-v7y|l@Siqu#FML(vRTj)+o>&;@ zZ1~N|!Y8~0wbN9GXP69{|Ar5S$UOQ3tW3q)rD4=R* z+b7WZFqz>H!56+@iGWl+zF2qgWB8#nfz9~U*XV*3kch$;fhbtgwP2Ys1Zb~*G*0pP ze#UYE1=0ncxGy+{8u?5umGC&wse-9B+)%-!&lHj(o^PPdjv)PmuXx@t1;RC8aB^eo zfGw0dLqw0h@ENvpel)cqZp7znxI(ecYk4}V^~GAuSx462pL+{bo&5({JzphRDC8G6 zSEYtF%vU+r$cOQzu6^gDyBgtO$WI}iP<2%cw(6)SRf<1USZh==UgGq!uMEBizSn7j zMA%V0t=76$2EzT@^MRtcHrPfP%R+7HzA|oyj2Il}`bq}S2loxW^Crc6P=7zT&s9j( zBvJ5*c%kWl<@!c>88)O$mI|d;{d}n*H@LsH`xe5u_)C9!yr}IPOm5~YQ+L!HRV}&5 zj_2?Eb)bB>*OEh=Q6&ruVSId|rCb@Az@W+BOktz9zxLM!f*ScNcnU@pyrZ_leY+1q zUcQlWh=De~@eTA5dEbG|pWHWJLX0IQ;gQwcD(j3yi%oC==0G4d$EEUPxS6jZjIe#0?8`BS#b1I6Tiehnl{6z%__hW*%vn4db%lc?Yk`e1+yH&H1wElH!yD z1j9UBBQW1Q=Q{i%e9i!&0oU`ounGidjffrR8uz`=*L467G{z=@z^}>%)QRk4zhEw; z4{2EEtI-$wYvQH zS_2;O2_JCf!B7m2{UNdYfRhfdG} zr!xY@5_}sa4CI1HFOKJIf}C?dVG`wxf<(D230dx!3=ep1o)l?iVt9^TsbW04J5Ysc zNDZKj)Jf>0PJEzLA|!%12b{+l%Td@97!`8JVOfcMmt{vfS;=5-TzIiLuPNHQcHT9h zT`5qe+4SQAFG4J>nN}zj9Vq4d%7?qv=ji8>{b%MZ;U!n z2tnYXbXn+U9fgYO?hkAW$aBcLRFq+X0g3g%s0?)u1f`D^WhDzndN6znnOX~+9|~C# zq0qR}Z-EaJq`?XfXbYKwDTqK7ke4+S9R!xuuQU>?Hj%gA3ykhORX*ncS`u;*b4;2RCPjMOQ4Lv^t$D&zE(;K{gdMnz`b)qn zWv~!%4tL0NPZaP8ANP!h!Wu&YqR_>PVBSTr8mwHD#tXUIVL?TW^**{w%5(^nND^Hr z$#MTtC}gpnxd~1*ftxLJ41@|n0~5*H#v 
zS;xo6e}N3}*s_o(9c+`K$T{rY2p4XLdEst@4?DWd90&2C&?d_g0pp0!FqjexjaoC+ zX`#F>>{h7qLgifz%9w5{GzwN`L&M|(x(uOV7@!%Nn)qbZF&m>=34YH4&SecNFAScY z5fFJ4Dz&FV1|njZ6mT?UxUxM+R;)5Sk2o?ne3bmvo4K*0G2U z+-su}mVh9ow%53AAT%mv3Y+DPfYDa941<3rlfjxpR@zV%vGBdbpcq_?2UEnbEqvy} z)Mbc69Z~bGb)ZGUe6Dg2lsm(X+(7t^aGAT_D2d)-gsx7nBikliQ{Zlju)y1HnCyT~ zhU<*y9hI-W6dk?wELV64jhNTDMJ(`%!9Yym#T=k8!?g=N)aLMEpG>2Hx?-?!;b9n= zV3|sgh7m6BB4rGXSPOW%t969Tr{HsybLgj<%wYFwON@W?4NKi6*2U+Mdq>eIFuq>K$Ry_fg6TJsua!`2w%uK z$adFUVJXzh!o#?Jkp>e)$|=%fRl-AxB-F=3Phe~(f?R|I0Hqb zslpG04mybd&O#Phs3dm~4U`DEKwhR;h zWe{X6;yi-!vWN|XZe%26(4{9+AJB($=TuJ|Wi1jq;|#d*ky^w2ZX{S- z&pha0Nr(gwO-Ex^6ncoFDN-@A*^$r&*PbKM=68=SAX-Fl0hLxsaWXnmE=;CGUXf!o zKqO2Is!D+6D)Rg}gl$I3g&swt*SLh*BuZhkRkVPgnvnPOakZIKe>8zf@0vUmbNjWS9(KT{RxS zKp;lxjwsWb!R%ml@dDo{9}?fhe#vp^Dq3+Lg^w|>F-}LtUI|$=ol0MHDGEr38S@0z zZ{vF8B~-mD2IpGGmW`dDnAc6lP`}6ZJhtO+h&uo!F;nY$JU4nGGnn%`p2sV62{`K- zu@cw84d%j$*&M+ZYj@)KP6&?rOPcS87`r&a)r6Sm9orOb9At@OAp;-w9z`a_v268< zj`Q}5;~lp#lTpVx&5^>4qctp6RLkQMQY+R$1~z?0W}?%6@pe*h$|ahGQ;WZ>>&!<* zL&*T9IpPRGeq*IHz#PXWS76|F+`_JpFV3txC>LUl{jS(BtaYmge1X3tGILX+@H95E zsLu7c9gK19BUT1e62*%FG-1`RU;^e~VvVQ4$C_nALyFvHnH^0Tu~Koz6I!R(L0k)* z_SlN;QOPlD;ljXR9pVYG)sAjN!zz93TN1ZF?89TNg{xco;B4`@h>^~VDl3YS5ebup z!YP<)!z2z55~kLM<61#%SPbuD!b77H=$aHA;ZU__xYZ(I9jlb8tn*Dr50-~WjVFFH zRS%q52^r606AA28Cd^;EBKL8hWBnd@)e^4O5JZ`=_Fu8%pmN2mvc)~@(nQU*gsBI8ihlNSaL69#gZkkIVoW>Sc9NG;W3jPfk1*85fWA-x*)w_!lhcO6cxYY zO@#4>v5}2Ce)PB04Ku8R$~s}v&%1`7Rks0xv=i<_lJ^)cq-1`CQ8->bsz{z)RK=NJ8Y6hD8NrRKGW1dRiCIN)-K_7F&oz{ z6D}b#y84|8MxP1Ct(BDz2x+?$6{wC=Q=x)^PIX$EOW3WH2pJ?w1|2puNi;?}CA>k% zphx14_OPVMiG$A<2A07R9ty}npQH)uOsua;Z+`USdB;6hDu-GxG0F?EPo+%O;RU3c z0rj42T*SSc2#!ZHBqhu=CRv6O7>V#0hLWV*7i2?ZJX}X-~( zJh((vk5$1UkO+yx|9XNE7+35q0K218+dI}?rRV9TyFh@;|aR7&XwXd z;Eu?Y)fqUG6twaGRBoQkQa%rYqWKd92k>Sf-MQ0st zY^ey<8eSWhVFQpd*mILI4`fPe310rVjnq@L&u_U)%!Y&!JYJcCR} zwG4I~vV>zyt2JN^D|9HjAivF1z%Zq_k2;-u_;=PrD4FUSK$D7?dpW$d0;00&4aK*T zi_kErn*>fsq$=jz=cvk&vK8vkNO_Sf>?uIT!R^I`Nq{u>Sswd7ocEiGMBw{fO9q1a 
zrM!TSO4@~YOoi92r!Z1BRY6BDTlEB{&rH?aNG^j!XcRN1f~gL@o8lg+REMIg`?FGf zeA%&WGDr+edZlRxzh&AWkdI#bU@*3k@=c6ZGSIkImzqu3QEo}K=R(Sj)CAmz8qBP@ zHJX4srwV-h>$(dN3HrL^66Zfs6{GExXp};_9*nz?=c(~RyxEeiMMr=rJ&$`TGP)2R z^k+-dOOhH779S)py%0`1OxME!gy2e+3S3x9*L?>z#H8y$C9q~KIm?@n8y!vAQIt&A z#S&-3)3wSn{E7hLbtI8z0ab21Qe#rzazdnA)Z2cciB@lDZz`Io8; z6to6=@?%vmzrZbQz@8AxaimqRaWX4xkz#o!HS#YWz97Wmy*^P zS}5n&Y1L$dx%Q%W)2qkbD!a(R!U)wq%tm79piwi zXTDVbg`O#O#^AULwd5>^`X+=^cvXl|l^GL0v^DL1V$`DQ;OgNp$q>n9b3Kk9 zXr0A7TAj<7iUdNqR%oWG@b>o0)F5HchRqAxfcOHJTp3E#w$8hoXP?P6_3ssz{@RM zrd-&Jxu}^T&=QRA*JZF{JGnsiec|~?EiOEm<66vdv0+hnFn0l`GgC0t0UgPd(IIXf z%E}>%G+HBpEU?O$!npRVNChMdYz-PxaEqGA1781yV9GTe5XNkyuqS{~MGL<(A-o8f zjPMh}3%M6Eg_%#Y3{1IRc*;ZKu@DlIR4s%IV(9;6hUYNcT`bZJ^?p=efvNhkrH9)` z77IKVru`KTY{pkv#s$bNEEa__UF60K&qL;IA-;HczkLX;&OD^^7j3iX(OME60Xx!GKlYSw6@?R*#+j3&V?8HJP}Ktqf^T{^IeFPTP!x44bY9bQ7V8T{$jma zWl*#XlO1EGar-f#jWyAd1V$<;xt6zXEU7kni z6^lg#|Jnpb;dE!N(oHBZm@XGtmhgf@=V3AD5<;o+yix|ozeO_{%puGF0!PKU5iLXo zNKO6)0wr=K1Kj(cbLNF91A&`navkJ&sGH`}PZ(s}&IOu=ls6MZFz0vmP)9SSW^+7H zH21tN_?r%U!Lj&Lvy91g8S)%N%GG6u-f_bk{12?!fe?Y;9C8^N23tFI$h#(FXuo@7 zm~>%$syQ#aeveTaHbZMqz!+KAKHeI;J(}lBp6iTrTvXGZWua85o-+@*4BB4`pMwOW z_R1-=PL&;o35z;RheQlIWFqa7w_uH#19Uit$Ohe2KG&hhR!}%XHpk*6BrlchII&Q~ zkoHA;p;8IV66sKx%6Eq25Ol~R;leOnhpNQPi8>VZ4F}4#tXTt(FBQJs)Gf2V>XH!7 zeF0CG2Pv1uoS6hZ77DLMNx&X99j!HL(5l6ecR1tKL-mjb{E&zYKVEpzp;86vl++?w z@*Ja2sw;}Fu#VgWWRA5+Oozl)`w<$IW4@Jz!LUgk1vUFHT1qOqVose1F7Y+4xdvcR zsD;NNb+r!D4x=V=j%UwTONc}#Pns5zbqp!jQB(gux|WpXh0qRG_nIIRH-b%(~ixspwq5%&xdz7=7krU%!NZtbf)q`V@I`M z`CRbC@2Dndk(TiDg7XA_lQKAT)Iuta0t~GXiKkXB6TZQX$J)3d+*jrMupm_ zV=(K`?3l|md`X_=LUWu<)vBZQT`O%=PqO3QMpT#{9F(b*NxH7m%7M5Ry;eTF)h2)y z)`I!G%YQR9u_0#4&;=`m2Z@h#X?oew>sm%I2U@8f*LZP9=chIjPdKg~fGB3b@K~@U z?i!p`Fkf?yJH2(57~OI11(QK0B=BWdD`+ze61;+mm{man> zNd@;pso($sy*9A)*!~jqC9ZDh)X-)@{**hrMw9oI`+G!DNI! 
z*M>>N4^?m(?{4B=ivr!Ros2(Q{V;#D#DF9z1~WyO04UcrHSYRF}#`aoidf zf+_5v6k%i}EXDpN{aL8Y@kdZk`o)kjLZbx=5 z64d=#)H9yzUN*G-CC`B+H6Bwy)J)1G&Se#9QozrPwMNy9qQ;ys7)DpmxEQWntctFJ zda){C5vTf=34FjTClJu|#P0AC(zax}1An9mQQNnF5;w7}! z#`qYcWmE?p_mcAf%lsxsirjcitZ}!fkwQt0{ds2J8LTFkUi ztV*P2jb=Jj8N64^A=nBCxhPg8a`$RHhKI&&ExC`~hGmE;dklnLE;ATp8lP)0yUjRI z>vjPumtxrgrre6VkOlgUOOX|#W4w(KDZ`1+k#CMq?OrZLhS_vWmL$5!IWMp*=`2PH zAPBTFMN-A~M>TavrcTHp$K4?%gT?!zldEUhK@_zVSu8quL6#jz{bi0M!x-d|mwvLw z)vu)v8PuRA5mErCVaa6D#h$XvIy~x<$sjP$y(wLc+F5E50MO1-t1hVAWHO!N7`Wsv zlgP8K6&d7IFWD+*(6*J8k0$2G%PL*iP`+FViHqV(FJv-+w2mbgDc#G(4^dw*VBYMezr&w!P2A>XTYja$uk5xmi16@qy(C+>6n{R`XvfwI(S)2 z-qmHcjIirdavxH|mR$M_K? zXpk1(@v-rZ6YBX0a8asSbD{-A{XV?l*@~ewT`A-+JM2W^afH-Wmeh8_3tJK z1c?v<1PTKsYW4jPRN3czf8(Y5!oEqB!~qDz@D7iaB09~U6UkLvexe_Ex;DX-076us z(%Zw3lKW6RU3ouC*z|uIx~d9(rqA1T{#GWT2r%EmvJCmNwVe?X_UDnnJ@S@DK1%7*iY`S1Bpu< zAGo)bVMu&haL6CuupeP+y!(VS9#;!1ls41LHK;#$@-4N&R>kolZ0+-uSezsPw(L(u z@R|6OScMc<_|Nt0+b60MpRzQ<4_}V*kj5J>F0ZCoY2|740ULkM6Nu(v4t`wg#dl!T z)B8vv-1T_U9&gY6HT;s=&6_Sb;?KZ4ss^6Z6^{Gacxo4uv!}#>)MuW5eER~yvPG{@ zxAU2BCjV^wl+RDNP6G=x*L%jD@l^fU;smtuo&`app5^CH@NYw5gI84xa%*M$0$>L6 z6zHA$BnQ{pAAkHYhEY9N=7bZpr^NkA9OJ19dw9=$A+Yjn-2EcqI$GeE`YF*}=zJeB zG2sT!^93E&k8ikW5&aXI(cS*SNoUs}0=fC~`A`qndvMy|p4n+_kZAN2GOk@9nRjxy zRC)e3Vg#$_!XM`;ts9SzFJk)RCyJ9tgt^#bjpE)eTtl9vGC{oSZeA1I2i;8Z6nO-% z4!8H7>x6>kK0RKjCfmRN2^Ch3B@S&#o}iVmAGw;K3Er6%!d`ICZci-^^r>e-jjWyG zFNw=vfBiL%emliwWej(Gw(dF%pXg!>(2oE1pC8|k|Im-@`$eYqLU4)a^X1yfh916{ z#qOvJyE8ecNck-5DNqkWfm%4Ed*V6$PTJ!Qyvhg4RH_2Kh2su;O9OrX{D50?pP%gMfK+qjB2)|=6|eE$Ix?(`S>^L{a+-|v|tYl=w@IjNm0tn7;ha4S}#Fzhs86&7F3_2gH71 zJ-qiy>Egj^d&(bwqO5q=HVH*IG}$HYM*xL4q)j#uq~+NdLQQv(q-aY#B^q~?=k5V* z>|+)5GIrO7DIfcN+Tr$M?xy<}55F;%o8H5WJMzct!OKKuEF`dNLoJ}4OV}R*!BfXl zJN~8pXL`Z^2!? 
zI{bmFs(){jhf1hD0CW-Oi`NEJXZ9AaXC23dUW{IMOo`j|sIS3G*+06>1iT2(f1$5{ z{egY=3qF&z!vcoS>FEh76dcc}XsdV&T}1s*u?pYb;$?q-hhx6Iugc+FKI(J)Z(kJG zThK}HX@jqS!wW6GlXWmus|ZyGjF?u{*;4@)vdTiv;zMj_Zj1fA~8psP^BheSF?nj9Phd ztT4}cIaym|h%kFa=t8l#c+rb}nFktazg(LL8z{e)9nnl*(;YV!UxH;qU#{4DJ5jGYP*`}mt`gQqmLMLTXA&;dUuA*HDzEx+ojq52cMK55I6bc?WdM79HL-;Co?p8$5S{*db<+>%#`$viv}igbFwE;%mAJL{ zdUmA6@EcwNd9ttlbS@eH`-x=5Esh7{2)$_5Rv8*~?#*MRl9!WT?f-{6kL9i~{QvyF z{#h$bd6Jqb?&CfaEX9)b@fZ^(O{UkrP=M(QL2olAqh^IXnBua;6^JTFiIt;;?)97vS@klV z%jC9=zHH+xFG!d*)*Rb*bVnT&1o!Q|)mv$!n@JgD5=&-|XFotjn_-hmzG%yEB`s3B zs><+dmcK1sZfPWz@r1uXp({2F{+wInVkq(LA?v8qQz}!i6WaTM4D7K#991b{mqhkT z-Y$t3ET*y2f{kvbOcJ43M$!l8QxqP2%1Zgw(6!o@d^cyqlhjHplZRT#v&KpfF1S=} z#>p*@mMxX8G&=a}uO=^fp%hAfO)T~vd@;0g*e~Qjg2qKH0*P>S$6BE{-luson=V6SGHmjhX zn`yjJr0+KxZS~BlO_LWxHyITko=Uy2P^Lid@O_)|=#G`rm!*9SL!G?5UX-D5*>Xoc zK%?IC!jm4~0s{JfMcJWSvz@;ds2J9a;ZkNYRWo`x>2g@p^!+HI8G#;?z(Y? zg-le-_X6T@(2{u>AEcGijYha?vOBir>B{qt;pE!OJeP-5M-vJhtr#hw{_ymoGr_rq zeYE~E0FtMq*A-b|y?&kyA7i!_W*ixp~xaM-IwKS0zzPeq1){jGW&(_>+Y7EX6R*Qw&lGH1I-bojmVj^u~iaX(6u2qVKIOXZ>wYC5Z7 ziobpS#|3lNUyWhTRVu|7>;EFJe9Cc>23a{Xof9u)|Pc0zjy&gw^b|o%!X1mj&4;))r!lLSA%xAl|?G~E(39q#U`pw zXMSSn=iC*=#|2bixuD#XUyU-u(>KsQQCz zVET1VyFeR2Lh|C7GP-?7nK~HgRz|z!Dkf(p&qu<17Wy=7q8YJ@r~Qxejbi?`+~VlhyXvD8 z*!^579S42a+#EI*c3vxC!23dhv72kkTAc=h9AV>mgB#g8KQ6+!X51QlNy=>UQMRHV znZ>g~A7GATq04>mSX|i#R}IBcwht^1yHZJ<%L=9MCGP1$8IP*t4C3G4!;#_OW68W% zXnK?)+EZaS5{SlKOD}Pq8Y+!`UC^dAaV%}BQjd)bRL2WM1l)K7Wz~Bz=C8`u~sfMzZNZx1&jKNJ0&9+|@9$q+( zTqDUH%`cLc$~o*0OtlX>i`D3HEAxqJJ1dLyRdd^9*g+z*+`@P}KbTXgv~npeZ@gdi z-i(vDP?m8xEPRK6nPU;}-{C6eN+wIit>8T0Xk3B#%tjKd2$G%8jt*|X>zd*CW%8={ zH2;s9Kc-LlzWtB}ntiqG(TX8Bsp%7eQ9HocSlKx2Nl^+%IQz7!cHB=hUd%eT7#Sjb zjF{VE#%CH&$1)rJbyl^J>rt)ZU{WFSvR8%+RYkjc$21o)G+ES@*@aBIJFCO;aj9tHn!>b2L9zTe{LbXqkeLa#JZ zA@DR_5|_Rxwy}3|rb$uGah#05O+3b3W}}u3Sq|u22ox9cvSlPX*vbOVYelC9WpiX6 zX!0D5%L;KsUDBHh!2yV;eu9rPY2zr9IZ}loe!%FFo|JzD?Kxgz?1P)J$zU;=Id)FN zuuhB1Mcl6qjuO2t62XGAk+&#d;>AHSRe0p~Hv~`q{{y=pqrr;-l|x}(k37XENWruk 
zBvP!MFmmzex?;+BY4b;=C!hSBVSDZ@0uGSLvbtaJVO7b-`NqNbz4 zZ(ibP-9^s!$YU>nNah^v3>Rm|GyUDqgMia#;*6QSw0-^ruigf?gFkQ0S5#Ll0l_+s z5<`@?o_Iyh(~%x zb7b#9++XO$mBw-9s2NMm(7eoeNybq?Ia=XYr0`0aw*6*?K(>^-e&%q{xt*dGV>`#H z=|ksPjFA7hV25aswcW&yZhbNriJxbT^qx?;{+XzhqxQXyG<}{u+EnCaZ_#FfV!p{N zgp2w`=N2twl~AkNhX)xRm^L@NaOMl?o~%3hi#F<1%N_Ohj*x9{ag+wujq^Au_Owx4 z8f6R!;OB89N?EePGGxxoRxCu=spUe^9+}~Ak&{g-v1VxCaGWuT@r4(siFv$opeoV5 zk5k4GC~6r$_s8RLi>{29NSf zx%!Xl7;cUtl`os)7t8%Q{RM{JeQ2YKc;AU~Nd!Sl$Ai1;L>`X=7G2x8=jvtSfM=$G z0v%Q3c>g7dmGc`bcnhP(tLNmX6^DQ)hGsZcE$kX~1*!3hy6YtI4n_rgd&=7c5SA3; z6IEz%KS|B<{Q5CI9V}E{D#C%GsJ<0iG6f`}!WQ9h6J-k8Voe^Raqm(blGE^%*DD0{ z<2x!RApC$Sot!&7^N>?OcDSA=2|{N1fuQkT7pQT|{&*>vkQkUNhQ>R7z=Ad2%&_o< zT!g5w`g=${XQv1k5ZVf9bS`6BDm@CNgkIHOe>sR8s<~l8*O5`x28;3c0Xt=;6`!(6 zOYI%XQAp1E;(E$2kI^Unxmwck^6R6U4L6@@A*4R_?g33>=DnFfOW3GyVG=ZrK9UwN z-3sM{Og--cgoC4as!*`QG+zsxQ5+T6I81;4`ixXtW-lwxEzj+O?wXIl?-ZI8y!55x zldM-iqLCnos7;(BS1#k+@1?dogN!HsOAUM+9%!da%{qGwmnn&&6lcZ2VW7j90QLPs z#srw^n5y%P=Sdr90}o7zmY*MNo1rR-y4bC7E*HcB@^^YMLr6T$RbwYn)>|2EskIBf zp|IMUGv{1yT%`*|Kw|I|xdw@BGC|;MkPDmCwSC#|^q)k31ze`=6K5k;z-a%ZeU5%e zB4$-h5^3D3dp%$GTN;9Rb_%$Zoe7T?GLuhxb?`tuBGsE0U2a~7B_@?9;i6G6H}9RD z#RqwLE*$xmMjebrZQ6dt@WFPh*cP<4O;@=$|(4}nPSt3;xM&&hS&IRi6=VyJY#mk!c}6`go50CdYuOR z!>QG*uOm@M$SX@NE{dM@EP{VX;^|DR|yU=#l&ee?Kf2jt;aCdLvY{cB+zmSd?GHz%inA*Dg@(0pX z>E*P6t=bv)8#D2ZM*xSg#mq^IRE0CON4g{lPS@1P_XD%TRxxe-ae2%@Tybt5Uc%IV zt@$N!A3pt@R->+p`zYz|+|))Vi)MPdd&6juga81Y^&a27*G3g_7RV5b{9VKC|Ua9@H$q`CHbF0{0{u z*j~39S4R`&H}Gs&z|86$-P&9BdU)ngHqMej`Km=;L7~`Mahh(FMwQK~6|XnPwTo!s z4gZi>45E(llNDUXSpS5J_MjYXT6mY zgX*8Mq9DPM8wHlisghI&+6x_u^vn6 zpNbE)b2h4(He5jZnQGNvO>1}k(J_-?lKML}8dbgZrJJB_@i$4txY1+MDn_VW?{l3> z%6ey5s6TkxIFj8gms5ac^vMnxdzgOq;DPtF%7QmhoOW~fmosr(!t5@DaE9+d(n z{*yt`i2`Ra6i+PNcnSXZq~^AcKIJ*<9yoge?F^$iX{O4vM2e=@fKo98$TONS5LsCX zw9Jm;{DCW&>Lji*!zNWUrfye5;7#H3a9S~RS27~2EUogKX+dD9N*+tOd9SQI^?Mvc=BoOW$2?xr zM>Ng+btOA+f)dz%F03`iCR-{yA1zB(_n-uzxIHLn5QPc#Fpv7yMAeS~IPgpCUW59=+ 
zb-9x)^V@ZIm}o6trz4gj#gjKEb%WE4jdOux>eS(}9}_`ek!=Y_y;*K^8(OgBF_nDA zT25)VR0+W+rPQn|99I4Dl@vA-ih2$(Ijvj#`Z4Z89;b4tu*LJw0A>6vk3@3foOh@f z-g8BrAC#}A8?EY573g?|`EUxOB-@2!!xhfGD}uLi5aPIyy%NQ-^z{Sz&TTq-IH7ve zbyut@p^H?8zSaw6iWP|U?WJ-6`s8E+B8h5VX~Kc16jfZG=qgbxaKR>^H10=zEZ>fSGhz|42v%cu2aVR?Lv@LF-KIv$~&}E^> zTp!4RGtMlR=fy0ZKU(q%HAYS5E?qLybQC5ilU`t4$$QP?$(EBE^jH<+FZlB(wltcx z<;1xE`L0QaLo`oUZHq`=m)vSmR#6`C^Am?t9A|p?=5m z#QH~JfmwjFu1!DMtukFKzTp(TwpuQ*eKR$~H4)J6ndqfuJb~3pYqMP1jfxEMQJJQ~ zY;R*OOd^YUFeV^NgM|WDq(svKg;rWXh4r2ko7NReVG%&4SWn-Du{PcRoi`76^Fn*o ze9Ju4Ck+})RJa|d<|kSxTSkDIK&2j+1qX+5M>Z>Vj}*i}P8HXqhz^i_GR zFjQp=Y>!f`ul?~gPh@XL2|3z;3F|l>MQvfq#-Vf5@#!QqF&T``RQ(r93Z>2-;5m{| z?C#RzE7Hh+|ITpF&svIuitG~w(8Zc9;?_RW#EW#nS`h!*Q49b-;6>*u5f#Dh9EgmA zhLqbpgxWebt2Q`ZcKlHwHmq_nka(V#E}=8-(H&L95eJ5&B}>pQlu`D@zH%ommNpLg?thN)$ATeh#D#f z^Tf}}v52D0YSi-eWT-r7nVNwaRWk*tG5-y^L9q;K<8%W8^LabvX|Iga{QC9zo5Tm8 zcc=DxA6$$$e3hn%C(~7}UL(r8o(wu8J#7M&SBhtP?X%_;Jj7MwGNaL26a#q0v~5%} zlb09XC&#&Tf^_cMa>UZnPKpBMl(NU_xCjC0S1gqbo~b4~8=WzWXBN|aGyq3hS)lCI+PbnFieI}z44kFCPjj3>NwK~r%FEk%Xe>t(NW5`!3uB-T znKjTN<`Rf7i|3#k$C7K20&O6XG&Q> z{-NkeM~({n6On7pZD*`{)NOPs7N{p1q{4<9wW2iBgotmbvhI!^3mVUJ%X%@3TQqn= z^~Ao|9U)&yvY|-$0G1`Tv~U#I^C*s9uzY-eS$)Lb#~e@UKEHkYoE1xm8p<<4e+xFQ zHhTd*|J^dZ46Tmq3s+S~+&xYmG2Bm;u_R8_y!S~yy20Erd$VS22NI~i6*Pp13ww<_PkK6 zozafIz5*N-vrVdA{9XXG07n(k=tOOy)-B#A+*XmnaCKIM? 
zOKj>%E**OL>9Rl%u8DKth2GJ4m~eFa0WTZABYA=J@wDpzx-fxC-pTLUASL8D&QNAw zGAB>nDnqzJDPtwbCZ30AwBL zVO785UR_%)6NXD_0{8ihA0I!KUw?khe|#+#ruI?dow`IJ!s&bS2B~2XXh5^Wdz&i2 z7lr*YZ*0M}Ec==4jlFs#b)eXIPMU9aw1$G@tQlEO{ys;>O&`a&pK?m|zFCTzJ;JK;gVhAC$2Ia#_Xu zbGxI|?i33gk6~-ph~aI5yM#Uvc3&>jhk<|@FH`Osr^7QzJ%4aWUV-FRq`X}S7M6RL zbiYu|wS?rU7L`e$`QN0^-udUC(B1VRFUnA*v$O4=W7qg@HO@o*rM4m^{;Yw&GL((( z{Dv1Cty3<&2*F4v>lfId|MvOy{ZyhymZ<5%aI0eNpQyRI2banj)l{^QVb7CbEFUDZ z>Bg}%Xe{(`T*&GyY}8CrF-|jOF?>N>EDu>=@K(DQ?C9hYGNaseWqFZYSRZJM*Q37f zpEC^pA4j}PT@nM zyfR<(ho>ZdG{q+1zr^!fy^>phoYkRhD-8VMOS`z-rPfgp?3>8`jZoie`xKHyvI zk>n0j!&V>?#_Yz1Z=YcH>g886m>WA)1HNFFK2QavB2NMlLss<~a%D>Ss9A8k*hc#Y z->zMgOFhcZY=1M@hQ7%E`FIH`4-MrbJa|8Dq9i+i{QzHawx%d!&FCU4?Obt&B}QXG zLyk=XGGi)xm@by=q@|4eAB)suF#rPA+M!_uG77wX7c=84y}t!C#}qV*5(tmc>b<1f zy_Iq2b6AkD1kT#vJ*a_?_C_Sn2RHuA*_ ze$QI!4*Y^0SK~;Y7b;ot!7u{S!cf3oYnwoaz}cR*ej#k|2|c36J&nI7x015D#r(U9dwJM zFe$>zKJ}62Jc6C^aZ{BSA*0c>T=arq|KE@-kIj{rmfO#ts3K`>*C?>vS=sZ0CoHTH znR0@}s+5uLX`tdR*kKFDj`15wVwIJr@op#&=Gu1z+SN&O{Tz3zzW-^%&GNI~OsPh$!4JenG$P;M6`DO&c8;lrU z3nzvW@`)l9jSyRADL*83J^W!uy!k3ED}Yi>H8$_Zeoszo(mEEiZ)qaLb7Y&^MSR%= zOOdhBr~xBQYs>3z5$5sHefkXi3v;8-NzFKl zFBbxxW!;OR3nE0SP9bZlW=Ui>DT)PW%6!3^%S_g2ILegXGxMWYkh+w0ug-=?Lu|3_ z`yWs!y5}duU#T!%Xs6ygoS`z5%Q#j*VgCF=Gs?d5`v3^$6#u0m2^$yhS;F`ORnu8( z7u3f&DcA4UG@jCwZooWV5u(f8O;PuRT4zKV?WL3@*11751ae$x8lOf#k|jWK(M(}S zCwTKPGAH$7_K98u>+`x_G!d7-EoH|*wxr&Jk*u-t2f?XEX?Zpp`B}%EUR|va9!@+^ z-^r?#kIae8T5d(^Q03Xn^EQpPcs~C51<~W=y_In|pT#fwZ#dR@RL8^?67nQFPSegk zxbjD5ooCoD5pPMn>>>0WH* zWJwRDK7Y$nQ|5SKF-a1uD#Q>KCzUcyNX+I%;dP;B80%HEv*C~L-w>|q6z|3MO-l>M zcD!NNSkH_3Sj@^hgh3=vSs*&_ZEEw;TW3IRZAuCHBK-I|mtoebdq<7j1Gs^a!!mp+VT8|uuta|Q` z_rkondTP-)*u$`p?7N)R6XLCwYCs25;@pZHmkb4=QdZkcbq%T=(mYE%Ug>z-%@Qpw znc(_0i6SEosBtZ>6G34{c0`*)T)7Mw5kJ?=o6EKjr72bc~pc?fMeD%Ff@U#pL3xw5&? 
zXV<93IEh-mU=Zty8b|F2zf3v_=hx81zhym5Jpqr@h!HCp<3@r_N5T&uGp&pjSpK%L z|2ghnZJlIOZe<$2bIt_g)2dZ_Z(%$mNgNSINvPcj(5T;HWOq2x_WTq>H_D?YZ`nK9 z7&hppwuhqvx}ZIGtAwPbVzXZ_7kV!l*RNEvWEk21@yQ&wC^p#?_qFgNwg(zhHd`45}v!5J7|MSj*h zO2b!q$h_m7kd{E+0~eZ!PZ$Wovy_%m`@(5^A%5Q9{-@|GBJaNm>7!dIWe4@d3d`m` z9I;LnC3ShZ6oG^KBfr9Zg{Qn}Iqx|7ZIY(@Er2Fkt(?!f5d@J=gh;RbWe9ora<@bE^!Al*NnX zOG!%`!qf^#*2M>|j95_n`SJp4dzs@@2Qb%j`gV?Y#;O^fs>F-K=s{8(CulSJ_TCyE z3N4mLZ{G}?6G_)&4O*l*U_=6a7~iH_5;GKGqm=f5F4wBsF_(DuZ&~}HikM72=Ne`^ zWW^FBs8vfar?P75ah?G$^Zz;XG~Cj7xEU)!dd05?Vbkt?$xQWM?8#n3!lLPa=9ge) zis_=D!x?~=nID1~_1Ja6#5iRta$&T>b_S;OwKF8f`%q%HN&v$hFOUtAG#P?6=bkEs zf1xBldx=Z8Wx~i96Hxj(w`ge`Oc$<3TP^@}N7IY)1N}y#-Dr4^%|M4nbLhl>_*J>E zL7)|qz4g&QxM!}$A$N@* ztn1hKGeOqYkJraIFlUK|v4+Mv-RBIO7m@42u*iBywE8I5Ls7RM5eYLpp69e@c;7`W zC5sd?DDJZt6eOzSb6i|5t;x)iUyNy zQ8nygD|S87kF}2L+^j2_HHU&i-`2aYSBh7s+5|Y+(5&NDi zBr$i`wbeFVKnOA!=xeh{UZ4lD(?`_{GvhjYEPj;~&dD`#d}QS4P@JSLhzetezIzM9 z>N3jN5gw)*mOM7NJ@YO#XoAq95XxE?)^Rp69~E%nEadr}PRO`T`Xu*KdBrg6$&#BZF9 zBgjWjnKnyf6N6)~@=O`sQE~b(6tW~NLPw^)<&Z27d7m0mGvozIOU$aZw+5<$?fGkY zPQJOaz~khN1r0YhdInRAQR2BU#;qOt)#wU4ZEV&+5h7()f%Y6LbHcsFlQahCV2;C) z19bK)*s`{n3H?&!$F6zBq#}v?18NGc6FSKA$8Y985b~v|XogZ^l^Sk;OzQpKeW{N9 zGOQaM#RpGLAqdA%rf9ohJM5rp-06cq_*dnE6CQUgnmC?*{Ubs@{D5{T-Ep*dWPt)= z56$bPgV8HelsmLm7wgCO@mtRGqY4(ccwJx?3QcmQaAP!Kji$`q6lI(vig`#u9oRRp z)=)tWp1bV@Fxmi8K&`)uZxi+*XZYti0U3%PJtf{7s+1N9d)>y#4B1)Dt&I+Ft3e`U zhf19FuG0k-FlyAA6-i2UedXzjPv26huy(A%IS>wBOA~J&lp&y{rL0KqykZfjX4LX_);1=fG5Sjfo!yMN;Bm@4U#1Edcm7`?JloZ%xec~4a%KVBFgZ`6BU*d8St z+CYVR6dIR~vp=4Tp$M@C)aFiA9v@{I-i8e@fhxD5hgtHpFIlhJeohw0*?2o=Mk({! 
zQoD0VSuNf1Dm)I(t|$PqOpt8+7dBwXZ8m?8IL+_@WUh47(AX_I>4P)1ssX12UUfw) z<3YK)7B4yS^DM@)=@3#lls_k8W2Un#u8vU#;vgu%`>>yGy{K3{)`n;7vN&<6Q`^Ug zOP2=37&ju-+}RW*J`Lpn z?Jw@4g=j;svIS&YmO0jpCcB0Ll;TdAgLFy#1yV7OCGa|PAsVt}H=yP2eJMB9VV2(_ zlGra!lgv9f8KkR9Vj!kh-__GCjlxhAdT~}o5YZsU5q9WuU4+uG zJGOI>o0oZb#7LNo|6MST!LN=Z>76p6a`(ZdCNj7c`rn6f81)RqT}TAd70_?@g9vqSkUBT7QEzos;dMf(@zb9v*rLz z@6aN=xt~9;D(}^m0Jvkt>ErY3`?%MZvR;_z1o98cJngvQ&>l#w_?q=^>UQ?6My0`n zVqKt)o>(RiC#JkNJOFkRqIvd!8Q&f6;hKtEi&MVn zY8pxgA|$#{$eX+{JZ8~>QL5%}K^Ryag#r`c7o`N7xDSfU%mN%@Jr!paO=~8S2VuiH zO%7g$A#aW%?wtRDfNTscUMC2w;)LWt7G3n+Tc>5Th$So+sHr8>WZ>xJA*;L<2SK~d z2-wjR&n-ei;k6MoETb=`Gj<12pC8HhwU(YWTw@+gGt}g3cQ)B z)$!sr@8ceHI@z~N6AMqEzuB9MEx+}FMrlP(e~jM|2fd5YFu}kO#B+q&Kko(}8ZcQB zzh7YPy&8(+W8uF#phE_8X*SQ}8{Q<>Mt;&K5}2Y)5aqk(=O>av>_QC>x$t2vYRsF( zhz1T2!PqS-g<|awcKA@L#C6YvP0HBw^X5js6sbNgOczx*sTd4jsNsrmlY+Dg=d(3Z z6{XszV>5=p3VNzkIY&i}Q~vrfmf@o+Z{=n5w7$2$z=^+?$|3WwCb_Gn6fDC{Sza0m zSrbwaKl!c`P;N^bGc0oTfB zs1hyhXi-X>JwY`CDoG16I9$mK(sVzn!!8{^6i4n*z9Fm6WX1#L>i9S49hYK3?U5Fv z7sN@8`)9NZ-XvABx;UteHAMu$?M zzGnAG*hYb0b-U$JSmszWr_7O|R@dU0K%pOJKV6UnldcR47~k?mbIW86(D~VsW41pU z06xs^!dy+ljMPfoTpdNIU9bty)C?RT?X-4Tm|?(oyl>#lt;`SHM#H;wJ^zlzT&tB^G%PqyS#*&p-cs zj)#_fTjh{btw^ zD#;7hb#0{~rq@KTqlg{to`;jllb{Fo`T5rcvgqf}F6@s^o?NdKI5{NAd?xs191MOF z#V!@WlhE46sKDyDq}<@Mm6hV3K%8_T{dEN6;S9z|AnJ;tS~Z*9_%SI(ck&qno|A{g zmxQHdK#Hf#oXht=zoBzT<82zdD85A-D?<(c)S_{)%1b(BzCG$lE<&Qwz?Gi8rGv$| zx>od1sG)H|l;Q_3(3nT!a?O?vlqK@-W)JA>IrUzD6Vr#CjSVmBOqGkfXaH+Vm@XS7 za3TjJ1=u{Ukm6FwLkYRa#X(QApxoc?a7=6|)9dDk_El?bc{GN9%W(=dpRf{_(EucpTvUvzM}Ds!|-_)P>H@o-in#j}Ulai*I%1 zG;V*@qmEt2$8&8HziAw!!+`=t%MRE=ety2-V*dJ3f*`?j>4ox8_kJ`A2juMUEsyu#FRGNkzI}a-$1PzG5@n`SZwX`se`}GH zs+pkK`mDJ|sod2g@Gvw|l2|Ii&TPFv4W4HM=SbZO7dCw|KPa=tLKmcR?sR+(lx|+O z;ZRK0&KH5r%DYf}IjoPJ>Fo*kH|_@wJcIvOGSpBCsGF@Gcyyet?#>zjIURL-T&D z<}nO_3s-D0QtA=36d62OzL*h6Dq4un0 zA$MTcmj9Jq;7qYn*&_x18)S&FzU9HWI!ExaUhyLA3Yc@NlX|R- zA(>}=8Yhv)5Z=i*?wW$ocJ|CQ$J8as#2jwR~`qcAxNJH#E# 
z6uV{faBy8@i4iJQke34U>guv=NAU%*p0qw3<59%Iy!IRvy&bvBEe<=6O~xXKUFMXc zbuh|qk{5|rRJqM)2vW+0o>O%!}(a?C^+bznVZvahi6+@xt#+Xfo*DC)#0WA&!gewh3@r znj@SA8k+e{7Z{VgNEVV0Iuc1p_9_yR=dPB9$27YVOngrVeJIo3k%HZuVz>|2Pei6E zB(Y5GN(B8*fg;xni!rA1wyFZTI-AV(eK>%=DpKkt2mDVT@_J#xsnYU%WEF6&cJsG| zyqGt+XGjg8Vy`?C*mC)pIHDbtC|a_Lmgy!NWu}YW{;Ns)pg_1kS`xF(&<&{@OlaVG zX3N7)YLAOmA*9#FVjTA#1#+g6_%TU_MNwrFTC^A4At}D=F#dGSBb+W$a9NFwKr?9FIRamk$Xb|jGxx#2 z1J1a>@@n^v9vjNy#Fyht-KTpjwA4}aoj~z%{IBcM&~f06;^mUHaiwv0Y?I3O0_f7y z$MFE6mrCL&u{2M;?+(kq(2=h4oBJ^e5?uf^Wqk@;v;!SmvKFKJr>xzq9d4c+snSZl z^?ej4Ey~8ZNZrR3MpdY4Roh%q&n0jwbL#E4@o;@^wPilp=)*-^Wu7VSN#a9uxE+Cd z80<4SenI6~O+4vyd@vn(f#m`Lx11MAlzW{&KC4^d{2_rBF8_Z4#4J^+GG z#{}K5sn&BGIvgWpwldFw#3zWmVqb*=^y&yL${1<1rhuR{lTI{=_xsx<6sam6$#T^P z@`K1+9IfNrBJ5?4#$}CYmFYaoQL^I9`&}*IhNX31U;nxJaSr0Ut-uwwJd2@xlzgL8 zrcmyn=M%VedySHls4zh%x~SyWmdBHpAf&a~06Vy*wsB=eHC61+eq;)7p|kNp+lkX^0aPK zZiSYprDD;PjSc5`mz#r7lcR_kKXRL8uBTZ8j7+KW3dU6-C%qt&^-jX%p(2vARW0ox z&&aewm9D=vyoV{EI#F;6Jsj0pV})Zv6b}g%VwU z`TX|hZECMkC@(aZa&FIU7a8Zd9psMc0i&3pssr1aC4j z$9$$NfsZs0pl&)pI5p0d#$-dwvqZKKsiZBR9+JLIqj#7alX1e^N#h0I_N$3mPpf=T zq_7W+zy|vr4AtXrY|t=^o>*e1F`U`4(%N42P);(zkr74A)VW=>kDc1}W z0b7AELZIp%kgfQ=J|W8G*l=$a@9ZVc5rn)H zk5RSjv69fS!q(mDWAw)YtH-;#==lLp&?MxQVSCy9>pScB>3Tkz*xq z2%=NsYkY=TIue6krH^BGmN3C4^)r5au>1Axn_KE^Lj`vq`B|?;YaGw38aIyAZ%q|H z)PAiRwCZ@n7TUNzm@C!`%4}FR{wM)Tu~L-UCJ4IhP0hDLI&5oFAd7KK=HvB3A9217i@Awdh<8l}7#wcYNo1k&y58 z4_ISqcq^x&Y@<3Z7I}JdtX~=3>1V~1oLWUK0!JU+fWps`tb@?r( z2P`=(D7qq5bhdZ2%lLVyyj}l6RZ2npu8Z8f4oj>S1xjDh z#$o@htuQ{n7Nb}cbf$DvSFqObTRXxYx}~g}LY{`2KE#6EqFCsoTjJBr3{{!`Ry(-) z(Uvm59;QIukg7TNViL^sa%0%sF_ab#0`>7Hu9b7jx?~EW(~pORE`1%54_9oODJ~3J zg+4h5atgX&KSauLk{a~*)VL@QT(g+B?DVJ_H&W1Gj6)JQyrW8EatJ+mf>}jBT*s_e zu1ArByme#LjXhz(Pqc!Pt{gNLr;nrRK(~4vtrzZX5@$GYpt#V5+Q?C&7AZ3v;QaON z+fzu3YskWIBC~phOSM#zi2K%Osdm& zEYt$CaSA678Y4gPa;TKB(w$D3Ub+z)E`5Ig&wrj{RmDDeFv5PEbQDIZ5>Jk1@!h-dJk3{?~pzK|~V2|$m_dlAA+n+Ws|M_b|{(Hq~g5Z)(4Nc8s 
zs@Ft?C-VLy9|sI$Gu}>rSri$?@0~~m!wID?OZ#{jlv}AEp5lVw*)vHjRceET}nDR0&AKZN(uZ8f%*TP?-`W^2(I+Cw|?%=asc zs$=8NnF5au!5-qhqlx2fI4@{V%SDzrUQ2hK{_Ycu*Z)5qxY2tkypj|HwFQjkES%Z0 z_u5B;W42!)Ls>r}kp4&#S4EGSqRlEc>4hL%*gq2IqLF;fB$4y@x=y=-UV{viT8W6J zvMZDrBEzM0=)l;N(-yL2UhIwXuus-%12Z~_vE%8GXu)nHcV{PHsotu-uuSKw)l0mH zou8#zfuOa_wm60dVLzcyRv7B@cuB4X{|5@62HIa7EBE8K85~l-7Sk>!WPy&afwug2 z_I{rQ4WWA@ZD|py;M6pwtk3;aL&Igj;@RthTHKwSEIJPFM?!|qTrY8H48o{91?tSL z1q<68{NoClDx#=?{72y~d7&p>(a z4tnE}+O&2)!x-jLOn?M5E5#g#{u`P$gkRh6ye&G7;YM8QvBMW^p!)8+jMa|1gZm|x z%5cIGOjY!13_vz0^kyju$ZNOSk>ThP9CspcsZhq}NP}uU%2DXgek4L-9LP)bt8Rs} zTug90g-$95W9O$}T@v=vUO3IJu5H3GIZD1!9gohAMDSFf9|oUpnC#d?5Yzuru^yH= z_f{%iqS?6q-o_A~B3W8_A|{b0j>c0dSruYWd;f*YOvPcTgh=JZL8u@sgVXREB0g%S ztt}+VFk#M=#8z5B|2}2iq`T9imvUsar|H9ZrQCJuk~|BT(TdqWHWpY@TCs9z>J_!} zq`G$2GitGIbOkTiDUd@8=`M}LA{o+O8%o$IzpN}$;SF^m9*GMjXp=3^3CifT{4R`! zO(vtEC!Y7jC`ql3lS-^*Y0yi!Ql1)?ndz{U+3Vx=LckPRxJs;=(6g+LY5V+!q;>*Z zja`ftWrns(5OA)1WbvHN<=usu0fwVPZRZI zj6!WjiuHE(hlWMV+g$O&ifh-xwT-LAvPUzw3kjkg)h>6f)eS1`*gR+L(-a4Rp$(d{ z%o=N8oVEJO&#~`el6ArWu#IBR!Q%p*d@={)8|;moG_r^0A(fr)NN(|LXv|?OA9O_Z zZJawk&tV+U3Dxa(y!@e0t*mmS127wYaW)J+ppCW*d!mjG`26rLGI+CQpMZk->Bs$$d7{7EKg9z{ffn*nA;(4`;_%jE_OLbdt_}W&T5vi zIX2nm>&Nk?!ToqyT*bOOQ_I-<^xL9uEthRLL2+3xZ27v;RdQN&$&?(*HjXmx>&Jh< z_F)qQGU(^bd=($t6sSTe!*lXm^r9Sy6sW+I`5_m@nbqnQvRRIl`AlVpF>=A8NNti! 
zv>k2ibwyYD1|NL{su~d5WhO*vY@#%PQ6cFOsdM6l8PTU7T3Ic=exMj4|w>huxl z|I6IFZMTl&TEnl>W8Yglb`EQ$U*#YF1w=v;B9dTuup>YHH$*vEsj3iiYTLuP=&sRS ziH%4kjuUfA^MY-5dRuokU4TA-OQgghJGv-B9p=P7Bn$y$c9;1P*PYSAw z96h9fDU^TIFBJ#ud42xnSGyQ3ru(PIdMj43i`ilbxa>g+qU+QvwuKB&y6e9N&SKyF z*+MUJ0|n~Rl4%Lv9}CXtWkFW5$`=1kEB@q1d6QOk_XnnL|3jU1pg0-1936hyVYPor6^6%1&o4G^aK zG5fteN>P6<{6v0h5_0s;rsG>-7yVG zu_Yz=QcGIA%?}zE8gT(O7N`}`ik4sKO;liW9ltfP>YDb$nuc48x`i~r8PqQYo_G>X zt~RuD?4|y&0$(!kGmdaAV}!1wAdSfkB?K>z0p^r1;R0=~zo4>Bs|Fb^<}gMeCk^&d z$AnVX%3@lmm}D$sU}JW7;s%*Gz}`NJ{8q1Q>I2j5-Bx2HdGRbA$c;u^UV9&^Zel74 zf^^~xgu+NsT}(Y=rFq&pT67nx@(|6tkRlq=1ZKBi`li3YLBXeg-x zg1A9U*30^PcFrUOwvY}21gU*EXb8onSIa~yqC&z(B*oN&lu2Uryi37NP!Z&h9am_Sf$3dJoT!_RPefhE{b zl4u>5YOyauj#40`5jBp3^qk|q4=83R2|%9A7eaec^)^t;EOAapSlQ{(D=6`pwX75z zNh0=SHG1$E;=rjFr$-$oHDHkb+#Y2xXg-eF2yW1_P6I}=qAWz>Y2aKZQuokfH{bH= z^dvwLo0MCx{rud8>Rb`+q~(50?BQ5XaeGXq~EBq|HcThb0G{ z3!qYJ1XGM3VE1}_C{=4=9;zE2vE-!E8<-S2lzfC!QGx?H8J-kjPWFosb^X+-0i2W< zw3IY2+a(G+g`rj^9-F zbrT0x14%1d|~OvIKY7VAvX@Hs87u*qSzgGFG54* zNV-lZy}JjeWpc3qE_TZtTYw%I+T)z8)tegL$3f;%8z@Ps#=#eYNm;Q7R+y3QMb$Tz zV`3XuxOVn(i1PzGgn;6(vu#^ZBNRgNL98Ynqltse$nd@dSM?v3H);UuWysu1j%g7B z7TX8HA^eyPHnu9BX{ItmBk@~O9#b9_IkXZ-WxvRH%ryiChq)Hs%Fcz@2 z*dLk{Sz*<{57~OiGU>ea22!E^lG&7KwBQ<3AK|nZQY?TwayrMfvRtQ_U6Rfqz9~d) z#D?FXz$YcbAQUCC`6v=1`G5ucS;vKpm=cV%GV{0oesfarkqJ98n2m=3ntCZ+uw-Bb z&l}q!EF!()VLnP(A<9&yoxwL{L{4!QNGc+xv@%h#>^Om_Rx{U(!WK@*BL<8@*K;nT z7v(?k?=a+0v-(6KCD>$g5=IV3UQ#{*Sq~OH=uN_vJGR(mNv-hGY78XtjV*lW)wY$( zAzPTF9;y!6gIU{0nA5ImP#)P}gl4Q=DT@h)y>RC&qy>RrZLb|+WLN(N(E3gaJqv%r zc}QW6Z;P(WN}O5=%@epOyMyHSRA5I@RQedvjyPu$bvBrG6m=ssI!B{xV$GkIL_-|J zdGZ8e#^c#%Lvo3n!Zha@@*2+wjjbjBQH7}kaa23-!LaKSw5x7oeGBEK|N0W^7J zwp6mX*D6i&8-#j}cj~_#>(qi49fAmiKXA|m=ss7|RsPuo0Xhw$ylG3WUr`BJbYZHa ztk)pn+!Ff(2qF<|aL-!US}cr+bzZb3`Kz)kr5r|z!*+Ks-3IEZbbCZVo&`6|u0qu4 z2U$JQPAy5-p~r+?Y>Hyw0&v)rnZ4LWP~e(4RFPgSCB@>TSD{NG+qyPfLYc0z?0$$t zrx$Q5J55Si;UfHcqk3pwuqR#Zlec98P@MoC^6{9v^zW9FUwFKda9>UlbBJUM0#}?Wa#aR*J3+(ILsN^(ybcJY# 
zs@f29$(}5S)XVrViwCf7Zj7|0ggR6gA(BD&-_Kq zI}MLk40r}T1d4>NKFE2;aL6i?!@jTQ1l^*MyD~^gSFg zVO%g8RVbW-I8Y}Hs4UtRwM2s8klQSZb4@zVu}$!gCo-wiR-15N3~5XVk}Hfw-d9t% ztZ~bES07-%B0QboEgG2Q>2+XBsQIMUTNN$#eGn@$Lwk&hR)|Cux|k(^*PcnI!UZN= zqAISsFulY#c2R@jYtPMgG=7VCMz^131A;OeeBqLovs9HoA8J4qv1 zZ(#Cd#8tVF;~t}f`oasSm75;th@s5W zn__MgrBX)JHexjOq6Ea=Dz3kq10*$^IR5HwvZTa5nP(4L0<}0_T<7<`&@(ZiLNJ$MSFjS2pyHVQc zMx8gm9)uSOJ!XGei53S#7AcB9v)^?_%7jLUp6VU=Hl+hgdEh>>MW>;8djS=e^czY4a{}i?2_Iu18!;r1${@%ih*2pkJ8qJ##6IENi_8xwSrD|Ix=>?Uf3qQ|g43P>K; zE_;#nBR{muK(-Dko!#t48)>^>{*mQ^o;Dr?uhCjBHKuwnP_$QSVe~^lZbN;@14vUn z6y>X)6F*vzy3-cI9!+%MSC$D9TM_f6u_I$Z+_6$-uAqy=lbB+4{PsuWy!MdZ#A`iH zf!Q`ow6FONDw~>6FHFRhutJe=qQ{q^m`#xYCf9FP8a4qn2|HW`RI3|TpQ0OCA@0qR%dwtd&E`EENJ|6D z6li|R6xXD3Bdf8U?^?ZLwfH^_()R* zS1(QzSgt4MJ%KTNgsw;(a=kP`qc|ii+8MFFeBT@PB4YXZ{XW)5=6)_d#q%;HQM(Xi zq>zQ8)w)tqF4{Vf)4)M4OCcdLpH}jH!ZuWP!}EqO_3Id zB2Ku167xlIqCSq()RU5VMiCOZ{vfaUAF#EY7C~s?;vUEyMd;je8J_EB96FJi*@1tP zMKp#Sp!7WIUs{h5}4$0L_Ovd5iU^xX2zYy$zuh^PqLn?W*qXpWq{gx~lk9KO~H>wvvNy zeolO=bRwN;DPeuQ*ai^YenMj`Hoht+Wq=&IzR-Gl}J>da2BuP-8fm%o1lf!Ce`A0f36 zAW0rC=p<+-jO4h5(Cn%9m%KB&goPfn-b!=KVbe0p3klrv%GBrdis-ePB0}R$u4TC` zjQRdaVmj#uXpeFtmIZQzxjcX@5|D&sLOmV9`Jr#pzTT}1rLoyWO4V$VdM6fcmX8A@ zY1J}EYz@ps>0AAL1nd`pfgm=xCyjU%hop06EI7u(hhD8)TD|cB5@`|B*#>ewr1_YN z!Rt7H>*GMCfUc@*{GZDDdJ`Y}L4y_v9Yqc}KD1|qjnWwCpy#7)kDlahJq9EUkhvJLWrqhi~VLwU5TVLtq> zoiBe7dV1cc&8Zb4Fib-zd~wn458*C{FT}p(AcAEW()Rm6x3iDb@7)0jtV?j{GK_>om8qG>mzU49+t~Na; z4x_+zZK4;W%k$Ridh)U`fTe6(Bi+mZ)OAQvnxwuIvJ@)x+$+aWQBZT8PH^M5BW zFD%L<4d@ckCJr#CC(_`10E-5iDnW;xeBgv)4rF2W*->Z9PMm@jHBDBDy;v>)K!4{n{;psnJXI3!16JFJ5h_Zcw8k{(v~y1O{pRz}p1q(+GG9cEDPmUNsAtdzb7 zFsASXqU+}{RZSQyg}F+Wio4@6r3Y#8?_L*eEv!$Nj|0VlMiIn>N0wLi-hA=<)gl~lhCRnr?;<(cv)&2A8>iS9T-gl(yJ-heWTE&MhboB|)ngo!s5^CF(*=;wiY+9~ zu8#|js;+9M$O6Da7AT)m$ap5yCMrTB2<9W4#EylUA$xHBa;56dr6a=@(^JUPGe}vNEB~s0AGp`H=ivL9zf1vs)v>(0xtVa)kmZt zINFO7nLQi_C#bP>ocILusxQzbR6{`_N)7`o23%wG)^mbos1>*#*VG;+v{_)1Nc-o4 z1(8oqJgvjk#||C11PY8I0cEg2Q-at^d4&Wa$`U{=M0|SCs8~zITH>q*nc&P9phlW+ 
zsF?37lNZ!N?Q=FQI1PfV{#@aU{8n>y(=ANKwOhA&1(#j@Bh-5Y5`-bmoJq4SG#b@@ zsi7&ONR6o2ct~NX_v$7uxUpDorW6E$v`TvL5R=&SYEiMp?BW0;f-Hy~!R7!Im54$f z!60d_Tm1t2LElR#{XRgqvb=smZZEkkcp18gdy&)`6LMX^)57c>1IyT`)^OjG>-VT+ z)}I!^inuWgAr2Od;lt)t*0%2>9J~SfmfEag5PXk;L`o73fvis}c2b%sV0=clG%AQm zny9c7*W~kxoLe_|@l;xFI;yHFy4kT7594c9a1Z@lHFZ_h-oAg?Jxi|(Q#VA(G3N# zUB^X`V@H-(@MDEcamco~q&oXhYY;uTUa|FAMhN;%5q}fUC=4>BjBNi$pRwK$@qE+) z_F`GzQ%p@yX~^w)8$HS(I4^r(ZfPfPBSa~|KT>}f5XIicoaUD1RjL)=V?H2Rkz5~G z8v0;L7zQ-r-~%jb5cJB)Tufy!B_?!(1S zr28(cp#-Mo$%BDWAoVu({_a=P=40)vSS9G>)nwb|c)+$kej1WBiVcUk1`%g~aeH?s zHQMIKvZ#MZ@rsR1gkjs{ec$p=Dq2bipMi#ry{usTEikRsXo0Lce7)RkdN z%?SihA~#D10gh2*m9|`TCfBOK36`mK6KaQ|$2383(hSRKi?l)u+`_b`qIm#gFv&1- z&vT+VwekQp2eK~rti*kkBBK(iENxX6ee6__>jw_v^7;I?`5aUA;t z(lV(Q#>&D*iR2*x_iXYCels3GB29~&M06{gxB3e%6d$K4s+0i08kcPg2Av`hK{h=) zEZw^LU&B6;TW8JhAf~xk2PdZndo+q!ltv}DJCH<`QRrz~8l}JN$eyGZ?Lm#ni*97D zGWSy}*8|zLbd(@w=+b->$)!TPE6S!gjRAr^@m*Ga>TwPn0x?AkQ+=&|;2crt6nuaZ z6o@mN%Nki{aPQ)9U-@%Sk(4$$ZvBkC82~Y1WR*{EC5Nv zqz~xo`(Ya2P7S2`_S~E{w?=FpDR!O7g$uU6h*PljL+z;qwy_gcCwojq8fB96Z#xBi z)$4cKK0Iviq?UyDX4)j)%t?RRaM;8I(}vt84Y5-IhhhhXeX% z4%yZ0YcKL#SrU`CG@z#dX})LMJF&@YB4UvGddrbHVB4`1mq9&D7F`lcJvAVB29kV7 zNy%41YF727O07LX)RBd$de1SEH{eEC`y%i%uBou47C`IfL~J5y^trxp%*qSkWG%O3 z2!g=vwdA|UdRt0kPEif$IVNGn8^(+VRSN7#MPbxC#|Jc6*!;vh83*$R?Vg?oi>>btbfJVhetf~$elL2WFVQA(GuND_r4Pr*x$&y2-MpRd8RFR7*WL2oI#RYrjaf%yU6JG@D4JDZy z$l)6 zWwfkGXa>z5qDW{7JFyNED3SQ6MayjpGT+|-@#w&$vY%UR^3H|Ko?jd^ZFLV^o@ZG! 
zm{tgIKLkw_#3bUH4g)9AUt2!XT((zx&LfX3wDb==mzr^ylb|Zh#^D?FfwM@DHlP}J z5A{3kjt~;5*=N<^9WStl)1rca)eJTss1wPW#_4@lIsVs^2Blu;+`Ul=}SzIRwxlQvldA|Xv2*!Rr(AY(c7vdmFE;4e9*_oiokk6`LJ;9HlSY?9}Y zER-QlogV{^hL3~Lw(u}TnNiopIzzz1+*D)?tA9^S5b#Y1_}~<)fo3;Y`yTKTgiVF4 zNUYw#t#Ovtox`DO!O>rdS(?{iKPBdlylX2${(T1jXb6}@FB2>a+vcv!?Ix1 zoTdkvb?ykBEboz45YB<^?4afC{$B$(vAVV%!0C>S9F$&P<5BXJg}8^()CH8lSeoA^ zL7vd70p7%MlG~|aRX1c4i#)2#6^j-Fr7V?OiHsIF5!&3gMgXaY=U?|?>pVjcJoZSA z$D;36TOx0h%X3mwji}KMcU$3_qAr6TX>{FzD&4)-Wb}bVaCrg)ttgE+fP2ZUm}mub z+L98Ru?})rMw@l`ynej*QtWNnw)v%rwNlx`91O(ImJ39VOzkpn8fz8Vm21iut=QTTJWWxFKcp70<=@`Ba?9Wlt0w=(k466nUz9+wW5l+`-WY)ZSko*P3e&C{X^ zh)zLF8{XK$k|huMgJ(9V1{Rx7X}_{`i7#lqDLZJ@tVribPK4*4gXN4P88cVl)tvl* zX)n>Ja$06|Eg3^S3NeKOI8r4uscXQUa9f}hinMtLY_nLl1}xN*gCOkLV=9FED?3=9 z3fx)@iwb19Wl`HVF*`Do?vuCLV`xcz0 z$l`S4Fdacm_Ky23=GSdfmRuQl2gu#agH#{`%tf`QaPl_lEy#@GJkCsLMbWf~+lp_n)j zM(U+GM1Ww#J$lfjOT$Y5zCnUEtf=h0OX)*f_({qFv_L+BF0oYfZ+G|09xf$GN*WFj z^nsk4U$(%QAHjNq8wXrQ!dvc>cV9XW|9JI)57!z9)ZPxr6*OF(;cDzc`3Ar9=2r7Z zORhh_3fBF=Aq{H@fW;o>lmlB3v_B(+K7f|eA7{B>YpWh=(3*|t84PJthc9#5V;V_3 zI&q4k`ll+g`$98x-)7E1E3H%(u#U6?@s$X^+o8Z zeOIFwRv{K4qFP70&CW^X>ucr!o4H^TqiHGH#Fzy`eQcYP24f%!#|I2KQ6*vmnbj>i zu}Pi4jnu^ISUThg_tJfK+=4(T`6?}ZJ6HjBY)1o;_riPn{kYxzmWFJkP=TmdL{?-d znRDN@09E?ii~in;1zvbz*&VG^3y|AmTjE7GJ6laU4NSY^W^0f2@$7!doAu_WDz4`QOk&P<6{$$CBO7DZZ(@gBk@)XZDFK25v=~gcEO>G;>DNaP??*t%8$Hw_A!st zV7226Q&;x?s$3|DV-)>p;9f?zs`j;ctrEr$Xwk3?e4VT}v=X9wuy~*(;R?#C9H~Hi z6kCzd8R>F$gOktna<>W&UPS#K5Jp*z!1C;#q>~oVQWE31p*G}LXMynnRDKcuJtZ}) z5YrdB3s0^rXH^6Ch#eVmL$F13dkoZ(%%aXAmQ1UzG(Z7W+KVlPPt@FP;Bh&`^>*i; zRgU$(%DyldRsVVwaFFR>3zYE$*sqENK!BFsq`&G==(NT8$h3#GC5_02^x8m6yXaZh zi+^1Pyj6_`%b^Ds6F6CC$fq>tIrWZ~F-5XXTpLE0z;s5|hq9B$(4k68w@GY{7&B>< zW<(J>Oq0fh<%r46Pfp@zjj5G#el=hR(!6xcPJaQ zd$1{hi=DhPlw)GMQ8`4BZ&^((AH`n&a1!;Yk0cxi)FeLOm<(r%oyZ?vDBa#3c2YE; zQ2dnG%cSl^apJ*=lD7d4YpS>drxi&9Z(veUB$46d%K@yyfjp3&|9W{p$w6dCs@{WC z24b|3WI1O;GQC4gkQC>YMel5&$Q{%!XAADFyr!D15HYQ&cjI{f^eFXbAP{JAl^UD^ 
zOCs&ipgR>sOd6DzqeRZ$Xu#I+&8Q29RmlDLH%-+7<=_PZq*zAek$FPQ1$iCyR1Q6d>lr zlgPj{iO7z&e{gSkmmj6#?1ek-A=a;P08cu~Tt%bfgF)TnAQF4ALrYljcsq89U8&tkH!W82;_)?uUg1?ft$tVMx)Z$;xIyZJg&gO~ zV1?Z9Ljy|4zKgb*Y9k68n=u8BGKOwxvdaogOCv0{5^)SBB~CGltp6TMK2l}M>z^JZ zD1-;YU=p83bt0}MryO8Y?yV97OPbV)7Dq@oRupBHWf)9>l(1OX8xRqohV}*6o97BZ z__klaex%2!(}R6o$Qc%<8dShQVv=mNa8{P@9W+F z!4BfVQ_Ln5Jr;rIk3BmO%Nq+lDXCCDU|Wd!WIDV7cx2bNSz`1Fs5K?K!e2N$tbo&s z?t22)V<>>ns^~2ClJV~Q9k8gr%09j^N@5zVlZ^9os1 z+(8JCNGdC>eg6F*QHeOPxp7z*6ooL3)5&4VY4Hnz8ql3|4g^t%7!!@cx(gUJpq1gs zT|(zM&VHe~3=z3Yg+rk_&^>|yS%Vz>2-=FX$AOX;Ihz!_eomhR%xg=o$7L0&+F**K z%#n$k01+Gt@|-X9LPcVuN=pq6R&=sjpf?E1M9KOGp~J0OFa62bit-4(%LeM(3_b19 zVqBrKElqaLaiMz@!mEKe6s@tA>X~}aZ=Q5y=YFMGw zTjVZz5NCcC!V3t4%CV06m~xMu_y%tp9vbHSEW1(#~GW*o4%|_-Sdeu`eO0~eaUwFs` z9&2jB2x7QsElSvI2QPc6+A6tbK^Zns8@mMrW7je#pthm9E{MT)vpn?83RO<24_5@; z1ENELTlXc$lm_fU1WlZfG1Z%88J)ypREU{hGp*c=J%;Ik#&qJMN*7>{a$}qii8~Hr z+sn|L#w8iQ*c;xn40>+!@XlFYXScF4dQ}8U&5^@{7u8<7gWPp65ayg-pxLz9$y~i& ze425o(CZBrg{&G?o5X24k_Yp6C*4rk6F4O{%h4^9+Ik{Ylp(?jomKR6b(7?!xE78O z>S(c&5GU$`vEs(m1f z9VnE(;lQaceahP3GHm<$;g18jegJx*{3cUDEJ^}}gsS>gmK=)uDtpHVf!3XpVk-;Z zX}2bO*Evx2c2&0YB0Wy_5><3pCM;sm>tA{*eSN&phbBiuZ9&MLqAtN!LddK4g!J5S`?_wB3>+# zjUCAxZ)r{+N^x!nu~FcDWa4fWH(2wNNM6ufuW9r zBM>URMDjin1#k(B4Dl{1QFUT|v+;owDrqCtatjH?_0N4ih5>H1Ui($a#t}hXzer$VuUyl}>p(DjO4)re5 z?%r|-G9Ol8AGnhRvI7{+8ZExjGKQ{))wg8g`mhgiG;(96Ye{Ge#gsL%hC$3a9GEGQ zisWLUGM9B`QxKGjVs4{12;xfO_F=ngLVe7O4ikz#e&AF@-o?)FfYxEE55d%cF+wW_ z{xr-5qM83AmgQtp0AUyW9SWre@JaT@S&6;d0gaD?%-TP3PPs*!O``WyQrzii4LHSd z2xP^jLQ*4!1YUp{9l)4{C))Chcyhs#nFerrvLeDoF}agmm(+X=JipL{L3nt_X?nUB zV(y%L7q_zNx+Z9)13K}-uOS`tjybhp%>9!@NYlT0KFpcE9vL=;Ks2T)_7POrJg=P*1{xud)#A~G)x165kU-NcG-!>6uQq$g_9ks5K859i%t!NKvC!~ z6}a_Au`B&CSz!ue0+(=4A!S&RW^?;G`?fW))lD4g)Z=q)+A}J4Wrs=k=TRo7m8r1JS=n!_1e$z9z4e(K|Ny4)uYKP zL|t?Jw223TRA;>aca$?KOPUsy+d4lEFN(TCTMCp4sCkX=e8M=0LxXnV{S?0HZu@qW z@{1`u(lRp2kjrn1T}Qn{Qi>MGh#r#^ULDxTn_m2*_9zol4G;%f84<p39A9429E(-)}+EsRME<-ruwS&M(paGgi6>s z6j`(l9S5raSzB^y5DCOW$x~wj#k80f=v|a1<;o 
zZo-cpCZ`9m11A*Q*u8=M=%^RKG8!F?bzk-hF@YNEX<}mEpGKnfPOUCwZG6orCcZI2 zc*pHDZEZJDfn6tUjRU9o<_gUYKWbS@K5&eqfQguT_JK8uB#zmyMBp|X3xdDg-EU6M zH@20ZK|hz6_30`MEHC+?<>o+R4JB*gq_|U^HhmH*?W@#a1Ej=OmZeGvYDh}DBS%af zy=_jQ!g`D!z-ctGHIPJBQq-n$xAA6>B3?Pc|xZ|n!y2s7FVZEk=BXB`4lqB z%Ei&=;0sVz=Nh7Vh8rv>V!1q%KwaxH^Ynk8V$n8>rn{=P^i&*c}WIK+4Gt z#1v7n6Xet$?jH2ekP>vVWevUg_7wU-X(NJ+ZZU+}3%1qK$TVQE80(j{yu+$HFSUOQ zZsY=y09o7zlO;hwe54dnpjmIhk!3CUjnWr!rKeY|0?5S#D|oCp?>A@E zO-fm46jZ4d#4-2~h5flmEd~O&dhieAMk$>!1NFR5vSKU-hyn|^N4*)@laXM?r3Md0 zvq`L*Qr5f>ebqCGJiA^RA&8jJ5fiil1S*p~#zey31tHE6<%?zzh5!EJmvTf1Eu{cq zijLxci@W^CkNxdu{=fgf{6y(XmFM&4g9nZY3_-;B*KY$)o0y=VbNC(;flCYh^MC)N zw@=g`UY{P`9&x*E{(S5|jwyKh$1m^P{cg1IJWTxDNx$57o32nYVKZRhF`qU<=g$a( zy6fWe{j>Lz_!%5DG-m$(;2PrD_{U%StbhHQ`sw#C>35g@a`hqH-}}zC9`a!Kdi`_$ z`5X>(w?AZKlY4%aeqVRZ=@%FK;Wtr!)UWAoxR-vfNB*bL`LTP=2TLrTzv9=(_Q4+>0DiUWU-AA%C$l~J`1}hW z?VI>pWtM$-fc54ryx_W9}lZX8~Aui}TGpEILP z*!}f_><$m=!9BlF|2FN;`GAuM#9uz-*EqF`M`!PurO${Mite`NKFa z>1;l*_3v+m4lmts7?0hU#Z$1T|IAnA{VzCO&~uJt!kBU}|NYO9lK=1j{;%j>{@2qd zy0@kL4xs<;dgtog0=fVG2kv%_+9(}I=Qc$t^Ph3UB?fu>5Er?+szDQ(0 zef#e2q1in=HQQgmn(f`wZA^G82PS51m<$YC`FhnpIo8mJ&3<1Jd4XnTV&fWc8v)f+7Y5X4yy1Rlo zz2XX3;cuSnp?P|2?k|5%&NATrjqDzp`^%q^F}ue8z54s&+wbn0?cL>Xthop{&atNON^bsf4S8A&oFkg@1O6(Q*+lmT|ST-KY(Xb_8Y_( z@o^}ho9E}tn~}Dgdmm4SVgq_n5IDQ*-*FqCEP=YQf(uc`TOvy8L1Jo+b0Sy`NKn-S+a1-BZ)H z>PuMNKXQQWRs6=;7Mu?16%v5&nsE6{==|64&^$dgPnYj8d1^4fH?>QSd`4EdYj#(; z9UY!;$*0_K`*0O&$m;gXk^5Jk>)|TL)5gBZxNV>*?e~E!ezDQ`Rj7Hqzea}YsR@|K zf%y___(fZEcX#<()>B!HY`+u}`YP{uyvn^P+zTFJY#_74GfT?HW_y2y=NO=34t2jx4940SYHT?%y%LwXVnIPsZ7H6qkB8zm3b^+Ov)L2)Vnf7;$%2O@G%s zT)te*sjT~NYC^>Sm@3_0A@BL75qHgfbNOJl-#9pHsP(BRxcs9y+lu#Oe7C!NL_OPx zk1qWcYUw?UUv5eN?PA>jZg$P@i${$1{Auf{HGBDrq-|06xbvHW@o0$CY1?J(lKiE^ zaQP-ni)lU{3SA0d-Vch#zpt5nSv74hpBgXr9O8Lh?9#5?-d*LXEMSV*AS8AXRSsBR zQ2L^}pA+PZd$tzSfKh*?we&?}Y};JEaomyvr|_Se;h(?%;l7!3j=Sdh;xYF9`?F9g zEzzx1khl2ykK*L=G5+-RbB%Idnz6fh-rG_<1Q>F&h!@S5RrVK;yJolBHQU{Dv%7eZ 
zZL{m;Nz*5Hb@}0|`rfqSGic%W#h-<0EckA15_>ut+h+TG`NskCQ8=gZ^)V8EY_`8I zen!7#$9z|>QlKgDl)!9;uXeb;IHB`DFK&Z&n=x@jX!fq}!Qxj-8DCA5E+0C+ZOdoR zarw8ST~pBI7^>>cU)XYg*KBte_v^DU9cm1a@Z7@XG#kErhh;Wq0VfX#hFo7ZjKA8m z`Ntr1*Ia(MQb-Nl*o7}Qvc70cUI7_5+fcf2-)ang%G@vCD=j8vk3r#=3ff<_Jht~2 z&&Osn4g(w9Xzn*JoP+z4pzWV;js&(d##8&I@)|$y5HFNuM0>_Wttm0A1=hsIL}nzW^Tpx_Fs)rU9oW^7aZqaMd*} zI}HK%|0FT0B#w`le-Q(O)Z&+mvtQyUFYn_AI1h#XISfBu#f%(U_)-(`OV|E%jWL)q z5F@EZ+Xk#Rgihh+b*1S4OOyZdPiD4a&XLv!m7ko()8%uM^X>R^ZLjcxIP1pK+r!Ez z?3AY6H+_+! znTPnx&A7F%yx(4FDE_^E%;kAozMEP<-|R7bIuBPs!TpQa`4fta$D0Q5rD=S-0RHK1 zTmhf?FZ|Ty*8%@UetQL^*|$B_?OL{fY`DV4$oH$?+hvx29>fhhQ|}{{9}qlmJbYg6 z=Iy~Tw`>ainKRxF7xG@|+|Y!Nw$u&#_kUVrx9^<)fLiNz9pjJ0`sOvx^X?jC<^RG_ z-~LkE5R>x9hTFxfcPz&3F^t>Y?Myg5h20glIlucNo^R)*-=D${Kv7;{Q}WwG-kV*@ z&nWMo0EoF^E9xBza!c=YLYm*)JKYY5^5LR?-|RGg&Rj0ftMmOkal=v8M~Qh`)c*;} zdix}Dd&8*x$4B10%)MFO@Rw2d4`{^Q(uj9Qd3Rel&Qev}K4{)gp1o9 zh|k&N?EqSTLDb&NRecH?KLM+D(>1MA0KZ`}^=`urS5ZD5!;ROg7fA09z;NDjXYQj5 z^8>~=KcHQIJB-*LH~AAFAh+90`m|7c^Hl1l)&J=!+|WUt66@PxKR&tX8`5B$T;vUR zKi*%&&7Z;c@~WBt3N-l>T4J}$UOqpH+szIB0wDbXHRlbD_%lel`S#@fwz<4;z`xom zzIo`pA$arsJly^vTtPySv+S7Tu0n?Js1UKOlqI-Lzl4Am(n~s=XnN z*5~c+n_r6?PP5)Qa(=){){hwK{eV&T&GM(u1GO6li}!BSHN*+N>7Q;lOZvR#{}U#x z*U)PE?t!@d+QUz%wtog$@azsogM_{4nBnIn1As^%LU7?P!}m zVdZXj9^N--e?ri_yP2E(%h=!t3{bYWgPMQ38b5&1{C2d>f8i7V3Dh*VBX9n*!Fls` z`P1#8i#Mb@crUcJKL8B#6Gpt-8!n0cxtKp-$Ni=Vj8n7v2e4=Vgo5*ildM0_;fBfm zpDO33tOqAYdGk^G^L12yzxg1pAiV$W^Kd%=$RCK-tr>crA8)yn^f5sB8GBJb0J3+( z#pd_W{R48jyPq&a`3WfV8!}FQB9*&oowp!@ZolY$LzLV{rFR7#`fqP;-rhm|1fbrJ zST4U|&HHJd^#eBCZ%2~+Y0Lfxgsh)IJ9$Hx`^PHn52*cb=&V0^h?_Ht?QSc`#oy9i!rajbghJ%Zt|j z#ci<)d@B?B!Q*-)x`eM{otDhi_Q$Fh}oO zo3Oiz1=)k^&q-eHn%xzgQ4WDHh{te=4!dhCwx9F$@7codYZwqr6L$7)+mM2$w>`j= z8$FThTM9a^AB(4w-e10N{(m-XX%k((VHeEq|6tjB{<&?g!0i+G;5@>3USPWla^^e} zc6SfW?%`=pJg>rFdY%=h9OF6)6)`$IG;wllxS!6uN0)ycIVQFk8jA`vpJT;!gaN*5 z$M2H)-PDZ7U9;QmPUDY@KM@THHXSx#;mB?^9WPbd71Y1KX-4rIyKBgh&xR;;DS&BU zca$yJ-90wD$L;)Hn(gIRjJ{>d$5VN{0&-ld*r%~MIBFEHB?(X0VQSZCxnYkE9GEGl 
zmH76aD_wp%qR}O8bKD#V&B&fj9HH@MJ#D=LC-V1=`5f~u50%vD4NncFo}4-_1-T0U z>38gSFY&jR&+9erH*koX^Dof$ce7jg^)H^6{VQWmkLL0fm&SdQ4wTf;r2TsMyT5B5 zE}oZY+@s5QMizf}mAdP^@1Kvv!$Wg_1?>rqds4XRDA)r8YPkxp^l7Q%M9L~?BjJV@_~nD02=e`-iXh5 zRllyFG_FaZH;_6GD-YyT7xVH0*XNsY>R~-yL7nn^BR;yRR|vn~c@n2?&gI3f&bQ)E z2L0Xu5oO?VMFN*Ts|I?eSY@5a!fy*>2q@hU+OoiZOUB4MGPetpA%s2 zuCc?e&7YRQYTfxbCjgg6i2lWfJg)Xf?yj-c@Y#qn1|(M~sH{Dwba^QAk;@AZEnk0z z>%Kf{ef6tPfA{tpTfv%*AINPw-1vY#us*Lx_NQvv{=R%z{V?h*W48Cr?&0}51r#5g zVbHNr+BFFc23nbAKR-9W%N4mioBqGB=Fi!=Lh15-bC&kq_8NQLsC#TQm0H(gP*@Nt zO$39n<8THRWO1&S54xAJ>>3K0IIOe=PQmxCxjZ@rEs)u0pWCwy++Mx_#kbUe_nYMkodc?QxW>IX?&)Z#Te-P^Ot^gJ+JQTQ_y9gN(XOCDw*LKp zx@MQBlkHkM_`sWZX20xH2k+u3)VFPUA01u3QPp9i;pjFoLBEc^T$1T4urPhYj1SlO z@Z4N}z2@H-@_64|Ug)Kx4ir0wDm5JXv#Q-I^s72D7#j~0JH&AI82k#}<9miIuz)L= zVM;fKo1QJVWKec!5BJUPuH2c6N0e_`vJCO=uP~4345@MDjeNeemlq`N40-4SoYCc8 zxD77vHqNu)Pk6t4qSXbYen@9_hL(om-8F~>zh}rt?s@s9Ko>9$8sixi<}ysZ{J}iW zf=_PZ@|?WicnZtj?8VEb?u=>nL-X`_1-_3S47^PzV8L04i_7<5da$@BbMEkKdwE)< z9$i8;1U9DQaMm>8!&=3 zXZxirmc}U`Ve<+^+21ncFW|<@6QK5nTQG_e9nr}-_j|~={1EgTMtpSnF3)hdSV2zb zm;%9y?>dF>ZL_=l7Voz$d3tEJmsgzV6TQQJXgqae&x8_Qe!=_O#(b_+FAsw)=443U zGU*R;`#O*3yY{??o6B!?_L=lrXXVu2xjfVO8DIV}#<+a3Jb)XS$Mp$uDT;Q@_VNPj z=b7+1vRocXGLVA=M;PJZ>AXjAe+50vf&B)&X$GVN=vC~(Y{&gI77M>)$0xwi89L7T>bW^E5x()FaKygUw)mEv@aRxJEpfY zw6=i%r&_-}w1c#7ELl_#(3^SvuXxAhUH-b9 ztZ?vMn?459m#<>}wN0P!ine%}YpibCR?!)-!1oo1%Oh52 zThfqi+YH%cIun3DUyzHpFAVqOnh_Grg*&a(A9K}wd8PWn1e}B-sJ&0reCHGcDX@qt`Xd5F|DZ1b$Z01)dY{8v@e2?UJF`)eZq6v}x zNDe~+Q9?ki40;R*UN*$1k-y3K44gHBF&vH_4`|mUx+}}9l;K;&sDc2EUkMEB4rqQE zKr)DB&zj?GMBm3wZ%btwYb%nmz_5Lu9m=_CP`f_yn>Kb*s?n2pc=j81LNa|PwB@o@ z^fo^Ms8wGg+RL59F3rE0(%SMK#o4EC_x$xr`nRVWmEl6Q6}H9sW+R9SuU1$W#0BqX z>&q@EgCV5VJLkRo{LRH|@CMPH{PW<}!Toro{QOIPu^Y;dZ&p+D%eqhitb!H!BSx%I z5@wnwam+8f&~`ei0H!MKmzb9?&$>esJw_nxaE#Y}{#iwP54JPO_4Vn&vK%Xe~*%We&K2!8J1nC2`upvd2xvE?8?nCj0g2>u#?B|*%OKnC|GCNImtEkEIPgl27&FzYZy-zA5U z8#YdUR>vP)ZH8=giqZOUYiaXp|vF)~^jD*0#1wo;~m*q|9o=b{To z5pPPXgk#GhvXEb}et=X~`WaY@@uwwqBIhwg`xK@Z 
zhOX`w(~iSEE>WEFQ)-^Uv$;|7*P+hR;BTm&o|F_ip4N5{fxxTB{%m6bV| zzna^JW&2s@--@*c1xSgNeds+iZi>I;7dRmP{-UkQ^80j-*{@e|${*}aA4NoC!DA@F zTnO^&i}W7D-Ln_Yx^I;KvwZ@~Ja5e}X=NQ6S%u{>pM@2p|2B90X0#8j)9isY*jd` z3~`>pavFx8Z_!Jrtb>}+-sO=s+X-aRSIZxztOl=w(2X*IDz$dvuub2GWHEfq&mni# zN6MARPuqq1Y ztvwUI?PYqJU#0LlK$`~0kNjDPw^b)&v6@Cf)DS{){JmI4y=8CkK8f0jQAd3#kA z`alnf-|~k1^{wkli9QCQl|&OT2&imH_}t!ET&tdfvuxew$MXpyIAxs2R)MqO;ga(9 z=;Rl$`Ghl^tCY^%tnkYqJ@{$MjzIPvJ2CkgMW60&J0Ty;i~8*0BwiQ_&Cfw}5K7tF zE~ImZMG7-}?jaui{|fd;+HtS9P>9|$PhM0UHLIc>nmmIP=Hf=CsWz4 zJde)y>5?@9R618W<|hRZ5v*d0`SsR_5Vi){Cx-8X3Sy!`=NA$7s)a;^SR{Df|HiM+ zO}YG=m$bk7cujKrddjrpo5~Kuqo-Jqzp`XYfqXknD|HOzb$BU2O4R5fqNqC1A%eV6 zr69L6w*0if0Bz_@E!#BvcC7kevfmQ()>Q42Yf|%;O#V7(2Z+Ug;CRUYEKqhH1+~UN}qGI34oGb~M5IAi!Cz?Uxv=I+8iwK^*hz4DN)o>Zs*kv)Kt{+abuGeg`yB z8Pt1@%(9D`e-0ARn);*LquM#?lQ2N>S0!<5l+yQvzuECHoSmmY&6BGi4ByqWfJSNa z{M*!_mQy2_kT4BQ*kAdBu+mrbSl3BG)0vB#|D@0$Oo5K)c2*ICkl<++O|!C3{xA7* zuh6vMFGEYNEpap+qxa+(lDKCvjfrjkEJoW{s1|7atkWBVJ9lWo$KY%f=CP#A+z85l zV5tb^etG_I+FBbMfzCQ1&jLFE>RKdqw3l;{-%T>KU&Sy#+~Ku0BnSBg7kemsZQn*o z;QXJ9Z80{=)ThHy+&`uj3}O*Xdo ztIF0zZ4|02NFw=7piMZ{v10(i1(ZImqa&o%P`2_CXVRa(ArX^OqQ00e)b%M z3}MR781!F<84KN=VBTzC2p2;erBND8McV>nF;?1vV!rknE|md=R;35ordLCUnSOq! zo&m(oNhd<10;g)`^AFnAB?m3kG%$~AG zt1k+T=rhv_oeiqbQ;8W+eqL>~Z3j`fb9J_M6xJj5uHG1&CP`{zYf75`Y3xv6du7Ny zc8Hsue&qlC&OoiG{_C6OVg7@#3(59OGL%YPpZQ38MIUYF71dnv^oybYaTTGlw^Ta% zBC=myR}`&~)|^Fm6P1;=wSqdNdHuzp4sbm^r>ZqDXzW}S-hy!5pw|Ea zT!mNBVx>wTbw7S(|A4MqU9kwN?X-kI5uIDj6SDWq`XcHKtwtcd%XJ*B?|5v;KUn(f$P&)@W*A($y?@A=Q> z?IsRCMJT^S7tj|oS3@XoOB=x@yn)wDAU~b5#|EV=TJVu-t#sshMC)>0QQ`F{uu0JR zXR(O<+7$zwszle=NI1D8O@qOscn^++-I?FWaD;IMBe4Pl`W}^pl>F=3;myzSd{v*e#-FFNRbyYUxNuJ0$!g!?K zw=xuYqSz#c{{X>!9NzO^{Tl!T?%fN+e0_zmdadJw?(#AMVyNqSC{Bse_hqlNDJsY! 
zS;zBGhI;!EMd#b-F#kIJ0HUi@sqta7S~w{A1&65+7FG2lPn4J;q^g#UtsC#_czlsA z-mm$UW_F-hEbw`*@&&}>Y1Dd=@xGErSIAa!CjWeHivj~F-^<@^pki2?V!UVbk*W9h zxXBtZ9^I-7!;-05BS4rwj+gv8VIu->J(Q&)IM)pw?EH-NJuueq4L}M@nOgC>Qm$hSl#>GA;>)r=X;&%rP z8cek7{BPZfXHU@#J>r*mvSaOE8()M^j~5G8!T2WYLpBxEVqAxM4=p=U9D)0X&u zgKA?)n_m|1Sx{Tml>EC911f2ULHNT;YYT(tk}7f7-SIXpH8Cu$=iiziP$&aNq6i5R zKz||dq|>FrD17%w>UBA%`Int(2v$dn{Ch(K0&6d!0gsQ_81vkp=VmT#2)=9E`^N{V zQ+QySeUNd?T{4EnwgHE03uWSCk+#|HCcn|#0AcJ)r4teo zbR~QjbZ41y9o(SMbPKYRLayE5;WqupUD$WWdlBz)>6#F`=FkG3x7n> zdD+MLI@1VI>O~(wNbt3W5FYkXW=#~Hmg`e+#tlH0 zYIQfBHS7P$1PH-vWiAyAX&b4z!E!xHV^kt%T$I>(j&2&jlC-j1MFarj@nl$38Ghe- zSF{K_Z=%%*mgihp?Gw3L5`;5k5x z)+$f;X8;r;)XLO*K+RgTJlA&*YFHiI`It^zLm>It*{J9e#)o$_&CgZxXX&w_b-;R>@> zVrc`UY~&{c5T5Ush+!M&c{=S>B%77Pcb+qHOWGFCZ-ggLOaK1T17p}TyxjzvYE+-^ zO7+>Pcps8iI3;JPE9Wl1j`IktCd`E9Aw16zgoa_WR?Y?E!`{XCnrOOhgYP`kYuSTk zEdY7AZ%?7&a6lWtbj1xrEKWk63v5fQ9%m+tC=<`4`9j%69DEYN6~T6~DNa;Vu5ZE( zJiLTI12{Wnop@g5A7NWI=6E9ZAHLX4FN7x*-2%j}kZ7U@{mj|>!66!w2jZGA@{BtE z6yatI{NM2ecb>v^P?X;w>d(<_-|oL5`0WR{$vFNE0k8`N!p7c;691;X-27(zBRHq6 zM-eVc>tXzZzE4|ejT#=F${8dU4(^3J(*rP5my?WTQBKY8ZaCmjrh*&XZ`SJsUuE-x z@+GUAGRtJVwz>+=#uh6@h$6#l;rVD>LwX(?HGQ5Gt@enf z80;*aM}wUYjdDUJtm($}9-gDJAJOJ1@l5yXdl4dd)XESv?%%{guq6Bae~48fZQG)k zNMxDhmsRhvsKO&uiR1f?PRzr@SJE2vDnP&(HSX}qKD>)#etFTSFm2q!d76x>@r|Zu z3OtK@6c8I}VkQtR)L28r8{DaMKcIG1~(JRv0#vzBcoVYH9TTj%En3DO~^+RwS|Dn^C)O2=0fYl^O@2>Oe!xgfA>+$ zEfJpB`SB4N+lAEn_d;)C5(*%~SOgh)GUp5E*m=Ts!&_ff@jy_Gv1bo$;!(_-kUV{| ziv?jl%~g+SN%_)AtI}fo<8k2OArc`>{dNZ7=K+I<&?sYD>s4WHB$pos+ua_E##%{f zjX{~x6`5qhezD}@yKsy;T}(if!BUcx+lT1~&s(u|t!WLZqd2~@#0za}XG7fK7sr!m z>3BkHxG3%6J)30hc*V3hQz5zZ+|yWx}NNj_WjvH=r8 zO52$jtnQ++hR|+*A2t$L;(L2AKAyoWkJ}XQ~^? 
zIM&67(}5*)?LjhLcs%+Xwz`ai7n%gc>o2Zus6C(2cdiJrrp_#RZeFWpkKt0l?Xe~2 zLa^s?OX;Eb3jMiDklepBu6Te%5X#g-g7+%rmpb=5coGr&J4C2ceTG&1ndR#xf!NY= zSgw5sUm;qLqI)DOv37oV=QK@2k7gt& zikpf}*;SQ70yX)^sm}*^nh~xWM*I#`MbOG#)J<95+b2->ndb>Vk6sNO$Ckmw@_IZ< zYp$rRR54ZcE;&6@>gdmx;L~=?to<4)hUt@GiEv(-3Tp^SGo9_};3>e#P-gKfp1hR| zW6A?~!oIii0;T;*5vRs(1W(~h!mwrJFc_6lVay|2o;^$-?_GE9$SE_E4i5>&CTHeh zHTZj3+JqtLI{ILF5CPiInL4!Kqf9Eg%-wDtC@4FR1SR1q<9InR7})OxGBssbS`Y!X zMnA2st$t6BG?6w-O+Q#NkI+~j<5g&NP1-&k#PN;iq^KG+`jl1q7)6-29cUPqMRFzx z2DDHQ%KoXo<)Lf`Tj7^&?>9(tP1kMIzl&r;9Aqi#g7eB;bfPu3=ut4)7xuaEz1A3t zL28b+lJm;*Kz2ZxX&?;N=sS_DewQpI(*lJ~(dNmGi9n_(!o$cWVpxsYd0t6?QRIli z7~{F^C#g!1=pU0Gwquw#RxGi>Agw2ullN65Ptg)0_~`K>DpjjkLpw|$sMigT#$JeZ zTG?*l$eeh1r=fG`CvoY=%+s}w;VJaVNH)DfrXWv#CX1>LkNWIz$E?iYjvB4LDhtCx8cVj!U5bmOZ#51{xHTvV}g?2SE zX`041s5VUq7;4U+EOl@69ky5np$Psy2f=a^#+!<=dC1^d!pK4J)c>7PpW2fB?s)DS zB8btvfJdN-0%4tJvZSn?QSn~Fu=e`+SgtxoEPaTp^0hJpf5@Ja*8S@iArDFAYIT>| zx;Vawm%%%f<;74CtPD362shNywixU=-XN8~Z?{W%X5GIppi&mp8-HCE666m-TIXC< z<+DGDFVTiZL4pvn^iK0<$X_ZZa;!CU=U*^L|N1u<^6ZcQ{&p6PH5DXJ;v6p-3b(uM zyz}-0WekN&amQw_r2L(ieK@88ZT@ACdj}>oDW2HI2tE5{{u?0}5-XZvknkH#h+TE3 zd-G?HjK4eYbmH}I8<9C;^A)tJAX@*=xBtuIa2zAVF8uR<{=6RY>!uEM5JGIc?drxs sjOb1H=U@N%U(3HgduyUHbucRY^RNH@pa1yZ00030|MmXPh+Pc`01p?o2><{9 From 04754c7b47aeca5439e5308e6dd6de885aa20c05 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Mon, 25 May 2026 22:11:51 -0600 Subject: [PATCH 16/21] kindling/fronted: fetch + embed from getlantern/domainfront getlantern/fronted is deprecated; the kindling path uses getlantern/domainfront for the fronted config now. Both: - flip configURL from the fronted repo's raw to the domainfront repo's raw fronted.yaml.gz - resync the embedded fallback from domainfront's main, which includes the new in-country-validated Akamai SNIs (Keith, Psiphon ops, 2026-05-24) Smoke test against the deployed meek server continues to pass.
---
 kindling/fronted/fronted.go | 2 +-
 kindling/fronted/fronted.yaml.gz | Bin 67179 -> 67185 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/kindling/fronted/fronted.go b/kindling/fronted/fronted.go
index 8ec5873e..d88f0ea6 100644
--- a/kindling/fronted/fronted.go
+++ b/kindling/fronted/fronted.go
@@ -24,7 +24,7 @@ import (
 const (
 tracerName = "github.com/getlantern/radiance/kindling/fronted"
- configURL = "https://raw.githubusercontent.com/getlantern/fronted/refs/heads/main/fronted.yaml.gz"
+ configURL = "https://raw.githubusercontent.com/getlantern/domainfront/refs/heads/main/fronted.yaml.gz"
 initialFetchTime = 30 * time.Second
 // configCacheName holds the last successfully fetched config so the next
 // startup can bootstrap when configURL is unreachable.
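Review bot: The new `configURL` still points at a mutable branch head (`refs/heads/main`) on raw.githubusercontent.com, and nothing in this hunk shows the downloaded `fronted.yaml.gz` being authenticated before it is used. The comment on `configCacheName` two lines below says the last successfully fetched config is kept for later startups, so a bad or tampered file served from the new repository would presumably outlive a single run. If the fetch path, which is outside this hunk, does not already verify a signature or a pinned digest, that check belongs there; either way I would record the trust assumption next to the constant, e.g. `// configURL tracks the domainfront main branch; the payload must be authenticated before it is parsed or cached.` The `const (` block continues past the end of the hunk.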
diff --git a/kindling/fronted/fronted.yaml.gz b/kindling/fronted/fronted.yaml.gz index 5100ab38fed4c1d7547d4af7c78cd758fff4233f..dd02c1e4e7ba97289ba520429d3d15623a9adc20 100644 GIT binary patch delta 67166 zcmV(#K;*ycj0EwF1b-ik2mk;800003%)MEY+&Gpl_&&cP?Y_zs;ro(i^AM|IQA8*< zDWtJ^07*CrZlH5R>`Pp-Fyoa7hJKQF&OKYzK(@4mm6SKl7a24BvG z?^hSj!Xz+r#8R{rO|L|F`_urAd{PXT!{!f?fm@a51g~BO?-BnI_Z=BJdU1{_1p7fEYCM`Y`i|$H`nE_hy6m!r`hf8!u&KV zSHturoPWIj5cxReQ_HojpTB0_sk|LU{QLd)?B#m03YY1*F|!`mW>CIQzn-r1{X)0b zXJ3q)_}Tt?AADk`$;&qQ_I_#KjPLJnp1!-2Ed3FEdUwKyJ0tUN9Bxbk_uV|poq#zn zKiJ{czCUGdKE0W~K9;8gZs%V=2B~#(HXKfDZ+|(RU;X$oo0}8!W8vO?x&P{1eu_yKMwYnuG~)Ae}rWp#TwEpBd? zKTn@8&QBE$U)fjrr>EjM*e~STubFWd->&V!#aVuJcE%nr9xE6cVzTzK`BtZTnF? zJjK~hna$#fe?PsAF3(TDoaUbUo(+ooFMl7)*x2&$@^-(_`}Etx#f9qz7a!klXK&N7 zxOrRMzTd^~GiJTT7Z;=T9l!Z?^|Ez*<92xNy6I_9Stiuw0!JpQ(R|G44&YWDr~eLecV*oe2MU%W2|n|}j~ z$kS}~eD^(l`2MzdPQTr}I14wnyl<~J7i{$LePUYI#dG;GG<@qs(-Q%S-`sL(b zL-}m+5B}xs((s~UzfipXcv%_pIe(PDk}s3>^vBz`$!ziZyxDx2{w^V}9xwl1KK?Fr zFNG~Gl!X1`i!Tl4*V6aP_&<}q7vD-HGt3`5+53F{{riv2w>utPz7O-+^S2>OuTA&t z{@k{e+;yM6DUo?rDv_o{?S7%Z$lUJ_=MOuX`|$F`583;pZ-&qI>yN2>B!7FqD%m@> z#%8u(=$C%@NA+;_bF@q!UeEFydnc%^EB3>Ro=4vcC7W-IFH7j7w50WXsQ1HX8CaQQwfZpH(JP-t`Z;5KM#uTesXnnc5!?8(>}Wzv(>L` zvYuR=CSO;@&FkXp?2~!=P=36u7mrUd-$vPDaQ871UpQ%+IWRX@0u;>RnuhPxk5akHI{)p1kX8Z^Z8gm(QOj&sU>uF<#GZquF(wzJGf< z+}bjCPxA*;e!Bf62e-MRkZ+YVdwHm(*_%?%O4>b~O*C0pms;ZG&sUn}9QVxHFI0=b z$1Y=140J$g3}S3e%3pCVYiE`H`0_RrhqY_9Y@va_@N*YoY+u+Q#C zi$##1UU~7$*SGNU!VW&n)7RTaS=`>uH-WevK0C~EKmD2%%8yWd~g*L1rqUtT{JA7_Sp>wn1QlY48&>$`O%l8=|O zuj9%0r+YU2o-XzaC58F%zsUBZ|Ip-eUB&hx+q3;y8E>a+^JUF0=J#J-w>Qt>Z2I=E z=GNKexpP?PU(Kz5i}m*lX&LaJu>N63?iv42SpTq)k^%n->mON@gYCb;`h~ij^V=gk z_h6S)H*j@*c7OJy8YMMY z+k310cz=2wY=0?bRy@2ve))D|2cNEIH^HqLFYQn7haGKhpZtsDCA|OktGqscUcQ9J zrL%p#yM23kjPvF7<^8WaX{_hr!;h`<0wU*G-SP9;`A+)%F46v>7(AAKZ{qI#_FQ~F z*d^IxHnmS@pJMNI{`~X9Exo_`0bd(G;QZ{%d4G6+_p-V49CudUShK+VdAPNo{_@+y zkFT%cX|zd`_;&yW?z9nC-9v<&sv)ilUYMX8* 
z2iuKbk4Dy~;5pvhyqt+ItMb?2?mA}1+2H-h+mGeK3$4^Sy-V`p&AmJN^>v<_+5F@E z_J8TiuaDv5fwHfyR0gM)<-_Cqrw4xj=-ka+k;cq-Cqrcbt`^_?{Qc(q=K1CN3`E!awYnZ*Oa7 z`d)bX{L}lun0>t)pNiss`nvS)UfA2gdVh$%3MGmL#_Ie1%JuzAar?y!h4I~(jjc=b z=Xk{j>TEZ@HC&G7Zt=Li9xDIh>#twItbBZ1`3Er)|NOuIM^e8Q_OHSY|3g9lq3t`5 z?*#qV^Rw!I&TqdvZx{Ff;!A28%HNbXqrBe34OIet`|$BH+HQUZ*U9_H4-K&sT7Qq{ zw-*EZ-F?_zm1i$I5BI`rgxmFFbg&dglcR?oetSs$mftw$p+xzMj9TMcy9NvHkvO&cpq0pXSyNHBR|o ze*4`A-!BB6@rT^EqVwr_Xp8I3$A6hUXIF&~{Pg+z=*s+&ikq(oOX0=7yWGz2@5ASp z)!jpqy?(m3ZO?Gt*U5wZZso?~&>Qg0@az4iy zc)GqD1d;f!RYDK_*z_um+7z3{m<{_IKFv)AK$#$PuaBiTFlH(%ZvHu^nH2uboJ%oleoB7 z=0oJlALgVy*muv*6ZLYH>sSAVOWaV5HKwf(b2C7-Wq`F#CwR>|+b_~57c>-dx0 zFZ9)W_hN7O{3&>1VmTM%mu&HO&Uo#EpMQOR+?>7N$DfL`amku=WhXMby~KCfbKS%RN9JeFR@qUc1an?L{9{qsLt zM#dI9@%4{!cp~JV&AkwW5vH;>7T7&txlR>^v8rU9;BV<|DJ4%@_({S;-A=3+P)&+koiR_%pGz6 z^aq5eBoCo-GT)5lyf3?j0x1_u>RQ#&$MP1BrKxue1bUK=9vEGvtAvKVX z_R$NWuEi5lghB8OBoU?xLVIH zDevSE&L0lwQJ`iV|PSE?7$%k2|WWm{Z3&>H;-l$uV3mPsWoI>Y&em&Y@mX`;bjo zaNLu9&;~lxHfn2>T)i!|_*fF#9F_ewB+mlYhe299pzXk=I*I|k;ArYv>9h7a5Z9C1 zYub9SqdL7lFzlSt;5e9H#H7*ac~U+(^61CJ{8~{4X*ugrD3Fvw_k{y<>Q;%J4@(_p zX=M4V7m)?hT*gru1toER9C{Rn^hFd+>E^5#iBM`*X|&3WI?&QY&B+Vnn!Y0H@K>EA zr!5&c2ry#3va@{p;V+Tv`r2P2PcZGOdtLft1(=e(#J z%y-p3q%30A zz?U|`(WqI{#QDL0BQ0q?(z4V>M|~R9PIY4#lW$`OE=Zk!gR2`esSU6ux6u=nj^Tv5 z#Wn5*bdtlH1q)IP{;GB_pyh~C#R359*R0UTBqU0)TUTNrsS@5gQ-VNrK2YDLd>+g zSZO~>I*I##H;y{IscT%D=-{*$tpc>g@ke9mgl_m<*i=L;R;8G2LX>q!aXG#&r=9&>Cq>21vjZbYL z?`yGpq2hXBm=1`+ua6C6VmoX{9n^gbyM54BSnPy4b(u#KA*4-n9M#%V%hJaFp+@=J zMNE4T$JVo>$(!-_)eY3e*o|_b&id?X!by+g(DzN6&OZhZqYeT!t%}q-u4z9fA3eY8 zT<8IRGWlRi3*mo+&q*C2+y&H0TR9GvDK-4`4i%su0m8nF!X-9L8`PVg*kR-@zGhji zT&C1jFLf}THm1K1i1lL-94+GCZ$KW@)me>oOkJ+Ob6e;!A)BhoUR=wl4}AmLiKCv` zQ^W6&rofINvq;UKUB3}+3;bT9lLl=M6;afGby>BR9gTVr{+SPHvtI`=Q=xjkemwR)?oYpJ^v4?}Q?1IAUe=8ROqsbiQem5V@|v;Qq> zz34{~19|7hF3HmeF#oD!q8}Y3qzF}e3y3-)+IR}oA;Bh)j??y}po6-+Wsixl zB!v+QX_y73$J~ zqizXm_r9sir`9ZuAf?^KzOSe!V7k;GH@or{+DW5_^O#aYA2vO_J#nn5YZ&&k$Eagr 
zb#)x2EqJg=m(-H9;aOtj!vp3IHE}e6VdRyyO4%KO8vnXzfm-PpQM`wZbP&(Eb+9Cl7|zfn(~} zV6AAWF-&&Ru)eeg^u&duRdR=^h19yG=}7EBLb7USriL(ShFXrO>ltEarJ?ok z_c2P^VabO{M%0+TwN*Om$7zh{+jr|+AZcjuw~RHl9aj5Jv^B>&BYi}jS7>zHkhCB0 z*oUKzG}HkP>JjISt|hNI-j4vGj)yg9sXgdEn^PB+9;;e%<Zx$MhL#z_Y8G_G0429#OX! zF#aRjVM=?5JL*_RGaZH;*SC&?(bC4D>66W8V!b^Y_s8l`UGI1JV#Ho=<4 zt0gHIlyuIhV=YaVrw;=KbR9!a&=JTh7W6(!i^+88=%ohn*xALs!CWSF?~fHeY3lxXvH-0e*3{Wj7h~-vk5R`v z_K>#Y9-ymeFtvV|K-5gz2zAo<^+Bjp7nC;HH|j>CL**iWwe3+O&CrW5t?+wtDLwHd zN7R#ncjvL_$83YqfEuN$v42QAIF6i2YOdXl(xz@6t>gK$({P)qmgE!2n()t@`c9hg z5B0>r29{t%U2MG9_XFaM)S8wSlxbf?K;E{|3^(t~e9fM;(@;-yY>tCmuhal9)V$J^ zgptF!)ry6GbRzD-jik;=?n;emO~F0fF*Sl&4bVwi|9uE`kb~JaZUT9oOVcb$-FQ~t zNDwWA(?#5wkcF?l6JJ(+Gns#y+kYwFhS z9absz6p$)nOgnqysIh3)6SrwWElBr6KqzI{QI!jI+w49%N$fi{p=;{Y{Z6L$!|EV~ zNk4cC)U8%c2^4ikbl2NWJ(+h`UQ6xY?~v=Mi+*;lHMLdRw0w~kR2*ezsWU7MtPJ(7 zG?4~>YG0vADNtvKcVnzcM;9LEkq~zm9i@6m@8zh4WKJ#BcV%JJvAM>LqZS{#bPuU8 zJkqSeSH9-jO#+i%NA2KHU$bWpZO|H%W-vm20wb z)U(d(>4l^+Z0}u@?&5f8U_U0V_o5(+G)%dF4<3`&m>i=D(~`y>@`t!1ut8>^h8Wx< zy7VE3Up24xLZ{Hi?6BYeC~pBq;0E5L(ZwwPEG#4AHF@UBt2FvfVB^%{eJ zkQN20nNLHSXIaiFBVEx)AEGS-axbz$Y$dHhI_mHyjr#mnR7&1@UtwWVmxk>M<$B`J zk_QEA501J&vcamS#rru_)Df{JY)k51A0g_0QU@w)E2sx9oSuZ+lMxTpE$2;@8a3!oV|tLz zcsL5%j;LE}c7cYT0EANKIGSDo(zwe}Zh@F*n{r=j$it?zgS3&hFIu+B!|5!`^rSB{ zHK}9z70XgbN_QQbq-BFg@i6L0R3k{K2h#0kic`z;{pcX-tmJOuDtSq|4wuq@PMqHt zhLHztYfw9KD9QtN26fqBHPVT+2MNJs4Q1Lt)gYD!VFMY7EGxu9P}>T@Owq zA8XzeR`etSMQf8Df*t)RcOj2|8aF+G)c#u&`XS|&LyI+a!|1Lzao!6FHX<$WIBuY& zRTLVbr#Phb7>-+O zs6iNaIMmchu$`u(F21RMTl1*LukJ#ow4>0DB|9x7(!T1YCrAynqpbIVpanJLacu`t zM}g+`VbIswHZq;sENrSeX;sT{cOZ3**seCKAEEsbEr8gOA4SSCN7zi1{Bp?1kxmyl zCet2-f|OLJwt@De->H4MT|Yi)^5@8T=|K(7fVkagpRJ|tAKguVPNo(ewcA3i;F>bm zew57hVeHnh2V+TU-9}wqy32D=Gi=ktO1+K76eOS7*NoYu4i7d7WAagobsHLWcA<9P z$g}5r1lL{=2X)S84|hy0&ufc=w9n`$u|VC#v4h;9uK8^eKGZ(b4o8Hv_V|#;?~Bzz z?KAC1ZuP?^T~fz?ed>XIq`NqZPm=eJ*14~K_)X;MewQkyw$Pg@wVu#MKYA2L)EJ#R zL|fX*<9+_ECv|GnZFxJ}n6!xCw?b@c1y@gdptgQ0cXredPk|i!XE&^vy1#jEqEicx 
zx>k-F{JHUGsq2q+xR}(_iue1V-NtSJJ#}7Vq>G}hIHc`fJr1}~ zr-`DlzgD$l!rS7$Ae0x%>^oVIkJt!m{4#^=xnxC(rY=AU(}`G zja}M*kF@ouFGeY87s;Wxg0|#kUy$C9DoWA}{;`8kEzz5BSRYD#br~gjb?a`%6!m%R zh6eUzyup&#GT!kE^*;78o!mAaQG@6oh=V#fxI;Yb2?RBD;;BIxrbXo5>3iy~i6(bW z-JDn#Qj%`t7yyzyGPslH)REHNBx~xz;|5rNkF=EF7=5}Yo;58>`Y~cEy@6b}759W; zs6&+dCN%o8&Z>`tTFvbuFVvX@9cNh3))O3o4fbTbC3RKju8fhAI1U4RsIg3Tz;@Ig zZBt7?J}Gz)qDININ4Cd|+!m{$BKlGFOPz&lWC!(px~5N&8h){>$mJ9xQZHKk_)xKztgb9$={b zHpPfK%&_ZP=*cL7KDbU*zK6OptVS5_LnXn0+=JU8>QZ+L><~?;%k`Sp;vU$fmFS>t zfIlvWA{M3%Kqqa^`WQu)8trdaK1g1F)VZ%Vp@ya0tJ@x&h#qc9eIPr1OYK87n18eY z&_~BXO{WdUFLm~5KNhYBQ+ky|B_6VQ)Xhqpf7*9)P?x^!=!06pG<-`t;pyP*_X6!j z=krPH<__mUT2^qRZD-^LS&d*Z?g@egH5%f+s(_R}4x^;|FnddbR8r@l>O4AsX?Na1 z>C<{Zs|&J))uRv) zJA#u^|aSppDqpzrI z!|So1)Uu&(Y_qDzHOYB9^h8h zbB_8UL8ucy4Y!a7q;{w;)OoP|yruv31Br^%k>QDq?e-n~%liKdZ;ix%fBT(zo}bWs zZT;r|{ui%=&y(hx^&fESzrBN)+agKh;v|d$H~DYB-Imh!`H3lm|MqRuyg3P36rG6p zzxmD$i%Xt32NMrE4+n3eT3Qe<7m#}zax}?!yD#vM+W?FY@OXB z!{KO@ZonGD!5~N+w8CICNnEtTaI(tLF30mx`%S40PL*W}H<&n?GU(trEYTaHr2UZ9 z^0Sk4)Bfu)g5U1oy)TkA*x6{DmpNR2JX|9RRr`w}5vm1p7OMZij~MD-;XaEsI{*1# z{&&ji@Pdgj;U<@V;_npu;qM1{^++(8XZV~lxC6b$>hBc7VULRda`J4Dz!yL|8E@eq zPlpRk{^OX#8y-y;13=}YsVfb9JhM5zz#;m1Hq%BF+#mdTHnv3K;rop;!^c!M8oOEf zcaGui2_><|e`8M{UNRiGkQ+y1&x4|JyyP+d(uuw)_zFmW=kqzdh`G|MriY~c+=Bay zqzKb7GnJVF-(y04_E@N7IuOcpo2M%**yfAL1aZZ1uB4u_xX=@2CJVUH@v^{l3B_Kd z#cu02&gP2+kh$|Rx8UX@rVK^_R#=P!_;I5FB7~6#KYhLxnLc3f%xIw1C#2?Cl9^Do z567bse#JC@-69)lxLnu_p2KJ~)EOYK#9FY>V33rw6%2P#Y>|yL8U+C&mBj*)`bg;> zM?$_`q%t!dxPu9#Wp4}FaWu=&J?&Yol~}a`Y3GG$#~lurzQl6Tk;?smHwfu)WQcWU z!v$t5Xl0FtmLj7f>v(7-C1m?Jg^GHyFvJSl0wXAYv&Mr3(zBz*7})`%p&7bJY>Xxz zX0?V+kb)}U3r539J0XomrUjKsDkBEmN}c6tUwjhCkYjy;gyF~+TAsFl`p8;|7?I$3 zvcR`f6Ibg8j3*Pc`WVad(SSi4ZLE_*?Ju7~3voQ0DsLWAjw@1Vz|WP+g!@BhH}0~_ z7D@tt=k1?2o((LCtkdxnY2%UUn22!4vuP}RB*4bQksWg=8OC!hWszMs9#5g6KVB?P zeAary%HmnJYdQ4|$aWsjO}MoIw=(R;su#c`9Arp^C<=56q{GKE4>^eAIrhSpiw1cY zG0%9i9DrZPbAzWHU%yx&`$ZiNX1}o&bg1Zm@p29~VEI1ckIA@F94FpiBgOj#Qtf)R 
zp25ZyNIHziv(7UD7cd=~Qu+}?s#}Q=Bwi;|Y(I?0%kCYHp?0k$9Qq37m8pA%rtD-e z89+(7)M}tzluahnC1Pa#4GGesQ{~wqKAc2b_}7tLqW4cLbKe#4F8($*v)@3M7@aJC z3uvuQhwW0dzT(y!9F;A}h5g?B3i3>qot8LA)lMfNhl;{VSqLo=5336GmGW;hp@#>$5)adn z;UZx*9Slr{MZS`GDe{RYkWhzRE}go6X=D&8KK|PT-r)n?1e#3KX%`cgX^9My=?Gd= z)7cV<`zf-crbA(2GB+~=A0A6O#Na%H$G02?(#Ge*M8F{*2yX?yVzd<A}yj^%~mBaolMZ1XXAk(C6X|I)9DaK zl$4y7kUSPMu)Bp7VDX4T7}H^qg-A5b28#jY%Y{QV$2kl@so58&CY*|I$!S^pb{5vEqb$IOxTzx+m29z5!NV&reGJhiJ z3J_+TEzAVc)@&Bxv!9P~lw>x4gCzyC3AW&;quBGo{%1Y|_RV|%BTUNt;YkWEXFh^- z54mDK8X}c8gYoa_)L|mUTrq=X0<$@M{WOA$&j;hh0AA~If+WTa28ZSYOF(06IiAD6 zp9d&(KQA(Lw)6RTh!o8n2EOKV59vr$crhO?k(Qe4;%xA<)*?WT%xe38vGwJ1sNm-F z5xVYqETJzy9}Nna4^a{n>8QnE5IHPHYEpl|RxqhVHKg1jRJLjn#1?Z)f-_#s7U+<4*dh4z#8k_{2A#}u zSR}~$T8uIiS(Xd9`h3+J;d#yS6uAxyk3rXAIn;H2CaNh@lp`zet#yf$Oe`7!+LLE2 zMt^?57$%99*oavUs}x=z4rwZTR}JD{xK4a)ypy(as3eS}t?QluJl(CC%HWhJhL~x*q~cx z7CNG8gGd}OWnjTuw2}?BBAAH%lPqZ$#HIuP-1@wd$ckah4WyC5aD?PlbpnVLnSbzM z7Hd8nBZpE6n-O4S)07hFA-yt?RU&5vL%**xSdh%Dt;L`sWg>|||V-F{|m1PAdH=KHBMu(YvK0p(>=r3n^TIb$kea%FXL9?%3#9;C> zu7F}r5+^A*5qIsbkYmOK2c|O<+f|Hj;c*1gFd*&uLZftnTMyGnO5`3g&&@)d!(&cY z!JuLyE(~m~>8)@J-&_=#0q9R*p`}aGg0?Os7AlLO-Lgs6Yj_foI5Eoht*v6tlT^a0 zGyMgVe=a0{x;$aQl%&3W8`tRW-qI=rqYS5} zH3_AP^WfL|nAX)k%PPs!_PYss6Ihh+05PP2Q3 z>#JvKcccBt)ozpmg^ReKvBjq^evK$Y9k@jNq>e);CUIt;6|(PcCqagFr{mt0Z`v1kw-Sa&r9|-T4kSViriUL{XPzqc-6{DQrM~mx{rd4>?RG zi7nxENST@m(({Jk+VXEb$P}gu)X$I@OsMG$>GQ5)M?)%_IfWH{W~^*vWMmkP^#?9f z9c1YUT=ZdNg>d0@#989-1R4k;w$wHN(Yf0W1}su;u@E*$8r)4J{1lT~Fd%GrCtGtuGIF%*L?F#AL$9VHX^|GR<@oFdz8}M&|pbgkcwxZ}?}W z^_5~rR#Ij=NWht^ihSX92Fia!f+VaCL~}}qm!v-%1$B)y&tO#DG);rSeJI6lqTHM5 zaD!Qhw$u|oH1|wHXzFPH4Aa`Kmat1f9cf*9+>Jyd}BIEhvR8F zv654fpCul5<{maoOi%}JieSZ1F09%C zJV2l4s2H!NUo2&^&IdwRno_+3R2!NhN9xmb19$`?i;>*YFK2&BVuY133Mmz$1k{47 z5J^XuU85V?KUTZHkkiA&#G)XukdMFP2`Jn`9MrF*0JGq^8=|A$K>Z@jzeOcHye6y6 z`u5AyIhe3hr7)>GFg2(NI8z(R5x=y-Hl)uw+F8snXQ;GH?J?0dTDMMWzcR+4+LO{( zukfJ`SN^yKrBQ!vcfb#w<8!de1WF4Fq^}h{cuG%x79omlm`WW(sUF(W|2uHk!vk36 
zOJDu1i2beri5X7tS(w-cRb+)z0cIF!&?odIsScrctj~X2c;@a@C>12n6ooX*%ulnJrK#|Q1#NUCWbx5SX=C>% zHKrpN3gUmJz;e7ILG-}db*lgjAW@@1=W0LqB<+w~>y3chOmuB)t9>mkzEbB5qJ9=r zCVVbdC>Uxc7L;3Qz&k?AO1Xz6ENd}0sV@2Gu(IvEKy$>qS`!5ok3^^P;{!x5CO90;vr0HT1#ix>%)EuUUMf?UaPah*2zNu{CB#Wgo)YdW-W2 z7QTOL#|bBC%yn!a;kN+M35!*EBnPc;u|mLll9@@}SNF!;V_IkOZ1U zmIJG*EIWlRpjDFvOgdP?k~!XG%1mY|iyj&qR(-SZ3DZaIH2U(C*I?KG8$ReD^=OT; zFcpQtVZE^>67?zSZUGs)!x2;)N+&p(#8rPl`ed6Y(EYG5!Y+cPBiz1#P(A9aJMb|q zXS#sR`1&;(>K_78=y3?C+DylW!-%1RcKy*f#AjI%iv=V|16bmg;JDOC@#aPflLMKm zZ1e&isE!jUbqlD7$0gL+E`)!uB#&#PK)457oLuWVpbNt!LO_p-Dj3#s>MKUDZp44$ z1>B)1;)N(um9Fxk(`1!P*ywE)R*|AoBWnw9A(JWZ$gOZ|G=N23Ru*~=F0`>SD}#SFA|Fg4 z@+Y^l&kl+kt1s~|1FKKPGGq%tojFT*0LNcgg^Tr&7IOHElswiYjEFV4qXBT*ubW#i z3aQgV%AiCg1ez=%Ms3X;!1yT>WE6027zh-@%DP%blq=c+Psw9lN`-Wna^a*2TVuE@ z5$EtkClt{G+5tdX53An1qnUqCx7_&5LL{4f-n)rykC-sP#?u_y(%c7SN9vv>ZX;KJ zZYuK*UP47I;CJHH;y6~xqok`pftxJ8Fg?&hs>lkb zWB8_)gJ1=-s>rIUvcNhhEyR;LDFL3yW$atZkwY#q&(jW*_BS7Yu)vlD$lqNtZL@at zc&RTj&`b1}7Mad|z#<}^gs>oe#W_acP#^2yG`ap<6p~qC&ukTRjJnc)kNn8`&b!|L z4q>H%OVJ^T9Cl+gm(c++p|mvfqgcRBh*jnb1I0RO>H(a($_fFnU(|)#U2UW4d)Byc zXC+g~4E%_CkplIchtdccIzTMNblXZQGq$B`pbkStw^xZQcG46B4g_?MN>632!q z+Z79hUs%#i>sk-6o1%*wVrIkC?n-0mL1+X`ts!n$SY_dC0UL*Pqdb)K`T-+DxH2m@ zfzdD?rabPzRatG(9HkZCq+L`Ta8SXpatc(;r@k?9J_}2K8L;i{IZswqVigcjfq)%X z3GRDe6_o=IBu44O!Y{1@sz7$z7pz2RK^WH6b~Z=EqP=pRW@3qG%U7<}J~VEtn{d4L z9rBph4XJP!I=k2%}sRZ1Lc@fdaj+l*@@6|J?}H(|4m?o-=wVO&EW z1v5}cz-GFy1j3@(9cW>;PJ+W-=mM;cUB)O1>a9p&tM^fr zN#I=Dyd!9CbD^A4h?}I2EbEX7iNN6uTQVPWV+b8N+fCN(F&jPnOKGhT#f)rUQK#>) z*vc6m@LE4909bM&jwFUMG~s{?{c-Rf;}m#7 zj>Z-AvD%YaiTK=6R(}&Lymy#cC*ImcTIa+Bb&SwXRSN_RW0~5zW)d@(V^z(WV4r4L zB*0s;L6z)|62LdQ9aRXnZK80QV?`Z_3eEdtWgfQEv%|VXRL1NK1lAQjMyPYZ&Mhn` zH7#VJ3Ed|hycak=lX^Hw0k7Lj@$4`THL)BqX zRB)dMJWPSh;(v71ZB#D-yVMmba1OV_W8Gc`O=$_P3de$CWLa*b)FqZTJ@jf zM{-!7s9%m_)v*Z~SFUdBhn7P)vrQia%$Yipby)WTR6l6qhec5J`(v1Ob8=>tFx%}^ zq=|0>S0y-Ege`Yv`&2LKApfXi6D2(BO!~|RPD-V(aod2S%c&$*%cX$cmfl8&Ka-t3 zApts*zdaRy8ktD+?R7-kgrTGPaJMNw_DomDz|u*lhfRD 
zH^Fmgrz#1B&8ry{ z!dbs8|p-E+~o5(0mEKjE60E{YdHH^Wc{F+!cb;>x3QQFQIHL3!6G6 z>qw%w0^85AK3TXzHK{>|D)85nAwVTM4w<8$Xhkj3LlhY><6T+6_^x_^SIs==KuK@~ zce0MgEY~p+M3XB$q_bTm8*%R06-|7%bp!6&g&UKAKpz1)lb}Epf4kW9b-EZVy#jHb&GUSfzvOOizvN)x*-gz->22mrQ3glFTr+~4xvD) zs~@lgeu<0fQ~`o;0dw%L`zYlO1HhmHwKddyw-}ix~UJ& z7WYyQ$vjtUQCu0}YqVw@g3$*SV)ww;<=`CW3e@*_kRN@nt5Tq8l6JU5`pj^vh0i*6 z8OpqhH?>|YcYlx=_pN%W9=Nj{BA$E77sE!S2CdQqQgNSSwGL!8pUVOkQTi+>aO_Q4 zid@5NDW3*fxIT{=9D?9QCHmRdQ@_#I`b;C8!jQSoS=iJ)v@JIdQHPk4N*G{Dp3oOMSU*d%o5MD(Qr_o<$u-SbFhO7SQegy`c$|B7|B!w z0c&xT#Mx%No=go+VZ%-MfXLJ;5ZK@Iw+V8GH2jVpA-Q2bY)J;b)o~V3D@s1qjma zvki-xo`0taxfai~Rw@unN?|*xI#@K6(-&(j!So26G=nJ@#nvfygnV-g^69?v?LFRs z4(W#$H0+hoNA9R5^Z*gMZz1aQ^<-vj_4rCYW);v0yb}#Uvf{`I(qn>V5FOSJT;$;U z9N%e>K~e83bBFs82eo!Suaem~Z>g9XRz~aZlz-6s^f_*=)HWc5?e?WDJ8n%n5;{8i zwi1m(0-p(O-K5Z=Lw!HNl}?J0stOtOh}Y2`=GQTC@cTN0X)t9<3Wz}O2R`adtXSn_ z)%x?QgU_Xmq15v;sb@>VC9IgUnx(mqWG2)JZxk|<=3$8<^7y{41 z^6O!3=%WHIv{FJ(EMNnqzp)}fL27*yZc$caRWJ!?)Du|p5h#|f1B}J*YgCC2=8w|^_$kta*niFbMt3^ELkqJA7K-VM7qGl8V74$*w&8GS zvpV_`vW>dG!~{K;J3FC0Ko?Z8QoIM;5gD*50*4WGE8PZ_bdl%C6;VfOaafoUtg;XZ z#DICMJxU(1STG$B047yn0%#sT**Q4v&!~@BcbugkFl0fh6=44$>=6$1Ah-|%;gcvv z4Qb`Mh#;W^>UYT8+B@rLV+({M3&=Jac?v0jfWe-dfSDlD5{M-E97@y}7Kmz+BYFV+ zhz6g1Vq5&Oeh(;*{#dzLTd9DLR_^?BzZaW;r&@{Oz-7HBp*f6kXbJRsnQC-@J&O&Whs?D&MkZ2!Sh_IdrY@$!nuc2msv25I?>sM1Y(Eqc zlyafANI|YweQ9D!IMYab!$InxO*Fg&o+zv=iDJ1ekm(y{26U>Wl!F1}IG!s-+l7Cn zbp!DKL!rJyBB!S)LFq*(^vFa=f_z)oUjt6DyU^*nChi(36B-6BaFjmF3p)kJ0E^HjWu zST$l1YiCsD$=flED1}vlDh3OVSZKCeh-!!R94zqX7Qw-ywbr{m5OA4EU0Um^Tbt)vIDzAW^goKWG*I%E^GE^ztAd* z*P5M+m~;iIaMjB{JF4Umqp~@ zpIOA?sG2^22*Tqr@NJgJmEO7*k@#?wtIfkHr*N-TN z4?7>~vsr|{IkfEz31|&13wtr62rJ!)cYq*7%G!rHJhe%j8mXpfb&S-Cve0z2R|&q= zXN4Iv$T7Yir2>5Ys2Uj5{`bn@YfYd;(Qu5!-r5|(3JJac1p>8?q+e_hBW{xvMq8o? 
z+xU@PKusJ)L4rU>8mWl+4>$gQC>_XB32VOeIe|lp(j?V}IS`6T9ask+Qa~)_wHOQ| z3O^y#dFk93Mm~)qFy(q}N)wUCT7(#+O1Bbw(Ef`u9z%C`y$&MO`=MWfq57hY ziQ7lkYdjaG`HCrQ##i=#G8Z7WuwJJ!>jF1knc~Vgf88{TwtfNU z9TPOwLBX)+x~m;kdxmi6qUKQLw-g$S0`YZ(m3{Yc+jV3KtPXU^JjA_PXVrvU$VV`7yk2*Ih`sd|76Yt9tccbg zHY;@P;y=)N>y4G=aG#l`LCnW)F@%$3*BDDWR>IrjI+hZnThmxj2CS4@ugkIovN6u2 zw4sZ?F1FhUl2)c`mLTcG=)9}$ZHVEk-(ax>)_TT5cl@x9+|W7;+d)8M9xw>IqmR4k zvH&+fz`Dk-T~V-qM;`)C$J|m<2ZZvJzE}UjK66}GaJFtCFd@Fs8e&=`EE(jebOHt(H}xTf9pj;YZhG#x&miJXvkJ3I!SvSxN@9oMMA|3Ir95fS)iwVIPL z*xIR{>6(y{SltK1LIe7z3Fmp&_hjm$;af}redMIF@d|AA=;7HsP9j~JhnOreheH%9 zO;*fACPQL>ZG^=^fH5)iCDcw@55s^(<)%X*hC~lM>!LTiz{mlKvx1ckNmu$@Y5Hgj ziNj$lOkP46<}&QKF-Le1_9ZbLDSa3v(tQZpc822+)Se2f{V4 zPy^ey3RlmnmRXHxk10g)fq=KmHTFxoVwn#gbA(xcRY|}ew!|$G)Sy+7BkwTA^+VN= z2KJ!bPh=mi^@ImBQy&~(NSbZLPVh_e!S!cLxGI8w+ zeHd*e5M4fJ;tL*PHmGt@Gcl zdkI*7oQkC5@W&t|m-wCwqS{GN!uIAQOcD#3t4RpqgzBT}I&cF7P7-Or=^SxA%MvUQ zGJ!m>Bq$1Cb~#l?KMctv(#?XX-BC=0GWn6QtWOEYIue;>*oIO9xuZ}>i!8x|j>8y2 zqdkdD3-YkXQzbhi0}e4sbTLta4b_yzE5Ut#t0SAB1WOKoPdWGTn=}?Zenlt~`yRT`brNX`=6|k$`5}EEPOJF@}SAuY(&nGG|nDYJN&{gze0h8QVBi3Z&<0PiNxPNG(J z&0QD+)uPA9Os}K!Q|%Q`IMxrqDrSK2m@?n%8l0uhQ(4!z(>u{+XC3#hlam@xrk%RB zTc|TKM0hFF18(e&o`9ruY$SKow?evqDZLD*k~9KGDB%Esq{v|EvH2485+kYM)X-r; z{FJmB;Dv8pLnbBAT2MEN4ffQqln{lq$wC+Xp6DTVpjKBGb?Bal4#B3x8sGtGNfU3< zufSLt1dCDYtS~;lvVxI7&@~Os07GWldIe{Y*|^z(Mx55Q5ikprI!!-8o4QX;Bvn%GbM>o(q+9Bg1x$5T+-7L&t=;G- z1(uGhDN>3lPbAiQoCSvHC_YL%(10~Jfh>0_cxUxdb@36ifwiJY*vWADhr0M;B|>N; z>I&X9XyQ(#4eP>pe-9qO{H|wz3Bhjm)Zs{U$w;K_+E8szVgn_0+$_ZDNBxaerE}{n z$5aM0RPLq!I@f_Lps+NuGRB5YV`h5QgcR8M(>Vc3o!PKMZl$q~he#iKhN-g3!O^Dy z7tnxA*JIcyto)leQHB*B�bCvCE$}B_k^oJW&sX-G=N+m&~_EXwqtb#&gxnhK@g1 zRzt_sHuAFYuu7tXJ1SWCxTNdzv zY_ou6&1s?;2FH-oWR2p`X}aw|d`r9R*|mvU7&Je2nfFq&?z?jcEI&QnZFN#r2` zVB3juC4BAMw@T`cNSz{>7K{XVARK4P3ReNrVlGb~cIZDwSI-mP_md z=iFc+vaBmX1~Juhwv8FoZMnA5#0ptixd9u>H(L?nr1(aI)Y=f%G3R>x&Km0YoZ)U> z^(kIQA!M$9F?TaWUtEtew=sd$LI(<*bkjLsDdz#lG`2>plrymwA#UT|bZGi)C2@*P 
z9S24htSuV&kupGA$a(0&-aYkzn<29(=NdB_H*w`vcTob(^jssvrU<36CQ@aHTG-s( zlz6{F@dKueBwbFY3p6QL9g8js>-cQp`+@};j2fYTYG`_fg^qbO6dVbG`e-`lrsP(R zT$v7BR`rT5-Q{A_C+8M~hRt<*1&Xz(gJLPB@s9`F+GKt^Lg>wmq42ys4u{d>ilrc>`OctB!k{aU<)0$egKf z4iNgxb~+dVVVQ+GHiFiVuqChdxD~@8q*Fce0lp(FIL@l8eHs88Z=0afsBNO_NLv3k z&{;cp!kN-1S<-$1&;r>CI6HOA97t=^>9oC!YU^=5Kol8hI+V}_jm%&CO^{u9pbyPAJ%)ze8b~lI-P*2Bv9K}D?;PLiN7}F(^lUl-b@R+V)&pM`t zY?D+2RiKTSr2+Y%8m3r-Jc6sk;k~VAAYoY;d5L_oVmyNgE1JaNSduM&2qhHSRud?L zS6hWJ7F=1kH5LbYYMY=yR-r40LtEGHwMswrjO}q;?x=`I2RPx0+ExOv;|KG}SpOHj zq$oNpwGx#}Y`4lLVDQv z(_XZxN8vIwyGb8^IxKf6)RsZ2)yf zIdt8*4!zNi)N6rT;?ynz)Dlw^pDUONxCx&x&=N2{P!zt6b+W9=0$R^$>obT@pwCE` z4`LSTkorN2QTWttb;kD#nC2@gs%-trJl(ecZK(^<^wbc4tZnfAH<-}E#+Zi`s{!Wp z>~$=!vIu&;T~lRCE+Dz3o!f_PG@8K_(JCE(JU+1~mQZx)J{=fTXg;CcH7aeLQ$sR*HdqeO`Dfu4H)@uaKo$9=hOd-a zml?o0o{mtIeutl|C<(=o^ghDsf8jM!;O#fm-mY&fT(wf_SwYCoQ3T^DYR=D(6SqL2Ej>#43whg%ex;x<|vaZzfvK}uDDe4~_X0uL*u*pI!?KtycB&u`) z!h){hs|q8_3=N5?brN>e%fyDrDrNe)+kP&yvIDiOWTn#qyr+)L6e)_Q?r5Nk7j$3& zMt(|v9ojW9bYqzbWrB4EkxC~IftV|E7xgxjP5>g=r5nS7n(8x@lukMXHSCoytMm#? 
z@0AIh2B5A5k9#R$MyyOqR5w@_9n;!1N7`MFsDqkeSsTC}cE z3fL!G7WL$k_P;ln@NkGD=U779GFIL$hl4tm%Z`ys6l<)rznRWs@d{!1&wu$d<#Dmt z5NXWfA_+zEr|!l7*RbU8&$PVUjH{u33_5W}tOJ2vBTK7tH4!p6&ts*ugj08Qwm##3 zi_qI}jUtO)XU8(n+Z!g$n3aXjVj`Wy;A}I_Olf+s4<>P9wOIhF9EvdIp#`Vc^VnpT z^o3EA$;qZ|F?A@SgblN%VhP2zZC_Ls1wp=bv-Bj%+CCT7{<*7m8!Bdt<)*0HXl|_CvoDFAE zQ|2iX7h)x^r1J1`o?us18J6NCZX;V|`)H)mmS5MIC`E}(D6uwTiN8cd!!a^{f0{AF zRx4g*1uyLBx?*@3DIAhwIMoE#X39eQX4J6~2v9Zf4r%eV4rY?$rW z;`oU#S;qi_%t$n{AEJ7x7D6&Uv|=ex%+1XBhJ|c=!rE9p=22!CIyrPA+8hs`C27Y9 zWfrhTe4iL`+ZRg~jVxBQm!YbEeUv4OA#j<-tZkRnru2Pob3^J?fIvTzvaQpat<}he zh+&y&D#5m5rlMVRINVS8MnG!FxdDMjEsfkBepWUHtV+++PGStXAFwzUGDVMg%*zTH zWG8Oh0NRupK4;K>)QN~z6DF0px}Zd3g(jxpA=H^cVa1BRd;u+ct+LdAA?NUzO(Uu0 z5wv_8+Gw{{(ku>@Zw!YaW~tH9mA_JI54IvUpw>Qv&3>9DBH^hA^h_f3AP)`PIcq2} z-ezGL>1RkZ>aSNmp0B`cEo_h!fyT382kp^oOH?z3v58)c0+uQpuB{Gu$wG}kYPbEK z@+9p5#gkF{_ySW}Jj5=4u=)fEk$yEwVFD31O|?N~bRj9>#RwOtLe61|nuHy;8^ma$}3 z<>xpFkc0>V3@ntWuOD|%kyU-o{IJGuPtQX}M@S^#>sdOo-c)$jW-dT$(jWe}eFQvf z>#o-pViJT7vxKb5eSAkZ7zS6{msAm5nU8GC59nS*1NX&-xUJTEE^!db)fE_t?SsF~ ziMYD;HglkcT}a-4k!p1Bq}N1|ysw-H^u9ns*s`Cv;e<=s^r}8l>c%xaz}=oK-(J{D z?Oece)uX@GnRY_KmUB)V&I^cpD@C+FBAQS*riW}@FmSv3Hg^SgmMNJ%pycI03*XaIT67QP}4c~mVyl<29B*MepL%=F1~PKh+JuZ>t{_2$GEe*J1B4J!W@S| z4@GO@nl@`~gP1f!7@aVPVO=m8u}V?ttZwFbi?hgPUjpm@p{{(ARy0#`p;^{}O;SSV zP_z_!@-iPT(ZDr1cYYq4!Et}udSLx0w$x$iZTl6`4qN6+HSyh3U%UfGwU`|c4L5F-@m-UFIH_V+DpTZ0kD;GKQxw-5DA}#ywN?JAlq}4?3(0b5 zey_Oh5Fdj=X@qqU89u+)q{e&8T`nx;_(gbrdh~T{yTBO0Eqw5}eN5= z`d`DCqP>N6LInM#2E(t(tuiu(E`;o}2W&0P2IwHJ0cPzW37wq22aLM4!QX_Qj^a?fzy9N}^)A?ZOF`TtwSA2cl?6 zt21q`2Zv*o8$NX?&PCD^H^;w0Z*gg+8CL6m(Lb(Li}~Al4ccFCs*jU{)6bc|Wf7ye zFzbVb-OgOt!gMKHHtgog@9hRJvYEWzgjo)ta5VUI9B}$1Z7cdCLSyOC z4_F(-@(Z0onOL0J2A8;q9GJOddDxk_<4@e~;ErKmPn7XUwm2aE{aKEvi;pqcy+G4{ zqcxyAwd}oHi1ewY-~qadTBENM+H_oP$h9l3$i)S!;~63XZbVz4K0_E#p^>W}uC=Rv zCi&g+-N05job|!BX?8uIfP9Q%le#CjW#yV4*R(68B7W8|qAl2w*7FhRUxrav(#omI z#V_cBSJ#{O4>bAPoS05XM{_dj?_&^u1PQEr`3In8SQX`=F~y1nrydXPBilF_PVroa 
z?tnnCFZ@1bI>(_|%^f$|O!wmlVvxBU_}pl(V0JerEC(%hbfqih4e@%t?PBP;Ah{0O zANkkfP@RmoP4$XRQG0h0UA3%=m3Nlg7kF?f1j-jm{Uol{`pv)hQN+^;%}-~47vdPN zozsqIaPy3eza&14 zDBI0~jeA~4wYjRva5<*OgZI&8edxilB*D#Lh{|)MELal^2T1zX||JNrv0mU0P+o!ZWRZU z0+E-kGaO0A_((MY(s*JC(NjqQ4m3Lv($Y&y%iV?gue7d1^bVadS`XZ`ewL%(v28Xd zNqrL0U@8aiOUn#oZWXS7RF*x^=Jdg_NcD0tH6p3ru!F8g47ClHb$q$)E+ZiLVZ;S3 z2u@g=-*7dwMGvp`t7h`rYE>G3b?dbkp{52cJI#W6L9di+Bmz(4$#J+HicR-UPSizI zb4X_VHu2D>%mV)Cxm{mSURZ=>;oX*y=wQtw$k!2N4XzfY@&I9fZ4dpFBE%6jNpBgM zqVVUbWpKTc?q$N?OR1pZ2L#OLLjF(C9(jqOEpBv^!Q2auyKx%SK22;vVB9Yit`dD5 zxpdPH90%l$i)p?1vx`fdykJ(4Hv}{P|AF1>Xz<*F&Or?ArB3lHq+puJ{XR#DMi@DH zbWJfuKic+E=wT0kevUexI~qBp)%9BEam#@Tu&>BODt0*z<@evH9g(J{p~0^*%2Cgz z%)Gom0V4IsYDYbs4bSvvo(BP^kJTp3?4|APH+c1CnRf8cTjhrfhbjoxAuaYwI~r>Z zE^H1V*SSN3_M8({PRH=3QgN6=BUNA`13i+B_0bi0?)!Ov2KZ~baZfDdU%1liW8zZL zgSbD^Q`F?uxFS6xpI2yJ##O0E#V)8u%k~*)d9H~ze!41D{4r{Y|j(()*rA8u`XqyHuR`#dat;DCWEN zvU`A+FACLv9I{HNme`gD2_{UFsu^vvC(=DB?&MF#s9ni7G~1JqZLUEp1BkHQs8y%Y%1+k9Uwup@fHV>u zkJH2D6F0q7{H075UJhBppAN@Qj{Bqg8!Wxs(k4d4`(7ytD;0egd2qMbiIM_bRmQpM zGgnz>FL-CVa91l`qkjKZp@OCtR`9xLgI904kgRz^z>}T^xK_<}s?-#u^b^Go#f2MK z73}qY;a($Srk-G&=4uaRG79fiZG;l{Mzbf!^3A938_!L zWFI-z`A_-ythLp?a= zlpzNu4v@cb+iM{to`w=bBT<%X)~?il+yviHSZ%|ZW3Q)o=`wTCNeo^p_J>@+tg24@`qWX~^YOf0R~5vw(}G*s zf$(ZUAl|D;b)q*Xk?O^Z&Q~AR7LziE_me@vP`#gIin+L_w^{i6t2V(Hqgl6quaKYU z8%*=&GFpUFKB_hlW`*3~hFwn>1Ul;+!_G|r-2Xk{OWK4Um4%_lPZ)?*^iUf%bFj=> z@Od%CI*sDc)nS02@ih`(>6r8A?1Yg69G8A83UasZX^vp2J=7sSx|;c>L$bj4&;ngx zN_V_yxy$G!opfGJ4?*(LXf0}gDQCO4vP*WDYHD-ho+4ul_|=lL<#g4>_g7|6YB@D? 
z=I?s!Lfcq7XFH1jr5dQ=?pBv$5OWRxK{`TZ+|Wj_w4H9_Po$~R+UXvSY6m=TOk}TC z12`;OkeOZzrTa2j$@zG`&OB|@<^84_Q)Dc3%6Ecm=lLML!%P&z)9 zxkuD7`>+vwjLsjnr}|6cQoWx$swljzc^9r#98ZyUEtHC)Jml34)b@M`K!5Cdizuh* z-M>IqId=c3T)O~h;{i#^avg2L-z;~p` zk@~0OL*tx{_zZ5if%F5F62EFJ&GjehOoGmp@6t%?ddo9z4qb~sB$0m79ut2MZv683 zJ&#@HUg&0Fqt5NvCUl$4*n9}EXg^t(fQCFTMLe}x|_(P&nJ6hRDZ| zdlxlHEc@V!bPAaGPd$oGvJ!SZAJmMG;J-ID*ID~1Z&Td)H;R+5-p=uhj{;R11pU*u z9?%sG0rD1Y7>JCU35?97Ilto$rc7LBxB(8SLf@C|Yze%7MR+{;@L=e!ONgv8@^j+L zHzF_;mt;y8-`SO%d+cXu(B*4pp^aNjjB$z*u3ZlNlyiXBENoz(M zD(-N9ZcP!q>Oshck<6JWj-mHYw{zlJ zfId0(3nGbf;1}%&*qEGD4r45lyBE>PhhGGuCNf;!79_7pbdwQ>+VI5QL$rGzv0R;h zy#4qANP^{7*8=`Pm@v;g#V5yek7N!2Bq3|aBm zf@_^PwpocT=AK4bpatP8b-L65b-g~?|M~e_SDWCoRm3^z?JuP4FDe~lbx>G@i`bKY z-9cVmf9T|(M=yG7Ku(5FJFMBb*E4j7__||&rOyJ67ppS4Z&j?rkbZ~wJ0cX}GQuig zGE?n7>s92d@n=-G=-hMX6Kvl=wYNoV^VEmk(KBX!11rR%c@Ag z32MI=vIr@|X|C^Rl;JZ1)Ch`KJ{DXYh8@|gm_2Zp*F#Q~2(#p}K=x7RU56Rt2V2EL zRkp<%X~o*v*FSS7=m%~gwF|gn9Y<+u#g&MwGmtkYdpHSo;;aMFnKAa~N(#Au3?AS) z#Okb-A8oUaWoX}tLvef z-CaVIsvIn~9>s<%i!bC_V(j^5DBo%9Y7Z-_+GnK3{0DS{Vj0xNX$A!S+x3vAJu^=8 z^ZVO3i4Q>U4(;`}xX?I!g}Q(@(GAKuS+8k6~$==d)A7oO0sy{^WFdooq zO%%FyUNLPOWdS$3C%z|=mkyB5joX-jrK7oOk3cyk??Hr`go3O>zXYb!kluPPWJ@G*Ex@zG&jC&P zvRn|jNf)tESb$LRO@;PzBd|_GDd>2pF zP%mJ?2Fe`%kyTc0fP?6K%X?ZJ?~MifC-Ox&MI)5Gnrl;*L-A{m5CdmuZ`+)yM@4ab zb|S&(UV?>sCU9P?NL;bwa==xJ2f=q-KAtkAjYuq&mUtbM>c>T?!xaP^NEAFQG z@RsBjV1&vNmxBYbZhoUDPY>03^!Kb05x?8Mz)NFJL7N{q)xB>@m zRCA<(Iz)U!opp2c7}0v(R<6|XE^dsAC)7{uquCMim0S`O15Utv8tXc8Zh$k7Jkb-j zkB@f~@1e~x^-bM>+m9b_;?xNBSSSqy{Vha+znT;1`S-~5G_-Pve&Vi5;;v*J$JLo+ z6YqoU-@rA4rqcpl$;1#*4Q`~25984 zQ$Zq+OUrebB#qKX=|0h(Mz(Qi&o^r-v@NULiK$B^_|%$|b|Z*>(7O zPDWH4(bo5?x_<6s2-3%?o&01|yxa*2_()3N`U$x}3CKX8^B{J)rJ1uj?mzoj%loHJ zeBfex=EH=4T%(@d4c&bg+=&B{3!J>U5f*?v&hpavv_q*q!xL|`G zT>MBDzFn_qtQH*2e!#m8eO)30d!#&ZU%Sqd#sQWBIyiO_E{`{Xa_&y!we3t zJKPA+L)$|`Wuq=MMlNN*OfgxzoG>it>x=7KwN?6moHIJAMzqQflNwd^Z=E7%vPXc+ z>iD=)ujf`-4prC&i>wjQ4f}RB12_}&!04%wDgx`T6bya5BQ3RDJHFUD>}#RBiSYx^ 
z>gp^8eGo1gSMWU_;d1#LzkaQQ%!C^iap({$E^)0rteA9)o5pEaVc>m1(uWFc|;%jOcqakuvNqH2`td;5Gh^P z)f1s-@rY5OP8)FJzU9Fg19bu0`0VpEzJchl*HA)T;u2WIZqEW)+2DFvbKou%;~7)Da5jB@%sm zsDPYj=lyZrQE7LG1?p?qB8W5yZ*zD`$T=FjFX!&kL%@t^lQoS~H77-HFLqgd1d>~U z(sm+Pm~Tze{X{j_5R#`Fqw5?r|LfwTP5$i?p}XtdiQ_v2F9_TIp}WR6t8uI9FVz`; zDe;TW&3l5f(T(5mgsXL~=35hjkxs^sa6td#?fv6WqDPjf>xto3!P-9}_dVUMKmkxs zMI-gx5OfY>`5>8%yO@wGG#0wZ2bm`W2Q^%PV4UWf_?(>(7xUeXFnC9^XYA-St;mdW zkF({o>`tr?Vh!i3zUH5!2LFr1yR}JwfGf< zm5PIdf?Jd4*sE86BWIZ@)+~-&C-dQMb)dEI0@0uo`zZ>si~IGdBQeu}rT{M^8-yAb zVI=XJ)J5YaXg1#HFbKj&5JYAE%stV`7}J@*(qbQU%^F9qZSb1jb5?^4;lj6ncS}OU zK4U$9Re~&5@u|l%Y2kz)03YyMj1;+QX;?Ev!t{G@mLG3m_v+nO?J+mDD?RuHyK4(o z&?<5)hln9DtT=^S^*LX-dB)>n6Uxf zgN9|uDDdXh%;=x=_7c$4DQKdYM|h1^Zh5`lYSt&OLlP!S*;*H@R=!+-=>j+-_jfp3 zJ|kB|X#KUy^b8)3I26e(#kTq8WIZ--4wZZsp+EGVV=g=J3!bcaU%SVDiAq)wkuMMd zWjl@p>|?1Nm=H{+m96gx8+<^I=zd%E-;=5k0!PA;9o|w9D0?B0tdjpli^=q;q!UXCnpjpux_BKgTa> zbOP&@p+!6)*#8@n<*~W)SX2G|8+9brnmIT)?kwD-3F!)gjst(F6%wn~gmh0A8K`1* zm@Iw;$9N1S^$cpis#}4$d6{CmtWf7`;mQ%!5*>L0BRF4$T(7SPdv2WPY*z~<OOo1{)4&ETM-(2(bNep$rw8A@D`Y+_$RP=yNp$ zC@wLP&{On(49@ujUFJ1<$JH)93HIk@KN%v9e=KEnARGTJ4_30h37-VF8kwUX-$45) z`lL6`#t~jl+|k_0L?ik;;v!kHD zp)M=(B$I5~xCdwc=r#@moVD@Wm*mYQFV;Pt{JBtnWZ!d76e=XHa2V+LxWRGkNo~AY zLA4;7d-I&(kYme2=$>-1~{sY;}Ipfe4lJb&(V#3YI z!u}2<8~CAM?fA_#qf5jf=Qcl|xx{e}m6d(-WdLWzE%aISA=c_1&Sp50|NZ+w>%)}V z;f9ibmJ=DM)yCCx&yc1Fw|k-HgC(s>eSXVQQ{pNN-pGYSmODZWQJ!283OW+AdD8Mc z(K8I?EZUjn=f@9(t2)Gcv3=867rBnDPS9Ory&e0@*w5T&A{fLfz9SGF_%gM*w9y$* zTkBSjF@9s>Hk|8afGIjW>M}0N)~|};%H@UZB2GdFSP z5~wl+7-G6(D(Q_jSucZXk1zML#vWRaNRo{L`sT-bV%}Ul34sO9FbpL7jz{-|c&oYe zV1mhCwhHz2L@a(y(bT?76{;Q5FbKvN!B+>-0~uusi5}rf!6FW5&mUy&2)euPG|!NK z68?JKor*YGMUCNroar5M+{6qV{FT^oLny;PwdSUEUZMfQA9MA#a*cBBv^?tRfljvd zuPRj+oX_U9?m(5S?FJw3U^~EFI)t`Jr*~Hp2XsPv zZdM5*vVhHgIVxbimxTLQ%1LO)=!5+6$<#*_o7*CuYqia8Lz3A|nA+ou9SGciLT#JC zt1|v#pLWKQqcYLX1=@+o@5I%YO$pn9iW;)_ZjCF1fj4|9M^Wt4XbT-<0}RRMBXHtE za^RF&Px1Z<2U7n`1a;T&Nb9?yeKPuOZZkH)4R+N)tzIKc)dRF~B{d66lSz-7QGNEm 
z9`&k%rAy|-^KB)U>2&5ZiiRnFmvRAS^_SQ?H+$OCv=>OyH(X(pzic?%kQ2?ZCyT#xPBvEI>DGrVv*PLk1` zgW_aYXfyiq-cpl74f)=G#y9G4LiCII3>u_4&^x!#MP~Zf)%B_f8?EcUppPr)M4d}K z_?N7`sv_pPR&%M<4jE?%64Z(zSW}tEO@+X@bT9M&$$0{s)0dl^MrU9Tdmlwk z;6L2S)3{Z@;AFbKiGr#-0AXkgWgZ<|?7Gm0&?U<5#AwBTngN*7m&TCL@1YCL zDgi8agi?)Im2vF}+MM$p<|6Q1Nq!IxX|rX*$e4aXd_}@p~$$=iPW-KPyJJNsRu!9BIHMV+z-n?cb00Ani*Vd(H;jU;*Uku80)47 zkb#~k;mKg6c{X3%IzTh~B%%owz_eHEUBkM*>p!!&xwiCwde;MUa)O_R8X9wV8xkB| z@K+u!Y_ddmDcQgqrSB4K97( zPb7Blm(fiyKXS8cxG75cL zo4%eYULA6O_XX;z#zh#H-&}t1gEGFm^Os)mmVI-sL<7ZOCv#FgkZE#C7jFJ9|AA*! zBIQyb*`qatZ@}GoT^r3$46+%XYWOASLF8{8gs zSM1RSp$6f9>Hj`*$*Wc)!Vk6CCP&`BiafAY^uB1_vc(f2z>4_q+bm`hs3aT`? zNnF{u(@{+fn=F!kN2LI#5WslU@S+lmmHF@D(^G$nd-&m3`t82-1D~40Ea~V zdVYqU+OadD;z{o#p91I zdcQYcD!DIe-!PHT0!57t-pfS6G{JT_L5*Rji@n&dVlysyCOI@g-+uigLa+WnY*M;< zw74e+e+9&3sD0{S^b`>24O*)^|o+p@vOr1MZxas4HHJXxbrYL%i z==wYV75FC_u(lUq44?#?)&Qfc_%dNvIm5q?4Tvg!^l;%;QKvMzMZD_NVus8R`)kz_ zxQUAZKj7MUh_~3CPyqwyMi~+TNvWo<+@101e=8T6uy-s@SP3|Ijn#Q0vXcnVQaL~& zx$}~ot2eHdMm ze<_aoa8{1w<%4<*T8fi*P`;r7BC!wLWE#Or{~a~7&RxVQRVKWs@v7*RjluvQNuTz$ zh=%qPH@gUMly3MGe@fzPiUOd@1jWX`umLK!x&O1`?9~U5tSHkj z7Q1Dy@otk4+!tIDczze?WN@4pIPED%UIf~V?Hhy?F6EDnn9g(-z>15BzL#VQAz?Le;YZ{ zOWSC;K-IBGVj-PeJba(P#HMZQfB3=s;u85PO0n8GttaV|3;hM!U))^GL>qdQbwRdef8vgr&}NsP z3Y6mJv$(h>sXsz0rW}FiQ45jEmfe7syZ18njcS!&1CrS1(7DPATh9!xsY+uZpR%50 z1R;2(^(EF1=!W0j({;Ib<&lB0e+feb;+7M_z|1{Oh6V7G))fwM`F)QZ9)Lrv=hjISO!Wubk-HN% ztm8r*ehk5{NE3JL|3E*4A|n8`22 zK`?IX9k|h*I%+My;xPA0c;O5f2*weCml0y49*hpi=86>LKW0ws|E0xQOUX1MlGqV{(z&P?hYzOs`ai}Rf z*z}Dx!!J`}nJix$?jF<`^m?#w$I9^?Z+%|u&C%p6Zw~|W-1H;k$cvH z!SI2{z z_gw6fM7A?EwUmryxGA}(kmGPvB-*f`foRD*1bR&2hOx|oJ!+sGe8m0)N`hth??6I3&x%+VGZ9M0T!Ax(Gb4x4nmDvsQs zd@8Gte|samVCLlV4SL6|*bR$7NL@oUD}(hgL6 zxIo%zZn7|Hz@O~Ckteie{G(3}+oUuyxeo)3|MNO_94osa1q%c$1Y^|T1WxB*sou|9{SSK%BNLrj1P2rM+k2w;09y4 zc2#Ao`$_1tUItKNk$@hb6IG}gHO^8fdygmTAI+}@9P^mW0p~~cR^s&AmOsE#zU#%F z>AT<4o+7`m{sINt1O?El%(faQZLUANf2HRmA0to{p5i+5$&kf(kC_T<3<9mx??q2b 
zydL}d%Fj!9+4h8YJ=xSzGoyy{gcofD=*!!2MDy{`e!<-tJa2{*p}cyBbzN(&i0ReQ zQ<_-q_S`2v&YeRK?CtIE6J*iv-%Z#bWu8>d6gcg&a!r2}_*oAI-$b!fMex;;e^B5w zR3MiNc}*2QTQ^hq1;j~5ieD0p)g6rBj;JYy3SOe$d#{sH;!Zwcz%!RiC>Xef+ZRBJ z=fuE0&d0AGC=W%EnNwX9U!sj7L5eP|$Qr^fZ;hg`a4(u%gbVz?6^)`c(!pX}O)FXz zYN-60L3F%xazXu;>~K!mvJ1DFfBYw2!yYi%n?#fPo0zUnHa2{$1&l7dHaGx|b;Wd9 znKG|jtbrj|e?LQt3sW3Q$Z-iUK~J+K+V*zUH8BSbdS1P1Up33zN=hr$L`Eh_UG+^V zMXhm$Af3dSW3`(~W z0`WM;8EzU@ef(9VkDc}OEXbr6jYCTgLSr&^0=AHEZ%=rb-#_!>5MZzl9&Iw-W(6xU6tzIB-|NPsO8R>kZgt*A87d=_I(1uWu;K&vm97;+o8& zPk2c*?{J4FKV^H2&L`2u+30f2sHHi#Sxg|9F4b z*DcE~${_!Jk{xLR-O5qKFIh>IdINkWs^a)KH>a)V9W##A^_ zYa<6ii13r86H>WtbbKog2Lf`_e$LH}F9L^^H%H+)VSQ}zrEH#Xe{er&;ko$Bn4pHz zf~MI*JyAV6j!}1Ge+_{333nyQR#aQhcPz^y-hQe>$6}Y7__QGz##%<%ga8cWR~39d zSTvb;4+d1&u-M(|f*iVY+Dd}DBtbM|gQ&Q{4*$;e(Os<8Pl(nbHXOIsN8T;pOZdh_ zB5I&@bJ%T0)KsHbEu_@9xG!w{;~KFA%4;!yqy;# z5yBkmSFNd2mt5+-?IAglO0zyk9#r0~&C~|2CCdh*e=tq7>=1XrFSuDYtBY%~018m4 zg1FCzbv0jOeu+I+6rcNg4kqExy7GglodfK7tW}1 z8~@Ydaz4>>YED{&uuOS5!#s;Ap`JJH$zcq@EiZjq%MI#&8u4e3-Owt0M;{JYjx6qsnHRHsQFu3QD!h+X|?t zm((EH=ru3G%}X>CuD(ZTnqd1WuMkE>Y2%C9R#LiX7WFHH?EL(gQM)*j8ErXPlJeK# zYjU!J&8BsWe6rKy+%lj`cNckp&`V_%=c>$|dz-t%_HSuOSNF~R(1Ju00OhLt;jBS7 zaI&1G4Mz8Og4yVy1m`S@0flC2qi<)hejWDhpFdWee~xSbU`D;EjNe^mmt8tfC7Yfq>=%U@r%(rRLox_}=!1l(F~6<12F z&)0Lcz`-tV;TV$tzW`!_-Y(*UgGyVz82p=HF(?u=0y)>-;N0{q(E4qwON`)AQ97)T z;ru$6GqYzA=Ra?C%6d8Dj_?x^gHIgJ*2fbXO1n&7JIdh4?SA3#&jeHse_aZlqD~ya zvOT!?K$6vs9pxF~i97dv4bM?U>+Q%_KiC!u;EeD9xCv+rzysfY{3p?uM({@R8iJ_rI=QuR(mX6*$9|Cnvg;QFngH;yyDte*l-RPpvo!5fKlttxe2zNs! 
zn9lAI5-&wH%88Al4rAd2kF`|jZgUjfLyq1;*nu1zftO6EPHQ&hT*8cji&iX}vf19I zaC6rQLQSNJ(I2@wgRZ9|B^qGf|jj}yKdBT(^D_ygcU&;HQqn%BI`BuQT+J!ms`WkwSyza7+)kA$bvj;iZDqam&t+9JHpilmtVC2!|wb zVMa->0AU0{e@omUTk)ejAj(B9+>6Dl{+0XQ#ne9u41Ha8zJdu5#|hY1n<%F7xtR{= z!u{^y^=*r+Bm6F8GAq?Igq2ch6KL_YR&@&{iW&<6zXF$Sc1|4J)N*6}_|paHSDbU) zL=f_lJx0~ea*|M5v1YoKyY`P6c8|9>1#j;#gRYKzf8=_J9RDHRi}|Hdc&?G#Tqr*4 zRVK}#e&K62EQ47J`1UdsKNqc;>@Y{p zCu*dAX{vZt`<44#*@CGTHq&Oy-P(fng18g3VnLA?D8)*_36lbWF56J^rH~HCnj8iU z#xeDmf9Dg0JV91YXCUMzX(pi;Ekf^6#zlwVGuR_{h$7i&H#(y6H5^d`_MguX~@NZU|q1)S5}K)8oDq4tIK5M=RtVR5)2t z;ulpquBn$sKUN!EdY8zDJ2o!O12@$Af2h!}69hReam0Rz9M8BTUqqAvH08ofcKu6s zTIml97WEY$ilGWqE1Br!BORG;{u*re;=); zgbh8SHunQ`VjohKGy#p*@_`SX>-7lU)i63#ME-tzdqe&xcCcck2h@W_9ZT}QT56IR zD~6T_iBaw%SPiwEZ2$rO(l>Mpx!*U$=i=sahu_%J|Dz$MJ?!tzm&zF;2WBKUk>I)N zDzArP-H_r^D9w=FUTF8CT_=oTe`q%q>`4ii`IN3)UjeY6n^P<>Sasa;i?#z2pdpi2 zl$9i#;7=MO$4vB4wt`C!%v*OdBn$a);0A6c;q`a)+PPswheFs0NCdGKQL7U3CoHfs z@!#u2afFYs_H_8S)G|6~l$)&SDnRRVe`y-i3qo5Zwtb-|xg&MQOkC^Qe}0N^^AJO@ z4}2U7tyt+Uc8Q*GBeYz4`}pgxhpwvFHV?hCUN1Vb8y6yPxFSFcoB!hs@s8>X&b;X! 
zJ;GnQWyE^HQi$IiXnV(ZIHUXc_*qTZewj4>^>>H-_hgO+!6jSlsjD7Sy*kRaBkwOs z5{$)Wyp8@MR@%Bz{N9LEe=wZT`YsDWbs5ABbm5AeOHu&O9)v7VT&a+-JcwZ&YOFfP zt=(w<2J6WX@0~^4;?8y6i6O>v;(_M4M}*j-O!?xtVsH8>9Cu!&1va7o=N#x`3$Awl zto+ov@yD$xh|nH-B5&>O z%%VyzJ|}ffE~+8e-FYvTnBl7K3+lsI;mzr1NfuY%a{~SR|1*Kp-b1!CIYGa|P@aK{lPDNj_6TyZJMGpYdjHzTlULpQ;vZ==Y1#47xi-;b_J~m zQHxp^5KU!|P-2LBe^DT5_e(Y9G?`1NVKi4RwzLYUmI`)sE`)}sL!t${5g#(qfYL41 zYl%-R(>X_x-#m$(Z-PdFpfx@XDr0?@%E>C2N9`SnFXMy!R2Z6`P!-Cot%ulpgZma$u0jl4$RuZ z^BB+@yL&ENur>!heWljTjnAONTynoa0-E9MDM|kYO;h35W_j?(=ybS| z%>DU>kJv!1n_o|Z-`2W#htf5W;Y*1P(|WpmsVx=uahDohdYe`90_K%{6yg^irg% zJxm|;f0M!oph@zKU`Olv{jv$J4+b*hPEEZ+ELJ3v8|xX3*fu(Y7wojqgbvcpRdNQ& zkbZ5bV5jsHm#YH5P!r91h}4|EnuHPx zH>l*xVFydXEDZyG+?|hM+|V^_^Bw^%P)!vs6sJAAK66FZHhJ9Z!qQ6aLhE`u+CKon ze?KR<5f-nTn#ER3#Z~Eefq_s3#IcEvlW~S|e`O=-<=8A+)q}f&N&9rYwTMTr93yeX$SS z_i%M{hXG(4g;s-y5jy!KyU2b3X52<2e-k{8mTm0~$t@lOjbYK{gCweNdhPf)mT^EQ zG;UXU`KnK?o1K&cuo`}fR1EZh?qfZ%Cu-<`w;!B0tf5VyVKKb22zxeZ3DHWX)La=JM-f0^pb zMcy>{K3*KyujQ8B~Cc#Ja8NL{`nWUKDJ*R zWY7!T`z$`zj-wisGCVfFIi9owK@dN%WWKwT=FG(6BV@Bk$$XTuYK$DQC{pd*DcX)U zE<9%RNnhY2(GljJ3>>|Ktkf>0e|Ca<4lw*04>{kw5*##ti|V$>sB+qtdKhJBZ*+?H zh0wm>tp@X^2b&?0NILVmflGE9GK4xvVK2m8S+4Ax0r#^}m;e3H}CwuT9f$6#%`Oh>lJapIp5-ub9iQfy2 zP#Z{y*hi%WqQ3}jND;%ef2WM3^|o({d9OLnl|Pq05EWCX4l>pcojKb`a=5_Y!aOcj zuOvkxr|{qJh<2RDVD{s_y@4gEj8Ne=RP%8%IhgR>tq` z!cpBtfK!d=u?x6b5)xY75kZ-s*>bQwyww0!uA>{>2G_8;K*CCZr*V++F$#00!cp8& zkfJvnd*N-J&}0hKqxm0fqg89Byd?N{gc@eBBC~NxKT2~<)OjGLoL85iTi?G{vsP;u ztjK!{Y)w68f4@CZf7X{qu5a9=vv^dF+lzYj7ADnC!gu12S{hzL$;e=kkcw`Y<>$ML zf7(&*>w#%1{LkE<=&^L+ua9ohr?H2OIDm~M*Fm)65^wGS9oYDeKCW2}P1|(l;nrEx zkvQs}OTRRD;>$Ey9cb4)qWN$yyYvKk)Za%~s~E**FQGM=e|Lr3f4l~el20a__ysjK zZ9ieSm~067C(vTw8nLxRBo12+DJG0XOws%IACN%?7uate0W$_fqvD#(V}tGrYL}MPOz!RPSFzEH6lX1Nn6#a}#6-vK_scj&I2uwS8_8e>5$;UQ}c+1x4Xv;n;R+a2_L9f$8mUr19;!LJ!~TJ9NiHd8tL{1^-}U zaN_WaJymw=6*hvEz~ys^l+HNdUEwf!}^YVH4 zlT_R3f7uPfn6QFvOoF~tMUiAyLvXw#r1=B6p$8XFdCE;_Q`ZCu@yV!A* zP0${?-X>YjAW~z|7Z1=_MP4{jUP}j+u4im~V@0$V4_LW}*ZE6`KC 
ze|X{BsnlQ&LoJ8F)K!p=#NvK^*J(fFVaehNtp=koQr&h8@i-QZ_xGPMCJ(ID96{0Ho==ZDs{HsvAx zgJ;`nQuGGIP|Ttj5&DeafC0mk#AH5|W<;%@I_^LNstY<-j2-NW!2P_u=D#}8f6NZA zp`13L4Y5mcMu2nK2s!=%wbtCC43ku$mC-aMNFTNTy|_AZR!~3U6oobbC|Yg}`Yy4v zwu7D-Lj0M|R(pKGJC5_X)SB$RMu@27+y$cpl>s6TxkPGw8sru+JGlTL-HS79ickb_ zb0)?G6{h=cBx(lrodnSc^;)L?fAJPzoO~KrPK*lex}sAllFI|fpJKW%8`6cu$v6g`aEGphHny_8b6kJ;oP&V7&0f*q{9dpjt{^g{IeUp zE~U_KunW?t95;iWZ!;NwZ9Vj#`aFsdRXBh%e*;^?`Ox0G1yBvv zN$5)zi_R~r(4R$v0;?%Gf35(+)$1#q&Zd$Z;LZiZFZG06*GGOI=nUFN&mq;rf!`#1 zw;sYE1Z=X@Clo{y0JoHlIxb|krO@n7cK*xyad|oTV8M<`{vyOO<3?02ERHiU#`ET` z8H=D-Jjqe2{4lYUsbH!(2ceQ60+EW$Pv~T$!iOvtf^Id^GXfS)f2y;<)WFnJ+UUdi z4}K4sCv)!mmxL7fOuiPda(Kq0}i?Cqf9XmeP;`$R^S}xTc(i=PU(ABY3 z;77F3j%KKaA0qiPK7y28YEqsfw@`GQwJRm6hSLV_+#(P+K}oCQwI|JdB-Ot_#{593 z=g?31Z%AQdABV5Ye@UJ?NzFTjy@orAdt5IE(H%z3m|bSEe*{o-S{3)D$|OH1={4SK{`Sd$hprNI!iH|=CV zjT`&J7e-xWeIbhu0@u#XQm6~Rkr?>YHbQ^>RA=4fR z$m9BFl2Cy{N&|<&lC5*-I>@Mgg+o!BVgoo_+Rh$M5k%=pAYtm8FT!C&p-6lN>!N$Z z6^rF68}|b)f1UWkop74^egPNZuZPo9^MO4XwBP*JHUR1d@XlR*9nO~-x(-z>HgH)C z73rG&^U1K?+SGWr`rxc`aT+30Da>TFc;+gxQP$yK>iy&mEmXauCf2Mni?d^`ap%fCbfJm(Cg_f)H%%Dm3TXO_tmS;^Rw9 z>cwgUfA>XPFT~LXisOjAuegFX8aJ-HMh?v<#?yr!+#Bt9d(GL%aVPb1>s3vQR{>I> zljt^^dv_uvDipYi0A5>krZg=uaFM4(4YPW+T2THlPws>Dpq=a(D%u{^rTW^>kWE^H zTMoTWaKy&NPVm$>U47L}Ugbrw=vN;HCGE)=P z(N067-HTUjL_O#q>4U5bMtFV^)4m=vW;h{UYvNMmUmoTF)*J(e4=~F&E7)8&)`q~$ zfVlXUM~AT~-LM+*TYCzO?H56K^G{oNKvVeaJD9@s_^Eww-sgzT5KOTAljmIOc6#gxdg`ce=qYe_bmE^%&bznYfkLs}-)U z#%klxK(*L7=N9b=j&q(!I&lY3oN-N%fB7BUeDd(NQDh0gW4Yh&C&jC%ZVa(CYG=Cw z)rRH}!`ow+#i2l3aE~OIlZ+j+`R?&0L5F+i$}88dxYF7PjS<6bIkbS-7STi29_(Gj z;$9km`k1Wra89v6ybP29eJ3qRZf{@?TrdI|osp>sBJw@xeIIb@M^0Mcf=l}UHl%8s5l9;lnIb-nq3Vjyx zUC3f#)_oE0!XwjRCkIy8epS4XKU4)~A%$3=P{ofg%!tv=$?5XfCwP%uI@R?>iH3`z z#kvfCW_uTWt6mAslvk%u;JZ@pe-YJzTNauz!0Gnl8FLN~8yA$bM{8#;>_kq$d)Uv= z;|9h5de=erdlqq{sV*@5J<^HS2p6pG!KWVddW$Plj)AYNs0n}%#Kqs`fR@1W&6_Lr zI-SEVwXMkxx&VM812dvx`PsugEZ=4RyaNiQoKUg4Nq-{I3Bv0rLe_o`1?bxO$hYY{4pxE91j}17|s`$0F=Qa_g~vL1P%{yX_;|QGB|+3b;&b 
zP75tjFV084D?UECe{K+~!>G3=+)Ri-TJz4xI{AL|afOKG-{1F9UzxAce8Tgx7wBC` z7%9YgPrO=BI?BUahiaK(!mUXs6W0Z-QoHJG;1nhD{95tU6dhCb&&gc77*wM!dk3B( zot>IF;R#A?ZH^QAI!;#lJ=Phu;@&&nG0p#OyCs&x5E@+Ef4d7$2%S4F!*BhJ(*Tv3 zxuSYt6OE}RYBLWV3}M6^K%ba2bR(dJ-T8@4GE?T$uRi!O$Zye0%-zjsiN&EG)@hl- zO-9jZIdei~5zXJrM0ske{a_E`{IWmYx56Px*S2rVL~s>F3mbhVF=^$Z>W*?+KMH*o zMs9gGdG|OGe?2ZoLI-GpK|KAY%R%V`_GXh?@*$?JzcJTKfpRkXuYS0k`K^s^Y%)hE zE?UpA&W6pM^aO8fffPq0X1}44jWopTB07I?ftsq>vIUF6+$Yy{-g4uM4x%hyzD@m5 zt1mm<|FEP{CBTn-q7~crVF65Q5_W_XZ&}ZZhwafZf7<}97#E7B`F5$?{TF;hAW+(e z9j9V5ol$b^W0k^Jl@l3!=lH;>>qT+xKw-adcHwZis&-N$N@%$t5xG(I;Ywq2&=Rtq zpgRvn41s(+rV||CMEC&j!>`?S7 zI(C`AKL?#f>prqlq$p6yuJI1SBLvr{-Czn5gncljV%WD(@6sBd0gmqSF=`fu-QR+q!h5))HmXCye z$V5P0X$~aiZRb+qtGmOFEYjK(G>}NJe*lKLk^)moOI#`M5>L=nnjdvjUX$quR6c(; z1XZ4}@F#bQ{$wcM#kLw&haP)OGtj#Bd4<{K_uFFh;^j~PD|P8Sx|tlzhrzmxHmSEJ zmg1T`_sKEr9Vb@q6SPo0woki3yNeXk-)yT(A}={HxLK50WndP2QEP@8f6a0*Fs7E{?a3n;$7Fl>(iX?X-PLG~h3G-N*vA%* z|E2jTadz)-sQf>?7sBnTwh(u&oLyda4%uGIBi7%kP&jGB?^A3dgHX(=mYVDteL~nW zG8XtmL6`gKo)Zl^)b3jKZA6-ouw&m-m~0{sbC3Abj$Ejo>Kb$^t|_Jxe;gc#4RjJd zWz5pbLzUM(DVWkt8s=oQS=rajwn=IUF-48?P0e|1xgZS``xf0_~hgl9Zp|6 z4C2n)lkXis8641*e*{M;;n7P{O+6!Of+&zY!y z>Kkp7`9LWBG0|{BUVkCCk6M;i3|+Jv6m_=6M%}=35muNLb4_@wd>py195>rz)gMkG z3&f2re1oS&phtH;vS?`KxQ@9CB?jKor5c(*?C~;HL8c+Zzo3Vv15zdejL*zBX6}U} z0yZi!K$?6#f3b5LrWKybC0+-ox+(?P9)9 z4~h*_18nQK2p3{-OFY4kH8I7hE-fVK>O&m&t-x9NcdZp81lLP5e}iX~CJZTa%lMB! zqdpK>(ZE zVN9-_6_pQ{2PpU5R6`y4F77LNnt`adUp{{Pe{~h%VeNPIg$7JbUid1CN{G6Cn#$t2 z298O35V!-(Z$EyZL7P05!~Fy0tLU*1(jp}-R^V%@Em5!4_sJ~3fc+s?#RadQH}||D zF=$(JtSc<_9G}+d4DGm+WX(Krp#YF!u0KOM@*Ad%`PexPI(7SNY{4+{HA)zjgLXzy~A3~IV zq79`PV{Aj*=$f<$_*Lx*Rd2|7e{CZZwK47&y7W*yB-t(cdV=4~cS53RITna+6*GGE z1viP0*A^8O0Cc8h+mW|{YitOz8AX3LKnz`6iwozf`NH#;W}N~q4L0E>Mre)d!aE;f zfU<4!w4Dg6pb~p^=tZxbD9Q@Mh;*6T-r;_rhR!_^#7vZBZ8K|X!n@Eme?^vTl$Mv? 
zrSelhC2;^@3J#(=t$q?J5117E0VVVVcbsp3-+rQjxeb{c6jV%C;T#QU-*b##^~Kzi zDyRDhy?ug>59y^4N@x)uSgDZ#kTmV)ZiCJbGxqTsAnEKmDVsYFheupx556`nSe=N| zu=SJnR8m~>09_|V*h;KXe|B7dFMG0I=KM}CpPz3(&`4rk{VsBMQuLQgOrq1bUtG9w z7`xQ@Ds0UEVxIo?{&9gY*SAJw{Jh)sDk)p7zBZ_HwK!P3@rPbr;(DF$8Gmmy`s^e=@ z?nK+*o_kg+i9l9ef1HX{v7-IPX-m|&IhCTMFEBU+^-MLFlU|%VFH;2w3oEe9ZFX?_ z9S}5whh5d354I=75*fKqpdo;ND!%XM!|83Ld`@BsJ&Te0ZuIE zdFr9?QD-@kmxT5HCd$u1zBGQWI^>l`W{bB#*G}bu<9*h`XS8c&Ftz zWEvtzo3%{ufJ4cqK?Q=VsatatB`MYfmTzjDEt7|G^mLLQG|e??<{XfUhNTaB3F4j) z%V!-`e?PGky+}U$LWw%PqNH~0PlAm!2a2(jk5tyhwY^9pceQ6?ydPE2YesiLJ7!sh znw(TIqig#WEtrnEa;Drb2gaGou)9KbcT0P*CQIQuias?I-&%@}=QSfg3CEhYc_wrV53gn|-LXU`-U*|~@CDmyE0TzXQUz&>H&0JbU}oi_S+ZF_ zslzQ6!)(pJd2hgAqvu_Z0r3tOizl@rloy0laQeuH;z;Nk%)pxFe#;Aj-+|pYA*j&~ ze{hLnIXFU602Ui5e!mgasfI9w=C?2vQ~`FHqcu6r{l#3>=B#NOL)gahPNA zfa5~wbJ25oj$nYmho8z`(vYw^)-uEzk@ueGcm=3R@0YvLLfJH=I7MVka96Wiv=}V+&w>E{k|tcvZjZlR#6hfZMQ>JEJ;*Ta!gh=(fR?O(A5p=>AjByXAK-SQq!}~ zO-6~-U%i}M?5A88RVH+s;;4?;@*r~*oL!(7Mq!w)Y1O%J)`?afxL9F00~$2Y^mPAQ ztx~f%wvHN!rD|xW^z~)FDO>4;e|v;QY63;ZD%5Ep))RK{^iE_uNpACcb#F*w+HL;|AcI3**ldqrNwQfaD2t(+K0il2S!j=eNRf|91Fc%?_f>BNJ)GQL1b4}Y8Thrxb<5;#UkeuzWl9LMa}-h+Mjxm^nT`DW<%}g0 zsI5ZwW3*5taRW>!T9zeek9q^bD6+e89KIPD?0p}4GQQ4i-U{iGz<*|OPoQ>^BASp0 zmiB<<2I8q#4f`gVPht-d+KJLWgFFCQsj-(u9(u=OTO35Pu5~U%jHYxJX+UC9&#Me3Eet&c?W+>EcvN$LVZ5%MNV0Ylh`M zV+XQL0HKzFRLiDpQ6;+T(r)PwXQC{NnW?7Kgs@g3P@RM7LuiJ2O5`mNg)4Xw#5V>J zkY3rc_tnF%gL6Nb(^qb&f#KnYI&73!+-U$VDE9Hg;LBnNPXc+ zjzemMG0paS%0yjOX)dbTxj>WH4>EjzXN(+a%EVV+@!fK{foYcEj1`%#NTYPwD5@`~ z;I$qowF}f~??qFfrzC4_s&!I(bfF)|StqNKjv%e-#vujLboVl^J62G?8xwB*_wtQK5g47UcNWnQL&(+< zq#VgOb20y7kTUMUYS?ig^M}{n7k?wz9`Nu~DH_q?IMDK$gg`Z6IkEXj;0-?O<}SvM z*iJsO6|OrxJzK8@04V8%AqUSGvHR07U15ok2!AAmi+`N5P;~(b7-<4fU$%&A~V%J!BdS zC(9YkL4RSQMQVG3TO{(!sbIAjV)fk^hmt`I$MJSUiM*j&EM%YL48Ks+!r+&p&FKjM zC*UYnw&$wtG|#g<2t8!yZS=$_#JGrPsiK|rQc~$FgwC2Jm@tvv)Fo}C&tmm*+qSm_ zmNN};d>A|ma!bU(XjL~Hye4xi3BRIQY)k9juzwwOpK)moAt?Dp4SY+sLhRV=ab3fK 
zcu(&yo9#Q*WD_~h8M&`Ww4_1_#=dI~%GI~W{dmvz67P@QNCGft||xMv(#lkRsKnaYr3@ z7k_kHbtD5NurLE;K5JsVohnf1l}ZjL0qx~25u)XZ!9_2NS+=QJ$-YR9!?t8JSw*25 z@Zz63ssz$_m+#{H;eA`3b|2>b{cFEJv}CCM)kB0ra60=ANoFXWO|}e2-7>1@jG{1$ zM-z^o+Y7{rh_~q>3Z>Vpp!+xE`jO90b$_M@Gszb#&TJ^%{NJJ$3g>%6+EJ}4n%$ab zU+LGPU_6A|khIan*8vAlR$Mf;q>d=LOVk)~R8HhLE>D&sS=msRtE?q`rpLSGcCLhVOb1bW|4ID002i?$Oz-3_AUSixS&I&PkAHjX z$qB)XbJPqHrJz;R!N<5rYkAWEquIGx*+4ZR<#9dIHIhi_fAi7bvZ%}{WvM`T#Z zEqsmT?ugOFPi4uUwYM1+^FsnuGOAy??Wq4#S#zc_FBuRQ8;Qjq&>QR09%7gc!uFQT;hglpX2<0a0e_rG+hX{| zbE?>TY~f5wQ_?d-09mz3-fKhZEkoX@zR6mCJuUTFZb?X7AtT5KY;2=?0hlTMa3|?@ zdfrmrKxk*D$Xcc-CyA2|#sA5xc3j(vTPwS=(g3$U6fsa<6F#D>GmT=FN`V7;8733&2lR0YzDLYgbWo}4L8gnlvCpCLbgHu9FaT{2Njt|rg`QDPZP)U|R zL~i+tgxV)Bm{mBySZmb0SQer#IPVI~%TaboGg_8iSc!61i>9lA%ztKRapq#Q6^ndi z-1QPNFHdaZ z;!;C%=*A*Dy@6>ggqe&Ij^SW@DL0U#vpsMZk1Q(XRjLyuH2I14V3w--gTO za^fCqe5Rp9{!rPCITdztF>G%bNrP+A9~*%yC<#6)_5;a*0zkT0{jb}aJa|aZ)ovdP zq4TFYun}Z>)56opsYD$TGAGPO%i+~b?Uk&uo>KIIn^FkduILw{!P0zK+4~MBsp8rZ zJ{OnH@=Dm{DSx8DY@eQAsn%Kt)_!?wfM{{K=weM?Z{8`hjKy(!z8m8{WTPG?0@tz= zmrUcbSt_k;+mH8WN=gKdNuMGqWjVIn?}y1?(qZwZV30G(Y0m+%6v7w_iR$vW3u|($ z8IpA55-b9;HsJFXhar$U=`<7;8@k^N#m~rIY`14cOMmtrYhgQ5vnhugg5eXvdCedh z=i?~UVu8u*X^l*tKmf*&guYlb`xKwpG)(u4veb~>tnA6km^d*#c9h!gnW%8*Sx5cK zJR{d5R1$KV&#UQcGPEM&-y%S8tS$`47(Ird1tnL|(Gf{w!LQ)QYV6sJx z;YBBk>sBoj4Vmmpu)UBBb>z9!yn`HjMOJTIcd2T!=Lg5?lM#)|{W9xg=plJuHr#qe z9FHm4k=EeA_M*H{F9(eFoA}{G)`LoD zyoDg15Ps>*G9NJKsD!_?_asL(TZoM^h%w2^tU@tBGSw6~r_|sg$%YDnw9U%pRuWFn zvx20Ibo8#?mgQQxv1O_s%d#w?)u+DNzJH;0h`x%UB3HGr{bAH0Cv>bu#u{Q7E^k{- zakC}+JW$z|i!~j~5Pp}%OUjydEplQ4LjC2vAPvuw@u4RxQaLU^Tv_Oj1B9H=*2Up6 z+=9$V(!|7!S-e@T;*wG^a>C4Cy;!*!VDyJ0Z<>-ER4Fw(aJn$Aj#hyqB+Fh{Yk!f> zxsyEybx<_vIqU1QX8E$ZRZFv1Num^bjt<3I2n^+st~!9X$C#dw*=&1BYxQ>I(==m- zzFc6*xdKnS)QKy^x9C{&@`vxzy z$QE+}u@#WVQpOX@(tCOxU?=juCV!)$BbjZt@YWXtEu1Z_mrri3vTSJZe<*j&;l?gc z@D!-EPfg9Z+XIimaw=?xh@DwNB9e8I=-NqS*e`D8gd@?ctVMI`y|_As8b%TX878lb zOju&3y3=qLP?d!Ggrl;Rt5YuhF7>8bKK!O;s0t`PMSr5DAjVAsPK0XlqknJ;mfWv$ 
zz-iHCS$Bb}PUyvVg2Paw1K@WsB83zRO4JZrT9f+M87o(P2yEbcX;2Odv^jBwH5erBX`kxb1D zQX+Ev^UzPR6CrjgEbE3|7t|%{#3>^!2|Ppuys~15o%aJSx`AGh1Ahvt$4*zHmWZR{ zfmkl&A0YB&gql&qvXxamnTmEP zl#qGFjk2U%-WaE2Q)YrF3mJ>^q*#?EUw;K_2JBm*h#N|o(|cyE zCN>oroC1YVi5yAXJa4wCUT*VZnSzrxzE;*Pc_%BwHE*%rvDgI5YdAM3s6ZcREac!{ zWLhqeV@=G0pQ%uA**Z&G<31;Ax5!EYBTMSq3}8e0jJJIQ{(lN3$(fF;qn?HOzcEb zw*DL5#G*twye0z|YFUYx*&cGF#SpktbTEqB>oCk-bbo#O7ng<6u}Y(ka0+-MPNYwO zY?G@sS`FT!tS`tXJ8&s@+c2W)J<81)LnpYHgOG-yRk-<*A}r_Cw6}q{O=#|IkLot0 zO~c#?X+GzGWbrvd$nF+EkAvGpfIpG&2_;J;#al&`MOxg0GpJ7-6DDZEvY9 zDy}4~N`KyVf?gq-F;WJESGdpAE<1W$6G2U=HQJ`lVok7Vk`||&2{qu(;)?a^M7b5lrTrT%=+M9E&ZPpMlBv^H%%seitr6LK*vnFSq|sax19GJA3wbZ8L~ zIkO0MWSNkS7~7Sp$691`GefZ6(Byf8YhTE!5f}s{=}^0n-p;AWa!10DqV(84b<*j} z>)M5(gm)~X^fkZ^A;-kfu`E`YEZLM%q7!>^0E07&1Iwhf8%S%2RKNmv#TF@)IfN`+=Cu=0BL#v&qA< z`gYrxtVmJJZs~(CH?0&Zwz(lTBJ!Ls!F?m$H+Jv%NVHDdrR{+&JK35{)j6qKw?_&z z)rl%Gl3TiQn~y!c_^B28xoT8KMj#pLcYjioBj8YkUS>T&cD-VuhJMdF%28DC5Dw%b zC{9`@T%Rlq*^YIi#)ZONwu>D8l8@R-1P-~J=N>sP&;-&xu~Tq`2FD>BJK@Xshc%)e zN9&eX4fXmkum*fRTW*8la6YN}hFLSVofbpAu?;Y8zF4eujhUG4o9`66drPMcOn;H3 zo2R(=fl+Zu&P=_h<##L5w%o;1MC-7@@ODv8Te*2yMydxP8`sdokLLkgEJ+gKSjP3r z;4$lvx?XDG*g?d2aV_=&b$toNNvDx^Cd?CTVk8Nq-6EkDmo%&etcI=VR2Y6ruz<#; z-D4qt@#ySb1I*gxhzwT~^M+Cn+JB7_!Bl$a=7;$UBt!w zDKSS##gOrhRgLZ0l@^hypMS{-7AZ!F zEkeSQJLZ44G{u)^Q(2khO(PS>ZMR%5(vM{~LSXP)RFzs*yvkI~1U!+9QxAUXu9R5b zTaMP?Feuq@+#pPRm2g93%a+`z+>Ibn1?apl;Y2CAx87?;y+nu?wOO57WV!BJTAd8v zw5X(@9ZQ2V+c=rc(q_pg%YU*tTlr;87_2NotWmIHw;XA>n)G>58#yAYnzUPbM5oiI z`JzM{BkCueQf zo0Yjbh&OQE*W%rS>!4_TpuSsK-K{k8+CLSJa}XUUYf4(B28Ws;uYbV8JL{3&u<&)y z9uwsza}!_7@#iNM4(@yXJuGKQS$=SveU?MgMpebQJ7W1LWNt=g@e;Kdo3LRe5i&Ka zAxi*X&?S{ngLKf&<(=31=HuQ8!BNl=>_ zF5O;XO^(uKNO`PTL4Va8b1ibRZjviBo64=+roN1$w7V3nSrrZ%P!XFfVeU1UJj&OZ z_B;WyY(iS8<- z%=C~SZ&iw#9e;}<JS6lEoIa_9nU{`~;41}QUGbAMfsqf?Wom1J`sw^h-bi%r*C zFp(>?x3ZTx#L6QNW7Pg#?sl^*Bc)68gIVpvpwj&T74zBBt(7S1NH$ArrWqBJHw<~p z5b_c0)SjQ73y9}(Vox@`Ll19{lOLoeBEY?8T%))`nk}|Q1~?KpNU(TW-8)<~=Pvih 
zlBjYN34cZ=2nD33f>b#4VOIOod%mM`Jh_3LlOpO&XQkjP* zZMRE2@}@k;>NH!FRv_EpwISx`jDQ!6x>{=o|A^8JL^#vb0&btBH^y>}Ovc5zu8tSU zUUj0OXvQuF*KTJMnK#+KP@~Y-awO5C=@omXNqU(Q_qP zI)6nWcnW4j?fYpW6n}=U^QY2$>^{0~Ab*C^1xp+Jd|XDP5d6#Ap)cOvhH7|!qrP{n zFE2iX-L5O!tYdxM9*Xs!^UvpS6i}KSQY25Wst@z5t3!}bOWuK5mp2_G~D?Trn8-LK|C3`*$&GE>xvVW$2 z5b6Ri{gB4S$oBZ0Kg*9#QJsdZ&kvZEK>YDT-u6S5 ztG#S@xVUHeXQ0*#u33e^(coX0vflFTrb)+4C%JIz&u>K>Kg;^K|1S4Ec?!nuKX_Hn zzrl1teU2oq4eE9C*MDkjyTAVXzkf;d^5319$-Rx~HC4OCz6RXDU;p{9|N7g%b^7)LdH@vR`|Cfl zZ<-|_Y=g`p)O`D~Jvaja#_at$-KNiX!~hRsyL(S}F+iLW-cLqv1;o>Px_>{lu-oki2A;?>zLxFgDL9raZ;>fQBY1gEHy>Mk8r$&46SpMmA0p~MpTOqz37)`a zySc~bzrLg&a1u7@`+NA0KY;!3H6OKheoAC#K(GoxlZl7M$kGK0`frs)A2J0=t z8$k_jfvi@q`>}(=0S9#Vlz)EQ8wy;ME#TO00Z)X>dLx?2aKN>F4S!Z}zm{Rx8F9|7 z#3f7mr%K}wj|Vc3@OI=kfbi(Ng0Fdf2sD?|^Y%cG=LPO~_{US_YJqd}^KIINw=#YZ z!0T?e&h|$L1olD}DlxsOg`-3MvvU6P>39wQG;V@2o(s4(;myiTIDcGRfRWLA_+W8w zKZhS>F@AE#FYrWm;crP(@QmpnXFqoV$`B*+-=p6ojHUha{9)TfR?``;xZ(7{# zy<#Ay2y7Q4N^ZKEb$_aHlXYv>`VIctzQ;%zyir_oIIvUUQCQLcL}2*IO1?xf)oqqw zSC|Q~47jM>%T7Lj;A;tw1rmD4!K6S;>DwkkWF@N}#gbdCjz2N4{&quMl_f%A-HAkY zDa$JOyQx&Uep~T~Zoq2BKr>apTCP#gwqrkbr+%z@JcoZroqsr2|D8MY$dWK`3-3$; zN0#M3a$pdx_yq{6I|QNVphx zdl#4ZGLGf)K9R0c{t`aC^L`OyJqM2DCVY%_>$P}}VjM(UWIwW%{$ZasQR>qGp*2<7 z^G(W9*SV~5WPj$L!{9%sgl|!<$jyk()#C7Z&~MP3{Ye~ma)ILy#<}^oDEIh`rt-xz zrj48QBYXiH;Ghsd_T%cjznRyUvE>!Tyc%1jPHw1U#-yxA>N1(UOtu#6+-rmrteQqm zZR)is3|>owQ{oK(gY}OHHqHycx|-YQj(HF2d>b2Qnr0 z@JMzMLa}ZXbE$q_yZKWUHbMws)%Us7hU+W6iX7oDXm9J32|W!0{e9Nxr$%{%%J{*T zyl_4iyC~_>Au0Jyz0jwRC|3NqIIH_l3{mQ@egGz0vHeJ&!@E;22=l7^OYrlM-Nx*B zcJ=6|;D2u;W7anO=j|^)R>XrR&>6Sb6~Ng<&6@KKDfr*Vm*;P01O9yXmhN8C=inY~ z#B(%WMQY4tA$xfWZnZLzH3DVN8HQQLJsQnh_&28?7CZcq)omg$;xZwb%sFIs9w+4~ zc(il=_4FO;+JB$nypF$(u;-hYHQo0%|2jbhK^GCI5@^gSK3MToNQ z4`s%n*@ib^!cO`E-kyCEzQ5{=;?lqfZ?quxu6XvN3h&SL*zir1te4eFL+#2@4WAF? 
z$?-?|h@UKE_*mED)7{&LOAx+&mQTJrVTBnC4jK4`SI-~md-x}jwyZ1H7$8@oU-;ZS zXMY)Q8Ycm*m1@(P4L^;&{!l*(e=%>zGN+IQx0g9MG0U2y{%K_WpOp43hTy?56f)Uc zWjIR@vcgSQKh2>2oRNelbKj2U+LaGa3qXPhdQ_~Zl%latAO0T`zCV`vw&5uwh^EYQ zoTL25cDWzS>PL9PhFVE-U+T3iX?8?5n|~N5_ILGH*L{sZt9F3;j_Z69jP*LMn{AX6 za;#N@o6V}^Q}tT@DE<1+Am};9Tk4o*-R3F9|F4wPyfI1f)A0Gvh4KhDh-;gEu{4*b zMh&d7D-#Mc@^1LnpkE_pEO>0gpV?X~scqEXE&ORATeS~xBiD7&fPvPffd=Xq~xNs`N`0!zPB6 zzwuq%?J=B#k8PB&_4Wht7T)dO{C_0E6K;GlI7k06_Cq5SMs9x{oA*bsm7DuskC#Y9 z-W#lhE9<|8&kk-x5F_}!)m%T{^C@7{54pq-a4YWj7%mWA@Aeq3$Kh^P^6D?b_qc99 zkr5J&+nq)DUihsB>iur7V(z-b^M`Lgl=m}HvnTO>w_`a25u+q<eRRrGH?T7O15gh2-16Zn; z2Z$`g4|(6*V|#mqFh7F!!R^JuyA~|RB>aA*<3Dt``L&;ItursW{j5VAzBI_cZ>38ys7(DsQzfK+|_})3x9gQw=sVZ5k?Vi zcV73b1x)AizB$)uvF}$x{-e2a&&ug^H6FlV-yg#B-5TNZzUKq5Gq!i^wq2U9_x7D1 zFA+quZl{<&Kwapb{E&(C{0OY)`+3c)=MJw#`Ktu{A!_LN^PBT$@$m@hZ-m+K+tc5> zm#04N=C!W2GQ7OaFMrye9}nO(!pmj+;z2yXfq00r(Ea9?W>Li5Y}DLb-#?EekdMeeClo|a~|Dp z?`A3f=xRKGz1rSySYv)m?>$h4wV8Xzmw@5*5y}#q`=uP$2!HdA69Thv|9%|gKdjX~ zlkwL`TJpak-#&sbe}u?t`}6>={GMjwlKMPCt?Yiiu0IICcb}+wgg|2Z03hy|ea-x5 z1mUdPM|d7#?sId$D(*b*x##rhSj>I|Zo(#lROQWeqPvn4re^db*s1%qg6EXBM_`=Z zJ;1)_nY{Xp2Y(n_*}ObNkbifHo$dWX+j*Pk0R(O~_bZCb9oKzFV8?9djxpU?d+HGq zt~*YRT*vDkf&_i%`#FsWJiw8-V;TE8p?<$Q-CV`;0d!67m-k%@mJeXAA3#v_j%DJ#MOE&H}pgybJ z-j^6K3J2c3V0p*Ew#y9BBN&JX>uheP*4N}tP)VmlB9{6k~s}-MdUVj+=^ctnZqk63c*Q@8@#W8lmcN~2_ ze=<;;7{n>B&%f>yjzCA~>cm)92{;L=V|uSVSF~;-==F8A7lw0B12xIQn`zCy2VSjg zot{i|9Otc@RBzj-P0CvK4bDsV#(J)LeoG_l*wpGMJI?m25siB#QGBN#gx&e2M4)n6 z4u3D9WnIan=OX8)7+d1uD5w?;M$2Z)({GJ7eNwPDD^=0JnWZr^16+}^}s{TqcIJOY*C9L9d{RX?jCbnv006NE= z`KgfngkaWuE}Ga~3~~2gz?m(*j?h9ba(`3VeR`C_g z)|=!gc(YfXYRsOcT|++-yh!2Il);81>}V4INAvNKzDJ5p5KLYstn1P*UgWy<3Q^$x zgm2mal+-8-P}-FB%0G*V-~<4QJqink-x3D@588Ua9Atbb%t z*9bm>EF%B_OPZ8Iw@0RVT6GxETao()2jRz*Mo1aU_mJL}{ii5JvvOfJyL7k3l1HTH za}$_L*8BXChM$fAKu1-lH52<@$b797w4Jt6g*R#NSh|MUQmt9Db9%7>-xoZ+@P~0N zM!dx!V*3M`%t@3GR#d{WhIImLyMO7_nEAoquLULBG`t|xFTh+f(U%AuH;1QUEfy<$ 
zUJxAD@D9fp!&tW3#F%3#nrn)a_WQMjcoY;2e>!|ooKvj`2UIm(Eo4&iq|?09s_@GF zW+{3E(dsKGFEH1$8X5@Cl~nDJeh;!@9`!8DY{FAxZ$NQQuYzCNTb{%eh=1G@!}Z$U z^+}9TdyGd>uf*$@3kuFYxY1bs^h+8Ue#PJVZ$A3Z-93J9eBm!+{WSb52jiUgnzvX9 zYnk423$a$t)7~VU8JnD|-H`G7B`#6)a00?S=e!YG>)}xT5mJX=o&aCj2$ptSbq#n! zKtmRWCoi;(F_V5Hls`g*;D3QEH&*k8W!$FjFYS?QM3~m#J;d_1e)7)#HqYTPoNVHH zE3E4hN7$gtS+mqUe5;FpAH;VfN)MLE^EBBN{&M?ccySe_I{}#0if_^THKp-fgnt}7E!ekoo%)s6GINi2#c_EjFS`hOZGWXG8AP&@=QdTk z@`DjUkJlT=NNS1_4V0n+Z^CQQG^=%@cWhn-w-`4dn7Sh2%ZOklxJf%UD9O3@%66ly zRKL{WMccu5^{rP+{7Rk(ui^bWL}wrO9z)=uY+M0NrIl(`25*k;{$3x>eSusu;_%ev zvVqU3G+Xa0MpA|G1b=YJPs2~EdLn?R=fhP7!siI3=Ax?Y4aL>>I4UIn0OCVM3(sUJ zSF*?Rl*xM+(}kng$~%DKE5-dI%}Cknb|@J^ZG{lo*|GjFqvp_*KYLxP+j*;ZpI$79T8 z8)HPVYM3$HyuH17(k>(D?N^P;SR-W78>S!{vh|FSgTZzM*b;+NJP!#Ua7rDiZ(V@!+V)J8!KOa zW36}k{IflcpuAS|rcsuA)Gfv{5PrO(R$aonCNZ{3Ykw||IG00JksKZBDZ;|vTY-!= z;wgeyc|JWpP*!lbG7g1GJ8mHaDdAqL9T>HHTGH(4L|((H$ir)la8v{TO7EA4OZ_etq2o=6H{&`e>qcvx) zMt}IJ($8bpuwm^|UMl+Gr;PxB(Ffl`U<9$A{U%E>xo3Scvc5ehi^A8vZbUL??S|KH z*fa6XMSu{ME=0=l(HxP#F zAsIsrPg#~R0F3Z-7Qo#yIe4D64ZmD;-+v$cq_>_T#KsLP%!&}*tiuuf%|OD&ApDdD zuCPbG@5s$B!6S|vP+VR`cy*5(pT)Bafy3YAhF2^fQXKsj3amRDb?W?7$etqa??NZe^jx8bE6928|)((S9HXn#@z zL5fXSo?}L}#z`5c_QEUcH;NUmY5JP-J~_hQBwKi132!rAct$N?{DVg={{q)oLwkyl zZ#1eBGTk%Fjyy}ny6)gEf&$eD!sNBcjOAV}ZqykMf3t4EaqXu?Skc&~Sn~CA(cAE& zX|2yB)}`4Teu}we`My=XwD3Ee;V#61C zM?e`f5M4_SpU1Hn@7Y+}L}*3-2GAcvrr{5fL(~igU8ILy3m;3hoac4lre$+Fbkfhn zzug_hyPI|m9`?7qVGZwduTm$DKu5SU8pT{2k@?8eJ1L#;KBnbXm=vDG$$z8bIVwPh zCvyP^Epn4;l?hoZwGw_@sLbK(-)&jcyzy4An_NzW<*zpbLDRm8!SuQf$u;8%A4#8) zKq5E|-+IXCpIfaDfaYRL!gIhTFq4<_J~R`}Cwv{Db)`S;!G523-{I%E{2@5vRrr!l zD{ODopjMTAXJJPS3olNoRe$?|h&j&wB|Ikrr)#l&gEAk>pMOza3NHf+00x_ugwo2` zYTu>ddztH>eYt|W@F{{Sc$<_*Wf`^)RjN9Z?)gwEo%IG{Vgqh}`|Vkl56^rHf^SxO zjEnGAV3!jeA+z}xu&&-YJoTvU8we$tEHZUU&*B(m(<8-%L+0$~3V+~jMo5?c9kf|4 zA0gs|mzR4p`o;;q@Rd`46xW0(yu%zeoyhl|0&CmwzQXJC&y%g;kAf`icv3~Rb`&lu z-r<>8{wOZPM!_%aZ5Up0d@*=ZdK(7p?7s$gL4d()Wbj%^3s3fy!hq>K3O_xHU4#J_ 
zkK*r)q#wQ?AeBV|ZGYE8ZpFaWR-HPok_4~i_}~$MG&Yfy@?-X%^PBJyrW)(czKfAi zHZM4Y+;r2@tP4@!Z*SH)3<_>O{~e?lM&y@>F5$*@6aMHpNJ`n9-LUTL%ApF+{rx4P zYY8Q|)%hKwbDw`3Uc^`xLMBoK zDok#Z8*!ncPjIjCcU-=hW}AfK9I0PCr`c}I;PK9HG0l|o!t;)P{h%(5f$-`#b4FF{U_FW0M@LHJ3Iqeb+TkvD>5&MjIcw&|Mn7+4y@* zSCOsoVZarX=YPX-Gf@$|KL8o041Au*_6eDeuXv{-kaCqQc*|swa-~HjsU&YW(~$WjhwV1W%k=!u+s!g-Ocnrj{*^wui@JdegVu zV>#a+do9CfAcLxv<&9~WIq-`4FIEWuemc0{1+O?W^nddAOI0nnjp@>&T{{!kYFhY@ zXPOo21jgliooO-+_w1x7)j>$0&q#g!}r;`>~B-s zejU=c7=OksZ`o<}Ik-vT@Eb%r-f`5m@igrbG}h@*pemG?LvOa-g6B^lv$ zbbKJ32U>2a;^hJOgENIE4vR?Uw#F~%vt zk5B4!qO^9b@-B3RkAKH!aSIeD{t;f!XmsF7rGHSb*t^9)Y8A)9lIEvE@{{$Zq=C_h zFivtCn3)R;URS#f$*gP~9EdJ9X;91Ny-zneUZ~upO4t0RN>S^S<@8+UOd;XnuwD5L;j#4)Pit$Y|bn`m};faGct$!Hj8^cep8P@Qm z6E?4%2=WQwco2+Tzcc)v6vJB6%Sx?@?p)<4!aLHNF?@tS7!wn}(yP>a7h-K<;e=Kqe zZyn(CA@gsXC`+>Si!-my+wcrT!=R(a(oX2xBnyCpD{?d-b>oMc^pCh`k zMZ@cF{1VY+H*om3RpprV_qp{@I)5J3%pyD$QAzk(4+S5Ws)Z*w`2o0+^ukx>jcDPv zBuAz9WuuNaRTSoAz3^;3vlp4DcE0_)@XN%#09?i=B7FQ%aEUUiZZk)l@o{sUr`%Nd zX4>xnU1XOcgv*VxiD=mhb?8!Ri4dLPmASMT#0eX5 zNU)PbOZ!~}vm?BvzJmXHrra;#!^ZY>(~80QW}EPt#jRkjRDtk}GXV3ug?`9?3!m~x z)|EnfXxYu;`tY-0-Y}+i%YP<9DB=s@%oW&d!#@Vqa$AEn+dgg5;oao*QIvK?IAwNq z!V9$-)yraipYQZq!t3Xl?iQlky!{oy2X{p}Rn9z0HDf#iadUVWJQu7H->Yh%m%+pc zl`~%u7sgTer4Z&TvG6X8l50s_$3rq6mc)heh%u&R!Y8 zyuzgji`4*!wtbi6EPt;tj)XK_$bx-)GW0i?j77i%H^!x-pY|Y+zKdVO2b1H~EtqA+ z(@Ji7Wh#e{vL_gYs**~rQ1}0s^Nev^{GnW>FTyWCnShjy$oHPAHoNpad?96o(Qt{R zp1kQ-=$+@nV|dZZ2?1&15ZDu$KV!8c603Ymw`2?32!mUUh0Kbi*@IKpEAm&YV)28&|eo;1lxR6Itw zru2|0wNE=;q?KZwUFXqX+v!i?!~DL(q0S@Mj%z#>u2*76*A@(KR&IoH)oG5AY#c=k zQCT5a#w~Y5PJfU7Mij<_O?~&!UT0FCg9j_)m)q97(n2M6CHtLu+wh*w7sG7xd;|>kur|(kA!LW2Qt;;!8CJP1clo6OZ_|g``H@B>6duG$FEJ~#cvr2C{>nns; zjk^`e^?#{E2uV@=l&=LK*U9xaIIh9Vn0_Fxb=2@25--Wl`Ak!20R28?nd)s?Xmv~- zKfo)84gM~A37KmmnOCJ@rmhv<+xK0;Fmr`CUCD8t;=E_I<8=ZZJ zOJ_}L_CqbIT5{`=;mssWg9AFGrdG$*zyo|<@PAJh{Akjyw-$^EGpxhuG+YsxF^_P5 zn|=f@uKpI$bx`bK9@31&_a6MR|BL4|I)xa|sVu!jTycA2aEEXh8nqHFT}ve4Y3oOx 
z<;?gC$nMhcB;X?lbA~ILPhG-{;YdmHWC5QiEP{Igz;qIQ`{ly}jG96`<>A!6v*C({CShMbTaU*hWDaSg@^cr-tJ4@>?&NkL6YD7a znE@m$&w0Z&1avsWzDaq#GW$6Bnq35O^Izea>xqRgU;GNvrFRnkPK|JIU;LRf?3V_F zm*{s;ij3#lcoajObWiw&g=Y|5t*kohEPwe99)_ot-wx*za|cghM=S-~KEL^wg@f0d z9E!dD93VAYUB`}vrtmXE4nhn0d}^tY?yE*wcs*G^2=g(6@Pp+OhDqd#YJ&gCJBka$ zOJgrQfx{QW{FOu)%$dQUL~dsb-=5;wiFFJ!D-pg~bp z**v@wio?(sB5NSl^_`H2DOS}dje%VU+(S%>ZIk%}Id7S~!cz-on=iVp6 z7z={QAhmXyVDNXJ@Smm;On!Un+J{#sb&zs(a3p8SF`wi32)m-aG5j&@8zs`qxMhC! zOy zR@aN>c^nhJ4q!Ga6Q`b!EPq9p)_5tNKc(UI6A%T?6q~)2lb8{iT3y$+M}^{-ET`e6 z$oxT^$@ps4u~sd zooX884eAb9S#|GRA=#ton zA11os(FMN+&p16BVSi5HSAb^8TpZeoLv$Ygztu=SeMAr?aHtH^EW3H*0Qj~j_NZWz z)m)Rcnd^MQYm|t{6T|4^qnN;gvxe)WJo!o0#-VI^g1Ag0L>T@WVN{y)!gA&(&iDGO0k(_A=;b-zk9MY)7^7TP57k!2wpcz4!R)2YKyx2a)u^65pUfo*s zNY~^rGReJ$&gNvcIHdA%P5W8}^~z?8L*YUcdx3p303zfk(TKkUByk9Bx5R1}3G!$U zg>5z)U!kavIOn5gQnSyMU3u3rrfr-CubUS-DT#waD{61&t$}f79}1Q8Oc};j%*dtO z9;eFe3*&NI!hbIzaWHghRNJZKlXYx$|Ll1@CJx=Hu#U-8Ho_|$+r$ulaX5~=@mt;( zXQF`1V%&DsXX2~J?I@Tnu8LcdYq>yHigSiHKgN7@zaldbvw$UnETtoxK3J>IDek^$#GnO=-0?PtDnTF+VT_6 zd&^Ov{lYZ8>}JG^?YG)DPP63Sfx9lcjsE1|old(v{Nc@seQ^jLe?$0-cRML%JR-dF zwFobl^zX6#Ik6M{YV;;?CChozu_5V7Us5i3@i;UXZ!G7fuW>3rx4@W&)xwKp zIUt!hc3Qc$?|wT~u9f^qj|TN0j|^pP8;`YbPPH@60DlReQWxB;$a7p`;3zps1z(g4 zo%icDL$Fy2&XgI)X$y!%b5?jO^lsv?=e$t-F<2F6=H2^g zxU(9E048z>owP8_*Th`96X8|P9iD=pPNHQM&zM|^a?kymIP*-mAekh#w=pzo9hO?x zjgLjy#p~PnV7MICIR3}Ijq?I0AO7t&7JqlfAu)-kfbm2K48OMaMksSB{5W^UAIl|Y ze~A)o3n|s%JvAN6J>+K6U6kCz55&1e6sIcahvD4ujq@0kO(7b|;Qw-Z0B;&>ic|CZ z{4}-djpt^hIMcd&*4SP%-=$q~7yxG`QzIlHRCdugk5jzaE0!v~%9J@bYN7-``+q)H z!p}}^Bd9-*5Hy2~MXFY5k;tRhGQv2i)J;%kgz`8%*%3;tPNKv{HNAzG=h*~@w-qOlYDK|J*Ra83osN_Fjx&D(6R(L(;Lq z^+~EmWe~J#w(nP`7q3mnICFBp!Zek--lM!L3=m79*K~x=mB%9g z=NU%gJdQ9{Bj!u%Bodj<6UH?@+r$~RMI4X?udQdF6(J+N77d~5K@@ytH|T#%G9gMP zOv2#M9@P|EDHL4eW-eM`7!%FABkZ=UL(~ z830?WGId(hc(^#hIAtVH81qdR_rx(HQb&0!Uq0fa^O1=tJ{VAVj?T|1H&Nb;W}PT- zJYr?}@nxJcj%D$Man;?35|)2x_N_F;jeaDXII=-VfP&mYtSq~n5&WZ+N<3j))VSWG 
zL`Iso%JO6q<-1`HBhJA3jc~4U<0eW*tjoR82hV10B)K##93vOP#v8Q!TSFQ3r15f8gxWz_59D{0yzAt<4NrUZE6o2al6l<~2pTmApJdHP&i+*q%-5kT4hU;mz+nXHz z;`G_#0IHR?_K@OA1s?++N9n>3#f;q$#kLz!p=REi0{6Af8Rw0N3MHllF;h2<2}M}A zji0Xyep2mlTnkYzOOtn&O z?VFX3z$IvoQ(VQEaHtw?Mly?U{UOf1J!A3IQ;Z`K=ZoTOO5-Tg_@cO~Tt+@0tMA0M z;^VNDYj| zmPaSc5&Gk76aFQtYeXNX7XL3EmZJd0#AIu3aZw6~|#Fncm=-yUT-WVwCB+MI(-D z@Psih3UA|-{#*`powsvMCa-DkIBUpng>!WVaR$C_#WQP;#_7R1K(-TrqRZDA2IIb* zI13Ui|E^W^-H2wkN-_?)+$w*F8)PY}8%SkwmYjGZnLUv> zxvkYbj_eqE_~G0}jze9tJ(E>`T%%pi85dD-^iq5^Yf0^FR4~fHIH(4~ZLd^z7ir_( zky)-S&ugi0vA0jn0VOBn%;6t-1E0=~D(#W2h5VOZdYl39o3LEc#yFA@H({Btv5HeJ z#J|2-Ri%Hel6>%}!bGxX18Z3Vxkk%82HakpnX~-NuDfByIK=cQKgJIV^s!5{qJ|M!3X MKV<#|ft?r#03yJJ6aWAK literal 67179 zcmV(}K+wM*iwFP!000001I)eGlH5p^Hh8~JQTE@`m<%n-Y%fwW1v8VW$RyYH!U1>y z4&?}lKmfK6zwQtbk=2C{)zf2rVyt^?hJgfJ94)?+##xeb%Vf!)|JNVte?I?V${>(o z$O8W7AEyB;W%$Rll<6Pmr+*BqNB;Q3BE`r ztsPH%UFL(c)2HNW_oCB_)9L+FlAk~Qy7=+*^z|~o{qa^_e!o8*d_5h$U7kDlU!Q&s z9Ud&R`)4n|%B$xtF1KfA#?PzS?nTCEV!s8;jdgx@@$_=Ky+510U%Xxp?=Rkp2lq6; zzfk|ZlIq{?C->^lAIjao<&UqI-}YNO^{OwQIrry3e%x;_O1=DtA7`iX^~}3Uf4xT= z!@c}{e`Z$CsZTw%E4;b7-RxI1ezKnim-f9rrsuF_xS8x1Tr0)-?H#$E)$=>+0rWT3p{Oe|>p6Kl`F+_|m@2 zKRp&t!R|$_{gN5C@y*&EoS){Gr>E@U{QmMZztDvDJa|2Qy8d!@`j)HT&c2kVkD4^D zpB87QtA)D0`|~|z|N50*KUIJ9cy{*d^6KX4S9$X`n19Rf{oAMP{3OSnATPCR6Y+4-};@~x8`kd8kNQU?<+aGd78by?Ors!Pi{UH z_s>tCoQu2nTOpZmz1!}acQ>1i?k8_~diG->jnVe@;ldjIcJgnbe6sjE|9X01cu}!? zQM`VCUK#Q!l)sa&llAoH>-WiQ@$$6Ue4T!jke3e^e=i?D3f&7~i*qGm|M==lgZZ`e z{W|{7WbgU+QppVSXDfT3&VKy(x%qy}ql>p;K70B;Wa*XZp5C3=wvxN<<98)8PfI1z zl&Iak=r1z&$NkxTD|7FkzxpA2d+^Qh$$t4cbq{3kHzj+=*4WH;FZ!(?{#iYo{TeOP z`?=JK0;n#1C;C}n{_4K{|!{qhy z+8SHM)YH%Ws-Bs;#%QqJOS+3wUO#;QdNp{CevkZ%-|x4Bn@cM(Mz@Y}e)eLFmg@gE z%lqqJN?`oD);kK-qn>i;?%&*zCZ47ZJE1Y@_SQ$y7?prH@Tva z@0B!rzOSX(t5VKN+TEW{G+9^|TH@tTmzw4r_te_Gs1|{f%PafoEm@{F(f7dFS|WS! 
zuJ12@K19Dnuy|Sg%FpdzH_h2x>U(6Tr}^)voBd&*-i;QEApdgd#n0bf!;5n}csIYi z+&swQ=61db#Le)@VV3*p_oNsH?DgWy^?mXbd>{WT;!i>PWiMAwZ}P{Vzl}V2dB|?3 zPvblH#|!(GZkOfr%lqQ})NpScxqNhQ?09{ z{pde5xm;JVeaLofe_F=d>Dqi=v-A1g*O%?}Q#hNx{;RoldU59LU-Yl$*1yI2yBBF0 z@Sm{$ensvn|4&$d{~{#={u9E~#$d^6K>TQOSeFsebU> zzEl7AQ-S)iaZ;=SX`A<1>K25Hkhc~A`lecf&{I!je`-hTUZ-YIP4Yzat#ah|L z^yT7VHczex50B&bBpJkmEPDCktqqYrrZ2yvZ@>K6?=(JDmdUU0%kMXD-mm3|KkZ($ z9$kJ7Z@v^+77S*;ZwfYlFMoV;tgnmF{WZ&eoZbGoU6gOBpFP|f)^I%elHR_|Uy>hB zJaVT$%iW98^T+w?*WuOTJByM?>FV#p`yapZ@WnUZRyTK6`TqDa*#1_^thj%B`1<|Y z4nAGYu7evhUfQ4D_AA=lJo@L!b9ndtcX@U8w0sVY3upUsd-MAI5a-LQi@V>q(pb;K z`=49o1w_u1y5pzQvsU_jlxY7@3?53qS8@Axb0&W5?UL*vo7!JypJMN2{`BkJExo_` z0pA)w;OzA4S$KE*yt(ikcUE3ov%vhdzqMcf^85YIZ!h7OXp<)K)$&vRK7LSw?dJ9I z*H!o=pWKD_BYfb+&E|{vo_xK$f4F)M&V6<$97^foYN-)_fWL~%ELS$en6 z>~(KFMBjuGMFV5?<8I~p{)M>t>V?AiVa&$Xh52i|;sbTI8{Zl(M{~D$*j^2lfAQ`2 z?_gFwysrGc7>R%V-~S`2Ukm#eVTb>rpnuo)oyS{2|LyFw`k%9#AI|If-M{#fnuhXM z<;^IscYi~bK;PcKKaaMXU%^%KHu6J5v_k9Q?B;x6zq$9@%kuQO^>EL}EKegxV zvJirQdHONBG=HYz`rF=8c(!jZw)4BY@acJVd!J-4pRR1%Gn}_|a&Ny`x$!Xc27EL8 zc6a~Xb_e%&v)TJ_{_D+g&Zb$J>~)xZ&F{}2uWkoHB))Bz{8RK>jwfE|zlzmaYJMur zB>4F>EXVQ1&FtmZqrH9qIv-}=2KKXEc){M2RZ=i|{9=47&c*Ze_vr4|4|5z}KfR5w zU+u?iT6`;J=BMTPeDmdPdHQ(y_5PDMzfF>P*`urBmef#wGi4}_A+1I;Mvn+y5V0{Z_r{|+AI*nhKtLyE> zWc|e)S$Fory5wWmjz`nP$nW>O=DPROXY=uK`pthg?&8H|WF&8kU+MJxImv!MyPuYd zMZQ`;zstu-S-v^>!k1r?Im`XWb$NS!w|miSb!I)w;>Y+s`gM0EH`mtu;q<~fb3Y9) z4a<7HyR|+oM&{+U^ZqU(HW)0Y_qVg>`>*4N(%L-j&ECMgS#f*retQz>xsxYf$|C;p zH2LnmPe!xF!~2UdcfN_?;@8dQ;_1ib>&u=ui&;Hg}eO|@fvIIYIcr3k)MbU{;H-G-o{_{V3jf^dJ;_Dyd@I=Tz zn}7L7e{9NdCG4)__{*>V#vA|sP5WE5kZQ`k(&M zw``F*nekbXl9idMkm2W;`&`k?XO<*9{XF8csliW@@d>M<>nu;|D{B7m!_)uHClBB9 z5C5(*KAMAE`7CjKVLPc>`nG7^cKF0Udgs4&&H)RpSor>qOb`FzAAL?5E;rNUq~3Ox z@K`Oj`eOCI=I77<`tv_}d(85#H>;oi$8Y74FHH719(~}kgMa?FUXySZo6g_9s`=^Q zb^E72yi09iBTOY8q@C#ho@|TqfAX5dKe45>eMP<@^NUoNEph+#U;oh-v&dp8*AKKG zta!2c=iXPOJV~?I|ML$gO{3(`FJD%%z9;K*gk;Yb{p((rv1Fa`m|1_7`Jex=r25-X ziRaN|al+eog*^T6oMMTHSys%GMs_==P_QY 
zdl{U}iDhZKj1lcJl%kyuPiEB2G8`!iohm{-1`#%#QVaB<`tMjB$(UN0jud$eh{;3o zi8>8!cM$W+WOg!B7c(8wE@QY{o{T3aq<1nHE221A3{NKX@~d_fsI`h($3Xp;+F@ze zL2Y$3>lhK6=!#{BnnZ|MwiW1e%Hvq-D;b_BZW#_J72JLuOM2>10)057*0PPuGMrL7 zw6*y&rd9XKPf+JEoRAt}?JDNPlA|F}Qik1GVANu?ab-ze`$K-EWt81{42~kgFq)E@ zf{H*-mUG3h#I&(cYglR{o!XTh4Nm4tfDMj>S;%!;eIDc7Jk6REzG;gH;WnW`I^OcdWzXC`Ye zYC)YmZ*JvCBMCerEjQEoxX}sqGIps_N@h6> zm=2Gn5$s5;Q|gwIHXAl2UWab>(FAf7QjGdAc0oewf}qBsB<%y+rx!+~3H>ViGSF5j zeTG2`55+OmJx6V&JgE>naBZn$*=@@;@wGIzhx+f4kOy^9L7NCWh6s$39s}ysPhB8I zU&q(h6Ox`sTeVMm8cozgM}f%uS=%ObS~6{~g*toP)_BgS^I)|QqpfP(_4`mKYa5G@ zG*x?Gc#wwX_OgSz^0vvJ^g$+$)3$-Yvwtx0P7wQ;gn?R>c zaU4`d(N;F>quA8BxMm$QYDrdO5Rz9THAxO~%e3)oiREcym{KpJ>9HZL5c^OCL~VaG z84hZ7yNfnZy9|xmC(m&-n4Q!GrcL;Gc?{KAljR9DyUZ13(BnrmLTpaVD=p8?h<%2t zGK&=9WbfqD3(_h;NZVi2Bt}UC9v|Q0Wae-8ve*`!=0wY~% zIO-bLrjdgj|F{xjN6`pYq0Jo!h6Z(EMRP0E-8Jp4P~%kYLY35k{U)MLoyBkKkVsv) zL*JUTp5U;hWJz6%R1*ko8)+*)$TJL0Ap1xlc!*`kPU9a#pka72BiHzKj`SGp!7BSi zZKrDyrb}O_+XUNkO7d`N(~L%)oowiov{mu2--!A^nqmjVNUH? zw^3X2I_SouB^6)|M%0M5gz+FTNe;eK$DybJ66$I>>h||`Fb6G^>)u_Vj#1W0Yf|g{ z5PXoFIMjJiqsz6WP}Hbywa0WUxs788U+Z!PVgSTu!ZtN+v{4`Gn$pT+BA$BQjzJ~1 zM(a9G@>Z5zf|yvAx2+1)L*REKAE;w3&AiJwb%{v}XiEysz3-_Z?S4OG80re_wxE+7 z-laB4$?Nr+uJa>FHyy>DkPoV>0V`(2nzn^(ACs$=21}oIA#KEky3)737HX`UUBa9c zqhVJ03OeOQOdPexLOpk)2~E?$`-3QmuOcrB7{=)t>%>+%RnFua5*Cfja)uBAAih%RwDDbu~ea zg+$&OSQjwT&O>WTj*kGpeokCjahNVX79>dON|U;HkyLyg&WSk^Dkb$O+qxT42%bsRQ8P>nx8Z46|snDVx2fH69M2*r}=N8CoaB8hj-7wjn2DM_TYfPz!OIF!)@=Ai; z+#G5%y^c1Fs4HEYVr*);QTvjlIDa2Hz{q{tHbzLDq}_qa9Yd6GdITze5Akvw^*7U_ zz+I+JGPKoMiBQbxd(_c;6nmVzt^X{o5 zK&?YdKJTij>?Ebqg9I44S-L}dISvG#(STUx@5+FvlP%3UjzW%+PCz{@BBZW+X(q9f z#wgpQH8tMeZiFE*r?eFwM^YqDitF~Fwt{qA-acA-33wUPprhG@_nJ(qeZV1*eRtucb9PsAE4n zXXQBJlS9%Tj)Nvv@_coZk)$V6jr&JCSztfl;5d2(NI_f=tm5Oi6VgzAgU>*nPH2it zXoo%Q)=#vUb))V5SgJ!5JI1#k>b^^h6|pt%*&IPGD@ApLx& zTE~%MFCR1o9!CUi(j(&*?Zq4b(CH*2Sl; zuB`xV$w!^xT z;ny;ZyvVnm%tj5XTO9{&4u4g%kK@P}QEyR^A;QZxNSviLY+4W#j~1A~w{LE6+bkRyh*a7@HZ+e8PC 
zzhwy3nMt!pH|pHc8qe$oMGgIEHS4DuYi7#k6m|B1N)2n9#eV zzL!Rb9f2`8pf)@9Sz1cJX>S{oD!2nyp_d#QHDgG6DF@@&l#V+F#X=ipI7}8FNBs|V zn_}%rj;J#}yTR6$4$c%HBwidA*D{lHMMf&nT0lqPd(~tmzX5Jmlh(Odcr~z zi6V!FY9IlqW43i~F?sP|!!5^A48Ej3jV2pN8^QiCpZ6%*C25DhAA*EZ*X^~{NXLM$ zG91!&EgZnBkcS$YD%YccD;=IpsHwEhjvfcd3u&10pnHP0J8)OyO6^)V6iRKS*TF$j zK*|q_c1CS_)CWRZZTlheLLKvH6fJowu5C7=4$ZZ094Rd2VV}>DOp;zwM}c+?q|`NY z?L-pN*#2QOo4Wa__OYo6wO+-s46Gp!IMjOXD9UYzBkGKCotz|XzxpuT`v@uu=G47D zTBj(|ptjWy>TgIrsC_R7eNe0!6hjR;+=dCMLByJIAk-qgS;m4|v+U}Cs5Nb+T&NLe zTKvJI(6l4c5{rXU58B!9hb5Jy2XeR&`f+GgBJ4N@I1i5`nNRJs?7|+$Fn&Va%knrt zWl7UM2eEAG=v)(gA)kKQ)~g*wzJ<2;`(TzdH9%zx!E*%Oq}FhxQ&Bll>V?mX&%$8O9eb=gbX z1y8D34(5y#yKr>?h!&6fLmLIP1=KVh9fP+pr5?I)IE3P8$~}%IgnT55pE_DuM}cS) z9aS0fWOzb-6!qu_YG1NNz9Hq5eE^8MRj{ovr3NTyO`z!!TuTKbPwhapp35;nV;@VY zE2$-R5KO1Gf9ft{>Y+jn5D@L?;iK>4$q!C($Ju+Py<#qUJLbnk`_gk z`c@h^d+O*<3s7(jU8DnYXp>!3Zg3oZ-_+6kMt0D)wS1`5C-qy}k*w5Q+ZsSe(3w}? z3%S=)1D2CEq3>hZNnf;~PCK%}E+rPcTu)CDH3%|TjcdyrW;j&bAUs=oDDsIR5*6v(sp zO^A{@_%qitua?C5jn-YE*0YW1pdN{~8&!7%;cKN?NLl4WF(>s*v?lgLJA7*gO-bH@ zR-5RgXv2r&X{k$)8tR~Ky4sD5IfB^Fa7f#*`5`1n?Znm4l+|Gnjq>18# z9&2h>q3(8~mK<%nCS~Y)ADpCyl5HJ@BUnZq7d#T`pr+EM=Zd;;uz_=6@c0ON zH*`{zIx<)Xp{R@X8Z}EjhNF&NQ+rLVEl6EnTe*bA+FGn5QTRuZeH&7@TD4PAs0;O4=YBz*C2oY+k~&`7R_0UZn>4RX zH2^hzO?+dQk`6aG0Er+Eyfkf+#GKpqOc0yt4Z!em0Cml&EsrKNNILQSL)M%Yu6+qIMiv>k+94`!L&pv{B##NCYu~G~N?wJ=9?b z2lX(cCip^{GCqLoI*K}v(UFJ`YTZ)b3GJMiy~}b8=HP&QYEGMLp>EjR367(%j;R|b znkuzp2I7WtM;=3vVQ>UfuIhjsY0_zrR6!n)Yas28 zWNabr#M1+&C9Uw-a|?AJTpJmrUd9dql311wb;M)1JXuoPq|Jd)$0+M+IqK7Bab1oh zGDthsU}uvKsq2p0nk-s{zw4@@?&PiDuZh7y4~rS7C0JdePwhswf^l2A3by^3-v(lCR2PI zH73*;A}zArkwB_Yx1qHf{}}2BG?eWzXcZkEq@7%NP(?}Io|_a^Eq`dZ4<+$?we>! 
zOek;V0Qu)ADqV)uG}>Uf(N`~4%b-rPG!d60a9A`lIVouz%o!yT0Y8pNdp`?fO>7M`9L}53p|FQjdT}tE@S7&Z#aZrL_awur)c9TP-+9 z&94J6@MFlWRD+a`!WT&%;Fu; z_lmZaX|ze%U1XAaVstych_)jB1E$MS+zaV=t3A6=V+*&#Kd5U58We6)DqYU1+O%qn z(s2lN(oTgBHBi(s;|2wix@NG67#{`1F=Gt03I+nQ3^goi?%7Jq18Wji{K zQm7$m{N+%7&^8L}dPu09xdwcQm^zx+K6Qawiyuo3bKLL>sR6VvlskfQJuTA7;dJY6 zUiz-$#+^KZ{JA0y>SmU@tC)6f;m&0_4lJe-?PRC@%pB6V+`brUaU|;?FT5FQvuAoF z#jUiR8wXfjv~7WV@*wTMKNzP?eJu_2;*n4(ZDHvFw@|}mHCZ20$9i9cJ*P$HY`izx z-i-qdM_r-c46&xS1?%p!BVZL>(n$=>aEKa4>^rqFZ0dnqZSTZ!g!D-f^mjsxnn;`W z9%_(?9S+j}e)=maQb&d-GPb){@GtNGU-)Vy{@dTo^ZbNnxAm9*`#W9OA5(2dev+KvvoW*}fDElwW=Z*~c-`G0sBg5fnly1N~hJ!(nIOq+7(Ij!v z8-|lrj#fFIkGgM4EpV!QIJm&X$&^6{&tZwa5GCD*tX@AmNjKfU4kNgC2d{mRtij4g z zAJ1%#FK~!{p3Sro1=k0Eo{cS$c=&#!%fJDup8f}enNKA*#jm@B<%dPv&OEx5i&iZC5BQ<*97J0|33kA+I61ED;( zdAh=aZN8XH5LXQ6O6n<#3q4V0vVaR6FAGeUQ0zro>~`*PHeW1&%$=9H1s5MNWiSfx zhQ&C5n;Q)fA&fk@_4!t0`hdYRqk&eRkeX*nW6=maUK0)AjLoOBb?Xk=PYsiZPu zz^&BTrtX(d0vU3wFOV=C`9jOn?yZlkm531ujwcIzJ2i22ZeTo_ptp~)EFTRRw9&@8 zVygS&Q)nTMhg0RvL&|YQ3Jv(VQkigl==$)7nEl39 z(4(Tq%Q;+t<@<;~CgVzRoOpkY6z^V;YS*jt3^uMn(qTNF^_~&9fa%bb(vKKY-AaTY z@j97e`(Zp@_OEaZwQDWm&@Pl$rtTS`Uk5~M|^%Ckd! 
zIEl9KuOque-=9|IzANBe{B3S#w}3t|I$0LbTAdENrD%P{oi{itJCX~#zjyK;A{fk& zAes(gENVI^(cMgk8x)M54iyjhC`2|02L69AZ!@9$2l^5Z(~;pKVKp5LOom0il6fiei6@XyhkY)cx@lw( zDn9<(1m1pwZURlF>9mgt%d|uW$#ev*sp)Kq#QhZ6QPZKYFqxZ~fe()*Jz{Vk!sA;G z18L*)VIts=4}`aZyBKXn&mC-axdlArMYlmYO(Q7i=R+Koo(?T6%tkX5^O!Co7>}Ng zmPm^zSF=+IOeYic<=J>(NQorObUK6)B_*dNB#*@mtZrciSUjQ-#&lR@Areiq!D0aU za-o#B9YF=Im=o`A1}|=i45aB2nMbps!6XhQ&Zb!W&t{J8pcTw!GnhA?Evx7|*#E-A zzeCbehu5vZ)&99Kpxl^2${lWy`4dT3fH321VJ48aX0r&N{d|n0B(oVTDVR;L1wS3d zo)6YP^BJ&j<^vdEQsxg&QgAu*5u|&_74y*$sk9l4e@~|l6Dj7387vc+&Ee;#5q$Z4 zFkTGcwJs+}V$5K0Xg;t6G{%k($&S*a{|< zsD_j~gvwUE1hK{3lHiONvjsY&<-mZ2KZ|66?61YjgGUU#u=(6auO33fZMLv@BJ2=s zeK}YomRrm#0}Dvf0x{Kcut6uY92N<(z80g*M3&_OzJ0#x@w{evid=_<$Dr%59O^nh z6V;R{%8`}#*7=GO)Wt0aiNjrFK`f^kiXbhf<0+`~n0s^2O}a(Pa+0AS#&YPc;LprN z#@SNY=19*f;y}O74dJ27T^LB3D3N0#ak89l1+okmgJf(YeX$%4u+z01492ilYB5Kq zuR7fnZeR?PL`!VMEQeJJuahvAL&){ZfQ2^v{MZ$^reZlm$FFE-1ZpjpIb_NuB)b{3 zTbHFHpvF{7Lq^ClgSk1zJP%r*%O%qG%+$q1o%L_bkXc$6X#=rPYs0RyWy-|Ub=7DU zRs=(<%*ZnzvX>&To>Q1>L$XV7GAoO67NcuojP+=T<#L7n^X1ag@pJS9q;PKuDZ#X2 zDc}}XIWERg);4BS5kdhz!tVLf%B&Eo_hpZ9%B(;wA&mervMJzX#!YD=G0*IcFE;3w znT3w1S|Ab!Oc_}47OiB1tq3M!|0GMg1+nSCKes-wB(h@Iasz2(FdQLyRhrfbz1b(gZJ9Ib$kea%FXL9?%ZiNWM& zTmi+LBu-LrBJSE+(wYOw5cRfC53er2-a>v%Kfd4Q3QZ1}QiarY|!n zRkBou61gHQ@_N3qVH>T(0HY)@N}{&O{erUud8;};CDI-)P@7TeJndo1$b&YKdI`4i zH!|rx*3uqA6I@-MuwY73-@c7&blb0V3c)DDscB6@sp34iTOZT9T4z}$dAfc#L2m+! 
z5*{FiHk2U8Mz+p!ap7bF*IgNoww1eSRDH&_lh4=0EMn#7uEnZQX(!^lnW1z*~I27!*AS4r?L38Wvu<>dM^y7L_@#4M0x ziK0HsMlHgDQrLj}E)|0@A99#X5?jLSkTNwBq~{I6wdLP=kSREV%mSi6TXi{d+|Aq znZ-Zr{t85ACRUp!i>=x=gpb26IC^E8=_X)4@)eBC_e}}IE+*gb&r0hn#g43` z%yy7~GglS)!s`r_hXhGj9f;2QNth_=)d zJ~a1CLul&g-iB#yS4-HXppLXIJ?_3X(=jC!_3FrzI)#oHNi>z<=z3#hgQ!&ocrPnp zt(i{GK{za}k};jZpQ(tD^Q2x7+6Kc3*UD5|X&Md{6)W-6d0gq|B+V>=Dn|4dIjCRL z>>?}+*7T}(lsa$=@7KxdSWowdL<$N8O;;8P$CR#ER>>Jyd}BIEkK<`Nv654fpCuU&MXp9yUx& zPzP^{V8u`_tXcs)K%eKR7_X*ZEM>CZ2SQkyQhftd8=4_U>eF-scmyJgk=)WBXG&s( zl`#q_6`};xf~ycoPnTVz8@e~E-CxM*VPaxY5Ln2^Z+QX=w-5*QD=EM%c{TgD>JCf|Y68yGMsmb2ZLkdKvz~SqGt3z(EmLbuw2juU zle({rF{t*W^wlSPsKb>%Zb4~O+Z}MDb9@d~nLue_f%LVa2T$qA&mu&z4O6LODAhw- z`hN%Rx_dQ4f=$3lIjq8PafKoR*!QSI+WDEyrn6Vk@a~C&%Ca024pPK z0!4TffijsuJ`9T-9=9|ZgXoZoNnn?y(u+|oE%0H$01w8iX{bhY+RkACxhoX`6F$m7 zm@7~MVumpfaUqJ<9InoDNxxDt-3lO>_;Q1Vfx{dfrGn&{qL7A}`DqrjG!>q(ppCAC zEIv9ZZS4M}#&iTjLEIErj#ngz9$33>6@URGYBcCv-RGX9J(6p^5pbD_u5InKucgIT z>YPE;&tl4i&&3J_L(Rm3aw`pZPiR>w_ppRzE#@ZGB_BOjww)J>s=N%&eQE>wGxPv;Wu!8pd5T_RFKzQ?Kt5ijk%5uB>Wa2I$^OYkK~~DTdWYU9;G_-RK`6HtHt6JmOQAlz_6p1 zE+l~_k>$XuD$7ox3ux730h11vuw;%`nKF}^%A$wHhE?Aze8TimJB_|Pd* z2Oq<7rVH4NuRo)q{vi;B9*2;s#q=yVj2J3t*PF&6KFf+&EFeJ|z!J9v$E8M!H#bt4 z9LQ8>Dy$+!rAF2k-a;l*-jiG5)@T5WysRwr99(E)WmX1lL_U~8 z3psp7N*?PHM#P%j(EvEz*Uc>$ zh16*wWl*9L0!@|>qqb%aVEmK`G73013< z1NI`hGIe_z-?f0Kx)eI!lI9RYTa#vq{@zihB{YOMj#cs~>FZD6rY}qnw2&&Y!s!^k zspTMegIQH%RaIHwJt!^2lR7B@p2%hFTgs6`E-}y39?Gy~hAMM-!2u}6N_hdwJccTs z7r11M%hd`dx@*W@@PaK1kiWZP+Gg$P@lrc6&`0!6i%e%fU=a~dLRgT#;v6GzsLeV! zO|G|#LNY7tnXQ7JQCIr!ksn##dH)x{A*?iTDLN#P!)}b`GI}5;l$K_G6bsl1vC4d5 zpjbyuJ%CeJSs?)Si@H#|uWeNAXN?PYRx*{$z>la8S@0{Fj?|$COenpzU@UNUk8gM! 
zIWh&w(v^t2ou|sMN;rgnS@|q+Y?!iLu|W8RCC#+1^#H3W`nVxxHcaiVG=?68M$pt6 z;)aD)7S0y1aacFXLrJe6FfxQIvvLy{4dY?T;~rd<)fUZBTJcTVN5ugL6$~qccxJq!}`>LoMcpx!K9~ORT9Z&_byLPY=p#@=BSKHYf z5sUW9b()DKqAOpyTKmwrt!~2cx>v|!UN@w|Rp{(up8yWBo{r>ImS!R3L1`q~`E{V( zW;1C)pQKta44tbF4F-q-igYWLUJB8UmF)5nmFs1cJsZ(N$A@aGk>%ZMRZ1Lc@fdaj z+l*@@6|J?p7h$uW?o-=wVO&EW1v5}cz-GFy1j3@(J!oOJPJ+W#=mM;sRmM1ExpGE5 zGjLa1h)25H1iF%nEP9x!c?!>CwQ<)`C0~%5&<_BdK*a&6PPp3$%12knrZP*h=Cr*e z?ORC-8*yy0>PeW{%Hlu^RiCgVaIS6M6EwHEP);etO;Sge^~i)o;Bba5nUA?KgpQo; zChP8)jUN7`v{r~>Mz*i0(|1^G2;wWIJOa6Fo&{b~3G!E}g4g8KrSzOVGY(XToA|aoHP-UY zwqStN-ogQGY7sC5q09k@%j$?80872gEX1Ns1Tc?M_el2)H`mMqk5Z`tPeDdvw7K6sy?vbQjI1ul!zQ@2rl1guh5sK7bg z4v%$v8I+5-XWS9PIRqeb3@iv%eE_TW)<9uAhZ{W_R8+Ozou?$T9)c3SpD0_7!#bB4V<+AbNft%EfPRFNF&Gk4!mwbnS3{Y7 zwOfvI-<9Fk)1Zvurqo(sW>%+5*U)58Pv8Pg^?(LG+4juF&?~|3S;M)kj<&+!-DLt+ z9ywC(p^yQIs1p%zG^Mj0nGniJ*Ln6FY1My@AIV{TqB@RM&mv@8xw@SjEr)Psn?4Ab zGj$~EvF-(^e$d1Zi=gW7$1v;WLsVKvrk=1&KSMsan2(nTVOv;AEI|gr zu8yei)_ST%oOmT;6QnzxGAv>FjnHV(r3}$KGLh)p>xs4rLr3%BYEyjdnXZn3rISt( z@wg}RwWp#^u4l2tLukaRiY;P-_cL6GDNK)pDom#^poLmrKJ1gJB~YIa=B!OzMyA|) zCGFwW@;*>TMI?oQx4SJ|q&|gig6GgqRT2uDS1mAp=NmT6jG<PT>H*UFcMXgCgE)7aFi1iE80yAx`NF zE9NY~saIh#gp(rF?+{oF%XtU1_XDd zvBClyxA7h9+xUY|15#Tv}4 z_0qeZSywnSou5c`D?Osrm0w^BO?WIcdpIUsm8h9U1a+}2}Gq(cQ$1Op`;E|8U}E~*;B0huc0Fh5pRH(=Oa2PG}^_zRrz7Z$3a)qjuO zFC~|{v-!e=Lz_j|Oql>12v_QGy;^;V+?VEeo4ECF@C|xB}bHu|8S&hH6rS4prdY;I0>S!HA6% z3BlR~N7w)@K+?ZX-O3Lx&%)7Yk-8bop6jDB;D|}LqOu;Dqo3$REz(0288G8rS-|+N z`hZu>Jm^75a0Pd=p2jTKF%d+QD?OyMT_qcF?%5She7AD}?%IV5&{8G9!Dv?+Fqq<+ zX^g7@T#>?vQ4!(Xi?O1jfYU0xB+aoa@X+JOc|C*x7hS`x)@eMnuNviuY)?1S9&VQ#Es*wF-0X~t`7Oays9^b zj(~^49d48)3`Pev~IhN20t=ZPc< zuz^?z9QJ6*wv%$QLKx67C>%T?R-b4oYELHouYAuQ@ zBYch4j6*Q`z(VXE__`dN<6ME-j|chD=ejBdnkH$FJEYGHw_5nDXO*GMt9VoA#c~IU zao?(^>VZ4UA>z5Gd@*cPYS1b@AQksHR_}qV=5txVB1)eH1&+NbOOb1sE#=cd3)kl{ zgF_I!s6;>edg?dYtaJ=O%-p6<_eR=+$6W#LJvt-=++NTwnPSc{`1&Nk!qWNL5< z8*ah}M5f*Xf&D#yn;>^c!|&)3k{jm3<|JR&(*dX6=gJ7}aRhvfh@j3yS9C#mL!XCo 
zBLkHD_DUDmA1afkHpe^nQZ>x59w=+wCLQ+;KhxX*i?kIlK#+EyZCK3oJWa^8c&4>d zfml)s+ey{IqM@9=SYrvMN8qFxOt~nwPO&58n_G}i_myw&@g8(YKeV7>uY^8wM>U}b zh|qltQJ=3TGh?gASMo8dfKK3@Xb6%OM^2C)6EuV9uzuho2jA!TPJ;}JdS974+>bb@ zwexwE%*J_3#niAeTJKXr@6+eFwNl%F5VqTww(Pkz=}744=-Wy(3JH8Bv~`n0j}Gs~$d=GKNym&!nC$ z315*#Jyt-FFd*Lj(m>eD>WJ}Z20w?9Mn8&B0K*q1!=)sFo@u#;CU8>2T!B4SP`bUu zlxKZL^hTXUJv|V8swdzW=q@0e$A~)u<|-MhEVv$-VhB73%ddyEp-lx`Xr+XnSilBI ze`7^}g4Fv>xI|fvRly{nQBPpWN1#l04g&B2k9DDZ8fRgREP_^4;?}o{3@{eIuTdp> zm_JSv;HO9vVmJF6-RS@iEzBZVD5fu7!1B6)*}_cOhQp!F>gY?zHtPNo6ZBlRc0zZ6 zE~sLqcn!ECGGJ8%4kPMTx(zDnBF~X4qK?$!urMQ7Wg!xX0rOaQlssUuU^*ZGOsc>H z&^&(9Iyl|Ws7hBTyhAv1b5{ZVxeI z$h87iWmN}?xl+SzF({h^4oCzVBF*9`%Mq|G>d**y8cS>`K*Yh8abXZ3h%FX-mIdei z21?yv{;ntkmHMg8Ktm+UH$BIu)|$bfR}l2zTLyInawpr{c%sC(p?gUw=_`0U|;#bQS}~Ka^-d#~Gqg3PCZR_f?+jKoLId zP^sG<2Qf5FZb~;xQVli??AaXklBlJ?{U1UF=Xz=@@x7))V9Oi2LxJ%E0d#Lv>6n*UJd8e|n-O^O}ZFf!qwr=P1#EBce)liJnG9Md#bTdWO(U zdPd5GhShgkaq4`ohNOVaXnz{KLu7@FQJ=A70tU)LyX+ZX9c~hi;Y>BUzn;a0&qL-~ z93vAcEM1s!Qx{WVO~a)GRShkqcb*q0wjYWJO1V&5q#)O;cAA(H&NR~AaF9A^5e+Ya zCkiV|qF8PVWcr4g0i9|o~BYz<{mtN)~1Bx$437}=tlsBC9Ml538jH*0&JBAUZuqsf+V8Ia!&29@( zt+1Yh1^(P(_^K6;Vu_>&*>8Ks0qJKx>;HwG$&-k|aTRi-j4LQ_95{tnI=HG*k&Fd( zO>>^OYEkxJcgPHm#*56w1kq*99^DsOMe#bba}krSKozd~_04Pvv_=!f6C(A6suQ|f zf7F9Is!8|V52??fav_;%$_0NeY}jQHIrwK5@i?lc4uo7xAN7cZf?!Q+CUuOa(iiTq( z_SWVQR!HdeFA%7GB>iH87;&4VFxnDD*v60S0&3zY3K9f5(nv+jf4K2S=|GlBSo5XN z2^>j}evG7n6~ilRAGp1R*aAf&oJ_|+&j zU0{dn7EG3zX^)7Lk@De@;89ivsFzzCOd7Bmb6p`rpe1CMRi(kYPI8U(``WaSSX`Sh z#V-Dihp(vjqPoq&1NCRukR$SK}rOM|J135^(ZR*gizX8K>$NFOL>_AqVvs7` zO6)=VFUoif-QD#%h*0l`{se~Vi#8^1A6c*QT$pATQ`n5J>}4)MY+=1lW!497yf#gw z-qzx?iO<`DrPYy%Wd6Eo7VX>t=RFfN)j`3q=en;QReOeT=%VIO<+l_)q#xQHpKANU$9sLYdvG3 zJAPPCZfKo_-5{Vb4;X~q(Z}6%S%8}#U|r+at|(Ze4*{oRZYik)LU~HxtN&o1Ij$=> zJC_ic5MO8wF)b1n4M#A(wk~_NsCR%hT^zgU73;MN|2k9BABQ_*8I+E|#dNXIA-0jV=WB2zmh1MVFgkC*VrqLGtrc&0IG>U!$Ju?0|58_EAB9zfC0x%ZKSYc zJk(9k9rqbT+>QmBh7{KmL@?&JeyFDzGhr({P&78pzVf%kIkCI^PsJtbIC6)_z*E-D 
z4z1%FHTWNBwF4podsc6AG6q{a)iZq)G7_u*U|48C|1{w|@7qtNHVwaG3g{yzm5oPw7m&s0)%Q>Xb}`ujB--KG7_SSU7PFA4HDTC$b)j z)#srn_F%k~b%x6(6W6ZLhtX03(dTm}zThEd;|gm4I)#ZaIfSlGoS;Xk31v*ea#pi%gb+@sKB~S0 zH$dPdkp`U35!bUU!3#nrkO!6oMFGq%r|Rg3A(=$FSrBzQiiuDrKQfl}DdAX0BC`zJ zP)Z>86bfmPC3w(t7(-~ZC$VWk9`<;uWM^c+Ats3~CQ7iOnzDE$xNr4j6O>@d;qNKu zKK_!%qQ{>IWr7@xL?RGRMZmf|1UDWhnc={5m6ipw-s`n4nCxCdAG%H=O~L%n6)-=f z55#FTAE1v^ZdT_i9i^_YewV8>XE9GWw4b!pOwtVE!K+un@mPtvF&K5IPt0Hmd`TR| zBH=igs+Q7sIf>FVI-J?51C(%pgEAGB`+cmmox-}7q>vWm>db~2)|6Si&wk4)U_*?Q zp+tl37=U+^XD3l7yXG#8fojoXWTw~C`Ki{5CmibsU==e!cubk^^$pHa=c%k~-07X@ zva_Ch*U3qZC(}(`+bz@?86v!t=>a!(PftKnIyRC!YOj!PN-x8yB#pokN;p6uDKeOP zY<7Y^Vk9-38agb9pORJsyzs4S$fN{X3+hI(!JZnH5~7ecS?HqQ6FtNZ)avS@4&C$6 zBiNK!13VxtY2rot6&NdnU@_`FD~yk?tY9P%bWKAuz!2SBpA=VOE0uDNFa$J}eqKol zO@TxQUOSf|42f{;Q%8he!5L&WZuX!Nr*&-v%)+Ej(@)T)?o$&Rflw!&giM1YQfgyT|kJ27AV9iY+%bg0|TYXere8g;Ettb+9 zGF<+lF1}ca5ZZ{kf_Dv?xKnAvy72bz!2_7z^(-OS&7L|Oi7pw5v|Aghh_~ zIQ^*iSXDZA&T>p;Fhk{D`mb{x$N~yWBP(NU*feIQS4~KPoj<)3pwyWSd*oIc>v)Lt zp=X#Xs~jAC8gKy($aFo1jl#;mi4$d5;qi>>sT8~XX;U(?LctUDK-h1{u5`(KcZ4Rb zW;|EDZ0PuNWmR-*(#%x5=_a)-&~qr@e&r&Czo$ilvKeVrbHbn-t)DS)xpKNq`x5Hv z5tzi$Us=EhvdsdPHK&PY7#u@RlQoJ%r|Gr_@h$DMXV)fbVbJ{8XZE`uv@^3b!%NH- z*t^l-UKywlOVc?5_enDxc}&;f)iG04qV@Jk))kdY<19(}R)?aX3zcS(F7rhFK}xhm z#t7Bvr<(xF6TKLgz$A3KE&6CiCw8$JkWGv8#WGx?8#v1HKtf^X1)joC^gJ=IeQO!$|mZusCBT@&Y*dd8@Os`lL#9W?Q9a+S1Pwy zESJ~^&bh%tWLZ~&3}UM1Y#TGE+j4EAi50T4asxJ$Z?+=DN%4&askI@jW6t&Xoi)_) zIm6w&YAaq(A!M#GcQZs^T#quhF@e=W2MU~Y(>q@&=K;qwwnnU!GqDySZsXqcX!>j= zaf(eH2SygGEgHB<8K5QPJoI4io_fH|kXe*-jTw!bxbmvID1l~rt`TBWgwj|OsWL<@ zZ0>GKyk4RB0aHejE~nE4nv|=KMHhwjY+LxgV1WjsMyMK^o?)S5UJV6DLZCjHp1CQx zl_OWC2bWcSqEC0Z*!0P{1)*Vc-CluWE$X0H3OOp51;>U$Lqr1RN%Nqu2v0rH)0~@E zc)vXzt-0{veEZyq9S>@l3NH;F2$MGNfep?>81Be*5FYlRX|Lp%lf2XIg(Zo zd>i$YT;x3gwH$-&s&!g2Pv$UxyES+UL8sMTd@D(jZI?$ZpE$TBR|yI%Nb0kMLI17E`n-bH#6+@Nn{1t#xvecAZ2Z>Vq7=$@0+H(St@59c zF`$mJWTI(n1dqXYFl@5H^WOP(p0m7(QKpugy?+)cJNe19kT5 z?|o$BS4a*}xha<6uvtSd(Se<`$}8F+aku3?ElyjuLUL>?^ehQDg}f%25xh-x60tJ7 
zAYtq4K;RPk0aup`!?##K$?G>1T1<6wpL#-1J+PsNlC4v4(rS29PmlOE;05vqwnkqa_cr53){{9?dkzr# z%yv2$0b!YiIyQpdA7M*gt#K=cLrAB3xUymN}5trqgM68P(R~dVnZ0&~zxF4;*7FC5+*1;~sz&MFiEn zNJvLEOjGONP!GsHbN>j^dwc@ObwkjOh}|NiAV|cud!@XFXFxwn?gi zD$qjA(tvzW4O6T^9>LY&@ZQ!lkgzO_yhJ`(F`hw$6;0xBEXfvx5(;gr36#OBtwIy1fWZZ>C1WnLvX(TA-hco)mrI>Sh~w4@HR#>B8!f zmGFd^=3CKQxZgV2owud&9R%-#2QAD56!#TEU@uvHrDy6@A*w=3{1R;ulwu3bmk%2P zVoR*W3YKja%In4oqUaetTvVP?&%tWM$>|JP#p)45oMSvJvQ$gj%s@39_kHR$y$X=ZL!gin(QHP^!c_D;$y6*MrGK ztT2#(dIJgp6+8)wT)^TfO=|kTeG_EWr^=qi;=p4O1h6@)kSmD6UPuocf7**S^(b71 zW;f|Whvg21+(>+F>N~3p&lW7C9!Zanv&ZW%GQ)>RsFeVyK%9H74WP~_hps=@p%>bd zdM$8EoLWVIT4IXga|JU27vb{-dIgLR6oqeNoh+-efX;K;`V1lz=rhvggP4VSq<)ZM z6h3uZz4845rumABDm!jEih_jk->~s>EQ8+ zMX`jUL-*;xphB~SZr7-^bxsY*@Y!HFK**Y<|w7D z&d6YRfO2UUsLfPyJPs_D0>gx=B?ug)Qk)Uuj8d8E$=$+)Q+CUI4EO2cTH(@PWg&2s zdnQ+?+cx9^=?%+QdS zS|?#gy-aL~tWu_*`|am4D|=AON>(~Oz8fVvhu?xlno zu`(%9-C$YtOl#L1Y4<&%4r&Sx+D-}!MYoj*)lo%gkC$bcY>|OgI&M!-Pq}3=D0@}s zXfcfUTo$GYtJBM}8u|gJah49&7MaEt0)MWl5{LH6ZB=Q}`G!)!KH0LUCzo{py}^Ws zLmWBB655ur@^(2K)Tvx{j8vjnW1aoYbRLUW2*ZE=%bzKai^YaWV-^=lD3U*QFaE!V zB|kpX@o_V*hWat+#2K*;1on+At;*Fz$lyGWmC_PU-PPIoj4wiO!!?R5`kWohJnwFp zG-Fm4I*W;P5`(kNI5VZ`!9JM8iPd5OsB$R6l!q3aUe9BbS<)9qO(rLsu9vAp5hZMx zH5E%Jw(Z(cRTKpI*3HtBBpU5nRlw^yvLRIN}jlCP` zauRicWo+RW6k%v})$y}p3Z9rO;wQQ*r0ecAPL^dL-Vc}wW9+%Z6qN^sh?vy}Zx`v9 zE(Fu?n2iVB7`g)zf@MS+m8S-U2TxfdS!ZaiRu=iya5kJtO_`@mT!@vtlFGx&d4gS4 zWmt-nxQlF+?W2)KJAPefq7)@Ep~TvVCEkgMhGS&@G-HOXPQ1zrUf9!h#qcmvI3&ez zstK;ml!flasACU`9ypLdDQIb-A`zZCnpTvS@8r|iFuSkC@e^ONo&g4#k!WN;MDtgkoN10*hoGhD`b$JxLpHiQ)c*_LH|)FB05c& zROae}5{(s_n1Y8;X9k58EBf*UwCuIYQiq(wV>XSXmPgR?ZD^z0T1m4wRK77BhM1*B zPgnj*sXf?=*nnF53^w~|nuvs_9?&z1(1ScQaObR{#CVs5Wu%`W(Wt*(`FOqpv$e26 zQUn^$h8=WAuPsr{6vifcF$!3!Y`CsE;3W$+{;1vcd&-lv2NX|6-Qx>PY4H%dz-kK; zBK>NV!UQ62nreZ{=t5G$ixDnPg`C3_H3>WHHY6QcNIhE#k*3CYb`v0n1DV9!?pCBJ zi%wWqT{W``JeH?Io_9FRT>Ikxr|ip?9LJF@zeuu-C9^6&$4P)BL=a$Lp+tTCxPywU z>TBkQHFkS?9x^&YA^~5|G7S0d%0wLs9F@aV2K|SpCmjXOb=kGkM>YA6AMXGveuz&U 
zu2o1-@a{MvjEK3=k@cp+vo>=9T9f|pzwIO7SzC9#wh)sbbeJV%Rqo?Ey1_8G+P`S!wIYUcu$s~-Ke&a@K>ww!a~a9%*%TPdRb z5z&OgF+F7Kf`QxJx4A30vrNhC0VTgz-LZQ0I_}bv1Q;3a$%zPdfSS&+w-js`F>q{6 z@vB-`bMb`>L*zw?LMRf)+^qM4El&9V+`k`g+HqNUK2m-%ps2Cm7u^YhRQj{DQr1M5Gr zr4CDP+pmar*fL+LiSM5J;vF!$EwPYKwx_iSzpX^ATbWYlV~=jQaifgynheBA6}wWI zB1d`*{T!O2xZXg?ZVj)k@>iu~VfI}}mP7M<#dU}H7!*n)tb@q#`MoAJ-dpZ+VJXKi z!t>LkuVdQ<#sF^NgU9V-LSKL4bKbx}*R0)^vzVM@$t(r)(dd&pMC-++4vT)azx5xW zluO1-m3Wi;TePB@W4A|N$*#lkt!06wcGv$J#uV)>tP>*WFEtph-KAB2DM@PQ9G$7P zUkFNgCJK45iR<(k{hle=;p(+2lbhbttxGp@r;xO^uA@wRc2R=BesCg)P+Tw5Wl_}E zF9{zXxM~)2x=gtEr*+MP$EMNZwZ5K|kwThSj88cUCUz}g^|U+4_V#Ny00xWq-|z|0-X!_LGVf8urr zcMSV_qKrqf#R2i}&vHave2mHN1)3hM0o|!(@7+SAPb~!x&{fnLeVx#z<7z{$U2#P& zE>IoM5D{=A+5+_%!hi~mT>WsZUG+1`@0RZdw!-1854KIS>-hxaV-%azJ-IC_*Yvoi zT`3juvxX6E!H%?^k4XPAjJlFmPE{^`K^MHb-n@UH$=~M0bV53slTm*kgCIy?-OE1! zHN&bX4~;2SEI9Rea39&m!ElP_I&=pFihbetDbqO)&1&wr(Pp|IKM;e=<-q4gdj+$* zIbk_ysiP}hDQ}3^>unc9&jrbK(EiB37KiF&yltviY>L{ui|DFlRjjWMA>c@Y~1rYs?AkRhRZQM9=wk(>q8HYB?)d0LrjLd zR=&R|4#;#REg0P4IRi!hEc!?7Ibpj%o_~qJx!|0YKUVutczH32pJ5<(L;H)B4=s0w z`yEs5mpC{RgU6%H2kPx)_R~(yb#v+jiTd%n=-2sf?V1JilXK-tXg{01iOl85FIf+V z+1?;vMh@}*0Z*|l)F)T)C^!vQ(mN0tuelX=1gja2i4GpXN4_(t67FOM53~7SvH#h< zxsUCW3nG2kSMnZY1`0PdZ6lzK19}r=WQIK{GPhlD_i4m{Po1aro~xXphF~GWr{|Y9 z_IggUog6dmU&RBEZBfi|ZPjzy}Mi>VPw^@bgE zJz}VBxUA#LZFd;~!4D%YXhCqo+WdyAp)GoNwO=)p*H)|2@T*&|y$CfmXxV8N)C+p0 zTq6;98c&YH?NDsGcXFaGqMAc82K4lj0N6+p0g7U&5EDP_pghU5x9znj2C~I)F zD3u2YYkTOY6d{hNNqWo36oo%eEraWobT1SBUP=WOKOkT}7xI6C_Q*>NZE>TU4CY>N z+>O(q_Gw}Z0^@$EaFyue$fcWp;5Z;}Tukf5pIuzyWydjwR{}1e5M}y}cbPi%@ zFLjDvAqCS!?)N!LG{VTqqic#O`q8$RLJxcJbJX$N(a0gKuGcz`TMkTseMKfxvCDBN zzyC(kf5UD>_JL=(Vc&0z|JP0^_tTth0FKutX!K*jRw1a=% zDnDE}R6(!~X|Y$@(O7G6VRHz%&K(-G=bWf=I)*ouio+ZlsR9!j=#gx!kFLOT-_J9^ zU(=0yVj=&+m0lkcmx><5{gIxcCa=a7=^6RFLh~}NN<}JmK{Z;o&p^v_O|0huL&-rg-?f+B1H61usOFGWLbb%UJV-EMnpDkblRc5{NpUBCGDhu6zMHk#JzCkLt$-P$@uk3a%AR-gO*e!qq(>qjIFPOtG+>s=nad%S~OB2QcY z6g@N&o!{&YBga@-%?-(cz8mNqdW-uFsLSgGi{ 
z$b-AZPLvejsxr=1pSj99d%-)?g}Ykm8uk0P3KcZHu!7e`8@zhUg=EbW0-p3Vz_n_& zQ>CULrJpE%C@$QT_fm6D>$Y z#Ttae<thVr{|D_{rX3!^+jU+W0~)LWr>YyNey1!}>>VsWYU}afgWuh4uLR3&F3mX0$}pl$D7BEBBA3sH{IZTdY0p)JA=Ts8 zRyP|SKGR4@ed;v>>U8FP-+_^EAAMaqhqlpDw1Dl_k}uSk<6D4mAk9;Of*n0~i5c!F zqyy8#^vC;KAOU82H`}2m{tu?RCJFpggeC>g_>6icYu%3wn;?itwzK>Ixp`D;zh^Yf z8ARXsk7covJkU+&>=Fl$;WEM|;m|EpGPLQNFeX5TussqT;Hrtr*sdIfdAN1Ese=oRA+4-dQj{5_BwSUk)wLjznW>t0K*Qbu^o{#74 zx~d?aofh264un?=0`Xo&suR6AiBvCMbiVqiwwRPTyq^pThU)z!Q_RIZz0JbkU$qIw z7|ptUh5SU{V463V(ITAkQMG|EE93?@?0Ui=&{^jgc5VXT{_hE2(kAq%EDSws*uaWpl$DBuJCyX56xb$05kh^tHa|BE6p$_rU)yy{? zk_Enp7U%*~y5mL5T}ChIr1NTe2$GLRYf(!%+r5=tvcptUn-ljG8C$@wmYgl8t1iC3 zGJ{gfshKl>*JBsj#@adCQT#8}Kn-`dx*UU;Yxob+5h~+`HiD(?bQ^ynO_kP8_i$7@ z;CW*rd$k(CVcCMr^s+GXpfUV{9K~ zN?|W=us@E?s>0-npthPo?GLmBIQ;wS<`r^V%iV=!@(#tL$$Oe3EPuSLS@}4^MMqpu zfTsiZ%GcE*$8oA$$*Hwi)(6$ejV+nr^y=VF6Z<$F8+@0gT z*PM?U=ZQK>FW{NlzzorIRH`r8Yc=NxhSQLP@>QdIE)j~Y$&mQUO}X}oW5MTb5;}o9 zgVOP-%srxx*@unbV|4zoJ=I?lm+Jl8QAOcx&AV`|;&_U*YoSyW2#a;Z*4B^nR65EK4Brd>ZyiH{K1J>C#3XqzhTo!Mhb<(*$y>C zK8D=8s7Yek2Unz1z{G#*QFM}(uK)SRBM$iOJL-_R68*tr){nGA(`4VzWCsq=qMA_zHvz;d2KRv6VKRo#C#<6dl;HwI z_cey?bJXf0e-=v8pdGWEL% zLkAs3u5MPCf<_;62f4J13~R9Tq+q~R&AQY`mg(iXs}@@PK{|E zaffqjir`fbLN<(K&O~txy?-L#xh)F33H1*LU3bQs5^;0_Hbpm`J5(+Pbg{mj6W0Rt z$*EruNt6S>Xg|QlipyF z#}7afEVsHA@CU+#dFClTIi>_vbask$oJMM!j;e+(14ZWALJs7(emu<=0^z^ZRRpfl zixm2@+bq{^(wLx1dW3O>!%osSTNAhV!nOv#;MZ?#X(SS4tHtxrS5K-g(PYSq#}-`c z#IemvbTRid$^tD2U#Zij2B_=x(f-fR-@4iapRFR!NpF84Wq(oW7^{QAB3#6t><;qk z`a>rNJ$lhw19CEa+F{Mcy`G^v#Md1IEPWPmyjYdVeXC*}hV(nc-w~k*ml0M0lbLGw zS+62rjX$HhMdzM7pJ4k2s=X~@o2NePj-D~=8(5hhS8k%}RVab#38pSvYpyyMW+j7p zF#Uoo4P=K|kP=N@XsNj_sIlJHh)wIVA%1OuOfet63%WMl|J^sMw|S&pRz(6%Q2V`* zMMxP=bA3mn44)C8Mo_%+vEbq`?8s)t?18(y9&)Ngm?f75vX46NI?Nb9*eVvPvMts~ zE7s1w{+T;LKX41FUBDIVI7(A1u0&j&fxJ1{!%3(UXB~*njIlpgQpjcS0M8+AH_csI z|3nz&Q~$!Sz^(=s|;f zi9v>y)$HyPqEzKz zvGpi6WLbP6*AipTH$(YOV^@1vQPn;pHReB{8x+f+Hcm4j=-;k~JnflrnxEg_zDaxl 
zdUt5Ax5b6V;VaYyyqPZ1#B)S>)006t($nUk@=ErWp8Ft^QvD%{hw*?`YogGt^NMNP zC=0mJJ@Gw}ymWwcZrsKMEFH~Ndj!fUc@HAgBot&7`Xw-(9`96FGxYqtAho~j*4u5s&~}VNC_!GI$X!gs-@5ah%HFv3(KnJyLhsOdI1YIQ0DND ztg>nY97N|^-qYfEZ!Fk9kuSn28lmjfT${2SieGz#7&t?F+vZF?DvIN?6A4E55-ij+ zf%9T5x9C6}>gR<<*Pj9rWFoW(DM^)FfV0*coU~asK-KSAn0!)3jEcaK+nHNrl+BmL-Z4ORT6h4>o~5?B&+C>I5Ng-n|$;I zQ^V|W@WFN<3$?d`mJngIUIcdZA^pmK3vxgc)S=`=*s{jPxiCN@hn)%%d0c8fwe+~V z1dC-8d)!_Nw(4YbC&Vmu^k=;t`HMD2JNhMG=^{PGWfb|N6Krzec;xG9PDF@aQ^{F{ zb-yG|?}Pr``?>S3Km;0PkxCSSIz4pB^$M~1F6n?9S1uVQ&aT7Pb26gZh_=38)%9~9 zLy$gB?c^t$;^j_Iz(-O7*H6d=NbYEzO+OasS!JTHZf(;sY1kGan}88ujdM z=;zzRZ?RrIHwcu#> z1Kw@;8@VSa9}l|@pbN8bGq{uAV}+CuNoT0C&tmyQJNOYFW^i!b;YNTS+8!Dz8+D;E zaw!95ipkpLgkeEnUtHg+twWn7J{nls2a*105`_q-@B0@>4TC@zv^%`jt^j<|vY*zCb(v~%`%&!aUOjGY zKrww!nyyAWLyJp^BPp<){LUl#&}XuE;)AUkj!$5LW`{`Wx~`rGJ&Q+-3U%6m8}}^_ z&KRgW*rfFuL5Vw6Ek{23oo_V!s*e|XLM?B-qagopg`^d!d1RNTe%+p)TNgE1z!fi-2prjAfJFOlfmLj~kKJMWL{j!L^jEKpy= z7D1#zc$>phLeA0HeK~iR9s*`Wo2+S^syQiod$G&vBaqw*l(rMW!hCCz?kB3bhLAkf z7+vR}`Ck_wZSrrI2;E)pP8{DMctP0q58XAsS&ds&f2qz$iC=VX-V>CKZv2KPT&;68 z-@9Ay@3V?bl8mZ@opmP|@2gz*Q#e`g; zvCu_6$UGT1sNn(x<22XA=j?>InD1_c!8@8gV@IcHMP`(HoGqVacVc}IYdBx^HUAtn z_+KR6txXaXl8pHv^q7dwS)_?sT;;#?f_-h|NxjmYs)4Ok92^wfnmor|z4{wD%S^Fm zaojqY4|l5rt%Vne2A$YXQHWjKuTLF`nFcfkcp2Fs)UXI6iQl9y8aF|+@kWP15I%w+ zD)VRViB86t&is`Y`=D#qIC^b^*YuvV8e|9;zP(!#8ul6M`KuCSv5HSUo=FQQ`~diX z-(sZ5RZGK~ArhwFd$as_1G`u6zG{!Tv0drGFW6mMsDf6JV>v_&iDAVl;r$c*ieofI32R1YH*qe=9CO)$U+`qb``SHDRI-AIe1Qlk+i@gdA4~1PgkUnQY<)-A-~)O@ z_uH!fo>YY(-*SddJC=RP$<8EmuhsxITD4{b1p!%Ro(gp8t^EKp>`aSm@_#xU?@oN) zn!1_x#EuP1jum4?U+%`boss0>)8EphEeDx-0<`-b?bB*Lv>Qx>_~4tY9Kkhv((?%c zhX12ot_BtPfz}6IgBB*8vm-wnDUb&Zb|(Beeo>hIsE zBdONR!NGB7;U-N;R}gd@_(QFbShXgkd%DO#6|=)+@hccVO%f~59D&r^AgunL-ipu= zmhIZbphYSlJ;xo673%Tk>y!CM;0%&-Hh5k~sk5$R60TZJ`fYql{R6AVrHc8W_9hRv z8z6$rC2W)#G(zF}R&}6nBO@7_WZw*>kkYJ^#c%mUpp#oi5jMy5=PGXDP!1%yl?0SB)HYc9R2tP+DFkRy>T{<@N(jg=1wLW(ccjtk$e?f6E#k9 z+23hbJjwt3gy?bb-m)Ifxv3lDf8kgst&a(HS&=81WYfkyIP*uhaTwsNjo-c`Z!USU 
z?(yW$g(CZ&d!kSwafQP`$HxthV^3=1%?hdo(cGKo42K+B7DD%&GnL1Q%Jm_lX~LLl zhhdMLbPpMqj`knOX3iOhwvd#U1QZi)P8RleAlbkV1#8D|t{Gh-206F+`OGDbbEvHB zn=b=6D{i6Bst>VN_i#4Dk^Jx92U;Jd)DAb4w4BI5tv0TndxkVcxZMjiA1rBA>hoKc zni5xG@J22qvfL43i1Or$P|%T>&6AeriJoC7XVK0qKR+RTI#(w5L6Tu)>@g0Haz?Z4brH#&j+FG}IjPV;2x8Ynb15DB3QI~O9wtiI%C(lNt zFw~(iUMW_7`dA?7_wQeWhef}exrsZMK$RiD5Yrt~NpG~tdKpxEe7T=B_RxAnl57;v zH$UDJ^XB472rO`hVIbLeJh~^uTg{~h6HNZHRj98gV)1K=ruJp3Q07s>9S1@JM_9KjRX{jVxxBf*(F+ z5}-d+zWuhb|E*82wnnnyrlM2dIagLNKFzVjHe1klBwVs0jFO`&0BrT>zr@IHaHH+* zLr`0kv?p(@pEx7J0bN)3MLM7p+H%Ao0zfw*@J4PSmk58sPqS)LP z@m#BIb{mq+ZoW7F3?UyekZQJY)aS;RMe2YcWYcB z47}k>If`PRMqB6@8(>I2AAu7Wk^`sIdW!c?IFR~hBB;BDM_S(v?UT`ObDOaVZm_Ec zYV{gnsve+?E2&vnnoN4sjOw%h^{7`BEL}1uo^LC;Os6xSQ8Y}slnXGczr^0T+0&k; zy+D$_;R>7lg(K*lqq%N;C1al(D#K@S0Ne3RSh+s)9=OnS_JDzagY9xnXnesP-V^cj z{`jAwU%~b9Hz8g7Dmm|4!SuA2f?Z?Yo(AY~T zxCrKYY~POcj;@;Fh0}48jP4v1C%ZzM(Uq*R`5Ut#-&bLy(|W48fYpL~bes&ZT>q|4+^n z*qpxHG4rrrA}asvP1PPQHrHckJtzXT`K^-UC1-2n(gTPXAB;9}Q>K7=k& zb|*$F)(pUuzBGn}eh*z}RtaFaBa~{ys*Gz-(B_=)Fc*R6O7eqnNSiGaM#l6DDqn}n z6`LMRxi;#f@UZ|zxqDK&qrb7z-U}Y4tYuVpJqThGAwSyVepvpwvs8=J z%-~{+_Bc2Ze=MrTST{X@4D>_^PX;5+v-#rI0h-w-5lyH7roCG48rJn)|Czgt4N}OU zuyg!GK|;i0+PXNOT9ftT3Oks7BDqV@N-RR70DgyXpdnaqcgVcxK}Tf0iY)Ab8XA?} zdN_)mrTmzS-sh$`qh0foQRv&+^z}^f>X5rHP**iB!npkA@`E3g@!g%j^n$nSn{y=^ zCM6M5nEms}rutdKvYt7Q<__G%(uoZpT)r9n@?`7@+ zo{{$#so!9M&~aCq^>4n5GdL(QQ-z+r-}RT)7pzkhrydAT-(!e>oX&Hn6`HabNpQs8 z8YaEu=a!FSxKN!=;>yOIj%s2cchwGDcfnbIy!W&uzS(F4V>yDoEwk4U9OY%47wU*AaFpI)zJ=pRXW2?_a;SI0YU#U z2kkk8(2Zw{2Wbq@!6v&%4ba%H;L37s-=V)0?0t`E#-t*SSa+x?ICm(Kr^`3<9|-wU zm-%1eAc`s;e{|9Nz4=nfeNp>{iG&s?YHaXcCJLqrw!;Z(3_D%y#eNl=altdmp$Yo- z>mLz%^#@{;($%BIJvk^KCPVF02cxHeKyT1m-5IZck8e583m1%VgYrDVEM)53nZivU zSFF*LY%@jCYed)I`LDn~(SWtR0Am0p*t7;1UB#CPyUH2N!b-rwYpl*2 zk)1?%-`hOmWnQvvMRaAJk*eQk=Yl@(m3TiGAQE(+F1j@2H`5?jla9GT}vyS4FRE z6bAT6`n0b_G_;=>AK!BVwgQ;R}+>o|CMF5J^VtO3=bQI+*nCTy{j3abSL 
z)x%6yu;RFVGWMI?I0>N649TLBnX`Aj*+qb(bi=1m5@%Bs097U^HvWYTP`SBr-03?-cY2PZjZ(&-r_pePRyFU6bVf?7DSnq@zrzuMQHJtc^?;ta$6 zf*Gw1qnCyasbZ}n4m8NjOcxI86PL(WQHs^hX+24wT<9;*{^I6hCfd-etP8R&6L-vn zHoN>(pcFTs#l;|;ly_czPRIB_NkiNV zl=UPd2*E3@FR^|=H~j9NuB#S?xITT_6eEI&@~xQ&J9JG=gtE7jT<67I1t_G~T3zqI z8)hB+DzXmoMu||nD>A4n^>`He?_|7aGXpoBNExoPM0+^@rrgnVyf}TRAb_BV84bDX zCkMr}$Ji=*xO)iw6w`H3Us)Ba>SoM=rqMd~B-5NHR35+^j^3JKws|n z@3YQ(p7H{?W3nv~Wes)K#x2^3iOxb^RP(wW4;<JZJd1cy(^3}AbhS!LBf>6m$AaF&1{-#>LX zuWWWck`~_n^+8*MogKR*vs@>+@o7jwXNW18HSNT7T;ANGuV!m0UU)7#1h? zxA4my13a`~GUWVzg1Psxr=X{We@#GD26L_^4f+?}Tq;#|^baI3MFJi}7d}1SkQ8DQ zY7muwNTklO?_VrNv~Yk3#%59J#BEm|tol#{54tD9CS}&!$92;FQlN4_FCsi~!8EW=I7J%t==i&jCnQkWG1VQb zNTnKNTeM>HwbaElB-=**AgTmIJ35pu44$Bx0cDQ1$l!41whL*xOLy3$<5h9w2IW&( zecT)21v4j?Z_qn##g=HKEJiQLuCbr~S?z*1Nrg-tC#a0oaZ(WMfy$tCV(xGVSl}_x zvVKUx4n1T;qtgfclfVF3pVwYoUP6KM4L zu68FRL1BZ!2FBNPGTiC~PzaY)G+AptD*!%l+knm0+%h1w(mIrhUo*~@cA(nB1=3D) zlZ8I!8qgP zo(pHdQuDMAQAUM}$ObufA-mT?3gE?l{rdILmzGvOt!iU@pwl}-cryVv7|XS*DqG!8 zLZ9_AfD(%Y^!S{pLd~dgmO|NkJW>B>el_5j$7BvTKdQG9r{A{x0iN<*FZN8|{hsy| z`F-^lDA*<_fL3L;)i`N${n;%&ANd%8qVN>gnNNl+#(T_ESYr@qrG77ZTH^KC*H?aC z!ppWNyz9xPj+z-YoF}|!BS2r?jw70nhxQBZ&fs}7oCxLBJFM$kb45(Aj-JxQYPaV; z@p0}PdSGvFf1ewW#>Qg8E}G`)=B4$o!wzjx|I-!$1%=u)3EB} zuOfZytfyx|CcS7JT5=E?ld%)9g?xK^!o&RjnHPrugLUv|lkpyZbsxVA-(qyjIU3<< zNaVUX<*CGFg*(H6y9$0P9u-?}z%ILX=*mea!F_yvLt%cdGu;r^WEOqGOQLy)J3RR* z+hcS-iMF;AISu^~kc;2;yfDyOgwP+e%eox#{Ue=Qb&*S500KeW)wUhA`d2>QVU5!V zk&9LJG_60}g5+;#8OcgTc;X+z|GexnGvN*_Liw#Zqv!q7$VJUK|DQ-qp(zi7d3Lf= z$o+|=r0m^B2&6bHf9P7{iSkhMe(WP$kXwJ_LQ1`VU&Nu}{m1*ezHV7|Q4SgC&|3l( z!5=LW*{KsWTNf>uz}0$FkHE{&KwK1wNfMgOmJ`(AksEB{Hm1UfS{peCLWG|zosi0H zqvKm~I1rGV_H%A-d=WUTyg3Tb3F~8vFJ<$D`-A&I3(v)0#soE#7BtNk>WS*nag4ef zYXGcIxGPDvqS|`CV_6pQ_EQ}?7Q58Mrwz$4)-uW_1YjV)s^Ig%qRG5_FrdPQ#qL%Y zj` zdXa;1rn}x8doEG;r7ih%`2$0{j*-4`h79C6CJ%Oz8>ps2w*)YjF-|7M{(N+(P`_$Tox0>w?`;ps ziBy{PIr5w~Wrw%}e!tWRt zQ@^T%lH%0uG8DyrXO6laefN%bI9UjKlU+9loR)?FcY!?(_C*)aNnYeeau_Cl;I%6Gy2k;8|_vZzBiX{zdLlsR5MDnP-CK+WFGi 
zfNsz#4h`I@!TYnxBLC#Ji+%Nl-xr>b=G9u0pc_&%n2^=PQ7x;J)D{;@gpghn#KpMH zD3CLi3zyC%*c27p3qj^&I^?o%dJJck_2HJwcTBfYw6X36WbcYf>_#A=I z8t>jYp^vF(iCY~xFyRUF`x#X>+q4PCXv*Lem7> zPkDtfDoPt))V7k+MYE`1A!O(0$Bf#=k<4hz$&!@64qua#6&yFeXQMDe(79^SgC|BJNXAQc6ljSUJFuK1J%tj9-IA>7|C^S z+VaKV-vo<6k)RRCx%LL_%NcispNJTI z;&8S;p3qR*W%}At20w213x|IupmOL^=oEG02$t=^#RrnCZtN(}5Kr8>=WBS5Dq3$x zzWTwoPylCy2f$50TL2#T_TxW^zBGb2lHZu@1GWdf=;RjhlZMojQcL+}%HAzHbE1Xq zij=6JcHH^R43`eNVN)r`I#gXFBo1%GAiDc2#9dj>pJ#zy9o&pK9ceVL3xd*gv7^p; zzrRdEk*cB;%lrtDA4C#p)vVVR{PgzFPbmg;%A!ElxMjta_p4jL14}c#zyEdhdJW>6 zt-u+!JUP*&jJoqn7WbLK`2)CgeQL!?h_FB>I_c!+n)FSJXjYVJ7C6D}OVv9oDr>>+ z>{2PbgwFItG;#fv${m6&Q(U5;EGkDsxEnITbas!Bcqyt;PHYr)7z-zOtffMCo1^F+ za`YC$4&>knyktUkTC*wV5@rlsv|`be&Gt5ho4ZaBY9dXH{>V*oTzfUM1{j&vVrQ_f zT9Uw`&peE5lFRYxq8X}m{n7ANOTaj}2(r+9q9O}JxF+l;q4_8NO9fv5e&nDvrKKboDnvLWi3>AIdIbn02wLI}*@_?K0Z}e;;a)6W^{?Fb zE~frTVCd_z^A${hI8MO6+C(vp&&_l|7w&ftuWwsq9pQH&lUb>zA*_^2n?Q@FwW?bv zQPfxn_!YQpvvcC$rj{G)$Db}pzv7(ZCW4Tc>@li#mXn0iiZ#=<+_itquzS44DR_H_ z8FY2zBiBph_z&q`%rA|?bB)~QLh)IzGHC|=GkF;_pqKR2bC@A13|g12$8OF|9UM~2 z*w{{AKYmPO8O&0^x0j*#xoFK~hdFXSQ6u$BQ^l*=uiWR#7EHacnKoPQ))uT6#GRlO z3yQozDOL(jm=p+f*@l`gg>*R9HKB$>>AKu;3~9BrGdf#YvGmev9b=OAZ5?Zqf7ET&nq)XKKGf z#1_;{ODS<>av}n}Qwr;hiY(a@cL0PUBy#Rrg?Ns(8*X;jP0#7wspQq&cKqaP;zuJ4 z0{E(JUz6a)%u2fy-9Qe?+Ko1<9_ls5=nvSU+PUXY7n__k=;(t{_;SLLRo%(tHt<1( z8T4bmp+90nvyISldqcbE&m#)a$-%vU6B63v=&nAhEmjQa{D?f8F~Gbwl_9 zq}EJ=ogVj{aJbXcI$9y`pu)+D62GX@aZSB6`mx&R(z`@H+_7Z!AjoNn zBlbh&c*Y(1BBBhSDHmq4>tC|dS~uRij22@;M9xUoulK0h8lgwB#v^+?Rau>mBsO@Y62=JG_p;O5Hz9BvrHJrwJP6qiD2hV1r2yBF;`VGKjNsbEh^xXhXW+s9vjJ#eW%U9eICAl3*-0<8Aa8vC`I!;`c_Rg5iYLcUcIk%OGx`3s>Y^k^*@4 zAY_5!N`-{wK@8(iW7Ros?MC}ISWkv{?=0FDcdqkJ3^A4y4>ZR;BE%MD$`{8Kd(%(h zxbrG4unGM?=RhA@aJBPi<)_w-ckUT>v?^#~N5{Mc{UUk{6@@7d(!KqM@UDHWYK^hA z2v%ROdALJ__Rte~Yj0;3RdVq;sdI8s4Z-ftd$Gg}S9M=dAI1uAPCrYsxcZ(G=;!~R z37qyGvYp8Z`W1%qlpNn^W4(`UHK?=w780P@B>?FUe(7^WkD6=K6rEY)i6GpvUsjuP z4CFcQJ7K=4pX;zIXg!Ep)VhFZDtm+yL)41`NxNUFDW}O?LJgz2aYK`@Z0;LhKAdK(OWJr 
z(TKZ|lU>xqyA)(7=L#0BS`bFv!$F<7Ib$K7kGDVFJBUct$}9jq4K7ck&(}^B@8o3c z1>JEcNN)MZabVUKp8w#))X-E-lBwK?eNE46NJd=zrjc02BGE0QsEO`a;+O;%f zIQj@eN^xG=0JuruGN=euBSL?6DTJIX3iN5zd)Z_%f3m^xv@}vVSUW!))+Mpt)h8~q z%TzaK!#atJCqE{2btZ-2p+2t$pJtfMNf?5d{*Q{a+UDH2rNT#)KTCUWI)o>?Vf0+_qCjSO&3We?i2xVcJ|5QN2cgD$(jpp%KjQ zIj3)~xznPTB312S`kk=$6%XvDVB8N6Vp zg(h^6ZmyCuNQU%lLj^mfr?^}d_=TDf4<{@Rs8DeD(Lou#nqG~OI%MMiaVtD;t3^es zumGbAC65()33E*BDwdgPu#~~a`}2u_DQ>id|6p9vv*eFO+uIK$wZj)D%Cuj-TQXwy zwu5`k5R*M&__XINgA$mVd~w~Gc&L3p;5cg1o+bp@H5&(8(v+MfL+Q<2D+Z;BmBUYi~$y@fc_fi!L7|QGL^E z$H%dZ13IB`yUNQ~eQMq8q#S_N@KdB>pa*mx>xn&4LkGP5-~^5nnKv|KiIgCZnPY|Gb-uGT3Qfh=*tLFa+nxcAS$ z!1b~H;vj=w;NEBPv34BQpp@aU`OWd99SDN>fhF_Zoit}A79Sy-MM~zQlvQKoh((cV z=T6afv~l4vqfhz*ABm1I_hjJc9b~0;DYX;abAaL3c*yzYmEfTHTU572MwQdH)Wax4 zd!tjlFNF35Z#9@VJ=hG1MADhh4P3I@kRjAT3VUH*Cc^42@`&|dbSSy@#EoxTO6k|( z-+KSLQ^})>wbI|e@Q5l42kjzW(fI|?*%7I_p= z`_8Ip2+i0S?I9KKgl|{-nkcH7h_sd{kl%$mESeoVyns!_*P=%jy}(WW>9N7MZ!EAz zPcpW22fMsTTFa`Lk5@SW> z@PzNthXTCPJ2%@qwiI~s#fR+nJh>Uy2ZhFo>WHFPllE72|5qEVaVKtZ+1)r&La{P_ zZx@d0E&`ltM2}s-)sm3V>W&D?{LGev?cuEkuyP&U=r*{9%>@!x0z8d_jE_;6GZl{F zj)D}u;n)jr>x3p#pdQWtU>mJkGvy`0za!KzgB6*LOZrioW1`LjG3C6v1l{`nwVJhB z!(c_;TVQMIG5h=NiL$;la(&|_oyDVa++NhHw=k)G6223E)Y9-0N=62Qgj96HEI;2} z{L_wdUk^-E;eY1-M31Ele|>b5K8-zO!~tw9xelTgmw0mz=)lHz^l{BJ*-T>7QK6JMsu>Oi~Z5zU8t*`+7Qqy9d^TE!?fdkL+{yer)P<28Vkd@|w0FQ~C; z`w7FvWJAb5ffoDLh^-|eaoBQ5F<~rXir&BffDAIYz<&D)^{u|5*B7R5Ki*`%iiv0C z?!qipkNzFLm#P;r<}(jtSHB%wLh;+ho zMwO)H3?3px{&8?SZPxg^HdYPloNE{L?M_%xlpbQiFcz`(9C!P0;R$J`Vh@twcEYZ( zaX&aJ1HOWE_;0v8PzmPXjAR{;ZgFfzjwlgwFK_HTq34{pQKn0 zk#omd;oB#_h%PgF{fBlW${b5{z4c30j73Kg*g8=bTI^?Cfu7>U3*Szq z26Gr{ISi(*f_x+n)dmY2 zcupKr0oA0x$eZ{aARTyn?)sLvZC96OD`$$#7YFrOva$8THAw)UYH7q|i>Xne@G?x~ zyQBY?F6TdBcRfF}uC*x-=^s4XR+FMP zAckTV#fZ>n1P2Tlo+KvosWc;M{nT*>8cs00X>+Q-mUbn=>&ks4(4k zBT+M`?<9yusMj+6kGBBh@h< z6Uhep!hb|m`=LmcxW-uX$*mHps85l)vT!;cZeXDDbViqxe*X~gF9f5Bg2!;|u>tfz z22)b3=|hcmYce3+e){o1}!3PU=RPq-gmKisqa$#|tfia#pcg@th}8&HGkX6PGXYzS`VFR#V(R%pOQ-0D_Gu;N+c 
zTD`+9a!I??8JNa1({<5`e|{_bKyXz%#k=s@O6)8op?5WibGcL!vkIW8Gv9aDs<J^Cj)BS*dM+y>MH9iA)H%@ zE4M9rnBXX}MFUuiO%YMoMLUW=Rb8pnG`l>#y?>zFAUp_}_CP=$*FTel3KUWrI24v_ zokQ0_M)fNkirN$#z~Rz%_Hc?IN>2g_Q{Q|M4kHRh;xkwm-5ai0ELYjMA8_f!7w&}9 z)b|Ux2!B1Co|+Hr$)Nq_x3&RLH-LBU>g#a6%+PhHYO#UKVyH;h?4M7D?bfEoyVVD0 zm5b95kxF5nlY>$6wvO+sK@g5C?xbB4@;=dW?5OK3+!a~NVNhqIir?lcGfA$>o$3uC zEqhtG5E(H(jN>U`OZJ{zitzT6ms_a==tXlwtbYnx!A2h&iU~%5Cs!rjBEZ)_`xjVu z`p7*SHlgD;>aydIrY>^6F&x-sa@t0{Cg(einy8L;8XE0hykaBjLH|e}WL+@A z^NX1F^_Vfk3GrGJmm>f2FbA;a7&v@@S-x4p=DM*q1ZD=r#SfMN2K*dWMd}2xQTjMq z2p~D3tWs6V;+*(S<_pOmu9+(7e+PcKPdCF{sDbp320nyk4zvbv0HShX$&}#yPiWPjH;`MAC^n zfZ~j6g3RyW=97oFjUr0`9?SiHKPg^Cbz_LFQ9Iies5Uf*7~USkEDiFp;aH(7|@z`O(D`g#4y9y)tk~Rqx5^ zDO%6PaeV=hmp$J+|IdG+^i(^O#FRzN8H3+f=(CXTLKX|N?u&RA9+?h1Ik3X^tKx%nMvQJwPM5zv!HeY5sje?dG+YcV)@ArJ+q>Xf^-5@_ygGdX-<5KY zs1Dq+(2N02w-?Wtb9mUepqxEgJ9A+tasuANeuf@5DE`;G4zk~~h#O6Hf#L6wPP|6A zV08~Z^`O^VT$yqVd}T#V0DK@W{w@c!1eR~!T&dUT9CoQ~O?J=)02CRR5f#hN9`0fJ zF7xLdP$=buiq%c}6Nw%l%@ZJbLU-^Y^&>xZ$3j+zluDSr7?0Qm@*~FueK8(D)aaHK z4W>r&)Vx=;H2TLt?&8K&Cqi323+=0Zm-urbG@a%yYqMS!1}9{K5*LX160t?^339CX zSj&!ZIj9wSi8aK>KPKneLwdk#J@2ATdp)wf7CT&HYLecVKuTDXNO(!(tM%;`g%1i@ zm$EhOEkqHO%DqK}yZYPTH#n3RG!1pvv8vZy(%}G$0c_T=a>gTMrJ^O!_`2w z<{I=Zy2lQ2kHrNJFlvD%AMf)n)CHhwlbk$dm(Q$nbL{6%?wa1Qay&eRc*v`o8ZtY-jKHeF+nyZaj*rr{b(Qsbf>*o zh#t<9TaWb%8pBBM^%D3|$5hXW;?wO_z-3xzACveNId&Zrgl-tmrU z{&(9gu^fib;Nsq0ctYshaT$K=XPgG8%*++l1Dj|}HBp;+=wJvV<^cM{q@f!DE$q%u zY?7HWpMLehk3oKmUSjTUMoTOX{jg5U6mBw#M$4HKDvN0TUM9*@Q|$+P5a*Zu>An>X zQM$H$TPA|5C|cO)Gl@wn7gcwZ)A~{9voLbYyUDx9iRf`T5;{N&4C3iGT@Feous56B zk`FO${f)U^3Y3%4fAz!V%x`UUW0N^TanX8?bvA77q$hY=3#2$2G5ZaTY@{Jx7t#5H z3)EE2mMvHm=03Tu^OhT5bP#3v@@?veT7B8+{)Z)vDgl1v6Rp^`4+~&gldvPCc*}ZL zJZz7S*#>CExKK3Bw@c;jzu+SRfzm$gI2D`ejFMv?s}#PfoXFri#|KVbFN$ji3j2k# z3x~s1wUZK2Ldyk-$c?HGR~nOpmXP%f-J*xU?x7Ha91`O;O4z;kn^U2k1@DT??q`9I z>25WA{@Wl7$W97a9(HHT{`GZ(@?Go4gMhAmOk5lCWlsWy(IZ|m1$ZY2x{80rb#vM` z`BrpEhdib}N((Wji*NvO!_mc)tj)rxPfB8&?Dz(m~>7h)BNBS?E7 
z-h-%dEk5bxh?R$a;ciHs)}=Psyk@?l+PCC}9yV@E3J01W7 zU^Xb$O!f(vq*57!z}WQA)xM=OmsK2K4a9VIV%bLGp@}EqPXUu~o97$oN~Q7ttF70E z_#BK487S~5Xc+4|Y-Kr6SY?NzSJAP{{QWuTEL!)GW&1=fLE!+-WeLw7T^KkZ!%1^j zhk<-VqO_(4IB*p(SF>M&uWGX;0VDe)kOidf6=9H=I=pt|$j7!1A7Z#$O?U)>#cWRcdUpn*h!1u)E&6qr(4 z;!1g!c!H+V{HUAqnoK{S^7*qNsPcq`KelII(h{puMWk&rcof%Pl}^78u~|ETVo% zQkbi*Mm}~TuaWOAop`C1=oSqBzFV4Koh$+qwsJ~U5$Hq5CAiq0;SQW%mOk7%-Y1~l z<&~2qbp7CT90(D5riKd)5k_Lc@Rzvap+rLvZqD92n7VzWJJ$a$IYb-<$;>A9;aQrXLM~Sn0e?#T};k^)USG9$>bLH&vvUAAxS{||fPKClr z8-AZ+6B&eJPPNoz&*&4vmXWc*CkndUPxqW?(4ltMs&6CGgoGXYp2B1kd6;{|pLXOz z^;FlOQ*li(mEhnwY@n0yDPxva9;&?VA@5vrKwRd`O&I0;4KvWEB}1&9PFmkPdEayb zZ5Sm@sRhI0l61+axqCiK`9#FO57WH0tiEA>PEM>AAc)C6Bc|*<))x2GBH_j{?*0g34Qe5o^S(bxpWgWS!nSk*uKDvy4uX)1^uFX^s=^x`>4XHcFYHk zN_VvrP%9B%c3twRq-y^o)J7O6+_0%bV@ofyW6(3yl?%_~O6kF6;ImBCnrHTML8$G80+*pQK;tS@b6X--du%Qr9z~EYqGt7yix9D(0q2lUVk7sTVyIm?! zk|^8nh6TYVC%@=$`r2U-cix_S?*Pi+fTkokO8FA%UB(tb9XG_kKDnIW8wR35iM5}w zz}eb>8bxj>toM6g57dJ8doG<|WgHmimlJ&}>28KY$ymE}moEx6=)a=>&OpEz(n}>B zmnNg3&P%=9tA)~toHbV}>FD?Lk9^?9vOY{{2m(YUy{{yT8Mw6Of3r1k|1(>{hS-_J zvC!onqL61ke$GVwQ{QNt%m+g0kBNp8^7;$8eblnFV(6mXps2GgHtGhRi?G71m}|mY z<>Sb8<+#}%tNw5jSs-p~;Tt?H0zJC(kwrr*$92qIC^7JsF4fQkVvm=p3Nj5L{slcW z9gs2+V0>o2F>@~*5wKB-0n+5_iJjXpt?*PX@j5uwRWV3lZ4qYGy5NyU>6!-BwRaqE z@4wOOvL$0;^uJs~^-#FQr(U)$rr}&p>aX9we(--lUgP_Ra0Aa)kZJ$pS}!9~rl`$+ zOvF31wq@lWmMSihM1rGXXfA7tH<8%{W8z9M23j*Ei^{(bV}R`*^}^4|{lvAJ$C%K8 z+vb64&lgrV%JFdaofG+v0#jSYGN>H0{vgO$% z&ZOYhj`X}A-rWN81RL=_@qL4oMnTVn)=%pU&9CbES!!YUk_sk8(B=w|2bILvBVNqg z$H!lf%eF%1kqu*V?X0MLxI93)@1`2+$aisH$MQgTNhNe*5tQ4cg?f9PS?|Uqz3FkQOOvu>xOHZHaoVzE5WP1?&&G zDlT~ayt(HMi9y?%V_jjX=lHZvXK2TrBx~l03k84-bNw08k>4<7%*W1Y(CK5cOtMIZ zBT-(!$R>u_?q!D~fbK+_N_0s{JT;*r#$;PudbS1=E^KDbp}BA|jX00gi4L$@Ew|m! 
zpMA^FWENoc9ZT&HMaG5A33(CAq0OQViU~$9oc49>_1bOhhO0PmY{E-Y&}$|^xHUj+M1R!ZM!Z{vhjtSL2o(56guiBJpuPN zBuf~0zEHnNDI8vsJ=l&(LgvCJ8vYR1FUfZ3Cz^v-CrB4ic=MU-xt9llhL1NEA4oOa zXKJ>-M`<=H;zo3p1d!T5w{Vb_{+J#m2Eu2rq8ChBMoBfKidl3twHAi}B-T#>(wRP}}1JX`nv{u7d9 zKmQP-^b>6;%@|`F;zrk`MZm9WPpEoB&TAW)sEu*I(4~jsA<1sh*Ax6^z7rBn%dtRo ztC-QNFStp3ytb&Q0H8B1+m5^qTw_C!%_#c20b=OlT3k3+%@>}(H0u;_X|M@5F+yup z7vA{@1C(u(r|m>o1(n#VLoa&eL{U~4Mx@K!_73+0HFWNYAZDU0Ynxe96W)ckDY9gv zw7m2#m7n@4i312za1hmL^^;I}z@*?0D4{2~<9z%3_7e@vZOGi9pklfT=V(Cto@4x~ zFXo<9Io(I-?GtQ#NH2v@LW}soN{tMFq-i&I8+3k{v5(gPNoUVV+1z~d z>O`D|t)H}~lH!sF=sGFFR$`5^wM4nd!r$* z&sH>%K_&<gHoSkfe zW;**rv|?OSQ%h}t*2_!S1bOs@v1!a=0=Qdbn(7@TpzU?kyH9;AWo#`nU|$8Uq*J_U zuCk&n;&jkwuf%(aiWTiQPFteJ&8ZY6eSyItsAsCVob=+{d6_CeSXhB&ZnJ~a z?|`5gJnX9Oe6T$smdMC`0wpORuwB*NU-PcyXT8NGhY;GdsnbF(js-BiOuNi*ob5*W76=A0YVC?chQ!gdgiO(=YxW+VBhsI(eLc{J?Vgg|ZfOv^8b zG(?UzYo6W#o044`6$q}T?#xM)q*xPJzDwb3o;;M}O(*F_(_Euw&Jn3-nEIfHAU6Cw zzt>Uq6D!fP=qhN>EUQqH zlS*dv-LRkq(=(UOl+C*$IlUgEtligaJFthOMDSSVGHrg-=8@Bn63&YC5g4HtE| z*<_fl`4=Ay7;LAr}{*)bYw-oq*{RsLCU1$1&Z5{f;5zFIj%WqX$7#28lKf|Ki24wfUEXI|v> zX>aPG83>oG9bl_flmv0tA5axb64{g-gH=tGe&9~%>y{1l+{c2m7B(BH={e*kqeSZO zx15}p_{I0)wwU$i%uQ6SYS8<8Z^*!cmGSRQZw7O zjv9%jYUxYq2-$!lgM@n3+slDWoewx-oD@fE+ZmuQRL-f;^Z5?eCXAHiXpY8>Jj1zg68xpv zt#UDwvufr_@(S~P*lk7~Dm0{IGs$sJI#gz8c~g^oWnsk^mj?CGa@WE+AGu{58&tu2 zJu3KF$0eot6_n6 zEPiXS6$V~7@uc&pnK5tv%i&$nZ|7a9t|i?=SCgI%(Xw33JDweDEX$f&!P%pfnPC&j zg-N}cf;TwQ<~S-3Q8&3`Yk;o_rj4dgV#%kVNH&pzA?+FdYZ{` z&@JY<6P0vMC5x)#9Z}(3wQ#T$nS8Rxg{DjX&bz*KJ!rFDQ85_!2X(*ta5+r_M-U_M zS)csG?U9mERd%e=WmvbVIB};4jRMWiGntbAzcvI&dv$cPEte@62a0QG2K9{deyQo zqWB~l@X$Uf?K6l2kf_K=Qj|NV5T1}^YHpF&0GHvyD956798J=du24ft@QSyD@ZI_D zi!AvEgoE&|Duy%5?fH%3v$U+s3WjxL(w^r?qB@hNb);7fx}su5SAptPk0a8AlH<)q z)}+A~K7R~~p5h{HU6jPAQ}IsvG1wd9lBTm=Ej_2B@hm&C`KlSF`;0x4Wdd-u41`)X zWwR>LeV_Joe>f3knT<>}r6z>A5`pR*R2@Py)Kel)fhb(Uiy*!+@PPEfl)aAuz7F>N zWKN&NH9!;MBk;$H3i@~Z!`O$5#i{vG(hSGPg1yI<7D_SSAoYbOIX0;g#x!dh%0%5p 
zY0j$JIY*P24|4wc${5+wl!=d_;)nTk1Jf+S9xF0jkw)pVRa9M0!D~HIY8R-}K8Uu! zo0816sm@95(TRTeiJ{|QO$t(9jkn5b)q*!l?Vd}iK5NwnS!)L8s6_*=NMq?fj+4@7 zy{t;wgS4t2n-oaXJ;=Q7SwVd_CfxY%`4f#IFgjVTETSO>m#rsAIg)YaeEwM{Wt@Z6 zveTK2AD#~%{Dok9z~ZS=w4%p$p!q!sj%vbkV)Bu|6MWUpo%J8FoP1&nTz6PKTQ4~P zDCvYQ2hSKW`_nL8VTzD&ezE1n66DHY3WH1P97{Pu-9$%UzTIDoZR zcAh5muE;FjCypGWOPTeFCFm!SJ#XyD+|{EyYs{N&(XTA~o zoL#5U6Ri;AAfma9b~Z>!g|FZ`YnEWZMBb(@Xd~||R?nAh2U}n|(-7N-!BUV@BF>Cf zb;HJMGPaWN70ql}S`UUDsPl|NYY0Kf531o?vISztuEB8)N8&xbKJE6eRFO^OJZI#* zBGHiwCFuJuT~IE+J;0a6${|NBD0X47g!B;+JpTp4XDKNjigAdwyhL= zI1$VO+n&#q@j`#hh0APVG%38ImL6cI@}X6v004wYHEP^Z+ub?cR-H&k2`tPRBA+F( z-d+_b^hyPX7Xj`0DG{RMiNQfHvr)FGS;;;~jl-^FG+9NV8u09&I;sTHc<0aJ>+yA8 zeIDM->+46;96Qog{}{kSAvm2wk0djc&L&HSqiz{hb4F2^*{um%&&>tmgvZ+s;DyrT zRq*;ZIUiD@GGs$N&&g@*e{=Zo*6wVt%+EJ}4n%$abAL+-eU_7|n5VX<6*E2Sr zEL_o8k~*Q}E|FuzRymPlyF8hSWMxYouCkW&o*vJZc&&S2(MV0!S{hj-%71zZse!t_q=0)jKwoHcu4H#oPR>=4X2N6jEn3R*=S?ilB3 z%}*MD5HGh!GNmw)<_2H588`8Kx)c0iY^I&ds~nwz(d@U+HLqzoSVv{N5cX$>1Yq_? zd{W=)`24rTbFGjlOt_=E;v;qGOXkle#UaQ#pvXxvgBtqHluug z2!KjP)k~W}g2OJTBP>Q4ft>4cSRYdANv#WTSinKO4NsUe@E=YfFBzrIs1?oHD~);1 zfH>bs%znUNtP6XHW;Sr!J2HlI(*K&B=3NB1M7j>$FP>A$-ctvAQks(P83M?vOY%V* zQg0dJM)gJJ^6Se`pZSu6#1S%rTwr5cH3+~=>4!T>x6j8tbsGrn>=c>H6y-(Yq(||8 z@~EAbrsCGhE{rt5sSmj!MP!ui-3FYc1NBT4`0eTbBnfdJlC)-XkU2z#ro+q!<;}E$ zmUqCcdJdbFZuA~n=Efb&9ZvYdpYAoyVPys^0X@B&H#jPl$j>k>SV6W@Gnunakg`K{ zQRar^q%rq$a#FL`wAdvy=eL1%==qsCAzyp)6e`IQ@W?G+kWhQ)1+xkp7;BB17xO~Y z1?PQ%aXHE^X-3Pk3oB9XYSwhM5ZRnN?70|i#Vj8gXT3;^Vsbd7LeN_I=yJx%tLdF~7Qmdqk-9-VO*DPP$KqOo&=qg`Yzh~>Z zXYm1Ee@*4V;7-QKU_spQHUoiLnPLiAvdSc`h5c2On}r{93>!E>9F7mI~!aFoR%+>M2aGGj9g z>PqKCV`0@Yk^zbwzS?o?ENNd}US8~xBDTV};c`Bm*kF#&w3NsnD!VbK!cGo`9SkFB za2?*qM&Jlaf{%*zK(e6#kj`fR>#im@9ujo5o5w=v{HY#n1R36Ruo^iPs6#;Jg!yPW zyqc*-$toKtMISgRg|OX%ejyqx&Cd&S-(e?JTsy+&?9f?W2|M3KbT<2k$7iav)`PX5 zpBf-K94BuEm1Y~W%^JbeNkUHr!6lM#$ zUkt_1$XaaQu%aVtkF~Hpso9jn2|@RX;JjuKjPtP-YBs@S8d@WhC*XiFB%#kH&ECa3 
z77f#8R+bu~n}s=9855sOj}@h^em#Q;VDpudn2}#c%s|{9s$XGon!0%(Fhu0|f8$hFdR)<1rqe#X*uSkxeu=ZYNF!kXi#Lr&;ei;T6zFkIesoZ@Cn_I{+IE$3@GmLYtX*+a_OZpm|E0$lz1 zxgagil5x?K1*setA1(}Z#|A=9XzOBg8BRfFBx&NpjF~-Io#K*GF>=DpAA?vp8DR9! zC*HOt*{D)#cI0$oT%D|fi;zrvVXj5G%blz_sH37u&)HC4HOuGKtvZ^$N)n~;=IBwZ zg}_jr=&S?W_UO|SGMn8XX|3L#Tun1Z=<^AdoGZ9#=PGf9_!2#9pB|_a3hRVb5h_{E z9SZESgjA#nCBLGm;?4FnL{M!V*2zy@tJjswC7CPRdp;PdWEp>RmOz`AyAG z6;Qm3;ggnv7$*rh5vtioVHYepU*(A1qVuxu0!N+DgYOEtH1@8P;91P3tAVNsk^Ez%+zNWPd6ok0@wg0Lu@c66>~ zMK+_>Maf9f+M_C1si@|LqTcVR9xe>Vm9d6X?!h4O#xla5RS98%C~@2vBO*O3=zby; zLa;d3h;DfNBxHn(7Uwe~jf-SzW)KpQ?Vrct;yV#yr^2%SJm`WtM7{XTNJ|2Xh=3PH z46*Bcz}ahH5M+ab8nDvUsyX85xFO~f`A6`48KGv>vTR{g&+Y+dNR^l!r<)Es_C;R- zIPR4Uh>(}5$`j7DM+J*nLiHEiBb1PN#f`G0T;AxXW8s$$Xr0iuZHUG~urjh(O4gxM zW`>@~Z0B$>THP^{%&{6Iytw%5f^@FYcBpB(Yjs9$^2>%b_@x%lTpVHS091 zlMY3iC8;LEmHy%*lQCb2ksy4$zMq9bHDd!sgLH)1&4Sg+cHT*XZCjz9xMSCl$xs|Q z*wph`BM)?3;d4>_5;MOG3RSyI>L3^ruQ zcsI0g|6g25vZo_!Q6$#X5O$DFg%Eyn4RGeX^@Q75`n@8r&9ooLTse2Q~NGF)(! z(`8&2m3-6+Unmkj=NIqme11LjL+Rc1Ce}9lF`G zS6}nwqA=Q5Y1IjK0dK`8c_%=$$<-3A22W8o6y(aDxfHx>8IkoK<>ri`16+(jNW;)6 zoP0?UmhNccJ!`KOFK39iib{)ZGcLSiu#%;pEzmV_=B}*j5TScTr zI-G-ZR`1vQHO7P21U= zVB01gb~zJjz`ez3Z^Rf147+CwSvXn)9L1dE&0>^T(<(1;Zcp^R2Ft7lopWRpQriS| zHWONj|AW$YtQ0Ftdd?Y!MGGAfL+{F?gC_f?kj6^=dBa4>p7sx^8w|A6ZGKUG#Y@Qf zv}6=?oTqMKt;jTFH|V)TL}bq**pYccHe&1+x*lth(ZvkG21AqQ4UT;wvqoSLkfcM+ zLVCG|BJ&jqLyFR4`P50L&yQ;th7#VfjMCQtJA@n)L;JFrVX|aVMu}cDWCI3g78{mH zYj-BCJ;%Bn1l~1VLnMiz86^BgfpK!5sDK666`Q3{=HRk$nb%H0k;pGOx^GEUr zgeeqNk(M8YwgX!j%_fiY>f2pwvLZz>ySWEpY+5N)Y;#R)gy%UOg8M>V-&nolBhfnT z=B5XB?9u4-M<7i=u)>IFf^)IBA`5e6lcPIo7or7Yb+D&T{xmK58owIOKesd*Zx66G-2Q zy@Dfjb{xX75oJ70<@9k%G+&gy9^*AL4`^&n*9 z8oK%M+JK8GNx~h=xL#;HW<65ZOD!Bbh-fdaMI%txmr$H^8fjO;Ji#VLl0e$e5^8Zs z!;-^l*n&=l;hza6(73b>Ch}*uPU8w-*3NrmIGUKZlzPx%lnAE6Lnp^DANxsl1Y>4u za1v&3EQ}uEK+#EDjGq#7f>3N;^@7PS+N0`3A;u}U^ZGbyoTy8rrC5%gVroh6{EW$U z>MLcV?kDl6hu!BFk zd3K>hWa>wPro^9;RW@$TjC(E+ETKRcR7|bkzuTik#Fz;!&ob+{2 
z8`&bO+O(frqR-EF^FfI=NYpb;oHs($d|4^RV@=F@M#9;k&qURxa-$v!qD<-}pBBbV z?j9a?7^W|6o}6|4U>5r7z~8`eU$bWqj)S80frfrzbhpyTYkybR&Oub5tSM=g8f zL)4*f!p;kUkf~V>Q3Biroq`vUpK-kO+$K-Rtj=XniIS3&D%!2Uxrwu1YbPM+Cm4QT zT#KdtH70Z>32IZzrJF0P$yT}yDUUTPsGMW2MNZ~Ta)oA7xslt{k8zZCmx8s6!a-+L z#3oaijRuoP-F2qBc7V)V5o8BQ4#t{nl!ZvX6r{ezg*I+y$G9;i#ZV6V+~|gX!M#5;7=9cm*G$NcRAVtiM+%Gy#>hA4Gzvx)H{!=mXIa#& zs}%$vw44q*HWC$P=2>1`qCVDaUk6TnL6yQ;OR4(mQWBld)D|wRH6H^f9beQ$zVdd` zY_2yD?zLsnR)b7}feOZ1-xTyHc@6hbLvSL_6;ekEPKr1V{lX2L4J}0c^Y(IoNG|JZ zvYDSjJ=cb)u0qI6H~H~SrKs64>q1^8?#x!3CWA_=S!uAES*tpFES2RfuWe49kuPpb z@tIsmh4XhjG7#W+WGy_FOrBFcnMft!MCrR#nwRuF^R-V)B5TwvOr9%vP1Z1k9$Xz{ z)+N6?Obe4y;P46b571)N6sS*8kiz0$DlZgeC3CXr0(1Vu8GH>=X0YbEAX}#{H?1U# z^Ej=Fo?LAD!GeigpuLrY%)wV4c^ISi?|ikJWf>`5njg(#9R`)|kEoc>=1#3dQAe^^ zS~JZkpS)$rTLzbp7^n95@K}I9mlJcc=^1)>dYt?q)e!;Ld&V`2E2PpAMk@30r0WlfN8FU>n4M;`(h6i5yf#GtoDuMXQCDke#mTjuWLAA!UN{ID+_I zOdGsWzDWiN{ntN!3Fpdboao2&*+^mja^~_MKlZnu`S1U6KjHFHZhh__jH!Fp3Rrvd z=hIj(68NJEefWx79M(I^KmYZgV)rbn)5r7U=M&%U()-8$W1GT<{NtDR^003@_Ew+O zTS@(LR$_-vQ3#%b8Bxt}=?KNo&~^S$nzzGS-=E3PP`Y4gi_gblL<+$_y&Q+)<>g$R zUtg%-9rMexi*PvfWta7AsJmma{5k(zhm&|Xp1{?#^6icK{h~}Szc}J&uR;t@#fN>U z57h5fT>TUD@Kk;b&Bx1!u1U}%UmDv@iosFQ6U`mjIC12K^;kBV#Yw@*}Qq^xW>gdh_bMOtWV8X*$m_^7^nZ> zQMrDD%K`P-k~lVK(CuIUsjcn*`mg^Y&C7rFVj}l8hTljc{hR5<=)7Y>{`DXB052fP z3kU#Y;wEMO(-9CoD+=VW{q>*SYx?|{KBP}ifBPA@2LAfb|Nh^9`+uFj{TXin6yf{p zKXPc>FhCCJ?gjqdzot)*zXQtKKE|rB9rCGA3GdsY>7TD=e}KQ!@awS(1niGp3=E$M zA1+tH0)|7ne|$?1>B~b56oX0Nma=|OUen#vBS3k5i3A172wqTNhdw{So7p{vhmz$T z^4NR;JfyqBTW|n{OlQYGPhZCaybm}d03yQPC`{sb9b>D%K?@=mEywdKzLV!e1T^}n zzli|9HC(%0jOADa0Q=z$UdS$eecj^mcsidSz+&$9yA9VL?yv~v0pc0cBjMv8Y0htq z!rMmApB%`2_$vcvs~Lt>F?WfVIABYEmu3FjiadkCeh!YN5wcK;8B8r4sgPb6+?tQD zHDALo%PJt_4uSOuzeAcqrrqDOBi|j*eR%5#QAOc#cfWvbNFx~Mw(W4_?sv)M2?FpO z_6Jyi{ZslJ-axfh4Bu7L{&5)gQGA9@Wy_}F$vyowyj#8WblCHwRr>$`#cyvN{OEo7 zYgtwUN`!V=oxbB6d}EvsX@uAB598(}MQ{?XeQq_f`~KOt^38^L2)`HoLEKDIjEym7 zW36LtYLv3<*|&-537)q%xS#NZK7@ZYy+|+5annn`X;1iWVV-^gkSDh!FX1=JIwY6V 
zyG!@G@BtS<$+G-gj^N)?5|5ZJ+P#Lqzq}#f&VaunggAZ>MgsPni>BLcMfPpqr8ifUrPlo|NO3@=9^pg0Rqs+D66st&FEK_%1yZAr$t6FtJz>+%5ponJOLlE@i2!taxAgFH!90YBUqaFwW(&8qp;}gI)9R zJ6_lm*!ex?bKYXVG(SAo3>*CY7{%mazjF5Ngs<~gU5bn3l3*VAA&n4gdn35Ml-CHW(3>mMX`j~3 z`$8G(j~G0B2Cn~fg#!7llEj~ttiv9wN8ugEA-M=@FJH+|=$Sn3!$Yuj%7ni3E&RPT z;#(9k!f$^V*C6vTyaihW!WCF|5nRPJATX|rv=UAmC7GMr{x_fXAxf@(1&EvF48Jpv zz7_9@n-QU2a7=EYjGwhQq%Sd0NVcNTjX~yi819LWr||v-&Olmt{$*3{(zoze>B*oj zXs$&+4$!JT%-GHFPyK)iqWuG0sgKW?7mHBs%rYEcyzdjo)Jui3m!8F?(|dVQuw%nx z;+A1_uw3WaKRl)TCkT5Vp0OGn9EiwTftub7T~TATYpCtu|M~o8YQZ;&tMK)=Oh_hk z{!e{?@AmNSA-I9RJl`d+mh&=jjKiNJUkKBXcC&T31#kQC1Z9J)XpX`k(OU55 z=a(BlVTCyxWOI8P^YCs^o_4G+zm-}1&OhJ11$WSMmhrZATDw}orC+o2cm0L`M6*vH zgWn_T!CWnR_;?lxC9W%m>)EOE-`I65hlH=@Ixt{4FcDRX);i7Ue{>CgUk}-bH);rH zY^%UlFCi`|ufM0MRqe`rSi{|E`qOyfsO& zaDFD_%0u|q0|&TNI{&U2|C^VSK8L@T{Se&l2jW^?eF=YRYdEbL|F*aO z+uG{xDg0i*d5X8R$Re-xB~nng0>;f}#^5$G5D$K3TnPUd$@6Um_c02FLF1?}kKoez zhf#K>4}_`HzJCbsGq-S^iaaekcqe@;IK;cj2U{rq+|76RYwa6Ai-vqmbBAx7$?^H% zh2<+N>*$feAr4Q^9szkXGM^vgI6zM0u@|3@-zg1zll_O~h!AkDKyh)AUm`7q=0_Aw zs&)OX{?+%5J#nyn-{$+LN!dLkyC6NlqJ$@4{shG#!a?yvF%~WNG4dfR5ri-1dn33M z#~#wR2o`h&2G=9J;lXge*PFXd_S>PjZiw*pxfKY|NIk^pZ&|-7cj0r#>v!dbr}O$U ze#7B>+U&ZxV|e=w_F)&k^7xaBGeTNv{hrwFcwUdj<8Sa{B2ZX=fFeS$>%=eza2Jv6H~V`yy(hLP=s$K`w5EhMDo=aSByOJ z+9*6c!|z8M^EV{PHuWM#Pv&X6tLus(yrSSw!tn4Ci$4f=-Znd*e=NoJ-tDhgi09v6 zskXZ{rb+Awbh*{$GCV2z2Pbs9Y~3Bib~%x2yc1rg=qGmSb=!3QrKYf5BKuZc2`}!k z`V!yH(Vra7?P}1sb=a=hci)mR$USR8Z0bWeBei`oVHbhGymmism$JQG7U3nK*1w4j zL#=yxYx~Xc3rae_AYr`Q&auDk$X{?>9)7_!v0c4&k}3_a)V3Z(49e+hk9zy-D!g#g zYO>U39^9m&wYl@OVSe?q%vMDM0nZXpS+6gir)8-fBTDb|FFFa6G10*Js;&)6b-h#Ixk$1U*Oqq znIXP|h|rb0@?~t;nsZ-<2pzdUs4H&oQ^wGcS)Zs5KXYUCLTp#|pL%n@fy=qut|eny zU){7lX1u_EMGfZ{Sjz~KG^^jmFQ94dB4|3TP8a_Q3-PddD`O00kM-wb^P1XrRG7&s zY)@x>+&(|Jao^l%pf=CU?ZQu@_`x##2HWr(7Gk@5dm8<3$U?cZn>PzECM&UBY47e= zhnIf-0SDt3#1|WDV_XtKzal&LJA%&blBM?|!iG73n}7cc&c<##LdbMSY?rg0oQ_}7 zlCmvLX}m$hYoV_{pWEe2C;M`{aOb`d82wT$fx-`gd}CI@3XFXqmD{{{S< 
z?Jli9`1e}}y^a#Hbw>uKAU3_XE)mA&Cu6(B_5EP{f?~@4H+0Tz$Zefm-oHULXJcaN zDCP7kq=bKg53yy^`d(q%mYZ@Zcm9U+xncZ$e;dD|n6jM);Iz~D7aY(CbJBhg^ljX* zG$tdqu01l4OkNpc;*tWD1*XT3C^v%_~ay!ZMY0J{q3jup_yWG?tVx_-e zc*=GSWYf;6U$8GX?WDW39LL-bAA|TZxzZjJ4FL=~HR01`s*)m8pI*zc!?C#G5eS*r zJa4>)uIX`uj!N*9JC-{xD!P$qy~$&D3V~f zLOU&F!M+y8@Qx4;X#^D)UkKBI#1ZP@eVrJ~Dj};>^-MR)?|kkeNE>VRb>>yIupDkS z;6=DJ{KoLYa5vi#BxKQ6rXA}`<~1T3F46GpfPz_u^UF1BQ?~!|bZH{21_CKmRevOz zRwu)C!YZ5yOagj-N*ygb0{OH6FiEA3UbpEXMxVSN0(>V=Xt=^#?}8r_b}~tko60un zNeYk2?t2#lgl9zqnA9lC`o2rqpcdRMJTXrw=o#F00S?}(p6lDG@tE;`wd@aXF$R4i zBsuVfdC0f%=1+$RMMA(Ja)^kMyfBTFiL-59IfO%m+R%D5*YFjMY#cNh%Ny{6%Hds< zqV404$?r59ja4E`a4O0qwQ+s1u(j?n2)h)URsb?6p(dCB2x{N51I zygojnS&Og?-P>EQ7Vg`deUC7KvzVCDMceLNvfz0pZwU9?PWWMJ-XP$Ddv(;=sIP+B z4L6&)4_~b+x^8I!F1P9-!o;lc>BM(`drMy*qhv3Nu1{^Qq~y6Jzy2)&j^;5q3f10vhC*cRLRILVFnA4b3|3;f6=(M0-Fx0^l@FSCn8WFq zZny<+A7Zk>B%B$W>@L=votF0wI=#4eg5PpMQC^JvZ$|m_=&HoX5)Qxn2H17Be(=t5 zM<8nOfjQF@ri@zM(4)V~6PD_=(#t5`Dm#eCwc{r)M& zjH)sdCopU)5@Ju7SPp(um3b<~ml*uY=8rL`fUpg)I_S!C3p?WG%07Y%8QiD-2@s64 z!uNZWqGZ<~Sn0|WNBAzJQdCxRUV}x4>uve0JiMjh8~ovTaFb@)8QzN(xlge$MvicV z(X+FXoG;w6cgwXcj(Z|~AHGelY(?HI0GJ-w@VbM5pl6k43)XWIcZQcd@WgPppy4Z( zu805|;!-j8%NmBS4X%N4JEq~Sh32BFt$zyl=^1mV!A)nyTK0Lql#Q2zk|@amz|ew; z5Xxr>!XFKf$6vV};TaX44@V>Y6yck9{3u$#U~vB!L7S)INX+cpvu{FX7oL4~$FNii zAE{QsGjmnTjN#_x<;63}65JY9t;$%N3oE|3q+PlD4e=cOsvcnoSq#Q%!4@{=)i{UW zl;!~w0X}}*^v({yFZ^+gk=HJQO7BV#uW@cED`Wz3XaP}R!^gaYUphI4D5*m;vQ_-h zOj$h<-q0Y5g*fn9Rd@+*Icg>wrJCi+~mZzk|UaAieAD7@FaZI$JoQ6?DYxA13CybqX@ z^0}&Iribn8SB7IENFQB!6_8K z@FTozujnwb?@Xy(u04%DMR>nTbVZgN!L?M$iDhZW3&9fnKfTihyYQq(e7-#xQll(+Ej?Zxu)<5QzFYp;<3mzIE16;4F$J)!h3;coIAw9Sb>G10_92X>7CaKNv0~%UZm}S|Xks%#^?waS*U0f30 z7jBtm5JF1RvZXZHv;Z62l&rupDN9Eft+WEj%{dP53$;l1yqkrz`}8^+5uD_fS1dm# zp-otDkATMMPZ2zfo#x^3iISh#GDXWdk>RsOtuU~wn{0uhc+*{oAba2m;g(Abe-HaE z!ohKvV~EG#ZcOts?TR$Za;GvhG#>8bE_{Z}K~a_^eN!bxn;LN8Y{K#!6C)&z^xowi z{u%&KwjR1Ht%r6HOQJ2;7ZpCt!OnL_PkK)IkeuK@l0Ce*gm)P)777AaRFC10(7!-+ 
z(Jcrci?yl}GHsY;n9~zpLP+5oBK=WJ`xL^bSVtTtuSI4oU*NP|8QHrSEux)Ix7W1u zEqu>-$MU9AgS4(Q)C}NPW)&+zOk{HNv8t&3zw{)xXOWaZH&Hxcp*@4onGM_%L8r{HGSmF+JsBv=>2HOicM zzoyqnfHG#ly_FoE$FWrHnF-oOh~P&+?b)D9v$RK|RO~$wOf+I*VK67w=dH4}S2s+A ze&aPTCTZGzcp}i+1##~seD7e#bRWhe#;z=C-ukLU-YfIrre-IP7 znFt}aH;fwxd>6bn-JKI7EQf!z@LTEU`D+QrLxeuql_;(vhM{4|#MGiEPseRrhL>-Y zd@z>jG!qNoe#~!g^ZZGmz6*XZB|p`w_l|-h%%lVaCY7SJ9KH4FClsthXa+X$I z#n^dBi?fhbCUoIfJK4n;`S35HP2!c;IA>2QWplP$@ggTRjo^;L4DW#cvH+wjf4fdGyYu9226trdeOWlT0pyzD>5 zEQKGFsCq8*!X#zp$pE-Diihv4Q)Vzj$2}&|P6~?QC4N`HxTh?`6R`bZ+~`bOzLHxz zM}#E0I;&b)-kO$~Bd?hE*r4!C=N~|EiT$VGDeaX=?)@Dv!HrrE_jSQ5&W!OW#2>>$5c@*C)xE;K`$PNUogb@TrH@E85 z!Z3a}P56e=zCIg~n-gnWRxjrSoHH1neb)=iWHpF2#LbSpG!ekqF&~Z=ljVSGqt+mW1`fkM^)X;6%ajwT0DKuDf&} zJQ~ov6-Kp#6$(OF>C;l;h*seVvzqq`eSO#?Of0(9Xv~9`W;H)Cq`{V&e+*paXS&^Q z+Sw7_bJHlmh+|oO#xy-dSq?7*le;y14}-?Y%g^HpUkTMmomyT=hT-~RtmkY+cwXd+ zaj?^PFZgye2d8n^a*g_~E5^BuEvdoH#lOIV6qoR1s6PP}18d=><;{9%;oJHFnjLhe zR$#d%lf#!J4a<{~^8%+a=uXltsF`4*cg)en3e57f3jw6Ryr!pTo2-v3KOCE+-NYqWULA1rPLv)D1 zsJ=q*mEV61fA>I~uQUYuy=q(7m@bFpV!Ef?!*d;ehUg}u7JdS~X_ZYx$CkP42;eRJ zS;hmr#yN|@dNp0vw?mh?4k^{8j2^-3CaZvt7y*Yu^-CG$)zBm++Uuj}YBwEk$s#m4%0Qp3P-Q5{eL?szDaxW?2yHzBG%5C$@V+ zxa6wgg@oT4{W@y>{S=26g23_Pg0G&b|qa9-_5Z9_i z1P^VT8M9{C*(Grkp8M*s?2$m2I%k?`Eqt1Vp5jdCxRgPQLRCqn7J7yz!VKZZU0#s1 zTq2JnZ-)gk?lj35ey+_04Lr)S#cq{bIW2siafD&mk$2596Zo1riBL&f0py(!X?8YzwO1333C@9-~c=&`ZKmpMLd>)AyJhu5LG`P31@;A3U% zQ240tJx7teF(+2}P&po=@RJrFKAlt_{>b_~{z|HeP$|GR)pa@y7d-pd2>NT5HQZrv zBp+WtU`rVHevSx%w`Inj-Fxw4I)(2jv00PD4YzE!CwboR4v6KtGdKvS^&4iokFX_t zAzZ18+ab7-N+UopcAv7mb7^kF2FES7S=ZG(ci@5J*&%bYm7!d4nslWB=@rKvOwe=tiu3zYy#&vFP z_;B8;wh>&W=yMmmS4N-*?$^@g7JOg2s6frW~wg50Gdxd`d(4;I=gG~#qP96-^3%Tkkc=)vn$Sph$KV@?0 z3v58Bg}2N~b2Gyz5 zHv@<{>)`L@XmFyLRjT#qjB$OK!M(i`&(e~0qCL9={xV}~7lFMEAh5|TdGFJ#Uf}xO zh-2ZkU{73pilO`P7XAu;k(@Y&$SWH8H$iYKpM!*FZ8#ZJy$%Ik%GtP7zh1}Xf4M-38_Yn>USZ&@UKCf;EwGM;O*klXuXPGxv* zfIpClv{Hm?ZkmT^tKtvmCUh4*MEDboXFE^?|HHv3*#7aw(-n*0 
ziz0@~P3jTSf?dh2#Ks0nnB?AV8a#k>a2or5E{u<+T?|fwH-xDjd5rU7I#!9Li9weU z)Nu@|4}dY55J8mqg1|9UnAg1zzFABV3%XLb7Wqgw{|yC2lDtLE;rlxO0O2{WVi%sn z)&~+ZloHxE{__Tq?W{kHga^Mh&*+%n5vSLklmg zc5Q(yF*Vb?5VF*4*#SZyEIg+;9L9^~iR2s&g~*UvLbwLEGFXI^)fB>_;N(RvCeodJ zgRxK^zBR50`V{H#Trdc#_4(e*5@}CZRcTR}v$4Eeh-5AV zoA6TQS0p%N%wzz^CkNqLYQpziIV>l``rdn#Sa^cu1%%~N!n64DYFrzx!w>9rP|mD{ zzhvR*H%xn3qQp2E#G6h=2>$CG{%TvnLd{yf|hiV}|Ff>z$&X$-A^t zS|F8;+}bXYbcplvxMhAv?3yBvWBW28nap`=Xc4H(fbcjFT2nN-dN0Wi^{J>%oYYUUqM81j&a;i*ZaFfhk3RBIG+!5}C&P`|t|bS2TV0 z`AOzJ{usX)CGJNUzUF>P>V1oIbXTCcNp8j3vEMj;iwh>k3kx#v^%|oQMc~|FjT%HyBS`W|Z>o34_b7I5KLtYPNQsRry>V|NJ zBCL%fR?#9zR{B#u(G^IyMdvq}^{`Cs9i2<60C zy%OMzL!QJ^chR*!F#L#=l|XLy@BSf*6)jQ0=)_QItM$+uaM^%3FUKFqEyur)J zMOqBaWWn7gHQd^kFOTV*6fEK(;#?+f?qjdH(#v%b!O9(I}QGO^$h($QHzDG-`%i2_Lm{%qhkZw(x;)D~88m=Cq0xs~8lw zC@W6Zr?sa=2I57pD7@637l2!nWdy}0c>ZX#O9l>*l8GDaFi!LP!j6u#@EFdvkJLT* zFQ8quX5+M%{2O35N>>~|5~1aArc}L(c)1AUC}4EpBe^t6nl1EIKaGj5 zNPAr8HIw!tGGtUcSa@?@I*Q1_iDHa9Q83fD?Cdii>MFIrH36IjWBQP*=N2VS?9MgQ zosu3gv+Fo{#dQk@RzvaZe;f1+WHauKSc8Sg^BbVc|vvi=~Z<=6c~l;fhx zlIx*Q#8Ot^PNNP#j&TYE2bg&d6^~RDRI(M4f9PBl9@9I}XXCIi_$^lWUft zO4>=-Iva{YEX{Gf+xR$H%zkjBlAeiTNo4n~W4|?$Ta_)2O27&v6Tz!ELUJF>yT|c< z4M%xD{zxW=J5H0MKa{CROq9c|!Er8}^XxU7ZXc_s&lksCbtFm%?!6p0#%UDSK(jBU zA@21iU`6p5HP4ki@>b>8N#~n7i(}I?+=iAX7qy9V3(7qkgI5&5BG88HjSu|7bj@hw~Nt;BhX?*+i1m#gnM_XMY`7j3H(OSS>x%6fdPrLB&y(_ zsym;Syr5gMD8c}32L!IzbJcP)lFs~6{*lh?3Mf}jUYy#)DkRtRM4V*v4T@)vSe$F$ z6U84bSy4gYI4?k5j4Oj`bC)Tx%oJ0fPb}A<5ZkDhw6fBmGI}7vyZjAwbi^y3sDJMv2L-; z{yM2VPPXx9crGo>aXegGrG*A>rt4Mm&U&^uk?u}ih~v%xphcax>-g?n9I_2+GO+Fd zkDx%@5BW=+!!(#$XlIqvn#z$+1pnhu)SM4>?_%>LbwDr@B?R~hnrAl@C(4=r+2UZv zJkE{27SEOY^7va`)+J{gr&(t$o{1t{6u;cUP1#7!bUkD~`LKPYNq<%_*)eq%HB(?n zJl7;bNZfwO-?#9A&`0D}`UeWfzMzX4Q%7WxfAM@1a$nu78D;$JR3i~g^ZQ^(Md*rMJ-D~yEb8C`*sn2FIt1G-Z$QiB?Q~R{EjCX2q z7yN5bnx$}yNQ=ChGH;WI9sG+`xgViq{~BSd{v6eP?*_kReh%uU;}Jeb@&#MjClib% zuMj;qN7f4Phn4>8kKfYVohGobgZb-kpNDWCCr!vbGsf0h4OQJUi{{v=ex`==l2ms{coaX=l 
From 5b8be0e87dc55c14e4f17dd9801c9dded5c79a8d Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Tue, 26 May 2026 07:58:31 -0600 Subject: [PATCH 17/21] scanner: include FrontingSNIs.ArbitrarySNIs in SNIsForProvider MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The daily upstream pipeline regenerates the Masquerades list from a fresh CDN-IP scan; manual additions to Masquerades are wiped on the next refresh. FrontingSNIs..ArbitrarySNIs is the durable home — copied verbatim from provider_map.yaml into each daily fronted.yaml.gz — and is where curated cover names (e.g. the new IR-validated SNIs in akamai.frontingsnis.ir) belong. SNIsForProvider now returns the union of: - FrontingSNIs across all groups where UseArbitrarySNIs is true - Masquerade.Domain fields (existing behavior; preserves CloudFront's per-masquerade-domain SNI strategy) The cn group has UseArbitrarySNIs=false and is correctly excluded; new test asserts this and the union semantics. Also flips the refresh-fronted-config workflow + kindling configURL to getlantern/domainfront (getlantern/fronted is the deprecated Go module). Embedded fronted.yaml.gz resynced from domainfront@main with the IR-targeted SNIs inlined into akamai.frontingsnis.ir (mirrors lantern-cloud PR; will reconcile once the upstream pipeline pushes the same change). --- .github/workflows/refresh-fronted-config.yml | 9 ++-- fronted/scanner/candidates.go | 23 ++++++++-- fronted/scanner/scanner_test.go | 42 +++++++++++++++++++ kindling/fronted/fronted.yaml.gz | Bin 67185 -> 67116 bytes 4 files changed, 66 insertions(+), 8 deletions(-) diff --git a/.github/workflows/refresh-fronted-config.yml b/.github/workflows/refresh-fronted-config.yml index ac1d1ed1..283d7f21 100644 --- a/.github/workflows/refresh-fronted-config.yml +++ b/.github/workflows/refresh-fronted-config.yml 
@@ -2,8 +2,9 @@ name: Refresh embedded fronted.yaml.gz # kindling/fronted/fronted.yaml.gz is the last-resort fallback config used # when both the live fetch and on-disk cache miss. The canonical copy lives -# in getlantern/fronted and is updated daily by an external pipeline. Mirror -# that here so a fresh install bootstrap doesn't fall back to a stale copy. +# in getlantern/domainfront (getlantern/fronted is deprecated) and is +# updated daily by an external pipeline. Mirror that here so a fresh +# install bootstrap doesn't fall back to a stale copy. on: schedule: @@ -32,7 +33,7 @@ jobs: run: | curl -fsSL \ -o kindling/fronted/fronted.yaml.gz.new \ - https://raw.githubusercontent.com/getlantern/fronted/refs/heads/main/fronted.yaml.gz + https://raw.githubusercontent.com/getlantern/domainfront/refs/heads/main/fronted.yaml.gz gzip -t kindling/fronted/fronted.yaml.gz.new test -s kindling/fronted/fronted.yaml.gz.new @@ -59,7 +60,7 @@ jobs: title: "fronted: refresh embedded fronted.yaml.gz" body: | Automated daily refresh of `kindling/fronted/fronted.yaml.gz` - from `getlantern/fronted@main`. Safe to merge once CI passes. + from `getlantern/domainfront@main`. Safe to merge once CI passes. branch: chore/refresh-fronted-config delete-branch: true author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>" diff --git a/fronted/scanner/candidates.go b/fronted/scanner/candidates.go index 4a219bbf..687fad3c 100644 --- a/fronted/scanner/candidates.go +++ b/fronted/scanner/candidates.go 
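Review bot: The download step in the second hunk of refresh-fronted-config.yml now trusts a different upstream, and the only checks visible after `curl` are `gzip -t` and `test -s`, which prove the file is a non-empty gzip stream and nothing about its contents. Because this file is the last-resort fallback config and is fetched from the mutable `refs/heads/main`, I would parse the decompressed YAML with the same loader the client uses before the PR is opened, and have the PR body record the upstream commit that was fetched so a reviewer can diff against a fixed revision. The sentence `Safe to merge once CI passes.` in the third hunk should be reworded unless CI is known to validate the config contents, for example `Review the provider/SNI diff before merging.` Per the commit description the embedded file in this commit carries SNIs that are not yet upstream, so the next scheduled run would presumably propose reverting them. Steps between the hunks are not visible, so a validation step may already exist there.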
@@ -72,10 +72,13 @@ func innerHostFromTestURL(testURL string) (string, error) { return u.Hostname(), nil } -// SNIsForProvider returns the distinct, non-empty masquerade domains for -// the named provider in cfg. Used as the outer-SNI pool for -// CloudFrontCandidates (and an equivalent Akamai discovery flow when -// regex-generated hostnames aren't desired). +// SNIsForProvider returns the distinct, non-empty outer-SNI candidates +// for the named provider in cfg. +// +// Both FrontingSNIs.ArbitrarySNIs and Masquerade.Domain are included: +// FrontingSNIs entries are manually curated and survive the scanner's +// daily Masquerade rebuild, so they must be probed alongside the +// rebuilt Masquerade pool. func SNIsForProvider(cfg *domainfront.Config, provider string) []string { if cfg == nil { return nil @@ -86,6 +89,18 @@ func SNIsForProvider(cfg *domainfront.Config, provider string) []string { } seen := make(map[string]bool, len(p.Masquerades)) var out []string + for _, sniCfg := range p.FrontingSNIs { + if sniCfg == nil || !sniCfg.UseArbitrarySNIs { + continue + } + for _, s := range sniCfg.ArbitrarySNIs { + if s == "" || seen[s] { + continue + } + seen[s] = true + out = append(out, s) + } + } for _, m := range p.Masquerades { if m == nil || m.Domain == "" { continue diff --git a/fronted/scanner/scanner_test.go b/fronted/scanner/scanner_test.go index f7ce1b8b..885cb896 100644 --- a/fronted/scanner/scanner_test.go +++ b/fronted/scanner/scanner_test.go 
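Review bot: The new doc comment on `SNIsForProvider` (candidates.go, first hunk) omits the two rules that the code in the next hunk applies: only groups with `UseArbitrarySNIs` set contribute, and the group key is ignored, so every enabled group's names are returned together. I would add `// Only groups with UseArbitrarySNIs set contribute; group keys (e.g. "ir") are ignored, so the result is the union across groups.` A caller reading the current comment could assume that a disabled group such as the test's `cn` entry is included, or that the result is scoped to one region.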
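Review bot: `for _, sniCfg := range p.FrontingSNIs` in the second candidates.go hunk ranges over a map (the test builds it as `map[string]*domainfront.SNIConfig`), so the order of the returned slice changes from call to call. If any caller caps, indexes or seeds sampling from this slice, which curated SNIs get probed becomes non-reproducible; iterating the group keys in sorted order fixes that, and needs `sort` in the import block if it is not there already. The `seen` map is still sized from `len(p.Masquerades)` only, which is harmless but no longer matches what it holds. The function starts in the previous hunk and continues past the end of this one.

```go
groups := make([]string, 0, len(p.FrontingSNIs))
for g := range p.FrontingSNIs {
	groups = append(groups, g)
}
sort.Strings(groups)
for _, g := range groups {
	sniCfg := p.FrontingSNIs[g]
	// … unchanged: UseArbitrarySNIs gate and de-duplicating append of ArbitrarySNIs …
}
```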
@@ -233,6 +233,48 @@ func TestSNIsForProvider_MissingProvider(t *testing.T) { } } +func TestSNIsForProvider_ReadsFrontingSNIs(t *testing.T) { + cfg := &domainfront.Config{ + Providers: map[string]*domainfront.Provider{ + "akamai": { + FrontingSNIs: map[string]*domainfront.SNIConfig{ + "default": { + UseArbitrarySNIs: true, + ArbitrarySNIs: []string{"crunchbase.com", "brightspace.com"}, + }, + "ir": { + UseArbitrarySNIs: true, + ArbitrarySNIs: []string{"snapp.ir", "pypi.org"}, + }, + "cn": { + UseArbitrarySNIs: false, + ArbitrarySNIs: []string{"01ny.cn"}, + }, + }, + Masquerades: []*domainfront.Masquerade{ + {Domain: "a248.e.akamai.net", IpAddress: "23.x.x.x"}, + }, + }, + }, + } + got := SNIsForProvider(cfg, "akamai") + want := map[string]bool{ + "crunchbase.com": true, + "brightspace.com": true, + "snapp.ir": true, + "pypi.org": true, + "a248.e.akamai.net": true, + } + if len(got) != len(want) { + t.Fatalf("got %d SNIs, want %d (%v)", len(got), len(want), got) + } + for _, s := range got { + if !want[s] { + t.Errorf("unexpected SNI %q (cn group with use_arbitrary=false should be excluded)", s) + } + } +} + // --- helpers --- func newTLSEchoServer(t *testing.T, dnsName string, status int) (*httptest.Server, *x509.CertPool) { 
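Review bot: `TestSNIsForProvider_ReadsFrontingSNIs` (scanner_test.go) never exercises the de-duplication or the nil guard that the new loop adds, because every name in the fixture is unique and every group is non-nil. I would repeat one name across two sources, for example add `"a248.e.akamai.net"` to the `default` group's `ArbitrarySNIs`, and add a `"nil-group": nil` entry, keeping `want` unchanged so the length check catches a regression. The failure message on an unexpected SNI always blames the `cn` group; `t.Errorf("unexpected SNI %q", s)` would be accurate for any stray value.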
diff --git a/kindling/fronted/fronted.yaml.gz b/kindling/fronted/fronted.yaml.gz index dd02c1e4e7ba97289ba520429d3d15623a9adc20..057098a326c54f2f78267b3bcb8b3d6c6df1991d 100644 GIT binary patch literal 67116 zcmV(_K-9k`v%iMbBY*v6@;Lqbum7+4|EWLH|8stIbNBSu#ntQk-SyqY z+51)Xulr{n@9r*N-Y+iBL|~ugcjssJ-TQe^tjcL{>YmBzWOF_d-uJ+Fe;b8+_H=H0 zYsV8e%Y1Nt_L5xh7dpETeTy!;$G zJXmIruU>wgSI=EuZO_k*pVzbfLdIxfe+0{ob#Z?A@^-d;JfD1CzF!R=FF%SW_bh+B zRR6t}>fatGkLu5#%Kg9P&+k{?4xe`BRc}6b9xs0Uc-&r=dizg5&d=ogxp$rZ`iwS) zd-ePA+^n8cuX@?-@b3D4bJ)@N#eNxF*^m01-tO|tmtXe}^7oyyF`v#}uFlV2&Ms~H z>igNH`u#;-sQ>%??A!gszP)|mPoM67A(Jg{?d$Ww>gW8|aN>-X_r6>XZRgi_f8d;5 zZQ`@L)JdQ1mvQu*tlwXrVtKxiW8>}7zP&DgKkgS=KF{v%7Uq{(xf-Ug;pFY7$j2$4 zTCQ#V`aSbb<=rUaKOTN$uh)}RxJ=KDnf0_bgYskg?R1^*7rMJXyD@I#7yH{o@P(Zw zuiN1J$EAHcet5Wj{^3rt^k?+t!wDbnjm*DwxG@Rb5A!T{0_ME_WQSY(@tnE&^mh98 zRGtpFoqzirq}J`(a5%BO<#c}a^XF`CPR!4Rdw=ur&AI#%o7Os64;InFyA;F2tu4pb z=4TL|&Z3Wtq7)CYe>O3eoB6k&cgEH<`H$!8@#JQ8cR4L?@0Pz#UoOs16%Ak6SNWIc z;w9KGQxP4ii zpRE?^`W`P1l>O^he*04W(ewHFudD03mtW=G$6)>~fAsHPvWx4$+|KV_-felOsr}+@ zee-r_j4u^wT;v~ThlM7Jzg{kWEnJJe{JwB*k{_dwH`{&^kI!-TOJ=ip;y+C9qRaEs zo73ELKe9pbaPzs0jV%u^@AeCQOus)~T)1v<@%jC3_C6hp+xOMo$9?=UW7d0oaWPuo z^V{E7uUp4A?uO^Co1O;AW{@)LWte{?`-Psq*q3j!arBFwT^O6sV)6L1nE%Me#m926Ik1R4%~mh>Khnn^?~9l8`|Yc< zaAV8+{&su8MxQ?>rgdGsl&?d>w|?jLy?Gy;MP>2$`&!QKUS^*k`-P^D$=#RY@%814 zbNTRjFC_D=PuuI&G^5Q zy%*n0B{R&QJK6hk{^Q5b&G&mAU49Jn*~|AKORr7$?BU$DmE3iozblb>Rw|LEMD2c| zf04OA9?u_lGWYTI#t+%YlW&GE_S?^?dn9|mDcL)=#%8u(=(m3OXZ3LQYqU%s-_G(| zdnc%^EB4chUPeC(C7W-Jo2B^mGvCST+sE>Z?-#nx2V3@J#J$LYuS=fkZnbN4iVH077OFLH2~D+>8uNwe3- zTAIBp<*cOL|VVUjA~WY0h!ato=f@2%KD9+b6I71etQouFYMscJbk-+lEvNq zd=rSf;fup8_sj1|F%H=K<>~EX@)CR>|19D!L3(yLWcHzF$Wo`FuV5HlF-=eqhrd>0-Z7Qkb9r2ibn~Uz%L5 ztJpqdd$vC-&lk>mL?UGT^^q{Ud8~u>BvfexWYs{O-ukJ=i7H4P0HHojoggusG8XUf2)n|GqlQ z%GJ};({|1lLBZ}X(zo#Q^fi{wg)N?zul`4|$_~nVbo!hv-1WWpzMW0i$<0l$`5s@4 z<)`g=uiqjOg!7+r=6so4zYg!tekLE^xcO@vC67-fyWIu{CL3<&{M1_6#q{m+X*N%8 z2T#xA&m~|WUDa+*7_vQDy5AWA<#9#Ictw&ck;oWJG 
zWx-(f`>tT~&+^9?$GTaJ9&cIpFV#p#~;7)@Xa?rR(B6p`T6`d*#1_^ta$u*y7_)<2Vbsdx51qm zFYPZMhaGM1p8bpDHGKH~ySzSsS-ytGrL%pzzk7duiu2|5<-_lLX{_hrwD zdH8Vuy1DcmcUIn7v%vgyxV2yY^84e@Z*Spgv`Lfrdif>)96u?+cK81L>pFaqFYdzo z5kB$aZgVQWCpTA*PY-X|-Boe5O*fN+?Z&T1BkN1>5^ru_&&18D{5`n8j+t>b`1tw$ zbGh(BD|JrqlYDsl;EsNOo2O`uOt5AD*21xhv9` z`R-(>48YamyPtpDp5MN_UVq+v%+K7}&?~t`rKU2 z?j927`_;wykKyU#$1DG|U%$Vvo#{v6etas5hw0nWyMJZx2kRmFCX^@| z7^@!-E7$ig#odh;3gd?{8(Wv=uknfx)Y)!)Yq%WE-QsC`Jyib1x8J{mS^4z7@(*Gp z{`G(VZ%O@H*uM!o{4WLlr?&4rz7zD{&d;j8G&+Iw7Dum#tFF!_C z=Fe2zemhtSulD`rcK+}XzPzsPACv6u%e8HLhV!vb9_!9pv;HJl|Ri%d9d$ZUMBW)axsWzw^8DKdHLqv+ls-zWiM}U z?8fzQe^D|gT*Mz|Ki;0ME*^hg{oXJ18H>;PY&cFwZ;Z#wRsQ;Y z6O6viFMpQyj~nmj`sF(_vf$DiUyrsyaBVy0A3pegp-a2+tH0OIxDwsA+Wy(1lFwJQ ze7=4>tK|2;_~57c+xUyzFZ9j(@M3TH@+Ej?VmTM%*KF~hoblQRKmYdfv^o2Dh`$tP zT>c{nr6BG?4hw_tX5G0LK|_6duou=9 zAG>xunkGj6c;GeHeVo3U&(G6u{-^N}FRmgZ`B?l)rx&kD_WRZSvQ#W`WBvRtpC@Jc z;p7Wno+fja`_Jq0{^DW3&}?;Xy~^Up_%r(Ta4t8u*8J)0(mHp)46h8!dVjdLzAQ%O z)vfdSDIzu)ET@n6v)9L)@l$DSUJhn&VBW2`J$Jvoi1fnAlhd+@f4oe-d!LihZ1ME@ zX3U*$Vz~Hqx4C@zarJ&T9X~J2``ACbkpVXkVS~r*V)k5ozB%6I^K(($@JHYIwtbt; z)AWb2{Bkw7Kkna+fgIg_dmfDLUw*&NV=v;Dk5*8oW^}L@e_k$E|3E%RvD^rY$4xMl zc`RV!?*r@0BxSx}2~Q6HSUnhtuj(gTg!YNeQ^CTN2PZPN|Ni4AD`6+~ntwj^uWS8> zHU8P(8mq6Xm|K?MCk~ILm$4{1QR?RJzjpup&z6y~#ZG+vV;r6c`FHa#|LBiR8Loug zb{zlm>;GWI|Gd&aTfthLG{5MN31!H)B1w6e9{%}{=WQzB6{?WT^kvf_2RgsdF znW>QB*O>cU(acwtBs~2(;*a|KT6KP8u#Z)8wT7>@4B2+HCd4YQ5&? 
zumAq@KUzIzdE3hBr~mC$dE^U|eT_$d@YvBm|BseQIEzi^KQ7h$bhO;zsXx|IpRf_8 z5)aZ&^nXvbMftz8OyZx|Qrf;E-;nu5D$E^m|Led0qfg8ti=|vYuzO*}i_JfGE|Kyi z&0_!WznnCUlD|(+SFye)>uZE$&#C_PpvzdY&UnnMf0g-P|FWd|+fa$;(PVMLcWZ?_ z{o^^s5)rekm?z2Ke~rc`llh5yd^8^X%Tq}x{{HKK{jY!d*A0)ws?dt3_7}p;_y7BC z3>TA=;dF2^S)R;BJ=n)^IyqU42{)qdWu*Q)9-qvJcQF{8j8BGR;=`zkbU5k*aVR1k zP8NMQkNKRML=~&dMv6SBH!@V4SWHi-_fcQVVnTfy>c3-kBC{zyeascZP;#x>#&miz z9V(tBmK~#N8*|D#(c4gaSSZm!sqUB4li^@^GSb{a%&@bQnNn{peLUQUm#DAH5LjTAY%e$3e@D21|NTHrE~$v8mqJ z$YaXmQ2biS4)y;~O7?@g9gc>S)S(VS33lZ)(0VSFhEcZqQXR;gTCnSj8PNLq2ivqC zJUgc((!GT|8W6irVqro2sWBk9Buu`1x9EV1EK z(MT_p%Yr!mGgsWAnYJGij5f}294{qRatHsO_+Dn(ogEQNQq3&dDxI8A=bjdG<)z|eMq~Y45q$u&F?1HtV@wlU^iaB+h zqb^V*mK?+7@?<iu+(9eMwZWd5m_M3WgL}JP!h+XM`1``MA4LP&U%pu zrDl~ztIVhaElt#%yfCimE20j6)k$*Nl7WK&Bi1WB%cmdy61lFg{U!1Q)2_;AKzts} zwU7tScY2oE_R%U%XWV+xxk6max~Ed=-1Lq}NoClP6-HV#SzpU&tj~j5c+|Pj;ecA< zHUBP~m9bkwIo?Nm30G5I!j z;DXdSxVkZu+5l^E8$Chk7*425ZgvJKb(W>pZzF2&tuCSLN2&2}NezI|#Gh#EzxPp6 z(qQcouaF9lV#7w)3mG+~glemB5sKcAO#xu5jvv>t^eOd7x~6uJx?Nyr50VDO{(uJ#dc-`%~CI+O=?p@vjxqCmaqdFlx+)sPma z>v*OVacr&`K|-3yKi2rv2J*fZyB8|17l!G882tL!Kqj`scGN-Lx3Jp>ZH2{7s8g4D zG!a7DG{;e`EwwCd>>p~Bzg@(%2XSmYJDR*1e_!1|U5wo*7wW9ft|pxHI1YW^r0M)) z@G$BiP}8bNt>c>ZbMn#iyUv9kAd?TKv=IJB_?*-c!d*a}w3XvvnNq_~?@$5y5g_c# zC|qL0v_ZY;i5*7n;%k=G%4JGj^->4ZX=D2PfLK2U!OF4`jJc z@XV-V=et^)8L{}SF1MlBF&c)LWr09XRTipmy(@x_oNQ(g;%8UF`dcdIF|P4RW(9Z=szudN_|MHS}TA z!`lLapz^rO;+rjwJ{2Mt0+pNvoZY+E+;HI*z9F^}~T9kJj!a`jk41UMqak z1nnQueDYve9XO_r4c3a58pC844eLv5Ku=saS|xXwT1c&1nvTRCBqXbLW@-qNW~k+e zx}IS-F`0VgY2B1a9URTXVcK z(nr*Jg+|8>N&5kheK_h!Lmlv-9&z62TJoCX{Rj~1cvyp$+Jo-1IdxI#v8p9kE=@R{ zdU|24^NERc7sI9V(TKPf9x)(t@?4 zrV?WFv}#qP?w8yd>vQV(ToYEOE+TAn3oYQ_Q5QUQyY3XXcV)6OuZK90Huhup)jyC(aRuI-0jA;)T{!!Fd0 zWG^OO>=AW)0pmZS9j3I0xTB7BG}B?oaeeDJ7%goan!bq>U=49lw|qC|=(0C?Nm9Is zqqbgZaFzOA7SulEzEHmhz2^h!{+hidNFBc3p+SBM0ViT-syjqfiK_1VY?*-T&X>HgcV?OIgN#~3@*3x8o`Y=#H*D>@29f7=paaYMe zOr=d%9(ngf9ekozEW7ffe%R-gLfpo=-asx0z~5K7p(W 
z|IDfHqzV5}PYi5e2}ab##(RA~Al^u=X=y>3_C*BbZ5z#S^S;d2>`6Nf^)$!kILP%% z4e&zED@{olIhO=v}xBEQRBMo?2SGoBZt)E1ok-% zayYqtu?@9H-EU zxh5M&J?p%lUPvm#_TDw=E{=x=_G99DFAB0q!<75rF=>s-F{&^vY3w0?h&uusWCm)8 z!9Ai&A9DCr^J*`23O$ZV1vot>-N(N8ntIOXE+|LZwt6(=oI35)^5Zys6t(o6z8dI3l;xZ#_v^lZF_MYvo80?T&=lh#Fe2 zF$iftYA1i!JV6~1Yr?jq?)4F(E_I-?wt{-#!s$u4JsI&p-E!VksZoReG^PjX zjEAGJ?TEUyW*2Da2|y@yj-%-nAdR~mu@RU#QA+; z7Bb`W#kdAU3v<27$o!dBB3{R%iZM1a{8nr~FvG2ks z&n+|sK(y#(`zkeh(NUou65mRdIHw)EaolCygMo!Q6h@7zva7PC#(-?*wK%27xJia(-TPTzcryBQeHWA-Os7p(@46)Ei(8u*1GQD!D11^!@(*m^p6r7fzO1Q(A{}D%hl-;PyfjGu)M=Kw z=bYLe+##w^=f0|xBy~ypKFQL9c!yTBl&a-W$Vr{~+6U383yvE+O6qYrjWtM~CEnQ` z)YS}4Abmnzy;ytrq?yq_pqQv#{9S+Zl-lyxcd+)O1e<(P->%NKAAO2LT94tlwT2pm zafd@qodnxyI_lz^x;2k_{OT@bN;?YeShCYXBJHbQdV9@lmdbrfh` z9|nD`Z6njE&BCUtlUB7HcL!3}i0x{#`Vrb6(E^Aa`B9`SbA-)A$uEbD9O-m{V>0bQ zC`d_lY8z-j`kmUB+x6pLJFqWj&ZPeAJyF3Rq!!|vv)Z1uGLGqb>&6rK<@L-cLCLg6(x1mvI7i#y7JbS)J zaP0+gQ0IL1aL3g0ytX(<`;3kf3)D>P z=iho#r$*hDx3i5&iwOQG#HLno^|S|S>!)&ONB!^=$gzKR!-}c;}+N=QT#U_<2MQ?7Oo`sjZ(Hf0`ClrSk13L)wmoBiuvk zebkNuHTYuF>O>u2XwVml?NQAm;{kmkR^zp1QspXGGkac#PpnjT6zB z>b>Y#pe`k-p&+SCj&}tO^!efnN46h|g*pP%=oRW3%Ds9cy_O^SMO_Ns*rokQTaWr; zl#+Il9EvMwOJ4Q`>HVmpB+cL-JNVQRy$Of)q10EGQIc1;?q*C;pT}-!U{A&yEQu}S z9lucTV=vRmZQ~I&i2i{%sDpz$#KWFIP*W$K8iZk5MDCrwr|z0)a_7{|iFF|*={Al5 zAjuTXb?(X-DT(7Sz=s;kWCv_V?a?;11mu%~_aJJN zOnYQ|%*buA8Y-e6Rln3(xJGtR&!=np6sh4Cn>r-&n$F#Ekh4nTwoqGPO~QxT%dgY- zH&t@A5)B|!wkEwg`SKO z=!5H2<$I_r!)k=#K2#D6$UV3nqAqo}zz)%bx?HbmE$)F$T8R$Y2KeK0C}LsS0Cdvk ztdCJ-snPy+<%8r!o%?DNYFNs>y6wS<=;4;s2eQ+*)IL;$`9})?eRLeublPD2QfHs` zW8r!*rB_K*;vt(y-K@0vr+p^}b?M8FKByH;!?&~(o(|rAFVJ3eKA*I1?rEsb?V$tRiI8je4?p@CQn}P)NDVzmf?*0UYhfmP$NavwGE_21xMB~ zc`sOPl~MzA@1um&V;`Ef66%h$z4YisNNhx1g0lnFCq+^{3IWmcY&Cv@+Oghy_&u3U zLM=?205Wy{x-o&sd*k-VS=7CP%|3dOZy6F7-5%$#doucpx;DHX`$;W3nkrM$u-q}c zTVDcE{b>gyjd~p8r&D9i?FD;3ieQF)xEJlqQR~~rdFcUeRXyjZ9}jZWsQ%)w74sARZ_oYt(7*j$Z*wpV 
zixV?!{dJIXW;#4RF=f#9&|seAC3+wmoCNaUH`x3-O|lUE^>jFws}PiD2&uoq_aEN}M%~%Aq~|M7jolh?0HaBj+Z>fUpmn@1z!Q_d_IR4F;{xk^pLcl zTX27o6k$4MrZQRJdrZjB9t)LB2SRyn^K^v;+k7#ZAg&nBmDIB(e4@-`0XI5c7ML!f z*o(B-ZT-gCe6avBcV6Ze+!EtF;oVRv_)XFzvX*;nJ5_E;>@VAMget9gYmK z&TP2AYz3{X(a=(4RAe0wt)zr(AE!`JFBXPaL0e!1W!8AGKzeqx7$ZAiG&DmOiH*_3 z!>rcO2~to6e8FfqX(y!7$h4qRNoB-jEvLQ#+0Ns+3AZ-jR)*bJ^#XW=gAAzlX`Tzo^5(>^HW84i!CK&fx|u-$(p08CQzq#EaV&NVV(LdIlR; zAn7n3&pOWtT)=c_O6f-osct1gka(R;vHdU}FS~a*hT653aOf+PSElY6nzEC@WB?`Q zQmcV>Q8t-Omxz(|HzY`lPL*ee_;3>XD`4$CvrpiuB9HeTelaND2VWljDmWYQ{h5AbABUw8gb|oIBBf~|)YC0I0 z42ygv^HSs!PavTVyIeYT)5suHeC#8EJ{`FUG?}K;E+#C~5*Z}Z5wxbJvn3MuQ)EX? zhr+^SZe|8PJeG8b!FdReZ#fL4jn9XPfI~hI-U@!jXe&DIV7n5S(6y{;GbpEN1O@$k zh@;Zep@oInXog}Q(?ta1(bLfqX%XdWwkmAqG>i*3?N@Fl=8MCsK6C-;;);*iyI;XX}Uz_(QIfiiGzu=DHi{; znPWR>2ea7>=8b2|D*6t-f8pWZA!(_@Yggdv`?)Zn+?YYi9d3~M6G>NqFym}tCXlvf zvk0I4e2k+cvl%QYm`$(+KOM!M5B5Lv8L)5W0~lda<_}L&a5?i4qA+l zPp1wODdvh9EEAZ`;p?XnTzozlF9z^hmlGs0W-vH3A6Nn!W6SXz{{1{aq5FA}p|hRO z$3vuO<}mOzpLp|0~YQB9em99em9txJ@kE^awU9PT0uVmZxF1ZgoHPeGl> z+?#uD(k@z-lMDqhmP2<1e`Y2!&X&qHM|xHf2l{nx2oGKE!a&kQi5wG&ljU?PkY%_S zBx4)ti{)^Dov!6zFov~Ki#alV)#;}21I92(w8Tcta#*GCS_xx0gj~N2SZKr7k6nRl zDwZ>J{EBu)pw@DkL#A9pvYSD>by+$BYD~2?WP~g;n44qF^Pu&)Tq14HOkGUWTK~oj znWc5bHV_N7Hf%dvrc69tSB-XIMKH9=j6Cxpdnp3zIEA@3B-;chv$7~>F}fzkSci64 zE?3w;UoI^jKSxhM3iprj$qz>6L-35;-dv`hA_jf@EfG zEd~`S6G_B5tT}n*FK`4F=HZHm2|Vw_GcmK54(1YBmsi4PVrB#Z6bQ;K z6|iWWcA!9Cv_Y;F^Mz#tmx7y%`#srv!mTXFmxYJ>v1Tv zXss6MB6Xdp#H|M`PH|&^q4WoA4m3oH$W$n~o|tk2t62=bfkY;hZyy7zM#s!xEsHvb z4muWPB;hO6IT$09_%?VtfR%N636FDluTq8`oFEEl5^JVq0w*aABR9btd}((X1UhnSc(JRwTHv#jJ zuV7@pZ%P<;G5LmnRa##uc4Q@Gwu1zmxvIz)UT2^@BuK*QKs2XxcuD%RQBc=N^9)AS zP17_O+=o)^Cd$2;4mX&EXiGieLvznGgr<)6&oHg+Y6-g()RESu$L-f3U4&)9nqIX=sROt0ex0n2^|Zf8q@YmHbY+onOzDbc zm7IaaH>Q(xIG&~xD>)VUS#l!6RhySn-9aQGWG9(Eih@JKu4<)KqBh$McifXVZ+1(b?~MLRt)9BsvW=s^m&eo@oM_TQYPzsAcUnU)jL47 zp&4?dK20}(MJ8K{Lg^lSrj=RWet9|v6LzW;CUpm<1~ma^Y9l$~mp0gj z^jSwciy7t&m6oYJCfY{p)=BMG#u!w4Qu^u@KGfmLAGe@1s_hQ=p>uo=R+&I)VS)6u 
zq6bgu$*&?ru?8rmLvELOSF~bQy3lrO*imY%dzzib|`h>nD z)gknbJhUmT4(Bj*U}uk7KtO;CQ--N}2lQcN5XBt=L*EOsqojqu+ysmEsWGvDGMR*i}GMPX=42v8dw=@}p=#Yv@V3(!Ri%~5t@L|9J55}u$ zs7AEf&S3$$D-{6~KFUCtD^LPrhA|IuA&S-&O&BTIoD-C!@Xjv)uu!LnT<|fr8A01Y< zofn91)(HXw)%IH0nE*0N2n3)G92qg?0>w?L@>5isXQ?v??Es2Sbr~W+)?7S zGXn`Oiz$yN#T9Z^6-f;PZ0{xJ0)4Ex&W#STNd`;A#g?|_V8^Dp4gy#;V!^5ZPjYjVDUP31c^RDh)CTfb=mF}=NM%Cv6fI*hSr@Cc>NSgR zw4IXh7%_^)EVjn%sO&>nTW@h5!NPa#IN>CXxsDAa{1zZOVX-QYE}RtQ*+Qk{7! z;|_<_VsQ#f9@JT2*ilOtl0cKla$r@JWv9>uv}&?|Ne4?#W}xC%(0Z1V)V z9~MT~MX+>)+ZPb3M}2h%K8EE?7qA&$zeYp-Lm&!E*dkS%>DX`>F;vj5KN^SlEGuHM zfCOm(OWYD1ml`SF+(=<^AXAl%Ucdv@aU!K|0TuDMggV=W@DG;cag7uR_kfF&Yh4F) zVVFb+=uuGx!&**##R%4oSiFEc6h&OoQ>)Zhw7p^-QGaV?u2FXOA4K&m=|{>G{c6NA zPoNI7WXuy}!>CiOZ0FWfb+I#K1rSb1vuet=9r+|J_#KI*hNkfxhnFpxVLq_TP8B4a zj^wG{tCC-^+`qXWNQy;_bs!kqo!4~#LAa% zjo(>?EiHJ~A%}HFni$q1v+#}Pq0&`8begPk2^+nw!YWc!YGiHUEo3s~9k~^5jRvsD z%gRE}!G$(fW@XSuSG<8CfA>fLNY7tnXQ73QCIr!ksn##dG{N@A*?iTDLN#P!)}b` zGCCk8l$K_G6bsl1vC4d5pjbyuJ%CeJSs?)Si@H#|t8G+$&l(r*tYj*gfge#Xvfx`X z9jQYPm{59a!C2tz9^ddda%2jUr7ID)J5QBim2e3EvhrEt*f3?gVuA1rOPXn2>j8FC zba6w>Y?#_zX$(CGji9MD#0?9pESxQ1@@2jG6;DN*_eOUOV zbwCx!Zu^3j2rUT1y4ud>h*-2&uG35`5pDU()!K)~ZFLil*SYuS$tSEgr*8V4HD`q@uM}`zCDG(S2$=E{tpFqhJOK3D`{cl|WcDy8|uE z)=6-<3tfQKvC9~TELYB`V+QVO3-L(zAAzohv8JTRFo6Uh5}Cpj8Zy(UQ`` zv%76&bJU;)kVdK?bgL1sq?i)wsKnXk+>2O@+#WlV4u=?)n&i7QJCeyVv{#t{8JqJ8 zqP^?njSRFa*)ppSy`A7SFbjG~lt>hc)&Mw`v>>r69SQ4X^l6wKA#pAG)lRn=6#tgl z(dlW6qyx`e@gA&^(jT1juaV4Q4%yCF$V5kxnVn3lq)Y2=S4L@^*b=la+L^EzoLuZM z*M)>y1`JkIDQAZ&>gNW4PO8@A*TywQv~sG!%Dio}t`P=+QPaG^gA-ea5sFUZlj zf<9JzGAj|EJIZQ;h4&6K>%?2TNb8)KppFsRscM0MVJuTy*GyvOa;&O36YSG0iv)N} zHmH)_Q3Cizx1$QdwoMc+bF8Q%QK5N%tjxo9dUjZsh{~9qfxx<=#|U)}*tvxTrKW`} zG@<*XgZBc*haBd+$TimT&9-2G)ZW4YZE6!R1fk3Uh|B7T4ggF2m05^In+RYYrS6gL z7;dha2OgzT1D=kwwPM&hTojP`)ThAGUdPbW?0lf;9XE%?sA>y#N8zSjmLLq_u&O)9 z!r#HW1eLvoaV7PZ(#fO+7tw7Lp;8xwYLTe<2l^u(4eBK z^=>^SnRO79@cl&Davb*`IYM1!GjkK%s1FZ2j7?Zs;kfuNjIKbsMoRPH0BXk^BS{kY 
zn8)?#b7V8|kcBuA>4cSk-2Md`Q3A3a_dC!g9T9WbyWy;j4)wx~x<0IRn=y9c9g$>F zF(nKOCOb8h*;TvcDED0%ZXFHE7;Z}K1!iV-x^xXq2K59k&{Pj-;FE2~ zYz(~l4*+ ztU5L!&Vm- zmg#562N(145+Q60ONk}OAlTIr72aA$wTKh1WNdUM=qeWmH5`2za~O!bR#+=q7j$?NlY9uz9ru#&2C= z!^{|JR@l|8WCHA+sb60+Q~N^!o;o75thR6rSZK_EB!%i#xa)RDQm8ABpzah7@Y{t> zWjH9}t-eA7_9Ia(+$_W?ePP9%1vvF8Oonh$g!&!gi#S_2(N_e@WrxQcnJj28rEu0z z|aX#1R8wX=FffR~joUfO1)wxUOFW_5y)&iXh$Q@RHmR%43l%pl>JaSb`9+ zh&&!0CEI( ztz&Se(}f13M`U5wU7c4J;PX;cjYNoRZIQ9&R$bSaq!eAk#DYjNJbYCYS=eD>ix5tD zRQH-hD7T8IbGat0j}xixu}39iF6S=vmxV4pKm?<))4JqjU;#K04Yg$hcd23&O?)CGi=WFQJ$5u;s2FDII(s+!9~ALU4MWup|5>l&xi9Q>SDdNfcLL`#IJp z3sinV1{^WzR#es@bMzCf zs6~2+A_Hc;D+?IkRWIdIwpc>a;1lKwyR_#&ON)LiSM>$>?CIvi<7F3_t+ zIU?KB&9sMXfE0nJjjHyKR6l1SqzShej-eXK!U&-+soz~4b_ECFRmPzYg-rdHb`}p~ z;YG^M&z>1&cJgBxA0$98`3}b$KD{qUKfU~XAt&qU<+yW*m^!9iNp%p791FODF z!yR_%FWyWF)*Yr`7EVR}VU=fYB@Nw3fx;Y~i%NbyDHBk0>}9b81Gl}V?7Dq(isrCy z=_T0i(jgQmb@c<5z%OyLRhA?7)XTzD-)p-b^l9)7{#$Yml z*IE%*H}%2U;$G?@ndfRPiYp_0jn<4qF#5nk>>l{K9Gv4^f%+Z~@}tjnRSGms(hhe> zpBZko@L9($Lz!3crq+w)4ie+ORZrCeca}rMb5HqV*r?Q?ReC@w?sKfxfvo0pS->Jn zp9KYuy(vqPYnUzN(?AQ?=P`pr5WJ{FKl^&>H~LziX{1vaGWR(Po4SW~rsWAo7QfF; z216^p;A_#Y)qG(H(E&%VX}GB&YNtUZY9X?y&jp-W;(0b24(hYK8hj3RPyx%rlTe=u zcK{=qiXdPuj*>XrjMtN?!6|IG2_F!dS_K08d;T^-?vRGx(IX@`%!kcMzOJVOPQA~S z5!&Gh_!tpEor$jKg7Ahu59LM%DEaM`F0MaRCQWUQw|-02FvB{ataY1o+%^16a|0~W zR=fZ~+I_ZRG1K!jA=l!W)=C9pNhxe6RR@cPa{6M8C72$8lV&jGqS!jcj*xF|K|bAA zzP-mg&>{WMf`+{k`p6yCgdQM5_bo(yzMjmCtsY;=$E*T6fp?-INLCyf=T$Nr=Peae!^&v=of3MVKF6(<+6IKM-M+MC$E`_6 zLPtm6R-#cz;4`7En-n^9sP8AZ(n&E=RUv~O@jBYW{5mEMeqU!W4W>*<0TJl^z(<{l z6|0=AT7O=3@VS&RlzM(9^=wJFL>6^e0YSomc=t;KVK1vA#-kbh97Y=bC_(`YUziM+ zk_39DoTG@>MZK%f#_8o0mndh0ogo8+z~KW$yjBMVb)1+280+2Y6^<7QsR>eenX8*9FWLX391k z4sBLPUqZG~_m`NU=W=H!v#sJpdZm7bw7z<-@dwmvO~VDB8YTU(O}0Vhj5Ik-UF7f$_o-*CBOAkKrscl zk2+YH_&cj1luAB!44~2NA!ZD@R=}#P>Oe79YPc;1Ws|@Gi9kc7SsZ0K0=7jR8UasZ zi7f?)IJje67z7Ani^ZO0!Fj)dQa6~tE6PBne(GbOp%Qe}JL-w@opK6S$_CQz=w;JS zVED{HDy_$rZWRgg83SdgcF5fT_ecfmK)bp>wcz8Mj$>1M&0x?g2s-dBgSrB_mF?~E 
ze1wFrpCuXy0_W<2Oqu^U-4Z0G0Us+K)K*~fL78w$>%coL zCSzEF8?r#)#8OZUrm!IZ7{n8IZc3Qt$#LMf>+(Uc;` ziHtDDUQuX+P=)khioQdyNwb=k#aRGs4P{ZQ|D;!4V71b_-GMu%3ej{@h~tsuho7iKGYFZ#%{T>1V#`|An5(lZe4_ z6>_7DD=2RqIE7a_xT;c-j0JT~bDp?rQFdT=$PA9gi_FCY(PhmZ?H5`_@mjNU5tFV! z6|Q>uX0`;{qlw}Pk$OYb3Ei$g>OmdVr2F=V)N4?=kjymYf}O16e9z&6hqWa7a;_q}nhCLNTcW>)=BQh^4$1gJGn6Aw{)qPZ$Q2 zd0;YD6wRUX)cpnmA=P!kuST)y0y|u{V6x0iJ4Bp}ln;*tkFqjAz1-Sh(typF>k1hH zZ6UL)Dh<|ll53>j*QSNU;@X5UuJsBh8`f0^b64SXl%-5|l#WCia}c)q)ygH-8OVh`GXQO0BF?ylECgnB>pD=<`Fv@vn}$a;#UlP3;75pj@RoBvA5pBVt{ps717$mW`(X@{0BO3y|JVvN_bmb$5LW+YZ?p6fR%FVby=1`HpZEhHgxgV#daG((#mwr z5+t1%op;r}4KaN68!VQ!I|yjZ0|sGt^l>*`7U1RwSl9TqD+>1L zL%`{nTT1GHP@dBF>Oa_Lj_V4})-41k#1~paOpAm?!x4#2)L(!#T^ze;iS^or zf1N4mkHej@3`$4fV!Bx95MRon@vv566P8lNu@(mHZ%LHRu!1Q6YwQ)rnP^H>0M*1_ zVWEVc0f2k|6?d3Uz<}eXKBTZ?Jk(9k9rqbT+>QmBh7{KmL@?&JeyF1vGhr({P&78p zuJX6UIkDUPPsJtbIC6)_z*E-D4z1%FHTWNBwId<|->g=1G6q{a)iYfaG7_u%U|48C z|1{w|@A{rheKdTFDWH#>R5o6L%^p2Go5x9{OY;zuCFXF5LZ!)ynaE^Ftc|cZ2rwpQ zzJ%II>tPtMsN8f2#E|HLXI=DW7Z^DpaaORhA?Zq=D@`A5A#pftg~>}O!(4_PH|7Wr z!oDP?Bc%_cM7j?_+s<$tf;u!;7|;#Z!;dj?qS|f6;Xt_N6>4DnR^jSd)iSFQ?JMieyAGKfFBY%p3<6lQ5Pgr)G3(= zU&#qveWFkOAoCaztf52LLFqRZz@e8EG^#ue58 zbP5w;atK|WI6;R}6Uvx`<*a%OuIR)`OO#IQ7*d|Nb^g0`F9C~Fk#rpX7=+{!-*Z7! 
zI|)kI-kgL@d;qNKuK7NzNqQ|cYWr7@xL?RGRMZmf|1UDWhnc={5m6ipw z-s`n4m~7ue7rIU&O~L%H6)-=f55#FTAE1|1ZdU6q9i^_YewV8>XE9GWw4b!pOwtVE z!Kqj9CuXn&E)qwvNH`9rs;zWgPNFo84rjLN03{sYpiD*Oeitikr?9Ri zDWnCtIvfr`_*bpOSDAAxh2H@S~*-6yOuDJ_ipjz}8ndxY zSj7ww9#iIfU4ygKc`EA~cX}tf?5yM7b#hYU$+T0~b_;bzh6pcZdccj{(G!rAj*aAw z`c_CcrI+DUl1AVNB^)4-6d6oCHeZ5XVk9-38agb9pORJsyzs4S$fN{X3+hI(!JZnH z5~7ecS?HqQ6FtNZ)avS@4&C$6A=s2y13VxtY2r=#6&NdnU@>Z)6~@O`RxlC>x~8ES zV2Ez6ONuM8l}b5B7y_C~zpkW&ra+h_~IQ^)@& z)23u(g@PyQfw0?{5>ra zl+8%1niB@yX#I?V%azk@+LcgOkH933e#-(rkZl&QtT|0I!{8WlnygVAI!(77h;M0^ zJ-aqh3xnpzF0TOEpmE>xODy37;x2Px4O86#AupKbyyPxNM30+Z0`w&QO zYbFv4*_v6@VJYef$Z6jC*ANae%S_mKTWvpLMZ(Ptn_nIIw~dGtDYe@W863B>5#|6+ z=gqQ+Nj%p!OR7S5c;AZPQj`p<1uaHeQ1^kvY?kPZTLk%PGXX~dOD@#Qk-1mZW0+{% z)`nZyY}hy$vL}P3mzxMWnVH2CFuN_ALaEzTP`MGCj$+Ckxr;DG->8T=6&>SkG7&Hw z_?%f;`_%4@dIv_+&DA|5Y0Pa;x3feW(fsMO!Yh%&MaS>(Cp7dZR1NgM_xXy%JhfKtO;m$P@Er);7Qi&_Ue z?F^bXxq+*8Hi@u7(at83U8Qo1#d3*#;G7#QM3!|W$RMVA&bBdwx-Hi>nphz#D>q<6 z`DQCZoD|<^kXjqUI_6xD-&sQ)pEKOet3Ji+D1^*4=5B`Qi|bM5HYTuI=s9O~>4n+{%$F(}ByXUeTqyTx|N}+=9@sxo)pOu@-euEQK7E z%YtJ=p&=px^Q3vuRfMOW=xEN(E4<&1j@DdwaK3%+#Eu6wOof*Q4}?jZcfbbcAq;oq zItUMY(DDE`tk$QFU!k#ip{&|O0>#!9d81%Nu0!H5D4xq)S_OK8$zoi;nTuS&VEd;eyqc2$9>M8>Tyy|Bg|s%?$Hv!2sBXYS6j4b|v;lW8fD9gO z84A-Ws-1Tk)ascn*30^&U^$Xj5PTbTlw9N;0ks^1?5cfQGEe3(f4en!3PGpUxA<0) zBHJw21HIupnCOzrTl9jhlNrz?fF-KBXFhRoORf?WSdi3b34{JylXZCoI};PhZf&x) zX6ClGfUxmfdy7&i+X+Of%eTsZLdJkP%94qutr0v1*I?L^-wMtx2J_hZk$~w=Gazgd zk)VXwwlRF#{$87*@Tl|ca0cq^)!+Nb#;=eZpmI|z!(p?A-l79LX_Z&BLE>)9J6fE! 
zY=z|5R_Iw0a0+=%G9!4K>Lg-ic0t0{*MYz#^aHLg7lx}?K*{SB3N5DExlcWzrykhQ zL&;XGbTWuPSod4%*1?X4@Mxc{2AdKQD7LIlMPQw%R?)=`*u&p?qrnjQiCbZ33?IJG z?jdVuxX>;$iIG;e8t4z{%xztW=0h7?@3mtMT=mqb6o#W7TULZ8+oEh;B&~)wb@YgD z1709+U~6>Mac?tjWF46^_00i7pV>|aBOolZP{&5l`VqF|)gHHEID~YnM?S!JgayZ0 zb+u0eVB>8QR2sESbR9|S-v&Bs2TwRt`Xo!*F92E~TLEXMZkYpVZ91K{mr-p!t_O%B z15Jk#y1+5EQo< z31hlMa#Bl}4j$7r>{-XukZqD`pbE4Rvos(dRKpZ&kVkNJIJ~#@3?wWIBQKFpR*Yv5 zVMUWT980nVp@c%)Y64~OYO4^&f-CE`#^OLvZ4(s8Ds<&=XzTjDR_Ujnu|1B<9ToBD z04F?A+e!d-{9ryA>;Iyc6h()nR-$r=?N(WfbvJbD#n@JXqOiIT03uRu6R!rS2cke) zFiE$?dHO=*G-eQ;q2M{PR8k4>7W5ZZAq}+tDu=9DthTO;qIm^Nvvw~+)0?T$a3;{; zjuzD*#0Cgyb+8a%MU|~znWx+Kzb$nknw}bhwGH0? z1`}G?81s-~HNc#ny^iHo7D2DKYpQI?1thn$(|g}4m$>6=ZC=e}g%5RfWfv(PR8wpt zH%A|$c2Qy8LhivZ-9@I1I2g7qD_kCkMpK%yHWAwIzBEvduhhsbps-$Dhy@O!TtRT8 zq5v&SWmVgVrM1AQl|=?KTBU=>ClSPBdisyhPTOT3*)Ur6EQAgTrjr=@2$q zh@~B8K8!?_EAf<6(*V@9;BhY{%!rjqiRuQ+qGMXS=19Bi5p_^gaL{&ASSY%!M5vA` zLVLU{%VdiTtkQ8idV0z&i$U3|I!B9PyyvnoO<0{?metS?IE}M(u(rrFwh;JpO_eyb zS8l6Hi`ErN0sCajqMlsR{`UqG9u9Hj97||h#>(5}a8Rdm*)dXyVvTk7AExtIyh0fM z```Xdd0Z?uL>jZWNJ5ePt$XqRJuLa>Gc7MS<7%iMgHD_g>p)=F$kM7@O@s{2^H?b@ z;nZE7t;B20N` z!RhrpHkl=TVbo-DvT0jP9f~Mn!>p-TLa}Yz7ga?;kZ;{AJxQ{*kBMSnN!T&xVI2<; zZOpI{Df1JV#gLM0kyfZGt;^W^kuE1u8(78`zCjU&R#z=QE2iLy$s&HDyF%LTUgKn0 z2IBpInJ~tlJ4{h|P>6_GUGR31j_E=$4UgG)(2b!xAR$;rq)~ZlP==Mhb_d7)~|8wVATez8Q7wLD2yR5-0^NEmS1JQ%BQ^((m+|AkdGbZ0odU zYc;YVVpwLHO0cb%sc07+4)+tj5s(^kZa|<>OCz_3UzLpktI{*IlNdwp2P}?-Owl7A z^Rhw)*@@dWfHq}@&l&U|bt0nGgh^$tE-2Ahp@}JY2z6#qSh1onUqH)Vt1NZMIXq_5 zNNRZmE#HPV+O3r|i$mob!(oV7YIJnvuaw$@t%wb%wa;L)pQedOcy?k^D==FN8ze=b@od;Zd-U28)l6Y*q8FoprOJkDs{>xLP~(r< zZNH~HNjpICWYj*sz?2pbu?ws|K|-WojZ&CE#7$FeP#IlFN_a8C#i@{Un4%_OhwX-> zBMYf#D?T5b` z9|37CD%x!eJtPPbvldyI^5YHWLNOR|GmSIUuB=G5(hrC)qy_WE7E^9@yU(R32ql?F zp(N&8^)(&f>fGmv64cNONeYA-Z3^vcB1vv$N)fdC1zLm!MaMLp@N2qhx9VdS8+H_L z0dG58aqs_6*_ST4jbmLtkrd9fYw_cNBuGL80UC=W>gnemQ0c1vBJN>Ld_6rsoSi9= zz+KNmd#POtSgCsS*SeV9uwW}WCywU@#G{oW+8==?6p!g4TNehp-Thd)!aK{9hCQ(4 
z_pUoOuU^L;ElHq};gK9fumja}j=eR(hKU2mwiJI=OKUE8Mk|_4a-mt) zkxf!!=MY*7z44e2mpIThxpaP>n!!nb+InF9C+?}^(%be|WIJrkmuix`r@nYcjBZOT z#wXjGt$^QFqSmd@o1(bhKw-DW*H-ygHObQK zyBaKqme0!T4)_=plO|dRnL*C)HL3C5N|#GZIe8IYo}T%2Y`e%9z^!udq(6q| z8yM)CwcBzQlM|NAD435%->5^h9xioU^t1h~{{W?2GheF28}4t>ifW17o_!^|jmNjf z0!!_#|22#$+FRIWM$lht7^HSbtNd1y)Xq6OQ(M0pD&d(-$fHeCr!VaH%*l>duT`1S z^qy{Ax=A{Pq_uUO$wtmDOAy=-4uS~9^_VV0QD46#a(w8j8Rm4^@Z#TWTOK_(jfUSA z07PyeJqyy>gKJLIt_GS}w=g|8sDF?mpNPEPA{51frK9`G1{1%G1UKW-!_b99m9DCT zmncpf%X)i9vm#PGG-g_3$^PJHKVKNyZJ#0fOy09EHU(+-@3ycc3e#;DPO#(d%X#>5Q z^k@t0POW?IR%7(3CGY@UWv$V#6WVm#Y{<1MuHfPl)$vRb0XJjr!StEJfQp%<`jJ|@ z>St2kt=tW6g(F#?Y?~I>%L&NGC^o5ka$7d3>3L1NnN;9sO(WXM9cjHBk^XHMbv0T! zRi*ePUGV1m;qyD2{M{W)C(zNHjQaZ+fFPlDulxYj469Hcno_J>aO(M#KC+F2=@id( z><$2meUbNx>70aSHFw<1edxY@V+=BvgPa@f6)f)Nz;e)1M_0O1J{Ygp+b)J)3X^K0-X*u=(lYLY(5Y zbK3C?ZdtgM3Aa15$49Ux7rpx#P09_~roLmjAw4z9`J>ezsruJ7Kedk#=WkS+FaE%NI9m*gU`ujedr;vB+<=bh-r|nRqii~1DLL)m4iFHWS}UYMgOS1 zBy1OqmtO)n7oD@p$7&ynFE3{J83yBSY=5!Ip_R^Xe{ib(8b>$8;Q1)?$$C4?e%h(I z-kmx@GW~R2_3QkwcFVy0h+vvI~+6ZU*Q2LHw@h>4<>~o zFI#6g8I19nY67M4#1f)6B?UUr>>#A2mzGw#3-w>kwvEv{cE-$h;HLGn9R1F1vn5ID zlZXaWIe1@MW-!C8(v`}(2XlA&;22W9QcO)usyFPU>w%&6AZ49gZo6XyL_Z8%&;oG6 z+WbbUp?mc7YQJkHudPRVxogJPb6PQmNleWMCC!k+8+8jMT#S8lHM4Zvhe3k z%iww?-DASvqf}7w0|4{6kpC032QM+S#f@$d0-(_jli<9?}hmFVLnrJH`> zBp~0VnAVFwySgOFi)ID9A)5LB5A0q?gXf-f4luMwo#Ho2!5pIW`w}G@VdUh|HN_PD zXxmFMPkZol)bZTW$T6+1_c~8n4o-l5M<%0Um*ZG|{>|DEG&Kzke#Iz9J)4+$d4B># z>W|fqdN>=N>GwR30#2WsO`O?l?jJwNs~^^RC;xn}@^I-;g~2+|VsB<=W3ADJyJN_8 z>CmV>=WME^V|r6fahyYgDlnOWdL$3lM_1^%@0W$(ugy(*Vvv97O0SPeN<~lN{$yTI zlUL&kdPX^~)VxfpQb@(FtVYZB70mkDlDW&%Re@|o0xniBY@}21_ zT`jss{r+vBf~GfC@VaV)S8t_|ta)a@lirMUt(xszO;eE4Pn0|q7j9%#u-B)1n*h?5 z!ud@~aT?a(J^lRrp=XDIDlcUxXOW8POJtamS(%869T*N*PLf$MmEAl=r?eb)hsm=`eW#@yNg-k)Qbc@0lWpinKA@NKh)OQfV{( zPO#GEnuTXs3?tfvQVYo`O8I=qFYD-&_FN$hsUE+!y1Db=vzZK2pL)-LI-PmncVr~o zM_<>@v28Sp7P8%1^TqV#_!cA_pm{1(u%nkQG1DCdIxsyxHi1!AmPWI*y 
zsouQkeDzUnF-?~6eljQ+tM@aen5%nvo5A1TvU4|Gnr-x`Q5-!O)W@OvEaBstubZSY|EwyqRL1MseusIMUDf z9*J+}nDglDgh>LNlztlva<}d^9Klk1sAGI~HOoz>WPz`t1-rl|J@}&KfzeAk>AadA z0`k#hEo&(kySK6nJ4`jTIk=}_Y(c+Ta<-hVy5#<12Bnr$i)8+;=PtC3wR5(k_+P4l z8t!g&Jq9t?@E@cjRK|_D8(P}Vx9Jb2snXi%o{nlqK5tCMUabajSnmNdy$og^HHP0# zNrK%uHS+zy26a?y?)Gw;W+<*WRZl-cSAQ+()ur0AmBL;=Xn!1=RmG5JL$%cawLj1j zt7(0i6I{?;&SfxC0k_YUWy#$`60NpIkp+Q5v_OH`_F z*=sfD0K+*LN9C&~_gW(rTf>m}DowfeiDTjCZ3dmdok8j3ROX&h$L!Na@-aGp*q-Vy zNlNv8=}cweZOc2jR&hE-+O<#$MS04r8%^8uF#!Fs>n%`D)4P8_YZmGYv3iQkmIr72 z&g-pWpN45sY-X2=(9!JMRp$$2FIe~4^`~Mv>&|!equh~#BlS9Z<0tqYmZ4jh%|or{GP`yOD}Y@v{9FK><+rk zeX#iuV9|cEu7M4C-iml?vnp5EjL^KGBRKev(*?K`B3qIUOD+a|xe$!%XPZv9iT~E- z(w@0A(e4K=WH&w4NQpl>h;>p*zw{e6on)j?OgP)2hA78SdKWcGto!H+It5PrH$96^ zSP8pc4r=B{@ZX!7>!SUXw<+%O8{y=uw{!C1BcMtn&_8|a0bSt`AaB`*!I;4DR0Y3dPrnF7O=P;fElgh1m>WhMYQqzIPtopuMo z^v%{REk4-RB+tbA-CwN9MctV9=cPZJhs0eq!Sml`l# zuaEZs`0-O$n~<|r;GFdF7gP3!O2oBI@0e?q^B3vh01Hr@Z-H>dWlhm+Jd|nD_t+o_L3f4qXJ|fVx_eJV#e2+qO0miQ0eHU{2}B=NA|GwC8Pt>!_*0<~DoAamsd^ z`Br<5<;Hn=?&W}URa5s7U3MM~!F_c-RkM2_M5)Tbu=OZ5WGudzYsp~GH$(Yhrmpt1 zqN;snYRtbuH!PM>ZJcI6(0^PHdD=7MG{1a)e3AGF^zP7JZ;K0!!&gif_-4AqA)X`3 zo1P5Ik>1=LRbI*7n%6#JQmQ{hco>gtwFZT5omXt`cas5bbT58Ske3dS&Q02wz@?+5 zYL7%YCGP=3O`ssF&@aGrdcITLhOw7-PFXy1BASl|;Rpk{>aD!tAmxwjzYFS)dy>7 zP(lJo$Ln~kT8eoRu?1AVw5)2rizjQSH?ZJN${hKT4XZZ7L3F<5JuQy+gC+YX;|n-N z6P3MMYEzbD@oSG112>qxZFAra6Qma4dy2fxIb%Vi)6;D~AO4~2Ne3Gu zolnSVD5>t2s~$BQox%m`&9J&c2X3b3Xhzd9;v4I%o1@3X*7LSXrOtP8Q(V1a{lq>E zJ43!2mw;m630O{J-6qKmbmoy~^P=tJ^K*!g(B_!>rtah0w+}cqQau)vMnnBApuk^; z6X^NZ$n-R{N{D{(t_pD%S;t9rhODAX;$V!|Hu>xeriR&*;KS`eR@2@JTSA1%dI;?3 zL;6kr7Uh5@szWJ>uw{+A*8P?^eT@2d@0ZTILJ?>tLn;vh zb$aN+^$M~1F6n?9S1y?*&aUIva~`1D$hN+}s_U0NhJZd!?c`^h;^kqefDclF)KAO> z3LpbO=Sl2xYcpqc(tq}`md_tL@j;61MGg~lje2!AcK2OyCk{w1Nb;6O7yx;m<y1KxikHRJ6M!x4WTrNMRUw?j%e|$~@E$suOKbk}# z!|D6}4N~JE(3R~DZ?!7~U$pM0bz@!Un%sUAd%9PT+Zs?z-;<{6pq-)Br6iG*SWbTB z5q;=0TR!pORt?7|utc*1Qo63ICqmEgh*6IH2o~mBlXO2(%^eJrr<$Vc95w&z;%+nE 
zoq`v@wtwob@y%-7s`^WHVM_eax%o^~HoEZ}UUaoC)qHD0IMQkG6CKch`}q8RDA6-Z z)a}G@t8ncf$bHWb3n&2Vsmx@0X$U&Uv3!)wCS6R(l^P3O@IjV&po1DIKsZiwOLERm zh>Q8*CK|lsuxIY*G;hp|a*vCZv+Pc+4`L1HtG?!+qXz#A;@#FHK`F^t4nog~=#oX6 zn8g+Ur5Eg5BTwp;?pz1jO2yGp!L8X#?A5EkNwUlwYlh?2$$Yrm9BC~)AR6Yxe#(T{ z#r^uyk(g;@Q-HUT4MPn>7zuupx@g=?&BhxYhC%oY1yK#Z=br3jOzF&DX|+#t%^F9q zZSb1jb5?_l;e~JS*2IQ=gZ1)N4P~*yr=HKG!3jSAKIFFyD00=(ux5&c>GytEzkQJ1 zt9QR@&$+Q(>B%qHU0bMCIe=*op zU*x|oFUQ)$-Xw$vX&}@g$~KIjKgh2*MpGtn&FJhFsqYJ~uv{NQW=oE{TbUVC-q-Hr z$aYbBV0Hd6xq`z$2v|#lhGohq@WZ>A(Ld?!Eug7W(4d%S_!_O;@^-z|tWRFY1SU(l zw=P(%e5C->1#l+m?|8O+MX89``fJ1Vj2@0S7UY&<+kA7jo|`v^YJ7&!AA8R+m!0?p z&lcX-?s=k;6(I6OA|SToOu#;t+K~ytJhZa)lVO7o=#hEcHvRXc3W9vg89MD4`;wEL zNtRx%0c^BtZ2$^_vdp|G)Ty`jBgwFfSzVL=)8TjzBj>HDn`uw%*s$bSIac)TZmioG zArGJamL_dEV&+NE?hm$4tNGAw7$U_7->`Bd*X(6pFA6aHAMJ8AsNe@$A9M{`m~_rg z@@!Bbj~eU@{5g41lLM?5LyLGqu>UtC%X4$(siyk#C+kS69hTtexU)!;2GSJ;9S8YP z8zok4iRqrM7^re~7#6?4_-T?@d65XD-UhJxOS=*5R%7Awp--#6|2atM;%lc}dWU`P zpcBZN?)$qmmT+Yzs#CMacnl@=3~GN>w-IskGRJh;sLt0al_RSqI^zu)!TAbuy}lys zrEy-e-7J-m-ykdz1I3m}A@^{h>EWvracO&8O_4yUx)Lx4R{fslST?CCRWbXzb%yaA z?XcC8_;Pn#iVO~{apg!;aK*nwnDx|s_ze69bEA&}8p3+Nb}?v?%11A8M`DF~yyg02 z`4KvUG&v7^UT0EgUC9PqwVL$X_(J_dtH-s%d{BFnhuaMiL6#CWVg}7nxV}{#?Au@@ zV`l7|sT5LLbh7v@p9pkH>j+_UUVm(>*?abyl2j%+xn)EGAZU)TyiEwec&0UE5#ztpGY6RN;xKPGQ%@E`w zW$9bhZ1iIr457HhWI#{RGq~grcA2;6om9K#WoUn1_LCvv^xINa2eQfE@?<6358;QQ zTa7HyPi~-n7Jbqim%$mnoOrOg(+~&f@4!bSUtw#a#z`srJMD@m{LfE_9tZC&>)~9Q zx+(q_j&;)dm{8Y^d6FTUHtxZhKe~#D7hgh3?I-BW8 z{^!pFtxr>G#~Vtsp2$FLHf~;ehBQaI-3v7zENNBh^GlZ6B&ovaja&_6xg*68<=GWb z(3zOc%dD>xJ;PAWqTR6m@%Rn;^^5eG3)lO0mk*=K?`LfBrdo zTJ*a`nz(ZbR15*em>!%;dNX&dmr1oJm-|&?PpwCgWFtV|@_0|on~OIfu+SOCK*_$- z(LFKVYA!vQV9J-RpuV1n#cwGNwJ&p}YKLYVfiY(A)e(9i6Q+>t5pE_}#sTf+gDjn) z?(Vx;7D@?!zwS;&9BoizI3Q>BtH}wpWA;IQ`()}Pio3fW!-4-_r18?|JiK5)6(H3)z4LBrU zj=+fv$$?X9J;mn_I*|HjBB;BDN3(qnW}gTBHn$lYaD!bPs8;U)rs@IOxEeJJqscVS znpu7JzaI6ff~8BtiRas9TsEgOp9vbKQpyFI)!$<8((GwZ(_Sb^e~=2>_=`l)heUJT 
z_zGj68!N*XIDqZ^CTvolc~4wuI(xuC$ia5GCN{p14)4YIdB6Qn*{_iL_=}LPeU+Sd z(oZb3ZEnkvVFvk(h?q{NB5*y^ANjT37MkVzn$pgr-`#E9?Yfd78pgfH-iU%ovGfZ- zR%8804!zVAhvA936Z&`~zEt=$Mgfub=29!j^Oq0Qw6#w%QwK;fZ>JC&rJXf}*ivIx zl4D4=7E6hg*}K7>N?H!<+5v#17VAz5&te%1YCm4y%En%x;4+x&v3)z%JGyFy2dCpC z89gK@&UT|Vqi^pmH7V4PA8mZ24kw^rEN5_FnghLatGQsNf8AWKim;h&+gJ8+flk!9 z#G`-9+N&yJu4^@yTJ4y@4Tcib%3x?sHAHDD0O!)Z%>O6n0XC;EHzkiydd07Y;ildD z1UZ5Ka3@<2Nt>qs*G~!Ls_p>5&<16m9bE3Z(1*|^lii8YiXBE`N?#g7LcfPD zG^+%%+ySMUu`1)%8)|bdcUX$Rb0zr^9MWdX#E~)m%F5TVO2wuJQ>l&m2tF2}D0eTD z9_(*yX77QAX=^hwp^0g2#DDs$iy-Ljn+N|x5C z=-K`@Qw+X)xe4u;w!3Syw~ue%zUlCJ03{)r!{Wp)g^enHC~re@3CH-mm$Zr_8>xGX zxVE`cJ^Lgr6b){2kXnZI)IVjHdJtd}fgkO8Ka79wtf>VxGr8E%9w#T_w?)+y>s=2Z zqj|A}hrvkmY`(Z{q-ORBq6wA2v^VQr!@7RzKeM`}w)FbY19Nh~Pg4zzrMr!Z4lm>@ zPnI@W&|Qj;e7+Q&cSI!4?06pA9`$?YIGAl<3K=Hs5lrGZzU;YEnszj4Z zp=6KN5PlGM=WS~MM?kp0G(SCzn9U6Ji`%2oXx+NSl22mabD<>W2D=_&?M@&Bazd%E z&E2JmdJxa?QR0c2aTz@qzrr|(ovzJ>M`Df+5Ugv0s5ExO_iRD!E`vKJ!fL587|#uE zkGd=NY=ck(_+R?JPg3%#)d={ZHrwQkx9=j4Y!xMvoq%kI#*x{j?^wT()?~rdO;Mln zW6-+}MCAHF*h)(8b zGdL+RQ>C80U-g&P7i@EcQxAow?=i&RPUpGP3Qa6V5*@L(hDk5^rR9?t4yw~hT)9i9 zqna4tuG&%RE;{RvkKU|FZZ_M%Sczb7Ii$g=yw50Ss)x%Nla?5z=WU|_35ojk{53s0 zU*|m0bn?c6uGd+623-vp2po`Qb+luCRda@&?uQhy0;2w7j@om8(9LIy2WgDZ!DhRn z259V8a%H8q@7P}o_OZvba8i*(tOwN;TsoG>)8&i#PlS9;m*rpSAj(ue{^+9jd-J8j zeNp>{*?<-ZH8y%LlL`5-kL0L; z7>3%X4n{A4KyTDq-3?y<9$#{v7bzI&2IX~vS;(eyX9_oc+_*+lvdt7luMu7UkiSCz zL<83L0LBnX@X#7yb`{?y>?&vY=dl4%#gCpY+$!soCbze-)0!)da{o8e_I|XBm4LKWFB-H=&#BR>-Ms4-}SZ$V%rp8@{!Bp zaz3&t8D}JZ!;h-FO{U*Bk#3k9c%5mGY|gx1bgfEj(=EWVkQP!At`Cz-nBu4pXOl=? 
zzMGzdmg4Lkm2YT(NbUnS4~<}@|Bf13=MHg7l?e|uUKPD^H({iYq)+=+prQTZ`1oED zxSgbC3AF30*|aF6w~nL7bCI5gVhv0k8&z3PWnhb)R9G!2s2*lm!NPI-Wb8M)X$GKf z7?Wisvt;jjvnzn3=EhGU5@%BsAXO$QHvWYTP`S_rtB1HLExq-g1{k zu=%^X>xks;b~#EZg2Nu9KDj%~>U?<|l2UZ-PqVQLCy^8PpY)9q>CrY0QlRQsBv?o% z7Z2Yj@_6M7%g^LuImE4P&_|k2rPJ?+KsdRxTs3K+rGR5$Yd0HT#>3Jxbtq`qr>XjZ z0|U07nV9v!*IqR+wZ~lU%ZY?~d>7oLW%^vVAEefbOVq`+B-PE7C~$M@5KlHb$qX)j z?G*G0Plfo)kL7EaePRwPT@&*DSCvl=6AV$+_Ox@*(iteV_tpa-Od(KtaYKraWZNgF zlM{EiB3=sk`nm}rC9Bp)|2!ph5kzIFK#YoWA5x#)|J_o!5uTP&8|EZD#a~ladk~nf1*@O z9D&zS3mKIydna1%-ec+;)hfRRCb2J}bHfT-&kU}qN^>EfvYliE5WLd%7V9T;!>{h? zx@loZ>eH7^F*1m#+?v^NhpxGaQ1*7lbza>SKq0->>U#gxFzet~$U4NENrtt%kU`x{ z&qtyEPR6S?GjQ{Xl;O4@+SB>B$(@;x7pD&u00@el(U7}-c2rDzimjrjyNA%vF^V;#M2S;)`7GyS zG|$U>HAZ1U-Rwrkk6bHtF`d+f-$`X#S({m zbp3zx;@P5y-i}FoHheFvEM|t)3|!eVp9|QOmG;zoNj|Akt zHTR2bz zW3#AqaNEU$RUZoQpnEdhq|AEzyw2KR3Z^_xOc$f{tc8Q&v#Gozyt~Y_3ddtKA~%hc z+J|E^hrl}aR3UMMy(>{~l<29-@R{P?%FFC&eXoC$jKAk%*96(l)YMWkm*FYV8O>g>-HT5KZ&TbnUj@@yyNTu zFz8t?`qA7fX$n4kvAUY3|KQnh^gEXymP41e9NwbiG)~Vp_EIKFhs3*CaB{PO9i)A3 zye0KM?n6GQ*M?nk4P6@ASGix47M3wO1q(P>s?{Ya-jGIL?rL{J5(FERHZZ=Xli^km zKp|aHnc3RmMyUpFyAX7(l@yfjvG4Rj7qE z&M1_<=M(ks&98AjKeSMYZ1zxs2;a$%*b*7n7(|N+1 zHbV5}?KH9Zcxb=i;RZf$rW2vOdB=5KYp#sx)tMKXSnc*aW;xECV-M`((a)bv z*q>#dRL&GQ?Yc=#e-!vx4+dXEu~S9x%^6VOG*qCJ3wcYGK3lh#@Fx)`olN|NV65(7 zfIBixF%)=-e($|bN{PGii36UcTw=k%t2bdQ`HkhF2$?z6Me!}#2nkYl zX(4M!ySyzzVc}6Uxd<2Je+!MGHqzl@Tum!l6>6yRnn`qgNOEEQ7IrwNY}r-XO!*V< zVGo(?&CsO&BBra8jXOWq0HcG~MhC#LZk#TQDf1@98X1E1k29n=nBr7IPD+58dYY}# zwzsRUi6v;5*VU``RSV`;D6Lcz8BCJ8>YGxETJuOzRiExf`)Yeas+BT6NHe ze!Rzu$3fmdcK(x`0SC;qPC9Sw?2d!dEkYn4$GAb7hD{%T74)%-o}PhBdebEr7M3-e1|%#CqP7U&aRl38}T!^2P6o}=>(w6z`NH1tDYT>P@< zrGeHmg#MIW*5!yF-_yBOmvN~JL?B4I+P0%s|H}7ITI2Kqa?2)}TYr;6O1*!-jD(8MZ=av~x@Fy=95R|iZ;4a{zqLrPQ#aIX9a=C!s`aKG z!Iz=INKpinBsQ5XC#btn;0vU$S&#{IB`=jtz0q8dson`VQ0qIz^3qwdBUAnOz9N|LRtwq71wmIdB^ zszb+W*P7(CF&V~MCTv0o2J%-0KA$X_hEGohRNS!G-RjC5x^udhM0H65G-Cr)+-QgY 
zkoxEWtMwD2b%+het@V))EBBJVF-Sy>X1hD?HUqVl^5D{o5{$EX=*_X05_MnOl24aE z7|gC?q;HZTgYgoRN4w$%s;SVefsADahe@%2viehAGT01UU`r})y#XJh)Sq=^8bjlb z)2zb)VAsJdM!?I+Acg6;vcaD02;3$y2ZE4A9q`8-Zvs{`088vjQ-spKb2P)_WWjp!bf6&)7 z5B(X?L3S`4Che4YfYWH@>F?R!uSWS9MfU+;lsJqTKJynXYHw zy)!$VECjvDu6IYAmc~GLfxQ{+n=YV}yo{TSyBHLblyjeCcdpH)w-HgS2Y&{@k(1Ke_F& zufE9p;`7nGSvw@^hSUruu$nlkWp$F;;$n#u(mMpW7`GV(bEb0P(z!&NqGEdxWKO0- zF8ij(a8_9#Zn<*DbQ^VhB0@g+En_l4{>u06P@*TFBN(>Edvp%;F%>OwtCIvKK4Jbm zqsnHR?%=q*3re-iyBAVXuc<+@*=t_G%}Zu1QhiUB+NF|qfFY>Z!<++ z%L!LWBhvWu65K72ThKLwmRGhigM_EWOYE5~9G|u67<>zEnb4)X3mzc#QrX~Km8ElUb9dVQtqtkw zzPKM+kZ1y+QguI_9oP+=tz_weqx(BxHhL<-xj-?Xn8mcwH=2_gK=97+N>n=xtPzQ- zRjFfPGnZA)?zpw_o4#C^4!2Y!5Czkz{pKXYxYv#GQM+hv%%K^>&i0A8ZQ+bVhgp+yL4l@W796 z|4H6sVAkD^2L;WSa#;1h3yJTR8l+c@@B?MN8PYZDaSfg zT_Yq3Z{rBv{f*+Tte4NTQm+naMx2f`TDFxzX}Z{%&UwGTO+uNfB8p{sgv<{j0a~@_ zwS_#rJ@j*mft|7l$eOgQyz+i`3w&TX%%7isUA#8*Y7JcSnWFxjGEKdw2Vx_Cs z8ObbErR%qbw^{ z6hD1@`}5k>mln#UuJY!ZRpM~-wgNm^y(I5(uwGM4VDw^8q)wxxMmVGE208Tx0^x7x zH_aULDIaLHC<6)VrtyQfDpi%y$%cc3-e3ocRFbfEcu4x%Y40#qYvf4S`$6L+zwK9b z{o)NU<)lfmezgp2u;0j1J$zw<)GE5O(t|esdiy!G>6n}(H#KW4jv`lb3=>`@ZE_=+ zRV>_p{?OsNKhSLxYn)?}41o#l`vI19!EOLjXtW%T>FMrFUIZ|_RG2z$+2xUw*3_&e z(NF>5kOUWImh=h{MgUskLD`Dm%afv9aN*u8UiGg$_AaLWWysLiW#=oI07;ynef1Dw z8lRi#fG*tco?hR!U>)IikjX5nX$mVfrA?sWX|3uOB8m={0)7FPZFWu)+|+Vo`~JHN z(yzGWxYpSjy_nw`h36W% z&4uDey<*Z#`e)-YXkahtrRT80pfG4%x*oeFH+6JKjj^$ve|`HlPh}j|LcTqQ;^(3@ zvmKWx`9zJ>Z%q}iYQIXKi!GRXVY9j0^02mWy&&lXEi5SVN~Ks$a9~m}&}AEHz7^8x zSX08lz;R6d<@I7A56H^-420Yy%@BIoBJ>e4E;--LwrIJv8jYKv8aqtaKBG}iq~TS3oX69&4}mRefqo{G2T=ilbs-_=&TV_%Llp+ z_EnKuPu$x8wK^Nkov4kVMa?dcbb<5tw{K5pqGV2HVc1Dg2ho3WR3+QEz~|OStBJ6o zN7Uwiz)tKFRY?=jcrPF1(79fZ;9U)qV@2f8kB<-Lk77p)BR!%X40SBzeYMmy!&Eu6 zJRnB73$Pk$JKF#P@}+O=6iUB87&#X=mplH(*8U$2G3{Z0ZN5~_ka1*2a)SiVRabdE z6zj$m*J9E_+3m&b9@=$a3{$(QU{6Z8ET?pn`ig-4+>&CU!K#y%AKDH~fW{1YV_6B= zgn!Z)C1$dRaxc8};JkH*Az8?W12=Iq3Gct7*Uk+iIu^r?fFOvqLahqsPh4PSmcQ3Q 
zaYT-=_H^X8)G|40l$-3(Rf5)+{&HwcFA8l%Z2QHY?5lHV?hCUN1Vbn^t4|AQb^y*!&-7h)-5uNajtC=o$Xf ztrOP^Mj?K4r0tzP>5T6C_dn_o?tczx`s?qG`R`$lM!_Zb*qg3;PW9?cww>|*l8|65 zH{)&e7g%ZQM)7+iQqgc?wofbs)n$-0&_yb8DM<-DdjwgaxKb%$d4ypcYpgmat=(k* zChN%%ADv~};?8y6!4P9T@j!FZBT{TpHu>VDVsH8>5_jIE1vjDp=N#x`3#oQ~ul&@y z@gY6K&Q=9Y?C6-cuwP`JV`X7Vf^={HA-ro}tJ-0(wE(NH*F4f8QhVsxcx!KG7FD?T zlGG)+sD@w<=RGVj!&TiE)aPKqo72w{7FS<$0{#5|GlA3IL$-@?K)=#Zo|2OrJy`E! zTMg=LztsR}b_qoKLtgq4*`t=)G(|UT@k9`A-7lL>IR@h;?>jJG)X#O;6|^2iEoxn0 zG?hJ4i6PTNfu!9p)s%C{QbLW>aFt?9tAJ{$WJl*hXm~m%TCflBA%g~#ZmC{Nd~uo1 zB|?7lBzArPjY2_da%%EyX(DVH`e22zIgiAhxvc&V7Cw7we}R*G`7(oJ>esHXCmXWW z;MZ(?d=BSx$Cl7-kT%u8RB+1H0l&Q;YG}L-n7ozpl8v|aSEQ$tIh zd5YTLGMn9t6K$nI<3!Y9=S}&ZZOBx#?G(xtBUm_QjX2~0o*RG`@!`VjwDaCoT0d$ifWl#ZCBT|2M z6haP*0(~0wS?-w3pKNfvSsSUGteu~Z>ylXS>Wi1zWv+K;!#2akQy!DLIzu6NsL!jx zrx_+o5~d)g|D$59wmCOxsrV6<&(hwT4&lizxtgDhNrcg057qJ%BgLM!`HRh?kq}Ea z1Ht5%wCyG{ECX!W-w<(an6}gvs@LpKC9}Dqn2F5qC8ytAbEjo51y$`~`kE^0&1Ct^Bb!P>;NiVou z75asm5RW7*38++X_}Nhzy_(*Qkve3O|8XlkZ<}RBDp-Kgg_5UAy@Vwuc9qM_G+4^$ z{-gkGWU;fOln6iPQ*pRwC9;YHsx=ah7oozhh8d}yH;!#=LfA+@34;p;sh;;K+11G22r0 zZV|Mqv7Sf}wWxM_YX`Vlvwu&cgwWE?1^Z)_nz8_axmsSe`eL8D@8RZ_jsw8%CbSwn zOw`FI*%kW%nsFPA40s$Z+u9qGTRa9DxavzXf;ZhI$xDxchP8wONuEY8N{baQMoR9`N5)8zYjIIwZuovtSC zefn*RZ!MR*x1&}34IP5$~8~6F+FLHfszdFjG2i*HCKGsg68kI6U zHorNZv;zT%A6ha$+(~mb#Ns1mv!G-?N?A2VPFxhJcJ35yXYNvXEbNoM!AH;$mY$3p zy@RaOE~R#YdkHY|8V@<&ycs%Z{u0$~kx}Ket@SX<(B9}AAFE;ef{z-84?Wn7$w1Os z&JA6%+mI>L0fjx7m&tH-7d&D;7#&Kky^+SZEv5A9@Nd0;-KpeRVXgG{pL|4>!9lyg zYx=~D73d2$?I*RF^G#7s-4NZRucxGM*io>NGvraA_MKJH5VLS&v?nUwncuGVHCa>} zBGXzj!T252VQ6;j^a3^!U&|g@^njcE(_@oy-&AOgo-o8q?f=s+mGp*FJl}t9r&Em1 zmhXT5p^suAoDVp6vIh^6n6A4?{!A0YV|V>8a2eT8{9MgMwShpyJ}NB|{UNl0B1URY zjHLCpZ;pAdIWAQ`mp%}MDO5)p>xa&qZ6rBfU`Sye*Q!^NkjQvRG{Y$CbfN!M4StiR zQ2X#TZZ<+Oj0gvr%^Mdas>zKbEHm4aDZsCa7z>rd6TU|u3h_$s++rWxQs5;QpR(KY z>=s@h6f@1HPArNwX@6Dsf3v|3?!+xFyPHHxDpn@%?IKa#MS@d}?6Ct}jfBKjcg9ee zpT$bBJ-pQjR<1KQa~oa5<`M}j08itH@i7Z?L#3m*qabB(IQHOeozP?o)uZ_zY@=0c 
zro1NlcR&prxFYl5l75tym`vx1m~!4+qHcZvTFqLmVX%<*25e0|W`BRYSk^})*Eep` zSv)Go?Pa}s3zO<6kvs8QEsZasFftesQrQi&@_cvrryb?K9+>7L|1AB99!ppG`s^nC z80;Y>Q893^mOTRRD;@dP?9cb4)vH5V1 zU3#KC>aQcLRgAFNOKeT%U6J;muK`f|LnuGN7W;O9ttBII*m6iQ zaV%nr-hY0h3^KaF{`iCHTm6b&UzmP;`@npa6VJ-Sg#}fQ{vE!SsuvjZ4IG-`;r;>O}=Ym)v(UF zc2VE%gpEb%F%}MEfvxAX+ouaJN;8E$NTS;byV1t|;DAYeXOGb(9~qh@j}HFucN-{4 zKQDV;QK%8bqbn~uHk4?x(!>B%$i+4|j~))2^JtSW1J{l130)u0EZdeHO`=r0J=Z4N zO&;j(;m$Qu|N8v4xtF&LceAbSSx+|#;?$2X0QLyj-)*LI|j{z zj+`2fCA!}FB@1KG2?ARu%0jFCQ8%Kec=6!dsnlQzLoJ8V)K!>|#Ox+H#k~jI`<@1N z2;>dHW$kSC(BxOzc9zWx9&x9`{VzCPE*U0~l$ zex|0OHb5mC1iPGngWdJ~(7M*9Jfwf{Y+Fsr-T(~6EQ=AL&kPP2I6Mg^^Qkl=YW>tn z2O3yi(77_$(Vht0FY9~$s}s%a_#Vn>1KJR~6c+|K$41D>52&@~Jz|)o3av~-Q-btS z``^RWQL=*i5$6cn0HJ8PE$F+%&f1Q8W`OuJpRM-ff_D<HF_@a~2fS5}zr`+%q!)OQk~5$d%}|Lr5tIQbe}IWa1< z+r~~MB$r2t$&D*Q;?rcvU2hO>sj;t}(+atVNwdKQ`XYY>s{K@?3a&AB_#v&5QBj|e zy0UaS9&Tiy@^XVNC;j;y;9m+xgM!C+?6C>-0D~zMYx+=Q+vGyfmpr?|N{z?X1SYv- zkvUOD`c7Tn`YH)!%_mwrcb?+5SxO$0EM0bXT}M4aC6aH6c9S7mpJ%Sf@I``C#qVwwp`ZF{rxSEoa3Lsp)zQXBjD!BpfTo~k~ zo{;PMDDQ)vLHq0_qwQL$YM(|i#yr*uiN*_+rftm zc2wgpAeIeoV&%f>Bm;9iZ|<702z$jdj#8C}$)!wzsg@kXN`gp4DzZGGlZ}cTvRDjt zt3l65SU9OJfT@wGC)()4`Hy}N%#$Ve{YyfMd?sHDSvkDoQSuRFz2x7`3>UCq=^Z;h z*XsHcU0NyC9n%{-^w8C@Rgg!tnw`y12YHCbpYah;cBx5uiPA!u>!MvLs2a|9a_3e+ z+<=l+$7?UM$dOe4f*FQyEcG1v3I7c#JlN;q>vEE(PEzx3!d}CJ#XYH)19XR3GiKKX z_HRTDrdz0Q#9%{ki+p)4p0`4SF5)(~IYTR+EpF92-XfQ@qt4(op2b{Ot@xL>vX6$Y zYUlU>udT$+QWAPs1DwlINh~UWrY>^dU8~}LsWQn=lk^(zJ%4-Y(t@iTGed#!kC=uA zbVoO>>d#8BHRE8Yy=jL5HE-+>Ul?_j^(!%)TZx;rEqa)cC~=PiVJ$XAL|qr{DE?G+ zrBc)4^8E4no!tiTATaHrfIO*xW`qhBQW`jvmTaA4*8!vYjSfX^iVfg!X*+v5MS#*1 zAYtm8FW@k;Pz0aBy6WC=#d5jI#{Hm6C%JGZoTk2C$wm0<>GafmU{6NvH-EGZfVu&E zNLOFS^JRvvLsg3nQWjH1x@P};GHkatHQud0IIB{ehR9S3^O78mlDBR8+y(~W$Z#j^ znvnO2mSbnS&eC0xwGsw(HY)r!H_RlZDtD?k1X}j8N+B|Fe3-;j!!6l+<5Hxz-+0_g z9Y7Dw4Ossawt|g5HWU+$057RZyk&r|fA%l5?(|W5Hf};EZ`5TcAx&N6d|^1a%jA5Y z^qO26J^3?HCj?+m6X@XdH9L9Lkz%@b3tsm$nU@67d|)(GC|nN>k&!H@R=aj~U?K>? 
z#;#Ixu6@YJZ6rRv#iZV>HgaF!dI3ipDvkqtU$}xc8aJ=ICJD_a#?!?-r8nC7_FA%$ zlTPaG)~lKpZvaxTlj!a?_wGbU6co710ABa#hSIda$VHx$X_(ck)q?W(;U#^r9<-C4 zLS@^dx>jHNg|bO&aOd%fp<&nq!dg zL1y{GMmE=twE>tJ5f?vL1|0BnSQV)g#760pXaPWSVp*y7l>E`w-)(Wl!pTvF>+K}S zWBrM`(G<(2#7k%Oy5M--28(t*bZ5KrlB#AlPwsZMl7;up<~*g!rJ5z2$wyELFQz}a z`Pn9u4S!yP+dL8Wml$TBI3^fx>1%A;dAI1hE&rv}seg`R-quCB4KT}YZnVqaw#q?0 zgY8Y3rIpvK6{)VKYU9{IwcI%87VQa+bD0e~aYs;`aZ8l>9o%yA@a_|23CLr4JRT>- zD^xee*c!F7U4d#tbBN*XF)VN>&=%a20p=ug$85QKa!J_X-lg)&wJWZ)HbP^>NLx-V zAnq&lkhKT@vOQ^>nt}Wwv_Kx)%~D-9X$DV_|SYCMa>Gm@kMedT%JlN{%&lgzG`A&`Yc_KL0T}*B;W7Uh8Ft zHtqGu_FC+4jj3t$#)MMBnnc1|8egq%?-6`Z%DTkXw6_#RRI2nAmG0_qf8Xd(9%vfV zU8kyEccjCS7RR%jW1y>dWMxZMX;K*<1{^%gaXl8WCx-hF*DoIqy=gG{WPg+9eYGb? ze>D|7%%*B?<;_AJ?9wcNU6?K>0~^eM2#2eIYKLpkx9FZb#64FRB*3Tz7CzpO2dE1~ z)h0PSWtY#aa&zpL4tGuOSS22wLOk%QW?aYrU_285rssB_@wrk*kPSh6B*cb-A*IVF69aFt#6JKtx z0GDaaX)$Zmi}OkDijOa;8(?)9_0~k12?(S$?~JUI?nbszPW`G)3`o|nB) z??S_oLX!93)q2uV9^N{pmN_Qgnsk`Bu4I+kRcC{wD9H0`#ZyysOx3^U;o8NZ8gCSn2m%XVk*IcY1J||HF1`EQcX9xwsD(UKBcaT!x?e88;(U zW|oTT$xSronoOH{=wOHe<^cM{q@f!LE$ksrY{pDkPQUu#r-0w0mzcX-*b+-ZKdsZU z2{(+Q*>dKD$^y;b%WU%8RQt&u#QAl9xi5u7mac8zmWkvlLJOOHCYZEJQT1Rst)D=j zrI8!&ChwjnqUYsE=mae=!qacQ9F$ICZ#KI%A7a}28*@Dhl#|ha_2cEtZ*6i@lR08> z(Rzt>Hr(AwPw=r7N^u-u_8S`6NJG4?(D|ba)KrIiwq#M5`{cULTWNgRLB#Uq%hZpx z`q=6Ihb4_F0e<8Yt=P6tOJG_v*byk+vYr(W+oNN)L0T~>6o=;9rE>S*@DV_uv=2MY z#b$Fx$+6E3g|8|nGWyQRfm7FuaP44WzeskGaJZ>nGvc|Req?aQW5B(zDkUFhPZLoRGaz(Xo zDGfbs+}0=!NMTe<3G$scXiA^@`ABv;00zWt5Y|lgMVF+gj7eZ@dgyB3(hZjl4zL5o zbat?8Gw{&llkgY7B+};j2D(yd{Qqj}^&!3lpN~`IhwFxhoV=}vCH!P zCFrbL_mQ!EGA>c!0Lf*E&mLVEB_PvDb63aF_{c6=1GrzeHcv-Ihd*>=Pgh zOx-J(+3bJ?O%xB-`O244{TZC8{`m)892al0yurTG>19uuoO3Ka*QJ9lf~3K?CQfja zf9d2M^VRNPaQH)q%b&Lv(75Zw|hN5Vca5l~l} zqd|Gwxm4up?zAI|W@`!>Oe7e9VX36Zl+qfhly}4vHkFn~-IUib{h-R{uZEz?GZ+4p zPSKwX<-6Ec!|Kpuk7*%V*FJAFyZroE2fcVX6u?SdJI`*W1oLsUF0)PQt%;?$CeM9x z40|VuRr&<&RsHz!LkIgx3y_)x26;Ox)GrMRbJf+z#}4uu`Qg%umuiV_!>!|e653tfBw13|4@t+tFhbAVaDgGxNDK^ri5nkE 
zGz8(@*+)lHw~yw*^}mbp5M^T@+6GC=7kIQ`T2B_=z+`!IRRucMU4k%%ymWesn4O2Z z0yoPtD+Xq2dX@5n5&ymq&0EXr z8|K&SV6{L&O!gHyW$(GQxUUuoH;H*Sni%e|vr(r=!QJEVNtQREkKWr8Zh%=Y-Aqju zT6_t%FZ7~rHcNP6zvvM?*7kHCRV39;`M^=>u66*m8Y7oomwYOz+W!c(0Ru%EHg#xh z&D-pl^bB>A!t=ONdT<$~t!BbX3oD=8kmMFo;&r3#+^9HEl-9E(!(J2C=N2Rj@-x5U zU|XGV_(riZ!9opcvXnBT8WZGx&Lff5Pov0THZ{|J^-x*4ON@hGE zufLJoM=fhM4qdc&D(Y;Djk*U_o2iUEPOMVL+Nf+sVfYZ_J8-f6mh{$#JqmduIK|8fo0L*YHX^s;pw8qVdU z{`&dnH~A0AYjXb>Zs64lGVOm{>t$lf6t&rpLA*n2TQ=!oP30vLBsdy|=CY-DgUluw z6IVlHpdIF9S^4*U7>Mnj>A}y*{VcVb=a|q@+UC*JUM{R|l;h=~*f2N1wvLN%AqKa` z6Z}{cQ=IGCLXxgNByryY&MLoas~jP?U7GnDJ)>skkTSPU|M)ZN1CcGhQ*Phx*4RdM0#=ev8|m>9IJIo6GqdQML3e1>-1 z4YFpQrBEQqFxQ_U9pw$1%=y?kjXHe{%OuNWIFiXL8QH|J*uCs@1kjymQ$d&1z*Cbd zV$8P1rB`b(>B44_9GZ(1(~R?II_Lna)pFYn{oc2XO=f{s-?7w=QDj`WJCGN-9NGeH zP);y<ic&bdC40CX6GG-HCz}3{ z)Gx_)>?fLoR|ljEDZJ&(_0r3eKqJSSiw~q49%f(JEgmBk!;)(|%_X~4Um!^j;oaDl zEm{yrrl;C0uuFVpswyqdJhTA8yTIKXTkC7m4h3v|u&yLKEGXo=6ItNS>}M{T*qYhG zVdPsxp}BW_fm)MWL!Dwz`6$gs1#U!F9B1v@?G3pO2jdf-h23h(^~3@CeywUX zVWL;%Skl9ZjUuf2AQk!BNL63BEsJ%ZpMOx2?2q4sDE&kaCM_Ie8{*wulNJGgReM6! 
z8*|>;$V6?7`_)`}Djt&TJ^Ffr-^>rgMALFC6x|9ldi4c2iI4Xdl@$QyOv|=2-Ug|$ zDadAm{%)Wcy0{e=&QiQ;-?u;5z}$u`4GJr!D>z3Z+xHyfSA8+}GF8%jq~1Qk#wU6yh7wxg1B)7& z07=t6JZ#YUVS|0X2S_@54rO!a>F`LZ?9tbz1*;Qr8n%Aco=S>q9;xdjgsotWvh(_T z-IM(_oZsp7$B&P1Y$UO5euvy0ivDtm2|9iI#f6K6u}fX9U}OFl^Yo9;?-vSl{b)qS z9}l}-k+Rk5>rQp9R!56B`Ouq7Qm@NBlkd%jygplKB9lxI-gduGqNF$nDLCa+&{nUP zq_9QfSnOye`6)g|;o1`tM zaZ4&?Ngpsc2K7uemy=#xI1WpbDaHNe(6;5tLvr z-*?X!duF}}X?s_=HqweZaEQ(5>)4EGOZ&q(aHJy~1h^#<(!k1)o4@W_D;yL)pss7T)5B5yLYIKG32{7Qixb4nPFka(;G~-UDu5Gd`xt;Ev4>mbD z#rJ5ZqdOxj+zQAt3yy09HIp%*_GY0)II)uFO;3f7IxC61B(C>2oBRsKm&VUkhrDQH z?(r7PwNrWEe4n+-*)AsnxW5fefIOkNrpFu$jn`{@IkfHS%z24RBqRL?=pYFs6syB* zf_=Iv#Y*MTz}b{WO}*3MC7p)r5wmo7ha5`tCMpoDW?J*ZjZ~~jBHw#)rh|uiWV*nK zrhS5D&K*!Rj6S#t;$nCGtV8t^n`jk$_6rhq=|oBGQJ>BnFb9TM>JKQZYTFACd7C{G zdOuXqXT!Ikn<-|3CMO$aY->Hyg4s+PXa2wDzHZA^9O?3Yo}$-x51qF2w_at|TnG@L zG)SZ*Y?HI*-6uj|n^Tnpa+b90)m`0Hbu!aCL5klUJLG;jFwRtl-4(LCTiS~?Sqj%t z^r@lv)>3pluNnDCIM%csm(-9%3e=r|=tht;w_{ebLT?AtCB-Kr=l&tY#weW}u4Z~a z^=t?#=>Y;wa3ao%Ehphe$lGbk?~zi`ZIIXYy?o0vp<8%(HEZdPB|7m=7)6FJ*j8JS zL@bmlNK?FddU^sgD;Ld@&H70lZm}3UNb&oPpiVV}AvCuQuNbb9F;v(DDHuf7 zg6?OI?*$WT>ZG7X$EKh}``v&gJ@zhpXAsF(gM+Vdrs&eiQFICp<N>2p{|QP^_Gk_DN)x#9G26+78r zD4Ri&8)I0351f2nWp6pMd6q?9U$&<1_dOAkH9Z`)ijp91yB(@xNurvPW3sA=)(`lE zu5MUQ?|m#dYv8bvnx1`bGD@WW>gD8OKjpfpGNIcPM|H%O2brVb>;k!AC^A-|P6M%?u!E;} zBHKxFo7by*LlWcGqtaTjyyXyo_EfrMMN<%(2w9IJgM@n3$J>r9o%gt6oD@gfyZvrU zL*$v2Jq9(49@Vt<(}uXFyl{;ks&!pL3X5f-tm%2D1xYTqkkVx2YQ&n!&psmqEfgAU zMNSrDB^ZvewYf~6FJ5*X<$E*LX8k8*JImgwq$w?KD~01LF4sN`u01e<`ARJj1Tf9kF+9f4#xrvrXXs3kTN>^L)z3m zgDiMO9Smt9n7L3-#L?(a%VenI@#w<7dg(FMc{va<14f>MS(YTs9J!WTviyuZoE8q^ zxax#RkvNCglS;=gqq&4Eeq(SH23|PvNyDg_v26a!{!`Fz=ToV+A;Ux0lU_{GvRo_& zo-Ny3mhEc=caKtLhC?J*HuYu--rz`^|YmQO*EZm^#|R@Drucc7S+c)pu)Rq;9@DV_+$?&Lzn!Mw_W3A&=#Yj zqBrnAlz;W%a+*C{LCnAxWAY=n2TDd&*|A5LVc(|WgijF~1)5y|NkF#0WU{;iZsKjR zJm;ir-jQcLnYL=~q$g`)v1i4t6Wm{!!I~wwOFqoNuSKp~CU^Tnnh|o@y_8H^>NK|AbDazebNKZ&IHMhuX0B5+e 
z%CRUNN0SVtE7Xt@yy6WZd^cQUk+t}M2oOG1#c*f29X=>NOT*f%VAw|{?RkzQs)01E zBfYBE6_qQx4pgT)T#+V}96cA=lZIG$`05qC#YNh>D2Y|4;**SHa5lyjO&6zHI!I+YD98x2UX|~@}ChD?Eb5YgK1)9Wukm36~W8_FvCcgTL@0QCAOtTDUtjKgl z8l}rdQGGcDuk}EwU7${TFPZ{9C0T1zt&`fL3;pmFeapd`6r{cyZg8JQNXD6q`4@wfaSv9*jsuxLyzajE8^QK~ho?%>hz`ermd_*vstL=9%|`-n z@L4x^F@D5$@{z4@-QnrkdMyAzNhb_Bc*cm`pN8oQON2!DBOzSml!dAbNWe(T&Y^w4*bJg?MY|Jltr>4Bo(ae) z70YWh@XJg5wuL&%m92TWfVES0nI`n9$SU3mSB}xG%=*X@jFZTjH+EpowQZ`LFgenZ=)whA;v{SOBL;`my$|fA#~O(!GwwQrY>nCeHN>i z+qS(eu$*a#LCG&_;9Ig4V#j8W z>lzNkdwPG_Y~QISo5*?2$bChkB^63A_FZ#OuD(6)-Ism=@R z20QJ+ZjlC5;`&BXBv#u-3f>{Q-2iWC5V6sbmy zJLwuEl&(CdRfe}P0dR7MQR+jC8NnI z3e|uY|I|?>kjA@w7vB%>+v>FYFz@eQ`~9IML-ns7A{2tt*>^}XL+Na?WjN}VQ9WlA zg;_kBaP-_>AWlTQO%G8hy

~zaiI;e0HicJ(x+pSaD`U>E{0ywNNl$)m08o!D#Wf z&o!@UIao(!oCy1iO9HTZBTm$Bb#!vtWPfBhu(cr#+yqvvHM9x|2~n|}{1>jlySSqP zQd&R?p@5|K40YCGoU>ffY8tn)jT{@s>D;Dl=>1UbfD>sreCw)BWO1ZvhJsT)BEw2< z;cF~+M~p6hDog&Xz0IhY9}=LFQT@_=FCkzT)D;$^j6lxyxU3H;^`zDX1S}AsUX~{; z8Tc@<#Pd*7ECVsn2ptLgES;K|Ww(8`TTIOzDR^Nw?GU zmhuKdJ3B?zGDSH_oOCGuPhPd-+E(0J*_D+Bxb-17q=<~NojZVwbfAuj0)KmYK1o8} zha|1V8e|Tcp=q)5K}9o-pyeH~s-DAPr3bzHhPibIOP3RV;gfq!OIVo!OF(b$=6hU~ zO4MhV7OWsgshP}KD@fU)x+rr)a?+T4IXS7>YZ{yqT8i7iI&^%XZpinRyoE}#1R`?F zS0vOvdBLp00mfRR=EbrQb-{U8U|x>0OPbNL?7~WvyIM3|4P-V$i!&FatyttEwqle2pOq5QU+& ziuO_+8(vhrCWXC}UvIB~UzTIxKJcFEhd14b6ml~Qw zHx}9H4NPMp%w&{s3^WKk)vdVQv-5FOYf)}WrLU6l#M?Kfb1@ZRR6 zW3k`{M_C*q+*sKtGY-R`u5?Ze7FG=-8KB7Fs~xw_lJ@28?adx2Vk`VMTrQUr_gLdI z4JGo2%5Kc5u#<~nd&5W?T#NqL2wXu)@KLcJNDdSL(#7h3-PYv6LxQe$`&bB_Kh=Sa zAk&)`o<>e3>X48*VLn<8uV!kmWR>-lq7U4ZLfCdizYqS)e)JdnIu-MT3W+;9}_F}s|D_XMmSPR>cnoT*}5DcFP&T9tAI3Gu$77I*f zPitiI1OhOIB=p6i*{Ar#reV5Yl%9!~v7^*>&qReg&pPT?<{7yjp^}i> zEKf63;9Od6R^)75kzGNI;^ZC)_li2vZr4~QmLql3oyR~@wz!BXhfs&yy@%3=nL_3^ z^^mjv{hhqGnC?5OB|&u7!?vL-0&qPJ9GewQL#1Be1sbt^UKX-M!Lb_h3DS8Ir(qmG zC|z-eN=EC>4L(qjedFq^q_!vcK3;H2ni_wEX2;KNxm0Uwo*$_8jibyvIevm$y(>O@ zUMX^-m=YE)28nHUa!R%8onRu)ia3rgS@LCd&v2ZH0(2CTa`*$2EouxeI#FD=YME%r zWLJXig=DBB&!y%aqY|rJI zFnlI#*_TvB2YKRTMfreDBx3C4vuYLFQKlOC(|S2zwBN)JC$b(?LgOt2@r3Y8XO{VZ zIY%Y@rM)LPs@XzpltGM1R%R870g|bvz&WJ`7fCi$2&8RRF1M0!dY%;|Wu&8b^|mb6 z%8e~k{aBV|39UZ$)%FdoL-bV)6}hT~?GK|4IiX`MGS(2waCzHuikmIj=Yh($T&(F> zhVZ*AUQ*VyYmpNZ5b7`Q1!;Jej1N6ok;-xT;mSgH93bR`wk{5r;TB{@k|ri*%;L>z z6_=EXkrQVA>cz^<0HZ$~dDE2Sph~IPfzyR?b+if`AzAjqT8nhfo$NWNgQ7{#Szn(u z%a_%yTAIB|5~a{{bSTzBU?`7t)d9Rc#`J{DX4^|ztG6ScrWrHzaGB-AGy zm91Qza_M)eH`VgtH#I|5K=CR16D<(TF3Y+LTy;V(zANO~ z+PhLhWU*MT>Ra(iJxBM8+BFDUl7o-jB zWkFq|Pox^>$|=P!5+nNM0n8E%Blt}Ce8_x|LbRe8MH3k+%zCs`1&5#so8qKukrr7` z^2Lm34U(8wghk=DV{k1iau~HPN=Ay-9#p|fMGZF;^>$0maA7j8j5VAJ4|<6n%LqHD z64C-u;<_mod~g0VOcly zx}YvmCr%k@N#G$O;FT3a?7Sav(GB#198gd_cDfq1L>wIt#Bw430Ff^v)QlRIt*q+V zJmC(h6076%&_T<-X%~R&UdeW!NYHhiL 
z^Rq06;#4k|m)+N_)vQih6ls>EnhaO^n~zM!d?iPM^zrk>{d3* zK@uF>3iZStyM`==;>y8&yY6GU0aSez%tsxAC`rzAWDSbMni|p$a;Ol}Pp-iS6Eq{#O&WEgTlGnv zT-J(a0OL~(Ey-}fRZi2oE~@yb6~0g;d@et{?_qe|5k41#Z)a9kP1nFO>VOVv)YqVn zd8w4m;AtU0ln9GY9TL0gfsX>BL3oa2442msVPYqevi0BaCKe^i;WZh!P|Hfh%=VBY zEr!6IqJvS~UWZ}!qU+ngxGap0RT_1KQ@|T>B7Fj6n_R8YYVa0ieL+6iflI;Lh7nco zQEtu{I>E&pgftAT!p)ZyVL7j+y$!@|LUV6>RJS2*8s<(&^En43i_Z~4cDDd}9NZ=X z{E385C|M#Y-YTLj(&8SRL4D$=&@#~xemO{MdrNImaV23@^0pK73ek*_G9bLdeWrHV z(c_v3YC^5iHf;UXj_8)1X6(h{%~mup`TaY{b~EOg+{jqnjCm^@b+T z8(jNBR*k?QAW4VXh4gk#MV31fh7_g8_NkLjUtZTP3?;l{8KtiQb_h8phK^;i!eq&& zj1ryLlLHu>SsYjAUE4E0X%pqjqGOwM0 zB2iy*bn7Hn($&Z44O1wpA}v1%ZF{z|noS;-)wkQmWJQW%c1s_GxoM?PvCR#!5s~M7 z3GN%|zOj49N1}DwE^QBN*~!*qs?JH>x;;{$sZLahk=)Xa+kEWl#ZRr!&sC!`G6Km^ zzmu9A0f!>=GV1}d>lF(%^n2D(j-rBxa3B{!and^B`eb3qcB~sUE)?#vUF7hWeAHGV zaLDC6_sDsHCXn`toq{VgI1b_1317ZHtP%A%TDQDvsMm*qHQ?*navKbX^GVe=%$l+7 zv>57*ZGds}#bTvv%*1rxe5csmTRLrEiY(nc#l;Vdic4~4>OC#LTZy*iE|wx%hYg0e zi+bA1&BHQMJqX#jh8})A58z@+k_g8#u2%++S%=j1QVYipBF2kru@|W8ODIk{jkGgi zo?sIrNg(YO3AMPSVJ%=aY(=NS@Kb^XG%oEP3;ByjXYU$d)-Fe6xSE(ZlzPx^lnAEM zLnp_uocl?20Aprq2oe@O7G{rdq39wm=1++^LMpbbdcov39Z|KS5aX8HWqlkqZqy~p zQY^0ZyK36ZoB1jk$x<@ z5dwqXqN>!g;#H<Lo(FsLkrsBFlB((&}XRrbQ(M?N}O|*~ZCimNrX1S(eS&$}eleU}Xtn zje-@sd%31__?h^|fL zRy`C%o771@t*o2eJUwkNOpsKwZX4J(O|saXwK0{DVf!HdWTTra(J$P==vGc77nQgTv7yAilI zaq-vM2uS(~hTk{WVr_nn37tuT+SG9A_6loqlrBTcW6cVx=9p`dlXa6^q1jY!(Y z9Hrf*V9ly<(142AWC?Sx!Q@fC&a~$VkYy`^>;TEZSd)XYkja;V)VG*u<92b48&gvB zbx)F&sJ73fC%1f0R57@66Wu*3w=Ln(4gUte-|sQ~*ioUGkS(dkV)~X87!!<h>cG7HVHW2*Ux@fCGCP7anCuYf#U1PjpuyWu}Mxc&k#>>{tvTr;R&{-KN>1(rQr}tY+4#mR?I` zIm>ICQ+MQ>+ftm8iB!1k?*CT7-W69zB+f8>M+k`w+Aenmnx}oAbD>ir!poy553`T%o;{z04t29(fp}_V04Hn`Id(U78=vY99ub?hmM# z&z5ejL{UewSz0sAsF=KA$XkYxk65Sn{PbKvJeL!DvgsXqczc}uAT<#I?mgog#TC+Q zu{AQlk-$NM#mnm6;i5Trxj&Xfm7_>7GC?RHH5J4Hak$mU3Ry1pV$}odD^%xQv|PHH z-eMLYP)Bryk7a7CkdewfJZZaK;*mGyIaa6HqO=0p2CoeA^^0{&ME>A7A$8*DQVX;QE$?(A3aT z6X&>AWA$f@Uqt?#aX5bbN!UpsML)G$39N@yb}cz$bd7%qWUF5UFW)VXUfFKwm^8#0 
zVEUVzno46B90Ypqu@#iabS3`i1G^HWy9(F0kI$Ah0j+EdznY2 z@4x<2Y+glm{Ca&pz3|N@z5dvLSS0u%|M=#u+->(Q`=|%?QBvQWl{k!56oRMVG1R`F zhJW#A=sJHY&ByMe>jv^?C|$6$!OzFNQwqVqydC=D?QN)r_c!W$$5z7PL)h)Qvducy z*X^NL|2hAB4oC5HI6_uo<;Ms0{Y9Bh-#FrD??Uu1#g~1;!?XN-6<7ZR-M^Gy{r>Ci zOV=dmks6PaMMdwX4ie2BuRL))%4Ex5UoxJWT?!c^B;{-jyYM64_NsmEj?av}W$Pbt zexpOP`R>fe8-Hm}><5>dVhV(KdGPftH;{nq9oBY zf1Ji$|I~`FT)Z&qTUGYSb94)sz^`U>= zJ?-ny?HBn&a26clPIZkownCzmmb^IH+e&$2%5zsr43o`P}F6JC|`Z!ld@pCgGIqI%u@ z^`F|>?yvv;mozW`?ZiykZ>+Q+U-)mP7Yi{h6Y{VBuqSu{NnSv%Clj|6^`9}H=vYx8 zUGcB~Y~It?=kzIkdHLJdfXDyqKmYSTfBUy?mBD}>0QDCC`j70JW(f$}AW016{eJ8O z&p?1Ndw)*1>GK^iz=PQC-qT$S5T}IqlhIoN@${Z<0L2FWcNYUkZxSRn_u-R_z@%gVW=?9#IP5S;G z{^Ji||9j0xS*4$97Be8*rBfK5? z4In%^ui$H59|Fzg^t?UL<9UHQ9{%xExmuuC{d}8t;jN4x1n|1st+V|R0)f4dg-T3s zYT=l#|7?={d^%pkKaHE9jOPNbO?b0%6Al*_U}W?jK3Lq_&*4V}l%L%33p|ls_*>Ex zJY)LDF`u8W$xHb7q~Rxa^)}?|m`5j@m+;Q`1}Jzk-r(-0yYQCuMi_8Fcj+#|(?A7> zfA))i$SGswFzcUwK9)}yI)}fXjX;{8M_`E7dmH}an-{NIZR`fq{RerLPFHuZ&n#Ur`_s~H2$ zRQ+nXM(N^?{n&{7vFh<0{vCDVT>W?M%p*&}ye+&l1sqwH|44uSAraX`2=x3AxQgHl z#5L*rJs-kY=Kvsg!mxb;Gx`jV;q4`cH}L~8l_TL|-0fXl;>$Re%lkySO8HCp@Xq^1 zjP)EilAG``)~(m#If`)*ZIS&*O#6p@+C-^O1BBL8Y0oz)OI_!(#_6bk&i((K623*b zA~z#CSBt~vLBBzB_9t=N$pwx-80Y5SqTJ&%n#vc?m^Nsb#0XQ+|J{2|uN~2&dB@$duT_BiTg=#kx_qr}}xr>Q7bJ2qAz~ z-{(>rZYuREa)iI2y{%Iw^fdGJ_p!2{8s!lx;|E{z!ueS2qNGcQq~tgCLZ3dOSn=cH zSoS|LM5({}0hnyX_9J}`?@qlS%&YP*!Ouf>8?)!x)uW$+zm1Gp+wh+k{rp%F51v40 z++tS%$51tE&Nrmsf1gyJznKmA^W9szdr6;zd$bYH(RdZ9F_(qxTvtlqbg@l|p{9kl|xpk56}RA1*=o_E|pp z?t~R)FgRr37hXMor0?OMMB1{hTw{P-iGJa8^PFY8X`I@(R;o>FHvBZ<{6qaH{KdQ- z%bY?M++OD3#4Kx)`X_aQe^T1F7=j1KP{?F&mEkNs$O@O5{WNa;b4C)L%zZnWYgaxz zEdU83=uxqrQi{g9RRI4O=KitFw+&AjK{REaBvo zo2L~2zfw~3#w5j0Is-o!$|Kw$u5J3o(p;VzHL%96OeoCAyWv}devOo|;IR#VW^1ja zvYP#Aaiaae^2${M@aLDVDFXm_QH)v$T+qhpry4t(&-JPEht&9Th zTrjzN3@{fGQusp1uh5Kq$_N>ctE6_~^z75_z$X%(ghNca{@Cn*5H5Uu$QQ)fCxfYv za85ljjPK$p{Je}Wf=dk-PGxu>bMtxF#IW)=zKgp(hI8<-jS{xrejwh$yZxJ=M0moD zF9zr6KgND&gu=+}uVeH62)1%_-|O)biO73{m2hSK*YMfFjR;}{pSPOp=X*W{Z2BRW 
z_yKOk{T{;w!t320!}U1a%}QSVMfe`q?I$uqqH(*k2;U38)j+-9?N!WOcXZ5n4>Q8Oo2B2-M_Xyo>D}L%GRBglAmdemNu5o^LnT?+*|` zZ13kguQww+E94h%WBYX9%y-PR!gD@v2XRO5Ihlz2naWu?CcG}iFHYs_-LA&Pci!Jb zV2$v8k<9FN-p_5!qucx0h;f<*@5TeTu1$Di_^;f?-K^#OOx*8T%&HOhvsKqp!2Qg` z*0-*MjAkgx{}p z{6~-N0dD6*)B-l)Z`mJe}3?`SN~hU$Ke_*wdSKO6B!N8z5-jL}j(L`&i0Zc+Y> zH+8=X)gR53yE;&JLGSlA<_{vmD8lW|>z=iM>0I77=Nc{c{YuDxG*|9fIi0S?0~qZ4 zLwLShBYfWXd;oUF_Kw}QOY`;KzVqWHf@s$56w?Q&3*D0+GLfDif%SYpuX**{;gu+V zm4H7)4gG$8bN(zo9wGgWFdKe*`g`~C)W_Yt*40*qm$&&v+w%mEY4$TvDG$sFmHX z*YyVh`0f)`j}S;~9{|K1v#*)|j3AtK`v}h?%zbX|SH+#@J@=eG9gEqIz)jdhkgB}7 zPIOmt!qkj@1Uq%VR`8tC_6UsAy9e0!Jd; zenpYFv-Kmkf85;Kc^9a2RIUUEMs3M)bCfPo2ytp zfUe2?^1f@q@&U~C0|<)Vv5Y>mQ}>H2|0tT?UjQn`7K>jL$sT~kbZ0@)(Q`dS0vuy4 z!_C(60bKYUC+ud)#vKRLXSLh=5(7rzz`GYL?>N|YnIU=v0})}J&F$2>`^y#FF`T;k z&igGc_#={e1n2n(Y|G6<%pyNV;`acgo##g&N8Fvqg=XUZncwDqsm46GeSoCvAxL%G zJJw~UXy$(6Y%?o$zfCW5HLm*?hwkXP{up_Dh|KSP<7LgJXL+?v!8kwqrn58&1ALWGtLXcpI)PM zcvP>o;Cl5uyg0^A_>QB`=T8P|6N5PA_4(I*!V%~QU7Z-qDgh@!bxiM-=Ze-%1iikl z_QG)PX`m)qcr&fp_rR-_t<#fl#})#< zgjHOw-(XkR#8zz#KL-WBDG^+p_-@ zrD#?z%x0JFwpj9r^n7jtbIE$2Khp5i5di3@>a=EJ-wTs#3hOzPC%IFoHs&iJsiqELhA6# z6W}Ww!P1Vat^scdXvo6woSl-r8 z-r3*gIXs4wO_d`BIxmY;}}UzQKErTRNzf`Et+PvPV|n=tKb&n1_V=ABzzeWtOPe{ z#|9-i*IwCfl$Gk2I=pB*_^!V7YKdRT6X7+ye~0MoK=>S?)Lc}xy`i}J9!G`b zA3%JlXyKVGrQwN)729B%>eI`; z`qc;ytzzO69>W@e=}c4(FXUFSrU8$>%9wXnDY%EI;0q3-@#p-7p8`bo7|(01ng)B5 z>)o#@1&F~KzZuKUrRuu~@?AGWIhQxX8>@=rL_yaK-YGM@pLigA=54kyRFf-lNRSgG z+iEQ3c#OGhV~i+P4Ks$Dx3@P>+GPa2{i;zJYlJL%W3^x_CgfUE3U5D@sYTbVGyBJ( zqwp8iJl*KYaEWgCGvN>8?A7lIVrDJEhx?TkGI0%aDfWE4tez7O;dSpF7*_=L1amF6 zMeuM4rf2q7fOatg!CwM$<>Bzcoxg_TX8OV(Q%R zFH>h@<;!oZ^-iCEwxRFvsD~f)0LnZ-8+P3&R(Cu;#^6XHxBY zNUsK#DPqTz=>|AxqO(DB;rdW~>geuL=T z3yq+vC)z5_8>aJG9QgXM@N1Nn^CO5(t%)mKX6YlaNQ9JJC#BM8>?@6PbeEY+FH0L< ze^N-pS&{OB=n!984v-t(yRG!5)Y&^z0=&0BZ_CoQj1!?C)a10>BZ zg#NW&wey2dA2H&BPnD(ZAlX59O$1{vGWe7EG-=nH+Ji5Tuez zKRP@$@Y8;_U@|<2>f=U=;0DYOz%(DXOW%T9@tXi_V*u#EVyS)Z%~`z`p~APuKaa|9 
zwC2p!2tQT&dF&cCtX;}WML+zs5dbjy;9CfcAl9?rWGN>1tWQSPx94P0_`27PNan2F z@cIpVCce46jBe5@HP^|K@Hci3$y?*e&x|o@wJ!>htP&?K!|36uW_uxvh9}e9Xj1S7 z!f-t#W2oUN%Q6Ol5uVNhxLYO%&$G7Smy7QEgP-))Q-s*KVTD-{qMLO%g1;F^*cgPL z(!dq=$oCz&`6YP7aRZ9Ws|c^|apSXib|G;1o80h<U4en;(fgE$KGAl!Jq!EK9n5l@v{C zAV{$Z%X7@A);KBS)LwXH{YJ6EHBDbr-X}-+n`8^mE8%U%3(u$pjDPT``S;cwP0IIjJ)2rC-f6idE-E_xe& zG_CcS#JV(_!%s1{EZ?`Pmlpm>NYjI#UM;B3IDg?8+AS}{x#$iTWh(J{j3$p!Z1^JY z2qEmi}bK-;bWX4qnK+WG9P(*C#4hK$F$rElfsiYc~m?{1?cc( zE&!oLZc?o>A#0^p!jB7;Ieh)QEsL5r-s*Le%Zaf3^=2Sw+BY$nUbi8+W<22|=`#{Y z1gGI!4;lS)tMviUTx>~r4%h@{@^apXW}^9ouOqas^rt=8?-TDk{5+RG1V_9IU(#uX z?X4QrsjKum1F?Qg$5%ktrwZ$a?QN{?|7 z-U{q;q9bHB{{q(4JBOzpwS5DjB$Gv^PU%@3qilMlm~hCP{agXO%?Ro8zk@c*!dh?lu07%NNsZlTe%^^^4~;+l?7K-uW%2nQ~ru-qEig)TJ>HUj1f{$rsOTh$MVm zq{EK;ttsDxZ=V9X`U!`DQV#4DBL z4QCoMpX9LJCV82j|9SiyxM_wjBfJ(v!#mrK%e*j2ncdW~#nJZgSWIvFmU}Gc`(v+V z_zYxFwX(c14KoK`G5^I1;onaO_q*T~XNF$>eyOSjw=rE>v}}8JN1gkWw9( z6|N4x3d~*PhXOX6L<{emI=sgo_U-&|g4;HK03*r#UH~p>c=$eBm;G&O+pk0V7Q?vZ zEjz6~2RA7keuGHIJC3?Go~Av5T(cK~>wOF#adZ%`@*c;7sbF=sBqO|zjt_)${1<)~ zVaLHjwyg8pu7%x!kMJ)6@&<_wnsiSvJ+AfL@DD*1NvDLzs`=3-#yAD|@kyOdl-7<_ z-i5C4@$dL7Zh_*&Kf>!7jSf7i6zUawxA;e`;y75+{8UJOvfh+5Fd7lYNp1r(b78^j zYPTVom5qY~(Zwds3z*VJ(Ke%I4HT^hY=h3U#MbOgg0EpnnTdNYYYH0Y8Zd?(y zK9F?X9}>Rz=_bbum77!vo5DY-(!&H_A4+%*{fJ2S9lV)O)oXY|21g5+9#Sc4owA&s z%bY1BJRG(wzac!f9^z?j&9vOA5fEJ)4l#bAvXxtRR`d*iz9&pKp_#9|3J>Xvm8>j$ zcVCAe*U>2AbzRW1wywt|U*Q>Af1>b`%?`gL&l|*ry&JrA;tk=d*c|~wu5=+}nT;^2>9I0ngj}I&&AO@K3rDv>Irmc{Pz5wftl$=g)j6(_G8Wt$Y7GHGwMiv| zZ}OhL2rmt!EjI^`_b`gf1kXS;hHieRAUtvKru7fwd}H|OHNzU7bi(Gf6G1)!91nuA z>vx9VlVVtFdReJ8(VeRtMR-SgGlq}w2V-L5S9+Ct??S9ij2z+y5EtjM3C}h$%w*!5 z6@IgN03!T>;J8y9yt&Feli%?Dcf+f8b=BCFN45zsCg+9Vk3~-5tpj{MWd4m4Wl6Sv zaptvo8=iq^xRTXp@4r0#T&Q`8^LTDXGc}>YU)qs)J!bs=b3_-mXn6gNUn08f1`hwW zsvNWaKDQo9$D^8Agr_1Z3191>;Nw!Y@B}A609TS;_{zKyE!>vmsPw*U)bXZ@!knxZ zo~>v0A`{ilw|^IYnYb5#%lJfuj~@yyQAX8m=4dlMZjSSmn+o4d`yHT*>{5hqxluL| zEnA@uT}mwxqBFcQxA@^rghgOZ#V!|iNVV!McRRhQYUz2SU--_NLsIp+PkE=AshL?D 
z{yE3*;rF$fHtU+c&8GdIpO6;=(uzzZAlJB^KU= zv0NsQVU7nRVTBpsU-?OtZDRyTCSjfMpGKH3kdILNz7fqu);Ii-8Ic%U`J*|9j^S6? z{szsJh#p>O=$ClT%14_``0HiU8=2M^8$@u-$jL~?O|w}x`1X?GXupqO+&VAauk0JS zIDzNz^?JusSuNMk`{sxn=2$9^}z?@oV^Ca=f|)v#fYp$xW|JL~cE|JueH~k8|^IUigFIqVv!O3>E z#_Rt>yffDQ^@DP4Q%5MHj5rKC@OHm0isD9Wqg@#<6qhA1;iuqm16swf5YNmn8B z@Hru%G0L*8YyC&_-~vZ@Ea38(WX)hv%-fSDIf;tL2-lPzGNtxur;D^wth4Jp`fEG= zDSVjUcR18}zfJ--yC^u&M7J z+UrcpbMPR=8^u|=IQ*hV%Zweo=1wAs%Q*npwf3S9Y$FV}+H9YLJ@YggqZm+X-@ zyqhk3JmmTnwP=_u)?^Q_eD4TDHx7rJ8_8R`Cw$dXh+reUQCw<9;fnw_J&KVq5WXnx z58{$oZo{jrBZ_Sb5F8xCdd;#r!_3=nL~XZ;^nQK|>MY+7z95WXZXM*iR&K)Ua@(3$ zTByXXWWO_S8{X6TVwi27kAT4**2WnxgzWHB3cjB|?pzN~7WDf3vtC>H0eY*Nz2Gv% zWTD`lG6GWvU)o~$=9X1$&urS2MX6L_R_QHgeTDFO8lFSqCD}QjX$lRX-={27y-f?Pj;Z4Zc;&Fc-$gGWb4?`ksx-{hwZeP* zzAG4Jt`MgyInGm@w@moaNy0Zp{tcvQZa;jZv+r=}tVzv&s6|yvZap%*nS^O@K!?=S z>bM$sfX@s5$$}qE+V$3gF=2*vIGu(oA~WU@&TrF?;KkM7BDxNWJqNQtzBs^{X$g`Xoe*xKD8lD7vqHn)^c)&3h)E_w-cYp2L@b#i!4ZY0vPzArIzXEg}E!c!tV*2eP zaw^r~ZR_!Pgv=prRDSLvd374Y%bnZ~WMUnKKQn-YDG}?u$QjhW*lj@DlwFN|Etg8;@eBlkN$>u<#6`tCdw} zoh9GF!|=57+u>Yd?%*lxh^1iL=QsbdaPWGQL$SA?1EglF>)5f-6nR^mj} zKSI3~=efoZo{1R_6B2Pe`hEe7U$&lR#jR|LyPON_e8-AFKc=RgNsK@28etUG!*2G^MbI%E^@0R zOO3FUtDkFf#qn?6SZ13p)iW97-K;&8Kl-u6Ab?D6aLdQg2``BUHkCrqz+Q9 z4vyqZIp%X5A7NLtH-x9fz0@uQLeK;l4)&6l+NNANUpT< zsm_g#FwPC0BvQ;ukM%tY<=G*C2axKX*y?)GJdb1I*8$8%W#ZKHk)`O;8ZX83r!>5N z0;0f~VzZZW5;G!GtLxhKs8IZpHm6yo@O;wrjHsghtwTQ9q!(o9F zYT>A^?W>=8wvRY3rtWoKtMZeZ-sH80z>K~)XPK!e-tA^ISNeT;mHuA=xD}|;J4rzr)ML~Df|l1ESZZ#J8_84!~eG$ z$)}G9q67|=VVY$(ZyW&M7R4SFOtPA5vNm&_Pk4>Ibw_#}o;YS3us2a`tv`}84I%tY{)j^wl~}$$2C z@B=g>2-7O>jThUeI2OYb#H(A29_gAKMkcw}(Ak{K7KcWB0(PQp|H(n<0};P5$Al=OltPIvMcX8#_ee)o+-oFiW#|-+v8N3ePLW~OZX)u4u(#RYCDyDvW~6ppFNMq#GyMC z)-jpNMtFr|n;60`4#$xK z$MZfpjtda|8d+!clQ>mde&Ts=ISRC2n5LKAjCisAR{O?jmi#+#*G0F{pB%i?X_tpT zyg9Ki4#DGZ2!HWzC#8%>gm=Cc;pLM4J+?n5cA{U6-XxA3zVSYKS9)t4D)zrZcj>^! 
zKX!oaIA2EVg$)S~kv#XQYfx6->_yYK_8v-b99MdctZ-PdYXvUFl281uq_l z2IGz8y!16r<>wX{)3922kt_!!6UR;~xAxs{r^>aGAL-Gc{^OCMtZn15_RXnw#u?x* z;Zy2@n-zJEOAH((C#m3za-s8n-KLzyT%)`e#NjllP#lww|47~B*_=+4i(C~=Dq4Fw zu88VPM5Qh{Pc~`ofq|>EqA*>Fy;GgXI^Pt_zIgn73ad!ptxhBF<&vR@8TzOWtc! ziw+?9Jfk=yzu!Qb4g5#(1E{#3t=;ljMBD~7E!&C6nNwlou8Ivnf?zvwR zXP)U6B$LGUHiky6!&2+I@v$hoczqim441N)renE>+)TQQl6&}pIJb!6R0aJooIAd89)q$e zL?apeUrrC;O@mEwYJQ)erdGZ2+>8`wT6fPH+iT{#v?~q+;LK!dgd~K@E*j@?iZ^@3 zQl(d!GUrB3l;CII=Suk5sci)H=MjQtkg-VBDlHOu^jbz3CzZMh%8XDRhbQ|hG~4G$ z9Mz^OoNx1)Xu)QG6i?sSE3lU2{_Fn+IluF_ZI{yn~^XnDmvLm*fHL1!ulOor=;jAR}t}f;4IP)Vd zWWuh~lV*g2y7-3eQxvPya-G*q+DVkysHV5@@;sa1@V4RvQmrVM=^8e8tkZEa-*HB= zTfvi&Z|hY|iX-RP4mH!Ql0JJBcJbyfCDU9MnzgDB5b_g1cIht87U2=bL0HkQZZbZ% zeB$UddZDDQ0K?6HMG{4p z9Zy+rx=Gl=V;kBwR%!lLD6ZTZXE;w4`!O!?8T#GC(R5U0$#vf)Vzmc2XP?E~dRaut0MdM6s;ju^9MMQDZF!k-T zgy34`{D^W$IySgIN!6$ff>zD;{p$4MwdojVPVQHjrc&2?ly`*zVkz{Rj?lUC80V?@ zVYtMpaXKf6LgxNF!$_RR5yoo7d}*CTBGY-oxW;FjIK#Gx1G3EfO^W<=^JZ{^EJd~`lC5yb}s3eVB` zIprqGd(o^D1&&9oEI+=CQ^v6@zA&!38&Sd%&Ayd}xY3Vf6Gt`(2~dz*h?QlRGlGAV zQi&&wiyGH^l*mZ)R#~1*qI@^ZVZ<3&zY)$gZrnu4h;_L)`rz5DjU<<*g=6GG*m#4M ze;hWsR+*5sQXcatj>#Q|>Z(<~XW;3)2)Eb>h+|Og(D!BUJ!!CgisEm*VEj?Uio>DQ zLzXEIL1T9=;>?1ZU7GbKXN}0TXSv30u8HDg49|OqVl5W>bJ#D6r}4&e(GQNJn`3y> za6Qd-dy~UooIYC|K(*4=9#UMX;A7z9C|&rWn6Vq8*mff-)XZB`;J(&5V*HvVYNl;lWjq(?NK^}};C5+@p(6t`K<^~wUDYeMr9Cor0zp z1vniWFxT?vWH~~AoNdCtM0JhmcT79cK;st#Gc+AkM(ot$1e5(KtOg2gr5;P;~h^ z!(iN(6K6q!<=?gHy*GG_oT+G1_&1`t7@9bor5n-AR!PPomskpI$4k23&%6P8Qb7)LVVCM@$c zR&mOO_}4e9sSWNA+An7GeA>9waeA#{Ya-jc17&MVU9r(+2*JRrxwGYHX3d1&@z^59(q=LxiRW)`)^xrT_Zl zyEOmgxiyyA-u(5qpNGH2^NbhOF=K44RbSN|v$$aiK>qLlbNTa9EBGB{1?b=p{_p?$ OU;iJ?OQ6H_69@ngcL%Wm literal 67185 zcmV(%K;pk2iwFP!000001I)cyliWC#F8DsbBJIA)6yf`lX7doMVo^jWHYudBc>qZ` z32vZsaXM-9;|Cz=i?Wg*v%1>qu&t_ZUpWH=fwM2)N#iU@xn;8C&;RQW^*^8gFl7+P zFk}J$^N+KDl`{O}MauM#i?ct5)gyoWVe&Zr^N;_p`Twau(*JXQ_2u^QkBh69x7+L6 zi?g?@>R>`Pp-Fyoa7hJKQF&OKYzK(@4mm6SKl7a24BvG?^hSj!g(at&b;c)=gz~$_wNte%TjOu@%#Cid^`89)1M#F 
z#&EBGJ)E1>bLv&kyB*$M-)#;%8b905gDd+%pVRAYe);_K?q2@7bvEYX+4I%;`SaPO zZC`ymyHvkF%M0~?pPzlbo7guu_x$n0-7jRa<&AxPK3M&j{~S)7(eloh%c1T3{N@jw zv#U*fcAGlsll?r7o|5(3^J6T}H*##eKG-+c<*$eRLd&Pw?d`(+G%Hub^d+3U{t)>% z{!xiPaI*Je<@Prsh7^Zi1%*JodhoA}xOdLMjZ zr^(AU`1XEj-;D3?Z=SxplPvuaeR_AohdU$lZyat+0{7iK%bkEZFF)Af*1kVwZa%%4 zzCMyKMwYnuG~)Ae}rWp#TwEpBd?KTn@8&QBE$U)fjr zr>EjM*e~STubFWd->&V!#aVuJcE%nr9a70`T5VQ>)Yp_%iR3Z=c_6d8?`Y z;&uJy_0||)D$=;f-_H&UO%#7UU;JFS7JL46;e1KHkKSKx`%yeR#o14p&EkoFKfR4E z&riRc=AQeW4T}3OAIsR-^6>I@ztH>i+r!0$>joDe-)?7b)3LaDTiw3j#qTp_y~P(7 zqxBuX`E~WOb$sJ?c<#FCX^?CNDYKr3`FpZo=<$<%`8pd%KiS!ZvH2(#4?l|e_iQ}= zwtoM(;rwd${q%i3`o7qRx2NUo>&Nxx{)c~O{JdYhF9(|gi^$V#^?dg|efa*icuv3F zyf_Otw!CkzHy3R5@qJ=i*Tr-BGBkYaS8m^#cfnay77xF!^vBz`$!ziZyxDx2{w^V}9xwl1KK?FrFNG~Gl!X1`i!Tl4*V6aP z_&<}q7vD-HGt3`5+53F{{riv2w>utPz7O-+^S2>OuTA&t{@k{e+;yM6DUo?rDv_o{ z?S7%Z$lUJ_=MOuX`|$F`583;pZ-&qI>yN2>BzwOq**mtzX0~7Gmwxz1^>Frcv`imf z&+;34C#bC}_QQ&vN8bx2n{SLSOY!qZzLV8A59Jx(FLa#`w(1`$0sT-3?Q^F7t$eyv zQughA|8EapuC^ED*BoyBf3AuWYiOT%0CfSH;ci;_K{_dHPU( zysQ_GPch#{*uH-WevK0C~EKmD2%%8 zyWd~g*L1rqUtT{JA7_Sp>&WGkduzw*yLBXzkC(HrMYXWz8<;_g`MOH_zd0`u4Bp*4gE`b6DtK&8>fn_4f;D8StO5 z{$WS%8UIgM|FDpf0sjf>A6b)w?Z3hLg}R*c+ao*oV3$-kaCLol_N3&&;!HnyVc)C& z`|2z!SC5a6+c{eV1-rXQU&D{nmsmO%ws>5=`0vFkJ1Fnb=~K3F*LU9Ab~arnU%mvJ zZ}G)ge%PM(@--4cIR7DM&Zo)s%kcK>NAmuan?JWv^6*%)n{9Alvf*~lPpy?*OkXb_ zXY=G{@c1o5vP^z{TYkHJ_kJ!%{CU67dUW+A zyge7(AAKZ{qI#_FQ~F*d^IxHnmS@pJMNI{`~X9Exo_`0bd(G z;QZ{%d3b;KvbppecUIn5v%vg$xV4}D^4r6Yudm^0v`Lfrdig2;7(Xh(cKi19^E!N% z&+fwe9zOEoc5^DeC10){9`9eX+pFSgn{Flt+l^n3M%Jg`Io{m7oQW^1^4H+*I%dY% z;QhzjkLAJ(t<*WaOY-5(y*v8#b)K5p{Nw%h>C3N=;p2g_udP%Drm<5IovO_h`&4q?0R!G zzdkotv)lW``F3@2{(X4*@czO-?3ZtEYiIgic=`O(`@ooey&Ip3;(q$N^zL5R+rfH> zz6vFZ2FB|9{mS+IOL614X z!wppeef#k7GTLr_2G_~^$PW#%6Izeww-*EZ-F?_zm1i$I5BI`rgxmFFbg&dglcR?o zetSs$mftw$p+x zzMj9TMcy9NvHkvO&cpq0pXSyNHBR|oe*4`A-!BB6@rT^EqVwr_Xp8I3$C*86SA`J# z^!fYf%KVXvo395;;l;kY+|KXs!{?XP-9wVSe!8}8&v4$?$%FlF<;LUC8}QBW>;1zw 
z+Z{aI&t@OP`OkO9IiF@_a?oM+4S%?Jy1p9(k@&h@@=wt(Ii7f-|0Y)FsrjieliD2gIT!@$HuhIR_@8&qZd43Vm<>8aKxL4*wbT>aWF^bw1X`D{2&N3V>> z%T@mJZ4->X&M$wI_V+K|kM;96W@N#oH@+TigW%eB%-?+Q{X&;^?q)9!U&fE6wRt|6y@7eV;`ZGA`Yh55Cr?hxBL4n7`R090 zMzh7^$Ez`SzKY@E=k4b5`TNz|?R5OKEbn6f?28Pzc?cUkY!|bq;^WovE}x!?;tPN9 zov+*1**s0Z8_Q2ubNl`7%^1kh&DW>F=*s zuz1`ALz%|{CjLCIzD!c)3zqQY@Q>Alk@&2BvPEd0*gO?1OnGo3WBbqFezFpFQm^^@ zQ-59SZ`Sx{e`~BhuVQXlf}c1%mR`o9=tQZTKmXYM^FLcg#uhvA^^b9QBIKXVzx<;= zHf6XHcH43M<=1~>#lK(apRHi6PMTlz$AmKETalzZOb`G3+w(S;e|??)r+@S=Tcl2A zd{(4nWo9a5_&Mf2S2XjPB?(VIkN9kA@RMYG!m8*x%ai(wnm_#Q>3`>y$E*CqzpIRo z<{(!-OB`R=PO7%PEt=JipZG^>{#)l9u+WNy@9)X<_#gh!>!jgwGfhtF&(0DatIbw# ztk!FO{`{{$|D)Aomba~}e)=D;$|GNx>~lQ&jmM7u`QKV5;Vd?tzg?>N>1esbQ@^dH zK4BwFB_5=m=>MKY%X0iY0A5NM^$)BgEt61NY^*KVa=T!fC&}A%HXFO)sUuFL1KP;*KHdNwyG+CVR z-C7|}e|t``M8qsB=1KDBAEWWfWPYL^AB_ipc`6CTpMU(H|MQoB-SAkf3axl*e<93# z|3BZxa4|UV7#r84iXgBh4+u3_ClSDfKoaHGT$4uMB4= zqls3xq`Wdz{HpFnUCeMmX?QerI+|*+-jfp{HIR??(F>uj#VP4|9JJhMu%s7dbL~M9 zo9c~?Jf=Jj#jlm@Q2!65WIw3e;b=%n9qJ&IU{_89t>;o{7-g$3)q%{Z1-rhO0j-~Z zuuc2HvvW!!-CM|`0kQiuR>E{RJfRLYH2wmq9NizrjF>bupNs}$VgYs(mm5<1_)4ZL z3K`Bx1z4q5#*33hFXDqES{HwJ802BOxiUv}c(4Z&Oc`Lx_#q889Qn1BJbN$($He5Z zbDhXzKs#Bwq&^VkDOAdZ)@j)b^%1#psgrR7Y67YGW!eMVL-EUkm^h|7l1>~Es{$U% z5*tnxjr2mfEQsSjbHy#1Y5O6;XyXjW@lsMHcku6t?`5Xl*%7fM)y$%;(#Z*R?rAYs z{%n;e?FDfVJ5PJ^nD#>5lghB8OBoU?xLVIHDevSE&L0lwQJ`iV|PSE?7$%k2|WW zm{Z3&>H;-l$uV3mPsWoI>Y&fgp?FK20GL>YHO5Sy)Cu)SQ6VDmHjm& z&jQwmL0UVY?ZBlviUGagXzE(&v-Ua=*OS_7+Ip~~I=wzH?3~izIGA6=q|xYkQa(BI z=*PtTT2TgRIqOjQP49@5RE8Z{VWdTq^|g$~`aGzGN1Y2D z4yYA=Q`ypocA_D9EKc9bV0yCbMSh34%;(r;nNo7gQ5zuXi5%rtsHJ*in9?=|918NO zBj~jZ8x6?QD|Hx(whwS$SVG+=QRlp<8_ajrKBO#r6tNwWR>mDQS@lEJ4j26>6daMa z1x%~xF=^iGC>};DOZQ$JY5C?+297+zQ6=uFBl0Az?U|`(WqI{#QDL0BQ0q?(z4V>M|~R9PIY4# zlW$`OE=Zk&s~a<^4X`G+(G!%8;e@*6W@nI6XIX0fHlp_4>JrL+lo}70)Bp%g{E4>y zdmkkw4b~p<3aRioHo|CoSbj4Hsr%gPtkam-4%-(r^Z@8k$MdQ8v4_nkr;nx{iaI-5 zr{TubrdUI!I=rcCT$||Nv=^-cw8im9c_(_9 z)aq7x(yG~$>=!*|+8zg!x;m^T57MfvV|*Lx_;DRepHh#cYib9n+XZ&^AZbwSH;BQ$ 
zcns8y3yn$Gk4QFY0Ok-C>rIf5x_)rq_0$ikKA|r8-Q5eRLwR5qYDkqP3e=09r=H+a z4QX+@j%P{{$L5+5B&3P_V~tO3An$9jd!gcbVVDkx!LN@EWMVsPM;+9C3%h;LR#@zW zI(3;x6CtEca~##$Qp?iD{-H+s+eJ)!5XaWDqsg1`_tg#5#n_Es;soGWlRi3*mo+&q*C2+y&H0TR9GvDK-4`4i%su z0m8nF!X-9L8`PVg*kR-@zGhjiT&C1jFLf}THm1K1i1lL-94+GCZ$KW@)me>oOkJ+O zb6e;!A)BhoUR=wl4}AmLiKCv`Q^W6&rofINvq;UKUB3}+3;bT9lLl=M6;af6S+$lO zjd~FNnGb2RUk5L;Cq1mBDcU1QH}Z&FUBXE1CsYGQsSjf}JqsfT#fMMj7wMyA97UU7i zhF3`2@QyJ2NiFmv)cQVL3T=kvSaJ|=WH&CEwA%ToeTB5H<7i4>KO8vnXzfm-PpQM` zwZbP&(Eb+9Cl7|zfn(~}V6AAWF-&&Ru)eeg^u&duRdR=^h19yG=}7EBLb7USriL(S zhFXrO>ltKq4n_hF-qED$%jcs)R?}tRXXa&X^iOGck5grX=w1bj5W0#R{Ku0 zHOD(6eMFsCXms3=v>));hog=()Bz9b5$BDrC9gT&j{u>Lhc#%aJ?K80Qx}yUt6Fm9 z(uC8grx(^bpO{E@F>Kn=;(LH&>SSOO?;yr({jD~>7p;NR7U2#Zoti#&F@5T(aJz<< z8NFlMAl&q5f+4ksy+bFbPPpvyq_m?^j$jG;0gBldLug4XLw0Ty^`!9~TsyU0xa$!l zEm%8hDj_yct5!woe#xD&KBtb)HDPt?BEm+u&;kw~b-`1&Tkm{*@>yuR0hhgqIZ)35 z*}K@(;8455aB4E$WjlJIX{q6sn~(!-vHnr^ntbF|6Wpg39ZmTjb@;Y1f2et7H_nl? ztl&T$)J>#S&Uo5`0`+}_j@t658_;{A;HYOi?F>`u_Y8G_G0429#OX!F#aRjVM=?5JL*_RGaZH;*SC&?(bC4D>66W8V!b^Y_s z8l`UGI1JV#Ho=<4t0gHIi&4L0IeO? z)Y(!OW9=r7QO7&>khbFPDkOw;*HdrmKKz0UqnFOw$ThX@5_A6p0v|YPjhUJ zgIurF058)kB!HuNON$yIGX-&aB+%YwRSq;!hTK|0rb&!MEHf{oW zolDa!O5J!?-%39)^q2jRqNLL|jyQ$7rnL$_(RLN>`GlH4n|6&6HLlCf-snRza!5T+ zV4u?7ar!35O)_HrFuy3<*0>ZPA%1UWnt8@xyFs7 z79YEG52-Lc&9wkvB<;N_7lA-4CQ?a${^a zNr>8&YqD|Fv(D@3g`_fU?_HDb;&^CaKPImCq9BVjOt}vplh&9VqYBfK#vbyAxFfJZ zW}t=`+#|a5A%|Zzul7Qx(Bqg?fYW2ree8>`spov|f^wv7t4Bl5snbqP{=Of+J*^}? 
zRxITHTU`ZCJp!%X207m04n3p?9Rj+;o4Rea2@Ot&BXT?a){}%aX^7#tR*n?W?nsD@ zsG;>5gOC;lshLkhnrB(gDkELdM<1ds19C62L2M#xs8*>@MKEeMqBrwQA_ll=R|!R z`!0O)+(J_TM2lXwuTrBI9Tn;!@vT&ebK0>R$6eMv7+9!7VbrK9yDD3149KRglsb4_ z4^AW>Yu*%A^dtgBYm**=9sMYGA&(k2J%QBzTNC;r<&{H=HFd-2t~YVs3kfzNE$=vP zprux`J0O4_WWKbXrLF{T_R)(eeM8zIBu6nQ+T!QqB3oJmXg>~)+OMudl+=m9o!vpX zi{r7Y)I?g#blPxV4EfP+O&q!Y6ekf5Z0e$v&vz%bGeU(ji8_sW|GuOM~Q3 zoo1kScBwQ z;+@?=UCq!0(kIl_i?xSOni>5Kiiz6A-}N_7sV$Fv2Wvk{u*oO&?doj%(Wf}1^%#y@ zYp6jOcR1A4NwA%!qb|OwTl1*LukJ#ow4>0DB|9x7(!T1YCrAynqpbIVpanJLacu`t zM}g+`VbIswHZq;sENrSeX;sT{cOZ3**seCKAEEsbEr8gOA4SSCN7zi1{Bp?1kxmyl zCet2-f|OLJwt@De->H4MT|Yi)^5@8T=|K(7fVkagpRJ|tAKgt(rWPHw+d{42nljgZ zl+5*E?AEXcV@Yb=MqORH%X3gOY}3O^y^Y2cB%j&WjM=0P4>k#7@==O)8yajl%i`7Bx zGwnxi^}{AzQpbJjfqkUAIEqh__m0-NuYUMV1 zjvD;A@n@;)k9N42)YFRh`=H&%ZU8-XUSp(-pGV}tzB`+g+WM*Sr)fb|D&KxGr0rNZ z!abzkN9`z3gD*C%PSgR027Qs(9@RWD9?%zJHO?FDsN{W?hg!8AK#r*aE1G8BUbI-# zwg?=GIBAE(9CvGyBO}!0L0z@jB<^WVpIxM5+Lu@@tzmo^zS;wWbU38#UOf)DP^XCN z@FZ#b*%9*3jCvn?L?+^W>`DlzgD$l!rS7$Ae0x%>^oVIkJt!m{4#^=xnP8j)Qv4)gIlY4>hF~ zzfcb|YD_{}FMp4INS(lMYD&ptKuwO8-cql#l0)jC$8Jb)Puy$bsq4FOM#Q~|#~7~E zI1!Dh-iwX}>QaIl3X;0ycvsLspD(U(Wc#65s3Sm)UZJj`+^aXzYdMl%)TQ8!UD}Vd z^{6jKDQOqUp}2y!aK|cZm&SdX-n;23?nC!RGeO8PNkD!qYRw-xtlt`zAE{ zvd*fHgIdk)A}`dL1s!Kt(AEK>D(O$Ijb~o3$+#2Bz&m7 z{5pM4J_@a|NvYGLwE!bc_#CMfYOwgm>>$mJ9xQZHKk_)xKztgb9$={bHpPfK%&_ZP z=*cL7KDbU*zK6OptVS5_LnXn0+=JU8>QZ+L><~?;%k`Sp;vU$fmFS>tfIlvWA{M3% zKqqa^`WQu)8trdaK1g2Fxvw^%hNaxA+a8>V9&Sl}AUl0a?L#$~f3yJ5N5?@;rwzt0 zb@pjL7On?VdX+>a9EP}60_{cT^GWOG4(CBy zR&bZYs2fYpVYFWsWK%E z%N@hJ^(7G1pLQ_PsK+sWIyKhZUa?P4pFp-B}wYUGP9kCr74d?wYUH0|K0z-ie;FJ&{n(q%UWjmuWM%sXR#sD zn8ii)7k{jnpYVTq?)QiO<>z{vgJD>lm|^R$gOoGV;ql*`^Zud1JjqM+KsGoDo9`f?%=&I zk~P@bXq=ZhTz@=VBMMdfiy;xJ1#%Xu|GR;hLi#0m``C$Hc%Ifffi7??Nm*Vdf z`{C~gc=bpynP>Q%GPnc1#_I1B!eNh#0CMtdkiZu}IvH=_A5Vu1O#b7T!y6t=7Xv`$ zqp2$md_1!`zQ7^+c{bBV6x<*Dc{a90;^F&^GQ-DIHX6HG`FD=t?g=Ha$A4o_A6_yX zxR4u1W6y)4a=hd*{?duQDfkLV=kqzdh`G|MriY~c+=BayqzKb7GnJVF-(y04_E@N7 
zIuOcpo2M%**yfAL1aZZ1uB4u_xX=@2CJVUH@v^{l3B_Kd#cu02&gP2+kh$|Rx8UX@ zrVK^_R#=P!_;I5FB7~6#KYhLxnLc3f%xIw1C#2?Cl9^Do567bse#JE1A{%MAT-Xer z!)P?r86dF4TCmVykd(9)40lm%k&QGO1py+J#R8G~Na-F&LcU$3GBX{xg9)T%ZwuLR zG|SLE?OCmrShWIa=Y?s<9S)bi#B$M*%Kd;h2j#V{6SVpm%kt5H zK^twXlS1t;pF#_9Je(?T9#W1gQfR=>mCA(sLuWVcvdb1q0_W|YH=YeFiLBG{6lvp; z>6nOc$FpfHd?die!;u|xC>h3cEoG5iHy%%+p+8h4<2m-im5T;>7ctLxvK)Y4$8&?H9bdm#Ap1of z4rafx6?CZR@p29~VEI1ckIA@F94FpiBgOj#Qtf)Rp25ZyNIHziv(7UD7cd=~Qu+}? zs#}Q=Bwi;|Y(I?0%kCYHp?0k$9Qq37m8pA%rtD-e89+(7)M}tzluahnC1Pa#4GGes zQ{~wqKAc2b_}7tLqW4cLbKe#4F8($*v)@3M7@aH&Xsu3%?NYS9;?^4+l`YAI{ogxz z2N4WrNDxhjFcvi(l<01z!wm{XPlt*Jd=#RY4r3%G6a~9L3s04wrh@|b@bfJS@=TST zmN-b&PA4IUio!}+2rUs0s|xj%@^3SthX=Y657Uw1B4ITh3`~YazLI$<@`)#qP={SE zow{jc5Gp?Y+XUX>1Kk9gOw(x>6P9U-43g;xT2s^65{dgMvZJO$VPP^iGXozUOFG2h zJcP%$90t#(3@xDfgvT5Fw^M}MwFDCmXJIaGqAgb6=3m*LKxFwk%dS! z%?67BS93S50Z7Y39YGf26^4KjZs=?V~LoGr`*($;Ji;j^EQag<~>gCzyC z3AW&;quBGo{%1Y|_RV|%BTUNt;YkWEXFh^-54mDK8X}c8gYoa_)L|mUTrq=X0<$@M z{WOA$&j;hh0AA~If+WTa28ZSYOF(06IiAD6p9d&(KQA(Lw)6RTh!o8n2EOKV59vr$ zcrhO?k(Qe4;%xA<)*?WT%xe3w_2qM@;O6rYy6$-_p)Wrl4GNeKQ4$pCsKsCqIV?tM zQh&f!FsVc}q}(A?wrUZ?7IRC2GhWOV=#Z8J0~Y=)k_EEA7Ap@PG4#Uba~~}|gofK} zVev%RA^7y=V2xOAF|Q0PAV~|vRLj8zoy>ArB*^+&j4~5hmJ7K0eAVH3&GHnv4hxS# z*I_x-b$%wQDN~dqEAOp!i4xSsEeDCiU1UKlrx}VMEvDlssPmY6bI(oMMay!Mp&-U` z=&s<;%tXf7QrYH6&nn_Tzs?Qeq03zuNSY{-VSlBY$JWK91gJ4wHyq_ zuvTg@N2aej-4uSn7$%99*oavUs}x=z4rwZTR}JD{xK4a)ypy(as3eS}t?Q zluJl&<@Mx3j62FrKRKN=m|*S z-V#!RX~j~&Pgv!+7)M##m`z0p1^5WN=SwTILa5%C9mXlM0=0!S0>sFsfRh;gJgydCq z0*Dov@L?8fJ{%*5QVE+8U}V#j66qnmGLTgwX9YvQuQOPX%&e`&pdw`=i8zN9XUxJb z6ce~KkcmKAGDCbIECJnqW^Duq@f7C!sWh;(u~Gr$WmBaI7Fgq&Fc#_uwlICoM3F(W zuU^Dp@-wc0Vonk#DL4^#?XHkx#smkZGZWj4Z{cwS(l8+H`9h;~fm;vLNJ``$GSAII zoWo;ISHYlSA}$PUt?8|B3*TH6nE~ieVWFi<(t@@wBo-=*q201c)@yhYkvK8R_N}dA z&XZKasx$osj=;h^T=6i0=bd;aX7x;$aQl%&3W8`tRW-qI=rqYS5}H3_AP^WfL|nAX)k%PPs! 
z_PYss6Ihh+05PH~PQRmP>$D)iRe1$p(V}ugl z22TgDvQ97IaSrcQ%CLhIL;+1=&9qG5B&A{GCU}D{?Jk2rN6)Jyc$);$58!fg{Tki* z4mM&INU}sxmt~_i;Xo;DKz^5s!I%#@OeTpf;dMxvnhDbLhTz)rZ#~EqrV7;0kQhv; z=?v-fu3|?+Dw>5AeP*m|WMpI*jr9jEQypaK2we1GWQB0yb;McX@B|tNBDT~v0MWVI z4hAezZm|$HNE+NtB>WV`9=H%wJpsG+jWjW#nn}&!0Oe;5SvnGHDy3okzeQp?yu=f} zk41a&IgOdcKkNPqL}w;enGrCtGtuGIF%*L?F#AL$9VHX^|GR<@oFdz8}M&|pbgkcwxZ}?}W z^_5~rR#Ij=NWht^ihSX92FgQ%B&-fZb4rJoq(2)4b&WL7U{u{SO@qOGD8+7~+?(le zgIS2S)Du25_e?`*>S+HA)7q|N+{~pktcNu9WjzfUy zyA1HRtbnywc)@Pi0()Uxy4msjPfr+GV6=l&uTEw6{v=c`t zVUc!SWWd9``VV?6&@~fnI?W8N62+uVrH~eAw`SxsP;jEC1)hi42pE{&vd#xWSejD315_KDAxG-dbOU$Z@jzeOcHye6y6`u5AyIhe3hr7)>GFg2(NI8z(R5x=y-Hl)uw+F8snXQ;GH z?J?0dTDMMWzcR+4+LO{(ukfJ`SN^yKrBQ8nzz?0{bFj(;N(&35uN6IbN>6?kA&PC7 zN*zO~9@^6XJ8;*-16bxuU;V9!{jLCs8BXw7nAiqYWQ9`!W*BMEC-fz$4xxACp-pLZ zIESGFJA2du0s>r^GECJwpbsO1DDDs#`d*M7C1r$-4PTrHaF|?o2Sed4O__|W&s%ur zb$v4+W04jp!lMY3$prFYSmf}yrO6mXhg3`gyDXJnjB06t4+92xFkVeVHKNsa4hzU# zsR)?xQ3k?Xff5iijCqI)QMBf8b)HN5m5OOs0KvqU8!QYQ=IAIDB+nFuG|bFTvzVo+ z@Pq|zbR}f*(Mf4z_a`-`BNz(eroeK%B0==P+I6b{3?NaXLFZ~e_ayC*TaRwx*1CKi-iX}~)|%SyS2B`j+(H>oc9=&-Wwyg+obP7oNV zw%5YW1dv%mAOLmX$cQNyC~i`fpQ744OPxVz2T*jX%Mbyw=HektYg$a08AxzhOnF2p zu8^~;NNN~hdoM8;=wr=wZgh}MGFT!mwzM?|J2uUA5WuP#Gw}g9i)C4cVIbPq46Y*t z?T=VoN5xxvlAEJUar~sp%i!FnHjqC<4^US|DifNgXc>#ix>%)EuUUMf?UaPah*2zN zu{CB#Wgo)YdW-W27QSo82`6dHb!;Hvw*b)zi&c3f2d!_hLcn^I>daFacQ~vTi&I$g zpw0rrj#|2q1e!#a1FNbmJB2QwRg(owI#|MzIo@T;OlB&J9vT}~eY5Zh(?{(z`tp?5 zVAuZ}KIkCzXpONj6@|fJy|E<{^(pFZ0U5i)5mXyWCpekJRY3Y=nZ?2OF)U}gfX(>&H5%$40#WF32&vjk$A-g*p@Me((Ky6sSrLl`BuE2T;+EjJ z)JXB>MhcSynW}8`0v@Q26Df5IsEEfU)Y&eCf3PHvYotK92V9(7>pGwd!z4mLkBTZ7 z)^h4AMzC(g;sxBHDB_BqTBW|C?G@{Y`dce=jk2@zvtyllw~^MPe{svzNXBv18TmHdL` z{>}YBQYN(um9Fxk(`1!P*ywE)R*|AoBWnw9A(JWZ$gOZ|G=N23Ru*~=F0`>S zD}y#7A50`k)E7}21$zxqgg>;v4 z;iL&$W4J33=kP=)6ww3P0YF+0tKPh$nNPRe_{>5in|$88iEWRVFu=ys9NN;{2W3a< zo+WN0SAT9Q^A27@MJ(WV^=%xc8M#@3+_fH3xLDK^LcnEZy6YeA@^j)aSS8LK59?eW zWd<&p)cnnMh2O`0Y8dq`BJt3QF8zA!z| 
zLaN9Lr(^i0mV;mgv#Q9ds&5ihAN&HxMYmW)e0uMYsg-(z?KEb-(4|nvv%}&sV_0mOZ1l(na+N|A|jrIupoWK zIY!`6AM4;Wx&B-fl38KTY!!5jy3&7-{K)#wyWao~VWojf(IJT(c4IV`(E%}`v^4Xh zSinw*Rptu=#X4&00i3$Z3IVWR)P>qzZKLXY*0^wIB~!@^{D^vy1>chCNF92>gwk6J z#sX*e_=d-kBU6wpU5U8ed8!PnghTk3mCq8#hAG<>3xr=-(oE}G53rk}iyLBQ!_@9d zW9UI>1Wm0WZdh1l;cNjLhjpVol=S)mBSW|{D>s4BFdn8n?!Z-9ZP6U172l*?R2*yW%OBt~3?m16ZRbmwoP=SCQR|)QWUlo-D4%}s zRZ1Lc@fdaj+l*@@6|J?}H(|4m?o-=wVO&EW1v5}cz-GFy1j3@(9cW>;PJ+W-=mM;c zUB)O1>a9p&tM^frmBoQJs$OA9;9T3hBWP}Op`22Po1~5`>yQbFz~KyA zG9Pne2pu`wP1fx(8$J9>X{`{&jBH;~r|+=X${8N;T0bcQtzvkLmXscz-EAwIqXspA zG*ShjTa9=n#gtG-CC)bIUc_SL_Sl(pIK;5jB;TdkkxZ7My~+&8*qm1o?Oi8tWT0Ki zmRWu1?F6rZS||OcU0Qd$GD_pbmY{vn&VML;&+Bb&qt%aC6N(@Fw-3ODVt1Yrn=Royuj{tn(HsO&9_ zE2+1XP9`n5h;BoYF$%ERS<-o{e8oX&iTVu6BMa8qh8Ff*&urE6$1s3&lNrg}gFpKLp3W9XgWb=Gh$ ztD~(jcz2nAl}C=02PkAfBI-m098KwLM<#@F(siC4M_Tot<41B>pQw&w)v*Z~SFUdB zhn7P)vrQia%$Yipby)WTR6l6qhec5J`(v1Ob8=>tFx%}^q=|0>S0y-Ege`Yv`&2LK zApfXi6D2(BO!~|RPD-V(aod2S%c&$*%cX$cmfl8&KT}D8fzOg}?DxR{TZ z2w_`TN-RMJ!LE*|@YXu2MVxpgV-uu1oiZ$8`Hj$M(WMO08ktD+?R7-kgrTGPaJMNw z_DomDz|u*lhfRDH^Fmgrz#1B&8rm^%WYh zABk$=W+6`L3oGU}9*blFeLG>t5`=(7S7IMw)4{4o>^BoGp(;kbt^rh)RkXg3r%<|G&?vZT$QMqMg(=SEaZHjZv=2r zMG9x2h#-*o0cVPC!iKYuMWjOoQv?Gg94?TRsV=G-!U35oghQJ}*i4xK9}uq8Q)!lb79r${XgJ0KkR!Nj9fLESE;JZD zA`83j>b$Z5pO>O)Btl$ki;Ok5>bk}xrRWkS7DSTa;j5y^!VVK#gmA*6y4NH^xm7%! 
z%QazroJe(#Jt`SC- ziOEQF=miXKig464S9pNvbY%L3$Iwk8!qPPOv&#^vPxI#6lL5C{v z*Wj)fb-{>@6bZrF1V`9T-O3Lx&%)7Yk-8bop6jDB;D|}LqOuN|06Rd$zoVaMMJ>`p z6d5q%U0J~Ru6lu2%{=HpNpJ;svW~_q*D(=9lPf)>vt1<{aqig_O?|8_-fE zz`Vy#jHb&GUSfzvOOizvN)x*-gz->22mrQ zqzF81RJDJk`Z)_BO}NEy4An>$MhJaL{qE|pD>w+RG7fzxWa_uHvv?RQ{}MNjyT%li zjJZ1G3-hYp7&-zT3U|0sk}wz@)Qo3anY1AAjc4f@w@^fExrN+Ek5@HLtz@sKDb<}y zpOah}+~{&W?!)}8SB<=cqIb*STx)MQ!bXt#oGk2URracRZ0##}9R($xZn7^RX)qaO z81vg(d0WH;oOO*@@hayAW8rvgg~}EybE5qu1V{ZP_4{Fso#*0gg2&^IV{*$W(!?6r z!GgU}+J8nJQSA_3rg#@PO7BE?%x5q;Wtyno3SoLKZ?yyUL@n%x6 z?l1+ja4PZ-t2}cnY3N1@6z1?;RPyUdnSh#OFN-A@xa~D%*X^5AG>3glFTr+~4xvD) zs~@lgeuAF5t`(&$H2RP@m=1;B&Bp3Ro7Ng!)vt0~pCv1OaPt zl*HL)yq-)APGQ4M_<+dNDiGM;^S23dhcx_-9wE75K5S0%bv+$$>V2+^&<;ny$A}2( zOmsyTgg5kgC^s@d$#1W8as8n(X=-!4^;@cj8P)-1t=pvIuHk2z8(@*P;sprO?z0Vx znVzQ!xfai~Rw@unN?|*xI#@K6(-&(j!So26G=nJ@#nvfygnV-g^69?v?LFRs4(W#$ zH0+hoNA9R5^Z*gMZz1aQ^<-vj_4rCYW);v0yb}#Uvf{`I(qn>V5FOSJT;$;U9N%e> zK~e83bBFs82eo!Suaem~Z>g9XRz~aZl+gS1Ic}}gHXwxU_N6U5ZcRE8Iy(Bc5{*Iv zp9yW*U=v4*D-PM`#OVZFl9;#h(PZLKI%-YSmk8Z`tz!T z&!vo^)blf`XG_8*vZ%uf2oeUwyI&dzds!VZ9?jtAFw*Ep5ei`V!eqFVB+xT0*U$t` zYM3kVjTMw`Co$z&ml3^DXHicNM6c=yI0m{4$mTKPj)1vJ#wrW0L#7x4&%yHRVQuK6 z0xq;tLQgDU1EjyPB0xcEeG_g`R%2B#324+4Sn?4llbwSAe86K}D4)hzSR;#|9hJEC zts(=A#qVoWi4NwE(**b_(uCN}{zi8?z(WhO2o{Rzix;rGE?~AWQ?}u7XtO%{60(iD zzr+MRmpeP5JwO*!u~NJT+z}bDDguWQbt~Nlm2{Ek$Q4mXYH?VY5v;Nh3B-VTtUXE| zuvjo15CA4sU;=0!KiN4r?a!!>Sa+PIA24J=suf`WAnXwi^dPtp1K|g-fy>vV00ffo z6m!AlxriX41nPIl+}bJ2a35;!)-Arn*1R5gE;wZ}zur2D)2zVMxY$-s*!5!nm zAV3gXEcPr5&if6Ny21QiQ3fjYQy&8jm7uHMQBRcblvB7;Hjs8lFPnY>!)FFkX+5rV zt4NT~7$`%vL+%E+M=DSU+SUE31s~sZ9Glu}27_Kf(1C9m)D_6BY;TX}BP4wNEYUy^ zI9C^B%KXRamLM?=2)PktHn*Sz%L+c!pwO*6CsTa=Mb!m}2))o*3>g1Vq5&Oeh(;*{ z#dzLTd9DLR_^?BzZaW;r&@{Oz-7HBp*f6kXbJR4t$0}y8* zVQ?Jj6)ewDq60@nmFN;3 zjf#rSw_WuNp_z1ylnD*1>$Kw3`CJW20Ux9NX|RUK3K^q5W61;zl!bQLF}^z7Bpkz; zYIJ`+iw&QL%(Xa1CQ?|sFyp2!rox(rTM4QfT1f9aFHmeh6cLnip|(gtu2+3&VoEsE zNPELU>YzAEKINY9i|lFBT`6fT2Mc)A)FN=c20rW83&WP~yHib5NN 
zDx?Qf^c{Lln$@%{&H`X-D2rPCC*2}R8;!=u7S%*$2u<;mMIj3|Xw zfhq{JF4Umqp~@pIOA?sG2^22*Tqr@NJgJmEO7*k@#?wtIfkIuk0^%^J0I$^S%kkiwCxNDXbmk3 zdoiO3E8U29fFMN5+J`wjwMm>BsitXljMR#<&~&s{3BJ{5g&8x*F}@z90(||b8W`06 z_sZaFO`t^4aE!#>+8n|P3BCUX0=18%Uu+N~Zj%&7TcQZt_>o;eO&mo*fw4De0U^yl$8PM<<BzbR^Q4gSd4l$|uOvXp{ufz#6j^*R@Bf z^0`s2s8MK0z^yAF56J#&J=`hlC}E6Bi7f$KRkXG`1Hx-PiV8m=)OqRL7)CygA~5B8 zZAuf7$6ACKq)N9Ed(i%iG9E*BcfAfG)cc`dfuZ`MjfvYw)@wW$rum8~Y{pmiG8Z7W zuwJJ!>jF1knc~Vgf88{TwtfNU9TPOwLBX)+x~m;kdxmi6qUKQL zw-g$S0`YZ(m3{Yc+jV3K ztPXU^JjA_PXVrvU$VV`7yk2*Rz4aCr1FS==h}Ir9D|GGRKhSyWjg{qapP8mX%*Spq zgp*{~7)v@V6g<&dd5O`{IHJP&^im-K|o_3FbKP&kGtuz05?Cty2h_vQLslJ0#3)=Qc?$m z@|3<;|G_?UTvu?mZXqxszR((CS|ltQj$nLkU3Pq;{sOG&;@Cw?tk*95>r6?19PW%| zP&xt^)5SuE_)-pyhqV%$u#_r}wJ>OZOQLLs6-4=8W3M>QL{p*ys3!gl3nlan0Nnep zxWjY;1{^o_A%z{|p>BHaxX&Qsb}Y~|q`00Sf-%4KLmkbS30vWTqOoaqmA@s!LTiz{mlKvx1ckNmu$@Y5HgjiNj$lOkP46<}&QKF-Le1_9ZbLDSa3v z(tQZpc822+)Se2f{V4Py^ey3RlmnmRXHxk10g)fq=KmHTFxo zVwn#gbA(w{Nx&Yq#4QrkpjDA0?=Z&oL)DN5{E*P`l-9(Hx*(aNPRT_0N>1SF6V0NC zg%j8CLF8DyBI}@7eI9yZ55`+rXSi%KaqS9y7;PmGT|Q^x3m#%NuCNB6Q^WUv|30Rzpq~q|%AS9Rgo(rPdNl?P}<|IrK z3z@4)2;qe4qv|?v0|ZVIX~5|maXrftED$n*Jg_7v3Sf3QRYyMz$t2Rvf~eh5OoTG| zk+G~#3CB7TnPu39QUbZ7P)Lg`!Gn&&7($~xiA@Xgu*Xv+J0k-QF-deWQGyNCl*KE- zeXApzpae?}e@{90@tZUjJ$^+f6Xakd5`lOs0@mdrxbZm23LF@q&=kvNJ)!f`NFZKdmS5~XQ$II~p;DB%DHWhyH7yI5&Eg>@}SAuY(&nGG|n zDYJN&{gze0h8QVBi3Z&<0PiNxPNG(J&0QD+)uPA9Os}K!Q|%Q`IMxrqDrSK2m@?n% z8l0uhQ(4!z(>u{+XC3#hlam@xrk%RBTc|TKM0hFF18(e&o`9ruY$SKow?eupy$q+4 zGy+E`;Q)c8$YAQR`4aRJBdOuk&|yLRl(ZV)g>PL$CMD2XP&bMV_SCSH5QVhKLKpp> z=plBXR#z8w=$?lT!KTC--~nk#6K~S5z*rdsi&5*WFh0Jrf{{SbH4V)GLv(XpQe26x zRLVKR5YSZmc_k$@1ri;2ZQX`2B*L*z9T9p3XOP*r*?~r!*0m8Z3zIrcKS7(iPfa9M zQtos0tAnIl>XZdcbynPFXzQ)r=qLr2j;kqBiYZSd)_R-;hUh3hN;}YiH8+7QcPe;i z^-*>45wn4{qDa`uaQTP2_+lkOXd~(h-Zg0APNfa&!gqfU9>DyrX9>Y>_SE4>bje7h z?b=XnPhtZlb=)k(=|}yIRi$(5EXPy^GgR)S|2o%!ETFJ7vNFboO=D(y)r1t-`O`T8 zN}buTLvE$9j)zDedWNa8%E8g60Tt_sHuAFYuu7tXJ1SWCxTNdzvY_ou6&1s?;2FH-oWR2p`X}aw|d`r9R*|mvU7&Je2 znfQEGP 
zq0%hUWuB-%NQt({7@<1-bQ55CqBp}5n1oKZMHkKJ#4a`ivMCaeS-^dWHh2 zQWd(x`&I;(qGVVtXfe`)x(_5~vqWdyBFI;p2{;N^a-m+1%)P1}!$jk@Hr&Ey!^Xjo zJsB*$+(gjH%q*UO*=^YrO5Lu4%8l4`6jScVU4$w6Mn%l2=ooL4iGbn2=gi95r*?1D zJ20AVuI?d8W6o1dOG)G*0btvSawUB2+qX*Uj!2y%m>745sJ&v1+J)7#=>UpSr{#$b zT#!virT!*Hl#yk~BF`K{XVARK4P3Re zNrVlGb~cIZDwSI-mP_md=iFc+vaBmX1~Juhwv8FoZMnA5#0ptixd9u>H(L?nr1(aI z)Y=f%G3R>x&Km0YoZ)U>^(kIQA!M#GcQZs^T#quhF@e=W2MU~Y(>Y%$=K;qwwnnU! zGqDySZsXo`X!>j=af(eH2SygGEgJZdGC*6%dFa93J@tT_A+spw8Z#OTHoi7Obps}%h)Qyz4Y-2=WbkOqP?%0p?YzsN zR?lp)Ue+fC%aOE#;M=I9l32E&&8R&Z`Hn8((S1Wb3D0b!Gf1SQ0_jp5Vw z_u34FN1bnnGf-!*{@zD6eud-!m78K24x2Uf79H40tGuEO5_enP(c-jaDN3lg@z4g@ZtA8>WKFkHm~N?xx}Xff5!ed-B4^}vQ6O15I9lR^B! zy5CZ_4t6|*NBe9w*p!Gsv1N5C0_#MziY{)z9{$!F4Ti{1+zLBm`0#~x4_Q0Ig?5=q zjI^@VKz~SQZtFrcAKKu0uN`aPs;5S!FdX&RvLZa$7G>)qX*Im5qepxj@B(=QTcfLv zdz*11>&Tp`Zw?Up%yv2$0b!YiIyQpVkFX`L_P7(8*iJS z(x`2s>quJvHqco+c*2>|Ct1>d0nh^33OGA;%N$5+)9JLmjB4v~JwOy0XgZY81&*m%&CO^{u9pbyPAJ%)ze8b~lI-P*2Bv9K}D?;PLiN7}F(^lUl-b z@R+V)&pM`tY?D+2RiKTSr2+Y%8m3r-Jc6sk;k~VAAYoY;d5L_oVmyNgE1JaNSduLW zB^26L6DWgMTZJ$dTv@j@76*E2o1j2ep(}?&Ti5TkN9Vz<4 z)y+2W9*Pnf(uLI_E8z(-&9|bnaDV4yx89b)Rs zZ2)yfIdt8*4!zNi)N6rT;?ynz)Dlw^pDUONxCx&x&=N2{P!zt6b+W9=0$R^$>obT@ zpwCE`4`LSTkorN2QTWttb;kD#nC2@gs%-trJl(ecZK(^<^wbcnZSej#n9#z;n1>Xr z0p|4Vbu6#42ztF;Q)NpoAi1TT-uqU$#2sI2^J*q5e5j)tFHB#X1H`Ly)Z!BE3QtDYj$j(s&<0<71E6mCe zPN7g2))9*>%^an))fpKK4^S@c0=1bcj>mz;Qec=+wFQBrREje~oKY%MJ-J($aLR6( zkKuQ^xK_CIS6K)g<&Mb}>b4EJ0J=NjC9jlhp@>)EbTb+VI-<_ z0m6c=;j0QG%M1;PsdW-|)XT(%$SP&}x!Zm&v$6xVtYoFr0lcS<%oHh#r|xK=ix+fY z0Y-jG9ojW9bYqzbWrB4EkxC~IftV|E7xgxjP5>g=r5nS7n(8x@lukMXHSCoytMm#? 
z@0AIh2B5A5k9#R$MyyOqR5w@_9n;!1N7`MFsDqkGqaa$8kew60JJ z*e6>S_2iQFzc-lhaEK%4SVG$}R^Bd$gF2PVj*&_fYpk=sna*SJ3Ss!qfB7@zak1DC zY0Tmx2}Sa!?#2Jtu;lO0w7lGmtD$}jI&ns<1A$#5ORI7<5i&T>W2Ll&Q+IW?KI4nf z+i;B{i(Y5PGSAx^Ce4_Yh0bCkoy6d5GtNwDdaw^BabmSu0ID2{Fy)~Ir`Pk?WR~=W zQIpBZrfo5GD58W7v!-GR#kOrRHZ21OWJUA6qIn1UxJi};D|3TeB0jgw^=i1!0#!Wet* zFh%7-AtGjV!P`YTrVGI|JZ9rTH-_$jgkTwwM&+qN;lWduNY)wJtCdB5HJlA+Qd8zB z6BlA7ucY$ua-LvURT-AzByJ;HW&3EP(UxD=nJ7hxOenE7Vu`;*M8h#Mf0{AFRx4g* z1uyLBx?*@3DIAhwIMoE#X39eQX4J6~2v9Zf4r%eV4rY?$rW;`oU# zS;qi_%t$n{AEJ7x7D6&Uv|=ex%+1XBhJ|c=!rE9p=22!CIyrPA+8hs`C27Y9WfrhT ze4iL`+ZRg~jVxBQm!YbClqHKHaGA!eZI{%h^nGq~L+Vw4KtGbQt<##V)yRg3VVP+v z!M0+iqFr=2+)wyMKx)Xj0f9y>joco7RyGE#O3&0zVhp(-us9YnMUQyQ%L*A}CvMvS z+LReSXV8DtiHKGcCY8CmphRPZCZ^ya)R{qH#frXs0WEv2veY5x@R&^_spS#0d>h(m zw^q_D4wY{VhaqOE(b1K^Qfd#jA~vAbK7-AEnkFLQsR#5-BJ>~+4cs|vC^6nTgh*3k zJi7^y!+}g^ma$}3<>xpFkc0>V z3@ntWuOD|%kyU-o{IJGuPtQX}M@S^#>sdOo-c)$jW-dT$(jWe}eFQvf>#o-pViJT7 zvxKb5eSAkZ7zS6{msAm5nU8GC59nS*1NX&-xUJTEE^!db)fE_t?SsF~iMYD;Hglkc zT}a-MYIN_U*F=%Lubc?eB*f(;`Ej;$$vRSRn_zHniPTxsiPO$^7lv%5PeZ|cGvhd~cTYvP(VYi)y= zG(#AjFo;Ivye3Di)Q*xnM)`3k@Lg!Gl6ngS9A1=|r zH92>F9-6^%f7*Ir{U^56Vd-uA710h`=1Vp4-BVw@14g$c7V^pVv=-sFm8f+qQ|f%| z(G53ll<{4YfjFsRS1MEFNROePLsJyj8z|YW;k8x%s+26uz6;56XnwD_?hqe?LTQ9` z5E(wd*QCaK%Uv!k<@iN-etPtEY`ef1z%6|6xP46M>rZ^n8yM)CwcBzQlanl&rC>f9 zeNu;Ly|~n2(a-j`{sWY9$#|&}Z*qT&R#bEB_UJ3wbvVAYEU?t>`d`DCqP>N6LInM# z2E(t(tuiu(E`;o}2W&0kGqGG!3!U>jKMB6wAqG(C0Gi|O1hhvo+K6NP0 zMbZ*C$G<^uacQO*R_oC}u2qZq+jtGyUvH|9lY`UGnZIQbqqs2ZgN5DBT-d^NDO)z| z=E~(W7YYkOj&Seo1~0OiyxxRa4xn%}_;eg_`Xp^D`XfSP>Cq2Z8^rPpok5vcoY@AK zxQHB>xnp_QnYiOm-0t9xVP8*_@kq8fApZSXj;M=|G10gFXSJKL<%Ed3}f>+m@_YXAr+nktA zNJn!r>hEI^1PQEr`3In8SQX`=F~y1nrydXPBilF_PVroa?tnnCFZ@1bI>(_|%^f$| zO!wmlVvxBU_}pl(V0JerEC(%hbfqih4e@%t?PBP;Ah{0OANkkfP@RmoP4$XRQG0h0 zUA3%=m3Nlg7kF?f1j-jm{Uol{`pv)hQN+^;%}-|+;ux=;(~f6w^Ng)bu-%zGK7yrO z^zLV%lpC^5eaC!5dT5mMv(+D|`sX!2w2vA%AEJZ5BtDEN+s%TFdtOJixvI%)|ll8wAYAA>KdWDYk|Bgv3+tuq!0T_-h<3Q;ijf-1hjELZ-R`>uqQ?4whQh)jTrE$ 
z^R(V`l{3^3EJXP9{PMKtuq`+#`s7z0n&J43DHwY z0S+`f5z^92OUvDb`meOEL-Y=vFG3 zb?dbkp{52cJI#W6L9di+Bmz(4$#J+HicR-UPSizIb4X_VHu2D>%mV)Cxm{mSURZ=> z;oX*y=wQtw$k!2N4XzfY@&I9N5B-!P#1S<~ZyA}Q@aL&zaJ`c5Wy0S}si5Kq1kC3` z{!h>zd5NJdZgi8u+zXDoaT?S9A6+%FZb5`7%Gbkh$U2jq>5X}$Qfi%XomU{;Vf z1T+8tf!*t9@Z5vWK@9DsPVp4mtrlz66uQJL}&!)`0ygvaV^~Y*QJ)8~C^k<$20jH1E zCd}-m?d>;s^=6rN@XuT2hYN=)2-YDj_DVY%YYi@J4k6dMLxc956ID*f@TO96m_s8~ zU?KxOl8yDz6?pFZc?S4vx^Yh|to_l(Sx`@(o@vr)wm)(BcE4jUdC0aNX0Iw zM$7gYXnC%QHh#J)kZny(KT}k zHQs8y%Y%21caTfuY3sj&E8@y^n_G*3G!h(-)5GNxH@#H+rA!uH4q3vV4#!W9`=k3C zEWO*(CPu{jUMUGH6@3?ZaJSfrk^)>+#<}Ve<0S z<)!TSEJ9Izjtpa>1&OFwgK)Tfl4y~s?CK#J_vSdvfZyXO&1VSc`v+<#ApF46dT{RW z&chu7vg+~TMoKM^#Zdo-wVYrVV_Oh{a;Ef^X<**k1lxjI)HU&uuW5q5ufv4eA1 z|Hv(MhBP|vFmVBK&w@h&Kk@h96GRRbZey^KAXikS!e;!HV7bku8E07;Mzjf~7Lrrs z^7)Wo*3l>Jxr#8Pdi>hzX2Zj08VRXSy=Fk2&b;qCFcR*guS@69Hd=}nu-#hnh5B-Q z3lI*Zc`8t_qvtL$!yScmV0xJTcz+8dz)bIEJJiJg!F1Oofq#n7q~IB!QO{(p`;lQ2 z1QE%0mLDKDk817rjHWq*=o|mBELM^Sy6K!<;@~k{M%W}Ax@Ag+HhmMu1jrD!N1_8< zHBp(o#rvd9R)i>FI-z`A_-ythLp?a=lpzNu4v@cb+iM{to`w=bBT<%X)~?jt1m93t zZNr&kucvqEGIP;M3|>HGTx{7s5d_XI?!+c_uJ7i9{#xnp1-B_XpVZ!Qf1t1S589{p zhg`s{s!sg+)KT5@@w{DE6~wdCf?L^v@M=LI-m6G;qBkdz>cxxBS0B|DlQM_*lR?2y zy`N-?xwxmdS@`>_Ho+L9S+}o{pXeJ*^X4*Igi}7MHV|fo+~9^?PZ$I`>m0+*O#s~g zJ>g5*gdUZJp~p`ch*k7Z8#Z&W%v$hyF~vHK;?UJ$fS>U-5?|?<^XTk^kpmo;ek%%c zx9(|_XdEJ7+tJ|D_tJ;qF$KV-Rx<|3NxJW!%t4 zu(X|S<4>fi(%R`Bj%o)yZ%kybRs%RJTacMv7G@qahF?!fg55ba^7X)sIx42kUQW{t z#1*IN;YaA|*PNbRsy$jM?Bxyi$FW&em^=~GRuicGftCP=e_!3aLT+ohyO2!Yp?EZT zPjiIjkC!zoA4j<8i0cXPbl{#D{)Q@4K(!8#5=0hcdUANig`iL)_nYy$s*nfT_Q7&2 z;jf|hEZ_VsGiialbKLiu^HJkGQAgwC7p_$tPmy*l zl!~G} z5!nmWeRln+SkAKJUH!m!q{xx_r{hE8oQ?PlZn%N;1C1DDQ{EU z`8SG_uinn_i;n_T8U+2*w;s?H3<2^MZ5W7*n+c4}q&dIi4yH_8X1D;y8-`SO%d z+cXu(a!VW;S%#*0*!wT7W(|^$Q}2a^M&32iTaLR1RY-k-Hbs$%kJAq9!t2-WDXUNpzDD zhuZMO-b1u|AF*7Wf4u$p0Z4-7R@ValK$tMkJjEx+l%R^vPO*;DNNv+m)zD?2$Xr{< zfgIP5r};u4{Fl0lz%_c2LSJ^9<=Rae6I4l$Fs^XeN&04M;uc@n*5DWX`i(7(M1pL! 
zc>ek7N!2Bq3|aBmf@_^PwpocT=AK4bpatP8b-L65b-g~?|M~e_SDWCoRm3^z?JuP4 zFDe~lbx>G@i`bLhL0(;d=;WYBFM4Z0PKHlAtl7BNGjxaex?_N)&jOAYt1`K7Rjk91 zeuwxwA{5~=!YW`gQ|&(MRphJjXH>W7+;is>Y~Mh&w?%C8)Q8>CGiH4QE7Rl3O;o)K zB~U%V)MabURp-L2WH1k=Uy!AN>@W*bqNxilHP;0-*83W5?`V|aGXm5IidQ}sTpWfS*{qm7aF^FZPL&9=Br|6SMq6(+XUA^Q-js5_Kf3{?Kkb-A8oU zaWoX}tLvef-CaVIsvIn~9>s<%i!bC_V(j^5DBo%9Y7Z-_+GnK3{0DS{Vj0xNX$A!S z+x3vAJu^=8^ZVO3i4Q>U4(;`}xX?I!g}Q(@(GAKuS+8k6~$==d)A7oOh zKSc2`9?)t{6uNa@F>M=V0XMoQz9*8G4v@}`+n9i*qq%C2KshDvL4=xwf~-Qn1g6vD zo$6|ap5HlS@$iXgJ{o`{EXY-F`JK<84ihJv)jjYgX50xvFl+9?m7!9Q-g+-&OC)hE zz_Y{80Zsa{ToAZP7qL-TfKc&Gh4yrHut3>Sk?l|Qj#?TiAq7Z>>v&nU6nX%$1*v>t zS=D?OPu5T`V8I5;9R872R&9WT=zPn2S{(0<1^XxRML0zxl)aj3QZRIa&CY# zk37*6wvUf@6YrtTG4)N|+m9b_;?xNBSSSqy{Vha+znT;1`S-~5G_-Pve&Vi5;;v*J z$JLo+6YqoU-@rA4rqcpl$;1#*4Q`~ z25984Q$Zq+OUcit6Di6T&^hc3BZAvWJ79dP5yCBwwo zb@+NtMpPTo*7vKre(qxk(#NTt{A5$S+zAT!NJ`-P3AsQC$Uva;Aa=Q>nX@|XKl@nA z`=?HP;9`5`!-QO;p4|=IeHYw`1Ck4zytxq;fIQCf()qMQs*P6-=iO6m>On45z5KXf zgC1P`NEW_buV}0m9L;{fyA6LM_XOqRVb=k4VHR!%ck+9zkP;&43|017EPrSRKjOm- z4z4@g2+%{@LqlbwE;L3iWxz}^S-YGtEa>Zt>sz%|`kXU5sz$WR4wD*H^>3XbXR=3t z%j)>JQm^M$Sq@d$28*l_&<*=`HUl^l^T6n-ktzb~uM`Y@ydy2OTsywlI_ztqyNU4w z&+6(d27M4N8CUQm1(uWFc|;%jOcqakuvNqH2`td;5Gh^P z)f1s-@rY5OP8)FJzU9Fg19bu0`0VpEzJchl*HA)T;tyJul~G6@_6i#soL8rYzXh5enxe5`BB9 zfShON{c+tTB2{h%^Xqb9hR~IU2h!=kC%&z>H{Cq-{Bc3FJ{l3Rh& zb|P4qZ%xwuL^anClBXJ@>l`%y>*AwL{_PT>yX)PF<2wW|2;2UlyT&)GajWVt)fp-A zi_Xn^g0j(#-|&R1b*|=H6M~UW#*c77|Ksib<4~eUmZ7Noe&rE-HkAKN3&<_=rpa!jB<~& z<+JQgtPf%h=c~TvpQ8rF&~5;6VW+~G%<^-{Fh#^uZ=vZSGrR*u$78~ zgMwR==h&-Pe(km$r#g_ztUnKbj=z^uWj&}-g8!i4B^7JcS}OUK4U$9 zRe~&5@u|l%Y2kz)03YyMj1;+QX;?Ev!t{G@mLG3m_v+nO?J+mDD?RuHyK4(o&?<5) zhln9DtT=^S^*LX-dB)>n6U1?@M=bWV^^cusZ)3U6I282v~E2hGobo z@aEOb=%4iV642BsXrh=$c#T$WdA;6h)+et+5++O8S{JNVzFdIm0yrc0cQ{)m>dPlw~(iO*Y8H`AWjv0=%vVyx)P-B`CXl01C+Tbi`xATv*ZcE6*2TFr-c zgNYCye3O+UxMoj!J|V#Hf3(Zhpdvre`k-sj!lZL{o;-{Tp>8)tWgtIPNUmqzUN?f{p`!s1*{c)`WCV7a6Exc9<-F1>>hl 
zV&$15ka`=0)nD3;K(|^JK5zQ8>f@K;(#6+KyYx=>xke|DHQo1DY0Tk@MyOM>$9N1S z^$cpis#}4$d6{CmtWf7`;mQ%!5*>L0BRF4$T(7SPdv2WPY*z~<UAq{xNadsFxWlnRJ>GnMGXDsiK~l~J&+904)|E`cRjWzA zjZdk6VD-3EF(1_4c0PkLeZ^0 zQU6MTnFm+@iuiK?kgId5!VQ?{c)iT6`CRNMatZ_s@dpsH3TRwF_F+y^bF4V z16}4dddJl+Jqh;bWj`4rj(;p=bs!u6Ee}?*y$PQLw;GwFAKyUxDEg!~&c+d5PTbMl z$wVXiJK`gfuVQPW#z`*wJMD@m`JbN-1~{sY;}Ipfe4lJb&(V#3YI!u}2<8~CAM?fA_# zqf5jf=Qcl|xx{e}m6d(-WdLWzE%aISA=c_1&Sp50|NZ+w>%)}V;f9iy6B(%0#?^Dr zkfsQ?d!gooC9O(*e#=r*;wlW@$c03fJ3dXiebZPMxsI()&|PD_9sA4J&)jDs7{n^RBM=?sF63eq-V`oa<$P zDLOprGA_&3uZrR1*@zT|Iuyn$#mY|~3k3cC{cG^B=yx+Wapw}KG6Wc6x??KojW$^? zgKCd2_p`Rp>_k?(>x%6Oy$zQe#_4Pz7eofKT zzDyOW9nvre#u&j@2hjr=WeSNN;Yz_G4rtFGWbO#MyYDp5kP`lS-JOa!T1AcFfSl8oaYHD>KegtjbzY(Y!XI<>wsMVf?X*1V>48qR^{*;b7o5-LweCQbtnCIL z?_fK?T{?ueNT-@`?XOLzr!Hb6g8xGgul!+63&-)O@vr=n0f*p zY0v*>T*A1K#jH~B!^cbl^oPo~-!}HY_372tNH*M5bm}|j$_mD(IhNRF3;K?POICzY za#RI?tsecC7}*VOw7q=@YKxNg*~Hp2XsPvZdM5*vVhHgIVxbimxTLQ z%1LO)=!5+6$<#*_o7*CuYqia8Lz3A|nA+ou9SGb)ZJWTWGX7$pcE*yUGSSWj+KI^T z#MPHg3EP2+8nX9pjVpwKH+(5aQS8%b3mszv49VvsaN${~lk9_$&@!JH81k*Js`X7n;r< zFc5ICU9Jg@FSx^dB7WW<|5NlUxIX?Sq-$R#=NPtRJ_91A{*A$20iMkVddm+A5__T}y zBJ9n%R^aE)AE;?-pJb*^AjP!Ca5++p*r!RWrPBI!=<&orB_JS7u_4&^x!#MP~Zf)%B_f8?EcUppPr)M4d}K_?N7`sv_pPR&%M<4jE?%64Z(z zSW}tEO@+X@bT9M&$$0{s)0dl^MrU9Tdmlwk;6L2S)3{Z@;AFbKiGr#- z0AXkgWgZ<|?7Gm0&?U<5#AwBu0hrR4#*onOp$p9_0W5cfQjJ)ZaqS7(obw&#BJf;E zeh?06vt`1_n0`U!>rlC3(}OA3Mtu}M7N971PfB<6H&)tv!Nat*8JN(-v^3&B{8ju} zdIVY_x7W7%2j5wMkx1Xcmg%XR`V4MfPYfkX>s0h?f14l%-#y(Z?U%N@YqPhvA3uKR z@Oc4BiewIo6FV0+s`w$l4bCMPMb#MVrU#ILo+#nTV5E6AU)(xCGy5c>2^GM! zSL>8h8h}kcN-EMUhr2QEo`zxcPZZU`BHS+B_d&F$K%-c zsNXwB06jp$zeB4*3KVeam)~4| z@PjhGyYrV`@RogZu0#XHU?+1@J&6+%XYWOASLF8{8gsSM1RSp$6f9>Hj`*$*Wc)!Vk6C zCP&`BiafAY24O*)^|o+p@vOr1MZxas4HHJXxbrYL%i==wYV75FC_u(lUq44?#?)&Qfc_%dNvIm5q? 
z4Tvg!^l;%;QKvMzMZD_NVus8R`)kz_xQUAZKj7MUh_~3CPyqwyMi~+TNvWo<+@101 zD;JrtcPvg=2{?F-)p;YblL*jKIY1$~^OBt84=e)Qkw9X0Q3;1E-CFs#5u#j=*1`U7 z%?2{E|IAM&qtigYDmJX!%d&pxZIg&?Lx9O!F0;$|$fjVNk?;*as_r(Ke%(a4VQ%1c zq(QPedOqP=71pL}5X(YXNJVjd7+sPnj{0y`j^yQodJI~MlXpEp}32wVEP) z$^^y6zpw!+x4Hkb;_TH2kgO=vFBZFHukmh^5Zo7B5_olGOWSC;K-IBGVj-PeJba(P#HMZQfjfYTAy9dCCdGTQ?UTdFi96hJbbe|T%Cx={;R0`}bfQeN z><9E$``WXo1kqNUVYpu~qqSl5(y$>_tX0H;2AP@Z!eM>l68S1hvD!JUC+U+5{RP@z z++55=8+w&>LAGV$j+xMAm!Arh;^wosxF)GTLMo;lf#*>Rk;<0cfR?-WGWCsWm0tsr z*yqr>$_iW046dn4V-~4btb<=g)*;>~5o&iu26d$#k3#>Qj2CTY;HDEP!*!Nu59i;M zJDQFcrw;Ib<&lB02}1aV|>llY19s} zTgDUA)R?I2;p#+~$uGr0FmCG|xY3>E?i%_^%r5ZvK|0MoR+qQx3eHl!SXG_@Y!5T5 ztokP%Gj9ye67b{ur|#yJZ7>@oJ1ud~vu{%YEirtn>EanAs@7wd4N5DO%Zpx&?Ey2h z8AHH0@;__`^^tL?DLdHojWxqBQ(~DcUmNZo)EV@8uy4o8@f~k{UhK`$7+Iez{|ShZanRoZn9{_dfO%^tAA=38>0o&efzr|H7L~rOJ-} zfdr;Vz+>pbr^g$TLTo|}qVf-k)H(M3i^Yf*4iLfEEGnJ2?aG5yABx~X_e9vF%zFE{ zPTF4zRPHCHi;;WQg2C{aD((n3myuTCaEwOyrh!uXaBRj9ScjgfNF2%D6{t6I^i*Z| zsJNH%GJ0Ac^>2{z_gw6fM7A?EwUmryxGA}(kmGPvB-*f`foRD*1bR&2hOx|oJ!+sGe8m0)N`hth??6I3&x%+VGZ9M0T! zAx(Gb4x4nmDvsQsd@8Gtdn3GH=H&7XddIEU5{;C_=mps|_R~MBUGOHUkcs02m9aWb z3W7aQ8I(@U9S#8tJO*0U4=MOTM4f0#mMiiOvjc=dk9yI!=2i()@ZpQq)inMG&xWJl zxqMm-U0QQ^iH^fKJ=xfEnaCXy?q-FPn@Q{-?PJ9)srPX=`J`SmJLej>G_=pMU6U4; zWppYm;9#Lv7pHgvjXvMi?t~;LY*5(1_?k|JTfG1Z;gX6bYt3f`zz1#{u(_IB2BcP6 zhcfYN#@W&iRC~BU+G%dGFlxY`?7opFv}OFGPY&F9#Mr>~>x75G@(X0)rAwty>8HE+ zJIjC(sPfA4l;AlSXT02V;S5-6p7tTisBjV4Ajd9b_gY8+yx6Z_zaIM1(#oe*ZHy0e zdPfLvCg28Rxpq}$tNTglvt9;JVv&FzpA%K688yyQD0`15>L1Oo1|0L4%mL>|^;Y8a z+m=7TQ@-oPp6R>a)1D%~ul@oB+XMyBs?4?;CvC1jyQSwNA0to{p5i+5$&kf(kC_T< z3<9mx??q2bydL}d%Fj!9+4h8YJ=xSzGoyy{gcofD=*!!2MDy{`e!<-tJa2{*p}cyB zbzN(&i0ReQQ<_-q_S`2v&YeRK?CtIE6J*iv-%Z#bWu8>d6gcg&a!r2}_*oAI-$b!f zMex;;P~bFFAeReyO%*;{H&gfp#7RerUlNSf9gN_Ps40dDUZUT7uai>ZPCjA4GnY#! 
z7`TPo7eI>V#K1ky$FCnK4@HrgQ(Y8aqKzU!iY~3l8p1AbjiRt{FPdD03;e$ojiNTv z!D3uZD_Rw5sQj8ibi8wNLH(BOa8B8>3%8m4CtkxIFxi_#llq&Ou1+>Ke5?hGF1$84 z0FHIVbXl1)uUxEwAy|JuLy8Mi97@P>2{1uVvnAU0cGWd82Mu~&y=q@I%iKyzE7e3s zCP`iOO({jKdAO*m5BG$9wLKx#av2}E8-;ZqKU6qB-eZ-=0p7pt{6{_mPB7Ct>AbPC zI}A#<5(4o!#u;uJR(r8T^eo7v7mY(p4nkuxb^^ALZ*Na{nBPD1;t*i44jyeX z-s7+C<9Fd(jBYtcBRma>TsNmYmAI^MXE<u+30srT=TI8?m< zcz@T|Ez2&-Ap;$HOQ0h7qeUV+b%JK=q6HJUT5swRco`aqiy|>eLX+8Yf*L$>gH7DV zR5(#%S&drT40*941N8vePeQfciY@Tp`a6f3_x%kVN zpoY?drrAP0Q9U}2QFmhvfb|J?CCOG)ThDha%Oc)>szb+OmzwyrAsNP6M%jb_4CGf8 zd_Gt-nRgEcRM@cC-RgoIx^vn}g1RI@G-HFPxWNwp&h^n(4qMjiF(e)2zb)#I6Hdj0i6y3n@&;l^J`o zBXBFnAUT(!tAgDdI5Q#1Y$?~(&mmITK8_f*KxJzFFAJ<9#bo1pAPYE|K-^z%xTrx9 zqb)5FjWqXMaF$CGAcKaE)svo=bAWsHbEu_@9xG!w{;~KFA%4;!yqy;# z5yBkmSFNd2mt5+-?IAglO0zyk9#r0~&C~|2CCdh*Fio`V5O=^YxLG!oSZTgb7Ox^irK#1R=0XJvKrSe-6{*kn$*#h+l56+tN%&Zu%5 z|I^}fKGAb(PFjSpOnEuOJc}uzo;U8vVGO`6FMV3e4eEXx@n?_Unj`2fj@gbi#q<8g zaQmtvaKt7!*>P$;teRr#S9MTQoVs0xqS)`uQP-pI-q8*x3qfzP>*j#d(h%S-u&2Sk z=mI*)i`+==LQ+UVvR8JC7;Uwz4hIXnsK}v!A)ShaGVKj1*t{v!dpN%#GEF9K3cGqH zf_{^MoGm97W1I|MR#l)@w|x?oR|lWrgtnJ$M6K=-@9z1;f>UDRC{+bKtIhmvPdF*T5A$?Luv*SvYI%m zWp$F;;$n#q(rbda7`GV(a;9?O(zyhiqGEd?$ec`vT=q?m;jFSg+;aJj={D;2M1Owt0M;{JYjx6qsnHRHsQFu3QD!h+X|?tm((EH z=ru3G%}X>CuD(ZTnqd1WuMkE>Y2%C9R#LiX7WFHH?EL(gQM)*j8ErXPlJeK#YjU!J z&8Bs@BZFhb5^!=3jrq4K*;X%k#;J;LSk zbNYJxwqF&YBV|Zf^HD-;N4VpJ*`|7sNxS%Ug2-z=;VNl_8-HAayIJHGbj_f7=YCA@ zSc8q+^Wb6b-F^ogy}|O)>DGmo8fv}~C@%6}O_zow;c4+w_RLls zpS9_j_!itUpi6fbd4SMMWfkYD%$<9iyTkTxX-HT1&Hd1VL=ynzs{7%rK{s%+oTUv$ z_jiKX=%EDXEQ$ezW@@8vX-;Yof_E0LM76_^H6l>8Ds?Dm=CbhF9o9B})0gYq;n!pj zHoAI+Q%_KiC!u;EeD9xCv+rzysfY{3p?uM({@R8mq{p6Rg_|xA0hICNCK^z_1c1;-X8iX#ehy(6v!I4thn-i zbqjc4X{Pu0zph@dL430nIK!4FC%TkTcYev@J~KFf0GF;$tvCr07U)DLo%~#rzG)H7 zic-x2C%Ap7dS^vtE!dr1DutKOnVyIyuD?>bL$GCvOB9qv}-llMK*9k&Rq>0fV zxk-*|uV&T&Bhy;!4Axak5?J(^hmno4JwbWGlqf4*z0OE9LzS*S8s2IN7$+A&7P?PV zWMK%`g#9Em|HOX@!CSjJlc$xSZG;s;7&YEM?IPnpNU( 
z^R^OrvU*8g<6ym}7=_U*gCcbr#WlhiT{rNlClLsLIlpPms`WkwSyza7+)kA$bvj;iZDqam&t+9JHpilmtVC2!|wbVMa->0AU0{OWYw_ z@uNH-%0({Ri^Z${mHXbs)ISLfeO-3Gf(a1E3D{SgD5mkbnGWc}{qEuQZHufU{4QiN zE7dfFl~QRFXz{dGbqghm8Vdox0+(%eP8{6Sa%27Y(*@~QoO9en5b}~eM%B)8l2BT) zX1bQU_Kz8MkGD7lZ|^XJu8w@E7lrBQgUk=tA-KI>H`&7glKFM|g3lAd}F zGbDvU>(ceu&AF+ALuwft+v)4ak7+D}Sqk{}G88`-t(ojFN6sf|q<(3tcvbtA`&`+A zsTVfWX3O2$g7t#96SQJMkryb%O2G+}0)Z~uQ1hjb4#%1t1`NhA^_S-pg*-u4PG=zG zCTS+27cD~XQN~4w;4|1GcZed{Xg4~d@iiP#1LNZQ6muNJH=~k2!yVsjIVs5Z@)P!0 zad|1Hp=v|cEe3gd3jRVA9rTFToVBHMhuH1b#yB7ueFzyAJO!VGWd*A^DN@I8F+E_( zVL;O@dOn*=H6Qa#?N^A{f|_Y5C9X_PM1XfnVVzNtC0pVSfKY@)&Rwez&(U_n&F;GC zIlViTyt>(z>Ddq&>6A@J?=gatp*2@(~ZCCb$DE?o!us*+ky+}i|dbvBwiQ5%sK zHM=~(1zFKOM87qdC2Z>ScB3KQzooxUC{?a#e z3c24m#OLDXa);m8(*L6&rakQM&6mmME~?V%?D9QYg)k-Ck(-qFpD9 zVQ4oM>`4ii`IN3)UjeY6n^P<>Sasa;i?#z2pdpi2l$9i#;7=MO$4vB4wt`C!%v*Od zBn$a);0A6c;q`a)+PPswheFs0NCdGKQL7U3CoHfs@!#u2afFYs_H_8S)G|6~l$)&S zDnRRVe`y-i3qo5Zwtb-|xg&MQOkC^Qeu{AO5JRvJd>jg`Sm`cyiJoyIv|M`o`0KBS zuBzBJ552QqFFLXt7b0)CB0vk9|Kkktj_M1}yy+f2!e6>&#CpL}h~FG&d&hS;qx<;y zSxwk}nKb_OcZdAGC0p#Ns~%ImI?A>q?=MLbjKyZWjs7B5+PYEv-iTB%oY49% z3qf@m#0_-eikwSQ0M8zTEKppjkgz<6VH|3#I>)WuX#WQ5$q?_IMcd-eb>4{~#&Y6; z=D0_M*rH7N;<#dO`Y9ZDUZn*#q5tO`=wl16cK)pV)VlG`J;RPx1x@Ven75!`M314O zFvUT-xBn2{wXapJF}4=L>gzQRcZkp)dLnP_?aZP|EApOBFeU9i+ zb8VWUGiy8%gj@E@YEzDZJm-BU%op`@9d-q+2T_Y!7Z6Qlk5FQWdQl*0_e(Y9G?`1N zVKi4RwzLYUmI`)sE`)}sL!t${5g#(qfYL41Yl%-R(>X_x-#m$(Z-PdFpfx@yDr)XP;UgFfhq((s+gQK*%iBcE?lrS2R(hI*3FI2 zpu=2pzd!<-;p{0%{{>A`;n!w)@W<$MxRK2L`G$|!K=n0u(bbNcgZn9#s<$haVB(_j zYz;tWiO`!RuRvbAmWB*RA3;bd&Py8rHwjz@6`^WG=+7>NkdsA$K8<=Wn@r|UHaMP^ zMk)tu=ZC|(B-Xq7#ASAw>gH@%CvoxQ$E2>#q!2vR=hfiT43jwtLlD#dQL$FroEx`P z_=xgnY41&k@MM=<%@4#RlF?uhER z-P1`g6=>6n&EmWP+|m1p)SSMWgc1rjsN~CG2TQ^%4Fi7MosVJM&^2uH9sw>;O%*N_ zr#-tqb4AuRdED#5(n{_^>v}rcKLEi$C%6$7ubZ01R!qfJ{UgZgiuMlsXe3U+l1M0> z2#44-=-0;6L^GK_LTyGq57%Qpq&6)tbHx)Yu03X3s@^RMt!k(z5=1Sko!(j_Zr14E z)4(CLv~z*}ScRr6g1}rXu3CMu58d~0b#sRSU>k*2gNG41`6Ro@egJ0NMk5nEj+Slh 
z4aqGY1C3$P<%1-uZ+h+cIF@lhCp2zXdHJeOt(%>c1F#x?ic}2rfbL^Gu_tQifVUr< zfK>6V!Q00Iq1qe?F%yo`T!7@@KggY=Dplm!nH29rG=6~kXo)4c2WaEILY`2}Z4kG; z<3E*8Zn+Icsx}m7V{*DVHks{K3*KyujQ8B~Cc#Ja8NL{`nWUKDJ*RWY7!T`z$`zj-wisGCVfFIi9owK@dN%WWKwT=FG(6 zBV@Bk$$XTuYK$DQC{pd*DcX)UE<9%RNnhY2(GljJ3>>|Ktkf>0c7l5jF#H-1Ip4ez z95jE6>bA(Ja@v-97-eX0bc*+d(7xcU2J@x|n<0@%I`g@KOLiMFggQuJFU-qCSlvY) zu^x;LCD)#~@oh^f{W|Gf1=i?EhIpy{fBL23-f)cP`>*wMiqYBf@$08PiWT8}fpaH&@F0Qd zx*Pe=G%-AM*Z&eOBl?No3yn}4NQl@+r3IqD2yI9a!?mZ3r1iFMig~X&&XqrxJ`fdC zs17pL51l#NNOHKq;KDpERj(vPBIC)?Oh#F!3;pkE@CP@A+J~=kwNVtqfN&74o?PIl z#y1YI%xn*)0AE#Ntf(BG@ICrafLD6wW_!n$0#Cm9klmgqH{<%C&^S>YQ50*^{;KZ( zYJ)ZI#4Rqn8%IhgR>tq`!cpBtfK!d=u?x6b5)xY75kZ-s*>bQwyww0!uA>{>2G_8; zK*CCZr*V++F$#00!cp8&kfJvnd*N-J&}0hKqxm0fqg89Byd?N{gc@eBBC~NxKT2~< z)OjGLoL85iTi?G{vsP;utjK!{Y)w68f4@CZ)|W=EZ``D_cvOzti+c4ICe=^EcjAv) z8eT%l$Y79=if)+Y=evu4+EMQ7foUrI&)lErv2@|Dk8aYZv4@N}fQ=>BLA2r$Z|(sd z*!Ye+e$IO?8DzchH_%QRUXXxBWV`EW10^aOd--$z)h7{z8Up*5Lz zh1-9;29T0ZCY<;MH8yQOVYrxV2>B<_V&59EwL~NiTMj8Ej73b*`}ZG^K?WDtZ$F{F z)mQZT!u0LOo6J`+@vPikn5F8`zr*)Z^&-Z6217Hvxc^09W-?UoUqmb~NPPqObs}>U zWCyYxy_k+~;HqLGBkm)2HNCZcZV@ysyk1mfF9k*6V&T|!YH%JSSAps6Z=~_pOJEM0u%2=mq~^V{qb5^JI=`q7dLFIAr7-%eO2+2C?Ik6sqJeQb_={kb&QRLgT~9 zh~&1Ot|+)>Dg+pjPFT*UlC+$`Lxjjb4sNH-8h_WuszIG|?V`Tj2`h@yLo67^BDS96 zZXYf@AVH4lT_R3*$u*&u!3z&g1%Hmkz`gwaJ(d>`2)G32NzFy%1vlf*8~ai z&OZm|UGisc5fblLdlxcOgEt|bYT;tQSC9_>4VMQh!5o~CtmDxwj?KssB|`4yjh!d- zobxuybP4wAgg5g|&>p(pCRxrQ&1pfiK~9f3L5b&Tuv2h$NZ6B0&XokiKgBY_?a?6a z8aAP?J6a3|t4+IAMr z3+{1;!~T~g8DOW{U||E#i9;%&n)DZW6Q2X518>h=-x9a&>e6iGOp*EGpgv1BwqCd< z3E)#LjhJjPH7XQdhKYP!vZbbg__|zR$9(02UHvt6DTnm8E&$92C0J{ytK#W_YRs5S zEMV0qgMxiU5#3UcRuwB>vK^*J(fFVaehNtp=koQr&h8@i-QZ_xGPMCJ(ID96{0Ho= z=ZDs{HsvAxgJ;`nQuGGIP|Ttj5&DeafC0mk#AH5|W<;%@I_^LNstY<-j2-NW!2P_u z=D#}8%nq-ioHn2hu}g7AfOFXhIsO5)*4&~DlT@LV(KIDUAGQCzxH@uHP(R`ng*E^v zT5b*cF0r$=gPs{e{F%;Hdwjt=j`O(Gn(V$th^XY;1)~F%0U{5%L~48*+$QfF8(TN{TgosIjhmA>d1%TtTJAeQg4h*s+LCl#xE5>swzrp)C1C 
zYiGkLZk@Q~p=9B*v+FwO5z3K#O|Y8`(fT}LMTTz@oEkrtc;Vc$tQayU)1<=)7>*CX zA^fu&ye_JFrr+BR&B4D?>dgP?U9bz%s2n$go^LZ5er-MUpZYwC5LGyUGk*hH!}-wO zy9H1U)=B6~6^qURP z=)?IBeh--^bME_>gcSHpz80`@c*djT1IT*Lzbl!GuwdaGJ3iOq`V(DRF4Y~<8$0yS z)v;CJN3_t6W~hcABKb2uf|OlqQl2BXP;{NOD?o;pd*JB7W5JBoW;F9*>bM$MRAX0d+*YB1dleItww!Oi^T zwRqkN4Y-I~-RcNdJZoI5ceq6^X_qwnYyU93{4B0Bf-+BI>$mNAahsE0vmNm#4S)4|E%Z2O-lQ z2*~65XOd8XLP`UN!ji3X=sL)#euYC(n_>evT-weaP7y@uNg!eBn=is)M4?E02J51G z!xf9=DjW9$E}i(oop74^egPNZuZPo9^MO4XwBP*JHUR1d@XlR*9nO~-x(-z>HgH)C z73rG&^U1K?+SGWr`rxc`aT+30Da>TFc;+gxQP$yK>iy&E9a`1)u60_#p6xo5*Bbo@qLb{x{wMb0;d1G`L4+o;#%-01P2i8>)b_A~(w zPM?$GR~;dyYq!Gd9!Gj|5X}chLxsZiq9HPX1=V7g&Ke|w5Nzx!H0Rn)mfQy7<4a8H z#cBihMO-h$(FTg+h`q14f;JjAuDeDK%_qjwg&y1+?Rb05*~oDx^>XV~O^a6nQlOLQ zHk*5QA|xslxQYN?TXd#0EiiDAr$i02dbL_m{xDDOgY}@D>=-KA9@VA#+RuM3m>bc=|(TU;ALpD8F=!t`FqH;2(7GgaGBn-9}nS>5#q_Q~(Z8B36)zMBv zquq;FY(zciAL)av3r2W;5!1dNGiEp;UTfk~hYv8zH!Ij&H`a#0%z(J~ z!7{*rpTnw1ogg+!A4dxTBqx-WY7faDZT;OAS16nuWw_o>3VEzQQ8yZ6xs-V6tX>x! zubX7iu7~by7hF=+jONMRj#jebeX}|bsdA}i4rlxkRKg4OCpSOaM49mOGH&%i*q>vV zeaJD9@s_^Eww-sgzT5KOTAljmIOc6#gxdg`ce=qYe_bmE^%&bznYfkLs}-)U#%klx zK(*L7=N9b=j&q(!I&lY3oN-N%`5oMR^6<7%WC_4yx!><6#jB`p46!w8XS)K`hUO5% z+hdr;p+H-3k0h9rj2*N2?(ro-hkNJBE7z{L(%J}(5yNdcw1C(a(L>fA>|Mm-UK)S; zn5^`0PPWEXW?aZ$Kt{GFjZ-s_KZF**W4l?X%gzsez^;36mym6|43q&Ta&;6s*v>mY zx|o8H-_)j81}>@UJvlu^>$y0tF97ng=bPvM`7e~7YG;y|vZy&@@cRmV7V=%lVqw;O z5%0ny(_tqER@i=3ypTUs1!f_ISfEhFk1x!K(ap)}^4BMLkz6{}^+kz>i=oB341Z>O z7ksN;3C)yOr%&L!QtlDefm;@uF~I5e;u&)e4;vShvqx)ZF6=~3zacQ;vbJtf&cq55&da<$#vJ^39to^*WuyF14-6 z4!Qtwx+#>D56rix2SMefBX9ehw_4^q3$|X^}0(s9AI%gxhV#? 
zdY7zh!77a_9Q}o=^f0Tcxs_Kd>R^{< z0qnwfIT_f<3gT6)g*dgw*xWEBMEwJR{ecpw-090*~lc((RnN@C%{oKi2 z(>qpN!z-y1fdxOlwXHEm1GdN4_gQ zKDllXtHY?bCfrPjKw9(8$U6Cc^l^oV<=@};QD2#_(tN`6vKQ!GNEj)^c~87rPdduO zTZd|yV#2LSCll8NtWvw`Y~U0n^88xy)D#_4_0P#%yBJiXE_(-_BAuO@IpGOPY;BGc z`Z`Wl`aRYewc_48-Z9PpZo4Ix!w?!=+`9`;2%S4F!*BhJ(*Tv3xuSYt6OE}RYBLWV z3}M6^K%ba2bR(dJ-T8@4GE?T$uRi!O$Zye0%-zjsiN&EG)@hl-O-9jZIdei~5zXJr zM0ske{a_E`{IWmYx56Px*S2rVL~s>F3mbhVF=^$Z>W*?+KMH*oMs9gGdG|OGJuXK= z2WWvoJpHE2LFokcW|Ld;A*QXrG1p6hax(g_ez=_Zt&MJMGDj#bTFj>Q z72Eb<0ZeNWc7zmfSbpO0k617HBm2F04mKH-v7Dq|2Bn;yE_w{+&RiUX{Hn9fct+ekb#@g)2y zU=nWgd;?vnH2#0J_4*K>gRvn41s(+rV||CMEC&j!>`?S7I(C`AKL?#f>prqd)Xz_190hI4+(tzrnu3>17X@oKq}4)}<3&1Wto-Ntocs|I+b0#;aXJa`;0h zmp_4--ny2{YZL+$re%tRbyjKVFr7M4>P8WU0J4kYDm=ThOTyTgtw z(%KX>kVvoqhPjdgQ%Xx*Den?b&{UcqbyHrG=?7Fke>MbFp0MyIcZ&XGDBs1l8dirM zdrULXy7qa6+2!}!V)WwWPyj1+={&lb9L$Hox{NldwT1H7F@)GtX2bJf+z$4=xm^4+BqFVzy=g5lqHOY^IfMPR~KPN^yaedxFZ z7uz%3f%D7Khg-+{1hl)naq(J1(W6JstR;0I|pGI^1|t<#O!S9BDh(US!G}rdr@nK z8qIPrFs7E{?a3n;$7Fl>(iX?X-PLG~h3G-N*vA%*|E2jTadz)-sQf>?7sBnTwh(u& zoLyda4%uGIBi7%kP&jGB?^A3dgHX(=mYVDteL~nWG8XtmL6`gKo)Zl^)b3jKZA6-o zuw&m-m~0{sbC3Abj$Ejo>Kb$^t|_Jx92|!YbP_&g%+kt3mDfGwol6dg%bd9hqny8C z2KuyQh}F|c>w72fn@*q&qogUdU|3v|E*Uj<&u1y0i1_zmnzxqKH_Xq;iPZuGG1+It zl)cB=;=WoW+&JdlU}D(B&PJUg1-C`>4wg5ekKWr8ZU8NpZh|HYExrWX7kE)un>oCo zUv!UN*7k58RXEj-`M^=>u66=yCF0AjOForU?SF*Y2m^&1Hg#xh>1B2ddWO1k;dxvs zJ-7_qRwH4h8I@1YB)&zEc-?3_Hz*Dix%DiG&})+QxfPNH_?fS0Y^xIv-zZcjSW$x- zt%WwfBt58p=QCGf=nzk~RgTSd6aw|+BnamS#9uxNf8iy zAUwbYQL0i?%aH*Oev|r$dJ#$A;6`Sn=M;b&%MeR^!Mt<=orniE6e0>3T&r=0IZ^Z$ z9gZkeTwUw&%H``;?A5J0*#EmU{gQrEHM|VE5XlUiQj=2jZ2Hw)8 z8k#`t@iJ9GrXj??pogXdQYHe7&&)Sw?u8=)HYzbdntVO6a~q}=p2{U&2dBC!1_`V! 
z!mL^sJkls#)1bQcj^pk9H+o&RWK4|ymusjV3b**w%hts-oXbi5_50Tk{tw7&eE$$` z;Moc??SEYBWkkvpwb_q}c!$=utlYy=#U+wRa5N0fWlixWGMivbTnWZNYo=sT`S)QA zu-&6x_&K?sxK{HR6FP9)JW%cV!sFPrq z_pQKL`FE`qBLvq=Gk=3;lqL)*bIbUTKchYnS>uzh(ZEVN9-_6_pQ{2PpU5R6`y4F77LNnt`adUp{{P zbrs=Z?RWKs224#}_$rD@h`N57%Hp{Oj!AkDxC6{@KYpM=n>?1o{R8Ez=&=yeA|)+W z;A^TaQLoka$t=Hs{UKMy1+Sks_q-u7Xj^lvD=hUKpVsLN?YNU<%{+0T0FYs>KSMh5 z8>Wo;*f|Y4eN2`~7RhiV$_p6T#4y{v>~I9oooG{uE-8tpCRD_jY>P|J)?mVg&CEG8 z7cQm|=aD+m0amN!wj27hZyB1*0<6AcsU4!oxUe}PFJd{gS+qeh!RUq4zK*?KyN%s& z6(K7@6!%MOU+c8PVT=+!8AL9BY*$(|gbMWc}=>iIG zK65?y@*vRg@y6l7SNY{4+{HA)zjgLXzy~A3~IVq79`PV{Aj*=$f<$_*Lx*Rd2|7Z6g!4G42<-^iVt` z*)95dg5S({LZWFo7Km;YGkWy}H;Iqe78Ml$bf#t7k+*?sYzVR$MSnLy3|(A{3+Jl& z!tM|+>#f{hR9r4UMJ5g%BokpYl2?dEQS&JQ#8@fslM z>^Ui$I}e9PTxAcwHZ544h|{q3llD|nT=D>2Cq>vwtWkDce=mEoU*`NyFQ1=pKhQ{G zUHvX{cT)71OH88Ew_jYia2UJP`6_J8|6-p0_Wp5!FxR(6Wc<9_^(rY_t-dy>bG0~F zyzz%#UE+G3?-_q@H01T!iY7A11mR`(D@v3Q=fDLgp9`s^e=@?nK+*o_kg+i9l9eoQhSkqW#8cOVqeIm7=6CFgOJDOf{F2 zUYt8GQw0bME3nLMc5wO~5Hy2_UDcfrwkO0A8M#lOBn1Sv>-qZa!sl;pHBFG<@YT{Mlw-tF+}^FVQ22!cY%M;Pso7zYk;gd+iNj({{Udz)sESK7!MRsi4C3RvqmVco+~P@Q-hA2HRR z8+l{TB&-HkFrPpMoENul=mg7aG?HfA$<(z?mN~b>z4O5)2d8+8c09T>u)?hZSw_Ke zi9*dp45+8c&FtzWEvtzo3%{ufJ4cqK?Q=VsatatB`MYfmTzjDEt7|G^mLLQG|e?? 
z<{XfUhNTaB3F4j)%V!-`Kd}?NNIv^Qi8{Taq;~92f{io>im{ZBRMy3{y+|T=wP#|y zA63w6Mt4CwW?6-roK!KRYx@-~n2xz}rra+F#+k~nyFzw%OM9^$C|d|k{Xgofw~hA-3W5#cFby4=6%0s7w`-6|8Al zj+SV#>{zml>xP^T6K%C6M{Hbllu=B# zNOL)gahPNAfa5~wbJ25oj$nYmho8z`(vYw^)-uEzk@ueGcm=3R@0YvLLfJH=I7MVka96Wiv=}V+@7z&&$7tt%huHWz9&MmriY_eQ4+*$w?kDdNmNsEOjb3~`T?KN)eYlj3N5x8H4Ph&;2h$Dn4> zqnfsU+7Q>27p~DmwXRD@VX-WfH9haNAj#zxQkslhjaW1J*=J;+g+imP$jM@?1j8}5 zHkax1#mlavd~c@Otp9{;XW2WIG^NFDrEq-3<=ThAwFgE}SA9=P5_!bnMu z{lU1EXSf$mLcFwiR3S(`MAALPJUplN`2WKxO)d?`x8;EUftE(x5(C z?nXG5Gq;T6fGR|<2L)g2xTG|{qHP8CkyfP5;aGsd6hw^=QbuQgNSnH6kOi-(gCQ*h zGZ*TKI2!$FnGAJ29$na1FFmF@F9#xKz{qnj%aVkdBiC|EmYEZOqO@RO}s6Z=bV(yJMye2 z(^k!$^khve_N=&dg8M5oShECo$%h&Ewa9hLyKx-885!(-A9^yr&TQTa>5{-^aZjLjk|LUr z2$uGMEcvN$LVZ5%MNV0Ylh`M zV+XQL0HKzFRLiDpQ6;+T(r)PwXQC{NnW?7Kgs@g3P@RM7LuiJ2O5`mNg)4Xw#5V>J zkY3rc_tnF%gL6Nb(^qb&f#KnYI&73!}YOX?{TDsQp`6zjj~!b5RFo&XKK}Fjrt;c%@74YH%&ls`$(=c6OiI50?B!r8cvQTva2^eV^8UcCUB7Ire1Gl)c zf;c*6Fy!{n9Lc+!D25*3_4EZ9=HPx_UGyX$n?dxgXmA|ma!bU(XjL~Hye4xi3BRIQY)k9jupM=uacK=9DEUPVd`q@M?AYvaUBiKRPwy|A z?K{#4V5dFUEz*EW zT;E8F#A@3}!TTe@EU?WmP{s@6F_$j0mDQy1iW+)>oyz-0kpcjaBGssIM;&(;bX#>K z10}F917tpHV!fRzQ0SFP4krQalb%#(Ax-F zh31JmX&SN>OZssf#p%tm3QPx4d;dxNxd0cjB24e(E+9E`!&!?CdyjkT$qB)XbJPqH zrJz;R!N<5rYkAWEqO+o!gWRy&tL_a3T$dZ(X&CERHnIP;jb8WLU{9e2wMqh|$GQ zWyznlw;2`lLjqJXs$aVAB?Rn(y24_V5y-h7m-Qi~p47U4fCU27%kqRJ1OMd&@{&>N zjC!J3bEYvb84wp6iNzn#8|%^@VwerW_Lj`yob2`YFQrC6p>N3a|dvd4%9JG;BQaQCrQZrkfgO(gUlf_ zG%Z#>sA#4Uw7dgW)pIzk^q_a&Ft_et>2ks^d~&a82`e*T3Fz(Je2=SAiTVuFf)(T_ zHIq4O1t~jJ7iDfpP8xGBCnq&~O@mWHOK}@mhmH@_4f)=Zw@^uzKtyi&iiFxHFPK$0 zz*uY4yjT{ZE;#QB%*#=BNi$lOU08{7SBs{rfy`!Tapq#Q6^ndi-1Qr*^N0B zc5*RnZx~5~YtbJYfh#BpJ}UMD$$)_M+nPLhNYK@89}A)Lr#i3^WO~!W)5xhr z9TGAp%ty=N)lBV`tg@a`^nsgF2-~jc7ox$^d|2804kxMN+7Uh%m(KD^*ySmr!EB$N zU#Zqw2iAUhYk+8Rx#(g|UT@whvy8=YdcGUuK4haFCIZ*86PHZmvRNvvY}=3bXG%&0 zj!B;)DP=jf+wX_TVA5gnr(lpX$!X64u@u4>3yJFTxC?7?tQnGYtnA6km^d*#c9h!gnW%8*Sx5cKJR{d5R1$KV*fw-U0ItV@W3!@ZsMHI*KqI!#%R-hYI95YGK{`+3G>iiXr7O-*$!OiV 
z!3Qd`Z(N;~)b<45#|utLQ{#`&?D*L&muhXz^8?ksag=!{$4_vpcg1JVD@9HeQ^LZ< zAhFF(PN`PC6HLTe5y#ObOTMh`8IChifQ~{^4u4>>MUCM_CyMJ`Jh`kPLO? zxzxOa9D7ApZ(Mh&YO?1C$Lf<2jmrHp>tpC4d0#f%dPN+MDcOH5kWcoS?YUeNhR=j8`;w~Y zAWxjEC?BwiM2x+BR;^+?%2XqNS}zBT_M7{GKewB%B(^$Kr+=7IH%O$BFTmdfwaxabu#u{Q7E^k{-akC}+JW$z|i!~j~5Pp}%OUjyd zEplQ4LjC2vAPvuw@u4RxQaLU^Tv_Oj1B9H=*2Up6+=9$V(!|7!S-e@T;*wG^a>C4C zy;!*!VDyJ0Z<>-ER4Fw(aJn$Aj#hyqB+Fh{Ymv^mlRXD@P&DZ|>+7>-`LeoIOS4x= zq7-_L4#ips4CRroI)Jywn4XZ?Y*abG-HOoTwuw$0#Ccti7Ujn=vedeMBPw$ zPS_Qpisf96o!aF<%58?wD{@w*!|cY=Lvb1V1~0Y97IOiy6_CeL#uLlZdwLyUC-S`} zqoE_2ZMX2&7XvMvEv=VNZmqIxXz+h1cg^9(E>G|jsI^Z`&A8hGkHK;(Y=?-QSwbR` zb&}}XNo3eBZsvp|(X6aRbLzdgI)xfW5(F70uZv7rVy3#&a28ONg!+V|vX!e-F8wa` zrdmGyre>%LC_Y7hqNO0lO#)7YYVo6R3YOfja=>ZPWm$KDt4`>}cZFPAdsj+`EEdaE zeJehx$Ei9>D!OzX7Bcla2nYydK|Kc1S5!RBnkGRvop{V!hTVnn|@fLVfJ1fL0?519{Ah*mVCXd**}S&x>g;1D!nQ=C*S(jx0gzL*iMK@#(d zuqfPi46bEG4x`pZ$w<-KgDP05sNsg9-fpQGE=o(P2yEbcX;2Odv^jBwH5erBX`kxb1DQX+Ev^UzPR6CrjgEbE3|7t|%{#3>^! z2|Ppuys~15o%aJSx`AGh0}86gPFJIrh@<0yST5urAo68|no+~Dl~p~PC)^=bVs)Gz zI%wH9?E-M!E13`>FH@CA+-r{t7K?=HZ}20Oka@+8vZP$z7^h?7mriJ%(6-$ZgN0ya zWU*GP!=TLc9Z}iN!7*ChGLp>f+M4hdRx}eDc&W;9DwZ90!xWNOtu1$OewO7>oXX|$ zviq8~n$<~*BF&Oili^B#^O4DzujELOKAzvt%A%TafMSnygvG;x-O6S;NP=Tqp`N&7 z*O0|fTsgR}m#auP4G#vM)Wg!aJENo*WNQYupa55R5@Q>B*{z-|)^paHeVp$bx-e5_ zf+!0ai}R#dl_p;WYXCE#+&pi#sa|gLVwr-IHojKY zEqNy^!!>WQ-m%yO%WF6{D5yXmXe{L5Uu0S?kYi2Ef}g2SaM?ObTjM?_Yq!Ws0wYW6 z+6-Vr`i!@I1O9&sCCQnNtU-}jQ$yN84i!TB$u;<3f@XxeNuy45t3Jt-%UaP4V0?<9 zB^fTb%4u5HMHL^l!WW8!&*g{rJq)iq!slY}?aa!m=^9u@9ne9I`Wn;qn?HOzcEbw*DL5#G*twye0z|YFUYx*&cGF#SpktbTEqB z>oCk-bbb35mxa->N~4Z&3V0(NccJ!`umJKIedB@i{`s?iN6ggWE)aKaubWB}*j5 zTSb&bTHJ#(s81XfS|&QeF9&IDZ>cRRt|Y8V-gbgsA(}B#2836*&(tnEdR!AhO{g{6 zrp;nauxXMOr<@5j;LhT8d>8gyt85jnF6c4V25jTqaNsmEGmbTdP+-q7TEgKJ;Nsu36j zBOp@erVqx3bv4k5?H(6KC5m@L_pQKA!jasY!f ziv!D~wHrul&#^BDiFXZdh$J!WdkO!cz&N>2RKNmv#TF@)IfN`+=Cu=0BL#v&qA<`gYrxtVmJJZs~(CH?0&Zwz(lTBJ!Ls!F?m$H+Jv% zNVHDdrR{+&JK35{)j6qKw?_&z)rl%Gl3TiQn~y!c_^B28xoT8KMj#pLcT$rh;828K 
zW<5Z5y<(w;e$P6}QB?2{4&)*zPFg2ipDYa7j&-BPg~DC7iyZ!vkJ?HE4!NA?9yu@2 z1kygSQ*ea_#~~a$;mh}jHKHCz>y}py_4+Wd27EnRZiC@)KB@YKSu?hs7DK(U4KQxL zSgdr7nV9aI?-aXxOQ#J?k)@lbxcGrlaY@chy{F}OE77*x#ZpA;u)*+lQBPaBd00lO z2O%5R(8G`C0bDFe65&|J^~&He>yWx$YT?*H#CUNn_5yW%3B^gLk#;7`6KrB638dX3 zp%#}ktOcxwt>{!3eoC-_#--h3A%F4c>|F!Q+U1B0R}=GwQV-gV62Vk@=;Rodb3dsL zV9ZPnLBgWP!t4<)6kWu{{3$U_FPQwMBdS&uV%&1OtdFC{jk-ixisd*drq=Y% z2Q02rzfv~pei9$`v^jlK@x{ZMR%5(vM{~LSXP)RFzs* zyvkI~1U!+9QxAUXu9R5bTaMP?Feuq@+#pPRm2g93%a+`z+>Ibn1?apl;Y2CAx87?; zy+nu?wOO57WV!BJTAd8vw5X(@9ZQ2V+c=rc(q_pg%d$CJ`DINQtSmvSQLtjS9BH_k z^m$PmIU=i?v|D;ar_-nTqC^`c>X{}k8X703>1&54XKmM;mAN{IH*nq8;@yMmplE%dzFS${tu*r5KNXI15FIFMN?N4` zhngU-z`{H0k>0TIbhVHLD>@0AJ85coF%4>!p_tc|ulorbQ)6N=~Y1Hv;!2F8*2@0ZBi> z@cZUktj(`6p)*NPn;I_NUSUm+(q%|_tXVqPs`swk15e;oso*`#q)~J1R62vL)46Oy80MV}ddA%{h&NQN@k;vg06& znzglpiS8<-%=C~SZ&iw#9g894v~g##+caBLS}jV0)y!Je(rc+KXL)UN>W+MK zTZ&UMkqVc6JTegAdSnfJELl9KW-^gV!im;*qcksRKl8m!OQLGDU)elY@S5yl2;I9r z$YMx-4VYFoqrl}87$2a;s3}kWHrJ zu}qB>GE$j`CvCS&Jo2VI$Lcg&lvW_y;I$#<=Zt_CjJjHD2mgrD4MaH8)BU(Q_qPIz=IP3T8y@`)MK+e}=B}r_y}vKDuroe}>WpOB?)rTt=i2{L9;+FW%mU zYIuL6zIUuIFFu6bt}ENDV}0EoiuIrK&*yLyPlqFfnpS>%P~Tsa>GX{we)cXz|5AL} zr+Pr2K{vr8e3fJ}{z zz8F8^ZLiwr?)c2uTekiY=QlbuoA1tiyz!UzM1Gg+Wlzu4$>B5@8v)SMaQ<1(!yat3J`BzA z$g;Ageh}&cFa40+yFT=(6gR96!tYxc@HqJ$VYo z?LT-`&cDHQL4A%St_|vS^VffBYrDVx`@c!^^5319$-Rx~HC4OCz6RXDU;p{9|N7g%b^7)LdH@vR z`|CflZ<-|_Y=g`p)O`D~Jvaja#_at$-KNiX!~hRsyL(S}F+iLW-cLqv1;o>Px&ag$ z_}^U&9KA`f+wBJip2#!4mhI*#IF>ALktszZczI4YA6tAH+wjK|wn*|?K@Dz!tX8l4v4g__2Xyz8e%u=hT$C-~*lqz&gv)v(n#pj$wS5hLR&c+TVb~dQ z&aK2HOZulu;}4GqGLP_fsG0o|p$2u}mY`v2KP{2`}|k;ANi`uSKsVdxzGel`NRUmk%WTJLT6k8fJs z?Y&|krU+~oBT8<%nsusilXYv>`VIctzQ;%zyir_oIIvUUQCQLcL}2*IO1?xf)oqqw zSC|Q~47jM>%T7Lj;A;tw1rmD4!K6S;>DwkkWF@N}#gbdCjz2N4{&quMl_f%A-HAkY zDa$JOyQx&Uep~T~Zoq2BKr>apTCP#gwqrkbr+%z@JcoZroj6zjojdc$k}z)z?@R$l zmgPTkVt+_PHW30nKLoBK_yTcF`hL%cFxEK$$el23pTLYh!((`RiQ!HBKuqOGxEObP z7nk@lj^*+`k*-qy5e2jJLwRnzV97J1WKeCnnVV^cp>eB$BHC5X4 
zP0CW&xvX(y=AXmhKc|FmQLf0%h|bmG@OjX0(475A9Cvbo;}6EU`L`(d_>89V#WSXj zoAe`m0UO|;5J2|h>b$?1*O#&76~(+7Tcu8JsAI;YtVilHnY>K47VO+>gcGcqMon$% zwI~c;ON3M64FH4nj|eu-3&7;}pQ40d-FPUpD0phw>F+$ypK8KS=`Oa zr{HfRW7anO=j|^)R>XrR&>6Sb6~Ng<&6@KKDfr*Vm*;P01O9yXmhN8C=inY~#B(%W zMQY4tA$xfWZnZLzH3DVN8HQQLJsQnh_&28?7CZcq)omg$;xZwb%sFIs9w+4~c(il= z_4FO;+JB$nypF$(u;-h?-snJ`C^7bc=n?T@6Ywv@J*Dgm(@x`?aEONpAY59@kjZH zpDbkfSl8pz-P?yt5WanuPrf^0g&7PE8Tf@)&mZY~_$QIJtSi?TAXlPa_}n~a8E+aV z0j-s4)0z!GjlKR*KMH>_Z^tsHkOjAwIXE%Pnxy_|Wc{C%_AQ3s!7&sv*;{2eOAoTb zO;-5{&gauA6O?6LPFogPYB& zqEXE&ORATeS~xBiD7&fPvPffd=Xq~xNs`N`0!zPB6zwuq%?J=B# zk8PB&_4Wht7T)dO{3OB?ZhSE~NB=SQLn9PMZhsw{_eZdmoBLjmmq%WH2 z4sJvcBlx`4TtDCQDPYqNxx^1}EAICgE)ZVt_86|m;ciy)>Mz3gxNbj@5fY8tokjRw z_^k%&{cf*f?z+SChi^ZW_cKwmC-Hu_V>ts6qa<+S^^DMBy3J62yhNZT|KeS2?-cxqg3u2x5Cb-+8?m;aMTScpKZN`)0mlrWKy^c{_+Zde6y3+|N|b z$}!<}DSmM(U+;D`F23{rCIV}O_lsm^xAT5(V;XG}k83wlRmc{Wt{YsAme&->Yk zKROEcq-Knk>LFSRA9suLXS}KVRjB@GuH4mux(j;0w=sVZ5k?VicV73b1x)AizB$)u zvF}$x{-e2a&&ug^H6FlV-yg#B-5TNZzUKq5Gq!i^wq2U9_x7D1FA+quZl{<&Kwapb z{E&(C{0OY)`+3c)=MJw#`Ktu{A!_LN^PBT$@$m@hZ-m+K+tc5>m#04N=C!W2GQ7Oa zFWR0T58yPy%VqrHK|H{Lc!;vl{pOZtQN-PB)ZAR(Kcc%QW$040ji6+5v%`3QfOzVD z!x{5>X?Qu@UtEpw()+(jJnuUgFj7Qf%>UkgC>~>c>TV}<9^G#5W-0#YYCM3w+TL$i zV}48TJy3?VnR~~VfZ_EK$`YIVr5x7?^Nte&vvB`@9OOT&)jgB(*GO9Ozaif~f-irB z$ZGra0IvL=X5y0iJVLGPe!Z?g2*7ursCtAzV*3Cf?wEbe{AUE=tlLL;9%1ftbH6I? 
zJny;Z^yyg4egtm9CW2Ju&2^%?k`tz8^ds1*`?Z4Sl(t7;oZdaazUP^|`iut{TiLuk zM38@XiJk5JLfd(p=K%z6Huo!v%pKQ#M_|Wn=Z-PmS$pac60SQ=jaJ#MOE&H}pgybJ-j^6K3J2c3V0p*Ew#y9B zBN&JX>uheP*4Hf67dup1T4@6Y$!mnO@n_OwWz9#!MjpIdC+bU_eK8T#Bg5Ii%%er?l z6eSUa=?%HSbT{pci=f}&`|B=70i@kh_vHC`-z2K?pJD>g3 zyBG}~_-rPt6`yfl82`$-L@$T_Nx(%dnHkPryqpf`K3gla#;>9p=Djkq~{{%rx;t};V7sU z3`WayR;=CCDa_r(cpwF{ED_RlJhw`xrI42A^>k#@f*+P~xjo>UH2j_ghe@(Ci1lUU z@MPYCI~7DxsH*--GB~yn@FlF`a{UIo!X~zAV*onGo%yMd{DffEd@h>UT?}#eU%;6y zy^hdAE^<@ZeR`C_g)|=!gc(YfXYRsOcT|++-yh!2I zl);81>}V4INAvNKzDJ5p5KLYstn1P*UgWy<3Q^$xgm2mal+-8-P}-FB%0G*V-~<4Q zJqink-x3D@588Ua9AtYlHw2tI-=BLDzPnv_DfN2YmNbr{fF zk^2S*;m4FlNEyrbklvR4rzl0Ua$z>RbhpKlN2KR-6PQcZ`}~oHpN;@PM^&da6Z>As ze619;owibiH)-%#x`x?Oty!~kda(iD7d*Z2hjA@Nyu~15`vaNGNt6&)RKl``bpmX= z>C~9{!QZb1CEGN-Ak;6wTr$y@2pl(ur(!J@D|}uM9M|v;#}~s`w%Wv)V=0QLn`7mkSEcKDg0X{q##3 z8Ggmz`fon^&)q$KZ+zh|WBoMzD+lA8_nNm@32T|&a|^Ln&ePr`oEe*(tKE?C`z0<> z^l$>gJmif_^THKp-fgnt}7E!eko zo%)s6GINi2#c_EjFS`hOZKWs~M6#0SHdVUvgAqZG*Bi%3YKjsKl%fJ}!fVkqt97Dx zY+ePo7&jo8x+3Arh+rkSNjo+u$+`B*cB8CRztrJH+rfABtyfF@N}dR>;r%;AXCL<- zL*SrnTmem`m1w>7Lq!YEWGPp&$MclQdm3K0dF`{$b-M6Ma_5*+v`C9w z3%49U_bCleM6B2b(^Q{c?$xhGaA*}1pYRyg2ux?9a(E%PiZu;*^i{^Zvr54|LiBvd4H{Yt=N^n_TaHO({SO*7(g>b}m)lMUd~h8Opi58Qxe`94898X7Em# z;r+w|;WKZujiH)ci9>>%AlX)9DaT{XWgBBev1*tx+`PTLdD1Q;=S!{vh|FSgTZz zM*b;+NJP!#Ua7rDiZ(V@!+V)J8!KOaW36}k{IflcpuAS|rcsuA)Gfv{5PrO(R$aon zCNZ{3Yc7sBmqS&N93AQ@!ouHMfs8idDS}w!gv1NQwP6u{0Q?pl*CaYTPhPOXq`ee& z*!j6x$eM!R6j5|8I3Mjcw`C(vtEs}d_Z-}E0-CfHIL2md^0h)my4>FI)rC0@e-?D` zyL$tSYgib**n>4Mo;s6i*DGJ>)MC_JZa{IiVd3fVqAfCeNN{j~%OXLpghw^@S`rOE z{P{OTo`a6pX4h+k8=BsezyNvjvmkK~x_%QUo_(egLNVxLx`d+=|}>U>gHK z4;D-9b8pV-wFniyHU4>2exo&Ku15H&($8bpuwm^|UMl+Gr;PxB(Ffl`U<9$A{U%E> zxo3Scvc5ehi^A8vZbUL??S|KH*fa6XMSu{ME=0=l(HxP#FAsIsrPg#~R0F3Z-7Qo#yIe4D64ZmD;-yi&>x1J)z z#tkdXiV)qb!x8+=K*Gi#{FDZ+ut&b{$jvXoBaRzTTwXiks5o+A`L{so|2go-ZOjx;aRwn(!q7i(O>OIjV?aNLOGq81ST$lUx$ z+-XU-;iViL6lGb`?W?3{QUgJXO<0~|MzzLC8K?HbE9*Ck6|QOen({t5!rvrYcwPx_ 
zGhTQ`EnxhEM=k#X*H}Y)ijZ$KsuD8YGs})VOU1hG;4Xp!)d<4mwaAR+UM+6a84rK6 zZozTwr$t!N*rr(W^>fkN@S|z1&m`8R*&Kd~xn=pjRlT(EPePg={Pb!;b;kJ%&(Lmp zAL#E*mkwerB23@3w zT?-#ewVda5-=<}AI&{*{#J}Ag#k-q!4IcKlykQORbFWe-jzCAaGaAKQ8p1h z@II#HR+to?#L1)LIVwPhCvyP^Epn4;l?hoZwGw_@sLbK(-)&jcyzy4An_NzW<*zpb zLDRm8!SuQf$u;8%A4#8)Kq5E|-+IXCpIfaDfaYRL!gIhTFq4<_J~R`}Cwv{Db)`S; z!G523-{I%E{2@5vRrr!lD{ODopjMTAXJJPS3olNoRr`U6InMqiJSPIDYq5QUG9SyI ze^FivF9Qky2Ah_I(#qIs-=*Pund_f@xq`d!DS|3^o0Lao8MY5qsydVI`A{mI^#)>M z18#r&?OB!&&wLAlZ&rGYi||%pmlGW!v-uaWuHHF3^{DL|2ql>;GIdJN;uvMqBgKS6 z=IrMR;B7`om;W8KSuP(T;)Iu%do%jR3BK@^Q-2iKgebhj95$WE_nrc4+wi`^>+{c( zt>KS?EbVwwMYVPmE-K#PnOOcPF2hE_FYIj?UU7Uecv5;B2JGy=26sV#!E0pjT1g8} z_Lahb={yQQJ&Ij~0T++r?~J4$z8@f!MFMTtLvF>u)mEK4u95_=<@n$cfHXFdmGWcu zp7WdV5vCgJ&c2J0P&O|(gxqw~(yR+n-*0c$ISdMJKK~u07)Iomh%VvAb`$>SI7mv_ zoZYbQ?8>1E&;9)+qH75yxYhX`qH~{r8(zd%6+$Li(Im{)T(Yz`8{7iZi1odFXW7gL zf;6$3!jJl2Fd>oKDok#Z8*!ncPjIjCcU-=hW}AfK9I0PCr`c}I;PK9HG0l|o!t;)P z{h%(5f$-`#b4FF{U_FW0M@LHJ3Iqeb+TkvD>5& zMjIcw&|Mn7+4y@*SCOsoVZarX=fiO`Q4zd902!wYe4fbm37L+sc&8$ea+NH2%Vd#q zr9~y=S_5M)SsuP7q9k6aByTv=kohEs?Ka8F^!(4`-@r{Xd>P@j7#iN$c3kF#Ny_Y| zmMxC9hsR=i)3@AXIo}_9EyHIZgQ}I~jcJ%U@QV2_RtW!oI=J5juQ)UG^7l(sEx3*8 z(xP2E6W3~5_>X6r73u`W<$IlJGL4XL!fy+_3C6TcIk*o35LRA?PQO{#sr9`m=S)4g zo1WlwN?WwCEX}~w?S+);z^rg}@Ks>$B0m(c*(6$c-_+qf_ONf~hZEek`2!e9=Jx_{ zNyEeU*}Cj+Q`>$W(zh7KEpORr^*Ojn;qV(oI^J>Awed9V5#*Y^5M1wL_=ux}c$N1! 
z9!v$Rvn3hfb##0noa4Xny9hfD7P4iX-*zqR4t#`v36M8PY|x~8g6VOs?}mQ}sz^E| zJXXz*HZjI2z>iPrbfUC&tnw~&g^z#7XK@P@C;ky$&uDbuNu^M)*t^9)Y8A)9lIEvE z@{{$Zq=C_hFivtCn3)R;URS#f$*gP~9EdJ9X;91Ny-zneUZ~upO4trY$UHJ{+vGov7Yip+ER*it@+Hi>R3zecxAuFGf{Z$?)!pUreQB9AP86)HhRcqEw4PQ9A4a&Kn5`ik9QDOzR zFs#mTjg+zA-cV}@5UNco8GMuX^hJ1SAZ@uhc)W*ETqbx1qA_&yI|bp1gEy^z80QejCiD4!a->mSP)dLXW4+O`Z;^56y=9&D4@4p*fwX3Vft~|0$criII z1b-}Y3U3|Y^C9zZoG44O^@}sF&D-z{M8lP=K70S=>E}YtOPt4ZGn%Oh75>tW#OpER z_n#xWutme`Z~PL`WjAp6w^iks_4m2;P&yvf%pyD$QAzk(4+S5Ws)Z*w`2o0+^ukx> zjcDPvBuAz9WuuNaRTSoAz3^;3vlp4DcE0_)@XN%#09?i=B7FQ%aEUUiZZk)l@o{sU zr`%NdX4>xnU1XOcgv*VxiD=mhb?8!Ri4dLPmASXMc11X4 zc6GuFwHejRVtt?Q^jgB}=a}vmqT9Uv6~PC0MLJc^JW4fVJOXiZco;kvtP$U3(J3$i)dfhp*Q=p2}*ue%{xNkYhLy{;Ka+?V<>U6o*CfBhFqK z!Mwty2#eJKhqir}FTyWCnShjy$oHPAHoNpad?96o(Qt{R zp1kQ-=$+@nV|dZZ2?97PLJ zSs_@)Eq6ptkN!p!#)D0L_t0KvQl5hcDc&f~(#7EyJz8e$;5By=NnFkWz^=6yePA15 zxYcI+9PF8=(HO;u!drKL6zAP^;o~9Kuc$@CWU(fDc;$OX7`kyd+}uds(mmm;mO=y@ z;f>-_GYVe>xam=hgn{ryaeok(#Bv*6WgSs$Q-I*$7}jf+)fr~qej{qTO{DkpTTo~D zhVTVp1as>k-?efRUYFa}ywXA?b|w3rdE4-w&KJXM^Lzvh_OLe2cp+qmpHlGs{Bh@c zc(S0^=b!c3!Vl0})$9eADJBaA@01akI{4BS!#B6AYI|nWt}IHW3bRUYIqNHgSB<+B z$@Qs32uV@=l&=LK*U9xaIIh9Vn0_Fxb=2@25--Wl`Ak!20R28?nd)s?Xmv~-Kfo)8 z4gM~A37KmmnOCJ@rmhv<+xK0;Fmr`CUCD8t;=E_I<8=ZZJOJ_}L z_CqbIT5{`=;mssWg9AFGrdG$*zyo|<@J|-}Xwt5?7K{lqti$OvToIWuk8pmQegrSB z{ua@7Q0!qI(u~CS9{jTZi{~^tg&5DNEWJcraeHHMhj17gwGu5|OC;fG>qnmD%=in) z?$Yoi;3EffhAWy+UBZmvNJ;W!0iP!uA9yyb{xIACXh34sTnJ$0KA8X`}LU7s;#B7+&t=b|4e$DEyfLBrMN) z!!-nSIK;k5dA&0GIQg1g1ab3U;hF1+g)d+H3eu%_68=t&aByGznKSH{285UBcTkFq z=h}D_L!ER__=SaM5M8aTI_oU?4jzW5mER8M5_1PnVMia<`Fv`rk?yNTS$I8JKM3uV}j}0%eE~(q?;sF8|BF20f6oyN`B2Gx? 
z05qx+#)YSxsLEfLD?~gLo=`3X(nyhVml)OCnlmS%;ud)3HCAX?Vrr&&A!MnU*KF=K z0&jj9qg2w(sosY3s<#p+s{Rq`tvJs$hVV?xa2PMux$uoE2h!Dqs4>bp**v@wio?(s zB5NSl^_`H2SdXUZ|3qP;QvG3^^A(#yDIe)i=uK@z9@;SXfS z-;8pd{gF&-JEC+J&p>jel}~kUbcAtk@FbC9R(h=OQ7F$20X%?I_rzA$i{^P86Tc2% zHYyXRo{ua=m)3YGoU&J>%yl#`ednOa@fwnv5Hmn^5@rO5n2oXPlcQmed7 z4rr>%gtr+lysSlxbsr83oKOo#b!}h$%(H#Oc`jcF3eY8@4?h9^Ydp^rgCt7Xt#ldOPN$eMHI@48y1ISb{s4u~sdooX884eAb9S#|GRA=#tonA11os(FMN+&p16B zVNT&!fM&^D9NLLPbRPb{)kr>lL=Yu#s0`CAyLsaP__iqas9=)ST$8n#>wLm%l!(X^ z!|3Cqn81RwhU=s}`AOBrp=^1AxJ)BN82%bzRGRa`a^@${2d+EP}JG^?YG)D zPP63Sfx9lcjsE1|old(v{Nc@seQ^jLe?$0-cRML%JR-dFwFobl^zX6#Ik6M{YV;;? zB!i!`%AelIJTDi6FemhmJmHbGL z2K6703}tN_kF{@3wKL8De+i#b7u>AKb6jHJC^<<5Uz7`-_v<$0Ean>JwIB|sNrmE= zeEdi1CeP+{qFm&vXj0MI({V*qXCf-aaqzw%E=ME|+0hrqj7lGe22geNO+auaFOJeh zrOy&Wej0>v-isfI%gV+mkxHdek=or?fMOfoLXNTGhc~atfk<~Rkr*t$z;s<;9LK!< z5)o#Gu@G@C6Stzi(_Hdin_6@L$>$lxA^H6V(rn;AiXTA5^=$2y&pHy3Kxk!{tuK^} zvjV`1w9b?n$7u_QL~~YnEA(#Su;;u`{4rP+XXf4eX}Gf*hX5vW2%WSr%-6(Rx)b45 z&K;hDpH8A>70;MliE_{VnmF@Jw;-7$wzn}fY8{qZ*Nu-w*~RPI_+Ypk);Rvhy^Zq% zCm;UpHWqirAu)-kfbm2K48OMaMksSB{5W^UAIl|Ye~A)o3n|s%JvAN6J>+K6U6kCz z55&1e6sIcahvD4ujq@0kO(7b|;Qw-Z0B;&>ic|CZ{4}-djpt^hIMcd&*4SP%-=$q~ z7yxG`QzIlHRCdugk5jzaE0!v~%9J@bYN7-``#x8~&rWS4s6USoG=q#qs#a-{$fMUX z!Z@kaO;Bcp@;E%%U!mDPN8+e9RpES_&qND0`=faJ#vWH@4zEe&QD(6R(L(;Lq^+~EmWe~J#w(nP`7q3mnICFBp!Zek- z-lM!L3=m79*K~x=mB%9g=NU%gJdQ9{Bj!u%Bodj<6UH?@+r$~R zMI4X?udQdF6(J+N77d~5K@@ytH|R_p9PeZ&6m zIP5~i)90A~rzS@Y?1raDVe70f3c-EnS>iAm09&gvbz0MSxH!Q$Wh74+^Gz4`#4#gM zM|mq>KH{VEk%=fi7*KeQ&d(_~QQnJYohWcTVrBX9Wt=jOW$}e^)!m2^mT2~^G{lX5 zB%3(0K}djt+(N7@yPOgHqm)WKVO-R>-lIfDnzzdGWD@1OVGbkC!1|4Fu5sfgN=B^9 zz0n8HW^E+7G%Xw>7sAFHwEW|+$+gOatd;VZM{!KjmSFB32v@r5>_Oc?cT2a}j42-0aen&O?VFX3z$IvoQ(VQEaHtw?Mly?U{UOf1J!A3I zQ;Z`K=ZoTOO5-Tg_@cO~Tt+@0tMA0M;^VNY*nqi~M<>e>`r~X9{w1nwL?5RX|1TbvqX5OkWNU76 zwVEJb1gRr|sczKCyl$w9^u}%lG@k5TtUTmbcwXb>MOJgx?%>j_Z9jC?*hsm^1mcAR zap@JuVJ4a0;F!D1gKA=w>AFQDj%)CQF)s>lm-jP|ZEzfJIaIv>f%>gAR|x$jVkStt%dxT 
zUV5AX@SCt)(#ANF5jSC(ud#|#F2ujSSyiR2l6>%}!bGxX18Z3Vxkk%82HakpnX~-NuD Date: Tue, 26 May 2026 12:23:08 -0600 Subject: [PATCH 18/21] bump getlantern/domainfront to FrontingSNIs yaml-tag fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit domainfront#8 fixes the yaml tag mismatch that left Config.Providers[*].FrontingSNIs silently empty for every parser. The runtime fronting client's arbitrary-SNI cover code path was dead because of this; the scanner's new FrontingSNIs path (SNIsForProvider in this PR) needs the fix to see the data. Local verification with the bumped dep: SNIsForProvider pool size: 4652 (was 1 with broken tags) All 14 IR-validated SNIs visible in the pool AkamaiCandidates emits Candidates with those SNIs populated scanner.go sets tlsConfig.ServerName from Candidate.SNI when non-empty → ClientHello SNI on the wire matches --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index aca9f838..799aa263 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/getlantern/amp v0.0.0-20260305201851-782bc8045e58 github.com/getlantern/common v1.2.1-0.20260326210434-cb69537aaf46 github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d - github.com/getlantern/domainfront v0.0.0-20260419161617-0bff0b2169f4 + github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538 github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 github.com/getlantern/lantern-box v0.0.83-0.20260524155143-c467035b6497 diff --git a/go.sum b/go.sum index f0832d0b..73762feb 100644 --- a/go.sum +++ b/go.sum 
@@ -234,8 +234,8 @@ github.com/getlantern/context v0.0.0-20220418194847-3d5e7a086201 h1:oEZYEpZo28Wd github.com/getlantern/context v0.0.0-20220418194847-3d5e7a086201/go.mod h1:Y9WZUHEb+mpra02CbQ/QczLUe6f0Dezxaw5DCJlJQGo= github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d h1:TrauJ2jdJqOAHyQB5wIL0kWN/dipqKagERE1I/TRVSY= github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d/go.mod h1:LA7cwZQtgXxBJdSJDj2ZgQNo/UY3Qa7nxNxzOuMMIyw= -github.com/getlantern/domainfront v0.0.0-20260419161617-0bff0b2169f4 h1:/Q9FJvKPyuXfH6tfA+C+t9/AbvGWs3Yp9iqI74FYvb4= -github.com/getlantern/domainfront v0.0.0-20260419161617-0bff0b2169f4/go.mod h1:nsdIvgenGUqPKnRFjkssbfxnV/WYWyC0c/t15qGym/A= +github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538 h1:dYyou3MwHJUgT4IFlvdhOCvoZNOWOnIKlocakE41Hzs= +github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538/go.mod h1:nsdIvgenGUqPKnRFjkssbfxnV/WYWyC0c/t15qGym/A= github.com/getlantern/errors v1.0.4 h1:i2iR1M9GKj4WuingpNqJ+XQEw6i6dnAgKAmLj6ZB3X0= github.com/getlantern/errors v1.0.4/go.mod h1:/Foq8jtSDGP8GOXzAjeslsC4Ar/3kB+UiQH+WyV4pzY= github.com/getlantern/golog v0.0.0-20230503153817-8e72de7e0a65 h1:NlQedYmPI3pRAXJb+hLVVDGqfvvXGRPV8vp7XOjKAZ0= From 65f353f0c33bdfe271d814416bf8fcf08bf91868 Mon Sep 17 00:00:00 2001 
From: Adam Fisk Date: Tue, 26 May 2026 12:29:26 -0600 Subject: [PATCH 19/21] cmd/meek-client-smoke: lower AkamaiSample to production default Once the domainfront FrontingSNIs yaml-tag fix landed, SNIsForProvider returns ~4650 SNIs instead of 1, so AkamaiCandidates emits 4 candidates per IP (1 bare + 3 named). At AkamaiSample=50 that's ~330 candidates, which the 8-way Service scan can't clear inside the smoke test's 30s readiness poll. AkamaiSample=3 matches the production meek provider default and keeps the candidate count (~60) scannable within the window. Verified: scan completes in ~19s with 32 working fronts; top-ranked working front uses a named SNI (turkanime.co), confirming the FrontingSNIs cover pool is exercised end-to-end. --- cmd/meek-client-smoke/main.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/cmd/meek-client-smoke/main.go b/cmd/meek-client-smoke/main.go index 0d6a29a5..5963d32b 100644 --- a/cmd/meek-client-smoke/main.go +++ b/cmd/meek-client-smoke/main.go @@ -64,12 +64,16 @@ func run() error { // Only sample Akamai fronts — our meek property is on Akamai, so // CloudFront IPs would dial a CDN that doesn't host the meek server // and the poll-response loop would hang on miss-routed requests. + // AkamaiSample matches the production meek provider default; a larger + // sample multiplied by the FrontingSNIs cover pool produces hundreds + // of candidates that the 8-way Service scan can't clear inside the + // 30s readiness window below. provider, err := rmeek.NewProvider(rmeek.ProviderConfig{ Config: cfg, CacheFile: filepath.Join(dataDir, "meek_fronts_cache.json"), KnownSample: 0, CloudFrontSample: 0, - AkamaiSample: 50, + AkamaiSample: 3, }) if err != nil { return fmt.Errorf("new provider: %w", err) From 3fc145c3bfd7c54223919e4eebbcb9c5f3eca5c7 Mon Sep 17 00:00:00 2001 
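Review bot: The new `AkamaiSample: 3` literal in run() duplicates a value that the added comment describes as the production meek provider default, so the smoke test will drift silently if that default changes. If the rmeek package exposes the default as a constant (not visible in this hunk), reference it here instead of repeating the number. Otherwise make the comment say where the default is defined, e.g. `// Keep in sync with the AkamaiSample default in the meek provider.` run() continues outside the hunk.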
From: Adam Fisk Date: Tue, 26 May 2026 13:10:33 -0600 Subject: [PATCH 20/21] scanner: publish working fronts incrementally during scan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously Service.refresh blocked on the full Scan (wg.Wait over every candidate) before assigning s.working, so Working/Pick — and therefore meek availability — were gated on the slowest probe. With the FrontingSNIs pool now ~4600 SNIs, a high AkamaiSample produces hundreds of candidates and the 8-way scan took 40s+, during which meek had no usable fronts. Add Options.OnResult, invoked per probe as it completes (concurrently across probe goroutines). Service.refresh uses it to insert each OK result into s.working immediately, sorted by latency. The first hit of a scan supersedes the previous cycle's list, so a re-scan keeps serving the old fronts until a new one lands and never drops to empty mid-scan. The post-scan bulk assign remains the canonical end state and handles the zero-working case (clears a stale list). Measured: with 334 candidates, FrontSpecs(3) returns in ~1s instead of waiting ~40s for the full scan. Tests: OnResult fires once per candidate; insertSortedLocked keeps latency order. Reverts the smoke test's AkamaiSample workaround back to the production default of 3 — incremental availability makes the workaround unnecessary. --- cmd/meek-client-smoke/main.go | 5 +--- fronted/scanner/scanner.go | 9 +++++++ fronted/scanner/service.go | 39 +++++++++++++++++++++++++++ fronted/scanner/service_test.go | 48 +++++++++++++++++++++++++++++++++ 4 files changed, 97 insertions(+), 4 deletions(-) diff --git a/cmd/meek-client-smoke/main.go b/cmd/meek-client-smoke/main.go index 5963d32b..9e78de99 100644 --- a/cmd/meek-client-smoke/main.go +++ b/cmd/meek-client-smoke/main.go 
@@ -64,10 +64,7 @@ func run() error { // Only sample Akamai fronts — our meek property is on Akamai, so // CloudFront IPs would dial a CDN that doesn't host the meek server // and the poll-response loop would hang on miss-routed requests. - // AkamaiSample matches the production meek provider default; a larger - // sample multiplied by the FrontingSNIs cover pool produces hundreds - // of candidates that the 8-way Service scan can't clear inside the - // 30s readiness window below. + // AkamaiSample matches the production meek provider default. provider, err := rmeek.NewProvider(rmeek.ProviderConfig{ Config: cfg, CacheFile: filepath.Join(dataDir, "meek_fronts_cache.json"), diff --git a/fronted/scanner/scanner.go b/fronted/scanner/scanner.go index b56864c9..71128746 100644 --- a/fronted/scanner/scanner.go +++ b/fronted/scanner/scanner.go @@ -81,6 +81,12 @@ type Options struct { ClientHelloID tls.ClientHelloID DialTimeout time.Duration Concurrency int + // OnResult, when set, is called once per probe as it completes, + // from the probing goroutine. Multiple goroutines invoke it + // concurrently, so it must be safe for concurrent use. Lets callers + // consume working fronts as they're found rather than waiting for + // the whole scan. + OnResult func(Result) } func (o *Options) defaults() { @@ -233,6 +239,9 @@ func Scan(ctx context.Context, candidates []Candidate, opts Options) []Result { return } results[i] = Probe(ctx, c, opts) + if opts.OnResult != nil { + opts.OnResult(results[i]) + } }(i, c) } wg.Wait() diff --git a/fronted/scanner/service.go b/fronted/scanner/service.go index 4ba06480..04faf275 100644 --- a/fronted/scanner/service.go +++ b/fronted/scanner/service.go @@ -6,6 +6,7 @@ import ( "errors" "fmt" "log/slog" + "sort" "sync" "sync/atomic" "time" 
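Review bot: The OnResult comment in Options promises a call "once per probe as it completes", but in Scan the callback sits after the early `return` that precedes `results[i] = Probe(ctx, c, opts)`, so candidates skipped on that path never reach it. The condition for that return is outside the hunk and is presumably context cancellation. The callback also runs inline in the probe goroutine, so a slow OnResult delays that goroutine and a panic in it is unrecovered. I would state both in the field comment, e.g. `// Not called for candidates skipped before probing; runs inline, so it must return quickly and must not panic.` The goroutine body in Scan starts outside the hunk.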
@@ -232,12 +233,35 @@ func (s *Service) refresh(ctx context.Context) { s.cfg.Logger.Info("scanner: scanning", slog.Int("candidates", len(cands))) start := time.Now() + + // Publish each working front as its probe completes so Working/Pick + // return early winners instead of blocking on the full scan. The + // first hit of this scan supersedes the previous cycle: a re-scan + // keeps serving the old list until the first new result lands, so + // it never drops to empty mid-scan. + firstHit := true + onResult := func(r Result) { + if !r.OK() { + return + } + s.mu.Lock() + if firstHit { + s.working = s.working[:0] + s.pickIdx = 0 + s.failures = make(map[string]int) + firstHit = false + } + s.insertSortedLocked(r) + s.mu.Unlock() + } + results := Scan(ctx, cands, Options{ Dialer: s.cfg.Probe.Dialer, RootCAs: s.cfg.Probe.RootCAs, ClientHelloID: s.cfg.Probe.ClientHelloID, DialTimeout: s.cfg.Probe.DialTimeout, Concurrency: s.cfg.Probe.Concurrency, + OnResult: onResult, }) working := RankWorking(results) elapsed := time.Since(start) @@ -247,6 +271,9 @@ func (s *Service) refresh(ctx context.Context) { slog.Duration("elapsed", elapsed), ) + // If no probe succeeded, firstHit never fired and the stale list is + // still live, so assigning here clears it to the (empty) canonical + // result. s.mu.Lock() s.working = working s.pickIdx = 0 @@ -272,6 +299,18 @@ func (s *Service) removeLocked(c Candidate) { s.working = filtered } +// insertSortedLocked inserts r into s.working keeping ascending-latency +// order, matching RankWorking so incremental publishing and the final +// bulk assign yield the same ordering. +func (s *Service) insertSortedLocked(r Result) { + i := sort.Search(len(s.working), func(i int) bool { + return s.working[i].Latency > r.Latency + }) + s.working = append(s.working, Result{}) + copy(s.working[i+1:], s.working[i:]) + s.working[i] = r +} + func failureKey(c Candidate) string { return fmt.Sprintf("%s|%s|%s", c.Provider, c.IPAddress, c.SNI) } 
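Review bot: In the onResult closure, `s.working = s.working[:0]` keeps the previous cycle's backing array, and insertSortedLocked then appends into it. Any slice of the old list that was handed out without a copy is therefore overwritten in place while a reader may still be using it. Working and Pick are not in this hunk, so whether they copy under the lock needs checking; allocating fresh storage removes the question: `s.working = make([]Result, 0, len(cands))`. Touching firstHit only under s.mu is fine as long as Scan never returns before every callback has finished.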
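Review bot: The unconditional `s.working = working` after Scan now discards changes that consumers made during the scan. With incremental publishing, a front from this scan can be picked and then dropped by removeLocked while other probes are still running, and the bulk assign puts it back from `results`. Consider filtering `working` against fronts that were removed during this scan before assigning, so a front reported as failing is not served again until the next cycle. The rest of refresh after `s.pickIdx = 0` is outside the hunk, so how `s.failures` is handled there is not visible.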
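Review bot: insertSortedLocked has no stated locking contract, and its comment's claim of matching RankWorking's ordering holds only for distinct latencies. The `Locked` suffix implies the caller holds s.mu, so the doc comment should say so: `// The caller must hold s.mu.` For equal latencies, `sort.Search` with `>` places the new result after the existing ones, while RankWorking (not visible here) may order ties differently. The comment should read "same ordering up to ties" unless RankWorking is known to use a stable sort.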
diff --git a/fronted/scanner/service_test.go b/fronted/scanner/service_test.go index 2cb4632c..ae37e85b 100644 --- a/fronted/scanner/service_test.go +++ b/fronted/scanner/service_test.go @@ -3,6 +3,7 @@ package scanner import ( "context" "path/filepath" + "sync" "testing" "time" @@ -39,6 +40,53 @@ func TestService_PickEmptyReturnsFalse(t *testing.T) { } } +func TestService_InsertSortedLockedMaintainsLatencyOrder(t *testing.T) { + s := newServiceWithWorking(t, nil) + for _, d := range []time.Duration{50, 10, 30, 20, 40} { + s.insertSortedLocked(Result{ + Candidate: Candidate{IPAddress: d.String()}, + Latency: d * time.Millisecond, + Status: 200, + }) + } + got := s.Working() + for i := 1; i < len(got); i++ { + if got[i-1].Latency > got[i].Latency { + t.Errorf("not sorted at %d: %v > %v", i, got[i-1].Latency, got[i].Latency) + } + } + if len(got) != 5 { + t.Errorf("len = %d; want 5", len(got)) + } +} + +func TestScan_OnResultCalledPerCandidate(t *testing.T) { + // Unroutable TEST-NET-1 addresses fail the TCP dial fast, so every + // probe completes quickly; we only assert OnResult fires once each. + cands := []Candidate{ + {Provider: "akamai", IPAddress: "192.0.2.1", TestURL: "https://x/ping", InnerHost: "x"}, + {Provider: "akamai", IPAddress: "192.0.2.2", TestURL: "https://x/ping", InnerHost: "x"}, + {Provider: "akamai", IPAddress: "192.0.2.3", TestURL: "https://x/ping", InnerHost: "x"}, + } + var mu sync.Mutex + count := 0 + results := Scan(context.Background(), cands, Options{ + DialTimeout: 500 * time.Millisecond, + Concurrency: 3, + OnResult: func(Result) { + mu.Lock() + count++ + mu.Unlock() + }, + }) + if len(results) != 3 { + t.Fatalf("results len = %d; want 3", len(results)) + } + if count != 3 { + t.Errorf("OnResult called %d times; want 3 (once per candidate)", count) + } +} + func TestService_ReportFailureRemovesAfterTwo(t *testing.T) { bad := Candidate{Provider: "akamai", IPAddress: "1.1.1.1"} good := Candidate{Provider: "akamai", IPAddress: "2.2.2.2"} 
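Review bot: TestScan_OnResultCalledPerCandidate performs real dials to 192.0.2.1–3, and its comment's claim that these "fail the TCP dial fast" does not hold on networks that silently drop packets to TEST-NET-1, where each probe runs to the 500ms DialTimeout. The result also depends on the host network, although the assertion only counts callbacks. Injecting a stub through `Options.Dialer` that returns an error immediately would make the test hermetic; the Dialer type is not visible in this diff. Separately, neither new test exercises the onResult closure in Service.refresh, so the "old list served until the first hit" and "cleared when nothing works" behaviours are untested.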
From a788c4ff4dd28e5c9997d78501e83c83f5211657 Mon Sep 17 00:00:00 2001 From: Adam Fisk Date: Tue, 26 May 2026 13:27:46 -0600 Subject: [PATCH 21/21] bump domainfront to merged main (FrontingSNIs yaml-tag fix) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit domainfront#8 merged. Re-pin from the branch-HEAD pseudo-version to the merged-main commit so the dependency no longer references a branch that may be deleted. No behavior change — same yaml-tag fix. lantern-box is still pinned at the fisk/meek-outbound branch HEAD; re-pin that once lantern-box#265 merges. --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 799aa263..0474bb90 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/getlantern/amp v0.0.0-20260305201851-782bc8045e58 github.com/getlantern/common v1.2.1-0.20260326210434-cb69537aaf46 github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d - github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538 + github.com/getlantern/domainfront v0.0.0-20260526192615-fdc839bc10ed github.com/getlantern/keepcurrent v0.0.0-20260422161259-54a4d9a93694 github.com/getlantern/kindling v0.0.0-20260516120759-a9712f95df03 github.com/getlantern/lantern-box v0.0.83-0.20260524155143-c467035b6497 diff --git a/go.sum b/go.sum index 73762feb..441d8b0e 100644 --- a/go.sum +++ b/go.sum 
@@ -234,8 +234,8 @@ github.com/getlantern/context v0.0.0-20220418194847-3d5e7a086201 h1:oEZYEpZo28Wd github.com/getlantern/context v0.0.0-20220418194847-3d5e7a086201/go.mod h1:Y9WZUHEb+mpra02CbQ/QczLUe6f0Dezxaw5DCJlJQGo= github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d h1:TrauJ2jdJqOAHyQB5wIL0kWN/dipqKagERE1I/TRVSY= github.com/getlantern/dnstt v0.0.0-20260112160750-05100563bd0d/go.mod h1:LA7cwZQtgXxBJdSJDj2ZgQNo/UY3Qa7nxNxzOuMMIyw= -github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538 h1:dYyou3MwHJUgT4IFlvdhOCvoZNOWOnIKlocakE41Hzs= -github.com/getlantern/domainfront v0.0.0-20260526181805-9687c4606538/go.mod h1:nsdIvgenGUqPKnRFjkssbfxnV/WYWyC0c/t15qGym/A= +github.com/getlantern/domainfront v0.0.0-20260526192615-fdc839bc10ed h1:M7ND7KQ3JLEXo/wV4mogdb8BQRt4q3j7iq5sEakee4I= +github.com/getlantern/domainfront v0.0.0-20260526192615-fdc839bc10ed/go.mod h1:nsdIvgenGUqPKnRFjkssbfxnV/WYWyC0c/t15qGym/A= github.com/getlantern/errors v1.0.4 h1:i2iR1M9GKj4WuingpNqJ+XQEw6i6dnAgKAmLj6ZB3X0= github.com/getlantern/errors v1.0.4/go.mod h1:/Foq8jtSDGP8GOXzAjeslsC4Ar/3kB+UiQH+WyV4pzY= github.com/getlantern/golog v0.0.0-20230503153817-8e72de7e0a65 h1:NlQedYmPI3pRAXJb+hLVVDGqfvvXGRPV8vp7XOjKAZ0=