From 5d7b6d1a74ee143cf1b62f0e9d8cf9b4584b2d0c Mon Sep 17 00:00:00 2001
From: sivasathyaseeelan <dnsiva.sathyaseelan.chy21@iitbhu.ac.in>
Date: Tue, 2 Jul 2024 12:33:47 +0530
Subject: [PATCH 01/59] added documentation for PR #9960

Signed-off-by: sivasathyaseeelan <dnsiva.sathyaseelan.chy21@iitbhu.ac.in>
---
 .../verify-images/notary/_index.md            | 209 ++++++++++++++++--
 1 file changed, 191 insertions(+), 18 deletions(-)

diff --git a/content/en/docs/writing-policies/verify-images/notary/_index.md b/content/en/docs/writing-policies/verify-images/notary/_index.md
index ce1db8b8a..2c641b1c0 100644
--- a/content/en/docs/writing-policies/verify-images/notary/_index.md
+++ b/content/en/docs/writing-policies/verify-images/notary/_index.md
@@ -40,18 +40,32 @@ ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82b
 You can also use an OCI registry client to discover signatures and attestations for an image.
 
 ```sh
-oras discover ghcr.io/kyverno/test-verify-image:signed -o tree
-ghcr.io/kyverno/test-verify-image:signed
+oras discover -o tree ghcr.io/kyverno/test-verify-image:signed
+ghcr.io/kyverno/test-verify-image@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105
 ├── application/vnd.cncf.notary.signature
-│   └── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+│   ├── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+│   └── sha256:f7d941ed9e93a1ff1d5dee3b091144a87dae1d73481d5be93aa65258a110c689
 ├── vulnerability-scan
-│   └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
-│       └── application/vnd.cncf.notary.signature
-│           └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
-└── sbom/cyclone-dx
-    └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+│   └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
+├── sbom/cyclone-dx
+│   └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+├── application/vnd.cyclonedx+json
+│   └── sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8
+│       └── application/vnd.cncf.notary.signature
+│           ├── sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb
+│           └── sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d
+├── cyclonedx/vex
+│   └── sha256:c058f08c9103bb676fcd0b98e41face2436e0a16f3d1c8255797b916ab5daa8a
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:79edc8936a4fb8758b9cb2b8603a1c7903f53261c425efb0cd85b09715eb6dfa
+└── trivy/scan
+    └── sha256:a75ac963617462fdfe6a3847d17e5519465dfb069f92870050cce5269e7cbd7b
         └── application/vnd.cncf.notary.signature
-            └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+            └── sha256:d1e2b2ba837c164c282cf389594791a190df872cf7712b4d91aa10a3520a8460
 ```
 
 ## Verifying Image Signatures
@@ -145,15 +159,29 @@ Consider the following image: `ghcr.io/kyverno/test-verify-image:signed`
 ```
 ghcr.io/kyverno/test-verify-image:signed
 ├── application/vnd.cncf.notary.signature
-│  └── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+│   ├── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+│   └── sha256:f7d941ed9e93a1ff1d5dee3b091144a87dae1d73481d5be93aa65258a110c689
 ├── vulnerability-scan
-│  └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
-│  └── application/vnd.cncf.notary.signature
-│  └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
-└── sbom/cyclone-dx
-  └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
-  └── application/vnd.cncf.notary.signature
-  └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+│   └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
+├── sbom/cyclone-dx
+│   └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+├── application/vnd.cyclonedx+json
+│   └── sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8
+│       └── application/vnd.cncf.notary.signature
+│           ├── sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb
+│           └── sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d
+├── cyclonedx/vex
+│   └── sha256:c058f08c9103bb676fcd0b98e41face2436e0a16f3d1c8255797b916ab5daa8a
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:79edc8936a4fb8758b9cb2b8603a1c7903f53261c425efb0cd85b09715eb6dfa
+└── trivy/scan
+    └── sha256:a75ac963617462fdfe6a3847d17e5519465dfb069f92870050cce5269e7cbd7b
+        └── application/vnd.cncf.notary.signature
+            └── sha256:d1e2b2ba837c164c282cf389594791a190df872cf7712b4d91aa10a3520a8460
 ```
 
 This image has:
@@ -161,6 +189,9 @@ This image has:
 1. A notary signature.
 2. A vulnerability scan report, signed using notary.
 3. A CycloneDX SBOM, signed using notary.
+4. A CycloneDX VEX report, signed using notary.
+5. A Trivy scan report, signed using notary.
+
 This policy checks the signature in the repo `ghcr.io/kyverno/test-verify-image` and ensures that it has been signed by verifying its signature against the provided certificates:
 
 ```yaml
@@ -227,4 +258,146 @@ After this policy is applied, Kyverno will verify the signature on the sbom/cycl
 ```sh
 kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=server
 pod/test created (server dry run)
-```
\ No newline at end of file
+```
+
+## Verifying Multiple Image Attestations
+
+Consider the following image: `ghcr.io/kyverno/test-verify-image:signed`
+
+```
+ghcr.io/kyverno/test-verify-image:signed
+├── application/vnd.cncf.notary.signature
+│   ├── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+│   └── sha256:f7d941ed9e93a1ff1d5dee3b091144a87dae1d73481d5be93aa65258a110c689
+├── vulnerability-scan
+│   └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
+├── sbom/cyclone-dx
+│   └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+├── application/vnd.cyclonedx+json
+│   └── sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8
+│       └── application/vnd.cncf.notary.signature
+│           ├── sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb
+│           └── sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d
+├── cyclonedx/vex
+│   └── sha256:c058f08c9103bb676fcd0b98e41face2436e0a16f3d1c8255797b916ab5daa8a
+│       └── application/vnd.cncf.notary.signature
+│           └── sha256:79edc8936a4fb8758b9cb2b8603a1c7903f53261c425efb0cd85b09715eb6dfa
+└── trivy/scan
+    └── sha256:a75ac963617462fdfe6a3847d17e5519465dfb069f92870050cce5269e7cbd7b
+        └── application/vnd.cncf.notary.signature
+            └── sha256:d1e2b2ba837c164c282cf389594791a190df872cf7712b4d91aa10a3520a8460
+```
+
+This image has:
+
+1. A notary signature.
+2. A vulnerability scan report, signed using notary.
+3. A CycloneDX SBOM, signed using notary.
+4. A CycloneDX VEX report, signed using notary.
+5. A Trivy scan report, signed using notary.
+
+This policy checks the signature in the repo `ghcr.io/kyverno/test-verify-image` and ensures that it has been signed by verifying its signature against the provided certificates:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-attestation
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: verify-attestation-notary
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: notary-verify-attestation
+      verifyImages:
+      - type: Notary
+        imageReferences:
+          - "ghcr.io/kyverno/test-verify-image*"
+        attestations:
+          - type: trivy/vulnerability
+            name: trivy
+            attestors:
+            - entries:
+              - certificates: 
+                  cert: |-
+                    -----BEGIN CERTIFICATE-----
+                    MIIDmDCCAoCgAwIBAgIUCntgF4FftePAhEa6nZTsu/NMT3cwDQYJKoZIhvcNAQEL
+                    BQAwTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl
+                    MQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwHhcNMjQwNjEwMTYzMTQ2
+                    WhcNMzQwNjA4MTYzMTQ2WjBMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAO
+                    BgNVBAcMB1NlYXR0bGUxDzANBgNVBAoMBk5vdGFyeTENMAsGA1UEAwwEdGVzdDCC
+                    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJkEGqbILiWye6C1Jz+jwwDY
+                    k/rovpXzxS+EQDvfj/YKvx37Kr4cjboJORu3wtzICWhPUtVWZ21ShfjerKgNq0iB
+                    mrlF4cqz2KcOfuUT3XBglH/NwhEAqOrGPQrMsoQEFWgnilr0RTc+j4vDnkdkcTj2
+                    K/qPhQHRAeb97TdvFCqcZfAGqiOVUqzDGxd2INz/fJd4/nYRX3LJBn9pUGxqRwZV
+                    ElP5B/aCBjJDdh6tAElT5aDnLGAB+3+W2YwG342ELyAl2ILpbSRUpKLNAfKEd7Nj
+                    1moIl4or5AIlTkgewZ/AK68HPFJEV3SwNbzkgAC+/mLVCD8tqu0o0ziyIUJtoQMC
+                    AwEAAaNyMHAwHQYDVR0OBBYEFFTIzCppwv0vZnAVmETPm1CfMdcYMB8GA1UdIwQY
+                    MBaAFFTIzCppwv0vZnAVmETPm1CfMdcYMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
+                    AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQB8/vfP
+                    /TQ3X80JEZDsttdvd9NLm08bTJ/T+nh0DIiV10aHymQT9/u+iahfm1+7mj+uv8LS
+                    Y63LepQCX5p9SoFzt513pbNYXMBbRrOKpth3DD49IPL2Gce86AFGydfrakd86CL1
+                    9MhFeWhtRf0KndyUX8J2s7jbpoN8HrN4/wZygiEqbQWZG8YtIZ9EewmoVMYirQqH
+                    EvW93NcgmjiELuhjndcT/kHjhf8fUAgSuxiPIy6ern02fJjw40KzgiKNvxMoI9su
+                    G2zu6gXmxkw+x0SMe9kX+Rg4hCIjTUM7dc66XL5LcTp4S5YEZNVC40/FgTIZoK0e
+                    r1dC2/Y1SmmrIoA1
+                    -----END CERTIFICATE-----
+          - type: vex/cyclone-dx
+            name: vex
+            attestors:
+            - entries:
+              - certificates: 
+                  cert: |-
+                    -----BEGIN CERTIFICATE-----
+                    MIIDmDCCAoCgAwIBAgIUCntgF4FftePAhEa6nZTsu/NMT3cwDQYJKoZIhvcNAQEL
+                    BQAwTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0dGxl
+                    MQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwHhcNMjQwNjEwMTYzMTQ2
+                    WhcNMzQwNjA4MTYzMTQ2WjBMMQswCQYDVQQGEwJVUzELMAkGA1UECAwCV0ExEDAO
+                    BgNVBAcMB1NlYXR0bGUxDzANBgNVBAoMBk5vdGFyeTENMAsGA1UEAwwEdGVzdDCC
+                    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJkEGqbILiWye6C1Jz+jwwDY
+                    k/rovpXzxS+EQDvfj/YKvx37Kr4cjboJORu3wtzICWhPUtVWZ21ShfjerKgNq0iB
+                    mrlF4cqz2KcOfuUT3XBglH/NwhEAqOrGPQrMsoQEFWgnilr0RTc+j4vDnkdkcTj2
+                    K/qPhQHRAeb97TdvFCqcZfAGqiOVUqzDGxd2INz/fJd4/nYRX3LJBn9pUGxqRwZV
+                    ElP5B/aCBjJDdh6tAElT5aDnLGAB+3+W2YwG342ELyAl2ILpbSRUpKLNAfKEd7Nj
+                    1moIl4or5AIlTkgewZ/AK68HPFJEV3SwNbzkgAC+/mLVCD8tqu0o0ziyIUJtoQMC
+                    AwEAAaNyMHAwHQYDVR0OBBYEFFTIzCppwv0vZnAVmETPm1CfMdcYMB8GA1UdIwQY
+                    MBaAFFTIzCppwv0vZnAVmETPm1CfMdcYMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
+                    AgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQB8/vfP
+                    /TQ3X80JEZDsttdvd9NLm08bTJ/T+nh0DIiV10aHymQT9/u+iahfm1+7mj+uv8LS
+                    Y63LepQCX5p9SoFzt513pbNYXMBbRrOKpth3DD49IPL2Gce86AFGydfrakd86CL1
+                    9MhFeWhtRf0KndyUX8J2s7jbpoN8HrN4/wZygiEqbQWZG8YtIZ9EewmoVMYirQqH
+                    EvW93NcgmjiELuhjndcT/kHjhf8fUAgSuxiPIy6ern02fJjw40KzgiKNvxMoI9su
+                    G2zu6gXmxkw+x0SMe9kX+Rg4hCIjTUM7dc66XL5LcTp4S5YEZNVC40/FgTIZoK0e
+                    r1dC2/Y1SmmrIoA1
+                    -----END CERTIFICATE-----
+        validate:
+          deny:
+            conditions:
+              any:
+              - key: '{{ trivy.Vulnerabilities[*].VulnerabilityID }}'
+                operator: AnyNotIn
+                value: '{{ vex.vulnerabilities[*].id }}'
+                message: test1
+          message: All vulnerabilities in trivy and vex should be same
+```
+
+After this policy is applied, Kyverno will validate deny condition which checks all the vulneribilities in trivy report are there in vex report using trivy/scan and cyclonedx/scan, then verifies the signature on both the attestation.
+
+```sh
+kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=server
+pod/test created (server dry run)
+```

From 421f979f13a01ee34a2173bfbfd9bc6c2ac054db Mon Sep 17 00:00:00 2001
From: sivasathyaseeelan <dnsiva.sathyaseelan.chy21@iitbhu.ac.in>
Date: Wed, 3 Jul 2024 16:05:46 +0530
Subject: [PATCH 02/59] docs for issue 9723

Signed-off-by: sivasathyaseeelan <dnsiva.sathyaseelan.chy21@iitbhu.ac.in>
---
 .../writing-policies/external-data-sources.md | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 43a71f72c..db81b4b24 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -714,6 +714,55 @@ The data returned by GlobalContextEntries may vary depending on whether it is a
 GlobalContextEntries must be in a healthy state (i.e., there is a response received from the remote endpoint) in order for the policies which reference them to be considered healthy. A GlobalContextEntry which is in a `not ready` state will cause any/all referenced policies to also be in a similar state and therefore will not be processed. Creation of a policy referencing a GlobalContextEntry which either does not exist or is not ready will print a warning notifying users.
 {{% /alert %}}
 
+## Default
+Default is an optional arbitrary JSON object that the context may take if the apiCall returns an error. Default value can also used in case of a server error.
+
+For example, the policy below uses `default` values to validate: 
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: default
+spec:
+  rules:
+  - name: default-apicall
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          operations:
+          - CREATE
+    context:
+    - name: testString
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
+        jmesPath: metadata.name
+        default: default
+    - name: testJSON
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
+        default: '{"metadata": {"name": "default"}}'
+    - name: testInteger
+      apiCall:
+        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
+        jmesPath: metadata.resourceVersion
+        default: 1     
+    validate:
+      deny:
+        conditions:
+          all:
+          - key: "{{ testString }}"
+            operator: Equals
+            value: "{{ request.namespace }}"
+          - key: "{{ testJSON.metadata.name }}"
+            operator: Equals
+            value: "{{ request.namespace }}"
+          - key: "{{ testInteger }}"
+            operator: GreaterThan
+            value: 2
+```
+
 ## Variables from Image Registries
 
 A context can also be used to store metadata on an OCI image by using the `imageRegistry` context type. By using this external data source, a Kyverno policy can make decisions based on details of the container image that occurs as part of an incoming resource.

From 66ed9c09367df0f570fc400f83c41ff70261acac Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Thu, 26 Sep 2024 19:12:43 +0800
Subject: [PATCH 03/59] feat: Add imageIndex field to imageData (#1362)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/docs/writing-policies/external-data-sources.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 43a71f72c..113529d9d 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -736,6 +736,7 @@ the output `imageData` variable will have a structure which looks like the follo
     "registry":      "ghcr.io",
     "repository":    "kyverno/kyverno",
     "identifier":    "latest",
+    "imageIndex":    imageIndex,
     "manifest":      manifest,
     "configData":    config,
 }
@@ -755,7 +756,7 @@ The `imageData` variable represents a "normalized" view of an image after any re
 ```
 {{% /alert %}}
 
-The `manifest` and `config` keys contain the output from `crane manifest <image>` and `crane config <image>` respectively.
+The `imageIndex`, `manifest` and `config` keys contain the output from `crane manifest <image>` and `crane config <image>` respectively.
 
 For example, one could inspect the labels, entrypoint, volumes, history, layers, etc of a given image. Using the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) tool, show the config of the `ghcr.io/kyverno/kyverno:latest` image:
 

From 25dbcd78f6ce2f51d841f9e34226be70d91b8a26 Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Thu, 26 Sep 2024 19:14:34 +0800
Subject: [PATCH 04/59] feat: update on metrics exposure config (#1363)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/docs/monitoring/_index.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/monitoring/_index.md b/content/en/docs/monitoring/_index.md
index b37819711..ac341ab5e 100644
--- a/content/en/docs/monitoring/_index.md
+++ b/content/en/docs/monitoring/_index.md
@@ -138,11 +138,19 @@ metricsConfig:
 
   # Per Metric configuration, allows disabling metrics, dropping labels and change the bucket boundaries.
   metricsExposure:
+    # Counter disabled
+    kyverno_policy_rule_info_total:
+      enabled: false
+    # Histogram disabled
+    kyverno_admission_review_duration_seconds:
+      enabled: false
+    # Counter with customized dimensions
+    kyverno_admission_requests:
+      disabledLabelDimensions: ["resource_namespace", "resource_kind", "resource_request_operation"]
+    # Histogram with custom boundaries and dimensions
     kyverno_policy_execution_duration_seconds:
       disabledLabelDimensions: ["resource_kind", "resource_namespace", "resource_request_operation"]
       bucketBoundaries: [0.005, 0.01, 0.025]
-    kyverno_admission_review_duration_seconds:
-      enabled: false
 ...
 ```
 

From 1bb401a9a3106eeee214569a2eb7de9e73e46461 Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Thu, 26 Sep 2024 21:49:29 +0800
Subject: [PATCH 05/59] feat: add generate foreach (#1357)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/docs/writing-policies/generate.md | 181 ++++++++++++++++++-
 content/en/docs/writing-policies/validate.md |   2 +-
 2 files changed, 181 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/writing-policies/generate.md b/content/en/docs/writing-policies/generate.md
index 1b6c6bd73..ee29ade0b 100644
--- a/content/en/docs/writing-policies/generate.md
+++ b/content/en/docs/writing-policies/generate.md
@@ -223,6 +223,183 @@ spec:
           matchLabels:
             allowedToBeCloned: "true"
 ```
+## foreach
+
+The `foreach` declaration allows generation of multiple target resources of sub-elements in resource declarations. Each `foreach` entry must contain a `list` attribute, written as a JMESPath expression without braces, that defines the sub-elements it processes. For example, creating networkpolicies for a list of Namespaces which is stored in a label:
+
+```
+list: request.object.metadata.labels.namespaces | split(@, ',')
+```
+
+When a `foreach` is processed, the Kyverno engine will evaluate `list` as a JMESPath expression to retrieve zero or more sub-elements for further processing. The value of the `list` field may also resolve to a simple array of strings, for example as defined in a context variable. The value of the `list` field should not be enclosed in braces even though it is a JMESPath expression.
+
+A variable `element` is added to the processing context on each iteration. This allows referencing data in the element using `element.<name>` where name is the attribute name. For example, using the list `request.object.spec.containers` when the `request.object` is a Pod allows referencing the container image as `element.image` within a `foreach`. An additional variable called `elementIndex` is made available which allows the current index number to be referenced in a loop.
+
+The following child declarations are permitted in a `foreach`:
+
+- [Data Source](#data-source)
+- [Clone Source](#clone-source)
+
+
+In addition, each `foreach` declaration can contain the following declarations:
+
+- [Context](external-data-sources.md): to add additional external data only available per loop iteration.
+- [Preconditions](preconditions.md): to control when a loop iteration is skipped.
+
+Here is a complete example of data source type of `foreach` declaration that creates a NetworkPolicy into a list of existing namespaces which is stored as a comma-separated string in a ConfigMap.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-generate-data
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      orphanDownstreamOnPolicyDelete: false
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: networking.k8s.io/v1
+          kind: NetworkPolicy
+          name: my-networkpolicy-{{element}}-{{ elementIndex }}
+          namespace: '{{ element }}'
+          data:
+            metadata:
+              labels:
+                request.namespace: '{{ request.object.metadata.name }}'
+                element: '{{ element }}'
+                elementIndex: '{{ elementIndex }}'
+            spec:
+              podSelector: {}
+              policyTypes:
+              - Ingress
+              - Egress
+```
+
+For a complete example of clone source type of foreach declaration that clones the source Secret into a list of matching existing namespaces which is stored as a comma-separated string in a ConfigMap, see below.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-clone
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: 'default'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-ns-1
+          apiVersion: v1
+          kind: Secret
+          name: cloned-secret-{{ elementIndex }}-{{ ns }}
+          namespace: '{{ ns }}'
+          clone:
+            namespace: default
+            name: source-secret
+```
+
+See the triggering ConfigMap below, the `data` contains a `namespaces` field defines multiple namespaces.
+```yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1,foreach-ns-2
+```
+
+Similarly as above, here is an example of clone list type of `foreach` declaration that clones a list of secrets based on the label selector.
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-cpol-clone-list-sync-delete-source
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+    name: k-kafka-address
+    context:
+    - name: configmapns
+      variable:
+        jmesPath: request.object.metadata.namespace
+    preconditions:
+      any:
+      - key: '{{configmapns}}'
+        operator: Equals
+        value: '{{request.object.metadata.namespace}}'
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          context:
+          - name: ns
+            variable:
+              jmesPath: element
+          preconditions:
+            any:
+            - key: '{{ ns }}'
+              operator: AnyIn
+              value:
+              - foreach-cpol-clone-list-sync-delete-source-target-ns-1
+          namespace: '{{ ns }}'
+          cloneList:
+            kinds:
+            - v1/Secret
+            namespace: foreach-cpol-clone-list-sync-delete-source-existing-ns
+            selector:
+              matchLabels:
+                allowedToBeCloned: "true"
+```
 
 ## Generating Bindings
 
@@ -284,7 +461,9 @@ When a new Namespace is created, Kyverno will generate a new RoleBinding called
 
 In some cases, a triggering (source) resource and generated (downstream) resource need to share the same life cycle. That is, when the triggering resource is deleted so too should the generated resource. This is valuable because some resources are only needed in the presence of another, for example a Service of type `LoadBalancer` necessitating the need for a specific network policy in some CNI plug-ins.
 
-When a generate rule has synchronization enabled (`synchronize: true`), deletion of the triggering resource will automatically cause deletion of the downstream (generated) resource. In addition to deletion, if the triggering resource is altered in a way such that it no longer matches the definition in the rule, that too will cause removal of the downstream resource. In cases where synchronization needs to be disabled, if the trigger and downstream are both Namespaced resources and in the same Namespace, the ownerReference technique can be used.
+When a generate rule has synchronization enabled (`synchronize: true`), deletion of the triggering resource will automatically cause deletion of the downstream (generated) resource. In addition to deletion, if the triggering resource is altered in a way such that it no longer matches the definition in the rule, that too will cause removal of the downstream resource. In cases where synchronization needs to be disabled, if the trigger and downstream are both Namespaced resources and in the same Namespace, the ownerReference technique can be used. 
+
+For a `generate.foreach` type of declaration, Kyverno does not prevent modifications to the rule definition. When the `synchronize` option is enabled for such a rule, Kyverno will not synchronize changes to existing target resources when updates are made to the target resource specification. For instance, if a `generate.foreach` declaration initially creates a NetworkPolicy named `staging/networkpolicy-default`, and is subsequently modified to create a new NetworkPolicy named `staging/networkpolicy-new`, any further changes will not be applied to the existing `staging/networkpolicy-default` NetworkPolicy resource.
 
 {{% alert title="Note" color="info" %}}
 Synchronization involving changes to trigger resources are confined to the `match` block and do not take into consideration preconditions.
diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md
index fc740d635..2e8a15b82 100644
--- a/content/en/docs/writing-policies/validate.md
+++ b/content/en/docs/writing-policies/validate.md
@@ -653,7 +653,7 @@ The following child declarations are permitted in a `foreach`:
 In addition, each `foreach` declaration can contain the following declarations:
 
 - [Context](external-data-sources.md): to add additional external data only available per loop iteration.
-- [Preconditions](preconditions.md): to control when a loop iteration is skipped
+- [Preconditions](preconditions.md): to control when a loop iteration is skipped.
 - `elementScope`: controls whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
 
 Here is a complete example to enforce that all container images are from a trusted registry:

From 08d2ef51912ab0cf803249a3d003b2c163fc4eb3 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Thu, 26 Sep 2024 19:25:31 +0530
Subject: [PATCH 06/59] fix: docs

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .../writing-policies/external-data-sources.md | 46 +++----------------
 1 file changed, 6 insertions(+), 40 deletions(-)

diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 8ee79fbba..7a7b503ac 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -714,53 +714,19 @@ The data returned by GlobalContextEntries may vary depending on whether it is a
 GlobalContextEntries must be in a healthy state (i.e., there is a response received from the remote endpoint) in order for the policies which reference them to be considered healthy. A GlobalContextEntry which is in a `not ready` state will cause any/all referenced policies to also be in a similar state and therefore will not be processed. Creation of a policy referencing a GlobalContextEntry which either does not exist or is not ready will print a warning notifying users.
 {{% /alert %}}
 
-## Default
-Default is an optional arbitrary JSON object that the context may take if the apiCall returns an error. Default value can also used in case of a server error.
+#### Default values for API calls
+In the case where the api server returns an error, `default` can be used to provide a fallback value for the api call context entry. The following example shows how to add default value to context entries
 
 For example, the policy below uses `default` values to validate: 
 ```yaml
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: default
-spec:
-  rules:
-  - name: default-apicall
-    match:
-      any:
-      - resources:
-          kinds:
-          - Pod
-          operations:
-          - CREATE
+...
     context:
-    - name: testString
+    - name: currentnamespace
       apiCall:
-        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
+        urlPath: "/api/v1/namespaces/{{ request.namespace }}"
         jmesPath: metadata.name
         default: default
-    - name: testJSON
-      apiCall:
-        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
-        default: '{"metadata": {"name": "default"}}'
-    - name: testInteger
-      apiCall:
-        urlPath: "/api/v1/namespaces/{{ request.namespace }}/invalid"
-        jmesPath: metadata.resourceVersion
-        default: 1     
-    validate:
-      deny:
-        conditions:
-          all:
-          - key: "{{ testString }}"
-            operator: Equals
-            value: "{{ request.namespace }}"
-          - key: "{{ testJSON.metadata.name }}"
-            operator: Equals
-            value: "{{ request.namespace }}"
-          - key: "{{ testInteger }}"
-            operator: GreaterThan
-            value: 2
+...
 ```
 
 ## Variables from Image Registries

From 051966a49dc6405d037cd45b8e79e093390baf7f Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Thu, 26 Sep 2024 19:27:57 +0530
Subject: [PATCH 07/59] fix: cleanup

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 content/en/docs/writing-policies/external-data-sources.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 7a7b503ac..3d64e9153 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -715,9 +715,8 @@ GlobalContextEntries must be in a healthy state (i.e., there is a response recei
 {{% /alert %}}
 
 #### Default values for API calls
-In the case where the api server returns an error, `default` can be used to provide a fallback value for the api call context entry. The following example shows how to add default value to context entries
+In the case where the api server returns an error, `default` can be used to provide a fallback value for the api call context entry. The following example shows how to add default value to context entries:
 
-For example, the policy below uses `default` values to validate: 
 ```yaml
 ...
     context:

From 6f4982fa933ab2dd8e7273fffe0c2e89e007351f Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Thu, 26 Sep 2024 19:40:49 +0530
Subject: [PATCH 08/59] fix: refactor

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .../verify-images/notary/_index.md            | 43 +++----------------
 1 file changed, 7 insertions(+), 36 deletions(-)

diff --git a/content/en/docs/writing-policies/verify-images/notary/_index.md b/content/en/docs/writing-policies/verify-images/notary/_index.md
index 2c641b1c0..588bb8741 100644
--- a/content/en/docs/writing-policies/verify-images/notary/_index.md
+++ b/content/en/docs/writing-policies/verify-images/notary/_index.md
@@ -262,45 +262,16 @@ pod/test created (server dry run)
 
 ## Verifying Multiple Image Attestations
 
-Consider the following image: `ghcr.io/kyverno/test-verify-image:signed`
-
-```
-ghcr.io/kyverno/test-verify-image:signed
-├── application/vnd.cncf.notary.signature
-│   ├── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
-│   └── sha256:f7d941ed9e93a1ff1d5dee3b091144a87dae1d73481d5be93aa65258a110c689
-├── vulnerability-scan
-│   └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
-│       └── application/vnd.cncf.notary.signature
-│           └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
-├── sbom/cyclone-dx
-│   └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
-│       └── application/vnd.cncf.notary.signature
-│           └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
-├── application/vnd.cyclonedx+json
-│   └── sha256:aa886b475b431a37baa0e803765a9212f0accece0b82a131ebafd43ea78fa1f8
-│       └── application/vnd.cncf.notary.signature
-│           ├── sha256:00c5f96577878d79b545d424884886c37e270fac5996f17330d77a01a96801eb
-│           └── sha256:f3dc4687f5654ea8c2bc8da4e831d22a067298e8651fb59d55565dee58e94e2d
-├── cyclonedx/vex
-│   └── sha256:c058f08c9103bb676fcd0b98e41face2436e0a16f3d1c8255797b916ab5daa8a
-│       └── application/vnd.cncf.notary.signature
-│           └── sha256:79edc8936a4fb8758b9cb2b8603a1c7903f53261c425efb0cd85b09715eb6dfa
-└── trivy/scan
-    └── sha256:a75ac963617462fdfe6a3847d17e5519465dfb069f92870050cce5269e7cbd7b
-        └── application/vnd.cncf.notary.signature
-            └── sha256:d1e2b2ba837c164c282cf389594791a190df872cf7712b4d91aa10a3520a8460
-```
-
-This image has:
+Consider the image: `ghcr.io/kyverno/test-verify-image:signed` which image has:
 
 1. A notary signature.
 2. A vulnerability scan report, signed using notary.
-3. A CycloneDX SBOM, signed using notary.
-4. A CycloneDX VEX report, signed using notary.
-5. A Trivy scan report, signed using notary.
+3. A CycloneDX VEX report, signed using notary.
 
-This policy checks the signature in the repo `ghcr.io/kyverno/test-verify-image` and ensures that it has been signed by verifying its signature against the provided certificates:
+This policy checks:
+1. The signature in the repo `ghcr.io/kyverno/test-verify-image`  
+2. Ensures that it has a vulnerability scan report of type `trivy/vulnerability`, and a CycloneDX VEX report of type `vex/cyclone-dx`, both are signed using the given certificate.
+3. All the vulnerabilities found in the trivy scan report should be allowed in the vex report.
 
 ```yaml
 apiVersion: kyverno.io/v1
@@ -395,7 +366,7 @@ spec:
           message: All vulnerabilities in trivy and vex should be same
 ```
 
-After this policy is applied, Kyverno will validate deny condition which checks all the vulneribilities in trivy report are there in vex report using trivy/scan and cyclonedx/scan, then verifies the signature on both the attestation.
+After this policy is applied, Kyverno will verify the signatures in the image and the attestations and then evaluate the validate deny condition which checks all the vulneribilities in trivy report are there in vex report.
 
 ```sh
 kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=server

From 40ece26e532b6674df1714e13787a57e7e3c1039 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Thu, 26 Sep 2024 20:02:54 +0530
Subject: [PATCH 09/59] fix: refactor

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .../en/docs/writing-policies/verify-images/notary/_index.md    | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/en/docs/writing-policies/verify-images/notary/_index.md b/content/en/docs/writing-policies/verify-images/notary/_index.md
index 588bb8741..1d1e816e4 100644
--- a/content/en/docs/writing-policies/verify-images/notary/_index.md
+++ b/content/en/docs/writing-policies/verify-images/notary/_index.md
@@ -260,7 +260,7 @@ kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=serv
 pod/test created (server dry run)
 ```
 
-## Verifying Multiple Image Attestations
+### Validation across multiple image attestations
 
 Consider the image: `ghcr.io/kyverno/test-verify-image:signed` which image has:
 
@@ -362,7 +362,6 @@ spec:
               - key: '{{ trivy.Vulnerabilities[*].VulnerabilityID }}'
                 operator: AnyNotIn
                 value: '{{ vex.vulnerabilities[*].id }}'
-                message: test1
           message: All vulnerabilities in trivy and vex should be same
 ```
 

From d5c01d91df68bc670bd9e929867d6dcff37bbb2c Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Thu, 26 Sep 2024 20:14:04 +0530
Subject: [PATCH 10/59] feat (docs): add support for signature algorithm in
 cosign cert and kms verification (#1337)

* feat (docs): add support for signature algorithm in cosign cert and kms verification

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: case

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: add signature algorithms

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 .../verify-images/sigstore/_index.md          | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
index 5208bf35b..01dfc66d3 100644
--- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md
+++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -747,6 +747,28 @@ verifyImages:
 ...
 ```
 
+## Using a different signature algorithm
+
+By default, cosign uses `sha256` has func when computing digests. To use a different signature algorithm, specify the signature algorithm for each attestor as follows:
+
+```yaml
+...
+verifyImages:
+- imageReferences:
+  - ghcr.io/kyverno/test-verify-image*
+  attestors:
+  - entries:
+    - signatureAlgorithm: sha256
+      keys:
+        publicKeys: |-
+          -----BEGIN PUBLIC KEY-----
+          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
+          5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
+          -----END PUBLIC KEY-----
+...
+```
+Allowed values for signature algorithm are `sha224`, `sha256`, `sha384`, `sha512`.
+
 ## Ignoring Tlogs and SCT Verification
 
 Cosign uses Rekor, a transparency log service to store signatures. In Cosign 2.0 verifies Rekor entries for both key-based and identity-based signing. To disable this set `ignoreTlog: true` in Kyverno policies:

From 3331b544027c286471685a3fe7f19f812b7cfcdd Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Thu, 26 Sep 2024 23:24:35 +0300
Subject: [PATCH 11/59] add docs for VAPs (#1358)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/kyverno-cli/usage/apply.md    |   6 +-
 content/en/docs/kyverno-cli/usage/test.md     |   6 +-
 .../validatingadmissionpolicy-reports.md      |   4 +-
 content/en/docs/writing-policies/validate.md  | 147 +++++++++++++++++-
 4 files changed, 147 insertions(+), 16 deletions(-)

diff --git a/content/en/docs/kyverno-cli/usage/apply.md b/content/en/docs/kyverno-cli/usage/apply.md
index 557d5921f..07e30f0a4 100644
--- a/content/en/docs/kyverno-cli/usage/apply.md
+++ b/content/en/docs/kyverno-cli/usage/apply.md
@@ -806,7 +806,7 @@ With the `apply` command, Kubernetes ValidatingAdmissionPolicies can be applied
 Policy manifest (check-deployment-replicas.yaml):
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: check-deployments-replicas
@@ -863,7 +863,7 @@ The below example applies a `ValidatingAdmissionPolicyBinding` along with the po
 
 Policy manifest (check-deployment-replicas.yaml):
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "check-deployment-replicas"
@@ -882,7 +882,7 @@ spec:
   validations:
   - expression: object.spec.replicas <= 5
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "check-deployment-replicas-binding"
diff --git a/content/en/docs/kyverno-cli/usage/test.md b/content/en/docs/kyverno-cli/usage/test.md
index 63f1b0e83..1ebd7d6e6 100644
--- a/content/en/docs/kyverno-cli/usage/test.md
+++ b/content/en/docs/kyverno-cli/usage/test.md
@@ -701,7 +701,7 @@ Below is an example of testing a ValidatingAdmissionPolicy against two resources
 Policy manifest (disallow-host-path.yaml):
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: disallow-host-path
@@ -823,7 +823,7 @@ In the below example, a `ValidatingAdmissionPolicy` and its corresponding `Valid
 Policy manifest (`check-deployment-replicas.yaml`):
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "check-deployment-replicas"
@@ -842,7 +842,7 @@ spec:
   validations:
   - expression: object.spec.replicas <= 2
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "check-deployment-replicas-binding"
diff --git a/content/en/docs/policy-reports/validatingadmissionpolicy-reports.md b/content/en/docs/policy-reports/validatingadmissionpolicy-reports.md
index 2040e3e28..9baf38b28 100644
--- a/content/en/docs/policy-reports/validatingadmissionpolicy-reports.md
+++ b/content/en/docs/policy-reports/validatingadmissionpolicy-reports.md
@@ -14,7 +14,7 @@ To configure Kyverno to generate reports for ValidatingAdmissionPolicies, set th
 Create a ValidatingAdmissionPolicy that checks the Deployment replicas and a ValidatingAdmissionPolicyBinding that binds the policy to a namespace whose labels set to `environment: staging`.
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   name: "check-deployment-replicas"
@@ -33,7 +33,7 @@ spec:
   validations:
   - expression: object.spec.replicas <= 5
 ---
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   name: "check-deployment-replicas-binding"
diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md
index 2e8a15b82..8ec815eb9 100644
--- a/content/en/docs/writing-policies/validate.md
+++ b/content/en/docs/writing-policies/validate.md
@@ -1697,7 +1697,7 @@ However, setting the deployment image as `staging.example.com/nginx` will allow
 
 A ValidatingAdmissionPolicy provides a declarative, in-process option for validating admission webhooks using the [Common Expression Language](https://github.com/google/cel-spec) (CEL) to perform resource validation checks directly in the API server.
 
-Kubernetes [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) was first introduced in 1.26, and it's not fully enabled by default as of Kubernetes versions up to and including 1.28.
+Kubernetes [ValidatingAdmissionPolicy](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) was first introduced in 1.26, and it is enabled by default in 1.30.
 
 {{% alert title="Tip" color="info" %}}
 The Kyverno Command Line Interface (CLI) enables the validation and testing of ValidatingAdmissionPolicies on resources before adding them to a cluster. It can be integrated into CI/CD pipelines to help with the resource authoring process, ensuring that they adhere to the required standards before deployment.
@@ -1717,12 +1717,12 @@ To generate ValidatingAdmissionPolicies, make sure to:
 
 1. Enable `ValidatingAdmissionPolicy` [feature gate](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/).
 
-2. For 1.27, enable `admissionregistration.k8s.io/v1alpha1` API, and for 1.28 enable both `admissionregistration.k8s.io/v1alpha1` and `admissionregistration.k8s.io/v1beta1` API.
+2. Enable `admissionregistration.k8s.io/v1beta1` API.
 
     Here is the minikube command to enable ValidatingAdmissionPolicy:
 
    ```
-   minikube start --extra-config=apiserver.runtime-config=admissionregistration.k8s.io/v1beta1,apiserver.runtime-config=admissionregistration.k8s.io/v1alpha1  --feature-gates='ValidatingAdmissionPolicy=true'
+   minikube start --extra-config=apiserver.runtime-config=admissionregistration.k8s.io/v1beta1 --feature-gates='ValidatingAdmissionPolicy=true'
    ```
 
 3. Configure Kyverno to manage ValidatingAdmissionPolicies using the `--generateValidatingAdmissionPolicy=true` flag in the admission controller.
@@ -1757,8 +1757,6 @@ To generate ValidatingAdmissionPolicies, make sure to:
 
 ValidatingAdmissionPolicies can only be generated from the `validate.cel` sub-rules in Kyverno policies. Refer to the [CEL subrule](#common-expression-language-cel) section for more information.
 
-In case there is a PolicyException defined for the Kyverno policy, the ValidatingAdmissionPolicy will not be generated. The PolicyException is used to exclude certain resources from being validated by Kyverno policies. Refer to the [PolicyException](exceptions.md) page for more information.
-
 Below is an example of a Kyverno policy that can be used to generate a ValidatingAdmissionPolicy and its binding:
 
 ```yaml
@@ -1795,7 +1793,7 @@ status:
 The generated ValidatingAdmissionPolicy:
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
   labels:
@@ -1832,7 +1830,7 @@ spec:
 The generated ValidatingAdmissionPolicyBinding:
 
 ```yaml
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
   labels:
@@ -1893,4 +1891,137 @@ Since Kubernetes ValidatingAdmissionPolicies are cluster-scoped resources, Clust
 When a Kyverno policy matches solely on Pods, the generated ValidatingAdmissionPolicy will match both `pods` and `pods/ephemeralcontainers`. This occurs because Kyverno inherently includes `pods/ephemeralcontainers` by default in the corresponding ValidatingWebhookConfiguration, and we require analogous behavior for the ValidatingAdmissionPolicies.
 {{% /alert %}}
 
-The generated ValidatingAdmissionPolicy with its binding is totally managed by the Kyverno admission controller which means deleting/modifying these generated resources will be reverted. Any updates to Kyverno policy triggers synchronization in the corresponding ValidatingAdmissionPolicy.
+The generated ValidatingAdmissionPolicy with its binding are totally managed by the Kyverno admission controller which means deleting/modifying these generated resources will be reverted. Any updates to Kyverno policy triggers synchronization in the corresponding ValidatingAdmissionPolicy.
+
+In case there is a [PolicyException](exceptions.md) defined for the Kyverno policy, the corresponding ValidatingAdmissionPolicy will make use of the `matchConstraints.excludeResourceRules` field.
+
+Below is an example of a Kyverno policy and a PolicyException that matches it. Both the policy and the exception will be used to generate a ValidatingAdmissionPolicy and its corresponding binding.
+
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+spec:
+  background: false
+  rules:
+    - name: host-path
+      match:
+        any:
+        - resources:
+            kinds:
+            - Deployment
+            - StatefulSet
+            - ReplicaSet
+            - DaemonSet
+            operations:
+            - CREATE
+            - UPDATE
+            namespaceSelector:
+              matchExpressions:
+                - key: type 
+                  operator: In
+                  values: 
+                  - connector
+      validate:
+        failureAction: Audit
+        cel:
+          expressions:
+            - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+              message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
+```
+
+```yaml
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  name: policy-exception
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        names:
+        - important-tool
+        operations:
+        - CREATE
+        - UPDATE
+```
+
+The generated ValidatingAdmissionPolicy:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - deployments
+      - statefulsets
+      - replicasets
+      - daemonsets
+    namespaceSelector:
+      matchExpressions:
+      - key: type
+        operator: In
+        values:
+        - connector
+    excludeResourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resourceNames:
+      - important-tool
+      resources:
+      - deployments
+  validations:
+  - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
+      !has(volume.hostPath))'
+    message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
+      must be unset.
+```
+
+The generated ValidatingAdmissionPolicyBinding:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-binding
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path
+spec:
+  policyName: disallow-host-path
+  validationActions: [Audit, Warn]
+```

From 88196ca2c6fa519f429d0fb6ace8aafe85dc636f Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Fri, 27 Sep 2024 08:54:30 +0530
Subject: [PATCH 12/59] feat: remove beta warning from image verify, exceptions
 and cleanup policy docs (#1366)

feat: remove beta warning from image verify, exceptions and cleanup policy doc

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 content/en/docs/writing-policies/cleanup.md              | 4 ----
 content/en/docs/writing-policies/exceptions.md           | 4 ----
 content/en/docs/writing-policies/verify-images/_index.md | 4 ----
 3 files changed, 12 deletions(-)

diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md
index bbf7243b9..8fba6ad83 100644
--- a/content/en/docs/writing-policies/cleanup.md
+++ b/content/en/docs/writing-policies/cleanup.md
@@ -5,10 +5,6 @@ description: >
 weight: 70
 ---
 
-{{% alert title="Warning" color="warning" %}}
-Cleanup policies are a **beta** feature.
-{{% /alert %}}
-
 Kyverno has the ability to cleanup (i.e., delete) existing resources in a cluster in two different ways. The first way is via a declarative policy definition in either a `CleanupPolicy` or `ClusterCleanupPolicy`. See the section on [cleanup policies](#cleanup-policy) below for more details. The second way is via a reserved time-to-live (TTL) label added to a resource. See the [cleanup label](#cleanup-label) section for further details.
 
 ## Cleanup Policy
diff --git a/content/en/docs/writing-policies/exceptions.md b/content/en/docs/writing-policies/exceptions.md
index 89b019cdc..8ec57660d 100644
--- a/content/en/docs/writing-policies/exceptions.md
+++ b/content/en/docs/writing-policies/exceptions.md
@@ -5,10 +5,6 @@ description: >
 weight: 80
 ---
 
-{{% alert title="Warning" color="warning" %}}
-Policy exceptions are a **beta** feature. Normal semantic versioning and compatibility rules will not apply.
-{{% /alert %}}
-
 Although Kyverno policies contain multiple methods to provide fine-grained control as to which resources they act upon in the form of [`match`/`exclude` blocks](match-exclude.md#match-statements), [preconditions](preconditions.md) at multiple hierarchies, [anchors](validate.md#anchors), and more, all these mechanisms have in common that the resources which they are intended to exclude must occur in the same rule definition. This may be limiting in situations where policies may not be directly editable, or doing so imposes an operational burden.
 
 For example, in organizations where multiple teams must interact with the same cluster, a team responsible for policy authoring and administration may not be the same team responsible for submission of resources. In these cases, it can be advantageous to decouple the policy definition from certain exclusions. Additionally, there are often times where an organization or team must allow certain exceptions which would violate otherwise valid rules but on a one-time basis if the risks are known and acceptable.
diff --git a/content/en/docs/writing-policies/verify-images/_index.md b/content/en/docs/writing-policies/verify-images/_index.md
index de9f15764..920b5ec8e 100644
--- a/content/en/docs/writing-policies/verify-images/_index.md
+++ b/content/en/docs/writing-policies/verify-images/_index.md
@@ -5,10 +5,6 @@ description: >
 weight: 60
 ---
 
-{{% alert title="Warning" color="warning" %}}
-Image verification is a **beta** feature and there may be changes to the API.
-{{% /alert %}}
-
 The logical structure of an verifyImages rule is shown below:
 
 <img src="/images/verify-image-rule.png" alt="Image Verification Rule" width="60%"/>

From a78e00342bf923515be522065bd73669867c862e Mon Sep 17 00:00:00 2001
From: "A. Singh" <32884734+A-5ingh@users.noreply.github.com>
Date: Mon, 30 Sep 2024 01:09:39 -0400
Subject: [PATCH 13/59] doc: update hugo installation for github codespaces
 users (#1370)

* doc: update hugo installation for github codespaces users

Signed-off-by: A. Singh <32884734+A-5ingh@users.noreply.github.com>

* Update README.md

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: A. Singh <32884734+A-5ingh@users.noreply.github.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/README.md b/README.md
index 3cadbb4c1..f6e693df5 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,15 @@ hugo server
 
 By default, Hugo runs the website at: http://localhost:1313 and will re-build the site on changes.
 
+**Note for Github Codespaces User:** You will be required to install the hugo extended version. To do so download the extended version from [hugo release](https://github.com/gohugoio/hugo/releases) based on your operation system (mostly it is Ubuntu for Codespaces). Use the below commands to install and then move the hugo directory to `usr/local/hugo/bin/hugo`
+```
+wget https://github.com/gohugoio/hugo/releases/download/v0.135.0/hugo_extended_0.135.0_linux-amd64.deb
+sudo dpkg -i hugo_extended_0.135.0_linux-amd64.deb
+rm hugo_extended_0.135.0_linux-amd64.deb
+sudo mv /usr/local/bin/hugo /usr/local/hugo/bin/hugo
+```
+Finally, Check the hugo version by running: `hugo version`
+
 ## Update Docsy theme
 
 The project uses [Hugo Modules](https://gohugo.io/hugo-modules/) to manage the theme:

From ca700e95cc6f879f7ce5cbfdf8f43aaee14cecf5 Mon Sep 17 00:00:00 2001
From: "A. Singh" <32884734+A-5ingh@users.noreply.github.com>
Date: Mon, 30 Sep 2024 03:07:08 -0400
Subject: [PATCH 14/59] chore: updated JMESPath function (#1371)

Signed-off-by: GitHub <noreply@github.com>
---
 content/en/blog/general/why-chainsaw-is-unique/index.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/en/blog/general/why-chainsaw-is-unique/index.md b/content/en/blog/general/why-chainsaw-is-unique/index.md
index b38450952..a374c948b 100644
--- a/content/en/blog/general/why-chainsaw-is-unique/index.md
+++ b/content/en/blog/general/why-chainsaw-is-unique/index.md
@@ -120,14 +120,14 @@ spec:
   template:
     spec:
       (containers[?securityContext == null]):
-        (len(@)): 0
+        (length(@)): 0
 ```
 
 In the assertion above, the first three fields `spec`, `template`, and `spec` are basic projections that simply take the content of their respective fields and pass that to descendants.
 
-`(containers[?securityContext == null])` is a JMESPath expression filtering the `containers` array, selecting only the element where `securityContext` is `null`. This projection results in a new array that is passed to the descendant (`(len(@))` in this case).
+`(containers[?securityContext == null])` is a JMESPath expression filtering the `containers` array, selecting only the element where `securityContext` is `null`. This projection results in a new array that is passed to the descendant (`(length(@))` in this case).
 
-`(len(@))` is another JMESPath expression that computes the length of the array. There's no more descendant at this point. We're at a leaf of the YAML tree and the array length we just computed is then compared against 0.
+`(length(@))` is another JMESPath expression that computes the length of the array. There's no more descendant at this point. We're at a leaf of the YAML tree and the array length we just computed is then compared against 0.
 
 If the comparison matches, the assertion will be considered valid; if not, it will be considered failed.
 

From 03c1967d402a48cb8c5c95fb20309e48f7e44faa Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 8 Oct 2024 18:21:16 +0800
Subject: [PATCH 15/59] chore(deps): bump actions/checkout from 4.2.0 to 4.2.1
 (#1375)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/d632683dd7b4114ad314bca15554477dd762a938...eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-links.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 87569e92d..3567d9db6 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -11,7 +11,7 @@ jobs:
   linkChecker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
       - name: Check unrendered links
         id: lychee_unrendered

From 95b13ce1da86a0ee9aea3f33a35da2ac27cdf6e2 Mon Sep 17 00:00:00 2001
From: Norbert Szulc <norbert@not7cd.net>
Date: Tue, 8 Oct 2024 22:46:18 +0200
Subject: [PATCH 16/59] Enable CORS for RSS feed (#1369)

This will allow using the feed in a Grafana dashboard news panel.

Signed-off-by: Norbert Szulc <norbert@not7cd.net>
Co-authored-by: shuting <shuting@nirmata.com>
---
 netlify.toml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/netlify.toml b/netlify.toml
index 77fa86e0b..ea2573b16 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -45,4 +45,9 @@ status = 200
 [[headers]]
   for = "/*"
   [headers.values]
-    X-Frame-Options = "SAMEORIGIN"
\ No newline at end of file
+    X-Frame-Options = "SAMEORIGIN"
+
+[[headers]]
+  for = "/blog/index.xml"
+  [headers.values]
+    access-control-allow-origin = "*"

From 7e798764f81d3db3bf94ee1263209269299d6216 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 9 Oct 2024 11:13:22 +0800
Subject: [PATCH 17/59] chore(deps): bump lycheeverse/lychee-action from 1.10.0
 to 2.0.0 (#1378)

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 1.10.0 to 2.0.0.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/2b973e86fc7b1f6b36a93795fe2c9c6ae1118621...7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-links.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 3567d9db6..848d54e59 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -15,7 +15,7 @@ jobs:
 
       - name: Check unrendered links
         id: lychee_unrendered
-        uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
+        uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
@@ -48,7 +48,7 @@ jobs:
 
       # - name: Check rendered links
       #   id: lychee_rendered
-      #   uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
+      #   uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
       #   env:
       #     GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       #   with:

From 846d8236f5e6748c23af8a7207089352d2aa49c8 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Tue, 8 Oct 2024 20:14:10 -0700
Subject: [PATCH 18/59] fix footer; update banner (#1376)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 content/en/_index.md         | 11 ++++++-----
 layouts/partials/footer.html |  2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/content/en/_index.md b/content/en/_index.md
index 59867c9b4..8483e4f5c 100644
--- a/content/en/_index.md
+++ b/content/en/_index.md
@@ -4,7 +4,7 @@ linkTitle = "Kyverno"
 +++
 
 {{< blocks/cover title="Kyverno" image_anchor="top" height="full" color="dark" >}}
-# Policy Management. Simplified. { class="text-center" }
+# Policy as Code, Simplified! { class="text-center" }
 
 <div class="mt-5 mx-auto">
 	<a class="btn btn-lg btn-primary mr-3 mb-4" href="#about-kyverno">
@@ -28,18 +28,19 @@ linkTitle = "Kyverno"
 <br/>
 
 <h2>
-Policy Management for Kubernetes and cloud native environments.
+The Kyverno project provides a comprehensive set of tools to manage the complete Policy-as-Code (PaC) lifecycle for Kubernetes and other cloud native environments
 </h2>
 <br/>
 
 <p style="line-height:1.5">
-Kyverno policies are declarative YAML resources and <b>no new language</b> is required to write policies. This allows using familiar tools such as <code style="font-size: 1.35rem">kubectl</code>, <code style="font-size: 1.35rem">git</code>, and <code style="font-size: 1.35rem">kustomize</code> to manage policies. For efficient handling of complex logic, Kyverno supports both JMESPath and the Common Expressions Language (CEL) languages. 
+
+Kyverno policies are declarative YAML resources and <b>no new language</b> is required. Kyverno enables use of familiar tools such as <code style="font-size: 1.35rem">kubectl</code>, <code style="font-size: 1.35rem">git</code>, and <code style="font-size: 1.35rem">kustomize</code> to manage policies. Kyverno supports JMESPath and the Common Expressions Language (CEL) for efficient handling of complex logic.
 
 In Kubernetes environments, Kyverno policies can <b>validate, mutate, generate, and cleanup</b> any Kubernetes resource, including custom resources. To help secure the software supply chain Kyverno policies can <b>verify OCI container image signatures and artifacts</b>. Kyverno policy reports and policy exceptions are also Kubernetes API resources.
 
-The **Kyverno CLI** can be used to apply and test policies off-cluster e.g., as part of a CI/CD pipeline. 
+The **Kyverno CLI** can be used to apply and test policies off-cluster e.g., as part of an IaC and CI/CD pipelines. 
 
-**Kyverno Policy Reporter**  provides in-cluster report management with a graphical web-based user interface. 
+**Kyverno Policy Reporter** provides report management with a graphical web-based user interface. 
 
 **Kyverno JSON** allows applying Kyverno policies in non-Kubernetes environments and on any JSON payload.
 
diff --git a/layouts/partials/footer.html b/layouts/partials/footer.html
index d76e35c31..174610ca7 100644
--- a/layouts/partials/footer.html
+++ b/layouts/partials/footer.html
@@ -22,8 +22,8 @@
         {{ with .Site.Params.copyright }}<small class="text-white">&copy; {{ now.Year}} {{ .}} {{ T "footer_all_rights_reserved" }}</small>{{ end }}
       </div>
     </div>
+    <img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=8be4de30-8c1a-446b-a3cc-9a02346ccb1d" />
   </div>
-  <img referrerpolicy="no-referrer-when-downgrade" src="https://static.scarf.sh/a.png?x-pxid=8be4de30-8c1a-446b-a3cc-9a02346ccb1d" />
 </footer>
 {{ define "footer-links-block" }}
 <ul class="list-inline mb-0">

From 088f7bbdc411d4f285eb4cb80ececaed3ac5f651 Mon Sep 17 00:00:00 2001
From: Ammar Yasser <aerosound161@gmail.com>
Date: Wed, 9 Oct 2024 17:53:56 +0300
Subject: [PATCH 19/59] docs: Modify patchedResource key in variables to be
 patchedResources (#1380)

Signed-off-by: aerosouund <aerosound161@gmail.com>
---
 content/en/docs/kyverno-cli/usage/test.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/kyverno-cli/usage/test.md b/content/en/docs/kyverno-cli/usage/test.md
index 1ebd7d6e6..7472181e9 100644
--- a/content/en/docs/kyverno-cli/usage/test.md
+++ b/content/en/docs/kyverno-cli/usage/test.md
@@ -49,7 +49,7 @@ results:
   resources: # optional, primarily for `validate` rules.
   - <namespace_1/name_1>
   - <namespace_2/name_2>
-  patchedResource: <file_name.yaml> # when testing a mutate rule this field is required.
+  patchedResources: <file_name.yaml> # when testing a mutate rule this field is required.
   generatedResource: <file_name.yaml> # when testing a generate rule this field is required.
   cloneSourceResource: <file_name.yaml> # when testing a generate rule that uses `clone` object this field is required.
   kind: <kind>
@@ -416,14 +416,14 @@ results:
     rule: add-default-requests
     resources:
     - nginx-demo1
-    patchedResource: patchedResource1.yaml
+    patchedResources: patchedResource1.yaml
     kind: Pod
     result: pass
   - policy: add-default-resources
     rule: add-default-requests
     resources:
     - nginx-demo2
-    patchedResource: patchedResource2.yaml
+    patchedResources: patchedResource2.yaml
     kind: Pod
     result: skip
 ```

From 9ed98d6b73e193ab3f3ff6b80f3938b37e63c4b7 Mon Sep 17 00:00:00 2001
From: abirsigron <abirsigron@gmail.com>
Date: Sun, 13 Oct 2024 22:07:05 +0300
Subject: [PATCH 20/59] Credit for the idea of Assigning Node Metadata to Pods
 (#1344)

* Credit to Abir Sigron

Signed-off-by: abirsigron <abirsigron@gmail.com>

* Fix credit phrasing

Signed-off-by: abirsigron <abirsigron@gmail.com>

---------

Signed-off-by: abirsigron <abirsigron@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 .../en/blog/general/assigning-node-metadata-to-pods/index.md   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/content/en/blog/general/assigning-node-metadata-to-pods/index.md b/content/en/blog/general/assigning-node-metadata-to-pods/index.md
index 3dd7b9592..098b4ff69 100644
--- a/content/en/blog/general/assigning-node-metadata-to-pods/index.md
+++ b/content/en/blog/general/assigning-node-metadata-to-pods/index.md
@@ -390,6 +390,9 @@ spec:
               # https://kubernetes.io/docs/reference/labels-annotations-taints/#topologykubernetesiozone
               topology.kubernetes.io/zone: "{{ ZoneLabel }}"
 ```
+### Credits
+
+Thanks to [Abir Sigron](https://github.com/abirsigron) for initiating the idea on Slack and conducting a POC.
 
 ## Closing
 

From 78347b337a5551434dd04f0b782d27a7f2a7c445 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 13 Oct 2024 20:59:03 -0700
Subject: [PATCH 21/59] add shallow substitution docs (#1377)

---
 .github/workflows/check-links.yaml            |  2 +-
 lychee.toml => config/lychee.toml             |  0
 content/en/docs/writing-policies/variables.md | 77 ++++++++++++++++++-
 3 files changed, 77 insertions(+), 2 deletions(-)
 rename lychee.toml => config/lychee.toml (100%)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 848d54e59..641024d05 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -21,7 +21,7 @@ jobs:
         with:
           fail: true
           debug: false
-          args: --no-progress --include-fragments --github-token ${{secrets.GITHUB_TOKEN}} -c lychee.toml -E content/
+          args: --no-progress --include-fragments --github-token ${{secrets.GITHUB_TOKEN}} --config config/lychee.toml -E content/
 
       # Deactivated. The --include-fragments flag is causing failures because rendered links
       # have a trailing '#' which is probably a result of the link style change plus the new
diff --git a/lychee.toml b/config/lychee.toml
similarity index 100%
rename from lychee.toml
rename to config/lychee.toml
diff --git a/content/en/docs/writing-policies/variables.md b/content/en/docs/writing-policies/variables.md
index 657fc00ea..7c9199ee0 100644
--- a/content/en/docs/writing-policies/variables.md
+++ b/content/en/docs/writing-policies/variables.md
@@ -7,6 +7,8 @@ weight: 90
 
 Variables make policies smarter and reusable by enabling references to data in the policy definition, the [admission review request](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response), and external data sources like ConfigMaps, the Kubernetes API Server, OCI image registries, and even external service calls.
 
+In Kyverno, you can use the double braces syntax e.g., `{{ ... }}`, to reference a variable. For variables in policy declarations the `$( ... )` syntax is used instead.
+
 Variables are stored as JSON and Kyverno supports using [JMESPath](http://jmespath.org/) (pronounced "James path") to select and transform JSON data. With JMESPath, values from data sources are referenced in the format of `{{key1.key2.key3}}`. For example, to reference the name of an new/incoming resource during a `kubectl apply` action such as a Namespace, you would write this as a variable reference: `{{request.object.metadata.name}}`. The policy engine will substitute any values with the format `{{ <JMESPath> }}` with the variable value before processing the rule. For a page dedicated to exploring JMESPath's use in Kyverno see [here](jmespath.md). Variables may be used in most places in a Kyverno rule or policy with one exception being in `match` or `exclude` statements.
 
 ## Pre-defined Variables
@@ -172,7 +174,7 @@ The result of the mutation of this Pod with respect to the `OTEL_RESOURCE_ATTRIB
         rule_applied=imbue-pod-spec
 ```
 
-### Variables in Helm
+## Variables in Helm
 
 Both Kyverno and Helm use Golang-style variable substitution syntax and, as a result, Kyverno policies containing variables deployed through Helm may need to be "wrapped" to avoid Helm interpreting them as Helm variables.
 
@@ -196,6 +198,7 @@ value: {{ `"{{ element.securityContext.capabilities.drop[].to_upper(@) || `}}`[]
 
 in order to render properly.
 
+
 ## Variables from admission review requests
 
 Kyverno operates as a webhook inside Kubernetes. Whenever a new request is made to the Kubernetes API server, for example to create a Pod, the API server sends this information to the webhooks registered to listen to the creation of Pod resources. This incoming data to a webhook is passed as a [`AdmissionReview`](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-request-and-response) object. There are four commonly used data properties available in any AdmissionReview request:
@@ -482,6 +485,78 @@ spec:
 
 In this example, AdmissionReview data is first collected in the inner expression in the form of `{{request.object.metadata.labels.app}}` while the outer expression is built from a ConfigMap context named `LabelsCM`.
 
+
+## Shallow substitution
+
+By default, Kyverno performs nested substitution of variables. However, in some cases, nested substitution may not be desireable.
+
+The syntax `{{- ... }}` can be used for shallow (one time only) substitution of variables.
+
+Here is a more detailed example.
+
+Consider a policy that loads a ConfigMap that contains [HCL](https://developer.hashicorp.com/terraform/language/syntax/configuration) synytax data, and patches resource configurations:
+
+Policy:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: vault-auth-backend
+spec:
+  validationFailureAction: Audit
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: vault-injector-config-blue-to-green-auth-backend
+    context:
+    - name: hcl
+      variable:
+        jmesPath: replace_all( '{{ request.object.data.config }}', 'from_string','to_string')
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          names:
+          - test-*
+          namespaces:
+          - corp-tech-ap-team-ping-ep
+    mutate:
+      patchStrategicMerge:
+        data:
+          config: '{{- hcl }}'
+      targets:
+      - apiVersion: v1
+        kind: ConfigMap
+        name: '{{ request.object.metadata.name }}'
+        namespace: '{{ request.object.metadata.namespace }}'
+    name: vault-injector-config-blue-to-green-auth-backend
+```
+
+ConfigfMap:
+
+```yaml
+apiVersion: v1
+data:
+  config: |-
+    from_string
+    {{ some hcl tempalte }}
+kind: ConfigMap
+metadata:
+  annotations:
+  labels:
+    argocd.development.cpl.<removed>.co.at/app: corp-tech-ap-team-ping-ep
+  name: vault-injector-config-http-echo
+  namespace: corp-tech-ap-team-ping-ep
+
+```
+
+In this case, since HCL also uses the `{{ ... }}` variable syntax, Kyverno needs to be instructed to not attempt to resolve variables in the HCL. 
+
+To only substitute the rule data with the HCL, and not perform nested subsitutions, the declaration `'{{- hcl }}'` uses the shallow substitution syntax.
+
+
 ## Evaluation Order
 
 Kyverno policies can contain variables in:

From b7a815c77453c93e76092410ab07a718bef8d953 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 14 Oct 2024 15:30:28 +0800
Subject: [PATCH 22/59] chore(deps): bump lycheeverse/lychee-action from 2.0.0
 to 2.0.1 (#1383)

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.0 to 2.0.1.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67...2bb232618be239862e31382c5c0eaeba12e5e966)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 .github/workflows/check-links.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 641024d05..59ee77c25 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -15,7 +15,7 @@ jobs:
 
       - name: Check unrendered links
         id: lychee_unrendered
-        uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
+        uses: lycheeverse/lychee-action@2bb232618be239862e31382c5c0eaeba12e5e966 # v2.0.1
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
@@ -48,7 +48,7 @@ jobs:
 
       # - name: Check rendered links
       #   id: lychee_rendered
-      #   uses: lycheeverse/lychee-action@7da8ec1fc4e01b5a12062ac6c589c10a4ce70d67 # v2.0.0
+      #   uses: lycheeverse/lychee-action@2bb232618be239862e31382c5c0eaeba12e5e966 # v2.0.1
       #   env:
       #     GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       #   with:

From b7072adc0f2ba7679db4fe32ebb3b8bbea79960f Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariam.fahmy@nirmata.com>
Date: Mon, 14 Oct 2024 14:55:18 +0300
Subject: [PATCH 23/59] docs: add warning for the generateExisting deprecated
 field

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/writing-policies/generate.md         | 12 ++++--------
 content/en/docs/writing-policies/policy-settings.md  |  2 +-
 .../argo-cluster-generation-from-rancher-capi.md     |  2 +-
 ...fig-syncer-secret-generation-from-rancher-capi.md |  2 +-
 .../generate-networkpolicy-existing.md               |  2 +-
 5 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/content/en/docs/writing-policies/generate.md b/content/en/docs/writing-policies/generate.md
index ee29ade0b..40cd1b5a0 100644
--- a/content/en/docs/writing-policies/generate.md
+++ b/content/en/docs/writing-policies/generate.md
@@ -127,10 +127,6 @@ spec:
 
 For other examples of generate rules, see the [policy library](/policies/?policytypes=generate).
 
-{{% alert title="Note" color="info" %}}
-The field `spec.generateExisting` is no longer required for "classic" generate rules, is deprecated, and will be removed in an upcoming version.
-{{% /alert %}}
-
 ## Clone Source
 
 When a generate policy should take the source from a resource which already exists in the cluster, a `clone` object is used instead of a `data` object. When triggered, the generate policy will clone from the resource name and location defined in the rule to create the new resource. Use of the `clone` object implies no modification during the path from source to destination and Kyverno is not able to modify its contents (aside from metadata used for processing and tracking).
@@ -506,7 +502,7 @@ spec:
 
 Use of a `generate` rule is common when creating net new resources from the point after which the policy was created. For example, a Kyverno `generate` policy is created so that all future Namespaces can receive a standard set of Kubernetes resources. However, it is also possible to generate resources based on **existing** resources. This can be extremely useful especially for Namespaces when deploying Kyverno to an existing cluster where you wish policy to apply retroactively.
 
-Kyverno supports generation for existing resources. Generate existing policies are applied when the policy is created and in the background which creates target resources based on the match statement within the policy. They may also optionally be configured to apply upon updates to the policy itself. By defining the `spec.generateExisting` set to `true`, a generate rule will take effect for existing resources which have the same match characteristics.
+Kyverno supports generation for existing resources. Generate existing policies are applied when the policy is created and in the background which creates target resources based on the match statement within the policy. They may also optionally be configured to apply upon updates to the policy itself. By defining the `generate[*].generateExisting` set to `true`, a generate rule will take effect for existing resources which have the same match characteristics.
 
 Note that the benefits of using a "generate existing" rule is only the moment the policy is installed. Once the initial generation effects have been produced, the rule functions like a "standard" generate rule from that point forward. Generate existing rules are therefore primarily useful for one-time use cases when retroactive policy should be applied.
 
@@ -522,7 +518,6 @@ kind: ClusterPolicy
 metadata:
   name: generate-resources
 spec:
-  generateExisting: true
   rules:
   - name: generate-existing-networkpolicy
     match:
@@ -531,6 +526,7 @@ spec:
           kinds:
           - Namespace
     generate:
+      generateExisting: true
       kind: NetworkPolicy
       apiVersion: networking.k8s.io/v1
       name: default-deny
@@ -555,7 +551,6 @@ kind: ClusterPolicy
 metadata:
   name: create-default-pdb
 spec:
-  generateExisting: true
   rules:
   - name: create-default-pdb
     match:
@@ -568,6 +563,7 @@ spec:
         namespaces:
         - local-path-storage
     generate:
+      generateExisting: true
       apiVersion: policy/v1
       kind: PodDisruptionBudget
       name: "{{request.object.metadata.name}}-default-pdb"
@@ -582,7 +578,7 @@ spec:
 ```
 
 {{% alert title="Note" color="info" %}}
-The field `spec.generateExistingOnPolicyUpdate` has been replaced by `spec.generateExisting`. The former is no longer required, is deprecated, and will be removed in an upcoming version.
+The field `spec.generateExisting` has been replaced by `spec.rules[*].generate[*].generateExisting`. The former is no longer required, is deprecated, and will be removed in an upcoming version.
 {{% /alert %}}
 
 ## How It Works
diff --git a/content/en/docs/writing-policies/policy-settings.md b/content/en/docs/writing-policies/policy-settings.md
index a42f936b3..a678f66d3 100644
--- a/content/en/docs/writing-policies/policy-settings.md
+++ b/content/en/docs/writing-policies/policy-settings.md
@@ -15,7 +15,7 @@ A [policy](../kyverno-policies) contains one or more rules, and the following co
 
 * **failurePolicy**: defines the API server behavior if the webhook fails to respond. Allowed values are "Ignore" or "Fail". Defaults to "Fail". Additionally, if set to "Ignore" will allow failing calls to image registries to be ignored. This allows for rule types like verifyImages or others which use image data to not block if the registry is temporarily down, useful in situations where images already exist on the nodes.
 
-* **generateExisting**: applicable to generate rules only. Controls whether Kyverno should evaluate the policy the moment it is created.
+* **generateExisting**: applicable to generate rules only. Controls whether Kyverno should evaluate the policy the moment it is created. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `generateExisting` under the generate rule instead.
 
 * **mutateExistingOnPolicyUpdate**: applicable to mutate rules which define targets. Controls whether Kyverno should evaluate the policy when it is updated.
 
diff --git a/content/en/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.md b/content/en/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.md
index 3998d7e43..b4297e31b 100644
--- a/content/en/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.md
+++ b/content/en/policies/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.md
@@ -33,7 +33,6 @@ metadata:
       "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053
       "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
 spec:
-  generateExisting: true
   rules:
   - name: source-rancher-non-local-cluster-and-capi-secret
     match:
@@ -99,6 +98,7 @@ spec:
           }
         jmesPath: 'to_string(@)'
     generate:
+      generateExisting: true
       synchronize: true
       apiVersion: v1
       kind: Secret
diff --git a/content/en/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.md b/content/en/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.md
index 15e3d342a..0b416ad3b 100644
--- a/content/en/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.md
+++ b/content/en/policies/kubeops/config-syncer-secret-generation-from-rancher-capi/config-syncer-secret-generation-from-rancher-capi.md
@@ -30,7 +30,6 @@ metadata:
       required by the Kubeops Config Syncer for it to sync ConfigMaps/Secrets from
       the Rancher management cluster to downstream clusters.
 spec:
-  generateExisting: true
   rules:
   - name: source-rancher-non-local-cluster-and-capi-secret
     match:
@@ -101,6 +100,7 @@ spec:
         operator: NotEquals
         value: '{{ currentKubeconfigData }}'
     generate:
+      generateExisting: true
       synchronize: true
       apiVersion: v1
       kind: Secret
diff --git a/content/en/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing.md b/content/en/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing.md
index 8410ea4a2..fd0fa3913 100644
--- a/content/en/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing.md
+++ b/content/en/policies/other/generate-networkpolicy-existing/generate-networkpolicy-existing.md
@@ -31,7 +31,6 @@ metadata:
       is additional overhead. This policy creates a new NetworkPolicy for existing
       Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
 spec:
-  generateExisting: true
   rules:
   - name: generate-existing-networkpolicy
     match:
@@ -40,6 +39,7 @@ spec:
           kinds:
           - Namespace
     generate:
+      generateExisting: true
       kind: NetworkPolicy
       apiVersion: networking.k8s.io/v1
       name: default-deny

From 69c4d1bc5ad6298b8a7a0a3b3f30ac36e42db939 Mon Sep 17 00:00:00 2001
From: Ammar Yasser <aerosound161@gmail.com>
Date: Mon, 14 Oct 2024 16:38:00 +0300
Subject: [PATCH 24/59] docs: Add maxBackgroundReports flag documentation
 (#1381)

* docs: Add maxBackgroundReports flag documentation

Signed-off-by: aerosouund <aerosound161@gmail.com>

* chore: Update flag docs to use ephemeralreports instead of background reports as changed in the container flag itself

Signed-off-by: aerosouund <aerosound161@gmail.com>

---------

Signed-off-by: aerosouund <aerosound161@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/installation/customization.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md
index d6323fb86..e1747030f 100644
--- a/content/en/docs/installation/customization.md
+++ b/content/en/docs/installation/customization.md
@@ -393,6 +393,7 @@ The following flags can be used to control the advanced behavior of the various
 | `logtostderr` (ABCR) | true | Log to standard error instead of files. |
 | `maxAPICallResponseLength` (ABCR) | `10000000` | Sets the maximum length of the response body for API calls. |
 | `maxAuditWorkers` (A) | `8` | Maximum number of workers for audit policy processing. |
+| `maxBackgroundReports` (BR) | `10000` | Maximum number of ephemeralreports created for the background policies before we stop creating new ones. |
 | `maxAuditCapacity` (A) | `1000` | Maximum number of workers for audit policy processing. |
 | `maxQueuedEvents` (ABR) | `1000` | Defines the upper limit of events that are queued internally. |
 | `metricsPort` (ABCR) | `8000` | Specifies the port to expose prometheus metrics. |

From a29e175a8b50008e671cc6e120a90a66f36ca7bf Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Mon, 14 Oct 2024 06:49:52 -0700
Subject: [PATCH 25/59] Simplify instllation (#1382)

* add shallow substitution docs

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* update installation instructions

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix link

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 content/en/docs/high-availability/_index.md |  2 +-
 content/en/docs/installation/_index.md      | 11 +---
 content/en/docs/installation/methods.md     | 71 ++++++++-------------
 content/en/support/nirmata/_index.md        | 58 ++++++-----------
 4 files changed, 51 insertions(+), 91 deletions(-)

diff --git a/content/en/docs/high-availability/_index.md b/content/en/docs/high-availability/_index.md
index 38b2b4681..e1a9a6e34 100644
--- a/content/en/docs/high-availability/_index.md
+++ b/content/en/docs/high-availability/_index.md
@@ -77,4 +77,4 @@ Multiple replicas configured for the cleanup controller can be used for both ava
 
 ## Installing Kyverno in HA mode
 
-The Helm chart is the recommended method of installing Kyverno in a production-grade, highly-available fashion as it provides all the necessary Kubernetes resources and configuration options to meet most production needs. For more information on installation of Kyverno in high availability, see the corresponding [installation section](../installation/methods.md#high-availability).
+The Helm chart is the recommended method of installing Kyverno in a production-grade, highly-available fashion as it provides all the necessary Kubernetes resources and configuration options to meet most production needs. For more information on installation of Kyverno in high availability, see the corresponding [installation section](../installation/methods.md#high-availability-installation).
diff --git a/content/en/docs/installation/_index.md b/content/en/docs/installation/_index.md
index acdeaf3be..a5f6623a9 100644
--- a/content/en/docs/installation/_index.md
+++ b/content/en/docs/installation/_index.md
@@ -40,24 +40,19 @@ A standard Kyverno installation consists of a number of different components, so
 
 ## Compatibility Matrix
 
-Kyverno follows the same support policy as the Kubernetes project (N-2 policy) in which the current release and the previous two minor versions are maintained. Although previous versions may work, they are not tested and therefore no guarantees are made as to their full compatibility. The below table shows the compatibility matrix.
+Kyverno follows the same support policy as the Kubernetes project (N-2 policy) in which the current release and the previous two minor versions are maintained. Although prior versions may work, they are not tested and therefore no guarantees are made as to their full compatibility. The below table shows the compatibility matrix.
 
 | Kyverno Version                | Kubernetes Min | Kubernetes Max |
 |--------------------------------|----------------|----------------|
-| 1.8.x                          | 1.23           | 1.25           |
-| 1.9.x                          | 1.24           | 1.26           |
-| 1.10.x                         | 1.24           | 1.26           |
 | 1.11.x                         | 1.25           | 1.28           |
 | 1.12.x                         | 1.26           | 1.29           |
 | 1.13.x                         | 1.28           | 1.31           |
 
-\* Due to a known issue with Kubernetes 1.23.0-1.23.2, support for 1.23 begins at 1.23.3.
-
-**NOTE:** The [Enterprise Kyverno](https://nirmata.com/nirmata-enterprise-for-kyverno/) by Nirmata supports a wide range of Kubernetes versions for any Kyverno version. Refer to the Release Compatibility Matrix for the Enterprise Kyverno [here](https://docs.nirmata.io/docs/n4k/release-compatibility-matrix/) or contact [Nirmata support](mailto:support@nirmata.com) for assistance.
+**NOTE:** For long term compatibility Support select a [commercially supported Kyverno distribution](https://kyverno.io/support/nirmata).
 
 ## Security vs Operability
 
-For a production installation, Kyverno should be installed in [high availability mode](../installation/methods.md#high-availability). Regardless of the installation method used for Kyverno, it is important to understand the risks associated with any webhook and how it may impact cluster operations and security especially in production environments. Kyverno configures its resource webhooks by default (but [configurable](../writing-policies/policy-settings.md)) in [fail closed mode](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy). This means if the API server cannot reach Kyverno in its attempt to send an AdmissionReview request for a resource that matches a policy, the request will fail. For example, a validation policy exists which checks that all Pods must run as non-root. A new Pod creation request is submitted to the API server and the API server cannot reach Kyverno. Because the policy cannot be evaluated, the request to create the Pod will fail. Care must therefore be taken to ensure that Kyverno is always available or else configured appropriately to exclude certain key Namespaces, specifically that of Kyverno's, to ensure it can receive those API requests. There is a tradeoff between security by default and operability regardless of which option is chosen.
+For a production installation, Kyverno should be installed in [high availability mode](../installation/methods.md#high-availability-installation). Regardless of the installation method used for Kyverno, it is important to understand the risks associated with any webhook and how it may impact cluster operations and security especially in production environments. Kyverno configures its resource webhooks by default (but [configurable](../writing-policies/policy-settings.md)) in [fail closed mode](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy). This means if the API server cannot reach Kyverno in its attempt to send an AdmissionReview request for a resource that matches a policy, the request will fail. For example, a validation policy exists which checks that all Pods must run as non-root. A new Pod creation request is submitted to the API server and the API server cannot reach Kyverno. Because the policy cannot be evaluated, the request to create the Pod will fail. Care must therefore be taken to ensure that Kyverno is always available or else configured appropriately to exclude certain key Namespaces, specifically that of Kyverno's, to ensure it can receive those API requests. There is a tradeoff between security by default and operability regardless of which option is chosen.
 
 The following combination may result in cluster inoperability if the Kyverno Namespace is not excluded:
 
diff --git a/content/en/docs/installation/methods.md b/content/en/docs/installation/methods.md
index 9f8e23eee..5d57e84e6 100644
--- a/content/en/docs/installation/methods.md
+++ b/content/en/docs/installation/methods.md
@@ -6,44 +6,36 @@ weight: 15
 
 ## Install Kyverno using Helm
 
+The Helm chart is the recommended method of installing Kyverno in a production-grade, highly-available fashion as it provides all the necessary Kubernetes resources and configuration options to meet most production needs including platform-specific controls.
+
 Kyverno can be deployed via a Helm chart--the recommended and preferred method for a production install--which is accessible either through the Kyverno repository or on [Artifact Hub](https://artifacthub.io/). Both generally available and pre-releases are available with Helm.
 
-In order to install Kyverno with Helm, first add the Kyverno Helm repository.
+Choose one of the installation configuration options based upon your environment type and availability needs.
+- For a production installation, see below [High Availability](#high-availability-installation) section.
+- For a non-production installation, see below [Standalone Installation](#standalone-installation) section..
 
-```sh
-helm repo add kyverno https://kyverno.github.io/kyverno/
-```
+### Standalone Installation
 
-Scan the new repository for charts.
+To install Kyverno using Helm in a non-production environment use:
 
 ```sh
+helm repo add kyverno https://kyverno.github.io/kyverno/
 helm repo update
+helm install kyverno kyverno/kyverno -n kyverno --create-namespace
 ```
 
-Optionally, show all available chart versions for Kyverno.
-
-```sh
-helm search repo kyverno -l
-```
-
-Choose one of the installation configuration options based upon your environment type and availability needs.
-- For a production installation, see below [High Availability](#high-availability) section.
-- For a non-production installation, see below [Standalone](#standalone) section for additional details.
-
-{{% alert title="Note" color="warning" %}}
-When deploying Kyverno to certain Kubernetes platforms such as EKS, AKS, or OpenShift; or when using certain GitOps tools such as ArgoCD, additional configuration options may be needed or recommended. See the [Platform-Specific Notes](platform-notes.md) section for additional details.
-{{% /alert %}}
+### High Availability Installation
 
-After Kyverno is installed, you may choose to also install the Kyverno [Pod Security Standard policies](../../pod-security.md), an optional chart containing the full set of Kyverno policies which implement the Kubernetes [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
+Use Helm to create a Namespace and install Kyverno in a highly-available configuration.
 
 ```sh
-helm install kyverno-policies kyverno/kyverno-policies -n kyverno
+helm install kyverno kyverno/kyverno -n kyverno --create-namespace \
+--set admissionController.replicas=3 \
+--set backgroundController.replicas=2 \
+--set cleanupController.replicas=2 \
+--set reportsController.replicas=2
 ```
 
-### High Availability
-
-The Helm chart is the recommended method of installing Kyverno in a production-grade, highly-available fashion as it provides all the necessary Kubernetes resources and configuration options to meet most production needs including platform-specific controls.
-
 Since Kyverno is comprised of different controllers where each is contained in separate Kubernetes Deployments, high availability is achieved on a per-controller basis. A default installation of Kyverno provides four separate Deployments each with a single replica. Configure high availability on the controllers where you need the additional availability. Be aware that multiple replicas do not necessarily equate to higher scale or performance across all controllers. Please see the [high availability page](../high-availability/_index.md) for more complete details.
 
 The Helm chart offers parameters to configure multiple replicas for each controller. For example, a highly-available, complete deployment of Kyverno would consist of the following values.
@@ -52,12 +44,11 @@ The Helm chart offers parameters to configure multiple replicas for each control
 admissionController:
   replicas: 3
 backgroundController:
-  replicas: 2
+  replicas: 3
 cleanupController:
-  replicas: 2
+  replicas: 3
 reportsController:
-  replicas: 2
-
+  replicas: 3
 ```
 
 For all of the available values and their defaults, please see the Helm chart [README](https://github.com/kyverno/kyverno/tree/release-1.10/charts/kyverno). You should carefully inspect all available chart values and their defaults to determine what overrides, if any, are necessary to meet the particular needs of your production environment.
@@ -70,30 +61,24 @@ By default, the Kyverno Namespace will be excluded using a namespaceSelector con
 
 See also the [Namespace selectors](customization.md#namespace-selectors) section and especially the [Security vs Operability](_index.md#security-vs-operability) section.
 
-Use Helm to create a Namespace and install Kyverno in a highly-available configuration.
-
-```sh
-helm install kyverno kyverno/kyverno -n kyverno --create-namespace \
---set admissionController.replicas=3 \
---set backgroundController.replicas=2 \
---set cleanupController.replicas=2 \
---set reportsController.replicas=2
-```
+## Platform Specific Settings
 
-### Standalone
+When deploying Kyverno to certain Kubernetes platforms such as EKS, AKS, or OpenShift; or when using certain GitOps tools such as ArgoCD, additional configuration options may be needed or recommended. See the [Platform-Specific Notes](platform-notes.md) section for additional details.
 
-A standalone installation of Kyverno is suitable for lab, test/dev, or small environments typically associated with non-production. It configures a single replica for each Kyverno Deployment and omits many of the production-grade components.
+### Pre-Release Installations (RC)
 
-Use Helm to create a Namespace and install Kyverno.
+To install pre-release versions, such as `alpha`, `beta`, and `rc` (release candidates) versions, add the `--devel` switch to Helm:
 
 ```sh
-helm install kyverno kyverno/kyverno -n kyverno --create-namespace
+helm install kyverno kyverno/kyverno -n kyverno --create-namespace --devel
 ```
 
-To install pre-releases, add the `--devel` switch to Helm.
+## Install Pod Security Policies via Helm
+
+After Kyverno is installed, you may choose to also install the Kyverno [Pod Security Standard policies](../../pod-security.md), an optional chart containing the full set of Kyverno policies which implement the Kubernetes [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
 
 ```sh
-helm install kyverno kyverno/kyverno -n kyverno --create-namespace --devel
+helm install kyverno-policies kyverno/kyverno-policies -n kyverno
 ```
 
 ## Install Kyverno using YAMLs
diff --git a/content/en/support/nirmata/_index.md b/content/en/support/nirmata/_index.md
index c07950e08..f067a722d 100644
--- a/content/en/support/nirmata/_index.md
+++ b/content/en/support/nirmata/_index.md
@@ -5,33 +5,19 @@ description: "Kubernetes Policy and Governance from the creators of Kyverno"
 type: docs
 ---
 
-
 [Nirmata](https://nirmata.com/) is the creator of Kyverno and offers several commercial solutions for Kubernetes policy and governance for platform and operations teams.
 
-### Nirmata for Kyverno Open Source
-
-[Nirmata for Kyverno Open Source](https://info.nirmata.com/hubfs/product/nirmata-kyverno-oss-consulting.pdf) is ideal for open source savvy users looking to protect and grow their investment in Kyverno. It includes:
-
-* Use Kyverno OSS or your own fork
-* Get 24x7 emergency support
-* Collaborate via email or a private messaging channel
-* 24 consulting hours per quarter for
-  * Best practices assessment
-  * Policy authoring
-  * Policy optimizations
-  * Upgrade assistance
-  * Custom trainings & workshops
-
-### Nirmata Enterprise for Kyverno
+### Nirmata Enterprise for Kyverno (N4K)
 
 [Nirmata Enterprise for Kyverno](https://nirmata.com/nirmata-enterprise-for-kyverno/) is designed for savvy platform engineering teams who are looking to save time and costs, and for peace of mind for operating Kyverno. It includes:
 
-* Kyverno LTS for long term support with compatibility testing, CVE and critical fix SLAs
-* Kyverno engine health and lifecycle management
-* Policy data adapters for fast in-cluster processing
-* Curated policy sets covering all major security concerns
+* Drop-in compatibility with Kyverno OSS
+* Long Term compatibility Support (LTS) across Kyverno and Kubernetes ([support matrix](shttps://docs.nirmata.io/docs/n4k/release-compatibility-matrix/)).
+* SLAs for CVE and critical fixes
+* etcd offload for improved performance
+* Curated policy sets covering security and operations needs
 * Quarterly trainings, assessments, and upgrade assist
-* Custom policy workshops
+* Custom policy authoring support & workshops
 
 {{% videos %}}
 {{< youtube id="LvZ66a9UUNM" start="0" class="video" >}}
@@ -41,23 +27,17 @@ type: docs
 
 [Nirmata Policy Manager](https://nirmata.com/nirmata-cloud-native-policy-manager/) provides centralized visibility and governance across fleets of clusters. It includes:
 
-* All Nirmata Enterprise for Kyverno features
-* Intuitive dashboards for policy reports
-* Role-based access controls for teams
-* Assign ownership of violations
-* OIDC and SAML integration
+* All N4K features
+* Centralized reporting across clusters and clouds
+* Role-based access controls for teams with OIDC and SAML
+* Auto-assign ownership of violations to teams
 * Customizable alerting and notifications
+* DevSecOps Collaboration Workflows e.g., exception management
+* Auto-remediation with GitOps integrations
+* Pipeline scanning and integrations
+* Continuous Compliance
 * CIS Kubernetes Benchmarks
-* Built-in compliance standards for:
-  * Pod Security Standards
-  * Workload Security
-  * Best practices
-  * RBAC configuration
-  * Multi-tenancy
-  * Supply Chain Security
-* Custom compliance standards with policy mappings
-* Continuous Compliance reporting
-
-### Kyverno Training
-
-Nirmata offers expert training and custom workshops for teams looking at accelerating their cloud-native journey. Reach out at: https://nirmata.com/contact-us/.
+
+### Kyverno Training & Support
+
+Nirmata offers expert training and custom workshops for custom support for teams looking at accelerating their cloud-native journey. Reach out at: https://nirmata.com/contact-us/.

From 8ce82a7970f9ef1bee43daf1f75720c1df4143d4 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Mon, 14 Oct 2024 16:50:52 +0300
Subject: [PATCH 26/59] docs: add warning for the mutateExistingOnPolicyUpdate
 deprecated field (#1384)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 content/en/docs/writing-policies/mutate.md          | 10 +++++-----
 content/en/docs/writing-policies/policy-settings.md |  2 +-
 content/en/docs/writing-policies/variables.md       |  3 +--
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/content/en/docs/writing-policies/mutate.md b/content/en/docs/writing-policies/mutate.md
index d242745d4..bfd9e7403 100644
--- a/content/en/docs/writing-policies/mutate.md
+++ b/content/en/docs/writing-policies/mutate.md
@@ -470,7 +470,6 @@ kind: ClusterPolicy
 metadata:
   name: mutate-existing-secret
 spec:
-  mutateExistingOnPolicyUpdate: true
   rules:
     - name: mutate-secret-on-configmap-event
       match:
@@ -483,6 +482,7 @@ spec:
               namespaces:
                 - staging
       mutate:
+        mutateExistingOnPolicyUpdate: true
         # ...
         targets:
           - apiVersion: v1
@@ -508,7 +508,6 @@ kind: ClusterPolicy
 metadata:
   name: refresh-env-var-in-pods
 spec:
-  mutateExistingOnPolicyUpdate: false
   rules:
   - name: refresh-from-secret-env
     match:
@@ -522,6 +521,7 @@ spec:
           operations:
           - UPDATE
     mutate:
+      mutateExistingOnPolicyUpdate: false
       targets:
         - apiVersion: apps/v1
           kind: Deployment
@@ -622,7 +622,6 @@ kind: ClusterPolicy
 metadata:
   name: sync-cms
 spec:
-  mutateExistingOnPolicyUpdate: false
   rules:
   - name: concat-cm
     match:
@@ -635,6 +634,7 @@ spec:
           namespaces:
           - foo
     mutate:
+      mutateExistingOnPolicyUpdate: false
       targets:
         - apiVersion: v1
           kind: ConfigMap
@@ -660,7 +660,6 @@ kind: ClusterPolicy
 metadata:
   name: sync-cms
 spec:
-  mutateExistingOnPolicyUpdate: false
   rules:
   - name: concat-cm
     match:
@@ -673,6 +672,7 @@ spec:
           namespaces:
           - foo
     mutate:
+      mutateExistingOnPolicyUpdate: false
       targets:
         - apiVersion: v1
           kind: ConfigMap
@@ -918,7 +918,6 @@ kind: ClusterPolicy
 metadata:
   name: demo-cluster-policy
 spec:
-  mutateExistingOnPolicyUpdate: false
   rules:
   - name: demo-generate
     match:
@@ -951,6 +950,7 @@ spec:
               matchLabels:
                 custom/related-namespace: "?*"
     mutate:
+      mutateExistingOnPolicyUpdate: false
       targets:
         - apiVersion: v1
           kind: Namespace
diff --git a/content/en/docs/writing-policies/policy-settings.md b/content/en/docs/writing-policies/policy-settings.md
index a42f936b3..0897b33e1 100644
--- a/content/en/docs/writing-policies/policy-settings.md
+++ b/content/en/docs/writing-policies/policy-settings.md
@@ -17,7 +17,7 @@ A [policy](../kyverno-policies) contains one or more rules, and the following co
 
 * **generateExisting**: applicable to generate rules only. Controls whether Kyverno should evaluate the policy the moment it is created.
 
-* **mutateExistingOnPolicyUpdate**: applicable to mutate rules which define targets. Controls whether Kyverno should evaluate the policy when it is updated.
+* **mutateExistingOnPolicyUpdate**: applicable to mutate rules which define targets. Controls whether Kyverno should evaluate the policy when it is updated. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `mutateExistingOnPolicyUpdate` under the mutate rule instead.
 
 * **schemaValidation**: controls whether policy validation checks are applied. Defaults to "true". Kyverno will attempt to validate the schema of a policy and fail if it cannot determine it satisfies the OpenAPI schema definition for that resource. Can occur on either validate or mutate policies. Set to "false" to skip schema validation. This field is deprecated as of 1.11 and currently has no effect. Scheduled to be removed in a future version.
 
diff --git a/content/en/docs/writing-policies/variables.md b/content/en/docs/writing-policies/variables.md
index 7c9199ee0..4b1ab639e 100644
--- a/content/en/docs/writing-policies/variables.md
+++ b/content/en/docs/writing-policies/variables.md
@@ -504,9 +504,7 @@ kind: ClusterPolicy
 metadata:
   name: vault-auth-backend
 spec:
-  validationFailureAction: Audit
   background: true
-  mutateExistingOnPolicyUpdate: true
   rules:
   - name: vault-injector-config-blue-to-green-auth-backend
     context:
@@ -523,6 +521,7 @@ spec:
           namespaces:
           - corp-tech-ap-team-ping-ep
     mutate:
+      mutateExistingOnPolicyUpdate: true
       patchStrategicMerge:
         data:
           config: '{{- hcl }}'

From 444baa756ed3eda23c3ea029ac3b2400d37e2765 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 15 Oct 2024 12:51:08 +0800
Subject: [PATCH 27/59] chore(deps): bump lycheeverse/lychee-action from 2.0.1
 to 2.0.2 (#1387)

Bumps [lycheeverse/lychee-action](https://github.com/lycheeverse/lychee-action) from 2.0.1 to 2.0.2.
- [Release notes](https://github.com/lycheeverse/lychee-action/releases)
- [Commits](https://github.com/lycheeverse/lychee-action/compare/2bb232618be239862e31382c5c0eaeba12e5e966...7cd0af4c74a61395d455af97419279d86aafaede)

---
updated-dependencies:
- dependency-name: lycheeverse/lychee-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-links.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 59ee77c25..586a47087 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -15,7 +15,7 @@ jobs:
 
       - name: Check unrendered links
         id: lychee_unrendered
-        uses: lycheeverse/lychee-action@2bb232618be239862e31382c5c0eaeba12e5e966 # v2.0.1
+        uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
         with:
@@ -48,7 +48,7 @@ jobs:
 
       # - name: Check rendered links
       #   id: lychee_rendered
-      #   uses: lycheeverse/lychee-action@2bb232618be239862e31382c5c0eaeba12e5e966 # v2.0.1
+      #   uses: lycheeverse/lychee-action@7cd0af4c74a61395d455af97419279d86aafaede # v2.0.2
       #   env:
       #     GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
       #   with:

From daab8d1c75354883d2ad6cb1e2c416e01037324f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 24 Oct 2024 13:48:18 +0800
Subject: [PATCH 28/59] chore(deps): bump actions/checkout from 4.2.1 to 4.2.2
 (#1390)

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.1 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871...11bd71901bbe5b1630ceea73d27597364c9af683)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/check-links.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml
index 586a47087..596e9ae87 100644
--- a/.github/workflows/check-links.yaml
+++ b/.github/workflows/check-links.yaml
@@ -11,7 +11,7 @@ jobs:
   linkChecker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check unrendered links
         id: lychee_unrendered

From 0b6e2cac63af2ff5b9457f2818ef2b63b993b7b7 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Fri, 25 Oct 2024 13:50:20 +0530
Subject: [PATCH 29/59] feat: add documentation for new reporting configuration
 changes (#1389)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 content/en/docs/installation/customization.md | 1 +
 content/en/docs/policy-reports/_index.md      | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md
index e1747030f..a610105d6 100644
--- a/content/en/docs/installation/customization.md
+++ b/content/en/docs/installation/customization.md
@@ -372,6 +372,7 @@ The following flags can be used to control the advanced behavior of the various
 | `enableConfigMapCaching` (ABR) | true | Enables the ConfigMap caching feature. |
 | `enableDeferredLoading` (A) | true | Enables deferred (lazy) loading of variables (1.10.1+). Set to `false` to disable deferred loading of variables which was the default behavior in versions < 1.10.0. |
 | `enablePolicyException` (ABR) | true | Set to `true` to enable the [PolicyException capability](../writing-policies/exceptions.md). |
+| `enableReporting` (ABCR) | validate,mutate,mutateExisting,generate,imageVerify | Comma separated list to enables reporting for different rule types. (validate,mutate,mutateExisting,generate,imageVerify) |
 | `enableTracing` (ABCR) | false | Set to enable exposing traces. |
 | `enableTuf` (AR) | | Enable tuf for private sigstore deployments. |
 | `exceptionNamespace` (ABR) | | Set to the name of a Namespace where [PolicyExceptions](../writing-policies/exceptions.md) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If not set, PolicyExceptions from all Namespaces will be considered. Implies the `enablePolicyException` flag is set to `true`. Neither wildcards nor multiple Namespaces are currently accepted. |
diff --git a/content/en/docs/policy-reports/_index.md b/content/en/docs/policy-reports/_index.md
index 04db46c78..51382bc27 100644
--- a/content/en/docs/policy-reports/_index.md
+++ b/content/en/docs/policy-reports/_index.md
@@ -5,7 +5,7 @@ description: >
 weight: 60
 ---
 
-Policy reports are Kubernetes Custom Resources, generated and managed automatically by Kyverno, which contain the results of applying matching Kubernetes resources to Kyverno ClusterPolicy or Policy resources. They are created for `validate` and `verifyImages` rules when a resource is matched by one or more rules according to the policy definition. If resources violate multiple rules, there will be multiple entries. When resources are deleted, their entry will be removed from the report. Reports, therefore, always represent the current state of the cluster and do not record historical information.
+Policy reports are Kubernetes Custom Resources, generated and managed automatically by Kyverno, which contain the results of applying matching Kubernetes resources to Kyverno ClusterPolicy or Policy resources. They are created for `validate`, `mutate`, `generate` and `verifyImages` rules when a resource is matched by one or more rules according to the policy definition. If resources violate multiple rules, there will be multiple entries. When resources are deleted, their entry will be removed from the report. Reports, therefore, always represent the current state of the cluster and do not record historical information.
 
 For example, if a validate policy in `Audit` mode exists containing a single rule which requires that all resources set the label `team` and a user creates a Pod which does not set the `team` label, Kyverno will allow the Pod's creation but record it as a `fail` result in a policy report due to the Pod being in violation of the policy and rule. Policies configured with `spec.validationFailureAction: Enforce` immediately block violating resources and results will only be reported for `pass` evaluations. Policy reports are an ideal way to observe the impact a Kyverno policy may have in a cluster without causing disruption. The insights gained from these policy reports may be used to provide valuable feedback to both users/developers so they may take appropriate action to bring offending resources into alignment, and to policy authors or cluster operators to help them refine policies prior to changing them to `Enforce` mode. Because reports are decoupled from policies, standard Kubernetes RBAC can then be applied to separate those who can see and manipulate policies from those who can view reports.
 
@@ -86,6 +86,10 @@ Policy reports created from background scans are not subject to the configuratio
 To configure Kyverno to generate reports for Kubernetes ValidatingAdmissionPolicies enable the `--validatingAdmissionPolicyReports` flag in the reports controller. 
 {{% /alert %}}
 
+{{% alert title="Note" color="info" %}}
+Reporting can be enabled or disabled for rule types by modifying the value of the flag `--enableReporting=validate,mutate,mutateExisting,generate,imageVerify`.
+{{% /alert %}}
+
 ## Report result logic
 
 Entries in a policy report contain a `result` field which can be either `pass`, `skip`, `warn`, `error`, or `fail`.

From b692d4ef29c5d901c182cef47f0926c7ca8853f0 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Mon, 28 Oct 2024 02:16:55 +0300
Subject: [PATCH 30/59] docs: add --dumpPatches flag (#1386)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/installation/customization.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md
index a610105d6..aae4919ee 100644
--- a/content/en/docs/installation/customization.md
+++ b/content/en/docs/installation/customization.md
@@ -365,10 +365,11 @@ The following flags can be used to control the advanced behavior of the various
 | `cleanupServerPort` (C) | 9443 | Defines the port used by the cleanup server. Usually changed in tandem with `webhookServerPort`.|
 | `clientRateLimitBurst` (ABCR) | 300 | Configures the maximum burst for throttling. Uses the client default if zero. |
 | `clientRateLimitQPS` (ABCR) | 300 | Configures the maximum QPS to the API server from Kyverno. Uses the client default if zero. |
-| `eventsRateLimitBurst` (ABCR) | 2000 | Configures the maximum burst for throttling for events. Uses the client default if zero. |
-| `eventsRateLimitQPS` (ABCR) | 1000 | Configures the maximum QPS to the API server from Kyverno for events. Uses the client default if zero. |
 | `disableMetrics` (ABCR) | false | Specifies whether to enable exposing the metrics. |
 | `dumpPayload` (AC) | false | Toggles debug mode. When debug mode is enabled, the full AdmissionReview payload is logged. Additionally, resources of kind Secret are redacted. Should only be used in policy development or troubleshooting scenarios, not left perpetually enabled. |
+| `dumpPatches` (A) | false |  Toggles debug mode. When debug mode is enabled, the full patch payload is logged |
+| `eventsRateLimitBurst` (ABCR) | 2000 | Configures the maximum burst for throttling for events. Uses the client default if zero. |
+| `eventsRateLimitQPS` (ABCR) | 1000 | Configures the maximum QPS to the API server from Kyverno for events. Uses the client default if zero. |
 | `enableConfigMapCaching` (ABR) | true | Enables the ConfigMap caching feature. |
 | `enableDeferredLoading` (A) | true | Enables deferred (lazy) loading of variables (1.10.1+). Set to `false` to disable deferred loading of variables which was the default behavior in versions < 1.10.0. |
 | `enablePolicyException` (ABR) | true | Set to `true` to enable the [PolicyException capability](../writing-policies/exceptions.md). |

From 1ba849a81fdbabffc2f561bbdd5ebcf29e5dc512 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Mon, 28 Oct 2024 04:48:36 +0530
Subject: [PATCH 31/59] feat(docs): regexp support in cosign keyless
 verification (#1327)

* feat(docs): regexp support in cosign keyless verification

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: grammatical errors

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .../verify-images/sigstore/_index.md          | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
index 01dfc66d3..4703703b8 100644
--- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md
+++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -506,6 +506,35 @@ spec:
                 url: https://rekor.sigstore.dev
 ```
 
+The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) with regular expressions for subject and issuer:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-keyless
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  rules:
+    - name: check-image-keyless
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      verifyImages:
+      - imageReferences:
+        - "ghcr.io/kyverno/test-verify-image:signed-keyless"
+        attestors:
+        - entries:
+          - keyless:
+              subjectRegExp: https://github\.com/.+
+              issuerRegExp: https://token\.actions\.githubusercontent.+
+              rekor:
+                url: https://rekor.sigstore.dev
+```
+
 ### Keyless signing
 
 To sign images using the keyless flow, use the following cosign command:
@@ -539,6 +568,7 @@ attestors:
         url: https://rekor.sigstore.dev
 ```
 
+
 ## Using a Key Management Service (KMS)
 
 Kyverno and Cosign support using Key Management Services (KMS) such as AWS, GCP, Azure, and HashiCorp Vault. This integration allows referencing public and private keys using a URI syntax, instead of embedding the key directly in the policy.

From 6f1653f7c919c88fc94839b36b3201023f126d8c Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Mon, 28 Oct 2024 02:19:42 +0300
Subject: [PATCH 32/59] docs: add warning for the validationFailureAction
 deprecated field (#1345)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/applying-policies/_index.md   |  2 +-
 content/en/docs/introduction/quick-start.md   |  4 +-
 content/en/docs/kyverno-cli/usage/apply.md    | 11 +--
 content/en/docs/kyverno-cli/usage/test.md     |  5 +-
 content/en/docs/policy-reports/_index.md      |  2 +-
 content/en/docs/policy-reports/background.md  | 10 +-
 content/en/docs/policy-reports/examples.md    |  4 +-
 content/en/docs/troubleshooting/_index.md     |  2 +-
 content/en/docs/writing-policies/autogen.md   |  6 +-
 .../en/docs/writing-policies/exceptions.md    |  6 +-
 .../writing-policies/external-data-sources.md |  8 +-
 content/en/docs/writing-policies/jmespath.md  | 55 +++++------
 .../en/docs/writing-policies/match-exclude.md | 11 +--
 .../docs/writing-policies/policy-settings.md  |  8 +-
 .../en/docs/writing-policies/preconditions.md |  5 +-
 content/en/docs/writing-policies/tips.md      |  4 +-
 content/en/docs/writing-policies/validate.md  | 96 ++++++++++---------
 content/en/docs/writing-policies/variables.md |  2 +-
 .../verify-images/notary/_index.md            | 14 +--
 .../verify-images/sigstore/_index.md          | 41 ++++----
 20 files changed, 152 insertions(+), 144 deletions(-)

diff --git a/content/en/docs/applying-policies/_index.md b/content/en/docs/applying-policies/_index.md
index e80ad376a..70acaae65 100644
--- a/content/en/docs/applying-policies/_index.md
+++ b/content/en/docs/applying-policies/_index.md
@@ -13,7 +13,7 @@ The [Kyverno Policies](/policies/) repository contains several policies you can
 
 On installation, Kyverno runs as a [dynamic admission controller](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) in a Kubernetes cluster. Kyverno receives validating and mutating admission webhook HTTP callbacks from the Kubernetes API server and applies matching policies to return results that enforce admission policies or reject requests.
 
-Policies with validation rules can be used to block insecure or non-compliant configurations by setting the [`validationFailureAction`](../writing-policies/validate.md#validation-failure-action) to `Enforce`. Or, validation rules can be applied using periodic scans with results available as [policy reports](../policy-reports/).
+Policies with validation rules can be used to block insecure or non-compliant configurations by setting the [`failureAction`](../writing-policies/validate.md#failure-action) to `Enforce`. Or, validation rules can be applied using periodic scans with results available as [policy reports](../policy-reports/).
 
 Rules in a policy are applied in the order of definition. During [admission control](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/), mutation rules are applied before validation rules. This allows validation of changes made during mutation. Note that **all** mutation rules are applied first across all policies before any validation rules are applied.
 
diff --git a/content/en/docs/introduction/quick-start.md b/content/en/docs/introduction/quick-start.md
index a1fb7ba39..c1f6bba62 100644
--- a/content/en/docs/introduction/quick-start.md
+++ b/content/en/docs/introduction/quick-start.md
@@ -22,7 +22,7 @@ Next, select the quick start guide in which you are interested. Alternatively, s
 
 In the validation guide, you will see how simple an example Kyverno policy can be which ensures a label called `team` is present on every Pod. Validation is the most common use case for policy and functions as a "yes" or "no" decision making process. Resources which are compliant with the policy are allowed to pass ("yes, this is allowed") and those which are not compliant may not be allowed to pass ("no, this is not allowed"). An additional effect of these validate policies is to produce Policy Reports. A [Policy Report](../policy-reports/_index.md) is a custom Kubernetes resource, produced and managed by Kyverno, which shows the results of policy decisions upon allowed resources in a user-friendly way.
 
-Add the policy below to your cluster. It contains a single validation rule that requires that all Pods have the `team` label. Kyverno supports different rule types to validate, mutate, generate, cleanup, and verify image configurations. The field `validationFailureAction` is set to `Enforce` to block Pods that are non-compliant. Using the default value `Audit` will report violations but not block requests.
+Add the policy below to your cluster. It contains a single validation rule that requires that all Pods have the `team` label. Kyverno supports different rule types to validate, mutate, generate, cleanup, and verify image configurations. The field `failureAction` is set to `Enforce` to block Pods that are non-compliant. Using the default value `Audit` will report violations but not block requests.
 
 ```yaml
 kubectl create -f- << EOF
@@ -31,7 +31,6 @@ kind: ClusterPolicy
 metadata:
   name: require-labels
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: check-team
     match:
@@ -40,6 +39,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "label 'team' is required"
       pattern:
         metadata:
diff --git a/content/en/docs/kyverno-cli/usage/apply.md b/content/en/docs/kyverno-cli/usage/apply.md
index 07e30f0a4..66bfe29f2 100644
--- a/content/en/docs/kyverno-cli/usage/apply.md
+++ b/content/en/docs/kyverno-cli/usage/apply.md
@@ -264,7 +264,6 @@ kind: ClusterPolicy
 metadata:
   name: cm-globalval-example
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: validate-mode
@@ -274,6 +273,7 @@ spec:
             kinds:
               - Pod
       validate:
+        failureAction: Enforce
         message: "The value {{ request.mode }} for val1 is not equal to 'dev'."
         deny:
           conditions:
@@ -362,7 +362,6 @@ kind: ClusterPolicy
 metadata:
   name: enforce-pod-name
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
     - name: validate-name
@@ -378,6 +377,7 @@ spec:
                 values:
                 - managed
       validate:
+        failureAction: Audit
         message: "The Pod must end with -nginx"
         pattern:
           metadata:
@@ -446,7 +446,6 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: DaemonSet,Deployment,StatefulSet
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: example-configmap-lookup
@@ -495,7 +494,7 @@ policies:
           dictionary.data.env: dev1
 ```
 
-Policies that have their validationFailureAction set to `Audit` can be set to produce a warning instead of a failure using the `--audit-warn` flag. This will also cause a non-zero exit code if no enforcing policies failed.
+Policies that have their failureAction set to `Audit` can be set to produce a warning instead of a failure using the `--audit-warn` flag. This will also cause a non-zero exit code if no enforcing policies failed.
 
 ```sh
 kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --audit-warn
@@ -551,7 +550,6 @@ kind: ClusterPolicy
 metadata:
   name: require-pod-requests-limits
 spec:
-  validationFailureAction: Audit
   rules:
   - name: validate-resources
     match:
@@ -560,6 +558,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Audit
       message: "CPU and memory resource requests and limits are required"
       pattern:
         spec:
@@ -703,7 +702,6 @@ kind: ClusterPolicy
 metadata:
   name: max-containers
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: max-two-containers
@@ -713,6 +711,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "A maximum of 2 containers are allowed inside a Pod."
       deny:
         conditions:
diff --git a/content/en/docs/kyverno-cli/usage/test.md b/content/en/docs/kyverno-cli/usage/test.md
index 7472181e9..04b775050 100644
--- a/content/en/docs/kyverno-cli/usage/test.md
+++ b/content/en/docs/kyverno-cli/usage/test.md
@@ -228,7 +228,6 @@ kind: ClusterPolicy
 metadata:
   name: disallow-latest-tag
 spec:
-  validationFailureAction: Audit
   rules:
   - name: require-image-tag
     match:
@@ -237,6 +236,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Audit
       message: "An image tag is required."  
       pattern:
         spec:
@@ -249,6 +249,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Audit
       message: "Using a mutable image tag e.g. 'latest' is not allowed."
       pattern:
         spec:
@@ -544,7 +545,6 @@ kind: ClusterPolicy
 metadata:
   name: disallow-host-namespaces
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: host-namespaces
@@ -554,6 +554,7 @@ spec:
             kinds:
               - Pod
       validate:
+        failureAction: Enforce
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
           spec.hostIPC, and spec.hostPID must be unset or set to `false`.          
diff --git a/content/en/docs/policy-reports/_index.md b/content/en/docs/policy-reports/_index.md
index 51382bc27..08ddafe6b 100644
--- a/content/en/docs/policy-reports/_index.md
+++ b/content/en/docs/policy-reports/_index.md
@@ -7,7 +7,7 @@ weight: 60
 
 Policy reports are Kubernetes Custom Resources, generated and managed automatically by Kyverno, which contain the results of applying matching Kubernetes resources to Kyverno ClusterPolicy or Policy resources. They are created for `validate`, `mutate`, `generate` and `verifyImages` rules when a resource is matched by one or more rules according to the policy definition. If resources violate multiple rules, there will be multiple entries. When resources are deleted, their entry will be removed from the report. Reports, therefore, always represent the current state of the cluster and do not record historical information.
 
-For example, if a validate policy in `Audit` mode exists containing a single rule which requires that all resources set the label `team` and a user creates a Pod which does not set the `team` label, Kyverno will allow the Pod's creation but record it as a `fail` result in a policy report due to the Pod being in violation of the policy and rule. Policies configured with `spec.validationFailureAction: Enforce` immediately block violating resources and results will only be reported for `pass` evaluations. Policy reports are an ideal way to observe the impact a Kyverno policy may have in a cluster without causing disruption. The insights gained from these policy reports may be used to provide valuable feedback to both users/developers so they may take appropriate action to bring offending resources into alignment, and to policy authors or cluster operators to help them refine policies prior to changing them to `Enforce` mode. Because reports are decoupled from policies, standard Kubernetes RBAC can then be applied to separate those who can see and manipulate policies from those who can view reports.
+For example, if a validate policy in `Audit` mode exists containing a single rule which requires that all resources set the label `team` and a user creates a Pod which does not set the `team` label, Kyverno will allow the Pod's creation but record it as a `fail` result in a policy report due to the Pod being in violation of the policy and rule. Policies configured with `spec.rules[*].validate[*].failureAction: Enforce` immediately block violating resources and results will only be reported for `pass` evaluations. Policy reports are an ideal way to observe the impact a Kyverno policy may have in a cluster without causing disruption. The insights gained from these policy reports may be used to provide valuable feedback to both users/developers so they may take appropriate action to bring offending resources into alignment, and to policy authors or cluster operators to help them refine policies prior to changing them to `Enforce` mode. Because reports are decoupled from policies, standard Kubernetes RBAC can then be applied to separate those who can see and manipulate policies from those who can view reports.
 
 Policy reports are created based on two different triggers: an admission event (a `CREATE`, `UPDATE`, or `DELETE` action performed against a resource) or the result of a background scan discovering existing resources. Policy reports, like Kyverno policies, have both Namespaced and cluster-scoped variants; a `PolicyReport` is a Namespaced resource while a `ClusterPolicyReport` is a cluster-scoped resource. Reports are stored in the cluster on a per resource basis. Every namespaced resource will (eventually) have an associated `PolicyReport` and every clustered resource will (eventually) have an associated `ClusterPolicyReport`.
 
diff --git a/content/en/docs/policy-reports/background.md b/content/en/docs/policy-reports/background.md
index 0d0dd1510..e1a66ca6e 100644
--- a/content/en/docs/policy-reports/background.md
+++ b/content/en/docs/policy-reports/background.md
@@ -22,20 +22,20 @@ Background scanning, enabled by default in a `Policy` or `ClusterPolicy` object
 
 Background scanning occurs on a periodic basis (one hour by default) and offers some configuration options via [container flags](../installation/customization.md#container-flags).
 
-When background scanning is enabled, regardless of whether the policy's `validationFailureAction` is set to `Enforce` or `Audit`, the results will be recorded in a report. To see the specifics of how reporting works with background scans, refer to the tables below.
+When background scanning is enabled, regardless of whether the policy's `failureAction` is set to `Enforce` or `Audit`, the results will be recorded in a report. To see the specifics of how reporting works with background scans, refer to the tables below.
 
 **Reporting behavior when `background: true`**
 
 |                                  | New Resource | Existing Resource |
 |----------------------------------|--------------|-------------------|
-| `validationFailureAction: Enforce` | Pass only         | Report            |
-| `validationFailureAction: Audit`   | Report       | Report            |
+| `failureAction: Enforce` | Pass only         | Report            |
+| `failureAction: Audit`   | Report       | Report            |
 
 **Reporting behavior when `background: false`**
 
 |                                  | New Resource | Existing Resource |
 |----------------------------------|--------------|-------------------|
-| `validationFailureAction: Enforce` | Pass only         | None              |
-| `validationFailureAction: Audit`   | Report       | None              |
+| `failureAction: Enforce` | Pass only         | None              |
+| `failureAction: Audit`   | Report       | None              |
 
 Also, policy rules that are written using either certain variables from [AdmissionReview](../writing-policies/variables.md#variables-from-admission-review-requests) request information (e.g. `request.userInfo`), or fields like Roles, ClusterRoles, and Subjects in `match` and `exclude` statements, cannot be applied to existing resources in the background scanning mode since that information must come from an AdmissionReview request and is not available if the resource exists. Hence, these rules must set `background` to `false` to disable background scanning. The exceptions to this are `request.object` and `request.namespace` variables as these will be translated from the current state of the resource.
diff --git a/content/en/docs/policy-reports/examples.md b/content/en/docs/policy-reports/examples.md
index ef48b331f..50445f2b8 100644
--- a/content/en/docs/policy-reports/examples.md
+++ b/content/en/docs/policy-reports/examples.md
@@ -18,7 +18,6 @@ metadata:
   name: secrets-not-from-env-vars
 spec:
   background: true
-  validationFailureAction: Audit
   rules:
   - name: secrets-not-from-env-vars
     match:
@@ -27,6 +26,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Audit
       message: "Secrets must be mounted as volumes, not as environment variables."
       pattern:
         spec:
@@ -76,7 +76,7 @@ summary:
   warn: 0
 ```
 
-Create another Pod which violates the rule in the sample policy. Because the rule is written with `validationFailureAction: Audit`, resources are allowed to be created which violate the rule. If this occurs, another entry will be created in the PolicyReport which denotes this condition as a FAIL. By contrast, if `validationFailureAction: Enforce` and an offending resource was attempted creation, it would be immediately blocked and therefore would not generate another entry in the report. However, if the resource passed then a PASS result would be created in the report.
+Create another Pod which violates the rule in the sample policy. Because the rule is written with `failureAction: Audit`, resources are allowed to be created which violate the rule. If this occurs, another entry will be created in the PolicyReport which denotes this condition as a FAIL. By contrast, if `failureAction: Enforce` and an offending resource was attempted creation, it would be immediately blocked and therefore would not generate another entry in the report. However, if the resource passed then a PASS result would be created in the report.
 
 ```yaml
 apiVersion: v1
diff --git a/content/en/docs/troubleshooting/_index.md b/content/en/docs/troubleshooting/_index.md
index c5e7c6285..427546bcb 100644
--- a/content/en/docs/troubleshooting/_index.md
+++ b/content/en/docs/troubleshooting/_index.md
@@ -82,7 +82,7 @@ Use [Namespace selectors](../installation/customization.md#namespace-selectors)
     pod "busybox" deleted
     ```
 
-5. For `validate` policies, ensure that `validationFailureAction` is set to `Enforce` if your expectation is that applicable resources should be blocked. Most policies in the samples library are purposefully set to `Audit` mode so they don't have any unintended consequences for new users. It could be that, if the prior steps check out, Kyverno is working fine only that your policy is configured to not immediately block resources.
+5. For `validate` policies, ensure that `failureAction` is set to `Enforce` if your expectation is that applicable resources should be blocked. Most policies in the samples library are purposefully set to `Audit` mode so they don't have any unintended consequences for new users. It could be that, if the prior steps check out, Kyverno is working fine only that your policy is configured to not immediately block resources.
 
 6. Check and ensure you aren't creating a resource that is either excluded from Kyverno's processing by default, or that it hasn't been created in an excluded Namespace. Kyverno uses a ConfigMap by default called `kyverno` in the Kyverno Namespace to filter out some of these things. The key name is `resourceFilters` and more details can be found [here](../installation/customization.md#resource-filters).
 
diff --git a/content/en/docs/writing-policies/autogen.md b/content/en/docs/writing-policies/autogen.md
index 9ac6ae785..06922ee1c 100644
--- a/content/en/docs/writing-policies/autogen.md
+++ b/content/en/docs/writing-policies/autogen.md
@@ -15,7 +15,6 @@ kind: ClusterPolicy
 metadata:
   name: restrict-image-registries
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: validate-registries
     match:
@@ -24,6 +23,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "Images may only come from our internal enterprise registry."
       pattern:
         spec:
@@ -56,6 +56,7 @@ status:
       mutate: {}
       name: autogen-validate-registries
       validate:
+        failureAction: Enforce
         message: Images may only come from our internal enterprise registry.
         pattern:
           spec:
@@ -77,6 +78,7 @@ status:
       mutate: {}
       name: autogen-cronjob-validate-registries
       validate:
+        failureAction: Enforce
         message: Images may only come from our internal enterprise registry.
         pattern:
           spec:
@@ -139,7 +141,6 @@ kind: ClusterPolicy
 metadata:
   name: require-requests-limits
 spec:
-  validationFailureAction: Enforce
   background: true
   rules:
     - name: validate-resources
@@ -154,6 +155,7 @@ spec:
           operator: NotEquals
           value: skip
       validate:
+        failureAction: Enforce
         message: "CPU and memory resource requests and limits are required."
         pattern:
           spec:
diff --git a/content/en/docs/writing-policies/exceptions.md b/content/en/docs/writing-policies/exceptions.md
index 8ec57660d..0b16c5989 100644
--- a/content/en/docs/writing-policies/exceptions.md
+++ b/content/en/docs/writing-policies/exceptions.md
@@ -32,7 +32,6 @@ kind: ClusterPolicy
 metadata:
   name: disallow-host-namespaces
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: host-namespaces
@@ -42,6 +41,7 @@ spec:
             kinds:
               - Pod
       validate:
+        failureAction: Enforce
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
           spec.hostIPC, and spec.hostPID must be unset or set to `false`.
@@ -145,7 +145,6 @@ kind: ClusterPolicy
 metadata:
   name: policy-for-exceptions
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: require-match-name
@@ -155,6 +154,7 @@ spec:
           kinds:
           - PolicyException
     validate:
+      failureAction: Enforce
       message: >-
         An exception must explicitly specify a name for a resource match.
       pattern:
@@ -181,7 +181,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: restricted
     match:
@@ -190,6 +189,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: restricted
         version: latest
diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 3d64e9153..0aec61627 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -120,7 +120,6 @@ kind: ClusterPolicy
 metadata:
   name: cm-array-example
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: validate-role-annotation
@@ -135,6 +134,7 @@ spec:
           kinds:
           - Deployment
     validate:
+      failureAction: Enforce
       message: "The role {{ request.object.metadata.annotations.role }} is not in the allowed list of roles: {{ \"roles-dictionary\".data.\"allowed-roles\" }}."
       deny:
         conditions:
@@ -517,7 +517,6 @@ kind: ClusterPolicy
 metadata:
   name: limits
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: limit-lb-svc
     match:
@@ -533,6 +532,7 @@ spec:
         urlPath: "/api/v1/namespaces/{{ request.namespace }}/services"
         jmesPath: "items[?spec.type == 'LoadBalancer'] | length(@)"    
     validate:
+      failureAction: Enforce
       message: "Only one LoadBalancer service is allowed per namespace"
       deny:
         conditions:
@@ -558,7 +558,6 @@ kind: ClusterPolicy
 metadata:
   name: check-namespaces      
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: call-extension
     match:
@@ -580,6 +579,7 @@ spec:
             <snip>
             -----END CERTIFICATE-----
     validate:
+      failureAction: Enforce
       message: "namespace {{request.namespace}} is not allowed"
       deny:
         conditions:
@@ -831,7 +831,6 @@ kind: ClusterPolicy
 metadata:
   name: imageref-demo
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: no-root-images
     match:
@@ -843,6 +842,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Enforce
       message: "Images run as root are not allowed."  
       foreach:
       - list: "request.object.spec.containers"
diff --git a/content/en/docs/writing-policies/jmespath.md b/content/en/docs/writing-policies/jmespath.md
index 2ec5d2744..92be54ea3 100644
--- a/content/en/docs/writing-policies/jmespath.md
+++ b/content/en/docs/writing-policies/jmespath.md
@@ -319,7 +319,6 @@ kind: ClusterPolicy
 metadata:
   name: restrict-ingress-wildcard
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: block-ingress-wildcard
       match:
@@ -328,6 +327,7 @@ spec:
             kinds:
               - Ingress
       validate:
+        failureAction: Enforce
         message: "Wildcards are not permitted as hosts."
         foreach:
         - list: "request.object.spec.rules"
@@ -383,7 +383,6 @@ kind: ClusterPolicy
 metadata:
   name: add-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: add-demo
@@ -396,6 +395,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Enforce
       message: "The total memory defined in requests and limits must not exceed 200Mi."
       foreach:
       - list: "request.object.spec.containers"
@@ -438,7 +438,6 @@ metadata:
   name: base64-decode-demo
 spec:
   background: false
-  validationFailureAction: Enforce
   rules:
   - name: base64-decode-demo
     match:
@@ -455,6 +454,7 @@ spec:
         operator: NotEquals
         value: DELETE
     validate:
+      failureAction: Enforce
       message: This license key may not be consumed by a Secret.
       foreach:
       - list: "request.object.spec.[containers, initContainers, ephemeralContainers][].env[].valueFrom.secretKeyRef"
@@ -587,7 +587,6 @@ kind: ClusterPolicy
 metadata:
   name: enforce-resources-as-ratio
 spec:
-  validationFailureAction: Audit
   rules:
   - name: check-memory-requests-limits
     match:
@@ -599,6 +598,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Enforce
       message: Limits may not exceed 2.5x the requests.
       foreach:
       - list: "request.object.spec.containers"
@@ -637,7 +637,6 @@ kind: ClusterPolicy
 metadata:
   name: equal-fold-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: validate-dept-label-data
@@ -647,6 +646,7 @@ spec:
           kinds:
           - ConfigMap
     validate:
+      failureAction: Enforce
       message: The dept label must equal the data.dept value aside from case.
       deny:
         conditions:
@@ -719,7 +719,6 @@ kind: ClusterPolicy
 metadata:
   name: check-external-url-in-configmap
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: validate-external-url
@@ -729,6 +728,7 @@ spec:
             kinds:
               - ConfigMap
       validate:
+        failureAction: Enforce
         message: "ConfigMap contains an external URL."
         deny:
           conditions:
@@ -971,7 +971,6 @@ kind: ClusterPolicy
 metadata:
   name: require-pdb
 spec:
-  validationFailureAction: Audit
   background: false
   rules:
   - name: require-pdb
@@ -988,6 +987,7 @@ spec:
         urlPath: "/apis/policy/v1beta1/namespaces/{{request.namespace}}/poddisruptionbudgets"
         jmesPath: "items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)"
     validate:
+      failureAction: Audit
       message: "There is no corresponding PodDisruptionBudget found for this Deployment."
       deny:
         conditions:
@@ -1115,7 +1115,6 @@ kind: ClusterPolicy
 metadata:
   name: modulo-demo
 spec:
-  validationFailureAction: Audit
   rules:
   - name: check-memory-requests-limits
     match:
@@ -1127,6 +1126,7 @@ spec:
           - CREATE
           - UPDATE
     validate:
+      failureAction: Audit
       message: Limits must be evenly divisible by the requests.
       foreach:
       - list: "request.object.spec.containers"
@@ -1388,7 +1388,6 @@ kind: ClusterPolicy
 metadata:
   name: parse-yaml-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: check-goodbois
@@ -1398,6 +1397,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "Only good bois allowed."
       deny:
         conditions:
@@ -1455,7 +1455,6 @@ kind: ClusterPolicy
 metadata:
   name: path-canonicalize-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: disallow-mount-containerd-sock
@@ -1465,6 +1464,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       foreach:
       - list: "request.object.spec.volumes[]"
         deny:
@@ -1498,7 +1498,6 @@ kind: ClusterPolicy
 metadata:
   name: pattern-match-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - match:
@@ -1513,6 +1512,7 @@ spec:
         name: deptbillingcodes
         namespace: default
     validate:
+      failureAction: Enforce
       message: The department {{request.object.metadata.labels.dept}} must supply a matching billing code.
       deny:
         conditions:
@@ -1621,7 +1621,6 @@ metadata:
   name: regex-match-demo
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: validate-backup-schedule-annotation-cron
     match:
@@ -1630,6 +1629,7 @@ spec:
           kinds:
           - PersistentVolumeClaim
     validate:
+      failureAction: Enforce
       message: The annotation `backup-schedule` must be present and in cron format.
       deny:
         conditions:
@@ -1831,7 +1831,6 @@ kind: ClusterPolicy
 metadata:
   name: round-demo
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: round-input
       match:
@@ -1844,6 +1843,7 @@ spec:
         variable:
           value: 10.123456
       validate:
+        failureAction: Enforce
         message: The rounded value is {{ round(input, `2`) }}.
         deny: {}
 ```
@@ -1870,7 +1870,6 @@ kind: ClusterPolicy
 metadata:
   name: semver-compare-demo
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: check-sbom
@@ -1881,6 +1880,7 @@ spec:
               - Pod
       verifyImages:
       - image: "ghcr.io/kyverno/test-verify-image*"
+        failureAction: Enforce
         key: |-
           -----BEGIN PUBLIC KEY-----
           MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHMmDjK65krAyDaGaeyWNzgvIu155
@@ -1955,7 +1955,6 @@ kind: ClusterPolicy
 metadata:
   name: split-demo
 spec:
-  validationFailureAction: Audit
   background: false
   rules:
     - name: check-path
@@ -1978,6 +1977,7 @@ spec:
             urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/ingresses"
             jmesPath: "items[].spec.rules[].http.paths[].path"
       validate:
+        failureAction: Audit
         message: >-
           The root path /{{request.object.spec.rules[].http.paths[].path | to_string(@) | split(@, '/') | [1]}}/ exists
           in another Ingress rule elsewhere in the cluster.
@@ -2077,7 +2077,6 @@ kind: ClusterPolicy
 metadata:
   name: sum-demo
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: memory-requests-check
       match:
@@ -2086,6 +2085,7 @@ spec:
             kinds:
             - Pod
       validate:
+        failureAction: Enforce
         message: The sum of all memory requests in a Pod cannot exceed 1 gibibyte.
         deny:
           conditions:
@@ -2119,7 +2119,6 @@ kind: ClusterPolicy
 metadata:
   name: automate-cleanup
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: cleanup
@@ -2177,7 +2176,6 @@ metadata:
   name: decommission-policy
 spec:
   background: false
-  validationFailureAction: Enforce
   rules:
     - name: decomm-jan-12
       match:
@@ -2186,6 +2184,7 @@ spec:
             kinds:
             - ConfigMap
       validate:
+        failureAction: Enforce
         message: "This cluster is being decommissioned and no further resources may be created after January 12th."
         deny:
           conditions:
@@ -2220,7 +2219,6 @@ metadata:
   name: expiration
 spec:
   background: false
-  validationFailureAction: Enforce
   rules:
     - name: expire-jan-31
       match:
@@ -2234,6 +2232,7 @@ spec:
           operator: Equals
           value: true
       validate:
+        failureAction: Enforce
         message: "The foo label must be set."
         pattern:
           metadata:
@@ -2266,7 +2265,6 @@ metadata:
   name: expiration
 spec:
   background: false
-  validationFailureAction: Enforce
   rules:
     - name: expire-jan-31
       match:
@@ -2280,6 +2278,7 @@ spec:
           operator: Equals
           value: true
       validate:
+        failureAction: Enforce
         message: "The foo label must be set."
         pattern:
           metadata:
@@ -2311,9 +2310,9 @@ kind: ClusterPolicy
 metadata:
   name: require-vulnerability-scan
 spec:
-  validationFailureAction: Enforce
-  webhookTimeoutSeconds: 20
-  failurePolicy: Fail
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 20
   rules:
     - name: scan-not-older-than-one-day
       match:
@@ -2324,6 +2323,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "ghcr.io/myorg/myrepo:*"
+        failureAction: Enforce
         attestations:
         - predicateType: cosign.sigstore.dev/attestation/vuln/v1
           attestors:
@@ -2364,7 +2364,6 @@ kind: ClusterPolicy
 metadata:
   name: automate-cleanup
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: cleanup
@@ -2421,7 +2420,6 @@ kind: ClusterPolicy
 metadata:
   name: automate-cleanup
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: cleanup
@@ -2520,7 +2518,6 @@ kind: ClusterPolicy
 metadata:
   name: time-since-demo
 spec:
-  validationFailureAction: Audit
   rules:
     - name: block-stale-images
       match:
@@ -2529,6 +2526,7 @@ spec:
             kinds:
             - Pod
       validate:
+        failureAction: Audit
         message: "Images built more than 6 months ago are prohibited."
         foreach:
         - list: "request.object.spec.containers"
@@ -2568,7 +2566,6 @@ kind: ClusterPolicy
 metadata:
   name: automate-cleanup
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: cleanup
@@ -2852,7 +2849,6 @@ metadata:
   name: verify-data-volume-image
 spec:
   background: false
-  validationFailureAction: Enforce
   rules:
     - name: verify-data-volume-image
       match:
@@ -2867,6 +2863,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "*"
+        failureAction: Enforce
         mutateDigest: true
         verifyDigest: true
         attestors:
@@ -3063,7 +3060,6 @@ kind: ClusterPolicy
 metadata:
   name: test-x509-decode
 spec:
-  validationFailureAction: Audit
   background: true
   rules:
   - name: test-x509-decode
@@ -3074,6 +3070,7 @@ spec:
           - ValidatingWebhookConfiguration
           - MutatingWebhookConfiguration
     validate:
+      failureAction: Audit
       message: "Certificate will expire in less than a week."
       deny:
         conditions:
diff --git a/content/en/docs/writing-policies/match-exclude.md b/content/en/docs/writing-policies/match-exclude.md
index d365e0547..33a227908 100644
--- a/content/en/docs/writing-policies/match-exclude.md
+++ b/content/en/docs/writing-policies/match-exclude.md
@@ -151,7 +151,6 @@ kind: ClusterPolicy
 metadata:
   name: require-labels
 spec:
-  validationFailureAction: Audit
   background: false
   rules:
   - name: check-for-labels
@@ -163,6 +162,7 @@ spec:
           operations:
           - CREATE
     validate:
+      failureAction: Audit
       message: "The label `app.kubernetes.io/name` is required."
       pattern:
         metadata:
@@ -239,11 +239,6 @@ This pattern can be leveraged to produce very fine-grained control over the sele
 
 ```yaml
 spec:
-  # validationFailureAction controls admission control behaviors,
-  # when a policy rule fails:
-  # - use 'Enforce' to block resource creation or modification
-  # - use 'Audit' to allow resource updates and report policy violations
-  validationFailureAction: Enforce
   # Each policy has a list of rules applied in declaration order
   rules:
     # Rules must have a unique name
@@ -403,7 +398,6 @@ A variation on the above sample, this snippet uses `any` and `all` statements to
 
 ```yaml
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: match-criticals-except-given-users
@@ -461,7 +455,6 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
 spec:
-  validationFailureAction: Audit
   background: false
   rules:
     - name: require-team
@@ -473,6 +466,7 @@ spec:
               operations:
               - CREATE
       validate:
+        failureAction: Audit
         message: 'The label `team` is required.'
         pattern:
           metadata:
@@ -487,6 +481,7 @@ spec:
               operations:
               - UPDATE
       validate:
+        failureAction: Audit
         message: 'The label `match` is required.'
         pattern:
           metadata:
diff --git a/content/en/docs/writing-policies/policy-settings.md b/content/en/docs/writing-policies/policy-settings.md
index 8609aace9..e98a2dfbe 100644
--- a/content/en/docs/writing-policies/policy-settings.md
+++ b/content/en/docs/writing-policies/policy-settings.md
@@ -13,7 +13,7 @@ A [policy](../kyverno-policies) contains one or more rules, and the following co
 
 * **background**: controls scanning of existing resources to find potential violations and generating Policy Reports. See the documentation [here](../policy-reports/background.md). Defaults to "true".
 
-* **failurePolicy**: defines the API server behavior if the webhook fails to respond. Allowed values are "Ignore" or "Fail". Defaults to "Fail". Additionally, if set to "Ignore" will allow failing calls to image registries to be ignored. This allows for rule types like verifyImages or others which use image data to not block if the registry is temporarily down, useful in situations where images already exist on the nodes.
+* **failurePolicy**: defines the API server behavior if the webhook fails to respond. Allowed values are "Ignore" or "Fail". Defaults to "Fail". Additionally, if set to "Ignore" will allow failing calls to image registries to be ignored. This allows for rule types like verifyImages or others which use image data to not block if the registry is temporarily down, useful in situations where images already exist on the nodes. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `webhookConfiguration.failurePolicy` instead.
 
 * **generateExisting**: applicable to generate rules only. Controls whether Kyverno should evaluate the policy the moment it is created. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `generateExisting` under the generate rule instead.
 
@@ -25,11 +25,11 @@ A [policy](../kyverno-policies) contains one or more rules, and the following co
 
 * **useServerSideApply**: controls whether to use server-side apply for generate rules. Defaults to `false`. If set to `true`, Kyverno will use server-side apply when generating resources allowing other controllers to know which fields Kyverno owns.
 
-* **validationFailureAction**: controls if a validation policy rule failure should block the admission review request (`Enforce`) or allow (`Audit`) the admission review request and report the policy failure in a policy report. Defaults to `Audit`.
+* **validationFailureAction**: controls if a validation policy rule failure should block the admission review request (`Enforce`) or allow (`Audit`) the admission review request and report the policy failure in a policy report. Defaults to `Audit`. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `failureAction` under the validate rule instead.
 
-* **validationFailureActionOverrides**: a ClusterPolicy attribute that specifies `validationFailureAction` Namespace-wise. It overrides `validationFailureAction` for the specified Namespaces.
+* **validationFailureActionOverrides**: a ClusterPolicy attribute that specifies `validationFailureAction` Namespace-wise. It overrides `validationFailureAction` for the specified Namespaces. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `failureActionOverrides` under the validate rule instead.
 
-* **webhookTimeoutSeconds**: specifies the maximum time in seconds allowed to apply this policy. The default timeout is 10s. The value must be between 1 and 30 seconds.
+* **webhookTimeoutSeconds**: specifies the maximum time in seconds allowed to apply this policy. The default timeout is 10s. The value must be between 1 and 30 seconds. This field is deprecated as of 1.13. Scheduled to be removed in a future version. Use `webhookConfiguration.timeoutSeconds` instead.
 
 {{% alert title="Tip" color="info" %}}
 Use `kubectl explain policy.spec` for command-line help on the policy schema.
diff --git a/content/en/docs/writing-policies/preconditions.md b/content/en/docs/writing-policies/preconditions.md
index cb1b6c3be..a4539b33c 100644
--- a/content/en/docs/writing-policies/preconditions.md
+++ b/content/en/docs/writing-policies/preconditions.md
@@ -101,7 +101,6 @@ kind: ClusterPolicy
 metadata:
   name: any-all-preconditions
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: any-all-rule
@@ -119,6 +118,7 @@ spec:
         operator: Equals
         value: busybox
     validate:
+      failureAction: Enforce
       message: "Busybox must be used based on this label combination."
       pattern:
         spec:
@@ -140,7 +140,6 @@ kind: ClusterPolicy
 metadata:
   name: any-all-preconditions
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: any-all-rule
@@ -165,6 +164,7 @@ spec:
         operator: Equals
         value: qa
     validate:
+      failureAction: Enforce
       message: "Foxes must be used based on this label combination."
       pattern:
         spec:
@@ -214,7 +214,6 @@ kind: ClusterPolicy
 metadata:
   name: resource-quantities
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: memory-limit
diff --git a/content/en/docs/writing-policies/tips.md b/content/en/docs/writing-policies/tips.md
index c51a5b5ad..ab87cf1b9 100644
--- a/content/en/docs/writing-policies/tips.md
+++ b/content/en/docs/writing-policies/tips.md
@@ -59,9 +59,9 @@ Depending on the level of detail needed, you may need to increase the log level.
 
 ## Validate
 
-* When developing your `validate` policies, it's easiest to set `validationFailureAction: Enforce` so when testing you can see the results immediately without having to look at a report.
+* When developing your `validate` policies, it's easiest to set `failureAction: Enforce` so when testing you can see the results immediately without having to look at a report.
 
-* Before deploying into production, ensure you have `validationFailureAction: Audit` so the policy doesn't have unintended consequences.
+* Before deploying into production, ensure you have `failureAction: Audit` so the policy doesn't have unintended consequences.
 
 * `validate` rules cannot counteract the other. For example, a rule written to ensure all images come from registry `reg.corp.com` and another rule written to ensure they do **not** come from `reg.corp.com` will effectively render all image pulls impossible and nothing will run. Where the rule is defined is irrelevant.
 
diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md
index 8ec815eb9..1b3f4e9e8 100644
--- a/content/en/docs/writing-policies/validate.md
+++ b/content/en/docs/writing-policies/validate.md
@@ -5,7 +5,7 @@ description: >
 weight: 30
 ---
 
-Validation rules are probably the most common and practical types of rules you will be working with, and the main use case for admission controllers such as Kyverno. In a typical validation rule, one defines the mandatory properties with which a given resource should be created. When a new resource is created by a user or process, the properties of that resource are checked by Kyverno against the validate rule. If those properties are validated, meaning there is agreement, the resource is allowed to be created. If those properties are different, the creation is blocked. The behavior of how Kyverno responds to a failed validation check is determined by the `validationFailureAction` field. It can either be blocked (`Enforce`) or allowed yet recorded in a [policy report](../policy-reports/) (`Audit`). Validation rules in `Audit` mode can also be used to get a report on matching resources which violate the rule(s), both upon initial creation and when Kyverno initiates periodic scans of Kubernetes resources. Resources in violation of an existing rule placed in `Audit` mode will also surface in an event on the resource in question.
+Validation rules are probably the most common and practical types of rules you will be working with, and the main use case for admission controllers such as Kyverno. In a typical validation rule, one defines the mandatory properties with which a given resource should be created. When a new resource is created by a user or process, the properties of that resource are checked by Kyverno against the validate rule. If those properties are validated, meaning there is agreement, the resource is allowed to be created. If those properties are different, the creation is blocked. The behavior of how Kyverno responds to a failed validation check is determined by the `failureAction` field. It can either be blocked (`Enforce`) or allowed yet recorded in a [policy report](../policy-reports/) (`Audit`). Validation rules in `Audit` mode can also be used to get a report on matching resources which violate the rule(s), both upon initial creation and when Kyverno initiates periodic scans of Kubernetes resources. Resources in violation of an existing rule placed in `Audit` mode will also surface in an event on the resource in question.
 
 To validate resource data, define a [pattern](#patterns) in the validation rule. For more advanced processing using tripartite expressions (key-operator-value), define a [deny](#deny-rules) element in the validation rule along with a set of conditions that control when to allow or deny the request.
 
@@ -21,8 +21,6 @@ metadata:
   name: require-ns-purpose-label
 # The `spec` defines properties of the policy.
 spec:
-  # The `validationFailureAction` tells Kyverno if the resource being validated should be allowed but reported (`Audit`) or blocked (`Enforce`).
-  validationFailureAction: Enforce
   # The `rules` is one or more rules which must be true.
   rules:
   - name: require-ns-purpose-label
@@ -34,6 +32,8 @@ spec:
           - Namespace
     # The `validate` statement tries to positively check what is defined. If the statement, when compared with the requested resource, is true, it is allowed. If false, it is blocked.
     validate:
+      # The `failureAction` tells Kyverno if the resource being validated should be allowed but reported (`Audit`) or blocked (`Enforce`).
+      failureAction: Enforce
       # The `message` is what gets displayed to a user if this rule fails validation.
       message: "You must have label `purpose` with value `production` set on all new namespaces."
       # The `pattern` object defines what pattern will be checked in the resource. In this case, it is looking for `metadata.labels` with `purpose=production`.
@@ -79,13 +79,17 @@ require-ns-purpose-label:
 
 Change the `development` value to `production` and try again. Kyverno permits creation of your new Namespace resource.
 
-## Validation Failure Action
+## Failure Action
 
-The `validationFailureAction` attribute controls admission control behaviors for resources that are not compliant with a policy. If the value is set to `Enforce`, resource creation or updates are blocked when the resource does not comply. When the value is set to `Audit`, a policy violation is logged in a `PolicyReport` or `ClusterPolicyReport` but the resource creation or update is allowed. For preexisting resources which violate a newly-created policy set to `Enforce` mode, Kyverno will allow subsequent updates to those resources which continue to violate the policy as a way to ensure no existing resources are impacted. However, should a subsequent update to the violating resource(s) make them compliant, any further updates which would produce a violation are blocked. This behaviour can be disabled using `validate.allowExistingViolations`, when `validate.allowExistingViolations` is set to `false` in an `Enforce` mode validate rule, updates to preexisting resources which violate that rule will be blocked.
+The `FailureAction` attribute controls admission control behaviors for resources that are not compliant with a policy. If the value is set to `Enforce`, resource creation or updates are blocked when the resource does not comply. When the value is set to `Audit`, a policy violation is logged in a `PolicyReport` or `ClusterPolicyReport` but the resource creation or update is allowed. For preexisting resources which violate a newly-created policy set to `Enforce` mode, Kyverno will allow subsequent updates to those resources which continue to violate the policy as a way to ensure no existing resources are impacted. However, should a subsequent update to the violating resource(s) make them compliant, any further updates which would produce a violation are blocked. This behaviour can be disabled using `validate.allowExistingViolations`, when `validate.allowExistingViolations` is set to `false` in an `Enforce` mode validate rule, updates to preexisting resources which violate that rule will be blocked.
 
-## Validation Failure Action Overrides
+{{% alert title="Warning" color="warning" %}}
+The field `spec.validationFailureAction` is deprecated and will be removed in a future release. Instead, use `spec.rules[*].validate[*].failureAction`.
+{{% /alert %}}
 
-Using `validationFailureActionOverrides`, you can specify which actions to apply per Namespace. This attribute is only available for ClusterPolicies.
+## Failure Action Overrides
+
+Using `failureActionOverrides`, you can specify which actions to apply per Namespace. This attribute is only available for ClusterPolicies.
 
 ```yaml
 apiVersion: kyverno.io/v1
@@ -93,14 +97,6 @@ kind: ClusterPolicy
 metadata:
   name: check-label-app
 spec:
-  validationFailureAction: Audit
-  validationFailureActionOverrides:
-    - action: Enforce     # Action to apply
-      namespaces:       # List of affected namespaces
-        - default
-    - action: Audit
-      namespaces:
-        - test
   rules:
     - name: check-label-app
       match:
@@ -109,6 +105,14 @@ spec:
             kinds:
             - Pod
       validate:
+        failureAction: Audit
+        failureActionOverrides:
+          - action: Enforce     # Action to apply
+            namespaces:       # List of affected namespaces
+              - default
+          - action: Audit
+            namespaces:
+              - test
         message: "The label `app` is required."
         pattern:
           metadata:
@@ -116,7 +120,11 @@ spec:
               app: "?*"
 ```
 
-In the above policy, for Namespace `default`, `validationFailureAction` is set to `Enforce` and for Namespace `test`, it's set to `Audit`. For all other Namespaces, the action defaults to the `validationFailureAction` field.
+In the above policy, for Namespace `default`, `failureAction` is set to `Enforce` and for Namespace `test`, it's set to `Audit`. For all other Namespaces, the action defaults to the `failureAction` field.
+
+{{% alert title="Warning" color="warning" %}}
+The field `spec.validationFailureActionOverrides` is deprecated and will be removed in a future release. Instead, use `spec.rules[*].validate[*].failureActionOverrides`.
+{{% /alert %}}
 
 ## Patterns
 
@@ -146,7 +154,6 @@ kind: ClusterPolicy
 metadata:
   name: all-containers-need-requests-and-limits
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: check-container-resources
     match:
@@ -155,6 +162,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "All containers must have CPU and memory resource requests and limits defined."
       pattern:
         spec:
@@ -181,7 +189,6 @@ kind: ClusterPolicy
 metadata:
   name: check-label-app
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: check-label-app
       match:
@@ -192,6 +199,7 @@ spec:
             - StatefulSet
             - DaemonSet
       validate:
+        failureAction: Enforce
         message: "The label `app` is required."
         pattern:
           spec:
@@ -235,7 +243,6 @@ kind: ClusterPolicy
 metadata:
   name: validate
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: validate-replica-count
       match:
@@ -244,6 +251,7 @@ spec:
             kinds:
             - Deployment
       validate:
+        failureAction: Enforce
         message: "Replica count for a Deployment must be greater than or equal to 2."
         pattern:
           spec:
@@ -274,7 +282,6 @@ kind: ClusterPolicy
 metadata:
   name: conditional-anchor-dockersock
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: conditional-anchor-dockersock
@@ -284,6 +291,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`."
       pattern:
         metadata:
@@ -305,7 +313,6 @@ kind: ClusterPolicy
 metadata:
   name: equality-anchor-no-dockersock
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: equality-anchor-no-dockersock
@@ -315,6 +322,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "If a hostPath volume exists, it must not be set to `/var/run/docker.sock`."
       pattern:
         =(spec):
@@ -341,7 +349,6 @@ kind: ClusterPolicy
 metadata:
   name: existence-anchor-at-least-one-nginx
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: existence-anchor-at-least-one-nginx
     match:
@@ -350,6 +357,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: "At least one container must use the image `nginx:latest`."
       pattern:
         spec:
@@ -381,7 +389,6 @@ kind: ClusterPolicy
 metadata:
   name: sample
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: check-container-image
     match:
@@ -390,6 +397,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: Images coming from corp.reg.com must use the correct imagePullSecret.
       pattern:
         spec:
@@ -438,7 +446,6 @@ metadata:
   name: require-run-as-non-root
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: check-containers
     match:
@@ -447,6 +454,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       message: >-
         Running as root is not allowed. The fields spec.securityContext.runAsNonRoot,
         spec.containers[*].securityContext.runAsNonRoot, and
@@ -542,7 +550,6 @@ kind: ClusterPolicy
 metadata:
   name: deny-deletes
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: block-deletes-for-kyverno-resources
@@ -557,6 +564,7 @@ spec:
       - clusterRoles:
         - cluster-admin
     validate:
+      failureAction: Enforce
       message: "Deleting {{request.oldObject.kind}}/{{request.oldObject.metadata.name}} is not allowed"
       deny:
         conditions:
@@ -576,7 +584,6 @@ kind: ClusterPolicy
 metadata:
   name: block-updates-to-custom-resource
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: block-updates-to-custom-resource
@@ -594,6 +601,7 @@ spec:
         - custom-controller:*
         - cluster-admin
     validate:
+      failureAction: Enforce
       message: "Modifying or deleting this custom resource is forbidden."
       deny: {}
 ```
@@ -608,7 +616,6 @@ kind: ClusterPolicy
 metadata:
   name: deny-netpol-changes
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: deny-netpol-changes
@@ -624,6 +631,7 @@ spec:
       - clusterRoles:
         - cluster-admin
     validate:
+      failureAction: Enforce
       message: "Changing default network policies is not allowed."
       deny: {}
 ```
@@ -664,7 +672,6 @@ kind: ClusterPolicy
 metadata:
   name: check-images
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: check-registry
@@ -679,6 +686,7 @@ spec:
         operator: NotEquals
         value: DELETE
     validate:
+      failureAction: Enforce
       message: "unknown registry"
       foreach:
       - list: "request.object.spec.initContainers"
@@ -703,7 +711,6 @@ kind: ClusterPolicy
 metadata:
   name: check-ingress
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
   - name: check-tls-secret-host
@@ -713,6 +720,7 @@ spec:
           kinds:
           - Ingress
     validate:
+      failureAction: Enforce
       message: "All TLS hosts must use a domain of old.com."
       foreach:
       - list: request.object.spec.tls[]
@@ -816,7 +824,6 @@ kind: ClusterPolicy
 metadata:
   name: validate-secrets
 spec:
-  validationFailureAction: Enforce
   background: true
   rules:
     - name: validate-secrets
@@ -826,6 +833,7 @@ spec:
             kinds:
               - Secret
       validate:
+        failureAction: Enforce
         manifests:
           attestors:
           - count: 1
@@ -873,7 +881,6 @@ kind: ClusterPolicy
 metadata:
   name: validate-deployment
 spec:
-  validationFailureAction: Enforce
   background: true
   rules:
     - name: validate-deployment
@@ -883,6 +890,7 @@ spec:
             kinds:
               - Deployment
       validate:
+        failureAction: Enforce
         manifests:
           attestors:
           - count: 1
@@ -937,7 +945,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: baseline
     match:
@@ -946,6 +953,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: baseline
         version: latest
@@ -990,7 +998,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: restricted
     match:
@@ -999,6 +1006,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: restricted
         version: latest
@@ -1045,7 +1053,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: baseline
     match:
@@ -1054,6 +1061,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: baseline
         version: latest
@@ -1086,7 +1094,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: restricted
     match:
@@ -1095,6 +1102,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: restricted
         version: latest
@@ -1156,7 +1164,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
   - name: restricted
     match:
@@ -1165,6 +1172,7 @@ spec:
           kinds:
           - Pod
     validate:
+      failureAction: Enforce
       podSecurity:
         level: restricted
         version: latest
@@ -1214,7 +1222,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
     - name: baseline
       match:
@@ -1223,6 +1230,7 @@ spec:
               kinds:
                 - Pod
       validate:
+        failureAction: Enforce
         podSecurity:
           level: baseline
           version: latest
@@ -1279,7 +1287,6 @@ metadata:
   name: psa
 spec:
   background: true
-  validationFailureAction: Enforce
   rules:
     - name: baseline
       match:
@@ -1288,6 +1295,7 @@ spec:
             kinds:
             - Pod
       validate:
+        failureAction: Enforce
         podSecurity:
           level: baseline
           version: latest
@@ -1388,7 +1396,6 @@ kind: ClusterPolicy
 metadata:
   name: check-deployment-replicas
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: check-deployment-replicas
@@ -1398,13 +1405,14 @@ spec:
             kinds:
               - Deployment
       validate:
+        failureAction: Enforce
         cel:
           expressions:
             - expression: "object.spec.replicas < 4"
               message:  "Deployment spec.replicas must be less than 4."
 ```
 
-The `cel.expressions` contains CEL expressions which use the [Common Expression Language (CEL)](https://github.com/google/cel-spec) to validate the request. If an expression evaluates to false, the validation check is enforced according to the `spec.validationFailureAction` field.
+The `cel.expressions` contains CEL expressions which use the [Common Expression Language (CEL)](https://github.com/google/cel-spec) to validate the request. If an expression evaluates to false, the validation check is enforced according to the `validate[*].failureAction` field.
 
 {{% alert title="Note" color="info" %}}
 You can quickly test CEL expressions in the [CEL Playground](https://playcel.undistro.io/).
@@ -1429,7 +1437,6 @@ kind: ClusterPolicy
 metadata:
   name: check-statefulset-namespace
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: statefulset-namespace
@@ -1439,6 +1446,7 @@ spec:
             kinds:
               - StatefulSet
       validate:
+        failureAction: Enforce
         cel:
           expressions:
             - expression: "namespaceObject.metadata.name == 'production'"
@@ -1530,7 +1538,6 @@ kind: ClusterPolicy
 metadata:
   name: check-deployment-replicas
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: check-deployment-replicas
@@ -1540,6 +1547,7 @@ spec:
             kinds:
               - Deployment
       validate:
+        failureAction: Enforce
         cel:
           paramKind: 
             apiVersion: rules.example.com/v1
@@ -1643,7 +1651,6 @@ kind: ClusterPolicy
 metadata:
   name: image-matches-namespace-environment.policy.example.com
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: image-matches-namespace-environment
@@ -1653,6 +1660,7 @@ spec:
             kinds:
               - Deployment
       validate:
+        failureAction: Enforce
         cel:
           variables:
             - name: environment
@@ -1765,7 +1773,6 @@ kind: ClusterPolicy
 metadata:
   name: disallow-host-path
 spec:
-  validationFailureAction: Enforce
   background: false
   rules:
     - name: host-path
@@ -1775,6 +1782,7 @@ spec:
             kinds:
               - Deployment
       validate:
+        failureAction: Enforce
         cel:
           expressions:
             - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
diff --git a/content/en/docs/writing-policies/variables.md b/content/en/docs/writing-policies/variables.md
index 4b1ab639e..f77f75496 100644
--- a/content/en/docs/writing-policies/variables.md
+++ b/content/en/docs/writing-policies/variables.md
@@ -36,7 +36,6 @@ Kyverno policy definitions can refer to other fields in the policy definition as
 In order for Kyverno to refer to these existing values in a manifest, it uses the notation `$(./../key_1/key_2)`. This may look familiar as it is essentially the same way Linux/Unix systems refer to relative paths. For example, consider the policy manifest snippet below.
 
 ```yaml
-validationFailureAction: Enforce
 rules:
 - name: check-tcpSocket
   match:
@@ -45,6 +44,7 @@ rules:
         kinds:
         - Pod
   validate:
+    failureAction: Enforce
     message: "Port number for the livenessProbe must be less than that of the readinessProbe."
     pattern:
       spec:
diff --git a/content/en/docs/writing-policies/verify-images/notary/_index.md b/content/en/docs/writing-policies/verify-images/notary/_index.md
index 1d1e816e4..d3832233a 100644
--- a/content/en/docs/writing-policies/verify-images/notary/_index.md
+++ b/content/en/docs/writing-policies/verify-images/notary/_index.md
@@ -78,9 +78,9 @@ kind: ClusterPolicy
 metadata:
   name: check-image-notary
 spec:
-  validationFailureAction: Enforce
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   rules:
     - name: verify-signature-notary
       match:
@@ -92,6 +92,7 @@ spec:
       - type: Notary
         imageReferences:
         - "ghcr.io/kyverno/test-verify-image*"
+        failureAction: Enforce
         attestors:
         - count: 1
           entries:
@@ -200,9 +201,9 @@ kind: ClusterPolicy
 metadata:
   name: check-image-attestation
 spec:
-  validationFailureAction: Enforce
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   rules:
     - name: verify-attestation-notary
       match:
@@ -219,6 +220,7 @@ spec:
       - type: Notary
         imageReferences:
           - "ghcr.io/kyverno/test-verify-image*"
+        failureAction: Enforce
         attestations:
           - type: sbom/cyclone-dx
             attestors:
diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
index 4703703b8..971dbdc09 100644
--- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md
+++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -23,10 +23,10 @@ kind: ClusterPolicy
 metadata:
   name: check-image
 spec:
-  validationFailureAction: Enforce
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   background: false
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail
   rules:
     - name: check-image
       match:
@@ -37,6 +37,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "ghcr.io/kyverno/test-verify-image*"
+        failureAction: Enforce
         attestors:
         - count: 1
           entries:
@@ -142,9 +143,9 @@ kind: ClusterPolicy
 metadata:
   name: exclude-refs
 spec:
-  validationFailureAction: Enforce
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail  
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   rules:
     - name: exclude-refs
       match:
@@ -157,6 +158,7 @@ spec:
         - "ghcr.io/*"
         skipImageReferences:
         - "ghcr.io/trusted/*"
+        failureAction: Enforce 
         attestors:
         - count: 1
           entries:
@@ -242,10 +244,10 @@ kind: ClusterPolicy
 metadata:
   name: attest-code-review
 spec:
-  validationFailureAction: Enforce
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   background: false
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail
   rules:
     - name: attest
       match:
@@ -256,6 +258,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "registry.io/org/app*"
+        failureAction: Enforce
         attestations:
           - predicateType: https://example.com/CodeReview/v1
             attestors:
@@ -345,7 +348,6 @@ kind: ClusterPolicy
 metadata:
   name: check-image
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: verify-signature
       match:
@@ -356,6 +358,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "ghcr.io/kyverno/test-verify-image:signed-cert"
+        failureAction: Enforce
         attestors:
         - entries:
           - certificates:
@@ -416,7 +419,6 @@ kind: ClusterPolicy
 metadata:
   name: check-image
 spec:
-  validationFailureAction: Enforce
   rules:
     - name: verify-signature
       match:
@@ -427,6 +429,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "ghcr.io/kyverno/test-verify-image:signed-cert"
+        failureAction: Enforce
         attestors:
         - entries:
           - certificates:
@@ -485,8 +488,8 @@ kind: ClusterPolicy
 metadata:
   name: check-image-keyless
 spec:
-  validationFailureAction: Enforce
-  webhookTimeoutSeconds: 30
+  webhookConfiguration:
+    timeoutSeconds: 30
   rules:
     - name: check-image-keyless
       match:
@@ -497,6 +500,7 @@ spec:
       verifyImages:
       - imageReferences:
         - "ghcr.io/kyverno/test-verify-image:signed-keyless"
+        failureAction: Enforce
         attestors:
         - entries:
           - keyless:
@@ -645,10 +649,10 @@ kind: ClusterPolicy
 metadata:
   name: check-image
 spec:
-  validationFailureAction: Enforce
   background: false
-  webhookTimeoutSeconds: 30
-  failurePolicy: Fail
+  webhookConfiguration:
+    failurePolicy: Fail
+    timeoutSeconds: 30
   rules:
     - name: check-image
       match:
@@ -659,6 +663,7 @@ spec:
       verifyImages:
       - imageReferences: 
         - ghcr.io/myorg/myimage*
+        failureAction: Enforce
         attestors:
         - entries:
           - keys: 
@@ -898,7 +903,6 @@ kind: ClusterPolicy
 metadata:
   name: signed-task-image
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: check-signature
     match:
@@ -915,6 +919,7 @@ spec:
     verifyImages:
     - imageReferences:
       - "*"
+      failureAction: Enforce
       required: false
       attestors:
       - entries:
@@ -934,7 +939,6 @@ kind: ClusterPolicy
 metadata:
   name: signed-pipeline-bundle
 spec:
-  validationFailureAction: Enforce
   rules:
   - name: check-signature
     match:
@@ -951,6 +955,7 @@ spec:
     verifyImages:
     - imageReferences:
       - "*"
+      failureAction: Enforce
       attestors:
       - entries:
         - keys: 

From 86cd83f0f88d2198d283f9363d9cd07a49424b16 Mon Sep 17 00:00:00 2001
From: Ammar Yasser <aerosound161@gmail.com>
Date: Mon, 28 Oct 2024 02:21:32 +0300
Subject: [PATCH 33/59] docs: Show an example for selecting targets with labels
 (#1373)

Signed-off-by: aerosouund <aerosound161@gmail.com>
---
 content/en/docs/writing-policies/mutate.md | 28 ++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/content/en/docs/writing-policies/mutate.md b/content/en/docs/writing-policies/mutate.md
index bfd9e7403..7a7763b2c 100644
--- a/content/en/docs/writing-policies/mutate.md
+++ b/content/en/docs/writing-policies/mutate.md
@@ -498,6 +498,34 @@ Installation of a mutate existing policy affects the `ValidatingWebhookConfigura
 
 When defining a list of `targets[]`, the fields `name` and `namespace` are not strictly required but encouraged. If omitted, it implies a wildcard (`"*"`) for the omitted field which can have unintended impact on other resources.
 
+Target resources can also be selected using label selectors. The below policy example shows a policy that matches `ConfigMaps` with a label `should-match=yes` on `Secret` events.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mutate-existing-configmap
+spec:
+  rules:
+    - name: mutate-configmap-on-secret-event
+      match:
+        any:
+        - resources:
+            kinds:
+            - Secret
+      mutate:
+        targets:
+        - apiVersion: v1
+          kind: ConfigMap
+          selector:
+            matchLabels:
+              should-match: 'yes'
+        patchStrategicMerge:
+          metadata:
+            labels:
+              foo: bar
+```
+
 In order to more precisely control the target resources, mutate existing rules support both [context variables](external-data-sources.md) and [preconditions](preconditions.md). Preconditions which occur inside the `targets[]` array must use the target prefix as described [below](#variables-referencing-target-resources).
 
 This sample below illustrates how to combine preconditions and conditional anchors within `targets[]` to precisely select the desired existing resources for mutation. This policy restarts existing Deployments if they are consuming a Secret that has been updated assigned label `kyverno.io/watch: "true"` AND have a name beginning with `testing-`.

From e2f15333b1b99f8ae5a46f1f4979bd38964e84f1 Mon Sep 17 00:00:00 2001
From: Arturo Borrero Gonzalez <arturo.bg@arturo.bg>
Date: Mon, 28 Oct 2024 00:22:14 +0100
Subject: [PATCH 34/59] =?UTF-8?q?docs:=20installation:=20scaling:=20mentio?=
 =?UTF-8?q?n=20kubernetes=20core=20components=20resou=E2=80=A6=20(#1295)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docs: installation: scaling: mention kubernetes core components resources footprint

Introduce a mention to how many kyverno resources may impact the
kubernetes core components regarding their resources footprint.

See also: https://github.com/kyverno/kyverno/issues/10458

Signed-off-by: Arturo Borrero Gonzalez <aborrero@wikimedia.org>
Co-authored-by: Arturo Borrero Gonzalez <aborrero@wikimedia.org>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/installation/scaling.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/content/en/docs/installation/scaling.md b/content/en/docs/installation/scaling.md
index a68d9b55a..219233e38 100644
--- a/content/en/docs/installation/scaling.md
+++ b/content/en/docs/installation/scaling.md
@@ -81,3 +81,10 @@ API requests, operations, and activities which match corresponding Kyverno rules
 | DELETE    | ConfigMap  |                                     |                    1 |
 
 These figures were captured using K3d v5.4.9 on Kubernetes v1.26.2 and Kyverno 1.10.0-alpha.2 with a 3-replica admission controller. When testing against KinD, there may be one less DELETE AdmissionReview for Pod-related operations.
+
+### Kubernetes api-server and etcd resource footprint
+
+In clusters with many Kyverno policy resources, the resource footprint of some core Kubernetes components may be affected, in particular the kube-apiserver and etcd.
+
+For example, if you create several thousand Kyverno policy resources, double check that the kube-apiserver pods have head room to increase its memory allocations, otherwise
+the cluster may crash entirely.

From 647765ba0381a4f8f08b511b9684d03826a1f520 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Mon, 28 Oct 2024 02:23:04 +0300
Subject: [PATCH 35/59] docs: use v2 for cleanup policies and exceptions
 (#1372)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/kyverno-cli/usage/apply.md     | 2 +-
 content/en/docs/kyverno-cli/usage/test.md      | 2 +-
 content/en/docs/writing-policies/cleanup.md    | 2 +-
 content/en/docs/writing-policies/exceptions.md | 8 ++++----
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/content/en/docs/kyverno-cli/usage/apply.md b/content/en/docs/kyverno-cli/usage/apply.md
index 66bfe29f2..1e1bc1e5c 100644
--- a/content/en/docs/kyverno-cli/usage/apply.md
+++ b/content/en/docs/kyverno-cli/usage/apply.md
@@ -724,7 +724,7 @@ spec:
 Policy Exception manifest (`exception.yaml`):
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: container-exception
diff --git a/content/en/docs/kyverno-cli/usage/test.md b/content/en/docs/kyverno-cli/usage/test.md
index 04b775050..f60590e49 100644
--- a/content/en/docs/kyverno-cli/usage/test.md
+++ b/content/en/docs/kyverno-cli/usage/test.md
@@ -568,7 +568,7 @@ spec:
 Policy Exception manifest (`delta-exception.yaml`):
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: delta-exception
diff --git a/content/en/docs/writing-policies/cleanup.md b/content/en/docs/writing-policies/cleanup.md
index 8fba6ad83..ac858b68d 100644
--- a/content/en/docs/writing-policies/cleanup.md
+++ b/content/en/docs/writing-policies/cleanup.md
@@ -18,7 +18,7 @@ Since cleanup policies always operate against existing resources in a cluster, p
 An example ClusterCleanupPolicy is shown below. This cleanup policy removes Deployments which have the label `canremove: "true"` if they have less than two replicas on a schedule of every 5 minutes.
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: ClusterCleanupPolicy
 metadata:
   name: cleandeploy
diff --git a/content/en/docs/writing-policies/exceptions.md b/content/en/docs/writing-policies/exceptions.md
index 0b16c5989..fdb51aa02 100644
--- a/content/en/docs/writing-policies/exceptions.md
+++ b/content/en/docs/writing-policies/exceptions.md
@@ -59,7 +59,7 @@ Auto-generated rules for Pod controllers must be specified along with the Pod co
 {{% /alert %}}
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: delta-exception
@@ -198,7 +198,7 @@ spec:
 In this use case, all Pods in the `delta` Namespace need to run as a root. A PolicyException can be used to exempt all Pods whose Namespace is `delta` from the policy by excluding the `runAsNonRoot` control.
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: pod-security-exception
@@ -247,7 +247,7 @@ PolicyExceptions `podSecurity{}` block has the same functionality as the [valida
 For example, the following PolicyException exempts the containers running either the `nginx` or `redis` image from following the Capabilities control.
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: pod-security-exception
@@ -278,7 +278,7 @@ In this case, the `podSecurity.restrictedField` can be used to enforce the entir
 The following PolicyException grants an exemption to the `initContainers` that use Istio or Linkerd images, allowing them to bypass the `Capabilities` control. This is achieved by permitting the values of `NET_ADMIN` and `NET_RAW` in the `securityContext.capabilities.add` field.
 
 ```yaml
-apiVersion: kyverno.io/v2beta1
+apiVersion: kyverno.io/v2
 kind: PolicyException
 metadata:
   name: pod-security-exception

From 9d433cea6924ab36de11d8489a2186fee5ab2701 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 27 Oct 2024 23:01:52 -0700
Subject: [PATCH 36/59] update products (#1393)

* update products

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix link

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 .../verify-images/sigstore/_index.md                |  2 +-
 content/en/support/aws/_index.md                    | 10 ----------
 content/en/support/redhat/_index.md                 | 13 -------------
 3 files changed, 1 insertion(+), 24 deletions(-)
 delete mode 100644 content/en/support/aws/_index.md
 delete mode 100644 content/en/support/redhat/_index.md

diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
index 971dbdc09..5886bdda8 100644
--- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md
+++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -510,7 +510,7 @@ spec:
                 url: https://rekor.sigstore.dev
 ```
 
-The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/signing/overview/) with regular expressions for subject and issuer:
+The following policy verifies an image signed using [keyless signing](https://docs.sigstore.dev/cosign/signing/overview/) with regular expressions for subject and issuer:
 
 ```yaml
 apiVersion: kyverno.io/v1
diff --git a/content/en/support/aws/_index.md b/content/en/support/aws/_index.md
deleted file mode 100644
index 399b5e3f0..000000000
--- a/content/en/support/aws/_index.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: "Amazon EKS"
-linkTitle: "Amazon EKS"
-description: "Managed Kubernetes on Amazon Web Services"
-type: docs
----
-
-Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that makes it easy for you to run Kubernetes on Amazon Web Services (AWS) without needing to install and operate your own Kubernetes clusters.
-
-The Nirmata Kyverno enterprise distribution and Kubernetes governance platform are available in the [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=e3783cfb-7d53-4c0d-a30e-b7e8c9d21ece).
diff --git a/content/en/support/redhat/_index.md b/content/en/support/redhat/_index.md
deleted file mode 100644
index a52115952..000000000
--- a/content/en/support/redhat/_index.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: "Red Hat OpenShift"
-linkTitle: "Red Hat OpenShift"
-description: "Kubernetes management platform"
-type: docs
----
-
-OpenShift is a family of containerization software products developed by Red Hat. Its flagship product is the OpenShift Container Platform — a hybrid cloud platform as a service built around Linux containers orchestrated and managed by Kubernetes on a foundation of Red Hat Enterprise Linux.
-
-Kyverno policy sets are supported as part of [Red Hat Advanced Cluster Management](https://access.redhat.com/products/red-hat-advanced-cluster-management-for-kubernetes) and [Red Hat OpenShift Platform Plus](https://www.redhat.com/en/technologies/cloud-computing/openshift/platform-plus).
-
-Additional details:
-* [Red Hat Drives Greater Consistency and Management Across the Hybrid Cloud with Latest Version of OpenShift Platform Plus](https://www.redhat.com/en/about/press-releases/red-hat-drives-greater-consistency-and-management-across-the-hybrid-cloud-with-latest-version-of-openshift-platform-plus)

From 16d64e44b8baf473fcac4082e86858d6d6398abb Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 27 Oct 2024 23:02:46 -0700
Subject: [PATCH 37/59] Docs for 1.13 upgrade (#1394)

* document breaking changes

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* document breaking changes

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

---------

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/installation/customization.md |  2 +-
 content/en/docs/installation/methods.md       |  2 +-
 content/en/docs/installation/upgrading.md     | 59 ++++++++++++++++++-
 3 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md
index aae4919ee..55c022030 100644
--- a/content/en/docs/installation/customization.md
+++ b/content/en/docs/installation/customization.md
@@ -203,7 +203,7 @@ kyverno:reports-controller:core    |  --          | --
 
 
 {{% alert title="Note" color="info" %}}
-The Kyverno admission, background, and reports controller have a role binding to the built-in `view` role. This allows these Kyverno controllers view access to most namespaced resources. You can customize this role during Helm installation using variables like `admissionController.rbac.viewRoleName`. 
+The Kyverno admission, background, and reports controller have a role binding to the built-in `view` role. This allows these Kyverno controllers view access to most namespaced resources. You can customize this role during Helm installation using the variables `admissionController.rbac.viewRoleName`, `backgroundController.rbac.viewRoleName`, and `reportsController.rbac.viewRoleName`.
 {{% /alert %}}
 
 #### Customizing Permissions
diff --git a/content/en/docs/installation/methods.md b/content/en/docs/installation/methods.md
index 5d57e84e6..0f7c06895 100644
--- a/content/en/docs/installation/methods.md
+++ b/content/en/docs/installation/methods.md
@@ -51,7 +51,7 @@ reportsController:
   replicas: 3
 ```
 
-For all of the available values and their defaults, please see the Helm chart [README](https://github.com/kyverno/kyverno/tree/release-1.10/charts/kyverno). You should carefully inspect all available chart values and their defaults to determine what overrides, if any, are necessary to meet the particular needs of your production environment.
+For all of the available values and their defaults, please see the Helm chart [README](https://github.com/kyverno/kyverno/tree/release-1.13/charts/kyverno). You should carefully inspect all available chart values and their defaults to determine what overrides, if any, are necessary to meet the particular needs of your production environment.
 
 {{% alert title="Note" color="warning" %}}
 All Kyverno installations require the admission controller be among the controllers deployed. For a highly-available installation, at least 2 or more replicas are required. Based on scalability requirements, and cluster topology, additional replicas can be configured for each controller.
diff --git a/content/en/docs/installation/upgrading.md b/content/en/docs/installation/upgrading.md
index 52c2e1818..864c73332 100644
--- a/content/en/docs/installation/upgrading.md
+++ b/content/en/docs/installation/upgrading.md
@@ -16,4 +16,61 @@ Direct upgrades from previous versions are not supported when using the YAML man
 
 ### Upgrade Kyverno with Helm
 
-An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher using Helm requires manual intervention and cannot be performed via a direct upgrade process. Please see the 1.10 migration guide [here](https://github.com/kyverno/kyverno/blob/release-1.10/charts/kyverno/README.md#migrating-from-v2-to-v3) for more complete information.
+An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher using Helm requires manual intervention and cannot be performed via a direct upgrade process. Please see the 1.10 migration guide [here](https://githubviewRoleName.com/kyverno/kyverno/blob/release-1.13/charts/kyverno/README.md#migrating-from-v2-to-v3) for more complete information.
+
+
+## Upgrading to Kyverno v1.13
+
+Kyverno version 1.13 contains the following breaking configuration changes:
+
+1. **Removal of wildcard permissions**: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default `view` role was added. See the documentation section on [Role Based Access Controls](./customization.md#role-based-access-controls) for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the these controller may no longer be able to view these custom resources.
+
+To upgrade to 1.13 and continue to allow wildcard view permissions for all Kyverno controllers, use a Helm values file that grants these permissions as specified below:
+
+```yaml
+admissionController:
+  clusterRole:
+    extraResources:
+      - apiGroups:
+          - '*'
+        resources:
+          - '*'
+        verbs:
+          - get
+          - list
+          - watch
+backgroundController:
+  clusterRole:
+    extraResources:
+      - apiGroups:
+          - '*'
+        resources:
+          - '*'
+        verbs:
+          - get
+          - list
+          - watch
+reportsController:
+  clusterRole:
+    extraResources:
+      - apiGroups:
+          - '*'
+        resources:
+          - '*'
+        verbs:
+          - get
+          - list
+          - watch
+```
+
+**NOTE**: using wildcard permissions is not recommended. Use explicit permissions instead.
+
+2. **Default exception settings**: the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See **CVE-2024-48921** for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces.
+
+To maintain backwards compatibility, you can configure the Helm chart values to allow the same settings as the prior version. To upgrade to 1.13 and continue to allow configuring exceptions in all namespaces, set the Helm value `features.policyExceptions.namespace` to `*`:
+
+```sh
+helm upgrade kyverno kyverno/kyverno -n kyverno --set features.policyExceptions.enabled=true --set features.policyExceptions.namespace="*"
+```
+
+**NOTE**: limiting exceptions to a specific namespace is recommended.

From 66ad8540d0509662ddd12d23735c9ccd103347a3 Mon Sep 17 00:00:00 2001
From: Mariam Fahmy <mariamfahmy66@gmail.com>
Date: Mon, 28 Oct 2024 14:21:17 +0300
Subject: [PATCH 38/59] chore: add docs for disabling exceptions by default
 (#1395)

Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
---
 content/en/docs/installation/customization.md  | 4 ++--
 content/en/docs/writing-policies/exceptions.md | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/installation/customization.md b/content/en/docs/installation/customization.md
index 55c022030..6f9965fb9 100644
--- a/content/en/docs/installation/customization.md
+++ b/content/en/docs/installation/customization.md
@@ -372,11 +372,11 @@ The following flags can be used to control the advanced behavior of the various
 | `eventsRateLimitQPS` (ABCR) | 1000 | Configures the maximum QPS to the API server from Kyverno for events. Uses the client default if zero. |
 | `enableConfigMapCaching` (ABR) | true | Enables the ConfigMap caching feature. |
 | `enableDeferredLoading` (A) | true | Enables deferred (lazy) loading of variables (1.10.1+). Set to `false` to disable deferred loading of variables which was the default behavior in versions < 1.10.0. |
-| `enablePolicyException` (ABR) | true | Set to `true` to enable the [PolicyException capability](../writing-policies/exceptions.md). |
+| `enablePolicyException` (ABR) | false | Set to `true` to enable the [PolicyException capability](../writing-policies/exceptions.md). |
 | `enableReporting` (ABCR) | validate,mutate,mutateExisting,generate,imageVerify | Comma separated list to enables reporting for different rule types. (validate,mutate,mutateExisting,generate,imageVerify) |
 | `enableTracing` (ABCR) | false | Set to enable exposing traces. |
 | `enableTuf` (AR) | | Enable tuf for private sigstore deployments. |
-| `exceptionNamespace` (ABR) | | Set to the name of a Namespace where [PolicyExceptions](../writing-policies/exceptions.md) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If not set, PolicyExceptions from all Namespaces will be considered. Implies the `enablePolicyException` flag is set to `true`. Neither wildcards nor multiple Namespaces are currently accepted. |
+| `exceptionNamespace` (ABR) | | Set to the name of a Namespace where [PolicyExceptions](../writing-policies/exceptions.md) will only be permitted. PolicyExceptions created in any other Namespace will throw a warning. If set to "*", PolicyExceptions from all Namespaces will be accepted. Note that wildcards and multiple Namespace entries are not supported. It is required if the `enablePolicyException` flag is set to true. |
 | `forceFailurePolicyIgnore` (A) | false | Set to force Failure Policy to `Ignore`. |
 | `generateValidatingAdmissionPolicy` (A) | false | Specifies whether to enable generating Kubernetes ValidatingAdmissionPolicies. |
 | `genWorkers` (B) | 10 | The number of workers for processing generate policies concurrently. |
diff --git a/content/en/docs/writing-policies/exceptions.md b/content/en/docs/writing-policies/exceptions.md
index fdb51aa02..0d6dd868c 100644
--- a/content/en/docs/writing-policies/exceptions.md
+++ b/content/en/docs/writing-policies/exceptions.md
@@ -5,6 +5,11 @@ description: >
 weight: 80
 ---
 
+{{% alert title="Warning" color="warning" %}}
+PolicyExceptions are disabled by default. To enable them, set the `enablePolicyException` flag to `true`. When enabling PolicyExceptions, you must also specify which namespaces they can be used in by setting the `exceptionNamespace` flag. 
+For more information, see [Container Flags](../installation/customization.md#container-flags).
+{{% /alert %}}
+
 Although Kyverno policies contain multiple methods to provide fine-grained control as to which resources they act upon in the form of [`match`/`exclude` blocks](match-exclude.md#match-statements), [preconditions](preconditions.md) at multiple hierarchies, [anchors](validate.md#anchors), and more, all these mechanisms have in common that the resources which they are intended to exclude must occur in the same rule definition. This may be limiting in situations where policies may not be directly editable, or doing so imposes an operational burden.
 
 For example, in organizations where multiple teams must interact with the same cluster, a team responsible for policy authoring and administration may not be the same team responsible for submission of resources. In these cases, it can be advantageous to decouple the policy definition from certain exclusions. Additionally, there are often times where an organization or team must allow certain exceptions which would violate otherwise valid rules but on a one-time basis if the risks are known and acceptable.

From 85408591ff34a24a5c7ceec5b768edc64e7485f1 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Mon, 28 Oct 2024 21:13:17 +0530
Subject: [PATCH 39/59] feat: Documentation for TSA cert chain support for
 cosign in verify images rules (#1396)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 .../verify-images/sigstore/_index.md          | 80 +++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/content/en/docs/writing-policies/verify-images/sigstore/_index.md b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
index 5886bdda8..d6bcdd461 100644
--- a/content/en/docs/writing-policies/verify-images/sigstore/_index.md
+++ b/content/en/docs/writing-policies/verify-images/sigstore/_index.md
@@ -886,6 +886,86 @@ verifyImages:
           -----END PUBLIC KEY-----
 ```
 
+## Using a Custom TSA cert chain
+Cosign accepts custom timestamping authorities during image signing. To verify images signed with custom TSA, Use `ctlog.tsaCertChain` field to provide cert chain of the custom TSA.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: keyed-tsa-policy
+spec:
+  background: false
+  failurePolicy: Fail
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: keyed-tsa-rule
+    verifyImages:
+    - attestors:
+      - entries:
+        - keys:
+            publicKeys: |-
+              -----BEGIN PUBLIC KEY-----
+              MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEstG5Xl7UxkQsmLUxdmS85HLgYBFy
+              c/P/oQ22iazkKm8P0sNlaZiaZC4TSEea3oh2Pim0+wxSubhKoK+7jq9Egg==
+              -----END PUBLIC KEY-----
+            ctlog:
+              tsaCertChain: |-
+                -----BEGIN CERTIFICATE-----
+                MIIH/zCCBeegAwIBAgIJAMHphhYNqOmAMA0GCSqGSIb3DQEBDQUAMIGVMREwDwYD
+                VQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9vdCBDQTEYMBYGA1UEAxMPd3d3LmZy
+                ZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNidXNpbGV6YXNAZ21haWwuY29tMRIw
+                EAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgTBkJheWVybjELMAkGA1UEBhMCREUw
+                HhcNMTYwMzEzMDE1MjEzWhcNNDEwMzA3MDE1MjEzWjCBlTERMA8GA1UEChMIRnJl
+                ZSBUU0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9y
+                ZzEiMCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJ
+                V3VlcnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFMIICIjANBgkq
+                hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtgKODjAy8REQ2WTNqUudAnjhlCrpE6ql
+                mQfNppeTmVvZrH4zutn+NwTaHAGpjSGv4/WRpZ1wZ3BRZ5mPUBZyLgq0YrIfQ5Fx
+                0s/MRZPzc1r3lKWrMR9sAQx4mN4z11xFEO529L0dFJjPF9MD8Gpd2feWzGyptlel
+                b+PqT+++fOa2oY0+NaMM7l/xcNHPOaMz0/2olk0i22hbKeVhvokPCqhFhzsuhKsm
+                q4Of/o+t6dI7sx5h0nPMm4gGSRhfq+z6BTRgCrqQG2FOLoVFgt6iIm/BnNffUr7V
+                DYd3zZmIwFOj/H3DKHoGik/xK3E82YA2ZulVOFRW/zj4ApjPa5OFbpIkd0pmzxzd
+                EcL479hSA9dFiyVmSxPtY5ze1P+BE9bMU1PScpRzw8MHFXxyKqW13Qv7LWw4sbk3
+                SciB7GACbQiVGzgkvXG6y85HOuvWNvC5GLSiyP9GlPB0V68tbxz4JVTRdw/Xn/XT
+                FNzRBM3cq8lBOAVt/PAX5+uFcv1S9wFE8YjaBfWCP1jdBil+c4e+0tdywT2oJmYB
+                BF/kEt1wmGwMmHunNEuQNzh1FtJY54hbUfiWi38mASE7xMtMhfj/C4SvapiDN837
+                gYaPfs8x3KZxbX7C3YAsFnJinlwAUss1fdKar8Q/YVs7H/nU4c4Ixxxz4f67fcVq
+                M2ITKentbCMCAwEAAaOCAk4wggJKMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQD
+                AgHGMB0GA1UdDgQWBBT6VQ2MNGZRQ0z357OnbJWveuaklzCBygYDVR0jBIHCMIG/
+                gBT6VQ2MNGZRQ0z357OnbJWveuakl6GBm6SBmDCBlTERMA8GA1UEChMIRnJlZSBU
+                U0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9yZzEi
+                MCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJV3Vl
+                cnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFggkAwemGFg2o6YAw
+                MwYDVR0fBCwwKjAooCagJIYiaHR0cDovL3d3dy5mcmVldHNhLm9yZy9yb290X2Nh
+                LmNybDCBzwYDVR0gBIHHMIHEMIHBBgorBgEEAYHyJAEBMIGyMDMGCCsGAQUFBwIB
+                FidodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2ZyZWV0c2FfY3BzLmh0bWwwMgYIKwYB
+                BQUHAgEWJmh0dHA6Ly93d3cuZnJlZXRzYS5vcmcvZnJlZXRzYV9jcHMucGRmMEcG
+                CCsGAQUFBwICMDsaOUZyZWVUU0EgdHJ1c3RlZCB0aW1lc3RhbXBpbmcgU29mdHdh
+                cmUgYXMgYSBTZXJ2aWNlIChTYWFTKTA3BggrBgEFBQcBAQQrMCkwJwYIKwYBBQUH
+                MAGGG2h0dHA6Ly93d3cuZnJlZXRzYS5vcmc6MjU2MDANBgkqhkiG9w0BAQ0FAAOC
+                AgEAaK9+v5OFYu9M6ztYC+L69sw1omdyli89lZAfpWMMh9CRmJhM6KBqM/ipwoLt
+                nxyxGsbCPhcQjuTvzm+ylN6VwTMmIlVyVSLKYZcdSjt/eCUN+41K7sD7GVmxZBAF
+                ILnBDmTGJmLkrU0KuuIpj8lI/E6Z6NnmuP2+RAQSHsfBQi6sssnXMo4HOW5gtPO7
+                gDrUpVXID++1P4XndkoKn7Svw5n0zS9fv1hxBcYIHPPQUze2u30bAQt0n0iIyRLz
+                aWuhtpAtd7ffwEbASgzB7E+NGF4tpV37e8KiA2xiGSRqT5ndu28fgpOY87gD3ArZ
+                DctZvvTCfHdAS5kEO3gnGGeZEVLDmfEsv8TGJa3AljVa5E40IQDsUXpQLi8G+UC4
+                1DWZu8EVT4rnYaCw1VX7ShOR1PNCCvjb8S8tfdudd9zhU3gEB0rxdeTy1tVbNLXW
+                99y90xcwr1ZIDUwM/xQ/noO8FRhm0LoPC73Ef+J4ZBdrvWwauF3zJe33d4ibxEcb
+                8/pz5WzFkeixYM2nsHhqHsBKw7JPouKNXRnl5IAE1eFmqDyC7G/VT7OF669xM6hb
+                Ut5G21JE4cNK6NNucS+fzg1JPX0+3VhsYZjj7D5uljRvQXrJ8iHgr/M6j2oLHvTA
+                I2MLdq2qjZFDOCXsxBxJpbmLGBx9ow6ZerlUxzws2AWv2pk=
+                -----END CERTIFICATE-----
+      imageReferences:
+      - ghcr.io/kyverno/test-verify-image:*
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+```
+
 ## Using a custom TUF for custom Sigstore deployments
 
 If you want to have your own Sigstore infrastructure to be fully in control of the entire signing and verification stack, including the root key material, you can set up your own root of trust to use TUF. To configure Kyverno to use your TUF setup, use `--tufRoot` and `--tufMirror` flags for custom Sigstore deployments.

From 904d8fa9ea12e5fcba18a2712cde28d459967e06 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Mon, 28 Oct 2024 21:16:00 +0530
Subject: [PATCH 40/59] feat: add documentation for emit warning in mutate and
 validate (#1397)

* feat: add documentation for emit warning in mutate and validate

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* Update validate.md

Co-authored-by: shuting <shutting06@gmail.com>
Signed-off-by: Vishal Choudhary <vishal.chdhry.work@gmail.com>

* Update mutate.md

Co-authored-by: shuting <shutting06@gmail.com>
Signed-off-by: Vishal Choudhary <vishal.chdhry.work@gmail.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.chdhry.work@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
---
 content/en/docs/writing-policies/mutate.md   | 4 ++++
 content/en/docs/writing-policies/validate.md | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/content/en/docs/writing-policies/mutate.md b/content/en/docs/writing-policies/mutate.md
index 7a7763b2c..e2599c34d 100644
--- a/content/en/docs/writing-policies/mutate.md
+++ b/content/en/docs/writing-policies/mutate.md
@@ -415,6 +415,10 @@ spec:
           - <(emptyDir): {}
 ```
 
+{{% alert title="Note" color="info" %}}
+Set `spec.emitWarning` to `true` to enable API response warnings for mutate policies upon resource's admission events.
+{{% /alert %}}
+
 ## Mutate Existing resources
 
 In addition to standard mutations, Kyverno also supports mutation on existing resources with `patchStrategicMerge` and `patchesJson6902`. Unlike regular mutate policies that are applied through the AdmissionReview process, mutate existing policies are applied in the background (via the background controller) which update existing resources in the cluster. These "mutate existing" policies, like traditional mutate policies, are still triggered via the AdmissionReview process but apply to existing resources. This decoupling also allows triggering on one resource and mutating a totally different one. They may also optionally be configured to apply upon updates to the policy itself. This has two important implications:
diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md
index 1b3f4e9e8..72f37eaed 100644
--- a/content/en/docs/writing-policies/validate.md
+++ b/content/en/docs/writing-policies/validate.md
@@ -87,6 +87,10 @@ The `FailureAction` attribute controls admission control behaviors for resources
 The field `spec.validationFailureAction` is deprecated and will be removed in a future release. Instead, use `spec.rules[*].validate[*].failureAction`.
 {{% /alert %}}
 
+{{% alert title="Note" color="info" %}}
+When `spec.rules[*].validate[*].failureAction` is set to `Audit`, set `spec.emitWarning` to `true` to show audit policy violation in admission response warnings.
+{{% /alert %}}
+
 ## Failure Action Overrides
 
 Using `failureActionOverrides`, you can specify which actions to apply per Namespace. This attribute is only available for ClusterPolicies.

From 051ad9813a7c4f1fde000e5a0dd9c7e312297ca3 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Mon, 28 Oct 2024 21:40:27 +0530
Subject: [PATCH 41/59] feat: add documentation for auto webhook deletion
 feature (#1398)

* feat: add documentation for auto webhook deletion feature

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: clarifications

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 content/en/docs/installation/uninstallation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/installation/uninstallation.md b/content/en/docs/installation/uninstallation.md
index bf5449c6f..b7534727d 100644
--- a/content/en/docs/installation/uninstallation.md
+++ b/content/en/docs/installation/uninstallation.md
@@ -26,7 +26,7 @@ helm uninstall kyverno kyverno/kyverno -n kyverno
 
 ### Clean up Webhooks
 
-Kyverno by default will try to clean up all its webhooks when terminated. But in cases where its RBAC resources are removed first, it will lose the permission to do so properly.
+Kyverno by default will try to clean up all its webhooks when terminated for helm based installations. But in other cases where Kyverno's RBAC resources are removed first, it will lose the permission to do so properly. Kyverno supports deletion using finalizers to ensure resource deletion in right order. Use `--autoDeleteWebhooks` in admission-controller and cleanup-controller deployment to enable this feature, this feature will be enabled by default in future releases.
 
 If manual webhook removal is necessary, use the below commands.
 

From 7451b092ab3257e23591e2288e6d2f8ed725fb39 Mon Sep 17 00:00:00 2001
From: Frank Jogeleit <frank.jogeleit@web.de>
Date: Mon, 28 Oct 2024 23:16:05 +0100
Subject: [PATCH 42/59] [Enhancement] assert subrule documentation (#1329)

add assert subrule documentation

Signed-off-by: Frank Jogeleit <frank.jogeleit@web.de>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/writing-policies/validate.md | 118 +++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/content/en/docs/writing-policies/validate.md b/content/en/docs/writing-policies/validate.md
index 72f37eaed..dfdf7d2b2 100644
--- a/content/en/docs/writing-policies/validate.md
+++ b/content/en/docs/writing-policies/validate.md
@@ -2037,3 +2037,121 @@ spec:
   policyName: disallow-host-path
   validationActions: [Audit, Warn]
 ```
+
+## Kyverno JSON Assertion
+
+Starting in Kyverno 1.13, a new subrule type called `assert` is available. This subrule type allows users to use Kyverno JSON assertion trees for resource validation. Standard `match` and `exclude` processing is available just like with other rules. This subrule type is enabled when a validate rule is written with a `assert` object, detailed below.
+
+For example, this policy ensures that a pod does not use the default service account.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-default-sa
+spec:
+  validationFailureAction: Enforce
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    name: disallow-default-sa
+    validate:
+      message: default ServiceAccount should not be used
+      assert:
+        object:
+          spec:
+            (serviceAccountName == 'default'): false
+```
+
+The `assert.object` contains an assertion tree to validate the applied resource. If an assertion evaluates to false, the validation check is enforced according to the `spec.validationFailureAction` field.
+
+When trying to create a Deployment with the "default" ServiceAccount, the creation of the Deployment will be blocked.
+
+```
+Error from server: admission webhook "validate.kyverno.svc-fail" denied the request: 
+
+resource Pod/default/nginx was blocked due to the following policies 
+
+disallow-default-sa:
+  disallow-default-sa: 'object.spec.(serviceAccountName == ''default''): Invalid value:
+    true: Expected value: false'
+```
+
+assertions have access to the contents of the Admission request/response, organized as seperared trees as well as some other useful variables:
+
+- `object` - The object from the incoming request. The value is null for DELETE requests.
+- `oldObject` - The existing object. The value is null for CREATE requests.
+- `admissionInfo` - Additional admission information. Contains user information like `roles`, `clusterRoles` and `username`.
+- `operation` - Admission Operation.
+- `namespaceLabels` - Map of labels of the target namespace, not available for cluster scoped objects.
+- `admissionOperation` - Bool value which indicates if the policy was triggered from an admission request.
+
+`validate.assert` subrules also supports autogen rules for higher-level controllers that directly or indirectly manage Pods: Deployment, DaemonSet, StatefulSet, Job, and CronJob resources. Check the [autogen](autogen.md) section for more information.
+
+```yaml
+status:
+  autogen:
+    rules:
+    - exclude:
+        resources: {}
+      generate:
+        clone: {}
+        cloneList: {}
+      match:
+        all:
+        - resources:
+            kinds:
+            - DaemonSet
+            - Deployment
+            - Job
+            - ReplicaSet
+            - ReplicationController
+            - StatefulSet
+            operations:
+            - CREATE
+            - UPDATE
+        resources: {}
+      mutate: {}
+      name: autogen-disallow-default-sa
+      skipBackgroundRequests: true
+      validate:
+        assert:
+          object:
+            spec:
+              template:
+                spec:
+                  (serviceAccountName == 'default'): false
+        message: default ServiceAccount should not be used
+        validationFailureAction: Audit
+    - exclude:
+        resources: {}
+      generate:
+        clone: {}
+        cloneList: {}
+      match:
+        all:
+        - resources:
+            kinds:
+            - CronJob
+            operations:
+            - CREATE
+            - UPDATE
+        resources: {}
+      mutate: {}
+      name: autogen-cronjob-disallow-default-sa
+      skipBackgroundRequests: true
+      validate:
+        assert:
+          object:
+            spec:
+              jobTemplate:
+                spec:
+                  template:
+                    spec:
+                      (serviceAccountName == 'default'): false
+        message: default ServiceAccount should not be used
+        validationFailureAction: Audit
+```
\ No newline at end of file

From 01e599a7a60ba440fc548487ae2166ecda99c7a9 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Mon, 28 Oct 2024 15:33:56 -0700
Subject: [PATCH 43/59] fix links (#1399)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/installation/upgrading.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/docs/installation/upgrading.md b/content/en/docs/installation/upgrading.md
index 864c73332..2fb72a121 100644
--- a/content/en/docs/installation/upgrading.md
+++ b/content/en/docs/installation/upgrading.md
@@ -16,7 +16,7 @@ Direct upgrades from previous versions are not supported when using the YAML man
 
 ### Upgrade Kyverno with Helm
 
-An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher using Helm requires manual intervention and cannot be performed via a direct upgrade process. Please see the 1.10 migration guide [here](https://githubviewRoleName.com/kyverno/kyverno/blob/release-1.13/charts/kyverno/README.md#migrating-from-v2-to-v3) for more complete information.
+An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher using Helm requires manual intervention and cannot be performed via a direct upgrade process. Please see the Helm chart v2 to v3 migration guide [here](https://github.com/kyverno/kyverno/blob/release-1.13/charts/kyverno/README.md#migrating-from-v2-to-v3) for more complete information.
 
 
 ## Upgrading to Kyverno v1.13

From 42569c0fcd2c5fa6fb4ad7b1cbfe65766c3b3cbd Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Tue, 29 Oct 2024 18:41:39 +0800
Subject: [PATCH 44/59] chore: link to CVE (#1402)

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/docs/installation/upgrading.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/installation/upgrading.md b/content/en/docs/installation/upgrading.md
index 2fb72a121..420a9ee62 100644
--- a/content/en/docs/installation/upgrading.md
+++ b/content/en/docs/installation/upgrading.md
@@ -23,7 +23,7 @@ An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher usi
 
 Kyverno version 1.13 contains the following breaking configuration changes:
 
-1. **Removal of wildcard permissions**: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default `view` role was added. See the documentation section on [Role Based Access Controls](./customization.md#role-based-access-controls) for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the these controller may no longer be able to view these custom resources.
+1. **Removal of wildcard permissions**: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default `view` role was added. See the documentation section on [Role Based Access Controls](./customization.md#role-based-access-controls) for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the controller may no longer be able to view these custom resources.
 
 To upgrade to 1.13 and continue to allow wildcard view permissions for all Kyverno controllers, use a Helm values file that grants these permissions as specified below:
 
@@ -65,7 +65,7 @@ reportsController:
 
 **NOTE**: using wildcard permissions is not recommended. Use explicit permissions instead.
 
-2. **Default exception settings**: the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See **CVE-2024-48921** for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces.
+2. **Default exception settings**: the Helm chart values of the prior versions enabled exceptions by default for all namespaces. This creates a potential security issue. See [CVE-2024-48921](https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm) for more details. This change will impact users who were relying on policy exceptions to be enabled in all namespaces.
 
 To maintain backwards compatibility, you can configure the Helm chart values to allow the same settings as the prior version. To upgrade to 1.13 and continue to allow configuring exceptions in all namespaces, set the Helm value `features.policyExceptions.namespace` to `*`:
 

From 125df1793f698a3f2db4f6a2796f0764a6e62a6d Mon Sep 17 00:00:00 2001
From: Vishal Choudhary <vishal.choudhary@nirmata.com>
Date: Tue, 29 Oct 2024 16:35:24 +0530
Subject: [PATCH 45/59] fix: add warning to set permission in reports
 controller (#1403)

* fix: add warning to set permission in reports controller

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: update note

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* fix: case in kyverno

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
---
 content/en/docs/policy-reports/_index.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/content/en/docs/policy-reports/_index.md b/content/en/docs/policy-reports/_index.md
index 08ddafe6b..6e69cb76c 100644
--- a/content/en/docs/policy-reports/_index.md
+++ b/content/en/docs/policy-reports/_index.md
@@ -90,6 +90,10 @@ To configure Kyverno to generate reports for Kubernetes ValidatingAdmissionPolic
 Reporting can be enabled or disabled for rule types by modifying the value of the flag `--enableReporting=validate,mutate,mutateExisting,generate,imageVerify`.
 {{% /alert %}}
 
+{{% alert title="Note" color="info" %}}
+Creating reports for a resource require permissions to `get`, `list` and `watch` the resource in Kyverno reports controller.
+{{% /alert %}}
+
 ## Report result logic
 
 Entries in a policy report contain a `result` field which can be either `pass`, `skip`, `warn`, `error`, or `fail`.

From aa06dd77b46af3b7c4bd41c79209956a676c16f6 Mon Sep 17 00:00:00 2001
From: Khaled Emara <khaled.emara@nirmata.com>
Date: Tue, 29 Oct 2024 16:57:28 +0300
Subject: [PATCH 46/59] doc(gctx): cli variable injection (#1323)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/kyverno-cli/usage/apply.md    | 21 ++++++++++++++++++-
 .../writing-policies/external-data-sources.md |  2 ++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/kyverno-cli/usage/apply.md b/content/en/docs/kyverno-cli/usage/apply.md
index 1e1bc1e5c..8d1372ab8 100644
--- a/content/en/docs/kyverno-cli/usage/apply.md
+++ b/content/en/docs/kyverno-cli/usage/apply.md
@@ -75,7 +75,7 @@ Apply a policy containing variables using the `--set` or `-s` flag to pass in th
 kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set <variable1>=<value1>,<variable2>=<value2>
 ```
 
-Use `-f` or `--values-file` for applying multiple policies to multiple resources while passing a file containing variables and their values. Variables specified can be of various types include AdmissionReview fields, ConfigMap context data, and API call context data.
+Use `-f` or `--values-file` for applying multiple policies to multiple resources while passing a file containing variables and their values. Variables specified can be of various types include AdmissionReview fields, ConfigMap context data, API call context data, and Global Context Entries.
 
 Use `-u` or `--userinfo` for applying policies while passing an optional user_info.yaml file which contains necessary admission request data made during the request.
 
@@ -494,6 +494,25 @@ policies:
           dictionary.data.env: dev1
 ```
 
+You can also inject global context entries using variables. Here's an example of a Values file that injects a global context entry:
+
+```yaml
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Value
+metadata:
+  name: values
+globalValues:
+  request.operation: CREATE
+policies:
+  - name: gctx
+    rules:
+      - name: main-deployment-exists
+        values:
+          deploymentCount: 1
+```
+
+In this example, `request.operation` is set as a global value, and `deploymentCount` is set for a specific rule in the `gctx` policy.
+
 Policies that have their failureAction set to `Audit` can be set to produce a warning instead of a failure using the `--audit-warn` flag. This will also cause a non-zero exit code if no enforcing policies failed.
 
 ```sh
diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index 0aec61627..e305735c2 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -710,6 +710,8 @@ context:
 
 The data returned by GlobalContextEntries may vary depending on whether it is a Kubernetes resource or an API call. Consequently, the JMESPath expression used to manipulate the data may differ as well. Ensure you use the appropriate JMESPath expression based on the type of data being accessed to ensure accurate processing within policies.
 
+To use Global Contexts with the Kyverno CLI, you can use the Values file to inject these global context entries into your policy evaluation. This allows you to simulate different scenarios and test your policies with various global context values without modifying the actual `GlobalContextEntry` resources in your cluster. Refer to it here: [kyverno apply](../kyverno-cli/usage/apply.md).
+
 {{% alert title="Warning" color="warning" %}}
 GlobalContextEntries must be in a healthy state (i.e., there is a response received from the remote endpoint) in order for the policies which reference them to be considered healthy. A GlobalContextEntry which is in a `not ready` state will cause any/all referenced policies to also be in a similar state and therefore will not be processed. Creation of a policy referencing a GlobalContextEntry which either does not exist or is not ready will print a warning notifying users.
 {{% /alert %}}

From f59a17283cdae50e21f0261fd76be5ce79078ae1 Mon Sep 17 00:00:00 2001
From: Marc Brugger <github@bakito.ch>
Date: Tue, 29 Oct 2024 14:57:49 +0100
Subject: [PATCH 47/59] [1.13] support inline exceptions in cli apply (#1234)

support inline exceptions in cli apply

Signed-off-by: bakito <github@bakito.ch>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 content/en/docs/kyverno-cli/usage/apply.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/content/en/docs/kyverno-cli/usage/apply.md b/content/en/docs/kyverno-cli/usage/apply.md
index 8d1372ab8..07a2596bf 100644
--- a/content/en/docs/kyverno-cli/usage/apply.md
+++ b/content/en/docs/kyverno-cli/usage/apply.md
@@ -45,6 +45,11 @@ Apply multiple policies to multiple resources with exceptions:
 ```sh
 kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --exception /path/to/exception1.yaml --exception /path/to/exception2.yaml 
 ```
+Apply multiple policies to multiple resources where exceptions are evaluated from the provided resources:
+
+```sh
+kyverno apply /path/to/policy1.yaml /path/to/folderFullOfPolicies --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml --exceptions-with-resources
+```
 
 Apply a mutation policy to a specific resource:
 

From 3a93f7082de07aae29e714e4a33b60c0333b43c5 Mon Sep 17 00:00:00 2001
From: Khaled Emara <khaled.emara@nirmata.com>
Date: Tue, 29 Oct 2024 16:58:16 +0300
Subject: [PATCH 48/59] doc(scale): update scale numbers for 1.13 (#1374)

* doc(scale): update scale numbers for 1.13

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* feat: update scaling numbers for 1.13.0-rc.2

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* chore: point to latest test script

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/installation/scaling.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/content/en/docs/installation/scaling.md b/content/en/docs/installation/scaling.md
index 219233e38..a12776666 100644
--- a/content/en/docs/installation/scaling.md
+++ b/content/en/docs/installation/scaling.md
@@ -32,17 +32,17 @@ Testing was performed using KinD on an Ubuntu 20.04 system with an AMD EPYC 7502
 
 The following table shows the resource consumption (memory and CPU) and latency as a result of increased virtual users and iterations defined in [k6](https://k6.io/open-source/). k6 is an open-source load testing tool for performance testing. k6 has multiple executors, the most popular of which is the shared-iterations executor. This executor creates a number of concurrent connections called virtual users. The total number of iterations is then distributed among these virtual users.
 
-The test was conducted where we installed Kyverno policies to enforce the Kubernetes pod security standards using 17 policies. Subsequently, we developed a compatible Pod test to measure how long Kyverno takes to admit the admission request. For more details on these tests, refer to the load testing documentation [here](https://github.com/kyverno/load-testing/tree/main/k6).
+The test was conducted where we installed Kyverno policies to enforce the Kubernetes pod security standards using 17 policies. Subsequently, we developed a compatible Pod test to measure how long Kyverno takes to admit the admission request. For more details on these tests, refer to the load testing documentation [here](https://github.com/kyverno/load-testing/blob/main/README.md).
 
 
-| replicas | # policies | Rule Type | Mode    | Subject | Virtual Users/Iterations | Latency (avg/max) | Memory (max) | CPU (max) |
-|----------|------------|-----------|---------|---------|--------------------------|-------------------|--------------|-----------|
-| 1        | 17         | Validate  | Enforce | Pods    | 100/1,000               | 42.89ms / 155.77ms         | 115Mi        | 211m      |
-| 1        | 17         | Validate  | Enforce | Pods    | 200/5,000               | 73.37ms / 432.37ms         | 136Mi        | 1148m     |
-| 1        | 17         | Validate  | Enforce | Pods    | 500/10,000              | 210.56ms / 1.54s           | 315Mi        | 1470m     |
-| 3        | 17         | Validate  | Enforce | Pods    | 100/1,000               | 31.06ms / 111.42ms         | 110Mi         | 96m      |
-| 3        | 17         | Validate  | Enforce | Pods    | 200/5,000               | 56.56ms / 248.38ms         | 116Mi        | 315m      |
-| 3        | 17         | Validate  | Enforce | Pods    | 500/10,000              | 136.77ms / 666.04ms        | 167Mi        | 524m      |
+| replicas | # policies | Rule Type | Mode    | Subject | Virtual Users/Iterations | Latency (avg/max)  | Memory (max)  | CPU (max) | Memory Limit    |
+|----------|------------|-----------|---------|---------|--------------------------|--------------------|--------------|------------|-----------------|
+| 1        | 17         | Validate  | Enforce | Pods    | 100/1,000                | 42.67ms / 141.24ms |    114Mi     |    148m    | default (384Mi) |
+| 1        | 17         | Validate  | Enforce | Pods    | 200/5,000                | 80.74ms / 409.35ms |    215Mi     |    3237m   | default (384Mi) |
+| 1        | 17         | Validate  | Enforce | Pods    | 500/10,000               | 203.86ms / 1.5s    |    471Mi     |    4851m   |      512Mi      |
+| 3        | 17         | Validate  | Enforce | Pods    | 100/1,000                | 35.61ms / 92.61ms  |    104Mi     |    289m    | default (384Mi) |
+| 3        | 17         | Validate  | Enforce | Pods    | 200/5,000                | 67.37ms / 327.12ms |    122Mi     |    1336m   | default (384Mi) |
+| 3        | 17         | Validate  | Enforce | Pods    | 500/10,000               | 163.08ms / 3.02s   |    239Mi     |    2769m   |      512Mi      |
 
 #### Reports Controller
 

From 10412d71cefd3dd2b407a3e35b45a8fd2a16fbb5 Mon Sep 17 00:00:00 2001
From: Khaled Emara <khaled.emara@nirmata.com>
Date: Tue, 29 Oct 2024 17:15:52 +0300
Subject: [PATCH 49/59] add version 1.13.0 to menu (#1404)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
---
 config/_default/params.toml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/_default/params.toml b/config/_default/params.toml
index 51a3d13b7..0d5fdda5f 100644
--- a/config/_default/params.toml
+++ b/config/_default/params.toml
@@ -143,9 +143,13 @@ js = [
 # version_menu = "Versions"
 # Add your release versions here
 [[versions]]
-  version = "v1.12.0"
+  version = "v1.13.0"
   url = "https://kyverno.io"
 
+[[versions]]
+  version = "v1.12.0"
+  url = "https://release-1-12-0.kyverno.io"
+
 [[versions]]
   version = "v1.11.0"
   url = "https://release-1-11-0.kyverno.io"

From 9f4a0244870d1ae7f9f28e4b91457e15d686caf3 Mon Sep 17 00:00:00 2001
From: Sebastian Gaiser <sebastiangaiser@users.noreply.github.com>
Date: Thu, 31 Oct 2024 11:30:32 +0100
Subject: [PATCH 50/59] fix(upgrading): v1.13 use correct Helm values (#1414)

Signed-off-by: Sebastian Gaiser <sebastiangaiser@users.noreply.github.com>
---
 content/en/docs/installation/upgrading.md | 65 ++++++++++++-----------
 1 file changed, 34 insertions(+), 31 deletions(-)

diff --git a/content/en/docs/installation/upgrading.md b/content/en/docs/installation/upgrading.md
index 420a9ee62..9fd79b988 100644
--- a/content/en/docs/installation/upgrading.md
+++ b/content/en/docs/installation/upgrading.md
@@ -25,42 +25,45 @@ Kyverno version 1.13 contains the following breaking configuration changes:
 
 1. **Removal of wildcard permissions**: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default `view` role was added. See the documentation section on [Role Based Access Controls](./customization.md#role-based-access-controls) for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the controller may no longer be able to view these custom resources.
 
-To upgrade to 1.13 and continue to allow wildcard view permissions for all Kyverno controllers, use a Helm values file that grants these permissions as specified below:
+To upgrade to 1.13 and continue to allow wildcard view permissions for all Kyverno controllers, use a [Helm values file](https://github.com/kyverno/kyverno/blob/v1.13.0/charts/kyverno/values.yaml) that grants these permissions as specified below:
 
 ```yaml
 admissionController:
-  clusterRole:
-    extraResources:
-      - apiGroups:
-          - '*'
-        resources:
-          - '*'
-        verbs:
-          - get
-          - list
-          - watch
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
 backgroundController:
-  clusterRole:
-    extraResources:
-      - apiGroups:
-          - '*'
-        resources:
-          - '*'
-        verbs:
-          - get
-          - list
-          - watch
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
 reportsController:
-  clusterRole:
-    extraResources:
-      - apiGroups:
-          - '*'
-        resources:
-          - '*'
-        verbs:
-          - get
-          - list
-          - watch
+  rbac:
+    clusterRole:
+      extraResources:
+        - apiGroups:
+            - '*'
+          resources:
+            - '*'
+          verbs:
+            - get
+            - list
+            - watch
 ```
 
 **NOTE**: using wildcard permissions is not recommended. Use explicit permissions instead.

From 181181f7a5504aa4eaeea76135baae65f556c49c Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 3 Nov 2024 01:26:59 -0700
Subject: [PATCH 51/59] fix quickstart (#1416)

---
 content/en/docs/introduction/quick-start.md | 22 +++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/introduction/quick-start.md b/content/en/docs/introduction/quick-start.md
index c1f6bba62..8388e2e06 100644
--- a/content/en/docs/introduction/quick-start.md
+++ b/content/en/docs/introduction/quick-start.md
@@ -13,7 +13,7 @@ These guides are intended for proof-of-concept or lab demonstrations only and no
 First, install Kyverno from the latest release manifest.
 
 ```sh
-kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.12.0/install.yaml
+kubectl create -f https://github.com/kyverno/kyverno/releases/download/v1.13.0/install.yaml
 ```
 
 Next, select the quick start guide in which you are interested. Alternatively, start at the top and work your way down.
@@ -212,7 +212,25 @@ kubectl -n default create secret docker-registry regcred \
 By default, Kyverno is [configured with minimal permissions](../installation/customization.md#role-based-access-controls) and does not have access to security sensitive resources like Secrets. You can provide additional permissions using cluster role aggregation. The following role permits the Kyverno background-controller to create (clone) secrets.
 
 ```yaml
-kubectl create -f- << EOF
+kubectl apply -f- << EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:secrets:view
+  labels:
+    rbac.kyverno.io/aggregate-to-admission-controller: "true"
+    rbac.kyverno.io/aggregate-to-reports-controller: "true"
+    rbac.kyverno.io/aggregate-to-background-controller: "true"
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

From 453fcdc201ec0d3470141ba26fe61e67a6fdc250 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Sun, 3 Nov 2024 20:40:15 -0800
Subject: [PATCH 52/59] update quickstart generate sample (#1418)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/docs/introduction/quick-start.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/introduction/quick-start.md b/content/en/docs/introduction/quick-start.md
index 8388e2e06..e663db342 100644
--- a/content/en/docs/introduction/quick-start.md
+++ b/content/en/docs/introduction/quick-start.md
@@ -244,6 +244,8 @@ rules:
   - secrets
   verbs:
   - create
+  - update
+  - delete
 EOF
 ```
 
@@ -268,7 +270,7 @@ spec:
       kind: Secret
       name: regcred
       namespace: "{{request.object.metadata.name}}"
-      synchronize: false
+      synchronize: true
       clone:
         namespace: default
         name: regcred

From a727e3bec0c4c8a38f1c33f3bdffeee14700d65c Mon Sep 17 00:00:00 2001
From: Fernando Ripoll <fernando@giantswarm.io>
Date: Mon, 4 Nov 2024 10:58:29 +0100
Subject: [PATCH 53/59] Fix typos in the introduction page (#1420)

Signed-off-by: Fernando Ripoll <fernando@giantswarm.io>
---
 content/en/docs/introduction/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/docs/introduction/_index.md b/content/en/docs/introduction/_index.md
index 492177616..8024d6f9e 100644
--- a/content/en/docs/introduction/_index.md
+++ b/content/en/docs/introduction/_index.md
@@ -10,7 +10,7 @@ description: >
 
 Kyverno (Greek for "govern") is a cloud native policy engine. It was originally built for Kubernetes and now can also be used outside of Kubernetes clusters as a unified policy language.
 
-Kyverno allows platform engineers to automate security, complianace, and best practices validation and deliver secure self-service to application teams.
+Kyverno allows platform engineers to automate security, compliance, and best practices validation and deliver secure self-service to application teams.
 
 Some of its many features include:
 
@@ -18,7 +18,7 @@ Some of its many features include:
 * enforce policies as a Kubernetes admission controller, CLI-based scanner, and at runtime 
 * validate, mutate, generate, or cleanup (remove) any Kubernetes resource
 * verify container images and metadata for software supply chain security
-* policies for any JSON payload including Terraform resources, cloud resources, and service authoriation
+* policies for any JSON payload including Terraform resources, cloud resources, and service authorization
 * policy reporting using the open reporting format from the CNCF Policy WG
 * flexible policy exception management
 * tooling for comprehensive unit and e2e testing of policies

From ee59252edd939ed32a0356db272781b1c6c225d0 Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Mon, 4 Nov 2024 23:45:35 +0800
Subject: [PATCH 54/59] Add 1.13 release blog (#1422)

* add version 1.13.0 to menu (cherry-pick #1404) (#1405)

add version 1.13.0 to menu (#1404)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>

* change version to 1.13.0 (#1406)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* change menu version string (#1407)

change version_menu to 1.13.0

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>

* add 1.13 release blog

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Signed-off-by: ShutingZhao <shuting@nirmata.com>
Co-authored-by: gcp-cherry-pick-bot[bot] <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
---
 config/_default/params.toml                 |   4 +-
 content/en/blog/releases/1-13-0/index.md    | 645 ++++++++++++++++++++
 content/en/blog/releases/1-13-0/kyverno.png | Bin 0 -> 241186 bytes
 3 files changed, 647 insertions(+), 2 deletions(-)
 create mode 100644 content/en/blog/releases/1-13-0/index.md
 create mode 100644 content/en/blog/releases/1-13-0/kyverno.png

diff --git a/config/_default/params.toml b/config/_default/params.toml
index 0d5fdda5f..d4cf7ca2c 100644
--- a/config/_default/params.toml
+++ b/config/_default/params.toml
@@ -9,7 +9,7 @@ showLineNumbers = false
 
 # Menu title if your navbar has a versions selector to access old versions of your site.
 # This menu appears only if you have at least one [versions] set.
-version_menu = "main"
+version_menu = "v1.13.0"
 
 # Flag used in the "version-banner" partial to decide whether to display a
 # banner on every page indicating that this is an archived version of the docs.
@@ -19,7 +19,7 @@ archived_version = false
 # The version number for the version of the docs represented in this doc set.
 # Used in the "version-banner" partial to display a version number for the
 # current doc set.
-version = "main"
+version = "v1.13.0"
 
 # A link to latest version of the docs. Used in the "version-banner" partial to
 # point people to the main doc site.
diff --git a/content/en/blog/releases/1-13-0/index.md b/content/en/blog/releases/1-13-0/index.md
new file mode 100644
index 000000000..03c48252a
--- /dev/null
+++ b/content/en/blog/releases/1-13-0/index.md
@@ -0,0 +1,645 @@
+---
+date: 2024-10-30
+title: "Announcing Kyverno Release 1.13!"
+linkTitle: "Kyverno 1.13"
+description: "Kyverno 1.13 released with Sigstore bundle verification, exceptions for validatingAdmissionPolicies, new assertion trees, generate enhancments, enhanced ValidatingAdmissionPolicy and PolicyException support, and tons more!"
+draft: false
+---
+
+Kyverno 1.13 contains [over 700 changes from 39 contributors](https://github.com/kyverno/kyverno/compare/release-1.12...v1.13.0-rc.3)! In this blog, we will highlight some of the major changes and enhancements for the release.
+
+![kyverno](kyverno.png)
+
+## Major Features
+
+### Sigstore Bundle Verification
+
+Kyverno 1.13 introduces support for verifying container images signatures that use the [sigstore bundle format](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto). This enables seamless support for [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations) to be verified using verification type `SigstoreBundle`. 
+
+The following example verifies images containing SLSA Provenance created and signed using GitHub Artifact Attestation.
+
+Here is an example policy:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sigstore-image-verification
+spec:
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
+ rules:
+ - match:
+     any:
+     - resources:
+         kinds:
+         - Pod
+   name: sigstore-image-verification
+   verifyImages:
+   - imageReferences:
+     - "*"
+     type: SigstoreBundle
+     attestations:
+     - type: https://slsa.dev/provenance/v1
+       attestors:
+       - entries:
+         - keyless:
+             issuer: https://token.actions.githubusercontent.com
+             subject: https://github.com/nirmata/github-signing-demo/.github/workflows/build-attested-image.yaml@refs/heads/main
+             rekor:
+                 url: https://rekor.sigstore.dev
+             additionalExtensions:
+               githubWorkflowTrigger: push
+               githubWorkflowName: build-attested-image
+               githubWorkflowRepository: nirmata/github-signing-demo
+       conditions:
+       - all:
+         - key: "{{ buildDefinition.buildType }}"
+           operator: Equals
+           value: "https://actions.github.io/buildtypes/workflow/v1"
+         - key: "{{ buildDefinition.externalParameters.workflow.repository }}"
+           operator: Equals
+           value: "https://github.com/nirmata/github-signing-demo"
+```
+
+The demo repository is available at: https://github.com/nirmata/github-signing-demo. 
+
+
+### Exceptions for ValidatingAdmissionPolicies
+
+Kyverno 1.13 introduces the ability to leverage PolicyException declarations while auto-generating Kubernetes ValidatingAdmissionPolicies directly from Kyverno policies that use the `validate.cel` subrule. 
+
+The resources specified within the PolicyException are then used to populate the `matchConstraints.excludeResourceRules` field of the generated ValidatingAdmissionPolicy, effectively creating exclusions for those resources. This functionality is illustrated below with an example of a Kyverno ClusterPolicy and a PolicyException, along with the resulting ValidatingAdmissionPolicy.
+
+Kyverno policy:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-host-path
+spec:
+  background: false
+  rules:
+    - name: host-path
+      match:
+        any:
+        - resources:
+            kinds:
+            - Deployment
+            - StatefulSet
+            operations:
+            - CREATE
+            - UPDATE
+            namespaceSelector:
+              matchExpressions:
+                - key: type 
+                  operator: In
+                  values: 
+                  - connector
+      validate:
+        failureAction: Audit
+        cel:
+          expressions:
+            - expression: "!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume, !has(volume.hostPath))"
+              message: "HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath must be unset."
+```
+
+PolicyException:
+
+```yaml
+apiVersion: kyverno.io/v2
+kind: PolicyException
+metadata:
+  name: policy-exception
+spec:
+  exceptions:
+  - policyName: disallow-host-path
+    ruleNames:
+    - host-path
+  match:
+    any:
+    - resources:
+        kinds:
+        - Deployment
+        names:
+        - important-tool
+        operations:
+        - CREATE
+        - UPDATE
+```
+
+The generated ValidatingAdmissionPolicy and its binding are as follows:
+
+```yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resources:
+      - deployments
+      - statefulsets
+    namespaceSelector:
+      matchExpressions:
+      - key: type
+        operator: In
+        values:
+        - connector
+    excludeResourceRules:
+    - apiGroups:
+      - apps
+      apiVersions:
+      - v1
+      operations:
+      - CREATE
+      - UPDATE
+      resourceNames:
+      - important-tool
+      resources:
+      - deployments
+  validations:
+  - expression: '!has(object.spec.template.spec.volumes) || object.spec.template.spec.volumes.all(volume,
+      !has(volume.hostPath))'
+    message: HostPath volumes are forbidden. The field spec.template.spec.volumes[*].hostPath
+      must be unset.
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  name: disallow-host-path-binding
+  ownerReferences:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    name: disallow-host-path
+spec:
+  policyName: disallow-host-path
+  validationActions: [Audit, Warn]
+```
+
+In addition, Kyverno policies targeting resources within a specific namespace will now generate a ValidatingAdmissionPolicy that utilizes the `matchConstraints.namespaceSelector` field to scope its enforcement to that namespace.
+
+Policy snippet:
+
+```yaml
+match:
+  any:
+  - resources:
+      kinds:
+      - Deployment
+      operations:
+      - CREATE
+      - UPDATE
+      namespaces:
+      - production
+      - staging
+```
+
+The generated ValidatingAdmissionPolicy:
+
+```yaml
+matchConstraints:
+  namespaceSelector:
+    matchExpressions:
+    - key: kubernetes.io/metadata.name
+      operator: In
+      values:
+      - production
+      - staging
+  resourceRules:
+  - apiGroups:
+    - apps
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - deployments
+```
+
+### Validation Rules with Assertion Trees
+
+Kyverno-JSON allows Kyverno policies to be used anywhere, even for non-Kubernetes workloads. It introduces the powerful concept of [assertion trees](https://kyverno.io/blog/2023/12/13/kyverno-chainsaw-exploring-the-power-of-assertion-trees/).
+
+Previously the [Kyverno CLI added support for assertion trees](https://kyverno.io/docs/kyverno-cli/assertion-trees/), and now in Release 1.13 assertion trees can also be used in validation rules as a sub-type.
+
+Here is an example of a policy that uses an assertion tree to deny pods from using the default service account:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: disallow-default-sa
+spec:
+ validationFailureAction: Enforce
+ rules:
+ - match:
+     any:
+     - resources:
+         kinds:
+         - Pod
+   name: disallow-default-sa
+   validate:
+     message: default ServiceAccount should not be used
+     assert:
+       object:
+         spec:
+           (serviceAccountName == ‘default’): false
+```
+
+## Other Features and Enhancements 
+
+### Generate Changes
+
+The `foreach` declaration allows the generation of multiple target resources of sub-elements in resource declarations. Each `foreach` entry must contain a list attribute, written as a JMESPath expression without braces, that defines sub-elements it processes.
+
+Here is an example of creating networkpolicies for a list of Namespaces, the namespaces are stored in a ConfigMap which can be easily configured dynamically.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: foreach-generate-data
+spec:
+ rules:
+ - match:
+     any:
+     - resources:
+         kinds:
+         - ConfigMap
+   name: k-kafka-address
+   generate:
+     generateExisting: false
+     synchronize: true
+     orphanDownstreamOnPolicyDelete: false
+     foreach:
+       - list: request.object.data.namespaces | split(@, ‘,’)
+         apiVersion: networking.k8s.io/v1
+         kind: NetworkPolicy
+         name: my-networkpolicy-{{element}}-{{ elementIndex }}
+         namespace: ‘{{ element }}’
+         data:
+           metadata:
+             labels:
+               request.namespace: ‘{{ request.object.metadata.name }}’
+               element: ‘{{ element }}’
+               elementIndex: ‘{{ elementIndex }}’
+           spec:
+             podSelector: {}
+             policyTypes:
+             - Ingress
+             - Egress
+```
+
+The triggering ConfigMap is defined as follows, the data contains a namespaces field that defines multiple namespaces.
+
+```yaml
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-deny
+  namespace: default
+data:
+  namespaces: foreach-ns-1,foreach-ns-2
+```
+
+Similarly, below is an example of a clone source type of `foreach` declaration that clones the source Secret into a list of matching existing namespaces which is stored in the same ConfigMap as above.
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: foreach-clone
+spec:
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+	   namespaces:
+          - default
+    name: k-kafka-address
+    generate:
+      generateExisting: false
+      synchronize: true
+      foreach:
+        - list: request.object.data.namespaces | split(@, ',')
+          apiVersion: v1
+          kind: Secret
+          name: cloned-secret-{{ elementIndex }}-{{ element }}
+          namespace: '{{ element }}'
+          clone:
+            namespace: default
+            name: source-secret
+```
+
+In addition, each `foreach` declaration supports the following declarations: Contex and Preconditions. For more information please see [Kyverno documentation](https://kyverno.io/docs/writing-policies/generate/#foreach).
+
+This release also allows updates to the generate rule pattern. In addition to deletion, if the triggering resource is altered in a way such that it no longer matches the definition in the rule, that too will cause the removal of the downstream resource.
+
+### API call enhancements
+
+#### Default Values
+
+In the case where the API server returns an error, `apiCall.default` can be used to provide a fallback value for the API call context entry. 
+
+The following example shows how to add default value to context entries:
+
+```yaml
+    context:
+    - name: currentnamespace
+      apiCall:
+        urlPath: “/api/v1/namespaces/{{ request.namespace }}”
+        jmesPath: metadata.name
+        default: default
+```
+#### Custom Headers
+
+Kyverno Service API calls now also support custom headers. This can be useful for authentication or adding other  HTTP request headers. Here is an example of adding a token in the HTTP Authorization header:
+
+```yaml
+     context:
+        - name: result
+          apiCall:
+            method: POST
+            data:
+              - key: foo
+                value: bar
+              - key: namespace
+                value: "{{ `{{ request.namespace }}` }}"
+            service:
+              url: http://my-service.svc.cluster.local/validation
+              headers:
+                - key: "UserAgent"
+                  value: "Kyverno Policy XYZ"
+                - key: "Authorization"
+                  value: "Bearer {{ MY_SECRET }}"
+```
+
+### Policy Report Enhancements
+
+#### Reports for Mutate and Generate rules
+
+In addition to validate and verifyImages rules, Kyverno 1.13 supports reporting for generate and mutate, including mutate existing policies, to record policy results. The container flag `--enableReporting` can be used to enable or disable reports for specific rule types. It allows the comma-separated values, validate, mutate, mutateExisting, generate, and imageVerify. See details [here](https://main.kyverno.io/docs/installation/customization/#container-flags).
+
+A result entry will be audited in the policy report for rule decision:
+
+```yaml
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: PolicyReport
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: kyverno
+  namespace: default
+results:
+- message: mutated Pod/good-pod in namespace default
+  policy: add-labels
+  result: pass
+  rule: add-labels
+  scored: true
+  source: kyverno
+scope:
+  apiVersion: v1
+  kind: Pod
+  name: good-pod
+  namespace: default
+...
+```
+
+Note that the proper permissions need to be granted to the reports controller, a warning message will be returned upon policy admission if no RBAC permission is configured.
+
+#### Custom Data in Reports
+
+A new field `reportProperties` is introduced to custom data in policy reports. For example, a validate rule below adds two additional entries operation and objName to the policy reports:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-owner
+spec:
+  background: false
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: check-owner
+    context:
+    - name: objName
+      variable:
+        jmesPath: request.object.metadata.name
+    reportProperties:
+      operation: ‘{{ request.operation }}’
+      objName: ‘{{ objName }}’
+    validate:
+      validationFailureAction: Audit
+      message: The `owner` label is required for all Namespaces.
+      pattern:
+        metadata:
+          labels:
+            owner: ?*
+```
+
+You can find the two custom entries added to `results.properties`:
+
+```yaml
+apiVersion: wgpolicyk8s.io/v1alpha2
+kind: ClusterPolicyReport
+metadata:
+  ownerReferences:
+  - apiVersion: v1
+    kind: Namespace
+    name: bar
+results:
+- message: validation rule ‘check-owner’ passed.
+  policy: require-owner
+  result: pass
+  rule: check-owner
+  scored: true
+  source: kyverno
+  properties:
+    objName: bar
+    operation: CREATE
+scope:
+  apiVersion: v1
+  kind: Namespace
+  name: bar
+```
+
+### GlobalContextEntries Enhancements
+
+#### API Call Retry
+
+Kyverno’s GlobalContextEntry provides a powerful mechanism to fetch external data and use it within policies. When leveraging the apiCall feature to retrieve data from an API, transient network issues can sometimes hinder successful retrieval. 
+
+To address this, Kyverno now offers built-in retry logic for API calls within GlobalContextEntry. You can now optionally specify a retryLimit for your API calls:
+
+```yaml
+apiVersion: kyverno.io/v2alpha1
+kind: GlobalContextEntry
+metadata:
+  name: gctxentry-apicall-correct
+spec:
+  apiCall:
+    urlPath: "/apis/apps/v1/namespaces/test-globalcontext-apicall-correct/deployments"
+    refreshInterval: 1h
+    retryLimit: 3
+```
+
+The `retryLimit` field determines the number of times Kyverno will attempt to make the API call if it initially fails. This field is optional and defaults to 3, ensuring a reasonable level of resilience against temporary network hiccups.
+
+By incorporating this retry mechanism, Kyverno further strengthens its ability to reliably fetch external data, ensuring your policies can function smoothly even in the face of occasional connectivity issues. This enhancement improves the overall robustness and dependability of your Kubernetes policy enforcement framework.
+
+#### CLI-based Injection of Global Context Entries
+
+Kyverno CLI now allows you to dynamically inject global context entries using a Values file. This feature facilitates flexible policy testing and execution by simulating different scenarios without modifying GlobalContextEntry resources in your cluster.
+
+You can now define global values and rule-specific values within the Values file, providing greater control over policy evaluation during testing.
+
+```yaml
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Value
+metadata:
+  name: values
+globalValues:
+  request.operation: CREATE
+policies:
+  - name: gctx
+    rules:
+      - name: main-deployment-exists
+        values:
+          deploymentCount: 1
+```
+
+In this example, `request.operation` is set as a global value, and deploymentCount is set for a specific rule in the gctx policy. When using the Kyverno CLI, you can reference this Values file to inject these global context entries into your policy evaluation.
+
+### Security Hardening
+
+The Kyverno project strives to be secure and production-ready, while providing ease of use. This release contains important changes to further enhance the security of the project.
+
+#### Removal of wildcard roles
+
+Prior versions of Kyverno included wildcard view permissions. These have been removed in 1.13 and replaced with a role binding to the system view role.
+
+This change does not impact policy behaviors during admission controls, but may impact users with mutate and generate policies for custom resources, and may impact reporting of policy results for validation rules on custom resources A Helm option was added to upgrade Kyverno without breaking existing policies, see the upgrade guidance [here](https://main.kyverno.io/docs/installation/upgrading/#upgrading-to-kyverno-v113).
+
+#### Removal of insecure configuration for exceptions
+
+In prior versions, policy exceptions were allowed in all namespaces. This creates a potential security issue, as any user with permission to create a policy exception can bypass policies, even in other namespaces. See [CVE-2024-48921](https://github.com/kyverno/kyverno/security/advisories/GHSA-qjvc-p88j-j9rm) for more details. 
+
+This release changes the defaults to disable the policy exceptions and only allows exceptions to be created in a specified namespace. To maintain backward compatibility follow the [upgrade guidance](https://main.kyverno.io/docs/installation/upgrading/#upgrading-to-kyverno-v113).
+
+### Warnings for Policy Violations and Mutations 
+
+A warning message can now be returned along with admission responses by the policy setting `spec.emitWarning`, this can be used to report policy violations as well as mutations upon admission events.
+
+### Shallow evaluation of Variables
+
+Kyverno performs nested variable substitution by default, this may not be desirable in certain situations. Take the following ConfigMap as an example, it defines a `.hcl` string content using the same `{{ }}` notation which is used in Kyverno for variable syntax. In this case, Kyverno needs to be instructed to not attempt to resolve variables in the HCL, this can be achieved by `{{- ... }}` notation for shallow (one time only) substitution of variables.
+
+```yaml
+apiVersion: v1
+data:
+  config: |-
+    from_string
+    {{ some hcl tempalte }}
+kind: ConfigMap
+metadata:
+  annotations:
+  labels:
+    argocd.development.cpl.<removed>.co.at/app: corp-tech-ap-team-ping-ep
+  name: vault-injector-config-http-echo
+  namespace: corp-tech-ap-team-ping-ep
+```
+
+To only substitute the rule data with the HCL, and not perform nested substitutions, the following policy uses the declaration `{{- hcl }}` for shallow substitution.
+
+```yaml
+apiVersion: cli.kyverno.io/v1alphaapiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: vault-auth-backend
+spec:
+  validationFailureAction: Audit
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: vault-injector-config-blue-to-green-auth-backend
+    context:
+    - name: hcl
+      variable:
+        jmesPath: replace_all( ‘{{ request.object.data.config }}’, ‘from_string’,‘to_string’)
+    match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          names:
+          - test-*
+          namespaces:
+          - corp-tech-ap-team-ping-ep
+    mutate:
+      patchStrategicMerge:
+        data:
+          config: ‘{{- hcl }}’
+      targets:
+      - apiVersion: v1
+        kind: ConfigMap
+        name: ‘{{ request.object.metadata.name }}’
+        namespace: ‘{{ request.object.metadata.namespace }}’
+    name: vault-injector-config-blue-to-green-auth-backend
+```
+
+### Improved ArgoCD Integration  
+
+Kyverno-managed webhook configurations are auto-cleaned up upon uninstallation. This behavior could be broken if Kyverno loses RBAC permissions to do so given the random resources deletion order. This release introduces a finalizer-based cleanup solution to ensure webhooks are removed successfully. 
+
+This feature is in [beta stage](https://main.kyverno.io/docs/installation/uninstallation/#clean-up-webhooks) and will be used as the default cleanup strategy in the future.
+
+### API Version Management
+
+Kyverno 1.13 introduces new changes in the policy CRDs:
+
+* Both Policy Exceptions and Cleanup Policies have graduated to a stable version (v2).
+* Several policy settings are deprecated:
+  * spec.validationFailureAction
+  * spec.validationFailureActionOverrides
+  * spec.mutateExistingOnPolicyUpdate
+  * spec.generateExisting
+
+* These are replaced by more granular controls within the rule itself: 
+  * spec.rules[*].validate.failureAction
+  * spec.rules[*].validate.failureActionOverrides
+  * spec.rules[*].verifyImages[*].failureAction
+  * spec.rules[*].mutate.mutateExisting
+  * spec.rules[*].generate.generateExisting
+
+Note that the deprecated fields will be removed in a future release, so migration to the new settings is recommended.
+
+## Conclusion
+
+Kyverno 1.13 promises to be a great release, with many new features, enhancements, and fixes. To get started with Kyverno try the [quick start guides](https://kyverno.io/docs/introduction/quick-start/) or head to the [installation](https://kyverno.io/docs/installation/methods/) section of the docs.
+
+To get the most value out of Kyverno, and check out the [available enterprise solutions](/support))!
\ No newline at end of file
diff --git a/content/en/blog/releases/1-13-0/kyverno.png b/content/en/blog/releases/1-13-0/kyverno.png
new file mode 100644
index 0000000000000000000000000000000000000000..3695f1b26c26f84bff9081e0d1b10e119ed29cca
GIT binary patch
literal 241186
zcmagG2|QHa|35yIlnRxhvbM`wA^TFc%D#-9QL?Yu_cck1N|vl4+l)1hZI~HJS}cjN
zGgHbo#?W9ejQ<_IKc7$P{r`RSz;*9A_nh;3Jzx84ir3fGJjimK1q1>eynap15Cmcl
z2Z0z9_wE7iTnE?7gFq~BXH`}G>#C{(`re)n&TjS~(6#uKG-hL?nZuD=A-$?sweCkg
z`<%JNsd8hlD8~#|;~L}L!?y$k2ieW7q7W}mGID+{6sqS`;pEOYGvf$>K32bC&b2>3
z|EHMO-gy*xT;8+mxdikqxw~U4mx`0%0=-huJbfeT2g5b6!+q7Ju^EG&i@u}mm|ao=
zY$YnGtvXy6W1=@0PS&iDets2;ESeMTEw$RBZAE~Y_>{BvgE;Pb@rY+<K3LeN2K83|
zb^xT$%#QB*c%X+P;G{PA)WMUX5f6?y1m1oyQFQEJk=>iCW_yhoFv&7JcNjsZ<-Qd=
zdLMbLa9aAV=v{><_M3;^h?SN)E8I;w>309EfYKM^aE;M`pu@CO3Ehn3*6WXdcGwg#
zkxpFWD)f3q>z-J}J<T}zygV;S@Vvp?k!UmZ?;Z2!ir222AFUJgN@Z%AS#{QZwtBbw
zl5{p$;*&yRT&}PC$CF#;iClrzg+Z4FZ`O3^Q4VC=-?6y=+N3GHEz3SJu%hC$tktaE
z_nN}Bnj@_z9c7K!tDRDNlT|k-Z<!gQ%?_U==87-*=fVkR#zI`y1E}DtLRX2yt)VYN
zraG3pxh_q47inG(nOIa*n7Z|*a54WtfU~H<jmMHXx!**WiyiOX7;q3^`#w4>Fmvqe
zozNJEV^u20uU#=dFpc3~`@x{HCj#=WPs7YPU!+>##Ko8{HIJjYU7X&XoS(}@%G^Nd
zjg=Bft@6W5ig%q%r$V_AAg`{BtSq-&^4b^(zv>LS&o&jhCkFK1h6(@Eqe3l9b|Mp{
zbyQ`y_xlhPCMOWD?OyFDaMdnd%)vlLDEr<wDw1Y<>IDwHJegg&+ZD6tF&j(E<*NP9
zqBijYB}|%_i=P>XTY|jyS?!X>@Gk6Kin_AE@-UjsmN8m@N9~^AW0sfuX0Dul41ODF
zC7}17pCu|k&rFcv@YTak2VWl&y89sSQpsUhOn8*;m8m>oeeosGY}~!Py3dYBnUZaV
z%2)}llNWY5yb1R@+Qgw7X^I*0;%j0Oi-qG`y(B{UP<wDuRJ`fJQI;3C^(CKie&lFV
zsn(AwIcltM<Do^IkV?u6nEs=Z%f?)@oG>=2==Hnr^3OZT4Ra9hu3U*LXqX01`%Rzp
zJ=VxM_HbSeca>70*@L@q`{D6-yC?47w9CJ+FFhqaRC{01ai7CJhkTeN?yp6*-EubD
zRi@a_%>78`O~pITo0MCbRZ~^XgA8*=S>udap5wFbM9Hv<?Mh1;iIIOOpMZ?#ejE1o
z6JBc3Bv3r`fX)5xwlq9p(Q!d~QGDUZ?x1MCmM84j@P}UQwcHoC*ZnTx?v*#Y4WgV>
ze9zuHlzgB2e&Jh<Z|dLdzR4ducFg@4^K;u{QQC>xr5y&(KV90qlzZ*LX}iM-ukW5d
z;eG=9xa$eu<MAgSZil_%mc5sCW&CQzDX4(*nTThF?=wEUvJZMiu>WMAY47<Fm3r#^
z%!i9VQa{*#N_o$lh7^-NsrPsw&GCcJ_kj;-pK_m~&nXwF7*rYWHNFNBG%PW#&%f~U
zzEPj)lJWQRljr%2n_kGMTruz!6k$nw^~C$W_mfN4+6)htxVaogJPy7)tjY^9G=639
zK;NR!xWd<>H0fUcOz+@pj$xDGi^JB#Q$e%jbn+_sa<^+%fX{gS&ro}5dz5#Sck)l(
zAKgN}V7-*vDMTSrAwA<B*gIGYOc+8bwK3*>u9r=c%#}ym(yG_ku(ncm2zCV4g&Et3
zeb*<|*Nj!44e1jvNpkuuIV$;7(%&Vk=V<>+r$#3h$pDueZ0L2<e2JO!ONPPc!i=?a
zK51&@LrSp)QhDw#cq_8uV=p(=;!0XS#}5pZ_U1{z;HBIzkQ#MYD0zHWlJe3@>MSd@
zJgsml%7zii;R&?IQLh+A1V&!8;Hyszea3pl-c0%GeyZ$HtKg7RWzRvo!NGo+p8C<%
z#(i$L98X>ta{Yn?)nIN$d0oLqhZLPQDsnDzj&VjG>+HaZ43xFaAsQ-z9<KS5#mJtV
zwVdZU<3#w(g)G)BCM{~sQHV>m-z-ur$7;`7hL~5@c_6~=>~6Kz4LSPYQg3nFB0to&
zuE4XKvj;1BJO*tBl=@L`XnZjr_uk^TC?;>qGs@d9|5`rO`?XJpm%`*~T5_q;E2HM#
z&sSq&H)7*BS!G=1eX@kJsaDfs)nd$6>sAOW*$PNS_o(k^pa<4NJYA#X^yJM+*MR*2
z)zs^hJE^B!MG0BVA6rKXFa_;KJrbie9puuqTGMFLn1PbIa*7MdN9icPaxPJcGC1od
zhD=nPbtNJD>w1&EbIqDgQaW&h&^a6@h<SC-+}^;ZYo1TM473FH-e#WP8+!OQ`|Fd_
z1Ga8n`d&c`WcE*wrA}DqJ^TD4Z#j?u&1h@wJw+Dj18H{y)ZVL$#Fr!-O<KAyk~o)e
zDanG{Pt-!nf_?0GOhWwq(!^tya}9w5-&)SpYW++bwRWlU#eNa~WSmwgBHwJ~A?vud
zXr}FU+bwL4OIM)yfdprJBK$u0k5~1`hRQ&XrtGGhC<%1>*2!^MluWo_i|kF!H(vR!
zx2}J?A9+UbNYnM7*N1Z@b9mCNk`<mGe*Wdz1HDH&if4>D&hD4*mHc8-xcop{Z7m-K
zP89YpKMJPC!+Z0V3TMiX8Q;Dzn|ky{_~RwV#@nfm;a110f36C}Lf$~e%-@-3*4W$*
zvEOPs-kgDKw0qQ_anN;r;L?CeMNEHNIl-*5M#*#2HZee#xaZrw?+4L8EWUG2p>RhV
zszvn_#m{--nMwS|f7+AV)+m={-G{eMt!uU<DQ1>SlZH0RBTc;!pYy9;E@&O9o1WE6
zRZgKvHk=99>NY`^Q)_S5?W-Fbn{RBcHOrGh2HI+35+}2lvYF&@BnuSbM!e1k+SuE%
zr(<D-w8HWbUy9oZxlp8fPPZW>$SBsLZSuilb5pZ4rGe-=T8Tn?ZB6Zp-bE2^7S4n(
z!EdnMVsqdN4Hx{TKhXU!mjHvn_ruZsdtKLER9)l=bA;Jh>}=g-%)zJkzP4(y;$*(v
zd5P$GUHvM)-#CziCxs_$O>0g(AZd-4Ak!r?9(a|c)^`2lhiHcqS$NRvGu4HaQjG}8
zGg4{d<>K08bjGGdZw1yS++t>_U*fGqkmK2Ihg@Fyb8^z&N?$ir+J7c$a^;JS&L5bc
zYnTpL{CTEQi>oo++EH8{>Vf_i_@fW<4x8%gKahcRN9xfWs3RZvkU5itl>tjnnNcT#
z^<c<k5uuY@r{H1T*og`wcIC@A2egvL(RJT#aAD({dCce8#uYk3WfldeE>7NQIkI-{
zj2<?}WYc3Q#3<JqHxr&jn|I9X<~!)cY_s`<)}GeVH1&PzjJPDU@1XfX1Y5{KTwufM
z54>;>JpRdsGMH8t=)SuC7U~h<m!$EC6?F*xJk)YY_lI?7NG65X?uwnB^2_k_qvES2
zKdV=cOc)JJz3&!3YZBfPc7D@k2|>)n)wL&=CMTavOqWn(dBGk#F~JaMxeFwF9K>=-
zm7S}*qqmo_Gjx~skySkf2_L-#UeKfa&yOdVO@U+{l!UWB<*qh5WsuGtSzcZ!Cr{Pw
zo-vA6N13q(YWKwOYWZN4Z#&%Esvt#JTu8z0+32P1AC25=p)0e60=(B$d$a2fIyxXB
z;Ce5JiQzD47jVS@`~xu@2Qh75gFrVJxc_@?$RPO77)B5%&Kb1(pD`A|Z~E6`;2W6z
z&+lDN?}3<szYYW6cV966XEby8i(UV@W=sU0fvy;-UcV0fHnQ`!xA*XI^7NIvIOhS}
z*ynZ4+y?~WJVXCxxNdlQ0dT!XosG?W&2+To>^$AYZr=91WiJ-!?nQqONFh)TxOBJo
zy(tjr?&jem7pQo0dxRWtO}{OEQeb<CudCuoGaY>aRZnkwfy-hS#4emvVi6D!Q1HI(
zAZMti@y~SNFU6BizP?^^;^F}T0b&6XVxHcP;umFQWyLRC62Ejw6c{1u6XfB0Gf>pS
z=hUy4{O3Jt_C9vr&R)LGo*n}9_ujna>F29>@+5ts|9<`2r+uLF|5ozw`R7=`0mbQ0
z#4n0n5dXJnzRnK+Khx+>eofmx*RSOi=r5Cl_}F`^db+#Yd-y8-kKzj3EA4przkU9i
zsP7zT?`Edv49xTa&ZKlv_M*%`)Bb$)uT#zcH}$fV<nJ?od-B^%`WfU5?R`Am{OB}<
zcsTniT~ZMLx7&ZtGW*{&rHhi1;urs!_WS)m=a~Qh%=!KPpL6uQodGi5q;F5@KWqGc
z@1OAs;&lH1hKFBZ+rA5+O^HQ8{J+RmV!6=SR{{d5fUc`uF%D#y8yoUIwU+v0>d~<*
zJ3eovAQ%!mhBeImu(bD5@{Ib@wctJ0*8_qXtgoGY?$L+E7I!^U)y}%kUVv=PL(p{9
zG&CI4ybdsa?<NSm7hvF5q6pMfg_5i@o%eC>W>*0*{6Bw06@p8|i8(bBdj%pvjQ{T+
z*CX+1`x*Y<?*pEic{4=g&L~ICDg7Vs+bf{5@JZ_bTz0QW1E_`cG*`u+|NmTDVD-oG
z|Le#MyHl+q@c|$71dvJp*OB+KZ+IX4zbT_7_Sx#^rX%Ih&b7ynr0WzL97wX;m=wRL
z6bQCgN*pQ+C7Ex4|2hb#$qSQ&U^sUtw%iF9a(qk^s_A1-E<kE6P!0G{@jLb@lB*)y
zd5S=Mx0t&{I!fALx4+DC2K^~OVD92y6mJ3#uEuSN@zLtG3Zn7nJkcxj=Mc|R1JIbM
zKbZYV82@qnmKVn+|CZ6*X6}~j?YK%ilkdCHpF(a7`TPl@@IxioiBDT!BOXw<7SUTj
zT#IurPEe#zhwj9O*{!Ho4`-^1F%$^LW^206{;Rk%O4)OAf9?}~`13)W_!ebLc7;~C
zMKp!3K=+16sJ`La0pKWmaC%#rNZ(|T_*tZK;SlO|piRHehwxK>U})iH6me@JBEDw@
z7qPrM8V9|zz_sH5wn0n^?;SJrPRftRFOGKuuNgP`kn`7Tu1C>uG#peh4o@-V*<jki
zG_zX_-4w-f9iOn`)*}`Q;)|uX2mW9``|7jE_3)YV;l}%0NLJBFI|z<>wciOvQmYB8
zi7|B{E10ho+}!$ez6$;b<2+3YAjQ<-P_-SBoNBJJm22}n>C}kn0^Fp##<{vfvlaE{
z2_iAFOnbw-_r2@g@#?5p4*i8p3Y+mF^=#2*!F}(>$H))5C;p&fBxV_azfF>`tNM<m
zmEbC+YpB+Ni1?;Dc!%^>*@%PPj-%1R>P2SUjh2pJ9o)5p@OW=V*ovR)R1aKPcy+9x
zll((6Na{~8Xq{JCKt3yel&!I2-S9(#2_lyefnBUNZN8(XnNvU0JbxbhbMoHNeSrFr
zzmp+*?e~@I5x~OPy7w-IE*A@~$6XY5B8R$mOEKTuAz1>E7|q>#!<D03>vjT9ol8G?
zDm_v6)+#w7@hTQ2(YbDaWykJ-@lnWgDhnZ$E?LcozrVHanr-UTlU$y+)1A-)9yVuk
zXhN50T=efl0P<mifQ7pY+I)6$is{IED)Ys08q$HvdeWhnX+++ic?S;Z8b>J&P>@qk
z9prbg0R!IO@$u5nahr$!G){XZgUqQRuxAwZZ#KUI*ev$x`7Pz0OH+1#bmJLX)YV>r
zzAJkVSp-xO-=T<|SYTJdcLB4<pBr^Xo%{_ynDWE=?=vZsQ}Us_y|gC|)Gw23CfQKd
zJ%8*y%7=x0Bj?D&;+@D%5Wv@VRV-!Cq3^#+7kMLA&9>uY+W?E91MGfx(audLusj<Q
zJR4VO2%q}mo@2g)i}bbey8D6c&h&P-{JtXQ5=)1J{q5%L_er&Oa&tYCLC5q?Qg?8X
z&LS`{*XE)iTy+QMD=cj<i`u=S_<V0i8ca?Q#(4;uI|k69afV%B)jB%)t=R8W0x|k9
zm{Nm_NP!dpl+=qpnU0;*f5Vk1fUCN0Wz8M-O6%-}OiqKWIrXB;-ECF;H2M91$-=)F
zSdk|x&mY}tBFDVJ#Tc(4)sS5kJGVqXs1(2zn^R)&odQ^4Xls&sk(Uj;K|9)pH*?Q{
z5VbO=;HMp||KyHHIRMBnIdc9yzw>)OBXVkuGo~P&r^yghcDehEdk$$>3bXj<`U@uj
z31<7S;P<-#tJt>eE=ms9X2q$6zpA|4eGH4*?;k$MyJHMMb`QfyJmu{2(B&P(@Y0BS
zZXw6jI*~rNRR+V^ynS}L+wtXu^Pe04cjaN`A2np`o<og$!rvV4eMvua%6o_{e)DfG
z3v&ppHeb~?iQOUGR%t31=hXe13NCjuyO6V7C29!69E3jw3BU+2+xkuNJFy+mv_1l?
zM+?6V=uHsMk7sMB0ODbM;11LSL|(lMQ2bov>L17MWt3oQ4)WA%A^ATmP|73e<g(Z9
z01=(ri~zUA@Yipq?U0rz=x$@8yaJ#$#sqa)v6Dgho;{OmT>MHq(NCWPh=n)rPA_S{
z$OU0XtQ)kGlAWmc28$N?lhVMtR6v4B2@3%`SZHgo+X2{fY&4GeJ{ZXo9``!P=9y1x
z_|Dhw6{xZWX7BgE`Ue7R#V%y(*vTDxIfPQ*68spdy&&KI_0$e5(ACt&4FDy7+jO2N
z^Cz0)BMAzKp!wd(pgXz;L;lj!Z}tJy8a;nAZU?m(_LX#!CA)8VuL?aF*L`*b5hSMN
zv~vXgm{B;e!0M(oC+hwVgp8J9v`<vFj?a0?|4c4O|8Znk0XKL4CgD$_iM$55d^MNP
zpLK^^!2r3M+>Ch--q3B20bI_2l<0|_qDx;|0#MXB4DrP~DVb|zJ9)VqwzBMo(@rwP
zqG-qeMUDKsMB<Bf1Fo3deEawJ?l}}YliM!jj!;~t9IqSK@7trVZBJK!_iElM{Vwa6
z?8E8cWWhagPbmJk<mB=?$=PyL9+5wp#dQP_s&wwkt2>lxg*rwwdq0Fa2`F72()p!M
z1n;l{bpK`HKjjL~2{3FtKlwx6?+3?-vg>P2-5Tt5!;JwJ7J?8bhk3Td|6u=<XZ1FK
zG9oP76L;_e)3EzSCs~wZb@E(@3whMBmejBmc<Ilb2bcmVo6iYJ+@S_JbyQNCf81s_
z*TbUDQ4J>Tn9u;mU-!PH{k}muKC12m7*7Z^89ev9h}0)D=8)uhd0bH>U5=On7(ljX
z_!oaF1QmP}FnJ0*v9@#LetQL%vUL*PuLD#Ed?4PpWk>#G)`$pTZZf;Y+IKidTBj~#
zrd;&PoSLxiT!kP!l>mNy$x`&^_;Y$D7r?JI9}M5l<CG2u$jz$zFP&ux^IaDI7m#_G
z0F<t|v8eF-VO8*r0LU7QKWDNf87;{30x;99bagHJ6Jdbj&jVybRH2mT@b7F8NyBus
zcwX*zgCc^IhLVPEYiCaVkc*uY{e2L9qtarZn-&#qnYZ~r|1fgAxBt@q2<_Y=Wmkh<
zQ&-w4(RJ!b_Y`#EA7xSpSp81y_?paFs<@pTpFS}JsVA)&w?nJ}9fzR1(EEjdp)!4c
zee?${a}AF5Q{o?w>OMF+WfbPl*%_=TSFTa!f4s+~zn}t5h&X>>h2ZiM<6yh(Vb=d(
zw11+0QO0<Idh+83ed+5nT<89cdaMBTd~6qux77@JpUhIW&?xVe{n8$Do^JkDkv$Xn
zEaBYCW&}w)pK`FJE3qCu9>1L8;0xX}KtS|n;K}Z3j=u~~l{TZq*iorYjVJInAOCt@
zd!^F(bc>=GTj<{)dk4f9o*Nuhy8x77h#X$imfDUNjWN_oCyt1au*1r8OLm&M@=Kyc
z_Ao~O`Vo^tl1njP_k87B<<M#{PRTmyoaLC=%;kdP8hX^Jk)RYW<88Qdrl<4*?)FLL
z@kicXJQuSWWBwp4@Mo4KAYG%ko3_;gUW8F-Nr!<1#VvhP-t;;e5$1PzMAHrtWRl=0
z?Oh?KVhaBPb!B+~B_@6GSqYw44Zw{idFGb2Kd?}N3(9md6%oni--B4`u)rAZo2KBj
z!KjLrY#vm+VNLjy-Qm<(nL+a%$fU1Ze+QsCw=&ZleS2Q=OnV9x!UyNuw#da}tGx*}
zJO_WKJ5`X3Q&4Dh$G6*NN&MqWc3C>TB6y7gPN=e#)>ls#YFSnK6EwQA-E^C}sYV#e
z6&*6H(<l7p<!<$g%BGNjK5ss*kVk(}AQuV{fSg&Q4r~kGzyCW+KppnWT5h<)17-AF
z8%ij!=1qC_rp8JfuEU=?)l&a(fVsvA))8PN5uvz6xl_Q++qrROsd+h#m6>jiMim+A
zg7|XOdPWlRBLMs9LM{`s{g)IHpjfceZ^@_!Q@`M{z`#&fJeTw!uv+>dx@oq}Mvo|L
zG)=gH(`$ZG?w=OCd5!p@j;(#MPTGYnOvX55`sBx@v#Z56TT$8HKK)WoBKeWwbq#N%
zm4^~K$YJMHuj14d^yZHIDWh5^fxz(exd&tPSU6Q3vsUJ~L~9z*<0qGn_vz*lhmtUQ
z0mvz7=7K=K3lGOHBwZ!k{1v6){r61=yqu&uxGZK-{OyX?Q2*wTr~_aY7iuSL>ws`m
z6)9x3kBp%c{Ki<dkl&|EkVV>jvhsqu>E@(*9%s)HL>OON{3H{X1=~OJSa%(RCKV;4
zU||9IGP3#$mZL?j6J~!}6cxP0{tFWniI^H$I^$~hJ866Ju)UI*cXY0(#Pum{<x9Uo
z@R@El4iE6d*DzDiBbC3>O13AMHmG;x9*yRCdP3cEGy$ve{z%(jaeI{lqw$7Vcf&0`
z08mkd>|QGJA0I5G+q@X2jKzpJBGSLt^i8f^U0Xy7PyCbD;k;&hSr|JhoA81539yC+
zx;0G0^8Py$9`rq=8UTs2W8KHMLnDzY6(L(gygURH+E7)?X#g+1^LqaaF=PeP9=m~G
zYV<{9cx8$aB8X4Te?jQM*Xm&fJ<^L^aeoF@AVyOl<PS;7DBDjrCIb8Vz=P{~(<^Th
z9GSW^)m$NI76Y*X(Okcr2QOa6b*8Bx)EfT6s{*2+W{my^lAl|=-|w!)wya=y4+EA+
z^<1VZ-6v3rQz<yq<JMo$126_mv<a<&@l*^roL4)$)+}?Xayz|ZCK>g7SRn~Jxu(vs
z3qs|j+hvJ=vC9tu)A}i}f6x)wt!)&O)zpad<@{b3<0#^p!<N#)9_Lj&rt4BvZ~r4b
z9x)j03HG9in-2qM6-i-_Bmq`j&N5BhnJWXBmB|Tgct!%VLg$?2S$t^ih{wAJd^+c9
zxvVyB{Ajl@RRzB#v#&)9PuTw>Igc@J8JZX65<iUZ?_A?`8TV{Z32Cp`X?p28?G=mF
z2Jf1^;;j{KI*swcOvV|=Vdu9NrY)5gN&{lXF!-^S<zSY_19Ig~&_Kn3kdiXqZPOm*
zv%kZbn0fG&@_78lZ8V@3Dy#o`KZr36@NApQ1S+?qqScg0pK(NrNg1KXu#Kc14XrH5
z8>kRcSP333{YEj({3`y>_6srEb_X8Z)FX#MfiU(8f@GMZ>3@8C-T(cFQm02oZ)@Ht
z(UTWiVpVw<|K1jobK(42E3|vL9PUyNShVuK`34)u_oSy#&R?nLNG7XAd6^sTIiK9}
z(O)K?@89*mSN?NVp#i8+7asF%0mhU@!u_O8EUQZ~wY`mIZIz}!)-c?{I!tKdw2R`S
z{fLK?uYVo9%8b!oDZVL!eXXZ<SYhh?UYjz-+n#?3x~(~&P|}t=s&RA<M6=X44)_E~
zn}P>xxebi8J|*<cUN-(pNbRxF(<Iz!BdrO?adE_tZTq?PHH>X^d}j-4oMQ<qU1_f2
zVq{MI!vtWY=-$OHAvhhp^RFUR$7_Xr6*B`=lN{{$26Gf?es?P0t-ouu&<N@BloDPQ
zgL}_y)4fjBmh(s~DmiArz+qzK&NUvUKUM8sk%xdg^(KqOe>Xs?dPT;H4r`+11WjYg
zSE<rcDR*<V?}vFM+(NNV>RkF7%CT<Z`SzO=gf9qx>iZ@u9}GmhL*M2FLv}ck+hca*
z_c)=L7Scqg2V@z(u%h6eF(O0(LJ=w<dwQC@9%MMtR(z9f+c3_TV0;x!7LZ4JlQ+|K
z669f+o4?1&za-ud@bzudM7D$L`Fe~+9awL^+(pAv*rIdtc?^{Kt#AdW$#jTkc|mQD
z2Y6F#QafTX=9iv}I&=850`5ag_mkW?_3H@I;cOZIKlAiaKMnyv%<*Z<p(~q&GZ&0j
zVeNCxap+0=!ruFFnc0I@y;-=%<dL;gVbp>M-;qbX_&VMSTDeg8@_OCK&thyXoIPD&
zwcthQw%3h+$22+_)I_xdqI=PVjdzqd-e0O7;OBqP6g6`0b5mH{+e6!lJ1b;ltF_|C
zrRuU*raxXGf>k4A@Q<9F^-1eD;ILtLR*rEE?d~c&zp<yU^YH`aIRhpcJ)eWEn5=wK
zDq)2Vy}gLOCBJgtB2rfIqorg1QU64PUWJSjn=~P^2;j};ALRkEbvOLX|IV#;0C@gS
zDq1EpQrI1W_zv>V(7RP6{c4jETmycDMeL15pD%$3ju=Ez^?kwz8keUJx?U7@HAv;J
z?DC5xH8SEv5%=e7GrkJQfcF#Z?G4`g1|BY~weDS+CHnVSy1Vz5ztjuZBA#=U=gIk%
zNWmcXJLOdF!fgbe``Dv`{@mp)+=n26x&Nk><ypXve9{$+qx*|iX_1z~#h1G(8X*ZE
zL;I5Ey!1qc*?I>oGudt-)^sEr$6oL6x;X;t4{O3c(hTM~n2^o^W9{EkdM$IohTwuC
zy>m{O)(|xw$n=JqQgz!~k2bAcCm%|Bos9)*G)LXt>l$A12^};6l|3^<KEGtkh-bS<
z-cDLYb&KfFYLqT^;lMOL!n^as3K0(Bm;VY5vH>(TOB849qT462vlrMx9bqOJ4ikd+
zHU)#@fQr!()wrs5=AP*i808bGz=!k%=4A;(m4EcLEDu(=vjB(TOsNyoSZ_p#|4%9v
zf@TeuHXWH+qYWB+WpUP}m_Y7SxKkoFj1E9I*`**<e}1Kelygw^sTK()j3rCV0EA(*
z^eVo$weaB5`Q7~6i1W};LAMqq8$7Jt;_Efgqg(__*YLajDF{Hg)ePu|a^*H20lMd_
z%V4_Vay>%GO%yUF->CsJl#8DWR6ff*l3`HKJJjO=Ysx-<z@wr<v-XZS<a_PXns#}b
zwLd`?P3a$5)CV^S^L7#-)G0QsY=g>xEUDi@m~VP5hiz29jnw2d(BgAZE`E{b>K-Ca
zoOm5k2Ajxs@>EQmFK|2$@^Bv?pp~gN*W@$ei&ol}(H#uBwi{7&b+9nR^yQHeOXxXf
zaSjk$Z{Xc-)DbuK|4G(ASM&7LS+-0k&uRKeI2qKNbwl*vuAfdOcz<KTC8zU{)WhrH
z(&Yh$pEH(OjS(-UE2Ufq8fMF|4-DPY6BY$Jaqg0clV@saHg#jht0VCTJBjYngo_`(
zoDHv0t>_@WKF$(8az`%-!qj$tX_-Ig{2a)_=THJIzSi=kyQ53?b4F)GR#y^ylb{fo
z&-ppYklU#)vZ4-Y;5t1pHZ%9N?)p#9l}PblrpIfUvDfXWxt_Gv@=8I6@`BdFtn{bj
z+Zyse8iRf=JS&jY8*fSOIzd;GXmENV%S&?>Gwc`hD9;MnyWz>f-!K6r2uo=3rp@}e
z@rk)IUws9m64?2s_4MeW4{FfdqK!eFjAd)cSif%TXzH8M-~;cL(}gaC2i&Q(9N;Ig
z#PJ@ktbA>Rs6ttF5|$e|R#J!5!0(GaGeR<lnb7ezoV0O42xACTo-IdXs)y`^GX*u}
z9mBvgVW0{|e8waQ?Y@=u^hW^YZuhU<*I#AW%+G*XwtdGJDy=MQX`#0^J|+C^gtFJ~
z0fH`975fyxnqa={l~Gvk>e3Z<X+PE3Q*I%b6aW=k2;*(Akkeyk4Fxv}Rb{U=gpbWo
z`)6Vp`z#9b)*9VoVJs$7p!1&}4Vt;Psdlc7eI6Z;N!D&5ZR{f_AtbvgsH=d)SG?x-
z-0#yI&Ww<P%=KqhFjh=5=Xxj+H9M)#oSRu99Wx4K6lEW}Z9yc*7}pomdU{0gEB&ob
z748~F3=7(X3{L@~FvG%z+QOl2maqWs`>UfXC*=cEJoIn0kiZqWkiV)iAVw0vITXBw
zUZ2HSA4+FN!4z&tgz~QDbbSH}A_gPh6+6j_*Pz1SmyH>9zEV|ROwjS0nQb>c;YT{>
zU0mQ+K1q(Tr85UfrQ=IEsWWHJV>UYztg)7z_+>&7>~z-y=kLKft;FYWCkujSaYHlh
zXjgdi$6o8jxJwWLLf}%5Xo)qi)q%d_jR8lG#158I^$fvYnh;C{$Rlu%S4|;%J<LoO
zsSe6Iy1MO9;azrrv^sTUeLW0@gBN<}uaDvKOl!{f|Cu=jL~?hFI2Qw5%G!4u%1^Cz
zjK)v0@*%Tp9KOR|4X{PnxR`k6Vd^@@z6?Q7x}mtqGW21sA-J%&^&;Vc6;o-VceBi0
zUfl<SN<3{{i>LRTLfkg-o2Moa5{rk6C$8k=Py^xInJ`w5(nr1p7ujOr556@{?lXn7
zCEo4r@16bPNK++<zeY>NqWy>wc|)yh9}FZDSFjZp?G(I$@4T{(PoyO`g#%PswAr6%
z8ltmGrOkXLZTl=-9O<xOX%aD3x$EOqbV2x9vtJA3=cWHz>HlgKJiRW(|MDw0oqeK*
zueA_GAjH%)HJ?4q=MVTz%a4Z?sQAi5-UZWam5vu3yGyF`r9Hl<db9hd&doAaoDf+@
zFJRdtBC8!9bA`n>q`=BOCxTiO06Av$uIIyP8~y_mGn*-a;Ss<g&W|k1@rofC>+_)2
z#b3+N8?@msxMsce+n0MY=Q0i|K$bnnZu)Os^Wm(s^Y*kP=7MQT`rw8B0;h6Mbvt`e
z2&mZP%lRhS=R?1&7Q^l?ffrD<HI)M9;N#CP9DB)~+_fN-^Dlg~G6US^H@;1DWopJ4
z#StmQ;HNdEV6+Ukkb|%L<-Z7Mq6&@n%gQSmvxnv%Yd8WqmEA>B?9S^<9^hC<C9k{i
zT3A1<IhnX_&co&tR<W6`yw&X90gp*yHqV-FNX{Ql3wl~MC>{H$LP)oT6l%n8mTO8{
zs9QJFC_UE38tEEy1OnxKYt}yBfX>-Mu7CgJgo`LUhGB^uW0XTAudEn;vns#)Pd!s6
zE>hm%`#I`*b`AV;_XKXd)Hl)ZSDx&@T-)}yfE?0pw4=c{Svu<uv%GvT*7wC6T<H>!
z<&45RY2GA_6O5NLmRIax?5~ZrzMJ2$Q-1m){QK%A?D_C%I0xnR;eed?a)HaCP{f`7
zf{a61Ih#)qr7EV>Z_hCvn;V&mH^68j2dI13S8`MGyucti!m%|<n<LsaaZwH2J(11T
zW3cQ=Sxl>bdKG`pAi#c6;kIrbS-gF@XBR$m8-;tXVQzZf@qXN>^9;xgZA{i3*Zp<>
z_jnAGLa*MPKPOBt)OeWTU%wg1^DLe1Z;HrrSapb#ha^mF^2Ro|vnYZ?9n7DpKY25h
zFz*M8gFxJ@queq`A;Zx@C?!2|r*Q)zPB^&xXHlIh&Wers9SN;I&oZikOrG3FB};|`
zqN;sDwL|i48;YdAk)tNXCMS%U6l5PKM=#b6s{|M`jG`!l87>UguC*x=@}oJX47ql8
z3frCpV4Z++$p;(Q>T;)P1?}&WC&TUvdUmfd)?AscE;<=KTlHd_D;%<Qjc-aSxI2~w
z)efQffRY&Avg8X^G}kdBgdng&bQP~ol0pPllwRs*JA)~Pps_60*Ry`O_?6-Zz)k4u
z-Vrs{5N4`WaQN2;ILcFK_iDNDDn!=9rFCPxE~2JZFRZ1!JY`+zwpf1Ai>9oHPkUD-
zH;78Xe7v#f@<$;(R%4+^ItNW@HiL>=m-v4LCKZtpXoq(B^Q)pYPr?UQO$7ffX%-B)
z&Xogc2)a2Q5X9q6;HH7*a_=EpA7-lfhh{d0=e(qU7L2`@><y4RuEqgdfLzED^0Yn{
z$`mpQ8?jJ5;Z_4tv;tGR3|-`pFrmY>A#EY4<wXym%;<0$k~$M9#e}v7<4oKOt?z^m
zO<WuK?C%n8G+y%<oTW(;WMTfH8S=#a{A$>OOe0&arYkvI5@3+i`OuX+)WBs6=9Yi*
zVW%0k<_$IXF{9h?`qEZ9FdTT{cWlw!D*6HF6@pGo86O}(^_&do(ol=91nFniUo&}$
znm`Ux=b=Be-8ibU6@RH4+?Z3FzC@_-igWQ}LbHSsh!qwW0*o%eIV9a%My|JbnwYeB
z!Y<HO-(}}Dw)xm-1MMudtHTp6*{sjG$CgVFFj=$&bH$7-Ka^ySB4A~*DrOD^x1vlY
z4PcNJHE?fdGxHP0@kc8$jx3S6f}rphoSz8>l<@lXKokQbzF{|=OHuN|Kt};zss7T6
zpK5=6qucF({^(tQ7jV0URTij0%|plOs0(5^^UT8_ixJvfJ;#FUSxGqBOuKjqA?RNS
zo1&&xr27fmi6-h*246o`Y#}e*=-T5e{2d`0`(hpO%`<DyiwZG5pyrW<#FB?r-ni$T
z3q~o^gnF@Zys!Oh`P4L92!RSW+D!*~AP}Uf&s}HnWz8J0#mz&@ADpXDTSBvN%j%zV
znPy=$ci-I5W9|@;wBN?p%L6c4c~G2Q(x%JGJ;XL=L^3gMu(ieZktY=J22c#z2v~f@
z%S=u9hgJX651)YU6lCbsLq!dsQ$^@8BNTD6|DlcPsxE85t)<E0qq9%=Nv7lwY|)^5
zZg#rdf#!8}FsfK0j5`A{f}+U8zJNo+_=WXQ4>XG57tx*ss8Jg!@M*i+iP<JUa`DOs
zNS(()qAa@Cm#0_?J?!D*r`V5LFF@&QK(CMkDTR~gV2_H%&2l;A<|XcZ${mgiKtqKT
zavNMM2$lBhGPCWsDN}$J2XtSGBTndHc)EqkKqk?ptJ(yAdGHrH1N2_>ImLcx5vEtn
zP$7=Fr~a&R;vE1n^X$(pr;8asr_4bQBPqD!s@wwa(ycPs_=j=$QT`@_RU}u#WKUP$
z{17=rkwk$_j6Z|IG7#hX>hNft?s|7z2nW!Brv`Yf(}EzKlu8zRf=gT3`x?2k#QVbG
z*3Iy)PISfi=7K?S)c_Xt+~)fLIz(YvLn4D<Sxs9;8zO(iT^ckIo*ZC_gqCzJ+jNW$
zTQIo4x|V|BANnkdO1bJA_u0NEHQR+j@z{)2)=SJ7w%=OTmp|fsLh&&AQ3-q#F?9&J
zo(5Xw`Mj+#&Ag-fo~WV|&T5V{o`4sd14+2hb!zAbwnt-sWB9jL6AbSWz<<m*G%fu&
zVetY>XGW(nR$g{6ez9wRSRePt&4P5H139t_%dW63>tm_AJ~hJJ2s%vZETNgM+$@3o
zFK-M4eID|KPjuY~T=CHP>SZx*(%98EE^D}8+2w*2LuGyox77<1jAg`i5ObOt(HhVt
z1>9>rzy}@h=O$!kG*D$;X?EuqBu$K&8aQ=T3rCV~DmM?!g90aoY|*q`Bl4uQW|Vi)
zLV*6uV~MOdMdrX)=;UGL06xLJrc71M3e@`fV;FDWy&c<5h!>J6)aUUo9ME@`dG{V4
zUj&jZz2L8Qgs4~`?Q31q+tLM?@oY{nndf}4VZYc)_zm#7+?*d|CXhPyKGEN3aQYaE
zHFS!Ywfsuh+)#2R5*t+sca_iXvuQxpmd=ig-}*5#&=a&OX+fa$^#?(~7}9POi5S(s
zAL$)XR@+$!i*zL4z*BN4G$`+U*RBbXUXh90`C;C^@@#s|5y7v)w980g*y}J3;cm3n
zS5hFg`27k_FdfTHDu|jCHu)L|d((Kb<aNets9f#Lg^#-+cEa}~Mi|!<NQUaZT33R6
z>=h9hf2OLW&ZN5bMOq7ayHg^nkTcyuH5Mg*k(UR?9T&c3)kDfI)VMkIcMMnqWW&NQ
zyIj5t=z>rc3`0J;@MRx4NDJY<asanDPdG~4cv;)!$+0?L2*X+A-7u>2(ap1i9H2%a
zatNQu7JWgnl~a^{@Z9CPzAtMZ(t7;x@E{cNQHTLaXh8>zBAaf~imb}z(>X47aU|xD
zA9;4~;+sXBYVOaK=4K6#a18OdGWG>E+hb**{`1{tpZ^fJej+>Vki4?y#CJi6bxKCB
zW&Od|M`naAthBRq$2$l_%?k6@ws=?#gh`=sOGYk<H#MU0@@J@8L9+!S(qG;!wtvQH
z^2!RB$Oiva9hGI+^2nLJS3c*YNe)X|mbZ4#f#VjW>x|rv?ey*dXK4NzJ<^vOqxTqy
zJj6J&X9z_(u!Kr=`^(K}_RDLZ@SIHT%J`AVKd<&2W@7yn-v7pQw04lMH0;$RrSVPO
zJSM<T^#th@!Z#eozHIIbjQ9wNgG(t+mANNKK-O2{%)uK)cbDeYSwl3>uVODEwTgE2
z<35DptP3dc8QE63d$p6G0IYXI!DfKvoOY5``775LR9TG+Yt=4W=4n#J_vl=zZ?GS0
z3gL&$tRfS-)z00=bR@h01Wo+uru?`NR!rbUM5fxaL~<!?C^j2Mh!*%P#`i7~rpVIt
zs9$WalbWh*zmCc}uYO`MBy$S4c_NtWf{eyrfl58SO)^v85pXQM0+=SR6etVzh$LKx
zv3`V{$>1lonTbB&HRNoLku3I?J6?#9hO7$ZH#Jg{Aj+BVx?n$zC49ze8xW|xND6J{
z08Tu=oCTN4*f;q=7%~D0`Q~%?8Bj=}Xf`-(2=$o=WL%w>cw45VQFmXrrSc7KX;?pH
zu9%Z(S>AtNL+gZpO`(_HnGDuQexVIW<orkHhz>ngW5uxiudQ}NlQ&$6!E38^7O|6C
zE@2HLT7<7c6Ej}=?v^=YKq`xx=KvDErbm1QQM68r0E2S7uF?ALgcp&zliDxMkOShM
zt@rcNawdXTwUM0;K!zlW`-osowNRLpqfJt2V?f|r(7zPZ7wB!X%EgyQu7aY3kEBoe
zk}>nm+CuKdA7Aq9u^Dm@uRcl4^ADbUY~Z;&ZB3?=)QP<}=$>_sC6ufRiGv9tj%KNq
zrnX2xnu}_?(gtTeZDy;wwu*ylmQA#xJkK46Ex5zq)D^fGD{ll@GI$jrO%P{M0=7j$
zlgW3&EfxvVXq=)JdZ;D<bwP`mJvJMZ4*r@7B&^H#HINjhPUX5p7=g<0bv^S%Likh*
zm4JEW`1rE+kjgKk->tr`8;c@}?U*s@a^hsd%qiEc?{%T>x>H<EED>Nvij?PIQgW*k
zQBmgLK(6W6_2GM6tvC8C+<%~1>WN`j$a?dm$8sKbJzc@652I`(*5vQ!&K97js_F_^
z7EO%6{VpwI`i$D3&^>1Kz_8Bdg%`pTD$P|oq1sqI-GQcfC?4FdChznbbAiteP$aI@
z90UACIfgi&3Yf^!wWw!G>!kCpMh=rV-rgIb31ww48~H^n7Nz#O44BWXH9wDjXK)*~
z=O@o#{4glVIv)1?b>Y?bh7wM^2Z|SnER+Dgj>4g)3V@c!O+@2HD1cK{o`qz~HO;HE
zl!G6vj`{jYEO``+&REPe_3`UI0+XB5X(82Ln+nP)$O*~iFl<!!3xOXI?L0SMvOe&&
zHpbu7RF4(QxbCFvFcB5KTD?L3P9kPGMkv3AI@jJwdHK$*<Z|zDqNSd60EZHxDS%H=
zulzM{EwWLL2?MJLmseerV8+bgQdb7bYbCOkO<gJXf|iUTE6F8CdioI6K(%fChOnZ^
z@FOSWM+>SPx=ZPM3%zMPYDDNl@8G@CVR>XH*>_M&+7q&M)7vsBePU<N6CJ+4mBKL0
zOg!2_T|}AQ4YSzj_RZ^A_1RTIhk0po=X}n5vnW26=}H{5axQ*+qt~^UqU3s^Fihub
zo+Iu2f~X{1+NjO3=;L@#*QfM3lyNM{V?DTZ6P+l1pZL|TBKmDG?3;UiVNLYA`2z7<
z%WDA{u~cJ7wQI00oMpa3@KivXr>Ak}s!mP3a-c~B^`L25Betd$H)EWL4*S@Ee(C_K
zEK{#RK6T)#gbfcfEI3h%CAEUQtKc`v?I4y(y_oURl`WxKd7MF|u&j39xI7$&jH?X4
z=5rsZhklUK4uuJs6A_T?QT_c+b@+->{(we@u#=TR&*M-YJ;bU2QXo%Avw<6b;spNo
z(>J)%iXXKruC54hQf=en91X@NJmV9GJ_vOkXv*CVQq0sCk~{_Xv;*z3!k~T`hG7Nq
zZ_c-Jf6tiGQvmhLKn9?W#^DpWca)VO&VjYa8*+m0;HyEU<87asuLRF6pJmyrsM+7*
zDJoZPp)ff8)`-avs!$SL8kaf70g^UmnzNl9X0#<1q!}X!EI7Br4HnYK@&&ah(ruC-
z?2>5TN&rkC5T+v22~r5N4qgOre4T*9XNRIZ3&sovOU+-o5_*QeWDT`LOJ<j!!)*Bl
z7sl>4qLkV0RoeDCgOyAtdLKYd?Ta}FrerjJpq_whj-JPhFF7<qNo^4}a%RTq7N(Xz
z`noJ?9*wv#WCOX1vI|N+pWMTgAfT*+>obq2eIC@;F7m{;;0=Q@cKqxG2#ByJ^6E&Y
z6SbT<2@HzxI}XAny!#j|7r|Pt_-w7QVnk>uyYP93yynE}O-J^K5NtvkwUuL4_e)U8
zq$DyJHRkp<LnxeIcw=*ZCU_&Wvi4iURlFb58&O0As$#Q=G1!EjjJHa__~u{kj!^|V
zauA+RoVl^2a@V1we|75tTu=hKmZ=O!Q9zeK!YO>6?%1vVyh=EG#HegM8a>nA%@Q5}
z1|fe+n_ioC`<(aURo5VvJkFE&EhQRW$yeUSpX>RSi_O%CsY*C{^WGffp3(XD63-dm
z7<#ViLZsv%uDG&*bPH<ZM``78qmsav(y`PTov&Y_iV_J#*Ufb;ky61va2o4nNXpRC
z#`t`&B=(z3C(%!8reBo_#a2*wx!bQ3T`pw>5kf3|({kI$PLsp=c@e6-o-wW^G;Lb<
zu9cO(8X?|;3wc&jVEz)2FGZ;zb9~BVF)U`5@XRN0u<tx@9Z7IOTO%U*3d!b0vKZ8H
zy^#lKpAN3I*K(BJy$G7Wdi{usJV-2&?N*u3GY2u@XC6W0KR>#-bX!x_y!X!icyOVK
zKNbcX>sp)24&PW?zP_QuwlyL<3pcbr*SkfV9B}rVP<sN4HsW@Ij3OB$e)=7QD%&K4
zz+Rh*Sy`K6bAFzq$GAwQ4IkquPuL1??zF?1O*hA1{W5f6_-}R1Lj_RYdp-{V^^q(+
z0VX5ZaYaMRDRlEpTdoaHJKIPYB9FKIvxMy!%V5yxj3K<!a5^yG9}#!XoM+ar^?J@E
zgK5jN$!3@+u~1mEcLk>6R^;VYWLwpt0b5;sh>nqLl{UJc&O5JGQTxV-Da5`gk|ep%
z3<LEbzb@2PxJ(Auq`=GxF3zI{wu8f8<_1HOAlP*oISL=DT%a6YUUMT_udRZnS~OJU
zft@>6{a_Gx@17&hP&Br^VwKmPWrYY&E;9<Tk1CEaLSkogN(l|^8B8KIRwg>k-@QL2
zQQ&bFzIyGdOc<qz29jDm=He!;2bo_#X$u*M6@J@$a94)>97ryt$})B(hoNch0^+-e
zU=?Kz`2e&!_L)*V7QQi+oA^y!JY;cJB?Xnyodq9TCW%ALvK$x)vK3waXR6>~Bb^p*
zC2i~AA79YuAk+guB19gmWRT=#zSKwV^7H=OX$|z6yr^mYt8>Gv4)|OMsef(K>5!Qm
z1G7=i;%p>kYV68JT5i&WxXTs7N|zl|bPj<q)r4HF3_sEzwV(!h!z#cWycudz)`|)t
zxI~mazG04SOY5VVVjr`HLJ%`I#zhdm<MDI0@=Pd?V^&#v?p1(pAYsbk&Fx$`rear*
z87tH0K8lbEmwUwZX5*oeuq6d16tR=J#|-kxHVkdzIelh;Yt=+EpM1v0^l@+(sg2Wg
zEfpJVY>+XdkZNs@<+2<)2mQg0D8ko`dlUm|geGddDK9%})V9Knh#XJ6D*B@4NVZ;c
zX|9m3Q6y=oBiCy4TrS>K#=5=HBTNx%e9^{5ethz_yYMhuuEtbe7m(b6v@|zD5YsDb
zzL618&!jd-zM%PY;RCSw&0>DmUbJ|Gl78U|X>(+KIZ9@uyiH|l%1`#82l5bM%%Kd<
z<XboPFmdG(y`BW9dD>bzcQgwVn%*S-K_AVvgpB&PN)rRUy-&q48ITlz21l2iLm^(5
z;v<60f$+<PG}r%%#Ec?UAl7qKC-kQY{w*x8ICdlL-K|fUYc)GbOD0J|LQ&K=65;d9
z#Vokcd<^BZ)sXy`hy6YCaKWXZJQ%cYUI&uJGSD<84CPsuTX0A8!2)%_d2Af)N_rBZ
zNVXgk3Abgx?i!t&B&Ihl33D}UelI@PRjOR*q%`BJ<pX^S{q+dfr^L&rE?wU=Pt*Wo
zU^Mp%_mV~vAlsiGz^4$uab2n)==G+LcHf?1&v_){AcI%NRH%BfY1|x=)0n~Pt=r26
zY_dULAD@EJk7`Hu;*Z33s0-^t8ic9Nfg?nt#!@Bs+{W@U!M!16rPd;UD_JOP3ytP4
zTA4-}<jdLTDhXD$OB=6B*>oq#69Zoa4O67-MtmZbd(Q-<9{J=$_gP#IE$CR&!t^0j
zpsg{lf*s4&<2uCmueu+o-%~I0qJUDlw9o~%6opnw=U07+FzOwJ^pbV*L>`GMPh74)
z1LP1@w`SDEW1Hv68|{vn)kQ3AMHZ)X&%gK*Z1{eP1<Dlue0WROcu0OIqC5%q6XNGo
z!2+!#00HdFp<dfc+9s6frW56<8s%Z<r^<jYm{tfbdY})9g(==~od{=%9$Og#qafyF
zKjtD5%+;oBcsCO3U-WsLVSeq?Ej{6Izxif9Qx8)@P=NfvMne`atTvNPaw|X)G9tG-
zr^JtPo1~MmYp$WQP`Hs7lv`VXdeH3cfOjo+Kwe7vk}^?n#pRfi?BJutl?0A!NZ81U
z2-h%S7uHoj>rhz!$QEByc-)L9EAwKvGCypXA`q(DrUqG}(So?@;QpUUelj4MMoqXh
zWR1WrOz$s@8WF+c>yFOu;q`L@>Qrf$yX)56eBAz*`}=hzf&${-Z@H&d*rVh{@tBp{
z>1``LGOWSo53L(QqHI6jOx-mxHgU&gaqe=rI}-}3XrYyYW{rsOynZ6RZi=&sg)&;(
z@VUtb-9i9$wN%2x_A~kP#t)NoOxCSVD^Qz>-Ds1}e4rBKz_OabvOb(KlqsYF-YCSF
zLS4&B7+?EYFwAn{R2C-7fX`;}4o<STx!)N#nw%;&={~>OsVf{lbv&13=fXfV`RHBe
zT7ZOooTc_GcHE97Ds4G)dcuDC@1GW03SbWgYyCK@T-UL30Do2VQ~QMRojIV#;Jnfu
zKg#AgtW=fX7IAH>ne($vF8_0yb&$pi6q@_;`B0@)?*IhJb#NdoQ8BJTIp<xEfEF=#
zzx7^G+)I^}5O5kJVcWs}+^rO_1$;;_m<Q;<tr=3+<PrJC@JjDbY6?`j0p8*#|96AX
z-Sdwlf0hbq8=m=!x+-MKp_@RCyYF);&Vro!`rttdu{OhH%_`~MRa;ZqWuAp*q|6DU
z$f*n6<PaYOr4#EtfNc){evbJGypZfGc_Xjth!lwo5zE0@_M-ZYn@995ajBN<o=)%J
zF-nltTBBH!i6qixX4JQ>c&Zr{z+>8=>S&fWWY|{OHPB|M2nScsjeQv*KR?H!Bz|}`
z_hvx%3I}t#j%ghHiv<MZQBEBCkj>o9u`&PF42&82>H&N2mq{vhSduGQE}Kc%jYA`i
zy#3Cs`OXsD5BGi*KyU;wd54g1x-5<@S~(Kagd@2<$mIkF)M`^8l;{1*o}i7Yu_SuS
z@&3-Pm9-4HYV_N0%g8q&FV`?R+;g0tJMY0#t!=vLDZJ6E3|rcw<U8x6s8WZGb)T)e
ze+$38i~zz)pXv5Lq=N5d3?@l-vO!h{e2~zvESsMPv8AxXaV&?Sq$K0TkSs==E}XCY
zor~{Ch3<ymwI3|w+Sn%NTEhG%<D1VZtiWdnxFljd3x&cAEj5V*NHaEb<qGm^YIA9}
zPcio+sm@Hl`YBsIz`+btjHs=CmGh=~&2<T;hqRfHaKnRo!027E5fy_g+!I{p8<)5m
zS;40rU_2|qn+S?-kGe_N;(!duWOc;&2jIYCMeyb69?rEtH;YSuj*ugOfZPr?E8ZQt
z^l<!Ax8I}HqDYr5anvHzX2!Kb1Z&eMZijmo6ve*&pZ^Qsvk~ICr<zRYk?dmJyIHdG
z^t*fhZ{=GmEA_e8*CP<h*YZe7ED=fTL2`QNvdwR~g+4{@_3P41AC#7*L$2Fw*an^f
ze7c2wQRXvZ2RvHQ#hIA(*)Dw`3Haur=ikk8%k(;7rMRmmC`yaP_-k(TX~<z+h++^p
zMUwR;&kfpZ>HAoZQzr7AOHNYYsz%!tNpo#%h6_o-;LH@hSh@W+wYYCm7Gf#%qzoo2
z9u!Gx8eL1TBf`cS->9EyWC?*l)<0vLGrq!S4NceN+<dX6yRMm1x+s)v$k<>pYmoIa
z&?B8`!3-54D~@ehbohoQYp0-Hdaa$BZP1nRnTnIoJ{FVvy!JbpGFG~~^v_ScS8z4|
z8tPxd*})Q7Q!r+n0?!`U;@B%#wM>JyeZvM;R84`>e&}y${47bL!nFIXZXxphLw>G3
zg?)K_vwL|=k*_Tx=+3iY1yZ(?3Bsx}xRiDA0qYVhAaR-Ah+%sAg0LjxRdN`4Vob2+
zNrWJ@C&T>UuaejA((iQ<a0?O|7KMP%-Dxv++48<?<n<X7edwCT7Qq|c@N?kn_aylk
zGpKXhjp9Q@lT(*XM+{8uzav}nzqL!YR`zi>8O6F5j<5=2kRJ=@{kvQUbL`a>sa>px
zji%x3cYb_GgDr%;TzSI{!NaFEE}{MId_2$V)R^rL1s7I)=^RU?KE0;Ys6D<5@rch}
z-K{e;oYS=w`~NZa-a$?1-PW)mD56r7qS6FJ=^P6nUFm{!Lg=9M8hQ^!MFgaY6zND0
zB@{!4Ac!>Sga82oNKJsyArQhBJokR@bD!tjciw+wWG2qIXaDwIYwxvoSR^@u%T!bV
zwHkoe%vxDpi@EH9(AVn{ZIBxxakK!Q3jP^g@$20^SGH`xpWY#V-yREK;D?$GdoMT@
z6po|KgUp-RE;k3ZyddBKT5*XJQdzwEz|LbSGWUS*Jj5ZJGPQs@9U$NvaXxES!97xR
zN0-DAEZr$bc&WVox;1^QFt>5U$$@{63ry#b`p)%*8V6FmzJ*>K);z~#2Gq7@RmEvN
zTJWu#gKkGy>XAI+JtA@W9xQ0q5FwU!9TsG80o!Xr*}v~2HDyApSK#vSsR4Gj%2;B#
zBygkPP@eP4+kXBn#5FYI<yI5EMQ?<?%J)|$yFuw`$f@;;;`Z|eBuM0HT5&_#v2|*}
zZD<xxU_$}*6SIxLg*hN#iY8g%`+~es(Mmhx#C`y99{k{r87yp*pUS{wvqB!-L&V-{
z#TzmHcI=UUs^c`2;CjD1>9fTnf(CPZ=@0LY&}Hem>>xI?8Q!_uaH27+o~u3$d$Q{)
zM_lTxGR~w$>==nZG@ZPDZR+xAle2iK|D@CLAx2^f!Pu&87oB-dv?>(agbs@!JN+jr
zI;-;-w6BzqX^*num48S%%`kjZ`%2Jlt@DLXg+&{nP6%+_wV3O0-c}{4K_fh*!8XDG
z@G)iPVg%f(|N5*9d(oD!Q+X!&azwfrK(LV<Se0a(UyE?{Us@9f7_NMQ(_o)80c<)T
z$<3DaYnCLqBSdMPHjmAz*qw6-_{QP)9{1bcWm@ZTu-;q~1!o%f%Ry^dj2&NoW?}75
z<~<3Sh6C@3kgvA~F9PT-e17iQK)=Mn%~!@aD<$2;&u1a-DC3!-n2Tv-WnX?d&{RS~
zy3#I6OHAl!=dfI<cK2p8`zzGDpb8b-BtN~;CQjVK>29G+&9qJy`bO<6?=>MWE5Lj=
z3-}LPrK9^y;kf5VmEgBOPxpPKCx+mN(K)2WAFk?}7YdsF605maW6H+%WCeMq(e_Un
zcy653$R;~Czj83zi(*SocWN$|@@ZqPSC9I`Q?4?suy|Ll_I3dwp?hWMK&P}g2n78z
zKxj%WxYSbPd8IsTQa{Ga3^9pu+{DGsZm}tTF+Mb?v0K3shPwDE^lmKg2M9X@8CzKZ
z;UHkmE1-V)B*|=0*xue~e937D#CR{*KK$x|cf`jAU3}j6dz3LHl7}}=Qsvc8AL=|s
z>oHcDcuE<XM|D0R&4NQ+G0S1^A?{6(xdFho)GU~>V<X#&q;J6w2d9yl+B(uhuzkqi
zMXvW%jUY%U%VpNBfGk{ZBJ}nCWL?z(;;=E&^6^Y%&if??v+!T%Zl`p9)Y<XzJsQpX
zYtmpxDLZeUiJ76+>Cu>*7Sg6MB6}c&xI;5a__PeW;7_V_ZPiqt@rH76QS_m;9N@$p
zF*s%;5q$9PPC+sXCOwiN<l*4eK$1}RhFdK{-^8NMlDP2QI0$bq6K+s4;~89Axi1(`
z^E2SBbnw*epDp{ppX?%cgVU*NKJONW3c*ax&0=E7r>f*@iL_^|R^h%`Gm>m^d0zXA
zDq_oYzg$XXI_k!C1uVmxTvwWpJ2_r&;C)M4Jk65Qz3W!?!%nKKqtSc9tON-709E@d
zMe<Taj*YcHLN*|0@_WS*Y*%+})%5s1nH=j#fX^-_1>Lo1FaBPH$kYK0iIbjD9g1s5
zlBShSl;2Vgp(S2y{@~VFhWk+Illx+4^Bh*E=^^EGetM*%Wc%EOdl=p9YfA^Cn|Fyj
z)yyKk5f2Ue*3lJ{gYb!k+SQ5!um^~zHL#K1LdHBA03Zm@^8`J-U`~pRuhug;6LoKA
z-Y4j~)eV&r*SkQx=l*7x$B%#QDx?NPqL}~^^a1kp1dx_F#uThxFu?waTMgUUL3;nK
zkB?vhS)IY4ug|t_lqaK6C<a4_?!E|Avt1|~$YAZ?RJsc>sk5mlxihhmBHDo{{}SQY
zC9P{OuCrt-w%Yk*P;^!cT&%@>*}_4yata_mHqtO_q{Fk_@}$XksRR;;m}-Fe%cTi8
z@m;HMV(H6BmT=lLwE(WfJ_`Q^9K#qD86jFn84O996Oet$Cp4Z>$BZ^hXL?A&Vpw!|
z{N+m03cAqAzB-S8E|b~eQl&s>pZxn0?^S7Hxso2#!GX!k3_0J+jP5$FJCkgTgKMih
z0Px4clxAMI_pPorM2`@<Gs5Vr<_T=qQ{UA<(daXmMy`-@R4kP7fQSt7qYLqC%rdSi
z8dwC@-2S636wC+(sikSYCux>$;k9?cr!|eo^G$9iy)^$Jt8AM&_X3%$q~|GF@=;DJ
zkGrJ8{hQgdG%&Bb16nvDS_CPLmKZ5Mn%fofzpndn`l=~=N*!vS-v2X-+_FZ(!E33o
zweX;EzxIu3ozwWr^?qP^$+5WJKJHgo=IjNZRTCf`5Sf8||3(t%UyF0{fwE^tXo()~
z=aO5LcL`;hUB`sAtG7Pg^%3<6(a(=daoHy%D~K8CII?>h^%nrx%Fq_RTlF8K52eDt
z?K7HjZxoj<`KE0L;SyXg`BjK5po$)c#(jOr&Zj+eol@4)Ebv^81Ss%3T&v^zYtxba
zn}W4P%9=#c_qTE{y<~9M0Afl?*LGgTnicHDAv~#1csArL-75(<o(9?GsOXdn4wNJI
z15LK=OVeFb>(|BnWJt+Z*-c)<rS6gy{XLgIM1>kGa#rJ=5SIe}&lUUs@j<xRQD)#^
zPkaxF0S|~rLFzP+C;E&VasAJ!Ykxw7_nnO{$1rDCiK{b0T%%7sKy)UKA}u9dj&)yT
z4`rX)mdQ&2&iKE1c2<=7VX56%0zT?jec{+B+27T+3Ib$)u|1lNOO~IFwWT1HR_Y++
zUJ&3q((78*VIT|B<(P^sHjToEx^t@slgA@Tf;62;Cyp(~bpzhLVkwVz!CiTcIjk4N
zSxO;PpduDBW0SbAV1l%9lL)uo$%?%AO$Nw)-;<R>$XltnR@E>Zg#V`r<hZ;J<v_Df
zX!I3rmaBumoz3>Wv@IeMP~|JF`P{8K&`xAvw*(5V69BEfk3eWD0FE+`FvAd{hO0p?
zuF&?Cz_kO<KaAW&AcrHLWPKaZ+S_e_I-*IIyK#1*|F}0pvNMrJ9!=H{KF%o3RZu@w
zcN8Fi144NEPrbLk6>1+uY$!uUHsU-0?=%s2fMi>gqe7Q${U643+@!Qki^L=k20vl&
z^B=G5SbmS%bF|aFFzw@QC2)s2Bpq_>;ySB`UE$cX-AZV$C;2WeLk0+3{odZ;Aazf$
zOjlju!El|6`!8&zdojMsKX)?XaYRV4sRjZ2Y}E6unZ|l3+S7*Zr^u;C0G+6riUwdq
zOtUlu)#y|G`&1t<rE|elGkTTOs2KZGd^(SsVKv_1nd48sTbmNytykL5m}+TNwo{M~
z(#&L3S8Uj6vXO$BFU$rt%+6fHTC2t*yG%BYHhThsphJi051h7DNfay;)JeL#M>j|!
zBvSY1@U5=9&DoIPnWTRj%^5O~Fu0P$&GpM9ZG&!G?k552Y(9b+33H#uxI!cesPrs|
zR|H>W`I{~W!0AbkD3N&cK6Qw1+=G&(-L%@@&ql*i-rCAF(+ZD!_b$=Zl{`a+nVIYc
zpwemgZQU3N$Ga7!Z}w&Cz^(lysZvyd%R7<A?kg1sEtW^b6FbEk1~ZMazec|oDp<~3
zbUR_P&<c3c2;su57Lo(bj(?H?lO&EdRs$R>Kn5G%86icgr%(30C$QRt2mRY@nEM~T
zKaJbSb0=(givWmI>tEFsn43V2Tkvp|G}vhjIa*E{^#PRa{Nv`C$r$|49k)4GDt$P5
zdNOa7<A>K+>GH{J%-a>-|ImC`UZL=-^SPpVqlskcg)<ckeDK&hi9yMgav`5@#YvqW
zIn;50Xdo9Rgu=}HB|+d5tZ2{?h(^#%H0aT<g>Yk86_-Nq*smx^Q9M36qO=6#r{I!f
zk~JS_?2Vze7(6jM!JKGgGQ{S@TC-ZxmJcOit)0=OWik=S?}53uyDBcULL4pZx(fz+
z6j!{84MtMB|4LcDmLKH-(?3|ZumB3LX(06=Ou*GrxXA?a&~W+W0V0O_Z14B;y|IN!
z&IVL62d#(Mpd^Q~bk~AUe}yw>t#Nh;UZrA^=|{8_4R1xuq4YaJ;;`qSfitoUtC_#`
zQ3hmZf<lNX3E-;9wO9aNN>eU7W#4ZC^e<bCzxNsS;PVY1F2h5SYC3>SrI@C`)E_lc
zHXSP~OWNi!Qx~$1w`%X>%s~t))NSv7m)NF5D8G?c*9=@ZU}*yMtyDn_qy2{O<ogWH
z{shJ$$7X#LYBZ1l_vu)K&tq7dXk%#z%T!8Jy}oVMb}31-zWKPQW~J|r+^=Qvsr^)Y
zpUM@9qTN)3;HHi}eVr^<_M@e=8w%97gJkSH4p`CR5gkWOklC}o!LDt`5VxtF=Ek*L
zZOh>C@fDiDQ#bV$S9PIGZ_kbvgpV|`pT?pzb2o*yG<hJM`i)d0efvi3`N5+wDV`jT
z_Q!*V8yi2pRvpm`nryO{|5FYaEkde0M=Kv>6fcC)Qa$zcP=%GaIVzErT`W<7C<ax8
z_P$Cj4LJ-*)Zd=~?&k?`v%Tvt4V5#X{PIQ_pkYhRA_EzxPkFm&1t8}r&8!mOgBws0
z7H6Ys(YkcY2ZI1QALiY^R+?SK*VVA{jDs}1P?EE6&37WbgtE>K8NA*Mp3`k$w5Tm%
zTbIsQbk8vwlXGB#DWExKGm2;McLB%85_U$qfGS}F3n+~{n7cD-N(}02(wOiylOL5m
z0}OAf*nV)>=niTre>TCmZf7JlcuuKYv)jtXVyx3}>1+Z=Y?&kzOsn3nzrAz+B1x#+
zBc*|Q2(`oo3OYABgyXnX>9A%l!io}L0a0^D%|n+nHrcW6Pa;oepR!&cP0blwN_eU~
z%(|@M%=cSQj~!x{@zt(&(?G^;9l6n$^DlymjEZKHOT&PY5TZ<Znpd$;3e$;%el`%8
zEfgT#q|GP@+{o9f@JFybJ*fyfuq(uBUp8BPsI#>pwg{q8+0HXgKifyVaCF~v8b*HW
znAZ~G+d?EtH`NvRtYx854oJPq6F(;<&mbvka8t<}V#yne!8+Hq2F&rx)e}C`RuZqN
zGiZaa*g9s)v1Kc|S2K6|<!myInglkp-ue$ZDOg0JLmpY;2PCKM>`k`;%rk-h`!2-+
zI*j!+R&f8Xz1>7bA-4#?)z#lGSoy#0vyOc?^gJ#^yhQ5)Aa)Ls=>kVGBgfMt6R%KN
z?Tc?$(zj<u_x%bDMp+=q&P~@V6drB-HoFpvHpuJkinZ(JKuf*lIB|lB4VwGFu!xEi
zD^$xQt{<fAHnhRNPvq4Se^{T1w=mydfI_uKL|2`Lb5DxoEf5C~wg%fn3|a-jZwA<b
zB*W`wBTukG{aa>{P>ynkU=W~lljZib@~P`gyIajl21)hVMt*fQ!r91LXODI?2yHYF
zgr<}=SwENa{(;y3{fDmsX{9-k6+puph9W70VX#rRKA}`3!%xZSW3}Azu=c6Uyo9M|
zak?MISv2%6tZzAIEIkC!5ptJY=!*DX0nIm461(>Zzh5PcFHOR;9uwSZN_&6XGF~W3
z0&IB6eVavX?>o|f9P>8vcl7ucC1|HgJ#$Q9YpqjaBP-KMP9etx$=xKw)#E!Frmtip
zQyk4UlLzEB_5eMy!^kIgy5-$PC9s1CC<;&GWa{R)(p*vL3oc-!)j~<gwcz+IU>@e!
zAIVb%Q2uon$Q#*HsWf<M+&OVGV@}n`%eY3mL!=CVLk<A{cxk25o|OI3KFSjuq+QsJ
zFn>xnh?{<rl?mBaGP%fQ(=4OorH&WWVYK?ESc4%c$Ez)YrqQj-hXZzF!S*VwzcluF
zJ;PfAz=h+(6+gXrw$oMe^hMV&JrOK3hJXv}5<mDawC*F|vFvO^=EzUv!{5T3rn|j2
z2)B_~tG!|TC5pO!l2l-NJce4%<?#2)>2rvw+|V>8w|%ae_tT*?FLCVt^f*4O;tT}H
zB!*8V%8l&fwOul0nvl=kRM5VCUU85Ecs9Rz(d?mKMG)yI=;r%pq!Ws_`H#Tm7yODj
z5*n|5{D)<p;a?=gKq<w!PCD{oS{`a85CM0QV{jztIyFdBA4q%M2X4~nX_$4618M9S
zViK1!8YT~ecyAUR{0K{5fiy0RaLz<_SO6Gs0;;pv@&fALc4-NX4O42Kx}*%z-$)jw
zxjN%`(im{DX!2W8P@T>&GEpFHMspfDl2wrhgzTL9`_joldVMXzperY~ke%`<$RK-Y
zQvh;fPzHX;q5p-b0($^2!kE{29%#^K&6|X`G(KgkIGN{pj#l2lY#p8R@282O!S|E(
zyeV&IDh7YMX(MK^slF9>Un=Wd<oQ37JR3kt@*0nthorIFIyqlk+GT5m^QdxDNpjsl
zt#O(Q24Be5|ERoZYy7!e;as^RpLEDf*MTwUl0bO6bqzyzgUvV8&L;oMSqauo-$5~b
zvoeetz}U4OqU++t_80v6q--sQhqU{ge9z%nwGqD!>9Bx~csd9)p%@h<x4c=f{w6Dq
z_xJC@ynI$qj9q%b8V%Lc$R&SfRD<_!S_NDs4SllIL9*NV!bTx)j`7qmTAD|;OZsPG
zW9|Csj^8BJc0nnJ1ULNob&?D~n_Q6{o^&uXZtv+>89Fjp`34~i5x4T6RBwfJFzPgD
z-1!PgOH%VJAaDHfQK1rSNm;KZgau?GELG-37br5dZTP(mHCq9FBDz}#Im*Pym_dI#
zN6#{hdzM}>M8F+~n~<gaVsLOZ6Nz`;CUJUovPwG|amM(<ps|qYPo0R?jnO%vif_1z
zO{uZt7a5RJP`Chm7=TZ6PnF85^B(Uf5Ag?=8MU7JwaC3>TqI_JgzLK(YP69tms*#z
z?31A&`K@b?KzwW98fimzrr9eP?I0HAAgj5Y8K|Z8mQX64%`9=l{M^Yrof9f=KDgf>
z7^oAASpMROW|6+_{O?y1NdMdavppqUbH!wE#RUzGvcOKLZMcnD4!@Gz$}zR2w?eLj
zniVvb;Ncc>vma*f0<DcmbZE-q!aAmF_nj+ED7Qz!PZ`*fx0D0abH)CK$dkN%Y!|kK
za_?=7W*MY^Q@Y!$vf)>BY0!*teW{gWGfM0zil$e#)}v|R9&FmQq#fDtJQ;gDq(Kg4
zJR%lLw90K9jIyFhREY+B@eO3q?0Qf_0d=2K$q0eg5l6tmTR6@zeHwuJIxQ0^;0Fg+
zo5HAt->0dp&e*&+*D2xsuyT7J@x0o`WD-;DmfgBT0(Em@R7We;57*aLe)}BbRbe=n
zr=_eH|NQ~fk)~6JK3Tw6YBCCj<RqG!SRbpS9nizfk9n|G#>~rFdEhfrox_&<Kpeda
zFpd0Na9z=S1@p@(<+j|jydQU80tUBbERIY7)J@(v{kX3g`B9p639~X;KS&Ozrk$O&
z7RLTNu0<|Qj8G|zu+xS0IV2#zLa@Aj9kP7*I$;SUVo~Qu^1Aa0`u45Zm}SfxJkIS~
zb&ACu3~PG^scg#&Wm;@r_X2+$y?z;BVh1y8y_*Ad82o$?v<Awq=#mTel_Tz_n5?Dk
zW?=E&%e4b~0B8*35sd{==BJd%>nXXHLNC*geRYHIUG`p*q-A8l_w!p5B<IT6;k)G%
zro7+XalVWM+Z7_{O&^ZJ>HnAX{0)ZB|2lB)m=}9+?zATzl=L+D*`o>?VgI4{%D~;@
zR-%tMK(r!O#o>|*X)8XK?s&%P9iF`Z1dGgtdMaIxp&2w^yN;f%93vohzkw?%S*J>f
zb!q(&>N)p9rlCA8(!9}uh)anx7;Q!rk+7N;AXOku#+0(n)uq{VuGS-GHK(eaPKq*G
z_WjjMDLD2P<Wi-t65<CoO%Lk=sM={7G+rMB{|<#lL{5oi^KR{nZY{g9$~k8jPx;;o
zqz;PnwrW!awAy8hoSt+!bD--hVTI|p$IJ;FXIpoP{SK>Ge$NoJI^%JyZW3;8MXqaW
z1-_~r*^*j<@H7(|wu?z7wy-KX?LHqf<N13(sYG_VC0sMV7KF}A^$&U%l2h|PYwDj8
zdzF_2okJgln~~(feOL1jV0q6OPOZXQAtUZN1&0pNujG2=K~n+a&?y;lp!nBWk5t2O
z_#p;DZV;Z|@eusNiokFT;eQ010qk!o&0@V*S1=ZX4*ffiE){*xE|v0)Ro-68gB>Z8
zWv*O<mM(eKnZ*@~k?PONl8|iI9p@#nUnWj2lx;NqEr?RJU~T|3fLM*hX$KoIsa%xB
zxlXRvq9aZP&DpPwjgZFrd4Ax(UWP$I)Tx-|3l^Xhv!LBK7muLc8VxPG@Uvxe=~?69
z7|Nog)<*VH7Ve)9C8i_4m%>%fy5v-94|R9Jq9`PqG!5Yon<4t|<Ldz3RnETLrc9rZ
z=NrWvs&XPKGN*Mv!d!VrgDhqYfBwVtT@XTon_shTACS)b2=iz|xQcGkj(kM7lNlrn
zgpGb|T??j05|k_6B9e+MoRZfH`9n-f)L<q4@I#~&pPzTBDX>iQNrZP3D<1)XU5>s7
zFH%`BDlb^3Fenc$?bW&r7a3ddJ+YL5EuN}zZsnC%ELS_ylwQ<t@tI9N)V+%&EIj!Q
zJi!|E2xPvu?KU?nwd?At;F{HjK`-{}Z<CfA`4>YXT1f{{y3%$DQ(-twIpT3+(Ht@i
zYO9S6)HA!e;=)7B9bIF&Ww3OX1nFTrCPv`cf7YDLj0H;}@RDQu!Amy*$NYPzYlGC_
zv(LuTDUiKP3BTlWP)2b~R|)xqi^ku~Odu!wOStjeip<Qj!tBid^4$GvhP82#j%f<-
zOuj;sid;LnYo}rHf;dN(VlKXw<{PUYf;!ygfeO8&6IR@fWR@Wba{*E&0HS0?84^=c
zu!W?4#X|FauTlB*FLNC2C;?En(DG|xAD^(|$en5YjJX5>MG=Efyts*5K?;m**zIn{
zHZxd=!G(<sPm;;B@Xa1fQve_gC-v8`DW*Z;A+8fM6OI~#(jg$Cl|($KMa{OH;*`uG
zZN3n(`36WMiF=;myE-NgrtJYiP3=fPTkEGFA=A!<A>`v^ct|b%Sw9EI4>+Iziuw?^
z?9u2GG_!^dTQSo*K>z3=&HFo;Lt?jyKF7w?U>JAF0uZoW00|+vz2gm~8je<hVcnAF
zg!Ygkh})>p5lv8(qrK|-&Oa^!{-4L5-jK{L!V_0s`H}*+L(XT2NUtGn{nf+akHcH|
zO!a)0;%t(Y%-L1&YDvk|?tRj6FcEm%L5m9M02@=C+MO9qlJKgKv<=aaTC^XSpDaC1
zAn%t3c$kY-?qZ8bPOWiS>$FqJECxPauM;!}N7j!+3+KWMN8goI02%#tWV2swvku&)
zUIB&9zRkpO!$gIpuWo;hR<Hn8@)LqRLU`Eusc`l_8(-Psw4>sb^-;*0479xuv?EB)
zd;{Paq&JuDDqr8&hD7b}H$sLEX$QxD!|}vd1fT_oZ_jLa-LcO1;PE#Zm%3Z~R?Wch
z);#7AozfLEz|W=;;FZ(0Pp|DGezf|_i);EB)CwTL!hfcaQap2Kw%sa_BblK=h5p0+
zVyb`erjjmLQ3W#}Emk^_TE}y;%MeE`>^N**3`PUngW*55TZFgN1dAv`Ltdgid21_<
z`wm*V9F{>E0C-kSQ$=#0g<OS7MenpDBj89XW6|M0)~3S(r$-$M3*-ib*>)PvgOd3}
zeFGEqZ3z8|`$s$T#?-P+)CM!LlBei5JUJDlCC^NaU7xH$!I~3gwiV?RO`S;f(H17H
zGf1nvPUbQ`VR@`Ez?+^KcyxTnJ*mb{ys2O}F5u{Q?Uer^0Pl493=I%*1#h?!1R6+H
zOBTWpX8i2yEj;_amD-hUA=cMI>8vOuGHgnUWE0-Np#2MQpab=#DH?F}_ZK8TWkJJ4
z^x9cEc;)Ijg91>kGQ&~QCpwsw++a)dPGcj|gz;aW=$|!>3yDD?mHVPd3KeCFz5C^*
z%taNi^;zupZ3r_ns@v%ul|=Vz7H2tIfX5n{Px!Z7T&AM~n)0+t<GsyX-oy2-+C~Hh
z7w6~+1u8H$Ht-vlGL68S60QafGv-xL_eZ^86%Y&}K{OG>>thZQ4FkI|7OhPC==V%&
z&#myI{Of(g`pwqVn?-1BNdihQZR}(xjl9`#P(tW*SmE2v2a>ixbGZroqFSWn3t%If
z+3X86*Xw3jEU4Jg1^5&$d#m7fYe;}QgH*)t)l$i6#y0Z`fju(^@!$BjNk_CH^&Ds0
zCztuW4qq-h<{=DLHZs|c4-g9^0e`x2a^u3Og1V&G%+rKS-aYN5pga=*JY*Fgbbc+Y
z-i)NIG=eOh#=3^O!$84JG;w+Vp(qYBIluNMpe1lQylsY2^;MFw1an7NJ3lPI#|C$q
z-%EFK=}QsBo)wNa;;gzT3G*YWxn$R|E0&L*o=pZ0;(o>o^*x>wYI%Xnf3WM^0!dq2
z%i8>6zMC=_VN`0@*n~;)*BnWF@nY@Ex4Q(&zu;iu_}7JxUKrlEprxuBde05?BetHI
zzG`qbBHPNtn-XQWgx-)BRG;K~gbPJ_Q^9GnSt2F~+9K|T+^Ojst`jQzCQe>=(~=$>
zJPGpgl?i%DGxwZ`4kI_n$4Y;`x6hj^%lM)^sFq6s#cL+TePi+B4gb8)?VF7ZKFFO3
zvqW@??SO(F0*!e<e+D>SnS3r9w7-|y6`8Ofk#ygskmGjXC@YKIi6La~8U|ES8glB!
zP3Ri*75eLLCvKMi<6v<BD`c=WI;r(CRC~+A%rr-~R_wLYlw@QidVR_u9)l#Q<f)#L
zBgx4$Zq$d=#+tj)%KRYCMxvdDakHu_ZS-ywtYrW8!}2@5+k)?Rsi9IF>7%&27g&%k
z;=jfX@Gouff^RkzI*Ak#NC$ldr!)UzTMtgk`SeAJ#DRB;77~2bI=$#XDVx6EcfMmz
zuk#FHtrFl|WP=ht5t_jRxD7wYs}GXN4G+E}0#F~uWXj&ky&(Y1Y7KhMqWQ;1pgXg^
zyl~HfznbKDIPVoa1ABQ=QabnV%&76PDLi4-Y&Y3xtTDSr>!bdv<=vF8rpGS`>Fa-d
z7-$5_x7gkhkb|)sc%CTqom0k}GgVxE$EpH{?p&&fK+ne<#LZ#bqrjcxP5BGad#CtY
zL!xB#W-?XSuUEeW(yuvXDrI~3?4sTuZSVpQK6f4Mxo>kzlE;Q}|0P4QZa&ER6|5-i
zRkq_Tx3@rw2<i9dG5xn6ZOz<sKXA>5@yJ0^P?Z%g=+Z>5XrBJ)p4Oz;c2b+A<xmbX
z0M-u1DBA;LC+1{CS*B(6@XK$x*pX3_ZXv#u1rL%3b-lQ5%>K@{bvj;zYO*GNG-F7U
z<mlxd;G^7n=pPzaD#Q&0DO5A<-X6=IIEi{#u$R5QZ*!I>slHSy$>8C@&07$^$#ZED
z*D0zNJ@I2eGF|hFFrbSy_EGE6L}GKtl(Gqb{FaFJlaRx&H(CSU^fJFWp-KX^@K8P#
z&E$N+Pc&)xT=0gtbn2~l(rb)5J_E<(aa)_P>jo`hzXa=`Gk{7RY2x=P)#5Z8?qe7)
zN#(1Ec*5Rd!5h11i9hkWND<I@1~|~zK)Hx6h!AdPbkVN;XRQ7!fNf9C6D`gDxQdj6
zbG`I*Jp!E|=J3~blXo9*V1Dl2st^}tdd07N&A?^uLC|}dnDWno%JnXvYj|COJsr{E
z6;zg4hf?uB<GU0xG5rz|f%J)4blI5{`63clD0&JjRJRI!e9VDkeT&f}UCGOwsm-r#
z%06gKN~>>_9>)UO%=3?R7~e25ZqVGbyWO<0$7p;#y<hwQ6;Y(oXF=HCrB*{n8A)Z2
z&?>v4E~K(4mAmsk3UcCMmTjoH6MW*9`0U-IgDJXdoWRd5d4laDP5`e_)+|l!pktpB
zGW;}C^FyUPj`tS%k_kW14{b#7{gW|*Y~(WJU1<?oS1w6y6I#`gO|y6Z?E(JRtF-h#
z50C%JxXCh=sT_r(t+$l&ky>V+1}b{2^<unYaY1#lZJz+AnV{AF$Nn1Cn#VR<H6O&6
zCQcUz(h|Tf`EV|9oTk;)xo9fb;|SKZ0{XTVP5b>Di^Pq0cktl?ydh5gVm_m69`nf^
z_upB{s+ioZLYEL#SJD>yxfqjn4@|}?p_Ro<&t3hKV;D}?y6v!s1KEOIRa1vSaCWtZ
zYqjG%+#wGi6W1=J9H|)~93wmqgAaG^1#SPXN@x}7Zkb+P@mHpi8okq*4|>GA^-OFE
zequjLPB&ipT{e2@g#Xp}lG0C~D=^900-2vquc;_~w0s6l)#<|+GHqq7pI!<c!AXUm
z4V>4gu%+jrB0NTm;udn>pXaxmw!37d6nVDr{M#e^@5J&re~TW6(7FNodIPEtw>Fer
z1k;@gH5sl*3*Jt7#*?mVZb1*{<xX5%zbxdUR9(<h5Mb3}Nl~yA=%UcAETdPy&>fVU
z=J6>u^2(g0L`b&VtXg@$f8Nl-eiv_o?>IH5R<J2wst6awgOaWYS%C#0^#n4$_2hv@
z$Ex6M*C|K-LTMNzXP>2aq-GK7Ogch&li#i+IBCU@dah6Ss|P?Xp|yIPc#MB>R0lfb
z1Z$PK$dv@yS=2BX%$CMC)4C>i;Cj|h@G~*m!nSn9aJHPSnlvixOR@aBE=tq2j~r?g
z&L&T0cdvRUgyKGlNO7sS`Fh{1vwskbzL<2@ONv-BH5olTW=Pu4)`9!|buJTrs^*9P
z9IR08%6O`$+fDH^%Sk?@NFQ?2m4dMoj|{X=$2Aa7%cvfQb=GuOy>#ebcS~H0_WV+K
zH^k;SVR8nbM~I>bs<n8#r=JC+|55`8rM^g?uToULh0t5~<5W&E0rJ^`oEhX}SsS=0
zMRF+7mzQ1!Ke+0c(89+)={2%*L%ox~)9dEzI*p6gnKNJxAIBezPZYruKW6bcBUI?n
zZMl#ZW_Ea44#6d}$|viJDTwU}rH@mA>Cx(eBk3DrVz#bkMK5Y;nkgP1#C?5siSkMJ
zrbL2bKXH6mj_~$<<=7Pc56}riv^}|iSElI;#qSZNYa#CE4bKunwQ7$1zR&=!j=(-2
z-96D{G?PpHr?P&YQNM1GJqWgotl&VA0xQf&Hi=Ze{=vfI6Q)7RE7$^Zr7Ag;Rekwx
zS9N&2YC%DYOdavK)C05mm2k@1ULCn$z>y$R<$?3L`^Zj%7?pYxA9xLaa<o)}0Pf#t
z;FrR%_FA;GMsaEC{;2p2Sq;$PEaD6tO)m9?#nYsZ(N6Ri9^V4suB7%fHio&tx-D-W
zVQv9+{0B-}Z+;1(T00R^Lx+R}(Xm@ufT_l-!29cwV3;|%$&z@mTi&}~U(uj<{kxZv
zXTR*ZMY-1SYTclS@8FfP_~!1~P-gXRPzfmXc|?e-3v{yg!3oj{Qd<fBdA539vfI9L
z54j)|uzrK&J+ISO`s&dll8)vf|6HruNVmu+GLAAM%(o=ZKdVnSwCr4D^jLjLvxdGg
z)1G(1``JgHYKadIRV^4|s)N~;5ygW{cb|Y<m^7-Uer`6X(9CA>g_smtW~%)beyV!)
zt3KYYV2g2B00!0nnl3PDh!5;pgmxQeT3ACpxK?T+D`Q`KUk%?Ia2)WUho*Qc6MBD=
zuq7CCwo_^Q1EN2A{c|n-jt!PN)_0PkQn1t}@AS91Xb^t!UeGRqUlsk1FAxM`?6C7S
zsM;}qnAC6#{Bb-KPE3iC`C=8co8u|}wU5mHx02U;Dz~MhnEWH2m4e_}C)?G;6Bf2}
zz+@;$AsI6|BpnbtRady0(g|rsj-MB*e+N_NwY)-<T$5mq-8}p$MXvrXluGc!tgsrI
z=3bJ=uD8ww+JgG<=Z|%-iROQJ*!L=Gf45TUptE|WrA~pUpO91>A|;*wqg=G)W>k+6
zGwgBgJ=Z&&sY;P$l0CXcQK)OIXqyD@1@6ZgKz_s%55&HQtaI|?SAjw*=GGr97)G#*
zkp2WGgT;dRF?)q0v5x2t(+Me8dGfkSpli4lLt8IU@R3PZOWA9`+QzXWO>?x`(Xvse
z$FX_V2(sSj4YlrEGHv#((ba5AT#!?q{i)=QHK&{~3;vtB4O~8hHY_+9zJ;4Zt;~<%
z@f_EkwY093we5_l#?M3J`Y?~>;{LoSz2|M~8v?oBNA1p8Homyd|1C_cVM@>2BGF1~
ze9$7&2Q#8Wy`rmqHhJqrm}0oXA^>amtly^hCtmcXe0@#no?M*TqbP!ql?7o=d2(l6
z4R4~-GZh8N6{7s>$9kFiO9N%P&n;VZMc=y-Hx^4LWvr?MA+BESZhOW87S%h$vuM8O
zg!>&E{hyXt%|&e5)gIoYZn*Yt52d(yCj`}gjKBY5`HD3Tn`rA7tX-GUbNo@&`Bjin
z!P}9e;;C!sR~v#Ohf6vgs;7OcDlnaUU?u?We)51Wo_PE{puWb88Z+qb9uIEtAlMpo
zzi7#h7;3Ba|ByrBRP%;ck$6Kt*L12;S=i<;GlPf||368y%AFHvT6AeU8c}0Pv-olD
z|20fOx5)HPKHaQET+37z+MA*?E_M;of8?R46It!8nQ->R%v@>PMA1=#y`;eE#S(wJ
zo`j<b-Eg@N%K4*BC&`y%)eSl*N^<f$%cpPkcYiY_#%!QSl;>J#oCZ~8*#X^rXgHo5
zxLU1c%wIN=hCYi@rxY9+IWpP5osKoQE0GxA>CToI-(l2u7I^byJwn{zZrsg9oq_ZK
ze;*iet(!~I#PaC0l-dz}bG-=r+-EGM;P}RxK$+sPEO{4NcADz2wlDXyN|h8DKJ%pl
z;k8YcaQUY$NoL9To%%dl&oA%Z9Y<p!W->HvRF-{VnK^kae}H$THI>&LLllr!q0ao3
za4wGTL2yc0bc@74cepm)b2y;u3l%590a>cOueD2uF)mpq@li9mfZB@-;(ChP(L2bo
zk5=+2?-k8EejX8NdeOx!X>{+=^6c!NIt;8AY@9iKUxg^?w@yGK9ykH|t~5nCioHcZ
zd&>au-p9=~22?EZ16=%%={~NdZWLHlwkGq`jpa>vL|@mk)~<RJ_()^GqWeWj*ytFb
zA<_F9!q?J>O>f`IXCR)#$!Zj=?~;2Ub6rH6EqfeAWp#3IKfdeMp$j!T-Ehlu*X0Ot
zU^{dZ^iD-ueP3{Y?_MVZoI)%=n&Rm*g4!3h-~QXh3~NH|b>IN&)BAm^FDepWOwDI|
z|7mo|REn_QLz4b%jZZ&3U6WGJKb`pJAd$$<)$<BY2?>5ls&DmP6pdWLRk<;kMNXwJ
zPrpgtG<Zlh$-AJ_prtqI{PII&7)#zYRkadPshOl9#Wj>NczPo<Z3hSy=@2$t#64VG
zitaG>^L~fe380U*VaRp^D|0|*tiFL#<5a64)8AS`xfospecHK}n{=XyxpA6tG0#3i
z9vt{~uroRqeq(y1Yi8F|lc8Mj5d-iK4dEa2H%MB(*Zwl+iAjRdOS#EX`3rUBXTo`d
z?@XfF$P)Hwefs8Wnw;jjRnakwW2=@AUyOP?FOGA5=}DXM<Vxg*<F*v5cl1^Il|S%v
z1($M`mAy4&Ro&7%I}-TQ(U@4tT5G0?BBrr-gKc)#|1YnPQekdA_V^88rWE_9O=?m7
z$bT)Q2-6dDvg*WXg~+ThzBA;?yxtQu?Cf@vE>`)I#<QB90YiUp-|?OJY^TE3q^Kuv
z45dq+Yg^pFqnv#^o)_5Q9dH?9LYJ$?@^xbi{WME9xG0Lutgkx9$<7P3Yrlgoy_}})
zf18r){mo9XMRlG6Gx{VS<Z6}Pb=_mAB2P^T93xbv`ieeT*QQG}GZ+j2F6{v{ZA+50
zSakddJ5QP=lRF<{tckMNuLhBO02;K^gk(stuMA;f+;PJ8TF-$$fBE}W(Iz|R{+sdG
zD|~H;Glg%UoFhgDkbiJL(QCZ;X!}pwt2d?i{O0bPBNreIl_8hQJLdll4!BV;T_d3;
z=CY3FMpD9Uu~R5M`lMbLeWPj=Nbun-6xMZ!dZ`{o5l*GPq`r6<PM1jSL2X?u7`qz}
z7azaMD~{|rM2TWocp>i{-!{r$q5WRhQdHG(rq;zAiN8ax=kKWA@L9B6wPM0UR^wD#
zQZKIL6C883EJJEhJlR-HF$n7>@`Tpn{lT_u+(p4BI(oSW8he#m20Tg_`K?--tcahz
zqw!`a>d6>3_9o7nM*5KnYV{JwhLpr_&*@&~#(CXJXru>wPJL{j)#(r{!1ik%k-=~e
z52jrvJry(u8}EI87PZc@C`v@U-QVIPEnQhCSrqg*!I!UJkXt&`NHVyEn~)K2yUAkb
z-Qll9QabQU#vdl^*!LY9bEN6YW%#<DrT^)UDdC}l8%b!O&)|&aNwp?+<qtsp=fR94
z38zbm@}52;MbwRl>X~e0Dz^4+LHBKe>MHU4J38;|xW0t#0cQ1_v#Q{tTuy4%2IM>9
z=`X_5>HPY~)9B&7CntL_k1hFF`TG9aA1jkmu7+9jYS+1#mbRJrN19MP7{E29nvkrI
z1kpEUi@C>SBf$I$s@a1V1bcZxZER)#yVSbrR*b-h`5&P!?<QXs4=M^8beDhNdb%4R
zV?AD{VCy1f4di@-6jNwyzVsqam(gkSdGMtB3nzq85$M@E``7oxWh2V!!?7)G$=CEt
z{Z!SS+FiGOK2P1fVXlaSZk8t?ePwEwnI6g&R6Q+j{XAMdGC-yN6a0yED2h4fp<mxg
zHs14-tfu@sFULJ@@X`<5N$w7sG^=S_;GzT2Y7^KeeG%dG52H~pp$&iH`w!Jl@F5A0
z3A?WZjIxGd--Iq5x{S+5s6e$;&7N6x4t+QZSA5B=rcAj17>q^nkv%9Vbk0_)n3eCD
z)NQr+U|}Q+mxM$}I!+IKMC8-2NS8h7sJpP^1-GRh??;$Em3DZ)Jfm5!B0Tx2+hSxp
zR`F5PQ%24BFtf4oc5{P);k6g`Y;c<XQ)XqN&k6M~mG0~g;VZ+&a4@&|<)@x^OF{w-
zEg#$szgd3&o@^I)w)1a<URk#I%Tp(QOY@>Wfjy+L1*KrPPe$qZ=PHF81zcXGbI{<U
zWq%&R+BWC-Kuml@@nHT<<x47KcH=hBjyGKwb?_DME%FWkInU^oYJU!Vi>BJWx7eV%
z=aqYFs>CbQgX8NDu<}=1tlhp=O7pLtduq-ie}X1>h5VT4n0K_n2ghmOjO1~s7w`Dr
zuv_va(qm646lmd$ZSz)o#`KNX$Yyt%)K(Y9czdEhr!9>684i%ray0xAv_{Xj0^#sk
z&$s;Zl|!FiL+Q(X4@%jVfQDC*)+g8KB}>0f!>W^$5#LmmmzZULv>$zA|1t$wTwoi6
z^L+R@v2^^JG-foPlu+NFq}&yQ3^R!h=pNMS9QZ&~a>G549^ZG^^~kZ0btyw~N~*}k
ziB|GBrEq@AI_DhJ1C{vh_@2P{q{TBvvJ6xsW2phBh~9+agP#6rmWgMyWVSa8p!zKq
z(h@Ww_<7!-vxTt_mP^kJh`*o1Q`7uE{EpdWnv}BZK{qwgtOeTjtD;Z17OEBu*n~GD
zhX)+H@)8T22YDl^$3|ZhB6u<4uX68R)$>wVwbOo;PI*X|eOUJgzWjAawZ(>zo&3!n
z(O<K4c-qE1J}v%3;1BKkr{N;<HYvJLPh231Ei7E+t^sEn*o|!g*r39BO|Dxw%K>UH
zN}qd$s)HfQLgoe?{O6@?fAkY`wRdSRirRmwF|m7gQniGIZ<Thi-{ZcAiMTa<MIfgm
zt@l>69V4u1G~9Wab}RNd290<vwy51$IH;Gp6U^;eWxe^eJEpr}x`Or2ya3BeSf(dS
zyZCSz-S|nqEoqK9PDTHb%}8#S&S;YHiYfHnkM9B=WLA3D=2KBY>>hM&x0f!O&nPlB
z&pvo$#bR%CCmZOvxD9qUyc%brUpZT0!tw2?R^sPa4Akh;HY7zAZF--r)}SVN@KBsq
zyj?{cxEB4(z8AZD2fvAaGAjXn!<O%nvgAqL2@R8`faelF8gImhuEs%<CN>+kHeV3z
z{%+%RWS-Ew&_J7P9E;$V3>-)9vmjbr4UQ{Xz-=ly3hy@7@X!p6fsR^EH3pC2XS-53
zxf7$1mK-WNzhVh{uE}g)&7o_QpR0!|+jLo;-em2Q!~EO)Qc&Q$dN>URH2tX_s_h0B
zPbT>xXv1x(Yui$x55DvpSB#2dRH}j>^GcQ_z?UfAafo%smsJ}u_23smgQ|J8?Ouq{
zd@kJ@w3TVmRkd=;xE52`JwU@MfO46N_OHW_X=MXutxE!xj%vGSQ1@s-V4Q>fy3Aws
zW!IWl6dQBWqi^Dc+K#4oxLp-6;&*bv0jzfh;j|?qYTd4z@7p(L;?WH()mRhGx2Kh=
z{S*)b?gK<lwkZGoj-|yi)?X|(f~}K#auq%beaEkiVIgPkV}}wuhpy$z9U{2$_aOvp
z0qMqu*AxU*9~4fG&<SV6N2^JG&r6Z#lexEB+6tTg1yBuPuRc2XGYxNhba&{j;s;C@
z1&sAe;0OAveM5hNI(F{1nJN!FDdF19*pWm}<1{Ch%S)7hKY~Z~n5J_atb9)M+!yS;
zoG7KMI<Y^_P4%h4R?G8hLVz-PsYcorOvxGR+2Wb-Epm_L7xQ9y`a-WLBC-xeA3NSy
zH<79ewTNN-yGH$aPX9HH-|{5k*Hel6L>5vi7&1_NyZkPxiXLt#<D2vwXfVjUe%+z;
zm+JGe*b-K;K|Hz7_uJ8m**2rzvkdv^J9WX=h9lBN4B&=WcbitgJ3xb9qxZEC_hI6c
z^YvAqu5zG_uVh;ak;tZmGnBF2k<*Hzc-E=_{;(*<t;W;!`O)hQl;7#6j3zDlizDKa
z64o6`2U8k)MqOe9%ojK~z&jxYzi#M&jpqq5Ly{9$i_mA+7kpW69BFp%c0VUCs@zJx
z{;kCLyJ4rXs+9QmdEYp(w`EC(f`hmhN00r3vlA{i(A<_yPp;HZr=-RUN@T0g?*<CY
zbI8t8`}(Toer(w-h;JniRZAUdp_0XaZQ0CSXs!H9IKOohg4VI@dp#pu`@Ozl>jLr8
zpJ%dsldK@po?SNL<<n)U@}+yDK|Z7V6^v+D$&NCw9Kp;Gf5fq3y5A?*yZq^wgVL|a
zRna6{!gS*9%O8Y<HjRFsOK~*2M}DqGFlm(TtUz}eG8SDVK@3kMU}e;nYxk)QcxTTv
zc;${|JU!Q6-%phqw+Olki8~V-vj}o}UgC+ehyMGt%`Kb+ZUV#SPD)5X(^8&7QL!rb
z-VQXn-}Ca0BX3gd2aylYO62vFJWk|;IrCC0A9a9DPgwcZ2Mj8Kt?(xD$s%bepMG0c
z@@}0jD56%s2)yH6pO<we%nj~&Ea<UKpN|8vyS|SDLFJE^bxsRE($$_ayZm}FDc}*O
zQCs}J5!etIXC6L2@3gbdZu!>V8e%c&B+xrcWrzv*!XwMJqR4Z@*i66JCHfe5<CFuS
z&7G$>PyyPR;N;kfdCL43-dTvFyex*Z?eQF^$<k}hD72tNYR!9p0gUCTAOTkQw8f`{
z_A|CYmE*(eDdN<d-D$pJ38+l@JX5&HjUB_aq-5NCb!?b#No5@7`JD0^4e`YYPG)Je
z7JFUF^%bV`9cRM*|Gouq-i5;`m7iIIuv_7j5}kb9O!W`V_X`xC?S8noJN|3Rhj*4}
z&Dk3G+yAph@hn|!)lLfjzNcov9^FG{jD-x=ZY10*)ynHm5tDUc28y0(y*v@gl*;+q
z&{I1-0&~lpi9Ag4{@}#SmGE>96U*gv%h899&{j}0Ar{6erfmKnQ?9udsw3Bpz*pNA
z=TK~#`vO^k1~;E>5~}VkKOh~}@yWZlDy@B4;;oq*e*|XxMvs6_5ZCc%lS86wDBa7{
zg@bfEMm-`sz@%6c#rcW(q0NNYWV+mz*8L=EEL{dIs4R8Fm$?8$HZn?OL0?aoHFd<4
zT&-(BG^cM#h9BCCeA9|uh!LB$V)4{<)h_Ig3C>yOAbJP6CLo;otBr2yh`U_!*5<A|
zuz0tJxzrHK8QgO*W8S;4+16kv(wQbjqTArF7te#D{RZWG4KPA_XPazQxno%awhN(N
zNC|`JH8)TZt87z~ZJbnmE9R}b&T&?l&Otorg9W9m^=DK-J(tJRFqu3t8}229E9`C@
znExSb08yCq)KXO_78(>2am_$wu}(Z#ggX37SF&GbG7Fh)+}j+bX~)Iss*g&Z=6r#S
zp%XT)A}I;QI#-6*=y&zV>9h{0M*JdCSE<3>uli2{s41FzudF@t`SBU``R)*+tk?bb
zi``Hd+sU=$iXY=HDU44fd;q6!{|)c9C2`I*!GM=qvL{Gcb6@Eh#+<&Djf%H~w%{3p
zsZ9w5<C3yk5Rbqlm^wH=yC;%x#P-eP9h5JGlTCd>4y&Uaerye8GS41UfYIN^qrxvF
zllx6`y?&@Ji!Mi)*0%r@=hL{m1f%TS;z#6<_<TY7GOrXi{(5p~@!CH!^D%|nWd!JD
zS>5qOlpE4&dg|q&r@PETuVJipiFOsGe(TBs--g6AH}jTbx8-RDYC?&u*@?pK*jd<8
zOgCCWb#mj;(dTw_mVvzby+_;*(>{0RuQp_Bc6H5~^0}>>9__!4*&6OgRKA^RY?FZI
z58<f2R27a3sck;vxSiQcaiX?Vbn&NkRC8Wroy~u9RVGF<@`!vc=RAJ>UaEec=JRPa
z;%*K;QPqXAIJ{krD*qiIa)tfrFlp<sndq~)WEIFnRyI9d{g%CV|AB1A*&o*bKT#TK
zz~rXXG@u?+LYgp<Rs@t}RJ;si4;^l!S{?LO<;PPRUu^T1uH2I-9ML6w`Yj%IyvrZ;
z8P2mF;>oMEOBcpvgH->rH4|;^7rC>?fL&1*px&UmbK`7Y2R|ORpr8D+3ENN^R^Toh
z-K#&|&ReK7Eqah0ap|C2XlYZXo&R<LRCSJ>sW%`llerxvd1qoWSMXD<)k`6=3wKCz
z#3|>6IxTHsj@Q7JLsrJE`}h882n9`F$8VrG`vxOTX>Lfrids!iR}!rB%+*b-mf*zr
z=2N5I^K|vbH%X*uL@<t3HpMq{%otyXx0#>NM_~cSbJZkaB}?vh-1OwmNnw>l3ORQy
z`K`k8#j*GIUZ{q3+@dFAZ6BZPIC1(Ll~ISeDmuQ!JYRLw!uBHCTUD4KSImu6EZ6Ac
z%R!CxwsGwP9Yg+mw7Ca+(b}i;ak<33zNaeUVIQqj)`eu=%s%_`&-`oIsn<Mj7nuPl
z6oyKWo_s2GBkCxr|1o6jDZ2Pc8Z&cC(SyE+f+2cz7FWt#ZJzr8lzL5;LT1dBD5;Hj
zcMg9Ba0Z?2+>@SxMzkc}SG1P;_W6W)2Z%vGz3gWCdsn>VCSA)~Wykhrj(t*#*Cj^&
zq9^I=%UI^zoec|x(@9@W$;k&uf$;zrH$avsTbAebw+^O>cs%grAhQ)vd*k4~6UF5x
zcbu<%y%4<rF33HiSV8;Y%?t7Bpa^zF`%6;G=`56GmB98sg@jGRh&=ufj@I@;RrB{T
zAN03Zm8*BTu13P&cm&$XaJVYmL!*Thj*`nmJimNPXvORb2>5vXlxrYQLQ9skMR-kp
z9$`kjFub)bP->?~7{A5=oB3Pw5&hvAX_5ZSJ{$kT!D6H713Do3Lo;%c{uV76rBk6B
zmT%_lx~8zWLh#D-;-KBjALc}iZqn6vAGiJe@&8#z{*{3!DL;FczkWN(?sNZCtYGko
zzullyGQH31wY!bq9P*`gUX*~Lsr4gkdIY_nn-Yoq@~nj&{r&QOJB>_PIAr^*J2z{d
zeEF-h>30`g6B5PcDOnTHwb#E-K76yYB7a#Fma6pyw$&fQ1$C$kz7lMvx;wRtlh2G`
zsA5}B5DI}7&mNua=470}TP7QUCbtF5Vrcb$P0=|w2g$qI@wHZk-9H4~;EA-P#|wWt
z=;Me}Xkq+)?5eOYo3O&=XOmk_=sA|?axzkeM(rsr383s>wMKT<9s?ko{#>dzUzlA~
zDog9xjV@UDOQJe#gkg^QTO}*}<L%(@`<|jvc;AzsA*3ZK38CDhs4wBOdFPzPopJ4#
zgmwPKqjVB*nd7I^o->b<2zq_`p0b+sy-Kcpp!XQxGh2LP!R+Bbs7FX_nY8o3PVLUR
zs*r>?@jI1B2P=Rn_X7_97RA-b(8iopwM0VU3sv}M=PaGmftwCISC`3ae>J>hPoKM1
zJJ{eB(cB!7Wczf^-OweR|6tI2JsaEKtzU9{>hQL?Hesv*w5qAVb@6t?`(B{pqOye3
zVxIH+K%GR^`mWrtV;K13$Q8<>?%~4{6Om9aPNH-12Uxz>ErBajv(kQy9wtzosOehi
zx=0F%<nII~ezOv9S}hYg>=lLzkQIb5)H~SJ@Tr4I5|o_)_PO2X`l=;1Y4?sHbeEU8
zja7G|47PHO5A`Jc2;rS`fl9Cc@g-sYZP@?E)>j6_!DZV90>Kj8ohG;ix8Uv?++7+E
z?oJ@MySsaU;O+_T?u`V8#$J<e?%cUG?<dvOUBx+D*Is)a9Ea6d{qzlgTg+h0?c=gQ
zD#o(rm({;TjVoH%We9EO8Pu&Hv?jf2-}3FFtH8DZFC<83kal^g9n!MUX~%TJIPTe>
zZ@SK&y@(2KI}rlYoRpQSL;gQ_PjZAGMrU$FbM`po=ZpOO&=i0ZRw5ERDmbHhDi6rD
z>Z3l2lDRiuY^TQ%r4=~BMg7LL(Uhoz4^BO3fw{Og4LnJ%H$U)$tyn325<_ox4f(vz
zcW?<TW=dmR*v{U&r+<Pi<L^X@)f9G4+xvk4{|g?17Da1IR4*QfaOoRO-L7_Ez0gsF
zInFdi=^JZ$1spY6K)unFT>1dN`oO#UXDcVFuGRWx$sFN4B|{;UU_sc|$BwV*AOs$}
zW7lggtMJW0dwL#m>ZDO06BH_*>SP^Xa}GQ#>=nWV%6#h}E;P<SB&H)`hh#3U%hqjg
z*uDO%ZSteloCSynpZOctzo^T5zP3s=8t@v=>pjxcYmfcun(EaA!E@bC>gP;q>K-<K
zk=_5CT^dNg0*w@;PoE&)wEqS#C_9{_HrM9?lhFC?7yH^FU_yFF4YA*@RWaaCz}@(_
zyG(_2t=TUWnbLxkwCZ+<i8KWiWqP~Se8NxKW3g~|IU#@)uSN~QY^+D=#qx{}0JZBp
zVs6f39ct&&du#P5VdFE+FnI-1p~9>7zUTA^6~mYJhKoE)68CL5b>-UMBPwE(DH7U9
zR`outw^sxq&Mg6a#lDyK?N|V>f66oNLC^xZ*i8Rjtfre9+dzYC{Rz%fsKt*XM=cry
zH#|6iBN9gJ$ARp`MlP30qKik`dAktfj~-q=rvyam>o0!?C4%r@(_pGqQKY=>m#D(3
zR+Dp4U?dE<Q4OARNt>W|swo>CVW%DoL=;2+e~@<-0rVx6Q=2W{#tG!t{C}gxETJY=
zJAM~$RM9iOq)(iPd1yokTgP;<A2~}KqYqJ53NprbRN^+hr1lqs9<}`eFV&(qCiLE%
zejg|+JMi6@F+GSn$|g%)25$;~Gzw=6_gE{j_t%0i8US;8Uh0Gw7YJzO)d(8hYdr^R
zW~~3nCg(vJsGILVFw}!K-qj=CDC4KjJzCWn4rNH_R=(HD(&x|br18D*BP7nSCeCIT
zMn^c3*$`=^9(AJ03e86U3ROcs+fdbQMbYuRSDULx^*7;82<4~<P`p9hN){v?J>%W^
zyp<sW&W2dn1|piInPhFPH)jIzGe^Sd3(LovfSa5Kx?@y<#{Y6d9R%pAyLR-2rvivM
zeL{c+xF<%d7TEO_RaW4eUVk3*VW4cx<s3SX7`KU=2OMD+zAvLSErlP+Y}C0sKBcue
z3nsZmH+(6uy!Y)lls=)0FxTY6sZ)NayA2j|fy<M}p0pX#rzvJ?y3xh_8d7bp?hjq!
z#;bvqzRRvr5Kf`mNi(!uu&dr7SG7)}_oY`VvI}~u@0@CM-P5%g)5jlhw>ggGx$bvN
z^nC2}M?Q8@l{|Gs5FB@g59<Zpwg<B<^drNS;Tzlhb&>TiNeoPO@f4T<>es>%;#Q>a
zSMUH(&Q+v*v|ClGwEY2m9js-(`ZU@P7x+(|QoEyMoex8M)Rp<_xs5LgITDk%o+kqV
zoUg_B|0!n%Udx$C-u3iTczSwh<wxNg7e#_2!*KmtrCv<Qb{H$akJ!yg^Qs(^Z#kS(
zCMSnIMVDyc{$P(x_YuX$)uMBy^MCLhjQj<3?&T=>bLv3`OmO^}>~fiEJ40E0;$soJ
z&RO=Qx^U@M4o53%3A=1P@R#UQhVH6~Y~S2^k6PbZWTX+-XPZ!yybr_ah$yxdK?<ba
zBtqa3;kGb<M$!`Pd8b`e2PzZ&B-312ou}GzTcuFP@ntpDX#Kdxk#N#i_%77*@^uDf
z)PCWwG3ry0|IaK$Fxpe2*r&&J(;*v^=cR+QKK#!AwYx8aA6leRS?apE-&XYaL$F6f
zW%g8&!~Wlp&IY{BE3Kp*x&7GYD@@XRDDu=Ax+HdEobs*Hn6fXi%2M>}aqbD3)P(WW
zggCKRUtG%=0#`a)WSLE-YM-2lP3`zS@uTF^H!1rH!`2f49FrsKBUw$30M6(eQeXW*
z-EFNh?{yvIjoe7zUGAz*j{u$>Tgl{k`u%#<pKYLid-FD!q)Nr^srv~v{>O{8chc*Q
z3wq<}vrPuN7IpCs2}6R9Q>P}xu%G=g+b2+I?F~a&G>j!(ChJfXOfSx_XQ+DCH;$S9
z-gJrx3{NF~!Pz$m4-7@sUFda^-Q`G{LpnKjgxq&#C$hckT5#Jnk@^3RFmGQuB%yjY
z96YZa5}FT6I4=2S2aWijQZ=UYRtU{{)kelJj|Sdz%O%dU`H!DayUXpPiEHwkD=~~t
zX_l?AwD`=AEdII3!9G1hh9AK!Q|+EXI5|S#m@M(8lgKTPJhj$ID4wGaUxWw7?W@nt
zw~Xr|!K0>@{~U51zFxKv%O!HIan(bBG~-6Oa{Q*dGDY-kht?lRC#$QzC0@r+;^vM1
zICyUyN*y5TGWn#lTqh-$o0t5h>0fOZl)rqtaFipY$_l#kf$(T`WMJqw4Aq2CNd5@d
z>icfksT>7~2Hbz3(M>pOwtrCBbA!u;jCT@#UHASc$oCiP`@dY<HSsRT2o8FZ?3s>F
zT_a1@9Bnu@+EQUDBe}NpLXS!6!<Hiq_Dv7+cJtmL0>ek{jR|6~75h3|Yr6h9vZ3Qx
zl6;cVyKk_$=RYs>F5Ue~NCTW!d86G&I5z5XbF}S0?tK`LjLq>&*mUtE;NAahLK$cc
zcl{M_w>n`CN#U++`(Z>!r9WY=VpXaN0ao%ri|5Rvt}`&RqPJ~FDhi%j(&;_TQ8IM8
zwXY%9o2ae}a?*!+d8~BvJ@k=VQ2#4G@qjmDW7wA97H6thw(<QQ4#%)ro{hkzET$14
zmc<-vyxwH^^JpCDCl(bAq(a{8P|C9P1Gi}R(S&85(RX*X|CPSG&~P#Q7ps~EDiVCh
z{+3lJWTao@ix>N{&e=p!QvoL)tC!Se&Cv-7l??Z?(+hl5ah6R5NrCrY=%#j<7=>h|
zBU_`izI?3FBZv(pYNBUIhhq|cP%V>pY)Kp0w(+XkR#^IzZ0Z0>+tkM^2#b-r<UYa6
zTFeCD3+ClJ^`)dp2d3m4rtVpc3AF+^o0SG(n^g!Z>-CluAjLj++wFIxSk>F87aXr;
zoiG_`b0{Me-C(Yq&wA8~$Y)fmT#sLLyxh>|?Dl;t`wkXF9k?Uh`{w4})~&x@y0h5S
zd+@|A5r_evyEWu>oZpt^<7QB$+W@zjCP{1<czp1LfhCz%n;AT|ufs@AyWjy3i3rZc
zznJilnEfB*?a?Smc{sY(yT&hJFpT<3{0p4(gx}rC)#U@S$dfb<y|Xd8BW>z<efP|I
zf)@JshEB>l^&Jz&d^wJXb&gA(N;8X0!n_-ABA#m%6?b~6dMYdNG4Fg2%Vx5E{ouV#
z;v_%zWok?xz(iq+n&Fk~*D8n{YGW9P^xJCv&^k=Gu8Y}X0Y#2cSl64~`O_IP9|fgx
z%}+u&2}M60c%!@AGhd52L$qJ*l@W#BZQ`h^+iYsQ$PN&7ly{!}ME<v=zd+9LK3wk`
zseC`ol05h5IH1oyq~6E2&j<j#oQ<9j<Ga#aBUWa0$W!TpkB=w|j%|mkR!K?DIBY+I
z#Gw_~yP}+m5zA3KU5^QEAly+_{73cwdqA%#4hTt2Z9u-G69<?iBB<S4u}qBFa^S)o
z*(b7+5McexcYv3QGER=8EcN*bI<`$pf4Yssw#n{%cT}@8%%Kdw$fj%JQIXJ-QQ)Z$
z+!g0)C>cTVs;P^W4P<Yb14TcW1EwW5=R3}FLB<Wj{-GN_^=FfFdJ3-qYmx8_)bj_V
zFjR7dAJ04`g{If^fL+?b+0Wfa&X6g&KexCblnIQWSc!LA(mH3__K3$Up+6p(fq#ND
z)Wv7EEMKP<_bPUU#AQhbtgTz|q1=J-lNFR;ZIaNHIq$v0r;Ra)+82e?X6)*Z{uUSE
ztwr@cY&LS$r<(sd0|*Bc77~9a#5mn3UhhN$rnSx^<j1iQ)3R9qlIgaUM%|~>z^mXD
z>Ai=Yxde`ckjjTI?F!OkF1yqXHSVWIv8$l+g6ceefO0%)1P!t7=m}*2S|Y;E*Gb|9
zMtwo9iGnp%k)R)#o!9OAK-4%;vmdP~B~^NLAU>LczQtRPFZ8KP+>{U;fy#S6@DJ9v
zDWxpIDh2ZIlj6kh9dLdBY1xy51*^+v;7Ys`*Kfn$<}#L#`w&YQRG}JV%}=jj;^6Zg
z#ndiFro&Koz?Wyc2>U$fN$w(ur^j78p$9vNA8jQv>~XdHI-J=<M6Uk+pKkK6^OzQg
zw5pcmM}tm~!%rp4(Wz)JA@Tsugaf4oStuIZ+4}IrHfTaiFTNFqJ!a3DO`#TdOf~o2
zTZ4cVL@~WKDAuD^F??rYRuh(LJbQ1HTx<N3$7lvG5M6w%$#k{Y8%sIXcpJlMY<a0$
z0>QY#`b5045Cz{VL{bZqvrx#>S0eXogFv1=t_EOMa^`cP_my0$XeaeNQ`4j_=2no#
zdnkrho0%!d`?p8~2ITX=nan#PXx_hvqXP@=*c~R1!Z2v34n>EdxuPeA^q2w3zhpUn
zqPuu=UZ2VcgRb>o<`sWl;$6mFmqK1Zv>pDMbzi)f1^Tf8>4vZjo=E@8E<QECHcHL9
z+gPth(u|7Qz1$7afj3|LZ0$5O6KvOh*eehgD!nfw&QVlw_r+)3TCpJ&Td1swl#O>b
ze7EkzIh1^~7%G~^Yq*?#OzckDA$EC1Y}{egvE}fLsDeXGmh)C$BTIKT0t<@X)D>0g
z!;{SIWW)QY>e|_!)0S`06mPj#RXUa_8es&GN{%z9DQv>faiPu$KFF+uXM`4<jhy1K
zw}9yjb-L$wz&sJTov#e<dkH}(ene91h`Y++ypDc3;DG+8OO%NDUuZv!V7}_ol5SJa
zWci4_(To-BHln_W(Q?HXo13D6^-basUhw6J6ah2;XYKm0N;XCNl|Hsybsi2`1?g&o
zA4233{$_FSUF**A<)9`_F|0xrYD+zxe+M}*)#LV$%zeG&Y|=~zYN|3<A9t*I+i+$=
zrc(&v$VmSCxy9MYnB|53f#|`siW?5M3XymDKa2Dm&es-y8k*G1VwpN#9$+Q;K8S1G
znjDUcx6kTIZ{Q`lZJ&Q+)8j*Gxz3D9BytXLc`p+*QDe)>%O->du$tB(F$+dkdQpoz
zK$53#yOxjldk>9-netmZR(YWq2d8WA71{AG7kra$zIz>67V6-mzlQ}Wy2K>zxQYB-
z(fl4y8pZ?KpC3Un%N?VS4$F?09S;)@KJqNt@!kyqEB|x^|B+o@gXb~)-NbR-ZB6qe
zng%+IY~ggb7q*z0?4$H~`D2F&8|suiM{k`6_I>%IUOuX}NQNQ*Iy4txTT8;Tb_<8S
z$nhgeI)?j>INk&RHA4Kjh|KkRD4vNkw1=~;$yBXJ3Vt(2+9-!mn;Nvw7QQhyVm5TP
zQtQ<Rp^BCG>T9*<$BXz3zTI^!<|ciVs9KF7Il#kH^gS1$UipEeO;X+=qkDh=O%_M(
zJq_4C0V}>pT6_B#rq5ON!uQ(|TxSFzVdkI(0PFrCU4GJsr=As>A#D`A4$C3ep-4zx
zd5t?`AD|sCE!A&C-d=EaI)}Dwf0$B|C9X)76n@P6m_#?+gE?M~Rl)<$pJ427W~TM{
zzVVG#N)jVvmEZSBX1wAWT<N1a&6H-t#QE7y%Y0i0_t5uQsdl}e>13UCn_q8Iuh)9>
z17)iKuH@OqN7*Z1U!D7>t+6*-roI`PinniMbmKXisy5v`2#8*W|LLkAsT{I6Gt4uS
zz70>$3SD%U2y0IStw^hg)+xfaKzXB_Gs1%GDAUv=Q@MdjsnwMe7g;vQ?5-7@U>(mp
zkIgRP$FZdyRBWGE=wy3qOTF^buCElB$r_9`bW=g&*XVw$cU-F~PYY+C7TH2bYnag8
zuZ<#twA{J3R<G!L|2CRL1cP8tKA+p@B*eFE1FdDn<7oxni6&8{MfkwGWUZIP<8-~W
zJ<y~H6`J;hcm!8dXB7K!CGVO!y<s&8v-3N1!dE^_=YOVbkO7hh8Zw3#(@|UPC`i+r
zY67B<Bo86ylahY%F+L0Z<@RJu&38w1*-HZxZwU$a+AM*fNgXWX7O<0XI|t?9&}q<~
z5zQRaSoD3UVB*l8juwh$%&LLB-K6(cPmvAI*y>){lZ+}}WpKsI#1;7y_AR-!f)m=7
z-Bq&VINWu9Ks2zb62W=JZd6VXf#CZ74PE=p8SXkFqFDvqLN_!q=AYbk6iI_#xc%ZR
z=uW(|0zZ$yT;@#g$BCcB24$>_I)~8|p6KsFRK6#!VgPOMjj`bdace@N4f_`AY73sw
zE63fQ5l~i{f`$~fZ8!h4l=RsB0c}sca9eyYY&`2y`%xto{^#3SxlT0vhxa%Sfr9ue
z+S})a`kw#h$zj935)BKBe`ZB>u}kC>ixDI3AgfK9QSpBK#!dQhy5DhVWG_`N+d9@a
zVKxJ^PR{Y6iA=#Xnf|@6)*m@LLA(L_BGCm}*Rv%mU!02))B2suMz0aT5**T8g#4((
zcR_h<*;IyLm!_Y#R)#inc$@1U<Is^!V<ot;!(7%xKM~PBHVs5Uze{Shkb8eqG{;!E
z<P;sLPSeLkzr_0MI&8ImcTG*t?1XXw`k_bRf#7fK{6PrQphU<nMJ7n>PK+2ewO8`m
zC#A5${7_>E4&wf%YE+zsP;N0n3A~^pQ{FFH$Vgu4MU?G#ppe?gbi}8Mi)n|EwK^^J
z`)Q(Ojia1TeIk|KrM`mLItF?xaO;7JjcB1HNPo$J)K%}99*>#4I0<l`^)2=K#>VN8
zJ^WkJ(r)c4e=Y~6)hhFME{f+>A+fakG!d%857ttYwltN?=0b3k(a+_(rZ?|l4L{9Y
zr=2r!GD6nJ9_wvqoUKG#Bza)@4<42!9fxGe+1$-ea=TPE3(lN+6*cgybjU+0Kk59m
z?jDG&aSNPX#>L~u*Y6q5!m2@%S{sxqjrcxv>=<qEV&WGZ$+^mjc}F?6^RB42L@=n3
z_B;Ekh_l^z>`0h33v$;64^~m@{1MMCF`eT|RX4|Bc!Pf4xv>!5h8ZsNK*LL)2Iw26
zUe|epsxBz<Uj~7T05J!NfYJ412ysU}z>jhP)tiVRBvB+mOcyxm_AFdQvTlhazI%mF
z<$IXe;5rq*lviziGgO&BPsS6OC|9pl61J`)zs?q9xViUM1#C9otZ7l3V|32%vFQia
zM>N8&RfYmJ(s!gUs7YXHezmFxJwB5>{d`h5_(6Y{_OKv#)`@s{p*3VS>{&j|z>rGQ
z)tweO_!Vy}`Lo;Vjv?ucksI!!$$`;*#kd68<q_*Yum>cJt}KfseYK|wvqx6q|E=lG
zG$EJX4v6Xs0Fc6}6_;KyVk!Fr6>_m)u){@Ljke~8;Lw87$VDVg!mY{beOOKA9fmX)
zd&2RP3DMfc_rk8?j$+M=EFBFGuStKBl6-$;ftIk&rxnVA<9hswctRe4ZEC7;6q$k<
zxUlK%Q=Q&}%Hs(?o=O(;uE4wX2R=(V?@mF-a6Q-|vNK{R8exnRQ4X8yDzDPI5=G1?
zT!-a?cq_|5_d5UDbl1=4bL4{(4AI$d4>v=^Ks9WTxEJf1%J<u^?$gQ-3#~tEMwYyS
z+2M?d30w#+Io1mABIhaa@4%DThF+lrE?UKhjagz=0TE&2$bGuaK33b1hvM*yM&5qr
zH7K#}3sBj=_FSK9LybdCL?o6>mQ3zj6H9v#DSP4RoeYT|TC3+eU&5Sv@;Cf}D_+Zz
zmL9yy35<lu6p6G(Aafn&K8Oc3cC_SJWQ*-kPKwttjR{83S($K~RIO^`DM*tg>UMTN
zCBofrnO@s<zf-=yd5ic}H>;hvv9q9QP>7?oIRNdhAzCj5Lqqga95nFzCmgk(^JkSv
z9EyLL%@Bx+^%bHrBRU;-hQUUIis&;@0!DC9E@Ky39nD5)=R4;QNiZZ$?OaO>D%J%$
zp2OkX5NW}?GB`Fm=gE;`e?=`aqoLe#d?#j66jnA~WgGN(N`$QiqHn!8&-*%cY1usq
z%>YZ5y1arAe6qab{lLF=#X?skrSRu+5{Ytimft<H@k-_bquwCsv2o}!yVKj<=k455
z7rH;wuAK=10#MQNawD%t8<U}uaK$4`(P8Tr@aypmQk>YQ!hdaH>K8>Pa0LPxXWoHL
zp?CKkVfLV)Y&s&s{O&TPf17-1ss+e0wplPDb(03ChE*RAM5e@OEF1c?T!-wSZN`sL
zTPXMS-CutnCW0p-|3KDG+O%V4fHDN><xKj|^(-<4-(6~jvyV@ULc8OUK#kjAptb_&
z>#f_ab{Vn`B?2&}c0Z7Vl*LWTNZ?>rxk2*epLVVK-OdCJ%1A(v?MfyxhRCmZB+Gzn
z&1Bqjll#N{HWIlni&URjt(VW;^iBC-@sg9?;(#JyjCDa`Xgl8$5>EG{?{9DML3%^>
zDvbfznCZ&0pf<e%_n?O_pgU6wBHG|dnLnRvJi{?-)qNQ3^?x-I$G4jz;ntitxG$e#
zAoetNrdnYM<6d}qWmqse<!CHQqe9)P(Rka)iyk3G)*l2t^q*TJ@f@Ij2F$~rw2Zm_
z=7)SfkOs|Ihb`Lslt}u1)!G<3^Ud2TsnTHv($(W$0m#!$<JR5mA<0Af(AHfdJ8mYo
zbMxozi4ItB*fpnL>?5Ih{<nN|3W1;!PIF{>M39u=1_u=@ul0*LH>ymugf_t2fZ}07
z+xI5Fvfg;>Q((AKQ#baZ?*#b4d{CoCU&D{7pb!(?Zl<H;lP6Jxd8V9oLn<tDy5=(C
z$hYz#+lbF*LcEoLDfYl!C)<Z2w0Px2N;bw2G75=`pr}Q|x0I!l7T8@jm;){21mB4g
z2FZ!7f3GppeT9__v*@&#cKF4yX_|s&Q~e>SB!mY_tck-Lv-F>ZE`N7H!7@^BPAipF
zj>C*MsiC&#kVU{Vv93LA<qI0gUXB^6OocxG*krjITpB}BvQy^tX8V43%nRPz$WLsh
zCGZG)zw?tc&=3$(v2rswO%0;9BVghIa^VuO!Q+AENlY#GU^sH*#wf?;K&9VmV{gi&
zXWD2mQ<Ty64tgI?-_F6o{0uh{Zl`rV8@kkkg_ZnW*@!9B0C}2ckdq~T1_qEpkDBPC
zN<w?<4EiG`yAzQBdAPKwgaN>UcZN6gXXR$~4l0&Ln6bX@ZR{cnFh#47n`)u|uJ&}p
z!^3!Q0xSxp-=olH=ky|#!TY%DD*gt<!wg!ZBRxLuFesaej9G2%1*g7&CgwKm7dbkx
zgd?;@`B(_|@o*6^rQ?+EQmF9Q@s4Uh%lakN&|K};Wf5>zqu%=6EMNG+Bjfz`##$@o
zEZ>ANA~h~|3h8rJEqmucU4XOn7214D2QLs=>W^RPMGGaUx&vvvovJ8JPk!{cp1fZl
z0-(L(S@eKcN~%${dnS=TD8vujR<yJk%aZ1r_G66^ZD@G8iD6E#+dHiMi#83+Czfef
z0E0Gz<hu7vS@p27+sM1-i<|esb3^2GrNKCN(iCaIcXG)KT}HWV7XyQ^=5sxACI$2b
z_1bN@{Th-ril$;Hhi=`WgLm~&seX?(*@T8nPib<k+8Lc)v6QQBg!wGVS7;tnRf%j|
z*2YD}a*S!b?>odFg$F?31coG4q<_`5R4@%RICQ0?K8d%s@79SfXY{Hg$ZP(<9{@7v
zf@#xtI<`)f?SDU}+}Bj3i|y>%`4CFq`d}e83ov``TgLM^q#Ln_?$3~;oU8qO;0F2Q
z<bt0_Aj}N)T&R1jVc`_+^sx6#IAo-<iHL;;Fx5kaTbcU!Rop}4TsdxF>$l`-n$3Gx
zeyH?o;F*N-Msxj;BNX3YAecDsv~d?Y3#m=BvKi~MbWBy4Oz*)O6JFr0hQQ{JLfC#&
zoLPj#;vrSOa93X`(!ObX@JVOTQalssR13DEnzqlf<*GTORsJcG)-<{xsnJij{Y%J*
z1H><n2pxNL?^rw4P93PFixSDIDafhEhdfL2LTEMl{7zn=E<2||$;k+h={;FZA>q6R
z-3nL?LdE1AS`U4+z0M=X1)T*7roaDKPt21XfZ(i9`AnM8fyfYMK;xHKWMH+fZ9F?C
zu=77$<;NgM2oW&ctbRqS<k3EXwmP<&mt#EG5fQL0q+*pxN-hnCF(qb<D1yU(CzOOE
zc7*ru!yR#t>!<TT12M;$BDN&wY!}#Q@K^re`myxK7aau2){Ygy#IBYYsgxiCfAhTk
zj<uL>D5U=5DNKy|gd8_#S^QeYv#8o!Ex|2RCuV19iAvfFX_>lWL^!;E@BI=-KO^3Y
zB0kBLIds22<_h0#ip*TgT*&C9wM*cFp=B>=6Gnk~5?1-S(v89^i|`9+SBB6%W1~9_
zNMjWudL8&991+a@%CVq_c8p?f(*VjB3k6w3(GTVj(~hL#?D40`><-;(`AO2OhW=@X
z-IPJrN5f`rVZGFPLjZ#@(hWT_LyyRX_OY>8KWHghKgSF5f@f&$);ao7T~4v0y|r1e
zDhFyuAzWvp&seVB7r&i`)yRoJNh^cc<T`0aR8hsJbEd1^Wbt3anI)m1i7(i&>gHrD
zVn$V7S13h)*n4mu_e@s{c(7fF9T|?%e?5?9@IN;z`XU-iJgY6@>%Y@1_Ds8Q$2s-F
z9*Op`>#K%NKk2Zqf<528uEOl@=gr1v*7dk+Q@lTVA-CU|jM<yCA$E3WcYjF*R^Y`>
zwqx})4|&VoPi=2J-};&@b+TV%b<j^mV;|Vx*4s<lN1j$HCyx?qbszrYU=UQszx)-j
zD?f!2=!66boiIV!N7^$bS>eLr-KkN-{h8<qZ<2dDWSLHdq34Q<Ay;ge!$UeHri#bH
z4xx0dkzg-;9?^_<VZReNvg>LOXCLg-3Ooo?`6$BlfemusWTNzKVq}d2Pra|F05U-)
z=L7AEx=(;0Y;4`qkFkw;-o?v2kt8;%9~DKu)-c&-6Q=P15(lH~N{3~|j?EcdQytl<
zl!m^M{th_|l_pfkDe(xPCH=+#*Q|Q)MftoO%757D`Z^=sa73+fhaqSiiMAkc1o%w0
zRO`xDKGH)1-ybp<;KU%|v#$0OO8ZOCI$f9?x2kD0Z?Dl!J}Om9rl+{yH{2K_6{wOT
z<jl>Mbx(_NQ`56>EQifKi6XUlK8Nej&OdkgyJg4WY*!DPlN%~NUt)OxtfMGC=6%-q
zg?otwEVVwOLRluj-@bq^5cIhdd>3tI2y8k?uG*4cNXxYc8TU$Rm~z?@h&%Z85>~<l
z<?56v(-l2`k>4Y9hG2HE_MtP9qRB5nLfLH`?4h0~dZrBia0LA}Ce&Yq7~7X27}i1w
zU9hD;$i7S$%GrbGA?OSdXe-`QkOj<)In?8=TJSY>BLE%ow82q)v=vM%=`;|33X5ky
zRqu#MN1cChEubmrPd^|h$L}HYgz+~Uyv`M8UJ(#0MX>*?|6{|yKcHj?Pw1tsufv|w
zbR_){*3nI{#?5Vq!tzOG2w*MaZfK0O<^GMwr?_?cUMZa;oG}rQ2CJxcGe<8z1`Xsf
zcYC0Q#$(}Vlhez)&U90W$TknDjr6aeu|sMDdW4-e!rSbEz1yr*?!WCVzRLnebNfqP
zf1Gq`V9S<fUFQjFO&}cCocR!($(#FjPj_J2z3*(}68ot_XK6<jnw$7*IFI;t-#;L>
zdYB&}0zGw^5(3}u`^@3w0W6MR3McUN7|>$`=o$^-D{-dhY~i~d!5aw|zG`AgrHAO)
zRSSO7<LW+;Npb}z@QJ0|3E5L8JzokdG+ieAbBV`CmQ=;wqL~D*9p38)BNDlRY-r?!
z!RD_ooL3Yab<4Mh5~>|${k-%?tZpREth3Y{)5=ceStF(+0h1LGZ9h)OfUCFiPFw8g
zP%R7JswLYI(UQe>ZTs$c&oawNG|5NNH69R?WRlHc1=#ew?ONios5xeh{6{HN@Tz^D
zvq|ZF`@Ic02P~uJC6{DsyfG72hAfq4;}FAYUBFM-^wD>wYfP9w^BR<cm$O3>6`s|}
zy%V(`Mye&=g;xc#1$_;F3V5%!Uxzc#t|$T_{dtH9vSBa&uanaWL!6urdQIV#nA%H5
zIx>`Jk}A93L}sr9rj<~arT4zW^<Em5tYE`#A35hu_tGM%>NS1oKVZkU)JibrXvi5O
zQ0t9x$)98A$MF<JI8IJ<#VI#u$cfxZ-vn@2M$iF4HJ)<-(1&wgavn7~=2<S$l16t`
z$RPPC@IxU3po}Cq>``h-5I;m6M-Bh2r6b?uQ_*D4b%gp~%CQjX#F;iT9oP+-c}&+P
zjumYFN&(P;X^71-S|cuR8QCV@tDK}c%bR&tewxg~J&XwWl@N_W=1qoVY`uTKWUIs%
zY(sX5q#}^UN9#tnZaF`!Pws&J18KK*5Zj%})12Jfp|{22gge6FdeeAdr-43#{Z`E?
zUz$bkbe%*tmfPt<9V9om=dQX_-g&1l9Q!!CC^WH+qV7@k3<!`HZIl#?^p5Que=3Fv
zmHT~@+OLGz!zQuOHB$VN-ttD$GGiwLN#y{vGMDL=k((0LRd)VJ5MY5R%4r(+$d}XS
z0@6+*@xGpZk*xZf&_R8+Pgj#-KvC7HY8VNATDr*qt|PE_#C9&VUHJ9hURC`SXL)tX
zIry=8X_L9i>+Qc&P(aSN`mp7x)#&j&Ii&{&?&$FNDa8QQV^>k}+OX#FNW8c>b!0}H
zcsV;W=lFg%;!V4+W<oB+YTL7)p@=NF6Ub7qcGE<;KV8b9HO7jWpU?IFA}g*@{UN|m
zP_#Orv1*NWQev>}r8mt#=(aF<q0++{VbdI$d&1kr`(6mWlgj_vC7jy4-pnN5paXli
zUUWSA1Y%B?-v!NM)^WDX_XxHw-v`Z)qiMW>DX2(@w6O&-I^FfCTCGq#Nr^_CmDC9&
zZnrz529S<R;~^=>8UT=37knnHl>{sIPU<LTGZc=j#tX&p^~{&e)6eQ5TqiJox2VA0
zoSpyVqirh9uc?Y`G8{1jHPUkerVhgj^@$3oVgdBVwXrym+jad5X80}MSp}c-vl!ix
z)2^JJ$hY!`z=2N326>r68d(#ZjvjBrr{ouIwIz`$CL<-%QABQMQ++Q%t<pJuZeJ+`
zw&|XBX(&Oli-PK>i_V}6@7S_S-ifi?C~Kv%Q`IEvIB#lA0ST%HRt45i(>{L!|EI8~
zhrZ;E(AAJ^--3kJPhVh2!QW-2g@0-`u*1YV$cmub-*7~c^{7XiGSWu@-%9*`yssxP
zWd+`T*^m(^g6zF_?p)!8#AhgH>xVL9Hpl9;!^oH{$c`9ja(U&luHmDgcK+kYKdfL#
z*$Vc47gZf+wNbzPWu<2T{1~jX4k>M)dcxK%XQrl{1r<eSdw=osWekw56B-L*Cw))3
zoBUDeB|b4d%juiFk0S*y7Yo{}fVuY!@~CdPB`?5nj|oKtr|-{2>T#;n7)`g|fL_QG
zluk_5n#jEOvkRtiRgu+VBLL^u^*}R*?5BfII(G<2Lu)_KMo3=T(HzX|MwgtFB9`(W
zE9wlJxP|NSml6X@b>8CX3>FaTKV1o=*gSpKz)+Y{ph;*#v^|`O>iM1hLV`Ipxy7au
zPk5CvITELRiU8_-7C=z#E;N7|NUbcyit)$y&D?N<jZ*CZlh{6Z$qPKZvdUhUp3OqL
zwkCd=g?=Mhg#5LK47KnPt&4SsX}@ZCTW!c5U2#;d)iVAl&5bFV7oGB9CEbB-(eQEl
zZ{pLTfsVmZzH?a^N`xM%kX`=~qGLJ!xC8mj9vf<$SF}rzeu$&VFBmB9lBGgj=gQf5
zMib7z7%yK=y)gy!ClPLaG9FrY!;I%m%V!jgjgSYrY6o1M<hUG5ox5GdnGda7tL`9E
zn3~<^cXBpng>|KvXnpT5hVPfP>~+k3x7)DKTMd~GX|(W|qU)>m_iJYljNHuH5Qs!{
zP-AE^?lwSkF723}#Lz9yoMGs^#aF4Lm=p2NccS<B&84#DOw(>^xKhg6%oF@E+hy}X
z(CP-=eM+5wZ>{yRMqr}IJ8zLtVaE==xrQDJ-8%c}Y>W@26Y*knJGYqeJNn;Sia$vp
z@aKAT#LIun(O~04h3Rv2i-FVPBuqjuI+0fM_3kM|1z{lVR^1i-%46S!L3j`|(w0;@
zUB7_Z*~zwg$z6?m*4(un!9z^&4tye@(*6PCI1?vkg*hPD#bB8(vD_YglfrrmWE8;^
zz**m6U64($Rd|&cIF%<xSWdJ!oB7L>zKLvGcGE{zK)Rc+5Rk50+9wv1rlrHN`90T^
zng+O=$l6kS$u*<ThwKkBIPT$NXm(=4JoU2WqUkcy>Q~l7`&9(0p9l4g>_D|tcWkVP
zv)pDESF+62p7{7<c|7bmm(0;E2*i6>S_PAmRtacUB?~;mseow}F7mMIXOb_HL1JZR
zB_1Z1zcgviaXye#SN}8H?%E}V$b#%{9Gm}pl<+SjB=naN6~wM4qSxacSuK9-P+86R
z*%xwGO6YGY@+LqSCcu$&#7I4<#NBZsiR5`rvhZui=S*xTlrSr*+<P#>$NsgiQNv2#
z=`oc)3{!5+1O1DWJeB2PJq%>*U=*6|c*_&;-x^8m$hRu|k(K=EAX|#zwCpPKjW7+(
zWkI>bne=N?$FG~Oma~|9R-U$?iLX-n2{YoqoJFTfNgli{pQt(Ms-SkgW*grqaay7o
zCh2w>J}rDyw`qoGz#P@i8crF5E)OqSX_hZFj6nG8+RHSA3pLE&MJ;ZaSy<|`rzPBm
zj}ZDx?ZeNA9DUOW>+5GHt4=~z25cM+l2bS{zMJ1xfWG;}IQiQvKikcE9`~di#;L1c
zChK8p8i+URHb1tG=n}6}b;;gG<0=4BvDnD_fh?Ki-U^Hb;LZqyO@uR?45>l1`}NOm
zBkk7`r<K#AnN^<FTK7Rp;G|QZC@l|f;DOJL&_KdK+6AVzLBv2xl@wMR<%4kqPv5B#
zhEZWH;!RyCF$@WNmM=jzFMs*}F5Qe_Ld@G7v6^J%pIP632qjd(Kyk#h)wxqP7gsQe
z<+;7yDyo41!4eIn?e~NO40_{$%jugth3Yk)1T;=?r2LpWSzE!D^288f+2UhmG#R?j
z@Vom#djp`-PxlvX3A__Hj_bA<iY0p-ZZxTL-bmq9<rqC~$;^wuPF4bCa#c$HrXfAF
z;22)OF{vK;E=4k5qa?`^xw2@1vhsouHG&Aa2dNQdx9oLtu=V*(@kXQh+(M>W<R#-d
zU%U^dOUubaZrBv3?>0HOk<Ec=2}+dl+?(7;-WKCXhGw#jOYz|L+sApoA#T;8!^d#L
z>TG9SS?M<s4Var6;;}U7on%OM(AkuX8;R@flk8w>6SZa_y}XAk`Q{bhIPMwS*4Ou|
zB?z|El4285zen6ZU=TbklA7AaaTL{Pa#EZmNIEr&%{K;ciE=dkuv^Fw+S!2buPWR^
z#GdR#1jIRyM`;7!J1~V^#>@13oA}e?D`ZmMzSD#!pplJ%@2j4u6ihP-f#b6LJjyT7
z)*;g7QsIq=oHFo4Ti+zYc%x8*`SNZHB5IMpd8H@&)o#}NV4~RYB>ANuY!vsfl<xE^
z^lgtijR0VC(3yt)G2KrPEH!U{Kc*baPGBCA7=TnV|3j=BZRAVES+h&<=SvL}I^1uF
zk)Dz-8UHvhBpb6qZ%+z`@CSGP{x4G?^dA)yOfMqhSZ>rT8|Q!etLGBr7gqe9V5Pj|
zj^hUhxUAT)yVm>9v)PXyD^R)ClRRD(WAz`LO0PsGBy+9OK^Ztb%5xKSUnkD^5xFZu
z#CG~V4&S98o0nIE_{vB^m+Ct;ZN*}3r>OyOb<`q-sEJ25_#eY1SM}iHVpj4_wv%(+
z?^qg;^@HZ5WYMW_tAJ&*=2EfTs48`-Njyr33X8H4@3Vr~X3SYNU~$gEbGYC$r^!9D
z-kDvxy}wQ$D$fI>L0fB$^bni0NXlwPa1JN02)i%uX__cJ^1(<AvXeopJf&#12??y_
z3E26+H0cs>6b(?Mi)IOZPa=7o7-)yDN*dCK@2QPALds2{YPPeztRnI~HeQ6=CWSKu
zXdlh}cACkbgrDI0<Qj#%KCipNL;pvROE8Rz)t%Q45uKs8ogB%w?qDJZ8Oxm?p&MMp
zkTF`tL<p~3-C_LvOMR-ty|<sKpkX{Vo<n8ndmzievBYY8<d1bv;BC#o=->)YmQyqr
z^DYzT3F{8o$2>Pt-elXMbCHw+vRteg(l`#^ZL%lVi1pzlA84$)Zb8zn3GdNfPe_A3
zBXv7JJS2;DkI1-ick*KD{W+0;cdhJAPDz==4Q)sD(HgC`CxLn0RS4Vu3K$vvJbSmJ
z%$mjcc8+0yc<u}XvymL>wD6%b4<$Qfy87kQ;x(6$?qmMHdgFN{NC2r;_w}@fXekJF
zaR{m|Kl7Lw(w<_y?g5CrVSX#71V#?~Yh~(weqopiPD@v6QTn@;gsCg70agz*ME;|K
zf_-uD`lVCKu)xGYC6W&v8<9J+$?YAN?n!CCfnj1-BO^%+aKM;x57nJWOwT&9+1?pX
z>RUHH1j~CyGi6t2#a{N?>=1B$HK}6Mfc178Tv6oV6#mG9ehS|oHq1QioB(LK0{QKJ
zPRK?a9XXO1w9FIka@>tn7Jrk}CW4Ey-kzQCkpZ_Z>LLt+nHvgt&-_~81&7Dh_OglQ
z)FhI~FrEqEbclEtCYdm$!%<O}l$m0(g|D0wi@A4=vmUZ^*%`dIhJq?zfbZ9b$!yjw
z(K^S~8OBL|p=3T{%LDhVNH74}9~Cbl?`YkjG9hv%gpgqk<J-#;FyaIsx1OAxv2KTU
zb^-O=st=-8Jk?$lF{Rw6eX^LWldbQR$<G|80)^ZoX?!a8tc65*xP49O24hMYWajda
zWvB*7u7W0|1dKhL;KlgjqkMz8#)}=5HH%mw;jeu-`p9(%=JkH8&V?Wwn;L%-T4dRY
zB>;ayD>1iar7z{%@kI&uNxxvB)?EBP!*h!1Y~@r?ETB|F)`q30{?R>f3o}?R`2IK(
ziF4=i6W(H3`$yPOYWV!_yE1{Np3}+^nH5Xw8o_Qh<wVfh2t_GK2}&BZ3o-Avn=%+`
zQI1akvY;Cl95u?Ur#_@z(V-aAE82~Vv2jfDcSi)Gip38vdn4!TZGVyU3Q<y!<#4xB
z9w`+QXraYBJL>cUg3#1;lU4NvA|dwkGtiG?df`^CIF2k`oU98)>Z#{nJiRbKj?0GH
z;&EF@UuZ$>QGbOFIxKdCse*>Gv6tCQ`SFlyBOdK#voP=R(w2GVotRRv)%Z*`zoT%^
zrIchTqAMB>FGD;{YQY~y0D{*XY*L(1>wGb`$o+_U&+LGv2^Y%{M~*U_CgQ+_P)j~0
zmM|2XgS@E?fiK0CWe(}4Za<?_6d7R@(X#g!NNNGSWo~_l;zRI&fu>44R=JUusv7_&
zQBe-PJP*;t7N8I-ekh_>%#sdF^h`xO=5=CN%N~eC7=oP%TKLRTu||){->eu@DXLBT
z0t!s(84B$YW}S(VtV$IIPbAPZ?la+XTQ1+iu=SN4n{JC;x6Hb)lbmQQNSNb2jKIl3
zw&I$|d<GkbZy}T}F|MaQl<)Tf+V&wAsL^1eRepJGTg_3!vD*i$Jpo*Q;`r3<xoB;y
zptgZ`j=D>%V23zvXhhr3EEo1GD;@X>_##yLFHR)__fw~EB7P5-%?HFHT|$_{0Pw<0
zPhDuztlQz{y8pZfuu?#r*O>*D(PSjO=wnjiv-@pDw)*MG`o}3tat*A<Pl<l`@Q$;k
zH(Q{;`2IloVA0)|hth*(D&JeGfo2_)<1~|sB$B7BjWh+hVBpQxS%+^}wlfiEt*i^V
zkgY^H+B#Ok8y@(`@UN&-F9HE+77alXuM{&hG{0?A!>JF~YMAm?mG)Y8@yTJ4+Rv!d
z9rDjn@THxruj*?H*dHu8FfUrZYS5X9w8S9a)3<D6O7Vf8hYRONhxQ%*M+;zG;Z-(f
z)ZfphufCR2xsL;!q}13%sJmPF0}<v<7`r=m7j3R854xVWc+tagbzVs)%jeckyh2`B
z^1W4Aq~|VnqLmCs&IlZjlv3u7IH{=xENF5mzEk6Qa1%ruK=9?#I@TkGr)VNl7*BZ6
zF(N#NAU|vj?VN(ZmgbMBMU)I~lml4iK5W3p7R0ebE6tC27LR&Y#0Zx^uy&gZV3`j1
zkcC15{6)3DG^o56=Q(o$W$ZM@UiRiKS|vmsoHSKvmS$P&+87CXv;#>(EakpUwWjVm
zQTi)7g&7V@73{F?)271a&ge^2`{gt))hFCWNd_9DiG*}icg^E1q{HZwR?J#%+gKJA
zce7osPb}x<o-l~ED!}4FXXdbBht*De>cJB*K{K<t0Nj9b_PhgTOy8H=I)K$2OxbEg
z;x3}HKm9HlMU&pLcerQDX|v`)a)2i#O^;4XDOSZNO(k7RI{#0zRKB}wV1eGlTVEEW
z^W3)?U1c&|25;#OG{|KCke<*RBUN`0fjo9Rnmp;|W9YNRMCqs<4tV6=h5Ii3Q=Dw1
z0U*r=`-z)f6ZxlT_y#hFG;{jqq7cL9Mcxl^iDo72-*SjqdEAMY51bt#JZt}tNXx3>
zk{4c-D=XANp1iyEf%{lKb7%ih@$B*7EmZ2JE9&l>CkN~^+Z&NEiIbIR1VSNU2T~!U
zp)bi+*O&T$S3A=R_Zm3n3O^>a%H10zX1nRIXTJ#pX(D~V%mZ|l2|O-V2#5`R*CD0h
znZ>9d!$QE;w%8Xo)0t($QbgW6e%E5I^gLq5F|p3=IKFrJ7FCr77~m8mJK{?Flagi?
z8&OSlH_`3|mDcy+tVoy$hv_;SXy6$mi*Kh4kN-Q!!!;w%*ko9pE@JN;w{>9<$+ZXS
z?{b|D<yI<O73`?-TgU?~v@e@`x5{<%*}g=y`cEhW&$s74@B^>-B7(y%z@v6#D=&O%
zCgIcyQK89=QZ18(Zw6Z|RLLs-U@K*h34@O=w=r#@lJcON(RXu*8ao+z3ZrzNo+owQ
z?j%!YSJHnEtel()&Cq$#&R#&`?VK{R0FI34I8W8@sUv=jF&0W6H0dTo7&y>XX^{#3
zEQNMR7xBo$u|=i-$l2Ds^n+v{0*(gHA2z>Oi8fDR79d(1^TLFEQhPq>VL0BkESB7L
zIK$dz8x+|7XYgkK1i{^J!PhO#3ur04FdAwpWw)qPx1&^poBExLDC_N92#xPr?h9@*
z?S;5pKinX4Lyvy<1Edv#O)(&%tt39qzI=~2n`UlbohT9%U&3+!C9yMx_DkFpsqvkQ
z_tF(><H(r85!K)Mj&RrUDj7LGQ%8Ly7#z>^y&*-~Tak~FEU+$}lk7c73c&t&yRJ%U
zVt((p6K38E@JNE@{JR6*Lrz5@shQSJ9pr)35NIaYTykj0O+7XPf(yWMSkf^VBkVs3
zTYSXEq;gZ#*W`z)H5R#%rLS;dEFN}DOAM!VpHA0ntwM%UQK@J&wKe$FNnV%-Nb;yP
zO_rmWx#XqFNt(~Jw3n$K^7S#49a&uMP6hTgT^i|_TZVCeb4i`Uqh@(bx{oMT?kA2m
z-)!s471{>PC(PZA7;1M<G`qcUeqUy|7^fCEb_0DNZylbtcDW{p&SIN#`?GjH@v@iD
zq?h&w*ADsS1}U-@f8^?-S6|yN^c3q`5d3u0ss!YT#I6j!%hp~U+Oq7vQdY$&arPm-
zFw0T>$ffqs*(OcrPVY1_-|)m5G1VIUVhpT-_y9__iKxyyUxwo9(+CVKUNaMacI8C#
znmeXA0<VfZ>mcSh8aquzxrm=bBiE3no&TXcW4$f~AZiL!LHzE0q#t&`tT^xE-4Wa4
zb!hLO>v{~8XBQskLpq~{*Thf%4!TLqFkL{SIlf$5)Gke@v)_wnWi)~Q?93g45&f2~
zE_`)gcIYv>27k*kyaejiri+KxE!V1tF}i*D?-70+dt@5`$#w8FlalT;M$@qGE_g7{
zO<K$(22*QfJf-`cJ9?Wo+KkfmCpJa?IZ{i8Nn?E>ZY5_WUf1*z1^p-Z&2vt2u*oEE
zRHTFOO-B*9-IUwD?SraM=HVu{5--)GeQSf6%c`bo4Zu)TBTAd+L#bRRtBmHZS(McJ
zuzD5W5C@Thdp2viHnmMH32}U%dWWi}FI}>O^$X3%EY;3lUy>V4MZdiJ1BI7nO+KW~
zuMUkbf=^-i8fw1){)Jg;{04k+bv*C%cl(p3l-393R6CTx(hNLu6d;0SbFfHXHp2ek
zv6?Q^95Q*m1o^VuIo*3oT$Qcz!mGKvgnB{kZ7clS(E7lYQy~eLY{}gbjW#=c+g9@t
z4j%)e>Yu+HF%;KnG{j8WiC5(#_J{b5owtcU+x~8+tZ%|X<Rl&_c=`di<#fX*n5pm#
zULTWoPYbt%MITAh-?6jZHuK_(`aNl77uN;toeUY|ob{c-Je~Zz^23F+4NL<=>zfcy
zXB8z?dkC@Du?a4InEi9*%s`mk6adWLX79U0`i7^rjPi<|lL&TIEj+&y%p?V=OI-ii
z*5g<iywIGRw5*t1Ilq6qabNv92cd;exj=c4+m*pIBunqHv}I8!jPpT#rGgSd?GY%a
zeUrq3Qomn*VM|Qbw2){1@;$7AO}giCJUZZ*pNb4AF<HGp@2Q{jb7#=!&1bekfO(*c
zDaq_5CmGyts_T5o*563nIb=1W*dwQ!*T-XBE-qIda(4(cYD)JbV2!f2T1RK(vaSVd
zqIMSRy}9T51@T4P!ES;9Ums)5=i_oN6lP}*02aFQOk7Y`L&kUsjcI*_P9Yye+5<b*
zvd%*7rP<OBXi8Y_ok*wIGyo_}yyOw<Fi}a%M<jlvkE8o0_7(Jpd;Y*Utm>&W%H0}H
zw1~c$JWK}GgQmm_c#+5qfOh?v^G0KtIdM_oTEgoD>&(aOmOWVe;MvTjU*%`<VTX#j
z*Ed4BDPObAG3(XrEx0m$8sF;;;?b`A(r^_oiVCDQ610sP>)Q+mluCXa?n(z2@ZCDY
z;29f&Q(JT1uS!EQ-5>YV6VVyC=DfO3=?L5bjys=obUKw~|Cd2*=HJD&u3BFbN-_;`
z?J7Fx8qu^867^-n?2L{?{B+I|n0u^#sdW$!{m<1=f5Bv=mbIghZLPk18z>_8Dci#l
zVpddNZohN2*U_siTFg;dM4n{Jeghhp=4nf++APW`#2&UuyB>wp!2oK}uXDrtTK9V>
zX5`D=9PViZ&t+MV#|XTgv|WvaEi!mOtTWmlwJ>%~jnCjt6)=`!o-2rBNDKhwDu!{(
z9juh+GU-a(bj7ujQ(BucDn-{G^<=(2bKmivgkcJ3)X4f0t(}0-**=(fMJpZS^9o~N
zmnD!Inp5T5*ur(ALC**uQQh>s3G(Ei*cxTu;!%(nlcP6`YHdC?&B#N+MjHv16s@qv
zkr9n#yazVg<6aBA)bkW@!E|&*|De+|Wf&rZF4M;}pFoo)p#th~c1*}9QrmM+ScTUm
zQK_xj`x#8IfDqV{F!LcmYiYqZ!V5>Lq}K43Yw5F;QddBLNds+sUL(#SIO{kie@=o+
zdqO(^RyDd7NkbIoVOD9Ew#Mw}RxOeV8X<k9xqSVFX2<R`06vUaJf}-ijCS*5OY?AQ
zCRvU6+#wkG^51$IW6-atpnuul`x6%y>@L5iR4V?gr3_vwW^(<_tQ`C_4ynXHVL~Gw
z{mKdgE)!Hn>8=9;nY{^)E}tp?P96q?a^@4qo!A@5e2VK3c;zV`Szo{M7Dn{$!tX9d
z%<=LM4Pr%SKew9i-6gQfwSI35&p(X@*o75U)k^rrkYiG#H2hb5Fh~~hvLftrh8$2d
zy$xkt`75EYSW+|K6hf$-yTLB7tk%qyN@N1%C_{iaTD3Nl79LwAfsyB?$krO~Iyg&l
zzuyf=PbJ&5f}{!pBVhGw;^OzfHkE}$DrE)kpuNp$ZEKKcQ$AeZvUZ_DPWbzz%aA2w
zwK2PPODzFE94LLjqiDFa6pu^pnp7l8>{ky9W>!&V!XM&n{FMFbK?aA!+-}1(+9IjT
z3!cDm5C^v*)=beuc5ElGz@puBpP())un3o%=XxW)`**0@++9v~fzKD@>u-oD62%WY
zTrb<l1GwALcj{6UH8<%mh`te(-12Jq*rmT2=I_9a9P`Wak5Py@o$LRkNCOKP%9IZu
zypetLA*qcE8VArtEPwDPT9WLqCWS0~-@J2ZzvKS+ULQ;2<nrr%UWWL^3d>c{G;-5A
zf1hO7tBm-`AJsJkukk5$DF6R)_0>^Pe%t$`bP3W864D^ujY>G8bPplj-95C3N`o{C
z3=BEskOR^^(k0#9@Eh;_-0!;gx7PXNg~eLD?>^`3{XEa!XP+l8mQr-{E>1GvhVNC#
zKEmJIHyuPj|EMC~xPJM3vv{&H=FD=A{oQU%t!*y-CwosX)}PpP>)W-<6tu+LBbC_Y
zfHzOW6n<*x6BJ18@roU1hN%z81!c^7zvmuq%e^lD^0^`<uuuKQHEKx!us+(yCOI-A
z5r1T`<H+e!MExzYVg2{is{b^mk>9=-D4%7x`+Dz7jb!DF-dvzrb(Fm7g*!0GYX~$c
zvd(Q!k69Z3;z?k`G&6b4pOm5RgvQrfhrp?qxbB=cR<`rDpMrHo<}sRHCHxE+jC*fc
zm(z(WrMhUeU<&6s_D1(z1k}7qmUQfmt~r0l5a*G)?_1u<u60HEJak8we9!M+>h`}g
zW|8fdT&em~{Yn4Tnd(hc`^QZ7H`6}OiAcj6Jw=;E*~^!D2ZogfJ>^0vDRpQnw7#-M
zraMqDxIZd}0+IKX*BHOnneh=(x@o%-QTpV}EUi8x%hGMBoWZQ+M7`>r-`V;jd=;WW
zQ%IiuT)z}J5UVFX9GQIrPE0)|%QWLo{>rY0Tc^y|FVB^4WwgHc{l5Clv4A&z0%uS}
zwgjZasXw%u8bnvgKmyJ$A2d7XwzA6q7Dh`WGjjNSVNE*jD4SrWOeBV1eIrh9<6DAU
zZCke75M4vEFkbh3>0kx_hf!r+L<4qfPNG1^jcTkO?GrL+-tAlZahaNWn%Ca44Z8;9
z9X#CM=Xxu-i96sdmy|Vs*oGoO%e>u^&!{SQt?zzB%!coLczqXh;;5}PW7hk6OMl65
zO~y&rBs$=X5o1S26ObD#Hr@4ak>>B-=lXl1?OAn@(cgGXg=TPMM_@G~BpJuxV}PyJ
z<5(Y{Nc%Q07TQk!i<CPhS}X--^$vr(DI+if@cw4aNk_v#_Yrw36t)oyhLTU!vH05#
z47CD%M+sAw_pLt?+XqSbKT|YoCPRy}NL_J!nJjd#<%?WMx62T-9!Z*3>xuo|@WQC|
z%N}~M8bPMxHyTqprCw;sx|z~B)m=`naC~NUp@~kfeqyH1uoQgBR!SB<g%i4?%`)H4
z*OI|zemPhvAH4!B*qSxWr3)O-ZAi%3I(m&W+iS1sC(w+&4?83O_2h@RPR^3KOU{%(
zqx%PElJEUfS?Vd;dP*_~D{{e?&Awb@&O!K%33QT$vr0V|RLJI9aexY6Cd176GRx!~
zHFHd<6Zu6`caj1exZ^t@1)3?4Kbl&M*`^wv_rA2LL2bPfCB5{;n~(61UvD)c?(5*m
zv~SNoz3?M^9m^Q8$LM^+Di+$TUpaA+-jGmN*_Nx+wClUq=~FND8~SRQ%jr6+SLR#r
z=zs9`6$%n>2cb|t{_Qa`$c|<pg}k`u^AM|I)FvzUN~wMIwZn|t^lM&=A<#USM<n+u
z)N=+a?nWe2Q-7&=vcbS3_-NrFx=cxKfzq?-TTO%V!6Kk<sjR#q_wUUvU{o}{j*R`h
zzGv9W?l2!PD(#|@s@VYvv3~xp&TC<ZH${`8PrE?)4#_iS&J4)YZFX^el^j+GD-#5B
z`ZzIcqUz7fXHK$2+vT^<>swSYu@Y4jkT|=dTIq8vzlOCtkk(vNrjxpBFH!l<!Z%A@
z>o@tpaop2Xfw`{N{>72Y&$V3y50qa%XJZOtQnp%<J`k{;9TviBxEpxaNJ!7&Ps-t6
zw4w0~cp{@c8*#S4$Os&OH}ox~O-7w%M<~%w0tbN}jN7{-Fv3V0hF-mB0W{txo>$94
zYg7*JK1KOOxWpMU%L`Rcff+JSK7`^h2Ni`Sn5Nuxn(RKrhGjtt{UfBg<qoRJmcvyz
zOAE=|487UecW{7j`4ieit&J^o)BD;||L_WVh4!W1m~`M(o0@vi+(TTCh>%j~-zwz)
zNzD}}$i;&CEM!QhW7DfT6)~!`VG}C861@|CjRfL8dbY=AB=g-r577rJ7c;}Qc_;+U
z1E15xik~dXJxCl&X1AqX0BW}?<Tn^{#~X~9=jMbK&oaEw?|hK|sj3#+1AyYim{@yF
zRfd{c|6`F~)r^yv*qljnb)&<bMSYfCFEw`WdBYD*#M{dB>K%0VzL_u-anx67{lIgh
zw6NzTYEmS;wKIJc`Z^{`pZYw=Cir*PvSV<XxN{P+K26oI?dgsat$lbb(fU<w;MLAt
z1yFx&E@~cwBjkdaqJLS0_QWGWt&#KdM{Wz!{G&&kL+NIk-f@Q^#lt@uKB>v|KaoA1
znwm=d56W*THU{n?HPZnZ`a<>#Z4DafgZ<@$v4bFd23+45dK8;Oib4evCUi7L<r+ZG
z7X{|f@XajrcfW0rJuv!@Gmp+De8qc7A3tv*9>T-eMv^t%V<*`rS$;~H0_P<n7YW1y
zM2FVxNj6+iO4fgBtQArYE%+RV8{VwuR<uetec6|q_<ehQi%r+@T$j7^9-m}hWbi{G
zU31QA)9gy!v*Rn{$>MrU5j{p5uo*WLa?{>oePkezD4xi>Syxo+#T9uS-lNz8RshkR
z8+D_GL<0^3Ok)qTHqy-QujKQ?$Y12h)}Pam5TlY1hhAZ@-ob53bYnxXjZjfzL%Hyj
zy&nyR7ECIeFhT8{cl$w@HiEa&e{xSWpz^_fffzO%I`EsTwVDB04%zzqlcWz4P|?&k
z2Pv6xSFy4fczWAIw<tA9c00qL4)%>fZCaxZ3H8wr=e@|IV>@y`I+z*Jfb8uwuHiHp
z1&PbFx4*VSnEB%{I5cYw$=3t!u9CoYr}LNu*d)+ot&Y#@3P(dzS>h>?%U4#cw)Jn-
z=AXE4kIBbnG(viQgDR?;(m(pkxiX`+aof{sM{qGSQ!WV!dd-TE>iZD-j9zELRoKNA
zO2S<;;4&j~SeSwj_mc%eLK|?1>dH&YPyD#z)-;R$RFQnREonp>0e^I5I4%SY=#uBJ
zF`Imk_2#=*(cuZHgB1?vX0GUrWbakaQki{Wh~<xuW(iBf2XEqv_;^hlL<+{nOtLO&
z;$6p{>4G!$Oq8Ww%CZ0~_h_9WNp2i=AM7V_qBsVxPUH=6fjz1%R;Oy(W)U(6=&W--
zT_J$q>n_2+yu5yubzMfhSD~97wC5VY_8_Wvofl&{_`I=$K$;9W+%@Dn4~@KGnkE><
z2`IoEcPGd@57FtL2NQ;GoQk4ko6>R0M}Cna((izGrDMY8M?GG2Oa8>J$5@-HJnOHW
zzm?-E-}`6c9UNE>eTXw+x*tn959eZQe>im^y%;i?n94N1^eA%@H5q<-Rtfzf(Si+X
zZz1^}65$sYgnoW-q_zrA6ZMc-5@!j?ya_6a!G7Bv%zSaWfMpwSl>hq|ky%UfFwF^>
z9&w!=Gr^8s^@bz)qvoz+2F^QTzn=|l-4J5a*T<Jbz-AJ9xM|ScFIS`1p8Dee-v_ak
z?&u+=+1fCPLNX}jl4O4ZnvJ>nP`-;V{jq3MP?y>}xQxFx$DLdGyIQuCm$ad@MC<mK
z0*-oyUrudm4e9Uol%#b@D}aQG!&Y&xttW-xwL_-0!Q3=gxu6y@Z>CYeQNKAVhCS~l
zpk{i$?{3j(#>#!xP}+1@R%R=U4q@kP7IW`SAd76u2!7b(1EbgoMtTkBzAdE3+b1Fn
zgE*fuAOuaGRGEd|)vUj;!&vg@$gbpOP6yoVXH%$|_?Uyuig~JJ_?OsK>Y7pmGuFaB
zcLyJ>(UZV6&o3x`GknHTX*~|aO+FUqSFfJQ>h?$LaTcURc&LwCx9VUZ>v)vRny}Tb
zvcV7U?3K+9a4cPfeqyt8u!QPTymksCIkqPY(uPtAUAm~EFs2UZy=>?aIZcv~8NMrf
zB8oAZRHU%T!_?_daBonMDS6Bg#v=BkanTBTlYOu+GCwb@<Oa(O1~&P=MBI6vAeRvZ
z$#Q~0EN2j&C>Keb_{nS>g|G^YG!%zTZj*6Mc2^4)+ING&Fm!Xk8{10e$4Ry<A1azs
zvNZrT1-+bFe_OtCS*`)foX(>p)lOh$37B4cpwgnojgJFEYqzQS9yey4b2HE@Yz}IU
zgNK(Bd?id2S47RDSEaTM%IEKBJ$anj-JDfyapp8T;su8EjH%Y2Z_4zpf@cseGLn-7
z+3<w5GzAN40D#PFAd`r(-1$4hT5qe$x|$8^CiUj4J(#cfh#0+ttjn-PP?Ccy8JH;^
zQiMLCWCHTP#)SGXnQ3<ypZ*3vCsXD`nE)hhx;)e*c-=Sdz)-I*chZAvOcw21+C*|5
zQ6LZBvTa=Vy(AEy28ifZsPc#hm1z@+99oMAK$8d~+coeMhBfU=<AI8bl8q<zJszMc
z>o0B@H1-;spX0ZKfE*d`t|}HD`oFpo7A&=Ya#Y3e%}+SR2>etDW}Qti;r_d2kz<qO
z(~&<t)x8mNmRGTl4rOIHp1gC&Pt)sLQxt969I4YFM_tSTGUz`lk!>`7n!9;c$+h9y
zg-ch~mR%Lpqd{E$sy--Ruks<i`~hIEWafl(^n|B7@4F}dWxv2{yjoXL_cK7G`+y<4
z%oGO4nIGufq2+Fj?(r<zo0+voL27Uv&m1J$faPTBE+!8xGy^hs+|cR5!@<&VW<`3m
z-fNrEAUCoIaz+e+jjzY4y<#S$=Ylgjq;wXz0<M|QnzFT@29066Sp<&T&N<+}?GEP<
z{YnE*oth{F<yvN4Xyx4UiwY|Z{+NY+3cUxpenj)R`?Hm#m5CtaCR<U!X?n$Jy-qcu
z4oFTOayidfexu6=rfMATw8U;<$i)fjgjrmJ8doHy7J|bgg@Z#G8*xL45o(3hg^(>q
z>p0#3s_cdq@aYO;*3Ev@bKWnN((V-vBS!u-M3ZKhiCz#WA(~5A-*HORQN~E5vI`^o
z1MumsAeQ)|WU(zC1-ZGvlliU~D)ot&vWkCC2attv#oGZ{tA&hwwb-NXVprM@^OwQn
z5?K42v}jv;=iA~AY)8FbhL-$P>{WqwpOH>5faLq>PeU6I9*Z1pui`<9SK0f6r0vl>
zi!DUNa|2@Q=1zaKf9HMIZhIge%P?*1uNWbw!nL8vE+R`Hb*Nt^>U{5e+NKO6U%o3c
z(+z%TJx%oP<$bXJlpq00*KjeIcznl;R#m!S+Zw2p9D^o93&ZK%s`X~;5mD_RpnZ3Z
zt%XW-D`>-~w6H1|vG|n+T<bOPY~OX_*-HFyr>pdbJyKp;;A{EQa~Ah&cak^YtLI9Z
zO6%@lPnDd>0QS7z6;ZoK#=5Qk%Nfo=ZW^roFHNQ0_A5-YdPnqhB&8m(S66W|Q#iT1
z(>`XUzD$fOyUO{g@h`6=hoK^GW+2;`6c%~G`Ok9xw-uTBBQdx)s6?4tZ*oqTZ|L+R
z*2$^?Dawo*XsF~LJT4m;yAKrceg2Tk+-Do!on3<cPKDy;BAQaJT*xrDSiy@A;}Izi
zKlXND0lQ89&PL0gPY-2J2)V1j2?uT7!KEUkN$raDUeaO1$WAwXfwI<|_3~93Ko&&j
zct#I~u9K9~7jg2iaweRRIzP^jGr#kGrw<>Ge>}Ci71RHn;UerdYPU>%4U{Eeit7=~
zH7KtWcop+#wfTALa;q6FtN$7+`0xdSzKMLNib3W^^o{w}kwMmXP4Qj=mOq<*Yxy|C
z%DnJVwtqgEh4H(08j0K#uQJk8|JQ)OVhs5`CoIrkawHkm6t^ZNN%sbWEe2)5p;eQ{
z-3dYWc&Cbu!Xp;F3-&s+S9)1l@Z*;<J!$FN$Epai?RC@p!wrsd+3P2ef{}fnwPo}3
zM17iXqMMsO1*A07yD<qrTg&YSUumXtVUmC0Oy3-eaE^uGY;tU3^el|S>2zC9xpZ64
zF)@}h@3*`q3@1oadzVZ<1(8YwRSXd)wysGV){dXfI&H@_mCd)KQ7O$vgLgS8<7l}!
zI=)1s7`2`^*0mC{i&owaiONdCf<W4Ii`VwT->FWe4r#7FD^nk)pC-QB<olNqjs#F~
zU<^WITL1n1$milH6rep|sbQ|#;5+Kh1OchBq;ScPsMvNTlJ=JHfi{2W8udt9!{K&|
zX}}ecP7OZ+WU~7?2o@hyT>t4;6k+E@W-qTAr7$&4Q4Bp9{-)took6dQtX7cv{&lO}
zxe}Fbf=u@A5XK!wJ~ufk|8!#&bfw?rYMSw8eB02d(TSu(_g(LF{w}&lnKA2VFY)_p
zP;+|XugBk_u9p^-z!{vwk67nH%}|va9of`vY$L`LF2v2g`slP$Mcl(`=%^|DTrB#*
zM#Fe|bG>fK`RyH@8}QyonRf0RBycnP&&QgPVVn^P;r^U0!3Kr=*J$^_US8y;YcpBv
zvm3!&sCOq0tBVQ2jt@n#!}Lyi8+_SAB&IiF6f%{WJBN6$Btn|;6CALgGU^!%ba7R^
zTy~_q&EiiycT*s<Vlz!^ypvj$?V_#OSkAIWr49UOv7B}J{6@gz9=`TTnBswFGU&d}
z5PE4iIDo~Qq;~;{^<g`^ssGI?H?B%_d?;i0)rLuF<24?edgc{PaNpXC6r(db+8jK~
z78Z$M7zEQUC~%1xqK_`F3pV%zi3xtyz0=X5a`zRFBeqPm;zFEA`Qp4}X+~FcvMz0n
zZ;_Jrm^0D!QY@IaG#%Nk6UYiyM1I;|JoxEI(pegO`V2`O{%?e)Glv+~mP_L5YK$rk
z)@%+<&TLyE!yS&?-8ta2;rI><#OD(J%$_*nAd`zbp<cT?Z=kBhcf_bfCSqw#_0il3
zsM3<;Q1GckZ}+8zsp@o}z+T$04Q>=MXR&9EOf9DTHjdv!-)bQP5EP%c<-NcYa3a}o
zwhn`y+$`|RNW$BgYYO`8!<fn4kNt;Ln?928XqEgxh`G>5O!7udjl+2+^Y6Q#oo4<5
z{?cY(liplAjhTAUoB#D<kxN(JL$F{kZUE8w1w-lK9R|Mg?k{rXZ9Q<_g|iu6u$Pg|
zW)aTu*zHtr-LoX$MfKa_qqw<~l!b-U`8N{Ye~pl4hxQbC0PA+r=f6yX{IxS$3+Mdq
zs>;!dVH_aqHZ$f_n%3h&S1IIphs+|8;qjM+nY+sqYh=QAj5DLtdeu4a&+D>=h5pLN
zGCTv~;NWYaERSY3>>?LXl9xPWlr}Q{YtClEaUXig7MWYSB!&{Fm?FB&h9p5}w?FAo
zv~C9On_VYVi>1yISg%wICW76Woe-AWr-*&HFHhmLNT_7OePKrD8e8)1z!e`tf@Wv)
zn9%qrZRGzA_D~59xoM1y6t0c+)FyRc6Jhtc7w0SbxG)oF8>h1adIe^@Xmq=0!dNy0
zSG8>8)(OXj)bDO^V4l0riVh~>#o4<A20O+O`9B^9OTav7uMN~GJWv{r0-Q^0hb~pW
z@&A`IMaEx@w{>s+$5zCl0wl{r=9LLFKk|;sZrXsW;4V-*7KUaVOuQRr{l*G91HNSO
zlJ#+m4;GY=Ff6?CAK(dk@Tc&|03QTWRKhL4tW6lJsk*)xu5B|+zReIkPId(|g-<$u
z0{AgqyN^1MW-y8rtt^ThQ{I2PrB0ShyDJ=7MBg2p6^Sr;<N88Z|7Eldfr2Rx0H)8~
zsrKQl?(#Ts$d=Sspy7H-6(`y$5aHYF@3Ys$`x&$429?~uPMz#vr8O6gc_c1y9&eno
zfR?|6-lib_UfZ3g;J#IHWQqhZl(BxjP5^>6451pe3)j3g^z!8&`D(`-uKaS^n3N6U
z)K5J*5XW<YMhoUyfhcWF42rAPH!Whl%V5bmO-4-r$Vl?hLJ3!Q9?l*CJc-X?`Ij#y
zjthxc())eJ{Qp_-6=Qp5DXLTc_;qh);_1OwMuZH2X5$NrQ`2cw5KW?pN=EgC4Y<WD
zsTP!m{o!Zl^UEJG@*e5JrVk&P-x~Ca%@EPT^3uLUtx@2;AJvf{la^R3{s`2ty7)oV
zyYAt%0<|<{d$zED|Kw1pTwuSB&@n)rG-Y~N2x>iZP-;PH6a&(?;db4Ba5lzq-EDN^
z`PxIfN7UwBBg41QVscO1c`zK)zAMUjqHskZ;c=^g{lvSi7b{x?qm3wQj#!y9kucB3
z^tU6W0L6pMG2gzyOk`DH$U_K}z`VKUa#q;%o~-E`$)k}`2het6ono2^B^9!T$%zXZ
zANdpa<2fg*G!ZWf2Y8_t(lKI2cc%4aD8dh#t5K@K{qZuMf#T6sN@FDI5+i>7;vkNb
zw7ev`%HYLcbDnA<Np(vSN;d4jJbMVXI#+1N&;+>?wde|3e)yj*n$8J7C%Xo0bxu@V
z;R;dN<^V^W<02Zc-`eThQni3^7!d}b&R3~P$2ri}$#nY4p#W|<>z<paDG?Oj$2@~c
z_k`|;;gWl=*25nI$q{YmT})NYJFaOBqTNzv9e--k3{k3c{JbBjlg7~qcZmFb&n39-
zyj$s)t-@-DzyQdy8dMG0aA>PXGe5NFuD`;F6aSVHlNc}(B{V^958)x+mB2Fm_FH~s
zG^@3I0nar9?>Xf;?M%<F-8a+-O1ri@+R*w$t1bu>8kTghNQ2-dOYo%!^p_W9Mwfkq
z^!o;AMf2Q-FuSms%Axr$+I3r3L+di(jYR&PVr;;BD%9Z~nY{syI4&_F9u)>)huu7(
z|NO*A^gwfX#;@L_$B^IK`xCJAt3%EZp<*LEa`v{eNx6Ty#@BycWA)tR$NycdsEgmM
z28EPO;R?m1zg~cm^ALmG9(kx3@7Q*ii9^}bv&)9Y-qsQP6QB=WjJ0ntIzMnW!g6W^
zi$APfymnoQ#(7W9LZiVdIn|QXwq6%YQrD{mtI?a>N*qY?Dq_IbFhj~k4wqP(V@#Jl
zdiqV8;`K?v58>zApPJKtmS~%CS1ic!%xVcl>l%|=06$kyn314HfT!n5^k`3hw~ZhF
zURc7VTYq)a8!_@F00tZn7_oQ-X-20Hkh2nvb~d*qfLtSt%wv)WKpk9pV)5@W-{^24
zfnLTyx;i0W9!er&>{058KpH3h`q1r1M3ZvJM0Vh|b=<|))d7@tcb?6b{bDL|87X#+
zh!pcm*XR6;DI%@lu7F&PSst~T+W&(ztrJn4JJ;BNmo8YM2>>C!uQx$Ls;}5tkwO}A
zJK%Syf5pQenli)2qvgZ5HEx_U1P?^RVUUudgl4CemBZz$z(j*|Eyn&LigPOX&1%!Q
zW7i!bTtptgxoBM((JtSSfd-9O@}UK`#xj%I|Ey-v$9mae?O9CXY>&p#T{p8RxWQX7
ze}%6(L6GHMJr`{`qP7M<JzQ8ZeQdV3XfxQW6^EoqItUTocZgF5XIwN-eEXuIf)MmX
zS*wqu{204N<{^Her<e^Gja=8j2K%%VWQCKa)umDOWUF?!HHNuIDj_P=h})&2#g10{
z326ATIXd~g)G1^r_90G^n7gbrYn3xk9RHynjA)10thawIoMdk_|Hn#5xCU28>Ev_T
z@=o&J-}so}1QW;w5wfERsfLX0X5S+Yj(UTIy$#mkC8ZzqHTI>1Kmo&F?Z7RrOFV(c
zBTlfXs=kp@f%;UDh~!!q@9KJ<9*SuRjcP#EuWyuN25yO-uj>*bQI!2*z7BQo(a(VS
z1i)dtatm($Co>T$d%@%l4tZvPeWWx6`3NM*00y`wLbewQ=yZc`DkQItgP|LElk4z+
zB6P6|HLLn0M8r#x#Pna=AK*Y3X+a=-WNmh5LcH~Sl04<@pP{L5U20qMFJCe@X<+l}
zXy6w!X7RkwTBFpg0<EjJ{bq>#*wop$jFs)TF`@bRDb7Rhv;`Zh#{IaLJTfRJnB1a4
z<Uczu)Eg=AwgK}F|9|WrgW|l^W!%{m(vmllS@#$1vW2721<C9<i<;j5+1Xu+V&30q
z{Uc1Ll}+C>iMDe;eQ-DH`F1lE5z1?qR$Pr8u}YM$#!2lr#G<RtddKYZEQ~LbGM0?Y
zu{I%2?lBN8urE@<!>#ujHfP#cT{c$%15-Z0Vegul&&Fj<j|Xfds%rbh)5f(LGBUmj
zL6TC{q{oQejslmvlAEA}Yh`b)p6!=PL+|IvY3645{&?c>+Ai(9M09P+4Gz(NF`~hH
z<3{XP!*-!?q|C6viLGeF!`(@R4-nJU=kMjWKb>8T{6lVQk8UroZIoEMQjmcID;=6^
zKK*)bT!_d%XFU_8U^}|{56G9pSVThG+r-E=(*J|C|9VJcMvH%A<!CxRT-eMXJ75{B
zsipBO^ar~fARbQ$$zSbV3(Hl1>5aedrW(&9j_%uBoz>87eynSJ3@4w@CeE7py;Tm>
zct<207YF))TudMHSQ1y&PJVX0G7z+>EP4yqn|XjP`zr@rieSQ9ctrX>tb|F=<`}P}
zx<3nJ>gj?iT$>d_o_M2&Iq#lpl|BZ3${6sj3Jw}#4x8&XRgqy|;J8avyz4oSJ6<{X
zVwjG|%CiRm1<(gfj#e6tCH*h-pQs~=MmR@CFB%mtth~oiL1XbLINcYwqyGDISDAXA
zy<f<i!APh35B6GXBPnB=@bDEIgqC#M1$!h8H|z0wX$P*v8c=T{{|S&re<S94{2Bg#
z7TCY-6^g@3?Bj?nrAi!}<a(N2N3(vF-R|@*Wg}f~DSJBTc5o^;&?cX6S9@GIeOe_n
zoMil~VXmP^X|$R?8)_jF%3J=k6|$nE%#T1?&RM;PErsK`h(iF*8?uykj89#a#F5+t
z9f{sMw*Wd>l2VdZ%1vrB0TlcGn*}!7WE_iTrt$RfrwRr(6uj<<btH}(X3B-NG2wfB
zQdhF1*;j#&HU&P1z<3GFIu|e-=@Us8FE20CNKMoD-dfQempyHJdl7xZ2}hdQ&PVM}
zmMmSt%Z9gkJk0zZ8Gs%#@bT%zFdo#L<W<hw_QIOhXo#(_cY0WR!CKQBRH)l&UfJTq
z*RqBCIxgo$jSXm>bc!r+ZyUdth&h0)0I#L>mbxT;Qh;cM;(YB?udrR9{eJdttAT5Q
zZ>3IHyYoCeS6pkuOt0YPY+n5mI-B{Ao$<Ahc0L+B!~Os5%qXXuyA(2q*s)T9PKcp8
z>X0g#(c@fYN7=XC8E#1!wjT7`H-v`b%1h8hepT?qw1De^{h^LTDlgd=D1Yq8bD!<_
z<9K7bq7DDKLyIuQ=F?Z&%z&o2RNAy=CBCN*7ihiSsb=wq|9nSmKIwWT&78EtjZZO{
zRhK$*o1T<WZF0{~X1CIk*bI2j*M6TJ?Vg?7#4ALN#Wkn8^0iKTyQ!$JyRE=QdP^}e
zFQ-R0n)&^_yTq>N40HZ39zv+gbY=97{^b$RV%a56zE3HIim#yZ`);YtWe0*tRZw|K
zRi3eqH)WU;xxgWtdN?PhNio@I!axtBuL@s5FlX(l_TXahgK23Bp8S{LB@Wyj;?4d*
zLENQq^yb!k{N9gq3SaJ44LCH3AeBV9{r1!amjy^tbS7<7c70u;t8ypNb4*Fob3&^}
z?n+p6Zs_t=7XE%kq5Vu$1-MCZB;$Ulo90aquF$AuKukV(PW4`jF!(ysb)ZF`ji~t}
zOSJzIJ}V@uv1#=7bo#%L^!I_k3uEizJn^yuyosM%tf_%foQvWVHX;1xxS`K4<?Az2
z>B01j@fm;*N5x{u)osx(ZHw!9?~<J8s|{X!;tv|V&WIh5w}N@Nf_A(kF^Q2uGv>-s
zMgg8584YIDi}?|}+=s=lq6hkWb;ew-^d2qMCax%edDSyWOb4+^0JdDY&AeiQrOHqS
zM?CdVf%|a6>LA}D`$((dk}$nTf5z^~YHHT?ocfbQQ|#Wo-sy4b#c;2762hTc(fFE^
zx?87Xp^LRZ>_MtGP_xH$_r?yHZhyvG(qYXq)4_~M_P`mO+t0!v;2=6F7n8c6jQI8j
zL{p?+5F=(Go1r1%^e1#s%?=k<dP?IS)Yf1#r&{Z)=_(pG+eGH2-z#Y-M|1U+XnMZL
zo%;Bo951_UnJdx+&X-EAj$xfyBZdW+7Bc^SzT+$+N|h}8`8pahdWsGjFw_Zd4Y((5
zKoOX*_`DR(KQF5{5l9J1(KJnryLhlqeNM_P2x`rPahM<u9?8Ql@IVk2mlegdV!4sa
z)P&$W*-_zAIvF(*vBr7}%@hB-EQF4UcDj1k>}mM!3ry$CB%jv*gh|ThNQJAQuq-g{
zza<`|niG!_i8o@T<N^PP3=C<OXf4-6P~GWUo{9ze`7Ik_x#cwVf$KS#fEJ|O>&zY@
zZ~1~Es%qF}kHF#yOW2TdJhm;aIwX=GL>k}7Td`C}ow;x?N{s$?UsMA%1P$9Le|-px
zI2iV_fx~!!eHH!2jPc-InpuJeDWBeBJ>Qelrkw^RBRTay?)#TMCR=jx8YlgxeWyG0
z2Xc1{?pD|iWb+mY()`81n%bb=o9gDrY0oA@&PyP9K2stj)Yt7^`)pJCrLgySl82p}
zjQ-=OBdAScyLTcmCdiUu;;Y)GXzs+W+n{k9W7w({IONI%N}J+bZWV|1kXk>l+))>B
zsvYmo%|_Mf>bD|37D%meDZJ@~gUA}cadiJp6k*cjOBFnLWgFX0<=(yOA3zXk-pyQ7
z&j-a9!G&ct?C)=yXW(GW0vtCUdW0*QWhtBY(!Cw2E}$DSC2z#-u-2M-kLP^O3yMft
zNrP(4h}aLZO&beTA6@$er1$i*9s}HOfMf6W7oGX}4)d0(d5@U(#$B~SDK?+V+z^^I
z*GC~fl<^Jka&59~lr%<k^n>dX3Op+5Hgm&*{!NzoZIIw+SU-B#<A20kWNV#KeTzC#
znrLl4wLyj8En21JcWC$GbAG3Bl74qsq#Q!mhHUXhH?ttE?|tu#W+Qw~BJG{;(UPzE
zHbC*r9@)Ow$Qhlodhcj|OHu3lYyGJhBc~G?!l|i0L2In7xAfJWNY5^XrLa<tU{qQ!
z2jjs^zIB`ns{-w<OMzk%@5?x%C^eEZ2J@FMBf72WI<LX@ZN3hWs>NduzN$R_o|}<{
za2`^*8sfgZ#Q@OrS=ezC5*e#Du<jzfw0XtlAYZ{pPnpNMKDwMSB)%FO6}Y&bRN2gn
zxdnw-JMM;zEs|wlEnmh%Rc;LowaWPdbK{tJNyuEeC2TclORzIs3f89V+B3?8I~3xH
zX3ZfR!~yzcB19BkPdqD9oW;DmecdgMz~(27;$k%`8TWq<0k^(%!&5&Sb$N!<HBFoV
zy;R-zg5=#~IYIVo{m#X`FC6-AAB(Pb6`}Di`G>Hh_~03fWTx!HmWP))frrSBGt)cP
z?6Lk)qbBhDjM)X#^to@Y(=G6#x?^esrSve|2;X6?dg0XYf?Jjn!3~zh-L1WKqgr1v
zXj{%54ML~3^7@7y@$rFiMYKY5Jm}v@c9G>1yd?k9t2Fq3WZAzmWhu^4R1sE5M3U-q
z!o|i`>4@?zMW`>6+$GPNR}#bH*nB)2Hjk4Mg$ggavMYY)8{2b{{KQAp<PpP-zI;-y
z0~OaWO~7Jd$(tFB@-&OI9%+`(wP?{6HkX(Yjo*~bBxM`r%oAUN%sld|dH3`!4sD;1
zm2(&z$tPc(O^365=~TYm=L2n?4;{zv6qMu&1}?2--QA#OE%Q|%@7;bY)OeN8w#%-|
zc;yO^+r;)P@&=?%-5k3$9x3=x8qxy4(hvzGIvcz{Qtr$Xx7}vz33v1h?&`!8YilNM
zA!@q~u4uClxf~oYKKdkG5c~Cz;b<`U*;^uUQ++o&-V8N<ilsU6+1|cC<8b4u8~j_<
zU<-Bj#nLM`+2r9|=3JXz>oac>i@?t!meo|vUSojSpj$EomQllJR&pb>E{oz7lipt@
zCxZjQ8kcq<Jy=~1w9)0i=A?hu2i@r@A!~}<Mpyvm+i}5=<Hhd-bdIl|15g#52@z@+
zc(>OUp%O;;pK8*ajSK}Yw4A*hd(aX#GIJfrG)}LRY_|?di1H5q*@^Ag-H%_mLjEU&
zBBQ8_G6pwur6=X$$9Q5xU*(}mbL8L4FphR9Bn)>Ldf!b1cSd5HCnwgBi8evpTsCx^
zf<w1PDhCCqG`hu`Nyyj(Sn;aZDzR3M+{X6y?(u^%lmncoR`*sZ9x+g_@}}<8$7SaD
zXk*C<0`^fauEpowGsC-jZeAn9E-t1!gA)L*FwzP4gF1?N=%dfx2*?kL^ipL{;axrw
zCiYY+Vo3&l^B5q1L!9bl;NXY~wvbR=b0*GPW-hAkmY9;6hb6=L7PYTiK8-y;SjJA^
zLb4oozxsFya5Bc!fcI<HERunZ+Md<q(d;avcFWuH4PFXwrH}TbPWlmn6o^_i2R<ob
z(9G6jq(7|Mo}yr-pmwFxIOp<B7R?%DMl|mrGoG%JH2x_=zf8QVwUY-oe;&HX7(57F
za(dbLZjWIF4r7q`L%RQkPbC+5E=`*i>g>M2{<|aw4mFuz8gkc~_?q=y-|xr2FlIac
zQ>2<7p8Zq%>3?&cP<{5%io;Awp?yzwo7P;9Am$?y)Y#X=WZP#yWp9V;0CA~fX|_%q
z<rNi?=aiKTT?zivPZJyUzwjEvoE0hP?S$E8wg#=}M*BAup%V|HaX+k-92`m*F<u;0
zVq9*oc0FQ3YKWF2%Aecj$B@KxIvy&rD)X$q9eq_h5aT1zONUvEtgKNADNvW|<oI1R
zeaHhH2zDks?c5=Vn@jYs_OPwd+3V~I=Fj6aEs7JKag@9O+8h=sV_^|zZi&TLM;?#4
zWU*Ox1II#5A`RQ{ds#8(3JuBYI=C8S!rL$Xb(>G^GnXiu`3o3GPMETmL6gNtG`72q
zBJ;Pj+Ui(lXI}XPXl(W#d~WIskF!QYAK&I1=bW#i?M!_WIb><OdO|x47&$MOmfwji
zYpJ=U#sgXuqG3oQ0?zv=*@76B!=7~`wT4G>#B?xxHJ7i;-W&t<aZsorE#6?RuGw^^
zt}e{p-t@Wb={6v!@3@1*OQLCRjxWDOX@uk-Dy4@(c20|zX~OzX2J)Xh;_?+k3Ysbf
zJ)#8uKxSyo`myD<iqIj)Cs?VfXRbl!1j%XkKe92Dztbwe#MbbzJ@y+5xEHd}UQ>P{
zG(6R1K?-+&mnJ07D_^lxC9+-Jc(YXl?6zH7XDO54oiL^WV2^w!@WA{gasZ9Q3XZ-H
zoT=Q;+|wb7%sN=97q9*W-W-8@epBGH?-J^4s=4il3h|18%f^-NPV&o)g0W2*A5!@m
zHwIvh;F$H^F}m;dl;3f&j(I>ju#PqRvJXQUQ?7IHUrJ0vv|mdn)Ky<Z{wf`72t^2%
zc%y7OC+@3Nxdx<?7!Qe$Tsp>@bk+6{I_A^E{jE?tx1>o|?Yx75Sz@{G<~T0a@d7)t
zYfjym5OyJlQr^f*Hyx5+DdbI)M=`cZw6_$@wY4VHh62S7sZ!_wP}vkL%5g}BBDYBP
zczN_2g!9v}EMR$@!7^FUy<VIJW7gVT+Cw|XJ=!APX9sd$A}k*Q&4B5E;rxSZ#tJ4u
z*?3eFLn=CBBUmKn6Lp&_WKly3GD(icp9@VZZoQueU%v7xK_F}A{>GqoWsG-s9v)-n
zXOjO*+E7W<Vo;oNB0Kr)p1r=(!1?LLg0}WtP5_eNSC+6D9LaJNg(IOK`@?lXpFxCy
zSv9X7w`66L&7wMywUWkFB$mdbwVv^N-O7!{f(j|eYW-A1WB|v(g5pbI+NQ>x*eQ}?
z4mnlIN=LG+p|27yB*<&%Fob#tV&lmiIc{`F?2VhTNaDxZag-(KM-&|gr$uOOiPeVo
zCB=eheMm2;-31jtS`2O6t^UMO^uU2HD0p924>03?yXEBm&aiFP{o7gz+9=0#F)HrA
zT5t8JNNZ{I5|d3rPhav&92p1vE1=;Ur0&&1WIUjRu@@81T;2C9k_gozk0<t<h3nH^
zsSb;I^3=+?#xYOz<Ii|_+<w%+I|Tvia<Sr?G!`RPg|P-NEI{9~v6+T3sMgjg%a9E3
zdW!iIA0lvtzSjZ`+qa^E-OKU2yJSpSzr7j#8ff#Et9I~%^u_(8FB~82C=qvjiq}Z+
z{j5@0--xg86Q0BCOz#zr2UWwWPjASc4};Gf0z5}WrZJOhX7Z`I2hEM`r^7T~{LzNm
z1Ug)>Z0fA_5SjCsPc{+0HEq}oXP`h82()l<q(R0o_UonqSh4f7z_*HDnx}R!2Uuw~
zVM+FqmC}w9-JE~y{}GFjN5hexl(}lQ;ve!3YQM#J608e*)V_c7SEP($4T*~pSEoG3
zcV+g~Xk|*OEI|^DLPZpJaWd^(=-Lj0vG2Z!-30TASSa?Td6ytG)HFgdl^MX%4Jo#$
zEuFi(=-DMyB4|>g;R~*%Zo1xavj`1icA`J1ePO3Y&KM7=AWLn=G9=G@?fs$$l{7R@
zAsyujfYb12+L2Khwoc>mj~+=100Pnd^O9QTPS!_Cf|7=q&$q4hi#<QlQoe_&ylbp*
zG3OJAiZlH|Z@@Sv7IDIsQbk^|hbt9H6Xk$Mnvg|f+(+9Bmh5@-RC^IEcIF$1UfpcF
zGU&YrnGRSw!Uq<UTLX3$OpeLdx%@aM+)$;5dj6wA^OTqYzCF0Fz;R0QYzUI$A^)VO
z_9=#=I(7U~hP_mH8cr&Ak82a7K-VHpIvJOSWfxksLWhzluM0<){*W?ZQJrMH9<!I!
zjj|$cV0zJLLL*fp5hJtUPUFLwVP;Y!tsNmdtu|RAp5AZB+03IIB5DIZ0wyp|AG^xR
z%?lAH4qmdcDNzmj1M+fls6G&-puh)Hk*O$pyM?(%3BbLMS^_6!Rk2KzF6Ng25$m3Z
zSI4<7Jh$ECS}qW|&k3upB(BpQ`zI|lX(=A$-abe`^BpCZp-Y*{Oszo%&aTZ2#b%H1
zfY+UGP)z6k`EoY<dMp(&jbx`^#IEAb%|D+`*#84~mIaZr0Ut}@(!VI?vZ)Toe|iD@
zT{MMCjEh4dUkJeq$R7r=QJaMBH1R~^Nc`1wX^r{*%9O<^C>RXWMn%}(80I$H?jTy1
zrsu8OvLW)v97KSxp3YRc10a1|4cAH<vaXEEAVC{P9Fp&tp!!#$^#ainpY=g)%3_qQ
z&9HioQ9=x~*eLmug8<OiPi%uRDkRZhvFVLMGc`aWVZ+O`^f`)rY&u&FF$m{i@6-Mi
z1*+p+&cX>yLn9b4-+~axO0ZcPqp{T`m9_EA9ocj3Y_aUEoG=N@3Ye77w-&(pI=!#^
z%B5wa+cx9<8Kx{l7;VocJPyVj>%Ey>N}bGOoR%F3vK*3tTUGLPs{|a2YYoV6fsG!!
z=V3ilhG}nPGt6H1a!0!Ig8MARhgXhx-Wxq38H@kG=PbpKn%L<|7)P&uR8%D%mT)_)
zV>cRj>NN~_^fM2fV_TigtYk?4o{{G+Y)iwb&~@#2o($;=&o3$>Y)?33(n*gKMAoU*
zm7zoR8Ub6v6yj??IjvWdRTWT;|BwZ48(Cpgi+?7qABj+(6m^n%MCC+P#qkU0<dr19
zUkYjVJw6S7on=JaiM=rQJU(~4p9fKKm~k{4iPwfKC$RvTPzYSGUFdT6i<=tON7ATk
zE#Ik!r-;`uIi23GUHxJhjn=Y&Td>QOr~W%&4ALP*2Y1A}g!#W@B{Q^@&ObO#-!r@v
zLJ~tuy%qM96{WBL@ZYHXbs;jWW}O&Li|KQz0waoIX)^Pv4?IY?e2%fzv_tRomo*d0
zV>|WUQRsvVR(u1*0|{1M*jd*z1negUKctBB1C1s1gr4!Lsa(JFF}|riywTwJF6YZH
zz@;5BKm;h)=_OMjun&kL=~&t1h$SW`QeTN$rCc?fAnOR|KC1U74!;Wvqn&Sy=g8?8
z%5PqI>mXmq1%6v<ETC#>k(XG`!Q4@o^J873urS1OtUBILq(NNyJ(P-SCIRxx#~rtW
zqcGEmWAF0WLL?8jn^~*5#KM}=(L1s=J)0I6l+Y}+!aB)cKJ8K~;+c{+i<K27BAD8|
z@S}`q^6-IU_2}pJe4C6p8<5eC{86SaHtn20PEV>gPOq*7*P^JHkm32@dZlh<tM@Uc
zhl|*t67sl0Yi-It+llNLp8kgNjR&d_S_a9$p6&%HgANUCFOIT1H*3dfS0o0dE@hHO
zjR8howr>8DnYe5Hcsz8%psPbQj^8RT<g4v5jbX-nhkp}Cp-r`J(nV)j+^li|LV~%*
zOwo;rk%Ao??909OTm?DlDDv?5F)XfOMbNrPv;g_L8K_zE@wLkmgY3=7=sI`={NwwS
zCUPE;W0;+B<uX9zCIJZ<J`jVB8lL3}`phoxet7wzmo`dHY0P;vFTApgR$+ur7WGW~
z>^5ufz31MQ<SSLO&>5EY%xt>Fc<VtSdvv?Mnv@gTJ#>_O=NJ9sNkvTC`a{Cydrf=>
z9XA(3a+1rxIl&=~xy5|5@mPreV!N}RhtvJG_l6NS6YuYc<}HTUVOcN^5M*5>hMs31
zU^t>wNN8b6Lma4I_L4sLxK3;)nV1_NFlVRU<*1p;pezuZ5YwX}5`W)E-A3uHF9mOO
zg`gBT(2T%@dim^c-z`&nvE&{c^UlY}Dt5OJjo}~naQ0MbTLQa9A_4H`OyJky4^29b
zuIN2S51mgWbUAa11z^l_*c7qlQJWHz0<Mm7xHy|cEOU+g1sEOkc3XsXx$e|4fp7cP
zy9E4bXnK%SxLbsEuS`t_?!v?*=GTDI?hw_x6FwX#ZDZT)Nw1}+w}rt2?h2WLJ0nne
ze~Ld`%Vyu6T|(PTgiyWu7P9U=PJn{QhW~6olI+9VcbRxwBh$8TQe+!72O}xh?7)ft
zC`Xcil_O2l9d#u$Kb&P}lDqv)w|LK3Mts-jUeokqR@-W%3x`{5sa?V4&U{;35B(Mg
zzbh%R>SrIqHnq-Pjl5bbhl$znH4}vgbx%0ZW}WS4@sHagH-3Cn$U?kzpd^UT1N1LZ
zF$j%}f9s||ug9Ry!|J#=*uWyG@rrovm&DHxpp2k3%7bde=!+-{E{^J|3tQ5#yq<S!
zM4z9|!*o)=G6a=4hV#oqs%jqLQzVD;5or^V1Mc)9M9<L;Ky@O~oXimerI3L`#SVuX
z?4$eSFr)h!Z=Zl9nI1}2e3$v5N|sq#@K*o+NX0>gIP>+2Y*9j1BS%*eTOtr5fS_Sd
zi}tuVp|(8G%d+oYA5iI*$z{yBzuJ_|cr!!Wz@<m2(BX<fb3LOMNtyLoRQMg2#&_lT
zt7E<;Myh3Da`M6&Y`#AYSct<%{Dp<fnhO~@CjS?rCWfu`MeJ2zXF9yh!E~O6!}ne#
z)JRvxh&G{O_IgRWgrH`Y3+dTNP#5VrH{8MR`^=vUD8cY@)H@nJbupm$mOq8-K4_#a
zA2#777MebP-X1h);px?wR--z6v%9uf_t2HZiR(sN6+AOiA9#0GI5fVi&DehM%N$I&
z!SguOs~_CurlNhdnPs(fva~ZzCL!NU94gL6j0>A{nXbC9ln|xaq%6@i{+kb#QK~w4
zvGA6x;shiqLczx3GV%LJK2q2SFD~<6Rh=nqkyrj^!VYVDGIEYXB6fy?8!ySaj`Xq4
zy|&+Vm*k5zx8x%t@|{x;S}B$k)2?ciF-Gd=F3Ie$i?Ulqr)}8s*Kc?=;J76mE;$mb
zeQj2jJofA3dHz>xk5zj544!5qcOmqUXC77ci!!1V_U7hY^JP>@GFq#Y3{X>FJDp7t
z>qn~-Uu>9|ZWD}$JiYUp_=N8!4-@dE4y0cqrYkppinb$KBYhWc`?KLlVqsAQdHGJT
z3xQGD#M3}5JwMQc&5*ZyK&C$x!V%i3?Yc@tD41AD76=i8xYs6J);c>1$k7~MzuH(6
z%cubUB{@iRLWm4oH4~{4q$FtuXm__ZKMY(3>cYytyxruOa}8>jja__1k0b1Qx??ic
z@2ksW{+w4y!97ZIKYb*qi}Oz<&)0=ni<#EhUFaHHw!Vi>%Tfc`ld_)jgzy(|ISyjY
zRi4P1!x|2oK5;|djfE41u?pTV^8@=5e!}4<fiP2XSv=n}o*NHHERAg%Y&7U^(IrSO
z04>n9FT8;5qbRWPe3ikd5}B)^6h_6>@Sr3o*Bw+gY`b8rQ+y|8mOXHCjs<SIjchc?
zB>rfz0NT_DR8nqe$ZZY;!K4F33?izu6|!DNF5AweWyqBXFAS&#--=@EBmv`ACftS@
z>QfX*7nXWuec3IXeb;itgG*kO3Q<^_o>?VWGcfb-DzeW~b|qHhp0fw5@ch~3NHOSH
zS_TE=v<n=V)4I!JQTSAW1tSq+G$TB^#t{=9=*b5k;slCIr3T@fHEq>Xjw=4-^moJJ
zlP~HGYP9S4|J>JX_zG0}Jl;MMk&Fb_svTeECXd5Db<6cOEfBPOdT!SQ3o-@yAyrd`
z_E`5SWGRS|;UgWMU{1Gx<tv;YNUHg->{KvD@h0Er>s^{`2=Z1`R9rO=Kd^#aQ%&2l
z$zlDxe3!c_!Q_vXp@p_YCG$`DM?-b7&5fE&kdK54Z6<Sno^mK`HP^rMx~$}B$}Rxg
zdj_02h6GvlcKU`s6uA3i=0CO$VV*fo@w`9k70F)Ong6w?cZNq%?v4sS{~GJ>5=e4d
zzkRVohuE%mUJ}maeX#c#UKq-l>lWi^KQD6%>{VStP9wfni140|d!_=W^K=P7+v!SY
z>lyOpSy)1do|0eR?XZJjG`z4X>*OEgHW_gFV|i9n`9G%>BgR;+@OX!d#LKmPDn|n2
ze!lrJt;f*72!^oN_N9lvh~AL$9$}RJm{oR=+4Z2mKRYCzzs*0~CUQUSQ(q`UgAO%E
zOK$XsOW1^QQqWm$-(?>WRo*rCmlYKAMZnj3UCd=3J1|Pjd-_i$5*%jd_{zU=?LM<1
zY0j*y$Oiq{Y;`h{6<wjP1104K?HaT=F&6u7mpwjJ5$@fWoV4KuFGiu<VS6TCTHtIU
z{q?ZvgKKw0$ZYEplo@RMV+x&t!c3BImqHXkN`q&Nly@1egW~Kr57Z*nO$;5)3GHRp
zAV<Fr%OCvh4lxT>5r@w1H~EBjD@2d6*QbMa0!cfcW-I^UomtArq_O_{Ga=;h2FTOz
zM{h{B3A^(ObP&FJE7woaT*|_q!R1FHm?ba~sjm;>B;Oo#)M1jwo~CvyB%QN*R0-j{
ztuieqn`aj#pLfM8+d3{6y%k4XD1?53naV9K>G3q1E*N_?AbxHT_9WG5aD>Vu_?yz*
zPiivX91!OpYD0sFARh~Mqwz$<WI4BFTN<}yV69ss$MaIoVenQ|p**QcZse;SKV2p;
zf%&48(CyrghYCfb_4vf>eq`nkLJJk=2RM@_R*v5wk1X6P|8%N!pvO}Kc-Q!yx+50C
zCu*)W?sjpUPqc}BZ^;xWF%<7IUC$zWJjDo^s5Q+TU*kr$63(_<_A`Ib_x`+E$y2)G
z=}9ko!2&nNS__pbUC}<`c3!NBM4L`ZxuE*ysN!f%)M>faV_LEJBD;+q!y&O_Qlu$J
zzy#_%y*9-B0QIB6^Mr(~zFw<xeNe|XqXWXb7-X+glzViYf_8p-w^fT%HY{;mq>3E;
z?o7e&9;PRMh2I*Qxg_SM0UATy;Z89>ztH`L+fHfQo_VE=DP=SL@^Ys%vh|(}xHqCl
zdu-#bGq>8Dmxq6hcEOk5pIO>51Y_{`d0$0Y&`#+z9q|MfGdH?PPtNY;1*l%WzN}{i
z9TEhUg%;-+&`G-z=!X9rQCcS>i$eAHK4hn0t5c!kzPdKzCG&FTOXqR{Hj>1u5o2=_
zPA{Xiw!L#Ba^_ZGEzfu>WgG0TMRfsriO3IH*=j{CsmCIL8T89f@--K*(Jhqkt2a20
zEp#3-DA1aya(j^Qj=eI~mnHWh4IsWCDlU(?@vfX2%!W1Txy`B4AtK6Xf=ill^P5E(
zFJz!?W=;psm89L1d*#G(mM63)kT1!WCbwK?Ofk&HKvL#*tLdWp!<P9|1PXcRNtCQ}
z8be1%nyK8LQ1`4uXq~e5Z$`>LFXF%+`)y_U4;J>Dk-&fe2S_{`(d<ClA9_rB?2fOQ
zx$?Db1U9U8{`s26UvVwbEd%pLyQ`(KNwr|A3BxePurmmbWO&KYzV3<qBf-3HIm@9a
zk+JU@s-0$~!I^s$LrCS_gaZ^BLZ~h=O~t7`mQokE-C3yZMn-dK9Q=T&I^ZD}e-93}
zI0Y#jK`Ff66<(6a4@t}sa1)#F@dFX!^`}!-pblro*(Go3X;6aa1Y`Nk5Oh-~*>yxC
zV1v>Gx`rkUzpqZ>_+C9EzssfD9ri82)7A}4U_(HeRY?SCinGL!aNdRLykxTWx~xAs
z=IV*Ww4w7qs%i6CY=^FG<neep{y)0DGOEpW2^WF|4}}KzmcquNKyVACEl_M1cZyqZ
z3WVYoq*QRH$S&?qg15!p2~w<halh$4a?d%pcde|fkNhC{-fw2!XJ(#xUZqbm)J&?+
z)jTJsy!0HG<u_e+rHFeUY<!=550mMkk;K8h{F}#$iIT2_PtRjjUX){Uf~Oy`?wE-4
z(j6i%d7I|8McgUsq?!5T8x)r5jFnoB+)BTH1L1Sw_g=B{O;|hFPyj>YoT1{Kf3*fb
z-S?ZC-NPc&WF8zA3SF`S2FF|$2z=o*lQEt9PWi=Rv<j)Wnsibpme@C0?g?pjmHY;_
zDKTrSa&cG-R`Ts_+84Uu99O{jxZu4dwbwm-qvB&BkWatL)uMzNp=)gM5)9V)q|mYs
zR$Ze-)q%B-L3%Ht4;<Gfsmp$@Q|r3i%|KHiD{&`S-S(5;@-+a0WvzGLCYJWNP4B1@
zD#eVLcEywrUi#AnZ_1emi$pb_z#B#~<&SR$yP{6_xQopt((*VL^+_4#O)Qyf-=I;_
zO;#gIC1}-34DA{ili3;_yYIJ-g3ist?h7q8-kz&RF2REi4dd@WW4MqK2;Yp9sS`zE
zZ+jbE%qsFY>$#?M&?HYodH~wMBF2VPLzg%0G(C`jOX~EyKFTQ>ha0UH^1U|;rabrZ
z%Fn&Y28$b_WlW7ivb{m38aB<ehSxtSplDxClf}!?k1k8IflXf<wI<$Sm)WbfqVH_E
zuc(7Xs4FWn`7?@7Oxp;z-&8vvH;9=uqjoVM8)erLCV2jhVc{cvR%6Fck!?#$@0U|L
z6)UwLUAJ@O;sgn;)8AL3)q4i?djC;~On&x@nNnrwsl_Icfy?>eV{}nrh~9=(gWOyZ
z^^dC{!k}({PN75bd;W#xZw6{(pKcIcdNTsrx_!nD5fHQJh>|1jcJIr}k4J)t#>PK+
zlZXA_wJS|bR_M&e#+mvZKN<DE=}8YbP-%rl?>E@p-ipn@Y=jQ^YH=`+{OiNvBdICz
zX|G<{8*DZb`<sq@m4pYev2WBXOza3d23KtEY{}Zqnk_Aq-`!|0ZRHLG;5c{fCYAYa
zr(pO~B1ZP)#^ymM(#r-+M;mO>5GGtSn9U)r{MI_y#eExd)N?+=+*&&BC{;_MQ42ed
zRA5N_3IwlWcA=c1n}Z0Y-yqk!yCQnV$!0kRa}YC?t@7DeM=0Aq%FP(*wWLUar4P2#
zZ`|!pvlURwEQE2!ov%!!iDo_d+GSBH7^iPj7iasE!zg>Veu(88Q`;jSKbW0+i6884
z{f|D-%T-cH4|GhVzhR#&?Bvr6d;f5|{kFPp2Q`R1?Uhj@DK<^-Qf{IVAwto|iRS2J
z`Edr*UhDAMqWtbYS<lSjdl#N3b1R+VJ!NhoECU8(MtWl%C&ga-jm3*sBIj@mHaG|Q
z#s!VolXYRT%wQLK1Spl}J&(E>LICE(*yqo%dhtW!7mULsNy?Zl{`e%tfCnI~7Wfl%
zx5Om}`egRq=sbxI`Ef~d!5E_{#AY^_+xlA6{7tb-VY7`f&2r4^w9XdZle_i0EAZwr
zcZ;{+uHHld=9!TbE^(xx!;1kg3b6ncO55;rh8shSw|W81TnQW;esa8FER%WCpyLc@
zlCaT+s5EuCeZ)hQ<U{ByOgI^0qo_Y>fKVcziIvv{bB(t&@+2!;qAowc$k&(X2GSxI
z%CXZ=BOX#dcv}{7l*8E`X(GWwyEU)iFB+!6mq}Qj)7d*!5Evlgg&k+)kD`G|Ff~UQ
zE}fCA@I(C}q~c8Km#)w_U83O~<;lAGfKZ&2%JvxfeWn(Xr2Xk`KOoG*OjJ*OdYyz}
z#7xVmnUs%8pjd|ha>0zf6mK~L313Y-97tCl*pN-0OF_{38sVM>v3$j|h<Q{XXDl}^
zfj8d}>_O;!Guk7aR1CM-eaf>w(i$!5eaez)=^7bZxJ_<ExZ>tYXi3Cp`DCtI#wSss
zz?lA=`lv{BGU{|Vi}VxrPVn3dpH>BF)94?fJsfsHz>8&f7CbY=%O20zlXR8sqTZOc
z0`@F-A;ZtvLu1GVMu|OFHI)DN^Hs=dZSCQYgn?&0zJ}7ays8WnffE7$C>4jZyuFoN
z1`$kY|N47L3UE#TDCtz~?Gaf)R{TdSJpav*S?d_A!s3?)FVTZ~Lq9yAW^TaYT}!dR
zw3Ffd@U)+^7)l_9;sOoIBd*N81&D}JE)MVI$Z&+QFMbODCO!jn#aRgHLmsXWxKmZt
zJ+e&Io>Psq3tt(Qvwem`*sTlAKV_l&*`zd5cJbqpuHI}Qqz*d*EfR^^261T=zEjYr
z@C<Y{i3uTN&#7L{o$9+~vbbWMAGYhK+mzzSJJ<?-tO+P<<?C`Jf;i$h#Ke8Z-+2vJ
zplAt+)R9=(tRhPa$UNIYyjcupv8rrd{Ve#6fxhibK!(P#brmN~GOSx();X71j75Ui
zkfCwHy$4by?mL>4^hn1wP8;?8e7)0NY1Jn^&v-m%Js4L4F1e}P#DC#_>S@9H(_(((
zb`n=V66wXrN)K^Vq4zFvt|Lsoam`q5u#R;Yf6~VDE%{2yeAvmNMC(8%ToJrNH<(ps
z*kkB@R__>-wc)mRQB;f&6#?1oX^2KY!xk+ZlukQ(V-AnMAbu!GWj=O3-@YvluJQ4i
zHd4BX<^Wq!fhUcyM~0}<UT0J|;M@ZU`Mjd#AC%Z=d2&*Ir^p+<At>G^km%$%Qw!+b
zps~C@7Bs5a>?E7trFsL8Ocm`B0GHdxWXy55tS_hDV|d35u3u_O?5(Y-sBs?L>iFqt
z`Bh08oELkTWOaA4VLATgCg@Aw_8(~B-Pve^A&(E<pfz=!^d!be<f33%soO>7oYg<c
zx~K^dX82rW-t*7@Zbt^O0uP>Kp*seg=QpeA+Z0=L)G?H1jzIc_7D9ArXPj8lYSR=x
z3FHlDOod4<;foMc)lJ=K{@n#?(S6CQa!UkcBZG-nL-iA9Y8~jsq%@G5QA&?Lu{PSh
z_Mto5I#_1_+Ytb}&xaIR2~nF5`l3jYY>`6vf+~o>^EvC1hJQ!$QYVxT*y<?B2#c}H
z*LcAi3?NeyzD*-0P}P$p?*P7Wwxs5p2qY%0f|TPTaJfv}Nn#e(h}J#qf6B{C>-vJ5
zh_{A6je#&{E^KpRjg>yDq~u$2EQ_4z_eiheABljxz8#tb>oHf!j>P+$p(o>)pw?9T
zT=s&qi7Vv<L2oTMyGNeQ=#e)n3dY=644xLQhp#8|nfa%M-1o0i0w(WVVTauMh)%sW
z{qQO)T;YM`r%GAaI!#?AiTS$?X4tZB=usg%20RSaZL%sJUc9;`Q7=Q(!QSLeFUI~=
zUq%{~)RM}e0t&il?VeLay^1|BqJ1&x_Qo+NFXMe_%Pv39lK8ua%1OrT9ox``A}k9o
z-2P$dIM=Z4(D-e<a@yrH*oU-0!XBE4(@V{CSn5?*`tnsy>m!BGftU7=R%0#W6$J2>
zrOHZUriVs9s$(ydl_tOc9@Z--M~)`G>IZ0i4<^T?jxuCEBWr!)QI%1zzn*EXeq4WT
zXZnvlgzfFUAd<!T9bud2S7XlqNFo03JBug4Y5q?c|6>>DyScl$+WO3u^?Lj30y2Hc
zUquyiY@$FAF4vC0Z3<hw_?xYRkmCKCPJW!jVWUB+*S?^4TL-(c{j5aGu?UM6i7rC_
z6D|uy7UCt&F5(_{8FzoGQw%*(y4#def}mqRO67g9_H^N((E=#_;MNKOSTZU=y>e{^
zZ>h3!Qynx@eLQFt_bc4I!JHfkZuDb|*7gZ0&gh^Y%8IiU5QdNT2r>-9O0H<irO8*s
zl=dmx{f5p}!$2u33>7~1u<r^9QW?dkA3OGg8`pQwV7Fx8h|s&iu;dq}?2i8CIaqC}
zMR9`G#6+s+-6z4T2!(yB*mBNf@kuwmP;-QR!$IKGOTI3F<)kA)5A_HI0f<E*HuaX7
z6dkw!+KKSy_!U50U-NoRcj8I>D1mR>-$^*ihwxR!7w047wOIWH|K08@&G!t*)m<D$
z3<my>>2W9vKK3N~Q})QVz@ktO+3~%<TR>C*k9GN-T*QdvqHLplh)V}pi>5$j95-46
zQiIkMcxA*LMtJpH^O48h&#-+Xho+}-#l<t!9_m%r4v&s@KHcH>G9R;tJ)%5Zo_t)m
z{fs$WbD?@PzNCFNN0_d19K1ass21@Do*O0nYL!-Tyhkw4gX=O_xd`8V$0C5ls2Jz1
z`|(E}Ul0wBRFfZEnSUsYXG^Qr0Vm@-)f)m+*6S6no)KL1tq5R>mVltRa!tl(SMZKp
z5*2{D>mRqy-NiQg35%Jd`BXE9ta-=UI1<K0)Q&gRxu2Yga&Y5E;ncRqTB1LyYlO$3
zI$W%ylV1GY+4_|lVB}8*0w(l-mGb`mLhXQ1v7$(|4JBC}b+JY3LKjaCHi04B9RpF&
z{Y8S2J~^PJ(=)__-C{6K4t_bYrP~GF)$$epB(g_kDK{YWy#P+aBCDt<)#*$U9Q*5K
z!p+p(nUA4#Zr-8M!5hm_S=`A-$wfV3h8!kjJ?=h>AzwBqL~JFz{W|tnw-w__q=CsC
zw(lM?U8gwRR6eFLq~hOjrBA=3-57M>-afs2WJ$3TBQ_)G+d6a*GxbCHpROgqi)kFZ
zP*MLY<DVb=W4KG892dqu$bj@fEm>#$%{oqg4S*kFPgvR9{%LcGtBzYFzOTG0Abt{6
z=-Z!RL|<^pQ&x6JhtTacQ3n4_45FdOrlKDCmn^}*|NDCt7PA{9m;vdN-X;IS*?mIj
zzoY%XxLpnR0B+YNgkFq)VlagQz$oae!OM_oA?U%Y7s~0z=N30^RfNZRpG!>04D8{4
z5~=o8hUJqPiYOhmh!MS0l7Sg_xvgHzx4QnCH8|QlRa%fM4x#Z@_RaW@XZG)hhba>a
zV9Lb8^NkWB6v@v4ptk_DA|o<!+q08SZbo6m3SpJ>buEXI%zjFBZDznb?<!b^U82>C
za;0tG?c!Y@_?)waGH4@hbUdSVLhdJ=+N|x;2R8CVG|RhD>%M7cKt|Jhtq=@8;)n|*
zADMDtWL>A7N_kzXE9Tmoi~nDC^snEfN{9JD?<d*q<AMELK}=!nz~BJlxXjB02j(3J
z()GL0OnTo-YGYTsi8bm(7LJ#ysw)_I7DDXki%fzfow3)kmQ&J;-n%!9P){%8vZ|$M
zL~&U~#g5xrYTtdtV2+Eh{!6yx?~5XpNeVKTZxN3nx{?viWrngfZR=9Jye?*ge9iuN
z00A)O)Siis*k^k>wQ9H=seuHTUtihA4-O-}C(qH;ZJ+-8<&4R~lz0w>rzkM@e2L35
zNL!{}JU3O+OorP|hKn9ttb<!I%07|WC?+nesM(7yrY~z~akh9zh=L0~<6HX5pvAGS
zNb`wuTvEo(_;eTh(u+C1Q`+5YgY^{5@`HM~oQjB8g&RcV@Q7^xJ?G|EscvzHm$C))
zaVCQ^Si$8}kQybrh1UAhk9XF)0}Kq8PHEL?Wevdr#!zH#`M^R(XD%t>mAj~yM-$uI
z7%b|v<W=f2v`IbA0`&+6js9og`;TiGHcTUw{lR4rrV;v-aQNXD0zA|CmJ`<V(TBFV
zON)sPt0U6Wq}%7qXGMF&6cxCK-o(MIUF{PNWffJl(P18xiN$;&5d9`XHLS!u*rx^W
zt-(?koMZl#Cc}XWm-sUyYBKccAU$Qk%_`2Z%R-Ml^$MH-o@uJ*y6`eG)WJs%mv0IE
z8qzv*My8NsFJ<~X;FEfV-b+e<#SO1B8h7xDw9@q{)8&1H2<PSKP2X%9EmV4Aq<m*?
zWmbe|78L@x1EgQ+eUZn8Sl)cT9Aw{x>>A-(2g~Wn&by2r8rFwB5_UC^ApE^Q(qLoE
zkv;IUF{US&uEgR&Jc{?cJ`U~7^79NU0SSupGEt=QrzdJV!J#C<ks%kk)*BHEp>K_O
zccLmcFM8&J&1U|Z(c&I-$=`}Xu)UBiyZZEVHC;|tY&1%4IHGgPf%TFa{sbFYd-RQ|
zodVjye(Z!3%+G+r4t?W{o!biUlJ$f6`9**tyiE<W5+_|6?%^sDp~MkH1sc=khdi!t
z{%k!z47j?XlklgQAgy1>HkG9MNwL49`K9-IM{tlnmtTypBm3#9xhBC?ZHRbgL|${1
zD>0kEdWn*s?f`9iKF;)W@3}WJ&LIJ8nCTcaZuXUd5YRGHl62$kA1uB5{^W!it-rH%
z)CDGjW)3|;V)&3xqXH*z!dSY1dd!|Ck|5l<W*E+1Tf1%(9=ZvOO>;PirQZO_aoL7&
z?H{&_%(^fhr?et9i&SH5AZeC_g)1=dl(te5R_ox<B#A<y+yIGuvKE*aoIvb~G&q2o
zjW5jq)QK7nCGhrhnX<YTy(I5oxk|LmL8{v~Od=!6PUm1i=3Pq)tlVtYKk7EIOps)i
z2L+9R`Z&|`3m74Wu-#GqRZ5^AL25Z6&ty5sdu!3j2}!iU2e$Xw<Zfyj`D<|dY<tVn
zI(zrbzklIH-=#=1VrmB&gw<l_Uf1HvP8FmA+tnVoxvqxZi~&zD>wyJ4_Vu}QvBaiX
zXw!pqz4;f%>|bI0-?AH!G)zFKZrm)y#AG`VO#_~5USh(a2Z0w0P3<OC=)pGQZYs`)
z!wQch5?p!8Xm!Rc0M(ns_5l+KA~=NDopC%iEbXm@mfw9oP3YIe$+G5qmf1;DOIT%1
zj<SHu@v>tl1KjEQd1@uu$U~g=I#P-(KGW!Wnac?Hc1}6XodX4Wr(b*S8QS{bDBGq3
zhQb33gm)`wL!DiaUJrq&heYi<{9Y4Q>Y*L&gWti7ZzFF`KDk`p1O`-#s~j>Nc~(3P
zxp{v05Ty{)&K66)!83<izyk${mxq+?3o-V)LT-dhmIneB<g;>35!@bod1L~)t?u2q
zyt8j{AYS}G!q^1daeYY5e<))eCVd4w;*PN1Q}tB%_qO<77jM%sYxSL^mf-J-huk4y
zH&bLaEYOSM$YD@DS{j6}Pd~2w%5gZ{2R9*pDF69!+k^Av7m9~TL&PBLfiJcM5wL=<
z=QHfUZ|0=>(INSs5U3i<s|>wKO49BJ;(@Z(blZ=pezJ`Ffexj{eXTO4bkJ)Km2JHx
zozuW=fuD^#Xcf`u(3Ujxk+_!x#~;?4Sm9WXs{~gzPyyrINhD%(jxMZ&$OsilG?|!;
z)f_0e!(`dSx>v;~%-H7dQEA)B);LlwecU>rJ2+FZIw<YMd8*jwnT+8Zc-)*h4u&J}
zW~b}B>(~LQBa0<C>E(QlMt?baHm_mHP?rX<0*(~1rpS;{VbGS_>~xgXRK^8%p74K3
zxcu9?g5oh)>?S$tm(POU2S!POyl6-r$V?|at<r@V+IHbkN%obQ5KddoSXlJw(m_nM
zrUQ}7b-0Dr(xDI4I~rvbil4EKZ~EwS(kieL1a$vuWWZfgO+10FkuhdUD(OcyG;9s}
zn3C5fbFHMYCsi(h-so?O1nSZIz^oP13n4T%#N7%lV6iLVn70L3B&=>rGQ4f@sLMf6
z;1$JiPD4B$%EPDFB|_18#fkHKnk4<<K;2WE+QiP+&6XX0SQ}pPo+;|<i*F;A$6R@y
zG_uRi;+n<f4KBC!EjOVaU>VlPPs!xYA^Nt97Gjm?y91nTdgOk&Sh5PB<+LIWvYL4j
z5RVu!avOg3Kcis(1g3ISm>O%I#;7}HQ{&^1JB$P{I)Cwn{q$PethLpH-U=1eyH{8`
z%iqdmPt$9Iq^c=6jO3pafg};Yr#)oeWXrcA?XPk6G$Nn+d|>6gpR}kX$Ih+Cwwxj-
zd!BPhnvqKNgJx?!{L5Upz;rN{${=_vM$e3>(@wGypA8m%wGj*e4wmjFopSDXJS6h2
zKjCF-+rp~zaVf?w@vUS&{(f}_MdBOz3xX!&xy}{7^!h(Ui~bPy(|g(uv61+xJX%f_
zbeJ77<RUlStGAN8lFmDV-G6?%7F%J;g+;zz(sgrorFC~Ni1v}(a#9=`%MQ22<QGfj
z-(lxJFCf1#$<fTF7{=L>KmvlmLHeHCOV2J|cCtk0xyiYWGE(daidG$DJwH?aALp4P
zqIHi#=)2^5y^Z5XYLwTX^7525PS(zqx$VY9J;UqyI;v(%X4douW4Abunuvp$uM&g#
zL)*zh+t(+FDK|EUKYd|lahCK57CJpEY5jC0yhpDLqn-2))ti=wRz%?8mre~C5qnzn
zP3;?!JnqH}^YOh*@46wMK9h`O@Pk=h@$!rYHq2QsI2}72o$#AQzs5O}GQKK7JB%w&
zmpkSV_UVB}kK#uP61OdKo>JaCR~FlFq%|dmVNu(wBv(K5C^oucJ}$ZC0#vJDO<{^t
z3d{9lT_;&00m}ZGsm7@in7-@(yHr8qEEv%nG70@cPCy=;Ts@1!iO_m|BVHx71w*$y
zQ5y%5f|LY>XOBnT>30DbmsX1f{T5Zeb`j#~N<}6oZvM8n8t!0jqOH#15Hl%7bX&}s
zh~OPBv|Wtf$lHY&j%e7Ez-@Zb$1s@(3keucZYNj0?v@??>fwDBTtGM$6MPDyoyQEe
zMTJ@sUBdvvD|2f<-Mq-pm$|oj31I5p%h4{mrgJWWHp?|uq-e6dCa1x-yj_X!zk1jc
zu%C-ckw{F9VpR+WTE-)k1bX}n2+Sy+QN+OqXM~`)Qg~)vzT8!C+>9LKXjCZ0CLSkq
zyMxqXX9}HA+4g9txyCOy`OS+(2m^i+G`FHKmcx7x$kJcIWP3Bijv1opO7}Iv5wmID
z)kqdriU5p8lr!8Qch?2Fx&2U$z?_OX2-)^9n@*xdMc;RpTjvIn`JB(BR{>cX0{f^n
z6>83_BtTAtM6-N7|M{t9MtQbFX-<v+p=K7D%drzyp>0I&<J=<YW8pW6yos7~jnQpZ
zaJ|N+8C~gywavvc<oQ<-6B#c?$T97NS^_$vS+b-V{?a|s7-88N+dn(V#Kdu)4L5-^
zD+tU7G$el*$qEa5sA>uiWfgQ{6X?VB8K|0VE86edcTGrL8=GkSZ5|RSX8~w(NTtc~
z!YF<`#{$HVQ<H_E*Nc10Zq^%*SeQ;YJ5D|>7JIFS4g|jaewI!xw;48_7G%kZLqOpc
zXk1no^JT+8_GijUwkSImEXHS#X{Tcg!MP@;&Z{$1Nc<jI-8)ew)ZU1WQza+E;M};}
z$MYp6#%a7dMz4?R`aV7%_SfG(v!9csP=3VUj~%_r3%qpd;_@coGv#}`bXWHL>pl)q
zeEgH8J9%=?X4d26tE3|^vOm#*&(v5zUiQ(lH(U5eI#xj515kEB`IJP*Mr=4CQWqXe
zx7KKn{;z%aAGt5){VhH=7o(lVxD3>cj8I@D$ytiIgJM<h2D}~2R&ZaIIWi=w@)PHz
zW(*mN^98723%JYR$ew#y8Z~vUv{EoQNroZ<u(CHxUP;29jcpNQ?C(X;L3DRJxqh|u
zj%nPpco7TC7=mU`z|j|6bHhLZyV%=<2T!i|-(s_WV7(rd?=xsC3SuN$I~TuD(?C{n
z(b$VFa^AWnJfohX?fK?C;>;)TE3+23!Yvt;+WtCr=zyr>*i;a?I`<6!?Hy@9m5W1j
z?K~FI$K?o;Bj;m~fN`Gx^!xn8ZZU4)RW%st=$Fs-@tuIu@@Sqdlr<_>WaTsFTP2mS
zO7vAK5e98Bd#4nwX?06}qsYl}^SexY`4Sg#RUwa3Elwzp0A2@MdLL~uL0X#MSUKSt
zOsSf$UMYiJ=wtu+Q_JdxV^xmydahIMUM9CJWBe!p)8#lg1v4!EtIyg)c;Fj1L|4dw
z{L8q)Iz9b``tKajEZ|qo1>H84f{<eaco1E}27gjih!*{&d`R^vsB)?cWkfd8hlltv
z07ihUTvw_2lqM<n<YP$m48aOcE$qu5W?n$CCC6C{uzGIrVH9ikMw0WXwe2Gg`fl-<
zC3v|$h2PNcOI2^0o$7+&X<zRf6=-<qkH1_;Zple+83KP!)>lf3Ns(D*h3HTw^bpkT
zGuYp(m>tr|DwgL4u9)XMp^h^}QV!;SDpamaIua#z%@Fxmtps&gMT0K}#ru5G46>1i
zHv3(B27|ASY*de}zH_(LH^!{~y_stQ8q8o6@4SDSgr4n9Qzy_`eH#0(A-8`==^%29
z^zIE-BqpY_fnu>TsunIOj6Q-0XmK3LkhbNFQkanspqPG>pV|R$Bf}4GFj&LS8&e_p
z_L341V$JB<d6lDB|MlrsTvURGKx*>iu2?gfiO2SlA<~hlR6xHHV+33im3kGcAUXe0
zrUBQ(U9o{Uh*X(l#}ES3G!;u4YGewX^3VVAv!uBHwws-pV%lgG#J1IDja#Wiu83uw
zVG@1oDoPZ~H0yHWpzqy8RA0p1H8Y{w8g9W8rv1d*{nqW4gu9z;y@ar>5NtP{Zfqof
zv!ImLR|ms_&q^;=+n!`I5}~ji1hpFp@0e4{V{z+}6of86Okt6LNCXHk6Ig#lu?bk=
z`uZ?eoP~ldGIv`!{fDxu#x&gj(T)1w=xtVlNzdZ$*OPGosucqj$Q;&uK~`MXWNX0u
zX@?i`4S4Ram6bV^OrnFr);x6$n%ASxQ@e*a_s$_t&dhpi&+0VNs82$-^e`*M?39fV
zEZLWcc^bK)0L>j6PlukT_L5o?BHv=?M31$@S1K%c>bTZMdij*vc^unlBU@=3>WL>(
z`##uX^oG}?i!n8bD!Y{cjw~_dO79w%lSD~B7uH)Xte%EkGnELj%dgN5^I3sS!#K(~
ziapCkv4d)$BM~x2C4ALe&-*0XbSrbPqt;0w!1L=G>v^J%ppC9r1q`RdMU;7vH?nPa
zfp@A_Vq{ad;j{_#T^O{k=D}2D3K1nJGj+eUaI{9;3)q0$ZeQCZVWANK$o0k2iNo|+
z?##nH;on21pd*aeNoU3W8c&BYVFN`yNPJ=FORCMyOhyH7Mrh|cXpMoWjT?j`))7G%
zLSLp~NaRqhl@~TvsA5hyWVi34_+Wky@$3qg-$6=3(H8-v(qCGY;o@W;oOaNFuB%x=
zDD;WFGR00=8-~@Mot2*OX4H2I<YbdSvL#DEHr~U91A`s{gD<R3`IStMcUM05X^;21
zzZT94Hfs-61R^)*z}+2rZQ4|;F~r22<I2WHC|8s_Ft3I7<$`z0pu<Pg7cZnZbBDjG
zE$*+(uzT%go2qQ;@{Oaed8*W}jy#9U!NsIWV#ZSe#5d6!u(t5{dcJBT;&K+0HBuh;
z40}>cbJi?`vJ6>a+PE3IVKy?VX;QX<f!3;wL75R}o1)aOMGlz+8sgL!?23MA#sB6d
zpo2l+z0rmQltHvCa#M_5bc>Ps!~{fS-)mSu$pfE?H{cNytCR&oY@(I%ApU(0Qv(#K
z%HzV_>`n6KjE~#D;aZG`@^(-dbsb5-?z~vYyf(2G-)u7&p~w{8k_SPaOI193%3-2?
z9(I-B%r<^8@dSQ9*hehpnJ8cDrr6v_?WB!3RDwEbc`xjXgT?-(S|l<JjMLv{MQYRZ
zWQ!$#ST&&mD`>jYy`@t+$rQe@Zwd@2*fbsgk^hug|2lv8nLNdc1&Xd41a#8GGX668
z<>JRyyAL_Lw%{aJQ*IWvtPrrLa%@@UQCn2Y=G^EdsqT;F`c84g<-kqDu_Jlhk{fNg
zekjC$AoTil5X^uo&v?@ii^m{Y77?&39~sBCS*?Nted7m0G(W`xc02S)uTr~D7bZx)
zP^Svw;sD8=lU4+F86k~Ascznhbla2`{C^UiU-L@u566lzn&d#a(=Y*=Cl7@G5cgPy
zc3}mDvpKt34SW>aZ}?d|2i|rh8~!GDu!~T}5sWZp#nR>>*~Ze=P;fk0N!>0{#9f4M
zr<T8Q9Vn$PBN!R3pUp~IVC>PCgA!$wf&!L}tZ%fVo^C1wTT60gmA(rZFC-X``}`%|
zxcswpzG34tCQl*(gZ9%SBtH!9@i0zos!*D$UnZSo(2{1jEAarc1D}f7+1-Z|Ya%aB
z8y#9MyRBHLMoWJvdqyg-n%#NvPSR*D-UdevP$>WCmmaXlWDWL%eUXegF$X(TAl+(}
z`ezKwe6J|4>}yk5C&wBycs~r67F=dUR^$}LPnk=>_SP$5d4ZRMYow>!b$#Y-O-brT
z+XK~Y>{o8zA88JO0^kw>;!|oZ>y^K_$o+KKD$Zv55oFXhN~WQY9T+??WzOH)F$o3(
zcMgyKinFQ=CzqZIA!PHuUc#buG|`GwSSqkU9T#cXM+a|J8vh|)2nZKF_psaa2~hFD
zCv7T#1z16gY|kwE8D<oUecb4ahqs9}aWJ1_FvqGb>*eTud$!RfPn){sR{ViYSp_k%
z*XJPBEzrY4>_o(iR0Za35p7V(V!)<-y^NsuX4H}->^!rUvMsUy@XJSn6HA9_YB0{9
ze{hi0E%De4pucqR_dJ|)iE{=L1R*V6995IalFJgK2JPLn1(b|;iqbrZ*Nq9u_I_kU
zI4=)wV9K*hO+QD_MllIF!gnRHH{Z~mc#a6srJX@VIqMk74gNVO1tjn-z17>417e%D
ziS-_lNQ#4N+PR`%2xbxpJ0#1!-8%2KAywgOa8#QrVI98szm1`P74(07B1eL;QcJlp
z6{uMzp$71nrq;j)>c)BfgaZF-41i+Qg7!+~Fi8+ah0n_*`q|ggLTho2<-w@@w`8-P
zHiKPLs9g1WdHnejLd%ihEKV4bqyf#%i)1TwSy^j2<u@MokTKk~esW;2@EyDK=r0ZL
zydw1t8&^BLvO&Z3?}P2#8DS8b*Ous?3A_gAQLb-O-sEQ)<Y(m(wo9rU!4>g12BbEV
z;WB$uu%6&Rm_~oz^Dmcepn$aGYO3SPrFO8g(PHhSCzTWJf^loW)Jlf?8qp;ub)(^5
z{nkQMfmaAo0hia;d+lWoe=;jh2c_}<PzrSizcA%{aR7O;j3u^A+xtseRX`H=Tt8%g
zNXGu!ErDP$+trPN-=I1~-Ud^|`JL%0QbKwQgpUJ`0hoH&YgVkFp27o%T31cQ`yIrq
zS^NvxeH!OqKYm^(8er!T#X#p0LOSJ|oMhZb7T`nF#UDTL&Q?RWB)VProL+GHk7(i+
z3K$`&vH(5OL)+m2`3GuD9^t2#3O-Z}IeL9<ylElLfd>8NXfjr^03ViP7twf(8oCgl
zgkcHGXIePDc?s;XR#!pt{sg&GPH>|UJINS%njqy}&ueWSkzW3F=cSyi88n4DAI_eK
z8+GE+F{94$%@U2Mjs`Lf0nl5OL^fDVVO?FUje!Azm*6-nK8a;dPMUF-+a<^)Mza~^
zL22gXrLwvN5ayd-{yz2pG|>LJL@+LlJ0`J>Qeptl3!ny1@UX+-7b;_x61;#ePP1>7
zG4@Zo91>S398P=g!`11aBH|_N&sn)5;Mxo^*;lhnoN&z@s|D?zXIdJm8-{(4Jk97M
z%z`feqHw9vMhvvyf3ArHCW!W?mcx8F7Asa&$;zC^JqFDZu*mMUx`^wH)MMkqnMDw#
z;lh4mE8-8GuRiSrZV(q54F{=!-6z2i)H7;YoXbE2x7$Yp&dW^dZK>}U*5W1=Ln}W&
zPk3X(J~>&t116E=gTkM*hrd9zyPUklI1?B+oy*ezzhPB*-rv!<&G5f)?jPwn3nAv_
zpKWf{vSB21czhG$G@#s9k!GKO44!#&VuqaTKWG8>(sT41ZY{*&vJe(L_9rBB0TlEZ
z1DLxvW9$mpycDUV45nFlyFYPpvjjOhP_HsWd&Qrk*qS<{YiPgr)3`K2gh51%xmnsX
z)5yr9K{NE}M+6?5Q_j*B$aUVKb3lzin3@afyIUefxH{JZ0Xt}5C{B!nXjLfDdIz3M
zQ`u3>Za9wQkNKu#7Cd+iHSp5Io&4cu-frFbr!b&ik57H4#Q4a^9fV;48q-rz#m6q*
zCtj|P7^2fN7p0BW;{N@un-Kw_tsydag}EHRrn5d^;XRo5Khe}3%MH|bCm(F*Oe1`{
z4lHF!qy@ZFl2Z0wH}NNd1Z+JG-E<JFDPp$Q9MbGEO{dJWD76;MD}Mdrd`2qzDHZT*
zhs!wYHB%s-!`72+(^K+o)H_)v1qo>B5dU7oQ{-BJUT=!)qQ|Xu#9zF9f_?5nQ~cZQ
zRfGF2jtsraEBIN0Lq;XoNjwtb_pn}M!4?&=l^EQ~j=YMR+Nc@AQ~;Z&8$RYdKKSmU
zRoVSA-2lAeLt+~Vhd?sn7yPz~0S_@jK^~X$8ea#k>+T=iq@?ywafyE?K7U^%12ECE
zF#G*Dlp>i5KsBf;7aR#yw&iSq9%+m&+jOwlU#+X2TT#Iz%7#fC!aJ1ui_DweaQ&e)
zD;y@+kf;Xzp{zSLA(b^J_keU^h-!+BPSH6257tXD;@g;gs~CQz&My{=4^fR8fg<T!
zKMGI`cH5X?jDW4pIzhzwkJmH!WA|317cNW~iRtyY-M=K;3>r2y(B_j(NHhA1it1%G
ze<vzA!Eh@>@UPnZC*6$ksnazMY9&_nB0DOhN77!*)lg$1SQHCLA|OQzYuVcwo%AS|
zdmQ-NG8`BC+fn0rE=dOwU5sDY0;qIKnE2Qd;L)})ttVcy@|!tk%H{&5LBp0Sj!^9V
zszfbl70uSYP%B`339IUIf@WvZ=2MRQBU{llOT+iS(f7*?I*=)S!eU@q9~;@FK{x`I
z*BBz1D>4+bQV$U2n~t{!RhfuWKL!+AheIF7b?WLAneSoW%ulSFP4`MbPf1j03`s^|
z+ghX6gRrG-#?EfFgmK&teODiEdc~p3NuFu6C+W}rYAZisxEuyMnhlPgq~&X8X^VDL
zh`Sbw(VE5@tQM_F>E8Gr4o|r#nc)ME(MeZ=H_^VCL3|TjzuhlmVlfrl%ACm{jC=^8
z9CxnYsA9`!-F;#th&YdCw`ffxW<Z#zfk>G%FEFpkjoqyJMtCpfB!q%srvz*_-Z#f0
z0TxkQCfQASFCHxb&N0_Mq7sn970Ae;B6OEVTd@&+@;KG1v24}p@v(7>*;PC1(kGu~
z>tMZi8V<`ym5aRnG&j}bNDzmP-1xXhYqY!wYcrZ2F0E#AHa(Anw6G4aJ!xHvj`S^<
zlMv~3VI~NB)zpYUZ0jJ!KW``T7X~_QOq3tdqZ(zCh(*g_wp+t&0(1a>*^cWy(Zc}T
z-tsB_c7fCoyYk;|d%rqHxqq+=d#^~aV$8;zP)_cr2KR@(XFY6VRuQ{Gq+cJ)HC?d)
zt(SZ9xy6VDzd}E8p0)u8UeW748fQR)n7MSqI^1ya?(x^9^@F;bsA?r|B#Mq6fP#Y>
zGc`Ao2d4u^8YzadT-avVpx(esj=}Zi(|qB_`E6Eb5hrGSq5;E=3El(RKo%B(6-c(Q
z$DlnVO@$eb@Rn@(mlnV?U7oy5+IR-n(kDd=imxz3iv6P7Jcj;ak`KaSg~viod!)-t
zEbm}H$g62WgX<<fS!bZbyQNJ7M4sm?&tgP6QMQCI=RCf~sJ0esOU;OX3Ecf}T{>tJ
zlf^%=$+w9{8Bv<?8X*@%&t8#>oYAz>ykvL`gOg60;K=j2|Mg0W$N7@-P?o{QHYj?9
z#UWgaA*3^ML&Ama-cVMVMsb+K34G+4rs&U}BZc+zL6e?4s6YIJCCn6u)mKlRw!B&b
z2|-r$?7m$U)w<%?e>RDu@p>SCD2&dDZ*sG3)kpsQOxB}T0*b7JJ;i|&;#2sgZiwad
z^s+p=3j?_=B{<h34rH!YD8tr@7LoWFcMQcmI6`)m1L;DW3>v|T6~8hoY+hKh{#$F0
zl>3ai%YtZaNldEv5Gx^!jG?&jHCq+Qt2D$=%1{-3V@%YO@6JgIq>Ra(kqBz$j!=Wi
zO)HYxA-XOO7+zA#AJ?_D<ZPk~Z)HMFDG7K*MMwK=R-WxJ_h60fswmg*EB=Y_vG#bY
zrSW~csrPCyr1?X~YkRS6HC$9M&K~{l_Dn<6G(>9P7<$UTJzpg%(sS6)9cpH6_{M0i
zMQ&br`{v0EK3q0Z+j)QAOtZ`Ui_AANHmTk+!cF46UtOf5_+EO3t6bxQW6me;^PbxT
zH142Co*<TQ#r(6?0go^>gf(1&diVpEb6%5j+9QVDCeO899i0EqKBoZu{^%2<eK^KO
za4CUGbWQN>2HH6Wlj&_@M8=KN)U2<wX8`R$I+qOvcC77^MkakG)~Q48!_ch3Tf-^e
ztI^s+5vs&IM7+6lyBDXUBFn2*!yTXVQ`KE=mTRr^f=%MY80EM>=IP!<MrVW=AMX<D
z8qHMrmZt3Fx{FIxL{z!8se|Ak)Yln|>ehhRkg?5KEMbG@Tu+8R|B63=h)_z_e;~1s
z#?|QTL$=d?y~oen?ndl{`4EReMMfiuHxbJ{hw9iEZNJrvp`t@fI$V_D<e45(RP7I@
zsq2K!<w;NZ9F5nS$acCeJuMhxLL#aT?PAi-Dro{SjjY=Ayf)Eqw<io311e@Un<8jq
z7R+Qmf&1y9a{q^#_wSAciv$K0jp%Qsun8b>&9+IFfFcQDhX{&{kVhy^HhG3)vO43V
z2}?|wR>^5dm5<yB#AYN~fTfHbmCN3>xL#~(L<!K^fHAKu9<XT)5gX@tv>A*Ge|#wO
z4w&=^i{p;|l-#mR^Se*c?L#&qF9v$d*+#~3p6T2o#asQUeI;uQy4NDhRRKFcb_^rq
z7Z!La1tM~z@U<W`kkm%bY*0zI@w7_6x!Cw&`O??Td-Tm76Jw-v(lWrX5!TszdpN{c
zEFZ*7t{EoR`E-qHVN*YD3>YzdA2FXllo(G5EGN=jG8<QW(anR4;Pu0|31v4op{ro`
zI)29?+a$7stzuxm40h9n>jL5CcN+y9^sAcRw=)8PP!5bTpU@xDnz-vpf#NV0wvl`r
ziUGx3n#iY2&<P9!2g2vTM|{Q-h9+Um#q*c_gnE7$X`#6R>lNW7QGgP$Thfx!Zafh*
z34sd<O|sck#y3(VY(}oVRzxvw=5*fs-muxBZ}8@#%gO-(ivSzFzQKofxIqlUcTJnr
zmcKi8P|W&Vip8Yqp6+7_j(0jr#Rsyn_VQaO^4^0?p3|%sy+52E{u&qQ6?sWBt|%6r
zym@=d!XRdHyHk~)+h^X6fA!JbYg&mSXA^Pbnt+-VhD0&XSYY?K2sgdn9FU-1sX@z2
zE|1#mLFlEw>(O5}`2J!nZ3354$MRO|$Goq58bxEuJZGzaM`ytxQ7McWQKFUXvw^Bu
z*qqr^c3YzZ3SatOQ4FO=G4*{D7APgnHKrb^OeswQ6Q~|?8ge#tbP$Cq7{v)u^u-<Z
z2;>^;qu*1YO2v@L4sS=^DmEv~K!8eK0a9X=HJe&%{OdM-3Po0E3IE#nn1Q|8LM^Fq
z)O0@RZYQB{?4l1|X5vl;C+Qe5w=mu5n>^+Aj)4m*q?Wy8hQBz3HIORz_*fxFV;SPA
zS!adj+c|#B&^DBc_jVjTVScq7lMj*T>e;vgSxfrOm1%|=qQOp7My_@P>#*-p7+;(}
zUjD-dIjVGhSACX=PI#c7m=&fo`~_F5cyvryy1LrP?b)8}5WkeoYlxKa*uu++e62@9
z2~TZ9!7XPgekgVjmI8pa%m&{m?L4J1BEr;f|D&K@$X<N}(pnR#I=QEEoB3F-+oK4x
z;Kvk8a6pI$-2|HqusN{Z`gYm;GWzqq-&-ZB=9ju%DQ})z6pD%>QvR(PYQTZWLfv<_
ztT>CI32apBtI~QK_MrMa#L8~>c(|(tN~a(cmWJE)q=BH|+^6(yD0Qc`F;TI+K~SQX
zNxMC)w?xe@L26UQ!hlW~{h;Je?FyL}yrrpn)@;YQMMzt8#cfolF*SFRag0tf=*MM-
zYJC2E(bA?fnFh9bsj*qH%x}49RIMBGFdzYBdak=P*?4}N-*`~Q+T(&Vxlkj+_{!p_
zn?f;_uW*bz4g4nAxo9iEH}lcA+0ty&!k^sMIfjZP*3q0XYf=^GeWF2#oo`9THCy{8
zPw_j)fBM2ojrc!}<<>{F6cc2@n*+McNI(2VNWFc7mLD|aB@>j5@=`N5lehQGGcGt{
zufb@`2{_>H$OOS~z-VfmD4w=*cw@hT+Mg!B!_L?g4bqrQ!6m-c4IDJXij@$N7?2X{
zloYY_?K~Y!kfgv|;*JmJS7}dH_>)klO;C?w4DQHLx69CFRXyL_Au+xZlK8?H&s845
zY|_Yv`+z8<MwIc-;oL6_Ap*%fJdKa%r>ys-UAIou5a!PvzAB~YO^ttR>T{A75^FiJ
z_}cZF@{|B%SjsH7R7^c&M8TJ8C*L1nIay~r*C5#X{K4_02^B7a8Qma^IWdf=RZl#5
zv#+iio0vxLZFqLpLcsSbZ|0^~&R^?HB~fNQ^jSD`7O=t>4wv&cHWhKQ;a`XZ?=}(L
zSB&FsskweQW%YJ&#*IKygC0fyH95jJ114l7iXwpe9fAgHQ(p&D;1yWiZ#a!$Zldct
zomAngtpBo5gV*~Dx#7au@@JUTf`jnjDx++R-pU7natA!Q>VGBu=l`C7@y}ImQ2Vv4
z@7sQYgJ@aJbSgo<qacEXkc~1EJ_C}r=Qw5Fl{-rvuUU$vTl$?k*0`0Vqm?l%8%?p=
z7VF7+T|2RwAEirD1|eF|Tw()*6f%2KqKhw~U!WZ1@>iMM*(Mi$>c$e}ti{ZItF(5_
zZPA2FR8V)&6TADfJV{1diVH87O=ebB$yf&UWl@JUL^f9%$Fc1b?!HcAy`FVFyL-Gj
zdITdhud{Yrf;X=s^gYCek*SeqlAGUo8{hLaw%7;DbPx4k8Uqt)ZQINPLJB0<d#eL%
zaSSBK-pSP84D)OnG`ygZtX_n8#mc9!Nt^h20>9K$#oM4Lrud#1(rEJ-5k(}fdK{Wu
zo=;}9-Qt0lB|!-zWr~p!3{t2oyi$L6a?I@GYPqrXNgOFtinrjM7HXCib5KTLhf6iS
z*bwXl{r#vL3oY#)EI0AL822B!ZcqZI=fX&va}N~M%>s%>){yW@`IEVVR`^Xubq3tX
zE6?#kuACGpn>ehW@hR$YUEc!S?CrV{Wz%St)YaEDfX@v3hUvpUSfQo{mt^N|$xX@K
zvSCX0)|P#1%u?>+dRJOL&b<xBG1g8~@1*Wkr1sClmxw?FX`XIjX5K_9nvtO)Le_7J
z6d~3;x^-6giQ}$%*}fySh7XQQ2c*tBkhsO8KQ_p%%_U+WU!?9a6k&}d1-mfi2H^7r
z@rJuL_qex#B9V?$ufQw&lZy0?BPB152&YOzPMqK4h~hVR`IJz<p)kDabRapmZICFF
zC#r-KB4J-mteX|)nZE~6)O|o&n|G^jdl;36MVO{+st7VuKPEf6;gm9Q$6z5^b~7-N
zCS3tx>chE&x~KO0%!vgM@=M~5hM$oaK&*!9l8?;SkF<>?00mrFfXgzABeIN(g_5yU
zTBDqE?W9$SQD9u;AETn&3Y%iB4;Ux|Twjppz9ii%*v^?)!dkgcKWv0m$jVZxCFe_o
z`0{Ace)y*;1N9JN2CV|CG0vmqCb9Y(8pk1?GG`pY6hpm&FH^izUg_xC4i3BFmm7!F
z1Svxk<T4!q5zl<h0zxE+qxezpWLsyKqqX1)jCC-%o3^2BP}av>&{_L+gU<_8Ed*~w
zDP_8#g!{*UPm6vH_d=1@^~sb`6g6uX`Zh?T!ijCsjg&8M1O*C^Wq;kZ-e$3a6)dqw
zUc++cyt2g<5U83^M=B*)zZ0n+(@t13I5gTVymCEya`cgLJG#m)>DTTA5<r-C`M4;Y
zuid;EzUn$2hd%sm(FGJVhdG7v>~xyjh5|FOTZzj9WX)Y;X{%vjIkcS2iN&!+g%C=_
ze5G%ScY668*2(~c=-Rq-NXcK<wwP5y-rD1>aImzWz^bsY2|LX8WT2*cHylg%k~&V=
z)GHx8R(7q8O@w^v<|%~UEg&Lp+bL^=PHIS$=cEqk+P;FwDV-@;`rKrs?$5-F6{JZ>
z^A>AK%#4?ZOMhLB&v@irs-mMQLUFE6)T9DT7P^O9Iybeaa9rv;wb|ljXqzN7FH3Ir
zvX^Q2m27smY-kF8*SteHePqi(h4Dxde#TB}ShCA*Q=`*l+e|6JqGBKvE${ln=a*6p
z@BCRBC}8U%CoJe;)p^EjfmZu(GnIm5OpSuenc+T0LjOHh32-17HUJedAQxqs9VMy=
zgJh~jBXOwGEiCfFl3GumnALcH6#5csXpPq;h5wkYMr%akEkKKIGPnkRKwj>7D#C7_
zjQT6xxUI*X{M_i8J3brhd4(~($5o8_E^zlbaS3*}X_I|fo=exkVebCP?)EB?chc^q
zC(%@lbQ-2=(Mqo3jIp6|$7F7cJ;U*+4m-pyQPNP1jZ-kMrERV>Z-CI8bs*xakxU+Q
zO}{VAhRI*+?<LChuO$DZ^ijvLojQ>W3cIzeISlWPpA?a#(#m)M&{ht_(V&@1>Tsb%
zOCNIxeSzEk_~R4c|AS<BF|OyQvh=YO*e?+TnQty&`MkE*PDcgMU`!05f~O6zsR0N+
zGle~%L=4@LcmyB`v@eDGlp8+tNnL(hW0n!7Zipe^#^(C;^iXVhlTMrfVcYZPx{6OU
zl4GYHzxs#uXDT<RRM^$%Y?5m#2E}DNQQS?eTw0gaKRwA$+eUKuDPCJOH#L*14ZE=P
z)R9gXG5ccsU;#|NbQ4b2$zPGd0+11yjj@46xp|#+UD(7u5qwG8;8WMoc2n?a74wh_
zQn51WH|0Yo+Xf`sT$Ucnz5hK@jzleC5_YmdRU1q`{}%J?S3#=U+>!6EmS{^P4s#R1
zIagT+D`4j!#Y&gwwj;@6nO__GGyM1nM#Q|)h_(`(5A9rBYsXX}I*ET>3$6Sm^LS*+
zNM^rHaR;p(>cwbuonbpLP0gzFD9J1=VE->}RJXgAC4FL>oyXYls93ss&4aNtA5;){
z|CwIPMjaD-97mb9N%gsa_35#3b-Q$UWdrLam<hhy?H}E?nU#vUv-Jo$VsIOS+4!e4
z8~<LC?-H*91d2F*A4COyk>1$Z{{*mAG~l)vnnnKQ;B7>i=%dyXDsontl@XG^Sp$5w
z4xkZKsNVJ-u&BW71cxtHx%5JwAGdzO>HL|bvjEbr1`*mZ5_L~C@>lFR%3tTJ?0=>8
zHPI?SVC>*A44t7QWl9OBcq5U*f1W(z^(`3DhArxTv9rP#=hJJaH!NyStLCtWZ)rbT
zMW1-3?LMH@-z$=4V4`&A2PEF3hRFt?q1zCn0n>exOAFHxFlLL`dN^#aa9(;C5PH7s
zam2Ic?Mtun@V5kqf1ZW-`cDW&vKIhk!_w3Zl6>5kT#+x#Oj&25q&f`;hQ%6EziScL
z#Cu>sy3Td!?5rsFtrM3<C&URcY-a;MT081!i%*%e*iniMwPyY1<&;}WAJTZt<V~8J
z>q6)BeB{^OU~%#}Dm*c3wjQTB3b}d4aBPMnYG$rmcy9Pd<Bw$<_o+p?;g^2O_?8Bh
zZ4nM1rtFz?=4&)wfOQ-Ng3D$E<#mME1e9<M&P^(lf8GZoK|zHUuSTd2H8p=5k)YY8
z7?^hTF#ne=`%(sWm*|Is%~A+P29OP5b2dFcxHH+jI9E;=-q~^PN^Q-GVq-_~A!wN&
zyA$Yyz|2XyC06hoyeDctnpCv&6Bj#oy>vq5Hk*TU@9SB&E7af>@2&5q-1M;i;26_S
zGFW(w7`_gn=8J6@qY@cl`!m;Nh>sx}8O2jZOfqejZb~+5JHZ0zTyqcE%W|nS=DHkJ
z^QOzhb(;gh%~N*fL>>~~Wb%HF{Y7T$UrAadIFMFEpyzy@li}|^WAfJj?4JJP8kI}=
z_MmxFTJD58$Q2Zb0*4stL<_6wZHTa5iXH;$Nw`OJX!k75zq*gTk7@(Gy_Zs=Qr>BQ
zFj8+V^3*|tXo3p)_(UEny}y=krDJrBFAPrkW^0n3e}kS^?`AQ$VrU)lh@#x<HQu3V
zR>N8$It9Y0?3bogG<)`~=V2yT3Etzn=!>gjia8jzbjE)hbNFQ%ufeuyN*C1YXOrqD
zE$fA}xq#qyx{Bd?p8>Z%8H%Onf8rK|22uxH+yw7~4X(dU9DS&XiDvy>w-b})V1)b(
z5P!9>36$cpOn0#s73i|wPG-tM|44agUR%4tV2s-d--#u9<_dfY!WP~(EIT-N&<zay
z0BsqDKp#f6;drstIPoOH{+bu+a*qrRIya1%a3R@sEDLg}an%eU3I!cjpDndrjZ8VY
zf;hg}quWxGoT70k_{H?~s=P|6S<fd0^g?tl^R?5?K8`1ot$5O^=NkhSaojL4&FA{Q
zk+jQ<rz*GEFYI;nEO4?_&4+Huo0uS0P_=77Mxg(Z?!@!oa`*%>$kw>uOSe?Xj1AXc
zRj&ar95J~LccGoNU%}hcq;!RH`y}`Y3z~D;K3v)pQ_`)B*(RnQ+M1B$OGunpsvsSz
zi<SSN!e8FZ!6TS<zlOggfcvW18hhS;KKnJNl4%oHI50!m2)(mFQ0M%A*!l{fxVEKh
zAh-?=!6CRi!8IhoLI~~<+}+(Jkc8kG2oQq1y9Kx41A_#Y!3XC*y!&qMeSdvb6g4$P
zF>}u8-MxDC+H0Hf@w?3Fa4dWM@_%kb2lO9oWM&Okg~b-=oFo+!EuEh2u0vVFoT+A4
zlL-#`7o##gYX$-y>oK!DKPpk#K=9a@-IBR4J~;g@7Q85_kPKB<|GzrTAS7T<m`Bi4
zU3J2sDEypWN_JEikON2|**-}3cKmap|H@OPmhsFZf{=X9AxRq6dMsm5uEWKsSd5yD
zMhG5qghNn=n?RUfomHljF?YGt93XUW$Nlut4^v~2zz3t^%<NXv1%fs4CJ8LV$L<;Y
zy;p9u1mZRlF*dRr$KAww0}7<+1BY^Z1lu>SDvMS(9-xCxch*u5UaKyoGvKHSW<G9a
z!bcR6ED0i6SMo+F>K-}8ila+IlVth!e=RP+)l3p_?0~Cyq%b6@09Tey9zL`QhWhh4
zgWqXPT48~q$<3QY4e{^8pZDnXN=v>b1l7CV(Dcx0h0t=?;W;VNUt`PE^gnmZ&-nQ^
zr+Ev#W;}ShT&BcuR@fEWPBGCD54vxaI_OH8{k*p7Fe%Fqhj@(BXrR?9mmX$Xem9*B
zk9L&CuS%uy3-qg-WXY}P)()uf=?RvqhA-+!P;9=j5yAA6+aJK85X=SsaCmaS7|>RM
zf&+o~WzKZR3YRxYV7f)$_4NPeM*l}w!1c&(byrWN0@0fcic}>JE#BbM7gr<y#{XUW
zUYaD7ezj3l@P!mJsC+FoLm_>7MYH1453{(FAMIsw&D5Lpfm9AJ<IL2ETD!bZtqNPU
z$o7%Bs76%tmcC=<pZJ*tQCaw`B@Ow7kVZ4q_E-qHiiO#Z2=<(<=C=ey2)Uk@pySd^
zbYU5qu>^Ac7=EL9D$B`-YKcy1i5ockdD2;r^(?g8_3ufOKzo?tkHGF9@GIKjazipV
z3X>|$ADiXt|NYcrLjV-&^yb}D;IfF(-i!yiG4w)2WuLYER5GtFL;K3LD{`UtrYS}C
zLD!e11{B-fB<KglW%H-%T;kR1?P9OcgM+D5LFfP{5x0ul{L7(~*w}2a(0l}{=-1?n
zcmDXy$$HIu8g2KC4m;_J@`wZe3T5jY^pbrkBo>14Quwax6nV9rYxZ67^`!6Ox4b`m
z3522P<qarlZA*OHZa!E`b^Q&;4os|vMS?W&ffkOu59bBWh>x4P#Q(LffNN)ZWFdQt
zd*qBN(L7<5&p9_GzbKX4N?yw8%@N6dGkRM5F%;-uWtB>ogSZ-uXL63{$jtMvgwP}_
z@-{e^IC$fndD_>WTF6Ik=utJ3*bwy$<8bt-4ef2lr6esmL&Qdr&#mUE(VC`^E&3Kd
z&?lIm?-`vBS?Pr^4Kri}kR*_KeVeJ{dik3J8UOc0K%ci}h4WtgW9Nit*)>>?+u&`F
z3`^T#FMZ8`fblYL%;*x6=L+g|v&g;T@{!MVp9C%RpudisOWWo5`U9rtW(lRTv=k(B
zn&mq<3-0D_PD~Z8?4M^jj0{|E^@K7@KI$+VyvsT|Mi-)7b0WXXogxjVKon#uQthd{
zxKj_thpDFodm(M$6z%bPRma;D<&J6Rr@0jCOoBU;WJzDw&Fxh~u5zQh!~ydN>f0x*
z_j{oW8M8{{L|`Hb(w1~7UwcT|x{dxa!lig0O*_Ccned<be|_YEDp6C4EqY*fOnp!j
z{uXNyz^i$QUR6tu1l4o=l{pHF0|vY>Nqu?<!rrB2lN^Gt!59ZkNuO{Ql*@4vi-(Db
zJ?bOJ`PwHOC<3QMwP^2(SmcveJBchrDht#a_XS3VTm4DTElEPY*yZr}&(@@o-2QaK
zRJ5jL5R(CaM4P1tK};MZMYKg|TL=Oks>Q|@@$7yIU@d+=co|P?IYg8^;eMvo>ux*4
zx?DZMt|6!Wj|{Nm86b+zL{!fQMA44QaGYe86I;~VZ)$jP9q@7;Qs`u#DX%9Kc7^go
zU%^Ry-`Pyf*0=|MZr-Ytao~#@FAgOLOpRj>mtp*lUru8b!Z2RI-13rJaLjHf0!>fb
zR;`Xv;%Q=l(vW36>M$|95ByMaIVduXzrni?L;JA?PDxS6b^2XJKvqseyxd8@y(1X<
z5s?j^U!<bH#YV6P_n(krm{?qo%G95I`TDl5rDNVgoV-L=<Z3M%>hHXv!l{4f+81hg
ztNb-0*OU5^!Fh<}XT>Jo(Yr5!sG~t~+?dvp5o<JCAP_TN-AeEGC@3R(=q(>Lp1^Cy
z?J<-xf9I8_8@Uj9ZjvlkMe4(ZVr;TtxEr2cJxoON?9IC<yHq`$eqSWJNGYtDxFAqQ
zAW7`{_)E+FHx(ATN!;U@2in3f0+u~$r=DOMaD2sb!i?wr8t|EuHT-+C@;`(CV8Q~>
zQV3~}Z;=E`QtvBD3Ovo_5;iMAoU2Q@G?AO~#pRN^U|8heRydVYtp)yU`xRU;f?-AY
zvENmfdWeMg=gAki4PHRpDYKO}byZ6=PeUJ2L|xc$-i4c&ZoZ}p2&r&hiFWWO-`1lL
z6-O|y{ZKa~aXC}!4{L88&g>6CYj2QGhAm6|7Im2pQDK@}y+jwB_;MR49UW4X&mT%K
z@4j>H18S?s9eocBp2I(IcP1O;eg<K1!zlCcE?IKbnR@j6jc^xG+5E^h)bP>w7(tlv
zu%oM3c<g3|IKkJ2`XTg;I-N)g8Ba(^Cap-n<{dUXTi~sZ6X=x;|2-Lwr5KgJeH<e#
zzVJz7iNMdQ*UnB`gg9U#YvgGtgh$pFoc%*yij2~~=Y$dUroUo$6AmS+9b;zTo&J9_
zT#5()%eTs2sRQHuzsSD-{06c-fj?PduJ-Mqj`j7T0=*sx0p!P=@xDH*akx*$b6+YF
zONsYYAg$I@1ntA+Sx~<Q3Z9=ub(iZy%#n0)`gfQg=cP3Hd#$uz=(1hpY%*3GHugc!
z9SMm#$z4f&sW}&T^bz|_tY&jPQICZ>gI)uXL~9N;>UbOBcsZaBlaQni*kj3tr0Lp{
z{p3r4E36nN34A>v?gEP%vKN=uecREF0snyAB_h>gLAFZbvPWJ+wK&yJZ{btLKCxK=
z=U#DAkfWgB?oIMFk+WOz*BCa<wRA^Ba`0d>tgPi`LHz=fj#PpCP02X>&8I&N%QXO;
z>NypKU;ZytG}1%7TubECPfz59ZqBdK$FaKQ1L|`wHh2g6CIr?AD6%`2sBM<8!!6=m
z+yEFabg-WxrFToOqww4w!9IXD9f!s>V516zu2zE`rfbnB5Z6un%j6c>IH-(4x%1;w
zu6sl^pQ!L}Mz89MHn5VHJy&)~o_!LVbIQ+zD8ZFc`pWw5$>2wtJ%5TvZaXT45zCpi
z+yHg1(6UH>d!|Hd;6}chH{6s=)cQ$aH&dpDy;(+@hQemZ43nr~FKuyb1VPAU3rF+z
zD2DiC2mPsi8$BGXptuys5`X<nDLmSt)qMbJ#-I0q7cQ?mFxs)u+o!AIiv<h$)oW#q
z%uzdp<7l<b_n1SIh(RMW<^|g<mW=Rqbo%65hXEU(K}_qfn37zCQZbAogGy}NZ%9qv
z24GCUnDs=v^IZfSID(aWDNL7?K*(c=5~;yxUy2B|NT-mvOZ*kG?<-P%PTx_uBq%8u
zEBWCCezf7pG|pElf6^EMNsm;iAAK)&I4(^jnDXSwky8VN9%Ij7JR;HQcxkNc_Bg*-
z@|OcaJeOAKgay58%0DFxEDn^gdI&Ph|8{L`L_r;E$(3~JwLB$OXVPw!!hzNz9}t<a
z-*)JD-;bH=%d@^#s+JElv2^xY+A!)&X?|cw<c-t;oo`tOOTMfhebsX`V*fP@<a-Kh
z5ATJVqDCkPZp{cY$&*X-qP+gLt&?^fYHa6wea#69H0-RF;|5_73SJC~lSH<Wm%Q=3
z#WCMez|B6~WF9wgSn@I3orS)?|H+!=|Gw<o6sw0mE=Tv+^6g0C@`DL?5Mk1qcdW4V
z-!W+<{8(Ay+}|+&iQC5)MnS0KYxR^pmx;Yl1pbyE!lj5S2!h!44cc1Q90BKsBXWm5
zVM$hI-0K_B-8?)lTTw$|*PUk6dfJMMq~&TJ$LvX*CDO@Rck_f<_wyw(YL4fM6E}4X
z(FsNQSXxiJ-Hre=%dRw$7q|11{hAddVo4S;#ZQrQSr_Ao7Fi+p9)Kq8$Bn>3!f`M&
z91sm5L0lf(4S__bRvsre?Trk`#kC+Rt$&eLiXuUaJ}g=8JS^G&Jg>*rx<eL~tIwf&
zl%!oQCcBWh2*0yLRxU>cp&~1^SglV^|Ngo?)ssKo#5kMF{F<xpg_47~<CQ$5k(|v~
zNhsvIfQp)EX02A60_S}%GV?bY`*boRoiOE2f{4IZ6IDlN*?Mf5PRHQ()LzR2&#~I0
z*21EgK<#UePU{<y`jhU5sLM4-+MKmUn|{Rd8OxIL7M1T*TimF@U12eue>GSf;;O*(
z2OkDWJx)fxq{I>bD|rHmlq4&#(aXL8+2lsx2mJ%B9uZ&n=`TP7K^vsSa!^$P(hq)<
z*bGaIVFcm0kM?xo;*NCeESr3GGRKGy;IffxlFF)g|90bqzDS^+ob^ELaxg4~!L3!I
zG7@SNF$-e<h=CKp6|?8bvp%|fzio{|HL}?I>&tl^27<<Z;q%C1R>++PzMmDp9d}XT
z3Z?Av^Hf9r`W<e0%_VkC-<yPDiU3uSWp{|`{htM|35<Gu=qV2Xd#Zoe0TM=dA+PY_
zo~C#o)MHKV)4o@lR#6?)h)hHbdgkkGtfDvaPy<4f>6WOl5K!v0scGa`hV0@7%{7lW
z%i@<qt1Sy@L#3|IM8_`L?Ff3J5yyswRqfI>u~N5Y=>$dtgHaGSi`wYo%zcpvGbQZf
zlw_J8{$@#wVe$dNKKs)}WS)~m0me~^D)coMcKiV^MEs>h1`n#QEB}s|4%f#Kb>>0t
z+y5bcJACngNdjv7hFXJH*)GzhZ(Wr&|2bky7*pv1`k0Z})xIH!_=39xzpz{X@Yi~J
zF2ZD{OH~Cz@jy9E&Rub%r?Po+!S~QS;xM9C23v{iWmyQhi7I1N*aUu-BYG@x`fzzF
zeX)$5&qJ%G6IM^OzUy%^ENysGrul(@@_}xR)&VhTacV0K++!H|E37}D>WJV>qf6j@
z1Ny&)LtGyKT1DBk_`Bktr||d!usKq^ENv7vOq(e#oBrH8+#*oB%ioH~^o{-m#IwTV
zv622TVpgC1ylG;Z&lJ%}JMAa?*E<7G&Bh82rT59kwPJE*@$z!7_vT%n+W$0c*dTuB
z-GBzHe=b=sQDl<ng^;toAgiq^CXUy;Iwgw?r%!>O@;fq7cG9^Cesw>ALxk^jjgnbG
zp{chzAVE6{{ZxDy;HZw;5d#j7nRijQ`5QQ30l>i`FZ12&{|T5B90ZWJu4D3CNk$V9
z*kDk7&6ls(np*_Xk|s^36{rPNOS`a#2<>ZzXV;_3Pr~W*a~d#VqadH;_G`nHx0gQ2
zKM8=xaFjEjJ!R(R{edGZ;K(mAsqOm>o055@ZBjdgPJF-3tNFYCRiKww(hu&os@%Ji
z$h{#I?+p&H$k=G{tERlsrH4WFi{+;4ogf?9_hCJdV>hh)Kg~B6B|`P7D}UBC3*rBK
zbx@G*vvHmn2n+a`^kWufuM4d*kVU9`x6rKVcfweYxc5pYnt|u)stS||3lFn2FSF1T
z7}0UwnU~NdpMUQ^Z6YwHey%zz#FoaZt1_Y4&J#1F<tt!l+KU_UytX9@o;bj{HczEY
zRoH376w_aatJu&*$^Q6zd%cgUXhJ$OjYQnsNa{I?`IYXn-ww--h(BmCxOQD{$>JU9
z-#1+bq57&vGy>}@%m2o^3CNPB#(1Q^Kjdid_pTRrntpAIK7!*NS>d+N)~DW=`ra27
z$&3Ej^&PQDBDymP^%y5fF7@uiDS;^gC#}8aqf0k~Gt9v0?y|6T0tFY4pVc{;idny=
zoOiYnSl>Hmh5DH<r)nsDKS@a}^RGVY6K-Xw7F#T{Ng*#sjMjpyuD;mq?_E%UZVie4
zmnclG@n;X)B3zQ~`U`=z4%VWzTRBw)4l39zHo11|k#yvyB5S5su>(lnc=jjr;jv0!
zrpzYc6BEP9KMx6LVWf@j{Ye!uv=e3iE`5Kg%2p79G^(SL_s{E&7Ogq#W4kdNYorhv
zBm<?1dXvts#p-X*1H!Z}Eh1G^sHHn6m8XV5In73Orq*tYY`)2D_nOH|-jrIM4CV!t
ze#8W{#t2SE%wMXq^eE-Y=QOI}iH8VhWiz~Vmfrf7CdcXLIh%KJmSbQ?8u=H2qes?v
zO2){{o|@%G4wDR*sCYre*aBdBrRc?m^(2rGf?qr4SsJ@L=QsD1e6(uO=c`6l$P1MQ
zvbtS)FZ15kG;Ew%cFeWJR%ZmJJ0=<b^6!C%FG>_?$i6Qw_Vu?rP9sx-1iaXx5(ebe
ze@p249u4UmUb0a9f5BReHcm(z3emut5t=qJGM;X^CO-fSNl3Eb*p~4?VpXuL=EU-c
z^hU;fqt1q+H1kL}c6u6}iH+mQsQ~Apu?Hl3XDTm@In}Ug=3YrB4kV8mZLI<eL8>kj
z7gwkBT+ZI*lVp#w%X?@Ua`7T^XqRwkmw7D#YP&Z6vjmWznvIA4VP`#u2aGgSreQLC
zWBa=r=0R^AAUJU`iwv(#;Jh@jjZNEE%us<B@OZG{y6gJ{-PYIz2=*o2u)Y1Y=5}4M
z{)w$5VBGT_y#}q}voc3%Bj5F#Rhl)~ZYAC&g?N^G1}>70U4*@jh54@=jKz@D?eISY
zAsZq9>@X&VfBY|Fs0a_=WMb<%kxZmX5X29x5yfyg_C+3$$Vq%apwCu-^VJPV*J$7+
zx9n6bDCau{Jl}|C8&122S5L%<44*=I*8#WO&*y}G^TKEiQzN#bM@~jNpM7NoTSs0G
zsAGHR9e0<PU0%p*F8i6~a)!x}ee4N(mBKX4!&&`hj8G4)UzKZE;&#*wDoz>W<EoQY
zpiw^_r(4zpn+Y9kj6cUH7}yY*iB}67;RZ+Ol=*wFM2oaHRtpBW(bw1jV1$2LI9<A_
zmT?g;gkfb<yzwl(*w@=G#L$yH-`Gp^^T+t>@pDgjN`k>=2cy<I?Zd1C^hv6}!y?G)
z(Iexjj+EKI3pgkUi5hNxwqGq2qmO8fW%MrQ5Xn+a-RT<jO~q>>jaB6fW)my#PL?Mg
zjjo0wKN1(urrrG&dfXL%C+T^ww?)Mf6jym<=h)4TgdN<@fM;Wg>X;iCRcQO5FK607
zaOt2Y0CeXHI@(`SslfEJsMPLmXj4tHD;xr0S|Neii1pXmT#=SSkxnp@bJEXnWj(6R
z3kY`?>KZ@WQ^$LGz%qVzEs3&ypCTivk(`~UJ2Lf|$mf;2T{paE+-wJq><Sh9guZrb
zP?IGvyS)9xe96!Kec4y5=PIjy1jVLJhGX`k!Hc_gn)g~jHWizdEoWf=!@+=w9<jfi
z!4<&p{WG%Z$i-d3@I-BM>v{X_Xc3*Qga|8SmlYv_T9P~JFi_1#*OBgqJgE(`n2{6~
z>r!O(0=47wICx6>=-YUD0IFtp#f)<K(&^eAi5{hj7#a^#N$2#bzDuR3uh))Q?j{S0
z$l=+!A$Y#{fzP8O_QAVUG6KrjbeOND6{OA;HV7cLwOEmsV^A=Sz6uW2X)?#$RD;Iz
zc#1;<-HcUI#s1V+HH_=Ah1A<3s0DebTS}oZOacC;b~?VW>iRl<99p~iw(7~!g804R
zxltj(q`^6{Pa(#iEyq@ex`cj_WEejo5YVH@t-@m19@e+{2Uj?*16X5O$k~kPe|o%_
zS2?}O<(@(I$FTRu%_*6ZwUiR@P2^!n6zdk|haI&pmKzvOEbyu_8g1+H;-3g;!h2W4
zMX+g@pRgMC;fzQG`mEaZB<BOYv1_~~{qs-G@gl0fK5=+56BN90s4k=6iPy+m-HqH)
zh#6m7Y?nIo3xQJU%wh{nn51ZQIcZ%Ntk4RDRei9Q%Kk~P;_o?CrV8!5&duL7%FkHK
zn<$87&oXF_zZg!B6n|~CS9lY-b5reS&FCXm>dUFn9^^Udijk?KBdEDXPGAcANmI_A
zl`hrFbg!{er`rWJ`(3O5cNSe?0APCStA)Y;93}ZDwGyRD;uF2AX<(jOBX%OpG`Zz)
z_IR@-|4cGySQZjHWGluy^d?3IU9-ljXHpOKlcQ|tl#}rKrT1~x8p$FTP~nnIMat~c
zze`YTv=qJVh{j7w0h%QVM|h6%h|ILwDpr|Tk&s#kGia*~^(eFgzciHjo(S@=w1#bA
zd`G4*wd>Ik#oa)<H@jxfm;mD3o7JVkNuDmvmh%{_SvI%bC0TkO&(n$5e0G)J=mqcq
zUDb#USVF2o9Np(0SNLVzT9f^}&*$uM99lD9uvtehRLVZ3CvA(z(!v5}4}TthG9Jl2
z+V$kK+W)VP0_ID2mb$lH)4YlSTNm`O-ZYyS)YxQ6l72y~;$`rKOLA+(SSBL}QYWAh
zczs5}c{q@dY$F9_aVO(W&AzH@xxqx3U+O63E%7C`H39$nbt24WV~iyd90Pd3i)zNh
z!1K*i`d%=4SwmlFES>?}miIBNw2{c%*Fe^jqRDO8jSo>ZI?gGwgS~;;zIJnJcebQ{
zqHrhC=t~M<pr-RHN&G%YAZJ^bG)`i&h|(`S@*#m$^a`JCc<Qp_?(Cx)4@&)#V^Ov&
zc=N>-;+WvmUjolwXZ|5ExEKI{+K>2l;GebspFE%^16P)Hm7B!5Lb|8P?O(o{zeEe7
zH=?C6xs(R;?>%pLGP>*)D^#H}!p>2O!c09dDTr=&oy1PW+jI4dO{eu{(Wipi4^eO_
zez+@nrp&2_T3?HJslr613#*)}hs)R2y2+wU3Jlb9vK|8pFi%Z0Y+Oz5?reM-7v@2t
zFm-rV!uhQVB(t^nL2!wB(Fj>*27Bji>OP4}qj$^Rj~kK5R$rcvF<bT*A0~@f1FqoU
zJ&7wPlG)68#h5U8kK599=6l?3JEpNEbjVjfA(LXNp=JVX)Zc6lE^yU!Ts8l@&S|-r
z5h{KK@vGqjnm?T?;)XK*qLwdZsKcc2k@RShVXjYx=K%XkHCA26h-PHgrs+>6??y?B
zipsIqxeEoUn(_+++-v5P%PT2bbxr#|Qpk~{Uk}1mC3SB5q`7~wiSEgqLmBjVXN`_^
z`y*y*)<J7JO1=>^OXeE{U7YN$>6YcIJ<>8ko#X^qt%UnWW#Km+-aZjIVms)mA>?b8
zv#Jc@5?{nyozD|EL7GE!wan}hdlo2;NcVkUF-AxIrk;;>Q8&EhtC%eu8LjulF;+&4
zOd}=#xNG!1&Id`TN1gEwJnRm_R&98@I!0D`DNYoN4@q{xnRjg5+Z@d^|G04&eMYog
zTI?Enqhnlq$*mcQ?@68hp8iW6Di{ww+PDT$-}|_{>}cC3lF5VpV((?{6#KN<*XmxJ
zJ|VX1of)t5hzEFu12@!bkdJ(%sfea%X9NVDocvwb#(VOl3UhcY)wozo8nV&Ksd6>X
zgJYSDEPCrg!xlG=wtzk!B<aW5UZ^W5ID!bH8zIarTYibyPG;{Mlg;0%mqH<KvngW?
z2jKqn4)(`!C^1N}dF6Ela8FY!{W0SGJ8C20`RMc_qHY0(x1YhDSKl?x_;vojOrng~
zfLtGkw7yT@1rfX5G38vbHLejps*ir?@xI%9%6`n9b+9-5kyWpYVEA_MC?FMck1F1g
zM4Uepm{t58MlLS{IkjynE_yLko4hC&L*~eH-zLhg(8Ax2245yFd0QU_TJZ~CL`mR1
z50n04I0fOxk7VTKXstmbUQ+4Ha84m#nDEbW_Ph8c+jPnflrRXPMI_pgP<w1h#!vS3
zY6J|A(L2V}Fs)?eW>50+x)R7W4A*x|YPB9fMW$tOdl3?mIwjs(Al(K8OrvOe=|h=e
zC-HV-?JXy*XE>_CQCZSovnbJ+t{Eo1_$EFQ)w0nq5|ps`Kqm?;=o-DSS(i+_o6A2@
zvNg!ZmJh>|TWRq#qO%IjbyO-n!ovUNgpU8}!W<-YMfn7E%HG;EnB*VsYSlrmIvwuX
z28nOOdsbYMUo+?lY)C})oJF;N?HKXauvXIiQ8gOLEx1dqh~65Q7`T@HD)0XC+h>vw
z5<czaH`dM+|7v7p@H@I0^mzq-^iHt5g>!@|102gXgAs7j#6^v2IH76jZyp=ivwL@$
zv`=n*nYBJ_Y^v)OW#4M|6_tFMgQ^6TFZ8eWQR#|TFH)0Q9V0RV$!v8Lc$3^{(<6F)
z8e->WzFW|$Ile;e5e?^dDMq1Ey0nWM7;*WD>mcIW$Wh6M9lvL>Y<<!s5|%^i-MPJ0
zGXI<*spIC;h7vw>J}wWF<*Usm!`g|!>uq9kQFG3U7p4=kY14U}1~2<+*WYdj$YA>#
z-);ZMtSquYX&(2}?o%}s`k*0^`JV#^9|H!EVm-U%uw0y4sYUFBovO~aKD-SDEx2OY
zlFP#Ag?H0meb2B7`?9Dr(j-#+Jb4SJnuaQgahm*AN%GUpcFC@LJj>zGtKP)o$T42a
zux512T+Vy8Ej4=|_ALQTo)zvcrkS#{+P@F!0Y33mI&kf6wN4NrQJA65tu<gv)L@73
z)$F|)lwEJnpQpZLXZoP%M$BU|qd+_WRgpl5^#)4w{vhp5nv~vjD!xD3QwU*AAU~_t
z6P2&EsGZQBUgecTQj=T{*sz)J%IgL-f`X&;7rv0OnZngWo0gFXDM-yi-CPTuRz)3q
z#8swHp#hgkMUOIvLkjilS#X|WO{}@10R}NQhtxD%nSvvQ-|wl7oFH7qhUas%Vb^_c
znTd-#?5-lA=`U9E|H)cJkM^TTb^%So1^LiXsfoL@i*X8Kva%P&5cqsU^z77k;3Y#?
zSzpqr6(E+pkd!!NSnYPlnrS8QgZPWPv<HZ~QQ-`hVbY|Sz$yS)(d9&PL?X0X<azxU
zg{E3_@44TuS${`5Fyt15M{lpNw$`zgZK}<H?*4G6<yt~yD&yCqm<i91Z*N{pZ%_UH
zIf&ItKVxdic`4s!LYgS)W8xi!$Hk_E{=x4U1-b%jYpcAQaZ>&MWF(X#nQu0Ylp*1k
zgqZL`*p;)0f?6n3`HmRULQ7)tE+-n9+Ad-g3N%zr5@gP~6-u}XR56625iB%v-c4Qw
z^d;K2*aOjp{2fIvR_hIFJK^b`O?$Ci6C#;mzg7^yjqpSaN=w?Taoo%a?E6A0<Eo+a
z51c(!2GV^?{Sp27`cHeE4$2G-aQax`;mWteA8z*_cLQ>d1}x^uLsgn88k^IcYQ4KB
zjfBAgi}*tm9U-??MaZ9;fBP>!camrqaW;(Oe){y>uK$`MH|JGk+w(}U?svf?J@llu
z8vmKoI}n#!^xwCz;}*Z;ly*tmTXW3UOX6q3*6q3~mfT7osv`)w<Z#a-qU>xZU*zii
z;XiX5QH4^wc+Gc>m9N>&Ul8Ez^_pr*DT1eFA9hBMR*mfY0x9{;cZNav)Zoyc3dy76
zZy29XY`EeD3->B=$k3Aui|ACOrCXr4yD(ipC5ik#(DhUlEtcc9Znx%AEZFU=VV$Pl
z5sPA>df@xas=;L|{@DjBPdWit*sn)Fz`uTYA8%8v;7UdBmQ5XlzaF0vnyysKVzqOx
zI_`~o4us4zE?;3wgEz{BTZi0=TS?(tZ)SIrz37%U1vgI$N2bT><TXxYTf4uIJJm(B
z`2qMhP7e)4un%B&3y!VDcj{Kwu8wE$z@ip3h^F6;*=K!3&%XS*U4Rila$uvkKnw(r
zQr1Vy?t`F6J^;?f6X4kWXozUTcjue4!4qQ-^{miabenpf5?PvS>oih?nzK^Ec<P0R
zUFCp>2k=gDd&Bi{mO|-rsv*sBk}e}4SLM^QEYz$UX1`|Ywdz`EbC15Ps(8H#TNhQ{
z+$E*;LU@8}874L;s{k=4ElC6U_Y2|r<$3PvFm%Lk5`p!^%E3YBUg-3{V!m<<Bz*qk
zX-4u9SdH*OBaqdKH*)!xGIY0RhVmi_7K_YN7g`FMZ)!}I#n_q+Ayo4gTSKX=NjBz4
zqWkfz(Mz%G&2<^>V~2!b2~lmQcqkDVeU02F24Y1w5fHQc^6&l}kdKhSYu(m?*6X#I
zJJn51P3D=50cq$mB3l6yI5i1?KNb!To6!yde1c;w92<4t1*-wZ336CNR7&nEDRTeb
zzDa@V!SQ^`FVZ9rO;b%9!puy-?z__ms5!gxHKE9B%Z_2Z6Zh}O0Pgea686WR<mm0L
zotet%y0#H>^?A#tLPlYfGDmRS?gp4r6Tub3KEIg~v~K~QJip%9XD?nUZvE3Kcc4Ck
z2snp(Ws0Nz@DHyul|LnLWDHdp-8=8gK@68EnqfW`n<uGd+44kw$&-gW8l8SOmeXQO
z2H_hH3;797S~tp!@mG7rKR*3gKZ>|3)G`f8wIuBzwjAZ*cgN~lxG7c$1n4x@@8aE!
zDX!C5+ivC&Aq%UFWRXEs@|&Ap1$zzDVTCJ0LWPM-vj7=o0gN%ziz)XzOpbfl8i^6R
zM>O#{V$>>r4+E61c+~#n%Sxl2tmfN|5P-F=Xn?gKZ`tKe+u&v3eNErOg(TMOl60s9
z5hWdVw~g(Lkig_o2bCH=Q>tIOftuI9yNIeeVmlR5WP9-a8zVd(0fRA~xbYtC%~`4B
znV3*fLo$^L7y_Yas*g1F_0%}$j*PffBGkF&*it*3$PB)@?)>57<j`x!W}zocKjBeT
z`s3Fh>}j4E*l5+G@J8ogcwOO8+kq-EfD#SSK9lqb5v`ij7I9>ogcqv}pn2hD_)(Bb
zEm>KtD(sfn9bb04gM$wpssNW|`c}g8=k+mUqM_Emed+m9fm-?CBz#EXc7~AhVZdw#
z+T73!qi`M<lwIEKl*fnK$oo|AWsZ%bR1yH14b5Tti|_VX^JfB{Y{24JB4lDZB{lnH
zfj^UQn3Zs4RxBu%VVSeopsTR+=O&!VNOn0$d~qFC1fk0N&46q!ziT-;7_Z(;Ey}=7
z@MR%tv9aL_oyI7Wz(9Hh#gHT26()FcNEX><xMb+G7zrKHY6m}V?E0J3l+6)@7cb=h
z;dmTN(!L%yHY*};M;L^}5V-dt$%cS;`$Zk*-Z(&vg&o}#7gHQ|HGMGY`Iu)+OtSYu
zQ_NCc=Sl!HRNn$4(r63l-y+t$JHeLbD)HS|@ZuQ>exnrW{I?eX1jem()rXrdpsnT7
zhyrQI-+I8bft0T{d3t%)_qK50D%71^@gp0xxSdZPzaNx9D(XuhMa?OWLpTENkv0YP
zQ=4G@;-ELU>n#DR8b2@F3<9Z^$X;P;wD0roi&T1IZe#}cy}|u+T|{v}5(%?8xhiwS
zmw+1ub;G)ob8oH=KIO$&H2IWuA$ZO~kO|z@Jw3-HSC&HEfCCjZz=AlM)NosR9CQ;N
zZ9ZSDflcXuWpF_3E*`pSTIok4l-djZ8N~w3=7J0mnJy=JfFVN2_)R*i-=zpx<N^H{
z#$G4&{^^ChYWZ-Doin26*n7n(o)TZ&q58{vMosT{_uJdPX%*0rhjOVbBT7yDm&K4q
zn(MUb%^yR{e)}i!Z6QZDr9-yj&I9D3il|-P%C=MJV3B0;R=(Lig7Yo6Xqh7=$;*5=
z(OpR|Y)Tv2I)`fRCiO$P<(KL9S)cqZ6&;ULr0RO~oUJGhvs^$e>q4r7Q0g<+l0S>z
z^HHmVBcIQMga}F<Ok{C`QRYH{CDaIU2Tlf<^teoEGp>C*kg}-vO6Ex49U^AHKOu;-
zXV`m&g=Y0HHbWD{#mcC4t8wM5&M8$+ov%;JMF5XZMDWC>@CM{%D7}C8gm#rxE4<Ca
zt;vltgly_7dO-p*Lq{j~`5Fz_rM+5fI6t1#uF>DwXl9`)0z39>7oY2=NVsPW8fs$Y
zyFNDWDVs%(=5vB<VvsLYS1>+;c{EW5!AW>J)5)YdYykRDUdzf}x8+5RoZ83hg_*l$
z(~m3mt+OgKsV!mmhTu2*ffHtICtR>BP#)3F7;h6C!dA<OGXXo9|31~nGc@v!r{>k9
z1C!bkt)~w5lfe$q_$4Y4#=}z@c0V!_QsIR>cNWrmp|&w7dovYfd1FL6QvDY>a1yTn
znG%`+;lG$1`%t*-zBKio@emO?dBG2l8!Gyw15J>S@)ss7s-LkzTZ4{n2Ejjh7}(ek
ztl&$mn$X70co#nfJDeM#lm$-2ZDL<$7E?e|eT=G4da0i(<>7J>kAj{}?JZUegB{VL
z6F|Pq*Uni#OB;R-QY0HJIy3Lb7gkCHX<FFDtaP4QELQ1{8QevP_*_vn7_2(`Et}e|
z`$hFiZ~7$Q&V8!WUOy2Rz&5UvKds#b`Q!2ozth>|Ht`x6B<+HI-#KIYA@C>5L`oV0
zMdu>y6^arse4KsxJF>%5)!w`7Rn%-#7(Bv}cF`siYCI1;D8a1uqq|Cd64)bNW2yRp
zzCPS7x|8mnh$LU@-;)#IfHys6>9ccgfBM@|t@WY?wHF<0u%s~%)mcx8mkpzjIqqx0
z4nTAgv!_7ZNdhloMz86Vi#W_K$X3ZbKE=}Peu8A5*}ARZ(cy;PX4&6JjGFhx-YC^R
zLyeWJ>}Y?C11P-xUwi9Fdi0~axEmM*xP>x99MO*Ld!mB<&bJdpd|-JZURO|(FUO;7
z^<T~7Qchg6DMQjtdBUv4ouyijbhA^AFsLRQ47+kY747g8x)zepDJRCg-aEejlPQgi
z0q#<N4mh_iT5YDZEAh0`YWfa)c2uHG+|@xmyK%kxN3m(oCKI>Lc3<jY2G#OFvjfew
z|A)D@bXIMAzl}97@#}c&Kf-=T8N{RU8ChRL^!AJ3^YAKl0a`9iL?d<;SjBWmJOf~R
z$0he|m!`*{$FDTAi_kG&=(*GTGNWY!Gt2y?KomqBznKYh0<Thb?!pa$dVcDCR?6%5
z3y~a=2@2^Pz@SId^RiX@()k_iyOSkn64Bx8s&s?<?K~mmZeN+^I?2P|<AYq|3sT5T
ziNOw~4<FJmuxQA}H#Yxy_s!kZHO~79xzi)HVH^@J9H+c*yuN6z1%IcIKp=ytQvrZM
zDYCi0H_hjK=hxj0l_8jlDt-xVM*hQ|g0W!c>xP35qF|Bo^jheJ&P@Kuq$UoOcggCV
z=ie|aD4h|G^{LA_=IX3L*|IO%mps&AK6q@)d?VM33;Eg5L`w>dw%Ts}$k#XKgu<_+
z-WPN#8LxVAesjB6HGJTVY=hE(^C*lD7MUn@Gd7voPV@+wlU_>h>+^KZ>Y8Iy)x+L$
zH5e$J$qgS&2?jVZw%?_*`d{{zG;@ksEW7s@i7ByKqj%7?Npr_Q7{VX}+OM*83G--P
zFmsOD&H5}aygUCRa7+OV!~87@ir$Sg!RuV}xI=N}An}Zc<>ePkRF22K&d3uU&lC(}
zM?-zKY=u`3%gmRuv&w)ApV7h2<@9g(+3r$9TEq5t-l0aA#mhNY#Mj^(L6<e`;rnvr
z!_GtTsLYl;%26;ve_6AezvmjWG?X$=7hd0(l3J%2D@nbQEYTY3_<+Xk7vIXd#od&e
zsWrd#Y*kCtsw@LPHN&G{<j{LnC!g$Ma9KC9Ex@f;P$EsvBhOXfFrz@Ym1McNr!x)u
z=Ea0+>1S8nc$@dRFyUro(rA+!N8=LK(m_-6W07g4Z(V<Kz%VzE9bLc;r#k%N;eyoH
zJmJvvB{kUTqKwO_FCuJo9oG+-KJr$a=sQVt^qyXLk8V&Ss)1(y#kbIMQN!!pbWP5#
z-6+qguLsgktv=fO4F`il^j6X5R)wv#Z<i+!qvwlmeG|WM8<LGAxOj}>9Xiwmk^1mw
z4K#a3cR@W%{YWQs(52eXc5pO(AF5e9Yh4a3$C`}_9UEWbo8I!c^RWBNfAMFhyg)4V
zn`a|pz=Wpu(Qx>zCRctq$Bwf7hh+jks`~}U^q$8_cF00r3_aGqRfUPW>wDB(Xw;3b
zR-IORUe8%RH|LUw1DgeS>VO`$w5|@@R_<iqddtDRNfk;*Jzn&ut)u1AMWlX{8fH>T
zYXh0LexB&QfcoaP*X^5CA6iPJ3a(>kXor=RK$Ca)QTj`ZuR|YRUFOUA=l>q`aR80M
z7-M!6JeJR^WuR?7@V$P~yRKgQecXXrx734iCv95`hy9{`lgh@ifO=-que`VHA1fRN
z86!oN#sub!w}e6V2(D1QA2Ul^>s2>)TXT2luu+j4xkZ7&c(~{`<{qg2NFnvb=F%g&
zIXy4~P-^o#gtDl!j^!l+oqwcKL2anxJeAtwA-$Z4#d6i2yD=ZJ|LVsYZ~+;~x??w)
z%9fsJDt3vg{8%cK_UVS2%Z}c%-vKaY6ThfyG@%l^(^d>hYI8zwCzzG@%SLFcxz60?
z6IdmlHnTO=N{Tl)j+)Vm`ZE#)qD%XB)M<TGcbe&1!y2nT;4Sy;sO#~qfBClZ>PhNN
zcqY^CWN!UOrACx=FBrcpr2MeFVI+}F)-d*M;;smrPUatUR&j)ADK%9=yi)V-?9hss
zG8*nLQW1<0L{j2sT5*<tv{xb8hPzyGqG+b)y-{XkD^X8Uo*05t=6-|=36S%}nmN`N
zGG09)@-#@LhvdDv<tyHu_+t38?Wgsnhqz`^b*qc7R}a^BBl2^5VkL}!1pqY=QBM%2
zR_kQ~=`2~#!*382AdfAHiUanNNMsu$$d452@g=I#$0hY!b9<@_L{!g-^N_Pyq!{Fv
zaH%SUT`!wQp#1N4FBU&15u5!hTVFYwzeNkby6<DYOwmV(ZB5Imbzs4u`*r-hBTsi-
z*1mV+Fko+T52k;x8U)~mrom+&U>qKGC88;@)DJUqb6>@J>l{9q3zW^VJgYYG+3}~z
zr)WyPTfdPuad{>EOpiO(JjmUsDusmq%;${$yA3P5Naqy3MZ=*fB;kiowU4!vA7mde
z*s1<uw{>q^h#0ygDhoL{&(OYZYp7qVn{}@H5L}Tp6+vHo`Uio_!XaL!AZv~pT!s~I
z0WtNK@vm`s%2R~nX8={<EaeM1zF!bLCbsHVvx@8(;%Keg;7M1}bKgVjfoPVU9ph+T
z-7ZWk;~e-nS?4I`P`jQgdh{Q2Yu#M0d8xXyb?uv-=O4vvB~D<)aDRh)g2~o*Z02Rv
z{7;!ueB6DF_C(_(4>#w#ZiF1vsS>$<)PiUhHeIOZ0@EuJIHGj&^myfjDK=7oZ}0Ma
zFAJh8unH5`6XT>Cb@<GYCC}P4`qznde|>p4__mjJ?|fqo8@)A>|9Y!|9iis(L*Xe0
za{VxV>QP)!uthMH77=6B5Jzpz=G)@M3ucbe=E)mFy#vIV_UV&b?C{)t&Qkw=lf#&#
zHKPYy<XhPEOi~+hio73jk2oCMPxoJ6u2~xYy8s_QBnSh5V+NABSX0vfNnC`iZuQlM
zH4Sa9r!78O&h)lqa%UURcvqIgnIxXW<C)JlhpRt)oGk`Qi6)nOtFy)m^U1!G{|Q@O
z<&I_`C+SASDD>R?*$Y)KMU5N-K`eE~-SV)_{cT3rsen?=rCioI*s$^$3AJM=-5g8L
z_cRY^`n7H$UT2}kMD5i~zSvO3vTEX#mD1$bnQv<T4E-DvfUms#%x+^^5I(w1N$WbP
z*bR2|ec%7aF?5U@apkiJtJ)dGL6m6FMB&g?jgM#HN}HLUq1J5~C(x=hD?r-FUZMPp
z1>r}u6q&N+J917ZYFCH8I8Jk^0giV54>n_v>R|Kd^@=&R*@@7|`pR!5v^6T(660h)
z)SVoO;OOnuO<xTPOrF(8;0{+Yycf}vXb+N)ojgKQ*-QORQbD1D>mVs>MnqTVqNR!L
z`6SR$9q^L)TYcH!1eAUU@<yJPIJf|+H?!=WiKokz#C`!@06&o5WYdA}ITv9mKEz0K
z&9U+J5I7;-fwCke-2zCy(QTgNR8!UWZqvVj)2aXdhbaLFj;G)s>Uw$6#ET!ik7zyb
zi%XwIci7^S6dH9J8m%ij)D8SNt5@h)gTB2~>X_z5p`RYrYxUhtLzN%@p2#g(6rPNW
z<)TI&A+qghKag)!L{{%|c^!M`6OmyAPZqI~t{t!q7JOhmd8s9xuTp;C<D6B7kNq3A
zw)L^3Nu}Ek(ZPBjV6%@)PR02-W{1D~w1x-SV}Y++p=2sIOn;<!KuwtI5FtkkQs{Cp
z?AhGQF{omua*4QlMVUoR&o`LIKGwS@rFAWRCdMq%<bDsd);<p#!<hudWy>V~zn_@`
zy`*5af^gr7pHslRETkD2I0P+P942p**}eKl8xq;Ugm^Sqttvy_&FfP%LfqLc<`nl9
zIg=IGts@q6q)D-rvX7$g*?O&X_psrW6e!W_|9&C+K4JWm3?AyjnE!mlt57@KLyUSu
zL8!I70<R*S;%O6KfkOcPlTSY)nh(!L0_I?9d9Egu%$9CLQm-*zNp{BN+KQ&SJ85kf
zfRdBBy?M!CdfskBV1abP3U$u+lNS2NU7aNXv(QFhA4+$Ec6ZO_;Jrv>*y_sn`Hekh
zPlk)kF{q!v?Nne1TO}%nk9Id-mn-efbr0l*>zl>En%^5yU&fxAZeQ>0X&=^689!Yt
zNW9(<Uf<Vs78|HuE#PGPS5IN|2`zMtEEDtDt@}yJP3^@xL$-X#!os@kk>Zec!<{h6
z!D+CIS4$?@H;Q>*{kI3Ax?Ja_Gimk@-`187vziQ7m#?rk<qOp{i)HZYh{I<YW}PIp
zMrCO?Pv*bnjo*;xKH`}2ExX05C;t6KI)C6S5Q`+yfdSOEorCr83O^W1424?8mh%>3
z#{IK}A_nys0T6hm1lOK)8B%o9PsTZsa<?Nwf5ZP%ZU3ZB;$E+ybk83yuABTRpOL&s
zF4i1oU1{sM{F>C_Je$_0_DmcFhTk`S{fIZ)>;bn+({UcgJG!o=ueniW;4qZ5;HJ(=
z*wshyNqP+X5aSA6IBK2y&FZt7_FK#KuutC^clY9XX3hw}9l`}D<?C{M8kKzMZ{!7R
zz&VO`+TCSDVS3UF5!kkwOzm4@YW^zO{uOQz>ZiQ_q8qFd>|(WNlXoVQr?;21zCw_c
zJb>cGbznS1mSHm{dgN*1R%a5IR}%WTpY89aE*CM_f>hjk?mf;ct<Sv<aPPUzXZDR3
zs|Qz|=eUEPXZLsOCx5Dx={|LQ<HIe=t@uP_;l}%!c?8N9-*I;!QLB8#z8?w(1R|c%
zFk5lCB+>g_&vt7Jxq#4og03-6DaqlZ7df3E@6NYHt$~KZ#pT}9kda{Bfx?yRR0%qh
zq(gPHgO_@&KxP(0(`yjtwB7d7c_3@%m@J#VpVIE2E4Pl;{_XiyoLB&J;-@}!lSaf#
z#|!1gz~ioP+`V5&wKi@&J#N>oAj!h0GqScG`?X%-Qo~EUIR=4S#rC-@>`9g|)L3OW
zV$-u1U<2$j_4L(vI|pdXGhK4x40Dv4WG{n{;bk`pb03;WWAjGvIU?*pqc?cVj*gz9
zF@ziuR^g|lc0(_Ah7)ZZurx!SeAWT^bVCb<(%?DLishTjoG&NTvBeu-9M2I_-mSbH
zN_SksOrBsMaSv%?tNh5>@+tq6qxtG5e|Bc$!UUt{kIruGV?@TcY)F<0Jc_WYvjQuT
zLGm*kms7>nSy#gun(r!xejnY?pCg?=StnWenkn^h>}U*63c*;Ijq0?*pW?SwFZLj%
zZIkbewt=^ZRi#51{;5^r2;V;t|1q63Wt*iCp>SREU3s#^KvXYB&l;C-(xohR@|4}*
z!&WKwmaJgPzv9rb^XVO)tQ~4M9*Vy?^9!)G&+>>LEJLUt3(>l+i^0==Nsnh=8`#hW
z@@WsK+06p$yW1#iIr;e{S3HywTl*TzXzCnPT^;Bb>!YY_?S`=!%#G)PyWgEPxi(Mk
z>l~;??ku@}{Xr}sJGiVqQ8xWEC_#Up$)x|aMO$5QYj(GgP_3XVrL7HlTqpA-nMTDP
zfi4!THogwO@I*!Pm{T59gwHxz>ut9re6pjp<7fS4J;y7I+2H49SNO_LO474A0*1vb
zk7u)$lj1!vrbR$Sf4JvXF~)s6ghHF%gk3vrWa#<Q@i%x__y@SsxiWh7$u}{@3xpXb
z^zu~~Pdk5oFIm#lvkNB*D=Ra1v=yCiy$+-td<RHAnkXqt(M7*$xgrpopdBp+&Gq^k
zcI1mrULGYG**(9_-*JhS_tbE@)z4EO%<0!3y4N7@i(3}VD1FRRXD_sW=fBt6?g?kz
zMd(_4-3jzrpOPB+H9b#Mmd{;S{FWbXhy+q4dLVl6Nj;o;_XF~gZSoax;mteN^U1~q
zWyAymgZTQ41OZ|hMul$uQa8`ywz|D<f-<eRKj0QxdZm8Z=)B6Y@}R=WLuxuG=yh;?
zs#clz%3AyHHEk4x<|;8XM>lZg5)}%O+a)`2k8cAp1|Ch@9zBaD&30RiFdT^7a=qXQ
zpnNb9nKJhN#J8}6jBzXVCPE><`t_3E0%s#IT#`BybI-;eDtnjjv-NXemQ6=|V)!F3
zyLa-bRb-pOVLD3j;XIKX<jc@ATtmj&<8h}^{#3-~#a?U9Gmk8aX*Xq|OP5F!%#S;s
z*mlINtz42#-5D<WC;C<k)^N^cUdtw}i`w<XO=JVm6+{2D%L!eFj$Eq4h35_{-dhnG
z_bqLCvqGG&^s3@Cu44x>Lt`%9(;mKk)w3$F=i3h1BB`ku8x@#0sd%1pCF5}H(Cm2-
zCXPPkW?N$*+N`-GtPF(A=os|uiM7d@C2@_^P`@yv#rtvA_+@6}y~HcG%;|NlMOXE3
zvC-qAYl_=NS-H9PALrpvi<#N9PuEwxzEq|U&K#X>Vd6=E=7Q%^S%~vR1;KB-YNM$u
zZhg1(Pt!TCHEYr(f&;E-7GF4G&2qgQGVIQX@Y`xxTjf`*Lo?|A9b;zDuLs@N&5TWr
z-VkNX7%O6%`wSI7c%6O}L()zpSh*fPhHPQ#kvT4|_SjP;&<E~uHb7nwu_+iN9_T+I
z&OJ@L&}@7VaeOQM6$im+(ZN)^+hDqBZg$>x_P50P!PA*@9e;RU-w6I8i?WlQT9NQ`
zE78o}h>!unV_$q=uZc{^dimG>rC9omVa~?<{)d$xK2W{8Gf)?&==)HP&+H$x*JHQD
z{2^+W?=el;`cZIuN=L=+=Vab%nv$kTUAg85VMM;ViTD+%&K)!E;Bz9Bej8kWiAD7V
zh21bEY4Z=DrX9zD_xaf9m=g-Yc)95!bMu^FI)+2uMr3$>yVri2&dnA*OlgSIIa2%D
zr1hOuLu)s>$u(u8#LBW4@en;~r&5b$TT9QxBucx7c8*ckdNZ0_nBJfmc(}0~Gz*)*
z_^fL<+Te<Q?0tkFEbLY$2Xp199@YqZDb^I%@Wsg!>}B8|Ww!DDmC3PhfM?&qSf1Nq
zO~(Z_M=vh(wO8wCGHr7+Q8NmY>p@(}^)Fhh-0tIk-8m?&53R-0p~)9Ug)T_nmS1ao
zlVOSA)Y18-c#PV6-4_p2_K*u{J|#ngnV_T_*OAc_u<O#O7g9D)*%nU;Y$$Tou8SO|
zrr5=}kga8oJ@Zm}Tj?~!hClgrlODrP6*DJXA@#WG_jUj1*W?`&owQ7OBf)(*<`dE?
zzRzVh^fS1d9b*jR%FbC7<uik)x&=PWl+w+|g^KFN@e5919~j$7OZ}2n9czz6n8YXT
zJ(uR#L3fN%X)_+KGT85`iZ8Xd>@>J?eb=wyYsgE3=U4dFMvJPrD%&{cO_5H-R%F_F
zBMa>7XbCHJ?{9^XdlQpqyXjJ5r2#beJ{$>-q-We0tTWl7LPyk{=}}54D1`N-8r@=@
z@M;n<M%yelo><i?LR{zjLRulV#pg+WjHk^_!G0~_UYPfb{9xoKw36n&cl?+IMyW`;
z&ZFN3$Y<Hb`<{bBx}_-Wa`iK`=d?|ikUWDlLi(zoqTHcts4DfT+Unj`@#pokgDBP2
z5dmYc_Az9S#Y2TJd)?@QOUb^lYXaWX)?B0m;;WgOf@&Z8hH{9`mCxnXov^5cWrxv>
zgY}e~-dtyha9A<hd##ZnbWHAQRo2GAWintETdY7dqfeXAUFhh45;&{CmgQVDZI|45
zGnWX1bpN>QK~^BW(cXx4b_oo?AA`GajDk4WHMFT2ydYV0l5AGGmBxG$Y|7ozT^Rrt
zqb13*SM!12p^Lu|$+f{CWpFeeg-{UqAE3;HwJ!WEY5<}?53l2N=!#BJ)8rt6snPq8
zmbbn5Kmdp6lIy9clCFf62N8!6qj_tIe_sEEw~|AV?t)^ljZ{}1UG(hMXv7*zPtILJ
zv`?cCf(^v9{xpAIS%JSAyQWH3Wv`N)Jppo{K-9mu#fBJraNgqM6woWyUcX;AQ$3et
zsf&H_@^Db8Bs_}A6HQqvD3>UVRk^KzMt$*DKa~zI?L8L~vhUihRLE~Oxo0Hfdvuut
z6eecJ>U>V0C01A%mRBP(ru`~}tCerRny+CX|C&UPCCu+wk&~P;tKjQi;8iM+uN*fK
zoN9_KTE*F#;*#^K62)o}<#HlWeEu};;}ftSp`bSf9{mlje)^R6rzxg$`{cY<5Ya&L
z1o3Q41c5K}(WL&(tIEx|V`dF&^I9rk{=cX^5xHl67t{3rxOxkwx}tVT7$-Qv9fBV?
zxVr~;5AG1$-QC^YNpN>}cXx;2dT>78xpU{vH$Pxk?OnB2?e2cM`>97^B5dN4mX3~2
z>B88gzBX0B9y%_$mR6)k*e&xr#MHQ%_x1!2(1E#-jTF|sdqlBlup~~}G`+Ym;G^U~
zDIbs?K-j?;=lqxH{<u8EoAmJQY`{Ya7+F}QCLkSo8a(gb#$E=KUT@2!7m;6D9Kti$
zVNTkCy_IR+%>7D0pCC+$%<&|Bx#clcRmeD`%IQZsF?ckR>0DSg=J^9!V>|BH<b<<p
zSZd{`m7}G|0$szmXrig#FZ_Ge*tZ8H0rN_mggL5})wSEnHI?5C>Y{wqOBll~X&U4n
zKs32D+sAHS?MHF?8Hcdm5q-AE+bGgFz=nuv_?KnoBU~%#0{Ok}hv}LPE9n%v6RX_`
zGiEX0%BV-GU)0-jE=Yw~2O?GHv>2}P5jkgomJmpGPMpYbtFzyb1q?BjiYjK}*W`>K
z$f}hXQ%R&I44+ZP(6h9PQLb2&>Rk$C)*iNri({<b4}R3ciG<LKcNd#kR&S^osf#YG
z4Foq|i!Y0{w(*`UmxshBDD1R6SBf0sP87^_{t+oz9xtsR)2(vPBj$nP(M9J~yOF_W
z3pI`T>P#kfd}9dEcHVq)<@W8mHNxrLINE<(*lItI&k73|8oHV_9D*O<>Fmj8E=g`B
zi%-OUcSl6vVfC+!a(8ca*bv&+3$E7%q1K1vOF?yH`oKXr)#6^Jz_R=KIxx?by6SZ@
zX9?1Izpl63#clSUWSovUD=idNt_gssi(-ccq1${Vx5{HY?6wYiUa4bG9NcWKxL&o#
zZ@hfoAi3xw*7vT$yxb;hzRDNR4fjS#bZp?p%<IR;EQ1l?r(OxLZc4*@ZRp;X8qdC;
zPRnV*sLsm#AFTBA+mjiCXO=<uGZ0Ot?g>e9;)Zu_YqqId!{|P)>BP<6_KNOY^&$t8
zD`>h~hQUk2<_g|tLq8j3&}()A8)Pexo8EYJHeLFNmdkMV+(+{3(FLtnm}mVF;_i+X
z!;iU!eod5M`xun6vHT@KLu$M$F>*Hp|H<9_bEZW&gT4qU=$o~G4sc!+O}b?1H)?NQ
z_fXKKrA@hW`_bj^F!#<nNEe~Y&ctwzf_#;}P{i@`toJdGaWwU#-L8Mqr4VewMO4yT
zYt<oEN$ji_KHqSwjqz~l77*4mHCGsCw5L&YSZHz*Uk830)e$C_ZwmQU&43|84k>@O
zJj;A9V}6U@ekPoQp~-o@i@>k=z4&z{X3lwGa5-l)q+k(m;IHa^sW76pLBlBWLF|dd
z?pku>bFN;j)g6|e+m6VOFq<`bX<ce=-f~SHWcl%y6aa?1eb`s#LijeLbY)YJRQF!2
ztqUF6<e@LV)nkakgaHC}DYcADr-1=Gp~bZBa_TqM!=xaXTwk{57@f&!AK&hv2)h6K
znIAiN3XdNXVxna}G_2_A?BoM3Ox-zA^2Yap>oPE0zACbdDrSdd;kBh-Q`S{QI#>+k
zoFn<m1Fz`Mb8E>L4pEPsqFv%<n67re8lM4c#bGW&iD_=qn=xvY_|m95Gofk-x^a;X
zXH$`~Lv1sCDetKdB2B$cgYS7d9NnnD+-z&<Qs*h*bF@}SxekoncTrxaaYZ-DHawB-
zt~Q7Ho>(r$^cV#K%d8=lR;Cp|+^=cgUY~}9>8N)`Q(1|Bu>HJ0_XGoh17?ravKu0o
z1v2>K)YzAk<*0x=Q@9IQoEm*0q>8ADC+qEM&5)A;8gZNACd2i<NxweJ6&M&lT3D;=
ze#<m#53nlZ$vA|DC$=*^?d~ld9$4$AUYbW8LQ2G{j@(eM{hF-2JWEI}J6Q+0@%KZo
zxypV1LC*)gmvx$IJ)djBkt-YIun6d7#`5nb)|$^qBAe@JIVJd{sP~bSMsI47Zg9Vv
zU->c_&Y73OT#RgNTl4z>_+MfxGK7oXVD8SxKhVu<)^=tGe{H{Mufy=@uU0;YS@yeW
z&LuU%i?BJQc`M#wxu~Tn5bP&L5M<i)#CCsWLA(@<ceWNcCk$#JF0q$oXs-72ymYE&
z_i=)Brdw0cljX6fJfeJ<@vJWIv7``7rw{So737y}f2e(fYSr(^WR_6h$6dxBJgtUg
zQ_f_jcMD3)yERx0SiHk^vD0IG7RwslzQ<VN+wl{3TkyMcxf89z1&i6`_%h&T($nb)
zxaU{-U#~BQzi?>||4-hcXAx>`nz`3N+t!xHH!k7YlWpjE!*lDS%jX2=qRU<^`XcSo
z{~~w?@l(nV<#hI-mEinzBZkmxSBAC{q&Ky}aD}{iRrAO<5NX<_Qc~t*0MG7xu%Qb_
zycSQq#a;U2qk^t@lO?R{^V)cluS>axvpajq_#*N3udfDC*8#m|Yvd&;8y#fOZFPJX
z8ijcyJloCz^=$al-V!OGPaOn*2|d;pOw4lQq=8M~r)(=Nb5eoeTjoB_9|6(r#pzTn
zkh~$;YH)EvD<_<~z!nrrQ~QVkouYsEV8;@fHZDzx_;zzT(77#=fjYYKmi-Kp%3M$T
z#b^+ZWuj$i0lEk@8E~R+;S`;5LKI-dbqu$F2^F7$pU!#esOLxJizgFPh@kBbIIbp+
ztP1l9mes+zn2>lTEgmLa9!U%s%TC5{JBp^-{5up{W@pBgPN&76R@2jD&<g0Ag}A=6
zAHCSYduq{h`r1+`7g;k96s8hn0@&nPCqcf$jdHTPxPA|wq&sE2a6w+dyZ2oHRN$Y5
zex@-ltwUWVjhjW*49R5rHNf>=_h$3HD1!&`)vds)50>#%yDH}g;Aun%sfpwnfLCP$
zpIw~I#o!ExNuTs|30qvRO?zH*Hn-M>8AnedR2#BU=!`X7aYWmE-MhdQtp<Z?XOJ9U
z1%Zs#J}dMD64&6MC087odQX+XM)+Fnb@wY8k&4QEZR5#TtYatZ4f7)VcgzZF%^|m%
z)K>;MRJB<YYU)oI>~~*xZ{sVc6>sYZwLhKtw1gG6L}~J+8@V~a_G<KT%8mL}PA0fV
z%%wjOLX;C{?_23e7%y%L>_1*{Ad%fR6;6&C`yK8k%=HkO^pDVyrFUOdYv@jlX7DDJ
zp+ul6cIv0P8snYiQSoz9W-ta>=n(09{JT)x15(&;o6h5ZrorBIodN_=N7*~3YQjwh
zLIdSa5<2_*sZMf<?UAm|bJP8N-6Dh_TYLa@j{2eQM*0Q4?!39Q7p>K795C~T%Z%$O
zOY^w(FS2VOFj#A=z1Noy)2+?zo*fwN{sZ}Gqz1gBg-GX?cXmy!-TP81@H5IK`5E==
z+j_X&<#rEb6tnT?!all;ufgR6DY*7<yfoL>D!rwkZKU`svP}qjQoP|5I4?j`CWnmY
z<vM)@6V2FQ&DIkCd4Cs!qj;f`(;~ywkB=?~O^vgmd6b%Gug}3d220~yGkBZA`El1B
zevegEkiq8Kp5LGGsdWDf0&<D3;^m~>`c`q=U_6~m)!e(WVT%j={xj*%!kXn?Z<{mo
znY+hB>fhu0Uh@xd1zs1VAs~)!|1G%_03EMiYZFQ*zX9R@F`4|Y8aw`RsH^Ss5q-}C
zf04c`if_l>jzuU@+Kc9{2<S#H4Rr_e-r~9%yWDyQcfq&ooyws7OcBufR4or@2sH!~
zfOl&;u+h#a4gB~bDo`%Q`B$%Ek4EqKGnE!J2t|H*(ixx!^qgJJUEpsd%QoN39#8RZ
zN31dL8#nLb6bORe#BV8kG<4Qb_uWwynCsi7jUp2nr}|(V>7S%YJ@rUpXzh%Of+jy+
z<{5WNv@}?>Pz2$ocr&=lZI;V7Od$tJVcd?r)YVv@=oWRfOG!@#!R1MAgj1_|^Kv@o
zlAOeuNhFr)CbNS)bC~Mg__)SNQ^+fX4c^nC=gGC%-NDD}c^P1*JF-WAhg$jxZ)_>z
z0;j*6DlxJ>x6a*dQz6WKiDY>er&)3sBwdXis-B+RRJfX*4RcFV21fg3*T>}#LRE!7
zR$y1I0QX(*UVHpRDf-T*bdX$efokIzQ0~zjH%80Ngg)ou4kp~G^4YJ{Q}*!VvF4JL
z5OaNQ#2`f7D<}L{ymxzqK7zsRVb>ody@NbgkgOial}1_^is?9?Fsm|`Yq$4y()Hl<
z2M_R&Vl*{bh-bc-Ftlb07F)Y@IH<Q!4>ZduQ5IAbO-RtsDeGL+ZK+|2Q?GNw?+KbV
za}g|2r4uf@J$QQD(|u41Ru-)GKU}D+I@&&;>Q6~CE|UccQMyexIn9T4?RMOX995Ne
z`Qose$6JAGw1-lz4yJH9h+6okj(*^s2wqQ0PQE*y0euX7$OQeEOhzvr<GKfy&bNp6
z&viiT@y*WQv#t*xlviw{Wrv-<UV8$>{mXt`c<;_IA63DuCzCV1vl=K<=vC3<0^=F|
z75-MA!*Tajy>f@5t*&AX3167*W=^|6NGtQ=cjSjPq3xnW)=IChQcC-lix+6+U$UVD
z{l@PeElcI(*{^NYyEKf+H^&V)u6lV;^DH7nDP3=Jt?ennGrD$PB}0*<*WADW3nrPm
z?22@TCKB4|?W-$QJnMD<gjEz{^&`YjTsMwbS&g^rLED48>mBJPF&9fkDA665Z`btW
zfGpT$CbM12b>GF@kw#*^D7}~6)bQ?1anNsfQm8h3>%0&|DU4G{bijTC72Xmtu-!gH
z?AUQ}HNKqSyk%|F|0`HfSUpd}#=Dci1#;D<_kpC7`||Ckj*;2eeJRf>VgxHhYVMMT
z^DV28JD@JOZa1tN_}CdFLZA6eT2thcrc;Ok{a3qs4Q5OYjQV%4XIMFamGV6TKPV48
z&~w{uoZGI|Dd4}y**#h4Vf^h`0(O#5*>|Q_6*<0WNV(!XzE)4$R6csw`Vr}^BNs9Q
zOBFo!zRO)MYb#SG=)PpbcKCYK$|Nt}&I)o#UT#f3u)o1J@YmfHhKo*JXjqwf(Z4u^
zGdbYq#xq2Bdp5w(u3^^C)IGI&`Prs&N#u2I#lIxe+7FbB3R@Lutzv!~Ymg|AP(Xnq
z)O*{xqHw<Hrcf{h&X8Wu8;o5Ls&Dl3I7fPpEN|#?>O%-=Rs$E^Tz}OD)@9oHnRu8N
zaJC~DJkAS^4hXaXO5%E!Y`UjU>7_Djt6{}j+z2jz|FHW?;)bW_>9-;-PdM$bgT*qx
z3_r_j>&5xZRWAu5XWN(&t9hV;opNJI_QzHxqmnDakh{(oL@oBH2NqQz9^ghWc%tgZ
z7(7e&4z@#d1yKD(e<UtAs(W~?z!pr^hn5~UvjGj?l$Dp7KlA?Cann<2sC0$({AOSd
zYb}3sLCCMo?@uib-VR?Ib)&l~$IoZGxDj7}akAoYA*DtBusIxK`y<yBeHmF)Xb6d3
zm4sC2+g2c|jK8y)fGs3H^@6n!m?@%Sgg7GYp;&<&xSRHS@AA4jpe;%(N0T4BoNa)$
z)Ki<t$d|s;W@??@F8eG2t3KtuALn(Rjs@NwLm2S*@whu6dabjej7yuHQnTgU#gKYP
zpeu7u)@zC`mrluVK-_4;Lz(cUpidbxW9?&KC{!(4D}Y^Hb=jnXcFi|W#xku%{8O)j
zR<_=*yOe^&{pC^X0N*}tPFF;w+E&bb3rDPhY53E%Xks7QE2yi>jpoOpBrPZw^+Xtc
zw2f)4^_1J4iFHU`&klP=L$>`7>^eqwU48TIuvk&$dd`^5$A49u3#Y&n_3^Jt4+hT;
zj1KTVu8WOzVW)OXb8X(9y$3uK1)?uzl662H%a^+42hxHU%C$YVp3IcZ@LQ3!vZHA!
z|J3+3${kUM$uw@aw@3QDz1M(#&oaB3EL1tZIoGncm#XsCXQZgCZs_*j_>0UxOYAhD
zwHVSGc|@m?T+%+iaP0;Z_$Q&ukJ1>+`@XGl4$-Ol!JWEh^m7;@zK6b$6FE8*u{?Cn
z?tuRA$cxS<w9NpMs<nl8ZOqGW)4B~VWcUkQ6+U5rG!9Fg4qaZC=-YH8QDXwF&mdtN
z&e1Qhzubzgb`wW1jkUw>L3r1piGgo@G#&KC_Vqa3U)b&Jc%B<jZ+m@u@{oJy*L#8w
z{oLWZU558!;hby)BI|HDHM4r|EY1;jIclC7k-B!@47Yt(r?RfIw8VVP?Pj!EqSwtz
zFEoDrPX`f;V2{9<6UKsoeeb^Ruv+B=mH&?Byy@)mR9+L|J0xxAz*dZrheF-E0l!zv
zAv3#+nRvV(gPZHk-t*N}%x1OSmCTQLHKSb%nXTMq=f_}SC<dCE?Di98R@m?HYQlQk
zdM*t5>5Z)k_J9F&M7oc(M+N0}YHdNF=C`D%XNhvvA?l(Y2=Nd~wJd>+eP+wt<@9oF
zey`x)5?44_?q0jH(qqmotwoCr!*ws)X%bKf>Tg@;GF}60v<?b3Thvdv44(j^Y~i@g
zK+A2i7SAf-6Rzfo&W<W8f^DU@^w5SGIb4l{sy-wZBYf<<iMq`dHSNzNfF^N%i`lc5
zca;S3t4L0RAh3YWy!9uo5d0#46^o7t(+@R7gx)AEN<Jpq@o7_yyU$68JJz|&qrWME
z!~y8^XFM`fS~KoBP9}((h<#l9uYC_pbiM{c%R1Y-?^M6oOUC<x*Eu=P1iv|0ff!I#
zw@I)#2E~5qT^i-}0bqC+%n85I%14Op8e80J!*RU058KD<EUCmhYayZ_XT&b2+bY3J
zY`wF>l78jN_7faPpez6A@s_1OT;WwI4+$Q5_f6eV!CJVzdQ`0(U3S3gf`SkAnv7Ob
zq8!C&PaM@!L1#7c^|C8l71hO|tbmN*z~4C2DWDkjn%nnv{FcNmTG9_|++|cTUSIj!
z=(R#L8OAb3vo|~RQbvYX{*#b^>{*W+w{mQ{4*U9V(s)amukEGg#5T9TQ0B<-hq4Yq
zP&%rgFw#!~B&ICnU{{G4MgW|j^T^{H^j_+w7w_>Go2tKaBMHyPn2dYwG}v`vF-peu
zW&Q8J<sh#NcX>9zgQnfxeoMHQt1R`RnQjjV*ZBOXmf#wyHGilVkeN(fzdgchO2ppu
zWEr|c=A0vaql2-ze&HN?uM6;gv!Q(5v7%KYm(;rYnBUs&B-6MmbG_G(g)u>>Hb|L8
zQOJ9e;h0B!6_mb>Mg7R#E=+drHT1Z94Y0Y;6!;{>E&6_Ix+T#~b|pPlI+;kelZo%^
zPPj<>IM*DW+WjBzd`Yn2ax`;?#Y<@Ho$#$R)N6n(TX!~g3tvzWRW`AY4_JyDy#OKl
z^y$`;y`NeLr5{ynjpQ1F4A30bhU|rQoj$>RMP}35{PgK+>)Q690**c;InsF6DDeVm
ze2f3SFXS;N9y=^K@aQiE@tohbGhLTqe+<H5JxmMv_#N{Q3#!juxgCD?-6_eB4<#;v
zy##U_N5}T6?DsgU6XZ+?#*Zg7ybwPzr`5;Dzs1|8Og>EdtSNZ{rFMoxvyN@c{ri1f
zk02oJoNTc@612s7=kzB(;^zxSMURl7hK*VDBV1~$-)Hn3Q;si<!4UuUH4g2Ovk9Mo
zs`URgRid2nNr5A_B*ni*o%2}^K_`D}`a`!R{IoHe;rhl;04)|*_RiXif6b`F|9N}J
zrI$5Na|MbW{vztk*oj`fSCs_u_U#H6!6QxPy-$$e&_C>^+#;i3TcA1O8K__OM4GEN
zV6sd1SM)2rZCDqjQ`04jB%%~spb!@6G`w!^a4&5Dh*|CU(Y$Zsawg1KZzzy&+At&z
z`OvJvG`~(ab;j2ttuGP8uz66PL1<TA5s6P{v=iMO7Bg%dl^0!kSyuH5_Yc;a=>pSm
zXTLW{8E~ol=GhpG81F=8Q-u$+53@Q~^wy*^z;rDmd9s1&i43dmL<f@6+mv9li;Ox7
z#Da*0Vi)jG9>2Wi=^4hV3!}0JiLZWXtmG|d7xxJJ2i_#0#C-R~JS_4wUMkEqbMwe7
zUHp8*Bycx1*d6C=#($b=OIAzj5O%Y<?=T+(ZZh7G$gam)Z=4U3CVjV-qg@lwcYZbn
zEmU+`q>GQMGCbu_&FTJTcp_+5dmr)>ubE@I8`cB1T8EPlJsu3;Uj2~0_cu(xETeUi
zwI><;G0<0ixvUS4_$5!355a;EKF)BodsX6G8e%o}0^i`qOzS1McoNKQug;fukMg7l
zL1A{p$CO}3{tv~2EJi>_u*q#*;y&ibm6tBKt`p;P`CSan23Z6Cu10S?3*vd*Z_`~~
zHt&s{nU=iI|JrWsmiqDNIs2!2nPJnigc`PbcLH*^NgsK5h3)dd2L&HTA6<hF`;r))
zlR=+mS9}e?;ds_b{Ho1<z6KecRR`0l^i7a&B;WeFvQ9y{($A2TFO$i(EhFkdXH_2=
zY5iXbkTi8*dM{W436kjv)$5-!#tO8#>sG&MJT38dYCqS`yn_oYtd}(g&E=a^*QIhZ
zI2-3S@=cl{oDQAeG8Fw(L8ct;azcX2*CP?fXb7wd1s|%fWuJ$su1zauw)R-s_S?I-
z3o1xb&}Io22|B=WIr!JOdFB#bTC<$o4Uj#<<oiu_(mBx3PaW$n53Gp__R&WCd7KnE
z>^e>z5@<_?)FBifb@SAKrclb7?Mp7bE%FE&Tr0&A&Gr7(_49Wj)K9o9pueW;#E~%N
zKm1GJSL0@88@(Ez-edoprt@$|Hym7xfB<{xq?=`dnG#{&k#Qk^;M9N}6Bri%KU_0t
zs&zbIo?uY;53=x-x5VmTuEpWC)EXI@@dxF9*}8n;UTZU;FpGrY3`m0fr({s<CD{R7
z&-`LLK{tnaNvJBl!)$vMWgFW5sKYr;E*7nKk-m+ASj!<zMO%VeCrE#BftAt@+=o1t
z${9Zkz)nB@iqXepl+;7*uL$v<caK7Q3QZ79A6{TbnJ?UHjySqvbC`3wE#hJpA^&%8
zlp;?k@cqx|Pq&2&a~I;zQ4w5!(jy*kuaAC|Y7_hWr7_$`^Mer&T<%2WScUh7Gp~r6
z9i!Z7{5q`n<LN5dkB3N0m+$VXRkrVZEun=XOM_sX&x`^{${oWuBC9a6Nt4^stu4i|
zCk^o-tUEecZ^En=TCxS$kU-_!@y#m+1~p2(t*uP$#6?O^v_L9->56gA^j+yBKYm=B
zeQNh@sq_ekjM!@p+<&iLU_2Fzq@*RImutB8x&hDnzOuxZwQ_?x>=rNAZF8<w)znFg
zSL2&3CKmsK!Gt<cLS7Xx2!V|H9R`w7#m7uz{7jga8iBpBf8v;Yv%G@15%YVf;DL`i
zVqDQ^$=;3>hJ;|o(cdiFEXwbsGC;c8JlmaJG>6q|e><7qEAv%Qf^<Byb<D|&Q&{aQ
z2o&$@VX19g6uaJ4;R_oIh6sTdHMertm^#s{?m`EFS@`!%O;SHE#ETzJ2WhW3iov!L
zU!5!b;@Lb?FQpVg!AVXUNc85sBU<;c${#KrVinT!_da7>6y+(#Z5L+0J@f;Gz~0VW
zi#(6=Nwp(CALh?SKkv2~8hx+vH|1+X8le!^3$?EkL$4)-X+-MoNKm*5=xzNm7{tI8
z^s}g;HFFHq?Aokzne#-t){EyK={=_}Wj^-Xu@gUEgou7Ll)+f4K2lf7P{`7x6o#8F
zLHCsr9_!C+HwWi$)vKD1>s_cms&&{+?rnML86iTSErY6`bB0LC@dnr=a-YMCod^rD
zcmA;|-2FpWIQ$T<IIxdhMUMq;^sv49j*nrVSv(#L1-oeXvtXQJQfaIg=KhwR!j65h
zr)MrP6w*4ZsCbH@La^kMtNqwgfnq@4@Ku2E_4eHaac@{T5(Yv>b(fS|XWYhmm!V7P
zAs^aR1ao>lB|W-ou$GAb=R_k(kX(*1&J9itt8Ml0oOs}u#a981y7ZQDC5~ctUnK?S
zcx%@~pjQF1{F=^v^Y*B5S@m-2>?|-+0wdFK0_c*NfFPtyYsmq5I^Yfx16)pG^j(u>
z#&tN?pC`Vg!>hMCpz|Sf8W%1?;$|9JmUsy@$1zq)e`T#(Y|2bn7&LnSeRzd;MnKYy
zUxp4};nRZ)3Jqd@3q@mu$$V3#2y=2dU)*s6h$*FY;<e|P%QdDOA*^@~6j{$}PFJn5
zy5(j459fy|KMS)C1{j!yF1<Xv+S}Nqb9NS}oZ1=OwDeyL?tk4~912D${iGg&5~zQO
zlo`2_M=ZEklyrrIR|0D!=^4Du5c+;u@G}sgeI2&Jr)k7p@~O}pju-RS%|wnw0SQI_
zaSeWctv}yY3vy;n5BZUlxI*{@)VY(pI22#T#z5QM9Zb*XDHuF;L)o<DY?j$rI;KtT
zR0H6I4nYu!C{r!pf9|@7)8{JE6P}2?^4ml$nEz|h)oLAZ=U_sRI-74#&blIxJ+Axk
z`moVb>!wwED?!We!_LCi{|r*gj>~>a#!4*uRG8{sO*zvBDBCwjDD_%bTnE>RW<IY@
zCB%~EbO{N$J9^vKky`3)EyW$z@$b#Yx)znaOWH&#&J|POokZ2`$T9~{{``X$v26{2
zwKIxHUg^(f1I*RJqY(VyLG@+@s6Ep79)yvrSfER#re3);n3ZjqO8>xJnx|p7a8%gC
z#61Nc*M^O}z4NlR-l88~-S*IoaJp?Tlti?TC@c~?=~~)@PU?!)wOLEJpB|jNEO&Ld
zq7%cG8a~H1H-0Z#rka(fn0W4+|2I_d?YhMof~^6q$O6_TnJtJ_7q>f8jmRTb2awR!
z)x6u;qv_OBhkjnTj|UmasL;KmG~`Kq1gWiz1H)xqH=y-GggsW;Ox?8ZtP|=R*Z%hT
zbXGo!Qa5n)@ugTX6D9mqy?)RjK@qZVxETSMVcw^mV1`8f8E23q^t+R)i{{9q`yDrn
zqVZre_L3b8^C`a6HLYuqjAs*;_)|=sOmi+iH+eoKhX`e$%!=zDXoi_6j=^DTQ((z3
zyK|KIc&qK<ezqB<+Oyh0`+Fix|FDL+A#$KB^#c6}5Q`)~&F63M7hEO}uJ+j$@GgD*
zad}mHd$>BTksmDfOOtC}C)|km5o2J_D<NwzHMe-p==n*|de&QcI=ga{%w1w75%Y8C
zpsT~kZaUEjMQ5P32DUX&(+%@}Xf@P&AnZZ~ZU*+Ie-C@`Dt>6wEeZ{X;u=3ia3jX~
z75JTg*CS5CFN2FP{jaiMS%!(V7hZpwBLI%odqH&j)j!RfJ+U-)Ha_^2=n6F!G1t?i
zQ?$PrXBjHbsCxh{Yg9;iO@)^NK1P%gDJ0;|&Q-a}yP40I3zu1%`;y!0fbi@!<V_{{
z-Bf3YEj_Ub`N@_vq?iG#TYPIjb=8LpI5lsQk!L+Z)a~Lw8TlTrB|);Ud3#}y@o%d2
zu+buNyJ?J3S8^e2wBVj^Bl*mhwu24CReP1;A+llQ@qhnkaVYEna09$XP7hvyA0Kq8
zmy{{_I45&AKGSPIb>ot@r;=IZG?2xmGuk#m;EQU`pYXtK>*sHs6zW6Ur~P-t#br+)
zlIM$ICK;F#;ZIShADjug)OyF~^iOA=XNjLTiw~pN&DBzHO^m&mjs~^q3sm#6OSr6N
zSlF}0b+=QE#iNjb-?`m#*drPnLgk4!7(@r;aR>4ItI1~@>X{Cpx8LHP376Q?8W@Ey
z9A0L8YP51cd_JRM*2A6&q1*n6ZrF6C6r2`gz*3(p9#D1k%VY`iuX8a_P<YO4ZD}Y9
z&`C?KYMOZF{?dflPK~_Ol5e!F14da3PLgE&P?VtDB1f2xGTaF6O1{O8)B_GYav)ch
zndO5;sjoKQh~D}OKSh!m@}C8rD^%2Nn^H|*igE6)t@XQ@_G{wQP+IB%i)|(1bwM?g
zkpmJvoC7oWxo~}{RjL4&_;m)Qmk(V8){onh?24IY>*T1z>}1_T2!_Q(`6$i*?g9YH
zk1RA;99c+k+zDu}SZ1TGHly7gMBp`6BR+cjRB(a{yaDG54ZakIS4i4JzbsX%=vL+i
zO{-L=Tc&5Bc9g)Zd6|><W&CczEKUQJmI9!>g{bGqz8*F-i63>X8~B*M(v$UBAjNyc
zX`X9F{oC?2VYi~5$QNEIG(jdqVbxT#&s5`x!Apw4vw`u3kCrxRKtZk1UmVxyzj)3q
zF7u)+{^y?56<!@j`iHDFTIF*i^gOi@urr23qBVMs()`OJshpt!=ZJxtkV3F(xcbuO
zWDCplqi^VXE1UC|6n1!~XRfeK6@qO9<B{S&!{_KZYy`ceuJh!#e-~XFN@wZiv5Hgx
zZ-lizIRWSIL<}$p*%n-Zfx7qeD$AEuQDT}SM#YagYXzRvReuG#ofkp;9X<!|o0t^e
zV<F()>X<`QZ#b)=oSYA4ek{bkU!4D&smf`kzDGxWPs}?W<nN3A&y~%m=wVykvqC>4
zrJQj-BN6fpXJ^^(uj$;&bVDax!kNcT6ujWNtbLb@&a?&(tIAyU56&B-u7VAR$ZgrQ
z<;#PA|M>ocju$3IBF(rv4+G@)YMi(^p~~Gt$E%z?D%711=Pm38&zA<p#-RN6Mj{jO
z3{5tRMI<F?6KyK`R0TX?$;Rjb%A2qc7%;=_XKjz28m|%%V_>hqW{ebTn+J+5jg%a;
ziZw<@EVM{rh~GqtvF+Y`bTLDO@TeegYcZ3q8L`a=-3pfQC09?3&vC<ST4AKGqdGRo
z`3#gC@xW#>uzluF&bn$=68Fgjmg#Yp{0Bk*@4xVWAoX#apsj;)iPq+up~_p1NRTfF
ziB304#)3?n^r%=#KGQVj?Gva0ANu<<HCc`5s~B<4=Tjkuq{H2tHnFWDIo?mbzmsZz
zJm(IU37DxE-X<k$d8#F!L$rauKAw~GIo++@Os!RXMzwo)L7o1#T4|gx!km1P6fA#h
z26|hK#VF|`)WyEGj8lW`0ttLP(HC0kx#8{vLr6#9G|$flzcqJL3v_j~levx{Bo2x-
z7K3)VX_EgAz4pqHEbitFJfFlQARYpwR4Tl!A1ulsFc$y1Nwj%W2tWYDiU@k~FjJ>E
z7Uj?5qfE3x4$gyBx$%b=mb8h(N`CbM6cIcJ`-LO?0Q3^z-9A4V{2@(>0fR|#1dsNH
zy^&%R@J|nqAs6&ktUY_;=2M8M#_PX~INn_ZcL%y2TaKOpT=m#8lQWku^z4Ix=c`_9
z?2*@LX*(juE;S*S1MNn0;wFVRf*lM$_MV&5S+B|uUs%fEN@;5nJgQq)V~)VPJMMw|
z=M?Zu=jXU@s^`aw1#8^|Yf_m}FSNt3C-t~)tB+|d+<v;%+TG&j!zdlyMoqiD#;%C8
zaxPGxp`Yhrnj4}du;RD5$t)JK6fRXuu=wn&xaMG8*ij=dV8+!wS_MdfCUk_%zk%oI
z`R~`-BK}c$s_3#B#g_k40&+uiGEZIIPNuhMYxfL0mI&`$&fLKISwXpuB8Zel0yM^=
zxZqFWj<rNh{3yO9fFrM^q_M99mU<?w^hQ4lVc=sUJ5AYowmi%oD>frqd@^#!oGH`1
zft50@s{KlOMF)g;dvjPHyA!au8Im{I9qLLd^77!`gH##Jk7CaW2j4tB5W`mplOdzw
zQq1w5M^BD0r>)!C<jLu{-9y^2I$O=-H2O3zIMdK2KRD2>v#qQgkAn);=%QYxs^h`Z
z7KHf6*XqWfP~L9@^vTSh5oPeRg(Ca{mpg@0d98{L(d?s+36r#120syUI)*{;Q{m1~
zJfTo)Q@{87|6*Tg>|}P`=b6uoyj>+@_4DPh$vd@;o&)x!e6XY~T*aj3xB!rf-{fji
zD3Ty9C8|<8H~lI^VjY!a1Iy0tU)f=xo|TgZ2iJ&~oJL{k2F-{dUjh$Uk>im4r^s*P
z!R2f!=<>fBY9lEcDt(~W&&CtarVKOq+^T_k&c1r_6OEA41X$zGCiBj+11DXrn7ca0
zdL~I1SN2cPl6OSz+^g$eyU+4ZtlV(Rww1*4dyW&t{{@@>iv#<tqm87?h7dM?(ci?u
zZD%XaN`evr(fw#;s-q6C3Gv#1;wxpq^#{3Ytp@S;?Hky4ztefP5T6t!weRNVN7s#W
z>h+ErK!J`{!_?UAu?w=xK;_f%*PvY%poZrau5uE6N-qKgmTtL&`h>XIV}dvR8N*tX
zs_r?@K1|k=&(Fx+`3Mg0ks;=rKS|$qgfvIDD%bibjs3Li`800~fw|xKk~-$I7GgbL
zYGNG1-_5r#&NU^`y|rf^XcF_pz9*$^UnwY6S=g!?5At_?-A(2eq6ov<2n2I&vwD=X
zn2m%zQ#=z>nkE`A_tQ$L^s1g3Po<HS>^kG;=P6ZM!=oZai9z$jhM#y)sZq#c!g%TV
zSwgdsCLA{E9BgV84YY@pTC~eyb@*JkCsNcI6%wh*_m!$zN?P%kw~2CP3Qi|UEAeMt
zL$p%nj}Y$+bTdz#KJty&)L72c-u|-BX75F)ZfIJ=X4tfGvOm#fSy}oAr1F!6Aj^JO
z&ka>d=+cg4FBM#Gu2F0}ezbI9e{-|3*`yz0dTSiayUlaP#qNv?s*=p~zz)qkCHqky
z<U=#2Xws@eRTYeF+vwW($TPT?YTsZBT375g1jNs+hcE0lobzyF){y??YNU%tPc!p#
z#`LKDVZ6+L&`>JIz>D9)Z?_-0=-yUIwDgt1_<3KJonp5b!HThK_JDk-Qd@*EdKDCv
zFLJq#ez^`D2pgp3MZY$!sgsE=5_<1JJDzXJqW{YD2tQgzU9?o&5gQ2gkO4gGlixix
z1J?t7fzG`(UzD~VFqo<Ws)yROrC`Lry}b_-u}zm?q7uDAx3tG-&J@-bFnEQoyE%uw
zS15ji<Sw0Rp-1pxXG~v)<yltlHL2S7M;$r{M-!Z}{t^CU-&AhK|3oy(T#B-yhPVG8
z=J)mwEzLglnDo*_-eh72FO7Gt<+g`yL~4YoBMQnRdqMnQw9oyeQtv_=06I3|QGK9&
z{eDA`EhAQCF279M@-X<$MATUm;GD%OK=kHOs+~|=^5~PTrJX%N#~=-AXXaXQ=UDZ;
zxikJe+#lVYDw(mMJh*`+6eCD_YQ^IPEBK2H@su`f=p^(yU59r~I=qvi-;PHsnf~+^
zt;Yz&<6m3PCa~$8_tLjzb|rTm`zK6%#RUAK$dm}>XZiZgZ}p$d7^dQx4dL-qA~!+_
zwM{j3RX6oAW|TWz!fXW>0)w#!TQ576K%esDJFb~1lK&surS^}MA~|M3X8A!b<7Onx
zcX{KfnEt`ndn|6${0EnqWql;*ku{BZ_pqN?(L1n-cBs_W<&gey@<71X?KE~qOX;Of
zz)CRLy^hA%Lt>qH4S(*>{h-HP3`SwMr=9ifMc~=i8H%MiM!05azbcME^e6ID6pq9b
zu(Dq6gif((b7rdnWc(-McCQg6oLqMsHvJ~Xh-q0=t`tf>0_9qUyqb&#UM`(vle^ve
z8$sjodDgOO7x8!2AK|hv0f~V(tdwvwfjz^!;1>sFc-*H6GNbQJe|9i9FWK(l9NJ1y
z?pzyo=`VBo*P2<oNs2y~imy9qmj|2Kv1C!otL$Vmo)SGm>}cRIBGss=i)&Jt;b{BJ
z_V7*SIw8HG;tWfEy|;O&(5Rw+eSY6>IC%a8K%^`{d6gD7a=U{lLB9`WSXL^rW~1GD
z6)VDN^tX4TViA>-AqC<D|C!2Z8N+i47%{cC@8^E`sPFsr8dj=BIO6#i_TG_@nZeO^
z502K{n2~>f^MOb1-B5nSijz|OUbpu<$S0{`S*@H^*anAZuF9;fO98{*K*%Vjb|g(3
zwfFHCE!lV(I(E{OcaM@mOHHm!E~FSsRW!`tga4!MRtnG4#i$V-YVV?*ZVaWextIc4
zJ#~2c7|LOwQ>3NZL&kF4$!<BAD7*qB{y<^uF7e<&Vyafaz@2~6T?O8l2cNdip0Nkv
zL^zYGoQq*pu>-rK*|OCzr1iCPzWsnOG1eQe&!6MXe_Eae8d^(yazyxc23LcW!aBpK
z#`H5_j;flG5|2D%4wtlAzsT<*hhPvYe5&8$eHWJC4~h*J=F}Fk)O%UmYo`dc=MUJt
zIA+o9p`xiTtB&gr2#xv|b~S_Yl0iRc*B5Ot);GGJcEOD=$6kzeQkH(9Q@TM_`z|xM
z2E#0eBgR6fCJ0{Gl79SQK$%;t=N=<;2cQ`p{zr%9Z-HuIeEtuwZ@q4HC8KUc_oi!S
zT&nF0ric@sj`-%AmTJ<^$V1a_@H{Nd!iREL_2`g{W+P|gecTA5v2i<AlWJ*TPgnQK
zL2d5tp}W?q6TXh<9~}KS8%~r>CX@vCDtlLRr}q~)M!#BypOpK>gr*Ktm40l(6an#K
z7}5U&+ry@gp{hx;=hvg{5vPTlMOO%#ryf>Ks3%XtZ2n7`YDH5Yu##e2ME<+{0XKk=
z5^Kq3K(}M!;cFvGv>cyj#4MRu!L#IQyWK<E@IrDuMz?aRm?<jrRs0?(8|d>uSI|}F
zEE}ewhI<ry`rpd)|HjR*ae`B>;*r}ZBoo^-@Y7V8k|r`@<GgL7@*jK;hedVN^l$;_
zF`^<Pq2@j<#~X>#0!doF?}rx$C@-ki%h`232awKaBulfTvqXo1_2!u!{WT8SDQuXY
z1BQpM@+j4-YxZIhJ1PeX`Q^%Xrn=I5kOR+ov3t~yl{!rjZqDvn#2X+ZX>1%J`WY%#
zGn-ZuD}HcAtScZjubusis8qJuTH#H|2I+j$j2|3{eX@iPYPXE?gsdyG-lh1VrXs*c
zcXSUsawhv<iW}CTm2481s$7Rar390&2z`$2c!sODm`#o+gLiREPz_L8Kk4NB;Z<1b
ze&rawT(8&o6%JpMl7p43rDyLg0)*sE2Td!rbdjk}g`jjj$pD3>58ed7C-SY1(V!zn
zJj!uI8J?~JvY4c=0H5}sN>$2VSp~eaEOSMRG=~=C10^i?-(DNb5Mf9cmYpp<p<%tl
z--KM>L`k3XgFZ~ECx~-8GT(>+-k)Wb58*?EQjYYh{aA=Y`^u3lZnOj$>v0yMT=TXD
zCVYOX;MHff)H%#P9-2#B6?~)rFhp-=lq`0^?F#0{iV~`s!RjneA@531&qlD@hCWF5
zG%WT2JC+xdZB3-l?wB6Ci$Z@^b|4<kAy;@ww~nBefC4{?grP-=en7rJruLm9O$tX5
z@*+s=C!^faq((H6+RMoT5^e|><fd_WR3<!?3mOS@P`TK$!IXcjXaQuv2fTlRu(rw2
z4VVGflxwPLrU%0<S4w{OmIGy^#QXuNc4UNk2Q48m(n&*_tIFbirr-EqU|bj19U^0x
zZ-*9T^)m4t%(_YGiUe$Xt9RxgoT--q!W59)!2odyEzyWF5MRno)OF;B(dSJm$4jS+
zmzMhjH-yley7o>wzfys$<aZOe0>37exKmGLvDxTgDKy$-i6LivTulP%_N3h?nJ0MJ
zebuawbvm1-R{4`{M?Z$ItWa)~pT@7a1bdZ_5D9@*O}-`P+_HaT^V-)Mo*RTl56n+~
zvR9xU0o+`&d_{=Q6EtcLm2m&F8S(H1*7WBZ$ubY+7@B^B7FRwq(*6NO8vE&(W2lzA
zU*HJ0D7dVZzYDMn6jsaQ5mZ0Tdsx;*Oaav3+B^|6gaBwp7o|ig*g*ms|FTqPSX)D5
zDjc_I=Q5=N<sf_iITwTdCF6&W=ETExz2G_ZF@EjqDTCQarDoN8nr*e-4h1)Tv7P|~
zIU9e_7H{T+z=zxhFT$_i*mv9Jx@0JKK1z_>{DGUCu)<>v0u@if-}yo_EuPYx{d^QK
zFr3*%#MYGFURD8Dl)E_@Qkq=9aZnNq(S!L(SS6+mZB2E5xH4xeor%6BG_LLP*&g0%
zqC>nN<Ohp57pN9nC#zw+@{SlG0xPy>Uf;$J6e9Oyt69fX-6YZ%+<H}?EsrV>PR*np
zqLbYLKF29)h9<s$*f9~G{z$&W`UX>9qL|!7_VIW)!AnO4{&N5MoW}Maf&71_U1=2l
zE^_lJsqRSVXdh@+DsN4~FXCY!%Cz{AUQ`BDGX(!%jdFpp&-4-Gk6WHU#MWJvDBqhg
zx&`>w;X%V*gv+}iyy4pg5`gAVwK8@{ou%ejRi*>_+e4?b=8JA7Z(O8SQdrXg)D~tC
z`5BfR3lBh-waBMS9PzBcPB+D5nGLXeIkI_Yr1`n`_g=vUsh07eAd`Otp^AAZ5`y^O
zbK1MM+Fy;oTiva;XG|oOB<OU$jNMj&CAjePwB>EGGpR~Ld3j!youRAaXs)f0Juu1*
z0~MGb1C_5(6jvEZB+cabNy!>kMw|F!FM>jtjCn!*0WV!i-2(iZ869fBir8AvNOz{W
zS*CCzZ4W>0(}A_yo167oHusZ`jvG+H3>xfzDLt_M&5sKe^$Ue3_R%0w(AIec3u}4m
ztxwi7gf%HuTJwq}5z$52&QbfQ+cCuyw?2Y&5*<dDF5%8I0uv<!DXIjX;=fMS51_;+
ziOH;<kGt96UX|Ox9M5i<@ue5dO+cG?)%8zB?a-vT;oGi=J{?Fm-M-T4+NnZfg*Jx^
z4=aR}(8MmJq)wjQn~0>}Ys1PNL>Q?<8k~KZQfG~EZx2rZ-ag)CdXpWhp-OZ0C%eqI
z&3!HgDGkk}Gq+87pmb9AU*nD{{0Fo{$^2b!Za72AP(r(<i+F@8#an*Q&a;pj&LVuC
zzc~-^C0{MuF)=FT_s-g4nhgEO9xlKU<S=>v$8pKvx!7+#ic=3vkv0tSaC*%ui#Wph
zV`+v~lgYJ*Zxuz1!%W^jMgEg4@R~%raF!OdQ;^g{;i~{|0Sw?d&9o~@?;(r-%~Z=q
zYQkCcWooRRjU17M|9E9|@hD%bS5+k3gzrusMVyq{XtsMAv6LYJhFbQmFq%%kTgFrU
z<H3jRd(F$Hv7Sw1ZC{^d9%FdKSNaB9TSZr@NOrih<LC*mWOE~OgGwj<loaKX$)`%F
z_b{G)6#|8Uizt8rKB1q~@-QxWnF)?R$U$#qwtx39^I}ww4JYNEpyZRvl``>6>4QFI
zOphE?PIyoH`buQf7_>P4U&{M>ieM{4GYVzZz8C3Hy`c+PizG-IMzZkY3vImmY@#I6
zAdR_XN8BUo(jbd%g!xFziM@})4{GsR6(Z118<MPA-%a(aFInmfeP0c?f>D6<-7?qT
zuXxU`_!@6|F=>7teI_ugVs*B7EE$ib6a;l}O0518X>Q*g1`^62sdG?9s@uvP*&#(G
zFmePf5(LxatI)kE^HI6*m8iy*g&Pw<z0n%m8nmaS2;*@q5GtT3rgBOeA4GCsgoxj!
z2z}!UgzYDcQ8o%5Max25gUISp3D98I=LWwtCiMti_8iZ|P9)RRAwCt8$9MSFMq*kg
zwJyg^{aeDr!0!d~?Dx=MGUTN~I6?)Jt5Y%h?B5<%BjoWu|KLVTU1Pt)$8@ajWOb&c
zYZwzyE>?%ZZqzXP97`;EompQ@`u|H*B=XYDq9V2<zg=EIr*NI-(NRrB!rHOHAs<bQ
zNob#N+K)$;8*U7JsCp_C+<TLWE&Fe{zEp$pfQeV?Fd>-P?blo6;Rv@z1n<{rlT?qc
zxo+;V`EH1%i@ulS%!;)cyF$_9LRx}!sckBI63R7N(>lDZ2L+Ov&Y8|0TZKme1r$aR
zC_>VduS#l$Ita+xnDtbb1slY#f~G3VyLm;@Y8cu(75{oQPGRS+1;YZMmg}Zhl~ug*
z$Yp4`mT8^IbR9=72-TFNW<7OoTPdC^)W4Qcixj}agCzx6YB-N?-pOiyTW_<sonnXx
zK|@?9+f;Ja#VUgehNRa}d@~$;`Sn^*kTv}NSMLsrC+W~+SZW-lBcX{GQ%EtCca`?J
zI7x&@iI;RAUIdy@gkY+I5IBW7Jm#fSWo-L9AAF3W3W=W=><FZx{##CXZ5JsR(I!Bz
zWBy}3R^g?q(bK*nUJ(b{E=qivHkpUOy-}zp64qL$IwCJj1h<oVke>d}a)Y3ev&C%6
z7*1_yaV79b@l8ol0F-VV(C4G)0Z|3LkxSN02dKvh^i067<6RI2dqII?{zAg_`PUJ=
zUP%tLX-<10D0Ra$w||oUL?YPo(W|GJfCDKWm}x=JB}D=+)lEz{7!797D%KR+OipT(
zN_6-nl;$iTC1ecUF04SmJJTGgcTq^0$9S<zrzpUs5k^}_rC@O{_$pv-L6(zL8B9kF
zOU&1p0%RO2vP#!Aa2X7#%gD%~Ifr9ZZP!5xw7lt0NU8vmYuN1<uxsGXjl>26ffc=x
zV3CXxp`>X{ibI`$dvk}AxFl>6<@@@|!O14UjNfc5z4({=s2<l$6k(<-xV(!FGK;l}
zxT91Z)z6gKy`7TsOACz;I-|w#Hi)}D(WLaS>^lzK%bS{NI@^+E4CP1vl89pYyGJ4F
zO;ayB^Et|D4Qa2psdc!C*vArTV62H?S)Ob~8fLurhxfA>EeRw;ngRMk{_^Y;k@4>&
ziwbgWdqYUmM0mdxy{T%o+Say&LTk|CK>~>k<)5RuT5WSf+25W8Xv{>Soq4@A;L03N
zv_aHAyBzMc`E`9YxXGIS7b%K>Y8js5ZmD=hxzJRQ)paE{XBIGM*t*Bh(Aoc8@e_;|
zPGeayK%xN<cxvp&uLAzz9H^U_fcccA83%TZAOIFYlpi4<AH_mEKVU6~UK*?l*e}{K
zQo0P*0dp^qa?E&^7Q*}LxHEhirn`Py3(<K(6Ik0;Y`S(V<2^=eY~J<f67ggm4Rf&Z
zmD-JY`N!5?(6z^<7@GHI%VbI8S~HQU?0#cozN=+#5v#CRCC`jFcnxEA<irGo*0<5n
zF8{aatJKE(+nrd7f#Fv2W{{P|a2K!|#g)S{lhqQr7NJIsuiam5$4Il&?fugD>LIZv
zYKfO6t~W64n%5YMIXc}6c5ooszwvP|8upi6-g{_ei|xOrYgrfUV#32xnIqoUbz90;
zE!&MHB8D2xmzHvYq5o$ZaYgIDD@rjh!%fOh<Fl>a<Xiv1yMOMOyWiJJ4#SvUVYdn9
zfJsq%xeIyD16Wl+E4Uy0l^8p>6{^JPh-~A;4Je%!FRqrzAEYHjck&%b-n-ttXdJz|
z)Jq(^8agP!C>WQf_J&OBVG4~G{~11+=UfZCh8q6PvXy{4HU>>gV=Ijt>foqMyt9gu
z3Q}J_N5$yVS2l%19Bi**c2PhbBV@d7r&8}KSNdJUagn8K{GM^fEjt)+;|<B^yqTZ$
zp}1$n74pEOX614x;|X8U58j&umya1A0X#9uey6t`<Hn?L(I~|-=^WE3-2ta!n7HS#
z$-k0#eie;qb*;-Y^%}%M!$_VG{Ha~9uNXhBpu6wG1}sx_AeEk9)|X5zA5!KweW+D&
z!j9393Wmj@h=4diS{nY1a=Vc_2WK*JDlQS~7-Rd``m@(r=aphRg?Cx~@Rtm8Bnl~{
z6|}dKKM}biL4oL-(AVtosqpdMyUPT+)ue*y8?Rl}v2rK}CyfOKvkvC;9&|9OcT7cf
z)rgdyx4RKx>cUuJ0Wvg_+75M`)s0q_fqBRwdBpZp{=Es)XnAv8Qp$$Hf$in_Dn%Qn
z)HMRS3Z-4g{&@Of(ghP21rBl4jrcT`l2rHOUXbcdb6%~~zGl2lE6rBSmmi^B>&<$j
zfw@pJt2t-4tn?c={8*vkpPdqR&P17U73oq!d?In0C{N1`J>^<#lVVdCI#Touv6e*G
zo%$a%sqf!<Bx$9S<myIwwr3T1>3_#VdON8iz*YVBs!a>DcUFx=P%8#AJ*P7S2cyr9
z!+f7GgczFRxd6SZ?S~JtMNuS$@cc5V=_Y1o2mRgWcM*9aIh1fv7rxyyN{$qh)*&y1
z;e+k8qk1$PiXb?oRs#UJ0H2uZ`hQ08n8b1;crmFgp#PF?<ZhSI33RVyy*=Nok50FR
zY)kA;I71S{X?<5(4(CKSL3}!awZAISzJ1(78g<gdx^erxv!=83J}jkH+=_j=U9<D|
zb}N<Ebkx~QK9ZwhBnX<oQ%U7&?AB4f?oy}S4n}LQ-(S<}P#0cSkny@4I7EA|QBn8j
z0yC#$<7TC&lRXlA2dNxs^Eb_{$Ho6g)>|;e8E)IUSO*R6ZjFS-6WoG3H119yArRc%
zT^o0Y(73z16Wm>cyPvFe>(<?8-{0_k_0}A7K4XmE22rX4<margEf%h^#S`7j3(vSk
ziR$p&Wjd+?lK;hxcCk12M_6O-J7x82HI&-SFe?EvhwveJ(_Hzq0{15bV@0~h&J6y)
zvbgPLL*qs2kKnGX5N&=g_#4qLZ#CsBv|RE3jF{2yg&%1`UBztMcFRV3IbN!?;G2x@
z&1C+CV=EB%Y&NRBH#N_yBiW`zpD>Is+xD1vJG}kG%;Xz$%aWUXeaP+$SY-6+mXM^d
zD3C2$sUVGia*O``NH(7rvG5Nm^U?=oIcE6MSKUt9k_b=qx!L5=N`x(r2V+l&1gKsu
ze3LS$@uU+200>(cYE(ud0WK^z;%GzhQa5#Cx`L!_9=yD(-nw@z^LH!^S_!;U8C6vX
z2J(d*g>T9H`+F<dO3qoH^cm-Ln#!@7dTp(xiZO#Fq?F<OJv`K%o4w^c8hu+u2X*rh
zj^UyOPawpuskXGeurOBRFtPY!5&46g`NAwk{{Nbuz9aW}4mhM47>@}^_Wx31@EHty
zlmGJ(SoVz*(I#C<Cy3=759V{CabaJPP>%2%IfS*~;q~mY2qaODQ7H6cB9n;1vLn|v
zu#*w~CnZ-Qnr?4w^l@<#@zp~G&fCk!>uNlpETOfAR6h|8h9JAEuTOC5W@qF%7BLby
z`q98uYku(3O66gFIX3?K*dJHj;i-vvkKD;J&fvpK?$W7C5m;iZ9{>W88(NR7)q>Ow
zW$b)saG8`kXGJ>I?57Gyk|qeOmqkD01!!~}i3zfl8ICZshigK2YAAGfFO+AeCnoM<
zb6A!C<`#5&agONWez>IS;Of0y#u*7dQL$W4Y&{@3;nxr{EgT$m!<vDBYQ5>BLr-%l
z<9cFW!5i!A+^n1T{(k5@5^0t!r2fCjND5T5n#Kp}*+w*0b7&^L7{yG$T_6=IiR>~F
zpu)p^%AosQgIPcjuLu3$7dBL-L6xf>lR#@mBl6DWtQQ#%|GbyNY;fPy`S3mH=SL=W
zgAPSl4JuRI{?%ZJonED0F(@!+quNui(O&VDH3%&NI1A}g#iFTI&M_tmr6vx-viB&r
z8!{OGOZGN8%G}y0@jV2<CJP?Wx$&FmA-F8UGsER0AIvi(fc|@;d;ch~%KN(PM(Dj(
z!^``R=Oz>4WFDCniO$qf(e&Zar60wrsurmQjk@;mfBgA%cHbi1_xrV~@v%TA((sP=
zakhQc6)@(RK_k9t#M~3PAOv-_orVO0W}a(H#V{)C2K!-;P!m~0Ec_UZokKa9>q<Kt
zR^8ve(}It=8b@O8{ZG?(bnq;7<>{e*RKDBuhr{$m9Erpj;70wiURnu$stNUNZ*co2
zc(6_hWb?4G8tVVL66niSb@;6XV3aK+J`%1dfL5jXjOt~kmxu_DUn_6sl_q^6>i-?L
zo%E0Tmml+1TH=JyN@jacuL<MBN=<#59?CY)#9RVj^0Jut`xzf9R++Y&dSi)*R%wWE
zwA5;2!-6yx9LWr8p%IDo6<Apwk@Qbt@YUV$Z5Lx*HSTi4XKq6of(v#oliow1;M`v=
z#%2Sm;u2?mF7wT;(dwV{&S?`2mEXdpSkb1O1cWQSU~fY_d{WGQYAi94M`Z_jjkT5_
zw0IZL^{6-g{SLe8_xbhKcu*v)hUMGT<>&vbN$8VBn(fkUn%|iWO!a<uQ~?(Jvj&Q{
zc8D>mQe-5&sB$w9Klmv!?|!$O)YM3Uwk0L)!lTeyzsyS3X8<<9>W^7Cz7b7v$Fn^N
z_l(iYQ>n~HvH{!^`s<7@UldBGRhpwenue>`YBbTk<DwLn>=X@z9=d=ewx%aqhr8GJ
z&CYD~Dd2;%p$NOOLboz*<Rko?OKCeJ<JU7$9x7w&siZ&K@8p8lVfeE8+nzN{Ya{2$
zJ7lQ_(R00>5#>t+EeI+%(xI!5GbsBuk#lK+p8BGJs<wf8BrgRIl5VaSXNh_==Z<U@
zNE1*<3QDFd%b?(%wgzfz8&n97>jBS6K`~rP=3D&2_9^B^htx{4Gi#;0!WThNsupKc
zdr*Jn#;S-;m?Mv3gueFF_B+3!T<SYT0@JT-E5EJ|7OC6s*ufHmcvQ9h=WtgeN)Zy^
ze_!}nvLcK7^Zehu;&_)i5#{R^q=%j2+MSz~vs#MLJivj5t*sO9s~Uiq=6}6?I6zEJ
zoNz0s_>VNvefmAZi9AjpwD$_yDJPzB``_74-SYzxU{8@f4<;5>@YA-UCdHpUV#51U
z&y<0=eBlW$$AFv9@Z<%2SXa5(k31t(LU*R6kK+MR!`#a&_gT0Go|{r%VI!>|?gc`}
z;Kg95Aqxkyq_S;AUhIn2^m-eU27?jMqa<dX)VC!|^;I<~E@B-P^@|Y1^wNrZlpEs}
zOK4XmhfF-fiqC9%&_gFY&5mInm=P3@Ai?w+79WW5z_9&KM$s8p{(jCs5ypkn3bD5I
z*&tDw%6Sk|{MOK=F%UEqt{=o;UTr@Rb*V7ddwbn#-A;~gHJkMI-44Rm<guPKM>KE5
zTF<c6f;%-DF_`;cj=8W>xP3hP<n2nlt!<t&vo)y&BtNRET2t}KL+d$q(L{y&`Eflt
z>*Sy`T#D$1`MdX!qZrG?Ilkti77qtY9+8NnR1J7tM&V<G2(E$FUM<Ew|0Qlxhu2n%
z4fUaNnxe|^3FNb9j&G}ngVR+r=vuh796;P+v-F2(4{L$l1_ItR7n~aS^cD?sC0BD1
zWfJ<zcdjp7*OLaoiZO&LddCORu<TXmNTx~&KX1`#vng(swo59&V&WmZ$92_+=prkv
z|A4+fPLt@;ue3k4a1=sE0dS#&6M74wsNR^Ub4OC}MhLaJj6WzXV8F+dw1ppGRluKA
zgzjhA;RBhu=U{MK8S1P*YC{SbXu&Tt+*+|4vA||#U{s3<y6CAkv}^q6#ThTy`ovVR
zqV`uF*$`<fGHxuxF2#`3m4!=%JL^8bj+$?o&#D9K7P|61-Wjt1r>7w9%szOB>I@K3
z6RLk_0*4z9VtCl=pWl^=qG<rS{ys60Tc9^p<d?o5n6A6xmJ}006ubj@d9B9Z@w5Ri
zK&weJ5U=t2cU>ZGM}s;Fs=IUEBn!MB;yedmeir^d8=Sn!c>OByPFcu`O05Octrd+9
zj(T7{BG&p;r0<5w8Z8yfqQq2MSpoV!9el<KTAy+nTQq{jmNn8F9c+?ulk)J_otAZz
zi+<il2C|{{8iY*}Tv5WFPu5-RHbb_xq*nGCh|tNGPZk<2mkqr?Q<}3_?){m12#i2G
z{38`Vnl`{aN#dGGFnN<*%_by*Pd}P?7c=-Qn{($LKzY7}g0c5og@q~RcFcjEOWD-%
zKg;3`Uj)Ur_i>hsQ-=>LZuBJ*6DcF*{q54tg7;S}84NEP4XLQUwAaX-<c~o0+TrnM
zwPF}G5=%+A<Oe*#12k0%6_||L_Nm7bDUKEFVM+0nQhe$ieWsShVw;t?EFwe|Omds{
zOnI)ez!$mNe?+KWu{MS+w_<zmi!2#;C#e6te3G8&-iLcBIUcirwJuLNF@-`4sc>yT
zOcF?H*BeLBY2HjK`Mt^Ugp<*)esN47kx!f8vm5RWEzL-?hYk7Ju*c{=6Ju%NL*m}A
zB=OrK4k8&kl*}zCL@pRc(vQljo*3->Rew+jM`=M*Yg^jU-Eddd(;1;{3M=}RJN|v&
zN>^%<6=DrViHS9`NotQB8e$nsPFdelcX{0J9gZIuSRWls!a;?p{U|eeyUdlA#DUwA
zjaw7)IsExwE8pt2%J8`~-7}qm;#q<bbbqSD^wiL^>e0UD`Gua@{ZE#}=ii76CPe>5
z8U6=87sKiYzI?tke@QQx@(DB2A+0r;9A)idPl{x4sZJ8T>~VZ8UsW;zhmOh#ZMt{p
z(zRn{2*7g@j1Bg~<4Z9xC>MA;`1GD-o)?!HBwqRv^Xy*)X4H^j(O<(;U~)WvF-g<H
z%%v19wbw^Mf!GHQ0VGK5{keCI*Kx;^;F^uYLOta5R=0l;0YDU0nzNRjB?u`bgK~sU
zX`q8_XE-jx(6`~wRKig35)(FniekUI<?}hR)(MVX0`*Kr9O6iUQ?qfqanMZ76DRI>
z28URqQ`Tcf_)AP3Fc3KLMf-LAQ&P{6FZ%%f8v@JbG_I|!*|%W;eK-K5XILW05QA=w
zjK6uxP2zfdEcNI%5&IKkX3ELKQIyKBeg&0Lz_YySpdOY|^9TF}HI+@UthkpjE0Aml
z#+*mi4!Yc==$@nK)Z{O({FN$*-x*h5SitMxHMlG>=lH9S>o~q6))aRi>3|kwVoEkC
zy+u(tx#s@lS!GP-Qm!+XcAHoc)oOsni-eSWoCNdxp09@kq(72uxwS$9fx+JnKAHn%
z?~9EM_}HO5w{9n=|Hk^*<5L({C7USOX_0x^Mdye$i)??H9CzJ=?=xD|mxgfG$LzBz
z+5Wf&GJTm%{xX(}+4~150=%4pe>f;aq5`PcnUjI)vZ5nEmArBiPr(vrJq`7)hQlbV
zOe`{%@itsQ#Q%N9M1zrbz-x%<i2}^4um)$?1vG}NENIXhuA2WWS0cAG{>ngEUtC!c
z<V*z{fkbGiis)5=x+Q&DF!5=!e9n|H+MF56KGL2>VHySiXh{A5X~+C_H;U}|Yx1>M
zaF#|2eMI|iqduq;|GbI~MQ89h#=Y34?9-VYUl#(>!Y@+dfN+P8JKdXLu$Hh#t#z3W
zKB}F?7+;0PaZ;Bhh%A%z6a6z$HM>E@i2YOW88e1Wg#!7iPVJshxD}+NNqL}$0KmTx
z^o*K{7%<Lz#{KWOsJ&ZLY%xNnUzyI`yG#t^m%TTvW4&}}y^gT})&#WTRBjZ&*(@7h
zNMB@_Q(Ppc^S99VbzBW)9!zBn#JREDiX?a$<A%AQu~Na(E|JQT4~INmcIa7YL~Im!
zMn?aanTLpYNKINjwYdxj7HeB)e0ELLgtHfV0BfITDW&07nW(_pm`lW25X60OPK$9p
z<2Rh7Z4{p*5YT!w7!bw3Fw>TRnK5p)+Nvb*1A5nwcak$56pm$8HGPl_b9TIFCM~ke
zHhhQ)llojV(47{gDmLumaU?aaSwO1?@wdIL^-0{mUov~XQ0jReU@A9lh=Ze^1^b8B
z%wQS35vhuQu23ds*?5!{hI;){tgxgq88r1J!f$KOk7No}zv}xUyyh*)>-pTn64`2D
z!7=yGDTAp=<`v`NbsXTMaOG}Zag+fY&2cxbVLaBG)vp_FS+UeSAe2fk8!1R*ZqxX_
zUs~>+Tu=GafTb-z1OZ|TE*r#geLA=Qfx6-fHOK^QJiFK29~0<?P;{qT^!Tyxz}Pu7
zv6iwz-;T%*kE4dK)>!w7Jj7m$%j;3(XS0F%eTW;I=TBF*_xd1~*coqXpe+P`rl(mp
z3paZ3|2r!F2V~fc$2J<-&Q{ENvki9}D|u)y`1y|iyLA#Z-&){<7<v$=PCTCJDpHD!
zO`G@y74eCIkmGYe<J}!ioe64Pp$$S<iPEGcs!i2IBF0S<;@kGRy6&^kETYdH=iW}8
z@EQF1Ft72SXs&g7ha+6t6?~qLg63CwzHmVp2Mpb|cF(dDuW_T~3GXV6<*Ig!@vL7U
z4n{#?@t6w@{}iD;_9!=K`8QX|>?j}j`o-c8tNcT~gdNDkPVUA1U*2WSlqk5VGKTc>
ztAVFzEfx5CZ_<@&oXEzebK)y^bxxZG2)SH(^r_xH9c$6AR?c)d?kT2_QpC?6%H(y-
z1oju-#uTEV;I5Qv$QbZ{D!&V9x5L~)>c^J#pbSV19c&IcyFtKnEI><#?9we%62mt*
zCj_k&fqcL-Feg9w5|8W2y5%m;&on+{6Db=R31*_ADz7e$|G<PMi^(KWA~hKndUn?{
zhpVjiQBSsMtW{<x^7X-crc#)M=fId`&po$rbwW&{0mKYGcBhd&1WZO|KaY~0BsT^u
zrUIgQr-!|0(Oic!7mzdlk=GY#5OC?x%RegxqhdM~VMi?JEwYUIFHXdpKmS@Sg3?;H
z;ZLPEYOBL%6?f*5M8YcxeT(SXZzkRPeHl=<)HG(PACC2*<H2&E+8!N4tnEv`o;5IJ
zmSJ10c~q;p^aK&W>#<egv9YK8P-Dn+uYy~AL*v?H0LDFN^7o!0vFDSg*SnDafrJIj
z2&qy`mZu#f%-;}f*gbw@Iz4*hck}Fu&v35l3ihCygsnjRq?YkT^sCE5hgweb-kr-=
z)66@T5gOQaK#TLFg7<t65`Nm^AHU-VZMrtQa~U}L#uzK|N@QIX(T<rOBB(ytlV$ji
z$epJBz+$cVhr<kz+tk5~nID|Tz6pDT|5F%#t*y^KQRECx%G0U>98kUj3)Zd}$Q|<w
zczA7PKRB`dd-B|<y7QanvzB_T61RPx(#<)S*0v-z0*8)Pv^>3uknaJaSw{Gst^m!g
zXD4HtaJeij^aOo$Pv0%AiW?zy>v>&1Jx3c8=Yq3cC5dQt6#WLe7H=Vr&;0s8T8UL%
z`I0B(%fkFY@!H^+E=z>)XUu_|bXS1#E%F?@l-6@me<lAhcGKYR|EMERT4V@655`6*
z%{P_$K5nDzB1)?d{n<B|E{WYKVmx9axxA-<7T41T=;N6}1qj4Q(iO<+5Tet_#{8C#
zEH3+3c~VC^$E14bEpq}fIl>7}%GY})39<SoM(IqEBIWt8(n<<f)@OkL^i`W@M10>}
zud3UDaGkprbBr~nLC*%!`Kcc<e;s7iC9};pU_KSTzg(r=1-_cp+%0u#=epA_bUE`v
zxBKSnYsMMv07*ZiDaIKIbw?Y8)1d+nYi5rF@Y)d-xOy<Etj~FS^<kR+L-B#$Pr|V?
zF6V0w&2H=A4NcHeZcZIbyd}2z(`_A%>h(qq6a@;g4%urx{9U|pq};5X8ou>pIB$wk
zoo1_|rs5X`(vfqD)Hs;w2Kf3YFE_DiV*6t!Q8(7}olm9WK`PJT4P?#F^{b!WF<A;W
z+NZ>ccqC!#(%FxXc@+Z@cyk1jA}m1lnrGhmZ@N(c>O>+<;({TZv!6OL?qf0<s}y&R
zK0M13iZY!5^o$+1|H)DOb2EKM-fb(P{=tz_0g18v2T!9MQZU;0Aj~EhDI^h5(uW23
z^ChKBInS4xT~`Fjj!Fg47I%Qz1Q2_~QAs>w4+5^?y>8y;M+&~^nmw9!j`&&o_{C)e
zw-3EsSPYd|qsx*~i`xmegGR-LzU{<6m9C=Jo>R)gK)`KD^%VQ1oC266kIrCdix!8;
zZ3JLG9CW!Kb6b;|h(O4rHflInyXj9gryfLs(!<Qy)mHg?6=ubq#Omw`&VkFuRaC~;
ziR?8rXgydjWTsNXGv#PgVB+h_c|IE$9TGAtVHZ??K+^o!->=p-Rl4s>|J(l;VIJmU
zoG6u^#rbI7wa6=N;rF;KH|4_7P&T(<t_44zc%W>m!Z3~mwlHffgKQc!!T9Rb5k*n}
zyFITu=qjim^WH2mOz(7`muV7-iQ<#kW7M-Pq=P|wU6!i9iIjYT=vxHr^=2%=f!3~X
z&)==nxnW_!w*7vhY#D8LeN!KqSJDyjIUJA^FYo8CwrGs^e>yOTicEvwOmYQfKMi2B
zge{$r$n{B-*GOSK=v6p1I)6484S^qEwmj6uKpR3Td?ub9VfDkaVy)-#ef92itFrE=
z31`PGFtDAT2YQdh>HR?@wFy_kn!I8V+-R1bK@v%<kw{wgu-%LNxk!@U59?BJ(@rB{
zP~V~9#<1gr0dBRugywvTY_1$DEr(>z3wJ-~00^vg;bUy2TLi;%A`LXM*XMZNHB3*k
zg<H8E|IVum!ylW#9cQpL6cr%b-*Wgp2e^M$HZ=>v5WdzyqE0hVEBH&J&(vW-5cIoQ
zwV#yJdNeFK_Zu;CpP+?d(rdcPm_6&-l3^;8Y(#X!U!6JRxBUpL%>%IRU+a2g(E0SW
zwP7!aZb>tX;MZqYUzbAcrpMiBGq@0mqcZ0~FX#Rd1JGS(ORG?GVRbKc(PDz2k>DE&
z`V^5i!7S*HOE}JmNePE!jF;i2P{Y7_cT4e3Ll#AZr?;!XK{@r}H<9SFc0w9@TDMpK
z(wL1B8cmU-AcP>Eh#>EdhCK_Uv;AiJOFfPcm$-U<<w9WWB|-yPIDL%V2f-Oc&sM6&
zzSbJKI6|hF{|sq<v^o4#+`UayNv<-s%>&FeQ5gX?%@g{aeP54AnrRNY?1(U@H_0d0
zGnY4<v{}5lJ03Swt}H9Hgk$nZQ6BY9z&mc|Xqj>((S<L|UXPYFw>$4~_6Og6QPCX*
z7a9e{J5Au&TgxvtCA%z#X~tovpkjN-@d>dAoCZKWMQT`_O=>EqfDjh^+v*CT_#T(@
zIUL<r69xWGP?=#bMo#*-l>9@8WtqrpVDh$u@#&M<?Ut~1ZluKJdW4k9k01PSy0&Gk
z->rBFVR_|B?8mBmSC`KG%q3p>->a_dwtnOO(Rxn0qs>~%txAU|CjCOb&GbD0Y78^@
zY+1X`y7$7(Fd|;MNoY)<E}SXO``mZdcV3Dyen}Q14@MT53_x@}=0?Fm=}_+aCH$1o
zVewPuvXx1|K)Wo>rVmDpj!`aHCC#1wZX3B?DSQ{mJk*7qeP16~;7s%AADM+j3d}D`
zwpq=F3O#7dZ^bWUJ*+I@cl1!$Bl)Qde3gDoifb^An{m1A7FN)(5v&_qU0~bkppy?L
z>Oqtm3RbRF2cXRPFnDPb+Iuo6(F0~S3uTjC(*FL4V(0k3K{B3Vgk>4jYn=TCu+u-Q
zmujF7hLO{mE?;N5{Qyj9uQ=8RX-)F-Nyq!RbWa5r^;q~H48<i0U*x{iF?CnqU;hQP
zE9dT-8g5jYAKfPYi$#S1sANBmsO!;f1N{84t*FT+FvtQlKIcZHRt5U@AOzu3)YwTx
zM3_RqJ;r)L3@ePKkyOzBygXvh@dtu_nF9w9f7-S!Ehi?LGPG5MO1`Rn%%k?D<BMt-
zXTRL^<-~m)RKN~LxGNTyA)4>#PlJ{V)1aez$EhFyfwH)F+HEXyhR`;sB{T7f?<oxx
zD^ED##zD8AIlWC(_w~zohTG4?smL(ChG&LM`)5bKDG`Zit<klOq}wK_1Q@RGq(CGH
zaYU#@4F`B0Na<RnT%A@W-i`#fhf$%uR7M2EMA5?i@^7t|08ECts*9qaKLWKSGvfbj
zw37h!r{I11FhU$?hY;3-$eM4j|Gb?E0@S|)QIVl~)o?m&c@(j~Jy2L}0ld4x)BwPa
zuyC8uWAbF>5;JIiEz;*<n@^%)&oDIK#&{A|f&XaJKFmIIt90Fr7S((c&*&^1a^Etc
zOuOZuL<4b_QmMNBbQa!`)b%C*`^b(TVK#0~6aC3gD4;W8)B>NhDmLJ5AViR=)DvK1
znROC6kb&yRrA#UEMtZA*Bh~~X<wjt$pX{~KXM$4+AL)R514^qFU2rO;;IYJHXz%2*
zGsM}AA1)=W4V0RedDQ+li#f)XXFRaJ^evhQ>j{v)oOM6#8h&Z`=fc~1_8r83X;#!E
zpk+)BUZwo>VBgf(&%L8|VoCRx!#UB*C@3AiOy>?}-8{ybdATG?jVujywrWW+Sv2_5
z0)#-<@)CVS2Re))4qx^<f@~{0TX$jqpo5T%ftyq9i;!hY@P26C9BdAT%B}Q$)9=Lt
zxT0i2GV$Jtxk0!_8J@sNVuq#a)y~@L-<P;MfVf?+0Z)7Z<^{2(*4H4q^4zR*DY!_%
zltP&KK_SS)s#H_*<(NhH&?+m=TE3HyNjIdzXrEy7q7%#Midz`Mg#F<6an$lDT0*r`
zT0@K7lyRbdOiEH{{0XM~xWTo?5^a*k?~s7<DEO`0L87_lw+U<i&d!DVOppA+ce%lb
z|EQ_X1_S}&7F?V)^$Gdj$p*PC{<140mM&5-N@Zb`?s@=Ta)mtpLxhZ&5X=j%Wo*Q+
zT1CQp4iMQ=h4FpAl0VZ00<x5Ku@xO}_8r4dpa*AIx?v*iU-_K))GEOg=tJB}*lNAh
zr|{3-atmjp<yUDB(codrn!g@6v75sdSAy(0<!5&7+?H8(uUlrX>0(Te%F$;+?{@ZW
zG<%h8L5?WBxyM+MIauW5R24%tE|>f5!*i_f#kghfjpf6=%bK=Rdls(QWao;EY7g`V
z6)4M0<jOT??e3&373~V5-z`EmAzD%t$^EE0H&wI*vt{-YQF+8~0o<Zf53_@suD{zD
zt&>-DE5+Q#3S!-g(Wf#S4q??KaQ%zQkH0Xk-fsvb*sIO=HVQY+IiAu#_yGexw5hDc
zneQU84?iZ>E5F!uCjMPlyhHyI2D#E>4X8-YGR<Ica{b!QQ4HwSk*~Vz?^K!>dgpHT
zK<8fb!y6-wLn)#jw9pz2kmM_G=9Bfn?W}ncH1RQ{AhV5{lcpx>{a>X1U_w{P!>en}
ztF_6znZu8c(no7WI|~lM5|J6clp>Xm;QHIqGWql`0j|0Fw$&D+dAMy1Y|45USZRXZ
z)qi*Nds&$|n?E9al=Et#-~;4R6a4u(!w|NZj13^`EUrxc`Q5D`Iksx-Q<p-f_FveD
z8tfC@yCMmqpf5m*k?M@_$)n%jKge!Qqz09bj-ENDAmdpO2T{rzuG(z(kVMS==wHh{
z8brY`!`|BwLIL1z+)(^$nX7m15SMV$9Bm0o_LM2`s^i4dVVGIMxDqL|jJfL;17yB_
zE7kgw)U}?;2#3CR!r9E@?d7rX+{9Aqi}7B!p216IcT8&~lHm$d63``_X%rSHPA}J~
zOxppe=a~P)V2386e4G-CooIkV6}}DFqYHoMUoaPBcFRMM(^j|bb`BYkrt0G9Spz+j
z3QNJ3vj<7=N@dWf?66GBgz~S($6_1Lv6#m_h-~R5b_CJm%3jE|Z?Ycy)%1RmS6&uI
zOGo3)O&~^4bVnKhvv5{al-nu%D{~WkW;{O$dM27r>)#`QIAo;AcFP$76E6{cJSRoI
zzAqTAOA|HN0B9?M@@4rIBk|D4M*J6u__W_r+4QK?u5qcXlvyJ_>i@pk9?~RQ#W--9
z><c>6XKd`4rcV8}hn@QHagAxQjJrIsJhYg6h%?eM7AH&ecbB+x79&Z`QUmJ=U7MJ>
zPDi^u5QWXpr|XDyzzuZwa6Hih@~S-Ht+E+a2DPkkO?fZaYk|42Mn<PO433+>?9!k{
z(LnrG8@0zSZoRbUkI9F;Z=YMd@4d=x2N`#iZZ}=_IV)msUUfBSSH-F;4weu2%#>YU
z;0~OVQGn7JRRbyYk%?V!kL9+4GlH@0b{k=hdg5?Uj42B}V=RTjotUKEGT#%3-FO4S
zh7bf=c=NiAZnNw*aM8B+7V76n_5Wr8p#F>`I(}d{iVuf!eHAeFD4hPW3~#fl;p-tG
zoRtu%T4A1*?a<klDZsmaDR`2SZn-T+-WNnuOZhe3<9m0I?$0&EI-d*EwQFrqKoEP<
z+TiCg=~*sKbTl!6P4bv)X_0s_SD_IkmZSV$eJ?b!`v--i$gO{8g$jf#mb5Ji9_w>h
zH~tdtAad%eg?NKJMCWSp7;~WOz@gM;alj6cm0Sosk<iNqm{8lQc=tr4%?bj9Tr_|5
z79mN@niH8zBKlJ-+)bgz%X{Ugwb`-W@R3iJAC=E~2_U0VUxP9sADXApK-T8PIQp*u
z{g)3Ab$%tGSz}_l`|J7~pO8OOCJlCO)~iE=@m^S-v)#^}*~v5o-HPxl*yFe+xhhM&
zUO%jCGe<iOG!YS^e#+GPbYXb&Y|)I>sfnBS+U{k#{~02&dGj0^F)KNM>2W~41>a6D
z^maZR4Vey6G0AHKeNmGKsfa;sNKc`N0tv7LSQamQtk<f}_{ti%-g}5X;bJ%^OaAZ-
zRpb`>wL3TxcCiR0f}cXE<5}^?TUovDvPQ3)F1{JiJ=m)^3oWR!NGqrnSsOr9?M8Gb
zpR5_T-jfrX(>LBjAdkX}H7UuqJJ1&f>UC|j8V1yj+sd~EGlh}opc9u{?3{M5D3X+%
zl<}XTi6x<}8#V7H(6i1&5?4mArGo{pA1S-_92w*PzjqEut4z<+v!yNHt$row68Z3N
zn-`e!p7a~NIK9_V(Vq1Wo$dZqdJo2SYN}Vbe9a?FWDxNPGZR`NQbQqekW5bQ+~CD`
zl`5>$IVK4&nVZI+otV`NtQwt-h0r#}h1$vj@z9tXy;uoMl;!&cf422g%j{4izt(Y~
zIQ!-od5yGtn=_eVJlWYC3X5a^vYiuLUgbhkan)v#Py_12prB9q-xxmGWq&6g_MoN&
zIlh7sKJ@WWoL66%S877*tM_Y8HgqsV$bdtxG_nNX$eHXQn5K!2hNp>eh?jOH+~`*r
zJ(+lQ&hM(LaO$5r8q9}7K!zucwLV4wDYUW~CQ&tQ**-tJ{pS2qEd^-<f62>$8BY)H
zr?Yz8igiw0H++1nOdal_F0l(dEGFrn#-rpJWzG?4&oy+NME-sro-@A0XNA^`4BV5I
zg}&c9!S`0MXwfCS&qE#N#vc~wQC=$xar*(REJM|w`rXgv3x65c?9@lxGKPqFdX-QP
z0zA9yJ<*i?wx{$Ua8~*yLdo0VUh35qtLssMHAjdPu_|>1)GEWOUG-3ri`Ir{p%j6*
z_^8(ia1M)=&s38;fJta9VUsC5XWO9=e8utcFX*A@c&ud5Hh1n;LQAPa?kK7!x}%G~
zM=UBv9ZK)CW=m0noz-%Yv53mjWM{x=x#OGkSMi(ndtfX(Nlhwy9)lPr;Cln3GGn19
zD0yMmfRKA`V`%w4S1+ViiCv>cLlocJZ~RG8)6Tz~7S1k@;OH>O83YhpZB&<P=>nv_
zR}7J?>oX!#{Mf=GhvRZFyB&oiT#LvZeqamxJDa2!CI$Y>93A0?uW#gcY^BK7O{E;p
zh{WykapR-ShSUu>7C;LcGX8a@d45+m`p~vm>s6RarYUMQ1`w>-Ni#N{P|zRT5NhLl
zBw$=55?i&XzS&#%{{dkaGylzJP!*3}05p{}BE0&Z?eFc?6cj9r!n#l~;Ci>G^Qm?!
z<kemK^Im}GMIsvq4TkqBxA;vA)J^f?uQ}^3Vhf8hTmEb?1-h_UiPS3Z&QX9gB>-yY
z(Z)JT0`j&_^CrH7Iueg*as5Xa4JLL$`Ex52gzszqV!OyIKd4m3#VnFq9v&QM1+xEQ
zxE#xFc~-6TaOrZ9Ck1GBhoNe-TA<i2F#2|?z|a(vCLeN{I(3eBo!@CvjluBvXjBmf
zuEOiI4+}MFfzO6T9c55jnCut+zM9Wrcsq<bv$GS1`m#jx0^$f!Krc1h=gVZ;=|84Z
zFPQZ^e-R_5|N3k2r2IMN-V6Y>NMZJ@PiD30sYcOnaWk~>6Hb2KMNDwhj?9zhLhBn@
zw2eS)E5J3$%EOK9ZWW8-XvW@1*tUJ1&h8)mGce96V%Nl60pZox8sxIaI!)uEFzbuC
zZ`w>~Vfh=&a|+fk-NXv}i=K^rN{fa&Y%(B&a~~H(TT&)5ZBG=1`U`qM0Q|#y+8LSt
z*Ioi3w4f9ih&4%?uL0MwUzdFuzp68dJlHdLl8{Nik@)6mem@yflaZBf=;$+9X^>p=
zHen`_G&Sndd6iOA-(bkmHSsm&QeKK*V8K}mlSauR3g<3z-TP*6_^ixuH5u3ZW3O+~
zE)QSU{{n$2MBz>$h1@={Zex;?{pTT=HyhN^hdvJL(Ky=*(*T`$li?rdAyF7>o>hBd
z_Z1KaEk5Qk&i45mp;Vk7d9@{Uw=v{g;}InjCTyU>ibXG=$ImOf*HR&YUp6Ou;u{#E
zA<Jqugw`wK87`=;sEGh-8z#eF<d&U^jG)`;tn$F^TY2AD#jrYQ;?>s@-+yH*;8Fc>
z**jWA?#Wj3cj+#)thuxnKoGo+#4`bYl{>mi`Ckbu?_0mlwy1B)Cz$LbpOQjzKwY=o
zBb2LgdA7S^Lg8`-btY;hEQwb7`CmH5>=_7gt20mjdNCH<QZu|v9gVVL(k*wnUJ>!U
zJBHtPSMdZ)E-Y{00I==X2wq*m0z}CxTPByZ16yR%<>f=mnkbB`7?nn_mGW=f48A~f
zo3RKXI?FL*>!G&+rFvHw)IKk5Y7TT>QW#yF2`=L*7XfMZ9l*!s1<jGE%KCdQ*^M%l
zvD_Pp;5`Tb6JN>`4X*A5I+W5Q%4IwYnaF)S?^2u5@Vxr1o%DN!#F^OYyJlSH$~}Ct
zJ)!x|nO3<EkpxwEv_yq#M4BlSSIWdxoS*{X<gp6lalK`vO0^?&+dBt64e91ixm6<o
zgtC@jPk+p4jq&#<>(t}j6H!yRptVjPw>2AgaEg0e(7@*iR&1_m9$dPs>yl~g)HUHh
z8SWXVGR#EO<p3EOV<5g8ZGe<0ba^i1?k>mc+n#$0Ptuu&0ftd`EN!tX`IO%<N&-Cc
zn}{-T&tiW#75*tmYwP{yHd=t|uWL6F#YvOY{3RT`bwK1~s*qn2pTMZ{)AkRtz3OWT
z=QIh-zOSHTsUc3xJ@yFhO$)gI;s_1&-X!UeZi#lB)8gi#R0&wn$fZAQ^AGyIdaej3
z(WCULoX{rIkAF7#pE0GF3DM#!2<py=WP2BCgd``vgZ~_8_Sk20(bNX?lC7OL#~eu(
zxogCuPF9tN@yYr#EL=w8``ey-RCrv#58LW{j9*Wuob-BWYuW4a(JDq4M@aiBZb^}e
zMmaS*_T5s2KR;D_;L9$gs<Z9?H?(LNxVd7nDmDrr1KDOKxh)(CB%&^Vb+B{DpG-eH
zLSoTMYjd9bME*JUTE_Uk&0cgV@Pn;1RPfV6xbnhv6T*+<X7u~^jlXg7y_BB&mE*!u
zkAcFlA3i7B2qB?RPkxNo*bT8VVnoh<r3_lrXYPZ<+tw5i(BNLBH76D!+&H!#S_%6c
za>F)1?^d`)pXOiC2JBVp`JVsk%px7pzu3Af!c90YV1row8s|r&;T}e<k=Ji>AFaB!
zB2l5Pkl8AU5)GW%L6(fn*r%l+>d73E!o&i)#@yDbIOa58?|Rf<dt6>fPEKB}7AVeh
zCUGhjk+mU^^p*COzA#KpE`8)n*b=YyclDu?l)QGx^tGIvILox8xeAlNc>FQ5x+$X3
z$shC1q22sixc~UGep}lWCJE(6cc_6)q7?ZUH!$GKTxNp3x1GWK0+Xio@Tpfk_gwKZ
zeVSL;5!0%E{-I%P;eGtSSYs0V$9A(IJ2qqk%!RJYzrM>pyYURdp#Fcdwt9vf)#;q*
zRIyeZUP_YeTV4)D!2eR79&(iXEES5M6UJ0W+P<m1bTr!ftl+h}ne#W_;C4*9>gvf6
zGHU0zJ}RGGiaDdx_9}Jq#IE_V^&d<%k2+33aZIm8C_FZXzU(I?^E+#{<YLrcUyr_t
zjPd6hlD^n$rGR7cRmT^zg5G-fzjp9?Dx@YWd$a7+5SJM;9#_3d*rijviGBJkS^kx!
zkntm*l=UgloXSJdWbamm;tfm}(xXyls@~W;mkfXP!HN7^V+PVoKnL~IrIbBmtMU`I
z4~QNNx!T_Q5mxdM^`pU<rEqS!7XiWSorLx?%L?Dzd=9>Hb}{U4S;UU~h(f}tR!R*W
z?)jwp``vKJp-NvU_d`_7uy>TBZW&0oZ*vAC<4{&Pr)uyN_4P1)F(HWyE;s)J9DYx%
z9d5nFD6JAY<45hUh?*n+PQMb|9R2RZ<_ZAoICH%^s_ZNAlF*M4gCDi+@?JWM+M}&u
zW&Hd~(KLX#B7SN!yi<sP)u6#1zdGFAfMLcq-$ru%jXbs<^J4;+dAjUjVjKhe4Ru_e
zZw<3dYx>oWal6n_US^HlZbR&WOaRc&9#gZrkv5-om+oOtSG!#93{gd3YKF-%++1yW
zZBy<E(6bZ%Je835(8|;}uk~f&87(rDyiqcyxrgw!Ig3Xz&Sr=a7QiI$_Z8`RL!A-X
zHYN<tsuD>qqUOyY>t%&t;S~GP4|2&=BOfiO)+#jmR3w^58jb!(`!F^bMwwV`B;$u`
z%wKfy{E$%iaw@80-EfIM?~HK}afC$GO*=iRLMtf?%HKBp*nn!>c%bciSaDL@QJIUZ
z!R9s6bi3phxH@>Q9rgZ-q)g60+_u1zZ*U&t#)g(Zev^dM^TK5D`>S7;m0ir2(DTyi
zv+&~Cb8%E9_Go3_jybq^3*wlj*A4h&J2WKpgo~24wrty|oJDhCQ+#XBXIq-pR5|2G
z0NcHdP&<{$dx^d+A(puqadDAfh0FXW&c>ybSy5s}HcO?Ou{LLkk&P8iG2@DZEJ5W5
zUNzg&8X(Saw0n2JOHC+OmF;mkzGCi6|J=JmvxtRpe0ke=y01|{$6WSFfRVsNEQ}~>
zEH)2Tep1PR<=Oe@phKYpwDF>17yWv8`2XR22O+){^+fkP7R@D$qz2Febv^&uRNNf!
zXNFhXVG`!t)bG8u)6SURn&kYM$PN57?S#K82ph{lDE7LZhuE^N1#o@{aaZ<zl$^W7
z5qqJBfWL7{H(3Mv2T|hp$lv0%N4J}kpytwvhrtGlG1js?MQLznpwHqCeC1Hslf1-f
zmWY(glLBuZ*L(Mx=Nl=;n=>tAZtYI0<VjRGWV*<&#ha>ej1V(lR7wdP@#i*^;fNXA
zug@a+UHtJ*hwSGc-Mx>>!RmFztTw)T<b+MlZp`GSd-ZX<4>ExxEPVm;7Y7a~amt;_
zPuR!W&6RGM&@^!1S*QCas~u+#gdcxqx&T3M(=#lyf<=jj04z506Ufn^Aujx2chf?u
z84wVO4d`<!DShgWK|#}HQq#&O&4S^?Vm?k_I>{{F7`?iWWA+AWz5Xd46HVo02#ns-
zcp%))XC5ep^8z*HJ?`}Q4+KN5K-fG<dP_gxBtYSNOf^sDKKqXnr!J9&T(^(SencTi
zrzE5kQ>Awlc5N0%#Q=C+;n(g69OccOJpRoOJkp{zD354O>{kEx&6Q0KZVdPjXh+EU
zGwUDfN)Ghuq4bb{3y|F`u;TzmcT<j<WpZ<3*f24|qOlGI#N+=SNZmBW3){Z5I5lkw
zMAc+$djY#Egp+9l{6<;ne)m5IfJww?-L>(qr9vTeyq0NFxNbQ^TFIlwx+;`8Rboq_
zw*;)n#@dS)kXvM@-3atbat73DJx?G(`(I7h`++RH?IDDwPr6vlbMV98EdtfhrJUjy
z3vt)}6`pX{B-L5Xd|=s9LP_AFxL9()l{?TSkz41+IT4Qz92PI&<PMGdO%a+XlElz5
z{~7&EX8QK9KTmj<1_#1M1sk+i^lg<>(da-Tol7VgZZ8#=fdNUgZkkmfy{Ia66q`_i
z<kw~VuVek9+95pF@1?I=sDz6<*D$9Th+cGEBfm6c*%2V-68Nk|nnY4b#dp@sD8#!x
zSlu}sJPM}N$yF^`1uzni8PAa#PhCypuoxWz{?6T#i!&I>gH5a64E<xwjJ~Qz>9e(p
z_K8jMc`)V<jHB*&72-N6I$TUR2tbOr*x}!}d0HJNkIy@Q6qq(*?o2YqM8TIhSTO&v
zytR%erhzc%txJW@^uW3ayP|vj2jp1sqyX$+e#8wce?wId^YtdbFuO4d6<Zn0pfWXe
zyvdwp+FeHSA1gmyZPDOoVP1)iVBx#*voeZn$v&lizKP7YUS68=GV8L)#;Qp%*2f=f
ztYmhhuv&d}&~LCEwphp#t*5v_HkW17_wnU!ig73i>y1dvZ`m*cv{Gp<M>@0~TeJs8
zm*8Cfndq|f`Sxq$<uQwyxay~SSk71Ch2jys>75>y?G5S66A4-sgPw?P^{fT^0-RJ)
zEZ+|`_9dK`5{%xzjyobHzIce@7|uw^j}mLSGEpst^8cJD7T519<tiqU>Okqvgpp*C
zHdNbUhSxTYdfA(9VfNmzWHkk4nA%}Gb%W6A$ix$s#W_do5JUtagRF%Q{U%Ra<%wF#
zIl}?x&y+di7izWyC=*0V=QOYbh2G1R7mLr&NfsM0>UVShe)#{QZeg^T_w7V|%l__S
z&^RKzVC}A}ogp@r-s_MSj5<(qv3%^6gJj`{%}0&x)%#jB>A`+0H*#%ZbF{8j`vMel
z`WiiJTK-A>rQ$HB)%qKVE~+dA=4>1O9i*u&>FERf*XIZhdz}(hHuP|{Q4ac6BT7us
z-Qnk&HOkSs>*%{q{Wd$z^AxKDQ)@X`g>hFeXMjcBLrWf?aSm%#_JI)AtMXr2<Ve)R
zVcAknrXjnW*iIwgsX%p_>pYG{1?u>4rVtC7)aV_e9p(AT$+?D3S*#~b-8XUyGF*fK
z<!uB7K6@|4<FB0sq+Lo$*xv;5t=%XQs7tj(vn+vnsvAvkHRYxtv&I~oU%N|iTHl{=
zljqZy4c&|tMsyfWVhUfPgka^idR~|e2Bo{LJ0MEU0h@43{;2np3B!^S@B^ErY(?(T
zM4cw+sLHT*WQyMa<lFRTWcLD6r;A>%KWiS>-pkq}3@z6KX4VBs@#Hf73qIi86B7N;
z;5<p>wh)BiKZ)oPNo;;$t`kZ8DeQMH|BP}Q!ivRYyawNTb_01qPWXkPTJx;T{H4c+
zVdAmPoS0l~M#Et<0Es!JNiKSym&e=P>Cy7xA}IbJllWn-D27TUpuq)K(>LWOBkj5(
z!PS<lZC}T#3LQz<PyOfZR%II0IaSpW28po8F@Kq{`*rWa{%Amg(^bf~IUef0SC+Xa
z=bPXkAToLKdg!C2`;6G<H10uu!OZ!)ifRvFjw*_B!yhX1D76)ry`9w4(KGnwo1gFi
zTh@%YiyH*olZRe{CPm9=!2&Jpb9)SQm_k!K#}8+>Uz$A(s!5LAD$ktk{H0PDzGvI#
zeT?Rr=z+UC?Rz@OgmgvL$BK>6Ox0Oi??5JG7uXri7|_A;G*YX89Rs3;!Uh%e8zGF#
zu9iKSQtZBiy2Y*FfhjNTL-wTK^}nQNU48c~FZ=851eTT)I1CrC@jF{<M9>=tVUKDR
zt=qdG7AZ)Nre4Ev!5%6c>-L?$JHt&_ast9W)YdZDPzP)%pQV!b00Y99ddDhPd&=;)
zcg_f{#zPu4PM4j&rn;4Po7?LAKu%r4w%Z9p?mtx0hf`Um7!qt+HMN?Sj4s^e+~gMk
z&Laeu9Fgk--H%Y_Vqi?y{T6&<hv==2BUsO%if`)k9d&;yX4Ua`fTG)Gm`Nox(W<!3
z(e+^SKG>WX;^9a-(uVWTi#b0-KSWw;S&hp14&3WAgG9Duv#btxm2K;p`!Y|YnKh4R
z;RUqE<N6d14UK}hCOPn{x=>|r0RwzJzc%^w=o2JF1sVy3I}lwxfu4rm`kw}<ccNNc
zQM=UJ2B~BXF}nU#tn?`{bjUsLJFzZl>1TO5xvV91fatmtxx#IXK-WcHyLe~=s@MVE
zwr8_pzu(LY)FgW(%Tyr*Z$p|NCI=lKUzJ%(mgF)d=v+zIJhwCR7AH$;)B*)3w8sJ$
zBAHKL$6r(Pd&KPp40Yh5{%NCWL@=}{`p;Z#I7z6SDhbwq)2VZ5yVjiMyYbRHi&hD)
zBFmZu(kI%cl&BYCn>;^f6NZ%nb+W_+)X|d63o>(MiCAxO0t<Gm-E_4!edcoZif{ff
zI>anN(VtyXvh+`8nq`8gc80MS#kuKQCw-y?Z3`Ld&21QCc)<)i$F2$j!^(F=-=9+I
z#0KCZ=u!g?&F5I55N_dpZ|?&%LL>ck5}I9LHFjFartpeMAr;fpBKp@CiZ&1SCHEV8
z?Z~%esG<3(E>vQTj)nGqrHUP%PqE>~xIm`Sb6Sy8)~zz<f}*gNLHx^c-R+0i;UB>^
zVyLPpv)*?q>rZd*=|APRqSPA?Q2&+Ye8(a?E$%p0&yY=v>WO#`5O_j-LwuFVZh3Ec
zITRBLK#@v>w==H~`7X-uot4Q??iDI`bejD>`iw_mH6hmdA)mRHxrbfo|3)buK4XVg
zhW|^gFOIwW6(yS)A=!7mmT|~&U~c2_VG?;F#01K|P(OJPuCc+f;l%_*p3mEwZ=zHM
z*nT*J{_`Li9!a18h<FTSkso_;v;{`SKRLSI_v{_x_1}*4%^G}BAH?yB75CcTbs{&k
z^9c+czK)MeR+|b!)#`3Ri7<y=SDCo8l;sO*Q*3k9>Aa$Z?5U*9v^$FHiUgTB6ZAuI
z!x%2sk7@3lnkn^@L|m1k)c4^K2=I7hovyKYZ%N&{IcsG1;6|Lin?4MPj`N`W{<;?(
zZ6bqX4nl=l#JO!*9$jx^@ZSNHZ7B@ZDE6<2GmIu)->{>4RLi!0yPuXL|Mjb3zZ_bW
zeS)$Tz4t+vpm43uMM{<slB?ybpWM0)Y$nu)@Uz}MM0SjEflWUYn;n3+5u_paZjh^{
z5y|Nbo$y|LP&<`p1-#qWL`<Nx*5O)W{dLPOafPS4!4irA4!_x0gyKaHd9v0^hgd4B
zxnt81ddhVbyz`Tjx>uM=v{&%S`j9A0xlzzOD)Ez9Q@b{{NTNBA)n24GP;a<&Usps1
zUPP@^A}aC3{>a^sCBVn6&@1Xo);)%V;4|fK!WF10eJ_&^ZH{0iuvK9=&dz@lw((D&
zY=mM@@e63A!NRgdcC2GVGFzvr3qm1Vt<LCWcmLME_RoH+qugV#oZF<D`5`GV-YElf
zGV4cv+<C@2<0Bmo;S9dv_k___93woh9;yACrO!?%-eHy;)cxchpB*Z11j*mzNZ<mj
z@QC%>`ijCbV&Of%;971Y+honMWLY!JHt)wi-koK%gQuQtoHd4G<vCSpz|^^R<914$
z$&GXPzxxlWrGmY?^4KJ|A{JmENp#!MNH^1*M69_FzIcs6P1K+)Z595r^)BM9>RRlq
z&tnc<;-_Osq;4OK8Hq6Y`H$TBnlpvixqwnAkUQzQAWRxAkWX@<YbRsjv!=?6P@+q)
zHS5f@sv&p%A?#N<^srt%-xbFeCS0xEm@Crc$#l^6A`fU1IF!zx-HlgTyYg8S4Y(Pd
zD1tY`nubQcw5@r@ktkWw-a)KE@#jAb>`M#w#rUr$^dUir+sMT}p{D1*NOXhkC6qJx
z-MCZgwc4O8U2&I(i7BA4GL)-OGO$VM;is(F{HG0ELc5UOs$LZROZu3wMA(oZz!x}P
zGbtn_)Um_O-S}WQDdp|d4+WcVRrd~ufbA{U>pyy)RSW0c|BOUSZw2knl}Z)ias5^<
zpSO}n4JOCjbU_XUJ;f^`y4SX9^o>l10C`QS0e976P3|q+23J)E<cP({l$@bhE=-pa
zH?*V<etWE!!x)XHvyO))1CEE-cw0RE2v$xH<L`2;l`>7<30c!^MK`ky>a5H6vG*SC
zTfJWL(fGk+|E%XrPnY)zk9)Vni9lwXd4my-1$D+>y8U~cq`*nZq_Fs3Z6llx$RuGO
zut9qa&BeD=v1hH=Grw-Wt1l0BjQtgCXYPNUo=9pzCzveMIkMu=t5oI^iHeE)UrVNt
ze?f$<9J7DL9O522xITFc2L}2)^9WFp%YSj;&~2WCRpBJ1YE-KPkPCboBG!13ZT`Mc
z`PB5HH=?sjod3YLE#_ikG$Y>*D;zes#25E1-m?T_oj(D-b@!huoxjyWFCH6hlnJ7|
zRm8rO$2BA~2vZ!^&g<px-Nok0jFgT5w#+Zlj+<L_^6L5~yhOj8jekM|`F(VTlsjcW
zp#}<h)Xd=6X85Qqx@2Bx7I_QwNXvsp-tSSv1DXwu^U8U`a8=NK@$Bz7C3x?2&I&e;
zc6dBwb-ph8(T7v-NY6-)YSD{6?fwQifbBP8u@T?)+eR8R%X=k2D?fv!5dsEuRR)*=
z9A{Z}nO<VDf{@=@Cub)>5bfezIZwACdKJf=<#`7_Ue2cXle=z3MB$Jch0LHS?*VFg
z^^rJ|+yrYA2TZY#Bj!8$ZkmViYNDxNR6XnSYu*FE`IyZw=l^i^7EEzP+qx+3t_{Hn
z?gR_&?hb**9fBq_?(XjHZo%Ce4K6`~6Wp!w%RaB_-F<G2Kd`FSoO9SGW>SPlR4Ne~
z&(5J)R$#2iaui%+SU0hLZ+dz1?^Q;dk%&)ecE^hFzpOK9K=fSp&MZ|j2JS|^#I?%|
z6JZe#;tKtD!AAP_Tk(tj+aDfy1Fq_H;;VL#GWpKo6IRtzi>-;9JKub;5+7>#P`+f4
z1m};pkRHJ*8W5^yPwbz@{5ZQ|f&!a`FkQlOH6>A$x{x9}bXAG7hV@4Y9-${Eoanze
zsiaO~T6p;UXx6oZVKN3wYcl#+F(;%P1hNLfaFB`$bSAgtf+#TYJM@Go%$y491dQn)
zBJw3i)h!6dj4Qe+rI=XXn1rRmpJiSJM<*cg630?&Bvs98c#YC(<5Xc5A-WrM(=6E;
zqy5H;$@iGGgRtl%e+PV&{%tiFBpB62y1uTPS3B1Ye1U$baxfsfImPnK!@v6DIL6(!
zmG=1o+kn1Fl<8gt*dU%|<-VcfpOxw=R+>NbA^#s6L_MNuyr-AraVbB6$LI>|YAA=6
zy0ap_P%+y1y6x0h<Yo7Z(HL7a47VK#)`f#MCnOq@y9dtRi^+8qaPjNyD)&S}K!BT7
ziuy49PL3Hl!l55PKoUy}vKnl-mlvEH@l3uGKE#m1VICYUuLv|j`_GCA(uOnoY@~km
zTQvghhtjqG_MB$wf!8C94E`o4;uiC~RE+_)1lNM_NT<V19!{Uw;RSB}uTU>c9+Vu9
z12KsvQ)7mfp#Pis*h-Df6P$A5#h&dS!4faMZb@yFggn&+XhT}dy^z3M>J8L~MYg2h
z7w;MusZj&f?Ylo1{0M(h7*wRIvFk7)CPnbeRkqg>Vhx~2V-6F|XE3*S_gP5zC$ie#
zf3{lfpz<aS5J~Q!Z)h;y@VF*q5^~S;5&60x+&~|+&AVX}fM_E{Qf=-s8Y*u`;NVjD
z?>5uf1qRX<_{`2S+ecK04w{$8(qWEZR4K6|ff^sv$Q$RrKA$K5wR|1=@Yk^W{mfkK
znU(xRh&82m$aJI3wpnGZ1z%Y7?>${KzBc{!wylGqi$ceMB^;U7hXttcf&uNbs{F}c
zLJ_4F@^`(|)!y<8-950u2)-z>Od-`GSm6rrU%bfwJX0GAFu&bOBM>V255h;=MlQVM
zAdc<oq|n{cd!m%tq1LXroRwdCbLSDg?#;TWhyQWwsT5kz@@gw3x?4DuBav5%>C>J(
z*5tqX&TuB(B4gebhVASVwtGq^1nr=v#oeqTBAf`YAl=D0(4O6y)#-7GwU$gfD;&WN
zQ*KEQGtqVFUNI6>3(g?gClk4wvv?%E0;8n3HpP>yHon@DxIGa$gpT(G66+bmzlx_0
zet`Ls^L6iJw3owCn%2;k`bgQ>hf1PVc?c>_tD?C%Sf%D`97L^HbjY)Jw9q`YH)Ll!
zDTfzW7}j};A?QqJv03NC=v?D$QgBkiv)`?ta4E>F_zSQGsN#JX^1Ain(SGUct|l|-
zs+KK)#G)!+n>ddMS9|Kx?C{oAO2YlT+&62J)!?>h|Dbqm1#|p?{bqs}jsF!%07sJO
zK)Xd=Z&xUz845<>3v;DUUsmC)k>OtxG+X*iF1IdYe<|1#CQ6mgEG-Y0V0*sRD_Aqt
zp_;qY!=~1Yo|I|1PqZ*7Z7rmq*Mc~@=-Z392B_u<O6e69sf#z3FvrkUGi9UhuCMm8
zX0A0qOPq7JMg5I8b%PzwImg$PPcv+?#8Dy8sCC18wH$7*MNf7-?-XZ~&X$h2wEQb+
zpX<*=M5Mir%=cvyBSu{P?I@V@G?V%DVpI2S0CW9Td-<vl8KGyDUriuB{=G-0rC>=1
z!9(K_D`ULcVBuJDvP`)}da*E<n}yXF)2=n*nsQM7Kx;+9ZA>yg;<?3x(B!XnO*HuT
z4W~=$>Dj8m12H%wBkv<Iru0p4*O8O6xIz(ykBge?7822Cd5z`PnlNiMK=%1-2eiI&
zf8~tUG`27Z+=w(Ztm|>N6`QhZ-IxDHX=4ONHoK(yi^D5Cf_t+sQDAp|N9lTQNC0m^
zgW~9n&bIpdHODTirR!kBXHuf7kKbjSL5d6rz&Q2w^D>&ADhe5cd8Hb-+#4K93YsJt
zY@(sakV*>%u(%1&?H=p78ww}q#+V2H55+D?ev9g%115{G(J?cFUeWdMK}s#X`!dh(
zm?aAGl9-uF_iK3*e!AQdotK${SPY$<(CE@+9>A|Y8I~NYg$j$_6xr>D`YD6pmXRbC
zL46`#Yn`*t*AhU=&n1ZY<Si*%guPE;iULhjT#;(bOzyefWnVMyofcc6fa?Uj-x;Qa
zyEEH7R!GkNt&o{0(oUNSTN`yLeYq?}!@sr)p>WO(q4#Os)UyfCGE447ya28|H3#7m
zg2hPr7`ZItQG6NlYX*Z}?qwSLrr=a`FGV|*l9oyEay*c%|CBWYrEhDSA6K=TbQaQF
zZ`5}-Up+Zni+`s^bQ<cuzrCM!Ke`yoCH`}7NTA4Acd0sNjghuAy9on|UcAF4Dq8AW
zN(&vI>o>Y=qu@LjUOcpWW%CgdQb55NTWZ5Oso0bCNM*CUfPy~<Tk#gvRlZ6o7W-H2
z2`-z%*OvM%CM>a~=4q3UA9|I)M!3H}8FlmCR6Na-w-H$ehOLCIM5GFg^wR@~|2rV|
z=$GLOv}zvb;fMt$kXQTPZ(yvwpo2=8X`a`y!COXu?-$Ecc5lIgQ%)A@3b`vf&hKw(
z&+&~zj7f|4E(=4=*~u;gpNfB>y;vOD5l`CorlZ7;Sfom(_J-5-yx)5+=jvc`n{?Og
z2j|rug%~Rs+~}1LR6za-7>QKT#nEaVNgsa4NsSH))GEitVBoQsF>bd?wHj7f-k1R}
zTiD06d)#7QOP@SqH)FBmk=yQ&Q$qoJFU*npP~FVX1wn6xf7PkzpBc`)A7#xYAIYe@
z%7EHguhtwd=etBG4Z$4arUNCjQB>ewjKujPc2+@L6}G$v5?7GLCswF+f1dBlyW@=%
z5-eRRGNK$ETlkRm(0$!|04!viL&1trFg~EyYK5)tvO;_g5XDj0wV1ea(TsP~gVqef
zty737t%9u&o?$|^S_`Q5;}2$?bq3w<WXO<r&#KRbadQ4yBWzpp%=ItTf-{6@MsEjo
z+w`_3IIc-^3_`7O$xa~slNuwi3k=wwyW*49MsH=nqsCX^4uBHwD|Qa)kHTaH*hQN~
zKL%^yQTK}l)JF0i%e%)Yp?pgReV0n3O-(;-R6aKTjeA1a@lU@#++u_q2w}HyHJb-J
zqKO{BgijL4e*Rim5l-j<Mj%Jta<F!s__0WF8Z$6_R(>?Cd);Hhglz_6cApu20rD4#
zPxEAcj>%r?#+dz(S;@js7EpMsf#>4FEUhcN;dbS7(WVrvQu9b|;)T#o*bq`}t#idH
z|J(MKGxECQ0!=#7hQHvNF*{G;+%W4*BVw`8w}UCvCKN16aQJetLgxcGj#ZrtN-!=3
zLCjUbaZUiQQ-vw@GlSl8SbKsg{9=;C&<{{z+_}RiwXbm!BVR31u)F$dxmAxUySf3K
z6~Y>oZmJk!fSXVJ%ewnP-Qm4nSGo$qc2X#Y(@Q@bcDZUxa@#i)`DlgvHIMgwJIh|D
z+NXy{_zV!;?(<bXv-a6<wC1qKE;J$(wm!`<tC2UC<o+Q2k%xLJ=)L)~I1C{a;am%r
z(D3k>Yw2#*@q@7)m!M;Pc0Dkr6d^97aKv1yXNV}f>F1CAnwsI{+n)U_J_6#f`^t24
z5<UFmHsM2>Km6|IcVc94rT1Sb1!2>79D>Wk_3+URIoY0>p6|yzGg&P%1$&9JO0D0~
z9G?B&3CCa+0jRuWJ~XjhH6;h67mHN}CUy*%I^^g6UTR<Juty-2G0di!f222ahI<6P
zMcy9Y7cSltW^ZE7QyORjP2{I9jUZb~NAk=QSRSI4r8`R)+6$Y4oBdfQsB{_fxXaUf
z$<DbFgikz%SC601VECRi^@<e9lD{tEjE!6vd5qcdgM2i|>3Uv@qI+%2teo_Nb`@`g
z$STQN)rjE{+Hxf54FwBn0Q+UmIt_x!aX&ZNgkMhHd;YxMym#}N8vVOnz|h@`!74BH
zPKg6q8~;~q-E+rJONac4qqrjBMC&a{_KQ#d-n&A5I7h+gQ;|;C^y4+1WCV0Cu5iUE
z7PCzVyR(*~@yP%*v|Q8#m>CpcBTvZYfOAy69{eeMyr$~zUFstrN9gC(Om|VG<n>-#
zBZ9npQF^#Wkizz*3m?FX$3zN>I$MhlGGbR|nCp*G-?35vNB`-)4iGfqwfJS2CZ>u7
zVBY4=YIWlbKTU;3DiBfI@EU0psks*#!o{mANAE^kp@34|b{R;A?Y-W6p(=#q2h0Af
z_FXkYRwPQiVicHB&s41ZRJ#gTelhNm#E85{S%iDVCHl^eWtu%a<1dB?3(NjOl5O42
zm~$+yd2>uCxF{MW=X+@~WL9T%|8E%eWlJ?w>#p}f>1S1hdpwn^+R46^_xUK)v~aKA
zpQNxxv_)p>SZL@X3=YadGSreirXg!7qnB82Z4Tvpg=lV2&HQv8hFC;V44H7=FS@eS
zLSM=p&lP(uu!7@INnRg1to(jlIE|8f3Ar#p6xiE_aH$9r>5qv4lYb2|x^5WO@OZ(&
z9q@t-y^=|f*`xY>VGcN9jpI0%5<_$KiSV6iTLOf-ckMVp79j>Cw>Y(1@_dEwDe*4-
zN`9fszl6oqgnhp%Yv)@_(W^rHK0zVgeXBg~*I%vYm&N<EK?my%pssl*a>L5c3BqA9
zv@l{1O(Skiz<@n5%UK2`HGRG+E|7&0Nis=&G%yiedXU`v>SAQ_ZVtv?ZnH}&5#z>*
zXj6ydrf;c~7RDjTnG0}@!6(ANca1?sg04mpx6U5=yhTLh7Pm#R6$E`QvHnHA?CeG9
zab4K?;Ye#wxD0K*2YhT?!EfrkJg+8b;vIJIq39%qJzPDPufoo3m0eX)rI3E*F)2gR
zfzc>G)KeP)x=G9Z9mRPV+!&jpP#;@qfv#KhRdn{N0-tAv6>Yc7f3hSb#yUS|Xh+9J
zWJr;t`JgUAZQ28~YxieJ3H<&`Qcn@ov1zqR7RgW&4+q<~v6!S^6UR_GrD-(t3x6xn
zXnkK{tJ4k-zEPv@T=pOr`@%@a-ZauNv%kz46CI_bPZRonM=oYT+m)S0JpY8kq+09F
z#1hl>zUxP5=SjsU02F*Hd++))x6y0INvzM~_h-0?A4yxVx4p}0gG*Xwk!Nn^{?8cS
z6!Kr#J2aQu?G&MJEAu~9x^|Doh2}hYmRGc2%>}ot3shPMqHxi@2UZ~JOqE$EJ0_DM
zxPR@fP(rGAB)2+B+*0luBGf2O<q7}NFRAUGYAVo>_xg21Ku<<5Q!l3??`%<FM(;PK
zuiIuq(Nz`1v#|$*OL=6UwzMcn5pkALh1nYAa;eWgOwXLiE+^^9Fo$=;{9ZS2pGC}X
zU&kimzL2qGHAf2m665#9x8RotJO9@^VQjsH!L@~0=n4wke#n;h9f4Pv&Q5WtllTib
z$}3Tz)>4`re7MyBC$)m;ZOO%m^xtlO<9@>9U^I0y^%IZoyC1y^5@9pj@%O_b_>yAp
zAtZPrMyApU>!G}p(9!%jJ0a-U_(JP#eWZcFdH>-I)=h!Mh6Gl!g9O>Uo--Ds#Yj>|
z^ox4V?s0F}Z`vZ8ccpFEwp$9?U1k0v)4-PPB&iH`M`C-e7(02m)_m0q-4q!eBn}!|
z0!smVNn6A}6Mya>+2c*x24VMVk(+3iPLHduWJ2YY$2;F^gzlH>@!z&bzp*t((?6S<
z77rh?!#_yo2`$rXeL(&9A>{}h8*^2<2vE1-?i>n0vps>uC>^ehdd;=)enrwoGeC0x
zx6l=xx!rFuOqUIx>tlMLko96n!PXzhX%9Sp_ClHW<Rz?!#J)Orj2aa*p5%h78UFfT
znJ}O=Onw|ZGels^=J?^n+!DayvNDhDX5E!*`-{rBc$#ZyN#r9|(5tOZXe?=>@sD+j
zV#aO0JCDf`7(lE&l7jDV<RfK;+hxNLU`V|jB9=z1Z$$gXR?P%Ncrl$vlq8Uam>$b;
zsM5J2*A?c%CfcdvR1%5?9Y3vlYljyTs<N0a@$8?IA*%`Lkw1__*u}x8wqY7Xu{p)Y
z0fqU-t^S>ldQGj(dG5MIRw%LOg0jQy={{ec?$;JTCfY$5Zw0)ThH4o~q}&=AiCjog
zM;<iTIOFz_b=9Jkf8)R~IFPbUU~bX$FTzVqLc!0f`;+^^(Pjb$qXqn;2LZyHpZ(Kf
zOL$Fhqkt=++b4A`5+nEFYBiU?Rr!->nj&dnT9ZR0M+Hi@kR;gmlL_9v(+3%GPFqif
z4%yl_WYz|-B>B?fZm~ylg+nWZPTNzr71ZPLtA>&C=AgziLl{*jAxjsN3PN6EgoMBQ
zWGp{U^OjC&0DqWClw0md2jOGxfJaR$vtf#sL`UcMBqh+N2EO+n@7FiAb%+afDBs&E
zcOor@Wt`AtFj&NtyO5Z3(RYg|oAUfEWL<dr{?Za(LB)~iB$SvSS$3SJ$!e#;IqZpI
zCd(rN8KP8Z)HIjlpu!quA#AH57zTtT2j*NttA0Q8n}(8}<9}iC8_Jo_0+Q3{6=*Ns
zKSUmgb5FaC1fO>O^gk+PnKSHXNebKYFcM4nJ}cOIQ!i}Z3|!~wn@B31!4YQj0BX0A
znUg7-tI8YyMK+Ahx3)j8Ykp1J50`hFv_*A$^rR1GuqHSLQk_Sm!9UW!Y~0L)g&nR*
zelq#5Gb4k%>1*0N80=1$zba*+tPHFO8{XXjvZ)qyKa*oUNh%I263`C|w=+L83)R@9
zlqL<n4&S%Fn>0K^n7S|Q+f}+(V{=WW9}cojC%7|dXCupohEN5EzKZLWvh;!k_-}zd
z<nPyhEW)O@J`W1^Rt0Z4#zmwceW%8W*2ska?q~qSZRqHGgUaudu==?tjrIUvM~UfP
zc#_vIRwYaX?+5?#xka^=*IWDdY@lL_q5}wVR;uiieHdUVz&Q5+p~TsUea449i$R=D
zjwew56e0W7wmUXtd)ZntgyJ<5rpM6Zq{}moQVSTK2?d_`God(vW%?Alk1y`vvHc~I
zeamB=cfHV+4q8eSkHhqdIPoyVhl*ooyX5(1jpftq3~C3aS<xr0n^=LAGWGav_J=Z`
zn>STp2Vztjr|)X#((`;_4IZbSv-Vk^_%mb}6+P4(&5YU4#_X3+K|0!2op>>h9bO`|
z2>%i$^@RjWZ_L$gN$L|A5JO2uN@3KetVI2z9~<(SY;4Yars#qL%DaXm^kLWTXd8>o
zVy0h(TY4!L?ud9^5z@5BmTTm#c&U7CMlo#syBJDP1;Mx^W(1IoQZ0<45+!%?Am+ul
zD-}(d)1ZO`7@l3QAc0|vn895)gP0nK;IJ|0yoo;z&9@x6F2zr}APG}M2JB)5mD~n#
zkUzb#a38Hu8G2J<g6UFg-{f+CX7>V$2l>(ji<sUj)pmg6tZH2zEeFl@$-tu+*^|ry
z1@srN%LXwukMF0#OhX0)@?|nGpkr?r3IwI0DC%Y%*=}AA8ONTvU2P8kJYLx%pV%y%
zQvaQs7AcOKHg`*@&eh=!8>$%^SFN}yc>Ejs@bPD(LPt0`JWZL7MH#&h3N1VMF+Hq1
z9a;ETm0g2sbz>ZRk2GuQpH!ha)6-DO8{QehG7fIe04j#83dOK&^fsWkL)dQ810J0=
zZz{wV7azB_FN*Q%{_oP=pQ_K^C0giilvgsa6;}G5(Jb5N&MaDgzY~b#4BjS|mlP@r
z>LXlD3WaDP{y`+JGra#%Hf!I0u!qLARi4f@{YlW*_+@_t(FSUkyZ|NNnqwe_dj^5m
zOqYD!7-B)CW5$~s`aRl%i{zsOY2!wB+TPtcQZNSIeL(#-Tu7tYiK0NOv%~XR>nuoI
zxyDT)k$t~0A>j_9E@s!zE9Cvav*+uqG6e!%+4UH<@_xkq%karj9CanG{sbo$<=wJJ
z780K*hSy<@OZ$Yt>G+Z-)g8vMn2Y&FcLbvoMaVf#Un^X`-R&~Eg575B#Ol9rEgAy-
zpAVuB8S_CxM1dmXkWOlq*>|yxUbekgCNs*IghfajZUKNA<1tGx*^f&11&A1pyLu?f
zJlt|sf`ZmF(kZZtc|S6on_9Z@{`^kIHcL)O_q>X`G$AnJ!THI~m_9p#KR!v1G~Nd6
zv#g`BIY|9tV!od%cw{nwf`(&$dXvrpC85T15OQ6GU|bO49sO}l$vmr(4>S@>l0~{w
z6JC1tWdOGvZ^EFfoTr-tT207PDhDMTz&{1Gi$qMmoX@4n%&gtIisvyL@TPf?XKqDg
zd*uX?_JIt(cmA30=_yvhyz{13aXtCfk60qQjP!dnZgQsYzr)amBG>=;D}8QzJ~vvg
zd&!j%@<tSyz;3}UCoK{4Y)7aP<{2kxxSh+Af^Zca^;YS<g^3Lqx0}m&eW(pG(HRoc
z3s~QIo+1gSz?Kjk)M2;4sHI*)O?EPodCr&H9A0B*-yOSE#a#m}e21NE%-#_Io(A`^
zd5PEEcVSVq8u3KVunZ4d7F2bakzR%`qAZ%!FTAyaD!=!xJ#Y?JW5KEP6$ZyXGox0Q
z!+vE)GOqW2z7j<MOAsYC52Xk~a}d-<#BPSHyKmtDNyDlA4Ii0{9MdKJ=yvIVLx>~#
zFii-EJ}~PGZSnN6%S;fAI3bps8f1?ypM;uJxLAbwD%~&&^Al9g7_va~;(W2(G{MiN
zM_Semr*sMwyK>#`<=y$s8#fhT?H10|0sONNnGZ1+oai#@Gt3t<N2{^v>&fZ7Y}=Rb
z!RuTELauCZztEN4xPl54IL#+!AV378=&@5&uWYb1)H)pAgcuAlcf%v<v_~|F-^)|O
z2-?IZF-l*sdlrp>5IXRJLv!cHBqCrV@7|O(m_a|Si(LvCtN|XytefK6!0`4BBjtp^
z$MXEM!q-p`-0;*^OkMA)PWt(N=wEgn@MNsw^GzBAh4NO}<)m!vEs<wsl_?ttm9q~e
z&Lq~ZVq7Z69R+SGs?zs4{FUjHvk!|276x0Den%0`6z$~BrLmF}W^#@2ruwUvr=h2n
z@I<{sJOHr5yx7=XKF)5|vP{iOdR)&gxryizSDsheVLua-Cg1<D1+%k=7R^*&8m^Zl
zialHjhuGnM4UJg!1@Ol$NVju3L1{@APH9-)SoWZZTG-a3a*;#6w-3&MMl`V>Kc#&Q
zpicQJI1D-vEW-OrW<A-I0)=3F{y?{mx;R&si*XL`{|sfC1`n@UHjz;mmOZbO!kCvc
zFah$+rWRTjE&mCWR_2xbFeK0ibE1hHh)IwA=V;f-!2YPnjwUkzaCjfK>tmA0AM01!
zv9RGA=>E-TP3^1vL#VZ?`EBP#PZRb>JzikY^&0BGar&qhQ07>n7pnN9Fts)BC8Y%x
z+eBkB34LJ$>RX^gNGsiF410f=xtwp6NP<y|dbWjx0Vzk{Z*v(yl-Q(@I{L!<ez##;
zv;bT$c9@PG9A-Z`vvV5e2K_%nOrqh9vF#njD&CxiW+<=`QDB_NIde;IQdxO)?<ajm
z0BpU1>>VsQ3$9}ld90?izix>ff16Y8Pqk#;?sUq(&*tI6EAMT5sn9o~8{N+$?^%8$
z<QwD0ZE0Qub3_%p#NTXHI5S4e%W{~rqu_#=;qvk#890Gp-@B5^t6;F%YKIdn21>FH
zn&6{g+Us`xxWCI+CqnoSn;E&36|}GIxkv>lRp_@^Vi(gFzQEJt-G<#b$5$`6%RGW_
z)4fT&4>}vL5XI?$?+Sjzn7YB!5FaG6=#FctvOgLdQbVJJ4fAFCDN5kKyMNs`k~}WL
z-h22|Maa6}zY6(qdzcxTf1;Kr32+-Q+>;jMV*jsjVj?cL%93nJ&XI+PSpj_MLSA|_
zX8#h7rU&f}G^qcEgF>5LzOpBUS0i9kUr5kzb^h*f^?D=26K=xZZ+Gq{BdyRAzn~DD
zdxn3!y*cKo`7_4Oqx?JOZG-p8jw~>R@ojstwi}a!bLX|Qp`aV}&NPfJ8%Syn2xzh<
zzrnNauZyj<k^Ii|!4x2wZO+XvPva;ztzY-8XWgX-_F@u<jJaY`-!rf+_6?GWfnLb)
zzAkEt>U5Ql3~}d{Fl)TLM#)5#>4R~FhP>h%DzF8EyNtsLd!tiEu)@XSeXKWaMD)?}
z?$Pj}trgvDgy5a1vdlQ5C<9)tuILA`CUPqq!psLOG!}3p%dUbQEl{vPP|6L|<D!&1
z-#&ff47XkR=27ocB9tU@>JaYk0f2^5luV^gVi9M3ck8=xH=6jin=^4?$1-f_byOI1
z_!UQfwj6aKXf%NnOhb*1;1PZJ>`-U^WJdPX<*^t5Sec>Q4KC5^^=WaCKr};y8pLDd
zWD>tDLZM+_HC;b2L+!0*>sRrf)W|Olt~=%yeBDMcv+&XJyew9`t+`9&Bf>Re4%dS;
z<L#{2jAu)SUS8Vqvr}AV)LYV>R|yR(D<A?k4>g?B=oiTHN~)IlD?fd=uqvpqY2S9~
z(YJsNh05)D={kLA93U#PP1;&~+AwR|svK<pb}(sx`1R+co#>bI?ljh*Doi7Bz-+Oj
zRlhghmmy~#5ky`)$<ozHCei8X<_!8oY*(S#R}2-`7y&=gz%W}oeAWIjlGd;g#&U_y
zlR1WEGqh4rblUcEjmsn+!p-haEf<w5MzJmG4}ZgNoIsJe?vm8*ho`q%WW(%T&0(@2
zL-=@rcRTHqhvX3iw??b4Bpzc#_MTYwuPfEB&o(wG2gDv+IX2e|9=x#h&|X|j6P8fa
zUp~&T(+KgFKEM%8{xN&0eH?bHW6DCxd)+G)JlA%6PbfR(#UU#|Gj2TkR>jk1Dq490
zN73ZE0gt!AJkw<*wL%+p{6cbgz=I4eB5!ufqN2+C^I2S+Iv$b_xJAME|Fr-f7nc;S
z17T04Nt_UXmN_jCSQHxeS#%cqWcOQN9_bKBut9t$j`dB_qO+{N=L*g6an5>d4BrBY
zg`*UU=UTBPf*Q)aehJNuF}0;<z(uF)-yl=}Er<@GLnL>|7Vv&O7`}gapWo@{1-<te
zR68EsICTqzj#wWfllm_MnkJ7>G0vYWaS{K8@VQ01(*s8Vpou?TkYmTFq8uF_xGHs*
za4T>TaoBeo6&38DwJ?v44->tuz#ID7pQB>>A6`bL;9B3SSp+ucg_JG@zQ)bp8Yef$
zewR4mOlN_7)%3@<MM_0cA6860#zz{&;0n;f&EQom+WxawR8gGcp2hRv&X^x0j}Wu>
zmE2;cOoaT<C;2P6Pxarp{i<85%{X=wLwHOp?`mlgTN2Wq$4<ex_o!6dwEl-0u(qeI
z$}26<>MW$nZL5vbl_h%pzpI{^z8agpI2V#*ce0yHh)`Y9rlH*XAGwZcHq?oxrcK0D
zCQFYv<}^Sq&v^5}_k;brs)KvFO#8RD;TGEZypY*Fdl_JmV%ISZoJ76;^*9*Vigj)?
zNC)!3vr=yXqJoSD@`rnV`K4SDs!*inS-3op@z^&opL^`Gapx{TrFj(Z-HTsl3hGE7
z))1Or#gxr`@i6pZ3W7}Vdhx7tLjR89b4tbj0EodXfkyhC?Q|4yd*^`t0Onqgd#9@u
zx8KFWp%?d3Jw~!H*iY4YY5W8jf|Ty}dpV4QYzixdYoLgBe-Nh>T<?sT_}kSW%T3=~
z(Jg%4tZxQv%+_)96HK)ZJ%U6ul%fQP*KE{yS|05P#C$<Mj;aVl@!?)LN9`h$&-t{O
zBnI=Z2u{$~s8>YyWqyMCqR3VVp*+jOp!5_E4t*y-Yy*%4dg@8kseT~U?&UEYfP(Ou
zv-2|~01Q)vKOD3wZo_9EGNRYMWpPGU;M9#;H;LzgbHbBSJ?5Z$el^<2wDYBdDiXuD
z)qh#TiUn)&nRsaK>zQ(cesaXK?={l5zndimzxfMx2^3;dk<<LhHtkCb+OHC)+}cIE
z4adgtJ|qCt>*~+~Xcn1Gp~1b|s8pt0W%uTAUr-spDBid0Xv{R5X_)m-tbNf%i?10C
zq$X~!ugl$jJ5^-2>mKmiLG>JyHPSr_Q~;A`>0gD?n)+-|enaItzp2?d$DvHW5?Hx1
zvJImqY#rhhIR3VnadQ+e8ZncA0W+D%P%0`?YbB$<n)f=If%1)vKIuN~2+`ptAC-1O
z;Kn5WL6x;9H7k49m1xWNroL#c5Z0!ve?{5<gqq3PN$56Axr3hN1X_vv6%oabP1t;v
zdsac{20M()c8d&&WkfHhgqpt$I$675ZYUvk%uy+K{3HT-uEI}nv~oNAKWiOdZsHI2
z;9xlU%TO|Fw6Od97Ll~kaXX`{pMW3hv*3dT1#7j&bJxs2^dB8$>5A4AtfYB0=uTNp
zi6M6CM0M=ma=GzR`>B-Yi=$kaqjiZ~*&)oc8`F18<`EO*xBt@5=?D{_Z3dY05piCM
z{mhq}h6bKDDo+_3%g$eN&HkDQYOW2fZ8#>E-F}BdbiG6ONqn_<MI6?p0!Z{c5vY7S
zd!Bf^9_e)4cX$rEe|h!2+B)$A3cmbP(PxFkT|@Z}OxV2ye>yeclSBx?HxpnSQb0Pk
zA63bKm^N1jVe(w=Y<pcEv+)p<O&EJL_MUjMp+>(=dJ&`j6{!%}Rfh5553du3(P6Wz
zD5alkaH_fh{n_q0{g}sHB9d6QxCs>Gjiu~v?v7w8dVKdnn*m2F$J8YU^3HPGJZX;Y
z2+a<oDdXjSIOk0L%42<ve7G2_dsljWEE^t7d;g5NbwT(ElgvZJSO_nYf7i^jlqX^6
zuWr*D^>W<y9QK4FdC#+rGvv7L`u6o^NA}f&c@?OgeUtB22r8`t(xp;|*aXX%{_lBk
zDtG-$Hg22*)xa0+9zq6QwBFY02cs_?`!X}ay@Ehtny~GY{PeJ&ja`y_HE6lgS)P=S
z@<4t+$WsD(3cx#K(w8pHa6XNrg!j#~zS<)U90cVd6OM3|*!PTxAb{oz@VkOo5NW1@
zeHzg*nM3q(2NrdmUq0!0U04Tyr&KErj{H257?FmJHV0tV!^wDcx{9^v6}um_dzswh
z#!>!u1aBZ5a_8G<>G&73Q~z3zzYi%^to`26{(_sK?gu(hOLfEx6{rFtna|yi)f;bF
zlxQJ_M-}eylanLZlb}UYQ!&qfxqoayOZ^tbLi;a?^{x-zNwU~b`Vl_Bb5zEzM02YP
zvq0u4TgZ2IUuBK~YzI!0l@>5pl9Yry3Gu{%VXiyC<n(PC;h6Z+WX1U!jLpcJx)S!K
zRwE89$1iLNv9Ow+pbXpAF+v-J6^!zd`HUY)K5{8R)G>z%`x}+Ww|9O78gzKo(6^93
zZ?$uDMcW{)P?k2uyO%p37N*z9NDnrsLKBrlg7%9<!EMFv%TZ}tBJq9zP&fjUEbDGk
zd1e?(S+_EGUKYb}zDysXUMX?aLYW$m;@M9t70<c?-s}u2nI<!zi$`-Db-CRMvJOmN
zP&7RWP}dtNFbBK#D#zm+_j_ciJoJaXrl-q}(U}Yl<qZ3rr;bMu5y{+ho!}L60~EqN
zpOg>!6|PS7!5fDL^MWp(#$T35S*uR^zJEa;Yv)s&YZ~}-u*+IEI%9|<Bx%jO<@wV|
zz)e<<Qy%SOMQ0`?nmppD9e2pXwWYieAZHofb99D!JktyPJ!r0v<D)FO)Fa+9m~2v)
z6Zw4vb6nzQvCg-#rg!>&$ri=iSMB(;vM~MW$KcO33xwd&caoPa2CoD(Q_iK+iEx}0
zXbJs_Zz#s&OkLzpW2MY9X=!B7Rk>uOEKB60Crv{3vbKB9<$O&9#plfosAS=Z`>LV&
zok=B!M%=6`K_wO6=$A(_^`AiR2Yxyt*`uyky%r+iLG9bGZrWqHLPM}z2&^#?xG@p1
zchpb6Ue3i1&0B``{zb0w^#xtF)g9{0otsj}RX@pw__C>8Ycd6eEdT3yI?X}%K<s^4
zGd-!QBm5MX$Hqe@^vzz__ZSpZ64Xj|Or+^)({cC%CIn?`u`8s@ljAV=wD$ob{08xL
zE~W|4BY=Ponn%Wtpb?B%Bw`xk<)Y?F%$$zPxcpuYOmbNpb;8905X8kI&0mBQp<NG*
z-gM5Cp4s?g^v?Ose=+XX!!+?Rl5MNJ`gyi78JsFrTdaA1pJ#^f*dt+CFtO*d6|&?2
zxVN0<Fr8(w?OMdDKwsCEM_TFpTA?AT&z~>+?$muCrVV$uC&T}AHV+@xCq$btFIT~C
zzxh?NaK`oz@M<yj6Tf*u$oxRNo3pj19>h(GyaxgkVb6L9pc9&>#<7^#c%%1{q)Aow
zf&X2>2-)T5ntAX=+_JxHxDvkTk3K$fWmK4`VQ%T{C;YscNCr}Y;<hX}qjej4w=xCA
z^Mv%jy&SF4-9HH>(tQRSr49=Hqtv&F?!6iq-~d8xHH21@*S{tfa%QR)SzWvqnR(d?
z8xxHpu0E@9TyU!_{kh=*IxXEu6^@k%E)ZX9Up*poZMzeZ4xDH|VO1@K0jzMyF!!$y
zy(t|R4OzIo2ckYZJ%tqT-Olj2e7%#;XBZygTsJlL4qC2@ZUu<8HY4tYV&!-QiWs9J
ze$AXGkRVWaI3IO-Q6?MY(OkXEnyEw-#?VVuyLBE7j^xlZy&S$-3YA|f-WQ>27H7hL
za!WD9g4L&@|EVoI3l03ey-h0Zc0cIz;Oyh<^x2HH{<01ssSJ{hU=42yh-UP<&h>5m
zG$CZxXGv0nss>V_BS#N$qJuF#<j8%%P}%SI*|KQD<YKjxGtPuQpTQX~VGN(aHw<;&
zO+Z^^TSz;^y|D31ukEn#nX46#Ybi-FmJ@hddm(TF|3Yl(*8mb}Ri@~gSHqw2AqFsv
zi*j+SrxMT*9-a&0eay1u;H<;e`>l3q)`IaE6dH0?a008H5Bm%dU)N;`1~PCe<3kOf
z3^;4uwJk7t8#I_DtEWb+TMPR8xId#Fk<$2Z3&?DLNA)bFlUMT5m@TRB4|{*=#CriU
zvaB#($@A@0UnCM<Yyb9yimT`;ERt#TJ(ZYBpYN5BJe1#6J@e^3#BOz?80iec+Gr@)
zB`dZnNb&2Jyh_^nnH}yP<0BkslHn@McmuBy%M7O+!M98;A`m!v5RH>P@-+O)b1VO2
zwyF)1zD<;&z^&RLk#QexGO(sV`|tBn`%=wtd#2iddU_{J;w?Obo<Gi%!>T1dvRA2s
zOTHD%CB)0B&^KM%CpK3)NY~!~h)<&Yj~#x^u4UH315~_U?-sS|5f0+d^bJ6DL_wvx
z6{Vw8WV(#0`#(AUF<T-OXf@)AP((b#duO@twaXG13+sgLJa=#uXPsUWBOQj#5BhlI
zzTv&LRg^gEiKo4}ioocgGfjb04Hs!TQ`Ny$DX%vDM-KtoIu3#7IixjaAQ@>Pc!qoG
z*vQE^bG@65=8gk^^lOP1me+5yV4)?K3B+p*LqCZ1*d-GzJ2{;FD0`(9T51q*_haoi
zPC?TFcsu3z-ENYN2vpC!ft@zJ$G42mBRf+NLCkS4$M%P_Q1(O}N=}z1`**~|fYWtr
zxQ+a(Ixaj2_`;#yG;)>sz*qV%wjSq0s9G+nK-%O8Th}J}&ulCV``2+~@wb_B9Gw_3
ztd}{MUptY>zLVGS)O9_j3X5fBtI83s@o|`c?A(1^y&A6e^Z>Uj(;m+eX}3Tfqgsbb
z%!t2fz;9DN))HNNda@#APwBhC4FUZdp+@({8(Jcjn0IEKD1M^|uua06x%rI%uPL~b
zWu0KPn8E-3rrdGQh>X<Ol44p9UUtg!_8v4Iy375+p=4nT;7t(tG+gvG?f`|K&xk{T
z%eIgJbNNpl`#tIK{Er6;@=NZf-w!#0$MczpHcs(TIK#e&80pvlhCfBp#QAx&I!aJT
z%dVVuah(^14dlC%@c1rvW^;Iui>P<8XU3L`9V$!6n)25dr^$8Y_s**KY#xo^41zX2
z>x^z_EY+=})<L`Y2@HO2lnriw%vAJ<d^p~GTSw;l%I;5hatMVoUE*~F-d-@w^q*~`
z%GgBE@_@>keEnztW}uZ2Ac$H@0E&@PVEmQw2d~)bTHS{}jyaX){D=OTZ7`7xWw-Vz
z*_ZFyOoKtcrRV4{9q270_6^T;ya!PEyJ&BUtpfRy43H3t#tXnZv4WwSpp1XiUU6R2
zYMFr}Ff;>_GO-+Ean8RJSL%KT-OK;<3kCn(P%68(wKde|<%g&ogr|A<{wnE?A|Fkk
z3PU6AT%bdXSue%HLUoAXQ$t#<%|#h&aT0T`qJvJI@tpHd#XD)5w@JEKEx%+8?<8<f
zG_Wi>VCd{A`zAGuSz;#7;JjxiZ4lIvx>W<#TTc=vZ1SeeO8bd4O^4bY<32v~{vn^)
zQICzUI_$qLR?p1Ohv26`kA5al;72FB{bpN`c7?(+d1k@v4q;sBV<;C-lpl$6Jtr=p
zocyjP4E{}m$S0tx!+LPQ(qj<o)g$72+04GLPUJom<z}YGAJ9e!^@)iiemphOdm7@h
z^9p7t5|!M_f1BCkOPT^@ctE-Ps0I>~Kx8$q{-;qnH-zQ4`a!mIm-xYY9LbzALbK$#
zeL|oLhoRbb<2<=(Q??xTxVip<Yg3DAA*hzy`}16<>05%A9D$d9;|p7^Pv?%_Lo}@d
za{Xsi@AQL6iQIN(H3Fv`DCM7z-x7{AWVhgn;z=KI$b`)51zxSqQkjj98<U&epselK
zo1^eRk5|)_(MC#`j4n=s6XwH)l9$+xID<M7sNAVurP(50b<|n6f&ExPccu>#fS<e;
zTnl6kCxF4%wYjBUPMqUGsBVyw&1eHv+7zNM0A&!V`ayBdhC)ziTcS)?U5{k}jBbOb
zlc00jH6g1mGx|p@Me27-ESDUOE_p~S=J@Z;f@hE~nN^U&Gud%Bb7lcU`(zW+hh@Y8
zI;d6ou&B^N`+!j`#maa60!A=O_;Td4oj}wNqK&wXH}kqPc!cvGPio{!^L2|Ow@gpQ
zG>Ke?jl=;ledjtvp4`GSY5wA@W8h8ubpaz6*w9Ia)*{6)@&6Z!GGU$XB^eO#fr91y
zdnr|MKV89VGBkbgn62E=Ez&`iyZKsM5_A&KFZ<xs00C|!H+QjyjwH2~p|1H_Tn{%L
zX@HG@oCA;w!mssqqGm4^V>`XQv9G>*C@u=XkEv)a11Wfuy)Bfm7NXwS$@3O^OZAy&
z7S{7%7!?*{0&jQm@o$t2u#y;-m8`4mklAB*zqwmg(<@CDF`Tu{>}+C!a~gP_;p3T?
z3sTYTIZYWC>PIJlx$G*w99&DYh`Dlkr7vRhINmjO;!GLUP2bscp+I#J^lB{m_}44P
zN=I2P@7RP_`yk|-N@k@kC<ATz{nzWVH$0aoqM{pxv%6<EuT9`y*oYY6DjCb@U+ns9
zFurGTB*(3q8PYDtlXs;>6S;jQP#%peGA&#p?vU3PFm-kB(>Vwn-0nxu`Ou9|3Dt*J
zuq5qgl1A@ZG7?00+?3%gUprKg!BLecwv-vSl#r4vkSR~+kkVZgw%y?ix(Lupux(Y`
zmKz<C|MkThbCbGz+U;7y1<xifBzL*;&@}Gbm_MK|?-{!4`s??6ov^P4eKWgT+zDDx
z=!+z5n>BbM=#mkl9ARfC7gP?J{LD>82AbYP4#x7BEIH_@SHRE%)|1pn_Pk3U^up8z
zyZPPEK3WFw2k9T5594d;kgqif<ri{KnEy&OTyK{;jr@cAXJtl##?M{mp)dYb+a#(J
z#POU8d7N16{grwy&=ww;K;GCM`~MFwst22$)dAVRi=!Ly)DBJnP3#cqLWNQz2!1kO
zNWZVBh3!A!gCAHeS(7O0#~~=rBh9A?jV$W`(~Hmy(*L=4T@;#aoUzP+Ke*BJjPOfS
zPYtKmm%dzq`3r!4V&(RSo627PL4>bm)De9Us8x+BgLfi3AZ}@tcz#p)GaMnMa}e;f
zBY?<M4Y?|v4RbG^c*C!L&VD0sB64{w@6UwBzwELb>&z+X>ppEVT`uDF6ZLO(B!-vj
z-?QuxH3v<QvloBUTj;dlDy0~3=^3xXmmt&|Za#{<m<!l(J-7<-!5kTG1;`RHE6}Of
z=I_4iPyXz?tg-)T3OF5Ru~4HVz+!xAnwyHs)2L~&2x9TECXt+cWhXCq8w&cipNdq(
z3S5g#fLf(>Ysgmmw?}s~TfIt9H$;tw{@>vZjSl%LJ1xPo=NfrEc)6B*?WLlaLxwq*
z*h==(L%RhcsEHb@7@*T(JSvcb+!{rjtXaP5jo{v(n85k=-S%S6;i4`~=ktYX-Oqaq
z=J~WV&V5t7rJ|>=)0+dR-?muqLD<_q)%R7eYiyiv<NIkoRvaij$!QI+7mk6u!?Eyw
zps!mcg+zW@i#HcMyn^Yyxnn~PgNYCtF#W4!N1t&d-K~sIOf2FruEOsTI?eIwLW!@M
zY^))fJGi76w{tf@X`}n{zX^yO;19yzU34+hewq+zfTM#sJNWS9!glJjW(r{zP-6}9
z&DyMXq3R5GktcyA?lMw6YF{I-2F{*eLK(9&xlM{j^{k`R&`Q2-7=b3F-BPnQe0#SW
zf@KK3hoY#F_r&=FISuQTxz6uPM%?v%Uut}fCj7}JEEUKq)RcE4P<=vU$L-Km90X(h
zQkNgs;t)5OR$So<h6I1Yr7#OgM^D{qJmRt}zBZ?V!09m${JF<yh7+7Jvo5J9l=6bM
zj5U8=q2E^qJjM-i{K=>bszX~T4A||A(sA6E1NSsLHJwNF6cUFH1nJW}k!%j40WGVu
znDQ#G8b`XOL^(9pRM2KALyr<t=-l&mJ{nFMsK))W6BVg*^mRQ&jcU2b*hKoBKGVwi
z?Kx(%)qv{6sMF7Pp96lBkH;T(*$*eT=Vs1QNZ7*tZSO&3Okayon(IO_nrl`3@|gGr
zZ?DO*8`{@!r=!(TD*L$rYl=HrvEy_ufO%>cLwH8*>rrbhwOAuD%$N@jrBncYq<X7)
zsi@(vyzz4;c!!(PqWJ{m>q}OmoeM#k!>o>-zdi-gHy%)>Q;zJa(ZZ#o;69C6S;Ks2
zn@)a)AK`CDVi!4O`+(_-tE}<`<XrzaGSvdF9T@(i{{Wn~zH`kOow%L-a+XTwYk1a}
z^T2oVJX!xeZ}{l(3@(D^+v5%-*t&$Lz9OtQ@iNtN9t3#%rYiXs<Q%pOJ7b2!NbPJ=
zr6V4y$ymc@XbOA8Js@2}%Xt*$jW-@|P=gXrQ?Y%s_-H)FFy5ErNyUQWdgp>d92zxz
z^X5v8XWVd}KBs2rCaxI=!Y(~ffM}HzNYklx&4%eqNEu5_2nuw<qH_pIt$vhy4i~Wb
zAMD@UCp@20-wxM)4MjAU1v0bV5d>aCF>5zzEy1Q0K;h-3NfAphPiUhH(}mXAI}VL&
z#H$T`m?vr=dB>QP9I0elZE|E49wi?t^oUfca>=)V-%*HIT8W7XOq!gBhn=>$5Lq<v
zWd5I3Wfbuxu8QEp9tT<av7T)4t>7LVPOioEiuDH&s{z$ltGuwRu5Zptuo#>^?=%6o
z0MIqZPrE9P^w3VlEJ{V#NIa;!FHc!aqj9<8VsVrs+SsEg%n%o<J&39bt3q(_8b!dJ
z-nc|d03kz>om>>G?$$g83Hp(L4^eYbcs}x_@vN6($_$m$L<VV^@3L|5?Ha}B5d}}<
z^{2IcecggBVwj*5Np`0TJre2qv!wnz4A_$KYB_j9xbhFWeU@QA0JlM<dzwRf-N+pB
z3Y<U}Nt%t{uMIFbfM?^-`$-zxJaQe-rGACu%Qna+{eYViKn~an`so5SPb3@S4841o
z`Q&1Dwf+G-9ou5v1%w(6iuM{eaU`hz6R^?&$#Fh%G@8n6)dyqbBN|3ev;Eq;Ns@WK
zU%vxZ_Z?c<G&-nK;d)8}T>w&msM8<O%jaPSGCY%xW7jA#s%S{CWZA!lAtx5O+@S8s
zrh7ZE7vHhcSJ``+Z3-+sjA3S`7?RW1XyH72$HzhV=!b#}>zOjG9Vjw$K5|Xlwf9pr
z?mtoviQN5)42da0!jwhY8z}!+(7lYpcCbBNeduK@qz@nr8JgQ~GX<t>b<tOb@Ta|}
zT5z-#(*^ok><1S3L;Dup283c$CX!eBbSt*i|GfCC5jq~`))LTL=w`D!+~sP;<DJVD
zf=2S5K^wD7suT(aYn5}$d<*}28N2BbRL`Uil8RZyor7FJUF@oKP{J-dur!9i8{r=&
zQK(Gu5q9a*R>OyBo5y|J!p7Rm??tJe?8A>=G{k;T-E|-~4wdI#?RYpm0(I-f{oguI
z(e_9GlT6kN5csa1P$>?+6Fg?`b^U(oAaHSoNIGd?(O?8EO97p$-r;gTX%Tkf9*~l+
ze<~mo_2tB{WTi}b0aBo%D-?=e%LS*+JY_S^{>~zL(d98e`@@mv;o6&d%8=#!x$t;I
za@|~}q~_dpuT6eUx%_luC+I<(@CU`0b|K&4>NoVjDJqkJa5YaiF@et^7<HfSIlb&r
z``D5H92W`7H`NaQP2`nF+H~2JSZ>6Z8a{s}`K0E}&^+^r0@+(Rm089{r_Y^%gS!46
zm-&{Iya>r7%<otw#&o<1)2Aj9!@gLYMF?16>jIS;Ud6ndajJ!A|Dtk6T!OJ&ZEqg>
zvElf?(UXsGt@eQr=rtzyMxI-_@Lj06eMx|L8tivUdmTY7U$X&a1Bt;&EN9=IQtmlk
z2PZ~2^~a5?G7M<l;x;e53Kxz3MoO^l+biESZjf~a^^UqfzuIyFlCJu(5q<{^Z`#YQ
zU6R$Guvz3A%==bM=A&YgC39p@=6?2%DX+YCYX?SOcSAfQbwj0*#TQD6C~Bx8l{AnA
z6MN?p2R6rHpH@DxXfW@d^(WAlzymI<q)j0iFAJZ1x&R(|W*%r}^+Q1qomO-_RI9Rd
z+kvRW!OP26R}tvh7ke}>VxdzKcL5KC2n@#9(C5avDO9Dsk2Mn%<Bdbp&68g?Do$@Y
zw=Gg6(Q{}GjKf>1=CppAps6J%2qBmj*QN=j?k09?DtrlBW_w06o3T_hndBx<94v&(
zjKJF$Pc|KgkUmTGzKI$MHbVaewhox>I<}OB{A(7X<+ktE<S{!Z-RL3q1LT|;BGNEm
z3n^>T3Jqkx2fJ&y2>SkFP%%U6y*BXmHy}nu(+)JDZhvZHHV|F04&GL8n+XwUfD;b0
zjtwHYjFlt6OeWG>z&D7iUA?t<$jFUKUpE-Qd);~uAD9V!qdDj>=;4@bihfM>Es#;8
z*xoFo$-23*fmk3loe#SFu4CGSbQSb{FO@L#>S=Q$9CgmA)rIdwap>1FG$7@=cf;Q5
z(K{e_g71_U`4#unH>8&K+3zxF)-8%Dx3;2IYL;vUrf`dMsIq6xICd%_Kbic2zC~i|
zZLzkhDl2<XOf0+AMDn3IC93G{fZh}S_9%s3#>CdKqj&#R+2@D0f{<&|sl<=+3HfLI
z2Y+gz|4g$UKDKKIgs~k2(i`qbtO0*3h{kHSIRBw74Kkj+*H+Vf+u@AXDG%~bpHkpm
zruh_0u|ARb(0$Z#hrD1}cYw`blF96ze58`!*<?HFC;t;bIFn)#wz2}7u{t7xzaX97
zuemKWR4Q=c3hv|bmDt#7-czQD=mwCFm672vtI;jlBE!YAE5-Q?X0XDv^xq*p^Y}a}
z&CN_&eYMsTzf58$jhF712bKfzwMSw8pvesOqV)e5$C;h`inf+I(in`E#LQk433s_J
znoumlwx@(|XqZ&yI5UT99~2b2<}Mp~{y)9>|Gi=#>%?%Yl#d>9(QQ<S-DUg6Mv!ZH
zh#qswx91H`!FP(_^BGkQ!kL(!4T_eYQvx6Ag>;6|)!fTL9r?tch}POJzdNrwi=X>+
zf%t^x_(ao_5IJtKu4{@Z^)A5|v#uN8|3lbYMb#BW*@C#cUfkUwNU-3p!QDN$%f;O;
zZovsoaCdjt1PJbWF9eq~)vw>Es@K({$Nt#+?C-PAS!=Gj=B!??_S8VIM)PKsohBb@
zL}oUHr%9wMO(=u_4wn?+p1#93X(;pHs&^+9^TfM?4w7HLD!v4kyajGwe2eua!YCc$
zRnBMxRdv;zw=p7<ZXL^b0*DrN6VW>AAlg7*MrZSQcyp*Q@z!!S8Tt52K=$^8n4s@V
zBzfj3FZS@Y<ve=W!H2{VtAq2O%)Jk$+>W)O2hER}9m}Jxy{cYT1k!v`8~VlZQc+EW
z{S#csVE)7f|1{3bxM$TQk1u!BfRyeh(XS<3N-L|K>eKZJR!u{=#F%H!n5~2i8|85`
zJZu>G`<;KoKA<O2U8Ek0Us+D77IFjLqZxDP8d&mSXz!=NuE`)A@L#KmZ=wj`EO;n^
zk;oY@%f?9$nDH^nT=`<~S9E8s6F4g_*wDSoFp#BL!O36X_TukE;eoMAyVZBTV&ljZ
z5M=sseLiMbmY9{wxz5XfsYD*{5jjMNtcwDEOF!x4%wL%oK$sGjPos$YuhH@F*fF@f
zOYM{Yy9iosf4H~@quSo$7t(TF>)sQ*8r17ktbk$Hv#tXv?6t&-p5UU<PyJ+Q31@5R
zI_ik04kQ*Ju5o5;N4(&#=(bCUH@!Wc5or)tECb|v!2#GmgmbT+$?K>LYfKMDYopOZ
zThCP+Dsz_O@ibgA(=BUj`r1`k{{kvJLd~#8=j=>*y`w{~9;3r<bIu)|l}!FjCa~8K
z<0}%|{wWGvdiO0KyMVCJya6%F=rUxy{v$1ACZ3<zh-c_`zg*GM7=h%LP;a}`x@+u&
z7S0zdN!hVn<7nMxH=KAhF7y1GhC+*=^Ac6Y>xRZxkLsUb|7U0E4M#;j9r--*CsSCS
z;%e-y*P%(@M**G;hN0_~Oy29W{sKQL6@RulOMZ5mq!(eRd<-cKuc(9>vYMYh{rb9&
zG=6a1WHb$hbW<#p+d}LO`H1pjAUz7%r}c5BK-QGhWdUz#l!@}<$R_<x%Jb?A?LBIG
z(NwL6)L4$|xw9Gjv~IRIA&ZVFf!~K5XJZJ9IBnE-V%#5Jm;YQY7U<2#c?u^Ta&wWq
zb01w{{?!ZT7BdmR+*92yw(4)fFViY6xA$zv$-LspRRc1DCSQbw5?td-6F~<9?miyh
zEdCTNzC`6zWK0msVjq>OIz$>Ey&9(u3quUXwV>B>Fk5YKUsm5=wMVz_$oxyVeS16J
zT_BXZzuS0!<oX=Km$=O{Ez4g$V~=-cveW<O(hkjJj#u!(-rIeexs8f5@gkp$X2dj9
z{%Cq_D~74_Hg<C=8@a(2q*2((kAM)zwm6<Hqh#-cN7SVIgO&Qv<0k$Y4Ky_W?fL_I
zjcGWl0E?_6Hr9Z~4JHY2xY<1AB{AsBXt?Xh&~3G;38oj=*~g#p`D_WCGU0_@GzLiw
z(?&jFe+PVOYvXh8uwhGOz23*<4sH73$@bk5Zy@wAZlXp&KMIC&RKrKs!bX;Y5)3`C
z3(1IwBi1D5T=9-1WaaW#+_y@|1k18L#ETDZ^;T(mqT&J}Dl&ar{o^=;a~CbFLv@cf
z-7>&4&W%su)i_gd@L>Z;o5QP_A5lt>BI_fb&zc|zD-}b$$k%Pc^_&XgwxD*Dvz#1u
zX2O}HgTA1Fz0or!iD|YGkTEf;YwZc*^MtnWnNo=5^b8%7$Ey|Aj!RGf$yt;U!oUqJ
zA4pWT+nzVfEni>D+$Bg-dKdTDg;=DW)T&esr>F~pD4x9p3e?3tc@{BH)L+*81$>}h
z{&2@GKwWntpvhSRlAsyP(Ywnu;+JPY<TecuFcd~Xod)RVJepW*IKEU_niw8d<dh-r
zrCx2(TU!SL0WEbl5xVN)ypVzm=+BrHgU^$Rl$Rj0c{{(aa|ZF7GrT+blOg!zeKvmV
zkc5;tGZIJsa!!4W|42B~5!$m>BXEdaMG{IT^K3g%vyq~!@{bMIcbO_SK+?k=!``vW
zSKV6qH&%BF1ZaZQddzmeGqS{kI^rMgIFekF7r!gh=0Enxy(1U@5HP{9)lSn%^#_f_
z{Z7_o`n7yb)fNYY;tQF!nJ8*hs67bkXq;jp>Zq-8X)eyF$T3Ka2&%lMGObeH+9}Em
z%#Qh-d7EnnyX)3uFdG+r8ogwBZ~ylD)?Yp7o^!-2?a9>&r;)kZJ>6u*3x=e!DCEB`
zj*<``(;REPyXlm<pds*!mES>}nj@%+R{zLLFPl8eznj?aX&%EYyU<d45w1pz6A<|3
zVUREE^E3a~{vE!eXjg}@KVDtwgLC)vNkiX$Ud*l^%}zuxsiK6v)33;OitS0pN7J!<
zKi2C<iLDlgn?|D{X<gy|jMvZUYRu{@!w=zlV*E%u?4*I14v(dnr6R~|VSA~Ui2C`y
z{*YUpm$-uMiC`ZWS|SM>zVTA6T5vYL3$l>U(666Xu~zi~ckf~{<FG_2ZM*}ZwfYuE
znL)`rDHmDpSMpz7#FAapC8n`YdNllJesi(CxMU|oJP6TIi&W$rKEFgWxN5q~p}-XV
zM4guSe;5%!S{30IEck(cQxOUMWt%QO<u_e}Ni(qtE!sp%R;bsP1V)j4L)}9yHgof9
zHUNoZ9ExTZ%YpT!t<Nyf$`YBdox|h)l#(cl!hJ6;%R~#XeW#YN#l?uRi`b(C*Xi9q
zL6nwKLCkZ9Q70NVJEe)elI6``)kML|>dkTl&`Uf&a_saxcXwf-Z0DV2Dn8uYm^a{k
zgot?xnV}Jd=QBj_L0lspsh;Q<XqKc_)Qx@5G~C)^wQ5?!BxnBJv=o&lCnWwVs8H=G
zYYiTlIkl+qZlAZ;@dgyl!FQIkA)(#-Z-#F`yj)x`u@uMtn-1m1akMqtj{rLBpzBU0
z#g*e+=lIXFW};isv#Y;K8ZZLlB^X6nj$V&wkKcW&I4X3N!!QFyPuBk#Dw^b;PJqhZ
zLl|5E97y=_)F}@xXtU>Xn~xfi9uxgl0K;k{TXtx<NRA!6jv5WRc7hwT1oYE1o9~B@
zFq$O*qdA!8ISE-}@3R6P-`D(n^6E3gFun6+qW>7VZLuw!-R~w|m2UWB7CJ|gx8Up8
zZXz$e>_I1&3XegLT(-<B;E<rdN1Skts@a|0V{kP^@20q!DYjO)G_mz8@_4s^$Xr|#
zB7kj`iGw@tTX9Q=J0IJrh#cT##g&!93w<0g?XFY!o49!xpZE_#^hx#)IK7mS5iReq
zcj13N=9cbd2I`8_=dw=!otUIk`yZWwbnp4gMt+fIl}ar<pGE?>xnHsDVUBY<F_9B1
z_PewKIE*)>OOMq*v=`Dt+}t5~!p0!g-kX#Wz{-~G#2#=Y{}Ud}M&JqtO@5}>Ro2%^
ztO)hmZ^OEhA5FSnLi(@Z54{Y(i@6x_%cq>x0PP%WrBePOy&m;w4hz`wrE!lTQ&*rI
zoYMNf5x(C*@aRp0DlgGo%AC?<lLsfc^0?FU1SR>9HL(b7U3aq@klshQJo%v|qhl+X
zkU75&L>>u2*)u+R;xyf=3RIO*B#|8wj1}aj{WC4TQiiZFb`k--R~g@XAv?9zX}}G$
z0kCfW9TKTt_)ETV4XxRs+iEl!BVKh8aK<^^lT?&}i5wU>$GysM6E3sH9h`{)A4d#J
zA&5Z}>scWfPa6;%yg<1B$bTbeLu41Jcq@!J`z&hIogPADw0G%0Y}tkt_Psqcm9tXp
zpa8?l@L(SiZFPJ6@gE$}JPnJqFBFu9!j2q~DU-gHGJr%QVnHE^_-Wq|MT+;wPBI^U
zmB`%(_dBlc6MG+!ot#$&;x~fYz@LN=V9Gfw@k2nND^y6qi@A?GV)Q#M7r{=!H$dyq
zuQ$yXj(_4)i_X<`eqqVG!32<)_cZ+~+ko^fyKPDSV0>g#4s^<A+WArdd!3RD8E=^Z
zwZ}aZ0&x&qNO9(g8?b9zjeBNKwGnFDK6ycUXKK-Ceg6+SVGFonktX3IcCL$R<3d+T
z1;dCtFy7$HE#Q1r^r-dthw^$PgD!5P2m`Q6&Y{zvM|h{AHyb?>?=%|DonD|~4tKb@
z@Poh%`z^I?hM8Z^_UX}n8P7m(+113gneDb<F*~l(DdnzIX$*9xjke@E)R4n#BdEDt
zlI_wHk7LXO(+=}n9uUadi5K8UszYQ?|D#p?X7>?B#XbWgjU2t;fZqDzq-{x7a$*vZ
zC9>1r_5rUuHeWldu;)A46cgE=B(kWf5yDs>GwG;{wKTlGDK~yS20i^MI#J2U$PzkH
z*x$!|%H*WH1IKciaU7N}gR!4`g=S)+j5CO?af8@aaQIEDS{!3YD2bH+vr_tx)0H}G
zlTAr6$sG3(*x>mwZ|riRg|6&jC+EZ}w}zBuZ9X9(ov%^4WN>W>iJ5!c?(0SzwgdhB
z#Qo~t3n7R=cD?Uf3_<7!W&6Tbu#Fzw>gS;8A(JuK8}}d(Tdh}ENRK+_&4|l`+^+Gl
z2hBam|861m7@(K^7dUO6ISs`##B#0QEi-T`Z@$2XjKx!l)`4|AI@T-lC`J~^Lo_gQ
zZb4+n_1ZXg?!Yz_P-DgBYTvkk^Se;#dvquTiq=kyE0u^@sL7UE-O@RsMPtIBK~>Yr
zX-xkyKFzD~l60%slD>Fiscg=6Os9#14xB=&tz~FfUWC>1GyV)JUP-;Wik6=q1VC#z
zJ_iXdkqGrQ`H`D%>8=OWW9#QSGRq7%g>Ut3?Adn<!9C@YQOA+W=FKM(3Fxo72p;j*
z7h&;KZ>4CP2JzU@bg1z^!-h0CAg`<bbW^Cx&krs$TqL=p$<|J2D7%#u<Ujx}L@J00
zD7t7oaevRt1{$?J@)GY&l<5fI{2VO5bJ<nv+E?Tnti$)_VV+0SBL;w^s^AhyV+=67
znri;jetjGJ5@7Y_H(>#pHHk+xjmVdbWYVI0Ac;ECSrQ&2=_dJfs3!Ov?Mh*RO7@Ep
zvnHZc+`%^8Jpo0jx-x1M?e9dG7LgMCH^njC$U%GN0x6&nl>DnOrd;J$&61M<pe-Z*
zRfQBRpK3w+rBf7y#r*S_Pkh2^A14sQdXS8}D7>=fYeo}y6ToNXtbl8@C&Zy0Jw3NK
z4K)ycl89h`4wm9;1IHDjBMn%)8n=FO=>AlOJ&ZzNpIjF9VRO+n@_Ch84fXBNM;jVA
z2fF<rx^jrfY-4gi2QJ@bd2F^78&TU~+Y*I5Q8akO6s@sP9z<~p2SHf~?8$X9y6yXr
zp*P#`dVWwYRe$ZTiTILzg8jeiDxGp@lb<76#*A@&%(btqz0Gb2zJ1wy=Yoy>W-VPN
zPR^P76JQX%KLh^+9mH9BOnOg8NF{cFZnyeTf-V4OXE4KCCt28+TUs+i>Y25Z$JHi#
zPC|$n^S^b#HnS04S<^739P{;;v(%<IKjczkf|7jB{7TE>^S{@<AD~(CC@}6ftnjxj
z*wxPW3d-4iB|%tzoK~!yv}JG}`x1Don_sbht0N=d?f17XK~oQ`hisq)e%I2+e6`8b
z8n9URU5WeEiIV01gD$_o2kXn`W(zhN>@2Y&Rh?rj{!H09#imlDKeL`NU6m>CxRIpf
zU?y}2_5f8nloLt%FpZyV5bJRa<a)yflkiLLACn9F(3f^$Ij!q5uzGtgPT!7LRIKV>
zi?9C@gah?%o=Aw!z}hV#2A5f{W9O)<+Gsg|*ad8Xl}~$-1yWd%txx!Qo<x{j^}X|r
z!#-=Gjr^=z1;`pRo6$;ejRp8(l;jBv$pifP-SgHM6sneJ<rmqnh88hB-cQj`G?z>+
z<GN%HcDv)ca*Q#e&E4$?SQc3O*NMWuL|*`EJ*w;iaIxOk`Q0a+jTV%mNlr@vyMBL9
z;e2@dTZ07CdO4+pllhr|b05~Bt%F0&!WGa5&L}`XW=EzSX<_|5ziwv-)j2Rg^IxTL
znMp{Tcot{Lq&2pWk~pGyIX+LXz?TmyR&IY3%83Q6AG7SgNJN{m0qMva0_$vTzaF?w
zBNUB=G<}#3+V8>y+eBkonQ$q{Pf1_)NUz6NrzHJiUcd6CStjIGcZB!(uFM$BLN-5S
z4JV)$;xmm2`NdVfOXxzBA)69HO@)#{v4-$$_E`yWr7}IXJI0ZD%i|rTQ*E<6wWx+H
zVBG{)`I=TRVjwZ^Fy2?9Zuf*^8jAa18)xrsYv8**r)1w-JZ*NuQFcd31w;t)(K2&D
z7dEROUCKP?@4gK|SJa|#FhI)b?7&F8{pB93P(x$606NEi@t_e}b1#?!hAAv@N@ms+
zW7jQ<{S6gTxwG+k&99$!_kFc~t7^^E{0T#0B?&7DYoY+#SDt$JKs)6*HuR<Hg6ZKi
zL}&9fGj6tpDbGY#9jdSKv2FC)>P%5DM{X+5OK+pMmg)pm*6+WkR{T}aBDhbGNZ%$O
zQR2w$ZCf4V@0V8{t%@qP83mc?&Z(2Q%d9P%KeX7fvv#QQWufi(GOWH^$uvOjis&s0
zCQ|>ZZi^xh)iD4G;~s1f-G-EYFvks43y*FC7U*Xz8^(BX#}r)f+R-am9bV(miVax5
zGtsc5o&p9|DHb(JZA1U0&e-c9oQ^Wch2<`M|J8yC$TY>$Os<u;i<kHD_zlHavhGd<
zWzuJo+0)gn)x@z$C6bQ?=#^jD8ubydcmzJ&xIhdM^et&fNgX;=Im}2?|6Qm%xR>7H
zb9zd7-DWnR8z15BZ)ZG|yeS|k-sd+{4RXVClB$TGiVA5NvcSjAZ!J&fB&n#O-u-3R
z`Wau8>7$~Ed4U+S0Q>HU8Z(4O<m32F%^w7fMhBR%qBN`9AtRd5OU!+j%>019M{nB}
z8H|@%n-W4sfMzn~$wYhS<9)V|s$7v#jzm=jqJz=3Jt<a&EwYu9T7UjhTuO}6i^wUL
z(`n9^PmCH*1BMn*EkxsGG-D#OA`-(~cs)Lqa-Jt;zVSZUQr@qnVM_})>d-eNEGOdD
zVW(UrS^oYbbtJ6zlH=mZj2lPw?J(wh?eix;4XeLYuHk#Z!l#p|(E%(I1cb7qdeOMw
zGI|87;$i}<l`V?s1ZBQMsmr(a>uVui9VqqJ)W{_O*R|it_xJp>Y2Qq~Dpy)n*ab}6
zvrDW)horiW_P8oiY}7ONw~Dr##dv1amE!;~dg}^HYDG>@bG*v@ck}|FN<o3f*B2bU
zlj+2Jf|R7q{DbX6@Kuc6sDIq^YD|sOD;;cxI|HkVYg=4ZHy&EDUI-djI<$P4Wt=sT
zL|ha0p2zMoUI;o5O7NT8;6!=JD)EVR&jh?B(nmxvOX@QElGf_(*ZaW+Mg7cQ_WrYU
z=BN$9=P$>XHp!hC=x6xEDR_yCLcH=HQSrZ5pF8^WQLE3V$<U9&A<z3&dhcg|aQ+99
zpug2@h+D(+I%#`Du%9X7Yo)eyl^us@eo-2qj<_vqOqyS>>U?3;<xrACj|-n@rrp*0
zp>Z*h569jbo?7XU7zqt0NlvcHJ^%LVw4JX3$i9ToOkGR*YGi*_PHZA(zceURpcA#=
zw)fOg#;fipG5KUUNt6eUqYGMd{QD;JLiUeZ6yhhEj4>S8k54j;pC+Rnt9wRVw+$qs
z+P0IQTf2TBG?_~E(2x+fXhX~9)^0SUmvNmdkhLfuAP`5#8+^nMD6Ru5CB8*Na#syI
zJ+<B1(=moa25g;<p(G|w-qnaz9RDhtgM+zlScqo(l8^tYF766tm=S<{APAtvbm>ox
zJBq%e>7GSdz(CNC2TZ;c)Uhi`4(AI@cquZ~Q<2j}e<p{gWyu8fZ(MxM0B^AN7!G-C
zDMLKQ#dZuLo1*-ewVP#3E2)PprNYosqj07}VZDXwuW~v$t>8Gb_hht5))`V6{mK0_
zp8BU!t*G(w@(;OO0&kD^9X6i|Ac^YS-s-?(@Nw}Pi6RqgU_Zk2PxuCh)dWr~A&NYq
z6=gB^#fdl?ve+di4)6g*FPjdYYcp$)FkkKrlag>!XEdmkueuReRRum8@tpaDLnjhr
zw;u9>+#qDvOS-gHl#6DPd7Ta>j7Kyz8u_IW>Dtyo^zj~3e@x@EKeP;Yv)lDrEAQ8~
z{PnCEwKhuq1)C4z-#Xhb@9X=$gaWG%kywK-=%Pj<N3yU@>_Q%X(kWt3G^8kUA)!)L
zFS+SK#d&viOr$_C39NY@h()b)!$+<CvbhgNI08jJKhz!n^xz-yQF4fjiZY0^d7eiQ
zaeHGE@x9o}2o|B~duaB!R^tMOn&rO%&lMRb?f(L5p>6iD(f?ak@?SYR|Lbh13j4vk
za$U=r;EphRy!5#7S2PwLE6Z`ZawH~KutWHjT2xyu6N4=Fq(|?rp%>*<t1`zLWd@a%
z;{q>&z&yz*7ojs7naR|;pp&|SsQ;CaBc(@Dd;-c!u|nSzE1~fIb76u(MDmQh*`d`~
zDn#K0ZZhkk1c?iB4pg;bw4B&OEWQ-^m$ggaM88TC{%wTAhs6l1AQqNJEjj0A0p~->
z#M$xN_=~#(gltM=3ifZ9Fe@mLQ;jE?*h5l<Q%cMj##Q--XFJxLK2kp8e%Js%`XS{l
zFN1C?osjhze9!^sW{@NR=al$<iq#<e1N`B5oLm~Hcb09%!$p7ZVmba`_IZ2lkAU)*
ziUxEX!ElVZ=3JYL>?!i$6P*3gtM^EBr1H<LB6xOP!%R7aL5^aXuDD@CFQBn!GPe7V
zwClraGc=)4-|a6U(dr*r;#7dP1ZWh-Ekge0%tB#Mt?GSs3=vRC6m&5b&rfj-!@1yQ
zkI5IsO3fX^KI-3_psFQ-tM7xlr>qoj_WBr(32iA{e2t6Uxx>nuJ0gx{RWoj3h`=z4
zNj|IE!`jl_gG-6l>+?^7|0PT?i}D6SfEiN{iQ7T3nb&BXd^z0lKO4|KAwG()-RDis
zi10cH5$8Jw3I{QE*2?F{61C|_@1OulDoNB0euj;HzA$nXb30f+X58==JI30qDQwSq
zgvBh?P-X;Ezh+LXCgAgfxBz3ut(3>NZ`9lcM&viT+zbp)3e|}$G=5Ziq%><>3j<nq
zL+!=2qcAjK?#cbSyS@F0)P^jNzmCFG8rR!4E#wQ4e-b2wYK#!A`H2SZZN9yn{~7V-
zAU}PsI9vz5jc$H#JQ*EB)G)pqEY&<Yqa5L%hCz7m9Js`l|It)8LSpetQAjA!0|2}W
zN$5@s3TQfa!2Cd^2K#TnOUNrAKQD1T(aw0roS&CCwx;#(^T%&RvWexiCM6gI(jF0u
zJuN_Ao~RU=41zycTk5iymXvz@WaZW7!~gqZ{{OXS+7~J}3~#Q%8Q@R1C=-Cp9`io^
z1*OLRZg;=oma@;vt?vG@Q_SbijjO51wVR_6#@C#pwWpN-S=F-URU2WnWS@brpKR)@
zFTLbZZ_@e!%MhJ-X)@OF%;OXsZ96_!_64PnGLb`v1<|b~)SGzf_J#kmSTi^p*jh`M
zyb=Cm-F|yF3q!}DsWNr+6=4j|hy@^9{8f@<Y`E|^S30wYglm$k;on!|PU9+F+${hF
zSLXonmnFJwTyOH9P(M&6o?ZV*;T|;<aF8$KHOW#dS`*uR@y*9=6;V*j<{twSD!zy&
zkKxIfWH4A440GN@RE8oPVM?jY`$XO~aTnUV*?eF^0QaKa+Lo*~zPWF-192Hvm3mvx
zYE#x@f&B|0LpTOYT=R3i57`aV(aAAbqN!3I;h7|F#TjtMR&x2Z!zGC$<}WLYVH|s(
z16fAkZ?T^sOx+A(QHttqh?wLYlnowup_z<?Jv}<j6<2nM5(DiENuYF8sga(->z}L0
z%-9jw^*4BdNV0+FX7z5;{)7hjj^7l|3EdN6$I91p=yXdw3Z?j&&>Q%A6sJ}ny~?Pp
zn8vQsyi~-p%?*0ITm<DuTD8?h_P79g<&xRAZxSWxA?ANQOI_eiQ?oI6n&&&Xf9g$b
zOe~k)HTl$ktA2W7?XFfgu5Lc4mT7WQi*%T^66W(UMU@|&YKMl3JO_ngy$~0^W(WuV
z&b+UjHQVcql*)Zbvd=(s<*+p5xhWdCmO|(N0;M7zE<m0CcAqB4R6&J5&&#fZI=ySo
zw=#9$c+5Tn6XcHiGbiFxp3lZvpTvOqaXXZm4cD#;8;{j!)yz9ZuPSR-eSPccyWVpw
z+9&>`E#mZGED|d+Jen4o#8s*_vA~)S0c-ISEDrn0vu=J)a5?~zz#H6F_wb-)qxD7F
zc}~6a`be6F|GzZZ{<GcopC=bB^kpdm*V1g43FJDn$DS(cpeYxnL}p98?9zaQ1nrKr
zM@=B+){%L&T0*w46D*eHBuP1<xf0L5E6cIA^7yDFKe;?Z`Nn<y@X4?x`1E%XdQqzr
zO2&u8EoFR+lM4^iHxw0EHev;eDY>?~9DWJ{zSs4~7buIO4-xAlWy5qdOa@-g>p=%=
z3+_LUOi>s3u=OqnNkqjtn>IKFF}B^d5Y3V5TIVm3P*7q}@>1fO_vLMv1QeDo!WpO>
z+{D_DMna1rmH?%X&Iyoy#;ShU;EaS#3oWoah|4dED_j0HOQ0MGlGK|Zz&#-y$q*hQ
z*rI@B3n!b5tHp$@M^5Gn^E*4qo-<MI|3o;SjVcRrE31R!GX4gT<Me4Vx!J({zV)48
zsLvmZ2Ep$FQ2pspY!}_18nfe1*#3yYDYg+c&zj182ascKZPAK#jO-cCYS;c`Mh8H&
z!x4Y7>l?}LC^ZI)E-;!OtdKv5-BZ-bT#*HXV1pvXw=P5E+r0tMV8wqib<jXC^nKZr
zW|!$I3+cAW_nSvef**sl?(c`_bc72S_xYSSLzS3B?BQGQM$GSxZ#@c>r+P5qksUOI
z;tBm^jih~K$l~}brH`g=7$B|piK92wbEvadNXlp@mL?s)4CkwcO16Z4;Rxp;yblI_
zj+Sc(5qx%)t$_0vu9DwH-W?eA^XJ@Rj5CvQSRU<i1fqngOuy6abv;Ln$ZN+>xKT&S
zr);u=Yp4$@T4}3<r^Y*Vkt3NcGR|392m|hXmh$@og59Y1^*3?h%ybjnU6LjsSHh2J
zoHb5pJ_}d2_+b>=7w09ZMs;xY9Yrr;`nUT-EG+t`k6>h07il~IkX)MER>l$5o$tJw
z`Nw3*Sw-!OYHmr*<iMNJl+Zb0H8ZLIR9N36IIbbbpZMjMfiR7naJ?+Kh}b-r-|iOv
zv)RN8!wHtN$;iD2LT#Ya(W<FS)^U}`aP_C)XBx)zmzVs8zerRs%!|NLy8Zur`~T<D
zM@)F&Y8!q1*=4A*j5c(wmHtc;Io0cgll$H8d{i2?)6P5_;G^jkDIV91F>EH6AZTsE
zbi37~U||UdMRUSKH2SW`(}Q>uV8x*&9F+YkBK#F~C(B?t{1Z0rpegf^?XW(91{!C~
z%t0Hp)%-@PI0)#`c3?FnCHPWZD-tJfu1xs-Lo){ebxEp+7MIZ>U6v-TTSt(y!-)fJ
z$ht5E_bGK*Nv`SBEkE~b;{%K0Ikgb(TmPetv3YR;jesyw?WfPK^faISpC=`6-v;)M
z$6kz&aA4^p4`_(M_KSH03#|gN@2>2pW=UJqhcaB6AJt`sZf97I?_^f|l$h9F1}x)3
zzEvyLAQL+D$YhD+<A@w;-M!Ku(GRDY<etD%Dyn){tx#1F?C783yWsZ}m|?lZ1wvJw
zZuf<ammV4tF-Vp5ljeQyw`UJOc8^M`c&xL1Qg?9V!>3WC`vSuyLd^K?;5uyrJ}fV3
zca*8mP!@*s{H$~6*K?K?R=L;mUu4HCDDK{4oSXHJF#sjuX(}Xn!hm*&OW@tRn!oJz
zRK;xXFe@~<Pdv428s36N2+c1L4V{YeZ>Y`_M(dOz1o6Pn^O#UL?!C7S<6I136|P2R
z9d4qW1LG@?5CIqs7AEssZY@=}JMdXh&MY9u3MxO!9ejKC{h$zlv-#t0W#h4?L#(^l
z1X5lPqtmB4ux0W_yP4KWbjLEa>PhaXq=Q^*bxzy_V27+93tRub*T2c~CjsXUJGjEM
zn%SlaVzu3hKg^2wzBR7B;R2C9Yyr+=I|5t#d$d9zv-Wr+YT&YNoH7#A$Zz3Be7p9Q
zQn=sTW|lqa<}_+KesH~$y9bFb$D%y<A2@SAzrS7P>(ql0`9d35i^X3kwPFN>KD#NW
zo^h|bJ#-?7uB1F0I=9_HrV!Q)JTe$bt*o_I*FYXiVs^qP<EO_MMM0mKRYB=({$9ao
zrF?%9hX4DZ+yD7=X)A`y&T?#Meq{YY=#`!7BVxTp?n=B&5BpJlor-*Jr?EKYsDqUq
zwh~?qRcQ<UJW(^qqwM88uJEE(R)3sR|F+b&>l(fLkR`u2vha}z#WlC7>&cTOCN%Px
z(gnuj3l#3C$B0Ky9D>%%?~dCV+SpSE0Nbl;QVSXN2Z{t_NBtIGNzI?vq}u6%oxvtt
zv@8n*QuFH53$(l%31%o^{J6_LZ|1pM$&gH--dr;W3j)1QNV7VY5JUDZ+tQC;Bt)u}
zY;1N30f1!8Ql85B`a?S_JSSNcm<deW{dc?1--sT;04rqsZdu0)OJB9KYH>=p7h%nb
z%TdN@l&pFEAaD`NGsvpxHzBUYaq8tqTeHWvltvFSBp3C5?1MtL4=e1TVCrF0dD6DH
z?>*O6+J#OOirF2+z10t)k~m4Vj(|mjd)za9_vn|Kye@hMI9on8Ari}Y49SqB{3JV7
zg&RVpmnlnRuAtbuIDzp4B#2(bA<j&>i=J%TLuEiDO-2C{DRNE6T%IkPJP6qo;UHJA
zt}7sL$l^DJ9+Wf9S5uw{F&iccK88863fRAfV&q!Gzl)_{m7KIR_lbtEEMDahOwd*U
zS6ncTQzaCtF5R!6=QyjVs7CKU45-|btTePjYNDY9=UNmqVvkQ6^NN!k;qCD|X1a@B
zEO`IErSUanL`Y@i!*ipz*Xb(E5gRqk;KT}j(Efm<_6*xKoBAh;&mJ!8C5f(toQB&(
z*`g6YgwGxYVyw>fMuN2n0c!#C{VlT(a0yTCwRhzRRy&%x$DIBnw+$#P1g~!&RA@h{
zA&z74J})_<g||t84S0blI6)T6@YV)s-|BBCAxfcT$eXy!Gc^bxd$0=9Ek>y=_qp#~
zL{tn)UU=ZB6MZfr5!D`KR5GZYYv%2xwIYyXf%bRZ9<(KY(5&^})Oh+82?`ZBK9|f5
zzQhipyrp>#N2ub#jjwTHwITlgs?TtjcZVEb^50R)|Eh2Pzs@^2ANbBsYa;p?b2p`#
z4+Uc!viGa1tbl4{fpVH5+9pYU6*&T1%~=q_O3}LZ(rOvq(d7|ORWpGpm7*Gng{If&
zkDoQ2jVr9iABu|q(2e`JU+vuhVJlnIJvy!@Lxt6Y*$~1_B`p6Np(G1ZZh6(<0y|6{
z-}lL+JGGCPKy1L8K-86?Rz;VkdDQ4AAC8!k$;r*Vo-GZ2TgEm#DKj66B1k6D)?2@A
zpno#4tuqPqIU_F^pU*>R$vVN5P@3m~cM@@H_BmLqsm|*e8rky%V0c-wnr`d+AN(Lk
zQEY%Sct54&6aJj29())&<be0b^nfL-eFt8aByl*|Yaow27Gtqkb7>Via0hdrd27Pw
z{r%=j%y{ek#x1=lq!*UGLlXa|1~+=EhMs&@*H$Xz;U^m1Us&=c=ax2($W&P0(uiFh
z+&|6VPd_C|hM53}2KVtuSyR!RKQMo>t>t*W+aF;YCt{>j+#0=;u%oPmKY|rVcb?2%
z3+En#VK{CupLYiGCv!P`Y@o}VWmCAp4Wxr|P1e3#f*-)xoQx%y-B@^47MgM(_=j$L
ze`L9-4}QtDDXXY{QanA%rf}ASulkg<5ph5o)4nQEC@1*>JRq7AZ#R2pt1xISu*~f>
zee9s@OPMLAV|NY2;{X=g2W`Jaj*0C%=Y>JCXq`3_?Kz2icCaiaEDnakaL^8(`TRnz
zST~ARI-;qB4IWudWZ6K`Y#`mWV3xJ2Wrvs&L4k;FX4$$Rqrf>okAy7dgRVTGZPd|f
z>U_+tfDaPPL|k?xXy<@Bu&R5npX-oS2mADgenv7uDUJCyt_RJq&%~n@d?<}5!sP9m
zkLQ*v-;07Rv6>G01NwW~!SaFOvFP)Cn0EKPaa+JJ?56h|Mav3ejVrcS!ihVFnAf8M
zN~{Gdi>qsJ0E`%gT0xtF3kQa($*kVhxs7p5Sn0vP*W0lXlRN*Pm`)fNdWW#@@O2ad
z%xXuJ#=Ae`+n0J2DMU`gFl&LEi0ue2vtzOppTI$dU{_M7s*rZ_r3L^H@_3g(Ilu7v
z{}}T6e}hSzAqdYgnOTxy;~$y~Ayq+fj3Rb^lA|w0@UemBUPOo7-;@}trF91I*hdNH
zNN^mA@001j_4#%>hT+Sw(8rkA8FSGmTjkxx^I`ua+L2(&P0WjeN*%3Qp}naD*V;8c
ziFv8t+y6-mL82k>&zS5`_)Fn~^ZONcDu6x!88%wTiz)js)5<s<6D<ODNLQ(LLsI_6
z+}4W8i2k|YN*LVR*nn89kFwe*PP9kF>p*P93>SDE?E5Qhr1L;9W#Cngyzh|6t|CW(
z!D3j-1u-v+a!eq&h_&11gOm0y@1oC)`(%vWlL&L-mAEtVcnK@BDP=Gv@|}Z>^I(Wa
zF#I1lH^b2W8{m9qQUQ%iG&k8;1wP9A$?PgK{()EE_i=_*{*b@msJ@b47Yk0NR<Xw-
zPU;~rk_v`q7&XIDSu*^g4IzVoGxId^q7iO~F<iXr-ypW1sbOA3RD*5c18K=Z(F6OD
z@SX*7j<)-FxQrwR8fG($_9(gx&HY9o18LC4Ca>{<evOE}FgD((ra_$854YJ7a0NOk
zUf6=t*8?eXvu?~Pez~COMuBUs>%c{Tj?#L5@18T_2Ob{%wnpKNcm3iQvPOZ><ecxw
z(VKq!{2|mY91N+Cva2@Q&vB3k1cgy8=X|^0G-6U-O4?P}A%q#2K)EwS3ZlTDYGk|h
zrV!qwOZf2VV0+4dP)qJwquB%6)YeQhqJk<w$&Zgm-)%7Oc1OZSibUm*hwL`L1oY}`
z43-EV^Fep#PIdk`4G>u1HJ!<Cd5@M&VEQ7mai6kiU_acG#MeuR8l~#)QptLS?P>+(
zokDp^nUvw8A00gth9R!lfCDL#xhS8_{~MG%@G#dGVED=k3my{z8m4abHdo#cTT96n
zv=I%-PK1e&&~U5;YFF*#oP#oG<tEH~J)<42XvZ3bC4>eeh+XDn*nq>zBZ?v{AEt^6
z5sWe;|7WW7e?HsT?!10m<$Mi{6b!0X?y~FT;DE7M<XN)oUt(n+)gsZWTsmNTPtvu}
zwSVkdawPfqtqZ0=2<w#4I+`hyM&~W(7<OBtir^9jCPjLtrn$a9R2}wq2X4n+WuWP?
zR!)HAox7oCf~nDr^PwK__=$gD<>Rx&AwB=IgrXlwKmeC<tNvhtmPfPu&fO{sWW|&w
zDi2JC+~m;@L)b^^N2J<<<~<EYXmc5`sWKkWoGV)*x?MC4WlU6uR0~&rjEK`@Obln)
zz*c1dfYg#iFEoP|;9OS+`Hx~1zAYab*s#5rl<p>?pEjDBK$n;e4k~N7Rd}1k+0M^I
zSOrHgbnoqzKr>4PyV6+#<h(`6IRaCtk{d!6GDR36Us=Lvy2H6()F<FEmeh!i%#!-C
z1{P-lB_Co<zjr;;7p@~CoXQ5IGSplTj%3eL%r%j)Uw{OnwrgMi07MG<5=1~;w*K4G
zKM-F(vD3#E*{m>zTv<9b68?2y8`D>$*Lb+(5k?s5%59oI(sVgnJHU<FtKHW@SLP3A
ztP<yeua=7dBmU%meHM;lz+Vrh%?8`PL(q-GC<ubytaS3%Wv{9qh%o~WLU!MKGA`e*
zMp|d<qWH=nX7WCwRYPVO=SZ-~#!ELO*tz(b%O)I~-G{j<OLN_iamP;76pl`dSEAu>
zh9V}k8_eCgL2$F6&NdhFjigGhi55hV*6glx{?&O2x$l)b=7C@-{cD+fmV-(zi>LCw
zVMCc`FP4Y)iT>#4!>=Y&zi?l=2yOV@?YUs`U<E<&YNICLA&T}HXO!YSF^QT+R(itY
zYK6USx;Y?8@6ghN*xDNCS#3W-`|IPzIVdjZ-|7Ay1JLr;n1vOb9Ak!#nb;2tPZx%G
zD=AppaHRgcw|+o(=ehl?%|a%uqeKp@?e^9~;xcULpoq#wcuq9BvVG`$jwt8o4!m<`
z@I<nnF?c##)E2?{|3XLq_r1;%)Dmm{Fgbajj>fNRbmrsV+RAOdi+>3Y;Q4Wzs%`(`
zR!=wh4eBFa=PAO{TdyqUhv$%%<!9Su1OzgJ82s-}`+soeD{kFBa5B1DQj?;o)lKY1
zPxuoXrl!QMWd~bxsC6eKHXk&_N8}g=QNm)6s_czO(#MS8j8dld|A4>BqHub7%h6Bk
zxJi+8A%KcNt`$=xe^t`|lF~odEJf!pm?8>(@6ORo=d`A~3s;&jEQ#%=3j)*@Gf(o6
zsmtNUhu46qHlwG*zf76#+udtMD%{I%a{gIHtse~QrBV6ufGyrNns8dq73%huwKL}a
zd|I-(p^l(4I{hp^9!cN`rS`2y&Zgq0D2^B<iPm4&0oepl!S=2={hZz1P;d98@D)G|
zrKi`f{NE`9Sq?=!Klk4ZuAD4anV=y=u>p`eLa0QBbU{2NYexL64=lRkNHOX?(g@Ox
zHU$pnksiBO9teh2Kp9qi0=5TWA`@4(mzzvTE>jZGZHEjnddkcHFj}yZ!Vl#+jdjm*
z9mZ0|rom|WjNS()lN8ms$n&g;f>6)>`Vs6@Xuo8~Y-W}SORfv7{sL+C{}%a-jC<4*
zAo$;ZvnD#>=Vk?Rz=A1^MQ`k304soV!KXcj(17r-g2>jA1=a|??5IpSTp;V8Ti^Cy
ztu9f!p=GG&RmNnFaNC`F1d;ha3Ilk$F2nTvxEFd&Vx6eAUD36hD->c(G6+3tOh!j8
z;#3CsILD)X&J0@j?lJ&d{GIPMzklm``>X{1{@b=tw8(Xjr4Xj4{W)avNmfQy?x}XH
zh5I(wWK;I(G3+l$5DbB%&?Gy{e~u!|9RnzMBGlvcnCgC}j4vC^B_qV%%tjhR8iY5(
z7=C*~>1j8v_Z<4Y7d9)~YVato*toHzvzCUbud+o^26j!TWm(B@4UhfMHCj!=xsadc
zjRLiT4{S^<(GE?{Wpgl1_e$snU`!mz&UbM3u-R9Fh0=R}Vw@JP*lg`*f^MqFr9uBQ
zfb^fYE{en_^akdkiayyf3*AO4^_ZY-gRggWWXdXY9k*d?%<{AD)co|KnP-B#>jGZ~
zPnjvb)C}e(LnR}KtPWYL=!c;rccTVk2I#uo&884c#lKa2Ghok}JA{r4i7EAhjQ&k&
znKs|Q+c??vhB2q_!Vkx5ovauWt*gbt`U@%hBP6h3T(3W?v(*YX$@=@Qk2{_tLjd<H
zZS_EiiGCnkm!Fs{Kmu8vh9gTc%yi0D&*eabh%G>=-onQ^TcH~#$aj#u1wgWN?)~P`
z;3R1<4;OXFYH1|=VOSYKD`dS8Vn>sT12~@-igd{s8Ue?(arn}&p{@e{0N`d@ikZBF
zm|UH=PE8)i)Z#+Y57mF`c<XF+-an^*RXH^{od^DE06gcUNvcvzh~2zf?EKjBf0-0Y
z?8hFGiuj7C&`34-Y}h8tgb*;w@jQ$bC%zhq#Ori<5+;#xXyoOYg3wz*NWsoYo(vXk
z{TQrN3E+@CcJS>9oPVGDm{#(f`+Plnuu8slFJ6q+n=yZkeVmpQ11BhnNO5T7f6uoF
z81m+o`FHBzi+>&lFO1+QDIJ){@6bpdkxT;jdXCA5&m9{NvK0x#IZ)%WIw6*1clCWX
zpWjZl;TSFHv(45ux3r|NCP~Cu$%%jeD7Kk_n@cGx_Cs4UK|Vzk2&N>_pJqqq=?x)=
zVHN8;@E8EGM|@I^KZu2B+l0(yJ?HDCIi)q}DHh^(Ht5BzQ!^8)P>Rt`45-MdD+64%
z2GkSZRRQYor{n~WdMALZl*0I>7)>262Y*!}9*yQ=4*h=v#CM7V7M%@$aFAE{1vpHK
z4v428@1rPVJ7j9kNr%rfS5SLXy+tUT>$mTdg;`Xel9=X<w+R8Qu2U#RIq0*+hIcTF
z%PhI4L(wC>vrOrbWVrm{E<yg@ppG7&N)V9T`Bq%huv`F>exKuKDS83skIYbT%WcM|
z<7(TR281<?T0-Y9<hFG1M8NF}zb{v7*Lso0Yji~6z=S)I+F4*dJUOEtf8zcpwk^)*
zy`H&AlncA}p7>u4of3h~v_?_}IF#cB)G)uXYm1--Bl6WhTpf4$b<FK_(Mm`s*&ek&
z|Ns7V))vLS_s7Pt*=*!0Dh+=CwJo2Xh2U4mqp93F0?5Tgp&tG<J(OK~?oVbMW$^kc
zmGj&xJ!r2)1wQ}#S3zFY>6D+!kQe5tm-6S_C<IE}$!Vt1O2{@D3MNF%6q>S)2B}_F
zzowM8*4%c+O8mRR^sSs3>zES~=uKz-FXl@NojH<Ds59AK8n99;_unH`Z{K9BQR|;K
z$!*x>uUi#;L@k#)ElBcC2=?dYs6~$Znl<B<I$T$dfvei>QTm6&_DZe1flqiwE<y%E
zLQT3{xwFz08IgO*oQG9}v6Mn>b8x7y$~7u`T|YRi0&E;iTPyCEZCYSqMW2Vxbsbbc
zy;t#q0u}_<exkDEy5>ClH&>CAGgSkBSN&oM+%0k%R7b1)Y?k4liCo2nP>Us1ArxG1
z9J>$K?>fUz-skVv?fdgmN_Fe@atmM(LS?mIf2prNMZX)C(5RJZ%pDzHvE~$AQ46sO
zCLf4Z*`ejl!Od~TD2eM$XC1pX-Z=XGy0;trWs+slcD8*7=KBVWDhn*$6-@%2_C*N%
ztaWet+uF5i^QCLIQt)lsgbm)Z)WLz}1(uk-hpm8dSRo<(!RuQlQg?6&&ErFx>K)te
zFPUuD+sCBK0bh0K@??9n>2^Du0~fU{!5fzd&61$l)M4L)XHRiNp@75wqm3Rf%D3|b
z9n8kkTcOtd40rPPz>2`<6#S?FhTPAX6t6XfuU)zQLCGc2=?ilQrb6=x(B-_`tn^x!
zFoeks>{iLSaz8nxBN^or9T%mt%?GADQxv}?SnTyoWu31?%tP>Z6&*89)2W5zmR)Wa
zg~E+vgj?7?IwNuUYcyTeSqHVZl!Lt7@}Iz29MdF6*NA^OTx{RLd89ec`H$J&H^y^)
zw;B-pJ0~Sp)I=MTR08D__aYIxeP~9fqpPF+$|F1uX-?2#+REE5Ll4q`;rMme7*E5D
z$;wF6m~z?HZ>|}kIWnUx_Zr5)5>*!PBJwuzv2=BTXXDJRb8(MWe!+3h_wM?lFX!=1
zfX}00euiyfUSFU~bWhKZGp?S#LFOh83p_aX4k=DfNsj{K_im2~;lkHkN#I1eF?wd)
zMU}o1=Ve1sP(vgNu^8b{{->=L)Nk93LSi&->+y|)O+Rt_yyQhX9dP;0BH-JwfT7H@
z@?O_j|BiRI3El=*HQMDkX<Dd6eqO)Z;JA0`TNM9yisqc-zZaD{OlIw(LP0DH7_HLX
zUj^%hs1f5_Q<d2n?o3~0=&MTwENlNNh_!~kZNE5MY#h@7_g${-_}PbSoO10lelx~K
z!LDLQ6OxaM;kFUj=vJI~m06%6o;T!Lf9rVa(N+`nk1t_I+XoCYSx_z08uub1$5_Nl
z`@Ja4EJ62T6%sobb+??T1LiF@R6m2kavFrvGuzb3wAj9hz);lK`IEA^uAFvTzMGGs
z7yOg!Yq~yBaMiMg5I)QUpPYo8B&Vwf>V@n4BNkURPmfVbrmzaem}kS143qXnLjvb^
z<tP<IGcj6H2sj`#w}Xky-~QDO&4*B>9Kmvw*=Ve4``B%?5#@^iv*2&*J57TwZi+@S
zKks7TyC89{uW77LF6WzRVr8%nWWp|-CPQnb@14DTVT!>^t)cTNW)ypSE&kdDk^BT-
zP)5Y)2&;&Btqcj`LY`Mmu8o%O>tNH%8-IIJfMS7vP<iW1G<?XkVae@Av|YsG=f0h^
zr4JmRn4;-(AUWyl^E*plsHxptx-nt%@z`Jrx};&z8DP!ZZLvg;=p5IheReVJ%6P2i
zdO%^g$6rkI^^JemU3toI<EZoHAM4Q)K_TC-RDd0P@Ulh!-YyHiL73|UIj&q=%$bl@
zPMab4i@szH?VKS~QZ0G?n=Yxa^ms2uaSzQD^Pvju=vO42W-!+DEltfsX?KQjW3dEd
zl8?lR87HtNZ#sX@a^J)>cN%em%D1R#Tthj0oV|}B>k|n2HxG>Fdn~0V?M=H>*_NZx
zNa<)dtCc5oLAGIkXlt*lAK`iUP0_-fqxE_+GsV!|j0dXA8Ub!nG0;BL)3N-D5j#gc
zX33ZLT$a7+3fRvSAIHusmn;5eZ}dOD@Bh!`6>Nxg9Mjk}F!-h4%Dm*fwOxHJ+bB^=
z_g2tXh&!YAdwcZ=XLYAR?uyE85x#g3pl_idJ@?zpBnnl~ceU9<6U&ON@h6t0rn@5e
zUldDv(t;Qx7Z)hyYJy*T;15rKAKg*xGFo&U)BJq5I^>A7VlnT*b42iH9cwYy=0H22
zK_J(<>?|X_G2+X~o#i|mQoq;Srhk2ZD$;p3kN=XK`rSF_YmX|w!X2Nl21!(GD$<-w
zl9Evmy0g2jh0>V(qmqGglQKP3=kV%?x=c+`Tlf#Ohu@U{G^7ode#$l@mo6I+3jtnT
zh2IM=^ZQ;Nl5_pbi8<U}{a3tBoXV|9+_5u{2B+(()DXo7PdIT8c*!41_I4|f8ECQ^
z*5g+;wnfruwiA&Om=Y{p$`}u6WB}zbW5{)GY8dHAO{OYj+EbwFz#trgpk9CbV-ADb
z_a}7&YKLMU>7V#JBS>Tf<5^egscv3eZQaVv%+0qti6jSawJZL0hnnwe&iZT>&YCYI
z3vQ$JHyDVV1`Um&$?1oqVxFz`uoh>xze&Yo_s0|P!%{eG794)g9v&F<^x2P4dNxM5
zUqBV!<SZAp4I<;LM9qFuQDHi^tv2M^(;R&Ym&|qsk&kzH)?^~+`u5eqkQ1K77>85s
zJ+HB5nJHwI+912KE>SO3AbQo<5)sdGQxAB`1e!XE=MfE;G{*8^6vOkdN57poezTgX
zMBTmmIvKu=wu!HMH`Sv=n|I+Ca(kDqebv<RTp*b39`BiN;nl8gY%{BYGRlgT2MF~T
zCY{sj61UmPok$KSUIBL_4XEJ$3-B|y;knIBWjoIv6Q<~BJIuJtU@AK9<jOrW?$^GV
zW-`{5P$li#47x2%ZJV^1z1g&Sw~O^>ccX}HEyVo_RR1pFyiS0z?Q-PCkxU$D4e1KL
zru?V8Eq-)}8?>>eVq#W#vjdp>m9$caUDPPZE>(Cp5<dp3nnuvLmpL0h>yRt?8T19z
zo1LbB2NNMirH1rBZWj`!X5IR<C3yFl<BVh1?4*76et;cozRzv^@zajq45NdiK<r%c
zjQn3@elNLvzpW`vviNRlXgF}O(bl+54NA!5()p5!o#SZrL{C|r_K0xhY#uCIX0btb
zhpYjdN?)fA6Hep|->)BJB9O5;Q$4<}>vQJ&cl}<lTaj{$h`6_vtPK^*w4s>mJW>@a
zpik~et7^?Ad6UZF5sTA|R>EiCX+CcqXVshiJQU~RVRrE)Rh`@he-_ch<%xh{_Y;0A
zQb_3oQufj=IUX#PjO)5z&C2Y~OI~j8H|+SK5U(<g)L5h1IOI3~8(gUhuAJztRLLO#
zGiYSfG-fG>Em6<$B`!DIS!Iu8A^<bBXf&oK@lP;GSakOhIdU1*r7&a(lN4^)l{4I3
zf&<eBe?2+xK|tk38s;(J!zU>O>W2VrU_u!8XK%dHy3NDR`t<}Z$?Zn!L`StD>=L$Q
z$C5SeQ_(C|X3Ebs-Kfwg+*MfA+b;>uFx88rQMXx_>8|s=_@m!;pQSLIbN>hg5vd9!
z091|Nrn+&|$PE^GjcbzxW-QJ`_nU=3d+?5J+b5RqpS1L1+L!CN2Q-{f9CJDj`>trF
zY-#_}4MzA`;w)MLtVtRBGGJID%!0Wqx`;B+cTQ41{(tfHRzY#KO|)<z5Zv8^C%7}f
z06_;QxVy{Xt|0^;+}$05ySuvtx4{YSep09Y|L%P6-L8GLt9Cz6ukK#G*3X!G<RP`j
zTx860&^$nonod2rFq8_>1|}f_eF?y)?HqcPU4l3zM<_IsE0a#O%oDA5+?mAUyuUV@
zo^;#j8+TWsT5Fk|zBn&miB$KR4|h1iDIpmZ0c8<DtOn|(^gVk;i1p2F`dg5gWE9&k
zFJ?H(HEGso`St@tD8<*f4jAzvSwlW28LPpHd(;QIlLGs2&S$sT7U}+@BV(K}Lk#p$
zn?o`oP+kMbXl>1{fWo@_VX^0c^GT-uWG~iV0<IfWsMgpE3dnwZIi<@ogP%u&BxZcw
z;}bU!4tYwtOE*wVw>;kQY2VsF2yNz^l|}aPXgmwMH0p#ZM<n51BfPb^e&O0&_tIN0
zb->{NeH8xh`EY=NMPW=r(~Bh2K|`k|+j{_~_;A9!X1UGh&O~f;?CO&1CCOhB>9ZJ3
z1^`i~0X~<uR3Xio+%iTl<^yp}9rK8Ox#zEMuXqYnL<wdkjnpBcLh0PPc@C<M<EV+6
zT@q2JwtW{63rh_8cpiWA=cW8WVOJi|f;)h)*b0hQjV+>vzx#~^<;dbzzUwcxf-J!T
zZRBiA-pJ~;^}@MqWrok4hk@h+DBazdYO|a<{SA;W8m(?1OY@KVZ21UB<wD(Rwu5WZ
zaQ?Qx>{za%Ae!M)BdSvFr&ly`d>KRfN93(IRN2a=z%^e>p4Ft}5;pj;(ljHwf>3aw
z%;3uLDb;`jn{hts;flX8rakG*^tSLF{x?KTL4B}e-rB(anyENUV^|CHB&2ZMei}fW
zi`OgWu4d2eSRgq2W8MFzhtY1i_qOY`zo|yC4<=vjjAHMb=#TY$5C86vEBx?S;XH*t
zJSIv5HDv;mt3V+>uis+=m09oC>(utyFIAfxP03$+v8GaB37+UQ(0;-rOj2Yt`{jx`
zKZ$$Q{ESI#w!M~nI+Z?*bSAWLw#A50ke|ZW&S4oxH=!i899n_Nd`6C9K4Yx712a_C
z7)a%ZpIYbn65!jWIw&`t7~rqs`{2d8kJfDnVFbyZI6AL&%W4Ue^kMJ({fSytplL!r
zrfG-MS@AKI+CHiyMPv6U8@uA$(B<fBzkvR5>ZooQUpGV|e2@i0Ob~zsB=%%M%b%SR
z)vQEx)@#|hCB<iLquOn%-aKACM6kc-sd{CCBwn<OW8dSB3<s1+<6b9wmR8Pl`)}I7
zU#9Levzph`@~Yo+C>B5Rr#F>w!7hB4E@m~dI~{-J)>oa4LVhA=XSIESB7ixo6h(k{
z?nkau@pdH#-j!xEhu^Ho9m`lWL=A~Mu;$b<2i2$Ao1p<*@i-|6Rty3rrQ-kV!v7cL
z-Q1W`-m<|AE8{Hj2q(ll;kUA49|G4}Co?N**#FV>(l#x>@IzCsqj%cAQ)$udP@6H;
zLR3bhR9Gyh`-c<2>W#l6sd==`;i1C%f^#xdsAJoJC;3nN4p%F-EP1GL4E9LaVJt$V
z$uMc8KrQ4c$4@fTI+e;#2lnUnu$TyHw*D_ysSkG#)74sHO426`lp$Ay%VD1mo)YEC
zY)50{KunC9>~>IGlb~I9ZSF_q$<{yqS&ex5vn?d`jwkYxzE3Q<I^}?4k*02H$WA=F
zV3X(mYA>KiYIXYePc2ETH&J&K-SVTkxr))y2*k^dT}?i;sIE89tz<ZdZ_|qPo2Sxi
z^OS=QvagFukqR~aM#sFd^Y(5EQq>xHBSz<VRTE+8Nf&){WoJg;uUZSc_u$|r7a*<T
zrW<U^#&W*%ZZ$*c?@$WXT`ptz$Mh7|%8D;a1lLkENol4LgeFY;QK0M;%Q+BpjRiyI
z7-L_VP=?AlZAMuOGoyl9Cv``ar^GuPof54AMTX{0^q9BnXPx0P7Cz718Zu_rElbRi
zs5}R9_VYwZT!M?wKNfciiUIuqq66E&*G)gKveSj=7c%oFD}LoI@snGwqAa?fR6<l4
zGG>ujQ7!vKMCrfSs}Ez@`bXLd9=d&lEWhxY{4Ln%Oj@rI4crRXwA{53Zv$>Bn%A=k
zdL;B?A#E;Y>ve;v#azYL3j!KxJ9(*6r1I7mqJtdb>ULrgTX0xeO9?-~%5!vLMVVYD
zW^`Ey18-5V^e=x)Umk!uJOdDti?QQ>c~<@4lQ1)BGRx39>%<Ib5pg~Gu;`+a7|m0h
zcRJSdayH}XP2MkvYCgYHJs7v$Qp%Rm4){pFa=3fyD04+1f@q^08!6;DbyFur*e_!M
z<~!A6kJ`QPZGDWU$hJZkw$lNI%>7~gpanXz;>+n4p@P!Q@6jQ$nXg^mWK*>))Pcmt
zzLSn;I*BJUxy19A%l+^8-$aEaRM|-}J~=Y?Eye3XT57^ppldE2sO!mtvzpw^1W-5b
z@;aNWsF{C-G91nKL=m9=(zFEwZ3oQ-YU)=&8x<y}zK`p5k*Hl$wjVHtrb8yO?Pp5B
z-d`n_VH?NP@LMt*e;uus$Cw^21_!yl)sme}RVng>ICa*JB2#m?3eJwwlf=$QOIpf^
zu?Y<iY8jz;jc%f=5Fl@-?EElqY26a<YmS5xg%mb1ERN1>ZUE!rbzG%|_8hPUY%6W@
zL^TyPeRNC2Lq48BL^3#!O;Dx?w9Q^bqhvBrUcKu_Lqg)vNl)38vtM%VY>ll&L$i*)
z<oIji4VGDvdUd`02LD{B0?<%csgd|fXk@AsAvym!+VShCR|^OkV&Hh7hhK9irr)%>
z{qlORsuR28f(8;lv;e9V!H_h^b#9By%&!kO!w&jF=&u|;Kt1-_`urD?rT}J+XKZ)=
z3#lF)?ia+{8QUa1eDVB&mKVys@}DcE3|am7%!vBjs>g_c4LZt+0h~zMS0uu_xgTp?
zf;kyUM+!{Ts1ypqhMalk7!*Zn26ICx5l!=1_7GtQ^6gwqqb?^d-d~PVn|k)!rf;%W
z@nFX{3-krPp@;Oz!Hv}aw!f-xCubU^@nuS`pTd^uV#cFn!sVJ81`MiPs+%iuISXqI
zdq6c+YAjHJ7p@!lM^*&QXF-?6$iO#abeu@Fu9`hgogx2+hb7k9i#3y5fz2gfkeZw|
zdYB=W`BQ*AW@RZkCDK0H)nl?_7W31+$aQk73Cqw+fZ;+y7x0NR>4w}rlh0m9swbl=
zP$7mH&$k3*rGCGUY;s0%2`dXE(K;GKAz7Q!x76`;JGuxrO&lR`>_+3G{PQPNMT;!?
z^A=3)RzMPH>^{!1lP@z9X_DIDN<;I%fQmcfFEp0ZlZKu9vl!opIJW+yi-zUx*$>ur
zW!Of@VEM4|FKp)Be`XV88>JsqLxR(XO}6Qt!(nbU!9jpsp_LCz^a-M-0txKN3(Zbi
z|HOGfPN71#$dc;p#)$6^8yTZRX1m>HHGw*GT&4nuky@4F<dSxcNw2RHNBal<U8|($
zA=iI4QGI?YSBRh&CnwZ6k7G~c1jzfZ)LegqRGezDBq(_z<>(SOXE#<RJ5s$pKXhok
z*5Vawm?>rN{d!ZVe=D+9y@XLb$Dq&X{Ty|T0_<2xuC&`T94vL90TsT{#PMqjBGPX3
zE5y?H?8FpR7)fo`yX6W**>=J_z8tkpbiI4nAMkDdxVzVn6$$)B0v-Q|p*^a{HBw1$
z;F3%|j}*Kv(qj$gn{ni++ex-JT}hSVyOdaN8^UTib3S(PR?SA7f0QC$BgC+6sYpDD
z=GCUXpP!`4D6JTOmM<UORN0c-`jMOGM#|kHW!Wd2@HtrSH*x%^sv7^cO8=29E9uk0
zoeh54l(JlLXUv{4&FL<;p5s-?>Lkq&y<VKT6&uwm%xyzwuD-&4xo8Hcg78J8Jp29G
zAPXsieghxa=o#fSJZu7?Kka1;P!@5K%B&!S&&@r#`eDFjwdI5^FxCD;rLrS)?>F@|
zLsLOM1p@f*fzuhB>_yM&6jKM<fG;nK8NVNmi<~^TW}|4DbJaqUm>usha<s8wvQF2a
zpM+YM6oQ5k{?!|zRexoI4jT4dS@`PoS&^kS%O6<X=j<iDlW$;$L}pBYI(F+aM@n$D
z*wZS<t<6GkG*DmI&}ko<-Xa$wGB#ab`k+33t!lPvFpPE?0}RpoqG`T2vwmCh`e+-T
zEa6nhx~VX9<h|SYe%}SW4>!<13$w=<dbxWgOzfHAP<fBR_=m))W16_#?e1#Gu_+!q
zSus$m0E#V=LO6K%|52W<A;Z`*TiK6b{<C$gZe8H@L+fpFyZn9#rHst&`(8uI{|Rvk
zu-pql=s-E@vkmWd<OP-BpigSLerYLNSrrodF3Mua=fJa(lv1hf_>gtH`ty9Z{`KKf
z9H`$#!XuM7a1=3;;b1K>j&dN)G`R^%`%<C3t5ew38B6&{0Iu?^XkFoH@CNv?hvo-Q
zhEm0f|N1O<rx_jhYPn`^+2~5rYG&Pp2-yIjJd!g+jh(MF`T6@l4{v^7i@&~)MK&%e
z#vaS}qAg7heDH{o6zpY#@KSr0AGD|!*IFNkks8|$p(tMIC@@BRFm*5`ELHR_v}?li
z)n4tHU`76h6U$TW^#~8fi2^)tWMwQLMbyP#83J@}SJSZSXgvD!KIX<sZ>d~G#%CUe
z+W>b|P0MZdr5rMe3*7Xj_@JpAxJ4Osg1<I*!hMJ((#el{n;?!*w{?l3-0183!lx%_
z^wb0@`T@mF&!#3viQ0KVy5DGj(G;mwU`I5&)L^xs?ix9UOon8A@)}+7fV9?>B(GQ-
zocr)N0)AdTI{Q~FATr567D~=yk1I%U8=&0Q@RY9hSD(Gau^a#RU0z}Ho$_Etk(J!r
z=GI|D1zjXQYd&Btojk6<KWlx)jhGUc#NnNG%-MvaMn~+g!fmHJxxjKP$(+5&x<Y`<
z9&Ud1J%9D1ASVZ@2f2Rz?a#zdKP-z)O1rM<I$d~pWVpiI7#n{$Y^)^^TnzX^L?-3s
z<EO4QO@faGUOk<gFQZ_+V71X}J*~nBk`!+K&JMZCgP5kc87#=7wLc4CfL4P(&nqz!
zGe0p8R*%7n;h!5%{2rxSUUhaIjo9I%!$k7qTF#{cBKRH;4)FFmKE0hT#813GoH$qB
z`4)kzqJ5(+^bdS_G6#lT{V`|r9@1TYFL7grX1T)TfpwRb8AGZxo*R{LMB|0~Y*f`M
z{&xok7xn~kxDyW)O_ST`btdH_7Mprh8Hof7$t9Gm*;)Q(EtfXacnz<3VI;L@o0{}3
zcO)#958pK%<#u@V^fVs)y*~_ZHg~(b7x_&IJ+pWv?}2smL?EZuHalamY|~0-iS36;
zN&m&EaV>C)O$3+AWB7;SWL5mV)7vP;o&P(*rp7#jNab6k{igMpMGa8|-EiynxO8UC
zbV%!tF5hr4!C#utr#877llDQaTR8>sMsL5;e;5Czy~3sqcQVlVRi}$m#Ecdx$P(`7
zbVN*k(4s~%qJ%mbfMt2-PJmC+U{vHu(~&eK{<8hnU+TD5*@fOeDl}oK7c)&^CCHgH
z<U@H%4+iM30NC+mTU;mq7#{XXyDfEP=9}<C`V?B%p?ZU_C4plx?W(IK+ra3NgThvf
z=UU_8V3=P8II%;S)Nk}SF4u&TDO60bDO?#8CGuymIqfFWZN&apR`0H`8c`J9;Q9OQ
zHATAch8<7wXUe}X69$7d)k?D-5}tbLIry4pIb*1K2_o>kb56J+mYtHtQUb)wk68A9
zlCUO&4A0stD^4)Gt&uBFUw1tFb!R<4hwwt57b2+nqO$DXru>JGo;gTC53>(v)z2kI
zYv*B@?xc$*r4Sw9h_y5?p)`Imht~MhU90o}*20}?zA}SVq)T)_ai4bL7Xtqo@*U4c
zc9Vv+-@y_esaCkT#RhhyzH#_Y<(8kgO47JmP1JpwHfD0DDq3#!s0JBGq?T?fpKd5%
zd2y$<Ac_S)gmUc{z)uEHLb;+st25iPez1qAZNFb%r%%{)RM$6!flpsgz3g0O2|WM0
zU{1AKqNokDqm>HU2{tpfrq{KY*Xqj;eOVagw<NkYR0kzV`@~rI;9W*={TkO|e<0cR
zLMK0pM`5kM9uThQ7tZKZ<P|>LLsS3Y9L-zxkndxdc+KlQ=w-2or%x8J@hAMo1NUBY
zCnOO8J=L?wBX<KqZI*%Q|2=>Dzy0`TZdj|}8mvzBmkr`6R+(>gF4*;NO_#ip6@>cG
z{_n(-WGe_0pnWl@OB%{0+i$x3(|``c@Al4xLXa&$O)G-5qy(gy$8T&gl;A#JNZ-rl
zLTOTv&)-1kvTXC-g0Q0DNqY5<(^5d<3vz>@TdgAYlvrf9q;w)hefZu>#`$s9*yFR`
zb(fzf^dI~U@lL0p5d4R?dx(lDpSE6PxjAu{>86!@)Wr}5*&;$~@bHH4bg=5K2=nhv
z`2705deb1>_v}Yz%=qLlGRDV>2~TS?r~~3<JHL*A2<bmLWf*PjYdNu()iu<Ut?Dnx
zEe}@3{4DUjk-`>o4i$o(1LqGw%x1bjA;6yYN?!z$`gL{it!7xtUVxl}|9wSTGNNJB
z_Dn_>HUi%o`3z6f21g>Ob2r$zB}k?&E-4w)&*yPT!Cbv$xpc(^i6{Y`=(>Ew-8mOI
z5@8S?Y*Ofr$~4nwuzPNLO+4+svf+IWRWTX3XMg|0YR~(x9<KGg*C#Cfo0as&VNiV<
zD1A*yIrH!hYAJ%zp#~niKtW=rf7Fvo{$|3EeWR{Q^p($vBXLhoLJ`ZdrnTqN#}Ve`
zevdHR(a#ce?!N<^l`-f%ACtv!BenW%=0AB3j*n93!LtmXys_kZh&yAq%sfQcrvI>$
zl{7v>dy(I@8hc8av6MEQGk!=tMK&~J;Yst=!J1#^xmozUhB0uE;(L#PJ<bsmrxXt~
z<_&Jf7D4USEie6KF|kWTV~303KrJZ{D6A3;-yoYG)}+Q}eg{~7M7=zNhxj8Ir1wEc
z+5Fzb2|Qe`e$Kwn*Bujd(A*rfsR(1dR&Ly_t<J%rAK0gB$3>qFZx0_O<%WG3Fe<wI
zO}Lw>aap_;8}bA|3?(rsyrLyu$u)m?98w_pJKv2C|NgLDs&VwL$LQxt6#je?pg(v;
zdf>OFF!pC)0f2SeJlnbk1AAjFaC&1lz^XV6T&qhBo&IP9<{DpSQ2Q@5j|EFOmtfyV
z;8WYQ#Ht##8S(wO_3H2?h#8%vWGINm?Kl*35}n9-BxV~o(4N?L0s|vT3R1Q|wAM~&
zz)YsD54S!MKyy+kOT5}QUrG8pa?rL6GO%(fh{4OW{W#(_WpUu+ZkLY-;qc3k>QHww
z4iiuhqtXdlG0OL&!~F?U9z13G#h?CwHTY%-WDou&loWXWnAM1`e#o3W6EJsZEM>2N
z(Qg13LPE$CA1gdNj5uUlVQKD4r-T2VTM3-nT{731I@?keG`4?T{AIo%Bf4E3u<lFf
z8)iZ@L{P4hjUvz}(U`B?{K-Cv#1!sGM7KC8*spt{#}WqPDcFtFyMd4~EqYf<c*boi
zdPip(;vQ{|h8xLlyQKY>NqanGpTBxMMqvA=?!GubS$Eum#nwZ9BYGo_-bO?}sV^x=
z82eY}#wmO%xm!3Jxnp-(uLG8}!6uGjUhb&y;PbPb57-YX$M<$Sv%g7vZeP!QmtQAn
z&pJ8U<2=%9^jkPvRa`G)eI{aQ`*U=FbRww&$c0<bv{F(<;Tz#ADzih;RK5YC7I=ce
zR>1exxX+-|zx@$|FWTV+JDPy(XLP5y`5hM0p9MzS;~0G&Do@Es2{DA)m=VqX0Q5+2
ztZP9HHjt1{rJqEtAmWd+`~}(BnS!Rj-YA1!X&k79(;DEoxVI=S-jlPNNFj>V{Z7YK
z>=4U?T5!P-!+E~maJJDQ0vfl71gi^#^SSrlYn{Y%B)F54?2N~~)^|`cdAPW!Lf+^^
z49lH-e^H{ZA8P7~o*zPUF|j!jOQpPYTduEuO+nGQ{_^6*n&qGN&%@Kn?>8S)E|hft
zu6rai#sSG^|6KJh4t0fN)P-1?1mV|Uc~CT$fi!e_&+qA9@AI(b?KOVF-`eJ`%X*{J
zCv8=Lvx~^Pmw$>*r=)qq>^0`384VUS&duZRAwgnh7fmoE>#%>kqWXU^5B}Z!TdjzO
zyE1(%xHU$szPhzne=fPHzrC-{@BfqcS^q#_LXBE!lrY$RTu;UG)L3ivF`1bMGV+mP
z(2PV2iKGJ>R;bM#{&$r0ZaiH=dGWA6PyTRQEb3E>LBrm)<ltFkWbgasalXc}@!_E7
z^S++X^>;es$~Ux?BoUpRX`iCHw7`Jua|CLrLDi-wqXA^5rDHeiPNHa;XI7SS9vOG=
z<g8JJI!f{w-aTXXh(<I?<8_pBEGetP>8VMbqHFG+WO*^o{+0NXnjKjyqynR~p7DlC
z=<YF>)TDw+^6r`*fv0};k}-D}4f;Yu-GhWYOWqxj1u*W$?9j19UC>mQq#zd;=vcpo
z`rht!W*l&6+WZw~t?|;?OXoDRv8^|cO8Jp*5d8fYUSWk?pW~$4^5)5NXLPi99gayi
zHXqUkN4wY;EV5H$xl%vk`RdE|9!A)Y3e=uI7htF8yDW3qdyoZ4L0vC?wU5`8>QYUo
za}-wO8Pp(6&jG$>*~WKv4`!Se(y+?>qP4?WhwvO)nv(k<=s1xj@=>%K2gqv7xw3cA
z=!QaAXti4V0>Kw2gL$5aU>TI)?$5)gg+pC-uVwSW(?n$gMJEFDVV>4BkD^t64>%Y@
z&)=>k%t%I7%w)!-3X~C$AtF;^*tvI;V1HVuj3kyWWGT%i%Z3CIDySp)9AZS-lAK02
z&X6~tkvks}V-+_y17qRIW;4lD%fl<^Ze#YdMKhK=v!#sgbB9`X+Nr73rx?S#Wp(-w
zc)pV74m8LPqjjj|a4XbgB6xl~KS1V4c20@=aQG2?Td@>R;&C39E#IEtQqXhr?>}4b
zowsyp`4=%WI6Up&P1W%+Wdeg{<dGY5PR^~V%0W$3jA%00fB_gG>~a(n%DxPG;Q5m0
z*5O4r>r6HC^Cp+O*6B0BX+d`ccl&T(-I&78Uy9vQSW^;w(?FRQvpu{GTo{Z{^^}^~
zv*&ibgN07W6zLLqB&;7`aOY!7-hUMU$&_robzEm)V?ICDk5@LM#qX}hx&xnA#Iz*A
zmWeY7cy;DGX_BYrg>_hJ$!xY5W;xtqP36O0n68QlY6X-TZiZMPcTyXz(Y1r;@m~)}
zhRV;Qc+RJ?z0${2GP<k@NQBO<@Yp1@YKE;1hZ{BGDg)cu9zbh&{btS##edFM_^%KC
z&^sLuG)^5EK7BFaUim;m?<F6rm5^~72+JU~Rjb^OE~jUORnF$9?^|^mo?YtKc;Vx}
z@-%PO55@?<7GfIcZ3RlS=4Sf+39Gx}TLq43g?%Ih1>`OS3AyWDL3k-wxM!564!ZKt
zQ*;{oF}W-K+dp>`UX~f~P4-;4^Kow4r~w!?iEf@Uoa@nV-najMEdVuXDg7A&WibzX
zH^aCk(|0Jaf2P+B3P?T`*GR)FKEzUpR7dd2weREDp<6qGZ?O(PNt+<yYg=YmLkL8%
zCvz@6l1_I>5=t~lSlD`>A4Bi5S$Giuv%l#xA~>H|u<aBgPtgv1Y;qyQk`%~o`UJ{U
zJ<`+_r~zSTD@c{dIdn15xmI%Ko-1yZHETRtlTug@Y~eHnCSLgr-FLnBTldg=jRdG|
zZUcHp#5bq+5A$P;mVZ+_gxeg>H3To=EQ^owGF2*$Q;!vqi<dwQ*uJL>Sk=_Fq4WLD
z$wk>#{iuZVnI)I|w1}WUyO=zcCI~qUV|$*bv+7An=I)MZwTKem7uVzdF^6MWi0#m|
zM0=?C_?)M4R)`_=>7S>TRMU%{Z6m8EaB)HVq(b!KUMN3fb>Tv(Gp<9V{=N*Mg3p~3
zZU|%C2oczw(uu5^KCnY*hW;<vR&-ibK0i%$b*{I+nb=>eJEt5FvUX&YPurrOWOe&U
zYSyz3!q#3})(OO~8d=!+E(0t%wYK_=eDL52qERFWaVj?U1lA5GixK?d^6$@ufy*y?
zQJWN<-nE`(kK@O$OKF0myX_MAJFy_M#cxJrO`y*QuGw2E;wCW^%KRM*oEcD}(p8)9
z*#AY;aicQ)=mWlO$H}gurG~h0c<=o9P6f_3vPCnoBCglc!hyo(vnz0<x~b8b{<@qW
zRMk?`3yz6j;2GWO4-2prkn7vA{?dW0k{H70H4CK!%zbj{O^FDMcQe{+uqEm-!B~iS
zQ7V7P@&R7l3n(_wUZs+D5w=+^g~2U57B)BOCC*#EPaAvOC<^5+O3pe~|9rrxe0i-h
z*bK^7{bWs&r$*0cI36mZ4?^);j$!NSP35+TO2d1VJX9HU;H!1$t>L&2LVc_<BlUll
zQm`!u1hJBu>A9;6F;!nG`W6c}jg?b2I31^w!V@k##??6C(U+dMA|WYkGmo39KYkYd
zx}fo@ZEr+H48>tu3Qhuxb(ypo@Zo53Pw)&LT={wIjy^u;@(H!ag()cY%*<eEmXnXj
zp*r%jQJ^nS0A#d|o@L6Vvn?BloyVMiJ;r{{rN2at_fw=K?61z)M?0;CA{JwXvxTi_
zF6W;&T#>AwawW#!v{{6ZpT9328#KyKEp)j(A#+|leLk-u>kf@$B9$Q>jILLq1EAM_
zWJp~VGm&R-M0S)prr??jVqIz#rXs&D+6Tnpye&kSRN<Qzo@0bxJN4C&g0@K)87vYH
zI+G^zW7e(dXIw&u6aJo#yh!H!QoNZ96XKH;VzXS?uCdPfnRH86bzbEr!%1OPx7%$!
zSdzaE7fGY%VSwOk#_Sq)JX4sd9M0pn#kWKMVKXp_J=Ub#Y|FmAe&V&jrIGoY3Q9>}
zuw3%9^<vW6Z~E3Uzjb8Z=#;+0u*pi_3J;5z1HI&#xT)|BmeIq%0w$p$Lc6<`J&8|I
z*z7vL7%_xiFDv$RX66Nio;?VMA`sI0M#sS~U2_?4o9}*Yj|7{qd$ds?3qO{ula}Fo
zztpkesAPa8`Kz>=62&Dx*cZoY_%*bsfd-tZx$d@?@<|VC$I;&wD)NJqH#MKtb?R~T
zUUBc{-$+Y(b9)~Ly&ck9w@6sdmdh>~<?!9GMVv+uaXL*BZ|xII^arGiP|Kf$Br;8S
zU2m^*Gj=5w>~Tb0k;H0^{~J`<69=>uGLAFr2I@2VbuIQ7L5b<6O2^h!NwoUpm~~1c
zD>u^AgBR;Co_W?zYv2nY#el90&`sY9F+Z{v*#VevZ#RRenc0B0#DHETT43g%jJab@
zU<kVcE$Y^3&cJT2@VsxOVS=zqRI@LifArps;Jx|;VXD9PwSH9jgZbCh7vr0(23|9&
zXlqqEwDE+4Zq2vij4t7Kx4d%<W5|Yml$Mzc%zRzee&-4;O`q(!*=kPk$M`agUjmZ@
zx|tEse`e@SnuTZ^->_+8@&kW;q{bx-JLDOO?O`yk`hII|u)^lEne3GCr!Y)JHJK<3
z!J}c8eNpU{kmM#e^I$0YuWC2e)iVkB{x9B^Qx2jS=~s60JOsB$l>D#TZivz>&Q#S2
z&}6&;rzCQ#4};dTDfUN)Db=b>Z)X(Z47W?6$W~<K@WPgz)u-hMUL*qQl9SY=vWEDZ
zOKY3$%58+_T`zZb*C*NMy!H*Qe@Cn;$agct9bR_eLUC$H-9C#%nC4^U%%AnGFVzad
zDhbZtKTNcwQZm9jA_sT_qKq5147lDM-=0<{-ALIdofS^>MRb@22E(4iyma&gb=B15
zD$N$<lN}pap&yGm(3?N5+bo4=`PhrtWvp}*FW@OuyJaUv9WJ{z{O$kY#fQjg*PCe&
zGnq6PAeOEn<5YE<p-f_BP%mFDHHD|K`sB+Uo|b+0NVMa&?Q`IXeH{oq4nL_S+FhFn
zC~#zIRnW`ZEWUe$Cwfu@o9J$@#g%E(mS4{P^R46nwu(R3PR;YIFfOxqHhPb`>L4N)
z)ZfPNPp1=nYM#Mqx=zL%;6f<W{zYz4<0@c+`AT7<-|pkq{+PUf?r#PEUge+hFb99$
z5Y(pep^ovBiR#Z&I5!eC`YF(x>vYo8*z`XYC*Hz_ketou@0tF{eMVzT+d7?V!VUZe
zQ#|^%Pa;wJjb`sk*GUVH(^@d76edw~_xdIZZOjW!v0%NDlve7J6FsV}nwXEGl#ITP
zZ(gbl^7Me;-AXJwrTPE+c!+M@AufHu=i#wsTQaWUb54NX-(3i4BCStK8Zh<%ss%M;
zxzeumWKm0fqH**8E(fT;4quElHf=W_nG39*GKmogaG0765?yMRD>@<@LFB2Ke2xGj
z(SRaNWjiuuMa~~{QaoCAk&tOT%iEaXr-)(>K0lAz8fRo4qOgC&wDPgUyCOTwQ#TXS
zqSKDoUM$d$t4*276Jf<YpzrxYEZ{w+Yhh=R;On!t5dl7bH6CYq^HL+>5R!)?D8eSM
zsRbR_fid@i;x$y|pImC<$N53mC(c`q)DbMPN6R^xv7#~xU8efN;-wKngin(qjV47M
zRrTxF6e}zw^h4f!Q>V=dO&l5I>~E<kW7I=U;>+9J$Cmqe&S8l)6{;rXYE^P`z!66=
zUii1!^4k&RJKsXJOan>7X>1S-<YxU*Rv<|6kbo5%I4cMXQg$CDwNh(#cotzy(_((r
zo;1+Ud$`_R(=pG^8W_WSlm|!5!^7dI<jbfX=JXlSC7`co?8%~@1}Aekx?J*3f^ML@
ze*cKCc7r|7%KUFRZ)URgq|!cP$u)NLWge%1xQk|c7=%~cT-ZOk+B$%ve__Nru@yd<
zG2BP#^`#?<yQu{F!@HtUJX2s%)H)&JGA@d_(}>us={Y<F$f`re0`-c8VK-fW3NP8e
zK*>GAEM%n{N+$~^zUO-Q#;e%`&Je4#uPkQaBY;E<{xLBMM3t9@?s*@`tgcnGS?dIr
zDIx~q2_9ZnMM2wYLinR^s8G@8uAMv6%L!=b-H&_kAiG*bQU^<y9?C!O9EDSEGY_|7
zUJp7s*eIb46M^)Dsm4#xw_m_1j*%uI)1$pg4;acp`Sx#^{EvQB$pF8{*UU!0e@_M}
zeHJT&f}JK)O@CVmqPpOBXwg?>p<)O&rvU9E#6*tc`jJ`IRnlvw+0u9ertOVV?|s>c
zKN^2ia_pb{Sn0W0X_vRl*>?y&xd@BmU-#AG9xJMW_Fya`bmCjr7-7M%9=i3XS@NR+
zON<uti%S31f@(q>Mo$89b|pZ0VII@O{$?LLkcgS}TO<-m&Mn39Kq?5EUo%xuJNVhR
zjCR3y?ceDCmhe<7lS3QHx;R3isz%(Cl;~13THCwZl7-M3sVJ>Kk<_EmrC2rxlc#|e
zX2qm-xzW!U7THva1qYIofaDoGP@ld1gV33$yObxh3=gs7=!qyN)97iE)OMjTNiN2M
zeq&YvVY!_acaRvp3=fuqmg?Yd3K>%=vMT8|T~fgvw-QR8IL2+YP{3G$@FtqyZ@+$}
z9{h?P*_6woE_SW@ldEH4B7|eBl#sr3Nv`>JVmUIou5AD?rVa`8c{2*A)WuG*(GguU
z-NeW<A8%q|`%6Mr!H}q&oQR-;#RA2ObksH$5>J$IIv)1{x(pAW;&|Hc9Z4AbDdGf7
z7$6N{!c;-Eui97QkGgBIFJZ12&X3fOz2BLSGEjfJsx&19wZmPiZ-<d}w?-pgcjJJR
z0sex*s_?g4q36Ey+EL`ht|A&SCe!z1CPYz8Xe!Za`l?&Bh-V^GyEkUEK*rw&g8qLA
zh<D(_j`ncRbUZPr;eH~nYJxD1BO|y2>b<&?yTe4J$528Nc2|g)GwT~3qFL+twVSta
zhjKr$tTE`e2Q9)AK}a$?rx^M#|1rlmp9)cr#m|+5HQLLzE5kzfzcm4Ig!OZ_HhS)s
z>7Uf^Qdj25g6pGyc7FblA$IT53a#+ZbF1M`w{P{z>c*+e4;_>E)&EMWv^i@;!MN@@
zv)v(t_v5-oKz!X@?74yyY-1vgHgFj+cV9S2eLB|pQD7w=+%6q~*|VgCnaH1e*_&Z)
z$R70immq>7gz7slEA|D@bk$UU%kZuCD*1pio7JN{8L%U;@y|a|?cU<#&*K>Ka*Ybg
z&%C74o%u+id(L=FGF4$`0-%Q@<Z)z-nDyogi`9zFJ+*K9f~?UsDTmY@Yu3ebYb#<d
zTqN{~eu2U50I{UW84(k#BM9P7WmiSE3IaN)*8f+U5QVGuS$=8=WQ4HpJ*>k_B`Xx2
z%yr^Brc3k@GKzhbbSFjf3AwrXd$d2nsoohp_eX(vbSwtK%!h$NugBJWJoU+oRGZM=
zVD$S~n93LRZOezSAu|_RKMDk6C9Fq4O#8kx5=onD&q&Cl)=52&cZl(9Hrf<2JK&u~
zjCV5J!3AVeH(?}1U=puL2*wcOL=PYF?2(z$l;-B^_&ReFahUkq63fDw0kFO^`c1eo
z#g7$XHvQhIdPFOXv$q_q`;niT@`B#{MFJgx_?4Y6@lcpF0pRP%<QZg5ywo#mh%D88
z9gu_nYWxpi0uZM&g^Xz_qC`o%wgRc+?H7?pg~);UE=XJlk!V9CDNaRV#?-0L`eviy
z4VsaaK<LN=(qSG2)f-=R0`c#RJ1h&7O^0V0joDr3jhRA^SSOWt-sKJ=>!+>h-qeAz
zBMO78M}ZMQq+b)xgKGIv1FWV=g1t@lsAoT+;1CfL0yb;%gHYf#q!sXi1LGq_tH@+a
z(&|SFYj`>ZQD33udkWGSK+S_)-B8UF9taz~aLG^bDdh2(Z}o}#Ig)?h7nYnqr&u95
zC^ELYm}QOCp*CP{v)+ukoVcU!2YbrkGMs3+${r9pt>FY|S{WOIgM7^xfzY1W=YHi@
zXq6l-(9w(ery2$8%=Ddi73Mlm(Jp_A!5}05Oy`#3^~3^^*p$9JgPq{3KBhGos#S1+
zFh!%EK$z);OA%c(D%GmCcI6@>v6B%{nMKmdd*w82;2OP^UI(!_!_bFc9sGUXrj>Ga
zlle=Wghq^Pc*%72{>6<SibmdB63YlTt0Da5yv+5I^zIirW!8{*p*`S7Ddj%v-V*Ij
z3}3~a<GG1|nOpaR{J+AZW%yBY3SS=)YDTATZ7kr^RljvPhN6IDXGzBDSR(W(JgT34
zKU2Sbn(%HCruP@#g`x|Gf#+9PvMigd3)FBu@sv%-yW=FX4pQWSgQ1)b(7p6KQWH7x
z5&s!kz@gP(fN}eBpWD>NB%k+ZKJj3#_Cv8!{{O1Ze}{fc)9DuyFYXNlSCe+(Fc}!g
zb)19w9hd4Cu~rBf`~Gck(QclP#2N<PZ9#hcibag$b%Pl|TBsG`nq;AKJ(60cBaWd;
zBz?Yw^=3Z?5K#o+zmoK18pKBYMlY>Hb3olp`F!ta7>g25DjB_-GvEQ4I~QlXaFAL4
zA+Iwqr_Hi|^sRAqL)4@sBJ#OxE*Q-G#r$^FWLxH+!4aDawbzVMJLr>3je<Puzzj|Z
zvJN&>)5LqS$?0v9tV>G9YPMI>gW3>s7|oRhT{3*uYNRobm~d$CFRSJ%y8o`M<1EQc
zVM;1k!`f8DOGfgEm=J>In%wvSBLrviTw@AKl3Z8wjpB#d3pZcDM?+JJz*vph^37C5
z01Ln|??8qZI{dJkKx4q1AMv`2^-nYx-uGok+<EESO#PilVE@shc!?-PWIwSezNyEz
z3@;nNwRxn|Wxw~W*Qo#4iuCAwBjT)CU-^3)0rLy9(q%}zpi9o=yjem2S~!861J{m&
zc~k&vIlkvMti=~}CWW0F`bp)C-&>J=DbH$?8iT@M_pX3e>{v;Z=^y)Dp#}~?0ylRy
z^el+-YEs>xs;B<k2G861P4xj0;z=d81IXk0DufDGEfm!SZD={`;49<R9)``;cHpu<
zi#tVf_pj7%avBRm9ohEzLt{8z+aj-y`;8LmgPyox6xvEVdy@MDO`@@51^qNb?k}fB
zQM;~(^XrZ1EjQ~f;<BYAWJ?p<sp`3JzUMUtaaUs~)|&OqD@RxIh<gCzj2ZX(Xm&<~
zmUAR89?iyMth&__7e@S`D$hdOjguk*04BDtgczX(kRZ3atEm`Vz7PsJ78b01>0O*N
zX)J!P_AG1}4foAXt7>_=2d7VsZ>vlh`Eh1=%YE12_Z68xRTiwz<{S2nN$w?VbF3ZZ
z-5FmFRopxu(3)%>KES=qz-VXt&^d#CSdV~~Bfb{fy2cD!7dDHH%4Ck2E8YGh__}GP
zQshQ<ce7H4w(>u+hGEo?2@a}6sC(3yMq=-pxsI;A8nG<<3bZ<wbN35s-KC(yUstPn
z1q(P1Ho}A0;6?L{WGs9weL)&e{YqM!s$r|(Q%Y<)zOUzYqPw%|V?)Sm%7Ai+NJNZD
zVB0KVvZMNV({J2BnQ=$ij{H-Hr3)sb7VC*%zv}O+;QCLi-;0jKO966|;wW`OqO0Fs
z9d(a>Q=lWLFO296%546zS7>LZXRJ*sKlvgn_>~s|J*1FycIoT+NsX2-P+qyDjZ;kI
z+q{?XO*4zRY)gc~u8ZaE6PFZb@}SQY4;7Z}E*uOBDfad>jK$?p_RnBrlr>AZBTVIO
zmv5$h_#xCLKfwB@)hhb@Y}guqD5!*<6N{$nQ+T-G66Ip+c+G_iFq|-#k(k<qpa+2t
z1$q@PKurCED@k%IHNmLvb1unckq-#0tY51$p9DxH!w=jJH$;=3<%fuqjmxvXC+6a~
zve9XM9riFQ+%n;d^;m{OVCB*`{NTK^We=)C4!K73U450wB?CqHImf%^3a@5!HNORP
zdU`a}&nk~ZbrE=PZy5{Cne(p33mzQJd+qLOO0W08AP@uomPV4>FD_~8oa=ne4rdix
znO7a#SE7FH^EHUZ9Jpn+>44vA47<-?1yK%=al!1b+mXEPcB(w@Y#b9C)}uc4gMyho
z=>trk$a}UHjpT_|^X58Df(~yULWT0rEmis_C<b&J%gYh>j;No6vr%ry93O6qsedm|
zCOJ*IvLwhJRGEc$+wP34llw-UpGHvmZi5gq8Yn7EDt3e~NTbx&4h};6zJ?#5tj5>X
z!Tq!EoT}KdxMeNBU&WNngU+AaY1#RZWVD1q2@n9QW)wE1ev|8jbL?Hu=LiACRO}jf
zckDCJ!zyu`5Q`5lMe}<bSQjZ2pE?;$nL-y4;5vF*cH7)f%YOdv9pO%8ILQ-@y6oUW
zRynpMv$V)M(k_D|%)^OUO~S~PX{|~dn`%+pVt`C<O5}u{gH&j8%`Ap#tOJ0kaaoch
z183V(I^Uk3<)`qdtJXbcu6{JwboC45YH>-@<8O3<v6(qwZ;2s^M+KeJ^Vx>d{2GWG
z(S=zlPJCC&fI5dP@k;@Kd*)S8-!QFN%%V(7CO&;c!7SI9`zo$r(763_8-2f#cC9+-
zA>fBaEUy`w%);Ls{5zMGA8Ko4Bd`8aTWD4B9Sr{NcVo069#dnREFrvv0>-DY1KtBy
zAo*9Z7cQ&A*l6^9Eu<V5cbDG`zBlTT#w-Tt{$?O%H^HmTdoPt$s366d#PAy>1j&Y8
zWk1Vst_itN|BOQgilSrP@6k9Vk#;j3_vZFD_dE8FDn2IsVxE*foRFp?YFGXFF=cuc
z=pE!+ac2fmL33)sY$PTlW+b%;|4~SGG@t7j5pQV_)jNJI_~l$;G~WQPc}gs5cG&%=
zSJ7LJ*L~PSou8$K&=;D$;@aUwKp<5+Iw4Bg{e__usd<~=MsT=t@K7<fioiTR_m@Fj
zaQaR0c;yYn@g`ow%c7Va3A!9{uDX-rKufa1j7<~s^MtecA?J$!6j)5C5)m$cN(j}r
zscF$YL5cDyiu$*_2Aqt|p#I&q3&mDewIziQZp&T(YDSkYDaRyeVxF!G^0{oo^->V?
z_VJFD^<OjmJrFx2ZTPQl&zh+k8{_=5`e|C5NCaE90NSTNl9gG;;T{SMH|=JV){tFU
zQoiJ8k24bihq24d+?x8oR%?u&=g=(vV@pJjoC8Y=E9S|F51mMdJzD|ITVPwf|L3OS
z|MzkY8wTP)K)UzP@gbv%GU9FM245i{RD_aQpaQjrL!2@4l0fzjVFpPHsea7VBA*4j
z-+Hx{#jQFe=?0%z{8xV8E5%_T){5&_5yquAY-%0_Lhe7{KBIv6vL-dN{-fH`y`?uL
z_v0<85Yz^dbfS{PV6;}n<WLl+5$G`gG#^*W&5vLc7-(zcDPX#O<v6m@<4t~3$+z-4
zvvIdS)%;`oBSLEEJQjaJ{ufcmX@!u<n67}|tKPt!ul$~CM|xf=dYHjdqL3kQ^%Cp#
zMg;od!m&5B;x1T>F2i95Z^9&>J8}1FSjgqekM2-PS}V%r??(=ATymMKG^tGk6yK&7
zC`ALUVyHa1KgkRW7obd1)eOg8OBp`;^=J-wvhaI~v%PcjL{H#2UOE3Rgv!|}6;q#z
z4)D{3DE3E|vhZzEWn4^o5;d1Yo<({eoY`)JtaNo_wW$0i7_obgB;mQpwXiILT2ACE
z;0(7C0rgLM3@k<8b>YM88<3u;vg23?sLuX|k6V)90rnnoPay|Veg;Vd9|jwh*rrqF
zYoc0#zZzXDr$ZdA_PS%GfSfKi7n;|y$Psrli+e_)F*!_|7`T@yc+5k#6zMx*tu$sj
z^U61cRuR(!DJRCuzXOT>Jc%Bq^sOBj`^B5<U&-BY78g?g#%oO*j<R84v>BYUKIvJC
z+E7T`PQ^*V{6r^$0tbmbO#L$^s^U2+3UvT7{<O2!6Z#5^3P%A!ibgKfUW&I7oI`26
z`tPX1g-IW4MUr$QfcWr_UV5vDcjY*_2)%-@OEa-KT8+za$clemJNydkbKxMQZd)m_
zebv&h>vQ|)PHam3>no&@rCN4_Y_3#br99>-v3pCw+b6Gm#WE!EsJAx~jY&DP<`wrS
z1iL_9OvrK0r^eAMPbpkg0JF?Axl*cMEJPP3wY*Xj=*+VBPmueb_EG)V-hR{mt#YBW
z;%U#j^dQgMH}c`(5Aobh#EJ?9$%>hgMFXA=_)1T{(Zla|OeMfMV(m;W9(RR@JYqNH
z_A~TwEJmN-zh}Mp8kVO`1VZgO8ag>*xG1#yl+#Yd_em~faY)jT@G&72cE9cif``@U
zfE~;s0Xo(1Fd{~uRNhWK%y7nYdO+CU54gAagK3XU@U7IX--CZqn-~J+*;Gr%VJ(LF
zJ#+g^5+1Of2_KxNpI~}Kq7XF-?Y%$$Tr9!Y%hTiAcPKdx3}Z;+lN_)Csxv5N7CGY9
zuH%<|@3-b1+%>>*wV9pgAtwB4UHlHDo7Znr3+!1xk*sWDc0o_9MGMu9PEQZsd=Ef(
z%(rwkL&=vvTpFrxa|b;un}y7P>`1O?J@Kc48`|5fX>O-+`2!7)Ii)J2wX^pK3&B7f
z&&RPSqrq~^?Tf}QC<Qj_J|U?&aRW1}G^pQukNT-q)2b24XJ2rU-gd#BU-eUG=py8-
zgR<daqJI%$q6Xdh8k`|JnwH>Z^3afo!T;Cn-u>q{O;cOm_;#n44Wtqb1H@oe)JC3E
zo&#2x^3Q!lSl}NBA2a*(CY1fqKchB~!VTMv;QI-EtXz%Ix5MDa7MWsO96Fvd|6o7p
z=M0zb>8`)FIE)6gYKx-%l!@Q|x^f))0qV88)XjpyLRn5T_c(^%vcaOE!~cGH=W;!E
z?)38JSL@klZIIDfF=$Miv|CUy(@i|+N;JRV#>@`^^X`Qj>sY8i``zCRQ*OH7AZxBr
z>aV~>agASE8h&{W(wh-()$;u<vTZ)|X$8rSnL^q4(C!lc7(V1z5OCz!Q5?f+F7QP5
zM~&5SFpLPGzx#7_-E}C>*Z3EqJ8|dsnGb?j(4N3=0zqO4zhf1h{ut?%$fA;mF{1~#
z7^81+YG0uNQ#VhJftgNip}R9%)A32pzc|a+&4K7WA6oh1CfetM_8lPLD7xU;NqoxQ
zt&Ts8c+!6={*YzLXe*jA)^Rhh1dB4Bjv04=8A8@PSGXIHv0VHSxV7YOEXnZdrvoZ0
zPjA%XVgl^n5*ue?)JIKlDy7@bwfo5Ib#a6<+}$-1^ppo0_~gKEXgNG)o9x9iUk_@!
z!dSk>n!mNG+Pt4Vo;(?;{qoCvB4t{eD^DRLA&BCT<qJhkjat|f`P`i|eIzowbGWBq
zFL>y9{W*b|_J3E!54BiQfm(IB%bJoA)e}q28d009ZGly#f;@oxj>;mdAe4``MZ-?*
zIBu%5pEMHe?gVRACPAT}(czi#j}$!$^&!iogdOXC4U;Z<R(W;lh2G0&v~cnXdyiD2
z)1r3?lwKBRSQf?45#of?)DXNlfVYW&Zq-#oA8%)sM;>$5yN5en@%hNUL089I*=FNP
z6JO}pWRBJid10=YZ1=ii6h=R-(|^sm(u_{lTkt=+rne97Dv&<<@vBq|e%^Jm&ot^_
zAlYXw@mD+Ie-7yPAnb`gi9M<mJ)?B8;YqCRW+#L+&v+rmhiV+<<<k#=sn?<Ge^w4W
zCAEP8)E>cgp*xakaswP^GzGvUI1SR&QZf3{F3GgaPU8tr&>1d$V3)cVx#_7pHWhzO
zPN&aE_sw^z3#{B8qjh!0bFaqG6w7!ObP_?Ua?!IWDX_|F8plk!BVORM{xyR+KK#~P
z3$S%E)>Fx#63-yKErRQ|S#g^AQ{z_=3}&B&y<^`H^FB>mSY?G>r;e^ZSIW*K!A555
z$kbSHF-E>GklGnt@gC%K`l4=h9Tf9*hEeVaS%S00mFsfjAY7arC|eOTb45+u-hc7{
zL7ct@=k%iqyUc`dYTlL?2sB*!O3IfX{|8XkhqL{W%3DSB*LvWbG^t7`s3x(~fY_gi
zik*&*`mb8|#q=@sWShuRg<F8h{1pEaz~_}f_qtKH@D@jLkyEQsKtc_!HlkYrTVRML
zI3}^JWhL4EsWvV7T5$7La7JcRSb^vL_UUwABglRiPDnuboH0<ZQ!V~BCsRYcbnf&b
zQ3m}MyqW*8@+PtGzU@H!)Z3?;&u$fX-WNeBG-d8GwP*@xco_@V^4I$@>ipqW{_k&w
zy)eU-+tq#JO51ESL0?}_j8gH&N|Qe;@M&2x5F*?~TGAf@oQC(g%XB+V3c8C5VRi^6
zoY1ne0i2Vs%;bBt>$DkJqZ=CI3`et$$`ackRNP?;2<@iY4WXxZx;WP>1MFES{jGzn
zOAQO%@A^posvN^n)I0TWJ$T_8O67FyS_gO6#_ht8)2z|6a4qw;f)`s|#d8Lqp_}=j
zjWoZH04(Pea=f{-#|Tj==@7Ofl&HmS(z?~__*x~4{tO!A1tVEVX_$TuLSXlU&fvZK
zCoP2ngnYBF%KvlB(f#K~w;^vj_s}OImC;LqkNc}q9-4=<kzHKgHWe{#Cn+h#no#gB
z<|h`V?9i;I0y1n+B1tBZUUbCDdTQR^m^JMD_Lu^jmsFBKen};gMV+;BSLeOoq5{51
zdpBl<tO^?jxAL3sPq(N02LE<GyB=3N57Ie3XudQBHLlG|Bj@4-yEWRI!`lP=8&)))
z1%(ASHhox&&t<{aay|xJSAE+gd$m3gw8GCmv<UJoK1|b^uCs+haO1ctxk)KAEQz-l
zL~G=F-v%9jxWKK0+S5)xZP4I^6bJf8-nB-h3X}-=#m?4}Ik)2=+~)Y^QQxvF*!j<u
zF(!x808;5PI46{4#%E1x6mi{OTMPEDlfOvP#+ejgWoxqy`~=FfM)>Br98ZTF*+Qaa
ze0ok*sAo37nGLKNYq7<;54EZ0cCT6WSW$Y8f}z?<&IKP+ejS~1T*a`<p2z9kOoe_U
zf#du3vW_&v@k+#9UiQDWrylk(yP4)tt@j>Y_r3hBtA~EDSaqFBs^fTBGgRZ-*lO(R
z$6rWW=_yLsEu6{Lqc67(W}oKN;jvG<KDBj*4~N)<uqx=1b^&}9T{{=teGJ~i{tsVo
z9TZp8ta~RwfI!dygA*VS+}+(ZxD4*@E&+lLuEE_cxDA85yF-A%-5oCHt9$Fbx9U5$
zYE{j@yY{T^)&1;#erx7#ZTIbI=VW)oKg(tvGGYHzG{b4qA{?Ip@0`)x;`I(p;dVo-
z@4LF#gfzMfEP}oKz@A+k6Ebx#tYEINl<^I=4)<dQ%cqq1wUrq%p@B^k%BpRzeVDH`
zv3Cu6-p<&TJqmFWC#hEL{hZNRzh@b8nBU+(+-wCQl+MH!_tN<W@tl^0-B=9E;YxW?
zGEBQng^6EQse)@Vs$$5N2xnL>J~g2z+08*xe+kb=O+lUlmmo{^ncM-T&Q5T}@SK@F
zTKXRdO1bH+_UkMDb|XXzr5``%49&R17OusK+TT8P!`dm7s{hYB8xSB=*J40&#&Kzu
z9rybFYRPym{E`Sqos_3=HvNv?bf=rrTEv@M%^J-)^3C9E)vCn|kWmmA9W%gjd$yU<
zjEx=&?}x{eGq3MklltSkujRGW{wd4mb@p)MuGr=y5vmbk-=@+n&u|r!Gk-=i0k5m$
z@u@Y)9CGq>e6hJ33K-D4coHl3%{{T!VxkS|(TZ$WfAg7HY+SpQfz%FGJeh}ASLEJJ
zW}s@s)XV(&a?&NLo=(;@Z=fa5g}bcT-f;c&m1)L1xw(T!FbS&VY!<Fq*!42cYCTQo
z*m2{BbWpcTwP~4-%_+&m*Ob{&=M}qwsB>M>)*Tw!dHBsj%<p)gw}V-!Rzm}s5A2pC
z@jq8>J_m>fA(oV>PS1V^nOcv6QgAkJz3{_=!EU!jLGGK!6cgn>D^?q<wr9@@3LE}!
zxoVLA8UWJo053hO=<vN=oVqwWd7UP8?p@-z7grCfND_~pxUAMrrzC;7{Ltz%uZ$~C
zUrrA;cL&ah?ezqBmkCMwtTrH98a^#soKR`)=feAUG@C4j#Y76^0~f!9bcbrE8eUo_
zZ;JQaBd8kv9tmUc0Xi@oJGft&z6!UN3f7@jg|UnL5Y!9X*Wvb@9!m248Tm2I1fV%W
zrTsr!-Ge)$F!n>zv@g7kzmyx0{uRnu60kkLrqRVPa<#8GJlWXp>!R(kusg~iE%$Id
ze*OPyN|GPx+4>y`J$IReo!SRax1*ls%ddETFAtHWk?9L&^J7^=?G?8u=8UwS4}ND|
zuaHKU_jsD*^wl~U;h0c_Uh~h=7-T^7R%vOUEy75)K}G7d=*^fgzF%&nu&#7l;(v!*
zk{S({Xud!9Dl$wRH|O^%UjNX%yFByHFIb4Z)hHd~MO2LGJ9gx^=RCZP@7EPP@-?E{
zw^#q#z#|cdl9*E3AuasBK4mjWeygA=8v1KQD~l%Hw<yxt$GAniK1$cH1yDMqg0l<z
zwKwJRnOepeE2=UB+p5sMV*h0lvhn2TOgTZXu&Ppdy5r;TR%L&ewbJ!e4%vRHQ@?+G
zx=R>4d+*BDGye|Xf$h&S%7bQFj)zrQzpfTjf;Aq8a|vjDjX`_G13n9PQsure?aS{!
z{#u_hz!&`gq~W8wawBgVPi{Y#MvMHDK=ep68PXyP2ZU~l{qfkU;V7j2uh_l|>YR63
zBh%HbURwEG>FLd^j>eEe!pg&N=ENmY1>~nEt~GGwO2(*+{+~+`qyV9BW3+gBA;@kS
zyASjOXQl>fexwd+aBS5~hW(VGtu&i+V5f7)-mKO7o!hmaOITeBedb0+hG){*nfBb%
zQ~I6T?d!#^T(p7jgvK*h*hJ`iC8Euh2^pibM%jJ>*EBd+-Sfv@rKq(JtZzLSTm@x7
z1i>C)&ocWbVvh#<ihGn|`$SvDh~LUMLmKThnxNMIGC7WhOwrYh>(9PFxd$$yjr;<A
zch6*9eX}*(y?C8lFJopUp<nEIl)m5R8|GTse)R*g|CbJ=OYkw0X$^fwHf6g>R5?!M
z-@6mID7?IhC}Q!plu7+LB;k&;(f;+s<VrhwE#a=F`%X+@?JKvR<2l6Bz41W>)qt?8
z1_n3u%+vjTm(zD?3-6u1LWnVRc6rJ_%`w4ql@38bsJLC*;PZBBemK}k7*lk5gm^f8
zTZW$Z9nil0RXoK2CetoLEKSD#!@}Iz6eR@yh0_sq?>p@ehnIXykoRWx&{$J85BMK#
z&JLW2Z0X3t?wf3Fky7u%7D1xyFlU$$KJS{#ZX($qftTtrX7%T-!55Y2jqLZt{?1X^
zf%4nZ`Y-Kjm3t}fe3(DnP*I1gt4+a%&@5!O_o`{}_yFxytMD6|+9)}G=x~rw#c$lK
zEkvx7^ZKH32wE1N=`U_+>F^5*@L0S9MR&P}mFH3QWnDmSy)4z;|Gl;Di!lC$qILK^
z!%~SPKrEHYF8&`$6&{XhjO~X5x1S*FtJ=;2NN8E0eOUulM+CArk~~&%_##j1_ttwc
zGOWk#F(D>6C;7|q9p7*l)D(KU(_n2>McBUpQdxqZzr~m2@zvT)-#A=baQAL+ugicu
z05>{(-#o5l%6+r>qvs&!w=9_PP7beLbM{AM@vi^5PyR*;y;3SGfRpAm`$^D@eRM>W
z|9=}c0c;q~=eH#k5O9$ua=(ekj{cu|gT|)FzbmrX1eTszcwYI@D5qyi%J)B)Q!Gc&
zER3lM(WT3fcB4w;EX#_5F?#*3*nD|it62Rm%PQ$Cb-&L3{_x4;61MHQzB^?OGAQQ6
z%T}B^zh2Z*xxC{IskrSs7*QXOiMi!u%qFsXeZ0KbW!w;4^0~WqxYFEs9J7B~R?bk+
zuO>`})nwUro1z(f{J*S|-!S$&q`?#6C4TJm&Y=$XCoD>|+K4_n?-}!GVrDlj$az)J
zTz{0kMX&7f!po!5aU<`{UfD%HfickSAhs=W6J)WwM)lAFFLl$kcC9Z>4M)ra16Va?
z81&k&to3V}f18Kt4)dqhbnR%z$}_sZeveqeaJ;U^_d&TCciFl7B(h2QY%k*9`N>Mr
zt8TTfbsF#aEW`2MZGdrH@3Mgh7lCodkx&QK1H)4C4Zb>~k;`vq@8%HL=+=MW?eKRY
z10v~kFR=dnGB-1JH}PJJIr8|vld1%Ew5V4zI&eCCV+O5g|I;jL@HpZ4%0_yf`WsoO
z6=vj9A#FLjhY(^t$r##e)4OVZ-?Dqb&$jasr9@Wsp@_i$Gl#z0t?%t|Wzk__1aO$?
zMX&iMU`=9$cE46OR0nH~;&NunovP#Oa3)^1!VZG+4C?BsXp^GmT=L`H^x7Sni|kEx
zkc0G|e!TAj?rK%*N)p6N$4(Gp_kB}ltPOL<O{KbU^8KF7Bbs4Yv41q%yQq)8S||bq
z?Xf!18wgx<GKGvJ0S+*AbF8Rqe8xxSyuXq#HZC$nAP6?*)%QR>Q+|2ls>eQ*dFZg>
z3Q=Q=DQmf}*3gK|#&(aS_L_J7L%I6H>vm{yI?1)|#*YDn^n72!j<EyU*Y>W1mCPa7
z>yfAaShcDDh|gV&K@zIp^y?d%<@y*K&*%4LA1$_@bclBAd5hmP)+XkfMgDOh>iPvW
zXKZua47A38iVyo*n#zHN)vndeI9EB#^h#jyDdB)nz}n}X@yO7H5bv4&uWpY&Dy*=p
zybn&jF<Q%BHRQnyHIA~IO>};3embSkX))B_D*#%>>k1pRiR+b<GMm=S)rpMLJt79C
zeAP4_3op@<)P8}=KyE(`VMZfT2NbxFz0i|PnXg;dQ7&9AI}<39OrBisC+Mhq=L0T}
zt#Wcd+0JeAfDZS|2j!q94?BfbSlhGrU}$tVlillR_o{t(LVK?)d@IhLiH8peXakmz
zmN#yb=pKCOH^!kAAer35>i_FVtP1?)-?Gm+dd&ITUv?HPqWqr*pFRvs%8S4*;07h;
z2<w`!&5%C@D;<<o+!&!JxmVfkE{|wRoG9bI*2|mRwBB|!%Ukt`+9%I1&}T>WIuA2{
z*bd0G#s*5QRDODC=XICe|I}kVoMzPi%wE=<EYKeK6d@O(SVJ)DTHXzMRR1R*O<msS
zHs8idF0OXZPU^t8=F2G3K{;!`m~8zV4X#IKFkP(N4i;w|U8TS3&Nw)AC0$`>u`k>~
znN5w5t4VEL__?n=T4&{D6pGL9Zw~GM<SqkFkL2xyGGMi6u)}ZG*?nV%RyO3DZZoE7
zs-cD^Mms&@hrA!PO`-;ADZR_3(#fa>Qk!r^#H0C6_fG7Ys)W%y1-5K~F88%83*|o8
zTb*MkneRRU)pD<FLH@;O@r~=3&_?%HX@w0y3>p~b&+|X~72din4Hhn6V+&WFDJjt#
zZ2JE+bCaTXXcrw_(^C4u_9=o29^EArze@&aA^K1w+PpDEXOF!MT+O2UX>8m%#;E<a
zkXN5r@UGaeVm>Up9Rx0%&kY^<X3{?yJ!QbJI(N8V@W+?<Zf=U73_W#D_98EmgIEAe
zD0#ceXb|oLiPH30Utw{eZj5fHPfrE=6rii7f1@nAqWroG9O!u%a^mr=kKvbjXvhL%
zjp!t&kl!Ntj<Z#hH`d9x77>$KhZ!E++J4iX(gZq6dn01`p&v`$oYwU@nP<Zru&SZ_
zGyYCx4RCsq-;YbD9|dW`Bql-*?`W3VpVrOzolW5&8*HESH~JrsYd4iw^W9aXuiSC;
zfHgVvNDSTFm~r6jw@V*VK$~dJ#3DL3rQ_{wcyr0rRjs@NC4=&l8TQi3$XqLzPeVgp
zMiavNvZwzQbl>3Wa%po{()Q??)Ar(-TtUC`nO}hK+{)m}dahanNj8UQFnI}z=2d@)
zAS3>t%``3suHVwVyZmdjWe3^eKrf<tUxyUjeJ&q0@sxxElL_TYLzF!&%g_13O{Vvh
z{4$K^b~B){e!Rko_Kz(ZSEdOsqDcd4hIv}C;m)pi4b(!8T3DJd1?6QkbFYaOE#{ye
zt~fAH@@e*81ABo}M2M{j;A&q*eGX&!;s6e@6bkb8<5W{G<%nZh)A13T8vUPr;Oie!
zw$vUeuIuIJZK~HF2Vu%XIk+e_-EN`2rQo`5>0)a|i3q)eELK%Wx8ROKjdJ+`am}Fq
z_hJ@a)~Y_EUD>B?%#hKn(%G<7PRoWcdE_b_JbG><-0h>)?06n)J9Qs(8a@5V8`*;C
zD~AT4b29SJCR*Qse@EuPlHuUgy4KO9&UTynail6rbgb^-i#8-B4CH_na&(o7G3{_;
z%qJU+>gGAIUc8Z!nwUgE#{pJBjh&Dlx3A@HOI2FY8>0R*?*3QDLtVRbb>#jdDQAzb
z_gfxUkx7u{+Xr+=kS0;&mv{PMXwB>KbLN{uC#lbqTgvbM$iz74lhrtQ!NnU4&tVqS
zfz;bNAM%&))kr(hb}W?OQtiZQA7jiew@k;l;k3*YG7DQH@oucb=|e{;`qcNfX=<AI
zDNg_WY;<xnH@jE~CAuXZI&BfU?X@lvzYGjS6FeIJqaWw^DV;X?*+jFl#6x;bG@P_m
zdtc(pAyg^B9a^a>u$NJ+zE~}lcDK&gKqhh*?>PoY)LeHT<vHgR&a8#H-|)LDnN@Yg
zI!aCvUCKv;i3mZD09_C?(9=V~W@j~n$!Iy(Cay@azy-M5HV>5Hd<8CXF5KTzv?=gA
zd8cY5JB;y|AJ_FJS%Z1|IX*mcEmA!E3{gLKZZc1KwZ8Tyo(S3E@u)a&G@p<eCp?QY
z+`F<eaB`8FC}4k|EX6T|nbQJ5dpxCYzsuER_Sg>M=GE0&2b+Vp-(>eFq)(#mCfK#K
zO!`xLac&>IzO&%qUaw}>@(d_-i44ZFg2=8SD(ald!?Eg%CaeP5%DsTk6tlB;n2n05
zwn=vR8ni1<Y8@lXs5C3&kB2wVN!o$4V!|(K3mQ?KF6pyk*ZOi&Sz`}Al=ZOcan4&$
zUZ=i@0+bYQClOetln9kR?M};$CuutkeFxqyRK?YVV8Owur-c7XhULB;{(i^w*)a{6
zf6iW=yg=qjH8UD4Q=}Q=Q$)%nz16MWWsd({7CSH^%60sbxOlG6oWN_L(L>~8gDcwT
zy_osq()(<@Bv`QB<Wex@pOsx&YKlBe#+{TcQ!(H+T0#UZAMMnejmxr{lk}2ZQ*JSh
z%W7iHcdn4cX`qk4VzEw5X&-D=H)FUlEV7H(o5h#iH}Wzua-iEsBPe7)VK}<8+08qq
z<CZlENK*1CuZU_+Yoe>|t{2fReKwkwX;LsEcLw$Sjw`$WbIi_g&;>nm!MN*=;~P2Z
zW(fPeij0e+rGgB=<BgAc>oyu09qC^P^pDfMeMRkK_=fi9+9F2GoqNc%SN|Z~Hnu~C
z(4+X7nggq&cpt}xd#aJuuB0pTGyb9epze2s{t1FiS16sMX#1&1KT0{oswOo;#V7)(
zHpvyFgP^}S0Wj556&Rt8>=5p1a2jH4TsoW0#ns}D`GzLmFBa>%7AKg%wY`MNW4xw7
zH>v-9?-?|@+o!FhgQ2V=Q343ZvsW|`Gn6pLM(ZVQ?LR&~U^&QJ{8GeFENR9*{x#)1
z)^@Y2X}Db`W1%*)RXNv|`A#8~)cdSqj7C#+ZErqMAZaO;xrU4KIKW@gPR|_{Ao;B?
zpd^y@1N@X|J#!E3ZnARp#^>aS_Xa`q7x%&*7At7!Pj53e)M{nwGf3r~jPUW_lkEhv
z$~5=Lux|Bj!#0lO>H6;A#?{(_`ndKEZ878C-9!urV-}%p*1IGnsl5rZ$>^#063t_r
zZhnGe>uF(${aL4%t@!9ah3Zam#QHZ+^lKFiKRLGT9t$t9)XyDk7&L^BDF1GQxB{u$
zHzn))IT#iDabp~ki%4ys8R1&Ofx8u5!Y2jd)7KnpMzyZv;wDd-=blS(?Z~6MRbg2k
z{qZW`ory)W@bDXn8u;EXF<M5XYM$jw$XjILvD}tf+Nw@5L!aBI=gU^e3h;SZ;|+0c
zlgA>)Fj-$2$)|K0jt7fgW3y2(sY{I4(Mj^OzKfXFgKd*-BStFX6aH)}jUZVLw)3?v
zXOcU5u*5)z()M{W*ztZWzZlZ|Ym;Z9_^!kEQp7TNfT_JSLf}FW4Zq800V95_c{eCy
zS|0oZuNSAUjkH;o05`;90z$`vFt++)CwSZS%Q;NdEMHy=_(xOQ=ez3*rO^*y(O%}R
ze*S!B1uv_c1<!f4q<f<5Wt9jlzm}jh*G+D@vy(8v^*;AXT)<JTSX;bva59vBKgbZo
zm*OOR7#KgkoW$t$EMJ?_f$cqxV+?hvB_nL-%kwsaj!j1iBB9)sho3IG;CbjOC$xkq
z_JuxMOQgIc-4zhatRtZ{-f_1Sn)OQEue6mk#4ika2I=lty02*IF@Bzwzr}&&=D}|_
zmn`@(#v<D?`<(Y2XBzTyE|-n1otU}<Ova`CdPe4{b-+86-M~yyg~@s~^ScKOLIUvI
zn8bYXV%Iiv)z#_UR(g>xVU^HhX<!<0D@9N4C0*-x<M!h<z@~<?ixE=bJw@nsJn?d^
z#Ee-kTk+*KK|^&S8zFs?irzpw34jsY>6LA9c(i-w-w>@l_su&=&lVI|^(j8P+d4K4
zJ_G#-t!b#cM0=9aCxpyc=|hiQ9vgYEXa7@2>!d(DC&8?NzKM^@2kJ9rJj!qHM|SDD
zzITcYF!=S6Iz$+;(K8b4>;3ibc(cJxI7-3oUCU=u(|EQa@%}{Kn3GZ5MYqvXiD-ka
znFM~8L2G4m`l}Sn3%BX(w`5yG>4Q<}W}{|;&_T-w9UJM5VT&8H*Pl^2cR%@Sp-*s@
z!thqP-M==_QRo{HHB`p?l1)=A!?j6)m4V*7%S)W8xlH*wW%ZF-0$1)P85D`R*YRw%
z=DRc#8T(H?nr_K!n5@f#K2i7T8|>YYkc<v;#ojiWF$*qKBq@%f^oAsH@hgRcnDz=*
zdZTz*r>)E;2Y~N5dtvKrc!B0>f_cGw_R6#Hlq)UmXKT+vyN4m12DeL9Z}Y{{p57HB
z*=L>>yhjw39;;rxf@s@>&1Gz~Q*}z(jJcU`yoWEFzvfIE(r@selbb*tW7EJT>()^Z
z^YC$g<zmeV@YSFd8d`&g!<PeUo|$nQkRwYCjhpg%<i!l7`oLux66chE$fRybUGjs<
zG9#i{_=D(=({Gs^NvXsNQAM3K6!wZLUA?kCx2xgZnWkaC&EyrNES%uube@%ItZhom
zKLPSLoB(p3cf&Oc8p5r^HKR&OQ&NtZGomwHmWRjT)j!m#@|iJ;L&p0v@XS1sBW4k0
zQY^>B(wWCGSv^&ZBH3T(jL61oHBu!E=>@RxlYpCGz_fa%&TsEhj^E>E3h`JBF8f2o
zmUN=ah2*xSpo;rUxOpBTpGkDmXxQey%sbNSf32}otU0VP-hK(RPVc)`=6%<mA_j0Q
zbUT8+aze(uzXeToecV`^gM01lUDH?(jq-tHt&*5h+z`%*BfB=Bu<7t@kB+H95VUvR
zKT!|9TWIcU=M?0myZ;Xh;K~@XLmSFS>!XFi=X_r_E}IFdx{hAfGx~3R=O3-auQxGh
zmw!+3o9ek>^5Vx}5}ccDGUc*!WMKmilO&5C&5nYb{ET`+$a9I}UiFr@_oEr;a{A#&
z<WbRmaRNSIEC(J_7&y^}`7<kUo3B81v{(4>yH%24T{__>*>KAYr18pCi_oDJPwE$i
zo{v4!cGfjP2XD%89T6cs2AKlI<0>k?)-`RmZ)Nqej(YU$DsE=!F44oI?<uve7L9f4
zaj<Jv|LQbzza7OHK5nHsz>uOkWn?f9a>ByeFI6(C`?avS_)lxn65Ob4!7QjJNq|in
zfQLT7%};_R+L9%lT2U!Z2zA!?<d^63L?l1O`M#DX=B^GMn8RzAtEIS+F$^t})U`=I
z^ySSDxzFO9pT7?QhgBsOlK`NGs+Eznhgw*;<!(OF3bB_08}FF!Jkbb{7CrwAlFIU^
zVYXPxKeE6P7ZFBI<tjj1MN(T~Lp<xpy57?~e#z&yh|&GJUYWRLL38Vd3d}Zm42%i2
zMVvyrgbe=y7wS@1aL~gyT$P03yl6aG$B}C_&tjxx%=sChT};K5>tW|YKL2z}70J-6
zuH`RjSYNPzGubfe!<Wb`o48ST^@-yhAA9MnL}^4@i65yf#VOchhhD{eSM2MtB)Yov
z2^$dgL>{tTFmH3Sq*v2<#&meVYG^l3=Bbeh+{<?8RlkItxy{4HD64BLoIh>0Q(A2D
zLWGW9g7iB$Dbv{P%trN-Z=YjImS?-k4BtVfW8wHHfoF=-zf=o`sdylu5I{)nq1VWI
zGuYWg>xE%Y;M^85zTXDF+{fZ&7c=@>kGzJ=Kq5lyhv)0H>TJSQjB2)iToTodIm?9Q
zn?m~TuNToQv`Z3CY0^S2z|HSLg&1Avjn&A-3Uiqhse>roAI+@hv{CO`kLCT+d-5$e
zaDS5<n#1_}u$jw!*OlKJpZcSpL3~rI=j5>e(Mc*A8i{A{nTqYkD9-o<iFHGDMmr<)
zm?9H(1C~GRg?<B4S$F8x{w@xE^8E7zFSP2~U=7D<<B3iC-~G8g?8ld%LnO3q_@nj_
z$o?9!o~g0GZjc`0>JONi&df-?pxjY~4d0ilfhiEIN5nRwU!n_d@D%HC|JxM>FIk@A
zjhOYIHS@5Z!*x^l6V_oIQ6ZV29)~R*YtO7^#n4ZK9#J!3fWNDPev$U@26k2FY=BHB
zl{LhG7$xPaeR<9%i7)MI?kWSefS~V(nj6t7n8nH!C9^2YrEHnD-uTy?)0wFb>#+ci
zqdS3#cyFq5zAFh*8A=soomVc7Mrg}<MTR~+vu7e_|BqYrF*VnN9lQ1&d02eWkgxtR
zz}Pv@unM=1u)V$7!V#h9j~I=WuN>^dAane$^53?9voI`JI7GP&#G$nhIZxgL8%>25
zrckn!zlEJF%TyNiLv%uml!@dB`RAGKx4c`O#U%14`WLzE7)I>3@?!=rB>VHKpqatW
zbb`xxEL+lkxAHo8CK;RIwMz?JFe^6hsU<~2WSbVUO_0FIWLUs=5{)SV&uSv=`@E2K
zNsTy;#FHuF7NNI*fhlVKzT}%~s7;*MVjih^Qgg+>_-pO6lEKMPoXMp}D$PL@_~Sn#
z#Ao8(;kFTVZn54q<zfthCbF+MhHW7fsN8AQN-jEosOGDwTi7WRh$+~&(-DKCC0g~v
zUGRh{PMlu)a!O{{JjN6UL7}NdY3e%D@e^8$Ar0#><_go)hu~Xpw>KfJ6Hdl!zTOGs
zXzyCXqg-rPvvvO8BokWSTxkZXv$U?~78RorNV6ojxOo#|xCp@sJX^VZ6YULP4oVRT
zzOTT>84YMx&hr8Hp9c0%?mH+vk~(RxTHpp|qFQ<Uq)!8ykd&cgXsS$$B5T_aG03%L
z7}O#FZM;QGB;}c#3Wv1}qw&r<d}iJ%DljTN!x}oyO89*<x$Q||t?rYI`^Wv@^N4op
zC;1_cBavOECVWFg`0*lVNQN<er=EGmIseA7W!%33{ui_ND^VR^oy4-pN*jmr6^!|o
z;#<_8@q6D@FZX~CDp93<qJPpkNl`V`H*4|l!W)hJyebfiF2~17JiW~`AcVWvg5Xzy
z>Wp5+XyWiUgR6ROuWUjhn`rSpf(|z_*`kh(6(R_3mL@$Pw;#5+2Ut}uad>$XET{UP
zDCSOi^nb;2S#_7&)zMlK@AF`x!9oOOsF#5xIHI`GdSCRoyiY2)V>>7_IK0RHH2Qnc
z^(^K-v@xUhtiI+d;LYBDT0aa6G0&T#c$(^p^O)um@_Q!v=ocwZGNE8P$OGDfC_D)3
z7T8L4zTQB%eQ_RS@rL`QpD!}JmT4k#8<j~^)6-)XOv=wuFXfK^NNGx>ZO7F_kiX?_
z25a1W(p2P{2sWH`d7JuC_Xaoi&{zg>??#Qq=XRLK7A=a*h>*&!iQF=FN`6-+hoyEy
z(c*^`R8QUtl#P^6*O?d9x@I|5zUUQxW71~>@S`2fNJNhghNjm)WkAe{+unGc{|em^
zniHd4#d<w5CzFb9D_pJLtSF&vR|qjK9mtC%UdR`jqr~N|ej<~snq#mQi##A<4osL|
z^7QVFKPH^#-wirr9s4%kUL4gP6Pc7qO3Fnhn3efEfPchOqpn1>MVVw8IA>v#wP5?n
zzzRx5Fbk>*aO+tW22CJEJq$a%{Sbv#uIm_>`a~(jF$kCrzdAV_drvap;eR6yHHR~1
zE~m_((C&x9|G|DHn2~kelD7ERmsNLnTK5{6GZAUJMFivhrV{lu6<1PUJcRsH!mBoJ
zL3JFn3Hj>`Hg%oA`z0f62U`5`!B|x{UHJMqc$Xm-yW^tF$I$S|%q3@G{)XNTa~pAW
zF5Xf}_|OTlbP#5{Inb4oEEoIGbnj==&xKE9pLD7G<G7=b=oGn((<vmXa7eI-@}?%x
z;kTF+g37FmF%;wYr+e$`PqAZ~H_mm;Jc`Z(m7mvD*Y7K~UVp;@>`fnl5z5VTBUjNZ
zGaw0>yF+S_O%{kR#)YezSqZ20Dwo}BFI`+p_rl^2V@^|k@}9haB%QpRwa@BaZ@Fw+
zCIv~Z#Vb%$4`<w`Rt=%UHPk%K-&{qaqmIs<l@GQs)Y5BQTyGd@X~y1sICfz_e~a>y
z@6jia@W4L{CO0qHVsM<mpgcpj0jV=3^R(==>Mu>+##GAGp|6`vG`o15GAP^5<<EIV
z0<lfFp}DP8#`7nQwz8VE2pajku~iHu*5m`w!*B)8;-S>yKp3{{xo6b9cm8DPi^HRr
zz~z&!O*^7jljDJx>w%~AH^MO6cS%@D^1r455I^qDY-MdClv4soCsriW3g2z3_Yg0~
zg3!bD-Iu4UvD6=K&#{;8K7AcAL5n)Vb+)V*lAHT;!yDvNj))`{E9Q-nyS!a)kFCUq
zMumSx4tjgIyPGX{Uzm#g+aw(F%`|fVL$V9O`15j08n?$8Db4;uE1dHpbQ@#-nqF1!
zr?IkchS0fb_I6P>)^(+k9%R0;vIOe-QcSO~KC~!-m(;Hrg2CV)8AFA_#!GR6^~>-?
zvh{Uh5=9{&z3<8AI4=BSK1@IT+kiiR2W!t!LeppsTP$mG>XzI6KdEkExU<M=S#TSo
z=EWNU@3d*>bsQHp+|h0Z+Wo(54SVzKC#NNnD90{AM&G_!xG5rR#DG)5*R#c_M9k`n
z`|R&(z+9u40O88{4Lv+#^UH4oTUFnj(cRsrK##`j(rY=Deo@>-&v+p7zgMeoX)%%H
z1BPt&ScA`+T_8SfEKj`adgnyR#@#z|f+aPx6Wra0#4(RTpM(wC!Ry{7V}MC&=xLz&
zylv{F6rKiXJXJgO&l@osZXdrMRdqrQ%eudImZ_C1j)Z-OP$x1uzv4Fgh=)%u?A@14
zNC#bHO4*Nws9P#iKfGo78Pz67H~kY_iK`%M)cJK%4%}0Mya9dCUOT`3vZd>_(5PE;
zfl2`Y6?LH!a*g~ccE10EY3~eF4k^rUb86Bd2gG!r<K1#$i~Dsz8M7Jbhw+Fk?=^t&
zTxe!UR`hhnt-7cKN{7SDw(t5+SDone3OT9Gb2oTweSDSopWm1>+Z78~ESQ7g*{0!Z
z<&8g%PFOfpNcG_@yWKsY?xf`Kx%|oP&KD|=iTN$|_lJ*h=Y(I-KgNCA|Ml_uO#@3p
z>76S{f`{vRzt1&%FXYl6hapIwLxsqa^UuHo5pfewZ!<3TTln|yLWrbitE+b>r&=91
zB|tUr?3v>1yY*}P4Q~atN^NVkle4P!C)LWjyRHoa<m9fB5@Zrnnz;rE=0*qK#n?(B
z*6EV0bhl`?fw`My0Yko<@fP(aYLNe;YI-(+rU!Q>B@qi<h`SW#kAA6WX*)jFX`!!+
z@WjXO+UH(F+apw-&ms%@G*>+BI5-UK$bzCeQ$u;$ZwmV<(T5Y{Zom{{5@Us1wSjNr
z{(~lT#v@+$kyMw@cS3K;n{}wy&u8c!T`_)HSS_z8L4weWKuPMoMll>?)W$sY6JZt3
z{atWFK2IhaRs+Eytm`4;mvlB>8>p=#mQ|$SToQABO3}}$EAF_+LmjISz0V}g40#sz
zhiXV^hkpVpbqRJVr+QrHJN{ucrgc;F*S@^4#Bmrvw)un(Pdto`f*Mf=OBY{!XC<a2
zb?X|?wq)DPeP;ugH(5DcWVrc2iu@X~+4I=mF?!8Fju^T9=t<C_lfIZbLPej(5yJ{S
zt4b7YWS#P@ytwkQgbOL*PEmZ!a(KTYgG~P`2!Ob=vjFq-jGHt~p0VP!{`8>bCp{WN
ztv$epfq2g8=lHhn@~>)T`Z<etCh$2m8YR2QVS#bEN4f6h=9Zrsh~?9Rd#Tg5bJ!CF
zCuKkZ=O9DB^<}PZ4x$`xZ!Gj%h)zLa)fe>PR9VMd4aNP0IMIG>d|Omnx6_dP4ZV3z
zl0&vk7)VcE0+QsGG|+&7TsDEh<qO0|k;w2c9b3{*-#m{Kp>4fLC3_Mu--Z77DyPi3
zDm0t!MZ+)emq8$q?i3`+mmYgWFs17>tWi**E0F%B5eTUp*kBza@-O@3$BrHz{!&r$
zXq4`U10aF?GDrScBY4W&WSR=5(ohWzF5>F@D^*bU8A@t9-j+3Z_!QIX-1pJh78dyv
zvt$5Gqplmdv`dW)V9+Ia{CdlG(0w*aR`R4nPsNCon3a%fc;qH1n_gD}7T7N1pgRli
z#91G~^tZkuA}##ZoUHJi%i|tC_)vY_h4ibjP$L(yT7p{F@=#vJ#cey`06sNelU0@P
z;8*^{v4C*nu<Z!vN?bIc|C+>!I6^Cneq*InoSNXE(1e<oKz_H1biM6jNF3BVJ;KU!
z9&P6%QF+;kh_4Ti%eU=&ZJ?s)Kw|dO&Q=4>u+E_FM1Rgcc^IbgS5G2Ih6F~M{TbL<
zc&nfD;x=?Sq6<wd)nw(MZ;6jzfDZkxS^ybY4pY5E(6&K<R*L{grjKX<#gFY*AoHwU
zNt0uK^0HV55do~B&b&8qc;pn#Ul^@#hzV5Xw2Wdf5}4oioBOzFoq!tg)<J~igvk4J
z-w><86#sG*k(hM&CmiW8zRc@{i}CZoa0iZf5gPkD*&=#by6Atrvmy{yA5WFYrQOmz
zAUC^c!bV_h+*%ANkvA--M8r2%UWc_SOkXZKXT<iZ_-j#ZD_U1oZG%w$H^f}H-Hr~G
zM!l*vkmO#0DZ_fUEWgkgen54cHxjfsTf|lm&I<91cH924oxd6pZ$gfn%<clX8BEQL
zk-Q$c)mtCg20TQ<<8h4>KjEEF&B{@q)g_DXZfoqsn)(`IK<aFAa`#m_Oj8D5hc@C6
z_xBgiU-u@+n0IFZRT`JmA7W2Bq7?7rYN96M%6^y@JVqRevmNZ{qOF}S!x5YW>X~oZ
z|9Qd$XotG1AQda;;%gx^s5|f{ilSRmAI(xuaNi*bMq~3~b!Uv>RW|h?q=Lc2@l_cy
zZB*AsCUp0UVxUZtDU=rc&9O>$>xBirXs2z%;_+39FSD~jL)^cPULD%8wIEdke_R0j
zl5im>t;CQ`b)Q~<Z!K_vxNL6y#U0!oO7-t7B<sx47G29GYtHSPD4xInr1=XkmPkP(
z_B<(mDo%dMOn65em*V9IIyUyBZN3UIGySm66dI(p68#y~<@u|12vt#4gS_t1PR7*-
zdjWvBFl@(t<YqScbzN9i)6de*$n*MVUlG)W!{8V1>DkrW`Zu>04!U)QP|Fx<V?GaW
z{1N)wg_6h(e|W!}u!|@-b;%FKc;i6+HR$(V))kE3@?84jt@5Y$eMIfNjWUxOek<;J
zZ#i;Hdzi{WesFfoBx7B=7rE|mAoSAJ{i80Ru0boG!1qp6d9oO+^dH;+r%EWn=hzSb
zdsT$}8izrk+fI-yfTh8T>)cfMkX_gib1xSKz&SO$R@i9SR+O$A$joT8;g>l>oDS!M
zLC}QGeQwt@ibErQ4r-!sR1l*<v6vsx%3wt)G}59lcP^Sa3D=F?@uV)Uo6?E|)DaJ>
z4<5-Zi9j`f$BO4n4ynbJKL2(IcbTo?mEA^egmCNAyNXl;gp-AhOKYEWrKeXGvU09?
zije3kwbyCesl0s&W2NT2O$|=e@@mojTJ46c^pvS;$$NwQO_mNd<;>z6W*glMC_L?t
zYPHA1qW6Fc<74ORv!<*jPF;yTiX07IzzQ@i>#sY*Y8v}arp`%h-s7pdnXD~k_*_8)
z<G*h<8L-+#B&Bd<C3YAl;aJ#c)09J<7LT+M4sCK*uldd%t?U@iPj!+bKI5bseszr>
zW>~oZ{ewT$M%9ZJ10;&;H=*Z!^W-kN-N}$3ZY|U_wbS^%`$NOZK7uJlBd1cqJYLuL
zOK;vk8!0Fei@BYrN27He{p0{M)2&y<Y>_`8wJ~%ckk%pebjZNp`)TH@i`hxb%$zFs
z)#O9?rz;=Sw#Mjy;aaMamM5XMxeGx1xUb=F8|9CzbWoIQf;>{XzYIHT8?>%ww!tuo
z#>iTxL`lH3Ii9Jo3~L#q0fH`ylC;%mdj=c<B}T@Vw)OBH84C4t8R~t1Je}GlhQ4T0
z6w}Bq(!^YXesS&<)WL4sdh~5U8z(%ZD#FtJlHQSb6HOI|3%JI-1&}pm?H5^DHSfj(
zee_g%%(*qf?IM{=sXfGAAW2j%ev50$qfiDoQDJ+kp~_cZS-Ij?;cMM0FIsaPrB3Kp
z`nty?DHPXa=nBwTVIg$QP^r8AL?^dx<q6qOz%?N-S$3k1XjP~dVEi_q9+NU`KIgfB
zR=3(1<=c)^UNLK3H8h{oSgLhV-KA5{I-3k{IMuOQ@(vdfqg=RrpPhj=7xlcWxDgX)
zUJI;&J%wnh#<a`zM~K%u$f6JSPW4BYSYuwbcYGnSan8bfKQXCpob%5LxB$x3UikNY
zGk9A*=giAZwiF}BOv~LHn0%Yk6ShZnZlV*mr86&aoMV3=;|R+00D;hwcz21%oB@r9
zdoX#xeeetKu`F5q#t*^5xa{#<TM-h-D&J2=t4}6csJ`VU|2RdBLg3V;g%p^4p2$ug
z`%FLY5uR@Kk&x-4nL(R;9XEA5Ic=c&55dD+f{wYO{{U~#R{;p#Z9>(bJjF#_98rc$
zj{|v;{2f2;50|ehrX~EJ;I$EfxsTmuMLcddBX!2Q&%wwR{;pP&oKJ=Y%>MkD5Eag6
zbhoQKNb~n29zm&3bP5_&<$fqB|2%B(>om>-M<cw?1)_30?cmv$K;l!}UIb^G^SGB(
zDyX<Ld+V)o0<Y=PC3qxcd!o3tk>MesqqdkPzpT)&p<*`k%qs+>S4tB-Y*YhK`$|h=
z(4CJuR_+*F9NV@aGGILt0aN*KF>Fe?qt|LlQHHd1ms8KznD<N1wRcVA>&W&<cWSK(
zEl_3XL~Y@SPL15MSdHUTQnK%`TNWM%ZF3|1_OKt;4<4-Gcr#Ef2k8zv_RSg>21O*P
zO`P^;n5KqDo9)A0PNc(cob3Cw&&iZD&cfBc_K+(pV%7G&@8D{hu>t*1QEw$v!!`K8
z2IXC~JPFU^gFmVmSZZ1wvvy?yBIV4cJY@u0)<a{WxR$EXG6=XROzKB;fOH%6=pH&7
zd}q(<)~}Hh*ry^GZ5q4C*h+OY=CR6}5=Wi0E%>I1ec>Z@zPSjWfW4t)F0P{MNPhKs
zd6NfXX&^t&Evj8-DmX*7afXGRNTze2ADD`2!V&V^O?Xby<RCe%(bfc$+OHbpAKF*v
zLnrdO=D({t@n{<+-q}P%l1L_OYD(IUv+*bkGSJ%~H@H<S0xg2O<Cns3OSs%l|1M-o
zOkx?MyBkfo2Kp&VMpLWIIi|LqrP`<@Q`o=tp*u1Dt}56?cC9gmEe~p*JgZ0Yr*R?K
zq_L?7TCdsgz7?`Pn`zyLN9c~HmS{O@BUrCR5d%ES)547@^Q#g^K2-Z8lGqt;?eMA3
zRX$ALomSq?014X(@+{2SuYNpLRh3RRK1sNr@QtGK=(mn+LzNLofC6`gwP(w}HDT-V
zo&SEQE5otJ=}a;(zNLKyQSzt(ta9-5FR5<ugLFqz$D?*5f;3FzrQ!bA8?IUb6@_Q>
z7*>auf}E)kj6?-24`1k736}JZyad9r+z+e^8*J%w^*ub3X#U9E4ScE1T&8lz<HtYm
zV~#g=RPq_$T<<b=t@3nOII;A*Qz*S`>@_8RTUL$>wdYFmTFIf}20s%T{9Bk}A`M7F
z?`$yzAY?e*hFWODIoU1eC#%uOGz$!(xhjr?7YFFGi>wpfOP7U%52)#mB&b%l)5T$0
zz<&#{0AfH5Ow#M~?)0KT$*OqEPa9Id;QseAKtXiL=DFO9W<Qq!e0LZ`gp!_+<Xmj(
z2pWt`RE`dlKR}y2PNt0RbE3tOT4n$r^<Nq(10fKH0LA0O5u#+zwU(d6-n1-$P!p!U
z=Z{`I*%s__T;b{SKS!3#$30Ylo_~Rr(FT1vd!~r(cP9!KOS}BLHbN6Q-a3^*>U?<u
zcP`<+<6gFAgH?uKX_h}>L3da(RV3P58@*DwhaCa1m8@ElJ;O>1RwjwTDYfX>i<1tD
zTvO*NSGTs*iIsj!)A5akfzbStQf!feq~O&wY+-eaOC=>`DzW#+9m^XOvua#wi2${h
zB+n8|>E5Xy;yjS897rh849thFLoFK|P+7l#z`yK_zjpvci|W4SK1(*aMCPG;)h-%d
zI(#WC`CYM!<QYfLPC0&udjq#yhVH)ib4eywDIzY0=34Di-RAcs?Jc0ebCW|gcg6;&
zA8CQ0%HP}wb<9X~<ofCxXGy(0_b&fW1NC)r5M+-ge-5TAsP$PW{ualf0oIJ9mL}@N
zsd=~pEel18mh!%omuX_J)(zG!vb5~u6QofslR`*m>dH=ks>(a*4tMw)aVAY{JEUd?
z8yvX&{>;^{dGJT3ik9xgTPgp#CXw|_cW$68R_9l-pS=F`sZa+3!&Jd&eyNB~jJP}H
z%7$_21Wjh8<qp!6V;h}F(Tt?5wz{%9W|aECjcUiBJEgixbb7^#3Al2;ek!e*OH40n
z1YU*$ngsgHZg3E3+az8E&?uOkYdXfHSeg8#OWtOM?S4Zg@k0dPbT)W&dKAo(&}xJE
zs6@qq&FPv{QKjPUCtqzH;wwTDSwUb(YH89Asbip_DV(IT1var!+jbYkn|^C){53n2
zj1O9hGG`m=?p92xY|Y(r(nsPSN-K66klBb|cw+!TyvmG)%X6^EMNwAk_U8B>f2F|r
z7DKD7AF8jUdLz&8-ACDP6wF2`c6NnN@G`b3+@yx-Q=BENrqK1AVDlhX|JAJa!8v3-
zu`eo!QjZ)^cj>o`0QA>8rDLw}6a#u%=>21l)7f9UQ2QT@4A%w&fLLoJKVKw}#o`Cj
zDXW5fnuN99+{t$TBX-o_4iyRhC@m)Dxhx+hx{fAv#>srx#?Nl2@6+3tis8gwxVZ^+
zRIATqtZi33;>s=aVlDlWFEIVnwBE6hy%pWu<pfM)NqViVnE$TamN?DDQ#I_MFU2u2
z=CS6eHz`qJEom3i(-(4qt6POs6i_!C)uKK<O!lB!IOm1+$<BHM&1syHT;m-w)-2RC
zva2VxzNbnQuOF3E7s@8rzEQBblH|g|GDbE8N7L@ZX<l9m)}F%&mgSx*F&dNKrv(o4
zK+F<|N@bmwgMk%5-sDp;pXHL7c@Zk=;k@dtJOv)DL{<H^{bbi^t2{R$Zz0tuJdMDM
zFgKYF({;eKJQnt5&oEDaY?APwiQ#`|u&i|Dw>?pJ)PNdfPoez3$vO*PZw|#}TU+;K
zf8fm^C<pp2MozJ1W*O1%%VZtFeM$*vtwjiqA`&?cM`VxV<QJeaNWcQO|B1;}V|XF9
z>+Z@CcdI%v{ko5eBUf@JdXq$lPxsp^0MWBR+&4@;1Ls$dB+ic9tkhv`EizddTe*l~
z>v2U!oG2v3MD~H<iMNCn>9WHaNbrR?WLU8>yBw(p1Ao0}f$V^13WukOyGgaku7Rc@
zxa>;@!{F05Q|#2$(+`oil?oHw<+l-eu`gJV9<a>LSyT&cK`=>Da%=<-5flG*cZ|s#
zn}1%(kvj0w&y!#YsM6?2)SA^FzzFYqYPu+EwQTs6-lGLmmNdng@=Jd~zDtm^3R;a`
z269Sn8JXH(lG&PGW{-L43ip98YG6}ff@MgIRBl50O(f#Ae|272Q#V!Sy!pb!<+DY@
z<-=?>)pvS8Db1=*Oqw6|%^d1Li;~C0_<OUP2nL*h$3Hd9PsI4Ws_(UzXxYccK}O#B
z)|}6&#&-zzX-S*~V^tQ$`RlqV0UOG{sD1?Opih3C9Pj1=u;0_h>G@RY#p*ayoR%+W
z>B?S{#WJ@3J(sU_TnbcWM5m!0cWv=7L9Rx2mX-hGdMK0pANwBVvw=EBHV+x_9fT<k
z6B;k{#lGNj2}m+R(UBWAaW|;Ad0~DZQY;W5dwHK+ynaIa)syb9gnt~_#Al|$KdTz&
zMuc?w)`!NYL`H|i?Q2n?=aH8*AU{&p^S~q#Je$g94{=H%A1v7I<Fia`v)M<QYEZA5
zqpT=D{OM^yzcCB&V+zT$03`%hnN?P}a#&)y4nhm1RnW{m#0Y=dq=m;9DBog*pH|(%
z21r*bsd!&G;q1xfZZDM}`6c!L`irR+Y*Q-9sIengwGf%Xy6kec>gX#ErJtT&wk=b}
z^y{u>H&WjeJ-p6f^v(TP8Pkj0F!>^t>9QOfthY(`_yHr4CMmC}aXWZZsIgYu7qQ~z
zBQn6#H+SB&P4_tXOwKkvGhcpD?69wvFi(Qgh#4ecP0gug0yb)qZXq!`5|>SDt@0X@
zfTypUWNqPtR#gyA#vDnUs+6iM8>JKwKDN-9N3^~!+4Ix7cmq$OLA#fmH*!_usmrjs
zBjKt|2CWUjmiuX1o1{mxsB+{q>?px9njZMWA@W+B-)P0-?eB`}+{EQ&^3_E%!~RZE
z*Cv5kGx-3<hE5=e*&K-~!h(8(`s{>IrHm=@<0<26MDrl3r>42q^+;Mx{52JiTK&4u
zGnEw*$vxeE#BK2c;ekGjGA-L0F{b?}ZG$QY{Kx0AhGJ33vNg4~1%c{b3uy9uj5e>C
zp)^C-)W1xGEsV&yumZ%2=Cp5;TS9uaLpP3BP7AVHN2(1SPdVH~(b3<4_M8>*cbh5c
zB7%<hlL-np?fzhGlWO++m3Vqr$Y!(rbUnuAF=gl5qqz^wQFAD)2)+ESb7Vf))v4CZ
zJ|fSK-LjuLN=Y!7rAY)+??&uR(kWKHRmTRsub>ifkWhY+ZXf2!Hbe0C@f#q-bpIkF
z+YGy?KUJmWnZB&IX>Ni8fijk)GoSNfV$n(&IKg-+xZ8ULZf4Aaf(mX`^toIer+({K
ziklhK4P}-cr0WSBcVjG*-Ic{kS;cd;fRN0j|GR(+hGSx;md_`oE~6kxAbjB>%Qh|0
zrC%1-d!Y7ZQG^MF4cMJ&h}OvF8|n4&d&{c->u;ZywMLV@w?mtG<<X4>Iix0_JiA;`
zQ~`O=0VprY=8(Xals_7anScD{SvW5%GpW67FRMZ-Ook53=31>ja8*@Vnhxc;8O!M>
zyL|Xmx8M$x!ehFmd<5PhDS9PW3N!3QrhVbm*}uk$;OUf57We9_7g=oPBf*;MTTBrD
z)}%%|mm(wW%<YpbfZtJege+Uz{axTw$e}EzZf(2jK*;Tm`&Mo3aL>0y_@BPlp5+V4
zW2pYrWT748kIlUN>%o5GGDX9Cfz5xp>rb@za|JH7dbH_&j9CD@YAn^iYa#5FF958j
zQlFa`7NjMvk~Hp!U8nvOZ1RF?$&;u^?^4tvUgww35h_KrO?aOIbP16vr<G@@)m%wY
zbBmQD4}EOJV~?CDtu2dwoPOp3G!)*S9?jFp&MhpzgoGRuXsIOzCL@RF*=ffc?YptN
z+2vPA0L5{FH;M$7!|EH4pIfv%lpBs|%vW3S_};H61y_uFj<|?Jp}_^NXWO$?qDy%M
zJ$d%ir!t#FM=sx}o<ksbI0AKs>C}<@*3zWaa$<T1xhy8)WgJB%XUq!nP~xY@+++gB
zG1DKJ`BO!He7yg4c#+#kQb8{;25bj)ZD^etEsP%4J#d}sZ16fYQ11A#USi()$T2#}
zy-Z9^+8c9S>#rfratS3d6TjAFs@Ep#9$WW*YG|}2oMZQeCyKPJq|hye$q6N~)h^p;
z-O{Q>n$L;0cOZ$XSVF0Gfd@`ns%B2E<6`!@<;f{U;^djlJaD4f2s~;d*ssnwsSeO?
zTt=Gc)_#q~P%ssiR=Fiyp<Q!@>aa-4#IfN<cu!E_@)^bpJ-g&m3eRASV{qBA1gl3v
z$_t}4MGQSn&cX(dB^ynt`IV>MY4&_DYIOTv10HzE+EF>{3e3bfBjq_pB8QA{ccANh
z@y~Bg_yZ?o@<Ym_r;1!#kyr$B5u#EyZ*T<>mcSt%U2|NgHu_}3U+=nv@o_$P`yY83
z`LZ^C-K~|B!P#WAey#CY_p%;l?EfL)QGb*ZxV}OZNa(ee*U4eU)D(odH>e^h9#PyM
zd>Z+&`X`nIe00m!?i%`hiwWW7rx4sU+8CYxRsA-8mIoJj60KkIB?E0ad4#;WbYDj@
zwzN^V@+Y;a@c17;l`nlVy7IVXX=P*V^cB*qQD5mfYS~X*wnqVqA+QvaNf&vdQX72M
zo>#xY;Ny-0<>=XZxh{aG%Q5MB1S4iAI^&Qv(|rHB2<mQkjE&ZSi)azDBr?JnF-IW7
zgj^5SFvYZmzaCD08cj(nUTv$X3Y~!EKMe@srbzZ$8rfqQJ%MJE>*g2zf>=hS!I+HH
z=#FwLZnvqBRW19Cs$^{yDw|1!K}P}Y_A;nMWr6s9XLj-C_dC3kJmM$ltrZG)qf{ka
zz@7o1n*}ZDoERxff_aopd_x31Rl9>9#|*u79fjVl_FS`QNs%zW_UDyWzTk&iyW;$o
zI7qE<!ohKRM4tS@P#O0OtFrJ^s6ySyT+q@^u>4;AU*-YzLZc3zL>ezhgwUJ%Z>!Qt
z&qe`{OgcEmWc}v-)Y-tAg~Gh>LAN&br*PsBJ?3A$abFG()&aamy3&VBvHO}a&a`OI
zpVjO_Du%X}uTC;kAoU+|4rWnb@I!R&4^CPURn4&9L;CE?|Dx+Fqv~3cMu8ACxVuYm
z2_d)z2p-(sJrG<DF2UX1-Q8V-yA#}9&p{sF%-qZ+^X^*w=zZ3vcUN_JRaXn|i7SPg
zSK-5IXwS4Ot96zyMf6S-g(wb}t;vO-%UR}@7iH02DY$q`D}R6c4j;>Xfen!jSJZ^A
z4{IdgE&n&E<FK!W(7R3BAu-~H&9giFaCQ=kwVJ{8veF=1iUln8RB8<JQ{g3~0wb>_
z3}6!d&@bm0?gLO7knN2XUT!F(l2A4E`oqL(gCv^sFjh&#CVphR8$&(k-n>--^xh%c
z+@qoEo`EncHt3|uhtr-w+^gwlF*=4V!t@xnPg@+Si28*0;V{P%z)E#UUYUrOK(}mf
zOV#&h#wXu6vu`X<vx+~vqpyhOaPBSqJ&uiT&M3+SK(kqN^-o#WWn@owKNaSb=H4$>
z@#<*Awux?4GR|+zAFxduG<i%=OoMhs**Z@;-yH`L^G-1m@44z&b2c0zI<LfG-W=C)
z9#=oRzn?EaI`(Y$BVNSN<a>jCN6*1515r%j`CXFF1eh=XsHMkyo+F1bF8=;=<LU)l
z4yNm%<)OjXXhBqB@c;a&5J8-0La`z&xDZ*oKum3N!Qz)ex>4(khY35nh4t&F<X@@J
zPodtmDpH+tUc6M0%}-k-EwYd?LN-*4n?{4)FC*X+?OgYqeJ4ScI;Z>yR3R=0izhWt
zSlmXD?eMr8vwVj;J33u{H`xn)x!h`QsEi+7oTR{Wr61Cnq^L@Ej~sf<l_f;hW19e7
zC%1PmM~>OVpA)B~3;z@~r$_AyXQLH34Z%IXQlk<fsD+hIp6`OXer^5CNcg!!2{X%}
zyK8*o!ONEm{DX&1`Vt8Wk?l*(78b=ou@~7bj{A_iQe#sL`+P5E1hG&$@!YByjlGtC
z&1%l5RJTv)m<EeI`u8QNRE2Gu6(W;@TFS3fn<`^Gkb#Qzml(W9%PER0W#@Z&djYVc
zzxHu#-a8&C??T&2nz|T`wx4-*1X|FDv|>oY+ipE<*X2dAm1vb?Wir06+W83=$*zCu
z|5jd7fJQvtD%P)H_G5;EtCiw$g3&$;3onD6WQ-AyfGUSBphFb%7k=bR*Tb`dYt{ET
zaXZWb@(dOdu@yq81CJVh{<EL$-wyj_6_bni76=lI_B$^(q8)EbI)%gWv2AsR+iEEb
zAeh7$ndy2<FK-8#jW}3`N-HxvOZTyj2AFafpRtz{25e{a5XU@c@%gpKR(~g3q#iY&
z`ASw>i~zUx!V+J5?)~dZWZC^nZlWY`{EQ7WwlYd-4E?xajy}Cq&rnTGWNBn$eG7<l
zlNCY8@b`hjz=4Kuuo@l?BQyJ1XD&`|>n_vKN0#xHRq_3mLeq_PgVH*@WrNWHvu4!~
z2(wW*=X135;1Jg`I__B({JNG*q6WmxVf*`GzFco2X^cU2Uc?0-BQ?EQk>h+mB{L%X
z!pc(GQibC$)PV$&mko5!0R9&e-05!nBB}(smoF%@b}$eX`LIM7`jvJR48MOP$sAXX
zC@-n91MA>h+Tt!*ioES;0n_RhurNJ(gWLP`n?X@3K$b9(pu&Eo&WIc*#QZrWQ`_R@
zHbMgoXYS$UH@oUx_y(%#OW)a*&I6k!J#tas;xjrE%v;ZulkBjp#&(xH@R*EZarHDT
zDTd_(oGBmT5X$MS)3FSG4m5Pw&wo5Gm%96O)uQFG&6&nWi}Z0{R1I}xu<|%ehyzX%
zyx+~msQ8GLx7=Uo12y;7X%;WDTG{>HQrFXp>2v9t80fTxV?<(I+1J5pJy^#Rz1%<j
zGz1ueY4_a1<EEMTlF;hFMIHYxv3j(qYn%k-*&4da(PXd$sPj)l#}k`oqWFuIiM{Np
zGSY3bFx;pkRf7Q^e;{$33s4MY4#z+uazS8^+=%h`m)fHQgWu6>s}^*VPQ}n45VlCP
z`OybMOtHN0hk)`H#`W#;B@`e_T_4W!hl(%@=Nzm@6RxTQgK$R}uh9@Jk4om##O~D_
z>$s1N2m3yiCg6%o7v1X!LP+ZRuEb!_y^u!vkVP~RUlPIE9i~LDDf6tNagI1d8cYu+
zfGJp99W~4(qSvW)Ey<_ef#hA;^yR&rYR^P}^Dis4f%7{<&3OS&FnDc;e(h!0jQ5;=
z{HU0{AN<0$vqcx@3g-HB(JFYRjzlxZ3;o634+3lrQ}+p?)G{bq6ai+b++ow-HL--=
z?M5ExavPJ_k=!!;ScXW4k@RD#dU5)$&-@tm(3>LrIdXSdPvj<meXGg7ZBSpYf{80T
zsG5L$7UNPA-S@?h@gFN=kCS@VR;au!)W=2dnA7vV0_oqOcqVqTL4Y8euNR7hIOcmM
zaea((nVJW1IQS|&X?K65LHo7TOu5NZ0dZ4?cTG%nnq10$wS;_ER5*$;b?ZcbLewF_
z+0BGIGr}8nj@<tK3CRscs8FhO6vD$ygStjU$tu^3iJDFW!Cq&85-BA`mI_#(qt;V)
zXxWkY^NDu=JLY`VQZ8P~LcuuM4Zu&hD{8E|+XXv{HaOgvFJMG19E+>))=~DT!hl}I
zx5I)&S&C5t6`U%BZ;80(rA?CSiU>z@7{j`dl|2h*RdB?<F@hyuUo?9(TK%BmSO{{x
zS!2m3amuK<Lp-PEmJ+4zw2bdminDJUPu7#B0GS9$JeNwuh7XM8!88LSUkYpY4~8^?
zg-U7U->+B4x9Mp#3Fa!hq>}ULlxR#~dN0@#D$D`FAH|Zq!jj6m0Fw^0QZivtPx0)J
z_*>v*Zchu>Q!yKt7^Cn5Hog?8qN-&xi=y^<wo?Kt1(z^TM!9(sZ3u^TlP4y`0c!E<
z37bur>CBwH6zV7FYGmgDm+w5*ikW9rOWey=H{A-dNMOzuFhHxtzEM|mV*yNsat}NK
z1Yt|-O7-dY44K7B-+oj^^?yEuzs6Q)wt_lvJ-%c9VXnlB_=!O)zn`EVE*(~L2Qcmp
zke+#rYx7El9NoP=j+!HUMx_GMB^CK7?C&)D{ep{HtY-JzT*rIUF5vwhwuBj+=YC5{
zhQ0lb(}L6;4!0XA;}Rai-(n%LkVo=Aq*{7o0pngJt|ak%K;MRBkCH0)r05P8ln8+!
zn;_=k5C(_=y_k|WI)hO9E&#q0%1;q_w<l4;J1PUwenOgVo!(R@PMwfMEcRQewcHO0
z9(0f|w-VO4@VBEEQlad1{is=~_Ijy?J~r_Ba{4Y}NF$wfb!<XRTb_I`c=g^-Z7!nc
z`$-8ysFf~)nbPF+dMzwGznqsR1Ex2!<V>l2T}lg?k1&p=@8?eYT5(#-PrAQ|7z_FZ
z5r>*G$Uf3UJ5<6HZH^hlDI4b<>a*6H6JGPU1!g@t>W*f!H|oUpHqT&sPZY&Y^6PHd
zV5^cymz3p4zD=7TzmR?Z64B+V!-jKKo!H8Tsnv=Y9HX4^@}?C{a^y<4cX@IIH>Uoa
z`VpBY`f|JsXJ_i6D33i-vlyQ4$N`utzRyZ0NV!@u9%vqdn-JR?aI%>5Cfi7`A5E>!
z?0&iP-s_SzX&48q#t>x_9t*c7TA^4-baH^y=W=ySQDM4iLhF|d`Wd5j(skADrE#9x
zptxUQtukzjb*LnLfI*{|{m@-P*{F}6LF|RzQSW^;n*`6*hj_~)C9jQ18SC<&*=eUL
zp8XBhj8HtuO2qg!Kerc)A8MO)g9SV{Lzv_Hp{Au6iL@C5messdLBTcnjClraIc>NS
zvh^u7`z{|x&Z>J@yIKrW!bOX@6i)Ex1gPV84^j$K3qBo?*FNXT&&(JN(<lNe+V39x
z6li;5^J7=5)Udx|8gCF;3P&*1zd2T{SG;Mw;2w|f{_HzdfD0lWNUvu4rr2r!)&C3K
zRWNUFV`kAfg6f|C4;mGcb|F42r3lrb`Eb!~9Q_W+IJ<2*wM06_uc9Y4pHu~-M$`qS
z9`h1LD2G4H%1$39V+mp+X0P3+1P6WT<v)IDOjQ~^u4x6gc6a(zrEX9|%3h>s$S3lV
zf@=$8(Cq6CXN#J+YA@n0LY1SOpg*vN@dz;qk#<0)%@D<0?qUA9>@s56b)w%s_bPKP
zaj)Q3z;R?zXPteXiNedCG$TJX-PMFt`ZRL~t~S$b=)VlIj*MEs*E>y-ysC4-deEF7
zP_b!|1Sx{n!9QzrC~rqFuR_?NpO&kK+xa%pcaxHcjz!GV+6I_Gx25|F+0k|#t%dRE
zNA}xPPa#akK|LX6YdIL6SmjvN;$bKES^D8j40v#@zCjf$H3owP<-!k?j6fsJJLJLX
z5T*`NvsRyzf@y+HP({%NEnb*C-Gy>6znt}R?i@$9zR>VI)?7bzm&b|%WiZ!#mezy0
z)=WlVNPAVOl6YZsa$`(oBV#pN<W4Z>%+ab~;g=O<l8GZ2o8np8aPA{A+N$6?P$b*;
zKE;a$E7~01Ian`J>o~tQgVHUQ2}?%|<LIF-nU7;QANEp%N@6tIIq|A-4|GXui?Fsw
zL$|90Zg%~JS#mZ3Sz{)2#oLlpw$~18ORM-vRkvmZ-#K@(1?51DEALb%HpL-@VQ6&o
zk9MQnnX@N~B}>Lr*W^a8Bi|cN_zntYGr{>WjO?=2EN8JEUB$(!7y4KoWi)cPT-+5M
z4m0dKXUyb9yGBTnZoWr#w%?VR4w%bJ31;eYe%nfSWg&~m{#KhJB<z<9zWRxY!2@-N
zv~a41lr3|Z5)51b=|P_)Nw`Ih;u^7q8(S}vI?J){9^~WUHnnxCR3VB!Y1x_sjK94E
z*Kl%L8%TY%R{+bWt8Gc($C3-z#Ay|gkCDFLo5%OUCZDw^1qnw>KFl5)6~t6pX$Or*
z3*CGox_3(}{5;0Bm8CT~;End601=&8wDdE>(ZwFlJULkCxL-}Z9C|ruF*tHMEIUNM
z)L+Tr)AUG|+yc^mNo<LUxm^4Lxp7nY&_Q;zdgXh4y4tL|;|-OY@^k>Q+q*q`Sz()R
zKRpORPutM&U}P|KGHjh|WNw2n0=i7I_kt6!4MjkcwrszuD6chdylV0a6v!qt8!|P0
zyx&EK<Q2FO$3L@@3>)+(&iz7jF<I5Di}!IX#dIuTbR?Ik?C9`+-Nxw!i=L4}`sVX8
zj&7cCNp@}H&BMdoNJ}6XG?2}^+3gBC2^`ob9bY63_oftH>&jbM#nfi6$mPc)S&ES@
z9fU+FyOg3nBucI=9YlsIN+VT!BY}xs2xbN8>DXO2ZqA77?TM8RkF-Pt8*2`D`B=aw
z!olHu&PzTdmTj#F6^vPdj<SVc%ca|eCyEfOj5HV#W9{AqpKTRj*{f2g#w#g%4B>`u
zDXrrDeDD#7YPyN(KBCAmWnXXwZ>p{|(p6S)S|v+ly4%J&Cef<2fWtmSjS29-3OWGa
zyhbZ^;1?ddSP#&F&G#!a!`%L+3__-NGzD7XX)WM114vG5CuR^pcE+mo#<sNgoYM|e
z<`$A70bwnwNczOWYFC-a`vdetGk0{72j4~C(Im?;UxW%W&(=~Z?@D5079RcBob9<(
z#g5gLrHQ>Sz;fq$SdiT<I*UDhLTEPoiC!n$u4~#|1jSK>#c$opa6J6rxzBI!sEmIF
zjSjUeNjG$2+qXy^jK+nRKmX~<CNcN%=O<&W_)yC6mun;a`)UV)-F$XrvF>oWUoNeH
zGt65r1XE=cGWnIBW|o&W;GHPF2MTF@g}43!E3<&jAlfNU?(zoED5aWwX6^llMM7^a
zED3?^Wpw2_q+GNy2|4l0hN4_rld}2vjgI+R<^xiM+dbGPqYQZ`U8^6AxWSUAU?RK*
zUv%@WcfdZHWY`}1l^Eeb0T6K3{u?m<SLB$IG{P9&-SQ{LkXZQ7FF>@lHXI7_Z(m?_
zzU&TGqn~LQfA(aC?Z=MeU=NbNs0-xsWZQ#pgm%|0x%t8-e<Ur7NMMaP;&6=Vvf#q6
z6lnXYAi{8J)P`y@g%)Y?Ly;x((pHFx-93XcHX>XwP$+fA=c{8DCI$svP0dn-r2S{*
z8Fvo4WDzKM-mHXUAwrh-#*s9bMY6vN$>V}UhL_qL5KE0>l4iq7kDRUE4mX|L_I;5V
zZ@R78D>UOplhjI7_Opoh2+KIL$hXSpvn8q$AAOf{`^!lszfBUI(@ZJGRTTxD#XOfP
zu#bXZlCdZ}#)2@6gLV8ePdb>AwklN9l+2mY$ds3_n{LiG<5Pg<bT#Y@xO(XUF2VF3
ztgE+)4#A|Ag=w*-?9!0%$d=qmf7K|7O6XZM!H(oY+*YvOaaO@VU1TH=%~!KJSG3$L
z7RiX6P1<Xpm&CH2_>Tnz)Z5j8AiYR>*QzWx;T#&@W&vFVm&JXPwI;pU;Vb~<VN7DA
zK1EDbI<jOEB6g7pKX2i%Kr6ThAajiE@n=T<2uY1>stnbUo#q}>fmzDiC=n&LA#abe
z13G%;qUpZU9h#y0^&%w8D$GI+;n)@$$?>**<>n6tY=uh{1PB~NRO&;&3c^CG@syRX
za%IhfdK*m5gKQ)HcJox83Jaf3KD@2$!SW7nE9@DHl_9vqt|y&|hju%kLciO`7AwWl
zo%uxX>Pu7VU#cOy;_IcoIqLY|SkC_ib-WBw&cuSGKWs^1eX{E#(Xt@n&3k`<sTixH
z8Y-IzIU5Pq$I@4UAnT@?iCYW<X1;~B)>PLFz`AB0AHQNg-E2qP%NW*5ceOUOW{_Z;
zD!Q@AoOypOonKZoDZi$xyst8Hv9`pY%yE1T9X6NKx_$diFSt{>*}f9S)Ql`fad}p(
z5mmTzOZEVhQ%X<D#c~3$O}CXAt>@T1`&pI396gFOxfn?}50^}l<d#z6J7tmN*V7={
zYrAd{xzb{ci$;xt8P$n$sji6#E_TazKrEQ4;^~)Yb@?qbyQWc#6uI79BIX4dx4Hl|
zyrI@j<$DL$6(y%eWb=>l-}^Lc3{8tr#a^<jdFB8MD__7$hYHf65{KThT6jF`xJEro
zrFWb1g{`%SQef0vs2olddqHi2A;%^G^-$EYc-mA>bX;qln>_o8lTwjl=Ba}p>Ln+b
zA%Bel8d=}lBayo5oGCd0&e|wIEW-zD>8j!sQw&k1njo~8-uUJ>!D+i`IuP-WSh0F0
zyB79Z28G9!=u#WDQrz0iI8i?Yx0_j1(!B|ne!a2a!7o#HH|{xgX)NQUa%G0F&vh7p
zf0K&Oj!AP}6mgpqjhPW_q4YVgkvEAxhKmvN$j=t#Va9EF8}GfHLAQq8Hwe=iXRr*|
z@CTMNJd1>=zl!GmUHbYC*~IvR)~vI{G)bsigUK+7u{cBknU@udCP04CrHIueF?~2;
z7OW!Nl3o;f+Q3DvK$iI_*rIVak2aR<pkE=zs>!W-U|f-SH*~AcHctsp)~vSq@tx1C
z$3S>S&0=BE*O!arHyh~&a3<p2R4sU7f@Na0(CI?uYQL#2Dgk7X;XyCnnZV5_6@1+q
zfZn_0B8lTK#m%ZSW|>ivt78I7eRFqNH8bxOn!gUz3Z<%@q#q!qmA@HUC>ngXDAez+
zP*x<kx%Y({)A##FV;~pP4gUKXJR&s<gUnU5Tga@1!6uDQ)RUb<0+|i?B#g_Y9!h;<
z10>T5AB3+g`KP0AZf!fv_!Ul@0hZ<pKD9LBize;cB`S)FZ<U!<%kxkb{JOWCc6c-l
zMGyz(^;z<4B{4W_KVPFh64qIT`GT-#XNH&+CG0YkQ`=Q){CQnN@l7Fkh(}~igSOdb
z9LCUTYBdHD!+e9Fwo?0mTOv>HBHxGcAteeJWm|bcb55G<UB$NCIwe`)&eeS8a`^af
zKB)<V3_Z52-EZZ=<h<G+XVyF_OA#G@<<IHfv5>rJ=lO*GyJq>{13ED<G+bD3k|V{(
zkMTqCHF*%Q`2LVggLOY@N8%0L$b5d(!Ifly>s+l;tphN(Sc>|rtyE|fvx>f&+24!j
z(%5lE;c3bj(yI<kx+A&&)e9gvE>o4G49<Mcq^1_7kl-vYS1_TPV`@*WvMg4P{#&vf
zZ;sBjX6P=bz{E|&R|BDqu7ip}hU)Yp!fu4!g8@s8l`mw)19=?T7kg%LW|Z-9-*9K%
z099jHGnZu)4OOgF79DLIqkC-jPnBim4MYzR4&K3m7>H#Rr-&>Sr_mR514J`EAa$io
zqy}o1=E|`(Ftsf|o;V-lhZF@N+9##qsZLDcd$jb9v1r(jDjQ5EmVaW0n+_rf`*_4Q
zgBDV!sT2y*WW1HQG5q0Qd{9)8vr8tEi8CiPabx^-{-|hg{#o$EAvys|NmTM9QfSJ)
zJwY>XQ(b;rp7(V(@47R8O&(YFsM6$s+IYAF#fYjK0tXx*#666&WzCZBXPnoXu3F3=
zoD@RrSty*Qb=S2rUGrtu0LA)qHhOf2KXOM7p8f)Ecg|9J+%`mEc^?P5yII=qt`&D#
zd#QLGf${XT;-kqy3rxMeyuInX8S1{;ePT|jP-*paXC+Xe^lr$#8Qy2;D{c|BfpDFD
z;&ArjPdHI0sCRZp;Xce|Wed*^)W%bFT}LmOJ$~Mjr5b}?rP>QtlL^?FI(wa&Z>$=u
zbjK-#VvV>;nz*$@S!{`VyE>}CVY#@El;i3AxrawkyL|{$$L#3-ju}*?kem2272!fV
zvCkB4k|kU}Hatf?O@0ts>RjX6TkT=jxJD+!ZPOKe2*`~cGVmLct>H-APclVdQ@=JJ
zQR8GGkm}J(k&~Z8M}nso($|R!+jhq}B`%iQxD1?B&E`=jWAEOJ`^I}RUYmD+>56kf
zU{(9nG4}z2k3nzU5t1+H5BtU+riV^=a^Qfp<tLLZ@sKgz2)Drio+0_SJCwl6P-cQ|
zZm8x!J3T@ShB192*Qx!m<$4>M=rr~Neba3lsn8?sGL=OSrIinf+sFjt1jyIp+r8;p
zp)f#1U=&Gnb7aXc)&**UOg7Zj0k}7f%inp=!oPE61?!px0BR;b%`Noj4bur2{y6wy
zQ<z?B`_ZNtue@Q4fuZp0m1>_Y;plKBt;T1E*qvWS8wyM6mf6L%=?(R?3O}KZSwM!z
zqg63f<{n?o5&Gvdo?(3@jt^LvWyUvtWmiqNG3MuwyxcjNKxn(7_+6#eM<{Il?5IQS
zJHe+!DzmN_mm-p{_0;d~0xZ59eSZrDKpKne*NXhR;O-zH^;{78`C*8GpO6*)r5cYk
zxTCyy^L*@D{!@3^RX;Z@{t2XBihhWrdu?XA3|O%VW)9r-Xhl3;=1jv$qN2Cqd#t!?
zUJMK=hukMTcE@_Xz9?4O`R>I!hSH9e97?>|@t4;8ttk0jIfRr;xq~&7maNa7YWhs~
zW$#R+r(d$oL0ZmSZ$>c0100ncof|=|lbT5-se?62ivc5gROrzBWmW}cJuVq&BP1$n
z*~|^<=%<LT^dKfZb|n@$C4fqQ&BrVcTI<6vl^QPn@w1=gZekyo@gZkTdWw=KmA^ky
z2i<c8MhJs{mt!|xcl;j0eM0fyT<?qED**@pNor>_aUV4J!oe=IcbVgf3E{Sa^0O~l
ztpGePD~OfguLua%`%ebht}Lb3nX)HSL+aR-AX-PK1XaQzvKZNr<DU7Uqm7EOk|nE>
zZ@y*Y?^3ANVh7oj9Uod!L(Q!0Q(Iltt^M^Yg1%EBJ{>TXj&cGkitL0nRU#*fnikl#
ze0=5{In}B<M`{TcR5tLI)SAm34=;@PT?5Brg;)THgEpFC+2;1&lqMaV4Hf|jd{6)h
zk)OY-*8eTOKR`D9_!5tX@srUm%nRh2KLf=Potc196J|~R?Uwj!>f7NT7cZ3yV%09_
z=37R!1g0h>vnwlO05N_En&rm?i#@{9h*P+czSBh-nMK8<@Y5yA0?i3#&BzH#PYxq2
zcJu|86m-0%H~Rd9K}86ww+L2N`ajD0=a=Vs=I>@tX5Z-9fBIo$|1dk_;)5jJR<l<$
z+>!R{)(h*>_T8KIH-Xfozf%VP8YFn~|Fma<?IdV-nX}IE<2krq7}Nba%`5?t9MplE
z`sQVk@|nA%Q5_@{6+_W4+!0_mx9|zJ1RgvM{m?sBdd?H9e+QR82mZzUtc0xS@TQle
z-EV$|jC5yfk6@Mf?@_&fyU*?rm4RLgZ4yPo@nRjy`S>Vz^r6r@q=syl|8=kbI^6f~
zUxvwahUqWLhCejy&V7Ue#P>%o{_$#}rz8{UJlC;2{7-JXn@nrfDHfqB5kKMA#_?~k
zy-*-UN=nbd)=*lgDS!X^uK~6Y7}`7ML666eg_!41HV>;IGp>;H2Y1qcg7KdfRM<ka
zJ!B!C2|rM~j$_%bo;TaJ)R6yuPA@4jevdL`BP@AbVDIN{ZE-U1cDX><fxMia)IUD{
zpR}x(Juy?msveT7(Yhmn)6{D=S$>4kQSt&SCkIN&Nm7#!6g%F(Kpq-3BLwYi^#@vh
zKblK+%xW~1uMXpe_PRUwpW;U6alOJ#!xCx-L7O~h<XJ`;v{SQZIn1|PYe-MFyTc|&
zb(&@7S1<q09)I$Mv@7i+ZExAUMJ9y)DD?_Qq72}$dqXLL-Az+Y*7=x*9rZtn8eM;;
z{lP8&v3*{MD<WQnw3>RD74u5CeQ_pHXi@p&A6WmEfHLmv+tTX>u`<O?i4l=a%n0d0
zhD7j>aN~XUbbPQvHu)&@dTG?)&s}?@dd+S2&X6wWsdDglg1rFszVBbY#;*;B1l|Ab
zeCcl-{@;M<ONNGgWlL%G9V1APT)Sf~H(6LU{hSSd^_&al?|Joqp{Uhs&Zl0y`*d%n
z@hv3k+cfWzTS1D02wSqhlgHo2DqIjk@C+@Rj>mVCXs=|W1ujIwmmbJ&N{k!LsSB=L
zSw2WZjg<&q!&j^O8`mUyGL*&~(gK>xsbh*+Rnu|)+(2x~bu@T#TM6ssb1uKcw?k$M
zlDrB?T_SldZvVJEX7C=jO$t>gfU;zi|En)osKVN<k<U1liMSh@$?{xq%x?`?!~E%)
z{Aa7dVCjPS&;5WFSXB%c!yVTC-S1uj8_|L6l_0Xm{w0$be6^Q5pZWwSypA<<&!b-C
zYyIl8e*>77xMCVLm|^;bsWBpQVP8#XAp*hDO-+S!f3mtEt*vvuUXDt0%}&O0!usm9
z-^(k31}|ycYZ}gS<7jtf!8^UvM4G=6drd(sUX|eL#WjwSbVp&@AbagE+qs?EFX7HH
z;V=WrBd-7d#Q5S6O#^y|^w~;k*mpcJ(1Dh(n4#mBI5BCR;`8TEhMii0C`Yx}<vCLY
z$#GRu{7rZs&;*KFs=rz9j{!F6cuBF-L{!1y3D9ueF_7d>${>U3c}GTx^(9z2>@Mh?
zvx08$w7479--z$;6RKc(p#;+cbBtY=S>Ln|Lx>x`BA<C*$RKCo(H%Sw;Vf{iL^YG~
zxnT-QwytEOA>5rm?7iRd{y3qG`W8I_?FOB7M-Jk`*J>d-$`jgh(`psJJ2qq|(jnY^
zl*KSMmYss*<ir0TlO;UhCG}VAPymo5HOXrz242)}kHS#>y;-SyI(qxnp(AL>`eAYB
zqYKqHhn_!3?Y9NiQ3N~RB%xK=2{DpYI@vSyvnV;^%`2#hy_)g7xcwpss$qTef+NV*
zi`jvT$uCC@uFABR?+?qt@pJpV%z}Oc{Kr5XqE}CRbVnG6+H6ai{-s!_^Tn)rMa@i-
z#A9?hoF`i|3N#<agPQ@&trb;yn7Cz+v48{Izm-}4E;0SrpbymqQ|ZbTc(JoK_hMMl
zaVx!YV>*n;$0bQwAm9(O9EPaS6IAwE+tmymfkxLUvcVcJ$M^nN=YJk`*dQxry)Bv3
zE=nk%02punb~5N+Up0eZ_VTQOT{e?l6)aI*J`a`z*<LQ*Q|rnEL%c@Y@7?h_ha`U}
zhI{uAw%eoj>Ye#5NP~@a$6GaT6UNU`L)MQBA{majUfM`cJAq6et^qpaH<RzSmjC}N
z^@J2bt)ReuY0eL)5<EdKSF$o+gz%=F%(Tk;HEbD_$Y^k4=OxDI%;gcDr!i2T%&nft
z*J<K|28Km~ZLh5H-*oX}m-_NI9&Nl3uI{=c1(WG(O_Chr`PQlOvLSj7Fr{qh($6@A
z3Hgx+2~3~GTZf7L6_EdBFfR;L6&FiCuQiOUT%1?*Z2<?dog#SY<c7?05!CE*ZKVwl
zERx(#_C|D!dJW89H1N@%zfoig<jq5L-NFp*Rr*_q{okMiMH0;M`amNKZs&mUVMyzK
zGfnZOx#ziRn=)>vPQ5(n%m(ti&fNc>W!J}%sma>vCiNb_aS&cx*l6<}+>hfE*NMNP
zT2UJC<pn%6M6vA??U?*L3dV5fQO5^COz^d@W6jHGTewF5v}<ufV6xi54;Qjy!@oo{
z|3DR)=RCc4vph@XIC1$yT{)D?F*|?_EW~zonmE3wNO}nW725s_bcYJWw##sqpWBO(
zqoP;x$`AubrG~N7RUZ?pQ1+?6XV8|7YX)3ftzTGa%hPbbSi7&7@waNJpo1_hQAU9G
zf^_G37#8JWgr|vpg)p5dRQ`-PDvSZr4BBw#zK?#UZvksqg;2gchU3cjXD_FV{@Sa*
z4`xHa;`FclYH^&dm)t1=W^n$;h8d^QvC)hM;p;Jbw^N&I#gL~CIX;P;&26bsRiiu-
z=-k1B0Om3O1^sU%`|_g!#7dWBeDzQhUGRtCx^LYtYPSCm+1KF&!CT6IhS{k_ZN57B
zzVVQq@H#|%I2$o&-nK93AC*HwO2_zQkcTRfH1=I8J_XxrWT2s*;Rut<-(eP_bKezL
zYBVlkIX<XmIH~~-u!e4`&MNS%1znb3>yzJ{@nQgNCrRwbIzGgGNcclJVT)zFTNdZV
zvaHG!Mu4=gTra2I%TCWPU0pWH9(6NtE%`mmAA<r|J9ApfTNc90Bge;4Iv{JhxzPUz
z(+)~RPU8q?pC_Rr=LffU7dNadU+A;AC|F*46Xp*{*zb849|#Tn!(M*LkRhIxvXd1q
zq6n?UK)c5s+3;3SK~C^m;}sGA`=-B)y*+<Y+pc3>!bEPy8so~LR<@8eG*i%TFlaY|
zur3kYO;hjqX~KUfY0I(vfT@Lg|Bo^x%(EnKovPmL7?PIpns0ibNwVMv<(qZ_p1++#
z`xoJ<LBKo=@j<#ABWmZU`6_6eWqE0tsExCewij&zNvhGi>X_qR?cv|ZHO7;nXdYLR
zu4{`8N7MYg7PnBNN3*?ZgpN){MB;x8MXxA+NPyvLMIhD?{AE%<yEt?5I67L`2YL#(
zXFJXvGE8#J!coO8EIH@G@zo*B#6NcUKl|n-CB;v)OlM9d|1|j)Q&nif9)~1*m_|h{
zQaI7iSv9p2ZQfv$pgqXzPg~Fjk}0~QhxADdC+ls_9TnQUWV<gNSZIjOKdaw*pn&yZ
z8ah>C<tPQ<|07N*V0Bi6wc9YsoZUz~a8J+iUOXE|u@Hq<6y-G{0mcdk>9idw;L=~d
zdL7K=f%0(8<*6uaM?TP8LCjb=9xubMfW<o<4kMglm3x#pG92&vhbQxwctP;G30r%A
zzrl0z)GHTMmTRJAU|WCM)dG_*+sOsMfcR7GiXe}}l)g2)9@YBE{D5JjE=hkxF@@T=
ziREko1Gx#GuSS*Ft1&J<GdQHQ@ef951Q^VKcM#+7r|>(u*1_g}ULh3iPUH1C0p>pp
zDQxnHH|;P_iy=bM@9z<C(0d0caR&zdJ5JF7o63Mw<@Pih7KA%B9`DY14fV_ap@zTo
z{vKLF7iUm;zmB``obJ|&oZH~4cc(5#w<r%ZT;3ltmj@z2Lr2gHJ>2<b?W$Kl?VPLq
zz8+wIK@#qa$yQzA3=5}6aiayzcOmCd@cI90BVP->|2*<jW@snJv!S{7T-Nw{7~VsM
zyR2rJ)2K*Svf&J1ZrO}AVUx|W)~!c9GQHO3FROVA4ry#DsB3!L+=g3KYZknAQ1bcY
zMi^OTyWtXRrvZN6_N5jzvM7}Q=RXPqN>4Vll3E3G8q%6)To|n@#+~Az0+us%GJ_wl
zbwLK{IvU((TSKGF=QCls!1GeMK$Q6rM)tUV9{nleZ;7O*&k>vd<cfYpJ-bF#cZ=Lc
z<37Q;R*|hlFlS+qD=Zl|c}sMC<eBgXYTltlm_j}cvwzv<7`rJj=5E1pjvbyBBm@ry
ztKbEy?vmc97)x@TMbRYt>d0j=-d)z&_6<w^A-w+cs3VUyE?R^GUXpwV|KsJKhvn#l
znVqIDV@ihSOFLg!Mji?8g!|RzNPgz0L`jfeAAzV>@|UzFjfRCydk>jP9`2adm7Pj*
zsX+7?((HY{XAFy7oOM5b^f@&H_0<Hw!Lh)Es2V^Wv!31M$qvN8cv!VADbXo}I;71i
z?$m~T*jT#%A3ITp+$-TTajbPT!w|ln4dIKD)@*NhVVM?-E-#(3hj>os=zS=`R@@W6
z(t`{ZyUd<{+FD|mFHXvH(nn!hu(#sKDwkCiFS1lKzy?RJb;=>0$zziphULHYxc_1R
zY)VftKVdU_Td%LB;>ayCEjhUB!Z?mM4#}&J!CZjM04`76?6;B%3W4>bo*aKzLH~K2
zzk+lF&(&a&MVXa9D$}Mb*&}H0<!O8OU<LFN0(-?m6_DVP<j5(Zu)>K!g>&LT*74%s
z9O1%U{g)wH&j|0W+8|c+j7V|+2StC$eEyD;^_dw|)qo#{Xv3uI<}oE9*BDc~*=eEh
ze^x4pphT$pLIKVLjknlhxe3op!rkJK87T4Pu)^J>gQsw3{pP!xZR*QG-bA5@AW1`o
zrI=UV?r+xZpd`!C)llV1?DB?(i<+~?`s~TWM-R`?^wCF@M|52|{Y~qjj*a6VIx0>8
z3=Iz9kyIsE`6n}SPwmKujF&sU5MVC^OTwM{2s&VZNk+@}@NZ)q@#Fpx+!U}jCTo=S
z7K_Q!L4IGhq_>YOZBT)|A>l4Ndw)tp8GfH?l(QLAKPd*}lGvue6|=9(+`pt(Q_^W5
z+SHT}!mZ<KU+u+TGM>Dm5Y{AT4))G*=W-~7emLiS$%u)k3Pd}+3+OaYq%ZXkJ%}yJ
zPu2`GKO{lO>}wspVKa6oz7L^w=TJEGxRkd6kA$N(&gHQkImUw0`GPnkj*VVS)|-%_
zh`)D5d$o{^|8wP_iw9lA?~`uqF*V&IU(Rn2b~yE0i*){J6B2_<l9J0M6ODvaJ%(d5
zm_2GcMI^$eiRR=1pqVbJ1mvGx7yOd`$*TRr53?7YrjO8zDQhPtQYC*OliolH;U>Um
zb-zu}j?eLGS^N+Z$bn-1lH^yTT8RoyMUEF{T07WD(m#S)kXJES-FDF#gE5A4$nEU)
zyv5+PzHrx~{z-#>38X31iu9Y_)Ha*`@{9;JjFRqo?_s^9xRy9!!b92@fi#7PbMonx
zJdqR!i-!A2YeDM8<#3%IbA3Lx(Fd5qa=aPJtB!6Mo-<I@CVIA*LYY@V6!}N;VFB0l
zpNPez8w$ieWEwc23C=?<@Sh!ii8gFVIsA!QFxU@}OvM#H{G_QrtQFoZ3sT_@40||}
z6dZc350LF0qM`03$d4pM8Yljib*}~;MwA(clnpCb$y9M_8On3opUbohMFrY@8NJs0
zHlRI5l1~3XFZoy02w2Fc!xBNl4Z3!M>cE%S>Dd<&chl7!Qm3wnp`HQ4%Xb9Pop0fi
z{AE7mdRIyPL-a=HJL>qSvWJ+svdk}FPU5ptR}|(n_b6j35|J0^n3{HP{a>Q2qZ3`N
zuj1KW+o%zPzHb32%eB_=UBX!9wdHXe(rdzv)pI8|_KA`TOmBZk*^@iH+Z^RJOMDfy
z_?v8?L=L7_`4E|lQBt-C{DCfO=&YXKsTNw+)PQh$x6-re-~8INLPLxA;p^{eQ(xv5
zJbiK(+U$P*R=&Mi8D9?q6)jR27I>i9&d?wKbtamI9}DND>&|{eOTA`A!!^*3Vo`1E
z<81zJ@hvV0Q6^dUS>L1o_>i2ln5x|kDH}*}QE))eX9H?{ARPZAwBQN(kpetbZ7@lE
zd7I0xpI84_7)ulA_&8+QG4!MTy!m|qykpWU<sT=;Pl<_pH#7aFZonMui#azkIt!%#
zk+gQI%X*pi%#5@6>_}^biwb@aLUdl4wI)&C)~MkX96OUJfZ`GUxnd?clVS#};R7eV
z_r9sQF-2QAdGdNjw8E*=H%%F+Pg(H5dD=~+ox|2lDYruKO`01=6YXs4ae>x%Zwb&2
zSK4PiuHM+L3ut$g94qgQNUU%>NY~Ykne*gLh*yNPWv)b!w5M%CKQ;at73uIted&ol
z(y*n;8ri2Yu#=o%cd!g2&MT_F?kE(Fj`u2f>_rv>Mv2B7Ii4cT&Gh{BrHM5}Yanjs
zC;D)=Fn2%v=OBKjq7T^bL{I3Z*_njD!3&hMLhnv_`P?M;n(%rnv!c!<EwH3U_*-zS
z_&obufcinb>_^6RlBTZIL@C-|)Q#(NEH4&GpHM8CxvUa=;h<L59;?RI-|ft6R-|H3
zR!3PSrp*#>sM!W?HhTcHc01IKI~F1Q4tqHlxrsqRkG(d14|x5AAP#nYP|!`M(W%#c
zjf__HWW8lIws{x$#5BTUR(mImdrxI2Ha*C16YX)O_EcxF^*JMK;g|(bKQ?j)U?|&9
zVCYA5+Ta#=uF!qw#rXACL)q5DGI5W^|HRhfMEQ4uIB9#DU|E_hNUakzL?8%gi&WsV
zhF;<dNNlyQRNM>Gb!-V5VZ9{GhfXgyDC!}H$kHhas2HV${kb5q43xYT6b*{JMR|gQ
z+SZ|L@0dNp(0UON!LkRP7Xq4Z2qi&v=?OO@KTX;v&>$0TmI2?@=9}ex)cP&cqwRvB
zQjv9%417EwACbwEoBB=nJ5HJ><9O=#wMNq}JnfzX_;@w%f3-^lL*GzAj(udBWf!}h
z`wab#i5FR={rlLH9q8oE{+|4pWPgg=X^r*m=vAtDx#ag?(3B0=&g8_B(FafHmS_~h
zwcbx{>+RpB#caPCPd#y2jXU_>B-KpZfNc_ji-#00Ih;yB=hx?=$?&NsttPdBLTRTq
z2pn@Z?X`{V>5kDDT#duTkbs@LImLXJUNzr#5%vo>K;AuSOeUbYICBvyiO+5li?kt3
zeMlBOA5%52%t037AaZQC%hA^Td1#)GJp0g$Uv58bYwZuoxD&f?KUz!mr$4RR^>wF5
zlr@<g_kD081#5K`fVk;TO}aU0VH-JKE8ZO<jFcj9J*}y*R_3fYb@=r$dv{jkn>k07
z<eyO@b8-G11J3$L4iv&`x?t)%>u`4l17vAXlVnNZOD=+q2i5Mi1@9;ik)Ug`K9`S5
zedsYjVLlUecyiEtE8nUlH`Xk*H$44z_FLsIJnu1>$(1%&50@Q}hf=#8A;Q(eZpSuf
z%O>D(e2&b+aq*N`mTSr9_M@;b@QkWp%^!oglw<?AP^}xywO#hj*P<Bi$NBPtpMkM1
z?7LIxpv!&m@K5Y3&QtYM^xD7(NbX|>k$HygY76>B8be(^1?2-0qNZH87|miXaYi=*
zqJHNwFCSF8<@maEfV9ig*rQt0Esn8Y&@^L?d7G`N%Wkm;>v3epDo@yAlEW8IO=}MO
z(mKt+{#wn0&AZjgU49oJV;gs>T{$R^z4d6prT@52l>-pSG^}(`%)i=qkCgh+kEq6R
zsqAsT&aZSokrCu`6(Pz~c47ZG_ssUV@_aXDx;A=h0*39i#yaNe!g<QUC@Gr$%@+8e
zu9d5=>mYtoW{G!ZdsTYuIFLCzTU#c`4tysvc9$EUk0#wH13Zk^BJS6r<k=H@k@wD*
zL?#v2(i2=yB;hiQch}F6H%F_nWsMub`!~sLWZ=K<?aD&-p?NQCOm|0y@un=-hT4c?
z-iGkl8lPXa5=Nvw2hHVrIE~OwN@?F^0GRa;wm`X9Z5N^Y@K~)>?!eIY_{Lrv%g6tv
z4^c$$bd(JT?J-iY5RQ*pnuNtPU(etMna^Ce@C|QbUg-ox0`Q-7OsV{nIh0eT{!)T9
z@t6v%mas-H6FYR&`f{YtGendu1118c>>CJD;wjREwXR<Y`{}^*c$%jUJ)XC5ueu1@
zm%=%CS8k8KPj054FWXJJOUs-Bv*X3b9eJg!YuEIIiO#W&?>bX|1d?q?i_Md=J#Q!z
zZU!SbGMvPNExhpURR7bB%v5c>c2wJSZg{T#7D`9uuakLM-pzPV*>I^PSRt`&qFJo{
zfQIXNqs$q@%>4El8cT0(7x46nXX&XMq^1f1u5p30Z^11hwctF<`@tQz8$XQmupZ+1
z#6Y*lQbew&TvM^ycR3DsfUev3V*o8+F5lDA)sFI$c+=&QGR$TvutERMFI<*;k*hp2
z_^B7Z|HiYX-E|EdVL<$rEf5>zdG7DlsBMA<IB(dN1u5FTzdWl}KVewqsO4$BLwcsP
zTxlcIyb8CLP}aJzX(Y3^<~;nhn|GOZo^nO>1X7>G18fT0ir%wd%g!kS9#(9X9~6MV
zUEUNUKiZFw5yJ?NJ(!!cHyD<B=HYk;`Y8q8EwN2!Xb)HT5$gwD&iG5h?k$%S>c&%w
zlZ<Y<n@MBtUz~LwHp-4g`A*zsK#Y8kLi-85EBiV6_4^4=ck0^FWz8Fxt<0g#2ULb3
zfX#Xz8^WH-iA&K2z3%M%bHgB<#t8gnSAIj+TcYuP!%h6UQyFZuSItcSZ3*H>LRwfA
zpxOVNcTalr-snuJMxmWMcrYgUOm<9k3*0#WwF1e8)yeYeKwb<L<#7bZ9YFEvqP_SU
zTE)Annnwv#F}V}afPWvOPg_NzHiqs+(Spn*$i9O_C^;v7cC1BpG%kv`MhTwB=&?tz
z-)F5EpLSW@o-)dPyT6|&v3l4(!I|r&u^if<458<g!|I)JH=@OjirdZ+)R75gi=rA$
zzv%N2c33W*-hNVK_aOV-)XYelgM{CIU2Pw&v$6D|xqQiZn|UCL)U(d`xdrN)SV$eE
zLny;~4ZJd*|7JOk-n4&~9=9SGsDlH}_E1L$$j5jh7HU5m*v}^4!)oVxmweVN0a36=
zgop;n#{@O#ABNNz3QWRCc8dhUMfcXopCGT)ANO2cwqGaJc$}_Y@o8T~o4U+NEka%K
zI_`^3Vews+UBQ>Txi_uH16UtthSO;6=NVyBhTH16)%s9!>NZV4;qKl9D!OjJtds~G
z_o4@g!*y7&J+T@D!q#k|<R6SmA2AtkhK$Gd&H|-wmG4fY>P|s>ms30^&Sow%jL!;-
zmm?k%{VG1kSmpO}O;1I`lVj~0GE-z}wgOF8r_b?_jfTs|FQj@=);`II|8r13<NT8$
zWW;7dhW4GN0pubxR2{4%q$mocAH&CGX2O1icBGI;(GEON@Mid<ACkp9<B>N0CN`4G
z^f$sl1fcp2d_T@6q@xv)>*V`=C=RNVmg79Tt{<YbtjllL!c4d69#edofp6WfmadN3
z>pL+(jZzK%qb(^isCCjHB$f5sjFfsC&Ca%xF`<@P=l{uwbwIuN6G=a9nAp>z7{_Et
zVyhT*bWX?&fBIEqFd=YURGo*dA#i`T2zn*e!ZaX0Hg;%qL44MlMJ6J@=~9*?W0Xf7
zTuLoJw<C?ld7E0UGFv+199QBf0y5>wks@hvj9CtK^@dzS#ug$r6M;~R_jqW<z2iAP
z3dpzCaMN9658yYA5(S<}sBfdx7;_(iCijtesWd%CV)vUEJwC2DtzcXXY^Yv)b?7%L
z!}O3e*q;WZ#}l3<Q00!bJ&uv{H;Ga&tb{ahIUE)m=T7zR;;dZ`*bO7BNzT1=Sk<tx
z;S?bB3F(+sm3cb13!fSlCvx2+%5x1QfQX$BT>+6ta5-vl-afn9H2o@0mtl9`Cv8MS
zOKaxx$P6GR2Kd}GU#OSf0`8(GIl_4vQ@>pln$D%x=a&OcviE_E8ZpwmE=q4A_dpDd
z)fai1&{L{1cfafw-w?%xaqcu+)k^S1x7pw4Pw~QT5Vq?VL!sr{VAWf%>xZkZrl(yH
zX+?!`-ppV1Gr9{bR%#RO9(mapobWIuTQzP1uOi!@i|sncp3OKfBX@H(wVOZV{5siF
z@6>;%5BURSzNfNFKk)PuQ|ifmM1Ssg!fW3e%YNDYgJHh(HsGyCwwK%y*PSVo))k6I
ztNoZ8=hG9C#M<}K&B?<2^jIt4Z0-Ie(zDQ_^HTlP4^eByx&~M*uW=i^8!UHzuzRm?
zCk@UD509p&q2Wm!s*{M0(-Nrl@W@L0{yE;{)u({=sJel8DrAE`r+Jr2)BR;4XF$^i
z*{OIl#n*QW3o?&`AK2>Y-S0|0(g@w3zE3`mIhR1HS&J#VUA)<ED%VWP+a886PQMMY
z>$~Npw2WM1XuF6C&$V{DdE7^D1Yruyr`rA;bs3T=2uFGtNzW5~xh4I=#K!gLsvYo4
zkHaBdydQr)d7SDD4C}0uQkchKqMT9ts?4r`j!`C`_Xu_$1?l<8Zpbu0KXGB<O1}L<
z9AQ!$n8u#BQt#G`I|Yq+5;^0){{x#0EEEBJO?^8hiT50Eq23uTbL+8}JvqYi#0Xg9
zn$!gJm*2?O=BC3tP(6Bw7~2s%&ed>kY9zicN_mm!_%@IRq%_g^KSlN1{6j|FBMzQa
z%&sYa5wwdgdl?1166Wh)k^kk(TL@BO1|kkxHsgMX;sz8e`j}<qL?iF(K}KKgXgSNH
zMVhy^n0{5*r2ytVvD=Pixvx-I&wIPs@{zDqjSO5yown@z*SOAU+G6dtejxT29oum9
zBD$#A%_VwVh|lw}-TlR;{b=iQQJtP%$8)-tAKt!uI@$jORNSB5tSd&+#{^k|m+7Cn
zKVR+TbF;cX9G6S6ZXk88tDh_;6Ox0s!vjtXO?Qv$bFBwYJ9$s`$HZjX*7GNOpRc5^
z-!re)T$X9>7wWk#<THqKl>=*dcd$xMBl^$MoKNH@vpvpK_oc8rzP@RJ5gDS7Kvk)G
z6wpRaX>mVw16Hoxt?hg5a#J41ifVWq2T4o`5kB5sB~bD4xC4Ej6L@dp+moevjl{!$
zl|t7Ao)k~LA-dVKd$ga+QMZ0@aG4E$jy_pB^f<mZy-l5yIJ5uA_k@Fijdiy&=WhBj
z^|FB~*Ss7UZ`W_HEoPizR|D09a@7Mh3bPEjl*h`eUp}j?`8HQ7S4Vs&#dVugJw`Nk
zr`2yg#})1<rgJ6&EB$;$tCc?LcGf+4T)&!P6|-gx*n!uMl6D=)W}^<i+1X|=fK)>I
zqI2cXb(>4%zCa}QoR(tMzMW^+&0Z!J&hxCgFUALKxpMTlaoq>Xv{R+hc_~0r`VhIj
zv$P4BxaG3Cw@OM)mOyejik^~+_Yizj*`SZ<NJUid&am>N$Yu21c9-EqI&HxrCCsl}
z6S!b^Iio$xrEv<X_&!ya9WEum6ebn!ydghD-}Ml=<^kY54e+3Qe3H<Pc{-M9qvp9<
z<JM{bP^>(6t|b#*_gqf7uDPXO&D=i4J|VJsum93N?TWjq*?m%IlC}%yJ5SqZ<~!@&
z-#OJte|k^`sEu~Iqt?VT)uemRv*UAx^sAcU>0fELlWQ9_987+we>CBNuCQiRH=6vB
zzbtY3Ej_A()w_;4kME{#E{|T$|45`!$mx9_6+yLB<SL!^=TE;fcXQM4ub&yVd#`HC
zHR47AS7=xGPQ&KfrJUGf9CwFaYxnm)E>e|;q0=B0<v0JUtx&{?+myna-8QAQ2h9jC
zi6pn0ngNCrZ_(ryocd2uTsjskU&Y(!RUlXjJ3J&AJ~ZGNqSJ>zsg$nl2Ul6L+;=<(
zS%LiA^Ywu=9mzn%<ZGGQr9GJm1_-T&sp%8aS}y%lGOum|Q386e>S23!WCL!+lNk5e
z;3s|H9cVRi^%lz`ArJ9H3SORd-)0P;>oVI8%C#$ooGp7gQ@<`-fGNr(kQ_ZzG2w>7
z!6TgEqGenra2*S9Z-<KFv;DO+3DUZSzHlwi;^T==yXlJ0rQ$oJnyl3Z8Z`Z?lF4E8
zczAqqpq^^4T6Z760@rhih8-VPNjmpLdG~Q}ds<GaWb#4y?euGfxS+reoJE&`+vh+i
z_qE&latW+K&0JHI@Dl0$eyxkONwjnu0pOLNwRH2zT^tnnDX8F*Z4VUhaiu+F`22vl
zlD}WdH7W75^_+95eHL|<`FvfB`>Dr0xshN&rh<DX?N+L~`g_+2Tq_s4fCzUPN1ap6
zMV#rcr&5o>&dp}>K=-lll=>mfO4e(wjF02(9)3{n+Rx4HNo7wzp>4WNIX_jCwVu^$
zM-$$Si{_|XHOY$L0NKhNBY1yNX-5${oS;n|0(SXwi+QiXTbn_iXMkVUZJazHtf%iT
z*BI#%%{MDWws&e~-Ps8?`FFdkmpfPU`Mj);8?;a4?t7`$V)5=<EBiZ#?UW$v@QA+6
z8XIK>?^SFh(C#C9hP#F*-d2A4b;i}Pd6{_or95B8<*nr{H_zjZ_S4!`vIj8l>R!g}
z)8p(VfS6#pTK?v|;3|l{jgja0`FY{0(Xo}pGC5jQYnXRq;@8VO9UrK?7T4S-+NCbJ
ztS2{}C*KeyYF!k~<)=H{6Xn-Gk22<<ZGm8Imi372Q@-$35Fqox{J*;1JF2N?Yad5?
zl`04b0hA_Hsz5?7A_^i3N=Kv#p-3+YAWfu1L<IywFG`nQLod=r=_Ft%B7{&v2!!(G
z{oUVt*Tv6$v*wS<S~;0B`|R2Kd1jy4+uUYvJ@hUBGOF@j>UbQLp9cd;o*WK_DrEY>
zcvzg_6DEqiHK&vnH84FbsUCun<e6oYH&$YH1gG!RZ`F-RDL+jaJf}Crl<&B<W}i~z
z84>=``k1@oAx{ep7e)$iG?=t%@H*4NeBd8J@Y~O5y3OBU!|wSqk@RLzGtPG&v!98_
zkO!W>{`HSI^hbg0YFdVd-}#z(QkAhT(WAHA;C3dAG?6oG<mNk?+lsrAk?C5Mz9u*1
z+==0O64ymyP#QXXuA@IJgOD)9onZgr6x9L^_4$Ip4vJAD#f9xMoHflD(whn@yD!4v
z1O3BOVdSK?JC7q9g=if83P$F)earrY<d?9-%{4kdw&i1rKTjKwb%Oowk2o2|8HMhA
z@xh|&?vi-Kk+-o=I3e+$<a}+7lwS}PFjMe_=I<$zZFjJbAO~5)Gak6R>i%;B2lo$x
z+ao5_PO=p9%U%}k4*95=$EJ$mv7h2l$)}Har$UJSD@na7+v!yk>v${TgbqiW6&XS}
zYv(O4)1Z7p{XqXf)#~6(EXA@^1I4=C+-<VAK8)CTRpS870{#g!Bul<szFpC0hOC6C
zBzAQbn;fl9o$Ac#@a7MyI5R&#_Z|Z3mo4aqc<-nIY0&-%eX;>!VSQ1b>PpOn9`fX1
zojc{Yn(_woqu$IJY-q`~WYihT*?f*<0`!t&Gg*o-;Io7}bvXJajLb4rb}XS(^xs;@
zLY}Nn6{egGa8Go>k4teM{Li8&ON)wbJc!HWu3j4a8L)|OTc|HMJB;JV#}dc0^o>r(
zv+k^&P1E5nFAu8iRpAQaB=0FgPX>>!y3FgJpO6xMj+P9P?xI7JhA-2t7*I5na1wVj
z(-BE+o;!LI_9MY}kAADQi1Mhks)5y@F-XzV0mftdpd%Q953IKIz9#hGeo#zx13O@1
zUF&T7qg?&Lq|bLy;={w?DeI5O{izE5QOJ(LM54*aonZGy1r&3FJu5{04a14%Tdot3
zAF&iwkhwgL_C6wbWr*DtewJ~)2TNnrNyq>Mm^R_g+6?E86-SSfY8)JeS`Qha5}B0_
zp~|{PbZTayt7PjNW+(TQ4Yu6M6&MM>>KpA{`%L@)5o~Br(p7hQo|<BJ^UI!WR-T<{
zg3PJb4G(j?s2E^BB%j9xpK^iIT)q;XdhhoQvQhVssLA&!r@e(g_+Lla%+<7ipqTMA
z;$7u0?usOrTHbMFy<+s3?h1FkOK5>sLo@TqY#k){sL|{=jgo|US>>n!JpmaB$wp#`
zc(q`Mrj;+F8y>m5@A=kGcnNQD#xycp(=t+Dl_1NQ&5uz&n{{cp0wbtMCS;_dpzOS)
z5e5~UzWchhllK{7oL3<~09SbotT+len?t20rlo&Gt!6&XqGt0*ZWgX+*xsM5;CZPh
zO8PzPY&&ZGmQj$oGTPYao?^&SmM>r=@DJnX(LvRhcAa@q%%u^bM2bgcGWd5N8a$i!
z3q4%l?zjIiZInHz@j*~!erh|QSu6RKh&K8jhBKwXFZnx+rZnq^9v)aHt8UjR=6hHM
zRRO>G`_EQ22xH!=^O3%9ve`|<*W9lWtBBxzpPtr*Wu0rg{vo3-Pier<*RN>1E$VaZ
z)lnL>RkORHaK_<-eg73fKuVwJXklI?>(;}bC&#O12tHUq-J&h<)ltI)uXspZe#P0w
z<Mq_w%p}LUyXvgr7Bq6mkiB7-DJzwUfuhXM9U%;pija{^DVb@k1dE%RY2w1i^U5@9
zNc<n%4BgrJ-r#&uAvSQ6b%GTR)lkNAj_TVGx?{daRh;hoe80>Y%!12`&T$KXRb47<
z&<cEk&0H^Lg-vG5LPrVsbVNy$q7Ct<kH;a;Y8i`9&q8Z`2vPaNsM{PrY_QJz+uHFu
z_b&H%gBXWDm%YkuwR7A2OIYyWyU+J^r=ksy7F{Kmf|i*>F;&e)(GeQy588^yr}CuV
znY$Sw8AibcMtzz1Y(dVf8}VLF(&j3dOQ_^F2^fo-XJ5klG%M`g=}11=OT(p|X~K66
zaww*W|757|2ln_%B4+x9U-&;xzTB3f?k6`WvQ91jW=XY|Et<BySilO<mrm(EmQdSz
z>UcIyC|<jcW~xrP5JdF+O+$E2#(#6*XqilK_{ACfiq}XgT-}lT6->mxL!&n3?*5Yb
z7Zhis4}`VG25)En%1?Lz`%xeuW|94s8z6+p{e9o&<k@T>W+f;^Na*oF!)V$O;TJXp
z{YNflF{OoxNsGy?1o(~6jB3$UfqqM4G*q<ls-ntk;*s!YJ!KM6>3|@G{1<;ES`xIf
z!R7)r)Qcl_uZpTwn@eyOHm8qf1N*@1%)8EO6(Ps1FZ;G~kvm8GVp2xU9xaj!TD%=%
zj!iwPrwIHAg<;7TOEh*qrcs)VT=Vr?_S_HVLE0emyOc}g?_@Tg^%;B$6onO-uH~D4
z{P4Z%2k?bUP;s}iv!A?_vo(u|<mWJ^$gufqwzjEaT_LDIxIbop*zx)EuXdlj;DRWm
zYeg%5*7f9oHx%IyB0@N@+)<<V_f_2HBN=CmlU1FGTWXU%7N*wCM><>Wg1C3qa9^pj
z;jPn24!2)@QtJH+8^`mzYaG*EvhMZw4bGl-QC{9Y-HmQ>xCZE1=>_x0W1&p@rl)p=
zaq~LGOdDg44*k~AijLGT64P>CQMFc;#52~&)7jKPbP+wo`<H5fOB`?-_{s=nX-CU6
zWviXY7PqDqth3s#X<2NF2=z~A&g%^boi_XR8iKU4`WO|I!`}EI%wTXN$YQ_yUhruS
zXI*u}ccG9?f%NUu&vmW%J$&E#)M2&cdcFp2I&L-*t2rI>EkuvdRwdq2v16yVr0}Dp
z%Y3|c!}J*#c~`7mKBQcSDNeD}26IKX#ig|D)5+Xzk1>6t2lE4qq7P(y{Kc0=ot+Y}
zY7-?gNRIehl+nPV`lD*^u2215^T(l7J(!iz6HW=px4FIY#k#8rfHeosPYcynL54Yn
zbpm{(7ur}H%?*V_ZhL8nrt{jEjk#tGxJ$2U=$0L~3=1?fM&ZJb`ACC>NPPS5)6TM%
zM^cbQ1kQ3;_d>R&G)VBf+9ZzL?`f(#gl|*p)wl)t8WrG!jS(;0oGUA`{J${hIWIg6
z;AYooT>eyp3xa4le5M26F9T0j`X>8VlG??uml-U5RC|*OEdNr9-`lTEfB6i2Es52~
z3-~^g_xZRZ(;ccu^gjIWF*@b+6vJo{l7~1kF}d`;-yWOfku2`Isb~#ie9aQmd5&Tn
zgILVetsdt>JhK2}zgtQ9=bwo{3~4$p$!In=uo_doaXR?IRH{C~)$FN(_2-3<Gr-G}
zRnR)51==A_Jl%`|cWdZP7kkCb5Lk`s=n!5dpwo7c!U3EcNbY;9leUlU@P_D}N$?YJ
z!Zw@-vS?BD(Y1tuRE<NT<Kt)s`h~Mg?dmHT?%*Nqxv!3C@}&VtuJ%M1qxkwfUSdOQ
zUGGMU8Dmx5(f;XASv9}HV*2~z(b(oJc}2xT&`f<V*rMh1pe-m$ezJ5&x|fZQCSE|<
zM6~m%S(sptGhE#)DRq=#VsCz%Wf$B_;9{;ze=K_XT`N7fuDYyhU<+|rqVOlo3!i9j
zRHKJIHf8$Qg=vv+G>Ks@$};fKl<I^$g{$bQF6aujOd8z$(w;r66FONSVqq#D`Ltw?
zrQuNH>&`}%zV!0!;0dHi`8U@2<=&I5VFJp;s;r*yBHo~MSj%OvwX`ROJtCTZAG+JR
z4d7Zq{n$>*OFqwHy_3eL+)yL{RBSU*VpcXY;bdmIbfNvuBcI>OwWEv>t5;>})$F1}
zJdXh~-fHeV(g#HaZRL$xF0lXS72&+X>gdigS}yhn69GdHMr&^KjXb!Tr}sHdBS++Y
zPF|^&O61xTnBGt@KUHT-QG?OtgI^=Wq%E>7d2-j*?-3tfS+SWz7`<Xo9NH+X-=`~-
zYKi=c0AKDN(xuKz6QA^p>TKZYi)lIJi_8I6e|l_C)^x+TXiPzGwSKRv4wn4tvB?5E
zhNbN;2?_6pzP84rNNc36eJ{_my-?qjxUv?2judSy#mY}p`s?M+PI<w1E~}rh^Ud$Y
z0)Sn;iJ`EBX^(iXvWXreHRrCYtDN8?@XN3h<|uq6@5Ykwy*iE*samYHUtvP=O>eJe
zx$228$lH{y^e6cwcctb(nv%!qLTz2b!4|hrlM<g?5p6`F=4}hLnmpmm7e*)|<Y2mB
z`dX{BlJeJ^68*DTyrE-A$ZiZ~7%kisHsoEf{p)$|+qS^qI3D?Zw_udsX!RVzlO09x
zN(n2MM%K{ge99qlw`}||$E^@lDq+#q-q%I+@aRp&L*k4{e3v+CMecY!sp{V_0hWf3
z0rPXaqoBL)8d)OBFF|t}D;<Co*Wq_mjYq^V(CG@x7h+IN0yxlbzR_$ZT3!r{B=bK~
zZottNNy&kHL?2Fq7oO$eLuKQ4+uP4BkFjKNgq|L}uek;b6hmIm4B!df@rYXkX5B<L
z%kO4)f#=>8SzU90&~8WcEuG%kFcsf{{*P+<C9SCn)eRDh-n<KrX^ir*vewewNWrFg
z37-00{g|;qUSVF>e;ITX;Mz_!g~2Wncs)U@7{Y_4cK>S_tEH2HOpGi&{wDx94|+vq
z-)dKwc(Sbt)>bFK(6Sj>r~!laaqB6-A*$tZzPoPKsjwyZ!V`md-E$?4V6?EhsHCB^
zm&_m{3WB6eGW|!FyqDC1aJw<T@{=1uGC3K!H-4lCkaCW$CMMGz>`KyFE-AcUrO!#H
zo7YNSa#$c^b6^_{NL<L<)*IiCqNuKN++Yh1nP;xETL-?s(opX-{?=IGl6Au%Jl*4M
z1pk95-^X4qMX>_xQLBP`@G5)0eASoOjykVl76c>cP7EL<-^vFAR&ebF*Dd?|6I*}l
zm{$jVZmoIQ*t(G~s&Jfe9gH-ouB>y5`0zeuMO#1g`9LP5CB*US9Sc{nBg!S_U)L#y
zd7dPHcs3WAY&f`|EC7|Av;pnn;=qLT%U@N>l>xtGB@7>R$PXtlm|8x3MiJG+L}Bru
zd#yj2-}rZF_faYA6zh)(tLJrG3)xA>XO3opOV0466&-`-3`{wFEqehfcHcOu`;Iff
zPfj!93fRb+J5x_YC2oElPM?~Y9G1s>0Mtg=RZm^#8p@D8-QfEwo2diBLLgeJB7bKs
z3?;|MqKv?BNHG4oB;K*oPd1Pdw1`nyITqVYBVuc2IaUd>Me6r2!KX|+gHzy(A!@&z
zmHgi1B_s?h_#ntO-=c+PGx~UIYST?ED0(~ni+EqT?*I1kn<m(UI{<*{&TW0aa*v_P
z%*0q7QQ@6=mr0z>9~QhYZFkjYEm)?r>>BV-t{MfVX%eWiF>g>-P%xu_Mn}?e6nYOo
zyLU{yC;yGO=sEQcf5fw~ORogR(xQo5HJ^H_t%^gv#zRzATZ^Wf3*jC{XPc%R$it;e
ztsN*oLI5J?OpP*g={!RVHh4^>%nw6*O|c#kn(159I`}O%jQaI|Hg&8J33|lI)Rx}S
zMMYO7=IOLH8?@0sSbQt_?k)kd05ff6y<kU?S|q*XWei(<-s7`j-`IfAY9_muYw-4t
zjkmv;b&BzzFAXAB5?C#nXKhPzj6D!Vl-G`^B4Q~Y=PnlXAg39z=ZS=<5i3l)yr<)G
z+!UioBdbFc9;bz<aiCk9&e@(knbHST29>rFtFa+8q;|$n&J<lTa&Lv+yCn|3lz3>L
zjzFN54+PqLW;5{{0F<ND3HWpCe!Ets(B`_ccge|N4zaW|0kP<N*9-TV3R@4e^lYpT
z#NM~@uSz}Gt`gME%Ic1GXpz#vAk+ggZtsh$pm#lHJB0ytmmD1YSUMR2o?|)IJU?3`
zC94Ydva0OWwrSFX4&~BSHWVjm#|honVbytwS<ZBDxPuCJ{ZoyfVP^Bm2V5lKL5qp(
z#EuUf(}Ie}-Q@(Nk42+f6-Z@GAIn6sR1ff~p_@K1BpNZs-ZM_O!qVCYt$ft<0Zf}Z
z`&;e-{08>@XPk-_z(yxqP#f34<E6f70!=dbkS?w?Xw3G2ZH23zjQ`Hrwiw5ZAS%t>
zre$B1crv>66`ZaxJ=fbdjP(A~S6W*zU@G<0dF85_4vMEB0wY^LZ@<TT^5JA1$zAq^
zp0{P&LrA!=o&A;YEIe?q)^A)f)Y;}JD{Joh0m|NW>9NIwC(nsF7*<2oVJ#cAolt-E
zO)1Y_w$rqR>($$EzR|OH_(R2>kPwf~*loqW-FzBET|&Z62S2!M;g{<gl(4(u#tW<{
zK}ruLrV*grN<pE`C$1^xUKV**mO#IPu?Kyi696$uj*Ez9=nY;15?PL-H1nsapby&R
zgT!{+@co3SC?@z0d|B)FSr?hY*=u{ud!r1Gi0FjMHF)6sH!9P){E5*z!O@X=e_r1V
z7_4;t1L&wfR$>3UtJ|;*#~jEEz5;L~m~H2%Acg;Fkt<lT@83a>_}a`yral@NjM31}
zd)>DV61EJutj~)`)Zo5=GMK_aEZN4F^3LD;VbqP9;{ry|-(&O;`tcmIZEsi1U@S8b
z<JTF!rbS_jN$Ng*=(EDr#`fi{?~Vv{(dLlYl^bs?*knum>Sl4Sl6430L!|&wxLdLz
zF;c#R3?D_|y_p0+xfPW8np*1`O_v7$eyPr8X~1NWifL|$l?ggxci6RhTdG^UvOX2k
zE0nSGG(BK8&Gad#UrSfYre+KZ?Mf-jZ=8HHF2p)#8!%4+JLx@-fjCeDEL~mUkX~Je
zoBQ6S$>_m|8#~J7GsGY9>16@!Br5K^F`Em?M*GzUS(#4fr<c6_ejbGWA(bKCQQ&4D
zttGl=MQ@J@&lI(Vw9-Kn81@x5IMizU3Q@LQOpc0gQh2bOEzl(*y%%9p3UW?QaHPZ(
zwD8R7lf4udv_Z*c6_w+3={l<VORhpmH-R9YJ!t;eg5#?2!D^~Ph1CnSCcKQwQrFt_
zk3A_JwY@UO69WazS8vRTleM!}H2qFxr)6^^lP0=uHf58_%*wgX2sCAg*rpZZdEmJ3
zYq1mvnu9lCFN?W>Ye-+`;&2kYZ7>FriW=V%v(D!CITfwMMi4AF3=#Nq&kucNZCc;S
z>X~pR)U^1u#FVl%FtiTjIXG2T>{1<Ev!yL!AM{rC!>(0WkvJ>owiQ}-QPv*LpJ%Y>
zGNjG87gDM*^wOFYCH&FpNq;DzR!)AVHU$p0Y1lGtCVb*PnUxp&IAeq$KAzi75w7%;
z2i6&9VSQSP5XsKoB$JJfy9mZ>drx;&+5D6yrxoXWDLf|af9*$sf3p&%FtN8ZQ#jBw
zw-`FAk5}%SnVX!f;4eppK&O^PPfyj}_~vIFV<3{pL8xuy-l?zrh8tDO$0-ECY;7^Y
zmNn}>aMJoB)=(!u61sF1F1KmBJhrt9TY~^L;e6D2v|kPzyA6kff5i&Fb3<LL3zGPY
zwrP=D8pn1@0imK{4zqkCwjjfRa7VwoCysi_4(42?WsT#r=6}k{KHs{AU2L0?DWe{s
z9hW0ZN}l?fko{v!+{?8fhO%o;;JG*y$6MN^oXh4?!Ut?>pg`YTvzp1#EA3;dVI$wz
zaqaz-|FcVPrY>db8N-ygCXv07N{T{h60C96q0Z<M%<fehmnV<b&+ii{&)C6A(G|nB
zvGNWxjyx?7=-R)KPE}de=|{LzjZ7)jJQ+?DXojvP<Hv>obMu^vv#Q%I39l?;+==`|
z^nu1}2mEJ>+`Yvl56$0bF4yyVkEFa`8Y=I=9FVXRr_^7)9~H#Jxv6&==XDf=N{_h8
zeyjCpC05uA*h2&ESznW#Qg`pTUU9VrRx3BzWzjIw^CU4LR}jlVKkIovQBOEt6e{aw
z`MeV!2*6htH~iqLbMskxw<c=2d-xFOVD>Z%BRlWoO1T!DP*cV|xfsIKcWBukWP!fS
z4ecgwqNJL83$1`ZX<wK%I}hT&WA9vZUGDL}Zt~#8&vV+zehhN!BX-<+S?VCD;p~8z
zrV6^^E#4xWWkfdBK%p2kTu2<;!H^q7j}<;KSbaVyy>QJa#9whzenzjNZ8$n{da7I%
ztqt(k*=G_H7q2NSlRrfoi^DW!v>?@BWb#S~oIZFMu(1ttc-myW$xW;zb2Xo`2RY!Q
zd}kED#)b-K-g2~3^%hDjp~>lKq^vr-pU_UUsXng`1%`U;3TEvtd%X5NJY8MFM!-><
z!c7f>vOCeW%>M}x&imnQy6wZRT(>I&2{}z?(ph274=vqAD=NEp;|w~HupJGFKZb|%
z_4jk&#Mv&>P@Vro&5Kz&VPBXEq_?jA;UvAH1vF`)%{A*c`8{~@Ky5XUvs{yA)IR;l
z*mjSNi}8?mTE>TE%C$_=zvNph@6%qS=e<n9Aiak*xhdBv=H0pm6-wVBzu<%x<nKvR
zeAf7kpAl*mQgRHE)a`gb)uSMK>hQ;=F2`ZJa)|Dgh!*x8cTas8({;t4_3bKz3F?7#
z4?4hM6rG=2#6t89)YGXGDBGAwLlu^jHf_^nKg`l*T9_6x-I#3}Hr9KkfGxpd=#xe1
zHB#A8;*+N|16iNftQ(hFMS@HSxZthgTH5K-!=Da~ei<~)JfHTQm;-%!Q|(tUheH9d
zo7B0MCjP?2SVrcXCic%-7k_fOtLN16sZo!3w$!?z2Nhbr$W3MOSw37Ioqc`FBmCeG
z``p*n3I$T%)ajoKt=HXBNM(tJFyzprylG;(+2xzw*6Rm(Owmdkw=Ct;_VoH@Gy?=>
z3y9o(2X782eMQ@o)s!}u``Gk<r3Sh?JBUtZxXaw8nQNb~rbDikenVV}u5kRNGEh~W
z6=J<(wb<y>>VryMgFHhK#I;V$oUUal5eI;vR!+&eEJf7WOX`upV`+hP?xXHg>BsNe
zH?Cqmta&xR2p?>0rV%J+F96PS@Ts1~uf8!Najjlu{paA=$b1()tsUHjaa;udayGof
z^kMOu>fYO*#uq#>!HG3ngPFWSd;cX_q+jnAYeJ$(Ze84SYk=z+*VNg4NqTU1uRm%Q
zd9xsqEh<mjBzK{vPn*Avn&UySfpDD$t3=^6)Gd954gd9OXjA-3#iY=v$&b0qqu;s=
zm8f_-h%<zPdv&M<@0eOQbMRv_18>q9_|Yiw;hpEGya3J~d1OqiZ^*Su@d2u!4B<(b
zul?D9kD7HVuSF9BJPsqB<t_$c80~q#!A<)NLi=j0pP!HY3H56p*Lv*4!P0aXiRQBy
zs@H!?Ip!RoL(>tML!~F)?3yBtw|e%VZ)fx8qS_LJmK^TNdY2E#U$eK~m8{J8<<fVM
z^mqog(5l!--0`5LNvxK%R$;8s<Np8<k^T|Dc7MjSi4o~10Ppp7lU$JU00wfTI<=-A
zA1$;@G`9J6-nIrj^~1N=w@xeaR)-!F?cYFRF#$P$Z^a3WInj(I<{L+cX55VJy^MD^
zLYGdx?sNA$(sez?&p4GQ#$8|xFxKo^=6E`@R%hEv#@HMUbi^~E=N-!&e|A$R-=ypT
zAAJ&+;CLUok*qLdDzal~<euxv7PQ#<=R0O%szB<F?nkj%tJWuzADWO-K6I~{zkQxg
z1g%`JgIJWE;Dzhw=56L(B9`nvvEFFzmqx15zH1yQl&SKlk~H!y1#IL?Zpd-Ztxr=*
z{VvT6xZkIHhCJFiN}TeYRNXKUaUd*nzyqfz#nZ6JZk&(fpXo%7LWQb@@_6~l1aL2U
zVL=!k=Zltjx`m~Z!3_-`%!J3sSQV00(RJi(KnJ$UVc;I`=4LZ-Vla_?&Jc@+e0NyK
zPpsU^Y7??jwBp@(A$8Gx@{vN4)t|LACZ)vlrG2qYqU-1nFb3iS*+Zl=^rOQ6q(_)l
zT(EEI<U!FSWi)3o4D+-u;C6UFUkg*h<t<Kkg;Ps%{E>(j)nVS#&h4?CUFXtBQ+qT>
z_EVc5$JgAk$FBlf72%5G=2eAatx8mk>czINlZ_|P_QrpBNtcKBUzh<8!{~}|8JOXW
z!^8)RJg+MUWh+|y&$OuopfVtr6Ay_g;?`20>4hDN|IhT|DKCw{rTG(Cw3MmpQMOa#
zzt@gQ4uC0uL=dH1`GaC7s-lFySYrxxd!;A(`YkzUH$tfOYj$Uk8w_5Itlgp3-QLF<
zN_1-h_c#-xc5+ko6Km(9NOVBu{1yz1Hnf{KRfne|bRWV#G<{I#*HoEs<v7cb=Vlam
zQI9N~<FZ$ai`!0Qiwv6zQ6t#@89v!kAbD};A3z5fZrgSEoTgfCAEFsW)+J7#XhnxV
zWaF(LrRYbe#J~S*icPvCz1q^kl@2(*hAm1MDn5AkVSK)#l&bPRVB-kZ*Y6}kj=nKE
z@z4t$8K`Lab_WRipnP4O0p{AeJBUhkM$=g3kDm~=6@Af76`qLzvbWJl*jA|UkKBt=
z38UTwksimxY3819MQTd5hA3S@Bis5XxNie^5g92}AtO!w=qY~Z>lbxsOovqNcFWDW
z{=Kk1eTC(~47s(!yM4Z)Ik{1LUH~pTZj6}_gY%Ri>CR`L&tGr0I+8*@c-vqOT%iw|
z9{fW#GM8Y9(U)%U!@F+Kt{FNn^eC}qX=@ly3$sel?$4)WH6KY{7#?KUo<NV3zj{q$
zhas8@oX}0)aVYZVJnO+NtxgC1BA1Ms;N$2ZUMgjCF?|r`FUkJ@U$aq6uP?RTPJ0D(
zdh+r}^4oE$bcnU!X7bZ3CdE##j9D(?gWp`?-QTm@xt}S^c6;9(k{yxld>a#Dh)MFj
z-qQv0Mz66{ch6~GIw-xWFeLK#e#O5mkvih~;>7i<@?FY((xaBjgG{q&tWvzIGi$a?
zTS_A(*-*O?iUt(_MA%<z@6?^t{oaF5Q8^l7k<B-_?>3&spBWgURen5J?t>zhr}x|<
zvMO?uN@HYpN!1GeQu_Zjf;bh@RIZMD`WcctO3Cy2v};D!sMn0&?j5pyjC@FgxUBa#
zhm>T_HV$WtMEQ|*ff*>dpBdkdlNe^B<f9GVtAzw^`sq&x+e4WX11UvkqR7C1-SYp6
z7{KiLGsRmlFypR%q5ki~^q~w}K+4(5(~%y+4?4f|M+-x;GCaPZ4yRtEa=`i0_Gr$?
zz}3+%kdt_Xr&c_0xu`NWaLXRPb`>)-rxD#Z@5w={HNyB0827KI77o=Vc_*byAI_01
z8u%bk$zO9RB@L$vSd-N!I0?M#^H2*mmb1L*tNW<O`nN;f-2zmndE6uUHb^Chm_7+Z
z#XdH!dA#J&Ql2oi`zDlC94#_hrFpxk?C(|dFT8-$BRvfSE<n<5$Gp3j@5xd4@VpbE
zja_?kPSh{|gQ%CYWZN;jT|SueHM0&lFX1SKP-n2od1+K(ed-+g{K<&Db^7wt5gTdS
zPD!>K4%4Flhhl|ZUwkK(m*0_|qFE8wn(-*dzXITt<d9$6O*SoTw!AZkLb4{9{Vitc
zo3{3m%ikovTEC@64DcIO-5#ukB=1Ae%7~?B?k?ZPRBk`QJI)&26uz+b{v8uLi3t;H
z%iz(VeBlAtyHDpW#D6TiX8zDygh%Kh+n>g>mYZCkFG$IUF+5|No1P(P{U~%G2hhC4
zth0cJh+MYIPCKwiRbRH~P<=D7Fkw+E@ZSf7M3YchXGtwJJ>lI_8Y=N5QFVBCuW-50
z=wVb;8hu2?Kg6TXLDQa1tw34F?^o?$XSTh@pJ{wAJ)-tl?$huMUAn1*{q51)j+~a^
zCxvcOPL)1Y++T$L`_L6)q`2*#u-#urZR;I}mIe>oTZ{@9Q;9bQ(2DQI{$jP+uH@f4
zE5uqfs14`1Z`H_x0v6&@B-U2eG*x3{c!{s%-@ooMD;2dbaLqK9xS)jpju!>AGQ9@$
z>q()k4(wC~-xutqKJp^jB|utRsJLP-2o=W`p5ZD<Zo>hMsP|ysYCX-9-b8GVe>T$x
zhE%hKN-&4nC2L<Vu%b46Z$r}#+CMMh{ojTRM{1KG+w4F#_cF%zrb2)7;k|gHG(GyU
z%HaYq6cWexljFi=zv;+}mxJDPN*%=Z$GwCzs6oNBS~s#ZJygFE#(kE&qWdU--GOXG
zTDhIO*TnuWy%lJ8VG}~xqrFAvy-y?6hKg(r1z{_PsUA7%8AG)Vx8n^2kCiq4-VkfL
z$0vNOS>xNISlsqDG=gMv1OHvRBT!LYWLF4rOse>B-gba-s`2io>3v|YDx;d<g**SZ
zjDH)EhbU8Uk0jel_C#5~ZjC-<J2NJ6L>??@5rJx}@=Q=!&a)aMW6eLPB8c@4x%nep
zZ6Nb6PRSOG9sKE=TzYcbZ}s$`Wq!Cz<(TxXH;7`!@!LT}$DM+kkL{=8t)8rYxcl#=
zbD=W^qn0kM4!t(Y(;BQ)#1e@FZl;Z90|7+O_(pc|&sQpv&h1r@ncSlb)A-Fx$`+($
zfZM%4AJUa5AZ18VrAXb@D`jH$e!0zXSW25BB<xd7ho^R+B_MSNz7Ww69Q66W;HdvG
z)!9bOo_$tsA)}3K&lkrx1UxkOzec4#>u90<_LX2vG7=Tqt1ftq|6Eiy^5%aX%Kz9q
zbq_xEDn(qEe<QHlA_&toCpkLtfW|H+w@*ro*@14m;03!b?Z`ypz(aCf=QZFKsJ1?f
z&H4W@Clwx~lK9>k7JB)^x5%lT9?QFIAzd;1OkubBShVeEJC>eB1wkPQ0j|so`oBp*
zis{^x<VEoArrE(;f7C85wsVs&@{z`DYezpA#cd5Y9e7v>T$PnGHq=4VotP$H5dObk
z2pBV<xzQ<AU}HqTPp^>zn6R+k-rWaLpq90Q&)VVpK<yeJG<ZGvas34}k*&x&ov=;U
zp^)Te5=`4BXZoz)2^u>a-4p7PtxgzTyK-BP(Jp}4xvp5FS$n(6D@c}N|NaF-{O`YO
zN)GGO-BV(A3xU{_t{IHlMEV+@&C{hC|Fp!d#Ng}%ba)X9hjKqYUYI_PgOtrF=~bVU
zH`7a5&foQ%o1T}|4vuv|l%9_J^yJp%C+Yh1DWyAck2AJka*5^)^RZXo|GyT58hPi?
z9VUp9nr8TUg*SgC7|Tf1*UCut!P}_Le0eBwv^h8Fq5>Q+_tPMpzwfbmrWM4#3pk4w
zP*lym)LFeG_QSULd9|GR6Uy;a72W`$Yk^7spm6_^{g@QBXB#<L!EbIE;5J~*)X!{n
zPvjWRtKaFdnEjWVZFd!Huei^^A9J;%F?(z{X=?U;`GrW&e}J|CF!}DbPMc~$D0tK7
m!v&%J&F%j~r*X8TXN=PJf?Q2&X)+||AAKD|?Q%`qSN{)Rw=Wj}

literal 0
HcmV?d00001


From 2d29a90088b628bfe3d673c47b6a7101edb40cb3 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia <jim@nirmata.com>
Date: Mon, 4 Nov 2024 08:32:46 -0800
Subject: [PATCH 55/59] fix typo

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
---
 content/en/blog/releases/1-13-0/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/en/blog/releases/1-13-0/index.md b/content/en/blog/releases/1-13-0/index.md
index 03c48252a..9f3b5fcfc 100644
--- a/content/en/blog/releases/1-13-0/index.md
+++ b/content/en/blog/releases/1-13-0/index.md
@@ -642,4 +642,4 @@ Note that the deprecated fields will be removed in a future release, so migratio
 
 Kyverno 1.13 promises to be a great release, with many new features, enhancements, and fixes. To get started with Kyverno try the [quick start guides](https://kyverno.io/docs/introduction/quick-start/) or head to the [installation](https://kyverno.io/docs/installation/methods/) section of the docs.
 
-To get the most value out of Kyverno, and check out the [available enterprise solutions](/support))!
\ No newline at end of file
+To get the most value out of Kyverno, and check out the [available enterprise solutions](/support)!
\ No newline at end of file

From 6f68b1a95f4487883936709a77d9f633186b81a5 Mon Sep 17 00:00:00 2001
From: Khaled Emara <khaled.emara@nirmata.com>
Date: Tue, 5 Nov 2024 10:13:45 +0200
Subject: [PATCH 56/59] doc(release): update release instructions (#1408)

Signed-off-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
---
 README.md | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index f6e693df5..0e7c95e34 100644
--- a/README.md
+++ b/README.md
@@ -120,17 +120,38 @@ To create a new release branch:
 
 In the `main` branch:
 
-1. Update the versions list in [params.toml](/config/_default/params.toml) to add the next release.
+1. Add a new menu version corresponding to the new release branch in [params.toml](/config/_default/params.toml) that points to https://kyverno.io below these lines:
+
+```toml
+# version_menu = "Versions"
+# Add your release versions here
+[[menu.versions]]
+  version = "1.8.0"
+  url = "https://release-1-8-0.kyverno.io"
+  weight = 1
+```
+
+and change the older release version entry to point to its own versioned url, so for example if adding 1.13:
 
-2. Update `version_menu` and `version` in [params.toml](/config/_default/params.toml) for the next release.
+```toml
+[[versions]] # New Line
+  version = "v1.13.0" # New Line
+  url = "https://kyverno.io" # New Line
 
-3. Create a PR.
+[[versions]]
+  version = "v1.12.0"
+  url = "https://release-1-12-0.kyverno.io" # Change this line
+```
 
-4. Clear the Netlify cache!
+2. Clear the Netlify cache!
 
 In the current release branch:
 
-1. Update `params.toml` so that `version_menu` and `version` reflect the version of that release branch, NOT `main`. This is so when users navigate to the version of the docs represented in that version it shows the correct number.
+1. Do the same as above.
+
+2. Update `version` to the new release version. Following our example from above that would be `v1.13.0`.
+
+3. Update `version_menu` to the same release version.
 
 #### Submitting a PR to multiple release branches
 

From a6e32c84ee8366cfbf207ea0093bd0a26294327e Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Tue, 5 Nov 2024 23:23:56 +0800
Subject: [PATCH 57/59] Reschedule community meeting (#1427)

* reschedule community meeting

Signed-off-by: ShutingZhao <shuting@nirmata.com>

* fix typo

Signed-off-by: ShutingZhao <shuting@nirmata.com>

---------

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/community/_index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/en/community/_index.md b/content/en/community/_index.md
index e23df12e0..bf0777789 100644
--- a/content/en/community/_index.md
+++ b/content/en/community/_index.md
@@ -20,7 +20,7 @@ The Kyverno project holds two weekly meetings:
 
 This is a public, weekly for Kyverno the full community. First time participants, new contributors, or anyone interested in Kyverno are welcome! This forum allows community members to propose agenda items of any sort, including but not limited to releases, roadmap, any contributor PRs or issues on which they are working.
 
-- Weekly every Wednesday at 9:00 AM PST
+- Weekly every Wednesday at 7:30 AM PST
 - [Agenda and meeting notes](https://docs.google.com/document/d/1kFd4fpAoHS56mRHr73AZp9wknk1Ehy_hTB_KA7gJuy0/)
 
 To attend our community meetings, join the [Kyverno group](https://groups.google.com/g/kyverno). You will then be sent a meeting invite and will have access to the agenda and meeting notes. Any member may suggest topics for discussion.
@@ -29,7 +29,7 @@ To attend our community meetings, join the [Kyverno group](https://groups.google
 
 This is a public, weekly meetings for maintainers to discuss issues and PRs pertaining to Kyverno's development and roadmap. 
 
-Topics are proposed by maintainers. All in the community are welcome to attend, but non-maintainers may not propose new agenda items in this forum (they can instead  to the [community meeting](#community-meeting) agenda.
+Topics are proposed by maintainers. All in the community are welcome to attend, but non-maintainers may not propose new agenda items in this forum, they can instead add to the [community meeting](#community-meeting) agenda.
 
 - Weekly every Tuesday at 7:30 AM PST
 - [Agenda and meeting notes](https://docs.google.com/document/d/1I_GWsz32gLw8sQyuu_Wv0-WQrtRLjn9FuX2KGNkvUY4/edit?usp=sharing)

From 917c908a62f95ce7d95a5cf797ff200ac48be058 Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Wed, 6 Nov 2024 18:42:13 +0800
Subject: [PATCH 58/59] feat: add upgrade guidance for dropped api versions
 (#1429)

feat: add upgrade guidance for dropped api verions

Signed-off-by: ShutingZhao <shuting@nirmata.com>
---
 content/en/docs/installation/upgrading.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/content/en/docs/installation/upgrading.md b/content/en/docs/installation/upgrading.md
index 9fd79b988..220154372 100644
--- a/content/en/docs/installation/upgrading.md
+++ b/content/en/docs/installation/upgrading.md
@@ -21,6 +21,8 @@ An upgrade from versions prior to Kyverno 1.10 to versions at 1.10 or higher usi
 
 ## Upgrading to Kyverno v1.13
 
+### Breaking Changes
+
 Kyverno version 1.13 contains the following breaking configuration changes:
 
 1. **Removal of wildcard permissions**: prior versions contained wildcard view permissions, which allowed Kyverno controllers to view all resources including secrets and other sensitive information. In 1.13 the wildcard view permission was removed and a role binding to the default `view` role was added. See the documentation section on [Role Based Access Controls](./customization.md#role-based-access-controls) for more details. This change will not impact policies during admission controls but may impact reports, and may impact users with mutate and generate policies on custom resources as the controller may no longer be able to view these custom resources.
@@ -77,3 +79,18 @@ helm upgrade kyverno kyverno/kyverno -n kyverno --set features.policyExceptions.
 ```
 
 **NOTE**: limiting exceptions to a specific namespace is recommended.
+
+### Dropped API versions
+
+Kyverno 1.13 drops deprecated API versions for its managed CustomResourceDefinitions. The migration is handled automatically through Helm hook. To upgrade Kyverno without Helm, or Helm hook, you can migrate existing resources via [kube-storage-version-migrator](https://github.com/kubernetes-sigs/kube-storage-version-migrator). 
+
+See affected CRDs:
+```
+- cleanuppolicies.kyverno.io
+- clustercleanuppolicies.kyverno.io
+- clusterpolicies.kyverno.io
+- globalcontextentries.kyverno.io
+- policies.kyverno.io
+- policyexceptions.kyverno.io
+- updaterequests.kyverno.io
+```
\ No newline at end of file

From 6c074db9fe4f9848b3dfd7a7576feb5480fae8af Mon Sep 17 00:00:00 2001
From: shuting <shuting@nirmata.com>
Date: Thu, 7 Nov 2024 15:54:15 +0800
Subject: [PATCH 59/59] Revert "feat: Add imageIndex field to imageData"
 (#1431)

Revert "feat: Add imageIndex field to imageData (#1362)"

This reverts commit 66ed9c09367df0f570fc400f83c41ff70261acac.
---
 content/en/docs/writing-policies/external-data-sources.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/content/en/docs/writing-policies/external-data-sources.md b/content/en/docs/writing-policies/external-data-sources.md
index e305735c2..17c16cec4 100644
--- a/content/en/docs/writing-policies/external-data-sources.md
+++ b/content/en/docs/writing-policies/external-data-sources.md
@@ -752,7 +752,6 @@ the output `imageData` variable will have a structure which looks like the follo
     "registry":      "ghcr.io",
     "repository":    "kyverno/kyverno",
     "identifier":    "latest",
-    "imageIndex":    imageIndex,
     "manifest":      manifest,
     "configData":    config,
 }
@@ -772,7 +771,7 @@ The `imageData` variable represents a "normalized" view of an image after any re
 ```
 {{% /alert %}}
 
-The `imageIndex`, `manifest` and `config` keys contain the output from `crane manifest <image>` and `crane config <image>` respectively.
+The `manifest` and `config` keys contain the output from `crane manifest <image>` and `crane config <image>` respectively.
 
 For example, one could inspect the labels, entrypoint, volumes, history, layers, etc of a given image. Using the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) tool, show the config of the `ghcr.io/kyverno/kyverno:latest` image: