From 18fbd84bcb0d8344558d06af317a11744405125c Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Mon, 4 Nov 2024 17:05:13 +0000
Subject: [PATCH 001/308] Get notification for events in DMS
---
 .../modules/components/dms/cloudwatch-alarms.tf | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index be99cd4ee4f..ffce2b41dfe 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -106,6 +106,16 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" {
 tags = var.tags
 }
+resource "aws_dms_event_subscription" "dms_task_event_subscription" {
+ name = "dms-task-event-alerts"
+ sns_topic_arn = aws_sns_topic.dms_alerting.arn
+ source_type = "replication-task"
+
+ # We do not filter by event type or replication task as we wish
+ # to be notified by any event on any replication task
+ enabled = true
+}
+
 # Pager duty integration
 # Get the map of pagerduty integration keys from the modernisation platform account
From 24e5822619c11b3755c79fe19aa527dbc62a4af4 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Mon, 4 Nov 2024 17:27:10 +0000
Subject: [PATCH 002/308] Restrict event categories
---
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index ffce2b41dfe..0fcf0f0656f 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
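Review bot: The `aws_dms_event_subscription` resource added by PATCH 001 has no `tags` argument, although the alarm directly above it in the same hunk sets `tags = var.tags`; adding `tags = var.tags` keeps the subscription attributable in the same way as the other resources in this file. The `name = "dms-task-event-alerts"` is also a fixed string, so if this module is instantiated more than once in one account and region the second subscription would presumably collide. The module's callers are not visible here, so confirm that, or build the name from a value the module already receives.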
@@ -110,9 +110,7 @@ resource "aws_dms_event_subscription" "dms_task_event_subscription" {
 name = "dms-task-event-alerts"
 sns_topic_arn = aws_sns_topic.dms_alerting.arn
 source_type = "replication-task"
-
- # We do not filter by event type or replication task as we wish
- # to be notified by any event on any replication task
+ event_categories = ["state change", "failure"]
 enabled = true
 }
From a1dad194ea455a0290b728087eaf1d158f403f8f Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Mon, 4 Nov 2024 17:44:01 +0000
Subject: [PATCH 003/308] Modify definition of production with respect to audit data
---
 terraform/environments/delius-core/locals_development.tf | 2 +-
 terraform/environments/delius-core/locals_preproduction.tf | 3 ++-
 terraform/environments/delius-core/locals_stage.tf | 3 ++-
 terraform/environments/delius-core/locals_test.tf | 2 +-
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 5 ++++-
 5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf
index 5ad2a0cb6be..df009ab3dc5 100644
--- a/terraform/environments/delius-core/locals_development.tf
+++ b/terraform/environments/delius-core/locals_development.tf
@@ -139,6 +139,6 @@ locals {
 user_target_endpoint = {
 write_database = "DMDNDA"
 }
- is-production = local.is-production
+ is-production = false
 }
 }
diff --git a/terraform/environments/delius-core/locals_preproduction.tf b/terraform/environments/delius-core/locals_preproduction.tf
index f24addabc45..439fa1d281d 100644
--- a/terraform/environments/delius-core/locals_preproduction.tf
+++ b/terraform/environments/delius-core/locals_preproduction.tf
@@ -150,7 +150,8 @@ locals {
 user_target_endpoint = {
 write_database = "PRENDA"
 }
- # placeholder
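Review bot: In the locals_development.tf and locals_preproduction.tf hunks of PATCH 003 (and likewise locals_stage.tf and locals_test.tf), the `is-production` key no longer follows `local.is-production` but records how the audit data is classified, and only the pre-production and stage hunks say so. Anything else in the dms module that reads `var.dms_config.is-production` now sees `true` in pre-production and stage; that module is outside these hunks, so every consumer is worth checking. I would add a matching comment to the development and test values, e.g. `# Audit data from this environment is not treated as production data`, or rename the key so it cannot be mistaken for the platform-wide flag. The enclosing `locals` block starts outside each hunk.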
diff --git a/terraform/environments/delius-core/locals_stage.tf b/terraform/environments/delius-core/locals_stage.tf
index f083e3e0687..4220c9d49b7 100644
--- a/terraform/environments/delius-core/locals_stage.tf
+++ b/terraform/environments/delius-core/locals_stage.tf
@@ -150,6 +150,7 @@ locals {
 user_target_endpoint = {
 write_database = "STGNDA"
 }
- is-production = local.is-production
+ # Auditing from the Stage environment is considered production data
+ is-production = true
 }
 }
diff --git a/terraform/environments/delius-core/locals_test.tf b/terraform/environments/delius-core/locals_test.tf
index b441b13a5d0..030520bb504 100644
--- a/terraform/environments/delius-core/locals_test.tf
+++ b/terraform/environments/delius-core/locals_test.tf
@@ -138,6 +138,6 @@ locals {
 read_database = "TSTNDA"
 }
 user_target_endpoint = {}
- is-production = local.is-production
+ is-production = false
 }
 }
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index 0fcf0f0656f..d9bae4500d7 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -110,7 +110,10 @@ resource "aws_dms_event_subscription" "dms_task_event_subscription" {
 name = "dms-task-event-alerts"
 sns_topic_arn = aws_sns_topic.dms_alerting.arn
 source_type = "replication-task"
- event_categories = ["state change", "failure"]
+ # If this is production then we expect to see starting and stopping of replication tasks
+ # as this would not be normal behaviour.
+ # For non-production this will happen nightly due to automated stop/start
+ event_categories = var.dms_config.is-production ? ["state change", "failure"] : ["failure"]
 enabled = true
 }
From cf19e42f785d9876f03c6e138c0cc7c59afd535e Mon Sep 17 00:00:00 2001
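Review bot: In the cloudwatch-alarms.tf hunk of PATCH 003, non-production subscriptions now receive only `failure` events, so a replication task stopped by hand outside the nightly stop/start window raises no notification in development or test. If that trade-off is intended the comment should state it; as written it reads as though state changes are expected in production, which is the opposite of the intent. Suggested wording: `# Production: a task starting or stopping is abnormal, so alert on "state change" as well as "failure".` followed by `# Non-production: tasks stop and start nightly, so only "failure" is alerted and manual stops are not reported.`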
From: Fani Foteva Date: Tue, 5 Nov 2024 15:05:13 +0000 Subject: [PATCH 004/308] TM-604 Fix backup Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 78 +++++++++++++++++-------------- 1 file changed, 42 insertions(+), 36 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 290f66f9c5e..6bbaa5a8eda 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -177,6 +177,7 @@ mkdir -p /stage mkdir -p /oracle/ar mkdir --p /oracle/software mkdir -p /oracle/temp_undo +mkdir -p /backups # Mount all file systems in fstab mount -a 
@@ -187,30 +188,30 @@ echo "---setup_oracle_db_software" # Install wget / unzip yum install -y unzip -#### Create DBA user (only if it doesn't already exist) -# Check if the dba group exists -if ! getent group dba > /dev/null; then - echo "Creating group 'dba'..." - groupadd dba -else - echo "Group 'dba' already exists." -fi - -# Check if the oinstall group exists -if ! getent group oinstall > /dev/null; then - echo "Creating group 'oinstall'..." - groupadd oinstall -else - echo "Group 'oinstall' already exists." -fi - -# Check if the oracle user exists -if ! id -u oracle > /dev/null 2>&1; then - echo "Creating user 'oracle'..." - useradd -d /stage/oracle -g dba -G oinstall oracle -else - echo "User 'oracle' already exists." -fi +# #### Create DBA user (only if it doesn't already exist) +# # Check if the dba group exists +# if ! getent group dba > /dev/null; then +# echo "Creating group 'dba'..." +# groupadd dba +# else +# echo "Group 'dba' already exists." +# fi + +# # Check if the oinstall group exists +# if ! getent group oinstall > /dev/null; then +# echo "Creating group 'oinstall'..." +# groupadd oinstall +# else +# echo "Group 'oinstall' already exists." +# fi + +# # Check if the oracle user exists +# if ! id -u oracle > /dev/null 2>&1; then +# echo "Creating user 'oracle'..." +# useradd -d /stage/oracle -g dba -G oinstall oracle +# else +# echo "User 'oracle' already exists." +# fi #setup oracle user access echo "---setup oracle user access" 
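Review bot: With the group and user creation commented out in this hunk, every later `chown oracle:dba` and `su oracle` in the script depends on the image already containing the `oracle` account and the `dba` group, and nothing checks that. The removed checks were already idempotent, so keeping them costs nothing; if the AMI is now the source of truth, delete the block rather than leaving it commented and add a guard such as `id -u oracle >/dev/null 2>&1 || { echo "oracle user missing"; exit 1; }`. The same block is switched on again in PATCH 006 and commented out again in PATCH 007, so the point applies there too. The user-data script starts and ends outside the hunk.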
@@ -304,6 +305,20 @@ else fi fi +# Add TCP keepalive time to sysctl.conf ---> keepalive solution +echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf +sysctl -p +# Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution +grep -qxF "SQLNET.EXPIRE_TIME = 5" /oracle/software/product/10.2.0/network/admin/sqlnet. +# Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution +sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora +# Add inbound connection timeout option to sqlnet +grep -qxF "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" /oracle/software/product/10.2.0/network/admin/sqlnet.ora || echo "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora +# Add inbound connection timeout option to listener +grep -qxF "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" /oracle/software/product/10.2.0/network/admin/listener.ora || echo "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" >> /oracle/software/product/10.2.0/network/admin/listener.ora + + + mkdir -p /var/opt/oracle chown oracle:dba /var/opt/oracle chown -R oracle:dba /home/oracle/edwcreate @@ -318,11 +333,6 @@ sed -i "0,/EDW/s/^.*EDW.*$/ (ADDRESS = (PROTOCOL = TCP)(HOST = ${local.appl sed -i "s/^\(define EDW_SYS=\).*/\1$SECRET/" /var/opt/oracle/passwds.sql sed -i "s/^\(define EDW_SYSTEM=\).*/\1$SECRET/" /var/opt/oracle/passwds.sql -# Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution -echo "SQLNET.EXPIRE_TIME = 5" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora -# Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution -sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora - chown -R oracle:dba /home/oracle/scripts/ chmod -R 700 /home/oracle/scripts/ chown oracle:dba /home/oracle 
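Review bot: The new `SQLNET.EXPIRE_TIME` line in the `@@ -304,6 +305,20 @@` hunk stops at `.../network/admin/sqlnet.` and has no `|| echo ... >>` branch, so it only greps a file name that does not exist and never writes the setting, while the unconditional append it replaces is removed in the next hunk. It should mirror the two lines below it: `grep -qxF "SQLNET.EXPIRE_TIME = 5" /oracle/software/product/10.2.0/network/admin/sqlnet.ora || echo "SQLNET.EXPIRE_TIME = 5" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora`. Separately, as far as I know a value of 0 for `SQLNET.INBOUND_CONNECT_TIMEOUT` and `INBOUND_CONNECT_TIMEOUT_LISTENER` removes the limit on how long an unauthenticated connection may stay open, which lets stalled clients hold listener and server resources indefinitely; a finite value is the safer way to tolerate slow logins. The `net.ipv4.tcp_keepalive_time` append is still unconditional and would benefit from the same `grep -qxF ... ||` form.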
@@ -354,7 +364,6 @@ echo "export OMB_path=/oracle/software/product/10.2.0_owb/owb/bin/unix" >> /stag # setup efs backup mount point mkdir -p /home/oracle/backup_logs/ -mkdir -p /backups mkdir -p /backups/$APPNAME_RMAN chmod 777 /backups/$APPNAME_RMAN sed -i "s/\/backups\/production\/MIDB_RMAN\//\/backups\/$APPNAME_RMAN/g" /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh @@ -364,8 +373,9 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron -0 */3 * * * oracle /home/oracle/backup_scripts/rman_arch_backup_v2_1.sh $APPNAME -0 06 * * 01 oracle /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME +00 07 * * * /home/oracle/scripts/alert_rota.sh $APPNAME +0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME +0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh EOC3 @@ -423,10 +433,6 @@ chmod 744 /home/oracle/scripts/cdc_simple_health_check.sh chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sql chmod 744 /home/oracle/scripts/cdc_simple_health_check.sql -# Add TCP keepalive time to sysctl.conf ---> keepalive solution -echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf -sysctl -p - #Update send mail URL echo "Update Sendmail configurations" sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf From 6b060d02f315ed9c27a5e623a9d2f7ff42570852 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Tue, 5 Nov 2024 15:30:47 +0000 Subject: [PATCH 005/308] update /home Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) 
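Review bot: The entries added to the backup cron heredoc in the `@@ -364,8 +373,9 @@` hunk drop the `oracle` field that the removed lines carried, while the comment above says the target is `/etc/cron.d/backup_cron`. Files under /etc/cron.d take a user name as the sixth field, so without it cron reads the script path as the user and the RMAN backup jobs are not run as intended. The two unchanged entries below already lack the field and the heredoc redirect is not readable in this view, so confirm where the text is actually written before changing it. If it is /etc/cron.d, restore the field, e.g. `0 */3 * * * oracle /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME`. PATCH 005 makes the same removal on the `alert_rota.sh` line of the `oracle_rotation` heredoc, where the neighbouring `cdc_simple_health_check.sh` entry keeps `oracle`.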
diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 6bbaa5a8eda..9f305f29f49 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -81,7 +81,7 @@ sed -i '0,/infraedw/{/infraedw/d;}' /etc/hosts # Updating hostname file sed -i '1s/.*/edw/' /etc/hostname -mkdir -p /stage/oracle/scripts +mkdir -p /home/oracle/scripts # Disable firewall sudo /etc/init.d/iptables stop @@ -110,27 +110,27 @@ log_group_name = $APPNAME-OracleAlerts log_stream_name = {instance_id} [rman_backup_log_errors] -file = /stage/oracle/backup_logs/*_RMAN_disk_*.log +file = /home/oracle/backup_logs/*_RMAN_disk_*.log log_group_name = $APPNAME-RMan log_stream_name = {instance_id} [rman_arch_backup_log_errors] -file = /stage/oracle/backup_logs/*_RMAN_disk_ARCH_*.log +file = /home/oracle/backup_logs/*_RMAN_disk_ARCH_*.log log_group_name = $APPNAME-RManArch log_stream_name = {instance_id} [db_tablespace_space_alerts] -file = /stage/oracle/scripts/logs/freespace_alert.log +file = /home/oracle/scripts/logs/freespace_alert.log log_group_name = $APPNAME-TBSFreespace log_stream_name = {instance_id} [db_PMON_status_alerts] -file = /stage/oracle/scripts/logs/pmon_status_alert.log +file = /home/oracle/scripts/logs/pmon_status_alert.log log_group_name = $APPNAME-PMONstatus log_stream_name = {instance_id} [db_CDC_status_alerts] -file = /stage/oracle/scripts/logs/cdc_check.log +file = /home/oracle/scripts/logs/cdc_check.log log_group_name = $APPNAME-CDCstatus log_stream_name = {instance_id} EOC2 
@@ -247,10 +247,10 @@ su oracle -c "/stage/databases/database/runInstaller -silent -waitforcompletion /oracle/software/oraInventory/orainstRoot.sh -silent /oracle/software/product/10.2.0/root.sh -silent -# Update oracle login script -echo "export ORACLE_SID=EDW" >> /stage/oracle/.bash_profile -echo "export ORACLE_HOME=/oracle/software/product/10.2.0" >> /stage/oracle/.bash_profile -echo "export PATH=\$ORACLE_HOME/bin:\$PATH" >> /stage/oracle/.bash_profile +# # Update oracle login script +# echo "export ORACLE_SID=EDW" >> /stage/oracle/.bash_profile +# echo "export ORACLE_HOME=/oracle/software/product/10.2.0" >> /stage/oracle/.bash_profile +# echo "export PATH=\$ORACLE_HOME/bin:\$PATH" >> /stage/oracle/.bash_profile #Update URL in bash profile sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_route53_zone.external.name}' /home/oracle/.bash_profile @@ -317,8 +317,6 @@ grep -qxF "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" /oracle/software/product/10.2.0/n # Add inbound connection timeout option to listener grep -qxF "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" /oracle/software/product/10.2.0/network/admin/listener.ora || echo "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" >> /oracle/software/product/10.2.0/network/admin/listener.ora - - mkdir -p /var/opt/oracle chown oracle:dba /var/opt/oracle chown -R oracle:dba /home/oracle/edwcreate @@ -358,7 +356,7 @@ su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -w /oracle/software/product/10.2.0_owb/root.sh -silent # configure environment -echo "export OMB_path=/oracle/software/product/10.2.0_owb/owb/bin/unix" >> /stage/oracle/.bash_profile +# echo "export OMB_path=/oracle/software/product/10.2.0_owb/owb/bin/unix" >> /stage/oracle/.bash_profile #### setup_backups: 
@@ -373,8 +371,7 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron -00 07 * * * /home/oracle/scripts/alert_rota.sh $APPNAME -0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME +0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh EDW $APPNAME 0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh @@ -413,7 +410,7 @@ chmod 644 /home/oracle/scripts/alert_rota.sh # Create /etc/cron.d/oracle_rotation with the cron jobs cat < /etc/cron.d/oracle_rotation -00 07 * * * oracle /home/oracle/scripts/alert_rota.sh $APPNAME +00 07 * * * /home/oracle/scripts/alert_rota.sh $APPNAME * */6 * * * oracle /home/oracle/scripts/cdc_simple_health_check.sh >> /home/oracle/scripts/logs/cdc_check.log EOC5 @@ -426,7 +423,7 @@ chown oracle:dba /home/oracle/crecrontab.txt chmod 777 /home/oracle/crecrontab.txt su oracle -c "crontab /home/oracle/crecrontab.txt" -# Download CDC scripts from S3 and set permissions +# set permissions for CDC scripts chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sh chmod 744 /home/oracle/scripts/cdc_simple_health_check.sh From 761f69e8313dfa1dced1fb67420bb1c3f9f70a75 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Tue, 5 Nov 2024 20:12:17 +0000 Subject: [PATCH 006/308] Update ud Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 149 ++++++++++++++++-------------- 1 file changed, 80 insertions(+), 69 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 9f305f29f49..04cb1f8cac9 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
@@ -2,7 +2,7 @@ locals { db_userdata = <<-EOF #!/bin/bash -# #Disable requiretty +# Disable requiretty sed -i 's/^\(Defaults\s*requiretty\)/#\1/' /etc/sudoers # Redirect all output to a log file and enable debugging @@ -11,11 +11,12 @@ set -x #### USERDATA ###### -#### install missing package and hostname change -echo "---install missing package and hostname change" +#### install missing packages +echo "---install missing package " sudo yum -y install libXp.i386 sudo yum -y install sshpass +# Hostname change hostname edw echo "HOSTNAME=${local.application_name}" >> /etc/sysconfig/network sed -i '/aws/d' /etc/sysconfig/network @@ -27,20 +28,28 @@ search ${data.aws_route53_zone.external.name} eu-west-2.compute.internal nameserver ${local.dns_resolver_ip}" > /etc/resolv.conf chattr +i /etc/resolv.conf -#### configure aws timesync (external ntp source) +# DOESNT WORK IN LZ, DO WE WANT IN MP??? +#### adjust the NTP (Network Time Protocol) settings to use the AWS time sync service as the time source echo "---configure aws timesync (external ntp source)" AwsTimeSync(){ local RHEL=$1 local SOURCE=169.254.169.123 - NtpD(){ - local CONF=/etc/ntp.conf - sed -i 's/server \\S/#server \\S/g' $CONF && \ - sed -i "20i\server $SOURCE prefer iburst" $CONF + + NtpD(){ + local CONF=/etc/ntp.conf + # Check if the server line already exists + if ! grep -q "server 169.254.169.123" $CONF; then + sed -i 's/server \S/#server \S/g' $CONF && \ + sed -i "20i\server 169.254.169.123 prefer iburst" $CONF /etc/init.d/ntpd status >/dev/null 2>&1 \ && /etc/init.d/ntpd restart || /etc/init.d/ntpd start ntpq -p - } + else + echo "NTP server 169.254.169.123 is already configured." + fi +} + ChronyD(){ local CONF=/etc/chrony.conf sed -i 's/server \\S/#server \\S/g' $CONF && \ 
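Review bot: In the rewritten `NtpD` function (`@@ -27,20 +28,28 @@`), `sed -i 's/server \S/#server \S/g'` uses `\S` on the replacement side, where GNU sed does not treat it as a character class, so as far as I can tell each existing `server X...` line becomes `#server S...` with its first character overwritten. The lines still end up commented out, but the original server names are lost; `sed -i 's/^server \S/#&/' $CONF` comments them without altering them. `ChronyD` just below keeps the older `\\S` form, and the new code hard-codes 169.254.169.123 although `local SOURCE=169.254.169.123` is still declared, so using `$SOURCE` in both the `grep -q` test and the inserted line would keep a single definition. The enclosing `AwsTimeSync` function ends outside the hunk.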
@@ -66,9 +75,9 @@ wget -O awscliv2.zip "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" unzip -o awscliv2.zip sudo ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli --update -#configure variables +# Configure variables export ip4=$(/sbin/ip -o -4 addr list eth0 | awk '{print $4}' | cut -d/ -f1) -export LOGS="${local.application_name}-EC2" +export LOGS="${local.application_data.accounts[local.environment].edw_AppName}-EC2" export APPNAME="${local.application_data.accounts[local.environment].edw_AppName}" export ENV="${local.application_data.accounts[local.environment].edw_environment}" export REGION="${local.application_data.accounts[local.environment].edw_region}" @@ -78,6 +87,8 @@ echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts sed -i '0,/infraedw/{/infraedw/d;}' /etc/hosts +mkdir -p /home/oracle/scripts + # Updating hostname file sed -i '1s/.*/edw/' /etc/hostname @@ -104,6 +115,11 @@ cat > /tmp/cwlogs/logstreams.conf <<-EOC2 [general] state_file = /var/awslogs/agent-state +[cfn-init] +file = /var/log/cfn-init.log +log_group_name = $APPNAME-CfnInit +log_stream_name = {instance_id} + [oracle_alert_log_errors] file = /oracle/software/product/10.2.0/admin/$APPNAME/bdump/alert_$APPNAME.log log_group_name = $APPNAME-OracleAlerts 
@@ -135,18 +151,22 @@ log_group_name = $APPNAME-CDCstatus log_stream_name = {instance_id} EOC2 +sudo chmod 755 /home/oracle/backup_logs +sudo chmod 755 /home/oracle/scripts/logs +sudo chmod 755 /etc/awslogs +sudo chmod 755 /tmp/cwlogs + ##### METADATA ##### # #### Install_aws_logging - +# Very difficult to install aws logs due to outdated system so logstream does not work # echo "---Install_aws_logging" - # #Install AWS logs - # Does not work in LZ, need to fix in next ticket # echo "---Install AWS logging" -# sudo yum install wget openssl-devel bzip2-devel libffi-devel -y -# wget https://amazoncloudwatch-agent.s3.amazonaws.com/amazon_linux/amd64/latest/amazon-cloudwatch-agent.rpm +# sudo yum install wget openssl-devel bzip2-devel libffi-devel python-pip libpython-dev python-devel libpython-dev which initscripts cronie -y +# curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/awslogs-agent-setup.py -O +# curl https://s3.amazonaws.com/aws-cloudwatch/downloads/latest/AgentDependencies.tar.gz -O # sudo yum update rpm #### setup_file_systems 
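Review bot: The four `sudo chmod 755` lines added after `EOC2` run before `/home/oracle/backup_logs` is created, since the `mkdir -p /home/oracle/backup_logs/` in the setup_backups section comes much later in the script (visible in the PATCH 004 hunks), so unless the image already has these directories the chmod fails and is ignored. Where they do take effect, the two /home/oracle paths are reset by the later `chmod -R 777 /home/oracle`, visible as context in the last hunk of this patch, which leaves the RMAN and alert logs world-writable. I would create the directories first with `mkdir -p /home/oracle/backup_logs /home/oracle/scripts/logs`, apply the intended mode after the recursive chmod, and drop the 777 on the home directory. The script body starts and ends outside the hunk.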
@@ -188,30 +208,30 @@ echo "---setup_oracle_db_software" # Install wget / unzip yum install -y unzip -# #### Create DBA user (only if it doesn't already exist) -# # Check if the dba group exists -# if ! getent group dba > /dev/null; then -# echo "Creating group 'dba'..." -# groupadd dba -# else -# echo "Group 'dba' already exists." -# fi - -# # Check if the oinstall group exists -# if ! getent group oinstall > /dev/null; then -# echo "Creating group 'oinstall'..." -# groupadd oinstall -# else -# echo "Group 'oinstall' already exists." -# fi - -# # Check if the oracle user exists -# if ! id -u oracle > /dev/null 2>&1; then -# echo "Creating user 'oracle'..." -# useradd -d /stage/oracle -g dba -G oinstall oracle -# else -# echo "User 'oracle' already exists." -# fi +#### Create DBA user (only if it doesn't already exist) +# Check if the dba group exists +if ! getent group dba > /dev/null; then + echo "Creating group 'dba'..." + groupadd dba +else + echo "Group 'dba' already exists." +fi + +# Check if the oinstall group exists +if ! getent group oinstall > /dev/null; then + echo "Creating group 'oinstall'..." + groupadd oinstall +else + echo "Group 'oinstall' already exists." +fi + +# Check if the oracle user exists +if ! id -u oracle > /dev/null 2>&1; then + echo "Creating user 'oracle'..." + useradd -d /home/oracle -g dba -G oinstall oracle +else + echo "User 'oracle' already exists." +fi #setup oracle user access echo "---setup oracle user access" @@ -219,7 +239,6 @@ cp -fr /home/ec2-user/.ssh /home/oracle/ chown -R oracle:dba /home/oracle/.ssh # Create directories and set ownership -echo "---set ownership" chown -R oracle:dba /oracle # Check if swap file already exists 
@@ -241,16 +260,11 @@ fi chmod 777 /run/cfn-init/db-install-10g.rsp # Run installer and post install -export ORA_DISABLED_CVU_CHECKS=CHECK_RUN_LEVEL -su oracle -c "/stage/databases/database/runInstaller -silent -waitforcompletion -ignoreSysPrereqs -ignorePrereq -responseFile /run/cfn-init/db-install-10g.rsp" +# export ORA_DISABLED_CVU_CHECKS=CHECK_RUN_LEVEL +# su oracle -c "/stage/databases/database/runInstaller -silent -waitforcompletion -ignoreSysPrereqs -ignorePrereq -responseFile /run/cfn-init/db-install-10g.rsp" -/oracle/software/oraInventory/orainstRoot.sh -silent -/oracle/software/product/10.2.0/root.sh -silent - -# # Update oracle login script -# echo "export ORACLE_SID=EDW" >> /stage/oracle/.bash_profile -# echo "export ORACLE_HOME=/oracle/software/product/10.2.0" >> /stage/oracle/.bash_profile -# echo "export PATH=\$ORACLE_HOME/bin:\$PATH" >> /stage/oracle/.bash_profile +# /oracle/software/oraInventory/orainstRoot.sh -silent +# /oracle/software/product/10.2.0/root.sh -silent #Update URL in bash profile sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_route53_zone.external.name}' /home/oracle/.bash_profile @@ -258,8 +272,8 @@ sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_r # patch the database to 10.2.0.4 chown oracle:dba /home/oracle/patchset.rsp chmod 777 /home/oracle/patchset.rsp -su oracle -c "/stage/patches/10204/Disk1/runInstaller -silent -responseFile /home/oracle/patchset.rsp" -/oracle/software/product/10.2.0/root.sh -silent +# su oracle -c "/stage/patches/10204/Disk1/runInstaller -silent -responseFile /home/oracle/patchset.rsp" +# /oracle/software/product/10.2.0/root.sh -silent # Create a blank database chown oracle:dba /run/cfn-init/edw_warehouse.dbt @@ -305,6 +319,7 @@ else fi fi +#### Prevent timeout on DB # Add TCP keepalive time to sysctl.conf ---> keepalive solution echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf sysctl -p 
@@ -323,7 +338,12 @@ chown -R oracle:dba /home/oracle/edwcreate chmod -R 777 /home/oracle/edwcreate chown oracle:dba /var/opt/oracle/passwds.sql chmod 777 /var/opt/oracle/passwds.sql -su oracle -l -c "cp /home/oracle/edwcreate/tnsnames.ora /oracle/software/product/10.2.0/network/admin" +if [ ! -f /oracle/software/product/10.2.0/network/admin/tnsnames.ora ]; then + su oracle -l -c "cp /home/oracle/edwcreate/tnsnames.ora /oracle/software/product/10.2.0/network/admin" + echo "tnsnames.ora copied successfully." +else + echo "tnsnames.ora already exists. Skipping copy." +fi sed -i "s/tst/$ENV/g" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\./s/^.*edw\..*$/ (ADDRESS = (PROTOCOL = TCP)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\.aws/s/^.*edw\.aws.*$/ (ADDRESS = (PROTOCOL = tcp)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora 
@@ -336,27 +356,18 @@ chmod -R 700 /home/oracle/scripts/ chown oracle:dba /home/oracle chmod -R 777 /home/oracle -#### Setup_owb -# Create directories for OWB setup (already created in ami) -mkdir -p /stage/owb/owb101 -mkdir -p /stage/owb/owb104 -mkdir -p /stage/owb/owb105 - # Set permissions for staging directory chmod -R 777 /stage/owb/ -# Install OWB components -su oracle -l -c "/stage/owb/owb101/Disk1/runInstaller -silent -ignoreSysPrereqs -ignorePrereq -waitforcompletion -responseFile /stage/owb/owb.rsp" -/oracle/software/product/10.2.0_owb/root.sh -silent - -su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb104.rsp" -/oracle/software/product/10.2.0_owb/root.sh -silent +# # Install OWB components +# su oracle -l -c "/stage/owb/owb101/Disk1/runInstaller -silent -ignoreSysPrereqs -ignorePrereq -waitforcompletion -responseFile /stage/owb/owb.rsp" +# /oracle/software/product/10.2.0_owb/root.sh -silent -su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb105.rsp" -/oracle/software/product/10.2.0_owb/root.sh -silent +# su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb104.rsp" +# /oracle/software/product/10.2.0_owb/root.sh -silent -# configure environment -# echo "export OMB_path=/oracle/software/product/10.2.0_owb/owb/bin/unix" >> /stage/oracle/.bash_profile +# su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb105.rsp" +# /oracle/software/product/10.2.0_owb/root.sh -silent #### setup_backups: From 9cbeb9697ee5a21fd6b5e7afc910e17b57e2017a Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 6 Nov 2024 01:13:24 +0000 Subject: [PATCH 007/308] update ud 
Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 171 ++++++++++++------------------ 1 file changed, 69 insertions(+), 102 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 04cb1f8cac9..a97a776d4d3 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
@@ -208,35 +208,35 @@ echo "---setup_oracle_db_software" # Install wget / unzip yum install -y unzip -#### Create DBA user (only if it doesn't already exist) -# Check if the dba group exists -if ! getent group dba > /dev/null; then - echo "Creating group 'dba'..." - groupadd dba -else - echo "Group 'dba' already exists." -fi - -# Check if the oinstall group exists -if ! getent group oinstall > /dev/null; then - echo "Creating group 'oinstall'..." - groupadd oinstall -else - echo "Group 'oinstall' already exists." -fi - -# Check if the oracle user exists -if ! id -u oracle > /dev/null 2>&1; then - echo "Creating user 'oracle'..." - useradd -d /home/oracle -g dba -G oinstall oracle -else - echo "User 'oracle' already exists." -fi - -#setup oracle user access -echo "---setup oracle user access" -cp -fr /home/ec2-user/.ssh /home/oracle/ -chown -R oracle:dba /home/oracle/.ssh +# #### Create DBA user (only if it doesn't already exist) +# # Check if the dba group exists +# if ! getent group dba > /dev/null; then +# echo "Creating group 'dba'..." +# groupadd dba +# else +# echo "Group 'dba' already exists." +# fi + +# # Check if the oinstall group exists +# if ! getent group oinstall > /dev/null; then +# echo "Creating group 'oinstall'..." +# groupadd oinstall +# else +# echo "Group 'oinstall' already exists." +# fi + +# # Check if the oracle user exists +# if ! id -u oracle > /dev/null 2>&1; then +# echo "Creating user 'oracle'..." +# useradd -d /home/oracle -g dba -G oinstall oracle +# else +# echo "User 'oracle' already exists." +# fi + +# #setup oracle user access +# echo "---setup oracle user access" +# cp -fr /home/ec2-user/.ssh /home/oracle/ +# chown -R oracle:dba /home/oracle/.ssh # Create directories and set ownership chown -R oracle:dba /oracle 
@@ -256,68 +256,52 @@ else echo "---Swap file already exists. Skipping creation." fi -# Run Oracle installer -chmod 777 /run/cfn-init/db-install-10g.rsp - -# Run installer and post install -# export ORA_DISABLED_CVU_CHECKS=CHECK_RUN_LEVEL -# su oracle -c "/stage/databases/database/runInstaller -silent -waitforcompletion -ignoreSysPrereqs -ignorePrereq -responseFile /run/cfn-init/db-install-10g.rsp" - -# /oracle/software/oraInventory/orainstRoot.sh -silent -# /oracle/software/product/10.2.0/root.sh -silent - #Update URL in bash profile sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_route53_zone.external.name}' /home/oracle/.bash_profile -# patch the database to 10.2.0.4 -chown oracle:dba /home/oracle/patchset.rsp -chmod 777 /home/oracle/patchset.rsp -# su oracle -c "/stage/patches/10204/Disk1/runInstaller -silent -responseFile /home/oracle/patchset.rsp" -# /oracle/software/product/10.2.0/root.sh -silent - -# Create a blank database +# Update permissions chown oracle:dba /run/cfn-init/edw_warehouse.dbt chmod 777 /run/cfn-init/edw_warehouse.dbt -# Check if the Oracle SID is already running or if the database already exists -if ! ps -ef | grep "[o]ra_pmon_$APPNAME" > /dev/null; then - echo "Database does not exist. Creating a new database..." +# # Check if the Oracle SID is already running or if the database already exists +# if ! ps -ef | grep "[o]ra_pmon_$APPNAME" > /dev/null; then +# echo "Database does not exist. Creating a new database..." - su oracle -l -c "dbca -silent -createDatabase \ - -templateName /run/cfn-init/edw_warehouse.dbt \ - -gdbname $APPNAME \ - -sid $APPNAME \ - -responseFile NO_VALUE \ - -characterSet WE8ISO8859P1 \ - -sysPassword '"$SECRET"' \ - -systemPassword '"$SECRET"' \ - -databaseType DATA_WAREHOUSING \ - -datafileDestination '/oracle/dbf/' \ - -MEMORYPERCENTAGE 70" -else - echo "Database with SID $APPNAME already exists. Skipping database creation." 
-fi - -# Check if the listener configuration file exists -if [ ! -f "/run/cfn-init/netca.rsp" ]; then - echo "Listener response file does not exist. Skipping listener creation." -else - # Check if the listener is already running - if ! su oracle -l -c "lsnrctl status" | grep -q "Listener" ; then - echo "Listener is not running. Creating listener and starting it..." - - # Ensure the response file has correct permissions - chmod 777 /run/cfn-init/netca.rsp - - # Create the listener - su oracle -l -c "netca /silent /responseFile /run/cfn-init/netca.rsp" - - # Start the listener - su oracle -l -c "lsnrctl start" - else - echo "Listener is already running. Skipping listener creation and start." - fi -fi +# su oracle -l -c "dbca -silent -createDatabase \ +# -templateName /run/cfn-init/edw_warehouse.dbt \ +# -gdbname $APPNAME \ +# -sid $APPNAME \ +# -responseFile NO_VALUE \ +# -characterSet WE8ISO8859P1 \ +# -sysPassword '"$SECRET"' \ +# -systemPassword '"$SECRET"' \ +# -databaseType DATA_WAREHOUSING \ +# -datafileDestination '/oracle/dbf/' \ +# -MEMORYPERCENTAGE 70" +# else +# echo "Database with SID $APPNAME already exists. Skipping database creation." +# fi + +# # Check if the listener configuration file exists +# if [ ! -f "/run/cfn-init/netca.rsp" ]; then +# echo "Listener response file does not exist. Skipping listener creation." +# else +# # Check if the listener is already running +# if ! su oracle -l -c "lsnrctl status" | grep -q "Listener" ; then +# echo "Listener is not running. Creating listener and starting it..." + +# # Ensure the response file has correct permissions +# chmod 777 /run/cfn-init/netca.rsp + +# # Create the listener +# su oracle -l -c "netca /silent /responseFile /run/cfn-init/netca.rsp" + +# # Start the listener +# su oracle -l -c "lsnrctl start" +# else +# echo "Listener is already running. Skipping listener creation and start." +# fi +# fi #### Prevent timeout on DB # Add TCP keepalive time to sysctl.conf ---> keepalive solution 
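Review bot: Commenting out the `dbca` and listener blocks in this hunk, rather than deleting them, leaves a long stretch of dead script in the instance user data, including the `-sysPassword '"$SECRET"'` invocation that passes the SYS password on the command line. The file is under version control, so history already preserves the block; deleting it keeps the user data smaller and removes the chance of it being re-enabled unchanged while `set -x` is tracing to the log file. If it has to stay, a single comment saying why it is disabled and what will restore it would be enough. The `chmod 777 /run/cfn-init/edw_warehouse.dbt` kept above it now has no visible consumer in this hunk and could go with it.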
@@ -359,16 +343,6 @@ chmod -R 777 /home/oracle # Set permissions for staging directory chmod -R 777 /stage/owb/ -# # Install OWB components -# su oracle -l -c "/stage/owb/owb101/Disk1/runInstaller -silent -ignoreSysPrereqs -ignorePrereq -waitforcompletion -responseFile /stage/owb/owb.rsp" -# /oracle/software/product/10.2.0_owb/root.sh -silent - -# su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb104.rsp" -# /oracle/software/product/10.2.0_owb/root.sh -silent - -# su oracle -l -c "/oracle/software/product/10.2.0/oui/bin/runInstaller -silent -waitforcompletion -responseFile /stage/owb/owb105.rsp" -# /oracle/software/product/10.2.0_owb/root.sh -silent - #### setup_backups: # setup efs backup mount point @@ -382,7 +356,7 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron -0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh EDW $APPNAME +0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME 0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh @@ -397,13 +371,6 @@ chown oracle:dba /home/oracle/crecrontab.txt chmod 744 /home/oracle/crecrontab.txt su oracle -c "crontab /home/oracle/crecrontab.txt" -## Set permissions for CDC scripts -chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sh -chmod 744 /home/oracle/scripts/cdc_simple_health_check.sh - -chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sql -chmod 744 /home/oracle/scripts/cdc_simple_health_check.sql - chown root:root /var/cw-custom.sh chmod 700 /var/cw-custom.sh From 4adf94209dddef7138cb924666903a464f27d923 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 6 Nov 2024 02:07:47 +0000 Subject: [PATCH 008/308] Update ud 
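Review bot: In the `@@ -382,7 +356,7 @@` hunk the rewritten entry for `/etc/cron.d/backup_cron` still has no user column; files under `/etc/cron.d` use the system crontab layout, where the sixth field is the account to run as, so cron reads the script path as a user name and the archive-log backup is not run. The line should read `0 */3 * * * oracle /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME`, assuming `oracle` is the intended account (the backup scripts are chowned to `oracle:dba` elsewhere in this series). The other entries in this heredoc have the same shape, as do the lines touched by the later `@@ -293,6 +287,7 @@` and `@@ -288,7 +288,7 @@` hunks. The heredoc starts and ends outside the hunk.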
Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 108 ++++++------------------------ 1 file changed, 20 insertions(+), 88 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index a97a776d4d3..17fbcd9c940 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -208,54 +208,9 @@ echo "---setup_oracle_db_software" # Install wget / unzip yum install -y unzip -# #### Create DBA user (only if it doesn't already exist) -# # Check if the dba group exists -# if ! getent group dba > /dev/null; then -# echo "Creating group 'dba'..." -# groupadd dba -# else -# echo "Group 'dba' already exists." -# fi - -# # Check if the oinstall group exists -# if ! getent group oinstall > /dev/null; then -# echo "Creating group 'oinstall'..." -# groupadd oinstall -# else -# echo "Group 'oinstall' already exists." -# fi - -# # Check if the oracle user exists -# if ! id -u oracle > /dev/null 2>&1; then -# echo "Creating user 'oracle'..." -# useradd -d /home/oracle -g dba -G oinstall oracle -# else -# echo "User 'oracle' already exists." -# fi - -# #setup oracle user access -# echo "---setup oracle user access" -# cp -fr /home/ec2-user/.ssh /home/oracle/ -# chown -R oracle:dba /home/oracle/.ssh - # Create directories and set ownership chown -R oracle:dba /oracle -# Check if swap file already exists -if [ ! -f /swapfile ]; then - echo "---Swap file does not exist. Creating swap space." - - # Create swap space - dd if=/dev/zero of=/swapfile bs=1024M count=9 - chmod 600 /swapfile - mkswap /swapfile - swapon /swapfile - - echo "---Swap space created and activated." -else - echo "---Swap file already exists. Skipping creation." -fi - #Update URL in bash profile sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_route53_zone.external.name}' /home/oracle/.bash_profile 
@@ -263,45 +218,26 @@ sed -i '/ORACLE_HOST/c\export ORACLE_HOST=${local.application_name}.${data.aws_r chown oracle:dba /run/cfn-init/edw_warehouse.dbt chmod 777 /run/cfn-init/edw_warehouse.dbt -# # Check if the Oracle SID is already running or if the database already exists -# if ! ps -ef | grep "[o]ra_pmon_$APPNAME" > /dev/null; then -# echo "Database does not exist. Creating a new database..." - -# su oracle -l -c "dbca -silent -createDatabase \ -# -templateName /run/cfn-init/edw_warehouse.dbt \ -# -gdbname $APPNAME \ -# -sid $APPNAME \ -# -responseFile NO_VALUE \ -# -characterSet WE8ISO8859P1 \ -# -sysPassword '"$SECRET"' \ -# -systemPassword '"$SECRET"' \ -# -databaseType DATA_WAREHOUSING \ -# -datafileDestination '/oracle/dbf/' \ -# -MEMORYPERCENTAGE 70" -# else -# echo "Database with SID $APPNAME already exists. Skipping database creation." -# fi - -# # Check if the listener configuration file exists -# if [ ! -f "/run/cfn-init/netca.rsp" ]; then -# echo "Listener response file does not exist. Skipping listener creation." -# else -# # Check if the listener is already running -# if ! su oracle -l -c "lsnrctl status" | grep -q "Listener" ; then -# echo "Listener is not running. Creating listener and starting it..." - -# # Ensure the response file has correct permissions -# chmod 777 /run/cfn-init/netca.rsp - -# # Create the listener -# su oracle -l -c "netca /silent /responseFile /run/cfn-init/netca.rsp" - -# # Start the listener -# su oracle -l -c "lsnrctl start" -# else -# echo "Listener is already running. Skipping listener creation and start." -# fi -# fi +# Check if the listener configuration file exists +if [ ! -f "/run/cfn-init/netca.rsp" ]; then + echo "Listener response file does not exist. Skipping listener creation." +else + # Check if the listener is already running + if ! su oracle -l -c "lsnrctl status" | grep -q "Listener" ; then + echo "Listener is not running. Creating listener and starting it..." 
+ + # Ensure the response file has correct permissions + chmod 777 /run/cfn-init/netca.rsp + + # Create the listener + su oracle -l -c "netca /silent /responseFile /run/cfn-init/netca.rsp" + + # Start the listener + su oracle -l -c "lsnrctl start" + else + echo "Listener is already running. Skipping listener creation and start." + fi +fi #### Prevent timeout on DB # Add TCP keepalive time to sysctl.conf ---> keepalive solution @@ -389,7 +325,6 @@ chmod 644 /home/oracle/scripts/alert_rota.sh # Create /etc/cron.d/oracle_rotation with the cron jobs cat < /etc/cron.d/oracle_rotation 00 07 * * * /home/oracle/scripts/alert_rota.sh $APPNAME -* */6 * * * oracle /home/oracle/scripts/cdc_simple_health_check.sh >> /home/oracle/scripts/logs/cdc_check.log EOC5 chown root:root /etc/cron.d/oracle_rotation @@ -405,9 +340,6 @@ su oracle -c "crontab /home/oracle/crecrontab.txt" chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sh chmod 744 /home/oracle/scripts/cdc_simple_health_check.sh -chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sql -chmod 744 /home/oracle/scripts/cdc_simple_health_check.sql - #Update send mail URL echo "Update Sendmail configurations" sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf From 0f41d4b30440d7c6fbe62c1a7cb310044d3da01f Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 6 Nov 2024 03:22:21 +0000 Subject: [PATCH 009/308] update userdata Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 17fbcd9c940..48eb0dbf548 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
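Review bot: The re-enabled listener block in the `@@ -263,45 +218,26 @@` hunk runs `chmod 777 /run/cfn-init/netca.rsp` before feeding that file to `netca`, so any local account can rewrite the response file that defines the listener; the context lines at the top of the hunk do the same to `edw_warehouse.dbt`. `netca` is started as `oracle` and only has to read the file, so `chown oracle:dba /run/cfn-init/netca.rsp` followed by `chmod 640 /run/cfn-init/netca.rsp` is enough. The comment above the line describes 777 as the correct permissions and should be reworded together with the mode.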
@@ -82,6 +82,7 @@ export APPNAME="${local.application_data.accounts[local.environment].edw_AppName export ENV="${local.application_data.accounts[local.environment].edw_environment}" export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" +export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} { --query SecretString --output text` export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts @@ -151,7 +152,6 @@ log_group_name = $APPNAME-CDCstatus log_stream_name = {instance_id} EOC2 -sudo chmod 755 /home/oracle/backup_logs sudo chmod 755 /home/oracle/scripts/logs sudo chmod 755 /etc/awslogs sudo chmod 755 /tmp/cwlogs @@ -258,12 +258,6 @@ chown -R oracle:dba /home/oracle/edwcreate chmod -R 777 /home/oracle/edwcreate chown oracle:dba /var/opt/oracle/passwds.sql chmod 777 /var/opt/oracle/passwds.sql -if [ ! -f /oracle/software/product/10.2.0/network/admin/tnsnames.ora ]; then - su oracle -l -c "cp /home/oracle/edwcreate/tnsnames.ora /oracle/software/product/10.2.0/network/admin" - echo "tnsnames.ora copied successfully." -else - echo "tnsnames.ora already exists. Skipping copy." -fi sed -i "s/tst/$ENV/g" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\./s/^.*edw\..*$/ (ADDRESS = (PROTOCOL = TCP)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\.aws/s/^.*edw\.aws.*$/ (ADDRESS = (PROTOCOL = tcp)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora 
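Review bot: The added `export SECRET=` line in the `@@ -82,6 +82,7 @@` hunk has a lone `{` between the `--secret-id` value and `--query` as it is rendered here; if that character is really in the file, the AWS CLI receives it as an extra argument, the lookup presumably fails, and `SECRET` is left empty. Nothing after the assignment checks the result, so a failed lookup would go unnoticed until the value is used. Drop the `{` and follow the assignment with `[ -n "$SECRET" ] || { echo "could not read DB secret" >&2; exit 1; }`. As far as the visible uses go, the value also does not need `export`, which places it in the environment of every command the script starts; a plain shell variable is enough for the `sed` calls that consume it.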
@@ -283,8 +277,8 @@ chmod -R 777 /stage/owb/ # setup efs backup mount point mkdir -p /home/oracle/backup_logs/ -mkdir -p /backups/$APPNAME_RMAN -chmod 777 /backups/$APPNAME_RMAN +sudo mkdir -p /backups/$APPNAME_RMAN +chmod 777 /backups/EDW_RMAN sed -i "s/\/backups\/production\/MIDB_RMAN\//\/backups\/$APPNAME_RMAN/g" /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh sed -i "s/\/backups\/production\/MIDB_RMAN\//\/backups\/$APPNAME_RMAN/g" /home/oracle/backup_scripts/rman_full_backup.sh chown -R oracle:dba /home/oracle/backup* @@ -293,6 +287,7 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron 0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME +0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME 0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh @@ -336,10 +331,6 @@ chown oracle:dba /home/oracle/crecrontab.txt chmod 777 /home/oracle/crecrontab.txt su oracle -c "crontab /home/oracle/crecrontab.txt" -# set permissions for CDC scripts -chown oracle:dba /home/oracle/scripts/cdc_simple_health_check.sh -chmod 744 /home/oracle/scripts/cdc_simple_health_check.sh - #Update send mail URL echo "Update Sendmail configurations" sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf From 1c3bb83e27612166519d37b1ff5f427a58058aea Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 6 Nov 2024 04:17:29 +0000 Subject: [PATCH 010/308] Update ud Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 48eb0dbf548..b89f0540a71 100644 
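Review bot: In the `@@ -283,8 +277,8 @@` hunk, `/backups/$APPNAME_RMAN` asks the shell for a variable called `APPNAME_RMAN`, which nothing visible sets, so `sudo mkdir -p` creates only `/backups/` while the new `chmod 777 /backups/EDW_RMAN` targets a directory this script never makes. Inside a Terraform heredoc the braces need escaping, `sudo mkdir -p /backups/$${APPNAME}_RMAN`, and the `chmod` should use the same expression instead of a hard-coded `EDW`; the two `sed` lines below it have the same expansion problem. Mode 777 on the backup directory lets any local account read or replace the RMAN backup pieces; assuming backups are written as `oracle`, `chown oracle:dba` with `chmod 770` would be enough.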
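Review bot: The line added in the `@@ -293,6 +287,7 @@` hunk is a byte-for-byte copy of the entry above it, so the archive-log backup would be scheduled twice for the same minute and both runs would work on the same archived logs at once. Remove the added line; if a second schedule is wanted, give it a different time specification.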
--- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -83,6 +83,7 @@ export ENV="${local.application_data.accounts[local.environment].edw_environment export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} { --query SecretString --output text` +echo "export SECRET=\"$SECRET\"" >> /etc/profile export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts @@ -192,12 +193,12 @@ $EFS.efs.eu-west-2.amazonaws.com:/ /backups nfs4 rsize=1048576,wsize=1048576,har EOT # Create file systems -mkdir -p /oracle/dbf -mkdir -p /stage -mkdir -p /oracle/ar -mkdir --p /oracle/software -mkdir -p /oracle/temp_undo -mkdir -p /backups +sudo mkdir -p /oracle/dbf +sudo mkdir -p /stage +sudo mkdir -p /oracle/ar +sudo mkdir --p /oracle/software +sudo mkdir -p /oracle/temp_undo +sudo mkdir -p /backups # Mount all file systems in fstab mount -a @@ -252,7 +253,7 @@ grep -qxF "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" /oracle/software/product/10.2.0/n # Add inbound connection timeout option to listener grep -qxF "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" /oracle/software/product/10.2.0/network/admin/listener.ora || echo "INBOUND_CONNECT_TIMEOUT_LISTENER = 0" >> /oracle/software/product/10.2.0/network/admin/listener.ora -mkdir -p /var/opt/oracle +sudo mkdir -p /var/opt/oracle chown oracle:dba /var/opt/oracle chown -R oracle:dba /home/oracle/edwcreate chmod -R 777 /home/oracle/edwcreate 
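Review bot: `echo "export SECRET=\"$SECRET\"" >> /etc/profile` in the `@@ -83,6 +83,7 @@` hunk writes the database master password in clear text into a file that is normally readable by every local account and is sourced by every login shell, so each interactive session and its child processes carry the password in their environment. That takes the secret out of Secrets Manager's access control and audit trail, and a rotation there will not update the copy on disk. Remove the line and have the jobs that need the password fetch it at run time with the instance role, or, if a local copy is unavoidable, keep it in a file owned by `oracle` with mode 600. The password in use wherever this has already been applied should be rotated.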
@@ -262,8 +263,8 @@ sed -i "s/tst/$ENV/g" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\./s/^.*edw\..*$/ (ADDRESS = (PROTOCOL = TCP)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/edw\.aws/s/^.*edw\.aws.*$/ (ADDRESS = (PROTOCOL = tcp)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/tnsnames.ora sed -i "0,/EDW/s/^.*EDW.*$/ (ADDRESS = (PROTOCOL = TCP)(HOST = ${local.application_name}.${data.aws_route53_zone.external.name})(PORT = 1521))/" /oracle/software/product/10.2.0/network/admin/listener.ora -sed -i "s/^\(define EDW_SYS=\).*/\1$SECRET/" /var/opt/oracle/passwds.sql -sed -i "s/^\(define EDW_SYSTEM=\).*/\1$SECRET/" /var/opt/oracle/passwds.sql +sed -i "s/^\(define EDW_SYS=\).*/\1$(echo $SECRET | sed 's/[&/\]/\\&/g')/" /var/opt/oracle/passwds.sql +sed -i "s/^\(define EDW_SYSTEM=\).*/\1$(echo $SECRET | sed 's/[&/\]/\\&/g')/" /var/opt/oracle/passwds.sql chown -R oracle:dba /home/oracle/scripts/ chmod -R 700 /home/oracle/scripts/ @@ -276,7 +277,7 @@ chmod -R 777 /stage/owb/ #### setup_backups: # setup efs backup mount point -mkdir -p /home/oracle/backup_logs/ +sudo mkdir -p /home/oracle/backup_logs/ sudo mkdir -p /backups/$APPNAME_RMAN chmod 777 /backups/EDW_RMAN sed -i "s/\/backups\/production\/MIDB_RMAN\//\/backups\/$APPNAME_RMAN/g" /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh From fe2127576870fdaad87e20efecd05438a18888ec Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 6 Nov 2024 04:56:26 +0000 Subject: [PATCH 011/308] upd ud Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index b89f0540a71..0e30be54875 100644 --- a/terraform/environments/edw/ec2.tf 
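Review bot: In the `@@ -262,8 +263,8 @@` hunk, `$(echo $SECRET | sed ...)` expands `$SECRET` unquoted, so runs of whitespace collapse, glob characters can expand against the working directory, and a value beginning with `-n` or `-e` is taken as an `echo` option; the password written to `passwds.sql` can then differ from the one held in Secrets Manager. Use `printf '%s' "$SECRET"` as the source of the pipeline in both lines. `passwds.sql` is set to mode 777 in the context of an earlier hunk in this series, so the file that now holds the SYS and SYSTEM passwords is readable and writable by every local account; `chmod 600` with `oracle` as owner would fit.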
+++ b/terraform/environments/edw/ec2.tf @@ -288,7 +288,7 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron 0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME -0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME +*/10 * * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME 0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh From 944609155e2d6d067860e4b3e74a3b31951e1c59 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 7 Nov 2024 10:59:19 +0000 Subject: [PATCH 012/308] Add logging --- .../components/dms/cloudwatch-alarms.tf | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 20e8466cd76..862797ae8f1 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -2,6 +2,32 @@ resource "aws_sns_topic" "dms_alerting" { name = "delius-dms-alerting" kms_master_key_id = var.account_config.kms_keys.general_shared + + http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn + http_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn +} + +resource "aws_iam_role" "sns_logging_role" { + name = "sns-logging-role" + + assume_role_policy = jsonencode({ + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "Service": "sns.amazonaws.com" + }, + "Effect": "Allow", + "Sid": "" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "attach_sns_policy" { + role = aws_iam_role.sns_logging_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSNSRole" } # Create a map of all possible replication tasks, so those that exist may have alarms applied to them. From 1d1ecd4149b326f314c2a1e8009ce563326a2c56 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 7 Nov 2024 11:37:04 +0000 Subject: [PATCH 013/308] Log all notifications --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 862797ae8f1..4e0a93adee3 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -4,6 +4,7 @@ resource "aws_sns_topic" "dms_alerting" { kms_master_key_id = var.account_config.kms_keys.general_shared http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn + http_success_feedback_sample_rate = 100 http_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn } From 915c4f2df241ff42a8d36ec8be10beab449dfa31 Mon Sep 17 00:00:00 2001 
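Review bot: `aws_iam_role.sns_logging_role` in the `@@ -2,6 +2,32 @@` hunk gets the fixed name `sns-logging-role` and no `tags`, although it lives in a reusable module and the alarms in the same file carry `tags = var.tags`. IAM role names are unique per account, so a second instance of this module in one account would fail to create the role; whether that can happen depends on how environments map to accounts, which is not visible here. Build the name from whatever environment identifier the module already receives, for example `name = "<environment-prefix>-dms-sns-logging"` (placeholder), and add `tags = var.tags`. A comment above the two `http_*_feedback_role_arn` arguments saying that they turn on delivery-status logging for the topic's HTTP/S subscribers would explain why the role exists.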
From: Bill Buchan Date: Thu, 7 Nov 2024 14:11:21 +0000 Subject: [PATCH 014/308] Add Debug --- .../components/dms/cloudwatch-alarms.tf | 110 +++++++++++++++++- 1 file changed, 105 insertions(+), 5 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 4e0a93adee3..b2081520e7a 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -101,8 +101,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_source" { evaluation_periods = 3 period = 120 actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerting.arn] - ok_actions = [aws_sns_topic.dms_alerting.arn] + alarm_actions = [aws_sns_topic.dms_alerts.arn] + ok_actions = [aws_sns_topic.dms_alerts.arn] dimensions = { ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id # We only need to final element of the replication task ID (after the last :) @@ -123,8 +123,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { evaluation_periods = 3 period = 120 actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerting.arn] - ok_actions = [aws_sns_topic.dms_alerting.arn] + alarm_actions = [aws_sns_topic.dms_alerts.arn] + ok_actions = [aws_sns_topic.dms_alerts.arn] dimensions = { ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id # We only need to final element of the replication task ID (after the last :) 
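Review bot: `alarm_actions` and `ok_actions` in the `@@ -101,8 +101,8 @@` hunk now point at `aws_sns_topic.dms_alerts`, while `module "pagerduty_core_alerts"` in the last hunk of this patch still passes `aws_sns_topic.dms_alerting.name`. As far as the visible lines show, the CDC latency alarms and the DMS task event subscription (`@@ -123,8 +123,8 @@` and `@@ -135,7 +135,7 @@` make the same switch) stop reaching PagerDuty for as long as the debug topic is in place. To capture payloads without losing paging, keep the original topic and add the debug one beside it, `alarm_actions = [aws_sns_topic.dms_alerting.arn, aws_sns_topic.dms_alerts.arn]`, and leave the event subscription on `dms_alerting` with the logging function subscribed to that topic, since the subscription takes a single topic ARN. The definition of `dms_alerts` is not readable in this rendering of patch 014.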
@@ -135,7 +135,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { resource "aws_dms_event_subscription" "dms_task_event_subscription" { name = "dms-task-event-alerts" - sns_topic_arn = aws_sns_topic.dms_alerting.arn + sns_topic_arn = aws_sns_topic.dms_alerts.arn source_type = "replication-task" # If this is production then we expect to see starting and stopping of replication tasks # as this would not be normal behaviour. @@ -175,3 +175,103 @@ module "pagerduty_core_alerts" { sns_topics = [aws_sns_topic.dms_alerting.name] pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup] } + + +# DEBUG BELOW - WRITE MESSAGE PAYLOAD + +# Step 1: Create an IAM Role for the Lambda function with necessary permissions +resource "aws_iam_role" "lambda_sns_role" { + name = "lambda-sns-role" + assume_role_policy = jsonencode({ + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Principal": { + "Service": "lambda.amazonaws.com" + }, + "Effect": "Allow", + "Sid": "" + } + ] + }) +} + +# Attach policies for Lambda logging and SNS access +resource "aws_iam_role_policy_attachment" "lambda_logging" { + role = aws_iam_role.lambda_sns_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" +} + +resource "aws_iam_role_policy_attachment" "sns_publish" { + role = aws_iam_role.lambda_sns_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaSNSPolicy" +} + + +resource "local_file" "lambda_handler_py" { + filename = "${path.module}/lambda_function_payload_logger.py" + content = < Date: Thu, 7 Nov 2024 14:19:00 +0000 Subject: [PATCH 015/308] Policy not needed --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 6 ------ 1 file changed, 6 deletions(-) 
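Review bot: The `sns_publish` attachment in the `@@ -175,3 +175,103 @@` hunk gives the Lambda execution role an SNS managed policy, but a function that is only invoked by a topic and, judging by later patches in this series, only prints the event needs log-writing rights alone; the right for SNS to invoke it belongs on the function, not on its role. Drop the attachment so the role carries just `AWSLambdaBasicExecutionRole`. `local_file` also writes the handler into `${path.module}` at apply time, which changes the module's source tree on every machine that runs it; an `archive_file` data source with `source_content` and `source_content_filename` builds the zip directly from the inline text. Part of this hunk, including the handler text, is missing from the page, so the remainder is not reviewed here.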
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index b2081520e7a..bd4850c4f81 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -203,12 +203,6 @@ resource "aws_iam_role_policy_attachment" "lambda_logging" { policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -resource "aws_iam_role_policy_attachment" "sns_publish" { - role = aws_iam_role.lambda_sns_role.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaSNSPolicy" -} - - resource "local_file" "lambda_handler_py" { filename = "${path.module}/lambda_function_payload_logger.py" content = < Date: Thu, 7 Nov 2024 14:40:27 +0000 Subject: [PATCH 016/308] Use index file name --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index bd4850c4f81..bcd63761b35 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -204,7 +204,7 @@ resource "aws_iam_role_policy_attachment" "lambda_logging" { } resource "local_file" "lambda_handler_py" { - filename = "${path.module}/lambda_function_payload_logger.py" + filename = "${path.module}/index.py" content = < Date: Thu, 7 Nov 2024 14:55:21 +0000 Subject: [PATCH 017/308] Remove unneeded cron Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 0e30be54875..63432c140de 100644 
--- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -288,7 +288,6 @@ chmod -R 740 /home/oracle/backup* # Create /etc/cron.d/backup_cron with the cron jobs cat < /etc/cron.d/backup_cron 0 */3 * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME -*/10 * * * * /home/oracle/backup_scripts/rman_s3_arch_backup_v2_1.sh $APPNAME 0 06 * * 01 /home/oracle/backup_scripts/rman_full_backup.sh $APPNAME 00 07,10,13,16 * * * /home/oracle/scripts/freespace_alert.sh 00,15,30,45 * * * * /home/oracle/scripts/pmon_check.sh From cad3e20e0ed18d4a5400fe4616a9704d2efd2916 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Thu, 7 Nov 2024 15:00:38 +0000 Subject: [PATCH 018/308] update tmeout time Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 63432c140de..bed141cb424 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
@@ -245,9 +245,10 @@ fi echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf sysctl -p # Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution -grep -qxF "SQLNET.EXPIRE_TIME = 5" /oracle/software/product/10.2.0/network/admin/sqlnet. +grep -qxF "SQLNET.EXPIRE_TIME = 1" /oracle/software/product/10.2.0/network/admin/sqlnet.ora # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution -sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora +sed -i '/(ENABLE *= *broken)/d' /oracle/software/product/10.2.0/network/admin/tnsnames.ora +grep -q '(ENABLE *= *broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora || sed -i '/(DESCRIPTION =/a\\ (ENABLE = broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora # Add inbound connection timeout option to sqlnet grep -qxF "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" /oracle/software/product/10.2.0/network/admin/sqlnet.ora || echo "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora # Add inbound connection timeout option to listener From 064f3ffe04bbbfb3d00bbaf38774977d56137fbe Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 7 Nov 2024 15:02:27 +0000 Subject: [PATCH 019/308] Force code change --- .../modules/components/dms/cloudwatch-alarms.tf | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index bcd63761b35..fbc6a30d1bf 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
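Review bot: The rewritten `SQLNET.EXPIRE_TIME` line in the `@@ -245,9 +245,10 @@` hunk only tests for the setting: the `grep -qxF` has no `||` branch, so nothing is ever written to `sqlnet.ora` and dead-connection probing is not configured unless that exact line already exists. Follow the pattern of the `INBOUND_CONNECT_TIMEOUT` line below it: `grep -qxF "SQLNET.EXPIRE_TIME = 1" /oracle/software/product/10.2.0/network/admin/sqlnet.ora || echo "SQLNET.EXPIRE_TIME = 1" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora`. In the `tnsnames.ora` pair, the `sed ... /d` has just removed every match, so the `grep -q ... ||` guard in front of the insert can never find one and could be dropped.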
@@ -209,7 +209,7 @@ resource "local_file" "lambda_handler_py" { import json def lambda_handler(event, context): - print("Received event: " + json.dumps(event, indent=2)) + print("Received handler event: " + json.dumps(event, indent=2)) return { 'statusCode': 200, 'body': 'Success' @@ -240,12 +240,6 @@ resource "aws_lambda_function" "sns_handler" { } } -# Sample Python code for the Lambda function: -# def lambda_handler(event, context): -# import json -# print("Received event:", json.dumps(event, indent=2)) -# return {"statusCode": 200, "body": "Success"} - # Step 3: Create the SNS topic resource "aws_sns_topic" "dms_alerts" { name = "dms-alerts-topic" From 01f6fa0678289d3f704faca598f9acabbfaa4e39 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 7 Nov 2024 15:14:19 +0000 Subject: [PATCH 020/308] Replace handler name --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index fbc6a30d1bf..d7e6924cd24 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -204,7 +204,7 @@ resource "aws_iam_role_policy_attachment" "lambda_logging" { } resource "local_file" "lambda_handler_py" { - filename = "${path.module}/index.py" + filename = "${path.module}/lambda_function_payload_logger.py" content = < Date: Wed, 6 Nov 2024 10:53:15 +0000 Subject: [PATCH 021/308] [TM-618] changes keepalive packet to 2 minutes --- terraform/environments/corporate-information-system/locals.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 731a1f29488..7818a3cb75e 100644 
--- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf @@ -15,11 +15,11 @@ sed -i 's/#ClientAliveCountMax.*/ClientAliveCountMax 3/' /etc/ssh/sshd_config service sshd restart # Add TCP keepalive time to sysctl.conf ---> keepalive solution -echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf +echo "net.ipv4.tcp_keepalive_time = 120" >> /etc/sysctl.conf sysctl -p # Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution -echo "SQLNET.EXPIRE_TIME = 5" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora +echo "SQLNET.EXPIRE_TIME = 1" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora From 8ed6f6f12fb67f2077c88f77142f8ea0cf1c0729 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Wed, 6 Nov 2024 10:53:38 +0000 Subject: [PATCH 022/308] [TM-618] changes keepalive packet to 2 minutes v2 --- terraform/environments/corporate-information-system/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 7818a3cb75e..54634858466 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf 
@@ -19,7 +19,7 @@ echo "net.ipv4.tcp_keepalive_time = 120" >> /etc/sysctl.conf sysctl -p # Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution -echo "SQLNET.EXPIRE_TIME = 1" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora +echo "SQLNET.EXPIRE_TIME = 2" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora From 0c8f0436ae9ffe7f0007733c116ec42c85993338 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Wed, 6 Nov 2024 14:30:48 +0000 Subject: [PATCH 023/308] [TM-618] changed metadata options --- terraform/environments/corporate-information-system/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/ec2.tf b/terraform/environments/corporate-information-system/ec2.tf index 6d9547aa1cf..15b466a576a 100644 --- a/terraform/environments/corporate-information-system/ec2.tf +++ b/terraform/environments/corporate-information-system/ec2.tf @@ -27,7 +27,7 @@ resource "aws_instance" "cis_db_instance" { } metadata_options { - http_tokens = "required" + http_tokens = "optional" } tags = merge( From 5b1bb8cbc30870e4a024daefdf1ec39e84890ffd Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Wed, 6 Nov 2024 16:12:43 +0000 Subject: [PATCH 024/308] [TM-618] changed metadata option for ec2 instance to required --- terraform/environments/corporate-information-system/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/ec2.tf b/terraform/environments/corporate-information-system/ec2.tf index 15b466a576a..6d9547aa1cf 100644 --- a/terraform/environments/corporate-information-system/ec2.tf +++ b/terraform/environments/corporate-information-system/ec2.tf 
@@ -27,7 +27,7 @@ resource "aws_instance" "cis_db_instance" { } metadata_options { - http_tokens = "optional" + http_tokens = "required" } tags = merge( From 9287303ff59df7d91fa711a7651430018e1e418e Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Thu, 7 Nov 2024 17:14:29 +0000 Subject: [PATCH 025/308] [TM-618] minor change --- terraform/environments/corporate-information-system/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 54634858466..54b6182f93e 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf @@ -11,7 +11,7 @@ hostname ${local.application_name_short} # Increase ssh session timeout sed -i 's/#ClientAliveInterval.*/ClientAliveInterval 1200/' /etc/ssh/sshd_config -sed -i 's/#ClientAliveCountMax.*/ClientAliveCountMax 3/' /etc/ssh/sshd_config +sed -i 's/#ClientAliveCountMax.*/ClientAliveCountMax 5/' /etc/ssh/sshd_config service sshd restart # Add TCP keepalive time to sysctl.conf ---> keepalive solution From e9fa7600010d12d67d0d337c63605f765954743b Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 7 Nov 2024 18:03:57 +0000 Subject: [PATCH 026/308] Use Lambda to create Cloudwatch Metric from Event --- .../components/dms/cloudwatch-alarms.tf | 179 ++++++++++-------- 1 file changed, 102 insertions(+), 77 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index d7e6924cd24..c2d207a9d73 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
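Review bot: With `ClientAliveInterval 1200` on the line above, raising `ClientAliveCountMax` to 5 means sshd waits roughly 100 minutes (5 × 1200 s) before dropping a session whose client has stopped responding; a comment stating that intended ceiling would help the next reader. The `sed` also matches only a commented-out `#ClientAliveCountMax` line, so on an image where the directive is already active (for instance one captured after an earlier boot) the edit is a silent no-op. `sed -i 's/^#*ClientAliveCountMax.*/ClientAliveCountMax 5/' /etc/ssh/sshd_config` covers both cases. The surrounding heredoc starts and ends outside the hunk.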
@@ -1,6 +1,6 @@ # SNS topic for monitoring to send alarms to -resource "aws_sns_topic" "dms_alerting" { - name = "delius-dms-alerting" +resource "aws_sns_topic" "dms_alerts_topic" { + name = "delius-dms-alerts-topic" kms_master_key_id = var.account_config.kms_keys.general_shared http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn @@ -101,8 +101,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_source" { evaluation_periods = 3 period = 120 actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerts.arn] - ok_actions = [aws_sns_topic.dms_alerts.arn] + alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] + ok_actions = [aws_sns_topic.dms_alerts_topic.arn] dimensions = { ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id # We only need to final element of the replication task ID (after the last :) @@ -123,8 +123,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { evaluation_periods = 3 period = 120 actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerts.arn] - ok_actions = [aws_sns_topic.dms_alerts.arn] + alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] + ok_actions = [aws_sns_topic.dms_alerts_topic.arn] dimensions = { ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id # We only need to final element of the replication task ID (after the last :) 
@@ -133,17 +133,6 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { tags = var.tags } -resource "aws_dms_event_subscription" "dms_task_event_subscription" { - name = "dms-task-event-alerts" - sns_topic_arn = aws_sns_topic.dms_alerts.arn - source_type = "replication-task" - # If this is production then we expect to see starting and stopping of replication tasks - # as this would not be normal behaviour. - # For non-production this will happen nightly due to automated stop/start - event_categories = var.dms_config.is-production ? ["state change", "failure"] : ["failure"] - enabled = true -} - # Pager duty integration # Get the map of pagerduty integration keys from the modernisation platform account 
@@ -169,97 +158,133 @@ locals { module "pagerduty_core_alerts" { #checkov:skip=CKV_TF_1 depends_on = [ - aws_sns_topic.dms_alerting + aws_sns_topic.dms_alerts_topic ] source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0" - sns_topics = [aws_sns_topic.dms_alerting.name] + sns_topics = [aws_sns_topic.dms_alerts_topic.name] pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup] } +resource "aws_iam_role" "lambda_put_metric_data_role" { + name = "lambda-put-metric-data-role" -# DEBUG BELOW - WRITE MESSAGE PAYLOAD - -# Step 1: Create an IAM Role for the Lambda function with necessary permissions -resource "aws_iam_role" "lambda_sns_role" { - name = "lambda-sns-role" assume_role_policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [ + Version = "2012-10-17", + Statement = [ { - "Action": "sts:AssumeRole", - "Principal": { - "Service": "lambda.amazonaws.com" - }, - "Effect": "Allow", - "Sid": "" + Action = "sts:AssumeRole", + Effect = "Allow", + Principal = { + Service = "lambda.amazonaws.com" + } + } + ] + }) +} + +resource "aws_iam_policy" "lambda_put_metric_data_policy" { + name = "lambda-put-metric-data-policy" + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "cloudwatch:PutMetricData" + ], + Resource = "*" } ] }) } -# Attach policies for Lambda logging and SNS access -resource "aws_iam_role_policy_attachment" "lambda_logging" { - role = aws_iam_role.lambda_sns_role.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" +resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_policy_attach" { + role = aws_iam_role.lambda_put_metric_data_role.name + policy_arn = aws_iam_policy.lambda_put_metric_data_policy.arn } -resource "local_file" "lambda_handler_py" { - filename = "${path.module}/lambda_function_payload_logger.py" +resource "local_file" 
"lambda_dms_replication_metric_py" { + filename = "${path.module}/lambda_dms_replication_metric.py" content = < Date: Thu, 7 Nov 2024 18:28:49 +0000 Subject: [PATCH 027/308] Add logging --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index c2d207a9d73..36cdea4b629 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -269,6 +269,10 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_alarm" { # DMS Replication (Events are NOT detected by CloudWatch Alarms) resource "aws_sns_topic" "dms_events_topic" { name = "dms_events_topic" + + http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn + http_success_feedback_sample_rate = 100 + http_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn } resource "aws_sns_topic_subscription" "dms_events_lambda_subscription" { From 7da882c1e09e211424c0071c7671be1b2692329f Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Thu, 7 Nov 2024 22:09:38 +0000 Subject: [PATCH 028/308] Update cronyd Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 67 +++++++++++++------------------ 1 file changed, 27 insertions(+), 40 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index bed141cb424..c4a56f8fdad 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
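Review bot: The new `lambda_put_metric_data_policy` allows `cloudwatch:PutMetricData` on `Resource = "*"`, which lets the function write into any metric namespace in the account, including namespaces that existing alarms are built on. PutMetricData has no resource-level ARNs, so the usual way to narrow it is a namespace condition: `Condition = { StringEquals = { "cloudwatch:namespace" = "<NAMESPACE_USED_BY_THE_LAMBDA>" } }`. The hunk also removes the `AWSLambdaBasicExecutionRole` attachment that the old role had; the remainder of this hunk is not readable on this page, so it is worth confirming the new role can still write its own CloudWatch Logs, otherwise failures inside the function will go unrecorded.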
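Review bot: `dms_events_topic` is declared without `kms_master_key_id`, while `dms_alerts_topic` in the same file sets `var.account_config.kms_keys.general_shared`, so server-side encryption is not enabled for the DMS event payloads on this topic. Adding `kms_master_key_id = var.account_config.kms_keys.general_shared` would make the two topics consistent; the key policy would presumably have to let the DMS service publish through that key, which is not visible here. Separately, the `http_*_feedback` attributes added in this hunk log deliveries to HTTP/S endpoints, whereas the subscription declared just below the topic is named as a Lambda one, so these settings may record nothing for it.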
@@ -28,46 +28,33 @@ search ${data.aws_route53_zone.external.name} eu-west-2.compute.internal nameserver ${local.dns_resolver_ip}" > /etc/resolv.conf chattr +i /etc/resolv.conf -# DOESNT WORK IN LZ, DO WE WANT IN MP??? #### adjust the NTP (Network Time Protocol) settings to use the AWS time sync service as the time source echo "---configure aws timesync (external ntp source)" -AwsTimeSync(){ - local RHEL=$1 - local SOURCE=169.254.169.123 - - - NtpD(){ - local CONF=/etc/ntp.conf - # Check if the server line already exists - if ! grep -q "server 169.254.169.123" $CONF; then - sed -i 's/server \S/#server \S/g' $CONF && \ - sed -i "20i\server 169.254.169.123 prefer iburst" $CONF - /etc/init.d/ntpd status >/dev/null 2>&1 \ - && /etc/init.d/ntpd restart || /etc/init.d/ntpd start - ntpq -p - else - echo "NTP server 169.254.169.123 is already configured." - fi -} - - ChronyD(){ - local CONF=/etc/chrony.conf - sed -i 's/server \\S/#server \\S/g' $CONF && \ - sed -i "7i\server $SOURCE prefer iburst" $CONF - systemctl status chronyd >/dev/null 2>&1 \ - && systemctl restart chronyd || systemctl start chronyd - chronyc sources - } - case $RHEL in - 5) - NtpD - ;; - 7) - ChronyD - ;; - esac -} -AwsTimeSync $(cat /etc/redhat-release | cut -d. -f1 | awk '{print $NF}') + +# Install chrony if not installed +if ! yum list installed chrony &>/dev/null; then + sudo yum install -y chrony +fi + +# Check if the chrony.conf file exists and is properly configured +if ! grep -q "server 169.254.169.123" /etc/chrony.conf; then + sudo bash -c 'cat << EOC9 > /etc/chrony.conf +server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4 +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift +# Enable kernel RTC synchronization. +rtcsync +# In first three updates step the system clock instead of slew +# if the adjustment is larger than 1.0 seconds. 
+makestep 1.0 3 +logdir /var/log/chrony +# Select which information is logged +log measurements statistics tracking +EOC9' +fi + +# Start chronyd service +sudo /etc/init.d/chronyd start #### Install AWS cli echo "---Installing AWS cli" @@ -340,11 +327,11 @@ sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_u sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.mc /etc/init.d/sendmail restart -sudo su - oracle -c "sqlplus / as sysdba << EOF +sudo su - oracle -c "sqlplus / as sysdba << EOC6 shutdown abort; startup; exit; -EOF" +EOC6" EOF } From 44c10d00ab18a49953e4404b0e5ffea695cf5782 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Thu, 7 Nov 2024 22:10:10 +0000 Subject: [PATCH 029/308] Remove secret to prof Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index c4a56f8fdad..538a720415a 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -70,7 +70,6 @@ export ENV="${local.application_data.accounts[local.environment].edw_environment export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} { --query SecretString --output text` -echo "export SECRET=\"$SECRET\"" >> /etc/profile export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts From f3a7d73bd233fd18ac9051e52085699a4434c9bd Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Thu, 7 Nov 2024 22:12:10 +0000 Subject: [PATCH 030/308] Remove deprecated val 
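Review bot: `sudo /etc/init.d/chronyd start` neither applies the rewritten `/etc/chrony.conf` to a daemon that is already running nor enables the service at boot, so the instance can keep its old time source or lose time sync after a reboot; accurate clocks matter for log correlation and for signed AWS API calls. Using `restart` plus an explicit boot-time enable (`chkconfig chronyd on` or `systemctl enable chronyd`, depending on the release) would close that gap. The removed function chose ntpd or chronyd by RHEL major version, while the new code assumes a chrony package and an init script exist on every image this runs on, which deserves a guard or at least a comment. The heredoc also replaces the whole file instead of editing the `server` lines, so any existing local settings are dropped.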
Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 538a720415a..27d895bc488 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -339,7 +339,6 @@ EOF resource "aws_iam_role" "edw_ec2_role" { name = "${local.application_name}-ec2-instance-role" - managed_policy_arns = ["arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"] tags = merge( local.tags, { From 47ef4300a0aeed34e07690aba77dc20a490cc8fb Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 8 Nov 2024 14:13:50 +0000 Subject: [PATCH 031/308] allow staging perms --- .../electronic-monitoring-data/ap_airflow_iam.tf | 3 +++ .../modules/ap_airflow_load_data_iam_role/main.tf | 5 ++++- .../modules/ap_airflow_load_data_iam_role/variables.tf | 5 +++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 39c25bcf55d..9e6bf09a62b 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf @@ -30,6 +30,7 @@ module "load_unstructured_atrium_database" { secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } module "load_cap_dw_database" { 
@@ -44,6 +45,7 @@ module "load_cap_dw_database" { secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } module "load_alcohol_monitoring_database" { @@ -58,4 +60,5 @@ module "load_alcohol_monitoring_database" { secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } diff --git a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf index 0480353be84..186b8606f9a 100644 --- a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf @@ -21,6 +21,8 @@ data "aws_iam_policy_document" "load_data" { ] resources = [ "${var.source_data_bucket.arn}${var.path_to_data}/*", + "${var.source_data_bucket.arn}/staging${var.path_to_data}/*", + "${var.cadt_bucket.arn}/staging${var.path_to_data}/*", "${var.athena_dump_bucket.arn}/output/*" ] } @@ -30,7 +32,8 @@ data "aws_iam_policy_document" "load_data" { actions = ["s3:ListBucket"] resources = [ var.source_data_bucket.arn, - var.athena_dump_bucket.arn + var.athena_dump_bucket.arn, + var.cadt_bucket.arn ] } statement { 
diff --git a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/variables.tf b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/variables.tf index 8a5b748ba4d..9ed20efb3c4 100644 --- a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/variables.tf +++ b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/variables.tf @@ -38,3 +38,8 @@ variable "oidc_arn" { type = string nullable = false } + +variable "cadt_bucket" { + type = object({ arn = string }) + description = "bucket for cadt" +} \ No newline at end of file From 913842db009cf9571d7dc152a817fe21c272cc7b Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Fri, 8 Nov 2024 15:21:17 +0000 Subject: [PATCH 032/308] Log lambda success and failure instead of https --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 36cdea4b629..b5cca6e8062 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -270,9 +270,9 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_alarm" { resource "aws_sns_topic" "dms_events_topic" { name = "dms_events_topic" - http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn - http_success_feedback_sample_rate = 100 - http_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn + lambda_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn + lambda_success_feedback_sample_rate = 100 + lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn } resource "aws_sns_topic_subscription" "dms_events_lambda_subscription" { 
From 80d4ff7e9b13b1724f0e57cd2b79b7baf50f5851 Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 8 Nov 2024 15:22:04 +0000 Subject: [PATCH 033/308] star database --- .../modules/ap_airflow_load_data_iam_role/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf index 186b8606f9a..f0894049713 100644 --- a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf @@ -64,8 +64,8 @@ data "aws_iam_policy_document" "load_data" { ] resources = [ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog", - "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${local.snake-database}", - "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${local.snake-database}/*" + "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:database/${local.snake-database}*", + "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:table/${local.snake-database}*/*" ] } statement { From 107c7f30598a7b0bc9dee0a260c42abf43f4ff30 Mon Sep 17 00:00:00 2001 
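Review bot: Changing the Glue resources to `database/${local.snake-database}*` and `table/${local.snake-database}*/*` grants the role every database whose name merely starts with this prefix, not only this one plus a staging variant. If one load role's database name is a prefix of another's, that role picks up the other's catalog permissions as well. If the intent is the staging database implied by the previous commit, listing it explicitly is tighter, for example `database/${local.snake-database}_staging` next to the existing entry (the suffix here is a guess; use the real name). The statement's action list is outside the hunk.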
From: jodiejones-moj <168634320+jodiejones-moj@users.noreply.github.com> Date: Fri, 8 Nov 2024 16:13:28 +0000 Subject: [PATCH 034/308] Panda cyber defect dojo (#8614) * Added EC2 instance to host Defect Dojo * Removed installation of docker and cloning of defect dojo from user_data * Removed associate_public_ip_address * Set associate_public_ip_address to false and added lifecycle block * Removed lifecycle code block --- .../environments/panda-cyber-appsec-lab/ec2.tf | 17 ++--------------- 1 file changed, 2 insertions(+), 15 deletions(-) diff --git a/terraform/environments/panda-cyber-appsec-lab/ec2.tf b/terraform/environments/panda-cyber-appsec-lab/ec2.tf index d87e5b5bf93..e0ef2484906 100644 --- a/terraform/environments/panda-cyber-appsec-lab/ec2.tf +++ b/terraform/environments/panda-cyber-appsec-lab/ec2.tf @@ -1,7 +1,7 @@ # Kali Linux Instance resource "aws_instance" "kali_linux" { ami = "ami-0f398bcc12f72f967" // aws-marketplace/kali-last-snapshot-amd64-2024.2.0-804fcc46-63fc-4eb6-85a1-50e66d6c7215 - associate_public_ip_address = true + associate_public_ip_address = false instance_type = "t2.micro" subnet_id = module.vpc.private_subnets.0 vpc_security_group_ids = [aws_security_group.kali_linux_sg.id] @@ -53,7 +53,7 @@ resource "aws_instance" "kali_linux" { # Defect Dojo Instance resource "aws_instance" "defect_dojo" { ami = "ami-0e8d228ad90af673b" - associate_public_ip_address = true + associate_public_ip_address = false instance_type = "t2.micro" subnet_id = module.vpc.private_subnets.0 vpc_security_group_ids = [aws_security_group.kali_linux_sg.id] 
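Review bot: `aws_instance.defect_dojo` is attached to `aws_security_group.kali_linux_sg`, the same group as the Kali instance, so every rule opened for the testing host also applies to the system that will hold vulnerability findings. A dedicated security group for Defect Dojo, allowing only its web port from the intended sources, keeps the two hosts' exposure separate. The Defect Dojo AMI id also carries no comment naming the image, unlike the Kali one above it: `ami = "ami-0e8d228ad90af673b" // <image name and owner>`. Both resource bodies continue outside the hunks.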
@@ -76,19 +76,6 @@ resource "aws_instance" "defect_dojo" { # Update and install dependencies apt-get update apt-get upgrade - apt-get install -y docker.io docker-compose - - # Start Docker - systemctl start docker - systemctl enable docker - - # Clone DefectDojo Docker repo - git clone https://github.com/DefectDojo/django-DefectDojo.git /opt/defectdojo - cd /opt/defectdojo - - - # Run DefectDojo using Docker Compose - docker-compose up -d EOF tags = { From d041177c393aaef49d2b614c9898b51d63447999 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 8 Nov 2024 16:16:36 +0000 Subject: [PATCH 035/308] TM-500: enable endpoint monitoring alerts (#8617) * enable remaining endpoint alarms * improvements to endpoint widgets * fix --- .../locals_cloudwatch_metric_alarms.tf | 54 ++++++++++++++----- .../baseline_presets/cloudwatch_dashboards.tf | 16 +++--- 2 files changed, 50 insertions(+), 20 deletions(-) diff --git a/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf b/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf index c7faceb83a7..4629216a4af 100644 --- a/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf +++ b/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf @@ -59,6 +59,13 @@ locals { type_instance = "hmppgw1.justice.gov.uk" } }) + + "endpoint-down-hmpps-domain-rdgateway-test" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "rdgateway1.test.hmpps-domain.service.justice.gov.uk" + } + }) } "preproduction" = { @@ -71,6 +78,13 @@ locals { } }) + "endpoint-down-nomis-reporting-pp" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "reporting.pp-nomis.az.justice.gov.uk" + } + }) + "endpoint-down-nomis-lsast" = merge(local.endpoint_down_alarm, { dimensions = { type = "exitcode" 
@@ -146,8 +160,13 @@ locals { type = "exitcode" type_instance = "cafmwebx.pp.planetfm.service.justice.gov.uk" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] + }) + + "endpoint-down-cafmtx-pp" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "cafmtx.pp.planetfm.service.justice.gov.uk" + } }) "endpoint-down-hpa-preprod" = merge(local.endpoint_down_alarm, { @@ -155,8 +174,13 @@ locals { type = "exitcode" type_instance = "hpa-preprod.service.hmpps.dsd.io" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] + }) + + "endpoint-down-hmpps-domain-rdgateway-preproduction" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "rdgateway1.preproduction.hmpps-domain.service.justice.gov.uk" + } }) } @@ -183,8 +207,6 @@ locals { type = "exitcode" type_instance = "oasys.az.justice.gov.uk" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] }) "endpoint-down-oasys-training" = merge(local.endpoint_down_alarm, { @@ -257,13 +279,18 @@ locals { } }) + "endpoint-down-cafmtx" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "cafmtx.planetfm.service.justice.gov.uk" + } + }) + "endpoint-down-cafmwebx2" = merge(local.endpoint_down_alarm, { dimensions = { type = "exitcode" type_instance = "cafmwebx2.az.justice.gov.uk" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] }) "endpoint-down-cafmtrainweb" = merge(local.endpoint_down_alarm, { @@ -278,8 +305,6 @@ locals { type = "exitcode" type_instance = "www.offloc.service.justice.gov.uk" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] }) "endpoint-down-hpa" = merge(local.endpoint_down_alarm, { 
@@ -287,8 +312,6 @@ locals { type = "exitcode" type_instance = "hpa.service.hmpps.dsd.io" } - alarm_actions = [] # TODO: remove when IP allow listing fixed - ok_actions = [] }) "endpoint-down-hmpps-az-gw1-rdgateway" = merge(local.endpoint_down_alarm, { @@ -297,6 +320,13 @@ locals { type_instance = "hmpps-az-gw1.justice.gov.uk" } }) + + "endpoint-down-hmpps-domain-rdgateway" = merge(local.endpoint_down_alarm, { + dimensions = { + type = "exitcode" + type_instance = "rdgateway1.hmpps-domain.service.justice.gov.uk" + } + }) } } diff --git a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf index 632a203f57b..6a19ff3ae4d 100644 --- a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf +++ b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf @@ -442,7 +442,7 @@ locals { } ec2_instance_cwagent_collectd_endpoint_monitoring = { - endpoint-down = { + endpoint-status = { type = "metric" alarm_threshold = 1 expression = "SORT(SEARCH('{CWAgent,InstanceId,type,type_instance} MetricName=\"collectd_endpoint_status_value\"','Maximum'),MAX,DESC)" @@ -450,7 +450,7 @@ locals { view = "timeSeries" stacked = true region = "eu-west-2" - title = "EC2 Endpoint Monitoring endpoint-down" + title = "endpoint-status" stat = "Maximum" yAxis = { left = { @@ -460,16 +460,16 @@ locals { } } } - endpoint-cert-expires-soon = { + endpoint-cert-days-to-expiry = { type = "metric" alarm_threshold = local.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_endpoint_monitoring.endpoint-cert-expires-soon.threshold expression = "SORT(SEARCH('{CWAgent,InstanceId,type,type_instance} MetricName=\"collectd_endpoint_cert_expiry_value\"','Minimum'),MIN,ASC)" properties = { - view = "timeSeries" + view = "bar" stacked = false region = "eu-west-2" - title = "EC2 Endpoint Monitoring endpoint-cert-expires-soon" - stat = "Maximum" + title = "endpoint-cert-days-to-expiry" + stat = "Minimum" yAxis = { left = { showUnits = false, 
@@ -921,8 +921,8 @@ locals { width = 8 height = 8 widgets = [ - local.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_endpoint_monitoring.endpoint-down, - local.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_endpoint_monitoring.endpoint-cert-expires-soon, + local.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_endpoint_monitoring.endpoint-status, + local.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_endpoint_monitoring.endpoint-cert-days-to-expiry, ] } From f3cf2ca1d5b996a74bf525ce1a86fe56ac0f8bd2 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Fri, 8 Nov 2024 17:10:19 +0000 Subject: [PATCH 036/308] Add lambda permission --- .../modules/components/dms/cloudwatch-alarms.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index b5cca6e8062..0887c6e0ca3 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -249,6 +249,16 @@ resource "aws_lambda_function" "dms_replication_metric_publisher" { depends_on = [data.archive_file.lambda_dms_replication_metric_zip] } +resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publisher_handler" { + statement_id = "AllowSNSInvoke" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.dms_replication_metric_publisher.function_name + principal = "sns.amazonaws.com" + + source_arn = aws_sns_topic.dms_alerts_topic.arn +} + + resource "aws_cloudwatch_metric_alarm" "dms_replication_alarm" { alarm_name = "DMSReplicationEventAlarm" comparison_operator = "GreaterThanOrEqualToThreshold" From 0f7eca1d1ed0542d602892b1eac6fd3b180aea11 Mon Sep 17 00:00:00 2001 
From: Bill Buchan Date: Fri, 8 Nov 2024 17:49:03 +0000 Subject: [PATCH 037/308] This is for events --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 0887c6e0ca3..6238249f13d 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -255,7 +255,7 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis function_name = aws_lambda_function.dms_replication_metric_publisher.function_name principal = "sns.amazonaws.com" - source_arn = aws_sns_topic.dms_alerts_topic.arn + source_arn = aws_sns_topic.dms_events_topic.arn } From 62c9817415c5b2957044192bc66ec3eb8a133101 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 00:42:16 +0000 Subject: [PATCH 038/308] Bump github/codeql-action from 3.27.0 to 3.27.1 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/662472033e021d55d94146f66f6058822b0b39fd...4f3212b61783c3c68e8309a0f18a699764811cda) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index ce44bf42441..29f53b136b0 100644 
--- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -38,7 +38,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: tflint.sarif trivy: @@ -63,7 +63,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: 'trivy-results.sarif' checkov: @@ -90,6 +90,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 819037c674f..57cee81b822 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 with: sarif_file: results.sarif From ebcc4d6baac89168ce2ab5660560913286636077 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Nov 2024 00:43:08 +0000 Subject: [PATCH 039/308] Bump bridgecrewio/checkov-action from 12.2893.0 to 12.2896.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2893.0 to 12.2896.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/37026823bd2a0a70f8aedd88f8a3e9cb342418af...fbbe7f00cc6d32c5d1c1c781a419e5fc376e1ee7) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index ce44bf42441..1d850fee1f3 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@37026823bd2a0a70f8aedd88f8a3e9cb342418af # v12.2893.0 + uses: bridgecrewio/checkov-action@fbbe7f00cc6d32c5d1c1c781a419e5fc376e1ee7 # v12.2896.0 with: directory: ./ framework: terraform From 4394e92d72f8c6431c15459219ffea37502ceee8 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Mon, 11 Nov 2024 03:49:31 +0000 Subject: [PATCH 040/308] [TM-618] new snapshot for oracle-home and new ami snapshot --- .../corporate-information-system/application_variables.json | 4 ++-- terraform/environments/corporate-information-system/locals.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/corporate-information-system/application_variables.json b/terraform/environments/corporate-information-system/application_variables.json index a3bdf9ab278..308610dacd4 100644 
--- a/terraform/environments/corporate-information-system/application_variables.json +++ b/terraform/environments/corporate-information-system/application_variables.json @@ -1,7 +1,7 @@ { "accounts": { "development": { - "app_ami_id": "ami-05f27e9e0cc893eb2", + "app_ami_id": "ami-09a122ebf3a5a5542", "ec2instancetype": "m4.2xlarge", "cis_ec2_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOP7IqwGdkp9hyFBXLSn1qCUhIdvTIBuCop/z1uZXdpDix4oxNb1fpuRusMm+l50dLIqCLKS11d5XOWgE5vem5PyGWLI21iqEt+oJFY8NDFs93rEU/og7wVoAmJ5Jfih2kIp8GDvxvhHJh/E4Gom11XKkL2FOwWAT6Dh2WaFppj2T2P1QzBHhpvcx4XJWHtbeq3xdN/vVqlw8JpXK/xNcrKnlW91dM04etKy/+dVqUCsjKGOEBEv4bclwRaEEq2AVwqeUnutLoJH4G8z4KhesCijronfGdF+9DlCUObCF54scHBn/WnTiz1adjyYXG8FcONLHhSdMU30pjegUW57Cx vladimirs.kovalovs@L0854", "managementcidr": "10.200.0.0/20", @@ -12,7 +12,7 @@ "sdgsize": "1000", "ebs_sdh_snapshot": "snap-0e6bbcd9c3b0160d5", "sdhsize": "200", - "ebs_sdi_snapshot": "snap-0da4c0de5e4da1ac0", + "ebs_sdi_snapshot": "snap-094056e2e53b8c1da", "sdisize": "150" }, "test": { diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 54b6182f93e..16402459232 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf 
@@ -24,7 +24,7 @@ echo "SQLNET.EXPIRE_TIME = 2" >> /oracle/software/product/10.2.0/network/admin/s # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora -# Changes to oracle files +# Changes to oracle files - cis.laa-development.modernisation-platform.service.justice.gov.uk CIS DB without Volumes - 11-Sept-2024 sed -i 's|cis.*legalservices.gov.uk:8080|${local.application_name_short}.${data.aws_route53_zone.external.name}:8080|' /home/batman/bin/dkj-shell-funcs sed -i 's|cis.*legalservices.gov.uk|${local.application_name_short}.${data.aws_route53_zone.external.name}|' /oracle/software/product/10.2.0/network/admin/listener.ora sed -i 's|cis.*legalservices.gov.uk|${local.application_name_short}.${data.aws_route53_zone.external.name}|' /oracle/software/product/10.2.0/network/admin/tnsnames.ora From 7deaa2e298f59eee82caa989443c274d496f1b55 Mon Sep 17 00:00:00 2001 
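Review bot: The reworded comment above the three `sed` lines hard-codes the development hostname `cis.laa-development.modernisation-platform.service.justice.gov.uk` and a date, while the commands it introduces build the hostname from `${local.application_name_short}.${data.aws_route53_zone.external.name}`; if this script is rendered for other environments as well, the comment will be wrong there. If the edit is meant to make the instance user data differ so the new AMI and snapshot are picked up (inferred from the commit title, the hunk does not show it), say that in the comment and leave the hostname out, for example `# Changes to oracle files - rewrite legacy legalservices.gov.uk hostnames (user data refreshed for TM-618)`. The script this comment sits in starts and ends outside the hunk.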
From: modernisation-platform-ci Date: Mon, 11 Nov 2024 05:08:12 +0000 Subject: [PATCH 041/308] Updates from GitHub Actions Format Code workflow --- .../security-groups.tf | 8 +- .../cdpt-chaps/bastion_linux.json | 1 - terraform/environments/cdpt-chaps/database.tf | 10 +- terraform/environments/cdpt-chaps/ecs.tf | 48 +- .../environments/cdpt-chaps/loadbalancer.tf | 48 +- terraform/environments/cdpt-chaps/outputs.tf | 2 +- .../digital-prison-reporting/cloudtrail.tf | 4 +- .../application_variables.json | 22 +- .../dms_data_validation_glue_job.tf | 2 +- .../dms_data_validation_glue_job_v2.tf | 2 +- .../electronic-monitoring-data/glue_locals.tf | 2 +- .../export_bucket_presigned_url/main.tf | 2 +- .../platform_locals.tf | 2 +- .../electronic-monitoring-data/s3.tf | 10 +- terraform/environments/ppud/alb_external.tf | 4 +- .../environments/ppud/certificate_mgmt.tf | 4 +- terraform/environments/ppud/iam.tf | 800 +++++++++--------- terraform/environments/ppud/s3.tf | 6 +- 18 files changed, 483 insertions(+), 494 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf index 8bbf1c609d0..a3539ac2d2e 100644 --- a/terraform/environments/analytical-platform-ingestion/security-groups.tf +++ b/terraform/environments/analytical-platform-ingestion/security-groups.tf @@ -199,11 +199,11 @@ module "mojo_network_debug_security_group" { source = "terraform-aws-modules/security-group/aws" version = "5.2.0" - name = "mojo-network-debug" - vpc_id = module.connected_vpc.vpc_id + name = "mojo-network-debug" + vpc_id = module.connected_vpc.vpc_id - egress_cidr_blocks = ["0.0.0.0/0"] - egress_rules = ["all-all"] + egress_cidr_blocks = ["0.0.0.0/0"] + egress_rules = ["all-all"] tags = local.tags } diff --git a/terraform/environments/cdpt-chaps/bastion_linux.json b/terraform/environments/cdpt-chaps/bastion_linux.json index 8d799d15fa0..522cc744c37 100644 
--- a/terraform/environments/cdpt-chaps/bastion_linux.json +++ b/terraform/environments/cdpt-chaps/bastion_linux.json @@ -17,4 +17,3 @@ } } } - diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 1be2bf66c2c..a47cdbc5f5f 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf @@ -38,13 +38,13 @@ resource "aws_security_group" "db" { name = "${local.application_name}-db-sg" description = "Allow DB inbound traffic" vpc_id = data.aws_vpc.shared.id - + ingress { - from_port = 1433 - to_port = 1433 - protocol = "tcp" + from_port = 1433 + to_port = 1433 + protocol = "tcp" security_groups = [ - aws_security_group.ecs_service.id, + aws_security_group.ecs_service.id, aws_security_group.chapsdotnet_service.id ] } diff --git a/terraform/environments/cdpt-chaps/ecs.tf b/terraform/environments/cdpt-chaps/ecs.tf index 62ba1c1480d..3405facd5f4 100644 --- a/terraform/environments/cdpt-chaps/ecs.tf +++ b/terraform/environments/cdpt-chaps/ecs.tf @@ -77,13 +77,13 @@ resource "aws_ecs_task_definition" "chaps_task_definition" { network_mode = "awsvpc" execution_role_arn = aws_iam_role.app_execution.arn task_role_arn = aws_iam_role.app_task.arn - container_definitions = jsonencode([ + container_definitions = jsonencode([ { - name = "chaps-container" - image = "${local.ecr_url}:chaps-${local.application_data.accounts[local.environment].environment_name}" - cpu = 1024 - memory = 2048 - essential = true + name = "chaps-container" + image = "${local.ecr_url}:chaps-${local.application_data.accounts[local.environment].environment_name}" + cpu = 1024 + memory = 2048 + essential = true portMappings = [ { containerPort = local.application_data.accounts[local.environment].container_port 
@@ -92,7 +92,7 @@ resource "aws_ecs_task_definition" "chaps_task_definition" { ] logConfiguration = { logDriver = "awslogs", - options = { + options = { awslogs-group = aws_cloudwatch_log_group.chaps_cloudwatch_group.name, awslogs-region = "eu-west-2", awslogs-stream-prefix = "chaps" @@ -131,19 +131,19 @@ resource "aws_ecs_task_definition" "chaps_task_definition" { } resource "aws_ecs_task_definition" "chapsdotnet_task" { - count = local.application_data.accounts[local.environment].create_chapsdotnet ? 1 : 0 + count = local.application_data.accounts[local.environment].create_chapsdotnet ? 1 : 0 family = "chapsdotnet-family" requires_compatibilities = ["EC2"] network_mode = "awsvpc" execution_role_arn = aws_iam_role.app_execution.arn task_role_arn = aws_iam_role.app_task.arn - container_definitions = jsonencode([ + container_definitions = jsonencode([ { - name = "chapsdotnet-container" - image = "${local.ecr_url}:chapsdotnet-${local.application_data.accounts[local.environment].environment_name}" - cpu = 1024 - memory = 2048 - essential = true + name = "chapsdotnet-container" + image = "${local.ecr_url}:chapsdotnet-${local.application_data.accounts[local.environment].environment_name}" + cpu = 1024 + memory = 2048 + essential = true portMappings = [ { containerPort = 8080 @@ -166,11 +166,11 @@ resource "aws_ecs_task_definition" "chapsdotnet_task" { value = "https://login.microsoftonline.com/" }, { - name = "TenantId" + name = "TenantId" value = "${local.application_data.accounts[local.environment].TenantId}" }, { - name = "CallbackPath" + name = "CallbackPath" value = "/signin-oidc" }, { @@ -203,7 +203,7 @@ resource "aws_ecs_task_definition" "chapsdotnet_task" { } ]) } - + resource "aws_key_pair" "ec2-user" { key_name = "${local.application_name}-ec2" 
@@ -268,7 +268,7 @@ resource "aws_ecs_service" "chapsdotnet_service" { force_new_deployment = true deployment_minimum_healthy_percent = 50 - deployment_maximum_percent = 200 + deployment_maximum_percent = 200 capacity_provider_strategy { capacity_provider = aws_ecs_capacity_provider.chaps.name @@ -605,10 +605,10 @@ resource "aws_security_group" "ecs_service" { } ingress { - description = "Allow HTTP traffic from chapsdotnet container" - from_port = 80 - to_port = 80 - protocol = "tcp" + description = "Allow HTTP traffic from chapsdotnet container" + from_port = 80 + to_port = 80 + protocol = "tcp" cidr_blocks = [data.aws_vpc.shared.cidr_block] } @@ -624,7 +624,7 @@ resource "aws_security_group" "ecs_service" { resource "aws_security_group" "chapsdotnet_service" { name_prefix = "chapsdotnet-service-sg-" description = "Allow traffic for chapsdotnet service" - vpc_id = data.aws_vpc.shared.id + vpc_id = data.aws_vpc.shared.id ingress { from_port = 8080 @@ -641,7 +641,7 @@ resource "aws_security_group" "chapsdotnet_service" { } tags = merge( - local.tags, + local.tags, { Name = "chapsdotnet-service-sg" } diff --git a/terraform/environments/cdpt-chaps/loadbalancer.tf b/terraform/environments/cdpt-chaps/loadbalancer.tf index b544f76a085..fd429ec922f 100644 --- a/terraform/environments/cdpt-chaps/loadbalancer.tf +++ b/terraform/environments/cdpt-chaps/loadbalancer.tf 
@@ -22,30 +22,30 @@ resource "random_string" "chaps_target_group_name" { special = false } - resource "aws_lb_target_group" "chapsdotnet_target_group" { - name_prefix = "dotnet" - port = 8080 - protocol = "HTTP" - vpc_id = data.aws_vpc.shared.id - target_type = "ip" - deregistration_delay = 30 - - stickiness { - type = "lb_cookie" - } - - health_check { - path = "/health" - port = "8080" - healthy_threshold = "5" - interval = "30" - protocol = "HTTP" - unhealthy_threshold = "2" - matcher = "200-499" - timeout = "5" - } - - lifecycle { +resource "aws_lb_target_group" "chapsdotnet_target_group" { + name_prefix = "dotnet" + port = 8080 + protocol = "HTTP" + vpc_id = data.aws_vpc.shared.id + target_type = "ip" + deregistration_delay = 30 + + stickiness { + type = "lb_cookie" + } + + health_check { + path = "/health" + port = "8080" + healthy_threshold = "5" + interval = "30" + protocol = "HTTP" + unhealthy_threshold = "2" + matcher = "200-499" + timeout = "5" + } + + lifecycle { create_before_destroy = true ignore_changes = [name] } diff --git a/terraform/environments/cdpt-chaps/outputs.tf b/terraform/environments/cdpt-chaps/outputs.tf index 234a8761e4c..a1ab26351b0 100644 --- a/terraform/environments/cdpt-chaps/outputs.tf +++ b/terraform/environments/cdpt-chaps/outputs.tf @@ -3,7 +3,7 @@ output "chaps_task_definition" { } output "chapsdotnet_task_definition" { - value = length(aws_ecs_task_definition.chapsdotnet_task) > 0 ? aws_ecs_task_definition.chapsdotnet_task[0].arn : null + value = length(aws_ecs_task_definition.chapsdotnet_task) > 0 ? aws_ecs_task_definition.chapsdotnet_task[0].arn : null description = "The ARN of the chapsdotnet task definition, if it exists." } diff --git a/terraform/environments/digital-prison-reporting/cloudtrail.tf b/terraform/environments/digital-prison-reporting/cloudtrail.tf index ebf371adc3b..5c97a2e49ac 100644 --- a/terraform/environments/digital-prison-reporting/cloudtrail.tf 
+++ b/terraform/environments/digital-prison-reporting/cloudtrail.tf @@ -11,8 +11,8 @@ resource "aws_cloudtrail" "trail" { s3_bucket_name = module.s3_audit_logging_bucket.bucket_id s3_key_prefix = "cloud_trail" include_global_service_events = true - enable_log_file_validation = true - kms_key_id = var.kms_id + enable_log_file_validation = true + kms_key_id = var.kms_id event_selector { read_write_type = "All" diff --git a/terraform/environments/electronic-monitoring-data/application_variables.json b/terraform/environments/electronic-monitoring-data/application_variables.json index 0ca0289e8df..478e28a0dd0 100644 --- a/terraform/environments/electronic-monitoring-data/application_variables.json +++ b/terraform/environments/electronic-monitoring-data/application_variables.json @@ -15,9 +15,7 @@ "resource_shares": [ { "glue_database": "dms_data_validation", - "glue_tables": [ - "*" - ] + "glue_tables": ["*"] } ] } @@ -33,15 +31,11 @@ "target_account_id": "593291632749", "assume_account_name": "analytical-platform-management-production", "assume_account_id": "042130406152", - "data_locations": [ - "emds-test-bucket-name" - ], + "data_locations": ["emds-test-bucket-name"], "resource_shares": [ { "glue_database": "test_db_name", - "glue_tables": [ - "*" - ] + "glue_tables": ["*"] } ] } @@ -62,15 +56,11 @@ "target_account_id": "593291632749", "assume_account_name": "analytical-platform-management-production", "assume_account_id": "042130406152", - "data_locations": [ - "emds-prod-bucket-name" - ], + "data_locations": ["emds-prod-bucket-name"], "resource_shares": [ { "glue_database": "capita_alcohol_monitoring", - "glue_tables": [ - "*" - ] + "glue_tables": ["*"] } ] } @@ -78,4 +68,4 @@ "enable_airflow_secret": true } } -} \ No newline at end of file +} diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf index 4034713113e..a9be0c55565 100644 
--- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job.tf @@ -372,7 +372,7 @@ resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" { resource "aws_glue_job" "catalog_dv_table_glue_job" { count = local.gluejob_count - + name = "catalog-dv-table-glue-job" description = "Python script uses Boto3-Athena-Client to run sql-statements" role_arn = aws_iam_role.dms_dv_glue_job_iam_role.arn diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index 7fffe595c44..0e7515fd280 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf @@ -318,7 +318,7 @@ resource "aws_s3_object" "parquet_resize_or_partitionby_yyyy_mm_dd" { resource "aws_glue_job" "parquet_resize_or_partitionby_yyyy_mm_dd" { count = local.gluejob_count - + name = "parquet-resize-or-partitionby-yyyy-mm-dd" description = "Table migration & validation Glue-Job (PySpark)." role_arn = aws_iam_role.glue_mig_and_val_iam_role.arn diff --git a/terraform/environments/electronic-monitoring-data/glue_locals.tf b/terraform/environments/electronic-monitoring-data/glue_locals.tf index 65f5295b94e..2a5b23e100c 100644 --- a/terraform/environments/electronic-monitoring-data/glue_locals.tf +++ b/terraform/environments/electronic-monitoring-data/glue_locals.tf @@ -1,3 +1,3 @@ locals { - gluejob_count = local.is-production || local.is-development ? 1 : 0 + gluejob_count = local.is-production || local.is-development ? 1 : 0 } \ No newline at end of file 
diff --git a/terraform/environments/electronic-monitoring-data/modules/export_bucket_presigned_url/main.tf b/terraform/environments/electronic-monitoring-data/modules/export_bucket_presigned_url/main.tf index da5091b7e33..a1ef21b85d9 100644 --- a/terraform/environments/electronic-monitoring-data/modules/export_bucket_presigned_url/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/export_bucket_presigned_url/main.tf @@ -72,7 +72,7 @@ module "this-bucket" { } ] } - ] : [ + ] : [ { sid = "AllowedIPs" effect = "Deny" diff --git a/terraform/environments/electronic-monitoring-data/platform_locals.tf b/terraform/environments/electronic-monitoring-data/platform_locals.tf index ad77afb6e40..3433dbaa9a7 100644 --- a/terraform/environments/electronic-monitoring-data/platform_locals.tf +++ b/terraform/environments/electronic-monitoring-data/platform_locals.tf @@ -22,7 +22,7 @@ locals { { "source-code" = "https://github.com/ministryofjustice/modernisation-platform-environments" } ) - environment = trimprefix(terraform.workspace, "${var.networking[0].application}-") + environment = trimprefix(terraform.workspace, "${var.networking[0].application}-") environment_map = { "production" = "prod" "preproduction" = "preprod" diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index 26a582665bd..f593475b4f6 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf 
@@ -656,11 +656,11 @@ module "s3-p1-export-bucket" { module "s3-serco-export-bucket" { source = "./modules/export_bucket_presigned_url/" - allowed_ips = null - export_destination = "serco-historic" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket + allowed_ips = null + export_destination = "serco-historic" + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket providers = { aws = aws diff --git a/terraform/environments/ppud/alb_external.tf b/terraform/environments/ppud/alb_external.tf index 3dd3e380570..e87d21f0175 100644 --- a/terraform/environments/ppud/alb_external.tf +++ b/terraform/environments/ppud/alb_external.tf @@ -83,8 +83,8 @@ resource "aws_lb_target_group_attachment" "PPUD-PORTAL-1" { # WAM Internet Facing ALB - #tfsec:ignore:AWS0053 "The load balancer is internet facing by design." - #tfsec:ignore:AVD-AWS-0053 +#tfsec:ignore:AWS0053 "The load balancer is internet facing by design." +#tfsec:ignore:AVD-AWS-0053 resource "aws_lb" "WAM-ALB" { # checkov:skip=CKV2_AWS_28: "ALB is already protected by WAF" # checkov:skip=CKV_AWS_152: "ALB target groups only have 2 targets so cross zone load balancing is not required" diff --git a/terraform/environments/ppud/certificate_mgmt.tf b/terraform/environments/ppud/certificate_mgmt.tf index 2e44a2d23f5..d54c550b2f3 100644 --- a/terraform/environments/ppud/certificate_mgmt.tf +++ b/terraform/environments/ppud/certificate_mgmt.tf 
@@ -103,7 +103,7 @@ resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_uat" { timeout = 30 reserved_concurrent_executions = 5 code_signing_config_arn = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:code-signing-config:csc-0db408c5170a8eba6" - depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat] + depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat] environment { variables = { EXPIRY_DAYS = "45", @@ -181,7 +181,7 @@ resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_prod" { timeout = 30 reserved_concurrent_executions = 5 code_signing_config_arn = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:code-signing-config:csc-0bafee04a642a41c1" - depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod] + depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod] environment { variables = { EXPIRY_DAYS = "45", diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index 2407f385b67..8f1c35e5eec 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf 
@@ -148,46 +148,46 @@ resource "aws_iam_policy" "iam_policy_for_lambda" { name = "aws_iam_policy_for_terraform_aws_lambda_role" path = "/" description = "AWS IAM Policy for managing aws lambda role" - policy = jsonencode ({ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:Start*", - "ec2:Stop*" - ], - "Resource": [ + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:Start*", + "ec2:Stop*" + ], + "Resource" : [ "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }] - }) + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] + }] + }) } resource "aws_iam_role_policy_attachment" "attach_lambda_policy_to_lambda_role" { 
@@ -225,47 +225,47 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" { name = "aws_iam_policy_for_terraform_aws_lambda_role_alarm_suppression" path = "/" description = "AWS IAM Policy for managing aws lambda role alarm suppression" - policy = jsonencode ( + policy = jsonencode( { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "cloudwatch:DisableAlarmActions", - "cloudwatch:EnableAlarmActions" - ], - "Resource": [ - "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:alarm:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }] - }) + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "cloudwatch:DisableAlarmActions", + "cloudwatch:EnableAlarmActions" + ], + "Resource" : [ + "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:alarm:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + 
"arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] + }] + }) } resource "aws_iam_role_policy_attachment" "attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression" { 
@@ -304,55 +304,55 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_dev" { path = "/" description = "AWS IAM Policy for managing aws lambda role cloudwatch invoke lambda development" policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Action": [ + "Version" : "2012-10-17", + "Statement" : [{ + "Effect" : "Allow", + "Action" : [ + "ssm:SendCommand", + "ssm:GetCommandInvocation" + ], + "Resource" : [ + "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*", + "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeInstances", "ssm:SendCommand", "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*", - "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ssm:SendCommand", - "ssm:GetCommandInvocation" - ], - "Resource": [ - "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "ssm:SendCommand", - "ssm:GetCommandInvocation" + "Resource" : [ + "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "lambda:InvokeAsync", + "lambda:InvokeFunction", + "ssm:SendCommand", + "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" + "Resource" : [ + 
"arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] }] }) } 
@@ -394,55 +394,55 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_uat" { path = "/" description = "AWS IAM Policy for managing aws lambda role cloudwatch invoke lambda uat" policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Action": [ + "Version" : "2012-10-17", + "Statement" : [{ + "Effect" : "Allow", + "Action" : [ + "ssm:SendCommand", + "ssm:GetCommandInvocation" + ], + "Resource" : [ + "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*", + "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeInstances", "ssm:SendCommand", "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*", - "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ssm:SendCommand", - "ssm:GetCommandInvocation" - ], - "Resource": [ - "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "ssm:SendCommand", - "ssm:GetCommandInvocation" + "Resource" : [ + "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "lambda:InvokeAsync", + "lambda:InvokeFunction", + "ssm:SendCommand", + "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" + "Resource" : [ + 
"arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - ] + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] }] }) } 
@@ -483,55 +483,55 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_invoke_lambda_prod" path = "/" description = "AWS IAM Policy for managing aws lambda role cloudwatch invoke lambda prod" policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [{ - "Effect": "Allow", - "Action": [ + "Version" : "2012-10-17", + "Statement" : [{ + "Effect" : "Allow", + "Action" : [ + "ssm:SendCommand", + "ssm:GetCommandInvocation" + ], + "Resource" : [ + "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*", + "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "ec2:DescribeInstances", "ssm:SendCommand", "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*", - "arn:aws:ssm:eu-west-2::document/AWS-RunPowerShellScript" - ] - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeInstances", - "ssm:SendCommand", - "ssm:GetCommandInvocation" - ], - "Resource": [ - "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "lambda:InvokeAsync", - "lambda:InvokeFunction", - "ssm:SendCommand", - "ssm:GetCommandInvocation" + "Resource" : [ + "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] + }, + { + "Effect" : "Allow", + "Action" : [ + "lambda:InvokeAsync", + "lambda:InvokeFunction", + "ssm:SendCommand", + "ssm:GetCommandInvocation" ], - "Resource": [ - "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" + "Resource" : [ + "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] 
+ }, + { + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] }] }) } 
@@ -571,72 +571,72 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" { name = "aws_iam_policy_for_terraform_aws_lambda_role_certificate_expiry_dev" path = "/" description = "AWS IAM Policy for managing aws lambda role certificate expiry development" - policy = jsonencode ({ - "Version": "2012-10-17", - "Statement": [ - { - "Sid":"LambdaCertificateExpiryPolicy1", - "Effect": "Allow", - "Action": "logs:CreateLogGroup", - "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - }, - { - "Sid":"LambdaCertificateExpiryPolicy2", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:log-group:/aws/lambda/handle-expiring-certificates:*" - ] - }, - { - "Sid":"LambdaCertificateExpiryPolicy3", - "Effect": "Allow", - "Action": [ - "acm:DescribeCertificate", - "acm:GetCertificate", - "acm:ListCertificates", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:certificate/*" - ] - }, - { - "Sid":"LambdaCertificateExpiryPolicy4", - "Effect": "Allow", - "Action": "SNS:Publish", - "Resource": [ - "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] - }, - { - "Sid": "LambdaCertificateExpiryPolicy5", - "Effect": "Allow", - "Action": "cloudwatch:ListMetrics", - "Resource": [ - "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] - }, - { - "Sid": "LambdaCertificateExpiryPolicy6", - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" - ] - 
}] -}) + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "LambdaCertificateExpiryPolicy1", + "Effect" : "Allow", + "Action" : "logs:CreateLogGroup", + "Resource" : "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + }, + { + "Sid" : "LambdaCertificateExpiryPolicy2", + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:log-group:/aws/lambda/handle-expiring-certificates:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy3", + "Effect" : "Allow", + "Action" : [ + "acm:DescribeCertificate", + "acm:GetCertificate", + "acm:ListCertificates", + "acm:ListTagsForCertificate" + ], + "Resource" : [ + "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:certificate/*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy4", + "Effect" : "Allow", + "Action" : "SNS:Publish", + "Resource" : [ + "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy5", + "Effect" : "Allow", + "Action" : "cloudwatch:ListMetrics", + "Resource" : [ + "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy6", + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" + ] + }] + }) } resource "aws_iam_role_policy_attachment" "attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_dev" { 
@@ -674,72 +674,72 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" { name = "aws_iam_policy_for_terraform_aws_lambda_role_certificate_expiry_uat" path = "/" description = "AWS IAM Policy for managing aws lambda role certificate expiry uat" - policy = jsonencode ({ - "Version": "2012-10-17", - "Statement": [ - { - "Sid":"LambdaCertificateExpiryPolicy1", - "Effect": "Allow", - "Action": "logs:CreateLogGroup", - "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - }, - { - "Sid":"LambdaCertificateExpiryPolicy2", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:log-group:/aws/lambda/handle-expiring-certificates:*" - ] - }, - { - "Sid":"LambdaCertificateExpiryPolicy3", - "Effect": "Allow", - "Action": [ - "acm:DescribeCertificate", - "acm:GetCertificate", - "acm:ListCertificates", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:certificate/*" - ] - }, - { - "Sid":"LambdaCertificateExpiryPolicy4", - "Effect": "Allow", - "Action": "SNS:Publish", - "Resource": [ - "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - ] - }, - { - "Sid": "LambdaCertificateExpiryPolicy5", - "Effect": "Allow", - "Action": "cloudwatch:ListMetrics", - "Resource": [ - "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - ] - }, - { - "Sid": "LambdaCertificateExpiryPolicy6", - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" - 
] - }] -}) + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Sid" : "LambdaCertificateExpiryPolicy1", + "Effect" : "Allow", + "Action" : "logs:CreateLogGroup", + "Resource" : "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + }, + { + "Sid" : "LambdaCertificateExpiryPolicy2", + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:log-group:/aws/lambda/handle-expiring-certificates:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy3", + "Effect" : "Allow", + "Action" : [ + "acm:DescribeCertificate", + "acm:GetCertificate", + "acm:ListCertificates", + "acm:ListTagsForCertificate" + ], + "Resource" : [ + "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:certificate/*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy4", + "Effect" : "Allow", + "Action" : "SNS:Publish", + "Resource" : [ + "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy5", + "Effect" : "Allow", + "Action" : "cloudwatch:ListMetrics", + "Resource" : [ + "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] + }, + { + "Sid" : "LambdaCertificateExpiryPolicy6", + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-preproduction"]}:*" + ] + }] + }) } resource "aws_iam_role_policy_attachment" "attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat" { 
@@ -777,74 +777,74 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" { name = "aws_iam_policy_for_terraform_aws_lambda_role_certificate_expiry_prod" path = "/" description = "AWS IAM Policy for managing aws lambda role certificate expiry prod" - policy = jsonencode ( -{ - "Version": "2012-10-17", - "Statement": [ + policy = jsonencode( + { + "Version" : "2012-10-17", + "Statement" : [ { - "Sid":"LambdaCertificateExpiryPolicy1", - "Effect": "Allow", - "Action": "logs:CreateLogGroup", - "Resource": "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + "Sid" : "LambdaCertificateExpiryPolicy1", + "Effect" : "Allow", + "Action" : "logs:CreateLogGroup", + "Resource" : "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" }, { - "Sid":"LambdaCertificateExpiryPolicy2", - "Effect": "Allow", - "Action": [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": [ - "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:log-group:/aws/lambda/handle-expiring-certificates:*" - ] + "Sid" : "LambdaCertificateExpiryPolicy2", + "Effect" : "Allow", + "Action" : [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + "Resource" : [ + "arn:aws:logs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:log-group:/aws/lambda/handle-expiring-certificates:*" + ] }, { - "Sid":"LambdaCertificateExpiryPolicy3", - "Effect": "Allow", - "Action": [ - "acm:DescribeCertificate", - "acm:GetCertificate", - "acm:ListCertificates", - "acm:ListTagsForCertificate" - ], - "Resource": [ - "arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:certificate/*" - ] + "Sid" : "LambdaCertificateExpiryPolicy3", + "Effect" : "Allow", + "Action" : [ + "acm:DescribeCertificate", + "acm:GetCertificate", + "acm:ListCertificates", + "acm:ListTagsForCertificate" + ], + "Resource" : [ + 
"arn:aws:acm:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:certificate/*" + ] }, { - "Sid":"LambdaCertificateExpiryPolicy4", - "Effect": "Allow", - "Action": "SNS:Publish", - "Resource": [ - "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] + "Sid" : "LambdaCertificateExpiryPolicy4", + "Effect" : "Allow", + "Action" : "SNS:Publish", + "Resource" : [ + "arn:aws:sns:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] }, - { - "Sid": "LambdaCertificateExpiryPolicy5", - "Effect": "Allow", - "Action": "cloudwatch:ListMetrics", - "Resource": [ - "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" - ] + { + "Sid" : "LambdaCertificateExpiryPolicy5", + "Effect" : "Allow", + "Action" : "cloudwatch:ListMetrics", + "Resource" : [ + "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:*" + ] }, - { - "Sid": "LambdaCertificateExpiryPolicy6", - "Effect": "Allow", - "Action": [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource": [ + { + "Sid" : "LambdaCertificateExpiryPolicy6", + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production" - ] + ] } - ] -}) + ] + }) } resource "aws_iam_role_policy_attachment" "attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod" { diff --git a/terraform/environments/ppud/s3.tf b/terraform/environments/ppud/s3.tf index 819be445ec5..c27b3b03114 100644 --- a/terraform/environments/ppud/s3.tf +++ b/terraform/environments/ppud/s3.tf 
@@ -113,9 +113,9 @@ resource "aws_s3_bucket_policy" "PPUD" { # S3 Bucket for Patch Manager / SSM Health Check Reports - #tfsec:ignore:AWS0088 "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption." - #tfsec:ignore:AVD-AWS-0088 - #tfsec:ignore:AVD-AWS-0132 +#tfsec:ignore:AWS0088 "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption." +#tfsec:ignore:AVD-AWS-0088 +#tfsec:ignore:AVD-AWS-0132 resource "aws_s3_bucket" "MoJ-Health-Check-Reports" { # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required" From adfe2c0a3eeec7cbe16a19f2fdf27988303c6755 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 09:07:07 +0000 Subject: [PATCH 042/308] Allow Lambda Function to log failures --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 6238249f13d..a69d2a9b68b 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -204,6 +204,12 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_policy_attach" policy_arn = aws_iam_policy.lambda_put_metric_data_policy.arn } +# Allow Cloudwatch Logging +resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach" { + role = aws_iam_role.lambda_put_metric_data_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" +} + resource "local_file" "lambda_dms_replication_metric_py" { filename = "${path.module}/lambda_dms_replication_metric.py" content = < Date: Mon, 11 Nov 2024 12:18:44 +0000 Subject: [PATCH 043/308] fixing kms_ID cloudtrail --- .../digital-prison-reporting/cloudtrail.tf | 4 +- .../digital-prison-reporting/kms.tf | 45 +++++++++++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/cloudtrail.tf b/terraform/environments/digital-prison-reporting/cloudtrail.tf index ebf371adc3b..6dc35d7d33c 100644 --- a/terraform/environments/digital-prison-reporting/cloudtrail.tf +++ b/terraform/environments/digital-prison-reporting/cloudtrail.tf @@ -11,8 +11,8 @@ resource "aws_cloudtrail" "trail" { s3_bucket_name = module.s3_audit_logging_bucket.bucket_id s3_key_prefix = "cloud_trail" include_global_service_events = true - enable_log_file_validation = true - kms_key_id = var.kms_id + enable_log_file_validation = true + tr event_selector { read_write_type = "All" diff --git a/terraform/environments/digital-prison-reporting/kms.tf b/terraform/environments/digital-prison-reporting/kms.tf index a5371f44895..f657b460603 100644 --- a/terraform/environments/digital-prison-reporting/kms.tf +++ b/terraform/environments/digital-prison-reporting/kms.tf 
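Review bot: The attached AWS-managed policy `AWSLambdaBasicExecutionRole` allows `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` on every log group in the account, which is wider than one function needs in order to log its failures. A customer-managed policy that allows only `logs:CreateLogStream` and `logs:PutLogEvents` on the function's own `/aws/lambda/<function-name>` log group would keep `lambda_put_metric_data_role` to least privilege; the function name is a placeholder because it is not shown in this hunk. Creating that log group in Terraform also lets retention be set explicitly. The comment could name the function it covers, presumably the DMS replication metric Lambda, instead of the generic `# Allow Cloudwatch Logging`.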
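Review bot: The added line `tr` in `aws_cloudtrail.trail` is a stray token left where `kms_key_id = var.kms_id` was removed, so on this commit's new side cloudtrail.tf does not parse and the trail has no KMS key configured. The key added to kms.tf in the same commit is not referenced until patch 044 further down the page. Keeping the reference in this commit, `kms_key_id = aws_kms_key.cloudtrail.arn`, would leave every commit in the series plannable and the trail encrypted throughout. The resource body continues outside the hunk.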
@@ -203,4 +203,49 @@ resource "aws_kms_key" "operational_db" { Name = "${local.project}-operational-db-key" } ) +} + +### CLOUDTRAIL KMS +resource "aws_kms_key" "cloudtrail" { + #checkov:skip=CKV_AWS_33 + #checkov:skip=CKV_AWS_227 + #checkov:skip=CKV_AWS_7 + + description = "Encryption key for cloudtrail" + enable_key_rotation = true + key_usage = "ENCRYPT_DECRYPT" + policy = data.aws_iam_policy_document.cloudtrail-kms.json + is_enabled = true + + + tags = merge( + local.tags, + { + Name = "${local.application_name}-cloudtrail-kms" + } + ) +} + +data "aws_iam_policy_document" "cloudtrail-kms" { + statement { + #checkov:skip=CKV_AWS_111 + #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_358 + #checkov:skip=CKV_AWS_107 + #checkov:skip=CKV_AWS_1 + #checkov:skip=CKV_AWS_356 + #checkov:skip=CKV_AWS_283 + #checkov:skip=CKV_AWS_49 + #checkov:skip=CKV_AWS_108 + #checkov:skip=CKV_AWS_110 + + effect = "Allow" + actions = ["kms:*"] + resources = ["*"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } } \ No newline at end of file From 012489690bc72512cff13867becebef0b2f6e66b Mon Sep 17 00:00:00 2001 From: SonyPimpale Date: Mon, 11 Nov 2024 12:23:53 +0000 Subject: [PATCH 044/308] kms_Key_id cloudtrail --- terraform/environments/digital-prison-reporting/cloudtrail.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/cloudtrail.tf b/terraform/environments/digital-prison-reporting/cloudtrail.tf index 6dc35d7d33c..8ac4882eda8 100644 --- a/terraform/environments/digital-prison-reporting/cloudtrail.tf +++ b/terraform/environments/digital-prison-reporting/cloudtrail.tf @@ -12,7 +12,7 @@ resource "aws_cloudtrail" "trail" { s3_key_prefix = "cloud_trail" include_global_service_events = true enable_log_file_validation = true - tr + kms_key_id = aws_kms_key.cloudtrail.key_id # Get KEY ID from Resource event_selector { read_write_type = "All" 
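Review bot: The key policy in `data.aws_iam_policy_document.cloudtrail-kms` has a single statement giving the account root `kms:*`, and nothing that lets the CloudTrail service use the key. CloudTrail needs `kms:GenerateDataKey*` and `kms:DescribeKey` granted to `cloudtrail.amazonaws.com` in the key policy before it can deliver encrypted log files, so a trail pointed at this key is likely to be rejected or to stop delivering logs. The `#checkov:skip` lines on the key and inside the statement carry no justification, unlike the skips elsewhere on this page. Each should say why it applies or be dropped; `CKV_AWS_7`, for one, concerns key rotation, which this key already enables. A scoped service statement could look like the following.

```hcl
data "aws_iam_policy_document" "cloudtrail-kms" {
  # … unchanged: account-root administration statement …

  statement {
    sid       = "AllowCloudTrailToEncryptLogs"
    effect    = "Allow"
    actions   = ["kms:GenerateDataKey*"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }

    # Only trails in this account may use the key.
    condition {
      test     = "StringLike"
      variable = "kms:EncryptionContext:aws:cloudtrail:arn"
      values   = ["arn:aws:cloudtrail:*:${data.aws_caller_identity.current.account_id}:trail/*"]
    }
  }

  statement {
    sid       = "AllowCloudTrailToDescribeKey"
    effect    = "Allow"
    actions   = ["kms:DescribeKey"]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["cloudtrail.amazonaws.com"]
    }
  }
}
```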
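Review bot: `kms_key_id = aws_kms_key.cloudtrail.key_id` passes the bare key id, but the `kms_key_id` argument of `aws_cloudtrail` is documented as the KMS key ARN, so this is likely to fail validation at plan time. Use `kms_key_id = aws_kms_key.cloudtrail.arn` and drop or correct the trailing `# Get KEY ID from Resource` comment. The resource body continues outside the hunk.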
From ab86f697f90db2e390c971d06594c65803aa9edc Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 15:52:09 +0000 Subject: [PATCH 045/308] GlueJob to hash table rows save to parquet - v1 --- .../dms_data_validation_glue_job_v2.tf | 64 ++++ .../etl_table_row_hashvalues_to_parquet.py | 296 ++++++++++++++++++ .../glue_data_validation_lib.py | 42 +++ 3 files changed, 402 insertions(+) create mode 100644 terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index 0e7515fd280..5477d06a337 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf 
@@ -371,3 +371,67 @@ EOF ) } + + +resource "aws_cloudwatch_log_group" "etl_table_row_hashvalues_to_parquet" { + name = "etl-table-row-hashvalues-to-parquet" + retention_in_days = 14 +} + +resource "aws_s3_object" "etl_table_row_hashvalues_to_parquet" { + bucket = module.s3-glue-job-script-bucket.bucket.id + key = "etl_table_row_hashvalues_to_parquet.py" + source = "glue-job/etl_table_row_hashvalues_to_parquet.py" + etag = filemd5("glue-job/etl_table_row_hashvalues_to_parquet.py") +} + +resource "aws_glue_job" "etl_table_row_hashvalues_to_parquet" { + count = local.gluejob_count + + name = "etl-table-row-hashvalues-to-parquet" + description = "Table migration & validation Glue-Job (PySpark)." + role_arn = aws_iam_role.glue_mig_and_val_iam_role.arn + glue_version = "4.0" + worker_type = "G.2X" + number_of_workers = 4 + default_arguments = { + "--script_bucket_name" = module.s3-glue-job-script-bucket.bucket.id + "--rds_db_host_ep" = split(":", aws_db_instance.database_2022.endpoint)[0] + "--rds_db_pwd" = aws_db_instance.database_2022.password + "--rds_sqlserver_db" = "" + "--rds_sqlserver_db_schema" = "dbo" + "--rds_sqlserver_db_table" = "" + "--rds_db_tbl_pkey_column" = "" + "--parallel_jdbc_conn_num" = 1 + "--parquet_df_write_repartition_num" = 0 + "--extra-py-files" = "s3://${module.s3-glue-job-script-bucket.bucket.id}/${aws_s3_object.aws_s3_object_pyzipfile_to_s3folder.id}" + "--hashed_output_s3_bucket_name" = module.s3-dms-data-validation-bucket.bucket.id + "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name + "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.etl_table_row_hashvalues_to_parquet.name}" + "--enable-continuous-cloudwatch-log" = "true" + "--enable-continuous-log-filter" = "true" + "--enable-metrics" = "true" + "--enable-auto-scaling" = "true" + "--conf" = < {hashed_rows_prq_fulls3path}/""") + +# =================================================================================================== + + 
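Review bot: In `aws_glue_job.etl_table_row_hashvalues_to_parquet`, `"--rds_db_pwd" = aws_db_instance.database_2022.password` puts the database password into the job's `default_arguments`, where it is stored in plain text in the job definition and can be read by anyone allowed to call `glue:GetJob` or open the job in the console. Pass a reference instead, for example `"--rds_db_pwd_secret_arn" = <ARN of the Secrets Manager secret holding the password>`; this is a placeholder, as no such secret is shown on this page. The script can then fetch the value at run time, with the job role granted `secretsmanager:GetSecretValue` on that one secret. The end of this hunk, from the `--conf` heredoc onwards, is missing from the page, so the rest of the resource was not reviewed.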
+if __name__ == "__main__": + + # ------------------------------------------- + if args.get("rds_sqlserver_db", None) is None: + LOGGER.error(f"""'rds_sqlserver_db' runtime input is missing! Exiting ...""") + sys.exit(1) + else: + rds_sqlserver_db = args["rds_sqlserver_db"] + LOGGER.info(f"""Given rds_sqlserver_db = {rds_sqlserver_db}""") + + if args.get("rds_sqlserver_db_schema", None) is None: + LOGGER.error(f"""'rds_sqlserver_db_schema' runtime input is missing! Exiting ...""") + sys.exit(1) + else: + rds_sqlserver_db_schema = args["rds_sqlserver_db_schema"] + LOGGER.info(f"""Given rds_sqlserver_db_schema = {rds_sqlserver_db_schema}""") + + # ------------------------------------------- + + rds_jdbc_conn_obj = RDS_JDBC_CONNECTION(RDS_DB_HOST_ENDPOINT, + RDS_DB_INSTANCE_PWD, + rds_sqlserver_db, + rds_sqlserver_db_schema) + + try: + rds_db_name = rds_jdbc_conn_obj.check_if_rds_db_exists()[0] + except IndexError: + LOGGER.error(f"""Given database name not found! >> {args['rds_sqlserver_db']} <<""") + sys.exit(1) + except Exception as e: + LOGGER.error(e) + # ------------------------------------------------------- + + rds_sqlserver_db_tbl_list = rds_jdbc_conn_obj.get_rds_db_tbl_list() + if not rds_sqlserver_db_tbl_list: + LOGGER.error(f"""rds_sqlserver_db_tbl_list - is empty. Exiting ...!""") + sys.exit(1) + else: + message_prefix = f"""Total List of tables available in {rds_db_name}.{rds_sqlserver_db_schema}""" + LOGGER.info(f"""{message_prefix}\n{rds_sqlserver_db_tbl_list}""") + # ------------------------------------------------------- + + if args.get("rds_sqlserver_db_table", None) is None: + LOGGER.error(f"""'rds_sqlserver_db_table' runtime input is missing! 
Exiting ...""") + sys.exit(1) + else: + rds_sqlserver_db_table = args["rds_sqlserver_db_table"] + table_name_prefix = f"""{rds_db_name}_{rds_sqlserver_db_schema}""" + db_sch_tbl = f"""{table_name_prefix}_{rds_sqlserver_db_table}""" + # ------------------------------------------------------- + + if db_sch_tbl not in rds_sqlserver_db_tbl_list: + LOGGER.error(f"""'{db_sch_tbl}' - is not an existing table! Exiting ...""") + sys.exit(1) + else: + LOGGER.info(f""">> Given RDS SqlServer-DB Table: {rds_sqlserver_db_table} <<""") + # ------------------------------------------------------- + rds_db_tbl_pkey_column = args['rds_db_tbl_pkey_column'] + LOGGER.info(f""">> rds_db_tbl_pkey_column = {rds_db_tbl_pkey_column} <<""") + + rds_db_table_empty_df = rds_jdbc_conn_obj.get_rds_db_table_empty_df(rds_sqlserver_db_table) + all_columns_except_pkey = [col for col in rds_db_table_empty_df.columns + if col != rds_db_tbl_pkey_column] + LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") + + prq_table_folder_path = f"""{rds_db_name}/{rds_sqlserver_db_schema}/{rds_sqlserver_db_table}""" + if S3Methods.check_s3_folder_path_if_exists( + HASHED_OUTPUT_S3_BUCKET_NAME, + f'''{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''' + ): + hashed_rows_prq_fulls3path = f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{prq_table_folder_path}''' + else: + hashed_rows_prq_fulls3path = "" + # -------------------------------- + + rds_db_select_query_str = f""" + SELECT {rds_db_tbl_pkey_column}, + LOWER(SUBSTRING(CONVERT(VARCHAR(66), HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66)) AS RowHash + FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] + """.strip() + + parallel_jdbc_conn_num = args['parallel_jdbc_conn_num'] + parquet_df_write_repartition_num = int(args.get('parquet_df_write_repartition_num', 0)) + + + if hashed_rows_prq_fulls3path != "": + LOGGER.info(f"""An existing parquet-table-folder-path 
found.\n{hashed_rows_prq_fulls3path}""") + + rds_db_query_sample_row = f""" + SELECT TOP 1 {rds_db_tbl_pkey_column}, + SUBSTRING(CONVERT(VARCHAR(66), HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66) AS RowHash + FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] + """.strip() + + rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_empty_df( + rds_db_query_sample_row + ) + LOGGER.info(f"""rds_db_query_sample_row_df-schema: \n{rds_db_query_sample_row_df.schema}""") + + existing_parquet_table_df = CustomPysparkMethods.get_s3_parquet_df_v2( + hashed_rows_prq_fulls3path, + rds_db_query_sample_row_df.schema + ) + + existing_parquet_table_df_agg = existing_parquet_table_df.agg( + F.max(f"{rds_db_tbl_pkey_column}").alias(f"max_{rds_db_tbl_pkey_column}"), + F.count(f"{rds_db_tbl_pkey_column}").alias(f"count_{rds_db_tbl_pkey_column}") + ) + existing_parquet_agg_dict = existing_parquet_table_df_agg.collect()[0] + existing_parquet_max_pkey = existing_parquet_agg_dict[f"max_{rds_db_tbl_pkey_column}"] + existing_parquet_count_pkey = existing_parquet_agg_dict[f"count_{rds_db_tbl_pkey_column}"] + + LOGGER.info(f"""existing_parquet_max_pkey = {existing_parquet_max_pkey}""") + LOGGER.info(f"""existing_parquet_count_pkey = {existing_parquet_count_pkey}""") + + df_rds_table_count = rds_jdbc_conn_obj.get_rds_db_table_row_count( + rds_sqlserver_db_table, + rds_db_tbl_pkey_column + ) + LOGGER.info(f"""df_rds_table_count = {df_rds_table_count}""") + + if df_rds_table_count == existing_parquet_count_pkey: + LOGGER.warn(f"""df_rds_table_count = existing_parquet_table_df_count = {df_rds_table_count}""") + sys.exit(f"""Both df_rds_table_count and existing_parquet_table_df_count are matching. 
Nothing to move, exiting ...""") + # -------------------- + + where_clause_exp_str = f"""{rds_db_tbl_pkey_column} > {existing_parquet_max_pkey}""".strip() + + agg_row_dict = rds_jdbc_conn_obj.get_min_max_pkey_filter( + rds_sqlserver_db_table, + rds_db_tbl_pkey_column, + where_clause_exp_str + ) + jdbc_partition_col_lowerbound = agg_row_dict['min_value'] + jdbc_partition_col_upperbound = agg_row_dict['max_value'] + + LOGGER.info(f"""jdbc_partition_col_lowerbound = {jdbc_partition_col_lowerbound}""") + LOGGER.info(f"""jdbc_partition_col_upperbound = {jdbc_partition_col_upperbound}""") + + rds_db_query_filtered_str = rds_db_select_query_str + f""" WHERE {where_clause_exp_str}""" + LOGGER.info(f"""rds_db_query_filtered_str = {rds_db_query_filtered_str}""") + + hashed_rows_prq_df = rds_jdbc_conn_obj.get_rds_df_read_query_pkey_parallel( + rds_db_query_filtered_str, + rds_db_tbl_pkey_column, + jdbc_partition_col_lowerbound, + jdbc_partition_col_upperbound, + parallel_jdbc_conn_num + ) + LOGGER.info( + f"""hashed_rows_prq_df: JDBC-READ-PARTITIONS = {hashed_rows_prq_df.rdd.getNumPartitions()}""") + else: + + agg_row_dict = rds_jdbc_conn_obj.get_min_max_pkey_filter( + rds_sqlserver_db_table, + rds_db_tbl_pkey_column + ) + jdbc_partition_col_lowerbound = agg_row_dict['min_value'] + jdbc_partition_col_upperbound = agg_row_dict['max_value'] + + LOGGER.info(f"""jdbc_partition_col_lowerbound = {jdbc_partition_col_lowerbound}""") + LOGGER.info(f"""jdbc_partition_col_upperbound = {jdbc_partition_col_upperbound}""") + + LOGGER.info(f"""rds_db_select_query_str = {rds_db_select_query_str}""") + + hashed_rows_prq_df = rds_jdbc_conn_obj.get_rds_df_read_query_pkey_parallel( + rds_db_select_query_str, + rds_db_tbl_pkey_column, + jdbc_partition_col_lowerbound, + jdbc_partition_col_upperbound, + parallel_jdbc_conn_num + ) + LOGGER.info( + f"""hashed_rows_prq_df: JDBC-READ-PARTITIONS = {hashed_rows_prq_df.rdd.getNumPartitions()}""") + # --------------------------------------- + + if 
parquet_df_write_repartition_num != 0: + hashed_rows_prq_df = hashed_rows_prq_df.repartition( + parquet_df_write_repartition_num, + rds_db_tbl_pkey_column) + LOGGER.info( + f"""hashed_rows_prq_df: Repartitioned -> {hashed_rows_prq_df.rdd.getNumPartitions()} partitions.""") + + hashed_rows_prq_df_sorted = hashed_rows_prq_df.sortWithinPartitions(f"{rds_db_tbl_pkey_column}") + LOGGER.info(f"""hashed_rows_prq_df - sorted within partitions on pkey.""") + + write_parquet_to_s3(hashed_rows_prq_df_sorted, + f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{prq_table_folder_path}''') + # -------------------------------- + + job.commit() diff --git a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py index 9b661d732f2..7061ce348b3 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py 
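Review bot: `rds_db_tbl_pkey_column` comes from the job arguments and is interpolated straight into the `SELECT` list and the `WHERE` clause of the generated queries, but it is never validated, unlike the table name, which is checked against `rds_sqlserver_db_tbl_list`. The column list is already loaded, so a guard before the query strings are built is cheap: `if rds_db_tbl_pkey_column not in rds_db_table_empty_df.columns:` followed by `LOGGER.error(...)` and `sys.exit(1)`. Bracket-quoting the column identifiers in the generated SQL, as is already done for `[{rds_sqlserver_db_table}]`, would also stop names containing spaces or reserved words from changing the meaning of the hash query. The start of this file's hunk is garbled on the page, so only the `__main__` block was reviewed.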
@@ -183,6 +183,38 @@ def get_rds_df_read_tbl_pkey_parallel(self, .option("numPartitions", numPartitions) .load()) + def get_rds_df_read_query_pkey_parallel(self, + in_db_query, + jdbc_partition_column, + jdbc_partition_col_lowerbound, + jdbc_partition_col_upperbound, + jdbc_read_partitions_num + ) -> DataFrame: + + numPartitions = jdbc_read_partitions_num + # Note: numPartitions is normally equal to number of executors defined. + # The maximum number of partitions that can be used for parallelism in table reading and writing. + # This also determines the maximum number of concurrent JDBC connections. + + # fetchSize = jdbc_rows_fetch_size + # The JDBC fetch size, which determines how many rows to fetch per round trip. + # This can help performance on JDBC drivers which default to low fetch size (e.g. Oracle with 10 rows). + # Too Small: => frequent round trips to database + # Too Large: => Consume a lot of memory + + return (self.spark.read.format("jdbc") + .option("url", self.rds_jdbc_url_v2) + .option("driver", self.RDS_DB_INSTANCE_DRIVER) + .option("user", self.RDS_DB_INSTANCE_USER) + .option("password", self.RDS_DB_INSTANCE_PWD) + .option("dbtable", f"""({in_db_query}) as t""") + .option("partitionColumn", jdbc_partition_column) + .option("lowerBound", jdbc_partition_col_lowerbound) + .option("upperBound", jdbc_partition_col_upperbound) + .option("numPartitions", numPartitions) + .load()) + + def get_rds_df_jdbc_read_parallel(self, rds_tbl_name, rds_tbl_pkeys_list, 
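Review bot: `get_rds_df_read_query_pkey_parallel` has no docstring, and it embeds `in_db_query` verbatim as a derived table in `.option("dbtable", ...)`, so callers need to be told that the argument must be SQL assembled from validated identifiers, never raw job input. A short docstring should state that. It should also say that `jdbc_partition_column` has to be a numeric, date or timestamp column present in the query's select list, and that the lower and upper bounds only set the partition stride and do not filter rows. The `numPartitions = jdbc_read_partitions_num` alias and the commented-out `fetchSize` notes could be folded into it. The same applies to `get_rds_db_query_empty_df` in the next hunk, which runs `rds_db_query` as given although its name promises an empty frame.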
@@ -318,6 +350,16 @@ def get_rds_db_table_empty_df(self, rds_db_table_name) -> DataFrame: .option("query", f"""{query_str}""") .load()) + def get_rds_db_query_empty_df(self, rds_db_query) -> DataFrame: + + return (self.spark.read.format("jdbc") + .option("url", self.rds_jdbc_url_v2) + .option("driver", self.RDS_DB_INSTANCE_DRIVER) + .option("user", self.RDS_DB_INSTANCE_USER) + .option("password", self.RDS_DB_INSTANCE_PWD) + .option("query", f"""{rds_db_query}""") + .load()) + def get_jdbc_partition_column(self, rds_db_table_name, rds_tbl_pkeys_list): From 7d1a7f826b2b149765a34cf917af355bb3bfab0f Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 15:56:13 +0000 Subject: [PATCH 046/308] Place lambda in a file --- .../components/dms/cloudwatch-alarms.tf | 46 +-- .../dms/lambda/dms_replication_metric.py | 310 ++++++++++++++++++ .../dms/lambda_dms_replication_metric.zip | Bin 0 -> 3048 bytes 3 files changed, 333 insertions(+), 23 deletions(-) create mode 100644 terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py create mode 100644 terraform/environments/delius-core/modules/components/dms/lambda_dms_replication_metric.zip diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index a69d2a9b68b..7acc9e9b9b7 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -210,32 +210,32 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -resource "local_file" "lambda_dms_replication_metric_py" { - filename = "${path.module}/lambda_dms_replication_metric.py" - content = < { + replication_task_arn = aws_dms_replication_task.business_interaction_inbound_replication[k].replication_task_arn + replication_task_id = aws_dms_replication_task.business_interaction_inbound_replication[k].replication_task_id + } + }, + { for k in keys(local.client_account_map) : + "audited_interaction_inbound_replication_from_${k}" => { + replication_task_arn = aws_dms_replication_task.audited_interaction_inbound_replication[k].replication_task_arn + replication_task_id = aws_dms_replication_task.audited_interaction_inbound_replication[k].replication_task_id + } + }, + { for k in keys(local.client_account_map) : + "audited_interaction_checksum_inbound_replication_from_${k}" => { + replication_task_arn = aws_dms_replication_task.audited_interaction_checksum_inbound_replication[k].replication_task_arn + replication_task_id = aws_dms_replication_task.audited_interaction_checksum_inbound_replication[k].replication_task_id + } + }, + try(var.dms_config.audit_source_endpoint.read_database, null) == null ? 
{} : { + audited_interaction_outbound_replication = { + replication_task_arn = aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_arn + replication_task_id = aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_id + } + }, + { for k in keys(local.client_account_map) : + "user_outbound_replication_to_${k}" => { + replication_task_arn = aws_dms_replication_task.user_outbound_replication[k].replication_task_arn + replication_task_id = aws_dms_replication_task.user_outbound_replication[k].replication_task_id + } + }, + try(var.dms_config.audit_source_endpoint.read_database, null) == null ? {} : { + business_interaction_outbound_replication = { + replication_task_arn = aws_dms_replication_task.business_interaction_outbound_replication[0].replication_task_arn + replication_task_id = aws_dms_replication_task.business_interaction_outbound_replication[0].replication_task_id + } + }, + try(var.dms_config.audit_source_endpoint.read_database, null) == null ? 
{} : { + audited_interaction_checksum_outbound_replication = { + replication_task_arn = aws_dms_replication_task.audited_interaction_checksum_outbound_replication[0].replication_task_arn + replication_task_id = aws_dms_replication_task.audited_interaction_checksum_outbound_replication[0].replication_task_id + } + } + ) +} + + + +resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_source" { + for_each = local.aws_dms_replication_tasks + alarm_name = "dms-cdc-latency-source-${each.value.replication_task_id}" + alarm_description = "High CDC source latency for dms replication task for ${each.value.replication_task_id}" + namespace = "AWS/DMS" + statistic = "Average" + metric_name = "CDCLatencySource" + comparison_operator = "GreaterThanThreshold" + threshold = 15 + evaluation_periods = 3 + period = 120 + actions_enabled = true + alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] + ok_actions = [aws_sns_topic.dms_alerts_topic.arn] + dimensions = { + ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id + # We only need to final element of the replication task ID (after the last :) + ReplicationTaskIdentifier = split(":", each.value.replication_task_arn)[length(split(":", each.value.replication_task_arn)) - 1] + } + tags = var.tags +} + +resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { + for_each = local.aws_dms_replication_tasks + alarm_name = "dms-cdc-latency-target-${each.value.replication_task_id}" + alarm_description = "High CDC target latency for dms replication task for ${each.value.replication_task_id}" + namespace = "AWS/DMS" + statistic = "Average" + metric_name = "CDCLatencyTarget" + comparison_operator = "GreaterThanThreshold" + threshold = 15 + evaluation_periods = 3 + period = 120 + actions_enabled = true + alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] + ok_actions = [aws_sns_topic.dms_alerts_topic.arn] + dimensions = { + ReplicationInstanceIdentifier = 
aws_dms_replication_instance.dms_replication_instance.replication_instance_id + # We only need to final element of the replication task ID (after the last :) + ReplicationTaskIdentifier = split(":", each.value.replication_task_arn)[length(split(":", each.value.replication_task_arn)) - 1] + } + tags = var.tags +} + +# Pager duty integration + +# Get the map of pagerduty integration keys from the modernisation platform account +data "aws_secretsmanager_secret" "pagerduty_integration_keys" { + provider = aws.modernisation-platform + name = "pagerduty_integration_keys" +} + +data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" { + provider = aws.modernisation-platform + secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id +} + +# Add a local to get the keys +locals { + pagerduty_integration_keys = jsondecode(data.aws_secretsmanager_secret_version.pagerduty_integration_keys.secret_string) + integration_key_lookup = var.dms_config.is-production ? "delius_oracle_prod_alarms" : "delius_oracle_nonprod_alarms" +} + +# link the sns topic to the service +# Non-Prod alerts channel: #delius-aws-oracle-dev-alerts +# Prod alerts channel: #delius-aws-oracle-prod-alerts +module "pagerduty_core_alerts" { + #checkov:skip=CKV_TF_1 + depends_on = [ + aws_sns_topic.dms_alerts_topic + ] + source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0" + sns_topics = [aws_sns_topic.dms_alerts_topic.name] + pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup] +} + +resource "aws_iam_role" "lambda_put_metric_data_role" { + name = "lambda-put-metric-data-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Action = "sts:AssumeRole", + Effect = "Allow", + Principal = { + Service = "lambda.amazonaws.com" + } + } + ] + }) +} + +resource "aws_iam_policy" "lambda_put_metric_data_policy" { + name = "lambda-put-metric-data-policy" + + policy = 
jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "cloudwatch:PutMetricData" + ], + Resource = "*" + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_policy_attach" { + role = aws_iam_role.lambda_put_metric_data_role.name + policy_arn = aws_iam_policy.lambda_put_metric_data_policy.arn +} + +# Allow Cloudwatch Logging +resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach" { + role = aws_iam_role.lambda_put_metric_data_role.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" +} + +resource "local_file" "lambda_dms_replication_metric_py" { + filename = "${path.module}/lambda_dms_replication_metric.py" + content = <<@Ag47(=6_ve-eHUoGqD;IjrWhk*mdBtHkUsj&p2TrYcazC!XBm z&Q%Y6&h^Ros+!tJLtdC;{DpYB#DNMLP|}esMZ5oJu-W9t-v+>GE0e6Yeq~-0i9}Sy zU4)_CnIWrquK^mVxon(mh6yQJQZh!VIleunUX5Td8B{U9Xw(H0R+31Zhx+&5c(Gv5 z2iVfXXJo^Wz`19m4eGxqEAJn;ZcZqs@jK*6InJ@t?v10av=1iEMc0T_IfbHc3&m0B z>8{F~Am2+07OSbk6$O{Epw!{(uyYxOF^f2zLGe|RE0dnOg@@60uKaSkt>Vps z@ADVi{C5vaShix`c+}Y`@Hk+5Dkr6*4j$hLYz=m`zxnh^=@{nH^Z;qN>t{r8b_Hm&JIR3R4-AC^iWmn}WQf`5ED2V56=A**ki7|c z<&p)L+zPKD!Gs~M3~p$bn~?=_VX(nU{+;)o=pwsnSjXLbP4jGyP6o z!Q77PgFNYFMo_idRV_?&ome%o=eSZQbKJPXUs8${uVnL@mOjiY!Dc`~`M7zY~!erAegpDjOC$_{df5gxX=Hgf!7exYZzfz0{^eT-qIN$zu!p z^!J4qtDnRY_3tMbc@1vG&DAc{jc=-7(#z|x%(qV((39XQqY3V46Pr4dHZN3dXuOY7 z{6KFFiWOYm#Q%0>r-Y=W&4dt559ppyWIQA~kVeaT`gHvjiB7O-S~*BSEWgKb3vjMJ zSi5mvHjcG?-s*H=?w6L`{BWxFr@Vxd?Z+gMnas}A-AL6QGCdNN&{ik}LMUW`C5J^8Etclo5pAJ|dP!b@$d zY(q&7;`vE}mp+et!1PQ^wMPC9j0uf~jf3GlrUd-9a1SFWza$w|bz4>vxVf~m^gJgl zIA@mWVYDaMkdQ`Z1UXy_pm^Dq$kE{MXz+NIm8L|yFsDo9fA77%1aT%GG$&cI}@jZwmu2Qo$WOyZJU(DG6c<(#I){*dPPzGOt z)DvbB+adSG1P@px>*H-L!?N$$_zB)SpBb3l1zX~3@YUQ!lw1l&NW4A)=kp*xaG4ky zGy3JFlD9<}ThdkXLnmb|#C*4C=58*%zQ02FuGFSb1WA@>Hs-~FG%R~a+`NIi zDU`cumm}bYLevY0L2$u1S*yDxMBy3dGBtZf24VS&Fj0meutV=r zn|xvHxE!zCFQcteRZU=ACG$-lK?qrSBiE&c(IlVxerdcw?YocBaKDMY$~<Xgz89nYK68uzVrX`1{Yqg`oCv 
zI;0$D1mvOV2+`RjHF7ab){bN(M_re znJ+Y&k|>3(jcb-Z7uBlR-}cu1JD7hRaNC45wK6X2Tm5EMEwaWBJH0nus7V`s#YAQJ zJlflRt7-gd%HXZqI`Dp~*!^m;_AV>uUkUL!JP zKGH5?I(ask<}#bt$!+!=<#3UGZt~0yLxlSf{xpx;fy($5NGF4TYiFu<9OLd(&Jx6e z>LLPpom2@!g$;2@;TV2Jc~um@u)Yqz2_aq=@#0DZFDsT%Yn(SC#w|hL8y!O;_r0GB zUX#f~y}!SaKkCPp=49oTRU)*+n6K5;Uo_@0cIZjcP867L97stR8(9co(sFbB`HIK5 z+1W#YOVO$_DlQt<6c1tP<0Lwxl7_&EE*y1wOzd@)+-AzewsY#V@2+?6DXgna`Fa#{ zn7txb9P4n(wJ7>?rFm~Tc#VkGb%n948voVJM%{1|l#axZ{mR~=_OA;Lb_zKc3@3Gj zagU1^6keD)HP;O}8gq8*k@Z;kK;L3lsFAAjb?{O!+S=RP&*{#nvJ2RSPJEj+T$yMo zmCrc`%IB-#xKIa;2Gl>ci=Hjy-5u8>5=di+SU?7C#E8)y6IUzCl(!`8b4((N1nX&ZMpk5yzYx=0<*Wdsq=x zqfVxu*G@NL9@S(DyY_{hR3P18Y6=haz_|fz1hmqx^@OvFq62(z7A}e`xbHk1ezqS1 zAy5v7I~K?7&v2x|A>eqk79f8w8(*G$ty7UOT$CCuJA+G$7;bo7HAZ`P>|V5gTWWOw zRr4SuC3edFheXy&=|OK3{Fdx9!0Mbg*tP8tA~H&F)LFeMm0m!M=tlmWDxG{zz9rFe z;5YTgqxuTfb%};A>565dwOG`?91KD)s5G`VBrT|IDi@@d&7=e!uIE?VsBDXB{=>5a(Iaql^Aa#hM z&HU-8;}9T4^ooUv`S{D;PTQdu{Xy%~Q+sO`RzdgjT@!Wyz(g4Uu(xJlJj?W782{hf gKQR7pmB#;*{x6!_TZ5SYd0_Zs^FRCXpLzh`U%DT-^#A|> literal 0 HcmV?d00001 From 32430e1fb8aa7d836fe5c701967d8ec26c416c73 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 15:56:47 +0000 Subject: [PATCH 047/308] Remove zip file --- .../dms/lambda_dms_replication_metric.zip | Bin 3048 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 terraform/environments/delius-core/modules/components/dms/lambda_dms_replication_metric.zip 
diff --git a/terraform/environments/delius-core/modules/components/dms/lambda_dms_replication_metric.zip b/terraform/environments/delius-core/modules/components/dms/lambda_dms_replication_metric.zip deleted file mode 100644 index bc2d09f1d2c8fd3736a33c7616c5b1aff6a878b6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3048 zcmZ{mc{me}AIFCcIfonxIW}M9%E*1+XUy4zlryx&T!k`MtvN$TVPA7g5jJNcS6M^k zKBLIyCanDW{_#8h`MuxI^ZC4==ks~qf4}UlnSf^jtbYsuNMQer|LEMG<@Ag47(=6_ve-eHUoGqD;IjrWhk*mdBtHkUsj&p2TrYcazC!XBm z&Q%Y6&h^Ros+!tJLtdC;{DpYB#DNMLP|}esMZ5oJu-W9t-v+>GE0e6Yeq~-0i9}Sy zU4)_CnIWrquK^mVxon(mh6yQJQZh!VIleunUX5Td8B{U9Xw(H0R+31Zhx+&5c(Gv5 z2iVfXXJo^Wz`19m4eGxqEAJn;ZcZqs@jK*6InJ@t?v10av=1iEMc0T_IfbHc3&m0B z>8{F~Am2+07OSbk6$O{Epw!{(uyYxOF^f2zLGe|RE0dnOg@@60uKaSkt>Vps z@ADVi{C5vaShix`c+}Y`@Hk+5Dkr6*4j$hLYz=m`zxnh^=@{nH^Z;qN>t{r8b_Hm&JIR3R4-AC^iWmn}WQf`5ED2V56=A**ki7|c z<&p)L+zPKD!Gs~M3~p$bn~?=_VX(nU{+;)o=pwsnSjXLbP4jGyP6o z!Q77PgFNYFMo_idRV_?&ome%o=eSZQbKJPXUs8${uVnL@mOjiY!Dc`~`M7zY~!erAegpDjOC$_{df5gxX=Hgf!7exYZzfz0{^eT-qIN$zu!p z^!J4qtDnRY_3tMbc@1vG&DAc{jc=-7(#z|x%(qV((39XQqY3V46Pr4dHZN3dXuOY7 z{6KFFiWOYm#Q%0>r-Y=W&4dt559ppyWIQA~kVeaT`gHvjiB7O-S~*BSEWgKb3vjMJ zSi5mvHjcG?-s*H=?w6L`{BWxFr@Vxd?Z+gMnas}A-AL6QGCdNN&{ik}LMUW`C5J^8Etclo5pAJ|dP!b@$d zY(q&7;`vE}mp+et!1PQ^wMPC9j0uf~jf3GlrUd-9a1SFWza$w|bz4>vxVf~m^gJgl zIA@mWVYDaMkdQ`Z1UXy_pm^Dq$kE{MXz+NIm8L|yFsDo9fA77%1aT%GG$&cI}@jZwmu2Qo$WOyZJU(DG6c<(#I){*dPPzGOt z)DvbB+adSG1P@px>*H-L!?N$$_zB)SpBb3l1zX~3@YUQ!lw1l&NW4A)=kp*xaG4ky zGy3JFlD9<}ThdkXLnmb|#C*4C=58*%zQ02FuGFSb1WA@>Hs-~FG%R~a+`NIi zDU`cumm}bYLevY0L2$u1S*yDxMBy3dGBtZf24VS&Fj0meutV=r zn|xvHxE!zCFQcteRZU=ACG$-lK?qrSBiE&c(IlVxerdcw?YocBaKDMY$~<Xgz89nYK68uzVrX`1{Yqg`oCv zI;0$D1mvOV2+`RjHF7ab){bN(M_re znJ+Y&k|>3(jcb-Z7uBlR-}cu1JD7hRaNC45wK6X2Tm5EMEwaWBJH0nus7V`s#YAQJ zJlflRt7-gd%HXZqI`Dp~*!^m;_AV>uUkUL!JP zKGH5?I(ask<}#bt$!+!=<#3UGZt~0yLxlSf{xpx;fy($5NGF4TYiFu<9OLd(&Jx6e z>LLPpom2@!g$;2@;TV2Jc~um@u)Yqz2_aq=@#0DZFDsT%Yn(SC#w|hL8y!O;_r0GB 
zUX#f~y}!SaKkCPp=49oTRU)*+n6K5;Uo_@0cIZjcP867L97stR8(9co(sFbB`HIK5 z+1W#YOVO$_DlQt<6c1tP<0Lwxl7_&EE*y1wOzd@)+-AzewsY#V@2+?6DXgna`Fa#{ zn7txb9P4n(wJ7>?rFm~Tc#VkGb%n948voVJM%{1|l#axZ{mR~=_OA;Lb_zKc3@3Gj zagU1^6keD)HP;O}8gq8*k@Z;kK;L3lsFAAjb?{O!+S=RP&*{#nvJ2RSPJEj+T$yMo zmCrc`%IB-#xKIa;2Gl>ci=Hjy-5u8>5=di+SU?7C#E8)y6IUzCl(!`8b4((N1nX&ZMpk5yzYx=0<*Wdsq=x zqfVxu*G@NL9@S(DyY_{hR3P18Y6=haz_|fz1hmqx^@OvFq62(z7A}e`xbHk1ezqS1 zAy5v7I~K?7&v2x|A>eqk79f8w8(*G$ty7UOT$CCuJA+G$7;bo7HAZ`P>|V5gTWWOw zRr4SuC3edFheXy&=|OK3{Fdx9!0Mbg*tP8tA~H&F)LFeMm0m!M=tlmWDxG{zz9rFe z;5YTgqxuTfb%};A>565dwOG`?91KD)s5G`VBrT|IDi@@d&7=e!uIE?VsBDXB{=>5a(Iaql^Aa#hM z&HU-8;}9T4^ooUv`S{D;PTQdu{Xy%~Q+sO`RzdgjT@!Wyz(g4Uu(xJlJj?W782{hf gKQR7pmB#;*{x6!_TZ5SYd0_Zs^FRCXpLzh`U%DT-^#A|> From 92c3a08e309ff697e7c9a90ebb20f4a75b308003 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 11 Nov 2024 16:01:03 +0000 Subject: [PATCH 048/308] Adding management production to the trust policy of the data engineering role --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 71793fbe57d..c631b3a8289 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -314,7 +314,7 @@ module "analytical_platform_data_eng_dba_service_role" { allow_self_assume_role = false trusted_role_arns = [ - format("arn:aws:iam::%s:root", local.environment_management.account_ids[local.analytical_platform_environment]) + formatlist("arn:aws:iam::%s:root", [local.environment_management.account_ids[local.analytical_platform_environment], local.environment_management.account_ids["analytical-platform-management-production"]]), ] create_role = true From 22082340e2f36599fc881d1a7a090ae69b718d85 Mon Sep 17 00:00:00 2001 
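Review bot: The `formatlist(...)` entry added to `trusted_role_arns` trusts the `:root` principal of the `analytical-platform-management-production` account, so any identity in that account whose own IAM policy allows `sts:AssumeRole` on this role can obtain the data-engineering database-access role. If only particular roles there need it, list them instead, for example `"arn:aws:iam::<MANAGEMENT_ACCOUNT_ID>:role/<ROLE_NAME>"` (both parts are placeholders). The later hunk for the same module (PATCH 050) shows `role_requires_mfa = false` and keeps the account-root trust, so the point applies there as well. Separately, `formatlist` already returns a list, so wrapping it in `[ ... ]` as done here yields a nested list, which PATCH 050 then unwraps. The module block starts and ends outside the hunk.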
From: Bill Buchan Date: Mon, 11 Nov 2024 16:11:49 +0000 Subject: [PATCH 049/308] Put the local file back --- .../components/dms/cloudwatch-alarms.tf | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 7acc9e9b9b7..a69d2a9b68b 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -210,32 +210,32 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -# resource "local_file" "lambda_dms_replication_metric_py" { -# filename = "${path.module}/lambda_dms_replication_metric.py" -# content = < Date: Mon, 11 Nov 2024 16:13:49 +0000 Subject: [PATCH 050/308] Formatlist returns a list so doesn't need additional brackets --- .../analytical-platform-compute/iam-roles.tf | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index c631b3a8289..b8c42113cb6 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf 
@@ -313,13 +313,10 @@ module "analytical_platform_data_eng_dba_service_role" { version = "5.46.0" allow_self_assume_role = false - trusted_role_arns = [ - formatlist("arn:aws:iam::%s:root", [local.environment_management.account_ids[local.analytical_platform_environment], local.environment_management.account_ids["analytical-platform-management-production"]]), - - ] - create_role = true - role_requires_mfa = false - role_name = "analytical-platform-data-engineering-database-access" + trusted_role_arns = formatlist("arn:aws:iam::%s:root", [local.environment_management.account_ids[local.analytical_platform_environment], local.environment_management.account_ids["analytical-platform-management-production"]]) + create_role = true + role_requires_mfa = false + role_name = "analytical-platform-data-engineering-database-access" custom_role_policy_arns = [ module.analytical_platform_lake_formation_share_policy.arn, From 561352fec5f0a327ec28dca19a0818839099ff74 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 16:18:03 +0000 Subject: [PATCH 051/308] Refer to a file --- .../components/dms/cloudwatch-alarms.tf | 52 +++++++++++-------- 1 file changed, 29 insertions(+), 23 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index a69d2a9b68b..611cda135c8 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -210,32 +210,38 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -resource "local_file" "lambda_dms_replication_metric_py" { - filename = "${path.module}/lambda_dms_replication_metric.py" - content = < Date: Mon, 11 Nov 2024 16:25:54 +0000 Subject: [PATCH 052/308] Add the local_file resource to allow it to run --- .../components/dms/cloudwatch-alarms.tf | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 611cda135c8..6e5f9c2ecc9 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -210,28 +210,28 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -# resource "local_file" "lambda_dms_replication_metric_py" { -# filename = "${path.module}/lambda_dms_replication_metric.py" -# content = < Date: Mon, 11 Nov 2024 16:49:54 +0000 Subject: [PATCH 053/308] add initial alarm scheduling to DSO-managed environments (#8629) --- .../hmpps-domain-services/locals_preproduction.tf | 6 ++++++ .../environments/hmpps-domain-services/main.tf | 8 ++++++++ .../modules/baseline/schedule_alarms_lambda.tf | 15 +++++++++++++++ terraform/modules/baseline/variables.tf | 14 ++++++++++++++ 4 files changed, 43 insertions(+) create mode 100644 terraform/modules/baseline/schedule_alarms_lambda.tf diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf index 8a38912d500..bb72afcc886 100644 
--- a/terraform/environments/hmpps-domain-services/locals_preproduction.tf +++ b/terraform/environments/hmpps-domain-services/locals_preproduction.tf @@ -153,6 +153,12 @@ locals { }) } + schedule_alarms = { + alarm_patterns = [ + "public-https-*-https-unhealthy-load-balancer-host", + ] + } + route53_zones = { "preproduction.hmpps-domain.service.justice.gov.uk" = { lb_alias_records = [ diff --git a/terraform/environments/hmpps-domain-services/main.tf b/terraform/environments/hmpps-domain-services/main.tf index a23f7e6d41b..04db08b1919 100644 --- a/terraform/environments/hmpps-domain-services/main.tf +++ b/terraform/environments/hmpps-domain-services/main.tf @@ -177,6 +177,14 @@ module "baseline" { lookup(local.baseline_environment_specific, "s3_buckets", {}), ) + schedule_alarms_lambda = merge( + { + function_name = "schedule-alarms" + }, + lookup(local.baseline_all_environments, "schedule_alarms", {}), + lookup(local.baseline_environment_specific, "schedule_alarms", {}), + ) + secretsmanager_secrets = merge( module.baseline_presets.secretsmanager_secrets, lookup(local.baseline_all_environments, "secretsmanager_secrets", {}), diff --git a/terraform/modules/baseline/schedule_alarms_lambda.tf b/terraform/modules/baseline/schedule_alarms_lambda.tf new file mode 100644 index 00000000000..b4b2e7750ee --- /dev/null +++ b/terraform/modules/baseline/schedule_alarms_lambda.tf @@ -0,0 +1,15 @@ +module "schedule_alarms_lambda" { + source = "../schedule_alarms_lambda" + + lambda_function_name = var.schedule_alarms_lambda.function_name + lambda_log_level = var.schedule_alarms_lambda.lambda_log_level + + alarm_list = var.schedule_alarms_lambda.alarm_list + alarm_patterns = var.schedule_alarms_lambda.alarm_patterns + + disable_weekend = var.schedule_alarms_lambda.disable_weekend + start_time = var.schedule_alarms_lambda.start_time + end_time = var.schedule_alarms_lambda.end_time + + tags = merge(local.tags, var.schedule_alarms_lambda.tags) +} 
diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index 0a26b3a6b70..7261fba7a95 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -915,6 +915,20 @@ variable "s3_buckets" { default = {} } +variable "schedule_alarms_lambda" { + description = "" + type = object({ + function_name = string, + lambda_log_level = optional(string, "INFO") + alarm_list = optional(list(string)) + alarm_patterns = optional(list(string)) + disable_weekend = optional(bool, true) + start_time = optional(string, "06:15") + end_time = optional(string, "22:45") + tags = optional(map(string), {}) + }) +} + variable "secretsmanager_secrets" { # Example usage: # my_database_secrets = { From 461dc8bb8f075721b991741e6ed5b181e2ecb5b1 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 16:51:26 +0000 Subject: [PATCH 054/308] GlueJob to hash table rows save to parquet - v2 --- .../dms_data_validation_glue_job_v2.tf | 37 ++++++++++--------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index 5477d06a337..da2083ceaf0 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf 
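Review bot: `variable "schedule_alarms_lambda"` is added with `description = ""` and no `default`, so the object is undocumented and, as far as this hunk shows, becomes a required input for every caller of the baseline module. The fields that decide when alarms are silenced (`start_time`, `end_time`, `disable_weekend`) need a description that states whether the window is the period in which alarms are enabled or disabled and which time zone applies, e.g. `description = "Alarm schedule: start_time/end_time are HH:MM in <TIMEZONE>; alarms are <enabled|disabled> inside the window"`. Because `disable_weekend` defaults to `true` and the preproduction hunk of this commit selects alarms with a wildcard pattern, it is worth confirming that no alarm relied on for out-of-hours detection falls under the pattern.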
@@ -395,24 +395,25 @@ resource "aws_glue_job" "etl_table_row_hashvalues_to_parquet" { worker_type = "G.2X" number_of_workers = 4 default_arguments = { - "--script_bucket_name" = module.s3-glue-job-script-bucket.bucket.id - "--rds_db_host_ep" = split(":", aws_db_instance.database_2022.endpoint)[0] - "--rds_db_pwd" = aws_db_instance.database_2022.password - "--rds_sqlserver_db" = "" - "--rds_sqlserver_db_schema" = "dbo" - "--rds_sqlserver_db_table" = "" - "--rds_db_tbl_pkey_column" = "" - "--parallel_jdbc_conn_num" = 1 - "--parquet_df_write_repartition_num" = 0 - "--extra-py-files" = "s3://${module.s3-glue-job-script-bucket.bucket.id}/${aws_s3_object.aws_s3_object_pyzipfile_to_s3folder.id}" - "--hashed_output_s3_bucket_name" = module.s3-dms-data-validation-bucket.bucket.id - "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name - "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.etl_table_row_hashvalues_to_parquet.name}" - "--enable-continuous-cloudwatch-log" = "true" - "--enable-continuous-log-filter" = "true" - "--enable-metrics" = "true" - "--enable-auto-scaling" = "true" - "--conf" = < Date: Mon, 11 Nov 2024 16:55:54 +0000 Subject: [PATCH 055/308] Workaround --- .../components/dms/cloudwatch-alarms.tf | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 6e5f9c2ecc9..f8055e99e8e 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -213,23 +213,7 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach resource "local_file" "lambda_dms_replication_metric_py" { filename = "${path.module}/lambda_dms_replication_metric.py" content = < Date: Mon, 11 Nov 2024 17:02:58 +0000 Subject: [PATCH 056/308] GlueJob to hash table rows save to parquet - v3 --- .../glue-job/etl_table_row_hashvalues_to_parquet.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py index 1f6d2c73c9a..a4381c8a023 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py @@ -52,7 +52,8 @@ "rds_sqlserver_db", "rds_sqlserver_db_schema", "rds_sqlserver_db_table", - "rds_db_tbl_pkey_column" + "rds_db_tbl_pkey_column", + "rds_db_table_hashed_rows_parent_dir" ] OPTIONAL_INPUTS = [ From 4d3271ff4b36cfa56144ffc30d305b154ece0922 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 17:04:01 +0000 Subject: [PATCH 057/308] Force dependency on zip file --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index f8055e99e8e..8704bfd2643 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -240,6 +240,9 @@ resource "aws_lambda_function" "dms_replication_metric_publisher" { METRIC_NAMESPACE = "CustomDMSMetrics", METRIC_NAME = "DMSReplicationEvent" } + depends_on = [ + archive_file.lambda_dms_replication_metric_zip + ] } depends_on = [data.archive_file.lambda_dms_replication_metric_zip] From c83788b8e10d22ee4245255e8c79350c01d66580 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 17:09:15 +0000 Subject: [PATCH 058/308] Add source file --- .../dms/lambda/dms_replication_metric.py | 327 +----------------- 1 file changed, 17 insertions(+), 310 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index a69d2a9b68b..4710a732ec5 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py 
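Review bot: The added `depends_on` sits between the closing brace of `variables` and the closing brace of `environment`, which makes it an argument of the nested `environment` block rather than of the resource, and Terraform does not accept the meta-argument there. It also references `archive_file.lambda_dms_replication_metric_zip` without the `data.` prefix, while the next context line already carries `depends_on = [data.archive_file.lambda_dms_replication_metric_zip]` at resource level. The three added lines can simply be dropped. The resource block starts outside the hunk.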
@@ -1,310 +1,17 @@ -# SNS topic for monitoring to send alarms to -resource "aws_sns_topic" "dms_alerts_topic" { - name = "delius-dms-alerts-topic" - kms_master_key_id = var.account_config.kms_keys.general_shared - - http_success_feedback_role_arn = aws_iam_role.sns_logging_role.arn - http_success_feedback_sample_rate = 100 - http_failure_feedback_role_arn = aws_iam_role.sns_logging_role.arn -} - -resource "aws_iam_role" "sns_logging_role" { - name = "sns-logging-role" - - assume_role_policy = jsonencode({ - "Version": "2012-10-17", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Principal": { - "Service": "sns.amazonaws.com" - }, - "Effect": "Allow", - "Sid": "" - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "attach_sns_policy" { - role = aws_iam_role.sns_logging_role.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSNSRole" -} - -# Create a map of all possible replication tasks, so those that exist may have alarms applied to them. -# Note that the key of this map cannot be an apply time value, so cannot be the ARN or ID of the -# replication tasks - these should appear only as values. -locals { - aws_dms_replication_tasks = merge( - try(var.dms_config.user_target_endpoint.write_database, null) == null ? 
{} : { - user_inbound_replication = { - replication_task_arn = aws_dms_replication_task.user_inbound_replication[0].replication_task_arn, - replication_task_id = aws_dms_replication_task.user_inbound_replication[0].replication_task_id - } - }, - { for k in keys(local.client_account_map) : - "business_interaction_inbound_replication_from_${k}" => { - replication_task_arn = aws_dms_replication_task.business_interaction_inbound_replication[k].replication_task_arn - replication_task_id = aws_dms_replication_task.business_interaction_inbound_replication[k].replication_task_id - } - }, - { for k in keys(local.client_account_map) : - "audited_interaction_inbound_replication_from_${k}" => { - replication_task_arn = aws_dms_replication_task.audited_interaction_inbound_replication[k].replication_task_arn - replication_task_id = aws_dms_replication_task.audited_interaction_inbound_replication[k].replication_task_id - } - }, - { for k in keys(local.client_account_map) : - "audited_interaction_checksum_inbound_replication_from_${k}" => { - replication_task_arn = aws_dms_replication_task.audited_interaction_checksum_inbound_replication[k].replication_task_arn - replication_task_id = aws_dms_replication_task.audited_interaction_checksum_inbound_replication[k].replication_task_id - } - }, - try(var.dms_config.audit_source_endpoint.read_database, null) == null ? 
{} : { - audited_interaction_outbound_replication = { - replication_task_arn = aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_arn - replication_task_id = aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_id - } - }, - { for k in keys(local.client_account_map) : - "user_outbound_replication_to_${k}" => { - replication_task_arn = aws_dms_replication_task.user_outbound_replication[k].replication_task_arn - replication_task_id = aws_dms_replication_task.user_outbound_replication[k].replication_task_id - } - }, - try(var.dms_config.audit_source_endpoint.read_database, null) == null ? {} : { - business_interaction_outbound_replication = { - replication_task_arn = aws_dms_replication_task.business_interaction_outbound_replication[0].replication_task_arn - replication_task_id = aws_dms_replication_task.business_interaction_outbound_replication[0].replication_task_id - } - }, - try(var.dms_config.audit_source_endpoint.read_database, null) == null ? 
{} : { - audited_interaction_checksum_outbound_replication = { - replication_task_arn = aws_dms_replication_task.audited_interaction_checksum_outbound_replication[0].replication_task_arn - replication_task_id = aws_dms_replication_task.audited_interaction_checksum_outbound_replication[0].replication_task_id - } - } - ) -} - - - -resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_source" { - for_each = local.aws_dms_replication_tasks - alarm_name = "dms-cdc-latency-source-${each.value.replication_task_id}" - alarm_description = "High CDC source latency for dms replication task for ${each.value.replication_task_id}" - namespace = "AWS/DMS" - statistic = "Average" - metric_name = "CDCLatencySource" - comparison_operator = "GreaterThanThreshold" - threshold = 15 - evaluation_periods = 3 - period = 120 - actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] - ok_actions = [aws_sns_topic.dms_alerts_topic.arn] - dimensions = { - ReplicationInstanceIdentifier = aws_dms_replication_instance.dms_replication_instance.replication_instance_id - # We only need to final element of the replication task ID (after the last :) - ReplicationTaskIdentifier = split(":", each.value.replication_task_arn)[length(split(":", each.value.replication_task_arn)) - 1] - } - tags = var.tags -} - -resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { - for_each = local.aws_dms_replication_tasks - alarm_name = "dms-cdc-latency-target-${each.value.replication_task_id}" - alarm_description = "High CDC target latency for dms replication task for ${each.value.replication_task_id}" - namespace = "AWS/DMS" - statistic = "Average" - metric_name = "CDCLatencyTarget" - comparison_operator = "GreaterThanThreshold" - threshold = 15 - evaluation_periods = 3 - period = 120 - actions_enabled = true - alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] - ok_actions = [aws_sns_topic.dms_alerts_topic.arn] - dimensions = { - ReplicationInstanceIdentifier = 
aws_dms_replication_instance.dms_replication_instance.replication_instance_id - # We only need to final element of the replication task ID (after the last :) - ReplicationTaskIdentifier = split(":", each.value.replication_task_arn)[length(split(":", each.value.replication_task_arn)) - 1] - } - tags = var.tags -} - -# Pager duty integration - -# Get the map of pagerduty integration keys from the modernisation platform account -data "aws_secretsmanager_secret" "pagerduty_integration_keys" { - provider = aws.modernisation-platform - name = "pagerduty_integration_keys" -} - -data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" { - provider = aws.modernisation-platform - secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id -} - -# Add a local to get the keys -locals { - pagerduty_integration_keys = jsondecode(data.aws_secretsmanager_secret_version.pagerduty_integration_keys.secret_string) - integration_key_lookup = var.dms_config.is-production ? "delius_oracle_prod_alarms" : "delius_oracle_nonprod_alarms" -} - -# link the sns topic to the service -# Non-Prod alerts channel: #delius-aws-oracle-dev-alerts -# Prod alerts channel: #delius-aws-oracle-prod-alerts -module "pagerduty_core_alerts" { - #checkov:skip=CKV_TF_1 - depends_on = [ - aws_sns_topic.dms_alerts_topic - ] - source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0" - sns_topics = [aws_sns_topic.dms_alerts_topic.name] - pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup] -} - -resource "aws_iam_role" "lambda_put_metric_data_role" { - name = "lambda-put-metric-data-role" - - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Action = "sts:AssumeRole", - Effect = "Allow", - Principal = { - Service = "lambda.amazonaws.com" - } - } - ] - }) -} - -resource "aws_iam_policy" "lambda_put_metric_data_policy" { - name = "lambda-put-metric-data-policy" - - policy = 
jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "cloudwatch:PutMetricData" - ], - Resource = "*" - } - ] - }) -} - -resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_policy_attach" { - role = aws_iam_role.lambda_put_metric_data_role.name - policy_arn = aws_iam_policy.lambda_put_metric_data_policy.arn -} - -# Allow Cloudwatch Logging -resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach" { - role = aws_iam_role.lambda_put_metric_data_role.name - policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" -} - -resource "local_file" "lambda_dms_replication_metric_py" { - filename = "${path.module}/lambda_dms_replication_metric.py" - content = < Date: Mon, 11 Nov 2024 17:11:19 +0000 Subject: [PATCH 059/308] Remove dependency --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 8704bfd2643..f8055e99e8e 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -240,9 +240,6 @@ resource "aws_lambda_function" "dms_replication_metric_publisher" { METRIC_NAMESPACE = "CustomDMSMetrics", METRIC_NAME = "DMSReplicationEvent" } - depends_on = [ - archive_file.lambda_dms_replication_metric_zip - ] } depends_on = [data.archive_file.lambda_dms_replication_metric_zip] From c0d7eb582a179eca707b3b3eae132d70e3756d66 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 17:16:44 +0000 Subject: [PATCH 060/308] GlueJob to hash table rows save to parquet - v3 --- .../glue-job/etl_table_row_hashvalues_to_parquet.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py index a4381c8a023..bce946f5663 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py @@ -174,7 +174,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful HASHED_OUTPUT_S3_BUCKET_NAME, f'''{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''' ): - hashed_rows_prq_fulls3path = f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{prq_table_folder_path}''' + hashed_rows_prq_fulls3path = f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}}/{prq_table_folder_path}''' else: hashed_rows_prq_fulls3path = "" # -------------------------------- @@ -291,7 +291,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful LOGGER.info(f"""hashed_rows_prq_df - sorted within partitions on pkey.""") write_parquet_to_s3(hashed_rows_prq_df_sorted, - f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{prq_table_folder_path}''') + f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''') # -------------------------------- job.commit() From d4510b4978e575d0cf17f5bb641715298abdabfa Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 17:17:42 +0000 Subject: [PATCH 061/308] Add hash value for lambda source --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index f8055e99e8e..b6a65e247ad 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
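Review bot: In the first hunk the new path is built with `{{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}}`; doubled braces are the f-string escape for a literal brace, so the result contains the text `{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}` instead of the directory value. The existence check just above it and the write in the second hunk both use single braces, so `hashed_rows_prq_fulls3path` would not point at the folder that was checked. Use `f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}'''`. The surrounding code starts and ends outside both hunks.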
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -235,6 +235,7 @@ resource "aws_lambda_function" "dms_replication_metric_publisher" { handler = "lambda_dms_replication_metric.lambda_handler" runtime = "python3.8" filename = data.archive_file.lambda_dms_replication_metric_zip.output_path + source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256 environment { variables = { METRIC_NAMESPACE = "CustomDMSMetrics", From 2518bdd95c924450d0bddd44ca5cc091d56ed89d Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 17:30:43 +0000 Subject: [PATCH 062/308] Put the zip file somewhere else --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index b6a65e247ad..9f8b7ffb4ae 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -226,7 +226,8 @@ EOF data "archive_file" "lambda_dms_replication_metric_zip" { type = "zip" source_file = "${path.module}/lambda/dms_replication_metric.py" - output_path = "${path.module}/lambda_dms_replication_metric.zip" + output_path = "${path.module}/lambda/dms_replication_metric.zip" + excludes = ["lambda_dms_replication_metric.zip"] } resource "aws_lambda_function" "dms_replication_metric_publisher" { From 87be709f23d871e1bac7ac2146881a9dfe56835b Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 17:32:04 +0000 Subject: [PATCH 063/308] GlueJob to hash table rows save to parquet - v4 --- .../glue-job/etl_table_row_hashvalues_to_parquet.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
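Review bot: In the `archive_file` hunk the new `excludes = ["lambda_dms_replication_metric.zip"]` names the old archive file, while `output_path` in the same hunk now ends in `lambda/dms_replication_metric.zip`. With `source_file` the exclusion appears to have no effect, but PATCH 064 switches this data source to `source_dir = "${path.module}/lambda"`, which places the output zip inside the directory being archived; a zip left there by an earlier run may then be packed into the new archive and change `source_code_hash` on each plan. Either exclude the real name, `excludes = ["dms_replication_metric.zip"]`, or write the archive to a path outside the source directory.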
diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py index bce946f5663..1dd92c4437d 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py @@ -169,12 +169,13 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful if col != rds_db_tbl_pkey_column] LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") + prq_bucket_parent_folder = f"""{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}""" prq_table_folder_path = f"""{rds_db_name}/{rds_sqlserver_db_schema}/{rds_sqlserver_db_table}""" if S3Methods.check_s3_folder_path_if_exists( HASHED_OUTPUT_S3_BUCKET_NAME, f'''{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''' ): - hashed_rows_prq_fulls3path = f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}}/{prq_table_folder_path}''' + hashed_rows_prq_fulls3path = f'''s3://{prq_bucket_parent_folder}/{prq_table_folder_path}''' else: hashed_rows_prq_fulls3path = "" # -------------------------------- @@ -291,7 +292,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful LOGGER.info(f"""hashed_rows_prq_df - sorted within partitions on pkey.""") write_parquet_to_s3(hashed_rows_prq_df_sorted, - f'''s3://{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''') + f'''s3://{prq_bucket_parent_folder}/{prq_table_folder_path}''') # -------------------------------- job.commit() From 76ec5c43fada46fd97bd1d5e81bd2eb5fb48acfd Mon Sep 17 00:00:00 2001 
From: Bill Buchan Date: Mon, 11 Nov 2024 17:33:01 +0000 Subject: [PATCH 064/308] Specify source directory --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 9f8b7ffb4ae..046c546eafd 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -225,7 +225,7 @@ EOF data "archive_file" "lambda_dms_replication_metric_zip" { type = "zip" - source_file = "${path.module}/lambda/dms_replication_metric.py" + source_dir = "${path.module}/lambda" output_path = "${path.module}/lambda/dms_replication_metric.zip" excludes = ["lambda_dms_replication_metric.zip"] } From 766656374a58a82e8d715c4afdd9cc895d73048e Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 17:46:27 +0000 Subject: [PATCH 065/308] Update handler name --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 046c546eafd..66af6d3fc34 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
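Review bot: With `source_dir` now set to `${path.module}/lambda`, the `excludes` entry still names `lambda_dms_replication_metric.zip`, while `output_path` writes `dms_replication_metric.zip` into that same directory. A zip left over from an earlier run would be packed into the new archive, which changes `output_base64sha256` and ships a stale copy of the package inside the function. Exclude the file that is actually written, `excludes = ["dms_replication_metric.zip"]`, or write the archive outside the source directory. `source_dir` also packages every file under `lambda/`, so that directory should hold only what the function needs.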
@@ -227,13 +227,13 @@ data "archive_file" "lambda_dms_replication_metric_zip" { type = "zip" source_dir = "${path.module}/lambda" output_path = "${path.module}/lambda/dms_replication_metric.zip" - excludes = ["lambda_dms_replication_metric.zip"] + excludes = ["dms_replication_metric.zip"] } resource "aws_lambda_function" "dms_replication_metric_publisher" { function_name = "dms-replication-metric-publisher" role = aws_iam_role.lambda_put_metric_data_role.arn - handler = "lambda_dms_replication_metric.lambda_handler" + handler = "dms_replication_metric.lambda_handler" runtime = "python3.8" filename = data.archive_file.lambda_dms_replication_metric_zip.output_path source_code_hash = data.archive_file.lambda_dms_replication_metric_zip.output_base64sha256 From 3318e1a7659feae9d93560ec0673727ffff1d2f7 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 17:59:54 +0000 Subject: [PATCH 066/308] GlueJob to hash table rows save to parquet - v5 --- .../etl_table_row_hashvalues_to_parquet.py | 6 +++--- .../reusable_module/glue_data_validation_lib.py | 17 +++++++++++------ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py index 1dd92c4437d..8c4211d0c6f 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py 
@@ -202,7 +202,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_empty_df( rds_db_query_sample_row ) - LOGGER.info(f"""rds_db_query_sample_row_df-schema: \n{rds_db_query_sample_row_df.schema}""") + LOGGER.info(f"""rds_db_query_sample_row_df-schema: \n{rds_db_query_sample_row_df.columns}""") existing_parquet_table_df = CustomPysparkMethods.get_s3_parquet_df_v2( hashed_rows_prq_fulls3path, @@ -210,8 +210,8 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful ) existing_parquet_table_df_agg = existing_parquet_table_df.agg( - F.max(f"{rds_db_tbl_pkey_column}").alias(f"max_{rds_db_tbl_pkey_column}"), - F.count(f"{rds_db_tbl_pkey_column}").alias(f"count_{rds_db_tbl_pkey_column}") + F.max(rds_db_tbl_pkey_column).alias(f"max_{rds_db_tbl_pkey_column}"), + F.count(rds_db_tbl_pkey_column).alias(f"count_{rds_db_tbl_pkey_column}") ) existing_parquet_agg_dict = existing_parquet_table_df_agg.collect()[0] existing_parquet_max_pkey = existing_parquet_agg_dict[f"max_{rds_db_tbl_pkey_column}"] diff --git a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py index 7061ce348b3..6d8e0d56d65 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py 
@@ -133,12 +133,17 @@ def get_rds_dataframe_v1(self, rds_db_table_name) -> DataFrame: def get_rds_db_table_row_count(self, in_table_name, - in_pkeys_col_list) -> DataFrame: - - query_str = f""" - SELECT count({', '.join(in_pkeys_col_list)}) as row_count - FROM {self.rds_db_schema_name}.[{in_table_name}] - """.strip() + in_pkeys_columns) -> DataFrame: + if isinstance(in_pkeys_columns, list): + query_str = f""" + SELECT count({', '.join(in_pkeys_columns)}) as row_count + FROM {self.rds_db_schema_name}.[{in_table_name}] + """.strip() + else: + query_str = f""" + SELECT count(in_pkeys_columns) as row_count + FROM {self.rds_db_schema_name}.[{in_table_name}] + """.strip() return (self.spark.read.format("jdbc") .option("url", self.rds_jdbc_url_v2) From fb81335e63d3e93466542b4ab5eca3df30faaa71 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 18:09:55 +0000 Subject: [PATCH 067/308] GlueJob to hash table rows save to parquet - v6 --- .../glue-job/reusable_module/glue_data_validation_lib.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py index 6d8e0d56d65..9c57239c1c9 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py @@ -141,7 +141,7 @@ def get_rds_db_table_row_count(self, """.strip() else: query_str = f""" - SELECT count(in_pkeys_columns) as row_count + SELECT count({in_pkeys_columns}) as row_count FROM {self.rds_db_schema_name}.[{in_table_name}] """.strip() From f9369aff4b6888ecbb9183f0edec242b3bc2de68 Mon Sep 17 00:00:00 2001 
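Review bot: The `else` branch of `get_rds_db_table_row_count` has no braces around `in_pkeys_columns`, so the query counts a column literally named `in_pkeys_columns`; it should read `SELECT count({in_pkeys_columns}) as row_count`. Both branches also paste the schema, table and column names into the SQL text as they arrive, and only the table name is bracketed. If any of these reach the job from its arguments, check each against an identifier pattern (a constructed example: `^[A-Za-z_][A-Za-z0-9_]*$`) before building the query. The list branch emits `count(a, b)` for more than one key column, which SQL Server's COUNT should reject since it takes a single expression; `count(*)` would avoid that. The method continues past the end of the hunk.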
From: Bill Buchan Date: Mon, 11 Nov 2024 18:17:35 +0000 Subject: [PATCH 068/308] Reset metric if the task starts --- .../dms/lambda/dms_replication_metric.py | 47 ++++++++++++++----- 1 file changed, 34 insertions(+), 13 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index 4710a732ec5..135ea33ee23 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -1,17 +1,38 @@ import boto3 +import json def lambda_handler(event, context): + cloudwatch = boto3.client('cloudwatch') - cloudwatch.put_metric_data( - Namespace='CustomDMSMetrics', - MetricData=[ - { - 'MetricName': 'DMSReplicationEvent', - 'Dimensions': [ - {'Name': 'Service', 'Value': 'DMS'} - ], - 'Value': 1, # Trigger threshold - 'Unit': 'Count' - } - ] - ) \ No newline at end of file + for record in event['Records']: + + message = json.loads(record['Sns']['Message']) + + if message.get("EventType") == "replication-task-state-change" and message.get("status") == "STARTED": + cloudwatch.put_metric_data( + Namespace='CustomDMSMetrics', + MetricData=[ + { + 'MetricName': 'DMSReplicationFailure', + 'Dimensions': [ + {'Name': 'Service', 'Value': 'DMS'} + ], + 'Value': 0, # Reset Below Trigger threshold (Task Started) + 'Unit': 'Count' + } + ] + ) + elif message.get("EventType") == "failure": + cloudwatch.put_metric_data( + Namespace='CustomDMSMetrics', + MetricData=[ + { + 'MetricName': 'DMSReplicationFailure', + 'Dimensions': [ + {'Name': 'Service', 'Value': 'DMS'} + ], + 'Value': 1, # Trigger threshold (Task Failed) + 'Unit': 'Count' + } + ] + ) \ No newline at end of file From ba7e8f5c50c009b75e62813c86eb1dcbbfe40ef8 Mon Sep 17 00:00:00 2001 
From: Bill Buchan Date: Mon, 11 Nov 2024 18:19:34 +0000 Subject: [PATCH 069/308] Always report on the state change event (filter at SNS) --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 66af6d3fc34..943e27a9833 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -294,9 +294,6 @@ resource "aws_dms_event_subscription" "dms_task_event_subscription" { name = "dms-task-event-alerts" sns_topic_arn = aws_sns_topic.dms_events_topic.arn source_type = "replication-task" - # If this is production then we expect to see starting and stopping of replication tasks - # as this would not be normal behaviour. - # For non-production this will happen nightly due to automated stop/start - event_categories = var.dms_config.is-production ? ["state change", "failure"] : ["failure"] + event_categories = ["state change", "failure"] enabled = true } \ No newline at end of file From bb16bfc698f413f0cb7eae5c3acea2cb89e72ce8 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 11 Nov 2024 18:31:23 +0000 Subject: [PATCH 070/308] GlueJob to hash table rows save to parquet - v7 --- .../glue-job/etl_table_row_hashvalues_to_parquet.py | 13 ++++++++----- .../reusable_module/glue_data_validation_lib.py | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py index 8c4211d0c6f..e6d8a02291e 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py 
+++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py @@ -182,7 +182,8 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful rds_db_select_query_str = f""" SELECT {rds_db_tbl_pkey_column}, - LOWER(SUBSTRING(CONVERT(VARCHAR(66), HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66)) AS RowHash + LOWER(SUBSTRING(CONVERT(VARCHAR(66), + HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66)) AS RowHash FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] """.strip() @@ -195,13 +196,12 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful rds_db_query_sample_row = f""" SELECT TOP 1 {rds_db_tbl_pkey_column}, - SUBSTRING(CONVERT(VARCHAR(66), HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66) AS RowHash + SUBSTRING(CONVERT(VARCHAR(66), + HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66) AS RowHash FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] """.strip() - rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_empty_df( - rds_db_query_sample_row - ) + rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_df(rds_db_query_sample_row) LOGGER.info(f"""rds_db_query_sample_row_df-schema: \n{rds_db_query_sample_row_df.columns}""") existing_parquet_table_df = CustomPysparkMethods.get_s3_parquet_df_v2( 
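Review bot: `CONCAT({', '.join(all_columns_except_pkey)})` in the rewritten query of the `@@ -182,7` hunk joins the column values with no separator before `HASHBYTES('SHA2_256', ...)`, so different rows can yield the same `RowHash`: `('ab', 'c')` and `('a', 'bc')` hash identically, and a NULL cannot be told apart from an empty string. For a job that appears to validate migrated data by comparing row hashes, that lets some mismatches pass unnoticed. A separator plus an explicit NULL marker per column closes the gap, for example `CONCAT_WS('|', ISNULL(CAST(col AS NVARCHAR(MAX)), N'<NULL>'), ...)` generated for each column, with a separator chosen so it cannot occur in the data. The `@@ -195,13` hunk has the same expression and also omits the `LOWER(...)` used in the first query.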
@@ -229,6 +229,9 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful if df_rds_table_count == existing_parquet_count_pkey: LOGGER.warn(f"""df_rds_table_count = existing_parquet_table_df_count = {df_rds_table_count}""") sys.exit(f"""Both df_rds_table_count and existing_parquet_table_df_count are matching. Nothing to move, exiting ...""") + elif existing_parquet_count_pkey > df_rds_table_count: + LOGGER.warn(f"""existing_parquet_table_df_count > df_rds_table_count""") + sys.exit(f"""This scenario cannot be possible & needs further investigation, exiting ...""") # -------------------- where_clause_exp_str = f"""{rds_db_tbl_pkey_column} > {existing_parquet_max_pkey}""".strip() diff --git a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py index 9c57239c1c9..e5d9b8ae299 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py @@ -355,7 +355,7 @@ def get_rds_db_table_empty_df(self, rds_db_table_name) -> DataFrame: .option("query", f"""{query_str}""") .load()) - def get_rds_db_query_empty_df(self, rds_db_query) -> DataFrame: + def get_rds_db_query_df(self, rds_db_query) -> DataFrame: return (self.spark.read.format("jdbc") .option("url", self.rds_jdbc_url_v2) From f649a99e53102fac2fe225b9c0c83635f6610194 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 18:45:49 +0000 Subject: [PATCH 071/308] Change to metric name --- .../modules/components/dms/cloudwatch-alarms.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 943e27a9833..a08dcdb0a7f 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -240,7 +240,7 @@ resource "aws_lambda_function" "dms_replication_metric_publisher" { environment { variables = { METRIC_NAMESPACE = "CustomDMSMetrics", - METRIC_NAME = "DMSReplicationEvent" + METRIC_NAME = "DMSReplicationFailure" } } @@ -258,15 +258,15 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis resource "aws_cloudwatch_metric_alarm" "dms_replication_alarm" { - alarm_name = "DMSReplicationEventAlarm" + alarm_name = "DMSReplicationFailureAlarm" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" - metric_name = "DMSReplicationEvent" + metric_name = "DMSReplicationFailure" namespace = "CustomDMSMetrics" period = "60" statistic = "Sum" threshold = 1 - alarm_description = "Alarm when DMSReplicationEvent metric is >= 1" + alarm_description = "Alarm when DMSReplicationFailure metric is >= 1" alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] } From 7b72e1c994d1df49b6cc151498f89a1a703bf79c Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 19:06:29 +0000 Subject: [PATCH 072/308] Add debug --- .../components/dms/lambda/dms_replication_metric.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index 135ea33ee23..90185a5bd2e 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py 
+++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -1,5 +1,9 @@ import boto3 import json +import logging + +logger = logging.getLogger() +logger.setLevel(logging.INFO) def lambda_handler(event, context): @@ -8,7 +12,12 @@ def lambda_handler(event, context): message = json.loads(record['Sns']['Message']) - if message.get("EventType") == "replication-task-state-change" and message.get("status") == "STARTED": + event_type = message.get("EventType") + status = message.get("status") + + logger.info("SNS Message: %",message) + + if event_type == "replication-task-state-change" and status == "STARTED": cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ @@ -22,7 +31,7 @@ def lambda_handler(event, context): } ] ) - elif message.get("EventType") == "failure": + elif event_type == "failure": cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ From 66f61b16498e89860ed8c3f82d9827157fff017a Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 19:20:05 +0000 Subject: [PATCH 073/308] Missing s --- .../modules/components/dms/lambda/dms_replication_metric.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index 90185a5bd2e..e1dea16e042 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -15,7 +15,7 @@ def lambda_handler(event, context): event_type = message.get("EventType") status = message.get("status") - logger.info("SNS Message: %",message) + logger.info("SNS Message: %s",message) if event_type == "replication-task-state-change" and status == "STARTED": cloudwatch.put_metric_data( 
From 16ebed12633b948895fd36fc1ceb5ddf8fb3b587 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Mon, 11 Nov 2024 19:33:32 +0000 Subject: [PATCH 074/308] Use correct attributes --- .../components/dms/lambda/dms_replication_metric.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index e1dea16e042..a4cae889425 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -1,6 +1,7 @@ import boto3 import json import logging +import re logger = logging.getLogger() logger.setLevel(logging.INFO) @@ -12,12 +13,12 @@ def lambda_handler(event, context): message = json.loads(record['Sns']['Message']) - event_type = message.get("EventType") - status = message.get("status") + event_message = message.get("Event Message") logger.info("SNS Message: %s",message) - if event_type == "replication-task-state-change" and status == "STARTED": + if re.search(r"^Replication task has started.$",event_message): + logger.info("Task started") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ @@ -31,7 +32,8 @@ def lambda_handler(event, context): } ] ) - elif event_type == "failure": + elif re.search(r"^Replication task has failed..*$",event_message): + logger.info("Task failed") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ From 9a7228c9bf76677dd4b66648019ccf2f9f5d8c78 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 12 Nov 2024 00:50:26 +0000 Subject: [PATCH 075/308] Bump bridgecrewio/checkov-action from 12.2896.0 to 12.2897.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2896.0 to 12.2897.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/fbbe7f00cc6d32c5d1c1c781a419e5fc376e1ee7...d1f45a54390aaaf45ff34d64698cd0ced79401ac) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 961101425b3..1701d59d6ed 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@fbbe7f00cc6d32c5d1c1c781a419e5fc376e1ee7 # v12.2896.0 + uses: bridgecrewio/checkov-action@d1f45a54390aaaf45ff34d64698cd0ced79401ac # v12.2897.0 with: directory: ./ framework: terraform From ec80f580fb72ec733db65c668ab3633797045e84 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 09:46:24 +0000 Subject: [PATCH 076/308] Add secret Signed-off-by: GitHub --- .../analytical-platform-compute/secrets.tf | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/secrets.tf b/terraform/environments/analytical-platform-compute/secrets.tf index 6b156936b4e..a35bcc4f52c 100644 --- a/terraform/environments/analytical-platform-compute/secrets.tf +++ b/terraform/environments/analytical-platform-compute/secrets.tf 
@@ -141,3 +141,27 @@ module "actions_runners_token_apc_self_hosted_runners_secret" { } ) } + +module "actions_runners_token_apc_self_hosted_runners_github_app" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0 + + source = "terraform-aws-modules/secrets-manager/aws" + version = "1.3.1" + + name = "actions-runners/app/apc-self-hosted-runners" + description = "https://github.com/organizations/moj-analytical-services/settings/installations/57058653" + kms_key_id = module.common_secrets_manager_kms.key_arn + + secret_string = jsonencode({ + app_id = "CHANGEME", + client_id = "CHANGEME", + installation_id = "CHANGEME", + private_key = "CHANGEME" + }) + ignore_secret_changes = true + + tags = local.tags +} From 7c2ec68432cae4ff4417864cdbc1542313e933f4 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 09:55:38 +0000 Subject: [PATCH 077/308] More detailed metric --- .../dms/lambda/dms_replication_metric.py | 36 +++++++++++++++---- 1 file changed, 29 insertions(+), 7 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index a4cae889425..2e445e60a0e 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py 
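Review bot: The two `#checkov:skip` lines waive source pinning for the module that will hold a GitHub App private key, leaving it resolved by the registry version `1.3.1` alone. A `git::` source with `?ref=<commit-sha>` pins the module content and would let CKV_TF_1 pass without a skip. Separately, `ignore_secret_changes = true` means the `CHANGEME` values are what Terraform deploys, so anything that reads the secret before it is filled in by hand receives placeholders. A short comment stating how the real values are set, and that consumers must treat `CHANGEME` as "not configured", would help.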
@@ -12,35 +12,57 @@ def lambda_handler(event, context): for record in event['Records']: message = json.loads(record['Sns']['Message']) + logger.info("SNS Message: %s",message) event_message = message.get("Event Message") + event_source = message.get("Event Source") + source_id = message.get("SourceId") - logger.info("SNS Message: %s",message) + dms_event_id = re.search(r"#(DMS-EVENT-\d+) $",message.get("Event ID")) + + # DMS Event IDs are documented at https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Events.html + # + # Those relevant for this metric are: + # + # Running Replication: + # DMS-EVENT-0069: The replication task has started. + # DMS-EVENT-0081: A reload of table details has been requested. + # DMS-EVENT-0093: Reading resumed. + running_replication = ["DMS-EVENT-0069","DMS-EVENT-0081","DMS-EVENT-0093"] + # + # Stopped Replication: + # DMS-EVENT-0079: The replication task has stopped. + # DMS-EVENT-0091: Reading paused, swap files limit reached. + # DMS-EVENT-0092: Reading paused, disk usage limit reached. + # DMS-EVENT-0078: A replication task has failed. 
+ stopped_replication = ["DMS-EVENT-0079","DMS-EVENT-0091","DMS-EVENT-0092","DMS-EVENT-0078"] - if re.search(r"^Replication task has started.$",event_message): + if dms_event_id in running_replication: logger.info("Task started") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ { - 'MetricName': 'DMSReplicationFailure', + 'MetricName': 'DMSReplicationStopped', 'Dimensions': [ - {'Name': 'Service', 'Value': 'DMS'} + {'Name': 'EventSource', 'Value': event_source}, + {'Name': 'SourceId', 'Value': source_id} ], 'Value': 0, # Reset Below Trigger threshold (Task Started) 'Unit': 'Count' } ] ) - elif re.search(r"^Replication task has failed..*$",event_message): + elif dms_event_id in stopped_replication: logger.info("Task failed") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ { - 'MetricName': 'DMSReplicationFailure', + 'MetricName': 'DMSReplicationStopped', 'Dimensions': [ - {'Name': 'Service', 'Value': 'DMS'} + {'Name': 'EventSource', 'Value': event_source}, + {'Name': 'SourceId', 'Value': source_id} ], 'Value': 1, # Trigger threshold (Task Failed) 'Unit': 'Count' From 87608fc534d892bab7913f466ba518d4562f319e Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 09:56:46 +0000 Subject: [PATCH 078/308] skips and formatting Signed-off-by: GitHub --- .../iam-policies.tf | 39 +++++++------------ 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index d7595c772cb..63610c9d3bf 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf 
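Review bot: `dms_event_id` holds the result of `re.search(...)`, which is a match object or `None`, so `dms_event_id in running_replication` and `dms_event_id in stopped_replication` compare it with strings and are never true; no metric is published for any event. Compare the captured group instead, after checking that a match exists, e.g. `event_id = dms_event_id.group(1) if dms_event_id else None`. The metric is also renamed to `DMSReplicationStopped` with `EventSource` and `SourceId` dimensions, while the alarm in PATCH 071 watches `DMSReplicationFailure` with no dimensions, so unless the alarm is updated elsewhere in the series it would stop receiving data. `event_message` is assigned but no longer used.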
@@ -198,29 +198,18 @@ data "aws_iam_policy_document" "analytical_platform_share_policy" { "lakeformation:DescribeResource", "lakeformation:GetDataAccess", ] - resources = [ - "arn:aws:lakeformation:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:catalog:${data.aws_caller_identity.current.account_id}" - ] + resources = ["arn:aws:lakeformation:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:catalog:${data.aws_caller_identity.current.account_id}"] } - statement { - effect = "Allow" - actions = [ - "iam:PutRolePolicy" - ] - resources = [ - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess" - ] + effect = "Allow" + actions = ["iam:PutRolePolicy"] + resources = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"] } # Needed for LakeFormationAdmin to check the presense of the Lake Formation Service Role statement { - effect = "Allow" - actions = [ - "iam:CreateServiceLinkedRole" - ] - resources = [ - "*" - ] + effect = "Allow" + actions = ["iam:CreateServiceLinkedRole"] + resources = ["*"] condition { test = "StringEquals" variable = "iam:AWSServiceName" @@ -243,9 +232,7 @@ data "aws_iam_policy_document" "analytical_platform_share_policy" { "s3:*", "quicksight:*" ] - resources = [ - "*" - ] + resources = ["*"] } statement { effect = "Allow" @@ -253,11 +240,8 @@ data "aws_iam_policy_document" "analytical_platform_share_policy" { "ram:CreateResourceShare", "ram:DeleteResourceShare" ] - resources = [ - "arn:aws:ram:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:resource-share/*" - ] + resources = ["arn:aws:ram:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:resource-share/*"] } - statement { effect = "Allow" actions = [ 
@@ -282,6 +266,11 @@ module "analytical_platform_lake_formation_share_policy" { } data "aws_iam_policy_document" "quicksight_vpc_connection" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + #checkov:skip=CKV_AWS_111:Policy suggested by AWS documentation + #checkov:skip=CKV_AWS_356:Policy suggested by AWS documentation + statement { sid = "QuickSightVPCConnection" effect = "Allow" From 195c90a54a1f898694a08b9a8c9b4e30fd1bcfd4 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Tue, 12 Nov 2024 09:57:25 +0000 Subject: [PATCH 079/308] GlueJob to hash table rows save to parquet - 1211-1 --- .../dms_data_validation_glue_job_v2.tf | 20 +++++++++---------- ...=> etl_table_rows_hashvalue_to_parquet.py} | 3 ++- 2 files changed, 12 insertions(+), 11 deletions(-) rename terraform/environments/electronic-monitoring-data/glue-job/{etl_table_row_hashvalues_to_parquet.py => etl_table_rows_hashvalue_to_parquet.py} (99%) diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index da2083ceaf0..7adb634abb0 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf 
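Review bot: The `#checkov:skip` lines added to `data "aws_iam_policy_document" "quicksight_vpc_connection"` silence CKV_AWS_111 and CKV_AWS_356, the checks for unconstrained write actions and `*` resources, with only "Policy suggested by AWS documentation" as the reason. Most of the statement lies outside the hunk, so the actions cannot be judged here, but the skip comment should link the exact AWS page and say why the resources cannot be narrowed. CKV_TF_1 and CKV_TF_2 are module-source checks and look out of place on a data source; drop those two lines unless a scanner finding shows they are needed.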
@@ -373,22 +373,22 @@ EOF } -resource "aws_cloudwatch_log_group" "etl_table_row_hashvalues_to_parquet" { - name = "etl-table-row-hashvalues-to-parquet" +resource "aws_cloudwatch_log_group" "etl_table_rows_hashvalue_to_parquet" { + name = "etl-table-rows-hashvalue-to-parquet" retention_in_days = 14 } -resource "aws_s3_object" "etl_table_row_hashvalues_to_parquet" { +resource "aws_s3_object" "etl_table_rows_hashvalue_to_parquet" { bucket = module.s3-glue-job-script-bucket.bucket.id - key = "etl_table_row_hashvalues_to_parquet.py" - source = "glue-job/etl_table_row_hashvalues_to_parquet.py" - etag = filemd5("glue-job/etl_table_row_hashvalues_to_parquet.py") + key = "etl_table_rows_hashvalue_to_parquet.py" + source = "glue-job/etl_table_rows_hashvalue_to_parquet.py" + etag = filemd5("glue-job/etl_table_rows_hashvalue_to_parquet.py") } -resource "aws_glue_job" "etl_table_row_hashvalues_to_parquet" { +resource "aws_glue_job" "etl_table_rows_hashvalue_to_parquet" { count = local.gluejob_count - name = "etl-table-row-hashvalues-to-parquet" + name = "etl-table-rows-hashvalue-to-parquet" description = "Table migration & validation Glue-Job (PySpark)." role_arn = aws_iam_role.glue_mig_and_val_iam_role.arn glue_version = "4.0" @@ -408,7 +408,7 @@ resource "aws_glue_job" "etl_table_row_hashvalues_to_parquet" { "--extra-py-files" = "s3://${module.s3-glue-job-script-bucket.bucket.id}/${aws_s3_object.aws_s3_object_pyzipfile_to_s3folder.id}" "--hashed_output_s3_bucket_name" = module.s3-dms-data-validation-bucket.bucket.id "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name - "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.etl_table_row_hashvalues_to_parquet.name}" + "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.etl_table_rows_hashvalue_to_parquet.name}" "--enable-continuous-cloudwatch-log" = "true" "--enable-continuous-log-filter" = "true" "--enable-metrics" = "true" 
@@ -425,7 +425,7 @@ EOF connections = [aws_glue_connection.glue_rds_sqlserver_db_connection.name] command { python_version = "3" - script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/etl_table_row_hashvalues_to_parquet.py" + script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/etl_table_rows_hashvalue_to_parquet.py" } tags = merge( diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py similarity index 99% rename from terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py rename to terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py index e6d8a02291e..ed707ce8448 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_row_hashvalues_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py @@ -171,6 +171,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful prq_bucket_parent_folder = f"""{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}""" prq_table_folder_path = f"""{rds_db_name}/{rds_sqlserver_db_schema}/{rds_sqlserver_db_table}""" + if S3Methods.check_s3_folder_path_if_exists( HASHED_OUTPUT_S3_BUCKET_NAME, f'''{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}/{prq_table_folder_path}''' 
@@ -292,7 +293,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful f"""hashed_rows_prq_df: Repartitioned -> {hashed_rows_prq_df.rdd.getNumPartitions()} partitions.""") hashed_rows_prq_df_sorted = hashed_rows_prq_df.sortWithinPartitions(f"{rds_db_tbl_pkey_column}") - LOGGER.info(f"""hashed_rows_prq_df - sorted within partitions on pkey.""") + LOGGER.info(f"""hashed_rows_prq_df - sorted within partitions on '{rds_db_tbl_pkey_column}'.""") write_parquet_to_s3(hashed_rows_prq_df_sorted, f'''s3://{prq_bucket_parent_folder}/{prq_table_folder_path}''') From 7acb03dcab7d756ac735e7582e9b59e073c3f302 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 10:28:47 +0000 Subject: [PATCH 080/308] Use the matched pattern --- .../modules/components/dms/lambda/dms_replication_metric.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index 2e445e60a0e..2eb8bdd1881 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -37,7 +37,7 @@ def lambda_handler(event, context): # DMS-EVENT-0078: A replication task has failed. stopped_replication = ["DMS-EVENT-0079","DMS-EVENT-0091","DMS-EVENT-0092","DMS-EVENT-0078"] - if dms_event_id in running_replication: + if dms_event_id.group(1) in running_replication: logger.info("Task started") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', @@ -53,7 +53,7 @@ def lambda_handler(event, context): } ] ) - elif dms_event_id in stopped_replication: + elif dms_event_id.group(1) in stopped_replication: logger.info("Task failed") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', From 960b2707d3df7b480aa8d335137a34811f83db73 Mon Sep 17 00:00:00 2001 
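Review bot: `dms_event_id.group(1)` in the new `if` of the `-37,7` hunk, and in the `elif` of the `-53,7` hunk, raises `AttributeError` when the pattern did not match, assuming `dms_event_id` is the result of a `re.search`/`re.match` call made above the hunk. An SNS message without an event id would then fail the invocation instead of being ignored, which adds error noise to the alerting path this Lambda feeds. Resolve the id once behind a guard, `event_id = dms_event_id.group(1) if dms_event_id else None`, and test `event_id in running_replication` and `event_id in stopped_replication`. `lambda_handler` starts and ends outside both hunks.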
From: koladeadewuyi-moj <136330532+koladeadewuyi-moj@users.noreply.github.com> Date: Tue, 12 Nov 2024 10:45:26 +0000 Subject: [PATCH 081/308] DPR2-1447: Add S3 retry configs to pipelines (#8605) --- .../domains/ingestion-pipeline/pipeline.tf | 8 ++++++-- .../domains/ingestion-pipeline/variables.tf | 15 ++++++++++++++ .../domains/maintenance-pipeline/pipeline.tf | 5 ++++- .../domains/maintenance-pipeline/variables.tf | 15 ++++++++++++++ .../domains/reload-pipeline/pipeline.tf | 20 ++++++++++++++----- .../domains/reload-pipeline/variables.tf | 15 ++++++++++++++ .../domains/replay-pipeline/pipeline.tf | 12 ++++++++--- .../domains/replay-pipeline/variables.tf | 15 ++++++++++++++ 8 files changed, 94 insertions(+), 11 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf index 404ffc7f182..9bd7ee262ea 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf @@ -104,7 +104,9 @@ module "data_ingestion_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } 
@@ -192,7 +194,9 @@ module "data_ingestion_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.allowed.s3.file.extensions" : ".parquet", "--dpr.config.key" : var.domain diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf index 42e144db5b4..ba2b14db3ff 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf @@ -229,6 +229,21 @@ variable "retention_curated_num_workers" { } } +variable "glue_s3_max_attempts" { + description = "The maximum number of attempts when making requests to S3" + type = number +} + +variable "glue_s3_retry_min_wait_millis" { + description = "The minimum wait duration in millis before a request to S3 is retried" + type = number +} + +variable "glue_s3_retry_max_wait_millis" { + description = "The maximum wait duration in millis before a request to S3 is retried" + type = number +} + variable "tags" { type = map(string) default = {} diff --git a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf index d00824af80b..c4b0b577f56 100644 
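Review bot: The three variables added in the `-229,6 +229,21` hunk of `ingestion-pipeline/variables.tf` have neither a default nor a `validation` block, so a zero or negative value is passed through `tostring()` into the Glue job arguments and would only surface as a runtime failure of the job. A per-variable check such as `condition = var.glue_s3_max_attempts >= 1` with `error_message = "glue_s3_max_attempts must be at least 1."` (and `>= 0` for the two wait variables) catches this at plan time. The same three declarations are repeated in the maintenance-, reload- and replay-pipeline `variables.tf` hunks of this commit and would need the same blocks.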
--- a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf @@ -30,7 +30,10 @@ module "maintenance_pipeline" { "Parameters" : { "JobName" : var.glue_unprocessed_raw_files_check_job, "Arguments" : { - "--dpr.orchestration.wait.interval.seconds" : "60" + "--dpr.orchestration.wait.interval.seconds" : "60", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis) } }, "Next" : "Stop Glue Streaming Job" diff --git a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/variables.tf index 6a10c2a9dd6..a16130e7ee9 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/variables.tf @@ -157,6 +157,21 @@ variable "retention_curated_num_workers" { } } +variable "glue_s3_max_attempts" { + description = "The maximum number of attempts when making requests to S3" + type = number +} + +variable "glue_s3_retry_min_wait_millis" { + description = "The minimum wait duration in millis before a request to S3 is retried" + type = number +} + +variable "glue_s3_retry_max_wait_millis" { + description = "The maximum wait duration in millis before a request to S3 is retried" + type = number +} + variable "tags" { description = "(Optional) Key-value map of resource tags." type = map(string) 
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf index 84701c385e2..7ef9bd52c4f 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf @@ -78,7 +78,9 @@ module "reload_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } @@ -119,7 +121,9 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } 
@@ -229,7 +233,9 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } @@ -247,7 +253,9 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } @@ -265,7 +273,9 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } 
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/variables.tf index 9894fce67ba..ea22b35cf8c 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/variables.tf @@ -238,6 +238,21 @@ variable "retention_curated_num_workers" { } } +variable "glue_s3_max_attempts" { + description = "The maximum number of attempts when making requests to S3" + type = number +} + +variable "glue_s3_retry_min_wait_millis" { + description = "The minimum wait duration in millis before a request to S3 is retried" + type = number +} + +variable "glue_s3_retry_max_wait_millis" { + description = "The maximum wait duration in millis before a request to S3 is retried" + type = number +} + variable "tags" { type = map(string) default = {} diff --git a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf index 995119d1442..9d35ca65005 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf 
@@ -89,7 +89,9 @@ module "replay_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_curated_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } @@ -129,7 +131,9 @@ module "replay_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } @@ -146,7 +150,9 @@ module "replay_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : "3", + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), + "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, "--dpr.config.key" : var.domain } 
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/variables.tf index 19f23b08cc3..f84fccb9b6c 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/variables.tf @@ -235,6 +235,21 @@ variable "retention_curated_num_workers" { } } +variable "glue_s3_max_attempts" { + description = "The maximum number of attempts when making requests to S3" + type = number +} + +variable "glue_s3_retry_min_wait_millis" { + description = "The minimum wait duration in millis before a request to S3 is retried" + type = number +} + +variable "glue_s3_retry_max_wait_millis" { + description = "The maximum wait duration in millis before a request to S3 is retried" + type = number +} + variable "tags" { type = map(string) default = {} From a136860bba234547446c88c61a183418f11eb0bc Mon Sep 17 00:00:00 2001 From: Keir Williams Date: Tue, 12 Nov 2024 11:10:15 +0000 Subject: [PATCH 082/308] fix missing defaults in baseline module (#8640) --- terraform/modules/baseline/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index 7261fba7a95..d9ca54bf9d2 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -920,8 +920,8 @@ variable "schedule_alarms_lambda" { type = object({ function_name = string, lambda_log_level = optional(string, "INFO") - alarm_list = optional(list(string)) - alarm_patterns = optional(list(string)) + alarm_list = optional(list(string), []) + alarm_patterns = optional(list(string), []) disable_weekend = optional(bool, true) start_time = optional(string, "06:15") end_time = optional(string, "22:45") 
From ebfdd7e30faeb43d8be27f344f8336f3d559eed5 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Tue, 12 Nov 2024 11:14:43 +0000
Subject: [PATCH 083/308] add new external-secert
Signed-off-by: Jacob Woffenden
---
 .../kubernetes-external-secrets.tf | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
index f12d4541e66..9f4e19d46ed 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
@@ -90,3 +90,56 @@ resource "kubernetes_manifest" "actions_runners_token_apc_self_hosted_runners_se
 }
 }
 }
+
+resource "kubernetes_manifest" "actions_runners_github_app_apc_self_hosted_runners_secret" {
+ count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0
+
+ manifest = {
+ "apiVersion" = "external-secrets.io/v1beta1"
+ "kind" = "ExternalSecret"
+ "metadata" = {
+ "name" = "actions-runners-github-app-apc-self-hosted-runners"
+ "namespace" = kubernetes_namespace.actions_runners[0].metadata[0].name
+ }
+ "spec" = {
+ "refreshInterval" = "1m"
+ "secretStoreRef" = {
+ "kind" = "ClusterSecretStore"
+ "name" = "aws-secretsmanager"
+ }
+ "target" = {
+ "name" = "actions-runners-github-app-apc-self-hosted-runners"
+ }
+ "data" = [
+ {
+ "remoteRef" = {
+ "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+ "property" = "app_id"
+ }
+ "secretKey" = "app-id"
+ },
+ {
+ "remoteRef" = {
+ "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+ "property" = "client_id"
+ }
+ "secretKey" = "client-id"
+ },
+ {
+ "remoteRef" = {
+ "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+ "property" = "installation_id"
+ }
+ "secretKey" = "installation-id"
+ },
+ {
+ "remoteRef" = {
+ "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+ "property" = "private_key"
+ }
+ "secretKey" = "private-key"
+ },
+ ]
+ }
+ }
+}
From 68939917d68f9b672f158d3544f0f5d3de5173cc Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 11:24:09 +0000
Subject: [PATCH 084/308] Set Alarm for Any Dimension
---
 .../components/dms/cloudwatch-alarms.tf | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index a08dcdb0a7f..4aa696a550d 100644
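Review bot: `"refreshInterval" = "1m"` on the new `ExternalSecret` makes the operator re-read the GitHub App secret from Secrets Manager every minute, although these credentials presumably change rarely; a longer value such as `"refreshInterval" = "1h"` reduces API calls without much effect on rotation latency. The manifest also copies `private_key` into the Kubernetes Secret `actions-runners-github-app-apc-self-hosted-runners`, so anyone who can read Secrets in that namespace can obtain the App's signing key. Nothing in the hunk shows the RBAC for the namespace, so a comment above the resource naming the workload that consumes the Secret would let a reviewer confirm that read access is limited to it.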
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -256,17 +256,17 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis
 source_arn = aws_sns_topic.dms_events_topic.arn
 }
-
-resource "aws_cloudwatch_metric_alarm" "dms_replication_alarm" {
- alarm_name = "DMSReplicationFailureAlarm"
- comparison_operator = "GreaterThanOrEqualToThreshold"
- evaluation_periods = "1"
- metric_name = "DMSReplicationFailure"
+resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" {
+ alarm_name = "DMSReplicationStoppedAlarm"
+ comparison_operator = "GreaterThanThreshold"
+ evaluation_periods = 1
+ metric_name = "DMSReplicationStopped"
 namespace = "CustomDMSMetrics"
- period = "60"
- statistic = "Sum"
- threshold = 1
- alarm_description = "Alarm when DMSReplicationFailure metric is >= 1"
+ period = 60
+ statistic = "Maximum"
+ threshold = 0
+ treat_missing_data = "missing"
+ alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed"
 alarm_actions = [aws_sns_topic.dms_alerts_topic.arn]
From 79076888fb0146e94b9e49aa3fcbe05ee91a3416 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 11:41:42 +0000
Subject: [PATCH 085/308] Treat missing data as not breaching Events will occur rarely
---
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index 4aa696a550d..7a7e2dd8b99 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
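Review bot: The renamed alarm `dms_replication_stopped_alarm` sets `metric_name` and `namespace` but no `dimensions`, and CloudWatch does not aggregate a custom metric across dimension values. If the Lambda publishes `DMSReplicationStopped` with a per-task dimension (its `MetricData` entries are not visible in this series), the alarm never receives a datapoint and a stopped task goes unreported. Either have the Lambda also publish a datapoint without dimensions, or create one alarm per task with `dimensions = { <DimensionName> = <task identifier> }`. The `-260,29 +260,15` hunk of PATCH 092 returns to the same dimensionless form and has the same gap.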
@@ -262,10 +262,10 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" {
 evaluation_periods = 1
 metric_name = "DMSReplicationStopped"
 namespace = "CustomDMSMetrics"
- period = 60
+ period = 300
 statistic = "Maximum"
 threshold = 0
- treat_missing_data = "missing"
+ treat_missing_data = "notBreaching"
 alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed"
 alarm_actions = [aws_sns_topic.dms_alerts_topic.arn]
From c91f55143b5d3d79abfe52813aa153cf309d3bf4 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 11:45:15 +0000
Subject: [PATCH 086/308] Keep existing alarm status
---
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index 7a7e2dd8b99..a15549ea90a 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -265,7 +265,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" {
 period = 300
 statistic = "Maximum"
 threshold = 0
- treat_missing_data = "notBreaching"
+ treat_missing_data = "ignore"
 alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed"
 alarm_actions = [aws_sns_topic.dms_alerts_topic.arn]
From 821f01b8f48614772010f8dee99282381c24e3b7 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 11:46:11 +0000
Subject: [PATCH 087/308] Reduce period whilst testing
---
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index a15549ea90a..4ed9be0ae83 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -262,7 +262,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { evaluation_periods = 1 metric_name = "DMSReplicationStopped" namespace = "CustomDMSMetrics" - period = 300 + period = 60 statistic = "Maximum" threshold = 0 treat_missing_data = "ignore" From 03cf0c6aa59a2da564ab39f7b106f054fdbd151f Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 14:22:53 +0000 Subject: [PATCH 088/308] Put more information into the log --- .../modules/components/dms/lambda/dms_replication_metric.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index 2eb8bdd1881..bff16021b90 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -38,7 +38,7 @@ def lambda_handler(event, context): stopped_replication = ["DMS-EVENT-0079","DMS-EVENT-0091","DMS-EVENT-0092","DMS-EVENT-0078"] if dms_event_id.group(1) in running_replication: - logger.info("Task started") + logger.info("TASK START: " + event_source + " task " + source_id + " started") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ @@ -54,7 +54,7 @@ def lambda_handler(event, context): ] ) elif dms_event_id.group(1) in stopped_replication: - logger.info("Task failed") + logger.info("TASK STOPPED: " + event_source + " task " + source_id + " stopped") cloudwatch.put_metric_data( Namespace='CustomDMSMetrics', MetricData=[ From e2c31196374596e74a5e5cb5f1895e6bfb42a983 Mon Sep 17 00:00:00 2001 
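Review bot: The new `logger.info("TASK START: " + event_source + " task " + source_id + " started")` builds its message by concatenation, which raises `TypeError` if either value is not a `str`, for example `None` when the field is absent from the event. The call runs before `cloudwatch.put_metric_data`, so a malformed event would then skip the metric as well as the log line. Logger-side formatting avoids that: `logger.info("TASK START: %s task %s started", event_source, source_id)`, and the same form for the `TASK STOPPED` line in the `-54,7` hunk. `event_source` and `source_id` are assigned outside both hunks, so their types are assumed here.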
From: Jacob Woffenden
Date: Tue, 12 Nov 2024 14:54:48 +0000
Subject: [PATCH 089/308] Add decodingStrategy for private_key
Signed-off-by: Jacob Woffenden
---
 .../kubernetes-external-secrets.tf | 5 +++--
 .../analytical-platform-compute/kubernetes-secrets.tf | 2 --
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
index 9f4e19d46ed..90b5d90ef84 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf
@@ -134,8 +134,9 @@ resource "kubernetes_manifest" "actions_runners_github_app_apc_self_hosted_runne
 },
 {
 "remoteRef" = {
- "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
- "property" = "private_key"
+ "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+ "property" = "private_key"
+ "decodingStrategy" = "base64"
 }
 "secretKey" = "private-key"
 },
diff --git a/terraform/environments/analytical-platform-compute/kubernetes-secrets.tf b/terraform/environments/analytical-platform-compute/kubernetes-secrets.tf
index fe60697d038..6000872340f 100644
--- a/terraform/environments/analytical-platform-compute/kubernetes-secrets.tf
+++ b/terraform/environments/analytical-platform-compute/kubernetes-secrets.tf
@@ -70,5 +70,3 @@ resource "kubernetes_secret" "ui_app_secrets" {
 secret_key = random_password.ui_app_secrets.result
 }
 }
-
-
From 121fce7066f5ce6869b92b88ab75efa315822441 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 14:59:14 +0000
Subject: [PATCH 090/308] Sum stopped tasks
---
 .../components/dms/cloudwatch-alarms.tf | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index 4ed9be0ae83..f33074c94ce 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -260,13 +260,29 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" {
 alarm_name = "DMSReplicationStoppedAlarm"
 comparison_operator = "GreaterThanThreshold"
 evaluation_periods = 1
- metric_name = "DMSReplicationStopped"
- namespace = "CustomDMSMetrics"
- period = 60
- statistic = "Maximum"
 threshold = 0
- treat_missing_data = "ignore"
 alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed"
+ actions_enabled = true
+ treat_missing_data = "ignore"
+ threshold_metric_id = "m1"
+
+ # Defining the metric query to sum across all dimensions (replication tasks)
+ metric_query {
+ id = "m1"
+ expression = "SUM(m2)"
+ label = "Sum of Stopped Replication Tasks across all defined Tasks"
+ return_data = true
+ }
+
+ metric_query {
+ id = "m2"
+ metric {
+ namespace = "CustomDMSMetrics"
+ metric_name = "DMSReplicationStopped"
+ period = 60
+ stat = "Maximum"
+ }
+ }
 alarm_actions = [aws_sns_topic.dms_alerts_topic.arn]
 }
From 3bbd1863aff1cefdbb6104ffe7e129942cb3fca0 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 15:04:30 +0000
Subject: [PATCH 091/308] Threshold is zero
---
 .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index f33074c94ce..c3b2abbf877 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -264,7 +264,6 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" {
 alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed"
 actions_enabled = true
 treat_missing_data = "ignore"
- threshold_metric_id = "m1"
 # Defining the metric query to sum across all dimensions (replication tasks)
 metric_query {
From cda4f4a86f834685e0856d818a60eda4b8344448 Mon Sep 17 00:00:00 2001
From: Bill Buchan
Date: Tue, 12 Nov 2024 15:13:00 +0000
Subject: [PATCH 092/308] Sum over all dimensions
---
 .../components/dms/cloudwatch-alarms.tf | 26 +++++--------------
 1 file changed, 6 insertions(+), 20 deletions(-)
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
index c3b2abbf877..0ddd1c8d3ef 100644
--- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf
@@ -260,29 +260,15 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { alarm_name = "DMSReplicationStoppedAlarm" comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 + metric_name = "DMSReplicationStopped" + namespace = "CustomDMSMetrics" + period = 60 + statistic = "Sum" threshold = 0 + treat_missing_data = "ignore" alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed" actions_enabled = true - treat_missing_data = "ignore" - - # Defining the metric query to sum across all dimensions (replication tasks) - metric_query { - id = "m1" - expression = "SUM(m2)" - label = "Sum of Stopped Replication Tasks across all defined Tasks" - return_data = true - } - - metric_query { - id = "m2" - metric { - namespace = "CustomDMSMetrics" - metric_name = "DMSReplicationStopped" - period = 60 - stat = "Maximum" - } - } - + alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] } From 6c141aa6e4b534ebe751995dea799beb70f011e0 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 15:19:04 +0000 Subject: [PATCH 093/308] big sad Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/kubernetes-external-secrets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf index 90b5d90ef84..46b36ca5f7f 100644 --- a/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf +++ b/terraform/environments/analytical-platform-compute/kubernetes-external-secrets.tf @@ -136,7 +136,7 @@ resource "kubernetes_manifest" "actions_runners_github_app_apc_self_hosted_runne "remoteRef" = { "key" = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id "property" = "private_key" - "decodingStrategy" = "base64" + "decodingStrategy" = "Base64" } "secretKey" = "private-key" }, 
From 835c1e41a2094faec92b31a344eff71479635e85 Mon Sep 17 00:00:00 2001 From: Keir Williams Date: Tue, 12 Nov 2024 15:30:31 +0000 Subject: [PATCH 094/308] only create module if args are not empty (#8642) --- terraform/modules/baseline/schedule_alarms_lambda.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/modules/baseline/schedule_alarms_lambda.tf b/terraform/modules/baseline/schedule_alarms_lambda.tf index b4b2e7750ee..ca7a80551c7 100644 --- a/terraform/modules/baseline/schedule_alarms_lambda.tf +++ b/terraform/modules/baseline/schedule_alarms_lambda.tf @@ -1,6 +1,11 @@ module "schedule_alarms_lambda" { source = "../schedule_alarms_lambda" + count = ( + var.schedule_alarms_lambda.alarm_list != [] || + var.schedule_alarms_lambda.alarm_patterns != [] + ) ? 1 : 0 + lambda_function_name = var.schedule_alarms_lambda.function_name lambda_log_level = var.schedule_alarms_lambda.lambda_log_level From 85d1b0f60c17d7eb65a4b3cea4dea44d7736e795 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 15:50:58 +0000 Subject: [PATCH 095/308] Use maths expression for metric --- .../components/dms/cloudwatch-alarms.tf | 54 ++++++++++++++++--- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 0ddd1c8d3ef..5b0a456854b 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
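Review bot: The `count` guard on `module "schedule_alarms_lambda"` compares each list with the literal `[]`, and Terraform's `!=` compares type as well as value, so a variable typed as a list is never equal to the empty tuple and the condition is likely always true. The module would then be created in every account that uses this baseline, even when no alarms are configured. Test the lengths instead: `count = (length(var.schedule_alarms_lambda.alarm_list) > 0 || length(var.schedule_alarms_lambda.alarm_patterns) > 0) ? 1 : 0`. The variable's type declaration is outside the hunk, so confirm it is a list or set; the module block also continues past the hunk.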
@@ -256,22 +256,62 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis source_arn = aws_sns_topic.dms_events_topic.arn } + +# CloudWatch won't aggregate across dimensions for custom metrics (it will do so for some metrics published by other services, like EC2). +# resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { +# alarm_name = "DMSReplicationStoppedAlarm" +# comparison_operator = "GreaterThanThreshold" +# evaluation_periods = 1 +# metric_name = "DMSReplicationStopped" +# namespace = "CustomDMSMetrics" +# period = 60 +# statistic = "Sum" +# threshold = 0 +# treat_missing_data = "ignore" +# alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed" +# actions_enabled = true + +# alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] +# } + + +# Define a CloudWatch metric alarm with a metric math expression resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { alarm_name = "DMSReplicationStoppedAlarm" + alarm_description = "Alarm when Stopped Replication Task across all Dimensions (tasks)" comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 - metric_name = "DMSReplicationStopped" - namespace = "CustomDMSMetrics" - period = 60 - statistic = "Sum" threshold = 0 treat_missing_data = "ignore" - alarm_description = "Alarm when Any DMS Replication Task has Stopped or Failed" - actions_enabled = true - + + # Query for the custom metric across all dimensions + metric_query { + id = "m1" + metric_name = "DMSReplicationStopped" + namespace = "CustomDMSMetrics" + period = 60 + stat = "Sum" + } + + # Metric math expression to sum the metric across all dimensions + metric_query { + id = "e1" + expression = "SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))" + label = "TotalDMSReplicationStoppedAcrossAllDimensions" + } + + # Use the expression query result as the metric for the alarm + alarm_rule { + metric_query_id = "e1" + } + alarm_actions = 
[aws_sns_topic.dms_alerts_topic.arn] } + + + + # SNS Topic for DMS replication events # This is NOT the same as for DMS Cloudwatch Alarms (dms_alerting) # and is used to trigger the Lamda function if an event happens during From 94461318ce84fc3423717946abbb90510f1ade0a Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 16:00:03 +0000 Subject: [PATCH 096/308] Define which metric to use for the alarm --- .../modules/components/dms/cloudwatch-alarms.tf | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 5b0a456854b..a7caa65b3f8 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -291,18 +291,15 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { namespace = "CustomDMSMetrics" period = 60 stat = "Sum" + return_data = "false" } # Metric math expression to sum the metric across all dimensions metric_query { - id = "e1" - expression = "SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))" - label = "TotalDMSReplicationStoppedAcrossAllDimensions" - } - - # Use the expression query result as the metric for the alarm - alarm_rule { - metric_query_id = "e1" + id = "e1" + expression = "SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))" + label = "TotalDMSReplicationStoppedAcrossAllDimensions" + return_data = "false" } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] From 7b155f4719e6cefbc073efb58f82165e99437df6 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 16:08:03 +0000 Subject: [PATCH 097/308] Wrong attribute name --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
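Review bot: The `e1` expression `SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))` is not valid metric math: `METRICS()` takes at most one string, which filters the other queries in the same alarm by their `id`, and it cannot select by namespace or metric name. The only input it can see is `m1`, which names no dimensions, so if the publishing Lambda (not shown here) attaches a per-task dimension the alarm has no data to evaluate and, with `treat_missing_data = "ignore"`, stays in its current state instead of reporting a stopped task. The later hunks in this series that touch `m1` and `e1` keep the same expression. A Metrics Insights query can aggregate across dimensions inside an alarm, for example `expression = "SELECT SUM(DMSReplicationStopped) FROM CustomDMSMetrics"` with `period = 60` on that `metric_query`, which makes `m1` unnecessary.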
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index a7caa65b3f8..b9c43a4aea0 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -290,7 +290,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { metric_name = "DMSReplicationStopped" namespace = "CustomDMSMetrics" period = 60 - stat = "Sum" + statistic = "Sum" return_data = "false" } From 9d14a66a37bf011cddcc3e9395451537ff614887 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 16:13:41 +0000 Subject: [PATCH 098/308] Metric needs indenting --- .../modules/components/dms/cloudwatch-alarms.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index b9c43a4aea0..7c5a469807e 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -287,10 +287,12 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { # Query for the custom metric across all dimensions metric_query { id = "m1" - metric_name = "DMSReplicationStopped" - namespace = "CustomDMSMetrics" - period = 60 - statistic = "Sum" + metric { + metric_name = "DMSReplicationStopped" + namespace = "CustomDMSMetrics" + period = 60 + stat = "Sum" + } return_data = "false" } From fda1535ea59e7a72061dbe77887c91cf0caf0e5b Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 12 Nov 2024 16:14:42 +0000 Subject: [PATCH 099/308] Need to return the data --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 7c5a469807e..26cde0670fd 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -301,7 +301,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { id = "e1" expression = "SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))" label = "TotalDMSReplicationStoppedAcrossAllDimensions" - return_data = "false" + return_data = "true" } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] From fa0ed889adf00ac3bc3344d0edc8857ff605f5e6 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 16:58:37 +0000 Subject: [PATCH 100/308] 2.320.0-4 Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/data.tf | 4 + .../helm-charts-actions-runners.tf | 84 +++++++++++-------- .../values.yml.tftpl | 3 + .../actions-runners/airflow/values.yml.tftpl | 3 + .../create-a-derived-table/values.yml.tftpl | 3 + 5 files changed, 63 insertions(+), 34 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/data.tf b/terraform/environments/analytical-platform-compute/data.tf index 483190db413..9738c4e53a1 100644 --- a/terraform/environments/analytical-platform-compute/data.tf +++ b/terraform/environments/analytical-platform-compute/data.tf @@ -76,3 +76,7 @@ data "http" "prometheus_operator_crds" { url = each.value } + +data "aws_secretsmanager_secret_version" "actions_runners_token_apc_self_hosted_runners_github_app" { + secret_id = module.actions_runners_token_apc_self_hosted_runners_github_app.secret_id +} 
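Review bot: Reading the secret through `data "aws_secretsmanager_secret_version"` copies its whole `secret_string` into Terraform state, and the external-secrets manifest earlier in this series reads `private_key` from the same `secret_id`, so the GitHub App private key would end up in state just to obtain two identifiers. `app_id` and `installation_id` are identifiers rather than credentials; keeping them in a separate non-secret source (a variable, a local or an SSM parameter) avoids pulling the key material into state and plan. If the data source stays, a comment above it such as `# NOTE: secret_string also holds the GitHub App private key; state for this workspace must be encrypted and access-restricted` records the dependency for the next maintainer. Values derived from `secret_string` are also marked sensitive, which hides the rendered Helm values in plan output.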
diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index b74d7884690..076b828e5b8 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf 
@@ -6,17 +6,21 @@ resource "helm_release" "actions_runner_mojas_airflow" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-airflow" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/airflow/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "airflow" - github_runner_labels = "analytical-platform" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/data-iam-creator" + # github_app_application_id = data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string["app_id"] + # github_app_installation_id = data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "airflow" + github_runner_labels = "analytical-platform" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/data-iam-creator" } ) ] 
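Review bot: The same `jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)[...]` expression is written out twice in each of the seven `helm_release` blocks this commit touches (this hunk and the six that follow in the file), so any change to the secret's shape or to the data source address has to be repeated fourteen times. Decode once in a `locals` block, e.g. `github_app = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)`, and pass `local.github_app["app_id"]` and `local.github_app["installation_id"]` to each template. That also gives a single place to document what the secret contains. The resource block starts before and ends after this hunk.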
@@ -30,16 +34,18 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-airflow-create-a-pipeline" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "airflow-create-a-pipeline" - github_runner_labels = "analytical-platform" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "airflow-create-a-pipeline" + github_runner_labels = "analytical-platform" } ) ] 
@@ -53,17 +59,19 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "create-a-derived-table" - github_runner_labels = "analytical-platform" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "analytical-platform" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table" } ) ] 
@@ -75,17 +83,19 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_non_spot" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table-non-spot" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "create-a-derived-table" - github_runner_labels = "analytical-platform-non-spot" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "analytical-platform-non-spot" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table" } ) ] 
@@ -101,17 +111,19 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table-dpr" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "create-a-derived-table" - github_runner_labels = "digital-prison-reporting" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["digital-prison-reporting-production"]}:role/dpr-data-api-cross-account-role" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "digital-prison-reporting" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["digital-prison-reporting-production"]}:role/dpr-data-api-cross-account-role" } ) ] 
@@ -123,17 +135,19 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr_pp" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table-dpr-pp" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "create-a-derived-table" - github_runner_labels = "digital-prison-reporting-pp" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["digital-prison-reporting-preproduction"]}:role/dpr-data-api-cross-account-role" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "digital-prison-reporting-pp" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["digital-prison-reporting-preproduction"]}:role/dpr-data-api-cross-account-role" } ) ] 
@@ -145,17 +159,19 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test" /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table-emds-test" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.320.0-3" + version = "2.320.0-4" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_organisation = "moj-analytical-services" - github_repository = "create-a-derived-table" - github_runner_labels = "electronic-monitoring-data-test" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-test"]}:role/test-data-api-cross-account-role" + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "electronic-monitoring-data-test" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-test"]}:role/test-data-api-cross-account-role" } ) ] diff --git a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl index 50c2b82b5c7..a7cc6925e54 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl 
+++ b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl @@ -1,5 +1,8 @@ --- github: + app: + applicationID: "${github_app_application_id}" + installationID: "${github_app_installation_id}" organisation: ${github_organisation} repository: ${github_repository} runner: diff --git a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow/values.yml.tftpl b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow/values.yml.tftpl index e0a5a1f35a6..4fda2868ef3 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow/values.yml.tftpl +++ b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/airflow/values.yml.tftpl @@ -1,5 +1,8 @@ --- github: + app: + applicationID: "${github_app_application_id}" + installationID: "${github_app_installation_id}" organisation: ${github_organisation} repository: ${github_repository} runner: diff --git a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl index 6b5dad3733e..aa2b16ae6c8 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl +++ b/terraform/environments/analytical-platform-compute/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl @@ -1,5 +1,8 @@ --- github: + app: + applicationID: "${github_app_application_id}" + installationID: "${github_app_installation_id}" organisation: ${github_organisation} repository: ${github_repository} runner: From 860d01eebd3d9fb6123e30f8d9d6c6c2a112655c Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 17:00:39 +0000 Subject: [PATCH 101/308] remove comment 
Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/helm-charts-actions-runners.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index 076b828e5b8..666a4f32a67 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf @@ -13,8 +13,6 @@ resource "helm_release" "actions_runner_mojas_airflow" { templatefile( "${path.module}/src/helm/values/actions-runners/airflow/values.yml.tftpl", { - # github_app_application_id = data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string["app_id"] - # github_app_installation_id = data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string["installation_id"] github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] github_organisation = "moj-analytical-services" From 999cf10da315ad6b590c45e8cf9fc33474b1c4ad Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 17:05:38 +0000 Subject: [PATCH 102/308] counts Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/data.tf | 4 ++- .../helm-charts-actions-runners.tf | 28 +++++++++---------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/data.tf b/terraform/environments/analytical-platform-compute/data.tf index 9738c4e53a1..b67d53501d6 100644 --- a/terraform/environments/analytical-platform-compute/data.tf 
+++ b/terraform/environments/analytical-platform-compute/data.tf @@ -78,5 +78,7 @@ data "http" "prometheus_operator_crds" { } data "aws_secretsmanager_secret_version" "actions_runners_token_apc_self_hosted_runners_github_app" { - secret_id = module.actions_runners_token_apc_self_hosted_runners_github_app.secret_id + count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0 + + secret_id = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id } diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index 666a4f32a67..936a236ccb4 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf @@ -13,8 +13,8 @@ resource "helm_release" "actions_runner_mojas_airflow" { templatefile( "${path.module}/src/helm/values/actions-runners/airflow/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "airflow" github_runner_labels = "analytical-platform" 
@@ -39,8 +39,8 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" { templatefile( "${path.module}/src/helm/values/actions-runners/airflow-create-a-pipeline/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "airflow-create-a-pipeline" github_runner_labels = "analytical-platform" 
@@ -64,8 +64,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" { templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "analytical-platform" 
@@ -88,8 +88,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_non_spot" { templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "analytical-platform-non-spot" 
@@ -116,8 +116,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" { templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "digital-prison-reporting" 
@@ -140,8 +140,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr_pp" { templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "digital-prison-reporting-pp" 
@@ -164,8 +164,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test" templatefile( "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", { - github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["app_id"] - github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app.secret_string)["installation_id"] + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "electronic-monitoring-data-test" From e6ac529bce878072ca2a4a4b7d62e527c2d83b20 Mon Sep 17 00:00:00 2001 From: Keir Williams Date: Tue, 12 Nov 2024 17:29:19 +0000 Subject: [PATCH 103/308] check array length instead of comparing `[]` (#8646) --- terraform/modules/baseline/schedule_alarms_lambda.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/baseline/schedule_alarms_lambda.tf b/terraform/modules/baseline/schedule_alarms_lambda.tf index ca7a80551c7..7a195694a5b 100644 --- a/terraform/modules/baseline/schedule_alarms_lambda.tf +++ b/terraform/modules/baseline/schedule_alarms_lambda.tf 
@@ -2,8 +2,8 @@ module "schedule_alarms_lambda" { source = "../schedule_alarms_lambda" count = ( - var.schedule_alarms_lambda.alarm_list != [] || - var.schedule_alarms_lambda.alarm_patterns != [] + length(var.schedule_alarms_lambda.alarm_list) > 0 || + length(var.schedule_alarms_lambda.alarm_patterns) > 0 ) ? 1 : 0 lambda_function_name = var.schedule_alarms_lambda.function_name From 2215ddc0d7760d05eeab44a40175ee2221017131 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Tue, 12 Nov 2024 22:00:36 +0000 Subject: [PATCH 104/308] Add DataSync locations Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/data.tf | 4 ++++ .../datasync-locations.tf | 23 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 terraform/environments/analytical-platform-ingestion/datasync-locations.tf diff --git a/terraform/environments/analytical-platform-ingestion/data.tf b/terraform/environments/analytical-platform-ingestion/data.tf index a523b55ee10..da5f11b6917 100644 --- a/terraform/environments/analytical-platform-ingestion/data.tf +++ b/terraform/environments/analytical-platform-ingestion/data.tf @@ -37,3 +37,7 @@ data "aws_network_interface" "datasync_vpc_endpoint" { data "aws_ec2_transit_gateway" "moj_tgw" { id = "tgw-026162f1ba39ce704" } + +data "aws_secretsmanager_secret_version" "datasync_dom1" { + secret_id = module.datasync_dom1_secret.secret_id +} diff --git a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf new file mode 100644 index 00000000000..8319a128dba --- /dev/null +++ b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf 
@@ -0,0 +1,23 @@ +resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_investigations" { + server_hostname = "dom1.infra.int" + subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/Investigations" + + user = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["username"] + password = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["password"] + + agent_arns = [aws_datasync_agent.main.arn] + + tags = local.tags +} + +resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_itas" { + server_hostname = "dom1.infra.int" + subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/ITAS" + + user = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["username"] + password = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["password"] + + agent_arns = [aws_datasync_agent.main.arn] + + tags = local.tags +} From 85b7507d1deb411db40f4341e8341b5d101319fc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 00:41:08 +0000 Subject: [PATCH 105/308] Bump bridgecrewio/checkov-action from 12.2897.0 to 12.2901.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2897.0 to 12.2901.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/d1f45a54390aaaf45ff34d64698cd0ced79401ac...4a99082c85209d45681ede7f3f230941caf8e366) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
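Review bot: Both `aws_datasync_location_smb` resources take `password` from `jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["password"]`, so the cleartext SMB credential is written to Terraform state through the data source and through each resource's `password` attribute. The state backend's encryption and read access are not visible here and should be checked to cover that. A rotation in Secrets Manager also will not reach DataSync until the next apply. The secret is decoded four times across the two resources; a single local such as `datasync_dom1_credentials = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)` would leave one place to audit. A short comment above the resources, e.g. `# SMB credentials come from Secrets Manager; values are held in state, keep state access restricted`, would make the trade-off explicit.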
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 1701d59d6ed..982dcaeb11e 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@d1f45a54390aaaf45ff34d64698cd0ced79401ac # v12.2897.0 + uses: bridgecrewio/checkov-action@4a99082c85209d45681ede7f3f230941caf8e366 # v12.2901.0 with: directory: ./ framework: terraform From e42c8bdee470ae46f991164d36dadd675b689380 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 13 Nov 2024 00:41:12 +0000 Subject: [PATCH 106/308] Bump github/codeql-action from 3.27.1 to 3.27.3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.1 to 3.27.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4f3212b61783c3c68e8309a0f18a699764811cda...396bb3e45325a47dd9ef434068033c6d5bb0d11a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 1701d59d6ed..2d67a2a3af9 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml 
@@ -38,7 +38,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 with: sarif_file: tflint.sarif trivy: @@ -63,7 +63,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 with: sarif_file: 'trivy-results.sarif' checkov: @@ -90,6 +90,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 57cee81b822..c93801ca55e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 + uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 with: sarif_file: results.sarif From b431b36f782daca18041f4154db164c3e29698f0 Mon Sep 17 00:00:00 2001 
From: Madhu Kadiri Date: Wed, 13 Nov 2024 09:12:46 +0000 Subject: [PATCH 107/308] GlueJob to hash table rows save to parquet - 1311-1 --- .../dms_data_validation_glue_job_v2.tf | 67 +++++ .../glue-job/dms_dv_on_rows_hashvalue.py | 235 ++++++++++++++++++ .../etl_table_rows_hashvalue_to_parquet.py | 4 +- 3 files changed, 304 insertions(+), 2 deletions(-) create mode 100644 terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index 7adb634abb0..445ca67ca7f 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf 
@@ -436,3 +436,70 @@ EOF ) } + + + +resource "aws_cloudwatch_log_group" "dms_dv_on_rows_hashvalue" { + name = "dms-dv-on-rows-hashvalue" + retention_in_days = 14 +} + +resource "aws_s3_object" "dms_dv_on_rows_hashvalue" { + bucket = module.s3-glue-job-script-bucket.bucket.id + key = "dms_dv_on_rows_hashvalue.py" + source = "glue-job/dms_dv_on_rows_hashvalue.py" + etag = filemd5("glue-job/dms_dv_on_rows_hashvalue.py") +} + +resource "aws_glue_job" "dms_dv_on_rows_hashvalue" { + count = local.gluejob_count + + name = "dms-dv-on-rows-hashvalue" + description = "Table migration & validation Glue-Job (PySpark)." + role_arn = aws_iam_role.glue_mig_and_val_iam_role.arn + glue_version = "4.0" + worker_type = "G.2X" + number_of_workers = 4 + default_arguments = { + "--script_bucket_name" = module.s3-glue-job-script-bucket.bucket.id + "--rds_db_host_ep" = split(":", aws_db_instance.database_2022.endpoint)[0] + "--rds_db_pwd" = aws_db_instance.database_2022.password + "--rds_database_folder" = "" + "--rds_db_schema_folder" = "dbo" + "--table_to_be_validated" = "" + "--table_pkey_column" = "" + "--rds_db_table_hashed_rows_parent_dir" = "rds_tables_rows_hashed" + "--dms_prq_output_bucket" = module.s3-dms-target-store-bucket.bucket.id + "--rds_hashed_rows_prq_bucket" = module.s3-dms-data-validation-bucket.bucket.id + "--glue_catalog_dv_bucket" = module.s3-dms-data-validation-bucket.bucket.id + "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name + "--glue_catalog_tbl_name" = "glue_df_output" + "--extra-py-files" = "s3://${module.s3-glue-job-script-bucket.bucket.id}/${aws_s3_object.aws_s3_object_pyzipfile_to_s3folder.id}" + "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue.name}" + "--enable-continuous-cloudwatch-log" = "true" + "--enable-continuous-log-filter" = "true" + "--enable-metrics" = "true" + "--enable-auto-scaling" = "true" + "--conf" = < {CATALOG_TABLE_S3_FULL_PATH}/""") + +# 
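Review bot: `"--rds_db_pwd" = aws_db_instance.database_2022.password` in `default_arguments` of `aws_glue_job.dms_dv_on_rows_hashvalue` stores the database password as a plain job parameter. Anyone who can read the job definition (console, the Glue GetJob API) or the job-run arguments can then see it. The later hunk that adds `"rds_db_pwd"` to `DEFAULT_INPUTS_LIST` in dms_dv_on_rows_hashvalue.py relies on the same argument. Passing a secret identifier instead, e.g. `"--rds_db_secret_id" = <SECRET_ID_PLACEHOLDER>`, and resolving it inside the script at run time would keep the value out of the job definition; the Glue role would need read access to that one secret. The new `aws_cloudwatch_log_group` also sets no `kms_key_id`. The end of this hunk is not visible on the page, so anything after the `--conf` argument is not covered by this note.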
=================================================================================================== + +# s3://dms-rds-to-parquet-20240606144708618700000001/g4s_emsys_mvp/dbo/GPSPosition_V2/year=2020/month=3/ + +if __name__ == "__main__": + + table_dirpath = f'''{RDS_DATABASE_FOLDER}/{RDS_DB_SCHEMA_FOLDER}/{TABLE_TO_BE_VALIDATED}'''.strip() + rds_hashed_rows_bucket_parent_dir = f"""{RDS_HASHED_ROWS_PRQ_BUCKET}/{RDS_HASHED_ROWS_PRQ_PARENT_DIR}""" + rds_hashed_rows_fulls3path = f"""s3://{rds_hashed_rows_bucket_parent_dir}/{table_dirpath}""" + dms_output_fulls3path = f"""s3://{DMS_PRQ_OUTPUT_BUCKET}/{table_dirpath}""" + db_sch_tbl = f"""{RDS_DATABASE_FOLDER}_{RDS_DB_SCHEMA_FOLDER}_{TABLE_TO_BE_VALIDATED}""" + # ------------------------------------------------------- + + if not S3Methods.check_s3_folder_path_if_exists(RDS_HASHED_ROWS_PRQ_BUCKET, + f"""{RDS_HASHED_ROWS_PRQ_PARENT_DIR}/{table_dirpath}"""): + LOGGER.error(f'''>> {rds_hashed_rows_fulls3path} << Path Not Available !!''') + sys.exit(1) + elif not S3Methods.check_s3_folder_path_if_exists(DMS_PRQ_OUTPUT_BUCKET, + table_dirpath): + LOGGER.error(f'''>> {dms_output_fulls3path} << Path Not Available !!''') + sys.exit(1) + + hashed_table_schema = T.StructType( + [T.StructField(f"{TABLE_PKEY_COLUMN}", T.IntegerType(), False), + T.StructField("RowHash", T.StringType(), False)] + ) + + rds_hashed_rows_prq_df = CustomPysparkMethods.get_s3_parquet_df_v2( + rds_hashed_rows_fulls3path, + hashed_table_schema + ) + rds_hashed_rows_prq_df_count = rds_hashed_rows_prq_df.count() + + dms_table_output_prq_df = spark.read.parquet(dms_output_fulls3path) + dms_table_output_prq_df_count = dms_table_output_prq_df.count() + + rds_jdbc_conn_obj = RDS_JDBC_CONNECTION(RDS_DB_HOST_ENDPOINT, + RDS_DB_INSTANCE_PWD, + RDS_DATABASE_FOLDER, + RDS_DB_SCHEMA_FOLDER) + + # EVALUATE RDS-DATAFRAME ROW-COUNT + df_rds_count = rds_jdbc_conn_obj.get_rds_db_table_row_count( + TABLE_TO_BE_VALIDATED, + TABLE_PKEY_COLUMN + ) + if 
rds_hashed_rows_prq_df_count != df_rds_count: + error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != df_rds_count ({df_rds_count})""") + sys.exit(f"""Row Count Mismatch: \n{error_msg}""") + # ------------------------------------------------ + # + if rds_hashed_rows_prq_df_count != dms_table_output_prq_df_count: + error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != dms_table_output_prq_df_count ({dms_table_output_prq_df_count})""") + sys.exit(f"""Row Count Mismatch: \n{error_msg}""") + # -------------------- + + all_columns_except_pkey = [col for col in dms_table_output_prq_df.columns + if col != TABLE_PKEY_COLUMN] + LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") + + dms_table_output_prq_df_t1 = dms_table_output_prq_df.withColumn( + "RowHash", F.sha2(F.concat_ws("", *all_columns_except_pkey), 256))\ + .select(f'{TABLE_PKEY_COLUMN}', 'RowHash') + + unmatched_hashvalues_df = rds_hashed_rows_prq_df.alias('L').join( + dms_table_output_prq_df_t1.alias('R'), + on=[f'{TABLE_PKEY_COLUMN}'], + how='left')\ + .where("L.RowHash != R.RowHash").cache() + + unmatched_hashvalues_df_count = unmatched_hashvalues_df.count() + + df_dv_output = CustomPysparkMethods.declare_empty_df_dv_output_v1() + + if unmatched_hashvalues_df_count != 0: + LOGGER.warn(f"""unmatched_hashvalues_df_count> {unmatched_hashvalues_df_count}: Row differences found!""") + + df_subtract_temp = (unmatched_hashvalues_df + .withColumn('json_row', + F.to_json(F.struct(*[F.col(c) + for c in unmatched_hashvalues_df.columns]))) + .selectExpr("json_row") + .limit(100)) + + subtract_validation_msg = f"""'{TABLE_TO_BE_VALIDATED}' - {unmatched_hashvalues_df_count}""" + df_subtract_temp = df_subtract_temp.selectExpr( + "current_timestamp as run_datetime", + "json_row", + f""""{subtract_validation_msg} - Non-Zero unmatched Row Count!" 
as validation_msg""", + f"""'{RDS_DATABASE_FOLDER}' as database_name""", + f"""'{db_sch_tbl}' as full_table_name""", + """'False' as table_to_ap""" + ) + LOGGER.warn(f"{db_sch_tbl}: Validation Failed - 2") + df_dv_output = df_dv_output.union(df_subtract_temp) + else: + df_temp = df_dv_output.selectExpr( + "current_timestamp as run_datetime", + "'' as json_row", + f"""'{TABLE_TO_BE_VALIDATED} - Validated.' as validation_msg""", + f"""'{RDS_DATABASE_FOLDER}' as database_name""", + f"""'{db_sch_tbl}' as full_table_name""", + """'False' as table_to_ap""" + ) + LOGGER.info(f"Validation Successful - 1") + df_dv_output = df_dv_output.union(df_temp) + + write_parquet_to_s3(df_dv_output, RDS_DATABASE_FOLDER, db_sch_tbl) + + job.commit() diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py index ed707ce8448..8bf67ab2ae3 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py @@ -249,7 +249,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful LOGGER.info(f"""jdbc_partition_col_upperbound = {jdbc_partition_col_upperbound}""") rds_db_query_filtered_str = rds_db_select_query_str + f""" WHERE {where_clause_exp_str}""" - LOGGER.info(f"""rds_db_query_filtered_str = {rds_db_query_filtered_str}""") + LOGGER.info(f"""rds_db_query_filtered_str > \n{rds_db_query_filtered_str}""") hashed_rows_prq_df = rds_jdbc_conn_obj.get_rds_df_read_query_pkey_parallel( rds_db_query_filtered_str, 
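Review bot: The mismatch filter `.where("L.RowHash != R.RowHash")` after the `how='left'` join silently drops every key that has no match in the DMS output. `R.RowHash` is NULL for those rows, the comparison evaluates to NULL, and the validation can report success when rows are missing. A null-safe form such as `.where("NOT (L.RowHash <=> R.RowHash)")` would report them. The earlier count checks only catch this when the totals differ. Separately, `F.concat_ws("", *all_columns_except_pkey)` joins values with no delimiter and skips NULLs, so rows like ('ab', 'c') and ('a', 'bc') hash identically. Changing that is only valid if the RDS-side hash in etl_table_rows_hashvalue_to_parquet.py is built the same way, which is not visible here. The top of this new file is not visible on the page.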
@@ -272,7 +272,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful LOGGER.info(f"""jdbc_partition_col_lowerbound = {jdbc_partition_col_lowerbound}""") LOGGER.info(f"""jdbc_partition_col_upperbound = {jdbc_partition_col_upperbound}""") - LOGGER.info(f"""rds_db_select_query_str = {rds_db_select_query_str}""") + LOGGER.info(f"""rds_db_select_query_str > \n{rds_db_select_query_str}""") hashed_rows_prq_df = rds_jdbc_conn_obj.get_rds_df_read_query_pkey_parallel( rds_db_select_query_str, From 76af2e8196ccd7ba709f2f58bce2f47181ba50e3 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 09:21:59 +0000 Subject: [PATCH 108/308] GlueJob to hash table rows save to parquet - 1311-2 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index 5c12fdd8293..c5e86ea5a86 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
@@ -170,12 +170,12 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): TABLE_PKEY_COLUMN ) if rds_hashed_rows_prq_df_count != df_rds_count: - error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != df_rds_count ({df_rds_count})""") + error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != df_rds_count ({df_rds_count})""" sys.exit(f"""Row Count Mismatch: \n{error_msg}""") # ------------------------------------------------ # if rds_hashed_rows_prq_df_count != dms_table_output_prq_df_count: - error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != dms_table_output_prq_df_count ({dms_table_output_prq_df_count})""") + error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != dms_table_output_prq_df_count ({dms_table_output_prq_df_count})""" sys.exit(f"""Row Count Mismatch: \n{error_msg}""") # -------------------- From a64befe1692edb1b25b5cc5e7873709d056e798c Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 09:32:13 +0000 Subject: [PATCH 109/308] GlueJob to hash table rows save to parquet - 1311-3 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index c5e86ea5a86..c3c2f324386 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -41,6 +41,8 @@ # Organise capturing input parameters. DEFAULT_INPUTS_LIST = ["JOB_NAME", + "rds_db_host_ep", + "rds_db_pwd", "script_bucket_name", "rds_hashed_rows_prq_bucket", "rds_hashed_rows_prq_parent_dir", From 1843be99892f98161dcc3e374e8d32d7345686db Mon Sep 17 00:00:00 2001 
From: Madhu Kadiri Date: Wed, 13 Nov 2024 09:48:17 +0000 Subject: [PATCH 110/308] GlueJob to hash table rows save to parquet - 1311-4 --- .../dms_data_validation_glue_job_v2.tf | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf index 445ca67ca7f..a36b3d400fd 100644 --- a/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf +++ b/terraform/environments/electronic-monitoring-data/dms_data_validation_glue_job_v2.tf 
@@ -461,26 +461,26 @@ resource "aws_glue_job" "dms_dv_on_rows_hashvalue" { worker_type = "G.2X" number_of_workers = 4 default_arguments = { - "--script_bucket_name" = module.s3-glue-job-script-bucket.bucket.id - "--rds_db_host_ep" = split(":", aws_db_instance.database_2022.endpoint)[0] - "--rds_db_pwd" = aws_db_instance.database_2022.password - "--rds_database_folder" = "" - "--rds_db_schema_folder" = "dbo" - "--table_to_be_validated" = "" - "--table_pkey_column" = "" - "--rds_db_table_hashed_rows_parent_dir" = "rds_tables_rows_hashed" - "--dms_prq_output_bucket" = module.s3-dms-target-store-bucket.bucket.id - "--rds_hashed_rows_prq_bucket" = module.s3-dms-data-validation-bucket.bucket.id - "--glue_catalog_dv_bucket" = module.s3-dms-data-validation-bucket.bucket.id - "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name - "--glue_catalog_tbl_name" = "glue_df_output" - "--extra-py-files" = "s3://${module.s3-glue-job-script-bucket.bucket.id}/${aws_s3_object.aws_s3_object_pyzipfile_to_s3folder.id}" - "--continuous-log-logGroup" = "/aws-glue/jobs/${aws_cloudwatch_log_group.dms_dv_on_rows_hashvalue.name}" - "--enable-continuous-cloudwatch-log" = "true" - "--enable-continuous-log-filter" = "true" - "--enable-metrics" = "true" - "--enable-auto-scaling" = "true" - "--conf" = < Date: Wed, 13 Nov 2024 10:42:43 +0000 Subject: [PATCH 111/308] Remove unnecessary local_file resource --- .../modules/components/dms/cloudwatch-alarms.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 26cde0670fd..1edccccc1b8 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -210,12 +210,12 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -resource "local_file" "lambda_dms_replication_metric_py" { - filename = "${path.module}/lambda_dms_replication_metric.py" - content = < Date: Wed, 13 Nov 2024 10:51:14 +0000 Subject: [PATCH 112/308] GlueJob to hash table rows save to parquet - 1311-5 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 77 +++++++++++++++++-- .../glue_data_validation_lib.py | 20 +++++ 2 files changed, 89 insertions(+), 8 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index c3c2f324386..a6e465d117c 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
@@ -152,14 +152,44 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): T.StructField("RowHash", T.StringType(), False)] ) + # -------------------------------------------------------------------------------------- + rds_hashed_rows_prq_df = CustomPysparkMethods.get_s3_parquet_df_v2( rds_hashed_rows_fulls3path, hashed_table_schema ) - rds_hashed_rows_prq_df_count = rds_hashed_rows_prq_df.count() + + rds_hashed_rows_prq_df_agg = rds_hashed_rows_prq_df.agg( + F.min(TABLE_PKEY_COLUMN).alias(f"min_{TABLE_PKEY_COLUMN}"), + F.max(TABLE_PKEY_COLUMN).alias(f"max_{TABLE_PKEY_COLUMN}"), + F.count(TABLE_PKEY_COLUMN).alias(f"count_{TABLE_PKEY_COLUMN}") + ) + rds_hashed_rows_prq_agg_dict = rds_hashed_rows_prq_df_agg.collect()[0] + rds_hashed_rows_prq_min_pkey = rds_hashed_rows_prq_agg_dict[f"min_{TABLE_PKEY_COLUMN}"] + rds_hashed_rows_prq_max_pkey = rds_hashed_rows_prq_agg_dict[f"max_{TABLE_PKEY_COLUMN}"] + rds_hashed_rows_prq_count = rds_hashed_rows_prq_agg_dict[f"count_{TABLE_PKEY_COLUMN}"] + + LOGGER.info(f""">> rds_hashed_rows_prq_min_pkey = {rds_hashed_rows_prq_min_pkey} <<""") + LOGGER.info(f""">> rds_hashed_rows_prq_max_pkey = {rds_hashed_rows_prq_max_pkey} <<""") + LOGGER.info(f""">> rds_hashed_rows_prq_count = {rds_hashed_rows_prq_count} <<""") + # -------------------------------------------------------------------------------------- dms_table_output_prq_df = spark.read.parquet(dms_output_fulls3path) - dms_table_output_prq_df_count = dms_table_output_prq_df.count() + + dms_table_output_prq_df_agg = dms_table_output_prq_df.agg( + F.min(TABLE_PKEY_COLUMN).alias(f"min_{TABLE_PKEY_COLUMN}"), + F.max(TABLE_PKEY_COLUMN).alias(f"max_{TABLE_PKEY_COLUMN}"), + F.count(TABLE_PKEY_COLUMN).alias(f"count_{TABLE_PKEY_COLUMN}") + ) + dms_table_output_prq_agg_dict = dms_table_output_prq_df_agg.collect()[0] + dms_table_output_prq_min_pkey = dms_table_output_prq_agg_dict[f"min_{TABLE_PKEY_COLUMN}"] + dms_table_output_prq_max_pkey = 
dms_table_output_prq_agg_dict[f"max_{TABLE_PKEY_COLUMN}"] + dms_table_output_prq_count = dms_table_output_prq_agg_dict[f"count_{TABLE_PKEY_COLUMN}"] + + LOGGER.info(f""">> dms_table_output_prq_min_pkey = {dms_table_output_prq_min_pkey} <<""") + LOGGER.info(f""">> dms_table_output_prq_max_pkey = {dms_table_output_prq_max_pkey} <<""") + LOGGER.info(f""">> dms_table_output_prq_count = {dms_table_output_prq_count} <<""") + # -------------------------------------------------------------------------------------- rds_jdbc_conn_obj = RDS_JDBC_CONNECTION(RDS_DB_HOST_ENDPOINT, RDS_DB_INSTANCE_PWD, 
@@ -167,20 +197,51 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): RDS_DB_SCHEMA_FOLDER) # EVALUATE RDS-DATAFRAME ROW-COUNT - df_rds_count = rds_jdbc_conn_obj.get_rds_db_table_row_count( + rds_jdbc_min_max_count_df_agg = rds_jdbc_conn_obj.get_rds_df_query_min_max_count( TABLE_TO_BE_VALIDATED, TABLE_PKEY_COLUMN - ) - if rds_hashed_rows_prq_df_count != df_rds_count: - error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != df_rds_count ({df_rds_count})""" + ) + + rds_jdbc_agg_dict = rds_jdbc_min_max_count_df_agg.collect()[0] + rds_jdbc_min_pkey = rds_jdbc_agg_dict[f"min_value"] + rds_jdbc_max_pkey = rds_jdbc_agg_dict[f"max_value"] + rds_jdbc_count_pkey = rds_jdbc_agg_dict[f"count_value"] + + LOGGER.info(f""">> rds_jdbc_min_pkey = {rds_jdbc_min_pkey} <<""") + LOGGER.info(f""">> rds_jdbc_max_pkey = {rds_jdbc_max_pkey} <<""") + LOGGER.info(f""">> rds_jdbc_count_pkey = {rds_jdbc_count_pkey} <<""") + # -------------------------------------------------------------------------------------- + + if rds_hashed_rows_prq_count != rds_jdbc_count_pkey: + error_msg = f"""rds_hashed_rows_prq_count ({rds_hashed_rows_prq_count}) != rds_jdbc_count_pkey ({rds_jdbc_count_pkey})""" sys.exit(f"""Row Count Mismatch: \n{error_msg}""") # ------------------------------------------------ # - if rds_hashed_rows_prq_df_count != dms_table_output_prq_df_count: - error_msg = f"""rds_hashed_rows_prq_df_count ({rds_hashed_rows_prq_df_count}) != dms_table_output_prq_df_count ({dms_table_output_prq_df_count})""" + if rds_hashed_rows_prq_count != dms_table_output_prq_count: + error_msg = f"""rds_hashed_rows_prq_count ({rds_hashed_rows_prq_count}) != dms_table_output_prq_count ({dms_table_output_prq_count})""" sys.exit(f"""Row Count Mismatch: \n{error_msg}""") # -------------------- + if rds_hashed_rows_prq_min_pkey != rds_jdbc_min_pkey: + error_msg = f"""rds_hashed_rows_prq_min_pkey ({rds_hashed_rows_prq_min_pkey}) != rds_jdbc_min_pkey 
({rds_jdbc_min_pkey})""" + sys.exit(f"""{TABLE_TO_BE_VALIDATED} Min({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") + # ------------------------------------------------ + # + if rds_hashed_rows_prq_min_pkey != dms_table_output_prq_min_pkey: + error_msg = f"""rds_hashed_rows_prq_min_pkey ({rds_hashed_rows_prq_min_pkey}) != dms_table_output_prq_min_pkey ({dms_table_output_prq_min_pkey})""" + sys.exit(f"""{TABLE_TO_BE_VALIDATED} Min({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") + # -------------------- + + if rds_hashed_rows_prq_max_pkey != rds_jdbc_max_pkey: + error_msg = f"""rds_hashed_rows_prq_max_pkey ({rds_hashed_rows_prq_max_pkey}) != rds_jdbc_max_pkey ({rds_jdbc_max_pkey})""" + sys.exit(f"""{TABLE_TO_BE_VALIDATED} Max({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") + # ------------------------------------------------ + # + if rds_hashed_rows_prq_max_pkey != dms_table_output_prq_max_pkey: + error_msg = f"""rds_hashed_rows_prq_max_pkey ({rds_hashed_rows_prq_max_pkey}) != dms_table_output_prq_max_pkey ({dms_table_output_prq_max_pkey})""" + sys.exit(f"""{TABLE_TO_BE_VALIDATED} Max({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") + # -------------------- + all_columns_except_pkey = [col for col in dms_table_output_prq_df.columns if col != TABLE_PKEY_COLUMN] LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") diff --git a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py index e5d9b8ae299..3862c16a1b3 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/reusable_module/glue_data_validation_lib.py 
@@ -220,6 +220,26 @@ def get_rds_df_read_query_pkey_parallel(self, .load()) + def get_rds_df_query_min_max_count(self, + rds_table_name, + table_pkey_column) -> DataFrame: + + query_str = f""" + SELECT min({table_pkey_column}) as min_value, + max({table_pkey_column}) as max_value, + count({table_pkey_column}) as count_value + FROM {self.rds_db_schema_name}.[{rds_table_name}] + """.strip() + + return (self.spark.read.format("jdbc") + .option("url", self.rds_jdbc_url_v2) + .option("driver", self.RDS_DB_INSTANCE_DRIVER) + .option("user", self.RDS_DB_INSTANCE_USER) + .option("password", self.RDS_DB_INSTANCE_PWD) + .option("dbtable", f"""({query_str}) as t""") + .load()) + + def get_rds_df_jdbc_read_parallel(self, rds_tbl_name, rds_tbl_pkeys_list, From 1e9c11b9e6e3eec07100e43ea792d5cb2d9bddc9 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 11:04:34 +0000 Subject: [PATCH 113/308] GlueJob to hash table rows save to parquet - 1311-6 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index a6e465d117c..d7d98aac815 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -49,7 +49,7 @@ "dms_prq_output_bucket", "rds_database_folder", "rds_db_schema_folder", - "table_to_be_validated" + "table_to_be_validated", "table_pkey_column", "glue_catalog_db_name", "glue_catalog_tbl_name", 
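Review bot: `get_rds_df_query_min_max_count` builds its SQL by interpolating `rds_table_name` and `table_pkey_column` straight into the f-string, and the column name is not even bracket-quoted the way the table name is. In the caller shown on this page both values come from Glue job arguments, so whoever can start a job run controls the query text sent over the JDBC connection. Identifiers cannot be bound as parameters, so the method should reject anything that is not a plain identifier before building the query. For example `if not re.fullmatch(r"[A-Za-z0-9_]+", table_pkey_column): raise ValueError("invalid column name")`, with the same check for `rds_table_name`. The method also has no docstring; one line stating that it returns a single-row DataFrame with `min_value`, `max_value` and `count_value` would help callers.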
@@ -211,7 +211,7 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): LOGGER.info(f""">> rds_jdbc_max_pkey = {rds_jdbc_max_pkey} <<""") LOGGER.info(f""">> rds_jdbc_count_pkey = {rds_jdbc_count_pkey} <<""") # -------------------------------------------------------------------------------------- - + if rds_hashed_rows_prq_count != rds_jdbc_count_pkey: error_msg = f"""rds_hashed_rows_prq_count ({rds_hashed_rows_prq_count}) != rds_jdbc_count_pkey ({rds_jdbc_count_pkey})""" sys.exit(f"""Row Count Mismatch: \n{error_msg}""") From 37e9dc5d9fda571fb70c47f97177eed1aab332c1 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 11:19:03 +0000 Subject: [PATCH 114/308] GlueJob to hash table rows save to parquet - 1311-7 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index d7d98aac815..dcb5dc04b57 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -264,6 +264,9 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): LOGGER.warn(f"""unmatched_hashvalues_df_count> {unmatched_hashvalues_df_count}: Row differences found!""") df_subtract_temp = (unmatched_hashvalues_df + .selectExpr(f"{TABLE_PKEY_COLUMN}", + "L.RowHash as rds_row_hash", + "R.RowHash as dms_output_row_hash") .withColumn('json_row', F.to_json(F.struct(*[F.col(c) for c in unmatched_hashvalues_df.columns]))) @@ -295,4 +298,6 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): write_parquet_to_s3(df_dv_output, RDS_DATABASE_FOLDER, db_sch_tbl) + unmatched_hashvalues_df.unpersist() + job.commit() From a3530a41d2ccea6e59672aa73cbb9fa9a8930da2 Mon Sep 17 00:00:00 2001 
From: Madhu Kadiri Date: Wed, 13 Nov 2024 11:31:12 +0000 Subject: [PATCH 115/308] GlueJob to hash table rows save to parquet - 1311-8 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index dcb5dc04b57..23888fa5b55 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -264,7 +264,7 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): LOGGER.warn(f"""unmatched_hashvalues_df_count> {unmatched_hashvalues_df_count}: Row differences found!""") df_subtract_temp = (unmatched_hashvalues_df - .selectExpr(f"{TABLE_PKEY_COLUMN}", + .selectExpr(f"L.{TABLE_PKEY_COLUMN} as {TABLE_PKEY_COLUMN}", "L.RowHash as rds_row_hash", "R.RowHash as dms_output_row_hash") .withColumn('json_row', @@ -299,5 +299,5 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): write_parquet_to_s3(df_dv_output, RDS_DATABASE_FOLDER, db_sch_tbl) unmatched_hashvalues_df.unpersist() - + job.commit() From 3b657576062a40ed9c9e2047fef1345a1510c507 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 11:43:55 +0000 Subject: [PATCH 116/308] GlueJob to hash table rows save to parquet - 1311-9 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index 23888fa5b55..5c51f0cf791 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
+++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -263,15 +263,18 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): if unmatched_hashvalues_df_count != 0: LOGGER.warn(f"""unmatched_hashvalues_df_count> {unmatched_hashvalues_df_count}: Row differences found!""") - df_subtract_temp = (unmatched_hashvalues_df - .selectExpr(f"L.{TABLE_PKEY_COLUMN} as {TABLE_PKEY_COLUMN}", + unmatched_hashvalues_df_select = unmatched_hashvalues_df.selectExpr( + f"L.{TABLE_PKEY_COLUMN} as {TABLE_PKEY_COLUMN}", "L.RowHash as rds_row_hash", - "R.RowHash as dms_output_row_hash") + "R.RowHash as dms_output_row_hash" + ).limit(10) + + df_subtract_temp = (unmatched_hashvalues_df .withColumn('json_row', F.to_json(F.struct(*[F.col(c) - for c in unmatched_hashvalues_df.columns]))) + for c in unmatched_hashvalues_df_select.columns]))) .selectExpr("json_row") - .limit(100)) + ) subtract_validation_msg = f"""'{TABLE_TO_BE_VALIDATED}' - {unmatched_hashvalues_df_count}""" df_subtract_temp = df_subtract_temp.selectExpr( From 206577e11270bd969c142dd34b8c8feefb353e87 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 11:46:33 +0000 Subject: [PATCH 117/308] Fix metric query definition --- .../components/dms/cloudwatch-alarms.tf | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 1edccccc1b8..bdeed1ee304 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -284,33 +284,17 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { threshold = 0 treat_missing_data = "ignore" - # Query for the custom metric across all dimensions metric_query { id = "m1" - metric { - metric_name = "DMSReplicationStopped" - namespace = "CustomDMSMetrics" - period = 60 - stat = "Sum" - } - return_data = "false" - } - - # Metric math expression to sum the metric across all dimensions - metric_query { - id = "e1" - expression = "SUM(METRICS('CustomDMSMetrics', 'DMSReplicationStopped', {}, 60))" - label = "TotalDMSReplicationStoppedAcrossAllDimensions" - return_data = "true" + expression = "SEARCH('{CustomDMSMetrics, DMSReplicationStopped}', 'Sum', 60)" + label = "Sum of DMSReplicationStopped across all task dimensions" + return_data = true } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] } - - - # SNS Topic for DMS replication events # This is NOT the same as for DMS Cloudwatch Alarms (dms_alerting) # and is used to trigger the Lamda function if an event happens during From 673c7cb7afce9b4c3a4ee66aa92253b716f7a60f Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 11:48:01 +0000 Subject: [PATCH 118/308] GlueJob to hash table rows save to parquet - 1311-10 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index 5c51f0cf791..6c7b5da007a 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
@@ -269,7 +269,7 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): "R.RowHash as dms_output_row_hash" ).limit(10) - df_subtract_temp = (unmatched_hashvalues_df + df_subtract_temp = (unmatched_hashvalues_df_select .withColumn('json_row', F.to_json(F.struct(*[F.col(c) for c in unmatched_hashvalues_df_select.columns]))) From efa6b4875883f91bedf33995cda1cd2496364975 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 11:54:30 +0000 Subject: [PATCH 119/308] Add evaluation period --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index bdeed1ee304..5b0d92dd749 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -282,6 +282,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 threshold = 0 + period = 60 treat_missing_data = "ignore" metric_query { From facf0367accc57839cec5a539d5384129d32a5a9 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 11:59:36 +0000 Subject: [PATCH 120/308] Redefine sum --- .../modules/components/dms/cloudwatch-alarms.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 5b0d92dd749..0269b19b5e3 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -287,7 +287,16 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { metric_query { id = "m1" - expression = "SEARCH('{CustomDMSMetrics, DMSReplicationStopped}', 'Sum', 60)" + metric_name = "CustomDMSMetrics" + namespace = "DMSReplicationStopped" + period = 60 + stat = "Sum" + return_data = false + } + + metric_query { + id = "e1" + expression = "m1" label = "Sum of DMSReplicationStopped across all task dimensions" return_data = true } From 85f59ff9f8cef09d97469a286947bb7a92bb092f Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Wed, 13 Nov 2024 12:04:35 +0000 Subject: [PATCH 121/308] GlueJob to hash table rows save to parquet - 1311-11 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index 6c7b5da007a..39d6a3fe49a 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -147,6 +147,9 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): LOGGER.error(f'''>> {dms_output_fulls3path} << Path Not Available !!''') sys.exit(1) + LOGGER.info(f""">> rds_hashed_rows_fulls3path = {rds_hashed_rows_fulls3path} <<""") + LOGGER.info(f""">> dms_output_fulls3path = {dms_output_fulls3path} <<""") + hashed_table_schema = T.StructType( [T.StructField(f"{TABLE_PKEY_COLUMN}", T.IntegerType(), False), T.StructField("RowHash", T.StringType(), False)] From b300ca4967c996c9ee5753f1041f9b061f58967a Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 12:11:52 +0000 Subject: [PATCH 122/308] Refactor --- .../modules/components/dms/cloudwatch-alarms.tf | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) 
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 0269b19b5e3..5b0d92dd749 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -287,16 +287,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { metric_query { id = "m1" - metric_name = "CustomDMSMetrics" - namespace = "DMSReplicationStopped" - period = 60 - stat = "Sum" - return_data = false - } - - metric_query { - id = "e1" - expression = "m1" + expression = "SEARCH('{CustomDMSMetrics, DMSReplicationStopped}', 'Sum', 60)" label = "Sum of DMSReplicationStopped across all task dimensions" return_data = true } From 2c4cd4144fbd9ad4a09edd97ae9b758272459f4e Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Wed, 13 Nov 2024 12:18:13 +0000 Subject: [PATCH 123/308] Name to lower case for Tags --- .../digital-prison-reporting/main.tf | 26 +++++++++---------- .../digital-prison-reporting/s3.tf | 8 +++--- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index e017cf3091e..1b56ff54ffc 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -789,7 +789,7 @@ module "s3_glue_job_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-glue-jobs-${local.environment}" + name = "${local.project}-glue-jobs-${local.environment}" Resource_Type = "S3 Bucket" } ) @@ -807,7 +807,7 @@ module "s3_raw_archive_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-raw-archive-${local.env}-s3" + name = "${local.project}-raw-archive-${local.env}-s3" Resource_Type = "S3 Bucket" } ) 
@@ -824,7 +824,7 @@ module "s3_raw_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-raw-zone-${local.env}" + name = "${local.project}-raw-zone-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -842,7 +842,7 @@ module "s3_structured_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-structured-zone-${local.env}" + name = "${local.project}-structured-zone-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -860,7 +860,7 @@ module "s3_curated_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-curated-zone-${local.env}" + name = "${local.project}-curated-zone-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -878,7 +878,7 @@ module "s3_temp_reload_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-temp-reload-${local.env}" + name = "${local.project}-temp-reload-${local.env}" Resource_Type = "S3 Bucket", Jira = "DPR2-46" } @@ -897,7 +897,7 @@ module "s3_domain_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-domain-${local.env}" + name = "${local.project}-domain-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -917,7 +917,7 @@ module "s3_schema_registry_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-schema-registry-${local.env}" + name = "${local.project}-schema-registry-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -935,7 +935,7 @@ module "s3_domain_config_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-domain-config-${local.env}" + name = "${local.project}-domain-config-${local.env}" Resource_Type = "S3 Bucket" } ) @@ -953,7 +953,7 @@ module "s3_violation_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-violation-${local.environment}" + name = "${local.project}-violation-${local.environment}" Resource_Type = "S3 Bucket" } ) 
@@ -980,7 +980,7 @@ module "s3_artifacts_store" { tags = merge( local.all_tags, { - Name = "${local.project}-artifact-store-${local.environment}" + name = "${local.project}-artifact-store-${local.environment}" Resource_Type = "S3 Bucket" } ) @@ -1002,7 +1002,7 @@ module "s3_working_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-working-${local.environment}" + name = "${local.project}-working-${local.environment}" Resource_Type = "S3 Bucket" } ) @@ -1471,7 +1471,7 @@ module "s3_application_tf_state" { tags = merge( local.all_tags, { - Name = "${local.project}-terraform-state-${local.environment}" + name = "${local.project}-terraform-state-${local.environment}" Resource_Type = "S3 Bucket" } ) diff --git a/terraform/environments/digital-prison-reporting/s3.tf b/terraform/environments/digital-prison-reporting/s3.tf index 440a22ebe1d..6886ebd1446 100644 --- a/terraform/environments/digital-prison-reporting/s3.tf +++ b/terraform/environments/digital-prison-reporting/s3.tf @@ -11,7 +11,7 @@ module "s3_audit_logging_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-audit-logging-${local.environment}" + name = "${local.project}-audit-logging-${local.environment}" Resource_Type = "S3 Bucket" Jira = "DPR-471" } @@ -31,7 +31,7 @@ module "s3_transfer_artifacts_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-transfer-artifacts-${local.environment}" + name = "${local.project}-transfer-artifacts-${local.environment}" Resource_Type = "S3 Bucket" Jira = "DPR-504" } @@ -51,7 +51,7 @@ module "s3_domain_preview_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-domain-preview-${local.environment}" + name = "${local.project}-domain-preview-${local.environment}" Resource_Type = "S3 Bucket" Jira = "DPR-637" } 
@@ -71,7 +71,7 @@ module "s3_structured_historical_bucket" { tags = merge( local.all_tags, { - Name = "${local.project}-structured-historical-${local.environment}" + name = "${local.project}-structured-historical-${local.environment}" Resource_Type = "S3 Bucket" Jira = "DPR2-717" } From 73cc5e46255cf76a79bd4fb2b1dbd0a6fc398616 Mon Sep 17 00:00:00 2001 From: Keir Williams Date: Wed, 13 Nov 2024 13:03:51 +0000 Subject: [PATCH 124/308] allow schedule_alarms_lambda var to be empty (#8652) --- terraform/modules/baseline/variables.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index d9ca54bf9d2..8ffe0df2a46 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -918,7 +918,7 @@ variable "s3_buckets" { variable "schedule_alarms_lambda" { description = "" type = object({ - function_name = string, + function_name = optional(string, null) lambda_log_level = optional(string, "INFO") alarm_list = optional(list(string), []) alarm_patterns = optional(list(string), []) @@ -927,6 +927,7 @@ variable "schedule_alarms_lambda" { end_time = optional(string, "22:45") tags = optional(map(string), {}) }) + default = {} } variable "secretsmanager_secrets" { From e3235730fe0d7242474a4e1a944392dae3a9db40 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 13:23:51 +0000 Subject: [PATCH 125/308] Add KMS and bucket Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/kms-keys.tf | 13 ++++++++++++ .../analytical-platform-ingestion/s3.tf | 20 +++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 718ae01036e..5b78c254c70 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf 
+++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -226,3 +226,16 @@ module "datasync_credentials_kms" { deletion_window_in_days = 7 } + +module "s3_datasync_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.0" + + aliases = ["s3/datasync"] + description = "DataSync S3 KMS Key" + enable_default_policy = true + + deletion_window_in_days = 7 +} diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index d91581cc0c7..e75d8f4723b 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -160,3 +160,23 @@ module "bold_egress_bucket" { } } } + +module "datasync_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-datasync" + + force_destroy = true + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_datasync_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} From 14a94028e001e1ed05146ed8343e2017cacb71b3 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 13:34:05 +0000 Subject: [PATCH 126/308] Add the slash Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/datasync-locations.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf index 8319a128dba..3f218611f7b 100644 --- a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf +++ b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf 
@@ -1,6 +1,6 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_investigations" { server_hostname = "dom1.infra.int" - subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/Investigations" + subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/Investigations/" user = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["username"] password = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["password"] @@ -12,7 +12,7 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_manageme resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_itas" { server_hostname = "dom1.infra.int" - subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/ITAS" + subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/ITAS/" user = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["username"] password = jsondecode(data.aws_secretsmanager_secret_version.datasync_dom1.secret_string)["password"] From 7d2c0fc155ab84f04e521aa11d794734001f3baa Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 13:57:07 +0000 Subject: [PATCH 127/308] remove bucket and kms add policy and role Signed-off-by: Jacob Woffenden --- .../environment-configuration.tf | 6 ++- .../iam-policies.tf | 44 +++++++++++++++++++ .../iam-roles.tf | 16 +++++++ .../analytical-platform-ingestion/kms-keys.tf | 13 ------ .../analytical-platform-ingestion/s3.tf | 20 --------- 5 files changed, 64 insertions(+), 35 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 9f598f02ce1..8a4c7404739 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
@@ -28,7 +28,8 @@ locals { notify_image_version = "0.0.19" /* Target Buckets */ - target_buckets = ["mojap-land-dev"] + target_buckets = ["mojap-land-dev"] + datasync_target_buckets = ["mojap-land-dev"] /* Transfer Server */ transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk" @@ -72,7 +73,8 @@ locals { notify_image_version = "0.0.19" /* Target Buckets */ - target_buckets = ["mojap-land"] + target_buckets = ["mojap-land"] + datasync_target_buckets = ["mojap-land"] /* Transfer Server */ transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk" diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index 03bd4ff09b2..4d6e4ddbc87 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf 
@@ -23,3 +23,47 @@ module "transfer_server_iam_policy" { policy = data.aws_iam_policy_document.transfer_server.json } + +data "aws_iam_policy_document" "datasync" { + statement { + sid = "AllowS3BucketActions" + effect = "Allow" + actions = [ + "s3:GetBucketLocation", + "s3:ListBucket", + "s3:ListBucketMultipartUploads" + ] + resources = [ + for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" + ] + } + statement { + sid = "AllowS3ObjectActions" + effect = "Allow" + actions = [ + "s3:AbortMultipartUpload", + "s3:DeleteObject", + "s3:GetObject", + "s3:GetObjectTagging", + "s3:GetObjectVersion", + "s3:GetObjectVersionTagging", + "s3:ListMultipartUploadParts", + "s3:PutObject", + "s3:PutObjectTagging" + ] + resources = [ + for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" + ] + } +} + +module "datasync_iam_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "5.44.1" + + name_prefix = "datasync" + + policy = data.aws_iam_policy_document.datasync.json +} diff --git a/terraform/environments/analytical-platform-ingestion/iam-roles.tf b/terraform/environments/analytical-platform-ingestion/iam-roles.tf index f7e375fa225..6974341fdb4 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-roles.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-roles.tf 
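Review bot: The `AllowS3ObjectActions` statement lists bucket ARNs (`"arn:aws:s3:::${item}"`) as its resources, but every action in it is object-level, so as written it grants nothing on the objects and DataSync writes would be denied. The resource needs an object path, e.g. `for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}/datasync/*"`. Scoping to the `datasync/` prefix rather than `/*` keeps `s3:DeleteObject` and `s3:PutObject` off the rest of the shared landing bucket. That prefix is taken from the S3 location subdirectories added later in this series, so confirm it before narrowing. `AllowS3BucketActions` is correct to stay on the bare bucket ARN.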
@@ -16,3 +16,19 @@ module "transfer_server_iam_role" { "arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess" ] } + +module "datasync_iam_role" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.44.1" + + create_role = true + + role_name_prefix = "datasync" + role_requires_mfa = false + + trusted_role_services = ["datasync.amazonaws.com"] + + custom_role_policy_arns = [module.datasync_iam_policy.arn] +} diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 5b78c254c70..718ae01036e 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -226,16 +226,3 @@ module "datasync_credentials_kms" { deletion_window_in_days = 7 } - -module "s3_datasync_kms" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/kms/aws" - version = "3.1.0" - - aliases = ["s3/datasync"] - description = "DataSync S3 KMS Key" - enable_default_policy = true - - deletion_window_in_days = 7 -} diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index e75d8f4723b..d91581cc0c7 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
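Review bot: The trust policy for `datasync_iam_role` in the iam-roles.tf hunk names only the `datasync.amazonaws.com` service principal, with nothing tying the assume-role call to this account. For service-assumed roles the usual confused-deputy guard is a condition on `aws:SourceAccount` (and, where practical, `aws:SourceArn` restricted to `arn:aws:datasync:<region>:<account-id>:*`) in the trust policy. Whether the pinned module version has an input for trust-policy conditions is not visible here; if it does not, a custom trust policy document would be needed. A short comment above the module saying which DataSync locations use the role would also help.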
@@ -160,23 +160,3 @@ module "bold_egress_bucket" { } } } - -module "datasync_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" - - bucket = "mojap-ingestion-${local.environment}-datasync" - - force_destroy = true - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - kms_master_key_id = module.s3_datasync_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } -} From 8ddb9b1a9f0e9906d5b48c0204069e15e8d0db10 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 13:58:04 +0000 Subject: [PATCH 128/308] Create alarm for each task --- .../components/dms/cloudwatch-alarms.tf | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 5b0d92dd749..4835c7c8771 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -274,22 +274,26 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis # alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] # } +# Fetch all DMS replication tasks +data "aws_dms_replication_tasks" "all_tasks" {} # Define a CloudWatch metric alarm with a metric math expression resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { - alarm_name = "DMSReplicationStoppedAlarm" - alarm_description = "Alarm when Stopped Replication Task across all Dimensions (tasks)" + for_each = { for task in data.aws_dms_replication_tasks.all_tasks.replication_tasks : task.replication_task_id => task } + alarm_name = "DMSReplicationStoppedAlarm_${each.key}" + alarm_description = "Alarm when Stopped Replication Task for ${each.key}" comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 threshold = 0 period = 60 + statistic = "Maximum" treat_missing_data = "ignore" - metric_query { - id = "m1" - expression = "SEARCH('{CustomDMSMetrics, DMSReplicationStopped}', 'Sum', 60)" - label = "Sum of DMSReplicationStopped across all task dimensions" - return_data = true + metric_name = "DMSReplicationStopped" + namespace = "CustomDMSMetrics" + dimensions = { + SourceId = each.key + EventSouce = "replication-task" } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] From b2d1678363324fd5f2e921dc5d31222cc4ea8157 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 13:59:27 +0000 Subject: [PATCH 129/308] typo --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 4835c7c8771..61044e9670c 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
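Review bot: The dimension key `EventSouce` in the new `dimensions` map looks like a misspelling of `EventSource`. CloudWatch only matches a metric when every dimension name and value is identical to what was published, and with `treat_missing_data = "ignore"` an alarm that never receives data gives no sign of it, so a stopped replication task could go unreported. The Lambda that publishes `DMSReplicationStopped` is outside this hunk, so check which spelling it emits and make both sides agree, e.g. `EventSource = "replication-task"`. The comment above the resource still says "metric math expression" although the `metric_query` block is removed here; `# One alarm per DMS replication task on the custom DMSReplicationStopped metric` would match the new code.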
@@ -275,7 +275,7 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis # } # Fetch all DMS replication tasks -data "aws_dms_replication_tasks" "all_tasks" {} +data "aws_dms_replication_task" "all_tasks" {} # Define a CloudWatch metric alarm with a metric math expression resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { From 524488959ba6e3b532be7ddf3d73dd618c41d713 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 14:00:02 +0000 Subject: [PATCH 130/308] typo --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 61044e9670c..72971c6553e 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -279,7 +279,7 @@ data "aws_dms_replication_task" "all_tasks" {} # Define a CloudWatch metric alarm with a metric math expression resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { - for_each = { for task in data.aws_dms_replication_tasks.all_tasks.replication_tasks : task.replication_task_id => task } + for_each = { for task in data.aws_dms_replication_task.all_tasks.replication_tasks : task.replication_task_id => task } alarm_name = "DMSReplicationStoppedAlarm_${each.key}" alarm_description = "Alarm when Stopped Replication Task for ${each.key}" comparison_operator = "GreaterThanThreshold" From b87ce895008b58d6c5ed03e0406c394d18a80a5b Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 14:09:55 +0000 Subject: [PATCH 131/308] Add S3 locations Signed-off-by: Jacob Woffenden --- .../datasync-locations.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf index 3f218611f7b..7b0eee96ac0 100644 --- a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf +++ b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf @@ -10,6 +10,15 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_manageme tags = local.tags } +resource "aws_datasync_location_s3" "mojap_land_dom1_hq_pgo_shared_group_sis_case_management_investigations" { + s3_bucket_arn = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" + subdirectory = "/datasync/dom1/data/hq/pgo/shared/group/sis-case-management/investigations/" + + s3_config { + bucket_access_role_arn = module.datasync_iam_role.iam_role_arn + } +} + resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_itas" { server_hostname = "dom1.infra.int" subdirectory = "/data/hq/PGO/Shared/Group/SIS Case Management/ITAS/" @@ -21,3 +30,12 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_manageme tags = local.tags } + +resource "aws_datasync_location_s3" "mojap_land_dom1_hq_pgo_shared_group_sis_case_management_itas" { + s3_bucket_arn = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" + subdirectory = "/datasync/dom1/data/hq/pgo/shared/group/sis-case-management/itas/" + + s3_config { + bucket_access_role_arn = module.datasync_iam_role.iam_role_arn + } +} From fffc305a0a516e6fd4746034ef27b45b6103e7a7 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:17:04 +0000 Subject: [PATCH 132/308] added emsys_mvp --- .../ap_airflow_iam.tf | 33 ++++++++++++++----- 1 file changed, 24 insertions(+), 9 deletions(-) 
diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 9e6bf09a62b..5791f96e4fc 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf @@ -18,15 +18,15 @@ module "test_ap_airflow" { oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn } -module "load_unstructured_atrium_database" { +module "load_alcohol_monitoring_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" - name = "unstructured-atrium-database" + name = "alcohol-monitoring" environment = local.environment - database_name = "g4s-atrium-unstructured" - path_to_data = "/g4s/atrium_unstructured" - source_data_bucket = module.s3-json-directory-structure-bucket.bucket + database_name = "capita-alcohol-monitoring" + path_to_data = "/capita_alcohol_monitoring" + source_data_bucket = module.s3-dms-target-store-bucket.bucket secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn athena_dump_bucket = module.s3-athena-bucket.bucket 
@@ -48,17 +48,32 @@ module "load_cap_dw_database" { cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } -module "load_alcohol_monitoring_database" { +module "load_emsys_mvp_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" - name = "alcohol-monitoring" + name = "emsys-mvp" environment = local.environment - database_name = "capita-alcohol-monitoring" - path_to_data = "/capita_alcohol_monitoring" + database_name = "g4s-emsys-mvp" + path_to_data = "/g4s_emsys_mvp" source_data_bucket = module.s3-dms-target-store-bucket.bucket secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn athena_dump_bucket = module.s3-athena-bucket.bucket cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } + +module "load_unstructured_atrium_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "unstructured-atrium-database" + environment = local.environment + database_name = "g4s-atrium-unstructured" + path_to_data = "/g4s/atrium_unstructured" + source_data_bucket = module.s3-json-directory-structure-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} From 7b87142676e1eea90e0028eb080b2eaf244e4b58 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Wed, 13 Nov 2024 14:20:37 +0000 Subject: [PATCH 133/308] Loop through list of task names --- .../modules/components/dms/cloudwatch-alarms.tf | 4 +--- .../delius-core/modules/components/dms/locals.tf | 11 +++++++++++ 2 files changed, 12 insertions(+), 3 deletions(-) 
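Review bot: `load_emsys_mvp_database` is another full copy of the same module call, differing from `load_alcohol_monitoring_database` only in `name`, `database_name` and `path_to_data`. The later hunks in this series that add `load_fep_database`, `load_orca_database`, `load_atrium_database`, `load_atv_database`, `load_rf_hours_database`, `load_subject_history_database`, `load_tasking_database` and `load_telephony_database` repeat the pattern. Each copy produces an IAM role scoped by `path_to_data`, so a copy-paste slip in that one string would presumably give a role access to another dataset's prefix (the module body is not visible here). A single `for_each` module over a map, for the datasets that share `module.s3-dms-target-store-bucket.bucket`, keeps the per-dataset values in one reviewable table. The existing `count`-based modules would need `moved` blocks to keep their state addresses.

```hcl
locals {
  # Constructed name: one entry per dataset read from the DMS target store
  airflow_load_databases = {
    "emsys-mvp" = { database_name = "g4s-emsys-mvp", path_to_data = "/g4s_emsys_mvp" }
    # … one entry per further dataset …
  }
}

module "load_database" {
  for_each = local.is-production ? local.airflow_load_databases : {}
  source   = "./modules/ap_airflow_load_data_iam_role"

  name          = each.key
  database_name = each.value.database_name
  path_to_data  = each.value.path_to_data
  # … unchanged: environment, source_data_bucket, secret_code, oidc_arn, athena_dump_bucket, cadt_bucket …
}
```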
diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 72971c6553e..1c6de5c623f 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -274,12 +274,10 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis # alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] # } -# Fetch all DMS replication tasks -data "aws_dms_replication_task" "all_tasks" {} # Define a CloudWatch metric alarm with a metric math expression resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { - for_each = { for task in data.aws_dms_replication_task.all_tasks.replication_tasks : task.replication_task_id => task } + for_each = toset(local.replication_task_names) alarm_name = "DMSReplicationStoppedAlarm_${each.key}" alarm_description = "Alarm when Stopped Replication Task for ${each.key}" comparison_operator = "GreaterThanThreshold" diff --git a/terraform/environments/delius-core/modules/components/dms/locals.tf b/terraform/environments/delius-core/modules/components/dms/locals.tf index 7d7b9f0a42a..1516a8e8441 100644 --- a/terraform/environments/delius-core/modules/components/dms/locals.tf +++ b/terraform/environments/delius-core/modules/components/dms/locals.tf 
@@ -41,4 +41,15 @@ locals { dms_s3_writer_role_name = "${var.env_name}-dms-s3-writer-role" dms_s3_reader_role_name = "${var.env_name}-dms-s3-reader-role" + replication_task_names = concat( + try([aws_dms_replication_task.user_inbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.business_interaction_inbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.audited_interaction_inbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.audited_interaction_checksum_inbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.business_interaction_outbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.audited_interaction_outbound_replication[0].replication_task_id],[]), + try([aws_dms_replication_task.audited_interaction_checksum_outbound_replication[0].replication_task_id],[]) + ) + } \ No newline at end of file From b46c0a569bc1811e44a69617b5f00083a0c2ca76 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 14:40:22 +0000 Subject: [PATCH 134/308] Add KMS and S3 bucket again Update policy Update role name Signed-off-by: Jacob Woffenden --- .../datasync-locations.tf | 12 +++++------ .../iam-policies.tf | 20 +++++++++++++------ .../iam-roles.tf | 2 +- .../analytical-platform-ingestion/kms-keys.tf | 13 ++++++++++++ .../analytical-platform-ingestion/s3.tf | 20 +++++++++++++++++++ 5 files changed, 54 insertions(+), 13 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf index 7b0eee96ac0..d4a9e65d0f8 100644 --- a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf +++ b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf 
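Review bot: `aws_dms_replication_task.audited_interaction_outbound_replication[0]` appears twice in `replication_task_names` (fifth and seventh entries). The alarm resource wraps the list in `toset(...)`, so the duplicate collapses silently and whichever task was meant to occupy that slot gets no `DMSReplicationStoppedAlarm_*`. The inbound entries start with `user_inbound_replication`, so the fifth entry was probably meant to be the matching user outbound task; that resource is not visible in this hunk, so confirm the name before changing it. A comment above the list would also help, for example `# try() yields [] for tasks that are not created in this environment (count = 0)`, if that is the intent of the `[0]` indexing. The file also loses its trailing newline in this change.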
@@ -10,9 +10,9 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_manageme tags = local.tags } -resource "aws_datasync_location_s3" "mojap_land_dom1_hq_pgo_shared_group_sis_case_management_investigations" { - s3_bucket_arn = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" - subdirectory = "/datasync/dom1/data/hq/pgo/shared/group/sis-case-management/investigations/" +resource "aws_datasync_location_s3" "dom1_hq_pgo_shared_group_sis_case_management_investigations" { + s3_bucket_arn = module.datasync_bucket.s3_bucket_arn + subdirectory = "/dom1/data/hq/pgo/shared/group/sis-case-management/investigations/" s3_config { bucket_access_role_arn = module.datasync_iam_role.iam_role_arn @@ -31,9 +31,9 @@ resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_manageme tags = local.tags } -resource "aws_datasync_location_s3" "mojap_land_dom1_hq_pgo_shared_group_sis_case_management_itas" { - s3_bucket_arn = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" - subdirectory = "/datasync/dom1/data/hq/pgo/shared/group/sis-case-management/itas/" +resource "aws_datasync_location_s3" "dom1_hq_pgo_shared_group_sis_case_management_itas" { + s3_bucket_arn = module.datasync_bucket.s3_bucket_arn + subdirectory = "/dom1/data/hq/pgo/shared/group/sis-case-management/itas/" s3_config { bucket_access_role_arn = module.datasync_iam_role.iam_role_arn diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index 4d6e4ddbc87..f8dcfe8361c 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf 
@@ -25,6 +25,18 @@ module "transfer_server_iam_policy" { } data "aws_iam_policy_document" "datasync" { + statement { + sid = "AllowKMS" + effect = "Allow" + actions = [ + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:Encrypt", + "kms:DescribeKey", + "kms:Decrypt", + ] + resources = [module.transfer_logs_kms.key_arn] + } statement { sid = "AllowS3BucketActions" effect = "Allow" @@ -33,9 +45,7 @@ data "aws_iam_policy_document" "datasync" { "s3:ListBucket", "s3:ListBucketMultipartUploads" ] - resources = [ - for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" - ] + resources = [module.datasync_bucket.s3_bucket_arn] } statement { sid = "AllowS3ObjectActions" @@ -51,9 +61,7 @@ data "aws_iam_policy_document" "datasync" { "s3:PutObject", "s3:PutObjectTagging" ] - resources = [ - for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" - ] + resources = ["${module.datasync_bucket.s3_bucket_arn}/*"] } } diff --git a/terraform/environments/analytical-platform-ingestion/iam-roles.tf b/terraform/environments/analytical-platform-ingestion/iam-roles.tf index 6974341fdb4..ebf2af0a9ed 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-roles.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-roles.tf @@ -25,7 +25,7 @@ module "datasync_iam_role" { create_role = true - role_name_prefix = "datasync" + role_name = "datasync" role_requires_mfa = false trusted_role_services = ["datasync.amazonaws.com"] diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 718ae01036e..5b78c254c70 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf 
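Review bot: The new `AllowKMS` statement grants the DataSync role use of the wrong key. It allows `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey*` and `kms:ReEncrypt*` on `module.transfer_logs_kms.key_arn`, but the `datasync_bucket` added in s3.tf by this same commit is encrypted with `module.s3_datasync_kms.key_arn`. The role therefore has rights on a key it has no visible need for and none on the key protecting the bucket it writes to, so object writes would likely be denied by KMS unless another policy grants access. The statement should read `resources = [module.s3_datasync_kms.key_arn]`.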
@@ -226,3 +226,16 @@ module "datasync_credentials_kms" { deletion_window_in_days = 7 } + +module "s3_datasync_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.0" + + aliases = ["s3/datasync"] + description = "DataSync S3 KMS Key" + enable_default_policy = true + + deletion_window_in_days = 7 +} diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index d91581cc0c7..e75d8f4723b 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -160,3 +160,23 @@ module "bold_egress_bucket" { } } } + +module "datasync_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-datasync" + + force_destroy = true + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_datasync_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} From cba988415ac48cc77f7722303250aa50bdc38a24 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 14:46:41 +0000 Subject: [PATCH 135/308] Update IAM role name Add tags Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/datasync-locations.tf | 4 ++++ .../environments/analytical-platform-ingestion/iam-roles.tf | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf index d4a9e65d0f8..bf7eff7a03b 100644 --- a/terraform/environments/analytical-platform-ingestion/datasync-locations.tf +++ b/terraform/environments/analytical-platform-ingestion/datasync-locations.tf 
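Review bot: `force_destroy = true` on `datasync_bucket` lets a `terraform destroy` or a forced replacement delete every object in the bucket, which is the landing area for the SIS case management shares configured in datasync-locations.tf. Combined with `deletion_window_in_days = 7` on `s3_datasync_kms`, an accidental destroy leaves only a week to notice before the key material is gone as well. If the setting is deliberate, record why in a comment above it, for example `# force_destroy is intentional: <reason>`; otherwise set `force_destroy = false`. The module call also enables no versioning, which S3 replication from this bucket would require if the replication role added later in the series is meant to use it as a source.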
@@ -17,6 +17,8 @@ resource "aws_datasync_location_s3" "dom1_hq_pgo_shared_group_sis_case_managemen s3_config { bucket_access_role_arn = module.datasync_iam_role.iam_role_arn } + + tags = local.tags } resource "aws_datasync_location_smb" "dom1_hq_pgo_shared_group_sis_case_management_itas" { @@ -38,4 +40,6 @@ resource "aws_datasync_location_s3" "dom1_hq_pgo_shared_group_sis_case_managemen s3_config { bucket_access_role_arn = module.datasync_iam_role.iam_role_arn } + + tags = local.tags } diff --git a/terraform/environments/analytical-platform-ingestion/iam-roles.tf b/terraform/environments/analytical-platform-ingestion/iam-roles.tf index ebf2af0a9ed..6974341fdb4 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-roles.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-roles.tf @@ -25,7 +25,7 @@ module "datasync_iam_role" { create_role = true - role_name = "datasync" + role_name_prefix = "datasync" role_requires_mfa = false trusted_role_services = ["datasync.amazonaws.com"] From 6ed376d0789b8f701d01f5af0555515a2e4935a6 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Wed, 13 Nov 2024 14:55:59 +0000 Subject: [PATCH 136/308] fix the file path to the parquet data for Atrium unstructured --- .../environments/electronic-monitoring-data/ap_airflow_iam.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 9e6bf09a62b..6271fd17139 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf 
@@ -25,7 +25,7 @@ module "load_unstructured_atrium_database" { name = "unstructured-atrium-database" environment = local.environment database_name = "g4s-atrium-unstructured" - path_to_data = "/g4s/atrium_unstructured" + path_to_data = "/load/g4s_atrium_unstructured/structure" source_data_bucket = module.s3-json-directory-structure-bucket.bucket secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn From 7b27a1af515d25cd6f8a8d7aacf054cd253c0730 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Wed, 13 Nov 2024 15:00:41 +0000 Subject: [PATCH 137/308] updated ap_airflow_iam for fep --- .../electronic-monitoring-data/ap_airflow_iam.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 5791f96e4fc..bb251703775 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf 
@@ -63,6 +63,21 @@ module "load_emsys_mvp_database" { cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } +module "load_fep_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "fep" + environment = local.environment + database_name = "g4s-fep" + path_to_data = "/g4s_fep" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + module "load_unstructured_atrium_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" From 6da42a480771d2e154a33db2460b48731d5f6716 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Wed, 13 Nov 2024 15:05:27 +0000 Subject: [PATCH 138/308] Added the rest of the structured dataset modules --- .../ap_airflow_iam.tf | 105 ++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index bb251703775..62f8423cb9b 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf 
@@ -33,6 +33,51 @@ module "load_alcohol_monitoring_database" { cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } +module "load_orca_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "orca" + environment = local.environment + database_name = "capita-orca" + path_to_data = "/capita_orca" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + +module "load_atrium_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "atrium" + environment = local.environment + database_name = "g4s-atrium" + path_to_data = "/g4s_atrium" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + +module "load_atv_database" { + count = local.is-production ? 
1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "atv" + environment = local.environment + database_name = "g4s-atv" + path_to_data = "/g4s_atv" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + module "load_cap_dw_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" 
@@ -78,6 +123,66 @@ module "load_fep_database" { cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } +module "load_rf_hours_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "rf-hours" + environment = local.environment + database_name = "g4s-rf-hours" + path_to_data = "/g4s_rf_hours" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + +module "load_subject_history_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "subject-history" + environment = local.environment + database_name = "g4s-subject-history" + path_to_data = "/g4s_subject_history" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + +module "load_tasking_database" { + count = local.is-production ? 
1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "tasking" + environment = local.environment + database_name = "g4s-tasking" + path_to_data = "/g4s_tasking" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + +module "load_telephony_database" { + count = local.is-production ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "telephony" + environment = local.environment + database_name = "g4s-telephony" + path_to_data = "/g4s_telephony" + source_data_bucket = module.s3-dms-target-store-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} + module "load_unstructured_atrium_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" From 2ae4d0f4f0d10e1ac0e2b831300ef9c872fb5a0e Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 16:11:20 +0000 Subject: [PATCH 139/308] Add replication policy and role Signed-off-by: Jacob Woffenden --- .../iam-policies.tf | 57 +++++++++++++++++++ .../iam-roles.tf | 16 ++++++ 2 files changed, 73 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index f8dcfe8361c..a4880257c7f 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf 
+++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf @@ -75,3 +75,60 @@ module "datasync_iam_policy" { policy = data.aws_iam_policy_document.datasync.json } + +data "aws_iam_policy_document" "datasync_replication" { + statement { + sid = "DestinationBucketPermissions" + effect = "Allow" + actions = [ + "s3:ReplicateObject", + "s3:ObjectOwnerOverrideToBucketOwner", + "s3:GetObjectVersionTagging", + "s3:ReplicateTags", + "s3:ReplicateDelete" + ] + resources = [ + for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" + ] + } + statement { + sid = "SourceBucketKMSKey" + effect = "Allow" + actions = [ + "kms:Decrypt", + "kms:GenerateDataKey" + ] + resources = [module.s3_datasync_kms.key_arn] + } + statement { + sid = "SourceBucketPermissions" + effect = "Allow" + actions = [ + "s3:GetReplicationConfiguration", + "s3:ListBucket" + ] + resources = [module.datasync_bucket.s3_bucket_arn] + } + statement { + sid = "SourceBucketObjectPermissions" + effect = "Allow" + actions = [ + "s3:GetObjectVersionForReplication", + "s3:GetObjectVersionAcl", + "s3:GetObjectVersionTagging", + "s3:ObjectOwnerOverrideToBucketOwner" + ] + resources = ["${module.datasync_bucket.s3_bucket_arn}/*"] + } +} + +module "datasync_replication_iam_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "5.44.1" + + name_prefix = "datasync-replication" + + policy = data.aws_iam_policy_document.datasync_replication.json +} diff --git a/terraform/environments/analytical-platform-ingestion/iam-roles.tf b/terraform/environments/analytical-platform-ingestion/iam-roles.tf index 6974341fdb4..05f2ff6b9a8 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-roles.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-roles.tf 
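Review bot: `SourceBucketKMSKey` gives the replication role `kms:GenerateDataKey` on `module.s3_datasync_kms.key_arn` with no condition, which is broader than needed. Reading source objects for replication needs only `kms:Decrypt` on the source key, and it can be limited to calls made through S3 with a `kms:ViaService` condition. The policy has no KMS statement for the destination side, so if the buckets in `datasync_target_buckets` use SSE-KMS (not visible here) the role will also need `kms:Encrypt` on that key. `s3:ObjectOwnerOverrideToBucketOwner` in `SourceBucketObjectPermissions` is a destination-side action and can be dropped from that statement.

```hcl
  statement {
    sid       = "SourceBucketKMSKey"
    effect    = "Allow"
    actions   = ["kms:Decrypt"]
    resources = [module.s3_datasync_kms.key_arn]
    condition {
      test     = "StringLike"
      variable = "kms:ViaService"
      values   = ["s3.*.amazonaws.com"]
    }
  }
  # … unchanged: DestinationBucketPermissions, SourceBucketPermissions, SourceBucketObjectPermissions …
```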
@@ -32,3 +32,19 @@ module "datasync_iam_role" { custom_role_policy_arns = [module.datasync_iam_policy.arn] } + +module "datasync_replication_iam_role" { + #checkov:skip=CKV_TF_1:Module is from Terraform registry + + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.44.1" + + create_role = true + + role_name = "datasync-replication" + role_requires_mfa = false + + trusted_role_services = ["s3.amazonaws.com"] + + custom_role_policy_arns = [module.datasync_replication_iam_policy.arn] +} From 5a5ff455d00deb07062eb631198c7a9d00e9ff2d Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 16:15:54 +0000 Subject: [PATCH 140/308] Update resource, was missing slash star Signed-off-by: Jacob Woffenden --- .../environments/analytical-platform-ingestion/iam-policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index a4880257c7f..240c7d9f89b 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf @@ -88,7 +88,7 @@ data "aws_iam_policy_document" "datasync_replication" { "s3:ReplicateDelete" ] resources = [ - for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}" + for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}/*" ] } statement { From 24c043cab18bf801d8f6f500735ac69d4c46ea8e Mon Sep 17 00:00:00 2001 
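Review bot: `datasync_replication_iam_role` trusts `s3.amazonaws.com` with no source condition, so nothing in the trust policy ties the role to this account's buckets. AWS's confused-deputy guidance for service-principal trust is to add `aws:SourceAccount`, and where possible `aws:SourceArn` for the source bucket. Check whether the pinned module version exposes trust-policy conditions, and if it does not, note the gap in a comment next to `trusted_role_services`. The checkov suppression here reads `Module is from Terraform registry`, while the other module calls in this series use `Module registry does not support commit hashes for versions`; the same wording keeps suppressions easy to audit.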
From: Emterry Date: Wed, 13 Nov 2024 16:16:17 +0000 Subject: [PATCH 141/308] maintenance --- .../eks-cluster.tf | 4 +-- .../eks-pod-identities.tf | 2 +- .../environment-configuration.tf | 10 +++--- .../iam-policies.tf | 16 +++++----- .../analytical-platform-compute/iam-roles.tf | 32 +++++++++---------- .../analytical-platform-compute/s3-buckets.tf | 8 ++--- .../vpc-endpoints.tf | 2 +- .../analytical-platform-compute/vpc.tf | 2 +- 8 files changed, 38 insertions(+), 38 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/eks-cluster.tf b/terraform/environments/analytical-platform-compute/eks-cluster.tf index f96b5254937..d5e7be40b72 100644 --- a/terraform/environments/analytical-platform-compute/eks-cluster.tf +++ b/terraform/environments/analytical-platform-compute/eks-cluster.tf @@ -6,7 +6,7 @@ module "eks" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks/aws" - version = "20.26.0" + version = "20.29.0" cluster_name = local.eks_cluster_name cluster_version = local.environment_configuration.eks_cluster_version @@ -172,7 +172,7 @@ module "karpenter" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "20.26.0" + version = "20.29.0" cluster_name = module.eks.cluster_name diff --git a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf index d3a85bf50cd..8b219126c30 100644 --- a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf +++ b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf @@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks-pod-identity/aws" - version = "1.5.0" + version = "1.7.0" name = "aws-cloudwatch-metrics" 
diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 85e815d30ed..cbb49e64162 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -29,10 +29,10 @@ locals { eks_cluster_version = "1.31" eks_node_version = "1.25.0-388e1050" eks_cluster_addon_versions = { - coredns = "v1.11.3-eksbuild.1" - kube_proxy = "v1.31.0-eksbuild.5" - aws_ebs_csi_driver = "v1.35.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.7-eksbuild.1" + coredns = "v1.11.3-eksbuild.2" + kube_proxy = "v1.31.1-eksbuild.2" + aws_ebs_csi_driver = "v1.36.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.8-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" vpc_cni = "v1.18.5-eksbuild.1" @@ -86,7 +86,7 @@ locals { aws_efs_csi_driver = "v2.0.7-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.5-eksbuild.1" + vpc_cni = "v1.18.6-eksbuild.1" } /* Observability Platform */ diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 63610c9d3bf..a9acae46b9a 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -18,7 +18,7 @@ module "eks_cluster_logs_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "eks-cluster-logs-kms-access" 
@@ -45,7 +45,7 @@ module "karpenter_sqs_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "karpenter-sqs-kms-access" @@ -71,7 +71,7 @@ module "amazon_prometheus_proxy_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "amazon-prometheus-proxy" @@ -98,7 +98,7 @@ module "managed_prometheus_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "managed-prometheus-kms-access" @@ -147,7 +147,7 @@ module "mlflow_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "mlflow" @@ -168,7 +168,7 @@ module "gha_mojas_airflow_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "github-actions-mojas-airflow" @@ -258,7 +258,7 @@ module "analytical_platform_lake_formation_share_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "analytical-platform-lake-formation-sharing-policy" @@ -290,7 +290,7 @@ module "quicksight_vpc_connection_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "quicksight-vpc-connection" 
diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index b8c42113cb6..2de24c1e9fe 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -3,7 +3,7 @@ module "vpc_cni_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "vpc-cni" attach_vpc_cni_policy = true @@ -24,7 +24,7 @@ module "ebs_csi_driver_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "ebs-csi-driver" attach_ebs_csi_policy = true @@ -44,7 +44,7 @@ module "efs_csi_driver_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "efs-csi-driver" attach_efs_csi_policy = true @@ -64,7 +64,7 @@ module "aws_for_fluent_bit_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "aws-for-fluent-bit" @@ -88,7 +88,7 @@ module "amazon_prometheus_proxy_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "amazon-prometheus-proxy" 
@@ -111,7 +111,7 @@ module "cluster_autoscaler_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "cluster-autoscaler" @@ -133,7 +133,7 @@ module "external_dns_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "external-dns" attach_external_dns_policy = true @@ -154,7 +154,7 @@ module "cert_manager_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "cert-manager" attach_cert_manager_policy = true @@ -175,7 +175,7 @@ module "external_secrets_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "external-secrets" attach_external_secrets_policy = true @@ -196,7 +196,7 @@ module "mlflow_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" role_name_prefix = "mlflow" @@ -219,7 +219,7 @@ module "gha_mojas_airflow_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" - version = "5.46.0" + version = "5.48.0" name = "github-actions-mojas-airflow" 
@@ -237,7 +237,7 @@ module "lake_formation_share_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.46.0" + version = "5.48.0" create_role = true role_requires_mfa = false @@ -264,7 +264,7 @@ module "analytical_platform_ui_service_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.46.0" + version = "5.48.0" create_role = true @@ -287,7 +287,7 @@ module "analytical_platform_control_panel_service_role" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.46.0" + version = "5.48.0" allow_self_assume_role = true trusted_role_arns = [ @@ -310,7 +310,7 @@ module "analytical_platform_data_eng_dba_service_role" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.46.0" + version = "5.48.0" allow_self_assume_role = false trusted_role_arns = formatlist("arn:aws:iam::%s:root", [local.environment_management.account_ids[local.analytical_platform_environment], local.environment_management.account_ids["analytical-platform-management-production"]]) @@ -330,7 +330,7 @@ module "quicksight_vpc_connection_iam_role" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.46.0" + version = "5.48.0" create_role = true role_name_prefix = "quicksight-vpc-connection" 
diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index c65dedf3689..ffbfa4b740a 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -3,7 +3,7 @@ module "mlflow_bucket" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" + version = "4.2.2" bucket = "mojap-compute-${local.environment}-mlflow" @@ -66,7 +66,7 @@ module "mojap_derived_tables_replication_bucket" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" + version = "4.2.2" providers = { aws = aws.analytical-platform-compute-eu-west-1 @@ -127,7 +127,7 @@ module "mojap_compute_logs_bucket_eu_west_2" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" + version = "4.2.2" bucket = "mojap-compute-${local.environment}-logs-eu-west-2" @@ -179,7 +179,7 @@ module "mojap_compute_logs_bucket_eu_west_1" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" + version = "4.2.2" providers = { aws = aws.analytical-platform-compute-eu-west-1 diff --git a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf index 75b40822f0b..e096613bece 100644 --- a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf +++ b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf 
@@ -3,7 +3,7 @@ module "vpc_endpoints" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" - version = "5.13.0" + version = "5.15.0" vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets diff --git a/terraform/environments/analytical-platform-compute/vpc.tf b/terraform/environments/analytical-platform-compute/vpc.tf index e82606e1482..f134388e418 100644 --- a/terraform/environments/analytical-platform-compute/vpc.tf +++ b/terraform/environments/analytical-platform-compute/vpc.tf @@ -6,7 +6,7 @@ module "vpc" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/vpc/aws" - version = "5.13.0" + version = "5.15.0" name = local.our_vpc_name azs = slice(data.aws_availability_zones.available.names, 0, 3) From 9fbda39f9d453c4e6e81d31312c6c15507e3660d Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 16:28:18 +0000 Subject: [PATCH 142/308] Add replication configuration Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/s3.tf | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index e75d8f4723b..802fa974c54 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
@@ -171,6 +171,44 @@ module "datasync_bucket" { force_destroy = true + versioning = { + enabled = true + } + + replication_configuration = { + role = module.datasync_replication_iam_role.iam_role_arn + rules = [ + { + id = "datasync-replication" + status = "Enabled" + delete_marker_replication = true + + source_selection_criteria = { + sse_kms_encrypted_objects = { + enabled = true + } + } + + destination = { + account_id = "593291632749" // TODO: replace with local.environment_management account ID + bucket = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" + storage_class = "STANDARD" + access_control_translation = { + owner = "Destination" + } + metrics = { + status = "Enabled" + minutes = 15 + } + replication_time = { + status = "Enabled" + minutes = 15 + } + } + } + ] + } + server_side_encryption_configuration = { rule = { apply_server_side_encryption_by_default = { From b1827c53baf3e78461e57224e8b379e59bac033e Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 13 Nov 2024 16:28:19 +0000 Subject: [PATCH 143/308] ldap host value for pwm (#8654) --- .../delius-core/modules/delius_environment/pwm.tf | 2 +- .../modules/helpers/delius_microservice/outputs.tf | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index e1c63853045..3f6dce6ec86 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
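Review bot: The replication rule added to `module "datasync_bucket"` enables `source_selection_criteria.sse_kms_encrypted_objects`, but its `destination` block has no `encryption_configuration`, and S3 expects a replica KMS key whenever SSE-KMS objects are selected for replication. As written the configuration is likely to be rejected on apply, or to leave KMS-encrypted objects unreplicated. Add `encryption_configuration = { replica_kms_key_id = "<DESTINATION_KMS_KEY_ARN>" }` inside `destination`, and confirm the replication role is allowed to encrypt with that key. The module block starts and ends outside the hunk.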
@@ -79,7 +79,7 @@ module "pwm" { container_vars_default = { "CONFIG_XML_BASE64" = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", { - ldap_host_url = "ldap://ldap.${var.env_name}.${var.account_config.dns_suffix}:${var.ldap_config.port}" + ldap_host_url = "ldap://${module.ldap_ecs.nlb_service_r53_record}:${var.ldap_config.port}" ldap_user = nonsensitive(aws_ssm_parameter.ldap_principal.arn) pwm_url = "https://pwm.${var.env_name}.${var.account_config.dns_suffix}" email_from_address = "no-reply@${aws_ses_domain_identity.pwm.domain}" diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf index 532500bac32..b90e74d8237 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf @@ -44,3 +44,7 @@ output "nlb_target_group_arn_map" { for k, v in aws_lb_target_group.service : k => v.arn } } + +output "nlb_service_r53_record" { + value = aws_route53_record.services_nlb_r53_record.fqdn +} From 0462f168205cc78eb6ea93d773e7f7ef6642458d Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 16:33:32 +0000 Subject: [PATCH 144/308] remove KMS thingy Signed-off-by: Jacob Woffenden --- terraform/environments/analytical-platform-ingestion/s3.tf | 6 ------ 1 file changed, 6 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 802fa974c54..36010cf916e 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
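Review bot: The new `ldap_host_url` in `module "pwm"` keeps the `ldap://` scheme, so unless the PwmConfiguration template enables StartTLS (not visible in this hunk) the PWM bind credentials and password changes travel to the NLB record unencrypted. While the host is being changed anyway, consider `ldaps://` with the matching port, or add a comment saying where transport encryption is enforced, e.g. `# plain ldap:// is intentional: TLS is enforced by <COMPONENT>`. The new `nlb_service_r53_record` output in outputs.tf would also benefit from a `description`. The module block continues outside the hunk.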
@@ -183,12 +183,6 @@ module "datasync_bucket" { status = "Enabled" delete_marker_replication = true - source_selection_criteria = { - sse_kms_encrypted_objects = { - enabled = true - } - } - destination = { account_id = "593291632749" // TODO: replace with local.environment_management account ID bucket = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" From e5ffb88faad0e0ce98c6d8f80eb0d13f411cf455 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Wed, 13 Nov 2024 16:38:59 +0000 Subject: [PATCH 145/308] corrected capita to civica for orca --- .../environments/electronic-monitoring-data/ap_airflow_iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 62f8423cb9b..1e1ce24aded 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf @@ -39,8 +39,8 @@ module "load_orca_database" { name = "orca" environment = local.environment - database_name = "capita-orca" - path_to_data = "/capita_orca" + database_name = "civica-orca" + path_to_data = "/civica_orca" source_data_bucket = module.s3-dms-target-store-bucket.bucket secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn From 4f566bf1f61e6a44d8632aefcc9d0a08d50b3a96 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 13 Nov 2024 16:49:48 +0000 Subject: [PATCH 146/308] update expire time Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 27d895bc488..e14bd1e4c4c 100644 
--- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -231,9 +231,14 @@ fi echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf sysctl -p # Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution -grep -qxF "SQLNET.EXPIRE_TIME = 1" /oracle/software/product/10.2.0/network/admin/sqlnet.ora +# Check if SQLNET.EXPIRE_TIME exists in the file and update it, otherwise add it +if grep -q "^SQLNET.EXPIRE_TIME" /oracle/software/product/10.2.0/network/admin/sqlnet.ora; then + # If the line exists, update it to "SQLNET.EXPIRE_TIME = 1" + sed -i 's/^SQLNET\.EXPIRE_TIME.*/SQLNET.EXPIRE_TIME = 1/' /oracle/software/product/10.2.0/network/admin/sqlnet.ora +else + # If the line does not exist, append it to the end of the file + echo "SQLNET.EXPIRE_TIME = 1" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution -sed -i '/(ENABLE *= *broken)/d' /oracle/software/product/10.2.0/network/admin/tnsnames.ora grep -q '(ENABLE *= *broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora || sed -i '/(DESCRIPTION =/a\\ (ENABLE = broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora # Add inbound connection timeout option to sqlnet grep -qxF "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" /oracle/software/product/10.2.0/network/admin/sqlnet.ora || echo "SQLNET.INBOUND_CONNECT_TIMEOUT = 0" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora From c5686021c7fb076cc7eb59512d9970dbb461e4de Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 16:55:33 +0000 Subject: [PATCH 147/308] Add KMS source selection criteria Add destination ecryption Signed-off-by: Jacob Woffenden --- .../analytical-platform-ingestion/iam-policies.tf | 9 +++++++++ .../environments/analytical-platform-ingestion/s3.tf | 9 +++++++++ 2 files changed, 18 insertions(+) 
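Review bot: The added `if grep -q "^SQLNET.EXPIRE_TIME" …; then … else …` block is never closed, because no `fi` follows the `echo "SQLNET.EXPIRE_TIME = 1" >> …/sqlnet.ora` line. The user-data script then either fails to parse, or the `else` branch absorbs the tnsnames.ora and inbound-timeout steps up to some later `fi`, so they run only when the setting was absent. Add a line `fi` directly after that `echo`. The enclosing heredoc starts and ends outside the hunk.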
diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index 240c7d9f89b..f584fc66802 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf @@ -91,6 +91,15 @@ data "aws_iam_policy_document" "datasync_replication" { for item in local.environment_configuration.datasync_target_buckets : "arn:aws:s3:::${item}/*" ] } + statement { + sid = "DestinationBucketKMSKey" + effect = "Allow" + actions = [ + "kms:Encrypt", + "kms:GenerateDataKey" + ] + resources = ["arn:aws:kms:eu-west-1:593291632749:key/2855ac30-4e14-482e-85ca-53258e01f64c"] + } statement { sid = "SourceBucketKMSKey" effect = "Allow" diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 36010cf916e..43a1240d903 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -183,6 +183,12 @@ module "datasync_bucket" { status = "Enabled" delete_marker_replication = true + source_selection_criteria = { + sse_kms_encrypted_objects = { + enabled = true + } + } + destination = { account_id = "593291632749" // TODO: replace with local.environment_management account ID bucket = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" @@ -190,6 +196,9 @@ module "datasync_bucket" { access_control_translation = { owner = "Destination" } + encryption_configuration = { + replica_kms_key_id = "arn:aws:kms:eu-west-1:593291632749:key/2855ac30-4e14-482e-85ca-53258e01f64c" + } metrics = { status = "Enabled" minutes = 15 From de3b940396e1696179f73ffa41274297c58e51f2 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 13 Nov 2024 17:01:11 +0000 Subject: [PATCH 148/308] ud policy 
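Review bot: The `DestinationBucketKMSKey` statement in iam-policies.tf and `replica_kms_key_id` in s3.tf both hard-code one key ARN (`…:key/2855ac30-4e14-482e-85ca-53258e01f64c`), although the destination bucket beside them is chosen per environment through `local.environment_configuration.datasync_target_buckets`. Every environment applying this code would be granted `kms:Encrypt`/`kms:GenerateDataKey` on the same key and would encrypt its replicas with it. Keep the ARN in the per-environment configuration and reference it from both places, e.g. `resources = [local.environment_configuration.<KMS_KEY_SETTING>]`. Cross-account use also depends on the key policy in the destination account naming this role, which is not visible here.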
Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index e14bd1e4c4c..27c8b03195f 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -385,7 +385,7 @@ resource "aws_iam_instance_profile" "edw_ec2_instance_profile" { ####### DB Policy ####### resource "aws_iam_policy" "edw_ec2_role_policy" { - name = "${local.application_name}-ec2-policy" + name = "${local.application_name}-ec2-policy2" path = "/" tags = merge( local.tags, From 85408a1501389a40ad872b7c89ebbb25a3e03381 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 17:18:55 +0000 Subject: [PATCH 149/308] parameterise Signed-off-by: Jacob Woffenden --- .../environment-configuration.tf | 6 ++++++ .../analytical-platform-ingestion/iam-policies.tf | 2 +- terraform/environments/analytical-platform-ingestion/s3.tf | 4 ++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 8a4c7404739..71ece692fc4 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -31,6 +31,9 @@ locals { target_buckets = ["mojap-land-dev"] datasync_target_buckets = ["mojap-land-dev"] + /* Target KMS */ + mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-plaform-data-production"]}:key/8c53fbac-3106-422a-8f3d-409bb3b0c94d" + /* Transfer Server */ transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk" transfer_server_sftp_users = {} 
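Review bot: The lookup key in the new `mojap_land_kms_key` value is spelled `analytical-plaform-data-production` (missing `t`), in this hunk, in the second hunk of environment-configuration.tf and in the `account_id` line of s3.tf. Unless `local.environment_management.account_ids` really has an entry under that spelling, the plan fails with an invalid index. Use `account_ids["analytical-platform-data-production"]` in all three places. The development block also builds its key ARN from the production data account; if that is intended, a one-line comment saying so would help.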
@@ -76,6 +79,9 @@ locals { target_buckets = ["mojap-land"] datasync_target_buckets = ["mojap-land"] + /* Target KMS */ + mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-plaform-data-production"]}:key/2855ac30-4e14-482e-85ca-53258e01f64c" + /* Transfer Server */ transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk" transfer_server_sftp_users = {} diff --git a/terraform/environments/analytical-platform-ingestion/iam-policies.tf b/terraform/environments/analytical-platform-ingestion/iam-policies.tf index f584fc66802..885365cb44a 100644 --- a/terraform/environments/analytical-platform-ingestion/iam-policies.tf +++ b/terraform/environments/analytical-platform-ingestion/iam-policies.tf @@ -98,7 +98,7 @@ data "aws_iam_policy_document" "datasync_replication" { "kms:Encrypt", "kms:GenerateDataKey" ] - resources = ["arn:aws:kms:eu-west-1:593291632749:key/2855ac30-4e14-482e-85ca-53258e01f64c"] + resources = [local.environment_configuration.mojap_land_kms_key] } statement { sid = "SourceBucketKMSKey" diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index 43a1240d903..e1910df7ef5 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
@@ -190,14 +190,14 @@ module "datasync_bucket" { } destination = { - account_id = "593291632749" // TODO: replace with local.environment_management account ID + account_id = local.environment_management.account_ids["analytical-plaform-data-production"] bucket = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" storage_class = "STANDARD" access_control_translation = { owner = "Destination" } encryption_configuration = { - replica_kms_key_id = "arn:aws:kms:eu-west-1:593291632749:key/2855ac30-4e14-482e-85ca-53258e01f64c" + replica_kms_key_id = local.environment_configuration.mojap_land_kms_key } metrics = { status = "Enabled" From 9972975a2a0e85b000dc6f7d9c7e3c0f6f6548e2 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 13 Nov 2024 17:21:03 +0000 Subject: [PATCH 150/308] Update rootrotate Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 27c8b03195f..f43bbbf4ff9 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf 
@@ -69,7 +69,8 @@ export APPNAME="${local.application_data.accounts[local.environment].edw_AppName export ENV="${local.application_data.accounts[local.environment].edw_environment}" export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" -export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} { --query SecretString --output text` +export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} --query SecretString --output text` +export SECRET_EC2=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query SecretString --output text` export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts @@ -266,6 +267,9 @@ chmod -R 777 /home/oracle # Set permissions for staging directory chmod -R 777 /stage/owb/ +# Replace the secret in the rootrotate.sh script +sed -i "s|--secret-id .* --query|--secret-id $SECRET_EC2 --query|g" /root/scripts/rootrotate.sh + #### setup_backups: # setup efs backup mount point From 8d75bdce9f5fc8164dfecf2379ff27a77d1b1ba6 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 13 Nov 2024 17:21:21 +0000 Subject: [PATCH 151/308] typo on aisle 3 Signed-off-by: Jacob Woffenden --- .../environment-configuration.tf | 4 ++-- terraform/environments/analytical-platform-ingestion/s3.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
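Review bot: `SECRET_EC2` is filled from `get-secret-value … --query SecretString --output text`, which returns the secret's value, and the second hunk then substitutes `$SECRET_EC2` into `/root/scripts/rootrotate.sh` as the argument of `--secret-id`. That appears to write the secret in clear text into a script on disk and to leave the script looking up a secret named after that value, so rotation would fail; rootrotate.sh itself is not visible here. Substitute the identifier rather than the value, e.g. `sed -i "s|--secret-id .* --query|--secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query|g" /root/scripts/rootrotate.sh`, and drop the `SECRET_EC2` export if nothing else reads it. The heredoc that holds both hunks starts and ends outside them.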
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 71ece692fc4..b3ead9b3f77 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -32,7 +32,7 @@ locals { datasync_target_buckets = ["mojap-land-dev"] /* Target KMS */ - mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-plaform-data-production"]}:key/8c53fbac-3106-422a-8f3d-409bb3b0c94d" + mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:key/8c53fbac-3106-422a-8f3d-409bb3b0c94d" /* Transfer Server */ transfer_server_hostname = "sftp.development.ingestion.analytical-platform.service.justice.gov.uk" @@ -80,7 +80,7 @@ locals { datasync_target_buckets = ["mojap-land"] /* Target KMS */ - mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-plaform-data-production"]}:key/2855ac30-4e14-482e-85ca-53258e01f64c" + mojap_land_kms_key = "arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:key/2855ac30-4e14-482e-85ca-53258e01f64c" /* Transfer Server */ transfer_server_hostname = "sftp.ingestion.analytical-platform.service.justice.gov.uk" diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index e1910df7ef5..a3519d8c667 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
@@ -190,7 +190,7 @@ module "datasync_bucket" { } destination = { - account_id = local.environment_management.account_ids["analytical-plaform-data-production"] + account_id = local.environment_management.account_ids["analytical-platform-data-production"] bucket = "arn:aws:s3:::${local.environment_configuration.datasync_target_buckets[0]}" storage_class = "STANDARD" access_control_translation = { From 8fc6bc3b81e5d5bd8cc83a46745e8d35a88dc50b Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 13 Nov 2024 17:23:45 +0000 Subject: [PATCH 152/308] fix typo Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index f43bbbf4ff9..9b078b3b6e9 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -183,7 +183,7 @@ EOT sudo mkdir -p /oracle/dbf sudo mkdir -p /stage sudo mkdir -p /oracle/ar -sudo mkdir --p /oracle/software +sudo mkdir -p /oracle/software sudo mkdir -p /oracle/temp_undo sudo mkdir -p /backups From b0596a0fa62a4a18434983f51a049229b2d2a96d Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:06:43 +0000 Subject: [PATCH 153/308] Adding external sftp users --- .../environment-configuration.tf | 14 +++++++++ .../analytical-platform-ingestion/kms-keys.tf | 29 +++++++++++++++++++ .../analytical-platform-ingestion/s3.tf | 26 +++++++++++++++++ 3 files changed, 69 insertions(+) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index b3ead9b3f77..ce55494e7ef 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
@@ -92,6 +92,20 @@ locals { egress_bucket = module.bold_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn } + "darren.brooke" = { + ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" + cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id + egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn + + } + "aaron.willetts" = { + ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" + cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id + egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn + + } } /* DataSync */ diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index 5b78c254c70..dd4f9cba5cb 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf 
@@ -119,6 +119,35 @@ module "s3_bold_egress_kms" { deletion_window_in_days = 7 } +module "s3_ext_2024_egress_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.0" + + aliases = ["s3/ext-2024-egress"] + description = "Used in the External 2024 Egress Solution" + enable_default_policy = true + key_statements = [ + { + sid = "AllowReadOnlyRole" + actions = [ + "kms:Encrypt", + "kms:GenerateDataKey" + ] + resources = ["*"] + effect = "Allow" + principals = [ + { + type = "AWS" + identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change + } + ] + } + ] + deletion_window_in_days = 7 +} + module "quarantined_sns_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index a3519d8c667..c0e3b55b138 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf 
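Review bot: The `AllowReadOnlyRole` statement in `module "s3_ext_2024_egress_kms"` grants `kms:Encrypt` and `kms:GenerateDataKey` to the account's `read-only` role, which the inline comment itself calls a placeholder. Shipping a key policy with a stand-in principal gives write-side use of the key to a role whose name suggests it should not have it. The sid will also be misleading once the real principal is substituted. Either omit `key_statements` until the intended principal exists, or name that principal now with a matching sid, and replace the comment with one stating who needs the key and why.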
@@ -161,6 +161,32 @@ module "bold_egress_bucket" { } } +#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket +#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket +module "ext_2024_egress_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-ext-2024-egress" + + force_destroy = true + + versioning = { + enabled = true + } + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_bold_egress_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} + module "datasync_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions From 8ec96a9fdc04d01f9502949157fccbefc69d81cd Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:19:43 +0000 Subject: [PATCH 154/308] Periods to hyphens --- .../environment-configuration.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index ce55494e7ef..8fd4f32c37c 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
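Review bot: `module "ext_2024_egress_bucket"` sets `kms_master_key_id = module.s3_bold_egress_kms.key_arn`, so the new bucket's default encryption uses the BOLD egress key. It should use the `s3_ext_2024_egress_kms` key that this commit creates and passes to the two new SFTP users as `egress_bucket_kms_key`. Objects would otherwise be encrypted under a key shared with another data flow, and permissions scoped to the ext-2024 key would not cover them. Change the line to `kms_master_key_id = module.s3_ext_2024_egress_kms.key_arn`. The two `#tfsec:ignore` comments say a bucket policy is attached, but none is set in this block, so please confirm the suppressions are still justified.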
@@ -92,14 +92,14 @@ locals { egress_bucket = module.bold_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn } - "darren.brooke" = { + "darren-brooke" = { ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn } - "aaron.willetts" = { + "aaron-willetts" = { ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id From 7821712ba8b0cf1fc442055d556f24f1add3a573 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:46:47 +0000 Subject: [PATCH 155/308] Shifting code into one tf file and adding landing bucket + policy --- .../ext-user-2024.tf | 102 ++++++++++++++++++ .../analytical-platform-ingestion/kms-keys.tf | 28 ----- .../analytical-platform-ingestion/s3.tf | 25 ----- 3 files changed, 102 insertions(+), 53 deletions(-) create mode 100644 terraform/environments/analytical-platform-ingestion/ext-user-2024.tf diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf new file mode 100644 index 00000000000..6ea013d702c --- /dev/null +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf 
@@ -0,0 +1,102 @@ +#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket +#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket +module "ext_2024_egress_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-ext-2024-egress" + + force_destroy = true + + versioning = { + enabled = true + } + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + kms_master_key_id = module.s3_bold_egress_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } +} + +module "s3_ext_2024_egress_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.0" + + aliases = ["s3/ext-2024-egress"] + description = "Used in the External 2024 Egress Solution" + enable_default_policy = true + key_statements = [ + { + sid = "AllowReadOnlyRole" + actions = [ + "kms:Encrypt", + "kms:GenerateDataKey" + ] + resources = ["*"] + effect = "Allow" + principals = [ + { + type = "AWS" + identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change + } + ] + } + ] + deletion_window_in_days = 7 +} + +data "aws_iam_policy_document" "ext_2024_landing_bucket_policy" { + statement { + sid = "LandingPermissions" + effect = "Allow" + principals { + type = "AWS" + identifiers = ["arn:aws:iam:::${local.environment_management.account_ids[terraform.workspace]}:role/transfer"] + } + actions = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject", + "s3:PutObjectTagging" + ] + resources = [ + "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-landing/*", + "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-landing/" + ] + } +} + +#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to 
the bucket +#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket +module "ext_2024_land_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.1.2" + + bucket = "mojap-ingestion-${local.environment}-ext-2024-landing" + + force_destroy = true + + versioning = { + enabled = true + } + attach_policy = true + policy = data.aws_iam_policy_document.ext_2024_landing_bucket_policy.json + + server_side_encryption_configuration = { + rule = { + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } +} \ No newline at end of file diff --git a/terraform/environments/analytical-platform-ingestion/kms-keys.tf b/terraform/environments/analytical-platform-ingestion/kms-keys.tf index dd4f9cba5cb..86fa0b9549d 100644 --- a/terraform/environments/analytical-platform-ingestion/kms-keys.tf +++ b/terraform/environments/analytical-platform-ingestion/kms-keys.tf @@ -119,34 +119,6 @@ module "s3_bold_egress_kms" { deletion_window_in_days = 7 } -module "s3_ext_2024_egress_kms" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/kms/aws" - version = "3.1.0" - - aliases = ["s3/ext-2024-egress"] - description = "Used in the External 2024 Egress Solution" - enable_default_policy = true - key_statements = [ - { - sid = "AllowReadOnlyRole" - actions = [ - "kms:Encrypt", - "kms:GenerateDataKey" - ] - resources = ["*"] - effect = "Allow" - principals = [ - { - type = "AWS" - identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change - } - ] - } - ] - deletion_window_in_days = 7 -} module "quarantined_sns_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions 
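Review bot: The principal in `ext_2024_landing_bucket_policy` is written `arn:aws:iam:::${...}:role/transfer`, with three colons after `iam`, which pushes the account ID out of the account field and leaves an ARN that S3 will most likely reject as an invalid principal when the policy is attached. The key policy in the same file uses the two-colon form, so the line should read `identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/transfer"]`. The second `resources` entry also ends in `/`, which names neither the bucket nor its objects. The bucket ARN without the slash is probably what was meant, and since every listed action is object-level that entry may not be needed at all.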
diff --git a/terraform/environments/analytical-platform-ingestion/s3.tf b/terraform/environments/analytical-platform-ingestion/s3.tf index c0e3b55b138..bfeff2602fb 100644 --- a/terraform/environments/analytical-platform-ingestion/s3.tf +++ b/terraform/environments/analytical-platform-ingestion/s3.tf @@ -161,31 +161,6 @@ module "bold_egress_bucket" { } } -#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket -#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket -module "ext_2024_egress_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" - - bucket = "mojap-ingestion-${local.environment}-ext-2024-egress" - - force_destroy = true - - versioning = { - enabled = true - } - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - kms_master_key_id = module.s3_bold_egress_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } -} module "datasync_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions From c22fe2012f74ed404ef6f3c2763cecd187a7c116 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:49:52 +0000 Subject: [PATCH 156/308] Adding external landing to target_buckets --- .../analytical-platform-ingestion/environment-configuration.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 8fd4f32c37c..eda0a25e429 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
@@ -76,7 +76,7 @@ locals { notify_image_version = "0.0.19" /* Target Buckets */ - target_buckets = ["mojap-land"] + target_buckets = ["mojap-land", "mojap-ingestion-${local.environment}-ext-2024-landing"] datasync_target_buckets = ["mojap-land"] /* Target KMS */ From 501e1d54255c51cdc2c3b92a3ecad8a6f504358c Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 08:50:43 +0000 Subject: [PATCH 157/308] EOF --- .../environments/analytical-platform-ingestion/ext-user-2024.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index 6ea013d702c..75207e5ea77 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -99,4 +99,4 @@ module "ext_2024_land_bucket" { } } } -} \ No newline at end of file +} From 267466c0244e466aaf53226e49ee0ded48854b51 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 09:06:03 +0000 Subject: [PATCH 158/308] Splitting IP ranges for external users to get around duplicate security group issues --- .../environment-configuration.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index eda0a25e429..7bc85be90d4 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
@@ -94,14 +94,14 @@ locals { } "darren-brooke" = { ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" - cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + cidr_blocks = ["54.37.241.156/30"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn } "aaron-willetts" = { ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" - cidr_blocks = ["54.37.241.156/30", "167.71.136.237/32"] + cidr_blocks = ["167.71.136.237/32"] egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn From 8c21d96b9e583428a832e45a9721930f7ad77124 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 09:28:35 +0000 Subject: [PATCH 159/308] Renamed target bucket for clarity and fixed KMS key ref --- .../environment-configuration.tf | 2 +- .../analytical-platform-ingestion/ext-user-2024.tf | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 7bc85be90d4..71ad724ce2a 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf 
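Review bot: Nothing in the file records why each user now has a single source range, so the allow-list reads as if `54.37.241.156/30` belongs only to darren-brooke and `167.71.136.237/32` only to aaron-willetts, while the commit message says the split is a workaround for duplicate security group rules. If both users need both ranges, each is now locked out of one of them; if not, the ownership should be stated. A comment above each `cidr_blocks` line would do, for example `# only this user's source range; a CIDR cannot be repeated across users (duplicate security group rule)`. The `locals` block starts and ends outside the hunk.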
@@ -76,7 +76,7 @@ locals { notify_image_version = "0.0.19" /* Target Buckets */ - target_buckets = ["mojap-land", "mojap-ingestion-${local.environment}-ext-2024-landing"] + target_buckets = ["mojap-land", "mojap-ingestion-${local.environment}-ext-2024-target"] datasync_target_buckets = ["mojap-land"] /* Target KMS */ diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index 75207e5ea77..d3be68176d6 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -17,7 +17,7 @@ module "ext_2024_egress_bucket" { server_side_encryption_configuration = { rule = { apply_server_side_encryption_by_default = { - kms_master_key_id = module.s3_bold_egress_kms.key_arn + kms_master_key_id = module.s3_ext_2024_egress_kms.key_arn sse_algorithm = "aws:kms" } } @@ -53,7 +53,7 @@ module "s3_ext_2024_egress_kms" { deletion_window_in_days = 7 } -data "aws_iam_policy_document" "ext_2024_landing_bucket_policy" { +data "aws_iam_policy_document" "ext_2024_target_bucket_policy" { statement { sid = "LandingPermissions" effect = "Allow" 
@@ -68,21 +68,21 @@ data "aws_iam_policy_document" "ext_2024_landing_bucket_policy" { "s3:PutObjectTagging" ] resources = [ - "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-landing/*", - "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-landing/" + "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target/*", + "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target/" ] } } #tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket #tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket -module "ext_2024_land_bucket" { +module "ext_2024_target_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/s3-bucket/aws" version = "4.1.2" - bucket = "mojap-ingestion-${local.environment}-ext-2024-landing" + bucket = "mojap-ingestion-${local.environment}-ext-2024-target" force_destroy = true @@ -90,7 +90,7 @@ module "ext_2024_land_bucket" { enabled = true } attach_policy = true - policy = data.aws_iam_policy_document.ext_2024_landing_bucket_policy.json + policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json server_side_encryption_configuration = { rule = { From f2f83ea5e46535721358af00155525145a051ff1 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Thu, 14 Nov 2024 09:40:25 +0000 Subject: [PATCH 160/308] Update_141124_1 --- .../ppud/cloudwatch_alarms_linux.tf | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/terraform/environments/ppud/cloudwatch_alarms_linux.tf b/terraform/environments/ppud/cloudwatch_alarms_linux.tf index 116d1e7d440..b665f78ab8e 100644 --- a/terraform/environments/ppud/cloudwatch_alarms_linux.tf +++ b/terraform/environments/ppud/cloudwatch_alarms_linux.tf 
@@ -44,6 +44,32 @@ resource "aws_cloudwatch_metric_alarm" "low_disk_space_root_volume" { } } +# Low Disk Alarm for Linux instance with additional log partition + +resource "aws_cloudwatch_metric_alarm" "low_disk_space_log_volume" { + count = local.is-production == true ? 1 : 0 + alarm_name = "Low-Disk-Space-Log-Volume-i-0f393d9ed4e53da68" + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "5" + datapoints_to_alarm = "5" + metric_name = "disk_used_percent" + namespace = "CWAgent" + period = "60" + statistic = "Average" + threshold = "90" + treat_missing_data = "notBreaching" + alarm_description = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 10% for 5 minutes, the alarm will trigger" + alarm_actions = [aws_sns_topic.cw_alerts[0].arn] + dimensions = { + InstanceId = "i-0f393d9ed4e53da68" + path = "/archive" + ImageId = "ami-0f43890c2b4907c29" + InstanceType = "m5.large" + device = "nvme1n1p1" + fstype = "xfs" + } +} + # High CPU Utilization Alarm resource "aws_cloudwatch_metric_alarm" "linux_cpu" { From 357d2efe67adce6fc489d7657ae538f7ffae9108 Mon Sep 17 00:00:00 2001 From: Emterry Date: Thu, 14 Nov 2024 09:43:18 +0000 Subject: [PATCH 161/308] update rest of addons --- .../environment-configuration.tf | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index cbb49e64162..4240dd2b18f 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf 
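Review bot: The `dimensions` block pins `InstanceId`, `ImageId`, `InstanceType` and `device` to literal values, and `treat_missing_data = "notBreaching"` means that once any of them stops matching (instance rebuilt, AMI updated, resize, device renamed) the alarm sits in OK with no data instead of alerting. For a disk-full alarm that is a silent monitoring gap. Consider `treat_missing_data = "breaching"` here, or take the identifiers from the instance resource or a data source if one exists in this environment. The leading comment also calls this the log partition while the monitored `path` is `/archive`, so one of the two should be corrected.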
@@ -35,7 +35,7 @@ locals { aws_efs_csi_driver = "v2.0.8-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.5-eksbuild.1" + vpc_cni = "v1.18.6-eksbuild.1" } /* Data Engineering Airflow */ @@ -80,10 +80,10 @@ locals { eks_cluster_version = "1.31" eks_node_version = "1.25.0-388e1050" eks_cluster_addon_versions = { - coredns = "v1.11.3-eksbuild.1" - kube_proxy = "v1.31.0-eksbuild.5" - aws_ebs_csi_driver = "v1.35.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.7-eksbuild.1" + coredns = "v1.11.3-eksbuild.2" + kube_proxy = "v1.31.1-eksbuild.2" + aws_ebs_csi_driver = "v1.36.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.8-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" vpc_cni = "v1.18.6-eksbuild.1" @@ -130,13 +130,13 @@ locals { eks_cluster_version = "1.31" eks_node_version = "1.25.0-388e1050" eks_cluster_addon_versions = { - coredns = "v1.11.3-eksbuild.1" - kube_proxy = "v1.31.0-eksbuild.5" - aws_ebs_csi_driver = "v1.35.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.7-eksbuild.1" + coredns = "v1.11.3-eksbuild.2" + kube_proxy = "v1.31.1-eksbuild.2" + aws_ebs_csi_driver = "v1.36.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.8-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.5-eksbuild.1" + vpc_cni = "v1.18.6-eksbuild.1" } /* Data Engineering Airflow */ From f1be2bdc6b3dfacae4441d938ed8a6ae022db209 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 10:36:38 +0000 Subject: [PATCH 162/308] Removing bucket policy --- .../analytical-platform-ingestion/ext-user-2024.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index d3be68176d6..5f4eaa2e603 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf 
+++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -89,8 +89,8 @@ module "ext_2024_target_bucket" { versioning = { enabled = true } - attach_policy = true - policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json + # attach_policy = true + # policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json server_side_encryption_configuration = { rule = { From 94f0e7f828a581a85c4ab8a2b9a767b9e1c20062 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Thu, 14 Nov 2024 10:54:12 +0000 Subject: [PATCH 163/308] Now with 100% more bucket policy --- .../analytical-platform-ingestion/ext-user-2024.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index 5f4eaa2e603..8984ea89b88 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -69,7 +69,7 @@ data "aws_iam_policy_document" "ext_2024_target_bucket_policy" { ] resources = [ "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target/*", - "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target/" + "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target" ] } } @@ -89,8 +89,8 @@ module "ext_2024_target_bucket" { versioning = { enabled = true } - # attach_policy = true - # policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json + attach_policy = true + policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json server_side_encryption_configuration = { rule = { From 87cabf9181943786f7cc0592f9fdbb69d4ff873c Mon Sep 17 00:00:00 2001 
From: julialawrence Date: Thu, 14 Nov 2024 11:05:22 +0000 Subject: [PATCH 164/308] Desparate time call for depserate measures --- .../environments/analytical-platform-ingestion/ext-user-2024.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index 8984ea89b88..2033dc85f7d 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -59,7 +59,7 @@ data "aws_iam_policy_document" "ext_2024_target_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = ["arn:aws:iam:::${local.environment_management.account_ids[terraform.workspace]}:role/transfer"] + identifiers = ["arn:aws:iam::471112983409:role/transfer"] } actions = [ "s3:GetObject", From dd468870fa8144c162de843351d2dc7ba7b65717 Mon Sep 17 00:00:00 2001 From: Keir Williams Date: Thu, 14 Nov 2024 11:49:57 +0000 Subject: [PATCH 165/308] adjust default disable time (#8669) --- terraform/modules/baseline/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index 8ffe0df2a46..e50df55f260 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -924,7 +924,7 @@ variable "schedule_alarms_lambda" { alarm_patterns = optional(list(string), []) disable_weekend = optional(bool, true) start_time = optional(string, "06:15") - end_time = optional(string, "22:45") + end_time = optional(string, "20:45") tags = optional(map(string), {}) }) default = {} From 29cd4134325406d2bf51c8752e419d9f9ba16b0a Mon Sep 17 00:00:00 2001 
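Review bot: Replacing the lookup with the literal `471112983409` makes the target bucket in every environment trust the `transfer` role of that one account, even though the bucket name still varies with `local.environment`. If that account is not the right one for every workspace, this either breaks access or grants it across environments. The original problem was only the third colon after `iam`, so the lookup can stay: `identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/transfer"]`. The `aws_iam_policy_document` block continues outside the hunk.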
From: Matthew Price Date: Thu, 14 Nov 2024 13:10:49 +0000 Subject: [PATCH 166/308] ELM-2758 Configure MDSS feed landing zone permissions (#8664) * Allow cross account policy to be specified * add mdss account and role --- .../modules/landing_bucket/main.tf | 16 ++++++ .../modules/landing_bucket/variables.tf | 9 +++ .../electronic-monitoring-data/s3.tf | 55 +++++++++++++------ 3 files changed, 62 insertions(+), 18 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf index ed708c6f3c7..54231a132b0 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf @@ -54,6 +54,22 @@ module "this-bucket" { } ] + # Optionally add cross account access to bucket policy. + bucket_policy_v2 = var.cross_account_access_role != null ? [ + { + sid = "CrossAccountAccess" + effect = "Allow" + actions = [ + "s3:PutObject", + "s3:PutObjectAcl" + ] + principals = { + identifiers = ["arn:aws:iam::${var.cross_account_access_role.account_number}:role/${var.cross_account_access_role.role_name}"] + type = "AWS" + } + } + ] : [] + tags = merge( var.local_tags, { order_type = var.order_type }, diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf index 35ef8acbaa6..ac72a17b0d2 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf 
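Review bot: The `CrossAccountAccess` statement grants `s3:PutObjectAcl` alongside `s3:PutObject` to a role in another account, which lets the supplier set ACLs on the objects it uploads, and nothing in the statement requires uploads to hand control to the bucket owner. If the bucket enforces bucket-owner object ownership (not visible in this hunk) the ACL action is unnecessary and the list can be reduced to `actions = ["s3:PutObject"]`. Otherwise the usual guard is a condition requiring `bucket-owner-full-control` on the upload, provided the module's `bucket_policy_v2` accepts conditions. The statement also has no explicit resource scope, so it relies on whatever the module defaults to. The `module "this-bucket"` block starts and ends outside the hunk.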
@@ -1,3 +1,12 @@ +variable "cross_account_access_role" { + description = "An object containing the cross account number and role name." + type = object({ + account_number = string + role_name = string + }) + default = null +} + variable "data_feed" { description = "The data feed the bucket relates to" type = string diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index f593475b4f6..c68dba4167d 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -1,5 +1,18 @@ locals { bucket_prefix = "emds-${local.environment_shorthand}" + + mdss_supplier_account_mapping = { + "production" = null + "preproduction" = { + "account_number" = 173142358744 + "role_name" = "juniper-dt-lambda-role" + } + "test" = { + "account_number" = 173142358744 + role_name = "dev-dt-lambda-role" + } + "development" = null + } } # ------------------------------------------------------------------------ @@ -591,12 +604,14 @@ module "s3-fms-specials-landing-bucket-iam-user" { module "s3-mdss-general-landing-bucket" { source = "./modules/landing_bucket/" - data_feed = "mdss" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket - order_type = "general" - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + data_feed = "mdss" + order_type = "general" + + cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket + s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn providers = { aws = aws 
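Review bot: In `mdss_supplier_account_mapping` the `account_number` values are bare numbers (`173142358744`) while the new `cross_account_access_role` variable declares `account_number = string`, so the value only becomes a string through implicit conversion, and an account ID with a leading zero would not survive as a number literal. Quoting the value keeps the ID intact and matches the declared type: `"account_number" = "173142358744"`. The keys are also quoted inconsistently (`"role_name"` under preproduction, `role_name` under test). A `validation` block on the variable checking for twelve digits would catch a mistyped ID before it reaches the bucket policy.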
@@ -606,12 +621,14 @@ module "s3-mdss-general-landing-bucket" { module "s3-mdss-ho-landing-bucket" { source = "./modules/landing_bucket/" - data_feed = "mdss" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket - order_type = "ho" - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + data_feed = "mdss" + order_type = "ho" + + cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket + s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn providers = { aws = aws @@ -621,12 +638,14 @@ module "s3-mdss-ho-landing-bucket" { module "s3-mdss-specials-landing-bucket" { source = "./modules/landing_bucket/" - data_feed = "mdss" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket - order_type = "specials" - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + data_feed = "mdss" + order_type = "specials" + + cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket + s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn providers = { aws = aws From b2e478e4e09daed4ba4a99719b3c3f7b1e21e6e0 Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Thu, 14 Nov 2024 15:54:05 +0000 Subject: [PATCH 167/308] Delius core fix task defs (#8670) * fix task defs * Update ecs.tf * Update ldap_ecs.tf * Update ecs.tf * task defs * Revert "task defs" This reverts commit 6b379c0a779ad6af20e539a9ead0236643f0b3f5. * Update load_balancing.tf --- .../delius-core/modules/delius_environment/ldap_ecs.tf | 7 +++++-- .../delius-core/modules/delius_environment/pwm.tf | 6 ++++-- .../delius-core/modules/delius_environment/weblogic.tf | 3 ++- .../delius-core/modules/delius_environment/weblogic_eis.tf | 3 ++- .../delius-core/modules/helpers/delius_microservice/ecs.tf | 2 +- .../modules/helpers/delius_microservice/load_balancing.tf | 2 +- 6 files changed, 15 insertions(+), 8 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf index ab34301e0c2..2825a4dcf2d 100644 --- a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf +++ b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf @@ -23,7 +23,9 @@ module "ldap_ecs" { } container_secrets_env_specific = try(var.delius_microservice_configs.ldap.container_secrets_env_specific, {}) - desired_count = var.ldap_config.desired_count + desired_count = var.ldap_config.desired_count + deployment_minimum_healthy_percent = 0 + deployment_maximum_percent = 200 container_port_config = [ { @@ -59,6 +61,7 @@ module "ldap_ecs" { account_info = var.account_info ignore_changes_service_task_definition = false + force_new_deployment = true extra_task_exec_role_policies = { @@ -356,4 +359,4 @@ resource "aws_cloudwatch_log_group" "ldap_automation" { name = "/ecs/ldap-automation-${var.env_name}" retention_in_days = 7 tags = var.tags -} \ No newline at end of file +} 
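Review bot: `deployment_minimum_healthy_percent = 0` lets ECS stop every running LDAP task before the replacements are healthy, and the second hunk adds `force_new_deployment = true`, so that window opens whenever the service is updated. For a directory that other services presumably authenticate against, that means a gap in availability during each rollout. If zero is required because only one task can run against the data at a time, record that in a comment next to the setting; otherwise a value such as `deployment_minimum_healthy_percent = 50` keeps some capacity in place. The `module "ldap_ecs"` block starts and ends outside the hunks.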
diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 3f6dce6ec86..bd1443e9d11 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -88,8 +88,10 @@ module "pwm" { "SECURITY_KEY" = "${base64encode(uuid())}", "JAVA_OPTS" = "-Xmx${floor(var.delius_microservice_configs.pwm.container_memory * 0.75)}m -Xms${floor(var.delius_microservice_configs.pwm.container_memory * 0.25)}m" } - container_vars_env_specific = try(var.delius_microservice_configs.pwm.container_vars_env_specific, {}) - ignore_changes_service_task_definition = true + container_vars_env_specific = try(var.delius_microservice_configs.pwm.container_vars_env_specific, {}) + + ignore_changes_service_task_definition = false + force_new_deployment = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index 554eb31fd4e..fd968edcdee 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -30,7 +30,8 @@ module "weblogic" { cluster_security_group_id = aws_security_group.cluster.id - ignore_changes_service_task_definition = true + ignore_changes_service_task_definition = false + force_new_deployment = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf index cd68c989724..8ba7f2a6d9a 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf 
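Review bot: Setting `ignore_changes_service_task_definition = false` means task definition changes now roll out, and the context line `"SECURITY_KEY" = "${base64encode(uuid())}"` yields a new value on every plan, so each apply will register a new task definition and redeploy PWM with a different security key. If PWM uses that key to protect stored or in-flight data (worth confirming), anything sealed under the old key stops validating after each apply, and the key is also written in clear into the task definition and state. Generating the key once and passing it as a container secret would avoid both. At minimum, add a comment such as `# SECURITY_KEY regenerates on every plan, so the task definition always shows a diff`. The `module "pwm"` block starts and ends outside the hunk.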
@@ -88,7 +88,8 @@ module "weblogic_eis" { platform_vars = var.platform_vars tags = var.tags - ignore_changes_service_task_definition = true + ignore_changes_service_task_definition = false + force_new_deployment = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf index 551ef78f499..f03b5554344 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf @@ -38,7 +38,7 @@ module "ecs_service" { source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0" container_definitions = nonsensitive(module.container_definition.json_encoded_list) cluster_arn = var.ecs_cluster_arn - name = var.name + name = "${var.env_name}-${var.name}" task_cpu = var.container_cpu task_memory = var.container_memory diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf index 867cf3b3b5d..7f46a8cd665 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf @@ -150,7 +150,7 @@ resource "aws_lb_listener" "services" { resource "aws_route53_record" "services_nlb_r53_record" { provider = aws.core-vpc zone_id = var.account_config.route53_inner_zone_info.zone_id - name = "${var.name}.service.${var.env_name}.${var.account_config.dns_suffix}" + name = "${var.name}.service.${var.env_name}" type = "A" alias { evaluate_target_health = false From f000f11886c4dab67f0eacacfa805c78dd4cd4f9 Mon Sep 17 00:00:00 2001 
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:16:25 +0000 Subject: [PATCH 168/308] TM-679: fix planetfm tags for ssm monitoring (#8672) * fix tags * fix typo --- .../planetfm/locals_production.tf | 28 +++++++++---------- .../planetfm/locals_security_groups.tf | 2 +- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/terraform/environments/planetfm/locals_production.tf b/terraform/environments/planetfm/locals_production.tf index 3d373eef84e..b40f8633313 100644 --- a/terraform/environments/planetfm/locals_production.tf +++ b/terraform/environments/planetfm/locals_production.tf @@ -50,12 +50,12 @@ locals { disable_api_termination = true instance_type = "t3.xlarge" }) - tags = { + tags = merge(local.ec2_instances.app.tags, { ami = "pd-cafm-a-10-b" description = "RDS Session Host and CAFM App Server/PFME Licence Server" pre-migration = "PDFAW0010" update-ssm-agent = "patchgroup2" - } + }) }) pd-cafm-a-11-a = merge(local.ec2_instances.app, { @@ -75,12 +75,12 @@ locals { disable_api_termination = true instance_type = "t3.xlarge" }) - tags = { + tags = merge(local.ec2_instances.app.tags, { ami = "pd-cafm-a-11-a" description = "RDS session host and app server" pre-migration = "PDFWA0011" update-ssm-agent = "patchgroup1" - } + }) }) pd-cafm-a-12-b = merge(local.ec2_instances.app, { @@ -100,12 +100,12 @@ locals { disable_api_termination = true instance_type = "t3.xlarge" }) - tags = { + tags = merge(local.ec2_instances.app.tags, { ami = "pd-cafm-a-12-b" description = "RDS session host and app Server" pre-migration = "PDFAW0012" update-ssm-agent = "patchgroup2" - } + }) }) pd-cafm-a-13-a = merge(local.ec2_instances.app, { 
@@ -125,12 +125,12 @@ locals { disable_api_termination = true instance_type = "t3.xlarge" }) - tags = { + tags = merge(local.ec2_instances.app.tags, { ami = "pd-cafm-a-13-a" description = "RDS session host and App Server" pre-migration = "PDFAW0013" update-ssm-agent = "patchgroup1" - } + }) }) # database servers @@ -228,12 +228,12 @@ locals { disable_api_termination = true instance_type = "t3.2xlarge" }) - tags = { + tags = merge(local.ec2_instances.web.tags, { ami = "pd-cafm-w-36-b" description = "CAFM Asset Management" pre-migration = "PDFWW00036" update-ssm-agent = "patchgroup2" - } + }) }) pd-cafm-w-37-a = merge(local.ec2_instances.web, { @@ -265,12 +265,12 @@ locals { disable_api_termination = true instance_type = "t3.2xlarge" }) - tags = { + tags = merge(local.ec2_instances.web.tags, { ami = "pd-cafm-w-37-a" description = "CAFM Assessment Management" pre-migration = "PFWW00037" update-ssm-agent = "patchgroup1" - } + }) }) pd-cafm-w-38-b = merge(local.ec2_instances.web, { @@ -290,12 +290,12 @@ locals { disable_api_termination = true instance_type = "t3.large" }) - tags = { + tags = merge(local.ec2_instances.web.tags, { ami = "pd-cafm-w-38-b" description = "CAFM Web Training" pre-migration = "PDFWW3QCP660001" update-ssm-agent = "patchgroup2" - } + }) }) } diff --git a/terraform/environments/planetfm/locals_security_groups.tf b/terraform/environments/planetfm/locals_security_groups.tf index f25c372f83e..e35aeda214d 100644 --- a/terraform/environments/planetfm/locals_security_groups.tf +++ b/terraform/environments/planetfm/locals_security_groups.tf @@ -105,7 +105,7 @@ locals { cidr_blocks = local.security_group_cidrs.enduserclient } rdp_tcp_web = { - description = "3389: Allow RDP UDP ingress from jumpserver" + description = "3389: Allow RDP TCP ingress from jumpserver" from_port = 3389 to_port = 3389 protocol = "TCP" From e95332cfcc47e71c773942be70135cf476adc16e Mon Sep 17 00:00:00 2001 
From: Emterry Date: Thu, 14 Nov 2024 16:16:59 +0000 Subject: [PATCH 169/308] add bottlerocket and helm patching --- .../environment-configuration.tf | 6 +++--- .../helm-charts-system.tf | 14 +++++++------- .../analytical-platform-compute/locals.tf | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 4240dd2b18f..f422c9c8752 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -27,7 +27,7 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-sandbox" eks_cluster_version = "1.31" - eks_node_version = "1.25.0-388e1050" + eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" kube_proxy = "v1.31.1-eksbuild.2" @@ -78,7 +78,7 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.31" - eks_node_version = "1.25.0-388e1050" + eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" kube_proxy = "v1.31.1-eksbuild.2" @@ -128,7 +128,7 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.31" - eks_node_version = "1.25.0-388e1050" + eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" kube_proxy = "v1.31.1-eksbuild.2" diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf index 7a1daf7d9fc..c7d2e120b0a 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-system.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-system.tf 
@@ -4,7 +4,7 @@ resource "helm_release" "kyverno" { name = "kyverno" repository = "https://kyverno.github.io/kyverno" chart = "kyverno" - version = "3.2.7" + version = "3.3.3" namespace = kubernetes_namespace.kyverno.metadata[0].name values = [ templatefile( @@ -71,7 +71,7 @@ resource "helm_release" "amazon_prometheus_proxy" { name = "amazon-prometheus-proxy" repository = "https://prometheus-community.github.io/helm-charts" chart = "kube-prometheus-stack" - version = "65.2.0" + version = "66.1.1" namespace = kubernetes_namespace.aws_observability.metadata[0].name values = [ templatefile( @@ -96,7 +96,7 @@ resource "helm_release" "cluster_autoscaler" { name = "cluster-autoscaler" repository = "https://kubernetes.github.io/autoscaler" chart = "cluster-autoscaler" - version = "9.43.0" + version = "9.43.2" namespace = kubernetes_namespace.cluster_autoscaler.metadata[0].name values = [ @@ -119,7 +119,7 @@ resource "helm_release" "karpenter_crd" { name = "karpenter-crd" repository = "oci://public.ecr.aws/karpenter" chart = "karpenter-crd" - version = "1.0.6" + version = "1.0.8" namespace = kubernetes_namespace.karpenter.metadata[0].name values = [ @@ -141,7 +141,7 @@ resource "helm_release" "karpenter" { name = "karpenter" repository = "oci://public.ecr.aws/karpenter" chart = "karpenter" - version = "1.0.6" + version = "1.0.8" namespace = kubernetes_namespace.karpenter.metadata[0].name values = [ @@ -283,7 +283,7 @@ resource "helm_release" "external_secrets" { name = "external-secrets" repository = "https://charts.external-secrets.io" chart = "external-secrets" - version = "0.10.4" + version = "0.10.5" namespace = kubernetes_namespace.external_secrets.metadata[0].name values = [ templatefile( @@ -310,7 +310,7 @@ resource "helm_release" "keda" { name = "keda" repository = "https://kedacore.github.io/charts" chart = "keda" - version = "2.15.1" + version = "2.16.0" namespace = kubernetes_namespace.keda.metadata[0].name values = [ templatefile( 
diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf index 47a6272f27e..78e3b560296 100644 --- a/terraform/environments/analytical-platform-compute/locals.tf +++ b/terraform/environments/analytical-platform-compute/locals.tf @@ -17,7 +17,7 @@ locals { eks_cloudwatch_log_group_retention_in_days = 400 /* Kube Prometheus Stack */ - prometheus_operator_crd_version = "v0.77.1" + prometheus_operator_crd_version = "v0.78.1" /* Mapping Analytical Platform Environments to Modernisation Platform */ From 4fb21d461c2f11082379fa9278848b2564cac231 Mon Sep 17 00:00:00 2001 From: modernisation-platform-ci <74247767+modernisation-platform-ci@users.noreply.github.com> Date: Thu, 14 Nov 2024 16:44:02 +0000 Subject: [PATCH 170/308] Workflow: created files in . (#8674) --- .github/CODEOWNERS | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 6a678e46030..4a1b1b9d2d4 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -27,7 +27,7 @@ /terraform/environments/delius-nextcloud @ministryofjustice/hmpps-migration @ministryofjustice/hosting-migrations @ministryofjustice/modernisation-platform /terraform/environments/digital-prison-reporting @ministryofjustice/digital-prisons-reporting-development-data-engineer @ministryofjustice/digital-prisons-reporting-preproduction-data-engineer @ministryofjustice/digital-prisons-reporting-production-data-engineer @ministryofjustice/digital-prisons-reporting-test-data-engineer @ministryofjustice/hmpps-digital-prison-reporting @ministryofjustice/hmpps-digital-prison-reporting-non-cleared-team @ministryofjustice/modernisation-platform /terraform/environments/edw @ministryofjustice/laa-aws-infrastructure @ministryofjustice/laa-edw-developer @ministryofjustice/modernisation-platform -/terraform/environments/electronic-monitoring-data @ministryofjustice/hmpps-electronic-monitoring-data-store @ministryofjustice/hmpps-electronic-monitoring-data-store-appsec-202410 @ministryofjustice/modernisation-platform +/terraform/environments/electronic-monitoring-data @ministryofjustice/hmpps-electronic-monitoring-data-store @ministryofjustice/modernisation-platform /terraform/environments/equip @ministryofjustice/modernisation-platform-engineers @ministryofjustice/modernisation-platform /terraform/environments/eric @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform 
@@ -64,7 +64,6 @@ /terraform/environments/tribunals @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform /terraform/environments/wardship @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform /terraform/environments/xhibit-portal @ministryofjustice/cjse-xhibit-portal-discovery @ministryofjustice/xhibit-portal-dev @ministryofjustice/modernisation-platform -**/providers.tf @ministryofjustice/modernisation-platform **/backend.tf @ministryofjustice/modernisation-platform **/subnet_share.tf @ministryofjustice/modernisation-platform **/networking.auto.tfvars.json @ministryofjustice/modernisation-platform From def7a55eb620dfe1747405f5f1f229b1e1ed742f Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Nov 2024 17:24:08 +0000 Subject: [PATCH 171/308] Revert BR Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/environment-configuration.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index f422c9c8752..51a61845f62 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -27,7 +27,8 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-sandbox" eks_cluster_version = "1.31" - eks_node_version = "1.26.2-360b7a38" + # eks_node_version = "1.26.2-360b7a38" + eks_node_version = "1.25.0-388e1050" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" kube_proxy = "v1.31.1-eksbuild.2" From 1187fed5b5889337d62dc27380cacf6945372547 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Nov 2024 17:28:59 +0000 Subject: [PATCH 172/308] testing expireAfter 
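Review bot: Removing the `**/providers.tf @ministryofjustice/modernisation-platform` line in the second CODEOWNERS hunk drops the mandatory platform-team review for every providers.tf in the repository, while the sibling `**/backend.tf`, `**/subnet_share.tf` and `**/networking.auto.tfvars.json` rules stay. These catch-all rules sit after the per-environment entries and the last matching pattern wins, so providers.tf changes would now fall under each environment team's own rule. Provider blocks usually decide which role and account a plan runs against, so an intended removal deserves a line in the commit description. Otherwise `**/providers.tf @ministryofjustice/modernisation-platform` should be kept. The commit subject suggests a workflow generates this file, so any fix probably belongs in that generator rather than in the file itself.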
Signed-off-by: Jacob Woffenden --- .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +- .../templates/node-pool-general-on-demand.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index 2ac953cac14..81c00bc19ad 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 1.9.0 \ No newline at end of file +version: 2.0.0 diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml index f9401e55efc..7f0add0aec5 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml @@ -12,6 +12,7 @@ spec: labels: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-on-demand" spec: + expireAfter: Never nodeClassRef: apiVersion: karpenter.k8s.aws/v1beta1 kind: EC2NodeClass From 73fe4196d9cccac11780d86c3c40ca20a9158d4d Mon Sep 17 00:00:00 2001 
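Review bot: `expireAfter: Never` in node-pool-general-on-demand.yaml removes the age ceiling on nodes in this pool, so a node is replaced only through drift or consolidation and can otherwise keep running an old image indefinitely. The commit subject says this is a test, so a finite value such as `expireAfter: 720h`, with a comment giving the reason, would be safer to leave behind than `Never`. The field is added under `spec.template.spec` while the `nodeClassRef` beside it still uses `apiVersion: karpenter.k8s.aws/v1beta1`. The NodePool's own apiVersion is outside the hunk, so it is worth confirming that the schema accepts the field at this position rather than dropping it.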
From: George Taylor Date: Thu, 14 Nov 2024 17:34:18 +0000 Subject: [PATCH 173/308] Delius Core Stage - Task def fix (#8673) * fix task defs * Update ecs.tf * task defs * Revert "task defs" This reverts commit 6b379c0a779ad6af20e539a9ead0236643f0b3f5. * Update load_balancing.tf * Update locals_stage.tf * force_new_deployment = false --- terraform/environments/delius-core/locals_stage.tf | 2 +- .../delius-core/modules/delius_environment/ldap_ecs.tf | 3 +-- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- .../delius-core/modules/delius_environment/weblogic.tf | 2 +- .../delius-core/modules/delius_environment/weblogic_eis.tf | 2 +- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/terraform/environments/delius-core/locals_stage.tf b/terraform/environments/delius-core/locals_stage.tf index e512826aa10..eb75a5b6631 100644 --- a/terraform/environments/delius-core/locals_stage.tf +++ b/terraform/environments/delius-core/locals_stage.tf @@ -27,7 +27,7 @@ locals { efs_backup_retention_period = "30" port = 389 tls_port = 636 - desired_count = 0 + desired_count = 1 } diff --git a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf index 2825a4dcf2d..27ccc657d48 100644 --- a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf +++ b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf @@ -61,8 +61,7 @@ module "ldap_ecs" { account_info = var.account_info ignore_changes_service_task_definition = false - force_new_deployment = true - + force_new_deployment = false extra_task_exec_role_policies = { efs = data.aws_iam_policy_document.ldap_efs_access_policy diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index bd1443e9d11..3509f9b3016 100644 
--- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -91,7 +91,7 @@ module "pwm" { container_vars_env_specific = try(var.delius_microservice_configs.pwm.container_vars_env_specific, {}) ignore_changes_service_task_definition = false - force_new_deployment = true + force_new_deployment = false providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index fd968edcdee..658c0e24bdb 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -31,7 +31,7 @@ module "weblogic" { cluster_security_group_id = aws_security_group.cluster.id ignore_changes_service_task_definition = false - force_new_deployment = true + force_new_deployment = false providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf index 8ba7f2a6d9a..503c863ff9b 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf @@ -89,7 +89,7 @@ module "weblogic_eis" { tags = var.tags ignore_changes_service_task_definition = false - force_new_deployment = true + force_new_deployment = false providers = { aws.core-vpc = aws.core-vpc From 4f1c39415b42187b86e492314140bd279f21ca6c Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 14 Nov 2024 17:34:37 +0000 Subject: [PATCH 174/308] Update locals_stage.tf (#8675) --- terraform/environments/delius-core/locals_stage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/environments/delius-core/locals_stage.tf b/terraform/environments/delius-core/locals_stage.tf index eb75a5b6631..c68bf61590d 100644 --- a/terraform/environments/delius-core/locals_stage.tf +++ b/terraform/environments/delius-core/locals_stage.tf @@ -21,7 +21,7 @@ locals { encrypted = true migration_source_account_id = "205048117103" migration_lambda_role = "ldap-data-migration-lambda-role" - efs_throughput_mode = "bursting" + efs_throughput_mode = "elastic" efs_provisioned_throughput = null efs_backup_schedule = "cron(0 19 * * ? *)", efs_backup_retention_period = "30" From a87396d1ffee0982351f84943ac8256f6c899cd3 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Nov 2024 18:10:39 +0000 Subject: [PATCH 175/308] Revert the revert Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/environment-configuration.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 51a61845f62..f422c9c8752 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -27,8 +27,7 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-sandbox" eks_cluster_version = "1.31" - # eks_node_version = "1.26.2-360b7a38" - eks_node_version = "1.25.0-388e1050" + eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" kube_proxy = "v1.31.1-eksbuild.2" From ea876d83cbba7a19065f3944a335c9e0a91d6551 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Nov 2024 18:56:41 +0000 Subject: [PATCH 176/308] Add spec.disruption.budgets 
Signed-off-by: Jacob Woffenden --- .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +- .../templates/node-pool-airflow-high-memory.yaml | 2 ++ .../templates/node-pool-general-on-demand.yaml | 3 ++- .../templates/node-pool-general-spot.yaml | 2 ++ .../templates/node-pool-gpu-on-demand.yaml | 2 ++ .../karpenter-configuration/templates/node-pool-gpu-spot.yaml | 2 ++ 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index 81c00bc19ad..8ce4103e8c8 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 2.0.0 +version: 2.1.0 diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml index bdf49b77d92..1c057cd7f2e 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml @@ -5,6 +5,8 @@ metadata: name: airflow-high-memory spec: disruption: + budgets: + - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: 
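Review bot: The `- nodes: "0"` budget added under `spec.disruption` in node-pool-airflow-high-memory.yaml has no `schedule` or `duration`, so it blocks every voluntary disruption for the pool at all times, including replacement of drifted nodes. The same two lines are added to the general-on-demand, general-spot, gpu-on-demand and gpu-spot pools. While it is in place, a node image change made elsewhere in this series would presumably not reach existing nodes. If the freeze is deliberate and temporary, say so with a comment such as `# temporary freeze while the node upgrade is investigated; remove once done`, or bound it with a `schedule`/`duration` window so it lifts on its own. The NodePool spec continues outside the hunk.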
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml index 7f0add0aec5..7a75bb3132d 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml @@ -5,6 +5,8 @@ metadata: name: general-on-demand spec: disruption: + budgets: + - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: @@ -12,7 +14,6 @@ spec: labels: compute.analytical-platform.service.justice.gov.uk/karpenter-node-pool: "general-on-demand" spec: - expireAfter: Never nodeClassRef: apiVersion: karpenter.k8s.aws/v1beta1 kind: EC2NodeClass diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml index bceb43c80fb..d5693c34795 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml @@ -5,6 +5,8 @@ metadata: name: general-spot spec: disruption: + budgets: + - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: 
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml index 98cd1594723..4a33dc31414 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml @@ -5,6 +5,8 @@ metadata: name: gpu-on-demand spec: disruption: + budgets: + - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml index fcefdfeb057..7e1a3030375 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml @@ -5,6 +5,8 @@ metadata: name: gpu-spot spec: disruption: + budgets: + - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: From d40f6684bb65c23bcaf357103a57836dac6a352f Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 14 Nov 2024 19:41:12 +0000 Subject: [PATCH 177/308] Update kube-proxy and EFS CSI remove spec.disruption.budgets so it returns to default of 10% 
Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/environment-configuration.tf | 4 ++-- .../src/helm/charts/karpenter-configuration/Chart.yaml | 2 +- .../templates/node-pool-airflow-high-memory.yaml | 2 -- .../templates/node-pool-general-on-demand.yaml | 2 -- .../templates/node-pool-general-spot.yaml | 2 -- .../templates/node-pool-gpu-on-demand.yaml | 2 -- .../karpenter-configuration/templates/node-pool-gpu-spot.yaml | 2 -- 7 files changed, 3 insertions(+), 13 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index f422c9c8752..031d704d8d0 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -30,9 +30,9 @@ locals { eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" - kube_proxy = "v1.31.1-eksbuild.2" + kube_proxy = "v1.31.2-eksbuild.2" aws_ebs_csi_driver = "v1.36.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.8-eksbuild.1" + aws_efs_csi_driver = "v2.0.9-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" vpc_cni = "v1.18.6-eksbuild.1" diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index 8ce4103e8c8..462add8abe8 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 2.1.0 +version: 2.2.0 
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml index 1c057cd7f2e..bdf49b77d92 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-airflow-high-memory.yaml @@ -5,8 +5,6 @@ metadata: name: airflow-high-memory spec: disruption: - budgets: - - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml index 7a75bb3132d..f9401e55efc 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-on-demand.yaml @@ -5,8 +5,6 @@ metadata: name: general-on-demand spec: disruption: - budgets: - - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml index d5693c34795..bceb43c80fb 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml 
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml @@ -5,8 +5,6 @@ metadata: name: general-spot spec: disruption: - budgets: - - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml index 4a33dc31414..98cd1594723 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml @@ -5,8 +5,6 @@ metadata: name: gpu-on-demand spec: disruption: - budgets: - - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml index 7e1a3030375..fcefdfeb057 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml @@ -5,8 +5,6 @@ metadata: name: gpu-spot spec: disruption: - budgets: - - nodes: "0" consolidationPolicy: WhenEmpty consolidateAfter: 5m template: From 38ae704acb7afa9f33319ffb27e1a8fcc4f8c4b7 Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Thu, 14 Nov 2024 20:30:39 +0000 Subject: [PATCH 178/308] Update VPC CNI version --- .../analytical-platform-compute/environment-configuration.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 031d704d8d0..c9a7deb68c6 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -35,7 +35,7 @@ locals { aws_efs_csi_driver = "v2.0.9-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.6-eksbuild.1" + vpc_cni = "v1.19.0-eksbuild.1" } /* Data Engineering Airflow */ From 025f6faaaa9b48f98ffbbc6a2da0ce4090b2a7c9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 00:26:30 +0000 Subject: [PATCH 179/308] Bump bridgecrewio/checkov-action from 12.2901.0 to 12.2906.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2901.0 to 12.2906.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/4a99082c85209d45681ede7f3f230941caf8e366...7558bbd06cd18ae570180c7e44ad5d8eece96c82) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 27abd750109..680852141e1 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml 
@@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@4a99082c85209d45681ede7f3f230941caf8e366 # v12.2901.0 + uses: bridgecrewio/checkov-action@7558bbd06cd18ae570180c7e44ad5d8eece96c82 # v12.2906.0 with: directory: ./ framework: terraform From cc9201a3dde9c6e1d95728ed1832b024f6901ada Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 00:26:36 +0000 Subject: [PATCH 180/308] Bump github/codeql-action from 3.27.3 to 3.27.4 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.3 to 3.27.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/396bb3e45325a47dd9ef434068033c6d5bb0d11a...ea9e4e37992a54ee68a9622e985e60c8e8f12d9f) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 27abd750109..21551993a16 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -38,7 +38,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: tflint.sarif trivy: 
@@ -63,7 +63,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: 'trivy-results.sarif' checkov: @@ -90,6 +90,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index c93801ca55e..c035475ffb6 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # v3.27.3 + uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 with: sarif_file: results.sarif From 0d12fd27f82fad1834e9d8b7375975845b150478 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 15 Nov 2024 09:48:22 +0000 Subject: [PATCH 181/308] Update_151124_2 --- terraform/environments/ppud/sns.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index b8074317957..95b3f4c27b3 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf 
@@ -23,6 +23,14 @@ resource "aws_sns_topic_subscription" "cw_subscription" { # endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string } +# SMS topic subscription to be implemented temporarily over the Christmas period +resource "aws_sns_topic_subscription" "cw_sms_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "sms" + endpoint = "+447903642202" +} + # PreProduction - Cloud Watch resource "aws_sns_topic" "cw_uat_alerts" { From ecbf6f0eb7e0f0e84b440750da9cc4f8ea834beb Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 15 Nov 2024 09:53:33 +0000 Subject: [PATCH 182/308] oem: tweak endpoint alarm thresholds (#8681) --- .../modules/baseline_presets/cloudwatch_metric_alarms.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 1f709639fdd..1fdd5499444 100644 --- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf @@ -332,8 +332,8 @@ locals { ec2_instance_cwagent_collectd_endpoint_monitoring = { "endpoint-down" = { comparison_operator = "GreaterThanOrEqualToThreshold" - evaluation_periods = "1" - datapoints_to_alarm = "1" + evaluation_periods = "3" + datapoints_to_alarm = "3" metric_name = "collectd_endpoint_status_value" namespace = "CWAgent" period = "60" From 2f4e14b393b713e4fdd77b0e4de4284ddfc49182 Mon Sep 17 00:00:00 2001 
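Review bot: The new `cw_sms_subscription` resource hard-codes a mobile number as the `endpoint` literal, which puts an individual's contact detail into the repository history and every plan output. The commented-out line directly above it in this hunk already reads an endpoint from `aws_secretsmanager_secret_version.support_email_account[0].secret_string`; the SMS endpoint could be sourced the same way, for example `endpoint = aws_secretsmanager_secret_version.oncall_sms[0].secret_string` (placeholder resource name), so that changing the on-call contact needs no commit. The later hunks on this file in PATCH 187 and PATCH 192 have the same problem: they add further numbers beside staff names, one marked personal, inside a block comment. The comment calls the subscription temporary; stating the intended removal date there would make the clean-up checkable.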
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 15 Nov 2024 10:06:36 +0000 Subject: [PATCH 183/308] Bump slackapi/slack-github-action from 1.27.0 to 2.0.0 Bumps [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) from 1.27.0 to 2.0.0. - [Release notes](https://github.com/slackapi/slack-github-action/releases) - [Commits](https://github.com/slackapi/slack-github-action/compare/37ebaef184d7626c5f204ab8d3baff4262dd30f0...485a9d42d3a73031f12ec201c457e2162c45d02d) --- updated-dependencies: - dependency-name: slackapi/slack-github-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/awsnuke.yml | 4 ++-- .github/workflows/generate-dependabot-file.yml | 2 +- .github/workflows/nuke-redeploy.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/awsnuke.yml b/.github/workflows/awsnuke.yml index f2e72543c55..d49ab888f49 100644 --- a/.github/workflows/awsnuke.yml +++ b/.github/workflows/awsnuke.yml @@ -131,7 +131,7 @@ jobs: --force \ --no-dry-run - name: Slack failure notification - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: payload: | {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} 
@@ -215,7 +215,7 @@ jobs: --force \ --no-dry-run - name: Slack failure notification - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: payload: | {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} diff --git a/.github/workflows/generate-dependabot-file.yml b/.github/workflows/generate-dependabot-file.yml index 0bce6d591a3..24bc2998bfc 100644 --- a/.github/workflows/generate-dependabot-file.yml +++ b/.github/workflows/generate-dependabot-file.yml @@ -34,7 +34,7 @@ jobs: env: SECRET: ${{ secrets.GITHUB_TOKEN }} - name: Slack failure notification - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.26.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v1.26.0 with: payload: | {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index 44b0619b862..80c2bb6772c 100644 --- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml 
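Review bot: In the `generate-dependabot-file.yml` hunk the pinned SHA changes but the trailing comment still reads `# v1.26.0`, while the other three workflows in this commit label the same SHA `# v2.0.0`; the line should be `uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0`. With SHA pinning the tag comment is the only human-readable statement of which release the hash is meant to be, so a stale one undermines review of the pin. This is also a major-version bump and the hunks show only the `payload` input. As far as I know v2 expects the webhook through `with:` inputs (`webhook`, `webhook-type`) rather than environment variables, so the lines outside these hunks that supply the webhook should be checked, otherwise the failure notification step may itself fail.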
@@ -91,7 +91,7 @@ jobs: bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development} - name: Slack failure notification - uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 with: payload: | {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} From 4e7e55b5812b83dcb7b7f5d6e4fd63af452d8806 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 15 Nov 2024 10:23:27 +0000 Subject: [PATCH 184/308] Improve Lifecycle Management --- .../digital-prison-reporting/main.tf | 15 ++- .../modules/s3_bucket/main.tf | 91 ++++++++++++------- .../modules/s3_bucket/variables.tf | 45 +++++---- 3 files changed, 98 insertions(+), 53 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index 1b56ff54ffc..4bd8d37b61b 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -995,9 +995,18 @@ module "s3_working_bucket" { create_notification_queue = false # For SQS Queue enable_lifecycle = true enable_lifecycle_expiration = true - expiration_days = 2 - expiration_prefix_redshift = "reports/" - expiration_prefix_athena = "dpr/" + lifecycle_category = "long_term" + + override_expiration_rules = [ + { + prefix = "reports/" + days = 2 + }, + { + prefix = "dpr/" + days = 2 + } + ] tags = merge( local.all_tags, 
diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf index 3b13f641fa3..157c0f24a6a 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf 
@@ -31,53 +31,78 @@ resource "aws_s3_bucket_public_access_block" "storage" { restrict_public_buckets = true } +# Resource to define S3 bucket lifecycle configuration resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { - #checkov:skip=CKV_AWS_300:TODO Will be addressed as part of https://dsdmoj.atlassian.net/browse/DPR2-1083 + # Enable the lifecycle configuration only if the variable `enable_lifecycle` is true count = var.enable_lifecycle ? 1 : 0 bucket = aws_s3_bucket.storage[0].id + + # Main lifecycle rule for standard categories (short_term, long_term, temporary) rule { id = var.name status = "Enabled" - noncurrent_version_transition { - noncurrent_days = 90 - storage_class = "STANDARD_IA" - } - - noncurrent_version_transition { - noncurrent_days = 365 - storage_class = "GLACIER" + # Short-Term Retention Policy + # - Transitions objects to STANDARD_IA after 30 days (cost-effective storage for infrequent access). + # - Deletes objects after 90 days. + dynamic "transition" { + for_each = var.lifecycle_category == "short_term" ? [ { days = 30, storage_class = "STANDARD_IA" } ] : [] + content { + days = transition.value.days + storage_class = transition.value.storage_class + } } - transition { - days = 60 - storage_class = "STANDARD_IA" - } - } - - rule { - id = "${var.name}-reports" - status = var.enable_lifecycle_expiration ? "Enabled" : "Disabled" - - filter { - prefix = var.expiration_prefix_redshift + dynamic "expiration" { + for_each = var.lifecycle_category == "short_term" ? [ { days = 90 } ] : + var.lifecycle_category == "temporary" ? [ { days = 30 } ] : [] + content { + days = expiration.value.days + } } - expiration { - days = var.expiration_days + # Long-Term Retention Policy + # - Transitions objects to progressively cheaper storage classes: + # - STANDARD_IA after 60 days. + # - GLACIER after 180 days. + # - DEEP_ARCHIVE after 365 days. + # - Does not delete objects (no expiration). 
+ dynamic "transition" { + for_each = var.lifecycle_category == "long_term" ? [ + { days = 60, storage_class = "STANDARD_IA" }, + { days = 180, storage_class = "GLACIER" }, + { days = 365, storage_class = "DEEP_ARCHIVE" } + ] : [] + content { + days = transition.value.days + storage_class = transition.value.storage_class + } } } - rule { - id = "${var.name}-dpr" - status = var.enable_lifecycle_expiration ? "Enabled" : "Disabled" - - filter { - prefix = var.expiration_prefix_athena - } - - expiration { - days = var.expiration_days + # Dynamic rule for custom expiration rules + # - Allows adding additional lifecycle policies dynamically using the `override_expiration_rules` variable. + # - Each custom rule is defined with: + # - A unique prefix to filter objects (e.g., "reports/", "dpr/"). + # - An expiration time in days for objects under that prefix. + # - The `id` for each rule is derived dynamically based on the prefix (slashes `/` are replaced with dashes `-` for compatibility). + # - Rules are enabled or disabled based on the `enable_lifecycle_expiration` variable. + dynamic "rule" { + for_each = var.override_expiration_rules + content { + # Unique rule ID derived from bucket name and prefix + id = "${var.name}-${replace(rule.value.prefix, "/", "-")}" + status = var.enable_lifecycle_expiration ? "Enabled" : "Disabled" + + # Filter to apply the rule only to objects with the specified prefix + filter { + prefix = rule.value.prefix + } + + # Expiration configuration for the specified prefix + expiration { + days = rule.value.days + } } } } diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf index eb0f81d8f5f..71b57b9545f 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/variables.tf 
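Review bot: This hunk deletes the `#checkov:skip=CKV_AWS_300` line, yet no rule in the new configuration sets `abort_incomplete_multipart_upload`, so the check for aborting failed uploads will presumably start failing and abandoned multipart parts are never cleaned up. Adding `abort_incomplete_multipart_upload { days_after_initiation = 7 }` to the main rule would address it (7 is a suggested value, not taken from the page). Both `noncurrent_version_transition` blocks are also removed without replacement. On a bucket with versioning enabled, `expiration` only places a delete marker, so objects meant to be gone after 30 or 90 days would remain retrievable as noncurrent versions unless a `noncurrent_version_expiration` is added; whether versioning is enabled is decided outside this hunk.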
@@ -58,25 +58,20 @@ variable "enable_lifecycle" { default = false } -variable "enable_lifecycle_expiration" { - description = "Enable item expiration - requires 'enable_lifecycle' to be enabled." - default = false -} - -variable "expiration_days" { - description = "Days to wait before deleting expired items." - default = 90 -} +#variable "expiration_days" { +# description = "Days to wait before deleting expired items." +# default = 90 +#} -variable "expiration_prefix_redshift" { - description = "Directory Prefix where Redshift Async query results are stored to apply expiration to." - default = "/" -} +#variable "expiration_prefix_redshift" { +# description = "Directory Prefix where Redshift Async query results are stored to apply expiration to." +# default = "/" +#} -variable "expiration_prefix_athena" { - description = "Directory Prefix where Athena Async query results are stored to apply expiration to." - default = "/" -} +#variable "expiration_prefix_athena" { +# description = "Directory Prefix where Athena Async query results are stored to apply expiration to." +# default = "/" +#} variable "enable_versioning_config" { description = "Enable Versioning Config for S3 Storage, Default is Disabled" @@ -118,4 +113,20 @@ variable "dependency_lambda" { variable "bucket_key" { description = "If Bucket Key is Enabled or Disabled" default = true +} + +## Dynamic override_expiration_rules +variable "override_expiration_rules" { + type = list(object({ prefix = string, days = number })) + default = [] +} + +variable "lifecycle_category" { + type = string + default = "long_term" # Options: "short_term", "long_term", "temporary" +} + +variable "enable_lifecycle_expiration" { + description = "Enable item expiration - requires 'enable_lifecycle' and 'override_expiration_rules' to be defined/enabled." + default = false } \ No newline at end of file From 0ec0fb535ab12e82099a4513c4995dcbe2028377 Mon Sep 17 00:00:00 2001 
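Review bot: `lifecycle_category` is declared without a `description` or a `validation` block, and its accepted values exist only in a trailing comment, so a typo such as `"longterm"` makes every conditional in the module's lifecycle rule evaluate to an empty list instead of failing. A validation with `condition = contains(["short_term", "long_term", "temporary"], var.lifecycle_category)` and a matching `error_message` would reject it at plan time. The default of `"long_term"` also means every existing caller with `enable_lifecycle = true` picks up the GLACIER and DEEP_ARCHIVE transitions without opting in; those callers are outside this patch and worth checking. `override_expiration_rules` likewise has no description, and the three variables commented out in the first hunk of this file would be cleaner deleted.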
From: Hari Chintala Date: Fri, 15 Nov 2024 10:30:16 +0000 Subject: [PATCH 185/308] Improve Lifecycle Management --- .../digital-prison-reporting/modules/s3_bucket/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf index 157c0f24a6a..5c6a36ede53 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf @@ -54,8 +54,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { } dynamic "expiration" { - for_each = var.lifecycle_category == "short_term" ? [ { days = 90 } ] : - var.lifecycle_category == "temporary" ? [ { days = 30 } ] : [] + for_each = var.lifecycle_category == "short_term" ? [ { days = 90 } ] : ( + var.lifecycle_category == "temporary" ? [ { days = 30 } ] : []) content { days = expiration.value.days } From 5c9920a686f2fd1c910cfc53d7212192eb015226 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Fri, 15 Nov 2024 10:40:49 +0000 Subject: [PATCH 186/308] Adjust the rule filter code --- terraform/environments/digital-prison-reporting/main.tf | 6 +++--- .../digital-prison-reporting/modules/s3_bucket/main.tf | 9 ++++----- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index 4bd8d37b61b..91adc19f6c6 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -996,14 +996,14 @@ module "s3_working_bucket" { enable_lifecycle = true enable_lifecycle_expiration = true lifecycle_category = "long_term" - + override_expiration_rules = [ { - prefix = "reports/" + prefix = "reports" days = 2 }, { - prefix = "dpr/" + prefix = "dpr" days = 2 } ] 
diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf index 5c6a36ede53..4cf22f0992a 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf @@ -90,16 +90,15 @@ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { dynamic "rule" { for_each = var.override_expiration_rules content { - # Unique rule ID derived from bucket name and prefix - id = "${var.name}-${replace(rule.value.prefix, "/", "-")}" + # Generate rule ID without worrying about trailing slashes in the prefix + id = "${var.name}-${rule.value.prefix}" status = var.enable_lifecycle_expiration ? "Enabled" : "Disabled" - # Filter to apply the rule only to objects with the specified prefix filter { - prefix = rule.value.prefix + # Append '/' directly in the filter block to ensure proper prefix format + prefix = "${rule.value.prefix}/" } - # Expiration configuration for the specified prefix expiration { days = rule.value.days } From 63aa1c32f1031505ad50a7d2c26f52c2d0357974 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 15 Nov 2024 11:07:32 +0000 Subject: [PATCH 187/308] Update_151124_3 --- .../ppud/cloudwatch_alarms_linux.tf | 2 +- terraform/environments/ppud/sns.tf | 36 +++++++++++++++++-- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/terraform/environments/ppud/cloudwatch_alarms_linux.tf b/terraform/environments/ppud/cloudwatch_alarms_linux.tf index b665f78ab8e..d2730fbe44a 100644 --- a/terraform/environments/ppud/cloudwatch_alarms_linux.tf +++ b/terraform/environments/ppud/cloudwatch_alarms_linux.tf @@ -66,7 +66,7 @@ resource "aws_cloudwatch_metric_alarm" "low_disk_space_log_volume" { ImageId = "ami-0f43890c2b4907c29" InstanceType = "m5.large" device = "nvme1n1p1" - fstype = "xfs" + fstype = "ext4" } } 
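Review bot: The filter now appends `/` unconditionally (`prefix = "${rule.value.prefix}/"`), so a caller that still passes `"reports/"`, the form used one commit earlier, ends up with the prefix `reports//`, which matches no objects and silently disables the expiration. Normalising the input keeps both forms working: `prefix = "${trimsuffix(rule.value.prefix, "/")}/"`, with the same `trimsuffix` applied in the `id`. With the `replace()` removed, a nested prefix such as `a/b` also carries a `/` into the rule `id`. The comment on the `id` line says trailing slashes need not be worried about, which is the opposite of what the code now requires of callers.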
diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index 95b3f4c27b3..d3302357327 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -23,14 +23,46 @@ resource "aws_sns_topic_subscription" "cw_subscription" { # endpoint = aws_secretsmanager_secret_version.support_email_account[0].secret_string } -# SMS topic subscription to be implemented temporarily over the Christmas period +# SMS topic subscriptions to be implemented temporarily over the Christmas period + +resource "aws_sns_topic_subscription" "cw_sms_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "sms" + endpoint = "+447903642202" # Nick Buckingham +} + +/* +resource "aws_sns_topic_subscription" "cw_sms_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "sms" + endpoint = "+447879063551" # Gabriella Browning +} + resource "aws_sns_topic_subscription" "cw_sms_subscription" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn protocol = "sms" - endpoint = "+447903642202" + endpoint = "+447584337970" # David Savage (work) } +resource "aws_sns_topic_subscription" "cw_sms_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "sms" + endpoint = "+447884053737" # David Savage (personal) +} + +resource "aws_sns_topic_subscription" "cw_sms_subscription" { + count = local.is-production == true ? 1 : 0 + topic_arn = aws_sns_topic.cw_alerts[0].arn + protocol = "sms" + endpoint = "+447887576466" # Kofi Owusu-nimoh +} +*/ + + # PreProduction - Cloud Watch resource "aws_sns_topic" "cw_uat_alerts" { From 4cfbb6520af08a5cd44464418a69735407110457 Mon Sep 17 00:00:00 2001 
From: Madhu Kadiri Date: Fri, 15 Nov 2024 13:45:48 +0000 Subject: [PATCH 188/308] Unit testing Fixes - 1511 - 1 --- .../etl_table_rows_hashvalue_to_parquet.py | 69 +++++++++++++------ 1 file changed, 48 insertions(+), 21 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py index 8bf67ab2ae3..63d9561b5d2 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py @@ -161,13 +161,24 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful else: LOGGER.info(f""">> Given RDS SqlServer-DB Table: {rds_sqlserver_db_table} <<""") # ------------------------------------------------------- + rds_db_tbl_pkey_column = args['rds_db_tbl_pkey_column'] LOGGER.info(f""">> rds_db_tbl_pkey_column = {rds_db_tbl_pkey_column} <<""") rds_db_table_empty_df = rds_jdbc_conn_obj.get_rds_db_table_empty_df(rds_sqlserver_db_table) - all_columns_except_pkey = [col for col in rds_db_table_empty_df.columns - if col != rds_db_tbl_pkey_column] + all_columns_except_pkey = list() + + for e in rds_db_table_empty_df.schema.fields: + if e.name == rds_db_tbl_pkey_column: + continue + + if e.dataType.simpleString() == 'timestamp': + all_columns_except_pkey.append(f"CONVERT(VARCHAR, {e.name}, 120)") # YYYY-MM-DD HH:MM:SS + else: + all_columns_except_pkey.append(f"{e.name}") + LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") + # ------------------------------------------------------- prq_bucket_parent_folder = f"""{HASHED_OUTPUT_S3_BUCKET_NAME}/{RDS_DB_TABLE_HASHED_ROWS_PARENT_DIR}""" prq_table_folder_path = f"""{rds_db_name}/{rds_sqlserver_db_schema}/{rds_sqlserver_db_table}""" 
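Review bot: The column names are interpolated into the generated SELECT unquoted (`f"{e.name}"` and `CONVERT(VARCHAR, {e.name}, 120)`), while the table name in the same query is bracketed; a column whose name contains a space or is a reserved word will break the statement. Writing `f"[{e.name}]"` and `f"CONVERT(VARCHAR, [{e.name}], 120)"` keeps the two consistent. Style 120 also drops fractional seconds, so rows that differ only in the sub-second part of a timestamp produce the same hash; if that is deliberate, so that the value matches the parquet side, a comment saying so would help the next reader. The loop sits in a block that begins outside the hunk.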
@@ -184,7 +195,7 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful rds_db_select_query_str = f""" SELECT {rds_db_tbl_pkey_column}, LOWER(SUBSTRING(CONVERT(VARCHAR(66), - HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66)) AS RowHash + HASHBYTES('SHA2_256', CONCAT_WS('', {', '.join(all_columns_except_pkey)})), 1), 3, 66)) AS RowHash FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] """.strip() @@ -195,14 +206,12 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful if hashed_rows_prq_fulls3path != "": LOGGER.info(f"""An existing parquet-table-folder-path found.\n{hashed_rows_prq_fulls3path}""") - rds_db_query_sample_row = f""" - SELECT TOP 1 {rds_db_tbl_pkey_column}, - SUBSTRING(CONVERT(VARCHAR(66), - HASHBYTES('SHA2_256', CONCAT({', '.join(all_columns_except_pkey)})), 1), 3, 66) AS RowHash - FROM {rds_sqlserver_db_schema}.[{rds_sqlserver_db_table}] - """.strip() + rds_db_query_sample_row_str = rds_db_select_query_str.replace( + f"SELECT {rds_db_tbl_pkey_column}", + f"SELECT TOP 1 {rds_db_tbl_pkey_column}") - rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_df(rds_db_query_sample_row) + rds_db_query_sample_row_df = rds_jdbc_conn_obj.get_rds_db_query_df( + rds_db_query_sample_row_str) LOGGER.info(f"""rds_db_query_sample_row_df-schema: \n{rds_db_query_sample_row_df.columns}""") existing_parquet_table_df = CustomPysparkMethods.get_s3_parquet_df_v2( 
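Review bot: `CONCAT_WS('', ...)` with an empty separator produces the same string as the `CONCAT(...)` it replaces, so the row hash still cannot distinguish field boundaries: `('ab', 'c')` and `('a', 'bc')`, or a NULL in one column versus the next, give identical input to `HASHBYTES`. For a hash used to validate migrated rows, that lets some differing rows compare as equal. A non-empty separator that cannot occur in the data, plus an explicit NULL marker per column, would remove the ambiguity. The parquet-side hash in `dms_dv_on_rows_hashvalue.py` would have to be built the same way, and that code is outside this hunk.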
@@ -211,28 +220,46 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful ) existing_parquet_table_df_agg = existing_parquet_table_df.agg( + F.min(rds_db_tbl_pkey_column).alias(f"min_{rds_db_tbl_pkey_column}"), F.max(rds_db_tbl_pkey_column).alias(f"max_{rds_db_tbl_pkey_column}"), F.count(rds_db_tbl_pkey_column).alias(f"count_{rds_db_tbl_pkey_column}") - ) + ) existing_parquet_agg_dict = existing_parquet_table_df_agg.collect()[0] + existing_parquet_min_pkey = existing_parquet_agg_dict[f"min_{rds_db_tbl_pkey_column}"] existing_parquet_max_pkey = existing_parquet_agg_dict[f"max_{rds_db_tbl_pkey_column}"] existing_parquet_count_pkey = existing_parquet_agg_dict[f"count_{rds_db_tbl_pkey_column}"] + LOGGER.info(f"""existing_parquet_min_pkey = {existing_parquet_min_pkey}""") LOGGER.info(f"""existing_parquet_max_pkey = {existing_parquet_max_pkey}""") LOGGER.info(f"""existing_parquet_count_pkey = {existing_parquet_count_pkey}""") - df_rds_table_count = rds_jdbc_conn_obj.get_rds_db_table_row_count( - rds_sqlserver_db_table, - rds_db_tbl_pkey_column - ) - LOGGER.info(f"""df_rds_table_count = {df_rds_table_count}""") + # df_rds_table_count = rds_jdbc_conn_obj.get_rds_db_table_row_count( + # rds_sqlserver_db_table, + # rds_db_tbl_pkey_column + # ) + rds_jdbc_min_max_count_df_agg = rds_jdbc_conn_obj.get_rds_df_query_min_max_count( + rds_sqlserver_db_table, + rds_db_tbl_pkey_column + ) + + rds_jdbc_agg_dict = rds_jdbc_min_max_count_df_agg.collect()[0] + rds_jdbc_min_pkey = rds_jdbc_agg_dict[f"min_{rds_db_tbl_pkey_column}"] + rds_jdbc_max_pkey = rds_jdbc_agg_dict[f"max_{rds_db_tbl_pkey_column}"] + rds_jdbc_count_pkey = rds_jdbc_agg_dict[f"count_{rds_db_tbl_pkey_column}"] + + LOGGER.info(f"""rds_jdbc_min_pkey = {rds_jdbc_min_pkey}""") + LOGGER.info(f"""rds_jdbc_max_pkey = {rds_jdbc_max_pkey}""") + LOGGER.info(f"""rds_jdbc_count_pkey = {rds_jdbc_count_pkey}""") - if df_rds_table_count == existing_parquet_count_pkey: - LOGGER.warn(f"""df_rds_table_count = 
existing_parquet_table_df_count = {df_rds_table_count}""") - sys.exit(f"""Both df_rds_table_count and existing_parquet_table_df_count are matching. Nothing to move, exiting ...""") - elif existing_parquet_count_pkey > df_rds_table_count: + if rds_jdbc_count_pkey == existing_parquet_count_pkey: + LOGGER.warn(f"""rds_jdbc_count_pkey = existing_parquet_table_df_count = {rds_jdbc_count_pkey}""") + sys.exit(f"""Both rds_jdbc_count_pkey and existing_parquet_table_df_count are matching. Nothing to move, exiting ...""") + elif existing_parquet_count_pkey > rds_jdbc_count_pkey: LOGGER.warn(f"""existing_parquet_table_df_count > df_rds_table_count""") - sys.exit(f"""This scenario cannot be possible & needs further investigation, exiting ...""") + sys.exit(f"""This scenario cannot be possible & needs further investigation, exiting ...""") + elif existing_parquet_min_pkey != rds_jdbc_min_pkey: + LOGGER.warn(f"""existing_parquet_min_pkey != rds_jdbc_min_pkey""") + sys.exit(f"""This scenario cannot be possible & needs further investigation, exiting ...""") # -------------------- where_clause_exp_str = f"""{rds_db_tbl_pkey_column} > {existing_parquet_max_pkey}""".strip() From c5403f02e9841ffbb18731fc5dd244c1b5383545 Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Fri, 15 Nov 2024 14:08:29 +0000 Subject: [PATCH 189/308] Unit testing Fixes - 1511 - 2 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 1 + .../glue-job/etl_table_rows_hashvalue_to_parquet.py | 2 ++ 2 files changed, 3 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index 39d6a3fe49a..d7fda109944 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
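Review bot: The new `elif existing_parquet_min_pkey != rds_jdbc_min_pkey` branch exits with the same text as the count branch above it ("This scenario cannot be possible ..."), and that count branch's warning still names `df_rds_table_count`, which this hunk removes, so the job log does not say which check failed. Each exit should carry its own message with both values, e.g. `sys.exit(f"min pkey mismatch: parquet={existing_parquet_min_pkey}, rds={rds_jdbc_min_pkey}")`. If the existing parquet folder is empty, the aggregated min is presumably `None` and this branch would fire for that reason alone; worth confirming. The commented-out `get_rds_db_table_row_count` call can be deleted rather than kept.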
@@ -245,6 +245,7 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): sys.exit(f"""{TABLE_TO_BE_VALIDATED} Max({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") # -------------------- + # skip_columns = [f'{rds_db_tbl_pkey_column}', 'SmallDateTimeCol', 'DateTime2Col'] all_columns_except_pkey = [col for col in dms_table_output_prq_df.columns if col != TABLE_PKEY_COLUMN] LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py index 63d9561b5d2..87f4b75aaac 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py @@ -166,6 +166,8 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful LOGGER.info(f""">> rds_db_tbl_pkey_column = {rds_db_tbl_pkey_column} <<""") rds_db_table_empty_df = rds_jdbc_conn_obj.get_rds_db_table_empty_df(rds_sqlserver_db_table) + + # skip_columns = [f'{rds_db_tbl_pkey_column}', 'SmallDateTimeCol', 'DateTime2Col'] all_columns_except_pkey = list() for e in rds_db_table_empty_df.schema.fields: From 6d28e43c7c22728ecffd71e021a2a0ae11d9d40d Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Fri, 15 Nov 2024 14:20:09 +0000 Subject: [PATCH 190/308] Unit testing Fixes - 1511 - 3 --- .../glue-job/dms_dv_on_rows_hashvalue.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py index d7fda109944..98e2286f2c1 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py 
+++ b/terraform/environments/electronic-monitoring-data/glue-job/dms_dv_on_rows_hashvalue.py @@ -245,7 +245,7 @@ def write_parquet_to_s3(df_dv_output: DataFrame, database, db_sch_tbl_name): sys.exit(f"""{TABLE_TO_BE_VALIDATED} Max({TABLE_PKEY_COLUMN}) Mismatch: \n{error_msg}""") # -------------------- - # skip_columns = [f'{rds_db_tbl_pkey_column}', 'SmallDateTimeCol', 'DateTime2Col'] + # skip_columns = [f'{TABLE_PKEY_COLUMN}', 'SmallDateTimeCol', 'DateTime2Col'] all_columns_except_pkey = [col for col in dms_table_output_prq_df.columns if col != TABLE_PKEY_COLUMN] LOGGER.info(f""">> all_columns_except_pkey = {all_columns_except_pkey} <<""") From 916c60ea78934d65a85a82a674038ad633b80eb3 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Fri, 15 Nov 2024 14:35:43 +0000 Subject: [PATCH 191/308] Bucket policy now points to actual security role --- .../environments/analytical-platform-ingestion/ext-user-2024.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf index 2033dc85f7d..dd723bd1057 100644 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf @@ -45,7 +45,7 @@ module "s3_ext_2024_egress_kms" { principals = [ { type = "AWS" - identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/read-only"] # placeholder -- will change + identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/security-read-only"] } ] } From 4be43a534b3c1ba179f3eb64724662b8c99b0e03 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 15 Nov 2024 14:41:10 +0000 Subject: [PATCH 192/308] Update_151124_4 --- terraform/environments/ppud/iam.tf | 7 ++++++- terraform/environments/ppud/sns.tf | 8 ++++---- 2 files changed, 10 insertions(+), 5 deletions(-) 
diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index 8f1c35e5eec..f0aaeb03c21 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -872,10 +872,15 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { actions = [ "SNS:GetTopicAttributes", "SNS:SetTopicAttributes", + "SNS:GetSubscriptionAttributes", + "SNS:SetSubscriptionAttributes", "SNS:AddPermission", "SNS:DeleteTopic", "SNS:Subscribe", + "SNS:Unsubscribe", + "SNS:ListSubscriptions", "SNS:ListSubscriptionsByTopic", + "SNS:ListTopics", "SNS:Publish", "SNS:Receive" ] @@ -889,7 +894,7 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { resources = [ aws_sns_topic.cw_alerts[0].arn ] - } + } } #################################################### diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index d3302357327..d1d6dfa7b2f 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf 
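Review bot: The five actions added to `sns_topic_policy_ec2cw` (`SNS:GetSubscriptionAttributes`, `SNS:SetSubscriptionAttributes`, `SNS:Unsubscribe`, `SNS:ListSubscriptions`, `SNS:ListTopics`) are not topic-scoped, and as far as I know SNS rejects them in a topic policy as out of service scope, so the apply may fail. If a role needs to manage the new SMS subscriptions, these permissions belong in that role's identity policy rather than on the topic. The statement already grants `SNS:SetTopicAttributes`, `SNS:AddPermission` and `SNS:DeleteTopic`. Its principals and any condition lie between the two hunks and are not visible here, so who receives these permissions should be confirmed before the list is widened.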
@@ -33,28 +33,28 @@ resource "aws_sns_topic_subscription" "cw_sms_subscription" { } /* -resource "aws_sns_topic_subscription" "cw_sms_subscription" { +resource "aws_sns_topic_subscription" "cw_sms_subscription1" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn protocol = "sms" endpoint = "+447879063551" # Gabriella Browning } -resource "aws_sns_topic_subscription" "cw_sms_subscription" { +resource "aws_sns_topic_subscription" "cw_sms_subscription2" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn protocol = "sms" endpoint = "+447584337970" # David Savage (work) } -resource "aws_sns_topic_subscription" "cw_sms_subscription" { +resource "aws_sns_topic_subscription" "cw_sms_subscription3" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn protocol = "sms" endpoint = "+447884053737" # David Savage (personal) } -resource "aws_sns_topic_subscription" "cw_sms_subscription" { +resource "aws_sns_topic_subscription" "cw_sms_subscription4" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn protocol = "sms" From 85bf724f698c2df34fe79f791d5b9ad830c29247 Mon Sep 17 00:00:00 2001 
From: dms1981 Date: Fri, 15 Nov 2024 14:45:19 +0000 Subject: [PATCH 193/308] Renamed platform_verisons.tf to versions.tf (#8685) * renamed all platform_versions.tf to versions.tf to allow customer management * remove the old platform_versions.tf --- .../{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 terraform/environments/apex/{platform_versions.tf => versions.tf} | 0 .../ccms-ebs-upgrade/{platform_versions.tf => versions.tf} | 0 .../environments/ccms-ebs/{platform_versions.tf => versions.tf} | 0 .../environments/cdpt-chaps/{platform_versions.tf => versions.tf} | 0 .../environments/cdpt-ifs/{platform_versions.tf => versions.tf} | 0 .../cica-copilot/{platform_versions.tf => versions.tf} | 0 .../cica-data-extraction/{platform_versions.tf => versions.tf} | 0 .../cica-tariff/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../environments/cooker/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 terraform/environments/dacp/{platform_versions.tf => versions.tf} | 0 .../data-and-insights-wepi/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../data-platform/{platform_versions.tf => versions.tf} | 0 .../delius-core/{platform_versions.tf => versions.tf} | 0 .../delius-iaps/{platform_versions.tf => versions.tf} | 0 .../delius-jitbit/{platform_versions.tf => versions.tf} | 0 .../environments/delius-mis/{platform_versions.tf => versions.tf} | 0 .../delius-nextcloud/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 terraform/environments/edw/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../environments/equip/{platform_versions.tf => versions.tf} | 0 terraform/environments/eric/{platform_versions.tf => versions.tf} | 0 .../environments/example/{platform_versions.tf => versions.tf} | 0 
.../{platform_versions.tf => versions.tf} | 0 .../hmpps-domain-services/{platform_versions.tf => versions.tf} | 0 .../environments/hmpps-oem/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../laa-mail-relay/{platform_versions.tf => versions.tf} | 0 .../environments/laa-oem/{platform_versions.tf => versions.tf} | 0 .../long-term-storage/{platform_versions.tf => versions.tf} | 0 terraform/environments/maat/{platform_versions.tf => versions.tf} | 0 .../environments/maatdb/{platform_versions.tf => versions.tf} | 0 terraform/environments/mlra/{platform_versions.tf => versions.tf} | 0 .../environments/mojfin/{platform_versions.tf => versions.tf} | 0 terraform/environments/ncas/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../nomis-data-hub/{platform_versions.tf => versions.tf} | 0 .../environments/nomis/{platform_versions.tf => versions.tf} | 0 terraform/environments/oas/{platform_versions.tf => versions.tf} | 0 .../{platform_versions.tf => versions.tf} | 0 .../environments/oasys/{platform_versions.tf => versions.tf} | 0 .../observability-platform/{platform_versions.tf => versions.tf} | 0 .../operations-engineering/{platform_versions.tf => versions.tf} | 0 .../panda-cyber-appsec-lab/{platform_versions.tf => versions.tf} | 0 .../performance-hub/{platform_versions.tf => versions.tf} | 0 .../environments/planetfm/{platform_versions.tf => versions.tf} | 0 .../environments/portal/{platform_versions.tf => versions.tf} | 0 terraform/environments/ppud/{platform_versions.tf => versions.tf} | 0 .../pra-register/{platform_versions.tf => versions.tf} | 0 .../refer-monitor/{platform_versions.tf => versions.tf} | 0 .../environments/sprinkler/{platform_versions.tf => versions.tf} | 0 .../environments/tipstaff/{platform_versions.tf => versions.tf} | 0 .../environments/tribunals/{platform_versions.tf => versions.tf} | 0 .../environments/wardship/{platform_versions.tf => versions.tf} | 0 
.../xhibit-portal/{platform_versions.tf => versions.tf} | 0 61 files changed, 0 insertions(+), 0 deletions(-) rename terraform/environments/analytical-platform-compute/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/analytical-platform-ingestion/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/apex/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/ccms-ebs-upgrade/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/ccms-ebs/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cdpt-chaps/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cdpt-ifs/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cica-copilot/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cica-data-extraction/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cica-tariff/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/contract-work-administration/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/cooker/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/corporate-information-system/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/corporate-staff-rostering/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/dacp/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/data-and-insights-wepi/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/data-platform-apps-and-tools/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/data-platform/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/delius-core/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/delius-iaps/{platform_versions.tf => versions.tf} (100%) rename 
terraform/environments/delius-jitbit/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/delius-mis/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/delius-nextcloud/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/digital-prison-reporting/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/edw/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/electronic-monitoring-data/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/equip/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/eric/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/example/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/genesys-call-centre-data/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/hmpps-domain-services/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/hmpps-oem/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/laa-ccms-infra-azure-ad-sso/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/laa-mail-relay/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/laa-oem/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/long-term-storage/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/maat/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/maatdb/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/mlra/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/mojfin/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/ncas/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/nomis-combined-reporting/{platform_versions.tf => versions.tf} (100%) rename 
terraform/environments/nomis-data-hub/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/nomis/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/oas/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/oasys-national-reporting/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/oasys/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/observability-platform/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/operations-engineering/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/panda-cyber-appsec-lab/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/performance-hub/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/planetfm/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/portal/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/ppud/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/pra-register/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/refer-monitor/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/sprinkler/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/tipstaff/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/tribunals/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/wardship/{platform_versions.tf => versions.tf} (100%) rename terraform/environments/xhibit-portal/{platform_versions.tf => versions.tf} (100%) diff --git a/terraform/environments/analytical-platform-compute/platform_versions.tf b/terraform/environments/analytical-platform-compute/versions.tf similarity index 100% rename from terraform/environments/analytical-platform-compute/platform_versions.tf rename to terraform/environments/analytical-platform-compute/versions.tf 
diff --git a/terraform/environments/analytical-platform-ingestion/platform_versions.tf b/terraform/environments/analytical-platform-ingestion/versions.tf similarity index 100% rename from terraform/environments/analytical-platform-ingestion/platform_versions.tf rename to terraform/environments/analytical-platform-ingestion/versions.tf diff --git a/terraform/environments/apex/platform_versions.tf b/terraform/environments/apex/versions.tf similarity index 100% rename from terraform/environments/apex/platform_versions.tf rename to terraform/environments/apex/versions.tf diff --git a/terraform/environments/ccms-ebs-upgrade/platform_versions.tf b/terraform/environments/ccms-ebs-upgrade/versions.tf similarity index 100% rename from terraform/environments/ccms-ebs-upgrade/platform_versions.tf rename to terraform/environments/ccms-ebs-upgrade/versions.tf diff --git a/terraform/environments/ccms-ebs/platform_versions.tf b/terraform/environments/ccms-ebs/versions.tf similarity index 100% rename from terraform/environments/ccms-ebs/platform_versions.tf rename to terraform/environments/ccms-ebs/versions.tf diff --git a/terraform/environments/cdpt-chaps/platform_versions.tf b/terraform/environments/cdpt-chaps/versions.tf similarity index 100% rename from terraform/environments/cdpt-chaps/platform_versions.tf rename to terraform/environments/cdpt-chaps/versions.tf diff --git a/terraform/environments/cdpt-ifs/platform_versions.tf b/terraform/environments/cdpt-ifs/versions.tf similarity index 100% rename from terraform/environments/cdpt-ifs/platform_versions.tf rename to terraform/environments/cdpt-ifs/versions.tf diff --git a/terraform/environments/cica-copilot/platform_versions.tf b/terraform/environments/cica-copilot/versions.tf similarity index 100% rename from terraform/environments/cica-copilot/platform_versions.tf rename to terraform/environments/cica-copilot/versions.tf 
diff --git a/terraform/environments/cica-data-extraction/platform_versions.tf b/terraform/environments/cica-data-extraction/versions.tf similarity index 100% rename from terraform/environments/cica-data-extraction/platform_versions.tf rename to terraform/environments/cica-data-extraction/versions.tf diff --git a/terraform/environments/cica-tariff/platform_versions.tf b/terraform/environments/cica-tariff/versions.tf similarity index 100% rename from terraform/environments/cica-tariff/platform_versions.tf rename to terraform/environments/cica-tariff/versions.tf diff --git a/terraform/environments/contract-work-administration/platform_versions.tf b/terraform/environments/contract-work-administration/versions.tf similarity index 100% rename from terraform/environments/contract-work-administration/platform_versions.tf rename to terraform/environments/contract-work-administration/versions.tf diff --git a/terraform/environments/cooker/platform_versions.tf b/terraform/environments/cooker/versions.tf similarity index 100% rename from terraform/environments/cooker/platform_versions.tf rename to terraform/environments/cooker/versions.tf diff --git a/terraform/environments/corporate-information-system/platform_versions.tf b/terraform/environments/corporate-information-system/versions.tf similarity index 100% rename from terraform/environments/corporate-information-system/platform_versions.tf rename to terraform/environments/corporate-information-system/versions.tf diff --git a/terraform/environments/corporate-staff-rostering/platform_versions.tf b/terraform/environments/corporate-staff-rostering/versions.tf similarity index 100% rename from terraform/environments/corporate-staff-rostering/platform_versions.tf rename to terraform/environments/corporate-staff-rostering/versions.tf 
diff --git a/terraform/environments/dacp/platform_versions.tf b/terraform/environments/dacp/versions.tf similarity index 100% rename from terraform/environments/dacp/platform_versions.tf rename to terraform/environments/dacp/versions.tf diff --git a/terraform/environments/data-and-insights-wepi/platform_versions.tf b/terraform/environments/data-and-insights-wepi/versions.tf similarity index 100% rename from terraform/environments/data-and-insights-wepi/platform_versions.tf rename to terraform/environments/data-and-insights-wepi/versions.tf diff --git a/terraform/environments/data-platform-apps-and-tools/platform_versions.tf b/terraform/environments/data-platform-apps-and-tools/versions.tf similarity index 100% rename from terraform/environments/data-platform-apps-and-tools/platform_versions.tf rename to terraform/environments/data-platform-apps-and-tools/versions.tf diff --git a/terraform/environments/data-platform/platform_versions.tf b/terraform/environments/data-platform/versions.tf similarity index 100% rename from terraform/environments/data-platform/platform_versions.tf rename to terraform/environments/data-platform/versions.tf diff --git a/terraform/environments/delius-core/platform_versions.tf b/terraform/environments/delius-core/versions.tf similarity index 100% rename from terraform/environments/delius-core/platform_versions.tf rename to terraform/environments/delius-core/versions.tf diff --git a/terraform/environments/delius-iaps/platform_versions.tf b/terraform/environments/delius-iaps/versions.tf similarity index 100% rename from terraform/environments/delius-iaps/platform_versions.tf rename to terraform/environments/delius-iaps/versions.tf diff --git a/terraform/environments/delius-jitbit/platform_versions.tf b/terraform/environments/delius-jitbit/versions.tf similarity index 100% rename from terraform/environments/delius-jitbit/platform_versions.tf rename to terraform/environments/delius-jitbit/versions.tf 
diff --git a/terraform/environments/delius-mis/platform_versions.tf b/terraform/environments/delius-mis/versions.tf similarity index 100% rename from terraform/environments/delius-mis/platform_versions.tf rename to terraform/environments/delius-mis/versions.tf diff --git a/terraform/environments/delius-nextcloud/platform_versions.tf b/terraform/environments/delius-nextcloud/versions.tf similarity index 100% rename from terraform/environments/delius-nextcloud/platform_versions.tf rename to terraform/environments/delius-nextcloud/versions.tf diff --git a/terraform/environments/digital-prison-reporting/platform_versions.tf b/terraform/environments/digital-prison-reporting/versions.tf similarity index 100% rename from terraform/environments/digital-prison-reporting/platform_versions.tf rename to terraform/environments/digital-prison-reporting/versions.tf diff --git a/terraform/environments/edw/platform_versions.tf b/terraform/environments/edw/versions.tf similarity index 100% rename from terraform/environments/edw/platform_versions.tf rename to terraform/environments/edw/versions.tf diff --git a/terraform/environments/electronic-monitoring-data/platform_versions.tf b/terraform/environments/electronic-monitoring-data/versions.tf similarity index 100% rename from terraform/environments/electronic-monitoring-data/platform_versions.tf rename to terraform/environments/electronic-monitoring-data/versions.tf diff --git a/terraform/environments/equip/platform_versions.tf b/terraform/environments/equip/versions.tf similarity index 100% rename from terraform/environments/equip/platform_versions.tf rename to terraform/environments/equip/versions.tf diff --git a/terraform/environments/eric/platform_versions.tf b/terraform/environments/eric/versions.tf similarity index 100% rename from terraform/environments/eric/platform_versions.tf rename to terraform/environments/eric/versions.tf 
diff --git a/terraform/environments/example/platform_versions.tf b/terraform/environments/example/versions.tf similarity index 100% rename from terraform/environments/example/platform_versions.tf rename to terraform/environments/example/versions.tf diff --git a/terraform/environments/genesys-call-centre-data/platform_versions.tf b/terraform/environments/genesys-call-centre-data/versions.tf similarity index 100% rename from terraform/environments/genesys-call-centre-data/platform_versions.tf rename to terraform/environments/genesys-call-centre-data/versions.tf diff --git a/terraform/environments/hmpps-domain-services/platform_versions.tf b/terraform/environments/hmpps-domain-services/versions.tf similarity index 100% rename from terraform/environments/hmpps-domain-services/platform_versions.tf rename to terraform/environments/hmpps-domain-services/versions.tf diff --git a/terraform/environments/hmpps-oem/platform_versions.tf b/terraform/environments/hmpps-oem/versions.tf similarity index 100% rename from terraform/environments/hmpps-oem/platform_versions.tf rename to terraform/environments/hmpps-oem/versions.tf diff --git a/terraform/environments/laa-ccms-infra-azure-ad-sso/platform_versions.tf b/terraform/environments/laa-ccms-infra-azure-ad-sso/versions.tf similarity index 100% rename from terraform/environments/laa-ccms-infra-azure-ad-sso/platform_versions.tf rename to terraform/environments/laa-ccms-infra-azure-ad-sso/versions.tf diff --git a/terraform/environments/laa-mail-relay/platform_versions.tf b/terraform/environments/laa-mail-relay/versions.tf similarity index 100% rename from terraform/environments/laa-mail-relay/platform_versions.tf rename to terraform/environments/laa-mail-relay/versions.tf diff --git a/terraform/environments/laa-oem/platform_versions.tf b/terraform/environments/laa-oem/versions.tf similarity index 100% rename from terraform/environments/laa-oem/platform_versions.tf rename to terraform/environments/laa-oem/versions.tf 
diff --git a/terraform/environments/long-term-storage/platform_versions.tf b/terraform/environments/long-term-storage/versions.tf similarity index 100% rename from terraform/environments/long-term-storage/platform_versions.tf rename to terraform/environments/long-term-storage/versions.tf diff --git a/terraform/environments/maat/platform_versions.tf b/terraform/environments/maat/versions.tf similarity index 100% rename from terraform/environments/maat/platform_versions.tf rename to terraform/environments/maat/versions.tf diff --git a/terraform/environments/maatdb/platform_versions.tf b/terraform/environments/maatdb/versions.tf similarity index 100% rename from terraform/environments/maatdb/platform_versions.tf rename to terraform/environments/maatdb/versions.tf diff --git a/terraform/environments/mlra/platform_versions.tf b/terraform/environments/mlra/versions.tf similarity index 100% rename from terraform/environments/mlra/platform_versions.tf rename to terraform/environments/mlra/versions.tf diff --git a/terraform/environments/mojfin/platform_versions.tf b/terraform/environments/mojfin/versions.tf similarity index 100% rename from terraform/environments/mojfin/platform_versions.tf rename to terraform/environments/mojfin/versions.tf diff --git a/terraform/environments/ncas/platform_versions.tf b/terraform/environments/ncas/versions.tf similarity index 100% rename from terraform/environments/ncas/platform_versions.tf rename to terraform/environments/ncas/versions.tf diff --git a/terraform/environments/nomis-combined-reporting/platform_versions.tf b/terraform/environments/nomis-combined-reporting/versions.tf similarity index 100% rename from terraform/environments/nomis-combined-reporting/platform_versions.tf rename to terraform/environments/nomis-combined-reporting/versions.tf 
diff --git a/terraform/environments/nomis-data-hub/platform_versions.tf b/terraform/environments/nomis-data-hub/versions.tf similarity index 100% rename from terraform/environments/nomis-data-hub/platform_versions.tf rename to terraform/environments/nomis-data-hub/versions.tf diff --git a/terraform/environments/nomis/platform_versions.tf b/terraform/environments/nomis/versions.tf similarity index 100% rename from terraform/environments/nomis/platform_versions.tf rename to terraform/environments/nomis/versions.tf diff --git a/terraform/environments/oas/platform_versions.tf b/terraform/environments/oas/versions.tf similarity index 100% rename from terraform/environments/oas/platform_versions.tf rename to terraform/environments/oas/versions.tf diff --git a/terraform/environments/oasys-national-reporting/platform_versions.tf b/terraform/environments/oasys-national-reporting/versions.tf similarity index 100% rename from terraform/environments/oasys-national-reporting/platform_versions.tf rename to terraform/environments/oasys-national-reporting/versions.tf diff --git a/terraform/environments/oasys/platform_versions.tf b/terraform/environments/oasys/versions.tf similarity index 100% rename from terraform/environments/oasys/platform_versions.tf rename to terraform/environments/oasys/versions.tf diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/versions.tf similarity index 100% rename from terraform/environments/observability-platform/platform_versions.tf rename to terraform/environments/observability-platform/versions.tf diff --git a/terraform/environments/operations-engineering/platform_versions.tf b/terraform/environments/operations-engineering/versions.tf similarity index 100% rename from terraform/environments/operations-engineering/platform_versions.tf rename to terraform/environments/operations-engineering/versions.tf 
diff --git a/terraform/environments/panda-cyber-appsec-lab/platform_versions.tf b/terraform/environments/panda-cyber-appsec-lab/versions.tf similarity index 100% rename from terraform/environments/panda-cyber-appsec-lab/platform_versions.tf rename to terraform/environments/panda-cyber-appsec-lab/versions.tf diff --git a/terraform/environments/performance-hub/platform_versions.tf b/terraform/environments/performance-hub/versions.tf similarity index 100% rename from terraform/environments/performance-hub/platform_versions.tf rename to terraform/environments/performance-hub/versions.tf diff --git a/terraform/environments/planetfm/platform_versions.tf b/terraform/environments/planetfm/versions.tf similarity index 100% rename from terraform/environments/planetfm/platform_versions.tf rename to terraform/environments/planetfm/versions.tf diff --git a/terraform/environments/portal/platform_versions.tf b/terraform/environments/portal/versions.tf similarity index 100% rename from terraform/environments/portal/platform_versions.tf rename to terraform/environments/portal/versions.tf diff --git a/terraform/environments/ppud/platform_versions.tf b/terraform/environments/ppud/versions.tf similarity index 100% rename from terraform/environments/ppud/platform_versions.tf rename to terraform/environments/ppud/versions.tf diff --git a/terraform/environments/pra-register/platform_versions.tf b/terraform/environments/pra-register/versions.tf similarity index 100% rename from terraform/environments/pra-register/platform_versions.tf rename to terraform/environments/pra-register/versions.tf diff --git a/terraform/environments/refer-monitor/platform_versions.tf b/terraform/environments/refer-monitor/versions.tf similarity index 100% rename from terraform/environments/refer-monitor/platform_versions.tf rename to terraform/environments/refer-monitor/versions.tf 
diff --git a/terraform/environments/sprinkler/platform_versions.tf b/terraform/environments/sprinkler/versions.tf similarity index 100% rename from terraform/environments/sprinkler/platform_versions.tf rename to terraform/environments/sprinkler/versions.tf diff --git a/terraform/environments/tipstaff/platform_versions.tf b/terraform/environments/tipstaff/versions.tf similarity index 100% rename from terraform/environments/tipstaff/platform_versions.tf rename to terraform/environments/tipstaff/versions.tf diff --git a/terraform/environments/tribunals/platform_versions.tf b/terraform/environments/tribunals/versions.tf similarity index 100% rename from terraform/environments/tribunals/platform_versions.tf rename to terraform/environments/tribunals/versions.tf diff --git a/terraform/environments/wardship/platform_versions.tf b/terraform/environments/wardship/versions.tf similarity index 100% rename from terraform/environments/wardship/platform_versions.tf rename to terraform/environments/wardship/versions.tf diff --git a/terraform/environments/xhibit-portal/platform_versions.tf b/terraform/environments/xhibit-portal/versions.tf similarity index 100% rename from terraform/environments/xhibit-portal/platform_versions.tf rename to terraform/environments/xhibit-portal/versions.tf From 30b3a6cb8e9777d30b3c73cbb56cc0c6780d1639 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 15 Nov 2024 15:05:38 +0000 Subject: [PATCH 194/308] Update_151124_5 --- terraform/environments/ppud/iam.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index f0aaeb03c21..c0d5b92848f 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -881,8 +881,7 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { "SNS:ListSubscriptions", "SNS:ListSubscriptionsByTopic", "SNS:ListTopics", - "SNS:Publish", - "SNS:Receive" + "SNS:Publish" ] condition { 
From c35ef2cc91fccc4e70bae2c96cd8337905cd8967 Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 15 Nov 2024 15:31:26 +0000 Subject: [PATCH 195/308] get partitions --- .../modules/ap_airflow_load_data_iam_role/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf index f0894049713..d4fc62fbaa8 100644 --- a/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/ap_airflow_load_data_iam_role/main.tf @@ -60,7 +60,9 @@ data "aws_iam_policy_document" "load_data" { "glue:DeleteTable", "glue:CreateDatabase", "glue:DeleteDatabase", - "glue:UpdateTable" + "glue:UpdateTable", + "glue:GetPartition", + "glue:GetPartitions" ] resources = [ "arn:aws:glue:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:catalog", From 19b9066fafdfa40f5335320f5691bbfab91204a1 Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Fri, 15 Nov 2024 17:53:11 +0000 Subject: [PATCH 196/308] provisioned temporary higher memory and permissions --- .../electronic-monitoring-data/bastion_linux.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/bastion_linux.tf b/terraform/environments/electronic-monitoring-data/bastion_linux.tf index 298a5d63887..2cf65aeb413 100644 --- a/terraform/environments/electronic-monitoring-data/bastion_linux.tf +++ b/terraform/environments/electronic-monitoring-data/bastion_linux.tf 
@@ -118,10 +118,11 @@ data "aws_iam_policy_document" "zip_s3_policy" { ] } statement { - sid = "AllowReadDataStore" + sid = "AllowReadAndPutDataStore" effect = "Allow" actions = [ "s3:GetObject", + "s3:PutObject" ] resources = [ "${module.s3-data-bucket.bucket.arn}/*", @@ -144,7 +145,7 @@ data "aws_iam_policy_document" "zip_s3_policy" { "s3:PutObject" ] resources = [ - "${module.s3-unzipped-files-bucket.bucket.arn}/*" + "${module.s3-unzipped-files-bucket.bucket.arn}/*", ] } statement { @@ -190,7 +191,7 @@ module "zip_bastion" { subnet_set = local.subnet_set environment = local.environment region = "eu-west-2" - volume_size = 96 + volume_size = 250 # tags tags_common = local.tags tags_prefix = terraform.workspace From fff50dc11ca4b5f0fb4180c54ac4d98bdc3fa16b Mon Sep 17 00:00:00 2001 From: Luke Williams <108728588+luke-a-williams@users.noreply.github.com> Date: Fri, 15 Nov 2024 17:56:03 +0000 Subject: [PATCH 197/308] removed trailing comma --- .../environments/electronic-monitoring-data/bastion_linux.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/bastion_linux.tf b/terraform/environments/electronic-monitoring-data/bastion_linux.tf index 2cf65aeb413..d39ad118f55 100644 --- a/terraform/environments/electronic-monitoring-data/bastion_linux.tf +++ b/terraform/environments/electronic-monitoring-data/bastion_linux.tf @@ -145,7 +145,7 @@ data "aws_iam_policy_document" "zip_s3_policy" { "s3:PutObject" ] resources = [ - "${module.s3-unzipped-files-bucket.bucket.arn}/*", + "${module.s3-unzipped-files-bucket.bucket.arn}/*" ] } statement { From e2674bd08e950e812f38b3e1d254f165b3822ca7 Mon Sep 17 00:00:00 2001 
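Review bot: The `s3:PutObject` grant added to the `AllowReadAndPutDataStore` statement covers every key under `${module.s3-data-bucket.bucket.arn}/*`. The commit subject calls the change temporary, but nothing in the file says so, and the same is true of `volume_size = 250` in the third hunk. Put a marker above each line so the widening is not forgotten, for example `# TEMPORARY: write access for the bastion, revert under <TICKET-ID placeholder>`. If the bastion only writes to one location, narrow the resource to that prefix instead of `/*`. The `resources` list continues outside the hunk, so other buckets may pick up the write permission as well.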
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 00:31:26 +0000 Subject: [PATCH 198/308] Bump bridgecrewio/checkov-action from 12.2906.0 to 12.2907.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2906.0 to 12.2907.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/7558bbd06cd18ae570180c7e44ad5d8eece96c82...d3664c62ad4f01820e5daac1bf8cf0986670641f) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index a2e724e5436..ad09c65f5c9 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@7558bbd06cd18ae570180c7e44ad5d8eece96c82 # v12.2906.0 + uses: bridgecrewio/checkov-action@d3664c62ad4f01820e5daac1bf8cf0986670641f # v12.2907.0 with: directory: ./ framework: terraform From 6a4c8282e4802fb9b392f067aafd52b29ddc5ffe Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 00:31:30 +0000 Subject: [PATCH 199/308] Bump oxsecurity/megalinter from 8.1.0 to 8.2.0 Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 8.1.0 to 8.2.0. - [Release notes](https://github.com/oxsecurity/megalinter/releases) - [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md) - [Commits](https://github.com/oxsecurity/megalinter/compare/b38cdf1f0cbe056fad4112cb7cd99c2b574c9617...d8c95fc6f2237031fb9e9322b0f97100168afa6e) --- updated-dependencies: - dependency-name: oxsecurity/megalinter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/format-code.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 3ec740f37bc..b1dea43397b 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -40,7 +40,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/terraform@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 #v8.1.0 + uses: oxsecurity/megalinter/flavors/terraform@d8c95fc6f2237031fb9e9322b0f97100168afa6e #v8.2.0 env: # All available variables are described in documentation # https://megalinter.io/configuration/#shared-variables From 382f8b958dce7220f645ee1ad9e82789417d4210 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Mon, 18 Nov 2024 03:26:10 +0000 Subject: [PATCH 200/308] [TM-618] updated ami and ebs snapshots --- .../application_variables.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/terraform/environments/corporate-information-system/application_variables.json b/terraform/environments/corporate-information-system/application_variables.json index 308610dacd4..f11350b9eb1 100644 --- a/terraform/environments/corporate-information-system/application_variables.json +++ b/terraform/environments/corporate-information-system/application_variables.json @@ -1,18 +1,18 @@ { "accounts": { "development": { - "app_ami_id": "ami-09a122ebf3a5a5542", + "app_ami_id": "ami-0b2fcbd185872a43f", "ec2instancetype": "m4.2xlarge", "cis_ec2_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOP7IqwGdkp9hyFBXLSn1qCUhIdvTIBuCop/z1uZXdpDix4oxNb1fpuRusMm+l50dLIqCLKS11d5XOWgE5vem5PyGWLI21iqEt+oJFY8NDFs93rEU/og7wVoAmJ5Jfih2kIp8GDvxvhHJh/E4Gom11XKkL2FOwWAT6Dh2WaFppj2T2P1QzBHhpvcx4XJWHtbeq3xdN/vVqlw8JpXK/xNcrKnlW91dM04etKy/+dVqUCsjKGOEBEv4bclwRaEEq2AVwqeUnutLoJH4G8z4KhesCijronfGdF+9DlCUObCF54scHBn/WnTiz1adjyYXG8FcONLHhSdMU30pjegUW57Cx vladimirs.kovalovs@L0854", "managementcidr": "10.200.0.0/20", "testenvcidr": "10.203.0.0/20", - "ebs_sdf_snapshot": "snap-07f51fa6d20dc0cc1", + "ebs_sdf_snapshot": "snap-03f6e3e1792369657", "sdfsize": "1296", - "ebs_sdg_snapshot": "snap-0ef2dea3603e26637", + "ebs_sdg_snapshot": "snap-098fb54a3d82d0456", "sdgsize": "1000", - "ebs_sdh_snapshot": "snap-0e6bbcd9c3b0160d5", + "ebs_sdh_snapshot": "snap-032650fbb7a97032f", "sdhsize": "200", - "ebs_sdi_snapshot": "snap-094056e2e53b8c1da", + "ebs_sdi_snapshot": "snap-04d4a697cc1e66d09", "sdisize": "150" }, "test": { From c2c78a83ef3732e21b4f91c688559234cb09a778 Mon Sep 17 00:00:00 2001 
From: modernisation-platform-ci Date: Mon, 18 Nov 2024 05:10:33 +0000 Subject: [PATCH 201/308] Updates from GitHub Actions Format Code workflow --- .../digital-prison-reporting/cloudtrail.tf | 2 +- .../modules/domains/ingestion-pipeline/pipeline.tf | 4 ++-- .../modules/domains/maintenance-pipeline/pipeline.tf | 2 +- .../modules/domains/reload-pipeline/pipeline.tf | 10 +++++----- .../modules/domains/replay-pipeline/pipeline.tf | 6 +++--- .../electronic-monitoring-data/ap_airflow_iam.tf | 2 +- .../modules/landing_bucket/main.tf | 6 +++--- .../environments/electronic-monitoring-data/s3.tf | 4 ++-- terraform/environments/ppud/iam.tf | 2 +- 9 files changed, 19 insertions(+), 19 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/cloudtrail.tf b/terraform/environments/digital-prison-reporting/cloudtrail.tf index bb1889b9122..08a22cd364e 100644 --- a/terraform/environments/digital-prison-reporting/cloudtrail.tf +++ b/terraform/environments/digital-prison-reporting/cloudtrail.tf @@ -13,7 +13,7 @@ resource "aws_cloudtrail" "trail" { include_global_service_events = true enable_log_file_validation = true - kms_key_id = aws_kms_key.cloudtrail.key_id # Get KEY ID from Resource + kms_key_id = aws_kms_key.cloudtrail.key_id # Get KEY ID from Resource event_selector { diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf index 9bd7ee262ea..12c44bbf026 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf 
@@ -104,7 +104,7 @@ module "data_ingestion_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, @@ -194,7 +194,7 @@ module "data_ingestion_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, diff --git a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf index c4b0b577f56..4281d701e6f 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/maintenance-pipeline/pipeline.tf 
@@ -31,7 +31,7 @@ module "maintenance_pipeline" { "JobName" : var.glue_unprocessed_raw_files_check_job, "Arguments" : { "--dpr.orchestration.wait.interval.seconds" : "60", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis) } diff --git a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf index 7ef9bd52c4f..0c08a0b111b 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/reload-pipeline/pipeline.tf @@ -78,7 +78,7 @@ module "reload_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, 
@@ -121,7 +121,7 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, @@ -233,7 +233,7 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, @@ -253,7 +253,7 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, 
@@ -273,7 +273,7 @@ module "reload_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, diff --git a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf index 9d35ca65005..ea6f367fa08 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/replay-pipeline/pipeline.tf @@ -89,7 +89,7 @@ module "replay_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_curated_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_temp_reload_bucket_id, "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, 
@@ -131,7 +131,7 @@ module "replay_pipeline" { "--dpr.file.transfer.source.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.destination.bucket" : var.s3_raw_archive_bucket_id, "--dpr.file.transfer.delete.copied.files" : "true", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, @@ -150,7 +150,7 @@ module "replay_pipeline" { "--dpr.file.transfer.destination.bucket" : var.s3_raw_bucket_id, "--dpr.file.transfer.retention.period.amount" : "0", "--dpr.file.transfer.delete.copied.files" : "false", - "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), + "--dpr.datastorage.retry.maxAttempts" : tostring(var.glue_s3_max_attempts), "--dpr.datastorage.retry.minWaitMillis" : tostring(var.glue_s3_retry_min_wait_millis), "--dpr.datastorage.retry.maxWaitMillis" : tostring(var.glue_s3_retry_max_wait_millis), "--dpr.config.s3.bucket" : var.s3_glue_bucket_id, diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 2e784fc55c6..46796740c63 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf @@ -21,7 +21,7 @@ module "test_ap_airflow" { module "load_alcohol_monitoring_database" { count = local.is-production ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" - + name = "alcohol-monitoring" environment = local.environment database_name = "capita-alcohol-monitoring" 
diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf index 54231a132b0..3c5c67d8f07 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf @@ -57,8 +57,8 @@ module "this-bucket" { # Optionally add cross account access to bucket policy. bucket_policy_v2 = var.cross_account_access_role != null ? [ { - sid = "CrossAccountAccess" - effect = "Allow" + sid = "CrossAccountAccess" + effect = "Allow" actions = [ "s3:PutObject", "s3:PutObjectAcl" @@ -68,7 +68,7 @@ module "this-bucket" { type = "AWS" } } - ] : [] + ] : [] tags = merge( var.local_tags, diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index c68dba4167d..8de10c7fa24 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -5,11 +5,11 @@ locals { "production" = null "preproduction" = { "account_number" = 173142358744 - "role_name" = "juniper-dt-lambda-role" + "role_name" = "juniper-dt-lambda-role" } "test" = { "account_number" = 173142358744 - role_name = "dev-dt-lambda-role" + role_name = "dev-dt-lambda-role" } "development" = null } diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index c0d5b92848f..303a03e63e7 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -893,7 +893,7 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { resources = [ aws_sns_topic.cw_alerts[0].arn ] - } + } } #################################################### From 2b10d0d09475332459b7439cca31a5809cfb972c Mon Sep 17 00:00:00 2001 
From: Buckingham Date: Mon, 18 Nov 2024 09:01:01 +0000 Subject: [PATCH 202/308] Update_181124_1 --- terraform/environments/ppud/iam.tf | 2 ++ terraform/environments/ppud/sns.tf | 38 +++++++++++++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index c0d5b92848f..52b7a8a3db5 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -859,6 +859,7 @@ resource "aws_iam_role_policy_attachment" "attach_lambda_policy_certificate_expi ## Production +/* data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { count = local.is-production == true ? 1 : 0 policy_id = "SnsTopicId" @@ -895,6 +896,7 @@ data "aws_iam_policy_document" "sns_topic_policy_ec2cw" { ] } } +*/ #################################################### # IAM User, Policy for MGN diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index d1d6dfa7b2f..f7025b4817a 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -10,11 +10,14 @@ resource "aws_sns_topic" "cw_alerts" { name = "ppud-prod-cw-alerts" } +/* resource "aws_sns_topic_policy" "sns_policy" { count = local.is-production == true ? 1 : 0 arn = aws_sns_topic.cw_alerts[0].arn - policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json + policy = data.aws_iam_policy_document.sns_topic_policy_ec2cw[0].json } +*/ + resource "aws_sns_topic_subscription" "cw_subscription" { count = local.is-production == true ? 1 : 0 topic_arn = aws_sns_topic.cw_alerts[0].arn 
@@ -62,6 +65,39 @@ resource "aws_sns_topic_subscription" "cw_sms_subscription4" { } */ +resource "aws_sns_topic_policy" "sns_topic_policy_ec2cw" { + count = local.is-production == true ? 1 : 0 + arn = aws_sns_topic.cw_alerts[0].arn + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + "Sid" : "SnsTopicId", + "Effect" : "Allow", + "Principal" : { + "AWS" : "*" + }, + "Action" : [ + "SNS:Publish", + "SNS:RemovePermission", + "SNS:SetTopicAttributes", + "SNS:DeleteTopic", + "SNS:ListSubscriptionsByTopic", + "SNS:GetTopicAttributes", + "SNS:AddPermission", + "SNS:Subscribe" + ], + "Resource" : "aws_sns_topic.cw_alerts[0].arn", + "Condition" : { + "StringEquals" : { + "AWS:SourceOwner" : "data.aws_caller_identity.current.account_id" + } + } + } + ] + }) +} # PreProduction - Cloud Watch From 3c111fc3c586bf1c4a8d495db3f96929c507cd50 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 18 Nov 2024 09:02:58 +0000 Subject: [PATCH 203/308] Update Prometheus Signed-off-by: Jacob Woffenden --- .../analytical-platform-compute/helm-charts-system.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf index c7d2e120b0a..546726a9de2 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-system.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-system.tf @@ -71,7 +71,7 @@ resource "helm_release" "amazon_prometheus_proxy" { name = "amazon-prometheus-proxy" repository = "https://prometheus-community.github.io/helm-charts" chart = "kube-prometheus-stack" - version = "66.1.1" + version = "66.2.1" namespace = kubernetes_namespace.aws_observability.metadata[0].name values = [ templatefile( From e971ce2d19553e7f2516e31a15993a79d3be04b8 Mon Sep 17 00:00:00 2001 
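Review bot: In the new `aws_sns_topic_policy.sns_topic_policy_ec2cw`, the `Resource` and `AWS:SourceOwner` values are quoted, so `jsonencode` emits the literal text `aws_sns_topic.cw_alerts[0].arn` and `data.aws_caller_identity.current.account_id` instead of the topic ARN and the account ID. The apply will most likely be rejected, and even if it were accepted, the condition could never match a real account. Write them as expressions: `"Resource" : aws_sns_topic.cw_alerts[0].arn` and `"AWS:SourceOwner" : data.aws_caller_identity.current.account_id`. Because the principal is `"AWS" : "*"`, that condition is the only thing limiting who may use the administrative actions, so it is worth confirming that the data source is declared (it is not visible in this hunk) and trimming the action list to what publishers need.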
From: Prem Basumatary Date: Mon, 18 Nov 2024 09:38:09 +0000 Subject: [PATCH 204/308] TM-631 weblogic connection to ldap and oracle --- .../delius-core/modules/delius_environment/weblogic.tf | 10 +++++----- .../modules/delius_environment/weblogic_params.tf | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index 658c0e24bdb..0764b8912a3 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -44,14 +44,14 @@ module "weblogic" { bastion_sg_id = module.bastion_linux.bastion_security_group - - container_vars_default = { for name in local.weblogic_ssm.vars : name => data.aws_ssm_parameter.weblogic_ssm[name].value } - container_secrets_default = { + container_secrets_default = merge({ for name in local.weblogic_ssm.secrets : name => module.weblogic_ssm.arn_map[name] - } - + }, { + "JDBC_PASSWORD" = module.oracle_db_shared.database_application_passwords_secret_arn + } + ) } diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_params.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_params.tf index 07a9d6f421c..53344c64792 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic_params.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_params.tf 
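Review bot: `JDBC_PASSWORD` is mapped to the ARN of `database_application_passwords_secret_arn`, whose name suggests a single secret holding several application passwords. If so, and if `container_secrets_default` is passed through as ECS secret references, the container would receive the whole JSON document in that variable. That would fail the JDBC login and also expose every password in the secret to the weblogic task. Referencing only the needed key avoids both problems, for example `"JDBC_PASSWORD" = "${module.oracle_db_shared.database_application_passwords_secret_arn}:<json-key placeholder>::"`. The secret's layout and the module's handling of this map are not visible in the hunk, so please confirm them.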
@@ -135,13 +135,13 @@ locals { module "weblogic_ssm" { source = "../helpers/ssm_params" application_name = "weblogic" - environment_name = "delius-core-${var.env_name}" + environment_name = "${var.account_info.application_name}-${var.env_name}" params_plain = local.weblogic_ssm.vars params_secure = local.weblogic_ssm.secrets } data "aws_ssm_parameter" "weblogic_ssm" { for_each = toset(local.weblogic_ssm.vars) - name = "/delius-core-${var.env_name}/weblogic/${each.key}" + name = "/${var.account_info.application_name}-${var.env_name}/weblogic/${each.key}" } From 71110b2d782342010eaa300fcc89b60343764192 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 18 Nov 2024 09:45:56 +0000 Subject: [PATCH 205/308] Update test and prod Update EC2NodeClass block device config Signed-off-by: Jacob Woffenden --- .../environment-configuration.tf | 12 ++++++------ .../helm/charts/karpenter-configuration/Chart.yaml | 2 +- .../ec2-node-class-bottlerocket-general.yaml | 4 ++-- .../templates/ec2-node-class-bottlerocket-gpu.yaml | 4 ++-- .../templates/node-pool-general-spot.yaml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index c9a7deb68c6..df1d8fe7f6d 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf 
@@ -81,12 +81,12 @@ locals { eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" - kube_proxy = "v1.31.1-eksbuild.2" + kube_proxy = "v1.31.2-eksbuild.2" aws_ebs_csi_driver = "v1.36.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.8-eksbuild.1" + aws_efs_csi_driver = "v2.0.9-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.6-eksbuild.1" + vpc_cni = "v1.19.0-eksbuild.1" } /* Observability Platform */ @@ -131,12 +131,12 @@ locals { eks_node_version = "1.26.2-360b7a38" eks_cluster_addon_versions = { coredns = "v1.11.3-eksbuild.2" - kube_proxy = "v1.31.1-eksbuild.2" + kube_proxy = "v1.31.2-eksbuild.2" aws_ebs_csi_driver = "v1.36.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.8-eksbuild.1" + aws_efs_csi_driver = "v2.0.9-eksbuild.1" aws_guardduty_agent = "v1.7.1-eksbuild.2" eks_pod_identity_agent = "v1.3.2-eksbuild.2" - vpc_cni = "v1.18.6-eksbuild.1" + vpc_cni = "v1.19.0-eksbuild.1" } /* Data Engineering Airflow */ diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index 462add8abe8..649c63ed2ae 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v2 name: karpenter-configuration description: A Helm chart to deploy Karpenter's configuration type: application -version: 2.2.0 +version: 2.3.0 
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml index 710a0e0f9f4..bfaafdb48a3 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-general.yaml @@ -21,11 +21,11 @@ spec: blockDeviceMappings: - deviceName: /dev/xvdb ebs: - volumeSize: 100Gi + volumeSize: 200Gi volumeType: gp3 iops: 3000 encrypted: true kmsKeyID: {{ .Values.ebsKmsKeyId }} deleteOnTermination: true - throughput: 125 + throughput: 250 detailedMonitoring: true diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml index 60e96cec2b5..be59088d0df 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/ec2-node-class-bottlerocket-gpu.yaml @@ -21,11 +21,11 @@ spec: blockDeviceMappings: - deviceName: /dev/xvdb ebs: - volumeSize: 100Gi + volumeSize: 200Gi volumeType: gp3 iops: 3000 encrypted: true kmsKeyID: {{ .Values.ebsKmsKeyId }} deleteOnTermination: true - throughput: 125 + throughput: 250 detailedMonitoring: true 
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml index bceb43c80fb..792f049909a 100644 --- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml +++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-general-spot.yaml @@ -35,4 +35,4 @@ spec: values: ["c", "m", "r"] - key: karpenter.k8s.aws/instance-generation operator: Gt - values: ["2"] + values: ["4"] From ddcf9c62b71e794afb09be6a20c0f51b4a019db4 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 09:58:42 +0000 Subject: [PATCH 206/308] feat: add cross-region lake formation (lf) role for adding `mojap-derived-tables` to lf fix: add sandbox/dev role to lf admin style: remove custom `local` for ap_data_prod account number --- .../environment-configuration.tf | 8 +-- .../iam-policies.tf | 60 +++++++++++++++++++ .../analytical-platform-compute/iam-roles.tf | 41 +++++++++++++ .../lakeformation-data-lake-settings.tf | 6 +- .../analytical-platform-compute/s3-buckets.tf | 4 +- 5 files changed, 111 insertions(+), 8 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index df1d8fe7f6d..7749b6c78c6 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -1,5 +1,5 @@ locals { - ap_data_prod_account_id = local.environment_management.account_ids["analytical-platform-data-production"] + ap_data_prod_s3_kms_key_id = "df8888e3-4080-4c2b-a71e-1425e72f98e4" environment_configurations = { development = { 
@@ -39,7 +39,7 @@ locals { } /* Data Engineering Airflow */ - data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-dev-execution-role" + data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-dev-execution-role" /* MLFlow */ mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow-development" @@ -93,7 +93,7 @@ locals { observability_platform = "development" /* Data Engineering Airflow */ - data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-dev-execution-role" + data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-dev-execution-role" /* MLFlow */ mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow-test" @@ -140,7 +140,7 @@ locals { } /* Data Engineering Airflow */ - data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-prod-execution-role" + data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-prod-execution-role" /* MLFlow */ mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow" diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index a9acae46b9a..45440e61c81 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf 
@@ -298,3 +298,63 @@ module "quicksight_vpc_connection_iam_policy" { tags = local.tags } + +data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + statement { + sid = "AllowS3ReadWriteAPDataProdDerivedTables" + effect = "Allow" + actions = [ + "s3:GetObject", + "s3:PutObject", + ] + resources = ["arn:aws:s3:::mojap-derived-tables/prod/*"] + } + statement { + sid = "AllowS3AccessAPDataProdDerivedTablesBucket" + effect = "Allow" + actions = [ + "s3:ListBucket", + "s3:GetBucketLocation", + ] + resources = ["arn:aws:s3:::mojap-derived-tables"] + } + statement { + sid = "AwsSseS3KmsSourceAccount" + effect = "Allow" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey" + ] + resources = ["arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:key/${local.ap_data_prod_s3_kms_key_id}"] + } + statement { + sid = "AllowLakeFormationCloudWatchLogs" + effect = "Allow" + actions = [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents" + ] + resources = [ + "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws-lakeformation-acceleration/*", + "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws-lakeformation-acceleration/*:log-stream:*" + ] + } +} + +module "data_account_mojap_derived_bucket_lake_formation_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "5.46.0" + + name_prefix = "analytical-platform-data-bucket-lake-formation-policy" + + policy = 
data.aws_iam_policy_document.data_account_mojap_derived_bucket_lake_formation_policy.json +} diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 2de24c1e9fe..ce4aa3ea769 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -342,3 +342,44 @@ module "quicksight_vpc_connection_iam_role" { tags = local.tags } + +module "lake_formation_to_data_production_mojap_derived_tables_role" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.46.0" + + create_role = true + role_requires_mfa = false + + role_name_prefix = "lake-formation-data-production-mojap-derived" + + # number_of_custom_role_policy_arns = 1 + + custom_role_policy_arns = [ + module.data_production_mojap_derived_bucket_lake_formation_policy.arn, + ] + + create_custom_role_trust_policy = true + custom_role_trust_policy = data.aws_iam_policy_document.custom_lake_formation_trust_policy.json + + tags = local.tags +} + +data "aws_iam_policy_document" "custom_lake_formation_trust_policy" { + statement { + effect = "Allow" + actions = [ + "sts:AssumeRole", + "sts:SetContext" + ] + principals { + type = "AWS" + identifiers = [ + "glue.amazonaws.com", + "lakeformation.amazonaws.com" + ] + } + } +} \ No newline at end of file diff --git a/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf b/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf index 45a19024283..8d7f889e1a2 100644 --- a/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf +++ b/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf 
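Review bot: The `custom_lake_formation_trust_policy` statement at the end of the iam-roles.tf hunk lets `glue.amazonaws.com` and `lakeformation.amazonaws.com` call `sts:AssumeRole` and `sts:SetContext` with no condition, so nothing ties the role to this account's own Glue and Lake Formation resources (the cross-service confused-deputy case). The role carries read/write access to `mojap-derived-tables/prod/*`, so a source-account condition on the trust statement is worth adding. Confirm first that both services populate `aws:SourceAccount` when they assume the role. The principal type is corrected to `Service` in PATCH 211 and the same trust is re-expressed through `trusted_role_services` in PATCH 214, where the point still applies.

```hcl
data "aws_iam_policy_document" "custom_lake_formation_trust_policy" {
  statement {
    # … unchanged: effect, actions, principals …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```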
@@ -4,7 +4,8 @@ resource "aws_lakeformation_data_lake_settings" "london" { module.lake_formation_share_role.iam_role_arn, module.analytical_platform_ui_service_role.iam_role_arn, module.analytical_platform_data_eng_dba_service_role.iam_role_arn, - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.data_engineering_sso_role.names)}" + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.data_engineering_sso_role.names)}", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.eks_sso_access_role.names)}" ] } @@ -15,6 +16,7 @@ resource "aws_lakeformation_data_lake_settings" "ireland" { module.lake_formation_share_role.iam_role_arn, module.analytical_platform_ui_service_role.iam_role_arn, module.analytical_platform_data_eng_dba_service_role.iam_role_arn, - "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.data_engineering_sso_role.names)}" + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.data_engineering_sso_role.names)}", + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-reserved/sso.amazonaws.com/${data.aws_region.current.name}/${one(data.aws_iam_roles.eks_sso_access_role.names)}" ] } diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index ffbfa4b740a..b771cbfcda3 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
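Review bot: The `eks_sso_access_role` SSO role ARN is appended to the list in `aws_lakeformation_data_lake_settings.london` with no environment guard, and the `ireland` hunk that follows does the same. Assuming this list is the data lake administrators (the commit subject says "add sandbox/dev role to lf admin"), the role gets that privilege in every environment the stack is applied to, including production. If the access is only meant for sandbox/dev, build the list with `concat(...)` and include the new ARN only when `local.environment` is a non-production value. Otherwise record the intent next to the entry, for example `# EKS SSO access role is a data lake admin in all environments by design`. The resource blocks start outside both hunks.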
@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "s3_replication_policy" { identifiers = [ "arn:aws:iam::525294151996:role/service-role/s3replicate_role_for_lf-antfmoj-test", "arn:aws:iam::525294151996:role/service-role/s3crr_role_for_lf-antfmoj-test_1", - "arn:aws:iam::${local.ap_data_prod_account_id}:role/mojap-data-production-cadet-to-apc-production-replication", + "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/mojap-data-production-cadet-to-apc-production-replication", ] } resources = ["arn:aws:s3:::mojap-compute-${local.environment}-derived-tables-replication/*"] @@ -54,7 +54,7 @@ data "aws_iam_policy_document" "s3_replication_policy" { principals { type = "AWS" identifiers = [ - "arn:aws:iam::${local.ap_data_prod_account_id}:role/mojap-data-production-cadet-to-apc-production-replication", + "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/mojap-data-production-cadet-to-apc-production-replication", ] } resources = ["arn:aws:s3:::mojap-compute-${local.environment}-derived-tables-replication"] From 15ddcebb39b503f82810f6138ba09fc2d41c1b52 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 09:59:48 +0000 Subject: [PATCH 207/308] fix: uncommitted changes from previous commit --- .../analytical-platform-compute/iam-policies.tf | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 45440e61c81..33ba29da1dc 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf 
@@ -299,11 +299,11 @@ module "quicksight_vpc_connection_iam_policy" { tags = local.tags } -data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation_policy" { +data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_formation_policy" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions statement { - sid = "AllowS3ReadWriteAPDataProdDerivedTables" + sid = "AllowS3ReadWriteAPDataProdDerivedTables" effect = "Allow" actions = [ "s3:GetObject", @@ -312,7 +312,7 @@ data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation resources = ["arn:aws:s3:::mojap-derived-tables/prod/*"] } statement { - sid = "AllowS3AccessAPDataProdDerivedTablesBucket" + sid = "AllowS3AccessAPDataProdDerivedTablesBucket" effect = "Allow" actions = [ "s3:ListBucket", @@ -321,7 +321,7 @@ data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation resources = ["arn:aws:s3:::mojap-derived-tables"] } statement { - sid = "AwsSseS3KmsSourceAccount" + sid = "AwsSseS3KmsSourceAccount" effect = "Allow" actions = [ "kms:Encrypt", @@ -333,7 +333,7 @@ data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation resources = ["arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:key/${local.ap_data_prod_s3_kms_key_id}"] } statement { - sid = "AllowLakeFormationCloudWatchLogs" + sid = "AllowLakeFormationCloudWatchLogs" effect = "Allow" actions = [ "logs:CreateLogStream", 
@@ -347,7 +347,7 @@ data "aws_iam_policy_document" "data_account_mojap_derived_bucket_lake_formation } } -module "data_account_mojap_derived_bucket_lake_formation_policy" { +module "data_production_mojap_derived_bucket_lake_formation_policy" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions @@ -356,5 +356,5 @@ module "data_account_mojap_derived_bucket_lake_formation_policy" { name_prefix = "analytical-platform-data-bucket-lake-formation-policy" - policy = data.aws_iam_policy_document.data_account_mojap_derived_bucket_lake_formation_policy.json + policy = data.aws_iam_policy_document.data_production_mojap_derived_bucket_lake_formation_policy.json } From f87fe427e4f5b0df6ac7ffe93856bab0857e67de Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 10:48:02 +0000 Subject: [PATCH 208/308] fix: shorten iam role name --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index ce4aa3ea769..761905df160 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -353,7 +353,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { create_role = true role_requires_mfa = false - role_name_prefix = "lake-formation-data-production-mojap-derived" + role_name_prefix = "lf-data-prod-mojap-derived" # number_of_custom_role_policy_arns = 1 From f0e77bc74ad00a37ab2705f3cc5d698d463623d0 Mon Sep 17 00:00:00 2001 
From: Tom Webber Date: Fri, 15 Nov 2024 13:56:06 +0000 Subject: [PATCH 209/308] feat: remove unneeded `s3:GetBucketLocation` permission on lf bucket registration role --- .../environments/analytical-platform-compute/iam-policies.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 33ba29da1dc..f562d08b056 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -316,7 +316,6 @@ data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_format effect = "Allow" actions = [ "s3:ListBucket", - "s3:GetBucketLocation", ] resources = ["arn:aws:s3:::mojap-derived-tables"] } From 5f74668f10f7f2959f46b3250b6dabc1da145135 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 16:12:45 +0000 Subject: [PATCH 210/308] feat: remove unneeded cross-account kms default key ref --- .../environment-configuration.tf | 2 -- .../analytical-platform-compute/iam-policies.tf | 12 ------------ 2 files changed, 14 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 7749b6c78c6..574db8dde12 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -1,6 +1,4 @@ locals { - ap_data_prod_s3_kms_key_id = "df8888e3-4080-4c2b-a71e-1425e72f98e4" - environment_configurations = { development = { /* VPC */ diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index f562d08b056..de2f63d22a2 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf 
+++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -319,18 +319,6 @@ data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_format ] resources = ["arn:aws:s3:::mojap-derived-tables"] } - statement { - sid = "AwsSseS3KmsSourceAccount" - effect = "Allow" - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey" - ] - resources = ["arn:aws:kms:eu-west-1:${local.environment_management.account_ids["analytical-platform-data-production"]}:key/${local.ap_data_prod_s3_kms_key_id}"] - } statement { sid = "AllowLakeFormationCloudWatchLogs" effect = "Allow" From f6891361f6d92099533012b85e379e1e0eaf1386 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 16:52:44 +0000 Subject: [PATCH 211/308] fix: principal type for aws services --- .../analytical-platform-compute/iam-policies.tf | 6 +++--- .../environments/analytical-platform-compute/iam-roles.tf | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index de2f63d22a2..3c6f1a9e4a1 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -303,7 +303,7 @@ data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_format #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions statement { - sid = "AllowS3ReadWriteAPDataProdDerivedTables" + sid = "AllowS3ReadWriteAPDataProdDerivedTables" effect = "Allow" actions = [ "s3:GetObject", 
@@ -312,7 +312,7 @@ data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_format resources = ["arn:aws:s3:::mojap-derived-tables/prod/*"] } statement { - sid = "AllowS3AccessAPDataProdDerivedTablesBucket" + sid = "AllowS3AccessAPDataProdDerivedTablesBucket" effect = "Allow" actions = [ "s3:ListBucket", @@ -320,7 +320,7 @@ data "aws_iam_policy_document" "data_production_mojap_derived_bucket_lake_format resources = ["arn:aws:s3:::mojap-derived-tables"] } statement { - sid = "AllowLakeFormationCloudWatchLogs" + sid = "AllowLakeFormationCloudWatchLogs" effect = "Allow" actions = [ "logs:CreateLogStream", diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 761905df160..2e6279fac81 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -375,11 +375,11 @@ data "aws_iam_policy_document" "custom_lake_formation_trust_policy" { "sts:SetContext" ] principals { - type = "AWS" + type = "Service" identifiers = [ "glue.amazonaws.com", "lakeformation.amazonaws.com" ] } } -} \ No newline at end of file +} From a5bc5d90fc04b2f0f7484d324c1936d5af389271 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 15 Nov 2024 17:04:22 +0000 Subject: [PATCH 212/308] style: rename `role_name_prefix` to be more readable --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 2e6279fac81..770afa0bc8c 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf 
@@ -353,7 +353,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { create_role = true role_requires_mfa = false - role_name_prefix = "lf-data-prod-mojap-derived" + role_name_prefix = "lf-data-prod-mojap-derived-" # number_of_custom_role_policy_arns = 1 From 426a6708c2e75c9c46bb149e098ebe09768febff Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Mon, 18 Nov 2024 14:18:19 +0000 Subject: [PATCH 213/308] Code bug Fixes - 1811 - 1 --- .../glue-job/etl_table_rows_hashvalue_to_parquet.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py index 87f4b75aaac..bc6896c1eb6 100644 --- a/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py +++ b/terraform/environments/electronic-monitoring-data/glue-job/etl_table_rows_hashvalue_to_parquet.py @@ -245,9 +245,9 @@ def write_parquet_to_s3(hashed_rows_prq_df_write: DataFrame, hashed_rows_prq_ful ) rds_jdbc_agg_dict = rds_jdbc_min_max_count_df_agg.collect()[0] - rds_jdbc_min_pkey = rds_jdbc_agg_dict[f"min_{rds_db_tbl_pkey_column}"] - rds_jdbc_max_pkey = rds_jdbc_agg_dict[f"max_{rds_db_tbl_pkey_column}"] - rds_jdbc_count_pkey = rds_jdbc_agg_dict[f"count_{rds_db_tbl_pkey_column}"] + rds_jdbc_min_pkey = rds_jdbc_agg_dict[f"min_value"] + rds_jdbc_max_pkey = rds_jdbc_agg_dict[f"max_value"] + rds_jdbc_count_pkey = rds_jdbc_agg_dict[f"count_value"] LOGGER.info(f"""rds_jdbc_min_pkey = {rds_jdbc_min_pkey}""") LOGGER.info(f"""rds_jdbc_max_pkey = {rds_jdbc_max_pkey}""") From b7662543b15a7e17df437882e9c1425464c9275e Mon Sep 17 00:00:00 2001 
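Review bot: The three replaced lookups keep the `f` prefix although the strings no longer contain a placeholder (`f"min_value"`, `f"max_value"`, `f"count_value"`), which linters flag and which suggests a substitution was intended. Write them as plain literals, e.g. `rds_jdbc_min_pkey = rds_jdbc_agg_dict["min_value"]`. The keys now have to match the aliases used where `rds_jdbc_min_max_count_df_agg` is built, which is above the hunk and not visible here, so that is worth confirming in the same change.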
From: Tom Webber Date: Mon, 18 Nov 2024 15:23:19 +0000 Subject: [PATCH 214/308] style: remove custom role definition, use `trusted_role_*` inputs chore: update module versions --- .../iam-policies.tf | 2 +- .../analytical-platform-compute/iam-roles.tf | 32 +++++++------------ 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 3c6f1a9e4a1..bf5335398af 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -339,7 +339,7 @@ module "data_production_mojap_derived_bucket_lake_formation_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.46.0" + version = "5.48.0" name_prefix = "analytical-platform-data-bucket-lake-formation-policy" diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 770afa0bc8c..34d64c22da3 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -348,12 +348,12 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.46.0" + version = "5.48.0" create_role = true role_requires_mfa = false - role_name_prefix = "lf-data-prod-mojap-derived-" + role_name_prefix = "lake-formation-data-prod-mojap-derived-" # number_of_custom_role_policy_arns = 1 
@@ -361,25 +361,15 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { module.data_production_mojap_derived_bucket_lake_formation_policy.arn, ] - create_custom_role_trust_policy = true - custom_role_trust_policy = data.aws_iam_policy_document.custom_lake_formation_trust_policy.json + trusted_role_actions = [ + "sts:AssumeRole", + "sts:SetContext" + ] - tags = local.tags -} + trusted_role_services = [ + "glue.amazonaws.com", + "lakeformation.amazonaws.com" + ] -data "aws_iam_policy_document" "custom_lake_formation_trust_policy" { - statement { - effect = "Allow" - actions = [ - "sts:AssumeRole", - "sts:SetContext" - ] - principals { - type = "Service" - identifiers = [ - "glue.amazonaws.com", - "lakeformation.amazonaws.com" - ] - } - } + tags = local.tags } From c42193d799437a19ae70f9f314deca7a84eb13a5 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Mon, 18 Nov 2024 15:31:25 +0000 Subject: [PATCH 215/308] fix: need to re-shorten `role_name_prefix` --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 34d64c22da3..141b9de42d6 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -353,7 +353,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { create_role = true role_requires_mfa = false - role_name_prefix = "lake-formation-data-prod-mojap-derived-" + role_name_prefix = "lakeformation-data-prod-mojap-derived-" # number_of_custom_role_policy_arns = 1 From 4084445443410afe0f75a6422195af3902d8d014 Mon Sep 17 00:00:00 2001 
From: tom-ogle-moj <142220790+tom-ogle-moj@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:46:38 +0000 Subject: [PATCH 216/308] DPR2-1435: Add DPS Case Notes service secrets and glue connections. (#8699) --- .../application_variables.json | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/terraform/environments/digital-prison-reporting/application_variables.json b/terraform/environments/digital-prison-reporting/application_variables.json index 1e739363277..5ef69277647 100644 --- a/terraform/environments/digital-prison-reporting/application_variables.json +++ b/terraform/environments/digital-prison-reporting/application_variables.json @@ -94,7 +94,10 @@ "setup_sonatype_secrets": true, "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, - "dps_domains": ["dps-activities"], + "dps_domains": [ + "dps-activities", + "dps-case-notes" + ], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -269,7 +272,10 @@ "setup_sonatype_secrets": false, "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, - "dps_domains": ["dps-activities"], + "dps_domains": [ + "dps-activities", + "dps-case-notes" + ], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -446,7 +452,10 @@ "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, "enable_redshift_health_check": true, - "dps_domains": ["dps-activities"], + "dps_domains": [ + "dps-activities", + "dps-case-notes" + ], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -639,7 +648,10 @@ "setup_sonatype_secrets": false, "setup_scheduled_action_iam_role": false, "setup_redshift_schedule": false, - "dps_domains": ["dps-activities"], + "dps_domains": [ + "dps-activities", + "dps-case-notes" + ], "alarms": { "setup_cw_alarms": true, "redshift": { From 9b921668136ba7b22e74a809dbfebb99f8a24240 Mon Sep 17 00:00:00 2001 
From: Tom Webber Date: Mon, 18 Nov 2024 15:57:15 +0000 Subject: [PATCH 217/308] fix: role name rather than prefix --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 141b9de42d6..6bf418383fa 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -353,7 +353,7 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { create_role = true role_requires_mfa = false - role_name_prefix = "lakeformation-data-prod-mojap-derived-" + role_name = "lake-formation-data-production-data-access" # number_of_custom_role_policy_arns = 1 From daab388116ab84d9a4290390207d2a38effb34a0 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:59:33 +0000 Subject: [PATCH 218/308] TM-679: ssm command widgets (#8701) * add ssm_command widgets to nomis-test * add alarm * add alarm * typo * fix * Add to oem * set period --- terraform/environments/hmpps-oem/locals.tf | 2 + terraform/environments/nomis/locals.tf | 3 +- .../environments/nomis/locals_development.tf | 1 + .../nomis/locals_preproduction.tf | 1 + .../environments/nomis/locals_production.tf | 1 + terraform/environments/nomis/locals_test.tf | 1 + .../baseline_presets/cloudwatch_dashboards.tf | 66 +++++++++++++++++++ .../cloudwatch_metric_alarms.tf | 16 +++++ 8 files changed, 90 insertions(+), 1 deletion(-) diff --git a/terraform/environments/hmpps-oem/locals.tf b/terraform/environments/hmpps-oem/locals.tf index 85a417ae61b..7879ed9ac6f 100644 --- a/terraform/environments/hmpps-oem/locals.tf +++ b/terraform/environments/hmpps-oem/locals.tf 
@@ -32,6 +32,7 @@ locals { "ec2_instance_oracle_db_with_backup", "ec2_instance_textfile_monitoring", "ec2_windows", + "ssm_command", ] cloudwatch_metric_alarms_default_actions = ["pagerduty"] enable_backup_plan_daily_and_weekly = true @@ -105,6 +106,7 @@ locals { module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_oracle_db_with_backup, module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_textfile_monitoring, module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_windows, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, ] } "nomis-combined-reporting-${local.environment}" = { diff --git a/terraform/environments/nomis/locals.tf b/terraform/environments/nomis/locals.tf index 9b644f9da66..ada318258c9 100644 --- a/terraform/environments/nomis/locals.tf +++ b/terraform/environments/nomis/locals.tf @@ -48,6 +48,7 @@ locals { enable_resource_explorer = true } - security_groups = local.security_groups + cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.ssm + security_groups = local.security_groups } } diff --git a/terraform/environments/nomis/locals_development.tf b/terraform/environments/nomis/locals_development.tf index 8aac9cb8aae..1bbb7f2192c 100644 --- a/terraform/environments/nomis/locals_development.tf +++ b/terraform/environments/nomis/locals_development.tf @@ -41,6 +41,7 @@ locals { module.baseline_presets.cloudwatch_dashboard_widget_groups.lb, local.cloudwatch_dashboard_widget_groups.db, local.cloudwatch_dashboard_widget_groups.syscon, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, ] } } diff --git a/terraform/environments/nomis/locals_preproduction.tf b/terraform/environments/nomis/locals_preproduction.tf index da5b3cb1162..f700b241da6 100644 --- a/terraform/environments/nomis/locals_preproduction.tf +++ b/terraform/environments/nomis/locals_preproduction.tf 
@@ -49,6 +49,7 @@ locals { local.cloudwatch_dashboard_widget_groups.db, local.cloudwatch_dashboard_widget_groups.xtag, local.cloudwatch_dashboard_widget_groups.asg, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, ] } } diff --git a/terraform/environments/nomis/locals_production.tf b/terraform/environments/nomis/locals_production.tf index 0d0d90e3b71..0ee530ff77b 100644 --- a/terraform/environments/nomis/locals_production.tf +++ b/terraform/environments/nomis/locals_production.tf @@ -51,6 +51,7 @@ locals { local.cloudwatch_dashboard_widget_groups.db, local.cloudwatch_dashboard_widget_groups.xtag, local.cloudwatch_dashboard_widget_groups.asg, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, ] } "prod-nomis-db-1-a" = { diff --git a/terraform/environments/nomis/locals_test.tf b/terraform/environments/nomis/locals_test.tf index cb832c11907..e691faaa08a 100644 --- a/terraform/environments/nomis/locals_test.tf +++ b/terraform/environments/nomis/locals_test.tf @@ -45,6 +45,7 @@ locals { local.cloudwatch_dashboard_widget_groups.db, local.cloudwatch_dashboard_widget_groups.xtag, local.cloudwatch_dashboard_widget_groups.asg, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, ] } } diff --git a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf index 6a19ff3ae4d..6145a80509a 100644 --- a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf +++ b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf @@ -466,6 +466,7 @@ locals { expression = "SORT(SEARCH('{CWAgent,InstanceId,type,type_instance} MetricName=\"collectd_endpoint_cert_expiry_value\"','Minimum'),MIN,ASC)" properties = { view = "bar" + period = 3600 stacked = false region = "eu-west-2" title = "endpoint-cert-days-to-expiry" 
@@ -776,6 +777,61 @@ locals { } } ssm = { + ssm-command-success-count = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, DocumentName} MetricName=\"SSMCommandSuccessCount\"','Sum'),SUM,DESC)" + properties = { + view = "timeSeries" + period = 3600 + stacked = true + region = "eu-west-2" + title = "SSM command-success-count" + stat = "Sum" + yAxis = { + left = { + showUnits = false, + label = "count" + } + } + } + } + ssm-command-failed-count = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, DocumentName} MetricName=\"SSMCommandFailedCount\"','Sum'),SUM,DESC)" + properties = { + view = "timeSeries" + period = 3600 + stacked = true + region = "eu-west-2" + title = "SSM command-failed-count" + stat = "Sum" + yAxis = { + left = { + showUnits = false, + label = "count" + } + } + } + } + ssm-command-ignore-count = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, DocumentName} MetricName=\"SSMCommandIgnoreCount\"','Sum'),SUM,DESC)" + properties = { + view = "timeSeries" + period = 3600 + stacked = true + region = "eu-west-2" + title = "SSM command-ignore-count" + stat = "Sum" + yAxis = { + left = { + showUnits = false, + label = "count" + } + } + } + } + ssm-command-invocation-status = { type = "metric" properties = { @@ -958,6 +1014,16 @@ locals { local.cloudwatch_dashboard_widgets.network_lb.load-balancer-peak-packets-per-second, ] } + ssm_command = { + header_markdown = "## SSM Command Metrics" + width = 8 + height = 8 + widgets = [ + local.cloudwatch_dashboard_widgets.ssm.ssm-command-success-count, + local.cloudwatch_dashboard_widgets.ssm.ssm-command-failed-count, + local.cloudwatch_dashboard_widgets.ssm.ssm-command-ignore-count, + ] + } custom = { header_markdown = "## Custom Metrics" width = 8 diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 1fdd5499444..13e4d2c84e8 100644 
--- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf @@ -388,5 +388,21 @@ locals { ok_actions = var.options.cloudwatch_metric_alarms_default_actions } } + + ssm = { + failed-ssm-command = { + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "24" + datapoints_to_alarm = "1" + metric_name = "SSMCommandFailedCount" + namespace = "CustomMetrics" + period = "3600" + statistic = "Maximum" + threshold = "1" + alarm_description = "Triggers if there has been a failed scheduled SSM command. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5291475023" + alarm_actions = var.options.cloudwatch_metric_alarms_default_actions + ok_actions = var.options.cloudwatch_metric_alarms_default_actions + } + } } } From 472522edae9770ff354d9e272d7f437193884f2c Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Mon, 18 Nov 2024 16:31:04 +0000 Subject: [PATCH 219/308] feat: add tags to lf policies --- .../environments/analytical-platform-compute/iam-policies.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index bf5335398af..84721171ddb 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -263,6 +263,8 @@ module "analytical_platform_lake_formation_share_policy" { name_prefix = "analytical-platform-lake-formation-sharing-policy" policy = data.aws_iam_policy_document.analytical_platform_share_policy.json + + tags = local.tags } data "aws_iam_policy_document" "quicksight_vpc_connection" { 
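Review bot: The new `failed-ssm-command` alarm does not say how periods without data are treated. If `SSMCommandFailedCount` is only published when a command runs (the emitter is not visible here), most hourly periods will be empty and the alarm may sit in INSUFFICIENT_DATA rather than OK. With `evaluation_periods = "24"` and `datapoints_to_alarm = "1"`, a single failure also holds the alarm in ALARM for up to 24 hours, which may be intended but deserves a comment. If the baseline alarm map passes the attribute through, consider adding `treat_missing_data = "notBreaching"`, and a line such as `# one failed run in the last 24h keeps this alarm raised`.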
@@ -344,4 +346,6 @@ module "data_production_mojap_derived_bucket_lake_formation_policy" { name_prefix = "analytical-platform-data-bucket-lake-formation-policy" policy = data.aws_iam_policy_document.data_production_mojap_derived_bucket_lake_formation_policy.json + + tags = local.tags } From 225ada80ba026544719622260b3ac1d9741a2da8 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Mon, 18 Nov 2024 17:22:56 +0000 Subject: [PATCH 220/308] update secret Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 9b078b3b6e9..a258566ec81 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -70,7 +70,7 @@ export ENV="${local.application_data.accounts[local.environment].edw_environment export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} --query SecretString --output text` -export SECRET_EC2=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query SecretString --output text` +# export SECRET_EC2=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query SecretString --output text` export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts 
@@ -110,7 +110,7 @@ log_group_name = $APPNAME-CfnInit log_stream_name = {instance_id} [oracle_alert_log_errors] -file = /oracle/software/product/10.2.0/admin/$APPNAME/bdump/alert_$APPNAME.log +file = bdu$APPNAME/bdump/alert_$APPNAME.log log_group_name = $APPNAME-OracleAlerts log_stream_name = {instance_id} @@ -268,7 +268,7 @@ chmod -R 777 /home/oracle chmod -R 777 /stage/owb/ # Replace the secret in the rootrotate.sh script -sed -i "s|--secret-id .* --query|--secret-id $SECRET_EC2 --query|g" /root/scripts/rootrotate.sh +sed -i "s|--secret-id .* --query|--secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query|g" /root/scripts/rootrotate.sh #### setup_backups: From 55d44fa53ae90d704ae13324574f5e5f85f516d8 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Mon, 18 Nov 2024 17:54:54 +0000 Subject: [PATCH 221/308] [TM-615] added files for creation of s3fs ec2 instance --- .../application_variables.json | 4 +- .../corporate-information-system/ec2-s3fs.tf | 50 ++++++++++++ .../corporate-information-system/iam.tf | 80 +++++++++++++++++++ .../corporate-information-system/locals.tf | 23 ++++++ 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/corporate-information-system/ec2-s3fs.tf diff --git a/terraform/environments/corporate-information-system/application_variables.json b/terraform/environments/corporate-information-system/application_variables.json index f11350b9eb1..3b3149a6755 100644 --- a/terraform/environments/corporate-information-system/application_variables.json +++ b/terraform/environments/corporate-information-system/application_variables.json @@ -13,7 +13,9 @@ "ebs_sdh_snapshot": "snap-032650fbb7a97032f", "sdhsize": "200", "ebs_sdi_snapshot": "snap-04d4a697cc1e66d09", - "sdisize": "150" + "sdisize": "150", + "s3fs_ami_id": "ami-0a6006bac3b9bb8d3", + "s3fsinstancetype": "t3a.small", }, "test": { "example_var": "test-data" 
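Review bot: In the `@@ -110,7 +110,7 @@` hunk the `[oracle_alert_log_errors]` entry becomes `file = bdu$APPNAME/bdump/alert_$APPNAME.log`, a relative path that no longer points at the Oracle admin directory. The log agent would then presumably stop shipping alert-log errors to the `$APPNAME-OracleAlerts` group, silently removing that monitoring. This looks like a stray edit unrelated to the secret change; restore `file = /oracle/software/product/10.2.0/admin/$APPNAME/bdump/alert_$APPNAME.log`. The user-data heredoc that contains these lines starts and ends outside the hunk.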
diff --git a/terraform/environments/corporate-information-system/ec2-s3fs.tf b/terraform/environments/corporate-information-system/ec2-s3fs.tf new file mode 100644 index 00000000000..0e10d7ac2d0 --- /dev/null +++ b/terraform/environments/corporate-information-system/ec2-s3fs.tf @@ -0,0 +1,50 @@ +###################################### +# CIS S3FS EC2 Instance +###################################### + +resource "aws_instance" "cis_s3fs_instance" { + count = local.create_cis_s3fs_instance ? 1 : 0 + ami = local.application_data.accounts[local.environment].s3fs_ami_id + instance_type = local.application_data.accounts[local.environment].s3fsinstancetype + key_name = aws_key_pair.cis.key_name + ebs_optimized = true + monitoring = true + subnet_id = data.aws_subnet.data_subnets_a.id + iam_instance_profile = aws_iam_instance_profile.s3fs_instance_profile.name + vpc_security_group_ids = [aws_security_group.ec2_instance_sg.id] + user_data_base64 = base64encode(local.s3fs-instance-userdata) + user_data_replace_on_change = true + + root_block_device { + delete_on_termination = false + encrypted = true + volume_size = 10 + volume_type = "gp2" + tags = merge( + { "instance-scheduling" = "skip-scheduling" }, + local.tags, + { "Name" = "${local.application_name_short}-root" } + ) + } + + metadata_options { + http_tokens = "required" + } + + tags = merge( + local.tags, + { "Name" = "${local.application_name_short} S3FS Server" }, + { "instance-scheduling" = "skip-scheduling" }, + { "snapshot-with-daily-7-day-retention" = "yes" } + ) +} + + +###################################### +# CIS S3FS IAM Role +###################################### + +resource "aws_iam_instance_profile" "s3fs_instance_profile" { + name = "${local.application_name_short}-s3fs-profile" + role = aws_iam_role.cis_s3fs_role.name +} \ No newline at end of file 
diff --git a/terraform/environments/corporate-information-system/iam.tf b/terraform/environments/corporate-information-system/iam.tf index 41598ef9743..aa2fdb4a3b8 100644 --- a/terraform/environments/corporate-information-system/iam.tf +++ b/terraform/environments/corporate-information-system/iam.tf @@ -1,3 +1,7 @@ +###################################### +# CIS DB IAM Role & Policy +###################################### + resource "aws_iam_role" "cis_ec2_role" { name = "${local.application_name_short}-ec2-role" 
@@ -34,4 +38,80 @@ resource "aws_iam_role_policy" "cis_ec2_policy" { } ] }) +} + +###################################### +# CIS S3FS IAM Role & Policy +###################################### + +resource "aws_iam_role" "cis_s3fs_role" { + name = "${local.application_name_short}-s3fs-role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "ec2.amazonaws.com" + } + } + ] + }) +} + +resource "aws_iam_role_policy_attachment" "cis_s3fs_role_policy_attachment" { + role = aws_iam_role.cis_s3fs_role.name + policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy" +} + +resource "aws_iam_role_policy" "cis_s3fs_policy" { + name = "${local.application_name_short}-s3fs-policy" + role = aws_iam_role.cis_s3fs_role.id + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::laa-software-bucket2", + "arn:aws:s3:::laa-software-bucket2/*", + "arn:aws:s3:::laa-software-library", + "arn:aws:s3:::laa-software-library/*", + "arn:aws:s3:::laa-cis-inbound-production", + "arn:aws:s3:::laa-cis-inbound-production/*", + "arn:aws:s3:::laa-cis-outbound-production", + "arn:aws:s3:::laa-cis-outbound-production/*", + "arn:aws:s3:::laa-ccms-outbound-production", + "arn:aws:s3:::laa-ccms-outbound-production/*", + "arn:aws:s3:::laa-ccms-inbound-production", + "arn:aws:s3:::laa-ccms-inbound-production/*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutRetentionPolicy", + "logs:PutLogEvents", + "ec2:DescribeInstances" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "ec2:CreateTags" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + }) } \ No newline at end of file 
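Review bot: The first statement of `cis_s3fs_policy` grants `s3:*` on a fixed list of buckets that includes the `-production` transfer buckets, while `create_cis_s3fs_instance` in locals.tf creates this instance in development and preproduction as well. If those ARNs resolve from the non-production accounts, a lower-environment host gets full control over production data, including bucket-policy and delete actions; even in production an s3fs mount presumably needs only list and object read/write/delete. Scoping the actions and deriving the bucket names from `local.environment`, as the fstab entries do in later commits, would follow least privilege; the exact action set should be confirmed against what the mounts do. `ec2:CreateTags` on `*` in the last statement could likewise be limited to the instance's own ARN.

```hcl
      {
        Effect = "Allow"
        Action = ["s3:ListBucket"]
        Resource = [
          "arn:aws:s3:::laa-cis-inbound-${local.environment}",
          # … unchanged: the other bucket ARNs, without the /* suffix …
        ]
      },
      {
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = [
          "arn:aws:s3:::laa-cis-inbound-${local.environment}/*",
          # … unchanged: the other bucket ARNs, with the /* suffix …
        ]
      },
      # … unchanged: logs and ec2 statements …
```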
diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 16402459232..e1b29786030 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf @@ -4,6 +4,8 @@ locals { nonprod_workspaces_local_cidr1 = "10.200.2.0/24" nonprod_workspaces_local_cidr2 = "10.200.3.0/24" + create_cis_s3fs_instance = contains(["development", "preproduction", "production"], local.environment) + database-instance-userdata = <> /tmp/oracle_startup.log 2>&1 # Start Listener as oracle user runuser -l oracle -c 'lsnrctl start LISTENER' >> /tmp/listener_startup.log 2>&1 +EOF + + s3fs-instance-userdata = <> /etc/fstab +echo 's3fs#laa-ccms-inbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-ccms-inbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-outbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-cis-outbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-inbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-cis-inbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#cds-central-print-temp /cdstemp fuse default_acl=bucket-owner-full-control,allow_other,use_cache=/tmp,endpoint=eu-west-2,uid=502,mp_umask=002,multireq_max=5,iam_role=' >> /etc/fstab +mount -a + EOF } \ No newline at end of file From d0092934fb70ac50746da8279a6030c37830d9cf Mon Sep 17 00:00:00 2001 
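Review bot: The four transfer mounts written to `/etc/fstab` in `s3fs-instance-userdata` use `allow_other` with no `uid`, `gid` or `mp_umask`, so any local account on the instance can presumably read and write the bucket contents through the mount. The `cds-central-print-temp` line already restricts ownership with `uid=502,mp_umask=002`; the other entries could follow it, e.g. `fuse _netdev,allow_other,uid=<service uid>,mp_umask=007,iam_role=auto 0 0`. That last entry also ends in an empty `iam_role=` and lacks `_netdev` and the trailing `0 0` fields the other lines carry, which looks unintended. The same options are carried through the later edits of this heredoc (PATCH 226 and 235); the heredoc opening is not visible in the hunk.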
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 19 Nov 2024 00:59:00 +0000 Subject: [PATCH 222/308] Bump bridgecrewio/checkov-action from 12.2907.0 to 12.2908.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2907.0 to 12.2908.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/d3664c62ad4f01820e5daac1bf8cf0986670641f...416bcc9b9b7e2e046b8003075241629761c3a810) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index ad09c65f5c9..7b298dbfeaf 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@d3664c62ad4f01820e5daac1bf8cf0986670641f # v12.2907.0 + uses: bridgecrewio/checkov-action@416bcc9b9b7e2e046b8003075241629761c3a810 # v12.2908.0 with: directory: ./ framework: terraform From 216e3e7643637608b5e417ccc838221d1f540099 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 07:36:36 +0000 Subject: [PATCH 223/308] Base alarm on math --- .../components/dms/cloudwatch-alarms.tf | 30 +++++++++++++------ 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 1c6de5c623f..d673d485a3f 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -283,21 +283,33 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 threshold = 0 - period = 60 - statistic = "Maximum" treat_missing_data = "ignore" - metric_name = "DMSReplicationStopped" - namespace = "CustomDMSMetrics" - dimensions = { - SourceId = each.key - EventSouce = "replication-task" - } + metric_query { + id = "e1" + expression = "FILL(m1,REPEAT)" + label = "DMSReplicationStoppedInterpolated" + return_data = "true" + } + + metric_query { + id = "m1" + + metric { + metric_name = "DMSReplicationStopped" + namespace = "CustmDMSMetrics" + period = 60 + stat = "Maximum" + + dimensions = { + SourceId = each.key + EventSource = "replication-task" + } + } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] } - # SNS Topic for DMS replication events # This is NOT the same as for DMS Cloudwatch Alarms (dms_alerting) # and is used to trigger the Lamda function if an event happens during From c99e7314d698dad47984dff3764df92826c6034f Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 07:42:46 +0000 Subject: [PATCH 224/308] Missing bracket --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index d673d485a3f..83ce2fba90a 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -306,6 +306,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { EventSource = "replication-task" } } + } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] } From 0e6f56de9686f43280aa3ebf1803254b1997693a Mon Sep 17 00:00:00 2001 
From: Vladimirs Kovalovs Date: Tue, 19 Nov 2024 07:54:43 +0000 Subject: [PATCH 225/308] [TM-615] small change --- .../corporate-information-system/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/application_variables.json b/terraform/environments/corporate-information-system/application_variables.json index 3b3149a6755..52583142bda 100644 --- a/terraform/environments/corporate-information-system/application_variables.json +++ b/terraform/environments/corporate-information-system/application_variables.json @@ -15,7 +15,7 @@ "ebs_sdi_snapshot": "snap-04d4a697cc1e66d09", "sdisize": "150", "s3fs_ami_id": "ami-0a6006bac3b9bb8d3", - "s3fsinstancetype": "t3a.small", + "s3fsinstancetype": "t3a.small" }, "test": { "example_var": "test-data" From 58c88cc7efb529e52304c2b00dd1192be40797d1 Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Tue, 19 Nov 2024 08:01:22 +0000 Subject: [PATCH 226/308] [TM-615] changes to s3fs userdata --- .../corporate-information-system/locals.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index e1b29786030..a41ea130f90 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf 
@@ -53,15 +53,15 @@ yum update -y amazon-linux-extras install epel -y yum install s3fs-fuse -y cd / -mkdir -pm 774 /s3xfer/S3/laa-ccms-inbound-${local.application_data.accounts[local.environment]} -mkdir -pm 774 /s3xfer/S3/laa-ccms-outbound-${local.application_data.accounts[local.environment]} -mkdir -pm 774 /s3xfer/S3/laa-cis-inbound-${local.application_data.accounts[local.environment]} -mkdir -pm 774 /s3xfer/S3/laa-cis-outbound-${local.application_data.accounts[local.environment]} +mkdir -pm 774 /s3xfer/S3/laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} +mkdir -pm 774 /s3xfer/S3/laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} +mkdir -pm 774 /s3xfer/S3/laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} +mkdir -pm 774 /s3xfer/S3/laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} mkdir -m 774 cdstemp -echo 's3fs#laa-ccms-outbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-ccms-outbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-ccms-inbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-ccms-inbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-cis-outbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-cis-outbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-cis-inbound-${local.application_data.accounts[local.environment]} /s3xfer/S3/laa-cis-inbound-${local.application_data.accounts[local.environment]} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} 
/s3xfer/S3/laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab echo 's3fs#cds-central-print-temp /cdstemp fuse default_acl=bucket-owner-full-control,allow_other,use_cache=/tmp,endpoint=eu-west-2,uid=502,mp_umask=002,multireq_max=5,iam_role=' >> /etc/fstab mount -a From 37c481e3a95b6afbcec436535da60318f656c101 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 08:05:48 +0000 Subject: [PATCH 227/308] Missing data is not breaching --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 83ce2fba90a..346dadc69ea 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -283,7 +283,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 threshold = 0 - treat_missing_data = "ignore" + treat_missing_data = "notBreaching" metric_query { id = "e1" From 01e9291b337e782dcb2c3445f5f551d2d728f4d7 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 09:12:01 +0000 Subject: [PATCH 228/308] Data Points to Alarm --- .../modules/components/dms/cloudwatch-alarms.tf | 1 + .../dms/lambda/dms_replication_metric.zip | Bin 0 -> 1035 bytes 2 files changed, 1 insertion(+) create mode 100644 terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 346dadc69ea..e0bea7f9fb8 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -284,6 +284,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { evaluation_periods = 1 threshold = 0 treat_missing_data = "notBreaching" + datapoints_to_alarm = 1 metric_query { id = "e1" 
diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip new file mode 100644 index 0000000000000000000000000000000000000000..639ae399f939a9ec11c996f5dcf7bf396b7d6d21 GIT binary patch literal 1035 zcmWIWW@Zs#-~d7f2E{HQ0SA&mR!VMhd{JsaPG)jqNoIatd~RwALNk z!~;K4?)DekS5%zo4$9;{e`?id$Il;U2X6YSdnN1W(^Y@3SV&k1XGv_|SJC>dd3$T% z;~w5y{6CtMa+2S@yIb6N0&u>KK)jcCvWa%SB^z< zRTgW_Rs5p9^xn;rD;JB;`MG}X9IIb_taHyrB#M&W4Qove zbzjW)IyO_wZHUPydRJaH~-zG3SYVNAdF_J93Oz|tW%wsZp z&c?N6R{FZ$CFbupPMUOD)Fw%@!c8}PlQ74In+IRMy`t7b_CP&*9pL0r% z&XitOUc$bO#Y#_mdD*+Wx)NJW?sOGDpC^{#HS6JwJ0ZtbB^miHw>voDVO+`EnE~F% z{j2@T_kD@Ft5~{jwY!kQ-LG}FF~!oWMRScxzL{S8<+M-k$V_?3)vcDYRh%x(Vs$PH;}Vzc{BOK{r`u%h zg9>vj#g=@X>)viyKk?44zWfkX-Iu+$^UL<7zWnpEGuh;QWqQ5;=YD?v?UU=hO5&f_ zFUp_$U+Lm`n~VGtfA78iv3}<5dR7L8|NjHL**X4QK4*~5%)k)I&A<@g&B!FejL5IZ ga-jSQ14|k~ES$MFz?+o~q<|3!-GTHvpz#b00M9$g2LJ#7 literal 0 HcmV?d00001 From c294e7f8039691b8189a7396e6274dbe8a2a6e1d Mon Sep 17 00:00:00 2001 From: dms1981 Date: Tue, 19 Nov 2024 09:20:25 +0000 Subject: [PATCH 229/308] added zip files to LFS through gitattributes (#8706) --- .gitattributes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitattributes b/.gitattributes index a1569593e28..daae51d4fc9 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ -terraform/environments/nomis/templates/jumpserver-user-data.yaml.tftpl linguist-language=YAML \ No newline at end of file +terraform/environments/nomis/templates/jumpserver-user-data.yaml.tftpl linguist-language=YAML +*.zip filter=lfs diff=lfs merge=lfs -text From 1769058b05f9875b6096f92ca6468580fcc80884 Mon Sep 17 00:00:00 2001 From: Hari Chintala Date: Tue, 19 Nov 2024 09:26:09 +0000 Subject: [PATCH 230/308] Adjust AWS Session Timeout --- terraform/environments/digital-prison-reporting/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index 91adc19f6c6..2b6d6b3d95c 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -1000,11 +1000,11 @@ module "s3_working_bucket" { override_expiration_rules = [ { prefix = "reports" - days = 2 + days = 7 }, { prefix = "dpr" - days = 2 + days = 7 } ] From ee9aa8e39782e01b71306e748bee85c795b04278 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 09:33:09 +0000 Subject: [PATCH 231/308] Typo --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index e0bea7f9fb8..32d2912f1ea 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -298,7 +298,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { metric { metric_name = "DMSReplicationStopped" - namespace = "CustmDMSMetrics" + namespace = "CustomDMSMetrics" period = 60 stat = "Maximum" From b65666bc3e9a1cb588286a87b3293762f46c03f7 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 10:28:56 +0000 Subject: [PATCH 232/308] Add OK Action --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 32d2912f1ea..588146394cb 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -310,6 +310,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] + ok_actions = [aws_sns_topic.dms_alerts_topic.arn] } # SNS Topic for DMS replication events From d60cb122b13dd9d36f18559c6f9597117eab0dd2 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 11:17:54 +0000 Subject: [PATCH 233/308] Add commentary --- .../components/dms/cloudwatch-alarms.tf | 61 ++++++++---------- .../dms/lambda/dms_replication_metric.zip | Bin 1035 -> 0 bytes 2 files changed, 26 insertions(+), 35 deletions(-) delete mode 100644 terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 588146394cb..008badfd48f 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -165,6 +165,13 @@ module "pagerduty_core_alerts" { pagerduty_integration_key = local.pagerduty_integration_keys[local.integration_key_lookup] } + +# Raising a Cloudwatch Alarm on a DMS Replication Task Event is not directly possible using the +# Cloudwatch Alarm Integration in PagerDuty as the JSON payload is different. Therefore, as +# workaround for this we create a custom Cloudwatch Metric which is populated by the replication event and +# create a Cloudwatch Alarm on this Metric in the usual way to allow for raising alarms. + +# Create Role which allows Lamdba to put a custom cloudwatch metric resource "aws_iam_role" "lambda_put_metric_data_role" { name = "lambda-put-metric-data-role" 
@@ -210,19 +217,8 @@ resource "aws_iam_role_policy_attachment" "lambda_put_metric_data_logging_attach policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" } -# resource "local_file" "lambda_dms_replication_metric_py" { -# filename = "${path.module}/lambda_dms_replication_metric.py" -# content = <ALNk z!~;K4?)DekS5%zo4$9;{e`?id$Il;U2X6YSdnN1W(^Y@3SV&k1XGv_|SJC>dd3$T% z;~w5y{6CtMa+2S@yIb6N0&u>KK)jcCvWa%SB^z< zRTgW_Rs5p9^xn;rD;JB;`MG}X9IIb_taHyrB#M&W4Qove zbzjW)IyO_wZHUPydRJaH~-zG3SYVNAdF_J93Oz|tW%wsZp z&c?N6R{FZ$CFbupPMUOD)Fw%@!c8}PlQ74In+IRMy`t7b_CP&*9pL0r% z&XitOUc$bO#Y#_mdD*+Wx)NJW?sOGDpC^{#HS6JwJ0ZtbB^miHw>voDVO+`EnE~F% z{j2@T_kD@Ft5~{jwY!kQ-LG}FF~!oWMRScxzL{S8<+M-k$V_?3)vcDYRh%x(Vs$PH;}Vzc{BOK{r`u%h zg9>vj#g=@X>)viyKk?44zWfkX-Iu+$^UL<7zWnpEGuh;QWqQ5;=YD?v?UU=hO5&f_ zFUp_$U+Lm`n~VGtfA78iv3}<5dR7L8|NjHL**X4QK4*~5%)k)I&A<@g&B!FejL5IZ ga-jSQ14|k~ES$MFz?+o~q<|3!-GTHvpz#b00M9$g2LJ#7 From 3aef4a6233c6f40f241880068fcbd5efd7b2b9f7 Mon Sep 17 00:00:00 2001 From: dms1981 Date: Tue, 19 Nov 2024 12:15:25 +0000 Subject: [PATCH 234/308] Revert "added zip files to LFS through gitattributes (#8706)" (#8709) This reverts commit c294e7f8039691b8189a7396e6274dbe8a2a6e1d. --- .gitattributes | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitattributes b/.gitattributes index daae51d4fc9..a1569593e28 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1 @@ -terraform/environments/nomis/templates/jumpserver-user-data.yaml.tftpl linguist-language=YAML -*.zip filter=lfs diff=lfs merge=lfs -text +terraform/environments/nomis/templates/jumpserver-user-data.yaml.tftpl linguist-language=YAML \ No newline at end of file From c12620eda12d8eaf9ef8c9a37a968946e96b9e0f Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Tue, 19 Nov 2024 12:39:15 +0000 Subject: [PATCH 235/308] [TM-615] changed userdata for s3fa --- .../corporate-information-system/locals.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index a41ea130f90..0e06ba70799 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf 
@@ -53,15 +53,15 @@ yum update -y amazon-linux-extras install epel -y yum install s3fs-fuse -y cd / -mkdir -pm 774 /s3xfer/S3/laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} -mkdir -pm 774 /s3xfer/S3/laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} -mkdir -pm 774 /s3xfer/S3/laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} -mkdir -pm 774 /s3xfer/S3/laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} +mkdir -pm 774 /s3xfer/S3/laa-ccms-inbound-${local.environment} +mkdir -pm 774 /s3xfer/S3/laa-ccms-outbound-${local.environment} +mkdir -pm 774 /s3xfer/S3/laa-cis-inbound-${local.environment} +mkdir -pm 774 /s3xfer/S3/laa-cis-outbound-${local.environment} mkdir -m 774 cdstemp -echo 's3fs#laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-ccms-outbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-ccms-inbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-cis-outbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab -echo 's3fs#laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} /s3xfer/S3/laa-cis-inbound-${tostring(local.application_data.accounts[local.environment])} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-ccms-outbound-${local.environment} /s3xfer/S3/laa-ccms-outbound-${local.environment} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-ccms-inbound-${local.environment} 
/s3xfer/S3/laa-ccms-inbound-${local.environment} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-outbound-${local.environment} /s3xfer/S3/laa-cis-outbound-${local.environment} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab +echo 's3fs#laa-cis-inbound-${local.environment} /s3xfer/S3/laa-cis-inbound-${local.environment} fuse _netdev,allow_other,iam_role=auto 0 0' >> /etc/fstab echo 's3fs#cds-central-print-temp /cdstemp fuse default_acl=bucket-owner-full-control,allow_other,use_cache=/tmp,endpoint=eu-west-2,uid=502,mp_umask=002,multireq_max=5,iam_role=' >> /etc/fstab mount -a From cf1da5d23747911f3562371e0e8e4ea5a0494b88 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 13:53:57 +0000 Subject: [PATCH 236/308] Remove Math metric --- .../components/dms/cloudwatch-alarms.tf | 69 ++++++++++++------ .../dms/lambda/dms_replication_metric.zip | Bin 0 -> 1035 bytes 2 files changed, 47 insertions(+), 22 deletions(-) create mode 100644 terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 008badfd48f..96e8ffd7adf 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -267,6 +267,44 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis # The SNS topic dms_alerts_topic is used to handle state changes into our out # of the alarm state. This is the same topic as used for the standard # CDC Latency alarms. +# resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { +# for_each = toset(local.replication_task_names) +# alarm_name = "DMSReplicationStoppedAlarm_${each.key}" +# alarm_description = "Alarm when Stopped Replication Task for ${each.key}" +# comparison_operator = "GreaterThanThreshold" +# evaluation_periods = 1 +# threshold = 0 +# treat_missing_data = "notBreaching" +# datapoints_to_alarm = 1 + +# metric_query { +# id = "e1" +# expression = "FILL(m1,REPEAT)" +# label = "DMSReplicationStoppedInterpolated" +# return_data = "true" +# } + +# metric_query { +# id = "m1" + +# metric { +# metric_name = "DMSReplicationStopped" +# namespace = "CustomDMSMetrics" +# period = 60 +# stat = "Maximum" + +# dimensions = { +# SourceId = each.key +# EventSource = "replication-task" +# } +# } +# } + +# alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] +# ok_actions = [aws_sns_topic.dms_alerts_topic.arn] +# } + + resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { for_each = toset(local.replication_task_names) alarm_name = "DMSReplicationStoppedAlarm_${each.key}" 
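Review bot: The lines added in this hunk are the previous `dms_replication_stopped_alarm` resource turned into comments, placed directly under a header comment that now sits above both the dead block and the live resource that follows. Commented-out Terraform drifts silently and leaves a reader unsure which alarm definition is in force. The metric-math version is recoverable from history, so delete the block or replace it with one line such as `# A FILL(m1,REPEAT) metric-math variant was tried and removed; see git history`.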
@@ -274,36 +312,23 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { comparison_operator = "GreaterThanThreshold" evaluation_periods = 1 threshold = 0 - treat_missing_data = "notBreaching" + treat_missing_data = "ignore" datapoints_to_alarm = 1 + namespace = "CustomDMSMetrics" + metric_name = "DMSReplicationStopped" + statistic = "Maximum" - metric_query { - id = "e1" - expression = "FILL(m1,REPEAT)" - label = "DMSReplicationStoppedInterpolated" - return_data = "true" - } - - metric_query { - id = "m1" - - metric { - metric_name = "DMSReplicationStopped" - namespace = "CustomDMSMetrics" - period = 60 - stat = "Maximum" - - dimensions = { - SourceId = each.key - EventSource = "replication-task" - } + dimensions = { + SourceId = each.key + EventSource = "replication-task" } - } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] ok_actions = [aws_sns_topic.dms_alerts_topic.arn] } + + # SNS Topic for DMS replication events # This is NOT the same as for DMS Cloudwatch Alarms (dms_alerting) # and is used to trigger the Lamda function if an event happens during 
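Review bot: With `treat_missing_data = "ignore"` on `dms_replication_stopped_alarm`, the alarm holds its last state whenever no datapoint arrives, so a publisher that stops emitting `DMSReplicationStopped` leaves it in OK (or in INSUFFICIENT_DATA right after creation) without any notification. Nothing in the hunk records why `"ignore"` replaced `"notBreaching"` together with the `FILL(m1,REPEAT)` expression; a comment such as `# "ignore" holds the last state between events; the metric is only published when a DMS event fires` would capture the intent, assuming that is the reason. It is worth confirming, outside this hunk, that failures of the publishing Lambda are alarmed on separately, because this alarm cannot detect them. The resource block starts before the hunk.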
diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip new file mode 100644 index 0000000000000000000000000000000000000000..639ae399f939a9ec11c996f5dcf7bf396b7d6d21 GIT binary patch literal 1035 zcmWIWW@Zs#-~d7f2E{HQ0SA&mR!VMhd{JsaPG)jqNoIatd~RwALNk z!~;K4?)DekS5%zo4$9;{e`?id$Il;U2X6YSdnN1W(^Y@3SV&k1XGv_|SJC>dd3$T% z;~w5y{6CtMa+2S@yIb6N0&u>KK)jcCvWa%SB^z< zRTgW_Rs5p9^xn;rD;JB;`MG}X9IIb_taHyrB#M&W4Qove zbzjW)IyO_wZHUPydRJaH~-zG3SYVNAdF_J93Oz|tW%wsZp z&c?N6R{FZ$CFbupPMUOD)Fw%@!c8}PlQ74In+IRMy`t7b_CP&*9pL0r% z&XitOUc$bO#Y#_mdD*+Wx)NJW?sOGDpC^{#HS6JwJ0ZtbB^miHw>voDVO+`EnE~F% z{j2@T_kD@Ft5~{jwY!kQ-LG}FF~!oWMRScxzL{S8<+M-k$V_?3)vcDYRh%x(Vs$PH;}Vzc{BOK{r`u%h zg9>vj#g=@X>)viyKk?44zWfkX-Iu+$^UL<7zWnpEGuh;QWqQ5;=YD?v?UU=hO5&f_ zFUp_$U+Lm`n~VGtfA78iv3}<5dR7L8|NjHL**X4QK4*~5%)k)I&A<@g&B!FejL5IZ ga-jSQ14|k~ES$MFz?+o~q<|3!-GTHvpz#b00M9$g2LJ#7 literal 0 HcmV?d00001 From d936c83ed1eb37f5b7cd95bcb937c3d20298cb33 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 14:00:09 +0000 Subject: [PATCH 237/308] Period must not be null --- .../delius-core/modules/components/dms/cloudwatch-alarms.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 96e8ffd7adf..8c3f7c71920 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -317,6 +317,7 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { namespace = "CustomDMSMetrics" metric_name = "DMSReplicationStopped" statistic = "Maximum" + period = "60" dimensions = { SourceId = each.key From 70ad718f19439572210420beeca8b53d0e7b1004 Mon Sep 17 00:00:00 2001 
From: Robert Sweetman Date: Tue, 19 Nov 2024 14:35:49 +0000 Subject: [PATCH 238/308] add onr config secrets bucket (#8710) * add onr config secrets bucket * remove web secrets as un-needed * remove secrets policies from iam * remove web secrets * spelling --- .../oasys-national-reporting/locals_preproduction.tf | 2 -- .../oasys-national-reporting/locals_secretsmanager.tf | 8 ++------ .../environments/oasys-national-reporting/locals_test.tf | 2 -- 3 files changed, 2 insertions(+), 10 deletions(-) diff --git a/terraform/environments/oasys-national-reporting/locals_preproduction.tf b/terraform/environments/oasys-national-reporting/locals_preproduction.tf index 542f6fcbe87..a61ee51aa57 100644 --- a/terraform/environments/oasys-national-reporting/locals_preproduction.tf +++ b/terraform/environments/oasys-national-reporting/locals_preproduction.tf @@ -135,7 +135,6 @@ locals { resources = [ "arn:aws:secretsmanager:*:*:secret:/sap/bods/pp/*", "arn:aws:secretsmanager:*:*:secret:/sap/bip/pp/*", - "arn:aws:secretsmanager:*:*:secret:/sap/web/pp/*", "arn:aws:secretsmanager:*:*:secret:/oracle/database/*", ] } @@ -292,7 +291,6 @@ locals { secretsmanager_secrets = { "/sap/bods/pp" = local.secretsmanager_secrets.bods "/sap/bip/pp" = local.secretsmanager_secrets.bip - "/sap/web/pp" = local.secretsmanager_secrets.web "/oracle/database/PPBOSYS" = local.secretsmanager_secrets.db "/oracle/database/PPBOAUD" = local.secretsmanager_secrets.db } diff --git a/terraform/environments/oasys-national-reporting/locals_secretsmanager.tf b/terraform/environments/oasys-national-reporting/locals_secretsmanager.tf index a3c1e266ce9..8bdc296d758 100644 --- a/terraform/environments/oasys-national-reporting/locals_secretsmanager.tf +++ b/terraform/environments/oasys-national-reporting/locals_secretsmanager.tf 
@@ -7,21 +7,17 @@ locals { } } - web = { - secrets = { - passwords = { description = "Web Passwords" } - } - } - bip = { secrets = { passwords = { description = "BIP Passwords" } + config = { description = "BIP Configuration" } } } bods = { secrets = { passwords = { description = "BODS Passwords" } + config = { description = "BODS Configuration" } } } } diff --git a/terraform/environments/oasys-national-reporting/locals_test.tf b/terraform/environments/oasys-national-reporting/locals_test.tf index 22d3583217c..096a578a62d 100644 --- a/terraform/environments/oasys-national-reporting/locals_test.tf +++ b/terraform/environments/oasys-national-reporting/locals_test.tf @@ -252,7 +252,6 @@ locals { resources = [ "arn:aws:secretsmanager:*:*:secret:/sap/bods/t2/*", "arn:aws:secretsmanager:*:*:secret:/sap/bip/t2/*", - "arn:aws:secretsmanager:*:*:secret:/sap/web/t2/*", "arn:aws:secretsmanager:*:*:secret:/oracle/database/*", ] } @@ -407,7 +406,6 @@ locals { secretsmanager_secrets = { "/sap/bods/t2" = local.secretsmanager_secrets.bods "/sap/bip/t2" = local.secretsmanager_secrets.bip - "/sap/web/t2" = local.secretsmanager_secrets.web "/oracle/database/T2BOSYS" = local.secretsmanager_secrets.db "/oracle/database/T2BOAUD" = local.secretsmanager_secrets.db } From 28b9de4e32916127baacaa44af9930344c54849a Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Tue, 19 Nov 2024 14:45:40 +0000 Subject: [PATCH 239/308] TM-718: GitHub monitoring improvements (#8712) * add updated GHA widgets * update dashboards * add alarm --- terraform/environments/hmpps-oem/locals.tf | 30 ++++---- .../environments/hmpps-oem/locals_test.tf | 6 ++ .../baseline_presets/cloudwatch_dashboards.tf | 68 +++++++++++-------- .../cloudwatch_metric_alarms.tf | 30 ++++++++ 4 files changed, 92 insertions(+), 42 deletions(-) diff --git a/terraform/environments/hmpps-oem/locals.tf b/terraform/environments/hmpps-oem/locals.tf index 7879ed9ac6f..73791385114 100644 
--- a/terraform/environments/hmpps-oem/locals.tf +++ b/terraform/environments/hmpps-oem/locals.tf @@ -18,22 +18,23 @@ locals { } baseline_environment_specific = local.baseline_environments_specific[local.environment] + cloudwatch_dashboard_default_widget_groups = [ + "network_lb", + "lb", + "ec2", + "ec2_linux", + "ec2_autoscaling_group_linux", + "ec2_instance_linux", + "ec2_instance_oracle_db_with_backup", + "ec2_instance_textfile_monitoring", + "ec2_windows", + "ssm_command", + "github_workflows", + ] + baseline_presets_all_environments = { options = { - cloudwatch_dashboard_default_widget_groups = [ - "ec2_instance_endpoint_monitoring", - "custom", - "network_lb", - "lb", - "ec2", - "ec2_linux", - "ec2_autoscaling_group_linux", - "ec2_instance_linux", - "ec2_instance_oracle_db_with_backup", - "ec2_instance_textfile_monitoring", - "ec2_windows", - "ssm_command", - ] + cloudwatch_dashboard_default_widget_groups = local.cloudwatch_dashboard_default_widget_groups cloudwatch_metric_alarms_default_actions = ["pagerduty"] enable_backup_plan_daily_and_weekly = true enable_business_unit_kms_cmks = true @@ -85,7 +86,6 @@ locals { periodOverride = "auto" start = "-PT6H" widget_groups = [ - module.baseline_presets.cloudwatch_dashboard_widget_groups.custom, module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2, module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_linux, module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_linux, diff --git a/terraform/environments/hmpps-oem/locals_test.tf b/terraform/environments/hmpps-oem/locals_test.tf index f65876d85cd..ff162caeb4f 100644 --- a/terraform/environments/hmpps-oem/locals_test.tf +++ b/terraform/environments/hmpps-oem/locals_test.tf 
@@ -2,6 +2,10 @@ locals { baseline_presets_test = { options = { + cloudwatch_dashboard_default_widget_groups = flatten([ + local.cloudwatch_dashboard_default_widget_groups, + "github_workflows", # metrics are only pushed into test account + ]) enable_ec2_delius_dba_secrets_access = true sns_topics = { @@ -15,6 +19,8 @@ locals { # please keep resources in alphabetical order baseline_test = { + cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.github + ec2_autoscaling_groups = { test-oem = merge(local.ec2_instances.oem, { autoscaling_group = { diff --git a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf index 6145a80509a..6bd8fbdeea2 100644 --- a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf +++ b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf 
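Review bot: `"github_workflows"` ends up in the test list twice, because `local.cloudwatch_dashboard_default_widget_groups` in locals.tf already contains it and this `flatten([...])` appends it again. The inline comment says the metrics are only pushed into the test account, which suggests the entry belongs only here; if so, drop `"github_workflows",` from the shared list in locals.tf, otherwise every other environment gets a widget group with no data behind it. How the baseline module treats a duplicated group name is not visible from this hunk.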
@@ -831,45 +831,58 @@ locals { } } } - - ssm-command-invocation-status = { - type = "metric" + } + github = { + github-actions-run-success-count-by-repo = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, Repo} MetricName=\"GitHubActionRunsSuccessCount\"','Sum'),SUM,DESC)" properties = { - view = "singleValue" + view = "timeSeries" + period = 3600 stacked = true region = "eu-west-2" - title = "SSM CommandInvocation Failures - Per Account" - stat = "Maximum" - period = 300 - metrics = [ - [{ "expression" : "REMOVE_EMPTY(SEARCH('{CustomMetrics, Account} FailedSSMCommandInvocations', 'Sum', 300))", "label" : "Failed Invocations - ", "id" : "q1" }] - ] + title = "GitHub actions-run-success-count-by-repo" + stat = "Sum" yAxis = { left = { showUnits = false, - label = "failed invocations" + label = "count" } } } } - } - github = { - github-failed-workflow-runs = { - type = "metric" + github-actions-run-failed-count-by-repo = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, Repo} MetricName=\"GitHubActionRunsFailedCount\"','Sum'),SUM,DESC)" properties = { - view = "singleValue" + view = "timeSeries" + period = 3600 stacked = true region = "eu-west-2" - title = "GitHub Failed Workflow Runs - Per Repository" - stat = "Maximum" - period = 300 - metrics = [ - [{ "expression" : "REMOVE_EMPTY(SEARCH('{CustomMetrics, Repository} FailedGitHubWorkflowRuns', 'Sum', 300))", "label" : "Failed Runs - ", "id" : "q1" }] - ] + title = "GitHub actions-run-failed-count-by-repo" + stat = "Sum" yAxis = { left = { showUnits = false, - label = "failed runs" + label = "count" + } + } + } + } + github-actions-run-failed-count-by-workflow = { + type = "metric" + expression = "SORT(SEARCH('{CustomMetrics, WorkflowName} MetricName=\"GitHubActionRunsFailedCount\"','Sum'),SUM,DESC)" + properties = { + view = "timeSeries" + period = 3600 + stacked = true + region = "eu-west-2" + title = "GitHub actions-run-failed-count-by-workflow" + stat = "Sum" + yAxis = { + left = { + 
showUnits = false, + label = "count" } } } @@ -1024,13 +1037,14 @@ locals { local.cloudwatch_dashboard_widgets.ssm.ssm-command-ignore-count, ] } - custom = { - header_markdown = "## Custom Metrics" + github_workflows = { + header_markdown = "## GitHub Workflow Metrics" width = 8 height = 8 widgets = [ - local.cloudwatch_dashboard_widgets.ssm.ssm-command-invocation-status, - local.cloudwatch_dashboard_widgets.github.github-failed-workflow-runs, + local.cloudwatch_dashboard_widgets.github.github-actions-run-success-count-by-repo, + local.cloudwatch_dashboard_widgets.github.github-actions-run-failed-count-by-repo, + local.cloudwatch_dashboard_widgets.github.github-actions-run-failed-count-by-workflow, ] } } diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 13e4d2c84e8..539376c48de 100644 --- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf 
@@ -404,5 +404,35 @@ locals { ok_actions = var.options.cloudwatch_metric_alarms_default_actions } } + + github = { + failed-github-action-run = { + comparison_operator = "GreaterThanOrEqualToThreshold" + evaluation_periods = "3" + datapoints_to_alarm = "1" + metric_name = "GitHubActionRunsFailedCount" + namespace = "CustomMetrics" + period = "3600" + statistic = "Maximum" + threshold = "1" + alarm_description = "Triggers if there has been a failed github action. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295898661" + alarm_actions = var.options.cloudwatch_metric_alarms_default_actions + ok_actions = var.options.cloudwatch_metric_alarms_default_actions + } + github-action-metrics-missing = { + comparison_operator = "LessThanOrEqualToThreshold" + evaluation_periods = "3" + datapoints_to_alarm = "3" + metric_name = "SSMCommandFailedCount" + namespace = "CustomMetrics" + period = "3600" + statistic = "SampleCount" + threshold = "0" + treat_missing_data = "breaching" + alarm_description = "Triggers if there has been no SSM command metrics published. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295702082" + alarm_actions = var.options.cloudwatch_metric_alarms_default_actions + ok_actions = var.options.cloudwatch_metric_alarms_default_actions + } + } } } From a8fb9b290f5ef7bd6ee91f676c943f939d07e9a1 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Tue, 19 Nov 2024 15:56:38 +0000 Subject: [PATCH 240/308] add alarm for missing data (#8713) --- .../cloudwatch_metric_alarms.tf | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 539376c48de..98cc4948e7c 100644 --- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf 
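Review bot: In the new `github` block, `github-action-metrics-missing` watches `metric_name = "SSMCommandFailedCount"` and its description talks about SSM command metrics, so as written it does not detect missing GitHub metrics; it presumably should read `metric_name = "GitHubActionRunsFailedCount"`. Separately, neither alarm sets `dimensions`, while the dashboard widgets in the same commit search this metric under `{CustomMetrics, Repo}` and `{CustomMetrics, WorkflowName}`. CloudWatch treats each dimension combination as its own metric, so unless the publisher also emits a dimensionless datapoint (not visible here) `failed-github-action-run` would never receive data and the `breaching` alarm would sit permanently in ALARM. The same question applies to the `*-metrics-missing` alarms touched in the following commit.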
@@ -403,6 +403,20 @@ locals { alarm_actions = var.options.cloudwatch_metric_alarms_default_actions ok_actions = var.options.cloudwatch_metric_alarms_default_actions } + ssm-command-metrics-missing = { + comparison_operator = "LessThanOrEqualToThreshold" + evaluation_periods = "3" + datapoints_to_alarm = "3" + metric_name = "SSMCommandFailedCount" + namespace = "CustomMetrics" + period = "3600" + statistic = "SampleCount" + threshold = "0" + treat_missing_data = "breaching" + alarm_description = "Triggers if there are missing SSM command metrics. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295505553" + alarm_actions = var.options.cloudwatch_metric_alarms_default_actions + ok_actions = var.options.cloudwatch_metric_alarms_default_actions + } } github = { @@ -423,13 +437,13 @@ locals { comparison_operator = "LessThanOrEqualToThreshold" evaluation_periods = "3" datapoints_to_alarm = "3" - metric_name = "SSMCommandFailedCount" + metric_name = "GitHubActionRunsFailedCount" namespace = "CustomMetrics" period = "3600" statistic = "SampleCount" threshold = "0" treat_missing_data = "breaching" - alarm_description = "Triggers if there has been no SSM command metrics published. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295702082" + alarm_description = "Triggers if there are missing github action metrics. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295702082" alarm_actions = var.options.cloudwatch_metric_alarms_default_actions ok_actions = var.options.cloudwatch_metric_alarms_default_actions } From 56ec5e9137a6e54e2167b3cf2662e7b02d3a70dc Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Tue, 19 Nov 2024 16:26:06 +0000 Subject: [PATCH 241/308] feat: remove `mojap-derived-tables replication` --- .../analytical-platform-compute/kms-keys.tf | 20 ----- .../lakeformation-registrations.tf | 16 ---- .../analytical-platform-compute/s3-buckets.tf | 85 +------------------ 3 files changed, 2 insertions(+), 119 deletions(-) 
diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 73912ab83a4..a7b2d2bf3da 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -275,26 +275,6 @@ module "mlflow_s3_kms" { tags = local.tags } -module "mojap_derived_tables_replication_s3_kms_eu_west_1" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - - source = "terraform-aws-modules/kms/aws" - version = "3.1.1" - - providers = { - aws = aws.analytical-platform-compute-eu-west-1 - } - - aliases = ["s3/mojap-derived-tables-replication-eu-west-1"] - description = "mojap-derived-tables-replication S3 KMS key" - enable_default_policy = true - - deletion_window_in_days = 7 - - tags = local.tags -} - module "mojap_compute_logs_s3_kms_eu_west_2" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions diff --git a/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf b/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf index d98037a6e0e..e69de29bb2d 100644 --- a/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf +++ b/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf 
@@ -1,16 +0,0 @@ -module "replicated_cadet_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - source = "github.com/ministryofjustice/terraform-aws-analytical-platform-lakeformation?ref=0.5.0" - data_locations = [{ - data_location = module.mojap_derived_tables_replication_bucket.s3_bucket_arn - register = true - share = true - hybrid_mode = false # will be managed exclusively in LakeFormation - }] - - providers = { - aws.source = aws.analytical-platform-compute-eu-west-1 - aws.destination = aws - } -} diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index b771cbfcda3..28cfe8c8a0e 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
@@ -22,87 +22,6 @@ module "mlflow_bucket" { tags = local.tags } -data "aws_iam_policy_document" "s3_replication_policy" { - #checkov:skip=CKV_AWS_356:resource "*" being applied to replication iam role only - statement { - sid = "AllowReplicateObjectsInDestinationBucket" - effect = "Allow" - actions = [ - "s3:ObjectOwnerOverrideToBucketOwner", - "s3:ReplicateTags", - "s3:ReplicateDelete", - "s3:ReplicateObject" - ] - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::525294151996:role/service-role/s3replicate_role_for_lf-antfmoj-test", - "arn:aws:iam::525294151996:role/service-role/s3crr_role_for_lf-antfmoj-test_1", - "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/mojap-data-production-cadet-to-apc-production-replication", - ] - } - resources = ["arn:aws:s3:::mojap-compute-${local.environment}-derived-tables-replication/*"] - } - statement { - sid = "AllowReplicateWithinDestinationBucket" - effect = "Allow" - actions = [ - "s3:List*", - "s3:GetBucketVersioning", - "s3:PutBucketVersioning" - ] - principals { - type = "AWS" - identifiers = [ - "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/mojap-data-production-cadet-to-apc-production-replication", - ] - } - resources = ["arn:aws:s3:::mojap-compute-${local.environment}-derived-tables-replication"] - } -} - -module "mojap_derived_tables_replication_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.2" - - providers = { - aws = aws.analytical-platform-compute-eu-west-1 - } - - bucket = "mojap-compute-${local.environment}-derived-tables-replication" - - force_destroy = true - - attach_policy = true - policy = data.aws_iam_policy_document.s3_replication_policy.json - - object_lock_enabled = false - - versioning = { - 
status = "Enabled" - } - - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = module.mojap_derived_tables_replication_s3_kms_eu_west_1.key_arn - sse_algorithm = "aws:kms" - } - } - } - - logging = { - target_bucket = module.mojap_compute_logs_bucket_eu_west_1.s3_bucket_id - target_prefix = "mojap-derived-tables-replication/" - } - - tags = local.tags -} - data "aws_iam_policy_document" "s3_server_access_logs_eu_west_2_policy" { #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { @@ -131,7 +50,7 @@ module "mojap_compute_logs_bucket_eu_west_2" { bucket = "mojap-compute-${local.environment}-logs-eu-west-2" - force_destroy = false + force_destroy = true attach_policy = true policy = data.aws_iam_policy_document.s3_server_access_logs_eu_west_2_policy.json @@ -187,7 +106,7 @@ module "mojap_compute_logs_bucket_eu_west_1" { bucket = "mojap-compute-${local.environment}-logs-eu-west-1" - force_destroy = false + force_destroy = true attach_policy = true policy = data.aws_iam_policy_document.s3_server_access_logs_eu_west_1_policy.json From 0bc67f09d9b8f150e0c9c7eebbbbb46f27439b15 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 19 Nov 2024 16:30:54 +0000 Subject: [PATCH 242/308] Remove unneeded dimension replication-task --- .../components/dms/cloudwatch-alarms.tf | 48 ------------------ .../dms/lambda/dms_replication_metric.py | 2 - .../dms/lambda/dms_replication_metric.zip | Bin 1035 -> 0 bytes 3 files changed, 50 deletions(-) delete mode 100644 terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 8c3f7c71920..ac7017bfbc7 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
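Review bot: Both access-log buckets, `mojap_compute_logs_bucket_eu_west_2` and `mojap_compute_logs_bucket_eu_west_1`, switch to `force_destroy = true`, which lets a destroy or a replacement of the module delete every stored server access log, versions included, instead of failing on a non-empty bucket as `false` did. The commit is titled as removing the derived-tables replication and these two buckets are not part of that removal, so the change looks unrelated or temporary. If it is only needed for a one-off teardown, keep `force_destroy = false` in the merged state; otherwise add a comment such as `# force_destroy: access logs here are disposable because <reason>` so that losing audit data is a recorded decision. Both module blocks start and end outside their hunks.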
+++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf @@ -258,53 +258,6 @@ resource "aws_lambda_permission" "allow_sns_invoke_dms_replication_metric_publis source_arn = aws_sns_topic.dms_events_topic.arn } -# Define a CloudWatch metric alarm with a metric math expression. -# Because the Lambda function is only called intermittently when a DMS Replication -# Event is fired (i.e. it may be very infrequent), we use the FILL function -# to interpolate between data points - we assume the metric stays in the -# same state unless an event fires which causes it be changed. -# We loop through all Replication Tasks and create a separate alarm for each one. -# The SNS topic dms_alerts_topic is used to handle state changes into our out -# of the alarm state. This is the same topic as used for the standard -# CDC Latency alarms. -# resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { -# for_each = toset(local.replication_task_names) -# alarm_name = "DMSReplicationStoppedAlarm_${each.key}" -# alarm_description = "Alarm when Stopped Replication Task for ${each.key}" -# comparison_operator = "GreaterThanThreshold" -# evaluation_periods = 1 -# threshold = 0 -# treat_missing_data = "notBreaching" -# datapoints_to_alarm = 1 - -# metric_query { -# id = "e1" -# expression = "FILL(m1,REPEAT)" -# label = "DMSReplicationStoppedInterpolated" -# return_data = "true" -# } - -# metric_query { -# id = "m1" - -# metric { -# metric_name = "DMSReplicationStopped" -# namespace = "CustomDMSMetrics" -# period = 60 -# stat = "Maximum" - -# dimensions = { -# SourceId = each.key -# EventSource = "replication-task" -# } -# } -# } - -# alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] -# ok_actions = [aws_sns_topic.dms_alerts_topic.arn] -# } - - resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { for_each = toset(local.replication_task_names) alarm_name = "DMSReplicationStoppedAlarm_${each.key}" 
@@ -321,7 +274,6 @@ resource "aws_cloudwatch_metric_alarm" "dms_replication_stopped_alarm" { dimensions = { SourceId = each.key - EventSource = "replication-task" } alarm_actions = [aws_sns_topic.dms_alerts_topic.arn] diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py index bff16021b90..80195163a82 100644 --- a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py +++ b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.py @@ -45,7 +45,6 @@ def lambda_handler(event, context): { 'MetricName': 'DMSReplicationStopped', 'Dimensions': [ - {'Name': 'EventSource', 'Value': event_source}, {'Name': 'SourceId', 'Value': source_id} ], 'Value': 0, # Reset Below Trigger threshold (Task Started) @@ -61,7 +60,6 @@ def lambda_handler(event, context): { 'MetricName': 'DMSReplicationStopped', 'Dimensions': [ - {'Name': 'EventSource', 'Value': event_source}, {'Name': 'SourceId', 'Value': source_id} ], 'Value': 1, # Trigger threshold (Task Failed) 
diff --git a/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip b/terraform/environments/delius-core/modules/components/dms/lambda/dms_replication_metric.zip deleted file mode 100644 index 639ae399f939a9ec11c996f5dcf7bf396b7d6d21..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1035 zcmWIWW@Zs#-~d7f2E{HQ0SA&mR!VMhd{JsaPG)jqNoIatd~RwALNk z!~;K4?)DekS5%zo4$9;{e`?id$Il;U2X6YSdnN1W(^Y@3SV&k1XGv_|SJC>dd3$T% z;~w5y{6CtMa+2S@yIb6N0&u>KK)jcCvWa%SB^z< zRTgW_Rs5p9^xn;rD;JB;`MG}X9IIb_taHyrB#M&W4Qove zbzjW)IyO_wZHUPydRJaH~-zG3SYVNAdF_J93Oz|tW%wsZp z&c?N6R{FZ$CFbupPMUOD)Fw%@!c8}PlQ74In+IRMy`t7b_CP&*9pL0r% z&XitOUc$bO#Y#_mdD*+Wx)NJW?sOGDpC^{#HS6JwJ0ZtbB^miHw>voDVO+`EnE~F% z{j2@T_kD@Ft5~{jwY!kQ-LG}FF~!oWMRScxzL{S8<+M-k$V_?3)vcDYRh%x(Vs$PH;}Vzc{BOK{r`u%h zg9>vj#g=@X>)viyKk?44zWfkX-Iu+$^UL<7zWnpEGuh;QWqQ5;=YD?v?UU=hO5&f_ zFUp_$U+Lm`n~VGtfA78iv3}<5dR7L8|NjHL**X4QK4*~5%)k)I&A<@g&B!FejL5IZ ga-jSQ14|k~ES$MFz?+o~q<|3!-GTHvpz#b00M9$g2LJ#7 From 3abe20f00a0a05de43e78523527805d477126b68 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Tue, 19 Nov 2024 16:34:22 +0000 Subject: [PATCH 243/308] No more backups --- .../analytical-platform-compute/s3-buckets.tf | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index b771cbfcda3..860c7faa407 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -100,7 +100,10 @@ module "mojap_derived_tables_replication_bucket" { target_prefix = "mojap-derived-tables-replication/" } - tags = local.tags + tags = merge( + local.tags, + { "backup" = "false" } + ) } data "aws_iam_policy_document" "s3_server_access_logs_eu_west_2_policy" { 
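Review bot: The `backup = "false"` tag is added without a comment, and besides the replication bucket in this hunk it is also applied in the two following hunks to `mojap_compute_logs_bucket_eu_west_2` and `mojap_compute_logs_bucket_eu_west_1`, which hold S3 server access logs. If the tag opts a bucket out of a tag-selected backup plan (the selection is not visible in this diff), those logs lose their only copy outside the bucket itself. A one-line comment above each `tags` argument, e.g. `# excluded from backups: <reason / how retention is covered>`, would make the decision reviewable.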
@@ -152,7 +155,10 @@ module "mojap_compute_logs_bucket_eu_west_2" { } } - tags = local.tags + tags = merge( + local.tags, + { "backup" = "false" } + ) } data "aws_iam_policy_document" "s3_server_access_logs_eu_west_1_policy" { @@ -208,7 +214,10 @@ module "mojap_compute_logs_bucket_eu_west_1" { } } - tags = local.tags + tags = merge( + local.tags, + { "backup" = "false" } + ) } moved { From f66496f6baf480ded6fb8707ecb902d80f4d3f2a Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Tue, 19 Nov 2024 18:06:54 +0000 Subject: [PATCH 244/308] Fixed if statement Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index a258566ec81..5ae96713cb7 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -70,7 +70,6 @@ export ENV="${local.application_data.accounts[local.environment].edw_environment export REGION="${local.application_data.accounts[local.environment].edw_region}" export EFS="${aws_efs_file_system.edw.id}" export SECRET=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.db-master-password2.id} --query SecretString --output text` -# export SECRET_EC2=`/usr/local/bin/aws --region ${local.application_data.accounts[local.environment].edw_region} secretsmanager get-secret-value --secret-id ${aws_secretsmanager_secret.edw_db_ec2_root_secret.id} --query SecretString --output text` export host="$ip4 $APPNAME-$ENV infraedw" echo $host >>/etc/hosts sed -i '/^10.221/d' /etc/hosts 
@@ -239,6 +238,7 @@ if grep -q "^SQLNET.EXPIRE_TIME" /oracle/software/product/10.2.0/network/admin/s else # If the line does not exist, append it to the end of the file echo "SQLNET.EXPIRE_TIME = 1" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora +fi # Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution grep -q '(ENABLE *= *broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora || sed -i '/(DESCRIPTION =/a\\ (ENABLE = broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora # Add inbound connection timeout option to sqlnet From e805b764b55b17281f25a88d29a31104c22edb13 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Tue, 19 Nov 2024 18:43:16 +0000 Subject: [PATCH 245/308] Fixed all cron jobs Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 5ae96713cb7..1d99b105de2 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -311,7 +311,7 @@ chmod 600 /etc/cron.d/custom_cloudwatch_metrics # alert_rota.sh - set permissions chown oracle:dba /home/oracle/scripts/alert_rota.sh -chmod 644 /home/oracle/scripts/alert_rota.sh +chmod 755 /home/oracle/scripts/alert_rota.sh # Create /etc/cron.d/oracle_rotation with the cron jobs cat < /etc/cron.d/oracle_rotation From 32f8b9ffe5fdb7abd15ba9b21105e17127c95804 Mon Sep 17 00:00:00 2001 
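Review bot: `chmod 755 /home/oracle/scripts/alert_rota.sh` grants read and execute to every local account, which is more than a script used only by the cron jobs needs. The line above sets `oracle:dba` ownership, so `chmod 750 /home/oracle/scripts/alert_rota.sh` is enough if the cron entry runs it as oracle. The user column of `/etc/cron.d/oracle_rotation` is outside the hunk. If that entry runs the script as root, a root-executed file that oracle can rewrite should be owned by root instead (`chown root:dba`). The heredoc that writes the cron file continues past the end of the hunk.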
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:27:32 +0000 Subject: [PATCH 246/308] Bump bridgecrewio/checkov-action from 12.2908.0 to 12.2912.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2908.0 to 12.2912.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/416bcc9b9b7e2e046b8003075241629761c3a810...6fe02213c515948c8da243a6554a3bff49129295) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 7b298dbfeaf..a6642609d96 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@416bcc9b9b7e2e046b8003075241629761c3a810 # v12.2908.0 + uses: bridgecrewio/checkov-action@6fe02213c515948c8da243a6554a3bff49129295 # v12.2912.0 with: directory: ./ framework: terraform From 7c09052b1249eb214b90ed1c52da38a495452ccd Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 20 Nov 2024 00:27:35 +0000 Subject: [PATCH 247/308] Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2...18f2510ee396bbf400402947b394f2dd8c87dbb0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 7b298dbfeaf..cd070698010 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -53,7 +53,7 @@ jobs: uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 with: scan-type: 'fs' scanners: misconfig,vuln,secret From dd510af23c1deb89e8a8ee6c349ac1793918619c Mon Sep 17 00:00:00 2001 
From: Matthew Price Date: Wed, 20 Nov 2024 10:09:28 +0000 Subject: [PATCH 248/308] Remove lambdas for sending data to AP (#8676) * Remove lambdasfor sending data to AP * fix incorrect ref * remove data to AP step function --- .../lambdas/send_metadata_to_ap.py | 144 ------------------ .../lambdas/send_metadata_to_ap.zip | Bin 1153 -> 0 bytes .../lambdas/send_table_to_ap.py | 137 ----------------- .../electronic-monitoring-data/lambdas_iam.tf | 138 ----------------- .../lambdas_main.tf | 76 +-------- .../step_functions_iam.tf | 86 ----------- .../step_functions_main.tf | 18 --- 7 files changed, 1 insertion(+), 598 deletions(-) delete mode 100644 terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.py delete mode 100644 terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.zip delete mode 100644 terraform/environments/electronic-monitoring-data/lambdas/send_table_to_ap.py diff --git a/terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.py b/terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.py deleted file mode 100644 index d3091adae52..00000000000 --- a/terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.py +++ /dev/null 
@@ -1,144 +0,0 @@ -""" -takes the json mojap metadatas of each table and moves them to the AP -""" - -import boto3 -import os -import logging -import json - -s3 = boto3.client("s3") - -logger = logging.getLogger(__name__) -logger.setLevel(logging.INFO) - - -def camel_to_snake(camel_case: str) -> str: - """Convert a CamelCase string to snake_case. - - Parameters - ---------- - camel_case - The CamelCase string to be converted to snake_case. - - Returns - ------- - str - The snake_case representation of the input string. - - Raises - ------ - ValueError - If camel_case is an all upper case string. - - Example - ------- - >>> snake_string = camel_to_snake('CamelCase') - >>> print(snake_string) - 'camel_case' - """ - if camel_case.isupper(): - msg = f"{camel_case} is all upper case. Cannot convert to snake case." - raise ValueError(msg) - - snake_case = "" - - for i, char in enumerate(camel_case): - if ( - i > 0 - and i != len(camel_case) - 1 - and char.isupper() - and camel_case[i - 1].isupper() - and camel_case[i + 1].islower() - ): - # Character is not the first or last character and is upper case - # and is preceded by upper case but followed by lower case so - # presume is start of a new word. - snake_case += "_" - - elif i > 0 and char.isupper() and camel_case[i - 1].isupper(): - # Character is not the first character and is upper case - # and is preceded by upper case character so presume is part of a - # "shout-y" word and so don't precede the character with _ - pass - - elif char.isupper() and i > 0: - # Not the first character in the string so want to put an _ before - # it. - snake_case += "_" - - if not char.isalnum(): - snake_case += "_" - - snake_case += char.lower() - - return snake_case - - -def make_snake(string: str) -> str: - """Convert given string to snake_case. - - This will attempt to convert in order: - 1. if string already contains `_` then just ensure all characters are lower - case and then return it - 2. 
if the string is all upper case, convert to lower and return - 3. otherwise pass through to the camel_to_snake function. - """ - if "_" in string: - string_elements = string.split("_") - return "_".join([make_snake(element) for element in string_elements]) - elif string.isupper(): - return string.lower() - else: - return camel_to_snake(string) - - -def handler(event, context): - # Specify source bucket - source_bucket_name = event["Records"][0]["s3"]["bucket"]["name"] - destination_bucket = os.environ.get("METADATA_BUCKET_NAME") - # Get object that has been uploaded - file_key = event["Records"][0]["s3"]["object"]["key"].replace("%3D", "=") - file_parts = file_key.split("/") - database_name = file_parts[0].split("=")[-1] - table_name = file_parts[1].split("=")[-1] - file_name = file_parts[2] - logger.info( - f"Copying metadata... Database: {database_name}, Table: {table_name}, File: {file_name}" - ) - if not file_name.endswith(".json"): - msg = f"File {file_name} is not a json file" - logger.error(msg) - raise Exception(msg) - snake_table_name = make_snake(table_name) - destination_key = f"electronic_monitoring/metadata/database_name={database_name}/{snake_table_name}.json" - logger.info(f"Copying to: {destination_bucket}, {destination_key}") - # Specify from where file needs to be copied - copy_object = {"Bucket": source_bucket_name, "Key": file_key} - - try: - # Put the object into the destination bucket - response = s3.copy_object( - Bucket=destination_bucket, - Key=destination_key, - CopySource=copy_object, - ServerSideEncryption="AES256", - ACL="bucket-owner-full-control", - BucketKeyEnabled=True, - ) - response_code = response["ResponseMetadata"]["HTTPStatusCode"] - if response_code == 200: - logger.info(f"{file_name} succesfully transferred to {destination_bucket}") - else: - msg = f"An error has occurred writing {destination_key} to {destination_bucket}, with response code: {response_code}" - logger.error(msg) - raise Exception(msg) - except Exception as e: 
- msg = f"An exception has occured: {e}" - logger.error(msg) - raise Exception(msg) - - return { - "statusCode": 200, - "body": json.dumps("File has been Successfully Copied"), - } 
diff --git a/terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.zip b/terraform/environments/electronic-monitoring-data/lambdas/send_metadata_to_ap.zip deleted file mode 100644 index 890eac758e35b47e784d418836ecfb91ef257f80..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1153 zcmWIWW@Zs#-~d7f2E{HQ0S970R&i=xN_=i=Nn%Q3Nn(6SetcqqUO{C|m~Z}V3*mjQ z!+9bkCNM_(N$+`ouz@f0)wXVvy9>_AmGL?+I63jGixTT3FC~e8@418Sm+i9p`1s)& zW8?EZz8su7wQkJc8a|{qPd92}^6v6`%?DzfW28GG)B&r7fo3DYQ{oG!mISswx&A8p)6ey{cVA8Z^!Ztx>oVT$`5BIH z=S_&*z@GKcf%lDo>J-;y8t(53SDrAaJoak;&8ua1UP)?i>NOFQOqG~)@~gNJvyge* z-mOhp*$VG`+?Snb;XS#C(Q@UR6$j0<|1LgzbsOvPlwC9H*Ia&Z^$Xvx$GbE5cd*p2 z%AdW6d*-SO@;}s{go#d_@Z0ZHpvb}LZO?`Jlus>}w6SvYw)l3&&-jPdpUCI`UG_9v zWrSt*UQ+Wra_rKch8@DCS9F(D@h+dZ(W>Ol&ej4O3G zEd8Es>VBbg{E1FmOVPY3lNOu#WUg5$7PZrAdp}3oi8WzC8!Fc=+2F;!bN+TqC2^^> zrBf#Lc?yXop+Pv8;>gCUR=!jrn20&*qj$_VkN;+Un|Eve&7IPhTAq zs(gsc_$7Sze8=kILiE z>hAM7k;Ah4u$G;oM?5n>n|NrNI?85BZ z@`c8d&tHWunzuZ4+S$7z*R-seuN&S;+&an6!lv$u>bD6mUHycX?eO;5UA}mI+}-V5 z_w!DCKYqM@>(Xr|+q+WU7s9M(?#wmHu5zMM?l)(w82#ZUd4yIyh+SM`gnj~7KBDiq1R z9GhNP^*%B0+vSUEmmN}Ab5G(|)^~<4?tgg$n45336_!rWGkfA~!Pog`-jUrbf7ZH1 zXK^0q^YV#*vs61nUvX3Lozj)RKMQ^|()aPWbK!k`)b)KUd_(j9>L^^kbwKlnIRnH0 z{{i0Y9ETT3us>#IU~u4MU str: - """Convert a CamelCase string to snake_case. - Parameters - ---------- - camel_case - The CamelCase string to be converted to snake_case. - Returns - ------- - str - The snake_case representation of the input string. - Raises - ------ - ValueError - If camel_case is an all upper case string. - Example - ------- - >>> snake_string = camel_to_snake('CamelCase') - >>> print(snake_string) - 'camel_case' - """ - if camel_case.isupper(): - msg = f"{camel_case} is all upper case. Cannot convert to snake case." 
- raise ValueError(msg) - - snake_case = "" - - for i, char in enumerate(camel_case): - if ( - i > 0 - and i != len(camel_case) - 1 - and char.isupper() - and camel_case[i - 1].isupper() - and camel_case[i + 1].islower() - ): - # Character is not the first or last character and is upper case - # and is preceded by upper case but followed by lower case so - # presume is start of a new word. - snake_case += "_" - - elif i > 0 and char.isupper() and camel_case[i - 1].isupper(): - # Character is not the first character and is upper case - # and is preceded by upper case character so presume is part of a - # "shout-y" word and so don't precede the character with _ - pass - - elif char.isupper() and i > 0: - # Not the first character in the string so want to put an _ before - # it. - snake_case += "_" - - if not char.isalnum(): - snake_case += "_" - - snake_case += char.lower() - - return snake_case - - -def make_snake(string: str) -> str: - """Convert given string to snake_case. - This will attempt to convert in order: - 1. if string already contains `_` then just ensure all characters are lower - case and then return it - 2. if the string is all upper case, convert to lower and return - 3. otherwise pass through to the camel_to_snake function. 
- """ - if "_" in string: - string_elements = string.split("_") - return "_".join([make_snake(element) for element in string_elements]) - elif string.isupper(): - return string.lower() - else: - return camel_to_snake(string) - - -# lambda function to copy file from 1 s3 to another s3 -def handler(event, context): - # Specify source bucket - for key, value in event.items(): - database_table_name, source_s3_key = key, value - bucket, source_key = s3_path_to_bucket_key(source_s3_key) - database_name, schema_name, table_name, file_name = source_key.split("/") - - ap_table_name = make_snake(table_name) - logger.info(f"Copying table {table_name} from database {database_name}") - destination_key = f"electronic_monitoring/load/{database_name}/{ap_table_name}/{file_name}" - logger.info( - f"""Copying file: {source_key} from bucket: {bucket} - to {destination_key} in bucket: {AP_DESTINATION_BUCKET}""" - ) - - copy_object = {"Bucket": bucket, "Key": source_key} - - try: - # Put the object into the destination bucket - response = s3_client.copy_object( - Bucket=AP_DESTINATION_BUCKET, - Key=destination_key, - CopySource=copy_object, - ServerSideEncryption="AES256", - ACL="bucket-owner-full-control", - BucketKeyEnabled=True, - ) - response_code = response["ResponseMetadata"]["HTTPStatusCode"] - if response_code == 200: - logger.info(f"{source_key} succesfully transferred to {AP_DESTINATION_BUCKET}") - else: - msg = f"An error has occurred writing {destination_key} to {AP_DESTINATION_BUCKET}, with response code: {response_code}" - logger.error(msg) - raise Exception(msg) - except Exception as e: - msg = f"An exception has occured: {e}" - logger.error(msg) - raise Exception(msg) - - return (database_name, schema_name, table_name) diff --git a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf index edb7b7d5feb..8dd8f5c058e 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf 
+++ b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf 
@@ -150,144 +150,6 @@ data "aws_iam_policy_document" "write_meta_to_s3" { } } - - -# ------------------------------------------------ -# Write Metadata to AP -# ------------------------------------------------ - -locals { - metadata_ap_bucket = local.is-production ? "mojap-metadata-prod" : "mojap-metadata-dev" -} - -resource "aws_iam_role" "send_metadata_to_ap" { - name = "send_metadata_to_ap" - assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json -} - - -resource "aws_iam_role_policy_attachment" "write_metadata_to_ap_write_meta_to_s3" { - role = aws_iam_role.send_metadata_to_ap.name - policy_arn = aws_iam_policy.get_meta_from_s3.arn -} - -resource "aws_iam_policy" "get_meta_from_s3" { - name = "get_meta_from_s3" - policy = data.aws_iam_policy_document.get_meta_from_s3.json -} - -resource "aws_iam_policy" "write_to_ap_s3" { - name = "write_to_ap_s3" - policy = data.aws_iam_policy_document.write_to_ap_s3.json -} - -resource "aws_iam_role_policy_attachment" "write_metadata_to_ap_write_to_ap_s3" { - role = aws_iam_role.send_metadata_to_ap.name - policy_arn = aws_iam_policy.write_to_ap_s3.arn -} - -data "aws_iam_policy_document" "get_meta_from_s3" { - statement { - effect = "Allow" - actions = [ - "s3:ListObjects", - "s3:GetObject" - ] - resources = [ - "${module.s3-metadata-bucket.bucket.arn}/*" - ] - } - statement { - effect = "Allow" - actions = [ - "s3:ListBucket" - ] - resources = [ - module.s3-metadata-bucket.bucket.arn - ] - } -} - -data "aws_iam_policy_document" "write_to_ap_s3" { - statement { - effect = "Allow" - actions = [ - "s3:GetBucketLocation", - "s3:ListBucket" - ] - resources = [ - "arn:aws:s3:::${local.metadata_ap_bucket}" - ] - } - statement { - effect = "Allow" - actions = [ - "s3:PutObject", - "s3:PutObjectAcl" - ] - resources = [ - "arn:aws:s3:::${local.metadata_ap_bucket}/electronic_monitoring/*" - ] - } -} - -# ------------------------------------------ -# Send table to AP -# ------------------------------------------ - 
-resource "aws_iam_role" "send_table_to_ap" { - name = "send_table_to_ap" - assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json -} - -locals { - land_bucket = local.is-production ? "mojap-land" : "mojap-land-dev" -} - -data "aws_iam_policy_document" "get_parquet_files" { - statement { - effect = "Allow" - actions = [ - "s3:GetObject", - "s3:ListBucket", - ] - resources = [ - module.s3-dms-target-store-bucket.bucket.arn, - "${module.s3-dms-target-store-bucket.bucket.arn}/*", - ] - } - statement { - effect = "Allow" - actions = [ - "s3:GetBucketLocation", - "s3:ListBucket" - ] - resources = [ - "arn:aws:s3:::${local.land_bucket}" - ] - } - statement { - effect = "Allow" - actions = [ - "s3:PutObject", - "s3:PutObjectAcl" - ] - resources = [ - "arn:aws:s3:::${local.land_bucket}/electronic_monitoring/load/*" - ] - } -} - -resource "aws_iam_policy" "get_parquet_files" { - name = "get_parquet_files" - policy = data.aws_iam_policy_document.get_parquet_files.json -} - -resource "aws_iam_role_policy_attachment" "send_table_to_ap_get_parquet_files" { - role = aws_iam_role.send_table_to_ap.name - policy_arn = aws_iam_policy.get_parquet_files.arn -} - # ------------------------------------------------ # Get tables from db # ------------------------------------------------ diff --git a/terraform/environments/electronic-monitoring-data/lambdas_main.tf b/terraform/environments/electronic-monitoring-data/lambdas_main.tf index d05f0c4e12f..35b62e0b881 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_main.tf +++ b/terraform/environments/electronic-monitoring-data/lambdas_main.tf 
@@ -77,45 +77,6 @@ module "create_athena_table" { } } - -# ------------------------------------------------------ -# Send Metadata to AP -# ------------------------------------------------------ - - -data "archive_file" "send_metadata_to_ap" { - type = "zip" - source_file = "${local.lambda_path}/send_metadata_to_ap.py" - output_path = "${local.lambda_path}/send_metadata_to_ap.zip" -} - -module "send_metadata_to_ap" { - source = "./modules/lambdas" - filename = "${local.lambda_path}/send_metadata_to_ap.zip" - function_name = "send_metadata_to_ap" - role_arn = aws_iam_role.send_metadata_to_ap.arn - role_name = aws_iam_role.send_metadata_to_ap.name - handler = "send_metadata_to_ap.handler" - source_code_hash = data.archive_file.send_metadata_to_ap.output_base64sha256 - layers = null - timeout = 900 - memory_size = 1024 - runtime = "python3.11" - security_group_ids = null - subnet_ids = data.aws_subnets.shared-public.ids - environment_variables = { - METADATA_BUCKET_NAME = local.is-production ? "mojap-metadata-prod" : "mojap-metadata-dev" - - } -} -resource "aws_lambda_permission" "send_metadata_to_ap" { - statement_id = "AllowS3ObjectMetaInvoke" - action = "lambda:InvokeFunction" - function_name = module.send_metadata_to_ap.lambda_function_arn - principal = "s3.amazonaws.com" - source_arn = module.s3-metadata-bucket.bucket.arn -} - # ------------------------------------------------------ # get file keys for table # ------------------------------------------------------ @@ -134,7 +95,7 @@ module "get_file_keys_for_table" { role_arn = aws_iam_role.get_file_keys_for_table.arn role_name = aws_iam_role.get_file_keys_for_table.name handler = "get_file_keys_for_table.handler" - source_code_hash = data.archive_file.send_table_to_ap.output_base64sha256 + source_code_hash = data.archive_file.get_file_keys_for_table.output_base64sha256 layers = null timeout = 900 memory_size = 1024 
@@ -146,41 +107,6 @@ module "get_file_keys_for_table" { } } - - -# ------------------------------------------------------ -# Send table to AP -# ------------------------------------------------------ - - -data "archive_file" "send_table_to_ap" { - type = "zip" - source_file = "${local.lambda_path}/send_table_to_ap.py" - output_path = "${local.lambda_path}/send_table_to_ap.zip" -} - -module "send_table_to_ap" { - source = "./modules/lambdas" - filename = "${local.lambda_path}/send_table_to_ap.zip" - function_name = "send_table_to_ap" - role_arn = aws_iam_role.send_table_to_ap.arn - role_name = aws_iam_role.send_table_to_ap.name - handler = "send_table_to_ap.handler" - source_code_hash = data.archive_file.send_table_to_ap.output_base64sha256 - layers = null - timeout = 900 - memory_size = 1024 - runtime = "python3.11" - security_group_ids = null - subnet_ids = null - environment_variables = { - AP_DESTINATION_BUCKET = local.land_bucket - } - reserved_concurrent_executions = 100 -} - - - # ------------------------------------------------------ # Get Tables from DB # ------------------------------------------------------ diff --git a/terraform/environments/electronic-monitoring-data/step_functions_iam.tf b/terraform/environments/electronic-monitoring-data/step_functions_iam.tf index 477a75704fe..878c35619b1 100644 --- a/terraform/environments/electronic-monitoring-data/step_functions_iam.tf +++ b/terraform/environments/electronic-monitoring-data/step_functions_iam.tf 
@@ -37,92 +37,6 @@ resource "aws_iam_policy" "lambda_invoke_policy" { policy = data.aws_iam_policy_document.lambda_invoke_policy.json } -# -------------------------------- -# Send database to AP -# -------------------------------- - -data "aws_iam_policy_document" "send_database_to_ap" { - statement { - effect = "Allow" - - actions = [ - "athena:startQueryExecution", - "athena:getQueryExecution", - "athena:getQueryResults" - ] - - resources = [ - "*" - ] - } - statement { - effect = "Allow" - - actions = [ - "s3:PutObject", - "s3:GetObject", - "s3:ListBucket", - "s3:GetBucketLocation" - ] - - resources = [ - module.s3-athena-bucket.bucket.arn, - "${module.s3-athena-bucket.bucket.arn}/*", - "${module.s3-dms-data-validation-bucket.bucket.arn}/*", - module.s3-dms-data-validation-bucket.bucket.arn - ] - } - statement { - effect = "Allow" - - actions = [ - "glue:GetDatabase", - "glue:GetTable", - "glue:GetPartitions", - "glue:GetTables" - ] - - resources = [ - "*" - ] - } - - statement { - effect = "Allow" - - actions = [ - "lambda:InvokeFunction", - ] - - resources = [ - "${module.send_table_to_ap.lambda_function_arn}:*", - "${module.get_file_keys_for_table.lambda_function_arn}:*", - "${module.query_output_to_list.lambda_function_arn}:*", - "${module.update_log_table.lambda_function_arn}:*" - ] - } - statement { - effect = "Allow" - - actions = [ - "lambda:InvokeFunction", - ] - - resources = [ - module.send_table_to_ap.lambda_function_arn, - module.get_file_keys_for_table.lambda_function_arn, - module.query_output_to_list.lambda_function_arn, - module.update_log_table.lambda_function_arn - ] - } -} - -resource "aws_iam_policy" "send_database_to_ap" { - name = "send_database_to_ap_athena_queries" - description = "Policy to allow start and get specific Athena queries" - policy = data.aws_iam_policy_document.send_database_to_ap.json -} - # ------------------------------------------ # Unzip Files # ------------------------------------------ 
diff --git a/terraform/environments/electronic-monitoring-data/step_functions_main.tf b/terraform/environments/electronic-monitoring-data/step_functions_main.tf index c5b8b867f63..8cb6b5726ed 100644 --- a/terraform/environments/electronic-monitoring-data/step_functions_main.tf +++ b/terraform/environments/electronic-monitoring-data/step_functions_main.tf @@ -12,24 +12,6 @@ module "athena_layer" { }) } - -# ------------------------------------------ -# Send Database to AP -# ------------------------------------------ - -module "send_database_to_ap" { - source = "./modules/step_function" - name = "send_database_to_ap" - iam_policies = tomap({ "send_database_to_ap" = aws_iam_policy.send_database_to_ap }) - variable_dictionary = tomap({ - athena_workgroup = aws_athena_workgroup.default.name - query_output_to_list = module.query_output_to_list.lambda_function_arn - get_file_keys_for_table = module.get_file_keys_for_table.lambda_function_arn - send_table_to_ap = module.send_table_to_ap.lambda_function_arn - update_log_table = module.update_log_table.lambda_function_arn - }) -} - # ------------------------------------------ # Unzip Files # ------------------------------------------ From 460e76f628913d81c2c8a973c1e5c1029d4ca195 Mon Sep 17 00:00:00 2001 From: tom-ogle-moj <142220790+tom-ogle-moj@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:45:24 +0000 Subject: [PATCH 249/308] DPR2-1435: Enable heartbeat for dms postgres source. (#8708) * DPR2-1435: Enable heartbeta for dms postgres source. * DPR2-1435: Fix tflint errors --- .../modules/dms_s3_v2/main.tf | 1 + .../modules/dms_s3_v2/variables.tf | 10 ---------- .../modules/dms_s3_v2/versions.tf | 15 +++++++++++++++ 3 files changed, 16 insertions(+), 10 deletions(-) create mode 100644 terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf 
diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf index 078ccf9d24b..f4a844d7c93 100644 --- a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf @@ -136,6 +136,7 @@ resource "aws_dms_endpoint" "dms-s3-target-source" { postgres_settings { map_boolean_as_boolean = true + heartbeat_enable = true } extra_connection_attributes = var.extra_attributes diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf index 97351185cf8..5dacdd25fd8 100644 --- a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf @@ -39,16 +39,6 @@ variable "tags" { description = "(Optional) Key-value map of resource tags." } - -variable "availability_zones" { - default = [ - { - 0 = "eu-west-2a" - } - ] -} - - variable "subnet_ids" { description = "An List of VPC subnet IDs to use in the subnet group" type = list(string) diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf new file mode 100644 index 00000000000..d2163a87985 --- /dev/null +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf @@ -0,0 +1,15 @@ +terraform { + required_providers { + aws = { + version = "~> 5.0" + source = "hashicorp/aws" + } + + template = { + source = "hashicorp/template" + version = "~> 2.2" + } + + } + required_version = "~> 1.0" +} From 6e4007dbf1925921a3b945fd710bef95d5bc6df4 Mon Sep 17 00:00:00 2001 
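Review bot: `heartbeat_enable = true` is added to `postgres_settings` without a `heartbeat_schema`, so DMS creates its heartbeat artefacts in the default schema of the source database. The replication user then needs rights to create objects there. Pinning a dedicated schema, e.g. `heartbeat_schema = "<dedicated_schema>"`, lets the source DBA grant create rights on that schema only. A short comment such as `# WAL heartbeat stops an idle replication slot from retaining WAL on the source` would record why the setting is on. The `aws_dms_endpoint` resource starts and ends outside the hunk.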
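Review bot: The new `versions.tf` requires `hashicorp/template` at `~> 2.2`, a provider that HashiCorp has archived and no longer updates. Pinning it keeps an unmaintained plugin in the module's dependency set. The module's use of `template_file` is not visible in this commit; if it only renders a string, the built-in `templatefile()` function does the same job and the `template = { ... }` entry can be dropped. If it has to stay for now, a comment like `# TODO: remove once template_file data sources are migrated to templatefile()` would make the intent clear.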
From: Tom Webber Date: Wed, 20 Nov 2024 11:47:58 +0000 Subject: [PATCH 250/308] feat: revert force_destroy change on log buckets as we're keeping them --- .../environments/analytical-platform-compute/s3-buckets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 916ef53af1d..e0bafa32fc1 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -50,7 +50,7 @@ module "mojap_compute_logs_bucket_eu_west_2" { bucket = "mojap-compute-${local.environment}-logs-eu-west-2" - force_destroy = true + force_destroy = false attach_policy = true policy = data.aws_iam_policy_document.s3_server_access_logs_eu_west_2_policy.json @@ -109,7 +109,7 @@ module "mojap_compute_logs_bucket_eu_west_1" { bucket = "mojap-compute-${local.environment}-logs-eu-west-1" - force_destroy = true + force_destroy = false attach_policy = true policy = data.aws_iam_policy_document.s3_server_access_logs_eu_west_1_policy.json From 707821c70d36704f69a0cef3d6d986a95e8d3360 Mon Sep 17 00:00:00 2001 
From: tom-ogle-moj <142220790+tom-ogle-moj@users.noreply.github.com> Date: Wed, 20 Nov 2024 13:39:04 +0000 Subject: [PATCH 251/308] DPR2-1435: Enable configuration of DMS source ssl mode (#8716) * DPR2-1435: Enable confoguration of source ssl mode to allow connections to DPS Postgres databases that require SSL. * DPR2-1435: tflint fixes. * DPR2-1435: Remove unused variable causing tflint issues * DPR2-1435: Remove unused parameter * DPR2-1435: Further tflint changes --- .../modules/dms_s3_v2/main.tf | 2 +- .../modules/dms_s3_v2/variables.tf | 6 ++ .../domains/dms-endpoints/endpoints.tf | 1 + .../domains/dms-endpoints/variables.tf | 55 ++++++++++--------- .../modules/domains/dms-endpoints/versions.tf | 9 +++ .../domains/dms-instance/dms-instance.tf | 1 - .../modules/domains/dms-instance/variables.tf | 22 +++++--- .../modules/domains/dms-instance/versions.tf | 9 +++ 8 files changed, 70 insertions(+), 35 deletions(-) create mode 100644 terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/versions.tf create mode 100644 terraform/environments/digital-prison-reporting/modules/domains/dms-instance/versions.tf diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf index f4a844d7c93..7b1415d737a 100644 --- a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf @@ -131,7 +131,7 @@ resource "aws_dms_endpoint" "dms-s3-target-source" { password = var.source_app_password port = var.source_db_port server_name = var.source_address - ssl_mode = "none" + ssl_mode = var.source_ssl_mode username = var.source_app_username postgres_settings { diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf index 5dacdd25fd8..346d5f716d3 100644 
--- a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf @@ -264,6 +264,12 @@ variable "source_address" { type = string } +variable "source_ssl_mode" { + default = "none" + description = "SSL mode to use for the connection. Valid values are none, require, verify-ca, verify-full" + type = string +} + variable "bucket_name" { type = string default = "" diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf index eb6692bc87e..c02a86a5962 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf @@ -16,6 +16,7 @@ module "dms_endpoints" { source_app_username = var.source_app_username source_app_password = var.source_app_password source_address = var.source_address + source_ssl_mode = var.source_ssl_mode source_db_port = var.source_db_port extra_attributes = var.extra_attributes bucket_name = var.bucket_name diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf index bad7e200ead..aa7f9023442 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf 
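Review bot: `source_ssl_mode` defaults to `"none"`, so every caller that does not set it keeps sending the source database credentials and replicated rows over an unencrypted connection. The variable also has no `validation` block, so the module itself does not reject a mistyped value. The same default is repeated in `modules/domains/dms-endpoints/variables.tf` later in this commit. I would add the validation below to both, and consider defaulting to `"require"` once the existing sources are confirmed to accept TLS. The `main.tf` hunk passes the value to `ssl_mode` but shows no `certificate_arn`, so the `verify-ca` and `verify-full` values named in the description may not work unless a certificate is configured outside the hunk.

```terraform
variable "source_ssl_mode" {
  # … unchanged: default, description, type …

  validation {
    condition     = contains(["none", "require", "verify-ca", "verify-full"], var.source_ssl_mode)
    error_message = "source_ssl_mode must be one of: none, require, verify-ca, verify-full."
  }
}
```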
@@ -57,19 +57,28 @@ variable "short_name" { } variable "source_address" { + type = string default = "" description = "Default Source Address" } +variable "source_ssl_mode" { + default = "none" + description = "SSL mode to use for the connection. Valid values are none, require, verify-ca, verify-full" + type = string +} + variable "bucket_name" { type = string } variable "create" { + type = bool default = true } variable "create_iam_roles" { + type = bool default = true } @@ -82,11 +91,13 @@ variable "iam_role_permissions_boundary" { # Used in tagginga and naming the resources variable "stack_name" { + type = string description = "The name of our application" default = "dblink" } variable "owner" { + type = string description = "A group email address to be used in tags" default = "autobots@ga.gov.au" } @@ -96,6 +107,7 @@ variable "owner" { #-------------------------------------------------------------- variable "identifier" { + type = string default = "rds" description = "Name of the database in the RDS" } 
@@ -105,51 +117,42 @@ variable "identifier" { #-------------------------------------------------------------- variable "target_backup_retention_period" { + type = string # Days default = "30" description = "Retention of RDS backups" } variable "target_backup_window" { + type = string default = "14:00-17:00" description = "RDS backup window" } variable "target_db_port" { + type = number description = "The port the Application Server will access the database on" default = 5432 } variable "target_engine_version" { + type = string description = "Engine version" default = "9.3.14" } variable "target_instance_class" { + type = string default = "db.t2.micro" description = "Instance class" } variable "target_maintenance_window" { + type = string default = "Mon:00:00-Mon:03:00" description = "RDS maintenance window" } -variable "target_rds_is_multi_az" { - description = "Create backup database in separate availability zone" - default = "false" -} - -variable "target_storage" { - default = "10" - description = "Storage size in GB" -} - -variable "target_storage_encrypted" { - description = "Encrypt storage or leave unencrypted" - default = false -} - #variable "target_username" { # description = "Username to access the target database" #} 
@@ -159,69 +162,71 @@ variable "target_storage_encrypted" { #-------------------------------------------------------------- variable "source_app_password" { + type = string description = "Password for the endpoint to access the source database" } variable "source_app_username" { + type = string description = "Username for the endpoint to access the source database" } variable "source_db_name" { + type = string description = "Name of the Source database" default = "oracle" } variable "source_db_port" { + type = number description = "The port the Application Server will access the database on" default = null } variable "source_engine" { + type = string default = "oracle-se2" description = "Engine type, example values mysql, postgres" } variable "source_engine_name" { + type = string default = "" description = "Engine name for DMS" } variable "source_engine_version" { + type = string description = "Engine version" default = "12.1.0.2.v8" } variable "source_instance_class" { + type = string default = "db.t2.micro" description = "Instance class" } variable "source_maintenance_window" { + type = string default = "Mon:00:00-Mon:03:00" description = "RDS maintenance window" } variable "source_password" { + type = string description = "Password of the source database" default = "" } -variable "source_rds_is_multi_az" { - description = "Create backup database in separate availability zone" - default = "false" -} - -variable "source_storage" { - default = "10" - description = "Storage size in GB" -} - variable "source_storage_encrypted" { + type = bool description = "Encrypt storage or leave unencrypted" default = false } variable "source_username" { + type = string description = "Username to access the source database" default = "" } 
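Review bot: `source_app_password` and `source_password` are given `type = string` in this hunk but are not marked sensitive, so Terraform will print their values in plan and apply output and in CI logs. Add `sensitive = true` to both variable blocks. `source_password` also keeps `default = ""`, which lets a module call succeed with an empty credential; if the variable is still used, dropping the default would make the omission fail at plan time. Marking a variable sensitive does not remove the value from state, so state access still needs to be restricted.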
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/versions.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/versions.tf new file mode 100644 index 00000000000..14c498acddc --- /dev/null +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + aws = { + version = "~> 5.0" + source = "hashicorp/aws" + } + } + required_version = "~> 1.0" +} diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf index 189fd5288d4..e2bbe3ff80b 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf @@ -6,7 +6,6 @@ module "dms_instance" { project_id = var.project_id env = var.env setup_dms_instance = var.setup_dms_instance - availability_zones = var.availability_zones replication_instance_version = var.replication_instance_version replication_instance_class = var.replication_instance_class subnet_ids = var.subnet_ids diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf index 22440676483..48c11f49880 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf @@ -1,10 +1,12 @@ variable "account_region" { + type = string description = "Current AWS Region." default = "eu-west-2" } variable "account_id" { + type = string description = "AWS Account ID." default = "" } 
@@ -20,6 +22,7 @@ variable "dms_target_endpoint" { } variable "name" { + type = string description = "DMS Replication name." } @@ -77,14 +80,6 @@ variable "migration_type" { default = "" } -variable "availability_zones" { - default = [ - { - 0 = "eu-west-2a" - } - ] -} - variable "rename_rule_source_schema" { description = "The source schema we will rename to a target output 'space'" type = string @@ -110,14 +105,17 @@ variable "vpc" { } variable "availability_zone" { + type = string default = null } variable "create" { + type = bool default = true } variable "create_iam_roles" { + type = bool default = true } @@ -130,11 +128,13 @@ variable "iam_role_permissions_boundary" { # Used in tagginga and naming the resources variable "stack_name" { + type = string description = "The name of our application" default = "dblink" } variable "owner" { + type = string description = "A group email address to be used in tags" default = "autobots@ga.gov.au" } @@ -144,21 +144,25 @@ variable "owner" { #-------------------------------------------------------------- variable "replication_instance_maintenance_window" { + type = string description = "Maintenance window for the replication instance" default = "sun:10:30-sun:14:30" } variable "replication_instance_storage" { + type = string description = "Size of the replication instance in GB" default = "10" } variable "replication_instance_version" { + type = string description = "Engine version of the replication instance" default = "3.4.6" } variable "replication_instance_class" { + type = string description = "Instance class of replication instance" default = "dms.t2.micro" } @@ -180,6 +184,7 @@ variable "dms_log_retention_in_days" { #-------------------------------------------------------------- variable "identifier" { + type = string default = "rds" description = "Name of the database in the RDS" } 
@@ -189,6 +194,7 @@ variable "identifier" { #-------------------------------------------------------------- variable "database_subnet_cidr" { + type = list(string) default = ["10.26.25.208/28", "10.26.25.224/28", "10.26.25.240/28"] description = "List of subnets to be used for databases" } diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/versions.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/versions.tf new file mode 100644 index 00000000000..14c498acddc --- /dev/null +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/versions.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + aws = { + version = "~> 5.0" + source = "hashicorp/aws" + } + } + required_version = "~> 1.0" +} From cc00f621f46bf31f9aab31041f33df85abd438a2 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Wed, 20 Nov 2024 14:29:00 +0000 Subject: [PATCH 252/308] Fix filename Signed-off-by: Fani Foteva --- terraform/environments/edw/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 1d99b105de2..73dd891836b 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -109,7 +109,7 @@ log_group_name = $APPNAME-CfnInit log_stream_name = {instance_id} [oracle_alert_log_errors] -file = bdu$APPNAME/bdump/alert_$APPNAME.log +file = /oracle/software/product/10.2.0/admin/$APPNAME/bdump/alert_$APPNAME.log log_group_name = $APPNAME-OracleAlerts log_stream_name = {instance_id} From d8b9b2ce1798b697114d1342ee7ac4edac25126d Mon Sep 17 00:00:00 2001 
From: Matthew Searle <65017209+matthewsearle01@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:12:51 +0000 Subject: [PATCH 253/308] Tribunals: Add Cloudfront to fix http -> https Redirect Issue (#8578) --- .../environments/tribunals/cloudfront.tf | 108 ++++++++++++++++++ .../tribunals/dns-delegate-route53.tf | 4 +- terraform/environments/tribunals/dns_ssl.tf | 4 +- .../environments/tribunals/load_balancer.tf | 1 + 4 files changed, 113 insertions(+), 4 deletions(-) create mode 100644 terraform/environments/tribunals/cloudfront.tf diff --git a/terraform/environments/tribunals/cloudfront.tf b/terraform/environments/tribunals/cloudfront.tf new file mode 100644 index 00000000000..286aadd461a --- /dev/null +++ b/terraform/environments/tribunals/cloudfront.tf 
@@ -0,0 +1,108 @@ +resource "aws_cloudfront_distribution" "tribunals_distribution" { + + aliases = ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] + origin { + domain_name = aws_lb.tribunals_lb.dns_name + origin_id = "tribunalsOrigin" + + custom_origin_config { + http_port = 80 + https_port = 443 + origin_protocol_policy = "https-only" + origin_ssl_protocols = ["TLSv1.2"] + origin_keepalive_timeout = 60 + origin_read_timeout = 60 + } + + custom_header { + name = "X-Custom-Header" + value = "tribunals-origin" + } + } + + default_cache_behavior { + target_origin_id = "tribunalsOrigin" + + cache_policy_id = data.aws_cloudfront_cache_policy.caching_disabled.id + origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id + + viewer_protocol_policy = "redirect-to-https" + allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"] + cached_methods = ["GET", "HEAD"] + compress = true + default_ttl = 0 + min_ttl = 0 + max_ttl = 31536000 + smooth_streaming = false + } + + enabled = true + is_ipv6_enabled = true + comment = "CloudFront distribution for tribunals load balancer" + price_class = "PriceClass_All" + + viewer_certificate { + acm_certificate_arn = aws_acm_certificate.cloudfront.arn + ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.2_2021" + } + + restrictions { + geo_restriction { + restriction_type = "none" + } + } +} + +data "aws_cloudfront_cache_policy" "caching_disabled" { + name = "Managed-CachingDisabled" +} + +data "aws_cloudfront_origin_request_policy" "all_viewer" { + name = "Managed-AllViewer" +} + +// Create a new certificate for the CloudFront distribution because it needs to be in us-east-1 +resource "aws_acm_certificate" "cloudfront" { + provider = aws.us-east-1 + domain_name = local.is-production ? 
"*.decisions.tribunals.gov.uk" : "modernisation-platform.service.justice.gov.uk" + validation_method = "DNS" + subject_alternative_names = local.is-production ? ["*.venues.tribunals.gov.uk", "*.reports.tribunals.gov.uk"] : ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] + tags = { + Environment = local.environment + } + lifecycle { + create_before_destroy = true + } +} + +resource "aws_acm_certificate_validation" "cloudfront_cert_validation" { + provider = aws.us-east-1 + certificate_arn = aws_acm_certificate.cloudfront.arn +} + +data "aws_ec2_managed_prefix_list" "cloudfront" { + name = "com.amazonaws.global.cloudfront.origin-facing" +} + +resource "aws_security_group" "tribunals_lb_sg_cloudfront" { + name = "tribunals-load-balancer-sg-cf" + description = "control access to the load balancer using cloudfront" + vpc_id = data.aws_vpc.shared.id + + ingress { + description = "Allow CloudFront traffic on HTTPS port 443" + from_port = 443 + to_port = 443 + protocol = "tcp" + prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id] + } + + egress { + description = "allow all outbound traffic from the load balancer - needed due to dynamic port mapping on ec2 instance" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} diff --git a/terraform/environments/tribunals/dns-delegate-route53.tf b/terraform/environments/tribunals/dns-delegate-route53.tf index eb64f64ea4e..d2ec71520f1 100644 --- a/terraform/environments/tribunals/dns-delegate-route53.tf +++ b/terraform/environments/tribunals/dns-delegate-route53.tf 
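Review bot: The origin `custom_header` uses a fixed, committed value (`X-Custom-Header = "tribunals-origin"`), and the new security group admits the whole `com.amazonaws.global.cloudfront.origin-facing` prefix list, which covers every CloudFront distribution rather than only this one. If the header is meant to prove that a request came through this distribution, it should be a generated secret (for example from `random_password` or Secrets Manager) and the ALB listener should reject requests that lack it. No listener rule checking the header is visible in this commit. It is also not visible here whether `tribunals_lb_sg_cloudfront` is attached to `aws_lb.tribunals_lb` in place of the existing group; until it is, the load balancer stays directly reachable and the CloudFront path can be bypassed. The distribution has no `logging_config` or `web_acl_id`, so edge requests are neither logged nor filtered.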
@@ -72,8 +72,8 @@ resource "aws_route53_record" "ec2_instances_migrated" { type = "A" alias { - name = aws_lb.tribunals_lb.dns_name - zone_id = aws_lb.tribunals_lb.zone_id + name = aws_cloudfront_distribution.tribunals_distribution.domain_name + zone_id = aws_cloudfront_distribution.tribunals_distribution.hosted_zone_id evaluate_target_health = true } } diff --git a/terraform/environments/tribunals/dns_ssl.tf b/terraform/environments/tribunals/dns_ssl.tf index 83ae0ea584e..cc96e8d1747 100644 --- a/terraform/environments/tribunals/dns_ssl.tf +++ b/terraform/environments/tribunals/dns_ssl.tf @@ -343,8 +343,8 @@ resource "aws_route53_record" "external_services" { type = "A" alias { - name = aws_lb.tribunals_lb.dns_name - zone_id = aws_lb.tribunals_lb.zone_id + name = aws_cloudfront_distribution.tribunals_distribution.domain_name + zone_id = aws_cloudfront_distribution.tribunals_distribution.hosted_zone_id evaluate_target_health = true } } diff --git a/terraform/environments/tribunals/load_balancer.tf b/terraform/environments/tribunals/load_balancer.tf index af24f204f27..79c4debc3b7 100644 --- a/terraform/environments/tribunals/load_balancer.tf +++ b/terraform/environments/tribunals/load_balancer.tf @@ -105,6 +105,7 @@ resource "aws_lb_listener" "tribunals_lb" { } } } + resource "aws_lb_listener_rule" "tribunals_lb_rule" { for_each = local.listener_header_to_target_group From 01c1c1c863206dd87f0742d8cc74abe41d8e3667 Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 20 Nov 2024 16:43:34 +0000 Subject: [PATCH 254/308] Tribunals: fix aliases in cloudfront distribution (#8726) --- terraform/environments/tribunals/cloudfront.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/tribunals/cloudfront.tf b/terraform/environments/tribunals/cloudfront.tf index 286aadd461a..7a2703c4283 100644 --- a/terraform/environments/tribunals/cloudfront.tf +++ b/terraform/environments/tribunals/cloudfront.tf 
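Review bot: Both alias blocks changed here (`ec2_instances_migrated` in dns-delegate-route53.tf and `external_services` in dns_ssl.tf) now target the CloudFront distribution but keep `evaluate_target_health = true`. Route 53 documents that `EvaluateTargetHealth` cannot be true when the alias target is a CloudFront distribution, so the setting should become `evaluate_target_health = false` in both records. Both resource blocks start outside their hunks, so any other attributes that assumed an ALB target should be rechecked as well.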
@@ -1,6 +1,6 @@ resource "aws_cloudfront_distribution" "tribunals_distribution" { - aliases = ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] + aliases = local.is-production ? ["*.decisions.tribunals.gov.uk"] : ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] origin { domain_name = aws_lb.tribunals_lb.dns_name origin_id = "tribunalsOrigin" From a1c6537e12b93a7474b76fbf2d37c700624b133e Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 20 Nov 2024 17:04:46 +0000 Subject: [PATCH 255/308] Tribunals: fix route53 record (#8727) --- terraform/environments/tribunals/dns-delegate-route53.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/tribunals/dns-delegate-route53.tf b/terraform/environments/tribunals/dns-delegate-route53.tf index d2ec71520f1..eb64f64ea4e 100644 --- a/terraform/environments/tribunals/dns-delegate-route53.tf +++ b/terraform/environments/tribunals/dns-delegate-route53.tf @@ -72,8 +72,8 @@ resource "aws_route53_record" "ec2_instances_migrated" { type = "A" alias { - name = aws_cloudfront_distribution.tribunals_distribution.domain_name - zone_id = aws_cloudfront_distribution.tribunals_distribution.hosted_zone_id + name = aws_lb.tribunals_lb.dns_name + zone_id = aws_lb.tribunals_lb.zone_id evaluate_target_health = true } } From 44ec46877f0b56026895d33ad7fd94852903848b Mon Sep 17 00:00:00 2001 From: Prem Basumatary Date: Thu, 21 Nov 2024 09:16:15 +0000 Subject: [PATCH 256/308] TM-631 connect weblogic to db and ldap --- .../modules/delius_environment/weblogic.tf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index 0764b8912a3..c3be3e11fba 100644 
--- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -28,6 +28,25 @@ module "weblogic" { tags = var.tags db_ingress_security_groups = [] + ecs_service_ingress_security_group_ids = [] + ecs_service_egress_security_group_ids = [ + { + ip_protocol = "tcp" + port = 389 + cidr_ipv4 = var.account_config.shared_vpc_cidr + }, + { + ip_protocol = "udp" + port = 389 + cidr_ipv4 = var.account_config.shared_vpc_cidr + }, + { + ip_protocol = "tcp" + port = 1521 + cidr_ipv4 = var.account_config.shared_vpc_cidr + } + ] + cluster_security_group_id = aws_security_group.cluster.id ignore_changes_service_task_definition = false From 6b2c4916a4f829d9cf189d0b68169301989f94b3 Mon Sep 17 00:00:00 2001 From: Matthew Price Date: Thu, 21 Nov 2024 09:48:14 +0000 Subject: [PATCH 257/308] Add serco export ips (#8728) --- terraform/environments/electronic-monitoring-data/s3.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index 8de10c7fa24..4fda5db1821 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -675,7 +675,7 @@ module "s3-p1-export-bucket" { module "s3-serco-export-bucket" { source = "./modules/export_bucket_presigned_url/" - allowed_ips = null + allowed_ips = ["137.83.234.93/32", "130.41.187.248/32"] export_destination = "serco-historic" local_bucket_prefix = local.bucket_prefix local_tags = local.tags From f7f1c16f5fb74b339858819aac8889532e6f7912 Mon Sep 17 00:00:00 2001 
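Review bot: The three new egress rules open LDAP (389 tcp/udp) and Oracle (1521) to all of `var.account_config.shared_vpc_cidr` rather than to the directory and database endpoints the service needs. If the module accepts a security-group reference for these rules (the `ip_protocol`/`cidr_ipv4` keys suggest `aws_vpc_security_group_egress_rule`, which has `referenced_security_group_id`), pointing at the LDAP and database groups would keep the rule scoped as addresses change. Port 389 is the plain LDAP port, so unless StartTLS is enforced on the directory side, bind credentials cross the shared VPC unencrypted; a comment stating which is the case would help. The attribute name `ecs_service_egress_security_group_ids` now holds CIDR rules, which is worth a one-line comment. The `module "weblogic"` block starts and ends outside the hunk.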
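Review bot: The two `/32` addresses added to `allowed_ips` for `s3-serco-export-bucket` are committed without a comment saying who owns them or where they were confirmed, which makes later review or removal guesswork. A comment above the line, e.g. `# Serco export source IPs, confirmed in <ticket reference>`, would record that. How the module treats `null` versus a list is outside this hunk, so it is worth confirming that a non-empty list denies every other source rather than adding to an existing allowance.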
From: Mateusz Kolakowski Date: Thu, 21 Nov 2024 10:18:49 +0000 Subject: [PATCH 258/308] Tribunals: update aliases in cloudfront (#8729) --- terraform/environments/tribunals/cloudfront.tf | 6 +++++- terraform/environments/tribunals/dns-delegate-route53.tf | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/environments/tribunals/cloudfront.tf b/terraform/environments/tribunals/cloudfront.tf index 7a2703c4283..489a37f5dc1 100644 --- a/terraform/environments/tribunals/cloudfront.tf +++ b/terraform/environments/tribunals/cloudfront.tf @@ -1,6 +1,10 @@ resource "aws_cloudfront_distribution" "tribunals_distribution" { - aliases = local.is-production ? ["*.decisions.tribunals.gov.uk"] : ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] + aliases = local.is-production ? [ + "*.decisions.tribunals.gov.uk", + "*.venues.tribunals.gov.uk", + "*.reports.tribunals.gov.uk" + ] : ["*.${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] origin { domain_name = aws_lb.tribunals_lb.dns_name origin_id = "tribunalsOrigin" diff --git a/terraform/environments/tribunals/dns-delegate-route53.tf b/terraform/environments/tribunals/dns-delegate-route53.tf index eb64f64ea4e..d2ec71520f1 100644 --- a/terraform/environments/tribunals/dns-delegate-route53.tf +++ b/terraform/environments/tribunals/dns-delegate-route53.tf @@ -72,8 +72,8 @@ resource "aws_route53_record" "ec2_instances_migrated" { type = "A" alias { - name = aws_lb.tribunals_lb.dns_name - zone_id = aws_lb.tribunals_lb.zone_id + name = aws_cloudfront_distribution.tribunals_distribution.domain_name + zone_id = aws_cloudfront_distribution.tribunals_distribution.hosted_zone_id evaluate_target_health = true } } From f69a8fe9956f512c204fe2337eec9c8616e8ae40 Mon Sep 17 00:00:00 2001 
From: Mateusz Kolakowski Date: Thu, 21 Nov 2024 10:36:32 +0000 Subject: [PATCH 259/308] Tribunals: update more route53 records to use cloudfront (#8731) --- terraform/environments/tribunals/dns-delegate-route53.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/tribunals/dns-delegate-route53.tf b/terraform/environments/tribunals/dns-delegate-route53.tf index d2ec71520f1..a73f3ff77dd 100644 --- a/terraform/environments/tribunals/dns-delegate-route53.tf +++ b/terraform/environments/tribunals/dns-delegate-route53.tf @@ -97,7 +97,7 @@ resource "aws_route53_record" "afd_instances_migrated" { name = local.afd_records_migrated[count.index] type = "CNAME" ttl = 300 - records = [aws_lb.tribunals_lb.dns_name] + records = [aws_cloudfront_distribution.tribunals_distribution.domain_name] } # 'A' records for tribunals URLs routed through the NGINX reverse proxy hosted in AWS DSD Account From e5e5ecaa9c75d174e7023410cf554fef9451865e Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Thu, 21 Nov 2024 10:51:16 +0000 Subject: [PATCH 260/308] Tribunals: Add circuit breaker to ecs setup for smoother ecs deployments (#8732) --- .../tribunals/modules/ecs_task/main.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/terraform/environments/tribunals/modules/ecs_task/main.tf b/terraform/environments/tribunals/modules/ecs_task/main.tf index 591416e7893..31cf4a6f371 100644 --- a/terraform/environments/tribunals/modules/ecs_task/main.tf +++ b/terraform/environments/tribunals/modules/ecs_task/main.tf 
@@ -147,6 +147,15 @@ resource "aws_ecs_service" "ecs_service" { container_port = var.server_port } + deployment_circuit_breaker { + enable = true + rollback = true + } + + deployment_minimum_healthy_percent = 0 + deployment_maximum_percent = 100 + force_new_deployment = true + depends_on = [ aws_iam_role_policy_attachment.ecs_task_execution_role, aws_ecs_task_definition.ecs_task_definition, aws_cloudwatch_log_group.cloudwatch_group ] @@ -188,6 +197,15 @@ resource "aws_ecs_service" "ecs_service_sftp" { container_port = 22 } + deployment_circuit_breaker { + enable = true + rollback = true + } + + deployment_minimum_healthy_percent = 0 + deployment_maximum_percent = 100 + force_new_deployment = true + depends_on = [ aws_iam_role_policy_attachment.ecs_task_execution_role, aws_ecs_task_definition.ecs_task_definition, aws_cloudwatch_log_group.cloudwatch_group ] From fdbe7adae76b4749e60f5ef17068e87b0387fb32 Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Thu, 21 Nov 2024 10:59:34 +0000 Subject: [PATCH 261/308] EM: Add role for FMS Database and new S3 bucket (#8724) * add iam role for fms database * raw formatted data * prod not test * add lambda set up for jq * Update terraform/environments/electronic-monitoring-data/lambdas_iam.tf --- .../ap_airflow_iam.tf | 16 ++++ .../electronic-monitoring-data/lambdas_iam.tf | 42 ++++++++++ .../lambdas_main.tf | 16 ++++ .../electronic-monitoring-data/s3.tf | 77 +++++++++++++++++++ 4 files changed, 151 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 46796740c63..39ef390469f 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf 
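Review bot: `deployment_minimum_healthy_percent = 0` with `deployment_maximum_percent = 100` lets ECS stop every running task before a replacement is healthy, and `force_new_deployment = true` can trigger such a deployment on each apply; the same three lines are added to both `ecs_service` and `ecs_service_sftp`. The circuit breaker only rolls back after the new tasks have failed, so the service is offline for that whole window. If spare capacity exists, `deployment_minimum_healthy_percent = 100` and `deployment_maximum_percent = 200` keep the old tasks serving until the new ones pass health checks. If a fixed host port or single-instance constraint forces the current values, a comment saying so would explain the trade-off. Desired count and placement are outside these hunks.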
@@ -197,3 +197,19 @@ module "load_unstructured_atrium_database" { athena_dump_bucket = module.s3-athena-bucket.bucket cadt_bucket = module.s3-create-a-derived-table-bucket.bucket } + + +module "load_fms_database" { + count = local.is-test ? 1 : 0 + source = "./modules/ap_airflow_load_data_iam_role" + + name = "serco-fms-database" + environment = local.environment + database_name = "serco-fms" + path_to_data = "/serco/fms" + source_data_bucket = module.s3-raw-formatted-data-bucket.bucket + secret_code = jsondecode(data.aws_secretsmanager_secret_version.airflow_secret.secret_string)["oidc_cluster_identifier"] + oidc_arn = aws_iam_openid_connect_provider.analytical_platform_compute.arn + athena_dump_bucket = module.s3-athena-bucket.bucket + cadt_bucket = module.s3-create-a-derived-table-bucket.bucket +} diff --git a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf index 8dd8f5c058e..2f80712abc1 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf +++ b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf 
@@ -631,3 +631,45 @@ resource "aws_iam_role_policy_attachment" "virus_scan_file_policy_attachment" { role = aws_iam_role.virus_scan_file.name policy_arn = aws_iam_policy.virus_scan_file.arn } + +#----------------------------------------------------------------------------------- +# Load FMS JSON data +#----------------------------------------------------------------------------------- + +resource "aws_iam_role" "format_json_fms_data" { + name = "format_json_fms_data" + assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json +} + +data "aws_iam_policy_document" "format_json_fms_data_policy_document" { + statement { + sid = "S3PermissionsForGetUnformattedJSONFiles" + effect = "Allow" + actions = [ + "s3:GetObject", + ] + resources = ["${module.s3-data-bucket.bucket.arn}/*"] + } + statement { + sid = "S3PermissionsForPutFormattedJSONFiles" + effect = "Allow" + actions = [ + "s3:PutObject", + "s3:PutObjectTagging", + ] + resources = [ + "${module.s3-raw-formatted-data-bucket.bucket.arn}/*", + ] + } +} + +resource "aws_iam_policy" "format_json_fms_data" { + name = "format-json-fms-data" + description = "Policy for Lambda to virus scan and move files" + policy = data.aws_iam_policy_document.format_json_fms_data_policy_document.json +} + +resource "aws_iam_role_policy_attachment" "format_json_fms_data_policy_attachment" { + role = aws_iam_role.format_json_fms_data.name + policy_arn = aws_iam_policy.format_json_fms_data.arn +} diff --git a/terraform/environments/electronic-monitoring-data/lambdas_main.tf b/terraform/environments/electronic-monitoring-data/lambdas_main.tf index 35b62e0b881..f45cebed9a6 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_main.tf +++ b/terraform/environments/electronic-monitoring-data/lambdas_main.tf 
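Review bot: The `aws_iam_policy.format_json_fms_data` description reads "Policy for Lambda to virus scan and move files", which looks copied from the virus-scan policy and misdescribes this role in IAM audits; something like `description = "Policy for Lambda to read raw FMS JSON and write formatted output"` would match the statements. `s3:GetObject` is granted on every key in `s3-data-bucket` (`.../*`); if the FMS JSON lands under a known prefix, scoping the resource to it keeps the function from reading unrelated data. The policy has no CloudWatch Logs actions and no KMS actions, so confirm the `lambdas` module attaches logging permissions and that neither bucket uses a customer-managed key; otherwise the function will run without logs or fail on read.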
@@ -326,3 +326,19 @@ module "virus_scan_file" { PROCESSED_BUCKET_NAME = module.s3-data-bucket.bucket.id } } + +#----------------------------------------------------------------------------------- +# Process json files +#----------------------------------------------------------------------------------- + +module "format_json_fms_data" { + source = "./modules/lambdas" + function_name = "format_json_fms_data" + is_image = true + role_name = aws_iam_role.format_json_fms_data.name + role_arn = aws_iam_role.format_json_fms_data.arn + memory_size = 1024 + timeout = 900 + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] + production_dev = local.is-production ? "prod" : "dev" +} diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index 4fda5db1821..03189aeaae2 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf 
@@ -1243,3 +1243,80 @@ module "s3-create-a-derived-table-bucket" { tags = local.tags } + + +# ------------------------------------------------------------------------ +# Raw converted store bucket +# ------------------------------------------------------------------------ + +module "s3-raw-formatted-data-bucket" { + source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060" + bucket_prefix = "${local.bucket_prefix}-raw-formatted-data-" + versioning_enabled = true + + # to disable ACLs in preference of BucketOwnership controls as per https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/ set: + ownership_controls = "BucketOwnerEnforced" + acl = "private" + + # Refer to the below section "Replication" before enabling replication + replication_enabled = false + # Below variable and providers configuration is only relevant if 'replication_enabled' is set to true + # replication_region = "eu-west-2" + providers = { + # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the + # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation + # Platform team to add a new provider for the additional Region. 
+ # Leave this provider block in even if you are not using replication + aws.bucket-replication = aws + } + log_buckets = tomap({ + "log_bucket_name" : module.s3-logging-bucket.bucket.id, + "log_bucket_arn" : module.s3-logging-bucket.bucket.arn, + "log_bucket_policy" : module.s3-logging-bucket.bucket_policy.policy, + }) + log_prefix = "logs/${local.bucket_prefix}-raw-formatted-data/" + log_partition_date_source = "EventTime" + + lifecycle_rule = [ + { + id = "main" + enabled = "Enabled" + prefix = "" + + tags = { + rule = "log" + autoclean = "true" + } + + transition = [ + { + days = 183 + storage_class = "STANDARD_IA" + }, { + days = 730 + storage_class = "GLACIER" + } + ] + + expiration = { + days = 10000 + } + + noncurrent_version_transition = [ + { + days = 30 + storage_class = "STANDARD_IA" + }, { + days = 90 + storage_class = "GLACIER" + } + ] + + noncurrent_version_expiration = { + days = 365 + } + } + ] + + tags = local.tags +} From 9a8abec56c229c408159829899a836566459d26d Mon Sep 17 00:00:00 2001 
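Review bot: The `lifecycle_rule` for the raw-formatted-data bucket carries `tags = { rule = "log", autoclean = "true" }`, which looks copied from a log bucket. If the module turns these into a lifecycle filter, the transitions and expiry will apply only to objects carrying both tags, and untagged data objects will never transition or expire. Either drop the `tags` map or add a comment confirming that the formatter Lambda writes those tags (its policy does allow `s3:PutObjectTagging`). Separately, the module source is pinned with an abbreviated commit, `?ref=f759060`; a full 40-character SHA avoids ambiguity and is what module-pinning checks expect. No encryption arguments are passed, so confirm the module's default server-side encryption is acceptable for this data.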
From: Robert Sweetman Date: Thu, 21 Nov 2024 12:21:31 +0000 Subject: [PATCH 262/308] delete lambda for removing EC2 instances from AD on deletion (#8734) --- .../corporate-staff-rostering/iam.tf | 75 ---------- .../corporate-staff-rostering/lambda.tf | 64 --------- .../lambda/ad-clean-up/.gitignore | 2 - .../lambda/ad-clean-up/build-lambda-zip.sh | 62 -------- .../lambda/ad-clean-up/deployment_package.zip | Bin 1350761 -> 0 bytes .../lambda/ad-clean-up/lambda_function.py | 136 ------------------ .../lambda/ad-clean-up/requirements.txt | 2 - .../locals_development.tf | 8 -- 8 files changed, 349 deletions(-) delete mode 100644 terraform/environments/corporate-staff-rostering/lambda.tf delete mode 100644 terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/.gitignore delete mode 100755 terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/build-lambda-zip.sh delete mode 100644 terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/deployment_package.zip delete mode 100644 terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/lambda_function.py delete mode 100644 terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/requirements.txt diff --git a/terraform/environments/corporate-staff-rostering/iam.tf b/terraform/environments/corporate-staff-rostering/iam.tf index ab04adda575..ac1d95191f1 100644 --- a/terraform/environments/corporate-staff-rostering/iam.tf +++ b/terraform/environments/corporate-staff-rostering/iam.tf 
@@ -42,78 +42,3 @@ resource "aws_iam_user_policy_attachment" "mgn_attach_policy_app_migrationfull_a
 user = aws_iam_user.mgn_user.name
 policy_arn = "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess"
 }
-
-# AD clean up lambda IAM resources
-
-data "aws_iam_policy_document" "lambda_assume_role_policy" {
- statement {
- effect = "Allow"
- actions = ["sts:AssumeRole"]
-
- principals {
- type = "Service"
- identifiers = ["lambda.amazonaws.com"]
- }
- }
-}
-
-resource "aws_iam_role" "lambda-ad-role" {
- name = "LambdaFunctionADObjectCleanUp"
- tags = local.tags
-
- assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
-}
-
-resource "aws_iam_policy" "lambda-ad-policy" {
- # checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
- # checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
- name = "LambdaADObjectCleanUpPolicy"
- description = "Policy to grant AD lambda function VPC access"
-
- policy = jsonencode({
- Version = "2012-10-17"
- Statement = [
- {
- Action = [
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:PutLogEvents",
- "ec2:CreateNetworkInterface",
- "ec2:Describe*",
- "ec2:DeleteNetworkInterface",
- "ec2:AssignPrivateIpAddresses",
- "ec2:UnassignPrivateIpAddresses"
- ]
- Effect = "Allow"
- Resource = "*"
- },
- ]
- })
-}
-
-data "aws_iam_policy" "HmppsDomainSecrets" {
- name = "HmppsDomainSecretsPolicy"
-}
-
-data "aws_iam_policy" "BusinessUnitKmsCmk" {
- name = "BusinessUnitKmsCmkPolicy"
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_secrets" {
- role = aws_iam_role.lambda-ad-role.name
- policy_arn = data.aws_iam_policy.HmppsDomainSecrets.arn
-}
-
-resource "aws_iam_role_policy_attachment" "lambda_kms" {
- role = aws_iam_role.lambda-ad-role.name
- policy_arn = data.aws_iam_policy.BusinessUnitKmsCmk.arn
-}
-
-resource "aws_iam_role_policy_attachment" "lambda-ad-policy-attachment" {
- role = aws_iam_role.lambda-ad-role.name
- policy_arn = aws_iam_policy.lambda-ad-policy.arn
-}
-
-
-
-
diff --git a/terraform/environments/corporate-staff-rostering/lambda.tf b/terraform/environments/corporate-staff-rostering/lambda.tf
deleted file mode 100644
index 1e1a227dbf2..00000000000
--- a/terraform/environments/corporate-staff-rostering/lambda.tf
+++ /dev/null
@@ -1,64 +0,0 @@
-# START: lambda_ad_object_clean_up
-locals {
- lambda_ad_object_cleanup = {
- function_name = "AD-Object-Clean-Up"
- }
-}
-
-module "ad-clean-up-lambda" {
- #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
- # This is an internal module so commit hashes are not needed
- source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=v3.1.0"
-
- application_name = local.lambda_ad_object_cleanup.function_name
- function_name = local.lambda_ad_object_cleanup.function_name
- description = "Lambda to remove corresponding computer object from Active Directory upon server termination"
-
- package_type = "Zip"
- filename = "${path.module}/lambda/ad-clean-up/deployment_package.zip"
- source_code_hash = filebase64sha256("${path.module}/lambda/ad-clean-up/deployment_package.zip")
- handler = "lambda_function.lambda_handler"
- runtime = "python3.12"
- timeout = 60
-
- create_role = false
- lambda_role = aws_iam_role.lambda-ad-role.arn
-
- vpc_subnet_ids = tolist(data.aws_subnets.shared-private.ids)
- vpc_security_group_ids = [module.baseline.security_groups["domain"].id]
-
- allowed_triggers = {
- Ec2StateChange = {
- principal = "events.amazonaws.com"
- source_arn = aws_cloudwatch_event_rule.ec2_state_change_terminated.arn
- }
- }
-
- tags = merge(
- local.tags,
- {
- Name = "ad-object-clean-up-lambda"
- },
- )
-}
-
-resource "aws_cloudwatch_event_rule" "ec2_state_change_terminated" {
- name = "Ec2StateChangedTerminated"
- description = "Rule to trigger Lambda on EC2 state change"
-
- event_pattern = jsonencode({
- "source" : ["aws.ec2"],
- "detail-type" : ["EC2 Instance State-change Notification"],
- "detail" : {
- "state" : ["terminated"]
- }
- })
-}
-
-resource "aws_cloudwatch_event_target" "lambda_ad_clean_up" {
- rule = aws_cloudwatch_event_rule.ec2_state_change_terminated.name
- target_id = "LambdaTarget"
- arn = module.ad-clean-up-lambda.lambda_function_arn
-}
-
-# END: lambda_ad_object_clean_up
diff --git a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/.gitignore b/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/.gitignore
deleted file mode 100644
index 8c4ada9706f..00000000000
--- a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*.log
-ad-clean-up-lambda-payload-test.zip
diff --git a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/build-lambda-zip.sh b/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/build-lambda-zip.sh
deleted file mode 100755
index ade698d613d..00000000000
--- a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/build-lambda-zip.sh
+++ /dev/null
@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-
-# This script must be executed with the Lambda's
-# python source directory in lambda/ as the working
-# directory ($PWD).
-# The ZIP file must be committed in that same directory.
-# You can test the script and resultant .zip by running:
-# unzip -l deployment_package.zip | less
-
-readonly LOG_FILE=lambda-build-$(date "+%Y%m%dT%H%M%S").log
-
-exec 3>&1 4>&2
-trap 'exec 2>&4 1>&3' 0 1 2 3
-exec 1>"$LOG_FILE" 2>&1
-
-readonly SOURCE_DIR="."
-readonly LAMBDA_ZIP="deployment_package.zip"
-readonly BUILD_DIR="build"
-readonly VENV_DIR="venv"
-
-msg() {
- echo "$@" >&3
-}
-
-dependencies=(
- "python3"
- "zip"
-)
-
-for cmd in "${dependencies[@]}"; do
- if ! command -v "$cmd" &>/dev/null; then
- msg "Error: Required command '$cmd' is not available."
- exit 1
- fi
-done
-
-msg "Creating virtual environment..."
-python3 -m venv $VENV_DIR
-
-msg "Activating virtual environment..."
-# shellcheck disable=SC1091
-source $VENV_DIR/bin/activate
-
-mkdir -p $BUILD_DIR
-
-msg "Downloading requirements..."
-pip install --requirement "$SOURCE_DIR/requirements.txt" --target $BUILD_DIR
-
-msg "Copying source files..."
-cp "$SOURCE_DIR/requirements.txt" $BUILD_DIR/
-cp "$SOURCE_DIR"/*.py $BUILD_DIR/
-
-msg "Creating ZIP file..."
-(cd $BUILD_DIR && zip --recurse-paths ../$LAMBDA_ZIP ./*)
-
-msg "Cleaning up..."
-deactivate
-rm -rf $BUILD_DIR $VENV_DIR
-
-msg
-msg "Lambda package created: $LAMBDA_ZIP"
-msg "Full log: $LOG_FILE"
diff --git a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/deployment_package.zip b/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/deployment_package.zip deleted file mode 100644 index 263a890c894fbfca18f962e1614822a9ea62c8ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1350761 zcmb5VV~}Xgx}{sTZQHhO+tw=Ewr$(CZF7}v+g1JT9ryN$zPLJyaf#o0PywCDE3(XaGQvS3m%Of7eLSu(8`@L-@JT7p%v(0&YzryUYUg8&5R2Y%LW? zZ0&FC&nKlaqfWw-uRawRN9knk_8nK>* z@vbLPENNy=I1nl9$jM-u8jjmBSahNS%s!cR91Qd)lqOrpT_dTeaY!`uRFjqO;U1Nw zYj5_!IvHZY6^SyFk&d6E_>%kElhJHS-i@>EWGpV8pNw;rLDMW{Je1R#aZ;+VXn!X-7Inxyj5YC6w>1{#j5Ty^RgLPx)?VQI zo&p+mduC&5KEQGntM=pYd=7-{Fk!uER0Ux`NN!&2Xx2@g3-lMoZ?wax;(YAW%Rjz; zWf3e-8!(cPUv1(lD{$N+Z-EQqhg*t0(Q!(|cFP-reOjyLVT&}E-|joQHPO)V>xQ?c zAQ=If2a%u_TM%dc3z(8)a@{eP=|XVNGFq;V-{wt)9J@u9xMpZWdTHF6!@fkdsU!aU zNh@uu0u#Y3+aXDdn&y6N`MrX#?%5mTpILHxFt4+c;>dq2boyVGTtq>$0Bh2E2uicH zXF80r43d?wP15SqbS+eOX#2Y|;(18(_}tioS*V<#v5B@C@UPYk!fbR{M_{d3S2&}R zLnsc3nd;F03PIaqxw&8UIrzaT8`6;2QBDI1bRxXW(SeDW+HwKo7YB%GV|~rjq@e!P z&&}-Dc=`BOtOCWg>aqQ0T*n$DFIw{-s3W}eybgr`mTnJ-fjD}ID0^;-T!jRlekGcl zz=1j9Y~#U=8*47{n|BCj9)uRBFbsTGE__$2=@+$(2+JX$AFz{#%`SM?pVr#G%Y^bLbINPAwNDN5V>*ZDG-(Am^!x#XoPZOU6YSZl&;V_ zpBT#>c3v^~eVhsbk3}znU~B%)5FaWQ&Y1%)yHos_aip8)vu^pz!LS-yPouJAofw<3 zK27!bsfc>+{ES+mBhYI9(jRkhxk3xAWF(FygA3*@@Z(;cx@FG4wB>%Y+w<|_YkMt2BM-^E1Y$zesKD^6UF{CF`IHyx%FBt{$mW;autJ{oZGB<5YxmkF%d&K8A(s zq$0pq#ML~1j{nEgm$Qqj@5|BGV+D%R%F|3@7r)mRT9KE_*USA$LIS&tkFy@#ui`Ll ziK?E_)T^^JkMvg&fE0*PTo9|{BO-x_+^N0Npx`b?UY1)U3@bNgg7PDF&&EN`g1%E7 z^9YR$doToQ9R*%o2XEXOa0KzAlW#u0S(wHP?c?Dh5J+naBzVIm%WiR6c`3XpZW3R{tr_X{oTK|6>`f6nI|RMXXx>>3sD# z_ZnyoyCE{yi~2@=v$87~E%jaFst7vvV=X9xhyonD;jyR8S|B$ZL^1lSzhY*)8A=4R z8WwC@*HF*zQAFMcKA$!-uCUMdXGJ=F#pj3?s$-vq&I_LMYNe6QfNmSD-_YMq8f$$9 zw0=sbSyP{sNQ;+@*Nn7FG+b-FPTM}8p!ETc6~^7py5L_+99+D_kQULQkAjN}B{lYj z>ghwIE?X`Jzcfx&$}(h?mG;$*#Vb#RYo|*pND8>HIDE&W=hyS1B4UL?f9Sx10 
z|Jy?U#diR)1kxKY001{+007MYy^x`^v!jTq+5e0A|HIl^)V1xfI8l7#l7H=&D}k0N zEjN6OvZRs|(QMEfgUhj7P??y)ws5Vjyb_OhZ#nVe?qQx9wP=+fUOIeEtv(lu#LLLz z&Mu#h7-3kQOkszxqr!0=0y48?L8nPwk-#=~zzRYcfVQYjMp^%|f=@k<#=~lLWA6^4vV&RPwjX64+w0OeCJd%X zbg?sxanuR1n+6OqpzUpA>3{6cYtEc-f7MIP?aOMlz zNY)0GyTuz%2b~3cdeJi@EK=%L(RwzE>7E@1jXP=BQ^4q>c^u56q47nV-IBL4pT*to z3Hxzf$Cc*J4h2znQH{IWz zfYFgFpAEVAabd&S)_o|q_vYxy+lK1;W6RZZP`){Yr_pI*j7DpdIVyAdhP|^wFwGgv z+;E<79v|QlGD$Ry`f`O8M;%MmW-qDoNY{ZUU3M+J;jYL$cX@@(!j{#N;i6&C3Q}eH z3)bn?)NH@Z&f?+Wby90Or|9Jzm*6_RbV{4{EL#CjDu|$_I?<7^dt*~<+lqEz{y1>s zz=uArZ$ICW#VbdPrv2tPs$&Yyt!(~0+j+AuXHtznqNM_*R;kvPszLh9beKeCn?u5s zElscluzzPQ5CmMFo3LTZ)Y|{ft=oUOzNPx-gMF-Cw0W z)vDAl2TsxKa;nuwQe`8(wd_eS(s{uDsWwh6)qp4;ivUf6EHD$bm3$#b;2aVM*lyA> z$RgfIKE}{iN~`twKo4(3NhsJ;wM6X1eXc>4-ol$u)Uw#Tv}f%=cTMGp4Zu*?W}qzJ z->~9yTQxF3>-uZ($3|)dET=UjRbm*?jAQAXi)~@v!9p1Gb2o-18As#Z11rI zqnLH4Bx;t${`?|rH0@{>y5vdDBttk=VKCM~Z@DB3K0EAOdgQec$mbhSQcg(O!?c3_ zDwlH6zWpUX#k%}r#EpKOzymj+vnc7*B~E!Kic_aF%ekQNbcepG1u6W%U6-P3A}rB> zKs>^Nl?z`*p;m_#R(GXM*D_%TGAePeW9#5C+aY`Qi>*}qF!T=jnZv1Gsb`K$n2ud0(ofVkgav~prxWlWz2Qk1m@c?5R6x;o6b!|~TkytzqrSY_SY#b@$ z^=GM29TZVsm2r*I_Q@MP1iDbC$p}saQ%=cfrJ3k9Wh9nca9q4nH(*0#^=#6@TR06* z6}{qloengyiz4Kq2JOrWA9|I)1=z*sMaJJ-g!|WUx5;k?{T;3A2QKb}^>S{iQy&bX zZb_|ONzPdJLZPjF)yhe#QY6l1|7r=s#H7~$~YE=~hA5H7c;I!^g z6qjA+#w&(-4%qbXt=rB`SB=1@x>Kry4FzS(m4d}r7g0XM+#P7%Bp6G@0~RY%yltFWDs%AopM>%c87wN@xqX*E$wiu!fo$c= zxPZbU*obzwSfQMI)aN%E)F?f0qvz#g=nnOV3NAf~QtRTF#N{eyZ4TmWI+Sk;m(^dE z0moO^kRVd%JX4YotEac>sP4mvc z{1mHW&@qM8LMdz$%gL{E#wrh~Io~DvzAbwi@wME642o-=)H2b!1GP|I?vIj3cpc$g z!gI-fL1UnDGt}i`aPe8K4p}NiaUh?`e%;uv1^4FFJ-}{%+kVN*{{a4r#Qz1*VsOSV zxPQPN%>V#^{htA9Y2@N;`rjb*TFb_1lMU&oR=*)lMr={FAm^nNf0@InQl=}@fhLE9 z{J9+qPDTg`J5mK;zV_$)8i+ttD%pDMp7mzM#yU}h<^^_+F4g<~K=c~)r>ZBoc2DLW zAQ7XN-}{mN^e)Ef&G?!$)>(;FUIbfi=qPl=0Ydj{24yK|+oS_&-@5jR#y!Tbm%o|} zcTN~`iQ&NCFHMF*q7(tt`aP&(SQPx zH^B*ypz1Ou*G(uex|+Z~k-)2Tki-@c-a)4y79Ht!Kg^nRstzJv6NNu z2vx-5#QP-lM_jT!|rle-;USHA(woIEe{o_kU#IP#wR4sNUg 
zNk0f&4Cl~8z1M?k=HP)5`+58hxc=}Y1)S4eo6QPWBrJx#$dCjUF8xAvQYZ{i26J|t zp3BEOuo2@uW0~zum+?qZNuH$-vs4x+x6h!dop(x5Dc9@l0;3y+FhWS69?Ibes{oOZ zo!JzvR(LpDJG&gsY_5oOToE%=kGt85l~N*20iuaS$WS|!QJseppBs+#$Jg(}or#h) zPCi@HHDNdV)$`8x?*^}v*n8KbpVL9!+s>Ug$Guo4F+Q!SeZM!IFxlRnbqDi#*$|mv zY7nsW5;;^%)w_~$2-O2g)ci+Yyw7&tgN%|H2(iQ2H=`ritw&>)NO3^>i&(AoNBExo zw?e1XUHI+U`;xGIgQJ`0IqJ}zSAK%J$bbT`9gjF+Q;#B()J?{WmNRszsaj&Z=6+nb z&mpw0EzIXmS`3)aL*KTzhxWc$MU&Tdv2av!Lz=WLa_j*E7er{fBnV-P@iLwK6P?ws za7jp9Q#V!OjvridmQB`ve34%7qrFg3O7Y=&5ZVoE!z*!1|2c|O67#`4foZw1yJHw~h7@A8=l}>FH6zufsnb83qL2Ux!H|K((hpeC z8a7+VjJ9~lYtjjC&7^@qZo=l|kgk^*;Li`!EIZ6?shA@=Al^{9=%WP>-JwSd%_U{- zZ{4QL76Eld3zh{UVOEw-j_(PZj%S}m1=bZL-+vxwQ` zjP&qU2@b>V`79>O{ftft@MItldedlTtex`~rS#)@8Ih70`6ZwuKa|BHRt`rD8AZHjW~%_V*8Rw8mN?xWB~MSr^fN;4GM?Ug-j)_9E3EZHRYCC zp`c1kTG2+Djxa_31%Rxgj6x9Z*1;%1fa~HswkX-_!9~RGO{Mwxjqhw4tW1}z``rBy zwTF4SDxt3{`^6c|CyFZvw?E{6mf%lP!;xRPeqQA*jtVtu`EBEk1uW%I6h(XOHj)~L z#V&4R8;66sue4H_tk^`GBz{n775t(Ei_+ZH?N%Lo1FKXFYSf|;sx5mt1Yo+rJ^Z9+ zKJP5hK*a`HL0hfaLg)fW$wG3Fp_8(+n^}BDQTg6;5ti1pOyiAgXXo(`0b>RHrL{~GGG2{hVZ^UL&VQGl1U1g>s+Nx$j zJNI-^h7QO|5lMmLGd%k!bY|S8%*hEX$wQ+;ACviIH=7_uw@P7N60*xoRx)+nX2aQZ zpByj(45DuINP)5n}>(s!sz4& zDw^a4g=SsCTL#ZY!3XIXO)94v@VtDET>Am+_P3z0$BFHoIq963v>;EsM6KG+eg5xw z{Y;sB!?UNVXY=M&5d}w(g$0DnY;AEP_$hW-G*qur+4_qPYJRtYCy(7O=DmOX!p!CSd68Z zSnW6~o!xh(#pnomsfWS>0Ywt0b%#h2`&AQDW-Yc_Oto-Jf^2+ogRS0*EJ`)2`=?a* zQmoIXR4?@!&qoAWxgJFFbZSju|3@48@QjqrlVyK_KuMJfTcx&Nh!e!MG;%&##b(?R z)_X#b9^?kUn}wBHcUvJn;Yl0X#zgF&(e~s#8njN++7k``Iz{oQ0<+a|hs}~qn zml*N8otD>_6KqE};nc`S$pL``%C8&E@40cgBu}li9C%m;TXKx+8pKstE_C@%G%jKJ zrgGmW@j06ikG(1djRN`d8+@wDBg}f50@MJLz-(%C7 z+W%vh?#GlqH~r0H@Z;OEjk;oy6{1PuLl#)qm_<`p*OtcssoD!VUMkNv@H?w+>(zDV zcC&plORqQ`HGqqcnenK+a;c^(a2aRi%0SnfP1Qx-H1NH{g4WC5v6MPOuki!@ze-F} z=1Ut}U;qGD2mk=A|6OA0>s#7dI_vBIHwrUG#U}1R4Ccpo@f-Zl=f0LDv{##|s*Qdz zN~2c-K|aY9lqxD#IH58rvxOPZfv?YXe6TLW_5-1z(Psnx=l#~!miL$aP+S~-Z%}~X zJ_BgY-qiMKo|jwS(+z)8fQ{ZclMUXU*0jTs{2g&m@0PBU 
z9FwIXtrLi+U5G>eT6~$2*KQSWC9w7y7-F?vR}aG*0J!d;6a_=N)Md0zYODYbM9ND` zfKZvEj{(4kS|ti>JIp`&F)6l(MlREj8q3W{F?W@&T_ zk4iwCj+9OsP+aC+NRrkzkW?e~-+~6`&`&Z|Sa;|RhS}FaMnGWCDF=Rq74Y$jLz^?u zZ{#VI;z|ML9#Sz(L&UM3X(tV$WVAI?Uu{)wE_cYpx+F~?J&rJR`p9mEj9;l)7NN!i zxHyHzzbA?D5%GwVxaGED7@rG!)FJMEU_}HO%FlNgBn9|mcN`J@K^5qv0|smlMCr4I z=Oiy)0E~{B;{dm9?z*s18|j6}Ol`3DoHJ`m2_8@xe+g$iLL9|Op)?W(e_mlQrH{01 zs1{}U6(I8gyo4Y`zt9_@kH~F4EKfin16iwx`Wcm3| z8ov2GySW_>NSoXdg9U;5hROsa$wle<3_l?KLF4=zMK$9neB!V z<`&zPj?DK_$OZQCUc|T>rY~<*%8W@38eGEAY_39t=`%zgM>xWbOJ&-PEo+KEHzApZ01|jmHBay7CShU9B0P#C?%u21^UVtc;bW6YOH86*Zi7-jU+? za?%ecoN5A)jSAeBvwjDO>Zs5}ezfWwN*BYEo-YeW?>(zhaI3=BhFb+w^(U z`Z~6^Hv6$@xi<7zPYTh^YslmM{(VUN&vx&BI3()p+j|%r8e5p^>;GR^w+z->4Zm3b z#IpPV04)D$TllY{c1BjF#?JpTa*gdhoGt8ZX_*-r|Jg5$|EJ^pFK74v6W$JU*;r$X zyLL^%CmbjhlSn1gL}*PU(r$dz<3hHYXtvT!L?CNR(U8Vsl3;6fHCjFj=ju+N32v8g z0v9M9%DGt}5Qbxahbv>B7yKmPi)~VSgK8a-uWk1aw*tYS0A~78Edq&sl-Ze096t!h zI$iIpRgL9jyzX>oczp7i{S#r{SV7gM{@FAV=NJ9vHtn?T*uDKl>>o=O2%!i-OQ*m! z7J`w5L>s_r8LlRz=Gg@CT1IOMyK1OZP@P6}9L^>ruc(Vu8`B|FkA`hvbQ{O5f?SFB z6kkSu4DD{%P@tvcE^=x3P~i2bjr}l!EdYDCiewx8BINflE0S$EQE;+Ww@|MpT}Ju? z+cLT#WYZu(A)pNNOhnplrz8~f_a`Kzu($aL9O(dLjt2GVM?l>#Y)Vk8DpKsAkc7@x z{B-iLF`8^79~ zp`u^M>~uCK*Eb=r>+WK?T8)|edE-)f30b+L(ML^WifFNt9O<5;K9=M_P^@ZIGdq@^ zq~`AtMd>%bSHp@@qvx2f!l>Z7&V}lyom`XdxUSwLo3#PY#6i!FfB$Xh}GZ zCfc0%(bVCBghpoc^wj)K7s(`#y#e_#wFN25AJLv*?0@Ol2bF@GhjZl$6 zhh$iF;4>L&BP5%@>i}H6R5{QY0uDeM$zRM9wBipx*96bqLw1`|FBpPTm`bjW^W&?v3r&M`uB(;tRQ5-Y{ z(P+pS6na?4F$m(SRM{lsWnJyb9+Spg5Cpm?9Swv(S}ZgUl5vEoyIvyEy>#&Lk8yFq zEk>FK3ZkBcq`6V_f>U-Uk%^@6tFN656A(Hr`obpo6?oGA%5S(-d*#Oa`^PP3Y2d=rwFYQ(@y{7Leo-( z51`yWmdQj?(SQ7f^W>Cy&8V~Lx#A|E991^SN6;@n&HU0@j8=hsafg_a^4I~Fw8(p! 
z_F0-CEMjigL_n8XM)l~Q5-N)I7`9!kCQVV*_Q;arf-rt%DbJ^yzeT_w_9xQ#O!vp9 zsVlI_EAL8(aUDo_G29RNhsJ+kuu!Y3*g87=NpG1H0qW>seaGqBR7a7mDYYX%fSOOF z{}|F8y#R?#s!d<|c*c0xsnq{ge9$c>Q5DKBqZ*gY>tt%?4-|4LJ()~k)h!m!K-#P} zvQdxvb$P7hHWr1Vv}j7Jwky3Dd01Sm(oJ8&7Zyc{Danc%(N;PowDt2$>4uypYT8m| znj+`+58|MEnB1K#)4aoXma(c2BuHw}^7nzbvZ>iyW+ustfbap~F|OB(=pd7m_hW>B z$`Q>zfUCC+(~=;tZ_vh&UOq|D<;HhpC#+Sv_c-np@1f{Dc)tDqfcVFq#YI56d#zE? z+@}llJ(vT1VMU({oDhLp!pVsejAn-h#FBlRQx7~_Id&7QQ(`)wz z&`+y{ora|mL;E~p01Df2ONfITJ9xMgU~zOXa1iay4u=;BxjTRc-j7O*9(;TdAiAag zKv(xI$BPjo@!&($#*w~Z?3Un%f5b`f==EdCOotaQY4`!!!6v9f0l9nPrCM?n?8BF{ z%~sNe-?{y#tEwr2*HhMx!;aZKe1AWj;T)6-?PNR~XgnrExgKNf0myYTIh`SfzWexA z*wIki1iziDxF)vxybo*M@LjYJ@o^{J?)Io*rN`InL<~@Xt~q0!P}}yIMAXnN*sB&7 zP+rie*Q<(^@Bok6(y-!T&kQe7*kf%AKQ!P2D-eB4EbnlXxw|A#O(^k1A44?hxJ!S2mRwcUVD9FVhSAKcp6Zib zm=$O(q4hb@mVXqxwfloIXSm{op?*8n`eGejGRNa^Jvb6;?JqrNP#v%vOPPzf!W>uy zZ?gHx8~|vs&RuYoqx33QQq#6|$vCo*a?Kr@#~dR#(m=o2lg6T>ij%Y3iM5JutFNdd zxPm$?(|JQz1)Owr{-^6>ar20BYL(ZF8?ONus!Q9{&HV4SyiUtz@)~C|sL)kMllVP| zD*U{9S6JiBbzW=D=GwJ(3oUlpO?UM&TzL!dW-{?wG25%EMT>CNT3StrX8j!U@v>Xh^EQFVHAv6#<8G@>^-c_Ly0SO9>h47J?U9=CtC@@?jtVw7^UgqZ8KF4; zTiC)aTw+E91>8-l5o4Ppw1ueRATJ%Np#`jmSn>s%@0mwTmfB89+ z%~w0+Xs=*@7xh*?e^QKzk4(HzPyBb!+uoA5P}N=gQTDGVNw43>L$I)LZ^)4b@=Y%l z{YAVH#IMzrw}r$5D`j09_kmcOhTJ%7%-?w*O+#^2SC*u{Hrjb9h4C&vJ17C@fg4G% zGOpnSwR(*yl#jGYS~KXjNMNX-E(5D|7M#*|DM6&%VEuK=O6HKf5nD`SD73&^y1}{) z%sv(s0BhoGk?RvA5WF8%h*Eah#&pkyWKdjLO65DqWm$w5g{<1h<#;-@upEJ1n5XK9 zUf?r_aieIP46&HGJqzl?zmh_TUXgNxl|mAha7I8Or;YKAMNGL0s*J^3Hi?Ba#V}l@ zh~V;)p_h_Og0?p*j&^k9q^Zf9o3z)Y_tBIY%RvyqBM_^I!m%#~_Tht}{M`__f&v_9 z%hm2n0!;!a`I-cYi#Ur&Bnb&1LSYWf*uc`U>>x+>Byegv2ydVusk*lUP9uZV?`px| zS{D*`i{RI15Wak&n4M0cd}IAU+m@^$Jy6!ah_Te9Usw*=`@rEG6KqNE^smy;>2!cj zVYq^aVrykR7qtb^e;~5{2Cb{zEHNX5@z__?B%L>Du6kWwjryi+Kc-)M4Zm#nd>AO5 z^WV=5hsc~IVntFRGrAC!K8-O&H7?ToIq`PH?A9(#`|am7P5UV=!+K(+-N7e=K{(It zQTcCz@ZC38=Gs~(!I^4%E~f_lrNAXJ@F_INGDF=JTybL%zOg>_-+&}ba>XY#=mC@Y zFt%GGwp%;lemzCG4Zpyhh|kK$8@ZC7=K?wUi0$HI<;bqUAN|hGmt^OS^X7E}hQ~tL 
zby#uZIpqFv-c-xqa8vXTJ|Bg z&F^feK^ebsqP2vQHz$}c1~$z6^&Od{+}9RT#}5aRfY+of=_MnH-icTz@%%Wk`iF-r zCp^kn^7HM|?f^~gcV=b7Oin)5UbHiEEzbnk1?6RpHxc{~Oy zkDUDj8y_>uPYr*9H&nxF1`~Qr(!SSmPH41Lvw@Vf^<%8DBq!_*S|%n5Ae$Bx{rU4} zZ>^DQ$b1KN8B;MwQeb79u85WY>>hgScQ^kQ9Ug1O;BMpB(t@4w`R8licUziCnX;)j&@CE6s=ka*u=Mvq+j+xumBjt9z}8p3F3jjku2ZDy%;MdJhDey z!q2%PatXi37F3#5=5!Gs9#WTf)?jtBnelD?j(jM~$?Daxz;Zi_lbk>fMKDR=2FjYBmL{@iM)&*)MZYw#06#1wZ!$wZ7pR(8OkeC0Z3_Y zR*&SzI0@J*3Rt{mX|u+mS*A?|l6D)JL`jO`ll0r7dEWJ6<4-#*o${R$?WK*oY-Zb$;28dKG?c?f2K}9CNIIhoj+y z^y;U~gpzXuVMyB^kSJV}4v(K?vgG*i?o>qF&X!m>^ z?{yr{b(Y%55-gzn=z=btr>fplorR-`#4U-ZY2O1)UBko|#|YIh&dIg(c;AlW!Hnim zUpnjrO-oi{j81T2CxtT*{+|;jz|m~_3D#0RY36{9N%uh35tVU}3up|=QWoTPx$SzL z{956w`?7O>i@a3|qcY#SePmkV`*EA%L}y~m=wVaDks-y|W+!NhH)|<9MslhFD;98+ zOj)gHF_RfISsiplNkwPyPfc>TCSnaI4hsSx0rsehErEx|L;@4d%PVb9^I9Ri2(ptJTml2W95W?#5v*FLunX z5GUWXm43InRTsBY?w`4~D{XtQNy4D<$FV#ZD(#1JJ${QF9x|3ZTiX>~`oFS}Aslp41u3R?!|Y zQK%;HOB-tLSPHtLj1Lf_ZVcK*{M>?x<}J~VBlUEkJXCD>S7B=774pJo8aIY3@+6^0BSq}ziBi1pYqm<(pKPFJ4WtM z?iNu*i%af^Tb!xCR6yMN| z`XGrv{)S$&1+(;2cA;OUVX7K> zskD+0z3@<0OIeNvzDDRk8esJM_2W}$IAv|fv<`eiO61M1vR1m}WDRw?Fxhs;R2He=6;pyy zE5Ryf>vPT;vPi2;UrU6PHwwUPNC7h{J)?@%tgS67xAB#)-mdZrjV`Ft5$2@L%blyC z5DA!h%FVG$d4;@prAvrNpUT&H`FE%!_%=QNJP({+K<`_(JDM9j9z?h+i9{%6nXCNb zmP#AeKT7|Colm_ZU#WGwx+U=Y*H1_(qlb5ky#@AlG|1#-0>^lvL;JT~&vUCxNRK_d z$B06LEm+`*6#U>btVEd{v|>gzWpsl z97G>fyesLhK>~MP)nW3HWs-AOw+JwJ4Vk1BU2obiD>xl|j9Ub3E%N{F-uwmyR*|)4 z8vLaH&}01>6>>U~gBN|GqVt5x8h)58q_Cv<0icrNv(rXm75`xdKq-m-3(yk{Na%*q zH7vRh$OTHUt}|bohDFl3MT@g1#P&e9KWVa;TVMp>aD!l;UpeXBD02 zTp}X{YtyGwG{b5(t=OZ(F@?pHHl3~>@m0P#UD3FhRWZFKHJ6b;GtR20oT--&Iwc#{ zvFcr^#&g0!tD#Oy34P$3$#W-^Ds6bREhRpK|B^m8FJ-niP8kKOd2>{AAcKzaDCVa@ z|L{xtVaR7ry&AX5nwibGA@D1MKa_FQnv%zusApZ}`dG2a%%}4(Qd;{RCoQhI!6ZbsjvuMehOCf`f{5yexm~ch%OW#|A~wef4=`me*m+JqgU7ZiW{w zLY8`w&4x}+0wN+MN<_P5lf+dj2)QgvdJ_SPUc#q5UR4!^iYjnf%159uU+M`kf(R9o z1fgrSu$o475?^3L>Nte_WZHeLt97%TAaS9Amz$ZJo7?GxdzZ5*aOHeaQ{ItzB~VgQ 
z!^(N5=+CB!O^-e^9)U=~I1QWN!*i_(xh*_Fj&dDS}-i|9v2#AHXO@zUq#(&+Yj(;a!+r{Ml|PW6ulEvQo0p&(boW zB=5cJpM~>)egJ+B#ve5P9d@L%yaRBcpwa+?mH>qKfPt3`%qty;x-ARF%FNyylC3sB zB{yA!!_a7wk`K#jO<$`W6T=aG69fFAemvo1thye7rENe)cOkgk9k|egfq0bcw4ld> z!Nr$BD{n(pEsZqv)x!Z79s8-eHNqjD)`di<RGoPT zqdi1oxEB{F>L>HE69A6~9_!CXW`tKdZ;*_=bjcxnmLsTs5w(W_Ilxg>iyBCv6Ig3> z{9X=pP3Vv$38M4+QC&F{gsL1dPSOXZeZ`j}WF?@WVg4M(x84GD>>Km$xZMIN;21xp zM`h-hxPqj&Daum#zc=jZzV!HSdmojXa6lADu((T?@( zYy@2wZF2v7?)ZxAI{5&{NV&~1x^eY$c^VjemA+q9%q*~9VOndRaT)2T_1b>*!gJ;4 zqH;)LVyARWssycz61+$xr+e)@MDwBAceWFGfuHzM{8Fv#AxPrUvD$FlLh@2}SR14b z%xL2vaX4gRr*k~yzQJ1G4iwZ{hbR*4jS(lCN5@u+g}sy~?)qxH43|i}2pua6%I7M8 z+?dyAQ<>gJ#7T#{C^v5Mp5m3~gmgD(pxnJC<2~x7G(%GO&46aErLA0*x zX31t|O+T-mgF@wRRoFxl?$e3Ly@@~86p?Y2c+q^WulBC zZChoh6&i-nVd(!Gw~yL7;#l!Z*U_d>Z`oK93vf4rcDE9WU>m_uqlV0Q%hH?%$NyqR zk4^+Y4eZ;lOv+Ysen)H)8?kFnF?Dqk`n&6C4N)<9<>v4W$h{OP2C z{MIn-9w8DtwEY9DRtQ^czmU!VJp@!%P##o_=S^-f=tvY-3!ZORGJMiUB2r57dUYCE~xbFpZT>T6_YsxJBl#0HZzQab~1yWw7M2$X_6b z9?>wEB`f)!!dveWY#U?MQ0Mhs;ZOHAV8Df$f50$pSgzrMj}7g=Qwty^7_s4o^^RTPp{gi z_C3yjP;ybB!)o`vN;z?!l*89B|B4ff48d~{#u(rFbfl<-$LnD-UyWIo0dpC%nm1hM zS43Oi-t9TjZ2|L$=AZ2_36w^Svsj7&7EfY74;65VX<~e?L&8Ihu@~p?QLOK@7fH=0 zQW^)$+LpwzMLN--Z+V^X&>oXmbnak$nReN>_T2twp@6x5W|i@4Z5l@DA{^KVb(L_A z{K3PQ5lbto|5YfLzmE-BQm^6Bn}TcX5s1S>f`ssX5t>{uTTs%k0Kk}BL=Zp=eN{kb zISrZH3zFae4$njf?4EGZ-b_TBbC6u((4?TrSyJ^6kPw4;H(|DD1fD6c? zlJI=f7nx~)0glE&IIR^sX++eEoEE~>)AJttR@X)0<>Li5tiCtARWyd#VWFw@IC>B> z5ru|ZB~WT>a-*u9?G%M$oKX8f0K>iMZa+IdlD-H$D z(m!T@ZaSpXh2ZVO7485d5eEa34DG#+Xx#r9D1>ITMO4LDf~!QEkrXr^-cAgRjqD-? 
zeU4mD4EzvvQkoZB$VOQv%uEUt8%CF`yw2f;$)#I2oqh@S=JOeKVQT&b_+K-4pA>vB zC)Iy$Ma}{MF#i9CZN@H+PIiv}S4mqBq&@a|2F2<&2Lu8DVB(%n06XD50;v)a<;5PL z(y~JFurZ0yq5uMRvA}*lRz4gQjz`;xsU^P+4EF~6T{T&#E>>0(o_R-|nN`NH+?(E) zt7_J3qHSqexDaZUhNMn}a!PRHSj(a01?lfA`}`T0K#VI}mbjqbtDoQRcaGohvcWj% zy#7cJF#0z-$UQ$|BERavdsiPZPE_&?zy6esw=9m zy2tVkju)J-x)+OHjc(MAlSK^qT2<3!w`bSRpL%SC^we2VLys4px&_;(%qudxUfx}8 z1Nu9(4d@=Tu61n_`oVMOTqC=P9+0%6*JRJBE7KiEua34sy?`N@Tq(Ph9;m)kkIEj_ z7pyPaCynlw7cIM-9=J5)hh;D9E7%<|FXER|ugvb57qc(DJqa+^uIufcq?aU)-eIT7P2=19 zmkqBTpBKJc%TLS1{C}dLv_(_?0*C{1mByj#Z|8Tf;BOe+fUPDJMydIfTSVuS%Pn~n ziX0&sH@q>`qIRsc_vUs$9CJa37EFgA=WQ0ln%~IjZ`ijQ6P~rxr_Qsz$;Pn|Z>)`D zt=w07{=wVXeCo3oA@|s^YbQ{hsWVm7yL^^DLc%VhTy|b&24?PScQ0!zGgkwiTIshk zYv3UV<3T4ED{C_Y`>hvji*i-uxr|)g?2N|sgGz_Z&DQ&N-@k08*bXq!`nc&?v6mpb zAd#7o)ZpNyHsxrWDVm$Z@iUCfZtHBgYw~k4F|yHQ-Y25!^NhEzwC(7)Q*vM}G$J0@4D%_fZxKnZ_W1Cd+~)+ zjYD#v>%eWGukE3Sz7)t@hLU?N9s=I$hIp8|t(Bb=w6Z`)o1`;OhmZH zuy}IabJ0jD5J@ud5=1b-#lXwRbAy@H#l*zH%FGn>%ESU-W#Eju*o~kfyy{&X&qBJ64J_k zF;k(!74R{MsOgqzbrELbvfyo}U zZoe17_G=z_M}=!{vfub9b#hK=eQIoPtxmqA=<|4c9Q3&d@?383f0gm>zuV=- z{4H!*=(N~=WRzPQFWjBRsmlJueG06eQ=Q=ZrM-E~C%GX%`<)Zn#kycOBNP!S=}_jC z`vD30m5IhCv(?ipvY-Mfa%B|3O^ixB)lv>dS-g)?T6dh-hf1J`d%#aE!~gd4Bo!It z(a@b}$?qc^4GCR8Xr8w~9qb+8Y2*>0UJ4|m^X$3wTn-Z-66!+R;$tU)+>7SeL3HMY z(b@t`_S?CAE>zONYg@y0UP#Oa)Bv&g)4$$Jq}@mKc{e?Tj97z2suJURU>b*wXAz|( zCe6mKD)@j~#+*MvDuVzng*7Mb!FwaX0PqL$!ceXt%{{;vuWc@Y${$k&`zll8?^&D-zd+0Ul>P6<}N!F1|?LC)bZ+mnlMytQj zsqNrhcEF*&Frx14PLOa*7=A7~KP??b$C=yr2@1%(Ec#b6xJkj8vBo{Fxu`+B ztTIuJP+hbtp{mp=KB^w+$Vx{`{RV1+!jksk+#8Auo%gvJt^-UfZi{EbUxzp+Ob6LU z#Fo!S$QCdsZcC^Wpu6j2!>KUsRRIF2!FygYLJft)^% zBrsG(Cmiae#9L7L!Y3f{kawC=B}+|B`v!YOji?4Tr9l28RfI$6LLSAD#sc=5wS1e% znvnEyf~cW1VW2j7Fc++bs91+&Et!yXqf4&NQg{QQfuvNAiEQ^KX?h`^jmq-XkQVYd zzgd(}mW5w?BVLWKlH|Ubzu2(Uf+ej8RMW}gh*NE$TXPDQtxO3-o1}hxk%@GmXnkqn zLcuot4KfpzAK4rXD~L_9r{kgVCtbwn4~(mX62&p4x9XyXM%-erOkUr^KN?ed#0~W! 
zLYo`b;aGB)=#5ILBXt<5aTa}$uy+aTs0!utz!_?>`JNbOrJ{4;V@1v+pE~61_tpU2 z2OrqE2?ICDBzgRWoc_yec`4B{@La48pSXDF&~ML(uk=9Wvw_2dAE1e;!Obsa6CRt3 zOD%P-b`|V28xbq4e(cZ6 z-!kKj2KUF9wJ3?5<{?)b3vaaj*w}=M3F+90fhY)bXP8YfghCVNS{`TOZqyv|M?7Vf5&qXVd8UPL?K=dgo-~!Z#bM{H^lQCG!O)gi+0?0`)H{j~- z!0ihJod`={%+LntkGOi?;}4)%C6vKb;Glqux$k1obN-IY>x}27IytVBK)_tYsh!KH zHdMfp-|b_XpkUZFm_~45j>i=N7eX&2kZVv2gN)yU+TeQVnqPsE9Y8n6b6hCGjglA~ zwBOz&jNE5cby-TO3-HJ8q~i44h#Wv1>#$P z=99F*;d(glS)oynEiitsBb7T|40YpnqeuzpTJb$@Z~++dUtpKj9E+7VtSg@y zV@HP9mAs}orYqug4F?3NZQ01>TL$o3OkcdKZ`{#0a{6Xo-^}Wpf2}JDFMZViSv6aC zp3@ERx&gqsmdKc~j5k_PCPQ7!RQ|s4`$o=G%bRLhQ|(?^U9@jwmG3yucZ{-gci1vF zSLWu+-0K&UFzAX72!pme)`+U8+cTC$j(p_dj3;>G2`KSMthyy~Bb>Wm)eH#T8SI3$ zvBJve@QX>l;T&6d4yDUKvpx2=lmB{>8=mEdXHlEqAxEI;HvB-*G4qjKbLWn^bJNP1 z`+0LeYwrJY-`I#yN<(+dVtc9l@3nuYWvA|N7u@^>H)nB&4SR*vAFgnPjeKDvlrco^ znM*!YMb#?3Fapobw=T?Zpk5i2P}UVW^%{F$FGZsm(lAg?Y~g=5S2 z>Y9Gk^r8vgYgqgf5L4-Xr6H2!s#-wX&>ZI)lnoHt@r)MpHov5{UAOY0{4Q zEcsUri82uSn;nHi<*7wj#CkGIPLw1~tx3KyEvN?78`U7@$*h4^OCgrE1cwC+rDf7N zX=vGL1cN46lu9E*4<(1ayyi?eLK1Xfv-3XJ}W9sgomj^@Rg*&C;HxW)uz>0 znpUF=m02wM-a$2%N%sjE+D$BpsPfm%esRYrPuq3Gx}qr_isbKgsCsI3AF@9YOCq|? zJV$j`yrv~0D*tsYp(|J4I5%B&7ej{TL3MJy(>32HzXj#5#rY4}59vBYw)e_P759+W z6YyWRX99D7VpTgdJ2gEyW$Ck^*U5DUIaxB*eX0P>Gz9Mg8%xYB& z*!(n3n`gN$a%>02Z^jYQeA^jtt!jZCFBGS?T%VpDyt%5eT*qAen{l0 z1FHs1`F`Wdk^zehR5E#J@GAIC(Dx^EE!iZ@AinJU;uQ0A?y`-2`9Kd4&9+w5*14T&j1w4iz<*;&GiG7!pzbA+*N{8~d;BzEPL4kt` z8{`{Nj4ED%?*e3pN7iaFhGeadYaIeX=x_jT4Kx~R3@m)+Ti^f{z|i10p)(9glpg1a zn;dCmWjyDOGXNNUTnRmbC>}q9W{5yGU;^R>6r-MUIce0X55S`dtlV}48JCNB2;O|? 
zHNOwhEdhktJDiA!g5||L2ImeQ9goY$xZzFf4)_su>U9R=YM5k*>{1J371z3aD_)pk zE=0s6r&<8fpI$tuGU5|jE)1ZAst^MFFnV=L%*xl7L>ivA^W~kKzVowDPJeoxjA^v% z*FQWF2|jAr!AO zK0U|ljsjgVNyhYsa9L#LhjSmyMT0M%@Xe!K)djxl0+)Z`*VkCguXD`6{+NOO}wrNiWsG!h>8z`AB}8ueR7U#IL$Yl=4$%+ntm?7pPjkJ&ji@> zkJe?@4tHgeBc91cd_=8O%z z5eOo~T{33M4`2VNYeV^o_DAPloa2g)BNDugJ?YrIvw4S|b#O(uKA&IWik3LjQaDk- zHO|*J)U`FgJ@c#U?Agm`zV=?Aw$MLzevzMlg#6dY zQHs6lK)(YK{^BtTHD;We#vbhEPg9AC*{XKV*ufh+puQW_<}lxNL3kCb=3Dx?`ZIj} z8LsHecHkxbZ|}0BbEx=1@(Q(GuwB4&e+NuTcJ`LxoPG*2ZdKj{k>d$A79_c74`k{DpxejnTEsUuXP3CF1F0d z>5lNaBZ$b;+R2R|-!Uk>3gaF4=meTDp+wi!bn`XcTz)sF??%%_Z(#H5KAPSz^Va@d z>&T9EgtK1Ytrxh)F}`t(%O86=#N|(ZJ~hYX&vE*>^?`jfCt+B$i%OjN$j_%gE8Lv< z^g7o$z;_OCZG(Kc9KzG|I7eu{HEr1UmD9%kSQNIP>68I*lfbf`-JeE-)6d451 z1L`sL_wYEc_^t4e?{%owImK-VoL4Nut~jq?V2_+r1i%N6)MgBiFGSx1%8B<~^nmJ| zP$aEf#2)M#7L};ejHY!>Cd~<345m4c5Q2y_N@V+!;}>uuO;}0h83D{jyj=zmef!DNC#VJ z%HR!2@UQr2OYn}%X9+ToEJ1%ljvRD5J)TDvK~n(O?86fl|AHmK zoNdodGC9W|+A9{a^t_C!)~cE_cwrq?m$qWy&a;#0_oH6@*!k9qs=qN*fp;5@`Q5;S7^M?oe)c z%u#kY`{tlNDkSYgSt{-}~K zY-II~U+x)80lUagIWfIyefU6u-oE_u%ipUBeKEp5$2pyq*I5q;t+qX8E`9&f_b){o zICC>^ZeF+j+E@_o{`TtA)yS3aJUJlLhW1!VW#r1UhhgJhzBxSmz4B+}5$E@-fr;H7 zv&?;d!@=HiaW@wD8w;Fe;q&DH8+^nquky>Q?Anu^WmE=nmwZgIOCIz?o>A(pB(CxI z@VE--2s|t>{HP64Z_H1xj;wLTZG3SXYiips zZCN+$>5Bhsh0|5>x+>_%(|da3pQ*xYQSasqr|;wSeXPE3FRwVf#^p8gd5x^5F#!D6 zKh_(G@8(u2{+z5-WULnnx+2wTkVotV6gfuCvWlc*f*K$F~kO~_nZg#KfLfVwpN_M;{ zO;)dalT-=ZNg2|u<&uPte0nmJ8!)1}MA(D+RNfUbOfmBaZ85q7RWF zy+ag+gmRfY)H-#lb)nqUyN{%mD77|K;*zKz!^}u~K;A?53C1QbRVormYq6jo*%s1f z*S$fth%J`aB860r%OaRXL5gqr(B2~g7S#UZhqwQ0p*9~5kqm}*nXpC*&!J))CP$ji zC-W_m($ZyR>r*16U~wv3UUtABO(!o6)g$7L%u8uH=3fQtB{fL|8`3;DVbz6HlqEeK9X-Y=)#7Zg}Tn75Yi!)_=)@J9$*>ORS=g>v8Mlu@Cyi?lJ6 zi)O8f&W~ENAN z1A%~hQJ^{ny9FR>!3P!}3B_PcKe8D8Wn=nrSDjh{aLKiJ)rn{Vod=*s76L5)&PZp=ZGe{MjXaFh# zbh3ck;FD*OfGY4M1ZtjkEjS^gP!H(sdEKa6e2b}^a%KZ$YNk_$Fo;rYhRVctfRemu zXp>-U$Y2)?Ff2|65$0HHowhgws8a($RPBm8a0dl|R7q?ksKK 
ziP9X>Vxb~QyW=ebgVQrp14AHfbVx*{j+EKUO2Z~{xq;(3hofmAmT*c?^`7MTf>G|<9Z%}LDS)f%BEg>i%t zcLza@FWHaHtGeb?XJSUe$jquP)xFKDCC!+Hg)$_{#1cJAvmmP0H{X2HSgi#dr&7|)yV2gkh29+wwoa?x?4SeYOzWI*jTo(s(sCQ&>$waS>g5UIH9 zdK6a+u>w~Et61jAXDss_A}Og9JBImB!2#2RxFKPmBeV+3G1Ijw;araE{HUWCECLP0 zwE-A9F!YKmoU|aojH_3cL2S<40*|CQ!AHv|i`nOQtOQUAUO(+#aL;3jV_dZYY%c~* z7N!*((ACC_n7ApyZW5J2nSVwkR6H5Ly%^BPuohshjL=zFSrRe?;wqduUW*klvnsSY z(B8D*e#n3bQ-I%$z>_Fn3Qc9+hA2(4-X?TX}4!^4MnSR`+%TS2@a8j-omm+rnDj zR2Q3_XPdpzhwQQQeDlC|JKubTML)L}VjB=7d|}f8q0S$sHhMlevvpzn2H!u$9-R`x zK!SQ}nZJ7P^OZ;3%42@z@y^x9LR74|W4F0)r@3#d=NJ7iOWCP+_%W2&$B+5B=4HNl zIXuRj8(4G0en|~q(){zYY)LO_f6*|tkFlH?_xO2g1iBm^ zza@w%tcMC2Vn1<>Z!B@=?(*mEqJe9L*6>G9 zv*^dHegWJVJfI9YOyPWcCACp2Uw8boVXmZ?2f)buzF12q-_pZ2_hQI#*Bm(@4Ed+f zh@uu85c;B1drhqyGoLuN?(k=4*&FY$kDq)2*w1w+eSum6uoncbUo+V*KS* z?!+vAVwSVK&0F4P@$WzZNe|S7j|`B!_c4oqsNQ$UQK<4=a!Pn$hNS$_d5wx1_UhYz zzQWaa^Yz`R^|jOFUPJTGRU2zt-j_36!xY~z#WqasHJ#tC;+iJ;rb*T^8LMoL9X*LV zFxJ`~&W-dwKf{@*}i$JDY>&6#?5Qx9wE`2$FtL04JZ8`E2M_02o_<_+a1 zMo!w8#z&wh1NG{jeT9S{Xt2l)!SXzdxR*v4Mgh*oC4!9m7a+E`QLeqn8N=EZfs z@jP32{(w;Ccg9L8o;~JEj&GjjO9uIptEir$ZuYu^zrMg-6&1e5`+szxFQby8&tvv%<;Cm=%s52&{&8sc6r}IA7np)y~(CvGrix za+PvG+%3ujDX&sq@cF2a;9JA}M!icxRhF2!dn=DKkGx!E3+G_gp$RbiPWU2QbAJ0Q zS966kPyJ!vSjK9~GUdsl-SUqU2;dqel_(DrH;3002pxO_NjRbj#ggA7J)&rfLR3_d zEoHjgktCklLSTnTu2v^Rk4aG&rYDk8u;B@-QsBA+_LV|=lF}TC_Qi7qaURY5ib$8{ zFh3$BLi(h%NQb}(0FL-AV!yz=o)ar7dv*gIk zom|xkbQrRNfkIQvRPuh__wynvoT-sFHKNt|Wz1N-o+pfmv=4HUBl0UMF(L|??17X@ z_0za_XrvZNth_3QVNOT?nvy2hR3Q@kPOPbccDxS?;71V+DWQNx}le87p%N$|rd2nnf}l8_?1JU`vOk0dbn z+>i25=@{K*R5HQ?kAW4fo0b`A{MX`Z4$j5!Ap6@s!NeP!V1T-q(32&YaNz3 z11z|>>h>dSO9c-n!#E!?Am*}a1=0a4Ujn(yaNxiuz`OtlVogUk#`va_d=o;NbBgM)6Up7H0Mn@lT*WEA0wG(9GV3o# zw{0&^asAVL|1=I@uif0eHotRip1bDauen%vVAuU<$Nh+NKjz(!*=vt+s#rry#1=sy z)J2zes*WLG6JfCm3)<$&>SC4kKb-hrVxya@?Bpvu*~-pXWo-md_Od#JoRxyqwWvB) zS`|_K+R_wV`H|s;Av}iB&!4+Kn`7I~aV6*Z5`>847S+X$bZlz*BYpf48{mdb*oj=+ zt7(d^Zl2<5PV+UV5m;4i|0d_9mYue9=dbhUuj3H*mV5V>f9IB;yLFGhb&p+n^7mlb 
zj1g#fyn@FCI49wO)f3@?a>iO(qpGMXR(oV)X{Q#UpkyKpp{1yaRZTHV^H1}BoVT&U zS-N>kH*4vRSsJ4%)WoVL)WphK=#@I$>_7ZLvVBVrRPj;@SRn5MyHIu!h_Ju{6d2_m zrU3`GQ4)q=+9nSNboS#lB-{8UA~;IU_6$)edo4#w;3PFRC#Ba?q_I(@xpPuEWZ|M1 zQL1{B+6L1$Drrt#w$P|VI46NpVilFa?x)aJn-7Na%nww+Uc{I08Xnh2XtKmCS^>6b$U2 zafQ$S0PQC(CoLGF<^n?n@~i~nW}#rr^>BKUp&AFi>cZh*{+bZ+7okMFWdWZeO%=tE zyeR`0xN1(a3#6eZVTS@X8z>x>MAW>ohOIxbgRvBCDb@klH<@=$mK~ENTDsBjqI%QJ znNISilk2KjUDIye$(_2Bn-90mzpCK}Zm{pnb9FRdN3W}%>UmAgUQ_$VL$>Dv-!aBD zUF4fC3gPwpmKNcyYOmJ%qVh-8FRBH9bxdP;s^8Vr>}YDDO5W1TY5I6gAFJs@8zO+z zikwH)7>L+VJG4{AcH8%n@9QF`^7##buKA_KydYpbHF|!6Y85s3_-_wJ#^63aRDC2p(DSlwc}Q-tw$@)wK4o!(=-BE(|r= zw*PWXduUl{H;;e>_mBRC)CewGnKfUARGCIO5$^jil$(-Kqq>*Zbf`2@lE*AceM_Rm zI;4|e_m<>aa4=P4Vug=}bce{4Nv1b@%pon%WgKym+|hwU zCoX32Ehc1$5Zl(5ql?m+%DU{mVi`^5%_?bK<&$6azAeA`Ky1T%YjbjPXLL zbOehqTmgvz7Dz{CJ|^Qj;Hf9Bdc$hCah(A25P)oL5dD$t@Oc@gfTbb_eEvB$C7vrk4J9aBe}?JgFfYqMej?;ku4?B8lbvN06w{ zvFu-7@j&B5$qPnrm_2a78qKN~_$)f1^>_$`24X3Q$?u`%9fP4iE;fO5FkljaQJlD5 z3KUk>%oLL3ITCi43FFP8B+?@b9s#UpT#+=hcyd4}wTOH2fGhim#3Gy#3L6d?-U8yrfOT?_8#ClTbsP{T?Q!e?bIP$>babca=$7&q+F0LN zzVEGA?{Mt=Fn|79%r?oMTH0LQT>X4@4%g!5W|#QcrP%0O{OCfgyZ6(Z2L__J^%bEm z9wxuQ?)u0<9$_whc8)JR$`>NiP-8eAYd!YK9Btk&EJ@@!1+3k!SlbECd?Y*&z8`tGk-w3@UsM15314$64DzGr4!-I{cqCR{ z{k(%O?+oW0)FzvRomb#|LCC_gIbVMHW!AU`LTlL7wCreFHcB>|wpuvN5U&|xHADM4 zV?t&41VVpz3mbO|8>4qN?!CCn6&~jckF)yY`-%HD^2UT`_Q5$DE!kdn;rX#UJOVq{|TG6xt*+5Gh-vVs! zA}ABwh#pO^=Ro?FO^{#`$RD+Bd-$W%{LyQl-?+PT^sW%aE{EXW5^4;lf{mIH9xj*? 
z_egj^qWwzC^GUw4f46dIr*dd}oU6RTS6*Q&uf!l?xANRh<+*J=S9yuAyu?;s`tr-Y z>Za$OANZd8@GT?zx(eu(&Y0y`atfm#sHS(~@Bm;!{|z-njN~c)CQmt1kn=Z1ByzLc zD}hCpT&q{c$4tk*RoTeo+&v6^zU4zYhnIAk2pY2Dno2 zw5o(1-zx6-*tS58v$#GMtY-x_vQ+Eg-xFZ}p4fC>u03nBJ#Me5pQO5C%07#AsS4Mi)I^Lp=}DGS@^tzdlQnB zG#odn(Q;t z8#S+aPOd1$%1uz zHcg^Gg^@XeyMQ$=3cpC>mg^Uump%O1na{5+?3`UdVPTaRE$AF6$t?X0o0qtvg-ZW9 zR8W@aW5^!u;_Lg+lQS;zC_uBA+2f+H?KY8VQbLny#DBGvYzKn}xmf3Q28s#vTrq*C zP4+?SOAT7-KV;C*fR!Z%jL|@6Y01|Ok#G?~wjlzes6c}-L?sKtZ+kYPdajRN<4fB= zYu_n7FGdI#G$=5l9alJgkFqa_?@9+ssQSB5%^DqZ+JM6x9$i2d1p@x?< zKjA`8u4I8nZs8(dxX9`k;k>&;3TZJAA1g;DCMK+9%zFSzt^*XDRy;0;Bd&KKY}4sU z+!_%8c))C#iGTyA@b8s+I5hRezE|Emm|8F93pfDtv*qGv) zWd_!I@DX1Bcyi)~3z~R%7URwsNjf&@r9Z-AiR8b7yjm5)LgdZ}S)8Q(8O$UVNoFr9%Lnj?Iq0xmK*_;xD>!?Z(C{l|}-K35>%{xJ=$`1&M zdy7)5P=3)d)xw+TjF5S%q60#7EL|#unuv~vRH*6^DwK3`Noc6(pw?W1flaw;LY;>I zO|2M;aD~xUaEy@M6HM9_E~Q=NQrmM} z8oQP*qSfz__FR_^?j=pTr&sTi*h_#Fb4I)lZW2xl&2!~Ra^+^mBx(}_9+!($gMsYRM!%qy(`)1X4x0k?PABZxQ!#z)Hox5s0-4f?`PUjX_* zQ1^BEglYvk*(#|nQCc9#Nb3;TCxM`o!CV#aic(eFr;-wqX&HGRr(HDDmk`H30<&je z3osbDNb1lE;CojBL5ovpK>%SN0o*h{gOz7n1}26(Ca0{j5y_|pED@!EBrm{`)t_pI zP$jA^F=aqlOk1W=qdjP(T=!ibOUnp4YFt(T(ew6p-(nkS3%J<;of9q;TbN%G6Gcd?}eDFc3u&0AKT+ z)$~rzW(*x7Nz5Q>a^EPG*mhiUO0YmgC1RMv@{=+%5Sg)uoOmq_)@Dx!w```f&_z}% zB1J92{kcImwi`%nkpeE$hv-q}tTkUa(*d=Bd+{@_hWh6a3-?9|it#{C2#iL2XVe)2 zTj)wI;xBTfU4AB9ua6m-Doo%B1TfsWjR|0@PN1GJH`JG`D6SH;)Zub30fsEM<7U0V z7B^+pD700)y!Jl>l^lqWod=xeA+LGJY97Yw zPGDLyc}Hq-1-=Z`T#6prz4{J_w8U!a;aRy?QS*b7&ria8>0YDtM{mD)8{X?;l@@rG zAu8^>x!=kCHX^>)^}m)|ln-D^UB#C4Zgp|`^Su5%oBRQiI6w-Cz6pJ2C52H-M`ue& zur)~Z4({Xs3c4njNRW0P^vZ%-edi+n@Sr|O%ET%l2 zGI~9b|1Bxr<-K3mEKKUJ?=lho5h8sPmwj2`jlM2IVgr9Gwc0x5LFWoSb`u*>;`9~2 zXB0>oA59>_EVb8=S%xRBnuqel8G?OmiU9n*hG;k@tW-^c?Zs)Tcuf_X{Jo~(apKMI zlOpjhoa&atP5-5**K1RWry4F(hZ+6 zgSUuG2xx?h1F;C`{~)p~qhjeg#wWlojM6OvUtppkw1(7t{Mt=5d0lmKb4{?(VT5aU zG_{kslKJoQ06F;az~_`k&I6=h^c6DjZC{imdKt9U-|Iw;BHOnMO8Ey z;pU<+C9RTvn#qT7qBVu|7VKf-rUO)N54nB%5T(l3adfg@C(peO+Eo5D_eh`WU9VdIcr+qcmDAZ 
zpq6~IGSc!OXok}IO^-hiqkhA-G{|#*Q@B7eWJy9rNR%){+@A3qmgW%Uqbw>VbnXhl z4AO=W_2(p=7gGN@`Jr-67nIyG9h9i2WC*XSvZtespbV0sIwrXWAzfkPk4XfJc7uw#OFUuuK;X?QrOTwFRE3goeW}l#>pV6cwzRGdG&v}%=qVBpa7A&T1{YcfGPHU z7Xyr&#GP=0@ix{MLB!eu<97LI&m(NyEs*~SHc8^JPTAF`8=NPN%kMbBy1Y3_kTqM9 zTwb{`ygOh?-87A$a%1y)CSmrD86UtqvWZvCfgv>9jz_1k1k4P;S}tEvO(A^s+{9Pp z=~W6Y$gZ6kVc=edRppufv+u525&%I_0z)0^;iOEZS9L<~U?Y31^Yfek2mJ|l(vozE z&*}u_pVj%zzej1Ug#wlW0#bq2fbY5qnkV>@HV`lgTK=F6%bX)X3hTk2nTuH7ucmXe;nSmB%~`(YEQsJM z_e}-ss=fS@h>|aD;qt9~zV(3U(00E9XMG@6Sru_UAC3-3#@WJ-aA){Rcq%;gtUKJj z;anfaQh$kYt|nGk^!};upNe$-uq-HQ6>{o!GW(XJW+9u7Wx!Wx@i5mrO@UP)Di=BwK`?(x-~yVa+5 zs!wexxaxksx}PgK!1EB8%B8~GcZpO`nz8o+j%??Tdv?#gDyg_1Op=p|^^{qp>4x zthqT>Qhh+^in?PJ)scGF^~19toaHKx@)bun2Kb8h%>}li|A0`I^~M^SH^>cY zgL*Og(}^EXa1C92Ll+oC>>uymbZ*|>y!~nOU$_6ucJBBfe|&JelRs`_D?760+Ptzk zwK>H%^x*7J_w$n*#cV|fRMd^K{Pg0FFaBu!#kg4fr%i{Ig%XrhJbMxi@+GZ&N%sMv zDLNi&Xn8TYIm|co?luhWGz@Nca}8sB!&pQct7zCzu@!9xgu3iFc4E%ktni~3;n#X6 za%r#T$j`gEnohn3^f;;}$vsQ`N4AYKTWv4RoMnQyOt6-Ty}HiLHm>eGUw59ZJRhrS z+MrqZh9Zf|Z0U@uaNjD52FX}yRkV<8?&E6vemT8e^q<>*VdrW`xzf>yDx%sitzv7t zJ_~Gh|JCZJt6c2>S2}<~&1I44?~R9T-?M?a$UGXF`RBRO8LreCR((&kZyDYWa+bHg z(WiA{H4V|}=aS@SuJAH=`4i9=E`!t0iPS;^=Z8*E#Z*)p_i-h zOK5K0v@AcOBQHvo_5=B8Bc{(NyE6Oi2$;TpRz)SoorkrTL~CG8A;XXl#ThZJ`FKqU zpZdj^vI5ZvlGGuI)s%2y7osVRYpTOam!{AD;Y`}_TFO}+Qc71aZNf&?lKw*R3R)+{ zlqGx%y*#CaKFbN^NWMgLVG&boXgv-fDnt_%%@(A8A+78htDHj&C2}NJ_-WH&lkXdu zS9p=c)4`AiwOYk=WodbN+KkZ3(`22w>9Z(f{^53e;iIau`tlR|Y*$+T0@Om$EFS_@ye zl(MqMR~Tm_s_>U-a=2}Bx}1GbY%Iu0|RfrN`|mzf03BPe8IY7SqP z1s{sH<_gr={{;@V7tmungL(go4{QbS)l4cc+>Xvz$t2~L!JoC+udK$r>V4s3G%c_2S10u*R$s;ItDfWh~r`=GmAfY8Fg$1KYhZVnqg<( z=1*Pa8n3eUn_S~f&UBL%zloV&5g7*c?cQIWhW-evTjl8*Wqh_n0vyQ&3=d71FxOfHvk((-NnlrVC74KWdzS&1Dg-@j%*Pe`Y zJwLr$(YaI6xmnLuoa8G`;^3{WU!2}OJ-KswlD$05ou1)O&*1Qw5x&y-)^0=hP6Hxk zPVo(=SR>f78;(g@`{MfM39j)ZXF8dJ6t(-Uuo8MeU$8y`h7i|Z5v{1i!V(^I>=lM1 z+4>8)*h+#gIxc)XG)o$6tYO*FTR43kudieEb^8^S>*IT+)sY}y)613i@uhtSM6sdm z6*ysK%v2dAIa6&|AG6dWdaZe2yMb>WWi6v@=~P4+QNElFs}e+U&z705KD%2zyi+~A 
zJk$X*-|TCYTcOL?AjtfJ@xTT)GI;|a`(k(MAvl+ulqpAEAwxWf{Up4lJZFBv-{D) z@2^3bx5!kXvzymGy~(u=er|i4y=rH#-(aubL_hxOJDknI+Z*sSCu8yNK!JjA_<@?JZR9PTo3)#Dn{~XUTVkT|no9{lr}WK5rP3ps$&p$? z`_$6!#UO%8B6^Y9Ij4~$#WKQ6k}jKS%%QiJQz0_rHetzUT(QXXt;-38LQ#J&p(iCW zLHh)rX&=7-RQ$?@M59VfxmuP`HG?xa_0bY+A(9ZcVx<>Aj~Jjh(yd0Y5--SHtqRE< zBwrG6V-F$uir)W80BVppsDz3Z;b;PNark_MT>4tu_@as}?)|gH@Zx8-bzPcW$(e*% zN%v-u)A#?s++BN29M^iES@to&01L}w0b{U@!E4?&egv=+n@7yU*p9IsW2clb3nm7Z z&aNNfu5bKDDs3X9lFC=*4_^sYPUWhu>OZQAR`*uis#o$KsWh`XDbsDOQmJY0Qwvnb}#4W8FroJ^I)^Gjrz5%(vh9&iD9zi0_g39>cf3I{dgw<~kAADRG?; zM-rE~>da(%gKciGFOj@czD@Fu(@S;)fXZM+R_vhtIsi&#i6~>7eXW+*GFJxMj?`ktpHI0eT-o7BMT~A&P*2OHKPsdE)I^qInu9HwO4awv#|F2+c0(= z#n_taY2|OCnL<#3jiU+ElNd9?+aw3psCc2L*bwwB0=3CO-X}zz+VX7v29u>y3&U%` zq_=?Y0hZ@J1GW7sXx8r2Q>J>>1)1+fe6Pg!S|VkX{6L!V=E9uy;QhoI2o3979#mjX zuTAo`pSsuHllczBcSwAPwlguf<+%Hcz5CaMM|1Mt!)Wi}r<2LOSUEYBh%LugPc46t z_+WiZ;!bTNaQ}|^-hVk+QsQXw>nKnS0Z#<#{EK;#pgL)cNh+{z%a_}W+y+|Yshku-{cBw^*NV7SiEFjW+yCEOGy7t$xpL+l=9i0?PLI9S-~S36(@1g59TN2& zz4b1{cE1G6kQtl=NA=i3_jG8W39ZwmGAp-e%|F_PUxsyl>D?HU`60v)N&HY2etC0k zT;|#l*Di7G+4%+D5Wq%!1?f%0`1wQlVjuHPCBcYtdVLvo>C4O?u`IJ(B~bB|pd@OV z3Sbtg$O9@swMAb^l}u=WZWA-%1=T;gRH?7CGj{zkJR1nI{007hpHYI4D3seq2$s<$ z<(nn-$&&iDx8;&nRMIN(<_7V#>VfJ*peJdVn#qsmZ(T3(qp9ESM`Lkz*fNJ5a*vH~ z(H_Bd&tn-uc3s$-<4o(qIS@#n;as4Rf;^edg`EU^u{#btB;kr?{R65Zpc!bB5eP{I z)SJ)5%q}v`ht6hs8l}f#B&V==@G7LiJOi&n4p`1NP0Mc46?ZRq=_2uQ3KxeiKdW_;OnQGn$ol{~IZlE$$NHInubA&pPTyr8iyAp;d3xitMQv=AR75a-T~*}1TOB8-4k zdsH7;v(bO%Kit0-v7?3dX1@r2^O!00tRnpy##n8)O5KC?7I!|M9-`(`dRY2As;Yb1 z9{i^3_D98kho2}+f1y0_KjHH)fc%otL&I%QH+d$Xq>3}%PAb>9i%_+F&b|+XWT6n- zG%-t)d7MNwlPTPaOq244@5aIl0^sXRE(nvNkm9w=tAIRYHA8ISw#B@|$i>reDF98t z+62)p`=Fs82w=^akT>eA39?yxu2#*HjKHpWl15OiqGws6N$j#|5;M9cF)E!O`~31% zXc)8RcdxLocyJY-^$1R=^NNwR?q7;Lv8^^i|7^cJUvsJiGGw%|!*uug@u0r=;P#&$^y1o|!A-u#QR;|`3M5ZPt zL_p;d{}~9(A|j+Gi7*$6TR=#*x1ZHx%e>KW3|tn=249kdkXD03!PG;Rzv2mKd!5yp 
zY6yrek^5tv{0OwtTdXCK+ZFI|X$HsvCJ?+otd!T@Kc`eTNbX?TUFdI2(Wv+%)=KK$@L*{ZBq%4=g&Jw+W+crVE0(okzC+;>{IFARgl5|p-@2O8S2C3@u zfa8LqciDc{b2QCRbkxOrcBL6B*;VX0jnB!T4f$|{l~g&kxjbz!T#ayzp6)c0g{W@? z-h(B1TVGFo1x#foZ-;Zn-C@tTH|!hd!ns1B;QElYC0FO+_97uCqdi~n3!V?zab74E zeE4qxq;roK3ME25{-!5m2ZRFrt(fG9l%~8_L?|gf>Ws7Ecd5Be_kFaZ^B&fGNQ)Uz z;L1Q+p|EwHu(tYHZd=mBkFoY^30R^HXSSfA%D5-1ebz*(^TSk&S>9oQ! z5<2PB1F5$es}?tA8t*7x?7>VGVpIMptZqf-^~hAbkSo8naC0GYXQ6J2WT4g&y<&g# zTi5>RQoAKnRpmS_QLmY94CCyDCh1I||A%}juX-&iFZDbT!*|HgRK#2oshcqq=fhAZ)YF$r)LUt#+CGPQ zxQK|{t^6{WeVdfZT2y&3F{IeOLtt*++R*w@)IA~IPmJ0ZTjnz{`$4?r{&Vnxa6;w{nwEHnnX761rK~WAQv~G;wGr@ z3~u19y5m1R{L|RRz+cCI5|_J2@I~dikqp;ur|P+lt-T|c9!8~yrP9N;h{?JJa36UA zoY$K0dQDGw9ej3Fx_DLQ#}Pj+@#9KSS)yPYZ$X_ZY+Uz0v4D~q%o^<`K)m$wmvSa$ z{KRsdj}tOLpzu$O77!UQytH*n0B%}0BLcExUQ@>=g zNE?DtNhFsIL{pVOl;j~t65W3cWRM#!p@PI^2%iEXX!J2GmD1uzZ~Zk0pejuO1+dnW zdqfG;pg;o(G^t@FbyvT`ufDh%71yh>qL?2#=tPCv2rP{V+5$IS2ElP0rX0SOKY=*#qLnwG?#iRJk9~5r-_b2`P*TS;D z8Tp$ffAcpsadci6M+48iGJg*7=Oq4|DT@ZCXl=rPw)iXNrJyZx@N5Z4$2MpSTGy~7 z2Jg)89ef$TcXmh!3lnRQ5Iz$ULIj0JU9Q?t8+>-u1}A(5J9lc>3>r`B*bMF*!y)}* zY=-CiT1is(DJ4Pc`L)bG0+<^u*NsBS71#1!dOn~$ z$(C!=rdh3i!BW*!WPW}&23#_AV{&08Y{Dgv4TN%1J~2FvCCUxe@RXfHkRVZ)M$5Ks z+qP}nR+r5#+qP}nwr$(4n*NtFiLsAl$3ANYaF&Za~4(jH>AR|3K}-1}jxV(xT!LOzms zSdsuw01w38zo7y|8l`6_PK7%`liz+p^wQoudXp|^L#fv_!nou|06a<|v7u_H%xYoG z2r2T>AXd~6H(m;@l&2-0-TInw4%yV~^?{*sruo)dmZ)fb)<#emT=j#AioArWJq733 zOqFbL7mz1uILHbI?V1(jZ#Ty~lf=u&Sv7`RplT;hlFxs=y}RIZ7410(5z1Fi%{?=1 z+zi)XZ;tol6`P@rP$qs@ys#(7gJU!b*Hbi6sb?TPNEAWn*&B*v_pFC}Fpc`$OXdAY zj|P9U)f~cD6@5N!2qio=8UTT^DM+*Vh`si6BR5~K+5AxmigJE^eTnk}i?K64X+E@L zb1IfkRH!^7IK-R{tviGzFp}Ru<9_>0WWHFvNeo&^-aXI9c-~x%G;UU0ECiN9N~4Rk zF9jJ=D5@2Lbu%`3h=wL)0vp4uEVvk_nrHj~-y`N%X~kFp0|%%FE(!7qt(?)rVfL=) zb@2|Qq}~hm%f|xqEWtw_iH{c#U#EL|O0R&xHyl3G-1sPk4{wi%8ElG22WhBdeO z7rK95#AHsy5%`JjiED3AAd^TrVD0(SxCbg!C~GCU%9B)TUVaU+MgAV9Ok{*MXC~W@ zPqaKUPmDXw%4d1*xXEF5QMl}C+-lt>)bs?^>?nlH=I_5It;!Wcr&YYrW7@0I1Kb#Q z9LS$Pu3$lInhWQey6&<=O%9jL))=(G`SkQ$$yhY 
z;mQq;A@+Z}`g)PR&a#i))W{P-n^o#7_u54QZ1dM;)ySz|S59(c#=X%G`kkJ->daj9 z=xoG-r;%1=>Tdm9yIviB>$7t4onGBOeSH&#ml`w}t8Tq`dwI7_IyF$0Ad~d+V1SC| zz3?90WzB-*jLVs<>NoA#`7SsJN9&o;Z1*M@{Al6l)jTPJX_YqU&U36h)!wr`)otd8pL=Zt+Jd! zq7lIp^Ud2NttvA6usvv3o!g|Dn~^UWa(m7&tYcA*V)ADNI?5iucg=?9Q@w$EZtuXn zH@g7!Q`qxzm5-cFQrz}Yz1N$Fy8u4Z`!sV=?@4{=d#OJ(s}%7_E}*8@#RizTIXYc3 z8!6Khi!;)wA0yn)Gq^ic#2X$3^0gp#^Qj%rxRw{_4D;nc3sizdwwbEUU5SkR(Lj~75nAXPV_EQnAxm9Be4o*A2IAo@w-0n4de zaCzYY$qY2}<9wF=1N;n~$uZ`Ke_$oRF|-Hn!jJR=ZDps!ztjl`W<=(em$_E5D!k(d zl0wv}k4N0lR3C|*?nY5U$3X&!fIw#|43786JCjN&Ro@;#6^iUSpPIQ@;a@V%I)pDZ zqA!HKbBA7e=_zzQE(@(ESCQy!NpAsHQ^0k!r4-K};8&#*L_h0tKugXOcPUdDvLoex zWbqE+YdTgy%F86_tb{~mAzO`>N@xOjXv!)Q?+kE3lU)P5OLJ8%3*alIGp~KdUwWdY z{rqsB^+W%*|G1GFs&!z-Z=x%H9z>i1#(qV|Za4IbTH5%ci2no68JE?=-%{vAkN(@GfhE;AIStaO9SKKiKy1Gs3z#n*$)PP^YTaw}TxiLsSQHhdL<4(4!PvYGOC0~~{ zh*MoiGJ6>4*Ltl5Rlw(8Bwo%($K-B_Ed!T%rjguM<9aLsn-T-*0#rH$sK&h7;NeT+ z;d{8AH(s7q5d@#kuY+3Nr#PR2KiqS0;pw0IF$79w;^oFm$5Pm4%O8~48XVGDamTtv z)!?Q|XQKLH_5^f}`57$kW<9a<_q;W|jhn9ThJW4J5UMubbUEKQI3L?O-&b7i@vb4x zMQFA?E()bv3+rSKH7i!FWtm1sFSOf_O0$kP_Iw@Ks6^(r^h9G$IuQy(?TvciFei=KIq zL!*2r{glAC{e6e($y$;crT5E%jm3VGtW?<)r#q?LaT+94jB->h|7Aa^QC7ZVlg*&L zj!tQexxd7xmCiPc*2N2xm~HNAnDb{#oS(R(m*d>N9jrB3;adjimh<&5YAv)$ZvII6 z1(w=}Cv6E%irUK=qDh&)rdam3oxX$k?Si=}qvZTI7T^{pXl@;lpu(4T;eq~MN`3Km zlFNu-y#E}!_YXjNg0LXs5>B&3!E}*Oi4BuBvQ3b16<<&y=f+<~e;mmI%%U#DKdxr3 zg4x@IZ}i9N&p=Yx{xJA16``lXB_AsB)nHA0>xmwGGJ$6P0?#KZbb?|88VDvEvys84 z=*vj6a8AAfcHHw+!q$zw#i%I776Qw_8M|?E+ew+H3XfSs!7WxV{@O)Sl(h0k8&{t} z9p%N=-F}72C$j`UQA4@?%1r4c1kkmys+51ge)|_jrSXST4>Lt!#|yy9@2AWTEgJr) z*zv?-%}$DdYDY_nTAk z3d6|fZKtq^(19cjv4?+w+T-rA6oQb);+i*dSR})WQmz)r3h#mPw<{S)LB_wPt+4`2 zyB`b1CO8wvL^T2)PNizc6GOaNytq$s4gqZac_x||Vqtwy$xXx7b7#F5Q4CmQ6m!lc zYesaby^I>#$I&u$Vd(p&>d3FJ#$%Sj!44!URUimTGW3F%m_M>bRJWH1S0)SJOnOLRmzHx zr3F#Q7+&gTFQpWN$b6E}QH@kAkD3K%D0i{Oajh8Hn4hJ|OM<}`jCLw?LsU)a_yuQZ zqfYJ(PF^~rKEbjDt-uV{F=HDRzY*a%WnWBOxch(sBJHbuY%5D^os4SWZRf6fF$?eO=4R2Qwc+If{St*)_4b{OuNZ8 
zlXgoQ9pz_9pU@+>9n>O`CVMbuQiDBIqjZBElrs6hTg#-Z78_n_8Hs-noMis92smz_ zl&Jl?S|t0=>j`>h(w!L13AfY>v^_kGO%K53J^Cl$2>cHG?ANC2f6|O)Chlp_bimeq zRtAMo8?OGHPkUAPy=}KYJ3ZWf-Dsj#@G*@yN0-OBL=sAx1 zIYIsh-E}z?ydVP|06@F;XE}{yM`NZz?QR?RFF1CmI8V7xy?4`Z zd4HTr7sdMI7nf;Wiz5ksvgdrJ)-P9oq55Yb|Fwi*#xV*^ruNw5K#Waf6pg2j*oUWl zou&?2hp4_#+jen^jnsNkceM*z(zfkGUr}K|?{R&_r_S9*sJ@dKQ+H9FKDRMuv8p3f zKP!z{e=;Z3F8Yb7G@F?&s2o7k2$eaU7<`*-)Zc z59*~jPBz$9hT2LY?U$JsUQn&PB#Vi#_BC>3y-fvd6OFi88M$1qybUazRm!J!nyOutnunOp$bggi92OcMjsg>thm6F2mh5*}{a&ptO{M22N(r~{ z9%Ezi;&ZSu79%mRG1gqIu{m2Aq1C7w%_P}-pP}G9XrUOh@YSvn`jdd37SI%?`6w$R zD@S;^TX@=tnURT+$x$WUZow4IuwyMuh7pnz-x^^WLh?f%5B0_Q5*xS4zR5-* z3Naf8&JCmyRvFMBD9M2SRSOB68_^(aDm=Y(tCJh?&3uEXc~RIL(jVv8YjmVqAru6N zZx;=KRU1rP)XJ9bKO>r4yl)3(Bf-fd2EyGJnimCoflSrRFb^VdP6wmu#Xvpt>HjzR z#D#bo+_x->wv`8paP;PYGZZL9GUIXXo@N&0AjHrLs1pO{$TA7J7cwn27~A6Js?0So z_#6a-ds?8G6x1Z8#*Z7}B!oa0U?J)69(L@JGGASDU`iga*X+MBugKvP?=_?2G8rfN zY7@2oTl)(fxEmyIo~|EY3p8nNWx4p{4byccIr-XM3}FPoFyENJ!=Cz4?+L;pnk}}v6gH;6es`!9T6x%7r?fGZ&5T~M(dpr8 zYvc|`L<^PWt9G8z{|4_qc?eF zYpy7H#@#2?ZhA%uH!$TQRI=q3EPahkH@Mza`iR-qLtZ4a@+t&5-59#3$H(wF-X1AN-*YNKPY(b>{4Eqs6oDo90ZVMQq1KY@%4J4~pR(2+AY*mqvB@JQO$sL7%{OimNJ zRz-^~Iq8M)GtK<=81>`K`lJJg^uH(dMmQV>m+ASrU>4oxB;TkB=|#5wk(D(j2qDBH z6q5nnb@*$D0#;CSgKuj^Rw$4t(i}+94FZgnS`lKzO8AiyO?L;CNtR(HZ}L?g zled_NntodlRK27W=4hU$Cwv+cyx3Tuf+w>JTBsShq^pMf1iAu|*i%#ig*j2v=qlNU z-SrBo1T@^c#O8u-SOwqHh7S4*AvGn-Ao}9aA%&9l5FA$j{QY24l!J>}xtY#*VR_t} zC|m*0Qdy*4eTsDTBjEA^Elogs2m+K(_y7%&+T}zX?u~Vaa~`gQ@W<=2iyL^>Yv_(&?9>!N+ymP`YZTR zSIp2aYs{lXWR86m005(^z|J$t#p|Q>%0e`sO#Y`@+;yHvl>bx{-zVH0wwkvnix8Xv zoWo*B5HM<4MuvnWPgrzSfM7J3F{w?l?=P_OBs7Cwkj@hNpZM!sQJbbRBgOEc1KaWj z)fyXFOvNw*nQZsn^gpVlHk+|JjR1vdwEr9e=B&78nu{D4+rkhX>$Y=hi9;S`w~Irp z2Oal3f1>|-ay!8|2E|C$f7FDofkd?O%{-WoC@KSnrU>|VLwPt|dI3!9f2Q5Gq&7!G7qL7?ItF700<}TqtX!JA4OY?^*nJNP;E4>evREh^UHP+4L9mP zyd5mwnFPgmAl_kbR=yy#rA9 z>anqvp5fm>~3+ zUe7B3nl)MJZ#a}uoiBt5B9y&rLJ zWBXcej|tt&j~gpGa+T=|)x;!}`dkA`rrpb=sU_HmQkpjD_ET`U|~+gI4)hTUiTK2DO1&S2-=#ZKE4*d9=`8h0#?USNR9ef 
zQ(k^m#XPz4p&qjUAxWCx9t==p`y=%W)Tt9efZPp%;u)&V7&XBjj{yJ?{q&m~dX3=h-^#N)dncRLx8|vziZ5x@LIWDQyf!x|9g(9V!kfJlCs=1(u z0H}|wnAB#8c$?f%9K8iNOvVW6EJISd;nJ0+D4=gUu8hVf)Su>N%tt5M(16do;Buww z^{rMxRlu5hlk71C1#+U+Yqc35%sfylFGjp44N_{6FuCaq+9T+9k@AFZB)|`8#c36T zjc3!(gh%Py=PoCecij-l=v1s(ZDrO9UKtbN&7$sHytHTlK(NFhN$VG0E&l7~ax(PP zh6h*l%ner%3lIe#46w5NNkO}uV^m^#fLg5wpt2j-k1!j5oe3s(J7vykn%X={v_Z(^GH$}3pEh07}*6M19PdiCNyNAOyGb|`xv zYqrqiVssK>brLG*Bx9r;>}cSuTVJK(B3&kj8}{0dyWk&hJf$>E4nsCo^-J=$Z>oG*T_XhytQipXJHiO?0TAqim$6hRxEuNJ zqeugwkD*}CLcO`hgP+kfmZ+7Ft?OeO7~hk!A;dDdCl<8A)c8wz&FGP9ONad-oXE{n z^%W(s`~gZQRxz{FLcaMHu{$4mO~3fy&USp>S(30if_CqP*SkutoXQ4m-=W^<9y7Vt ze?62g8O+4e^$>S$D*ET6xrUyoH%croX+}&h$W_9{RvGmS7I7I@NtJN1-MGBfOTB7} zqT#membBy2aigriZ{oN{_j8u~K_m`AKXMR)+l|AKT#rY=9gpfT8dR>Z4YKlD_(>6g z9b58G`?PDt&p7ywuID&i(hjpFvZ9MlMOBpDOL3t}eBC7#VTmn%fAK~kXnW)~DI5eG z0dV5rZC*Al-&Pc;hKmjOv&3|dxb>Oe!mqN}!86j3?@*na0NP|FRiuuSujsa$)eDbp z2*aZ0*@H#jLl!gk3Wo7`x$)^%a3`YEp3`(Ad3l1Gu4J-+IY|U4$ACI{gr5jgoXWY@ zvg4=wg@L(A1PL=KmUf72nN7HQJzvs!JLg1swWtVr{FPs#=^&aA^!sSCrm(=UIhv@4 zAt=)3(SbWB^wmDXv5pGmSVop?0QiB3j9X;blG9FcI&A zAX^vkCVe+po~=CCtc@RQ>|m{hXn-Zl2Aj8YQ!NXrB z)+q805pHH*h(B~KGxH{+v!}Ur72a2ix*go~HSY{>tIAFmKdGYg=z?y3K3Q>f zKy+JWV^?`7~#&s`9{#7WR0 zWd;;bMNrl=?o_E;HXa#>r$9o$05K4g9`fMsqWXsw?-UD2luyKo)ymEZ7w}3Vt{?~- zf&d;U&I*My3|Pbx95DSI{qHxRD}p{6SD5>ZAdZ&}BDwj|xKqKe?)vQ5PukI*2{<`d zoBd?fYxlyF)@*ioX)`#R6@1mKR5P!mt^7nr{c26R=%?IMP9A8`RQdU6W32fw^XV}& zy6E%f*A2DpS(U!A2>C}bpiYaO`h~_$ij$xHXVq;kcyXccdzn6uvj=Y%9@;<2UGe0> zOjuhIO1W8h2c~AyX>mB}rlYF!e^`~dP`REr zrGra~PtJFz%;CBwo@CVrH+J~BN!sBiYX;ApT}>}C)n^6eSGusfYtM%XT$m26q+WU4 zFa0uGb8^W7DR>qeOd^#lDf5%{?}=O)kq88!0HfmxfDVc&#{jjo0*8PkTQL^X(lCtM z(hvp%g23T$Jn!~$`vQdFaY{^(GWDJgx=FG)IQd;$JFi<*g_2H=Hyau!Z)SRY?ag*x z>qql?|6QP~Rnj;j4Y1iUQ zEiChND{_D{Rf|lsdGK-Ja6lXL4?!Pj5`+~43ot}0=S~u-B{GWxJk2oOo_q?AkVqU6 zF4cl`wDy*X&>w#>D;=XYtk>=5=6fWW6hGGRttWssqTHTfcDCO#up-G0pM8a-lyOUA z0k$7k18#m$RS`CZ7g}vb01L(^z29-`?vLAUCS&1+#UIy~{$%jz&*WnWGDaDBI17_3 
zV!@e2q0~^5>!{vj1ZWwLx}k6g2FN_Fsue^bm{Nt7KxT||Fe<*opp-5lI5R(w79n%>{tthSG0pgeSA#TVL>n zB1HC5+p})TgQ`DMRs9IZUnHjs=`~ntN*4zp3NAfTA{eyZbWv8SKyF&SGtM$&V#QFG;C&$rVR>+`Qd(Ck)JSLg4Y zw|!_>ePN1zbDMfxwLet)6;fWPN)@?F6^W8bJ~km++a$zm<`kDFwZ zxhDGNNUhf>v#&iaxnLb#k5jd0)RxrSsxA<6dnosCX%ct3r(T_GJJRY?uim=|xP{FW ziPxN7N_LZ-Cu6^XDY=niACvWjH@T2!9;5Y$+8t{jv-L#JStVXSp!r5_^}CH_dz0rc zleSLidZ%tpyCH8S9v$KJh~FH09rN|X&RryK9$kOAD!r2B#=G5dOLP;qE5F?HEw~X! zJ!}4GdZ718?@ZsOe7^g7!1s#d?SUV4f9bt*{&0H4;U|T@5qhNIr@Y>OhQ*W|JwEvQ z@|Uxd!;gW#2R%UW6X74gj~9NGd8hHy#NHdT3@eaR)E~ow00@;n=qY)C*$?E zl`bJ!(FC9xN+Ah-|1=<*JMAD|uy1ho7lGH04T153C;+_#I6qtft~NdE0X#MredOD> zkWL*Qd?p7o7s6XG)3f_D=`UKQtkhvf35i*)B@#lma${<7+ezw4o%xYLGV7N4*P*$* zG&^uaf*K6G5%MYuYjxV+7NY#TXotLVa$m^^eMGv-^CW_SE|^svt$1Usd<_j8c$ z@XwqdLrX^{3|O#l&=p?+%z#6>oIDs%V$m-+NN`b~v(TfZ10@;`R3=R+^<<@Hd6iJM z0|9eyBn=ymRpa+@emq>LeDpG4#E3^6GH@{n+;B0uhz}?lAsr3`Og>~(A|>QxK=EO< z69$Rr9)q9&YRIoq7Hh!!cPeXj_}H-^98-ZwYaw|IL+Mh(IxLhD^z2E>=ZN2G~~1>x_6>zzkGb zR+dyveLACX!05{&?aDx^%2T%fg}ZJR^+~;aa4DXN2vEtVQ$kesf;_h6I(o!_!I6uN zljyIHBn5qJ#-PcvD~3OcqDm}qCQ?G4+(cL|Q#M)!g}zZBaUp~yUn`41_A*u}P9E|m zGUe!Z4GT<(BL!7oD~r*OC_c%TjHZ~5k6A2l)f_C58s{{{moq`}kFZDCc}jfh3rx`X zo6S;(p$vAiAX&$F;m^Rqz=6{1Xl(y5vbXo+18%paaQYYfzEU{#<$&4Gg@CIrPUCFV z2r4b+N0ZP)LCz8!JRy8NAUJcQ*x8DJas({|%&5^|%jl17-&PPbJ8Y;xiZDV7R^+C; zd=5vT@h3BYpHMYBOZCQ$TCLk_^@g+fsi!e@UQBcf9)%9JcFwFFXP!MLK$v-8o-~ zgV5$J7IanABloECBlxTK+*5Cd9NpPs;weSc+0Rb;l2GJ_5OghS=N0V|)4hyk^mrFi5o1evBuY-dR&P7Y$fvXdk3rXBK2DrU~{&4_>N^#|df}$we z_DC}4zuJzal1ZZhh9Ff|EJ<>b#?o|2f>;qtN7q*n<|@KbV1$V+M+~wz5U18+kER_` ziz%)I?s)xxAjSYN=0dWW^*Mp!Q+2v>LD@Axuo)y&;E?AL&dRDWM$Kvr;-o`~jH;|U zXqB}%1&${h4p3zJ2o4~WVRLzErY#~+B8d?MZy3iIQi~B0dTEDAkV|(&HNNG|tjF@e z!p}@Y8y!4u@P3k<**%~0t26Nvo<5U>FS_tww>e`i@R!$v>mU2C>J867GD0iJ)UlKo z7*1L5Sdo$^Zgs$Cl3-zio*C~&lJI&{T{LDvMr0H~i~};v`btS|V5Bq5==JL!Vk9hx zmXA{|fjZBFfSGL8C~!-qnIjgd5p<3D&M zvoV_pn61?@wVl?tF4eYPldmDS-G{gEehx>C`N;60awegH9|{bepGiHRDlM-~J6>Fu zyx-^EE8N*G@~2v+GrDuL)90rwbG^2Kn%KUV|137UnI5~p{YiXZLM{ANuc3`Th~4xF 
z=aG8~XOLNHLAe2pSq4HNgmr8~X zoh8q@i|aX<-R5MM*&fb6$5pS#RiCDfrl-L7x}1y1I@bEuzh$(SywB(DRqPoq;<7I( zu^D_fW6qDS&8v3j+k>93`!HY7kD9l^;`EZ5wMj101nX-}o)7$3oBF&Dk;K-6>m%8o zhci)LrAT>f9z8}F66rbi)eHUGCdEWaOfbWnEbBoEdoL=A)$Od&R)F^W2rw*3Hu6H; zq22lA0o&)6Uy;fD`tRr0ovq9u~vawM$Wbgos_jTqe;V)+BUa9Eok?MW_0MBjaJOtlsb}r%`kPh2Hd{AyiBN8 z-qLz1^1J-88&*qiwV~coiP%wtq}yD9!dv~Y>6l`;+X+okbR)dbC|U-i)>{xZG)-n( zsQ5SXd~eYi`K_@FAxp>Oc6cH>_I2ABDkVo@2X^&9?VM7p^q9A21RVlwoorTbiN$Yz z(=reZ1ruf{Us5YQu^H8WwQfBZxkCJ2WX6)N(Cn_IhoSwT30FjA*-)Ql`xP2=tm9}EZ5~7}q`dFHn_!O-D>m3~ zyf_a)#__k@xD*Iku^*qKXDLg9b|e9EzAN$c_FP_PQx#4K%+9%!>%>~M(K_&x%TD1xY}9A^rWvBP6m`4n+H2+?vRq-ZCa zG?jQ<6R`iR91NbKHH?9hgv3=#A|=0GJR(q1wPxDuHwbR%R*;HdKY{ zLrh!OaTR4xZ1G7%E#xEgg}udtRN8?fKh(64Xwhr|aCU)ypF03_;wNcuTlZ@X@%Gy6k)zQ?=>;uSuMX7!`huX_QM_M3p`f)*|wITuE+IfzTFCaH>Y>$lF84?RJ@Ll zIQF*r*Q{}3TD%O}5Vj96CzaW4;o4h|vyJz(2JTKgk=^b)3zn}sei;QMeI1V^Jr8%g zV1z#Du9NxA5CgPkU68HDe%ZHVV$Z`I@QfXfD)yLu+?CDe`Mchzug5X|XkQ+v%6lRo zAoO8*D1*Qh*5BGvrm|4W8&Cbuy%+I}p5Le*eklmdpW>-4Qy;nUJ19aM9%k3wmkjG} z+e@EMpHKE!T?P~;JZOUlVk);$4f3AKoDFa38Bq{Et^UfM2jU7AJPV>zA&O~V8W(L> zNm4-A=C(1!pRL6*FHhzeJ*JAd+2W}V_HTh#9 z(_^AQO^~uR2O5gB)MY!WNQp#*JV)j>yeZ%=_%gRKf(O4?%#j;^P|&@*HA62H0sH9f z*EA}Bwv8RwO%nJD4KL!ZHl8xera>w6zD5<*ZQ~FzRe&B7!0tz*cmaP-0UWhs?<2(z z_(^diwgk6`81A%SXCUWrR)FmSXoG4M@{Y-dWW2nU6vfK`Ep@SHpk-w-TL3E`%x1+W zplee@t5p_C#m=v`P9Iy~t=jY#N`qy3&zdqhYZ zq>}q){jw73wUXs+P1uNSpn-xZg5Zh(dc-A;7`0>zXW=%mi{_2@e%{%Te)tu}R#$%8sXsdA+D8ARVAWB5#(3<_0^_-IZ^+uT@5y� zatt_~GpMn&;5By{CUA{qKU^}Io6dclcRVDzx>CF6hbEGpNodOtO{`!zLtxj%6Ez@D zOpjzZ!ER9Ze=L!>?F%s+{iCQ3l1WUns7_?38)M0c-JJS)6~>H=fRt^EC6;yvs#&Y1 zO|)GvX*=iDs|NJjhpT2{U*MDpYuCCdYu7#oA0mc%@>%iICK)`bq*IQups%GIql2@E z##zzoSSPCs-n^x2>U${SCt0<`Rl>NE^)04F$0wLFZza&}`?|{tj+m6A0++wFE?+HM zCL))MJ0HTY&N$uNp{WJ%d0%fpyY$SGntFB`sTAm z5JViH0865hm?0R9bQ<>CAD0s=8}`RCL78b^jH%EIu6w@!)6imNJ*pEj=mLXqo1ZM~xGqdY_qD69>?QjC+N3aWJ-sSjpHy4p-0v+6*r_}6z#ulL;4{7!AZ&ux3~XSlpx-0Vbk zqSt7@hV-uAIqw}bq4#?lZ+82molnFPYlCD;CC#RH-&`UDuCe>~t=`|TmvE8UgB~P(g 
zjF8w=dg>reUYlS_MN`K~>~NFWBk1VFK-?gUqi-J(gVyO?}F$#aYRCan4cN+C}h*MwlANck_sUZm( zhD~TMNoD(>)u@_b>lKF;5xLt;hhnwKMg&RyA}UV?3&)nb_aACHyBe$!+QGv6;sFK( zYyR?U{oFsq4#5vUH>eS5t6=d^2a7a>Sv#qjSK6L-SeIU53Dg8UZIm20lr-O6I-)McG((>E3FTZGJs;vA@$9orGg(he8a~rmw2u!tT zD)~4`(pd_S5`^ry`focYZL`#fteo6LjmLbC)$2Q6?b6ulM~)Q>mpMxugbH+ZVJGjQ zhDdRd)Cg1Jhi$M`7vIv4tFbq91iY_zkFW2tj}TQlwK5hSiDs!EbY+T0S0c8T!J|G) zp72eOUU;BHgL{gyk}SPtT-4R9RpeC5DIribOEQv{c#_Y-&HPIaKAc3A-{<%X7WaA> zZl@!!%>Tk*nNRA`#igp&mUqgUU$6qd@0wlW5f|4@s#-Rw(4P_?IlpsOL@$^(1#lph z-Ix#v@I9unLSZdXSR@#j5yt0u!Y2uSc%>|R_e)&t5MrwUCCH)|ab=Qr$R%tfd2sQ4FltSX51U)_R_bmu+xy(IUvMAi!BV}xv2ZN$0)>uZ2bc#9;>q|R=~T_Q z{;T=%f};}+se>qt*rjF6BQq1jW|#pibSrPydnb(VWg1W5Fkv|QuzHgtHFVqr#6jZC zkc@9h45fV$P`7|%17T1iH%VfKf**ui22Af$ZfP{$WT@$1z$mk`Bj##`e2>5BWBTaG z>(xt7hr)$sXZ4s(9m|C6P0-1%lHTfEL9Vr3-+wThCXxx;$AThw64oCf81bq`M)|Wq z^k)6TZJ1=o$1RDDI!*6zJCemyyCC*xVeHBexDSEKxRj6F$a?wTaC`mIS8Gk&gCLO~ za}98W(f{0?Xs&Pkt&$y@0va*1c;37HT#@b|t@+H^M%4XqaZZwTRe6I%0Ua-JKz`BI zDm5EC&kkfa(+Q}XFiE7b9zjW#>9As;SJMO%whLSyQTMdCEbK6sN7q082ZWAxsjlO3Z_k*TWw6 zMoRW^f#**K3>eQ63*ljB3)UTGS$a>BH)t!_b=&I2Gh{9k*EI-1yby#`1I%8-XZ)cy z_~0esVCOJncjwKMZ$0+4ui}M=V#8;lA=A#AM4g+&oBaTN`giPHQvY8+e0bla_P^kF zUMHbmvS-CL)!Pebn zF7#HsV!3z-Zw&GFit|%xQVnbZJ~^8qe4MuOzSlBy{a@~UQGQ&RnL#8MA>{v-6ErZ; zDE(cdn@wpWV)hs!@yU=vzZ)plot z!9!e&#Dvq(7C%@!CeT-cgMNdvigj=Sx!`wBTX%6ka|iGc-f0q#B-4o#G(9w*kCq&; zcjA*AlYYoS#}QGDWQH+|xqqTorB6Q0gJyGR-iD@qmrXf`wFG@mr~Aa1Z+M^N1sX=Y zl|2KZNCTGXH9QB--DEQSEB9=_=T-7NfiQ#R=20qE{lw)YfjLQ=uYb>~qpc@{Hcp_Q zcS&|4su+@*qrDeG#58(ZV2LdYW%OfzKCh0SZ@4@OACZXHlyO|37NS|7fXuUn>In>x z9z}%vP*&QDK%n@T{Q}KTlxFv==Ll^T=Q~GT`||^gBv_h(XcEA>eC{?Lt(Uav1p* z&-cz?0tYVyOEQ2m#Ug2AevEjDSLxsG20T=4%FW#<$lTCi^Gwr$(CZQHhO z+qP}n#%kMkueR;JYvf+q9cg+rlt;}=q8Aik6$7`#(_-OmlJ)Kb)Q>Aqe&`Pd zu(WeD;h>RfXoA|rk!@n@pU*R$Ct6tj0i(h!-vI;RkuJcJ#u1m-$?sZ`^&_aY zoC)UrI{pAF_zHV_?P$Gw2)H2c%8z8~txQzTvJuuv9c7=TsqAKI)Tu9arLDr2cIsT- z?7Y2FTeGy;l{Wi;!Gpp8ikE0}4kHS}#Y3pSckA3^YE>q6fR3<8YYuaIl$q4$fHm!F 
zi!PG*O_@5@Zh6m4&{&CcFqKL-5sJ6ZlvqpKCb30^3nlz448&IBcARPVwUEhQ?2Hrs zFqfGEc~!m`tH#LV{W)gL81s@p#GoBFH6IywZ6;bY2$gUl1LC4`1L3nr%jRA|A2NT? zne1O(6s9#R38-cY-N?d=?}N_&tTf53G?S!2mYsooFvuWA6S z6aj7ac+IHvDROdhpZkN{P5teAAP&vmS%Zkbcu{`1m7+oti40p0)so6S`Rs}cONAIl zI@|bD=DNNKkAQ6aBMFH#&5M^?9_7B#YsW8>!Q>?9WhB%=CNPt736Eh!q1khvtB;zR zkvX{;BP%SDsJi^yn6*k$R_#-~R;78ZX`L+bsjj1g)Nwg(bB$5EAH(f?9!IwlFB4VW za9irZwm`Zy7h){CmFvy~P;uKeRTglWDSghtx4pONcW~Qf-K+l2p5C@i<`kL z{XgW)1st&PZL$02-?m}*@V{-%P9q#u80npme`F=LLz1>#@RkS#EO+p&oD7@K8QF|U_>C{4a8tt00C8ewJy-M^GoWwGm`XV-4 zplz72M6YQa2n>*9`453XiJ%ET&e&V})c+$o>zEOF77-r9X#j;bk2sSeLWfA8(oz~% zY{Zs$Yl}dgGP>hX{yADFMXS5uL2~0akZi-R$zJ!Th3OR?eN4Z980B&CdAfBTF1QnmqVr`|5}I zZNHSBu_$%n*3`x)mWkp0HAnop??>?5!8ObtkKQt~LY`ZmV;zOMjjUu{B~_|#EM%HK zy6n@GyR7Y_sk4MTH60dG4~EM>ynEafmck4&@1-jjOt)Ju&2~9A)7>mCjW*YEIakxg zqz#)gUzNX`eOKAyO+@mgCxTnZGnPd$uZb+eA(dtVi9r6)L98E8iQbK1HsxuG=OFf> z_m+FPmwVB0`A9w|uPoG67iRh|oQkfOkwOJD}y<$*}A=N84LvyDGq*CyisqjM_CO{W|pkNq7*jVdkb z)(NAuc5S3Mi^SF%Qum{Ziz@pAtuIr?JUSHRsWppkzuW%%v|i~8PO#qa`)4A!{6)}e zuh9eo|93(e93I!xvy+>}m6U@$v*pO!*2xPk2xu(?-Rgu)f5iS|rGc-$ny@VLS$|t< zLk_9m-cvouFpRvmZr;ej>SK|`4AOa3^a!QOYQPKeR5SOz|xukBMYev zJ@AMu>y1Oa)4K{c20Jo1raT&qCWzW*TjYKMtJ#7+U@69HEcWqdqO^Lc1B~G#@StGS zkYQ(t9|&N|9?%WCHIZb}#YpjK?#`32&v_br!j{19)wn0r;4BI&I%2o-H$t&~)-l^3 z%K7VnAk~ZPFZDf;2O}=bh-`9n^x!){uRe0?20}nSBP1+q1z(6i;9Why4=eyo*4-_@ zPq3mbY6vaYUx#8sM=ar>SOe%9o?eiI3MLYfU<+4N3O=wj%nV7p_=${Dz z0=*Ougdk_=deEb-Bnt8<4ki7Cpg;IjcEy8Hsx^n(Lo}!g$#~9>gKNq1VW9%sIUdO7 z=n^=wSy#Um2~`n#i!HH-1nIpm%kAosnc;~M6`LXdCbPbglUj+s048(3QQc^r-HG1zH42s1BCgzuI|uq7<)xX{zo64c6cAbT zO(K`T{2tFZ=JMD#c^%$BQbvD&{wdrkv7{ayg;7+gq7TyN6%JLi! 
z?8WOfDm5*>{M3t_$t?)t6H)iMosMqbPPCVp!kpsyo96^SeK&f7Hy}G0?q8ZZ*@u-H zn_EFQ1kZJ?l#7#8=SCr|ogSN8;g>$zQ4?$>EA9Jr8*Cy1HxbHeO=^*uVWkZQu`N!K zfQLoV$e&)O>L1p*+I6;SEPlPDYPSNa1SM4*Q+C}gezrO>yE$J@vTm_NYZa$hJGEPl z>|(%z(uYA>=(-zqZ5-wEf9|^GZUc)=lsZMJZ{?~>b-LQP!Z5$(hFj@+oonG0KCGWk zRA8=LaE+0jwgWsJclce*&%>|1xPJ%s_}FZr@hQnK%0u{HW5bQ!kZoy2{bhIfD6h30 zJ*x~?A-8;yn`FiOAyvYgPS`rrTx(72)fmTrx@ftN|3X-Y_E0OeY}EphsXMXrN6*r8 zxk^PvG#W*{)uc|LZB5E7{jfq94&KRyXpHZeqi;k-s|OxHMEqaqw39308r?BhkPf|+ z`Dmgwkr&Pv7;(jPv)wC?!KCeO>s_v4%O}YuFQKc9&0sdIhV!RH2?H=>8JiJ@@EWmV zo-V`m&=hnS!nfy=0H4Q_K$UXat-x0J!plOp@Y$JX%ePR>*7j}(mY^(f!PObgzf7N$ zI>TjGjq}~$F7ebj!DYsxCwzhL@|3*Ziqnim){w3|b+6Z=-J?l3`b|fRDNPOM4Br6& z9|?n)EhdtGj_N8kwjgg3y@`knpkwf7U&^yydPKK;YbTlLo3 z+-_zc_jn!Fz$!8$v(gf&^hJGQwg>%PY~?ZpEWQdg8P9<_bp~R=H8QJ&r<_*WwexWuLb? zY}`zNnNtO41U?Iew<_2^yWDzhTutk=yvxLQy+5x~KJ`QD_II$CKEoF{R@HltI3P*)@X^niU>_plMSJ=Y227!;}3+A)KN zLJFt)jR2y=z(H?P*GduU)Ah^3oq| zw4420=A(W1Cs-0}-PdYUvvPH}xt+|;r_(u^%%@*+Fz7GzVR+B`Q@*U+B^vBkgD9Ac z>%(B5=B7b~z?fVf!r>XZNNezJC3&Iz;#FlF+kfm*W&Kg(1&p%_6evuW#1dqMRXlRX z{oA9@r4Lj$4`mFRq#RG=FP9hiaUQPG)2 zoPKjUZWlA44b+8hZg@17GM4dXM>D7aD-m4PRI<-zy$Mo2!8T~36ty`qDq3iM-YK7= zx}D67v-?2dE_SaAC@CQuxs>sCB48*}!oOoUYx^L9yPISew0#P;G_RiI=b01YHKTkn&mK zubaghiz&W(pG6Y@byZP-iHh^LIo^%|^Mshmjhg>~Z|{?@6H?3tq_a15&KeZD%kO0+ zP;LH~D^Ojb;+j_@sIBuoQ@iIk-tjMx4gPX_Q+`Dqf`K0neI8=2FQe(%Tvj@8z8lXa zLQQSa$VVcgW|a`2NoA}C*09Il1bU6l#M0dOaM!Iw)oO!FZ)$|VSRi5=Lx+}FSQam3 z?6Z7I2HlzhGxOaKnv#Jc z^<^VyC(S1IY6?bCp#X)Pu}ZmRBus-)w=R;7k5nfp*ssXt-(06bDy^ZHgNHzS0R4j> zB=I<&&=uwb>TU+#G+RrEaKfO`6v}pQ@?}U+jCd^PAcK1wLu4epIe(z+H*vLLIWPH9 zLsC3>U;`4mkblrkuU(~nZfGmnBg@t{Di^=%S4A|{Xs8^YHe{MEZ9P^T?bf0^=!#RWe?Q)yw~y^-?jHfC4Syn< zrp1OB9eXO`8&L<9qCH`nQl`E}sBGs|2ak4Eij*yqN{>_Y;QGkS2;POZN(ViE9yVlGr(X@(KwGEq`@YSyC{4^ENv1_Ni zdL(d!{?%;4eo>p|2z-VGsu{i9v?hj0{cZZE$Uo0fg1BjTS9hhWKNF^p7o~*GTM`~v zdT!QLFxw^mk}m|R7O9Y2ZA7NS$Ff_VcfVC9rBqFH2Ya!9(iFB(Q#L$n&C{36z}{-q z{W0bgR`3^v?`q{Rr<&c$A*uIq%E=-L4ROqA*+Kdx<&sp2BH`hPwWuL65I9JqW(i8o 
z7OVVyq4+czEVv$w`J|D=B`r=P$(w7NDZYbgw%rYlA)zEuLAI5*jBLTFNX!R?9gGpl zdAy!-xa>|UPr3<3$+JD~7wGk=ZB$FjOHAuKQj^s>zO+}CZy^S&=bTui${qh@{P3*iSbCu?xu@bR z#zEIFo`v}1nciEoV88YJDs-|n%Q85PzlOKf_W79sPBbXPWwaAUvb<1EL41z0KkLBk z-&Xq@jxXNzaGM+ZdF(8$&2Lru=?73zG$rYHIfvkmm8NW$TR1a!J1^>{egdzu)rVHvSp< zWFX^^TPLBuT_SPx-*(&_WClx_q=da(6ZlE~I*iI`YBMT(@T2|idUxwT)=$bipuJcX ztF2fz?EB<1SWj;>Oy%a4$rY|1 z;sq@=e)Z&IUtI29`4ym@_{%5Tt?%z~Fa-pbH~&6vx=7`pPPY6Zc|0HY9Hjnl69lnA z-F^CYIO<)BIjqGv;5pPaBqht#>eS@FUhXxf>R(jLGZtTYE)2eUhJEbO|uLl#L%KN~gv9dQgAeXeKa@K@@Hw7=PZ~l!E z9g}e05NF(Vg0>#>^Pl>Y8jo!XH{pl;u$bqqnhhgsX7QU1MR07^-8&F6&IZ(H@FL5c zF@N{8pvY(c;nn?9k>YiK_uXMnUz}HX7z+Twr+OHHBdG){sZW{1!z;tO>$o*|s+$5$ z`R7|zuCHDZSzIyz4?L6uv726kN5g*F9^fC@&3WB|tZax)$jz=6@AEU%tM(PV`nakVF~-|l;(gX5sQ zeAi^7Z@inl@Z!D=rE+s#WgOL0f{#;!#KFNu)-1=d)0bIE@f3 z+gV(D0io^9dRMVxxn$^5=HE0)Rsd+h+Im42&4fx4qbk^JD^O)#rj^IC4_9M0Cba$* z*N|A;ddzgXVX~83(RWpfUj>pq%vtw34gHiF%#bg`6#lP@e;Jwro&g3i4>=U|-ocC+ z-kObVh%0Wzn}HJ78Xayi{SKgUSk_}9TKHAZkZ5B?hLuz*xK(=Uf87GDIA?dZ2{o|M zz0q!Icl7Br=rri71x#ZrYLHVq(ZC}{eR!$P0ZhOA8eRCQYz0cg70>TSknh1JYZn;1&5a`Jn&$F*%mz8&=dBp1d1V$j;g-Cn5h2M*>yX}R)rMiDuq_VB3fB( zY*A~jBXY+2E-v){u5O0ZJyu-us2&EY%)th=3eT#dH*yXCBYsJPUIH}1-K_#T+Cy%7 zBg`|@;Aax2MKzQP0bK7(?JB)jE%)Vg`v_9l3YOA3=t!#s5~Wo&lwO?6r--*i10Ej8 zu$&S&pHF?`8ZzIkZq-z2a}U4gQrDrIuV(eT{H(q^Jwf@qLh1IB#_Wm}w}&b>pDok; z{($QT6C8%beK|{wox1m#W$>0Cu*dlqqyV(i_^I0I&wlpYp@-_Pt83}GK+6VKSSmQ= zh{PpZ69*mP@H-*K_JoVoLC0MRy|Yl|htdBire%ODoC`pJiZ18ID<}k0v~c!G!k1B>#Maxqmegpct$I4>x)(;_qH~351VaE8qaTZzVkQ#rhXfnk3SzTCleM{fTFfS zbkwk=t((}yI6kd~9ad)~|)LPa;w&tQ< zgemMKDDXW6pUstv>#^k@zUH6Il(T0LcgRmsdmwX!iiZX$+w;vXdML)5rzZSFB5rJY zSYum6;h0mV%yDKc!|4lz?-jdyzRLRX1)QLJyaM$SYgH4ib~UuxZG8JYEp1WL75-!Z zv{CW)w3<5;r=lc}=9tbk>&N}N<@BGS&Tb2t+ugHF&lYch^T3V3?~O)K%5}^(Y`kY# zj@VAmdiUIASu$=x;BG4Fje#YnF3m-?0n1Ng$8h%Nm)%@&aw|S7s_=q1^sg9K zd~n^~6V34+YZ54!fTTG~uon^ci=FeY3A~Q@$+nvine4ON(h%qRp3wT8cV;YHGJ0t4{?iJCGt<=9Kp z3PS@*Y7_)0>-Qlo%NkLsu3^$0>Kk(o_>qtH|wQB+}QF#kMA 
zsqBVKb}M#TQ^u|zvlf4g&;R_Cx>PlxG`fV-?ohL<-PZ1))1)W-MY8W~$!m9qL{=PG z$`5(e(r4!6WNR#VVogrniwbuysi4zQAxB{?C<5ydS@+IFouU$ON2kYNlBR2JTD{>g zOkn>PXx{~;v3T1ElJ?H)1~KaMnGk0-@Dvhm@}3blN{F5??AtJoEihBeqX44KSw@UJ zj&j=@+yi(VnmS4w#pE503m%k9@GBryfJ@wjKk5>EbxQnVZTQLRHyK>U!2*inm&*%@ zDR&-5@JT6kw#HZpOok_@;u3@Sr-yN;OvC+b!&Jo`WhFOmSvKU7>}@Lf>;b0h3i;wh zamR-Oc^p!nNOpV`v++5^mN%#teZ$LByPm@V4>o3r6AZ5&2BNJ`!qC2w~RL<%WyvRP+?+YX|)728io5+0?g2x3{`(4+i3eIos%0a+#kH zbs-RXSBIV^4uvfgI-9|;Ued_v)jWO{bsrpP4NY*a2a1J z^7|KjeXJ7DeotqPBJ))(l$==-tHe}G(AH1s9IiSp*8U435tGtTowRys6G@Dt5qS#;uC=9EU5+X#qT`Jy_~K37vntu;Wmlt zc%$176t2o(mqjtM;Pj4BqeBSsbVV811>%k8gR76f1CNcV$U<$Ink@h&2 z4Q)MJgH_((!K&@U1}mg+YN%G^-JZrO~{LLlS?&ARyRK~rOlyk9TP)^E*|4~Z8t_FJ>k)~Bt3ECwKv zJSf@+)fYO&Ecb10Mll+nJDpH>-Tx$$y<$ zzS1Bej5r%noY?~B@$3)}Fos;?0R)HJI_=yS0MA~Smz`cAn6RjX$aKJ)MZeca)Rol1mcB| z6WkNWl9+e+K0&C)5}d|x*)3R(=Sc?i*A`B$j#D9tkS_AP5KWNxN2ToAX~9pa*)VM0ALgwc@71Tu zgSqsfv{?i%#GxVWNgB?YnSr21txrG-(Eelk z!g=1YCgIwA!F+EwO*>g0a{ru3;K^>J(2k`2Z8jDyD&n7Vvz>^9*)pPPZ@W4puhLjQMZTp_MIi;}$Aq7WIOgry)*<*|>P z`j;PIUSds1X-Yzx(jkBV(WLp}3Y2*7TrfR_f&p2|zM_)|^lt^*(TwE3mjkV!1WxsQ}EbA6m#Z3If zsfG=<3!1gr(oAlPJ!K`Xh22G^i2h_uA0sMis!H=lo)9}Gc1tROB)Q`ygAr=i6o+>+ zH(OZ`dKrScniX<_EBrMi`{{AiMLBqgHgRq#Xm!){l#aM)P!!f(Ah6#7YQI$RMXU{hQPOyLe`z0vho+4NV25m1S~x|r=Gp)ZRpQ+){Z&TNh?ss z`AbhSlLv{#t+Nfn=ATj$f&NK(gvphrsUA#?GHC)kD2fpTi59GuNMM2jg24pJNyYr( zgYPn8sw7jHk!y!Oz~jgOKPS>*1G;$=#0z%Q%^lKaY?v*>$>!`ExflF_d&OAbUGX;G zEW+1Y0r~ELr)`|<4tUv*0H>{-^bWFYYalr0&NvQy*^hvy?VS7$fmGzg`&Va=fU(7_ zf?NH~AA;f`fW5WkG1f2ss`fC1-WR>`?PrBuSTTgYle@)op zFWObs;}%f9MRkzLv^MN%NqH#~NfkCC#6r}$?k!42T#)D4cBC^+HlHjsSu3;Y0PK>h zhf2?z9cP}_?#67YYTTXGzaJQZ<7(J_-K4U3HWXAuOQP3~nItu3%8)Uc69QQyMGwQx zK9aRu{~9MjmPsqS$e3XzQ;v`T6ZM?0qObE8pg7@&8mG=)?JY zm>tC+-cW^gLmkwO858_T-2|ZsDn*YIXsmAer9dfEvIa--`B(5<(LIJsf$I^OY^zf6 zW;fKQXl+$qQIN*;^zAJbrmu@beSZPk>qE8Cef4=tL%gB~`-|#V@y?dHZoH;wGgnz{Lta@c>xb>Tbz@Y(yOG7;3ZXOB0@rJ4$!q*bxW((T-coo^ zo|ak$M!oIcbZFf$#Hw-cOHR#(Vx5MnAB_6z-h^b)aA@Cv^rl8_F@dM=(e%zVdxFolikuh6razy 
zrsh#t?-ro70h(h>ufGA?gUnkGA-xAWKi;Rt!;2tDSf(dakB(PP>o7EQYt44-y@ zdNlfQh)Vg;$C`W>f7iu-nitX?J;=B^xjGsCcxm z+q)&TV%v^&HW&shpUfmy_e#&#?+w@Qoy+W|#`ZCb8%^WY45bRs)M5HUupH8LQO7oL zO^)u)B_s=uW7)#+X_1h@@4N4WLQerQ6jic*Nfg3xgB#)2&T`bX2m|IKWqhdL!<)I= zpQ~$cd-M*tDf-jxqQc{SH2`asOBtzss!V)`b5|d&NkU89Mbm9`T zF;1$&Uck0no!TzyvUl&?4=9Vga-E}UJP{NCnjUQwmeFL{Dff&j`QZRUCAD}VHCU+; zZi^ff4_vxpbo!ra9j-gQgT35P3pJ5wO zCzzR)ILNa@nYo&P-`#Yl24^>$?!)K(E1ofqlM{4K`5z!wcpI%Si@vOpJ=MFb@|ZjN z);mu{xOqIC$W7ckR75wBT*uV34&n%1T&;A1N{vJl$Ns1vQU%J$NSHA0(6%g#CTxQe z$;kDte&jogkKAN~8M`pOrrCf3V4~zkMHr4tpcXS#V_g&=s1N#lh;-mtEd>@NGKF0e z`;ULp8-R_g(im7Qrp6}^d9BG;U$Fv(M+OL;dU)GB4+ban^^5XLUy$Qji+xR=AJi;< z#mQsm4~)(j02i9IXAV9Wp4IW6z6(bz@MziM(XzzbUtDVTSYMt{U!PFl`pUoZ=-=YV zea5=_IG+oa_Q9jS3<^IMV*;z8N(eePBZ|(^M^waSE043$53oopQ_%vXIg!EZAwi6j zQcyJR5eUm6F$qmtupWd(YPF3Ks*s?D{7V?seNgdycQDE@w)k)(e?5vBPyAM z?3vLuDD=$DB?ucKm5$dqZ0;bAIed+g@)I*3&u`(tg% z^-+h|J>yar+>AoSfU+W3jvSMqY{ZJm;k-l;LVtCQ?KI09!{}b8cOhk0->XZQ8vRIg-HbF2*_9i zUOV^c7Y2uZw1;>>J=;Tm7u@ajnBLM14>VlKs3ZTD{O!+Mk{kYD|8LcwRaesJ0|Wq| z3Jd_i{6DLHeSJ$iOBa3p|BdW7Rg#t85m!vLYn6BR~d|XSNlv_@XKJLAS3iY)P`xd<)Xt;O#gE+%jwpgNZ`EB z88?DKdh}O=yDG=iFH|9$Y07y_`j>MITO{&TmCv;i+0n2I?UHh#{lO56@X!?jDzuC; zdrY?Eq6+imw4fC0q)`Vx+PP-JOO_3LlyY&|OnC+Vw-hr<2O8Sh!Kk9_tFbP`+WAmo z!8#EO*C*{+xD=Ca<~=y9tg@_fc_`M~Rc@g?EYM0ymvJQwuZ|zWGFEN-(=e{^tO+gr zhR;EnglcZ@u*3CBP_?d@`-HqB%KUIM-K&pvAVv!KO4>Y6wqh?`LAC0}wGYPq+OYNG zWv2U}!9Of4H@f$6XT1wOiSoH-mu=WDz3G~*=@mEqTDol|&5PLWrZY*_!Crpon(xsu zToOWa!GNG;30wE^7B^mJ^C?(ADsMov`(9<1?EokwQQX_xwC}r=^iy#f?UKBx}4ftM@APxB5 zlz^}QzI4M%jYj@W6R}3EkN>-sSvRrRs(p%H?Die{zbCqEBtd{BCIA3(Gynkl|3A_H zFPhH5Q&j~L02tfx&J^e0>*@gw00{C52mkI`Wm&)E z{=AY~zAh!_9(PSXwPvORAC6`i4J%qjVk-Xoy)}YQaB8iKv_M zb~xuI*|v=^nt_xv_OR&ReP~%o0x6`jg-06lYMLnfws|}}+r@~J5*;O_MITiI@VBGq z2~f^5Q9#prOQ}Z&Li6lP61{{Y55c9NBm{;b@{uGlfD5mw&0ZmqSx};5Rj~bGrrAZp zLdKNS?*=h>eVJ= z001+3W~6BkU;^}HPQ(2|(vH%Xk1f4x3*_`<&B~LVo*u89$HYu*c(CQ;>EXniA72@{ zxq0znB09+-QbJvCd3q0nL1JJmFvTPXEq$ShwE}=7N6-v&Llt)y+~XFYCxMQuoE8Er 
z7$%jr$LLK+%H18DZ)}}USfil4`?|n{$ePK(AR;pL5?ZRkNdkg=chF2d|2&?)zP=W3 zxiC*YY@I^hmU{dwS=igdYh(m&|EQUq>t))%zC!reJ=lP9kVES3Q=p41bIk~1Sh}Fl zPx5~F39gZ5HYG{s4f|AW#))Mky(j&xX)5O>l*hoHYhx&55ES3Ly>2Yayr7L#)|!9L z8vx^=fFhDwd(&>gh&35}_W{F!Jh7i6I~8`~d*6$mm^cvm@pJZK@qK2)z{jn;ZJyY; ze{&$(4=K%x#@U_o)CpUI#GL|CWbFQd$!(Ko)x4e8KW673EMXNv$h6+V8as?kI)+%!vBL4!3g z3~)jLtB$nDH8%+p=AW`h)A#-9&M)D?VDDT;8^i>SG_NR(B!>8jMq>$KY<-AS+GL8j zJ5LZKw~>z14;VqgdI>DlX#+SSiaBTlZ_x$do3X3qGTLQ;8wQ#iq);xZGnDd)NjA$7 zIUFQeHItwHrqUZsW(uhc~&$KUY>@5J!G7xN&?8 z5elz5XHDk!^?q=k&A#;R<5ZG|BO6El_NmUM|7ZAo!llk?n(U~!9gu=r&)v)GkkZTf z1OIGJnIStTX75bYew1AN=>7c4_Rh@9uP&7!YyIBE2WOl-Ea9YOouo8re&hJ-&;u_= z9|tdJkr6Z7B&zz(HR5+*{@^My%!DaBcQ)+!@0*Vo2Z?#}();-VC4=+B6wW#uCy;21 z#844IGD^z4CnQ+u9Qj6oH7dh-xF*yjS{bxP4MHpz)gPcLyA;)ubuW=PCanTE5^DuR zj@-r=K{CK>NI`%q`GCLrL>V=L2<40^&(K)`7R3p4>psXF|HP0&9elyM&p6hYAreFi z+_+?#Qng%Wgni@8!95PCCn3A?ewI$gTxY;mI4?Ny(2HGV| zY+<~@EIY-a{`3$`Pc_F1M&c4S1N1o%7?rW{h;@J=NG*zQZs|lCJZ)ehV7ejXi9hH? z*f#Vx4@M%g6tMw0z%?3>BQDy~2TU>hD@0V|)T&$=Wd7(^wDpa-j*IFEb)< z7BFAbV6Zt_i@vLRByjkbG1RW*5Avk|7Xuk^9w0c?!7(o(Wbs}T$MtYWVD)x8*~=O3 z4%+u%0VdU228R`pKmWQ_gE*i)62o8aii)agqR2mi*FwaHixNe<3w6g*uq2V7;b1E2 z8%v{N6&1J*C(7dZ{*0MGvw#e^f&p4sBziBzExPS`7M&A<_^i_silL9bCbRs$dO=Gk za?%SLGO`QH7GQkvP`s{NbOR$`!(muc8JobpqooFlx07lCMVFvlCr#Y*Yeqy+)sy~b zxj~<(f7&TKuoWAi9C@?;YRh662uWj#M1UVZz~#hxXARScTzZCIES-)&doQh#mp4x& zo&dz2Hi&q5GUgW$!piCYSUYimlV7UZJD6Iq)uAec13H{zWe$rhyu+zABthFRU_2c@ z(a9W2WKaPD{e=LlqCaCJ5D?EwUpALp9Jm7ES16~)sn}f#TKGCzIwa3f0D}@9BK?C< z$^e$xl7{44yfGlmK5x?^<6C)3}9SmQM44oHLRGq%sU z4+@20e)egtVI4fF!qvMa0RDN#)ex!^h!G+wv`n(#ivx2C0U9x!zUWOB&PWTBrRb4i z6sN4dWUV%VD3otnaiM>>R-G7zsSq)@EQ6|SIks_gNa%3ROa!8^1r3H(D-P7(%|Xv@ z$fR(Fi4dZHa=Vmz+BKqT`)GZKy6d>|#^3NKY{aEgH7bcRcHn6|+ofA`Nr%4|gnd_& zZ)OEcq5~4TGY?7u`1g3)k@HTWIJ1g~bE zDLP8Lh9y%^;HaoJx^*-DevvdA@4Q-?K^BjjxM;`mRXzEK`?g{-zo3!2?r#RJRv73{1>iI_&}-=AB`izwaXn3|F|3@9-hAMw z{kTKQ*ys(vE<7jL>4GhJxU5LTlH5^mtmWdk#!Kr1Z$3o&b6NkB!aSZvhuRQx_T$D#&uRwEc++uWn<-=}C>0A9Ci+-h~g 
zn4(q~!H>&3V8Zx88o)ULeP*37F^|1}BL?R>A9&#?_NpV;Ix-p^1erDnB0H>J_vWlp zlZ^2+BGAPq1`Ku!*1mGJl1L}?yhyCpr}rz3RPm|$vteNn$luf2!EfXmR90ZMTh#MK z5`w{0qDSRcR>IBdPa^6XT$Bu~c8b5o=*8JP7ugaQ{G6$@=DP3HV#|vb{w+hXWw_19 zc$m{6X{zFX%}eWd%?MHB7|&yB^44OQJ`U-JhsZk^k1NRds&^?wSyOsr{-#?n8MXQd zVjOGIN-5R$Go*p^w#&OC*XDQ_h_fE+v~&58u|lXXuL;(-U_{Nl10wH?L^=?cr`e5h zVJ%lr;`jBY%YN>RYZk77SG-J#bBL8cvqOP|^F|ZFrYm*O?T3*55PfUz+xOe|+)QNGIGo7eMpoj2p^@#fmHIuYU0_0o|$A&#ZKqs=)T3s#z+O zNsvpE`MKm!O&5cR@>jseZyPkfi#L$MHpak_F|pt>;4Z)sT!4sV7eZ!h-WH6k?JH|S z8CyzsyoN~&E6{CE95LYfIt9!@=-)-!HG`@*KEIa@JeKOFIb4s#g0cV=RZgZ)hUgnf z|Kz4Ku2`_`e%DP{&qb6Q5VgYbA|+2SzTER(5uEyrT~U*xvMwGxy}uAEuz~i@^=1TB z0v56fD`_acmkUu_>{s#+3f8TXo+~l})SHqzDXfTgnFEWh;RG~5sqP0af1*CBya49I zsi3vIXHCrhxYvR4a1Ys;s^YP9fLm~FMJiyE>Y8QNXoE8$bi?SPpw?T;uP_;(&ln{I zo#8Q{LPrO(1Yv>i!EWSD0fIF$VuL>B!7F5i`=sZJZ8k(`5joQrRJ(SX&ao_Oc(Lls zMQ&#XmR~iYm(m!IG9YwSI(oYkZTmE94Uf2L<|U+%3mvZ4tJ?9BVbu*Y^~D)}H@Rw^ zd#HUg`*fZ$E-WaxlfEKV={P0|^Z&`|v~#syT^;<#)tqf=1AQHZbJ-2f_~M)ni^J}) zp*$yp)8^XToO&AANNffxYApcw=2C~&@j*HEnp(sO)PAT5Ur2V9DAa$h5;TTymhIe4 z2>|)Q63t%enzw?tM#n(Sv}~N9gcu--dtbJ*51s^KHFpfy<6=SZ3i~}*$Y1J@cpM>v ze5|tw9D-(-^eo6fI}?D(dlT4F$9eJ=-uBxg?+s+ODnP336@0M?!JKTVj~yAfH*Xb+ zHyceR5@HUQMA8Yy{{D7X5Am4BKZcSOV{gI%2VDiJa2k+y|r?9Kb*8Q8V~obtDqO)Yo=_&hXH#wIt8qDHb-Ay z^smm!epmMOPJI34@wFNauP5`BdgIX9@@9 zI%q(H|RMeSExc!{*8QU1~04iDNtS5Y_SobTvk06Z!HerRs1- z7lZ7!TrxdQCjjL<)41`lx&&-hu2X=$j@zQ;~r=k`;)?q4KrlR zc03jc_PLN1mg2QSUToS25qjHqfACy--y-1D@} z3ChNI>`wX?K2x#_YNw#X{yf|Q2|fA6dB@EtR1I3&qdR_BG0%H+ zFKg>)Po{lY^#f?aj+?Y2mdx_!>jbnygbS|n! 
zQn6QV`U@_wYh-sIXKb+}^?^uZfa>D7j#`~!P%=ZpqiEp5Y?Os}#)efE`K4>^1sz`I z3VS!brap$}gT}v)Xk_?E3lRh3c<+GzuqS)D7n=RNU5Xnd`vok$3T(5|5qKwl7PwyF zvxNzF#~)DQ+S>w9ak@=tDtZoH0>w3y=*W#6@6id2QerBg%-#Pqh--ir#bd_4$N``# zX>Re4HZPF&*Xq_b!s-^c#2S%&Zy(ZZy+ePwg&5C!KTFe0-)jQ=GPYz|q^FB zzf)RsnNJq`>qF{U3c76R?0k0hyfK5XY1>SGxCS%y<~Op&z%JU#2j)v+eo&B!PKN0N zS1TH0V|7auChfBJ=PIB3o3DOY48KW>da0V*6=BBLP(m7H2=A{dXhBEW*z;lu`1NX9 zxFXSpw|a2uIFmJxiZ8s*IYSRNt8liTFVJozpEE&#+y-SHZxhIzu1@ZEUgR<@E!Ficc{x*3E<$lN)DZDx^3vNu;`{bb7h8 z{R3R%9k6Tqz5++YsjkDu?)en=992Yf#HwL`*tl(ZECzC2X@LCO^;$oa{BQrW6`~DM zq9lE|IQm#J@qw!K^Q;eU(W@mm9tGXd){r8loTt_;|3jSDl8_+h#1CtOjayHg1XYZ5LPiyt~(-v{7po&sJ1?NY_T%y7h#S^x6}Uyp z$t`)f%|am0;&ObVT$)RrI%baiDr3>E>hgcNiJ4ORyZtUEXQL017sh?@kQ&&DmEsvU zDdvz;8WQIj;8Pt3glyErn8=VXkMY+^8O5L2G97S znh(Kb=Y(i=64XGr*-bx|4OrX>KpFn**olv@>At~W#R7klVvn5jU9h%00_2Pe zt5_r3p;&2MFYJ9gDJ_D6r2UDVzlTcW{Xs|91z$D&OD9~Eyj=2W9q*b%{DM?N-N^$q zcta|Nv$aYa^CIf-=OHwuiJ6npjqEvYqs;ES$@QIZqdcoUqxPbWUc1_D6slc|1$(W? z6;u=52=P_1GeE|SCDGnvwq@8#!)nWFaC#+ETHdB zB-drRTHrRLn^~iqy}#4Nu74jx~x?=srp zmFmT$R&HBIp`4Mti4A*JBEnELYxe6`@BFGx%*n_vygviBS#b<#hy0u^`@!_P9AAs@k$O2WafR1*JY3&M}-+Z2EPrkyvoCd zP^>iTT98wh+ipDo*xdBk?P6wMGqX$(*h)2NZv?SPg>!t>dw`_tupHq0A3M8f{8urC z@1ZXo9PW=?I<_y+x-VS4QMr_OhJ?HP9;_m@ajbi$;x1i|Rm?NgR60W`pJ0Q%@QJ&V zo{{&L^|eW*VXg44%>W39uxlG{XGnaaQddWqvu^~xFqTs1uJ0xXr=7YntZ+!(v;M8&Z~!Q$Vgo zkh%u|*|4Uv?727%p1q&y7L}t-T{1Y=Ea5jx9S~Q&rVR~@;fw9hFqg3u8o4BdKH5i` z88*;++5i?Jz749jj2wKsmZ-e&8jmc-<@e|ElsbT?_7!^YhdopVKfb?IfBV3;eJQIm z*=Y1dbGB3Ky^7+xqf<@^tn>w;JXk#oKE_sCeQJxks26QQjBR?~k$V&bX@6^avXL_q zYtnZK)#!9>*`-CDZeuDXJ5=g!2hnm#4`xq4GWl$QO9sZMEmhFBk;zFZ)q%Z1GQkCK zM?k>bj@>2Itz9=-Vw!d3``k?Q%X(H~8KQkxBRLd54V?w_b^~)CzL}PqB14(~s#Ytq z9e2h4bqvpikbKfwmR7$=IeQad!pAU##T$OYog=x-Gm|c#dvDhW@hpCbdE5NMNgwJ| z`bKBvwwHEFwofIk*Zx;*Qf{B)>&?ja=hEx@O`B3Htm$Mr080k@>n?D~Kc)W2b14%s z0mqZ6mE@9s@1_m(F=F@ZK?QujtO73}jD;J+$2yMsj^qyLPF zgmeG^*#BL*u{W|ZHFo(AJL3Oey;;Gswclj>@DBU|&kY}BJE_!d`%Gj7)fqeYNgL(d z6vQ?O6VP^qoPFDGTe&swGKHUBDKmwlnBZrN1|T>NgxRk 
z6QnMbm;>=fCJb^%7Xw5l*=R~)=!8xT>+|N|DNCn;GqeGY#waQ5lu|3yONQ<O%cOuz=^;gEJ@A2QYs3ePq1j7tbl&ib3R|GlK1^kv|$hnjG#(_y(J84 zxW4EOcG_+Bg{M($0*mJM^bgsG6?rBHse8tp=Ec&}nW5t+kVV<+jZU!TQEH=fFGPlo z^v6WNDE{J_P4b1jPLG#|$HQIm0@Cx9YWjS*ZpZVC8=KNiWVl=r@C4@}V#G$j)`Laz z2y+wVa_Fl;<9Rh7D$ZAz*%X5`GpcESg51SEyILZhlMq(a>Kkg#OOWz%ZMPb0wZlGBI3GWuZ0w&5C8^GR@5XEn97*6*z z0*UOr&gxfmT@sLmh%sB>QiM@%K#NZhF@9L~X!{r#%0k#KYJfY<{UbYH2w|sje-bD{ zq!YUj?w&ti)ESk@KtQy4)47en4*Y4-LV(UpY1Fxe7vL>F{b-u`Au~(B>0C0EgrAGU z1#dy`vwSW;@m=5m(|J22>}0#*i-{!x)g>^-Uw6fDpaw*%6I8;~zU3?~N)(f5xE zZ8uM-0@x0C_AqFs(lpYXS4=JziXu`WHRzw8oJNZo6s#owIG+t67plPcjUhFGN(?l* zVjG(pr*IQVD&pwH61qov0`hxby!+u-Z$@Z#;F`59I(d3g5JOJ2)++o}N(&ct&1^r} zr8*oNNi#4LN0+z#EG)Als5T7lJLOF$DZ4b#F)Ywwtbl(D?~F}b`fL864WHHtjlpIH z>szmEedq(mR9uj1byhDAzueoRgts5tHYj*UcgXti?!Gm9abx^;A+tUkaC9C3;7th7 zRfYJ1?5)Y^{0()pI&>cV=oHC2Q-9C__$FIpz;2q0JcI|_K#b0yy`;dUkSFahLUm$X zg!z9|3Urf_!rF>^pu;d}wL;P3<@8zi0@b~DE}9`)ja=3%;o9*aKbG$=d0%{JeAP9^ z^hbnu6d=_TC&a(Os9bkP{juLLOErDL<)XJ3cPp~0iT#HGm0a@y+hha;tWHw$B`D~^ zZ-FtqInJH*MyjGczKDI7a2H45lNz70IEfGG>#RcmuyOX;9;T>pQ4W!{g!2(DMxW9X zw%(n5ou-zyt()cFa#QueO|5E=tWoxitn|EJzc0^9l4XgkaaMQIPyQ57hlL{J4F_s6 z8{WAB^B-ZH++qr8)Eq#!%A8hUR!IOi%jG&m9I$$_co#7EaT-^DmYMrz<-Z zQs*_%|rFK)B_%uOJS)yfe89bUptV~w5 zj($;{_Um*>ix$?-ZAA6bdspi_ij;0|CA(B7S8NucY%V_bRlLE=4U#-9}&dz=JZz$V)_+<30J0;W#m&e9-ppWNJiI70`cJ>B!D zS->-7*k{Sj+8neYBs{Q81W(FFrnkE^CJ=vm@anUOAR-}&-=bZ2yO^cDVro(EQkIvf zb8R&GM||9sR*aV^h^KiHfrG(Yoe7w1dl7DNN2}kiSc+@6o4&f!>_cv*1Vi~)i~)A3 ze!X~G=>w*`#c@^ju*(^co%pWEZU?CDz=z)EtbmVr*e`pIfEo%eTH== zw5Q}eLQ+tQ<&HIDahx+97%bQcJPCjO((8&7Dq2rD%3Pf)4w{Gv8(}@_9e~hHOw-JN zGZ*<*m9v^RT%pK03fx$xuTGA%UX{&h&-_yCsD)zUaS&M6_~r=xwgK_;wm4RUP70F5 z3d-tDS{3lD>Gh6b0@F-8c3O?;;QN#x3o=Tyv=p?Di}$b*9*K8c2 z9)!}Cvm_PKNF0noH0JP^2U%aBzc7^D6r!u%zJwusB!D_a>U~% zjz5mB_8%CUW74a%y4gjfv$;qS)Q12)3q=cw7eJ+pp(U-+ z8l6wg@di=`*ZmUYWWIQEeA?B9W z2RJLbh`K+H%IC|+34XNILTHhn!x$Uv0Jra-^6^-#HFW=XN4QC4k}YG(Pmos;jVD4c$BflOoE?QJPOQxgZP 
zOKn{sn6F{3nvM=oTM`e?m8P!!O&NRU(5p^tZl8{4CC@i1dHrl#cZjt?jAg5XA0))}(u_`kKe&%II zQv#7oWdIZvtstp^;grmLk3T8qw^4`EQrGh3VYpfgW*Fh9zN=YiqEUnN-7JJGPL|PL zg#!pmUlsk7gZ|DAtAFqv_-M)pJr#UNsw)I$kr_a?a}Zy1JNw5d%Mu(o-`v^GT6}~Fy$C&c(|CLz+D;teMBLM&~sRRJP`0t~Ev8$7_z0?0N7aa3i zJ8z05?mko3%aM}M!x)>l-2@|*#HLz^yGIrm9l7dgp+XT6KwCr21Lm8SwBEGo^PhYZ z2x?B8+-Rg|keGS>=k*b4K9_sV6a4GeEAf&=bQ#H0QFYXHO8>*;`D66(rSIMwK)$5v zuFT#waoPBjuBw`GHT2s=R}}vFye+KU+jm~B{s8;+xc%s`^qAEsTRUZ%(BJ2-xkUQx z+Bn_R#V>!x`Tb|EHmgu#M4S71Lktl-w8F%^wj9}pFX6l%!gDO!~TcHSB3-uUC;?(FUh zmms&Bi-$iqCx^67?qq_6GiP=V{&g2e_H^Pr>-~IU-6oO59F#~^;CH6Er&JUO=tMLv zWh(Xb3r?-&-x|%+Dan_{z!hEe9dUjt5%f;wwggyVy|H#@$%mBGbMTYA>=rIgpSWne zk6fIgVLkgV0-_{bT~g)Es3bJ<$A0PMja%RM%g>MBL$8+X#mRS@G+xQ~%h<%MtMV?8 z)0AmL|FKO%A#1&3$~Ky3Tc`-UuB#O}vo&Q8;f_vD;64G=@w74e zyKJUuy0p;GNr311?QHw~>i6}%AKWyh_irLU1Xw7lYvm)^`{=w#z9~)G0O9hH@=*t~ z2Qfv#=jT6_mX~I$EUwI@_(ue?j$~7!skG|2 zc4eZT3Raaj=C+Oy|0q+Y;GgHTSCQw9(^@vhuT#_`s_U)^Cj_f!ab$JbfEO1K2c7gTe@7Hh{Bp5Mb+}zxp z40@UY6I(=AY3vr`)}2&g&VP%xb3pj+99C2yzg_OXnBKWCuVD9nzlNf=r;58*6~JW`;W<#~-rWI8HqzWl^_V};rCo$>4Q8z!g|(2S zh&^*pZwZ?&KLD4{s`i`s85eFU2TPg&Lo6pW$dFzLNcUm z6R1@vRQ(dWRIOiq0+X>6k=xJlU~Qw!f%L1m@VT3E=L$n}(Z0z?q;mCu&R5)1Q&|latr` z;g0zGWbk6e(5b>f07;e!#E|@B#2%Rh%r$~fMNn_ZdImXLWw93-ub0x_%22i^9H4o9 zFgbMZ2ucpez)5k`$EOhmCQNv`3K`Vs)&Tj~X#)kSaU&b3v7U|SFaap6t=Xtr zkw70Gy^l79^@3jztBo8#RDnTT&dWL&PEhq&th<*y+5v_bjjkMdAq%cUm|eQ!3#RA_sSQL1V`q%`-knV@p}_MK$QcL_g(P8 zG-z_==+;#ec8K^LoQc5nELT{G7Z^Gc-+~>bk}_W)>UAjXI*y?<^d?h^_1lu2f)6zc^+o2K zt}|_K;E<(4!%Ay2BDdZqpHo9Tn3nsB&r+|fJtChPz1(QwJpw2o86g`>CueV8782dx zQM78F}jdd_gU;wBpv}Twi(>+IW)zW zqIl0le>&{253)5QZ1FAxd|aP_~>ClxFh0eYR3 z&X^kk6ieS|+ za5>a(U0090&I3OH{pqrwRP^|$Hsj}cKY;lI-6LxzIKdcCwzi3vuph5?dsve zm*xG)+?5$oy`J|1X>(x64|%=4&UjYU#7z5~7K%`GK!Xz#G?+%16n34B@sgg@SRy4}u?&L*(q1mN{@ zwVrJ_@Qma^S_WpEc=!gK33yNC6a&Y)96{w-W(rJzWxQuLi>63&KG47-MJQ*LJ#<-I zn@@P)ijIKh$b$mY?cZlZZa2N^RATY-@kv9pvg@lg{*4|Jaa`QL^&qMkf$UqaC`qeH9GD z$?3;otQM^67q?uN@e#CcD-)Z3N!#L;Wr3xxJj)+=cw6*ZynMVHB0@G7vZcerZg(uI 
z1a^N60pRxLjrpqX!A{en2jBaaO#kHPg2bjM%$szZJf>k8&?N3xCy%eV*ssn+cp#RT z0CWPpb61(aqfY$yYqNX{X2H5#e7X|tGrE+CLDLNRByPAJyp$%kVVbIC|W@E+1G(nAsi z%p;79%c|isdi#Ntvm+~rMm?yr#PE=X%yFk$gNkq}!^7`%Pjh9ZPE`4G*&)#KqCl%w z)sb-dxW~1cj*?*C;@wt}-*)rCmz1vGBfCN)BKW+*0S++c4xQ;5S~_oEEb}Uz2p8L_ zTclM6%-wYp@|#Jszaaoe?4H;HtDK9Ht88&XnvcvTA`tE@hl=U%)|DQTho!LA=vW*W z4H*Ezon2ipLo=mp(WE#IK8!#%4EF;E%AEp`<~&_Yl)$jdKgOnrpKr zX2^hO0vYf2ILlhax7n?(Y3)2%SSpNPnjSN6qIEU%*a6tTap@z}61+WHs~}}S2vKu` zXBvNqJS{xu0^PO+=P8Al@_@Tb#iW za=#8FXIPL$h6@Ad{0`n>W1jH(W8K@js2q_{JcQ(%3?~F5?~&|*n#;qF^|9d;)zq%b zVe|cOLpbGG6Y}5aKN{8DfiOBCvC0Z6=k4r%^aELu<)5hW9V?T*6x=`t$59d!%%pLua{O2U^3o<%@>?CYTc5LH3L$c(CS>?>_W$_99>gJ57Vfy>rQ z5IS%G|E-!#gksd?)x_CxN@*FWwh$ECaJ7nJhW3J5VM%#%ZFJBx`E4Ygb4@&NaJqC_76LqwYh*Zh z*QI9`A%GZE^g?ho{f=#*UmRPKB~{A=p#PSqgDcT-P@$joz(%7=N(#IjutO2T>6Eh3 zCNRCF=e6JMLPgJ~4EkPSC?=gQw=mD2SO!OTA4(UM2?bbSI95A;m3fGq@?vuK+MIti zGU8&(;ar+TjW9;z!V>tP*?2bc4p^>ImychYJcv;w7*WV549&FW)ZwCGJok0*-OzP{ z9i+NrpQ0_+DPP$w*10P@`@^KnY-2t@&ED=eFhE(Qex648bmLko$-nwZPB{rWm8az=Q zo!&iT^l!$2Jaq9^r`f}3I?!TAGM`y#drn_vr?P`kyO#7ihj>zr8WZoF1chO4Z!~Vq zkz-qJYTxo0VkV+xA&DO!CMTK}VuRo{K5QSb$C~uwE|+fEW2EIj`Z$u5lBV|c2AT&* z=Pk4rtl7mafXBAOXE*Auiv$QyB1-sYunW61&ed9wXrdjx($g+lYsX4uPo!i&TRflIAf_H2XeE-Sr zUSas=z~bL@X7xMRTK9Ls7Q1puSoaJ`KTKgo6O-_-3Ejgr?{6ryF~~%x?a%{fQ~OsW zdt_b4FZsbsdnT$=Q$T#YvZr+B(M~G*gRzCQ-pAdI{@wsNVrk9^b{=4t-ZFYlHZ417 zSgUG}9S3=Af@(*@1IEV5XMJ6xmxM<6y|yoCbB&w?D|++7P+Jh|MpVDrZk8RUNmq1X z%EqB%c^i&MvOqBCX(enNdIi&3ubu#}#3pY!_xvr}!*adnbKme+BwD^A%yN-nk)y7^N27%or}vCa_a&BWrFY7IwpIPaz;O0a3MiJnRSxU*p?LZ-wtLvUO#p zS}#&U9TEBB!$!4~dI9>C6^t&bq&OKkk_CYe%9GU2dMk1LfzR8buONOyBtYChw8-i00%&jx(`P90NR zkYF=%tG0H)y{mz5NWFE1!}rU|&@#&Nv_5TzUuGlR3K428Ih^isUt_WeK={DMtL zmR~82SLMp4cyLq>cmK9%eS6+B(v)TpO2ev8q|zgi_uYr)z662TrogVJ3Hb*GL`zcs3L*3p5|2@H&aw&HM>Tt75r zR%*1_h?=GP9Q`)VxPcmB$#2FFvN$CJs)jj9+_@?Z4mh-G;7IGi{+d22gK%hEl`l^% z81EH&X@TZu6%2v3ExK7y$s`0KA3U&GrvBG zX71&YgJI1WjvFG>Mb&S?92v>cMMx5Yw_tbGt(rzYwQ6lFM6-ilb!Lb15}%Y0=lygRlPfHT 
zwMk*O+8D{<=sn3ArTHWlBelavTNl`X3p|u?4rw!6))+PqSlm(?Q9T`p`k$*#CTmKu zXzk_ zoe-%gGH$C*>4A|^Ru^^fA#8VLSaVX8P+h0CtnafA3w3$KdDvG?p8EEgKsfqo;~;`B7$o7i#THEC+Br*P-+K zfj08TgchP5igYL=BBG_Bn)_!S6~vrL(Ekj3qY$0nBX9eRS{aV4 z?RIOSK(|krqt`X^<{^RGdz>E0e}i1}=CQcpr}*}jMH~Yh~nct%U1 zgX1=h(VaQOG#iSxpxds;P||f1Y~}oj3AZ-?t`qp&cJ#Em4L9-oyP${kf< zw?x)wBIT|ES<_iJ`#r-e#;(vYoTZR9!lDRTp9u^zB^t+0#l?#0S>=wqZDi-9{lyKs_Q7vw zNO&E@d<*$%H-yqVN^6X`cnwZa77?g}S~Z;Pz@vl5A)@0e2>IML*&8UBR!|7yj3P4{ z90VgtSA|`bpk_&pyaQ2;M{f|s|H=bl+E2G$*DVc-k5x^&w6-VMx*YHk5_DyJ(qbkg z0*2wxjN~LR8?0ylJ7hI*IpfZxGzyA*-OMRU%5w;i8z%(Q2f|$|Ek!@1W58|8)K%B2R)^3h7o-Cg|03UIwpd*CLD zq#uKM0VCxALsQt)-B0l(*SMa)-zOs_+Q=0&qpXSEvRDjoOL18%TUz1VcPEa&r z1D~7-6qu@^ITmoT#e2#i{6oJTWl%Yz22p85(OWb3oJ|)o=jw(%i>{Y;4JO)&qgWH< z!Z?ZIb$WxtlWmD^*Dxix8+Ydt;ouz=Db z#^a97z@47-7pfy5zIZHf9w*`R?`V`VbpgPU^xbG}8nkomBSChB>x?W=)?b%5Z3R<) zIEk*0@CS3C@j~eE-7n=%thtl~9;%R%l%`(*y-_K3q*^N->Dt9lBJ`g@fRbQH5!`2M zfHK*GtOvE|lo*8d$n(O=CC7T&1EU1SIKL3TQy;4hS(jeVT)n3F=HrgGOxkf@WrpPj z?swa=%@iblz-9MEWjo$)iX!kDeFuuP`{$r_(y6`V(_|q=MB3>2N`V!+TV2QRfzVB6xg@Mt9!9;P#q zlNw@9R6sO>mILqbeH#u*5ObeOyQwNLojG`yT!jmsghrMsXOR$y3bt;Vp?^t#`=}1B zK#-qa@ii+@9=^j9pl(%mwpCEu;A4;(@g)>>=l@E;IOr<5waU=Qk4kqkeoNm#jeiJ< z_3LMku1|&b%jSEaZ+|>R;1g<`$Py(*~7V4ac zn{Y0|$)9qUj<)@X{ar++**l&qDH&@VLTbNr$?F~7DEdz zYU4{DQOd*$I!7Y5-@a{p4Ta$<=v!+2YKix!$C{5ub9lVKQ;EpvSM#|Yp~MVEHjX`? 
z*-{Us>Bv@WDIbd6$BG^-2sHbfUwLl>aPr`#TDhp~u9TGJ0JkG_#xF0fau|Ko{0n}AGhwVo<}v0tuc zg)Ub3)fs0)2O6=vK#1nX{!aI@kl0Az7Q-O1W{Lp#jR;Lx81Fr}|nb*~&pc>h9X zB|VsT#6J>+(VVmd9H03Bk^zeAQzJimqM%6A!lVN1ca1saQ)21avkm(okIi(E!sbxZ zeWa|mKffD}&Ra7{epriF6VK-CvACnb8f?#J9nU>w4*$Mwss`5A>vR(dDsCnK*4MA@ zYIB}EJK^))p~Yi^dG?na$oc|)hhDw`PYF}eUz11;9}jRXNac)&Rfbx+G1#9s(H>F} zbNh1djHjRtwijz+7P-+GbtjUGg83i3kDpbrRgn@3EL#I>aPxit{pol?288VJ(8*ET zh26DQMX0iId_^_vD-Ls${^p0PU*8NNzzg_0#20UMZ~=JA`Z8w7mcVq?@0Ix!14Iw7 zMn?(f93#l2XF*T^s=fTi5*LKhP|yeyW)uv)Uuey`>TiYxdKHVgM;hs$;5t$jYO2bX z@ehtw=@d__KvD;P2j`=q2nI%=i212p8;Bm9zN!mgoRLH_9qd%$0tLpwI-{#HpQePW zejl?fh^4>kY)4$$ePbvyHHnlSm?BJ|$4d28t_A)W>DKZfF7!EH9*1`7E2u`?0&Eah zR=$L=*CGY`FZ3|`j_~Izm~6e47nOSZ&~6Yw`n$t>iwEVCBD{te1ISHCGftKhLz3-y zfb_*m+UzTT&N^^WMRYLs34afjs`8@Upv(?Y4o&eumR{=I#7t0H2tx?&V5xt2{^f?W z0si@r5S=!p_^MN&wMj^R@aJfB(xzNs+>76riYGLu(4>-(DGl39%c28S&_kiOear?x z!J<8A>>4k8_gAu<>`(0mQ@uL13^wMUt>PnhLVp-q>FX;~2|Y zC2=y)g$?D&Msb`Qb7%*e&Zz>t_8%H`O=Qc>241X54W2cta#`9Uv6x*%ZM%HH6nU3S8tZwNeP^+bOZhTK|zH54dukm+yDJ)Fd!6y(bGUrhSu0}q7O#?`nVn(bhTOv0FF>#qTS{8C$Yml{ip zmA_mS2b>S`%AqLVtd3_+SJTTFufldb4(b)@wg$ z7gE$mQfCmPO^L8JPGYo7j5QAMOhv4(R~6C?z7W$Fws3V2K4S0OBU7OHQ3CH8dHf~G z#kg1#K|}sSp1Mv(yak9#ds$1tU14FY6b(z`St4!s(A5}zE!(4Y;!(G70JA$QlzFoT zc?PBXGEqeY6)%$S6XIfq_z{qrrT$<$&ikQ%XOV^jBv;TqLt7rvXM`XZb<3=0^ksJ^ zkPQ3>CV#v#2QEjSNo}_RnT~Cq136uswekjRXF>=xTT2 zv|Q(L$=5CstuZ|jg55+P-t642Oq>MFpmKBrmEopiQLliU`51WkSl!ZhUg=mJV^1

{ZuLxO4Q90mWs?$s4|kkHxDmg`r_q}A0LnKQi!pN zmh~@e-@8DjzQ!+8H9etpR6}pp?rICVch>h*)8o4f{w_!PE-weK)U!6E{63WD+f+a7 zc|#>{SE|5dcK#YsmwnC$jkB}{EmS1X@AOk>s-JI3rA0CG?(r0b=m-(VaYr<(J4Bj@ zO9{`)8sd7oncmsxabgaTHbz~I>2ddh7^P_faXN`VNe_J5gwbM)z(+&}?SLP}G?dg6 zly(fbscGr0RYr{+Gzae!~eb^ z{2!muKl+7}p^K%x9sU208ueep3|hsLZ@2$=Yp$kcL-%x07y*u`bnq^|ag0 zv9sUxaj~&*@UdUlcY7FMU>U-2S_A8rw>%s@5VPJWcMbI}9c;ess9qz7tU$Qb-2MvEp~0T=}Bp?ms&rL$FM3YnZ-WF)#|eZ;<7Oq86)*P$xrC?iod zP2v|reA~nIq9kk3R2MhBRyEe(0g+0>Pzo?g);W$kZ394>IUys zw*oh2k$*FU7^>UW$0_ z61;SD?GwE02bH?BB^I$XQi&_yz4*Cgd8Xk-<_@( z+De*GyFZ>ZNxj47t*z5j&aG_^ix-D@l1XPG5RL#!-Qoxpdoe005CWkUZZd@Gs!ySO zlL;6Mur7L&wt^T2KprSjL6`~%*M=4_uYgbp)Fi}EX=vrUnhJge5nj$Tfu~StfDk*E z9`?m>!VeWQ5Sh$9Lj^;-G|j@?(WXiYg4&WEG!K(r06QX4uNNyh$F-AE2Q|PhZsd?P zvjKoIF}l_o_JT$<^)dHC@k2EQ&@suU&QK7c9xTLQ=ZV|{C0xNMRpd6#!g}LM_w(_| z47!}ztK!D%+HrXyr&NZNjI^FE@W>X)j;ACT30X(7kGiYizwsqOejPI4NS}@1-GVRG z^JfbD9Aj)}a2i_@ytO=wHGE>h>j$BwZ3gI*b4*8#TExgV4) zZWXI+it~|0!F*dbw684~F-kz0qB&#A^IYy3Td>*V{hLea&n*m9%RlSIbO;oT5W-?R zkFugqZJc;>d~DX_m`dbYtfeQ`f$#g?W^7Kb!UQ(ffSIy9oAh&9*1L8|U)rST--t{u zg>^nPu2}H<`6*YX;vQ@ey{oi*IH+(iOo z;p!mRtZj}4j472BdEW>mtS?xXFRHQ@%mOM{4K0>8v2EcXNhANlR;uK9S<7JBnu}I; z2<}p$t40X+ofo3dc((2}0p8Nl4(QZW$Y1XcY3IgFY-cVVNA1n43xZ!Nuh07Qx;_h-_Ij_4Cz6m94nX zFjjE^3I{Lw0!*n_8bC9}biEu92;-GFLph zA2vb=Cs@q4;%!^61;0|0r8Y4%T(yqYU=b~p3LD~}MG>_ZsDekM0^Au#=v}`7sV&HK zDblDqyZ7;TGa+o!FOTKNoq4mDK@PR##nPl@ohRF_heygpR`Fp-CdIL$*bbR`f-z49 z+=-cH8I(J6(#H4AuQo>uO4Rm(wcYG)OGwSh4`Q!Kx|HNC^A&>yAk@&pd2iY1dp-?f@KXxN<_ z-RZST89sG?%qBhq%<)mI@n{CQs;(le@;wrL&qoQFWrmm48z&HB+bS*^h}5)|HShOU zw+zTBAeP7o2G2UITCz#8<05gq>pu&tg4l(lbaEv>)3MGncV@T?WNnJqP~xmXW>SSL z2S4RPM(QuGmPyZxaNOhU=q4LKQ2%>;<6Hr>3H($D4?jfK|EWT7u{E@?{eOkH7$u#k zbp|AF!~=es_B7n$8MXI+O=|WsiOg-W4!E)Mk_s0tH1Z^BiKutiosN5{Maj#E4JB)M z(-$?6L4v*P_ENpiKmnqr^+2QsY#B4%<6d@5fu3uU$x_DXkC+k_U&Z`#LVI)^itZ=Uob zSyDq%zSXPnTm8Ol0HV{Hms~n1C!)J^-xcZuE?`t=GhD2+q3H@_k<(;T&bTUUFsZnSnEu$(=mfx%5nqoE^O^!j z?sQ*$qghq;P}03)YP%;(Rwo2K=2;fMjYjcfF2A0xXPdgN7}{lY 
zyP}{Yr+9b2a2wPUU)QY9@D@z(lO$rGZ+1WiuF($Zy6^;}`dUG*wlOpg&l-oev)uQZ z{J$?riTs4x>7Rm?3H85r;QnX%YvS%~Vry*j|5}vYYU{Q{oJc-#$$k_j_&^bt!FBfo zwyK8E;{=R-AQ=j1gvK44{}hcHTe4`dr+e*E-eFkU|C+KPN_6P(xtuKyUqwYl-8aI% zx%fT-|1=p7^2USI)MCpVpA{`w?|@V{6E`MSf|2-6+xjmSDbcgY>y2+_Zr-?&-H_THOgEJ_kXbI8{4b=EByfLlv1LL(n~drom1J z5K?*;scjJd9iFl6BBn|ThS`u9G9!yGMBwRj0oSTw;S*+dNda0Gq#CGT5(cJ-#{sAb zFLOgF+*+S2ym%zzgAD}M96%6j5@L+J;06=YaQw-9S5R-YCI;2>T96wIqilkVyJ_ad zZ-rbK-TwDWDZI*i(x_a&8yfV_h(8*tX;>HZu9MrwYp@o;@9C}kl(-@6CsF^)k>0W8 z2xW@~>|4~{|FerTcwoSXC)a`0ABeyp_g^7>vT2YPjl;nR=7Rq~zOPC!KIxCN;XGP9 z?8l&FvacW5$`&3lEI^aOajrDObur`cynw%|FrEL-;e%MgThDCL&OZ){FGavEdh;=v zDs}OA{rI?`5jhZV?t(Mof4f5r^Bh%kgwMiTDBMlo4CPLMYALQA+QaV%&4NBsppl}% zl)hhVh_Ukutz{M;bxJ}Iw;`JaSLtTlrU{mm={+Ijs3x}^Rr=BI6VIz ztViu){N~=n7MA?Ns$(sK6uJ_RGlSJr|8;Amt_Jg0F=>G6%IR;W{A^6NQEj@lm@!2G zn!e>^NE8AB927mP02CSx8_^>ohj5h(sNCgT`Sy8JS@$kbO%`*y^S9>-0+-HAEQD86+f6!gtqNUWAErep1KJ@`l>I7g(v)&*Oh&`-9*~$w-E=A}g1q*=5)IG|! zhWYY-VJ!y6g#=*OJ<_@`j7AaS!LQpO|YKOdYhaYV!?| zT*6+erk$?Qsa^(o5y0aE?8X;iT}af3fLlrJzNAXP@8K5k*2P$TJTg4tVnY3fO(UIU zlISM4wYd6F&s&C_L0hau!h?ZK9D%2_Jf8NOR5mbHK|W=0O78siCY*sQK~@p2RgrPn z2a@fw7~hh3I&@A&s?v-C-O_h1fG+{}XY>!iBi==qw8{&WGU1KxbSW7<7W2nq1Y3lb zIEBEwN?uJ_Qy%IuKg-gkTwT`OBIGE}Y zty2h~+u)=sJvyuy)EyqXxPlX5W-R#iBEq+tc(T6_PYnCV_A$Auv@v3DJ1-Mm&e*f$ z$;wo_t6>vCa%#n0OJB;jX%u!T?-Jj1vRP7jXv?Y^!Tqt=Mk)^*GXjs3s|f{W*gUmZqKvl?TH5p*gX+DfrT$ zex*RIv5YLSIf#Y!PSM{Ga*epmKEQ`-*IG3e4fFtWBwHqEbuoZ0!|8*mZ}MzfdDlYZ zqhU@SCKDk{X>5g_;5U3cDom-5ET1)&)>2|?nKFILu~+LMq<2qkT_XOD^HAkWuy~}|GsS)O8j~JOn+b3?!5J83hZeCgqEa=MGvq#e8(=vcoLY7(*q_vNtkkzQwgAZ^N>6$&rg)tbIn%34-3z<1pXtM}?ar>5=h~ z2hB}+CAaXT_a7PJe-=polhN>>8RCDlM`sb>VnpdB5BDgMTJb`k!vN{udgg4&ADeP%_5XLnDv5uCih*?GBirg%&P#~aV zwrTj;=ns1^DB!ojpO{Z*2m}fo>HQ)n_(c3q&g%+pI}xSCrh^-0c4M^tIM?Z_{dk6x z`CEFy6{P0UO|=~%fZ!{syiGdf-R%=i&|8)ukPs=N9Bf<(PGqlv&|oJf8hJw0STfz6 z+31KiI;53Jb!%kRo!jUbFFMGLNjBHid~3MPoqhj^H(CtGNOtj7cVzPY*KfVq#d~<^ zpk-SLmb>+I8_l&$^S#gLJUi3O*UKqaU&zKFI|I#^oGIC!6pKSpY5(ovi@o)9wlCTv 
z+MXPXWA1bWU-rhV?ZJy(?hIMJF|b#<(x~mpi^FHe_ZQpJtnJy0W3P1lp0v|LL=JJ%B2twaG`<-yrYP(nD!7F$xRDRf>2kzB zdtAt#8c7^b_Rf?M8K#&W&o1X8W+3nu9fihT8kyS-xF;UiG$)Fc9Yys=K^ZPC_jGvo zr-{17VP-08WmVo0H5^wiXs<5xNJnj_e1T@PB|wgo%r4&bC-N4S$3Z5Mjo)+ppkv34 z8}C<5iM3Z?bae{sWFC}gupDU$9jufnLIg4L1ec`ZB^ujcA%Bu3n-#gPY8i*5l*L9x zK~%PjSb$2~F?8giELZJ@f}1bkX70=W*wI#w-Bdo88XL?;L*1u@-()3_$PSOfEQ-LA zWjzPT!|xXV#fAVYRx~O+`z2m7bl{T{e;z$10&FI|NG6Y0lud$8ef7@=Ytoar|8zC= zp6FK~LDkjR6g)HsQYoy`suX;pB^Ms1ev`=`AX-6SQ{Q|5Ifn%qAtEVq89;KZQi&L@ zBq9T>47;97xpTQRY6llXvQV-P%mn}lp9>zEkYGbjJIL2?`ExDmfZp#}zGV*G8(#QE zViThNOWW3ZUKJYmuU;|N8?5Z=M#6qA-Ge> zpmoS!ND550gj~cT#2?(tDxeX)?j|(g?(U!2jX?&z7}!o{tkc&Y?h6Hedb2xYH1Eqt z4*Fpmq(B0x@Blp_zX0t(g$4`z3t{{TkYXSJwRX1uHwMOvx-o6fPK?6VBh!2y^$X%? zfKeD;LHqkESyY)2J&@Lg2*lF3zEobGnn_T4pHCQzS;$)=)SwFc;H1fNqywC|A?2Y) zvwz0JJn4r_Md1)Z>3};DfeeH~h6)9?eDzQ~^rE9)o7<^SZ$_0NkWKMe=fmp*Y1DfC zOm_ABh{x&t@a1C>+5NlI>Bf}4r}X+k`l)!Y!j_XNkomNypDgw^(EBera_?M{C&9Kf z3@3T zd@u7Lj(`+)XaQC+CCa)D0#e;R6|w$8@Oa@umf=WDMkY}GmKq^(pA94ohgLen$r=x_ z89;U`*Y7#%Wju`^7-AKc6@wXkX?1^BC#Q`K2ECDHsEo-a?N~=wf;i4tFuYh=#E=zm zr=sy%Ax)^VVr8;ma~+L4x;l;BlA(o-`lMnbUHH-~^_!9>V`@EH5YOpe?}#`0b}G^K zyZF>I3lGKzF{c=zB%zr>E72fL0nS(TJd$5U@OwP6aJ!)tu&qU?r3K?rHt?I&DpAp| z_zK4+>#9QKvx?HD+$$O#DX;Xl9=DnDU&dY;h6;2tRQnAXt2>I~#<`yXocNbYa63vg z2JW&9ve7XzfzODDgYC?~Wk`$J#}H&;GYz1}vvScosyL5;jEH}I#^!-|S^B#lzkjLt zc)pucpir`VK8*Z39GB-{V&cG7wCFzk_(OpLBUfqL4Kqvd1{!!q5#2YqGS>GOx@-2f z?=ST~Jc@Sw@&$SNx4eB|kwdp*Ks^t1KDh5TQwi@sA zo_Mf4pO({zGg^dyJjKLjP2+NXPQ5&i`CCk4V~=BF%>X0Jxwj%Kh1A!!5?WeK-4CSb z2#^xfcwn^d-!L~oqYafgCa)xc_xKaCsl##Do^kFG6m3Kav{WZjLT*%=y1Z}>5R)q&_+$H z+TCV4c0_hczapu)YpQR)E7a<(!R=-mc2e*Tx4?Il>S^R*L&5h0PZ>E@%TiIwO6kiv z*9#TG?Wm$Wa%g7woiyOGCJZ&mqt0hFF@kQMe+Jd5CJ89y#2hTnI&{FdkG*?O1tQ3E=IvR$LgDOAp7m zQN{L8kep7K9A58c`_g6C0=b;zQ@ei;WYw$grVzgTFzXuib85z znhXb<_kB%yvFdWc3S9BPZKbL>9+;hutCmJWtIoc5RaDF?WF5r$BT1L3A5_~=#clMs zfVS&Ryu*al-kCzSrqU=8h9kQ4e)Z=i3=j?ndV||sBxX&Z)%5}&xz!+_}>BDz)_--nsnrmU`=Z1bT7Pnc}{mt8SF!(0f2=WM-ct9om!ynE#l81&dxV 
z-Teb0IbJ7>vr$!wx0D;CgrimX+6>WO!i79fT90O%n`T|UaVz3`*(cD`VUNI*gaSRw z!6yUjH3jn&;xY**dZl(K^mtS%J*oAL)Vy4929aj~wC82Id2=a&Y5 zlB0~Pvk>M0^hPuS8BtBo@kV1XyKur7iyzW!4cXR>DtWj2;nqGPb0k#yiu~ZKH8^ zg{yn)p+PMC+8ClBqf7~(EX+?q9rwzn7;zw%)d+8m5OPL+s34QEy+yXw?9;~&>h0fA z;#r;96^KdMTL`qo++SdKkx4^!vFtY02^Svjsz^00i4q--T&*-GNxm;aqE2%vafes& zvX~>iRZG7!18n5OsoG(DW7mSTbo7P2z$j~9pLr0dJt{`JOYNH^>Gp5E=yv|3yPVBl zw~v`y(ogya$z$%d88_WuOgV$?GrQ6C`}+y6YbE<0VxX}|VPh*bPtKzPBdqC8KglV` zBg$-eZ&vd|%Fcv_+X*8aO-y2e^{lzdV=KPaP9u^wLaKf{SnZ6v@i8aktw!4i6YLVc zni?K&Ei_hoFjspp*TbvFGO zyB2+?%ceiI)kDpCy|Lv|N*GIvzzp^;ikY)0;QJsN?kxJ^4VC$h)QB)n?_KkH*3;#98@JQd z3^}NV+cT9x={E6#Pnq7v_+!l9hZvLh5hkDg_MY369;vk+sf-@#_8#if^Eqoh<#(i&>Dl}D1y>T?a!=ydJxwKSLZuV=Nl(ZebZC4bs_tyM5#n2_UT92VK?p>;1JR5tqqHF1o&$Vvxrr%;s zy+@sT_GcBA+1n(4oyi`ob7RiZ=Dv4)p4@k6zpuA-0lO^7A#Ey8kH=B$TDieqIILSZ zW~^M-cITY#*pJ{$cnDjVQTW*tT>jPpwC`Qdymc~v)sOG#yk6QztfmKa{pP8J`t*&LtHo(9 zcVzVu+jSCRwHZUtT0PbTyTcJ)=l)40^4C1OPCE9WHiE*j!}O?pZI_N50zdcD$MR%H z?aM^c^t-~$y8<9;xEqSwWeemFgiHJE>CctOMPO**wfHvU`_+qnsCIyUTTV~#w8Ho; zHt}}qkjKelRy!daI{YucWh=-i<+QMNQO*839PS4-%oHri5A#wJitDVKD%kcysT%iTM&ZcIl=>{iC9Th7styw= zQd60(0OmYV!=S38HLM#9N=As)(wI6cr~ItFC1Zg{4g`wdp~yHr9pxo(ZNPoa*5Ojs zgUxCtO;ZiE+DYe=huGBuU2J9{W22#PPOiq;PGjp6ZOvS`WEkV;-=6R!8BTi_!RBFO zEktx7CyCw%DpM)QrF5+a{;F~|RVNDOe=sJVD#OR3Jv^MzL@(9Z&srHKz?^&_+?)!k zmFnp_+2@s0@IkUp3q+|^cd7ohe2@Tav`RPOo2tP9UM+t*eX5$O4887)cuwrx+7BUD z41wDUVGethaSK)Ix2V?O?P>i(IOE?*63UVvr_vPTKfuHB@DKCtkL+ zP#ZksQ|uGJci>K&dUB~V!WOKeshRw(iH9lqg;r$f3FmcXVX*PC#qwIVhTU(HW3%yFgx7H<90>UjE0kV3@LFO>G;&($j;uY`%43p+m#P( zq}D7dqiA)wZlTKPe((fvW)-O%RF#LgK;62MX%QjVRj9An5tSv9j79nLQ`*ApXe zlljk@in0R#)Rkx0Qg5gpK<@A@Gt)TIl=Am@A9D4VbuODee(dzRzAms3!7h3(u&_T+ z7O4R=Td=^?(JD#S&|1t>jV&H)b@pW`sg0vl>!$7#+qz>(CrYJq3cr>}b&c}~Hg?p6 z%GaOjx2Wz8n}v1BOK+!WpV;4PSw6}-OASZa8O-<7&(rr=*NpFHljn5L8v|#VlLp7l zy;B3eOq_2*zL?U)MK7ayQcB|LxH}}g{!PfqCO)tv6?vxPL=4k4WD5slw+>Ak>z=cPmf9kAN{=ZvCEH zWHe6#m*M-NJFh!z>T`AD8s`Zf($N{`2+?fE 
znrO!C?X;8M3p3-ru3auU&I7$mzh8|=I9tv^ncT_dJqnbEdo5o67PQqmfI%6P4TJWamF%WU_|QJL(0 zh}m7XfhanAgq;J4GB-)cf@?XcvixhS(t>jd@vVE)ot$7u7C5wDK9%~m&2kQU;uebG z^Ag{45_}^$UP)T&do#4RbN=mtQtXO`>CuV)a~C*pN6SEHo}%Xh9kPGV59YapEMr!D zuGthZ4PACkL-lMxa=nuID`WDdab}tvDq8&6CaZjb3p2@zEk-g;W!I+ehlLVI$7U$? zJ`7+EqrkTdUzA17gAXz6TMF<_)8lbssi>Qo7dObX&(Oj}4uvx6#qfuZ6Md2=>P=iN z#*)eMiWyxq&yu(i|GYpwY#Dfiy+6B!$MFQurb6YZ`xkC0_gyePJRrv^9orX>nA!|S*zHwYJ@(_3qY?Eo!OikW(Ia!h}u*!T?Tr` zxEmzvul>8(!c!WTn8@WeZUC00Usb1y|GQOOQF&uw;BpRXCAYBh^X*B84_xOJAF{-! zswnIBZ#?J%vi=(V73kdrrSHE`J+cf`qMJGq`lRYfE?2qYG`r^iK0RrvQbj!y3!lk5 z`63fN6lgtxNs}Ua;(h9`UGJ^@ncmD#_u3fmcwD%e>N)i%pe74H0OedLB>e(}IKL@}V0E&r&C3P{9q zKxWYcS;U*?lU1&1^;QF_cFyfsCXrje1P>dXh@&YT;(B;iy3ywq27HK@VrUK{(^ZzjBd z?JHv_Rv2#=PookY%2W2%LQ6y-Sb)BQd!?AdTb&8#<@>B{69|sE3K2}{e_t`Yh`oGq z!^9hO{X^gAeV8lZE($o9LfrDQej>-j7nfy>lqE}7yZI5_W7SaqnRhq%Zv{W5f<`E( z2!q=B{ZnqO7AsY?wtNJzVJlcV5U8A2^>XiA-adiFE_ycOz!cLEefv|r>)!6$_C{tW z$;pp}hONal^pY9>Fnm&pO$cA_C_ zEJ326R+ph1YT5S;SHYLNsM~DN44iSrgJ~NFF7I>OwAn;+Gl#8j2`zhA=RC*SuF6-E zCZ~a+$Ge3?rzZ3aq|WHzwZP>!2x_y5H#`+6JJl5$)H)oT!nDxZyQ0(-j!?JV!c^Mt z!I1aUpi@c(sZ6i8+E3mrz_yuSsN{^Q9FJqdE2ctP0s@fcMUBCfZ;dR5YAbo-4-_uq zE;58f%Iqgem~w_o8!7x?j^&U8CF4*isESz<`1PC@Ya6^N=OUmHM*;~B6XP2=(v`gZ zo{BW=VEADd*KjQ5#j31MXjWTxLchwWHW*}!`U~&EsN+;~(VO3+0B&0^9(P--CbowF zdeTIdQrKdy&G`jIY#a!WSuE3FOX=~TAqXs-p&dcPVdW|*q3ifr7dIB3W{@-IZHsK3 z@e1nxOAkoQP2?dwmO4OXv`Lr==nSI9VKv?RQ`sKh{KGE1-rA2>DP8^ zJNE=FPaJr?;X$=IpeRUnV@HFe$+U(!cRd{O**l%?+J|xP;63SWm}L!)X7COV`Ht!l zm+nrfwwaO9VHP>R-TZuwt^>k{p2-Igth98#e2d`IuwOjlfAg^XfARQl2})k?5O$-( z7X%QV_+Hh$%e|`{LMD;`!VVFwelPjrB$0IOIA25)9WtmQI6cUb>X9duf?9ELn2b8P z@R7&u&qH8iQ+)#rPI!T*Ac?Tlo3@xoFqEjA#iHKGP^}V+2y?#EE!hqajECync%%E~ zE`2(uK(R-W2h_%SBVRlZ%;hlZ@u@&Au?JO=emOLc7)J9dCbBQ&kd+5z0}MCUx6HC1 z`+9v_U7!x#g1yl0vzQQ5Iyc{q&UDj^QK4B2+RO3CvMq#F)4A#fHloAy&;p-Jo*$6k zC$~ewl0OT;lCf9*&=vN|1ZJ^f25_Uhb95r)EbVJZYeJ>c6@j^f)>!6zUmII5eTz)W zY4X|l%wx+Q#QcsTQUjiPoOyuD<6ZKytg-WUHm)(tZ#{mfO=r_}P<1Jvf+;cplSNt7 
zNk9|WYfGpTB*-*|C3FW#F(+;lCS2(;T(fZN5~egOKwl#=4P%HALo@sS-^r_2tUWkCnv=>|m_)}qC0<3uCiN1vc z>;j>Ytt=I7hkRc7y5i5a&^i?$E1Do`=(%q?VtO9O&3CnG`{xM5+IBa#N&mAxhi`*# z=5$ohv3JOR!Hzde_d$-n@KnnE4Mjt)mMN(&X6hfLG4zp|6RVwlBZBh2z-ttTU&5rW z_bX48ej{QU?r}rx{hF)o$D^0uEB@K9K|G_4DcYL-W$H*sDXW%Lg;Pdt&uArVHqY_p zaY~ulC6VlGxAn$HS}0SUA+u{cV?DxGIaKZo(di);Zecm!dG#EBSmS?TTwgQ=z62wc zq%mpd+-1CBbVCnXp)B4qho!t%Q4 zO0c{U+;+$u84kN+`vVH({>(Bv#-kxgXqd8=Aph}rw66bvL=>!85>TvaxkPv~B+@vY zp;zLBv4}^a;hlU&E_udM2P`aQW{Ztz)hK40&Ny=~|JtEa zbC?yodq_Qb<&)y|3iHjiCPuVtWtb>5`jR{*t5{*wpBw@%#fX7{ioq2Iu0jrL1p=!S z9I`eW_=*DC!H$6zPBZ0#5go1m%Y`O=^9It3L3Zbos)Yb(CO9NQuC-7S-a>tA00cX4 zvlJdjvVa!L5;=FM9Vz0XSD*)tAi=s^zzF8wFJDNM<7KEA5G{Di4rInvano0BS8abO z9@MA@B#hljo>jg01GZIeuaY{qFRRW!TJ~<2TY#J|{Q!$bc=W}+KmhmWmI2AESMECMDeB+wdTO9FopUAj;FtkJb3KN@I%@NK*v%WM%sfAB&#;6xc%?b|uT z%P-ow5b4d;MOwOqJv9|z=;GjJtLNx#!04!XgwohzluY;SS$xD<{4HsVE%5@hH5W4F zjgZplk{rP_$+EQL#5iVXWVN?3Mbko-VCW7zl^{on0UWv#t7JY;+)E z0S#Cr;;-C4BIyup=&`D~>7ZzB{W9WHL_r%U&{^Z+y2H*i;@bozHBws%-GuEk%96tu z{MkYj@3VTfLTlfD)ye;!oU1_X=iwQC@SBu#u9p4amqk-6)R%i#uYkU(+ZM*qX@OeOiI8YlRS{x-a9+I@Fy<_+JN6h}<_fd|TP z2O_~k@Shn2Vi>{!a_#?QaXpGq?rKg1R$u^Lf$U#qmB`eQnPo8!A;%%I5=^CK3# zSfxOIfb52+-U50BdK<&WCK&wiBR{W*=D{zvX0g@wS?oGInvW}dDB}1u=aBk%6+LAY zIgvR$MPCr7kPNCSqY!Z}_Cx*fgL?T5y=!;)jT56~dUrGKt@E2SMCo;Rx{kge@aGJA zV0{+84kopcKQ~Fc>L6%a6m+zVBLLPL^M&%GaAO#1P(YZu?DC*~ zm4*;_UXwBAGJ7vM=i_&%3nnr4%4>52znSImK9~3BTn)+F5SmYJz=#=Zgo*GBOMx|o zW+|A_m-n=oys3-aAcQC@ckkIv0fg>mf`o-j~A!oZxj_5d@@2U2)PQEZ@`L0Cm zI!@LfBPDn1vl)4UQMhjYk(&ZF^uKo79!AgDd5{d4gML{P12&u+DZ^*wt z7bOQ1*d=-2M!Ef`pG1f`rRVFS%*5zZ9d~KvyIhvg^-RcbzS^T2R?Flq&ei3YnU!%& zN4JB;eXKsjEVWT$!sCSXSiAFuZZ{FMk29$?RkT$7CT68|-v;H{{}(@bDM+H6gnF>z z7c{z8nFv!Y5k>y?ABX# ztD$=kKZb>fk25t4drvyXG$}1rh(YEIiS=w``IB@T@)sd$&r7_L+U<7?xViH7hnR_* z*i}q$5-R(JuWQ$tKYHSiPvZPCgzVG~C3;{owb>`;~P)%Yk>PX^I*wQdsGt>yc7~b82~2(ixbFew1p; z@9SqwHdfnS({9V(j6>IIzRM>PU*y~7^d4Ee!mCnS2c~!%dnmcxL$rD$jno@w=sf3t zKCRmPE?u5cc0&vd_TT+dy-j*2c^YaruN?u`I<4r1zG@^_+v^gAUnV>fM4&Drd+l#* 
z!Wc%Ud5JY|jdfgo#LpyiJy%a-0#{yHkd*~cp{9MpZwd97ftk2nNhQ}8_!kR}j$6#tPZHI7;y^n4-YY_R6F zk*Eh5ji4QEfEQ7=UW-J_I{-K&`wPAY(P;~S-vt3H`JfCYot&hdkTHVORWzns~+br(DPwI&kvQ7#xQ=l0$;6%pY)-;pQ zn*l601EK>;u3Z0d7=g$tN52|X$`Z^-23WSz^cynUxgLr9G={)nUyPH`UvJXn3~;m= zEd}0g7wMQck~ocBzgRwP_J`|5UbNT<8B#l8RI2%{izG(0xfo!Ve?~sl$h6odSlB18 zO@nr=XBDxn%^hDp+LH>;RLdKSJ6gZrHlU+blomX>c+%~y)5aJ_-%CeBvo~p%KbMt$ zvvy*$yKFOH>9)o=Vad`HB9Eu4L`@Ce)fPK$(yYy%1E)Im9aIoLj1PY&gJGg=1GaRY z9Dqp$x^+P~%pcaOLD)Tw(z&xrjgvj%1KxCARw`sZ*?uZ(@MI%?Jx+7L`uEq5Q59Uq zj~5F>?s;O=kEVuXOiIooTQw7ZH~zV=ZX9#SuWodyHf`UI zvutvP^Rl8~>IONdZ}fT5l8q4#k6sA8moVIT!5*rzR>|%y44&P{%~X|c6VP_4Qv|=t zK=_Bj*X(8IBt>Pp*Wm#@LPinW64tPNZMl92l@JcwUCd(4R$2NE3ry~ZJ<8R|Rtb9D zoNHZz0D`FsKzir{P!9Ja?{Ll=?3M-2X^G}l2(eowj4Q#X^0_Z(MT;m7zaO!+*Kn&ZHw|7`e7P0o%Vl-r9G!EYcBpaWroUI-A!(QlZs-@n!d z$F_k%6kb1$rAGk8z#A;)U)%x>3HQB0VN4Hr`}{?a-J>sJ4?C;AU#$;2IYuAXyZOEt z%f?JtkntJ>VRQ8K%j0jSV#V6!92V_dop6FTObi6?nhoY}S_|_y{_S$}Y)KL0+l1!b2`S^4 z`Eq_jsMo_2fYFq9HtOes38Wf0kr9zJNX0X1HM3Ji`y`8K^lBAG@&;A0$)QMr3yd0n zQerJg(mCJyAm8R?=-SM7yZ$@QYLqOx8ZqLmh#nskQ+)f`joJ57xdbofrY65|EY zi^2|RYOQ9-WMibfcOQ`kx+!-5S}_>joxSSs*%qafLsl;ix9i}B8*PwaUhrOf~(CJq0_U7P4OLa zW;Ns))GFW)l0)?v0A|eGE5v6r{d~>5e`B1*s1d#aB_=j<>ut1{*AB`ftG+cO+uq#> z*EL?OAsN2mr)|vXWrvcrDa~2XS#{JVOV$zRC{nO3262|G?GYcBD-`?P-e_Bx+!9x) zhOiGFwF=~RWSZ)3Otj)+nRGNE(OAq8+=8l5FlQ!4%R$x9$A*lz(tmtVvmp0z$5hfLbTJ=@F#|uST>Dg-beP7TW z!V_EGud{*j9%+!l*=<2NWKK2MHZbN7ycBa)*=(_>3ajIv;5ew#k$l+66b|Q(ZXd*< z8^RM_HUiX4&91718bucOw6qoBjFM;r56KwV!f2G`lfWzUgXai5Lx^X&66< z%JSEv`Ps2GB*wYb>+GRNZ+Q!=^|x{Tobc18jF-qYqB)bTahy2q0CJqba?_Y8){?FI znCduevRp3Il5MmI?-9gpsn&?Nqs-k=I-tkD^L*h4er1mD1p@AcN6ZSIOQB^_#<2iG zLQ5GeRDL%-U164($Tzn&$Y`o-AT}vvw(IaFr(}vMzG-iswf#AwbtQSXXZPmtJFD?T|Q`1(0RhX4@d$Epa z@8+7rpCwY}if5XvkHE=p-hh156>*rJ1WE)an2=hmbodAlCl-Z<9`@7T$8XcV+LU7^ zU@PvNm)Y`mRN^v`R)1We)JKN@oe$^wofT2eEU0;y#mT)uf`gV2#JgVek4cS5h5}?& zSd$VQ7|f0pxo`f?i}+cLXmA~4v=Uv5BV2Bupyy2U0>PEtXCqKDb|;b8V#L@hK?WRq 
zFDb&R?G_5gd0)WI*}eI63zjm^aartvB-^Hq9UspRr96(EwBt56h{7HU5`nUW-*Z`C`$TXekJ#m@bA%T6w4F!ON;tP_Pj9%N0@#QoSA=HD;!fF~DvMkg-W!ahn| z4pO}}I?A{Uq-qdT3iP*YzQ)W6iDOmrhm({who2h#(?Uc~kJfVXv`XZ%FTV<7u#|OS zod(%R-0oTt5t=iCr8pW)vp_WhZ4AQn7(-S`@i9%1Hg%Ettf*qSCBm37Z!@`$h=<+B z#lXSB!}jRmVt)Q%X{|Vh>)3Qq7?nU^z9;BU`jjFql+ff=x4DN-a|3ae|?9(#yLpO6g+}Des^L0-!Y>Wq`2A2Qr5jF3)$WwAWpad*Tp8 zGYSqFbG~-~9^vD&f8W4jEY#nX-`wbV14}t$>ml7blz#i~-B#UkpJD7jK(Ah$_s-w% za@KEhJP&-9{h!APekkwcO89zzwaht$YKY_zpB{>-1P8VUu1uBJ0;#nWH++ebjM`o~ z_GI<1{s2sy5Rp=#SeO#&O#Y@+C4m$}U}khEu|8hsX>nt+id_>`$vrHNL|K5)Tb-AZ zcq&@+w)q|vsTC4ei8)vhxN`eCUD8o)(kEYS(^Z6L(;>w`zi!0usg9X&kIpYW8PC!B z#;)Q60o@s;_SiH-&lmf2uKhdeQsWV|bm^mZT~MP*Rkh}P9=Rqk<92OXuXUvP3PT5MWxe~U(b1flG1@2qd{XK`~qmVWNyM~rld{C zCcDG~;RC*gMjno=yzbm~5*zvB$FSA=gllluGp7E40LI}Z@aW?GFFXA!--ejR9U{RD z$qQoq(8SoeB+v)P4Zj|7%X9H|2M;Z~uRmfeeWzSxgi9kYrm9x*F6e%4Z%NnUabM!*MD%&^3v!mX>op${eAM1vx~IG~yq2LFEvXQ_F^5>g z4XL{j8sF58JIoE@7b&3R7YMMU5VsT)BQ1*?V^Y)DF=WfbwW_xZu`a}}lFEV{X%n18 z@8juE#?W+}uA;1QAzuLE>s&Tr@ngkR0RNy6Hk(CZg2G6GX+>6yt&sdA64@eWbk3mA zc(^`pf+u}u`mbFN4o&}0hQTOiwHlJ?hTpM;4%irJ#k6q50_Lhv(^%uBQ3nTM|GE$} zfrT((`%l1>p?zCyo@SwV|%9Z`O!4C5ES~*Qbv#uF~vILL>68ywuI7;^=Ht=dF2P2V1)SqVL))uo)6G( zlB$%u379WM9D(Z4vR4KjOBsyG>xd@u7~#d@Jcz+BqYu+GXcJW zI4~ihTaA4Ib4Ns(`v7bFOhRJtRtytUIOmU~f#?%1h8#KfWC?IQqGx083TGl&a?r)T ze5&|ZyX1(HReBTHQ9n(ulJ4K{FO=!MNlH@8!FUTIG?S(9G*%>*dGWHL@KDk*Z{$q2 zg6~o|SgC=9eyEh~t%RN*c?t;@s7<|11>rfwPmABD?EacqPXb%d2CEF8p5J&>OrU{J zDYF1v(LG8s?M%k_1#^o=K6D1&9&w`=NRL8pXUcT-nT#g z7u&+9PrEeVnp`u^7;R2r424>T5I7mUb{nn^qyK|qV7Q)~Fxmzn0lDh~`Y$6J+IL_O z)PKbXEi!NoTzp5CkV69jvHXLP&C15m%-BuX`adz9B`Hgr;sDUHKjveM#=}s>lb4eW z#MVaSD_5*7#~I6{;mjnv;AKn$C}^lB*L2$F#v0Cg7V_x+#u~sBIhnz5716cbFE~W= zy7voB_~*_j+L+HPjFj1^gnOTt77|b5Y<1cgZ*@OSX5hQKw`cF6nIGK?5T?R2Q9$wI4s?4+HN(DL z9u>8K$3V_U*-EX9bAB$iEC@BN{>Hy)iU@P2-^2cmRGB-1#2vK zU@B=hEg(8|f@z2;u-jCpDCJ`fTxcjvI&HQa>#>ful83cdqU0YJTVmB$r!CP^PPces zt6oj}Jn~KIrxyce@Yx$XItN*;xQ~$u@Y!d$d5n#JHwI$BIl%S1|L}ng<_+GZFb*O1 
zQmF+W{@H(n7af8G6Hi?#5@FfVo!>5QJ9{yt;|cdukygoah@2AX^(F9C+*3);M$DH? zz*b%02}FbJ!F8Mgx!Q`X-@3kq6FilE|AM?pE6s73xv`63o;2TzA~}6aPRt!^scb-M zeE;Mo?7c)Y<-Y3Xrfhs(Q}eLCGf6i?txI@)OygChy)cPR14doGDuPpe8ZBIftjeOz z(QI9VHQekcbx~L&FnNGOE~dF7Wpr}$rXnjiZZZxK3V6FBwLM%`r=28$$|VK$#o>PL!ght=>At3Y4W?k=H6C3!*=ru^1ieh(`CGM4y~8!_ za^2pIc>inz??mCzY11y0Kit$4th=qC3N9hIuHWh)uPd%ZgP)(fjVL#xqNZA4*R@K* z`BR=ot}#lDLat}PzT!%u<&ziv)RqZhl=ONSoJS@uAvlPK3aqpo2BjjDBjakdopR9;VuBvoXP+;zK3R2~TL|xCot} z9%w7s+erA-RhW7oZgyQqwo!d0LR5L;bI8X$?@pXgDIWklmiV}Dw_Qj7%yHQJ_LB5& z-S@3hs#y&)$o2&(D`&cDl0)%ki^8Q&{}=9c@(oM_)PM)SeD?DTe{q_T2LKzPw^gY zcue!gjQcDsa#FnCZPVR8aZ{f9Q1r)8CVfl30X`)hR1$V9!-b}PVNCv%<|r!^)Tsr= z*ss!*5qeP?;#tzGU>*x}9Qg=+SWYn2r4jcTicUgajoAydWe|CcYZNRZ8DK68wC53* zsObfhLXwRlrcuo>*`)x}h-T=mQq^k_FMs}1%(a3GAwXlmL`yMOP_=0aQYeJjdh!~* zBcLM)bQYAwsOEkD(XM)Xc9uZ(iJNLo@x4nQDG z)4LdVcaStxT{@|~-Ro_U_#_`jHneU=b{op<%81(E_`~ptX>B;!!NVHu?8rdVNmh2O zHhVKZHa=#*^~xo0GyU^h^fU1r~gK+ll7M zM94`Ut67k&{86|`H@dXL!{>F2P71SVP8}^t@qMi5Wo#llM%HLo zgyJE^{KGlM!9^*Jfjhzau-ZdkCZasU*J9(0{S>#rJxZQ5fQzdV8KHSqoFP$Ky9;M_ zD|*kUEXklSM9g-7Xd(Z^_JkfCO3mWgPa{4;(X&w1QGCf*@PR_9NJ%o1D(Ixt@R=lu zaFp!*-o++ICScgQ9jHByQz?ohHN`b@q+^BXX_~k5rDjY=vo7Ebjp=ACsS zf@MqnM6m~ZrMU#Zcy~;#r!?tHGNX3?C-(Ejj0HA{>1PkAtKRh5w(0QZ-0uLi$DBqY z_7GZyc0n%v+=iM%8TGmZ3j~WL?siN8;Ek#}vvbkQr^??UD8A+dln{aSx-ca3z?)HE z$+bnxH15ADYMOhV0*uJ-)>fVUWGe^e#pP!*p#v~~i=3lg;%{IOX2pTnZB_wCxpF0R zlN&AxXGv-P-FqICT-Hw+9@@sqNRO1(ij175k($z;*BIR7m5?+Ob+tD){@h!6H>Bb5 zG1D-BwnTDi%{WA1dpu7u`4fj?-=%gCcgT@LkHHA2gA;96T#zF2SyzpnA!wAipKtpX2}WiE2h_mKu!hh6RZu$75Ld# z0B1|V_U+_WNFRhg+!dc?+8j5G$2s0r_T_%^0@%ka{5N!xAXqa7CnFT69Q%R?P;bJ&u^u|HMl|Blk1>&pcSKw#0t2Z ze~XAE>lQ*|lSLsEMvMFwJ)V8%Kq=|EUmpdGlK_7=AOxCTRj6V7n$?HWXt;!=mX|8`%Y?7 z4uW*4`&zLhk1FjA1nMq^@n`T>>mehQm@5}ofefp6oABb^YN#$n7P}}qFz&jYy)0n* zcB#^-=`r|Y4eX5U#I>~){GnM>OUdZoVr*7pFv}ovyCKmzJKyyW3_7(7COB8(Nq7-F zK)|gZqy#|wnSQqkyPA&kDHUo3+UgNUp35MztCJj}6Ra{#pd_O>F@UqX#5pDeJj{o!vQ7U*33^9Mkd zQ))yzDLd8tTFrl0pQi*krmBzmERTzi3U=zptaH2>=AMFn(2*_C>Hz6J`#cu1NAXGg 
zczvD(AEnAs0wJvbHJo5#D1qR24h6xaK&)gSO}e59DslIS{2uE5T)Ibw{NR_gABd|& zciB+YZ_axG0kE#+tfXq@?D(nUeh68V;9n3;FM*|#h*3%gZzcHr@2($0dHXx4C3ALC z7aYyrgf7~@y@DPuCle$*de*jLJhoKTYzRXy?ov^BN+71IbYsszU^@71z~{~Is2qQK z>MOQGELQhrTJ@K#tm&$A|27P!yT?n}PE&F3H@D$1NyunNU-wg;@;YN~pTeTA?W%NO z`jDi*js{A}bAGw#WxNQ!)9`+z>g<9SW!=h#0F9|zH^_lgYGIFRv5#TR#W47z&Ff?G z>Ww-y$^D$>!^ZzhL7vx#oIiSxCP)36wjmffm6`>5hX+W`*3plMy+3~&ZgTWSAB0p@ z@HZ>OHk<{gN~7wQ5=)0#n*$q*MABuZO3W`>D9yGYSD1ClNe%M?#ve^p10qbmT)AdC z?c_Imm@MhV<ipFAb!up5>uqP z_KT(+?m-=>gkk2?)s>Sr!|Pl`w5%Re9mp2FmlY^?m_kDN%%US3bI4hB9gzVh)#C=^ z0m6K}+o$1bl(Ok9aE`CC84;5UB*W@9Pq*xCn&PL)VswK@#VBjAK^O{4%xsf8kaN&+ zpU;xo(@$jZE@Beq%+;-<_#(;apOwGqta$Ki>T;^WILa$i;}A{U%r|e&13Q+pD)23IJNN_V`va7*-(RtW^Fs>M zu`TSipEZv^Fs6((gL=U4U+7II+aj5Sq+(QNaN$q~pnTncR4Me2)$@}JW7nRY{I!oroz|517hFdD?hm-d?5_S5ZIN!-X=|xz&+b(pczt&$KPK3xQ zZg!4Bat8RXRJkA*r}`dFqWFRyFcIK*Dm=RL@v;;UwR*h(Xl!!VyDX3f-Cva_cZl8Q z$zDh3+ir^?CzfF7ONz%ZyeA%P&-d32&-0%(9BpU3MQ6NCXS_VP3M-HApLkl_m9<&H z8rtKco(5(HC%aCWglRF~;NaB~YWBD5m7$%UNC9K7P9&}u&+C_SAACij0&`Oq_K)M* zz0)M^uI<3roDJ`#d!^SuUkg2(A7iUz4OUId@YTR=*2zA#XDa<6oeY-@(@VV7=@(^Q zPZgp{D_EjELr!QVkyMe%rSX(xRNOHHqN1_7K@*`NuN2BlD*C~KM!(?Xl^P@cpf<+J z+rFF*)s|vUd;TS#E!5_6Q(J4Nf;KoJq6$a?~<^p5(PYa z^V*`0ewxA;M)YLth=Y-zUPb)9L8?S>V_Mj#pddCvNmJqXbBHsh0y66gC_6D15iiW8kQ<3VyQ6&gyAfVR{6e~A*t zSd&bWiK9Y)hEkI*1>x>sqOA(rAM>xtz+zd`4(13Ffzv-cTgvJcQKXxu(=oA3?rA{< z5Qg*7DGuv=9h3#wKd2f~ymAfb+d$ndglc{GS+ zGdYI@kEQ3udqJy!K4TT6K}!(+;PStRkfdD3CMMsRqPPDFa{Px*`TwSn{|CKtl+w1v zx+reXJpGr1ls5x+vmUHA%zV0NSVJ>{tNI!^gaLEGPfbSfykoksRKw8{Njp;*w-x-_ zz9EGX0@+Pb-AD3syBKHWMku&|x{xlcSB8=KOG7}@FDB<>zV@1K{4BnwkGvc*@&;e{ zrp4i}5ukTy(O`zoo^r-#V1gMSD55^U>KP=hI>L5^U;giD$0OBqaw{6I*enWS#;Kw( z{csYSpc=1e#$Si)X8MVn15?@?YyH4ciLz`qKF#Ve^)7a`M>B}Lfvi8IQ9Glc8MAtG zvv*g3n|4BJ$WTMImfUF~qMu8j-MxUanWh^CxUG4EA!DHfoTLd*8lbn8QHg+A3(&Ae zU|aWIUgnc8QQz{!>po{lUYm~yq(C-HkCVPVERXf`)k@ZzrOoSo&9luK6&>TA=Z*K% zPTP+)iV5d>?q1`zOB-a`^FKW#pPo*tmlu8-zE-p!8R#oytU__8?veWNr(@GZ4FJee 
zli63{#^4b8bYI%=Vafj_+}gEe=tAAWhTwn1WpGyZ?1kXKrZ{3$2MJ>An)XgXjvfjk zpTU@}D8+oFJe3ut+?|>F@wp{`vktk< zd;GWBv5?yEwzKm-t&`K0F9TA_lCo|nDBAdyGGiL$Oc)3=(gF8|Xv)W%o_PrMlU%kl zF$HH|Jmn_Vlcph&q7ooBM=U?YTGkYSY>{PVn87VgpWFOEi2&jN2{>u^oc$|?)ro$9 zgg~SJW=CrmB|r9aj#<3JOoC*M<_6~JNPTfh8nb|2D&&Ae0^W*gu#;raHwp4hX~$y{ zC zPxa@ko$Ez_wHYyu)jjjvz|R%PUx`<}tuSXAY!X-yw>15s#h!ce)3=$V^;TUj21W-D zvcG>s6{4mzpOb}8<3AZ{-QJ9P1K)Jp!O6_CF8}gC&>`=GV061&vYy z?B-CT24-=UO?(q))S|&8|Ak*MBIUxd97+V}a-8=g;9_A@V#OO$0Ra#wBAE~faytn6 zo7hP=UPGvOy}+Vcjp0v$xSf2V+D=R4)giLE zi6pHRSvoZc&2InYrMipf{<}#p{Ccaq=BTg&^~2Tz&#pUg{#7Qp z=9e4l6`kcQaM)ekd(^RDBJSi!mc_hzZ~qiV!f@*b5$%SoKj5r$$m4jgw=~Jq0cu>e zRqg`YAyunYq5UmRq|d$@e3t4dL{L+6TgYo{G9mcnOLgo@{-o6dDS-;lfJ?#DY*g!) zbFK$)e9s-?x+8YctStoojwgV;DH}&fbf6wu5hpz6yG{}F4o&zel}gQcvA*8AEY&73 zX6;EV4xcP>Rs@o>IEs-!aB}Ti0ut)EOrSP5<{hWuYh5y`Zs|TrUgdnDo?=niT|e7{ z8HINxFm*&MpYtCebnn0gMuUbs1lDzgQOvMrLBiB+IWh0mIbJ|t~N9J@r={8u*Ln#s>%cY5zMANMgSr83THFP8FTQ-#9t>XO5M)gN)2NjfW(dP z7L|T}t;f+Kmpyqn`}^mRnzh*|)EmX?+O}LB_$MA%SiiOBLPU%;t3`vAsne?qqA;IsPazyW5N;-bTCHPrll&`@u;M_7=LWw&P$3>Jzx1T_0|{EyCs% z*O7jL7eHKkFEHVHpyzb{C`BQbIM&*}?cf~}AOzO*<0wT1&Cydr7g#9WhoC0l(wlWyKBug{SM;c*Y-XFS8x3EXr5xA8UKjxsX&11_Wi$#ehT#VDnqnwg zo`|K@8EMyN7sgkblhDrr8F1OC@3vkkIRY17;7m|I1b@KasYP6$@FUd77wc~ylA9G_ zQe@=${;}krOHEKMO=g%YtORJUii|hbO?J2X6-nVpIvK%Ap(;(PEp$VJFu)tN==SiR zUGQHbNW1?^P`(*aZP1Q(8EofSsrQ77dC(i_Rk$CR5xAdUm3@x+L`v~X(SbYnt?|IbXGhe zwS5A(MIcl~Ae~?%+mpePAz+T_ksF_QbOx16Zz{d~jgN)+ot@pWJXPut-HM0e9RYa9 zh&rUgzcVPKNQQ3iZE*T`|3nToBv1+Hd2`W7abjQyjJ%diGETE(XT+0+?Ck9BC%%{AwKb|(XPZ>_4WJ!NH72Xiu1d*gFsNf7 zkT8s1xiizetyw~XSHKKoC?O-j-p1ERX7?07$+eucs6^XD;CQEro#(z)?3SK)Dy#cx zFAX-u)ZYFy+?c)qS&}jDOA|lfis{w?x$Dx)cUW$&pDjTfNK$el_Nh)b9-YnLsJv9e zYD{k6J&u@%#s0_XHxoRP*pj&81aCl7&~iP-#d$yV$@Ux}<4tqy_18Uyh<76;?$XnM zF(zb{ErABbbq56(%A2Dv$eysYFmVj$pOkK9i*Dqfq%B7louT#qmBm!#HDW&kwu{C_ z-)ssR%=bIjIH>dPP_X%XC^oQK=#^cT@0qIa-5ESES}RwilRS&Umt<~twLJ9ugpd5y zV-L`KxYP|!$;H^J$1){@!3PIiz%^55-%f2gsUP!O?G!%WFC`Bwj1)>`Be|%@KAMfl 
zsDGfI>StC0B4JMFa{Jsb3$iY(ignV`V3f{QlS&9ACq_zIvI7%wA-3>3sI`^ReMkux z2?M`%oH!70Hs31fl@Fi7VuW!@H38&5AyfxshKc_!jum58mKcBEXlLKYKb8Fd7c1}| zl>A0;P(g~dZFaK2p+$;J0DEXg_^ykg=kzik=qp7>{w zzOVrEiyW=2ePN>(jAHi(TTho6PnQWEZAV&kutecHhTfw((|p_Lw@_eQ0!VR| zEQwqwAVk}O0J1UgLv!-m#%ls#`+H4yl$Uz@7F$q| zh&3tX>cBrNntSihW1oNe=^BQ(*l*NKS^-x2O!yX5DrZAZa!sJhyw;gue%tdP{S}Di zcK5uVVcO%g4p|SHMuHPmde4i<8qgB~IaM5~4r@=5b1 zd7hSx{&&Ua z{VIoA_g(G%`QBXePdiEeCzby{_)n8mHKlM=v9qyauGqePs4cNL2zmzbNSS|!7|uLWeAdz*hFI|ry-R5gI!N%NvQb;ub%qj zu$6chjx(v9R40}K4xP&BTf39Tr6Pl-eoxaM`t*fMVu*$mE={xpabg4)7*7?-J&;14 zff-^Gc9qzQYhGRvL8M%-5q3+)-;<}|1ePAhqC4s7Z3tUV9COh+!^dvp!M*I7Tju|p zckt)aEnAw2#vv*z&4^Q{*+$tv4vc!ex^BZV^GceL#0Ebf^GHaQ%bdx{7x%;7g5 zdh{>{9+$Kw6U-mE2EijsreMv!QbFb%6<52ri)E5*+3bmiZoen>YNzd9i+hYP8-ZJO z8TZ-VSnXDlS@EsXIAXViAtKMmh6{8OIZ&I)JJ${sNgJL|p^*LPxJ00bM=%o)-n_%@>cJqbJX^eBf9ks4?flz5q}& zM!jDc@4zdps~G$G;?XfA1vG!|d}|Y+JV7gP-3-E>Cxy|L!oVLC1V83pq^#!Mqtw<3 z7oBOcbn%c*P8(N~NGFEmZ|xq|dR?;gl~a@!iyjTJyS~!b#X`IJMwiLi9wnnb#t)M~ zW)F}(l#?0s4?NDAwo^Xz(7EWtol*+hCCy#hXH%BNG{+kPf!$R>&D%00 ztz%v{7Z4%YQTJAVpPbjOFcLXMhIXIDU$w8e{xa{ZD@tlYik>Ul(Tq$eC9{U^+>?;1 zLFG1ZM`kiqt}YtJ{zZ%80LBH*q@;5=&FAGI&8@J7k~fK7DuwCA<@J#&9#8nApBQFF z8WI^nN+~ij;g`K9QbX)h4;cZvIX)Z*_u)4J6qZiEnQ7e8G&*YVL{y z++msBjIX&fU8$9aU`A<-x}4XaEe~Yp5v<3=d75(XzU4;EF&(D+H^aw=?dpVrr+Cn8 zJ4ij&3)V@9#uOVMwGZ4MPhgdb)MYIo?!`a7Q~B0ngtG99z20ZUPOBIW0me`il5)*? z?_quEq1UtG$tSR5gHkk1aZ+}kG+e#*-(eU@wChKZo#3|fWhBE8EzLkpMb=EltA*)_ zlw_0{sG4ie!3X&iY*DDSmXkk4X5`IswoCNYTqn6d}{>%jw3@Z-?%P6cO| z_b02Kf51Csn6{$!jHr7O*_^U9-9ilLm!fN%4oZl7ai@8cS(RkDHR||>LL0xLLNim_ zYn##*O>(0cDQ#N#>7vZ;4CUx1r3zSKxWJIt^Obf?ySKf|`|%~xW>)X>=;mEPhe^Y& zQH0}R@G)M}MnPJ+!C4j#X3?SSU^!k{Ir-*hPg-I-fFRfcK=EyWFT9l8_wk=#5cC%P z$j7j;wL><6*DB4A@mQugb5i(KqJ|o44k9GI!|vZI0sniqVgU+cNaS@QD24At3M%o` zTJaBB%HUBZ-$Zo62M6fjC;=WM=J#2Y544Mvl7@*bvd&Zs1GM$6T9npl7o7V!mdi5K zp1GWGVE2j6SU4|z$1qs8@|=$fHX!bNpHn>xrv*Fot*@l@b5h4`@Z2ip+ucvt5@T~_ zt}vQ>#V~-u3~Vh|qY4rT9DpmdNYHQ>7tS!uJp=>S!ZsD(aylwqU4+`X<5**(e?V(? 
zNJKH(=bSiRNL+DG?fi|VoR@mons0$}A@U6V%L@JD>ENKE@uQK*VkyeN^NS<$q)pw& z8^UYcieWN=K*v@~|ZoPQwC)`YK?jbK1^^5~^#RNyzd0tK>KqRAW4I2z0{IxbL zPlbG_#scZ~^uu_+3xd^PE?k@rPiKFlf?&oV-VFRuXCr_gcJ~`h<()KPA#fr0*9C}_ z$`HkF1(xHsLQtv2ga{!9uv0w?DkSLIhQW%{LG@*SS>YfFn$`|#A$|5qK6w^Lu2VNf zzxa{@p^`4Vmc@CzZrh!jxHcsT$sf?I5@$W4gs*`EKAM3uD0^wy9(ejqpWrORKCi?@ zISH5QGU+nw|LSxjzTM~;g?dOCc$HN6Al35_ZYT5FVOU5PX{Yllg*MlTARii-%Ya66|!gZ*OMF`nuyr5c}bzmBc*5tD@rC1^AHIk-&})W%{k^E z(diu@ z4QX?*QL5b^%RDS>L5j>UP-B~*-)s0&;i2DW|49`A{z8(-eRsPD*OvB9oh zp~emCPqQ>29MII*KqEQhYILGaZL#9g2NrU4wDgEb6CVNt!JAaiiEFGdYpX_=t`ll2 z-jkx6YTVT@x{_(%vE&jX!tr2E$DL0(;J&DcUIIoWmXDSbUc9IC&7`xNyPDR$Na|0p z&sr7}Q4|mL)CtpGWg8#f%fv)1+Inu`s*UC9e-5tH3Qa7Cub-y;T|Tj`$jVER@HsV? zB*xfa_lS7R#B%d$Z=G9P7H61DB#zz8LT~|gf*eYAkwAt3`+9_Kr!>QFrZ4txfO#d?6vpL*kk4Voh$~VTl8u%l={7ej9hBPZj}C69K)G7RHg|}#U7bd* z0bh1THM;%$x6abIM1#Ty;+q==2Lwd_4+Ft}aT5Q7$}mgizlVX^S8F<7tY7@jlyM-G zG71~TL1aj4g=LCL=oLi*nxLE3T^WX>pBxQm6nWJne!r+5VkMHG6c9O+a$(8<(YTzp zwG~y^QHEtGd%fV1zLK(?>g11HEKol@wkI;&t|lkgue#D|@@J9!UqD7FA`C^1Sw&46Xnw8pO_n&Q%N#XyUQWM02(aZsHVA5uz_?T3*c)-sRs!mg zdDEj#>nx?VQ#OYQ`aVVpIj=brtl|Q43M?yVfUFW;A}FxDhXTEe=gF~9I#Ro@y}6i^ zFt$7F`Memh2=c_$y;apID3Yb$k7Q)C`LhUT#n*>UAN;E_74tMp8wv}yc&gMmD-W#} zS;UUD2dPXS6Dg?!-vs6=NdOvkOa*#yk)|2>q8E+g++)@`m4}vd4HRbOG^^oi_-J_* zxv`HtDz_*q16ZgL$@(MZj2UTDFTAOj0n-4+ECb47w)r3Jh}!{NF7q~T*ajkpd}4g1 zk~yOIU$@9=tyryCjW1o6Xdi>U91G6929zt7VPp480HdKK%tx&xy^yX7DhQl*=Yaxn z3y<1;ekfhjtq9dKn>Y9VP1R%LRtihkrHfg_)hhTY>!--)@IL+45sWq>AAC6crP^_CMk0p=5Vfe0 z&h>Bso)_l8hLpRpX{BJ>ohpo7^!}l7l7;JQLoh|C(A*#3+TW=c98f&PTfQfC39;s7 z!A6pzGJUug$MtBTguFJ`dKU|~Zu1IeuD?$YIYgnIWTa-rM4_p1QmrEci$H`E^#7VZ zzf^5x=1U5%L{pw=6!|rW9x;IZ`*5g`-bO>X)J5N&Bv2JzU7g62774U98LyHe z^1*GKnK)_ql<1tciDGvlvTPKlSz%Ai{I99C_epIt3zPkO(`*r`g{amTEp8UK)cCp3 zX_u1DBz`?9PsK_|b;Me#^@;(dbXWEm{klVO+?*k$4~x+ur7e)4MErs3-8czMliJlF zeZRj>;Iu{vv!>S3B-`&ACNSldFeaQbi#5GT-X4Q+sfCn+8G*_wEhV z9#~SJ<|#l>(uSb}!`MY-f4*-=%MS?1VN>-{lR;=-@Z+2CG0;beJ%AGp-UwEV`h z(H#Gh6)ZlLkdFMI&u*nF+A;5p9Dk^DQb~CsNVO^{^SEh1DAfjcnY$}wKr-sSK47x? 
zL(xWtsWs;naq*&`UVhuAgs%DGhPwq#=FbQ;l`EV)pu+L7(#6J+yKB_`D0iMyEez2{ z$Nf3Z;aG{2?_i*0$B@VjA~R3)g(U#eIRI$`I4|U-hk)g%9v*|YPuQ7iFShL$ZOr*X$Z9g|m zaXo>oX85ubmwB}!PU+i}-H&wt>2^P@?UPe&A0vZ}Fnl_fpLXrhN+|R`oZdF?;(HH( zu;uYEd2+^A62=<}#vASFr~awGMfQ9339VXYXIdGWJ-}wA8*Jx|@T%?mX9Yzm(E*Na z9up^c7550%(R@5-a9K1@G8|o~%6<`GBnxQ&7Ky!!!1fD;N$C%(C`#=rB7$GH&!LNK^)r-D9zt}Yvp~CT3 z*0x)ma(l41rW;k|nK}EISW06{(Z1Tem~jv?X3ZN`ri5dPlK)hHq`tl zuew1D>F*)P>trPF=NG6YXzvuzxluiVyh_tlpd?{CfP zU!SMD&jVXEV0Vypqt9em-!I?bVeP>hAEBKbUr@LmsAwrenCmz^>s1ZlET6QMi5cnP~;H7DDuXI?N^*6Or2>*W;X=>+E3jqpLl@QkX{qwHXas zkc7*ce_rE-sS&YQj~-TZZ3gz@)bt-7?a$kdwO>iv8GN`IaiYwlseVS$4yhQVH;h#e zBx9NoGfrwBVD7~wttilRW7p>rqL5pjS6#1jcUGF->pMDgVlPX@(Xw@oj$>;RvW$~s z;njx|6tO-r!J_*~Pg234ExDlSoR!AO>&OTZ7K~$A*HfxDRA1l9NQ8;u;uEnT{$+QC zk_QOIp->8{2qhj$s3c~wm}R-FCid3BbLQ)UlWr;OiISt0U|SoG9TW?0P}L zKbHgnh4Fj#jOTN@ZGCz05%;`>k-u^e{3K_!&N&SAQcMo@C*GSn@N!5VN$)W4aj*8`PlGWfryHPe^&`UhE|6z;Cw0D zI}K=CA3EMA4@ZXqn^Wtx1AO(6y{c)~Q<|UQJ%SD<0miU^g{J0u`=!3wXPO2T;WWpw zxS|I1u>q`Z;gTjBE}~1sJRc$GMy-(VjrcQO8W9Q1XUub<^~Z^*Mz9vRuSiu`iCu6t zSaLffNLLU+Ikatqc~OOBIQAi+5_qWVk#UO8efsJROw~dDTJ7fc{ej*ez2gp zO6kh6L5-EQCnSjQt$lw=T!eW@YhDcTf;v;<<~%jh)-{t2fo0+A27g0BIK$P>n?Hu9 z2mYxpaSiRl*9RcBvBXRE6JXTUaZ|8gpOB0ZVbd09hgKSw8AC(=!P73~ipdr#jSO^F zlf+N&SX19_AXgMOc)%^d3St?)G9Qwt&ZGXtg8E%jVcGDmymxLQnB>}GT5)=&1nt68 z4&KNikPr3mV4;rK$LO}P)OAqXkT@r-W46%km^g5EVoyP(AqNFzbTZXvi%Ex@ z88Ky|EcK`H8c9loDB@_cz3Zz6p|Moop4C~Tj(iPvAtJDSF%gvd;g~m4w!mqDREa??+TQJXWQ&G?m z^vT)eQw;|-&7&1185;hIf z>N8D}(i@1+`Q0cfN-=>ff2s`LRc0qC4CnBJaEdzyi(X|Nh|-IY<@)|-j^bt>=4G16 zWm-x0(X8h5GSkZiee6n#FqlPn96Lk1_!iN&o;AD!+^9jLxG}?Px>oPq78&0V45Pc^ zzWxB~#P2|kX(D4JnzP!!@H}d7&KI`b3+(s%`rh`tDGjH8^SL^ejw33(Zu(ye_%Y8- z!a-AzS+#4QKHesJcbjmPYoE|Astf8o@PCS4is(G#|9WGE(&Bw8e4FcAR5x|VT8p-)pGb_M&m6OZAm&T zk0_oP3TNjE0boYhMJmIRr}Fh6$0emkYCbcAj{dzpSP)=~3#hL--CgYMe*%#aqp}5Y z+8U^L?FFWA<97JmmuWil?BgzU50UtE7}n+4Qrym=dFEI8z|SXcktJN7_p^iXwq1ie zL}hkF@mYYIe0fa;yK^SB%2zjH!i=uhB*zg5}-F0ONxYvoM3N{?m6U2>Q29!DAUK@|fokRtuK_~x>v6oaNhI7+(8`SHh 
zJ#9O^BsR-M;hjYbh$52-0{8F5!Go||+qptDMNLdxIP#0RPLW0|SZ!cdhZivfS zgyZ?AE3x$Vke`Ph`c42wu6$BHo;YmyecKa@*l>0wX46vtLNrE2)>t6_YkSsi2Ekf& zo2W8WeLCgT7f>^B@>nhR^zuZrD=Fc`?;W~*(*&AXN#LQWV@MLCXp0-pLau$Rgw(5# z^V&K??0t{s?;rKqnobBqt-tswhpqqZS9<%quOa(gk-2|IC1CzPCJ+A~%<@fjE1P{b zl+W(oPe}cz0FqwiEo=E+Ui=-W#03t3vy~exF(y=`@Vb!E96-V@D*x*vII+})d$rl4 zH;d1e*xs0<2GOJupU>0v>oVZo?dy^l+s+>qg-CSv;b1Y!>t(dN%^$vvT`GZg-^&rd z4pYi3Q1m(iHPa?$<#VK9l1)DInERU&eT!Dt5(TCKU=+N*!n*^jV-5e+*;D5L^FZXX zoQXuT!o{g4^Ljj@fTkDD0ZklteatB>Am+~iPyYkJjUjqgfCgki2@eezP0kIx&Wbe| zN%3$ABNK*N=^#(E#Vt^O#RUMT3j^o*6TnG~qSuk;B|dm6MY<>?iB!Y18xY`=BNy-r z6RjK_2iXE&9gE^8!JZQi72%?i&jCfR=-jI3J|GY7-1s*cd7Bx95|sy9uj0|H`P0W)1NcS*7RZ3~$BE7lj00!hG;#PKQ*tyaI<32G&aIh>=mPUF<`V1PJ2J z|Algwghrh5yeF=OL(U1vtV9}g1nGZ4`ZX{5k zB?9lf+-ritXk{dUj@HkE*A?^xr@#s^jnIV};3SxZEe(|i!g@UXA)(G;>{t-F^f^(9 zCv8$u=Rxlv`eh~C%VAP&uW;f&WFf3R_Y0)*^^HyZ@gpLle^<}O)SS7yEwsU5V36NZ zo!er{d8D}rfK_;>|IU!X!F&C+pv^0l5`m`yhl%?9aA=!(Rb@PtzXQ{Y%tlTWg_=h? zku_+)_fl|Tl@R-mjg-U>e(~3tL(`vLtCQH^#@9%P$=i{`q_f1?L@g9_|M$~n{HM^W z-xv%zOBhJfA|hBkX{Evec`FUp5F>Z2WrLjcwE7YHy5D8(hj1=0<9BFVE3&Fb&#~vrlx9?NF zro*s*r#A2y+)HbH#aDhusV~MQYu-!Zy^gU421$V z_!#6h`)~-{Hf2QVN`e5MukkQxP@w^1VhU5rjBn`El~BFt^bR?`Z7{X=1a6jlS`W6Y z_LVg@j2kmUi z#ljWh46)LTArH3uepv)v&di?|vy)b0$d6*qt&IdK;q0^9Ij&5D5(QF%ua*UUpwV7s1^y>A05kq2Ylgf zaerR8GNyam9a0z22TRiZJ1=Q z;Ochf#-LS#-hr=&QR!y-PU@R5p966rIirDvA;QGbviCQ5f}nKP@YIINGYw(-JwZuast4U$(AVpm3BZ$HSco zrit=O$jdo`Ci`O--Uvi#HthYoBwf zk-kz2HcoiLPvx@r2*=W-iF{a5?-eH97Xe<14-9i`5-qzZ8Y&4w5V%ya&QJsQy+1ppg)PW|Bp(Xm{4D#cML*u zp2l+sF;c}K9XpsFIr=tr1{&W|JS@#UcLq&POqAIj8osk%=ac{F9Og?!&OmEOQK44&uN23p{QG)-t~oy_rw)db3Dv-f&G>ZKGtoxqel`cu8uR zg8#_Hb+I=MMfhj0#3tOaw!QjFd|(wQZK_OsE%z-`RK(Ex5}#QjO^=@O{znuiqWFm3 z__Hdl3jZ@5`7iLvzp+IBAA53~|JR3Sb8~`=RAj<y{ASX1SSTgx5czwQ2ZT3np?pLP{{}9P@c5;tCUMYC zv_IK_K-%JO>3a&Vep#nbIr8QjKe`P`il>1}DzT$cEPVc2n(a{e+k8@ZbV8EHw$)L7 zkxFL@HRA;&XN1_gZa9O;0tNOtLp~9#47bH>f0?^-`7Cb%bTtm_E$Q7~lhY`IgoaHg zmF|`}kBib_6r|E%_gb)Q0`1?C!<)WNpF9)61>m=~jSx1s_+8mU(4sUB#B05GY@_v^ 
zc=2Fw0x0`%HPp;dy*7p)nAHwPAYc#br(u2bUM+wyMeB@a#O&eXd69*{2#i-QN#WPd9VZm#+3s^V!C;d;RwS@6|Fl&c?~PV^{N}x2o%+l0m6%7`_bFq!i1|9J!&uLk z{ryU>m6+S$g)2X9kM@(tXz(L;;LhdloJU^Lhl}*0IK!niMbz}-+iT8|$>=zVp-#lY zQ7+QsnJDoUNAM*0%WWLO>4DQ9-ft%jWR!!MQh+n&R0JSapvo0@qZmy~yF|j3iZ=sWz1XY+xvBduN3pke zr#R^vO-xpioA)ic_3qr zx<`E24jcj2WPqw|*WmNC+P{`b&S$^vJrWPJW8*avM(Gg4K@`VI#v2-?$O#lelpDp= zpW1~}x%`gXCy%TIE${gw>@m=58c;2#>stO?H$TbFixMv77&J!=SuHPRea|D7+!V0# zP%uB8N&j@%A}IyQx7Awyq&CiT_D-YPJLSrmC$c~j5mpPQlQQtQ12A($O+(v%K&aFv zpikKzV?c)6u{b@t^*mZRk{mt0JZJ8h2jcvD%5mSa+`KV`=2D14s-Bed;)i%wM=QO> zeGYKc2;*gS&F-E)H{D1&UH#1X!;hPso|8F+HG?nyEZ6!3HDXIu(08g7Z$0}C{=hLD z2yLAPF}Km`s!>XQ9aAdNn5D6-ytsC!%UkJwL5ec|$AY8mF)pFDpw^-&UBHk}?(usy zs_3{Jd$SyTz1!7_-A$e0@5U?F;+G7G4fLO#@(kDS#>?n^a;Ec zxtXT!=2s^QA~`wep(X07o5Wo&z(yKCYMx%)1vj6563Qt!8Ek&q<4uTC<=53xEzPRb zi%32lAs)0fo6Wl(FBx$gXJbZs9z&C(pk1ME~!~j6T}jSlg0V_&sV~u ztOhgH4;A+FwI@j|7J|`fHlI3>TE@0uC}A1z=oGau9SS*4P%I=BBd%o)(MZ(EI)G<5 zv@KeSt=6_7;C;dy+aduQl0~ZJw6ieexP>!k&IX-#-4zsxESh?IrCQ|sRs=gr$&0*w!e&6p3dzig4J%p%c*`%B*Z1pj-0|b!ED`;Xxlo_~gjjlP zu7A(|WLGvjkf^M$W4ohGx{>xTLb0oUg3uw#7fhs_Qf^6QD0N3Wjhf`W=j+939+aCG z_K^|da8ln+B|Vi`$FDnXEnHU+kaz#)$S8$`(#U!2q}GWAIX!ji#LB3uh=RrNR_d7l-p3@BvNYuqOzGW+$o1w=@=3U|2pY;m^lUi~%Py4z_YlwY1M-rwJ+r5mn`)}}7f7RGgZuXZ=pjm{Ew zAE|`@!K1>(~PG&u43y{-CHn9qd=Ry60>L+cW#(5Bufi z8dK=?-|G;dtdJwusnRFq>@#J|fqvvpn$g7wAkYTNOI1NDC8;~1O+k(KQ}|^MvJ<;2 z`Q_*(2k07`$4}3u5TR933TDfo)e5);V?c!v?=3R`TLLjyyJZ>CvQ=Gz1 z!Ht}a-dbix;j1v?limqte!MJ@f$&shsxp@_*}%Q3UTS~iTb`=l-7-*{v|7V@i9D#I zRkORnKVkIxV2@bt`b8?pW8`5yC%9+Aza3(3a$4C)}9dZM<@2BbjdE?D_;i8wGWnqb}2knL07CK9{M+v2$ z&Z-x1=2XrB>YGk_xzrG)g&A0-f%Q2}2NJ^e0eOlbC!tjp&->ld3axTPd1VGg#8|~L zVT5u4Oo|XFvd3v7NbG^TX00iU==03#^&27kSLh+Wr3INt>VZ{xkkR$c z2Bn`9)`? 
z;8n-3XNj@hcV}$;H}?+AAJ|DB{3%`-Po4)~ld0 zHPbuVkNJ-?4UZ0sz31?8+qy=GX_PjidAGbumj2hb0O=>kR2VwX;A8jx$^nbAbb8AD z6@tpccWKU|IURd?+*pM9g@(kBkK@!K3}}fK0E|{8E54y;Yv&HdxeK6>0T7Se5E&fN z=)VqbkB#C;e_0pfUbb2V;0Ij-{6Yxe&2~`AEApeXI$ESilB@3FqSxb1@%sfHH;(fD z3lmnAYF4Gy9 zhwof()~;uQw#mab1M4rwZskz4N$PV%8Z3zu9Lb7}$S7w3}1KG6>8K z;K>RG;OXdO(*r@N?ZukUH{CXAuo6103E_GuI5U4b1+NTtlnoQesaXIGiyGrLG2D+w zdkD?>70~GJXDn#lFVW_1%^O1~y1|knr)(gol6(>El_*sKw#firUP{LKp(jbgMx7P# z%|M_*M?hP|iL%wHHU5U93e`6*;%tMd$)L%y5)P_j!6t+4_Ziw00}do8r;h4Fetwsm z5*eCchjpS_TE%WdO~g&>=jiB|8i|coNsU7{qv}%(%lmyKCU!8I7(zM|oyy_tlsy2A zaQu+cld7;mmRmP9$K3)Q4a zBGRG%Bz9XL5n;#4t+Rq369cVB+gKRx~dSYq4U*s14dAli7u5D{*#xY)z67yRqo3a83EEpEPAe3cr*wG-o>{sYhVg75BR^H!9_H?LhfQleJcI`MP9^r?TifyIg-X@%X|9Z#9e&d#UG1KZyr!MzU?BCO7o&Md;;t-|Nf1T z6}pq1*k(f1orG_-$((QJTozkd6aSmPxj4N<){qmKo=E2&RjnVX{ykAyO3O<@UR2hFWdV-DDPq|On)#bpeI=*RByvo7_x z3tVNjFbGdHNfZ*y)?~4G zOz+ji^GR;AA&xha$uQWCdQ#D@kYNN`iG6g03Tz6r)o0^iBF0DB%xEJdxA+3&(!H^N zQ_5Dma_*ivD91FIUER!s;Bg#Sk6!i@n%jY!peHOQzt23P!V-oj=N3DHOVbpiOOFA3 z(cZ7s%qY*#TnDbfD_jLIvKyTGRp;LOyJtF553Q6VI~5*u)&odo7MVGlS)GnS;tVdy z5ZMkxtAd<1M6eXl&Ffe_14Vw{<9Kq^42nU+VW^N%w>`mD5JO~N zaB-V+I_2;|5;s<_=d&!npQlZoYyj8BfA!`8u3AE8t3RT zyF|)GTbN3n?n7D9$1BP_WQ)3seL*o{5xe)$`Q^$JRHZGSRsD0F{kEeMOXgNkNKhkLmd%%82BLv+)kMuaCc-&L}gE z^PN~Y1x)QZfOOmw@^4Xu){smZ3&mNnW3c*(K=0~Bn~g?)+rrf1ax6{b9;{w{OFe$>x6lR_$UW#IVe9QtIqS545l!17l|j605RS^(Fz#Tb+Cj0?Cp2@oS_Z*{z1Q$K}n)+ZkKBz3nHCAL^}F zTndww4pX4`&&fo%!UNacPKgwVHR0l|ry=0d;K?Yi`u7ikK9Wu9wAjtC$fk!M{$j5u zhM~4%YS}M_cEFzQsmq@vuQGIZB4ab*;OaP_$af&qAQ5Ha8bB!H+*?ePC^csFMwBX^ zGyx+|tfC`ZOsI9&@$Y;wr}3f68G=+3o;v>+p{)4u`}q_+?YzqOnJ~^MYa(Md(*l)k zm*b0Cg+sO!i09;vWCeLD2cq^@Rf-$67hhfd3#Uj8ajx_Y>5ayU(*V?tR& zXJt-AxXLAVdzQTRQK{++|FG4oiFT;KrTgnmld@)Mi8(yugsRo_9%lIqC4)t|5o)bk z1^l@Km4*Ol)LT2!M8s`GpVEB@MHp_I)S)69*Gq=qC~P#YxjHUp^%ofCYn2<+LI+Om zDEsUAS3ZP-QkQU2*<~o}2~rhD1BPOr;vzx0c-3$?v2Ayap_C9j8qFmNjl(6mU+RXx z9Xt(gx=(E$t*SINdIfeyD$y2EpvpoAEiGf2Qk?He#BY}LiMc>S^5-%6_8~^~W$}l# 
z4k#k+9Vt^?uQNKNwB8I#WA6RHZaA>S$pAk&BUh-WC?rz>xtxp`JkryLsV8x#C3a}W zO$2u;K~k?D_ZQT^soi+7d|+gH&vL&^3yZHW-PBl|MYb@LBwF=CH67oU#OCXPiJG793Yd>`l zdMtoYR#Qld+%^oeFIyjyhY>B&h}7=KDODDFV=Lpom{SlDr4U0vrR~JZ8^>tZva_>1 z3>uMrd2?RRok3z7x2%R$)=D=Pv$X%7dICY;194_k8bPla%xa+mLUpm~!6P?y^`g={ ze*3aVh=A@x&GV3>gcSJ>RCK~bRYnkQ+63{ZL@ILIYKwp;DpPTSU04t6sTR`RD{Tm+qvC%fm{ups zYE`;Ga0p&$W~0TrGvos_X=ExB2=$D){SX9=n|+A&j7iPzdn(v*AXcUw z6GbISjfQ9dkKQb!C^_+%U?3;?R-R)sB7%Y6Vm!>0$}1?Qh0tiaW+X+Y)JIQ%&Mk|Y z3xMAEhT&~2^9~NYK?m>%7r{~HL6M*^Z;f2qP|~aU@>b3UmUlaUqc7Hyvc*)i!W=Zt z)vZ;3q(yk+VGy6EeDBmvH>PcPL*<=vn_;fPtWK2Jv&G>2?AH{z;gm;oQMoqE${V@l zxq0zci~^Op)RH{)`_hmWX39g=Ct}V`75}Tj&90_W2)u8Kl?)ZaxWW%Dz=g_j%FG9^9&+GQf3e<7JS)ptXgtPV{ZG-UwZFUDFg8a#4!^`0qW7j|XSd zf$(bqewSsR7O>og^3{_@+&vf=5ri|**vm+rFXTwYx~2ZVyHJC&2M@OI8qk6KH-_I5 z>#WepC-x*hhUP@rRk2n0BmE)H1^O>D(haIU&{CIqe2-BIFFtCFlyI#e1VB@^y7O4rqo^Jp`Z zk$eu_$&kX{e_)QUzeck?WhMWM^htEaLF%V%;u~4o;&alPtpSs2^fa4nY>P9Vu*pRi z!1Q9E#j>QY|FG$PDlBE%;6!~C& z5klu*8d8wXw_i3RRYIEYVq8<3J7J1Yxg z<>+&cv38PKooE~0upr`PSswwL6} z`kiPSX%){hoi06BiHR;t>0H~SHZ!>U;?cWv;)6vo&Q*V2LVG)Tkgd~>oQdaxnjt23 zFi!&Is6>D=G&RV5Ne`VsO%=rjbs)AAqF;Km8hON|c0`+Yvuf9yv7Y>kq_(JD(bk7m zr)b};Ywt-zr+%Z? 
zf@$8}?>7Ky(Puwiy*)qc6g(H5JVS}=h5G!)!iA4k2snrjCDAO$ZBlM z5`$n4d3yK=w=)c>58CE1A3$Q=TE(MEcccqpj|^N1cdXwxXBKD0h^ER}#x&TPz+RAJ z-83Oi(S7f0e&%J{ue-+j(JBd;Xd-iM{WV4sYZovzuxf_Wr_vDG?&`_BEoXOPv!3fT zTSG+9wd$#YSgUC1M~1`3IG-P3VCOZ1hL+CC25DN*_-tnGJb<%6z@sK4h59SEUhlgA1O zjF5~{?WlLp5HnX*Pss`iblEnhuM(Gg^-NM5fq>l4jAD7YMuRdJ#hFI4zT=pS;%zZ7ygYjCTGqfD)aObw%f~<&F=>OG^&zQDhZS&FNa>PaMzZGpoH^ z!E;Pu2kmn*CmJIqW4`ZRjt98Qi`z5#bolcy-xPC5Rxbo+yhW*T1WUOf%NO8Dr*&lR z$Ep;x;72&ovm>GF3LPoOZ5%P2{Xu9^qX9!op_tTh=M-0CXNb=An!TIgIC*Pbp{+$b zH!d3EbqkVv$IrN6SG_vx=9REJ-VwcW9E|~2$_&-5sI;)E8&|;m&KU3=O^3?2sXDbA zGS7Mz#rmHvpE}tf-94tMPJ6nw2Om*}^4%vyH6qy1gf$SbJZ%uZMwAwX-_cr3xQI)L z_TBgyNWOlSRQoUGDywESfzn6!pZPcPhIG4EiuA7wT*5V=iE)E*&Eo_nJ3FU*EBgC2 zR|MXzy#?Oo$~ENALM*N8u4jwGPhaO><&voa{@!b>muFCv7bX6XDL(B z5crG|n{cINh_bWARw3N8O&j36u-(<_xV(n6rL}j09)w;@H{=&)&sW*)+gyMQg|?8H zyL0tgb>Z{N;UDc0ZnkkN-~Y)d;py~4_Ub2D6#gU&tp6fe{2zU|f0Zk=ZP&$6y#KKQ zk<6n&Ndtv?~514MzuQbkZLhms%e9W82U(#2$mQ1Q0&62tonvvu!xx9K?Z<7|+= zcYJ*Oc0S^xt=k=#BVa-gM6o-l{l4A(ez@IAp=YRLgH+CWJ9d--*`F`EGg(KunYgBM zXKWB5F&gMFGqh!fdeCtw|7pjvb9kXoi^y`_qS4PZAgbp@?W< z59>M#5`(3M*%SvPN4a%1gEXZ?{wzR%^yg`qcZPbqKj!KMX((PIf>Ndo5c^8ILlEH= z%tAy(G*EH&k2!SPL=O4W7;7X00gHc3+EHluW$i;Pmoaw_dUq=euL6}*#|}nW^Z8F& z=_FQc3rHaE6z4Se-Y^2uLd^@AEXoULEgpoFQgjg>VjXZ>qb?nT^}w6zj>t0IesFlb z1oSoP{51; zy3yYStku0R-vgy_gC^cJ-2h3=r39z!ev9Iu8_Z!4F-Mhl*m%jjSx_?mn8I2TXA2%$ zQpWR(!M$6<(x6KgtD#A+JWzLDN0U9|f1CYQ{B{vt)Z!)QR$l}f#0X-hnO$5u8A_{i z^z2--+AJQ^E>CGSZ;$QyTxd2WQ*i*T$)qqhB3EQf3Ls{28A!mhOmSd@rcEn9)S6Y0 znI1!#2kZldHOl|Tp25tT5{}QuqRooc@Ad``z^}~060Giw$IPS0OEn4IYasYC!Qn;+ z=f_=XJg z7Llby#+OYswS-aPvjx$^v~%Gg92nalmtd}l@^Fs^J~Hn=YXO~+7`UWu2HLt2y4MED zN#`r{22kJX5G?{*xN)3&EzgjF_;V+g9w)`JZ>7C7->yZ$7o~yyw*K z{Q8T}dWjNaf)J37N~55beKU;X1D&aSGLGOLHg$qjEIM$FaFa)udZO*3B2mz>-Sq_~Biu70yK?{Wm6!=G|r&O37GT$nNKuN_QtB`TTPN9Nzbr6hR)e z0FRpsnOfmk4n80ieBLEl=iRK*6bt?NjxlVOcvts@lnua-J9}9w+uV1TI_eVaDIIqX z5j4kI2Y*sib8VXonZ#QU_}h;Jwq|P-ls7qs#)k2pv}iUePoo10yLZU#eJwepUBgGn zj0*>pJ$i3977f^%v3dQW7HykFB6T{e2&l?^e9 
zpfGQK1N=v{;d`f+X!oO7=J;b|^# zg%0sZozD1+iCjS?CY!X7XVt9aXM1WgD@_1>x*;G4QZCKG8f8a0L=1*L9~_BiGq@zBY@v|wk72EB${Pf;quP~EZ;B`M5T5=a@qq(u!tVcHeyehQ0K2qkIA1qw2He0 zq*KP?F%J8Lv1B?Zb%JHgCdv$DODbSF0k8V)G5wlWyW^3BwurVoa*WY&1#UyosJuy_ zWG0M7Y4oP^)|hx?@!xz1H;(l1`>^Gq<_L78m8epwh;9fT@;I*-?dbe%F#|^y`v6t5 ze*`3NZ_rGi>dK-iutuP_uy$s>Si-3l#?}zcry=i&#Es%+Lq1<%Xwa#OR#!?kd~~$l zC+v`^OogkHM^q^n|!vac9k4eGaKA~5SD|D=>uo;RQ4 zKl)58V7G1ncGT#^`CV)es?x!n_}>ioI{+5G?0gZo{8~EP?geFwtxQlw;$MlFM|JD zD2wiY+WGiLDE!yYp#0}&Y;0YOt*rj#Yya0B&T(V$RQ;zibAbZ@5dAl=S(!UJDHz*X znH%am{!2J-{j;Qq@Uy4&t)KLc5Z4Bp*wilRnXDCa7)Sm~&`F>)vAKTKZOM3LOMCF{ zhU+5LPhvd;J|sKUG{@bfOG{f@TSx2f=+Q722Ie80;w)51;BE@+_3Ca2&Ng}q?aDD8 zUhuYkF-X+uIIis`kv2}$>S4{FpqED$oDa=gN^~^FA28p!JK{ghSJKs{FD>MJyFK|U zU@3jWG4RE1mV{W#zhCJG%sZYz3<0W|>te5-D;a^q^R*}xoAn+2fcfP&tgl;k&j1Py z$sSQ9v$i1NztqA&it%|35LsgGky8v$YBQmfcm0a$tV+B5$ULqBm3Vo-di`;+Bu(4Q zC0YD_&yE~8wLQRM%m&X~AYA~9DSVJTRec(!Qa~vCA9v)%I1Civy$DFSiICHn6kjS^ zNrLN=Rnk3_q6Rgxc)=EuXH_rv%F##1b+rv*NmxNsK%`?aYPAFZfO+4j!Z~yaNZ(v3 zvPzcv(9m%URvp?seLQ}MNO}!v5!nU$fMLa^G`dk3z3?0~55MnJ_R0`p#*)*vxE54#<^g_5`j-1#hI6t03Xf_zxd2bkYzsT$T5C7Qo4YD6D~Js3S7xfZ@m6fJCUl)2RH z{l&o~I`P!b&sR3v_j`7BZeFYkB}%4B=q@;0zOf%}WK15>FbrP@^Cd8&$CNtvNS2#+ z4*tZP{p>|4LKSAqG#N?U#FeZW35hj|zb2vWCaWcqwDN-TV{?Dv(DKa0*cU%!l+Yc~ z%+Sjun|ip%i`me)?UsaGWzAh|>*@e_D@=;HC5KCo7EEe1e!ns?y{d*U4@cM{^7KE& zf$}!Ow*sTp{c3B6=9!P(!-WPj`s?PMVg)Tt*hAvU&OTEkdDBMi?NZHO`W{Pfql~Zt zgbc+o_egym4C8v$Ef6JDINOX~gGw9|j6@qlCGMevA1v;TJS#F^DW#xlV%pS{Yof7N zZf9!H_zhqs-vMxQdYm{PKtpjSwqJx8pMBUsJbE}Iq3Nm6ZPTVNPQzL`=U$%;{ZKJo zdM9cQrJeL85-C2d(9u|Ie{45WjFwx_i+l7X6WlYmv|>)Zbv|MS_a$62uOP(?iP_rt zevRt31WbOmM`m9Y!;3_XQw0Ya6P^Fv(u!26{{{9R%OPdx%s}){#ERep0MPt5QEO;s zY-stTh3RbPC~a(QVC>*%W^VVd;`d5jQ3HHMfNcj%*C!B}c|~@LTmCmY`Z!UdLLcOpaftB(*|x-Ey#{QfR+V3L}D&1 z=OL^PZ&~FwN~wKX$-fcgE*&xa5(u5Wb~m0XdgiuyhZ6Wwpa7zD3I;RpmwJL0c(aaR z6yA(5+az686rUJ0r)-MZ98Uf0NOG8=+isi%kMu#!5-ZEC5Bt~OttpJR)YjV`UaTj& z(bk;<0~mtod(rE>Ap=ZkA(23oM3ZO_7WI`EYhyJs5^ 
z@3!;Uk-@~w$S;T*8xhr;8gRfq7P4k`K<=yka#*wuhW(ImHP1m?h90csD5A7R(HMKU zb~hnZ%%C)V&(XL#wXCspmi6}qb?^J@a~C&v8IFT*c-q;v{;}htCD0JXxbU+8kxHL5 z?8Zx6+-j9dJ<^3=@{NV7SB0@YFl8=q@FkS$e0>F{G`ie+%%kJ&67$8RWMpZ3X>}F> z3yHy*xoJj>jZ|G$2tlXue!dXxQ?Xi)`%S(qNwL&ubLBYX!fS`Z9~l?@bZmhWiTy@i zo-A$G1G1kN{OB^^h5c)X4!0M2N?}DIIC$c86>CYdglCgsuPCH@S)sm%5emOP2DPZ2 zxul8?^QAurfmaVkiG<&w*hhEYWM&{&(S*Mr>$K}YQ79kjS@6ox>Ouc9h~fE+ep4a^ z!~M?uS>kQEGCI&h>N}kcjg=5*Un!-$2+;k2wj#M*wCJ?Hin5~1Vrg}R?Uluq zx|TX{xy6QR+0cVLGz)!61XbvASi#>L#oQGnT{DRmE&U9esIo6fJ5zn`Uaot`kr1rD zWAbM>$g5#7dobCffI6MOR_*9*-?NNsJT-$7I9-zLXf#KH+p)mGZMjU2dDW+n1^9=Z zv9Oi$%3}B&O9tGJ+i9EDYnTVp%)LLELlPo=U8!=)Ytn?W+@RglE?1hSA~MIq`f}KHd$g1Hj6sh zURCt!z@JE4MNhnbyh`@V(1vGiBNj7Gn$ z6$kNzbxT|>rzTxW@@sS(`u!Le>VL%-N!b2z{3~nUcG=i*dim{`D?9F8cL8zftwwfm zNV7BGEo9@WUJN5ZZq^>JLhwalHaDtA_l>pY5rEdtDp*DSFaUT75I zFiDkpVxLw1TDQV^sig2@a6(2RxEwz7i$9vs%xDJIGBb6mDbVKUHU%?gzrI_(MKzIp zCcN)f7_{XOxe0?8zdn=bA)%!)xpWILl0MCmg>-})e&SU#+biB=Jb|io3QG2*s#IoS zmGWfTfy|$LQvs86_{6IHa9*)DiWT*kIYaU*yk1RCwv&k$6{;|$jHQhExZ~tg>T=2> zi8jbIs_f5kXT}D{jm7qyx~3hZzsW)?yzzR6e<%MDcLEnJ&a8_EndPHQ;0d)&@At2z z%6piVaAHk40RNs;1p6SA)LN^*X0A-N=_n!}!7-)SX1&SX2{qTQx|!7&Yi=O3n>C7g zE#i7iY!;>~dsjF`3*`l!FB;%IS4V9X2Ds})PL$Mz2DZ}e$Ga-7cWNTl*aa%R!!z)4 zR`kA!BAcdOfO0(K5-ZQxZ_C^Hkz3hxtZcq-Tb)j)Njn)^%h#GoArVzw#3-Wf)$A?l zHkz0;W-2%4cAk`aEW4$jZ?ztjN@6ze!4gipty6=j4=r0=+@c#TTdZ9)h@0JQDOTMM zfJzgtrdKK!_NoMLxmUWqEJltg8e383$>w6fs9fBy|4DrpP>IAs=%@YVg#`d0{BLT$ z!~aI<;x;C>{{pB_sqWYkvLXEAnn*v%6M*=f&%t88sa%L7L9hS>@Qk8@(#XZMpYw;9 zqr>_39^KYn?bFWa(fR{?>0!d-`!MwiZfa^;N@n_X@py>q1nUsWUbtD#4f9(|!=#Ub#?>7+DM*e+&Gn)zovutqlbo9tZK5>2SbD_RBCw zr(uAo%gxdNq5piyx~=~Qn8Og(^yyJoF&X4=0NM8`d)2^JIZ-E6gXh&t4V(4RAmU^s zKRLdpzV8vi%xW}j6$%WJL^ZUdAi@X*{UNj?JQBS`GK^)}3F+gKHCB-G=aPQigsjf+ z3%CSZHlywyH0DqST>S_0p3Rl(2blfV23EfvKs@Z4FM4*<7{y-((6LBi+(b+=TmB0NuXgL%aOcZqWG7Q#F*Vt%g_eV z$2PVruY%Y~>sKDHH{rA0N-msdBIM@psC?kUX}9$o9ym@zjNdV$@QHZ9Y5yeOcSvLe z>cvJdaM9;e!g=MrY2uR@sQ+S>Pa{UK$R8rehjw>_;6+MSqY<1b%y3^^51y9ucD?*o 
z-h(zH>|Y`2b}Ry5G&d`=z&&B(?#q$ae-@Cm1HilF%oj?Y=RjV`LVU^auX zqh>5-(X~`KbjK;%*RyFEQv- zG5I&+uaQf;L6ISIDD55G)IEr4{XIucj!=T8rm+%lMwPvz2hd|UL;ifF5cN5lu>#zC ztgk8QjByD&q%U+c^zv7{cCT$ct7R))?KZm8E z3F~l}LGD@RAejF}v@N}k=Y{@m54~SF0-&V zn<{${Ws(=vriykTHC&sdh}RkU*m`tk%3`xu15qsrXx75M?i#w~r zvyB#SZRdQ=9py4izD|>6RE%daDcjxlPc@ z66>y_Lmax|t`|m9&Ge@jwdGkJ+&z`*OrYd0@IsbCS9m@*n|Ai{W=Kr<0(@6JiYTKn zwCy_qlm-7k=PeU8iUTu0Ov2=k5Ch47lb?)jjFcSoZ5;Itoy>oH1^#EYE?dR=A1UhJ zxC8*PML?vd^(Li)Fgr1daKA?sVMNBxM!ls~&ldC;-<@=CK%|UL#TVen-#P!_5=QLo z?d^SB`teUp@$+uvz@qxGPMg+wBbS@abQArpyQ!xYb>|S42ZghYc=bxF{q4M0b&*49Hp4*k8G!>_-u)A zforDVb>ornMKFPpG|sQeS{$VkB+Oxxyj;gO#!Z@Tb8OWJkSp3K`x47^8lAiAXv=sO zZ7SP4r%y?sZXXDmq*1DY$VhTn1j)5O1>p-z`YC%j|L*9-mhl_WvkiA@B=8Ky=7wxG zFm&69^_+M6iS+iC-MuXr4x|qy9gVT?g+%7wAU=u#th}if$+zImgRtCCZ5&o1n@9<} zfSjNJ?tKr7F=cU?`k{#GcVyN33%qRMU7Tmh8|^iDdq45bcouXN5&< zEnVwIwOWRhT5H#$Fplrv(A_ohEbTx9pk6TM`aGoeE;cm-$&CF=vqt1&ry#HI{#$7p)(Mt_+}ZpNP~TcF0{obO`yh z+l056wbt^q_!iS;#};gLAZ4$I+s2Q7JJAB!s)0H9$aZ-gL=!liT@Mxa%vq4`M4gIUm zSm|zb#T$`G1x+6Dvi;Qlbie6t4phoq9Mz%Bw1^Gc(yRl((}yI;145#)P1>bnBoRuO zz&PRK@1Ezse$c9JpAriE4nj59?=-KypBbUjf$$<`A@GRFfmbo>Msmqe&gLbHebgRe zJpSG;colrwBM})8GN=b5>DLX#3&v&8=Evty65c;a;lP>tvg zpnVsSXWwZvy&dpSs!cZJoH@UP39&RrMQB=U&p)*Z_LGr$F- zUCbBBhg{OZh~69CAkV7ji=?}#lA}+Mm(MfZe`GKoy|UjEf3n5XPqrZYZ?c7>lfHw~ z|Brm3d}E8nf$;gmJr0t80>rZei#xST(vjJR$q~aLSZU-}Xrync*G;c#Za^RP_TJG> z#0q3Ic>ydRusv*N*1w#epWpBQ@zvJp3T)xOrU$FuEt&hsX1P{-hymhR{7@;WH{ut=Ro`+!pjz&$_fsxPk@Nz@1tmga|&WKxuDsy70>%>_D?`l z-QEwrdiw8xCWS*{->&gL3?9(*b@t@hpR_utNQdD> zitL6JlMhk7r~I9+7_N$Eo}X%;vGf#yy&4=ACRW+yi~gRY8Tq z?3f?=u{N%wT^Pl*-qI-rEE8q)l|}G^$02==I~&BhB7BN9qZXRQ*77JS5*qS9-dD zaM>%;9wH@MlubJCHCEMl#?;39aqi>EaSjW1Yn3`jKN_Jgq85sdI~~LauxsVYj()rH z)NBbx_8>0CjlU=MfE@YW06km5v9>%0>WZ-W#{nM|_v7i1>T?M7$`9!%le8$7iD;+$ z*ONe$)T>5lRD)7ihvBJbpQ`;6C&}@6E_7Zo+vH0Fy4*P3i7q-I77@Do8(G*sKcbs@ zL@W_jf9;;A=89&QFPkYd@TUiK=ynfYY4oLjzHZ!Wg-`_7F&xG40PZP|ySdCKLEEa? 
z4#zKjJkc~A9LU~U&EZ-Lwe~@LZ)e=$clF7=8gzFb9;Y(L*+N;upOJzEI-o0VY&u;k z_hR~^HGEzudT98Yclmumo1;XV^~m=>#=P280=&mh%;WyV{Qnh*{zTcZn1N z1T~A4DILp{3R5;bu>$`A3--S{&-z<3;SoGda&|J=?v|F8j)s%J+q>LAfde=7fi(J^ zTU`e`Y}H$30r8=sQq3KqUj%I16@b7VCvbT~z&UrY>!-EUA#2ZWI^MPJ36aqhe&!Cm zCnNqc{G{ABjfNuaw{wd>bBFQ``@q(^70{udxr5Np+(B^fA9DwBQS8-Ip(0OsKF?r@ zS-%McoQ&uv)7RloBS^!h6oZ$4M1JEwe+0$|p@=aed;C2Y>)?>#@5_mSpH{}F2*@?# z_9yb20e>RjYEDf+_rT){a!W;a3>Nmy|u^EtldeLtf@H2M+!K~TL zaq|q49sFOMonw$~;gY7ywr$(CZTpmM+jYveZJx4ioU(1(nz}t5Gt)iY6Zg)a6>I-l z5qrhX-1)sv=9~66@lt_3V*9g(q8GcijcG8)POX`t2)#5A=!JcbIKd3sp?^-jM*)t0 z;vW3PC31d_#?mM-2HJvpm-_A}?$ZT^TO{~KD4Ip$g=LVR4B`KQ9jc{gRr%p7z~@&j zS=yeNmAn2hhGT~w%B1KRBn8gZz^15t#&f1_yK;4G##F2JHEOyY?BcAyCcfH{vw8wY zF@DVCOJQglkFVbRBkl(r@e?gj-KoZ+UAdMLD7!=*?==`#?YYHURQhMYQkiWpTO?a2iAGe>j zW~IMzJMus2Y@V>lAHl=vL0kDiIS^Lf@DO{Yxwfo7;e)joBdud@3^{Yodq>m`*EIBO*YxUq`iC(SJSxu4mZ0XA4Qdd z-a*~$QqrmeMdhn6r$n--P8q@+-j?#Ser@tdV8!~n)h>GGaFFe>R!x}UesmL7%q<^? z_Vb>Zk#~)rNf(|8m}62TEuwz`%->o>C*Un1C)Md{w>7P~@7MoAgcTs%bixmh{iM(= z6K0ZTSUNCNkyW6*oQzB6Fpv5og(6Lc*#3VoPW=DoZ~cGy)cqgjKlcCackJKm%*g=IwsWS;&77tHeL?l4umz*0Xlgdzoxh;Q;MhdLx-&NrtnxH#geAN?0_I20huIUOlM z^QA7MjV8JhbgLK4izOsf;k()j!hS1nUkvy7uU91AuBUtCdVG(y?Ak;0xtkSNeDo4O zU|V8!Z(dKZ_}9iqF-Z(F74GpQ{$kMmLzQ{Vq_dTJd-#dj<276!z>~YnX!sW>!N)EB zLOo5KMo4}&V@E~-PDf1f3l;8D5WaB5!>ZeyGNWn~9X3QlO>ViM%84d9brN)_z2Z;} z)llk;bd2TtL`0678g!_!M$%HyA#_bSJ+vl0Lfng}5M+g)2E zWh<9~RAdB&)vD=wdd4Mi%_Y>hL0xYAt!~mUlibOzAxya=gX2WZx}j?v+fp&K>v(Bd zU(Gx32x*BbViPb|7t4ud122%C(nnl{MIQ^$?|=$ALDOHywbuydlf_H#$n`Jp_4CL^ z_3kuy`2483!9y>`)$tE3C{|_FUoU=!%JV5y)g6Uv4eIXF@YP5vo|o zLadH~3FSkg^9l`eZrP#@GzlG=bxGtayE3A>Eam!d`aYBxBrQ~$5p`6EzZBI?Zkh5Z!EWCg z2-)w>QUALpgDiOoJ_x5shZkTewi#CRa_$#a6tpcv^Xu;^c%Cfxjr-3>sNBX^<8=A% z6AoiHoN6K*o_3!+GpD^uX839A$xq+CDD3>HF)02<7w^IKtcsf;6SssGLBpSMv8EI6 zPz&c?X&02&VMFZTDGW^Uv-2em0Mz-s0zF&mpjUaO9~ihYKE}#{&n9UXwR9!qnZYg3 zEm_TF{#RK0;bxJ^6hSjTw9)AIMNrEDY$LnQ8F$&}mVjGbrqve;Ck#fIDg+5OKsJYO 
z3*}f5GQ!`C=Lspbuols(CiJi=i0hfLI@U&j;XRE4S?#)abX7JN(tpde=ddBU4?TWr-Wb0AUW4n4DEp8<$F}2FuYgY{T-UT&`Ti;;+|3C&wr8CQ!u|0kBTcFg&+`<7OUHzlTj+ZLIRy zgE;chu=FlTSi>VuQbDI>XJ=btsJK0{Tcm%X?e{0m;-}ZnbQVvGuAL+IPEwBKn5e5pxEW8g6(30 z6+H3ppq){-Ojqy+_JP(0Ic~4yKD;ku+t=Xw0sqG`)Cn<0`0{5*3HJ{?7yl;`zN3lF zPgl*qGjuUWJDdLr)&CV!_f1S~>-DANqQ?~LSJDY3tjy-bH$;9U?)pp?$;1`Mi%#So zB=#Di$VOUiBHW+fh+a^>#zNJKih*z!zn!^KDWsZ_{_A8Ys#PRVF$@|Z1PBAeL!lqt z9H4HuD_wai>Tv*#RSTke*z=atRok(LhlEd3rq#gCnxjW{IsxOwwZ^b0$rU_2;0r)u zyQ_YD zcQ$a2#XZa2@R$L!_Eifilp<~o{23?jYQd@V+w9BxY|H0YFZ!(8$FeqZc{gV_y&Ja| zxu0$26}zLmc)6C>H`(_tZ}P8iKF9uvnt5Uv{8M02n1R~6VXmGpU7!OsZ8ga{PWsfJ z0LZs2k|5~e4<}>~cBR8Yav=Ca=r^zrgUY9ndE`VZ?v^pv_(Nz>H_W0paMtGQft-dq z<9%#xB38q6N11iUmkZt4;v7#~PZ0SIe?(+v`ljw=Y==R447CW%z5Aq)p__jP&;!#d zHRG_8dPyHmxpqMIte4LQvKmJ2_UFb8GkTxILO)5s)r!=SPMBH|yK;%sOvZI`Y?i_{ zIwZ9kwL>Os$VvX$0a(4DT*Vp7*$LovWZxX9S3Hi~$qm^61=ns1P}XZ0(I$$C1j`%K zwg=F~%LI3xUifNb7@vt77R=I@}OCN;txX!KbUKdT6}W$!`hF` zjVgvc<%^6pT$Z-jhrVYry`}mEi@4`W`5|RK!oAW_jH}5Py6O0<`=I_6$-ztOysFh+ zOj_KY>lzn2Vv9z{w-LmCTGjzH-g}F%JL3p@44;rlZmkag5xT)16l=O{H_IEtkchZ| z>Er^De9%K~kSpR3NA&hs4`jMCcd{%!G@3QXFcRZO zSF%V6Vz>;ow`B<`AL%^QX~B2m&nKZ0)NXrM6jPJ1OghhBdZL=0I&l^+F6ZifraSLMY~5#&Gos6;j&mS$uX3luT!itkGc&~oPIU5d83Ib;)^IQpwD2aulGu>T z-I5Wd{l@-Anq&lEoUZti@dFzu(utSloC(-?VR}b_49Iw%<&uPn0etr>o<12_m`3hoLqFOu1CA*Y%GkHxrYJ)Sq*q&0p#fesyh^F1pA4jc zC__n=EYpHVRUTrwTgZI}La-BORL@t+B5;KPw4}1Jep#l@?r#{_RefOt$=Y&MCP5BTGW=V4)3}INZf2Bd$Q6*4X`H316x~i1!3F zF;`g)6}QA*kdl`?j^hp@_^D;{)yCDNX8xb=;revpR1HxCc z^H-0Knt5xdrlE+xR(lUq>a$Od&oj7ET<=JMvF=9d_=^$np(-0lOZ}dgAe} zzaWwPw$;JQ?&?JEg)V0aHkK+=VXkWF0G_y#Z}#ncRC~?7TOjE<45z{cy3yvzPkQ!9 z_DoG1=A(?>$=gVgIka?gXFp5*nZ!!hj6;D#^J5bKh)N+5iYfVA^i%$n9*uhh@D+HQ zIkhp_`4dnZ+KutH@m;Ln&O)7?6*6Yx2K7Ck)}P1}QX;1$%z>|$KwBoGy`VR{K7L|W zs2|b;;WzCwCb`h*Y>7vfTB+O`2Y&U*S@?tu-z{vGbz8dJ>N`4P3H z7DJcLKmI9vb)AjRrJN`q9`MbS>>I9TC%Qupx&EQDLU!OIIr~OUL##CsI$GCk^Oc1z9ykk;j9s zJnJdE-eM8I$0Cr%aFFS#mMSYG%ndPFVnPO+pdA&--Kcg&034XeR*@va(aFwe))@#R({uG>S@Q#RsHJod 
zZ`sm9q<;o*F~>z3VU6;;Z>C^&scccIh6~P_)`Jm-rzj@PN4S#$t7S4vEFa`eE#co# zkm1h?P6o01LIY{}C1Ti+;48PqOrJrsohU51DS3&6dJ69LIgV~PNreCbSfE1+10Jml z8%Nwg=}3vD56r&NT%Zc3K^my97r>gz6@Ds4aY^eBF{6!c>E>qqOzC81$DF`Mlb z-TIyAhE|_a>+NuaqCKie+*qyUNzew5b1qX>HOejZ0=c0-q#32|75>9(B?0Cwdn=CH zifw0QowLoI?0QY&HEYOjjpH$Dl2%d{phO#m0p_WDH(PEhRa{iID)h^P)Y=E*DXm5= z7b~&od}W6IBJp>M@?iMHP1gAY8D%6+*cXfF4Bxw z8%$@u;nsgW1ah5gWG}ws0?o<|L7qoAY76eX=d`QJZ#q^k%-vFcJ{E_&jGBL70Jb0x zBD7EK+94*CUU9?RzlC43VlY>?Q5(BuU)XAmOoGx%J=VN0f~!};Z)L}*yNxeq-|pGe z*9^rE#gpj%d}aG4ijK9t;^@d1!}B?-3A5Ch8dcU&)#^yJV#6?<*-i+Z7P?Rqx6cTd z#V&Ld>XTl4_w&?ub)nl(Vh6j93!Bu4^<}UTQdg~v^yF2}xN9h1l<=WlU5PdJN9|8c z!`G(d0XIGU@KJ6q68+rHLjAQ__%!7~Orh~wMY_=938%Ra)K^CkQ$H{&U}QZ07&Z9Q zmQXyyHmk#n?0q*}$1eFZoVfED>BnP0r<4;wvZlXFt`}k(XU_uqvyrETzW%po(o7Gy z>nL3~mjwXBR-q;*+|7Q>#?8LK$QVl{ut}{>sdd%blqxHIyOVod_JOBo*YDXCy zJ1aP>dfD25UxGq?=DzsKyZKF1q^$M`{Qsc+qT7MT(ocnhk$^o$EMd#hFXfP4V)UwE zAK0a~nbQ^=BbUfVC)p;j%mVO@@e)}j9+r_>8z8%3&~(eS)+SxQ%Gf)=W_lfd->e^~ zKV5MS4RY%3bK&+oUij#+3fC%FLh@CO;E9BFRGe~rwnPl(R@_n5BQ)YGUO~S9RED1Q zgiusp@{jkxM1LdDnMdXcs8opR7a@~k|^K>h4A$0%2k0hklU@9o1$q<-1srB`#7 zlqWkS@mh3u6g)U3@yCgYy(i{N_gu(RW^YrXEAp*+_hQ)oBJ~`+=nb$pi)@-~puPgo zq0&y&r|ZsZpQYFR6%+F2tZJfv7-9sT1u}YdRIDhjV==ZXiF-E>Ujkw@) zIRDBP&E-{G^Q+;Js5DOx5n}Z5BgZAU;=Dr!ZnT$LMR7i3c~GkNad8ZES$!v3bl?S| z@1(g1dBy69;>Bz409OEYjpOQL#f4?-HCNpkmwm1L8N8Iwe!{uH1}k9)SwZ&fbQ4X6 zUb&sj8LTDCeuEVb#RX_R*s2_zOYIu=-+*hy2E7b<>YuWA zmz|c_W;}{IL82`c*e+RmZhrVRp{8zB5rnu0{!z;m4SaD;97@a*{k0=bgDQVqKnvow zydLO)DXr5?yiKAwn#GG_g?P_Kl)hZNAA{)VHi0&|($H3q=$>>tN|5qvF*}!=wbn>8 zQh)2jxd3*~LF+M$)x)Ma>Rs$4bU9>-J-xMCuCus=J_Tk*m%ZQSmf;3AcJ0@u0i;(b zzBS_vGaED1gFQDLS3u9M?Ujn7;e+!r5eS+pU{2mwTc+-19?Lv`56$uF7kTc)>t1I1 z#EhB#q-&FzvTiH9N%?l6>V)|vSz}5-Qm!K@Kk-8TX_+ay_rMmoPu5>W z8b+@I3Q&*0D8eAC>j>1z30=sutJETIF$h`gcV158z=`aENz#oLYY+~*Bw*50f`S48Zh%Q_0aAp9m=OWc z50>l;p-0dMHr`>8`I?Qhz{E`1d8`OwY`QSab`{tZ5A7Is7j;Cgyl+t18t$DP@ou`{ zuY%C-L^HW|y|-%)_t~3KFW1wehnf1k&X}S%$se0uTinB^G``u55#2 
z3*4VY+`N}?XuH@wW{A_Vu4(;I`D%OAaFsR|c&lvBM0D$AMXahVIa%3Fc{Z?ETO8Xe z@nx)S+Njr3>KU8a#&Z^7T_jy1rhk_vs$N9XSREOU-I1yOX|3Xl?P6V5k}cvkqB^2c zq4h$}EU|PEVAZvIiMal-w*dGI z_kupC8DOypls*TfDcIj1%Q8)#6oVKZFFe~=p!&cpu>^rRq8lF6uJsNvgJzoGo* zbNDfTn=9Yrt)N`uW71wBv)u9iag`6|uPZE%=y#dT@oD_=e$KD6o&A1!=MrruY-NvABgxM-E%pd_tVem9Fyo@1Ag`0#E+D{85@|kl0X2v811@u{Kh40y>7sdZlsKYKj|w z@TAJx^MHezx#tQeJ8!u@yFv206AjB+|LXSwb_(Z_1sRC-$=*Dv-%Fu-;@6G0%}ENs zbEID5)%Ddvl9Lx@M3LXGJ=I*lT`^kL{ZiAHt;-C@=5g>^Ppl)0+|npxoT4ZhbFDEk zlf33bnSyHW zo9+kK%!nrUTIo>K46)vsVWNXLMsRaNfc(~qkw6Zf!62d5CFbE+WL3AOI$^B ztXLI%15u~0nsTAv%~&ojjJufMzcJJQJ%YKobDeSgqeox-Y_AgfCn}_$-P!*xMyuHU z|4Grv>aM1H>W1Xg6Asn{*(3s^1B`JA0EehZ;6T9$cK}L(+_zE4yv)9}b#(wiRuhXZCBcJre!n!)<2(8Jz;hC>;#O2Y~8h(aN89`6G^ z2si8Kitv}hUOL zVm{!6w~pdDH0xwJpEr}thUagb+^?0zaGiJkvsdzIddQvTZze(1Dqx&*CGf5HmOc}? zW8{vqEg;X6ngie&I9%wN@f(Y1MFeXEHu{$$@rMjzCo=Xb-c&3G`hA@&9U;F}(+79m zQ`f^AcCP)!QVc}CBlYhzJ%8;!H%Df%+uxK@BF;Lf61mNX!Gw$2EVj+#xG$U1{GyMD z!Z^p@5iHUB#D3u!#2y=-AlfW8Z0v?5_rY^C;SWpbOEOO@T`bRAQM$X;NJTlu?=hbP=^doR?tF(Mxloh|$(g zMn|nPRJx{9p_;H8CwoE<*FMza@Z*Kr39Onq=X3j7@63!WbW3LTj8^QZEk331=ZhdHxS6z$2SZrZPDf4)u*p!GI9vBLKzFJ#_oRr1 zvP4(Xcd;p-kP)e?xr5(GIa`rXOVu6J=s+0bQ57|vkA9=>@z59G4`^l$U!!jaz_h1M z7kn!w34+vX>k*7c5R6B0DyCqoS6FAo(1l~!N0IKmR393bAdbmU``DHw^O4U>oi^l3 z{@fAIOX+iQOF1<91l&71DGv{VnxQ>=YV4qne z22n?@0+?;1sN+#ijFm94W=btuQ_b`xSGG1>Pd3iwik6(V_Wcg1^cik5Uzd@~5a8Ob z-OwN>`LjFJmSjDBh^d4uarV0}P_XzguR8=1ltc%-lp+QyzMEl!iH{J$6g~lk6D!Bm zqJfxKEL5C4FO`>YFjx#TCT#7DfHI2Nn4uTicqJE$JcL1VmZd$~VfU1h&#Q**Zb8K+ zEeqF-gKR47M}fvPLEsLZHrbpRy-0a*uYtGs!P-0Ln=?b7>K&`Laht@(PCYvzDM z8HK*Q`AM@o>ii!Bot*?gph%RUn5U@BQ#X8c3?Ul;wRjm`wW!7XWn_;ysn>1!10Z~!OtDd`NHHFYk(jN(vyTcXpTW{wk@3?!xI-u#%i0u zpNgUJqdNH=m%X+#@eZ1KlrxP0zWm7_9lFc->=2n>z>^Vi9@Y}7)qU{H#6P6~q)3^; z6Z*mSWJyC(75@azD5Lg#-DT(t9$5k1z?OCIXDp?h^Hsc0K8BwgJ(t?XXQ0bZ4eab` zV14gv^u;#^R>(>5uRwSAV0NyWu3*ltIj)P_D6x^HRlhQ|9<0gQ1(vyD!2# zwi*T+$?fzD`U)_bS5k^%w=Cp(er)$Lt?F>+HKFeBg+F_KZQPe`xp~b8&D?&-i)ZQ= 
zhOZ;MDDE|K;Fd~S^!T}d!A(HTR3mF?H}IFem!4nO^t65NqS1p6?gL`zw8jm8uV`jS z0v74~e*H3SO|}WmR;(6G$$6 zgt!4jvt%#Bnj$Vi|m@5%pV-jKgVkbE3qKMT@kbFa`i?A6A@X$(61OeH7ian zws%?dwaMAqMry0|q-rGGmH|9HvY_?0s||$WsfE6x)w{tRr@N~NfaHdU`Sk3b#V zVa4@pL?`5-HGIHzK<69bzm91LvUzk%9eiT`0yU7Ow`YYq3~Tjd zIkrWxx_O>fUnEBzzvzalCDE*$ge%;fI6OY9$I+M4+LBa+H zctqn6gAnO9mMXlr=yAK2IkyNA^#!B?Muy{yHH9~8TjOhZdf>SIIZusNK1S@S8<#;B zA&U+;Fa7|W=&4y5EdLHbhGhZy)~iWPF~b0WEb9yTHuU&+2}_r%8S^ccD$DNO?>aU+ zPT2*$Fj7u(k3^7{6mvIJoCfiIYR2MjJKY zorW8c4F6Y|M~{1*ymPjA+M9?&kae}j$YjVgO&EPkxH?cl785Mo5nx>OWrA%J297qRzgDvWSEi zRW8emj45YXlW zC8&21`jI`()rJt=bQ|c z^~t21j2yNdvpJaPTpbIJ3syWJSyPma;!|-x;4vf3`B~3!8`?1359Ie6E>Xvtl^fdd z*5GQ_;P^36!hrU6g3YSU#w$28QdtZ2hb1#ocC!GWlzf{il)pqwN(NYlrLu2la( zU*5vCbut}k{z(~u``zx?6ve4+rxvA0kNf1&6|snZlxAu=JyM3x;a+XoyI?6si``He zZ$XG~khz;Dh8peJZSjb`SCJDYFY`kl)8LrITYX_ZryxqVY5X5~{!N2k4*1cajb8K+ z*Aq95FX~=&Wry_;*_&O2*#p*>>ZkIlR{Z{xeUzEO_`%_iY_<5)dCv1s9I^g`Ijg#o)T`k}-1%}?i!nwUM?s%3PKco!9wyj1Ysyz?0uUDjPw!<#wjkO+~>`;&$7e=^pn} z&s*5vu6rU-f?jT2qBZ0QZ`dx4E3m;iG;Wf*F6|5#`W`M?hs19ehtIGf!V3}7-kNBY>=uv zOUJ+tchiSkCBuBGjotsk=xMr{MTd^eBjxc)HZQSp7D8K#8{sq#jKDB}Ci4x9D8OVM zB5$QgM~X5m0T>wx@;!Pvftl&$?Z#;M)N=RH5!Pa{fMSSHd#~TOS-)8i7ptRcZ^-qY zs2B~R?5DtsM#xJ-W1sgRea?5ZA*(z{(y{eqV+WV=RU0$uV|rdX^=6AZodsnM&&y4C zgu3;fTACo?5DY)&Y8HQqYj8@Z)v3?dMis(rASm~8mAlt51QDJ^+kCb-l^Y_jwI}cx z)Oy4qHVWG=qocJs;ZtOHuBhQkkt{2<{3%6kHfl|)E&2Gp9<`dzsx4KGeBNwRnwnf5 zo6k}@n!q1SPGc97IueC!8x;r?rSF_AP!HZqkq=ytI<$!!%{UGzK(YuVzeKkChg;DqNP8(8=oak{Q4%ot$cQTI$oo18Xcr8 z^`YS$+)0vz0nah1)_oD=;USRN@;ynwPU1>}V;brF;2bx|1D`y4Z4ol*kj7DyMo3J} zp!PHhSt5@`_+*`bafj^gNSug9Fl=gWx_S7MtJLv{e%^_H0ULD_%!M{JR-PmJSDR=O z2M5Rf(|&FLR=t3>`M!V@-ONhp`IE2VSDWaTqf%dIFIn-NDE5`X*#mmgL0w1UxzH5EG7`)B(UjXdM!jfF(FZ>6vYA4#Er zCS1LQ*LDy9AEPZKhIB9IZ=U{Fu5p(qvWyD1XR?f{p9@yC+q0TC#6Xum`r~f6-|BM@ z`=mqX_kZf9yt%u$(fnb15kEvg^q)wr_CGUy7XO(3)i<$qcJ$CUvU9O@{+C#v>eN4S zZ0@RVwfbDU>mrG)ab-L|QUTj+YBpK^@D9C@gaR<74G~miC%5ZCmFw~!VsSR8B*O@3 z-iHPF6T+}PGLEnhz%G!rcPM8B=s+R)06dksps{l1j#()vIkmzTyDhK#TicIs9uW@8&`4Ji@ysvS5 
zD)A8sBhsF&NR(ncd{yGqj*6lF!0G{LtDssa;qN>E;NH)F_v*;Dfy#GN8Sb*Cl>g$k zn<6yE+&FFJj@Z)BZ|IaG8n2klYxJ!Q&T#5K){rm7J(Y*phbyq6Mojv)^}5c*Sz1Cc zFVR&KiZUN0tM@I#m^Qw4|{o=-=Z1n3G?Sdl!KZ;PEz zHT!d_!pmg?P>S#R%ADWYIn8O&@|B3Ec&mgG&w zU$|9i@~Fk(4HAJA!)h+xNReYL9t-;uyC-kQUi4bRaxHOReR6B+TmWpqv5c4L&9RIz!8X$1#cmFRw`ES^ zI3+S28MF`k!MACVcLDVBeY;Z|6fN)w5DK{KRl-|$UWb3thvW_PT)ru2@J>3i;|H*f z=O3*H(8?(lJ%~c!Xg9>tTZj-BpChsl{``Wq1as}IC|rt0+!6d8gWNfYkQAKu^hv`JUB+L_CuH{D8{Vxj6% zq5cu=S`ss!yByU(6YYC5SLSkIe6L|izp)#9gJdnA_5K)Cy31e7*YPyMYF6+!je>$oh&kXMTxojU{re281s!P6Lq1*37W{AY#2R(hi?c0QS-Gvu<#IF zF)5;4)n#}hqCu1Pv>Pn<1PzH#e9UO)uvK4gK$mG~qvxt^`&02*coh!fH%;(e)H%5$ z$Dpk{%j3+i4s@mKR^f<(bgHh6vZg6VD%ob*q#CS4TK)&(if~0N7hzj3Mz;ae=lk=P zOhxF-K^0lv=;ejg$hNF+)NmC^&6auVpKYup`gxeXQs z;y0q#PFciB@FN`8hfJLN`qMD#qq6{2Q~Sk->IlTGQ2{-7VmtX?LP-HDWZEQ*RGL3r zk>^^ZuOnoQj?z$+RdYZ4-e?xgK*>Ne1}Fw5ol7pTv}*pA)fuB}ENc3yZyvIo-f=$3 z$7I6QT~i#D;9#{Ycy=hvsb=KEE@#+q*alv=NPo!(kyDzD6Sk;oQZ+?wW*Du(x#&=W zFF1`gDahtm+sIZd=)ybLWN>l01#!tBRX!=$|8a*Ux_{3ixJb33L%(6TqI;giS`o| zN4YjiM{9@lx3H>%wW}a%`Q5Guqod+38VaJFa+N9d#%Y1e^bI5Eq$-{HzO&%I;gIc- zArv{e3Y}Dsdj9UNQDREKta!k36+C*pyC`Q}*F4PMl3^*@^rl7IEyJltph46Seh4y{ z>bsrbQ`)xLG(JHUB90UiU|_VV5D1WJp1Ty>*O(|?9dIJ0`VT@4oWGtgUVkG;mAJxK zSpE^we_%hY4MRFZZyL&kCAHER-XvYF*|dvDMnyJM#DNCy<9%`^4c3e5 zp$bRxz=kvW^T*Yv`OcWDKMpM6yLea zsklvr7I(K+J%tplSW|e2X3LKfO70}S3+*9!8xxX{qlrpFiH@rC2#v_JNhjAFB#Une zGL;dByE~q2`ux(WZ8VFoM~_ioz)wO#JbBNrX_$i$DYPf>4S#sDIRBb!@;->HpBdrf z_V_fWya)7z+>9Edipu=GB7#%@hGs{GsV&f{AW=A2DkRb8R`os+J#pNV_Ue7~=jPF# z5*gSyPy6EJDgH9()^;f(c^`ABsAsf|);(-l8mRUZCl{fbUCl@U8~7KTkEkmSM2W1BL4|i z+c6w@FEy*>?>mW_uVfxe$3|ayk+t+nt2Xsz*OnTaHuY`Bm*ktv%y^!`F&xuf#{L}A zSm{YlwOXrpy!^NOi=HwWZgt=(vAih=>j~mi@+7Ov&gC_)mZs-v!{(pPT-@++ZX+T58yA1M+yQ zRf@zN143iB-%q;Wm6w&cG~jUjUn~RLqAxL{KPsv47J!3_T3K5xq=z4Gyxf)`H7%1G4=JCx`E(<#3lXJ62loC zY`mkB18bbi341AhO!5C4bsqQ=s? 
zAoO9FhsN=dgFU=%G;-QJrnjc7x-0G)`Irxfi)W)A?$^^XrIMz#?+0Kll6DZKvVm6E zK@wYWkhUASgn7|HIwBzvXJo}as?IR)0~bvSU@{?PE5j5~WtYr5bK-nT1Pk%>63>TAV0~F%FJCozIzaBu5gc;+cw;#f zNz15&g_ZBvA}|QaY~A!}*9VjH_vkm@&Fvn~lW4o6$9uc4%K|=B*5Ts^VJA;%AQ-$4 zX9G=Ut@i6qi$<7J`w`^!4oY^!*<&Qny9CBCmqQ;2gB(tYy^KaY+>we^iw%gJg&^|$ z0|>9EhD6o^@R*><<}3yRShZzC@{H8fx8&(yS$&#VW^nlu`FLF<~b{LFNDLrLGUU|%ipq%C^)I`FxB*6H3;R~-#y zTEN>%E&g4>R&KJ?O@?RHs_wOXvfK(jVbiffgs@t9@w%8WgKekb+<1$cN>4+j*wvvBvK_+J?H;Wc>-#=Dp#|c3``D z-m8f*?db?>Z7!#C^UD0EOl#)DT|BO@DQO5&kM67d>7c(ldT8!`_c?yJ@5GCD_MlvM z8#?JoaCttvqUBnKeja%5o+61GZWsl{nu9(K>4cqw$LE{mj^~$ve#j0RM^)3^;&J3Q zO~avd@i4{kS^h;GZ?%%sGCSD4uV(1tW40xTWKi`>d`mP@Z(%N8+!~go9HepegNj8# zoay&u)P~)OmdEqNR?mYs@`8L)d!HVK{<^23)x-91LuqE&H|S_DSievHG*3eWqO`XK~Rct zxR|n@%jxrYG~91}M>q6*N7DSUF*irpIleGe`j7+J!Joao5&P&^SAPdWkq3ZM#(-7* z1q3|CRZ)jp-K+8fq=yIvwB)eHFG3xLK)(Yf|3c1>sC)zp-HV4Utqnl|?8dLi9TfP5 zWP;>rv|`mx~TAEH3EB)BquAxHnW~)$9zSYKCV1m_N z^t$X&PIrDT6=F*)RG`^8J!{!iN#QuQlEOJ)5@26q-b(p{ABVA^mpr$ZGN7N=A5?bt zCXCzw6(qP%0LHz*?SiOYO7od}ktjC8oQF5mEh;F)YzRa1ED^<6bF0D=3lPp7$9F#7~TiT>cU7?H6 z8H5Ozh!K1451tl?APIs_srjkJZ^os0sS}5k@+u9Ih}GTLgz#~#UuYH;VTCM0O3KC( zj-unnQrJzHRVibWI_Wh_l`L(lYm-|!gfp+jjYMfCPFVY`)oTkC_095gm!J|59w^36hDz^U*Xa3nUfb&q;qqk?9+(4j(U-x(W-ug<$L!B#my7%`+!19jh@c zgy|ALCw-l}@uu45GWjC3%f*g1MmK1mo!!yDwh-0tNt>g2c?go$YbaV=!LQ*puetQW zuO4s!#MAr`jB(_DQ30A+f8Ho%PI(X)U3JRUhY@Fn)oU+LG*cHCa1X9A$(1M1Z;HBhrU!n z27oof;@$Cz_2dI#dBSstNc7&qKL6=GM$bA-y_`d|<&T;eflja($~bKLtj6 z`C!M`1IV|+vKgJ|Ku2tp-#m$58Xm!95SszEp?ufEWZR8vc|iyMb0T0|q+-Zp5BzNRm(Y6O=jbWf z&%Cnc-Yp*4Ru&Cw4tDlh(VO%cIbATnXg!|3ZVtG*i#;6(cRyJVco&9koo?Ts_!B|6 zCrn!!1gNUJwb@=nJ-uyBBTa2~spG`UL$u4We=1wLJYUf6en^UA=-O=(1X(;_s#fn{ z8*48?7WAR+r4EtAg4N>6AP~;aXcaBiWH?kxGk)fAV@lJ!X&iK@lfcKq6`?mPcO)~d z&+&e8O%-Np#8Ui`34xcnB0oA0&&(L**qy;{Xj{SdlWS{ex#>+CT^#uR0Xdd7#~UWz;J>GKo}G=t)J9XqL9~ai#`5|qBq}I zBQG&&<5khIS;fyKVLMq*mHEb-Va=ypkOh)kU`fO|s5|-2y@H0Y`kxyp?DIO*^!*5| zm=GM30BD#1OmO0E&0w=xu`OWY9Gg`XnIY_JzPp*}o>H&R__cFcpYZ>+1C^p_%xUs1 
z>UrNM3%vh=sQ*K_=)WcDGT(7Le>=9VSs7;V{~5;c$3jtH1I^BwoCFXB4s@=36qTeZ zLdC+wmAvmiM4eGl#o^{#)Iq}~GZp3e$Lm%ks}_aeT@Syf3>1sXLpQYNga*r)8g5^~ zPduM4C%x>pC%vw{>^}B;`7z?Cy5|IYqyXMQ+pBx~?w4Q%yTP$W0bwmO;UcwT0-dMN zy%k0whxlpbQJjeOAw6q<9Fjn=+oPKMzwsj@woC!n4z$1?3u@X!k`%7ccZ#J!p5V19 zy2j-ZUOGYVb}G?FgIvSuF*H`JQfo}O(KrL!B*k5Nr>#hhMn6hgPcT~_gcp*Qo0o>E z!&-{7ummmHwzM{DDNWLVIL5UOTio!D-fGGtUkzmP!)HUA6XoR(FATIR)E_fWW4r1W z9V;2+$efK)4M3w-0t}(oC)ZqlQ+jO@y+-s9Y50U?Py8Cap|J?a_v^Jv=EoM>4&Eo7 z8Iz@p7@f*M86{>&l@`*BISJblFF@rO?nDmYb^?Fakrprim|0jY6c{8r48CiQSG0yM zo5`hG71ygPL*K8t9z&zGKEfrjJF4q6JR=!wt}Hxs7S*AXJ3n;xv~}&)ZdOaGZ;x-| zk*QgN_0VXBTGk+sRf~6eO39}~fi)9YhHf!FuXb8zHrAQY!o+0wF&feq?yMuqqadg0 z_P4Wwhe+pQoHo+oyW{4Ama>{)J?Zc64tb*BR$pKNaqMlJj_tEfqj3iWop42wb2 z^8P^c&dL04x~@*RkG{r7gkSd=c#K*uo6T`+iq-LD_(8NT%fUVFH6LLh@YWUf}oY*-Alb9 z1U?i zhL1$bmAER+@NG=-$$fHu-T%>>UfKKY$-N$C=C^J>ShHeF&9XPKWVK}FH#}0lk}gDE zKEJJ4Nhrge=Hco1T+!aR8i!^zZ+JfoY3Y>rUEsSm!lIUk4?KC`23v;}`cwg9tOCO9y8WDJQsRQl ztOjz&-}zy2Za3F8)_DDs(GPjUACfmxZtem^9hh*+YgVeHxUnOeDnUcSZ3Dq(O^u$F z0k4q3OeUCgl*c+vRf0TAF6IpS@k|jvw-;{g=eHe$P_c~{>n}E<_)aT*Yj^!zKs~Пwy zDXh=hx68EHQM&EkMZ13OGbkE^UtQ&%bH3RR`g)`QUr~S@yJ8^}xw5MNQ`~++Ls7f% zr+K6r3R~q55hbcqXFP?ZXhq#;68BOa40eGru^?{X$uKphUDiC#Cv@wXrbL&$xQGk?`J^6{~`6*9j_AbSr$H@9^8`c)=tZK3aOuVM1xFIg2gN zB(ACYcnvQqhSox{X*obQW#>f)(<6_Em`S_MYKkIt#nEo5bED&0)kuQ~0Q%9u^Z4OJ z#j$#wVGG;EkiB)hp3MWEExQUxhY20-WfZx5U-4hxpJ^Cf=l>DthLDZ!)bS0&I{5yw z{|n;&zeD5xnXKdd-wARuF#=Hi^eDo}kwgLR0CGF|z7~k6gT$?KK4D~4easRI>iZJh z0q(SP^7bpqG(TR@?DS2UVt4I-Vhwu?t$XM3-LP$UiMkEW!pYn`go^i_IB!KXi+S@g3b-EGHb*f)h)hl*+V0!wXk49;y-y0ZvY3 zH3E&5hWmSspaK_3(UKw%CD{i_PgPyjFip`W*jYcnHDa)o14TIm`_>CA`22%?srBS& zq6-WFAPD|Dwdh}XSpOLV@NYb?ZzjO^$vR%n@8pBz&U&LI8{gHKOLmE>#bwQAWb!Hp zi9Kdko8)=Cwu&Fr=bP~b#!VgBI=^ESVhRojgLx0Ce545vkPFx^g7WOvws zNmZolx(l~-5F?2yN*+gZ!KZ<%-Z*E4liCM>?Q`sC^H(d1_yB)rAJabuH8;>B zFb@gHwgrfHS^c)3rRQsmUkTW^a#;UW{|?6I6E?g;@*=QC1TArD{_YWIQFmzB$OU=^WMu=}$yb zy~pg1i{e33eY;}7P&_0~RqbF*6`tE+gGsr;fVw%l5Sce(06VHsG90fOM7n9_2%IrI1ft^>?~6 
zN@qmo7^()J3PYw+g060SWyLhTP(aDL;`F7IRx^P1HM8c@obf@;2G+0YxIIM@@A5oK+1&Z?|74q8T%L5 zav4N3Eb$_62zYsG`~jq@K$*?v({Ztr(C7IrLZar^^)d5lPKnc5A&+DadKw$}m`%+mFsD!bE7STdF8<_^meAO(a*u(A&zlRGTXKUQI-GVEujk$YK9BwY zI_lPb!H-p#f}3+U?%k=^gRKT4HlzS}TTOQga6nSTX@Fxzr3d(A~aM z%Tq4k7r;&-`)A?{Gn~VBEawE9sB3oQLCZn+(PgUIiLcnp;&syq(d*`Pon^E)K3%PM z)Z66MCEM-m=C?IJ^OkeeOEq^9*TltY24=9#&*iWIfNTHW-|O?{Wz!tIq1gI~UnthS zSR~IrT=ib$37b=f{-$CPHV1rlaciIQsVuJ$4OGg_xOcT+KB!7msp1)r3)Yn48Y*}8 zA&*hE8 zQ7M)n1rdVP_C_pJU|#)z=^N5ewc=AGx+FS_;edLqnFIm=Dw}-|3Q$kVxJ^M*P&!n< z<%ar!fRTU&?ly`esGmCJB^$h7E=Y*qrlMpUP8G~~nFVT0G*z-5Ci04^{GY_k#EvBx z`#(|ZTT1+LwsX4Tt?kneG+KE$ecyHl4qA@!Y4~(q#h|y$`^Xi!-S^+81aOAo31}!K6d!Pc~0}`bP9<# zee68;2CsxhO5Sf5wqrhw9_I%4A?@A+_L-DqF3Zt4nJSi94Da6Kz0kj1ne4t}#rK|*j`I&wL!@;I(dWZp8F zY2Qi*mW-RtWV0agduIuv35{aXIW5m*x(qd-)I$u=W@OLPr5H-_>~v%UOYM83p^2Ny zG2*3zj5)?7m>?ObWG#zm=vGjAt_D8)qieuslkMT@V~YGbe_$O#^z7UMe{g5{Vrg~f z-Uf(2kr>{#{V97pyv44wGht#LI;}f;1=((_!K6~3NuOO=@vt^JmpiQzedmec-t}!< zfMeMoGX)d@0?mjiOZTLm%+?V7@=Zm*|$MsWUp zh2g>_g$vV>RTR$-R_3QiyE(Z!Q+YRG2e4ZG1^Zw3j?T&t-XY(BJSzeK0NQ_2G5=Yv z-+zjw{cjc(ml{@fL}F+kyz}p&8Drr3sg30DHYD|x!WT~>@a>q~=i*eC1ixo>TxNKlHB!Ha&e>}8x){E6dtQ;INlDYm2-v;vpU(Y2 z?RucQKk?8f*M2Ne5rW^ugp>Dk1UkLTG2c!c8#W|bx6P{}b@zXJ)S7LwtA7Q6N>S{* zg^0r%0$K>NZiD%TcF|WrOHll%`!*n+0=N`Z1?kGqEz_nd7|`zQ=nkbSN2%^A$dpXzw_%mjfKj6^)>a@8AKy@*O2?@DGYzGS zMd_9er42Pmo({PMK5nnmkDLruv%9XH41N(92Ua50$iN@4iqVEwzaYI{BBc=39X%t1r*kZeWius*0`_tKpFL>?|_?gI4H={F(wq@DXIn3t z%-)Nyt*Z?h_$Qa8xdQNw13H~`?QAsUQcw{k+dJTXMVxVZZv?kOl#}#tWJMALqmV2d zp+FJEzSQNDjhyMT`;7I_+efZMra#9!P|?ujtmHK47<50OH^GBdKfH<_P3>KqH*Et+ zXMhM(&B_)ErauGM(Z9Dc5CIr8P$!|k)?O(0_58e_6&O#-u13V=qO69y2$my}zPn-i!+*D1m0?FFez& zh9bLJPHKrz|JmvdU$r&mg{f_bV?jBBrH?!+wyx7UeCD6@8<0Z{@9*}P!MFfv7W(s+ z3(D>m5bfVk9Z<{G3bkW9fR+KeS&(KL5ax6y@a-^dHw3ti81A9cVvZ`{fx7(>TQ;tQ zHKA8t!`)d}b}7Z$r-0Y8o9*&V3}btM>gF@R7Np%Ev-0>IDN)XJ%JV}p0y_&;DGgJ} zzT;dX1eW#3DTZ}jayhkVG1Ph@sk4M)vJ?Rn%i+(a>KnU;KFy~ixk@_a29se_3(97g z^YtHv=rGv9XpZ2F15kJe*{t1kIJ1Tu)V51Be0#fK?YV9C)m9a)PofX$*YyK6l5(t 
z7enq?zu@F4AWb{4@TjAxWatCii!`erb33yqD^@{;+^MTg+d_nP@{eM7uGlbFKSVH_ zO1FAd1qR2~Krki+M&^Y9OSH7~$D2Gw*cUG3qJ;aQMVcv8t9~u1QfW&@K9$xdn8J2x zS;8-osVE_>2FbQ}6S_TrhY6r=T0ZTF9GmxU(JkjWfdpe8H6z6vPy#)v`} z**FbJQ$DJ_`nQ45Vs)Pvw2CTb#wOxUhepuUDXDP!{UI$ISJY{eR3O?{fF%P6i^UOoo#b_HVZQBfyu9lQ|mTE3K zI=g9u#w}QEZMQW2ex=X`e0{*IX|&7A?TS=xICcT@JFU+i0@p9VbuHgeHZo+O{}}5X znRDoN)_EOU_+4jm9q*td688{6qQs>mka1v)m4 zQ$s|@RaLIpUF0PJYYj5erDYl45{8)O{W%3GwEb%DrC)x(9iQ?TwTMhh$6o zR-DULI4mf8knLrp5tZ%rPr(l87zcLhHX)?T(NJn``@r$y>NC8T3po|K4RAj79mL=C zwv(0v;Zz<>Gt8N4Ij)MLU;ARl4@hQ4=a?(K?SGu#_V!D(c(v2%(xWEg4#dAA*xv+4C!XzPzs*cP;b;Lz$FtkL(pKTONLm2c~l$E2)Y0Yk4-M z({a!#{>6{k!eoPU2KpYK%E09rk8U9YL#&kD@W;O3&vOcE1q!UIoeq<^`Wr;TK?r;G zRGlOkJhwsnn}=8Q4X>Vl#qnjzq&A3JPOu4sf=#8LU{e&PM?<8H>+Af1~pfCBYTP!HWcmU$BAcK z&dpddA-<;NcC2I$AGMid3E!+K`L)fTq$)Xz$Mv!W4(vFqs)y1UHbT6Ibx@ph{mc&tF9{K zZ`oX2j$Aj(R(@tG!{M_eQD4wyuOUa!8blR>K^G+qb5 zKg_io2{eqY^&M)|PBEAHsyLqynO~J>NFnU0r}uQVsr0RxV#F({bXQpEMM|0$H*9QY zvj85?XPvqfyEl8u26p;oB7GIYI8ThbqZt*JRi8&(u!MnpS^y?BN;mc^A$dp9JJtSR zyucRfnOHgU3;6R7>){jYHkRz~6t=qm2YThd1snX&FHEwEK`a&t%e?er*~6UpCWYiw@s?i(w=x58Y`BBWo!d9O56 z1JKKA;~>KMbN<&`6N*b55zHq8L!_S7ip#bd+%-+O2L&_S&q<8uBt`(&8j-QqD>_2- z+Y4ZALL~}JJ7Qa;2RX{$&?Uh1 zvnZ6JAQ3FLZ{)l1C=FSgHHx(pc#c>k{P%0)`Hfz=0u`{USO1XgTNLCRqQT1@Bufm4 zlZe|LzYK2?dtrxo#s5+CJYvqRSsBLj{kA3cdBedk0C>`$gGMU&aa@7YYk_^US9<@0 zy;3(MG55cjOQ?S_mxRV!#C>Aqt;2~z!^kd{cplWXEt_bCQ+@H2pGz8+%o!h;lzh#M zkk}w1(x_W|e*hNg08^K}(zwu`vu6CoUYTyxU^~ouA{`tK|U z6%5>Jf_4Duy8Wn>rw?H&Znw^P(kCF*a7A!;p_Zy7G;7)LlGn$CWItiYl&O4_0>8-Y z)rQy4TNH^khgREtq6H_*C4U*_iAPUF} zlh*)|EqsrVVR%xn$fx$cQ8qsk7KwQYlR^^mFZxog;9nAu`ZoyxyN}&3;Rq@K^@b{0uxHkL zmmOOajMzhamN!h45Ev!-=Ey?rT_S#7$$8C2{z$;7BAz#~{gVv>RSYqA)KD3WMiW|X*6z3YCLrh83KcCzUwV(gm zgGf_-8-8gklPoTk$9MH2oV%c9LZ7GJ}9U_=}$N=x|!=T4Dv0L6lSU zo{^OI!qOvPLfwNV6+Ql7xjzW5_6Fp2JS|`BxSwTawCReL?r-JytWa{W-9mxvvEJ{U zi|Iu#W|;Xf5lE?wkSDcSfg%gROY?xZ2kW1V_A#V zNw3ST;`i$^*~St&!ex-|8{^#`_Ex&)xg$lA{e($b^JNiL)KiP7>YJ!<3ZhwK<1=y9 
z&0-1@)o(X?t0c5us`ej6jrvZM+;{Bp#0iO-Xhj%4v{?=09dE};KP;+5b3NLjJXG6STQG zHb^mW*2`Kqt$4(#!2>3GooN{Ul4=bo?peDjwDwypOI-^0>zlO~NZtE$YRBq0r1rpf z>MZh7n&&`Ydv-{82fdS%yj6y*2V=_)8=>j-@bwR|V<{${9CqI=GQ{r|8O1-*g8wFJ z?0*)5OAQ-4EU~{cTho03G#y|z>9mj8#5M@b7(?bZ@J9&K{m$^QNydKfeCpGDo zod~(?rw1eKr*}ZUkYy4Mk?S_ZSu?DtAn9%|A8)It3OJPLO%Or7^^nR0qzR$M?xIsK zYSB$yC@DZmi#=sXE_+1>5fI=KLZmIm$m&E9V1q)%1p5VptlJp?-06-8lXH(zn3JJR zoPR~$PiVE~O75<494aS3RPRd+0=4P`9!3BO6ini>l;riLTUYL+F&vUHfKG$#Ay0wW z0h_ea8i*A2Te&BeO9HGD6!uvl+2F(xq=;4rtJ)FthneMTT^;L&^tOU#MUr|li%~x~ zOyxt6p%{vkI4m|V4`cDdiC)*(ip_R(2F7;n*1B=DzoD`jK{+H>mj)U}nhYXf;wA*0 z!>-vN@IHi+Un>+o+uAc=Z00@MvtsBx+1c(~SVHi$Ucrh5CayWuh$Oi z@-q=EP$7U?q1;OIQS9Wt;X)iSzZ6=F(8t955H8@(r97lsZdRs4wwEAYcc%9Gt0^V| z*^EFB1KwRzJCaMf!C2Rt875I~loli_jKao=FUrUov*WsAAH}ljQ`n#%?V~sZs99e7 ztR6TmUZ@BuoELJgJ__}fB1OG8_)Rq&d{k4p&Vm#}31=AqVwF6l7?8~k-uM|+C(LD0 zDdTLTEfa+bYdH2${KX;4RVm=Q4xSppp~d+qOwPjsT_>g5kLXozNy0meC11hS_mFu+Xt2s;i3L=f>FKU=1J{87Hh{qC&x0G)DTzwIUU}20k3$@} zVS#qmG_N_2M5)H&yvy5zm2ss2pNamAw_%;=KSj&92n6Uu(wRckADtSY)N*CM;9^br zD?zQzEOPkR*q{~QXx2!f^yflTmFVGGH&Ld=6I(IuL7PjnSc(q5nyM5W3fg6z3F#CT zS>decxKCyNV8c6nhJ>H3DM6Jg=BA}=?>(zhU>1#Po)So4C-D;M{u#2`vZA<9UDrYW zqXbQ16tBJ(G!LyRa|Cx`;-arW>F@Hm>H1tH^tUd5F^hH8c$DC2N&H{L_FMZp;6p4( zyQ|o?_7_UlAw1=aw~=%bDmbV0Y7t17lZoEVd2`N>c*0@JA7xA8a&|Z(rzl^uAo%Cm z`q(FEvJb9#e$Lm}hq56A(UQbgQBuEY*zE+>8sUX1Pp$XMVBtB}k;3()42~B$;mwra zPGgGKXV-@F)XTYcCXzES3y;Yzy7PX+3EbZ)6|8|W`83XMR-tbgO;&SX1yT*0OO0=B zCPIUIZ$p$pku(Gv7{P4PGAA@N)KO6#RhDv4B31Xz%#Ol`iqhaxpWnhfD)IhV#EssZ z%z4|t^&vjiHR=@UuDdPtTu9oHg~0w&+}>auWhoOGKK?+niQoPX{d;R-wE;iP7IpRq z?+h(~NS;cuBE8CrcPGZ^5Ais?Qb-|TIm3X!%-I_Aa8;442XaC)O=gszdyAe*6M#<{KpUaKUQ=b z3nNE6Cp%N;e*=w(%l%O|`n_Gy{q7q4Uy$bib3+$fYda$=0i(Z1IsDHHglHA5*fmiU zUp3f$i2FuiDtR4mWzmQJ7%@&`v+^*G(T!NBkUdeG^?<#WJv)$-{WaJ_BJnQ*~0j zu>p-+9m~o?yBn&mExu1_4)L~-ATx*uUV0OLvbdp(o4zXMh`?krD8xqT$#4psUX3FJ z20$pI>gc`ojW}dr=|P_|eLAD;%qrma36Ur$=?H!K%cf`p_?df_NqMUTo&x?MM)jlh zC^7ndM5yRqh@`GLis9vzCv6N_>Le9VP_l$~rhy`R0FE(K90d!`flyB6!&$(x${bpz 
zl%GHzwXQsZJ|R(zz6>A!z5|S4v`{5w+z16p-iRZ}GmNW52Uv;RPEd_){&ovH6Nb1y z*|vMxW}dq|YX1Z#l?9Ou5vNqYe8xH4Ne7`IA4#`Xh1MAPJp@a4@|84L)Dk|>r-9wy zT7o79!{dF=4*iN*W||2-T+^dfHA2@9MnlsC|H|4c{DD@)AUfb)Y_*47UPBhA0Ykw> zw8SCkOA-b{bXNPNBXk~VqIdx{@4_p!TrlLwl*PB6UDmUS8IS!YB8R4~pZ+s$7*M8? zw|E!_?Bny)+0l*2t!VABfidRF&++nNW1Cd+s?S9yLs=~Gobs-1nY_V>w9&*TCvNHwvLX?z z&=g;(Ka{yfd_quKc-U1L5PVYVHma80fj>+P#WEOUiPE7vphqVUB+Vg|V^Rl`TD!SBC_1aYe#ncNkbUx(Zqh zlo>YZCIm~y%aZKx(FI20yLT>Sv*oSxc(SNRi}Elv%xpO-1m4(D3JYlNuT_;axhb*C zw~gYQY&ZtQ_MFHK;WgrC71Ln>b*Yk4C%5RUTyk_yg$iY;h((}x(#|jI=~yHGM$JC|>S1?4@&c9^<)=)X zmBB$871VDa83b#5XDM7a%)K%;z4*1tbTrLQvM5>sWr5rdFG{&)-K1C`Db<3BFamLuro9*R&-FEDKeEqs2BSQ<7J&kSB zT@;-EDZs*AJpO#Yz|Wh{PATaS##AJ~hQd-brNBhwmbxqxW85K`bfijPE$kx_kz&_ibQJ zoAFp4=x{FOu~@B|tKN@$7fKemal6)4yz9xe#o@e$ z@Yz4G??)g#zk7z2Jh}H;*zLB`b6bz}@;YQVpz-3KmtE9tfvhzFu;0?{$Z=ctns9qA zKSh)DDRbfdQW`ve{GjDMV*YiIzl%9R|4U+_@&^RBl;jx3)NF&H>dr|b3m(n1ZfMIe ztOYO6gb^gvFb2)cturOXSR+QworOjrLk=3cJ7>%gb5^e*D=`ZcJv-ec+v>v<2i`r4 z0ZeCLuSPdfq7@2?9Bs_p1H z$O)5!4tAZU`YC&&w1l%FYl=T5P!(NKBG9NAdp^_AAvIdq3q)dqyHIN%^DK%I_XU%6 zdY^_N1~GuBQ&i_=Yetl?lt#)SDMhx-Y5O@N6_;hnOkX<(S>kRm6vhH4JyKS3Z>K+0 z#4kC_OTeEJMS~f_B92=i?k>Aza&n{$ttx|3%+tm07L%)013G~1b6#&$Cv#EM`v=yl zM>?-_)e z62|Gibx7ko2SCL4d7xmSy?AiSutOn21H>2ad-9eJ?k`mXVrb|^?$+^L42*2T*@Mxu z(mxU>VMbwOZ|-`nsa=?9M#Y564y=DPkj#V&{up9Ni$~~znClOomq3e5z(^GW12~Ry z4+nrMaYg`RlA_Zdk!Y+pM&$GY%Y4B7*+J#;>&FkhX+}J@Apd z{XU5G{o`xMq5<a!_-#uYW+*7EL*n!6;IAwh4hZZ$up8qeyTE1Gfza^45+!Yx zh~yTwF{$dAlX0yfQjzggE!vF);|PcHE!~TeRwJ$#)G8OE=c}N1KSGyXDQnixC~{v! 
zK}A|AH3*Z#>cJ9Rd520o1blJ%v+V%t?<*NtFDgoWJ+9D?dAo1Mg0Ymq9nIck0or0I z(XKv=(W-x;m2SHpAgHftM5o#!(V1>aZU{-+lr7Jd^CW1r{Q0mmc@QyV4nL_0Tk2$3 zzKq>|QF^}a;Jf}K6w5e3fs8}1Cb#6f0{F|nqZ;@ABUiD^jYr+-TXAmInvz=FB15VU57L+%`dp(lJiNo34G3&`FGNSHqq zLMVxmx2;DM9=>wES`vn8J_bAXB=PpJR}&~F(nnP~6-9jZApf4eqr}{Xr&1Io3_$*G zlI*?<95Qq~XkcEeAog5Wu@pvj-|H&b5d z&OdD{FLl;CGysbiFX#%Fj;<@Ya+rn0)iZ#KVyXk0P&!L73W{15o57PFOy(LkiJM@8 zZ-X!GvU}V=FFq>J$%cdypqyJOuTqj-+ZOle)V~^jZ*+Sr*EOD>dUxZCyz->;pzRB@ zqAjFrAl?VQ6HT1^$jvLwjg=~Bmlw7l>F#QX6oMQ zd3c2U=qM~iWnUs5-MF8VC0H+U0a65^1i86=kmD{-U02~15c>B43MH)W?OFUchkdjHt!kHy;@_cs z=E9;RVu1(NaoVs69b_NNjZ*E#HER^x0)0ZF4IZ8oSnMTW%{W$?jwg3Zgc5_(`)z5z z5o&S6&(aI0h@HF%Z8IXGri2@aBCIS#vRUwLU8u;R{DwCC_A@;va+Kr7^iv7SA(N&R zp(i02O_}n`hf_tYmslGNXG790Y&0qIE(6ve`eaB{RpV9SOGFd<;4UN!2M3|(M#8!B zc>-w4Luzd-l!&3$$X02`Q8=5;PzbX&gqih(Gmz)X4P#bESR6c%wU%T!{5L1^hjTIm zbu^*E9sEmL#6gj4NHzlYECK{4Nrjm}QQ62*NOUVHvh~Y(3X(>(KcksY!_a+voz;Tk}(Ty zWG4c}(%dVWi>izcDSS};(NR`}!a)LgYt2q_#H@fOnC1*bQJ%0Um|Q=DBh>M0b5K`t zHljJ?1qcu`*PJk|Ds(5zhGi9g9ANDguFEV34y6ll0Q*O6XyrZltwA>ob#wf{^j21E zL>6HIld^rPcGmZRz2ga23o)vX!2mj~G_DJ%D_W#ZD!g~WTld^?pvZRNZpLEOHE!KE zX}1&eQhldBeL~@uJP>VPmeXTCw6fm!)_^TFp-VEyI(CDWdVlhCpYP4#+ zw&`D{=;DYtz(rS|VsriK1|K6!C0%k}vC|J2X4B|o6Ry1;P!xfe@2AVW*oDE?bSy2X z%&)yxwf>B?Yl_n09o1}CLTV%X+H;3&+P<1InC>UGzLTfddVair_GIU9SvC|lacMj} zUF5DCVzxPm*vxknHkmJ+2d$-_sE8 zrU|K;5Huw`ATR-M+TldEo1_RTd%RM6LAxAM`D3?QrE>M`HcY$_np66?!qWQr{%eg< z6?fK;{SFQ%`#vb;|JQ2Ff9;0;8(jex<^PyMZ|btD$>IY_Qj9{DR0sWqJ5MY{fa?Qn^mWHuu#eSj7r912w9Ob7T>SX+IP)~uw#iQ3n}^z>)< z+!I7>iddxOh@~5viw9c&sltz7Ko|IVO{sPJGNQ5%7po2${*p!=xW{n^w+hVVM3l36 z8dX0#2C344i+SIc>l{t)85&pfxj!`BDd6a8d^S1bTBJ@A(K@)<{oGiNEYAn5Zn!2y zlfgNN+J87)=k1=;FF$J&_w1q(Efdzs(>z>-ba}e;#DK?8+|-*2#^0;Hq5q?_;5mPA zWOLyst-=2bzKymBF}PH*LV@htI|9c^}Mby=F!VLRMn+L=l8WibjhUTB-4?( zmFtiWZCY4wBuPNL62pecdy2i-QMDY6@dQML?N~Ef;MjG-Qy%dWl$;LFxwh1y4bBhY z`S^le#WWEF*_JSUq7en?u%L}8M#)fzfaHSzkFs~{vNhb2L~|#1VyA7}wr$%scG|XW z+qP}nw(ZQDr}}nR*Qq)+x<0J;53Difj3**yM0V&eV$f1t@U(JE4QP44oL~56LIss% 
zN#ZK|q>!O0P1<8N`pSg(?9?E>5b1;mmg?xCC^6-jN4Rks1EPya!p}eb!Cj*O$`TG> zii@%U(|Dh0k+UwtzVE8E`B=suy%naXzeCNMjPR&f<7Dk%iF||v&m3y4SbL#?$$RyK zsiZ+JCxKccBrp(*I&$^dY%tjSqADau5YVhD-DXRqB|UCm4}Y38D3q+Y6go!K^|Z8; z#tZL2R0bbpQLe~`3d~yL>*U%fl36zMtVV;Xk{IaA+D7J#>I?MNYwxQxYgYoL&C;}L zH*W8U(F&MM*^n9!2MG|dF{UsJj|665K|OaB5qfS?Q3ObuhM$6kKXYf>W<)W)vqZ58 z*GP9;pzaN)5nph&V|vUyOs zza5;sS@&T~u!YWRyh^=JX)iPpZf0wR@AgGj-xNLfiytpzFJqHMWZp%1N~f6#crVIP zJa=DcmZ1X}`x!S*c;uZ|2V!U5dUk__S(Rh=+} z^{DO8sW&^WVz3S&_D%I;R0guxpmL2hNCnK*Ig5`-YF6G}q)TF#f0%F8uER}!j>;<# zk`y-o$^kCaEV}G1noluT%*EB8nA@#wjGc_-bqpWllher&FxwLFEds!pe~$Uye~mG; z{fArR4*&rB|JxumH2bUIYHjd8LD`YYQkEFQNLgB6->L9Mb7hty2%ilV;!VfbL!5xl{Glf7V%dCV~|Y%eheQEU%2^vEOn zzkUIRVY}t)J?|-)IE^mW)r3PQ|Kxi!*c^5K18?gX)YA4CS>{7_qXF*V^eB0Bz70YU zdxLV4{>s`ji!GZaO2h9Ed06NmvYAx5Tl^sEF1!!(Rj)y;2o%SYcnaNBFF?!%_`?m@ z@omuqrt2^b)YDbWBS$s_hQdqy5C-ubPRfvw`r>l5oQ<4Lo`A@g6!v?Rbe}HRf9?c9IGYi?f8^$8-E&tA^G+(q|RJz42CF2|O@7*qD zsm-O#x|u`Fs`f99UxEOc*7GL`XB^lCQrEjno@Xmjj>u9F4Q9<7Pr9S$qS};f1dX1m zcN}pz62C+sbjeOc`6vT1$pQ*%2m)&n?FxP;WrVoG>rBJ~XrsDW)7key?H?xN7Vl{> z5^RtkEUA@h`a|INr)?$H0ZMrb!77DJ*s3YT*38M~>c6q6X`|$zC95peu$A*x`2sf@ z4UNNtAt?z%Xu!qfr3pL^g^}7)>L`y_P=-=5;E7`TF_D%U#cooD|KZebQMRtbPbfPp zL(>eDYFdMJVNj2UGlWw_&nq*`D^l^*2g$^(3aqd84*4k77*Qshsi`-J!6eohix8No*;!aMCNF(3{>VQi9iS<-6H_sQ#5BBK zOs`>+%9n&h$Y-=#nY*Pn`NV`UunbM?4X}xb+CFp39flG6lE3bDppW9hfBfatUj`jN zVSR`DT9xI|%y56AeY`cB3O=#HBur8xHXxeWOer!KJju-|1F5tfbeMTiUIpYCvg! 
zn3HY6f-hNUWH4CEV_;B3t0Nv(=7cN5_Fa0e)I_U(XF$u|*mG~Qzw4Ugs~q7fOUA?B zNA{8P_Ih_<%Q?SBVdq9-C?q)S8lgG-S zh^EIw%CN2D8|&KlI6JfM<%LzcHUQW5-Wen7mAAg_pKsAW4MXb-$XkuySMg|lHE2Du zp}o>OWB5TGEI@x&+gG6?r*_w%5ERQtN|cou5(>v&=p1_K_mr(L!yf~%H-z2u`bHg1 zchlJX=)je4a11EJNrsif&@MJ}!q9ee{jkb4OtEFrF@^O(IwPr?g^TN7FCNDgR!>j+ z5-C*b=U2y7GnhS*zw#8fH!C-6K!o55$ma#{i&)qRM4>?U+9=6lN^x6f5cAXGIMHW1I<2@uQ*jus0&wR_X%5#MP!rtQfsO?Auo+&ZoN95^}?P zhH|Buyh3$T!#kCR87+!)vjcH8($)FIFb~!F#PJ$@HA4+UzQ{B>nK4UY@zy+XxSRRY zFwNrv$yzbY!-9Z^?1w?q5nW#mg-X8_&4F+Bu)}E z^#+^h#7QU`6}vxbhmt)SPOJK;dyvs2?f8;m7alzKSRF=WooRCpBO7os-7B=J)6!SI zX*O))-#;;0*WYaqDKH%SG3jPHv1fkE3homnhcn;|J#`%udN_NSUh9T>@&3wP= z9>HSE0&kdy+ zi-Fq$%^5)ga?*(l3L3Z&uUM2UglPmhn@Z(gcNfBJe z)2#Z?`8HA<3{@%Ngc&!(Y;5mR^hZaS$DuXnWT$U)fEGcOZs)HjFxw$nY-o|w+N>yC z)$Q6m9FA^p{2qVJ#hbHIIB^y?6=qXU96lr;CQl?&<~X#|(>R^gHFf6zS%`$;;$pgh z#;1&32T1)0$AWBwlI_h75#*c4CHAX>0FN|ai$VN9u(a!*bghvW{n}JoY5~##3fOplOF$=B$) z#&&p=&%`z7Y#)azLDo*j+w4|^<pA{cl<~OQ0bMc33q3yJgCTbJh)7*pdC`H>1Qoof!IG&N5Y)3XE8H4zTiMd z=Q#SabO2q5H-MVCyxXZ3ogI@wb-kl0Rlgbe1nAq=^+jP~(I7-Gw((?}l|DcKdAhpgZdqGuwbpPEN40sM9<9!3}oiqQBN^Pty4cR>~ut~9E~;~Xr+Ii zanxa~2yQ(7xi|uDU;Pd*gz^>yYhCiA60^0!iEHk3r9hW`Vsub_0%W=DiS%4-&WuWb zT^rk0c8?DbMH+qH9$)7KEB-hJi`&Ol*~+jQw^miGuRf6fDzBMAMQ?gAa{}(Jyc8Pz`#q zY}hoz_LJj;0fTgDQnwc!k|czNQ^l`Bs!=FvDFCP`jC*L-p~i-4qG6mW8qKa)1Hb8U zj_uen^JPe&G7Hqx3J@Y&UuRY#GnStWT02so;`8lQv;w^i4$@ZRk1wg=gann%YRz{lW)c8MJe}?GZU0TF2 zCrKgTkN!ez*R15!en*H+*B?VuF?Qq`6WM#p$@7w2nERPt&^fv-X+~JFGyKl*<=A~T zn=9*5p1b7yYI9EVf~1mPdoK~IY!gEJK} zwkxWh5^k8BkU%IrhZ&C*dK11AtVu{vBN|s20RM|yhb1&6Q95WzPB@6d@{#(-&wHEbD=c~T>!b36q<*-SOa+j$>JO5Amj z{6ZK*@+f&9xT-TM1hc9Tt5z;_$rlSFSo(~ERGQJ{%x1H)m*QP8qjw3lpz7`Exz(q! 
zy#74wy2x|jBeFe4jT6aAtV|C~9WN$l?62X4pLB>sN0#AnO87cf%AF&Fp!J{AZ@g|s zc!y`@wF;&+VT=Y42*WJRO==;V(NW$VNF~7CE+c=@fw45gwO7XMU7^G8gPTQSX#eAh zIxq9Zui9sUYnpYhMP(FpOlz1+Rz>Gg@|MhP#0@HQ-;V|k8Nd-OCYsYhZGAd`JY3;b z>jUEv9wx@RK_B=1^*yfeTYZ!-2moi2iMqEX{{tNQ?#U0~x6FdB-f{%a-zwTA-YhlK zeT8ixXvsPO(Z-p3JqYwWpptRhSt+s%blUsUJ~rhCRO5iRr3^AhrNAIJ8WuNpNKI)^ zM8}SQ`K}pR7^Bl#>|RFd7ISvi?O}&8p%mF%#F)o%Dzjs=v1AQU7Fp#DeiNQg0Byge zKmGy*--X^J8hODqz?Fwx5_HA@GuJfqf$S7ILK`T8?YhVHu$#lG0|Z0L)|{)niyJw^ z7WK9BNesLXT;3Fiz-hMo=nl9l37ysE#M*9fpdhJ%=vxKrQ`!p{fbVN2-6SUU5Qc6( zs~Qp#bY{9jZL9Y(nW3`1I=?Cs&}dfD8A7#h#`Aw{u{KeNNC76@GJgW2_EitCQ7^$! zST?`Y@s7e_q0Dvm&V-u*_89u2?Eb@jgEaF+lXe3froxR**$QKN1%%|+a7hJrvR7!d zjAHFA_hRZi%2m)Bd;`{Yv90ydTW8;YHGk2G{{Yb&Dc8GsHM+we5%g$T6v`h zc))hYJkhzYeop8Uk?;klqRnlRv6Re~GtoaAlvtZEdK^}1NOk>DO8<=25Wa>tFAp{D zNSA8UgwlXvDn zm!@9qv02@e!&A@nC2m`aBl<2m!r2^!!;8+Hv@AGU>+KvhqoSb{tcQGx?gd(53v? z0YU4O=iaxLt2GsB2~fRPC*hz~U&o-^wjm(mC-ngR630FlAwZgrg8bamu`ai?n>w zB?Gg^$@I5rZCYdqe2(^|E+L({e_d+!IK|?=AZ|O>WS{afJ*wocGvI#00RGS z{Ee;AUwboqho71@1tYz`2B!ZbB1cv39}YLqX@(#24wXb&^ny?-BgVl_IaEMY*EbMW zv`)(u=%TJXu9ES5LK5De%fNUjMo?Iz@&sJPkM%tl#U9ok#=J6bykf5uH1UH9Ja~Lce zj|XCbXU|oB4j6S;Z+Q`^KV0S!$Xkg;<`jA@mROYsEn&<+t9)wW62rN~WodhLAB_ZD zjs_5h`K5_Ugf_Gh-a>{^{sh41nun!K85O(&4!B@f}p#%CnP{LEOfmRh+W; z-zZB>hieMco~|~Kr)ei9-{+x8TBOCLQkmW$-4={m3bmQP9nq^vDNgtp(9t$m)MyNF z%N7(OQJsPr3|wTu*G8=JM>4^;FV=!8riDbS{|@~n7g`AZ?)GRzUTs*_J0ZV3CvGl1 z1yNH#X3fgv5z}4AnxKV=&CU6?wU@^}Om(LMLk$&c@nwFdPo6yrFpj1=05ljwkXd>FwpO;!Hk&C=#=P`=cz2Ug1);YIL#H=J|Ef zI_P6lZ(@DARVT%R`GDzp1NNlW&2Loq_FXte%dPnrTQ=^zVG;3KxszZD?u9lS^xR2b zfq-fT@XS*dekmkDkfGb_)JIjerRw3g%PzWyt+9bKw#>`LRbO}x-GFC!h9N6~;j!6x zw+F*euGZ0-Zb&brk3a2WRjSYS@H?DNgWTY-6j+~Q(jwHhWY~ZKc@$JyRYf8NLz~yj znT8Lk_e(!l^VRL0{)LSR z#H!C)s*&zfVJl_^IP5-(Z*9X{4-iuTu(8Vemd}G9o(_}^8 zl=gU&3^;rS#=sN=)B1q%gh}hzh54&Sb@M3{(qoGjX&yvrT238`%7JAvjret+A9%<)Zh$qZ@+$;_Yq ze3S<02ufJ`CfQ$d#x$G4?n-wm(K^%3E7%meT-f+|}|CByFn<;HJQG5&tMl4DO|%A0@SJBreU?!x>4e7>>Qp>lp(cx)nO3Mw%Lk6=L*cc~eq 
zHtSDQv1DF%^T3mOOb69Q?BkSx+p!B7qqHDN?d*&PMIOt=G6u94%k5{YeE-0_tb^6T zQp(oD6%G$YaMVdIf#6@jZ4~U0LdfhB6z*jj!v{$7(*Sb@bMl~Wj90IU1zYr+Q%i;6 zX681emPG0rZ}T+g;36QuKM(A`oi^0Gn!*F}6}T{0q{8>F998gC+jF3v7J>;zSI{-$ zeFUJS>X^a9&t`?f7hcvS?0#n*%Bkd<9SH(zK6tE&z`}(Afh=PYS_@x+D z@YeH}DRZZCYfKd6Jjjg%ROr)+squku_$9u5suPopfk+iryp(~a0E5g%{Srpaj&E$Y z2207T*`6f;BM*Ug*tqtLnTz%+!131Hh zGr5>vrrH8V=kEeev>U|U-%rq%aVA@k{~*Y6MrhTaUTXc zk;7%(66Z4Sh)Vb3XhJEze2hW+QCuYMn; z{v>-tU&hf0Z`cW4?vT-{Z6Mvkw;C76_9cG$eDrvXOqA`IS0JvW;-l*tjtY(zbc8p* zDGZkdTFA)4Hw=NLx6@T~-3P$yPvXJ*#@LlIe0x`^G3=8KklRvBlc zdWs?Fy~-f`2^1|S=0SIwnkG$OU`_&t6XkC?erT8*Lu8e-UxhrUmY(mBSD7b-hI@dE zC*tz~t`<5%ZSJQuC$hAkhV;GIzIXb-e|ixU&w4?m(Gl(h+M$J{D5L(dg|=gpFSoR= z$=43MPN+ZPKyUfRCLQCN61zMGq70Cd3uEu9He2DXld=UFpeO921_w4Mq&*RDkZq3h zC)F=$w9MbnFdH)8RcOgjdkUIe1n>RixPCh42_KVWKrKaO;{B;EOIFlK1fVbu@sIUj z%U*8^XfhC5kzFufb8^$CHu{$-h^wtgq~#SMSa%poNNL_gNGEN4^=u&-2jpdo zByh1^yc}w)YO zMM^aU>3NlJ7tY1=TC(GH|Z1(QRu?4LqHUlc9`& zD{?+?r{D~!$`~sx4NEf&Eq|fu6(~ajW#GF<*4=Mm&OS*z+OUy`5~3ksrfs!$3xtt^ z-@sKMy$q8=OCSe~Gvm73zTu3fjuyML;lIbTzA&qqBvLhU#p+}vEaz{#jbTvfAwr{UjdJz8WA}{Qy(O}KfKYNI)LkJZSp|d*huCkOn-&ILk=}TN#W8;;v%#`hQYsCl|HsPdv$GEe+nhN^HWbL z91CTBUp1?TB2wIV^5j{1d?4p;DjTIBDNf~=_kPl@*CY(9sNojIXmL0-7qwi9bFd00 z7Q4YHtIPQDVEe6)<7RMgfyGmMw6>#b^8~5%lBR%ay)dTC94pa6SM{&&OzU=ljWpsh zO^M?U!b9y>ESe9d0E7#KQq=a^29~oaX_;R11tPwxHxk4ep{}M`_riRO2fQeiXNId# zOTRQPQ^rS7K+VpqbQ_oUNl&Yz!7*%e%^@}Ukym0b&TlYMlPR%*>VKhdE&eH+aBFf9 z1+U;l+W$$FMDDG-k}n6ki05i>?yn)L?cqv+LjcS$@I_np4GF;(l!(Ymyu=I#c!>m{ z3!g!*_uN;!2hrc`8j_t>Yz`Gp0QvEz@a7Xbp#{eIYKc<`yihXJNi4KZKy?_c__p&6 z7m3DRXi6*mRB@s@`XZGIIBU!)C5pf?(ViwoZt5c=yI)JF|5QFOIkpfOScb|8pA@)h z)R59SS_uvml&++~Mt1+YJTnfr9TXF6h~bD~YjmDg(`bXtJ8wTmy7)C8c+>BSA8;G6oB9}BjCz>v%Q`iLB-mZT z#i7{9=jk~J4X4{4R9DFqWd+}V(*6Tixdev&sZO2aRWEsq&B zJ*_+STXy1yF9crrZrx8Lmr90}Jju=oc0i{+Yw(h4ZC4sC{hF|!>MWK%@9~x+bG%Ml zgFxZXxvVR3&PzhPQC}GsQ8n+g_?ZIT1)A!iOACk zrznWoI0==ie|A$3K26A{NzFLWd9lh{k(%s4RU&NVn(rhzdG4iX7`MP(KQZYKy*3B( z`Zdi@a&&SV<qJ-r-W+edpqsjL& 
zQ>N>MQA{+*yoJ|YzO|w<$YG@`$_Yv&QO)QMaL!#$#a;xcBcddxB^x}X@xx&Z=Xxx2 z$w*^j{goe3A?Sd)%$Hc9<1dER0eJ8#!M{S0D8&y{JML!ke(^qkyV-7jm*{jy)U#jz zdf05Dl0mVzGJ}@|bZ{=7*($Oebhpk}`0Pn^ZOnFna^ zqHni48FBD_e@5QVHI%kDSA+nUaxqMIL}&W@`+s%q+Og7oG{hHl7CpyPqgp4jounxD_j2Z?6VBIdG?y!AL$8@Hp%y z^-%l?fNhqEGncs`=(({Bq6SQyBZInr>ZdMe_W*kIjOcgRi@3x1=g>HC3nec@BW^T( zA3jcYE9^~342GorEJej6l?R4Yx8}CAo~Er6-Nz;tyi)YHt|g4j^RrJDutEqvb!%i^6<_Sr*k@#L zL>%G1+n@lIribAINqa~FvN=3X>S`HRgiiHavb&xH3BJEwRjZa;u2IAgxs_-q^V0B- zwU{-Jt_Pne5G80_bsw|P2;WT~|5=0GgeI1ktv)q6ZC8SE+;tCc(bYB@(tBnAy|1x{ zMU&Ht0n{$&wma6)o>54pg8pw?X>AOU2<}ChU>n6ze-K)rP7`vaka|l zYb{fFC2q?A$}d|U^#$d-(8|X7rB*d?>Dwde@NO++!kH~|F-sKiQA?Yqg0wumE92R{ zvhZM+rt^}4+*~9x#?~6?YsKS}wXIn#cgR9yA&cr|_0cQ&#WEs)$zio-4YmD1NpM8Vg*_@~CA4RCYGnisS9*aF#`+Ch=<|TnCWegs&1^d}3CR-T(`P7bMX|LzZ37 zcg>R_#Rg7dmv$(vCvD%i%;H7F+-m17VTJNcex2pc$Ra14psgTJ46XG~j4RWp=GkRQ zpBg4?w?#~-<)Hmt8L~%BUgomv3~=XdNB^KI7klNyI&4m!;sxj4)g`x=oBfqwjA1;j zho<3_MF+ZUDxhW4%KQl9ZGNQZw@d}wAm*~wHlpR{Xp!mC4*Fi>2dyN*s~)b+C%Ur9 zlS(w?SgFISA|H|aHW6$Y^Ej1}YmZ77f|0``PZB^IOn99 zV9{xdoBJe433pbek<82RP4&Khe&^xp?WSnOAJ*O>4jekIbQxULoY}a;n z;}VvxCF2uatYz7Bp-p=*o0ynHGQ3%I_)7#%=t9Z&3DeN3==4Wb< z3(ovCbCT3Ud7}3Z0hdL!w?fo048nz?h0B%zu|T^&%(^fmMW7?61^44?Tw3z=Z0+*& z!B|K;s*=mmC)+RyPY|)~CqP8^g(Kj|Lx=!3uXT1(Ng5#}0aS_GN!^uq0AQP>Sjn4v zfX;@HVbcaHz)wMDNa_S^tu?mF>j+Mm(^SV6(gr~VLV>1>#RwzDBMh?{o<~IfojPQc zc){FxpQU><=Ju_U7SB2oc@J+g){W*9IppJ%O?Rb`gOTMy-6$w zXuudzyf*wH+Fll_i!RXDB-)OFw++t)3b(kxv&HVGUy4Y9ViPNdb91=)xqtGshAe)I zxgo3DUrQk%0W2&5JLkZwz}rnYWZ8Cn+`dVz8cG>s?wI99^Y*cvGpkD88if1XlALJq z+VJJQ|K{m0sx;1Za6Gg}Cq_gScK?^|jPLeaydD^6|LqNV2i6xIX7Uo;A%4#_TwC4@ z$jW4nHxIl<(wz%#khs{Qoq;n(*jlB7zrliXQO2kke@2q909wmCDaD;@e-N+uR z=Dr)>BQiQ#Rl>v%&-D{?@waiqXPG|==^=Hsc2=zA-@3~F1o2z41XFS5mXP(Jdq zilN5bsJopI*Yb}NrWScd;H7L_fj-p1o{U==hT^S*R;27W2iDkduc)}XWw!^f<2wC- zfC3K`2RtyPU4<^}??>|9*rEkpQXs7m_=v2A^FJmqFPS^Cf+u5%g@nVmSq@_Ni8)mx zcIT{(h>liR8q#&7$f|3~^=Z3FaCpD0$(X=i^=gf(W(>t`&9Rg9VXnYD*^R;sj|uA2 
zg&9$mD&q46oH^uWGlk$9$;slwd-aZx3!ej)h%D=KwV%Y$%=lrJjxvi*92Yur8QA?k4=+6$TSe#s)(VADA$36FaQuhu>ohfa+hJUk zkOrw;J>a4C3?-;g(t1tN6BbXgTjG)89MY|X+tre~XH}!~oG(Xg2QuTCA#0=YhBmmK{5L=F5?lo#`32RcQb}}y2 zmM#btrD{e`4THy#1WTi;mXZ_a?ZjE1+#AS&grYu;&IneFj0me&;Sge1B0AryIL%}^ zz65%9&0NUDI8)HP1nNYQdrp0T-;Q*6PEwdqG40bA8mD1>2u`>>&IvA5qNfd&(lupy zZjJm50120lR1r=1IAKVi-#XXB3Q~yZGQ6Yw+PE%7d@ogF5XK_Af_^x{bmKBT(qG|> zwJc{P0Uk~U{Q#a6*Gsz;Xs)6a0}m(IG#LzJc&E)~D&I4mDnF~S3`bc9qe*Mg?6dqz znno*X5!M5oGg745PI*mnw6&D~#l2mjaC1+7MyjVD=)`ywYt|SIJiKLg;j3lGek6}T zEZ$FNS6o~TM=j&KF^~6}p+&XGWx81H3)XbWZf?EislfUHlflpWxBh$OX7{^tzTbO$ zkLK|lu7AGrt-ridJ%i-w%3hoid`72--h>9BYFz%U2O)N`_<`zML@-jo6f=X zjqcJWxC$!VqUcF;Tq5pJQw!B`-{wEUdU%pajp?7eAXO*;0MdUA>;LKA^uJ##oyt}g z>!Lr|i6h>q@?lo8iNuFjxXXwhQSs;-D=W}M3AoI2BihniNbMBuM=jr83~tS7wx6~c z+@folsU};_PZt*#4+jxC#UwVmhO(>?yc8`S-nZf2cDp)X!oWp;7@B8~Ag&6wzzYc@ zPN*_SM+q{qBQ$L^sll&L>|ei_juwU0LyY`*w-r&r*nTr{&L2kZNOvKZ^4+46Tqws8cXR zq^NEd7YThpDU_TVFrV;k)TZu$>U6N?O_G#aQc+JOvBz$KGIkDOn=cl+gvE<&Dfut1 znIOBjzFHtqhq1pvb#DORLLJDTy+7docflAR3p-IXbAS-{l~G&|1HUod6g*8cv;B=@ z-5aO7YVXb0PhmAm`0nS~t+Rd+B0Q3_D(|ROn&=O>kC46Mbz?bqkli1PFys#6;Q_{QF2l|c@q<0moHrx?Z| z>rRT0#9s-)lFt%I;Gmb|6-9cQXEUUXHEo>AtlCp^;YyptA$fMzWLWIxAvzuk?;y6< z(1rJ(n*x&1_S|4i*3Qhnes=e+q}NG*bd^7;JBSeEmMQGu|}Vrup@-;tfDGV5@bR6VG zLVUwvUe_0uT<5*(1oxm`y<68t)LzcF=k37mO!CW=Q9g6V5>&&vbwWv&VR%S_Sv*%1 ze$@y+mLau8yQ12&k>upcvYN0sl2hfV@UjZ|6D*ON#N%phw2@ctGp*icuVT6GPQ!=! 
zo#UQ%nQpUpqLe^n&uL8?Aur($4V#fs8AsI|( zwcj)?kEJi$gE>{o>`m*&3h#3PS~wo=vU=sEfY(Aa%O`+qGE7)kpMJSmJNZtYV&UsE zSmY2djHeE^l{5R>J`2d>%I=sJE>v)ds*c7%7`aOhVq<+V!uUEsq7z2KYO1MF=RJsj zx7`MtpMjT`GsWx{s{n*af3c@MIq>a~;+P@E72)kX!`_ceRmD8}8K1KU@6&C#^e2ap zt#u$Oq#d#4LLj3HaB32HKuJ9MZ@c>`NFhg~ma4lx4AWu|^zC1ntli2V&-j)6L2a8YtU~%$)Juv^1 z=j6X1nUyLUHtWoYUeDF6qS%x$sd0@x%!cy-G>-B>YI|(ZVL7Bw>g;tba|OckVvpC( zqN7O%5=Tx5YlM5Pp2yOe85s{hWwqCcRgCoE;H2O-)Lt)i9WP`ZFRjkv33_@Ag*3ZC z){RsCXqaQH6HFGPon z5Wj?+cL6UX$2Ep$B;HV+LG+P=L=V;sTA=pb$ zB6DJ0c}n2u-K1gCKY#>+R|AGAF=axhhgDcH!RWs=DdeXqRqmi-5VZOk%muD*oPHur zoI%Co(|pu|wf)C3SA1}jaY-jIMyaMTzz}xkEG87Cw+stHKiqfudjNB3Q;_#2@Te#~ zP^Y)Hd8Tw-o`G?K=1*^|pB^A@<<~;Ord7@M$~A4}C8tb@t;ABqdU5hk7v1Afzqq@w zrn7#tYDSwl=LdtebY=I!68E24dOW&tWb_@_vA24o1_HpG@ZybryIU$`6GG_vCE4kb zXJ?a^2LXfu(?3NdY@)t0^cuh_NMU8N%MS*`NnBsE$0hcwJjWN`ZbnihJZ|q&u`#E; z(L3r+a-whj9 zZ^hQMKdRFGL)K{j^ZZ}sRGu>@a_jsDOG4|xvUn*9 zI>+F>;VN2O0azcbx~@fQUgNJQuvi~GVY#VhoLy0P+PwF-6$TzbzjtrCJzE!zr@XqJvK{{q7-6Y*GlaI#tkfI0BtDy zIIeQ$h1+zn2C_oP$5ac2@4UgNkBG)H0@nL}&IrFgh{|pXLBCA_zWt!FaY#J*Dt?vr zWtmzeURmEl+bO3_+>sIoX338BWx>To94O$3?$h31P)x2Zb{CXow7SI+C@pE=Mys60 zJV9%|Q4#pF4XsMET5$W%8(9A;dA3wpKJjIy;Bw=s!nyVezitgTmZiyyPikb6Y4eI) z!vvPg)g*;pZhfeNxpgKF_lw0mmKF&7(DPVjd-De3@_`{e*->Wc35A22)5X z4y(N!D=?$oq>pnu4ck;;Dw&TxHdM{+cKh6>{N{CR4)QXzHS;Lbc}Dl61v;6^a`Lef zrJQf6?CbH8(-oVAr3RaZ#r5qH+s$V=69}lN^RP|6+Vsk!0Lm;<5v@u=1})w4 zjAp7j5Xb7c-lQSEc0~%Q>Sd!r1SsuO3}*)Rlbehxyw<H!%x zL`#SJm);la^uu2yAtz%Bfi_{r2cn+>V;#CEek)yBO??MLX7R&KVc!2#OxyLA^P=

r?q%}{=x4_UlOe+Y+lySY72U z8LHzrshQ&mx)Xm^5yP1d{8MNF$_Rt`)^g^Rbc^k}(#>peOhQZoFpJ!Cw=@(6S2pS= zv*GWd1qIy10YMXdCBs=Y##DI!wjxDt;;{0ZuhhBuWaNG{#!gPyfrSPS>~)#s=*SZ9 zXM+9d-$6;@$f3PrM6>aHvT(Z>dYRLMho1EnkF&c;IR3iNX~9CCg_ZzjLK_boi}KsS zq(6#vBVHw~tA)}uYZ#dLPOXJjZJ3;K%N=f$t-S-cr+X-0S0|p9C^ox&z6Tf>_PyuF zks7xfB$Y~$x&Y%D7G(TKQ!mg3O?Na)ZceTsC(pGBua&z*f6XBmE0+0j!EPYsz{$e7%i_AHX%uW4ldKq!xlNKWxRJ+%M* zno3;dSv=zZ%RJxmHtqt}Ey|Jln`~N0Gv(#*!NR`0sAWc^M^aP~Y@R?2|SL&2h1(eJ@HL~if^`J)SkVKr#J*o z(4PU7-Dq-B(HM9r6_z2Dq7q3px>jU&IC8mIW{c;7VLKqj#?fSx@RZ6gZI-iA`EfI< zZ$9Mp%3kil8d9TzmAJW-UWk%Jnvfu*hviKU&bx@fM$S0oBzmsPNZRksYSa!#;VdOY zR{*NJ2r{y}Va;nS;w_fz2z+CBlBXuA#mCLa(!dO`W3YkSdn|>M{*g1z&Wh;LV%B}b z&1Pe7qn_Fl-@22=gI!kU5{pcwPz@lM;Axhj9gTIVgEx zLUBC-(`%O2F&WE0o}o~s@i1UJqfQt`e98y25`Qw7u?0Z9qq!<%-1-sU-tv%zjZu$q zT2G4zwCxfoTrF5sFy9Ie@Zj;ZKjJoE{`+3SI1vF9jUR((kLZtb<~mn8`(dn#{=1us z5>rO1%g8Z>t+r@DiVT@2$~A)e@Wde)oEP2jjmUYus$g-iW6;7Z(KmIuhH;TFN)5GC z6Hnt?9A}ZkFJdK_m-O zQi*w>Q$HRjM-w9zG;GDKPyulK0}aPpF+SLCVvrqXXRM->-!T+b$w`rR)&Wn%Z>XcE zKbp7tW;i8VL7xzL0%ymTJi`&!gg40FMX@$%V!M!)FCE}s$dcH3&4y_NQdqbT>UXmZiGAPOnFkyu^pXLwd+(?{Jun>4lY^P}*PCen; z7RuEnNA-1mT)v~H<#(tmbnx($i9aES!|xNbTKB7})Yx`5{ePtX^`Us%JgYT99#!>I zd8hpSGFd@1j$vw^H0=(q&Cq0OW?=nZc&n0g&Fu?#e_xw!=cI-8o<-6kEt@tcCVz9t zMAwz_B?Q(&_hJc&o8fy&E4LEJ2Jwb!{Db&CKYa$p_?+R7{PKB5CQl@O%&*o+jJYp?N*S~+hz^%#bh zOE2ma^?#JTLy#^?6D``d?e5*SwcFTj+qS;8ZQHhO+qP}nzUP0lH@OjaR#AhBij0cP ztjt_%Rq(~wLTYEWAGKNLG5oDTIEzd_@yi6aRdm>rv2&t&8nX2}m=JXKzPJG3-sON~ zUCyaa6nf8VlWpc4`Z6@FRNSh&k-7$79t}7?{DN;b%5$0S*E8aOGiZEg>2`63gfZUo z|Nq;<|8R&>V*G%BZUDglH(0!pEdXF*^gmqu|4V0hO4Gs`Pt4`!uN&c@7O9A2bs(|D z{hUFy$wmqfaVRt03>+^@Q?)~ugkyzx%+fON#ZA2U^_bQALrvF94TF32_A{VKLLavd zlPM0|kQ6w<8RV$e+`Lf|bS4)F_)E_37waQgZJC#Mdpds_NH7k&?z3C1w&%6tV!1N# z(LhS75GXer^Cmu47Ch(|O*>cg^Sc=XCFm85mIxTqP99;72xb8Y1`LZZL6|jaAPZrV ztqEhWq7S3L1x)GphPGeb&jFxXx7Tr?lvfmeUzbNINm*w(YStRz`ZUZMmZ;F3cV5WJm+hQ zy%GC7N5Uz9oCD^H3OR?u$uBfd;`1ZOgPa%S3K==$#3@BJ50EX8@PNWE2%R^$YX;_+ z5Ia+FO5zJ6C>ot(id)_%fA@U)^Mu4;n-aSiIzN~Nh%Y@OIYX{lq~@0-6po!oJp(%> 
zd64+v^vDubNP4t+pyG-yIfu*G_v*weY&1{F5iR|@`-flfbPmrOg?Id2_8l%;?2$F* zAnP^(l{GxU37F2VN6ROoL_VTKA>)zPA%wm_cpb$*=35BjxD1AhuEfRH^Iuq!W0xokwez}@Jr1xfazaD!lE+1NSggNO&T&cQb~ zZSA~s)66;YJM%Z+2Vbe!F-mtp%^c<&>=Wb}gNbLe)A)zBK;#lqc>ip#s#Tms@=~?L${1b#XYWMgg!i4R7>-^>u z{u4sCKVZ&vzVpfK%Jqe)@!YhM7f>>MODPUv&}8AucN3p1B@Hw3m3> zm|Fm6p2E{3QK_W;TTe&-%D?ylM^qyf1X%9?;=AfxC zYrJ$;GzI3Osf`DH4jl!d_b0GcKr|ugq7%`$V zWy;mLP-RRCO7je4%8v{U$ulK$GNjU;%hwDuA~y>o(~U8VS?2oI&knpG@a+H1@iH~m z4w#)Rt}E5A8&i+CH~zuTjy7?(+Tc8IS-Y&p%$^=nRBdK&1y?m^51e!iUtFJB2VX%y zUsH;#A99*H!95s1XGuvHmEG7*8=D%P{#a`Sg2OjvpP9;r_*{RRVrqPG;=xHR9f=aL6V`AmX)XmC?DPA-!otC3GgjFy%C2xi@xF8p*J=kma1OwQ#Tg&BqU zdbuWD!v1Ynhz#SJ!?h4q_d#uL!)naUx%G*asEGXeThd$>2oolRtwCtR=6PyX02?{s zF4A3;)NhngVrdFX^A{Y0)}>d9Nt0DI-0;Y83y_6XSyA1bYEhqrPtmR-F@DLKk8^IA zpJxeC@7$3l>u`?u#zH660g!-9Z#p>1$_bd4rEa*E3Bm+Df~g0?mqyZ>j0aJ2rP3Hn z$qVfS)sc)s8;}1IaXl_GFn=#DFqrH}x0Y?E9C!a}BE<}!)Y9q#s;(=##!G{zHI|~s zsbWM{OnIhas0nO^IMW#&%=~n(M7&L&aTe%O7P{3Nu5+8K|jzDUvo#DUgkAJMz zD*IPDNX-=nRdiAKfNqS$0zgmKBk0XhMaQax1HBPWE0H_kM*!yv|*yyNt+-}=my&f z(-sg0KPwr{ays$6d@g+UNULK1q*Izg4UAjc1rUbR6DWELPSb?UL`A&9CW6!XBAY%Q ziAZE>tD1;seHg!t9mN;6KU#$zHIs-DaJhKd$mq?~9Mj|J@DB0OV3M;W274Lc9pHdi zcu~>tOQRp|ON5n;4{%L6m?(}Y?w=XUE<^E5Bszn(U$uUej`BzT+{8zZC%Tf$0shJE)bP7A;8mO-sp@q2K)V-WZFI{MF;T_BJ?e?=&Y69pF8N)l}>7c z^4LNz^AYy#jv}~{CQ!m28w3W_<^dF z1ha{3YxYxX8dwSK;cy}^k&6yOziHR_Dyups@Q~>OP)0?f<(G++4!--sCuL%(E6jtZ z!sqMO!R$vl!C$U7BK?NQzz0;FuJoa=Mml%CoD_>)EK6}qLdgq<@WLNz!>o4nVd!n9%@K~eN2wXcy z)W@H(hW-t54uJ(J3=VDI^zgeNdIJNm@_LnezI|LhuRCmqPaFbXIceJYCNE^`I+}&F zehDFBd~i0g(mGfen~~E$uHK`^5`DuCH;=wVwR=!gIfx%@R5ruRTQ8eCWx7`h7a{xK zt#rHxW;4Zv2q8p;a-I6izhC`N%(c#5<(;91uYp zxh3M@g)rRRRn_+je&V(io4~)(BOYv60V_v}+2MCx+VN(gT-t;3;M$S!;M$||WQwx@ zdQKuGmxMHDnp6I6DHeBOw*nGG?ZA*W?QnTEaf!|k6t)mrxUqEJ4G;-?qSa9V*`(+p%4R-w|roL6vKx8ADuwR!5J!1)d!%5X-V#MmTRE0e+LNAZ%w# zct8NmoW8)jooHA8TH+n}Szh&^Q{B|uL^s5T%(Ge@2S7Du&f1D;GqF3644K@bc^E!0^@xB3^Ekq-Un1 zfM-zfy2FaX&4?J>Kpa?N9GZdvk(Jgu; 
z$-YjkD9eDS3ejkMmI<018mUAK0K{SA*XPhsk{Q@Dec!(fprOfuvFJH`cM6K+iwm6 zH%5V2Dw_C+TVYm-oj$?L^CqDA;=K>3&sh$yXV}eek)0m&SIxM9>bK%ZTUZqJ^bY0`y_4U5rS8hfMtnCP8G`Lgh#c{9yir?cM+d7TPy)v1-7_~2@Whn z#XYRvSV(*79t`Xzws?GMN)#J=6$0(C>rp@1%rx)ZK8$qc&cQO%vts9JvFt+qx=#f&)bBFENS0S5rk3KE|YG^f0 z%l&`(&xl5ua5LE3uIsHRry3Jq+HycF!`jCJk0l% zvCU_dr3qNgaAW!mNrxBTst9L#3S=OIwsaH7Bu*6U?6-WPB&wnEii*{`K0PKn-_Krh z3Z&rQb9G$dKr(#%38u^cxDQrz|1U!%~pu(8Ni4z2R4GdhDZ#QOz-J((QF$rpD*Y;=mgF z+taAczI>F&M{vMY$592OYT5>o4T*C)|5j5YnRn}^gvQ)G{*j0(C|Uodbh`|jd)Gc{J-sQGnR(x40GbUnj7Ur-OS4Ck zalr^|b7V+Omi%E$OFny_G~pBlAkI`AX_2^vXX%lP?%dZ+0T5dh*CD4*{vMfg{&uni zjgjGbh^!V1?ci_M;9Sj2w#M5lny^E1OU?b26YrO(sySPvsV_(N#5|Q1UatEZ9C2)P zmf}zuKO;`9tA;SnKJK#a%bA!U{%O*!(Zp9X;BY0-Ca<^84(~;8((zn$$j4~L8<)hg zLh4%~r_)2S$)Q`StN`4-1>%EUVoJ0!W7nQd5u4E*XUxjyH#obPIpxayY8s$7Rt`|L zQjt?~*V{Cr9yArzy+f6^Hvse|a4P}aUy=@up((IENY84S4%vprbmtQ7a?ovmY2CoY{cmsc^tyM*vfb&nmN38)!tc!R4qFuhw@jFVgq!X>(6m2P%reW{{L^9QhlxtQvuR2{~ zcWO7O=cf*0f>-w_U-thE9Q-Zi?U>!pu|1#1xvLnQuUZXg6NT14@hmlpd=^g)y?n9b zMHs!fzO$3vH83roRjNJk#ahK!$KpME;p%LZrs>X87-WmF%~w!^>3mltu?s|41th&G;MJhENrY}fZ~cia9+cH!u@l3qfp05BSlx?2 zF&m0{40yc%odkXAIXzDe%}N05Wiin`1HIM_{&&E{zK6f((Ef*?=hFU%zvq+%bfewC z;NQY%4G8zG`*)Mn*}!5QLIKsUwecvmp@cI0-4p5S9m|rGe+<-9(`r1$KiGfm*wk_S zcB&!eN@;v*!TfT|-8`G~S)(YUYxdo@I|Yx!}%_S{k7{$3izF=X6W~8y7)q}l@FF=)f~q&tw*8cSbl2I9j^Q9 zCE&<#=IW-0wF);RyHt>tMn&x28lsKgkSivi$7P1_Kq~0g}Zx!?^#MWr%;lO7F z^eRc}FZwDo9`#)1{*Ox=Bm5VAZ%yz^+m`6%qyCR=@+!cgZEI-pS1ROrql`G{$gVA7 z_^Bj?BaQEA|92=g!OtN(uh(kelblN2k9(##IO0ODvf#(64RLmV^e=;J?7-jAQOC98 z_DB~Cq*RFViu$Vs^_q(Mg9Y{f))x!v)fMp!O4eeYms#@1hui&NUA#ZG^t`sQqtU** zFv7UcQ6aFPgI66Qy_>MNwL+i)3yoyNS8QMZ;jq7HC{FluIBC!Jr35eem#;!mfjfJS`V+j{ulVMZZ_{r%;5A+|V-e0NZV*#w z+-mjLb#^KuSQ@`pvB^J!t*VoZ_{*6t$2KaIm!cqVIj}%aSWY(Mz(6FR;*d}h;A!92WV(W^K%kkf z*47ct61}epleKKL*e4bnY!(V!Nb2R**?+BrD^v>poG40oO72=(-V}U+?xb|!{T~TTkZMX`KG4;4=nZY~@Ybc@NCdf^XSpxk z$uu4EXr{1!K_t05ETnrGj%A&uaWfK&2k6=Z>5%eNBKy0DqZ`#x>AVXty^0yrnV#Sz z2ha$T4D%Zm#==@#pJ&~+z(>&0-w!OsA!GS;$m)M$i3oBfG_|;Lu8Y-F;ix 
zjP5+?I;=onR2jx+49>81+3IorBmXL4Tu@;xF!Jiw$_rQhwQpB2taMn?yDJ+TfI3)7kLJH znmU)T0_}VW)XdYaX4WD~UL#tNy#5Sfmm_XBWTLe~1~4^LL{tfc5Hc)=@WQJZy;CtIV7(x6C3JbPDD> zEs@qdrdCEHFB7BU7r2Zwx=+T}Fc0-YejRXD5sg0W62?jJ?nU)7j7o3ZR6Sm7KYk7< z^_c%8N$a~9mNvvtx{&X9K&@u0zgBs&gXX!)bTx!5RBq+Db`6Noqux8TWyPooXOFYa zgSR`{Yprikw#1)KHWP?1xu9mlsKFk-M6e-jUM5H*$aj)n$lB0s4P9~-xA5?_t&DKT z>_ya%;(HAP=N|yoaMm5?!xwFo-vg!Qh$`qsL*eC18S8!dvI%R+RTVlK9RI9P0G)$yc35~d)V2OwtMNX-AqRU&E6Lz z@|~DHr~x#=G1tpc-jS?NxA!xq{p(TL)8Pp#(ZXKga+LQ5E2&dP9&%@P+fyE&9^5%O z`G{$(%+WHJ6r|18=tM8#UBj&g!4@li>mhB~aMdwLnTR$U`?+&G0+T&0$+c{J_YW-y z{VTw<)8P*p&s}mlvD%gH(3)#An;l?Um}s(>D96v2MtaiL*g1}EUJ(qrC=;cskEB%9 zUDYym&HZ?`VXLivUancr2~L^3NJfa(QFqp8G4?a^n z>Bf>&kWq!5a(1s&e|1^$|I;u3keAj#0N}X2=Is$EL${+gdL~8%IyBkXb#;o_y_Rtf zFn#)y8kOSpnEi|Q>EEtBXv1xErNG8LK67Uu=tP9Q8SJaiIB{bzrO39~uD0x|NYR$A zBwuDhzcNh{5ixwBS9kR*yi5;uB}ChTRKX)0y5eOd_bh8vI{gG!m0(7ntR&P3ZczQm zrmdXV>g3JUkZ2X(&1|VDRSRyh7;75gozBfh=NWXWxZ#u}M1VnHkgkScR%%)Az|tCR zB=CRMUwO=qH=rSWeQ41HRwWN~mQJ;Mx{nbKI7CW6cwv%|(`IS<4;0Hz$jv@WsD%_m zcQ+%_-yU{;YLy=78Ur(gz}u6ZUOf+OOL5Ne;md& zn7rjRUq*7CWk?a>zfIN=3Vv%D=0DR`&%yF@27cVL)Qu-c?}?W9JHjMRT~23`u(Oe0v5}D}`-Cz;1fORwfz_^DTd8-?7aJYQfK-^ayIIGaph= z@?$YWux4L^&OVqaG&vDQJ1ng<#(b61Tmg$vdGwd%i^?4_jAz)U= z0s~Y%b@V4B*Nf#$FwK)|nNr#KhK(z!LR7GS6dRag)zIzVp^#~8ug+MCp_z6kjUaN5 zbmk45Sp}ln>vbycsB7-e&T{CV7?$ser`)LG5DcK~bma z5kmyy_^^)<293`QEy%WOK?Rdhl{(0)W3Fp;Ou>K zqjM%Up3Aw}p-6?imSPob8|9H&cnO3EB$Dwg&}W4|yx<@Dg;4i#@_5q%+rAuI8AmJg zIEf&T!#w9uQ~|X}0WvmEVsY9=dvLu^KNH1%hEP2+()m&ChoL)j*|QT$lDP_;3SvblRt2BooESIXJLQZxf7 z^8xL7xbugrrgz7c1IOS$&EQ`fAo&QFVo$q_($8f+&a4WWuSKa0Hpr6U)wMKy8I+Y? 
zJRN**RR)XWsqoMy!fn=2I2mq?z+$_qv*gqW)=>}W+d?87E-t04_+jgiVY2Cvio8x1 z#}u!GTfP{&-Lt6#$dcnM$0*m8N%|IN&9t)5=K2}JF_Bgad2Jq+#X<+Wo_i$)%SEd;aP zy{pj~A2-oQ(8p2Lx>HoL=gUGbiAwo}i1n2tpmcHx(QKy#7mLF)LhR^$U|4iEo}7!O z5J-oLSu;~fm-Ik8G}-CO-As;wG8yHfQwMSHKnG!JFauO@$;TwS<9^}_X5pu-c!y&e zO7a1fy!EpLJ(G>=>O_%LLLXE-4ci0{i$;;Mln-ci$e|xBG zPqvbx35f@5yn>P1MS@P+6zt?i|E?Z0k{su{w3ACY-4~gsX(K=oyDuQ4M<9tt)qN;@ z@#NAf*99Wgm-st(@JLRg(|SaJ2q>Q8VAc0)N~y_P$Pp=$vW!<6fU(0bz@5dGQ*Ky$ zlm={kAwM2DnCgYCj-jig zV?2KQEqr{(6QdhTSoi`(KD)xvu5b?>vl&hH@A3iHf!mg&(5kE{K3927sqk_~t{ZVDaVOsSMuSxRgkLx%}fy80io@}CcfYbuHcfbp}bVJ z!GVscBCErJo~a@myY0|pp>ZTE@_iIa(8_Aoe%DD~s3Nt3Mu-kts3PNJLz!quk*`XS zA4m?}OnPQM?zEu_PEt%pqfyH*x@PH|V0ETWZt}iJs=VNAuc*px6(Z}OP@%E-Y|<<* zKU7?JDOV~kS1K&JRw~t08m%t6Rtc??*+tH*0-y*+olbs4ty8&mqzFSS&(p+B@o%m0L1fz|#Tgq}bE_*(${@a7n6naAqV;FZO$dnaXzdpN^O zxMK^#T>w9!6@RRrXSQuF@`jn)p>&1?loo?hNes&-zEXV*6_0oLZ5yqV_DOW=qO@3@ za|Cm9v`uSvbaS@%%)O10&?cH~mgGHDjHtCvo^%gKi}$Kg&!yW9#H|*R7i^ck;E845 z3T{&6>4eLyb(I;0Uhb(U0E(Bx?J%0wq#H+#r3HdYZTHG$SE$Msm|^GSGeAf$jswD^ z#>4tqsip>YQzz9(C-pwr$}3gx?BP+=w}bGbo=qUVOL$hShbubtv<0UX=RVW1EA=qi zzv|-&UGy&5iO`)h-8gMP=>z`80*Np)ym?mKUGvuRNDuoY1EBspyAX_)J(mj>b(wLK z^rLkyG zebfoKA0gAwMQzzBc<`vTd4(|S2IlciyzM4?LaEV8{|T+ZOYC^qL(74OYP>~SAoJs7 z&?Ug&N;qMY^Q#c9Fw?rQvTkyS&@C|aoWwt89mj`9tTuTQ*|G-7j^ ztxgrfsm=HBN2OKnJ5h3~bowkjf?K`11rQ$QSs8>}>DaSP$>$XzwU!69$rSH`QW@W} zZvN+id=2jM4n_kZ(N^LdanuVRFhkH9TLFtwhd`>*`z$w&npA#$mLqOoC_U6yZg0XN|kp^|SI#``? z{^!J&%r97}EIgO@GtlKlBf(6F-u}uy-NwzqfBXXZsQL@AZeMq;qFL}JAcVMb*bTww ziZnXz0~Pd2kcv$&?rvZU{X#qVAdLG84#W|NaEU*WhC5yD-*N0-llqjbdbdXEX56^! 
zlFXcM6C_yWmqwl;_C|E5p0DcrLMGtFnFEE(R&OH8@=pXlc!@{Fr4dp24Z($jqtK8B z6Ak3sCzpfaqMZs2fW%t)GNd(Z`Zq$MK$6NPG_|qt(NnK5O$>s*rV~Cn?B^MeEQ^p4 z?V;oAD8o$gU!4{(->D|=&~1cZ@2POM@VoH^Kw=|RzV=?-2RQTm(HOlRZP}C?*^oO> z+Q+;Vz1v3Y4L0$>vp#rrD(!#vhaHcWN{xZei${w(39stP*Hit)3K@7VVl#aia0_y> zk920EO-jI1V$E&TY|;$+w6%FHROcVaca^velK71uSoGLXGuXx+leu6J04VZ9{*@(+ zb9ju?n%iCQ9c2{!-i#CeaLt1|mph5uD$lyd%izv_gs+npK%n0h=!Vw+oB4=?G<%{Q zx}}XkaSYPO%!r7ckl=agg^1@cQRvFHfGY6ka{3wy7D*~2U7D{wWk>NQ|Rq5m%K6ag*larg7OV%qQE3BtqVvnPP zKG)mOhrsZTFpV-87iS)XK5dS?znDs*8UYZbR-+Cqnq<&3lsA*i1aIr|5 z%6`KXUKgKbVas^#M+8X=H+<`gt^64gbYIZGA>4&RSLE`K=>m4`r7!Lte$XQ(-+}|{ zADjcYSdB;xLlxT6Fzm$}NUZ$cJ`7K+W_uOMf&9DjD>4C#FAuQ<$v8CWP6N^66i#U5<~qU!h-5Z0p2D^8Hou*WLNq%`1YL*st? zPS}*EHH?zuOri=>R2O7!$GPmXC$g^poF>s}CkxU^;zJzdeaUHPi z=HYR5{*_rBgmMF7Erv9(^(S7I0 zl!|6=bM!G*y|S4tWKk%;F$|h<`2ls{*OsbvkaRS0$kE1n;H) zc@7}&qj(mDo?E%m)U(%1JYOVt+`XBS+r&bVRa#Mm(L1`XZC77fJVz&4+oV%BJh3aW zgErX-ecWuT-V0##yqM`w=rtu`7oGf`=ua%zI32&`;yoByll#~lTIH*A65yaOS<+OU@IX1FWs>WT89Vw zV32Rp*F@9UaXiR2wGS6YG#hvWJbv$=vF^Cs51NJAz@6JN67E~=84_+-yhIlG@4A1;Qv+Kz7^z-fb=SZydZn9%uS-q-( zK^^b&0D6NM4TA<)qMox3K)m~pfhxwPZagXeVdfBXobvzzz-U!K=g~fLkVj)-ZwFYP z;^qPuqc}a2=A2xaOne^QqXL_StKei>lbq0Y1u)mk`b~Nkf*BB*x38?tru{6;XIgos z4aU_XI{r6#m=Y=?`gUWy*ICJt`}G#Z^s2?oKWX^Ew$f6kcn5tKi8i9XF~U3ySSZMq zodux08#uQvu}_mvK%6TL-f4K~&@gDd0T@OvZDTYMh2fY372xVbGk`H_$K}#7Z$KR_ z328M05aXAXYy9O@K+&OGthlt;bB}dHW~9QrMv9C^-{dM*tp5uIWls8b1xC=7EcE-A z)SFx%v|$w_-VLB#$rDu5-B+*T_&ceW_4*se+g1xJykg+Q%WH-g8%TH}{u;(tb&F;j|kr1FaER`xDS;#!%Rzt(?)?jex7T z`BSP@;MQ7>gIRG~Z7#|HXAk@Kry1?}`76Om;0= zcti6cT$OB@WSnzX$3K1M&9VI$oHN>&*^dxsU&C_tWzjApKhsESZ0&%+wK&sX-RD(% z9lDo$-Wsjzs4vSSZHh?czao|J$;~cBA3k06$1rNV`qeC&6@f2H6N1O zEt+xjR3y7MC7M6yeig-?wkX}BJ^&IJowdcocMC+~OCFyqGW0WP1GHgk@g)e{iv(*_gx`(Ym-WGY}((|Kq$< z9UCM{BfXd>O&H5${L{omyz9w^dBgFagq^D5YkU`V1puYG*k~~ohprSxDAqc|u&By- zZ~13~lpJ{+nVUMl$5>Y|D!yXsete!uCY>M(_T$@F_D#rfN8k=U&EU)dsw7JdLcZQ^ z4c+D`p!dUAswi;MPtH2p*x^t~Q@K#KEEgucS=G_|=Z+OuK&yzdTxzZs+ue^2c%Sj) 
zp4IYPA?_XQ84yPO0W17aRf{pB{4h7#$#H@#I^G#^Mi!PE1z~l%9$n0FYu<}L(zOXT#${$cr)=9FtT=pw{Js&-9NLj} zqd$lAcjxCAXJ?*{v*WMWt8eY{P11v;2`M7f3pthHi9d0Pj9rs`47-C$-Kx)C_~vUB zt_voCiJ!I!|E;w^6S5L(KTzicqnhX2JkTu{d0UKqjgf%)990r~EiQ8e0+U=z^OmcZ zatj`E2SwZXEmUG@I~4;a3~WAO6)xOzw_ga+J`0?!2_IFp_iM!1q9{Nf&nPEJr6+Uv zn)Ckc_;JfR&G#>H7v4U-$a}+TaKmbQ!z${sGtF}M{lyL>oA2fO(xZ74w{ytj^nMn&i!E(K*;v}IpLG=`0CK$)D)Uc50V zBA>%ujeS4cO#4W0hyUWh5-sL8$wJv`I&$Bma;zb@SbcV3`E^%@_36;zxT8KUi@QQv z*H|#aqlsEj1C922vTac|=smGRC(Oc3P@}TljoX$}oFjoY$I*azg_RSnMxk)5=6ge- z(7Hm+m3cwK$4h{`1bJY&Ta?7owRZU?VeMw`)xqUQP)Co}peF(L;tMo;wt zeKZIrOVQ~WcKBkq3+6e;IE8%oFP+b)hFkmd;Y;uNPbEO{7*s46RP5b*G{}3j4VB{X zQ#Qh)Cth`D!Imt1$Nr&Rb3L?52z@j-;xOy-P4jy1pl_N42c%F~I-$Spr0@i?y30!4 z4&Je5pMp$hGCtO~FBK12GR7{3#HvUNgHev}oG779VeLQco7)m~RM*Gb)%&O;W;=EY zuEFqGP^al|H_gqCb8n6-A<`Bk08jHur>jT<*W6r zJimmoSlgN=XEXif%p^Qu@v)}Fw+3we*6LJew05T-YQQo-9UoxD*pnU($?$+IH-$Ds zabCsB6`(zid79~HvJyTqlnH5 zcZeN(b-M_HOEdVUwD%bNC-eYrinM?&xZl;!%QB0So|X+-+a6)0(E19;?fZw>bD54{ z(Tem{LeAbJT(rJLz(N>V5$%? z3lT}kKY-tN9<{;=1iJ%ih1mlSv@5Se(x!c@x%R`p*aEmvLEe|n1MzR;xSVEt1wl<7 z#qg?N0TPfs(yNdx;#lr#-yd_douwk@Kwu^#=N)C(-x=ikwv zXKO{6D-Ts+gZXKm{uZ0z6|`2iaj>i-UZ>%9nwu@>Ueon2d-_{Eq%6?Oz^O+SKAo`7 zYc&ek!Sd7DPZvbCG(IazoH33c=3duJ{pjPz3{cVwHTaYKlqtPy1M#w04Oy(->giM; zd184TpF9A9#<7y^P|}Q+kO`$*B=80d*Or79D@lXYpD1h9<-h?O8+k+}7!(q*=g5~@ zsr9pv+4--b3q{PR3IbQ9bM^~+>TH6LKx=%oa`NOAAze$X?0ff_9JhUqg#F2-^2Qrj z5Q%c?XRGtf#)8{y0RnxG&Oe!mSIRPga};w5&>u#CblK2TsJ{cW3r7Qf2Svz-)~3s~ z!)h!0_5YeldeTZ&=AJae*>6K`T;8|xP0}4{%J~(}4erGI_KGx}@G4;&2g;H|60tg+ zrv-F>0$L)64p^i3J1j+)$U)XmE5Kh};*U_1BX-$HRl>_?|0QSr8wd5Iq&`?Ojr2oO zw#hT(-J?SHAvEylom{of;~j@bbJAG>^lwaSbguTvBIrA>cLE>rwiw#PXl071%Fc9H z$#nN_G-xr!H97osZ%$B*@e z?DB*u^R~)Oy4nNQ+Nn!}_Pj#h(Txp}mfmN)sn^(Q$$@0+I?UVS9Q%tPDc+|w?fSA! 
zh+#wXSF3bq+qV&V#zIp2=-LzPGv~R&cry9_``46XvI5`8;gUgtf}9%I`+n*dpFc`I z>N}sDHp4;Bqq$``u%R*FZ*|K{faEBEB2vGs{_=c$&zEN+uD&~%8(|d{JqMFOpUu7b{MnSXpg{_ zyO#fEXr!P{N-TOd1zAQPCvXFRAdQs$I9^acQiZ7ceabXJ`TrX+g)8-K(0?=;u}%$R z#cwQ*SN@Nln?dR?xgI4Pj!{eS0IO>k9?eo{TluML)gH>AhmnP(LK%g4g}t6jmHZJ) zZh~2{r59D+zla_pC4PLa#Js*hs*eB{GP-QVN`^Kc3I{*Q@wio1r765dKNr#z^hsZm zMDjQ&=6bITJR!Ca)$bl8{7ogbEoDIa$g9IH3C)rByNHXyB)OV^%m%uC^b<|5p%y!^ zd(jF>G7CNw9YafSRZKKdtP7aZn6qNF&nHA>FO{jDopr|dum?#ZH6lQe1> zxueGMm~yJsYo<;Yvh2|X^}^b?sH+rku_*wODga$J6(%0k@Sc#fC3g$Oav})6Bq3dOM%`Jf{2H?6Jdru%|G%R zfwkx(@*DjyafZ&x$1LamfTe^v93KOnGb>hI!5H#kK~I6aL83J%2PC0gr^;h z#oxja(Van=BmoB};^mRn`mv&q!4LdEjScNV3$s9?Wvm-_2n^wa*bW0Tqo_v_BP@&` zJ1ACl3f{fZS+Dv=`E@L6VWwd<7PT6)-J)|ut!9tHyTZGst4vy-HRN_%X|u66S23rW zR~|Ar>Vih-#s`H!FA zYjM)GcBhkCtf2kQGPnVu1fqA5-vh*}7f}WeJM)5&;EGVf5;g|$MfM5t(j2w`vgohV z2<#M$?i~XDGszi(pg549WNv#Th)lUDsqv<)srwK=MLeH)EL8h{hVUB46TrTeG9wD> zBe6^&B1M=*6<;-#sw+Z@ToRwBE|n0*+kAYI0rCMJ@ac~yz4QeoLZnzsyGC}G% zx(_Q-#(_srl-3E+-ytfuRDCQp1*y_=*_y%FkAdvp6$H8ksyz86yZtgO7<=K_S^hr& zVnCh0{O@j{5bQ?&gO06;D1Suxqw=Rk6anSW2sDTd1%mR&X>c5|dfaR_bA2$o%*{i%!t+n&cHfsQD6}janb8SeQbf+ zO9n_zd4#B4Zt4-};>rajCpt}@`pRV(nI9u<7|ImJ)rKD-ha($6BzY|Yybb<%j7(3> zOf7_L;4xdBhZCXB#X~vZUPQejzG*gQH?XXbP5V0(%8=*DpAitUPERe|3OT}A^oF7B z5ZX=ScWe6rZ{*WA1X2p5sUy@adMHh6RvO&frC%N)k3(9J5w$tkpqZfr+F|FNmS~~C z6$dG_$@IQHXx3|BZ(mZsU@uNs4lQ!zF}2?OF}iqDYW@s2e?}Ii@>`fZzLF0-vpctj z=BPKZ>)eW6o<7SdUO6D;l;fQ8yX_D@?Ua4`iVSWzr zbBgDYb}prz3r~U${;8vI%~2>him{^@If{ds`7nOA{8_<)<&h=Zk}a5#`q{AKfa0ksG8>|=Bq5@L7K{?=$|BqH1)c^@$DjUY3e{xX35*qnIB>{OE=p zoX(co%q=h6zl{qk_W?2=Jl^z=UgYjxS@`-kcGn_z?Gqtb zape14T+tD%I*O}WUhHzX;4>hkuV{Mr^iMeuN15sDSC!7*wB9m+27OY?C~hGgU{d0z zFh7O(Df-p1Y|T~np!d6hZwFTIJV`wcDr^^Y!+@cld{o|;tVJ)`-)Optw`CdO796`Qu zDQ^PjO(6OU=9jG0+#h~0yO!So*Ig|;gf5Mt@hK_qD$cu#@~*x%aPuyWo99VGr)>Bqe&^PrS@7H6J)anZ^?dGwQ)^5m7-x>yrR)wf!h683*d>)LgpI!>yNzi=!` zs^>^L#(rN_{e*jx-UzNI{2Xwd%6HT2u2rK)yv>Ui8JETkX0B%h5Y5-hicx*F|0So3=o=RU@wWqleUJ5LAY`oi 
zi;TbO@aG!Fe+yGDi{Z;Ui|=I&%s^XR?{t`7<8XM+Xyu%Sa%w+*X#Xu~li#cD5=hdu zWjRylSm>82CpdH-q?5LQezhBe`A70|%<_d)F-eS%iGGtQ`c*%q=z3N1!ZGHYjOaHx zkg~<|cSSw_G%>{l{oWH9|Iw!CH(OUCg8{h>+TPXii!>N%AVo}>uinab>_|;ImR6_8 zp)gq6haLu--(_#oGCRd&lY8rJ|GqfI6ca>SWHI?iN*Yxq@$i4kcs9Prvfs6MFp|v{ z0p|fo895H{UGph_Cm7vbkX!&IBI^*Zmt-vNWo)=`walQ@4bou#KG+RFC;!K=sT?o1 zsHLmpd{g%+Ga<@il`tCxDMjDPe-REteSr7F92J!2Py@AS%r^_{aC96fEpQ!Truzq= zG9}6mV*sJF@ChnJ=&($Lv@JJ7LjEC2FVx-0?hNl3J@dz7#U zoPt@ZAgQ(}n8hYz7OOBDN>Q1Ee-EcLT@q z^JYl5nD3yGwqEd?@P+4kzR;xbh1y5elA{qj8j+(>(ax%vVT5~@k-fa*%iLe(-fcF( zg%QQxBDT*(G%zgjmoR?`@s~F2>G$f1shd)_Tz$WunvZ0Dbq}s=rgOpc9ZORP^sRBJ z)xpxL?+$%?=+SPe^aL(F@#qs=+JtyF`E8U|K??RX1|y>aWVUsvrsHW%&st57RMUrR zh;d}O#5I8xdlXVqfXud9haqR&It5nlxb?a`xhYSmH||zCA;p6w_2@*ORMNLC?e4w@ zSq}>(XDxQtBEI&yedp5nZ!SspG7P@O<5Oyb1$D%V>@q~NZ;~yf<>L?bJUm32oo~c^ zBjOvM?U3cOJC5NU$B^TgLT8*Q4K#@)GtZpv2i6B?R&P8K@QF?|aTQN|g3jNj?v}my z{3s&7o42V)@@Y8hN$WhcNSievPw0TUHfxVO5#&rdxg{5AkLv<|^xJ_jn;bm`A`K0X$Fh*D!w#@z<#7ePqpbWL5a%)Zb5`#`CCq0C~rx z8Ufb`l4~5h##Q6{ncn!er4E}K-&YmmyBB>-?fk4MoHd2ArWoTJo#-|QqjP86pLfQ0?n?S|9!FB0Z47VE)HddAZ)O_{afU78 zH`yZbt>1PMOswfd-CG(fQ#1IQ3M8@q>xiw*$nZ9?wHa5iG2i!?azauRTU)hS!Zy+t z9KnKbj6kwzr823MS+`EkVT~bD(+jE$R}`%9D_kH&NDkPqs12JE8UTxO-O zlaLaA8$T}E12$cal0+Nx9v;1RJ9V|wZDpuwvVJY8buzIkxO@GxX)$!>WSe=bU<=p; z`(F{;C!#+lFBEIr3Jy{xMN9@daK+He;OGqzb)0V})>t$PA-cyKy&Z1w_7&3(*ZX*j zWrwSF_Y&uCW|uYpR%Fc)_I@DC2leMidczk1hv?W!Zx9oSRW&O*%#Wp6^Q4qlNY{CU zb412g`Vd?7-Y@9=@ppk#ffrLL`$~->0ptzri?K=rY2>a;4Wx-_TWVFAY^6nMRrSuI zWNU|*_TJmBN-G<)?d~reVM=l$Jc)CeE!DI0N9jRfDPOd5d4_UouYQ>MTQdK9b=e@7 zX8iTVBs@$xA#33{b1vyyAUwEbJJS9BpvrG5v0eM)`o{XX5_T~pNh^`V{3SZ8?OP>DxunPB z1v118Dka=>J5@@kr$^d$`CFhzZ}R3-AZD0w9%g8;_D{@+;5^%x;T10ar^;}e1ffWn zRf3jy&h(argC2~GP5b7lehsuuWdMR`2K6B{=O@d+Th#r`O)%@{%QX#OlTHfkD#^6GynL9_nVB2Y3sV%iFoK-< z|2s-m!k_@3Aea%VA0i3Whgi*j0D@6uq3W&!^YZUe@q?!CPJes)cV`}+Q8Q(AS8mI> zrk4fk{YIg+#A>IZk~AqRVVyiu#JGp$;5S^hnm{wC+aIjOi77uTwpkr8>U%9-TQ zGXX1vJhRAOMUlHg{|3yGoN#0ux$@Q!_gRR$rIYz3H%$9xMg`xA#iHo7l}r2w)HPqO 
z>xFJK=tUR2sCD$Q?@7gz-T!>$@fGA7{R_DlFP1RvuUE;=_-3gT>Xyt$cPjEZd4uqS z!-!HTDJ_7jAA^$GNUaq@S|$@xd5cYbnC;e;i-l0_^cW`iw2)F!UH{Y*QFnAA3U|1f zs7;2P8vPtq*k~voo}7O8@+D(ZpM@onD3q?Vo8Gz>WswXb9uoXU>APB(h zDBAPsH=YN1(w-W;rv{PV)D1NGDJiz`ksCQmg6TOBu;rs*o*Tqj1vFXm1YNnmUi{_a zm*TI)mB5;-8YEN&!HOd&yZqU}7!u}QfY|FaCBIx71ZO;J?FY@*AU6P+Fd;<_dgA`z zSf%3 z-2K(W{fQ;}M&^DR_b9l(2Jw40u&rRDWsN zp^4Pw1u9aLXM_8z(UEq%{~TzFJe-`OtdD}OeNSEGYp!z1br`!2qhtNZ)ek}=vUYeD zeY!|$eUodp(#aWl(r=}hzTYaB3zjzh*n-*yB+nrB3`(Vg+ftiVu2z44QYvV{1uZDM z<@Ls15ZF;Mo$ZapbQ`Ynr><(!btG2}cGaL0KIHO+m30#V`l*11Pi?hckSG1}WD-v5 z3OD&~rE|MinjhF#d-0J|XxN8`C(&vDA*CY@Zj(jv`qtX-}P$UXRo3LAcpu%JnA{ zQhpwFUxLt^S>rfs9A%BaHX!u@rQqo&*{J8Dl+};3`cYPYP}APcthw8P?zdRwZzE_( zz~{%;r*5vDzbWU3ssHDs0pCi6r^oo`6pY{SXjEm;->aRqdK5Z-UIav1v z%o(ikX8A(W=J7cw&r-d&=!k4Q>;7zk8G0CnXT=8+w%8)Bs4bEV4&F?7*4yqk1zgFQ z^jwvW3k-c1>{x(> z!^}JrIdY+zslQ!F71D(CiDYs`Cl-#fM>SlVzLE0Wee&E zHr?H8Uua|Mty6iJvITp3KB93BVZ6JjRNQYYuGbCBMHD5kP z3YKays2{>GOuhy>7$#>`0}T5@mOnVRH-POuu(Fts2oORNQouk6??6IA9>&;Cco;*j4Na-(%zx8A_7B>P)a-0mOQnv4x{1b` zX(eXW)zUUIMcr0&u5}nJG)U1(l~%J_iLBC5cmLY^o$JTF_BD_++0F>`UEh1pJ&$|r z@BF^+d=IYqCT_mD3s?YLtf=!{if~+;K7|7=%_#1|hWCu(o^beyaOhW(B5-(FoAZI} z{1qe4u3lE}@H2M%7cMTd9%u5yPtRyvJGP$jY1uc)o5R*k+uiSAgTt&4ybR&cr3hMf z^unQEF+lw7=s`G~0m@gg!@sqLciz1J=8Dyy1tu=~^MUfS&(&W@Wi`tgo3XJO8JeHe zHu?<97azREF;)Eklgip%DnZ{y3ltejcXEsbbR|Pfu*rarpx{e*onV>=e{MN)fK06&JLkqpiD1P{(dERofUD z!Vc(_SDSnue5#Y=3Y<#Ce{&`iFL%~SnG)AS7WE6!K-L=oNKV*1{;@U$659tUyqHN z`}`$+ps?;xki=`ZkmU{@n%HzM`iB;U>p?|!i=yL4P-Ooo_7Ryw1y>ZxKPXgJ)S5pe z(LA+*Vi!#D@u~_&PkMCug ze1Hd|ASHKF&uj9LBodWVLNjHtyS7sWLk`QV(+;Ovm*aJdd!Fz9G(s!DQW`hi;*00 zAzTka^VfLk<|RV&OCf09y57U-2C;4s=>}t=IV5X58<})MAW`GlXH@KsC=yK27{7o3 z#Ope1FP>C>by9Wll;*1@ny2!H%4X&NKM)T>(u1XAR4ysSZsieR>sEVdyDGTI|A%}T zwiF<_+?@rAJtBX{ON#(Ug6Ok)ftIwn;1Q)gj1ebPl6NXH3fL2bipudIR3AC>sty1` zMWTkNo}gm(y8s{*hUy3+nkE@Y!~T*lIlOoy7zi&| z7mxB<`HogXmW^PhN^mE4g~t@>6*zYbqsZ?v=NG$4E{@x?^RAfCbTK26;*>-2lQ0ut zLQ+F&Ewl3;{sr+b(RGJ~V44Crfh~IhmkcPxz8K;~8u`v)l=JjT^bFN(^dhT0c+n 
z8ec%ix;K06$l>IAXK?Qfnssvq4>ov^!4qH%?{&S~g^X1`&6)v@S?*cx`Bs`cnePGQPUgE-)CzuxW<_v7m%!c6EW~1i11M7!*WhCI zC|t`X!{X^*V5Bf$^}lIP@6aoMr&o1kYkqf>?uZH$7G9+Tf8ndN)CAP4@Twk0ao;HC zkobn6(iKE(2&$5-w+RPW4`oe4;|2b*CwLR~F=owmJ+e<$fqCBn$Db8< z{AxK>Nt6oaMe5Z+0B;!;OauXlGAV|Gj~OH-#9_xotA1Dolj5T7+9i!wLsT&PJ{Ly? z6L~K66{%p-ymG0cWtDhdjXmXIdQ9H6=SL2@#p>w5z9ie1mrXt>K{CR*%I-FO{c z9pf6TxWUS0jpMBGco9hBiTl$bDgH7VA-OS_Da=eEW-40TzZELjvoQgd2Fy*&+(gVx zk+|>jm-K*GZ&ske%Xshxy6M1!w>PKm`3LU_*Ms8zPiXVY6!!;1FrsDsETF`?=86{_XY0?8(Sy)E@ zqHv|j*W^~bl(&}rVy@N4E^senT~9sKtg_WT*|wo`LM#_j7SJ zq*Kcvo$PrrCGV-wn~IR9K%P;tH=+n(@_Q8^?EP2fvi4HtZ%b9}m73q4pm{3K-Y>i| z_HL*45+3c;l0wYD-0u^X7(P#;#0prkND>qqG9&^YC=De)bDl9-BsCn8sX@O_4b74o z4#(7xX;<1+PVG$Ul9Hwr6lBPesU=5Ti#;LutWKJLDE2wxe;9rrE^Q$tz4AIGu&*CH zcN!TMt9T*inHXW7Ekix|tzCU`!pAVNfaWET6t~swwA^vKt#gws#2)Sl@y*z$rF=6z zKCXxLiG_uVEe8Ub%USR#V|#$WPX6}cId;}FYnydeK?ka)9qhP+oprPS0&EjJCCXF+ z+iVMCf4Jp_FK`&Ov&|rjWQpC-XDwtvpckzI{`t3re|~!a{uu+=j}Q{jXTROSGY##!Z$Cj40qyHuk7?2f5w)#JO$nVPYw`GNX@n&(wGyYiD{ ze|FO@rG^64KE`*CGrfjQuZaq%{n-%vN`E$BxPYYp0aN8l&g!tQku#mern8ZUd>ViD zDPWa+tre?gUnyrggH2~1sGn5UEb}b63^8TjueJw2)`b7#Me}K0?+``v$p%1tB=Q~z z0Wf^z85MgYiUdJ$`~q(HV*Dn%w?rJA)0Fvj-;N^EGeXZ(DLdodqQ;l*&7OoUbCd)xtYSN zB00apF!iA(Mr|jx%Zh9nB}Q8?9oX*b@E%r1G9pAgxGQgS1)jJ(r`^-GO5S_VogEi; zMr9KtZ!mEw38LdmJb9DsT5r+VL95-J48WS&ch8 zF;QM#!t7-HmCerS1CBU1?uZXb=T}Be8a4m?tY?Z;nj+i0ASU>I+!57EhA)gxmSS+xg+!VNJAjTbk@*!wZ3Y>g)pFq>Xjh-P;LPw{3D# zaJPfJmD~DYyM67Q{li@?!|fJmZm~k#X!xFdV~h3i3h%AH2Ee$@1lzyVJ~YtZHxz9C zgt*4gE#bw>ccCmYDf=`l!OrBVIM`XgH+J4mp7%^T-Bm7rp4oMHpFf9N#H9{qlm&ly z_8+K_;yj`=kLVx#ln|*2HW!H6yevfosG-vB6yZxEME(7YT!9uXHsPxk(V3e=7<@b3 zJ!zYCzG0cO+NP~{9Bw!0>7sq&*wnmUVH_LAkzqWLSGbjT&YyQ~ z&Hk^G|2(;oibigsu?enu5;sqBc~dxVYWYGSC-41p#OXnJZN}gDqA&un8O49tm4(fDC@*i>Ztx$puE~=#O1GTm3R8fJ2y03`2a2- z*ebu`FTa9DM!E9qxcvHq^gxbj#e#C`o>GSF(>urNe8V5#Ky9Pw#vSh11U@$LpcDL; z8o9hWoL2|_OE%)abOBY7;pC6w{Be{&9w@2UDrxtZw6EL0ocw$e4ctVQ+h}5r>$rvP-4pp57^MTw^{xiaPloO$AP$Ur)oQ`}xN!25J6zo~~#l4brA*I@luF&nTM0 zMN_C~Do}A^tD?(a(X~lvX^tfExHJr;&38 
z+gxbQ!3@=yyE{XN zek2j{6v#8_wOs}O zeT45v(6an^V>T}U{V4ku^H|4ietnz(O}>CB@+V!lXCu1&vUmj`66M_NtTSA+ELB(p zkI|tOm8j^W*4q^-q*Wrj%tX=8+;Mm;P^%DdUucFcrNg?Y?Tk6ru`oG1@3w@1z;?R$ z62HE0>%tdc4V~ndNU6#S_5~J=qO~zNvS53p13!Z$vW94`b`vQb1GZ*`yHt8oLm)$s zGm0T?WIZ7P@Gst_k}~Rdq!w8{WNm6kh30iTXXwU;Ze-}@+3Ukph;t5mrpx_=r6Hy$ zz!>g#Z!vX#hF>H&rU^4mh-nHG)f0oSf*QdJtPak0^`Vvtc?#qiCAk)t5O%Rwf$t2I zE=R1I>Irv>R=-uzPG_+~W}$HevEA=hR{kLY|K(S48n#_IOs~O<>>hCLF|<(5?*1yUpU>*j0C;41euPafC0v zZdnb8M2ny3Rg#Ehgi33R;dTe9Pjm44#In02yJEDdRgQc)dxEUDo93lUeCodKG`GXb z+9pE&Lm=0=XIYPBmgNCEk+1%jKE7BmK0oOMi`x7ib5}?H?7U}g-V<@5A{;MG;BzY! zB~E<;L7UiaAn=7{|4cy=6pzE{+)j9%o%A?ZCl$jNgMLBVsY2gEJT2MkbXvx(Zbw7i zcA9h2<=~msoRx)~G%N-_YXadRneXRq3*2^Zr;yJ=Z@1MG4l6$==6vle(} zF-O80r8nOPzW7f9U(`}*hloUQD9J!bApI!tjH*C>(TAzaso>jk{E?AMZ^Y?5_|v8q z?&MaX6X(}+(ZDFWa~I{ZTrP`q+2!P&+{)EaF1HcqHZCUzOec`3>625-X#r#9ma)cf ztnrm|#&g(sZaF28nGLx)>~tV2_q{jYee<2A`%9~|A6Tve!~s*auh6IGOsBBv)EbRV zO+0ir82?fGbM0pFsWtVwk!$Qnm&UlpF|OE(i$y{MbL73AcY8KXCw<-PRb1Tw8nSYA zR?akzP2(J6!;B3vwx~_mt04r~wtgL5y23Fdm>EILNFb|V*A#j!5%LtsGwHS6B8oBW z7Vlp!9wAJ9uL5rPdA)5;F;^)c=hHx|ROVXE<9eE>?3?^e+yAw9?J;pA>AkvVdYBg& z%m4$-z%UG$Suog(F$UJ)7Xz5}*lXj*uGhxE3@kPey9aE;g4epN6z|5lBhf|6u6DJo zvN~}(U(Si5lcOY(bJ}?QN22s_y`eRdFV4f4i!Msq3712ce^TGqGds`~1y@1Y&8fY`vn`4q+9v}G8c*_7d#)eX;V_ThPn;m5QCbgIkKF*DII<()zVeK6$}dPMkPJIZysP0O*3ISsVi|rvEuW z;rEz+dOLK-bKXVf9a<&LN3MCTKgeHrM(QYgio8cFbGtgkoB*G2-~cO#cFDeLP#nY= zE`{fCDvOKB+*F*dSza0oPlc~v<~!#bv&;||BQzpuuPl-OZ(z~@P1?<$k)OfLK}g31 zRzYDn4CYbTm*M&d`>LX*fI10h+4IWPU_9@=gZG^e8^rymg)?Wx{jUoh=d>kdL&Zkg z#Mjxj%$K$;2rV1t^Z21_?HYGsaIJA4rZhYM4@^o^^Zx`Zl&{#xUqB;Y)irY0WmZAq z;v_ve#-33O>x@IQ9#b6rTw&`-b~xgy4Cxdr-JAB6f#_uCTVKY^b#IPx1Sq zPdVUcf5kM+v+W+gDP|8(MP~W%AabW;7NoK0Hx`MR#;3r!K`akls|}8f^CPnpLwqbJ z6doNyvPY$IA{sjE@Ci_q%0!3dXQac>I9ekB=sLx?;W^s){3M(kp*3S%Xm;{)gr6em z%hYvPeA*Sh?LR{i62Q;lIgRij3gNXCA0Qmk`i9FLpF;0(gW<``GjlNu{L&!0z`Kr& zUc6SGLg{UGqGROl%RryOJz429NcLkJ~b_Kk82xO zXFi=;=9WY6+azGEa-}C2sd@*c*xV9|7CT;v?mjN=J|0hz$}8YUk0pNe81tmPGutOCTmePrH<^AYoo8N- 
zM?Xc}NSt@zImH!DsNEg)v5-#)r7!Ae6djF%qwz_F_rr^;rS~1eD<_5X zAz^k7mA8&6wy(zEQ27SbgW?9_lI_WJ5}`mUGX;%t%66qZ>ewziwhNB!k12WD&m_Kz zBs>M!(8tMU`d!GDFVB|^kUo7@2ILsL)7>7ZFg&O*2D~{BY8Z-{)x0jJ@gn0q$0RZE z&FAJ8dq&46!pQ;HpbU~QKJx#;;Fed)h>Qj?P+V6((#EW~ zCdS1p|4X>PpGoSZnr4RhvG7bv>8bjty0H=}mUXOz#Gk@g`AdRpS!-gbv{)(;P`^|r z=G;of9^XW?uvsi@h7Pskk-KW8cGVYkH;L}1r9et|Je=r`2ksw=I{HLMpWx_woL{`2 zU$vHBwc=a%wyt?w?;U(-5>CDV-#se>_PbjLiVxHqepGKf(3JC|7a58=NiX;!vETi~@MZmuF77_l z?gcC{kv{|O{h%77vx%(f11Y_!PS@)+`Jgvl)T%S&XwH*7dZM=!&ZJ1u^2OPDTF7w6 znAWefrV{3}Dn_Q=8400>HT6k&D_ZwbuN7a%A@nRj7tq?4c^22qmN{R@oY}_N^Qlni zWN=f|2fm@(U*TO@rCtnLnU*`2)DdQZxmmlQ^|7GJxkSnqGWuT7N(RlmkUSq{uaZce z?jCg!nYApfW&YH%*toKXrahB?sckjYS*^3@?<4%qMZ?$d{tW5w?;9W=Zn$B%#w4U^ zP%%esRg}8X#i;pyol)Kz9GLG4Uk{JW;vlbRc7#J{l6$J%Qxj?MsG1SVB?uG1nO~g% z0{p)aFw?Bwtloj94q_Rf}P5uV} zr~vWic!`c)hKJteMi(25Iq6G6Ode< zkNZF9fB(pbN0yH~@&dK&Z5O@mf~!4Q!!wLp#rwO&gQuXLr$y&!!Fig}+Nh&)ch?_x zh|LG_{Gsu$Y+~>0Ukru57#$ZbToigQV!SYOU7UG~w!|!2d7v?9F83HT&dcm+H za+GeuT%AMn!_i81w1DJ6gWzb`T%C=d?oxx?ocMMSo&szTU0hZ`n&4R(B7O98zO~=c z<2C$+`%q25z&>D^9t-=xU=4I~4{{pZts-|YdOk*hSgrh1T9@< zuX}c`dBFDY_WO>{Tv1O@^aPiT-_AwqQZT!aYofC{m78cKpD`1`6=Fi{1T)Dl8YT^k zMuv=mTPEfZITu_sEts@hg{lpveY!=CNo%j^c`R3?ZE)r+a90`RpPDk=ohquzklROT z-i+I)A=BF+PM?y047WMyGx-)R=#Iy_XkD-_ST130d6rJX#kXw><}AOT&cCjqCEBp0 z>x&jeK`BYnB*jJUq;RjnnTT#1G^OPET+Cz3Ru6Edk|g*vx~(o+2jc>v>1@cNVI{I! zTMrACJGSr8C;nbi$aYKOzK|V+=u^{24QWq4N1r?wzmK)7-^XWP^Y>w+zqXIIOAf84 z#so|LRe<)8!)TVr6ad%!SA*;2!HRIJh zsh)f**P58s=F{r_rZ4zswq?$l=4$E3*>)4AY?;ZngiP?>`MR|?|4mHggGXe`*VG9ElW*}qrQOX3oIRxN_?w*LP-mdPJ1Z9x9+T4bJnf8qs~^**(x|& zHzj+~w}S5mg~}Z?+zLkRJ4O3W!M;hd!vpP(a|C}S~jIJ*R6iZ)j%oZ+!_R0pu2YY z)z#3QOJd_b!M#7~-Y>fMFIlDhvX4S5d)}Y=a4MSL0N3T~`QEjB?@F)aYm`~it2hei zWlt&x-0iA4X;=xY1Xg$5ExULAVL;q_LO3}hgeJt3lgOn$h?x!nSx<2TQBL3mc2si! 
z>K~m~T!X_L`z9O~*|(6GRXh+}V9^Bu95$4L%(1>xG|o^^vjHF{!AeR>Z}s5YwC8pq zq`ysDLD!eO&04w~uoQJ6EL)}Wy4AyXuiQDZR^CQ`rqoN@X7$RaN7j8^Yrd}g=BTev z^z|)wORnmVgC7J}TcWO=qHCw%+9|oJmb)prTRmj$Y32 zkTdpLavs_lihd^GX9t4*oFM!S1eFoiK+pY#0Se53p9==yGA9s3IgNqfz<}QnP|p2+ z{ueM_SO*6ur$e(7;lV*l&JJFg9hv}j0(zA*I2f89864!nY!nZM=J~$^0GkN>-vVp` zl)(V84n>(S^Pny4E|pbCZsr&v?YqmWG=#RJ@j`o9VQH7~=Lx)lKla%E~cRN-s1)*)*oA7T!sDrR=7^+pqk5+JVvo zWfiieoqI_pdRSm+ibTJKqEgv%j)CYjJYayTaW6oG9?oN>bIxMkG~8z(^h2RdMQdkk zg=jroh2NIBO1RboePr5N@Of6s77sp18XjUY+<1T~LpKA{6#kGpqKKNMy^^WdY~_n=EaP%C6B9=i5@)V z9G$ZD&>sJQ-SGXoHJ`6rw%2ndGD!!eze6wg|2|)WFJ3G4=X%gR*6O6+w-s*<6$9|>H{rb9mH@rD^v$eSpV_BU*Tp zilZg~2(j|ueVT{WhBD5AV^!V*0ILcfsB0cveDXd3-2OtT1XvaDz~e?$J;hD~nrHy) z3}^^KVNN1T5;&Bx97Py3qS#;q;T0ad$?|^=(1JNY5FZ)?Tofu4E%>pG6{uQp3G=Lq zdDu22I5ml(5Z?|7z}JZ7B@=+ttLVJ#O(_o?5)ScU9{hdsU67ccOjJzS^ZSsNhP188 zw1j0h#r)jClsgqu^@>Nj?vy)~v_n&h{r#SlI~78k2k)tTAEv2>F8I-r7x(OHOA6-3 zO7uoBLgQnUI6o3Ju+dfVO848ok z$+)4>@Ck@N2Juc^{P8gI%ZG+1!u%`v)N1nN^vI?CSl)3+C{h#92H_k0^wjihgg>GG zEj~OO!NNeuDdy0`Cx7RpzBrKbJ;qalVua58r}V`^9kA-B^~GToPR!7rILV($c^$K8 zA(?+Q{Y~s{+s(g*-3vPDSvdPsIC~wbn(+0J@MS0=!k>er^8kYY7XXF;h5^v)A#m$) z0mhF4ps&L>0LB3>lB7oG$n?}z{u0EZ^fgEUDS|)KIDROZCZ@-fHC=LvhuaUR>xn)g zfQcD1E4f2c=qw^uq+DJG`6l#ViGoY~b?i3qWbeV*Zvgxjw%q z0}?d<5C7}HPMD*NK!VwVMCt{7kTQH7Wr99PdHrkVu`N4-(lS=tFvoWh!~6pbweK*)8aUMD_^! z@O*bQ3Hl(BWBTi)O-vXvZ0Oo*MkyqwAFatw+2Q;k~f|%gU1@oJz+@ z%MQW#(HQLG=b~V6d%>buimjq)%;?aHTBQWon>|h>8Xy`G^_;_YQ z67z!a>>#`N$9zHz0a3cZP@O$*&~hnm(r{^?h(hIQWFizIdEFT1S)~;ho^y zgw{RCBb&Jdw>|MAU55DAy%;@Bqm`8dz?<^cZ3zSU|lvC9)o}j!?`V(nYX( za30iYFwDT8fjlJiFiA+>X3uu(6|4SyWmerm0B$FFTkRplx9aMBcB8Uo=3uUi*+~ua zB+ATWDHJ)_AnWC`xUP@sX|+|G*-ZJ;R6ctPORFu!q1ZMzZTe0HXyReTv(>T#Z?@w! 
z>z~q3Xze1_S(hu6#bbwJqn>JQ+eJU?j#@=1C5UXzmoQ-S%a;3zda4n{;iJiP(Q;8kSzEiVa;+FNGDEid9!yY~il+E^=EEz?+Jf$I3g8I+x`)h9fRG z{}>fp!FHLh%Cx~$V+>WLvJ34XGfb#DU-MOx0a%bBc&MotWU6vR(@>?hvgvDI`I7AZ zR;5R?!B(Tbp;S)FGR!9POi+&*^25Bm**eUJeYoNvY(odYfFU<2<)B|Vf%}gbbcQPy zz#=B+olqP(S%i{3Nop9zR3WmIt=V9q@z3+2ah0_p0znScFc;^rN@v_fb5#Co;+$Zm z?O$tEDolB&$WpJXHgiG!VTVf1#lbGcJ;BYsZm#oRj29wgrc`1zE9ZC(cyV(i}Z?q8!y#m9&_OrM9FyuEzyot;^fZbstc7IELNq; zPcttSwObD}<~!L=hU&6WC!kOB+UVBjk2+=Z*uv;x42~Ev&yN`(N;B$WCkPif9Q@M7 z8g14SUu-P3$++{J>eBA4pN#Z~E^G0TEzXJy!q z%)iT|l&++sjI0JTZYU}r%gj!Aba-{%s)+y>oQ(okTnxd$5*&kGZ;?k^zx6I^peMnI z>>@tnaTvT9^5d4S-~ID2~n&RZ0onZB;DlrvthxbseLm+tnc*6M85rv6LX(k#A!=w(XkCRFr@3 zkqlTGMOD@&41??nogPvhfh@*vo)4>L>Ug^@IC^ErFng#t%vKO{!DY(>#+*)(@39=zzUd7%p{#uQ_=#0t*R`ivZ6@7wPq-VQ0sE z%vO>YR;hRQvn7}8yghwZ*)y~H&}DpFszBF8FEvUdI83D(p-JjL&OrV=;vvT00&v|Ic5i zlbCF~2elm+j>F>NEO?xrA7kxxF~Q7}F+?zM^U6>lnB){`YTZ zR;~~^y_eQmh`M`%85+rJ>AI>6pMtsd7!GH>6F_h8JC@$WFORFYx76mm_7?@&R2Lbk zvo3`$kq5Rki(67?a!M8?eL6-zObRUY6(_lmEx8I!Z^{#a>x73t~dY_vPL znTh$>16|dSGdwCW`upB?{d2c7J9EpgO5YHD=yUbZEIwB%gO28=o}8VX-+#}&s~mf} zzu)#LPEVVSzq`I1Po1NFlq(HJVZ z&l?XjEx!i(ZihCyFNW<_`S_jk^%(Oy{`Q?ck+i7|?e^@ah!7*Wk|A#siMtP#i0#0# zl$v|n7BX@kI~m8cd*o%sax$Jf6~){`<>6RXSAT3789R)ho?vrW)+b<#PSJmC$rwMT z&epJ|It&RJ1B*|wnVopsGTmtElyXidQ2%L?0{A&*9>~flMxVSj!{uq)R@;4SNg3M) zFlp$%wwH|b&1LP3V3sCCrdi5m=9V;NP14uAZFw7`FXl#$vZPtIK!)u;v8Jw4UMx_- zWoMMRPrrO2!%4;%a!%irb28$Eq!%GhBS~}k@m=|HEG?hOb)yYZuYK6PM)SMT%NQ|t zO^}uC^1^tP`@~4oy+v{FyD-@fiP2;E=r~?%ch~1_fa*9tZ0m4HToci?pVaZgg^f!% zjL)~y;1;}4rs=$>=LQ>_M6=_eEae_0M*S=d+DArP(s@kw(uOjdOgWCL`dwRch>!53 z={%$ngus~4IF57r@!`=WG~mL066+8JkyMK{@WHK)X~eDgq1whbV3oNgMQh&=ZJKNq zH0Fi6Rru6t>SS(cJCuK#SUZiw`7xv1#NYc%+kUV+?F%#EiyrX&B1pQ2O4E5|f4hUi z%5xkqXg%CFU;4?Gmg~Ai=*@pwY`ZZx@y@UaJwh?LE@YL)NsO4XCSH+~Xp)YO7aoo5 z{UF_n!u_-4c8KIGMn($tD%o{DUqV={p_C+_pb$Ls28MdOr%j6fG9aey(DcP>&Qr)T7<*LMS;p+2p8zb!Elc7kIl9$n5+7Wb?+`w-pN$Z=!uQ)B zJpI(ap#Ke2^{zGTn*YJp&3~Kz{|;33^(}2Jo%Qwqe~_wdtUPp}0B(qRA~DE0P)>fx zw@3tXAxTrk_gAxuGpNOJk*%)kDZn->&zp 
z*tTNej75yRJSjyf%cMeJd^H?e2wQTz8c#tZ@Ik=osQR_zwMXZ*-X%F1SMB!}s|l-) z0Kcj=*^S|t2+#7FprLo-i*NC;o-%|l{HsxeDe|tD=}-|#Feq*U*6`}^!3q+C)W#9 z29rr-|J!wAjx<>S5Q*9x2a?qcfj|`qrVMdoejIEQPU9QWS`jH&)`q4FkZ2N3ciJN@ zSp_*yN6)*x!!tZw$=8kkz|aVaW$4(i_Vgqc>JO2=U|$VXQQx17<;BG$zdX9{=-pl^ zRJ8jG@!rLZ$E$$1tJio*A81rd2v_g-$2&8w?yiZ*bEZ)W8f>TBd*5}Yi3Jbu-lGN2 z=u)IZQJy$q2B>cp)IChWgz$V~lqpLM6YrAw`oSwls?R^MUx^9lZv?G}Rr4I_K5ba? zlPjhHO7e}LjX2)dhkn4)=eh%hd|2}2t4VzCmK@!f&*RJPFPG0pw>fhC>Zf=hc^HHx z9B7;{2_%ky4p~kVO%Uj;dd@={xQuvSRw$yx*i7K|czM!ZXqw!tAzsPOvdlYBo7|H! zm`34mM8yf!b99|!Gw_p~0r|VqZ05J#%_PL^5d&u%s{34+_SAr6@~Nuq15nxl(fTow zgat@@5A_VnW^QcX)SP)J#|S?ud?O;GdX1q>dgb3rnM0zm#MVg}B~mPL(3(z%O1n16 zykX?m5=r(=MbpKd$%_mQ(gFKh`}Dt=bgIG~0|LMGcos8tGQyaoz>%^RO_jh3K&}Tf z`yOF`0kbp>S1eSjon`#hss;Wyt@zvhS3Ls08XQP(ARaj5p6t)EVE3nXX1KYu4J~ZA z`V&&B2yRef5@5R0l&oyHFsNZYVFhj$`mMiEe{B%&Fo&T)C|;Ae>*|Kx;@?bA{h|Kc zEH$d31)b0WVOg{=F0obe6}38sN~H-II~X}xdL20Q0HR|GYpF5NcsO_iEVpTW+oA;R zxUk~yUtHlSlxv`pgkofl8WKT>u$o{TZjz0jAO&g2(Svb&)ahlU)DKPmYo*n5j18nP zmdHmuz9L@lQ)>Q{L&_s0(Ex72{7Qgh!LAGJ5l=&6l)`{$FH?w5NH6`uFJ83gJ<0kB zSkIJ;BaC=7s6dXGD8f51>67n?;!1g+O3ZBtbD@IpSa0l9gV zzR_%|P!nNdm;}bx!OU7+vr0_h^VRQLXK2boqHI}|x3CidQ>%F~&~jwGeiy5YvlovN z3f&MQH+{$zja5nPh3=}c?hVFR#m9qYi9}&jU8FN{;eHuD_tmNmZZM%b>iIA?8Syi# zTd1lCk9YwwxfFO~ZK}{LM=M)B0gY7b&)cFSIA39&ZVja|4d3Leh&L+EJJUw^|_kV=MFP&vxdR(L~oUrWF-C7D|RL|0mr zRLKh_ErOV0u9`s3?dP)}HwL$GTd_~rIHszVrDLyc50S)EQAXzy{l4@$^q8K0nv_T9V;cP6zK1#V7j9A<{8*-3Qo zp?#FIsDA&X=beVgfF=f7;h0CDFevMbiKk{oQ45sfDD)z3H|;$*)26{ym3F+I@qD+# z-p1u?5rb)F4dvx)I6%E)?rG6veJ7soNcF#i0sv2!ZhCXRzx3c8I_hz%xrIs9O?=Fr zmbb<-_@O@&>G!S^#95iG`JGr936Cbd@ud%%`EX*{+_Uz=v)|;w5=v^XLn=E5E@arH ztvytC>*By=>-FYeA03c=buj&h}2XO zfO@`uU^Vd2tjar<{PQm^nU9Ry^P{ZO2o=arf_Td%)U8X1VNl7@yz3#+&J$}?OhN{W z0}*lsMMvAQd+1yU8$UX@OKTG~-8FE4Y2E-(kOuWL5pq-fxw(FUz1w=LE;>D~D-?2% z0w(+BrF|b75VESjo8=2>Gz1PP(Vv)c#*AwBXHCCR`3EVHOX1jHkXCOO5Z{$al z{9-Bk?_6Jc3PPJFDT)^YF7R8~bDdK&M2n=$O6GQp~Iv&aHzOs{C^^W>z9u ze8So$P`7y2XxmhsRFyD5B-oapF2^GH#Hg;z9h(LARK?P=qt~*Q$i(>zgXT*I?@3c! 
zU3R`d}rz89NdZtVu26)mFW& z^2L%ocap=^sjtG?bhS~SCQcv{rFjCpP=|_Vp)@G3 zl>uKJMCu3r5q!r%_KlUpP5ww+#B_Bct*M*<+d&> zR){aE@m%T*vh7;?u?ghvaaN+3ednDM56CGU8cjVSrcMRSK1tE-R(sdHgPPPRpy z2E73L2=xK`sv!<@MTBQVM=krg@$U(QMpL5Ko^(4-A4(3{Y>0Y5ci2Dm(YancPI}+b zb$Hj$%~7vjF-7rG-VX>oU8yBh*1^k+QfU0gnB9o@sDXyYnP2k4{k4WV)$mvC&bP|xN5}!fWLNra zL;1=eVUmI(n9R;2zD1ZW!cY*2&rDMcU<7)bPFnZ(;R8tjWNOO5o^w>wsvE?V8*G#1d)r z92++C8!fLRu7Q8x8xM9=BawNeVOaTKBeQ%Hsw0APbakb8KtIyyEzI18JWgykGIjDk z6MhEJf%`b0PL4n9altR??CI`yj@%{8qzWa5ZO^MTwrS3B~w+dRF zjYA^5tO6jc?=5i>b%TT6jK5jkj#2M*-B!xLPNF~VYw8(!{Vt4u80+3HiADrT-Kucj zSY`SA#;>b=`0?c81yk|W^-6)tncl0P`XKFkFC9!n24|{Rkm%N_Y2TsDkaDn!shzIs zQMny$(yDiX-T3})DY_6CNi8P|Bzdi2bA#VW_{}f|Vom9N-1G!w!9z?hS%kF*yMn(E z)c*CqvCC8$*l|>LAfR#~U?9x@W|zixwzj6m&X#tz{|}OR?eoWJQ>^jK?JqQLr&6(; z#Yh~fi@JG+mqmoDvwEGhROe_(xdI}Tlt$7&e!sC&`qI05lluw-Mz-#NT!b8jIra2! zO*y|lJ@NQ{z0DiH{hd#;sFO+J$`KXC?{h;iu1i2jp&>sIttWTY~wiOKOS_^Jq;aE>H6Ll;yqI z=#^Tkpgn#FE0uQ6+cdc?Yr!1a{gDntC%u0_WJ3LQz7)Y}D_0ot=*+4;nhg4M^v#n0{rA1YdfG#@P*C-wAU ziVdAVxA%6fck|`I6)!tITud4-ClF0SO^_=1GTWG`Nb>gwG|4rJ4sU#+dp3iBVF1p^ zJ^sn9_bOI&A@dVO6ZDn6z{xa&UghL=@o{?v#gKYG!{+Me)7KD@BH&LH z^_IHJ10lYjOKa6TcYR*>2g80`dTua|pWR^8q@TCtzr`OLHJFb4lfmz9X=K&kc8XM9 zy32=FMN`XEJB-Gk;iBs_A>1G84hM}sVtume{tbts!e}CM`0&aS+_(CviT;EiU%iT^ z?%$8!Zx$szO44WI;^yGT?%mouu0_Sly&&lI#)N%-KD_>%**mi()*a5D@7p8n)Gc!5 zqQCQW#u{>vPoiQ1Fs|c9idOIM?g$23fxgnjk$93G)y)r)P_g88@NWfGpKk9Zd3d;S z2)elVaRgWP_X{3<9l5X(X5r;x!%o;^C;IPq+?`pt_%21m;`{bTQOd2|NvR0p$j$qL z2G!Tb?#JKneR=piTZgVtjac_<0tS{8hwK0fUlXR$yDag>J=L zmx@!`q5Lt}SjcAQ`Y}{t z;!*Rkxr6z?Kn8?ramyWkcMu8@aW8&nqITp-`{#o6fir_GxALJtUbm<7^YIe29K|wK z&xNVgV6wngLrIU_ynA1{?z`NafevsSF|*=w2bcT%CZw2j-x_5Mz8q~x-6en|G+5E> z#YzXoC7xSoca6h4Nv#1IH|U5jFHxuyb46JqpqC_S%sPg$2kS4^R4h-X3YovVTs0SM zbO)MjHN5#|$PRCo{{E{m!*xu{_Fpxi`L8jErNfRP(vXk?`Ys&AmL%nx9TJx+(>!mb zpa;Kk_KUk9!Ab9H2NNxE3L1vh`;6?kNOKpEXMAl1Gmr5N0O-8>C6b)oNONmh@R4O; zd({(#bfv?E`ZHzpKdY~PNcN;aH1$9xm?ZmkZxE$!!!yW2DJoGvG@YSZv1a@d!Gx@4 z759!WLA|IiLK%aBWf;g2Kg3m{iN|8TQb-wsZ9w~nA1(UZC(4}g`>(-%_RQpu&V}YD 
zw=v)&b2NyziB+PNX^V+L!)f)D@Ge)eB0}{Nf%a790DTb!I%nw6sXj$kCCoD{}8%O2-$-fl1egml!lpKX6BPmKg5g!wCL96pi&t z)f&d`2}6NJbR;YDB0gy?Sk;X^I!7YTGG>@pq;xs8l)D>!IAkVP)AZuqAjr=?x_R6a zVO(RTm@2-UO;QVJcpYOY8cRNMWhpVoDj^1o(zVnY>7k~@E}Y9InlC@Jl~Y`zsij}s z$<_Wqh2PR9RxT*1dcjvR!hR-s7aTT064oix8j@lk@Ad8d(WIDLwB$8wtWV{uZr95% z!8^K55@q}JYSi#blrNy=GB{F;m!p)FO1i{8b~x*Jb>u8B9jA(^v%PG(5UpY=S%wmM zYa`YRM7t!<>4{RLEa3!%J$y4&{4T-hA8MQV=XfhU&4nJ446|pB@Hb)+H*6NRIQRa| zWGhM!jslVpDkoNcM(#xpK7+-%i+{ts@PfFLD(Qi3q>z1`27G3+sv1IQn0bjY=EH1* zg(D2M{T-`!NTjToPHNn`+U5yK1oj0qdEjHdNPLX${_b`#NEj97un5UY7BZeo(Ea^verF$8VvdppVOGozUMv_1D&^-vYQyHOHmdK(dJqDU zbn27e27;!<^RGD>KfAY`klZSxzjvJ3IZq@fiaN`WKeKri@#JOgTLVD4zR`nJNuo-p zxP1Z{4q`rPn-Zkt;pzLe@rJ2p)fB(~EE$4czn{~bY9}|7HYNq0z-!x>@*JSr&uu_8?Yt2vL3_DdO7Uf*&=!hFqg}YC7rCbs z$yFts`ZtV=#Z&U?ypI2I0W!Y}KGyQF=#b;z;BU6!5;^VqPVgFqu2y`0U+-WLaxF~( zC!`Ews%3MVbz?^$8vMD|OX#xKnuBc0K3JlurGFTBa)LelbrHRkNg=)Xy7*A!X&ouBfr<$y^YyshGF6V5 z6J4cTxtMs$I=qMIpKjrQ#4}#*L%VcH|HF zzUrDtfc4n7gQ$kKNyGyw4jysN37X|`N_WNnIS7-z2|2s1hjFU- z;>4I}{4^#?Z=Xzjs%c|6E_}{L^~ecGlJM!Uk)n4vDQXrT>m7$V76AC-O}b$CO6-9G zjP$IOwT9K`{IN;KT!VhUrkiq#6bPqL zF*y}7NK!&#)C0N)B zP*k%An}osZaZjo zNXjK?zg2i@z!m`_>y+KlD3Q8QH$p?;l+~SW>mulI?e419c@djW3T4R4^Q40-NHtV& zsk+m|?-<1(N7-YtD9yb1j*Oh3!sLsda7vjXAuYd#gKJgC_qbxD8mVGZt_{*kL^4?e zs1~#$)z-U!uI+hqN>xKTEytwm0*+xL?KvY#%$=%WZF&t8b@SxNAUSb-nzB%ouNLH+ z!47fkQSyfUZ=a5p&>B|_zLZS=BJbUqbK6(PH;c_-D2Oj`C1FOcx*Dh&!mz|Tr5C|$ z9jhAi6{3Rp=&FuWEw*b@3!-Z)$0sP8@_>&cKXgeiretfd-c+I56|%;kAoyTE^fz|K zoS2!>ud6b10rK<9fdMl-+H+>~)5I@LbdewXCl{5Forv_OC6Z9 zQu_L2Bqr66{6<4QO3SSd_~Qvztc|nHn5Zbl6HrTsWNc9WxB)A}Y1~LJ`q}0xf`!8TJ;4il<1^2@B%1Ux&qL zMK3oHYd->87p5VO!5VTzERM=P6y`jUR2>DNp0+WGaNWow8_N!Nzy}yzdS%n8Kim8p z`a)E3)BU9+opp%A89TjPKqJDaGn@$CL_X#?g4;=iF@sCnICmuU?&_M70sSp%RBJkt zNK_cGno+#DAH>i1>A{126Zi5DEhi1Wxx2GmP~u?EDEP4Qk3@lxz5+kSpWo!C0A%tC zk8+OMynqM{A!Hw|bRB0YW%Znrg@`VS`qF%5%8s;C`U)pf==JgoS>v*uN%gFeUkJ^y z-vy|ePKc19fa{Gjc3mjt_Atg~f8R_A0J#6OL<|R9z=ZklI`jd-Z^TNav8lLjZQKQT 
z>-Ov~yoXvE`+b*wR4f7<457H;5y>w@UyeJ_QKyG~Z&Gg{Ee5jHkDsCwPA>VUlD`%; zF~J>uJdNEDULiV360OUFAUH>>n)K0Pi+?R?gHmimL54a<*zrv7BllmPk)C;P?RLh}Z&yaps!ix3Ov83Mi)=UJihcgQl)~ zY{nAfg??RU5W^{=yyiy-3jl9VvDt$uwj!d?5LF!)0$0)1T6H{)r?1XxTZ8@{^L#Fh z9M>kdF%S@9n>tEz*QUq95^ON+NI@ymlO93Kz()2I>HwR_=RM4yo1&Dox@31|`7G3Zh4BD#H`c|X z(AaB!5D&sz`}{x#B)^dgQQCnxMrUfApilmG1b>E7Y;4?W;fZxnwZl_wQ6V>$pr&Ne zEWo>{`J1xAGG%Y4Ey$n5c2yUV6UL#l*$?&X1Jz_+-)C@Eq1plw`!{|y?RDgY`!ikL znYpEo3}O>9sEOG}TDsM`HYN4BArp1?J4D;lM)a=f;$1%L11qd8t$vE!p?6HuH?uN4 zkqay~_4@p?!i80)_N?NeOlm&xEMZ5~(l!_?aGfM30B^D5M@T;3O%Y!5A-oN=8K0>T z%^HVj{|CD1U0*bA7{6=nV<-l5%Nw*Xs5sv3;#X?&D^_&M=)5YIECYX#fojxT199>Y zlSW{=ZA4j|LXAHY<)%?6=PTrxng)v5n}6nSLJ2IC_A&y=#hm%m(iXWNGBF`GHzleC zhWL=Rr@3=?%a^IfRcI0`>H*yn_VG{H4K*M?lSQ{Bs5!s)Y7Hg{i}j`paJ)<$fz3r9 zFDY(k@5YFSbt(xrPAYpgZ&ynMINCJ1SAUMvpo)@=ImtC=sjUiR?sKEp1w~H)G&^gO zccyE5^D0N?0oL-?t!bZ+s5_(i%N;PAT)QoSObV*5Zro6M9VcxS zqnx2OVbRP<>CO+HF#MJ(*R@)kk^7iyD*^M|X|y*vLu>U}wWdz??O=YTtjZ|>jVu6d z6-`&Q2pHwuryC3Hb7{g=R?T+n+NuL`_6&aiIzyRT1F)@f(^~WcZ2c);XxdnroQ9wC z$IMqWq$h@Gk(U^I(H1UKxiBjQ$9k$d{mg85SRIg;Df$%0ha(&U!&a_EX+XcgkZmv{ zmVcFP1WGfpw>`@cb!1@yVdJhw2HX>6E=ofitLvpI7s8vmB7Z(P2-_&hBEKWqYVnjR zR%!a))mJMzs@`I@aEe3zP0{h0RT;)EfT5-^p#W#3hg5AXfjj3UB?A#0F8kZ(Yz~-Y zb}qo079P_D2Lg}3W6AJ=QXxjIJHL2|16f9=^JGN{W-1B z_g}WFqzLZa!3pLAxe-1IQl{*xDm}9G6k7)?_S&Omo=x5eB~WJiO8yu(C-%ts3n(>T#{l&pS( zDgL2N>OgxM!;s&(=i2ZZz6BSX%gG^3rV&P>l|^Vk%K|qG$g_tFHDvha$!-#(V^$v@O!~Vq%--glJ4sQO&O)d5vgGR6Ww;H9@lzu7NlX ziudcVqf{^?6Jc50`#?pxxcFukg>`5$}W_f+R>;Q03ti@`r9N&;A}ofysS2imY1}!V@~Je`-zb z7ymUtn5gy~HyO8AxvqFJId&_n<<;0!Jh`!b1i{T18r;r`;MmJ-Z`ycgp+X4_^OW7+~I$o&m9OrK~`Rf{RA?A6XU zO?Xdc;QQ|Eyc8D7<{&6|_kfGvw(+a?Elm1Ub02{;dYZy$vP-Pn21fDoAM&&f|GW`& zP+rn~z}nH4_=uK@&eV>&K8VlE!B|WB9><%wI%X9=K^~$N;LUx3 zSjG5FuPZ(l@sI?f6uYk*9i-5i&P-7wr2QIuYa}x{*EtEHlP?X&78yuwrp#lpW4+)A zD;F=dW<*U<&f(Tug2Kk7q2zV05rP{Wj5okt8(GKMRe1U(fFoXf@_nLGjyL(BYR)~= zjP+9rn#B#3P7!87#gMr1nt1qr!b0y1G`^|^xxsdH{A1($@gOWA2=X|fy*#RO3-a9H 
zq`3c~v7h?v;SH8!#Y@rp1rq^Ui4>6&i!xBAlK5#R{Z~EVrxop-;199S>8knP8y@sI zE` z%tlS-DBP!|{j=d!H-%blo9(gUO!*a=}p{~fdbBA8-eIgz@if!t2p4@NZR($e6 zuVzMhUJ&$qpr67X-Ov-dD130dtjIRrg~zf3;MG%419>hVl9wFkD?D{V<1pxF?wvb4 zal#wq++VF-H7A+e@VRs4%TiK1P)F-*{& z(x$304!1*+gdq;Q*Hmg!QRkLPdb>kMNDnd*2`(}Fv?uWa!`vkLs1p-seY;1~ zXOf+pd6}Wu4tPlPOr2o}05y>*qI@b4@stoO$9a-<+)DI&0CE`9AyUPelqzI-9VH$T zOd?_{76E6QG15N1hzV^1{NxgKWTIC6-33nzJ0mNd_YMd5 z5*(9rD_MvIU945bQemG}_>B^@*lZ?-^>X8k=mcUjtOvfUR%k6y@%d4xD@tDUY>iQo zv;ogQ;ASck;->BbZG@#Y!~V{2`7?QBg{tUngJ!Y9g=!&61_Rl=t`tt}6y`A3kFruU z9=C?dH-Hi_HEzc)nenGR-?guOHp1>;=uJ`cx}5BwjK4FS`v`n(0c!h3B9ulhHLH6T z2i~ap*9Ed|^XsqLX2Qc@kVQ6l1jqSBup#Ri+ywLeT8`LS2ujJw?`iPZ$(2$UnFM=&=u>UQfp+ zuUN``6u$61VUtCZ5YX`I*)gdD#A@mTnt`p^*k(V^l~altKLT&NE9IY3VF8Lw^`F0} zU;Np)5be92k{ROtRWk!{UWjIMp(xu3^S%rYs4WBvJ#ranjPoWzTco)s_^+yW4Bb8L zw(5b`_G}Pj{apb;d9wTLgdOH{!+_%gJntJHa@|Blyamgyj(Ogan?zb31BQ63M}J0= zB8gUH2g$6d#X7a9>Kj+z_Y%M$eb}e24vY-2gcRp(02a>M5MP zShkM0wdha-c#%V(HaTiv=&q_j!CORq{jz3kK7}#|O(u4@%B(^l4o1chCjGF`+`VQSj zt5gjIDb%h-!@jR|9>xsM8hJT)H*sXivn-CS=kK|z$~iAiMa@&y7MY5+q02`#L{Ler zi>Td!Au-3B6ty-D;GU=!IaQpBFj`vb+bVPr^sP5nTj7kEgu^hLFa+onKFUqJ-21yH zd^y}>8wjR@#?Qh)gg(V()96|CyO&NnirHE*nmaqor}@&F7ft<^Zj;*=+2q`KHr}ta zIpNepf@>)Qls?9T;1cwF+%h!gK-4p~9?_GoT03lql<&o;zJJ>iH`uq->O7;EWoeUu z$$U31LzLsxrZPzVSRPC@R(MzSHD24$2!GQEQ4vgFL!GZR^uTEwriewo|QE{Y%$&6QDH@p;z2f>ye2WZ2IjB z*cTlQ7YhUN26kbC#-ib9(eK*J70|mc?0-MvX{A4xT`ydSd!yK@6eNQ6ifQRuh@8o6 zpuW8C@a(GLyYSuhYd>_)-kNn15r6VE8hpPeFAxl)7X$cUR8tpD{FolKLZ9&|^akid znVx-k;|H7BjUXFUdh_TOLwTT$&+%b))@O8EN_e?%C{IF!McHICYwdK9)LAX&u<#7Z zTQ@%RsBBi_1lidzY-^a|%tRLodCe~JGh1pW|8rfIok;C|CZtN?ZL%(zKpE`amMN39 zrNOQBb2Q#Ps2Xy@qxd^=V+`+8Q|kX|;P`W4&4bOEVOGHdg-8(vYgGa9S#*Eq!o%}5 zdUrjvJidg5)>{jHAksCKs>$nq;ynb)vLDx4)nwIij|NxWNML}xpm2}DfDRFN;}K&_ z?cPBB$w$kK`gDigDnQGluh=yS691%3e}hftm)Dp>*F_SVO{NKHMRmM*CeTTiC5O^5 zY4QNFQh~w$b1dGxQm&mAb6NEZ%rLqnZyt9-p=|PeUY)wwos(8O097E&gzKu6EA^~r#4u0F!tE-90l~;*s3xQfgi-6o zx(hA&4ryq0SZH{p!55}FmLiZ5PSV+E`5@7SG5vt&;kR!A0s00g*ox%eTURNA`Q&7Y4_h)`D@Ux6p 
zLznmCie0ad7PodecxcNvav&QfEV#GdT`B&h1Wjg{#X7&NC1rgXP$e=hEVgNr#phvV zZH}&_p5M?$Pt+=1rfeV7Ak9v&s!Ic(w;y3lBoe*%*(TcRt`FWsvLbm_u`@^pvfJ7E z*__z*Op2jxyQapfg}dAD1}DkxmGeD2G-@ie9K@iq-2T%g_EhFg2)+%4X`f+V+}jjf z@|UFFFidMWQPv=HXOd4uyQNX@{nW%%j)a7&A2bwf8s>$`u1Qz(>6`y!;!Pdz?6 z0F@k#la0S$rj0MGnk3@Z6NVGltE`C0GRahLbLk|$T%JpvM@b)1ZxuRD{a^@3zg29~ zKnGa+N~`Z~8-xd3aSetSt=x|Q5j#^DXuu)rgGD(iHDrYOU2z%ZNGb(I7T_c=!69sL z_ih)2tRoOOvLSj;9nu}eFk_77KkDO=P^27()u-0yin%ymUjPmmqY7p#G^nTP2c|E3 zxwv0!91kpA9jvq!%QJunAo?aub33D(kPxu@pcv?oeN+RVQfj_XnO)V3$z|rrnejyt z2$6$-Oxsl8z*lV8&YnMMEkrJ2cMSjK3+|F1y9xhRiqytdcicbTqoM z_p~SR@-RnPz&?hNYTbW)J3<2K4P@th06QK zacy5JMX@T`0au^U!71(>v8m)Xw$l|m#m04Ky%5C#Pvoalv%jo%+uSDe?<29nsKc9FTy?WVut}t7hME0=4F8ry+CHW{a z^yjRLBF&r9@#lXAVHeO=j5RXDASAN^PrEBRuKZr>JLCV<9Xy^u?38hw)79Rof7Ae) zKLR66{uiwYtS#25kkbLL%bdKKMKvtQzF>WBV#OgstNAP+>W%0OSuA({axdJ9sQfX3 zZ<`!}&1zt>9+7{a0sR}B#IF`$se=mqA2m^0Q0jw&RSb^SPr4rNqahgd5>mZeq z22LA1L|>KCX&Qr{OLmoLl}!FBJrPTKhANZ^RwzQ^x-%aD?mZ48;=O*$dXn*Wo~#ZI zj-SD-lm!mf40F=WR3nr#a~!NtC}XqG5@o#epxIpe+j!J-Z}Iq&#Kf}MI0x@rhYrxj z-M0JLuP|4lu5{p2AteiBA-2&PhQbZq1wME!tFt6V@%0OdYid;@mr5Cz6c;(yljZ1Y zWpMw>qmbahcsu5N0{`&=_WS()A**SUJ}ZwduNoIgX>IP!5e8b8LG|>vdW8>58mDj+ z!o1-hYDXTF7TG4NQL>yw^8ls<=*^L#V3xgrdL&MnwLOo%*~hg-cC;>Nzlfgy5iIm@ zZvLkok56x4)bN4nwqxmp13%HS^*`2^^8vR6Rg>RrAcgj+)*H^ z_;-Y!Pu(=L>rcPPigf@})8D6X0#FQtbm1n+l1Gb2dyoX*9P{!c4cM42WB8h_5c~0O zDFMHVDv3k%Y#t7sM*93#)av}B!u}I3&}Q@;fk4hsuv@ys<7Ju%zL&zy?K9&i8)pZv zh^J08kR$PxW&*F={?D4taC{js?o1?$7CqWK1!e3UO0CkLu?kv5JJW}`G?2j*XDDPk ztEg7}2}AZ6a+{V;f(^|f!p1v{cIE#;*gFM_5_D;s+qP}nwr$(CZF`?>+qP}nJlnQ8 z=lf%(W4dEvx-K&6s_wEPbFFth552<`PJrH)Mv_7Bc$Y<}tdZ9)cc&Z!f(`-dnh`fg zbKLC<_Peajgj5iyj(-80wKjElf!S7_M=#H9K`H3>6x(mqX;q%WygWoR=#){#^U6Q) zU*x8EQ2~jojZ)H9=X5EW;cu^C7p|F7R5MN2GWUQ0llp(dNEc}a};&^tM#*6gA!ZKuIuocXB z4uIX(1dh!%hS3;s&2e`TcAB%^C%OJYK`#Gk6dm{9DV=58C%&~#xvx7{-95j55a!#t zhUO+>mFqOOO@GID{ASIE_;RZ6e%%3F>1XBh?yynaetmAF@yA&@`o^Vbl?P~vUW4-< ziLa3wfsfZcIbRK3b>c73g>%kVQ_q3P8;g;cr1`nRn}vy=fy*|=2(y4O=l9u8ls|go 
z#rJ1V4(;KV^roBtPu^+kUg_rb#BoCF89ccz6YE8__e16ZRUev#QE*y{Mc)JAbs-)@BSSicDlLz*90?ok@+J>4^G$(velE$k&RB~K(!UNEz#r6AcIDO11Ih|%`a5+b3&EJ>Q74-Mv44O ziVtSK{ZeCUVaw}-fzMzQd=_|vN44ap(Wo7dVi}hrs_71VA9Q{M@(r}$U+$h7DXM^4Veq8u=wBeRonRaT=ymb(}npRGwN18Se z^Wd3S$S(7zks+vBfmgOhYJ*SC;kEBW{+1`HoO@B|dakfM#W2y{H>$y1&5#xK)j21b z)Dcwp@p=MU)d^QD^QNxQaZIK&n(1=0_{;@J^al-PRi11BP9IjDU4Bo9`+LA40Sw>? zQx{7tM0Sedk=5>MmMj&%_rgtunTJ0IpI$Uw5rqYeP@_a16}v^MwJ zSXr)?Y4Cz_bQl~SvMTVm0Q>A@iP`jJ>a2^XQ=;IX3+z|DU7R~N74m_u70j!_VBQWV zyK@auCHU6+bu13-DL973zwAC_^@Pq+kD_FV3Yl56+QTtL-n1Z#*n^`xmY^t7-)Su% zQI>MeI$5VNcud^IWr=D(UIZ&rixrAZf8P9@Mx>TOn2+!|;1b22>6JsB5WjS=l8pka zo>c=k&Hg%;b?*`ULu!%6)rcg%@)_p=*5b$hqwColri+`0BPW*v8l*BWyj#4XeTryY zQlZIPbdEce8UcQs&6be%k}tSsmYK4FxvVSmFg z4o?t0mT;{zwY2p`wcOf5a+M0dkxCZ0-=+P1j!=t#nHgw1TzGMKE*KE^i}hM|8YxmO zHjLK>z0}cbK!viMMQjxR1mmZ;#eJS`O5_tckgCJ6?_Dd4#xJ~?`g#0;58N`sm=KUv3= z&H2ER)8PH(u}PKDD_#4ohS26(J>R3f%E^m^hr>R6#bm8Z`-f&v;~eL<{K59+0Qo?n z^@V4e=NQhwJ$KP=TFtfuGs>6wAxwZu6WRgrVh8|&^9JShN@I84@kb8!9hwawCnsjG z-A_6pQbi|=v}a$<1N40Y>^!gVYzHWG*YM3$T}TH4KNt60;9@IP#g+d_QE{qAwFL|{ zs>s=0c&T3dz3wz-9)Fv%g+`X8ugzah-7bEecYfF<>ZV9~e(tz@9E?oi=knf?uUr@d zkaflKRyJC;w)2`kF8Zm--v20ihJdkq9`jyr%i;WS3gMjSl*-bAV4%h-z{LOo54S&D z`n$UqW-oUCGhlLibX#<~oOI)@01dBSy*iCv690HK`Pt6{#8ki7P#rJgl9E7gV(P;ttz1-zAtujt29wrO{|5 zA!iW4btA6?rK&zjWr^nU$^twzs2-8<2uNtSGC~E>DDlYm4{gH4U6hfUB?3{=nA)^I zkC(HP8v_saNQe~l?ArXE6G%jvA&G>`4FeDgDBqUEyhX!x1j3xJSeQqqctqF{E;meG zYR>8^1yoV<^NtPe2M+$NOnt=`Tb4X~lKB)N_`bY+9Cel0;S*0&iEy9e+ z()vy~v;Fod-eNYJJMQWm&+z;^1fSCK*gt z1{&~BWLPZX>L4z4RiVZ@*>);bA#BqGR<~&Ude0zsjGEm}>88ag8oXX+4(cUUYgySo zT!pSw7PdzlTdKlm$LNn8urf0;$1L|cjazjVsT+Iyv4ySE=7vU8%Y>C_d&nw9S59LB z_rtA0CFCc41t0G?P?1@a3jonh1j6XCH*OKM4Y5Kr|iFui*WzMykrQ9M=$ zR^y_lKuZ~Dc&5nPG-YR$j-5IyZQFUq)^*|Z4o1VhWOZ!*Bm~4$qT%$rInr~Ecs>b= zDemfaY{VQ@636>;=-f?36+hT=**@qwn!6p#s7O*4jfWlGi`9;i0oq(cHmeKkWOx+1 z5`!zYzRE`n(LeE5T*F*llW3aPuL5_?iUm@(q?0atC2g5_=0_a?_GvV5cwdY5hph&f zImbdC0K#g*&|j?Vn+Ard9|zpf4l!FU={a>3OE~FbV}z=Frl){D`gI!;q1I0`9N#7_ 
zLQC)~e=$#FxCSs&=)MR?UX$Hp+lbuQbktT-`gr=!vy!XsYWTJ3)l;ZK+G^FU6NoL6 z0&2))lt2#DNGM*0vBrKP&d8Ul|H(ZhC#L$1viF@L;SMEb-~I~CmBd=jUq9WgPuMMQ z+$;apD;)dH$Vcwef0~a#K;mVSNC?|6353QLX_oQRG|i!*#aCvFyayP zl3XJQNfvL2-}g61KwP-Tk0+QlO!Aam+pPhH&RnANywuXVMLs_g7XzhhQiO8uWCX&Y zx&+qO78odpQ1&1vi#8M0D!8Q+nwM5UbMi5$PZ|k7YF%{RPN}&$UcWeb@&eio_BDY` ztOgu{KJ8jy_t=QJn=+}h_!!gYma_mjj))4)5rG_gcM?6V{!-o)8)Iu)g`Le~0mFTD zFpA#y^C`!S{YSI(u5pNmRoUvUo_d3CG*8Z=S!u|XTdK^gL&q3w*ow?;>>8j^CmM-h zij<>s!FrkZl*VIo(Y_3@omLK?-SKoG`c_;ZBa_H%8iI^wUqD!#xmG>6Fxw?m`N}DG z>rF3%4~)*zeZLE-;ja2ive3eNnL*u%x~iHkalSnMW3nC{79M`}RR!D+2Y3n0xbf-f zLXwYw5xJwwQ<+0_K4#fjS&=99gj_0fLE+-<^){4^w#C}{iU6Dl{-!)4L-xmg{rN$D zdvkQnzfOuJ)JZi|PKC*GYuDH+Rqkm+Ed4duI{-+ts$SG5-Jml$+XnBRshsUhm|j=e*t7PXl~Ex2MutLq2+#2AeyccWMuARupzdb z22)QLD7f?}5VlctLgAjcXeG9rHZ$S0m@aJI z5sgZG_cI!BKeItX(G4(}yDRO<14MydYXjCzc831CN0@Y`-FeQ&*qQ60Y8-+&n_&1^ zPpyVLutqqg3Q6-CmC^_U<7Dsw^YMd1iG;Ho($Tks6hLdi!3r}bNn%8qxVuN~@#)zf zPpp%g)mf6xt-Yl$Bjt1zt*1e=K`I9TSvdgRRyw%tlEq^u*ul21MXSgTM`9*Rl5B2_ z*FdH)L|!vywAI+b#`-Cp^J>Er*TPi@0t!-Uo72f+g665YQh7dG>(Cm^&%$7A#~f*P zT$Wib+WTm;HFXiEFOoAArpSVUN^abjK6nG_fB8ggum+>;5G75ZC>}b-j=9@dc z%LVue0vZ8sF!w;n5gm=7(?0*S$2PYaCMS;kntT1CLSv%4wLrDIgAG#d7w|y`Q^ZvI z5-l7rzLsTnhP`@kx6BXKD=v$cp7yIEYrH$ONP;$7Tpmqvt(Tcnq@Rf-1J+E-okv{U zrgthEh(F@n_uKV&7jxeS&D!m@-UW}P5dJzgC_sn5;QyWBlA#!*c>@aofF}s>Kd0SHJu*Rpfj!K)lPINPO|`o) zx`8^!vL^lK65I7{m$V&MWPlgnU1}FOCAvKyPcC4;x;n+6h&jltQNYfIx?cD8dOrW& ze7~x%%@dK|)0rTBNDP_dfS^#`@y9h-s00shrW@oep)~)Xv6VhOX|B?t2Vu(+hM4sm*QHBRe6vW^#oF~HF2v%NJ zl%M4+b`^uj0uP8c#sX6spfS??plSKg6t zBcTV?F2;fo(RBx~cm)7?*H)F}BydCC&GU_Rr?pbqyZR{Tk`m1e^M?-$B< zz-C@5S29ZE6+91!0bY)404f_M|k_q&b;ZTv@Ht zrr>x|E3?%rJVBO28RSg<(v3I<1WG3fLz!R7)DNUetUtd`jQdNbzZ0)ut{+bf?`?Ub z6qw>Fd_ZkH%bE#QgE1{W^FEPV%Fnkf*r1YhJApZ<85U~LBZ>&&%)X0*Pr`n$x4V1W zHu#9nWUI}OOX}&RtgEUD7W$PUrkzaKVJ`w_QQSR7BoZGTHr1-mWsEhgl9W5sa=q3{ zvy^oPJ2mw@J*t8ok9$+d)z!9uv-YE@u#(wTt$Aa!Z`1a-SLklan$a&T6K^NfOd?G;C=Tc4B4nx{^sDEJTv)p3E19TfRir*|DDGr9-Zvv0_$ 
zn_x})s7_WzSkc6G_|~9xST{&zNy!AmgOFP?xI@?|MgS03GV72dzhx;M&02Ev{%-TO zd}FVYAZ6zDdP?GcgIdaxU&#JP2Wf@pue++Fl=WHWKbDrjVf1J@=gG81P>Bk&Duy~M z3PRsBQ^np8f(8Xp{j^62jTQ2#ldh(3b?D{;%?p5 z*y89TC%y;Z+9uMVBUr;cY8kDn)9d`q9DqHR19U^}d2_UbruA?pUg8ti!V<*t_>i|D!6eGwv90#&u-5hK;dsr*AU zZ?%tybR%~@S4cfZ$Nl}h51C!l-?w->gqUIHC^)i_sBx{ddYeDl&g`S|e3bWZ@K_7+ z6jA_Jt-!9E#Xo-z{BpLB2iNwQ#^s`?JARl7hQB?qE@BG3gPdIq-Oxa=v8O!p`64H zLLhzhRB@8PSi*7<@7aIh*NzUKHpN(S*DU2wk=JrobMVgWsj<@UBxm~N@BjF!D zP)wCt@QK6WfX(hQAeFJ@J5S#wj+10fTkVJS_kp0#DTt;SV-)0g zaC6S;iN!3yieSTzclJ9N2({ygL*M=F9|SH+fTD4@y0)mtEzyavlnH)AhW$3{bgP{^ zDonpZenBquD^lbU>d?A_A){k8#t+8u$F?SUJV!qmAuhhBjO!Qf_kJxhO~*9OKp&ce zI7E~Ig0KF7(xc)V{HKZ%*_9wR528fyvZRS)a!9seTP_M9@WzW5_z80XS@cE1)n{dl zB|M?W9Ke%nCxKC0MMPT|x?><_d^=8u{HH==x7SB3x0Imx`az|r@1N+!?@egI>~E2~ zJ8>mYXw!qs2V>-(Z_N1G4E^BL3^jWG!Cfip&?2PFM+k9sp;_@Id}=7G}>Wfnyf-q?e?5g)OpLhBc? zcBl*n3XXR#K4R4g=GqO+$zB61j2l0}@HVT2QI;KlXWU!V-!)@ch?4~o9`i%jIV&MB z7EoUA<&`ij^vBH+ZQH{c2=vU~s};BS=c7b1t)y>O7OJ8y3^V9#eLf*9Dub{(4i>?( zyb^QpVy8Yq4vjOI#_gtGf*dNBaM)+*pNz~M4D@P!D-jGjkFfdg48i%dk%dJ_FD%Zv zizSOiLai>bWxW(ukhQInYlT*)mLqJG_ReCGS5&Pt2=&Xi71D}z-BOIp4U*dW z1^wvkYv;$Rboi}niuq}Iexs+RvQU*AHrVCX@f2hDMJu66uOT@rRV%ak^6HZ(oU8W| zUHCcOZrHq)cfXSSHyZ|JY>#S1UlexG`L02VoQlg3;dTdT=9rVbr#m2#ii>T1;WReT z#imXg7<6xw>e@PxJ!O3r2u?OH*Gpc>fRRIjYHt}0>t(;-@6`rgs+?LVx#AW$hSYp6 z(mjdUbBs{rY9)&NL32EKvIVc{A*NRK^{zVWIvoKxa`2T$__88jZcF(Isg$j*?UgYc zD%yr6bcL>Pu0a=1lH%Pi1u?jBf#bB`1wEPk3jWL?g6a8!rW%|a*^aq&F*56k|7DAX zo_y41?IVV;nx`IdJo(WUNsC$sH$H0{^8+1j!hzy1_qcxW9ce%&XGd~W6!e> zG3~`@|3>RB@xnU>bMER=!?N_%cT`*P9}1WPnMAU<9vGq3@znIcyw&elJ}0$^eg~=n z=*0N=ke4qZ{t3o;-(?i`*@Z;^2;`i)V;}d6gN6_Ve6x@Vlm{(q^+?EQp;t=q@)cYj z75%!UNld=CDbY)tCVEJFWmI-}E7?dTl>&zYN4R7ADp!aSZ`3pZd zpRh7;875dJ`4~vree7}Gi~+INnt`j-aSDS>(|VkGg%N+4=Agu}j554mNsGqPN8;@C zs~K}8Ak=x7qo}FzNC*{N5*yJlqw__fr~6zWHb&6&2S=pGSL*`CoB7K8d^$c)8xBLm z)!%h<>(Y`cJ;a3y`2m`*IFP`Fn9aTs9pOao?Os?3K4h}=aWJ~|28_*GNQuK4U7p*z z(})Bn$IIOrHA{B!&Ig;K)y1i~`N!DR2agUYrwlnF>e=mdcSBC=(m#EXOrmY|uNBUn 
z8YV_K?aN86HQkUM(zWh~B4Wtf7UeU-07^GJpSYc{X2}LV;QN72!J)$Id12qu{9eb* z!W?_EHCaS}wo07xJVC!@su?-R;@00hxrjf{~ zkMtl&(L6f0Cy3qqn|j=*+gt{Vs5{EJT0}pwNc43YSnu zCI;&8Zfg@L z-!6rJp|~BNgENS>jZOwqcUA>FBc&kaQtrMF-WQz%wbSk;VC)EGp9bN}br_sHLg1W4 zGW=vfOYh+S7)fNT>LT71U;$p=iilXWorZL6%FOc_;U@}v_48#$M3z5I!J2>*nqNf8 zQ?!I`)5aGS_r&RN+TnDFE4~MW zcfJi%ok?o77c!ek4)>A2ZGP+$xR1PeC@(7*oVO@9m+JXsZS>l?FLYe`-pC?Fl#swJ zuqpe9vJ17Oa8QiqIN{32}iuDYp~v_{=knrX-GTzupI_xs~=?S26` zFaUrG7ytm;f2Xv#SlXI;+1r`^FN~I0m0SBw283_Dir=A{&w4eZK-)|**GrNxsc;cM zL4^@=lLP1mv#W78gY)KJUw280=AAm92;98AuGiVq?3|pO-0b_yrz6rQoTvb#>cF-f z_S>S_tn$Y|Ae>7y!loM}yW|}xW0a>e+8~QT-mEmankEIpzpSwK-2R(5=99veEI_dx z4uCdLT2WuR%U9)m9GP4qcWkiSfA5f_v;~M@IFcv9%hW^({s0V)x4PChD3y>R&ubZy za6w=S3AEj32lLyBIb#&QqI3xc%UPtOP}d+~RD#5cBalR?`-J`JP%{O+YD(552K`8V z6IEDk20$IbwOR1|2y_2bfi;A#HqLcMTn_-wV!jDdNz1P|fS)&ifu|#-P);;sBNxYX zOdQKu#8QI@9c!Mik+MbHw?pv9oijd*LvvWmk?Sh*xKCtTLR3O&(@?IEtwm)_A|#ig zkYs1x)|213)7+9YNlCR}6B|J*Iez9wdUM-EN)^2mn8EfMg_iiUSik>K1YxXQllo{D zhw#yJ*3rq$1>kkD{Jh}SU$uhI+M*DSJpc@aca8Jhwx(kjCMm7gp(+}5^1M+js{z{v zB4%qhKM5~V9P(MY@d_+`#xhS)oagdvD7%-mqfe9+bHglAF59w2U z#VLUV#ry?lq7Y$D!|T+!CB5=M`xW5t*UeMXy{QbSjfLFbXW36$Pdlub(2I+X^&u$P zmW_a5L#+=aN9JIH86pUjEutbJ$DSdA04a#1%K!(Cws5ToxZgz+2?5?gP5{Xdu@dg} z=J5*ACIXS{O9J^<5C(pOtdwwjF@YpVAV92w-AJA&w1x8`jD0fM)DUW$VHlpobOHiG zlr!9X5R`9dtFa2m0VIYx+mIjy7)PUWGpArhJi>9fs+9NDnw~g65^Sdlg?Ez}?c+`8 z5Q7bbNw8IuXK~dGiEmE5Z;!v$!0QzxuPl1x$?o|Hn(7dxFqtO_Ckk&dorsBRI9LR4 z!7lXf+>7xOH%n%3&i=HDycy5#q^j%k7|HGiogp;*+=w-gcUKPm?ylXVU0*LAFjXW& z6eYkrqRp$(0fU$b7%O`5o;+JWP;3e5eMlbh71hBD8zHFU=YeE^{RR4*yBWR z?gl^i#2sICI{7!={@))wG)~eMdb%xvffFcD@4GXNDMv@AySqEaU6Rer#~tzXJ0f~- z)au%XlN%rmIPoceEX7bEZH`!B4>58DXg*UWnTt_2g1|DAk<33-B>bNS_tWs>F46!a zsI{tp-LANIl?0NFF;dK-M`N2_?9Q(3vBV8t?x!Wkp{gXA@IFsvAn^r~A4MI*J1#lbwp24F|(dJ2P7q{~@CABmuyt4o@5 zLz>)?gI+>FxObOaYP)zq60Klqbd9qrwJqbvMznB+9?S`z!Kf)8 zrL7VzLovQ-V;Xd8G*01xeRyh$ejaj}dEknqK}kriYK59=u2K&)qc4Q#?7Gh#XUUi{W}iKPV-mK~C|)-lcYY@^-6KB2TLMm&tx 
z-@YS865hY}O-7||**_pHH4L^HX52AZRq>?KJ>Az+Wy?xq?mQI~NaZy(G1rKp#vrL9 zYL!5j%YSU_wsIZb)%X|(TiQJ3`;9L1(gCL5x>^Ou#*QJ3wX2fDP6JxXzT@f)H5_j{sX4+T813sR zvOM1|p;mgnZqe8Y=7qSXOPh=$?_USQ17*zecGTV!aN)R4aYqq6mJ%CWpcO?5xFX_| zkH;GjVp^prw)t%H_S^>;5pC3H!-H%7nWF^0Qu{vNUk2xTK3_9*kZA#|X?vNJStr!mCkQ2V2)upS%dNzGwQrfA1 z-c{791aGEwSj)PIIG@ONEw8kdKT^!C#KI1l?NsHB*G-h?tlHvgl#%b7S8ch8%zmz` zw3I)hi&nM$WODDAo^Ma~Oj&@r#x}}>(grS|f3EDoM5JnHqFGCCjT>(dXJL<{QFYI% z36dJXA5l}{i6tPLkh}3#2QQ;~IZip}Fr>Gtv#N7M-Z{b5n7Eis606hV)-QNAC5WfQ z`~tjn5T>~~n<7yO6RpJ<7s1UUaHT>qEW4?Ct)E~mxY z@wDBqr-hyo%BTiv*jBA2(ehPpDOfU#yCP96_WVF~Nw4P?W%YdP$elVjaTZeuS_UxT zSFG52dxG1jN?NaNWF&CZ*V3qQ)pf^~@khJ1?_sKtDBYs5X=jak&ihp0Gc+cnGuGJC z>dUw1!h2K+e(Wd7Nfhxx<8!0ill#1GBKk(K#ZiQf>pR$2O&SMS8FhZ>C4U3(n{KWW zKM9uJG3MugAQVN@R_bg2sj-}Z000pF>lEQ;>g4>tqZ4@*b)$1rK7=woxckO@q_Cu8!AeMJ6HiyY2WS;z~jJwTLbv zl1GYh%?6g3tXv2akr;`$1CtnQ(=EiuW+5AejVy+Ydr)HE1DC2Vv$yZE#(sFcLA@2u zIZY!=b^K(Eb5JGCi<0g`ZAIGegacHM{z2i=@NC5dcMAJ7ItFWSJ``%19*Y+|@~E84 z|1sgL5qzB4xQ=D8h^fz6z`gn;0s)5oh$JfpSOa;8tS{s6T!qEZWpSanFahqr)Tvr< zsA86X!*n<69>u(Cl$@r5`lsc?pBa&YRC+x z2Ns-U|D7JM5&qv|hX1lu{Qrv?a@4h*t2mJSPSwkq;N{$yXC<>u=1k~Shf|TQ7(4*y zH2D=lrWm;~c!Wp}zn?!_KrlW{%;aR1Abr)Vx>l_IUC1=e-VTDoZ)M_<*rQC`NPOK9=tSLdNCR@DZi#-fJ8_g`07%0^=OH5vrsM8f_DAm+UOtzd- zYF_8TE9lgOm|75JAUkR-0EKe9L7hca17As?2$QmBF4K6VGqOqw%R!{~5fv+AH3pWa z^e$y566+m9WTn&PRn*YZWK8y@U&u^Avtu_?u)Nc%lNp?IDIWA1oy4us9X#ipLOPas zHr@?`sZ&um4@$QU*|9YSe|DRA%;|$xQZ&}yNj?eBH1r59x9&Qsv zH~UfT2Q?;JyLf^PZN$hzH;2qI((etvU|>HN9CIun$2OKDdGNw)F2JYFoVg>i?+06e z+4Mo2`HzH0g#_gw&wd?k*0>}g_NB^6rl^}v|0$3M27E@?Cb9(FloNXfdO}LdE9~WP zWk@|WyDz?56IrnFJ|9aCc@+zq@8(BFJ@Tg#a13WNQA;{aP}!d1W0ktXtEygKU;kPw z!b`t2qpt-lpZVFpT#Q4AO&hE6K!QlwtL?>e2(3%$s* zoh1aKay4~KMOqLjT+Od=^a4*sZ(|xh;U?(Lx!;b|bBMusc$ zWNjnv80-OKYw$npCxY|6-=l=RY!d+NBDk za*R!XICC-+jl028J~5Fv34HQaQ)YD;yZImNSTvq(Ae&QrrQG|hm|wXIIh8qn$Q0vV zlb>H75uD_8$@a?orV-JCVW@-uVEdJ$?Ve{}84twAN#RPO=0%<9)fclTP^1)F?XLjz zN$74&JXh1NEKl6?*SuJJ0~L8mA1qKO+__i`15+OP=1qqe||yOwiy1>1(wzM 
zb)~Wh-YGv@6?X2mUqjl7iPf2f=n9Kba`fe>8w%*`A<==>7d=P*59GC%M-6k^Q7*)w!AR%vU6{?&ymM_(uS&)@(=@&jD{K zq03jmp+Wp75Nt`3L$_nU`F6Ay6RzwS>Bx>E1q$J2j>il_n!|alYyW-859_g`xK&~p zUOxO^tOoq7Tz4UC4Yw*wY+7`@vx|OrgPd}FOE4cqJPfc>+gSgr?(>8&JAB4W)Ms)y zMbDRN=i&iZ0KHJ7Mw%56&=l0mMXqMX5UY!#N+IpniTTmiu{oboMPS%+1euD0Ov&Gdt35?hTst1NJj6S;epuJJwx!w`Ib`xY-C)gefhx! zb0)4RaWi0CuCwQV9nh1r+tp>r!SQTLfboDnfi37Sap&+Sg*zMjgG&!Ai7jtAi|IiK z4b|Hc9nCqnw`uq_A!kU|<+}}$`;D6!1410=x8&99pxkr<`+8GQ5}FGRvW84&4#_f1|k2+Ur4TkHYsD1)J8`F^C$VrFt>* zEXax#(GP)S%~Re=&_tBbx!SekUL z!e`YrD`)A$_@jMY{Tv+yrI9KK6Zj!d?8|%h-y2ae%wO#@Jjx`SoMpu;Pp@KMBqn+w z@xRXioph_Tq6*-K>k)3fhRm{A($UcSN{!0Wi!gPhy8F49U7V`-;6!yzC`&{5F%fe} zVR|f{JYV>|A}r9UHaA*pQF{3AunGXR30!Bg@y0Y0D>(3sT+04#PEQWK1TJ6E$02{G z#~e!c!!8jRMYjb4suxO`mgdQX1x$#qqy%OKZWFYGNHwX{oY@9eIOp`VUKW^-g&`dd zL?R+m7Hj@mTN#s#2(a6H=o%9*Yvk==dt+xfil0xN-_JsbU~qe9m!{y+GlDnJlcBrlY7*Bp1@zfFz-JCMcF4Px=4t7pc~U?IX>WS~OWoYJ&YpRC!$F8@C)J{Ul-* z1uqbPa90sn_y6O*tem8x^tp;deq<`IL%f zLCjNu1n&Ms3cUnN6>V_&`=6@LKhf#G=Re-l|MT*HFEIag9&>fEv~i~YKdz+zc#{4< zTuJ}EHiUOmpbG^903go=0D$^GzVeTZZDwiyzf@dnw0-S2WsrXRl=_A$-2hj z?xB9Y-w)syB{62!LxvGKc`fy^$kj(RvF-MGndeR%9|C>g4#2TQ0nht?S&A;Vay&Yu zf;M=BCz&6>{Bm-~(YzlCNS6pqK>X+}|0H@y4MOVXVqT(tLGR{}#U!%in#Hpi;*V3! 
zM#>Zash3PJlVq4>2AF_|C9^*ap*fIb&?N-WnJR*mmS8g{F`gh2#d|w;{!Lw{k^Q@C zj@A$oW|9y;)KBiV-$Y>=5~Sckn$rYn6sw+HA6?jPtti0`=93BP=pv&5@QVD<{|BWv zsp-!O)?NBA~I&6Y*dy z>y-~6(xdX+ji);S@A*r2?{R1GB}}9w*vb5*tDUX01X$Zp;Gq^6A)Rmo1`tb@$0R%S zG>0K3>|nFX7u*XwDB%!f#u7N#=T*}_ph)pBIQ-JC@Nl6a&P@Aa2`_XF_w0V{+HVY> zvLBm`!Yr0k-ce)1ZnB7@n~c)@#qA@Fwx7r6%l-XAx@ZR?c~hI=0J-lcJg~8O<}mc1 zS|t`sn4fI3Bmf-a(MHIuMV@JmqhNcnrm~SR#adQdZxgTG`q%T-rfuV&9ZU`3rAtm< z=U2VGjrR+!-_Di~TOre)FHXr{ieFF}4A+oAHm`2K&02OGWpy?HDfo>RJ6G;`arqM@Oh=^k!H1Dt4s_ z2r8>yAHht2l+yXaJ=QcdNod~@T~W+`ZQ@k2nIN+t95?s$@NmSPQkgWH#YY3=fr7@K zcEF4*(vG}i$gOAwAoTOm1OZn_i}Vhfz?fEWa0X!Y3-!_&vYE8A6`P^0V%FR+iNEKo|{IU&wQNaVf_0pAoa zsZKeP+deRMIn^$ZGjTIXb2V!{Sb}&i443Wh4o<#pI=RK0qZN*>en!n(=IH2YVp|;S zyLs7daggu9I*N@U~ z>%9z{Wwu{lT1n39*V+2bd$@3(4Ph|*1~UgH&szy|Tc8gFa?BjDGZP>O#J=A?`_WY` zo&%ClnzB5v_iu|J{H*!O$6I08ueIO1`|WqPjRB*$#66lJ&k?Yo=HLB(-j62Z`I@R{B zJ$vd_!&b`ecO9;KNX!dU=ui~d%}g=r9T~~W=Yk1~sZ;Z>`8syzuM9>=YIDSb3s$au z!Shp%GfzHDDFIUAt->y8VVTjHsY8uJbSRAw<6<h7sD1z4K@@s_0LI!=0h0DOHO99`gS?nnomR~68ktQpBFvke*aJ6pw0awIp zZ8d>SV07eTlAw>Yk6$>(@R0b4$ge0V8udokjR5Fm)f4&U4=84pgHnTF1C!jdX4sKs zV7%;9c#f%3^EK-Y)|m-C7GhAO&Kn$aX7y9qoxFd=SZC#T^_^Iae#wEgYx3P?gMaU7 z$EZ9_{8+tTIxja<$M-kuxFc~BR}~CWA$Z_mfO2r__B)c{=e1CuM=R$sO%m@CoB%{M z)zX37EU}SPLYXLP7(#D+kOYijtfQIpo7=!;i{2-8cQ%wwqOWpaP_8vU;BkjuYGFG! 
z-_VBbDdh)$vW7OHz#UxhD9lmqMa8zgImDQ&G#j?w7XxnCgoR*u?NWK5f<*&tIgL`} zTrbhS`e100ozcV;J3i3|QQhjSYiu3eJO__$g`@L~NrX2U?QQFT!ZiVmUm>e>!rZmf z0cz_8Fw*-v;T*08)98!-hz|&1wJI}=Wq-;wcp4N@g3z_5BvH`zdtZhC!9J>6YZN;` z6cp}55eACb*JD_G#{^fgOFBXnGuqs9MEVC+8DLL}!`lFMq?6+`=2sQ|%>!AYl-}o} z>}i#TX;D3=95VUcjOK}?apHv*G9 zK+L{LtZi*=GZNq460)FEWP~XooG z2uvJ5UwQYIc^GKMkaj3IVJXo}#i;>Dty$cxSqq)^*r1^IqmT+9kE9L*TkX2k?=>KF zsFLT8(_71?z8hJ>j+EmaaLcJvA)In8J!O>`F z{6j3#MT)-`siGWr2?8>R)@6xXcQF!{f=hI#7>^ICS(SOlw@-KvS!pX)1p9dqLL93r zB{;C;4ZN3Q(?Pyut3@e(?el5KoLlj@Dw-HYIK7i?N*`o|Q6NNi+~hl7UeKmCsrwI~Q892FLIn*u+amV3Y}w3#LSD$nrC%qInpY&tQ=IJW z;LR2OYO01L^pjblc zV?XiA(Bg&i=EG4fDLLnGm_Ze6<@~P#;P%vxwl2hlWgXZ8YXFw$9GDeM2j=i`P40`3 zmTpPtuvaIPB&#Y7)g$oJVF);7o1dtm{R~Hr25s&{^31T@Ykh}bUlHdK%K}wRw^}Sn z2g9ZzLHK+OAZI`>rnT;Bj~P~iFiyS?s*(M16~M!M!gI_;t*B6of8~x9W?qIpyTqJa zCw95H*)FWY5|{<+iWk}<_%drUUtw;~)BTZIRV?zdtC1_G9M+p}wkmrMuG{iMo4uXn zgLzclWFj~gSQ6U1v-9b*S$ZN>IOdo{c9Z!u3)|%Epofg`jv(028BfOX11{I+JVGts z9fGu)CsH+=`<&8wgvv ztg~b=biUnH^S<1#a!vbKZ!4QA^IcgQRANHJ$1u)$EtnPOTVK#knOK*j4O~>o;SI0x z+Eg)C^-Ad_7TJSE3j721Bm4I=$%OiqM>4wTiG+opWyj zX8qq>pWnMUYSQ|*2bWB%+OOo2AoM}kcUzc(7Ofwi!+YV=MmF1#-S>5^pZ{|fAY@(# z?-b%+mIDU>0O@~RENtxmw_8Pzrmg)J2htB7!M~ofDB=5R6^X2O_{<3C_OM*+^Jw6q z4gEMO80`WZq9zgrSMBfjOhPj4g45#Fj-J9Y66ful14nUOTpS#H+*#jHaNfR>Q>h1t zCD5(B96uQO+bs&YMQxADqe|{ji$tF0ABgth-wY$S52l$_rRftX=Rx|n#~%~?dkZ?J z^r&>;A2S&$i82In8g6KsP``qWiX)r{mr6C62WO2kX$VcAKjK8{N;0WXp%ey^F47kEEhrO9P|d6(>QyFGz%u7Y=o#JH^j32>&n2 z&LK*aAk5O`SGH~2c;$L!+qP}nwr$(CZQC}d=FDcgXQt=$CUY07I2jrDzxRH_p*E^6 zn>+3pexi-DZs~a<4v9fL)k4?hD}h^7h9W=shK z;F&H%7>L!Vr4!Pe+e1t4-tBEaW;@!7GbyqIcsN%u&NCOA`D`G?%F|;DRL~rX>K_gc zmdsHm5WeO@e|6#2bf_GnLlsu9vgEnbee2@Ms#a2*d|(QiG*_xK5unr zuLPi^Vc|Fj2=-U}6+FK;yDzl%A3Qv}abSf5CiwAmW^SK~ncg|kzk_Y?LeF#xrl*un zAa!`NWBu)-v!Q}&BMstivB^B?N;LPikvid5NM#ar?WAi$5lGl34AMutzoEBHYTRGx&-hNJ6P@+s9R%nT10 zvgA5e@Lsrl9N%5ozeD3}{G;8G9D6fl z2iqZ7Cq;FMKBX#DYi~HK4^qjPCbb0iR(cKsgPbb$SbU?W?#rN24FB>kP{63~*8N59 zC%O}_o`Hh{_&Jw7S8?GS1xo4% 
z<%;)d&=Vg8B#1bSep|1&^UYeB_lR~!feM28?0_qip@+idYT$LqrXwlnP6x9>S91TlX&hf-%VHubcS1l70si(W;_t0ID+a&LoSTUh_2RXB1*d zV1iM1?XuCXt@hcVeH6^kv#b zfiI$@)G_rt%@jb5oSE|HvnYQN11#`$@Qa4ENakIW+iC949$nWGDN_*P*q#R9Jz-A0 zJ%#8XZ(29hhFFiN6-!%T|4@s)B*It+vc;wM*B?jQ935+xZ>XvU1oxqK@nl&&hex(u zq*m@w1EA%?>`Q34Ewghj4UaU)Kcxj@gyt85E?T(UKiO_?kRJA%5 zXLMZ2ta*3#!Jn;HOZI+qh6$-6ppZ7yNXk{CT*8uQ6^cqd9SrO0Z1ED;mz-LbHWD}@ z(PM}aVTSfnh!>FYG6pn=N~UQ;XCQD=PJ>t@rqzav+1o4Vsz_JdkIU~?nyhh48!8;o zAn{h&+=$1PQ->U-$fh*9Z4Vd7te8tQ?@fFt=Mr-}Do0W@-k{KyRD%uOB=qDTO{ppq zT?xsqgw%hE_^Jhz!rMK>OY{t$^MLKJNYYNs9gfWiyIqnuHiAKBP3 zXm_E&i)>1`w%R%FtwK!m@Qo`u*}M&D71+O5^A}K;fCM=Nvex+UydEVtXy%>2JdVrO zIen$v(yiQwLNbG+K$C}j1cE8*VZaOI``Y)@U%VvJZUT1G57ggTPHSDt<6Gk__-3_;_A5t)F zKn)S9qDVyG4uGg7cx*qX)~x&mGbWlIlgV_h+-|X$@5>wo_JZxVT@(D<%~WRJUj4L% zH5@!_eX@;^A>`qQ&KK6<*SgCQGW~=tgVU?V&Sr>?-MxGCYI7f;m+{xy-%7sG?@>=c zHq@);==o_`kdO|`oB1vp^Z44&*cEZj4s)2k{c-znw4&g}w)MDF7Vy+W2t00JUO)I2 zuq*eu{i%5aW=rG37y|2@=`z=1n!F?GQO9Iv82f}=$!0*}9b#B~jUsf4n zg1MxlCV%k^?oW}$7=XLDj|XFpM*e;S{Ddt^P_fwDU!dR6r=Z;xM)8>9WU_n$Hm<5u z)zu5&&cY5E`N$=Q-#nB{?&h^Oi8N?{9e(@t*#|{=^ zr>O=WU2NRX|1@beUuy@MMF0TElK$U)djCt&wRW_$`u`}gTYoJa*2R-|6q0^sJrr1a z1L1pDR|bYPBrMmA>A-Y)$6Og{lOi!I!*DB!FKe4vdc3C1%8HaLp77h=7!^r^uOF@* z+GTRA&r)=}-M-GzK5u>vdxx7P!lF|9ZG}5mI4=2844MyJCrBeqRZqAOd>hj&WitI_;sWPffcL$4 zDhphUdHeugDvL$kdI=j_1y)s~gX(f@xq|?CwIr_jr1S2ZOoI~0MhFoCwA{HifypP$ z5KXx|WHXC!yKEf$zo1*I{WsAPv%pecnNFJhCcbm-y1sn~bLlTdi3C+zqW429{sOXG zP|j}EW+_~XHBiT{h7HMeEm5ABl$C}K5)7%Ev6DGZo^;xqA0*%3z(ESnLTKWVr4zQxF2|mp3EU8p}u{zeMH^m7V8-M17)B)igfEKRUm&adb zJGiK3++?;~IsnLd--CO6deom{q@~}xq7f{6nqtS+U$B9`Yc+z{9dQSzmQ}s10!j{c z&~>43L64o-MQh;%&Kuhz>=?Jtsia0N$z6rv+k*uUzGv;pZ-#Dabbc`+*ak`8^!{YA zY;RwtZNjznm8qd_;+Mm;nmt@r#KKpO&E073R5RDPXOZywjPTv|cloGW z^iGXp@R-x6X1l8w5qC?Djhz`5d_Q%5QV~N}J3USvQRus1o|cY9XA>V9QYJJCSLV&w zG0CCxRDu4gnUalXC<0GVdBQFe7FLjY7;#(zZM0+s6^UWqp8h!80^6}OZPPoA9$Ft4 zZ!G?f2!{%=g)6-O5WfApT-vr});$@rr4aVf36eQNk4(LbXrAsK?So}Sz?(wzj@NHo z*7eI|Om1z;==gZ?gXIZK@%T?T{12cOU*rAg(|l(9OntP>7oe{E6*NsxTpThNd-o;d 
zHqc2>qcM<+fo8$@z5m6g0Uhc)Ghr6gcOikK9izvP=7_vN9ixB`N!lj_q?@t5pR9eh z4B0mdd7-(qv?SCy`;kxbAd!d{v4Fm-6)Lu0-FjP>RI@UbzCI8~#0 zQelD`M^tG344HDYr^mzsF%22P>gPp~&Q3_?9(fQ!!PLG8+y{^Dvv;m~RM&%^2W8O(<%5H&K$~+9}zhyCl&EEl&>X z!b~Xn4c@)_+OfYE2FRQ>NO&=7>-xH=Z76DZW6z+zzg-?bTbE5eot=_uV+U=!2JUzB zTy&%!*G0!?QxD^t=}fakwcs`=Ct{ogBRyMi1P3{Dw6_hN#WYdlYh;?fKS5Im901^y zAebJ`Fx2(bvQFlgtPB0HXKMrCW(0K9y^j$mvIH3p5@sL=K$IW**(=KjD9(#sCf^u? zO|p?CPr8heD&dzjPq~Z>AAb*Z-e4D39APKwMHsSOq06MKqsV~FAEz$tJ40T#XYSA> zL)X#GBa28I$4B@rl2c4D;wJ$}7Od1rwi~~7f9vzpej%RP3GXnU9auX!o2>#`4ZT%2 zkybjT*83NmQq5XAS>6P_PyI&Z6xoZH(T$757aZ>n(0^_{w@O%9Y;`VFt6v}NO!|he zB5hcFLH-9JTb35Q`!t0?)D4{vPd=wZN_$(;=^Lo z7^wU^tp|CO#4A1)+&xCBm>=_{oM~V8dpIrs02>g2R!e?fxrl`q#HPO$%Pv?I4c(LI4Av%#2CH1B5=G7vn^@%w_nI#%+0|m05>~JIBsK z1ggJ8+}G`hr+zELz?7u_L|IpjqWZPB+tK|m{d%-1#IGpjVp4e2GjLbC$t)P*7Iu|-;Zf}XrFe4bNda90eo zjRiuNZPN@wCb&BtKDVfn-Oxf{<&6e8^#X6tkVV+!~9Q*JMZIqF`wbD+1Gj zObdX(PhC4R?N;cG5DQ1E8lnoKLW2Fuy!EQwN>|$`)6!hGB8BNsht^B%pCZ7p!cx}? znU8kQ6g9j08musjgFrrbT)b_iW~2!R<0B||-8W>=;LfO-vc8K!n~eUH6;UL2>|I`J z+t;|kVCkaA zNwFvpejKPyUhIJnC&V86y&jNO8Vmv0S=|KKXo!k(dROm&q6?sHs(@4R&KWF((s|gM zCGmC%Z=nv-Ga#e_iu2ECG~J zJ+z9GAY^wyg3;4l-$A5zFV?C0y79TJnun;f@qo<0POyg_#maW(c zRX5DUTGm$B9nAyFnBCS4E0VtlQ0X#aQU-gG;j_y`5dQa)vjP0bXTzp98@q# z)~4Ec7HQnpz7+FpwJ8T9cFmf=TX_^EDsrKxhfM+Wg0O_q{q2Xa&`4lt^oyx*XC0j>DPlyH1gmR*7ep+*&c&vb7w2zRO$*>FQTm~vHj75ght(F3^44S$@g(L|4_k6ahAb#t zZen_DF!7Ov9>9MR2R^I+-o*vhqh+giSIAc#D5K`n$FLCLqQyw3IZEhHK(^y%nYw^g zm&yewC>rPFCj%k*S6QnIC4+>)gjI#*5YdzY?|fyEdAt33Bl8+A@a0le7ii|h#8{Wi zFuy~k#rOR+*DPhb9TxOH+Dz4{Hx80a$>>F$+I6GEvIGAT%e zy@6Ib0+cocF+V%3JN1f!gZy(VxKP(^I~5Z;^ViTan;0$Jx4<@^_C-aQv~l$D#Wc!X zjHbx}A1(V=Va;&|&_iQetG?upOm-~_3yPf7dP9B$#iJO&za7{k!WN(w<)wrbOB0f( zXJFLsLg-MY{!1SjXAy@e%X~|U?H??^RMDJ9b`MIGe@@}3*thp{EWY1~d>rp{8%2&$ zi?22K2x1Kzcg=4wy2;hiDR^k`Sg{O9`NB0&v7JJWS^K$Px@H%Ob!^t@-kbuNywbR} ztk`#MDbzadwhKN=xu)mjGLuMIz55+yZ}!p(Vx7$Xa$|#)X97E=!+*q@6$(p-nMnJa zQ39pR6s+B8r*u{ZWfK3oG(^$Kyy`=23gYMMbA@3U{pI7FPzN`92SN^+qn3QHD`(`q 
zjxc~cyUNIqfHg;xwbVip@DD&43*EQl_ycMW6jb`#-;oc4$oz`NAh$bwAxk}|;i+Fe z2rXyF=Neko3xCIly5tM_^1X|RW6)7ly=FQ5cO%Tb>b{T|mf%{YZ53$UshHq;0)V#t z9_zRnRq{9z*n@k>+F~JBs<*VsE&Q$oAq>3v>(0||%TLUh<1*cw*!pyfVKX%iPOwWg%4E{J zt*a7ZoQt}q8nE*wC;EG*`0TH$wUmF;#*^5;4MOv+JuEWF>}Sz@d+3*r7&$MpS$Yv5 z_RXM!qs_$UT?}hie>0^TIvFm;V_c(1>?sOJkZ99|8^3B~RRZgCwSCL&D zV5}r`Qei?JyY;;qr1BZ5%V3umuE%Ph?P<{lxGkJ=4h_Orq(mY@ENH!;X^xl$VgB~I z`m>YKS^(@T{ z^&D;N|9=fzRfeGJv$ySxp{ATZ^fA@ zsFRk8(vmJzyWm%A+(D5itu^It$dxS_Dm_hUAP|!ME6V2}yZe5x@3zA-uAnRzh+x!Q zW|s49hXRBixgN3PZn*)OFp?=kiLQKjp&=X+bWo|NLHSYqoC5!!7)5XnSgBoCk<>#b83V@=**4Dc!!ZcTnij2={o84MG1Gfw#&@2$yqpOm);qf_?_XyAFq`+xxjNIpoGA|?2k?7( zyt^)G;V%*rVH5A{_3P?^JwK>a-F5CL6G9`d_GxCy^43h7hC`;;N6ZW|FE47yr#(`VEdM5-m008ZOv7&*QkePuat%0qZqp6KG4HE;yuM%qTUwK@c z)U7O$R?>M)h7VTn*bjC=xCX^8Q_(Z|pb79~5y|1@Tlv~uAdrC;S6oSVm+j{7i22M5 zE5fymRMt9Z1qiEJHEvL>29nK*uBr!>U0S+ad@Ow~W715^U)93{8#nO28W_*D%Fb)J zPa=7Tbto>Ir^hbtGHYHsPrh8IxgP44)Zu1Jo~kNumAC+YARO^XU%svg310x=Nc}Kw zV@vXF)6)x!&%`kOQ@5Z%2AuKLbCpMsFKGQ!_rO}kbU@hfWgdb{?b@yDVSyk!fn1Ma zccXxw5MX-A9KFZIkjg3qok;r>l}(PPO#FJjJyd^SzOPCcVN8w-XO~KCNtwB@!n7t9 zk7&E|Y`G_yGr7MX97aZBaNwjhKNAj22HuzC-hSaKOAxw<`6%+9L^4}`3CuD(fC*rJ zdoV7&BBeuQLD31qlOKjSHbRSmZvQgV;HyriLe*d0h19nFOOs3xtahtH?SGlLtl5H% zaV-SxK_RBx8jQ~dd9AjLsA&3kp~z`y!bEyze9Vx58(Q(=*LG@lT@fbRr~=AwrqTT zIqE7$P8J0Fy~U!Zrib18qr-uG0C|1%+iY(lb*-(iG1vYaPrWMM8oyR~t-S2cG_?RB z`K^s!T0=yUh<4O~75phSnD^sjwr8RDkZ9*Yf)aY0z3lGIL=GDU-UCNVaSZ8epZ(lU#nfii92V;Cz`8`(ddFEbK0cFB)lFZV(dZ-#v$)an^Rq?`K#{62F3=InnO zfN>=SsrW&>D`G0cOL0lnJlD_*MZ9G?>I}20>~>B)s!@@Hn}aS0W()xq_evN~j{|Ki zSrVu*^3P8AQ9+;RJe6TLoc$lGxMjb~sxJLsqyz!ejyRC5B@$K3xqu?qL{SC_j7b`^ z<>u-3W!07Yz<%d)%aTdw;;U%G9~Z1l;INrZd1A8;CXQI_(fQN&j+^d?2GdlRbd6q* zC$7_&U0BXah2#8QAz5oa2;%sdSxg>^P@zWxyK|2f`f%i@0V{oaKj;COD3jFFNf`de zg|zmIJXg{9L1?6u!O_Z9u+W&cGHar^E8}<`w&;mh5*vde8&T~j2eZa4 zL-}lHS238X+G@w2*?sag;37x3abUu=0H`)@*8=hvM5jvYf+G)wM5nuQ@&SKiL^GcJ zaK^`G)=}PZ?~=-dO3xv zqKZas;l0u(lkb>JWi=S~pK&+j5O_6Pb%vW3rvu`Qm-*ozje`7Bk5)`tvkx$cIy6s9F-S^HK5=l0~SB^LX8^KWq@C 
z@D!1wIX2&NwnJ`d{i#rX5R`xjfw~9)vwM{wU!-b!nai=?@=(H05cp|Noym9n?)b6d zF)>oF7mQDF>_8{-0$Se(!U*s=6sffNa7G zhw`R+&|pC=vAkvF@9JA5lV2x%51up=T6ov5jl4nB&Nbs#L#;gy1J`kCGb_o*g||u@ zxI^_SO}XKm4H2zRA9Pz@XIpz71L+-~x2up3FUdU(f9rXgDL4KsT?JTd>Y}1oRW}YK zWqPcieYAeCZTWOu>{V0eVs?PLy_k#{OiY=nh?wiXF{jtHSsZPicaJ2%;&JP=z5MJPN2qZ^-5HR*(dGG_F3PEQWBG<#2 zU}ginL-x;vyf9c+xI|c#-fUVeAEvLJM6&;+U1&4ZoC$Ng-HH8ma-1)k2JnBahtoKZ*cWCbOtB|wYmV7MjM2(ma4I~fs{Q89^WEhRK2vM9jHYDb8! z#0U}Py^_9_WuTOQ{Y=S-ISnb>poh~S+J;k3@tL_#nqH41L+dFAxek|W9o0*x+as_v z>s`&~P>o#$RZk^rjs8sTPScqQ7a2LC!bmJfvHs@4@iIr=a;&h5m6sa1S?U<^Ghp-U zIg7o}#%0ilWc)g-l=#{+RZ*L5+9x%sAQA%~H1 zI+eKP(2jFL_T{{KWf*eD$>dm#^Ql2$EWiwyu?{J4KhtP;ldA<4gua71M0Vc3k3RjiPkw*BwthOPJNvnCx4{eXiK{(fc{dVlm^US!%px@vcbcx6q};Po97y<&b$YrlWo zHuWS10S-9}HQ~fP9GTs87ZPyT-H4mZT3st!ax+pSy>`TouEXh2ADGaN;jPF@TdEoj z^CPPMdlGuB6Y6p_9tx0W5*%IeTf{1KBm>;ibaYGh7z;~UfGT{~uejp79KVyLw;2p* zI4)IuD@6+%w_whpSkbi3DqaxEf`IP-^9oG`xxn<`uU%EQoKniNd|{7;z`9l`2cYewwhonwMSSD8gs85Ie+RL5em79)k3^Td8?a$(8j)<1z@ zpIK4|bZ)hdIIqf$zZR@A<0Y$~s;WI^L9GuMS_m$s>vm+((Q+%hR+Riv{=}X4H7zhRR~Bg?3gwex?N#+;#k>@$LM+^2 zgQ>1R4gVTZ7U~hnS8}qI2TAOZp1PLs5I)G(Ul=nh3L9jXqb4NSmVwS_PrRLNrq`i* z&%tgJ1`Tt5`s_wj_od{f0N7{xZ8#O#i!UaL7U5J0oRB&-EEAZFX$H7vgM6*ZMkC;d zx}`i@_OmDiSrmh<=)g1UVWas(Yj8R%h9E#qC82*8xUt`2QHY64x#vhZ-2D;iBm^v$m-eCwLKhXjqA)KIm zk!E3yU~t{BYz8ewW6ev_4?d)OumusRLyw|2DTrbhFuGh9xOx2D_qS27(cu$yk=uBs zSDK7#q}s$y8aNSbpxWxBc^luqYlOlP(>h++V-i4D z?(O3mq@@05aoMks!pcVKsbV|D=wm`{cGVT57zc;qY|m>OtP zMbz|l(znljwQy3mf%y(Y(MjsxXQ-kRG;tHrE9kN6Std-j2~58R?xn}N3$|($?JMr5 zBZ#J#%zcg;_vspr=>okBx&dBxt+QtBOw@L0wskLxvxVDp+M<`*br01wJ5?UevddJ( zb-J>v6vGn|W@_``;H%s6E7O+L;gvk$1Oqb>jdHQ4OAQ|^#^Sw?WbRVN`Ojhp<5TI0UCcgC?2C?a zXG)Tl%A%FZVKLPV`s{o*PH%he*$}Dg?2AAM8?q1qWIjD$TtnKxOn?RZzw-Uoe3yiG zSrHWve3gS&dA~1h%f;3&xAmCBrAXhRH~r~8)$4z?H~8Ab28;N*xc7Q&aeI)s0u{(& z(+$Xd*!=cDAMO6L;A8bx17znvU zisuYdfwqVfa#%b7ezw&>tCM2IB|D~mzo1Ns^BgF2_6=-WQ!m;+ey#@RsZXQC5A@{Z z3eW$g_v%TMWa%9hz&BMgRHPYL7J>2ySeOebHqdkrAeUlHTJ{R?9uDxkKjF})Z>z-b 
z`5M})8|0TZ<>axG-euGD6Q)&Hu!Rw~7WbLKl#-i$zQOv{dZ$3C6j)ldcV`3~+iDDhK`M5xX^^#$wt&HQ3j>eEC}BtwA` z1S8Hzw%9dL+#-d(sD;+x|N2&w%tOZI+fXa_g-93=~s6!VV_?Yje+~JaxgOeDanpL zX}gzZst7I-m!{gu=Ey?5pG7iL$e5h4(7=>0q%AU`>UhP-!D~r7ny1LRlM&oxf)z4& z0T2R3ockjTV#Xe*1}OlH2uSF~d?|w!e296};kbpmS=%EzAM9m+WHi-(AtE{1oBekbq%1`VNh}fc?7M20FQ5<+0eT8{bRPGzFDco=cX?^XD`<8~Z{TN>V;NZu;@TIl_U-KvHisdZJOv!t@CqG{p zJAqetffzqgvp`@!0y1Cj;lq~B6XX5|;7*^}RpU1jmDNXf z5wbL7slQXzxXfdhsUfXY1%5$ydY^8QaLg9X0ZKR~?vto5ni2Cwx|`oPB|PpG0_9 zgm`>&nPm|<9Y-`3WZ-NG`AOPZ19CRmF;MyFJ6FAbZvB(|vlh^<2{RYvaLvD}`_CZp z0Zet8lapZSfKK9}M;qQpLTOX&L)u4OZ#{q7|=-XdCZB=$f4{k<0_`=Er ze6n{pwc&Lro@Jy&TEj0_G!9;qEVxi*vHK>2f2dvnHKDJ%-1wQ$2eYNb%cbj;d#`|o ziuTh)cKHze#nojX_1wPFNt)22_2OW_`I9w-(|-ZrFZKNY)Jn0q8mb+h2r!a`y>cox z#k0X5#yXiwlK=s=gbPXR*~wLn5B+|NZkxeia{gQbYs8@Y-s$F`wMnXeCXRT%A}XL13|5V-+bhU1&A{_F~HdoZHMDKXSrU-0fl-HnR`oI>$b9%N#8(WN?>GKHAElYyCJHXXi=6I zWE$_iTI{{ryvh8m(9KSDLZgK;YA+|Xe~aoeYT%JB!d5~4ko~QDhx;CW6U+Q)dumx; zndosOw!E%78$4XZ%gIx#^k~>G=`IQ2h3&4VXwFWoBJ<0h*$Tb!6;O9k-(YJqsiM=+ zq2av|UDS!PuiG1mm>Xh`0O*2LODUESL6vv(s^k!BF$Acp+BUP?CXd-vaD;)-5>(eg zDpGK_m`qyaV&schibh%jQPy$Q@!FhYL*rrPB5jy)CZXea7$au8W|-HNdROCbjn zN*X^~`g|*dgEMmu;RV*`%GMcV3$gCS(-q{gmhFVT_3~%^ffF?Z2iFq@CJ1XKm=o&_ zW?oBly;+l4NJ5{trJgtR%3lodV!gb%F(C)YKBq%@z;5aRDpgbV^*qTs%t(ize^!r{BUjLu}rVt0qQH zuj<=wU1f?~us?Md^y*%AtSvh@R?loVX;TlGv$Atk`BoE5H-vkeCds%d*oRL)WeNClYiu0`rhLwX34_xt$`MWTm;L(-i5poQ8nrw!tzG{&9sNC@MOH7}gFk#EF)&|DV8Xt{=6Q-K7VdCCMw;IbNsKkbcu|qkLKc@x za96>00dAK*e1OV{KSa^7;$PgofV%z8aK9LoKWwNPy2=jhq@*GT1PmDSxO4Fk-k>IE z(d063X6(hB^f25aDj2u}XSxWF;#zi#3*8Yz6nG1CKj7F8xXKKmKy|u_a3IJM`0!B< zR0xAse!Wvkx+M;^2E4{Bd~gD9FLd2MFja9LVT6nB17{ zb|&ohCXSB!p7+yPhxWVDr^j;^1Fs$K4yI=02-48u{Ckviu-Xtp+7ZKpE5U?&RDxk0 z`%SKvg%7YPG*7xYF4s)4bQ_vK$;s)IO2c zB|dSxWCQB4hB_c{Q?@yrNGKrtVqK*V3x`+!L_c4+scv8y z76n;L!&S#dVSa)+Vs!c$R6O^ImIhOnhcWf@GdeUyAV(TgMi1K?!z{@cVzU1+2|7^A z-x%L~Mr2b_=>O{^{&o4d7$i=Wp=K0@16i6R8XNqvP81{GlUlqQ1Z$lk*>|cSY|C@VfvB0| zX_{ih`~I%9U?T>}F>y%p39S)`iQ78i5>+08ccz5o?t3_W5n}s=V|z&Nzb#hE;++I> 
z^(7$Dd5}5^DBg_)B8*MPRa0p$IT{{Nidk=l+s=~Zp7+(yQ4VQFYfC8(PeopD!O>AK zjQat-#`xR{vvbc0pyqV0ztQ?lZ|fU6S>=bZn_i=L)M`rQ=M7bu8dF&`kQ4&NXZ=LX z&-jEVswK|e29^}8iS2Fqe=7wq75NMm@cK1#*d4_Za~AHVpdaFM6|>I{TeLgOPyAn) z3H~q7l!5-eB@zso1VuV5dtv@QT(V9tS$rYASRP0+7Mfkg`~zGt9X*8iT4J^tT79zQ zw6=SzOSBBzPU9|hP?KcXP=XGDFr=ptH1-B&X=o z)tMABS{kPRSeR*akHO?NvrHXoT}x^iQ(7c!M2k*|*jM)f6*0xY$7WA&U}GudWC{*u zrA=pVV}4AzwOOe)!<3jTG|=-M-!CU_@{ljViWl=QC74i9(o}IhO)f=ojrJ)t!iBn`DDCq?TFA4kW}1FQ6Tm zZ1gJg9WOw&b%y!f>E^M&HfK_jjq~+#a6h`XIjYunp;>*AIoVi~6L)#V#d4KaG2a(< zMSAv_|GB<@(%_Ua*V#bARR6}QD0BG; zW6AP$d|xmjv*W$(B5D6+dH{|7rID7A;eh3^u>i_s!Q{(E?8{PmlM=3i*NVKP+d}~6 zkpwgXZ0r=k4CynANuP@SMH!%F@NbLOBq*`<;8thN$eeJq_RBwSy8ncMpfR5Wjt+51yniW9l(tIjok>!MBks|XyVfiD9o4Wq}-PF%}5%6~ST^L}FXdq!}+yZ?{9EKrRcV~0ExfbwjEPu=)=Bt6k*L^~c@O};C z;kP~^{}?;m4*D1+R){nl*Y`qnnOuvQuumKYS;?k^{*AzpL8@?!7#(s%$$l|X@<5MR zT>&g?4`SW%VpRmHXEapXbtpv!YKeTdv-$5u{1Z=zO`&3nbfGnt=qDyOi7Vk7x@cr_ zvW?CITa)y97&tD&5x!}LSYsE>svhm}XDgg|xX7`qgSO|pnIWs4hL*#F-^qo5wLZUj zN326v7VAx;qoHzrh5bqBCS$qforaC@`V<^Y%r8YYri%oOaaciufBIR^<4QH*%Hriq@Go3y@7HF~R z?aQLfi4G@^j4f?9=Z_tpWGyI;6(Hsf@`i&HmY&kF)CL|b)A=% zlI~(-akgG+fqrEjH+Wzg-H^hrFrhv{ne3FR$y0569lSl)8)Y_Qk-X^Z*yGX@ zPr&h3M_2dHv(!P!%cMEkc)Qf{=tV`hCb~v(5tui8ZFg74!3=VklIba# zKeX?tbkvh{$p;Z%%(h9)|AVq~h!!m9vh=fU+qP}nwrw+?ZQHh;&$eyb?yRm+*Pwd+ zlZd#JJBzjAoU`}-AV%8*`pJ>^Haq~g=Y>t|h`g>ew3(1KcURVK#m!7EGqRtfhqB)Z zkL|%MeIFNlZ%c!_%7NeP?{2%r;1M&MJ}>T5ZFuvVa?{cu`HS(cPX*4RoO{omm8E-c zi>0$pAfOd?rZj7?jpF z)GsL4y{OE2Ng2ytPH0WreEsEjl-}+1<8yq% zjXIce3kT>|rfy3mA_1eFNr|Y`V&y~sFmyl@doC^*YcKjm`WEbs=Feam0t{j|@Vw!}o-Hg%+B zkR79!VYzYsWCP2C>*@4nc^C1DN$#4P#yxw=H7ndCZnohTo%(bnzj{++dUiT;0#srS zfBl48r6Fjj`XNb0UM-35`^5?&Esu)bOLBLKwBwKE7-0E10=w=az=Z2De@dyQr?HK6 zxO1t4Kt3}pP_ZvCKVP8;Su^LJIHm-%xJw(jYlKd$+2T_}Z2OT54DBCNRg3vngX9qk zQF`hvP9sjIyQFuk>uDstld1OP7`Vx-tr_#1A4v&m<7fLlGDhBZvn#dvn^($a%!dY| z-TP_f`U{P16$#YN?3!16Q%0gpodB@II@Gns(ykc%s}lU_cAo|Zt5#%}FU1=ePLrv-bnv}XsqQ++UWm@ru!Ek%&_)3-n&h&6r?Lp>r85ETXlIGn$e 
z1${;qA_=wIbDZVk(dR|DilP8KtSd{WcL)unm2U(+47yY06-eSp9vR|O{|Bx?d#I&< zZ1|E!D7ZZ04Rap}Xp01J85Kv1kYWG1cIa;#h>q1hE69-&exFHV+-OucMZ6ELEx5fZ zvU`YKrAG#=QH{V3uC5Y4(`Ho5L6|&ntY56MvU_*8(xb_gnZ%a-UmK*NM1VLEQIau& zT-o{HC}j<&`_fDvMsEHfkRXyEZ3r{Ot&$fXpSKYgo$pQ`r8jda-o^3DdSp;u*+o!X zS>||jK#Y<^f6wD3#EOS;W$=;-a`|V86!~5!4G+EM)?;n0drLb?jOP_L zhs>2$SK|Re#%JuG(~lV-*Lb{XW{m8@Kz~#nv zlUZ8O)xEeL01_(9eo$7^z{pj%Vn*x;n+a>l>}){uF(T{;y6r%r&vAw<=qk7u!anoA z|D#m~%=eOP{*MCPfdBuI_5OFf?0+EZ9oCSQA(l*yWx@Cwt%C)V38YjGcyDMJKv8j3 zO`9ZH&She|W_ccTag{repm6^TlOu;vxGrzWO!?p_+uoVS5pzDvQM<(v-dhDX{~7$`c(5CXf#!Hbl%ab zw_QJT-J~O46Kz@}Ydv(c8Bntsbi3-uZAW(Bx7!N#Zb0sGz`q%_SbYdTV6}@cm0*hZuU-zE`k1 z_!jE`Ee}ELp@cE4yw+!p)a{Wu!V+r!XVXLLZeP<-heZ+(8R<5hjOR5NvLH_eeUZR5 zqO^|ef;Xy{Tn24>sqz@y>s#6PfaEg_W0_^%TXsPab91`*in3KcG8GZyKwHt8)9;|(nSmzk}q?-_%M#0nWhXzkiTW1 zv?#-a3X|0VcRaawbG#wXzHuC5(p=B3K08lQ47qAPMx&zrU#3GE2&X!g9Ymr6f~ler zX$1-8%EONv=cg78L?m%s2=7ff1$3B^<~ap~(+g`1bx&T|Hl43~6AhIvM{Yr^Pyo@FNsxri-diPS|Zew(%57+1#Woaf~4Yw1S?}1O|DS2FNWYBg|&GRl6l$Sr(I(+1(6jzmlkX-rZg~c0PmlWv7NS8)0Eeca9 zmL{#h4dK#CiJ_G)7OUuNywBtNFKy=nCB!A9SkiCTqu&Jr9QEBC_z)pzL;uBk())+n1^q(#EAW5N(#}jNkRU>Y=e{9uJ5u#vbfv{p<9PQ4EF`0#4mz>5 zAj@HRQ)9#G$b_R-8xt2))Jt#ic+>DC4hY7A8!SEY?Tqy8J6h! 
z0#!-+M;(lzPBtn`MP?N7DmtPvXQywcIX%o*YRpJ=@MiR`=agL64OQbHn>e0< zswDfvTOZuq{-FBt`+e+)dUGzx5?(9Y`9AH)$lrS@&5$wk=rSr-xqPL8jF#p# zoJ;>jmKNcRJ@$AJrD=c^tS(W$?B-&g7(0gAO1|Bks;0H>r5NauF)O4$i+;i~a2-(N zaS^!RNU{wdkYE#;p}cuZGNGD&xSSu-qUwQTSK7rNb~kmY80|AK#`LI5v7Giw$s|`V z%24?zp{to&U%qrBS39(RdMDB38z9Rw;hSXYoG47eqgBxSlBZTdv$xQ_Z^^VTanmdt z0W_{;E(I$snQ3NYsBtZ=31nQwlm=c@Gq-`2@y>B%VMyg#T<_PolyL_(u43+ijqaIg z$HEZLIkz|9x|k9GUeq)X#Y(T`V&3X^!3W@42zXg~?tzuDkGY@hl@`NW)s@%LV^>kV z_Trr}XqhbE$&u}m-=6D|i(}SU?(WL;%Ihs~&%raVuk^gNzVLks-EsBG9;iI&`OTkq z-V4qB@2~amz|(hZua$F0u&T_{zz=Pd6>BB4`g0xHox5JHe}7i(x>ZoVm1cjcT|9(Q zW4+D&C{KmWe5LpHc!T9Cy_|!00sX4zh58{r>`O^D>qpD2V*v-s4MPC|d?XJM=(mxC zCNQv30s$E!+y(`7Pf;s>nCdx6^FHnndc@rM871NSMO%=l9TIz1Lf6&g7*yW3uT zewekwBG)Ua$ULU6xy<3=t9iIzS7H6}ei9-}|7&Q{+O(^T^;UjlO(@OmobAU}aS*CT!>5Ff-{!c(de z4-Y;Fy|c-Z|E7uKjqhS=Y{9jwF|;L(6hCZO(W4&$kR4`stzUUNt!-u z3;r5=v|3_>z;+Hj;LDjt58hJ8TJK)mUd~nL`tC)spw5!)UnuSwo@%mNDCN!WNSo72 zuR70VjOV?{Do^u>YE6G0m#syt`lJGS8g42Fil3u}ud1j6nigTI32H81)1>+&0y-LD zssmakU$dw>RJmts)KL@kShn&`6!J!^*EV}IPW96$OYRme4rhlHkVE)2#CZ5qY6E<{zxAjcv$VU__UOBK-;aVBF zggzrpv*VnVCu5Ir6P0vMFK1IXV^b$_S=A@FGIQ}lkk*y%&&GOXq_xWc^mpVN+5m>_ zMhAe|@Guv&9?fQ}24E#J<`boVYOP%uuo@Qol`Npe_^=j)0h;Yb9H7bQP!5Cvo9#vr zpvm~~2ABby?S>oRvVQ~@+#u)8sqP>GxRA=0zz2>9 zHV8NYumSP_GyIf5FTexR2zrQK&DvG!KX{qq1kf=tjbxpmgzA+%iiK>Q$#~0fYbMN6U?H2PuS|6ck1+XX z#l@1Xz$uD)2x%dcZgWI+MjCmaw&pzbl{E$Xe%_>#)%d1lizCKJ#yXAiEkUXytk1bW zkM5Zlz$fTLDR0Fk;}lQ9nB@ks<~;F1H{Wi4iNBatmrn=8$|*G!N{hL8o$Pg?T!2|h zdW~6NyI}pjb;U(ZdAhp!$rqdgzec!QYtgiLbDDzoZQg9a+S41O{G346L~BuY$)G7> z0Z-k(sjP%lkGy2&^!8i)s4g(+eRlSQpFBzb$M6^a^Jtj*;Y->WLhIuChnt2j(LSlb zigOK2#UVk%tff@C?OK3#n>-b?<{ZhIT4C^M8*6F9^ArcNo1kxq9METhGS@Y7h)7C* zQJ(ZXPjSN&FRhWMt~ohw0*OQu@@KntPL@q)@b{YJa@f7f#Z)>G0|CD2;9oA8>9ex! 
zM~%MU0=uqWD_`#j3k|luPBn(qr*#3%SR;w7ezj1fEpcY4cPmWR$x@-VE`guOMgOwv zk@+Nf2-41M6nqKrMu=aNuAtK=}c3M(a(>T{P5 zOa1&svu(IqJbF<6&jo-JJkpU5dxvmy=m>S-s))74$@UwHpm9nAH%QE!!^vM4h9{mg z!t%NWei2&gL1GYCwSP%JTvWuyAf8mjMFilK>-y);$V=Lo&wnw*?5b=)j%XucRJ(up zX_Mwf|CzLR@dwt0BLX8&*(B8Y1$l3^XjDzi$ojm0wjX!x{C=a7V#k|eB~d?+KW`*aFItDxSPG7C4J?8(EnfMgW}E0)C~y$z_#lDu6+2v33dNLF*n7fZKEyj z_WB@uPno##DacC`(MS@R{Cp>^wO)t{ie@YAg0w5^ByB0iWXpFnNxg|g;?gCn=vg2d z0=l3YXrhiERUQ2#Oo>*`zfFXHE-whR%IXN%0vHMKoEL2q(Eoj&F}d1PY+`;`NP(Q! zamr|JHj~ZiY$n#%ra?vVw!F(blm|w6!B4qfN2TufS;r#!ohgJOOo&xc=pr**Ze%4U zi>!mYJk%V`R%+~mR2y+&3^qdGYh5&wp1>%z+i3x+OqfD8LXu)O0#m|g6`_eqEsGhE zOlTFgj>#=sL1FU?gZ0}zhg-^IXIWHVlylIWKR>3jQ+$y5xdi+yd%+h&6;F8)-GPCA zH#G%mVpypFsvJ`-1KY^hGB&eRAXSRTnGSYjf|U?uDMX%brZU{F$hsJ0m9C~T*<8R? zio48At_Zvsh?OC?G~`lXHWIug!)|3L7dV4Aw;g3s3cq^5r4xtkKy3GSdM!rV;h)Fs z`i438m36i3}k~Rcq6^3 z9sjc)AAWDq0|9>DkSAz%uPKV`1jm9CUW+auRnZ4ezrQHT$_&PHZamK7guMKaI1*D` zF$v}3D_ltT?ZDiszOd6^SXzQz+Ot!C0d*GgMlm9@fubg%PBDshxi(I4J< zT!QGPKy;Dl#GW+KhX-dc!0Jr`27F(*Zz|-F0x?(~J)FkT1JD^qjDs&vAmQzx(k(;( z4A--kh<3ivnQ&nEFAugD&3ydPU_(hUpvS;m%K7@b^^)@)%LV88)uS0uCWHk^erkXf zP`EaqJK`Qmej)%jAR7=3NIE0~q5+A3d_XJ!Eg%+t$uEqDW5!u#N)18Mfhx; z;?`()bluY!uIIF|34(7JOzwdlHl?0-H5sex5PSt+Fd83y^8=qm&EjRHE2}+?RL#6p zg{#&8?R-P6lEX5oj%#;K%mH;IQvJr*hicv6gq}L#HCJ`3hpFN6_?aW_0$?ey3^;G| z*vLPNN)Rfa`Y|P`PD)~z7L{RuU$2%>oXamc(ufnJhAgU}qCYGo&~KuQx( zxJw`@CsP}}>M8x-zP5HQ0UobdkD~GzvYSDtdFkEp5{p0R%LyFxSitZn_ek*4am2kB z^Wj>5PE*lErD=S)2O4l<4;+wyu_7iFuD6^>A`^=vvHj?8J<{68dKlt*UjJsh6C#S% z=k`?ZUgD?sJ?8U&^xxv+;dtH=boBG3_i;N^<$a;udI|58j49FMpBRX~&NR$3H*olm zV8={(rl}D?4fQCZ=waQ_JtkNzV4oH>^p>E`iw1#bF#}~q;cNjs9n+ z_(*Uz#{w%K4<<|}^!=l;SZt`!r(d+GzsTx_B@b(OmosT#!H3fMAifJ9;UoXXdobnU zd1+&KaoggrHQLnO9ss*<&bVw`qi_AtMj=&H?81HN4wIv5Z_r-9g3p8sOW9h|1Vwk5 zP9}n~!itzldzXWMyzct@YY4Kk*~*w>VF9*Vu>oNR)>&Jz3&aC>ABVnRC)r9jp-N|M zfGU3m;&>L6PLns;WV5kCl>YN4rgYqMXD~HfEnU^YBO8WJk45jg~VkLE^lIPx!n)^fcWZIXoKkAdqmhz3bV?)Xu&Mfruq? 
zx8WS`I<5B};%)nTSj?RnPVc0vLT4vw82yMKz@}Q80?^3n?NZ1Ud1y4uy?@38=b#gW zyeyd;Od+!5U{ZDHMPa$wcC2M$I4K{B?wIH@HT@14sk+`=MB|hVdSbt?|IkN?#0mF= zifwG^+mm0n+uK#=j<3}Guk)pqRM`{X8Vj{DpKSPq?K@0=Kf3})S+wG8P`7c=w!VES zRK#w3i+=U(of71`=X$i=)zu_aL~r{F?e?21Uk{I`3=9NVtsir)4q2h zvB?eUeHyr}8R_ri`S~RGsCS%eKTFvRQ>rT*WNmRIozhNWRhbXSwP6DPKbrX&#DBtM8GOQy8y66NGq_m0e}^cmyd`EphiF}fLsY+ zF@k3DQBFc?SS`Ssrf4hBlB{?w(2}Z19cV>e#1)Ub;Zi6SKz9T%>k^47xF$v?O3X3y zuRRvaqDEO-BgqImZ;hgDKy>Gss%8+v+EfZujj*{Q!5bsg7#~SUq#14-^`}f-0t+Qw zF;JC)Aqj|?njs3PiAt-DlA#NzO2q&U^hCvgP86CPMI!~Mif#>*h)BC=Z<(r|3skMH z9}7jJ2*_H=U>a(wre6z1qYB7c+29)Lsu<`}!5{~!S~}1ZMWYRfyQJSM6639$i(+_i zGFNY&lb(}`J1?AG1Z_RU!h?~r^DejqWYlG~~iKNcx_FcrfwxPqq=m$>Bs0GK|kxx-3l9m%J z?3PZPW9s9J_)6!G`98%+jRX^kuTQ@iF|-DkZ$zw4jEM;&oH=X7ASf1`_#=xpl1dQP z*^-kDoO2=Y2dtwOp-TREGA3chaFos;eMDLuy~t2?jX$0|vy&<(kco`@TM#3WiBMoD zCxcNs9AsFHCi%;!+-=<;<4ox+Sw&_w>)ClJ+WQ_j;)Yj_PC%wq6*ZuaYr?xu96f}&G}KDS z1gRFKldb~NWRP&y4ZTTn##xYCgC&BT(aA{2Le`zp+LC7L_$Ns_rpx69M}t;wo~Cie zPI>$^0#bmYkICw*zN<9oyzyn1vq<9TBDiX9I-(m|Mum3cqr@t#qYU>8iE2n*RW`ND zJ|9PT6C`#g@$NLY*js=Eb1&|QPNYU_|HWo*slm>awJz-q$!E=owNq*}&D@aC%sYRI zZ{$71CNb47RZOg!Y<7!p>`-8netjiqN`7g$C?&`>YqHiRn#fb0b^6} zLcOT_%i}~<9J^Q?`_&6(DFrW%XM5L}j2EVtNqp~(&>ElRQ6)YdgVa3?V=3aLv>%bap#qzT@HxI6VuXIQ&3{#E_w72iZeIr+$rt<2!^kIb4zmg9;I zte*Hoy;}*4 zuDzWM)=Ywva!L*{YN;BvOwD+v7So9?mHQqxCdS}qaogX$6Xlr}y zZ{!=vgm=FqZdI+_(6N2Qo`wUl&O;ih_wH**?lf)X!jTP;V_h2>Mhc{#q7lrkl-C`( zOp<6f;NGQJp9^qxdv~Q%dgJ+JZnrnGJX(_Kd6Mg7;ez<|WiZIcV6?qQ0*(_;7`|o1p(nOsK)#07NQOSjhZwaP3W^o z5{dYNP!zdnk=gx>jtuY(Lj2=HfXO+gLjg$J(vnDP!iz17jf5sqb91p*v6?O|NQ`d!*~# zul07V{au)C@n;GF`YN1mSxTxtLMnffdw%EASL1U?-nW(avrh_Rxyl0LDjVOM!cwmQ zKp6wSi24CDBAqNGLtaywmKC@y%Z|A1r9OU9<({(GT?>1Ov(JX+DW@9^R082488vgb!qy?y9Y~>AqZ3_|an}GYczsSB;V8_N${iiafH4Rv!iS zJ0nOVXcR_ zRFzR}b?myBssk??sX|_hIb19(M+B^C3c+`yLxGS3Az#@TxVc?eIj}jLk4&kYm0FNa zOMQ$Avzq}e5XYXShA$Fu@nOcl7*@E8`gT++cEYCAnst~8QCv@R2VyRyKQ$kWmn46D z4OjYb*JYeCnD7nbQ22j$ZjeD^jzX?W9KE?mio^;7n>O<>v)p25E{39UtQPNC7&GuQ 
zvs__g<+8oQWp;zheuEzwi+phS&Y^HLpJ$PsqbKjYp?!-(;z`|cgCEv}T z=d#6=<`@S#)7WBABeW&Vu_U{}LC@?r8)^{Q=lndc)s47)aqDcX({gkzhT7$4+04pJ zf0mw<-4rxiYB0biVJ`+oufL--Mn$-^$d|vAO!vl&$BfrC4GDB^(5rkdn*ENLjHtC3 z((Y18KqLsIi2Zif0L{BMN=t^QkTeKe6({H)Qnwr4Cfcwcc~NA8jyUTG>jZX-Of z-sMGhQ%q`eaa9k3DbR%1t8hQ{B?abgFn0QCe{t9 z@pT4sdEb>#-{hD|-MZar+4x zdPJOa;QaKEK@z{IE4fD?_&!F{l&6n5n*Hk|+@tulCCdR1S(ZoSZdv)bs=twX=zb9K z>FAUpC^s({7l%#a)K}f(7?G|(l%130|`P7T*&#_oh@5l%w6&cVv}%j0uqaA z7uNw%kdzU>liQJpbO%jTDvTk*;GRTKGH$}gZ(0_VR_8>5jZo8pHuze6X%c9GQ+YtaAd#eHi>QDd zhm~DCaq9z!>MzpX_+XsYe|XyNuDo7rghyP!i6D(;V(JEp_^k4idUvW)!ANHBB?$ zXc=enTb1~PvHlg;+uyRVb?>lI(+;IEgdhU3l7UeWg7MJTvx9_fvUCky}e}PNcvezA7o=1`A zw-J0k8FpC+S>*LLu*BWA>#U93R`@bm;vmbTcqL43{3fM@^E27!ZxUC=WG{C@Uq`~_ zHUbwKzRU1i_aSDtGy{G}-s`JBxo&QDG7u-Nbx|8)i=~VMEH6P;OtCy2RHzwt`V;&K zonLwvWo?UT_P_Gvvshb8DLXx0n~AjRi8REJeF?PKn|tVf`{1db7{=HPbv9VTf@EOP zGPNKeR*ktiZerY~ZANJ>1tAelq`LEsF@q*#c4ltC+b$D%t*;hv&$zBUhi(&bcE1!k zSIIYZxwks!7Z=Bj0|$%qoV%V|&V8Rbx1R5<(Czm`PsEQbwH;oCwYke&Ti!q&az?9? zT=@#C0hb>K(M9E-*Z^ZHsC4a{l<7J2m7PUqjT+vPZFB5Ts=sO9v(M%BSg*2SylV^7 z+MS@*!%>+xz~6}@;g2of4ImUPC*D-?o-(!m(W^ThcgzYO zi8nb~V}u_C)i5{#u7!WWov)*{v=3wiC11TRd;QP6^hV`#1c=G+$0UE2EP0&3T6zPu zcLRp6MN)H~pty=w2PJ3~FKao9$ez2pdL8&2YxP9BM(=JI`z-}i z(KO9XwNBGsxctP?8*c|*c)LyIedr7Ra3sO89IY&5W!o+%R!8PlHQ9WF9;N-ss{dl1 zbP`qmAa64;gbF-;5~RJ7?p601>VYS<}@-|Tf-&-Ize zf?_Hy_Hh(}?X7sC22heto%%@qXe*zB`b4#rjLa8~O&Q!N9y7<4Zo}VEv1RJAl5RR} zj2LK6ANhZN@A^OYcAD6;|S3?_PS=ZWYbJCleS(s>X7cRTuq@e zpR47y&kObOZT~Pxs*aI_uJYf`nNzAOnei|> z?k10Gd2@BgtR9}OSlMzj@R#IL``C`R*?(xU^4Z`)d!#j_r7B63qN*rK6r-{%Nt82d zTCo*uu}oulQPw@_D~|;T8(;yyA(^i;MgI0y83gE}b&ry~z#=$MR?MB4D})o4{oCTX zl(vt&2rf=u3Lg`oitz+~0|zh{V00ov5uX<76)|A61<`C#PR2}q!N`(Nx@hn(k!r}> z>S4{0C{rFkGy4vYpOKZ-FC5|qUkIInAX3e=!=a|T8zEftlztp!{ivC-if4sPwI&Ue zBm#O~Uwe-ZEQpx}YC0oaBJ0_6_=wPRNQcgHGofB_RtIuMkYr7>gLX5;c5)^J+_5lF ziOO{p8j}d042WD!#beb%N-b7+&TpZ7EA;7FV^>aFo!9z%asKBVoqR|1+qvDJu0}or zHH!<$qy3jw>%iA}muZToOP&yUN4mg#TjCUsGNiJTl_*HfwWv~0 
zXL%Bt^2^mLZQU`$x~7^_YX#?iKNV5sWWY2xp3gMwR$GzC8Jx|XKv&!-+5w+Q&B&N^ zK{b((=GdKVh32Mw7`I|DCU}hL53O)P&=Lf1Letn*=(MfGYAQ~_X&C<22f%r2(hsHP zH^V}l@i&K!6evGy4;w3bPNp_{N4SfBvMs>@Z(#F%iSKC7$>+57OKN!!Dbi34o(cZ& z%lzE_+&=8*%iR8|hMzBST~*Tc`kpc~Q=HKw#X^jf_ex}RSG^!^(`>G=p-2)l!^67tC@)f9Iiwxr?dBMPLD)dA&w?&0aUwZC)frBb>ii`YIq4= zv9sCIz=3N`v9}#MghZH1E$B|t4bXkVLv+GacjEL0+Ik<6%&mQ~bJz&TmclbWkH=U| z{#QH`htd!C#I%U7&dq$G&Rr<0?66#>8(+{Vc65yNlynhi_wT@1qy_z0iP)uF5Jx>NVjgJ+6s&n~C47~Z0Ald;bQty#6ni;DdP!o+IQ*w@jLN!!X} zHqy*r5kCpiKX~@3I6_T=<-YVONI>94+LT!57A}bYZq-QS83!j4e|wxEownAU(1qI% z>DCNB!;{-ZlrVdOANPvAK3xQmw+VEp29_dAfE2jnIe|Tf4!hQ1ZBj@ty?RB zF*RFjZT;HX%Xa30RY(Qy70mVe5fLvQzZ?j&L*D5uBIyO9v@owg7x_S@Ab9`@;kFZFB0$t^>8kGs< zxYe=WxClp#ytndx8*QVfk4vTKbVoFJq$wI|-oLs0OyBIDe~Cyo18sA%Sima{qXF{@{D@V8RFs|)eXmjhdGb@RK{f_gCr z6*}rPbG{X^sf1U&b+yj;uCTg`f!LjTIfjfu^|bX(_V@~}Y7%GOJMn4mfyM>F&JbS1 z+0fyariQ#|T5IBCA5-kcW@Bk?d&@X&%&cI&fvVjU=G2ExUH48Qakl7^g1@pFPK4B8 z$$<+8hCh24&xna-l7bXON!MVez$6y`4Cne&K44B&nwT0+W|@|M)^t!iTzRZ%);nAO zjUr~DAbqRI&h$zwvKhAh4UwQiJOV1)DUuNZVD|JO#~>`($HwVnpeM0&0d;rETqK7S zk~oWzDlZSBI}Nx&$Le`q2z;;(C~8A?Klfv_+3~tjS=kU9sW-^dCqRSGg=cjqx2?yN z;%J}86yzcPdD;;)ZhGAxe`HN8N6@IQ1*G2ym^g%UbBmP6-p7NVMoH}_He{j%0|e8%(Q@*K~U>$>GVg>yWAhq!^X_IPmH zioJT{Is2Z>-S>Ovw1sk1^Oty#Tt`G!jJ0NplFb~8xE|$93PkpE+tZ8l4?X982s~~t zzN=n8ZeB%k#^xI;g3<{O0@P>YVu2F4#yxIg|ho}ah!sp47r`_j0o z+4<2`U%~vSaOlo7k+lT|T?H{U*;PFj!_?F*Gs_o?h0+v2q!w?`NgN6_9)fC`!1&q= zX22*jaqzB`^ud~FzPJT``*C~eC$Usx-Jf7}G zP}0A18Dlx>v~eZKBWCxwaGE7Eozl(dy?z8U2J@fwOwrP0KPCd_eZmgF06>n(9qSLi zOfrKxrK=I>u^N~nBi^*}0h}+kUU{FDfez@P+4*a#;v4eQ`Djplbd7nY2CMp>X4YFx zFQKrq5-KyZu@dV#7ougk5p2hH=P;ZXSWm3m)V-Cz&t~1W?AXI%uG+?O-_m2N(|El8 zoT4>4z|d{DYq zD402=Z54F)UbUr-$?r^sbBiA6@F&Km@KX(zNj;s7oh7g<>R;@~ORu1-XrD_TZOB6} zEIcTG0U&*wb|pM|zFM*;v81|oe3(2y^!2gPrgy~do7qu82P|HkK+~VwSBA6HXswvU z4KeH*hFJEswhJL^7SNbvRx3!Z6n_C``P5Bej)=d_fJ^nsef5&HjK%C%^pxNzI6)rA zW=raW4y0uRv$y)RJmfzlBkwy3f~jx+rJF-%`pUgVbw!zA6I>{)W+~-4IN$pTD)2<= z3)yg`NQ?YJ?#3;o)p(up{FT|edVg#PqWzernXZht0r~~*SPnsJu{y?nn 
zq-(|@=}wNtTEy=J;hcOrhTQ^7V!^JeLzoUL5;KLsw($vc>fD!f27%Po+HK ziqsWf)hR2gT^xG`bL&COg^};oY6}!B8p;3)+D7C~o~rJbG7UrXoe{%DkdwpD3%?zlFlX+unLN-9MbvJNVmbK&Wcg7l-iFZnKMuUE;$PQ=Upt3 zvFY1HUi9ke4Qcv=!Xkp#<-|rI=FO3}ViVGrIha%BQ6kND< z-3KVxfRJBkBE#J0;AZBR8Z4al$q8^LFhUi6hpxlX#js1%>q5sd32GwB$Q1K&;0I-Z z+5himKt8paw$H%D<=)5U;&D=RK9~1h5$>s$l2*ycB>par`yiYpv(6F1d%V2l?c0@= zN`mw$g74kW8fZ%wpCR!{VNqi))$}<1OG8-Evo8O0>-tTEjJ4OF z3_|X?mlrM~%0V-U)M%#qXAbhrXpJhjV(JG%1~>1Lm;u%2L)@VHzm_NICwYU&w6nZ^ zjQ?7a@6YqvrG~jcRFU(35T~BIJMc2L*RJ%i^s)R&EoAFW#GxR}xSMHW21PmdlIIw% z7$%v8A7;fQNi+IVt9z&bb)R{Zy9^1F(jeT(XV*ZgV$7vNY~dPl47oeJx)hYby$M>` zZjLfOL^S^p#cK2gN2?KYv_8soD2R8B_ketCva}8K%F_EY#DM@uEBeFb(4$xs-{38z-lq12Q1`SYR&;%9eFsMMy zsbIFDVO6HN+&h7VvO=R#+vt%J;+~30<|rr;C$o$$M<%Y66nYc{w~S`E%;^s$DvJWC z8e5@ZnEli_tg{>KZ_3645k&Ga!cu3LOI)v zCi6eR4*!9?sz!BM9$OqG@BU*m9yAL@tH`XlR2CO7ilI3IB@l-lTtC021EE5bw#&HN zsK?rD)CV=0=()cDoT!8Q(p1S6 zD|xA6xj1@Bt93?p)J<~Q&_uIIMi|-oU`b-paEmn47GcsQkXs*%kPEIOgdv_}iw|P! zA>Ib~e(d-P@=l)qp_KS6_>RhxQDO=EUdMEXaxdH#fd* z_+QTU55umf!1?}GRLI#i=43sQ8hmqHVA@VXU2Wp|6GBynee5?nH)^=dfNezD{mb)5 ztbp=6<9AOq5&11h%J;w0B!+9fUn!#;LMFU?gM9Py+P7ym>ifkz7@x#lMa1qOleh}| z`s(V%%Mey=4pJ-OYz|_-BR`A!k&SQMYcS>ftBIzf&1VrOu#kG(M^P8UTB|gAx9?nXE?BW zx4gIY5*5U0qS-Slk)9nIk_;{{;?b0nKu<-YXX#2SX$QH()3F^6dxH`Lijj;?mmalW zbnUtRLU*2!2@nS>U^pqCqBdOA8NEv_FNMX7`4qvNEKFGeL4R?(9=&y27s*mNb*5$ zkWmXQ$Hcy9(Vwdg0))nROE874^6ehv=6)XZ{1SaDi-h5W{r}a7TD-B0r2PwF1pH_F z``<_&7KY9irY8SMKGrnazkDp!mzl-e=$tjlGI$B;OCz^n<`_YBUF4J~y7b&NJEGSMoxH{QZ}6EsYP(5CQlCgHTsj{NK>Q@Bko40Vu_+ zQe~uC<|Ja~q-v)ma;KzvuM&9M)Sj++M~mNy`tTBfycD360GMM|gp_~W<*XM#CCl$T zXsgAGAw+$=n$3DdtqKDE3e+70^9{p)O96l-6Tnnvqo`_ND5X&5Hx#5s#;Vb@xvBdHtIsg|19~Pa4HfBU+IM@1zwKFUo zin-n04>U}EHjRjbZ=ca?ROIgXw(I(Ce>!-}l~|c0*%xrhZL!1;^#%@w!jEf@kx;BM zhaK_IoMAl6zPM4p>i|-vb1<>7c$}Afbyrt7sIZxVwVVSfO=EuJ2!ST&>xzZ((gh67D~8Th@c!k6;bOjjlN=2!`u|4pi4OYN* z?A_*Ixdu+?nGctt1MR8g_Ma!)>NzZajiE>E@=X%H}R5lfGOdkHC@`=%yvbWLNV2BQr&t zQw1M|h+xP|BX?{axhga2^jVdA4kkZx4j)$yqBjh&=x`5=We(L{W(=K&1O4*R=;2wLC9Ta8eCY 
zcv7l>ln7QsVqRM%=HY-={@74Xa%z&4MP<%zOq?!5s-)B2ipJGEtW34N*xF_;ZG!H& z+F{B$p3#%im6fGp#wCp@Lv1>0ta`cnXzGhZo|M&XGlTLV0XxyCGtQy39A(TpW@c7f zNSA;DXn_>Ye;f zX5`vq*j=%f9kI=Q%p#}JU(O`d)Y95I$qfNDbfRA_qTM48)yj*2oJ)pN@A+*aCcU}; z)cbkcZ3-X70c?~Be25KvxN`jG%D-}^PerTE(!DmtYx?$Y%B?!4u>BKhelWYIVde4O zMY(Hk=kwOXoNCc^;ob)7DZfLu16^AO);T2vJ(dqS=JGsLTZxeAX&0{hDVh#f@ zXIBZQ;i<?39K-fMpl z(^AUX&whS0^<@_A3#Z|2iJONIw{@f$?)?>1@4#;xbdZ5%bhv4#m_=~RX#p{+9giyox- z^-hRyK<=2Gpf?8h18*(*URFt#0KI-f6y+gSNE-%ACe7Q zyc}ecre`h^yVbRK4><73PU#hRR^5WKVWw&j5_Y|&EZcyCU+e-JL~5bmU!CLCFV#&w zNvo<5T=i?c#p=NAPlGi!>0OwV%tI7BguPV)&Pb_W{Qukj{0yiH6o3H$(*I?%{UF(4CS{bduSXFNeeb~5|B`h z9Oj-*e}24o*Y{4FD)o)-i6Z+}1AW2a65p>rx`z)E+vNk$IgsKf7Y79OC2t4Ory>V~ z0O^>c=uuXJq5`V&N#=l3nyVKkRH8KzZ~>|NqJ|B4w|4;v9Pln3p|-_t9g)k6w{IXF zJsTx?ka0g!$fnp$zp7r&7AbKwHhFpa?0f%pH?g+~pQJLeQ8%eKR2qH6dHVCvK+qcq z;=Ypa2_S7LCHLm>t6joT;-tyD@AG-ugAXj#)GTdXTgksO-~N3F=N)QN(e0w(Izoy8 zm|}71?(czEx7FKdSA=@wtlIIL@$6a7b!&7z?EOQ(`tOh2D~h#Q_6Hj+qV~NtcqFf( zprGKRN7h3by1Xek99cnEy)D^{(WYc7KURKcIKUB|c zslhAflsx3pbPiax_nD$NE&CMS_UOL$uLL|EX?WH^ieRxGQQPgI<=sm$4`NKulsi6i zAUc>fk`26D3?KM1-fYh@Y)ocwQR_lRY!g#0F%D{NrMz1q#729Mbg77Sb3T^E^OWK4V z2o>CEBi+7#AeFt8JJCb-E00*+@pTe^LH=*qo=0;IIimppv@-wavNf``artk`_DIv$ z3PsH)cRl_2=VyPrd39|KW^GLuxTT(Pq>lq*Qy=Mq1Ov$~FY|r|18t?#)D-5$GI~x& zR)?yBnFXa3T~DW6Vt=6A;+DvMxmXhN{J5f$GmtEzIhlG1jk4@lT_hgC_xW?@%EN4w zk72r8ae4VF^L6L-v*-5p_0xU#kMFs|I^>&5mfoIDGsyjI(2dzdPwtlg9$7zPAc&Yl z2?mED7E82zAWHaxaui0rf5~*3gTv-^$@Q)IBy1Z1czu=pe#=7 zkT&s+z@H&0j!mwkyijNdI5*FBrWwdvL$}Vo>%*;Egg~DeU<1ELLG=MtA@zxO0vLx& zc0RjgdqDB(LrDUf(=tFJ<)5e~K2aI?bf%X4Y_2yqlKy-4iF=BTUkqnDVY4mZ?pplI z>)RVxe4cyFTmBIayQi`IpTPB`%HOryXFQIjY#A`wM@9C8FnBS!P%#aE+{#I1!`*5LNP>V7CI1YF+=-o&yFf+P37<&d zyb~7jYEGpWL6wmKC)4FAf>pHpNn)3YB-F@I3Kl$;!yBaWPE-R6-if2}lnTHZ#2HPO zl6dm+S}}=x$1y>gDIS?9MdXlJ%R97$sh^}WMU4R{$cW!?cZVQ!h!dII5XxG+BXS@j zL;fO9jt8Rp1hi@T#$%MqBA`o@v&$VvC<-GTp-+79rXLP}=lg(vQ-0`O#F{++V4SR^ z%3+!=CIw_blV~Xotq;HRU5*X=NISHk+#4;zSXVI{%l+(?G4zW=g1Kyh>c*wzLx!WL 
zd$7$g7LYK^vomuNW=jld35NZp!4v81n4ihpMbyPYK9Dv%qrs2&V@ud87*xnHDi~Z> ztQHq%@$sM@92L$%T%!oG%Gw_#{-W5ZRF@}PTlCDkT-z_)zZnem_>2t^kn7q2-XN62 zIOBN`y^ZJ2FQ_a%otqb`eR0KQTL6O!0}BWK9k?Uj=c+jHIZk~#$?U`mM^$71oh7z zL$UbxImcBZan>(Ub;>kjg(nLsj%sYRZ$~l`VaT3UA2Mh!pSy22mXNPsz@%DLU?9m9 zV?fA=w9=8I5!+;)b{M)|k5Q((HF!t#mr#W|p_D0Y!U1Qc$7*VffbN(UN^O03I(pCXj>(~yh-03$#JB0a%UCeqb|J-mgd)kE-g92%?BR1Q& z#)Dj9>qRnb^+kwkd)1yhr(Qj*C3X1}xTDEs={YErpjgJoRM~UKhiK2%# zEf1Y%EPb223BS%A(oVxKb@ca&l)5(qJ>{@sp{C_r*V`#~Pt(7tho$?u(f_k_X{Xir zn&X+xBcRFIHu4Y;cda+3t#xKwM`*he-YM~^yBlSQkNkSuX7UscIigb> z#Wl6yZG|6RVvBscTlS*o&m3~W?W#NlUc>8E)0Qo3z8iM<0hbiv&lEQqtnDVMhVs*$ z5I^7`I==(h8xWb`Xgi2#+H;nazHmNH_B?eGagX6%Q_T=1JI4d=-Wefp(2`iBHtNf#L>+1f7B-(ZzIDkw1s>Q3SyZ_M zP+Ha{_i3l)Km1!{08VKB2Y!+OZy8vb%xJtLv3`=s3St8U9hGs@NE-O;cX1MB{O*_WRyvtMAKG)V6sh*rv8pO6GYgdVC2ICIirJa^nHiU-xTH$) z>9WJ~d7S*V3N0TTTYa%wgz{h4R7F|Wk2QNNtd5HItYvh2M2KqV)7z`Aa=8j$&K13~ zE-TXwa2ka z)S~JDjEKzC1&rr7!I@+1bh9`d@;v_;99l$6_ztK2n{n1WM02DS$v25G8vu7`ub3O~ zx?OpQh0eC`qe%9)w{Vz@*n_TZM~LnU8QFkB$98bUr`X-KeKBm$5R&sreY6MuVzc3q z*%MvRCF&ew`nL4hv4D|}GT5}%VN=-l>wP8gSN`M=2d;eVxT{AzccT8{E%%aJ>*Q6R zTtDVGFS0hO4kIh_$oyuc2(sytiEXq|Xn+OX-^W>n{N=e=R6=p9Cy zF7H&Rcx|fezBG|qyK~+`u2|CHJvh^nZ|}wp>M6kjEu9BPkjd7-{a{GT z7d*l$((2lTHB)W53|WnNf^>X9dZD5*(!&9X8p!5A0(ZZYSv_{70XEL~Y%E|>znDb| zCMr^47ec0fgH$4>ECkHM2jepWwgIWBui7g$aA+skM_SL$;Tir!2VM|X8M*MmFf9vm z$h*k*2u5A7`jDT$L;|s@kpGxBuy`Fv96@@~pFgcpz<5Ok_UA1U5P&>FaH#q?~H@wryqIS`W$!6*mes{zydm9B=t!uVcDYOFo zUndnDas=02XOLeM&!OeisWrL@)yYy^CgaW*Qd^Xn{kOVdOi-yM3b=;&m9ozOBi7(q z1xf`t%~%s66Cs5P>U}0#2t$g!G~f}JNbdIYeArB{W)UIk@w@H7a2gsg5wqIb4Q^KR z-=!vu5)tboK~tC+k)kAk&irfPK;-c}y(aLMmhV7}p%QTp`E_UghSD zhwhDO(kLDQs$71b?sH|fo_BkkP7|)qmASJkN|jn%P5_Pp%HdD9v5#e}a}`}XeJ#F| z|1GoLHnN#0?eaDIxc~g&^6gYwf9g2kE$E0HTOpQ1>?@MT3=1BcOOVnN8c@{?#xY8-Ot9YEa>%KE5HBs0b)lL4LVZ<;s`YwdHv>Z6v>wq_95 zT-Q=iq&UAS7}h3wEE6bk6iG)Xot>x-{DC|CQA~957xtL`F3w%l``?G!^}nlXjLTsv zF6+MQ@%XqH1mYF4ou3DMr!&-wY_CP|{hM7J*J{u&dFqL&{#Y ze1-~>Z){w^M`gaOEkhX{14=CA^qY6MUBlTXW0h=M&I&1qa=h2(|A%Jaf 
z4~s`c);jl9O|}sq1jV=dqE?4sY8dv>|6-kvRK60-(&TF@)hdm&w_>L}si~6mIxo7B z+jqVcq@~>7n#l)GWoahIxAyUSro4voMRQge-oc;E>ymV3)#CkJNa-qh@O%(Dxm}k& zmg+9Yh3?Sx2xe4JfX0pkC2v;a+r-Mp8Hu`ZcmTzWGxQR%1AwDOVguBV7N^^ECqeMA zfBsU{Ty5nNLe!6UR4xn%iwIV$2M~}(d=gXDm{ej+o{={vACVi$O;`*Vh#kekv-@}% z?JiyTAPXV*X_w%EBp*}TRWpk-Pn}9x3UpyFAHEFU!{+_B;;Pi7b@Dcenw4uQ0~czs zgvr`95}%=yad!JC75LZd3qSVP^sY7VLCW@k`<;Yd%t%jcmhWGpaX|qV>Tx1b$&}|r z$@e1pPOT#Mb496c%L<=Yj9iW5IP6CSow-y5du8JRb!XNro$L}4`3sfHHz>~JhWGiz zGkUeW4Kt29P+go;g_0V$ft_RRj_S8e_aA(G;-I{IliBvy=4u*fTp?(a^D;0E-oXZP zj>Uhp$F%TRG&5jLorKfnbBN+9POK10gGt$I%$7y#egJ?3R zO?SSg%KDy1#lw~qsc$PH;ITh^aXOKc;ILjD%Kh1ksx;UGfZ|aw1$HEvJK5246e&~W z0HyNWgg*P7lH|V`T4=^+%EQT!#ZxaT1lvdo zM#@ot2@Yr=BPhU8ogMv)_G?%}aZzztX;}{x8)Xu0IUq*+5&hX7L7fWLdx4 z5VAZ4fhc9#(@UvZZKO7)lm|;^in{GeMZ0G0V41>%F4Hk7Pb$dLDg3Vca<}tkp_6`m zMh0}?%6CXlmKK4`QNA;OEuS4@xj)ZPfFi}m-QOi$=l!u@TQx8ya+%pE!mROP9Y#c_ z6CZT4RLhJOU+Y*u6zNJn5VxV#Xs1=9X8W`JP2-Y&)R(np2~XL}yP{Uk<%MSeXfIE_ z)Z+pTVnc-)ohG-zS4%j_It{J1ct>V@=c4p+CZRTf5OX^v&Qy&zt&wx_>|o(a(5*8p zV8y+{bi@>VN2(`RnH#pERG@|JsP9V>G@nT} z$47*~H#=)(4$U+tS(>?*leFR6y#g=My>@?G-oCkr&;Y+(pcg0rGv{4a1JUUU>LTa^ z>;V}h!A1*&XD}yFrv~e-JV>Wjj)VB{m75 zg!c#RJ*)#}JNAA$t!!>?$zr0Wh(ngiW^Z>L9xOM^CaAQxgb61F`X{2kE{herA;G;ztSZ}QuEcUT*-25^P=KP zZ6#z9a5JSNQX?v|R=+^xLn^#`T&4EkSTkZJ+%wukZ3~trN@OvDqQ^KjI%kdjn19`K zt9*L%GFV>0yQa^+g}kRj{>mI$Af(#oOGQ-@>ti{a?G~5V7q8f%6)w3c^-Hwt(?sPO zm+0r_Ldh;rOX!^_YlnDVE!61d@L}Wsa{kzcyf62Yb@SPbn+lh>MZGV#cH37+}ai$^Vd1R>JZuxXO|&RAB%~3u!kGuG{_p; zUNT_qI^%{(ukV;HXQraedY1|IRI%)GsIBF4mq307)3)nqY&Oh+c%MSalg&P8XHP23=?F0yXP zwT!2ii!p^!U=vwKh$xX?3N9cW(%SN`LZdNwIB*J>8#Au}Pl;1TXGD)EVL;~;8b?mL zDR{~s<<~$qaklI=97nV4ena3G>z)3Cr)fU`HRujS)$}%w%)5Eq7z!FVo9-oBY6{ve zYGGRjc+C!xPrca9E(egJmhQTV|JOs11t<`Ui^@!Mt!m%+StLp;}37X^@5)%o`-> z=;k4lVzm3PzM71S3cdy@jx#JL$?_~Kh?w+Z`Vd;YR0gP?J(O4EEG>Z@PC%P?lovGR zt^I(|hJ^S=c`)YId(6p^!rXnlK(<2elqZ(~QyH><(KPy3+oKVcYSyc)r>gOksCdM& zd5nAx-YkG5od9tC-!laeIXVgN}(d0;r&43SGJ4g>(xv6 zq(4tML-+4c#4qGQE#QJ+o!EmgewesL;L|`xolo_B&pIDj{;c1&rv6zwwrFurK8>MF 
zbpdLg0J%c=ID^<-@P+~y4FY^yQ2bqvAB5wAI5Biv`uaenO1^$31nom@K>~0GRujQ6 zLOy4L46x8{M*zHmFk5-KcJbK($ZQxO9caD(kHLJwU#m{{FRl#lUtHOLO2xFYHT!Rr z?QP9}Zj4cnoOPWYiFg)^$R^`>BonD7;!8^{Srn-TQmq(Nj`|~PWL(o}9f>H)gdH7? z1_BOF5h#Z8ND7fCcF?E_`008%#UXfWIX|?r?3||a&6>KJFi;Q(iifyRAQ&&Wy~9)& zQ#F!Ql&oLzaSlxZSP(W@CbghfWSn4 z{xI==i^4%^WW*#xx5fb(Y{D>>8Il;KGKk2M*ce6w+}7dhc0NNBX+&%zIQ7gaVS)9c z6&PAW<7>opBZ&6QD)G2ci7$1kD@mLTLc2EpE@PLhp)$a))d(=$yvO~U@B;^_mV!B|BaqG{7 zVM|QQVK)X|VJnP2!oX9yB_~1{kW9^I)j8{d=DZQ#d5y zhBQEmK31V6Nc#^^`}5EwEbtV@N6ve%+ECiM|m`u1^qlp{*e zD^K7`?wx0vJWXO1LsmwXF~=|igWK0vIfL>P%w&mC`4emsTQRxf77Oi{u)a^(S_t^Z zu1DgryGOz|RklCXF z@Tu@s1c%JymsNxj3OZfn#icsbR)kI^-tq-fgg2N8N`<#0EF-!8Acddf-!_JWr*-npS(E~Y!-g~ za99HvLro5be+#o{zc;%B{uVh(gc&k&M7)uac^-ES3JkAjFYEL_q$kj(NA`&(xgsRk zwDjMm!sbF|7v~yU#?^WIBl*`Y96rSCNS(_p%fZ#7=9T&tC+=;cIULRQ6zch*`ST*X zCRW7Wg^V6T>EeWH$PiiAmKlh9klhS%89eD-`6#7|p+_z!WPABZPgMBzpfRMe4V`p< za((Oodr$d^H*bSJO-RB$rVde)|UE9WpDN~26jY*Z)a zED~~!^JRw7qNPex(mCB5D8p@ z{0wLuaZDnXUVwxLOcmK`NznSiK&Ul}&#V9=!6NFMJ)mdwT|B;3S$cImwW{Y~_8RaW zJDgnrYEFkfJ83}`hU3nC!IGONmKYRmt*eh+3ag(mIhzcOOufCK=xuJC(@g&;$P8>E zj!x42*j#BD5D!)fvC#LI;*5(x-ZWMURrb6&N1&XTMyL_tqabjRdFo)NhE|$kr3p~Z z$=&_b{$(4MO>=@Mtq9qBii--`GK?gOjpD&v&N$)%cTnm2iQ-CvqW)^nok^EdiGWXs zzrgx!HJdJUi>}=X)v_(igdkX38l}`mGYUoh-8Qduz2EccT4qcPz_~S>U6$_gWm#|Z zVg;?Ga=A9_6};_t_rbAr+Z{>3Nd_2}EWpdUH+{2doxlmzx-HA602Y`bmpL)u*YG<( zopj@iw4NQz-mL>Z9y2Hj!r2LJ_zd zb}Fve`rWFH;r8Y~VEPW@@G_X+{gjQ`MS49Qu76 z|0MgFbe(2`u>|&i_8x^J|4i;n)!Md4KVxr^mL4L-T60lx+vB?cedf0#N(Dfu3uSsC z8%=oNqGG2G6i+DVApo~{=vMJF!hG<4m?PPgi>`$X7{*w~eIWm5I9at77mx3exMEG` zcx?i;sbtIK825N-s4>|uz1R>ce3^gy#u>OGaK?W-_9kDn6mrmCD_!4%vpaSswEr5Y z)n8R~jJGof)TXr-Y$kN{{C%cnBCY1Xck*HxW}Qhy8-a z7Het4!h7;W0(4W7E&#=}rDHz712x^!II!wdL`<{;^pV_xinZ)fPCL@H&t|K$NRQhl zf@`59VKe4je4g4!40{x$Va?`c(~HL4!aG7Mkl$bHH|$3-Jn95oVJi6DIGL99?)?p& zA3dcLAElodrH|;`_3ZjQYbCUJWpsaKMBF~SMNLxyy@%2G5++Kl#aL=l9xlgNCyB8|aYbR}2z(hm0zjnKUGcr|k%E*a4 z@KMkkmoSiIBx_=b6_zWmm?8)N%NdqoTAu+h=m7+iE~+wIA>OYAtI+6kT@IOGbRLZw#M``8KcWoQZ19Dn6-Y 
zGw{s68VIeJCkFTAH7VtP2v7e*!2J=7f}vCCY1Vv`J$fs93LrjsI5Z0YB8$+gWN~8E zQe#qG^S8N1s)CDV6?Z0UI!mM`61W-t;>RTwhWLj*A&zyv5H7n%m|~ zz1dm6wA6FE=P>aPug~GjbTa%9u~2MhC_-|kY~&zxFL+)q20>g_;1EViV=j9v=rFvp zOL*D>Qz?TKzCCJhH{`Ndqa-fmRE)U|^mqMQr7<7TW^C9yms+eUO=xQLsO39X!N1_> zx0=glWZa|PCLv*JF1cQS*~T>OZe5P5vuo@91+5`P(EN7Yweb$Qn5b+Rr7g@Xu8@1{ z*vCML56J)%*%I~}potFn_Q*UIx+cQ7LYaaFd-kF(e@sn(ykZW146jSJ*NkeLWmVVL z5@RlkO*q4;kA|F!;~LmZYDe*9uzwrenGXxTEtEWBOmScmM<@&Y1d&l5uXWNrY9LA` zydlD1ZR!P=Ei_<&$=CiBlawrGkF4s0Ng{Y>DiBcR`fGi#hX#A;^EkZDT(JPOYa^`B zjhKSVaiZ-5^INc0|KgkJZ=epoNOO)|mo#=5*6Y+-{$N9dpJ+PSf?y%){JC!P7H4`l zNyP6oC$`(R`g|0aUwnDZj*ZQV=L|ibF&Jm2N#9MHwvBkl4n-rDugv4H^T0ukq4c^4 zI3tGzri5gSYjaiEXK9xrb|YnJhkeHwdN)(&ZKc}nD3xe(Htt~3d7X(=9$jgK74lKm z3rK}r;jjdp3$omJMwsW|GLhdXcFlb9f`M9*n&mdIpb@YNClyB-8A)6{7tVsTnF+NV zmM4jXuaZ}<7>4T4>HezU^Ez~KQ_%K*%@!O<4Cv6AR9G#gi#njFm-2W6o!nQu5;Qug zoBsu=o!;EoNZXpE^*xN2_B2`C!C}Dq*bnj5D}nm`Hs5si6m7VUx4uxA#L#Z#vc(>{ zK!zVB{VcP>N4+k*R2egTmQ?X}P{}pF@dP~3&cm?}W~P=|VJZThj4weC9x3RGUF+#9 zNMlv7@`-==?G;e-24wsvXvisi7v`OmS_M!kLn@n8Wu_gFF<^qu4ksxXtp-xc!<8`E zhG&XuyWRsu`E#edY{N>FaAIb{6z0R*EGH2N$o4ft|a;oy#O{B;GILFPx{2$3LKekS4yR9nKt)7an%4 z%&pjvJR7#|?%lEp&Sfz|Ph6>=xL?Qj&Gx#)Gvy6JT5RF2FY4U3il1 zC8N9n{1v&LWMPlBz;QC}*1}*iY6B8H@FaXhf^Co_i#73{C7MJC1qUAG;5kXXxV9*l zaeS8q+3Vj~4R!X5Il`_leUr{Y!!Z#kdpOMo z`?FY)375}5WwxFolx2!DuJKioBO;3h?)}>B=p*tgFS0`#_v*onDGm>xxtpfz>9nig zTWr%NS^1z)>l$Tv-k6LgGy^$Azk-;2MzlN(8DiZuimgehe~YVL@SU1rhrdkRCfoe@ z!Zt+NVSe1zKES5QHv_Hqp~2k1^m55-Sa>R{Vmt(v+5z(209 z9bTAETO}y0FBv7(1$PEjVk@K~-*XHXc*CHpi~3g?t~ks?2X88f`{yX@E9c+!xpS}R z|17X1iB;ka>zO}-Q*Diw9pN)N;q`Zw&O5!bjxUj9X4I9==Male=2y|zop9A%a1p#~ z8tYAF)H*J&zU%Wp;3j*E-Iq?4UdrODc7#TdT=Lzu7Q%16(tCLeJUN@lqW|U;Kv&)f zZR`)tY;cv5*cM({Yd_xTJ>T@MlDcmi+iHz8>^srJn&|j=5$ygjlVMW*btGyuu+Vc2 zap*fT?-lbl`fh&i`TqN<`B+&wT`M`wyUS-^vTrz^@0mEyq^2|BXTR5dSsEpGfkoIRJz|?Z#&}4^J87Qv_ReZWa$py z`BVMcscZjK;B=7Sb&!xk8MFBJ@U}LlmtI#!@{rP~)Q$bc z4XM7UXuOF#9nD=J17#>&Kh)9jokcGii{_5$?R>e`kBUt{YV@Ij%^Z{eT#%YYwZ 
zv=1CXiDjZ#Z?4Q}J;H?(^TTnqN`dmT3Vkh<$Cy1rp(aq>wxBI3KCBoXxFuY5Deu|Y zfvfw~9`Xs0C}ipU-6|lk=SB<2hf|>& zb`e{40}1!BJf;rYzqBXfoToCXbu%j9|bH8Iyc4(?b`X**uOUp^9bgDa(? zk?J`f|4hW|8spH%qd`St)1GT8!{yKi_KG5r0u@&58pDMBqOVt-MI-kUh2L8#pTwMB za>rX+9T0;<5eEitHSP}t*v2mfQ>+!n7DBL6&?03wJ2li=sG_68*&876Zi0VTAhh`g7XGLQ=szln=R0+N8a z2|thlCWy#)Egm3mVT@1Oz4+nX-c+w82*mIIXOi~ek|~kH1pu(;0sx@;4?B;>Hvf$x zRqgp#9$PKLymjXm9RgvEfFuy{#2^qC9Gj0pADizE7>6s$nr11wTD>Wc6sIsugDQDl zrRz$D++=l3X*|Zp#ZokfgmtTWi|VHPanRAVg^jPXJV!FMLR)0J^F5wVtAo|GwdKpm zwbxM-i59XeXI&+{koVNdU=kyR=wKCjKZc#7?u2%x#H&xzCIe2&17iu^bG9rzL zB0*7PjAJ>;QkJJUXHnWhJU~$?Bg{qiPx0XFMwrhGgNdJ+!-V*GiFA_3g!DNdK?#jA zkI9!`R)Zp0*?Jk+1Pm*eiGN1mgFIUq2PM~%b`tOe)&!&p?Xq}#-Y9G@>z$Sut3vag zmRx&&tA9l%0Z^xILdosCBJf4lJ>GX5)Gq9(5yxK!G^o&0Vkd6d#`-K-n;*PuYW@=| zcPAiCZFJEPx>!c|fOrPhfv5(nr0*P%y*N>Os*8c$+g*bBa+2`0 z2qN;Zq6`%Us*s{F6PbiDgiUXX=UIa(bmMv-I#8nS`y_?~ZSu z1-sa+3}f9Az+LpyZZU2W z9(oC*Kowc`ykjGS_jXC+7Do1L-1rP9Oa0*eS@8uz^X>2EQ8OCq9&{gmIWg1VLQXTm zz9oTHPVxCA=fT7JARz~IMhtjnrRjS(*~F!enr_LFb7AugEXc8#28cTcrzUN#Ik0>X zBj-Ed0xhm=Sowak9;KfipC3Z6_&2fKSC?E~XVanZMvaT`LeSr@FNL$)!8_wS?{{9V z++#b%huh4H@%|iSymQ!)vrjYh!?z;oI}oT@x3@Y`p~UsN5$EZ86PP7|D6FuXhMD@1 z)_3TiS`?}f<5rW%MJuH1*_1AgCDE-;r6Ed#>pjT|<@T>~oxTg%D$vn7hDND*<$9P> zw071BJMrXE8;M26HM7W;hrHv5pB9sHnjmteXXjHfKNny0vwWRz$09xZ;+8b5E$8

~(B3EI7Kh$XK%6wx6Bezn;6c9lo2iEZPHw zSencLNMk_ax0+graQT(Ttj)b*^uJExl>{(OGig#bhIH-FPHs}MDtUzdYb{Y*{sMAZB)r7hRs^7gOALnw?avl8f>0f_EypFTopo!ZUFCdc}Io(SV^k*e>;}(e@^#hE&WrY`Vm;t5qRLm z(!p7JC{k!r+E@#P`R@G(Y8<=Ml{2MZ;VarZz z-7)Iq0T-xUJ?u;WOrfm!F(l9878;E9?Jv>{kBJK^kfDKzzRu8!9vC$BR}vrkF`N_+ zG&Zt8e{O6LZcLA{i;igS&B^tW*vdBCkqP)*drG*}v$=r~mO#(UF2V$-V;`mFyZux_ z&#S;vS>}&vBwdb|Q-nO{nR4MmgP!h(>GQDwJ4C@GM^d#Q`db{%TVOPx=Ya3gztDpu z5V(UIG*o3J;M62Dme*JuCm1`QLUy*`p;N{op~*g)6UeDY;gzqab|e9X>9`LVKN)AG z&z-`)DOkQt^03YPo{8o#VDOyNeGzL|;Yagec{5ng9licS;iJ)ph`iuzMnUoTU*k+$rR4)@y1*9@ z$eiiMO_%$hI(np^P_*F2C$xxLGZnX&&QnmVse5_EQwF>U?ruVS-5O6QtvAb#pS+#j z6n5eyE|r3VRROCSS?*X-&0}`W$I}XacTuD*TA;#k5`nj z)_jDNu5e+K?BW05bq(Qa)VPed1PEwak$`J8W++ADWhq*EM^ks(5mUdSJ~c*C%y8Qv zg8Ux*8;1a4;rCr29B}8b3`Nud#`^4S9Uit+OHhDZrY0b~*>8gw4<>XaExb{rDj2;(FsiySF-x{kLL z1u3RRk_B|UG?9c1nSwYYaAt_mrcQuE-r~mV@pfjQnOMS{7|^ZM5>--C{4zXPMi)bH|x_ut<|}IzC(md{)a@Ws-uaXCmqwn<8ZO&Dkpj*$6;Z<2t5aj z|KPc}x}ftLo)lMIe6z5hJ3qjAxlM_f!Epz^bF38^ZFIstJt9f8p+;QfRv($7=1j^^ ztRlc>3<|;-HHaq1_=6odNo>NF0c-?lF8Zq^R#kuAPyl##Sy}UnQs0V>nP30M5*S1k zz(!y3nK(IsY`KvjNFQ`KS*6x*%O3QIT8$sbSEa^ph?-zhmHz-0Aqnpr4Cb&3-C%H` z4iq)Jj6XsXEk-;RTvZ;KfusJ>05N{|0GVhnhIk!;$LkM<|c8 zIyO@}*2e*v&$PzGjQ1DN$7|nwa?1F7{Y~?3U8w)Q0M!)0v@XwzqnJ@rv zddnA6mG%ARjb@SjlQeZln6dhi>3Qv}LVWllp)LEJg^u#pBD5VnLGy2srpUk0vne2> zerFhQ^LUc@Z*Ka7UC{Z@y=B*99Sz8TtuJlzUxL&3Y{t=qOQb=7(EeUP^_NmYjQ0Z3zu>wp^JhpR zx#8ZTfRK&545R8w8juC$z6sSQ-}+hn#O`UXFnuq34qRG$Wk0J{4L2a;l!3@7QZq}L zcA5~TP)AkOMWNW5%kT>ZgYw;ES9AE&GCrRFW2{#)h%ii+uX~@Z1B%r6bm-p``SNf# zLVz*8EDId6EA-0VjPzY)mJPRnV(Mj-I=)22t3-@}z=@I2I9@=Six28u0fc+oM1B`G z#?Ck(F6w5IH?6pempjXy zNSZP_ew%gnSYPj&U!!ZnhgXNPXFjdS?6f{{?e=x}X8YiM;qO1YuI#=$-?oa;S>v>m z;ItFrwG+M7MD$d0dzqR0yztHn2d`7`alz}^o9=I>yZ$lVK{ZVoN++F}S^v{&3Uqat z*hQ}$taF!*?0xF?CcAxL8~V21IdI+ib?teFS~}oYSizz<|G8!TWbB;CF z++S+YKTpWXskq_A11Ol+_Uc7!P+weoALE_%Q6JB2y4=+sx$2~H*@9Gv9U;Kbsd%Br z^!6!kiEd5AP=N>-5WN7skQG(gGQvY(=$R*?w6f4tylr^Xpuyj$Pn6m$H5^s>885m< 
z^aE9u^01TeV^xus4+Ax8x@N=HRO)BXJ+EFMNnfByj~wlJs=*0XV=Tz!cCxWHb|lrn zWgu$m#sDH);A&f7LJtNlN;L1iHa*`Zkf%7EnW5JPGUz+!s3h~t%gj4;HXTBVc&PKoMAzg=yZawNg zcrVkFO;%v&4m1Q5k2Mo?tVSd@mp&< zHcPMV$<(?UAh>DpGbWRNU9#6f+F^5_qV)@-WGA4od$(?(8yjbyIu6t5B4WkYwbMKA zqiy4FVv@1yk;66IW03Eh#`m2w_mQJ7712UsD{hle;wfuDJf@1SwX+6KY#0PQ-?S4GFGG)-sJbX8e4uY-#N-ljWgZkwG zfzZJiTb*MhL6)g`5Ty_NDE#T%TYqEWpP0h|E_@Kc5F?9lBjnW35HTquC|zPC2SiTs z;Pg(eaE`99)QZfVp?h3~p>=)shui%=mkFuD+1}dAv%UI5;Q`dlQlWi)VMeO`GU4Ba zE83Vg2@ULOjymYv3t;8DhR#cZha0j?PVE1s5FJ{7>Pu)g2#xFi}bUs5+Md*^o zezFbRi34UfAp)Pn?S*2OUkP}lhy$+6%(*78V{Y;=r1F=3-#H`dV;7W17^s#qTBNJX zDR31Fs-P=@xFT$l)&oc?1rSKs(JSHnfRh;&OowSJ6;NP)nm|o};F2188RY&ds&woz z4mnTU=SeFk0S47Emghf7pdvN1H&tj{1E@);xZMDDbx?JEQm;V&$SO8h(ITH-EJHH{ z-UCK_t4zuFBrbE!*-~i$Yv%wr#DpZQHhO+qP}nTy5LNYMeeh`{w&D z{+<6~CgWx%GnHADsv7myQ)aUJ#6mTj&s%Q0GkhTqhd~&$|Ibg*;aR~Q%6z@49Chl# zshlG&61rR}%*1Xsob-z2Oo%3QJ*r$FU@@DLkDZ^lDcm-VYFqimyx}cY;JZSSFc8{p z@Yr#_@L8$_mhvzv2gIUjxgL9Wnuv3OqT`hSaUmQU=ls(;y3PW4{n|RY+h!|W`Ep{1S0s zQH_5a1)U4ju%%TWPq&i!#Uves%s@`9_%k}vo!txd`(x4nKVFq`_k7Qk@4d2rT8;k}uqSxX%NY?AX0^X9{Rb-f_eBe_nMgU?+bbO&I8Us-ArXIWI7grpk2m^C$ff7X}j zqJZd;P2ghCNI_G^yrS5#8#0-;Qo41YhOiSeueW21*($PBRCGg_*Ag?;4oIniBk@45 z@L3XR;=oZzXsXX$?qCY>46p4HvF6qN6nJji8?61#3>&Ym7_xnT<2Cgj70y69we9vr zN%Mpa?p(W0z`&g(Oy@Nt$qIKjy3Zm&S$?gg;v2EK#d9CY%APEhn$q=4VR#hbTiM7_ z*pwh!=mStU@!_7+aM8|Rq;{eLcaCP4EP69g96|OwC*4TS!six7#Fn0rn~oxh@Q30;qoY|=%$tXx6YJUP{ctnD)xo( zUZJBXix7p?ZHKdWB~j>MH}3oIv&YbDWH%u4J44%dz?tWXkIaG5X}MW(^d7hUu{TfS z6^MUnp@XQ0LvIb!inshO1GmG75s$f!ks}Kt%*jwnjBlZqbD|NcrA6P^7h17jka;rlnXHG;?yPv>5f-HVjTaI8g_Bq z(il>drYVEugBU#$XligybTo&tc(_)ihj|R|m46v=DgW@lF!T%AF7d`SXsC(Kw+=>} zFa}&HDVadeeSx7aGx9N)s!+1C)4Y~j-nttL9RsU=tIk$wW-C)Zi!2A*#mwjub$Z3> zFyQk?YBqo9ldE3)ZfooF{pWG1x0|X(5_MSg7&lvHwP?^=AY2b3BIQ4}EAz8cx4fQU zHcB63B|KMM_!H9ty1-x0_t3^VNA7p{UUQm7-M3B)r+YxJhX`H=^+!oR}!F4!^#_>$`Vkcc6h=H8a5jcmVj)PB;Y^6GX$s~oCt5`M;a^61kNU6 z+YNv8W-sv#ln4Av|K))y@z(TD0gS|v@GM0OgnR8Mz09#4>eC(R9f5=^zB-PlVHUhP 
zvuRwTDP@&Lo8`)eT?@KS2j!Sjs|aeU2r5|!zI%qmK@Y+efXR>-7m6FzYqEkme54a& zcjRh+8C59Eb|m9VWqiS5T>AR`pXsY=IC=DLcC~}K24921E1a`1keHQ%>SzH}rTof4 zjuyt~W{HYVo#JbI(nI) z@o0h3iF*+x8jh%DsX2WTEGRLIDs|%`8~vM2!&UPubMD$=Sa9w;az9B-{BUM$QHl`1@Q8i=$>DZe8{OoZ{c>hVO(NZX>S9V5;qBEV@GW zWlpP5fVhR7-H2z9G(lTDxK3#NI}DY>;=3HjLB#SJ9>p72r{?lfDpM?DJFayu+p|W_ zv8hnvSktPpiT}l6D@`^>__95Z@@x6}WpojqWr_MQL+P>^fA~5)Jr=E}@7cFjX3+SdfPEDABl=UM0_G zZsPbit&)nAH7>~P;)41zovOn0)*omyN!cdPCa_T=<%X_Asl3`!&GYthzu+l?%6bKk zSdwGQc7+CNr&5hL*+3&kxEs1Y3e5x|fGIUY7S+A2&jHxQKytXwP>;6sZb{(j0LGPM zHepabnih;WfmGSdqL{o8W?4R$JF0WwQQ(6ZBz6fVyquzcSWrga-|cqcA!e1&j>a3^ zDn~S4B_o!FPJHq+vJ`==_mGh@~by%!-=Qs*VLuZrQm?8cr)$+Y#7^&OLyrFDrDM^$li|{ zae!5({Gh%mx8W#dRLJJagEqOL3%aD=R_GE9>h;LehNom3?^r*K3QnuEa&az7L-SQI z=pJlxFU@bx2uEG|{rFcJGi8QY!EtC9?4?7PYf37w-j+ z$9XT`nla!fTKGt}P+)~#VpqyBz9$Ah&T!IK0?n~oa>0c&G?w^=BA$H0k|zDiF8dkLKPoqv^wA7;SE(#6w!S!eVQxvDnpN%hzg@|MrQ39=2Jhx9J^t>gEr zU${SzXuf(UzYo>+&zr&M%-S`oHEv-IaQ;lI(9N5>fD;xUAQHZyfQu*6cfKdr-o$xX zS%tZ|Cs$e054~tFKLzR0cv&zlHg`8@XP7TW;pu`^#DqfhLl)TQE$Qz{v(`qnWA$;> zJKz!CBPmcC)A*7=6JS1R>$u4iA~r$TASVS&Mj?E&GzgNa{qj1&47DVZ47G$}FgTz{ zzCfOF7ls*yq?c8e+G;}MBP z(Lf_TDlRJt1h`|-xFC?GO6BHFiTv0H!#G&LG^kzOCuJ(K31VZJTnbdkMp%~=^fU>6 zNX4e^c7fISXOF_}v&NzoRrI&NKd}F~AgA%R#+M5U0O0mlNxuUcum$xPATGpGZn0zEIMK`@8j#nemPE9zXk;la{%cK^T+_gz!9UPbPH5md?$u+@5 zDZ-Tvpr90?aP~nkE@t7ym{@$TbN3^3;4Gy-haw~2%VKmh=tt-Mb%qR0f}OW(rl zogA|C7^2@qbMLo2AALV(wNoa)ghjoIh<&`^?-)(Esf|}RPJ*@se?#$n5Y0lv5 ze66A+bYG8?PfGrpuBGnO^td_dO0q`_h1b|9btzIMNL^%dMpgSlR&h&S@ixTbZ~_jL zB2Y`PcZ+GHD*bu1IAopscH6kIrO5b{@g8QpzQp5_kLkR5H<39f*5rYT*M8MAUc9ix zNRn`M*pZ=vJN1KyL0=0(9N*`?f)G$vOg(XJ%&c9x*beFf=mKe~Cb`4=?DFfZ7^$$O zMpq7!5>w#}Q5)R^;lzHkQ6UXl(h5Qu#lt4=14pp|O@=1(H;Z_|c4heZSM0pXnGWN@ zT$flo@nOhPQqUvbq|@8)fp`>iWhcp^tlzH3r>+s)tL4eeI|x0|j{%Rb79=FN7~$t(~hJ)`eT%-os4<2L81bW%II%z3gf{q6jj%(j#BDKL7x zWgOaUwwV?0NxN{CSD~xEf(KO>kivRf(^oj{*UXJ_{2`b1aeU)Z8uiOpcd1;;4Yrsl zo7YgGhg$;htJ3ZlSKSuy&v%7v_cxQ5mfVxC5;3&L6W4ciZ}01$B{gT;ixy$~odEA` 
ztLnZO*T+;y=LNr+7v!4FUj9sMVjIVp72xHfg-AWz$WLmqM8*HlWJplxBUz>PNAl4QHL)RZ;A|?gW|T9JkTZ+O87oaPBq)nWqKbj!a?&8ET<94q z3(DXmNTN<78Am-GM;!+Cbloes^=4UFq1milEPh_b@{HJ#Z(y3Lsg|m``mfb}Qmqy*D}!bPx?sB;ZNt7Byms6k zOxoC#u2<#GSDFTuKd%ohDr2))jrC>aWv>WQ}Q}x<>cY= z3@1RA!aID1?Aq5C9X@9#1#!e}M54RfHhR|7cK9{c_&V2Ew48seT#v4FRqODp2+6r6 zR%pgo?iVU9%b->pld3p65*<`^c;mFUDx;`vDZ4_cYxl7l0beJx;(*3ffyeMPCj%-Z z^(*&MBJJ$fG0QoCNe`_tEKJ;wu(h6Jw(~wORvPWP53uRE$*E=| z5}knBy;>6lKEX6H%ei`B_jCGQy-z5)!>DKX6CJ+Su6rCR=9R8Gx}KwIsF9!Lr+kWD z$)|k6@PmI`i?4EP+so3@E6W~>MlPd3_12k{?_pA`g~4vfHRmxCu*~v(V#&c@+5-NTvWj5aUSm9%mTTK2rU%3>z+i~m z?ciFAfRqn{KQw#3l=Nz_eSrDmhWZ8&32B5{61pf&1kdYe3d2JEzqhB+ofMV%sz+k0RuAIw%mfVH=1&OVaIAOr z1@J?z0>|z&fjSWa!3cY%O<3$csfVC|QI(x+wA5Gus*FV|KGv*@(Kd&^AyR@E-jbl0 z;xdVH5*jpM9n4H+rh*xjU@&1x8teUkOSQz#s2U^**!~9V$Vi(ti^3^SNm4t4wZHTr zlSdKtQ_C@pR)|f8BX~$sG?LMoy9}cRgr{TY@%Rz?o?L~TGcO$4A&MF8eI9k_N$2Hd z&u?40z92mTj*-$rO){P*IfM0cRcfu3I&%}4Y9_>Z0KIdz?n~9iA)_dyyqdevuhmdV z(ER~#&o&!sUSL0p6$l1cQxDL=JcrHvhzPpIbC^h`5bXB9KTxc8-P{VhWmxKpfi?>02Ehim@ygFmB} zNB?}IaZc0q`-cI@8(hv=jt}23j)#$_jiz}4P^6ArddQz`JhoeTIjlw2ZK2jWhXBTM zeE_zl$d*PM_-4A3>*i51g~4n-~5-o?9FY`(ukk8C}Z-7EY|Rd^lU6csjq<6*TgG z@aeOZc9pjd&W#5Fzf1E+R*k4^>R(aH*TUkr`Hb`}k5oc&PEjsKa`83J^K#%8?o=;4 z{Z703o|;ZjG4^`-%8SaF9?mPS$OvNLK81pP@;JVaWl$^V=dK5kvyzUISQnE?GqqAO zV6X3_`nYeIZOj-bDPr8AZzGMm5jlQxGH21b^-KOo|HrH@Y-J^i-H*hoTG&DoSLssl zlzJwIbZAV8#IK#M`7~taZ20Sb^c+z7VlVvM%6|YAjVK~37f?)q^a8H_B!Bs&dRLk^ zKRq;=N-8X)sIcbH^?Z7(wz#g&;}~q+i7J_*V|WLk5bY+`k0y2}d=8P}vGA}&$ zI43Yk^Lo8VlX{J2wE{k^uR=VkQ4M~=|7V`M{~ahi2n_(RgAM>d|3BoZc8@3&Kmg?({H!S$x$MkqX8BY60l4HN>&1hP(Gc)N-|$ZQn;%)OMDaaunQ!}h}#Wa zTzjYy(#FgfHi&7zHUDI2SYH||i^>N7rDT!px+sQbg^Ln-vDxD5B+^H~d*iXYb-vCdGJO3(^C;;rnvRH~%{H0a`-1h_G?)th^-0 z16e|QmB_)bn!^oL2oK_T%+y^Xok(|c?eCppkpU0J{0<}?=n&xLg}2AEU&D$ClQ1dM zki-*JEr8V=1QPt>?{lT42 zgI1h*OIEF#c}r$3n|a4fTJmOX(x14j>Z4Y+BX2t7l6N)DD@2C2jD zi!{t?-OW3t4S|DWE_E9vLtXzQP9OvDBrqGM)oh?H>zzYLuMoLZ}j zGh`yiEA3^Tq0>l|O4UWQh7+E8Za7&H0;&sSpG z?4GdWU-NX`*vT>I$o1b00!sr$Zb2`|@{J_RbpI=#cPXB!136cZFy$ 
z6+?(2l-wvfY$AE|7;u3*jBO^^!pA$f`Kcew2-L(@ydrxn?c%A>xO{r9k&4=<}n!EkF!E`Qkh8fu92uRexbB8Df9 zByw~>@jQR``hBQ7p9?iovgRQEDirE{RahqJFXH0)Z!s=U`nF^RRWa$Xz=htAc$l|1 z8$}L>&EWJ(9qukU#yR;`qiq<#4w%*EX+~R28O@?7*D!1s!f%!&>hksPDp|uk{FV_& z+EuO?E{;*6LBQZu3mu~!L2+|oM>ncr7?RdQ?(j|SPP;mp4cP^j(laNcWGD$y#c$_0 zTun!Exbk)vV~H;dzdR3HMwiW1uf`*AGagOdlqp{nJhK`q3#qOL z8d49g9X(bwqAeeJ61YA)bZiR5PscCg~EE5!7 z(-&?pCni4KqCxE5fz5EY)xw>PJ=E4zgscR8xceUU3t!7AW%w9j{!8b}wUp|HWbgko z7qi~%%I#YBnuHIGsuzJ9Hyqo{T~muY7YWSiK%n$Zg)0tWHZaJtMM5mn1XH5{+YQy- zRX+$UHQg*We=4Ah9KnCI07>U0?wU=lFacN*y~Bi>1EJ%S5Xl6Xh(lF4>dyFPP6AaV z9@3aIfUj~C6^f9W#-c)zAb-@~1POj(Su{S76&*wc(PU^Rdo>f@^FE8)2F{27;e3`$ zy~&w=i6hP7teYnr10>a%-#32SlV|k4;c*@(ux7C zCW)q2;c&%6V#|2N45-!W%8Z9*xu9Y$v_ZUi#gme)moA?ehg};VNN0&VTrv z|C(lXI8W)m(tWS;^yfBW0#*XFhSew#XoP!TNX^3q% z%}2=g;{-l&DAp!u{$8sv3XWP4mO@7Pkkd@qq;^e{j$@v23$tQ3Oji&(F1=|zQVYz5 z;qYluDj=mglFU-e+-;JrIB-Ejx~1k3we*liR<%Y=?nmrP;D_reR)-!O5p#1{0cqDB z1UhZO(m|33{u5b`GkyePZ(hqs$2cWz(=tHex8gy9s?;Q4!so@pE_dOwU?lkGE&N9) z!Joev54UnUXE0QSMH5JQy}AB&TDnz__~O|?17W?TF6wkT9B66<7YGCvV3 z-1;(C`x1|V4yN_IcM~`xl`p*GMb(FhwitVDJHF6Xx>|ON%jHpdbvw`L^%C|yx3{`I zXvONV3i+LkJ@a$FyUWPM@%pQ!?FN*&Rv7ai;a$j43ageU<>B8HL^q$P1<&!&BK4RF z8AQ;zVEai_1P^icXaO90Kth3p;!({S1pT=%4%kznMVEHP!w7XpCwQi+WCY4EX)C;P z_X)E-HMf4UJnl%sD^Q_rv+UvB0pM;1%)?)Z!NT@j`Pvk9m;|Fz=+~n_ZlHvMM~`U} zQ6u&?NdlS|BU(irvXp=)>+ZJGzds!}3)1(OTRkCJ2@zJd3go5_Y1}-p*Xp#p5>p#vcd~(_ zNJ}@2RgUcxIfk8whVDc2MaCxnJj>q---JV}Ly(Pd=q=V_5LtuaLsW!@V-EVUku*8$ z%SRlCW)^NDn5B&KG<8!EP4*~w8^do77bL32_EE*W>6~TEb1NMie~qYS6k`? 
zq@qouSL=d1N@CsFn*-q{!a?%LT2)uKn0ojbuGGC8^;^~=FYS01F_s%5Jcj`{25PB^ z1djO7V9oWe0LET&RX6M{h=4^%Oo0EgVIub$boN^ z+0jmF6S%-F)nbm%Ff=KX#jEe{mKd?eu6UQN1vD26YFM{#fWyRwvv z5i0NczHfX z*$TuMvTf>BA|Sm$^moG{pG3bI8eFolq?B@l3%XddU3Am7n;MdR1W;)i(M+wj#?ORk zx0`istH+UO_e>J57Kb_Og?2)Tdh9VaHoM5|xW-${%)#}tRom)z@)Zim&MQcWRVyK8 zc{R)`O$4{XirPM~2KJdg($4*?>qD?%tyi!I&%0g~r9o7LyeE*bw{8*&3!^B5(+csy z5-T_2Ph_dH@<1mtaHb~~NIO_b2%?ai={VeFn>@P|<>%fB(@L7{Tj=)JDJS#aUo!lE zmI}>PB&MwZ003LR55xaZD(LB1*jhO2>HTlo*;=zxQzHN%iy`=mf=@fO2{7rxn z=P;Bo12CDmZS8G7#@prRQj5u_C#CJ~|^7Vn&t6`~^__hKJnqZ8|>V4SF8 zVkf0&sHh_r_ox#gqnKa>@w(;sg?jNC`C5tU$+?<^Stxl%8ChzE6?sV+#d`7@i3xdS zc}a=t`qg@xi5b8wbbQS8O(cA}b@>nIVKTP9k`}U+I*8QEAtRpx2f)n4#E0Nu7z)EM zD8K;!X&(`3euY~g0D$6OniKMW+2{Y@E9^Z~lpz6tu^sMAaDE>bcW3}WkXJwe01%X4 zla?qO*ljQ%eCbyF>@WLLh|@S%wOUx`Br|RhF$xftA1Ik5LN}ORjl1T*zjAW}MvgYi z0#inOdEf4IbsZfX9DH64>dem371SkYNDE51yM4X**ncs$e~b7J4KAKYzV78#!6qdN z=haR(g56XVE_$bE;X~S;z1)1rg&k&NkGBitdkr*$rUZyK*qQSDG}5snY>QNQ5tKh_TI}$VzMgk&mrZJoAH)Sf$XhuDEh2aNN_z4giv>RGr(2e(O#~wW# zum*EWf)Gj%Rp7ar`(psIFX`Nnqt}hO$qP=**cRbE<4IFLJwUk?I8@tb zqK4LU`^L2kR<#i(S=U80XUw^8@m{)$m8Qd(Y=28dWkLM(jpmbq%^l$?UIRyAw#=Oo zcN)jqWrdp`_~SjOl&LFev~;;1Yf1f#JQ*^EW4+U+UcV1GtzPI7_vSUzapjNC0`yFY zi~Q7miYU$JxvIa&&a`b{71NgP${4b29w^ksLhr7)AZ_Y4&q~MSn&&Ze8e%eG{U| zKnc2apl7P#;8S%%O`D5+sXHk3>E_`p?w$w%+#t@m_rtk_rVL{-d{Xx*G-z|iwwfKJ z(4fOKvstf*87v)mlE9!EWnqdq43xBxvB;p55UvK|ZL?<1<9r88}MXJ>gx?`noZ(|Q% zC#eFe51mYw4c2tz55`*NCe!Q*N-5Uu*?H)DZ2}_1H7_!=Pz2I2KUN~Hl07<1`^K^qC>MJ2!><6Y~vuINu_wZ%BI~<_w@Q;@I8aQCNm#z+!i_I zBuq(|K|dMBPqy~wtM!qs&Tg8SO&u@#rDoJUJ!)iLGMe?hD|0ufGT-?`mJd4LfF0VN zUY89FUGZbN1@Zn#Q(L2bdwheqYjb+Pn7QPYtEHp6TymKQs@bva zc7vZN8cYh#AVFOk6gH8BXO>PEpNV{=Wd8hc@nG-qoiQmV>P5>yn0R^TCv>aO8+h6U z8_LzLR~FG(Mk$_?BsOS@T~%ft1~D@LV#_L1|Asw?qXLR(fr5lxqB&3paGhW*E6WVo zO6K`M(4TeTN5{KsJCJ5wi`tsB?ik2@MTjbTr zIV(w}Dx%iH*x4_6D|M*nw@fup-blC3H-y#1Spv$G#ou}mYW$FoeAXp5phR&=%@@+pJk^J{z4 zP}qLFZ;CaEO?RPx3cl9z+gL0~?-~EI{A1Mix+Hx zfGFK+y~u9aI>BYa-Z@1-i2|p0Eo{5__x@*5=lMnqE;L}z_L319Y9IA}@0^YCGN!o4 
zfR0nRO^a;_QBesdaWtz%-0m(Ev^};bjV_XC@@R!)VO-DQ0e|E=9*`e{xd|^rDQy#p zU+E{&GGfCXs{;s$WAv%ALt`-WCx?(lHHI2bNscwOE~`y}g=nQXVA7-j zO@diQH&XuaNrb-ne!0BzunMh-3=JI$fx&!UT(7MJu@}Ck)foxvC z&G`J}^-a;cb0Kc7|^1n*&PyA;lii;WT*U zoebMCp?{~&VrQH9xH#hA4jI7CT#-mKW}H5c$t%yyUIy<{I!ZU2lp?^=lT$ID$plVX zi~kX6l;E_fNyKB|K)h%mfou||Ju|3y|E@5~*i~wi=qPzqdrUH&Ok|2RK8!ljD*?s0;NhMg0K zO+avEF(8`QqyY}yk$&{hZ!G(lBW9FH#vIBGawd=oS$>!7 z2UpZZF}IN~EQk_glsoi2Sma%U=ECJUVE#52wLdXn@BMx5%&}MmI9@iy51x%ex|9?L z4_@}?U?;BVP9A0nrMYqeBL{vq%xLS1@3OLN|4iSWD;S;kbmZ;pZuia+T{XmeaMTwg z_RFgea#w%=9!Vf*BlAJSac*pV3w|$xZ`3#PSNQs)@#bJvH?T)dWWcCSn|Dur{7!^A z{fPAxxe6o+|2^xExZsdQ1!(lLECfQ_k7s+a^|)Y!%mFzg66%)0UP37)(j1d z=!-}4J9hrzR+<0=yNBM-t27M(8WLAsi2C*DJiv-Q^6AYOmcIm&JC5$apH2ibWF~cC zY?9OL95ia6WH88%8H_vN0nr;ZIvt3GInPut#F{iANJdMH6bTl5bl@5+CIDoQj40N% zPBcqwe0Oz6G9&=DZ$GHC^&^DrpEZR1XOh65udCZOnN>`KY!1i|ZW_o$J6?22bpZp4 zQNZ%~g~JlRo=>2o^Wg^pL_572MI(f=z&WPEZf8K5u;BiWjIR|F3`2u#FeU z7+NJXH43gD-zkwbR+@$JlSyn-%OXokeiUKCpTguNw2_pAbMPU!g*Ox+FlD$rLh=4@2TF5ZQ#scLFQmePR5m=N=hGs!>wv5Qw9J zoCJu4EPhGjDrKBLtxHZNe$W+9dgY%)gv$C10#+XTe3yx6p$AC#ZtAz0Pnue>gcbV!EGG$XwOUXV8T82jNe2@9GrsatKz+S)RwWY%CCSdW8_F zklnmO&lI4?UhtGsAc+)Ef(GB#P(eNHs;f1(?~La-l~vL1oUe#)t;i8H7vt3H&WQ;{we;wIyYMjC~3wULb@%AWiIJA*C8W*cDP#`C^ zsDJo}_}et)7R@+b_hLGaoW$!HnThbqT1pAn-ZAohJHnr8FL@7D9D%BT8HycEs${1x zNEX^$YvIz{z&Aot9*0`uvtFvpCLlAVBtNNV zcHQJgt8fzE$Co_MA6L^1_>Ncu-q|u*2?KELOKzFBimE`l z@Q%Ja&Uz)DOx@rGbh3pgkSINLNUvQ}nqZe%s9d_0U;yWg)yM(Vx9l+;qm5`hqi?w)A;JL{PY1VBu{FTwo)N_n2fBx9%CF zPkTj@zL@EXDiXF(apDhSLOnd+i^ml^H>V7ATnZVi(@Lxxv{9i@nA^dtKc)BVs$H#4&UFyD znjBIU^_PjFmb(cd8Z}J`?pCZ%+qO#Ux~M-&O|N;-H+pVL;d69yt$eGxQb9C;)SGK4 zf}w8FUhnwVEjedVzj&DR?5r}$qBZ3pHJLzTH_49NXtwIA4xOP#w7jG= z1OUQ5@A`)A&qHaS-^%r>fF^CB^=uG?p-WCf3dret&JC4QVlUP=j#>j^lDleSq=G3& zPvvQgZx@ufOUIVwyU0VvIxK;dY*si($Gcd=r#&6SDjEn^04VSQ+qEsxQJE&HFHQl7 z`Fu@8QdQ%=T|{DTn?ZOocqr;L1aW}} zzXRYww+65FqfZ7kp2_anYO4S2lhYJ$MoJ`{qw~{4?(| z2!ZCelP zyuJ25lW>o|Fmk%&L)(6=48g8sFsotJ1LKhKAnVpvbQNJch<=sd2p;9m9W5|)1IOfN 
zBBuRW{-wB&OSfSNIY_L-xdNMbDZ>A$k`0LPyx?}#a%KxmsR&MJF^)WHC-Sb7tIDFg zw7P}e@05ns}2U`Wv0;BJs(-NNl1ig^(#%Ky+E6TgOM8yiUi5FhN!l z?~GkQvBKA`{eCf>hoPq9R0Mrn_MquUo9GPI{ykMA51fm-FXGHjEo5d}yD!4o`^Fs6 z4=U~#1gAi#e^kf08Z56L&TX&A5!pmoA?K0bW%ah&AzWMmn5=*X330$6G~JF)Q)5G4 z2>HQ^0J;wEyXet!$co}~tR)ytcjz47TbhZ4mZsX+QroX%L%Zm`tZl1&V`;6o>PX1V zT)oJQg3HyUx=qccepV%h9*yc#fw{-MJry`-2JZmfQEi z`PXCH3-`)dueaL=wcGc-ntgq{t&5K>sDR?3l_?D0@5d6)F9;!E%YVl2$f5hOOB@g6 zU;f{oaeL{&U4J>5@E@)#P~Y2;sXV=&i|4^y_<`z8*v>if{i-`rgw`Q|t4p?+?+3Ft zZtL%FwR+wUgMXR#`UzrtVuc9E#S$Q@8z9a#F>Ki9Sl8D3{GWAwtKXdqyK6W!Pa8Z-&3Xm#>mI=W z_jZUbw^F>ba%#KQR4XkxBmf#<$p1pPl!7klQig~Zc?r)@!(pM%G}7X!NSdE3DV~+s z+58tAw9=fTMmut;UUWGXw@|g@%>2Knr@|v(;JAL<{awFP{z(5-RJ%A@{6DJdV>KJQ z4RM6;*}8Pa9DihoL8(GE8AnG-i3ErOfm(FJDkgVGFEi`TF4@7pJ~KBPf?zh)+d~bY z%`WD-*{P@GrGM7yk@Z~<-C%aIaF!S+d1(=VzF;~;XU;r@bcb??c zQ*L9G!G4DPj-UScZOTJZ)D_jkeIEr%vRW28*oy1`l#~eOeHbvQ z1k#p<1+b5t@l3+5qEG0vNGyO?W?fNX45B%tUv*>Tt$=L>8kG2yBV+pR<-<7+niShHvuy=iyS2h& zyK5j%@Hg@wo~82&gKicADQl|QL99KoDd4wpzoA;6O%uCE25rP6z#u%cCnQONzY49syG$C1dc7qNj5I9^<2rm z;guVI6gUl@_oN@ncKcfX;1%4tvb^r|g-*|2yggo>d2Z>#E4Plo21KTt5F#i-GC5cm zAnQfThuN-Xo&MFeZaT;2Xnv;`dz61s9s8x+{bbyDP1JJ3dj%9D>oEzxa5TDcq?>pt z5x1Ou*yIF1i<_to=*MmPwRGOJR9)7TovNz4Z+$ynx`w&?+zkbLV9%^L_P7}0b=!{| z(I2YKSlC|2b-r$mpm2jOnH?f{_n)`oSD!D-2mYiP|D8l2dfrs(X{`!oBY#3K)yNN_ z|1NO6mtmZ0Vm5hZPU)%@%&Oud(V1h_M~oUdb6X2PkmrT-C_i$(W6L z?j@JD-TVM|j$zU)v+J}CI!Q<@1(H))2fBb2NZw^|zIE zBbB!RD{cM@GbN!vcQI9S%AUe>o9O=|?45!{3EFJYw!Pc7ZQHhO+uUv2wzb=~ZQHhe zJ0|WuasQc!GxbnW`I3*dzFfHgJx8hc{<;I5msygKDr)Se*rEW&%krV|_c^Gv@eX^y z%Vtabvca@#SK`2!ri^E_+!W|bF*K7d2Cs}m8_XP;pFLZXMvb?CiC8uHg-V&;%h7w2 zy_~znl54F;|3eOSGxuYv+~$!c(n`0Pt6~+$p4(VqOX=OSy7kZMn-<5>daDcjyIY@93V&v5FHF)yP+vii&E} z^OK7uj_Zx_kyttd29uGK`_)l8$6`efU#P);yMI~6dTK&Z0V_gw@o;`GbMfBCY#aEm zw5MlN`ADM0x1&iQDZuCUM;Nx1&L_uQA1_}O0e^aUJto~c<6=M+sv~`u2x=)34Ec-8 zbqe->?JmhnNr(o!QZ#ZGCy$S!L0Vu451*T-Xpq+tC+x~wXqMqasZ{~o)Dy>LTxusI zdm6mLd^<37mPlE^EYlhjHiey0W)8*6rN-0!A(H4N_cc0Z)YoZ9-f*8Tk%m$_)fVXa 
z7ca?4OjKpnp1QuvmYpPq0>xFtd|?4O0cWmAabq=bjxrSX>Uk0Kfkg)#fmG^Tqv*~Y zO8eRxwV!61z(_Peea&vgB!vgQkSn^PbPi{CYUIX!4OhzM7fP=frs6^8q%ubsO=KP- zq)F@w+MzK(_vLUyW_|X}-ij@4r_YlOUo!A*EO=7L;Br>Ml>_IwlDfs9qZ3;zn%FJI z9B-Xs4En35avl>z2euGF&YZu)I$Y@;WzTDCO&x8ZEA&bu9|iB%%@SHBF-+d%D4lRW z)_oCGV+-5^H7fbM*6DBiUNx9s6AX+)GT}1bUE(`lE-4KS{k=`=kYbcO>lk3?8^Qht za2Qko9K;+6(WDuDV4RR0I**B9@xHnpsg@q3P7w$V`8pe!do`=!u2d_n)kDN>@ge=J z?HqF-9&CX&_3xR#MMMfZ<_XS{1NZ65~GDMBJ2wGY@uC9)7oeQDDf4CQ?Ec+jnT$y?Q8aC;zv zsU=i0FBE`eOh)yS0~*92*9(ij`|IqEQ`cc;dL6Wh1g{&C?c2NI|fr%nqXO_UOA zN^ogSF-SX1nLJCGg8)L?z?_YUcFZI2tI_XhN#;ZJ7jvsPrI`u=U1SA$CN3eN_)Cm86nsA!0V}HXb~Xm{^lQ2NC62wwivvbjNUF;QS6Ug z3S_?*hQ9+bv{|Sst?2|U~3Q^{2KsptYHU6vPa}zc{?2yM?va&I^OTO|-zl_lKS;C1^~~E0Ie7BI|;rW}s_nZBAJUG*-888Wu?FI?&!E(Q5eS8)W+_t^!bMQzadSBB{5GTav4}wNq z!rt7zVa#gveazCeqmtC9uEyo}M8^)Y*EeL(eErg%=-aX0kIf~pK5>#HSy(O0^n_S7 z6r^b}?q}eAR}u3?$x_4o*4r~8pxhe9OqAe}?U z^ka0`50Rmz!Bc#`;|hKN<=i!;BP65^$4DF@3V8~64kJIr8mh71YQ$v|0)MBHN)qdC_p*q^` zt3g**hb6&`(O1|>EC^2~4`M#g`{UVfe`+W+M=ctgiGI)nM&IIuSgVc@+dC=->*0?E zMCV8_CB}@IAb2(zH8txe2SCz{56=4rJISp0Mxy;Je7AjknD7*##Vm8*JUeciABc7IG!Uit0+YiNfh z{h#VKBRgBy|K+TEg=yuqE`HC|Q!r7JR0KlB>QEm}w@rz95Tsdq1>EUHyCDWUuTP4I zLEk7Np&T{8NE;RN?ZVr8Un=mI;Kd9#x>`S5&2<3S*H)*qxrFvH&8CFPY49}%46mL zH3tHeJGIm5sIxu4PJE1=V4lERpN7}RsQGt9FszL(ff@BcB!XB`KmUg_!T|NnuwK~P zy9vSvSBUc{?%q9R7VPo%>=SC*Jz;m94EH__)V>WJyg!g>?~Z=2H;%|NQMxU*Xjm%T zO)?6GnaCcKz#}Ds+!_e26?XtQ_K$Z6+nQ{K?wUG|HNO75t+jmM4!zd()PoCI&I13#mo3}OQk`=6W%bZGw=ib;gz0y=h|`6;74(R z;e9Nv76>R%h4;FW*cOVATAds`wzz(TV-mJH%*fSS=(gg}{kK8-$!!D!fPAt_&OT3{ zE`E={FTC2V3f@1Q@*Tvrey&*264+DvlStp!ag7-H(6Ku>_p_1S%pBYAS+-c7u-U<- zhADg_+KKjCFg~+i7b-8E3plW~bRB`DFd;sNj9#2Qf)|gRYX>}XV!Ft(gI^E>p;PRf zilX-M38p*_gq_Sp+XAv)quyy@$SP7&7_Fht_HT(J#YUtU!)p>B_d#;P}#a zu(^da1#^VR#MwB}J^BD~vxJ>|ys?5w*`qPD;-||arPSiBPKyAY^ldOkFeMPtnEQm3 z*6H^kM8Gxy-LfSabaM&=DMIp|@M?rYxuucpAe(Vs$eWCdW5GkhMqLDiqhO3dnSzrb zpiU5N<``)AnMrJd7ORB(GKTa)XXJlCVyK?1w8*v=o|o3_7db9mW0;8YKn}GXv{RC-V$>-8Rk4Lq8^4evE{ke+Nk|e=LkgPl3|E%; 
z0NJ}o_HvYMlT}avHI0{j-VUUZ3d#$LtmyLt84AGn6egz*{#uyc+X(bAi!RlC>rsK< z$&bCvXdu>D>6rx1h$7a%(GIqb>I#jINE%PtsdAh_>b^X$;uZIDfxyw4mrauW+u_5SJ)yQOz%uf zjtXeijp{8OihHCDxUJRg%Z5J}=I4OxZj0Q<2NZA*N{FobRu!L0IeyGAdbbpjGp_o- zykoHr;pXr<_2TyAoTd|T_i|^mp}QK_%y9W%iN!>i6I-ksS*h?j7=}LfRx7QeO`(+T1 zqk&JP!Rm82&Yjf#cCl$NCq3v)7|`n>ia00^h5<(}Z7tC%N&1vUd25)357p@Cnn8Dt zUO~?-gq^7n&(9Ee!~qQ~0WcGF5i;yly|DKR8>6=(J|m+T`|*e^syALE^^_ z6`K(4#Ta};K%D84QEaU*hI}u^`e}uO%6XRe zcuMq{#CKGjw>4{)n;p-r>yxeDDJsWzh+-xke~*s^%0)I4mTA1?k+_}X3)#|~nCc~R z0jb*@V!6XGJpDXk=AzT4&1czKUSZqrDyrwnwgILzp398B5(V;8VCW1ta3(9RjoZlP zNZq%JUPl7w>Qk1c2WJkx^`@20%J(W2InK6LWy&nWD52`+bDeyu!v4%zO)2hHeY)Qf z6Qu5FO(8ifCpnvEjvg3d6ukC7Y`jJgVRZ7(jwpsDwVZkqPQ{cW`eyjHi#O=nXp zq}*|}hvqfnZ`5^GAFH9H=!*@NlS6?RyjCETF`&7HCk0+23_IekMs70wP>t2p2YZIY zMwhH{Gf%tJ^GC_|%Xecdp@WQt-dJx|XSHVrO)`oM=L=8vMA!7gD$S{l*1F@ipq<_= znYAXJp@Mlbg{PH>hUCXdB-ARj(K07$-O|)zxW3@rjll6mj<aj)_KF9Ko9ep^R39txMn%R!kac7GTC>Yc0Ba zlpj@%xG8vH$wvy>Da9h;LT8nKD^N@9tN=)CpJU+-KpbD3A2xNIhd-&CQr3+cSpXlT z76@)NhfcI{{J?!x)eFi! 
zW?a)8+MEmkD0MZA_T?*1%=Er*wmvz!>aHOLL3Cp43-8TTZ1D85+WGYHy8+(FY*Wy2ogkv+mA z>=o0%j^2{$6QQaPsBG?OA12b41@#rJsLfOH1L(Q~=&S-rojT!uw8=<8rmKaE8LVV; zlVNvPL-Yr2-d%E_@JOMfgHl4o43#*N8krwYXKm2+Xw@ZK2u%^n>2~S>z7i;13G6R- zn-;LK5-Bwa2L8jW+$8EKCOYZ~SmFM-3@O=!yV%@6{>1w2F0taqz8ktchx$J6{=*R} zynmYT`sP$_UsvlRUIQ}&3p8{r&`2+Ny zl$n1qVO|M10KgLN|J0isS^SsN{eLCP><(CwzH#w?4BEdCI!-9pwtU$SX@`FGF3YXf ztTNct0nGI1;mzTrNwP(W?>lZGMb-)h#-(&*_;obXAKY0O_gfuqq2M>CJ9~XC_PX{Z z9zf|q@MJfBVY1)2KCfZWjjY;dBC1*aWbs|UqVuc+zmjw<-kEzBf@5eK_C2r9SNnNU zZVd=frg+ERnJg5{dW<5-2|m%7{?EK6jXsVt>k>VUJ~@NzYJ5{9s2qr5=)1;wa$(@a zF$dLNMyWw-8KB!ONzzV$uH8J3I_083U+?zzK&cw!8lU|HH0t1sB_&G3R%C|M2wn4@_6Xx;*B)UX9B>GS0rrzX689!fM9l6`YF7^z$+c3Ab z`-f7o(EFcmO&NK6I?g*kWr2PPbJK)i1L;;%LY3l!mo&X#(Gp1N zRp=4!5$(>ra2P}3)ol)94eF`GO?I8(1y7&vqjz8Lr*L{D-&oqYwz=rOqB_uFrnq$6 zzk;>jZL^$wJiNX>KGDaHC?-Rn>`k7Fcd>|9I675w@bCb+8u2u9%gjd%BpM=@6eav- zVfQmsQ#p#?=|^pG4}h(7q2Qk@X(yP&A=b*st#keJu9BSG^wbK1-B>!=u_cKg z7jra-*tmlfN>DFF`$mrfl=%$9KZteLZ;l_+5kWKhoG6N?XN{%qoI=8X_GfAs!%x4j zJIsV=%04PNp*xMZ`5KFFU8cT>z$Yg|hV z;PmTTL)QdN zn<4elE|G=_KA5nWYazeor%kt!Y8o?B^UCx+Rm9O#sCswoB0TAJ*YuYUJN7BAQ@UR1 zNg8oPrea45D>7_^G==)9C}o3qV<`lWdwr2l>3aBk^tscf8ET>pGXEuNuwMj^S+};W zP>^sx_ihjtoZA73Njmra`%e9zteZ1Rl};WroKIS#`|nEh>ej_ zCMzTh`Gjf>mkKHD_q|NL?E3yNA_0PQ+y5;*3;KbvYwB@ft8oW zCWOVm^DWC7@S{FKVo80{5)Guh&Dw|op=CMIXMWS0M@ z8oC+19>ae7aW9kUVP1T#6PB5#XH-pXa@v-0R^HSyE&RO%l>-GZL~_!z#&baG zSaKj8WsS6OV|~2h%Av0)F=1BNC{cR|05-wq7E+?@pvT1bJtFX!9z`0XBx58&a=;4hJpvPC%HM`7F?%|HxOlUFKd0l&ZbSv4%e+sF9q z>w_(hL-p3{-eKL&s#nbVVo=5$AaSS=sy&EHayN4^I?bpt%2O3&%GH;})^JL+HoZSj zan_foSPwQ%-;Oj*%lh32VhM!Y$5@8xT@YscoZDipIfVF*S;m`HAX<#J6n@x6pOOxa z+ve&c8GPXs0q>=jPBO|erWjwy5j#5VehBfT!uyZ?yLm}c09^xG%{VL0`f2J2+UDMbC@I-NFh=2)QzaiDYqh`d(k8g^t|D5-!|sDjM7a4 zolaut+pN>o3plf0ts7fK=3JFj|6S_rRqE3={756MThHZvcy`NFF_g2{as-n{KOwi}U$Zn=;vNW^}e`_{-CDk1z)* zLdrv@QQY^%Uou`=jBrzm0vx{|-|RbZkCxdraEO!7)^H8Roz1dhOffPS|3Oa4#ej-P 
zfGDrta#~fkn$RND>@BXV#yMWENXO5Wu*fUuu9ZR>uBT}hUJ?uyJzqYAELt6RN8i3LV)xsAhfY*oA#t0jnN9=yxy2Q|D?$pwIdR!Hv($t9|WF!{MsOhk1qyWAZ!TN z=nCIX#-_5KM)X$czRnu?a{S)75QHEMQg)n3#y3K`!4vxOM&SUjH0Ny=}FE z9E2#1OZ4}PTA@N%)S*{#Zir*J?sR&%yPI!5QGd#p*_DCf^8Zabm%D0)Ka+^q>4Iy0+ol(=-Jh6zN2~W4|-8CYA|p$eehyr02k! zehvyByyYNlWiwW+O6V0T_9~!9Qe^KZbVBE|%$siN0P`1qs11F68R7gRz z%+KbFyXL&VHdrE5)uaVYJs0NpQ=+$jEp%l%A}S$x%Vfc$qYbm??ZQyB`Q*-Ec;(8O zw8*X-1C4@R6Y*m;!y^!z`Az&ddobI6$1hi}9g)Sw!^@0zEp(b!am7w1n(ywY7n=CH zNMS_r*hwyaEx7#`|Hh~WV?x=sj|p~9Jcl#^ZL}3usII`xn=2+dtk1q;Y31Jhe2bZ$ z3i9qR$QpFT()!J|#uMjn6=ISAG)+EWEE8>Nufie_H+KE5)@HD69^RK0`9d?1Sb|;C zrkx|^QmYT_E&(rAVp1yY%*TpH&!S|KnGXsX!8lf*ZEN>oAIfAP9{Gb(fgx?S0PPXd znD_V2DK26I_8MmV(OCv4`eJ{p&8y44*wzWVE9ozI zx_tj2_z+ViiX!o^V94w8=?Bi0<*ZZ;GAOuSD!ErI8sT_e4g{!T3H2Y-YwVT{{`G*p zU%7$W2pC2OW7`U~U7Q(yq^8|{vokS2N3qoEmLF4p*YLj_9g(w}&ru&v!vmKDHKAE1&$f&e<#)zY|V<%%)pqV5qZzWWykn$Y`oy2QRmAfaq{T-b&R#5ktbJ^75 za0hEPTLNZiFsjtqG_~SNX&lJ7hHf!ggujj!^54SEit;8OMdzXRnN6wH_fj8(n)Bp$&A~Fb6$)BM z4>cJ$l=)TgpFsT(7*^Rz|H}|?lcnWOKnXG&0U)U9P8vlMg=xJ}ao^*!E-xq%Uy<@) zrlN@}lrj*J2E!S#DJI6AMQvj~nMtkF;zXc}9FQEr=-VE4z=|Y+S1{-vSsB5g3Y{?F zgz=G#PxM?LU)rOkNtLr`mHp7-W1xhOHhiz;96X8I5hc2wI+L4rjd*5!{b_T?geOiS zz_B{@(-HrqpOk)^kwa4Jfcu6q^oez{_Gwp@7|L%=D#{+qrl=HRmWh4g0<@Dlh^m^s z@TDJS|D72(-nUmxb{WpA*ZKUPYGY^Lc@}xpsiT61Mn>UdVP;4s zsdQkS4I=xEtT(UHWz4v)@|Sb5fqqV#H~0=xSlPGH*+rZSWC#xjSMph|8%s2v{c(Mw z%1FhtPqNs@zM@vlUQ6DM!K6xqDpz;NV`2O-nRD5ja3ioN$UiK1-fm)Z1r$5OzPWB7 z&a9xwN-!{FOVbq*n_9r?24D+9t)wIt%JE3eib9!*UFg1Jp4z)Ut-6bRSS6WG(sJ7U zqcPZFV};JJ{Gi_Vb5^-hjSV1;&~i$M7&=lRXszpagB>%oOW+T?iol{p_{kMDH}K&< zXHYk>fgN^te^GV8TJogy2)`j&oS6mOQqBfQ@_8cI97LXUcWb0mzsdNqTOfV0qi56> z_AWgcb4)(`f#vgH6mx!pdjW>+y?MF8uxp~sCv;{)a1Q8z*@2iBD)-*X`0#K6=O0=5 zu+a$9WNFPvd(h zp-_N*OsoI{(#B?w7JdLEBy^?gDU)lZNGSr%bA2F3Te6&W!+)X)xZKRKuBS7^{{_Ne2-1h2p}iNK{~RQCoo zagEyzjz_?08uS;V7{k?z87h70(3&|tzS98v+@i4qNpj}6023?$hIs~GWN+?vh%H2z zJr|F7!oi%mGjld1IiQ?<8`m^7#x4>Pq7BEY1v9ZlqbJ&_n8d`^4BHOkx!|YxmI`nl^R4geSZf 
zH1tpwkkB@vN{p~(sZ={t#-eX-Sr1dKMDiz4RZGL{RntmF9#o@`V#KBCQ-UmwqKmA$ zWUYXSJIi^#X}%Lcbb<0n1{syE$lYPK zf0gO>3a&(|sx6sg)=NU2uJ4A`il$JaZrCSC5B3JMZ$f;X4oVqHzQNxYG|9v`bE7=S z1QG;c_$WDU87|JKS5_)czbJ>Fz!>Wh6c=}R=Q+fPLgCo9OOY6~pd8zkPZBPAVN(4?PC<}I)j zbx)LK=#%Q$)`-7%xNBQ2uQ6{p$;dbu#Cr@xETsgrC!JArfzASV6x|KAua+ETaU(b3 zy(9~HrdcHtqMP0<;aDUWn76~HUS%Fnjp~tcESF>y)pVGY@u`iPkb~e-(D506b}0>R z+}1xT!>*iGK|W`q)9fFvYvUMQLn&>s(_6=6)NbqGG?J`6Yc`EWZ9 zhiz|05Bqs@J&Mui&ol4>3|+Hnf2kMp7t{YLcx5*?@JeTZZ3RmMCF8)9! zQ>VdZ155CHuFkAgKxw+bay}>eGzF8Jx15V?@Y97h`%e4647-@@J9nU_MqZ3_F;`O3 z6ti=1UuQ16zBr*MgR8kw*h$$O=rum94pBzZ?(B72(9ojK!Cy;r!@L2Ynp1^a}FXS!xH^G42nxp&(wum*G=|=uItxPbT{p|4G&Z2{b`L%Vkn@%w3D8)Kl z%K0x77+;(BLr9|3$1QOw)j;YwLJyOAK^N`m#e0eGs_%RkbV$g=&Y^tlK0iVq&}ZYTW#FYHak zzFmIqlEfB*Z?~XD)EDus@Orzg1O;Nk+KdovpiV)fA~#_?XsxgeiQ;>saZoXUHc$9M zpC8(N296-1Eap96%7zR6rMqAc91{ti**qgv^7@sI$L1p+m-|T~1uMNPl^2A4ck5PU zo5sUw@wSPfoJj1T4<1e%5KwBq!z6Sw_P2YP->q9 zgKNJ`U){p`p}m}3X8Cip&G>IE^@b8LD>8`|ilx({9bkMQ9E44#QrRe@GHlu7RQ#ag z*z>vqUZ;LxM@NB2%LRy%yNIQAknK}~%jEN7%xOa7ku5HDw9kXRS0(t8P}39EWu?lT zrJt4Ek^|RQCEQF=#-D+(7j#GsQ<<0g?7c4FKvwi$MUGadtpY4v*Svae>O&hSPj+iC z+FA7xZ6+NCOPk2>5nN?4kIc(6!f;=(=p1KpXG`c~o-V89ajRu{8VS+xeT(s{ElB%) zJqeSPs5VMR%6W3NygZ{$n{JiLb8A_uRZ~}u@LA1P`cU`W%Q!2`CN9pnZtgX5_WXV= zwWdL(R>u=@rqEq`GDSOFq4W+G)difAgiB5eaQ+{sd0LQV};=?QJ|3*xQA2-!;IiASc{CWos!4k|4PmJWnq4we;(HA|Ml_zzTp24 z0@*v-Iolc8S=0UB60`o3-BH|awOs#&GV=dWLI0nPY%Gi%?VRjPo&Oh>r&`^{ZeJYf z*OWs(C5{%y4lZ7wIHe;?2vRQ&!hX3)i5V?##5UVfvazy7D$w$2`OvP&!ZcN#zrgQY5?p0um}(?TffL9Wb0aZ?`8lwvdK_KoW*3m=T{KE zWgTu!vSwXFgZ7DH7rkyUZ$6DItsx0`^BV|1h&&%;Z05h!5^HKlNdZby@*Xbk2}%_& zB+V|KL0?Rgd59@uj?c}3f`m$Fuz+%Zpg8@9QecL{oDyxEoSx3@3;a}}*#0KQkx~L` zz&oKH-IKaRTLIrZUPHktBd=_1{N5#sAfFB7w_5Sf6i6+QNh_U!L~*|xyO!1ceFZ*o z1jQels#JW&0abxSwK&5xwk$gC9nLg>1J!+P z$BkWr0Mj2tU%MF5Dc{FewxXfNJz5<_vT&OEq^JZMnDMT1N(E))~H~>M*sDjZSSL;$%3H06|%YMZpZ{NWx zN@jW)ec2S`2CUy!vImI4uyVIjIFWee+w><;X6J(p2i{!L1{N`4Q znqu*#4EKZvW{i&|#d2hu>`ii@vw}x7v|(vNlbeZGq!Rw#jJ@4a2rX2}yYR9>jlHnW~|qk%MuPm-vx{ 
z4{Hvl23`+Trh3biw_WYvWY+Yn2{LK){DG>AG5ArUs|*ntWfEUJKw*>S`JB5QrEl~( z)r-r!zU-$h9|{nGF(?-i|Ju!T#g)%xKwjUEHe&MW(J@)3a@fE>M8sLN?bi8sRVS;h zctIH!&MKl{OFyrDm4ZEs4U0#Bv;f4!(_=y;o3m>=J*ac7BOi-2&1sGz*dB8Bz+9UvgGlP0}g z7asMj2~=X_4QYlzy1N7^y@nMaZ}WQ?TkzM zpD$Hy9*hkUtQ?hW#ICzt&86UXby-H|M{9oizKEtn$4}L zDn^$|Q*u{sNYLOOP>T)+l#2JeQ=b9Jke;o+sRx64;Fc!MJa$IVV*Gp0a<7g-_~M$M z&6ZM%tg$NNS-IrO>}I~VJZLZcT0rWk)YW9_vOjbwnb5Quc${BTYr|{;TJhzFyVvo= zV)M$CasF3Ox5mLp!(W%~zo!9A${vuC*}|WTI3zB(i!EmIpi%!veVV8IM_A>`c^&3M zz$Y5Xej)x|5ZW{OpM6)~9?XSU8i#Ml1AYon_z%Afnutt?r>?u}6?h{)F4lg%))#d9 z#+@3;KL(1c0RnksIda?|HmblE8>@c-lsCqd-hW!etEwIj0NSR;Httz-#bZq-B$b|w z1S78A4+m3gZZNr&bl!?^nFA&sH05h^b+kW`76YBUtFeS4R5}X1bWRsvh8+6gm)>2# zM-a1^>N=uzejKQ37cKH9y4fJTWT4Ex0@`EWedb=DbbKq@+%d_Ri`|WVw;XPcJDPG= zdO8Sikk1Ku&U#78y?k>u<|!GBz8F0Zkxk?0)B8ufPk z%hz#BSl=mkvYgW2=A;Rrq)$i~bAEmTyyjZDkv4w-{}V3FU)sSGKmY(pezPah|0nL+ z+PRuoTmLUuxumvXd%%j|10UyyZj46=ta;RI9@(hX>w;YiP-`PD+w8%JZejeVSb|1k z?PA z9!MnJI2v1qg)lv3gHp*Il4-@?Ac@&DMoL;VNG%cCcv(J-CK}#ZUGAf^ms=e)1dN!_T1!#J z_rF=gEYk8=o}rPJ6`*NEUtBdH~^hqcNjy(W;HiX0S}h^Q7> zjs&~7`SfWh{d8-nsNF$da$A|ai(GEE#ke9*vOm{q?`eYKh3tJC$ap6Ke;6U>rPnd; zTp@BZ6%PKSFaAJm82rSn4!Eq|Fdv}TbRaI~tHr(>9F*w9=DGcOYIk4)2%DP|1i!UG zGc)-&8cm@&99$l>qu>o2k4zD@3PLdrc@L>z948;r#Tfz@2}u%Kd^(=%v=nW7Lwnh% zJ*|9|C$pcSke*0_2Ei0J{;n^+WJhH6Fp-#e=8Oqrf=JH8jria(Id`nHr*4E(2=R$$S|Y;=L1nZL|~cw`P9UpzFV<0l>?Aq9aV0nV*Xo+T?*&7 z#LVkFk!5JO_5zY(G5}RP69(O-N5x~x>YD!7L`;a@$Tp0}g!oVQ2fgS8vn%h)fxt(_ zHWu^GCA@8>0=6sHE#ma%?w-It41u(Qrmfj_#_9Ue9^kA9riG89G;hDduk)t|yH<@EB3!1`;;b*|%&-SEyX9rF{M@lkn(s5w><4xim#p zWLy56E@qps56?mK@n-mB^G;)G1B1ya@;!8VZBg@U6(f5bb-h?5IVHXlYj~ScAx{k@ zK0=|uJYPyPssr-wi-*xyQtY`R90r5G;sg#T)$%J8TSm^GD>=SEEDhsZ=G;~`V&W4m)P>oAHQ`Ud` zJn1&;Z&Sq$59pt9>8>>92};(T$F6nKn1TWHHw*ca0Ykc-S*2^aza5~DbaB<*tY{yK zpF7o$szN)o8?Yjv-*z3Ujpd=!r=V}VPkRN19f?$GF}t=p)Xzy%E2d{*{&kO$bv)8< zaw6;`coQRB{71pK`!VQ(B+@X?2l*#Rwp45#f1aO}8T&$x{ohPA_{Y+O)vl zxSXi{M`y3#G{bfJ8MFnj=&%R2oWK7YIR(~SM%^X`08nxd`2Pz9{XY}EorUrL@_%Z~ 
zwsP8FO&!^BE7|d1@YyrQok%W=tiE<|2c2oi`PKW;oeo~UzbnIuzS;YFBE74 zvr-3lm3att7d&F?Eg1FJrr$0_&X*yEn$dcK$$Nhm|MAQTS&%T_z+-x5lI?jiKa)rf zpr3Gtpd0Zz3=zo>&mQdO-uKyDS{#9Y(`z4b$1z&u@ltUkO+M2dkb!y>86MJgaL=H3}T;OpCx|yGek2@M9SI4*1o!QAs&rx2exNXBvy@5cC$-b+^Y0x{Vi; zcG3NLLGVtl*cs+LT-farfMi`jQ-0WP(Iwi|Y2+s;G9Qv4r8AD5qMff5Suq6YEd>piV23;S%$(yBfDfY+OK$igHqPt7pfe|0 zmFmEtn;C4_@Sk>UXl!ENygD~6+QZW6FuiJ!S>!Fqc%?fLCUnIdLB7ZqKFzC``3?Z% z8Rzh{C&BDAYd&3^$i%P}W5@+H5k{@dG$89u*{=PT0-5w^*l@5|w=-IJg0Js-1!hAs!E0jnf`j#|+l zU+k%n!qTUaA#)VB8u&>UpwWR4jAbUfkhfP}(`ah1k)EOW+4Gb=4KH$Mbez1{Fr?ck zyR?gXJ7g%6;BXa?o?8%fm%NcXDR)ZUMnBU2-F~7pNuqCH7VvoPq*B;?I7sVUD5*&i z&dCt=T5;%S{zX^db{6~I=D^Hb6iTG~ z)!VU@jRytguRb$b<4}Q+us?OeVlqb~)_3Cv;<}8dcFPSY_LXb$vG*5#pMZopArEVw z9J%N{m}+AqmF$L(Bc9A!(I-r}$vzTfRw~W+n&W?QQ+&r{oCvS8iC7>A6 zBZ;vE*!xOI+&ERCc)jgR>l*xybJp}YJOV8__t5op5{I8#KT#oZ17iU1yn`n_rNKS9 zF=hu#o*e42epoyLOCv1uFw?0vPl$&{u~qVSE0wLqHY-p-2UJh|-k@iY2_D#jA27nu zx!pR&XfWFj^Y%2OV<$?72Y7i#fyHHcmr_6zo{B)+O`Ajz{R{eae@R0b2WjjvT$6wL zzT6>`ne=?UGw4JoF4@Fyhh|jAMm{F+2oX>CbYN+H6X07TI^Z5rW@YIh1omW zyw_6t7by|)`Tg~fJp8j18`*^-aWV&uPR?;Oa1j-pcUD0>)CnbP)3OQe>rt$+~+@+JbNZLD1BolmU3rR8;wtHQ^Vh(R1&jZLai~DhW#MvQaeT=X@6UYYm#VhA^4hD%>9xggDa_^`o#MXZx15o))M%7`8|-xdCI$O!R3O9V%48ecdw zKYfq+LpZh>K4gU>96M9cMMEbE1;tOdcTswL()sSg$aj+Ge@BO)k_NAX@x!>?+1Acl zW7|!C-W6UO#Q9fm?k|)>lLV5t55t!iRR*oZmyKj-(oT`Y#NnF~mBC={8%U%Y9Gzj- z@e)c3c2D~k$A`hk!`XgAJM=yQeU6DBY@apteq>eakOyhaknvrH++0A*-4bpRA3J}` zUSiXbg8-ZxeT@(mzt4BBL2sDnHmrUeekmqP6xBnCmr=8wrWydJPg{x$bD0wrRQkv> zH5AxC{-f%D-ssI&*rj@i3-Tjm>tth>CK^23sV%mS6xt+o@Rxbb-pscj z0k;_JG<_P@tl2WzXukanWA9h3jG^ppyxSwn2AF`M?fovbePSM#&YIs-QShbKl>=lT zUnz-e_eKu{&nHuXNACLi6ErQ-Te2%2n-jKEP`%(QpF!NrGL&AQCw1k9*r?3%3Mcu+ zRK2^eJLgMXk{fFpTj5~v^f>H{x_Z~qNTXf|i$wjs#;G5TL7y=;W(LQ*MeFR6C$%sh z{uvQe8YsI-Zf3)be8_X7EzlY0g zuloD(mtD*)Q7$EnD@*DvAe0QS^ji8`jv-S5|DbxQUgRy!FD6(jMa1YFyNp_a^4T6F?)+B#$nwd9}*lqow$a6<~6rsm6_t#=MyIAeqU`qwgl!U72Ar zL5T3&Rh`aOw93H zRc!QU+FMS1s$+m?&_2L*KC=G4LWW+v%23uR|6L3g9A%yKdWP 
z23z+`23^Z%H5Hb!V^UQ60kHFUp%Yy0P>rr>`3Us~O}0X8^u7L4YE_0a9nO3wy$18J z?fkmer7n1UcX0qPr`m%z3 zfG?RM>#oQgIUt0}%6jYHBT~kr2N?N(9=pP4`)`#^6R;|`q(z@`HWRGuRKz~LW&eEj>d4D z1*mYbWRGK_v-a8FMsk!T>Q@&T6Pba3%VF@%d1d?(t`^Lcd^H3&zj7ZVA|evK9LXEC zPiTP&0N9>qB1G5hH8VGc1rwy(`SJF@e`M;%pG{>8n)q&()Hb&Qs1v;+kAi~Vsz9v@ zEl9U>$HCW)iZ{cqIm?4ZAH{p5966M#0)>amwCP3TaTWrlWQRkjw5sv{iY}FFSI9ot znUOx1EbSK%FVUk>`PizFxQQ3nh#9RHtH9q*Ob}zbag8lO>Ink|FlE z9YgfF1z_#d%D12$us>*{$|ER$_(~j+U9aP{bjTAPY)7 zI;QD?j)EVFyUqm`s)g02^)45^dAOE)mQWpiV2n~G1%!aJ?puy!?N@-Dpo2>M4hX~t zCBBlah-w=|yc5duQwuY0)fs$XifH-=Bk8eRg-v)|&4HjoD7v`FbW9D|HA(aS0S$16 z#4Z;Q@a)=v8>Bj?O4X;+HqYPGzVbwxK)!~OE>j)M^VYd?+Ra-`dF8UK^cU>x-RK=q z5WW z2JW7*2jjvcf;ZlY$RQXuAjexhjD=0Ucx;~i92b_s7VN}t7Z%Dg;xRl}CS$;T%?)Pmd#pBg`#XHa4+Srd z3l&-DptY4eFi2-H-+}0v0@WVjFI@NxGpVeXo`+10>2u&CseZk}KgnfD;&P8AihD{8>Ipl2UHpTLTy5w1!ZLeT zdBzEN$}$HK&i913L9Ca&D*}(gJ}hi{5BzJ?fV4hK+WL>GlZXQ2~1%dQDF$?8> z{C$2fi}rfQXWBpDXi-e?%6_U4Psv%Y0uxkVG*O@`Nq;Nf+1%f5zCxl)=l!W>~jsOrn=?-^Q$yD`pKs^O_)p6~G&3-p9|$o#=v+v5il;tn76 z&+vkO$@u<2^x>#uY#H{4CKUHk45WEW6`hZmX(Ux%GnthjsI zY>m$1mrAeb?nq7Q(Vd;jOsxxvlH~p z8wua|F{6sLrwHLejkN>$bwf@!U|f4$&gm_Q>Au{U`LB*T@Q2cpQ;}JUDE~u8ld%&F zWIV=Y7}a)p&8ZkIY?~;XoY_)(d_?_S*US-Iv!(R(ko1sws7SeFFW@zS%d>ZAMFd4l z#Or`n3E!SYLF!KyC*mO6$O)kYIvhS6^sD)0(I~wZctBXdUYQBFIzh~tquyM3B`@Hb z8%p^$O^O95jh|AM5QOktqJHbpGzQHrO_eeR@5udEL$e^9I`zv;VxJ@}UOXN9Y+@gE zp4Ax5D5~fpsl2}gSbpouX>o0VVYN`HP9{UHz z;#Kv&7fGB4qckDv@s~s0Hq>jy=m3kL{p$5!#d|o!W;HMh59BhF+vAls$8V;l=8M7| zIXMuO3cxwT5yC4drgx;rZa137l6#scWy~WH_bnt_hBdabUO^>XvBA((k&tCFLL%Jo zZZ}Md&l)3?Le>uGRsdh`bJ~@Lg}H72WDcN$oaLYoWTMpEgH&1qmEzT}DZ&;P9(rd$t?MA+5 z&XF<3b!As%fTNt%1j1C!3yJ*rlNy%uTI0I~pJ0!8`=ctyal@bIr7ge=hb~w$2|bsC z?xoBa23e*HrTG{!XSvJJ>~>_y~-fbTrrJwC*czFZa=Tm@GRbR9eL2dONmc7yQ7 z1XBcJx>5bRygM?jJ#^k)E>$6Y82n(LaIxJ6&eyV@g%iaRx7er{6Q@w1tQYYF9s9ZA zU=0F;DRy>Omp^*?#Q6?5koKQDFBr2H^bq>k`F9vac`u*F7zhEhqd(tq4w!ju@yAna zQj`BISnx{-sK5I;*pKTf`v#JP4%x-kpGhH`Em2Y6k{5yem&#@bkh)3hkX0*LVIb}k 
z`V^6;AcRbQJv(*eX9ZJ*f9P!$C)1`O>^B`+z92Em#OKZo`pvm5*_Uk>1XSIqRw{5x zYaNt6M6g#k=r0iS<)sEzhrsY0Bb1Qcl^W-WBhbII*5@>4y3^z_QpNLOD&<{en4FVp z-3qITDR8D0j1feHGdFv=i*?%mF6cfNgt*XZ0Uh(9QX?8pR>4?}# zfu;1;Qh;gpbbFd++vu0Uv#RI~E1AA@kMeGZRO%kJK+`4P@}oXc6?xtrEbvqVUzPPK z%J`P#xYw2V8o(Ov^HC4 zOvdZ6oU?w4glFBfHdF$BJkPAc)vcBKDqwTS-uzK3*Q?3Z>VS@z$rYRO0}I~#N6w~~ zy@g5ai>pdxJ~TH|XdEn8YUrFd*5-^)cW!u^ZCct|vXWqo3ySc9CeQAz?vU)mFJ<3zIqtZoBXG7LX%4UbB;mMT0N969gg?s%xin%k=Plxtkviz zgjMOu6#H<}!O`HU_Te@STUaIuhDt)NZ=Va|wHSQ`DIdl0g6m|AR^lN(Qhc`maXsUA z-|=+{Sv%w83L>%8fWU3H`-u18sw64-Y9en}o&`Ydk=}_B5f}-RY&RLlq=8Q(Wtc?(;&-HQ)2&HxzS+h`aM40G>U5NHp0Yci+SC z)+1wA0GaN*bnOZke1*XO)=lDuROQBzVBn662^#%;+AQI!pu#tcCLvCQwr%AwTfns z<67>Dl62p9f_$a2)p=(QhSs)G024pDOE*(-i_OF1nFiFDF0v1r#;vP{mK+`M{XR@j zu}0O(H`y}s9IuZ}RsOQBAwBT%e(9uScTd~+)t!g)Pla$Sfk34*H0U*bPe(B<@Y=rE zvSjsHv7|~cEs1UlXi9M#@!Il)_N|}c>?YhKt8MAdmZ)|B|AO@(Pc-kjloFg_OwQA> zu}f$~hj7Tq-7@%|vzT88VC4OiLh${TD9`#O^LM%zx$o;$gNFyOC&!K;0i-FywX!Is z&K#@LXa`oFcIxUGvK2(L;+6Y9X|9qTZ~o3El~lcQDzd-KyxIF>u`hwo-u9hM%BkWs zll00lA5oUkz;oJ9imoE#-gj)JaBkL%FuL^%KgB^ zy|+13L4}UBh7qm6J)YmSQ?%fnE{s;z#2?t4X4GN(m+_IN6s-!XO4TAUXjZRg;2*G- za|Eq*D7WgR-dSr<`-(Zcl$(@}v7)W;m&8tzFe08z-d0J%!Gf`9gQKt*5b=!M0(**> zYZxcs^3Dj-bbn+E;c_j1jRiZ}n1;33#XJ3U^;yqWU6u|3DSQUWFQe=VOP!#nhm) zY3TJard3 zZC5)*mMUwTaYT}I>ir(V4~|YO!~yf|SRzAQ=*gGM*dP@j=h+x?u*Mm%D~V*VcHWFT zl6zFvu%)I8(+pd{XkX_3v*)jhZuGJ0Pc^zo(&KaHOb|FIayLaOxmf!8n#U&n9O*o~*)X$v$TP;#vP$1WBPWr9yPg63b5 zruJBCW{Z}83HLqpRWC7e?)KQh*tc@;YXHqZBlTUQbgF;obaSbtTK!-e*927QcGPc{(g)N)}z z3A`VznQP2S($3!tYiptzRq8sh-qODfuPI9XV9_2c+Z?9dIY+LcJRK3t?FuNKLt2W~ znxd#0rm`_b^vHbxeYHgI`8XcBioaiwfO>7Cx*-VAgq-R$c^;c1H=82q8YX!V9Jaxc z(t-)BZ#t)tzcGsd{m&jap#HmoI3#p~HmvU6#A9?(?8~7vRa&-_`7N1G*r7k;mFFz1`>X zmfVPadw8(DrRQ-&q@=Y9tTu6D#`ihF+f!(d;a#*_wKtiqF+r^bI{8_{@8~{_s{AEk zz^;iv^tJUVL2pa*u_vr7<~hFFV<*crd3A0CgSF#t`f}t(qVKtpe1vNCZn}fE!*?NN zlkZqQpUDK>i>_c@n|>Tc!=9Nt9hG+uMZi)~=-1{i)vDRmCgn4%KTcn&U@SYteu`pc zKGS~qR6M8I9r(@Y-OGk-3#r7m?8YaobG07D+WSv;;`p2<9fziK#SK_(-QRGPbfIkP 
zxQW@h**e}t7Ab!34bP93!(v6NAJYvki~h={NB_6+RAePEj{*5`yr(}>ddzSh8p@kD zl5`#B#sM;h?z@KH52V*p&D&W`L8C@B(q-DJ_bcQz<>l+sWFF%$VnBg*rXT&FA3Llo zx(8tcl`#57OWd5c%Jt$Xq%?Oe5yNmv-uLau-#QHp!N_?$9v6OBWi&W@yjv`4bH%3( z2OodCuL!Q#>B4Uru7f|oMb&@N_FYWaTTz!-=qyX*+EB^cXje>LKbp3A`926dB86QD zg+fLWiYrtEZ}1UFYV&N?U2@P3Rn0y06mTMP4p&_IPjTPYL$I~}y`7R(*(5P$*`UJ^ zu2&#a^%EohHck~cJN5j~zF&ooC_U^RisqN?%_k`Kp*W*i5F>UKBV5RS@QIDK8%&=C?W(J8|m-ief2u?*1ZLl-c&^A1J zHXRucP4N*9eI})Uz6sfzDMf)zMQ^s}druc_O@d&{u*oPpuWw*Q4rdE!MX1h#K^PMB z_DgoIO8+IPp+m(AJ0(arHqqhJw@P{)M{*J7imJMN`ZZfw+@fLAG8;P^*iVax=b)yJ zV`hlTGh9vyv$vhdf641@W6@5JJ44U-=e@Xh zuw$9pcnnXWWT@EP1d`g!bX|B)hQqXqjRH}POLMLqGvXiA!3RGqbPqZ|w;Pu1ZlJkWK(Y;oa8u{t*c)dI3n53bO#YlZMW>;42 zivw%C(=|8&5b9=wN3fLyg{0F-BPrSk*Cj@>6*OG19x#Y9kYUG_789dXU50bHPaR-M zNvf_7>fX(JiJP4e&URu?qch{ixe-GCt%9Qk8V`Uob;Y?_99@%H)FDyw84|8lM9J)R zI)a+SU=A*sS;|t(aAdYc9<$jV{-MIdmo#6bMqGJ@*=%p|fuUnr%vZ9XQMBD}6>KfJ z#g{mphfd<4NV0H|FUyRLIQ8o#zOaQ~FJ}gfC{wlz@ZvMZhU#oG_WF9M)oLkpZA8v6MLxCfKE1qH?g5iU zV3p(oC|J!{n2w+}u|A)FX1A=KNZV(Ema20)C{v6wQxW%gxDmxpa*S@chQB#Xkd<-GUJ*KaSGi=23A@X z0+(_9f%I4+;^P3F9!!r--@8v1wND1bOdo- zwSJyL&^_LNq;`e z)AgH_fU)e8{4>@pzWVGjlDb)CCWYJXYVt$hn3GvZiiUVattbli(R+!}@y3oUG~ts% zFiKjXo+bQMp63?ZNqYeS`{tvvjM8Q`Dln#JTRkCvP|6c|)(-qTA=!BQ$%_JdkR+Vz)X_6Hv<8*}Z0;XY=UI;hRCIQ#BNMOw)_A#2`0OBz%vplB%W zUGUY>N1hPzDd4HL)dvrlUgOqbZ<-3Vuo?2q1gH z3JAy0TZ^zTpw+GIw;{TU{gWb@0R(10ReFv(x*J&Jt0IL(9$t-^`6_l6HqoKTFvwNr z5OVE8k6xlZ;=)Oh*sFAK7;H^XZ{kFa%aCfwq4?VF9}+GE8O=BkR^bwc_i-EK`OQdyzm%~8<{vH|2Ya`APC#k)^kCnw;*P%G*gz6;)A3DCLHMVpnwPH976RpOWARyQK(;*P6JKOMc-P2Mso)sS>9`af@ry0NHLEpE(h}w>9eg<8K$A5qtY@ zumnL?b}$PcLeSb$oxu5i4*B~)dJm7{iopA51f#%-xf8f9jPaIf< zPwLoV3yc6%I01=J_*%thimZQ$I1k)%({dx>He{AySp7d-Vuz7HgFW8I1*2Dr-;p>p?D`xR)zpk{0uU7WB4&K$9~T z4Vm%}9W%Ym`m`9Xgi){Y=}SUk&T}7Oo6cC~HglfD8L@w@EG)ADH?f z?HoR$8cn`9IgrQ|Kb0iCOEW%L?p02K6#q39{F_RXxA9Vv^duejgndGtoI2|tUuOI2 z6W-H679&+=0!($8F21p%C@>7Gc=l@-%0BCDV-YhKk@Ysv} zvDCUzwkd!*U0@;+eJD{IO?irtObR9nVJ$ta5=*eh4pKDS51G0o4!HyjiJa(ifkEjI 
z3{+|&6@4hx51u+CZlM@#-gpnAm3yATEGdeROcI880=*{!xCqspDDjv(Fl-C6!~m#2 z`S&A+qE~XU6BWn$&R-7kAK_*{-=SJbFFmR7dGO8*5Lk`kb;Y|zqB}=j!$%7#_t_A)+927a3c6x$ zoP6$pD((vo#Q{gefy#L_>TB`S8UK?Qkt1P$W87{qv7ey=HR}&qTkRJCRg`p0$Tf;^ z8$Z34jJX|umkoNWjiOWhrr6*(x4D0g$=~B0bw!{%4p7{4?3+gB)6AM(Nh9D=d~@uB zOH2WwCXY+V1C1xN45Go(r#2p-8VdS}A2U>u6Fb-+1apu*yJjr!(pnn zgfR0015_#jS)u?VI7jD3@ihnN`eJ?zv_bK5N9d7oUeCah&Iq2O0}inL;TULYlepvU zzC;s`!OcfnqQf~VZfEc&d8Uvg@lwS2BMaJry8Q5kHqOMmQ`kKvWfZW&siG$6qx(>S z4DES*MbT`5C}^sD18A!BnYtm|?`h+Iz@a-?bMNk_OM0h;l}!p<|D7qd*uSK}6q}@I zidei5N?w!P!<49a23zpA=D+(Zo=JDXOME=%euZY>9biT8HIGR`pb3eeI+05sy>@*R z7zDN_2^|k8$@Y^e!S zlkPXy@*)bxGI|kV5>Qqk`1SoP#jTCVH0U`Y+Y;dsU{)X;+(3tC=h}0|LstSqVDEbR|)P>=3FiMwX zO=K*_`1rrR1OR^Rs8b6p;Vw~G6+>ku(e`V({Wk<48}`l_`s~k@5Zx;&$bN}Kp-hDz z*Qrp`=ZcU_R-fNdugf5N!3chriKYc~y}U(!MU6ft1A|H(Y z#7;$M7*}x*@arIUg*7yZs~^=}4Gzsw{1jy>-V}y!c04`keMQ|n!GR);0--Wr4_=_g z>l2I>si%aeh!mQ9io~M~Q&_T0Z`msaFj|=F^>!?T=&f>(Dlp;oDS`l}97R|xoY zuixywN_yKbmkf?7(DT#8fTs*gL?-uN(;k5hs!_d$Y1{&N8soMq|1dyt0PyPw1`Z$O z?V~mVY$&!1U03{81^uiT70P4^1Nx#zM^Ho%@nC92cMMIQ$v+9Tzv@*nuu{4Q;C}yz z(fwcey;el|qn03>+eyWWmm~$Sy+1{4d6Zl1i!OjlKwnwPADL83#022wKZ9X)^4|i6 za^GO|zLR)u`j9=j*yItG`Onbx0w!@Hi@a^Ut3%>A!P8biD)Sq9$(^G(4ltW|c-up3 zF^cgn+gUWygyumIY80K#%NRoigBfQD2}AxE6t#PqqG+`q&#Sb+0cK|%bDhxga55@O zwb8##5J%Eq=tCG%n1a8D~3zA;aDz)+O0;oL4730gY_mG6b1r zr$pkg=3YT&f&>;`;btZVXCaUG3C&n)5sP=`Z|GU9)a1|lr#HsOMjM~JUSu#YnG zk@G2t94D~ObAq9|tnZdwr{n(r`6+Tp8so=kJ@~9Y16EW%#`eSsg=#TosUtWWkF!9 zSLN#9uly6a9C@zHE^t4%fS&OmhK_EH%`)pBx6PmVQR%zC%MGTlNQqCRbDIHCGVYQ& z2!fIAgAs8lQd!RA8=Erg-TJCmzi{d0wM8rc^HRnCIBu65vKq#dY&K}Gsj{r%@B38a zHC*BGRdai=7>7Y_-On}8idpmfkus;TBZT+`wCQK-(>P)WVdm#AoGNedWUrT}O7M-C znKh#q4O&4h8EbNfPHVp|aC5&JJhS4L{KN0&f$h@f{+*h?XNzPX6`Q#;_6g>%g()j@ z;J$Us;6mKunVp2t3$ELp5rQu?Ev%TAOR?Mp<}l4E3n?~kZ9z8oM6zI)fNPt7cCc;G z3wzf3a-JPoAEfMNkt}dANSeBVIuLke330{!r2?LnLo#onr=$i}?4(9KoV(n%2P9K1 zC+T)L;XuGQ_A0Ib;S)dMvBYWShfOo2kbkKRgZ}m{j{GhA{umF8G1%O)mhj@1;@uLZ zg&5wx_swF@qYlq3T1Z**xN-B0B6pW)9^=zwcokrt#y?A01#Oj+e4nx1?-j+bGpBgZ 
zK+XjG8>bNlsEk+;VO$yt8(>;u61X8zre75B1x#gap=iTqzhgHo?&5qGx4ahChn|~r zC8RoQ1u%{LbH5hmq^^6?crp(LK@^kD9b0uSbXzO~di9R8SQx}VgwQFhB5lU@H#>fb z+^VI+%D)ddB!~LT9tVU@RKB|d@-7}%-YM^6A5XZ%1J__{pRAS(*CUtq;y>;wefw~M z>Tb_wFYuR2cLEiT!F3MX=L;t;62RF=lLYUX7IvZ2SZny517!a$tq#u&;+N*`z)eqh z_?@jUV@6pj&*lsoD{knTB2S&UAIu0Xsfu}g4ZTi#3v1MDz?#UB;RLvzJ)T}R(Rq0M zQ^~fzHcPfz5W3TrrJLpz%=OV4fZFnIv8gm&wEh5l_Nex2)WS?))G|yxMdL47L>cSz zkAk1OPhigxRf1ex_qo?$KS8;D)ao5sqrmw7-fAaGmpxva!p&NQnHkva@ZRr_j=^|7 zvGjZ{JG32Bb;;uR1hU4hJ73Xdcu}Wv z3@V;Ke5V7${9W|<^lEAu}{mJ+&{4KL=|%yFv32S4(kYRuuxil*J#z#(0t5{cBF`Ac2HUs${U|BD_k)? z0*CA@bHD<5PuQ6g%kC%1@V6MZY>>3g0~?Bxj2q9SD><`$y_enw)2L{I7Ezh4JL$sLGn|r45|n&m_CoZN@g*_MhahW2LuVohd@8A`xwG4bvMY%SE{*CM zqXk(6M^T4GPv_uhokYGEVAcnCiJgAC7Z<0R#A2M}=`a^H$+tN$?{r;>?6n-euo5yg zEq{BEmUJhVc8|4jaVx#QJBO7lNqUh^d&%(VDq5KnnFu7G3XHWuw8$*dx>2&leLcWB z>L2aBZaS`Rx#`&> zb2PMh=mmcY{jTB}kwi*oBvt(Ph$G+eI|;d^gH^GnNw21=Dc|t;@ozkGIT#9+3WcoM z* ah(ug><+aSJqDiy9N%suuVoF0LT%%=uwYW*gI8`2!O!praMHH%~b;cz{8J{vN zfr(1isY-@-vdl}1-rD8NOON)|+CL=6IW0*t)@d^87OM3(g}6(rcXZfk%J)GSbWkzZ zf6}7Y6q%dj@ytwMU6e?fMl=z@{^ToZN|v%pm&$loj41pOpD1G;DXVpd2ARe#<-#4v z0l_yakPv7MP)Ziz=oB|wTn$?mM06sSo-pANZAP{=;snm9rjDJz*m;MaA4 zA8S;W_l{Ml2PQ^5iEtC<>0}Icj6aD0NUjF$=G1xSE=oO zL8%)(5t`qB6R;n32!Z)w@KY0^XeZwJ0Tfs?h@Y;TJ!9wx#(=6qkjIt3KSk4aS^CDm z&@0+M(eb+>PsUY&Uzt$zDj_IC4&iGqx~%DQyj%-Ynw}_5!IZOgvHjQYsPq~3!xmX- zkO&7A0*v>=?dx3L?|N_dJPx1G7bkLmv!ugXuDaqe17)UcEJRAmpkNH~eY z%-!^~Mrst40go;C;DuxK9CG$r)x34R3q<=q=INE~jT`2(8$dXmLS_Rqrsrdl?$;q2 zuz0Ui{}FA~3lw;p7D((hQ9%_y`Pjw8NK$D-F3N0apu27qCv*;?Pq7>yiGYJj)EpKR z_6pyIkV|h}=BoFRVz8YRt0vn1s(V)jNX)cpgpdTJhONz23(wd>fJy%=KbMW#9M`)-sD*U59plxfMag}0!!4EoiyJ4 z6!?(d{fP_$nu6sP$tj?@_97(k%mJaeA#^2gw~q6uzSdpGMmHahZ;43^?v5pkV%Sy}M@CRbTJu@*rk53%FcoB8f z-h}+aO#9aqgmCpw)G=(3`((-*1-&zf8>mTCJ;I7T)?d{5LT$W|Z%7ahfteA36XU&l zgIq&*35RE~&*P|G)~-;Bz`NP@K^F8pn{HRg)65W(sg9{=C$N)HqR}E^g)PmT-G7a( z11EIp1_~wiDdN=PYH2?Y+ehEPN5D4yil!dxNk8Uh=^K-{X&00n`)Y{--LGuwBx{cD z@OKCb3fz;$sW%u~2r>%Xi$(uK)-d4`PLE}Qf-Xw_kMGwRY1a+|<{M1npCS7hY5OgR 
z9?-4W^p^Vc=P6ukt68uRW-nA7fB_xwJ2O_jo5J=SmRw+(3?%KbQrs<_iYj!t6P3_S zrRd?>c6hnS(MJN;*?(f3M{YVdrwQOlSkuczA!`uX*bBmK4H3%#o-Q5etEvdp-T}LZ zIlw6xi5({m>2NKhER$$#->H_q{Krpe`;1%<7=$k%2X1c-QwPyKXyN(m6gNSZ4`dej z78hXqjp@k?g|`rugO^7%1UWXd1UFnuJch*h3(+K`&x*d5NE=?FVsi^A&JocehTrFx zxtqq7Q>>q5_UgXR2#{l|54mGPWG1ZrwT1E2P{X)1%vq6+mqVb-ChTAaNKneC@Vb9V zcFU74d8;Eb&0^%n@raQ@LuD96>){=qP6o}x$0@=2;aBY8ph0UPk{#lRdd|KEWf6{2 zrM9DV8Cg&hAP$F5qLMU#D6R!@A%tji(Ekc}xlqZLT@3QL&rZjyjpf?*G@1=(z0D?Q36u}dzasLzJjUtohWp4)I9GYhgJJ;luc*+MosfsMzf665H5DY@ zOP=f1FCFmq@Y);RPDS4bEt_vns}I;ljAcE0UqvK%XVDLZV=#OX_Y;PG#|Aqbuvy@w z@;9zuy9ssndPdEW$@l{Ges2GpW}+py6n8|w><<`bf3Rr93^WTvg2TM!dzDy(cwRyf z+NMd&M7)^^Aq!WI)6`Lef|U4hnSP`&v<%ot;K1&FSZ&4HM#1(YBlLT zt_<<(mR$jzlt4e1g&RZvp1j;4@U4Fp5q99W$ZzPfFHHC#f7lSPkx!FF-7nOHSQe*7 z_{d2F7v)mEW!M41wu(NDxnSj10~pw%2q8SPz0(citF>&8C%8a=@0SlT)Y3G^CkUXD z40v=+hs5bGpg!Eieqsr|lr;j#G%ZfG4@hZ-cTnI)Nr*_?U3X(&T0PEFJq5$)C0$;| zSf@I1q#TK-Q4sRD89L?^*V4F8`@Hl*B{^JyqN9y^0`&Jnxa4n0V()(&d_6^vrvMKE zGV0BXFjfU0sCA~C7@gR%W8W5GuC|3^A-i?uS$Sp$RIK2ywWF#JHf2sv()QLHR^7wi z@L<;wL@e>l#=Gqy!eZZNaPxbWFC1t=1gGbe&62VYw)~5JQ41xduS`V4y6E+Xq;K*e zLXy1E7*E8I2n1k)h{@Y^)a0L??}EhoATLbdHG|5-v3nt$QPtV-Z{2;jmYVRFxSYZu z9e!Xx`Q&zpVX$?NA)?+raaa~V4{T5vu%=y}pNJ;hh<_Wfrf!-2$TGA6j5a^Us~h8L zx^oy)9T{vyBmCO*$lwob6TC&Me`A7g)LdTYU<(1X0NTp9Ae^a<7hD+Sgi{#Q(vAcR zQ7jJz0Z_>BhQelaSXp9LmK^c;y;CJCB2E*_T=YK!Q@?4#* z3+DI+P?Os&ZnjSQUIxwQ3L5KQKbrI%?0?yjrSF!heYHhCttO8zY#RUlEfcWdK*}MR zseHd}hf3d*2xI%p{3}!KMUSglo#k5wmU&g$8hhGzPyn!-ja!9ci^jKSr&hNF3iIF< ze}29C_8Z;tkv}L6D7HO~N$&Us*&R9!k!XhqGc=t5S&2Vn3?z1#`aOV19f3XU_f1?> z<%t@982?RK6p)X7qTg2O0s%+?5;q|U;yJ;CpJiOK{GcURJT!g=(%5?fZ_&a3bO}b7GpmSj2?fd6lr; z;fc4}6Mk)@i1rA7w0|3gg}@@gZQ4#qmHnKmY!p^@;&VSNcfxUSn}*1SMQqcteX+mk z#vPUhi^NpzGCA$W9+m`)M70@w`|N4Uk_Uy9Kt)kBI_$trJ|t!$$Eyeuax#WGKc5;p zyy(Vmr%DPRF!HR7LQJ3}%xmd!ulr>GG-@c=WEf#aam~{??1sTaw9F(@HTZ~6rWfWR zjr4etgPwVu`hFXR_?kw1mmlU?j2;X*mV_klgVqgQtBHu9PK^Jy7m|v^j`*xbe3cK3 zxVecR4xtc3R)CBBM7bl7Wf;yLidX@H+r~nYWnF*IPBKr}Q7`OtU(OxIj*Pg6Erq#z 
zFj^)$AOLF^j#=UcVM2;4%#dP7HQHPBw>vU<)?-#92JAM1Y%dvp`38(9OvwtV)QJ(I zR&x!pca_*@Z3LA8))C|q0e}=qN1Wni985Op?XU=}5@8SA!hEIC`x>6}iiO5>BI)N26o6p zZF75`#bd&N;a@0tU7?%@2q@e{GSPU(ZEIg8CVzVts&&Qfs&kT8_FY~yve)ph2k z2{T$jddG~8&JsmpjSNn(-9p!Ocd=ag^F*|`O3seVj;Sr%yyn|<2NA&=l+1aryOiz3 z{uLYNTaFz}kL8mnQO!SXY;E1lD=?90!Fbl)$L3Q`?LzrEn-%4;hUtG)C+W^mMHAP2 zWEVk`ykFB9()gSA?QKB6rrAz>-(2V8oku(JzkeU?jb^~G>{K6B0G9V5`nN}4-Em|Q zTvp!I==@T%Dv{M9Ur>!69wuAH)N1I#%ACeyQKFO~-Ok&o{n0qV_&yGPox*Kvr(;26-z<{3%2J}Y?x!ubH-nT!_UYE7Sbn!s! z+9tTvHXC1P=NES^F7=XK2K!`+17KwlH8zjjYi%GCzOTtCpm$&5au)VyB=Q<)Wzh%b z?4QNa>1U4)h`t6V9S2h>5y7%0l4&1*gvAb!z&-M$Rvqh$^S0GjU;6Qp#)`ALv5hzocO_C>_JLow zndJ889nL}W5R^0oNgFZZD>r! zdd?@x=DkoBIGx< zAg?qieud+X7}yFvf7llLlq-}yB7>%YHGfC6r3_hgL7G_=J$IVF^I=9Yu^cq>!3bkW9nqk8iV;4f;z1WdMT!P0X(LUL^(>^Jx^ zU?M5E<6nuAm>|UOYN8GYLCx@+*-9JwCD$>yma!I>Hxx4zH;++&<@Cp=#}@4{LWworl*;gK1`w{p__0!672gAPlj$F z-%dx%JzY4u#0uiu9!S9l`)SYN+qR8+Y}>YN z+qP}nHtylSGx_=XPnmh0>`tfBS*fnBs?@H%YOk+!Xt_xg31&;_#~T!1nW6mzik}^C z#yHnwJhLYY&K+xmR;Yon7JRWMgRXmF4ZES2Kg=%xZ0FVm$nS0uOO=``qad_LgDeAX z%lg7(qClA3gfE<8zC=+lMw#{SZ}XOn1;+(YJIharTpBfQPbWcH8K*ni3hkB}GbSgX zr<4+=;06>cZPT0HOgOo7=63|p@)tu2Iq4h zSdGv%8*e&3Ju%J!-;!OR&MOexY_p!XIo|w zSvQ5ILicRH|0jJy@b_LmOB?_I#!>(P%>T8^JDM4@urmHvf<-sHR!&E3iF;*Kzkn&; z47%i2GCkIFwn`-$k0NfZ$4x8~W@X*V%^(}wB@(of9%5Z7zrH*B&;Wu^@jSUzox)Vc z+7>MSVnqw|0(*YH-)?rjV}89}Prw~87064Vklu@2En727woA7{psO$J56TF=#CJRU z8xKBdI)i<3*TpMo1D@EOaq^6<*YU{j3tTloxx5{Snw@y0_f9v#jF73r+8kG|%pnGT z1~*K_$sz+xKi9#}xEo;DOm5ytiy_z}1)ud1fRZveeh+LA6I2@QQ?x|>b8J6>p(MVA zB&7#bgM9aKZ%6RQnPP~`J!O2bxN+OIcsy=$wL6?I#8NmID85L%3!sOd>y4r69Lbhk zD2}KAzT~dJeS+oCFN7YYh9G`PuB)n%^@4#24;pgO$PkkCqpo8Nm$VQ5haO9d&rzCm z;aAMX@&j0A&mipvv3a_4#PG@1M4j92uxy*MGQQX|z8T)>2|w>{kJ`Vtwfwo?KjZ+R zq`_JrGRP{oe{MSbG09N4e7i#&h(oguc24N$i+`WaJy||+#pG+nnjY-ANY#_L7s=bc zyEe`rhg^PRw|(2Ya%93}g-TJvL=gvUk?1#!05Q>7Ty^Lt$$q%2?LdN_(T*oPO6zBx zF8PKKaGAj2mh^;&Puv53$H{UQm@{5Zj$hvv-gzHoUcH{M$k@A$c_v1M#H0_w9fCv{ zs`&Xw9zJ%q+Vc4QZ23O2%nArZ 
zy=+`+u~}#Me#!iReuMstNqv!q@iW*m@DRqb>CPB$AXrqqQ_g?Oyi8v2myHTa78&ml zATY7YYu9?sRA>_9?fC5>p}ri~A=uo>ioBs)UuT5^kVpCB#bj@Ib4akA`+Vl4QJJ*G z5FX^QpYydz_SWoP?&B=A}2V;sIQE;hV({7Rehwu05r zKiF6F`Goz=0HrY)0Hv@DHvSg^KH!&K3VR_Rbjxl9z0fbbU-;ZW?Rfi_fY$H^a{#y5 zFA+HnyVrC-K|YOgnsw_nG2ffCY#cbcRj}sFj5Ik*QF^W0SrlM!=xRAO-fn!Dupmsa zzmCfv@mis@dvDjkZ$%SFFk;}Ly{KcN;O@)fUypcP(#!Hut z!Np){e%QxqGH#-S4{Dz4j@%$)ie`W({Vy_Sqhyzl`M=?nT1?;N?6*h<4^0HFPcTs$=OUHmph4bn&hD=T%;S+XD7eIwQ!0LZ zcFYX0MFc;dqvQs=JuIvC&=qtfnUuf66HjVJNRt~mSZTtDt}zlF=7brwhT0CKBvaU= z;yzQHE>PwSLsEMIxuw7W%D-5Z5dm39N4Pyp@@Os4H(?VETlB4r$Gx0*MFkS!G)2uH z9d^oSq{zgS>B}UfF4Lz+a#IMv^|*wk7)*XGh`l~9$_PHHxDxZgO1e2QWgyS51&VyfEfy_x+y9rD*MUqlYN9-CiwhIai6I;XB-Bz|k3-R-|6v2%|JK zH2oztDfh}7jrWIb^hZD3%fVedCfJWeu7)^Oq6Eoh!CaJ%oV_jS!Ja28a@mS4%M?m; zX+b|Mb;ml;!NL1$?7=GWC=4p_m}VBDiCwk2J4^p@0h*oo9 z1=tfYgEiW>c8p=YnmDmjL@6#4fB2kQM-V$0gGh*&5v$8_epG*)4@RZ;6!) zBgM)KmMTWIodktC8sSh60B;u560pr!I0}iRp?3vbWB76s<;UHVKHKDCFi;d839$1p zo;3;nVGQEC(24!Eb#>aK*_9In>zGCR`h)qA2_$A%yftolDIFbPkVOXmr~=u;+x%pP zLU0+P7FATtxhO?s^Uxj9wR9F`{1}bb^7~3A_~a@9);Vtkfrs(Bz={XJxS*o-z0*re$6R4n@c0#9SY-Dv{&MxOKf4>Ay`vQ-9=|Srs>IwrxYTbXwx;xif zQhGs8MxPn|L8GZl;s8LJ8}-F+*SSIG+VWR*FAuAT)xd)Om4&Ib=Ejc-klU^eD`&g! 
z*BpbpEmHcY!}NTaG9{9h9~?9<*%>v>t3nqEv3QSSkglPRyQntB-FRu9p6vuUh6Hka zCS71-JVx&J_;f|0`8uUMNFo({1V1v zN|wH5Y{?iyA;y7qGH=8YM#S~T80>*TTc#3n9qAwJ=E7gH|2i;pU(169PvqFB_pi)^ zS-of=5ECeY-#Cp5HH6rb2Wb`EmpP>t0Bk1(8oPyh{z}1y@0+F^fnbK;MhjS2tp&Rc z?{8nqj@JV`ODic|Q3aYCj1d~t;zh(bS%8hn3moAHFUw*b1%GPLFkehRV(@o?Ra`xq z08gyMXm#<`L0copqIayAF7yT!kVs=076Dalu(sUD9+`Zpf-u`y?6mPd+i>7L8z@RE zh&o)wHd@bX=rnCJiTo?gj!J9Wjap{5@i-YkG1%mHJY@Nc5gBd1vAFnmz?s>PipIw> zmDgh%dOAEms(YaNK2f8!8L#%PIzV`hFfx65Pj#P7+1g(V@1>Q`VcX=R%62Ut$3~0fE&Dcy2!|n zA($7^uzx+ta^r+dt&Uncussfssx$rlsNbAtNbs$);10~#gCvo}-vzqOhrW2$i28aN zQn!4<)s@QDU)mXZT&GV5==2;+&K5nnXP|iwc9^Rw9@xAl zsR{Ze5QHYKzEI-~$-Hnk*F(W~pPGt!co*`TWv^P08j_9BI^ZCU+#DG-jF61eq%Ssf z=}k4r2=vJ8CTjI>PqeSp88%0JtEq3p&FsOsc!hMV4 z`F1&Yp?KlIho^}N5+S>MFg|!&U4c&d%^Tg0; zwWwhkw`;Vj3tOk_JJ7oBT`_E(Xt6hvJ zrkSm)Mg$WZ{s9(CZCDSLYQd;m4iSR!4h&ke?y3wm$wft^tA>_kq4`zLP`MgiJj74h z8qKt{3pGY*2-C(YXz^5cpeZNQVy&u0F)}%Yw9FrZPXHOhwyYDh(5`RPwPbg<^lMo* zM4N!rhkAxdYWA4Nv}lM|bQhV7MuCiJ5>RjQOh<-`Ax6gsVO>UHdCMFP?MP%qL*z|q zc52AUg@b~>Me z6>zoUi5+yBsEiVF)4UjV1r~P}aI?7=-Q%*mCn4x@xeqbu@$ob%=&fqHaL{LjNJ_+I zwV7$qTN)y54jG~C{fSHQ+9E+IK(Bc`2SKozd6qOYEoeJL z8YLRmQcrR2dj53^DFkzcPGdGrS4@>>n>oXamSs$acp%C+$iCxl<0z(P$>;>&@=xh~ z>DNaXrw*z0&6TMQ`)1@*Uih`=C075wx?r$ume8}8sD=5KNcSXv2H*6+aA$1;KEnxS z;2+Y4w3LU!<*TVs++Sj}pA=VG#GW*|jDt)#E-uJn-brfcfGo}qZmV@!FaH7o-(?st z8@I(kp=r8H0ku61PcVnd5KQWnu%t3iDcRz;1jp=OV@{N>iaw7177_MVEUsu;0wE~?mWcP6g* zLeL~oC7@iw{VW$93|C3kwFhuXele6e5CBqBNIk&*t9%)p*ihi#1r!8n;461dqL>Nnhx!ggT39Urhv`1`u-DJ=H4+|JLgn-sMWsh{J(S0+;5B|h zO37&d>^OWf&}d+#F~Ie9B~s&p&LZ+MKEahqS3oIHc^OSPlv=a<77?0MXNPt(r;BKf zI;2S=O>m{=9~+(bU1qIP>_zoFodTj(=iNyDO;FWlnh?dF&ALv3UBK+nHiU*o;b=jh7F^{%q1T{%ysc(_6DxFrAvTQ_p zRDne&E>B#{jH!$6SggNhj6OzV;!_wNEA@m~6fCmt7wtwF%d2+1Y7qwtxKy=z%Vtd( z- zwkb6^y~j*Ws(KO^7`;f3K=%-+&@k&h(YmC3<;V5M<3ta3+R<%+2M7Qkd7#A-fiEa4{SUUPm;0rR;Oi6g;<|3 ze9NE}Web%qhP`sLgU*=s5ladv(q4fw0AEmpX^QM5crcK}sQR-bL<(^OKM*%B?c50w z2hEToDW*kCT~hnCXgp=8_zhgwgjA4?-yQ~h7_Y-%P-@Cs#7Ko0It2^>gp}i6S52Q1 
zC)!X72NP)n@m@5A$1M`ihXCZf7ujHO^(sOW{Gv;y+F6xoI1Z z%2nyUMcbTQt2-`8GL)n@oILuj1aEYy z+dH9mP(@^;n6IliZE_u?c)q+^dTKQ$B$lR5vd4XuycsI;RyUUAW8GxG=3Y@ zy0>;Zy2gv?$DVfYLKNlmQ9@M>c*>+EwMxjxBm1UOmiSDEnxx3~qZLY5O(iwj7K=S~ zr((N1qheBUH-k7vlwF={tSW&zXXwwdw9`?|Ovdcv{*u=OW$?$;U9`Z-=51Y zHYp~U(QY{=oWVx#HNdYG^8955)y3iZIW-WFX-4`?osspcRvtTAbse9`myCI-_a(=p zqXvSSW-yL~AL@aPdLcsApD-0*Ec693le>f6GO{d^v}HJ;EB0FeXgn^;`r z|KiRmP^$Wy-!2=w^Sd1P^Iop+OL8B0Pm9DDln++#(t(QA^VC{cttNk-@p1eR-!Z*P z^c?usDTFA*;7`SNWw5+|{tk#2CacXfcB3_my(JN#?A}SWIqK#L2m@;1Zg`hC6_}pm zACrv_dnGV8xB(Oshy*D9wU%k1OCe;z6lrixVUneeRg27fnt-~bUM`_05? z`0+cJ#aA6bg{+B0i3V0g!w!;9qtFGXKU1Y}4TF+t5bj)Alr{U|b^qO}_f-#iaih03 z&7Fa!b#(EKZre(k;b{|rn*pbNeYU)K?|8uv`j82sp~{-L*MP}b2T(Rn%&Z9!{Ah_TYFiSp~FlB7rL2fKvJ$qQo`HSf{P zz4(cVbj;-5bOwh?a2J4%v1WwDVmb;pRcPoe?>d4eK?SFk2&A1}3`HGD2(4}t9ef;>Hcj ztX%_pqXn(OmR)5faH&v0iiSdkT;@Km?(#kiwgg0s478&&j(3@)9P zMb)r|%!(0BX(i*{s0c6G=0(-G5VJ5VW>iJxblZYjS_4MKv9QLb03Ztb{}j7qW?*Cb zFQWA`s{dp-#Snh*D1Qx;eIX>WJtS3fER-Xj0M8<-Y41#_AI{UT$g&$}j!y zss{v;b39ygGt5WT)z#C`)nBh356SIOnSv-K0DI)#Rxh@>dfu81-@r;V zC04>1)2PWnz|(p&47+U9(XdC(pp`uaxjSFD%A$`z*Ww>=0&YQ-!A!tBCL^)U%@ujq zcVq|yQ!_M~Lwwf9k&ws)3@2L@zY17DjQk^-X;EoRC!1nG^IMdP%ll~%U@A*m&DX;k z_=6z-$a)#0lxx5(JrbTl%D4v#5i>wd)}DiwqFos(bH-XzEYP7~NDi8ZN-qE%H`f`2 zNG&mMFN@y*XcMH2STYzxQpAV6SSc-Ik5e9bt&u;&(^ zrjS)>^iK&$ECI<@`|4sSKX2WUZu+h$Wgve zo~kFd2My;(l*bzF7P9zIE0VlN#~Db=+|+F@v_Uh{o}+=Jm}&Itdx7=Wd)#0#b4BIu zWLw@y8Q$9|(?%C-F(Gd(9<^TatIG=el)q?IqKqR|xLClTBx`zAwp6w*)!6L&1n&>s z3A2OU9nHt}B#2L3z1`(sZFBH*>z=Lpdgfqvx?Jo5$;1H&Wr5iIn0Q2_=(Btovpw$+ zei_SN5D8M#iyCrFJX)R6Lu|Wa2&06xIuEeC0{Jm)Ut?;mr4ROT zv+}`dq9;=Q2u(AHD;noTt{ZLj4X=WliPK<l6@=5m3Q3kcd~4By{(NE2X~gZu4#aX)6ssu89juQexlgMqx8zuALqodXEK^{la+@~fN{PkP_x z>SO74Yslg3c?1!-je+v(sRd&kw(@xM~#?ZNuA z+hY58`$83o6l9uJMK0^QYBcpfOJ^*`{d&jxkO~| zxkbxw5%sn6m7fd?3j+_kzuO1JJc&l5A=8us6CWcVSl|yFxC%nAXQqiVP0dSmL zIWYnGT?(9>QEc5k`Et;dpm{{%0~6oLUm`^}89)}>canVyG=WYWcJ@IU_xX$ZhQ?_u zViIK}?c^%uswqj7nV3DIgTm=Y0ZpKYkU3h{m|fkNPVeduFKvp|l#L=S29;U|!qgw; 
zrtWr}2npzQr!nc68K3n?c!1b(j3^CCj6yPq+F-&M@3}77?Sx`d2ugT{8UHU`+#;VL z&Z|?SVTZrDqY;Otr%&REz-Sq$R9=#Gj0G=(hd2_0Q^>~rHWdbPu2kfdHS8u$0MdEe ziKGx71|_I=vLrq!E%f8l$n*EhPBKj0?Zn*B*4Dww^N+TFh;fi^t6?OPeho5QuwX`Z z=?I(&7!ZGqo%kJ~@%zxo$;dMv2>BWMQq_Zr&}^OEMEo|4T^V{&*VF-RM@LsrM{YE* z5E)E}k^isd7Tqyn0HCp&LM}wf6K{4U0ANx&%|+(N)%GRF&H~#i^G)WMqt833egDv60|n^*J&ilusK?RCQoItws=?*^=)O|&#P6cxnuuF2P2*Taehj@+HyXcAwB zjGZ9d)AM*F!{j2U9}FSUd1Qbc1{C5tjR8I}S&leHV47VRdl3!oBTWL%r=zKc#hAlt zExxa@BBN9}!tAAJX8~l~uV|7IAhz!n4|OAjbf7n4&(FvEI>Yj`$euSdglRw-G=|dsGYuAHbU&Jj9paF0lb?t5(rA$cll0caZA< zs1yU*(inh`2-v=wC$(}Z%e{_~ww#C)6iHGRE(qZ%xTv)8M0Nv6Nk1ekkH=qLAXUSu z5Q+g$j6Ew+6M@6%h-GRZ;=V7M#~dYyUq`iMkI3NSQb*km1!%BW;8dw1cNLLrFP}r+ z`ST!vFwIlzocVAMUKtTleKXb7|h z$S5F@RtM_TT3)>X;%Ag%?!(u%c?8aNC-O}_4L0*D7wP0I+M*bknPDBD1Q62sYPzNs zj|ko$(i_4rVL~LJ@t{?kkf|!;CO2<5m?;6EMIOyCfUBA7noD5bsn2M#6Lxuuz+n`T zHuz^R;tx28L!jTu*}rZT3WyMRj`U#futt2l(j8>vDLGx@p=ihC_vDk=ur8Yg{p(HQ}Xp3Z~+ z5>o33egX;Q<{$t_)J{ zlTt$sQ!2gYI@DJh<)gGx9nYn%X{6x#En+S5wB|yYrtS~{7vo`7U^dsCRLX(!=k-wn z+dzfBzXICWF3ZFITdZwe(e@D=X|?QOe({fvRr0Cnv68y$v(jzURlvr<=3M90iIzOj zRlwZ!j)ryhQQ^jN*gGIjpLiU|s7w}}lOZ8mkXfDA5-|eWV z&|6`quZG>M1e1&B1Ot40+kd)JRCTFy)%5hK-lyyWZpdrI7=w0szoyryp}8D_&2BL% z3XV3tF|)9|gsf0=rCjwR1TpZGhJ_JoQGoUbS8L2H`_Fj$&S&djQ`MDh0TMu^B2^G0)lyw6OlxOTn>Z zbQ+i=#hQma|Hi^{odfmJ9V4;-;4^-0CgOn|dk zSb1l0xqf>)Gsww){>&BfUX_gL2s2y%1G?hEsi>(Fhp!X);X73v|10&BzjQ;h&VfhM z>4gR8=Ab${O;0EGY6o~AYLRsdm~rt4d{>r?{WIm>iQO1aDnM0mNod%0x|~VV2AY8@ zOl*XBlRQ9G&z=|7AG2w$6vXg{3ijAjuZHTb<@(qwjr`;d%;nAV&VBi)lBVV%!+P=B zZ?U?7&Qf$(2fl*{CP=Ykm=Hb3hM%F3bnVxeZwxS_|$Aeoz;nI zCofd8cp~Wa@5>z0Sv{NI#h%)yb;dZ*WnBJak(P+mO){*#p-^ZrvjrmAYT8j}4#wiU z2HJWTLl>4b;f@sRhpD^UgWCr?XIJM3C4M(ngx|Bf{pi$rO>fGXEoVpX+n&W2WTi>7 z8*G$@_DnovvMYOU>-j?#EaVuIO!lU}bU=R;v1S!N04D66n$OzVD291ZUz2!NaSL?3 z)}Ij(ugVM5n*!(`rs-z4gLEKHuo_R`4RF&@fsS1M0+MD(wugnGuHX>j9PP>BK#c); zn8SwbL>*79vSaPDxDsz36*+K=(vBCt*^Yp^30Xkc$-e6|>&ZtEiH7 z>a;a++hn!1$U6R`;a(ZPy!WZGa-AI^MX)4hILHYn#;nw%Q-Ks>VJ6iA^YgqMmF9}2 
zbk##A)i~EyF4yYfJw7O8lV(}zGsvM)h_=Z02vmQ`qq-Kgl;Jy?#zr|Mm2f?sg^ku_ z=MgRs%ISR{3r=3wGlb{bpu;|=*s5h}FQGCnS?pQTq}$kx6(9>wv`TXb4Y%W|tW%{q zVJ2QS-zq=?I3|37CN;e=W!!R&+xp^iZ2@H_*EZ?jG(egE`g*`K_qxdc3O98+_hE1q zQ&4B(?;2`OrKQhwX}aF zRDTOoqVCBjqvh4S`nDz`(*ZS&Dq=;dDx1OTZ!H+v1kXZROH-eWdN$;nZjHBjw#huu z7Dup+4Om--qjAYvd;a_k{;oVk`dUCZe7)gKWN46#_$Bu9f$LA3KN|tA31pM*4Rl)b?+AryAy1qzJLd>xdZdu#UNP_fC!LWnbXJUCZ_B zfZu=WgF^xQ$5roPt?{1^|L+aue`O#$89G_htExZ(0AoAco8tU47k6j?K#(^;005AG zlHvgWu_y4qN5lU=py}&d+FCm6>;M0E2L1#5zYR?Ae+0JoFg7%{FxA)pFRT0?RfqV` z2Jka^@7(-%>OlD4sRP#k2C}`ip`|UIvAu`0g`F)e^MA6ljsL$E`rmv=iPDS}vLH&{ z#vF@Fkxk7CnqUcdkWE|ZI*Dko9u356q5HV$#;x_%%EYa!Yho#B2oBFPK7xE8#Hz$E z;DBEtbW|`e>aehFz_zEO*-{*eXeC@zp9lWu?&nPRo8;1>e@#S8>^CcDzuSCU@KKYt z!95y*0uTfd;83Fi5`h3wV!cMH6wTTM&}b&ijw#b7!zf2h8;A`P?~6Q z;4M)x1F&`b8`d~3G8djUSg+lH;REEYIj9C9-k|g>hs+$*wFVv&Z6SP4F|_;Y9r*a9 zs-UzoIuN_;N$x?;xcM{0Igeq!xZq;k4!Zb?PMMLWM3vj573L1QYeu-wdy(Iy)|!Sd zM_sYU1`@sY$aj3zVrcb*pH?W`^C&PEjkGt7obM$qZYf$Dh9I0$l46u9mck;C5#hs{Twwbu9bVM;RP!vg}f87SR7R|Wa{^!#@- z1Z$=sJ6pp!6EGuiR2kshS2a6a#T|0FmEu-C)`;FqLz5%{c1KU!Sx?ohkro}g-+YBC z&?>Q+&2;U&6Du2GzuM1Oep%T@v!x4EVDu?E+RJs#g>Tx<+YTZh&? 
zJ~mvp(Y?r}o`33Un8wz(P4w@h`G8s(SBhj?-MFTuSkh;xHZ+U3Y+*zGM@gq<92s$BPY3RVSoFcfBNoLNrIB5i1uX5_kR??yB}0CZ3+^%x zG^JQ_v*JnrUgN`>3nLD(C`KrS>biu#nf(kgyP47`rxn{II^yJ5c9)`SsG>CoH(Ftc zH^&s?@qT1r{vt(^*u<8O827>}qh1~ufVr}7VTYVRxIg=VNsK z!6;w=00OW809gJT1L;4emj9b^6r-VSy|s!-=F()nL!>EpIP8+n!d?=4B7Lp1YUSu%wX_2S3s)xOj>$TE8TH;mv{8$f|&LN$k>> zQ31j%uy~g$6zV{x9brNwf9Dl4Wn<*#FfeaEg91HJEgD*QV^%aj+NqW$CA_zEt9NKL zn%ttvg>TFhya{-N&!TynSnco_sCM=dx-g#J=L}5H!fTQEg7MvyjK0J!TGmwDRz`QG zlulN+$CZ)W*M=&qmyyxI#_@7-BzP)1Ru?Cu{}DNyUQb9u%nbcD(*X4(Ai7;R~Px#xiC&t?}ePaYcly(8W zE7Ms=`*I%sbIQ4+)J4mt!P4Uo>#S}mKJe%g7u>oSH6rVL{3*}Ocpp$i)Ux?Auj|+= z`;kYEyDUX7ZsB{YXoc4&SaPb3;up8bgI&~Or*QJBjpC+j_+l%ql+EU>q*V9$O<)343{nI4+d!B+{GGTfSwSD z8$i>evBVsFuKe*tK-%@Li8#!j6cbhLrB6s}C*+|4%tA+$haqrW)o2-4Wey?DRe_>j z*fZ_3?{Y3~2noCcP(?ydIEJaA;D3hnCI&^21T7#Vp~9a6nV`YqXGP$F|EcR#zv*D( zcv|t<*h0uK897m<19Fo}8zAtr(^msK2=T$^_tU#$W{2Z8!I(PIxaXva!hIm2q03yd z&ZOr)OyTQj@F*6c4ITaajm-23?D>-nG*tD4_2YHg&Fgo`DJB=k5+8%-6h$Z-ICjiP z#VGY=j29{m!%mIGM4HQZpvbsfM6$R5n zcQ65a6h6C@v=aSRBtfDYz)STMMv3KLft?XP#&)Z74F=3KD2N#KwPv&{F&66C7Vb5( z_vx7iqL6iH;k;m!3YfdZxdBH>?&}E+ zAQ6nl)6M;WIZo@StDaL(gB5#jzd=?GIHrO$Q<0kW4oCI8GKPAJ4j2>A5L6gSCa7J< zp5x8Yk|Hy$V%ID|fyt_j4^16EfXoVZvTwptFiEiVp7#CLHT00d%urpc0)EO~b5}!mp$CJr0|@9L9FpEv)UnUd99mth^jN>4en14?3wV7ulFIQP(o7d|_tT7ep>2 z(6{^Z{oQJbS5f31d7_dy9PY&=O~4ZY1KVNHK8J(-{TBty(9lwRUGZ7i**8OL(>jh+ znkbRvs%SI!mlGG&?yUqB=1GMNIW(!unwnCPINCTM_L?b9jp-^HBUGMIq)n*mjq4W9 zFf^ReZtH&iyB#vBT@|ssQx#GaS|wk*z{MH``k-9V{RJz&y!QWkT!j*C4ftwcPTZnr zyryJLv0lh4MnRjp`18CXv2(MO$NiD6#$hMk^(fLWoD%Mi*w;GpUQ;|CzuoX0ec39I zR~5<)Zkc`vyv1}no*d>u@~OP4kBYlr%H^wGSs(ey=)>Nh9yvd3FKupb>9`#>qqdfP z8>69vl`GHlbVM$-lGhax+w+DjvFlQ_?hBL+W#qpZcvBb+(P+~gyb)_6wHFPL#B2qi z_End7p&u2bPVi-B#~LrF9mt+ z*CB9fm2OvWp`0|JdqLZrAh2>>dRrcUwDO_ZPtR9;R_~~JYOBX0#j49eqkbzsDE-J! 
z0Sf!J&2f0XUCueJvO6mAaaiGEwZ8Xcc3H{HSr2+&^GzV4K90plkHuGsg|Z6qa+wF6 zGX3Dri#=X{{GSG3hIWlRCgFYtE!xt2o}>OmK1b3GVSZqi1warvDaE<_ESILDM`$?w{D2g@ z4ViXP2bdwqmUa~NCv~5K4(V-Pk*253%yAWqM|(+7@(@o(EP{x!BIa={z;PGl`@Hf+ zJK|b1LPZES9g@;u5b`Dm{`o!~5pU_scn^$=FY9};3Op7oph%jL^Y2ksM{vrWc>==a1Oy6`afS&K?>u3f1Be%GLyu;CjcD~me7B_4mEB&~R@dCug z2j@VCNHsrAhvg)&NM++SLimMsnd9s1w0vy-t$DZac=u9PxX(=)tbd?dh93+%cXi`< zAB3UnL9y_`5b*C*D?Es_-UUIlBL5|O%+0(1pvS-XkC)Gc_N!yBn05?110P8ffcOMj z#OYW6!m2~C?B7VXp(P;ea1KZ!N|eE|Kg|Bz?IgXXP*tt6U~2^acv{wXhv38sY?b<~D9pmXdSQ)?bQSvjeQ=|O4f!*k=627f=4 z-QTgR@5P~-Iu9?FGVfaK*CL-OjJs35w7)VwUY4H%&MHMOPpDHQ&ZfrqqsI4}-hO>= z>eh10nw`bErY_3dk5KBwAH_)eyjvELShZd;X~7vT=F|#5W6ldu_ag0RJAX}|-=oeS z$h}_9{Sk59SM5Z?avQ{+VR)>=P7Ip+zGoV!={M^v0wz+Fsmp#mgr8)zp!?CV~N%NY~N6Y={ z{$OoA+}zQKLFE;2Xm5d!n!TMYC#0T1zHtM%|zD(D^DQv0YRL9$=2jb;DVKa(K8w=6(bIq{vs` zKHg?K9Mrx#>A|1H*!zZUYd1OBt&jG&zfHY!(;wdPbX1OoMZeG2X{(>79JB~HbDAPf z|NO3V}4+%evt%|3e(*RA*ybvw5N2m;LGO1g%$Rwf)>EC5M27w*)%?Y=}n0 zQ+aXZ-Z-&qG!tZ1M4IZzePxoUd z5s%YIB(^*HxjX!sr=vtXG$qk-=3oB*(JSHG&UA?W=aD$G0RV9PH@p%nQ%56HM?0tg8_%Rg%gP#C z-8J{XNg}dPMA1$fZ^Dsg!c*gsIPrR2?YZ7$DzRGJ+A52Icvj*cdnG-iz!Vbc5`?xA zG?GZey5Y9)rjnm+g$R-g1$vnRi=b-@|7W3)c@S1ehOl4Y0PSy?0doI%-s?8^&_R4+ zl66^?W0UEI5au#m36a?iQl_IqVAPwB zfbw#fv)sv>MO9B8JjrCzL5O{$Q324$BfZFbVu%!9yTVA?4`PeLOc+7U!4yHw$rNGD z(NO&A6KXu(5pg`*eXM3>%_H{aFK8;?-w@ZymTK`-P|{AKNvTL_sD+Uh zim|7}+qkI(_e`F-mIY4>ixBCO;NhzW6!@6qg%@SZA}3eP)DGut8&pzP*4$2diKsx5 zNgHb>x+#Sh=uL%oB{U^(mD6Jp7E+ohsqFI-b%&_JVw}m}LBN{c{w4e(o2voX-v&Tm z?t}iT0dX6Jtz||0T)ONOS+0@n{QIxRP4O(b$7{Lvq+D5a z*%B-{1u08CrfF|XS;~{vULJaFK}}F;D7RX0d8qp8+wQLSvi^8m!sp)E_8jcc@iy8lbnoLrxCrmn zJaDB>QCRot&?(EUlQ83>-VAF>ac0o>sXy4TZha*=A#G?i-+H?L$nfhub=MD@B1t(T zs&UcijXze~KSmPN;ZM>2q&KIk4Vy+t*HxdW@zA)MC-T>I9i!HY*MbyC3Ed`xLb~da zk6*|{JtQ*$98R`7a~a;wQ_NB7Xp6x2yUIWZq9Buq(l<<{-DfVvZ8UYNwZD**IcH!^ zDq*Nw@>EJ`MUo#$eFYFmuOoRH@MMJMi2Dl;eoEEJhU4I$fKo=nB8)%{r`5X#>Jg8n zDQ71p1XHvMBumpoDd}iRUeZNlby~qVy3Ad#8{GYc?)-l!JEvyBf+)>i+g4rMwr$(C 
zZQHhOTXk*QwrxyBKXk`TOi%PYoQLxVGIL|Ck1XlLfy$I3_W0&y_D09(ijaWe(Y;$r`BGO$`)#r=HG zX8eSAx7szx1=qj$20VMIhnTbv!qKg{t?SkL>SvHCBCMyUF89{!OVp$zLu+y(`%|3M#`&u70QUCVXw>q4e~#5%Sd>Y;!fw z={{Yj?s*ZXK1FbHH%KcFc-1qai@tqFu}0W3UOV=#ReM)Ab*nQm*l$WD@LhCpxG=5< zYUPF!YYIBuKDo9}&Kwij%8*@ZCl#76Q%nSfFP{dya?X5n1OvHOsm-Mqh8ky_l-R1N zw*X`_L9~f2FF^91Ct+_w%e1n&V+tDj7@){5s53oLx1m1@m;c15wdTia3h&D_v#F;U8s{}RXR^wd z-O-$MR>x}c?|2)t=z<^jI*&<0F zQ4Vr$7nTOWW+wnDriRDJbZbm1hU;cKpZX^!2zf23)<>PY3F76h+fD z5VnJe>@`@_M{tVUg*3%s2PxO1&pI}$^wVFh# zHvIgcEeiQifGB#lW3WXT8b#x6kd2nZUgD_|=hO(7drurt4==k#mQDh?Tl?*BJJ6yo*QnAH1MgY?vt$*vOWnDx&9Wpj-y&`eGyS; zL-~L^hZb3&!PS?nqqLsw;&sG3p}XZ|-NL`rPN>#Ts7|$8ZhrWDP1XafU~CkuaecvL zu(Z}!z25&p<}_qb0P~g%pS;HqILj6qxT7)!Xprz9)r826+Ed3ixCU_7IU(i+G>=U% zb`b&a2b6@NCx;CECG|HPKy@B#08v!;kWmdL)*8!m07ce;!Ouhlm{V*7ZLsDx;pDm# zn`WQu-k8cAxtX71J!N{(U40P5fD2()nB^CVNLdtwDYOW<1=uxu4fP)QnZ9{qTZ_q3}5{nor z>r2Zx71ZUfHRrBLJ0;!bBuQj|!rB_YGlQMSSQl2HN{!k8kt%X08}xf$1uKY<@3&NT zyzqBypY`^3HT&bDw<^2KUuMVcV|M$*JU*k!oF7@6<0daM8-VP~2d%(~V(o%ld9!^juzcDknNKE9 z>V5EN|Ek-r1^t?DKWmE&mACnTM584yf;|SS?5DaLa8Y*)T8k%-+M9d2T;^75v3x53 z+)>j|(_mfy(iBR&MBjrRjF>9mQU2mkg~k~m$ggy!|Lg1XTB}xdEA;Gh%S7k6YJ#nS@WhawaZdNsTF7dwzHee>uc)MXqNiX8uYFSuK_&|hVZ3P)y0D<9#*-c zmhznXxzVWuotdMogaONr6Y6cAg#U=UHm{|rpj(f6Y&z#h@g-GcUNXS#XY3hJ{9`UL zl~9u(cG61fue`OH%u6C+$IYj3<&s6+px1-1u%Vu6qs=ht3;Zq3OXIE*^2m~LVLo4* zOcIqVSCC!Z*e|Cy=Qkro)=ZI^@t}sWkzYYffA3SM5#;A0z-!oE>bliExL_o^Y}ccD zB;BFE_7u68eGvO>>qwVB<{sfBsODE)3<3|;F4!E%COYU{Fg3 z>YL_XM^z~Hk>Q&-47uG*O4bu9aug65$hVZBwEsjpv3e%)L3&hrbn>jY=@>uf^kv^n zC}T z>76V{!2OC1mlf(GNa}~~q<*HzO@EWlfqLy~v;RG3DTXLV>I9$+Ur-~i84=&@I-(f{B2Vz{}#!Y~QTFXaSA_f8ZaFv(p zS3$QvRJNvwiVX?r;)xDf(=g@sw!3j-9y_ty5?t^wLWUF?qhYh)Q8eMep*mU>)PY2? 
z&tc0yoZjf%Fz*G^DXZL>Q)wu?m>*b#))=mH9dOvoSv<$?Q9=DiaKKSicn{y4;3=(s z)*cn~Uq9%|npX^#IKQ4cKUSbTrBo+TYNQ2Bpt$*uB}Su-CUc%sg<88HqvN zf22Z%>_vYgfbiGusd)aa1owVir_xiLxu|+lBMymn6vwQ50jcEZ;tIEI>IiOs8^#Q#Rli(M|Lr6Z3fDH z)BtaQ%O*F7mVLb#678&-6Cj9^{@_IX?hvs(ZH#I7wv7g9i3-=^pF)-miJG@{xJRG)ivAnLH1h4pT?Ua| z;$VfkoBn$laas+~-!T~mz?UM4u{^nv(13j;8u2d$qq|k2l>P=Je{uLLU>bF+`B_ex z>(MuORydtxcC#x;Bw8M?(epTDvxX2YZ#1!fUeGDrp|<9fRhko`@MW@xaJQ*B1u|Lx zK^pa22_oqN=ynq+;!s&sDOEqt#3|V=dLrH);tL>;XC&v;yOqJ) zn?nkXeMJTVw-Ket8x#^^%Y3R>qj=8xDgh`*uub zt1nsk4K^gRYBaWOU^+b(K464Aa`hO#vUHL2-J1Uz|`lyS?4$XZ;X= z#c#v3mRs9e=)(rGH3v+jG7EB49RZ_s7?bx}6aiD9D2e>#EV-XGtbUVn$+pUlFDeLX z3@}(=f@IhElP)Y7>DPa7A(=n|$2*HKk{+eY?tByo9@dC{ysLA~q(#h(;Yi}^^r$c4 zao9h0ol(sV4BkWmqq2vrBH=|QhXg1pA_cqE-K)GKd<3;xt7O?aU(ad}gn z$=L<9n(Rtx>Ggku?DpKvyRJV431@*m;+0IV?C7mo4o1i^ddS^RM-8SnJZtF}XX z)-^Mqjiu3X^kErfDt1D9kuUj|?i4w;T0YkP9=!fiE|T_hOHYTKgY2n^ob&DxnIUo6 zV@W8mZk6=|4l^VCL9)rZn($scWDF04cB7fzA8kBPdrWfTEcv{nAb?9do^QpnK%$g< zbD`%rUckiRoUJJV?ZL@QO%R$de-}&|YVkB*3GO98jQ=bsWMV52S_mHZV08rL$HKqx zkF=-=9s?5w9a6(*M#miidC-+!p|ZtVm6diFfu)xtZJ~6q0IKR_gM5n`kAprvw~hX2 zobm6E*~D|NlXACe1{LR~d)_;8$(}k0UK_wv!ZlPi`2fR1@OYdD-l0sAe~Oan zCT~uuE0<^G zt=H~vqmP;X>wZ~_<}s|YhmjSt*7n^SZ>8-n5aNzL$75Vp0#`UPaUyoKfMAso{#Pw15GuL%GyCUp;3>yNy|LHjbGcSLbzV`DTXZz{Yf`M+prd-JS)2CO?R=Dh?1gDoi@-ONm%x_(IWb?4 zfiE7XXANAV-Bw%Vgj8Z&{Jr7!D1lx(Ij9_(ZV60JHg8a(wtzkNP_{`FbK8!-!*Db* zkGV2_{qEFa>Q}j}z@RhmT!s7zswCJX-E4gM%)Hglw)B2#<`R=0-@Y^&SIzpy{kLYI z=P5uu)u*?sonw;yKjSudN%##`+%NDqR9psjPv{56Q zGEi>k-wmr!fcX*Qk^#+>GwpQk=L=Z|2-Afj3WpW4ot~b6lNA;r2dzFq5m~t&t$d9g z&4njum>S2*&BSOkISPu-%q<<2Cn&^va2UfOlCtMUQi*6ZA+(&~;{0f{gL6L)a2&45 zzup0H@J@lV9|t`;87VCEFHN6EBy=G5H1aP+k9S63G;u_PQ9@NtC!Gnw8y!qKA>mE0 z`eM70Cd@!(ZjBHmN@sMhLj+93LIpT;QttbZ?7M4B>}7{vUy)jZn&O`6jE^ksH!XR-GeB2N=vs?~$m6W))C zv*m`@Thmz`s4Kd=yxs9X3-{7hjFH@Uaq#?*g5cs57rjig6|29tf=8_uASvs8;tZ+* zm!0_Y)fr4#Bhvqp6P348-hZii#|fqD=k_$eNA#{i9xYTV>Spoc9yNh88LHQBN9-jK zP)Vx1-sSaz41a;`rCIbmo!^@=`+0Noysd)HUSo&&OmhRjt8hCqx9zoY=fmuc2b5n) 
z96OHx9a*eZ1de-gbRKtGREzCJ!?uLv`u7B+^4!l+u&N{4lD3LvFpt$P=9aBBf21~t zrKSOo<;70s*s$qP^O#22g9mO=*C`UhA_#X7ul0srVsHQJfLNCtq|EgoM)?5mGr z+z0v+UU$i}n1Y`&*AFY_PphUQ3=o?OWhF~bOy*8#JuHm&XyHa{oLr@uXv>RL`S-@6 zYK@O*RgOqYQ{F1=)pB6GNDXVKrI8jwybAuwk*oD-;|L7CDZdHW3(=^;(U+}s6ioh@ zKUT+wvBTu+7Q_p0hd=F(J7=wqH?WSk5cIZa!6v2CCuoM%OVbH2%iJ%Qu($jAZ>3qY zTXl%%#sa7Afwk3A&pbKZNTI^Hj#XZ$VIi^eaRj&rus#m^yEtMm5C08+JQdQ>0+7cd zKY8K}Tf1i3P)(xLt|HG&&E$4I*MTK_KQ%h3mT_0oHO0686%UZi5x$kDsimzkgr4`@ zB|Ucxe4O-547@B#DyDr9-Nrh7LcXAyt=V@Vp}yqHCfig=@t7IXfXO+-Jx2XGZy*X9 zoeUnk`35KzP$D#n&Ift;ugSlI>MlA{A@0Mp0`mEI*X(&zrShb2zrbf!`#8?_z)wT1 zOY?1bbJhi>m#%S#ex)x>u95a+o_=LEY&|5*(pt5m(`@DgctU1&@eS&oJBLJVB*yN= zxNCxW@Kt1`{eeerbJ5x&E7Hzq*0RK@+*#J-<*__DtgbJ_v`PcuU)Lt(c0WJQws>}Ot!S#PK{W5WP zHgU8y`2X6=Gf|k8!eK!19k1q7=gJREs|_h><1jZyo2NNwVCzw)^MX7iu3a=uS|{E> zY^@Lbf!Fo2r1}B=!9?YTMSf%#w51JY#jV!0o$E{7F;j~)Ij&MT-hmWtC1fsrAp23UhA4t_dwqi* z!ciu|d8K{jehEJgIo{+wN!mGky@H9l9nh>p*vOQqw+T%Wp)axHa5Pb=40(V}++D9d zDQtbZYNFo8J$Z(@I!kq0daMt_H@K>|<4t#?$LlJGJFqx<=lu1uIMh4|esEB`Hx#3j}1O#%2y7hEC^F&`2>$6y+t zYqyQiB&8`fCes)qv|7SylG*SdA=FyJb&}>ZoRKh_VmTl9O2TQB>r6QOTq2Ik2H+V3 zor_}kHyMMi$GHcfia+K>z3VR0v8x9J+-RPKnpAN3IKO5~#Tjt&JGu!<*c>D(h!ESw z>AE47C|~>vNMSu1iGCkB&T=voZ8^q zQ~S9D{o&eY+9|9NJt@hKizt1$q$CnAlZ6mR91p+?GufozFws0DpJyR-5RFeoXTI2p z5laifcvE}7?PxEHggzLFpbaC{e=dvynTP}90^a3CD3{7rG`YR~?Sr0{c6>hPXxwYo zipMsGI2 zesP)ZWvSU;Iadv$Al_m~1_varP{+QTd6xvvxoT}c&4prPGnV@9d-W6W*>M_{+x$#b zYxw-I5jeAqslCnWW*Ws+!z*Pur@{8-PHx4~!08^y9PYFWH1MWlm6Kv`XY zT8KHgfD!OKu;m+-l?GHjBt+pse`o0L^AX5!PDV;I*}gd$^D_0HAQ@7mV8C12p=2?-+ zY3XwOlIC}HvGKR`Mkx_HGN^YzRU)MwuMywTw=roACA9?1{MpEm>)Cg{W99Yg;zA{+ zW<2Kan(gJy+xFA%s5$jc9e-C=v#N%kQrmg_a!dH1$c0jl$rB?MN8*jcxPmi;)3Jlh zRad!a6HafE zSB|$U#$*p9+hZk)1wAbOUzMm@ft3+F-4jK~l{Nkv`%dc11RU})7v%EwuWl7*#TVS< zL9!LKLiH__ZV;`qF38qCkgWuIMz1R=sP!=%)rx9&*qk}{xEC%}mP*%5sfv0xSrYKk zwI|}RxXTrt%A-?1XH~qqhJJYxbe0n_+Ac+=>IpEMLf+vPCjO7dV(gmSwFjM@bg~MQ z{a?^0tylExM$gT-m1W*_Geu33QVF$9BF~0j3_e$v_vEu2^Bi|ApW-zpqZT<0H$|ye 
zSKw-RP$-5rza7O7pR*(>0nvM3*8q=Tcwu(-E5@An&j#v9@z$Co1UNAnEABvg9@+b6 z(t=1S>**G8Q=udp@;e&n$>%RoRI&=P+TCkxb2}vaER_4S(igC;N&}MP4BudKh0$4W zy-3LpY5Slis+?gQ^}jNzXl4g?e>?=cFw~5z?F7(@-PuWDSQCbdDr82wpc&xgXShEj z!}CKZhIGq~L=v{ab{HKgq(1|Rfq-8BCB|YCXZTn^A1pptnCo18Ws2bf)xt;U#5Ceh+WXmh z6LQ-qBh4kFfmY~9G>a7$B7k$cgVQbs<3i7dCy1Vb>xrirH6Ix_q-OUXHph=6A90x9 ze%P(z4N1uaP$tr5njFpG1&{-78?sYMvD2~8C=k#ZP&DB{z8T^O77`1iI4H!Ea5I&% zWU3<-Z@B%7!~EYDxPMPJALF zI;P;G*YS6p2hI;Sz(%y6`*#wO6xut48PE!&HgT`|G~`?tli@fmcxby!g_w9y5D+X1 z3{Vpjo&z!Pplg+a9*j5hlV|L7|LNjo&afx@>fBqUIqWHO_)U^3=o!ih5fFC+;EE)= z(9_74_?;H*__m6J^;@m0z1U(2>I!{4uKcz3eP3&*xiE^0X&BYio*zL8ob{wygc@_t zWJ+UA_0uVNRD=DoyujA*8s2C&t=lf3Ua5@s3u2OeP5h|Zc!@cmw!{1*v_@;h9BKDWYNr+hBuG75q zr{ey+O>(w3Xsqr9rM@3%A8@KPr(xg^f+87+4dj9n`^FLYnTw`TWil_ zdr??j1GKemmrJJ5E|<;i-ecR{^!aT(j2n1GqPn*a7m3p>m|lx4c2Z{feLg})|EGqHFS4KEHSL_Hq^ zq4{dBXV!9Xuj8U6y4$S{|9&s5?cmyyE4*{3$os0A&>J*%a<)U8xLjy9*~&Qv&nsswd22Mf zT5WaoKuRZMx7SVByO_;Z(|Z2my}bscDQ)zGZ4||`{^A2%xN_7R&!zNzL>un zZcL}IbeFT}jn;LSbEPS+>IN<5Aw*$VCHgKq{-pV2q0)i*GUPw|RqMT}+bP7Lp?0;L zvu{{oxICCi{nh?jp1KXDtNRxHswwxQxAdm}c$o47{Xv++mA2f?ogWHjt^0CdcxQ|J z2>w9;KZkJo1AhL`fEcT&&2JUa8=%#WKhGPQz;>R65dm%PvNHhdFVDvodkIkBYlsu& zos@wO3si$FeKDivjl3?0<@^)czw2**G@*1j>g}C5U}i&&-zRtXj@GbaH8%BGK4xH>|oRwNM3%Z^4B>9#qVt*H(qL zUdhO)?UR(c{3G<RkY2m1;3Su$i)_1I@X zMDeGov$#t0Efzl);qTk5PUR)kPQuvIU59@p|F{ScIXrxDRM6TlU(Ml z1mFBEbP4e856@eyZKk_e8>srChaV79*4%W07->|9jMfc5TL;d5QGph`D3B}r>FdY1 z-vwJuycBuhxuT&{K}E>91^d=@yPk9t|AIj$6eH;$0!*!Y3v!(;P>Q$l7G@5>ZIs)v z?Y3@4megnE0fRlqK~uFGubbZjJbCYL*4@V8He*xg-oZUCSMs`+RDb52;|X79qo}IQ z0`8fOsq^TsMW^D-nsOOxz@Kuu4HJ8L2Mqr9FpZ}5=HM0 z!N}@g;}6dd&wzCW{m=_jK8nU4r4sE{pfs8?q)6-Uj;FQEuPZnPA}xg!TwfKHFdL8S zm%2P(S2CVd+@NhxI~SUBR7GRCT#2p~&s+~ZC*GLnglF_}=Ia6kNnt^PMFx_QK}TT} zr(Laav2IeBJLS`d=E&_|ROh{+Ab`Z&gsqq(lLZhk_=>N8$D{P|0;P8h!8>F|A$rGF zuJjhyXo@-zjc`bnV(>s-j{eIJi2kVH;uDv|=vG`=p|Fl7;pVT|L=7kWDZMc*FVtp=->B0ss8_y%>DnMTV-Mepa$p>M3AEh1Kk1S z_5{nC!=Vlkx6XKnSZn&5C6dbTiE#zE)6mJ=FDFn?yrW+C{V+}#aNy$2w3n-=(LaFw 
z9=9Jmi%_oTK6RGVFuQK@_sHwaK+nXilU~rA4(Bhezv4 z>h$3wt13!3&0Ib44ONm|K?Cvlx33gZ@f9l#{j@bR!~sLG0E6!mwFFHsR-RTvq-O(d zoL@gHFg=z5N7_aC&imZ{k5-9IhQW3i1OPzHzc?oB|E4JZ4`k8a<3DNN|4Z3BtYKw$ z*oyRxi~k#N=UX4bDS2?!+GXJcxa!a-nlp3hLe$)@vh#W}ZWLQ)HHuyN)i-gBoskw`?S;(8Gpb$|86CFyQK%A#nf4kUj$7IcLqdbsaI zZib3IE{;hV6Mq>(;sfS#QE*~Jh8ZV+7fHczcZTPbPbxa#0V3c|1P1qJ0P4H@j4*-> z#zb;fsew|1Eb|91yRUCsM$+p|uLmzLcI(~PTffl$c)>Fhxqp6J6C6i=urT5nXQ*z( z{Zg(g?=XsMJ+JSbH{7+Ps-3r1F06#AE&_`r0WbC&7t-&Sco@>b{_XNhBt}E=D1yFE zg4_&a0Sw?$3V4;9H=ZLkz;Swf=#L@%S>8iA{sbgElvXD=#HdihOzg5pcg;F3x1i6R zYZgmVKiAJaZ8vjfi}v`PXkkIN2%tJ&4f8*FczAq#d|i*^4k6iiVJoqmKXFl3;Di+X zBk9%VxKe0%xKqXIfnXhUKwyFe#Mnu10d6NP-N;KCD}E~zBhV@^LD3+F87*=i!YQ*J zJ6-y81qz-kx1F{-ES7N}RjPP_SCXZP^5}DeH|7g?Uf1JqU2cn@CEA{CZbo*@m@qe? zhd0L~)-MN4L~B6#e(SjT8G!5?DT-sI7FhBnxgju~7oi6m2#hQ}V-I)u`b>r8P&_bl zz(fbxc(@2}W*6|h`MB$eA}f%>WDO{#@_U)V*6?+lc?G@3$OeD_lyT{d5jFeN!gZ*N zj6F-L5fuTnCxU^LsYeFJne%f+Rs^H;oO#igaTL69{C?!>>c-^-2?Z8Vg!0F|6hNXf zL?>ka*_!3NG64>UfEqlU#^Yb0G3}a^@+t>(b0uK{f494QtP{g#>V2G?o!&un0mp&3 zwO?wxiW)3JL01-yC6u(UnL}MJ7b)u9LkECC7ZfG!1%#a;@5%WOs43=%r^EY5S^?6w zKq`XFG6jaIyD|y*-N{EH?g0LTavBU)SYrxmgSg8S_HT7;Hj`UJUS`kX$G6)OfZ^Lh z%`+2amCgYg8%EaJIM>^1f;Tyzo)mDnRb@g6YbxSFQ(a8$iNA;qI1#Urm;yix1|@?K ze3*6&oETOrVen@iraoEV@d-d3V0=sz7zCK1y@6J&+Hi%=iPh+Pk*Xf{S1S{0<9c8v zoxPXUgx)5PXecFw$8HqK)`=-g`?Nktrlf2V|9M@q;n{%LJAr@_NJS8%88e@|ah5Q8 z7=*MQo9T>j`QQWaQ`C#m-$(0QT%>F@&3QNMKv76fh2ZB!15ntM{8f8(#(uZ1?GnIt z)GMu6d*||fulf=Zq_r6PrFML?@L?%WfA<~{=!p>2k+u$@Jy~CdgVasj<)i}Hs?6uN z0K^(ZO_Aer(kj^ysdrBhog9C+hALl!-`c{pTC%J2ydo7+dtLbaxXSt7>MWmw1SKiB zxvB^GQa#41@9Pb3M%l;y(!zg-f7mrNlzX`y@t!$y*Bdvk@}yg8Bk z&Ca^j+MPYGQ;~JsLtry=4-PIbZ5P{@jn-nPhnTCit7U2R`g$(H{Y)ucv@e8#q|a~FlAWPPKAGRmm`lZdH& z)oztcGlNyLdU8kN#B%vnB*HR@8Z*_Ui1t2$pt5Y<^nO3>=@BOXC)nReehO8;x7Su6(-@!R`64R=QZYAl-?%}+XJGYT;@BDFg z_ zjd}SrK;5Fo#=#-!OCjG~Teo{?e5*d(B9B=*CbzDQc#cz#Gd5LMP1fZK@rYg=2`O^a zwyn)#ne}Bbza+B+o3n9Zg#qrDT$(T|d7oLDNpXr(Vud@+5@G_K74$FO?19SguxXRh z20r9CYT;UA=d5};>J_5fH)_WJQ7lcweadnPnTPA+Lz6+o*r{QzB7TFZn~)VfGi$mB 
z@EN}`r6?os9{TZpnb0=bw3+KTe(}l_F|Vi4%H%gLn4&uI@|#4+)-`B{SuIS4TdC>G zuE#bn8%Jgsh^~N6+`^X{#eDz(mjrTPHY_DZ->)c^I5ZUr-|R>-motQTLW#xR^l?eW z;;60y?bdX)W35%Y&uSH0W$;wGZtVmf4u$mXZ-U^KNql;UNBQRL2T@16`>W=f{CL~S zf#|BRH98=(0G|c9`JJD#AP3%9M|+Y^!so8Vk)CqI>Xr~WHqyAkBh2P5K{u$^{gv#3 z{MT&Zfmu?1S;9Bz{FrY?{U8pTersv^F5N|JkO@NQVC%CXoLP`E-5vPoV9?+H(6aoO zM>1k;#MJ#ENoi(_V+axNgF7uDsiOl*DawRn3g!iGA#6Y(_$v@< zP)qE_y~~*%7_WLLSTmOeYAN{3N;s)MQ84GNYK%xg1M}s|^W*u-9@>A6{Kbk91J-s} z#<#C2jXm?g;+8q&m;$LBJ#!?T$u<-X^}~y!<0}%;uUBVRJ1X}N7Oov_8w>+)@5Js0 zxB)M^e?C5()(3fwEBfpTGl044gG3Q~|Cd~}PHX_6WSc(L{P+&pREemc`cL1=Vam2| z7;}d~JXV1x`=`<{Bhl&74pZXv?s)rq@%b8^Q1TsTH{WP5p@aZ1;1W~ZgmCU`E)RXA znpRehElY+wO{Dta-QuMBZ1L|<%?h=eR65kSGa<;Z56@P*5%T!y1jMY+w8;j2^t;Tm zW8fUAFgb@^izfVGzdQT8%NvN#*+-inoGotH+s@#7@~nP_ZzeUTRVpfXw>hA1a16Yo zlDJK}bbD4zy)ewGFQU&CeP!b=Lt2ES2buNydv+FKnu)n#^MTD!MY@xXxsJ&%%XN35 z(QeCcr`;#&b??pE7W&d>AQq?#lRA2&+8bzTzlgtHCma&d=U?a~qU2RQwn*)dzu~Ze z5hT0n^oZ@mhIlutj5s4_qq3ef3fpVJ;_>7Z9tY%6v!rSo5qm*e+4_s8NFF);jdP)% zc)&{4_Q)EIDA@az)+kIVCYC|U;JNoC6KBw8d%3AJM3!kD!CJ8^*ePX*^j$>}cCDJE zgs>Ht-)Dx_KZ!C-yz_>%^SWpEhVnIF7l&<<51vi3G{S5;ESy@;%&}mr#>g!7EUw}U zKRMhsL}<4|;E#8`RqAEp+=mbG+Tz!Zj|_owEk~ciNq9Akc%gNBaNh&|akaFwym_zO zWX=hggi=a$mQxPKs9_~>fROv|M9Y8%_fQp9U8AQPf#^_l9wJzl#w`TGw#UX+(-GYi zWEU$VoUj)-5V;neC18ijy)0t>iJsyj(JWJsvJl_A zAR!q!-f-5A_z0RlKVRo@WIcU^g_I)f;O^gBUKCwvYIvT#il{I9@-p0RHB4fv>iRig zZa8YX7u^=op^wxMgQEE+(3}S+8ckVCt-S_aoP<8TWIj{(PPcE&_8IlXcBY|KVW!>^ z6m4#*=TAR#IPrw&?Y>xZ1h>hpN1W1DJi6pISSEgIR8&$1kQ0Tx8<+_pdDLd`pht&M zCR8@y0XotyJ@7J@)|-YG_Oiju0xU|%)ix=}(@7E3sV`Tis~;TJ7E~f-)(fH{1nY^f zn<#&@2%Wtx!~}}Q=!lKp&q1_Ja1zeg=XQlJf+=%7I41Kf@BS!ZU29>ntHdITA(F8q z9D$o`?Ljh*je=D;D?=nLl?^9TYkHg4NPppgf=|P72Ka8)l7`n7 zcBLD;QI`-|e9@5@pRWH=`&uut#-uB-1LB#CvShdvrJYEK(^f9IC}D8eO?%=Z<7z?! 
zi#x0v)aoWXs5vmi)(6_)d4L?F4Z+Yla;hOLY~-#dH0^Iax1OzU4c}4u*V<w@S?Z)N*X`vDVuFLgCsk_dD&i+H@5GdoSQj(wGH77k-tgp0$L`=L6V zA;xs0hr{MmKDe1y_}kt4)}{Kr3Fr6MDY`1FigKe&3>NqM@G6LTLu=ld_y|s% zQoZjD7LEY_b!Zd2Go@W6I=3{4kx`jbHn;55-2|mWRKi4E?fgPYR*105clWdDx|X z-RVDkmav@P5wqCZ<6Fbn#@|}ME5qucf&J={Pv;8?frBEv-`YuF+_RwiZ*eUTY_*U z$j@Wq+(fRnl`@k~F>`oke{}iyryxnBc%3>DG$@a%R*}?<8t(mqD{g18?#;F|SYLBy z0aooG)8;r6l-ocuI6+p0S*MJj(1aV3uGmltQ?!X@DopH>7$vd9AU@0XLbsN&u{EYa8`9V#bD~661jG*2 z3w3hn?G;yBV#%thB47roT!Po|5mZ@=|1nLJz|{KG#LOdXD79qxfncpZ8+1O%=ccg3 zRB2#MOM1;At7GRst!U8r=x7<_C9k(BpNm-0&EV0a-=MlYb~ozmfP7?X6+6&CJ?3zd zGc-4FfZVsjEz#834|_YFG%xVsl`Fl+S={K=i^EW-_1Yg9u%5Edn{e1X(ZNxNT_bDi zcnZKry|nA-WDp=2k%=PpEFM3w8cTh8xb;9j=s8>bLNooiCIEVu#tVOxI1|RQZ%&C! z*jL=JJaBk72$a_@H+byJIEc_O2<$0!!bR4_`hvgI3(hV+4h`$p-5!lE#hH3Trl>ym zYVb9}Kr2Nc=@7=`2&8zckDwR=)H8lZdcl_1?1kz3$MX4=cKg?@cY(A2jJ|bUdL5DM zpL!LE74lBN`@-S!$e&I%@037NkiB;u{nU9dSE#f~U#jD+Zy5u`^p6D^iOW@^g5(Br7y2;kcT&y(w@5ZSn$Dn+_7L z+LS{2=J!cQ(Gb-LJjJ9A)}3&=T3aOq^YY#yGo)D<|Dnqpn9MnC(Y)TD$9wgXBf2yA z@p)xha}VpOg2g5M=JI64;gS958Q;4H)YV@0jDv3r%K8~Jp6l85_{Kd8F%+$bgOUEK z7?w~PTo}31^a_THg{mHe50>oT=+Bied`E#7uML)e>x~FEM+M1IB9H@^0AC#%IrK6+ z$+!~fRE6}4k61hQ7sf2Vrc7}fR*R}hI-3le#Dj}_K>NB(EZadz1}mJc{&Uo~>Tt1n zT8FG&VUAg{H^GDi4QHV8n;TAP^KZFTQD8i9%%Mq_+T%<}bnmdOP&Tv6(o)TB!x}Si ztY`L+qy5LZ0c3%Fd~qHJDXRs^_r2%YU>jhI^Z--_XD~9fJy8;Jo(}0eT5yt3X9V36 z&HHWtB8{175 za^7)#0+v?2{xo4i${o66Mlrz9 z3kPYfysR)}eVc}Ge_%H^aVU(p4w5j{7_<3DE5f`2jR*b79cp2H8_vUz((R3J-r~ za``}nY-*xp0%fM`%84^7ig;LCD5R%sd3=sE1gUar72-nH8r2nE+1N2vq3Xjef5Q80 z+%|0U+dpQju(-@S35CqqQnR}1(PcI#*r@6lD}ne4dGn2 zIUPrEWK8_Rf!DMc{N$m-2r04T^Myp@6Ikrds0q)*BH;ciMdRE4&!}qkNa2X~5K{nk zDzh1nCPXa)tF>Vw_a;{a2UM|>kc6j8reiB!DFoi3lm3c=8O(}FKnf7$wVDXwE@~@! zz+0_jpdJb<%&n-Hc?iHDfi#1R4;iEMOSF(Ux5~{shu1Y0o%|;Q`t0nhlW2(&5YA|1 zq;(5dt1YrQu&nbCkJp}DQ^2G3o{wYkXqV1wCZ;yUEW^45pO43MHGiOO5T58^DQAd5 z-OF*QfG~|VqcyRX3>GX_%mncTg2Sd%0O%@SuZWm{`i z*BY74rbGrCf!gHk^lnXr#{GL2v!Rhs7edXBwRRP)S;`ALTQ2O4e>{JmTsg(%Gb~

`)pN z15h2x(MDeK(n*nax)m&hhDvB=*U;E&6T?s~=?NoW?~JfN#-mcWMrCF?DEr#$fGG4C zPeYT5mlnmQm`%oaCA)dJ7MM`Qz}fP)eycqOySlf+=cViD}4VsO!p%aIZ%oBiDJt$mfi{PlS zKy$vRrL;Yy{E>138#gm#gVfMRb;rZfAkUBiSym)5gFeAIAdb%@wtvsl*f3ZuLrHz7mBv*}ZY~b=guSy` z$?BlNC2vZpTXcXhTeys8*VDmBH&fN6ghWLQn$anyjGe>q?E^NTsLyeI%05Q`|26_z8=r* zS68$I@9A%YNu#2Gmcu39L_@B%n);>n_x#J+_NJHZ>KZ*YP48!$<~OeW3JYUe*4O!$ zGYbg&(N^0^6M!O(acv{VDE?p8#c2>IYe`QDUP}CC@0!c4dt3(71hTB#-4@1o)+N>n zTpaOsDt0T|exYhoL-`TddebBMIRDKe&m)TzXUv4s+nQTWc;!#X}*|tsfDw!H5FN0d0_Q> z47@s=cf2?9msv>N%NJD&_aXZ>G@bK}E)aPgiZ^mIo9@P1D1@mC{~XN}OR53ex@BYW zs-YD9jL7d| zMw=!@;wA{3OcBeUZjyBN->m+ARPS5gEj6cn_mow8#{RcUr-0Ch9-c#5c4c4SZ3ms8 zKoIS&yg;eUV`ypQq;9#|sk~y{7xd=YZEh1q zBOR$m097s$R?Yp^_FD56*>ni*`W8#*PieVZG%;Efj&Pk2X|sr+jb>HYOVWmx$mwx`rMaK z;c;u~1~kpB$8bw#lOYJ-dF-7AEP#7H$s=i9 zq!O*AE9`f93r>w|rRcd9}a&?S5rYAA|S$ z_h;Gv>{$UvF8yB$O4MqcC21^+_uVG@GJ5#oj*)cyv@=kVeOgfMru*2pv56ZIqO5H< z71vi#?AxqTTAdHdKctKaX`7?lE5pPa*JZQPZfTYa-NS{VSbv~*Y;^ENVJ0`Wt2*c+ zBM03|U%$h~Mm?w~vaU|7k}S?r7#3~a=Tz|qJVLy(poHtP;E+h-7~Xtyr!Ob~tzN{i z>-A7nMf(boCh1giBIE|b_^+AR-+ydDyH^ER%@URRxpE^LQkP^{_^(o_J663*lPm%g z0N~7G^Y81vT%W(aj3RH1k#$Vk1CuhdJm>@;mYs()aLB_jx*%mZxR?>(dAL6%a=uB(5Ux+ zOHvV*IJJkLdwsB87}NKkiWq;4v8T>Ql0?W0=z(OYz7H|P+BZ%jQNeVMh72w|p-#{- zB~Zk>w=IUA;T`lLjuapzoSc8LzmzxFHy!ULb>KHXIYH|{J^c+ldj9Y6DJmpYgWiAT zfWQAKYH^@-HbOg+&hX-5ZgZ@CVZqWwhRCc4p^e%#%F%@A8L&FiL+YW#+=xIM%2-ZtZbJi3 zJ#525(ZBBj;#-(c+l~`#(MCyi#z_5=pt{)buwscLHXf3i)gozU$thYyU_PO5)6ir% z{a_z#R~_sfVRlk#K1r{$A6TbfsL=;n4SfW^Q&Nm#$jEGk!vi1H8l_Q zhnZ?POTr{9x5k&t(D~s`32rc)??z?bj^xUBJbJqa47Y@z9`NQ0huI^+h)smDq`U>U zL+%_Iul@T`Z?_#-a~PEP-iF>i7_$TY1;7x-!J&c=+UXV=3?pJ)73Y-3TZ?4 zc)6Jmn^;DU!Ip01EOd-9g4CNp!D`<*nV5Pm21V z^_iy#d*J-^X3mB}{V2T0P?})5tMx))X*w$8zP^^qvrr5&)L<%$`3AZeD)Y-%!0Ca| zj=STLw)3zmE{zjd>_@Vg+hOQ(xjq*s|7c~0pWmGmbyF%&p{P%e#y~%0OHnOgTH=Zc zg@bO7u?m_B2TmU*ihWByx5+bfKHJImdk1@+Gwz;1QDQp3xz0q&#lyH;@@U2aUOAt( zPBtG)gq-)%rNHL?M2=D9wPVd8WlUd_SDpW4Kr=B{?Ks=KhHR5)ap0+2EKF7j 
zj>H*}6P#HpzR}~*4@ofdO82U(n;Gy%{Lg<2u_|)$8;poOB=-b)XTLOx0>3#I5U9lZ#ft)j=cAS;Nl}a^))KD; z-(T?{ED*MUWCm4$i|;voJmSI-7Va_w14d&1U1LV% zGfEb8Oeabnj-g{^{5qZWJ~)x_U*5Ps*AD7Z;mXv2zt%>4vQTOfA5>j=78t;EbVxZ= z-%^^``!?7|!b8eLx$RD?9_06kU6`2B!BnQ6@SxqRXF;?+Vt1wp^jk>i%_HE>PH~M` zmQBJ&f38xdnbNr|B@k(;uR5Zl`dfM01D6PY`KAU{8u{&)F8C&xZXHOj++!=WSJ#F3 zV&Zt*gdl*^%Hkc|Xgy;^vHZ|HA$<1fp(k{a)ymGqQJ)ycQ&gh5g^Vh#SNK)8-FwJ2 zr5}@vbgvz-$uD^%+6vqo(GwNBl)$9&E=x1B;4}$;vRuN$?oyn;g^C>5Pw-B()!;9Y z>d3BG%cfHq*Br3QjAnc07`IAkOg)nVR!~iq2;bbJrrI=fMuWN&CbwhkJA32AssO2+ z$g5lwo~Driu7643tBej%zn*&8e5X!Fo;^A@$fLE+GB$>YDf(OoBqF%ZpW3~~NkMTL)utVEbw4DV}#ah{Rj>N^}JEjnmY&wSU&JXBpx-BJ_AOHkJ@jrg&e>n61ef*CtJO2~8>NSqF^8x3Bw_j-778)b4F$hsS zo>}yaNmz9zX==iDw$v{w6VSJnwH!JMBe&N+gLcx*B!ZBuYrX9$6%m{2-+#8PTDx?d zN|o0u`~T+ZIbkbCFHqg{EwWGBO|fcU7w76(V2Rr7Lr@&`913XXohGQfwPuXqD186n zb~u3TcaE$lyrh{rfNccv@$mPQ;9q16X?tBR z4m?h}v^d~qe?MDWhM{TrCJGfEU8IKpZ846Y(a? zZzY$k68Zs|TA_>FfE?5#*22@)N5WXiGqNO=1LPwQ9iw3U!4_!)kjGz-I_NVMkwab3 zJK>I4jgP|j&xZbNN5IkxBolyha0E{+oZ17Shrwx|lc1&K98bCiFhZhe;_HCS3GOYu z&zwW_WBPD>apL-dk4}s@xOn<`%h1=^jR)u=*ohA<{f-aDaq@L{_I35%AwEhYRzbZp zSh~S2GLD7g;7}9@<8ni0M!e|8I-vZll~! 
z^5xKpL13L)^M zeMVY3^utxarRA4JCsJ+x6=H{G13HHX7YiUP0v&2HaJ}EcLwKCNQ$JWPu#+Od11v=> zFdUL<0lZS&W`(zEP!$Rw0QsrbVw0_Q2}SQJQl)H*p)}L@iTvxsW(ketU)HbK98!VM z4QMP&RNt2#ADZj0(EZuCMU%zkI*u_D7x~~BuVhjn^*|bvOK+Rhs{-t^$EXd?M=)BC zaK%&QLTCJ72U!;yes@VIE8g~gEzTVhxJ(v_*B!w%3YiWLA}lYG365Ub5&zmS2X@fQ zTGU~>Dp9e>upgR~Abmrc)V(Jm4yD7c^Kwd^b%iwTbJM>H^Q&vV1AJ1*fAXtM8Hzdk z)m$O2{}@#NRl&}A>y@EnC>OdrpP)8LX~G#=>#$rc(GoW+g6%OI#3KsBU;eb4He z!_bODGj<8*el9u&ZGlY;wZxR0d-y_314R&_o9FL`wjT_p!%tRR)ehbB79MN%>=uEI z7-P(P9M7j?0Juv`gEM)DK}~Ulm_a7J&=<8Kg6{^tg|Kkg-qVX?7Cuk{WjGHY3a`g- z`ywcnzaFi@JV1>m#vsSU=Co5d$P6x9DKQ2}NLG!#s7*f1&QZOI4oOBga}G{?z0Q6B?91TLNB{e?Ca=Y@ON5+F@e zK(pFp8SCpBP~1Cdi|38ZX%vOJyBxO<_|=Y60wQhij(xPJ`6a-QZktp_-ZV$>LD*?d zXK4^&F!z}k~=BFfTVR z4d7C^&NS{gmEv|93@f3% z45sSyV0p+XZ~XaWIMpA9rG$lXsIr9sQfGGbAL5juvEt_}pVeLQ5$*}r;n>d2r7kIw zW96a#YF^k4yK6z$!Y-mp*g{|YPV_oM8i!KO7^1m>NWa#5;mreT=i^`yKZ$z z&5ZNmwMDmmOWGVh3lwI|O@lf@s_Ig3y;}9;aDwFD8||z10xC2f?)I$l1b#O^+N)Xo z@Ax|1EH`o%Un8IyFTwB*X0?YW-p$|rm0ydU9MiB{5OyL-}#wMeu;z^?O2l zi8gppc|H(_DG4>;w^H-vKDmGto!mFy>iYyDS0qjLxCX^ReLW&!NvKSQ$!`X1zU`cZ z-n)X^o7XIa=b}-Jlw!e?)`wa^8DrkoH&Z7Fh@>xa#`xTZHJ3Qw?OM8z>Vu|ni!m=8-H=uda3rMe zKNb)1j~QD%EY)Z>f1QiAb<&rDFLe~0QOm&%z<3Q!>Y#Z!d-+F^7j--$!zd{+PpMxD zn6eTdSEE@M&Sn##46{wB+u7N111O)o3^zgZ5MW;`$_BSVBq`#03v+$UDa-f?ip~@L zr%D_KC0+IL-UU6X9vibD1v)cEsq&f(FKEzPd}42kks_=%UB&W+EDC(Enj_otRC9+= zjTygBjoOmBK2f^BhA35>XUs{ws?-F+51X>$O0a^0Bp6nn++#|?sn$gIr(pA|WhFI^ zW`D}C0lycPv|Fl@WTFq_0b`(ia-w~dCcPYYYT`uz%bdvfw4#e9DG+#Kc~c53@Kk` zmx5gqO$fU;j7uoZ;(>4{iyovmT$6C}(6hLFV<6L2UbZnLmela12p zT38UC!6#sqwCHzRKie;VGoBGazT~E#y(GQfWuzA(v87L|bP`w6u*|3BL`ggrv4c|V zSwp%&1@EMigIOL?6`SA1l!`_C<7 zd5OfND^iO)vvuNxkLQ2N6+i@8c1d4S45?PA8-JdB825(zj>3uYk~~qG)v*hL8+Ai- zKC~I{Ej>KlVJKG#_7(JE6qzxeD@g^HU^*@Hi8vtfAG}a1)v{8%PUQbs#mf9)ru2lV zW&qc0GE=NxKT9W98?tflg6J74KI}0oelDGKr}fO%mI`x!clA^Tb3jY@WW6HvTqHR$1=s;+$!r+EQ0$q(1%Np4F&UF46!K?s;(swRl7Rm#u5>-DKl%-SsQ8- zkUdJN_)0X7vMcHI1McRx6&o#? 
z^u9~#hR_+G`ZWR;q=TUjyJ1{z@-7BmpIKwallf>m!Y)LlMAtlS;zlN7^mfc~|A4)H zin9Bl6*nn?K>USc{$S@)MP%O&oaz!oN}hNqzeL?APN&nKtXt4#T15%oz$h6h6_=VS zX1JY?npqvD(lB3=bEFx?quis$qjjyFBKGcTK9jg_TXgztnQyYqd7 z=n0e-BFEf(%F2F3T>&`=XYB!J!n9tNJ{fAq`cxO|PN6*XxV7!|n=MFz3nHlAm!k+o z8x3Rs0Le8p%>It%n6yUrJ4UG-A{%bsz;aYFIX_tpgw`;M&rg+Ic%4CuFRY>O72gZC zVnpl=iS^!ArOb)ZwF>2=UQN1Ctu?qGaEsQXfcr>gTW6YNe zFl=`LfjCMSRG73xbrJax)x@uOkdYoKEkg@r?xZ0P3B5+U?=!6lEXqY%(0;nmT-h1V z7^tH)%;I>T`+j@v2B09|Xcax!-s)!zVUdw+)ExeCu7{=_Xdaqt2j}vxrA4;v%CXBR z7#Mh)QM*$&j}?m4&9e2Hgnd*wU>iO}0!dC-@xL>+tWx-D`p^ZRVhnQ?aO=`SLl7T1 zN>dyj9=QZp3I&m=4S?i(I?KOnmK?~%8cI_R$RuOQZ)f!7%Wi4XY7FFrIS1BSUaJ_q z$9L>RmAqW~@UBAnwZ!x?Et?dKvSp6!J_5MM>kPxdXdg6?&jgj#4q@3OT!02<(V$z^ z3^*$~Wt00okX^LHP5{C;*m)fKIFM|coM92$TpkAZ4lxkeVY!KIu z~m@RIsyW(!|Z+7BTfWejj!DAsBw2v0^2|-onENV$Y)Uv z2l&gzlCF)02!F3o3D}HxzQ50t5R>jd9(n0?t9y+dVXB@8eEF)Gd3U-#Z_vKkML>A6- zuf!r~QomWZocDv%USFrD`90iEVA(uB*MsTm&Sbq%Rid!7w)o#;Jwq>!@zI;)0zpP6 zG$A9rfiiVyY`5ca~#;!zg^aBmb|WszMX1PDTrYYv8%-x z`{VlCJ~RBxUflk-sOg>EQf2zTTGf<)N?)@76!dX+F|so?ax(qjKt9Jh*Y*dT*nejY zjAs1S)QvNQ3vMPI}Y#^jJ=C{&g-HbgED}HW#f$2UEGoA^;agkW3dGU?% zy7Q-P@LD(7^cB>wE>tgky(@Ng^trH+_(WU zf#T#Xp2|=T(U718%3z@-eFZkw>Ab?#+#x|&&Z(J}@^Y#t~f0O z6C$FRny;3T7YXczH}B))ol$iEg7dxR=XV=xw)YS0Y_Ppc>qd?h<pN&^ulk z-`R0@r9>kA?PCNR28x+QCLpot6X!(n91+jzt%=$=2>7queveKf;LvLN-m#+n?Aym` z+hR4qS+Qa(r@~&jbH9CCGTy+QG}|W+uzJBA*fj+3o!qnXF^}Eo&cp2k?Ax9_9E5yv zuMpy6JV8I7{g)BHqQNT}#-l(dNaeSW+#@r1L-<`Yvc2F{SdNFbNHSBMD_h=2d=wlK zO0k$OkrBEzU|yp5pkL2-UoN!Z{Kxe#os1kQn%zU0$6`0Nu1;*m4O<` z;YqZ<$%eWib0e~_r1*ZM0PGOW8TJ(f4_uFtUK`BvV3>s|6l~t9dS77&4?b3Z0wbk9 zDb}<|dSAhQ3XQSe7x5e>GxGd*F~u|0AY8wc%2L8Yvx4BU=mS z&J3dB4YFg^4^2Lc7Hst0xHV$Uinrff9N#bDxTn^)Fpv1_NuFT5G{2HL0lCj(x6f0~ z5l64fP#Lg8WDVD-HpadZj=u~aHQG9Iowh0gBIYay|AMjBiu6krqseh%EucwoYY0s* zh-BU_mGQ=S z1ywP5B!1+^)mJE^g(l8Z>R_-eiPl~1G|(qlS?InSk<$1sJRT=btom&j@})^_6Aua) zECabyBmFUj;|{{Efp&Tv#P$lZRD|l%>Q&&YkOaHxKGtW0gWrXi0H#n?V@xU(6~A$2 zvGa5~7Xbu}i2VqTi{0(jDd4m0BeZ{kf5bMfGYIB-hf>|;k^`Vl7!izf^Hi8R+ozlnJ4nKlB!=?#_-%tfWd%zC 
z41`&0R_(kjLWLyD1I_&Dj!qwpLk3uT?GJBkoLZY~y}a>ccY2;_ zUeJD?amjDA31d5Y_9Fo5e@FoYcUZSuMZM4Ok1CV9;j=v{U$X*c7ZJ6?DgHU|&4g)V z8y$59+lvm0{fZB`LY8!!!l6V0@9A2-vAvLDKX>GOYxT&(TqlEWja`?7j|NpL3zx}U z#YP_271Q8CIc?>9b=RRdqUK*zq|lY3g9(R(isupG4PW%i%k4H&EancKOZM-WT4IF< ziq@O#){(qk2|#C8_if=Dxl_^OdD_S#cpQ@;W0xlsp_}S{+Jh_9fxRjfCNI*w^{6PS zE0lA63P0}o*FM&)B6y^8!V3<^Q*&Au1>@-LT6xjt9<4!p<#EzAL~!OGRSy-TB?Frz z^vTIKGO8jY*o9StYGvtFcgOSsHwp_Rfk(%N+l)dxO=0YuzlU#L#9ut}ZG>Azb4Lie zY8qL>;lfVTb8*z?MW*ISO5NwNmrT(KV5$GwDv?aF$?NW55XJkrSsou4+_M}5>#|94qiYkI4-Vk$N-qs%jT4vT z74&v}16w7!nNy7Yp<2$VGG+c%+@rXbD`>aX*xy=~Qu$UxB?LkvZZnc5!$Vw~PvkUg z5kKG2MY*WBTNKT@>>wJVN}3_LL)7qY9?_`go*%Dp{I}5SihWJuFXzbzgeEJ zwMUSgyQ#OXHTXQ1Y@yf(h*dzpF>#am3K0@;$#+r^RuxO?8v3k&ppxFxTp;leVjBql;-73U5!41 z#}oPu)}pf-8~;vR;_!NOZB2EWXz9|*E+;k8YFbJY=UcuK#sjePnwm zttYv}$-|Pno-ZtDG<2t7_E2u}BhE-yw-BZOEC6~FtPS13+$e9%jhSU~Qxjo`Ut-yS z+4Tf#qFCzJoGv!B4Ky*QwW}xjJ}i@ED$q&!=#%^8_!;vlL8oPxl-fLs=jyZ? z#7K%YQdTT(5wf}k zdYM;~x6zbE9kE~b9o}x(!NRp-r{Z?Qm;7;|mzmlZdL&{Ei5o>Cb)uF-9@ELw2(^}U zl~5P$TfhbgG_#Z|&k^n4-Z>Cx2_G7RzKH~|h!ibUbAfjKi%y)9Q%|Ks2lUW1RonOMMHtR+%+)^JEO^n7I zE$y|);_54x8o0ySXBZ3EUh^Gfh7iIitJLy9f1*!QoK`}8mg}^R zMtSg0+IO#yxZLl;;##^zrz{#BrX(nZx;xJ^-etjHQ8493WBd))bhOGDAB!NV61X^K zm-gimH$4>bv|+>vR&%K^1`A)iLophdZf9cDe9S?B$+S{T;|Z6Gk*46PK=@;I9!0H% z*^aDap2CV!m2qUAwa}3`A8gN#nh1ENEe#pl#7{?_$Wr-ck`)dJ-WN%%_`4{$D$msQ zwTT&%hW`UkUw3IX!zN+cjP_|k>_SV+aP7QOuQH1jeA>e#6d@>3Z2r9oOjQ?Q^!K?w zHaP33?#_mnpZi$w)KD>hH{;Xij^e=4$>-ci0tSw-o3E3_N5mVfqN{G)m30bZOyar= z$WgTa>FWx~d0GYd`29dE5Z6~_ss;4st6>bPw7JBYTcbD2s^n{&Tz}cTnP6DSEIXC? 
zIGD+20PGQkbgJRzYGyv^V=Bv;P8a{6;CKE*lbyf`)1fAzXFm8+&n@m_y@>>Z6iXTm zW}+{iS8MiPg7QhW3JPwupd@%zui?eYou`}=nZn0LrU~QRgp-P=+u;)3dr;RJECT9^ z_D=pF9Lmzal5&9X1qzc~lFJ9qBpa}JDak<9+EfyCQq?NMd2Q}^{I=8ouC`Tnnc-?1 z0SHJ)?te#hyBXP7ni{#-J30Sv_MU58YiDeUhsSdbS*l|IazD&?Qmtm)0V%CB*%W`E z(`mEMasy94=@k8XIBCwLf8R~sItC9R=_h?}3VYoBY;pPS_T$F(_I9q`oBt_~8!jY1 zRQNl-wNCAK*>ksL&)Pe@RhJ{{W3Y%D^|$qnXA<7fF7JV==M_U*V9qS@#R&G@Qrom# zI15%&qzhQ^E*Jvwi9*KZomjcl^OHhNHmGpJe7-0LFJidO`PlRcK1>M75M{z4Cjb%Y zFz<00VQtI($Q0_kkn#l=slkF=lQhUP0%ULM{GE&k#R$^1d=LfLef`tpN;*4NO2?zn z5SMW<$$=afh)rL)Z#80EkYrH*6DUt&@%2JhvI1eP6;jy4JlB*Iu736ls9)7HWDR24 zz_1;=pxczbf$O?c*i*bZ`NkMvQ`YDpySe8rHEs{g!t`k`xD{&QAIW7Xm^H%u*O}; zDk7rcC&bfF)tm_N$q8L7dZ=8%-p(#dg~9G);Hk1&94f!p>P8meKRdd3SV%|Kv;={7 za(!<>Zg&a$ z9<rkQF85C4^!k52(O^4r;1bYz6FPRDXtQFG_i6_?L?u&D3Y$hvE)4qpNy^9 z*kb2Emv%a(2NIha2Nv2baUC=1q!)W24lXjDfc911Ax6P?`vx%W6CY~OM8Q=%IXz*VG*W8ZpWpPO%@q? zj$>->znK?+cXPja)gx26&#ha4$~&+cI|DmTPS6miVB8r?NYtnu+50gnzv$@D60Z~! z80xNg4GhhXp9Adqqx%U01u$pG?!1q@gLcsUC`lruNzTQ<)rBsWTP^p*qq`%)&Xa$e zs-a?$BSqt!#)K~jidGnGCu=WWM|1WFEx^e4hQT|~xik}K8qvqL3iEiohCD&L-x-m=^{0{8kafK*|sDzv@YnlC4qo|uBy2bqL)uGW* z8XbgVgeLlepL-(|gBhuB3^>_)j}Dr34eyHYTvY(?Jnct39iWh$OJrwc5Z&@vF~$!^ zBJYR-9Up;$Y}6h=aO_rqG{%)#9Y}!F;*ld$Jp;F-Y{ymBNR5TknI&>w&YXz!0t5G2 zKHUa9NIzj$K~$tWjNm$lx(W&XW`7%K0cyq%tRysjr6i*TVZBfU>Vu~H6GjdLoL-KpgsJbi@PWZx(K1qnEkGKq`jO)vJ`&Lc=Ku{T zO>ws6&Puib)6!kn@1r4&lE$Y>P-Au^<|FiPLRVQtJ@_z&^2}Z}5~IMhBII-@CR^*T z$a$QYa-ngonbVKTu`V(OQ$SFH^ipEKlY84REi)csYMqjkp^0+@bA(aANPLgL17_dz;QcC7h;it1wDYXT14>CBhziSwFseo6FQ!tmHe~L4}+lX_vEW2$iZGUWUk435sHh zt7j^9xhjGpf@TcBmL?-uQ>cyV*xSo3eRwYC`o=kkT8X;0e3Qe3pO@&VQ&*&+srK}? 
zv#hLIiBev+epWSk#P@TxK#@^D&LjmPt4n#d81d6k26l(TVG)H1V7`_*tpFz%%P-}) zj}*k7C@nH5p;Prewx=tQQo=eRNbir+Bq^`rD7!v-#4!h@l z22>1@U(N~qm?A?jkAYe(J=*u{u{Q;AHdWftR3SG31pxGPME3d~o>E7wWJg*eqSADv z=bW}>s5V9i)KyxY4&kiXL<^bjyXTSVUrU|y6i+}sMtd4|{yXWpAv(%$3*{_a{ zn7R>z+->r|g(3cc(}-azNL6jv-zStU=<^ap1Fg1cr~SF>I1LB*K+!ox0&P%tS-eJd z_c^=+(({DwZ8r*jp=U3Ew~YOa_GAoY)N)&2>(D9UrmM#|6;o^)nglkx3(s0EB8qG& zmw!(y-U^;sJ>`@KBJRYtm|xZIKM_- zF9qorFlgD#ofX==xDxPhb9cDA>U0(Kmj)0drRucYg)<0oFG-iwIpp?5e$O1 zf4Zq<|6MD1=s(LYf4mvjxnqh)dXph(I5AYq?U4jw9_FEqJP4(!YQ_ExY}Nks_V$Lz z^_{9}yj?(9QZe5{_JLUQR4oJ{`kPPW9SRo)`GdB0e;Rog=Rnd+G>Bj}QRT6S5<=rY zfTgiedtM6`)j_Ro4IyL;i5{!Add$7yWV0VhRUT0F5bQ0sbdX0xH*r*SOk-xd7B&6o zsImfLwP2CjhEmpe-!B~0o;NLj{+3)GCqy+jR(1N*8el3`0yVt4F7bDX9Fe^Jx8($G zJ4^cmx(6X$EUa9QZOevZFvY5N{&hK?a!rXZPR!SN7+FR%H`>X3CX=*@GJBdh>p}b+ z9ib7ovss*-yRy7*yxpp@AH=gI%5HGXsG^oxd}AMx*z|EgjmcFALT)INTE?N*gH0~J zjo8t5Q)m@GNd|sqbtR~T*eq$E9LEq$v2Ez9h{=*WSuq{?2Z$GaPPW6rahxMmzP>m4F!!f z!CtNYzW;%7{N-9#6I>lU`v?Eav2Np2<7+QUM-x(Q9wkUQ=t zqEVoB^vLXX-p~t|X3#I`%V&>wyAp!VqQ9GgTr^b7-Nj$nyu6sEs6)_Iic2qZ+#Fl# zMBg6Qd=7Ol>qHdYGagTb=X_z=qDeDXpX#YR*zEf84tB<0R^92sw$;HLFjwI3H0%Zu zt8SA1jJMa5BZ*Y;dC08YwDKD4k<(jukyAL9Sa~P9c2!w<5Zl3~IUnyamTqTP#)qk( z1W5Im*!X+Xa_N%4zU-^lw`@sz`S39qgcPA&5A1 z33p=sdxf5xFJo#!&CzA*0|4=RU`hgf1xqOC^`8j>5tt;S?h-xYbi6VIF}K4#!~G!E z_O5|@d%4+^gch?Wa6m+FSCnpDYEv)5S_-41iVj*5v8W5*dk1qVoI;rEIfOftrPN+= zZ*&Ksm^CjIfK_JE)u)X29SCxlDfes%iw3o$4<8o6e)AxlX0)wcYj$Gje8v4jl*Wge zer1{%mt^FmUQUPS8I;dR0gTIt-z8(pTvKW|1=x^z52Z~ zQsK?z^LPX36DsU=Lxh-!EOBv*f;1y9?|pG(8A_JOO1%Pa8CB0`wruhP{Xp3W#J%i| zP;60Ebgk}26oofWBdP^`%vMwQ@qXdy|0nJ(5T0}CKWZjA6%i&ATc#BN*AgUrUnARZ zJOZm9mp}I-Xux03iE3UVzqhIki;7xHPQdHnx(!lq1`=yO2E-5{)@{(N2aJajm@h!YCz@?s;i?EW%S{AQQKVx0+L}|&V zt2@4=TN#tC7wvPUm`R@set>SDWwA%websDd;9KBM>cHV{+{U>ZeH09f!2eRfiVUkD z&xGsIFXa^hUkrl)lD`Ah17Fbp=N(HDQe8jdE`aC#RWO?ljCPk27{vg>9as+Q^1xUS zPha zCB9anbwlE^L5!neDWHv<(|q2KGGHhkh|(cyg6OMz#{&Vg8!e-{|`XO|3QBDk+!c5j)dDTS?5=oWM+zJWKwGy zl}-z#Qhr(=vP2@8SR2_`T24+Tg4xKw=8g1{Ze4AH!h=08i}gXlNRj$-Aoc>9qUxYE 
zzQYX>l@{;=ZlNW>s#7T3G%_M#%M8IeK`8w>u-(U)t63UxI;xaRqzIl)MS|A;Ap*vadqKg7WpW~?U@b~zd?zN!bBP^m`bkTY2| zbX7OCOO0`4!A7u$D!tv8Tq>vB24l|?kcl?5|GycV!=uP)?q za4&*{PfMDF*cLd+q&mO@kRF^ViXO<3&<1=-avfMxW*x`_;x*6%qnhWMPozUGv_8|l((x~X-T z1l=B<4mO7K9FE7w1NSYCJ_n2AYYr#VtZtqzcZ=iwFX!WH!+UpoWam#Zx=sCzXeU9a zx50R&wV5bU;-^S?(6d2y%RXykO3s#iZ?R#3AI6yyTUxo9kBo@?tY1C_K2Cw=#Fi#y zK)LUZ>lP?`1lr%v+}O7IZggSyQCnE`lXwbLe$aJ389kF+7QA8G{T&yWZAHUTJ_QiR z?OKDvc|kiZoy~x6*OmvWkJOebMSob3V(A!PI37>iti zQ3Ax!*8>6$rn3yaU5f!?M7(a>e7>o$FQaAB7+%Dbpli@R&_Uf|A6H_V=UJxj-#t>h z&d8~eQ}!`^wHUXA(4cn=Ed>>_Y&#A$`tr*yFgUH{4t7Rh^9d}PC_#58txUQrDSwu} z-5Xs3U(2iB-Gxr{*O0ZywU`gzO1^rFgtuMMEphj7p1`XRKOuG;SDs=#u@Sw0Lw z1`N2(`oZV58XVJd*F|F9RbuHgb->^dG9Gw@^dJq+7}}}QQ{QV-!8D5#$y1Ls=qxGn z@;OqEQiSTl)M8jO_bI8B!UxO&l3xlMa2$u%k#k^cD)~zr9e35`^dfJm%Qn_F$j9vVoHGMNx z1*q$)9ES3na);lY>)KF`1O#*jhNwENcHP5pK$b&nW?2IQS%W5jF{s&oE=Z?Bm$(Ey z_?o982LIaJ3*@yM1A{-vG8civy!{XwQfQ23+s?*a9Hj;;#*Z&&J;z&qRIIh$ArKI7)?YZFJoy0L=mf<1;H0S`#+oh@(d_uj?sINQ@s4#}`Fb2tzytv*3Z`SxOPdV?TFTN(K z=wABRUV1%|uWFZVUkUrBsMzNZxr^A`;wQGti=yM=J7?&=puy-s(zoPYs;n|JlgtH# zV*l!d8_}*F)vNH#ku)I;wwRzPh$h{EvIcVSDH%-{#l~Vd>olR3=r-CG(bM}Ul+T_- z_4GFyk7@4}_&sK0shU3HiFBTyiNw&lgl5{V$`~u-by-FAQ8Zfd>M_dFX}b^;;^Z$- z^(WBP+R3HE3$q$k6=|RYuwaLZXO84idwFEgSvH7V83rt+R1P-cVVHkTV@%&d@y35s z6OdqnVg2o?!*3W^Nw(RTheN3aYBJ%%v}!@Ng=10JnieyI9;aM>?fDPDgg`DUsx&sr zhRa_V1duU}IT$h2WC2yjBIxl9WOC}?aSIGUwN`+=20y3(M=P-Mp zE=J)&%E+Lw&mO;uL)%RS_y<`}u?;$u2{#~m&P(xSDORIYecmVLTcNVs#4A@SVin4` znGR>@lIC@(f*DeJ>1I`0NrN4Pwi*4^MqRPhuG;3$Q+A<<@=;m-(n-%P7bB@%Q$BTW z#;xgoDI*jOSr%?^VY2FcENYx|3cRYf&E}w?Br;N~lg=}w8FI1@kFQ>p!F_%!jSY_i){jl4TwSJM<WlvU{C;cQflv(y<&|K=4h4CfL%vkwiR-Ntswpbk9e3mT2Z6*`*%^`Yl|n; zD6ZavNT|{Xqc-y%q~Den9>=YK-}c(wbp~LxQ^kc`=z;>ncg-GHxe>%2X0-Af$fQBo zSW|k+@Ke>27yp8q2eNpXKK1>Ctu+Gn1FntJY{CJ!=`iK}ZNEp5cuLez(-;s-BMQDB z4uY)EX9FZDOQ|>p;D9&%x5-T2^;dCA z{08zrybBy^yC^Jq#NhL9VG0|V43^rJU8ZRlubyAI&y?c~Es^033Cb1%germ>R?{o3 zBsW*9*YeUqsjuSFi~9p8f~ww|lMtZ-y!FXS*7n5lFRN=+{`uvoyGb)Shlj@6xWr8# 
zc4VMU$rZL+nOSdL&YUTzEeqBHwCeyUG&#m4PI8U)|g zb+X;=$jJ}a!M;cO5~T@n9qlA?X>TOdC@`ixqHAbwb=3lL7m#noWt&MZ$X^Ol-grno zE=aqyTy?e96F(bSJitwTGEz#|_g8CP$O#zRMi)B#Fr$N5N;@)hQ0!|Ly3uF(Pyf7t z1Ktt0Gpl^qqiEh5vNg&I-E+hYS5TDJd$53iC)X!Z*_na#J{3M*8cWYmP5Ld~e?r#C zTM8j0tM`W#+RBSUU=wegR>c3(i*rGwf~6|;k%*uSx9*rw+; zsTX1-Uf+PE6Gf;>5F90gA$EL@*!jl+A-J1ls< z)QEa!S`m0wd4aX5iR;826PI)~$V6*|7-B069j){1UUpD=GLJ3BRO``fZnBU$699{@<4yOe@<~dO6x&Pn3HvgCbi> z4cDijHHO!i(_cSviU^*hBJF;P0xHQLYj)TZ?Uw#%zQbMnIM)3Y{n3&(DKCJ=fyJ!)ceH*MZF^{T#E8l$>h@)#vA?s3?UEti0Y=$psc$o(!y z$e9Z&TFY>Z{f{sEm~1}OT`WPuV~jDVc-i3K{L6rRS!q~jGIZiM>`*wdpd>hn(6X_a z*w_{%bQlRNKQ7TE`-E6f7g9-j!C!ZWaNumLbnLLLAS40tdBQY2V;S~n8Z5g@?t!XCL2kb9SW+pv)-n{n8;)+i7I}lC4h*b%jHrhPFjBA!`iSj5Hxn(d@$C&1o)~ptGMvv1Ph_{uSmehQi0d6mk$Cr z#5y-b*ez1ym+)Ny+KyS@=gi%2{d*T}%aWu$T&a`n-E7o=rm3jZw_-B_Jie5LgzLSy z(%@XyxK74uHv^;&#>g#9@E7uVA8L;``u;EVMDq}J4(=EE1rHVbZL}OtKk&^)gS$LQ zTVm=IZ_f8whNhm7tB~)#K&lvnUtoD_1QQ!)r71{r_j|C{`i$G6%v=a_0VTqHNgKX$ zNq}9PU&{6$@l!lps$c|O(x`y5{m^rT(9MH`PzqEp@s5{VtTe33FRF>>!Ue>FXJ4vaEFm5 zF{lX6(ghi+E?0Q4a;|i_d%+JeKidgpDf&dcb)cropTmWYR;x>wtC%PlvV^wX?nnn_ zQR4E^S)+TM$Y!N!;emO!kPaH{m@>77t^2$H?!Xf{16Yj5yZG*8a^AmHw7WOU2ID(x zRGY7~Ikgj*$ZmiY^_%TbogXzeVa0#ERrs(870E!71~7l(-+3V8C92O9{ZDe7L@yB=xzboy6ys7Ar*iwMvJqNkGRseTbGgd6mVowJ*#2clqfhD&45)WJB?h zW~Hs4NYWhNT0IB}Yv!RyK^^`JE~}4W$8QuJ zd6*WJ!YkDUSDNNtYUb=eOO*Paf0UdIVM%GsjEhQbo4K`|ur^hf0+PFZ|6Y3o?DSe& zYvEy^3FfzxnqG=85C6Dob(Zv7>_u9)H0Y2R|1ctGyGX9V2ypbM0_;RMHPnZW=X4+V!TP2wNS7%S->0hCAu9gjTb zAl8qZ*)JFH#|SD`@DpLzGRO%;2id+!#J)N{=%9~(X}t>RFW8CFyoYN2V?=6CaS0&%W4Ny9>!~EyvWd-!1>t=4Uzvn;3PbZ@;w4r_X*05@N|jqemDPADGg+T05A2C zX77$#Q{UTdKgpug*3C@{d?tJ=&@o|&Lb#nS+R~-;^KFYF!;Rfb>RQC$ z3Wyd&j~Hm^Q|Fmn+eX&qz;8D6!wm46R1ME#I@qok=##t$V&z3_qJ|^c2M~Y_VrM*BK&r~dFMu!j_B5IY>~g5*J4cRFk2t( z;!T%C{LjzCZ0%MzxQmT#?(f=Ci2f2jz8x>?zh)1rq|M(Ad>{O+(Tt+ebdJ+`^=YH1Q zEvp={2RUTtX5%OaPFJPM&BexHiDDtiB;)GjKz><}a|*c*;7}mI_ZNcitZ(O2*LUs`1ZFZ)u~GeZ zwr;NG7B9BuuE!wiB>oVxWQi(jY;efTxyfQ@zzF^|I-#5_zU+>2v0&n)0TE+EmWOgw 
z%BH4#B=Vv|K>EQtioliq^y`T5O1xT}tHH^jq?8vc%{+KfpC5}?iie00uf_+dT`&AM zW!4}(*wn~GQvtE>BdXbr*eb8GEw97|rt0mca2M6gH61qVpo;Ob_EWHh*Q{mxv}H;} zP&7zj=;0zSZ@ry>PP^H5gN3o6sV&53#Fbpv1QfS|zfO;xqpgJB%)CF33t(Rc)|P*) zq2<E7aq)jA?*xTKq*2$LaR#7RUZ_ezn@})suq`wfo^* zo**)szAFw^^ndr>;r`^zjjTN0HFq&qzYXxDzOe1ZGHi~+y2+0XDQ|BfYAe_X=Gh%{ zG~Zpkzdm)@Nj=b?Y1R5DZ_hb$#I{|)iL%lVG`Aj}cOD=d?*UAjq^c%oEFPBkL< zKH1;ZH5tT=!FQ@_>#=`;GQiJvWA{EgPsh|X$UQ)QmZgJ&H-N^6{i?0&;v1kvjrxK& zcyXhPZR2s_~8nEz-5ZY2I-#FB49kDZSh9^&> zA6qnoZ>jwA16Y)zSAN*Rp$qsk?Ppax@LNqK^yZII{TID1U7pFs$m*WRrO_Bp8>Bi?50-`Bt3f(;HvouyvVbqB@eOIzi=Px zR3`_bUzJHwy_kl*q(ofq3{tuNk#lu4Y&i1Di`IA2w z&F_}Kx+r-sWs7O8v zBUEN;P~+&Gw6QOG?maf=SgL-SdPip*VA9Mr_e~D>#6K0qs(*6SRobec#7Av2DM)cb zqm4+o_XD@T(xHYOu^m#IvYu=wU(nFy2o2(CzCe>qIfQH9i=-oqQ7ivs#A|5|QAnm= zDPMy~F(J?;lW5t_md+sPJl{^?QS8z0=0NDjXWdkXBmmH-@as!KyaIOZkAQz;*S_UA zlelPW(-`5452R`%B-cv?Q~V(Qor|(@P*{_<<87vcC3J_1RSS3V1brRJhzNNkxwt3@ z8BVc3^|ZWue!t}1JKEVs2=R*xlpa++Gv&qugDX!@XOXOH?cN zzi5!y(W_E{Spuo5p282xz4#*DO=cDzCZM=&8a32ct|$?@W3OIM`3u|(4ne3bU{3}; zx`8G-RF?)TW6J>XpX7jE`7De$Wv^U}=7*^m*M5;?iwj?Q@T*~`{#fA~yLlnBqBF($ zmTcXKc2+UWXIcJcX45Csi*I&r5!f)+RQ0ej7bOZUao$!5k(&%khxpX+zg168RW-XbG{x$e$mJn3G-yF1;5uj7*e zBqCx{E_1g99qsWeK=vkMstLWr@7v+^v{?a{kkOo9%WnCD>~VaJ(xQ1Ay4#Ip^n|Zn zyxUFsB6p(6$LZQ4<8kj?!i!MekIjee<#E%jerW5#Tlmz63{NU=#zIf)u5nqxR-nDY zgTiIjlp!5=JmxePTP}S(n5Dq(3f)QH#!{OwbD57-k zK#Z`ZpmEP8w|~m9gw;!;s$FU8A(f&l1fQFHdZD}IMt>qkXb_+d;XR!Cp-{o|v(FeeyIOw*##qdX{b zy!B|!Q!=z<^qBT1UI>RtlHVOGPFhfNP}%A(ij2+!MbJ!0rNHW#ZrZQd>KB`5?l8?4 zG%$q79K7IpQ;`b02R1N^9Oc7HjmieEG7rNn+0R77Y)QG8e~EbRi3~j74%h$?((db| z$F;HzwSBjT7qxxw*oI61Z(eH}h#RpTV~Kg}4}0E;EuI0)=2DjmwSDV7BTY#x#x^`_ zAzZNQKV%4T){V3g!m@eC=Ls%1Bfl)|hSq_?9akJy&{74W#Ba}FdYMm zgE~=L9ng1&%>EvcKu4cV4@zdW^VP3ovm>&iROMV7E%Bo;(mqW}cP)KH0HXr&XX{O)ITVvJ`>QfGovftf4^0+whxcO1N0O z&;?~#wAj4RC4#*WR*GJ9L%O&n5zN>HHP4mA1!+=#fKT+CM42 zI0ltNxY%AQsxXJlJ5utmXoqYuHi;f_%`A#ltfYoiX)Q8`f;VQkbB?7Q(i!PIMMpxD zWO0_zInn$!$#-kS3jRQ9xO1B24f2`5yZ{j(L$p)G{PS0#k7#k6n2eGqUFI+cSxw}V 
z7&S@e5C)l#a$=8hgQ^locy48h6adn!X4P|mAkDSGX^Y7F9rr^6P%PtquR^gv&j)T6 zhXhVeshNs>VkZH<^GvOSEktbUcRS5Rjw?_m`?0GBALWC+_9%tbCxW)tA=WDBz(`623Y}?M9J0; zbP}QxMK1DM0`_rHG{9fbh&!tqeOf|&xBjZWd)GR6Y8<(+ zh*_D%smo*67yRAjyX^kI6Bu)|+CqZAfxoK39~=LtK=@zgsS#swR$Ec<_x}_u%xX&t z{wDsa4*7S%e+x2K|1H?sBY=+WoZtzM2~%(e38aUre%i_`@hYfI#d%z*p&MSQ4jL+{4lfz-a46$z*qQQa;wz{Q@13U! zGp$rTD7MiMf@<_vx(zYk1|oQ(gL@bb$9+)DRfpqNFe=OLA};&614Ipq>%B&*g}*67 z=(9}WBMWptaK?7xJ3ehvr*ZU|9Br24%{C&?Er-(`EU??zC;3>DbwE;G4W$}T1!nzc zDdv)}jx@#SlEs;leNxt0NiVr4Epj~;+AJnA6;)k`Xi)KCCyQ4NcvMbi@5S|}%Nf<4 zEDi^B$uW;vy|o*wl?|>jo60WA?%|D7xOrMByRvAyW(k5Ag?QH@nODCFV*@lS;CObi zvcngZkk8H>&Sc?pu*J+|u2Fryokl8?C0H1K#0X}wdRHL&+onwW^H$J4Fyo_n5I(EN zpqU4$tq}Y;AmdC~zECd1v;R;#x?!HM>XJ0)9`{jh7D_p*$l6A*q^+SGL_CS|mHJOF zhT-Ty5LzB&&BaDh8ye_ssEab>AcY#5P)C*+CyqUhno!%y9Tr~|C$36IZmXDQnaqB0-GWhi$Pc*r0IK6jG!lvPp`rzY|yw-!#^?Y zVS|^O{6V7U4A*aLn<-g1YW2tSpWv{B<{58Dd!0lKH&a?m-HS58wzZK!W_7nbmew1O zAM@|O-(QH?fSs3cY9(aolXRGEOQ%zBLOrRcDr?V1Y@~XIw8# zGoW;+vn$)T@7ZNDl88^hzxDueE?uZ9K1#M>;uX4jEs()KwIGwnS9$(o-p61M%Xc+Op0YV@y^ zpGV=VjNYBi)uB#57OWCWKvWb5>4%ViFOXlx2a#D_h6v{Yz@t08u?an0{9)0~t}<=p zr~hf0waCL9X?zXO+NsX^f}W{*DbMMJu$`^-W_lko3^y?%NbQje#?MPDr>6#CTU^a@ z<=ZChn82?wJt!69f)7@1?}4fsUVmiYOX4Fy;{uDPqt4~^r{|-_MBQl$BOT|1FN>Em zKL-|X*6L&gCVGA?Ch}`o7q{#ge5u7SfVs)}>&P?GFH@$4gCjnP4mxKMKi+p-kHuulX(^d^uPUwPI{Ql3_r|OE_Xzj z&j_lQI!@EMZg_PZpqBQoT_>*x^&@%^5su9_jQ+t~yoMq;>ug@L#8qpvy`5YI>y(Bs zeH)vgmP|cSRzZ!KUI=g)*J4;NBygm-ew;26-Oi9pN}NCox~Tbtsp3$)jS`fc?^YhoL_300w8y{)DfzRK|WWQj=A~)C|EF=`>)>K6qC|UD-q1_e7%BfGPqt zNJyh!!$+|_vFXYXz{!yzo@LOlxV;b!KEDw5_?^U5j~nZdh-e;W=_^{Qweq)<8mL^% z;*v|0Kb$6UCwXYGd|?>M9;R0Oy;WlCDRe+ka$Y{Ohy`a27D|>YTSDZuNb#T1^P4n;A1kn6__G9>- zgszlqvU{R)GEle1m3t=lZ%s~kw`X_l^~^PVI-ewkXUxNtJ2}d~cbY7$2ei09w15gs zG(XSjavRv!m$t7yPecC49v4KbYvMpNLAVi;ys#XJkEWtem^S2YDs#LC^FFmQ$*GG7qQOZK!W(TINN7(sa z7N-w4ZF$^Ts0=Zs*@JH*?-KQ;D}Gs?zj2oVgYLs@?Jrw))&iQBhR9hPFO1f5Uy?l9 z+`h#jwiSb|itH!nbGo1s!qe>cBQO}*lknP3AF-}I7b+Gv-7Y&Tn=fiAu&Zo~%QAkJ 
z9={)ca|k}_nmN_Nj+q&rcXHbpio5WCKP`MG^86_JJT`FrU|C9YL-y{}1nt{w1VUI- zVDi946a9k>Dox-o>xhU(Gtd1$!VbD%duLZ-v)Sy7gRtR%5mfho6}^lmcLKE@YH$D?woS5|{hlm&o{e6QajY9+ zTFnFJyc*2hu=h52=waSxKc2DE0Q~%={3P`MN+ah( z+^g*%wHjLg;+Ndp9+#bW2?arKZ+ow}nE;o#8C<4=+dqP7t)fLDJOnYvQBl3M-t7rS zJ7%yrxSEqdMwRlFb*Ka zTeyuPmaRv-enUgy^>4-~98%ai^q<+tP_7N@u?#*)FNwf)d@3xXFVJ#7hvM?B{y^;I ze*Do*H4+R_YhF2Z9BikX zy`%$=W=36mk_FKOb5Y%RK7M_r4+>cN@FryroA5U3g;+_*qos&&NM!b={AWEzXW~V< z_9vnNr9(WD6KtoQ0x+BoCaqJkU|}=D!wM7OZYH%h|1q&hU6JCv`zI0>p*1)X7SRMF zQE#+6QWlW}B~kavBOnst$Y3PwqA@NKR5WN(7O7^wkTEthC+q}l$y`DMb;c?5S|XN7 zWpO7uV-2m!ir?weCZ(}@8jPD%boHw5_8vL5rx442qK#rxwhJ*k1D71r*M=>kjh*RR zMQc7&1akoFM)XYnp-bdxfssq*X?5nPxl7b3fs!@UsoVvhDC1{r8_YpKOiPpr#hmOA zAm@3DD`!V;oigBQ*76yzk!+f5N|{Z@q(!W8mO1GRizS_!ZDZsTd|Kc5IkMz<8Ns}> zX-k1=a^Yrc@Deuj3*5XBV#004pORv_)`$a9bMjjO;ikOC+X%Svf~_-PO#*_ZM{Ka- za~tgaAp8~}Yu+`Tt|Ka~o%*yD)V=*89~q1)n)uBL+g zg2}Kk%YuQUcBfp-W|$*C7W{t}-J+iMX$#;30kMkyCtB$L%m4g8=n!=A=m2mvTv_pY z2yv8)C6)eM&JU(iY3=_?1=Qfv{xRit1#mZzQ6?U!jbS!DAqoA{pj0DFT1RCxEek&OdMRdc#>MwdepO z_V>EoW-fA_PI8@QZ|&$XNP#sDp76JMC6Ru_sTf?oKR$kdZjt+u|AI+4Rx)wR4RE5X z(<}Z(ix^ondI~hx4%*19cNONX(VLUI$gewcHu?%QTKC_0uXpHYvk7e3!yIbLUm){iv0DRLu4*cl@}+2gycMHh=pBjlZ+cOx~-kZA3ht^khBbklCPGs*a6o8`yoEj zHrD_l%v>YCA~&0lcV9`$GZx*0xv5VE0*qUL?#~9=E@-S$^bDPtNI%u+uUT&gSB{Y= z)G75a_fRJ#m zUHGtC4@`}rH_IX1cNU>8i{cMnT#S&1TRR&9;&7a#1|o&K0*>`Fb~7(jGYz; zaJZMdEd09a5%c*I6(U->7>oKc=IC{0%pa1IObcJvr=5rdzf?o0DpvqM^GYY zy{ZhX<+N0lO2+N*G&Wk`=clVySoo^j2Qs|ZG?Z?Uvlv*I6}o;(a6QnEad~RcP}x*GK8H1EU^7`Ci$n!X?0Ou2NZ|v# zh+=^*=sKEhl@jh$A@+kJv*}NSOj4P{FEk?gePm17KE0-LiLjZtypb9$4!naS=0%*Z zt`6Wju_B|~7^obkaMx~4M2_9knM?oEH+Dt>+4mHwcX#;^@pP!4#RAN=c=~zMnBl(A`QTN8;@^@GqBjFExs9M@>Be1g0sdpdVTgV(J zF~aItdsxYsQ2w}sfME}H(_^jOsj#(StXbv;MY1sy3;}b24lp{BDQ=EGU`B~|gyx@L z0)nKW14hxxiLuxr##8J9XcR$QH|$t5-MY3!e^`FVRrjkZzu^*56GvovnDa$$K-aTMfZRe-9<~ ze|E`*`?FPNfx~Eq%XoytNIqk?p0#jX{bfIr{o~gqwnEC?g0jk{ zgG!no*$*+XKl31-4{LZT?*8nIh2qC&IJNwZ>)`IH5*Q!n;ZlMwve 
zig92cbgYvG)4WAy&8b-K)8}tUIUr2jUQf09L&JA@`fk;*#QeG*L7j^(uYc!)sO$4G zmRWYW9AYV&EqKUBN*Y~H8?vGC8Bmoj)AbTLYY^}P!*@kFUmuO^U$@PY zoQJmIFKF(6thKES!Fie*dLR)Iymk zT`H>mV9*nqL33HJ%}kVcyhyS!m1J%bNsCnKsYPE0G@=`LN_PF>kt z@Q?&h?WxCdm`M#RSu-PXg?<>*JR43k&qEnuE+4Jg*Q#Fs?6bMDt#0k&wJeBE-~daU zr8C6_(^n5>&rddRW)~k$PhY$^6Iu`9K)0YE5%c(@MlR%OPHag8JqoR)%yL=k7L`Y_ z+!Z0^`fc2fdDlXm{8={mQhL&P%^W}Fnc=|i_V^w~1 zt#Gf)dwX~S?b>a`6iJltJSPH8?&D50J9vKxYj~vAMC*klnbGC*^*U4<03Az;71NZV zZQ`L*?#|srqFN0@Yxb8I*M;wuQ=KQT+gr;&P*zs*(r5+L>@|5AR?*ZqXWJqIDnWEc z6aIzVPni$`+OMa#QPABeUUGyhuul$O4_YGmT-MV_4UVC0-w@~6`4;|dG%wL}Nvu#l z+TFOl?!(k?^tW4?4%1EMvA9Xab8ro-?m^*JT&(Y*3GZzQDzwJ!;D=p9Rw)>YxtU^4 z72Tpxp84uStKq+}2PbZ>v~qsAz{({?%L2jc6->K_a7xZ}gmJPl7I)epZdHwJ>N&57 zf1^^dp=XBa%RayWXf-+^TT&Z)`}pv^rW&oIcg%7-#t74{uty^KgJvuOpBOnF#Y3{9HtABe9Z(us1cd{p+86Q95b%!yq z*B{I!GITT&v}687&S7cwiW@>7y9d~%!I*Z1I`ss(HKcRMJ2AA=k2U14 zds2iHnQ2+TYs9IWXNyz9+)D4!fwcPtA8wu!XylgR?wfydT79mWe%_>ihfC;pCg<`DVo1>W>KN?t-7Bx+Ca7lokX`~7|0*B}ph?_#s zfch-#8+{EAuS}w=)nNey4~C2r=oaz`vOH?L0TK{H&3_4p#(@>#4S-ivR|_Rzs)G$t zgM&JK_7FIp1Qt4qPuYJ0s7Nq*>$35C-K%#_dOh35V9$WyxCAiJL{@;V)}?c~@M5<` zVc>FbaK9oNB=ge+a=&C`k<6RPs+nl*-3>A3)__Y}1An)g9YsW5z>t=`&W&k=cFU$) zV0J!qS4}N-kHcDobl)9!Bt`Bbq*1WqtA2gC+VcK2Lw10y5y)PtC}J|y$zE8PIsj)Z=cSz>CR4@d zWLV$tPDFX95|NP#HaltsoQrmQ!1yUC+vS$87?2ErdsiDuAor3{&sGw3rBSm2@->V! zJt}|*v7770N+wEn|CXhT`r0rb@jRu>`f`dKO-!LaPeQyTlRbY(gAFf@Cl|-)X8Us^ z8g$tkL5+Rp3_qzBD_1Y`E%hJu5Kno(TWKWgvaH0wyma|6jP%s5H37^&jha8j0O31j$Sb=O%six%one(Vf8|y{zNg=wU zov-p#{W;jxbt?+h=3bW z3?C!>$itGK>i2ExqRQ6Ysw)S2%!ZN(0&uzhDRcjU&L8Cg`sDrGB4No%+xxk=xcH8~ zQ7yel-qiSp)swVhOS01SSrZ5Lz+GZ(QJTXZZ0%sW9I1yK9MtR`{i)e~?H-Yr_g$mh68ze8jmN^|pGf5rF z2q%`@ju=762^U6fdDBlyCr|K(z<&JelrX(&9L`kZ^g8lL{aYzC@j+>qC!5n@w;t!) 
zu=Hr9_`H8J12X2SKLgD7D1JSM`+8lvl)z$IJb#;<4|00*&P(nxHpB2nF=I z9Ghy-W;XTVyNIIhrD`CsSKWF1$y`2i#7>p3&H9e%6Awm8xjBZjGvq&7}wZ7gXmLP5ims(?5YFDa8gt z0V^B1g%Uf>v{{ZGw*@A_dbJBhDC%GqhR(g?ei?7@@fmR?*JED~BE@Zfz*}v>gYT~s zPrH`>tlzgi3Y3e`9B1B!g@nkiNURB&l0D5qnP(AC5sy0VkH9tx2wOcFJn039mq?zI zW{!WiZtq^x27AwS1oNx}(p-zz6m+dt>VgbfeSE$MH+}>@5%&OptJ+I78m~2y)_IxQ zJIK6NQh0J2*l&=u4gIZURjiEo<9iCIsJf9hOu=<3X*OsEo?CrzKGbekl5qEASBBmb z;P1ERpNf8Dzii1K-b;4!-Y6e#rq`awbw5m9e@qu1-6xIZc((I8_*1OEfn=*V*=&}U z$~Mo0v?X6oHgncGYIXHAjMBsn%l~OG}_TFLkIHhCs8oxcM zx|3a8PIR{-G`9WBBy5`4igu{B+nheH@0=feylAV@Hu`H?o?Wgw>V<1zU!wh7?vkR$ zVY9;4lQ5Go6WC62Xx-|H!>(8G!J1vgws{V<1e=UDZtYfYz7(F+F*ihALoE2@_j{`k zhO)r+*-#--vR3=0Fvb{=n52l*iG_S8{zUD&@S(C)`wc|PLE%;|Nq6oW5&l76Dzr{m zs4Q32ULOTr8rwF3GT?bmvW5?C1sNt)@Bet@~uyNQ!fVnH?@@g3n?54Y+i9Lc)^K z-8ch)2rY(zYkQGhGa6CMw!bhzB0%ejt;t->{)8>I(o*D)0ey(0#;GdE*uZg9exbhY z{y5N}U=ZK9&_QxdZg$JgzvR1JCf7fYZ02{}t%&GsUNFcTbvQbIj<_4drE^vOoFtnH zke@5;LHcJZW&Mt6#*m(=tiFjdj3qeox#;Pk; zds0R>0p^1x)o4Cfz_Hn(S#C*o^Qyx5FV5a6NRz1j_AJ}BZQJOwU2oa!QkQMB%eHNs zUB+9sZFTYVHy0Ce&csaozq!cUof$h~uZ+yKp5L;3slpKyQafwq!;-V*L9#LP!X~~v zPAp`l^C}zGI%i!<-|?SdWL+j+0$|H_Yv|PR#m3uZDm~?CH5)XH)*Us#%LgA*$)!G9 zOp$QblrLz)xi^_?1!A={hhHxrDo;lC-#V@H?p;0coq>QGe=&^Rf0>yu&A3ELcE0pW zIG5h45N@Vf`*v@p4cVm&XKh7!&*j#TY!hsO0d_o3AL|`I)oC=hTo?>vB1*%*#lx{lXKwxpaY# zlnpDNT4~sd%x3J98&}W08X?Ob5G4nNvg)Wh?`_G}mEMw#JIPOccJ;XRYoW)ti2R29 z$nZa&yEpOD%UAw+m7T#)xO4r0#~)oKjT0(>I>W1L0_#^-d8mV!5m3%ylHSFWO&P@e zT7hV&*kSBBX?PdA>g)>Hu;_9w{F=|eo=?Gl3rxux8ie-P!QdwW|ic6WT?h@;1q8JXl=7j zdI&Ukj9Vcq_J_jM_ZmMTNwfkz6qIRD)GJ+So3Ge0Ith^RI;$}8a!LF4*bv2>sk9yC zSP<0yth!%!@b{V9a4N7

WpVZ{j82&LzVmL&oj({V>!EkGQ?zBS1y^P?8MMi5AyC z+px1+w+YJJj@}{oovG*i`(oxa72O7A+)#?b@*hSPo6#OXnA3;*0o<+RKT--+74N%Q z!_mP_<{LeVbD9?`OLS}Fs_Dtk%-cNYBXP@1=v4fpPd(DB6LM*>#|_!W|KN zJ?+KapQdouxttOPJ(${acF~X*Thsl1yKnPub9(o+R4MEwabw+a5W{n~ zcb{(7N48PdoiDw@0iq_|OCn93+G_3G@ob%A|94*tIBC`zW>sHR+w{30!O^yP)7SPo z_dK1nw4VqN@Wen>cocmt@CJU@NSzCixf3O3gEzW}WZVXahDXx^D!GBTS4t(dq8+x5 z3e>I$6NKUp9OnAQf8yVW8LOFUfpz*jr}|2@{9Luszt#5N(@G{Lzh5P~*%;r-j>tvN zcBSqI;)ij6oLe0I)I85j>9Qz!)~WdE*1@HpZl7Y)dWsfMzUEKVd-6u-#Z5;_Ig|wa zw32>Al*>h3V<*#*;mZz=XCP;S@W@H*A zM1}_s#Kc*$LzP2f4HAUESpA5PR&&aQIWe-iU6!S4kC;P`8~aJKxv}n;ZRvdvi$Uob zd|^;aS};z_?s2F@WDx_U$og7Y#|p zyEw8<@+y%^&!mG~;S#-NOl^?SCf=?k(T86SL!t?E2Cnd~MM!fCHp;M%!&$FagMk&uF#(;~}jSJ6sp9vX469^>J*?)K|Hu7FO*I4 zH^h2XGuOf6&?^x@X19mdXjary*25I?@U|y9t8m~d<(p`ywBAUXKa~Dj=u%Oq6JtAdslgHCo!x)VX&A&7(a&m;Ywsc$Z6^YPmm<16OxXY z62P`lU9UI2XMLx7PJB)_$9CGckl=FHC+R>HLJhz96Od`*@CtY`*+))g z79%1@-Kj?9*~k&Pvv|2Ia?PZ)?|(+>P}Ptx%WOo%4%e{07n=@?Zrih-6x$98O z3^7O16w^jB#tiX;sp{aXMH|Gcg_8w314Y^#IYlnob@KtdJ1D^BC;s(22!MTI({sbj zr;k9=u1Cabd;PH7yv$dm%%m$KVxFgcz4x!z&5AkY-?SIk$VB`=VxKDsX%sZER*a$o zTQp+qqDUT@U@?HWlT5qchY63+05VnasRsvID#^D8*aAB1ZoRWWYsAzMdN&82%cfyk~e$i(gV%U#&@!+i?LDWv8+S~7omvKEx+WFymaTMp$a{=@*JvLJs zKDdQxEt-Mh2JwW<;#%dx*ro&&3nXzya*DM!P?YINPHN%b z=MQlRuuwz}OZlFsjcnU7<7}=s}B9 zc+g>wG-3t|ykTmShn=Tq(PGpZ6r1!QgEFOUjcILbc9&q%w~f`ebrAO09kE>*zMHpA zoFv2s+-0i=Opj|P__~Bit)T(JCe|4tY;l}J~$iZlk z1c=A=oIGB4*h=5|>hCmX^j(8yOkcGTQ$3DZ8U7h=z-FFm+S43UDP^MC%HbBD>-o!KaIKiiU5<_@Za0k1NfQ~bGUxWKY}I> zk6_94rUn2hJ$t?2t}^S!z*$f<+}-a3AHT`u!qsyQxg66wff*R<)%0?rP=-g+=zfg5~vJF z4*l6-(x=*BShJdUJ_Dj8eYafJg?W>k%xms<`Pe->sW_)F+Iywqc_h$flrjlOxz}vz z=ERf@B{E%S_WrKq#vB|J9l@6-R_z!zD`+t#`)C&>U&%nSGwp2NJ>tWc2@@pR z{u?2iacAl+NG4X%lOmY~u)6=fMi`I5Kfn7c?AUYSrQPNb2)H!hd-l8$3|Cz#TYjSL z^#iUjzrW=%@%wVWhw7e&8kb&GvG-&d?sHLoV`HLc)Aby=8(`5U*bvrgaF>%G6^$l1*K zMky9_7mNHrSqPjLSluF*7*VS@W+08LXbV&Mt5_v7#c#vXLMVv^jU>35)q+e+WR0Nw zArnGr&a{7o^`c#pRi(KHRj(i0%cYWEOI+MZYT49eWjrA_bHvJR)&-kJ#uXTXiY||g 
z8Ez!Z8!MLVSh`mg@`E1pW)Cn&IVy5P8)~1x=OVp1follu%sVEfv2yeQ}fptZ& zpoEh965AB$uQ^wa3ioMk0Cm35M`Ke+2lL!@|Ym_7?7HW z8wK8@;+xa}r+&;q$0QlG3qh}ODT6pqzwvOsr@=0$Y~baO zmxSXVGVIw~G96tD1wDZa)IlxRIrc>XLge_7*MMZ0!)$t=5!b`s18V4S@!+9A-@u7- z7@{2s5+0f*d&*i`Q3=7)z~ZxEYL z8~wh0d}UwoMhB9y`-?U#G3WQH^X-F|AIY6+He0kK?z&GosS`I&BS@Yn^{P&qH9Yk1 zGeH|+(>;&nl}>^B=_-|-OO>^}SoN=4U;O|07E!j*=j&v@ci5b)uWk`_YxTDNO0Hpx zztDYu4GJ45BRy4yd!?Kki~!3z-^{e~kPM$HW23~>-z^MU1}4S5J8$*i;J*qC?zq*o zgSSfH)VIoiz|i}h2KTnvZXUbl8*ObnUpUnQ%8YwpD!)JS?*#IV^gJ=eKtbTeHFXEA zBVa$J*8`_K$jvsOTUzNsW=3D~b@=caQ_gSQHN$AUzIy`VCyZP%r`)r?VK=YAWJPG&k-na8zICReSKB=HKqT1`Tw4tB-HWiMk5 z>T?XOqH~*M{n!pTbN^ryTXp-`Mtjb)&$fkv(4O;|;9bwx;7Z~0Rk2D&iVZQ`GGbf) z*K!}|`d_q1IX0e_bdQe!_@gZ{2i_77#j4!J#;Zq*^F_UKA?`0bAatmH9o+?dmm=YE zLm|y&Dw#1e5T1W*%p)?7x4xnrTKuzMFF|EpxS^W<%2O0OtYRNiFLc=~ks&X53OVtc z+=fu6waKziO6RAlU6;nj&$U)>auwgpij+14+FWBGJHtj8H_Fn77qb-`+&KZG`e#QJ z-58q2hb?(#@ZuZ1HttX5NeH8dn^TIa9nU%5R<1_=QD-;(%%OI2)g?pnw#B*M&pMM2 zF<+yMRE$}*`uto3tXilyhC=aP=ufV~0AFhKe7=#6CaekZW>2*6Dtlr;wlG^tczM0Eh%$JS_(TT zonls{KczaAYHanZ)i01lvE|5`f1HSA+@B-A?Ogb4@3gMgt5>y#U&mHmfxna;t@xKO zg#+K}RfS4Z<0lT&E*3r#_N%mfpVoh}-;bgN5O-eO6O`>_W*v5tcOZ-$!u+|cp{Qwn$DB9Fx__H3cIMUywlQW)`ZK(-Z=q^5 zu&1`FUI?g0_6nKO`fhc+!$Pa2I%PI(H_DiI@;yp5&FT>IB(toH-XLQUG!36cnv`8L zbKxP*7!1E}P{{pMIeq>dC(>C4Wm>~U1i8KCY<;_4zBT4N53+J(!6uio31f66P;M;w zf-AAFPzq@8)nS)&S+Yl$XJI@`pJ#LA@OzwvQ$+K(?gT_rGYkq5>{&!z2E5ZFS66g!%1O2S=DAcca)sV@;=#f!kv4HYKg!VejCaP|dF;Bavipv7&CYMm zaW1zWE-t%2W4DG%sI@2ksP6$-U-uf;alA};zb%FNQO+6a1(dU&39q5sJ0~zoH<~o#B*}i25omw%gpG{a|M}U*B77 zg%Cnf{Eg4{jjkZXXZkb=R6wp)XlGY@9$#rU(y!LRQ}OvX5==c(x*F5t{B;ZNOMzylZERNY;|@~8a4y|p}(oIpLKy# zgRS+CyQj)tgDJyN)Ayr=`z+r{Az{tNU=(MRP$_+Ww%R|;`T*kg))~1oQ)GODB=_Fp zpZwMBapkq-jTh2F?|>+;NsQ4*Joeb4E00Nzz*cbZaqo>^Lyv|yU82X0S+u$Ou|htd zA4BkI#8Fy@Rl=&n#dK5!kBDA4O*<@~Ahx}tzjqPe2)F_QH6Q84`dBq_O*(PM9bZ`f zX-Hwwe*95klr}Emn2BSdIs+N zJub8do(Fmj{ao0XvPwUKXb|_S&+z1IRt9V!!C1Wf4@%LEWGg z#%D9T62tXM;?>HNixcKU#`nfW=B&>Vser%8Z@hm=ik{d_2v?)}A!+z+$*9$Vw|f^v 
z-$5g+$>>uuYQqvkWji(8y29kdQne!qrbdYQ>D4*$N=k)6pqWvs+6lu|DraOWM^x-8 zG79>4Jc|9sDAT-%l%`bOow8r}4`Jgxf|c93*Q%9Sz;lZw7-7=3Em}TcOAMIO#;3~w zvSP10+g4R_Tlot8S;@7%G(6VIA}v5XU^BTpo(+x7>6T!C38aR)?OB-68Lq&q)Zm)_ztxDLUg zzsr9<&AM1~Ta_;aM&~i@M%n5uhVV^=E?Kpb97>AwQ<8)WQj!WaW$RNY1SOoxWlMtB zuT{*wT>zF3(eHq)jm(X8J|wqhE_aR_2O()LyW4FY?U*)1g}cOzxU<*fgb0x5TfG21 zba;t_Kug1$SJc5Qk=%qVYpm%T&mh1syBi}~z|(r|*=vc%zKwt* z+?{grYdZ!GS*^NJjjr~nb)u;AbB3!t>_>`~i7o(8t3X#G@<6mst;2-iuAzoP|JGdu+t(BEbA(Uga%$D#i*j19;j^) ziX>)_jy-a%x`sp{S~wBUn=(b*U+@%*d37Bfu|Fj*lu=8zCpk`b%!V2@^ZZQ@wU(Ba znzQV)mtCQ}b`JcgndiFoZ+m;2(Xec}{Wd{B0{Yy%cfYgAjrcl9zwg>~-fZf2n?gE={Wp_w07KEn-7 zzKnq1+`p*5ERkjfMk~zOnhL2kWlS{sIxFe%R5%!HN3U={JfU`G=CU5BDZ87k2TcV) zxzihJmLCq@1115F5>86VL}Mkz$!*wr zokf!oiu-5bJZ}k_?qd|$21TK+!_Sv&r>Wyr6*(mk7GQI=0k)cYq0uu7Ox?$8ux5bG zHjS^1+%6h)SAwd8$5(V(DC`thsqnq$L;Ymy`vSR$1LWbzqEx)z+8-3!0lObGh!?yd z9!ezg?V1X?NX;esE4^j;s^Zk^-TKXGgaOq}6a^&-aI!t(mmmMDm@8YkcxvR(;$dg@UU{ zQ!OKZefQ8v`flHFNUtTJ0_ji%#!nPW#Lpl)HU<>p^(i&f@hstQZi*Q8X9(ZpoqWZ|9C ztzlzfrK!QgsRh|G>RgA9v!*YA$ZTP*$nbiA>nMRbwA&*^4rk8gY{17f$K1)_N_O!(kR>cS=#) zu!lBeCMBQW$w_`gJRA*#S=SRtufP z6;brJqewW=3lRx$5E|JL5-|42RnylLb~-nFO&2sjD$c>7<2L^!s_9B3#takpH%N6g zE?HH{rc@FocsV9#I~TBDys|@7G;Qxp_3k`mao_ZK3WpAfij1Cmfq#;M+;X4d^$vO7 z7=j6dAxet`~cR!JllYd1V}irWNK1vU4HP!UN6-qsErM; zy`xM(@smbduLS|o7?8YZ;-%Wt$7^g?x|qgf!OeZ8;i;yd*Uc?Dw%*y!fb}@&DK%g_ z&f76(+>9u6hG&U3K{k0rVzTluTA!u##per8r@*_ZI>cAUSJz+Nk?cipw* zY9L`Hx5-Wu;Bt|vm7U}CmCq1R-$wpCiWOv9!xGmw2^XBfI7*T8`njAfk_P!RTKncI zm?FNH;49)^A4xwXvPp#*Uq%m0qI?Mzv%wUF+64T>#FF~pN$7a&>Uf52$+>Q%Tc0A9 zQv?WYOhS~aloqDAyR81`Pd*uYROq((aE0&{>_PUjv=)2E9~<+h z6!Q;g}a0kW@0uCiW zjHdX!@X?6d(F{wNV+7x)`7ZHu9^tCF;rOFq4 zNW@qu%GfVQm3UKB?CV{g_-GQQ^?@f(g79`B=@uu}_-NAFzTgWjC}$GSy%3nb;U|i- zAB~ORIoYNaKL*U5>(#@;5KvKPr1{kEfn?2Ffp+sM3gQcy_A-A;?o|h3c~y-yf7^L4 za}a1db%y~;OXL(4fzf!$fMCM=;LjFpI~WKs$ZU0(z@R{f5A}dC(YYfMPy|t^Mp*!h z8>~8cCYp69+Mq1RMDf;X6k-h|BwpOPdK>j1?5|`%CYmj}A!TFJ-wq$Lw7#x{3?;L) z2l%zAsiYO);0;f~c-xx~B(D2gOELsVx)GUo>Y=7_4!f&n|Jin_cGMh(bY 
z4Zg(uxaioCa!0^m!Jo<^4Mr#@tY}dDMRVnG1xU(WT8~i9?Bv(NlAp3jhuoCWhTNQx zx?Ieqe;<>(RWj!2&K}2z4XV^HT^q>KN{QrmitDz^J&?@L*lsFz#hO?H7D&qM`#n#7tEFPbgthWzcEu;oU-@KY+&L& zA9=CjK;i6SSUY8Iae}tv<-6mQ=aYu{#N3nqI&*RL15mctINjE6=aL}LW;fz^{>F-6 z)E)qeKRL)`cWJ+^I>O}2yS5Zv8aO)qZFV(^^I#0R)e5WV5W=wy!zwXg^s%?^=L4oc z`!7J|>2%aKzaxdbKiTqnZ(QVh*zu3Ogc8~kd**t^>E6hQ@@7GWCTbb=&=?}BUl zV(cQw_z6wiT9cO`MtTFWxwm*+uky=ol_h?4M1au;`32*nWp#tsFKo?XM?T3@j;u%W zUFcMAn)tOo=(k%Dqcw&iUYMip!aAChj>)!yvs|jx)-ny)(49R?9oyh+4A1- z#yMm#g^Fkr`A96qpsX#(3pp#K?HxN;d=TvKJ#}y198S18ec(iX&LRIA<7+;9yncM8 zI#Z7RYbu-a zOtz!wI+^-hhEp;NW;WAKu|)!)x?RrQLfJ_P#IslUTPQ@b9l-$7*o)X0 zEU}E-xC^yLO16R6D2Q(s&MO`QckQdVk+dIh5(9}}O`$-_Em5EB#AQ~-}X6NeZ| zH98XxtgW>3u=6pq+W&Z^@ctScZ>QR>#g>wdAL@j&?}STK*0_xs7~(9y9v??$jtdF@ zu^Kr6PmT(V#D~peN@<W*dVSEwT~F+l2rQ+_lqk1;f{>ineE9nR2URv*?^E zf^0p?C#VQohKpm9v2?53K@=dU_N22;DN!%Xc~dE*JL$G58^If|__K@dg%*lL^6e3% zsz&Uc!lbewQXnMa;7gN4@Q_0!(N?dMll>VPA&8>Xu(g5Xd|30 zIa$cKI71f&Z#42{r_v-rwgwhwKp<~?f2zdo38MBg7fsR`*3A2*QzzUR}O3lSf(YkjND8VafM$7H>Ae@&C2dUaD6U%M4_EQI%JMBo^KX~V5r4QlF)=IacPYR9OE z(@p;Edw`XMl{+DziwC`ZieQFYAH(Ai*}Q2&LLf|>`i4-EM2N{^PQjmQl00^eFB?TR zaPn-GNqWder6sxheJ;YTox0nB6q-s=-m4xl(tVyO|D3C*rz$cL-Gp6W9g!2sBvekL z=*FP+(xA+)^ciy&X`%_-?!y%x#}kDg%%h89mTA!2e(f304e}N&iCV;Cz#M?W5ALxw z0YS)t65`liXe3^=f}1()HGym;yu_np`m3VCa&198ruQ6Hc9{f6%?6fX z18n%TDz_)em3i-pdE+f|UP}->$rZ%or8$|!NK>Q{ii@?g!0uOt*&}7;{E5(quK_LN z9Hg#eblCKv(a+4H4f>;~E}wqx(^vDf)j)@R1YzS!w#~7mnGPVbWiK-OYd2doWLVQ? 
z0o>GWm}&sL;ag8d=)}n6cbk|1PXoIU{$Ut)qcG%cGH?$_(~la5CNBaF z{y8n{tFoyrbQVWE!qR4QTq(daX%QRvy9RvTp_-2_M!o)ruDoCyv67hdD0{_aq|dD` z6L_G`dX?iZ-kqEGHs5c)*Dg^SEG2)R z>mrwEesjyV{Y$_7&6dkeN`CMtcIA1JJBY3cl~>i+b|)MbvjiBAehqdkpx#?+>In(X zIE8G+{JP`eDaQEBUV#C%xW1FCfYaYJeZMteQM=dA_*$OK725Sfz>|k?b|1gtuNob_ zk=2~6m#|bud+miDp3Yypi|oj5Ozzj@M=8gxl3op#^RF_N^WFQ_pY69Q#!k}DubA=Q z&l|R8y73l)<8e-qvZHs{6w~DAU6j+`GODLis=&7ynLs3?AT7^dFzAe|Za{eq<^l@V zTIH1C)z43KQ}OYeNM&T&Ul7O#I4Hh8MF%4HzBm~@V%i5zaPKsX)k?N~a;Z`)-`0CK z*k9Mn!ka;bSj)t@ecrvQ;_#+nA*_Qu;Dal1#(B%6e35@iH-9NidEq0#^&lq6=(%Pt zkhNY#R@trrDZ5(fYp+lmc9=!9#si26Aj$X@>6O`Xw{h}U9VkS;W8Qv(cFH);w+uY> zf&*k2nXRRt+g=GK#qfKr&zP$wse09$c3-W373} z$~mesIrZq$IVRKWcT_dNC!;&;lBBRjP=-o{b=Z7Y&{t;6R}|NPRqb8_kG(V0z5R{M z^%Ud1f>92$@iRL_OxH99x=tRwKam)wC#S(>9|8_>5@NvdV{Mr5pLQZuBy*~dP zsjcyXH}YAlRcAALzAV2HvnU9nE@4SUMP#z2e%je{BVC=7N^|yeA4UY%v#V)=QdV$? zIjFkQ1~H{fAYg5g`RTYeZ)d$f!LB)pI1%)d#*=oMU1>M1JA`X?Z>4jJ+csP2G_3n= z+?_tAX&vtBPJDd_qux;QA=t7xKzzlspF3LuuE?KQBz@2!%+Svq_f$L&CX%pEU;y# zv?233fa+cQu|_ikD#uLN;;3mgpu4{sU^;XXny==X7j$3~BK07EC#Ph&FTZ6aoq(u} zA5_f*503$G1~!WH z=h^}VPV51{Cbxw~HncdlTd?-RSJ??xjP3vE<_`L^JgJo%N@K-%p?J2Kz>K31{`f{z z%ff`Or^k|iXf`^GdBtxWF1;91-x!NO3qrNwspLFQ6=Xk5v~{r#6qSOb`b0w1>2??( z^Qz>7EH&Djs^3{&qSt=pYq`Qgcp0$B)4J4T!DjF%>*7y9vOBG@9T0PS&~oV6)O8Q+ zw5f4a$Zn`)mtu%tx3RMXu8dubK>?PV2iE@J{CGUCHm)VKu6ZGIJ=nc0;d*w7gWCSJ z94}%Ad@|c7;EP^*0k|At71*r1M%r^;o&HeYAa4ab`DqrNPhIVX7)nNdsm;TN78j!s zqmO4yF76PY4d1Xg*O4flph>uXFU{0~BDYtg(4BGgU?0hGX$L#wPvtChc|zAFg&#mQ zV92Nr>5qFSgqRK+S7U{-f%rQd!3$jYrWmiFtjD!NFqVzhIer;N>=S}Juwl>MCZ~|< z6t(nOt`jYdiV8mpkNik06D0HVi~JjfyCEe;?>ukGkC@PJPM0>}?#Op|AJ%FnZzkev zs+pL7xK1}L6z5u^#Wv0RaE&&>5=)Wc)M8u9Eps&VN5uO*qq)%XeCDM0q-u^!u;P-0 zSb&~MW>N+YHHjVGQfMSHI)X83oI*F3DaLT)Dc$k3@jX*Qz6R&;@1XN}CMo)wA>3#L zIs2#+2vmd;eeWm%RsK65JwCMQV5LC^wYl8WRVUXaFjlNZBdHF;?)t`9|UF)!TXJU3TX^$#uoX_MLj3ayIR^>Vy6 z33Il3PrP6Rt3<2wjVL|2HqbT7N#BCQYxcSM8#;d4aP7R%>o_x{mY$tEKf5eE-GSC7 zm5531JKxtApu#)d9i1^SnGXG!>wA~JxkS(TRGTGjs9D+7x8R<Xft5yvu`!`@vR!-YF 
zYz0J4fj+Lb9uc-A4?HYISYglnRU3zc_cL@6iwS^G|iRtAUW4D6gC7bq9&0#Zj)#T8{E2>_q0ACb%FQi%J%`)f*&D zdj%9ExJAtnctCa9FCH;N_leaA!!`gLB)Cyb<`!5S*JIMzQ6~q17swLsAPn)_E<)sO z0ILOD=Dg%bjB$|7l-Xa7PEjIM;sbRxfeh5wd{}eV*=qd^trQLM%svDE<9W89e2Itn zmISFE1axrihT}X0_<5A(V?-kj(9kNx6k8@n)@7S`%DUhq^PKJvV-@kL(M5e;Cuuhy z`ic!!%4r!<__T=9!%AUx2d!i|6WwQF@Ciy_f+tHF!3Lk{ zEgdMGTdY+y-irnw=SH0b5#E#VpzY1G_!sG z(|VOh6nbK?)`?lSwP|T-CY2Xd5I5nLXmGYu^+-$~w__deB!Tur@m02c^a~YB$^8v&dNq|0W3jrI$GMCjV+heiwZQFAq zv!V{ux?;%s_WkZ(JqGpeKe3 zw<-fRv~)LC7&X;4_%!5N=Sr{ItI!%!D>E|{R=Jo9*JEx4Y?uoFti395Yj~q#h5}EK zFgcx}@~N(Tg<aKXcs4UQf@>bEQGjYH}>IfZ7)H1S9u`NA?{cf(YrS;z4!^sQs ziHlH#!w~eE zFAn-XnFSOQ3D2M|I8J-Tt{^lTe5bkb7o&6b`Y`QgO=kj=?Dk>}5ral-F0g1?J1ZSZ zM>ysx`{6&Q=SvxJ&H<~A8d__F1{Hz_avN3EJ#|aDXCqfVs`$s)ZHX(R8a?*w)r4~3 zwi^bO=JxsK{uQY;fvE>2y3bI$Gif%wcvc$jsys#YDW7>Fa+Wwqt1>DZjOyIgagmQx zC=@LI;uuR*q-oQGLgOy!q5pulC4;!MeecRy^xY~#RD)P_I(t{mDs{lH? zj~&@G4~fSOx=m>s=Vt=qyx0APRbtT_qoNI2W>WMPa90XcCzyRAnTCzG!gk*}(?9gaHk(d$GT1iaUiVnr`K= zZ|tcyp(;+J>L$|lz0vjkTh--=)rru$cL&^s>t9zM6@h}wDvs$v@DSIr&GoSrKKHNS zIyZ3_JiN`VRZ}tPuX+xTqbr`=_=vDi$s=JeVmUK7nV%59}p|c zpm5do{cw$TER$h*mI5=pEZ9$;mzE8BC7~CmV9-iK!DXT|xalrX!n4W6!V@`-L16d{ z^?}uj>A()>()f$M=5^uTP2sq=TlyGW_ao{xx6LkO7Q&^+`9NPwT>9rd_G~X*W5>7#^l(#bXBmm1b(^UbUIQGDktH{tcdv{hH=N< zP7y48TA~|myUO4(sMGF^+vIU}67>Ql^vG?um1?dO(>a^i$E-+B!HQW2ox;Nfz5;eI z)Pq^ZOiEDLdUZ8x>S41Gr2;3d6u}TV)?9lX9ZIymiqY^G^^qqA&rq^giegI`gnmLO zoXj7_17x*bWcX}n@eeWR4y3+SSEwQ8W0l>Q)qh^IZ6jN2jIdasuz=$q#5;JxJHC&> z-}$d20&v+XS;NG>3Yw#-cT%*sQV@zAq<+TI4M=^r6f}OU@nB_Mzh6yjC;qIm`L%%g zo9!m!?_)zrUALJDm2ibni?)#d=N4PVTpTNA=5{*x4RH1nkcu4zTp@a!4m7v$N?iSh zytK0i_3Vm~JGe@lB0WLRnbp;d7o>^>;ivty+)KeMG5Rk=FiJta&?ZEXGa(AS(2@UH z3)epgtdH;idR%blmjtlBTQl&F_wKW=MVfMMnU5qlvLrp~*pp4#^)(3{Sg{;1uy98DtZ*Caef%F(Z8AZIq3Ccf5jYRV=B<9>CX7Is`%R6 zQcL8yl5L~p`Ih4+I8(ZJ{3hduF9=la!|n1-eFGdQ5Piu>@%?d`JiW_V4(>azXEZ%s zhP8R=+@T-X4&`=2d@5A`c6S7tKT&(8{lWB-d@4#{;-J6Ndg1otk36&SdXOO7eiyOR z^Y-DY?p}yg4<6Xh`oz8ESlP|OO2ym6N-^0dsqcNMfcPo)fj{*lxvFgqUpKeKF^hEB 
zG}q%U;;x#S`7pvoq7!ZZe^GW$L83%Wwr=yZ?bEhx+cr+ywr$(CZQHhO+kN|=`*i1F z;!f04MOCeg9kna=id~ss#x&k)A}<6`d)t(?QlNcNW89EZHG7qPXpn-)XY7$@TKV_s zksz4|*a&EwtBEQR^}3qAqPwMXo!kL))*uJf#^kAdl%2^M~1oW|8UO9DOr{?r(Qt2}Ayx{yf5bpZ|mr0lG zOY8i+>GU#t2_G6?aT-wE>Rr5IB@oW05~jg)`NmfMh@lPrEc@feXrO~b< z=k((1Ols-kZ(Ony>V3Xx()*6T?@cqXC1EEb z)&MzsVQEu{75AZySNSb@dJNZhHgAp}4Fx9Vdo#6Q@0;EE_PqJyrZ(V3aE|#|cb5o% zpo`|kWcA}^wZmX`gLB`l@G2Lp#bS)bqFyuIw`;1V$$(&q@OYo_xL!Z#t6jp{wPaPb zHvF3;(^hy<9dE>9my@StGeQJ%K?;RFF2piKbBa1K5`y_b zWW+P4V-SR~V4?AxEAaOHjy>Jdx48H&@OAD}uthg~`9bn;o`8A81FL+c zw+3zp_FG$SGE-kr7`_#Neas|;R?or_v zPVoqtEkNf`Fu3iE%L-2%USaJU6=sHv_rNhqJl20GLY28T6yr zMc0I)J`>T@gDNvsL$H=ZJPrYBAMIP`T4+(cPu1DPkPicS36k;idUe_MD!RLoylSL^ z#gn%0Vw(MB7TBa;mNp-xUKYFCiVf0GbH>Ex29C)FY-jv?U0E+OUr2XvGWVeb#%zQx z64gjgNN_$0(VwmUNR#LOdZgY>$m;=^jl<8HyAJvb-GGW1daev&Mk<@kSMo51wsG6@ zqlmQ$d=trK^lv?%YQa8w5k$54XT@21?yHQWwQ_b;zCeTx$!XAY7Stw+ik_+o6)(ZB zMXq}q`DHLuMUd))eVE+0$q=gqwm+U|bY5h1os$KW4pmx~o8GG1dKv^%!as$f<`CSV zt5)6ix15apMFnNXCA8xHpY(XvRQFLJs7P%K=5-aA_!3klLfk?YFAO+6 z#$N*9Cz`Oa8>T9fV=B^P-@z?9JJxRv9m46Sb+dy<;zV1LyAu2xj2*ZS@zsqpRwVw< z>NQ(_|tDQrd5qPHa>0E%8TQ8t()f_#z{Dl^;qC~N_=}KWjWQM zvvL(M8v6l4yPXoVRi8%A)x z=J5}GFI7UdvM|mkGp9T4-_CvZjI%q7qNv_5bxU*)E*>p9{o8#_9{qQcjPI)_>0||L z^Ja2*f2K=l3+bgd9RtA?PxadDLYM=;R^ScNsVzp#NdmMUuIMCYJn%U2O38>9+1Cda z2E-JkAV`%Uewj z3Rt6a^ZL(1lX^Gd@Sygj2oV{wYdP-gtqvgJxY3TIY_tI-G&M`l-cKA|Z`PUltBkt) zFBgu}ApTSPp|b9AteVX&`sl0;LvqZ6HxU+#u(PtGxFnFaYo*(jDP`NnjNy!cT~YNfaE5cNN`PMIhH4$=SpY zBj4Ok>WyNmHYm1alR>oS6nD0 zTmA^zq^NR+8}~d;Vc_|;=pyC@L1_|K1iq&*T#bo2hI~wq1&BPm7e%lKLw+)T^pq+9kHaAD`(;2#m-5lMaznm_R$6cI8xfm;t_(%Y!+nBM; zxS16EOBYn*u=c9ltLi0K<8UK)VnIsUPuMphx65p+8VCc{KVw4JWpD`ZOgmfV0(15P zbNVB!FID&JL(u9C$jGkQRcMBHJrO)3{_~fb^NEzFBWS@FEf+0G=j%^UxjkPL*xZ}o zck6x(&q`XgB~_{mN>q|->8&&k%%e+KxiuKd4!>^ja}U$P%KfFv_M^)7p*$Nc-L}?f z9&0^_Mcu$BH2!6}NzCHP@yY(B$@HVi^r2##N!>K|h=dC)fTn<2XLv){zDaxvkLS3h z%iyES;G)u~#Br8fBlknucTbkbyn4AHK 
zR^Eo96t3!pTX8%FAKSTqo4?;3Jsve*kJ+dtUbKPW(pi2!P2zj6Cyrbitkh@a&LAaMJRurfJVABt;@iQui4HQko|txN%Y}r)7a9vCCjTJD-i) zgBpxvr(p^ z5G{Ts8`;p^?VuD7BiF#*)qZsgmC4`He|2M3es#^te|4Fb2uh5xP7fg7tK^l7PMM(| zGxEy81ZgoT{qxYq%7mw1t#VfoA2kWfCFVvbe}k6(C#dvq(83l}cBE!Mp152z`!$Al zkpIZ4t>lTm5s@2}$jU|g^Pd$Teo}|27~WHmWpk7{dXr~!LJlq1ta+1V`&kIma;`{; z1;O?2fD9>880m$V@JFKf?zcI;>1-emDH7zca@JO61T(IAj@Wp21J1u z1w&T#{Z&I9C6~-r5Fpf;xk45rX&QA)*%QY!vuBxeQo+8HW$>H+anI=wX@8=La!N!5{gC!?C74|tURURm+!F(C(M*#o6n zbp%}G)aw#-l_FPzXrDnf{0o+@3i;(i3&`=FseJvTdScDc+QBF?}7TbLo0%U**!iDwRxK zzxXsoe1s9dZ zZ7kVoCB3{`3oGsP?mR`9TaVKTd!ejz<{>TS3TAR?E(ej-xmC zxVlwsH#jEi*O1;#UBrVOSGSw$=&aIn9`!!!{K_H8S zREBHk^*1W#eyyH?1E~&z-9fD0D;dbZ_#E zKrT(D@iGCy&%CoX_tY*@X_j2b+wUa($8=07ysY00XDza(A^>GLvo|cbF=4;H)xhcZ zysHH{i>q1MWzueN&v|pJ+P2(uKRz@?zlxAc-twD-z`Gf#=!G_ZmJF{l4-Z% z$ZkB6b(2A~wGQ)S1=zZIZZ*Co5k_?98Wg-XRDmRYv^lOQw`3~k)8i#c74Tj!GSQV^ z+ZLaPW8Ud@9p}g(J<7W_b`V<0EKI2f(sEZAWSodVC=(+47{A z^KO^R)3kCAA-^wMim5OZjL{l`uV^sOgOIxl z*E9cYAAjKN`3c586GI4kWL>)W1Q19&?n^d)1{#7jPKz|jzz``tAEeD4kVa{~txBQ$ z>C=(ZC5kuR=WNjCD8de6a*0o|!fw>En5IS^5@9c@u=nMh0-^C_D*3q|G<6jr4HYWM z@%Z*ZuJM(8)n0D0Qn^jQ@Cv~|0v@(1MRag*`fz|H6zW_-MZFMpWe~su>p4y>Uehxc z@^AoZ4x41H>uNIfX;5mpMGZKYoeb6-Rz@2WlkLutGtFEAoL1b+ET>Gt*c0pPT>FM^ zz-y)F5Y}8=KiTWgLz#P{7~0te<69W}cXsS%u-0XOahTdR!1>yMLb-r2fxW?Y++uEq z{BV})d>A;=#5M2Kw&j@f*zT-_7QwV`6cg)|_|qC^a#8U$;)+|DTb3)~!mwklc5 z@4@Gh=EDti-H4X9p_^T-Lnu48OSKb@W%+B4jE?BDk~*fK_$i__)(D^(%F$fNY6X4%{ziGhp;orJV$7b?Kr2_HS~179WX&1%FyF^*=ak;Y)Yh=&w$QsUje52Ce{+7qPBzZ56GZuzP1Rgm%BuND4absZ_3YX*fh4G~_#o|<} zWyDbNXZk}Ua>1+PnX3AP(;2lBP{jkPs9k?vm4IqOzTJ%DPGf|aDQ#X=lRW`-l}H)7 zlFmH9S1b{*S*ED(qKSk!xHN22*`Uj-SYT@0@3vCiS2aW z3gy=S_ydjGknjN8#Y`04L-*YY5$y!}G{)^yY$qp%4aca*lF+{|lj>}ys7Iy@CuG&7GBc1LmkNG0Q|CwSPsFV^HIX#1M}`#f z$JAB=4bFor10X{83AKS7ghTNUs5x;z0IMswUcK|?d;Y+gk)Yl{x_wj&lgMbDFZQU0 znQ@Rj0xwZF_~_~#-tut4i>Xb2wppg2bBN)noaUSKx(`+)o|63oXakJJQmV8g>YrUN zIkxcyRU}6e%ak`?F*vD0%z`mUf!pdP{0!e|W{Ab7-^q%>dPEY+rkqzm*A}m|)EPEN 
zq$88DDiOD~Z5~$`&p%G$A8QilZE9bDQ@BmJv5&Yy)D}iV9q^1Yp8J9MoI7YFW^E+7 zAtrl|%n8iyoS~jsUU+DSPCqJ!3gz$a?w;%5nmfb2pS`C#55vUm=@0}tIMW3d#dIYx zJ`MX$x%IZD9$Vbdfc7tKEQ@Q0=B%L?BrOKXOt={*ap8k}E1bX_9G2R~)i&0q$3;V2&T|7H(kOEsFU({=lI-=A5mQ&cbj{xt2?_mdUH5cc zwMPMQ4%3WmA16b|-v-3Ef|$IDu2>0A==T!Ss)MS=JW3?8I}+wn%j&Q_S#Ov9a&bBAJ(ni|E25P!5k9>@c8;ZBJ^`un{YrP%s%!W!> z3|;J;(HL6QJf)@Zr;x)sGG^Gp*DA$BEd{}_JX>-^gCD56he_j%<9|e4am*$UX~3Mz zL-gt|_fo9?@EmnOYl;}MeaxvFn!di?C-A7tdVO%RJ#&6uVgb;;=FkR~7~jipNF5)E z+y@PZ+$CXF$)=5JsNtlNs_!U}gn!K$8JfPk?v2G)E*<1}sUrEJea@iuD^jZeF(tMD z6sd>m4T%`nB)ZY`+?EB-scujwY%NwF-rlSh%K@g%TnRmNT&M-fgr58CAo2Wpb!;^&huK5>tzEoX8I}<`=5(%Ld zvUi{W`~y-wa$A9(O&wsO|5_A#h>YN8^3PRK%(`9oh*|G-E%uNL-Vcku6MaCM!IkAV zS9nOgl=URG0w6AnHtwlaSc{C!CpJ`hiSyX7^_1Q>M%2I7+VM1D8)YR5pU{)UH(gD6$k8xICL6Zj zHwT{=LT}K-F(N#=( zT=+Y(uiZ%}K1?SGH}dK`_M=M7UTiS`aC@}|ygtmu@Fb7~hsYDO7Mz7_r0mYi%!q8c z91`x7Qah-~T$%SprxZ-wTqDcxurw3HBhtszSmW(6!w5BCqVHbr?4i#9!3KH;3p6=2 zt=^19AL(uiYnBFF>4`K}9o87>4zsUZo}J+SJauT>TRy@< zQxY{FeHJIW9L!y7jwuvZI$-tBpWaduegx?gN<8JgeIaJZXAvjyXOSi#j{-Bf=~5^( z#&U5w6jIa^a+%0lrc`ocL!}f$Lpoj*!UFUDQB#r32ziug`gAbQa0>ADe2U4oT>E^M zQpXjrvkeEyT$SU8;@uhQovi5GsA|w6Y4<*~zZVZ^T)?=jmxOoUx~5@Rs`=$8%9Wxh zJNOZ7tp>+bG*mTo-Rd{%=kxoYTD>Q5&NvBXQ;>`eUzm4dl=j@v2C0B^6Q4l-JpsEm ze_x3~=pnuV{eAp*bMSrBoR!92QzL8>U}25Z037_79Bu8AbYss8VQ>Cu`;8cbGIjaD zpnj^LgC!dmn6;p$bp7#sW2~j?`=kWSMmj|U~h zc-X(2!NN`tl#-I&ZncD1Q@T2S0Xvga>=m$=z$vsRfBB!%eXRS?mL{vJX|~c}Duo=5 zm$%imG%^jYAxLMM`t7X2EDc2%Q&a;N*1f%jub|2HER^)ssj(=M>>Q@yN;cDa00_3O zhK|;VckTstNvenHSAL!ex)rHu!1K*-so!LjF1$^)M{b6H6U2{fxlcZuEw_bBdDe`* z!6NGiz21jAf@V<=dAyka$oReb&xGOqpgz?`D(|DZVm#oyka%7g>BUcf`qJTvK8iYt zmzVZqDeuWhbxJ0%JPPLI8U4H-_4k0vJ7_d(k#T;)#c#zhD71kFkH|YZM{;rooJzzeMl+3;UVdZg)iJMo}p%@H89ZgX{P|5VMb z-1=>fjXK8Jq^mS_tUOYhndvQj*l6`|e|#k7cP0vK>BlXC0clGFyGdJS1Z{4hgc>}Y zsI+EO8$&!`Kd=Sv!m(F=$C)f(JmkB#WeBSj zmLCoM`*==Qr?}1q@g&uSkSH9j0wcy6g^Amk-ZqXN$O~zb28%(NMw?9V)*OVwLz>f9 z;V%_8sy(U=+6`+cFfs#{TY!_)=7R)Fcj$+F=-3ZIVX%xrC7C&|%_OLfH@p#{(x 
z^gTH6Wz`7q&dY}2fydtJk>-Jg7Jtvut*eW%ZdsNMfji&5#UnYuUpY>!iOW0sm$VTU z9w1lZ>YIos5;0f~y43}Hal~tREQhsA(tS6Km}`L==ejNgqr9{X@C+4Vq@D!u%K>(F z*KvelRNI0p3Z2EYI>M2Qg!UD(**Spz0cZKcgqj54TMlzSFx}SF32QNR=M(#~od5_? zGc4(YNVWt{QPY=0(BYr~E`&=}@x|NyI7Tw?>pWj?F&o~TTz>hs5G0`7uGg-i7Rcae ztMx~F_O?7|dYxD^mf!51djRMLNHP1$cIaXk)a&+J56rm= z(5lYE(`WT@vC*;jlZ<#j9CbBzHRTxPAIn#}A*T(qEudRq z4zLO^qzf_F%I$38nwbR{ri(E=ffpy&mKpUlnbi2>V1KB?nB$yijDR*ky&k(^kkzN# z$;Zu)Rh z0-xj=OEQEe&T3YtLhblzhdY+%r9EDRcBM7s_;8G_(c-Lb{p;{>!CmuU_n=imnvhDg ziBiL2xA;(mHsO}_<=W|vx<7B_;__r-$BE(0)*@hy>nEXFfLwTnFBY9abS}~ za@0fe(kq9}D93Z=YJY6>YtVJY{Cw>2u(_i5_~T+0iqkP2<+dh|*M4YlQ`t~#ZrDDN zc3ofG@%yfXx4?nr!dMV3+X$MfG*z8NwjV6rbV>m-WwI_-JL{R7ykL%2cA1*eK9^3=NY?asyzM9{tWUx>*7l#j*4&sb4vf7ly+6azp>Ht0ZmnM4 z(qxuQlk9sWSl0`;ZIpIrllSgi+wXibzQvduOO2D%`x<(CalBRITm6VN%z9E%)kdEd z8pB;}(TtIMWW}Er5_5CF{GvIOk^5B3h!vEAGnnk(|G*jyTQVo}%;)+`uv3N|g<)IO3evLHdQY#(z}{ScS{OLwOq}{N*`}fD4kTdIoElKUmyu+zm@0 z>-JmUNK7xSGm0H^pA~SN$@J&Il-6q1z;S|cl5P&vNf)aM@`s_>Ud40LH}HY7t&iqC zToA;-pCTNJx%=}42l@mHT2nwmrR!_G5F#-XfEU|5u(RD5E9C)W4=6j3U1K}4cctnysESxmWP*?;U|R0jEgZiNR!IKuRfG|J=X`#% zGlpEgaGqLhiQ_H-dzM46(1~EH%f~rlD$~=&lQFP<9FK|@*Nq{nJX0$P$%tLuGb%vD z_wF%Z0X(_6w&==?r(Wxj3Js2G>!0L{btn#wV6xpbLv-XprEwBM(mma7rY4QH zcO1ldF7`?pk~o^8xI*vYp}#~WQ!T|364YNQl>0Qnd)Z-G93&g>(?4kzf3Ct21Be20NC3QwtuiH$TU#aK`&Iz?6iJdc^ea4zO85GGYKP z2#CIE0Ue74KcOW1puVa^0Pfs5OZ90DY5<$U>PdJQxZv59gcTVL?efVPLo1V15Wb9X z)i_GoaH`op9R3uXZR67c*74Q%Msqbpa)?mZ#462&*Z)XsW^}ZMP*=FP1eLbc?QsYloKZRz z9JRt!LjNXkjjJYeLB*L{&v&OYDJw%gof%l>j44Q$%StLr7bQ{;dYP4rJDHo6pCgw+ z+5L31SA>NTw)Jlf{IT|K@0-T_5d=1Hra!Q|)T_PQ@uwd?9vOWG8t$#n?)#(yvp`?Q z^6#n;i(?5%8YSLGBuA6!RRh`@`og7S;^M}L_%p#?eG-aYNpK^z~+ zN+F_*rg7y(XZ-=%hJ&~6RaY{=&1>4p7BT-xA%uQYt8jIDoz#DLpnSEBuxkaipbky! 
z_O5)?w3@+p3T<4fRe5T3q<_^KTA~(dT5`07pcHH*$LuutBZL10*!nMfaDB{%X%#IO zEvMZmvpuLuGc+*`T+OXFeP9^^NlaScL8EfX`^%Kvy3sL%1+@x1E?!KZ7!tzaw5~aS zh4$hpg1<6{@zH_uy~yZmejcR#4RE;wrV9(riLfXmEEP04G);W`bDF@w)?>KPGA{U2 zI`&wu4Vc~IIXJqQn6+#Q<_X>xL6HTjwHe)BZ;AwKbPds4?`ss!TW0lkz)gtb_5sgq z<5rPLm8->}@y+wv0h7I9Aup=6zIK7p zBu5SFn2B~W3)~)XIpuz}9W5>^_1XzVj8NMW*d9TQG4`iF<%e_*{R@8#4*6;t>BW+m z)1U=+G*I+J8_6E<Cs6kWVL57*bW&1er>z6wn^_fAdAN^qTay< zL#yLWt3}Hem{z+eJYu60VpO{*A9q;7rcCE|$C`)x(Si4?jthi$iq9t8PDKLd{8k0Q z=@O|`L5V8qQGUk?7k>@U89a9vN7)}Nt*+w?J40u$PTw4(PEzUPta{LgnNK|0$7te( z>{(AJj+mAB51vwg);^OLlNqmClh_hfX!EW;flwQpGg-3+2;Uhx_nEX`EsqJl%sJ(4iTkN{<%IxNq0hcLsRhVgleq2FRozRtW z)Gqi6H^U5wr!`!*nA*W&IsVMsz$}|*%g}6l^7s~5i8R7kScN98(y0XNmM}*eLX;KE za`-omE{I0log}=fh1gAEj%~?TM%FJMBn-d)QNWA0L(`}JRK6AOYdB=B#~W_ zdsn}@q1iP+i!wl~b4G|`aKoc~S%dgX{Ekx?y)jegP`Avs5KV|9QV3ju6Ph?@R~gwr zn#@$~6}pIE`h}}vCX_K}i?Y&)!EB{wC0O_;M$ZW3F}QwYE-8Fr0;L3PpmpD0-tJ$~ z{=NOs5n51b2e|4ZCQ4UpDH?efRmQxGsEw)Fm}S9thOjrN14904!vd}vyWU0xr6Tx* zqB3(CH#oLeem#`R&}O0JvOr7d``=(@$qS_;~QK~}D9qQhx{3RUg9J$r@a3g zh^n_Ph*TY^5KKe4YZU$l+IkW5u0gDEMl;QGPyObaGb%TXAnzd2I-^!|?_*uKi7I<& zdHmLT_onJfQ?{xLY8kSsvP$}*?({$2sJ+Eq?c|RA3jdx^hjW!CyrC)EC$+S}mV|4% zPfa}uMa@BbeYxLIlN;|Zyttm*Da0DhEwE-eYxj6skq1^s4;S>;`GOe&+$ijLy7tpa zCS&@1Pj$pku_-vxw=^*}wy?k&vW~D0=$1cZIAAbqcNn+k?{1U7obsC(JmGpqWxKG; ze!-_aQ~ji%W2uaVq=T_$4}=K-W%h$I;YSSDXMT4&Q0*|{tqe`gb zV~QYj0wSs>RO7sNgm><_>J{aTD#%j15Gst6)idfx7~>H*PsLG?6|QH&He)5YQnL^( zjEwweWcksBmc)Cl1(~A`o1<XQ1%#tNE&{lM8UQJ2dk#k;@E7psdu@D@ zPho}{)86hLHgPkl8HSh>0{IX!muLl)7#~*xyA{Hnx+oT+k%N~}OsjcG9FFNwl8ec< z*H)|%KNAL~W6#U91nx(9ECYi+ZA~GwVLaIH6A%8+V8Ev}h(2$ibS1OuA_eYvuZ9C> znv*|uOqzHNbqq1h6XV;ZqU&O!__ZEV@4xtz2IHtS5@3U9W;zU>1TqIh3WvSgqNffe z<6`3B)b7vyPa+96SmD8ec=3*kafzSV`10LWnf}DzwxeoD5C6u$mdI!OsFKYtnJ2`BxX9{( z1{7qE6(Ime26dke0|eVn2L?24Ev=&{r36Kc#xBLcyyLBk(#lu`oG~wDI#AU^Hz5tD z-1xpqbb4#v?cXW*;Ocg?Cl=gYo5^6LEm8;ac*Wi3pG$jD($M%$Lf^)e#$Q|4kBuDVIq{f$4Xf2<(s? 
zch&Lm2E^cV_4OTXM0Zx|wy~Ii#H4U?EFi7c_UQK28nEKxwF6FR>BIOTVLfZRyyV)% z&JLt44Dh?d{7S=4n344ye6Mc;!hk-;l{0fk|3JTjNkGc{RubJPH;6@mm z06lQ;s$~d9G~{J)Myd)5-1aGni-DWO#9cAX6d6535*(^=_$1>5#BcZAjfM$d*$Z56 zU~hidTUha${KEF8cF~@ZVz{W}N{0-m>qNv?^_ys7l4)=cTNalwPA*q^yUkQLQj+@b zLx-5$)ep=Le%|f`#ScXmkFC=yTu__PqaF+Ksr{?Fzo&nKU`Kb=X^J0WmQU@nYS=q+ zWRU5#L#yWwICK|m)xbK6Q>PQ~;6|LfizRso2mJj~X-xl1XL5}A@k5`3w^bzO!gDHY z;NHqz7(ts%yWqcWr70rSZ@2Z1!d-bwCuz&f4n5;~lVJY}Z_Tz(`1x<3D7z8xX@Xxw zsV_1B0Mq~66V1xZz~08e#@O+H1JYYk-LgSiL+LSyxw=zD6zJx)C4;yv#u||kc!h`% z^KY<3v}wvSS}|f~aIisaFogqSL@>suHKIs z231CTGzIbAKk>ZHdDpVgn50q0c;IlueKPsN=J2!o)DF-FW|K5qW)1KSWlpo9 z^U)jwy!!&+Pv(o=II5LMSf$)dR4H%aA9Ig=^iWUzFJ>Jnx|9%K2z0n%Y&wwgT%xt$ zI*{}npNrFRbX!QXk$Mi-%EW;GS`0fJci$J33gEO8Iv2VPR|C*hpPH6vea!He-^4Tq z%b1ojx}I*REwwCTh$CHZO~NT;m?d40>-tI)`rHq=>Xj1l+{eEvxbDpc@*&2_H~dwI z6PS#$i|0MlrnAsO;2p6SK8OgRGgTOC&PM6gvs9}SRfQ4Kw7Q;&t+*svmWZ9Auc0N5 zsU3)+VoOjwMJ}#9U?wgY+lgP9t7(>)7`ykKSlfsKGm>Btd?2A9XaUhfLJ#Do37NE^NhMTCutzY?b1c{sUtt~f5?nSWQLm}-TFDR0VnXx@LNp8kZ!%^jicfmYV zAFDC$bv0@_sTDbevEh!0Xj%e+mhciEDi~VT>x5)-17hYMi1I)HoyskP!qO^c`0EA? 
zKXL+5dcJ9^5Pe>6qtpkkd}mVhSTTrV38pjR6iOk6&b*HJEZGP%d%%@YFis*wq8zQk zx!z?_pf&%di0+Gogg+HLF>`pv$SyVWVHc*@-s@FrFi?vDTW$F${6FTu!9aPCXBAO) zZiL9`*&GdZdDY=q^HpI_cJ5VMP+BmB`(1(%2<*{wxrs~#3Q4!UoiL?Nga+rjZdE{o_k-rZ7%_$NHHY$ zerunfCvT@UPjeSRa~JI|6aFs~Q?_*%qg}GNhQ9~Q(e>fArHM;@yG{3Q2JO2H!trgj z$I92@$7IDvKdA1iA?_N^Dvm41qvfb!cb$4iOgC_#CCvgBT*}H4=G@B#yfnOE-H>3k z+y)@T0fq+Laz5kw4-7WPUs+pIMzG@pSK@@k<4K%1jIEvW=Ze%!kzi`7k!2-8wP>qJ zW2SiSONa1#Wo%(w=++R8O-XTGZr4qe+dm2nLXZwK2ofUWhd?m7YIuBTr_WbG#jGw2 zF7_Ke2P7&4lw@XtSJw!DOtOR+O^{winBLoJgO$6*x5=^( zW9aU+`kE4lg$)yz>GN)A(4C*&UK%QfeO0c=&0mbXe}?@F15jq{SXG6A(*+0Bs`=&1#3T|mNyj><~I#)AeUEiRUc0UaS3qdRq} z%`{&nj#^4`7EeS`fLyn3xLhnFQ0TiB9>JgsjZsd%$>jFRp?%=rsL4Vj-VK8K3YfC1v#Epmh`obOVKuP zUvbT|@N{T9HQVXba(qk#Fu|gL+V%i$r+e+XQihhXK`QA1aotFxIJt4QEq&>J0bFk{ z!^2qN^ap*HLQ?*oh5mkZ_n?HH)8c1KF`20--<>&exqBYUifE@(g+IRU-;{LG?dDD8{3%d%5rw)I z%Z{nt!bzqO17_y@@UZQjZZ@RWWS++iwAYXZ%{k)Q1#nz3L^Z`fZDz{b!0ZE@w+LG( zn^otvIp$11o{XG~0 z@=|T-5~P+69zFb)LV3`~&-`(CH!XLW{Z? z;pQDz^~s#o0*jw?M4FNOQ$t8J!JL;1##kj+JDkSG){X}|9SJTzC`!pz8ssY&L`8}& zgL3_riwhcX)F`A?6yKOc;8wO@MV!yy62M{QUQzG@e&Tg}C(|89x z`M2IkIP}xyF$=U-mHU-?uQmrd0c>G@h}V!!2!R5T-6;6faH~v8N*ZkB6#QQ#E-(J? 
z^q?u|Qt`tU#)8cynphcK7<;vHc4zLvvPPxsq>z>Y4LAl&%90MUpH!2Zdf0;?TWO;@ zwES5xoPMSOW{bdLtjl9_r=3g%Ka07g#dr?w`4%x98@JOM>$l??I|&Q~SZO{hdZDDt zvUx)8BYpeIAz;hd`62h8^QZV&}l#b04l#|W5)m4j~UolJKEb=I{a_!SdhY$ z1rq-+H$Ka7!SEul${(T%oLs1Gg9MfO3*br=o(KvIu8nFV%c{fixgbGYEH@5H2c)k6 z*P}dEZ zbnz{_gv}EK{SYu%jbJwJ{+Ci~1b&17qBa~VlxfN{K0}Y~1^ob}qT_$q3mTcjkDHMQ zY&7S9@gx?jR>;!un@~}SNH&v<+vED}cqYY_6v)45FAb;3j`UQBaHNT9wi!eK^J|g0 zyWy%EDb__gxRHz$^sSp+2)pmW<3RxXC7`hfxq>X{O zE$4gIHnG0kTrYJ|Zl4P*W9c@uXOul7D7mv#Ig?ev$Th|wP+;JKp-?p+v3DG(Q@G0v zVMg-vKa`kahS`V+{Vvy1Ndi3ziTnfNo@XCn3%0wJIn4P7w^8l+nRC{O1JpIfa@W&E zYlWfHv*#7e92&U9$IBK6&P0#w|4GwkXr4uh<6mfM$UIp6@GzdX4_()s8xGs8MT%T1 zPu0}I%q&5$d@_-~q?))3b$Gh<*MJ062xsh0Y@X7|8YkZLgTr#}o-|$DT)sTZ6o(;_ znm(dOd6#=@^ZvFmLQ@cJfML=UZ0Ks9D)4v;OBx=Oz%jxkQxr@q&JP9GnNYRjWp(YR=|;GtSxdJE>zRXmYJ669QSpzp9mJdUs9 zn{&EMYsV#XobsgOW?sUS^MKVS;O`u@)X9^#Ezt-tQ*MSk4P}F~YYm-Z$E88E@Y}Zh zLh3Zl5+oCZ5QG#!1_C4pSYVDlZ%Nmyd_I9Huw%pa=b4q*W&MBQ-UDOL%Qe6N0JmWO zfB0Gk*8j~%Fr_qOgC&fdz4r8*IwT>6go)o5PLd=Q+R_YZ1}#8AA}p4~KM3&;-)g1f zz%}FU+T9sDb3Y%K?JyNOAB~8paK1F<6DJcpF`!97CRETSnSh4f$#{PCLWNuD+;45` zH-CG(+wJCKdopLO5=hOXf?LR@1mG21DE+aLw~X$NvX&oabvBvKQk=Prc;!%~5;Z`J z^uU!;Ub5D1GWx)fQdzRD&YaXIxQXdPu~Jnn$GFR!66Wf!1#&CQ%B7*t391osSCCx7D>@ynF|>MP+*)e&WsmOn;^RJ z3>DQ((cl0pHG8~LrkAI;{onZWzQ59h6B)O-jwT+l5(Znz=m|=hmi%7hoWq)&$-RP!SRrx=#C@shFVFJmvTD5SQVzUkFL5IfmK zZMz$X`gxb^&ZUuhPy$N?uufD+oQ|ZCHW{q}K-ZE6SB+I4gKI40^DWZ(tX!6ah^Hd* zw8@oK*C?CRs4FTp&K>*%ry5rZ4^TE4R$b*E(LDmv^H&Wpgpkty<#i5p=S~lL(aD_z^F{0OWcM_hTvBw5 z{~y-gGN{eyYxkywLW>72ZpEGAlwtu&(BST_#UXgH00oM>G!O`0T#6JZZY2aSQi_El z#f!iE-o9jGgDWwK z#z%tv6KD@kH{IqwBHV87I`Yr>J&ru`C!`>H?V_C1eDh~$Zvdx}sD-|UzA~Dn`A0Ij zhIpxd6w=d)Cmvb+zSCAg>3MJjA^On5E)!ERx8e$`=5KJ5!<8dJvVe%38}{o7ZrUx6 zyy4m4*UvxIrdVEEM=8ek_`#)RmG0k-TD>E8Q!=HS8E`;+}y>~qfcbMml(kr=^;Whw~nT+z1(P#7M zv|s27zxVJIqxm_@-E01eQhdpKszkb+-d0KRZ{~|0x-0J^$MI2H;^l!Mc2cfr0fH0Ku3rTGm`P zq;B>0eHwxEqT}E@d-|CMiPX<)`QaW*@eYsEnPaSNxgNQo(%AfaJzKtv+O2shL$WGx z7sTSmaD#$xu)ceP^`hpb(|x$@AW}D!+Ntmwn@clf$y;NC*g_uE+$hXcq&az%Fy$Y* 
zcJy<+N19#?+q~e^WPijS|AxFOU{Q76Ul1?m4$npa*XI3T->=T-hQIowqstsL9_9Pu z)vaEHt11$KAD9Cux8!|ACnx5?zQNLZQ$ZX=YqBEY5UE+m-a)~^W3i8(4Veb|_$Kw0 ziQ2KmN*LpI-*Sn!u?-8JNPYYQ2@k|y07QvkRHroWeX)==H?@Ra9L&%V6H^uxEh!#Jh>LLWtdvETIMk6kF`U}yJb+YRsS zVKb+1YY7Q=G^=3BNA5{WZR_9F2x2S0&GKB&5kKB!9wa0e6BCHnOgvkYO1gzH3J` zeygzX*$rL<9PabcJbtn$C;+>Ac$cFPtgQX-kEMh$Yi9@eMmQgtLDz2n|zr|2>QYE(0!qokfU$pspgiL3c_ zpDFC(U+CGt%#yL`+aJ4Z1x0r@R_`_F^SJ}MKS^7>p_>8B1%8SG%*d`Jd>DqB*^PcL zVOu%Wo50|q<&Nyaq3R+nyYc%Asae-V4Av3c183KFLL1kob+yF!aPca@asla&zepeSY8F9p5?nAW`Rk)14>#cc-k3^+dyNwx;NhlIf35j<1 zlfCh`n_4Ni`D@m>RuRcOK()bwHqs}%VPvxIQ4!OuV#B~&6$-d6wr*J?RvhE!6` zDeccFt04gFB7n$%>UA5N_m&5B7%kfOBizOLR zRGjwFwZY2Zi_crXaZSGZ`?SrPaxsvN>VyO`-BHXmTJa$vVj~VW81(K#GZ9}4m4nqc!F1=3!71`=KnQr9lOj=}?dnCVzYB4I?df6^J zJE0eQ!viIstqmyMLSSZG(`$ESKup?Ccs%tEl1(P`ls1^?FWl@^4#TsNTVk5v}amdcXYZNrsy=Ur8F&wUjz52=F zWHZM#i0>0#wZ&4KF5{4`m+P{7bYO$?sn7lTiLFAQ*CC50kWSY1r-TW1&BR-?HWe65|*zuNZ^a&#rd=5fP}e!>v{nx9o?ZR;+$0i3;Vs zQ)Q}Kab0s+Y6i?|eQ}}ds7;yjxbxooS}|&nqjzbgDS&DfwmL#;H=Cj+|^XE4`F`<&??$c<8v6LBtRtFrJOJLCT4 z{X-c;;B3BhO4dPS=RU*c7NWV9nSTdoB>}-H`00vVZ{vNU-;=oZ48O;O>Fqp_73<3Z z7K*#wCak1=5UKbUyY;$M9~^6n>k#!+Je6`RR)UH8*Y2nkbY8X*)CHk=@%G1;p|*E# z+!}u7#ZeTzs^s$572)|;8rH{^ag&ha_0`+0z2!V9G3luUS6YeUR%&~<=~{<>zX@aA z*ru;;&L!c_M*BaAH4B)L-PTLq%!#5gp(>|YEuxbxZ5~w1(mwEW17eSf!nS+N-=If< z(k_-8LKeIAj;I~O4B28^Xqa48n4iz->UP)B(Zl;5 z*%&(^*SC7=p~g}ERL|>ZThz(1D3iCXpTCyQJwgUoicZW_j_j+PzCQ#XPD}RmQVy%+ z zg3}%dIX%1VW(a=fWz1GSfzF$rF$jeS9H*S23n|1wns|~;-*pec4xf>o8anWUnmUQu zTe=hP-eJwvd|dok-F0KG?YF$FA}lQ=BmWSe(t#1&6&&WZidWIs@1Nvr#=iin)?-p51mSQb z-rGY5%L?)4be%e3eTYg*z_Ae{1RqNOT(sCEx~w+Z>7Q(Rx1gB9)M^_k;VL0HQHtY% zGP_C>PqB*2Wm{z7w_*huNgY@kp(JUsH1869G5o2z?Q6Rcuo7&Iw142i$`rt0IS>|C z`hcl1VWLkv)XF37zT8(#)%W+so8-i!yG!h^Id%7s*NnRJOVuD{dY477^#B@ILytn~ z#h9#u7303As!FH(tD>Fz`*R&tfp4!Yr9x zV2z%t$FdT!`P)~Z^o)N-Lvc2ujz5&*c#TqLUdd{ehO*X^F3Ns{S%Qg$+glb-nD{y6 zgiOE1-iFiSqK5K+Qgn;UYKzMf^8H|7B!9|9JY2!PX8XN7zeBZai_JZOFRQ;GXN&J@ zLab3HrvJ^igFeVJXETi37sk1D7s01^6fzj(P+7RHaXG$mDS?tLzP>G|wT(~FFUq^s 
z>{$sGM(mHpFNFhA#N@4?FNaiG90~PVFVJ{jQ~jv0sa_a^tK<>P<-kxo2vG)^i_N3E2_-g>5(?o)VbFU=I4wQN6_bs#1U8k`3|cA zA!KIUC9BCT{_3YG$X9?W3vWV7lARryNxctwn7JD0JBiBH^3S$H)mQGOJvn2G+}avO znze~(EgkeG@$lxeY?cze-H*Jg*S!5c?gKt<5}A`yE}2v_dJ+ZS6HJoeh7g{W%U1`tnv|FAA%}K<^}cYZWk!uOyx%e##0#nls+wxr zF$TBkkQ~xpWk;wEVI~DQqDSrv=tkCBL`(XtGnwgl7B^+wGMVUw7#3*IVSmYt|EDE$RsDqdE#n84U${9F zK5{$I#hZVpK>T^dbPTa2LQ}C_nm{kNo4k`@kva?MjqGmlNBOngxi{^Vcm)2izhSSE z*Hq~bQAV}{-+JB^TJi=e*}t#dtST<&Q8t+-%hAn+5FSs^dR+;BFq#-$nBi=#a@Mr_ zXb05>bdw(2cL)3+kuQGF5`rDK`@DC^*E26l)}5&LecIRlAetbWDbXSiifDAIfEmRg zUf;jfzoC9IH$sv()hBa z?w7V`yWFl2kR~r35Cw_b?YFiO03?P{cS#7+Co2Cw-b~yK5T+`CvU&2Q?yX-e{m7}z z8XI{d(Vm+@R?z!2tzL<11effez|I7t|XRBt~2O+_EQ9=tkh5$lXd z<(K1^>qKDn^t`-Ax_&%@F9$#)N3hb&6qsYi)5%vnSNk|3S`k zBh+alG^K#M-us!~VG*PUay)WBYi(VYp3T|N$m-YfZL*uNfE%CnVw;GMLIDr{Lq5Xn z@4M`H0aew;l+diSSF_rGk6(Y99BZLUCgFjZZ!wo-b~4lY-e`{Zap;bj`B!n}6oR$ybkF4l(>cZzETMD8I)^$80m(et<3{SHTI)J`O%9}f7 za&CI65zoGpJp8-OiSCf;D4$HT=M8i6@3QmwWaCn<^$?`ODgS>*d)djl9(@1?#tYaJ z48H$0+C7|X|4(TC@#hO!-7V_DW2-gb&w1@}R&_c30U^96Y1I;iJYN_5dw`BY>h z$Wh!eT;4`$ZjlL!Ww*64KVfdEgP@kB?)i|S*#6__boa~qjLXZA*W2HW19VJ_nC>0RG-4WZ>&!pXcQI4 zlOPPX1G9DTEPYQO$X;kLBsHLLkWBX#IJP@3voTUm)5^4z%TLZ zF%p~Us{V=w&-I^~qPhM!K}PDj)I6@5ThS~%7sqXC7BllJ)3o-4MKqx*P_)DK2x_g6 zL>;DvxsQJC9i@hO;Pi>=)r@5jwROy}PpLG4h{6ikK3l@s96_Z)Wu*jtm1C>HGVv}) zTdlIX9E?=&co!pWm#dbelrudE$s8e}ve8t|E3uOt>~5*IuT~pca``X%izt>SC|+S@i5jf%Z#(8pnBZ?3ZUax5;uw z574^am1^V{!jEmwDv*Vn3^_k9gy+XIoXk&amZO5+u8mV3FSPnc7%|Ss2UQB`3F$4T z%?H?>EVX&Uc#E6{D7F~b)B(y7* znH-=+z4O#smuLJM&B~G?!*{wmEYOTgn~AUkgdQXi80J&DUHm zM$gKmjRsTEyg`uVPTm=*i?iB5gR;wgbjWG98pFa&?6yMA+lKPwi6Nm7Yt5ouO}p#y z!na~YV@*?q-2xWFXK?8dyY5u9OVIUTFw0D;f~7UqQukK5~44sW5oSl!3ca^U&83N7TyDCei@R$ zSfxZsrnPBR6`O>IkO1EPdNm-;)`BB&%*z!YMt86v2o-Ia^^~TV9+C)3R%rT7H>T8d zoV3MgTx$~u745AjC3b_^TtWR{HtbAGubdicow|E07#X%Sr;t~lr}>9 z01G}h;e#Ex3ZfB>8HFDZTfEK;e{=u_T%{5h_aLB1>hfGWR8lk7qY4L1$zcXX=z*#L zvsI{Agb0X|snWs;0~`r*0r=JV1XI*u3y65 z)}FlphG?U8pw~@E2jX)hxD?>LouWDU_7uv^kGSJ!-ctoxD4`6}MVa>a;E&_!!Gnm; 
zMc{QTdo-ZOk@G;jzz|jRGW0qL=?^%Uh99x);ecd-sO0p}kBB0UJ2J40&b0*WQ0Mv? zEOc>uI4rvDr1|m44J@?EM+O#Jeij70lS3y%uhWo4fOATC5A&V}C`=h8lYSqE2;;n? z0Y7*OquM?>a!je22$O;P(_>hiqmb`_iQ3eO2tkkyKt#g{2bk#LyQ!eA{5=D!xrY?y zr@!yZ7#=kMWn#LYcOAds&3>^YDQ;X@1~)R)8p zC+kX*fnzzPalx_NbP)&@P#VCuG#!={%=K6B##DsZ{#Ygb+cR1V1DvDqlRoYA=*sRL-1N7Djpbe)N3Ykc@% zlWE(_dvd5}AWCNE45Tygoa>y)IT5J{-7}z;MHM5Bfo43s_05FfEYSJha8XQKL$#e^ zsLcN;N?iyctg!0r4bV-i0~b7H0C@td)rT;_9!pnR1Ko5xu)*_OU07g#y$(V!zfK1| znBM^M3}#+&#s%!^c+?%X=azBvgCuaJ_zVK<^~K=Mt_A~7a}hK=aJiCEG!HmP)7!d3qe>2b4X>< zodcA+sOry3EW)B`KWnWAh^j-a)&b6G;A_l#q3|`Py-QG-EQ%rHJ_;ejefJC;rgu#P zyRSVX0^aGMEuhz}$goe2+4+evImCh0Q8`+*(IZz5FCScm)h6Het3}nMK;vO1_gzWB zw2^Hj+yfOEgi!9|iNQMg?0lP;W7^khlY;$f?7nf6P;Rr*T4y-T2FQQMg^bN1!|F{H zep=(Gz)ZqrNo&^}j%Q6>$9F3zqzzR!%X-aH%UY?5FN$QP-Wqct*Fb$7$Xi>zj-K5Aku*oQCLa9lIn&{2t zDBxTdP7akEY7b_GQ4Rfsiq6+RvU^RC2*&%~l?kS>QRfb(bY|0~FK@!phCHeD>g z2#Y{iaNXg8d-SjWJ94k5=Zc8W9pF8Tdv%~N1=Jc`=JCJ*_#ySNWIMwv>dDhydjheK z)LhYv)JX_{c4-Y5O3gd4K%Ic_)W$LS4QMV&w{&3#9{hy8Ir-(q$KeUDLQSl$(Sd^& z9PWR4QE*H{RJz;_A`v0*ephK)@Quoyn>rBn1PN#%1nTCWn%V!c1k%AS=;IIy8H5U` zl5|346krdMMl524eg{leIZTvUoHLPvP{`wJ8@hY>J)_?F zp&lx!5i;Qe84zX|L zlF6eX(2lEtLnUkKx9E6GC(mDr6%x!8?6|e%qg7Bs@JGsL3NO#;5I1*DhlVaH-|K$Q zh#$n9>Xd-S%dq4-SIOzN3eV34LM1I8v+*#%lpwtpeU?gtlSSi5L_+#CK%`h0if9H= zvh0z-A17~JCuvwA8*k&e4^Ub`nlzJT4;Svhyk`WOQbJ{brsPoGCaAY3J5060h`TD{ z^I$k7g1Zp=)*w}h&$Z!yh|h)Ke*ouRa0AA@3{agssw%@g67dLZ zLa-P|7d_ZR3&H|(*X?)#7US-E0d8%QI57bjxa;4vGVSq#JQPvO>8nYI<&4z`gg;jo z9{5NfLIhi_I(rLT`Fs`%43R}gLa#p|V*%#?crx>z4TwP*#h(5)4xz~zLJckgU-Q5Y zb+2h*Z`Zbmd&1jJU`r1qu1@oSPThi@3lzR-oy8@*Zog`p|l}%50svcRUkkyyVNEZ< z{+ug`h&ry7NJJfH2pxD$tAi4}rt8eKXY#19WhnO%;_irfF9@`zj3P=8g(4U@?_Pps zz}K9x(6Tdc;7a)!9`H^ZZ2-M)MtTsRo4{`X=Th)BmOUa+7!XyIe*Y2C!*NFr4%4}o zg57^U(*)jCO{6@~cy2K`gq1$-jKWgbfKD8+7|sD&jYKW#I0P6}0uWJh;(-lv9)u%~ zK~l`lACMZ*B_k(F;6Y^*4b0DA2@`zG-caIt5RK@{xR855c0(cA$bLYxMag~R=sO9S zq|GbOR}WaNb`KapX?e6Pkgn8607eLgyn+$xN#cW(wIyl6${gzQC|fuSKt$1r3s%Od zu8hKmKS~FLb_7nO4lY21Ve}1yO@cfsJ 
zMe>+9u@7CjSq&l06eCmyESMT9+P7Fn!J%CEYr0 z2G|^jSrj4^{sc(CRimhT%cC8 zZPqUVh14QXiJRrj`niD87U*Ztjt<2GmN2G`QN_KE{{m>o;eQC)?Ek3QGN1pN_0f7z zNb|MpJmX$7s7?Vz0IE|)(V)&(p$M7`cX`wV$U`2*3u7Z8Fc*ran#v+)1Rq!U;oBJ5hV?>P(aORbVne9GP>gsnaEb+b2nej zRXLP@Mt3aYi2Du$ETel3fIX(klLGH_S7QD%n{26~W#f%m2YO7Kf!xCj(b@8N)9I`$qV z5V%E&#rY%B5SXa5^aT7n!w-nUf)@}sH=eqav+jH$X|6)LLzlW{rCihVhd`$2ii=Bm z)aqoA`G0Ov-5??bRDZ#cVtRfT2z3u41^9*|S%`g$k#bN;Lo_i^S{tneq$@k)0Mga^ zV8Pfp)s;{wARS^6Jtt~d8TW)NN)28@?CVoykjEhrl+h-nbRa_wP6kU-fRptk3Bk!a zkT)=UZn|WI1jrj8qKU==O3R^vzzG8gGpw-GhXkhKXD$cZq}7K}RCfKB7jX7?0n6kn zh(WM(7bGEGKY~Z-dq$4)0}rsE=Ik-C$KcW8ZuEd_T6_s%`dlK=J$*?^@D67|GJ+nC zN9_9<$px&@-&52r(zW@+yg68vuy&tE2HSKsfIXwDQfwMX;+1QX9Li)i?y@OoS`s>M zRR)eo)B$Ds7r)X@>x=ub!3wq(7NIT3dT-(bQ}i1Xnol%!xmCFjevDVU!N9NI>Sv*T zR;Oz;uNcgt94V#dppGuICJByN;(m`N)_Y$FXmYf$1@(*eHmLKdejnAUmL}>Ow^kYALtLc zD>N#uPOdx&AqYUVpf=04a~;R08`o7pGd!?SLVQPNc9y z?G75SgD`HlBaVH&_q*0ui?l#;&T`H8slCo=#pj6AJn6aVo1M-B4jx4sK8<1Yi`(m z*_l63`mfFf*ejC@{Gfd;2BZJSdE+RdngJ}C)m&5_GpYm<=sbGeNzKL6Vdb%$%I_H* z&5z=;Ngrf(&PNhLsq30pU~C)*QHX*JKRHw_=qr=6KU|u)xg2Q@T{3ZE03KAG2>_){ zon(Lqb;1BJ4u|wpFb)@86e2Q%@Ns#zOndbi%H5B;e^hWA5&+FD6{Z3!bE(Urbm30W z+*)Bw@av2udDJwhk=XYmvIKDc5^e)HH-ta>TXFahi*pO|7@AumObI?s*N{b#rfUFE zx1!4T!0#DpsQbqdgOSq{7zJ0s2ZT<>V}PL^Ndn~6lOzCZ>Pymr9XS4X(FGkz2Cy{f z(RlVfS`S>$XEH@a)<>7jl~Y%Bp^t6+V0>PowXc`{0Yof&(vl0Xd@`3rAhnlyI0eHkRW9sSvPBpxv|8B zzSVc3WUQ^pJqGA$h>xhXeEQJaK1^BPaOlmwd7OcagAJH8zhT2cRs zla;x4wB=)Qdg*d9O*nZeb&8qK;IkboF5_x(4bVuItV;F_{h3p=ertQWla*Y!aof~* zkH6zk5Xio>lYbQ`Hi`XrZ8XL+H04wkIhJqHE*Yxx&dA~lQL!N6W6(5q9`tU%TPtf! zgy;L7VZK6|b@a5#? 
z;LA@hO0!7KGBMXOOf5=t@Ezyl)%2<>H;>=9(%LQalVdjr$3$ZNE}H;lxd_Pp8xv;dUN8Z2!m8sn8z(+dH9==wk-c z-cjaY3V#0@ue3B)SnHXPffg^{_sTH_XZiSg63C|vt=cFCTh@=1|naxeEvzNcuDQaE#)%K&_G0-#y_&a{7|*;q!9(8wqA*HuWxs zAKnmp2d@^d8L%c#bQCYs{QcK?vfyKY<#Km;%?Do%uN&1tzvxi6j^N*|@R|1?C&a!h zlxUXow;n-K`%Ba3#kG;Nie($>ny_Z|DR6)vzrd*#@{(6{ zJB8l+4i426MRtO53S$cdS|EHEo4n$~r-Hp#Q4>=tfq`)sfofOs$@5r$KdRhzL2MJ( z8rzt6>D$}-WV~wYM%(TpQns8}W{}*Jb8y{RI6QH3ys`>!oVTvZH2tm2vxjjL;RajV z#Bw%H!(T-^glrR>b<{cs1W8mzTRE>A?490sPf0b5>Y_@=GHyO}gDhs>T{Vq}sMfe= zy!Bu-{6&z76SBoCHc-SP#%h9l%i2@@{vZ)#=s$jl2)!{2VSyZ}@6LYl@lf0GZS)_a ztzVm^L6-j#9v)v2jJq+DCfX0Ix%s;y*nj!8BNAJb6~C0OU21#yuD15ez50tgr+&X7 z{NR6g$UKARZh*#A9Hnug4zbbeVn&Zr<;2Y zL~o>RjfM|?UHke(c7Hsb5?XXH{kQh>@5D)b{X}4h8EFSZtKP-sUGJP0cjphAr~27% zd}5-FKaX%eej!srepoOquH0HPgK`^WMS1U=!?_e1vBa7m6=mRhw`ve zQ*C!8+iyEr23*{<^9k&rZ(WGFgBl+(8E`;jwYaa&t&O6_z>bDnAnMRR8aR$0$o@I# zRPSh?wP$}%&?fmdSF45nb2VqjenDH5UWtCPv0zTo<+=s>_d%TxBWm5{at+6f(Em@Q z+5SoSh{wGT{hL`<)^3Z*r!rK~(xGQs!he#!y{PoQFf!QcyK+k4%?fDa8*2CM{?Qq}C z7943TjS^`J#SSPjuA3_fSmpcK0LA2XxJX?lpWQQNA@r?jqws*n>CThE4{h>axbV7N zj(PKUSTbC049~{0va!y^CcXO^J7w8^@gz3dq`ojbmOnScU51`T|KHQ1p)tw{tIzk- zpFV|$UKkz+*kw=}2I8dqt3Ckhxj4T}5AeJDm?~WC4U;bhl~~hg8}JPpK>UVRce7)V zCS!h42g9KpC+MWFskoP~$VJby7hjt8_#7Y!%*50lThSU!eGY;Ux}`phrMW0A79w-L zZa5so7tRtlh`q56y1r2KPj-&a`6=+PnNL9!tEJT4w6jX}q>yjqt94qQb((+K0d5gb zk?@<1lMRA`y23fK*PT}He}5Z{SBtw4 zTVSki6oP04M*P7HoC^bBXS=8na zI(fO6m6Dk+$;QjdD$U9&K|T^fSatrAyFqmQVuxn+*T->`U~IQ+?kw+aE#7wEakXf) z;-XS_7ZFy#2&!qCDz@9UgWTNgS4G2yorAvdlI>MMQr+Zzy3>KFKtJwfz|J*c7t>6< zzzK$_qi?=R{er=ttk=D!|xGxqDp*P+(`4Ey6JEv-u+SAh3swftdDYXOeZ5(jrB?A@yTU0H#8NzLxw z&xfBGtY6C>b{?Oqsr6rvAAF3GODp@XXj!|a4HT?=TtuU6Qm{$2S#>t-|C}vLxx8S- z=md1IKj`mpuuo^>yR85!3?tXOsG9xU>QHKUEOLVNH;}vX{*g)OCk5JIC5LC^Pq z)XgPR8-;9@ogwyvFFVmABZ^UZ9#@a6t+#sbG{-;{N1yrABycT&fzV--%HW+09k8Bp zx`##Bb+*EO1||2RlvS|PbZO+#FvzL9WuMc_Ep{Q*+1K$tYH=`Z*UU-(!#>w{ns=ve zc(m3w9gpf_@mTnLVTa(}oRC5ds#PUik57mRX{{NVFQ@7>rs`}mQ+Y+CPoJ;2Y*w@H 
zUa-$zNvlLG<>qc52?us6mzUk$FdLn};H69%a!~vh@~MhWXRX{$bL$p2>>Hh0UbgQ(h_@qmT2iyZQZ~koEmR$CCk^o68Q1p2JXs9;NUHJyMCQA}nx& zF`xd}YPy|>l*7^X8eS!pBSw$1H@O*EWPE3;B5I{8>p?NRg8oCTO;~8-Q`On#vzWpM z@Q>-9pa*N?Ivbvnq8?IV0rV^LyZCGZmN31dAe=d#dLuF)4eE{L)`8Lrz+nxAS-@A@ z;CKm3HA;WN_4Kc_ZlN(jUvNG%e0O4;HEi%CXf?!9 zSMGx5sWH;jwk=wI-Fk&FMkasD(qzcP4T0jkpYk5e!rl8MoGS$!i)sn&ao{9*R~CJR zGDP7nTH0<1123L}RQOKbQ;c4(d$Q%}1xwoa=M9axA9nk3f4*8!d?2kg`s9wb$8-7Q z0JXESO!xNaj1wB6fbm7eySJEZ0$Nm^+y*BE#@U>{cMh;&(Z0luYf$;Xl}Ek8Hq4s$ zykk<{j|Jrz^XX}xGD_eb)iEPV8H+&4KTl}J=nvrf+rivh(r+&*E{Q2>2*S1Ko)|c^ zl`u(eV1+yn`pc#=ul=!qj$Hgjr0TEgRx7@=rR*F% z&Nb673^0l7zuM5Da-}r;5-dM^Je%FkXV#%n0)!oaq`DuudbUNKF!}Y0@x4JOD*`@& zB)Tg!k4uT#-0uN8jn}tJizNfw%wKl1TLeUx+q-=UZ|NR4*0Eo16G+q5EEJ*S@=PumOrf6h;vYG=bI%@g*XAWIZzwk4J zjeoW&%zt}U%~xD4uhTZ$%7>J;DC3IpNkQb;LYq#ub+q4!}L8llAHHBs#-f}|v7*E6S zDqJc|_}j&=GzIx0sqEwWRFq{!&F|jh#PqN?32YI zKjUA--*$^$>;8UIG=mkiN%g_%<}Y~2a>|7p7+srI{&8T+G)f?mo%|E#)1~Kv+|ktW z<(Iu-Ke+^p#~)+?{oYINe~6{_(+>#EVrvFo$>04WhjA1NzwgC#TIXp+aSCcj+#F> zpR!@KaG3cq{hPf1wpDD2(sqsRfQSy0V!e)2`TCkF2;Vb8B8uX>^>VJ4R3+wBi&qak-i&+#%I}_?p3Sl9F@b{eWzfruy2*d5?*UmRs|J0bk zS!^f%SMK|_01q;Y()qDCSHAV+A7*DSbWKy~trs=-BJm{7vO*vK$^Jq-T@zRjCDCG3 zjrdd1ynp5^Prkh$ee1?{1DLC>iQeH{##yfv5CQO|^7NH(D7J6%!UlPM<a(P6Il~IzzKQO;)%#*Ve@@W?n|b4$7_lfYxzLFbJ}z{=HebWG^lkRpnLs}9B_g># zhOg5|%+tPczD)8wia_?0mP?`^jfh1vski{ab7^7>wC*vz2+q{fH#Wy`oR_lXTdT4G z!S`mkC>y14K|db`4M(r)Pr9UwJCUI$GtYUA%(w%_v0Odhb*47wbta_k^MGbv)%-C? z=6qOL;+Wt?3)b*wo6AB0*gl44A(+s&v$?DU)e-#JILEjXExDP?&A%suz3o;Dcc{Ae|T96Glsorkhmce z*3d`4BFmamM=0EvhSN_(CZJh?zufH2CS9WuPD;{chZgB=R@uCIrU9GD+QqpzP_3d_ z6D0)X&R#m#c zbm(m~JB>^tsQoRW+x4YI+~8RQU9eWZmNV@o`fS}4nKuzVs=+yG=9leO?w1`aY{DT? 
z-eS^EXQj(!qH3~0y1hXz+VTru8xc!rgvWJ?Q?c{en-Gguy|L6J_PX6SzdT9!^3Z(F&tH;nXHO_d_joY< zDfm3nWaIotekBgN5XYyAHPu(hZ*OAm{_^~l^(yk^u^~O^#vul!Ezp?vp zuj9~)9jI^8aE$enL*(Zx{;P?rUkW)-YQ|I+o-;cYmO4}Cb#4jc2&HhNY4g>=+CJa7 zsa8?znV1i#l*vf-b7)ynZKfc%Ks}B*&QE5kUdZ7TEDl<)YpD?1|F@6d;u)(GTcx?^ zBZXyu{bw0D0chx(~T?^!w}d`Rc2ps2u2tNLw_9A3{#p}q7mSJiy$mYJL^=&K}A#aB+89Mllya1R&?eeVWygP3$i7>+YfeZ*7ChkG-ANKfnQw^0 z2KZ_Y<1q2kEpo*rGiH={4r9WV%$_3EUn<4O-4uMLeO~j;kQOubWg)kKU+*k!JA}2U zIQ!R?FwNDN2|50T^b@Jm2maodYR^QtemJha5K-M_s^QG5*3;5@tne$C&oFd9p}9T{ z%PNOqh|CxN%P#(17B0p6F94wY*z}i`AM2Lue20p}6#KPBG{Yx{0o`eXm&%QL)lY+L z>#*;qi*QEc`q*kpdg}2xpCwgoO zkeXJ*t{)s!=Vkh2y02Xt7=TTZw$ZHPO(ZJ#`A6&DLWcHyh1NfHHSAn3v%ShBZQrzG zE*?lA%$3aS!?Eq5jWpkx>SryA$nV1(vhw;pwQI|$-P^=jMN*bwSEg}iIm6t8BlW$i zN;m?)WS4CooGe%ymP9%u>p=I0|5XV4U^+4=3y4vn>_r2E@@Kf;SQzMEtE zk-_{yuZP|n0(#BI>x<7fojcVGNPqU6#gsT=wacs(Fq!EHr8g zm+9RQs*HL}iCO%XDu3G`d-WS*u2kroF9n4T&F>w2L6A0QcDf+;`OF*c+|j*2d?eOTJJ z6J#LZE~@C%YLlSWuG`bzyeGo|>^^s?M(__Dlq(1wBM0Et!Ck&*klQZkHI28{B-}RB zF8Da_w0&FMM4RWcnDkqz?KHkVv)dI;v>+FJ#Nq{5Uc;~H`QIr zRfMGFw>suZ(*4Rw$seeOu*qMJ3j{$km5QH34Zy2cpe@ZOAAleC5nv=2qrd`95!<1* zUBx&{bswvG!6+xC)y`a<3qhuM2NG&)vhJGjq|VF_+Low$GnbMN1ddI9fu+7m6=4i0^nozaY7q6`!Y|2jaqONyO+blLR)oZgRo zwKib5(@61imi%-jLHj&8=yO!SaRS7v2>2K&zOL}!<_{>Lb90@WLYV| z>`(2js@1Kn7wX2nRz{%&ct7@CT$~(4jdNv{+2=uH9`k+VMr>(A$B z*L#r!Zh+6|ksg8NB%xPVK2B)y>{ewbDjw3#W{2;#w=ekyj=VG?W7<{7qZV~E#E1>3 z39Pwq=r&t2YMJ?SUke+Lz`VIo^f<0i?sDo57~45(K!_!ih0v0MZP_ar+M%mzcpvMy z?w=7UJz7t!7D@W5`#pUXWz^b0*6UC`PeKk@bJKkTIjg5*C|gjGzRaF{;KXyvq)ymcU7lu zlj=45TfXrd(W0LO%fZpnji8OHMZUzC_Jr7h=}W6q`Jx%YboBt)9&cjLK)agIZvs5J zgiqv;<`!5n*<+y034EJQk@3$Ku+||HQJHsnD=BANQWGozao}%EEAi=BoxzDpQJCik z{Z1D}`ph5HgpPy;vBCUcdl*dw-X3c`GigqxPNs%)=GyHF)R{#ShHKP+BJeY*Uupd3 z?U+S60GpKPUYl#@4U>l1k&3Y!;v&Aw4E{!nO$gEPmtz)nQeL-b7_m=N^w#u+J@@C!Tr`KC@v@KDOC~%1^`BG{zCbyk15L zw7-w_Vf4>TF@R)h5BAZy?YH7p+vYMOfYa1-cA?rV=26{xWEnxIyPGczh-UadDJVpC zGB0l!dfX&=EgGQQUAqFO7?lw-$ZzX}l^Eacl7NfPgjrm!}_yACk6yQJ3 z_}AVanUQ3dYb*Xv{3;DO;uM9?{=;r@=q|J_}Tp 
z=&B#{R1R30^d#KQ;|5&grDA5QUejw-zlCIM*6sFdKKYJ=azz{T$KH82gX%PV){%*+ zjc(jM?7d2UVDALRtqpp0?gSosVv}7j4n~W9V>er{=QMi9ri!w))ep7#9CtHCw%Jvp?m7W0JG zLkqk_clO#lw&@wEO!M2^FyhuXF4`F-I*=neta#FP`4j`)S%Y@0QF=JxZM!J@2 zyD{DzcZ*AUs)FxImMSEr-|aj?pm{7slVJqMOmfRITN=kT{T@$&8tw{&IrLcTlAcbo zbGTMUR_*b_rEP-D7O#oN_i{pw7b}zyu{pIvUcymwc;G`5K2=lxP>oF=89+m6$huu@ zlQ3eF)ciM{6A4xrB&X03yr(kgFZY2Qq8D-U-bvbXKWWGqPN?j|@urvJqp%-Uo6OVpwmJDnHD7#f(D;BQyYi+Pt6oK& zZDns&^zlKB(P*B)L}+$5?+u!}4bx@uuBLLO=o$SJ^16xd4d_1QIWB%w+ zQzc|VAD_QOPkY%1yFKg*u1|*RnW=L86x<<*vMYQJ&kmyn{IIBdCVJr{Vkd$l% zYH^5%YTN3S>g#j%FTGloCyfX-g?jB`db=w~;aRc#s%wA@X5$7efZQT|XU(n$V^Q5D z>6zlh#`3xP7GikTpOEEJu(%#vT{OvP8ErQhl!y$z_jA_y&kR?>Y@ni(r-G{YTt~2JFN&+w+j0yf9DQWt(k z&Rjosl2dDXp`qI@Kvk;*0wBF}BYb%s>0 z2^q#7IU!pyb(l%lCw&j;Q9W|MRt&5kfDUx|zGQ$oj!cry0EOC*Y$!mtdatk?;W6y_ zcg7{~=&QqqD=rLd5 zB7_LUhe+gxdtfdv`waGY7K(SOtjy|mQvi%^3H|4Ds;si=T3I!N5k;=}P!Nd)O`&A$ zSSH1x&;Iue5`w@6YCU{TcxgWjwv|$U8owACEDm2xI6*d5&U4h=`mehuW$_3;m2YS` zqB$JCyQSLBegPZ;$sG143<3!%&#B`=R&ppAS&o33Fubk{Tmp!41!L~1XsUgH@;kw# z7=l7kBCL6330_%Ht21l%^RTmpG1CN+LU~e6(YL+zY~2F>rh_y>326SeIbOF(nad8R;%VK^Zrw6TqGXYF=RGap0+)3|3iap6SaB){p%;fptd zif8VOl5e6vB@SwZ&W*}-*1lE2OX(mb%NT+}aU$0h6}&vq<(qS+C@Uc|f(vK6Od1kD z(t=TZ35Kq)K)}{b7j7gK{di&&9wbHm87BPRK+NWtQk0P>g1pgKeeGyJtUAfXyOMYk z5cJ0%DPfEz70W>*P9Df+)*uWj-q>)$Rm}{!6sy{)ifVwSPM!dh3GSvygM*Y#{NIbE z$(iGvDyjN{5sx9ssmF}nqC+>w?G0B$b8fBxlH+wlu1FR{ma2pc-@eaa%#VB{0TQUs z+!qsa$F62d*736xa>E7HtD>#Bn;3d!)vJaSMV2&;(;T9{eEn&E$B=WcOBF+xvzat5 zpQd%6E>*{0vzLY|rf>^$#ptBiY>0I)BH%U*7{R;utBQAv;{G0;9fx3M6pkL+Krumg2Di|H0Bx4BhhlJE*+kPDK(rV$9v4XzDoHV3}gc9q_phVwi_>YJ( zYPrjx#VdxAc%FpYJ`gp6N&VBvn{n(*S>FN|KZ1PG*cxlx6>bj08v-?f2~^88gn}?h zEYWj5R~aw1xZv;goV6n5?sn?tCfAG|+Cf)CP9n&Q6)}nHrsegjoXsM?QZ%?0p5~%! 
z-5DiB7^bYwK|BY#m={20c6M&m-a%6=pRo+3IuVVpgtYJas{ zz1H7QW+XR^X@1mPb*vktG2Aj`DGdP)Kz}vT_ua$PCzR`aNoCJXn*s(s&gQJ$)S2S(2)T?oi!xSc5^pkf(=;=`Y0*(| z!w6Mh`^X@ioE{CNKbAIk*|HY`O0GR^TiFbl66Y%F(aVD2TX*`{WWk+N79Rs4Ctfho zlkfg$A5*IJK=^Qbua5HK^IK96!AYD`=v$(kc; zk;b7iMUkw@DZ%jpPjnFA&1f{&*ZR56%d&BVLblksp}W*XV$s7@*Xxgo*x|YaGEq9t z_WHk7Yh~rq;J`;M%7S1#)vlmR#Z&a0U>Q@sJ1G>618Ti~LG6lDF7Rvuu>_C)*Y@)_ z=+g2TGitIT*|a>n-1hIJH5B=-)eH*p(?C10v(rnO z_*~f<)L!j1sl!W|x-22%8J;w9c1;hB-;|15YyZMl*&ljdkc^8CoNJ|Vha9!8J(~#2 z^#~Lzqp!5fj|kG_*ZJHvEKtqtYBX&jO@)YF7DJ3rgW9HAYxEwBgfwriQ;v4&MIJ3X7I)4><3CWIN%)7GGQ-OKJ*zpX%T3>!f> z0s)5KxXJzVNYK*qNlDCS(r%VOGgANB7gpv4pNhV8Eii_Lv{$#4py`0m74?kC%^--wlF#K zp=iY?5qQomnb@a#$~~a@AVa<0{#^4_utd@`{(|ye z_~W=H^;Az-L~;QI8pYGEB)X$P**LjsJ2VX<1|v#vTOCrcK&2zwW@tJ-^97N;Q(CYu zxn+xfDKRj`#f4zopzRImhfB6&$wWYR+3**H4?%J#fzbV31Nkb8fh7v*(?-1#R}Djy zx8DL7*_;TBR!W9soJp`>BZj_*33xS$*(_q4&kJZ|DqK^zmJE=`8KrWMJ73CSTu2b% zt$FVLNN6|pV%f2pOFo;_j{h=DK(^3KQ#&ul5=h&jc2!FL`sussa!3-iW(;VNhFIS zQA!YVW?IwC*;!|jXO6LLqaJMG!&S~I;> zZL$XHGQ1Gm91rEjQQmL|Old!|>AHPAnVT;Q@g*ojQf0j4H0R|U9UWG8jw$&o7Z{^3 zfKCZ=j?=t0WDKkEQM3wrp5QlIgC%j zd#a>iceGGM{&8kS>W0#z=cHm{rW+rLhYF%;f7|HF$a!|?)N7x*D*m`mOR<~6A+KaW zdir-DnF=Lbhqp!`6|;JBNu%?OAl~8uD08+}?K=4!uRcY`c$wdYil%m)1nqK@q&^4R zrM^KNF`JId%TsWhX(^+EX~A8mIZ=?G|EU!P#6dGxFl`rRQQd)}6hc2M=1 zS~Mx02kq9#1s8hXQ_PM2zOG5My~N9j^;UP8Q_30G3v5mCgo|ptzf#V+5S*aWCKfYb zk7g64O7p&zmoubp#sl2-kZSq+TV_z_0hscyp`3qE?F2b7O93HuQ$s}3%?r9sQIn6} zcA{F(%XvPS`8KAH9W5Y$b2j?26?kxA#H>-W_ILsZOz1uP|A@RaFt_MoD!bG+5Kt?X zpKKioZj1Opp+{@MJ(nT?rtVkYq-ovg(q`os*pw9QAIxx`?_*=15(JVV zQ4`$;3?apLjvf;+3uI0fQ0;?w7L1HutOsp8w*ekzB*gNnYzjZocj(Oqn9H7oC}&H; zuA7+Q{OXu5>Xc7$%lT&ZScIdtTW(j_G1EJo*Ha&RP#asOpw|Cgm?uH0F+z+91CB`@ zH1y^i_!8yjGWLM*G(GV#GY^v5rePmaji3F`7_dvy70BJrdVhIZFtc3l(KzSLBUc7M z0KoGRqLTui5ZTeIlrp_IF-AkN-c&nWw8b>OSo`8ARZXKGx$EYlbco7d^pqg+D9hNS zFE!EnFJ!5vF;_h1lGAccIrlnb-@pWSzO<^D$jCiYa_qhV(0N3nvg0AkCNLz4`H^TG zhEM@WPW63oup;`=iWQr#8+iqPYAE~3C~2ngVj4P~_IOgWd{^Wje$q|?e#LczzuVCf 
zwSRyN%AVfl;Y%#Z2@eYRKq&W)d1l9kGw?z3#g2gegBOIj4qSe^*f8a~5a=P49*+## zq)HD=9{R9UG_K1A3?K%P!32s^JQt4HeF#o-M<3D#BVOz zw!TD<78dY+TNva0H7)wZm@s=J+YBMM!6x0jnu7~KRenE0On$O7MSKbd35F@-c+B}F?+i7O-F%jGgSt+yl7q5+ z+8VAm$%Cc7xT*WI>IHqH3|GWu7r{T{gD;kEmX0;i(_-=E~VKxb-YSxtHq1O6qoAc zI7rf#FR%%Q^9SCmttS+Ej)4N-r0t(D>U;Vqnx@w4DEAbgv~d(Dy4FYva&)xs$ZMii z`XQU$8$~Q@o<_;#`;8A2wqPjeO4=+r24{$BITsWmFQt#N6?0KV7WB>cGVgeEdTkI8 z9{;GlK8S(4WM!-vam#=$$cL!K7wSYUbV#~LqA2#sLH{#&#JCxK19zPWxH^Pn!P*be zW%0&|#BJEW_KhPW8*}KG0q5AL*qlW4>WL$9=?KOF+F1ld6{JZ>ICwM$|6 z=9ux#ZS(Z_vAkm`ZZQ{9(SiGM82&ANDu3V+Q{xN{xe=oasic!@>Egx>5ee&O)DXL)#tMKt0S>eY?Q<|G-bV! z%)mczdJ10Ly#Hwh$kn1xw1cL5G{|mRMtUOl27LG*Rn+rL6*BToJL+}nq^@Qn;$oP@ zg2BDvsOwgVJkG)k+}@I}d4q48Py)5QkfqySb+@hKb%0H4&NEXcnG9A^(hgo9!WHpk1wdx3& zTs=LNC@)O?lrxEccTHB{IP>&I)aKJamBrshOhHIHKeF=biR4`Tvs z_DhVm0Y5T2m9pU2+<9N$(w*%Cg5LH!oa@KSCQ4%vD!WJ`t(4#6QSD+7j1#SS@`l2- zLKQ-zt%QwX5T=2u#msD;z9uq}a-=FSzF-Cif*mMFRj~9n&m0nv2-#uL*8Q0tBeMbK z9RkiOhH}P-46#198&#ZCslbiAm;hdSYxtw7GB)k?Jui(byycBs+YMg*7K1prIo`ts zZCy2<5NzLuv9pEAL$gCs<`H3E7;gkhIe2Z;WQf!{YP|~EW78n%_1*DWRj+OYnkGa*EyYtza7$oxFuEE#?M6NhZ>;n> zfw6ca05>QO-`wNF6?mli5Q-8mrI~_iJ`6Hz4UzeyCm0H|tgrW9GqK#^PD8|7LqvckQsP_{_{Mt_l>4S~APsXW+k(BYNx}L83cx!;^mWi>@0k*e6 zo_*k-@LxSDG#+bf=1W}d=p7dO2ilf+&OQAmjPIXpX7y0%VR%FGBz05zB7dM_CUh)U zeA`*D)={`EdS&RM*89s9&KAKa>3Khs_O0ukEnY<_i@coJ2J*Z*^nAUYp4`$L+vj%= z5Ap8q<6d8Rc)ua>exl?2`bT>Y4tMYFZ(m>Gy+6sgpYd+vhX)65?#}M)l_&b^^7f42 z@ep}$4i5o&aSsj=czFj$>+bJ4czgOrjl4g>@OneQH7J)OYgP=ZwzxOkRiuVpn|tJLrWYobO-q() z+5Fh6+3pe+bHwUSBcsFuA{3+1?RDy;#1F@J9LP94$GP*G87eVgm=#zo-pBy9~|sNH6Nc86VWo=;|1XVY%J zy&peUz&@=m$2D$d-rmj3+EX55M$Ot;z9*;u<<;fX@o-PlFx_2zHEk`tJ*Szq$2_KV z=h^9L&(uh~EJEgd8QVTP4`#vyCDACR+@%DQz6Epi6ZOy4}b;-5>K-G_k1e5gb zAd*ZK#&3ZDN=%Y1+m1X`wN5&Lfx{O-1O~M4P&I{@jma!3W)(oUs?iJ}*fPyx$ z)PP1Qoy@!BVjdgm^p?jFvR&GcqjWkRR)LuNbmygtS&Lr{j_=jg;!!?4}9T z*YMOAd=(+Z0?K~n0vqWUT~YMda!8fHt;~B>>As!Jdsb=ZZpM>ewVWfXC1LQmHx=1q zP{v!QsedoqIk>20t`5rkd@)DV$O#SUckv+TUZDsRfK;DJtVKc%q*{)ue--L9ezk_} 
z6#KV>7IRQz>>1c-A-P*{l~h(AO_b@hyZY;%4D;8X}&_Ldl8arnq7`w=Z9Pe!gfip2mfaeq7!X-Yw3cuN?-d zpIEd(_)J;iZ=sWgp|8poz@e|p1_7$Cz~)VIy_DwSQ-`m)Jgoq$ep>Dt)GZCGpJXJ% zJQMtt{Tuns0B0ZVXg#|$q*tbA-y(uV>)>^9vGiDv*FAwFM9@Y{YBF=Hm^LX4l zo3R#nCx@WRWk6cdpM8B0bY6yZgw|om%-5?y{qh)=<+Zx7l+Acb5U8fC*ar|-@fkk$ zGSBQd{jp-E+Ie|oedMG2j*)m~i%FdZg+ZDf>%L|MA+|pVv8vU&40s8_seVys4XZ^A%-N-K?1HMAuD`}?7 z)B5(#YNkON9>3M0yqj3H4gjsLDvTJCy~f%Vl)Xy0RsWmL%zh1UTYGF=ysW;O&O^2H z0Gr3a!K^;GIWM&)!v9DQV+;7|?2vf5KfB`?i1P&M*oOjwzp;E4fIvSf#~r-Vhy;Ll z8FT^RUitS0g1&43gPz82Q~o%t4vE#++QLlYFA)nK>QVg5d93dscMD@5^(d0iOkNE? zhkmZnK>VOtl{}#O5jxvZ&YWr~Vm|c}$uxck5jFagCKwI?~ejMe+l;`1DzVN!kopfhuV51W3sdi*Z!n1gCLSeXBND1>j>*6$9JrVd+Kna^ z0Mr+ujUd#Q^+44Zl{J8u9p_d6Suf1s;?Qd=&Fg@!F3Zn=Nf+b%|?RR?+1A{Ms%|MI0K=Yrn;~Lbq z-&}lh4t4d{)k*5?>xP_OZ-#$5uN{Jikv1nKf#6P`yNdop&&|-oM2OT8!MCL16l@tw z#yr{&Nnd%X1A~5AK4Ywvi`Yjzx<8%?RO&*))OQtpQauLv*s+7^FM^ZmZxTC*)cG5P zXgOH5oOz2V@Y<5fCQu8D(o%qn3-A(f?nOO3w^1{k9pdRmL|$hd#_8L~TI&l7j~)Q+ z&MM3pqWxRX3I8uoJFC(Im~%CkbDZ`;Mk`}%!8H=U)~}O=yT>}Z-`@%R{+a zf!5}x$JF}4pI0mM%Z!8j6=(o>$0ZElAZPTikkcIh6Y}#>kL^VfH>WpDY(Xyj=>9b+ zp!5YTHK_FND)kf$eN|^YHvO!Fdor@W$hLUeubHc;`KxTZtoXa=G{fpEh0*A1xl!Qg zrybt8uKk8kc?~?v4rdqkYf!uAH;ui6wkc=y*^h<>yLVO744cIvyXU383TQflJd@au zq75Xbn}30{ms7NXJ2*&VoJFQoEpXcU6>J*UIcM{6TmD2FQS zW9PxITN^#Da=CG)=7H5A=s>G-3ZAI1K0(q`&RdkzNk_+bXsd-7_OXkxIMuR}{H4Ml zFKSF1q+?Vnr<~?7OV@ih@z;p`EzT+vfRETxp>H}Wfa=L-j61Np^_U1Dc3#RrsT_^{ z9%SHUfzl~vmZFE!T|8x&^)m`C?>14GeWgPfM$cjly;fIfF^*#F9ZNth9F-vl=8C^H zu6!j=XeTV740~DQj9d}VeMDh8wMg(6L2#I5a?VQTAAqd4fYRyTPGE=*_TTW@^7-E1 z4@wcKdJ_vh3?{sx7hEGUYViB9&rE02X-O)0XDNe}H1Q=E(# zEyk=d>-(vOsUd1C$|egEc*f0EW7qimhpC9EA(|}8CX*5!<7eCRSzg8-Ek<8sAjZcL zdA%u&&T5)4YpU=mz}b3UE@Q@E>2$LL#-v8;s;Sr%!ZGXzn9De!71!XYdzuU+<@c!>vTNz=wuos{(?F;K>HEk=y%$jKc=!Z6K8Zl&am$YXvJ zK~+k8rK61ODP$Vo6iD@oVClD1Y0wPH*&~xuW5{ypIY}1d3+|+Zj4l&B6K_>Z{Kcb; z>M3Mu-joEImUxTZ#B=<`?h-y8V_Cb3vbd>rnpNM}sjWdjKD0-82lRVsO;g8Io|FWl zdjF{dnhX--RJ`vG25kY;6f;D|q?W7lXti9?u{OK&$9JLa$jv>H!bahN#uCXfl->x< 
zR@_FOqM5@CN)P`{_%{ItcUGUIBAooRB2QB778MrTtHN@W__QGi}i(14#41V1x*;71MW)b1e{jR9f z&v`iOWu&!A&2D%JH^;y55E*#5?mW*d4Tqsw2vXdU_*4ykC^=0rp1I2QOG#e(jRJUr zapRNt5?T>1`P8|jJYNS)1S9+XEy3Q~%DdGe1z{FgSrErW^kVVqkzGY!MYZ?CQbzi% z9IP@<&kuMByK@4ycp9ok+lQdkwF3Ae7Ue=fR&1d&*=Mbg_sF^n{xrW`jA#S1t22)? z|4nRdIZjlKTFqOXJ8llhT4Ce%Cjmjv_i;Ad`f44OMj*9r`1P`KKQ{cuks@WNiLnO1 zfm5Q%r&+KoL#(|C^qsNPK+X`zZ%^jr#fs32s?SX+j%Yz(%tvkCnIvah zkRR#VQB_1Kd)%1*AP=juB)0l8n9|kbW67UsG~I%KeQ(N@Pum&2-H$e+B(@Zk(`fh+ z^x{q@TMo}RL1bAq) z_unL)p5GX4FWvCqay`B%gvl+o;GycXrVmyCfC_*|Kf^q-of4?KI~QC-dr;OXfjGXt zwr=i2IC3X8LAxYz1qh2Rw8tm)2r!6yS4#sWdULxbmhqpD_I5KE<7@CDhH@ZssOQ#! z4{F1MswcqLdaP0hOcae|{v z&@N+Ygjq{}yJoWyXesVs_-UhMJuonv7*ifty`@8K<#xS+6%*{RT7aMB7}KRLIh8a? zcJ}eaUTjA+iG1+miT%SJ)FAjNw)F(&uEb5w;eaa44U(9SD*8h|rO^H2=t2$@Et?5{ zhgKI&^Y7|nOc4e(j~Q?4XPJrh$iEzKhE!j|RHSGNiK#3(u%zzV(&~<8NIH=*|0g)Ape@1yj^*4)If<6QDb3pielTzR+X9ImW8MJ z`e!^HjS!s%63Rf=4%{0^<`}6+`E)AO45;c=OdSQ5gNtOX=wHewKJ~q^Ei}Px%p-q0 zq4Wv~XXbI>O;c1R#0#GtxG646S}SbgU?Pdm{BDGl=%Q--BXhhXBbJFA6_i-aHv>S^ zhaz1ic1`49oM=652xQaYB`6nUav(13+wpm%Z5X_`*-^-g@W%H;QN`}o=>CJlVZ{8S zaK|8)b8!WzWL&xwKogSg&-F*CvDe;ynTwRqCGhb$WBckJD0x6d?D4(B4Jy18{A04; z;nls~udm{~roB({pz=P3-(%-#J7RI4Qx6+*EaG39(Y^2+9ys}6<>TT!EZwmR&?~qt z#-BEGw`mWmVCTFHa$`~PpMUaoJ1f)>XyZ~m!?PP9ywVOfS{3mUm{1cgONp{|IK!rS zOon5s-#rb#D{NE!JS}~%dSCUetK1HnbTr)~ao(K&4uJJ`CtZ3#{^c$#^c=4K?lE;8 zm!uM}Zlq1W-_&B&qU_x*D=_FRbd@TG07^FVZcJ?1GhT zqw#8nS$oGmR@i;!_hfqN6i?5(SQ$i-EW54OJst_rY~~fs`V5xg)@if+Iu+k2u#lhq z>|_K+dm6u2_2flP`PBpO)Ts0qfN(C2ue!gB2#!Qu=hII}j)sz!MC$0a@-Vk-a=$ow z(|S;vp#G?^oQs=Ev{`;aaPXgvIoby3Klz{p1v(dRqT6=It@l}%GM-m<3EyBjZ2#oW zA#yG~3Bz~!j2bMr6pA zy~>nu19qJ(o(wpKOd7U+UePScs5xM?(T4!UWU4nHNQUZTh1`n1|wD!fN=3L#LcNPy0XFU=8ALo=X{P&%MckFK=O zt{y0n1|r39zMvl_tr6Q7n<2^#$Yo-k8<4}~GV8DN`*sG>TjXvpcp%kL=loDZyfz{j z#@~elz!txq1d%a%<(Pg#AdxK%8J_}ie9xf#_bi?x{kDMOftAy2hwyrrEy|kL-nB}A z)d}iFJoA)R8KlHy*M*HZ=Lv=j!Fo39w7C^#kgw-LYfJytVp7jBfD_}nYoE3>C)?W1 zQ}M1x-!poaZvB^q>0HoT*_!}7HnBRbStXB_OmH6@L=yb4=Bz5(zQqg^VRQ<4^$+~3_;CtXF&ZrSR2YLc)rP=ALtRPqt 
z3#gI4UgE0{c8I~*uUX%@SOK+8U9N-{3lYbS_@O0EV=PwKS%C$4jr`t(SZ?L5v zevQv)V*pS*@FejMG584zybxkW2DXht{o2%#dDN^uZOWciQgA`Chr(h!_Dr;Dwxz3P zRRmGJ(ZG>Z|L@G89*Urx8R^>0*}fSw($#T{dT7$^|A3%{cAZXs1iMP5XNjs^7J;Ld zOV5;8=_mwHWxg%t5|@-#+X_lCBPFYcS_^8|QzNLzfFI-}hJF0DYW$vKtW&^Z<&v)G z)X$nt7x`wAh75*9d((e5OPaX?aN=dE8H6LQH7hM~6>9vjZd}5x=P6zKrPHi5<|=4N zjyO)Y94H=S`tncUQC}CFfjFV?gSldiARSNV>0_INu@maXfhz zW6=y=HYJfpArU$kE8PtwaoI_Y7ua~a$E7KLJAJDo zLRA7C{1s(WQae{)cGHOxC~>XEV+By+w#Fju6MrL{)kcV}_;ZA?oCPoa&y_J1XkVc8 zm!Lj)Qz-q)`nUk@uMe?$n*m5MQ2)Bm(lf-BI-{1~;77?eA8~gh0oJ#1 zs#AVpt!h^4SEw0v077-RRs0gzpJCnJ+Ld)#(&>l zdb8|f62B{5k3G4;Wxla8ftZIAM4@CyQcG`-Cm!KC5Sv9bkGk(2{$w&P$LIRddG!EI z2Q67Y@qu`pj=1;=p=B$QE%6Z_YlVY8h97Uf*=n)BG->tdK!I0t;hoo)6h1@o1s^8^ z=Ulou+n%}76fqR5PPSCu`ClWH_5!;1Khq>NmB3HgWn{|$=?hFArNai`sFRwN)2j!M z(?OvcJwyeOKzRLSl@Ls9OrNQ;5QmF6njd(DNHmH%H`)V9REj#6_WY%K_(>wc;Ok_- zkn^AJz)6b7ep9@5mR5Vf(F$YcdbshRdMJM)p5zi3gUdeb`2grxcQ3mLqCM zP&G4c6BgrX@&?=P-8cnA<3n5Yj42l5C6qCI@#_#gYcbxhK_fuk2f?0$yNF{RW^lwz zX)9g)j>_kk<%w_Z(RpGu#+fvivYun8l-M1!?u@tA6iW=4ENARaFxhA{>|sc=7Bc+3 zy)4OwxjWVXV1|?S3B56w(qI)jm+B0l&S8XWwD3*E{x%Go^=+ae9IkZb;4XUFIR5&F zD@Awwb=;(PC^dbX!aXU8UOfJzRs+|E!bAKG@Un`XNeWOr=%~rx89S34p?Dk^ldt?8 zKDZ!}Umv^{y_HcC?l&yn@EqiUOU0L_jmYd?rAYvh%5by9OcWx-kY=}3?`1e47LTnd zve9nF_@t$i?UTiD1#`8{+4`RL*P%bB?YFHdax%TBU%jXqYtT(&vMsh75 z@F|h>i<;#w`=D#YQrgry)DUoMJ6rqmr^zT^;XI0efuJrOw!3v3R?WnMPTF*Me@ZM1 zmbnl@Qy>f)jVWKq)uZWsb{PMI04GD8CW=_y5{{>F3;rTkItT}`R1O(80OykT{F!YT zAtoe|9gr($F!9rGIZ(uBhYOgCteP-P-{x+rb==GqED@TJz)Z<{1R9W7O}J2&vYJKs zw`S10C>qpI*!I~%Dy3bnP7s2pl1bz2=yW21))N{ywi|a%ZW_1W`b&W%0kg4k0B#E@ z<_; zTf4tY&^2$KH7EQUu0asX`dJhJ@rQ8XP4Xtx0QiX??>aYNJ^tXYNd;F#J+^=&fJOZ& z#l>myLhzY+6OJZdelntpWUnR;m8Qw(9#LB7VrOf?O`&odQycq#y9@eFC5u75Nv;`IVr+Xc z^!Ujq8`EayC^dr}uN1#wUS4%R@RY<_QM)rZ;_9dIZCk(Vsf^DA@HlP)%nn7^t>3RD zpUUV=f=BpuvD9D~#wQjM&aXh`x$qU4lyYJO_Ma%JT=A4eM zKnB%_)IYv8lsOc%sv`eaP!w(tY1=~^iL>U=JvT4Q#<%HP^@4gZ0Q;9q@T<2{Di@k;0J!Z% za9207;#$YWYaF^wt{{_bmn9f}PL2S>eq>e!Bp) 
zn>j9MBtr2_on|88e;Kq5(^@R@U;TBmM__<;9!oxgxJsw@k+=uBN~YJY;{)a-6W`UF z^4IC=%Q@%!_fu$_t|>Q6vbnD&Z1Fdjg|?C2Q6|1)z<>vdO}|y>`Fz(zrbZwEcw8M`Rr|M>|xvw2`MdX`N+ zoWaOHA1h_&09G{8BpVuids=B!6RfHKqwJf)GYPtNV_OqWtcf|Xt%+@YvF%K3+n(6A zZQHiKI63+EbI!%S+2`38eO2AnYpu7ss=8{``*ty|Dj_ja8k`ALJ*r>$wZbUb&sAvb z>h5^BrBE#@n{=Z6RA0qoc0L_GL)VS{2pZlz0l!7}v~W^SAOXSBPCY3{nE@3fCUvWQ zlnCr4kpUO&HI!-le=}o(cqs1gdxlAK?}G$yj=M|VTnNy3z+D7Wk$8P!T?T7tSJ(`= z++Mx`?|0C5?|X<5z*ym9bne!tc)8c=VAreSHU^y8Ii+VFju-(L4Fk!n`NP^nq# zBN|((CVXo@i|;FkSAagJJ<+PV!aYmaz^B`x7F0qV%Pfjm(y@XsAUZj{J>iEE>Z~d=tDq1SL zaBD_xgJ0~QhC&=YnWRhGOQ<=nAUgO?;8$qn-6M}V@8WVLxc;!d~aXc}D#}Ap#vXIP3z(zaTHSb8!LTqF%_0`F0GWj1fm#Wfy8g#}q0Y+RirZl#gNO z69x%vj)4H4Fg1r_LC_c6PY@{>1er?tdRLkp6)Mt>5e|F53Z=yJ*HJkt7 z0>5{P32+Q?lX#xb(&Gr{3~~7F$g*gPpPKd$6VU2b9$OGw>IMH%M?ZJ^X)t~Jw6xA| z=(Mw+{7jHkK?qyGR6s2=-ipiJ2P}cN3=4ka5!7FE@ArvW90T@$jb4~8{x2l1dA^O- z$7dAG^C6)GRl+y}DB<43T6U547**~5QEjQ>*O`r@h}y{-s+!60w1?t8rZJwZ;*;p2 zi9pyH9NUpLoh}FvuVx!0-&qWg4!d}vGZ<*~bf&1&U#58t(90#9o6Y)`T zFL8@qYK!NKQB)vU=CTfYIXu*##8p$_WW@sntmI|Hy&l_FvSFTPW7{*zx$e2RXgv>= zwo=M@rIiTV=C3}7f4aC!X_0{?s!`{Q^6WpU?|JnEe@O>S`l-AnnhCAuOL2-Xdv^6U zrH*+oa`Zr$g#0SHmpR%Ba=1T~IGtCJYSuNp={9aNdLuuU1g1Q5JP-SlLEWz5Gw$KX z9S~J5A%$8>yz-wShuhR_rohZS=X^b%&c}3WwBPt$M2+O|w|dsg?Lw{+#^v}<0!?-L zp!W#l^n5CxOgBkD(D38FUcPcX>vd7VII-hD30=E*t|x;(A%9~FYnIRmpO0z<+eeN!?;LN1z-KkfRF0imvJq+n{eo#p8k{5sw)0Js~_olH~y5f5GXRn<_ zBa6~g>3G|F(_`?P6|n28`}zy$ecGQu`R5bzzpD`Ujlm;HQh|Wfq=SGk|IaGK4yHz| zY)nl58zth23{NMFW%nKcdF4-<%D^qZpO%bG8UnWWtWXbN5QgLpU;}?q3$kd;4P3-F z(lF6nBKMwEmYs7c*u4u~HkbUltVN~JIg2Vc+9cQJ=L-(4;8!yz1~AI z(4XF}CN8cfD&!B0GR#*0l)q)P#$5Y6`E0uaUV_&z_jXFo76|4Z*oQwTQ|=N9zPj3r z{q}W_A?SNxk%)zz0$IRtb|(Z(IcQ=rU7#{|F9cjTC}Yv55D$Xy!Q2hhdJcOmSq9(j z1apZlkXrhK{QK+_azm2kP?Y+t_u5}`L{>pr zs(_c*)`|^T_`6Fa2eB~$L259Yfay3|uor@Rbv0N+s-T`DLqAO}4D@4G*0iQqEcA8p z)_YcP^(`fvf~<|L2x_?2pV^sIkt=$K*jbifDn^&Ku!hq88&|G8BWuO|E1PR8BdtN2 zW`}+Ptk7#F2h0uDvDd*am@*J;09G_L!;;xSm-<$CHJ44C7A98EHL4j?YuJ|HOE%{K 
zZX<#oE^CideJjcu9kSs*E}V75igDFrxgj9Px@EcJ52MW<;Oc8@1`}b;&-Imd>~qMb z?I9rJ67+=a`LXWMt3N@_X+=hDKo8RDYh6q&sD6lKeb5UwJP5bY8C^w4Z9z{qQ54qF z_zIJLK$FiE;DUp3tGJ$TDA*6u+W8d+-47M-9AJgL5*kIIZ-t>gVwwYu!wq^-D9aFn zjqV?0{eiD914gk9{M#QH^}Xb01Uf{;IJlHT8d=&yva>gFL1nbxBe%YS9w`fw(NJp? znFR_gwEl#`@q}ARv3eo^T$t+vBy)mpBV|F~>Z}ojcanm8cpa~?Me#X#uvz&^@<7q) z{F=4ghJ3PC-_pE)amH5!AY`FLPTQiz^DSHDTg1jMabwtgCo)PVqUH@yvEzv<|A1KO`KjJlC8&e=QVhdx18 z@YstPffP0TWUW}m%s{Lf{<_T{1{X2@A7Qe~`;nc97kEu?ax5;eD<*RW2I!F=)HSYF zPqNHFS$$vA_G<(qU!)5Lt0&&k71kP>rnhXv3$32dIreKk!;4=v-F2H!tVY{VKmsjK z08R!du zN?|;z(0;3r!!MyiqA);n%oy?WC9{-A@II$?9W9z}IN*gOAKTSgDvmL)Ln^Rk{?9_T zfvxJs;eNl!Ne(`#6c58Kr|t$zajoR^zIW!n_kF)=suJ z-d9IfP+u4c9wdczv!jB(p({6`C@9?Ta3Kt7d5i)oL51*q1X0d#X!#0(TC~Am7*SN| z@~j1Bg11!Rk5ufrEB^VIqIlsh7z9*Y3Kv4N5qlVL;X;CW`JuVk;`X?M5aE&-0C}FU zzX5V@Xjd@42-VI%+F!WDTl~P87ZBpzNyb|OIcon3B=3NfPlUER-&o*9CnNpu(gnMDS817FnE3uO#Nf)QIIhmF z4M2T4%%9bNkwG<6%@j3P*h?%mwWj?LyO;C z4d>8Dms)v6wpJGRKvdCP14S;c6c)OVTHszPvE93C#6;)FSk~E06>n3^&x2f3k6drA z)Z$5E;pf`FhDsT(+L>3vD2Fe-7DJ|XMe3voEoqq;Y!S(NDA*9 ziN;XujQ*MbmyZ&@uk~-XhL~a^D!4N02scWqSnRe3VXFr5uhSL{sQxz@{OXeo`h>VC zrw|1K6^*X>lA)oS{qG#E(p#Y|R=b?v%We9zDzkk9WcwWZSGo8<6Ua$QPkJkV#UtL5 zXX0raQ=ikM&^%?XJKEpv9gt6NU=hAY*qlaLpGJ8Ahk4#?Jyi8FGw*G(SJ~_7URSnO zj64gnuTo3ij?toac3TkkG{*I?;bL({$p~pAv}whs<1NIxLMp0h%I@V>hn#v1Rw@-%DrHhb$CpRJ zknNJ0lyyz+-{Q792^Rq*p& zKZ&Za#F}r9Ir$|8%6P``ywasP1X(b3CQ|(A3+%PwPtv ze#Si;9iD71`*oDgwX4@)u2x~LwouP~v^uG}SQLI*cUnh-sYa8ZEz2}bp{=N8Cu%L( zm`&;1nV6O`L*fnB9>N_S!`+#|I2Z^ekmSumm zNG8(Ql0Q04$-m9b(e6u9be8fA%Wthl8i*1i+jm{nuoB%vs@*Wdox!H_F~D+~!(W6{7;N|d*6 zGr6xL?n1PMtY*AK2*PAQ-mckV4ZTuEwMDc2i$Kvc3($(crnEwH!ta8RX(KWC#6)@e~4BM z!|~J7+SjEZX9sRnkQPE5+6z(I9@`JS7ETwVLE?X~w^URwo$48M`I6ps?ZJ zFfaIV!J=hgLz7+91BF#BKS!VL7H7!b}q6=N=1pCRkQ^a|^Dyz0O>a$hcdn+~}zUcmh4jFBD)Nod^K!cIa1?LB;Jv%hv(%6{^%nf-N;kHEsK_T=O9FT zA&zU9N1+#}brd2;ljHW5X#dAdCEZWVD+E)T5C%oKbUysJiWMJ7Uz##TilOovTBRrn z6#rW=x?s@A*A+?@yBjMK2w^zK*~o{`sOm>T{MervE^nWPD3Ui$Eam4F5le<4AopWI 
z=O(S%>X{j11V8_C5nPfNNh>^eUYAPKYZI*IA<04tBYCLMyCQc|FE(gXAS|OAHzE)r ze`XD~VLpn5zQ>U)^QgB8WL84=R89!gdf<#VZdAcIoEJHX^Qv2reKvSi@1u&ZsO}eU zJ|hS~ogGz;L(@%NIKH&ksid~POn}Ucnw^n{@ob%ByxTQsF(jnDLE(r(@+}u?wj7}j zh^F4m%kaaFjO>*o5~rf7b~H?kp;G@-ZsQU9L5A(W$e4z&nz7|vsPnpT|Lf1X(iIm7 zO96wjuU%pw?B&c`F&p(*N31$`)~g}nonmaLe9e4=p+{t8=+)eqqq4@;(6dEzZPE?e zNp04qT>C=?x_BtJ!Cc-P@2l003(5Qpj;aZCoKO#t*`+vhfjU94Cg%H~qO1+YrhxYr z&v{qObpPIq;vFdANQVZ4mY3{kzG#|D5$cU(cxQfv;zGl`$sFvXy z$0;P5NDSI-zsE0GnqF|(Rhp=v@0VZh+1ZDj6sBSj?9pEHtd1u@JxnHaJo`JZ+B`SO zzsSED09BVe8$G*bIz*~JLfc{nHpCf4%XyZ4y6%Ml794j4?#@p^WYmE|HD+XeaQ6jI zFblp`p-Mecwk)%jQ$S#E50GzGX_-reO)Uw#gU;EyR6e1ti7`4%Zr(M5ti)y^L`@)J(m)91;N$uz|iY(Ek-e1zUI((SwcPs!TpMW=T&>_LD?2O|C1f-t#8ddZFUFt zR9eZOq4Cw{lGU24lhN(4Kli8G;X%+Sb&{`!q5A+jp*~Q-U6J9b!4%lyA!%3~jYc-!*lkMs|dPBMUs6CHAcf zYp{B1YtV9PYe~eMD|Kj_gIU+*2^Krz@jaP3CxBuPTCS>0Q0QNrS_tr>(x70HWEk}o z@)y`Yjbwk8#i+r#iOU1~*k%32&axQH*s_i&8|SSEKNzE=_?QQ}3#85_eo@b;)a{yH zzGgIL2r%tHNM-awC$g7V9Fmr+Vm(&}d zXTiP2)8F-=SNGxgY`$r)n2@F^=4d29%pj+XQnzh3O77+j6{e>#ysM$} ztD#dxH^iwi#}KG|*$^Yykb*0L34+wMFow#m$hV>-S{HexEM2_3L9_nTnZYkktI}<{ zr|?wIN5rS#^DD&pu?FV)4`^P;Kll+g_>tE5k!>-<8^cPCyB&IKc1(D)B)^)_b(&7e zI;~O!*m@!sF;taNvwWihVwyY#?y9Img_^M{WC=@lHM3}#(y;>*1| z{9JGcZO0@dRw))J%bRw5YMGOkm%s3j7mg4BN5uMIiz~e~Yx!^sCW{G+$+fC>d8miW z01tP=!Bp~XEm5nF%jQMf)7f_Qa#vljd1g+Ly^j)ywq3VNNG3gXU`ey)fwUumi!~;< zlY+VK&EQk{bXw(H;nBq$uz4Xb!oty4`dZC53x)J=aQXL8(JK6dW`dW#8Tec;0pPFi z$Cp-&E2sP>Bp{@E{lbMcAHtkIC>m{X#9oXYBB!ihHZ(e8O)AuCPeRh+iM0G7EWN&F z!g*eIsx#kS<)m{N?$I>Jv);g_$(O~M$!}FE*`(x-h(i~h=_eZ?FU%e zYGfLsb@OKbV%Ie?>R7>M)K4B{chesNRxmxAzUwu+o&f1dD8;#HG$?^iT$K${1LpUj z;>poT@4Y`n6)+Bkn-{|rXr$^&XWMWn9%d zJs!^%J*$zWd;2v_AIGkeHe+yq{toSxqh5ifS#mY#eWm9WD9_T_HKZC{E0?jp3KP;% zeN2nO1f)vt)uCf7*Lofm)UOq0pV$#G4E|EY)NnR=@HBk!gfCfEZ_<05D)DTjjqs9) z{6tj8x-B+|o9*hHUCoHYh68&wMlVV4IuMl&&o_Om=b{jBI`NBcHMvf$L)1iXU9;da z{mDpmCK`~hyN-`;cj&vFJSO@<8DLbJ6&lcMd3#gCe*DfQy1w^k9k}FX#|o6o7p`7g z>ApU?h}U=tfS-N|26**5biLwWe4bP=GXJ{brM%>&yfZ@MFJ^Cyn7o-%E8V?=GJ4%; 
zj$lf-px}Dwm$@tEOt^626AF$h@qfvO`xSv(la0g0(Tne?PGX{)rG z8ShCd#GhV~aC!!Tfn~2W7xIwa%gDYbn0}64{Jl8c!N@@>LLZT(RyajN;;XV(JvZJp zq}?bzI;sxAZUk+#B49Sggt9)In`WBd4|y_2kzktc=zKo-5$Cqia{XKTx;^LwrEc3* zddm1TPn`@23#`Vq8Fdjn0tOj{fWCiWmrSVSOz@Owd{L&Aq)C2Vunqndl0hZP;MsjKTd1J^Bj~W>CG{dJqr3F@7S%&2 zL3-Z>R+YZh(CEV9wqlU(un!LxK0ZQtX(U0K)WzYa8LgvUz$L2)jCGYQtBAUFwi(k( zJi8fkt7Mn8NQjoe#n<2}*|w%-+K_gf3hi*RQFqtNkKcnkPlY>Ak(2jnNonG7!>DVf zY%OaYYwynE30O>SQgGR8|8&ZLl-#NjY7yN>IX8wiYH&b{w24R3a*BP2QEOe+(&E7GIsrk-(`^Ot@{eQ4vcdKQNB zKI}hmq|HRw4!g@*GRN`>@7C159l?s5lKv(g%GNTVbueOQMP~x8cFeY>sUL93v|Y7Z zb&7=O^~_&3^Jg`UH$BX1=9<&h_|o05Th%r8QE1V0LY+A45FZaLPCCB-T45d6ohMQU z>g6DdGn|{Io9j5%e(Oo+<(z<|L?f?il~3TdI@8Q1ofKHcRO5(&G75kRiRXBP5|k80 zBW$&NRN*F7oOa1uLMA6zb>kV~l5oA7{Oo6_VxN6meM8s~&?Uv^-!pAOkcch_!k1b-g^GnC{mG3(UcpP-2JY-R`dqX4 zT;H)jvNUpiHE;jGo0f_Ki2A7Sg_v^!SOKzNrp2g95y4gBPQ0R02{N{Yl0%_L-9e&< z+|d-H9k#}eqp6k|UeGS#KAk!ZA0j(r=8+hbp-8^qfi^hQatCEcZ_3!DHtBPM{`{)SdZitTF2`~a9vlNTS^qq1fTqO(62 z9%KkMFiqLxu9vOSA|b~&DEmi>cZ&3H2HfX@b-04_A|bwYF}dc)`>EW*U+;9hQ{$>D zMwN6p1i_b{GURP7>IhvtT$DnFvGBH*(fW5-HSa0XLhRK^wBErqp!je;53v2C$XVy= zB%8PKn2hwV}=HoN7pKw%w}1!2TxcSTx_-rMsRKMAe~$I@Rh&kDRM zSF1nh*DdC#Pt>zhh$endH~6!fpD#E_hNJVYP4fw%8Lh7Zt`nPrI0FclG=b~`Kcy(IyL)10Npnb`OVe~l!slgI3nJV4FQqK>RwcQ-az2Q9R% z#=LAkM$jMtVMx9sMk|Td-gcjy-N!iH#}Usz?DI}X<`s7@YE~FY*cbyNGywI9*pqkT z%hvL5cJd{QjRtgoRKNQOeH6Y0jA9cMb@(+SOHFpgLLZg|$PE$qm6CYX+6hajK`3+o zSCV99LHf`D74{Yb^`Viv<%gA|&SI@<4~vz%vF!15kC`9&6~#@RRKtR%0Z{8^`H@U; zvy9k}9+~TV9?>T^+XCyk5qT?9T6h5NW;GlBwzp?`YtzG;rJ2QVQPJ{8J?LzR6YJZy zq;r~O!b$$@Z^l#lGz1l>dGRh?vvVcn+RKIo)05v)@Cw}uCo{Gat#=iWSMBR;as?I1Q2p>bcVw25fPYS|BUI)Ob#aCvUTV5`P9_KK4!I7iC_Qy=B%9D|>QVNf;#6uF#~iuiw~OZP*VP%@6WsCI zkiPw#-K9I}T;Di?fNQRG*5n;%Vo_XAd#JU)I+XfJRq&Pz@R5U$>zP6PkX}=DWxYZU zMVdT&^z{v`kAPU5@V8g6%1%tD6!nqXD>2L4f&TuRy9WsLdQYb^Zu^CFB6I%=VhP4| za~$A55POFg330ts3J_B1z}R!Gc=fx9A=xEtMEw-1g6SSG^YUJ;PXJFE97aH#pcDzQ zdE__ZXJuo|>8Nr#Jx9ubhgfNgg=dr+klr2UKhl=CD-j9Ng_5*MB~+`v&{(}UyWa0K 
ztdWLu!7&XYtoC|85s&%aKmQ}un;;PHEfMd{9{+AWrTnmR#l@TN50&uqM;KCoi--2a zqW7BzNj+3&E*w|;B-S$I;dCfc!Am4$k#)VO8Q*JzC^jc0d$eSfslKq~)w9ObE82Qs zxWdrYIJ8Iza(xaJ0b1c>4RR*3W!r|8`=;u&#=il4yn7Rmje5nX>n8+k40zNOLtljX zDgeC$C02Go(60-(sp;Tdt=r7T6pon|XQd5f;e>q~>aq^8&7pK9J zet5%q(bCiWkv~%J#$u-G^$x~|p>8)VPB$Et5YifM%%nV6M+F!e*Rh8DlW7>1&SiWD zL~>Z3BfMl>+Tg&K5{fsk=Qg=x^5I5(093DVCS%mjy>PQ|M%K(MN}6atKPA`3N)MQ& z5vw+JL$)$F@67t8(1fe z%=HZkIVMhHF%5-~TSg=!&%`7>PR|Y7hv%6uK~&0i9sUZHRE5%Nv=A4w-S5Ro@mZB@^eDv`HK zE9^EmBj_A-lNq#Z?*V-2LK5d14>6bz+k5Q!}X0u6! zO0l8nkfxSO#e{mf_F!3LV^gVmR;_AKI2(?oN?8jp-M9j0pIXvTbJ&_)(wIY;$#(2d zTaTMyZ5bSikx%n6cCjPd*(G#l!V=exL$rNM{NMEzdmL63BR==%b_aD6dL>C;4x`Q) zT$;cj8G;IJ{JMv~bqrR&)`_T6N{xja-IdDyeQoJN4&!mwapmc=YOAFV;$vkOQX)u` zA%4A)CZZ6jiD;-sMmb*rU(Ehsu}z3H$Ub@wVZ}AYwCPi=vWed0=YcJ-8t33zx>&2c zwAKdCh|Dt}CQlllF!~dF!6Fd+-H=DaX{5(#Ch?3as*ZL}`aAtO6yi z*wMYb)GJvKzPL!?dK=uqp>`W`;=qs{CZAdvW*xKhItCgz8{ILu+)>u z3JoJAhP@TX7W^50a)U55!wSF?4q<7TDU`=%!M76p85}U_7#I)~!TuSh&B2D5os*Ux zKW?)DKX{DPf#@P+yPY1fHPlRHek~>disD3?ZVesWCnU`tnSw|o+8Y1K8N3k8QYKnM z(DS5Rm0zy8du?m$cBhBFEYA(9 z9$qlzxm=$i%?HhK?4<{fVZPz6%+p7j07Q=Ge!}pr#VvI&G9a?ZJ!M37sjx9`4oY3N z_(-xdl7ROwG*Ymqk4b#Xjl$Sd^?g%_C!?r!hLspL8`Y63^(T9iM)*%Q+f_s7eBB2q zGF$!L`m5bDt)RAK%sL14iu1%XF32j=$|})uE~=$QNoVU=mCir^wwk^4U+UDoCCd27 z>@Y1G>4dB!*7%%5P$8-`bxfBQgcbBtdKN1ep%ywCv)Uo)YgAQhdn{Mae+sq1HqgMM zQzoSTa*|Z|S*m-iNUV?&C{pX-?LGhxkdwHPpD$N$?E>SF4jQzSl)#{Ao~S$$X<|dy zSk^w1DLn;V9OF!9TTg;93+!BLv^cSal?tUKwlRH}6t=dnwM3(F@X3s2I@7T@xFvlH6G*f_=uPb%L6 zux*5(V@>yatJ0`eZC664D|++@2g7W@z@w}Em(@YzIS(+z`?b}K}@ zQl&!McWLt2ma=5Q)4(X7;y=!8P`Dd&^E9EOA1{3#w4jBd2A=;^;AAlufik!i&5kgnI!xvPgz0BMbi1ZG>|k_npTMiw({>te+>l0rKXp4bT{80!H+LXdKJ z3Rdj(R3CqSJ=s1}9!6c{Xb(AJ!I8JeyXDV_GPoqs{KrB#!Y{bb0ops2-Ncch!CJCn zIGsBrHI0(t_>q*BO3U>oN+jQ<&l+#yKYL>nQOxpt_`1CB&Tk1W){P9Rncq8|X8iU; zk|@y#{oG;Z^PTTG&r7^7g`iYDutW=`VTOlgMlG07CFp2;*j<(1O=Dk_I5H|?Us49M zO@!c*JGVBo<{6ds7-?|K88dku+llKhZ%-dY{38r7K_mau5aW9qH0g4JZ<*8*rop&d z6smE2qei=6^NIi2tg-jHU4rv<>9Z~E%5Jx@Vj)%69E%NnM?N;tM*)vsi|K5ip} 
zJs&isAo|;vQH96MD7&xN?@x>9l8r)r`6iaHLm2CCA@p~xg}%|=6_y7E40TKjNdwAx z(sOVWYiyYgVaQtPQETrUf%gR(iWxxMCynpNe5@d`D2DzEZ1*)wuLgscGvVZhUBTOw zsI|YA*wy0QfIs?8CKdBfBw_x58p-uJ*LD?9KR7aj=$(RguwF; zyXX;xZpUZS`vU*(NsId#so5Zuy|AkF{()Lwm()TBblq5*r&*~y!>RRL*)|Z zW%RmDd0wlAryr^HkO1rT1p42Dw6&tRjfV#UlEwG`&FnO?wQ(_VaQffGXoE}33PUYf zWpUG`x&0D|x2{iRg*Fem!DHBi#Dr~x2L8Qp=C@8E+gcvE{xIG=Hsq3yicTKSLc(qO zyWPMAeUvaG61@%%_Yyh{5e?^3!b?>=$S}#+yikSju5rp(HQ;%b_gIy`j1Y=4BPri{ zv#a^)e8X{?^NGi1(NY)R-_M$ykJLmm2s#gO-4I$Uc&*0!z-s}|K_ zeQ+|?b0FAfsGr|dx@+*#Q+?Cjv`ISp;*^+7s!O!ajn+fMcY3uqyX)%bSIbK( ztZI~Xi8y7U-y8v&@v2#6@6y&t0}5RDao|iM(@Os-kW4^>L5{CiN>pm$PhhzRY@$+} zKG82Jk0dhaz|;dm_+StMUwv(&I$hL6B}B1i815=OcrlUgSfTMhKQI%iU~4E~YkRl< zqA?4R5A;$MZ*knCF4&Z4y{4H42Q7)R1U?{>pOX?@UM4Ouf!e?vO{fQ_mRAfjyT(A1 zNbaWg(J1_+;-*6l$`NDM59k^9vp8^|+2$Ui+5g+8_pON`qAP@UDHDS{w;D$U+wXHk z7WYT7xG^wfJ59rc2Y2_0+<+V~DrkoHgTzoGUTObDCyOJr8#fR~2}CWqq%eyoHarGL z0C;Dp98XFY4yxG<>p+CPFfJa{gNftDC0D2}0VC1F2QM%eQ3wMDHK(Po#5@=3%X1nP zx6_a-v1RV>Hk?n4I&=H_`Zg|ZWTOP#Sv z8Wl!jw@ShHA1}VbT4&zQzvZ4OJhY${K9HX(`Tk}j8DxJftyH%m_Q0N>3kGtCm8ASe z#01J=Kks}-s#wZhA})Kv+Z_zH*I9m>9&N^`axS^(uj;&d94+z_O^H5==$YM<{rKcMGjw@K03Fd^sr+Pe_9LR5&{xGyB}OGH5Ek#EAHarg3oOqu-N(^3 zetsTy=bcwLU}X$cEm(IfwsRC)uO)3jfz zVy2y7J${j=>H~P6)#PRo1RaZr3j|;_hmK~;lw)Ngl$?A1&V3LYcbuT~Y;RKU+L#d1 zeU1&Hikavb#X7dM!WVfroM)4(O?@6VxxY>)w_zeo=YV&nSK^2G!ke_mLMSVW;fYuf zy9KQT$R?mgsz?Suv~k~C#d<>5<BIbMi12@apI>)D= z7S{xdC?YbKFgUj-NdY|4>&ENsia!CN(#8rU2WN3GG=Gu8Sh^2-Rnv(o2C4k|D-oeb zbe|)yOy>X%aBh=6rru+mm2x>s7En7kx#TmKBDml*@WYH>1I6vJ)NUg1St~zKGqA=; z7rkdCT#?JbN#*%yw_BZv6}t3jwsWq=0exRSe;_V#ID0S_xX;%H4e+<4aq^)*4J74} z#EeBlA;>nv`<>oeh?Ke!on>*&lB-6w!ihG1pj5j{l2CzQ?h^1Q?ETC!)!!6W4$z=S%^{)0+;~;o9^lDG`Kdmsf4eW#8A{4N};d}pP zJK_iJ-q^p;3Y5({&WLE-u$}_#_#2fKk&2D$M3N!Uu%Ey=?_X98&%DsY+vCn8Tbd%k6vvtXyhiNnZ=?L_*K7ZI0PY`G1M&c%ju+<7C8YRonKtW zuqC-TIg zE3C?((o+2rH#pip8q6t(rIk)wfT>8sIfp5F$dLHgaogPmCcUIh{q;S>5=rYaY=(6I zr$Pm7e88@{1W7ef1cw8Z;4C0Q7hzX72PGLn42Z*1fm)nsf8Z)0PZS@N%a4m-?A{Uu 
zDPGvRfoz15{LVdgcsTW0%^lKxhA-!&yTHXzCUjFim8(hfIh&Z@?(#MqwmpEmo0Ivg|qt@z-OZ zyK2PBZ&buIgd*}G_gMGqBYoOi?|Du(SWFx|7J+T_CCANjor!xGqfVLMO8j_&8xH5x z-^upIXZ@H|FS0Nrl7M%3X8#0Ed~iqo?qAv;gO7A+bi#-3aLbQ$$-xX%T&b0f&pXO~YJvIkLNG-ER+MDmTpR+<-rwa|R_y_;M*V?Ye3VX@ zsO>}AA~jRiBJ+z7u|Se*L&c_xjXlXqd)IuQ7}f6M-8kY!S4qtLbcSRO=2C(*&kFCp1%xx(`XX5?~7~P-?%iE_XSVr)39j8Ks$Nq;=!s1R(Xw$OSrVLu>T8iv^@V z%J6YsQak7Zd{ZA;2xl@mEq^WviT|i5U}M3n*r$Cns-^m@RmTRhASY~|H_xBza5ri; z4a#ZR$Qu=zPyI|d@YAIjsS}Ye$8m+k$KL-$}e2CaWgn>0xJa(i- zz^sUx%z1d}m81+%l96<=JQC9saF{s=deda1b)mPG&pV&JvX*Ck>9*pyyE|i9=Btc2 zlCCF-AZsqH6qapX3DB%;3m;9AiBa8f){n)9VMsXcd)wa$@IEu|cDYl`7oYKfXtcmc zprP?M|68h`t{Q>L;&tf9^$`V5FmWv%-DUPN=aPHQ_;g5&m4n<&VBP$&>yDKDWfwbm z>_Wryqif$YfJq3ZUKz#Hg&@ph6BfsM}5%(-XgQ)Qxz3H#_gf%=VS^Gn?(nlXZ#Ng;ZloS z#UiARY?+jyh2CAKBn#qAcC1Jk;!qaS7BD$d=7d_J=m!f8HA8ofSZcGFy?kk>S(EGD z_Q&*QtxY=z1D9Ie^%~*LntefXw=eM)-AH&jyAmdKj=tHqNguKiS z9;cOEmD4kS7L-apm)(UMI+Pm%)n&p%b6aK*&Vbl)J(EcyXW6OO52PqfM;oWMGDyIZ zj?h}FTlDV)Bh;V?;;&nNVH5p9ok!rqw>Sy|gW6JoP}>OZi`T5fN3v*%YPaKQrs~(b z*J@q8PpzD@hkQ3r^TuA9ulsIepyhg9r2Y^cvzLjjMp@_n0#C?Q^d{jF*K}Dm zl6e-N^P62CU;e7Na(Z%>%JLt6;)Vvt;Idf%{Eu@VI->STS1?1Q$!+~fF-kQtj1c#z zi!>tMFLtnU?foi^I=fmba?4#I_JP$wlHwkQsX@9`BSBmsl?}^=Hfd_dJ&b9!O)_JV zm#oYy#&P;v6BtH9dZgB1zOZ{uUL(h<#c!P+&iZr4F@wwuwkPY!^`~xQ`wFrYqlZY2 zV;ksrJ+m7@oNg5X>SzcuKCU6k?v<6R-2$>r;`taTGGfMT9K7s!OdsvkTjXkK$!qqX4mOt9Bj^E0q>qORoar3@@3g^ZIS5rvG`;}9+Ythx1s77sUK zk~`CzcVL&9$XKvN2TYd$@rcsjkibL|QzU9;%%Num5)<|6B=RD> z3mm^tDsjNH$RQDzS{pf;s1ptSS?wth!{niEwp2gVXU}MXPS76eFHu2Ris=&x^>d_Y zd7m!RrX|OHw~)E%O%k{?0qc+bvLTdCk5wJEYOnnY4eYNP+T8~WIRWb_7e>Au8#rQsY0^J9r(84whD{rG8g4yI{W?49^{M z_m!YOHIb(yTTX^VEhWiLcAt88yM87e5_n!;yfhenCTX>!Rb6tjxnA}iL~-_XJ_H?Z zLSNN=Y1YYm(8N=1n+)w}_AM5)dMKxNm0E%Aw@!xq_EG6KGcUK}mN{j7q6BnWRQ|@O zk)$@w&+yg1qbGFG(+R*Ol_kMDF2<>Qkz{DCUv%Khyif<3pr;CNq0@b!enN%Wyv&~% z;Sk>*;WHKI$-I*ARfdEHXv1kURS;oIztTf){_bC_mPSgf;~)9EldH}UZ(yN5Q^}FC zrhD^N(xbxMbtt8BGAw#P01-w=H!?^aCNo-S9;N(lP$76T3FP0yM_}t+XtVfHj8-K! 
zx#-pjXl+5;&i72ox(aG~`7vAOL1?q-SwdIasI$H%cTTfNC*36CT&}vwwOzlr*5qbm zz9YB3N${-D-%`<*7$`lf4F}?wtj8~^vF6I7ztm%14AfBi4PrWUv^J`J{HhseHkxMO zJr=oFG24V6ygrzZ?>6|y|2UKdp7zB%Gfg7K|Mgnr|M2xqvBL0Rc*nMF+vay{+qP}n zwr$(CZQJ%a`?u_7S+*u^deir=P5M6Kez%6%fIutTkMdo}H4?)mi;Md&?G{Er8k#Nx zghTbei+KjrL1GaTHtou)R=oyHsSAQK0)V?><-g$!29p=FL+G8v4HXMQDCAGLLnquu1VPkT%mnCKp%&NULR z0PeX6*Kkdn6h_yXq-+<`>!{=<(%2(W!KfregFLmT`J{P(rG^nS-fAjZG1I>R=8H2$ zfyof9j(PSQfm(G)bBv0=?)aA5nJIo-@)|ZB!nvYEb8twi+<`Z9fFe{m^U_Yanl3&i zvduR$-g0$Z4y@mqN8*>CZMAv}YNEZAhJLlQk9qf(IN(GJHWw9AKOqPXbPZb?xAAYG z3Q3|z$e;|m8(mMT4jroLFJnS`s#Q3~SxnuKpZd4>-Ds>V*0~7L+U}ZfWo2(~>F%y$ z-pBG@eU9<(K~1jj@XoiR?Cbb%B6h+n{U?<29k3sM<2Rvi;w$$A|P&y z-$srd3wvjqmEqpf{f<9n$xzaNwpOF>S6+ zy7%4Xo^B84*R6Hu0>OW871{;(dE5qi;;%=tuP9#s-1u25cud`xhvrETB46gmc(xqz z>cE^zsc0$o$I)_8-jS$Q?~mO(uc_8)WXxTi)+t-7{~Yc?3?)KYR%r{2`y_;>{Zg2Z z?>B|&s*NLzwr9_@z@S`0qOl`%gs2Vy&-!Qzd1wWQhw!{{Jmj=CM6-Bq48>sdm;_q= z4Ovom0D)ha#^%8SqaubB?LnF;PyrPY{>GoM4b2?ho&CWrDGLb__ENoxxlP2Bbpy+*Ex z6^W+A1(E353S`IFTUfKnN(j~XZ%J1Yt5(pdvMm29m2uFJrWklEq1!K7c&$N~;(n$b z!k`TXemA#sfDHpPF{fEOIX|DzjSah5KK{1(`LW4DZ-sH92h+hUzY}V-cc_Ru5^vJh zyy0&Nf*-u*bF5)}FVZyz2Uw#$jFKncWk7FVe^Pl;%jQF$+7TtQ`wha2We>;8?&iC0 zV`ty>+5z@bv4N>U@^95OHFj!~x+?6UD~6a?@Wz z8jc<^?c9eclUEWRJ``>yq?+cXL&Y|whRyA0N|;!&QzKFi4SK1OKE>-{u)XSJ%i0GiPf54mC|$j~pd;kqrcRr9hrmBKD;Zy-hehWrz27ViAD$?-a-?F0wf&rwgQ zDED+~=TNBr7jW0^EEXAf3?!++$-l_lCnTcYtEAm*tyg>oUZcD!G0D|1>hdNqPh}w) zQHo+E>1Q!a72>XDf^%2dNOuAQ=lOj*FhF{ff-O{7H#-^#r=g6vbsc${@gi|BVC&a! 
z^+Y!PR#=#93X_JYJ8BgoY@bWZa9wLxUS*_dC8CnU&d25`(JZ)}+qkgq1p166ZPBir z*zJn(?|t-~577o8avu}Q9R&>*5r^hIG-RTl0{Ap^*1IUO*VfhrZRr)ZLS;yN zdK{-OOZ1Fx@Fj)XVZ6Q_xqHDIWCXnw8rMOgo4J+sh)v?hZOGL9tLQA}`rwTF7 zXn?8LMg>Ww6N0;TaXug+`4_rGu?vhn6I`gFGR{%re0t1tG7C9@A30T|!^M1TYf&af z8VL74;A&uOLM^sGp#KTOLH&nJ{%5M&ZW&u--x-l+p0M-3Dl1Y>+x7nPCY0Jqgc-;T}Y&eDnomH}I$XeHXZ>1|H$?OZD# z#Jc{(%VQ%yfh9Bd;^OYsgrWy}hV*Y69~+jS6dr4|#X;EUIMDE)nb7Xn6{+SJzSEblVi<_ocipJRNzfQ1^+% z^Pk@S&VSiI35K<|6?1&?DG=cjI)}_rQYTMa0)pg`@@t;--iHuTb872=&7id--i4{r z6sO!seF5lsbavzE5|D3vjAlA!S-o8 z4fWKw?rdSXfCPD+mY_$YcyyslO>_5>e@Es#oxe~;Vg^EW& zVzjYuQhUteb!yZr1q`VvY zdi!sXL$h-r{vP(=`ik}b%^`1dr&_yu`LX<(58_+UWe82w3Ex%y{d|xE{dpZNeX-+< zJC|scPZXT=Eurmvsw(&mEZ6;gu3_V_dcXEu{9?UA+KesuR3^*)!sZ3qI(r5BkiY1a zTOfCzK)IcS3-ki(L-0@(JfNpzXl*C8)o;*(#DAVX;!4*6b0^>uQ+=dD56wjbAgHv% z=<)d`#lHFNniMD?7V6gVkg)@bMkkG4NVKW&3pOrZvs{tOyl>oM9XI+hl8DvfOm8ZI zaabr4h@d&4mbLN_1sz;R{;Xt z&WU~%8?fAK8G}{v;;s5##o2`(ziqBKKU+9wTzK^Zo+RI^`Ooo5Um$Y&KH0)1Zj*2J zxIPt!^$~Fx>qlTm+=T*7bn8vmsg1Xyn?En zCQjS(&DNH6U^nffO$2nsFA(#CtaHo&aCTv8+k~1uO=5_arO?DQSD3A|Q=_`b_$v4I0it51+7R)Mz_hK&SoHc!+U&vUZZcAOrI+o4*zw zc-8->vD8OBCBpmgmsmRMm-p8+?7BOTh3pYgtcza~t;<1~w`sNy0IDO@TJPqrOc}bH zn=vgjxNbC_!FcdyizCE^|3ub@Z~~j2OpQ}7*f#Coz0J({73C14Q!?IP>ew{gW9Kg8 z)h@6vwsS~&7DM0W8q_Nl>j0)6!hqm|gSksDZmLV4=_Zw5p6c%~@wJ77dUMqabL9m- z334(wtbs7X&Z*?Q~JS#=wiU9QMI3^&D0+x~W~ zIQy&*@X?7RCQe=Qc};}o0jZtj~B z>*VPxs(B*{`L7*mB=lnc5hmD}V5W8wVf-ZvoLsVVENlu+_$6x2o7mQ(iz+CULIe&8v%4#7YO!Bo2;^En-o+7Rj3STk<*F8=sJUdUHg;z(jJWT6_}Ex-&M zTHmWxy`MjdN^zg797D7T6yYV>vqu9w{r*mZ8Id1HzBukV*cld>-gZPt_g0+TCn+^y z+oLcO@s_m61;i%kz?h5YN)I0V3V6%2NA@bGI@H~EX@oCju!lB*x~}4zt+Z`=b|I{| zMe}gUV!Dg>5(ZzIyI!B(G(*rGlv@{aa1eZa8yzm=nH~am8Hut5^Ma9^DU?#+C!>-) z68{E+ktR(xgBV3f5ZDHs5ypVJBgE9u)CNj!06HG0RTL6uexE4}-e5_paa*+UnZQnW zfGX>n_;#X_VVh~=qglKysiTt6t`abn$wsS&#An=h$eh@|L1z%sdSr~DS2znjqL%fb zRbH+HA;R&?1QI7FznU)M)*}tnd^sj~%UyZW>p;s)>XJ@hKy0^XMQo_BwO%-8%%lpT zPlgAua;ws_QfBM?*jm(xYDJx9*jra83DKAIQz@?HjkIO>=YAllLVUcluvWz2wngv+ 
z(KJ~x2ZWs!LM>+}+`SuIfZ^SY07WNjADWC*q=QCNY>~@DJ?~{KYANfJKFfqSIDf&q zZOE<}>4_C$UhN#5tLSycIa!_{9i?dL+K0e1Y3;TgmjMXg96#K-f;{b?MTMq0J(BZ~ zz0a{I;b(jxHiS9H;*PjuQ`bcHz)IyM3Wl)7`x0c!H$*7^1ukz>0Gr8;_*sBW-MAiL zivn#+Gg|OeNH1slmB1I|1pmH@;bB+#yA`XstW4{~@Sk&3<*s>-s8d;q<;v45ll*pK ziNKXo%Z+J_Y}fdg%)AF_xpjH#hX4o55xAj76b*yQuz;HE2CkTsrTN|rWax)h$|72H zG#r|2AANA+t0f}aE8AFJ#*NGd4||7#R*ESrE2tHwQNMMmy0L6^X}Uru=Tq^?_4jB~ z`Q{tiHnU7bh3~lnK1n-{WSxL=Ze?T%uFa7)lnOI3nNwy+yC-cqZze3AQDwX%3cG#! z+)T#l2WJC;o0(ffeuwSchK$P9OQ%)lAUXa!;o%3X8&OEX{B!i>Alh#L?}t}3(H@XM z?|`B5a!9Tk$tEW+P)fdfiOaGq+<-8E4(*|8rpw1#5)M_p;q0SYk~v|F8b|8?@yFNTtq7N`*_j%!2!iR=1@ zG!%D#Ovh~sh_zPrQ zu<;Q{?+4zm=V#a5)aeWRsU}gKV3>@`;zMVHrLiNwa-``gl73Saa#^sY7!ncXtqv{q zj4hc5GrUk%?ow+n9QvSIvu{zsq>9P}rL`*Q5c5S*+XogXg zCo^s%?#S#(yz`B1%KZv}AQu)TY;wDPxpS=c5*$gNky5Mvg!0<~A0&Rf)Gc6BOfJwX za2%o@@kgxD?rxjr>Duk+^?<=H=nIeOiviY=pq{+iSPrZp$i6g^7=J_7_(tWOQ@`jC zg?J`LApJBIQxg+HrwGD#e@%N}*62Ok5kV#~IZWCQ4G!C=KSix-0l7eu5W5&)9&51Y z7su}SfS%km{UOBfCp4ColLW`3Q$TaX_8D;y8;l+Jw$)o?`_a!@NO>sB{plKdyau{{aH>gOsYLMpWPy;;U6 z_vT6X;!XrrtQZ_g3}MmdD~-TdNi;BoZ}{!fJKoE4{4UUT=cmwsp|SN_eH8V(&e)t) zIZaCbhm5LPCL|?QMbF5A6Ywp4^dT>5BlkQoTYkj&LlU#wU{!9claOzYIS)OF>4bH* zYtIkvvf6Dc zX;ucP_q9dBaJ28p#SDeKqE52uTxCMYVYK+~R1v{Nu7|JGEiOavtnU@i0Cu3V$^p9o z#h=0?D>f1oPRpGPB>q^1RGVSjhGqa*n%c;N zg<0Jz4xG$Rma7q1^BVs?C+5iwACU+4oMq;g`yMGqh(eCQVy$%;Qv|L|`TW$iu5?4TrPQ=N z&lg!{1(}?TTE)cDm0whWHIizbf4jPIW_M;y4~&c1$56QYp(N z>w;Y#jn8_gn3m*hr{Y`L!YOFf_<37wkt)MDW_KfeaLR(y6sic!A++B%*WjE(fZxFi z`H&(}A-9r2p?xlX7S@E;s+L=KgW(9!TB+U*%`QIjKj%$bXp_>Rm~G3-ARO=FF?IH6 zmDIQ$81@ywi9%O4v&${6ZG*C{F_RLNxK$|(D& z#>;G(6@u#%+#-Y2!3zsT1`04qwP4sOGN1=X4KJLNOEPZ*{#lfNIXb%1485j*gk4_| zP?MQw*b-3E(liSNxgfVTbH@cU6vQ>+>eck&8v`#sOj=mPNEC_KupStihnaNy&~mf>gL4AohRh;9sP1#Mj<(7TdBVZWidH@9mA3wgi3tGf zEhF9l%dtrMzTg`Bv|a$T6M?GIVUXTQh`HsWkMAq1by7Oumr3+M^wZdD{8be($?buL z6zf0Bo*&0oGbqg|#;sS5;08$gHh(6XZ?}4ubt#jJ#d|0O%#plmh1>%AuBsqW3ptxq zzJA<--;joC$ zZqbI?uIBap!jY>6N!ZbaC?&*@57iKHg%(Yo@yAEOM+adN-{&fG%N#x(90uF^kRB$t 
zih0xwODFmKpxcI9H;<#pZ%T@w%*~fFi}@h8cP+jX15x!DJw&;oF7cLB_jV#P9AxN&HqV`k7@B9@k-!Gdks*1>M=C5WRnt0Z z>`YY3XNfz0kWJk7ZLn2Z)Ya2rhQqd;{e-9^o9Y^IMfJ3fVm`7uHPAI98N7p9iws=c z9#V@OG2#-KJ!G1jwx>}I`u_;3H~PUh?pQ0-XGj_x4!kg)VHNMeHmbO8{T1b$LB?`? z-W=v2eXx%@+hz`+?{x1)%5~2-6FQL`R!22n=cm@W4S1Ry%$ZjqYwc6;Z60o=GE7`F z0^RY!FgIw<9@tQoI)Kc(OziyhjHOS`*F7A{TGA*eIWR}SR$9RIf~Umf1MWgRYH7<^M|_dtv329y78>kT-DB~1s<-UAjc|7jMC=T0Fl&tv zU-73N%Y$S)U#u~yXn_32;B+G{D|~krgNI^L$}I!39v&F0LM?1kqC=@g?OmZwb(Gw* zZN^OnrfP-o+mSgk#%Jy?80c6fH0JT-d9?0QMMSls;~t8I2Zy($!@Qv0P{CYUk6Oye z==HW3f~XsBPT~T*rW^V7P`um1H>If36qHp-9Xh1R_+@5>XFUsM(_+p3scuT(n7T_w zjNg4Wmn@5AObj!(SKJ zEN@xCZ8k9USrE)~N1>~^KVWG$g>*toMCj5>US$F7d3pp{N~ro-hqh^ZPT(!GX!W5k zeL{PDIY{>LU64Dn^Y1xuwo9$G+O)7))}61t%X0bdKdL$B8g(Uc!J2*Bz2*?(M3u2g zy7TbVBy`6NF2=$;+aCEkGA1^9Z?3c`b^k`K8)$`8x|tPegh=kDfDxcZ*&Dw~x(wY& z$qG=ca!lQLE#Fsq-wWr4kcJ9YhaK*F02e7+h!+hg@e;*5q{9r&D>9~$c%brs6odRZ z63{+#t)(8~VOYWzSp@v-JSNh7B1w=ylD&@gSMDr(x{sx9Hz!zMm`VpcZxGFFyjklc zy=au^7cE_-K8!M-RxuyUeh`fjE}aG;gM6dpf*AYu_{`? 
zjsySj95bJKu^2zo<9t9>G|r3**LT`-4l#SbpJVx-s**VaBi3I_rB=p_rPB(umBFqP zfmG)|hH#0P0m(;TLc%kafT2pGq>U``ET`^QfadL2_nsNVFy*a&)RY}7xM$FcFsA~o z4_VsaZdtMWyY>E(3{RJxmlPFpF0Nj$ZthNH*|LBU;NgL}eXYpBadwN2r>Y*gQP~QSLiIHo;T%KPXGR4c}^+e?I(0 zO15eqwIZ7{?XySP3PY5wT3xip2VfJJ{o8A0U3VYa(?4C*Mvy0RakOMo1&QtOlD~|YzC_yvQ8&Y}x2tH;*7O@o zZb_d89Y=0SwCX&5ZO6qrNS|PN&fB(#iMVp>Hp@+>E%(MS)5CL{AW>na>I*+UsLvji zzZ*4gjlqnL00$F(#Osb9k%r&|G+#0lG&6WJ$Axt`VFTqee})qYD?UU=s*f=>;xXv~ zamlFn3~a%r`AloiYP+owD>a@QlQy>wY0{xFc*p&E^?*$mui%b-?!1Lel_@yiEhunV z5b@AA#hPPem~cuUlE)m~EnPHgnsaQF{95~-JXXiU?AGPU)J?vbTq&WDvoANGsUuok zDrxwKOInFUbQc%2;$^x=4YUuQ!zlvLBKdjraAsx7OD#wlZv~EeO9tF3!bOYv5u%nX zt0Byd|C#Rj1Wi}ei~t1GTA_S&;wvpV`|)%o&>98*rylrS87U2}yAyr!#4XZ| z{5YO|3&GzQZ*XNy+bafle5Yozz?v}}P|n%Fwx@<+ha1!2EvAmzl^}ilv$~VX!X8U- zIk;m#`~~0jB`>TZl3YRSnagk@IxeZ)z7Zkb&{=9429X&=+Cr%yq@?#b`h8ZmK26dXFTTuN{iEBM8XQI9Gha}U#{wK)cLfS@O&&80&SR85 za9%ZI|d;Bp-ViK#y4d~_v?4gB%z3cne0#L~x+IxntT zhXe~io>iTVPKF1i+dxirKh%Mn1|I=zxtpS#dGvW3oz=rG?XJ4sdo$o5U|3_c#{6be zBRpD|_!pp5loVIItAv`BT>_=Pg!P#@e!O$@jrioj5;aJ_P^psD_t3w49i7PC;*mFf z)}wpJQa*c5;A{kFf`;tLa{+SWDiB2m_GOgX5{!*mIvn%w4uxG?k}NYg6-o88*YRjq zgRaKK8a_qHdP-G0*5`5EGq6=ARS*k9AOCC0gVC)_@plHOn(`p~0kvS?1z~7!9?e~S z+A^c$z+-{k*U2r`kgX6->3-S9;;Xzfbb=$cJ0(jO?Ep0SkuQb<;Th9Wy4y3|m|Wr? 
z^?3x%fjqDwyuZQ<3;lF3kG-)bs?|9?zFQj{?MFQ7R2jwl@tchi^7>Vdpe^pL+0DLL zJg1cD0|3)NRw}d&VSb8_meA>L0Za`vByXNUMPTfiECK?l?G2dRK|U_sXU`ZkX%)hg zi)0?Z<|?Z#P-8*xuPY5~JauJL>Jvsx=eY>T++q_i|FEW?P6$mD=m>9r+9Qe#gtfB; z%>bE|Gnz${t!lAmwLg+7ZsvZ{acvx1J`qE|t$|#6ajaL|Zz9T0%Obq#a}UdbV3`kBXNLGaDx~|I z;H`sjA+UPj&v`Xa^cu;rYYLB6ZW5Or(1ov86$I_*f(q{RH#0)zh}Po>*Z7@{=Lxj( znLVv3E^Feuqhn1@+l7i#Nm8&(tB*WNl=rGWS%ZCOKjv|T3bdZl;tuR=mkAnU>(Ce0 z$Q!%E{UN7=nAtk(I9R2Q)Ouu`fToz68@g;3CrS)H#tkZIs??$L0gZ;b^Az(A1BIc% z&>J%06n%cbs6$Vg{9VqQ+YOIB{%i~h>W1DfoPAym&|8eX3dycSvptm}`|DYGIaAu4 zYUw;q+-QD}vLy?3#T-3aRXk|Ai)$4|r6%JK8~cX634k~YT_;~dD3tFi(n zLz6n#0&_uvU!Z3~a>7m#1S|(VPLxRNGuT2Qo1>m!btk~eP)(*G}FAG~>#%WW6#eZ;^U$hM`t56a20op6U!+o^DRn~u_ zjl9E%hpWAmf?X|o5jjjFtns-8PvY0r`!}P8cT}!f(=*k12{A3bCR!ORLIj7&`6}|q z@P}T6nzn?2buIaBzYxkg(Q|VA>Pr`#-^`i+F`gY?Kb$>z+c`FV{1fb&ub-T`u<~3; z*C$uYaW6baYZS(+NMg{oPK(f_GpeqCh-T5B1j^ngbvXcVQ*xP~onRET0T?aJQ`HGj zpMv*Diu?Kj3O&8jP9fCtEpxPx5aKdnhexPt?Q0c?d7BPIq_*Y_1kO|IEmSNsgAPVm zI${c)uZQ!2C}vr(fe)`yA$6JYbm`t|<(dlToAuyr#%`NwwNh~0P>>sJiZPVR!=VPp zHy~q#opbDA>t~vfQ_qmjAwkc{zMs9FwOV0@>;^3xWOD%*MDl9K{B#3$-y=>S^=FDn zSGm{M&E9WW5&)#=0cwKQXuzBovZjF~uNhv@_;Yo!w4pcM!jN>$l@4p|m$VM@$!uRH z`pve6kkTpklAawXYn|d|^&5EAlLS~lerG+x1|0fpH*BJBn~06 z{coL7yMA;fu7eKOJ6&$QvQDBk(T_PK_5a>|8V@BbJVW;K6k25EKXn&)#(3iD7IIZk zX;y;xD!5AVPuWFjXn4s;e44z93Z@x4@_&OO{S>j$mL|6iuBIU&KRT|#*@iPSe42`o zZPPj+fl1#R=1#M|O~qb?QV9ai8s5PG^jV1ZIqn5%MOh{cs|8%k)Fx-;LlqdC5{`@( zbvvgdl%?EhY$L8=0Xw7~oMA>o`In#qYSiM{#~OF&2&+OB#NB8nv>sC%!ooz<1GV3~ z@C)BguwerBcIGx&BQ{%tx2!&&Z0ZXN94wxvn^ABR`c}#~>29K@^Y57>7}*u@C_B~? 
zyt%zRo~AU`nHKv+N7Ecvv^Xf*_$H;XAbw$&(obf8tWYKw2<_C}2Tgv!+B$g!ZPFjF zB5Hq##zRnapwA$G2@);wNmX5nyD*$EI`}j~ijGAC1V{ETU~cKv#W?qPrgc0u9LrDu zM|t%tSThZ=^pS59X=Vt$C>!w3_z-5Ea2F#D#v}W|5Rd28(ziN=!;plKQ{LP~6}M?# z9GcXS1v`jg@h!f+qs>W>6XT!v2)q+ZgV$5R!nns|1VW(4T^PARwml8W!c9A)9KKav zf&XK*66Pr8KzcNOdPw8Ioh```s@-RVq)tG1v`+OVHfSlw7}(OEe~SXM2>^j0PAfqZ zYU|+&0O4{L4Js}`7qY4x7cjUNF8~#TW1|s>>$`tZM4a@75WWbz5tLH0xJe%E9UH;) z3oR!QR=XtCytHsp-=;A2Cmfr&X+3PukmPx3^%!h6HtK4Zs*f>1C2|%T;l0A-euNtx z3DzAtz`9aI+SRh}0GE<>J`Ah6Mu2YfG5|4=&3_lD zA9r!zG?Y7I_gVzjTG(jF{?oVIF zyNG+a1^#a(FLw3KxH<|{c~FLqezeTaHU@)gAzB0A4Z_v>!a*S0-toyvuAAG^rdMbI z2;|-5zpzsM&1d@-_#3Pg^%~s?4`T5|PCHq|cCvg*6;OUB5v#{p`AX~zxwSa0QMCWS z4(2nVf-JvIyt&4Dmekr+&49)ax$o#RZGa`ckoq#`V?pn%nwvaBXDh_Te z(R`UX@-nkB^0bpC2~BG(BGZ}vV|4Oer9P;B>DQv#k+cFoUvv1sC?jq2$U^ZiB@#Jq(O%hD$DIY*Aj6Er0bSw!*V zOG9#$$at%r#^g>$`6;5QlX2IpEYdkIncmTzpy|Xc5%jbor!Uqg%VIG^sZf)~a|;OI zmu}n%VOo*A?S#a^68=;_b=|h)oS9!W42lIKB1P~f;5k0WE;gm0^-1#K7)a}>T$O^G z4+$tDuM^@|gj`T_`d^c|*iMoN7fh_`Tvn?aeDutj<2cd9{r+H5Z-`+s)z z{;D7wra!p_a7&9siwPcTHES5pR*N7I14pwt_M)>*<~+^{6R<>R$-_yF%x9>swE^#0 zvG`2?xvI$TA>6(OgxmM0fUr_e5*+|c@`(lgY2r1G6`Ec}Z%tJvt#?SRF|Q@BJ09?S zM6DchKzT52)M4nE@o8&d1IzM+O=OWB*KRU~?0vJnMp_c@>6#vMN8k++ICc}KYsU4a zjW~}3VOf7KEx^-YBSq!BzH5aOi}IXGte`jT$xDnyGtDnSVZ5PF`Ohl}*PK7p5|3CF zTt$szv*6+%u6r2(c{%jSRIj&O8@KNyz*Rn;OPEfkG^LY*k2@-GP9o!;fKt$iYe?hh z#jjsH?8o9~vAPpHHJLs%FE+buN5y!-Z*6InGyofA2Qv_Fd$F87uT1sO(UIHrW(zA! 
z-7nV+g`dS|*5(xR**<6)zl}3AA>jp0`Ed;DFZW1P6X|veEOIF<8Rn>SMM3imhFD}G zXXq7*X+H|!KIrSxuM^jIcMMDthm(usuFH{GusUI_RVLDMep#Q?Oyfc3f%{I4r(;vd zEE9V3V;KloI>pa2^bI#>frIs zBg9DY2V9y`ncIcM>!!3{EdtzvsMXiRTCibq#*(~$8lo2e`j03QA#i_QiM{j8kUtG= zNm3Zup({w0Ej`(+2{Q>KP44vqjk0+Vf9j=5&pjoX?DJGDtZMMo)B{9_Yvv}V5B~Ab zN|-;iDX>z4|2kVjdtr8|m+n+OR?O{PCc$pu-J&C6DiZ*+!W_YJHEn5$ppdsX2%9#0 zd$o^n7aCw_v-WUwaqyBc;x%_d5g-BiB7nq?6qyq_S>DrjvHk$=X|a3QF0tgxI~2b* zGx;@qhlFS_=Q zEBT>Ld8ve-ktwuwdbzM9#Bnw`DN6P%l#P7qQ?MU?-#`vD(X&jWU8EF2puW?utr_V< zhgUy`MJ4HER-^qmYWJpD%^=ZsJg02;S`M^EZ9+6{_Qt$xL5eWBb)P>FL2K=}->F$) zd6-<=Aa++Wy|$X{&8%K?yWB!A8n_Db?j8AZ&>N33ry2}KpxaG)8f}G*a9%8pxZdxN zT}(oPi9cg+%4}&N9a&${w2LS^NDfK0(u3+?j!=Acy_*dJp|U}x*o{E+l3R1e`G)gO z;l^Q5S>kgOy}{;^{d*RqlNp}H_WwsK`ih2_bG|pwr*BG->UzPVa?D*6r*X~5?-ozx zlv=PLB*06Gh9%Z3p=#+8kwlT4-nyTZNL8lvWNPxB9pA*{eY@y(=Y-++*ohwC)Frve zctB%g|L7Xrqh8c;Ym6qX4q7JRha|CIs{DyQsvuCS?bhOaZykFpCY2e4SyE^_M#6i|ACqzlH3@u0&1wdxVZe)8!w$%K|typh}mk5h2e5&8T?5Ps`V^`XZhFya0R^ zi0AykQs42MOx$kOur;x*r^(aOITAO-1;^iVV}O_kYEvpp|CZFU0TC&aE<2|qB(P%2 zZUG*-^T}aPB6+LqjaUSpq^aV)=!rB7n0Mht4Na|*FS4DufYfS1#7<0 zVov#}G9DRQS@nHJEn>tQkqp20u>9Q{<-4b)$o=*F@|ausiz z1iB37g#O^Bja0@9dqOwbcZ)WCMCD5@ibgu`7Zf}}zUG)*@g|TAu)vN5ljX9_86J-y zDtq3O4v;Sw`?u&-i_yeo$@=QKbb}GicCnrPB*a*+=U0RJ!zz$~q^4fphMXZ@ID}%a zgNwNSDyx9&RKy^?aMs+HK*s7&#k7vC3Gm`A#By^1b$sQFsc;tbjTq=zCU*wm<+yL; z2v~e8m01Z6NnFWBx;zm+HfmvOP!$KiI)f`8UA{v{;{b`=3Y>sLrFHFXNiUHHdJY)( z-F8|Pf~@(?djJK0qZ!EcZ^-sRI(;X#AKcEKv$?G;vYsVs{An=Y=+kG}MOG#O83+@H zZT@<71UBrw+4a4aCwZPcAhXrdyEH}|ysq#eAqQjqlYaG_#H3jVSET@JchdENwz(2h zc+}|!n1-&g@goDrPvLE%OBnjAq(;N2h#3FRZ|wn=!rlntkQ-?MLW&*OxgdIc_v*E<%2sz5!a1_NhE+D1w1>p#=HJO1I`xu%>Dxxl-zm> zvt>UXYmK^saoSMN4i143t4sKM%P9}M# zIvDrEizx5%<(?M*rpWDZa`raePH5v`$q%hzHA;yb;%VxK!|?Ru2ltZ6kBg=#-k*_v zXO0s__aP@gR$Fu<{n4-cCvnz^*gUBPYLoe@C51LplspVaj9$Xx-SwOD>Whdtq~YN! 
z`G)HomrY}J-`a+%)W@|M<7e2-n0>y0UHE(2=oCB?`r2nycnbMOur)#&a8SB->&;)LCy zP^BxBWj#753<7z29a|zk7z-Q6A}S-zhQ+A>_GO^S@Ivmi(uI4`*TN_yQVs|P?T8cN z_Mg`Va@mekW-GhrKQBLm0`w82e(EF3jO-dA0!Y>{S0k1ype95AN{J!{G;q? zoHxu-Z6K}swr1e^Fp=w!^lvLrRyd@{V%GlZ)t+Hph@`x6=Gd5Qf)f)TuKtA9^7b*U zB(AH#X)3-r28n=K?=3pJYAz32kszZmrtV z|JAvI6mKfKz~(M(y9p}X4_CdQwGYAk1@jeFV*Y1<4_ni6zGp&UaCsKFi|1ZRLNA?5 z-h!U;j~H^q-^hZKug*K}T;^D2p(ISpi_}(^LoQEW3y>O`zf`GqZxB<*H;UW?+thw~ zt)cImtemvvL0JSe1MAeRckJ+OaaD+F8Vuj$5*<&mCqA(>Jp^n7ajx$PE;$S0IrA;_ zalRQjkK|JZQX|~(mOVft;q&AWpNwUbkH*%<#3Ij`$*att#L=7U1~F0`&fk11lS# zHX2A6YBpg7m}+>|wM1ZGSB}79G=Mlqrs>q8qKse9RFb(k zC!g9pt;b=IH_wkU{#G8A8uG-VX}7P`z?Y>V9Oz_HWwQ?_oOge3pv}XE9jmViE#V)9 zrXXoi13;oG_VMdkF%`JvHS9G2KY zr`Nf7#+zZ`MpDB5Xaenb7P?ZSI7N;2Hmn~O%lhgGkA#PAOLvA^R{;~F3c_0eChVwf zf^D`$X5d8I;?U%DglC>6xFi_2!MQ}9$LANa2UZIRY_>CkG-LYU#; zb#N4N^S0s9nGD3h zfu2M>ur(8H?ob;TQ51IY<4O%#G!apc;8s33FNa}2+)jcrF0O5cOKt`mshCNGm%|b^ zbH(8R6L-e-Pxw9@5+|KAtmaK1k_1B$3-RHswKBj@%ejX8_`B9NS(_I*kAn4iyjj_F z?bMXK%7g1o#Qw$r9R??6=6Dl;2bK5Rog8oX5S0n3X&^6e+VrK@Tbo#qX`aWG$i?Nc zbCj=*i$-*E4=o(F7?1XVe0j|>XX_tCv`E>0IbP9azj-=?d+?V$^STm{ z#^XP*iiAR`7o_W14FY?EYo%80w`$wa z26)!THP_yBS;T}&HjRpo40Q${YVy#=iAg7RWG&^!4*Kv-2B#Z6`cXQ-*5#Nr76V{5 zaYoST0uC43?D->sVt)rK{RHNnbjFNZ07R#c>z1k5o z%fU1`U=V-C!?!1w=fr0Lgs_v=mI1$Mirc_B%_Y9K$uVON1_T~+J+bJpl|64W*jV%3 zU$oK72&oH~Bh#})Zqb|vTEa;qoEMyXri{`5MHlS~U+JGP|Fg(Lvs;RIH}d{d!c2^J z*avpme6yr4CUtM#5nTkXm>|=6SgT=QUn+V5Uptr)0waK8h87^)C_hViItLlu(vQTx z$Ml~Un(J@y>-fWH9Q_f!-_-jl){?bp#tFhPOTo?-AYobuCaAdq7Ju7+W<>CD#xgut zhe)%AuMB!}_$L_f%xFOBkVLuh;CxwgDaa~tT}1%5!;hR%xIL~YUehbf3G>glg^h4k z+uqnizw)BrNhct#83I`Z-+`y>Z#3CZ=XsEA?DE`fE}~mW9|MTBUQ`3kp4$9YYsV*^6BCGIE6!%Dx$uk4>4j~Z+KK0r2L*10r)ywb=i+ToG zA|EousSi0kykkz}5aJwGR)jj(Y}qml7ZH<8<&Yp@*0tp)ok=EMW=eJ9>kcRh9X{_X zWUH1{9M)97pR$6C5AL3AfQ3?_(`t1CHUGK|DeFjBWZ0)!FcO>*__SoD+lh`A5XI&G z7$Nv#(e_xl*;Nhi49jk9B!qM_!S;sw>KFCI&QP*s-6lH?Lj>vshC9bzitUk$5a*$Cd>JU~l?rA;9uklVsk{s&j@7+zV>w2e+|+qP{R6HPQb$;7suOl;el*tV02ZQHgpXXkm}=X~Ee*R}uj 
zYS(>tt=-+VsuFta;XN@EnD5!+MQsf5g|LTa=v^>LUu+K4D}=aTl)x;f>^xmlybYyR z)pV%1UHs#)w&claX|IPiw*=n{AdFSxNRhCaq=eHHXTfp(x}YC=9VkiaMS{d<7w5WJ zyDj9Q?Lh9p?vq`tu`2fjr)`JjW5TuKv2+H1nXovB?o9dv>;jvQqfv-5#cPO&tt@qp zJ{>rCc(T472K_C~M>()lGT>_j%Kv=iIl@qO`--kNfy&nst%kQ}kNsBWZ?d zOgI-D-3Ht?iEDKuIu!t}%~I~F-_}X+BEt1^&WVpgrD7;!VuY(VB`;h>f2}Yc>eRSh zr&BCyyzt3md{&zZ3TL>n_?owg49lb)WC&Z0YjVzfE_l*FA$dMe+`=D0F1z707XNWI zRNfSKYwjiBHK7aCqG!+Ni)2}65z9#)^~>TjHRyPAA^dF$;gg_-th!=K!Dezf0`INd z>mm{OS>*Xgeln!VW|t&gi?S~KzJhk1O~YzUf7Krm1dgDL7)P+$*HlN*MnNc-<;Oa@ zWlp1Aw*K}$!b`JqAP7dAWxo$!bo-7)o=Ww^@2r@n*kMIsI;X__y_vB5LP~c^Sb4~G;s zHp8y4DgJ>rO2eiNbnzfs@szB!5u-SO(Z5q~^=*XJE?e&NR@PleF<{x3l~RAFMWx!B z!EvzYnP*Kx33A!WQyKf7b-$3ZN7brUM`&`ECpx)Cr2zq@rF1M=UWMFCMk#@DuqzEF zqWnj8-j;h)AepZbHbfPT2fWLpBz$&K(`OtvW8Ln=me#*(`RAzQ_3p~7nd9%7ahJ68+){EN|KP(%YsDMgp>RA$qR_uTt(hfyR(}87-z!Pr(DRa3Ij&o z>yBL2XUuIFI6(zb+?O#X=3_0z$(9vNS88X@A*9$YE-Z43uhUznT3HpB@!=bWq_bvb ze+v+NBh<_3*6bnj-WF7hUJ_s=IFal)^rsPqQES#Yys zkriJ~>efaiOtr2C9elLnmz3a(TBojgHeAkjLVUyIaFWekq3i^$mPq8&M=r`X1O_AJ zBx>Wcd^KTqYi~!jMM)&6(}d*y1aL$)xhkohD3FP>4F$CNRfc;0GeCbo4F6s`)P}m< z)cHeOA8QhgmM1zSErU7!@`Aqn(Jr;sMulhjL*&Eclh_lLj7TgV2OA6Ep`l{=_O{hs z@J$@t$E#+W2vK^VN`xw?n{eWGzn94Z{1?SI(8Bx_U~#l6GBK#RuCK5B%+W@$j%4=k zi_p+2tXNQt=wr6=CgSuKY2$MhOw^3lc^15LeTD?5mqhfg@eDKr+GEUbT4y)MUGGK+~GvBKbH zsV~OQ(#h8R%wm_XWt%>1CAiO=p0K*;d1SeUIH_D#aGwcl%_Pt20 z)*vlDyd=ubo!obn!%OQs5Ka^kKTk`Lnd+#Hb|=NfwcUsAoM-7MwrU`yRrq@uKr)iN zCCBJ5O^UITke|zxyVGbP?y4sIMh9u6UIeEc6*-T>C^8E7r&eDYMP3r1s?oI3!yONb zu}g%#uQsxE=;prP?xs+0kWDGSFI*?~*2JI#V+_KpJOkG_$s8CexS80OpTxp(Y}JG) z71G1AsZ^a%^Q>OW^kB z3w#UjXjEMZpzmRGtQhSeP!#hPN+n$BS$&!=JIt3Utg4qGE|uMDv;V_E(jn@w zO?}hncf?NxwyY!>^C6%6>+Fw;_~}i7Rs(#orALZSKuuSCc%AONl0uFODy3@cY(&Sh zFi+`se0{n)$6#v%U(amL{NTSF+RlNbij_?oeq1Bba;u}b^P{Rw5jFsNN06u4t0V0q zk^xVL@_W;4dODvG8ig|Al_>wm+LyH5$s+DdPlt>hNxAhI@9=`;B;9^0m3hlc-Zm=z znWSjU$B`@>paGs+(M6(^$rQ&$USx{Ty%@V#Z;6C(PwiY2PQ^o`Yd17g09^G_{M3qJQvckrf5a}1G)-DS^rZ_5TM8JknUnShwaj_9@(gzIRL}yNW-gnYF 
z$YE+;y-&ZM978$9M`-dFHRfLtw-Jfxy_awmiF=;a1R4{&P{}aDml0%H^y}$*YJ!`| z5bn;mUL47Ozk{?g#T%V>r=fuI-o~TcYsrIwCwDWnQOCS|7)xn69&^$}-p>;QVS)sS zJWFCD!>KK4%7lh+;W2&3mmE$ z-Re%FD1e;nrY7@}UHVpO9k8Fx|LFLsMitA1or)&fDeI9JKYucSlgTB}ntvVly!XKc zLpg5Q8K2C-UyGPDv2=+7@}Xk2J3=6N-;uRrv<6j(K?9?QKymq@M@V75%uD<|qkPT} zU$bT2D~2^nyZ4gC<611`o_VxAz0aAH$&caP}!+++ZxkB0cVo9{fIWVBJ|_7lr5aN-O^-n zk4QNaikso@XKlu;YyP`EaZ;xTpf^( zAp7%YTrSK`NBzIA+5RUVo5;CKt8yIvW5kEDHVt8Yf>B)Vl7oGoH0Tmnxg=-)x%FdFOGDLUmf3rB+byu84~i*rese9?HK);bATeijQ6VSaC3mdRb!YKtoF3 z8o?INl}7~}nluYs!jSa{fIt^JQE4?P15FdjI>^DuAOn)@x~h;{=XZRH_7W5F9Rr?g zE%jLV!rR#BF7}TC&_C<-=P|%{9lV5^xTmhGMPmr{Ejg!y2Hf&b8I6^yiPdA?hQIbB zE($xnHPuG)yVZdWX%^)H>$HWXa!-B4JacOJ2D48%kRvK<_ZedPMwhW7d~+I)i|Lu2Clbm9mq7bwGC6%5aw&W@&nf=8P#T z?IUfrabArDbVbl$2DgJPE}YhpUM{%Yp1EDy7d^Fxt^YrG;Ua9gh z=Yta{lSP3rZD*5z&=Sd-w<|rp)Sj6GjB-AA)^o?J{R|?V^|A$U9zJ3O%_7TXI1rL{ zO9sHN!Mhtw-qRZIEb&BPxR-gAF2H3~Z*fZK|CzIl==+bZu8dHn=W|@i7q1_uh_op< zC!a{u7&!RO8?%##f~A%`c&WEpNTn)K>INA(c_9{%`97w#FH~P5CKMzQ+5HK?Uyyxi ze(E!6y<;V^%H~623HVE}dup30TFptR^|zxw)e1LS;Ch1W(I&B8gdXsciEv7SSJlPd zkjrb?-+aQDRe_LiUYbLiXG`8+DbMM*{8-cWTkjR=Jg@RMt#|&6SlQ3` zK{RC@M6U`RyYj&8|HW)M8mgebsI5mGT@AiiXQ!r(bCVp@ zY*!uD-_t5_E@BZUpFA)quK$53Q-**xHGYvD5rOakW*@ZD%E(#dy+4c|knq?Nyp)c^)Cp{i{;%WrdUb-%p zAAd7?5WZo{VxQG>Yp2(PN`jRH0--@5hIy7KZ=SB;qx&N}#=6^@0)>3*_ZIoSTpKi_ za6}Ny^MITNOq$qD-~BUOTOS9o$t|}vu}+G zOpT|9YjJ{)i+OeklE%00NvQ+-zLn9B=^%}+)ap><>MTh(B$D)wvWKKRb?WSyTIRaj zAx|v><<6lBsqEI8N0s%u}a zd>y!eDmlpg-Yt0+O))$g5*Oc+W4~$sM%hJ`)KM59#u>41P&}v5^COvqD5rC@R}bu^ zQ9ZV-Y!vowEN*Y}%K+MzMll?CfK7!D^RF>n#Xp-e;GDVbpXFXvmJ~{cipHY-(a8wc zL)DbZx_}3~uqML!U$m3)`}VFSQVuKhgvjpUmL$(`<4_5&!LLGB1Y?Ihf4iCNXD&#q_N)ye_wCmg7tNE9QN|r zU;zVf{JzDZcB%v%&4?N{zb?8xlLDAOVNRGcmK5ArEjBacq5BA6Lb%JhbVcS&TU%2BTYb+%abH-0|xz@Bwc-IqY~sdcPtzT)wVtfLm%e7D1^ z$B|o$wRQ=+?CG?|C|x~nJ;h$e5p5~fE9{&UKP3es7#O}OGRY4yqY@XA&8C>kACK3$ z*mFOz9u}9d|E&&l)e1s$xhXXty-=@ldOI${+pdkR;A794DYA@N8g?U=HGv$}{D`Sv zX0m^AN&2@DfbX`c-r;dP65Yu;;t$_C$gk;@L#l5j#XjNGouPMyRV!uSU%YGdZS`_` 
zbL*slm{vR|%uvi1=Aj3=dn)Iz4X)p!onW`g{aw>GSGHbGaISd!fT2p*Nh+m)dHJ_G zt)6X-ZOPl{hAr-FI(Y^AFowPq;Jcb8N`=SnL-V`rk_hyaMnPx7M zNt$3q?f^jnJ|7ZAzu5Up=$nCQmhWL%M$jiiWMgVq&frnM@S3SWRq9$gEvd3mOk_&n z*5ppetbAL4zL$0JR;lM4upavtB&R zUBM^Hs9ryRrRb1Q^82DnQzqsBCDnwZT<~Ja0RK#8*c_}G+MOycZ|(OpR`dh=C6=CN z{~pdi#y_;qGK$AbAqlMB(B3o?tf|Co(s*U;cIab%=O&C<0(a9FkOj>!-?;>GM$sBi z|1b}}dCwwPz2$Q2h$yug{r)`#b~~`n`8w>8T|nMHs;W)#hS1BAXvbPxx}1g3O3Tt{ zqXB~)M-Gg&}xJH`_ra&`fi`n#u25GQ@a6l zyCY-EQ8$6}Wbz>2YtW~CvE7`?u?EwR2gPGDx!(a4uo;1zS>!l6rc2rCj<96g`yH0^ z_aOB$eUmHD`ply%`w)dDm=5uvWb`d3(QdhjTw=@GM;AgF?f3Ve<;(Vzg4z5brFV%l zf5(O2F@#0}(SxAeE@6LH{%xTbRn+6c6hMpDUGHB2Ww%QO^s*u8wcO>!DVT*FRZ0=z zVi+j@5zgx@d~ViB%N~vbn$@kk7$wVy1uwgnn0imnK^I`1h!Fkz;8b{_My(IzBLR^a znd1n&y(W>=WwQMVUA?37s~~P9@H7lB-4kE6rzpoNNp@De@Lky zC-%$?1eFhV#0_K0%%hBJj`6K#nGaf;RZ~009r0_uDIXka+v5*w8IfC(TwPyU zN~Z~pZYbh|^XEd(&MW4GALP3QRl{x=wa?|rU~FybT`?gn0VWfOcL z5tJ)fd#rAmMXq8Gc7|j8<0e+%Zhd)S%@=E*fV3v{?BAz@@z3cyW_h0pL+NDk<<|i2 zRp8{jxpR)e*a3>A1bNldj~s{Ke2zc6l&)Vq>(1@(wUR&4rjFuS*{dAty9*?Hi&M5q zKy!TH`_>;)6mms#Mnxl%Y)I|Kd*+F#uh|56dDY4%NIKwpW1z3lP_6+zoChgpta9x#hdg0NPZ@CYEjCqBDcGCpxWHyOMpNPeG8hwwZV%7^-86x#T_Rxsv(# z{!JzMfDLPMg5#;ob@hmoQ%+GYT`BvO0&XGt5EzU5P|MhTLbjsKW>61Rvn1!ggPG2# ze6AeQ?#8)w)-?GTnRdMDd!|13TNv5(JOg$tbUX&!ku!GF4uXtxCQgq+YHe=&E*yI< zq4VO)xj(g*F0Mv6em_m{j~6f^gL`3)J?BymoG>MP}W?_OG)3@>nu?YjA4Nxs3t{{ z9;2@k&sDIwGo}q-0($;33Gi%kZ_Tgn)QgTfszT)MPtj4uN;%k)()kJS(?e<||B#Jc2eK`ohez+ZGNN`RU4;93BD-_LBNcgMA;ve&V5#ALkOo3l*> zuaxi4f5yEVQ!lDUXBy;xC+KjL6TIbe)Ol3Z{YZHTL&-kh^{XhID)`RJResDHqtqW(VjAfT9G+HwolHf2cRQfN*tGnF3 z6%*DcBOXmh4U3leD8ZEC5n7!yf3ok|(SmBHMl)@a^%0@uCG_X_lM1;QD|V0(nGy*l z(uEqpnUeTM9xh79MyC2<%*jg?oE!|1j16574_`a0cRX6j6*4ui6}Nw++5~42K!B`4Ner`6JNA{a zLlP_noj`7 zfkN&7X4;BnCzjT?sQZ$>JKkG7!ti|pG%CCg=Q^!3JZlm^SR1*jV`T(COMIWK-1sjN zFB(K+>(KEtT=`}S0=0K%)C-LjR8I=-NJe*o09JixU%83FiF4MAs}rTkuf?IpDXBsC zzhT#;W*XRqi|g*c*PQUKX7U0RC=w?k3@`GJ>>O*GH_c^l@K-RF5kVi*yVr zpUfSE|4ilLmEI&gJ}VwtUoj!=k;en0mBr0ST*>R#TFim)=u}w|a*e7j%lszlUxANr 
zO5>S)x&IrBGY!9R$(b@_o!eL2kpdK?;g3r*sWUb_Xyuf661L3>UeIC6X0BnGfzlXM z0_>nfYnty?6u;9j7{_~oGo}Np_-Q2VL8&y+q~4;p4{8vRgHg}4SZR-`$F|7bb8e?y z^1GH5g@Q`mdu;6uy=qDi4eo3OlO5MK9CXEbP5#*GZ48lI^oT}{Mz&mZ9I~?z2`&kXojv}Zl5|kPX&umxQJ}3J^6TY*l$pXKiES(LyTS0 z9D#iqL={F5=b$g-GKXqi1pv5rwDJcE;$JJ%@$)Rd1jZ=B@Muqtg_v9)Bhve z;b-zeOuc>T_QlE#0aJ(XF6WBsR_qKeZPv~72r}##9ns)Foy+pM6|f{HdiI8_JGj`m z_V)20j~{VBV6scH4&@hmNm9^^yyy|;yJ`8<#yEtx@IzU9JHPWOlsF7{nDmLsdZZG% z|FH%0N#%J2)&$)ZvzCDrsbKT1WzZ@x&)|N#D1M^Qb?y55nWC#1!s08j2x0XLjfEeL zYhc9^N{0_b`4#URaU$XSQ@mL_)GF1|Kb8|;h-nLVgpgPs2)wf2vw6SXPf`a6RkNM#v- z_EyWnkx4o0!bPoagCDnje04SrxI%clN%EgAWA728#n`f~pE!`7C(cmVt**fRZ&lT# zqEw2cVvuct(TcZ>|RH zh16+Fs1KKgTwA3S%R3xjIPca1oSSyR_jbYcy6G8>(5={abEROp*+U4ByY@n$E%m$a zfWaqGS8})2FjMt96Jfp@|LxoQ>j!#e`;P|SjIib(>2846+h+CTe+WlgSAZAbkE>p# zo5cOGPDKzu865Y}-$x{IWNkuJ9$OEE=vtRruws*xrw` z(;vSu9Y+2H3#8T>FVc+oqZuRoTptN(XTCXTVdMZz1s40*FOeIhnaLfiKCkHtUao5W zdsfPguKx*|dGt&C5Jp4rd79ycjEJ9BD5B%NyL=6#^57o`o%vBfW}YE&gnH}@_6y}4 zBAUWU(#8ar;3fa9POGT8U|Men*4pS+8SW(W9rb_%YmB;|6jHto3m#~%pEbm1pJEX6 z2pcRE>-eTAC+D?nWJI98bqCC0? 
z*HlS*BPtk?;Lx-4p);+Zm!>gXhA%{9K@*KBC`9uyH?r{ZVs(?X!}Z@#!R0Avxi;c&#=R`{sP#ma)>EaH5_N+)rtIMc>$4P zOm$^_!ra(dy`pJx!gteLZNS;2fBi$!4V9cH%D)sPaX}-bQdk%$x`4G9$N2p2b`Mzj zY-Gt%#W>EQjE^wWrBJUc-{U`jWk1EM_1>Q&X730i3sZ$&5i!xvY!eiRLUrzAo`_h| zM|S99@btRq(kscY%ROt$WP9 zXT+X?1IT>d22q$u+&Vk9t9m5WhJ5el2$q``0Xf`u`=Dq%)77=t${NTzq{Rjx381$S zokf58SPJD}k{Je(3^G`)Ar>ep=gf`ywULX$(VkBnm20hxzZX7PJS(4n8}}JbmV2ky zA%<8z1 z8(5VamG2oP&3X|sVQ6bMQ!t6kAo;!hw+Ri~E`_(bES*A*lc$#j{%+c(AWS1)%2%{` zKMfyND#GYgSbN=vz^>44udLpC2L>%uzkw} z7I9?c;H|APxSE@qw_#}eq%BVKaK_PkPi`EI$mBZ};-%?ncI{@A51~x@3cpAj?7Yg( z>z#DEhk2jeYwr4Xy_Dm&)w*6>J*pT(*z_1W8qqDMw3!hFmRK}|7~jK&+V((@hrW%_ zT|cQR^o~BPmERj9dAzYR*zWaP49eTSoYNtRCU*CSCW2uxX_=LKS+e$l!om1AwUkQ) z!=|6(-1(^hG#*2T)1pjN7Lj#1UMRS$L2{izk_6YV`^s1y@nHH;(`mfj~EWr3JdZqkI3$z1euU$mhX3A zLo;dynWcTi7Z+j-1;IUeA8cQ4Ldv#gEom zQ{2c5EUas&p9r3cEc@nBUZ9MN$ezlKtz*hQ4TolQT$2wbi|CB)@Ge0D#v~t`H;8wy5DiX>bK>lDIj&u~-+XcMa?=pLa)qw`IPXt}21&}@v40n@pLNGVidJAFJq|+Q zbxNH9p>e5Sgvpu2boJ2>L}W;I5|*up4A1$@pVc=I)3ZFu+lZa5h?+c@&%&#%vN*{D zwzw#KL?_cbiVT5k#Vjvgzjz{d@s}%aV;S&TWKNpS@m<$~s|)7h@8T@`ceI%b^Vd?+ zg6IF~41#6?Q2dWN%#B^#50VWYnCtvW`+cfAompTF04N65Zk&9RR{Gr?sWd$f*)MLz zWtr}ms45v<+T7?Q51gB2N^iiQ?cV=(E!oapBK)_`)8QTQf!P3f&EYGJfS zqLU}Tddp&qtD1ivgNB%}Vg|~2GELfvNp?ItDH{Z;%|+GwEa{hsB|a%r&bK1zR{(%N`lK!yjl)}q0cX`XDEB}P@s1z+Cz?dfwkGUw zx&~8EhrX}?L6baLM_`otze`-83VvuLMR%v?i$zcn06{nBz0o889{&E-hQ5Oi@QHI@ zaZDGr6MhBhpWKs!m{Pp}}xoOiW6urK-!#v@9bFG}vr73X05U-X?o7xaEK4MOYy z;(#f~3&cS#Nb#Rr;q*-b%-mg7a@8sfjpqa|o!4t|H7tQpniASm1N)+l^vty8Uhhks z=um4|Y?OdNXCs;ldxOUFJrgZKH+H^Q48@_$%=E9l-a+ZSy}rQFmg3@07t!$KM-S(` z|Fc%i%&UFX+YhHC+axtSFMgvlTsW7_vT#WJXCxAGo>|!?PMQC0ZT44jS!xb0%3a&4 zCDb2a)uj|z0=NGxi&QFOT{+JW2@aKagFfln>hew(;qc%`+5!T6v>C)V507$vQg-%5 zBfI1%B^O`~0uv{Z@Zi6%8RWZMK#ZCDnNe^7r?vr(R0wRW&xI%eC+t}a9^6&hw`aZk zB~YG!_-Qp~7iTAx1ZWEty_=((Z5*@8fVT3lC9$|>XXh0Ef2oK?z|LG+$e zR^JHJ@}x8?)?vA#5=bc3P(d=ft-R#Fs|Y~tKqXrn!O$&X(xtO9v7rubjjoW4LROD_*4 zaa_pDegrZNch!>n`9?HvPYO+tKEz|ylIja+EM0V7#z?*1GmC11*!;rIUy*9Oe}j*w 
z4a4kJg0%prXM>Hhp<&|?iO2#)PQnq%pq_cBU|5v*AhMx^KX`K`ujcal zlf=k^^jj!u{$L`b*^G)w^@8#B>Nsmj`Gku|L^7{uLD>Qq<-CP#DCUngV3&EF$`gH( zlZIa{uqZ|-j8eTn>UnVpyvb4Ro7EN3g*P;;|%imu%3HP?3UH8tU1$JVP2wQokssDp~<5AP9+1;4xG|2(lGDk2W|hApxzeHh~B5pf-nG8sn44>#lSE~!Y}oT=&u?(YeQ79Btw)v>cJj7 zb-ek7Uv>=EhQig85IKdf8BvE3wY^p9C}cd9{7bYGJ-slDj~iv;ky6XJ0du zs%WGe(dohB7ZwbhgqbB{+hJ+ON{T5L!9YzME(!MlO_3HzK9Vl$)u|x^@Z~fXEaWZ zI+(e!<^SPPqXm5zrvd%q*vkK=%kZ@EW)SY{T%5(_>LvLSj$YWvj$S-)+9Q9=R18jL z_O6&qLUaOQMC9YmEBqNTXbTiiDvB8ZVD&|fT1OtuBNNE-W*YAIsLbQ{ZTs`MmaR3|6-_b89dJ}DcY_hs4bnvznZ(STaFiwY! zGWzv2xqbKlnVW5AcZ%wI2B}B@K@pJT3RlM820G)Op*rP%eUV<|>Y(UuGZeQXWpIoe zV}keCJ27f>c)VtQR+KNd;3tyKuwN@P8*}5m(w-{&Ssq+kqJusu&4Ch=Mv6UcI>)pG zD|g#?N$%Go)R&?H$}ac%B0?7(NRPm*Q{&Uq&}0(?r#M+!l^^70HT}#OxG-&fdUiBf z8qYwsrLW9<(cO$%<8^viwmK#2YY4bz4anr%Ol;)rY<>Te#LoO>syYqF7I<7!fCfl! zRDOO`1TsblXNBd|c>k-5O7?j7S~4{A+7KY0zeJhDSmrL^6aTYi6z@>$aK>hYNnLU?L}4+G0^{=PXC#MwTR42UsFPXk*&Y(&%_sSHnx= z|1DyY;$YatUdz(_!0L=soc}XJXY^umcEDw9act5UNEBu4oo(& z1}f4nb!eOnrE=@e4sC*&*@}t3Guxus^moANu(K7C0n$0No*(yRNsJ6YFV`2x#=aB) zfRWx!_NqeuAv!sD4VYeK@bYvhKxSn@v9UNiIQW{eH&FeusX(`~fVk*=JqpH*>d+3m zKa-Vzc3$yl{f`hTDQ}HfSnO-e&Wtx%6(s7L(uV^E2L^icD^sk$q_S#p%Oum+EgzTL z3q7X_{Er~R&+QXkkBE|D5;~(N<9g3-S@wPwP@pVzZ+2Hq7N7p0E;2P}E_HugUxF8( z-l!=uWweSS@JfFg{Kq5z3rdqi?mU7D5FZp6=5%)xpvR`KRb zVQC9`$FT zL?~tHK6aGvj1HidG)?v*X~!+X%oG@c;nm5f8mUnW$VA!ULYh~>S2!Y4KD>p7VkF>r zXX}*DXN=L9i`I#gIQkHz)cWoQLYm4}o%MJYx}XUsQ`ZNhXD!OQ?g(%+?KQTzy7Vf_ z``49jJbU!;0b|gc(nkug|AgO;kFF_3pIZ|&n*)1<5mZpoV(b?}5TB%X{|XW)4M%i) ztv5DTbk7L=>+y#Ug7R_SSx0+)@tP3+G)Uqt{r6j3UgrH<%v*%9Fy?d-wL*mvVI?RM zAv_w<8GxdJLFotZu#(6W(C#-P(PkVNHqm5iN)SjGSao%*Vh@7UNB_z@%( zQMNMSKr5AIs%8xHI_+UsKd=A0Zs;uF$YomVS4A~WbGj8`UuBb9bF z(&yN%5Nek+y3o;`J(DGa>LO@Hh?bgHa)it6s2`nphmjbmrI)hoF77SeMXIs5?dZ_i z>pmF9Gh#Ti(1S?+Fq5~iXiLq%ShT)o@Ib|3ioXDYPrs(y4Nk9_wgOQ3Jx6ey`ooZh zHkYSui34dTYgy2`%zjzN*0TASvP;Wy>7`xch|Uk%i;^N#g2Cb1zdhCStq9O~?U*&G z51?7OKhIjc-dc)Q?x= z1I^;&4?-e?g5n@lDL(1%ue`95J(9jozZ 
z>L7;I^-=MJ9C@mU^V;4rM|Ez-Or*jl5|>Xpu%*j+qDxV0{qr7HP4jPVBmb7Ft<22( zT5T-cIEt26bny)OSGWIyYt{%&A=JMK2~5W8w1L+U($2038(#_=5BzVAU2g>s&HmbQ z1;#Rq5ZU$M`e0x*K8zdU*?q{G+_+n0YPv@8PFDr4;soIhIYpds*PxVIRt)^%!lGU;jdlWy2br@29b}h}G z$>J;rpVTAbBv^_axQ)W~9V1q((v&FRtMCXjg&YpI~7* zOwznD*JmyJLL)1F8Z_>0lsBMiwQNX9+kCp4Kav83dg76EO^E`&e9GNUX6;da_8|>B zpHQr@jZw=~UkWP|OUvI?(9FIQADc4Gs#O(sp@(qEDdqe+mB7{_ z@fsauQhhW{Q~a4@Bf9M~sORWkE6PaL$&aHVgfQGpDCmttuZntuQg4HWuj*WovNtpfv*Tipi8EaEd?B~%hc8xibzFq# z%TTug6*yUm$VCX%;_+4H(BL(4CxeUCqgozv-NXmY+C4Mb!OMu5RTx3{!7k)|00e@9 z-6Eo;niTR9j`0icq!|^+kfOm6<3fJ&YsfN@>wwwAJN7duSacS)FDc^XABd3@^6%QF zGJ1bDdav)F57TBp{j2a^2!BZH-F3jK{KMZAC`C!RMWgaZ^>OP|cLd++Cx^)_a^;qK5n$=tR7uu z1)Fg`{-I6n_WZBUlKb5rGP!4M*3do>4)NwK8NRv%VL)7Qa+~QZyn(%lWn$$cEPlSL zv8^^WWY+oP$_Nkia_L#%5%K2iP~Nd*FGE` z$$sOV$uH9%Hux6sPIlS#sM+Bte@kDHe6<_3%%_=+jUe4~bo+jHR${l{H3#s~BHNaM zfNfNcRv63iUUZ5)9W;_ zBX#rtaH9<|>xSQv1HFDLK2G+vm-zG<1r6nn)e}gl+_cPJ;u(p;YC+jA`pN0^Uz|}h zd~eDqgqr%k!E-aP3e&;USHEbL><DMTBP&8$ieDy{)Yo||h{aJ5Tqd7s#{$-*|TRI>3ar`>$W-B_zaB~{-B z!wy!wzVOOE3j`s?tXG-TVqd7?^8zTQbP0qcJ~2XtUHvH@9pWx&*deCE@Rw0EIyBHN zDyI%F`a3|U&=;bNRNv@cn)nNUFO188R^c=j4%OjO8A)chtc9p}?UV2C-=@bN}^6u^l=(^OAN+r))^sPBN=cEk3;jyDdrjscgAVcXQCN|3^AeI=Bpp0CZPxQoC@q#76bpo&EVB`9sGG=6wHHuUMB&@$hP z1-CS}fVw2M8+J=O$;F0?iK>}wfjwc<^w%u+mDgV&(+sr!VdjT$3u+-5*8@=|pkN3v zJA^q)72No-4|L#itYv|rejXHHCetS}st)pNA5vKq);Rkv6F!qTl<=hPubg?W-lR#Q zTYTVD5b0xTH$6W%M8+M>n(g<}rD1M=j&pahpcGl^!=OH=-{t3xacA+y0AF9xYtx-B z)h61lWY?GWi|UsC_b@(K#8dL5_&NPziS~ zY2Pp&D+YI=VHrkuAJlO(ZIy`ui3D5Y&<)=!))>`}rV4QAIX?{=u_vS@PUinvlLh=a zMKQV}g$fpxZb2O9wdd_|{FtG`>_1?wN4>l0=n`z+R3=H4#3WSj(7-33F$2&E&9YMi zZej>9kMBLmd`$lAtursjz*MGR(XK#P!FFJ{o}(FSJ1QY!-c*DP-sdKN^Gt&n^%~N8 zCb42Qjra8)J~|45MsGgcVIK%8v+zX!L_;eRAs2 zE@8RpY*N`wA1yiUQMqb&AiKmg46DK!8?~mI95~Xt&;fn$;_^2bO3o%&Dcnic!toG4 z3%K<3Xs9<8NI}L9g$*gx+!)=`UN2K51_Vpn(IxDS)RNymB$z1@uCd}7M8oAX&zzdL zwK0znH6_t+)5GF8l&1!am$uV{jl$*I?u zy0|#|_MT@*wcDh~Bimksp=6<;)=>P$vbSoeYn-d%e7FOX8o+H-ksUwvA-&&H<5fumn}~u 
zTz`cqQW%cs9z=4ioTdtLXq%vac;{e0$-cmVb@XRMrj);26a9YxUqGP0-Y81J?UnAKfMK__Y@zI5Y}k#^+Z?olu6RFJsuO5o6ug_Vu_>Tw=cZp%*`An6q(dKmE`djnqv+npk39MzzN&Z`Mj`p?JY!*Y`yzTEcvu`29RssZ@+W0; zxGo`YaB7Ohyt!k?H?a`N!&XI5w{g;n>xyt)F<{8Z_6R@wze10Aax3*>$XlJ%F@c90r?iu zQi~Q>cU2V)Yw}m@%zjbk5w};5sq0>5R|cE8VHma#IlVjSF%Z_cBnGavXNEGxpyy3 zt{28^e)=-=V&!C9x1|}}No89HKieA3&0+#=zPYHZti_SO_3;pM+`x)+Xm4$8Z*Aeu z_2Z6=Qs#$s^^yXulGRQF!sjDUom;3UScNFqS&uw1u)N4!v0Y6aec}lv!c|cKyE9L!~Y&a~i0ajvP3pJ&}QO7Dd>lCA_H>X#g zsd`jxexcU{CeZKjBwfIhuy z$q{-1^GFbYR2-eE!dSTZhs91K{&aj`+Y~5h40~nvVaAg>XVWTNiFLoP_zW-fJb)K+ z?Z7ALVq$W}!t%%`; zmCd~vQEIW9$=qLB%*EbPY`do~W7+Zfn|(u^&1WUjT96e{Ba;tX4A|DoGw&Ro&MHXh zQ@QtG*CzsIGVW|29B$}Uv0dU6jZB&-F%(5c(FZIVRlhEWuIcGGYh1bQr%!GG^Xh@H zFQ_k`g@s#n=9kSmB7y!wrz-a1Qx;JW`g!q7E~ec3RRdH{?pWAWMGgo^#&iWpo0fCz*O(YthQ; zI(lxk>$WmtuV{{u7indW=#t9LciW_Pm{BXjDPN>l#$3KgF_(2vDISFQE|u?pU=3L= z*~t{Up1@FM!v8g`%7BlCnAS=dJfp;a8i@@&YX{H~dJgDJ)W^BW#;wR}zR3HYQ~_qn zZ`43CQfsgXg9y5KIwt{6mKkxQ6zvy@Uhv3GAMIB$*Q{s66t=G37*UBPFpL>R@R1m;LYo&22=&B z|0$2MVOQMX*3LAMDDXZZJGU0AB(-jdn$FS*Efz+Ht@pSc9y7TpBqlO?vyKr==N3drUn)`XB~6zsxV%yg zySi(MOZBNNB=)AL{M--kiFcJlpwG8zNs+>GkS@BI4=>PR7w8yM8zTuRdy8zXGC*c! 
zXr<4Upb_M+XlUIOonpAXql~Mm?1qwr`H_p>~=mG*m;saTml^>L{*vl3>O_8UrH-HIEBNFZ3GEBodGr9w4dl z(vb!{z>bX@r+xUH?J0kC9-I=sq%2?!vwnn!xJcH7mt-dFVa=(09Z@?9QF(Plp&-i` zRm-psK( z<419c&)0~7fg2OMuMi7-LNHk&Y$UChCudfimDbZJ*)HqIG%PIsreq%|WW%gX zsK}_|@j~7-&*Qp7K^c4P2T{6_;+;F8^Zax|m?u7!l++PDe>|2sZy!Au3b@yCwowu% zW2@pJSFyK-_I}NgWSFp!U8>vU(5sYkeb>%%Qh_2faupX6b2XuD;hs51qq+^>Frc6S z@KL3Bv+w1A-@d>=cm$1N95^XDw9&$=M0n<`10_b;LJei*ZphisHjbRgs;q1(#WTM1 zXEK<9K0iG>t%;bdZBUj2EZ?H6ytO7twDMw8@<1_Ra_PJG@`B$~A<&Ojevp}!!(;+m zyd0`bm`w9Iv=G9Z0?jbpjeofgd?rjXIExd3rbs_391m#8ImVGuNG_E)W`e))XY75t zQic*zkls9wN#Wi)T?X1(w2EB zp{2aHh%0`dM>7NqET!nsp}jn@Woav|P}{Jk%wfx0S?DwXy{yaQADtKhA?0{|-3YC~ zvuqWHuqZ#+tdikm>@ri4pk(EzWV(##j+hOZIF4c%D@?@rp7@Dadr2a$xK9NG;8Qk& z;u}&Ntiv671cqMNIVR=qwAQCe+#LQ?OaRIknTbFtK%kTenwW*dsl?%ITYKGPJS&gk zHc-hjgjibH*~yEB($`^SadIn0w^F`dEH!l;ssICH70!GNa~u0!w!-58PO?ijTv6jG z74q>@$V~u0pgepD?lqDz=KGA3vSui=dL^OjaBs_xyUFl1uUr7-B6h@CB zUmV$ly8LC*3Xk{_bEPI7&MyiT545C>l&fx0MkW!>hFl@y^o^>rYhB;DJHe}r#UbUTJ z2t!kzZ1YMLujLIjo(h6hmuTjOhA!k5%Y9Wl(u)-32YhSva!44dn$;L{N{T#Ez;&cb zQTvKU*Le4D7y3#nyY2UsZhC+M3Dp~gZ`3i&1-4LF+FYm`4|Yb|J{X%|NxJ!J!s=i) z&$H@y#R{-$_SQJ|ALPXs=I1D{L7iA|WrAMIL{{v?mew!w2GSyo5X?Vxlay)!&1sQ6 z@HL9>6Lyx96`~U&Y-QOlIahLbmwn82Q|4iqy?Eg~aahfag3wQsF?@)S`>Z;w{0nI1 z*{es6H-3~!v1rldYC#`N^6#mB^bYO;%BP4<%%Pb*h1}+ zlbHEc3JxmRwIq9)n&-$R5l*7=2HOhcN(DWYBm45&LV%5V9AyXHYhYc;vE70N>a~Mg zWi0(I_39)mlMEBVC%l~Tt57JCz^RGAXpE5o79QByY9^qdcY2vRXgJJeDx`_y`bp`w zaInOqwN{c9>SqRsa|ljx4p}PBfl9>+W>lD6=i#E_3Zy6jc$5&9r6sO`fXbC48=Pn2 z70c0xh7SD7w-7YyDt5CH<**|bh(4(T-Xoxph$mAC1isqh<4^2k%GXD?PUyi7mV-Jg zZN&v(0@L!r359>Ufpmfb<-m^xq!P8A6=0m?Q*0PGf-E`&CdZo(f%egZM1Ttr zJRz>X^sB(&E=ZC%G$SZq!goGCt%r!j0$xO5sUM627Wc0BHDEFCR7y>>N-_2^cb^$L zCAtnq>exiX+E!Y3{uIjclx7*>V|24@C7-g;M2RmSBOG^RB**_%%J%OXMYv zx0nNV(CY;A1<_nVvVf(}lE`|wQZY86>@qr8aUo1|6NtuQjOPQ%wRb{+94_b>8v(ol?>1pRvu(l zjRj>B{+O8l8U8m78a|^2uD1Mgu*T!FDV2Nd;#9e~<{lU9!~9T$UL0{yOM1aAJ?s^c z=$l^2JRai7!tp&VM1Kx(2u%yJbl?0XdR9^6qD+~ZSOXBo7zgjKYyUeejEt}3*5s-5 
zi!Kb6Ed+vIqlxbphx~+4@UYuJidc=*W=?3;zh88nuYdA2?aI0HW9SR*F6ns9k;n2` zcZ7k4=hz`H1z$Vjw3o)*`sp)E0+UfHD&y;pICRj6&=D#aVo@yAVB?X9`(QC3@;-=# z1%~oyfMP7f5jBVBd(qp$!*o)Ed4zh@Aii@kkmuH~Im{?DVz1Z;CD;hs!JYH(V2eUw zn=<0~1bJa{fZ*SdMjRBohxRrjmQxD*F@ergRB+_2(cK+}=$ch5r1Vt3p$s=kJMRO_?op68@`Wu!fY08Cy zPq5R!b$HUb1v|DBzgh3G$3#LbB_abBvoD|oZH5>lAxNKL=K5}K=g!VWxRQna$k87I zi$4vtKM!~^T%d-5C3Q#I|0F1rACk-kit&DF!|v3rz5sof}dCEoW$&2qLk1l zc){^#EZ=00(}KK$FgpH5(u9N^V9krud^p(kk)|eGbwNOEl{#X@j z$U|=FO9Q^hWtS;Pkzf#T|LcK}EG(xee=5krIz$l<-4d6J2s*D==G>D3bUxhl=r&j0 zK5P5XCij7BnaV zU2CiE<9eSAme_PZWNwpnx7b&d2N3r#!CckV3<{|xFjy@s?cQ1fraC>pbJGo%$RJDtReQy||Oj?>MC0uh0Yw`B=;Ba;+PZyIn~xutksBCeuWj+pi#ZxO=#}jp6CpU|4w( zqE5(2bhsw5fP~Z;1@Hn7Q^TM9v<-iv2cSbUY|)Rb!cn6BR$ijl!tV+Tm4YR>FdB21?7DoKlYi?B9Y^oFp&CXLxfkW2KH3#zMe z>n*4>*J_Mvm?Zzi1dl(!wvPTlQZq{b!G8WfPW*Rl_xn$3kNxhC)^~3B->gV9@4NJQ zN$?Jf^hKL1RQLb>_y79tJNWy*|Cg6+9~}O3_|I+l&r6(tQU&wBEqeF=@+xBI5o-9q z85Q3-t`8-DD{_$K0LHDn^?&}``upGUIr#VeJCX5Y`{UMsQK%CrjiV^_5&}CZxDgY_ z&3$tF45c;e-?q1LrMyN-Jvf-2V=oTO@94?*m*o+xV~89pi5| zh*ofWiN9g3tNR}N&@uZ^V)RS=JY(S{)HG4?Ef`sx-%!=b6h_VP!`k2fBfM5eLzIQ_ zRD2#LQ{9Uc;0Fiybag8xLIw4FUes2?7kp%Q90e71R2fNNRVoRR>gTpKpWD%VZnyMY zY5NY9?dyK_Q1dyM9hwi839NZ=U-!W>jml{cC|@t%E_YNFip;^s-4`lSpFD&otLiLu z!uAV<7b`qycybFa_V$oQ?S9Z5Q1;e~-=<(>HmD1SABVbQUjM;zyK5fYZk)g}vQ~2n z?|#%9fK{DS{hZ#M+tp>yZpB=$eok*p>}pQ-T}@fEr%B(QCVhLF9kQo0Td3i;+#%J^ z4I2j+Vy66Dt4Eakvw65qN7M5Q;?AAWPZm`x-|1hjPbZh7^HSa8^U>L5sr2OR^Xc?@ zaB))Zl+oqYd{!zxzXF}Kt_2Si4hJ_%6+|PfJ8VsGMSuDIdS*fu z18M930Xqz|N9zbxwU71z>{+&K`vuKd=)EUNQR)5v0Z>Z=1QY-O00;oEd2CoEDf}3u zN&o=e_yGVR02}~pWMObKFK}{ibZ=vCY%gMh zWgKzvWp#K9009K|0RR956aWAK++FK);<%RoK2`UBQ1yQ3nW{7m=9To$-YNn~H#H>T z0-3o}`(aAh0<-|clgKO ze)td4m5fHrBO)M9wbrQAsuiaO1z6UJqlJ*4$Y(AdX%KMIg+FOTlj5#ettFo?BK1r1 z0seBTFIAo_ct~d4X9WIUQ5g|2Bfdvh^-5AheZkV1WQ>Gj7ClkPK9RMEiAw__na9IO z@@X8wOCmx8@1u}pDLg(~;|t(f9C%EUXu(Ltx@R7+sW_$36)_8p_Dx`{VKj(`5fL11W6i1Yru_fxVaj2zrasA zm;FJ1@;jg>*Zs-u)p$&uXpiG4Hk5x z$0Ex8FeUtV7~c>;`W{)(M+W2UGX4kFKF558{fD^N+r6C;a&L3eKI-rz`Id 
z=a0r8p}Sy9O8$$eS@o~K{XpQKcalE6`$Up&>IsdKft{>ZEQG@U&I?tAABj_GRvMKm zx$WFsk@sTyKg^A~J`Kb7q<1y$lJ}$QZlhUqJ`r6;Tr6Z6r?Vj9(fU2P`p11o52UKr z_po5bnY^KqyCCD=VW|H}YL$AWRjEOXwMwngf{(RkrRKnwO8uPt^zLjcJ}AFP00O7R zZWO~{+`R%duVtY|%m7Os3GNsMb#V3J*UsSnirn6PxQEgGaC6t|U-!G6N&oJa+>bk- zuV8)wheblJ?^eJ?I4fVIw02&pC6u~KPEPoeg%Mq@HfW5Xggh-cpiO9e0-2(J2a-lF~kv5K0w77*Dmb0fG|I`4Zy^ zC>FjCLqf7&ZHU`9G-zpKFmqFC724iyN@MTV&~k5|j9M$3Sqks{eZQBIf}dX^2FnVf z5FfoN|5R(WQ_+%lTot>lT4^P8Q9l|p`G|6$z=lx5BuqCjQITT#2o=xP{N=Psbx_X{&+DvJMbSCcv5zL@N zA-0PMubv|?d*MB=U}RXwLpL&Qv@E!_W)bh8*BSn*eXCaxW3AK$+l@8bhhuFNv5q_A z!3}d4G~nTKi{YHX#foHU)ZBqxo8JPs;Z*B5GL?;fy#`ArmTVK{EGaPHChl{X2!~^s z_j}S(%Y-j@zMhZ;o2FiEG;?K%PBB{oDE(gj3j?-GLw5B{-DqdM(%fAZ?@m$EqG*%H zHBo6uVuP-?LQvvEW@aZs09ibW{VmLumJ+FpUu30gF2krRmMam!qn#P6y1zl@1Xr#fBAJG!zAW}RX1=6xMeRhTRt$y^=OWsOSH6i8{ zmi=}jz-m5kRIz%k-mX_GO7*3JNwS$KT%C&+YUIq3Bv8&I2DR=-g9Bx2+V@%H_gh%0 zc9F##Lc6~lPe#UL7%Sx5U>@$y^Z%+l?bi9fUm>BMNf#Gvm-ia;HbIgTgf#pZ z{-o9#bQm%ZisRbKLm-|4uug$z?uVMzOeUYaFP&yjK@THk|?U1E`%#5wG4V zxydw1jZqw#Ay{iqprHyg{-dUMm6YOi$J(YD;YKVPNBcl*RR2|TUYNn=&zvUCon{(X z@adHK%)1};&GD$VVcOgW9A@s4j94gQ=`xa=HF{A`ucCs=RWCVE>AqsuqEW>E&lI({fNfa^G_WWHYbPfRWph#RVC*Kk42 zsW|YoT4|>Sy71ku2xfeK&HYUO;AbV9)!HdWwxB|sC|+%OLT|pRdiM5I_om>YNI{Qh zlB1Ve$1hSbrS1c`=iiltT24X7by>b5tG|&X=12xG+=l}F=LaR}u6pFX0y}=cH{A1< zf!9+JQJD1|H?v;53+6tMPInLzItQ5>MmlaAs7)mB6Oao#nSpz#kZnL61E=qcr@UYB z8_cDUDMTJy0h_4VHOqo#hjsJ5Q0oR%IS*f*gv%vvi|~2C68ZXlCt%Zno?4@K$HBEP zl*Se)R-^~qhCn&y#X!($b-*!ZojK{^XwmPD*puWDdjkTYZA1HOD17d&zbjLo7a)zm zrh8t!fxa@d)n%%B5}`y=&+ZgD$$&oYUk;$?8^CAl+FIATv6L*pkv^_Fu(j!$)pT$} zpNG&#Fb_*<-Fc~X7#gBSBRZvd6m z3=!O8GaBQHGnMY*QsF&L9Pm{DhC1r;kS2P+Ts>54nINLXLb4W2GELO$PcrMMxMuQ3 zm63zCl_3hQp25dPg;6s^q|ka+z(G~SvrN5zi`jPZAd3KXlsUA>wCW1-YDXz z6!~K)u72S9v6qOGJUp9J?c&i&a94+gt+=%HjewU;2!=dvI;TOo9Uby)!F zF98@wY*hw=^F{$dKZr^p-m#sA0S%)Y;gv9x&kZ#-*s_e6sfT=x@&ATiFzMn;9v!R_ zj$w1xO;BNk83;B z1&-}5gDCGY$!0yaD#KQH3I^Z}mr_U&D?9c6fn#1bR4OzH_T)g&gFVS3%)xrC2y94q z8;!&G(J7csHzMGXkURQ~hmMA!+V8gQ-pR!Li@SH;sHg|p>P6c6rLCVH1;3&9?;e@- 
z={oa|QwRG54szX4km=%ISFTslnEKJRT9hh7NY`7NFuu@mQF`3l&{0F~m8GNVhC~?p z@tnW940sa4FNz3CRM8DXON_t_x(ocBf_Mjt!$!?)R&U1Ia3T+s^=-3>mCs$e(ZY)Z zeFUk}sBg5NujiC7u#Ju8OPp1W=0@wd3kt#jgzBtb`I^IA zQZ)|dmlV4(88@EI`16s($~QnUWyv~l??YBR)<2FgVNM8z=}Bd^7a7k!B=yQznylG4 zCD_4lAOd({jO3&{yoABbw|IBsFcM1w&&gC3kPxKQjx4sfL@*R(iR%C@!$ZK8+kIs4 z-fbEBcrqAwJ6$F*Hix?$%kqd?7cXNdC-_^fw5v9T@_V6OdkMiWY+V`%#|FVy3ns@g zFGGq$>vg;J(Ln7GF2wW zU6w`sx!pQ=K#_2Tf5Ug$PH=GRro0itFHOBTgB!1;nzFul{vJ_Yn4sdV`Uy{*y_YO^rwp{OyD`% z+zIq@;5imN)NL!laj+AX$e182QpXH2D2`Ykrfc;5@Kgu5r1~&#DcsQ7z#YcRyjSVe zX9fo+<>;MqFF8ARa(AX??|h!BwNmqV3|f+DS^|}?7H1me0iFlN!^FKy-~|_dg~z=f z*iJs!5&E{Vf%+Gg3yE(5)u$>amb=`|qhUH;L%yS?sze&xX5PN~6; zu%WD0vHI~=phKIB+EB45`r8XB0uhHfyQ;%6r$1%pXl^ku4(Z&IPWWAmCE(C-#axwE z6MFd!=l(Bh?w{af?CX%51sxWxaUIw?A4insqK+P8tPFfrJRpbtTTZ81LbZ467Nvgg z))4vS$aza%_Ira3Oz^Crhu}#`)}Pg1Y8UNBd=UV_V@&4_0yAP|@7H$}Ul=F{JYZB> zSk)IJtpyPQX1O3#B|#~L^Uf`Z!hPsLU%9z9hiT!%Q_PEv@(?5=_2&Y_&7y>59>+c` z+MDW)g-M#qfWzoAx#XeBlcx^1rUFqV&Mrs!U6=s%`JZt_(c@3MaD~YMKpd(v5@KPQ zv!!Oml>y^oX=rEos1MvOs05L>WJ@&XC7bVP@*Kg%u(Y0$dI8<2AAKH1I%kRmXfUmN z<4zd^Tet0S7*ZL5i=79*)9+=UKyivD4pDdtQX^K3+SD6!)vzc zubyT}3Cr+Q>jkH3ay`}=fHOy78VVo%1h5s+JxDVImtr~i-l2DZpqbFBcZpEmK4KQ`wCab`65~T$O6(JIZF?+>Jo(lc&kWAySB)%!e#}iybA^aPf zg{a_T7S9DPdE`Eu>w6zEI#xoIaNI%tZz+LW0cJ*KVe|xEkcJ!)%OH)lD1(E+lz>m+ zN(5mkLGrqF3L1gl2OgVUD?6ir7bhQ`W5#B@9&iR+@1@`qyQCbzTm2MtyCw@6f89{V z(2Ry@DAkae^ele1+05VKNpnwGO+#%XkoL)$Lf20uB-- zbq|t5>Y4ytYR|Hkd%9$M`r1>Anz|hZQm98tu3X{i_N>S83+N%q5~-u^#0(=wz4ZDd zA^DtRN?4hn06g_%ZdR<5hw7+rI(^{_DPx;V9iQbWbZXCmnD;KT_^I07Y{%?j{`q2_ z?;hEn_4Pnl&K6jAEAxfd0pM6@UXQ@Kk=2(!Kg<}jA?%uE_!PvQM<@yc4`I=w7v zSg9vdaO2p@=8Et_{b&~Zm;)6ooDvS+BE06dA@)5Jn()2s;DOrbqwbDGxtVSQ$}Z`^ zc|1#0cNv}A+KwLAHD91W3!BhPkgxC5<+z-^=bx?E@~E zf&#@A#rC_}zK;PqUhR_2slpp)z1ZJfR3AuAyEr=&;5wI3@fxA8P1GRUxtv}%B+~bs z-ZiSVEt&Wkh4_%>w-DSg1rF7Z{&+tc7>a16s-8qxpIg9u1U6>*PNt-*P^o+(KkK_w zj9cdZenx(_p!V|XHLz@%(6z0&w0MW3Zv?B=n@xP1Q>j(6+s_rgyX;o5&x*ikL8JU4 zUovIB2l!MU(!ZDdT-u4ub3&{5{j)$ 
zn8DDQsyp@68ff9x@YB1!HH!%|gfy6IVUzAZPQp#<-WUu`Vm>sq(UOWpk7jsAGLr}h zf(km4e?~khR%e9iaKz~)7?9;`k~Lzpe!lU4LLV@gEt$T+MFn1Q$AymF$THSL6wvx6 zP&F6sy7tsC=6*?C*w{p-|L$aWZx^LZNywTnA-kIuvE9u|N7sINMr{VKu(Ed z9cW4>7p9NTmj+Hl1fX}?sFL!v;nkDZT>u8=O?ZCo9p zFvRs7GrCfr|E1qkxY4Uny7$dq4V%#8-qUV%OFQqDj_Zmzh;aMy3!Os)eYYFcHFf`} z>fftpj?)Pjc_&;`?#GgCBOlzzC9n;PoYNC=mQ0!%S)BAMw22J%4EXt6(B`?EejBLVH7t^3@ z%ur`fQrw;NCO~7g2zVr+_9T%R$G9#zgNnPQd=(zIdpLidBGwyc)GjJ4I8(@hh_mGQ z;bby6%Wq!|FxG%(k^LAqG5MH;sPKF;8J&!3bM`8zLlJW8zSd+{5)k71$}L$XHBc`I zovB-&7&{rr=H}4c(C2@|Os5pE2Pb=+jtx}h%Xn$TB>&V^_Tnk0{SCldo4|*-Ni;Os ze@q`YLF2=8-(3n9mC{0OAPezm*KYD=f6)Ki-nTzDZX*f*epUBBuyUyyPgTaNr)5vR zy(*1m&-mhpBH7vOU0tPUl9ISXky?=&+nd_|{p-dXAV`stEjxQkc4H9)f$j#-=mz@H z%LDxj4KbiC1Pnhw2=3m85ji^Hu+w~_53>M7qa~4#0Akp6Q@YtAI#0wV#iO4`uwH`0 z=^=IUBhf0IFilrgE#c~;cx=x4o5>_n3_Qoce(1u5DU#54#5sf<8vD%8U7psz6r3j} zoT^*SP#S5R;kL}Yj2cI-EwDQyCPM>CsLnC>p9zw?{~GJAQbTHB%3KGo*14Q z)R#G0q0v)X^tOnesP#o01b($GerxfsdDu2Vz0wbfrL;}~U7=ycD;y=a8v1m|@L&t3 zWgw4ScLYW&2gU{L#S(~DH}-5b^iicS#!7DNU5Jlbb}a_PI0`VUSal$_zMebMX3fJ~ zWX|Oak;V#fSRRr$FnR!TO9S~0xoQ#U+8T6Mt{Bj{yGRu=`cH|T_U0{6wxhv*jX78F zI0%qf1Y)xj#m=0Rm*DjB>f(`l8v!s6mdWBSUIrl9q?v>ni=CA$*Q|tIez9wN^*Bv` ziN5Jx6NXgm@eIP5gAtJ(2KP>`>|5IYEP(wfcuI=_#8 z6l=|IVG>cN!rcJgvI2gce2!K!WEN8--Bp&%0XWZ@!du`59y!lN?WsQ)P(!7g!Kj*B z#P*=Kt)P=snHC+7=^r7kH4jg*RM)VV(nB=^e+5YD{#6Pki_xbXe-|TtWQA_{0QzPzc%$=Er`qQo{F(^-N=Z=&3M~@_DvK8!sXWX=08GVZ=0*|mqq|2tI;i87 zdQ*sdb@{@$Qh%1TkQ)%9Z4zSL@lpXT{^)e*m~_y$yfccMiZ_Ut@d_}f9yiZ+^}GS> zT@!Z22lSFTOneQV=%poYZY1R@aRnuADk@e!Y>c^VkV-sGZ3Ibq;Q*4iI~hOCE$0_E zLiI#-j>2a=szpy^in0)0sAthMMBgYaWz(}AlcM{j6i>d!$wL(Q(*T`xFx#nm^>cpO zYITo3I-(NnpGvK*VEet@>Kz^bvjoJBxQ9rgvv=ug8IyC(_a=D6+UQ{7&co>Gy@Qnw z()S8;V8+Gh4j!finb^5!*=31yR51*EDuX~Ax)F`Xog)u@si=9f!z#hxVg?Dkp9^qy=TqfVb*b54}r&bFv zuNJJ{_HdjiaDbRXVZk4L-(M1ERSOjO9!))#jPKh`a$Y3W^Y6`8>7wP~zwq`DZwr@G zHxBH-e2Qs{jBjW7vGMt>ECS71qCW#1y@eQU@gG z#0!bT0Wl;|IYyN}I)X2u82fn@`uU!ihBL*NKVY~5&?`xg_aLgrGjvw+$LjYLjz-G1 
z6cPXGewBu}d7naWQ^gumK*lRLo~ZH4vsM^DC$PpNvGxqO>07??tU#lDQvf)=+JMJ5 z%i!*5aGxfYX~2M{Ec}JZ+-a0j`B;JWW-aVgEdPN<$AL zfV>StfK_#PU5*Z|{kn5qm@8*N6f9;*92AH(xBR`sD+s`iPc`U`clA-| zHb6Ek#h|HR@K^%cWL)lutK0HFuGRhUUfl^xWz3CAu7je>Gu_dRUW27KM zgD~xBmhg01X>aOJs`kXST)l}g;~K3TrFO0|xEid~FG zObUF?<*$NlmiYM%nAgL53A!E3SR99%OB0m|*scn2 zn{PzSR03w`Vi7Ul3U=$57ixK3j0(vs^W?6oLk*GLCC{zAu#U?h<{J<7Gt2?UTqB8< zBk|rY3J_J&g*XX*h%G&kQs;oj?jlIO-=G(M%(_gX;KuV-3pdWwI$vx8}!4u z5PCi-sWvV9LAP;2{pUPc?FVva^W#1609{9rRcfW?DIHtRnY{jbKu`Ox1}5h|=uwAB zPM$`=w}dW(OJY}S1z6MuZqKWeI0FXk>w!Bd1CFyG1@lVaDfM3zzz%0Q-ZBCGRLy@I z<`)}-4XbJpVt|O+U^N?Ma7jN2a`a2}gm=@}BEU_;CFn=bddk^p3)v@R83=O14t+tA z#3XZa2!_`zc6Z`#gwDUqm#=!y z1%p_E4Ck)agC_$iUPn8@s-%~ciJl!Px6ydrWj7uornmjV!_q`$GL`90UCy8AEW5Ic z8Egt#qzwU}`h8{5r)&VbT=bbG!1zj533+c{9xrp;vGyLR+setAJU>{T(JAt!QmMkQ zmTf!Tw$OT_%w4l1k~-!t_~Uc#f?dvT{kd;FzvB5j2UmkieDsL((M1}p{3L!7miNFj zTaANGHhT|iioaxT#DTc7DD9$wq2t<})?xFc)o8RE4cJN>hfT#_Z|;V8ceI>%$F0^C zJlrSx$w#x*>wHAJ6?pH63YK|!(eD;aO?Xp(cD9aw2YTA)W)WH~>Fnm?r5(KhKTYO~ zBqm0L23~(^wK~0z?4BGHAyID^=&e`v3P+D`2=XRmz^?j@VPlw?Hzp<5UC)o^x=>f0 z6I^nNb8f)qB>5|p@OO)^UV6gbDdX5~9XCEY7=g-rQfvWmnUKm{LnqgYu;<&a9-e>l z7M_F@PF`_L`k0-?c;(>VjPj>^FS8NUUTPg7^~(69V%o8|6jd!Ao(F?QrzXJ_W&xdj zC8xgMk`?;T3}``)4Ppg+@31f4+Ng+w%OsiSj$SDW_$q(c`bOXvS8}r?%TFs(>KuG- z!#F%vip$?>0}PEu!6j7@6vyhp3k@JD4OJQ&@94FNsygzI%hTZyBiF8kQIoD{6`H zwlQfNm>8+21THM~)Emd9V_?%Kr;-IrgC1EHV6?MU(ltQ7WLjAc=!mOp3cw<{#@ic< zmbBBFCG%j2H^A@c@7zstPK3Z(@}57x6Th%|Ks`h`pGyO88Dy?zj-<{v<^9g5natCL zAv1)ATH(ybuICr_!-Xq%M0||a=n;AccEu;!QY4;Zq$aDaqQax!kilZ15-y@= zf(V1AGlW;U%8U~GHXgWl4%zDa2<7D$28*w*HGfH0u z--4(JESiqmA$4lOSHXC&5I&*kQIGGdFvjRBg&;D&aI6L!(axZ38Bo#~F>9eD)#9B& z**1i-aX5{EpDy$3XvhUKQKjbTc0Itv5z@u&D4Gp?E1CYhuq^!muOm7s3?C|704P5cH&JJlT$w%t$2YCi_&$dHUiQRSq09Lt z#(z$p0*gx(!Iyb`xDjXw>d?jx|M0a&c0;^72Hv+%i~J~K>Qr)=LMoB@OXEDy-Q`WG zM@L-B`P(9x4vi~ZijM32*YNDK6VBafHLJuTdv5DQQoK0m(ztYC&vK__iwEOnW&zF^ zCtW08;a9{y+AX0sokYUwF$Kl`>f-9GzyhD3J^bl({2x6cZUp|o&0NYbSiD{g1UUW^ 
zwo%E;t`0|Qs?H1uMYEM36D|$W)s42;(thLz7zzB&`45mNhUdR-4k7=5{>yihY2YP7 zFUIJ=pU+Nj#tyKU$p4WT+-1&ye6W~$=gBpJ=1hN6{GuKZZF5NVvslF6INO_OfC{~~wO+5o^g75)cL7W9M%=9DwVc%eRf!+1WX3t>>jJq6`gc*S5|O zV@+@Xp1dN`@|%uzlAW}@``H6q6oFKw%t#s)sONX$L^@l(GkUh5ruBe|aOP+UiZ~u7 zZ0+0@`T0A-E!YNNa79ML3BJT$eb@L_K|X^O_lO(qi$JC2oH;@Co^w+svQG$`8>$TF`=eLd6WfLm@@Ju;h@F278NSkf3YYD=XC+y{!mFAp|rd z(lP22WL~+j*<73+cr0n>qj4k5N7w~OSE*erkAo^a)isD=dKKzf-d^nFR7vK$pljky z;7NeGppP?&1mPNd@q+~ zUM-|%5QYvF&46-<8%rEhK|k@2ObwgxOb#f7nk4E|3+rT13=sb1|0;Jd$L?6~At<98 zg_p07jq}yLdiElDb~~6h#r#gMR|-6NR~ZI0x@$4}$_Sg*w-XF`8U}E7UC?Tb^67R7 z2%Rt?`QVkfx*-X^v}i$Zt_>cIk)TZQnm0MAHg@_Nk8!1k$Z%xFSf$h&Fd?RdG@TJS zTb!GJ6VfInh%NxGZgyL^&Px18oacdg&@i$&z$ZiOUwBU;ls!uLj6>avJy=w`cO;PW zQI8%bfXy%d%1X9WIzFeEt)F5kUdUN@+D_E^NW;)m=#Pe|;54TqZU@vH#r8dmnV|e7 z*^@mcTi87#oN%U<`ZUlbtAk<$LMHnQ>iJlR_;HX_A|RAeu`m`XKUiB1tC&GfDD|95 ztHzLBIxi?=cF4HL_%_`C_r7SJJ6#ZbDEUQ6=68K)`*$g9LzJ8$`rIih?$W{|slMV0wfLR3FFGnj{ZC$dLLe);OWx(!Gu zt@<)PVy_{HFr2`7(0NNT&*PVK0>uE8@Fko2L}aIOFGOM*+9TPsLp15Sq7-&bnX;pH z0)_maW#UNa`=23o24up22cRP6P8oX}CRbR8iGwPJACvp|y^A7iR!iWzxR?b_!t-|r z?&d03wF%G&`%}J#)QR?CseS7O!=dD6mZCH#Esf1JDwrgv5SJcrL~{rfNG0$uFH)5)Wg@5E-VG|+5}A#;J9 z&5t5yj=;BHxh<-YH+tYx`TfoGsozBS@jO@_efe`%M_?!MeR==B4u$mneiKAmTl$au zjV%9w#K}6hD&KFxPU|qon9cwTDHY}-YDknhjgZZZp?N53g;~cTOh~K}0a2MSJ%b-D z%-0f+;7uXXqkfq|TO=Z{Uu3Za9#ChONDvSnSG%dGVK^}B#;)s5Cy$Cvz)yhPYnP2X zJw;s%R_5{cuK(t8m1S4|Pn(Gy6d z3IyGivKJnQDK75-mXKFh;m0sfxd5)deokyIC^i;)GFu~~=*;WW&KrC5-YNAHmF@nk z>U*x}4%Mvp4PRtX2B~a()BxvQCPI6Sc-+-|wU%aIMy8?D&oXZQb65NEh5&#}-Jxkk( zrF$}QmiWr)+*4O%!9Ln0|1tzWbktn%9Vz-E5`bB6e8}r8f_sMSXwVlT9b_Eb?}6ar z6SeJmb}z&I0FW#Qs`JwaKZ6>g$}vh9cSO4@#3?^#nCF;J_W-j{DYn3(MHW`CJW2>h z$(CS2%WhpPf&vtN$#Jj3`3|$Rb)kbV!Km{V$x-uKh=(6(we^c+pm%Y6ZMBn_icL&o zGbFkzG{*UnQd?_JPK&^t`WDXRn6O>rRsma@&sx891O7AM=$lCU$D$hYGEY1HXp0+GtRdfr8sn&vu$jY&j- zj+o0v&*clUNP3tz4m|~i{tSE+>$z8~IzsJA9i*qV&dkw7KkDgjPsek`lbr6#SDWbn>aM^g;{WS}JZi`K3ve{vyp@(MxSxMOM&!DyUXCwM=Q-L3ruw)pOEv|ph?pA&I6S*s+TzoPgjC^R7vh^ 
z^T1a&z3KNy*C6y^Wteo2)>D|w2j&=~btL(LXz_kutk3T!dNuh#;O~IC5LGS3cm@AV zvhVj$O-ItJhMf9fZ`GI}E=Du=_mVUNiaCAi{2QP!XjfJh3_>Fa_hQ&mDD_1v?0lm4 zHA)YB+NeoWZv8|9<3wX1mw(6U^OkIZf}s;aVu3_K7b80>E_okl{++`!TA07o%;^%x z>G(sx-iJG^K^(ugYxv=TFFI}P0}vdHtb&BtJVQb82MDpY8%w6B5w3;L0r7~6p7sOd zAMt0z)J+=q1}GmTeogY|E)VR!Us5dk{QvfeNM-VUkP;FZy#;Ldk=yx*W%EM;%*2;| z?;H0!ZcUKxJw*n(Da&{dHh&+ly8e7BjrJ1y>L;HFc$JPAn=`T_ZV%JyM|dBfEQ48ggC(nFs=LwUuQr0)D& zEC-wPyg+h#ppOd^7C0j54IlUYVmYHLdOd{E zNGlPmk4dO`{Q82Jp)x(4*L>71d-?|*cp~1Z5xJ;%DC?bI@LH4YL^wS?YH#q|Y2l<8 z2{nA8OLq4$&f!C7>OdGq2b_CvU@~f41CH70(Ugq;xLt2O=@XgHl9=3gP2emCo!rVY z{*#bds5Yi%S=;-oT6@ZZUgh1qQj%%#eWnlAPpG3YN9;${D0uy~YMNmL?fXA(S=RLU z!#*79Wl+SX4gPzI?$REtdWtoIF{nlfP02qIvD%3`C1>?uIankDcz)V))hWs0f@trC zUX_19g)B)+f5V9)1tbc*Dlm*w-=%_V#fdS1UToEB9F(?ZS&eqbI21gZ5u1)~Is?Gy zU|g2z${&=?qAu1|tBV5{ou~;cXo?W7NC~C?K^Yh3fxjI~q5SKeeP94LZHyFO+jp+S z(qUD{tc=!Te!XBFB}yMsciJujlg-EeS)#~J%^pb++n|S6gWZbu*Qm9W(q4TgSXJ?~ zUjf=^R@|IurUePKiN@7OEN($|vR7OKr%dUl9R)luGMBkePYtr`Q z04{q?GxYp@*68*gUu`IbMW2IJ+z@&6&u)j2!oJ`rL|5ZOgCCL~27{3Ys&X+PQ zZALr;BNxwi1OmnW9TgK=eD%BCs#DhFv-FyH)bgJ_I#lVLxCcgqS6mW6*2x;aq8di} z+Io%ZH33l%9O4MgVyXg}WQ09`84$h{G^0YgI3SwX{|)r}^N+x*mP$0M=DXBaNN}X| zs#Z+#VtO@8QWf6MM9JA5p_6yA-ESso`phO}k4Z`ZDXO}(hnr4_oZM)5aiC!a z*PsI}ZAZu0@3AczX-HyN=vK-HPo#m%OvZXi@;HZH_opcsY2Zk(ho0o<^xNMOth|a; zY2$r42rL0fMhtj%YeQaa#eMa}Y-cbuC`lRTk++g~idgBE@@L1~qN__pFP($>?rWC_ z-rGiXJa@a^+x=lP|4-t|HT-W=rwE06ZgW>xyj$(<_i;Gw1`VS(IH0cY3O%C-q)Ee2 zbY4Gj{l9Wp`^>2-#4i(r`krevh~CFWb-e#%kN-pVzY_(VHI7Pz)RtWwi{f>(zx5=~;PEz6$5zw_pgaoA5 zZ~7?3EGb{ni7EA2YDEiB6bNHO<0};hb`xR=+AQsnHr?!%cws_p=vtfmDZ)olyE3tO z@iq;3-&6_abMG_!u?B^Yr&gudRd~Pa&n61mP1gtmpd(`%CB$K1kb6BM#&^lC+&S{v zwA)L5wqm7x;5vdnNV_qKSRf)Cpi7t&a0n`*HL_$hhci|oq*JpmH-&uY8p8=etq|9f z=EZw~mzE%!_Bc28hsP=mYZ{?;+&W+<8=db-iW=x)h26IN*RepVIJCER?;hzA1C?_= z#j1CQi&BwHEx-u55ArMFD;u5B2bx+s9C~P9R=$I!Tefm=)wcfz2EcM^vRg*~{7xFN zGqL}HA<>*D%=Uq|M0lF*RjnEV|J~;cBZyj>b$&s?j+3m>E*HTiXQHFc&E6grmmOZk~ zFHNM?Izp0NUk|zlml?3^h5qg4Lje9nS_Z-henG$RBAI~EclfTbPXTBf^*JoChLnlN 
zrSkIF2jc!JzrX(N?{%rW9czzQnqFB66~|VY?lY4C)syU5%DoM^EGD6;zcK8)4MPxK z|MU5L@K7Z1VZDFEh2or?V{rV--6Xtc&lbeXy}Zr6_=il4$^XXe7FN~0h@<#q%bEk| zKFzR5#_f8dYZTUt07f9G%8MZWU?{hwS_ceS|3O3bcj%1!UU!!k7?b#%&H~T6`wY+Z zIp3`0XeE~i>FM5ajg%{T-jBijRDr|!%h1<>iXL_#dwqI*oR3n-EpUseBwfXxbX>7R z(s=K=)dc(>iTM1n<%HkIxP7y)aFkrbNUNZ{lEJw?$NQFOZ47-vLp&cT_|2IskYUIH z)>)z!6e=T+dfI4yYrV}`6vnT2%bIR5Cp9{8#R%xmWY;GSYXagn(5k_lPF!;*L0?ERakuV`IaOq>loxO} z5P|&go0xPrr`hZw>sxnX9EDm0TT6C-%vhY8u>7^;7FjQwp1XIB{OHEN&xW;tAI-e8 zCtPV5dpN@Fbc!ZrL16F9>;+0>^?wiCMoQAy!e0)oB-T5^4ukByUCI@pj>Nl^pzsk^ zcp zDwKk{NA5?V61N5oJH#j^YnKp@kXDdm&_;3~)z z4hSPu4An$Y+kupw1PniP(6`eaXQf|3?u(W`9Pb@$b(r(65i){mnAfS(S724Igw_=g zjH*{75Yud7O>`o$sYUR=zjCwYL*(bB>O0+>fVSyW`+2hW4_Sd$n{pD(S_f%t7WG{M z2H($Cj?;#$O~y`(mUV&_VP#G}ntCdtEDWX^J{t+TIC$M`V^x4r*|^Z_mt!Rq;#4~t zx{MCgm%n=Ym~S#`4z5?uU5RH-uP*3_&hp2XdI@zz`TM@Pv%iXf-oQO6CP)rfbJJ{n zwHGozHo8g0z)_Wx(P|#&Z?qNBI(PHrNidiFQAu?ml6>gSE$A!6yrgX{VZj?ewrMI) zkXFOxO_*iy8tpDnwCin4N(LaNTI}|d{tr;*>o;8^1Ex_Ja>S+VEbRo=H?eP_|j{Ij!|#?8E#EiGer*@B!PM5Ng^ z{f8qlQL}xMZ-x)_GR4*bp&J4dTtGEqQB;es+eo<3Nq0bJ2|PZQADAIv2WPvDR>w4r zZ4K^U(`B}B+vtTA4-a=I_G>WGklOW5UC!8fC(>O!0a4?lI*^pv$ z$=}icv@jE$0U1XWbKhKf_2Q!9wZ7%Oa*{Yf7Ts8uUK!sO$F5{eM@)&F$i9(CHPX_p zwo6k&{iMaFa%`K&D{~*X9pXcm?85~fw0H9en`*v@mnEmSlzrsZjx2W<9#>5IcQHj* z(uUg>)+d;zqtsS#Ei4Z2-hySGBvgkm#W{Jhi~E$Ns)7rfV~<7Rmp-C1Dur?7J;fZt zR_qH?lolPNtxRn@{D@3;EGu+r+=d6Qn_tJ5nMsMXih&&?(ywj>rYyk>BoV3|IPN#< zr$;Mo*EMJUJ8|I|Q$3hoc%-E#y5TN;31!a)CNG@we{IY^1|0Ew;x1NN=cdd~smhtK z+9oe3x_XD+OSY?Xz~GQS;=KJ89HzGqkXe!-9%Gw0^;HT+cqE zPFptYyab9QB4{{IFqdzpW>_h$+S|qPahDMsVi=|P#rD#*nEZ9Z`NLjFjtx=Q(xui8 zAx*zpZDGM4)B@+P0^tmawhvt$BC64r17tGtDUq=r>WAZgdLzW4gHeN}q3*dMivzY% zTt#M`EGJL2kn}`C?DmMbYJ+UVuaxJSZj?j;eG~~J_Q7Po2kc6;sId7xNHce;J3NDY2xdg`rjO)#^>QcOqAx+H9YJEb1j%g$8$T#6RF*o7pjn z99C<3!1ycKkShe86ma$WDn1S+f$E@7i=#t+@XTU);^u!3HOkYXTt-aS zHYRen#w}4MiffV`Hp{jHr@4N{tSf%Yz$I#eivLbE#xn3wt*R5h8Q~_Qa74ACX>mY! 
z_@&o5r$pw80I_=h$;?k2G)LJzH1M9<&QGfe-(Q5lgM8B~SUgvLN;EtrTG1SrOh~N6 zboLhp)xG?&31ko%-?uhqGT6O#uG5w=Rr~3Jjm~iZ6;~qDxhgBVbbVsb9irG6bb3jZWGhC$i_1gZoS#F~0XcGmfno%%d@5 zyXh50Uou5U-yy_1{3!@5ZzZFp7Qq0rm~xEuc0>3}vO+&b&V>{(i#Ai>Om$b?8hYer z8+sQoSd>(SkG2$G(wrMH*Bk}XzI44=RggoZ49y-8Nd(herMuYBm#&iV2WgpicVBqF zi{}p6fZ|F!esFhZxR$(LwfV(}790#d!NgCDYT4bwUGAjvG&_KmXlAaBrS9E;<7q9# zL{vjTG#ir-&a*Vsa%Wm1*cur}WEp2pQ^)pqmI93@z&KZvz|V3%@2W0#=9_Rr*CZ~* zWyTE6-i4~#Ho_Oz#tS{oZ@rr~Z(1E|awer6_h9zhxWJ=erf1@dT@`@5Zh6nf`tJJL z9xh}3wkXEr9%fWMlcPhozHTY7iteVGi<1ofggf>22_mi=7LkDAkeCxkU(=p~Ttf}1 z7@wlEJyM7wDMd~?_F2y1MM036Uz9wp>-3t~VU&}UfaVcIr+b!rWr>UySV78HFSN?Z z3#{#;-B+X?E8aB^WLpwg?-U2F;*SiT6MDL5)9RHQk5EI};qDj#Lj(s^rZisjXB*im zWjOuMa^U?#GFQv1S>f>t@V>Wok(x9KouT=={3hQS8mdgS2z&FPrs#WIgjxesG3jB{ zUKghaRwekY%xrwZ5Ychu3e?18r2CeYUWbv30@ljVciP?>cM4eNM5##dY(<0S zbl>=}>{g@N*K};K>_Ao@jON6sr<1(~Jd?OhZ#y9?i)@}ndkF+IKCE&yDES!V z8X!o9IUjaSAE@d=s9P+=P)7CE2lvJ+0xKD(Vyh;-R!;CAxlD5pK-?m8e62Ow(!o5MX*3X?>C`)i3-7LwN9d{%9U9$9nKbvj)Sn zmkn=Ry@{y`4X7`wsC{`O(Q}uiun$GVsfl{{SJ1yjFMwAEgp=d34~k7SQ^1~qjz$?# z4L=(Q_;M@7iKc`}N4a7rLicx~ywFdfL<4%pv9)n6WLG(aQ3F<9l$vw-mt zlBH5Q0hmAS3Qj4eZmWd@2<`u9Hy`(8R=NdFg`VmSFNvMq41VnLAYFQ)j+_S5?>xwN z*Au>~lhLX=I$wMU_*cf9Snt`TJLC5f;X^oqzh+|npt)6RGi+YB-_6cyzv}mlKgY=9pN4L)=K|(ZaEW(@ELzvsr76Al(ag=f8VdCNAwgSUDy%Ax+NS z7H6aqr>TL_rL~CPgpb@3H-G-0b3UE~Rmq;TIpU3vAP$wOUkPE=3q&Nl6J;xZ z3nNYpaS6%-TXhJ=Yno_x<2 zs{7V7S(Z%{b@w^dJaHsi2}9|bdn2NxG=7y#%AU3~LZ}yW@R2;EEv{`z_zIT#Ip4RgivufHGu%nMRVEUi4OW^|BH52xwphWNmaQ&D$diO zL(Z$H=J=PuC&C-PNv1cxXemN5u7ZksAg+QSUh)};lAE*-=s&m*`jwG8cw7{IFnLak zL3nRR)G<({o8I;V#F3uW{7RLyKwvZbo_rd91u-e4tB~yt4Jbcq;f`8w)17c z&I{Te#5JFxuSnZ9rpK2--~GOSi~uFokd8WmSnxtod&~W#01ano>$HFpIU+j2?StV^ z^udftrgR}*GNO8mg;fdb4&;wy()F)jqD!&Z`L#yyOacP=ZRjI_$WMzDwBy?;v#RCB z`Px^ACChCk3psQATg8y#A>b1C6OREw8sEJZYOVLIcW1hH*E;CQb=>$`CUaR@$vtkn zP~x5Y@j?@Q_NwWxik1Lgk?b>FJ9>zHIjhxP9DCdpc9NOms z9;E`DAxpNqu?9xi;8qgOYMhDWk2x_yKI@^EM>rvv%)CGj^cZHQL_vQin 
zZuD;!edrpHd$QQiIAP4@w^{$cZMVI_fByd1TOQGW?P~vV^?Ou#<7{CmtAhw;GGnr>N4{FTjx;-%K3f2&HAbn|TOGS$ex8^b5h zyBEwWqz8s}+ltV=N-o(B+E}|Ks@`=q31pR)g|S(&xaZ~5(ci}t-GhY#VX-5&Ab<4m z=Z+ZiX7Au}{q1FNxj?6p&7oF6QZDW9|HNOx{KH=X{U`qFKOg>AApYOuuM7+7%JtqJ4&i`gXM|#sqhple-JX#$Wc8${z$J4qR zW}Twnib?KPQY^)qHEB9E4TrS4HpodH;lylT=jSge`6Qmf-9q?8w}}(5CDdKjK?ERR zRMPMX1)aW!!)rJA_&%pV|31V2txe$jJX_-||Igp2-8+Gw?@Nup&(d$FRY$vjAKlO5 z{XNb8d>p5KFEbdd8~lA}`R0h$*!{l#>-QY{od5UZxyruR2Xszg7h>hq{tx7n{}^I5 zB}`5iXHZ+bH&)T^H_KnV_wRh6$0FzXUJKVg8wWOsx>%O!c`ywZsA*-8+MQQMkLHyS|@@VivJGp@{{0 z;B&&=Ts&CfD|WL$&L~ii0aAhx%1!VX$?IL`Z`0xZE?f{zmmHJBZzt2s&lV4E%(z?f zwdQ7b?5N#5yKXD-3^Y zjf6X$D`g*WIf%aD=W%S!$+ryiU~6f4Ej4D4#Ky7&=I9>JsrnGnnTGd^bmgGZ8ql!C zA!QB!=)&`|qs_~I-pyC7E{{g- zDHb>Hr#+r7r{6}8!M-8iw-Y069#s~d@MuEVmkU^|HKZk>87JV$peV%zr7nd1WK(R^ zcC@PERYpH4iDm&Zj&@??4D*};2%`QmV?J2Bga{BMflcer*LBhR-b25FSiW4HT-osD zAleS643rX}zwz)x{(`$|F~$0xdPtu0&43a#VDU+7TLQXFSpDmWxw&a2M{B67q8`ow z$3m;u@XQk+=ArYe{-)@W6zlxhxU;ms{nQoTkdhXz$#qz>#6*F4n-t;vzOkl2Pw_Jy z1O$hBN~CB9fhCcEK=w&jZz+oBJ<62erd8qY@jB7@%h8~Kl%O7uk6oB~mu6aMp#X_+ zH9)p{-X!itZW*|7hCE&gZD$Vt;zbhF2hS6`*FN!iox9@*U*75=EaXw=&kARXUETUK zq8)Unk5A=*&)=NO&5S&0FM+{&a3Z@pJlPpD^)X;Pp|Da%*78)rxR!Wl@PHzcjaSAs zL3=XK<#%H=;+e6xwM0ks1TkcjM@>t$oTQ_Ahd@?XOi7jGkoAxH{f(&Yvr(*( zRNH0bQg9UGayc%od7SgOW}|kP96mksI(G|7NbFb#(jQGH?ig{FHaQm6l2@9tVsr5+ z_RR*#c`mFGB=5bsKMe{pC*q5%rBA1Dz=lXb!;1MIqb%DtOs|10FuA#h13G5|-z%?s zv^(4Vg3{ou&RO}2K9iIn@+gd1+O5g`Q#&oD5Z_h&T`@vl2hlbXH6sJFyx8!$+-{?ccFl{sX%4`u1yGAgAq=`Q-8Ux#P!TS!~nv_+c#e3^L%T0r? zKL~Ma%<1cVl49=M6e+CaP+(CD)F6q=L-+Jvk^Tp-HN{K+}P_C6ub{yVW#eXifLb0g))sbr7Dr*90Y$`x1Mfp6W=E%KAnrqKpzVh%U?yF)m1~9 zW8PvQ^uFuhKOHL0qDVsp)0)x2nN|mbJ2FaYfh!0BN?Zc2Oy%8tCyBcdmOx=feVZZL z@ZA&i4-7{09;w1K#{WuZCahmlf2u}{u4~0bM6D`3t7%^=4;m7hEIFdfceo`Yn#DvO z#j{BnBxF6U8J+f@H4*rza_5N+v3&IG6t|mT6wyREq=9SWmQ{mg;eqB6a9LyfOEx8o zW%!hjYK>IaU-D2y(RIKpGimDU=mV)s$_9QIALOXoYalorea^ zD08oKe~XXb$qN(A0ncQu8)k9QN7`Gri#erd4WW+k9!7Ug0u@)7*>!R)RlrKFx+WB3 zcFTC(1_5pPJB3s#I~zE-+>DfRVm{EfTu#z1mXb~K>gKLZ&Z=qM!Sqh?%LQv! 
zb2M6 zL@3gQlr9UDfwdF`#Z4~f0;-@Hvh0P$z$f#vfZB2gz^cH9`-PN=f@w6cXmgxTgPnn> zeB*XeUpjYEevmBc79|^I#Cp+OW0)LD7uWc%PK0`6q0 z0v`PxB0W^3Zsi@eZ;)>w=6lKzE~GGsv6_ZYymzBWbHhBrSV*^c_WU1rUbkVo?A|ty zxThX|9u7vDk>s{2mA$IPkR}2j4r0#1@AigDovdOK0Kx z3E(7PVAAHh4dR1iEMaX0#ldwciZzb;Zk^+fxpG*LsROF8FTT)oY74NEQqazpq8F*8 zx#EehmD=A>_ec$?1YC(n*RP7d+nzQb8SM27y5P`fi@k0nWHSg1k)*vUP#iHR@0)6- zi@)mGQD~G+JS;oXJdSD7cex6NfXd52saWo4ajkW{=;eDuUKj&fb&XFWMN-0UIpz8y zF0>derT5JX(<+t4OH%U9qePN~@6$wUOVTDy!l#$w!dfAQWvWX02M^3zs+o%C>2qjv z#a!PlD~ikFuB}S5={t?99k=YfM#p>`Aw}^7R|?_D=)5gEG=oV zUT?#cM7(yec(QM;Y6w<$haxt4% zQ6U>|3o}IKa#Pr|wfn)0f8ZC|J|p+9xA&&Mrp|)Z$|$?bS;VEx7IfFyj|cG*)`*wt z<#`0J@|WyXV{CCvyl*AP-Hw6OXkQB?6eJuZQs5F5@QTynGYmvxliOUzU1lhwY+{ZA z-1d{lF9<&@7{Ze@l2cL22O=b6LDR^jMPtcQaD%G&xn3XBVXageS0*lpcPQl`?mIV6 zcEssc#dxOK^>FPtKexUOM&V1PDZHy=MdR#qs&^WAr9~{;a)a~I zAZ>Dhw?neog=Ui6Dz8P3tgZ!quO~TDbd2Y^N|$}Tpj^veSpw=0d0Qh3RPA2leZLbP z&bG&rO(4TH;LkQk*Yr-k8LI-9 zVo5M92Y)O#=AU;OI|)tWO*NAIW1DE^K{SQ#bOf*AQ~y&%S3WTXU`5O?SXPV`-%?+L zcsuNU1eKYvuo%*cgTaN&->*UUUqzw&6Ng@RjYvccUAJXl?gu00xZV9{uwR=N=dR!g zAx)nS*--yHi;?KmPu#o0-HLz=wXrx!ukmJo({c|-xnSPo<(lBxFT)* zk`~=Wh}NE^une+NtD4eOX9^P>M&2@B_R?cGL6A+nYrr?gd~A~p=VZd*&q86Nd%gL+ zNpcEZ**p6T-xFFbY)#Jm9fE(I*R;ZElT|OqE%m9#SV_8ED0wHt<)@KBzQ#H-hQ}R} z*Eq-rlepW-Mj|hqg7t%Y4z;p9$UbJ#^5TJ!_Lf>ju!Az8+Y0^w1Orj)VD^_@U(imgw46=Bbt{qT}x z^puoCff!^xcu^pObB_!81Zi53Rd~dp0j2}L$wGGt3pM7I)YQ!Cv#DEm{T_QRIO5F@ zNnhhq=6LL2ZjCB9vlhCP1_B7N?>o|&Z%vWF(=dzhJP`$u)MrYe?B3f0;J?D1ryc@k zYaa9ta@+-XxFeNG0-_|eQ6 zidiQ?u(+lXrCiYHNMT6ZXvpc?l=Mhi+AnLh9$HUB5?r3a^y0q3e{9ohx?~sX#5;>A?YlW z-r}~OF2aRVk9JL6vfL5R-kzOi-~vlV3=@z8g6Mv$>Li#no3a+Jz)Bnz`On+5B%Xat zix)3j>~RxK(buKN;eE1k83#w|b?RriHEKjHol{Eljo=|ZZ_-p$m3a0c{nUfes1dN8 zmEmO2R$Ml7aroKm(s#!v+f>=;cUlk6>;%B;-;!e_1=GEj{k|y$$N)i3>J_MhKPrD2 z+0vqwfv?WVuO-i#%UlneTg&*z)SLk8z*>M;UF+5wSvgK0M;|u2_8nWaCLlz!r?z_o zW8m(ubMCz_#Pe+?`D^pvLilJQ(xKh^615UzarMt?EOG=hK54|I(k-i509O|Rr_CSI zIEeiND@NHH_EuLA;y(0(^vW5}`Rmc*(*f^c+Hh2;=1aB=(Z3RZ6GZ_qt2lmy~uO(E@SjU@b-Z4a?Tu$CfV=!TK>AW>sn=w 
zM>{grNqG39v+P8E_Rf?4z78+Z)I{p6jQs+uNGpLi&0ry8;#?}^)auq6-KBd>h8FykICZ{ zE!cJeYc6pEdi!qQODkA+jEb7k&=>#I$F+$am+O89?ib?mHpnc7jD{zeTP~=qwd1Qg zv)rtrR!{G}Use4CZ!uG4zO|AN3=q#Nj$~DLKZcu)>$Bao0)ka9`lC8-=rJ5D(=_Xw zXT99_CxL$wed%DQ^*s}*3v3SS@td6HyXhk!Mgz^>qr>CgUOK8Po7ZFD3B(=bq@zpP zSs&@UP#=q+DpRw(Sk=BDZpd_`@pMC32dqww8l5lAlsVT2tu%aY>j1{!(#Sszi0BCYf{;Q{2E@EfF2I$9R# z$Xj5_eTH^DDT^4zT~<%~$M1HKx4$!>~>23=U8jxU|x zUTZK@L#<{}(;K4jghU2bn5Ee0j(7z9_&GyNDxaEH@WqhM8c0dZx37Q54V|SY#j{TY zh(8R1-U|fNWVTZT7w%N;A5FY31&eSgg%xlJG;d6lN=6(Rp{OEEO6@ole{+dLTygm! zeh-kp9aiPg7geUw$EPw#wm@%A#$YW~a4hW~UQ}$0mtZ92Karxr5@gMM}gRJ5^y>9>y0X2bGm1tf{G>CeP{xK zYVs^7N}4p<294(Vobc+4za=AacDJl3OOYlV@?JDOdz9 zsXRVEV2>DtqC(sqt%)X{yf1;bEj5}B9{*DWjdr@<>D>;-e5l|nLmgeafO2Lg<{zw6 zM>MR*ar=E$PmsW^C!own%KB29{aKsXQ3&b4=YUsr6L}jYZ7$Aw*XMfA(@o0j0Aylh9$0oPMM-ahk8 zGi82%Q{E?Z`f<%3kfzrqG;f1@rn`(X+C8FnQBBPMq*xh};Uh;&geYzpL*NMnx>*KY zZf5^Uiy8HflQ6$8ARIw1(TY%sbYjDlkR>RI}TzG7?~HODO*t#xIgjHW^L zsw)w(zyG2|-^_u;0~Vb770iK$!JjP8#EDLM8FBCO%f$WNmflH8#J>%|p z<{|kApSZ`-YicHOvMsRw`W>eL&F~gP?~|~akqbcni%mQ_Y6D{;ez%XYtHWDT8qq@b zc_uo_8MX&Ce(16G%R?~b-H24F$;yw3o0`Ruc1TdLUQ9?I;w9;nIcL~{T!0EIp#o%# z7o3u>n_XT~7#F6|5_3i#xZ?1T#no<*(doA!IsSPip;prFN|#E;#@3<=`Uc5aQJ34D z2Y7J}!>Us0_mS-lo1v&T1BbtqsJ2kBp!qyTPmGv-(0s(DeD;XE)o0aZ`&8)dtREY zy3nCG6G`_7f_Iu-HQt@gP;+UbhQkqfp4ry3pIXjgwhYWI^n_Y%_uy!W)}&jNCk1=p zz%@s>D~~4k)&&-wPEp4z=5a)<-QCoVs){Y0j_GU{?cj$ZP83TLn%-Fsm)PF$6|t_^Saz-hv_jT%j5b#^c;IcWDPtNE$4OY(N`wv?~9Vu4R?|A_6Yi1Wkd8i|b??7vKN9^wzdH zl1e$800Mim!$C2kH@!O`3%vs>AzG`*E(V?UUw~50G(I;P+0yiud1A!_F&3H2NtH#E z)n4FUAh-W?oW7%jZf)}GiTg3JWR_$QQ&rXT5p1g`O~pj~^TUgYQ7u5=tZur$+A!cH zEw!qz6qE@Vp=;+&d{!Zu3&t&&r43*o?J!%L{T28v8OSF-4(NH@SHOP4ep))vTZXz* z1m@fTW8ukwbrY%M5UOHok4JB}Y~bp~wKv2mHud0ezU4j#RX5p?@kK)1fEmgkI0l3Q ztgFdl9~RTvb`yWJO9s<6Okz1*TwYGRH;cV(%yR_!j$uLpT;r3Ju70~a~+W9B^%l6kcUzxj>&(m6Ta4B-$YiAO*^ucb0Ct{p){f#kkY!_ zzsffeqgi{LGE_A=-EiiZT334-5uA-EOu)C{XzOBCPtMHB!=`-hX@>fCBNlT}yBn;^ zcTfA;2@ock2OX^Gz4aIM6M^SP)8T#|a$+Qt*Yf*8p-!r>u}eC}{WbA$S7z4n=D3KI 
z?8ql}u@28x2sy~fB_yPhDK5g5OoV40V|=j8 z%I!@I%%n>{OB@nmWR%!lzbL&28<$hNI~gIO=GeO%yoGk&;_q@wV7-yT!~oN~!`JLq z40e-j3us?DIDU9X^}0Kq#7l~I!%{(u&7PGi`X7{?Ly#s+)Mm@JZL`a^ZQHipd|kaQ94Eq+4w*HaNFnE- zvs~bMGPrlh)mG8oX&JSaIIf`GDK=CV zq3ch@u;EN{w4GU1M~K9YBfeQ%2|UDxjK&u575xPl>SG|QFIIL|){J@QmOM#=0!H1U z&+?f(BcaOHZwFCn>{@8|G_^4QjUc{9S3b5i&-RZgo2$0(a%kZA`e>#jnqgs~Y0FV8 zZtjJ@2yaHhV@cX&MXE(cjCrk>1N~WzvYIADIjIPa-@|DcgP@c}bN{*;6;8e>L@K`O zwn!eDoKItL`G1;INK>uRjSAIX=$lp3G1+T39@7tT(-C`Ptsienu(LntOjt!&vH_f@ zE=n^^4UoBr_ZhMEv{!s?CTv)sSBum5DT&KiQtO?>-907SEoAoV_3?0^8%lw(dkym7 zp)FXRRfj2R+4Kx@YEB<3qYM(?NC10}pj*vcy&V7c#dR|)elGzY$E>yLe8Fu|D6J}R zP~N#g`>9AUrqQ7XLpKu|9(@qaQ6O6s zyNTimOdNbXzdI#l>#Pu_J~^eeR$)nFdA#{RX1uHz_e_i zz;w=@;0Oaj_noiDDI2rK?R=yluo(yex_zYA&O@A$4 z8UeJVo#2|Ya(~1kQLzOXZ8yyZ$KVwG{!4#1*Gf9*S+sT#Tt6i;77!Vt0nUMd{wIgK z^;1FbFg~ZVzb9xt4#+pJ#XMLps#M=t{kg-oep?!x;5Khs#kh43IEyHJs>d~u7iY0` z@LJ1m*G}a>Tl=?yaTkFTh}AO>fjjX;cSJ#xeQuWX7v|FotuD4H0D=I7XX1;s9ckK3}&zqv)OV52(ed-wg>G%K#iH6v6kkB1YaS40J~ zMy#j@yH`~xo|mGmA}K#35Ac{Y&MS_2rSK=GC@>zXnNpJ4m+7=0_q&}PJ8N>o+fAVB z$T-+S@$cH@JD_MRdL54w(LcJjJK8X>#CRmX%(lwJxD1FZlWyT7e~M12sX&(cUw7$} zxaue`rnXa&2d4+6k>rT?TOX4X@x6K85*3~b(VPC*iqhd&<^14ldy~adO zMVi65&SWH=|0JltHqSC$d$xwqX(@b(UVDK#dHH@nK9&<W1tQ-6&+ zCqm~==gJP1;dqddk|wS35!#a!5zMJz1PL_ihtqxQFWI^;u>k#T`}-4)=-;X*_?>CV za)!_TmJM$%qF0c#m>*Y^rT_51zw(wBdW8UM4Ff7`Svrc8N5(29uv zLsI`p-e*AO@o(YdzK@)8BwzB&m-@dXq5N0>J8(lqvWOlyIB8Fy@HkOu#=W})st2$- zA*VMew095#5Rhz=?vb^zTLj4PSn&k!PvtpIfcl^v(q|Nq7h15?nOzDG{>~2R(}J?0 ztY}`%@z<>Wg4u>Sn0zpqcSe}M;;d0+cOFUg#k!?Clh7k1$KBy_YH(m;aDOT%?!yaQ zvW&sn#92D>8^~z^&)mV5@oa=WU|A(35TZjXMCXYfAASS2LIS5^x$%#S^Y2U4s-U*K z;$-=a)t1eTF)L2)?u_{3&~M0}Ct#WYx#0JZRkrgxw(I(0*L5h8Q5ur}q9tYA1loDF zX^jWKJl3T@Z9$-wj#G$@x~My~Nnjq_V9*#AN{01#iJ9jfLZ)0HI)^AT*qPIi z71~ZJU9%DiVbr1Ur+vf>ZokCxvB|DptYpG+t5O@a21rle+CiG26ZD2%)bl13Lj|`0 z{8lHqbSO4cGtEgkbBN_Cy;es3PG(=_F8f~cjA}KNl*%#^b43tkOG57eDTRMsnPXHo zF!_o{l-mwUH%Cxv#WUl;-J$uk{Zg}xzN%y1chf>FPN3fMFX}7uq*4iF%{*_kwBDqy 
zvAE+bJ<@#DEyisZa*;Q;@{e_+H5Bccw}57O3eap)?dqI@j~!TOAadx#>9UM$1gB8n ze|zL*jI!<|{82FmvsEYp5%{>fd#PT-ttFB9b~Ip~n@VzS8?cWginjH8Msn{4(#OX|$7wN{hW9H) zd^eAkgvTr^g(s_Hl}>LO?(3ZljYz{}t|I0xW#M=`U*qdMjW} zJv@efrarj&%?LIiI&n|5g-b&u(z(sf6A5T@76d+_AFy(G$AnZ8?_Sv?;F6Oc-)_JZ zb{&a>xqE@q#X`A|6{LLSM^n$KnNTtF3)O}>>K3e4D(QqLRao4W`qBB@2@eRC=0JPw6E_A32vk+!DRX&_+k!!jG!=*;q^A08@v|s|8jJ9iCOcAA)OyveIPXzg>3G!$f(a#c;R;#!1JV=IcuC#!UH7shL zz+BIYcxq^fchQ&;>d>n~)3_cu2jgm_vA`kJrSD{K^TeIKO@rh?E=C^g{m;>zoU^{K zSc(Pk#v_{M1F>Gijue~5IgpU@I+Cor%eTptc~j~}of zJ4Y$7HDmyTiFllhsUJ3eeuxui4Eo^SDDi{UiTc(nQ5!aw&=&F7DB-mL>QIoBc3WPk zukYs*<@e8lQseNk@iB3J`hD4qf7#ZMSK0_~`n1lRVc>mKB;<)RG-)`V&aetjJ%0j? zG9z#{X|GHSe1Wg*rKO6AS_UQ6aW~qaPYQweyeaF5BqawpylQs){10b0dX{K)% zIISbn?FyZ}Nyc*%9MZs@`zBne`}Rsj-8u6LbRyWwec=5hjao;5-RA7-tYl95GPZ%C zVM;W)-!9ls;>8(V?y`ZOJZQhFxs%(*q`QOJ{#azH*5xO7QC7rjDA`FP$2c$>4r8TI zd=4x^BQr2L4I}o$3l6xtQd{#b$6OM^SW@ymk#Hg*;zyEFMO1TV6Uh72=y(UUHI+C)l&Tu>7DN1PUK0&T!|}|)>$ioPWD z#q&eo_Iqi<9k$h~YE*8C2sEQdm$0BU$QE9>z;mii0WxmBm^r)~Zt7IuR!DJIJhL!V zG|vVwZmR4XSNJ-D5@io>aYaPMN*?Vhs!7oBf$|ItZe2k$bkPBL$ce&1x~%ZAyaoi4 zgs?#}i`MMWN1*ZbnH3@fwFKB$UmSAz{72|z@*@mgUv>0Ri44##9 z{Qlmg3DvsaPVocXW&jIZ>1a}&@v)qR`vyXTcR4_OIo{^x86r*@683GwUu%pSG8*5- zWxM0T3QO7t5pxx9$DF2eN2Qc}*ikC9#(bXtTRP-g^LIfTN*U#oK}@P3nT=bOc^&UD zF9*LCRSOcRnK%AGqF6qs3^;un2XoqVfKKfqy=8yE6_JDkr~Yl;Gs&Sa3aTb`jVpli z!nChjOOjQY_*0N{TLjt zI$YvIlOuPQl29*0Qk5y#h-X=raZ1y#+M4}^J4?-gCU`_OFGBmzhBwwb@N zHRM({3PPZp`D@<)7eR9$1NToD4VH?AGzFcc{+2!}Kv?Xv5%^3Kw9GZ3dI4{^lg>s3 z;oK6gVzzK{{OsZTOgXsfucn?#dE9GJ?&_O?T+&y;A0C(~%)&{fkS%EK?R+Z#J6g<1 zQ>s0GojE6&n|62I4j2Z?e7kB((7mR_4dQF+_y!bOGhhakbvRpn^Je=yo^5`oY)`lH zPEWK&8>Jc%FWkJnJdIuFDtT@Um1w!>15ScLIyb{ozw);_=fO|t7 zrXBk}6RSQ;R7xnlZ4SZl95SH^?TWQL#}ClLi=H;`0PpYp>E-KUJh%32`9<}w^5UdR zDZuH=M?sLE5l2c?e$ zEIcjvX_Lxi1;}b8!_JNjqI$9)ta#2bKTY?fXtQ&^D)xs?qX*)6(LKm;SIKXIwWgg% zs6ByKM+7d5!y|E+wE`cMtC&c+O6-L0a5h((r3r&>MSW~CTc#@PMVgauB4%HYoI7iH zH?_G0qcFUwnreJJvQ{UYfzUFXwlw6kFiH}EV=c=1Mv_$|rm;OU6gP*gF#7}u0-CC| 
zry9szH3&P$;`gDi@Cpin64W;!^MQWqvByNuZYcHVxSbK5GPczuoY?) z5_7PGjIuWtiJ9l;6VIu;sarKPJ5V+K)u2%Ls38_gZQNK;ofJ?GCTPpfDjs@@FXU8| zRN6!YFbp>LZ2Bp1d3Z-c;|$uIP=dtsO_Yo|YXvwtBV@OTApMz6-=(JAWzQzOE z-N}igowaQY$AkK6cu4nu*{l1{zD_9a(nRAG=yPaON?MtHTUp$%+HeOh*x zRh?6cTToKidIxpiz9mHyxY`dx=KfI}z@aHx3Gji#Kh?ywaA?PMeS4~@;Vi*4)+0?_ znvO;FXx=#{aq7J1Ie)vtNsYig6xFIK^QQ0URJd`U5j_xzHg> z^>g8NSz4en>|M&s7K`wE;Ca~%%I%?komc5L*Lh1h6)n2-U&%GBC?VBJY^Y!A^DwU(Ed>l3+= z0%SJnwa?sYh#z8ddWTASWwx`f-jawLa`wKIO^GWFOK~Af@nYkR@Ts&9k!wv;3R3J$ zvbj%XS$Ko)xgt~ebU6R@MO!xTuKw!zqG5N%M{=@W@56*UP3>e&4@0%lnfeO4o}b>v ztKz!ng@(S$_5|L4HYPh51yxIs83Nes%FmWRXR_N&n~q|Cl5{Y|EPmXuu42w7J}N3F zIeh%*N*4)W{p{SUhFxnLMlR1`2etQ~C%81g;qqPFMmLzwG}sHglf`6f8z#=rWhQ&V zFI=fgn_$dYOh(hEQ$aALEUZVhht3k$>oJl(8qPFpqk0&Mxa}?(XmpmpE23CTX1L9j zG5QVBlt-}UX`a45DeI$>;ZeD+-&+QX#X9JL_Up@(Arn@C+&G}W$lyRXQCv5 zmqE)BK)dA&^4uKG7<_=G%iS?S2|zmR)$j@X&9iRs9;E)s>GC@s$^8pw1XuiXGY4p{ zFJNAEG@`dLPJapzCvZ@!umEmua#?MX62Q0foM-AiZ|XtDWlvo#O|0}NYJUYQ+7Pk}v6EnSsnj}J4Gcm5R&IU7&DJmM8cP<3f} z;6=<#LQ1F2;&bY>ZVkWB^CVbvZX{t`n1{RikM|9h`zj3(91#=iA#_>fcY z!PepdJ{oKqU-I$gCQl+Ts<@g&*%Q3yS!pj)go?2dK?@Lk$7%8I`=J z8UyM@dGZV{K)*5bx-k-ySwb5I5d$`{4Pfso>Hw}Gn%aGwPfY*&5mG3srxaW zpISmb8S$a2rOMdH5CwcbV7%;#@yNwUH+AWo65wDCM>#xzL(RUjNL76djh$d}Jw)NXi^W25 zHH;&Zy;B6u7mP_JMbrP)3hMC@B(bnW84EK`x;5Xk8p^=N{4O* z<}s|zVl9Fbh9FJ!>(yewzO|ato+2yv)miLa@GXfxVTDq4mV!u>@5))`KY61scGqj1 zm<5q#I@!8qN~8U_>JE7yd_*=po0?(CExX!Crmzjf)av`8NUqx=m)!yZr}KGv#qA1P z8yM(-{Y6d0t2L)#9NJaE0^*pmvJIDv;{x*qL16{uv^2kA3v$^{;sWs?HkHZ>`Eyx$ z7h4ZT9NyV=kNT0>9cA%J%0(}#IfgiPhB}4KaP*rXPAt+U7*a`f*ZT|gknKJ1A4FCX zQrNMND%{kQyabet2>s^d93)slB`^ZhpXk`mJ9yw+5uYKtSdwu>=Gm)(6fxjPzVlYd z^GoILX?ZOUZK@hsqHxxq%ZRK>AFYlDoqG0z%JDGdb(?!LCxJ_OpYe@pO5hZnWtsCo?LX6nLf2bu9Zj? zau1@06^Eo#iWzJY|Dw>z_kN4rT9}M4C6z^?F?!&lQ~$q_Us*6DZG? 
zD=uo+yMu6EB4i6@pN>k9q`t)qF=&WDnqh+>*qN4VdG@Medtc~tSVFF5At{aOyxDub`pL*BFkh>AP;uGUdSda zTrVMcJ=U-QS?_6GzkY2`V_oe|&cxH|L2l%mGkIBWdyImwMqhuVVNslzLP)8sEo3~9 zPqBjLesjy+kmK4EWWH1$P~|-mKy%U|#QBQhBg5uK&Jj<)s?*LTtQO%UnZi8mm)+;u z53qeF#La(r?`xU71Dm2$kIoM@PM<2UdJx2TE`zp%)+>0}iEM#g>i+7Unq%CZ)7zR~ zk`;Ec+DLb3%drR&)`c8~k-h6IwgUobYGg^X#vIsX(92A9ouinOswAC6(yOS8&GM+2 zoF-G}7D{y5ADZx4y2sqK=}{b%l-}(bs&)6b#YN57TQ89bV-XgVeqhN(YliC8rT^lLLkBp^CPV&aY*4Ki?2`WwKGIE4ZJcWrkCubQMabPa&Em zeKIJaf(25sWn_atL*g;*8n_NCdp;&M$gsv&g!v`s)G)v%tZz)FEsEj}fA}OQIYKAF z&V~idXpE^DlUxH0v9SUoU`5azDCmU82bpG|P?__~AqA-^-o~4(1=-R>r#l_nwVYy2 zc`akgnA(TOF~7Vrh9V7lhl7sArA!N>WJ|Gq;?fAjYgN33UU7EkBjB*FVj6|T{O@>f(U&26^55PQ}g(hY#o&+4h?vG zST@nBv~XSbLGa76O;g!+W~Iy$ zKJyTJwOYN%4GR*G4nq3(DPVUuNdofMxBp%|Nm@}Ub65!=Fl|w(wiM>3+}P>?UW^ru zM$}>p$~KS9Q>L=AXdBgAOUC+cbOj6rlE7)-pGTh~P5&gCfDLX$im1T%*;`p-$p2t^E1DOIK>P`6N>DAUBi!+)Vg zi%!GI5(120X?%;2%nlhJ6R3?zC>0tpyrkwS&Ic1AGtT;V+=y{N$S=hfZKHe1gs9J7 z=_1%&P|Ok4ZBQPG3@kCTBU7f>3J#!kC8_--U-dyA(m$Q^l&Y&pTLsx+Lx3BSB{eI{ z>65X-q%jKADl7A~XgrN|vP3SKRHFIYRSgI2iSKQp$4{xdlhSO&+8ioqX>Tf*qx}Zi zZ7JQtHA>?w^+lt61L~BHD>BwM8zu}|k}%b3)!6$3AU`-Qe*Y^AR$IV_V!UFd3nB0n zB!>p*j9O)4>;rgvISKWCY2ye&`YFp$<=j3qdL>ED&SyY738SIjA?cdy#q&o+4OK|5 zfos?k*_rE#Bfk{JI`wvuaKQ!q{tW;jh}BU%awT_>l6)Xz9sA1uM4+OJd+|WEKs@v- zL=e9~lSo5CbbAWfu2Cl74)KHS?jqA>r`fl;+|w2VlRLBxfrKsan}%C6c)6NEL))&> zz~3f}qL36#!?x`rRN6W-LVkV|G-|zR!A+iDfmm)Gk(Scg4VgIErJnZ+j8F1H6IFEPNd!gFIk9}KH$|Um7-s{>$!{ylWPDs(8ebYw zBe$xjEC)$^hbHTuT~9}x51?V)48k+Pdiy-=4L421XxLL4$nm5@>;i@o7y+~hrqr0k` zCyxbaUv(tdE7UTq+f% zbLg#vJ}x(&(y>H`!@OG=^~RkGVTlJ1S>Be7xu0(d9Lr!Q|id`gwJ`nS{4SsG8u);^HDM}+C`!T_{GcNc8ign#lhYY z_mvnK%u{T3Q+DJ5=T)<5I?-u}kw@9_nB1ab#-wm2ADBf**u-r~aeVZLGxzIuN1~uA zLcs1n+*JEMeHx>!zr@L%(HN*z=RO ze1Ql9sRaWmOqcip!fam)*e|92+cGuwRXRFP|9T83NMZuI`{#TZ%2eeN%?yaIW@AmT z4lJxT-<(IL!kX;FZ5yet208x2QlwjTPq7o)Gw!(*q*fV8CtyIl_E%dL8ZF+ebL>wg zE9L>~8rvCW`2m4VEse(%{z&hb52)8-M5sCP)##ZBw_C>}6miw!hb=#$%b*^yqoKS4 z8429_=iT5X&q+Oy);YJ)>>243CLKT4p%Rps?gwnQ;R#fA#kbpr1`L>FxbjCsQXG3S 
zq7r+@w~MOe9e%m?0fV);##)2jz4TrlgzSAG-SpbC-Ni$3llPY1JUQ}%|9%UUJ;T7m z-qf20Je+Cu*NinkP%G@gr=*7H9k$*_r@1#{b&il1@b5WUytDAJ4~35xr^k~L_eA%I za%Rji@gCPhpI9@I1FxkIRvKdfn`zqhNT9IB#?6Z?M0LMM*>rwaMJgr5=ra^o(N0F47wP>6vxeL9WK{UaJvl2QL}l6Y+kHFr#*4BNF|mdcsI9pKjXg0dk6=Nad;INzOBX;eO*P zO6Ec;C* zKWHB~CIv*fFaZRN49+0onZv&OPD#SbSzx*6CPX{byW9isPZ3^ z-@lKA*yU}3=?4$wsPbM~WIixtDKy(>N4RFm-xG&iNJnq9QKQnV%c*voqffJ7hgNugH-TDHum(dWDA2hsydJ+()(#T=lXC|| zdQ^=|;byrhAd|tVa$9VV;yS^Me+I(U{gYOjf@BXYqu@Tsl#4nm?*7jZI-Q=tCK|zP zfvZ99+%cenhlo%{CO9m?_vdhp@S7S50?0M2+t){iW602!Kov|H)Fbj_Hpk zde$SiQZd-QbxqC(1>P1$4&yiLS_Ds)DSv9EXPtSZWnF}~y#H&64GLz1hJb&4*mLIL z7>e)d?4p$#w4%CeErYw&+XGKh_I9`=+pbZ$Bsp~wyS0W9N3)%f1xZ%_Yj;xZkw%Y) z*34c})r1PoKG4RxuLzorFy~dpON+17R(k67%rCX%HJOW8?%}Aqon>}TZ0>K^PT?d$ z&>lq+&k*bmJ6ei*Tvv4%YkQ8V^puGCa&R?E$a2)-6>9t~${;C|hbF1jHM-gLO5A0v zusaZ`xsu$B+DJxxR#L+$DU=Lo6qo?3b5lk-h@$hQ_> zb3is96a1KEEMqFE?$VW=L^-9w>CTykMynPwB-~P2zckB|#-K zXpQ~r!Vlq}!I2ryn<^7BWI_W2VG5@U;fbH#zZ%Zw_|&T~&(EZxLBk04LQIw12NJig z04Mx+(O4p=&t*gQ5Pl~kb)GJ{iPvTe%a%e4E0N*FW_m)>M&*hpwyZwc%44x(v9d>0 z^lYY8#(hWmO&n=HNqnPE0Qs~_Y^^Y~nu(MJ0_D%>ao^1=Qjui*91-~m;Up%Uw|>@g z0w6~0Q9ZJWeEqJUv)@1M17sk#6uI-1|ebxAW(8|*gxBXS*#iDaz7)t@@81=d}x!=iynhkI~1kh2?|VAauSgJ|GwqoNbVN{;&3&ta)$X*{#Y$mA$WHFH}uR6q)Zzb2()yf(eOAJLkHNc z$Fa04>71(MOlP|aAOGp9i-P{5Z+WCJGL%cq5l_U|;#vJ3_(tiaK8=UQN9ba{druGU z&!qO2UQBl1ukh@{1F!PTsb>T7 zZ-=0F07#tJ8JoJx4ojweC=3Z26;GvSJ!suw8ofC^{nZ5@d04;iG%!eHq+2jk?9Aho z#sr^w$5oaUf`XfT@bTf3X3J2*O5S##|A+;XwSxWj5r4#36Mp7@cN*h(+7+)U{VRlG zaNa1B)a5~1Ly!z8wfjLcd6 z$xiT=x5Pm9ZbAP6eXx&2ZVN?CM`|2e8A-xBHasKm9Ta2do~CsD37<5cJ!8xIgGOXi ztId^EASGvFX_`N|xBD)5+GHm6gXNvaRsqqQYxjKi=vMqx;Ka9>KcV;C-#ha);YIR? 
z=05_?rDuV_?Cjoz!8&XdCiPS3r!_r1jBDz9?P=?-dlw%e(r0dG?u5d__oJ%oi9J)h zgDiY`3q)uWAeV`6`l^_`joogSa_*&O3ucL)f1qaagiB|xu!gCZ{HN79(Rw`_7xrje zZT@T;$5ebV_di?=r54BdViI13a=6tcT1drFh-SAj;YD1k@fiaFBnR>HweB?4d~vSS z(9m{;PJ-pz@_^qMYK>{phBejU-mu>BQDk{bGPALW^i`>7JYTu6Emh6B)2R>~u%jZU z$K$u{2`Ind&_(@cFt~KL2V~Lvp>a=W{H<5?lz z$Tua=F!kbA<6rOZQSTqXWc0rm;$R3p%9h!pVKEq^(okmzT{0NZk2F11D6Tz;$MgeY z5k|W$NPtxGc$FGsL`Px;I@idjWD+R;ax%(TLtwE*#0d<}+A;-|o;RRyJ9%E-#jh&4 z;l;0_z6ny7*lM~QX@$TMyOK@CsEiH8NW;Cg)H1`yxLlq=MvdqeZ9>I|P7-!Hav1=T zFir{xqKo`j_fW3G3~01kn_C{j1ovV1@<}R_nn<5A5fLM7=eSmak+9K0X(qnbnvJK} zQ%|G>dAMcuXxnOe()B%?pG(rhr^mSe-G9-vYALivh(-s!oh?FmEALV3t_+gEO3Y{YM4Q zB^TL$3Oj+11zsYJ>6GPV>Iu8N=Pv;%ha}B=3 zU8P&bzt_fNR&?n&;yal6>Zx|@l&0-z4pxN*b7&?H97|X645sp$SpQzcNEfZ5{}sCr zHYU_R$81=q1NXYrGf}(kWQ|C?>>DK7&Sxmkc33;-I)keYqa4xe6A`PZ@!npPZ^4$} z)IOE~-uZy{*eFDz7Vyr6>uPV#XIn}A4M(s5Rf?WCer)({$ZVK;ZY0r|JjUV}-hDH0reO%?!J^-}{mVZc}v$4M&Y@yfAL%qMyU&A+a3Iv(rR@+7bKB$Xw1wj z$|^NUo)ck9TN#ztWM;2#s3^N7p^m$Zh*5$m%0z@vgmwyEjCU#kh#QJqdc3!lb^jpZ z{Bj0b0DfuMyyez8S>-;eu=n>%AU4MC&((RV%fl-Wi#QyxIF2GaX+A-hTMN!DktWKY zc);*5BPQ9sKnjVVDzrdH4@LZslc1(Hd*+M5r?vYJj#${-1H#9g2Rnx%ZzQ9u{_&8G zO`dE6Wkqe9*(}H~I>BXNd~$Dbmtma7TUf1ITvY)WFTu~^D;s~I?^b^DC9R=FFt%;O z|LMJ`R@KhTmGiZIAGR5zj|YhRW<=*Ttv0=Ci&SU~V>>}eBjh`07CBp~_;Wc@{qh9# z1>F+pOd&d_7~(Ce;I595>%=)7)T}W14Lrb79s%s-^EH1WuL2?m2^_!4S&Lrv0l8LB zoM9xQH4>N%;l1O{GE%2lQj`n_Ux>nesp32T$(g0tO7AtH@W3D(w4LN<>EdbfTHwTv z&Q3{!MQT&EHU1dqg?MYxRhm*klfXG|(FxpbT7sz>ezLq@?oxdi3?Bh<5s&mwYV})t zG9Z72GqL=7f>d7a{_a44#RoiZ27Fe3D*QfG8hpPnJ|&NRNAJExVeQktA{2Q!Hpe=B zD$rzaqLBU4`5kzXS(|^Iw0R^wE(5gM?qa_7W)OK91mp{;qT#yTr~PIKE!CyH)}+vv zps@e zY#$-AJFLnmmm*#CXF@TbomS00^<-ozd~!8nI^2{kjp{>dfNPZxpoz#MUg^WRqgM#= zr#VbtG}Vjc(H;hQe13GkLHnU!UhsF9cWrX*ESR)@SHLo+_)Js78@w(jfHQQrOiyN` zqqa{}zf7r1%^-nRlhK`&OML1fZ&^_>i>NjEKTAa) zD&7ksQ4ai+UncgIPJ~4;@vh%+l_oDHXd6YXU9)(s?H}Bf18DQ5)KcMBHF;NI%@vEW zVS)xG0utoB)4saekK%Ctk>4F==7o)n(2-qt`%bYe 
z+4^QCK=|aRy$;zS$RkOj+ff~3#Z>K5X?Qgb+u=%4?lgKp?7nQa(>%nSAl;Xv)m`|07IY(vxu^ZFSFSAD>Y3NVH?8au}(}$R9tEao(0j7n5e8Q$e9u zHrdS-gSmnjkImS&b8RKtNZw7zjWsIXPmI>yT*6iiIY6hU5i_Di#64ZQ_| zJPi#F4){DI?DYoy{rYD7o&Na_*zI|beF{2c9)YYGsl z((YWTSRPlqeaPy9HUFKuYP+4M@|J)&P2~6TaG7^##$9<8Z9&Gx)e;Tjib#$ABjA4c z%;WrXXy?G1^~2?7cV;-aW%dOac>&1&__AGp%i=VfSF6|v#>HqCE(gZNxK|tXr)ocj z_7vkqep^VT1RsN8-)7Y*y+Scbrry|LtH!`1S~&ItJ4#MsY{FF%KGj=xWb zPhR%l8L!>Sg|BKHxi5Tr%HySqU;-N$ghwx~!GGz6u*+M=Bq?UHz%-uJXre8uwFw!+ z(H|L|gRCVDLE<34(@Nw!^!uJIxdfOY{4h!FJWua^LCmG<)V2?{T{2c61TAyV5NVzh zRe_9V*S_L|rCp@`%k2pG7MWLlC*GS!*Q<|ly4xpa_V@q@Hy(;JDJHbd1GwHcE1p=Z z4(Aq?OEFe97s1L^-Ydo@jurvpiKZBiqt8afCxG))?arMyeHg-qq0kOjzHk(rGXmA&Gofoyi!oE$9#|-Iq|=^oFw0Z){z8B>aglqQ1x0j<%Tj$1*~2P zWW@s^OC!9L44+v^GW|d{4Iyn0=D&$MsX{iTbB4%$n$Jeib)%k(C<)WX5o0gXS~W;mVb@7&LXd28L6O}jfo2I!P9*Lua{i9p;Y0F+Y2}8^v2U2Q z6$&|gVS8R%^}S)Vr`D>OOy2Y>>X?-!?wGocUy(m=TQ(1?&deV~nHG0x1*&Zt{B1Q` z&g7(Tj#26cx+LGXMLpuRQ=FSw5iSuc*Yrg2@fT3WX`kzctby|!kF{FSxfT}dsGKvQ z?IZiG`U(x&C_&~4D00`;%5JKh+?xPvW(#6}*I7tnexlH-4ar$DnSz%S1!8`qxNmV( zUy*LJ-5LL{V2L~MuY&<4Bv3o4_}F1jQ=1CD>2kQ}sY)Me_-^kHfPR@VCo+O{Ic3VjS$FkBfTy(4EQ`}I7db1Za_}?P-l*=TEKCj+ z>Ji$U1vfevbBsf4SZ{P;wLC6#@Zh36ucW3QtvhO608)RDs*H8u$k;aTreM{l0B~kj zDlc=~G7%o^ z1w)>Aius(jH?KiF+0JFNZ5*(BHZoakki?@EU2`Iz!zOF)3yLjQG&jukLx@~lq7iNM zTZ0F{L=%lD9gzkES7uxWo~5t(aIA>$KdS~)rtGW#9h)8uCA@=Mzg{=>F60eM7p{56 zRC4qGt+sOGq5N&g3^HfXu&vYBks8|+l@vk*+{r!Br$h3_uwfWE9EcyyAQJf2Ndy|% zj{^4Sw^waS*(%pT#vQGfFQ>W3!aCv+|1$u(0U?*6#uBp68G<^wX!$-RG;L&8AC`%N z>r8vU`Yb#~z|P!)%u)7y$_#Y5iI3nUQ^`?3LWllx?=ckC0SLNL ztI8@jlFtoj#ON1FeZp-!duhkqj9G3B@C2`dAf?`<%jHrf&HWF$qWcAXfQD7IuXd%J z2b<6}xO=KM5ZtE@q`D9X)W2K9n*Hu8dK)&{>^HQa`U_c3m`-2J%Vxy8{|nAq@i3aN z8H0}s3fYWCD}nQJJS2w}PMXfM946#aT)t^BW4=DG8#}Sbau9`A{5G}ggQ|(EYkgOp z?VZAPt9(xCnmUAze(s`L>!TMb&hl!zP14b#g63dV9PSewtkAk^(!Vr^@Y-Ad?#u0r zf?b_lM)1dA=6bNCI?%Wi23YG@Sr2IPmpi?@NWYTrHOcn%O`DAnHHLYhFcrSwdmb=K z2^A9MS!`CVStsvG;%JbOrd^6S{d@`iYkLItqO6nOxsG}%D(rI;okLymnVp$l{sF9e 
z6s;19g)j)Nh}TC?eK0XIeSwh)lMmK*oUDZ{DjRz1-zi4Z_y?PzF#(Sm5#RmO)O_S+ zbzdX8jc6(-I*vLUe{R)Q+9l4pY*el3Ioq(I9b$g3p%bi?zk>GqcjpQyq^&&amRQM_ehzfo zEXui0Lx310{MNscik-3tD_2!GCuD;M2H0nL+>? z|5RkpJJjK6y+Z4u2`)gr{7|9h&`^B7etI>mU?MD*5`Y#=#!l>kX2$kp$LOTYqznf9 z(lUH`k?XovXnM5&weT#lEdD51P&L8;_B4+KVnZ90)62dT;G*%Hm=+2Fl+`2+6y|Rm zQVdPo!@;S zoT?Bo9UaWg;4Y~YDLB-`R>=>77|)CuNhy7Dud`7CH90r#_nhhw#y=TY4kt>d6B>EF z-7LXq`Ovq6m6gEs>ojZiULJ9nv3jr6juN@VE2){`*x*h;OS`6@AVnS zs2gS`8ghI(r@J8-3F(5rU)LcRAA@dV7l0qw+7t#$$KZxb#wUquKy*XrO}+D*k;vyY z;b>Upo=uH+OY8WC`lg~R-L}^AXU5(6y6?H5bxic$)p{R%8dFYJhDblrI|oN64(!0Y zbSotU9NM`mW`e*orBSR>Ug2%%fMh{e>&UK@Rmvxn9pB&)*{b2xeTP`lXFp-OvZ(|n zOFvODnB`|cwjT<~b0*WQyq8N~w(z3{y-&dxzu+v-`;;f*M2S7j!V@QgU2r(!fXv}F z@IshRR`d~%Oae>8uPY_G95~>O+9v9WFa;%QafBR3)5cmN@Eon{6uA*}mWB@1Ss1uD z(@B;i!dBWBND|9wsN6D%fQ#$jQ!o6ubx}dI;9&05aFJ2h$77m!z;|#4j9}xh@GRCHtK@1OKC-P1&_A$3 zJbVeJR{cOs`Z$UsY8jw2#_vEpuL0QL?4SDAR~N&NPaMUoRG91VM6gCp8^x;tz1Bj+ zMuI)jr(W{F50a>0RdIUd=qJD|$teoNFg%oepQVT|A7s{cW(`sY8c z`ZVHpNpr<(+|SjHt`T9Yh||Cr2?LK5&#vL<8W~bem=3P&valaqDU#lZc-Q3Qa4_0{ z1kXy^2cDR*_O#IwS+5(hL%;)%Nr=Wbi<#lHdQ0$x0&?W~jB*XC_@We;Ac2qdCI}U^ zNKA0uiH0z+?*=eZcA>#xMR@R(IN~u%MCvU9kTc8UZ`@e=5zfI(rURy>A$=F7mhqJv zi2`-v#Azl7Q6rkMB~Dd*@_f!Drs&pZ0~q2-eGr49jYQaJaG^A`fH6Q^t`v<7ALSv~ zCFLOMR&0gFJ7gr@40DhTK?edD=NEGw6AKn4qXFzFeX)uwKB!+i1>Jn15+ zoqaceL=$tp{s{MG>_Jh0L5>SFl*@6*x*fQycYQXw9-U9mkM9aM_2mkvM7Eq$9WB;? 
z79Yi4&_2iy9q3jG`I+nQgPX#`!+shF>puu&OWt`0DQ;AT@I) zs9Dn9Hw;;z7u`lm^(OI*&?v28bZnckSq`NwVQjK2)qDeAJk3i18t_S*B?oGHF_G1F zbGKj?1s-|@U>u?|kX7R~V^C;{am<6q^-s&7x617u@d$Gr;2B|$fq`tmX36@>xj-@kA-EF;_=;PF+uK4seFs9MrZ&rqu#BWl%wzp+nOupm?Wj1!{xxwaO>( zoWxm!LPUf#VLV6YK>Q#^c1XCNMO1{1!C*PSrzixhCL-WX?QAmQy!9P6zYwNH z2`;WXy1>fF3BCgy?_}6hQ^W|~txgHLSkom>e%~&}Vwo|#`8rJFrXHjLYg24}ov|go zcLT0ip>j)XmNsM;g(yK`@{PmkJpKTLuHfsExvLLYIN*bw{`lLY%bBJg=n<&JUat}m zliQM!5F|(uELCWYQVwGg6ML)sdxwYcRa1}n2;3k`GG`z?IWFtHYOT`{p z$Tam}j{tomB+5A+InT!%zkvGTER{E~YO(keqfT}sQNZ1Wi}hD|aYpaR>$qLhjs}WD zxY^2uFT_B`OB0_JAY>`cQLq@C zQFHu5v52m{ZGJsRMHYBYepEnY?1(EEQC?;VJ^A$)xPs@YzBVwlo$cUpvvLOkQp!YX z0eZsjfhZR@sJGk@X@-BhTL?K*D(G!rX2SNtN_uHJfK6s#{@Z4c&|_pllU<49#`*cz zqA;vTtPzF((iavLkL7#;pi|9`2|N!AL-_N&RJE*7Eib4*Ur4z&Cs1z2Fg=dC`2|*Y z%t4RF`QEz{c}Sb24gkR7UXx09DjWg0Hr#{3B#LPPHoZ-Q4ARRq@+)7&MP06qS9rx0 z9q7Y^-KnKk2|AgYzV+iRJ4VQ@=6lr!nS{SPyVDK9TXQ=VB0Ds zYg@CaxP~R~*J?D|ZTw?atx?Z!4HxjP^Et{lxSdYyY?iLuKDvk7 z&^Ry$Nd1KrGgd;RZH4n(Dpr3Qn;OuKW73P?o)!0c>po zlmG7JmsXeMiy2_;UBIsAWoXxP)8M+h7t?0Y4Hk=|1>J-wmf@syU15dxBJh6{8UVc2 zMNL#}_=XQoe+dwnGj)p#nB>AQ_4A3Vq7nHMtI5e?p12SVo6gk?e~|%3(u!j z5P!p>!X`(mUEj%gIJZ_c5@(G0XeKfBDCjH*FxFj_y6*F@;(U`Fh>{oWl*^bPb$Mf6 zyhOO6^Eujl7}|<~n~!);@0U|r(#Do*+Kwen>HQ*l%#kWIr`2|m&cwGxc@pHyeVo-p zO>#>$UQ^sygtZUs!?CnXh8`all7xt)T0qLv%>V=TtEHNWDb$OAKTz(-^WplHX(UV; zD;7xt@{QC3n#-TTP~W>WZ4(zT8z7>&LBuWADzxvE%(9;-2m4GER*0k@q!|Op$7v~d z&>~QgX!A~f#+=H&{GMG%EAuSHL$D$v*EYMwmNT)6R$TdlLNN!OKgnSCvP<=py&zza zl-Og$U@Yab;T$REK6xSlu8(i=JOeBR@|C?9%IfZqyR(UVjJckX%K8&}zlj+iW+`+TTGT~L zkqs8%fvjqhW^c^hP0XKV9RO_+V2uDV+;rx8B1n=!mzQ=vEE$+XT-Zba7<6qURV-4o z7Fi~?{J95fh1C`{c`i>>j3jOpB~`Q9_NMTp%<SGy{hVfw4d@@4o@<&|*4MEMhu z$eh{h;)zJQ%&PKKtaX3zc&dyMUIk-$E+NkhMNd9`MnZ8wIOGAQkQ%sK3_q&Z4}>?& z3#ju+neOWursgmrTgWFl+2lqtXm)hO0MM4om{U&u$V+S(v`KnjNoFM6GvLA^A;)3f z|F`#L%Z(#Rf>k@SHoN^aHnzLZu%0qYrCCYIQ6wAsGR)4InUfdB|lN2+>QM0Fyw73 z8Mu^+Y!<#DApX-SvPR%@Dfsy)bl>*7a=R6OTT`QC*i)*9F;w;kfyCK5- zGfeZo6}aIoNS4LWjZTi7c4NQg@Z@g}5k&7XR%j68<-G8=eFh{nY4bV`fjX)7_v6(~ 
zh7n7tt_I)6Kw;V3Yb@`VNj^d_XqgyL*1O>1yJa*9EWvxNCiXj3m=A#ISl$qcT7=J(FTSxUIF6NSLV_5$@M|+nxHE_ zn`g}1;Ztx=b&+_ck?f_!b(46Qs7U#69_G?3Dv>d@`6K0p(?{Mu$LwhiH9xo!N+YUM z6F%czEV>O-j0L|!U4o_|`ZQ@-ksj+J6#XS7Px2{FZll1T2IyXcnL|~r&dE`$)!l#V zh)Qs5DzzR2+RyD)Z~x#=#SnIck|Bk@UZtyLOl~e;o6r&4p`D3452O3n4p!PpUn_Kh z83?22c9;@eV&{hCX(digg&^={3>3BZgA*JMW&PeJ#7ZtPUq+SPRRgD&64*D zeU4UWpK)Q1VW-`}+?2f><6Zqg7#Yn``L@g;45|fW>%4 z*a{f69Efb1*=sSY!mf059Go^9UCz)xLgjG$>%Wkf`ZT<;iZ+g_9sl}qY$~P>E2C#Og5xKv&_8ToIC8RwfWav$Y<%fBDLNyi4sgne7ZPUy zViuy3iV9tH1U*8w_5CXJ^Bpm9W{NMr#h3yhLXr+|fHRM0=wsxM)$c3ZfRvmgA}ZC* zDh=_xK7!7sibw5e5Ab8*=(N0ty^6u+E-l z#ZH%$_NM-VYVZHt?3OJker6G+Ma&q0a6GsuSX^2?V2}qFjNN}OZ1&5r;pZ4eC{NK4 z)-Rd~StEC>A@`vjgbzHXL}V>sh_f(e>D-Aee3Bnvr4qN8PnJ(EJ*}ae;_RZ4i~^q% z_wyi|C4T`=t671JcPh$EtwRYG>Ws*s6*4bM9SaL%X`=G*wJXBg=Eo1S ze1O%tSVYVxg6R_TOf0X95gK`Ao-I{%gCU%{q_vgz)IkZr{J5chfjQWiCnGUbByQG4 zahr;J5Es3-v84l2>g@1%S_H+{^*iCWsLLb@EjHtSQY#5g*}QU!P;#n+4se)K=_9=5|0*f{A?@U8@%QvWI8>u^%zEfWw#)pW99ew#7S zu&M?iMsTPNRkKk7mh^5Q*Sb_Dcr}eJ4BI4Jf++NucbJ{FV0J|M)XPu1-pj@@b)To&pAZuxQFxp+Z8ZdRxX+}^%H+BeCOgRl3MY7 zrEWQkch_w+m@=)Hd&i~FU^)jDznIpO3Y4&>x8;5bY@B5JB|`x$=1=nF7gb)t6c*#c ziK_K#$-s%%(e9`!i6AA6W=FDVG*ot(B144Jw(Bu0O;jGF5-F+6=@MOG=XSn=Ek6r; zA>dQLugvO{%wCtXItpNC8o)vR&KBz)I_c{4oq`}Hh;(K8)52Uiy*y&`m z*RY%TOXlhu2u(y;4-Jgt*6y_Snuo1Mqupr0;n~=0DxP(7H$;8Va^fAdTIcX^ljxTl z%~r4T77b9~y(21EmgH%_Td*qOP5p)0+W#3w)4D8+uxd%aG#}M)RGWR2%oj;atN;zP z-n3es-dm>h28l=1dk*Z@igbl@$BzN2;21Eqy)kJFF;fvzqQZK7EY}2|>Kx)`Q#@z` zwjjyhLeze>_~fOB?42@;?bbo#t%EV4yn98jk6VOP=5jbu6v8=g*C{;y$}PI>C|tSX z67()Rj!~E3Uyky(cuzzB>u$4-U~*-UP_gD%%!sPS3y*_9qf>9V6*>WZeIi%7pOY1O zybNeTjsRi>eDAO?Uf7(7d&wl3=Pp($2KXv}mHINk7kai?lI7PFDRp+)QN0^&fuU7-QJ3_!RxmB)*DapQO>cub8mqR?X@IptQ_3j|%{8JoMYJGHD| z8WTjkeH0_oI`DD+-A}v~x~5uLcnWGxx+Ss0*mo~)YpD__E2Xn+_GX-9e%;Lq(L`zy*&60UA zM4j#{`a7o^&hZUcORDYj=kF71`)lFJDO?(O%OG<#yCQY5Des?qjmczK7|lY6qZO`Z ztP*`;H=LhxN5m;;jo7fEAXL~pXNTs4FVa0{gyuhfk?uJY6OX?{_fm&?+5aN_^IhoS zUta`*gWLs!anGd^1C|)VxMRpU5yJ=c?-z22DhkL26;$Zo>(M0DekoYW3uF&1&?n0< 
zi2dmPsKD`o-J!5r!rLK!28+#FXmOrjHs=Vr>g{IJ4ocKPdlQtIrib|d$; z(g1ZfxZLmV8<$hV)lGzW=g;;9fAgI8gLeCX=04SwqOP>pZtSTcgFJV67J5OPY8D8+ z!vnnEoP{0+kD%`z68dpUv*nOf$~08&OTkFoKL-nUnc-;XeFF$y;zB)jTu0U>A}1=k zV~x{!K?rt)@*qrM@b68#5rUnxX(wl}l7NWBy=0#%sYIU~!Sz<>Hf%Ye#K_CZePD5c zBIq(#4L1UTK%Lmw;U9jfdEE@{j)C^o{USfdn30s+nvhCl@zNj+^i+9C!q7hFZ2qta zrb9z9OR;gCe;FRXcfz?lt!7(TV2o{DMT+kQ-4yO@Fqe|~y?Twpv;upWMYH2%jP;V}Y#;ASqR6)ajVhU6Q+!8R)S#MPi> zP1OqlfoQh!Gr~C_y0OucTH1qr3-f^AIsXW3#PHA(CGnFd}WL|_cf`~LXo za_j(ciTv+~<(!wy=Wq%Z-ab6Pt(T5TTe-s=@O&F8MlO$Zx^U64Jt0_;`%GU}&&P17 zcVk=+W={P`hMDm!h$0nW6;7IiCZ$!L7f2CfWaj$G?U|cqG@X_L2MLQ^-Qu@Kz(V@( zz6Qd%c1QlyefRXf-MeS(`#|d(lXmEL3s2quq1OLt3@a`C{G1an>{}=V$0Xa*bN1iV z`ag->=N$f~o?P@gG<8}V?EUqfwzW<#!t^4@Ogn!|=SC2#M>T!b;NwIymXKX7!-Z7u z@KPsZ#ZRFJG=LHg+lw*H6FgL6Y_lSV@E17^#gnh1{Tyt}izEjhcRrzqe3^~B(M3;m z!Q0m5m(!ur__Ggy$dwU$qlKqKc6o8+jD|;F0IEYVW*?F?Gso+5M=`^8iRhkW8FAhA zKy-+lWDZFC$e}=hS0j1V8c|`2Lm-^HsTD#jFNUzy?e6ja8|&bF zFkPvMpEwR&&(P1G_m4!-EtuXpUh*PJu-`D%I$rt^GlN-h$6Ak*jL8*t-`wf1#S>)}|+0AaXA z!iuAXgR#m*xdSh3(W+j;3Ka1&1hmRL_XP$}NF(3AL=@U43KlnIiAu4j(w9XBzwR}< zJrZwwuO%}#zDieVz!Ijaakud|8s**2f+bM(;MTdM$x)qjmaHNl)d{did4NKnr(AvZ zaNIgpZ3U}~;4b441f&dfmpQALTy8S6o6`Yiag2q2BujY60_6tGxea|9u^B%|i}+#T z)z3<6XRodoz*)z=qu_oX#wO}favLn2cL{<-F0ijT{x1`qu8NL(XQH!OEPhew?C1BJ z%rh!4H+iyRo@$gPpO$-$EYTOV;d%;MG=#(n%g4ZFXeCJl?kyS(_>TdnCr^-MMu$+| zRmqY6!BsMNz}^>O>37MS-9E^MOOj^yK=C zQUd3`PGWfijk6%0W-|`zoSH?+^coR)O_mKFq^Rn8nKY`|(`jx2ek>W*FA%>21wRfx zCRpdFk!0&M_8-qTQ-swQ*d>SRF8LHhTBgY-6uB+TV?!OtXf>5`(tw1x+l+O!|O1e+yF1daVil(wQEDsO~+6G{Ke=aBX3&Pbg;9{rv zZ&yj?TEKg{D{2dDT?4jj*qdo&f$E{DTm(%2Cc*o)7ytUL^RGI%C`gh_+XbHxsqHG9 zW2W)>BL97>(d;xEtxl`aX?70(r@a+&={2~>f9=J;Spz`i!;-&`Gxsh?^WX234N6A{ z+{E_t$K8v|tKARR=lzS_(Q$v!e|H8maW%R=UYofzXA;81UKZ5p@mk&&EoTnBysFzm zPu{ZP0;>D@0sCAt|M_wE-RVVt^!webQU79may$Yoe|vpOa=%h6A8!N>^8h$B+SYSI z(QH`2pz$T26bzDKXrF*WQibg`Wk9aRp%fp!*z^DsOaU6GY&5%4EQq+&-rwsT?)O@) z1G0Jc_}CIbqGtDePm2irJW6xTcDe!$erL1Uc5CtRkTKZv(bsD>$#Hy70~&$&>pMt+ 
zYd6HH3GjBCqQ}X}DLo}?f6wU&T5CS$I&AYnA_|;->^s!O$&H-r(?RXl_()w)%is-1 ztIe^!+yDel_%1QLfDCt6uayqpTbHQ**bt2lCpy%NS;q9Q*$kheApnt)l#-jl)8z0l zAJ0wE;(MNX@r>D}43jWwHg+f)<54F?Xv*iM$X!0=52ZWZmeSB&l}7O2h9u``4$;b5fEAnPnH%CnkBD;trX~_2HW-ZOFpl@JI}bgsWFv2e z1S zdf+b~f181!ktnhEES?#DFpxig6hC>)EkumRzrr45EGl?X<8vToLx(H)TXR=}XXy%r zeQ>*f@mn#+$Bs=CcrwSD@hicSn~TDOW^2iw(ZrFq#ti`JlNbooI7=;}``2bQ#Fvw< zv}L8LR*DrdRZq=z&{WoerViRJgTKOMfYJY(Z5eG%$%})Bt4wmF&AvTT5zb9fo*-Nf z`Me3`Fm>`U+2JuVQ6U^^#;5XLxJJ^`$WW`~^Q4u6F05f0hgcQjEvLBU6t|q>mQ!5ADRL^qkA|t#LEt*o3~*FB zW9W%-E)qYS+^Z#vTc3_UX^Ix~Jra=*HsvR^_yi^r=%y@qzjQskvLhv>koWA6zhH>@ zkyn(LNw9d^yoZM<_;5X>j~_zc7rPVY<2+%k+N@ zP70TJndb_A@+^#D*APO&i$=js82kP7I#q6c0sVk)gjCs2clW=WCH?uS*l;B1uw1W$ z8x)6vInZQxd9RjVB+yI;Zy+2v#sg>j&fiPIQwacRlz`~syu6lu@h#Uk)U z`CyqWuH$6@TO`eR`FL@W45={23r0bdxF9L;lB=Z~r_suTD#-AA`QnS@eY6U4#qVHM zkh3KBW_SzhSb0S^u4r91d@tXI&75*dB*aj6<3i1~0bS5|vp@xXS(eMmQQETzI6$od z*T{%>%~n(PguKWyX7TRB@!*1yyR!ZcZ2dh!KRr{+V|bBkyc0m;O498IXzt7S0+O$t z>^LR2d1=r4X3y(o!Et|lb{=?eW`*e-G5!opRFcoYCoE z6x@<@o}%cFly)cuBVcFm7;S$CEDRva2$`F?H|T6npTg8tz#4=ZJAu%?jTIi>WlI-< zNjabBMJs;Loas6V!ZpsrOfZYe(7*$Y9?woFAG$b8_~AjHhc0J|C?7;pS@M=I4OI&( zg|jSj8Seb(CKnrHH_A@PEtme1DY>vD^d)@MuT1@|fzQt?jmy;@^hsrfS{GQRxB1g5 zTuQz!RY>S4NwUHCSUwDY$B3|-M*Y>@0w{JWOE7qqe1bzcn#;#=;0=}Pfrsg0@A(rd zWKRd|362IbgX|GD(huT{R#+CvH7o%qM#GPW?^crupBQA!m8P!F#z(4pO^$;3MlJ$; zQ}l%_2QF8C6)t9&Mn-HAEE}B>UPdj@J{q~PuN44g2q*VPQ7BG7C>(qs+FGq5XHw7k z;-Sa-h|m+xCkc(RWUCg5I7Qh_oNN}jA$O{aC@NEh9Ks;T0#AG|SwG;BMv{TbfcpR# z`E&p1jO+qmDZrCh^fI8X=z1kyYOASs%*zM`I$0)yZM-^RM$V!@7us^dE)}DwgiSd* z8q+K%?17vj>cBw)Ttp@qARQf$99Ih82Pen7VCH@fb9~<=-zTDExLQsFvsUEiOOQ$$ zrSAl-MJKXM+x|yM6d^^6Cy6*cFwQ-!3spg%a1l|C2Rw$c`pAL>s70YBeM3P8vd9ug zjFr5{PS7QZJxBOF=1eT-aR(ssMM99^rNmkO@<=bFfALYo=8$ssI1AV^1uj@SSmD`Nw@`x7j~FX#ZeoRnwKKM( zV4m>CnKVjxQnkbYk`{^$4Wt+;GFxV!;^Y=MlWAaBd5}MJ<_kqOVrxJ+X!KnmK;!?o zDQJ4!Z=9P|3cDvwk9e-=Zy0ZUM0YtpfQ$hm`a5DavzXnd7zLmEQqgye!75<*rcg6x zRbU%tAw6DL3>>H|`9YmKL>?S@fA#$L=RRv{kp?S2iSKbTZJFpvZ)Bg5B 
zB5yY7h8mvaawRK;S8T+LY`sbePauo1soC#vHV_OmO&89EB_9@<6`Ar#=|Cg_!4^e6 z4Knb0Dhe!;sT-Vc96h;#Qa}QCeBoL`sL-FtJ|EkS(l8 z4Uxi%1Se+t&pT556Lw^p^LVKU(KSVgt>~~79k!ywR&>~k4*d64bg-eb6&<#s!&Y?I ziVj=R;XkVA(8(#1o=x%5&UL-je8{4$__7sWw&KfHeA$XGTk%B{ZN-OrJ8Wf#t?aOs9k#Lq|GkwRZ0Kxdhpp_el^wRS!&Y|qk19KG9~yhsqg*_U zWSKI^NiYnUqEukQ(ljVeW-P6PLqrH@oy9N0`GW-vhk#GnS3ZfQ#j{?D3ixX||&f!tR zE++;_$MzSuJ{3oF7d++_#;{Nc^F@-)6#qUfIyXjK(re(q1VcutBO3||5x%&M$=^#j z?k+uVwQx!Oxf_#s7;*#kNfa+K%oq~FC6LN+ZG5IquSNk)XQ;1O)~_WkomlK@KCaTG zSrmioQKN3H3$wL0Omu0|5fXWttN1YTw4vNH61T8G)$2l8x0D9!H&ictb)|$ij}g3f z^Nx({7)_EDBOk6Xr_z0lL{?gm#Jn!|S-LHY(fR0|l>~y^w67Y`2J_3jyJyXpRWVwi ztv&0u*(fgH`T+r)9~jAR(`{2Pj#q_VI-AGbdT8q9rG2cAn)T2gio;+%wB@3>R_og>BWP>FTRm{+76i9>Xsh`*H5Q9R^-{yHn&2(%E7E3=z4{XWXHot7xG{+zMNbW%~kz}ZECk*^XHnO8CcRHxf)y>(;-)*H<6 z_0T~e``167o}Knbzb{%Y`(iPYo2XpdZtSoZyh%Xr`snI<)IXyL=5Mg9U4bA@jjdg&4Qvyt-TjF^0ceQq}4! z=au&Kn&*pS)f~K9b5I9s4!H_W|MzGuP_$EfVrlUOt_*)0Xvtegz9_ z(B!+OU4wSTWISJ|1p$NYo2q#z&IwK+`vby$o#=d#XbvMjGArZVo3%x{b! za~qIX=4$dt@ro)r^1GN*l$!lEWxwyEd7b6_qni!S#P?UwiD>sW#sfD8~v7C9hjf-K|q6gG7tz0VGtK>uRX(lYs zYqqjMfKJ1DMT^(@qD@&gH(k+4Am^=TUO&T&3|9f6ZUvh6(y(nyY?(=40lMt%Zpt`?D%76vvC>wsCTJZA8aFU3fQ`T21UO;4Narch z!-%Tt&YY#1W{8=OPO60kWZFmV-yjV345)BpBEC6LTiOQe(XX?lFN#)QkRzfzjD5{j z+16JjjeoB#OHx#@9yJEhx*YBP07YT;?U^rf5%@R2v1Q=Mcao0fl3J0c)c&=Q5v$$1 zB3%w~bLb;XmZ(EEP2FJ@Bpb(3p#kQ`x36GjDb^m+p1N!Xz#IY=#_cSYQgPnLjB;M! 
z6JyDL@|W%;+l4`%!_Jun;d~c!mhPf953Bw2lPH62lFuE_jF9K|tN7jH7@SVvZi^Hn16_s(V&lK=l(#xOJJZ@^U9(w+)*@n)e&4 z39&Y^gTdI?uT*a))MmcmzEkQIl5R{8^?Wo>;^=0}N>zVr=%>kh;~ZfFLrwiRn?=PT zuO@5<8fX+0^)iG*7h&d|4S_pznRj5_anpd~o+9E>fjsXfla1Gp=6jN?^INny9p+LX zB@cCTtiQIj%OU0|V=!Pm;VDy*ZaQ2xH=MOuo^q+2tjV8hqpf32q*x2rN!X%|4q}RM zEuYfY%19M@mYQkoHqUIOc&ctNdM$JGauNeU-REkP#}XErO`W})JMu}M~--%nb?uS2jG))Wy^ab=X0K^$r9_6n0*bc+qsDnF~xWT z;()u+`9%?{HEKhliLNkjPgaJNXsgxTf9tr8cvEC1>ao#Hi3;KUD)dO!S2Y=64G;BhlcP+QFX9{VTlqNArD&Y=pad&4|Sb`oZ0akO}w%{P$I`1i{yhH0vY7W6mkgeEE$t zalJI0hY_&0=0{?Za^XD8SRZOC(b8BSb*Hs!nN~M~t(>i!T%fiqQmt@~SKCQ`8I#OS zVQBah3qj#8itXM>EE_bhx6f&QtmM2_1hQvciNgYrb8AsWf&R`DMIK#eyR59sibNn{ zYpZ0U4y+S3N~CdB$uun!ZdheKIAbCD;y&AVZL-K}&>xE{ss<)9a67N}^O+M@A5j zs2K9UhGqM#t8+cI5uSOjjFp2*RcPEcmr5)k^R@|!IPHDFC;2p!9*!XrG zx`5Rx-YyGz8$hbd@l^IsSsbBnOr(;Uh;cc@ANMU=U(q|=r+8Q9PEj)6ahU>}(Sh8k zn1`}8bY3w~Tnh06)OFe5VlOI8xfYkNgyz&4G|o=LR!OK&3r;f~0JKN4KuoJTu2z@u zS2kxjf&__?Cw)~);1NFZqBgE25^l>bS}HMX2uQ460U$fF&M5fI;_RK#yLY9f{JXve zKK0#PCO}J7j~%=EjbYZ)k0^Tiu=b#$_a*YYf=%f=^jk*~)6zps4fygLM;T|gaMHQk zfU;RE*kVl#rA9prLba}C9szVoN1`cC=4@_tpXO^yUXfT=)$R{1+L8UW(YGH&nQJVN z;=Va!;*HLP6%8?YgQKp(rY~EQ#VgqgV#x&(XFmM7Uknoun7I{^UxbJ(f-WsSg(jiy z9`tZq4ZlAvCd)93m8o*8CHp$+=X%0^s*_=|d>(@ee^Wq#OYjgZ0&b9_(U}#MvLUOu z`PHlAR=2UIggKH)0rLLkjo#r~=4$9tyl7Z*^d@{A5mzcUiEvbujo|dC*8{c?EPV-)FlAePU*Zb*P3`42y=nBZ5pU!YIkO z)b}b5Zii~Y>(ZMd9N&=ALTd!$<-|K^wa(ozx*>#W;(ktW;)22Yn8tGp1;o;!LEqG1 zsAk~eV&ZK%BL3jUK_+2MVD&HM<2<>s%YhiAHD6p18X1;OG+a_+1CNCmP~aYi)0l)m zwbPTL$>h7-^@z@;_%vnn#Uf*9xk2RV$<-$OW<o9zt6L=(WVu&PTznHBOw5#|=}$!O5YZW25b_qOmdAlUjfs8WT7s zc1AToTnkmq;oo=;Yat{hdP3;S7UY~bcJOn6@fc=2W($})%BAv<&f*&UuQ4FREcJ3p z%rIhw#Y3*KB0rd89?PQXn=O~Ht{T64s`9&e-gq4+eOKWQu7H`h@%^e~P;a4dRsoJ_ zIOWJ>4BaIoVT?`4yXvacDqSt(a=Mitp6&cS*8K5f)4v!Gl)YXwbNx}^(S3J5kUxJE zKQG4O=lD`qKEh7eQ$6^48X-dOku1n_h?FsQd4whyBT^4Y78aUB%-|X&wW1?X3qF43 zG69Mo`_cW8YVg6VKXO#ls9Y4Bt*BFRYe3l6%bXR(jz({-M*{M+`rK*>E9wB#RDl`b z4KP_iscZJ&kNYGsNM`l_DQurhz(3J%&rrew5etp3isg;eJdDHnYR=z@ 
z@NDPqomyTX$l5~Xap>Um!kNfxj(Ud&ZygdN1Zp^!x{7nCsE};R?ED6FSAJM;TDPjJw2&PaqBmAbCg%7!YN6qL!g$ak=a4uNkf_V?=Wzf>(Q8P z6Qaza6`b2Jn>oYF@#&B9J|Qi+GFMU>!k=P5rpj-e4<&$v{gNnFD+%Dx}6H7yZyCU9WU>M+3+m||>KLMStUH`oHw9>)GTn!%g~qKKw) zW50>zFa7;HcNtS_bNYN5yVTW;7aZR$!lisXiQH+G@o1?lfcTsg&A-$suys&82y$kv zLqWCT*P%Hq6~Gm_EqG2K8?>-g1*sA_gP6D29&7pBU8JPq&><$`s1{l9x;yF0o56|d zWF8>AbXNZ2HTw?sHBt~LoTIrY(W`t%uGh41yUbb@28(@$ek8GS{RZ1R!No;_yb4D) zH%?;Y2-#QI`r6o>GCdMCbf(2apR~7VY&7&31h<88!f!zA;OSA4)Zd1P|jQttKOZj| zSU1%9K^E&5+qEp!N`p-YX!C*I7wZwjHWrd7ytVq4tx2jFw=FOF&w9-91-5A4n0wBE z^x%v?Twb3IoSOjYoR4IK=(tIsT8w^*6SVGh)bg1X9e=q~gtH+P2xm_WAX|ooV;Ix- zrTel1QDeK}-Q5*Hx70u7qfF!UVPMCjsljMSnSVkL84?QJU4M1-j>-u7df zrw+L6DnPJ_r?4EepnwWw8;}rTR}}_9aL{NCG>e)(qZgF9b)oqq$EBjdcl?#y==7hO z+Z_O&yPmkq^7&mr%n61&}z3*!6W zKDQ>=O$QtF1>UH8gcqaIlJhAjv&G?Sgxth?G*T5jj>)(9C@85SYSa}Nx)K9=vtl5@ z?_E;1uGys%Ln$UH8Hpk`xGUEAiN-4c#Lq%^l_hgz#Lvril3HuSP2Dp)l<_!Nf!*dN zzo|tFbgsmsW(!vbLR9y5+pQJ}dm)57JZO9~zIvs|`D(j8V8@7unif}%BnBnH7>{(H zED>0PYTS*W=My+T@PL{V{Q~)Z{i$K5e5?g$IK;z z)snrg_2<)vx}yv=U3R=b5i}B~k7~s6I)PT&<+UnV?3&qWE!k@?2(j51jjpj`Oe9Er zIc{De-tncOBVM+o&FrLgVBA+=B%hl=(l#FeWi4=eCOFT#%U<%PI8cV>$gMUmNBzx5 zr51393UGrstp**r{AJ(fa!J`6F|&8)8}Q=aj78ol*$DadC)(7n z>D!OI1^pXV2hIEN9gV_{{ME02^`~FC|NB3G_0_L_rd5{iE!6l~f=5{v=1*Y-jn=Ru z$I_7Jzq415wOr--uae*JyC!oTCcl9bbA8gSO1Zy`yi5<8`)X}%yacpH^ijwBc?dM#yt&`Hwf~&*#Ti#t_pd zOy_3C%=P^gNtlcYy1)HKN4?Y0(0kQw3nZ6z3;GN_ScgmUr>qe z;GYGx+Y!C*(WAMnpt@b{hjo80Rk z@c$htb!18gsHX}5aMla-e~pwfHZphMWc+_cN*(IV#2>IZ>Tz=xYCq{XOo1Lv_~@y) zNG;+^-OCW0yOJ-P9mX}fWClhM3nBFsNzndGPP)&)tpCeX&>4OR*SmQp1z+V$U;MyMav%e%`3qPKH=9EPA$@R9H>7=5AVfD8% ztdqUV6*wBOzO#NL!(<3dm)wW`4wl%?lLrYVQ zFxw^pt|uGQ?{`NBtXPn{4BgObTCEMoces!FyLC)P1!XW0-YceV`2@P6_WEt?uD+r< z@H&mE)PF6W8YAWy=sm8$@W#!YqxiBb=&;(i^cPSvFVcY`*^Zy zMB0uN=-G_$)6~rR#_r&zjk2|*Cts)&HkN^9X?7?IN%<+*PzVZ80!b;N-~Y`ws<@xl z^v>ki7Ke0a(+YQ_W^xZ326Q5L|0{Al@QP;7fB~5)V~f@^8FGX88%TbeQgLx{cWP0K zVfq~&@aOdAmf(}VbRyjRl6yp0>c$@JHFW4yVP2Yf1GnH!3w3VJK#IrGC3uoVlU67+E|bw#>foR 
z>|!08Gh*Gqfg|9ml+bo=?>kZ?MtSfesb}L2uc_TP4)?XC5~Ab}N zZj67S%tCzKMlp2I%sOaBDub*1s+wpeB%Czbgj4;f^NS<~%>q`f&4%pngu(X4rp_Yf z{z0qeda|mIV(p~X7}Y?gaw}^WxLD(Yy2LnP{K=Vc1#^>E3oxi>un}jcX^0I|%{22) zaKVg&gdC5yIE(R|^N-HvUzoxG7$5?SizPpIf7rEXeDte?OixURDsKDK@!0C8r4by+bGg;zZsz^dMY&V1ftkys9fvqXSG&RA=CJKDapy zE3{1>2w=C)GH2&f2@oixEFnZxkv+Y_-V9g*UZOK)c#3Lwh^74E<^$@;^+if(`QcRM zx!~sA=T8XyFt--w5Lh?80bg*eDL9QE3av0HaWS+eQC&J|VKO1s=ku!Xi+97LKu7i4 zmAz9ooC;fYJHE#qvQFoe>`O;MQy`r44VyD~WfJ<)qAzT5YgmSS^!!^@Q=oSmi={6 zQEqu|xLZ_&o{VM^w39cIeIv6K&Hhkmbn*ty)< zT<-?<90~HnJyqrgF^noM_X`YjrzX4xz#LC2#r{qm0XODAwXKHHivRn+{yU7SzOE76 zLetlkx)ZPPJ?Hx#MLMJB)^WZiA_bFiM1{N8vTmsgTnh}C!$_{`fH+I^fAYhr65HjH z!2yefBUV}91v5Uk3S(Rmp(T%=UCFI~(ekO=_h_ISU(@T6%uK*|_#Kv+?qW^IBN*Of zB<@ajsX=+*{8l16h9*OP z))L@Ci~;6v8nvTq7ml~rLtl82CpHF?H;e2#yb1a--%%hA1*C2+)tXI08YCPC2aGAQ zuChwS#x}Bo_;P_WSsVIT9JS+Tm+c}B=~%tAvb=ToUjJTG1xp*jQeoiIlhyH9jP?a<&WkcrKI@dt9qBdE% zC;ow*hcH_06FJbXBOWXHDF0l8-Y&Y-|N& zvxfy%uTeYRD(zLjVLlMmtVdtSO>)Dt^gSj(Pi6qBk3guNZlUCp^XOV~T z<_5noIlA7L@hezrWiMK*&|Nx4@PVJbc(4I&d~2@5OkzUpQNd-N+J90uZ!*zLAp`j-%nrvo7^PJfvYEobZO+mUA%Z+AEg5g_{RNLc z8YhQC4+1|45}{LgjU?>r?v3ygGmHi%{He7d=^g=IBV1oSg+CP9&Ye2l;l|_MPoCP& z;1_?^%~^w;lzMUsa2FCSA$E0Q3hIVM_yz6~)xl>AUyB7+bi4Ju1VXI0e%e`Ak+8n+ zS&wES0s$2@+^82A9AXY=&Cd0yNtG^J=D4(v*(b?hfG63M9bbMR#|9vw&4(^t zNc^U|pQ<#SBO(zRQu8|yjV;{d$)i7RJkZn(IzfhW0$mDLW?_r)Sv9NaG`*H5E*zO-{^EvHfw z5}F7$j)+U_RRw>RMP~?n=@0FS$^KdEXcVHzvI^bIR`qF-(5NQGh1s2}9}7eJR+OgT z^DItg;%%lxNSSR5d3NZzH3k~|f?DBf8B^D91Bcd|GhOUwi#ZM+Ew%>UarEJZzi>3* zp?rSQY`fRhQ@+kt)X4%41CHRoNC~)Xd+-DW7T4f1n|hn}kKs>T zrX0-HA`dJuKMW`W^F$mpCHgP|1S`S4$eHT}B4M$HLsd4zf)5VtvILY9$(Z%~pc8Sr9|9X=ZMoVAN5Pc$S&);zFB5zogEW zh*a)0LqMOSUDuh{;lVJVam`Ti0;fJo_MS)NMxOI!yHwf0mi7+yqqoVJu^i0ZtY#4 z11@%!TcWl<{gp}27JJ9kciA8Qxigai91hU5EE_f`*J*4Wc0QhU5d2eVg8tw8M9jaL z^1vDn9t5sT_QoR{k(HzE4MH4a_(;Z5^x2^-#P@!4;0YzsKH-_EzZE&{J<6P0p`%Wi z5jGl@+^AnrG+yae=WJ5{+mOSOg_rvUyLNM}uunKutHnUZCn3g!{mo}cV3YcDcVIlX zx<}LI&pp#h5MO(To7dNTOdR3&Z(S3DXO}C#@iay 
z2dmP9UP!-x@YO2Vt0%=3UhsGY8+&sgic^VgO;vBad4+!GFRu2MPE%eG7IayQHNp<& zBvR!tyZ<0#b_V+NP2J7lXSu8g7iAR!Fw+<;B-hv_PE{h6R8%l83&X!!^t@}{#}3vw z#(0THS)wy~Jt$67_DKBIwU|GSRo`z!`}=f z6H1*TO_e3T67wI9ULbAg!0Fz~ z1Om~kB(Wx!G=k;J%dAK>DC%@rUF+i5h>D_AO4eLzSh4w*r%`$4Xq%rouWzX)UE|Y^ zLcIqTV{1}beN6J6qW8QfZUTp;sQl#_<~Hle6}?6kpY z&EsF92OiJG@}#b9nYd&+z@0ulI8CDk6b%_hAq4u+m8ob)88z?O@|J1Y1mdtjU2q)=klB01ySQ+d3l62ZN)0^wm+RGLc;yog{eU@x%3ZvtX0fk=&kSdkE z=W;V_^y>?4=BGDb>+IVuyfY28j34H8sGFa_tZqHn>teC2+FC@7=~+F2Uh6kOr9>I% zN%5A4g$y+9V6TFB-<+Bk^}L$1A4gU#@M>8@RBP9#57&#(Qnb4{=(NDKql+ESEa!@m zT>$fm*65#4=3rjQ&OtZHQRH_Qe~4 zGi_xDn>JDLa4eobHR(Hj?XM7e`Id5P2X)(Sx2IS_=?3HJ0^)hi9*ZH}>G+suS>JN0 zF~%z!8Dk?j@@*+U`7`^#&iBxO9bIfHd0fbJiJq$-%)!W$d{Lk>@K@7heeGgSYl;Sb z`d6RlFCO+-MZe}DkGFt`f1kUv`f*IdZv7$e-_K)rkey_&kDt-^YO}T)D?YZ}pCkY9 z2{pKF?aV5rg}jTToSj2vHM=YGgQsS1&YRi>;nADOHX%oE#dz=FO|Rny?}^d*JG)cT$j3*P}xYb~Lg7ejVfm*nkU-~p658E=mlTo5@U z^Gjj5jM5^b1w5|~Yu|rn)N1`W-00R&-WFG_9_q%miMB(#Z62xc?nwVq!__8fWy}c| zN_llR28#d;ZS;?_w_TZ7kDR$nI;9qK9&YcNd&RIQ^-%y_gQ-DYGrPv(JJFMpO1ph0 zU_H_cmu_?=gP=+JNK;D{gsyu-@6KqqOi1IA`?K4+0@a{eX!1edE}G`^0YNy>TlQ_* zu6qGaepU8fJIS=pynS3 z=oe$pY4f0^=>fy0WvLmZrLfurarNsk_pjbb9)|XsY;09_c*}i>o)jfwnr#UFGavIk zi*Tr<)TP`eEHi;TX=i|y`8D|`h|;O#g;}AAQL^U4Vc`x$>p?{^(wyQ-h!9%haDbFC zr2_3{tRK#TFDX6hMTL$NE|n{$&Q$!O1W;yziJ=WVb98ocxy_VY&7@%K z2wfsvht{S5`FHPpBKt%xOd`l_t_*7wx=%~2U5X>ir8bXIzfV{WSC-VgG)0Pyk9iB1 zDWxkQvQQEmwA8A}iK7`JBnx!T;7~Wt^r=sQXOoRfC(V*|N5tMxl3bPuCJ{!^qvGnT z%E%oqx<@Cgxy)3h_V8COAii`$O=KylPAqk1>dCeT>df5|O_CKqP!4Ka|(u357$6@SFCVxOrtH32DE7vMZ{W zVv+Nto0`8hzdfoivyMW_Zk0;^l3?(1VV;h#F*3sjoy+qED<3phl4>8N_`T z{_zJu%4My1GCJAF2O`y&Os@zQos?;L7FZ&St@5}QaxM*!C1?}3<7iRv?83!Nk?qs6 z{zG}Wb2?X|VCkBXxuBT|3ykhytDqRKjl#SOJbWx`r7^3C8IzorTOGAVE&sn)tL+uVqS5Ogz|nU{?-V)h~mm!)c%zE z&6^0ju81PFE}p-7!i1|CIc}4bmVHs5sAVZP0VxL({;x9yMmF69QxKkeL~UEMj-^g9 zG%|lz4YXAumDdUPRFs86&XKOhyW@{cAQITOpTz0>mlv*h-O;}IFXL0ZJJ22!!Q??e zlr&_Z9URT|x#`JI4@pMsxNb|4*Ck0H^mjXsIsuRLG}Ibs@nPr|cT_086o3>LSDr|C 
zBMKdWpoHIvdF`qz)T>~rbZ2;zY<=X>c7;z7F!>C#l_Y&q)&%ORJhinaAInu{ikq+f zx~#>I<A$Amk-}Tt#Qr$w{K~0)YG~4yR*cTrf(^Ob;6 zFu>MgU&*)5>&npiq$;+WS5C?sT8iqh<1#qiB;K--ehw^WYEFAvHOFZjTq@|kVDpGS z#mTfMm!)uJ)77De+^D-M1{u$t&qy1TR6|U8 zlI7CTW?#e8b+F&UsVRiMC~)VeqV4Y`AYs6ZAQE}CBmkX_gDJ|=`7$7NVYxE2h*IaA zO4N|*Tu#Ao7MEr|7zL$cW=jyQ0>=GTGQ@RhBFFWyw}`7N-g#c~VsK+9eqFmsql|?~ zG%{k;{h))xg{SBvO!68DOjCstjn94V1WE6NMbVfeyOX2yI&8w|IA#Ce&hp!KqB3hIgh%y!KgGoSl;41Rjgu72*J(thv&rF!v z1K{BT9JSk`oUba0#9$jWcj0kG4ac(ut0=O+y$2!>MhEI^jjMW&Rc`sr6CS7l&u;9? z=klsGn*RG}ie0sbIfJ_+_C4wdKkm{oQ-TV^b+t+5-N+~I+(%j2)x9+nXt&scrR!gl z>IPZl?*aue9ARX5FuAcR0*7@D+h28$$Hv&%N#d+7!_jG*$#`rGy3glufRs@6%CSAg z8i22gV9~O}7A+U|{il%LPhl==Se1v%V%#~ax|bZU}(_tW&^-1XliFyleC<^vX_$zZ|MR4g&|GwV`HMrH6YT~sBip8R#TY#|!x(Sr z>N^!F?0H3J$&#_7KQxCV|3i&XBCq~A-!s{WxjGyf#<(#w(g?r0g~=qf4D~{3?2O2+ zz(+>QWK_ZNl7JRBeQG0^1tV2^NjYt3Zk9q)g-5+O4tAbzYromG;p)semSqSL20f1* z;5u=Seio4SBg1ViPJUV-m<0zF$k70>c5$Al&1nMq$OG~Wn18akAkoBpp?>4RPd7m4*|kSurSKZH+-`HP?{q{FR1D3i3VGxM>Yt#Re=UJ0beL8u&M_h(Ms8&`e&ZanZaME2RT5z{*14B8W zh+^iDvTl(8(_<;sjF=AjcXhe)Gtder1bYOSrWNdVLIpyiH37UxtS@;(QreLmw0M=xEU z3e~z}+j0CLjN?&CB)Ja6=WFCB+;y}M`kO;(#Av=B|29I=^yjrsFx>GIzo0{MNZ|ge zl$__tCwzCDIU?7OR%~J5pIKjZ@yOpgNnq>R@)Zf|ko4I=g?L%{Rn^)#iD;wIVJ<<) zwWUTbPa-fzsDK6xLPK?R5PGX7q}KrAupe$r`$DQ|c<$H?qWwP8R5T;|%zLky; zRh!KIsjVxR6pc=8KK?v$UqmZJug0O&{MT(mK_G9#8e^J|d@xg{DjQqt6AzrRKAu{Q z%tmvMh@Me>Bj9i~_ghvF=~K%T+Q&gCy*kz1Jt3bM1H#58h9~Q=@6eX{$ZrQ3n+o z*{9=T$MVpJqA(`^#n)9tE+yVl;8d5utTg{pDb6A`mb*es<_-DcgJTZH4xRXRj`1iE zz3&0YyVR<(AMY85WH#VQ?m~5U6FHDI$)>zobr4&Zt19d2UGBeF1aD^_=B-i8~g#Y*EK81Sl8 zV8qT^T;`cwQ0AjZe*NnC)dI%e8{TN*mT5!;%s0rpl0YyX zcA(ZP&7^cA+@WYhBjaia6>=NnA|%$v6)1Z>>{%1=);gf8K1g+UR{4NvKF4;5pXEzdIhc-aa26Xa$(8XaJsS>ZE7QcgahkVrZ5 zUw;JMuwGNV?NXyp5l4}8CKc)E`eG4jthaT1{kxy_+PGCD9L#)Y)27nY(F6sr*b6Ey z*peF6b@RZ7HOP4$94n-i6`t9$H8F#$N*)J)A5ei9BN|Hd0Y^p-;d-cIf^AbR$py;D~Is97qBwBfy!oA(@rrg*hY1*FG4Gf8=fkRUi z^8OjHIu8WB$9oXAVrkC?u@V@vlCf+5c1AsALwFg4A%y7{MY>%-o!_gs=!&=uNWEbR 
zpiY7eU;o~>zy0Pg5$RI5sS625Ns|UB#Pb+|9-sB5Dewg4w@(_N3r!~;0zKZ!+dH>e z5l>Ct0jgdj!yp=tj45Dyx4EsL=+xo$#e)LZKqF!$LMvy%9dzu_`+3<(`=FLht&s(Qk#te1HcWEoc7uW-*xJU z9O>_C{1)B0!KR)|E(#>impK?3B-_@^RD(h|d?0mlJZ1(u0gNlHsb=*tsR>Cwr$QZz ze;&KgIEm#dh?Xn(aTOY^)n`)pcYrA5_@d*{_#ajpJYHnt(;5_&IA|$Ln6Pwhgd+_g zH%B=(V5ajT)S_Z0E+oUI)V+;5Or!G0^kB`Ph;roWl2rwTm-z~A+szgxW>J}ULjP_^}`H>Y0xc3SgU?YC=axzUD_(2O~5H&|TZmy5^< z_h5C7M*936O4TQY%~W|hUN?8^5bfM#K*^@yl+lOT^vXKx`G%N>BkIr*QW5^9MfF#` z6sKW>=*RJd#ACOx)km8QQ>I5#AT76or>GS;spH4q=ly+gQJS&$4Z?!KSSMRV8CONe z$RhzVR~u)RxIgws5=jx_N)~}#DItN}61snHsSz06r=1S1+QU*WKULn(ci_%VviuL3 zEGS{2gpUm2Db zbXWxBTr57?1&MBfmDmoe_-=yce!zsO(2gdzP3YGKtuFYy zLqNZijNF0jU-W~!v9~L)PKht_pgeemCvMY8Ox=~jftJRR=y_x6P@J+*9)cKcr0+u; zXUTX-PrSB+v^F#2zZNLd$r^oj7h=&y>~5CU>2f5 z&#PJ+EkWbbf_{(#c)mk1O%wODIelIik(4R|hg<>&AV8TYkp(6myO68kx$p}cOdu9q zdo=ME)C*7L(2@Pt*>3Lq2i02z=eMvMu)m6o?>abD6kYK??TJ)`4(H_ z7yOVeItI9ILbtX0q?g{&6&}sI3|9g-K@)l7`p$6Yuy2aHGz5PSF-0GVENq5yJVR}gbqg1#5-6IKR@!sOM|I<8GV?_FI+% zuT*MgN7THiC9HLp>tT`-rpbR?qbR|Vg7a?vTchBc7p43SOq!IlLaFH2*cn+!*;^>= z8vhB&EnkLrb|K(g3Z9hN=2IIz2MM)_b!_e}mH?OJ&SWaHqVZ)2vz3kFDo|mDkWP8T zrUy!Aj#gu1ve=?Bi z+~5vhKM%vKOT}&IG69YhLUdOVK9I2v&+s8)I9LL1AKHii@-8ofywgsE0nla$(nyuKS#EVm4pREd?8aEt}_I%$*C+&&zEGq7z9q>i4BW_M<+#g5)Ipq5^%5 zk7L9OLQk4*R%T9?+%WrzTFQ`egZ~{vpna!$Z+crOTFx`#d;yH&v2eX#9h-U)m68z) za1Q0PLIhMHxBQik#$Ux`6fjaLq!!IG=abya+A;;Vk0H%cn^l7XyJRzIB72Ku_om-w zZCKcPQYV{V@G>;g__^0Pbd|&2PC?^2*A8GRc>7WuOM%+D-_vYw(!rQ$QsAnvrIvP_ zKTYrn&_DRI1D`)x3s+@0E*<^%KKo>LQwEoG^WiFYE`VhP@eVPBR~0N>p?o*gg}_P0 zo-k!Jkn}6kC?63p5)Soh2d70E^6>Y$zua7YSw+CRYyl6mfXDtVegX0G@Nvf8Zo9L% z_UvcW>FmnnW9r7+EqysPrJ59QXMQ!M8AieOkczUBvl1NOOXw7fb#vQ2oN_ze0#pa3 z!z=t;@Ly1fQg-f8dg1alZe>Wi0oJ>(<_%$LIP;X8HWjxh(y1rAx*9aoI1YrhA0>71 z!ii|@GZpzwy5%w(WLAM&cLLlsOWu8lcDXLdr$C^X$6Xg}26Jj9ezZ_(KYVGquXkHsBW+my`6% zTNgekH(xRZxFXs)KOp$^9AwM_|7_ky&tHm?8i~7EJrTThYRgjkh?@xt9PkQpS2^02 z@3`a83I7iA2EJK1-Dh-pjmVyX+Bt}eFD(i0BbtcofMIxwKRtfwhA7{kbkV(fFN)bZ ze%GmjHLf?4bO1LQfIBx@>J+EI%%>k-{*a(vW?){vH#xcb_^Ex{fgRZGJGlN`p?&-g 
z?K(6NgsqUlhlwsL*?N@dw9ro*f3khhUlx$_MxblI&?x@UEbvmpCzcV-$f^2&80s}F z2Ds!?_2H|X8a!hZJ)M#Jp1_QO*l*DLNpHuwVt-T-k^~3D{)pW&$|W%LsWP^U+edan zvwNwl!6;En05|tCca$U*4t6XB6j6~1GQ#}3YL=Df$;p$(;0* zT@ap=Ckk;|NFovEny!D!ptcsYQTFA&mPi7SIAOEnqRJe(>T}nIp6-SsF9SthmOM@r zobYG>G|vrK6wv{Pg1Z_6OUx6))s(L9YBK^}OrHZrJ!a+?SiOB$Zc!%yMew+oy|&Wl zQZ@*Hqj3;;&=&x&w2OenAV!T$qXtDz2BEj9hLp_9|5^iZDg;z+8&x%q-q%rWq7-*x z0b4q`J96@RGw>=CR28c1E?XP{pP$kCtYMS#QAouFJ&w3L;t;z=p}mpM%l#3C4SlDpz{Vzku=hxUI*Z~DzujXhbpWblv44V5Mcw(NYSvy`qcH6XqN44U({ie zJ#C^`iSvSyk3VH?#HmP$8bbMtUBJ<%0ArckclW;Lww49UI?s10hHq4$#Ihk^p9<^n zgy}d+0tFOd_`XzuQF{khe@9hLVVMYbL}=KlRdu<-TidjL=2u|Vi_QM#bj8oJt{T~b zeJg>*pi53Er1nB9??50KTb@kCMv=Maui&hw?ak5k?dIj|N$II$W7<%O>T5xH1QvhT z*415VptlNpQR?Uum|OvHBfOFMEZCzzsk2WDS>$>EeVcP>b(+^%jUSu!)^N0rhcn6& z5|FG`D3Lnkuxha?EVIC?wk5ZiTSGGJldh{=RiLuvtjzORtEOMhK`YUer&M`Q#pz1p zg!kq}ad=7WRBuVhiExF3ay>J5 zJ#OlR;%}RVbMcUa9i52IpZ7^zhp6wy=f8=QbA~#x&o)mSJF0MZshaCQp(i~P)MKw?ga{i;uin?Xem1IWI-P6U_4>ZxccyRn)qk7LYo6A=eI7R{yGa8Cdr)DQ+p6bb2{!C;IDf3iD)%*gVN?&TS4fDbl{*NC9e&49Nh?O&1+BBbMZ zPzr6ZYqL|iY=Z8T&*Zui-01O(mQC|n0p}*2R+Rwh5qB;@J<5+;)*S+e4CG0_ViqbE zPE=6Thy$w*LSx(uBMKMB_$YP-)j}$CFNI~y90D?mGk#f0I|Ekt7Ix+i8F&b~Gb8-@ zDQ!O|D+OvhAn3=H&f2utEsb!RGOJ)@t0d+y#&s^Tt-=`oz-UD;4`)-CPG|3Z@TfB} z6U59|w+#S6(UASW749``kT-Hr3uO4!fV@_a1BD=`=pFFBDYMFpe$@&j2nBq2t`U3A zC1@_f8*ePS+&+Dp>Eg!~7U`0u$TgIrc<>@@mswkm-7_gi8M-mHnbs5q5Cb?;suF*v z*ccR4{H3&ar+?=rph)Ruy)OZt1VOgwop7SzhgkdJ`4TcX;HWTi?1AXfpADU=%s3Eo z-W+XJSdwWW9_*kKi2&34Q!qdi9v1N?9>S>cYa2kn8=Dz9EOvA)KRs2xh8aAgnVjGk zg-!u!Wm=%hr(fIU(lq?j{=9`oI}m|J&n;5DYENbX!V?TWc&!O_M7ks zzNEVF*#2>iWBvh-`N1VkYB*euPId~(V{p6WVZ6|@jX49FhEIvLVD;Z@gdOMOtu|_Fj+Sj&KKrFJcMV z>0k`GAWFV_V>Eix0atpb)99SwAlIOS?q#(?sb7Ede&)gAihaNa_4B{e5FsL--XZVb zV9LL9ZXs!FLAyrz?Ul}mY{m>$oYhekHu-1Xill$g#WQSB9sF@=m(Hep{U-HvVy zO!uisM6$XSHkoj}cg~}E?IdA;PYmLREo%=q3czqz6^4g4Y&(B^avfaJO%05sL`KJf zwr)b9MI@l`>UGEv2)+mduc<4gw@@Je9#^zvFpyUz0x*i-u_eWuDDrVudCIZOa5~YKj_JvTu-v)0fFAUlDOnSm-A!_N 
zmg`vP4ga2Ady~he^kU)Iq!d*#;ZaJT@5p05l_+an?BrDJ1h%Yms%;J*G@Z1J)IZlY zZ}pb+B%k!#o^P*u$Z>EG7>wW)HW8zHEI*EN&Ex2hITX{n#$u4MmnfD^AueKSLwUqWRSd;U#fS%Sf z?_!BCYn2L92B+|}RZrq&oKvw&rEw%*8n2~f8GS_dQ#;1FV!0{p-{7XHbAzp+v<6dL zX37cuQnErR{n4~Uv?n^Z_^jmtgFJkzv*HMGelGy}W$OSZ{^U=NlS56hY~P>!*I8wP zESsBB?(@Jto^yC#+h78xlvA4Ul(uVPBs&hs&B0wE>4GHLcq8u=8oarA))-=E)8{ck zLs3Qpe9p`N)w1c&Gx?A+$AJjB|Z_TQ&gVLan z3E(h~MJB%DK}ql=#%B13Y)u{y`6hyhtd>3TAlrV7eCoD{k{N~^-7Wvk<`B6e6x@%b z5QVOZePe%M|E`*=PrJ+CSEa|0pJ410WG>}X(gY4EBuY4sJt?BK7*+?w^Y?cmOf;LC!O_^Zc6b1l(JTGFa;#^Z1El zTBt~Y{WUe~AlD01f*3kaQ+J%WcEW}0CN37vmOk$8{&_itkUt+xojJKMc5`M0+TXI8 zT(F3pUgVG`Ci=d3qL4-*D46yVOJRZjKj||u(yw)#+-I#IWu&ev}Sb%@w{WD zF>p$o!N?trmXDz(vz?@rtVj(e1se+rE%+*DK zec=5mAjJFEoIcagAc-kAL%-wPtzq|yDZ8*Rfz3mL3boVgB+!oZy%3RHjqjtxQ}OTh zK4BTUvmGd1)=*&8&s?BZ^nf62mp%YPAdyW5G}6{jfkc#S>JY*4Nd|?#HSfo?{&H)V zEvN#VWU;#~K6`}-o4-_%8)Uu<&|NHFEe+vu%mI{eV?ooX`| zpbD=5VQ$ro4I9vjoBSrQGP~V};kgq7(Z12cOR|;#R#x86l*p&8eZ&Ek@h;?_^7%M@ z!cM~I0sPs<$Q<)$^cTaI-dvW0z{rLIjQX$wrfZ@5DWF4T{C-o&=@&!moN14SWRPWI zuCk&Qo>U#jE`FRWT28(*SNBLwW^4!w-S!Nqcl8Uh?z9{PHiE$=xa-`5XtB9E^c>C1 zYW=twN&z^2zF%xglRH8dUcBv$F#Mw`3i5a@*GlHAQV?kOh{PSuC_sMYy5=ek@}%KYtsF-c}Xzq%uNaa(+lCg{Je@&_Tk(Mq6nX@C7~M)E`^}o6eB* z`h3i4AJRL~8-iiM#)aF0%Q80rOUwp|=GLlY9)&ZaTq<(#f^r9j1d#dsoz`&~D)^Uc zuc+LH8sF@K-EVk3>4}SsP2q$5*W(RC!2Xyl8KeqM#`jE7@FX86dZM`+=?N?E{B0dDIPEX38ofe z2xyL0#^$2W*+rLd(S|OAx_Gr0hCR0qF<&3z^s}SY%e|K7ONr;@(6}@^>{{UMq=eu| z!BKsq`kNKOUN^bF%MN5?ha2JFNlDL>=CXkTr0l?qXM+*1SBB9$3Ks0F6+AnJ!Hg## zc!6!dOe*YDeja?n;OS2HW8@^gj`<+oT~W099?3U;cE2!B0m2CR?<=et!sgoA>;9iX zl97tEap=1j7_eSg=<^N2`M-d0Ik6m50B~4ezw?6vW*j~1jZjY_Nu2s*>@=bt5IX>C z^O^W$Pk{qHi{Qf|M&#cvX%EQ%`F2U+5?d~6HH;T?B z&g=a?dULI^L1iq`9^{a<%W+m?FA8w>UIq&#?`D}g(lIz^Iu+?a7J}7@KM`o-N>7JS zNjl)srcsKk zpCmv0!q4v|emEvO`^Tb1xtw$LdA@B`2ee-NVJL4b!I$Q_XHg4PNz=}!pp^^>NF zK9+i8KK7mX83e->FOp%Yzo@jH%K&Yi`QA9CC?>FwQ+W!hW_Y7(+wxeeG#DZwPC)_PGAMt(BQXeV2*aXwv=FUK~mDeV)+{* zuE;EaUl()`O!B6+&=&7cbsa{MIa=d5iBf8$?GV8fUnyZvTTn?^WSmREXy24KJ6~J@ 
z5z&at+%<|DfV*$2z_j>8mJGFB=2jZm1Y=j)L`VIY7Fr;Aj`4;$F(a!=#mAldd7L}h zH9zqVXzLK7hBJ=uWRi{HarzxngL+2NllxRiImRPlQX*>~QZ7sR@Ez*3jtpWsynck7 z%A!7|i#@||{E^kln9dxm{s_fcj|Sd1fof8aiWG@NZ~G-e!p%0W498eJwp^*hAliK# zd0ytgaHk4Q4;{0PDpW@~zE#lw-eTEU%tR}xVS9<37r=w( zLW=oJ&Suf?+BD_?>S=35YbY4`B3^3k5q^Gx0h@h3g*N_*vEazlMyW$4K>tmtgy`QX zUk@5!tbb2R2cuAzT?;`9Kf*!&XEex!8$gP&Pp()6xV(?VVq3h=V~jKYE|)cbco(fi z{TAIEi8|m80U8aPG%kvcDa+)N*U$sQHESOFz4|Vd@4Qy98{|He>e4BgogtCsqxa7r zc@|^I)TGMpV(CYFFx@yhIwIhdgZy2f?YPxB!=ruN>`9pUc1P^{Z?y6};=JI{I6W&} z2J+g@e{7zC(1XQxAiiPw37#4vx?NQki1|u+(e;EWEqejZi+`DlwbM$c`tclvTCS^g z?$=LvfZq8u*O^1yDunkb-lA>aYyTX%)Q6Eree{85fI#h#n;o}fsgJqPpPLLQh8rDS zqEV-frKVCeX|v` zi1$u*I>uN<@IGeh>;!2^K+?iDN;;rs^9kQFK00%z8K`FOXOFrB+#`{(70t-7MA^Y3 z?%*pijM>GQQ~eBjR-dK?q`8jM44)UfG4f@l;!rz8vRcNe;aSJ?W%A6sAv{+@%ObbV z2(wJd-KGq>l71DF;sT7@wGmY#-v4ufY&09wsiVp6HSXFEaUy4kC3a20U?~@kK174? z0JIhCrhu_zZ88oRl2;aKv>=uB`_z1bUmx^Tg2kJ}$DKZ%Qs*A7>QaUtvf;hYg*LxX zb{DP3#oAj*tA2P*t}(dOV*BU0R_)>b9*Jh$NU^QjTwb7J>8)hB#AJ`(2C_{=ZbDnNypl5Zy#94y$e=k+%?Lh@26kdS(rA7q1#qpARA~4m~W9tU~1F z5}0&p=~m5?B5C(5L0yFWYC^x+%one6DzPzzZo7rPnV)k7Ec)V#G;hK8tJ40F@nR8f z?HIUy=|(wishB+Y1<{bdgg$;@p^rNcag^d9tRoo>fs2-Lij+S=)Y@PhDK z*31aVS2gbEB)W`JvdoawC3zxWaIHR?L4_AAGs<3JKeKpIXeD=Bz(-&TP@oAJwT~n( z4!>52{i$E*Q>Yu8))oVzFPO5(+-AoZdd~%ws%f(PD}?=7GKj(LmbIN+&Y9Vewatlb zHiIaDc3oF}=^E1_BeGC4zGjYg^D?5UAdnY+V=FzMLD=wgJBLz*nB1xE#uyL%3#7H3 z1?%KdM1ROnv=@O)csjLKY&yJmgSAZ*U4zDL^9ySL+d1ws^89#Cs)%Km5}4Lg_8zEt zeni@8Tr79@`pYFAom|O^*SsIaqP&-W0$75i- zl5FeQ8Om)!typl6g$c3RX$A@$TX~bf$D4G@w6wn3lx4Uk0Uda{PO(W1f){r4SxGtp z86ziaV;dFLDDEjr*yHnuFpBvnga*l36rVo9wU`|Hi}_8whD&x}6D(AkGA0W&QNCj% zD~~QB*UP$1i@1V)xBU={zX5SW6mVUq71fM({~R#2bd2}%!*5K=?bHA*i==F`gt++Hl8urNJB@GhSGt{Mq!wnYstR^4Ri}0U>3N+ z3s^GQ$wRz`UzXUcr=B*FI8Wr;`u^U3<}dN16XxUKQG3}>O9ta-+)=0sZY4ua9!dVK zttfqMl`V@KG463z;!A(aT5(ZC&TFer{$!kw z=*Y#-nW8B~mR>IYf<0N7V<}ud$?6!gD@O6wS2F z@)&M9w|xW06$uYu%ouNx6*>`72;-F;W|CqF+xZ8bFwx!;M;tTF$CMm7D(R6PP#hO; zgddd3AG-&f=a^)Y31*6mqMT>uO_`V~5pJp=q?2zHYxXOTM_Q0PUgp}BXsR#ujNyU@ 
zz~gaQoF!8%!T2GyxAY3D{OHFsOM0MXIxqa?tZ=)tLiK2{qBFB(F$mkyyc~Y>-f4A3 zyeU%k9tu)d>q0eS%m8DX&Z%uw_azTQmOM~Ft-;Hghe0GCussmokW6N`tnK{j7#qrX z0pnc@Yl00B=IhL*0F6H)gza$5492H(%r@+ZM*c+X%IU!=2SavlKm$;X?Ya`YA7!mP zJpk-}w%3=M@q1EZZi`u2IdM_FwXnBj_xvm$3}~D(FR#xcNGeQoN<0K8xw^kZp9P6S z{`Z{cq$rJNS!06I^-3J0#cR9)mK$gU3+|nRgxj7-M&x`&j(L?WJ?@N)0OABE!PC43 zg~5;R5Uxa9}o zoHHQQP|Obv)!Vl-@Ww(1vjcR!PW*2G~dwv=`dC1{Kb++-ga$_4RAbyDA=iqXJR zO0hRgAB2!(w zWXg3fOk>v{oKCV1S%!PAK~8zkg6Z;r$bAWT(hGI2GMsMtIMNiym;GrfIfdZpltjnhlX zCw)PdPivH^cB7C?E(RLQ?Xe@vpolD+%MdIw4wPeA49?eLHZ5VkT&AB~1U0F8K4qHk z4J6!Hw!l*1c2$*2Dz4Bvvr@@|5*}=V6^#Np9#Qt6Nmr$#zLJaF;a^PdRw} z_;yoNC&)FBY=^}QQRYPt`9WCjIe7aX03-9~;<2d%Oxi3&2HvjfsxM~XDWu+nx?Vw$GXKUJ6Zk$hfHn-9VwGSr5PJzJRVP}yN2G%qgXf)Z9wF@_-xL>l9EXd%Y z!@)ikydZ4L#hWR5O4F5gm#%ogwoX{_K;8Ak@JMNc0G34ZLC9hG3MIs{Ox)xW^XDv% zJS@4cR^qS(JQW(Wyh$FJw~3Ki4v>*B&8HhdF|1s|Q}q;sizxauenhSUWA)U7?QbS3 z78cnuXk1VnW{U#m{FoH65CX%pvf@tj)W&lPqY{50THg~FGHs!M&uJtFTd3ZXpF}*w z;a%){3K%4+m_EBi=?6DP3NoPPi=N8gemK9x^J@N5Jags!HVx<$QZC6>qmba35d0mFnoFDP%^opV4v|kzF;MG6ZX;PRcJ{IRQ<<1*v?6O4b`C&BhB>2zWk3 zG{7ln7GFf4f`PGKv8dJTqpAChAz(SY*JvSM(85j!%nwy_BWuo+j$Ad8h098f;>umA z?Z%BCko2Bv>e}h+*28YqeZw_@_$^EgcMfp&Yi^6xRTzC^!EVOihC6{?g*F1-<_ID- zoy8}bjc+_vquCy2rx0fQ`eMIWzuQ>9znHMUn6ST?u=`=cmI>~vfx%M9n<%_qL6%Aa z0Dq-c>%t8;vAbds8B&W}lY+mb%4F8sNYbi^y52?TAn2&R6jGOWEWL_1SJ1$&@I&R2 zpB(MJjCL0NWUZ97?=y|1J>UvSYtDqQ_JGS+t(gi#t&s@3s;50=)7%hC^$J<426<;t zGTdWMT4+|RmduGv9+9AIQK5yEt=$l#oexZhuBN`Ih6FJgsT#JOi^VpSOOkuj9%XQJ zHieZN0>Sl|aRM&g$SG|Tyg#2KR(w1|>vpw5F+79vVD2KN-ayt#$wNQ9h&~s8S^V&F zy~MlLMb^&Z;?&3Ey>RmnF-*D6Gl+^F%~xoFH*iJpu*U`Ph^Gbc3#zUX8tal#UL|Rg8(aSKXbm7kn z2$MZ7piI9149CJ}gdYn=WY0{)5oRp-j6E}bMoL?tX9(|NTL4nyM=74Rv4{uX?8l_XMLkAE+8S{CF}s}JUjXtnwFV*CNkd#Z`HPVQ!AvnL})J(Lw@Qs9LDVDbz9 z#iUikc-rCP$oO1GRk2}$n!+m*(*P%$lYVtif4&>@>yZfNvAaafPJ30X`!d!yZt}?r zYbC8bn@84_NTCMK7tU(~1=#yMyWZ5)*h1i(+RP#t$mBbYB1S$2eLfA1Jb)ums=hLM z&D;mM{C9negu*wJ;gh6J(bYfd1V5){D(f_*tECZ$2Sc-xaH{bohcwS)CKa;3T4PkG 
zHJmDHBO`-7x;eTx!-+?Eb+O%?mgtNv5wv5_uC6DxL8GeHC{z?XLA9qVhZ?9hq$;+f zf#A1hWR#;zeMb@d&a2D)K|d$=owfvj15~A3FdpP3-vqgl-{{NIg>YX?wIho4koyeu zTc0beG^oCrZPb+;yVXa$q!cad`z4)NvScb=VuK~>Ryw4t>NV86Y$_4akWN?G3Sej- zsAy*)-5WhhdNt8K$S-Uz#WO!;Mp`$+dWY&9Xes1XlKJ?D;I>lojOA)uEW@0aN08Fl zx$ly+T;iF?x3Y>5N?Y#w3I@g0eP&f*{qVu`f+&N;ft38Ypp=v1M{=(HSWUcVW3nuR zuLn=aHaJw5~e$`v4TsJ?P`q)NHRuF9(6pP4^7fkI8LM;9)KzsF%SBYfrFfp`nA zRtawZStV0fg5)2iPdtw}oUFbHm}v-K$Pe!P(BsSLG>)UVdY_9&8n$8a1r$z=kqzJ; z-*G^tLD2d6FK}VPfrVaNL=%Gc>bopo1b34KfV6P=$~R%h%Yhsg6wF6ScsSn zs(yIkk%sS zcXd@CFIuMs#O@8uUqJbF;|RT?_vwW_SWu_yI7D7$*kZJdo{%-&W3-}aLdki!#Yb1` zwDMO;F}(|@k!&YoutB#9NcBRf5^ph_xWcC3yQ1;dcT}Wf8=TAeywqS)zn}+pQ^v$y zxpzL+kv`=z^GozHR>P7v-_zCWVkN0-(~@_G`n&iEeYMvg4(VO#{oc`r9{b(z`tV}4 z*Bl%84lBRh|E~JG7_F|&%e@L@>J5510vKK!b#pW~lc_hV(A&^C+Q4R~{8q$jJk%SE zFv_^83VHa;n`X z85dcxoDG6~8wC3{2=;9d%-b_1FCSI6C-KWUqos`Nx>if2TTusFXi5I^z~*Hudf3d0 z4JQq3IB8(RNdp_0hc+`fv=YyTtx2XzdV>SFFR*L1Mh7w)3b?g+AW?lpE}4 z$W7O=(esekrNhcYAK`y*7@4?Ip%N3+%e2^X_P-l#=ozj9W|a#J{puJLxTi#KO5qU$ zpirLc(GAVpIyXb7!RfAzwJz-7=uUr;bmPEl7U>AOcLQc_fg!Tol4i2 zkpPa)n?bkN9e&q6`qn(i=f@}@HBV!NDtf)hU)+byUDPLu@K0ZU`&a+^Hy=NG(c>}DZ&DIp_?x?r!O=2IkG>E5 zyYE*o>0=ar57%P%apzGQEu!Fi3QF=lfO6Cue7Ab}xBvJ*mLx>-f5!g_L-K3<|Ktt+ z$6x;H*T4StU;e|dfBn~g`4#-b@&5CF`Ro7ttH1lp#eYBjtN(`o`g{7n_;2vb{~u6G z0|XQR000O8uz74)^=&a*!=nHIkqiX@I{+L2Y-C|@GcRy*Z**^CZ)`7fV`ybmU5TaX zk0ATsKYsf0-+%l}e*6@J*Ps6RbN(OfH$a-k=rK#-<`BVz{Mo3~Aee%Ce7k9Ip-q+FW;pX$7fBGkprR}~^ti4YrZtoTaDU8QBOaTgEoCvM0 z4Sp6}&KeAg)dIK$-r?rW+ktQkCyV+*@4n6H52SXdYsG5ba=wc3R`6Mh??=~6yLx;J zw?|fqz!szkha0qqLd)s4#OBD)A^FAVYkYn8_QB}i!^5aNM4i9Ap;avA<2^YaqK{LT z+n+)HO1*YEZ{2lo4Wj^g?D^isIE(Hwc4+~ULz2S%Z2-1n=k(ns7t7v* zd$aD%my_x3bUfNjmkZ(7YVvc1TrWmZs`L~M`^9okYnR%E8A!-U+V4Rqc6tYfoOK@# z`gQBR!O<@nPQgP0w&HJD@G$iUdVQ_sbh5$hj?Pf{d>sgziZfoTW0i+%@6La5Q3{Wb zb7!taGi+{}+@AZ(tTzraa-d@<_D1DytfiOd7DWm4mao)Dui+C}HuMDFs4n_O$yenT z1MGnSeP?!ef|4izhpE^;B~6oN8I@!GHlOxf;?u(ISMn)*@~^CO-==F#AT)>6`X>lZUSG!225q8Ab*tze9Bcjl;nQ|bh 
z_xnbld@%ZxKlx~fQ!IRA#P(}z<*~&P-CQ!mIm#7V#}vLD)ng?d@++}$qHD-vOwAZJ zBBX_TGd8BgQL^nRy_lw5;@dPPzIg@6eH6FdGL}HEycT)9Yn-LTX}K_dL4tNb5*Ba* zA&Su+#D{4}9&pH>FbJmZWYHp+ki4;)r8hlxi(p&kT=n}FUvA^xyhSL66Ockv>_nNe zs~RU)H59MfKe?*j*{UDeJgqbrKK8Obxjq||2AzctrbGTe=c+UiSx9URQ+kFAaZWL@Wfxf%F zy4OH1Zy6ktiv$Stq$Kp^xfRnoMvE@`u9gaARACK-Gpf+{$f>_Y0i?@M!~4hIAp$Hp z-)r%J1H|;0ar$)v14s{?aK!j7z&hhC=zV)w^BFGmaOjhJIf2P@iX$cF=e=2QoI&kF z%s~jY1Q5+!wG3l<4dUr!6a)p3USS-xJOF3x+_FnB6vHUk;0OnJdvH^5SU%mnK`#@w zM3NTSs4ZVo7ju{b0vo_z;V{-J4+)HW3!I9^9c_|8;?jf57=WeGp^Iq@S=pXoNQ703^u-J|PM$)FKMa9-4I&Im6pLwdfu~kA-F6Kde7>suN&O zz7^&X_kxBp{`4|+mRHyNjSL10-skS9NP_K9 z^!x8gCJWWCrNs-Dv`toA#HEs;*vi+XE89k&{B;@+lsyp7$f9A=eKx#KdlSUF0r3{5 zG!zsBy;9z+42A7xD9j>J=;v|pTumITS!UCpO7L4*B8$=z6C21qmY>M@U(^WKV*QFNm&wL0PR zCFq`k#z|)ipkt1BF2y$4cI|b4!FxDCF?roMJ}3>*jEd;br9g!*Ddrn)rw^DsDy)T>^dB z+rWJk2%D-Fc+&3M$M}^K$%-(n#RYo=RU(=(P@5dLOtS$HT&Am9##<0xAT^_zX2Ww+ zbzpDw#5f!=^UwlM^OMUsDjH%vkYyBauiwpW#}b}-}y5JD<>xF!(( z75Oa!dEskfHQ?8nUX*2)J`!u>FCg0P9&zVY3uM)XFaH9PDa){>h`d>UG5)u*gx=W`|;*h6iF^ zPmaq(Cwkq@^@n z!I-;bf$zqYUyV{KIqKA$5!>lhTc-7UUvQSdsZVSR3FFmj40YXTU^tJG30z6e@v`1m znpWnFte2bAc2Zpd|MZa#rb|CS z*5W`*RoIl!hgH~6kRz|65>@ZkDSpa_sobDpab-&6EfQMKm_Tu-D11>HOpxkw0jH{S zqqaYHIZCzVy520Un?Snc(rqKDmo`A<5q(5)y6fEhoVEqE-6rfN?m@3*5f5Gb94KRO zShrn`=foVL5b}>ekC;*>TN^f=4_!G9L2wVn*+s#~=UBkH!8qtXsMQ)!mBcCxC#Uo@fdb@NK(Wf;gI;&Y_RmAsxx(DT4ry@txRtm={H z5=rvZ*Y4NVN#drX$W*^7!_plLBI;QUg{e?_Vf&3xboBiWhP3VojxuuA#V(Yjcd&V< zgcuS3cY#7H&Cu#94;0dRxd{xw;VX#II}gzr+hFv|Gh8(hP>Y!KD~m^$l#a&-2vyfN z=~q0_!h5s`7C0G0X?t<}clOB_n!~ldB=(38n~fN!B46BE^Lp!fFOT%nLoILHX@FT` z|Nc?uk1^gyqk2zv1}#GWkQRmLjL=rrM+JjUwLgq~KjU#sPLkn2@yJajattSeG)+kMOkzZ&`_w`7D}fdhbi(n#N49f)%iyU7l}PQyYZca5>QvPCraURrIId!M?a`}yk3vPn_u zuW74yAi2$gpy)PyB=A%vTXW2M5_{~f6g4j`I3eSxUkW+DlPvGb#-tw8P;t{B-E5rX zF%ATaab-KvHA}ZPljStrvZJiJ7gLFnx5!uD)md|#(>=<>78T%i3;k@d$a9EaNrbh9 zA87kdpIX5y!6Ro#y{8X-MyAr0E|Hpc21X;q6VCa_MsS(&aMJ3s;Eh zy44`8a?xHZ0bQqkIe2J}L-Z_&3ffemIdyzBhdu&p2>dho?FO*1Ibbi7sTTk^I?o!A 
zh$K$k%ScSQIem)p{)S2~M8WDgedLToAvb$^LT{Z%@dNIdStpmy2!jt>>TzLBrW)B8dPH{>mURG-@lvnSI%>o?h3xvQ21Dzdn;%F^fZw}|qVPy$08>ypm zX^Z3g-!d2#w|V__(|(}{c-k8#qw7;)0pM73CpLw10~Rp)Y#)co*~s#U%8 zYZGaYS5_)@8Sqo|f&=m*FVLW@TrgXVl@CPg>v|KhCIml#FkQLJ%Ln!rM-t+01iWXkeK)PPYa?Rnr|OL_ zqOj5RW;c=gBu6%rSlzoVn3Us5;uv2d2ivT%|6VKSQyvMC_?Bl6d{)S~h7pbh3!l$T zwV91E9m^OIWR=@(H;d@U5DbD^5cyRZWnSMm1K~F7e$q8pNj$B~b{}^S9STE=zVEy{ zLHW39XNQK9P_U9tyt7l)5pS{}K1O|g^C?!lBG7X}?piQidERlgdB;PV*mrk;tbB_D zAI3{s0M+pc(zT{nKW-Cu)>xObIw&`*N~U!codM zEefi5$b$QnVfxQu7lt*n!ldu$cF|B5JONSpSeY|Fq<;Ai3pj$WU z#gvoe0*!*4VVz7_(@}~=DdoshonNh5Nq>|oaZ!LT)mL>`G2CTteX}EBFvECs%&F4M z8GrG4ZhaJ!UsA~C1q&ZJ;mQuJ4qqo(6u`H3z*Ty{$Whaxd^#}=e{rVvYB^4QTt+E` z>5H>=f;hb@P0n$8n}THFt!SsVB3@i3D$lBAKyrB&n>wW?-J&(8G%+rSauh5ufXN28 za4>>t0iAwNsqqV63Z>*JE!msT6;BF!2U_iE5Z zdNn9+)u4;CYEay%K@;iJptwv+c+(9xcE zO8u!*d&TR~WcuLtZizpG{xo{A=oBaoJ69V_IC*!9%()ED_LgTvc5Q9HT82vQJPF1>mru1vYbcvUHVV5>9X=7nrJ`)mjtP zSv!?Im^t$s;4Kcn;7qijQErRFiq%Ng>yi5vhCYtDeG@MjYeS^)9eN-TtxXqa!JO(Q z6vO0}4@zBT-)JQ1d#tB_1Uy(a9j19!mGhHnd}8npwfECWF4G>ntIm7Jn6=zUkL3V! 
zQZp9}E0#pinee;{;^2=BuEDe?UmN2st3l_{2HHmf3-zF1^x^Hg=aXL5 zpVR)Jtl{ki`-578@@=wyopXSKM=U=1O3>90sUtNjxZ&PD82yDiAFXZ?41Drpk#IUh z3U1J5zopH4g+aio-SWoKYDX{7;=%#)7n+8 z1k`M<&Ylz8P;{^JTj(Aots__6!!X7{z-XcvzaU?D(z|R}&PQk;LhmxA-WDIUN!M&S z-%Gr{fDi9^ZrglZ_>MNmY~D|9M*+3<>2BYm8HkLh;T_-O>16amtS`mzE8J`?-(e!C zyn`WpOK0!}25yQ4lc2KHv}PX1nPU(HkHC9w)A2zv$Yh?UHW7k(o+*LUfO#GlMu5o= zl)hw>iz#99oMPJX;z?9sA+7o^35DgHsluKp7(T19&8b!FW}^@k{)G`ViiI3nt#llF zWSt!PDwPn}mB&Psr4XJg+(v9=H0Y3CF?FbriK-1>blq;y+q4K#ZQ)~yM2@m%g=moN z`XU1oY^Q|QnW~X!Ae_3xrqZ(5{f+Wz_Wj=5Xa4sa$xtv^K2u_N8;t^Reh^0fx<^buLX6zEF}5zZyyu z(+Pz19(4=|HOp+uC`y@*TFI?`Rh86&169%kK@lodx{ILkj^Y zN4<1>;tQKcyk(fMLpzs$d;SlfgQB3BX?>ll#~1Kv-(ldT=tXS_m|3s2?xfDTNLy4A zDmF7TpR+l2CyN$OP&|d9Id*-J8EXtQqa?V>3@O?6uT&O6Ry5zOs8p4pIW;Ng#w~Iz z8$72KsWCH=Dlc(0NbERa&I4@0_AGKka1E|Q@$-Z)g*$BDlr$2%&2qyRHH-IM3P6%F zmq29@NecE2wy!g$iX1NE-QiLyH!*nKB;Dde82!c%O9E;qlCN<~HZ3K7+Y>zKV zcYgiWlI$gkrYEwnn765#N*oJWTI*Zi#UfY771F;$@`Kh&x;Dq$qz#kK{}; zO$}|UiSAejb595R$)LS~(rRuY6C1(|7g3yK9lGX`?K;ivO7P#-f3~L`a>lBIH#BMX zt#`WP>u=Y#oXF{+VFNfc-lhZBeK}8|scz_98D(V0RcCd~?7x*V>pCNa!1@PCrb&{~ zCI~v8=OjKvMY*#jw;Cy|{Ruan+a{B+Sh1Bk?N@td4^Y#Se)I1zUl|$H<#_7a{(z-xGa&`6eGxz)BTydAmjwSBoaqZy5%o^>59M zIAF=IS<|++^gTJ-u6E?LJ`+a8>@nJr$1FKdK3Rm82Ez-P2^%hjMWeVfv+r1)efukv zgttAj8}}784@-qFqHqQboZ_s@88O|+!?9YD{d%5F)?dI!-Rk-xyEa@cw!rP36bD((e1Qo+iO#f-)EV$Doi<1p!w zQm9vVmu0FGds9cQ$vdn0tb)>tO}Ci*p7z&E8_#_UlEhnG$i4*vw|H z0I6=1G@)PiTSZ-M;QVMZ;IB)~jq+Nw6e ztb0nEJ^d9~E{j_@c4-@X8>>QIwnwI&;(V6CFgG>Azv`i?!06!$N9;C{hu z0;eYu#AUk8qQik?^LS0N(6+$9lbrNuMNI34C+n7` z>b|hABMXCQFT;YBR%x-)^z}6MKt}BVh+%Alt|L`}#I?E{Xqhc-9z%nkWXxabk6;tG z>CJzgfFas7g@EC+wy}{a+Y}G!D-(r9@H$OWU9ExX+(s}lDz-emR|&0hboa8h>PIn4 zyORIY_Tevx<+~;NK5{By>jnEqs;+_PI~$mD=vF4`-0vxS*&Ygg7ZAgFwn*EoZn!nT zqj{5f1v74vvVWd=w=pZTcSTrhRlkP>=Wz1v;ZqZT<7TKm{*Et9e+M*XUH0?`D#NSi zswd7>bZ)b&JHVryt4WF=dp8!gFfCLzimV{DuN%eS@PMnJ*<6IGC;0c~Yx4#$n1$#}__3;g3xeMuGtIfh9dC%9nTM7Lz zE{>$hDGJ&HQ$f7ojPM|538!z(SeNdlKI1zwP6!{_ttN`5dTF5NV??kgk3niB`4lpwb3W&r>vLj6IU 
z#1Sn~8a?us5gvB*aCOr2-ntY=O8?4tdFRY5U>Gw$(uQ$wWhr29%5GL#co&xWyJJ_5 zCT>szX`lNeuYN)x8m3Cs(!OPhhnD3zSSU=bgX$OH5w<}KFhy4ID$ z#ZYWRg54@U*=)F+p3o<-EJrXF@n>H_Wo2cr_6G{_=8kFLjw7a>`DWt#!4I%zzK@?I zY$yp6t~?;vKS3lXzZUw3I8kq5Yhs^-reW1+z8PcnowQ!J z5XMC=lJA7u0Oo(3l9%8#iFaRPAk^iW>edEV+2Dfs!aQ5JV@zvt11>!a`Geun!(JE0 z=;F6VF+_u{+<*xoBp6jWpntO%xnlJ$9;YdLHg%lv6orXoB-vRe1?|Nvat^kB1D{x391v@d@6=yD*#+&zU1pW{~3}{(fj(Go{~4x#BkOKXY5H_ zo0=A}3F2LH_Gvk4TX4#dPJt6}q!}dsNlte60-0TUjnu19`b)a40qdq6)rOptANPzB z7<=;P{-q=(`M;#h;^1U`2}G__Nlen7{5| zYb|(}JF?cL?-_Hgx)*xLPth-^FYR*&={11|1rL7*GUi)e5IrwMQzKm5RJ=v1X&h^k zJ)V-EHWz#B%6zALor$i~RngU{|L5})fKCzZ*s^3-hQ$-HI{tJV$y&Q^)~Zfv-GuCG zyabZy?n-{^okAXlm_JZ~op&NMjBxeK_0li*`{=cGM9vwi3UaCFen^wB&5J^zFQLMj z_Gyp0SqcqU5&}@!ouk+m&`6879_BAC{I|F;l~3Q&?bn+mCs~!G0PmY=k~B<9Harxg zG$*0mFK~d?NBfg~{l;)4p>egtQ=^CKQor!ai+pyVSRYXe`F)vI$!Ni8ni2Mr!Kv-( zg6m$WDQJteG6&iy#h36FRnWh#xC4w6IB_Vt}9a%%v!<0_LcN%CVkJJjt;{#RRnokiy$0|p`F z{#X!0SDX{H8DZ-ByKznwg6J5}^Uq1%1i);-4RwSYP`+Fv_}^Ai%GKhnD;00=$b0QE zzumEXAMz07<|7r&`Az*!`z$%z$0G;cg}u=e4{~eyT%+awNGbQf=Hw~?yuD+l=Q>x< zwnfB!{>aYS3{Hse8A#E%ao2>K>eH;KqmZuIq_kZe4l!5|Y=%j8j&itpKSjSy>uk(x zN2d;EU-T`=V%_iwb9$~ww664;dGRR-zn7_Pr;Zx);fy+SeVcK&;lf{yI2U6%S*=%x zj?$f0YTVhWB$CB;9`9c5>b{}8 zM)k_m*80QTf$}l)G3xsGmIGCCKC_VQE-9ZtI04mslKFQ(ru$M_H)CwAL12I3Q{6_z z*6k^-AC>TV5&ZW?=WtzEsNTMLR8&gy`xsUstPwwKKh0OZb^5C#S#&{Z47@^Gg@bRA zy-&y$IPJOQt~oa*=J9I+Kg(lM=7b|``{-7>jDj!MMM@myiy&>J!!x6m37kuf7HWf0 z_Tg17#bUCnd_gNwlJV=@I{RFju>wZISYEpAyXn+ZCXD2rGkaaK`=oEje#=xDk%W-L z>yt1fdA^AbM@@cNgGdu+aLH5T`>FlCME@vmqm0%$1>wdWR_prlP`R0*gL(|2Qx(O< z10OM^>V6a$XFO1p;DA@d;RJDeyGb#d-h$&)XP>~Pqu|s4Wz#QS2i*$*oJp_jhouNJ zC?p;OJv@#E%NPw9J5~4aCDB)112-|E?nVQSxKq zQ~!1?ORn@}>d8MnCFO3OvmI?!PL8|kz@1IOO+AhqNTUsdOp()EyD?7JckyQ1p<5EVV<%w=T&c6n7m=o2yY>)L1iU73^qpig5o+7|U{ES8IZglWW-zXx>l}l;qG48S zx#d)!!*Y`$#8?r?Y-g(n7E^Yo3uWXeS2q~&2`j#P8O2M4qOD(D;Z=4tM^Y`3%|SDNVofo;bu7!7J;nK9z8?Twz4FcDf9N#V2P1 z*pINPFNc?4xBmG)0;lznNd1De2M8GkvEN%*N(j3X67`H(RP#`cd&S)$2wNwDTX|2I z;i?&AlV6N 
zAVKzPx=nzM@F#N%yZiX5KddioW|bl0_Uw*>ByjDA3H!=;rY^w<42WN4JCZfj0Gml> zm7P6F(=2)I%+F`C1F^(=Rtk*9w6>m<)3 zdayFb42ZeRbyZ<)=3k6NGeEC2JDotiGo>?#?aXDAH;L0VJ@dQb*JqAY^VCi_fKW<@ ztHtzLchqj&I;uV$%Vf2uS0@Nqte$NBu?Q0>NJGM>W;cfmSpijyYqcalTQ*R*T2}Xz z#zMFNV?dn0Qh(C)8NIQo7>?9a^mGFM-~2uXz^+K_sGD1^i(qyk^LR>EKMSg1BkwR8 z^jezxS`zax6EmBAw1=%rZ8Koo*ML@HYOdNmE=G&Ujs>{u_DAZab4$#Uc4MmYB!98| zt|-*zhnS~pddkZ3bWH{uf>W&3*$FDH_w@XIcr7fEoQBwfCai9;7f~kI=o$IDj4}{M z6a+M`EjK6bf7}5wwE4Z4J+r7r&@|;Q5;5TLuXGj;hVrVFNJUR8fY-I zM>oTXgvQuS45I&q6*cS_`=;*WzM61aS;am^S?i-jW&eu8Zb^!Bkl)2*Z>*?(KTkgS zB<6QBi(It2(1H|M1!}{>;L~u~rorvu) z8nKM@IOO9kyT?9uD@B!FX2r7B5$7#KFZ9zEOwR!k2gARNe?ct=vL3ncVs_O*bxPPQ z_uPT>RL*I$nuJG>BB^S5^gG+)^h0k88OJ7}DFHWlu{;)}--(ha&;fX=_6C8irTMys z3*1L5p#8?5`Rn9lRTt)V9kmJ#@*D);(4d{jD}CiVU>ZoYtyt;JRSlXw8KRFd1kQ6h z35VdU=sm9)$cm)SBQ4M3AUeTB*6R3Ij7In*e?z#NxMk+QCro7-VDtqHAMfE>H}+iV zP-OO&_QT!!j(id`uSdpGu2mpz90;$OA&Pr`aQmC$zek(LuG^%Xczp zqwlIzqsu7}!lq@G>!un1V}1^1Jnn-qkIoS-KFNus&^g*4Esu~NQq6-PTDHL`$o%H< zuH8If`k%4U?L!=9Z|tYN!yV*Fbxl1u_>*>cJ3c`E{QyB1Vn%ZDF-+-7Ul=>KN5&cT zl#3mx+6P@UKtH+HMLtBZ+}Oo&#upM5n0UMdn)yRF$yCrGAkbYwW3`+kj+rZ=1xUBo z`xH!3o!;0{m)iE&Zs1*%D7GgddjhQ10U0-@JTVGzMhvPa0lWQ50^DqRcI_+jl z>pm7EbdrnmDebeth=qHHH*otmSyfj`xI6^e3%#?a$?3EvS(IpAn}*-YNcEzhOz*LM zd)S!dGj33Tf*E@+OV=26P6Yh+cVss`23cO&c3C_V5zGJ+2}Rz4|O zPEHno+#NtcFEY_=MREx1wIHQ0Me?m)Vfl|J0gAGcwnG$McdSepEBjr^#MvG%z^l#b zqznY0FRzn4dgb73+Y_p>s<*xFN5TdTlL8D&{E|^J_a(z>4QIVgeS$IgwtV4UTYmYX zPfEE}farQ^>Ijn?L}yx{JXa#3_^Nkti{#4s9{|CH)&m#@7vlX%oc|;lq(L$e=pNK) zH3@9;i`Pl!*UOD_3Irme-R^WlkEhLzR=BjZACJ!5o~Tvu;UkQvK76tyIa^8e8)7HL zfxrB_-mj`}Wa)IJZ18^~UD`X#!5q6jTA4YvUDrCe5+#!n4wzMUSIZ^DmEUt9{hst} zrUysc-lWc0ihFuZWR&7g%o8Y%t!_6?F6wIlXSwSL%G>KBURp6n@4OMMa@Y}QQ9SpDMtGUb+rg0i8HAR05Sx))RGDyydb;Kc4g zEr+2Lp2sgq8Sj>KrH?N+l7Oy$C9YI{EPZ%6Zi4*(NqpOvUxA4j8C<#K&&Y`uHrd;1 zzo+e!^#QzxLifXZ`t8dzk5RHqu0YceHirU-2p=x|NcZOhtMeNIRa}$=CJPSkFxG)x zbmux@UMbv33Im+D;2_r>qSqX6sA`Gz*TEQG>i3n;2~0|Oyp;trpzdXTx6n1=Fm$rQ 
zh9R5J)*1N`B_$ih@lJi6r~#oG_uDPR4D6eNH08+k9W+wTcqI9du-ND*4-r4Gt>tmN zzDghD>Uit>dVnN9n4dxES+UxG^Lv|Kxq=0gPgjc$YYbt1K_hWXrN-|hWV2+@pM&mQ#5F96|WRPLf1aY-2|N1L)U!y=baz9a=p(`)%= z8DW&xWx%?%#D*c>Efx3I%x6Y-Xyz*JWS@h|g7RLz>0L>axTPP+E={7iu7U01b@1kcF3a3ft2y^xVqA(5`af)sv{u`~as@EByn?r7tZvGGfAV1a>d1Nb8(3`;Kj%#D0I=(6Xg`>D+-~)WZ>9`ZRwcZ)~VyK)0f95Jc?uWj!?mkD!&H zRlL>Wp*NItd<=X%1|a%@C~ez-y>h2AB~J%Xl+HHk%p%R!t>4zp1)62O6sOr_Z4&8b zW*?`TtMLKxB8ro&{VB16@wm#j^Hoz-(_l-Fx);vutF$smwwsmS!<`jY_`T*l&9qd* zeUpUWld_nV*}IFUHTY_TAM8HMYXJ+!{aA5rV=mYA?fN?CcFQ=Tr+MAt=!SS}5=N>U z)*Yxf>^;U#BkX;nI4^?J>1*^%eh{mEgU(1sk#gGVzc%DO>s^(Yiw*`Qc70XytZ~4CF6RyR~)k_GcqU>}Jt`CXiXolo1F#_>p$H|oq1#+k`x3#*3h`MqlN zyw&!6EZK=vWM6IF0@VRXUDW*aH&p!vEEnxosj`vB{5L>oR;Q9Xbr=5zBS6@sTfI&0 zOrkT*^PJRGD6+B8uBb+Qab=5CJ99qli=cR_x{K}PephI)G-Ay^<1a!I=mbzdn#~DO*(E{}PbS(0mM#t|i5< zOl{)j&)%;@QA)DjGK*iWQuSPS`loE+$BCl2o#C|~4><4(xDIQqSnwLo9M~v{R(jOR z=NV-hwwdN815$jWuEap*&I|gFTJqEeeFbmNZR_p3+^sIZJW(KvViN<1ZKEvurMP?j zv5ltuI?&jmbdji@%=~2A&B$>a4qe=M6so@@g}oy1%upPbX@KQEX_68|NBo^5rY2LC zRXd}%xXy&PFyM+(;-6LLho%p0l=QXcXf3IsC+Dilcw+)H0KjD^469JB0qav=ak7UX zwTj-&{oWK`FN1HE+T@r72#aJwSNN4V3bOEM9RWuQdkI_J$nM`jMliJNzcLi`E`VBG zGSX~rvR(3@acemWgrlg83JO6_*VCv(|A0X(tk7XT1zdW=idGLfAut@EE5^ zc}HfPgalO4##;mlDK7j%3mc(~!x-~*YzZSTPf{oR6JDvtIrs>~2|A!3I8oJXyLCj% zCbXr($@)SGT7@b__C`7!8xGJW_7NZA)JULR2bd^PQg%IZcj4NCNG2+%lY`<&!Z>bD zzKEM0#LUs8;hM7!-s#*HX2$KhcZn;@`g$esf&C*=HK;V@uL+FD1&LR5RlMnZ(XC^(-PJ*-AiU*eb{{c#6mK~-AB-H8@ zknnKmdA?V()GR)k$>7izeUGzKt1Gk0rIDFlb!X1#jAf|C7E)`^M@7;4_OT8?f;=M) zKtAn3H2b^1_Ztz=d6%%bWI>{qwRA88)7s1 zjM#p&Di5qMM8M*XF#$=%s|?{bw-uJ<)i$7TPt9=j)V34{4t*(vBRyMcGnpL;Mjq$8 z?Q&tWhGknJbnj~{@iY|irt;Es{(Bw#*9PAIGtQ(e`?vH#wJ3|`$pPTi$CKT$%0$lp zP)FKOUEp(!T9M_<*psb~{RWN@*Esd9^~dn$rm9B0|5)AnuxpU5mL&oGRw(aHV5><( z+*VKg-PBW@E0jW=;c5BZss@7@zmnd=s!E2W0ic_gAo)|nG0=l)H<*j|$;8}!u)r@U zrRo&zYmB-L0o6{Rc;tZ8-|iUXYbr9+nC_MEU1vCu`a>=Y&k>((7jMIvprd$Cm3(j- z#kM&rt~-%-{8YrOv}@jD(a`?Bv3719PSJOyd+=D&$hS|-9_8P08sRrPdjLmJ=Z7!8 z%6$rGv^invkE9>`1Lw8NLe>4WZ*#+Ro~x02yE*)kD1zeeoe!F 
z$HlSS#n}A0t}~U0P~Q<=V4Ov93O8n+d@RP=O8~6Bf4Y)qk@&EV(~D)^7o*RgGyEL4 z%<-xeOPDzv_?HR+$O{w|*fdJ$nJdKtABCiX39{=$_Ow3~w_p`+QsbTt<-e+FVsAk% z=F|R{P06B-zsIMiyudaq3}6J;Po&N%9sSPPpf4BouP7jm+tQzRBlheLrRPH%jxwXv ztJ-|ec#sC2$UQ#e1Rt(FFH`jkHgy+aPQDaQUQJYNPI~KKN+o4ry8I7F%J3CX@D4(! zfhAt!kmUr@k##6#=*)!iRq0;d^Mh9u-DklGMXU4c7*1BK#yT=~Z{=ViKJY$tFw7de zQn|IcpX=9Js)Odb83``$aT1eM)jrgOH5F~zZs#;C0 z{qrsEQWT!sP&NCY8wwa0`}b_bIXPvUw9VoJ)S5O$VO+=;b!C0TZ>w}3y~3C{`W2(M zZJO8wCXc3WqcMzLAu;BNx?8vQtG{H`)#niKogkE90ro(e2o8;_;f6ng{K&u^R>x_Q z09ZB6r3jB)p6NnIWwn=Lerh-cKAyg9$`rrMLa%~ANKhk}u|R2sHo$D9 z&gv*^Lm1tJjhp>B15?->+;FBKNwcK}W4!{1HS`}8>ueSS&o!gE6SD$xT9_z8bkY!Z zGUe>ecyUHyNgx5RjDtf;&S@N47uj^D{ZE74XAqISRUM+is3FVH>~=mWxo^Nk3F=ZG zJ6PMuD30f=%o|iMkd7Jpg!jpS8Qjf9f=H>+YvHjjlUAxe;~mB?JB&4?7!<=1vnQ%W zVQeeHFnMrNWMfg}z~)0;j)AX@25Nnu4gh5JWf{tsrGgbhw17`c{seKhYk96aVQRUg zD*)>F_IVjtROX=|Itj?=U(>Mccz(9;u;|obFu$BpMhCZwlNWWZONTSm@cXqYhFXpV z<67B3fK3CjxHee^Jlwn}g|d`4UCL~n`g=tiAFNGLrf907Iuig=3?sk-!@oGG$_kiz z-c1AmY1Q}xQm7^YS-k)(28G)-C8LvaZNa_{fZ2^Xk3psh7PUwx*! zdOqUT$*68$*fh}LIWPB2z-5gN71za6PUXd}ak-<(*W8hQn`T=RdROBTae$|7YA3f&1$fWTr&%i+6amqJ%?tmw!Vl_7-yIkqRM;l)Q` zX6k3GI-nVd>)<6iqZGE8rLug5p0;_j2U9Vmtb=zLXCxOm+y3QTnxfeJ$^#au$(35? 
z2hhdF2T}gj=IfubWjuEhryDN#;p&Pi%1Lp=(9(j3-}X`*uvKw3(&{krS2|<(j?yZC z*;bi{wXtA|Ha{FP@QFfu(B;?xH3DVOSz4(#2drg?(!7+6ZfQqSK}VR%2ujeq2IWEn z@6PB@)CfV_l2&InBzPwaqH~pat=*nS5ZoeRa8nHZ;-W@&S6^aH*(@A3xGQgo(yJB& zQx)JNf-?SvFIgI>B}zjCU^&-oSjLk`{<9Os(&13v&x1N_)LT_uJkWH_^wQ-PQ%stBiJRBUrk0l%Kfu z-`Nmz{#`nvcAz&*YJB$(HGa!KcG|D2kBm;~Dte9b;>=j6)!{XtWrOo^wXqUDD&-)Q zfDG5>_jLOLzm-bFlm_c zYFKCGSXDq%@;5aZu^MFivQ)zz?Js|j{;~q+Hf0+=DTvf1xMrN?6r9Q>ZmIQQRrz8% zWwro}P*hDWY_Ksnk1TlK$KWwxZCx=QOC#*fqLxu((V*?AIjQrcLF2b~6kcju z_&^nf2_(l>R^sjO;<2FJ<%;KF4EZ@68TOWViQU5m9@g@t7kIGh*TXHqes zJFM<;sLbw>^`3&fcu4VEx?66#&jN!XN6Y?PQ7m=ko@+M~2-vNX>0NQWJskkD>C-2( zS+ldjXFVxuv(=3hP}XrOx)gV?x{;kcsT6P9KozE(T6zpxN2z=jq8h?}T@Ww_3Z>(I(vGE-E?-HQ0(x%BNX(#w zimv|~B?(QBpZM0@R;Uj@mFsDCu%A3*c%x2_JU^^;nYtzx0N}2E(@~n!=l|z^XR(SK zGmc~_aDooFhz0UmH_~#miD)10Sx_MRH1`Wn1=7K{G{Z>(@X4MQMf7VQA(#O%+-*_> zhT4{jhyckLVP6|SwO%RP7*BO0OLiQ<>!Rqgv zP5RA7#J_|g$*Rwnq>0Hhu%f#qNKPfI81fPR*S85ObOku=^?$+qz;IvAekHLHv= zd*kA&w?Z;R>P)%TU#v~aHmU`gq0DLtzuUtyNx^2kuX=W;F<0D0q5aV!n|~eg2{Exl zyQ?};<|ck8QT`veY%+6^hT?VQx&ErS3^vmxC)EzWW+iX4#4qeF3CdULf`sKPNanN< z(Nwii-R+5FDv${1N}zng$y3Mhyw%V`&{B_*%R15pB;TH&5v}ERD7=OVYF2aVANdwL zcm|p$FB-6=?VIt{ueX5RmxuHCef#{JD*}hj4SpI_8rn;*PA3$R_7>3!2WrX7Q|Y0h zn&M5<7(3pF1V1rJ59k8bF1EUms59W?4#mpJSPO+iWgb@F-p_G4p=#OC;7b8V)){1n zAdPx%iZA#GkXgCeC$aBQWC| z7w=)U^yc2GWUD-&YkQ-_p`iTT818_^o7J9mB$h83iSTyESX}sv0=c$nLe6U!PG2)N z{--VZI=EJ7Xr-s#2r8Wkc*_t+$a}Loke@KMNf2_tBv)?m_W7P96}x-UX^|Qev9ZN5B+J4 zVK}VhBAqzXlh0P3jqt6T?EPZ(&M}7_DhxoUQU){6FH=18+9anOZNu<#4pe0^)FDgL zhT!?{eUQJba=5%p(rTvaqBz5BZ z#MJArYt>4&olDB-+)i-$G_lnc{=r*-PKJNYEjTPO>~}#2weNeBonq1xX-WXA?;M8{ z*+NfuTCVmK2KmU)IhVa3w_$+_zsM*-^wwc#!wSNVzMd4IM;`(-N#Hi?$qC!{BsIp- z3o>OjD23osd41J4t77t69hA?Q&p|1K4wZSeJ%YPtw?G$Era5M%b`jCQ^Ql)9fndp=1zHS04c%Baou|rZ`5vzhDOOZ-Re#Ks70(xc^KtRsT4bJ$heG1p z6hrF@@UGLBIiY`N%W<3SYLykZwI9mKRi_1o&i-mRFq}+`B!a+pwcKNRK!KKIvzi(3 z@s_{dLaDudQ>JK}VwgsJh}TO|(StszM;fI;@4Htjm|ksj7so?EuL3l&_L|Ilb7fu$ zM*VmAxmLZKt5Gel&I{F%$PGSBHX0owNE++Lb 
ztVmk7i(x;J!id=B-g3;HN?Do)SWppTGw*I14%ZpTZtm+KrV~?244bE+s%oPt-I!vU zTppNtZGwz56)Ji{8?o1EfV! zkJt2Caq)wyNHgfhOe+212hO#CBfD`y=8Vh7!2>6QJ^)3ylU{Ko2`3HW#5>}`Dq7m@ z3%G6AeLSrFRn+#pcruzw?S&}L0}B8Pb*U>H8&dzm@Ob<5-yJ$>KI?(7}N#&Yj1?Q*7z#Rx=H$*?_4= z<5S+&V0?-{s1I(acK0>jTm3(_D>J~w6iG)|c_=mXh}#WhE|}TXAqME4OQeTN(RhVJ zmW)Vwo-2MK<&Qrc^3vkldw87Z;LQ|hdb%1Zw$@c;eoaH@oPE3g3eHRb?E*9G7fvoG zWS&}J-fngU7~r}NM@NOdX*pQVLg1f*>Sh^&sz?F}ku&gUv< zHc#*~imh)u3ruE` z%KiqY6+Ez;(d}d+Fp!u2-CA30*yPnR1l%bIk8z4>QeX){qJ-erK$jGz+EUGUspzAE zjSM>R6qpSip)h{L>ESVcwJEkvw=Yco4;4=s7wb67a0bB5)dz(Sz82Jo+Gp{Obe82z@ozQI^bOSb(lr%cj6?CN3FIkzbdiA~aC&;PdgAd00iin+ze*llPp zQ1b|lD`7g?oAFczIzPae)*Aw;AKeinI{>kQbQt6!N?_~ODldmYggF+Ce8dihOkCZi zq)9Rh4vNoJF2in$vlBVaLf@DqaoOH%{q~L3hy8{=JcR=KX>iVuxCCY2@4Y2{OA{PK zs>1?fnmTiL0-AaO9%9i0y8g^{sx#HOxIATh#Ni9R6#F9_Y@FEbU#CN9Lh?TsTm+@! zxJ4c?D?%IgNUQu;ki?OmKa%NIi|JEV2i$gd;Y{Suyi9Z8?9a))w#;;xi3J5Y$1K^e zbat}p!9=2~Ft_((5aBnf_+ZyJ)MX&H4|rIxsRb!ktErHCidIm4e2G@MeFdcHbn>?q zh;0L0w?ArzF+s3~%7A?`Ci(jHx2RY%Vy~udmWm+zz})-tPZ@nKAyM_044RC=3`f}( z*HAxsC`g#Z2O#QoTfK(3!FLyy2y~R;+v{OT;YvUyl!-T{IP& z6Fdb>%F^0g-F2q_-`>0RIF4j#f>kpE%xu3k28(%hBpT>WY%9|xzc;oPBbVGG)Zua| zM0sXaH5v)JXp-1LkxG*CaL+~mp!qlRuuuIf8rZjaT07_1l{c9p!n3M27*!D|ni-8o zquH@@{f@=@zG2BA;Sc0AHD}o!KRNSV@Jf$9zOatU8T)w$>b2X1FP;3Ft$n^^KMzLq zb1W@a2C`pWSla7a{~@KG74mZ(9_Y#K?7ZExg-*kV?_uU>B>oJ2jhRXW4gM0j^7R3O zyNXYyIQ-G@(!bUtle~s-S#orWqcFD^82Q>?sbGRXMF| z76B^wtEVeERs3v#diEc~;1Gpy&8yKulnT371=8ttP0!zZufzYoyZHlTRY?N?V41s- zX_x&~8@{XOaIphGzyss)4lubXZA~^BzEZx*i>|e~yrFW_IlvV2$)Q@>k&#Z^G20a0 z@yp2`3M>V{zz)H-IAAsncbw#j%~QqzPV`ILm@gDP23IoV5?&c%{`|!9?Vb9Z9&$l( z9LCN$lRg!QS57F1Zm*4`f38!VK@OB#f02b7PM1|OlmnpBwZL^ z^#J>HAO`g(ZTq6DD*4Ua{tAh+)S(}FeVLzN0AO3Ma_(Pg7iiAOU;7#RH5{*dy$dTw z1HD^*{d91><1@>}?rj1%g#@lc0B2uX1$uRAVP{C6K0qLN{ba0XmbLAHfDgQvcp-9N zy^d$dvB4WX@lX0CW4#3$o>WY&!YB6XEWx>oYT61txe>HBSi1@ZpKMy{S*lo>#1VFo z1HAiZ90M12=G9*zbJL~Toh1jx$-}2gUh293tcUQ;BL3zdj{eCWQh&8d*@}PD>RW=* z9Goxs0zihWe1DxL^R$?$S9J5YNBxK2AN}1Cq(9;kd$@?pkPps4QC8|vjf#i08I}WkURMteG|+#*hy7A=k>Rd 
zN(rSOCJOkm5%WR&5iir$d<8C&nPY}y=IGm+{d}(dkOO@7S2r<7#~YF4APQP4X6;sYmrGq&P%E^XD%O`M>DYD^$S zR&Wc+=-bJv5mux@R^f(|gyMF)lypkNbmiI=!ZScT5{PH}ohpq4mZzhPk8T<7hFL>( zV{f0jv7Ni>6?dYrdq{CHih;jwxx!ityVCjqq9TM9sDpYKB4I@^k#_Q`_vvZVK5Z?a za`LLMgnQp<=MI)n(iNADv#*dn6q*Hc=JwFnH0zJW2vBYp8iy~UO(^B&gu)%9D}@kY zKN_SAtNaLtnihrw@lH^n!hDZDMM2?5xo3?7(&_N>95TV+CoWvwCvOI@rMCDfpa(rW zdLYIPZwT-<4j$qVk|62N0XbmJtVl4}IDCGQDF7pY5qX-&23Fr~YzJ{nfttIo{V`-wby5O<{N69Cr6jVt3yxcK1zVci%jA_f2GX z-%R#kCTnzayD(6DV`ctkizE~KqQa@TmfVU{sd?#pUcBE>D?d7@?>(PyNLQgkt^54jM;}P&y{jTeLh( z?OZ9v;CV?g2!79Sq_p!^hfe|lbV`R(9)znRMn$h~-;D<41Q_l7SF2^NEL$pwF88f_ zMDtdMc)>!7X>a!k`HLUheO{-G=^AR%c8+RnnZ2Sd^D7mE9d-B0aax1V0A9AzDZ6xY zqAdtIT@)e;wzFOn9AV_NoK8EC8sv#GOVD}UPFwZnw(x`c+bsl{FT>TYwS_ipPMy=N zb$i{|qpeUb`Xt!w(hPorv0=et|GTE|L4zSmrR0?CR&B;0snC{%EnnWhP+^!dvHfq}gX z%S1C{S+YwPs;Bk?)SR$a_6a*n+Q|GeMwdD{?6J5m&8yRD>tVYpYobmi+ZV*yJ%XgS z(^R#t3`M2}wC6`otCnjza;(ibMwHT^h@JhFO z=Nv<1T5G>TUjP9U{^tb$@E3>iV2US_4KzQbt88+9-sq>2wZ^1qz~7nR_ZBUys%rD zVH#?H%OqW}yJVFtm(Zjp8!j>#ix0^z9}44vD4Fc?$s+_%W8sfs%%>KrynbPb#mrc` z$N8F{0_!BA)EUpyk3k=~mJJ`P{rir^t9%WYW>5Vbn4M{wYr2!$v~JN#P6E~-xf^Z3|&S&RHgE3Q$S2^#s)?}o^1K6LCg}o@q8RU zvp_BWbTlMEKUG;!;TTRC6H~NhAMQfjGyE5ScVZex;9Bv7t93O6cNF|F+2&%cZn6%l z5HPWi*cFIADVH~_DE#!0tIFt&z#Ui$BHujSW%gbDD8i&jZ)(@5kXP zg_m#f0O}`91oEt_KvlTTAhE@ zrD@~q|1$TpR${8lDQjig#))VnDBB3iHiEK^pll;3+X%{6il8+8OccUSn2r7IS9i|r z_rp2X6D0f_+BvG`lrKu0vVekYm38~oPGs}Dux)<#Bad%Nn!k498m#eBAQ5b2e#bszy_7L5GXT?RKszX{=mSIp7LN*o1bn>H{+6L7pb9&!)C@ zpH|qq+u5m6K3Rq|6@??=j?HpD6kxMmFx?SKb zwDVNsfn%vB+gYk%G1V*qZeu%3HGa@4%EcSMzX1%aZ5n26W{f?H>$qnL#bcJP7z|A4 zB-<#_#zl9fgVCn%M&K{f;nS0FV)oMMuf9eImDWM2bx>*@lv)R+)KJ2@yFq892( zj&Pas<0Ob)(00%wYu0MB4bN*c;H%C0TjvKMmD&WJ*UnOnK}k-Nuc1=KaokRs)Yd9T zK~9fD!Hl(WNrgF*-lmJ$-H>yDc&hO}rb+k}iV&{ZwWapRA9!tuc*9I72h=j;c{^h@ zlwC)ij^B4$9d7+pU7Ef|U)>xDZN~y$VZX{FXA#@3lbC5?-4@heDOFLcC2`i0OyTq7 z;ewyS+sJ=Wllp23lrNIH$(C$441PTD&*oGjBtNX}9cFJ{|CJ3lpu)#rxa3m=NfY_$rXx@nW{XCnRH zSL!`15*6C%{_H4~!*U0{Mq0o_5&{1C#MGR2O<&pmb_-#QU)=(8)G3~57e|U_zaecx 
zJ6|w6fj1$usoHP({<{WEyg)%yOK$SrgiZo<6f!;~RO?#c*K%JQz;nJIFp z=gNs4UfMM`=7sk2tHkka=efpp`N}*}X*g{ta?_-pe%I3(ZFsl$UWd-tR_JVINaV)m zJClX0*egD-owsVK>eSMlan`)m0X4YZ$#cN}O7SOMGyRqlX|&=&qwHF4GF&{X7$F`!uOJk^+}F3KjV8Cxmqyr+D$S{+HlJYGm10}w;CM?*VXHOHjw zYs87!JvrifVU)B7W}TK?2l9{KcLuvGPc|JjLG7$n@64XDGh1-O`l&imD$8IzY-gzE zxI8uq7XpfAC`~Glm^Pb%Ifu0vE|NVP5o9Nul4>rF3U=T-DA7P>Y{uu zEraqyhz=KWJoMYZ?7ae3uR*|SC#@zht!u5d+kQJy)lQRgaRtk) z&En|D@hageS?s_qfs3MHduG-~99Rk>8SkQl>Dqa#b~=*NrZPCvqsPfpo5it-^q&|m zyRELfd9qYC!gMrjbFMX#vEy?~3>~#nXyc3t&x14D^FRbP1B1~*(KWHJDmp{^Ew;3* zdD19PwB*eUAY0|=;u`XCW-=_3E%f0>x6IFXZAeiaw{mKG%h++@Z8UhpUO(1Wt=pL= zD5Te7Ro5QGC)Pnc0~gNr9Nt40&(2MK2;A;O4aF&bVxQvP?lD`W;kMNi)UVQ>o-@d& z!=LlS-{T#7ky&-V&ZIi7>C~jnXZvn+6Q@ZO2|Y_|@~_{imtgm`*3nR=9AQq zLf%iSXsKRoXL6_JFI#pOKBj(~f28R!xU>(0d9qESWYtbtU4DDZE3^NLw@6xlk~&sJ zK{)Wyuafk|bYE@ftj4UWaw2S6{4FP0^`xX(AJ1>vv{Us}&t7+J_8Q%3+fdEsg?6d-g+eu%F&Hd_f47q+9X{oul%y*^4uA2< zumQ-!?Hth@^^P@}+&#A07n)9l%TrUZtqnJ9r>~mlk+Ub#qIg?AHvo9k&R0#uT+cH5 zc=&RHhiRv*Qn4v*;ec9rCuLpEN3^nT-J}6#?YZW_z}fnj&VWx$>WgHP=z86HE!L-( zQM2cb-@o6nU3&o3#er!H;b1cEK*(I!>Qw6IONC6M3HvsT^7gRQynRn;fp;x+uU$k} z(ipQ{zhohotUwA_LV=mj-Pl)Ry=|oP3O1XZ=0%b}lWM^cD@^E%FQqycXM_E{g8h)EJGt z{=4z?tHl~o6ZX$~?!F1UL6TxDzQ4jl06=@c`G=!_vZuFue%!_X;h*o0|5(!-7xp-# zxC^s23qblS_cXZwU4OMoxzw4nzvmZZVufE8`o!N42fw?W%x=6n{JQI3S3fX}L7-kB zAud1bwE8AYsrv%?hP~Y1Y|Hocj=QJ)RnNPaVH|n$*~4J|Fzeru zE=9Cc3!0WW6oG7!=}QXEEEn{SzCEfZoyzpe$Ut2+4AlB8VyWH9SQ`3~61HIDfwm{v z!9O2kQq(ZkkFo>@gRvJ%(Suha3d5)lGeuUo)HC+CLZ9S%#M+s*MsaQ)ukcdE2)Xhb zs#}L_>F=UkzOO1LK~P_YvGV}s@Hi=wUVShq+yAWe?G@pA*ao1TaeiF)N-r}Axw?TA z0oydpSZ5LjO^Xd$gFdV?XPoTvhju2TA-*-#@ZTLJnOmiUsb^h-nyPc3Lds(hw7p zr;HI3;HQiA8~#=>{Ks9!KYW(SBZZiY+>f-zh^_}oAUKbF!aweUT_>=!r6FXFV?dn0jfyqp3T&v2(YHU`bYzgKksi8X#oG5+q`<6zC9BUDsQDp@b{qCa zY)~wE$9M;e4}6;455jZp8Z_GYE6##;rrtE85icZd{FGVIt{@iNW4CMLJ=PyBrQ4<* zy6Me>IAUsB04v_yV#WY%fd%fX=R|5*{ej2%%$PMWVY~@H{O4e{nQ`JWW$A5{eB>jd ziYfCyT>EkGF%0r`v2rN*RI9unK{9uKEX=$grs~$}4ylw*5okW4d3$u0T z5`F-4;i@^E35=n)$=@T}oObyY~npDe&?*F~&yrY`5hW!6BJQnpDr 
ze}b*bC4rG@jfKBwL_Jy)zk-989`h2oF0!f6SP?qy9A?Xn!zw z?DbOe5J8;%ksqQB?;9-S8}YWV***?QSpf%`DEa;EjIL0(02+oQ4*ZlXyu28=*X4^{ zY@T|-y(f_SUWnDZ_d27@3s*4PZmCR0_j+rim!w+mt}0qpIybJp&;3Kew5#_ zc!iY4s2y>3!#89~7{|T$?&c3P7Jhus=Xa$c7K-8hk?$SFU=`=Rajq(3`n75DIjh1} z5&$>io7!*~klpZ7{+2_*&nCuu>e}j|>Qc^pa6-war1)6fLMwm--7=;G_!pQiyL7Ni zp;xSM+ac&%dD7%tIom}w>l+re5GimNbo0$}$ki65UQD@Ix@e((6doob`^cOzB@pIJ*{>L^qS7;LR-OJQmK&Yt1C$WAGxy+y;BQ{ zSf#6O5IqZO6cH+bgTmXTyf{xbk6F&?8#mC26NeIiJw8gorHEi{QjXNYXO+IY)f2Ll&hM-hGg?Qi->(1g`_bK~ zKl=kcC!WiFp~( zgY{?sda)(^etsap82Ght2ZNtdZ3@4olrC6Bu`^@Rr5J)XZ^|izV28xj&{C{GA+cBT z29hb{)!5HIh@Yr~RIS2X{U&Bm9l6<#e<_5>u&?X~C-|eP%w&Oa%t{!CE1|kZiUGZj z0y!e_P2sn-TIe;N^`w#}3>UpSi8--JjAg5--FK}kTI-6oufeb4isrh`RT5BiOVTmR zu)ZtcI7uIT-L5 z=b0NVPNKD?DZ>&@mGWefL?hyNuuS)O9VL$k7>>G@;mAW{vq*L&EFh-+$gZigAK1`oV?LB7(fdVlu{4 z2ep0tVg%amrN3aZfPdH({s!e(M8z9_vF1E=Kjr_)`F!rsyE5cLx$YH~W)wc+dU#@- zl|nT*4OKdVvwXMZJPKdFfv%LQ5W13_!ISBB{WdI?+<~&3zeg@CL5y=6@xtC4F!A9n z#u}pTNPsxeLAu+nQa=D!gJ8GFg}z-)7PgKbsEsNDB|N7HhQ@7MeY;u;;##Pi&^;iE z9zxO(x^rIg%SQ=lC4yVdxHYXuK;%yuBPPQ6DGKYV2-*bC0hkS~Dk_RmhQ`XCez4w2 z^6EMeDVda&_y&pM za#JpKAc=YM-4}fC%tE}D1|0hYuQ{%Upu~F)H@l6zO-O23!-ZI<8dDXg2T+vLtV)o* zBKFKbyQvs58q63{FkW>NFVdGS`2kx^?@02j5=zZ_LyR?xErGRa;-)EEz;a$NOaC$T zCVgOsST=Vx{Gslww@-KWIT{KT=_ND}BjH+At;8~EKXQ7^XHJNi zB;eT(la2`P)=;HZne{zeX)+9PynfnfpPTXfe!$aHalELzKjgcdHhq`dIWR$cU6o!+c4? zha`bc>sV|hpm3g`gs|A9a%BCY`a%DB#$xtSUCqPA2bS+w9)_{m(m_wixzFd9yKu>J z(s{C5Pnim~yGQ;Dycc8%&E=0_zzRjucrRo(UjFmWkH8~tsm<2tvRrOy+2XLbLEn|t zQ{vWnN!$X}AJ}<*U7@Qsqwtktj>>M(wfZv4y~p_kxlj?|??wg{vE|^Z39+fyQixH! 
z7h&Gua|4(@RK_pJEP+>?VH#!Gj_=ta=R((1IN+}cj#!oo1mMphxK27#ka>`oPB?E9 z`CGFHZwy#qKTC{e;7w(J3QnDlk0a@+IO}V}r7F~|J0h&l!m|es*sd_x`eDV}lZ&*oFbm$mH=(4c_{DvG>gBsfqv|$E8Q(~vL`q}b!nM*b z6Ey5w<_E%-f<{euMPsk1Xf*k`YErIrj7pU_+Dfjn{07Zme+eu-%gLF`sQx_wlubKa%l8$5k9j|6aL0n4s!|wV#p;4~~c) zij8ibt(OporSLDzUb38RCUFD{8sVGm!SfRuH|}JKJ_4M%)*WHsQpOLET}(kt+0B+e zm8DVvl1XZ9tL4vU|w=&W@A3#I>ci;lh6N@YN|pT9L9z{XUjUj!8XS2kVmtVSp+UiGbxx_fJ$^zmbEp$R%lu7MAbymLm#$Q3v-~L zG4bIr@sQIfm*`0=R7mGHPD;v^Z@>8{~)ebdR#zW$XEH}Pl*gh}&xMuMHW*s*tp?)5DoINF$$d-Cgk!#wasEsu%O!8#&W5?okZ@nhN-U^aPq0A-I7dS4LWlS?-HyFerZ5&J*Cde_+B( zS}Gq6Kh}?rY$JR{mfm;*o~iOUB#}_EiZBGCsW`>LkyS2OEQ>*4pan+4B9@A+CtTe5 z6Im3!1B@5y4cBP~93tmLR_tvO1#}o!ikU*l(6<(w;bPKinq3MaDEOn`BPqfGjz-j_ ztd%YWn$tV596&a_!4xmUOsZSyxKXFdGR+18>e8Nsr3Biti}|Whj$^>ylkpI|5>Qef ztiveKUZ)kMreC|Lwpg1|nR&xD$pmYx%o$ zM*Q##Ky#@89A$(10q7_PyEIdQGO}&2FSgM`u^6F}+R8wzkLsf|?qGH8; z64P4AuJ2@-DB$dL{}YL2+tW%i$vJ9-dP)P3; zgr1f@US~Fudg+ej5VMYc4LM>(2W$rn<+*Xcke;4pYzF;a00$(vRxuhuOlEBHvatP1 z{77vsNxMuPiQPinZ#9s#ZHAz%n=+_^ejf~4LGdS>3W`8xIS9flEy2lBhBL|Y#h#rJ zQ0zcEvYSHD7HKu`9I>^u3VVr*NLUx}Wh;0AB0 z5oc3|w9r0bfc$|92jwP)C_5wIiaC3yb;odQ4vfk}B&3sbOVjv^qC@+f#Ehm|O>Xm{ zqMczoGl?qifcPV2c7n1uj59Ui0vk3k*V3Sju%eSCN(B3?1hly1P!-xwg(FN60LWSL z(xB}nZS5W{XARy2K(!EG?7hSbZ$}nhXK)!Q`b4OJ24TEp(5bQZlwo{A8G7w*QPS}P zL+>-5T;&&OaI1>fGd0^<^cCrhabXE?ky0i4n^aZY`XPoR>tj?n0CnCBI?(U{U4(@< zi6kBfucX<9kUh)9R`7Dfd+me4>Et*d^4&667mpXI#;tpe8j4XqYb-Cy5!y-nnS7cQ zQEaFtVjIcVQnrLX53t6cT-hX#@}?Si&m;Q zzV|#rHmm4Ca*E9zG_^8^DcV&$2j5apo52>!SE#C#&#kJ1Oa%bwP+h4DZ(?-#b7vn^ zo<>BP2%Nzz2+`oE2tUEERNVLhJd9zx!|*3gFZfBv@=vfi(Y=*sC#vE^EDQwAbtnDS zmKf79WeXmXC8RI>2};>B)3_=v>^4pr`H?hnA#q|z-=qg2Ld0bj2Z|%VgNcUPOl}Im zZZ@FTx`29LkvW3s<7YzXyMM>?Mz4nKOK8`7UE6|6U1Q#WI-g+6XiAQ9r2sxzD8(nb z;wQ>ZUx9THw20kONv~9LQYtxBC47f%y4F?Cx;nA0^nIx47ocK}a+Ty$GD1z*FIZ80 zR~&vIo{oMMTxeuio->~-zZg024(~l02VIsQUvj{x!EF?02=A{1-&mFjDpd;ZMv|VA z6odo%4@qQz9#wjctF|8c+4CWA@pcZ+9|g}s?JY~hC1>fBgwRkpS-W$w zXEqmWaFPcxv(}xaa!~M_d~E$)5ayXKr!b(PvWMal{^A^N`Q$q`L+`!}4K`qn6aXRU 
z3Kzc4s!-4ASk%OVFf_ttG!C(L`LNm&zi~jQyyk+$YVUSC`#EpjR(&43NGVcv@d3~@ zR|+&3kwgyuI(55E!|E?~n?^JM+|(Anv%L#6o~Z204r&sG^Dq}+Fm!D=q=^z>q!aTN z6S_ncO(CizTh}R3NVz57ZQJ1YTXd2Wa5g5Ubs6ln7CKdVn;IVRTJCmN8=N+&4L~cs zM+R)vXdf_+<4RS_0nYZ;AtG0>nHiv#qBnB1MC^W@giY=dGfE%gjo**M6_EU(Ie5s7 z7bh?IRctIB=~q7tS1ij5SNsVzcj+30s5^iU>?%~n4VPQq-*qN;{i%&nP64d@I77Ny zl4H7>Db!+VaTgT>618-}^)8G8eQ8U0M!9rW6W0bP)x+#gmm{%Ql*^4XmI@4CI#Hrr zNgJ7@Q&{1r=ltg}#FJjBXc8+aMl+xhGKn3qx^(7AXBc7}9h3opqI=x$nNk%4)Qn3M z%W~$;P+3Jz5&W(k&rZR*7gfi+frfe_|~53Lx|&*NVj1DB{?_eZt$K>_t%3 zhx*{W1|E-F-|Su&g55w+1$V21+`#E*Sc@!32&$tYf%eiCNHCsuG@OE?NwUkT>Od*0 zukHbc&H4C0`R+^wl@Lp9hv5lMsUC^OWTnI>6&LQ!AlGc=LOV2q9`gw(FbXid3?ZM8 zYrMeP&&KFfa6f~XY3_e@{rY?*Fun=IDG9VDz-ZPnB72jzzs zrqyy~fV0kQXt-J!t?wDm72Kl0>vb=ac*ua7SXE*6W}tu1CPQ@vhAUIlL(@wNxYmfa zozIeB@tF#R?uDf2VZ2OzX~kzmgBv8&d$k~_>7lXES}aC8KYb}UVfThYdl;vsB$OlN zD?p#lvn4gGnWOhk%Gp{UfQ59QKPhDzs(feio!MI=UW*Os5y z+VW&`h*Hrc#Z;oi9-&~Q#KXR@*I|)B7PSh6cG*x+tExYh9@5$BA=#vKyAY`*XbL4z z_$R3EwTVCko$kR9lFeikD*Wz=--ASB3(2}S23xMKf#G&%u}^IloB#dwIc($D5hW_7 z;xHZ@!Y_Hxu&qtbJV|rh)4J#(4k2Z4Ma>}E(V%q^yjCy`x5m4TIfEHWus`ET)8Ffh z`CvMl>Pt|WvAG|8Fj#(YQK^?8?i7$)AU9dFXz^z1nK`s|p_w{cmA(ZxN@JS#Nf#A5 zI;qnzj`4<&?qPq5;6Ip40p1fzM$;jS57Pt~7)!V>_Il;WEu*lk`R{+^lq&Wkvj~@| ziWryhw^*~|r{@miUNp_eDDlc-X$2NKHXNidKh)w zjmYaI^>|GzCor)TTsby^D~0@7u7GvN7ktGn;90@{=F-84A~J=MvRJV%7<9PI1ZTae zjrODvj`BbxstEtoz_kO*`@G=vjsGYPL-LwtgVIZs8r8nl;UT6M+6p_Lj!hEhWQH|V zr>-%rR~E-K;|%v_#I#=41+`ulqFOI&!&*sAEEjl{k)KAjEgSsn(~v3kcrG;EUpDR7 zUsjT_8sM{)(h$4{geNiRb+XHBBs7e%P_G~hrUH2k6P0OnF)Z0^{rE+F4nuf`8{Zn3 zW}A%fsrB2^Bk5cFk+f4(!K>NH(Ig%l8D=R25e61&@O*gqZT%;~`mq95BQNv0^|3|a zsP=Ph*4boMcwfMIe#B+vXApJbQ#jyuYR=|ptEWU8%jbzmhhn&7VY@tB+=gkEn{uzL z0QRY>d}w|nt7bqStn#LU`42P({cDfKM2yixyEN$jBA>*dqKKB0ZNeak)XtMh=_JD4CuXTLXf7;2i<2sl+sgcGrt0oGNj|^{iW`ccSgAt9g5^RT zDBBco>s8&?E8cj>fpV!{?p=@pGWQd7!P%(2F6DT`yWy?MO(aBRC?>Cn{)%sCG!IrZ znM#m30}_>nfM{Ih3NbEas)aIBp#|4M<)NSQkTDY#fC>jHenKBa;$`Rrt9cEobazv@ zG)-|7^>mczw-=$P_(*vnab_!5as}9;MpksER2L;mCBp9=15Rv;QQY`d 
zBx)Z$aG-ql{mwM+K*jHct@ynkdHkEuyzEu|@`qYMx}x|tWKp0XSakUa(0c1CNsV09 z-Hc_N@2{%iBQ@kA8oxL0Pw^QLs@AlSYivN0@RFJ3i}*!d$!%hK3GOxwZEDnS5ybXW zuxl?%ibf!sk5+(;lU}i;K6JIb+sFY@Ee9E;jlKljrFc|9$F22pWY8*?4?}+ya|Ruc z1f$M4RE(z`ta9sh?W7Bq~qIa^7S5Aj#7_V22+Pl5L^Y6jECBY?L;EoQ-oRh0{z zeNlwI=(g-KkOrz)MDWphS4z8QB1$Ve_ZI`+_WFfE@si?zUL||q&HQ>a@g%!+NG`vvVhfH4 zErrjrLg;{HmnJe}0zzOM5wbh%O$Fm?;(C`-!pHM*_^kY|(aVLHTFW&7)G`u)gMAQ^ zD*wgDMWj!0)3v$dJIF3mA|T@0t&Euz@Bn|MdsA@3z|)6JmT^b9OW-9 z_<&+~#U9uAx=cU9C#4YeOr2}20i#fx#LTk7ho$1F&{L0wS)qLa#7cPAlnm3^Py*M4 zoN+|2J-u@!5`}%Q<>52RgvcxlFnwfosYsyhe16H#o5P-$B&{KUr!spJ-VEH`C|)ER zay!N{GU3qdU;(&>#rhtE)KH1BRX6-BS|vs|;!{z*DGQ182Wi4dIRi`%&N}3_4!$rf zqtti`^<%x0ACQBmAI)iMg!V+T3j*VaQ0Y9u|AJZwT7&tO4;y}hyr6h92}h{25m6wz z{LqA*Qk#HSg@4`bYj;o>l1f^iG&=U^&;grRHw6tCpru95Oq-3AMP&J%#qG4T2 z-ynC*A!;H%Ju{~H9;fO(bqhg-8Ljs@W(vbMP19CHvnxS23FA_0vH$V5z3@f7PO6Gv#T;WFcH%C@gNeJXs zIuxV;`uvHY(DOVpuC&g>Y=Tl9Z0&k@Xy>R~l>-)|Zk>|nXyDkRT9j^g(N_+@FNKDG zR`QCX7EvWic1d?^(pdg{&q^%Oz{V=;Ag9Qo$Y$%{W>w*0Wx7|rIurYs#IiQczO)4| zW_Lr#1_}&gXeC$PBjNaHs^EKd#$=?D%xJCkwxzm&MY&(TV|J(TZ6V&LzQewJ>VbQw zdm>p3f8g!&l;%y~D4i^an7)Nyno>Hy9Q)66$b1YL1o)c0jZhIx6;tMaxc1}VV;JOX ztFpi1GATJx>3e~DQ1?oOvvr&8%?x8p`1-w1CQE3OQJLYD3Rkcu(c$!(GUf!=_ z&P}6HL$_FuOGX}gOwg5hPR=9bIdUX(N+hW?RUpc{yuf}eh0@Bnd(Gvo{`jcQWKgyW z6fx2Z=ZElX!~x>UlU#QHm%Cwqs@1qd6Fyou`eIH^pW%fh4Fxtjun<7%WH?h~D`V+8 zJ8kq%jMRk)wBIp9hw7Q z?1Ck%V0)5kRq{B^Ak!r$mcx4tn>|9c8z~~?x2ub41tjevjJB*Z;#xbDMW=(Fv7MpU z?;x3LXbGXs?B^Zi4=pwKhDyFQmI!FrX*QGtg&bi8*7spC9#^JVAkmxmXTB^!IooJF zR({^vAdthebsZS$aPr-me7{1VywlEDvk1IS{1Xr{_=&p$*3S%rAA7@zcclDlQDssH zl7~LP7B5fYnwGLB`AE+FS3lBy=c!zAnC8tX3nZ6yP)&$<-YbxB+O%qyo6sV!ltUy;Y|EX%-PDt*As1FAy4z0h-tjNN=pkN4S{t85WVjo23HJ z$K5AU>Evd8551B=H6-Ja%IjGy8M|c-L_s!#J`aY!>t1!W;$|iQ>?nf0QGxSmDw>k6 zg}|FQlQr{xn5uiKdur0R$uCa2hP+7(Q#Q*cWBr~a8YVqGSH?)Nj5WiwMn@&|Xp(bP zlpOWa}}9ziqqo$=V3%Se=?>W|=i=uUOyLRb>=f#gPU|ykojVZnJw@-B}8AiN$e0Aq#=BamrLUUBZ;mD9)G}*FbokHrB5qN z1QE1+%Q?|ZUI5}`mMfiu|Ljrf1n~|=waA=-!^Vdo?7|)7%_y{r^Qj8lIKn87JM#KD 
zGAzE6ha=l;f}M3HZZ^z=yU#rPX7KH}IT@MCPMJ$>LFGB;xff;W&T@e4$&<^#|VV4s~|XK zE1CclQ=R@2F$k2<4^Qg|s?!l0rNS_{$JchUc>rE}P4JE~dOR6lD318=^v-oIs z19{kUrcY2P18STW*UNF zB4PxkyYoz%A^8jJ12g6tM8od9SJ`{7)O~qaCzW@el@B3EypR%#Ju3W99m)_>Wu zl?0bs_^J42M<&3T0R|>`LBq=hS)z9XuiL`|>yZH@_H1-iV-5KP(3CUFOP~WsvV-67 zpV|Xhb;pMbRJBl4czBJ!uz5$>Bghwa`+yXx1p^%jA~g{g6=AjJ zT{>LWDupmcci4+7TeSkYRbC5_tlRSwjZ02fg%o4L7l$4AwBE4GBqete8P*_^1g^D=~93g&InmqAubO>b2v7&N}<$Lmm zQVSD3O%#z_OTP;nhYH1V*99g#JC&Ho=Tsth8(kR-%IL;$f~68LV1if;ijJ5R6jU)G zFEfF_MP-7@$Y5>JPzLaecbn?pn0M3|Qt$-dDPx6lK}hIghMH8Pzf6d5%$SZDqgAmm zda;lgspuvS>;ltzD~tFsb$~hWqHGQ%Jc3mC9;9E!LU{Jwg*^NLL_$;JrsIl{H>_^V zUvrrz8>OL=$GljM0(G}=hmqS!@eP`i8{VrdyC2M$pB-W;y0Tq3Y;OF3JaQE_C>_c+ ze%~4FvOL*zFila|n8pyBt9G4RJPi+W{82&O@TD4~mf?B1gp4uLlLy{g#(7A=z6<0xo8FK8?N<1NkY@^LGds!|MwAMm zaw6Yq1g_qr%58Q$bb~$-7A2PLdpN zA$+C~d{yP~)SOu~4xbawcR_@F+`o1-+_^mNolr2_{_MxayQaeFTm%KwH&6jobq!_=gGmm^ zA*iD9!fnPD_k42l(4g`38dz6}wGvLfn?dO=!4Xwg3SGB5SJZ3ZiuRm8H40BdrCF)+ zRHrD|*DYly9f?BMT2UndvdcAvC*1&jS{(AFdR^;F-S+o>o60Y0#u;G?!mB*oOZQae zZCz&jk)RJa&=n&k(pU324fhd)Z}+;K)niP#dudwy`OMB1T{lEWR~6Z{0y!owbeueW zVW8s^!+XvdPc??v6k6J(cyx}(Rj%9$;Brr<*e5@X2%RLcLE>klA(ZKKv4`eM?H!+6 z$MNV-a~fAGh|g>Vu@MBhH$uAl4l}s9GR0H@edKj>PAM!9~4f_4QF%rB^5IA@ft{U|aVrD3Q^9DX4BO23AdSmMYApOlm&94L%>u=#QJgR|>vYAw!tSH{_l-gNxFRr?n_bLH>BohN_J!TZ0T z(cTZJ42_xC9tuKEaWNPYq7HDeP=13{NFr9DUP11DcM6l2lVD&Bt`RD@VH3)R2PILz z>}oZYXP_Q8!z?RgWf89l_BzT8fR}jZAqp%`5S7k|pA;1qbHip**a&5XV>yB>B*Si% zO`CF__GKzsb@)K(o$0Zft&@+VxUaPW#*=_Bu$8}ffx8eT=3bJphRm^VSTabGGyoGJ z%lc6s=DVP#_ReptP2!cTuJIEFcdnZl;=KYhC9mlQY&hsTFH;R1z0+`*RkF(AiMb^a z;#;|*LsuvX(|t9HxU8C{N$L%z2O~%DulUHhc9G=gR>wn#3JiC+XCEn^Ak!5nAeTxZ zx}jJ$ASy}aGH^q7A7>xIe89Pl%)E!nf#*k^XsJ&=A~EE9bb(i*K&c*M_(bW5W^0VI zHSw6y;XFwq^X=e3j9x}D*zNi1u^S7opMyA~uFVM@|x8;NbZwoYLZkb9@bP+kFsoMF&zdV zr+%=N!c9OIoAsj@qw)X@MYAWWcXFwzdWOg{<<#gJKUcW9vF2)EV zDH9<6$Tv9ptt`l~e9U6ltr+nwm8nzV!ks~`%wk~$QlSVJH~Yg|?IN|zjGLjuoH+bD z5ER5X8N@gzD|JbOzCkzm3`ARbaQqAaz)F+FAR*@fa^>P7g2Ni`B5*Q}FpAK86L&Zh 
zJDY^J_Jic314>avVpm7Sh%`7Ajo*gk_lYn==lVzo75^`t0fQvVA~YX4lFu{i8&3d) zK>);PMkvH4%At7t{vVSaC&Q7r0)4v?{g2s0fHxMu&4^!7gxbZ$i!@%8K@iam(-#?0 zMHvo4(F9o_hEggg52A{W`4#1eWr50@goU^W7k(xqt`2Z3)Vfm$d{;s5P3#vm z6msDqeo>dEp@a5RgTqZNH_=m?m0j&}6)Z$`gvNT6vBR)B>D* zcXF&1M(7GvozF$P5tiUiBAr%NQm=-Dvm25GfC)RYQo<>*0K=Iztf?p$Cc#<}2~-oJ z4S{|DuZ$SB`Kqy2rvb+o}BKPC$M0Y zPbgLrM1cuSG2=wZj|!P8?-^oYLygRtWi*!dn~EwHn0^Gc;0NxRt00STVqs=NMJ3qY z-yFGw&(~$c5_K@!(tVKTR&;X{2V0Q*l~P(4DWDNuG>vwvP!GurB^PdwBI6ez2YUV=mEZt=R=<|HNOcippmUuKB9 z9F?wl3FIT-bMl2(Q;VLZMlE^>-0K0-OUf%Qo^NUIegg8YGAyAhM-y7TaN{64Abxj@|O|Izjur~aa zZZP0|pC>xFk8yHCLA8phDZ8XLhqUe$gU_|4#uy?eGr+F8JIL<#J*(3B)dKrenKkzb zs||TL4^NS)s3^eGhmWE>o6_tbpu)9tWIx0o0Q#=zXXEM)+6?u6ptN%?^=Ux?5xStU zuFIk*mWkZ+f!8l#K+}>g?R=O6eu}P`4I}I7o_K8X%OkJBjW*Y`c0OezVQ}G%05hfz8Y^f|A+sF%gM*z{jTr|`Zm6} z;64BqI6wWyYV@y_L!$%-NMA~0`=)zx+Us6i^e(GkYv9pX^z`K9yW>AL^ilWRrati3zfw=%Q0(GQAX2};ED!E~r}An2J-;9| z9{jSx2mXFI_+5Xz}xB7lA zzaVzZfFwNdtE+f8C$Tqm_d`tZI!$6YunxI13jA&3SJBJrA3lb0_iz6DzI7Ix%e{i0 z)(`?!?@Bq$8xABo=2(bZ=W;RPio4uFUf=b1RL%;d+oDH(5pqCOct7cLo|x*Vs61$u zo&SoPGXtkzcolE=D36}GMO+~Bj`Gr%n z3r;c|nq8foIW+6>1IwjZ@8n|Ntk5yyG$AM5D~E^jqtv0*>BWgdt2555IrP=NaASJ2`Qhu!~c-&RpJ-v(-*RJMEUfc#rQMY6mSZPL99B z1b%MKx=v3$J9c{2%d?)-2X$%Hy*hSTkKL zR4mLwtL`!Eva9c$POFQ{ie|dQ)86q3Zrbl$h&`X<-k#S5;B;yCEx$1Uf+a~bUvt?w z$cj(Id`IX$H4GuO)IvJNRWt-uCm`?6*y5?8nisS1iCyoOOO_Vv!Po`&2@P$e)~$fr_i%!Cx`(7pthc_VdMh#`0Ynk6DJ$b``BK4Y3U4si=pb5R7TBc?v=1a@nr3 zK8#g;)x&iq{}%A36>aW~;M4k6Kll;q{u-*#cpd^?b+HjGkulpO=?nT<78{Ut&}bl* zj>GyChRE{rEFXV+dh`0;-I#%AaF}f>*83aJ>rY3;UU_N9o8I5NnG|boem}pN-S_WG zqR{BgjW_R%hi7%VBB|RMW=gSh|LuSLxBvXpPeHQy>8F4DYd`o2IPss--cQ8d|J#2x zih|7l34E#l$8Y}M-|#>G>zD7h6jt^9lb?RS#0&=6_doT%@0~0@JRe8Tz23#y<@0m4 z{ONh|^U3-c{;Yofe*XP7+;(zQ+;$#+imo@6aWAK2mr8oY*^`Plfxd7 z008N;1OPYy8~|)&VQ@1qaB^>SZ)0z4FLPsPWo=<|FJE79d1GN?Xk}ktFJyBwI5{q3 zaCvlSZ*DC!F)=Q1d1F;n2>=5daqwjuaqwkzcnbgl1or^|00a~O007)wTXW+^b{=p1 zIQBL61& z0jbJco^np(4iYn@2ue_9YHYFr0)0K#@0{~*zyJL=ui($${rcbRzy9OvSO57c^XIGR 
z|Nry1@SlHuWxe|AE9;L`g8~TTT|N7N8|MCriKd(J{_xf8B ze$fro-#wk_&@`|jO4Q+%h)C3EP<*N4$n>iZt~d$+#_)jet%EqoW5onCx68#jI&o?Va0&yCCJ>4(#c%(F+_ zW2P^?2Qp(G%;f<&eEqgKklY)(gKqn1fS;masKAof3V#~*8$Z8MhvaT4i9;U<@d82c zrUNqm^Y!rT^y)9fq>7F2sp+2%yXVw5mt=PR{p@O*yD$rG6pUCbRCLQ1$7>vC#yGnk zU9KI@`gJjkUME=?WmDH`aG`uEOlEPf!bNFSv??XrtDS5wA6Mc;2Ez9qPNc=2b_^F+ zWcDD;r6&ddjrwp#OZQf*f7CoO@I9^eAnLsf3-2=z)?hBD>FwX6_Q`=tbb%FfX?Ng=^cdLbsV2eB8oe%&4`OXhy)HIUFL-( z%Z5h)#nR6pcKDDDj&(0T(CgXo!e4O^PjhMnNL((`e%h9j79pEZ=r zOjr+-AOllG&WZjFN$w^$4^J#!>>^PZ?Pl==xOT7rZfDB{{BKc1(%S@;!f1D3Km()M zY&T&@`0uEl$Q%yk_JN*`zG2{(8+o4>Hqt3yr&T0Zc2q0Eb7XW5plvjsOvfj~tMO>H zW1FtlakH1z2jAOtQKbr4)dC51Mb)P>dc*7-X-HaYB{Chy9NVSN_};Vw3yxuy354I^ zu=|p*@CGvXq(dgdb3y}ui6q*L)Rrw7!W0Jm1NC>4IlA$#umqhlNBRt<3p5kNLkL^R z4Kx!oYd+XzQ-HXz>3+cej4pDUA#8d^M%zl(9VE<4SYnfXkEgLFY_?2TJ}%PhWTqO( zk{Yl>nTva|j+7w)VnCh0`wF9rV~Z^iPGI}|47!&n?lRG=Cft_(uCyUhWPe%$A15fB zE25vg#q_tDM#5xVs??qItdk`b3+T^*duI*Na;QxyQR89R8pOXQt^`Hxp>~=~*XZSJ zLuXX^XL2Fu^V*t*@FmgTW~`_$sU`2m_byCCLe70EEDAHPEhmq#mz1g?c%DI^>TN~5 z1=cn(}R?eh`?bUH)opB=VXE0 zmF;DL_Nv`xE5&Ru=&xu7A3WfKxW})!6DbIVrYBSnHn9I!B}xWdW9 z-gDc3>Rq-2aw^8SASmiW`onpq^J8J5GUfv-3AHXzueD-*x8!h&L7^rL0X>8(0+)E! 
z?YdwB7=X=xV-~Wa@Z4WcN8>4srFiwygKeEM+%Ip_&L-HZf-^2Lg~ZM{k11&fcqUhU zac7{l;n>rARK^8|bD*DsXCkJJ>V11rz2eDTebow>izua;|C1J}rG85uy&aESud?j~($yEH;kd zo$uhEtKa*sWLAGES_i3e=l(loI^b9J}AfcI-`^+iXm1h=pXBurC z;ox!`bmeM|_NoDrbJS59`0|{ghIuMXJ5c+ne!O)Y^z`oaT4+^CLc|+}^ zh}M*;9Di7ML#<$fW%ia%tS4uemD(}>L{zdYu)F^mkLWv>I{L#_kd=Pk2C#pq?B@Fa>XV!J%;r%i6Y?N>OB5%~HdH)m?Y=mhka<^m}7$`j=WIk{=Hux*z zz~O~UR1hgxV(=%hd<33Mh+F?ZLOnV~LC&G~R)pV|m1>#$mE8>ZoW~&9=eVmm(EltPHVlm; z)~0bjmF&-*Eyjalu8NR5KX0h(T2M%Qu3#0I#)aeqi!qT4CUp4t`YrkRnv3)saEFht zEsZ3!KE943k5O@>I$cXeN{<2p3w!&9MIdJ#qJ6_{4fx(5+O%2VhQON|@L3{a{Bt}I z9r;4rL2yX$D-!>T*zA_sYP0B5Y*@sJ6%r~OwQfy)AH^EWj$gl+0e}V;_lxjmr_y8# zdnPIEX7Sir55Um583owB9578UbvZ3O_d2tdbT=ku(VQ*8rYO!t5gC&DGiL-E4MtNK7dN)4&>y9E!twH`$@(_T&lzdyV5F2?6=4 zG1rErh5&K9p~-(OX<`?sdZHp&r&lKuwu$hkfz5KB5_$6rJTAqpzUQ9uljIRwC^EZB z`ei0IJC~@%vmc}>+3yR8vq--gfjuKL(AJJ2G*BR)T;-a3CKAN3S|fyMeo-?0Jham z4Zcp^;SqkrAv(G0cwCwYRv+l>21Ty!?vntzr6Y-38E0BmQbM9kVM%r?A0o)vA2KH_+}^I?>k z3pGMBb_c0XI86{+ea64N+TMD_DEiX)W*{4tdQ|tUiu7A6X5w>t4~xX8uR=R<_WO&? 
z6>{9~t9w%02_Zip_lL`GNc73g%jUdKc=O5mcMS1akKtUlmiYmW%|zq%G#b zIPEBOcYSo^j?n)LbP4i6&Vxp`#KV0?D>a5rmZ*^+>@y|Dt zydN)WMPc(v{<1JzGqd2Bap=IqIq1UD+Nd9`&gTG;TL!Kq;mB}eW+-X#G)$>h$HpiE zt3#9gJ_4)u8kt}eB`1vt1o@e{6z!L_8%Q4N8}~kpwns;KCgJF_L4EOTC1jO}rOxU< z(@B{>1l(eqo$uCeM=4248QSh9DawF*m1Y>(ca{`mP~4+oj-rMicsH`)JbA5wT_B$Q z?iy{&4i0iV#F>t*g$>+oUyXbL}^>(mU^5Dt@*4V#vb7eX&Jq3oFOUr zB2r0CUl0-Pw)5FiFoq8nY~+Eo_k#4Pb`pxX@LU9KgVei5+^UVaztqDV4dd3n{l4ND zytTOO4a4rji|2e1Dib=Fqs|DNwPTju^ei?_=+5jcvWbi-lP+2wA2B-5WYU*{C^IJQm(bOo1N|# zHR!a8NIahRSCf&v6Skz*6d#*7&+rR*6IEZc$Q}2W1a8*t*Y2T4Y*^7RG4%`A0E6n$ zDUYcy(r;!HL}3#4TekNcQ9Jr;OG5IiKsVln##!>uV@&elXC zpzYS7_uL7b3Qyq{o16SNw8`UtWOEwU8bmNtWwIk$4l}SI=%VEeXGm?d+DI7wq1jW^<`x{Cy$7 zK90TD)pa5_@{`r5!2`N-Vrz9q2SvBVXX54q!Cy|<#BMKj2hR9!>@$@Ti^UNY+#VK1 zByS>&+2NkbBUTbik)+DgZmg{k_s?N#?G#ecot)0t=W1N@A_Kfu6k^tyh2n8>#>4{sW zetiK#VQEBmQAFUD&HNgR?;6RHq;tua`964->fn#b*xG7k5=~7!mWiuIF*ocEarK4J zVkv0I-JUt8lu=}r4u?MIO%Ezd4ucFz}aEm($%pw5E7?Ev`N_9C#QkC5ndr(qn2V?J9-C zy~pn!ujAB1+g(zXaO(K$i{;dvW=aV37Qjt-I(n~#-@0goI)*nf{>SgWf>+lwgtr() zx{`fLS9f3Q;!!c1&}H4<;qKm zSm?|yOD+~&u3dhyl<6ngJ>lo))Xj!H?aKC7wWMu1eI|%7HK-##z(urR9X(4Wwz*C^ zkcmzlbS?O=0jm^1wGWhjCI~SeK@x;`=`COsewtMAGMCVq;6;L0x5Vu17=T!UB1mfN za!*%HuekbT<(|k`EcwM{i^)>@37CVDKTXCT2zTgWGg+g*sjVXWkZg6^B(GPlylry& ziuG+vD%q0I?YC1o+u}gBt6A?&rIa_gX1vhwD}J#DF;0yDsCm8*aK-0Gw_h4!X}KZo#{xK zFuezN(?IA>vuxegKXHptgte~Wz+12pv+3rwuAe(&P#L{S>TE5g!zL0$K|9H+u}*A5 zkbjBjhL^S%-#V+oBBiPQug+$zoWzC=b@Ea+k5iY?IN5JQdw~h-mQKxuhPY}8WeGcGI>U@QntoP^@jjdg-Y9JWeXAr-6=Hpjqt~yh~wRT8m1TCCK1t7VTjTQBpPNUQkYuBT31@N=JdJSUzfk=%A-P|Ar;Xe zFXqq~tt4nW8(W*i22UB9$?IX;&pkD%h!ImTEOdd{B57JxDEf+JF?@*u4(y(p!BZE; zC>Z$L#q2v_MF9*$5!4SnYBy{u76DzbRjdC+cn68^c#})FgOorU@RQRVmeQ_^A-^=R zxSP?{d$1QUZPp2>2)s(}v+sD~SZK?}6MvrwJL{r}(@gzanmiv7OWbYeeaB~VA;k|e zsMM&x?^xW_{TM;itoQq`DZQ1ir_8<(OT%%RF^_4_BekoY{_3m=#!*@>B(f*Wm??!d zM*S*N07mIn7PcO)RnniVc-0nWhPC^vX=ISYoZVGk4s8eSr=k7E33r#p3YnSq=Zc8d z-Hv8`P3U%6zTfAw_zjB1Bh%V9pM|&Y4$&x90D8K*H)Z;34TV*qCZ4nc)4wR@0?4%2 
zXgdLcPt&`2!R<8l6UCxHJ*Y^O7a*4TF$`MQWSO$tC{b)S8_>^3-R6KKHxVznODBXp zs5+5=v6XwVIq0Rsh}?@gb7j%DsPG~&VJHj)v1heb9uJa`IKi~{C9KhNvZS`nG684T z=wX9lmoJ={N5WD0*91(JbLjV7@_inwBBT2g8^qvEp-FZAXSnR%WYa6IcAR|*j z-Ftc(2wgH$RSGFOLaORZH3}5zieQOBMv)9%YA`=&|II$nuNYw8&eNLtjZOwBdMM~j zs=NB43_34vZtiYwZf^EjHjdDFjwRr6#pkTWEJnjEx&^_r^xV!5@vA>ALzYE?f)wCO zd5XpacC|DbV3UfZhm{K2>iw2P94m-(-R8CEAp*6 z$nRyk1SQyba68hT;D!pleFFAdUW?`5x&lL!kmc zba3bt_H0{4=rt$sVIE4cd(QJ?Bz{VI$%42T|7|(S$-zBy$WB=BjhgT+gy(=ksPFMD z4}*~4pWz34qGJ3=w-5AovQ>(r)*iiwH@@T zWHX+EF+RX%!~zPZQ<`Lty9c0jK;%Z*Y3&B$)BFNrj7>q9g&f88OTyl*6T-fNLRAsM z{;D9Tvh5m6xDZE(B>S2q?ACrM#>oViK6*ILW2du%R~tROt5|3AiK zG?@%WXDx}eRkPEMbS2|vr{iUkM)Pg+fd_`{Quclkhl}}n^0Up+^(R- zs?^j5uZt;i6GiFBiDBVa9Aq|zt=TKmyI%adT;yG!CMBV{w(gq_y=hpeDoN!iSYgwE zE{5O=6)2Fi6BG|k>Y#9c{gjHe)ZG|Rn z9bI&hINK(mFI~oNr&kdBpg6E@oV%{37Ndp)IfxS2EPkCVc}kd0q3CB+tr11OSG2-0 z58^AdTa`sRefb_KJAUuy_dzUC1|n3cAEU&M)pFMq=09VXdj=8I`tn1KIp*+@>q2D&+c?d!RgBo zC}tjVd`yi?H#LcB>yE`Okw76Jw<#Wd!NBmRT5+q@8u7;9vfC?Qr(qP*4NCHg9ANDJ zVG%?i7q0Gy=t%kcLe_Wpvu2H>W^LW}n$CGI-@nj^GI|=i65o)&)uHJvjfu>3@EwUU zD^MP{xXU4UJ9~LM%URekF2E*MmentB;egzFFH>0{3^&YRmZJ7AQ7DIoykX(-mGukU zYWHlkX11>-wDya56jEr-ok#cw!A(0TtI8wO#el;|^YJnqB-aWuDgMUjZGXC$16`>kT)Q5Tf}`)!wGX$9F!iS;n^fo7gxkbW4(s|ZaHVG13^ovlhND3L8u zTaTwC#l2Anw{{hgk2})Dk;YHQ2pcjc2}xgn*dxu#uq|y1w~m{D+7^(jVuA*^^~kIZ z^<)>r?#oOC>~m{GVoDt*yHNPAA1%!TA*$CL`L}j`~u@T~XbId9t7@8;!Vt z$sa^8MJ+^CeQ^K?bmNqYNktoo)>Df6!nBb_bC4TsOn?Z1q3xpxmirV2rxV?Re5NSb zDUDo{k1?nX@r?}stew25FI7`!Nuscz1b6x4=Vgid7^FeQ9@77eDqrHOAg>jCvZu(p24Jv|iL@1T7 zH+WXuXo{0!aC|OhnQ#z8T$*`Fn8KGA(G|MN-eIPzbl4#@OfD0?q09*zS^9-=ExvJL zJj)G>n{=hTLpyZaJ}e50&EWWx4=9jez?p|sBm)^ zMo{Jiiem$dG>4}x_H=%G7cJApGJS40*MV&Dl?U6>cJ0G{h-pcU+5I=g?otw-J=DjnF`)SR)QFt7gaEqNq_a+mJMo zd?bj|_k6-3-C@3cAXNLwU~Q+wsu(^cTI6ClI(=+ibZ zu~BK)?TZE=;4bsR!qL*Cr>cEum+Qdl*Oh!Tf+Cr3<`m&&0-C#2a5Go5Cg;qgnUQI0 z{kUPM--fz9^CJ|x_{Xc!G>a!=Sz)ausF!ad_+adNu*ObBN=VDU#T1+gaQtmoJP7Tr zgMDfJS+ESZ-l+=h&C9G)W*Au$+q*fGrGp$YgOa_4!Q4&|f_VK@AS@&+@PA>aF$Hy| 
zaCdFBW=F%=v*FR>x8yM~>N7_NwFETH9dM@UtAb_<;D z;C|A1Vr8r`8yGz|h!WCkI2Wzy{MWlH2vMr>>1KI*OC?ALTU521+R2V#+z1a`U=;|x z;E9^mbeIueW7|G2xg zB{DpU4VJq3y7AWprz}Pyt?3lGCr5@GEqvGz#*xV+QpQ3oaJ4E4uV`Zt)7XAz856}K ziwP4a2<}PMuM-Lp$kl9FN_`Wk`H*E!WE=C%vemsHJL2v^W~|M^fmh>cJ2mMlMT-R`5nUmrlmzFBJ++{FEH3wK=lie#rt(}#CZv@Um?89MDWDwXiFUyG z3ky*e%f=TXb}HPv}oV_SVY4f$>d3m<{e7+HE@Os9qIR zlebZhqo`q|=%(?!b4W^8PEs9h_yw|SWQbM?kDBE_9AOx0-||%w-&`PRjVNcaJ}jL1 z&`(fFn&f2V=jZ`fI?zEpn9_6h2&`&uu=EJRJ&{NDlZjZ(#KD!?V>8}6TX{pWN5ZF` z-!NL`%M~T+RXskrkjO?kO=;!sYY51)_lh!f?mS|umad9U8mcYF{_H6MQ5l?&z=v0! zE@33Qgo7e>84GdOKFDoy2dH6c~YaJvk+Ke>Jh=O zJnt`s;D4Br(Bf~SKC&9L)2hwuSs-DV=dR2vK7Xr2W@@{?Uj$E3K?l?*ir43lZf_M) zmejTpnLhH>fe7!2c41i5WOz0_Jti?8p}GoU5dw1%1a!qCW+HQ1@a?%Z`GD`Oo1?a7 z3Q!O?Qh5-Wzu65%y)wKgzrh~dz`_lRy2p&Z9WlpNEEYMFvI@$cS*$lCb4}AXjq}}; z9G#-&1%!VFn}i@@IVh!90i<+zxC({+DRx}Kt*)rivg>H-3sdYX&}u7VaYe+1$ihbR zL_{JbI$zqU3yS5vC@gc6I9bhoIU2!7oYgt`q~7Sz5`EB@n{NK{nBc({8efa#${~ar z`{%2x5ikXWRr+CgvP+Y~qNk0^cW#Xtn;42 zeY(W~tTSv>1z9L|mf(_I`$0fuPna=cFRV7=6rQ zkNLSHQkfpp-cCAEI0@2^jtIQdq zzukScxia)q8r2n#o#xFv8~Tg%rA;?lehq)(sU!B$P5=sA+QHNpl|-%)04f&tpe@Hi?SfLDSfyFMR=R7JbFDjT;fTb3* ztr~&d9k>kqbi~*+q9-uxImr~k6scGJ+*vS5{hE>}6hoq`&-^=R>8|qjmPfi#au%|& zFyXo8yJ!QfIG4_12&oSMbBbvrX~J60ue*7lKA|wu^O6kpY(TG3^s>-2u|K6qwSHnb zK@dHlDX?W1IT-do;^h5+Hf;Q{mdn;*esiz-4jAj3m!({gnEe@)n-}GmeRh?+p@|(? zceIMvUm1K|gvfD8oOUzxx)`&%TQGpDc&Zo`ltAb85+<2k%TZ?CJyD`MUuOVo)@|n? 
zJVF>Yq4z8Xe}`Q6r7K)9&UDadu=IwzFBodlMLFkMVqkCnQakwz&>JPluTW^mGLb`z zIoDb`1F-F#q6+3lVVI)xXlDaODq>A#a5gjmKJ(>ZttU$mtdm7VT?+DN1nQj*9Te=z zL67kMNZjW%RZj{AR8>l-(-4no)7-C?pAW2w-d_xY-7c(b2@|qCk&-D}<9uovNuLBj z0T0u+X3Mz~TKqlX%?{04fDS?WSzN>F~HV$M%&)S}mS za3fL14^)v_hBBTmP5L-D>daGhqAOD_KyO4YX2kPOc*3-{tmu+6_4FdJsR&7u2IQV}ad(k-Xcm&2h3cGz4&sJ3 z=hfV3ypC-b*BN>s%L1c1sPl1fXK7@Pqa;ycl1ENqF2eZy7XcyKgE*6OS+wJBnO{QUBGtO4|EH=n7}) z`6=CJ_}%fBtU$irR+Q`g3-a*2A5!;mwET3}Zc))3nSeS>TZrCiI-GNNTh40c!aoos zcGm8fX>1a7++V@)@x=4e|#5|*s536uIOzoxKVXk_&9fh|t-lqr)z|cF6 zqwvkueHb)nh7%IZX)+gm%kYrvF?rSs#} z=z4*0<751&MCii{>kXcMI0&Bh;HNVS9;M|7YyOrVGB4?y7+&lLIk>bh3R8ZtRd$YX zPNt6g1OqOC4c9Bu`0aiXCLtz2FX4l|gyLNFFl%%dVG_dRTk?bhBPT(5S%;2iq{%7n z?oOo2jv#Y(&mv3{pflCB3v%O`gwwd(>`8OI`!)I}(OhUP2PXAvg56f4l=5V*0biZ1 zQWGZ$hR$LPV(fA9x(?rM`=BT?qGfsmJYm+oo*&UPh)~!;TWTc=_bRF{byr0P4m>iF z7bXvj8jC5R0f1t(v7{KEmcB>y=J19%&;6~v6~=HsG>$p4ewLmV_|n`;}H=?XT661}E`97Hkqg}`J)o$}ES6B-&H7Pqmov_oo`y;A`EI6j?p2kaw<5VUPW z6ZYTR?-dY>Srj7xM*;WiY;ZBKK20XQ!RXA&o|4YHtPh&PT)LP{m^@==1MB&l6azCe z+`hT<2>&E7qneE!GORJ!TScr3)rAI4Rvku~4wDlSkd(Nk^S5xXV=`x+OfQ!6VKV*W zGD@8s;rUzLHCFPh_s3KJd&f^lejdQJaIaJBub2$txS1@RIK>0!yn)*nAPkA+SlL6= z?&F7+6Iv?pLyK;#&*FerC?hgoj~gX}Y|wOJA72r+wW^MPhVG6q_bKY)^1`4ZzH35* zqHx?|VM#$~J&IwcLy~nA(;5q;rHi4b~G@R3P zNnaA!V(aiAQ!zMBRvwVEh>&$l?^-VA@{E0Fvo%Yb{KEE&(+r!LX3x=@#wsqx4_0Co zzpAVawrv-cIT+bKS~Y0|`0HuNwvx>+jpneDL?LmLZaSuw`b#Ni`k?b)C$LqV&l}Ie zW*VruIGj8`x$Dj0W55;Eqo&1d*Y~p_C;_?+3!K#wD zWMYnv0_I)vDl{Y8-Ya5QC^EV;4obx+vLbrLEvoM`RDx@A+{yWaUkN?S4)l)$;)LVt@46uZgjK+CXXMZGhKjp5#Z%y>BfP%=2zt)?oZ-`prb>MJQS8s1_-SwpyFlMjCpo`k9UKgm0Nfey_&mCy&Y1ki6$!{<1|wXUZQm-rk>+pawwZ-{>+dyp zOFYbXif(;XM6LmQZD%I}L+5ejKw!?W3i(Mu8u5dGmJR{0b`gJxZJRN7%k8qGBA*V7)6k>XcUQx6x=~vlI>jeCwf)R} z96z~@?lm$>!C}DTJeJ;1pK=~%0+!sDx0y%TX5Fwc*g1&Z%Gk$ST-}D@>BU(4 zg)=1{!m$SGjP1}sM`Q0`v52F4Qj)E?MH*|!lkdm=%t#|%eW z%9m@5+JKF)iw2~4uE1ZPad_(YmUV?oMAi$lDDV;rSHeARytisr7SR_-;12q)REwSthU+vU#GG>rRyIoedovVTVyf z$oAn^lh~(CBBZG(=sN{%#N+wYdWiTKGRM0bUkUMwrM!~REZ8v1U^vnd_+&XT;o6Hw 
zhaWxE$B^|nnt#dU*Z2*47rS(COWNboH250+!uoy{om0>_;dVshq+lLmn{n#!SSjkQ z>f))g$B&M*pzU+iQfEv&nMSShjGy9JC$V#zuIF)3bU9FPwnA86!dK*TuzQ$O9!If% z|9aF$+de1?hJwdl2m1k|T4-|L%glYK5cE>K-6@5j?196yLr2+^W09*z&|l z0*n#kSbDwJm3zhBD@rY33kN>%(6AZlgdMsf|fjjp8_Tld=D5J^~xyL{^0@{0$CeQ}-FsP1lGl^XdS|gISmd=%V zMzumK=!A6@0q zaydRZ9RuN_lzw~-J4OyYt}^#xl{c8M+@UkrapVz%KahLs@j2#-Wa$f^SdJ!=v$-!Cx#e)a%v>f*Z$u zJ({shtw>p%k4N3a*E6>~WFOM9pHL55u|V=|eTNoHaZ@aL z*4%l5QIj{--$W5cMCh&w`^`AuhReB1y>9z=F#SAh|0B@DccbdAI7FC6-_4ypFr6!R zXMLS(do^FkT4vWnnfVNZ07rpvMeF>+fXAG(quj0_>7@K>jwwG_!4c1!A_F z$94HFq97V%haXO6BnTSYAyyuSykLizAtTb&8N?{vgLe|!yE2TqI6y)#>`~h}HDA3h z-LId8mb1vLvlG<8C$1CbeB+RO3-D|c<%uEeyseidhIj>b-tukvfwC*Vh|(hhI;aYs7^l=V2oI%v9)Lns z*@v0$vSVDjAmU*!#hy^~lqm^etqKqa4INnuoAtuowKwfMI-B;&WEe%&m!5hzdRo#T zf~c*eno8rPn=XNIx#N-Q&}(gF>7a!;Etv6svIv}~6`yydypxAL?7uRqVD7k5lWi<> z#D*X@+eH8c*jRf}7<4gWr6MX+Y^Pm6&Qd217O+Azjor7Q3zkd{B>Y2AbzTWtGZW8N zp)EtF^LzzEM-2+dm3PR8Tg?DS!*h%w7Hk3sTAAh|bJ!fAuh#_Dv1h<={rMsw)L*3p z85i|Y{Wyjf;Nfl`th2#7*vf%0aF@=jHF3nhbnt0qNU%JrCksr<>buW*?j`hz^$xmn zZjqbf!rA>5NTw&)qWdl?EU!ke?}|p`GB2R&?>u!!vR8Q66gvQ|qzfnQroo-APFW_0 zkfw5&&!e#AOb+Eno?`L_g|IbpH%P0TGd~O6VCeyYx3|7r+}IV&-ZTQ~Lm!}9meF8H zp_x%NcJ+}law{-&?`J37$bmy)9S~xe(6M~UM znCazue6G50!X-ny;7?f#_Sn~S1P0Cx35bVh^Oe9C*)XJ~8;-&WBjcHQBT+;b5y<@j z4|Chk(z>QCbhoJVyGh7FuRAE8!elZzw{sgmEa;F{+TS`{aj!a$+&fTxPL?qj8h9SC zQuqpB0}DP&LJs+h&oJN{PlUM9cD66oG{+B+yw?`lY1>;X18KNSQg(pIK_`{#S1^1k zu@+>G>(IHH#U#P75EX186@_#eo{|*z!VHr+7RTXqAExEfZVrUm-Y((DK&}EY@fypBNoUr*)KQNpN37ZS; z9VC4zfV$mX34;h44w)|k9DI#hKN~xRDs_+%GMS^cT*KDGy?ZujeRFN5*k3J4Zrk1| zF06Cs5j7jf!;DE70{3cGQ@h{KoG_^bZ2$ayBOi}FiByk4#0)D7t+`97sr~R3g$N=) zeD%)y;VTXpM6W;v{oyN*CRXx(_==i%mkBdfc=SUJHE`Vk-d4z4!1huYjg9n-Io#1uw5UMd6bf4Si44Chm;=EGNfCom%pR! 
zdS_joPpA}~OwL=%Ius`7(R2bL4?Qk&=0m0Y3t17VdyW{&-r3cJd+3nyGRS8|;G(f( z$q;t!JbV(uvz|1X{;}DhOEvvQ5$cKpLST9t#K%}-7NjVMVs(iOak+B>i{;*>5m@*L zhmt@iN%ki9Z$tO{8)8Mvbg@jI%gWJ##jrF&Qh36;PH>sdNPIjPU60S?T#-SN^JS3w zJ+{BbLm3Rj!{=cu7!b4sC$Aw&vM-Zipln0a;+VyI7Q7dzQIZu=lO#M7)9^fgK1~a| zXP?~8ycRJC^fH&Ju?uJDt6$y1Jt(w8WtrxF9}UX7MnI@QS&8b2&3vED>5v|`@_S-ccE1yP5>1s)d5w`8DMYZJgF(qL_6)L@;iI;06 zm025XMQBd3MeN^>=WM8;QQz@KXztW9dl`7+>?EYAR6R}1V!P;Z#S#Z_ANx*DV;b+f zCwE4F=e*mb-jUrXs2rOg74B?^i@7Ja6>hY^{oBVlYFOPhd(=eT->#xN5*B^p zXkmx^;&uMI+jefcRqka$nLn)d8&=fmW=b$}kFo;9hJ$O0|jYV}CIN1+}PUi1H4Z2zN6R;q@Yj9Ph{py$9dR;;m$X z^~MjaZ;w8pw_C&lD6J)Z2NCxOBGX4*F&Nrghbxc+Vl$HDqL-S{qc#i8wfjW`mE=B7 zotsXs&lI+QJKH^`&U4u?=mTFa55_f3A0W{ba}%;~uT$Q@Mdzf$f&dR43QExnU`#Ka zDdB(`FjI0KN?EDJ->}3R=&-~NU8%DUh4AOTS#!E9l7x98-4JdI$JOBtEDs*T3xE4c zmWm2Y{i1mADOo+5UOu@a51pKQ<(b(FHspj*PmwO@Ayry%hN(@@r6`^w{&@RE;{Wn` zuB1iZv+7XUYwaEp&?v=*o!nw5&Z`+qwtcX&5+wmFoy5KC&7vd?8wZSOa8){xqY9Up zuTh$jOV}$$_kQS-4n|~`Q@BR#}aiyF)kBG_ON3ROlZ`aOeo$4ly>Nt!0yZAF)wr`GMVDVQl878?;XpsXrYBi@x&C)cd(hC61YJgzL5J} zn2da{$Zl5DDPA8Ik0RAjUxHJQPUy7RETX0ZeKYTZ^C-Hz0?D+T&Yr>6D#B?6@D_%g z<7?b1^u~qB>U#>X_FF?xTk9^+i2j18D7m2~3Oh8|{;2!$vcSHwa@xZ_?BiKq>`c4U3Sb z70+~NQt#v=KUf%LqsN!#GjIqc`aZaaHZ*yXk<0tgNVv3uIt<%mG|AxZ3v`}_2f2}y z0sR9BVLy*N>OYjQC7_w}tS=RWFO?{<2Z23{$@C75TA1v8dF~<8nZfdgXmZiB?p+=5 z-m>kTRm5VdUU(b_FKYB;(s)R{3WKEBfN;Z;rxtfOC~8yvVDkn+j_jgtk%aR_&u>^M zGLu9@`s>m(iwdA|x3Vnu4~ke3WdZ0N-IrCKk;pUF$X(81A0=I0+csRIFOdFe$aYT2 z!GNt~MB?uWX)?8y`J5&zvzG3AL1d=OIK*t~Qw(gS*5}uj5zgKc=wA6ip%Z8mra9-K zLgMljSP^+xxKx;MtizyR2?;M|YxrWZ;l;@6A_!H2F?r>vBbfoupVL5mhG~v5d~cu` zh!l`ML~rSVKIRL73;H=veO~TqU+DSO94u9S!O0d&A0*b|R89W%h4MC4M6!w=laZ{K z@iYrxRl`;-EZ)Q$d&BtEDz^b8x*5+QTb0h6M4rjSgMN&bN!anz`Al=Fbq&Q?&0H%F zH!yYWN#v@N`Wq;+#6r(T4aUUd{B>E%nJ=2B*6wc!;+^8a2@}){u*?n6-FxTE39_Xmc>V^)uuaVT}UMzwKtodBJum!!U*Ia*lB{z7h+|LQHW%#9J2L!i^=4 z0p|uW0jb$BSr8W!b9FkLs4}cOGpKtmE;7`&!xfh0s>qh+@f@GAaF#AlD|D^_F|ec9 zQueel!?EpH z%n19XhAlJe9UiQ85G1of(BRnf2;=e*)4Vh`|BG+&*k0RKGA{Dn_H{x&r}JP4iYrXM 
zM_#&2$P7y7wDheGz*J0qV|ZoF()NTC+qP}nwryu(+cqb*J+WyVl*sX!%`nCB7Ej$jKVCi`clgQc15^>kEvomyX^WF*UXK#^s9) z`Y{{zEpQ=W^k;GM6N4lSpVAKv=+Pxz!u3=JCE*d1V+;nA(oFUv0l$iFR;2EL`8x+L znQ}ZS)^O$_OwM6t_&d`S()M7P6z$VV`{^jS{~#@gGF&qHJ@Y*Ol8SMqfG=a(>6|%SePl%HItL$o!RofWlzZndPF@4b%nVG-FISJngnW;K{?lcK^2YJPM49xZG8^m|Q5 zP{NNHvp0s|)m}OX{b_|OR={Bpl&K`ZX~0C}sh7n04v}5cp>#Tix@aO_*GOC3FNJY) zhr6#5G5K-1?@SY}N)u)9J}X!`IejC7S^beJ_Q&|mUnc}=&Zc{2p6zV5tON;jkR|s# zJw#7Y*hS%tmEE0zem2X>aP`CKEDl0TUKv!sI#cHgwH9&ij7(wO6FpNLgJw~K#Go^9 zn5(xd7D7w?P17E0#8CqvgM35YX!b;S~Y$96*+ns=edZfX}`d!pB<(XjV#d!w|AYLc)bT{2t7R=c4gX_5Ei299` zR;%`Vn|Bm&pwrOAo884UH8Sofho%hw&=V<=hO2-wr&~K1pw5|ugv@QA7qO`PssSP+d*!6q(V~DSr)F^Qf6+fOvjb|-x^zFDmH=;r!*oH3WO)|qzLDf!O zDSSh(v8h10UrY86=bCyzhBhDWtgrh>_iMWVHbl;`d7?~t1G$oE*e%bAtTG|!tvZCD zHtKRvIFzyP80)`&A^84;i~jKXe&Iwz@g2DfV&T#p|du8{7Dqd-B+Dv#nX>5 zvXI5GFmKJ)p^-!H(G_tdDpXSuUNf{O7-JB3(jSw|oN(B4!1pqXoNK(Ah1!j~Y5IbS zA;Vlx0E(P~^V*ypN_YpnqL`1z>IP+T`Dbu1Z7ngw3~Kziqi{$!$%;dgw0T=d0VKoW z=KJGoB#Wdg-PQi9_PLaKarUIN7T`SQlW!eZ%E+^~a)UFAI0Aa_9$7!`8|uTAcZ!ceiLD10o%l^%Rem!ER;08>;VvBu9$iuzXZNk6*o%p50mh-lf}M1al6rWgDjj_IXCM?E zj&8)Y_iTQmT#owMM^H+9Mq__ZKE zq52#Si3>{N98=DGkwR^;=A&V~JpxA&dz=t{cle*We%j@j4;1vym4#;73>Wj=$r-uO zX(IdjPaIx`+1n5oXIBTKY@MA$3x;II5bSY(7acI_P7TuJg1`a}@E53QhU2mVY5mK9Td^!o3ZxSWSmBA> zfyO~CI)tPFDFd}W?Qkp^pm~FqIPmCMRCh~IUiAP>r@fbnm$!;SF36xU>6Or)jg{pj z%K4b4G;XKBos`W%UjXOjA2agqoLp`stG#cT9ycd5@QmCH*VgGWBcN?=fbA}Gv18-z zai{PcSGM#5z{$t8CfWRO;mEPIJssgEb#@KB*btixFFBxnEr$09zWaj^73ut*+JNsW z+EOkkIVV6(((+|vd4=EZP*Xv;@3`@(2wpZdE;+DhrJEwm?Z>E8svR2}g~bFT(g^T@ zNqs?uHXhLB@(L2hg`!gIh^(Uhhwv#d7&kdlRC_W(w9tX^1C~dK#D0BaAE%#VN+n4+ zU#P=ji4O3+n;II+V4V)sR?pwp^ZwC7cm28?fFb16fWbvbVY8JW6VVG@r5q|~vB~jg zlc)f6&iGu9D%#_uL)qXT9kF}9;`#0x;E0Pmh=BxSyk;`l_MoX{vsCBN&>ZI^ zu67fQ7ix-w&BZoq2py*aF}cqXzS=wE!*v})(Fd!W3<3js1Avlg?C~`}mA<`%pNGjm zag>nze8p_FI=trp49Gkmo1C@E6I+d38E{jv?rz#t!WQDzQy5sMTV%WlUUcC^7tB+O zV=b0B?t`l15O!hPaiUsBil{rh`&%}nK4<8Th_pmuh}gtcADLdvmeqi|rcpi#nKOZG 
zu5ov(CUO~;Sqnvx8UbN<+)KFcv&f%=cS4;`-@yCF^V4Mu;I(vxPJVO!TZe(2Ee`!O z@H;(zB@Cl`rA6KII7&oB((!Mq;%5rB?*sRF?MrIi?9lD8s`bd(Pt(d^BqZw1(X3W1 zqx!u|-WOLZ#<$~k{Z(}Ra3YrE>bG`U3IT#{bi`S79E#S|s*h~Gzi=yx`lE55u>@hD ze9;Ny(pfy!FSy!JL%%$zw1|lCtL3G)7ejZERg1S@|lElcnoNZ;;U_pHl{IL6vOe&iLW$)GA_OwrNm95vJAD48&GJ zHN#L+6#A{P`n9lJYT8uFX7??w!YA!6VD+fSZ|%FF*8Nf@vp26wnRfWgMpKBlyeFHp z4?S*fv2Z?xnC<>s0|EyAJ?|OscWkz3xEPN1h;I+Y1CdW5*F++Ndvzyfqj7R;$o8Xe zr*CeR_~Ay-=6HV5CG`^V(dhx83pPSQV?%Fz(l&p{FOWynOV!aRoGh}&?0Q;gY_M!0 z1+mJ0frfWr1@-T5E2&gdi17FQW*U*m5Ncj^Hh=`N9QMFd_`&&VlOs1i9~|gNTQE5C zw0)%KQ(Jh}`(CXOP;U*d*1=|;QgO1^d3d%`6ACDX;BYYN%k3@QS%qoff&y+HiHJ8< zI0`lu7OK{FOk~>F(}oI-45{7P%fRS?L@`p_2~TuOR(iR>2`))_UWgYn4J&uqH>XD| zJs^9sl@$$h8W$;s3DV|Za{r`dy=_$IjW?zkfG~C${2p=QyM^$))B74Si0ESuB!%0z zF%cW$`5mS2qj3YeRa3@LxpuMS+4x%1QFtLwps?Tvl($)}Q7Lm6KKcQby(^P2Km5z6 zW5P|4oQR<9A4aav{)Q)05H%}%15c>RZ*|2&e~zv!CgAZ zj|=x$_C?$go2a9etdBMZY}-YjP9%hCiO*~Ak^LIC7_No+P937?x>nRJ)w!MyfensG zGGt~Pqd`pFh19xXt`7tFgw>6s+Tr^ig5XiMIU;f`t|M=YlJPrDLj?Q3-JXu&k|DH{ zU(NcZ(fk1Cye4<`&ZHKQnHQ00teTSW%;$vE{>dSL|KSX*EN_i=VYw~`zl+7Y@m>J>B8qMg`q(Q^!Rl(1D+>6VR%OR{K;*3=gjo!g)M2NE*pC|+H z&$C15<(>-eciAa40NRaglCk$B`?7IhKcfdPNC z7qY)WlLw!Fn3+9lIg+Sb)DPv~_or8)Le zqqVhvwZC&BPLN4GcMGVrp+0ySlXq@5(g7D6i5Phxuc$LtScqC(F<*KsE=hM=#(tx9 zUBCL6mG>ck7Ji)Own1Es!~W?OE!Tb5(>LjtZ*)0Zk|$ee7?z>Qc9=OZVh7-z#vkU76lF>wW2!SujdwcI z@Z;KAZPnIAL(@*O#bVk$Cfv7^+_%3iXndIls4^TcLto&kb95;VU&+xgiqmkl54M)L z8e2Pg_;GbGcpyH{$vmR@aKT z_S#brQnv9!kMpQyV%R&TL??s$S-NbTRyJH;brso!~(p-L83h%|m>ci7{d3kPad!p*MW`>Ja#ckSh(qB08?OLc8 zzz4liwui{!v5If&s&{dKZPBqcin=e1xr-^zBLKn)^L8pLD#A>2dd?LFH|y^b}n@`<9da^ zYx`Hr=VOfku6biH!Aw{9Byx?H!W`@iE^^Jk%IZb6xFpAds?SL`vsO&CKmzhR z2^;!RN!pT~%#!?=Ik%%{MnJ zs#gd*lY)GVe5VbSb)qv$M%9_bkYuj8x_lthEGP`C>p-Xz@f6VpR^Q^u-)@qXLV zMpqn9g>Eh+y3yf_a%vbseAbDZyH9y3hoIZ*o`Ra6X ze4@}^F0Qt!F=-*HvN6uQbYHeKM@OkL*0<3m<%WDh0`YH@g20w3e0e0qcg&#Q@XUz? 
z`W>Dp(s+nK4oOY}hr30FQ>l6_R(@0Ht4{Q<^??h?Bk-+@y*FQ`@ z_WIont@v*i2p7S34WV=cI%r7}O|?Px>ORB5RbOzjJ)%*E?fKP+m&${+SlLscYnJ2= zC%^Hg{eduU7M;qAD3Ef;5gi*W;Wtr*(!^os4*QY01K8 zN&b{O@Yc11XBoD4a5q1ri#f3sxxt^wG%(v&k_hFWd zo!^UKDa$n8u7SFuiVM9?mmv_Vrc3|#4{@_4r~6yvDs4ZX^QlCGm4+QLqt&ewA-r03 zKVIm`#5&y>;EZ4dKg=@yATTk>)pFB-^HCL;*o4<}O@q|nO;0qFH3}r+2kW|C3P`Vq zbN>tA83FVQOImP1=M@bo(+_Zyx$Z4bi^O0MShRa^bxg?n{%@#U(G2pV`EcB^{M0Ht zAwX13tA<(ezFiFxz=9y3Oo9Tu)G!MQwH!#0IdMHQ2zh;=jVz0mu_PC`@Jv`IA&^YY z8gsy;50NB`@23)kAoMcv`9lbI$%~aK3U_PeLg0Go1j12-N0jC2OpVFrgZ`l_EAvdS z0EuQu83a-3s}I(v8KIVC>MZs?g5Ulb5BY06t1YShk!r}dsMJ);^iWT*JGMW#*=8)W z(8wkyb^Sb~u3e#!tmc)RJq&`OXu^}qO0~8|Q@N^4FczPHin28*(ud4rnd!9*$ini} z=`RVkPR+@nG*kbXfOUGeikUaacyx8KHdaZ#Ugdo;(>}I>nGJ3AJOk{5R&g#>L4-a) z^)OUg1*KZUSNO!x@64bUb^SE34_HU?^EvNHKwb^i#fD#Z4|GO>0zFTF0zJq8-fwd4 zQp1!0GTp24(3Z|+krD19!`zSt{_}rB$K7%N?@W0^=Y#RE81n6{E#m-&Siu_*Si8Rc zXPyOMQfI7V3R0)D!O6?>BwtpO3{||^Yj8_e1WGf5m@^ckZd$ZXijI%sZxM)~Q=ddu zuGOb2g3wM!Fw}YlD0lWSp)tL>IvBk)Pd_zZ2WTChM?u172)VF0P5T;+9{Kbs8sJxj z8PEZi#q+d?#Y-fR_RZK--!G$mFeM04G7==aHr-4A(>ykl=%4%FnVcs_uq2a%!yIyJ zaea;DGA?50i45{{3zt^+%ZgkkR9=LvbI@89g@9Jp;o{^;Y2-vrY2z=W3_nNd6#6mN zi&|_gz3WYlW zFh6ZVVR%C^N=1Z~W4s0egobDReOpUQ%bNuwQcFBJRYrROF1KJD`B~l zHY`GKd0PI3Dh2!gtvN|CkS;)U!cl*@K{zCn`DOb5vV(OQyW?dKWBsG`X^EL7N7;(h zCXK)28OXW_PccyM z`O80bOJCuiEi`p(4u$D%82BG3P!DC+sxs9~#pjP8>;u4*M{I||bLwjqh0mnhbsQBt8mP80d5vFlKzo})QulOHBVM^?mMSOA17 z4`u$XN;EWh;9s0q`9h;|NG88u<^M+`3ybO!n&{+e0o()25*x+btjfR^yKqRfJxpsJ z&Y5L}tpWfMaQxIJFtP-d=T;R*lymbcVZ69TJ*nd8M1nI8G zg0fOr6$k@M;Tr|6Ck>-~WNN!-et*wT2$ce7i~1rkr6!bRXjS`ehCFsQSS9HtuF>a=5Uh zqfHi}BILiSn0VWGdMkx~dNgqT$xcbonAMrB>#JzDm-wK1}-H+q!0o z7J;a6lB{RYMNxt-M!qn4h5~kxg++tp)rnI6{;0q#jgS04L+6i?b?rNaz;!YR0qSP| zxhte%sfLqnp4BtchWhIsgnQL4Frmm%N|K$+O9~@xt1)>~dTsmL~PGS1CZB zJ|TK_W$q#i%i3Ie6fQn&j@Zj{Q#-3L6xvIdXY&71OWLc8L;0kYp`LhU;&>5`QfvL( zB5#(FDbZe2-OD!MtG{!_ydjZWiC$`{tHj*Ao_GZsFH^qg`JuN}NU|-U{oXtU4g|1_ z2iQ2BTvXaC+q?9Cw6?5WsX((Gq^U{6t-w`kYFe>&Y0|^StZrZb^08&@cDd0fH?ol) 
zy}1f^(V}&23scW-b-;V5Pgj*`IG+k%M&NlV(8yB#da{^>bs z1e0vAoafutoVX-t2f)yJR&IAiC!`(x%BKwVY4Z~pOHh>D59^d_A2CuR?4c*K#t|M$ zfD~Hws#82L=#ikuR_-cMz9N@@wvQYVYYd`6?$foQbQuqbY@?+L8E!Vhg?lF1U&2yd zu92#K0Cev%m8H1>roqyrT&9J3HzGFJnF9zoN~}yO6<(Ep+mpW9S(aPf3TnK`#nkwC zyMCd5&08KMBvzixrqlDKVx16RrVr=*dBeR<33@M8031l_`zyq$aLI^zPsg zk8s=y?5O;Rm=Ha?%72^|b~bEeVPu@2w)w9U@~w(6G8vRk4qN`kL|KiuFfny*&Eq-% z@$2V9xclCm2M}g-VcF`MPnI~>`D75cQ)rnc5l&zqY)Z0D-q~& ze9xC{CNlfwNrpmLr8Aes4sHPLH6avBx?y^_r|i9)80AI=gwpJUziDQ;r_Y_-ADSx} zi%!qAS{cAx?YBhN{G+3zC1_(7crYKhj&)+k+7cMci=8sb3iOV%Cf;M5KwhxlJUMH= zy4y}CZOw^_fp!6+0gic{pct_5s0i~@JHf~d2VI)@0dUvD`VmixNYU4czE7dUNRKJ z23R3S;i07z3U@nm746Kl!3y9oSe8V}LShii!Z%ONsxQ3)=!zap4EsF`(mKWgmc=^h zKZP|qCL<2g$I2HCBeYFWu8p`IPZ>lt8~cwFixplUA4AaCc=Jw>M4_2`xKSaRiD=;pWPIEVxF0Es#b z(-wfdHld|L>X6t3AlUWg3G**wWLo1qgx>n6>to~>=8%4&b4X}uUpgeV9thMyn?6_d zD=9VA4O8j@767bT>o#B44GIs>TKUE{1i*{`5z|hs;=`+O(#qz~X>fknXcdAI4^wc#5$OwbIn$6W|Pygh%gYS}q zLH~jn0@n6f@WyfHzkskf>4ER6?4fYp2|?s)(wGOPe894&`oL2H@r7^JOZ{@y`LFUw z+4#&pvbu*`?XUdG2d$dxSNWgE1|Uf{pR=y23`3WK?}bo;VNEi~h;-#-PLqH!|DSbE zlsuJK0E;nucup<)2%_vM7=*$Ur8rVo=JT^ zDL_ZES?}nde`NPedgf*;yn2sG6E`g~7x6ltu_^)*%X0zle*ouMPGEjpj{9XMa8d3D zEvibMOP^0R`B=!feq7p=U#fuoqAoan-SAHrC;&pM369U+0C~w=ff|sPI(sCxAN6J2 zZO;$;zW|W)Hqr2uCivfIolFA$oB2$}QgZ`f;Y{qWUl1RWg+6sT%%@~Tq>}1UDauP% zYavA1;aj9!?|}KpO*4@=Vkaqi2$!lc8`NsE9GdXguw&8ZV3edGZ^|MebT|{wcew(U zHWF=7gRP(kGHF(mI>01}|?&if?Ho9iIIJf3hNq>=~=#{}f(6eH~8k!N=E1PiJ-6kbpW0%x3Au77vkDM>!(8l;pI_B5F382qVj2MuQW`m{ZfYpn_7|D8 z^!{V_=FjgVm92^&H&AFwu7=x--5Ny&qr2EQj>DQ5;OK~*3Da39p8{_dF3(7&?~{^M z*g^(*;FJ*&Bduq`VO}H-#<_452Sd4ASL@o#`ltMU1A!2t-z2u0 z>=7p-BLTcP^!1XAlZ7%0xf)YcYQT5+(1^HgEwU!s>tc$>Qode#@Ec5_NHxWlM3y6+iysH z&~YF{)bm^wJ_vR|zD^$%zLgxO?lQ(rb%~p-?|T-+k-*v|EYw=$mzLDa4oV_FIy9v9 z@e$j6JH@tWv8i-gtcWW(T&0)x}>UqX6(xUOxF5jZp zRXz;7_3AEo&+j5Vd~%kZtGE`8iZq3l;u7**LG1JessqLQbyj59(X^a-ilgk){MejrI^z;n)KEL)rUv4#fs+%iVqQhy) zM0&K~1?jSVHG{DDJ1K4L|2WNBNFPv3%0_S>x3(g_vvjy1hhAT-OOaBos(GYdNZRnef3xK$a9WO{ePxMFjhfKT^5Xj7C(mlYZUXO1=L82c!WxpF 
zLGA#`|M=i3URfk5lCHH9uu8HrT!SM@TQ47%G}X-+4ld%9x*gz=WWTawL@0DW3;v{c zURH0UN7@M5?bXNc_SyWvz_#8DKW1Z{A>U9lfoQaulV35a?ok9W145t-QLGTehJhU`kZ@l znkvYgoE-gjy853YfzhRL=>}so#YDZWKsABb0&(9<&=EvakdD#yU+KK0vzY?3GkQhV z+RVC?u@-1~RJhJZ+L1%m)s!ZJi6i_kve^GzpWAL-K^YP?w|K^N~{3P^LzF4gS9GKi-`%d}$m_Zq^ zb7^1_(baXh7kZZsHYNLG{E=E!3}Fe=@WnoBjtdW7;}0+~ zY;MF)37icM=tz2r%+~3^UWSg4`qP^(CejZ~RQ6lml89bC56q%Z&Q32SLP}Fq@<1eC zjxITC(3Jra$gB`{s8nTsZx7;hF45Ct{R`R?a&b8>ZAu=H1fLF=%@k}4ehr^>ZOYeJ z_<*I`*}_IneeXo%`xmcL!puW!HB(U?GLKe+?@ zP@I2PMo>PPY_7*Zpw-PrMn_bQ>*`l{#~~f^;0Rn($|9{tCUduOL)#KtS|Fw70SC*m zB~DBnDVEYFMpRm*4=0AzIk2+R7d;(U>Ckh(-WbeAl&{L{{YlItF?B?7a@&~VL*es- zT5oG%`?@w=QZ5mWnBJI-2hEA?@L0Y|ZrlX;J^i`PDo`O};jrKu#Wxkv3k$91=Vsv* zpBuX_S;+5;WlX$mnU|8{XSTBdsp`&rA!2I3?noqG`TPN5_6bWGF)z%p*wnEF!0Mdn zFO*1LZ7;A_o5T}nX5e=rxQjsPE$Yao67su8Lp=v`s53F7iW^mL?Hq|-sUs4gm59uF z{WbIv6Dhnl@h~Ot1CoP-y~s)Q01cs+>^MFyhzV|+u{1aFdiAP>Gvr&P3fk+x^=_Ww|aYVazVjbyrU$Q6b_2ugr>ls zmfl-uhCVeTk~<1%>v7PtLHC9kKAyV$#v7+|5`s=!PNpc6Cb zP>JA=E2*1&zB}}0ASEqE{+lLy5mzx1*A)eG0u8jw#jrmp_-&?4yjDXXbpl3m()#Y~ zY{OIdP#;Uvo#sZ(!9xVuviL$`AI{oSL$N3d2Zm6z zdE<>*0xc>kn}wN6NO;GNnC+1};s*k@jm;swB~88DZTLMfye_h^;0fqK;&g>LPeMRj z=s8nyq>1!-f*uccX_zsO(g~oDtK~vVp^@KxwOs)gtpsP}YDDjxlmh~5M z3ZTQ|dGR5Rg!iQAbNT2z*Jt&;U~h9fNIdWHzv>dOJ`xw%QBIK81QUAv@`Z z6uVNv1%MyD@`4LmeFEbt8Tf+LOcjB&E}+|(n?0l;E*780IPqNfWH_lIk_1;)I;%$Hpw|;60&I^LkZcqWhX>OkqX-O`C7dxtR0dts~gp|Ffiv@Rk2 zd5fi7%U=&e%=lFyaB3j8rwrWBxeD)*X>8@AFis7-Kh$qj1rqV~fu_77(Ip_H8=o9A zCtk-04%cd8CC6kX=r3zg9fsROCJsWilQ7xoAx4u^*MX5+c3pAIl+x^Ouu_B;GxNt) zlBIL%m+E?crThvNgM0lWz1}z;b(>P`NNTy&QIN}OgQAFTzzjRVUU{l!k`Q{bCEjCF zg;@|7agk!C-T3p){bdWj>x7W;?CJJtclEY%Vfhun~;Xln_Jeak2t z`1Z?zA+Ki?1MmfQ;;E{G-c;74Sw(ZQc?PnuupZmm_wPWNx$|q@g{iadzWFpXf4m|1aJ35UXK2*4rcHR>72%@P3+yj0k1LuRE8@OaqE_OI)uM16RdoEuEu-%hn5r2* z$nnCtVI4-y)o$A#&ihG;ua%L71$!>d>*4JiXwJ`pqrg$Xlxlx`^PE-S9x0BY5;Y9< zw_(|XL?T=0G&3d%qV8T>z^_}dX|Z7F5LZ>K-*W?%+hIowMb5z_53iq39iyM2eN8!; ze9hQ-M{Oj*mZ{=Ukk!{zXoJ)hluGqxL(vqd5Dvcq=`;DTGA^Z&9+6I63AC!elSe*x 
z5IU7sBmh8V^@}}4F*T+_s=Ld>PLG#a?~XYQ6G{4bHxqWMS4!&V`rGufg)Q2a`5mn2 z=}0E_q4pI#<2eisOW5P`^5Zg^o$B`0sDZIBo;oe@?7PMvWC9#6;3bEUcJ~yBfb3so z$c5uk8>GKSRT9W^6o6GxAB3VzZX&2-`3PznDR>n7U&SdEbmT?nEIg120v*e<^y8qz z!038!&#eP;lAm`psC_wx5Kd#pQo>5`mXdN$nFEgQs5>RFuZgOj0;Uqq_t89t{Eke! zx^mAi8S_JbW~QG-Lv*LDCqvZpZ1qn;uDg+kYxJw&2k>&%q8(TVE<_%rozAZ}6=jC&OH&I~k@?trXzs3ak|RPp4my*NOV>H6lGt%ps4NbyMspCMu_o z68gEKO^t>3yWDPvoX$AV-W0J?8(H&&Epv+aj_syW3lKd>khow++0Vh_lZwNR*b0g%^D`31P% zwu~focQH*~d<+ErdjBTE9u$enm|m;eK?feHbz#PIhmLla-hx8>=k)H{$@`C)OL)*z zm53I21Cf>7t)ViIm%B$ncHx31IHeEO6W+zG$hGuv)@9JZ6b@OlI){5i@XNxS(Lfqu3Ad5sd1=;P4_G%bP-1zh6W52(5C+` zxSM%JGiGntbM&x$zwg5&eeg?8pRJwI(|q^v%C*!n>T4~rIhhx&)zQn+nSb{+mDY&clN&%bz#}fr2P4x* z&Bsy#l4g)5hj6@6;JLliq#m~$TxrlQ?jv;L3~`w2{|1Vg`iuHZvXR34RNUi-8}!X) z1sR3l{jNfK)}&)Tsz$=9zu_ZK_n~~qZiR~avkNMhz=81uY{v(k~>NFkV zZ~KQ^_)EU-$nMP&fXU&N|UYp2wDG*zP*RY-)L+GFEg1(XXg61nifjvIMSH`gG zZX}m`6S4^O-6`jxF_tL|f%)8etv?sWx)*3-yb^O;9qoxGSJ4|Vl3*@aet+^9!%+{f zeXzmzzW3*M)Bki6R7#h1!+r>Sm(rv@ooY)mVQ+L@*;TY^7JL2q0=dY#sqku|N4j=g z<1f_CZ%TAb)Uhxd*^t6Yh%b0|YYCJa$oe-qY@&|ZPSe^XQX<_o7s0X4G&i2r)XcEL z1gJdrXJcYBH>-)rf-K5h6=}>bX#VGf49@H0(TIF@HTd)2mWQrvI|e#74C~1O5B-L! 
zhjR{Pt0Qu)Lwe~zcptrPpd_SIiw;*Kr$}t&8_k$vcpk%=L~mpuH2I;_ii01)Qa-R2 zcwwvJ%gR5wY}}2Hhs`0*tb^@sDPxr79in8t(qH~eX3{4uwi8-eNs>2dP~fm_?Kiv1 zR2L|uk6uqu@iEY9BM{;iiS!+_=+=#1D=nShHe-^hnrFmwWbFMu_H`HUoWPOr?pB13 zyi5Txngg|V4~6Lv7!F@Yl9b5MHnGacXQUQZ_O1cF#Pt&lItwjB`nbe3Rgg8o=i!HL zIDQs8l8Fw#fV1Hb^smE}_?%8ZI*_CS#=*{{@mW%m3mR>Zb@cv@Ukb@B%xZ(p&THcn zyJvOv-R!mS$gIGFX-F zGW#_`+EAuK{G{9_J^zo|0!#6H%Gw|bP?NEaNVZxXHN17YWPL|n_ayql5s;=Eyf(u* zBX68lV@jR@ zUZ6oWFJ2;%Dw(i1(LzP@a}K^S5w3tosW22GQ_)CvaHq4!I{vYgkqh(lF^FPQVqrSF z*Ta{KY_c>bQsPWGhyQc@y)G^X3Tz{Q<2QOlQmyF?LglKuk5|w8Aft>%9qp32qlU6n zTX*ge)t+AhdK*0Yt;v#r@$M&wctQK&76Vh>w{gW1%f?qn4BK2o3?6?hMyM{#cS1rUVjinqKQuS^@O%G$* zM1#Gd)PsE8{)2wEs{^o}a-w8>+7AL|+^{hWS7%O~bcT$BMlHfYwvbT6SFGALC^|A3 zCWJ`j08a^OR6ek#103N#3g1*IoW=(D4@$4xn)v*|&qDS%W2M#>vABRxG+N`dUaI(W z#^TNdJmfcJ+kON#PH{vu7B=^59Ta&9f4}p`75QUc+OI)0AYRU0 z^Hv4pE!n{jHV5mnY0|t`BoafzGgl=BxhV}B0N_$gZ6GQA!8$u`j%`t8JISj6#uCr~ zde|q9l}H3VOpXpAgb)&3s+LFnE_M1u0?`dy7#3d}X~U-b?y&(H^}Oy_ZuT)n|D6<` zr6{<{x1IAQU4#YOA)-j#j%_h^(x8L$V?=tAB494nV@MQ@oy6t`<!8qHf|)t!64z#w+$tAwNG|^Gl0-e|z&=20o%w zP;6s)=i3?nsS4>&xeRV!GWcE>V_X6mTlBM*=mLAP*+UJ_RwIyjY71-Vv#axYas%y< zl>*VJMrhVLLp>6AWd14&#riv> z$W}S&qI|@d-o@dJ$9ZikCU{ah20=x1K=+2@`_62!w^k`0%kCM^Sz$3ZoaKETJpl#pbYCbq%Y#>aq)vk9Alz029A(!02)m?_)DG*O=@G&qgf6%|TU zij9>X9Z-Fj6ZGA+IUX|WD4VY2_Vmd~62uazMGmQ*mWS--zAB+J;MM=b0nVOsdRJhG z6QWE*&>gDroTpV;C-9tPCjzPewqy|1U$)KBB?dz)B`^u&|Qrce-uy z*M#X00;`Ldl;OhwqczmD(i$*cDND&V$uN2{y5(xJk|Lqe7Fe>Q_btR*BD6J7-%@mw z6EBBU_4UUozV8ffN%24r!uyc zkf-=g3Wy!Lt(r@r9)NQ=i!2 zaTAEK94;D<^c2A0Jz|VXGk0YSw5T1Kw&AVDaB{|=|9HsYz`Oe#u}+OYr-;RwDfYOy zWpBt2G>sC)*+gD?L6J&v(>w#woA!F8+FQB5r%OoV*f5H160Aj**%e-R8U;?BmNMEo zlp2~1ZiqTD86#zw!Xm(mGR%A;S=nL)GsKuD9Os2e*KUb$AjH{nFQKS)uODR!jC} za|bWA+fX7}qDIt%r2Zkz*6Q)3Y`t2oqzc|Rfv^d> z4WqPJ*)xW|!yu%vPg9IS7lNo!jTkh%2+H@UllUh=qDe*?agb>vy6Jq** zv#I|_*Ez+A5`1ZVY}}? 
zm^In*|AHW;a|(5d>|kx}7&b%YxHYOTdyLmirs}DefS7%bp*xlv_Pgxaf^m|OQTX7r zxIo+vOgHyeC9Mkev2ryNC@D=XI$yWK;GK3JfC77~Z+vnOCVk=aUIBje=4QRi^DH+$ zyuxnakGQkM`d$TgVQkr<8E6!GROOv7=?oEgf`n8-`G}hpr2rB3hZ_#YeH;2|(X7#- zT^oU#VVoA3>a;rqhTQputG6*LcFiR@z|?9`9Q<2S7`gPu8DZ{$u(J(n*C7GVE^{Px z=LG*1dCQ&*(5r=q0aCH(6I2mMgP93+Vx~l<3mZ`y_Ez}YLyi#TPoRq=sWP0NLd?Q0 z5LE3Tb%hj>cUI+{Y_LiyW2a{b3o8HB3m=0we5g`KQyg1uqBftqvq!h6@y4Ib(&$jF z?k=o0OM-+Z)L(O4HBUg$fl%zQB_gjkq1k$@coMG(3`HcfhBnJ>6ORKMVhM=QP7Si* zeM|zGMw-+DlK~MyiI^a=L=@4dM9Hx?Mt;XqCAH`X35=_6>vM1iYv<5E~<$i8d7mr!VJ7Y zKG;B-W^l`#e2YP69nUHHi(o5XNLd3G>mP|zBa&;ujbH?O{P@MVQ)$-cBVL#_7j*-h zFvc!0=P%MeQgbr)>bf)q)s34gzskhW<8>INwBzFPloalIA_~W{jn*{;BL5RWi~PqV zCVv%lGcTla)FH^gG%*loLC}TD+7M<_t)D@2Y1`E`-nI1tF8CJIJ4Nsr&4;`3u@TnS z6r1C(f2u&!3_q?%rjOux`*DD{fj=-i=`3pKN~a)sirl^HPM>JkIA$TReS@=1gJ0pu z{0P5oN5DDi<)t?BoesA)0P8tqd~Z1%S;AVb&(lX2_2)34>9GV?Z>w<CLBZ&{yIN(oVIJjZNqz8zO8nx54ID99rt*5gQm0f;?D`I>uK-<+9$`&yXq<9VY z`F{W+92)zkYf+B6b*v4S4ibvx_yf`ur9p3`4lZ#0+U;kU+{mjf&V0(<54zlX#$^ojw7#zyM=_poW5Q&evJVM9cuKRYa%N@z@kkF(4B1Vt zWeh5U>j1)g7JHKm|8fC?4TSBNj{YbhfNgyEXo+E59)}13@=1&bs$j|^;F4gPbBs*> zQ#;u-zB!WM!-@gvU`${t!9v%FV15F__0l2&+^=3|;s1rMQ7u}sisW&Sx45~EUb=1<0+)Bm9)-`KTiDqH@?z*QxQ6ID&>#OAJU1qbn83d%fnOn zVr8Uvw)cx2%p<*q>FcblKaJq<*=b+zAmoLyM7+Njaxy6?B0pEZxq6TkN| zzi+l@@k{Q02mOATo7N9Eyxy<7!Sue6 z-6gDi7man?WG?PcRgbo7T3`}s=3gkHA0Zq=kfOdH*d8)~+U!KjkmWgfT z>aty0NW)l$>70e$kG-=5K{816Rw;t1cGlaP%Yr365IC60o{~Kznp{50sg)f>4S3vj z6+H~Bi8S0EUM`*;RK`{hjrK%Vr z!r-(*v{UlEIFh{Ve&sSZ`So7|n#^(vf?o9a0C0uTY}6{shkSb^iXT1fU-`Yo{X8GU z)z5z4js3jd=mO>aH2fT}ex}u2|J?B{G158s3irJKyp{dj^m*OBrf+_~o_=@pYz+QL`+eI#8SK${N=IC6ePUqG z3_aco?e2K1bC)!cfBJXMvU+D@V)D{!Cc-DDzC@M%y!Czi;ug?7;_d&yp1#6<@_7LJ zeLwVl9<%km&HfzyUh96|cKl6S*{J#8t&iZ~%#6G%qKJjiZ{OW&3eqeFGe*opB zfI(0I001BW>OHL0-G?aQdVgmpzk>?^8^GGwz@CZD-qFt4&dAQ1&dJE!#KyphPEXI? 
z!^q%wqNn%!Y+-BRtfxn7Wbff@Zf8rw#K1uN`&vaA5&#&>;nw88hl@Kj03gTyz-kj@kyP3sOt+6X?Bo#;$fZ^)KhWlm z_uX%Xn>2yJVQMn8?p?rVpLSEQh%<5;e*AhX+_{>1b>swG;voYYlxZnm9G+3@@4ovs zzg8Rk)IIHKWs`z{mEzlKDIvukuy1KlE}NkdEDYjd0EEB|;=+#(GS;?z)El-;$LZZtmi!0RY5~0Ra&F z|B{&)TR3tsF#js^Kf>VrUttb)w44rF6Mgwq-r&pE!Z<4avUln=ru`P(@T?O}M$#rF zt%p%)1`}V(7Y|19NK*dzI1up17aH?}98IioOPf+x-MJLan=^M}-E8-KT-)7@(w}(r=e@1__H|T_y6o@`9gHF*jroa^+osveFu4WJ`;chw8807<9&m`>4K=H zLVKGR;XlqRp%@Yp)N6l;&4P2yie3N{`1_%Cus#a3hu{Z))8ZS&`)$gl>ca#9__@OC zoNB?Pi^{=i1~6y}u=)27=8ww-(lkTXlmUP3;{-6q75H=gwrdhR?BD|kzdhk~5B2r` zfj##wPv3>_e}K&C(;_hF2j9;1zVV8F2f(IwxLYQAMy9p#*Oqkt&0mOVNkc!p24aJA z3m|~n<8biFH!DE+V$$&P(xT_Hy`g?CWKDY}jnw_b`eDiue53FRi9%gH!wn`g2=yL? zf=6e`yJO6}hN8Z~i~wv0<@w-hEET z!C{fT-u2mzuMeD``d$0h`r3NKscN-1_4@&JR)4=<+X4K%%(Urle}U}#&F85baR2tn z#07gD`jOx*?z?r9@3Potwmp}jKjVQJ@Zz5MUV;ilpKaR-8nE96zY(KV#Y2DK!<-t} z9;$~EZl}V~*KGg_!BvO@=)eN^b#Kjv*sq)M8%g?*lkch6X|}C&4?mY_nIH74VYRDl zp?p&~inFYFAXA_5dJ(D)amN*$<>S6?sE)V}yxIARhi+T%s2H_ZTgs%Kg99sQ*>D;T z1OwYTV3Z$Fw({r5t-8A%D%*DF07)8ym*Td-!^H(J>Qd-y!{Cvn1=5ZJWV*OR2hgq= z4i7qwsMz54475GPgEFdJc|_c!bLGgNi&HfSMn61Q{Mo;G!Ktnb5m@Fr2Gy|Ha{hzL zsM@kU>V=bA%Zl4IFC!e4hB?@Uc4?%9hqfB}{FHt=EG?hY?o=&v$I(vsN!o^QWj+RC zduD4T+BZ!tBptJH)J#HGdxaigF{0mXyp_?vumU_Jv6oRj&dHvhp58%4j*pdj1JU!X z&OiBcMf%nR`~3!Z)0amUm$Y`fcc*mY8r`SugZJ}l%d87yHZ*Xuc6)LJ@e|_fYDtS_ z2;72g3_53;>TGyLi=-4C-7o|JB#KC%IGUe_M7lafX7ywey-5d!RI|)drgnUf76<%~ z|8gvSs%#IYX%0)gS_T(A@8l~koeie!$K&yq9y{7I%HUj$Ie3tlC@5U7onL*^k&nR9 zlSA6)^6FzxVBXA%C3AT_PsDgE6m+6pBt%6S|Eifk{d@+W1FZ()^Zuol`)!ztJmjE; zWLZWk(pprKw0C5Av_2Zczb#c#1zXHh36ICf?HW(si32lH3J)(E6NsN6+vMZGoE}3~ z`fow%cmQt7jv~xuHLZj}XE#pV`xt2_cFJz8#LoTQeG8ipIbE*m%3|7_BvSyDh;XJc z)igWFgilSvvO`jliNvUuh*euF0r?wypuGNoQ@@#C`m$TAjQZ2Ek=6#I+Pm4T^Vv6S zOz>Y&F!0-0B(h@75@QsLh=|8B5@+af@$&8k8Wy*({hT=8Hy@;HMYersY4uMs5db!j zK8EBb__+4!Id`dk4N$WXoHjrBbz3ep+59!+yQFJ=>KYLF2$w7(M56y9b5n8UCggVE zv}&WyLr_;C;I7%E0*6YATwQ%!I%B*zupk!ka16cT!L!?e*Zemi5+lxYxBt4O{A z6I}$jT_(j1?Af)exOAl5;wk@2as0cx$*50M<=7ZzJr_Q5L)jPaU}0o;H6Y%xD#_`? 
zZb}{5zYyb`FVP8IA-qrpHQ0b%-clHM4FEV(=@WKQTR0naFR^Wn*eJN#I46tjI?|a5VDP9^B z5;Sn~`#l|(YN=a5FLrJK6u$6BCwM&53sg0CoC9*sV>YI=E%t~U* z@0Wgkh;qq&JCi%9D%20E(_3J2F@AzyP_2t}aS+Y}Oor(G;>`=w>BW^;hXnpAq%W2S zL7g63rE^dak!Mx#Y-gJms|frI?nwi*QF>3{7?XXxBt-c}?FxO$k%Te&1Rv?K5GnOm z8CBjVDC;Rf<2td!U1kxA8Fg75hNy-Hi@W+MMI&1Ljl1!rh0){wiCPh*5z4KV4$Zs)uSG9xk<2b$krs;XGb4{4)oC0fLlI3~r=)PN($xh6Y>?WF z_jGK`QRK~`K6+*3`hEuuP)F7vl<9TxP!7(ubS54Nf32**3LL)nLTr7@?Q76}^vdpQ zc2-b7MZ0m(IHtih$xoz@AE-lx;1JYhz2)2y>qb}OP)rpZ?=?IA4#pFBSrP3;{-bqG z+PG93hZRFaAbY14APh(RSnJoeVF`t+5$aJ7lk7BN1YO|{jIs!B?SD}!(5#8cYOz$+ zHbj2kPr`b94pJdMtxz^JF05uof>atC=$@V4ozvQd=@c(s zYR19n)OOHjzNi2IPYE=;I%7CS66^!!8*R@-lewN!p6qdIx5o6A_RL_C*-~_w{WTMS z?rdbOYaqL5c4;Bkr*jXQW(yanxiK5id5%dUTl=?fmdx7x));ds1iM7Pd8zG$WCwad zH000~Xn~7!BX=90iqnzQgtohMk^edczt5~{igi&Ubcn)umv)6VP#w{L5wgpL4^1e2 zuASr<$V`&N+@N-XasAJ8ZZq=q3`nziAZEX?lmvs7o5?A&2<;=!7>H>q%2;^@q7%)) zdul|3T{`Na}on5z?u5EJYzY5tvWX zqcG5l+lG7MK4QZiz}?+fB#hp864L}~e+bu%B?{E~|MXm|J_=ti92j~P&tbhpmV z;@<`M%T4PZKz6*4C)B70fkZ!gPQvC$TcWM3O3c^dZlsR05#q^p{MJ;dmZ{B*aR`y4 zNrM0OU|JGWp7N3MH}@Y>`bLBtI83ZBTR_ATtA!S&Ew_N)Mw~kXOl*mMDIjNz>An zP|}BBOEH1}CC#hC>H0Z8vRVz9f$vkM5}U3}5xsWCq@JCek)l}k@HVkp_Qk~PoRE9t z!T?zT%dCj=)E|aP6Tj==mHcMsY5Hv~1aqcKaxwp#$RvO9z@*7pD&OT^E)i^Pv(#AJgAQ`z)44{^mHcei+C4TK z<*K25(ciQ1j5mEnYuE<3vDMmfn!j1y^P!C?8}3{4iWuxgc5||bGDX2PyUi1Szs2WNCl8BLGwqcKkOH zW13xAY;XMpy50t^d#KWWn-&k;1|E;V4Af4O=%;QP`mOVr>^C2c-0!A|6{=1F8)3&E zk&&v?LnPCR9@4{-3XCP`P}9qJP&~##0!3VDn*X2%jkM!_+Sv+{v~)u4>&pd#E(!rL;vnBD#@|Jk?ezmy3*gzNabgCZf}Z z8hk*Ql9qN8VZ_Z$-lYCeETxljb#2UhD=ri$RX0PL#IcLA zy$>a0Eq*cX(A*fik#Vj0`cW~GC17oxvyzzYv`tKt)a9Wn7u_r@RpzGKMp0V6`LxF* zsiRyT_85iD_m+R+;kPU=j<;yE&O)5#^!nQ$ZG80CtWvfcCt9;{+PdCy-Eqmk27WSx z-2q;)yj^)nn+rc$8!QY1@5dI(qsKU#+a=AvOyGIYXp$+{0{5!Vf^=;Xf1O$uzt8Cu`kWVj0Td?K}SNlWcH zmCzW5EfK9b zP;-_%Wxn!S(a8n16(0i1{4b(@T{7`S-PiO}PpP^I?L4E;iFApc5a!Sdx`0Li07^MdV()w ze(+4E&;`e_A*e1>NQOqAlW@4t$0SM217S7lv4E#gh)?X_g*MTM&Rw@aAG&fwLK1`@ z)hJJeuqmivNG95ti0P`0mNx3sxGVi6?iFqGQxJzdPkqKXIq!64JHufF)XS^#qhUp= 
z0So2UN`<$ofCP_ecm-w_^Pci28i99hkZt=dE_0G&Iy3=Wbd2Yumc539ypWQ6vCzq13*TBn!w+=Hsvo&ZApuR2m@F$Efxd zvq(A;R2iCDLQuNyz^RHs(?DG9aLUJ)Q&gVNc5KR&m#U&yCxdsWB+1hnkMzYCr3F7i z-0Sf=H78MU?-7{03h$6ya+(!pPzVP4ZNQHwpq2wx^Bk|b_LDeyC-NncUsBF#qGLg+ zF?mZz&)h=aNO07k9HO|XO&K@%B!7)Jpp*(z2DPm~O7tDtDrb(hUK{vi3#&bN3FG;q zv>I)Fo&*(@MR8)rA*~`x{3St6|JRXJ$YULF+kUWqe*r5A-1P%BaQV_;Ydn4PD{c0L zx`bzLBWZ1tv)x+a3*R;;TK7U`>!*foq~?s*h_~~UUyBKTA43m#t0UXM;TRa_L?%-D zDa9Y#f;tKomMi?=fv@|er(gvQ)HHB6y6RIZM}!s2Od7fUmv=3p1m`_>=hSNWf3GA> zGdO|mj0I_l{-J8+Dhcs>kAqgBj_`OXS=TZ(+x?9fE0igoC4!RC5PgN0oPy6@or~{8 zAN!3~D?EA^e`dvXE-0RbS^awyIn`TZ*$MT!{nG~RD4LT*q+8Az&Ol{#1=S`2@Hsj} z(CD=~9ElwI!Rb5*q$Y+_nI@^yDb|Sa+s@$TDD&P-1&v_|QEj1C=VITKR;ZYiO)|=a1XQOuxdX2aIdIEi@MmZ?tZY$QPH1O6_{aTWFrlZkh@P z>@HoxxJQ+EV8Og0FDdV^&xBsQFlED5p#;_Z6tU z>d|%-c=-|e<;{x8#je3=oS((+*bixU){i`RU%vI{5uM_tHZ|lbj+ePUlq zb~+Mbt$zj#QauA!vM|j@_qJ^uNO%bzUR@&*VXnq>tCnmvwguRZ-%QnRRrG7qUF|a_ zJo5%L^@UW?d3|k_GWS9^X;c*ht6H6Yq$)B_MtJ;$Y8=@DTL5`smhI3x6^dP2Lc5{S zERdmo{A4m|$l>{3>H2Xy3yqw>S?(~JO*CwaU}SCbUg?RdXf;lBa6x6HAdq`Y*(P0U zFdwDmcM8QCBJSu}S+s^km@G>TZEVlAASDYttTrO~CJx8C7RFo!=x7qdwV( zL}+JJ*!(8AV&oIUlYU%R-|VCYPVmK+x(56ie1L{IIXd=2l4z z|D#>zSCJT`w56WHZuF>UM90^sIRig`)Zj5pv{or~lmKHdf@?)+k$sO*vnqaN@~R03e%IC_ZLFmo zxVDlTlE|z(_LsBCbESg-w#JE~#F8H=)0415s{OWNBQiTasWap^7+G;O9}=vTBtXA) zh>;rbxiTH%V-)W13w3{bK9D?(P}9K}w=hXiRc4+@&gUu6dUhMa^I0B==va7Ckb6ih z-&|AV=(*t`><}g1W6TCQIoPH;*KQZ)V-2A*bggqAY7e=gX8=6g7^8>)d!uWL->MiI zYR+iUr4XBh;`U4gT+Fr>wMAgs5T}l@7Hc|F#foeUfj>$=ASz}Uq=QTQzF1gCk1!mK zk-zjvZFU5);9Z+cRR$5ExEMsN}Xda-!-rk))>Wi5N4Jz&WCe+i^8BBz6SI9453~9=~S%vNtFnt8tu1 zYSsJpQVNRbkv|+<8YqnBB8)tmI*gk)WDox-bwWhG*;1^Ol9wr!x3Rk)ue$EgXVKjp z@w=zItPU6IjhSV=J$Lr449mv;HMffSt?GJ$+57_ZH6`r!Oarp$!|5lNXu!IPsV;U#jvXc> z4}N2C_@0oQ0tBjFqN;mPz#y{oMApJ?M{AB1&$f?9C3)^{Fn2#(8ca*Va%D>W)4FP2=2^1$Fr6Hq^j5@{NQ z5N^&Mf(s2)DmV7tOLr>GSsDa|m5t}4X?=oFGPO3NL&}t06f8Ymx}VkU)o0dNB1k{J z-R~dqQ_!v^(k-mYKU<0Y%!KEMZFR2hbc??aj7+F*SoBoFNth;0hqC%l1dcJo_0y#{|egBrrQ|-5my)KidOGK*f^-9y%tO=zf^zOhjGDk$)%WpI 
zFiqtNLv&hy>_!xH!dDJj3Un&qi&|-bH4Ss$h`n%Kx?Y+&Ym(OI;aQRas0IS%sCTYX zTlQ{U&}Fbi`1g=OV7@wv9GGOai0YAu8$FOp<{34)G(QUFdoco1+_^T}dG=6y59r(W zY{T^hNV_gjvu`{ay9-a7y$OH4sqwq5Gdr)cZnUhU(S;?Y^sEZa6^-#unk!IZ>8LBh z&r{^)7aN34PY!Z$_YR zASGQkN5EZ-*G~RRd-<8eufhZD+aXSD#Zs(_H?9U{Ji~IR!xk|L++^tW4+fYJE6-{F zR95Lpn8;xZy_ZzvztL*ku$XrYqb!z+YVW@?`Y#ataZnADgdd#|Pq+>a#4cT=^UHl> zBoDOLM|{1){IBfWWfT|G$UP!iPqWoX=9FbRB$5<u zX(V8aV$GTJA*^8|s3DLbszRxWBqEx!enhCoia#BUWnXRmhcGlVPbhx%UL}s92CcQh zP|2$F285&4TodK)n)cN%4wp2Q;v5x|eE(b^ayOSXEIW{L>r6we*;V}jrxClXU?uBnS`9SK4 zW6s#}CPXD#A$MFtpgujj`8*}+o@{OzwA~-h1L;WTnC~*sF0w>LmrBo5)y2K?EkIDP zpe$8QfzSc!y|I_PWYFBX_diWI|l_F{YUJhwWeM#aOsA)%AcJmL?;LE4iZC zuhYfUB#SaytI!yF0)xiYnG(hMRLp^?*0~_{k}`*-R21stg5s;?T1cKA*deI9&+_GsvIx!G@Cpc$Rb>4_ikBd)t zq;aD0)CmJ#mC{0rVL~?P)xDbk_rcN2(`v$n!XS@kg)p9ILtxKwF5^zgdC=x$U;#LppL9^0N{-c9^Q39HJ3 z!cF4OWh(;T5vZ8cDmTD}!Wu^is0BNqpdu2L!?mqU7}D)ND8%@2W} zET`cZEv}w)H)2c|HXg;1-#PtaDF9gFTB1Z9_QRFk!k#(&Qw2*zon9L@QHm9^XEywy_c8lo0RIW z3SU2Q{S{Wd%t6jpM5dx%Owm+6hY{v44&N_OU|qMxC1|LVqWiaTn1R z3~B40&{(^?DS-yOi;!kdtuyl8vladGm%pk80O}dWdL>&OI6x0wikf7vju*VES)XKB z2dSVCWPt{@O%cc&c)&k#!RVc={Sa4{p^f1S@j)x;8>>&U){Ek)G8U19xy;GmjW=w5_s!Ebsz3&R~%ma({9C zRe-qw-bf(6PQ8#D1N=dKK-oXoHwzsn$db}H zsD8oJ2`2+A!<~~7%h;y0K2n%MK2oFC3O@f5-roM5$?>SnU%q&m3-xY#A?`yUakEu8 zyqW(PWrqGqM>S8Rs)xdwCkgbfu<#8MmT~t$rp&)bLTTt6s#9Tm2$1ATfcV4Zb&X4RgA&=cmaC zbOZ1s&=&j?N$98l`(|9s}D#!M=e?JU{#)gO6$g;+|~}q zDp0Z?BpS)S1P8nUM?;i@R*L5bxtm{dV8FnH17j%WZylCM6q4vP?q^91nT8k$*qZG_ zWqVJz!%CEq@gahA(QxVFk)Nk5o7Dn^mM%Jj5>u=^n`s zKLE$J{Wy{Q?V6k_}cO0;oyDfFpJP%NkR!s8on*1TZ#vAD|m9F|g!dggnN8 z^lB!_skojpMKZq^QFF`_>~9HrwHpJcm{nb9+q!?fMAq!5w)u3vCNL^)Cl7^4fa(dp zw$iy*FRbAL|2C~D^SMEbqa}PvZ{Py)It4lh8W*;Y(Pa%{G8mL3LLdeoL7i(%tf)N} zWqZyL=te7BdRxeXxWF0QwBFzmR*|!Dwm$-3Ro{jN>HyJc-~p;_EAby~n~RN-$=)TB z>9ocz5|{S!Kb(KWacB(fq;jJFSmCG5glV3{rZutp4~P%t$L4oDdKD|-66Y^dk-Kc@ zQdB3fvtYb$yB?2FP{{u+l3iRbmBsIh7$F#YP#$z@9DT)fpl)T}LW@Td`zC*Yi!md_ zk-*f->~dlk&pids60@HzqKsNEu!n{@;BVwHXxy@ouzFf(j9iWbPn=J5;1L%FM=Df* 
zSdhk&fW;+V5CV3iB2jJ*+ZPvfxU>sIaKG4-C6$w}OQ%Mrq()j7dL8dy45I6U49A-c zA3N1TxJq;*njpJ>jIu3!-1ms;au`?}giP!kwSxKVJIIp*NNfjv>ykTK2qOti>BXzu z+TQ$r!=+H^qMptWN8}W7$yk{43?A9I}?ubp*gGX9kgi%2=bmVX3)h$_3 z!cGR$Py#B4Gm(2SIPPk^D>kISmQE(l)oFS8R#@v*Zi0Z1yi(Z89x+9vVaOJ~TdJnL zh_;y*{$u)Z`jgS=v70P zTkWY}>Zeo8pvt>5e$nd9vob~3j^Q-l9a4KZ!*gnd32JXo{<>O*$9OrMa;>h|4m{d& z!QW*eQI(Z&wl3JnAd^s%HSp>NiADNaF%Rvr2@?de3jQ~Fc^=jR&nq1KQnK^rzZ3lf z;^!5d6>w7%Ru0A87}(Lxmd~gD3@I^)5klCN*|~>^JmLf? zHHeS`*yKXsTik_V<8uMlxuo-^U81uB?~Z0#9yai#zW5g(cOE~hNpDi=o~kV4F9QPw zvA+d_-`K(zK6bjvMif>rJN!`a7G&jo>b>*)D+g=}?7DV& z-9j#hU}c)=v|%>|FrV@pc^vxECO+SgL}E-W@b;{*$ue}EjDPCn(|f}hO_TjU7h)0Q zUn=u^cDLCMbZ;25d-QqfjeK|6hU7QHOgG`*Wl-h+ShJ6NDHl^b}KiJLVi09F>am_;sALJp^tg(v3 zP{zjlo(Gp_7{_XMvm2mG)>0Y|cYDmz%uL)GBj?GpJ9Gl~-ySVJ33O=I(2Sa7P)=Q* zFO0V@*tXH91<#S$btJ-y52`8oolKa=d2aE>a4Plz0I!41^+X=4d4y-r2{`2uNk+^D zImJXwHW|%j*bCrF@T!k zKu>~~8X{5n?b!`7$AAIqB^hMhv&-G5xGAt2h`;Wh3X@T2pk^V9lwgT2&UIH5M+7uK zGRT^_LRVhyrk%YXOuUN=Lv5D*=S>efLa|73( zI5A-{Y{3ECjK`;undHMWglk=@VAGZGr;9k12F@p1 zqI-8BabJRZeWu4T#E31XF zBR|Xk=(_mx9ct9)CwU)7BKbei6`;o1*(HXSmosP zR@{^;d8L~~<#X21PKBqqDK(ne;kz@6*YM93$z{lTyyIrV=4@Vx7_1ovTK!c_Ij zjpke~*BMnR#Dl0VqN6QtwQ@XDU)1`JVc!kVhRIX&j%IB-8ZEU*V@Afqz;xh}UVw962Wa0)YVL4@wHVWqyQm%OeP)voJku3yI+^+rT}Q`csu^l zrl5B8Rcd(k)M-}!;=yFgSUZfIj0g~!KGEthbjf6+=e3^11#%3seVg)c|jjPmcQ7mp~XX;KbiMaV@7aud<|kd2vu?98Nmvc+!&M+hCeiQFe!4!tQV2EE#^ zVbh&<_QISH3Yh#^hFo`a{@7j~J6*n8PX01?d7U(q2y&VtQZ4-E@E`5;I-NR%IWB6! 
zgslY!j5I-xH~DNn@xS`hik~zb$;%6sYuM%9=t}hW`D1=W9P#i41SwSK4W2p>cQ_L6 zG6DCnM4BZ5j&w#JA&&*%Sb4=`00-_w`|jv{m1ILZvCfQ(D|j-X)G<=(F{ulp9l5)0J`H)#4#XFr$i_K$yHfQ^`$J}-Oq z-y*LVBT~%*t{TQya{0N|{=OAyo2s)_ z$`rI8Ja>*K2b7e>NR`h*(qlQqZ4BI#4Inz-upGPMCwL?xUA?khxb9NrPT_b)$vxJ` zU`0>@kRxo%i#G>hm79x{YKp#0jOM?avVIbSw`<+PxD_qu_B zE71)cOrehB%Aa0v;|nq94vK1h^uRZ62fR3cCmp8b*C-3GG!;{xb(c~wwY}D{-_GkQ znhk?NbHeXWa6-*_3C zImN@v!2p$!;3TW#V6PSmkH&FowjG~uuA-MXz_LHiISz}<>7$(essiQ86^3fg$enFSre4&E zp0eWy1=Qq?;iax|&UZ>N+f$7Fbbfy)q2w&H6v8k^0GmMwZE?V`KzK)Mn=r?ZwIp(= z7GQVH&?5qd0zEO5lxMGy8Md&2=&8jCPrMY+A^-4kqkgQ|qfO<(fpsf5KT9eC;<}iP z&E@5xycJBFhQfb*Qvek9dAnXlzwIsYPYW>TcQ`3t)ZzYk8fmJFGV?oy6H1$fGC#dP zt7Ula^hSFPGr_MuYLa8ov!nl`pkB6x4T?II&x>)bWUagd7ke)E==-I?IcHYEg%m*a39ZxX1)8giiI(bATrC|DD*`&! z)k}hPN?Et#5>^0j1uFSivF^0GJ@md}Up|ZEX2jmCosc3PO1sDN5;9!gTgFmd=N$SJ zGcTWKj>^y64=v@T%2>|fR@Xm7p`m(qzvZUJ`JVo~*;2+U;(6_4TzpZJ+qHnX>^30Q zQf4{xaD{%`1OqMAq7o=F^WE%LL+vL*m-FMV z=WshMh4_(i#Qw19(n}PZ_h;s8R~3e~_pN!m=`G@_)&bQ$g=!Ez(MidbzC^nesB20q`iX-&J?1Lx<+{qDg0V4HL2x%B++#Y7w zqhD|J)8huZ@Q1I3=nb8Exr4P;Azeq6-d$t%1)m*WVbQ&TS%)K$FTeY*RL7WI4A~r2 zN8p&glihn%DLx{!mn;wG%XscV4Mq7pWPQ!#4fk$LZ;d=YKfGRQZsQIEe|+p4a(3a; z(H`$|euk59#UQ@l)gk}=+xPXVrifQ1BscYW~@cIe`aMod`Ki^SV^YZ6`CfZQHhO+qRtBtQth37KFm8^vp??JTv#c$4`)Y;$E74>ehAE+t?E0p5pS>pbZ9u(YigzwM^VB{sSOoB??V9tv{8fUx`fS#9< z>$vOR$THk_K6-;MQ;HRRI#F@g46}B@l?VWDc>`pNFqozjLXRYY2oK9np2>bEsosg? 
z@Oq3BujozI@>w=|M+gWhHmurJ0$yZwz`c2#ft=S}4~LZ%UCv7eB%i)vSKZ1D(6z*> zwGfv4sw*A-@!izsd zT9}DRLM;=IfU(vrwCh%aR*7t!IKi5Eh2oPEm)~fVFmdLljAKrkb9`s=d{BH9>4cI$ z)46W;5otqc{Ew9ANjc; z_B#E;QZAD;r>-Y@H|n<=Z$H2RAVh~HOcO@ap4Y^VwL#82Q zns$-tos50I_*HREI6VXEEr=Q0m1J}~V>Ve!$^M%pUdTt%*o2?tIpIAi{y;QhoYYv6 zLKIo zeU{*hNj;}2s+0|zqp+j`Tef4XkFmeBI=I$4!uz?r>uVhLvP?r#0W{j1u<|#mG3q+` zy(eL%$_`1maNa`EVp-A9SFeZk%N)z9wLV}Bj!0$XEha?Ml$?Aq&U~+IYC{_XPd_w{ zENU?$2>KAOv55iAbh1^99(P*DcpHJmITAts$1d?PG9<>F6$YO=De)MSeGgCC!sM}8 z=ek|Gk-~{oIsJ06Zslj>L^#&4TNlW9a>9$qarzX~6Rtg9RHW=Fi1)3V2%fVV*>wPK zfeIJSzN(M}rY}5M33Y}8`9!ly?h=U!yI{=>G1{#^m81L-V2#v9THWJ~ge)qU`I);k zNB~syZ251Ifpt0;Ml~)q9m!0fevrS413}xxUkA6S_A%RwJ>Z|^wW8`7<4_I+TxTU1 z4Ruo6CgpMLlbWudw8A%zb%5T&G*vl*9VY~B$zGSN+SUqf+0@74`}$$MmK?z~=uE@f z(#=Na=+3LV6=L;&J;tl3jinTmIBGWz4WKTBfc1n9A?%Rqa>?f0Z-?DJBf^WO4kjX5 zsm+Z+3jqH}uT+YO!5d9(bW-J3#(6(vZL$YziXqV9Nl7?h>2L{(F!cOQ|6z$_>51!W z^ZJ6?q%j)9N)STeZ;Kg(6P=!uO73JkJ|c1`GG1RM94f10Q}-joDTWBibQ)0I&t^$a z`$v%`;qw52MT~i<^c`TEWrS7S6bZ29q_4x>?Qd1>B9ek^YK72 zWU`lAFzN+casnRVGa$n5tLRlAJSe|q6aW)y@W5yiwi%js=dVwv10N1xei1AVK=3&| za7<={4@&D}%$0W$y`(lQw;Qc1viC3Cn-bf;br+(`0^HPhf+wp!PqyIYSv zvMbVtZfb}z98Kz%<4 zYFZ~57@&xJWS0cSe(j}vJOR5Pp(A4mCl@M2CG@@{nK?kJqd{=O8sHD!rVwtWVt}O& z(sfUO)uCY?jUr1Wc;!C6T`Di9mJ$;@6btN1i~3HgbIXuZ0Ke(}9+|KRpj4>KnO;OY zZ|>Iy9yGml>8FkB%%IZlw`5ZRd-v&Sf$%_m!&wgfU1}djJX~a%zJ?&nP^QWHabjd7 zBcf!|pBay~2I;?j4_2{q@rJJ#0PSKROAkH`p$1;(fkQ+4&Wj~~gZYjjb)W~BZN3ud zw2GaHk%kEOH0~V1<~m*1jOYjNq3Vgh#lpQzDdIh4y^|7%vKX;pAfjVlBb9jgPe(dB zbhUD{jzhD)`u35@8gYBvV#qL;d6|g$GEawz?SJg$1bjLnvy7U}6;F0WOAAvyE)I6O zy4;3HgryE#OA~#&C3;-bF`Ex!s>ysVsTDe zBbf9HpW>0Hc2#lecpo`KAgc`bj|{}1K^suj0WP5nuRZmYnKe^UcTp z?zQQGDYwACQ?kCpRFm=<;?bBu0hM&Xwe(m~4{bcR5~xG1)IjpQR(cg;#Ymbn=Sty1 zE$}W_*<0nWjNZ`7=-P@yFmnWFBI47F1&Rp$chC)fThv~pt(`ep>6b@Wn5*479Cb*r zy5gHr8`+p^rRm|U^T8{Inz??j#*G?CEL{?W#TrBh-{!g%SNo2U9+dT@A96AwzO67x5PfHde=E28zZA01v@UWvAvAG;n#(=a$vHD<31b`=-c-( z0?Lk5U@HeX2it2&b7ZQk9cp1d)Abr@6)T3SI;+N1 
z6geZo*6++|QTG(MZABc49>HvbsgfglvMEOgkg>7#YoXW)@&znyX^GgCbNghk54=dI zXo-l|H9^*$QPvMaSz~OUUZtLJgx{c+ALLr)A`Qi~!tv8pBY8cMye{lVmYC%0toWR2 zPT{G-J#9R&ZNL|J%u)@ToQ7sNv;t`8h$GlEcLZRb0b>~cY ziarM`MW()dG};}cIusxRTL6wez$Ejszg4sd4*Qt!#*&o7BNP`2aC{0K{``J-djny= z8Yk>TRDFES8Qt&z3F5Mjkey8;XXvuOwEgJw;Cu6#46(6KcY*(2;jV1lf7Cm2>=PQGa#?Zgmd^~?&2BKJt%ciNVwYhOXwT3rETJZp< zlOb*JTyk;t4DmMM3cZC4VeT~mmvlkZ@f*@b=%Zyv1>2uzN5yV7C-Nm!IdP&(E+hcs z$OBv%QqhCZ$*foL@c>8xu-c?!-hVC{+Hja(6SDW#R^M-j^zuoI4PgpRUp_DmCqdoM zO0WZzu)(vPaqZoY`{q72RY@8eucYTcwV`rZ+QZR-8HZu20}(tX-)*)%SUB*Kbn!`k zh{fcAPk6T>sBqzEKVePfPVPdE`mBMhK zaQi^jsUbbPWb?YkmI^(>kGwCa_yTLK*-@9&XCsuXKL6Du~QVT)1et5RTYCjK|J?}X+6QyqhHK`%sR7<1AF;ReN>~G zjgWy;KhaB!Q0%si)HZBW=9DOBtTcrr7hI^=D>OE}xo{6|3v)4~KbLfu1l}`gzh5#^ zjmT*S=2yfCps|+y@p2N+@NNv;y^4i|7i61t19eMV(u8YAC{iTVv(m^Hvd8<8jA@T$ z(j@IGmeC68ci6Gb(CE@*2GDX`mhrTt82m2qy{h?nFmj7m4-w+^A-oPnfQAn2`LTJ= zk!711n;k9Wk^RJm4z4uj&5K?s#a-O?_TZ#sPes+&eq^A?u(09Qh6J?Mt^z9HE}zor zm#;-H=s{pJa(?#!{_8#4Hk0ty^PSnJhfoXMq{7#rQas}v@x8T~i4!VD!Ho7rQeaR! zah%cRQo%_GgM=Gdg?Moe7PW7Xg+#FZlrUD?f(K~sxs05GVCu(9m{JA@W?1z)f6x@8 z4O=rWu(1~j3XGZUt`INNb4|E^M2iZ{i=VkS}`}PEnLLyQ8ltvDy-xPgQLr)U){k-QU63xIbTRg z^U6jarVE}zQAE(R+$At8V1XyC>t$kSO&~>dHub|o4P0=HO}c%hGv-wDWx?qtaPo{o zqmj7RFCt2x8%q=0!0z&PT_GDoJHQ+;4crB%Jrsm`8B#xE3;0syjeNAZS^e^J&pe#! 
zS#S1#H$ccSz>O?c4s~qvf23*CZKR^Jm!_If1yjPEk_gFv;t5uxhyUQTa#Sej$)*sD zra%d9w=<5|O&~Gu#lTy`p;jZn?_1L8NS`ZZ+O&ASjR3QP39f=uvXX_4O=1zV5-&0f z%4)8$6Ofu1khG}{n%Wx~9y@oTdXm96$=4sxJjij+JW0<+WMC+H1rnFzq;e%5`vUKC zM)tMDt@PvPB|4-H8ndGwY+Ww2+Gih>7Z-=G$`$8J zZ=UHsW@-u!AQJ^QW9r_?+^#-Cde!b*1_PbFG=~;A9MFA-YnJFP> zzq-WiHE7Ybp2Cd9dl^Ob5XQE z;QGPz&UOFKHe{DV?#T8BLp$A@m?yDsGPF!Ph^~38!^cZi984|*1Mvf#|t%uq?K@7siqcV;$?c5=Vfm0!W-$dok7p?3l0b=DpW)nfsN;IEdy zX19NN-X=-!(K<*s)!ej#Psc83Q&8>>|GGR3p)i!JPX7~~JHvFrUg9*78?&`$2h;3T zF8BJD0FAyoT3lBL_W(R#>!~(NaS+N4h^A!948BB8!>hm* zUCJ`WX)7fjFHFW9EbdfT?~7Cw^N@XX*`#(ke{DTm+l|rtKnMvL25)^~Zk;-#O!%@$ zwk6#O!3y3AV*j-b%1)S)Gl-QHO~1sMO&>vOAWE@G2;^80uy|4BEBS%@_n15 z_*%%E1OwBhe2D0Alb54lNNbLi%uMk)d$D!E@~PthWs0fMrfmy(h^d^!gk}j7^@v{* z7j)nGiRW$VAe^lWR)?Fm$tAV2j5n7IZ6KTYpyu1WCEYjteiBfQzS4tPm#}0<3{_t! zH*Jq77flZt7*~Jk!7R>NUoXP;1N1m2@nU?Y5losLp=$JU}cA0WTG4l)=}Z$B_=j90Nt@c;5U1%LqN)18Fj?We0x z?Y=0O7M&!6kB0;Pqz)j!$gchH%a)buwJhSow=I%ZafQfm>uN=jV^wp6iQJfEwR3B= zgtQzRvJV;N3X)gtzM?6d2jt*hde;WYYi$)aB1dIR$9^y{%?St7=jyk?z2gCiDs8`t zYj9;Ke;W>EgoG;k)!v>(z+gw8{ArQyS)wmu*EouZe-@rtG{l;wNdJAb{(geSgp~OK z% z`pz)bg&w!!V@S>?Qzwxrs)cS|Ud&mwBttjtx30+gat+@Q-VBmF^Xby-=8W5u(U@7~ zoB=h6{0m%3|BbGcA+uB&5x;kOUi(N2c1aaQ-`)%+yzq48HqTsc?$Cz?iGat2HT=&w zGUdWw>Zwn%izB`&i*s5e!5`7IlK({*f4%3|6A!PCt%ZdZt)05H87{Q(SGF+1KAs@2 zuTV6XAC0`lAVbJxN3s@U2jFxNAzK1Ml9KFf6aN`JZ>b5-xmGb!2}V*VQA5?qdN`>l zGo1;kq(jfpe$kBEgLS3o5SXinW0b8Jy6nA5;aXWrT1*5o$C#NaE1L32Ei-QLlL2qz zlM|MF;8F;+2s0^oxTTo<>I$poZ|Oq^MfyvS1}bs&L@d3`D?|U-KnBMRM6Z_K@hwf33_qH~-y zjtWy&YlABo`lcx5rh4D=AAZtK@KeAneyb~NGoOj52^+DOm_`1Xn2hzT=Y2c@a!K|W zYP4emvRQW=kkb`TIJ1NlEH30%6%`Hv^Kot8-r6*e>B=-K_-ZM-unKW(af%VBW_Ai6 z;@nZZKVT2)xfk#PD=xjj&lTVv!M`54ILQLjuPbW-R_ETLgy%yQ-J9PZ{sN~e#T}&B zySrxZw?wCtQn%i?7)MFH~9}b&AOD z3%x%z5E%>n6cC({SU1MDeqdp98h&KY=MXvNimvPowrFc~i1y|)g;Z_jTnL-+?oW=~ znj-!CctO46jg%Q6Na8QDiCq=PgJkv6yrrAxR4$g#d#Mv9tYTaIck{yvQ%{wCRRA|2 zNe^*m0HnAx-+K)dvHuKK{9A04UC9PenRbnmwgomhIaOBemD>RCU3`jC3ejV3|7UKT 
z$?y}EV9A$NY7qd8qtmKRIuj*uBHhNx#&{3V~nIHlUo|SKixQdY2omuxPBAa z3dd6V=H1-^E4*P+J1aU8xK}#C2BvjT8J3+EjI$Vbfi8YMIVRi{tP#=-u?e}{KFR$a z27e(SP(}Hasm}Y_H9QVAe$j0VPkaH&QV%72P#^-A)U*43zW#pdhkM!f{bp?~Ie(tt z_Uwl9eMY)|2IxcmUL=6~9>gEma)sW}#X#i!S$i- zzz7O{hpw^;?dpsG=0#er+P_61{9d86rg^ch`+$+@)VChP5e5|dm(b93&yLg zQ*aQn60Fv(AdGq#Z@9MUCdOReL~C3S@nr zr}_%oA`Ob>`x_~E(2kE$DE$DVj1h%yeac^aKw0^;c}eU1`kMkHNZ^P#nHkvyzr|8P z9f5MS-I>y6gW|2Rb$JtrnPBDd*kv%!J}sRBxXhbRi+wp|k=y>7A_zQw}3oCl`iT8Ej)~V%hu+3bso03CMZ!+xI%Wd3`iyMZLs`Cez z=@89MeY$DTeowMZuKUT2v+R`~tVda0ly)ee&cb4`#}KkKhYh1a(yymK3V9u$lxRPB z?~v5)&x(x-rN8m!=tpzQo8XtL@)ELe>#_1rT{usx?=B~%*X?_@tSX3|)xerDsSo~C zqgRGU5>DI6CtXyt-l_%f)k4qrLJjAhe9OBnwWy(RG$a}1rkb~=bnEoNomRu}PxXPX zb*TDZ%|FesedF6M{p&JTtLrHYKeq*Q3L3BLGD?^SjZ#G$z%$`v{z%C{WRze(kF@d< zT4Zs&|ydNxz@R48)C`gd;OJ5XHi~P*>9zV>E}{2 zX^HM3aP{GxlUzcvX~CQ0a7^EC-~YF}s~|{*?x73-Fx342>F%FXN4cQ^ghDe+x&(1>r;}xz&lLkNN6qfg=`?W8m|ea}NroGg30`rgc#V9n6=a(>i!TrTM9SjEFFjf4Pvd)j&c+Aa4qPk8TBzF|GU z9kf`&3GB3=@2o!Tc-q+s)-vGi@I$@&hvN1FAVK(@s`0ktuC$?Q;DG~vG|bfHfd$Y2 z13tL$U<7{b+SCIZp1i-fy3Y9LmkW+n{{q&Eoq6qr1_#3Z`NP?cM}G!XTQ{&T8@nRg z+6dr4K3mm3jBQO%GqKNDZ+!#Kf70)4_AN9U0{G(G_;ORL<+pX4skQ zyACGc^F7zs$H%8@jcqsi+}fvkmF;W#+gW%CRz>t$G4*R(*Lrsf_#5J+{_XA472x|i z+LWi;9j<_PHaCr*=^u0V?Ira)@gw0Y7?1C>!g;a7qOqsQl^59dme^Bq{yA5B+5-x- z-yN?5hh5DZd*a*ZH<%|{KL`A7bzZFdAS80D5VzNXmDS7DXro{lZ}xZ0&s+&8Vs;Z z)HC7n0Rw>51YU>7!{D458ao5gA!t4!qK$*_b&~-E*DJ`3$|AVjIVmk zjql8McE-3#hkphOgSQ#IvqQ zQIcwYmWiQ*rS9KAM=<@TzL=ZaaA1X725E0pkOKPMM1cdo z`F^#nhdx3F4-RP_E9=hzfko3xHqB9Qy2k&ByT-xFD)`y|4{`VGA8}XcA91&d#5p?! zc{Qp?$}96vvQ?@=AI z;5?f4Ck$lS#0;!E=r{Fc3oJSfJObzSqBzvHSV}R-XL9J1)biHVjT$&-oE`p`nu9=; z26uysqEZnWO@5)d%$jtURb8hbFc{3kzHg#h>IC4iM(S;@1F)YU0JLE6IzallM_?%O zL~^XlNC=c!|L2nP4)F%Jfb1CT0wX6tvD-LBKpOE5(<3!S;Cqi|<0@pcrH`Eo)7QJv zn(&5Rd?Z{N6TBIa05w}6M2g_akH$Q^o-(w=;h@Kjd9mkG}1FNaXxx=DHKP$Uwbau^? zd;pC(gxWpNzOY!36TLMnAF{2jx=#Jyx_Fz3qpz~%P8CBf%0mo{

VlW7&H{-bOKjLoR;r|tPBim{By6z|b6?e(c`F>9%;f8^q^{%t^aRzcCv5%~d z2qjFf$RgD9DZ*WpfMdPO>zMJ^n5yFvqZQC;E}+>vX5f=nfVokjxxx2r^2G6f)ej&Y z&?|G#th>)JTew1Nl?JdzxlK!tVsaAvo;lny6^12u-u&`zNMr?cBKJ0-HwmuGn`d$n zetAAZYlL!j6zT&k0ot5dE)+)4k1MGR4NNNhU8)a80k%srk(Gp+RJA}_Bg;5fk>|5( zN9t!e&~*S?U--E`!|xk(!}C^{B$&?AcPINel4N_HR^djhyu6Swj2#2?UNWMxa-HE` zmrOvAu(?AVC=_wGzn%jWXuAAf*{B#9M|R;k+3xTs8;b54w~>7AV|>D)?A2$d6;NY* zK>VzVY2buY+Mekuk(;XkpXpFVd{p!Ci~&4MdoN@GCGoQ8?o^0EG<9|M7=*Bnqh3hE z>)fFnTzmCIEF%6zQCk%_eA89X>R#K{kmF>U+}HdxFK>ZntG|9slWUBRMjt;=mjd1) zsKa6hrYp8}I>xDpIyla|^!QhBF8}k9NCz@z<`gN@VRdZglTG&ABoOyfM{MDz?1*sc5^18HU8mt5%!!lSQ;@4 zWlm0eEscJ-U2{oR3lU|`7Y}HinaGCJKz7sI@^Y?sr{UNpC(oPNu|}{N5m{nKhfWa* zRb$aqy!kM~9b&-3^uMHk4h(`AP&I9q;U)?T58GhIMw01B6mPOb0G$>5-l|EcR!wNo zAPeJMI~AyY)ll{PaJ&0H6rsN}Y$Zg&rV`a>>e>iT^}a88Doisv;|xH5&q^dra4Zu# zWe}mcRWDq9AeyA04ws!GICA&CWu({Dq@k`KR(~!yia(l$bG{}xB9NJPTDaJZE^M$N z-uO-a!f9q*V%PkLyA!3XlH?o4L5UtfFU2>bne!Fs>z!^_gfSM%- z4ruisTF3QLtLp1K727m7-s5NdU>ECJZbWZ|!B0=0A$mvO5@eAZqnQNw;1dUkA6j+R z(k|F%c7^h4h2%!Y4)F~t(GDtg7Xq+@Tw_y!<5D!X7|QC+xoi(s3-I%V4J`z7wHo_S^Nj_5f@Yqu*cC64!Xz zhe~880|u5z)om7;9B~j?BADw{6DV8zlW$T#C*Bl;=TTf;fAsPGt4y+(aON*E?g{w9 zxV%PFN3F^zAu=ZW-WpyW-<^;b^%BVY6N(a7^^5jf1eT&O87b{lY~^Tb0H0&j>*2#a zv0w-HU<4}lR$4Pf&aX)0kSBC{c*Xf&$?cw`ZSk5MEaK}yD!ERviED{dR;3pSbR`gM z^3oiMMT9(1%Id`m6vcbIh7OJtN&e!*>Sye7%`aM)E1#-#y6uo0ydMfxn9Ph8lN+aV z>UpWzX%c5YhJ{MS*BpaWB;LL2%=0A7f+B(QbeK79!d{|x(wF_(!{PJFOp#YprDW*i zfIm}w%||(b%e8_KGr=*d8Q@d6Ie+c>XbMwyh!nOJygU+Ax_H@kq#YP%Wl8oYjj2uzBQ4vcW2^MtR?3{Tt;+CRdnXzY8 z3A1+BZ@2IHL!aF-;J6w|t9=x+{MO^jDMV5G3+H*;TdcXM`8#M&gyD8YDdP^Kom1E%3w#+_q!U$2GZ^fd{upVo zC2+&5j)hW>Ls0r=Qn+?+dLMJ>aq96mh#K18^2&7)LtS^YrA2pI6Qvq4RXDD4W3 zyt?%sExWCg*c4tX`nkd=+M~DYx0y_&^>~|fqHk&s0zvVd3f&g85&M5v!=Tz`m~`ZR zXjlpZ0tf}k7v{|fj7dyhb>Cy535w-k7FHr=jfoH3Dft-Oh>CahVWplT3rzaf$C*&8 zpwI5h;Kx>C751Hb!TjPfoPB^aQ#CD+E~m-7u_S`UaK<%A2PNz}8(-ElNKVKyaM4lU zcA{OX+;3!z8XUb;HoBqM7rWyo@`_Mtun@O3bXIrdaJQd?-j=Z^Gjs$`9Lr)3s$8}+ 
z*9H|UBM?E|DEm1Jgbj#w3f_^03=QKhv@ClOM&r50(=H&^pL(!HvQ``p5wZ=ax)^s- z!JJ-{9xTRCbs0_PPvucdX$f94Kd%QC^E$;_(Xg8~SdQMlPSuGqeOe(Y0BS9}nl%Al zMtzcu5A}aXUV#{AnVYCo(;>rkKmUEHUXL&7* zI33VxyR1hRrR04{a%@dyG1x*65+OAbnJ_+1B-Ins)K0S{ z4?)Sl@xw&CoULO#iGXuXUw**d-q@s6NsK^YF4`TS?@z+!Tjv>pS3Ub#BK?hAJv@)h z3nA4cXl4?@(MfB5$!|;~+*F?-f1@S0v8Foc14#5*C6tEI0#c<>^cwq``N?LNc2*om zAXho^BA!X7D!)&u40Q-1s*a@ywN zp!@;XQ=?&xxu>K@`|P6iag~nm+pD^r;H$>PX$Pw6qmD!=vEdIaYZ!=_Q|{XAb_i15 zr5P!e)SkWOf?iaQ2!+IXSb?9`RatFWvt(s=cf034=x%&0{i>4FJ7S-jF6N|Bv=|Z7 z)i=LrUHbD4f-ngr4+;o!w_php2n-o09Y!V3mojZ_-9;>E>h^Pws-?0;v1o){R@x5O z_{Ws1#;p-bEw@R`6DsX}^KvWhL7glZy{aPEluM$Rkx&pfiq9+oGW7waKe!1lI|uYm zZO{M-$(kmB4arnbh+tkf5oq;sGFEF19TDjf+`k+$ZGej3(rrnFmWUO0OYD9=N_k%= zS_T}wI(1%3Un=l!nL|rj)?^Mb8;(@1eLSsLVpg!Fj^aA%mwoGVn7`TQm}e) znz}h)sqC%#Irwp~``KL1q*@5;g5=r2;yXYbh9q2Hdsksi$~3H-<(3_ayK+Q-+nDoa z^u^}lPRi8srfHErCyL*4fDO%&ogU_rp$ESa8^#{bbRyFvl&ropm`7 zm8IbqYewoejtSA6zIBUGL=R3z>DP%Qc{XpcY|tL9hT9HPg*Rwl^fi|Q6BktO# zt}LQnNof?zN<4k1Gp>r^`BeQQ?*1ADgFE|A+~r5lT;aXME3B}dJ=nkvo}dIr?jmgw zf2Yp4la$*e)T|G?zHVkZUoLmO_EfXab?PWr9g4LidnNOP!qXF-T5x2ohjZC|rJ_|r zNt1TC9oE+2YI3v~8NF=yU>6!Dc^Sm6Eb@*9>4x6PP$3boTb&xZo0^ECtPt6Is{6RZ z*pO_l;NZYK9ax;$+iOabu-#UItV<47yRbfojB9EbS=sY&*2<=?rcdw*E0oZ(*Ssuq z%@Jp)lvFZL9#|^dMF=)&!PSy96;>iHAXP2z3RfOI1MxrRWpk6>J0$=1@&};JY%Yrk z{eu|DCt<#7quOZj%v|VY(as5{BlR}#+uP55l+I(Wc*Q}TOMs%6?M9_eYt!C1xscUW zt({j~yVfc_3u0*a)KYRR+3lS`20xgkn=mt=|D)kfbO|I+EQ@r`^Qe|^4iSqVS340% zkqW~k%0WkB5*{4taX53Yt{1rcS!7!#2_+o*=ir_iC`?|~qG45192JW?Gn@a0!B6I- z4A>0pM-B0ZFfGbWyz#P;?f68NjkJdHW9Kbc+Jw{=4#v2Qg$!R3G}5ogOKD> zIJ^volJ{p7`6hX~Q$!g2qojftkaMTVW@pJuz+t(nI7kug zKMS|(g;r>mjJMWr>)qXHQ7^(IEQRbu^z4pmT$$uq6HT|>ZSO{2dl+C4>BhASO6{5pl8 zAXB`xQY~!-_Nj@*ldVLnY z$pAoci3z)Z+dRcc5|w8VpY0|Xv(O~YsF;2eOF z!3`57p39U8f|a0zHc!{xugK`fw% z;4t8#z$M+HTv%!O?2tY86z`_lr{*#i&+aLC!qFelA`;A#Td&<Y|eQpN3nt6IgE{$m)>%(MzCdbLbU`1#@0wkyv_Z#26qEO>@R} z8XxL~$F0w4EB<6gfl_0IgTpvHlG+|P4z*lwNKBLuDztGL=FK0g4?u#)ntTE&vpeWC 
z%2>KHD(5T>W6xRC_LKow&jJ9_8{SUrZQX8bsB7-u>7K0gnhM)?fn)nW{}xo0sha!Z z9M8q(B$j$ldpwz@1Dz$RJRr!b4lyZ7p#(Kd=vUfWTy$lGGAFjKO9y+wc@p?W#btHD zr1n66BGw$eLs3HCcr;yg>g}WhOLkDZE_YDN>)=vgiE?M4d<~Ae?&8{L<)yOaE@2m| ze3?MHkF+)s7^t4uRt5m~xIy@z;6OmG)QDlCTBJQ({DFHSO|9feM}}+JZPW1bQ)pdU z9Vcf-BWK;a(K!&Dei<^xn~_=~!Z3!tP5FYo~+(09< zV<^hil&P1X)T!6PfP2H{J2RO4V?hT|vFs1r7Y~H%O!S&tVcIwx+p_D8)S84l@*6L~ zP}*5WG>Oz$qnZ!tb};T>TINxr zo1YBpNep_k{q6mr^C01OGByS6_Y_mKK#RNtM-#sT|MhP1M5h^(xIzvo zTcLHL?j7>c^jtCwP!03RI_fd1d@w5OztS!SM(NcMhW+*15|2f!HGvy@ zIPS%tm@Ztd&FX}xnhHzz&;Y1p-0 zmsFp;?XCqnO^ft>HhZ7tqW~x;t~idaj@MS-o)mP2i?u6P@<%95_LcoQiGzx*d$F@u z)gTw78+O>pzHq_``w3VLyu9POAOAKwpTzY)|CZ)n_J96uR$X?#n|qVlzy2+@W4){# z4`-#wu}t%if6M=me@nnxzG@F;Uj%G@-B0GRl|NLXw7M1A*lM9s3#wos=XGxv{f~dU zBXk`8xYy{B3<)jukIYsHI#&EU^c>ayPQe81P66d<+Iz zIuf?Wc#U+4NXy_E|abeparLaeq!0o5WxNCUGsGwjmXE^KDBgX+Ofx%%s zJ0>3iS>s|VSOJv7N{cP_o4#N6*|RYb`)gVn)uYO=V@Lr!U~o7bu32r8C!EHf(#JhJ z{84v6li6Q=X>zI-ai?N@FIL%NG^`-i5|H(f=O1&o#5nMiS5jzuSu8_{OfibtB2;ss zOg%A63ErTxck`+zLEB``X5voSlO8b-ORU`}-d_|ENn5?y+GfI^ZNsszzN{q($u2C; zO**e3)Yqc97>ki_N*@DqvYPGU37UmWZr7>I2)p;&fD1#+$Y*m|_NldLkR`Y>SRVcw ziJj~TkIcmDAGkY+K~dMb`9|2vO_lmB@(Pm{P}-qDU||RYFb*DBDg%j)>Vmc|<4>#)gHu3ip$$&2>A_`qux8 z{U_yNoWQ9}Z0$3&{cUYQB*xw5Cj2@-8;it_$VT$Bxa+s-()LVY_nOj(LB(7-xnYY& zd{F*~W#&{Dxdq1bn5RCMC6OPNso*vf&|A zi&9mlg->3b+)4Q%xdgEczi#pMWqGTyC*^!FOo%0;l{rHKinn0-boX1k%O`rg%^>%S zx*&m|O(>!L)9kjMN^^N%D@lZFT-2=py%*ER-Dh$!JTagRb z=6q6%gsST5WA;+0bH1s=h69GouZz$msou)J<`p&y1BoE)hY`XxKAmNQMz{Wg=K!r9 z$(9%uF;Nx|le+mOze##B1RHB^m;^?D(VCUD-}1R<2s8*;=n0*v8mT+3pSb`c?cs@~ zrfb}$EI>yuNNo<(E4h+Dnz1^IqZboT_;wx?%1^D<59hkx`aj8Iy!!v8z>)%def`2c zANQy)vU-It!y{jbA^xpwx%Rsf2jv{RI;)HwM9NID71>r2`rV{Ug-2K^XE1v#wB8{c zgM2{jMqECaayTD(gTxO9v<{&$^bEZfK?yT`g*}_@E}QQXKuz*OMC9U3QviqF0G7s{ zQ{Jv$z*(N5gOaWmzZ|)O#KsV$WiaQ0oK@{Ta(5WO^+LkezN(^PQI-c*FhexnuPS7x zoTrB?yJ0Te++2)3i&BB?$(3AX9GoB$LjMP>RmuY7UL4pc7qv}Ruvua^KyK@VD56R6 zjy5zWsA`6WIWGjtZq&2zsHkd#O^iLs|B*y|j`V7AU|TR6Lpj!ni_6?AF;-0CuKo{U 
z_Y@r1)~*XUwr$($*tVT?Y}>YNvtzqs+wR!5ebQ_F|E@awT%4+LKQF%;-+1TqmRndb z4l=ij?toNtlnlV?FIt|08vD96eh37j_jMbF>y(}m!31yTPM_RMU z%)#_vq5j}dyDP$@1Is8T1_Q-Vr9b%QjF~dK3sj?KnqDv+PL;T6-zLs2$s7}kn@KE2O&@K$CV>^n72z(8*^5h#y&X7t#uMv!NdZWyi#*?~LWx+hg?3Yl5P0w!qTd>!X=P$R>k<0f+rE1! z7A9iXR&JkFXv#c}W(G+C?Y>CDx80gjkKLOEXaR0bnH_9&tE|{VFAbsT^*C<)dYy1$fG;I+l3DrUjfS=IebLt}5uHI;o*&6)oJbx0Hh_2eu7>)-O;gn^q zM5a>{rwlyd9uGru;)i5c>jBzV+rcUCzK<}|n zTSu2pGfOkfBcTK?T9nmy)#=_VR8frLWFqFGNUJ?@cTyJ%k|zd~EDO|ruLm|t6!g&c z82sbGlvF3)X9+0rHQ4o)EA(@B)MH_9{N5Jz_Lo-A7UlNW{%s5KaF=e+$KJ4ye9xQi zq3dwWXRY7MaI8Agu9#hi%l`!;Qy zd{OKs1SBa@02{wZc{X3!%6B%Wy@KC{D>C4IB_Uyla$ ztr_`?h1kzGkFfFE`*GJ~!$OV{v=q5xVo^Uc8#zk zRZbSTzBq0sMK9cAAPLOE(_(L`w=vK`SA=8TM#v%W6K!zEM3-JkoixyoEcBF%>Dpxk z%ghM0!W+aGyZXIKw@f}Yo(Qg~zo%JfT)rguWLVdW-OSuweL@;Ma0QWIE#Ig}o+hOu^^KQ$y z2aQ1|2OU$Duf+vx!8K6s_rYs@!cHn@*>zc*urWqan8DR3VLYxvU_HlzkQy#m$SCTy zh{Rf4K;|3W+NDG0Q(ta%oaRRk+|cjg0`lMrDtr8*g6Y0=Jr~t$4-yN8fGSA@vH*8q zL{4jyQ_p7dw2M^LS3Wg4K{5;=bmdoKUcrUyz%2*kRQYu2whpHO@Fu8N&h;~0WjlK+ zkzdQ#H!8}1hkQl~B#ObeE4`2}@Bocgo7@{1QMvm=XjF-a#LIKGT$D+Gl5L4NVyKP_ zSc!Wt*Kj;v57p#t6u}F=G)1Mr7Wpw3y;SN0AyIeK^QTwm$EnP6`+kto=}%Uf5R1N5 zOeSNQ;$4t!(^E}tq0z%WA(5s3jnvxG(uw>JQp>F_GQFSVy6S1C!^xK+crG6&qhDo< zr=APo8@`Cu^Xqzv4JgS5D**}Aq@mA&sOqVKp-WUIR5b!P>c2?s0V&Xbky?ag$w6^l z$SPzW;Df#gwl@fw*`cbPDpmrkxkF|?bWKNvDt{>Wjhv(c{t8EgYRU&5U2sNo0^1bF z-=_*x-$*T~n7|3mI(2H!0T)h;{lzy@`wAsl3&Q9wY;%Ey8@9;} zHN$M<(G_L7>n2Bfs#k7c@AaU+|HPpT_!;~Ea!SI1wW z2>{1a(O8HH*3!dxOSpjC-AIwru0VfRuJl=7@#P=0=H;cX7l~s??0Gp!Ztr1 zIo>dOdwa;4YpW`rQzR~{N}a~8wsU%>P~eeKFqV==6IU6lmj8ePUM#Sb1gacaUlPi2 z_jA=vu?_`}EW)rwyUEp5xsiU6rtibcQ<=@QPD2Ahp2(&bMwPg-1@F zNa(&TxDC>Q5xR7AmIL=}H0JJ27=_pij+Bs-|fSD6uM-%2mzmRC`sgZPT+UJmwgqLUIv9 zrwH>#m?T!nim8_oMyowS)a+fPK1g_iBaDhEgmDM}l2a8PHr~qa0$e5jaXr-&cE+gb zCZ;7e7STH^USSd&gQ2vF5$_ykm^^QfHd~0IxQZ1|8b)kv)}1MGkAe9ob#h*#b;Eil zF_(KQrK-aP0C_9*;lt?kol}P!JY1_B?1hk>eP(v;w_NUro#XLjqydfb#V5A-4&wy~ z$47k3CgPn)*-ld8Fc<%<|KSph!-X@!&&;DPd7Tjb# 
z_8+5mCh7(8uThJae#0A5LGt@buGf3uIhS*TZYeYl1=QO?r`>a!-nox<5}Bqq&j%g& zH2nSmwKaemWgtaNV*Duyi*!2H75izm%cvaouTkrJKI8F;LH5_Eoxw~H*zMW|v-u^q z`E$QTEa4bh7M?{Y-n}$PsyT87ID%;ZXIrm_F4HjWQC1yn@yS0%trp#M`T8i8XrbNV zBVz=^7B^UA(2Q}GVDqmxVMc&?`AP8hIRIt9!xb!9zt-;EcT?709 z%(;ljd&d^RWw2|BRz;i<#0(c|3aShlmC{eozKEH1Z;o(HAbWhkp=&ps~QolQ1t!# zN5$v^iQpxS^_2n&-)qyEGZPlWIvl{|NL(iQuNnkLv_DH#ta`HkEU~Bj0?CU`l#%xF zmnLp^1~t)pTW9bR;)4~M8^eidIx7y?V{4$G!^0uX*$;D5Y4KLY*yQuk`a~?N`g|7* zostDZ97yAr;O0+BGpb=YzdF~wh7BChY*^7yKWR@%YvIJqLrEu-c@)SU@DXE-r0Bn5 zDu25F*<-)3KN-@s{dg#}#`GM=lPkt6^v)u1x|;!G22Y@)JnJ+7@5lUW)Se!Wzg%45 z+g?^5IH$M2a9a=N{-NsdFABW0sj+y*PWj+GZKa=eY3U{WYt$YeIeEzcW7Il;Leqqv zc~VSY{it^gE1$aQ{nw}^6d9xWYt+iI^gk)H{@18&r_vf4H*luxzS5^3_O$;qV=F|y z1(c%sS;y$V|CTRb)(&why2!_*+r*7LTvD=4e5*yByjc+mjSoj}G7jc;J!=C@?dvAq z2qXn6uvX?gtzAV_r>$UWWaWAEx-hsdhc0b1%lG6HvbA%qSbB^kMb6Mf*;t49nK4u~^=p0*4O3YzE4rLHIAoFOfhL^ z?NlQ=2qb2aM^LmF>pATeh+K8Z3gJv#fsox8sHz82L(h$ZQlpBLuAx@dt%*!2@0li( z`Ng`r%fwn+`VvH~RVmwmHWcW+YRF%`MVsSZ6Rvp$>hH@lffH?BX%x43&iqtX8PV3b z>vroE*%iDHU*pOv!@A>MYt3F%Sz0xx9Ef(!GahOaS=ZV(DwH{34Y*teX~UdQf(7_H zAiVIMp>9*`FHPGjlm|K|tZG*?)8cTZsZvN66I6cfo4t|6chOghLtMF>EDHd0#UPD` z)^PCdb@rO6D|u;$YD>U|cnKI0134H;v5p5H;f);O${2ywX5Ycc5{i_;j8cWD%S3ku z)U1mMJA-qOKUy8g4kt}$>r616x3X1ljCDotiIPem<;tLpi>bnP-FFfHcX$`)YyahB zF#z4*NVrXX>>_t@QMB1JJoJG7;bhx)A--4K>^ecSoYF`r;%We$pOh3mw*x^3Mk=r8 z+r7W0)diC-v#iF+_5{t^xMOImt9BS+ZA9hVH z$UwdS!$h;$#<5I@ybM2BudUH5N|~H;U$}^s+ueryr@Ahc7U4~_6IaS_9`%wE#S&F? 
z%g^?!tf(PT0i}AaQA;$qGXT{gS$56keVB=F&wdu~{SEC!z|$ou#@;N(@b1TA&v${M zsf35(71aRhK1l8=p_Yi<>LOE54o+JxwggK|ZhJ_o{1@2Dnty z6$Ka{PVbihke`y4LdTW}uS*DE-*l`6LKYI6h#7%sQ#|`DLDouIR6byER@M^`%1~1{ zdlhW{GA(!kfxa5L+luL&njLO5t>J#4oNLG>7W!%Z@cWVB)N{N4kJ695XHJfHn!di$W{0JW=KLc* z?#K_ueuu>Q3s{fmub932(2wpzKq!ev+&1e?01`-7OrqTn?+y=Ptrn1xtY8Llds$09 zS|N20tEIN9Ih|WZlbTuOoB(|$&Sx+ z8?R}(oEJJ;ABz!%;VKLl2WaERZ7PKNaGMq*=M-~ zv1{(wKHN(b&hECS#7^wqTp+wpY`WYSb2WeTToHX7Dac*NRc}b;3A0L;9bU|lHFWkK`#;?rI31K+rC8dzMmAFvHI(8 z*trM|@Lga#Pus-WwBoJw8Dwwd??}JC8#Fhbv1{Uq)(r>4@5M;5Qlr+QAa~`r~PfZ)pAHP0&x!k$m-bilN_kDw~w_dE>88p-AdfL7N z3E9FBAI~k!-yrPQGn*pLFCpZiug}}0!_*}~?UASGTK3;JuyPKanXa`RrUTg>LENuc zn2a2TzCdyZD1{B!l|*zk)3(VA#L*KS{h-8k*K*a_p&DUvn_S!4=vX>#puw~HN zhYYj7E?wup085B2!)g!Vi#P^QTx8Cw7r>S#sz^FD0nez;7d-n1_T4u={mSMNsFac} z{&7C~z5{RT*(V$d(d`M&32XGwC}M_O2@M68kMS4Z2S>$zG`FvvT3z>GhJHA!*%Jm> z*e~dYofUu;PKNfhgAdEsd``2Tva+TR}R8_oT*(Cg#y zHKdQ2Pu#nlTg|!btqTfZvVuAZo&=g_4^C#W*%hJ37qHF!s;!Im3)&z>ymV?PQYGTE z7|6(}Wvd(+{Bts;yZFtnUG=deuB=^W8q&81ySlX=DyLTVuLrB|N^+nOw8UG~OF(aZ zN1)F|u%!crw^GeOl%@Z}lH<f7#X|Mg%C{3M#Y({v(h zE}t0D%GJ-;jLGy^(sedzh5ez^{OZh1$RMTmfRlnzChc~JM{8a{+TRMYe{B`X4Fac4 zs0+`nTK_l-*FeVGT=nW|57^ z^`V;~;BJ{IYRH%;e&a(K#gEvB7a>9!8ngT$Be7$5m$*NO0;;)t8 zJ^@ov4*SJYi)W$esMq9YqgwGX1&c)eaSe84OhyIa@E;0RU3##-b+b;mHxnGg9;b0O zmoMDJgOJYixuJ?X0Rfwl7ug=zy{DJMT%0t>NmTSrzk8KoXTGROT~ZOYrO>xHToH54 zT)u4on+VQzE2|QMxg{UF7z#K8yNt)@3L1{I^I!ag-3P zn<2jSMYWrLAucvaf}ct(-a@gT7J+%y28{>8tpo45ZSmxrcYEpE_VFCPV&r3TZeEV) z;8ZecuMK+xX66TNf?rc~4ISnBi|6EtI|kn3rs$30NEG4zvj&Hr`7g~2MsbleJ(p;~LW#-n{*_>l zN-qumkzk!3M_fSNEXNQi?q>7?$vl-aUQTRu8&D4ZBkg*?hT$E|>%^Gzw1ch%-Cd+$iJ*bcY~3IcW0)Ht0oQ*e z*f3tQt1l!QZYCR>ENzLxWIfAKR@PDy-dD?7pEO?SxeS_ij3p8Zb98K1+@t3JfG^#J z?l5xhT2cY37s%m}k?=Wb;JutVFcm4Yz4v9QPt^&UqDF79%CtT%R|_unpEoeP#ykyq zIUuWP9sGafsGy#1DyTi?VRJ(ZviYN_rQ!pU<$ODmKqkXS7#KXPEz0 zF?c(H>)17ttcP2FT#&WAl)2J&EIZnXYh}zYSQV{t+4on1tswU8e{D!qb(U?R^2I`} zs=HTYul=>Yv*=c@m2=_%v*Gjg78~J`pgTigF3J>{;BHKgpJ$;2mFhQ;K1UfKVc2=u 
zz?fbe;D!y)i1r>>Y0PpAR|kVu?@8Mn)WSt0j(C7^ptJM^ISM(;@Pl(8muyF4+${n) z($S(k;%49mEe8|NnKsB;>AYR+;X(J&Om0y#i^1$1SwFarqM<38sGEGi0#qkK9Yj(l zLX`B!qui3^gwUE>cOU=`SCl&X9>zZsYyrl%1k3#`!M=oHa&l;)O`+&vd?lraM{}#q zaRfZ*y^|eJ@wW+_k@iO)0m)k}*fneX~}Gn8dc@0fHSFpUd3wwZG!bbuUl_6ynhXbuiB^T&8Bjx3L8@iK z-E&WJ8wHOaF*29Qxi-$p=q`Z_PfJgFS^L*5*`Y+pg<&mhvD(r44>gV((K%Rn>f+GNM9+H-X zVV{Nv*7!9Eb~&tAAsC%GN^XN09M>PK34@FlEBY1UbDFjl*?%Eelz$*tKo=S`J>ef9 z{{z9Y`wR*znmSyHYNa$XfzSGxA+u5&)I-$kUv3tQ5gEbr6r)#fqbaJ70Vg7DfgH)j z#lzHAPamqMm|`G7(xe%JqJlw)g4`M=jPThPq4Fw3)k`r}gnuVYrbU_n|MERc900pj5d1secT@pB%~( z@H*DPvy?Y^?W2v@_@nw;ts*a3SV*aa~agIe=08qE@ zeu1)bm~xFA$FnsP4`h4DO19hJ$SDp$(dwh?%Ut@jcl^#;|D@NIfC#jeZ_dDa#`TS- zDJ{W9JZEJtIL5C#98wL=!T0BhK>=DHAiJ>C3q^g|igRtzLJ|Yz^N#8Rkd>+>y8}$= zXdr%F#W>iO{!~Cg6?1omaDlp=l}jgVh9w#U59xFhINv6Z#~$FV9P}ld;=I{nu)Co? z05rC3?d1%)Mw+gz@ zx+Ny7OVbZ|$!oF_PYb;}gvbRisVZC71GhX;cP$p zHrNsMs+Ph_>MFTutU&&>Ur-O(xDd(RHL)^46fiJei|%|i zlA;_*b0o)fK(+ZEM84ztq+ysSo@qX(*QK=d8QtZY{WBzOBl@X8OYlPU+b6!O5(2WH zP0*hx1sDnUsK+n@2XtOp&bD|lzK9L_;rcuW>On+Fg}v^0*;^WLtgTtV-W7!>i_M3m z5x1=rcR$za=r}cVYM0Z31U@pL#nrhERvXYSLsF(`oNMB`5@Q8g=?2p%Z!|86r3nY* zdN!ZP=MG#~1l=E^1VUAl!bcg1T%#`wUSbBH$a zp~WQ6hGE5yIWg~O@b&V^BP5_~%CQ-AHdaq+Jby_*LgXRtT}=m*x4GcbZ{)SA^k|>* zGd}5gC;S_GOA(5e8KTT9U@qR>y`=*~*Z5!Lb?{#J)5!lH7v zcd|KxdDuzvF*m>A)rn>AkPFyQapD~i7xNp0{^VJ`Nwdx*=g^+?YIJVVAY)P}qbF29 zICA1fl4w8b?Xk^Ko1JpN1b)I(820x|PKNSv_?B??+zxSf$>$$AgPXgQ%3~w`u@;rc z!N>`Zkd7!q{8#-78AWKAPuJKfDjge8HU_{BqWTn8X0Th0=pE_)GX}zW7zu(=KEi{zS&=D}I}r%Plzc}w`N`Bi9q zX@Bw6{&pN4Iytre{<*}{zEovm&v|Hc5Wdp|zwK+rO+CVgi# zNkZm{kq=w;bbr`aLAjfMa>%o4W1p)7b@YKQ#=UD_h*hQGdRRI@HI#-&|MRfA5X*mnS4~t2!+(KSMF=!#f<}HE4IO(n{Mo|DY!+D}TeJkYj@@W4 zc7bb~?R%R;z?HIC*Ot4pk4Nb99?|h(h_)OIz*+~Eh71Kr4q78Fcykz_mmVhn@M2N* z;x96Q{B6gytdUJW=fhs=G^qipG!rz^?(_-ArOD^FZ?H zVm?~Z2wT-q|MIeAVnYYHTU%?Wlf*JJJQ|U1{Q1*FM9(KCb?e$dcY&nr1)tCFs8xAK zXRV5=d`=wn^7oFHb@b5SxXo&a8^T_eE|H@*r*c9Afev4#3Eq8FL?d~$l5#Xs;q+C! 
zYh1M_QfCa>BTo7t#D`|C3q1ZKV9^PqQblT6F|~m8P%ODTP=(m!t4`g11{NMxubsk16oOH^#jXm!q;a=v*BU(08)`F#PmD}g#eZr8o8_cUth{sCR3qtyQcx~@Taxul5!X9!G4tu`dZBJE|xVc-w4!7m@T zZ`=2L=}4oqG)b9vh+`Wjox2)v(frv%P_@aUB*)+sgKY684uwVMs{dI5a)5!c3}i%^ zS@h$M3Vv5O`?&oat+3p(5hM?2F?FMv)ruyA>e8w4VtnZ7_xQQ!xVv-+4S5bmF}nNc zS}g76%wYoHs=tAknZriig)v*od8$p&8R)7myQP}4bLHVK0cOOo#KWBf z)!HJxQ7Yw~qGmXruuP1xC5BBnd~WpF&M4*q!@GNz$~`E{&sMo?D@?4eLPIJEU~At8 zSM3D#)jrG`4&g2%ZmG zcxUhXl_kj7*UqD!jaO=O*sJUe4C{%Fx78$8c!*Eq*pkN$TAC%|-zW!@twVQ9bHB4& za^wpIF3|{K^Q>&bp!@J-pI9h_I{=i8)qbSH5(8s@Z>z9nkBMK0FlPBwv@uSsq#)@- za&CjT6&{A;~K*umfOj236)9q>T%h@GR14KZ!OM7g0Ksf(W8!sxkEsLX@wo0iJ zCu}Uh)LvV=!-&)Fb64Y5I?$_?TgLAUL$(olD0f50oGOq-cjyLh8v5P;gz|$z<{(q2 z0Tlc-ZQA8jcmB8~>$gHvnFCCg{Jj8~09IDWeviUFf5L)Ae=MN3e9Or}Zw)2fsr-Di zoFb_pCxct_+k!2q3SK1J_X|I!awk~nBO<#uYTg%3o6E|7ppH`ZQM2RO-XEMt_6 zf!6MpL>e=1iY4Cnd77TK-4W`AO>u{V_Irsx{>AZT1q9%ZRp!aBWt>jwDDoQSP8|dZ zcj^GFfWraOSPkx2`eq>#muPYdB~F4We79p zk*Fo3YwXqz!Dh2RJg1c2zFKnIqUKZUJNBaJOXeHec{)pQ#PyN>zVV%j%c@x*zh zxVq(?!yDBd{Ft|yQu|W~!{;+jI(e-g@4z?m#ds#kG#CXyiG@P7i zKTdb9PApfQFIsazV3_d<)3O#Pyjd)K%}PjFU)!>qD-x!74P8{ch6C)=uKHc)82DWHU2vQ(uEXeEVX>!>B;!_{5`&9 zd!=_S7VQOKi-e|Qd1w>3_N2w6GQLH$@K*B13nkXkub}c&YULl#T%j3Dcv{uLCWDR= zsef(OOq#Li+JFlBA}Z6n2Ec_0^g-|Hckrar)$#NsBcTU;%#25h!NNO5mnK4dO}T8c z<2g53bFO~-SD?Dn6-o`)cHD?WIO3O z`tG49Ob#2R`tqd|COLi@g+}2$ai}Tz)2k;oIoZORNau^=?4@2i(~cO4yi+^UXg-pL zm&`=596a@=zb?ZV4!wqQ(s_x0V9g+tnAI`(EnH=AcE_Mkf7`61v|3Lm4YB{*W<~Y* zwpsNVR?qP^I{wdcc8I zB&)j~aBi2o##3zt(y){0vAg?ejE1Y7du8#ta6s&*Rp7PGFy=9&j)Nm_29t}% z*wc{THY@e!x6OK$_6}RjQ)HQq+>9ZtKTCS*R2+8T+20Ue_fYu9A{||~jV?V&-d6UU z*z*=&9LQX$&CL79hFlwOxyj-!Tupu)rErd`waVpza@BH>(#v}=!8Kq*zR-)jXTbeV zp6i#eFx0HK7n%Wftq0?1>`#P2x6)f|p%-fxkvRsPZVC~)#h>XGI<3BSP_Fb_iIIGH zN4^$wRd?Y*MA90x{Av*6RPkS;No}MC8o2xMy;6 z$=)OI1wHm{5FM9wQqQ}jALpXGHNSDzdReh=oRvI6;CWE6*&p=W+h=8cVPQpkyZ+A% zH^#{O8%9W!FU-feKg}&bvv3)z6eg?dvV+DM7&mgnw!EmkB9Hs>a;eaJQrb(UW3p_T zi98<6WOE-Sc?Qm6Wm-DTC?a;Oef5pqn0jmy{Nud|##S6dj!BhhlL9RRE-GbX(rmR2 
zUHOc{k{ikzbdJ5v9A4FJUddVv7Pr|*f-*7)VK^)$gBTlBi~(xaG8=TD&kzl}^=dHL zvn27498@x0x95U?gx2XzS#JW#$2fYr;}(?EG;8@-rs(73io!*)4k%<=Ch9o<(!nWC7i+&qb-b+yM>YliBc-G3oKEu#j8f zoDhG)ubGYjUP5aJigA=uq?GHB4>~gZoH(=Tof1+kxlvYCRrv+X$Jf_;YQK}Fl||+F zl``~Ue*|zO%x}=G9J9W}c{%wMre_;?S9gN8pU1((kJiU8$IcuyjzM*E3Va1orS`%*5&BN%;Jt9%D?Rap2)}<@l_U)g9v+9^tYtKKdfZ z@iIlp0fWw5fWemwo)Xx8{`KSZz7n|1#$s6BCB}ztj_aPPBDzXCDrr%-xmm@*7%~NW z-?{ObmYdCci!bR?(Ov!jNrb{Fu-Rv(M_Nyye41k>fm$lR%7q+ z*zsq}d-73y6YHI6NnqkSJlh0$$aE6#> z>4Ep*O(}Faa)7VV^Q)JK`&-Gui$OXxiHjre;2s?D>f6=zG-HKl95~3q&50BD$VbS* zQhJ$-M;py!VC*y`llOvSh+EEKOj|DT&rSi~?S1dY-q#gHik5wt$ME2Qt3xy+7>HHl9T46e$1A3RM=>{z?MhV$anNXJ0?=x+7c+A>fgU%F~^ z&^?JT$@8`k^bd{S!@44~g9tmVJGZ#JAx*m9y5Mb7yrwB*4Zl9ZVFd!K7uPzO?w`Oq zY4k&$hBkI0g*>Ke*l0LPJ9{we` zj_*wA(1o&juELp87fD56`mRA;BmfO<(UJc=zep$;+-feUFOt7$sVa45;ONMc|Ad_pURA^%Kc)##pTyxQ`!@{Gk!%`1l?2)Vl zQ+0!{8geiz>5}Q?|KhpxzsZZ*cIm0!sN|?4velO5RoBz&jr@FDFGk$S&?P_@+dU-3 z42K5>|Lwy^v-Lsw`82pWYQdP48^D>*im3bb@hq}!H%(u$qz9BuNWxcth>#pXP3D!) zzIvs`mP=Q|JTvX9m9wQISIq?fD>ZiteVlLdmxjc9qq_8As=L`mV4t3^R|a-%$?|KO z8UN^kE~lw}kU7~Ka5hxDZenK39Qy#7MIT`~3S(A9AEpx3(lk<;)-@7v|}QAbV} zUkJ9MEURFtS=E_QQRVOq-{3C0?rYA_>+h#8;Qt$SO=aNKn=1kUFhd6gAOgSvurkuO zW2U!ruywLEw6&slG&D1|)_0`WH)3L7WKv}M|ER75KQ$cpnp1rKs;(7Bgiop>Q0U=F zOy8`lyMl(6aGU4vLqgC*gkVMyyVe!e>0EpO5&^}F96ywNl11xwV@MD?yD8VMhVA(h zIliy^@Xv=kxvv6gVhE&TDt37%73}*TO*NMLps#;OWZ>9ef3}G|qk;e`{@S;V^Lsy_ zgp)(Og@g1gnIqP9dJyaG;L1~9CB~=Pw}dDV?)4mW6)?NM+tTBkQF}rRl8ky9#SYuP z8iOo}00trrpo>U^;33Lf2q1pt_yT~;<}ccg>$=L_FO!RqQ_bprXg^79a6(0?h3DCh zn>gm@jhwiFed)S|NoEOoTlh-mvCg2-J!}tsn3qkj?4r^oTe~o7dV8(ePaQ=|P}`xN z;Dy2!!jG3DLyq8&%NlWZ9nS0dDsUc6CQThxQ4*)j0gr#2;7vkCVBH z<+T)javwXM-6N<7kxdDVchzo>+dR(@W@ zk?dS`e>^@uER!cyS?JD3?aZ88dOMJS8yf%6*re*d zep;K6AWq7<%sp(-MR}uMZT(XAnSB-I^M!U#l;~Ov@s?RW<}2G@9;rlc>6}g+oUgi_ zmg|O!wk{LpeP+yA?c~}=Ud`V1vm#s#Qa7`+evUkLJG4uKKN5mxFIjUv0sw-aQeBMi z@?2BLZO+WCKIrE-J0R=J*>+$}i?4>QbO2RziG@K1iY<%BbM3PHE9wu~Q&;S%z zUDU*r>8DZ_@QOfo>$vkLC#%|$acsKeLHxO;Rc(6L{^C@hS);bA#kJiRY(*}pPo$P4 
zYQekdW2ppM2f&C}vKPNXm+v1cDy71QRj#7a-M@oRDchq2!+n#DmQ3MXss^q#ZOSz< zbqWMZ&(>8t)oNrpY(l6n=J^sDjpRnRuz`s+S=*XW@A-%yxw#-0{*7Kxvn;2OFE2o! zi0H#)KVbj(qt!~j2NttkecIP9*+oruVhH|xj6L7Wj1tPrJ~?ReM^(c7mjc!w`f>MZ zGBUbr-o# z+J1rLeqnQl7tNPFMb0CZOdG-Uf_BIc#(?!Zo>AhmAHU|AXr*l9;?D1(c`P)TV433q zkPFld1peuP*nvY${DY6o&N=h;M_o-th*VDW>v|9#p1rpZT+D7LMHRwUlz9L;D_{4! z4rn*DNL#~zklxEpuG-|(8F{k@*OpYf z+~W4exF1>4UQ|FL9!4?Au8uSxC7VCWm4??iltHmeyii{ z9@1e)u)S1}P>1`Or&E1yJk=ZnNT6-RsK#2-hWJ7Ku)~J%t0Mr^pO$JP7)d6K;x@o)4)0+=w+T&AY_X1G^N%?O7!RuKh!5geps^8@ zoJqc`^8|1ca|mHIIXA?LAN1aps>|$a%jArjRUbrW{Ta*54+1#T+jt5^gqQ|qOJ?%H zDbVM}_7ZO>>=WQ#paxc6XD6{glJ{KhWs5C^4!=T(?E@56+Ucff?~cm!CV|26!(ZYi zj4il>_?pz%R|J{H)sC5@J>g7#10xC7i#q#qiko0+(YQ)IKxO)EAv!e_QX}Ya!0Y@p z!flLr^l;kKNnyB!kb}l>8_jS3G4m$GsiU9u6N8*$BwaL>ijhV%izRQ@$=XN-o(|ex z-fuID?-H&own}j#b=!N_9q~R4YK#B6-dLB|ql;9cT_44R#VczI4Drz$3XCkqQ53+7 z;TLJOFpabFPqz%K9<**m7z;g=ABotc+ekl~NQTh|2axR&fc&lfT=m_k6ZN|M%7kev z&n#%qdpq8Wc}Dw9!BIXRbef=a%aTVtWXo6~E1}cXcUdx5dz{S1)^phUM8@vWO<9zHQsjnrP=Now={<{&^SM?Ot?=20irJwE_THhm zCqjnXWS(uF>uqu!J$IU3e5hOxNMG zpc?y!-jRHlziEXdPE~~i@O)N}GtSM|o1nT4b))H^k6gwNcA2j^o%wY@XqH=&nmhInFfcu-LFJRe!DZc6TV`Q9?bea)tgq;$I1y8bc<;sd!o~CY7?i z#yPWRP}qrX435gH%4*%#LLd+w-J<`{P0p0R5K-hAdoUjd&YL3SUrmU(1_kA#C1^h~ z$3+#~ca3JtjcxBC2hCBJ-}A;!UoSBRkg5!ocJ8u&$tQaiM!TOf*h>}6+mMTPXv=G9 zF$Sy|)87FnDv@5URefo=fu3qGCs6W+7;R{YkPPlklJ@=|08l`$zqYf#;OON_!AG+a zWv6kf%IfweA@9PHv$S0U1FPg#Vh4v%l*?*aKsV$bUwAmhv>d%awO25LLyiFQ(8eah z33jkxs|?XaB`Sjtlm}XAHu98gs3$5-9ajGohiX_qQv}LV?ouv}9`Q0XhY{po&^HiK zPN(xAXu)Ituaiw9XoGrU$_+e#SA?V9MOfpa z1~9c^Ya4lisE^bZ;*EKwJ|H;u4Y~~*aZ$6}e#Sca6rO8uud>uNx1n@h<3nR^Qk?D{S462OoDi(6ZhfGP@ei%99E(flIr?Cpnq)s=bly9O zr_()c1<_RN=$Tbw3>qxGhGR71iZZ8FD9-Tx6AShGK6KZ1_xV3#^IRELQzVy2Zi$Sp z8?~k_KZu`bW7$z0P2?#?vY$c~c?wJNQ|M!nr!Zwd#Yp5ShO(c+5_t--z9APpg(>nB zVr@h&c#5IOQ^+mB)wODqrxh^^H2ahl$a{HZw(nCfspI}mA1}y2WI@D?WZMO?cw12S z;Dil3m^G^2(M1B?n%qFQHssyRvUG1O74?+VPM>4ennDyC zv`t~*y&>WQ^!@G%z&_?@i<4gRvkX^el|6FYQk@rVvaD4*0ZA&?(Jym?;{$%12YKGz 
z4aVX*GQ#2eLW8sL{oI~BE;koeYzmWvb-jH6@m=csd9UQN%u#8HaN|KW3O=MF7A@zALG zf5M@n)-Inqs2$E8O-d|^h-NS|r#PyYuYRy>tt~n~n6CXapU~23+SO!_8f2<8OWm)u z-UEum*;reE$Ehvo+%+kg<=QWTN1VW{E=zh$ z!cqqnugPYF^EfSuQy(aY2b)JfUJZsLceOI1g{D`fbU-bInMBa$w?C7O@tN7f;; zx3M=3t6^Hh%`(!Tr9Xc`E^H8yYyunx>RE7*5p$2kRSPz$?_Z0U(|L@Nz%ZCxpD0CxsQv(e_!BA?iO7k-COsQ4b5=oDw*RBGA1s z^ZG5`pm3cg9+uspP}hfNJmc6p9AZtyzi4be|Dm$lSR5u$}DT*=+ zcatJ4!0z^7^&Hn2T-WQZUh}e*-TiKX_ArrF{!bpiM$54N!Fkp_)!|8m{US?RZlspq zD0l?#TNuDMN#=^8fnnAE+zOM@EoU~?3Imnr6;2Px&j{ozWfq!R*&ri|X>nGwD?Zx! z!g}=vzfA;RDQ|r*-X2Lja;Ixm3_ueOh=TrthojZfUBlnheIVJV4@^?JZYz@WWM=oI#^jZsa{5T5j6Rkc-kQ_Q_^mql;QGV!E2j zzxz$q^*WG^38DZ&va#2HgX?c{j6rXyM?@{3uXl%Lc2sW-wGN9r(s&5uN~qf4DSNf+ z5gw3a%41xcKQVsj$jQPcz`kvn>ab8KtZxD1NH4gwSaei=CkvR`Gy7&agFybp5M!;H zEc{0bQ}I|$>%I^?cP0eR3-G?Xt+#V+GSEM&c)m`$j;_}moK&x`WcM;l+~1sTIlomM z$U#hDrJQ7y(HrQ@`!`WN+`E5#F1d_^~F)TLGAXDb%Y4o%5=D$hV(fE9i%4Q ze_6qq)fFy4;H46-{N~vf`)$#HD46qCG#J#UmytXM^WsJ96P3-}r|o+^9y%~r(X zT%pAJBO1J<+%xL#MljfUq0m~qKO@Z!un&L?eTRJ)Mr&Gf)wLMuTHVZ_x3jzG%9_hM zK-Vi+=GFAdJHed4%Qhp|+f@i$DDFF9gVh>{jLOS(KoHZjH(M;^+h{HhPIkDLFi1NW zI!=lL+KGcEPc;i>wQn+ZmSD8Q$LBb~w4qRl=qc`<*XUt19#t8aExkT6ui~6I z(!;Z5GwdG)SZw6utF?n2m6Ui9p5Gmao6LY8z2Q}E%#Ck;7M`C(`Gk$f)jL3noElY}-xCG!WpQ){;G2|0i%&-T zXfom@ZNm9pmAFZk@5S!ck`$%U>Nim_%82q9%w>S_4mU72qM-zxzNyF@3|{jT%)g@z zGtr5)sQ;NR%zLR`D->^zN)e+sGZ0n5*fX&RNBhe+E1I}EtXK%(f{Rth9}X+IV}xmq zJ{(qN1BU|1s^_Ix^-O4~Y+5;ZNV5yR(Sk17`uI2em?5yO*pN4hbR(-meZ{!AC zG^;dov_FOood_lqFM^Q93O67EVwcpn&t1|*I!DNE9HEOej*#6qLKo>9A-ipaCek)S zcGn0^q-%uSrV%DDxj^(b=QI%P5ZBtn(L{Pw$Zb(!mTAWsFV}#CY&mI>mKd@-VrU{A zF(fy{&^4hh6mruGN{bu`k{oF5jNGO46#0{MNyOz<&xJg_leadxi^vea64d0`A>7}4V6lU) zeXjC!;0Sp%S$>A%&l ztjFjQApaSQ-|r=A{72NX4oU=K-#r=X%3e-3cL@3}*<2(XL}`aWXs6;r{k=ioXEkubr^P7;*=JyAQ4ZGtfUj390oN4UH(bsdadql{z36L$7nTYi3_X7T**B|#E-pFOuh zK4n`)$#eT*5MkeEY*K_@kt=-heQU>^-z9zuoGaCvoBV=NI%vat%o@}&@Vkj#n)Xl^ zKdbfYMgNbuYimyw>DIrd08p3W`&Nwm%#=3Sq!mh(5f6GL^sO=Xw-E(b`>x0s;! 
z@(I16*eg@T8LBpxZH+Gb(1jnzFMjaa#(zS$2_@%{5OP7zp%t#ReR2+YDDw%4!R(73 zF_tDOUdt35I1Z{r4SjJz13Emf3D4{RMe=QqJJ&8Vk-bZz%B|R2js%(v>R6?kfoiz5vF(Wjh=csmu;#KUPA&#+H5ZZGcRz^_ zlbKYuZBb6{9<=R@$X1x|xhzX?=-q5#w*=)arBoU=DM=~9w;rtjT^xD61Nw5C_e0^V$;0knlWe|w7A4zb=Zcg(uRI!OR+)`EzLuBL| z$z(o~O0ml=kN!OU!xCOhn6Qc$;yz@42)@aFP)2Wtb!Q_{@ZF8ryPkG%P8Nwvr2(TW zZ@Fpl5L-+>tl31&Y$K*cPk@^noe{H*gL-RcxHD4qmeH=7nNfe^e;lj2A?Q21HZK#L zT|F>LU;FRiQ)ISY0FZ{Y2I@Z@G@FSQrfosQ)*($CLk`4#w*qfeJK%Wkk{0!wu7)w7v>x&}dPPIgP9 zA2W|kyPUeS7F^LaMl%K2VVstbj*OuMB6kkplG<0TnK)^=%oZy4i;|oVz^5om|12Sc z-9cJ-g*l&Am|5zI!!(<4li#xt@0K3=Z>7!()dhOl(+%iuh3^%1t9jSew9B+{!S1Pt zuu%LG?N2Y!B=yJUqQhhQhU+I)C+coRu&yKDHr^tp^@e5YYiV9A;XIf>=O&D9i`xmx z)$g_=t5wv@RH7)# z72QKRI0QJZqa@7-__0UEi#K~HK!tnn$)H-vn#o4w(8BfL3N)NuzrW4}OqRp^BfwJf zHaWWT?YR;Oc8AZ-C`Ta`yEQSp|60nfZA~S5?C&UDq-l;DBu> zb83&bPv=4TOrA}Acs>xPf`;z&i(ll1M*&2%mu5c+YbI?obpjIMjTCzTYFU6!o1k3Xa%?JSLGdQPOZ{_{9HEl; zE-QHh%v0|0Lgw+fb$P>I-Xr>WLdj8aHlX(+Y~e)p>Fk5BGDYsK;hSfL40nMse%@G) zC75z;(qxB7Okuc1{_CX|Xoq{

yD7JW)JU0vEs7<|sg+aU+nKFuqQ6eDO;KKzDaM zWBiLxaq9Pn15(GMZ*xBdU{%t%cWjJtwT_YvqhYSvyl-j^0#E&#t8Rx+-x0I?8arY0 zLuIDeJw+jU$kX%u&Ljdgo?M7p$W$sQTP3q;e$Vpw+sfvymhp+Mdz`-)yi1 zI!}34WuIs-=gCYi(|$fJ=i6^!2ygZgGwyEiyxs$KcwW#TEyG%(=3&27QH#kEm>cw6(x0M(nH1sux^S z;6lo{8x-N;Hfx6PaMu-HH-TT2eQ-)FcOpOE-%+9%%B!EMJ(Vi>`Y1C^og(*YiN*Th zd9@s{y25O+%t(#v<-eHC#=syVu0+eok5j`lVoQty-FSl~v4wd3BAJR8CW123I z=AC`za~(eA+u&+j9_B4hesWY#u+^^}ClVmDLvP5BQ3$|pUtF!3E1maST*alZ+?!rS z?*ZHx!P0zvxIsqdBlR3sSB6PJaH-`-;-4e6SUGK)FJn%V(JkPw`!q}O7yePxVp~{M zYB2?vCXGlaqn{{j!hQ{;?%K9i>kL!FY z+Vk60fhL=KX|2Dlk{#YVfWY4(uDJ~qGMUO2^v%dSCOVGp<=(&Tscb%Ft|s67ptdLDPzQpG4VMXt7nwh5`{>(%^}%Q&sq7b zXhy2<;mkA&AiXgT(N1N_6BP?nG-kOmx*?4nA!eW!Ji$`#G-=>EkAwGe5|6_pO=T-- zxHe`olBN)A|9z2Ws+tDvaStbS)RcUD&LUj+sIF*rm67D>b|v4a^OJyc*TW4ns-y(P z?koAPlw@PxmbS19Q7%^Gnc-vpvOkvU#w5BEaUL^TA9!29Qj0c$5t>XVX%RiqMr2v# zpDMHN`T>^_sDt^B`@1&&%q@X__AXzD?hk0vs`Tuy^o>{dSeNgy%wo>4zJcxQRJl_6 z`KP(EiBY4pT15S752{rbqV7{AHks?9Us|HOngkD@}v0$Oc@r8X85OOOb%Qn1+Kw}(SE4hiMDvcy!ov)NTw+5 zmcv10`YOppYMZBJ8l;A^JFPLVqrtWOC+?Suk`?pKyKO`5(ycd{J_Eo^dcht{d7RnB z@hQLyOOjibDo)O|33lVpX^X3ZK&u{@$L$ba=uu!e;bFpR!tfMiP<$#LLnCzoFT<*NN5y64>jn5ZEX;*HPTBY_L$8nMgR*k2DY?3&?lW3Ot&_M*(^qhBQcMJD(Ydju zQH!2?2*Y7dlwb?o+|rw`&0ctBODy>fdV|CvpgR! 
zz75-fq8R@Jc3`gd^tV9^jO8R}%yU4Vj(w?%qoxc0;u!YrP@Z>GCwv7p;fD!AOE zE)dku89n1J=i+*b(rax83|G>#2;P^2Ohik+W?>Dj|os&Tz5 z!9_WgK%r?c8%PTj_J&H^_)uw{L*;Go;s$gaw_7`OPTzXXMwq$cXaB8275bmF$`d~} zKRJ|h z^Dg=cRc8;JM0{qj9V4X#pXBI$6eUu#Zq#=1Wh;xePYoeti}Hs!{oCmCp4lRSs<-XY zwuUkmyYT*edIWGP!tGq1hE-5LBD2#|%MuL2n@+CoqPA_w#QG0G5c^$;uk930A?;g9eCbE!SD8}!zH0boykmyiMWsRG-2i16pHf#%yx`gK_ zF$PNFiq2snQ)}-dDRnj6H{k)zN-0oYheN;}=Zb6(?K+O_k5N{j!0?wiX2wj1xCgPw zWGdixjRRGyt17d}*cTXiWNR@$;N(UCRaVEq`SBu01t<$=|Ja3?U8I)U#6y2>)|aKmwI>*_YQj;Jdk3eC;$xDNn9 zGFtccs<>3Mv6W5U(>3>&&TGaAOH%}!WR#zy0*>Ol=$A>Q?dkK(J%qR`{qXZdHB#dS z`Y%uSuH~XddFKbORc72hq``(LPfuT1r{9U#@P9KzjL@dc*0B>yYF}$X@N(lBYnZ1a z3F)M$HQUool?1%SYZ1byB|N5K#{3>hh~!^c8%6g&4bJf~)!c|#_+&B^$>BR73Uy9E zx2IBo4(?)9x&8Wxq&OTVezCzv=b2TXp8qx5 z*zM_~02bzIX(H@ikXwOD0}A~#_xj(nM?!WvA%Sf{?0@05-ANrcbR;j5T7SLv|8t`S zx-x#$EaD<6Yt4I4rdkaANbdJ{t7p$VyVeqn#Gqyd!XmEE!B@%Pmt=Eb_gqm+pIbu$ z>7l_s&r@0zh@x?a=w|Yb1W7lAOA-}pKWilc)a0shNKB4T>V&5D<>4+wf|A31jVn}? z(*xc-$z7Pz0+d3SW2!B__SjS;pA>^LxnUIEse8-cG?`{_LqIY4c@UtY*hR;aB5AEn zT#GfnWI)nIWne+!pJi()$F)z1sGW$}l7BXlj%w(y9{eb-Q^#o1C5z+gkx*mJ#*!o* zAa2;EAYm|^m&?UXcu&0zayUEk;}(cqi=uWsya3IK;H!ru7;acaG*^5Y(S$Mp)AUy$ zfzzTK8H!|}wVx1Uv?tGOP9VPQ`08cNW(DHQ+E*`YHbBmD1ezJaL%Ll^Upcez1~z?B zoi6LwTH->w;wlG*LuRQ0OuLs=Igr7D(&*=k<9q#g%M&jJrx?l}=-5i-O2;N21B*DV z!c{@mwOL_1TUtkI$_m!-Nzy{0t()V@Xw!{@GC$PgKE$EvzhkjdZ98PrTJW8}f za>18=PR!*y4Jw$4x3@l0rl&AVbPv@&x1fc|}IY)=0<`9;m~tXX)Qg*qeVHj9dxq{!JX zpYKU1TVKb^)RN9}Fbw3@fxY?O3k;>bSD)#1j5bjT7$utE?vZcL1AM{{B81RjIuD+&2Pd4qD=4=qp*U^U=C-NSt@FRw^YiSatJIVm7R_j|Tafz|LQaW(6I za5b7V2RO0s;1Pp{=STt!_ohSW(jUwVNCUy{pYssqEp^D6qFrfy&$BE~-v_Jn8HFI% zWud`(PyR-OEunhYc-*OJh2II$X*?ee1v0y@+t$>TH-K$g6cOHIiHQd!d={!=v`&LP zro2nQ2b`f6p;?~7W<-|fCMw!Q3TyBGL%srtY1S$;ly|`O+QIXB@uWJg*KaIk?~qOU ze849u2xiRgaibXzN-0rGGO22-$DU;kXc6|-2L0W&pTpI1+mTuhZmxZ&XpnkqyD^!{ z8)_VbfpO83gR#xSNSfZ4YA}e0$tqdk7m)k)q>}a?E&4Fk)h)<}h}oLaKHFtoP2+iB z++_h*XL5|(Dk-Py$dH-2ZI7n%5p+wMlzQJPGcbRWtgL<<%WMP=o?X$BmrF%&8Mn2US-54e`BRKESnxI 
z>SrT4;kEX;eTeez=aAAW=H=c7m1n=`#}aTRDUbh{-+3sZhc(HXH2bVM+p>-dfd~9Y zR4Ataw6RBJPD97-;-N|iB>``MKKVl_rwxBYs%Fj@rKW8t!tCucVO4{u6BA@kr3 z_GSF0wvP1Ep_oMiwVp9OQ^cQ(6p}Ci9IJ6Gf%T<$!@AFS#GHx_J8$W2)7Y#U%^q5E zaq1TZ2+yH?i_ts2={|rDM&qri@9p&ysvR4HDw8y6h$$4UGb1;>=6=g_N>8|EOZ+H? ziLTlCF`uYVI=~K5Uv$$71D8AE5@6{Ym{j&+u{U#VVSgm1oIRx3jVy6jCjOL)`5W4t zC#JPpsDCkC7KgSq;aCvp;~tj}B$d(Zie~1o^@{GxOAgMHeMP|@Og6fm+KjkFn%I&>S`tg;@|vd#r|%!vtckk2nCo&L8AAFm?6ydc=IcCe zpUIJ7I2_&C@7Iai^e9Mh_XN@Uyy^D$k?!>_$hT5RF z2r$rku(puydGzxae26d7INqW>N)?Y$-A`sJd+W~^y)0sfH7&)Gx+O4uj=|f-kC{oU z5F`kMC|sQUyr|8^Om2@1@c<*|A9%AUs0XI$2kl;%5#cLFcu6P0hjHsAi!)s4R`tAE zK0$6-^s_|{`#-g(_#ZH`Ny89_GO(YhF18ULc3!RP@=)1zhBW_qdkm#MkAO3lHo{Hf z{0!d~D)wsi=076|ObM2Do*rr2Gig9s`v(hF)CTDVZsV*cBs%~@dYcx}I|Xw)A8yTL z#qV{O6f&NemtdpfRfO(&s0g;JIW2DObj;F!s~2hr=2b811ecq&kG3mEst{pAbjCHy zQ!QIcuG%km$=hsx1ITMMpDQuG@DZ3N#os80983Zh^}@cEW6$P4Y3-zc*xWkZU|>ZQ zhVcy@pgR3pqUz#~JvvkKq;3IeZ$lkaAiB_`j79roaa6r4{ev{s*FT^AKs-sxC)r+A;nJ4olIs@81AU+cr4_t3L$ z{oqw~_NJdm>`LF{W--`3H-R{Vr+RBH2Hoo**lZQiAwfTWGNTDgG$j(PMV=PL4jqhs zEMs=mHHWLAGnJ8?lcE)+T6s__@@JOO5f!Df9Y&kLTc+Q`?L*ClZCNeq&0SL0@;60B1qTs(!3;cSEHBbdg`d45Bm8~yK*pjv8Sjd)r22L%;@RwA3q?Y zQaM*pTV}|*uA<6NPU!0fg(j9Opp*5W@{2j8#&l0&95Y2gkg9u^Yof|hvqd3%KdvJ% zZ(w!b1U|6c!#u0p9$jQ}d#eZKWVbffS&VHK%)b}Ds;&E1SNO6*Zm#m53>~+pwCsMG zX33kjyRJ1XwRvvmaN3l0w7@y}&h9YNx`q;F9He1w>Ge@+@ z$6Wx5jz$Y9YbJmCUX@V~M$Z0Fha2@tT*He=cb&##ATn||mg{7wkypt}S|#BIKkU=X zt)!x>AB!ziBpVNIkNPoV!l+;qYNfLNlD?b zKCRkqY(AukJA;55nvX zD$<%f|BH97eFSq#O|f`h4@ln#j~MhAHhhw!0mmjGBU+++mLK)ex!_5zOSlS7`Vj4tXQQp#pOSP$U z1$(Mi4k+5*dwljm*|o;`yc4Flt^G3UDwSHJn4}C4V$N7@>PVuJVfC%cY*+&tO4i-g z>T`_!|D61}LvM9a255)TL618Vp$OwcGu)Y9yhK7IBjT>`dlvd6%es1L2e<07ewoxO ztL+I_$)UG)54aA_1^ZyBt$$V~R?qk*MP)cU@6YX=+A*jG!fIR53-m9jw1HHDKjK4l zT$~`2Qt9Gj=Z4dOJ1tdVbSsD{g6qsr?M#5nO;l`9NfHFRK4<=)xGQUK6i3&;$o&|+ z;Y%m3RCyA|evGSo&LsiGW(p$@ODd^ffAk5^LXs&-AnL9!x|?96Z+#b!xrVh(=k57W zELf(g!Nq10ILZq*SCUct7SzI-gK5Bz1w!PJ+>_{vQJf$1HIusD9(x;ee>y}Cv9|_R(M1W_&~KJ3#x%r|DMUN 
zD{EbX(B&|wOPBjeWaug(RCi&43ctu`0_bLr!@#x?X=*aMwh2zOmQlVw?zFRogVZqB zK1fVLcrURfr z9R@m;NQ1V;SZ16&L;B*k(3BG0?XI*sI{NAwdQIv(R@a?L=;F#(+VZbFXJ*~k+BD?a zxUvl(E;koI_IC$T$&^o{ArMOwwjaFSZ|>0>g$7vson2B&2>R8ZF#A5JM|C!>f~I_} z54w&mYbh|;ZUN2zDt|zM8YIxPLt+KsQx-=jbVfl`Y3XRf9+X4EXN?kTjT`s32VFS6 z>R5R~{x`yWoz#Pe(Jo!1OOQriUc;n>oe=rb)K=qdfIaY>VRx>EShrqxu^#h6k|+uX z^xqP2mc1RvdK~3QeQduuU|uf~gh4c2BCL`)P%X7}44K`jNb9CUCg?IqeQ&p%m@EVe zA)Qp71E3j!vAFdizm#JscW4B&meCQ9*0Ew^H|_2G0)n&oF_QIaZ(?C*D0L^xz*Q^e zZJgrF!k$?g1-a4{`mRXh(K*=OxTQ0{yVfGlmfhng?0ALs%wKUAXI#Ir!-K;gxGdIX z_AU+eH|O%$#eL55hA_h{jqC`_QMK+S+rG}m<1&p&Xm8pdRZnwO>`9$*-I<(m2U%Eo ztT~R;yamb9551)n%3GlPAm+=(&PT8$@I?&8%7L z7w#2aBvvZT%^?}*6}UC5%Tg{_%pyB&^o%kM&(IFW2~wz| z_RPR3&kOpGS}NNnEeCJltvd*~+@LQnpC~9svB3dUxLH>HRI0xD;6|GPE#U1`x=&Q; zW_7Xd+2lA5$3#BvDJ5V{N`6H!o2jxblPb%7(m^GNt_6mNU@bhBWrt(axXyyNH{khF zA*@wrjmA%H75j}?YNPU@Cq=8wv}4jYfbV5+4!hv53F~8DaB_rjwTWKM4enHbVTKH? zWY#f>6gGK`uJE2Y3bOEQA67?7ehI$aO7~wt_As<;FEbSsIDp<<5#g*Z!(H;v@jOxfQ~s|=T=zt>NpLh7(nFxy}<^HqfnfSGFZ(g%zqC z-L5n|Hb0sgc^e7T{4Lz#K;84#V{YX-`y8e+tF1g?R{Fd=f&32%ob>%NJ-H zywWi*%$R$2Diar;%`HpdBl~Bh>dk3Pn-kcUwR?`c%2ZG7He-1Jf-DzBB zqdH*TNV@ZbO`)CS!+wn;9cy!AsZ6g0x`b$5Dj2<)J*~lMmvK^nUaW1+ICmlW=aAp^ z-{7uo+fA3r6w#;p=o)0eg4fbAH2j>cHQ(30{|yAyY`bj>$g0gHAaUX}+WY&49B1>< zOreMV)^|9&^t)}V?J1eP*MP2+&RoWP>>$;Sd{h+u?=G8ABnV2(*jhBjm z`76Vs%z{K$w+*Tn5ePo)Xp~~E zjJnzXh;ZTvA&yh-`hO1ZeCjH7|8KkNB6b_H&AMX3cZCXfgKsTb(!6?7_QodbTv`=M zkG+=ZuX0pa@~gSO-_*&G^agZe6C}TDMkbn2@D^)w075f2T`ceqlv2G63*xA5OZ#;g zgdaI2&G$P8`IZVQ4<$L{FqUVg$`>7r!8%~QqxBC}s>M~%+e7|08&q3xBS>_Rp@3%5Cps%Tf``46@jsg8z z{DJkUGjZ8uQCc#fu-;BRkkmYB( zS)z#F=RmO{)5)b1uO+znb?-lrSYMQpZ3ecyVxYEu`&wvGgMryC*R)EcI!IYZHIoKW zx~~UvvPc;S5#sR{bmgfL&L2?rcb(}(Y9G1CJx7!FUeQgLg7V`Xl^Mcm6kDgnxb8wi z3Q)1N%DMW8Vdn*PIYjKc*5t`C`*Ft9+Ye?i!&@a*r>9TxLw_H8Dqonro2O*$a!0s5B1;K%O1V7Z6Lv<*G^4b zR0~3&kCmR5&I;8qO3YY@qVl5+adHS+Imws2*aP~eH+CHd$P|HfP3k!lZqMJ+@SnIi zS34Z5FYG#=M85ip@GZt!6sK@;R>}JUt;cM@1^`cQ@Cpj8 zfh|tulqCq#t_>-@=q!aXS7qlu@`D!?-DSZAMVsr(9FAA4#&a^aujSYyJ|RC1G4z_d 
zQVI5Wx6-e_ln2vIpAwX>aT1fnWdXH9@-kC!i_;&b@^qb|^TLto0#P-22ogWI)Sal- z2D_7s7DfNI#Mj=*odTX_fa^Bn9H6R&+GX(xDp0FpH7+ENrs6*1pPO_Qy}(pC`a4EH zcWGi3`8@O7R@)f8K%UGIb^7k_y+391HHQ(PqafX313f|73y!yIV2s~_{LD}ycIR%A zN?ASorBIPvo&ZC)Ww*~_?r}H;wCpC0&?|iPY6@uYq%~K4DPQ$le7WG%FX$Hm9Ni|} zKH16Qt|P{oM^cvF-Ok32bC2E*n7lqY_Ey>1b9U37vlyjOLRDY;H`Ev}L`ToY48i)? zz;$J(>jOH)fEYj#OqqKxxZUwwB46*WRSvsDbd_LEEbLa1GIu=+4BeyP#|=qjKjTQg z*M_IMMl3Ti`wWU9@(VX^)LT@X6=$6AnUx7a?9%!m8*LXN0HV5FmoEH4s(SlCo(a2~ zQJPoy!M+ddVm6c7G)>xiuO*0d84_8^_gRUb-o$O38jc6%n}-K}-)1lL*0iti^N2GfG8)&{{fwrc<}B-fSym=DC51{%qE zY|Ra-^Q-6*rw{QZR;AQxt%js6C!2H9ym1$Vs?C)78DxR>zhGM2ci&iRrZsb!D+cB6 z58Pe)p(il+tgAZC+Z39&VB=|j#V{FG$2**(NYZX48rf_OVhuS8)dHM_!)rt99>#uw z92ut25M4Bcr;N#hOJ1>2kQ1m8tmEL6lG7T8_LV_hZ~S50`v_}tv@4P{nYBbB+MUn` zwRjhZl^}ohzQeT+wBjJa+K@u^9%-4wFL)yjNW{ZRB%@Rc!#1AlGUccGQ{G_w7 zAU053R3#3KP5u@FHnpA&0Pd(E9ofAHEEsLnzifW`Vq4X7bM&<*< zPrU_M-CcVNLLAnR_5Qp|VJ{hqIK;juTXSCAp2O>RD$00|-hNYK8M_+@rRC8-pbIWg zeN6l7jz0TTO<8@${c~a6v9P0}Yj*$dhkO4=Y1vY2%8+*eMjvL=>N<022ffK#dh$B5 z_Nr-*Yl^+@f7(;vb|(BuRrduAU$l=ct5P`2g*0rs3*v@J6NE+l0+UXhc9_6*0v*f+ z#4ynCjzM-p>RTz}erPU(qi!`2Xv+6i)^geVyGqAXF>7_jx;1?R1#Z9%QY12&Gb$N^ zVd}NYdHwEhP1ydxWlgD$x=B3qRRa(H_etW{qTj{h|*jJt;Qv=1vq7sT&xc zeeF5YE|=M9ax=F<=GM?gu*IDJ4V768^DCP~IVgY^JRbsQCanhcwyham!H8ohS6Bu- z0x;T<*L|&4Y7`1n zK0yh3)nIq%pz0X|i+Vd~oAPSSkOU8DK_9PH-nHBh38G*mB0d&VzbMs6_Zs^zkB!e^ z2fW#@QTnDu|5U~ciSUkp;WA4DwZv(PEUadL6Z!j*u>O4*snzLJ-tvR8Z8X|a8^HV= zUn|3TzX&c@OD*Sg)>4445$q!hVOPBGU4^4PZV?g}$VM7*xHklS&wKP%Ys?M8E~^3` z+b34`Bh_c_|4mzh)W0f2*dYXyN%imkruy&ub-i&@kYseASJQcvmu}`7vktEWZ5zJN z>t&blVJX|8f_Au8zo|PG__b8JrgEI`UFE92BMfoZ$jb`zXC^t@Z{lHjyd}AP7o#L% zO3hY}(~Rj3(9Ie-QR_z^7SwhdR>l>t;%@rGO6;A?TT+d~xcD|TOIp|)HZdzfq5bDK(tp}qj%9y2;%1)C3F$U`ldrOY_TpD^m-ZpY?EG+asXeZU5 zG?o1Fib9e_s=}z5(pui(elTI+2bwfh!xK8|s-nfK8eqENvO+lAZL6*C!{(;Xf~|(y zvSA(0i`_G+AAYW@{uCTHcmye<{?%-vWqDd67C)J!X#fSV@3Ojm(PM# zONDR{`saiJEOFJ(k_S?MtvVxv*Hpiui~QU253Vze=|-%F1TB~X9!X{zm5QI+SQCW7 
zCi5agr1sF{M3`M0!R`F8@&$1W;FKvY!Zk2|%Q=TW-~Ih%1YAL2UVc^mbTI`dk84$)J`ek zI`xV{K}E zDBq;FBtmCFvZ9rVrp$)&T2SO~fm*>}LhB38*E)ySorW-jp1hS@>XG&!`SSdXXnl7; z;aixXc7><@p}U+s&i*F9HNaLaxDPhJZ~;rRJ;2QF$&V=(w6pJZyg%*ywx!-(wy~fob zt8a&fPZcLw%aEOdH2xLT>ZkAg(G6RB){;Dxd7Og!P$k8no|SacZi_k(XcN1GbdT-S zpR>H->kVa#u;hE1{rzUWU+p&)HRc|@^*D8$3IgV>5fF&c*==cOVnvgYaBq3s#ns6u zGHjP7C1rh`o`Es8Te5peYZ3SZdC#x{2E9&-?)8U=KEWiTN9Jn1u+QF7SP zE)2_Speod%fq?Q_((S*FLH=Wt!!2HuRy0-D>(TdMVpI0`+N{hoT;NbucR_v2I%PJS zB!E~^&ibr0WYfJ!%`4S-gup<`FdF+CC%0!%=(L1<7&m7##dV9UvuH9c)|NB2KP4^t zHYNem)DKrVd@ZG>nc5o;F15)vdr1|ldkQljCc38hKkaWpxx;_UZP-XLe0f0!yRS!- zU1HKPX-XJtY%He>*)&jhz^?ch1|G@KHJ3dvcVU4FzsM**wexJWWpH6h4N!{Kvv<*& zq;#uw=7KGXk_J4v4>D!FDwQx(+nO~utR@rN9j-5#cS9xW4n=#tcY-@-xpo({vN`^x zF-XyX32GD>b58`zAYiQrM61zOxf9no7h(x(z``4MkUDOOaX)p(A_%Iea8 ze80W#FHA4zQy~#P7E}9r_O3IQDXIUb<`9A=%6etA+`S(Dz9G?>w31!>-Iu*a?+(CX^yrIcvtl#xoo`vx=I~FsfVme`^ zbhK3(stQdSQ=TbE%H=VOf~0`BPxDXTqXTEc9q#KL-u0TGW03R+?*H&Ox80Ap9(JX^ zGP;Yiycn(h72snO^@NRY7nfqFD>s8)&8P>MzGHq1*tD+OHD_Ku51zP~i~)4Q%>#=w zNk3^2C;Kxl>;kggv49PSoyq;y-$cDnm=`lo>O4f{AXppNC|6zK?2x(`#?8B@{~XXo z^I_fWiJEWveDG^z$uRrH2_ti!_5fo*oWHj)KB5p-DlnpTe9a!-eC?7vm~_tMiG>c> zTy;`C7an6x7PuaKNPP&5K3bo%WAE`HkfAxgp;{2o`RSVfvt`W#F8@dx#@Z^XrKsF< zOmo4%uL(B5HeDkIGN;ibEVneyI|Vc)h#>p_C`z$tuN#fO-ds)t>k zV~&0emeSc$Ddx)$Ivz%dh5F6kZnj@6dOJ8v0UdVqZ!%~>ZgH9d5E-Yd&^id#6BOFg z!Y=~SSOW%EN2a%nT$}T;T$|OiJoSVIh=WzE3;!);4HOXd*$trU<2fzW55Y}L85z`# z#V43n(g794oL9Zd?z#6Do(e3o+ufD|6|}Y$ofpz>+i~kThd-clWw4s|W{#*Fw zHuW=)y=&#Zd!Q)(-c!P2DcJ@*;klh+nKK$J4D1Q!7Np6UN0h&N7@q zoCG*RzsI@>kK>sf9uFul6WwKs&ep~i95AAMbg3gT6{(L4WlVfmy6@CoNP)UGCInZA zxB}5xUNO&DY6MITpr^|#`SC#>7oKkqTgDC2!ZORY)!nx0MD_peeG6~fNS5wjF&YEx z4(=+jWcf9~09TgmL>uc7QSP3Z#bQ8gu8%N zbwV-$khtGmMC{wU%AZrIV{vm&aGD_pl zP?V-hE`t8QwRyAeqq*lc%>}VC2z(NKX3jh0n(rTH(C*R2&Ln)jK#+$Bv|w%VF>TOW5Dt-eP4bh&}$9R=?!-(K`BHOiNL zl)8kS{+_|eiZ{(9ff^^jx`FRC%L4Ukdzb>%6wCbG1&{8z{i#P`0ssO7zQ5l)sN&LO zG5Bg$r~kN#O}7D6v7%$-XHGV*7d;^c#XDzB?J3W=oVP7x>ID?p_dOYPMpY3K5beEj 
z@&h26E-ub1d6IWe0^B=3%@Q;NOb5}*3Un#uU*Ij#bWYXeNI@!f<6O*O=~zxnKrMv$ zseGR!$o5k^HSlX8p!){2iob>s!5@~=vU_=H=7k?qWY|28*0EbJ3gGolKT@9&h=cNN zlyapp%7$w%7mMAxxH1jEwN!G_ryrR0_*`vL@^+mw_v@7#dQZNWZr;)36`rgDq`8_4{eDn%(gVe){d9`nee2hnST4eNz2>bv?lkUZ_6^T6fcIAJA z1@XR;bl=RjJo49^F2C`y4whLtvl|uwzWMv-Wa=wE*F)9(Z@$+=fn4@-v>c^w?|o5z zdR^1AcBSg`6?52goqXdNjM%J}ZqN*3-D!1A<}0NWdoMI;GS}#-sO2)p_2v zHkmV0PCpGyIIj;7(;kv^1W(vD^OkQYmnaYy04-|*x6x!m4dl{G7j$znSXX-`3}!rP8+!(Iq}2Vsi9sCB`oI@B)fOd4REG2yFrGR8+VoXTTY}^ zs+Wey4E0?eGjMc<z!NiAm}Oc56FMlJ3h4>_dZ1ctVqB=1jP2{3e(HJ1?M4M z1pyA>2V|o?wJdda1jFFGge#Hl>z#Z|jtzF{k$=`V4LKLkeNuz9_8-~%^9W}ukZLDX z>qe~Ha8p-Yc)d}oXK8L__Da}DHPGt6=S(=aQ_ud03{@9um*zYpXLqj^%k+c)+ZeHb8!i~QfP1Qy zfXp5-Ab#>W`X-olFtw_BE(h!amHtXUOcd~AB;+Ipff4Z4DnhgGW^zVD$gFDazJ63N<@)uUDgzZg?N#VSRYhYiBXF0bpPvNAn*!?kI z*bsGvo&Izmpys5>DdTrjI@flhiYH2^=a5NI_%h|JLBcvSFtE0>Ry1qp$H&JS1AG-n zNwQ!Mh67eRO{g(46qgpDw%qJ)DEjoz{sO)ym z3i*grE$sq`6j-SE!T4e!54BTQICW<_nsK~ESpUx4nJ4Xhl`XXj)h$emwDGpnS4iDX z3`kICe;=~;ASjtCrNMhxjvm_mShgP}_Z9C}oWYM@{;lSXO0(vL$={;z=actq8w?F( zXiAoBeCuYeRth+xT{ceyidcqh{A0?<=&SK0{xe`}cl82yf%RxK zl`m9)kR+?@Af!P+K}f~5GDNAQHVW6Wx(L#i7pLqwy$&Hqw>Mj8`YU{)|}SGtxCF*BUG4?5#;#tZukh>6;>*@NK>ssH78-E=KWIY$qlqN1Fx{B z0c(;FMcYqRY&)?0B4y-t%Ys);8)_hXhcuAwYVZ?huBOq)A?&FgehTP8&yF65al=PK-3`6F(1(Og`g1@sTQh?b3^w$i?=Xua zu_#CHsx`stm9;1onqK!neeXd1$$|R*f%?+}^=Aj_&kxjJ9H_rMG(X3O8XTIz?x88{ z9-71Mp-Jo>n#Jy+Y3v@F$L^tt>>irQ9?WEkrf%MMf4{$wXjU9M1iEzxVVY)tuNDK+6)PE82D(QvA?6IY6N0x@?=o015A!)W+AmO|p}DjytRTTmTgQn5+a00{Gg-2o{XL{#zHj$>sa~dQC{5c*Dzk9* zvKG#tR3fgc%vavk8psBax|NE#RzD}&sGu`hA!uPc?`2UGM*hwDyaQ=U9x1~Go!jla zm27YejA*diL16lWzuvbd(yINb^R2a>u{F4p?y=3D=mgO1w3WHZoLg=(cYYh1Ut`u( zmK(t9`?6>ImbEKAF|9q>!7LWc17#GXyKg70*wx}#*@t8f7I5;1^k8j_#G%PM(Ua$~ zXTr`Hx~UsPt=_X_&J;kPzvItp)t+ju2;D#~s5IKu)yye?%f~3#Z`ndK)n#h3>L!+Q%!^Rr?9b4%$ompj||5JbwYmmpVV} z!PH)zm;GYHV!JTQ!c-*#=!MA?LD<`QDqLBHa#KU*^OL95)K#85)_$BI-l>-b<^IX$ zu64U@-ELdA+t%&2b-Pv9wcKvyDImsIKh(%H;{JqA0s?XTp9wMIUk?_-6jCH7Xnx7s z63W?Gr3*{a8ki1p;7|mn|Qw{ri@M>vRK` 
zW>13@Se|(tZFx<2y}TOF9C1{J{LERPEVX;`gmRQ*9)2w(7}crHqr@*_hAyQJs#W>5 zDJDkO69a1-KQdU?F%c)6e**`S3c9JP0WG7k(6Hz1TfpbyXHFc+IDdb=Nnxb!-t$4P zPM?Dpup3AH_E_>YjduLiAh-$McscQ(nWq+iJRXs_AFIr(a2Cgmi7DE#ueUz#8UBmE zJF$*q@VI!y)w-U8n+pDz?NYH;w@C*T379WP>~=736Gi40 zr%vB{3?KXu^7OW5?rBn+~O9o=!fTs)%l~548v$hc;rr zU?Y;2uAQ@rl&=cK7o3+z&Y+#FGLA%2dOv)K-6W0ot8^c;yPel=%aU1Bm{3}CiI`B- z5m*k|c`LIipV;1=QR~uK<}fT7xOle`)}MB&N@$q&e&te?)55kNkf{2$M8*HK0#)UV z9ZL<|?|T-%w94=5&Db+GV+(&%E0Kcsv;y!5jC|d>D>evMo2cEERaiLI%pnvG?>B8F z@bblWt{o$n^GU~WbZI>!>!Jx=T3qacxj~C2WX&2GuH@#7;PQU|OH)A%>|wsezLcq+|VYo+tXnP{Ue z+i1%++OmzdY@;pPXv_DCwlqCZ6fBRQOx)d1chJ;u(K*&LB>W!QNh)EN&vWduK$2_~ zcQrInWClF9&4AOf!}ldkU^{bFHhL*|P!LtCcsev|my)oV@lE?JTf*qtNh`B=UF7Ut zBbSd2(Ae5JE3wmeEe$7`yg+PfXRK_MNzVq)xf{1gi3es&S-cSJm6lga{twKWf) z{~Kvk>G zpuZDV$99f#bJSOJG>@Y+T17!SNhPl4Qmqv4RyYmqM3wpGSPIK_n#y=hHBA8h*iKWK zr?d)&aVB4`0YYmR`$?N-tfapAmYc^<8Rxms;PY)_1A(T~gPze3u$&h`N$1e2DpZ;sq~gOlYAw%az-PU$z+) z)+Q7#^^cG`ZUWwGr>V@uB?BEV)Yam4#Q8ux z+juAQ$o~liiQ2ilr6S24I&C<4)l?}5)jW23J7s0$U5BSmzI0lRZpB<(m~Kcv-6RRU z#|mEIu<|2i0o!e&kZG~q7TMn^^--%YsjV-W!{Dv5F&ptg?r8qAI{fE=_@a(V5^% zZD*_m>Ql~^N5rVL%N*E>(i*r5I8}F68@6@ZxhgXO+F7Do%U?Z%^QmEQZq3ZrY?-b@ za+;!Wwb-rN2`a<9J~P~5_*hJ)tJVIL&YN^h6FL2UQs-ik{m{-KXh*U%OGx-0xdxkL z7yKuRyXkjLN7}(|2l0+S-3qI#VLZ{^j}-fUO`3&v!peg8lwo8sa4@C|6#o*StUUs1 zOyOl$8vqs}Q_-!z_0yIe)3znKF#||e%lmGpCda9sDJOS$>)JUt&$SC+AqHqW(`BB` zm*&Yz<7wlTD`&0$p{KLs@P4OGhmP4+06oB%$j!|+C-c{#lYL-2aU}v)-_oRUF1=L= zRe9#g!@&JXp(|@=5zb}gXeEW}88b5EfSQ*7`8aPw^h?F|6O+04vghL(lGjT+Wo16H z7OH_XhfB_)<;)JuU-v>`*C}kQ`Tkz|gtpUG;%6)-ZT~YSZf%35{z;vG+F+?RSgH+{ z`qv7UD&%P_H=_>ZvTH+rN;w#1>+&Ih9+LkpV>e88QQV4URlaO}+n0?_pjIV!U~gV# zJRU&7)J|5JaB*o17qi>JyhYwMCQXD;Nf~yfe5m2*+ozi-ZmnMB%j;N?FvfstwG&ll zv^viltrl#pjP{Ol-)glbRTFtGSq(rN)t(ORbd?>Jwi^;BXj5|3b^IV|kIho0xsLmv zeCZ7LNg8cCYKGcrE7_bqV{^8sh!t~nqV$*EWYkVk*`axC5-$WJO;EB_t}<;>1ZxsY zabF~x7T*jndc9k4=9;^$bYAWoc$^oThWq<=m6ZkqU07D;J0BB(x5=3GoS80z@|@ID zQ0O)&WK%0o$L!%Q^nc$ogd%FEwoHGkgONKSOFJ;|4j=gmK{2!e$(7VkfmirD{;(-q 
zN2%|&f!v3MtzLz&)y`U32wT@$Z8w8J&ybopnxELGxwF4dR*sK>|7wT&5i*s{#ay;R)Gzfg&QLA_PlRQ(i-Ks~&RN-MaALV`4!$|7sC73fWmy#N10Vi6ieF48*LKp%46Z7{ z!nQ^4swcRf(0b%WM-}ZOC!j z?98Pz#hEZ=nJ_1&uBx-Ebav*rYb#169SE5FQ2UXmW{77H_**}Yqu3eF+fQ7|WFj|NkZ)Z*Uh04Pziq~%Fe{;#;0Vu}pB#BAt9cyB_zi;z7 zRGteLeN)aY4N+|8uY~)N( zMPJTNw4!h6tO5A#ndZd6E&E$%$Y&;YMJh{l(r$el%ULo#ea_^|mp$9Jr$A}sn6@1b zXOj*@+4-%KrDDQVs5RQRZ~P!_k4%Hh?5Vh&u+kYBp#s-%lC_+%F-hJ0B+cUpR2}UsmBqbUS*3n;gFS0ug(~JtBR>-0 zOZYX6p2F6r|IoypN$V!PMiuUhJPACfg+wR~x;r+tM`LI3c{2ZLQA+fT{kJiDzj)3t ziZO)WUE^5*0KmWe>FB>QGu%Bp?&AOW--qMBm3GKQKh8Gp{ba*DkOd1m8&3Z`Sg&I) zgr@92_yrkX;g|@*}trK?XdVw)oYgBM;eBqaEL9QD@U5A-(s%B1HsR);Av^J%WW=Y z9k0l%^~>|#G*otf`dEjVZmTC>iQ zahlAZ+L?_<_});%e|MDpZj}z_j&%*ntj;t_iNLFJbo=tZ5vi2qoR=>nJchuGTmLO7 zCQz~lt2hE*-UlPjyzDji^Qp6cc<`UaD&%9hVjK6-kK&Hd%*k>m-;}qW3YmIwD0#N7 zQue%L@z&=rX6d&d+!g0?{D3WUojmi?Ru2#JhJ<2n#?EM}+QsOA#A4>@*8JP1KD8c) z9>}*5G~LDQfyKO~e2)oBH>jo8w0UoJTR5VOC{53<)pWa66r~#o<=!TXvu0ZD~SX8x96SeL7 z=GW_vjCM6rQ&+56`yPuNm=&;S^)UlAzed4+%RY)dibbCp?_l+nPjrI=@l3lDjkoTa zGpL=pGf!y9D@h<=$_D{t zljo_pm!)nlj8>_JwlLWdvQvj^iosu?*~6E2`(ZV+9<&tXoXHo9QMTn{7CF`2;M=Jglz0idC-Ghvn!YsUS@;+eVyE!S@lz+V1mGP#peC(xb2J1!xx9 zTBbwE9VmidpA<<>Cf==tW1gTvW@z8h;EIoQFkIH{_CoR!UYPuiAEp&=?5*TG@wTwv zo<^k9fCEjG{N-jrSEz#kO+*xWZcHX&UJQ)v!;4*Po_^lc5wL(S#Pm&_&Ny-Wb;vwb z0GGe{>1OI&4^LDnUhzY6wog^rgp+3=(aU(Bq=Rs^iDFeZa^U!gy+N>sJ-68=s%mjF zJU#Aq0h}S?Zv{qY`!S!~WTWo0tGH<7MO()W(pwg;k=PiuW6pNChKLE{m^z=Y|4L)w z$M|x2n;T-L7~UT_;Bg3Mblw~1t`eqSnSh2 z1&)JmzJ7RMXuFgeH98xO7Vu_K!ih{-12CK(?nXjla*@mP)zncPnd@Na$vDirn7&-y zHW6q0#h!#t)nT1!D;P~G6+(V-C5hwX224b+Z^0d_T-gW%9p37yV!}cW?bZjg@0O_a{|4EU(afHRRo|ooA?XzaSCol zM1GUDqzsoU_vx*kkgu%&)>>7gHOl(^26ulM-;M{1ztV%krQ95v7=auWGm~ua`C0*= z7Ck(G3>&S!a=u6MgQA4f|JgmfA{PGUb8`Ho8!tD&PDKI9?$7flZ-71xd@3@(HTec@ zug|<8urh-bb~NAiK=woSoG$3VfATb(EnN#=Ce=;M9(|z@G2O$W>xm%?p!ObXuES$RRh6TN7`V3#@OsAn{e$40Q%E#F7h6hvjCgbj#35ia{&gyuZ0^K{FKU6 z_$`HY!8D598Io?rkh^(PP9_9jB(6r5q6G?x&yqKgbRn-MZt_+9M7^YH<)`X5v4!g7 
zP4@g#A?AjCWj{E=A4O#*GmK+avN>D{jW$vZ=ymML5s8lqzpdp$ukoxWl~iN6>Kl-m z6PwIfww=Ji{)TG?krNU@G;IlSDKaWSpf!9zgI&z9VR3Z1`4Dl9~dGaTW{-XAdY{tZSfqB2QfL(zG<->qZU1NQ`PzeJZhZ1+F;%J~Ii89@plD1{Z`&4#5SzqB5kc2Q#+>zkQLgjN)W^X_RK%LsVXuWEEtk8UUeO=;+Gvc z5?f7gNenHLP|bQnrZtN#>9uI$<}q8rf?hF8A2N4l17M6;vaD?rM0Hy4kUH(VG!`me zOlTy=!XK+xwVjtn2^2xlW6_5^|HSJ*ak9+kP6(VN?%5BMehLjtrAp7T7&x{TW#r?4 z-MG?nx8V2vil?aJe^I61=+pG8KFwk4Vd+i6c34mOSn8(GJ)$_gb&zFUX_%5BLv>B5+%Urg|lH}~hd{x4yBneNeU2MgmaIc`0wAiI`g?&?< zq5HgGA$w9+OMms1rH2)YerUF=p*!T9==001|G-kxgR&b(*${U7d;SZ&8)OO1n zGDXs~FGM+B{`=kyz;EtB+qBW?Ip5N<(qV7IL2af_314S9;S1D(U;_HVB3Nlw<4eUR zO`? zeBX{ZN4lZHA%92k*0R(hfV2*wdeYf~Y=^vb#<`rp-I+yrqsKh^Sz!c7-vA9he)t78yV{z}tk(Mit6KliZap&qb@A_YlRM zg;wMra`SXRvz%~-OjTR2EUi9;FJKr6vsDAFVJcGD`V&VXfd(6ur{S@B8?D7csM4L%=HEx`DPFgpoFo2rY(5Ws80P zoXHn3Y|tX(7t^%wr2BiL>L!XA-%FxI%4XfnwbDBi{_H2_dcw$p7S9Ii$6i+bXfk%i z1YKz!m4b1+lk8P}J%aK#GjzT_sEe{fq*iPo522e20-E~}HOFwGwJNS;GgZcJW2I3ju|HoAVcUP7Fi!VNKbNm90*g#oN- z#EG^C&rfRHyt4;%BH(j;Vd(sN``P)r7ix1T`aE&Q!cj)GnEPI)fZkf@D!~M(h!?aO zlUk8HlZ{&;h({QWjbc8{TwKz^0hOYlku9V!plm7d1|Sv7@&Rob3aBQF%%9Ga035(#cF@TOqj zIWUO@d~6@68tA`bln-$vf@cmNla}@hk8G_26eXXH&s6VhU3jZpzr2idSD?=a)@&Sp zzSnhzN?w$33Ig|oKQ~K}9bCQS9@yaQ?j4_7W~w{?pDyxAEyP{S2Pg3IYN^Sz+v#Hl zEGMzNS7VHrkVncUic`b8^^ZC3Wyc#xw~g4(^y7e10%9nH>+eo~La`MrI}6;Aaylq> zFcw^go_Wc+nyvYSD<4nqL|#uo7*C>LkF;gKgW=%fcKA8T%%RQ%LBk93fHmGa-RnDdQ528^HeP>bY&XZx;{9iI zpQxGEbVZK;FSvJ8qvWrd5y;`#X)`}U!o^1Qz0GXI5Ejr zeu~lu-wbGyoA5sR>QMi>y~fjscoJ0vTi=$q`o>Pz-1 zO{DUnZ>+!u=r+*GM$)5MhDEjyw=^wz*gr6TWv6ah1jZjvy4 z)n1^rZLRtN9{(~(--a${u%dNMYKk6-kvcjxas7P{Axd}?XrX!c%u_CA4?uss;Dtz5 z?FqTGa4b#js7lD_e4cy0)TvxnebknkWzugRz1egn*}IUQqn&J>jb zptpbzNKc@75i%SYd1YM2gr%;CAA{n%-7*5^`&T9$s--s4@OOQ>XItS*^59Hn;K3@- zM3N3A#|T3p!irNY9A4#$#j+422U=hxH)5&Se8L}|KamB&X8@0(-f*2Jz$kKdWX(QB zfk!8Dp~NYq4Sj3287?NRwAsfXje@@lK9b@g;Cw{Q%0_8cpgFw*O98sW8P4(2Po(~p z&Kz~LJjBURAZgl@@E}pV>|(wulyezy`D9cCmjx8shZ{fev~y}fsp$eQsxAH|S7zR@ zixRYbkHJ;Ur&yAe%fA=AnX%S=Ikl4294-9yCbjx1gcpHTnQmD8TmIv2Ay@{)9{|nd 
z^YJ3pgV}O=TY;albtw#3$d%cM2rHHWY!s@11YG_uoiRTEJy2vSd`Q_~Is}#Fa33cs ztVR}&!+Y@YnKJ&~_qp2HJ}s_>N;UPyHdK|UEy`9*qmb50a&;@qL;>fi2j5^f>YCY3 z1}I_W(oMeVO1LU2&)j79sBbdMlTK#x^Rlq+LU{<8U z@|hVYH~SzE>f;+7^D!3IBCAL!WAd#B+VBVwiNZf95L#RMc%8*es;N7YO-wraHROmD z9k6{flvBraCA~rOpbq-I0Axt8u3|KTm@L@pWo5gZxPjVSl6INO61#=C-)bOf+X69P zw|OuI{XQ7pf-+Dt7Ziakbr7-m$=h0VqIyG>GLn3r~spCyxT;%XsYuHYOcvFmk@*(M6t<2G6QEK2y=HWnhs_ z85frTCdpNzCrVMpjq76wvp!6Pb5Q5wumcU7s3j~wOQiHbe+jmt<;#Ihz*-yj<;KQ0ZgFIuePBtP&7*{q-k$uw4XP}RyDrf662 z9DGYXZ3c%ZU!kZ{KDVe2av}f{L~*4qybjSHumK~X@y|ks~g`)S)}_Q<#{m)kG(Q4`;)IZ89MH1&Jz%OnxU~e}hkX zR_XANyotuW*R?IH)Hfz7D03aQjH%>Hmkaung;JoRD}J=>^%WQmL9f`&mGp8YC%KZo zD&gB~+qJHG*42r1rSC)KzknvID``oVB_YIx!=e^NgoXZBV({o!#=%BL^3~^h^{Up-|1xz;x16l7nzn|1}B>;G{zLa@E#BmwY}3 zF7hs60Auf2=)z@*xa9m@JfR3m^uvJ@kUvQ!%YbVQ;+3%9r-rlHkur=_qBdCUkV=|u zVnbIGrmefG_O2`ShPD@i1y5c2NWLSZl@AStJ9Y!6_S9x-4aTw&Z)@FYDh&nu$p<&s zdw!bea*7-B3VX;d42kU8bvrfaoakg5Q5!yJFeCd7qOeiV8z&XM8Ab};+G zCpRIygA@fbdO>CDmO1Zs(Q0GdLE@X$Ry}<>%s)Ict(MON9C>C#!zaUNJ!LpoaErpm z*S*Zb5d(^1Rr$%sq5i#?jnoy`woKU%Z8I?-W+RSwx`@2h_i7os=aQ`Z;X~|7dp{#W zTp_bg)rz2|jU%bGq>L^B^sV5eJs3#sV04!fSdNri0ew8j7TvIB7JIx%^4iuTjR5Sw z8ZeEj%jb`V4pW!jrbpW*>PC|uQ;Cv-gzAxUAiKh* zheZOd)G8FJXG43fs{Tm(1GkzQbH+j#nwM{NPic{Rzy67(S zA%So~%`n*0pmhvOVFgTr5k)T*neAwv;zl&cF5On;{Hz*H)MxJEU5K(l@qTL*gdB?FNp#Lc9z02Cq`JNkVf+r zu=4ntFSrF@=WQ?Q=tNX+Z1R2S_#ccK-AVsVekd8qQsy#(LS+J z)i5$cy@D*53luXi@1k`SArm>eetYrdt?a#+x0E&=NdlvNr6!g}Q^#JH3l7s^ci z7F-MchknXk!c0g3Djce~3w;)em!U(f=SN^w!!r3qiOj`(5 zz*Zh_Da2ef(tJ^2M3=0x=;g^d$f^#iKHcZ>^~#Ls!0hp0^SN0n;DN+RW4BcMG?BM>mm^hLg7<%oPug9b~|Qz zEsAfi)sCo)A_Ywpx=OXT)|r`WO8^f=IZuF{pAT;U))3`GK6cH~LJa_+y-58QFAy%q z*Cq}~LRDbZEGqx)%dMcS_5IJYIs0llf~^KN68im~KiCh4cJ@9|IHmAdbcnfyTq` zRN%lSV0bPYeYl+X&&pdHonVN+wcHj!OCwP{*jFL9@?U&hMEw+FU7EJOgPb#E8zKhY z%Fqe&Ier!h12B3cT?30TA`UY7T6YbC0G$i+HRdfU94nzF4P-ex4)B{GT{u4tWjdN+ z?VcryDUHx|xaRYM3B9FS)TqtfROZKCDxF!T1zie|*16KRljOR6Ta#Rxf!8>Izku0H zol~f#pOElb$;3@l=NhuW 
zDAcAhvn=y%sdz3_*W*!=X`eyE65cmClXWtZ2sl1xAkni=?_LRMVc%RuT16m?R2s1}<+LuA(jZCu12|c4&IA0DQ+neGh_jsD#|A z8-5_IBcmJft*G9Vi$rpTIO6o20lEigAW~Z|pBa`>YCMJdvEIq`$P3gBmNYd&nx1_lVKk>#bzZq+ZaTU87yQgEwBS(6n(a|2~2jw*-!@wO%`dkX&bj9MjO zAr16SmL^g~TQowCP;?rbDg+5lT8QX#5_b51y{Yw0>vUzdn#iSJ0nX}(Bby@(vh;Wv>j z6%qJR1JC>FN&Qs3TcH?S?x{x!0(PruB3)_mf)4*CL2yd*m>Ax1MeJ}Uek<=3?M)p3 zG?Q~=MijfgLC!R$qC$qfH9*+D(;K*fg+eE>j9FU2TtIv<1l7TQIwI$9hZ#WEQJlG? zmJOV~l$$GhNO6kEyGaVNU=(?NAp@Ph1j--FnJXpY(@)yh?|TWbmY4i8sAW1LI0-LChv7<-rCo zN1m=9v8xi#V#IE(6g?V{_NWvByn!$*N8sjS%fBlU==ranXjs_v?bm z*e01wTWfQ3bsh^+H-E?CRzc@Ngiv{h1NqdZ+oyXXxea&d9P+B>P2f8=hhTfC!r5mequ;x-KxmxLafss)6NNx;l2u2uqx3r^@{X+yiC$psX4+2sv*Isi$;V)z1m}{l+25Qt;HGL z31c3Vi6qG|yW}@(mEXDuqHLA%CF{QY>T>?Bp`})S&AbY`{IkZW;TDQXSEV!-`Rs*c zE!@#4Sv`alQP+)duDaR-cJifT@YBV|DyvWd6!Ge&J*lE!tjAR&4?iY|OSmKt6LK#( zl6fnlSQ;@9L|$HCKbDqhZQQ-#0@z@3RAx-b+Y7P~?3q(UI6&e6aq&r>d+_acG?;7k z?#M)^){WlG_31l&m81#51|JsUNSRD$ig0>H}{>iu&;!!@}TRG91Q^HMUk?oYZZ6KN|v!pNo^}RrzVhFlT*ym6vJ(g zP#H)1N%{54qG185JB!mT>x_8V4(00Upc8Fpnd78Of>s_4;f2y&7F~wca22? 
zns=HF1_lbl=LYn!a zFZhP#w1@Iu?w@_W>N$NCO3kv=mO9I%m4tmmtSG>?<*{wvW81cE+qP}nzQ?w0+qP}H zZ~vqRFP)z^sOcV6R#w%*mPw>N$uLtoAM!3CZvYc93A#cUvO*)RM|8>cj=N)0C{#*c zP%N$5>aj?iFv7-f5|>%P@6yomFAi~%n`*pAk@%veTnts~+zKZ3pcA9;OjNY}wR)4y z$-&a>@a$-pUMt2ec{3@nBrZv4%P#Q|u@Gr1$zNzJ#23kj3QS%N2}sU>qY5OFDemyT zCD*2LtrQ}T)cih7Ip5yN$X}ls^;`u$`J(NP_NKq$4T=I53Bv;dWZYtN!95MV8Y$q9 z{QHc;4a!6qLo^UUb@}H7sy4!RmATqM7B_apZ=AVaJDq2K1pPs(7cO1&mWp`*K^qZ6 zcL+R0t}{lp$Z%FQdU4RfV-2w-r2MN9!(`j`VqjtPuZTecEvFQcKZb9BJkiN6WC+jvHwaT zY)D4j0s>YaC{uc*5>vZmc(~W#LtPR=E1ve371AmBzLkWSF6~cP2s5C?mUCdE1N@lWMB={c#i^YwtknOT0fG7){&$NV~ zr!Y^p$Buf|35U|>0v%fTOq5l7fR51e!0u1P=f<65mw@ZELOAp}@j3(mhDcM|A&2p#kJBAu1LTjm0#1j3p&eXX49l zMvO`aBRcC?%dKSN%ML-){DVVwN*b7vxIht;XZYgK6QFg!T(>~z@TS2Z82}v}%kdM2 z6O|uCWZ>9Nz^}vM^VNlCtC;yz9H152y|{yL0)CvRly@>x)wg_;7-OY}nTOx=xM zodWl2p*>OnnTfgvWw?lUB!J9yIvZw2HH9BiOB6Z$w+O5NYG(Q>J32yVAGs|RA6hCU z=(;V7<}3n;^EtWN;C#!_RKYYe+<;IJq_xvUI+NfX`U*Jd8B2KZrb}(ji*D7&SDh@x z?eEbI_xScYT~}jnr&9Bz+^UW1z}yV%8Z51uYIa7E5UxxBF=)_ne3^!rtBJ5#C%Lkg z4oc;==ALmt7EYqT{=OG_CH-6=ihnF#nR$`41MR&>|8=5L`ajzQ>w2mrqw^a*p-&TC;ML#XrM+-r~6jLX;iU^21izdCLX#GHfb6M-fM=F|VTTJ7$5s z;fX^S%UjRmt3_ke9SAr^VYCi|{R*tnlByWp@NC8?ugtoCa*;K`-#%L}sXopshpRmY zEbY_ojKZE^KwM0pBT->u(%&5&2DRf9nOP)-lanI%n`3P8c^PT`7PkPq{kTiUX>H5hYh z)3aF^vvo9eb6NLvNi=i-B_+ptXZ^o?M>^a`xtv=IEgFA0f4`Y3qZ}OuJAIjnk#b zZmq~aghwqvnbWZk$%w^3U)kYpSOPZiO2=AUn9GB5Yo4jIC1X}X3sJvQqg55mzC!}5 z;uJookHBne)9=v{ArQ#NXZDnVyFIW6uuJaH75oLylTOwtqHz<8WIdR=Po5y2$C3$o z#E?uLZwGn{?L(|ut$he0eF(7Lsj-jQU-o{#ai<5^^_Q$c|DqqmhtQLFdo!ar$hA^1 z@~P+mkNo+5&-oy6N6;h@4{-k!nR-o;ANgesX`$cu8CuP(@e283XSK|3rEm%~!@aA0 zxR~-XKn~)9_-&OC7z!`j05Zvd2sKX;R^8ohC0xfPNR5qvrm>u;!yQPGUfh|s>~1UC ztwoV9eh*+&dzBUae)@+Zi5fxF-qTy8mduB937?>)MK66F0_~{(TSn8~3F4-#O@Xop z%U+}l8s@x*L#Ysi6*(g)QpPFUe_>nBe{PO~wH8Pj(V0^_&V7zmwp20Sdf`%S=fcGP z<^t7Qj+qur1M&TUy3^&8Li$3$5ly#!WUeNiGL|`Ay38kx^y5B9RE<+r5kOTsTuXO_ zvut8ibvaD<(hWDPVI5Qr&&XbZPzPHz@YR@c6#GnwzzN3|>?Xeb-<_1l_b@0wDe0@^30o zddU$1-Se!-8`6kc9GdjirKDfKgwu*mrJZ)pPl=o*RZz@ix6gFt8W4$H6h7U=^FVf# 
zpvJBPB21VxLT&-JlphDMtL6xW;-e=p-oa8*hmvv^;DqWH&(ot!DpzVfl89V^8z#;4TLx(uQe7fmdxxQB?A=`(V!{!V^+P+7Q7 zlw#x5RRnm*+`?F8X_r1w@f6>UUAN49oIVE=va@N^^h$fWG+8KB6f2LW3U-Rjc>hJF zB(m;?DwmfLGE?QYxdFQ`?l))k@Ey%}$T^d#irpRSrgjcsAC^{xbrB7vxpx8~bK4Mb87;^vj4l zXAX0FC1w-SA;UYN2$bMwOkY3;A9n+VZ7~6+R)A>CRRtsVp`SR}q> zDCldlRZ(Va$FGW<6wY`z{GzS*P^@0?pY*AWA|&r*>eh^tdSZnES5wgc1vv_+-d={@ z3UOyrk{G8{T=6xYr;jv*zY3?u1S!wG=}z3xYHj$R5{{u(jO^YTp>V{?m~15L;)A zkg`7V2nw$P`e0$Tys2!eki2l~_4sg-lu38^b)R(Z0FMBtKM@}ADM2v)6ARk8-ol1s zN>ABp1p+mHgnot3(@m`c8(Eyv=l2;SfgZ2-jA3*~2-aTTff}%(@$yZz6<1FZ?;xAM zeJ{%ltR7`U$=i;>t@7n9R8pV{c4>B;T{iGgxu-?U#WgTh92%dufNEZNP5w~5AkpWq zO;&%0PWr>;mN#fkI?co~hD!G}+bDys%~W4ToO=#{@~~=Ezi>_5>)KRY5*#l(`}paF zJcIB0_uo8#Bxl_97R!T4sFA9*#NRuEvEtXuA>`i|9HL^k8E8Z-N#;<( zN3fAl)T8iORn(43G_wt*5Lm0jpr=W$wBLQn;tQCy)B$|U z4`pV3?^nAfXqt~q&lyN={m?+b8fL=)6%{sj6ba}RzIp={)Nu3of*TtY?;6H~Izw=H z-V^s5$h-iyk%D6cn)gTm^P_N?gfu#IpOu4cDG2bccT6Bz#7*0k}H^3Ft7Qzw7lGO?`UwmeuXIiQrY1K`7)zCUZacMVd9_5PEioXeW>bOF_m(> zJTb}`>5s0YQ8@^h5XqPuGrDB51Z*4`TS(zxvfl_B8_^)wf#$`n%$ ztRw--h1o?47f`V9X&e-c`U`szpr_gS}KaE0a} zq|1tR-sx2p4-aL|x=G~CJFAY7zIUOY%RTcE3b^58$`jJt0Zm*~FLg@ZMNu51=mz>RCdgw1^9VYDDmKL_d`f;wf zoc`1CFa5iIJimFL-`4wVJ#koI>J2(S&JQ{-fZx%cp_gcD=&pM@iLKwWs)BT%oNr%_ zb=%*x&()~)#oXU)A9x=;JrjE(eU$8Hzk03j-9$h|PEcaDcf_9sp7Ym^)6?##hSyCl zB}v#l)GZ%P7xW4ctnKF^j)I4<=h#lN(b8_)*Q#AUj(7X7)(Kn5T-|lp@2}p1Ry}gc zhg*D)-o7FDQa@FV?w=sN_z8Gljd_S)2CN?s`UCij{@Ts{l&^wbe>G6&qcVG`ALpNA z-}jK;OHaQrub)4!KQ|;dyYm>Yr$kjqROe}HJ_oJXmltU%@A?f|5QaK;H(}tKjKu@2 zu;8}$$uFH>y@ydo;U(n1jDr50%u^kO4^1HQbCY(57O%k1kNFkIl9#e#E`0~sWAK5D zAf-H@+kaKuo<25BYQhp%_jheOa5%&g*TYo6Yr`+&xs&!v?Wxh*6OyBlS`N@9Vum#t z`@o+FeV;#VzMew`{-#~8$i1(0IhBY=mAiSa(_98diH2J<5$_{%e?*4%mA|-npd(at zMHC{y4TQ3R|Lv^&5%+BWJ|Bng^!pboUDY$U4JAa<5tUXB+Bh2RDx^4P3=t3Nb3e@$L8b9Jcq4(U-nuj4gXMr%ehNSe0pSV)p`i0-_gnT0y{AB<1^2kJuK6eSz zI%f*OVQ_Z4>7G3gnT67b@A~*Wcw=u3hst!Bow;o0I%O`F?VL2yr(*}41J{yM$Aml1)@KYt&;2cJ??Z`5hs36hJu?7kbesNET@ zUas=;(6;)wn&q>ZSL?Om#;vk7*=w}B(erx7k|(XTQet|>lJ~WNbh)y1-M!QEwjW%* 
z_TLEZ*NbbSnaCCIxJAVhH3g4i6Y8SJBIuhz(~I030oMMcg5pez6`s&(xA**=byr`7 zC0V!iTio0|+aLK$`Mt(%uD2C`R63buP&&9XGX)fCHf{CS#4RO;W8@Ft81J##=0sW_ z5gGvoX!k+r7EkJm)8i>WW3|sPaI{k_e-F4D6s+R{xF$Bw{l|PwL1y%xh)&bJ2UTUa z^cy@@5oF8UsKF%z?Im+d z;Z;@U&t+J76AhKH7e74uPN!<~Y3ViANWD2L=GDNeEK%tCR7)C714$b7Mo_Vn{y#YZ zPFx0i_g7?_1u=K?4q%TCHD`C-+b~?z#u39000mGbspC0GMln2UGw6m;g8c*2V_*Omy~+cFuN2cGh%` zrbdkH%pA1#9xBR^0KnJ|cP2Rhj*B}q03gUKAOOJsjJnp;vfJcD@}-;m?UVUqTo{SP zwa$9UL%Zja&FmkCyms>kB-CII3D=5BikCQL>DSkcT#;=u%~|fH98h!f$ljFw>qPYY z=;-LX6Zz}*yHjc5I9l=~ft+~yaU^8XobyzTKENqQot9{au+{fTdT@?R=Pg&VqO^0~ zbMU*gSea@Z)0=tL4KXgQ2OpYGAB1-`Sqh0pd~g0aq>y3>K3m6rBs?7LA;fWoFpHd& z78cU%FCFpgX*~#O;@sRPhC@Rnw_m*g7(H6ppF?3<%!KG#kcmFL)*!p0*f;Ao7B;rM<7WV$7T z08Adzay*E}dogxBKuNGa8VhD%r&o->n94;%puxC4p<_{C3U5WMHdh%}9bUh8?rd!$ zQ|Y&|c&w|~l+u(sW7~nj2~83HI^QkHj@ut^_s7S>9#BSP2Xc5p!m)2}!veb+cjh7| z%5`#S=F1THJipH4f@}}ze?jZ$&uh~&*m@U_V~t8g4++Rwu=#kOM9+($PaN0a(P`}(x5({RAXovJ9f!!>(n3|}lD!vo7VaWo z3D4=g)%H8F``uBBybUA3MMc)cTLQbWyUr6&mXG=LA@(8Lgc-Ftq5C?`0`M9%`Uc3@S6xXqGefA&zB>i%R&HT!NA;>X zAKZUujGzh60!gyxng>cZyooZ>c^2_apI1KJKz_VkK8V>0$?oEqFdyTiJ*sBl!ek>l zjc?o-FSed$Zou3Qne6inqP|42re|9YSl(8`7TfD3+{}~ag-SPrYG1!U0i%K5W=8fL z%I~uG#@~~@1z68QiyZ)-jPi z3K?T2`lA;15;8%Q#or{`pY;C>KM;GeJ^fN8C zW{ivIRUXsr+j~>bq9hBd2L&NDO>B^WTOv$~jeG8d2rSMTGEb7@pr0d$+wfqHu^ah8 z@%!92BaaWR{@v`xcVf+e9Qjm0TCxRy6 z`B#nE2I}eAS!ov=x~z|Rpk?UX6|%F1)tq~!&a!JM@PW8ZmcMXP#rHNV1*jL@=sfx{ zjq*-Gmfba6NRxj7?JU_35JnGB=5r2HANfZI zr<@1bL+;rjg8CD40|)2(Hy}X0^BF+|SJlM?Z>fFxF9?ha{gB`N>shVABI$GCzZ&}P= zx^DlGh`l}AkZeAUSIUcHkzZe-;UInr=-ifIp>jtxlk0K|ez>DAJu^0e4kX~lQzj0+ z&T!j+Ou7*i+mutR_^GMkQ)*Ii9!Z@}!x3U54uNaXl?j|)2xClnYj6;zI|maVQS!;)`l{rv!`U?3cC$t;4_*^t=4>S zRz{;dzCpNk2{Fpv&#T@8mYCvlX|)Z3wYRyWar)7*Co#kcz!3*J_w*~ct(8YxU;PXg z{yur0(d6L4qriP?; zBcEREO48d}Qyc$7H=f$Nt0&~^t%G9M z%rdRI-a4$wluo_LvZQI0b7KOn9teo_;dICJ_*paAL`!rg@k)gWnjpl$%Z5?%1d{*43g84;3 zCpMr*Rl=eWH(Argi>>xU*=Alok&a7TCGYPMo1(*}q5+x}*B=w%;V3YcdSes-g-IZD z+7aU*kL04DSa^ou$qf#ah!4 
zRLPe_3F#naSzAYfJ=Uc{Zu^)5Sx=n|T@qfZ+uYGHb4pB!L{7!%n+aX2b43ZpT4!7m z3AWtY6z7yAko7Z_0f^*cFQYA9VQ=`tw0Q0!TJa}nj*PM=G}l|wi_KUg2(Sx7HH)qw z5y=FW3r`3{P0gaOZ~Vd|4}4Yc(K#+D%Ac4&3YBCQL|!lIYjc^6W_*#u&v~9)As$=O zwtHvQC>b~#;(tH-Se>O;s3j9P30U$yxJd0(x`y|%i^-{-s+2;o9s@Ig@hg{c^@QV- zR8b15YJ#G1H^fc@nNicl&Q!i_-`y)6ecuU!Wl6`C!ms8B;bKEv9iw!b!<4Nu`Ff3> zn4gB6D?w=Mt{FSLX_bk=k}R` z&dD9Y!bftthBH$YfPY^4@vll|qA2G-+ck)Q-dZG1nF$Af69Y}7a4hyFH|I$>iap>= z>?{Nu=}Av3v)D5e7R^PIvJ(-~2k72;a)@fOSSsJZG%_Gm$FflF!bFlubp(mXXUBl2 z9o@p!;%)0&bjvfc5!6Hh9*IJF!kX3IPUbO|AnEI`$RwbdN}ar#(aUu zkT;GZ44fwHF_{2jn6W?nwMI?t4;?pXNKtO=lrjmQL2UEgLRKYLE9UH#he$%*SHVeVNqH z=i@BI7s}ZE_^>@au3i`P$mt+7U@^Mf(4hltUr{X-@h{K#xAB`^+TgrChV*U@Jef}5 zn5f8tY# zuRh+%Jj@dCw>cu(l~fvvMV(}U24^Yj%^60Xlt35<58yV5hcf@}2PUUDU+e&m!9?UF zHO+zs)+;;c9^36PsB;EA6$@#&5CvXAzYs>P`OVxld!~@k35o}_;x~yNnaCR;wJz=jIVO$UW`2_=Y;zx=Y3AIcYKm$%nohONbn)1ziBzUN=aYI+OL8lnVHn|d z8JUkqVAN~$YV^QPI$}Jvtw;OO zB{WnKDFkiSia|nbg;+o_31D}&N*56HL_wZ~YkNtN{H*%rVBHc?v5K;Syj{VQYClVt z%%l23gtIW9Z|)&z{6NFzXaSGoQY?uzfD&$`aNQ2#vj>OLX5dqXsqaAls+K#>n}or6 zXOzh|l@K7Cm&~0ns1|W1Z+6oHZbMTCQJ1_L)JT`DAW8nogcJcT%>hNNz?D1~<)cZW zg%)?zX3nwvk(@W}{b)>F6g`c4p&sIDT8k8GhtS5#!L-_1M5~d@reFcXeVBJZpbp4s zeK?oItr8n0b@B!LzANC7Miy%rkr@s(bt4us*IQYR5m zBUZGC7PER7ty2?uFeON|dfb==5Y9pC6m$Sx(X^|^8K}_7ei%)#u75oZeGUL#HQ^oG zSWjewd&bO|v7}^+Nx7l@#&?HzRd~@KW`hw|$$@(P=zD^)UJh6@kFFsWw9;t4cqsvG zp%BgsKorgHanjC1b1|C3o)Wkwnp_!~gAmCV5Qdx8+g)y<0!aj4u*fOho9#Bqa_RhE&*kr59Y75=?+%$91$MCm&n65?5lsY;~# zZIWfOtBw}j4Te+q{sY75qVF9WAzUggZYCYn0IVEbazp7tF>+OLJi`}sgVmr$aTw_s z;D8+^`1pQYj28_CR;`@|$qnxxVv4tv*Oylz7*u%Y)QhGsqoQAS|Du{{9xj<*SHfZiwFYPJp z?>V!$H2h(nRwVfh;tHdrK>R!jkPCG?;|Gi5wyL)YkfPI93Zsbyu^IO}TJp=BMg**` z2DmPDR(W|0c;kfX8s%bqW~z|kYOf|(qo8QIPSyyL=F-`}+UZ$JNIOHQj{ZH^z}JE% zZt4E175@CDBvWG*<2LRA#-XsY*x6NmN2G_1BHQDr&Eq5sT#sJ^gFEkL^%EPKL70Sn z%0hwk*@Ck(8H__mIM>KM9-Y&wN7snuYK~=%^I%qmc|8xlkOrbf?al)hyZ_n4b5SJ(jGy!N=9wp7$0pS`S(AI6nsg7-{_y)pFgU zHsY5+SooOb4UUYP$%|975(LlbM@}nE^bwIht+@M+z)PA%lTOfL90u|Lk3W^H(dyaF 
zh1Ta`10exIFd+P}ncmGqFuXZT(i&Ke?LnI8=9}u1P{43>_bWuSi|9LLVGSduN3G1k z^@80By@+=trWnh<)39m#GAKdabCjzMAv#w(HA^$R&4O&%hm2hYb3(9TvA0Bh z{!;1qZ}$^thC4PJ`-4#sS{P_aXW?hN4G$W5LaCvqOIS%IEprIRDbTiD{N(5RDGT{b zZZ4}>OIB0JGSICM8WTFupNdHyOpWIk-+pI`N_@KkE;F>dVcb3S%Vk zub!}3vIv>kjOM7khy{iRb}V4fFRxNg^uss3KUPiUF;bvhfOcw6<*PHnUJO^47crKqXQru<(LA1ZS{j z8Rliag7v5y8fYC%l;R7MUC^ z`5p?%=2AqXxOjkCXJ}bWfcqs)p}*M7?I*Z45z?+EgmDy|69pM*E@hm6YGM7-p0d4N1`DTmcOcy zfzjy2!2ecPSP@iD%m@*!(QC@ixH5g79T|^yZ#!yCuyRj`Sp67PFzx-NDK9o_gPYR5 zg_L4K6<2K7-|xY8^~<RW&MMs#+ZO$N~1Txj1DLQ zphjQ{De6la#A=A5OKzZvn*W zKT!3JrH{^4LzplS^XOxRR#`E#^kg1Uq}3zo)pFf^&(N~eP-dz0jIaSQ$uO-sA{(4* zbIaWC@F7t*;sR*VYD9XJY|`1t9>BF-l1-ts@Kh?wDmkG1)p^mk)#836tcgw6Q%igy z4Nhol?cg^Fz1iSe7;?td>KJ}aEm^ng4jC6BAf&lLYiODhRY@lGrxh9q5M(ycj$K018G~sVH zJZ|xFo38+4u4_vQr}7=r8W<&0BDA#K)uS@TeW>m`JE;EXtuDGW?fKiCV`AlTP+g?8 zvMtktc8&$9CEpT#EpBK<(TO!bbRwIm>JZcF@6a$3t7lE3CNf4Kt72{w8PBk)I?#yW zTvwM=7VSQ(rD@G3jY(olKp&JXWGdQD%jyKwm2y-u)v>-#-MfMFSW5kvOEej6q4Wou zQ&u_^(=-@~1180p9%&%`1Qipxi#g1cl1E%+OTn7 zGyREF&PY?fK4KFvzlC9mFdr{30r9U2>>-$~@k1H+kfB+A0SBMs^;o3<;E&nqn=ihm<13 zKDt44K85YD#fa~ND{~J9nA!It+hJ7Wetn;AJACi8nD?%NPrGjHN}=X}#Iw8PE3QhGJ0GTl(x=@C%^x}^{Cg(K}7CEdh__zW$X zl0VmF@8*z@N%dMTbhymtm1bX@v9|;F5K$q>WITuB1i+uXJ?FQF(x3C=J0i?zIk_-k z9C^HP^DiVjeNPWoUS1EP8vPG(TC(rfK^bqZ6)PWhGdCVsvaGtS%9t!fJAO5t+vkI4 zq~g+YBv97vp$@C&)iA6~f&rDzfWV%q%ODSK{46iy@0sO?tuohn9jzU)WAze~oq?vp zhf!OMf$wB7{rMvwA)7!nTz9TNvhhloTt39TUBR+HNZVP~vuWlu9dKF$w5*QQjpdyI zAm^2XgR8NfxJ&PHxG(z1_V6-3s!e(VYn;3sEp~`~c=QqM>!?D%z$3~ksch)&FRvA7 z4@CDi;4qy2?euRoHfwKQat>nCIM($Z9*Ih_Fc12`#7{z@PvNa?2J?!|0@95bh-}=K zyGV2|;BrHTe^=}am9{r3Wf8pok_k9{jFOw9hj`2-Zf~kNT4Gty2CX3Nx$YwK$cfxj z*dHe{+Pw$NKNPnPkh4v{6qEDRk!f_9C9SO*d@xrz-*zG>Hv4E27l!3z5>t602+HkA z2<-|q)Qd0eWoTfH-bIf>cSp1x80d*5A7GiI)$tS_+$i}CP#?V%4bd7c zv&}5)&R!U~xO3k~aB9;YvLI}1dg^_Al*;SUS6zE;M=^)4YYm}U=Udr1?O|(UbV9xo zLn)!&)@Wh9cbES>G(?n%yPcu6-msek_loX(O(5p7tt5Ot;-DuIzS0lx#XLLGX|<|K z(b>-H8iDq84p*ouWrgwD)a2k=URz5J+L&8U<1`K(q?-gnsRyE|1f0*MwTXlrf6y;` 
zFk{7qva=kBAyr{7T&%6l$&OIWj`EnW)(M2Apyo^rt!A)y!aF&`Y4XCClyWcFxl|cv zX9JE6YNjM^6l$W?Mv+4T^y@h2(NeZsVq^#k0GXA}@i=`!BVMokHebX79oBl}+9Jy# zzKNipQ<3qxhb)D;UixXZ3F@Zllo4ndGBB4YaBuN97z9Th-{pTPfnW#k?+8pIu(-Wk zvvh_4u+F6CFe!r*{@%pRbZxxjmI|;4YiXNQ{u(#@Ob~*6Wdf~77o-geg{Kzlh^#bg zIl9<~TPbkr*q;E9RXunQ*B+O)Q-#s_VRMdDvpYwwEXyULw&P!sN-&!c^I1#5(&hap^n{tuWtwFh^?rBnoB3Q?G^{2#b?z5v%puBi^ z_wxnC))%X#ZSdk?`LEAgf?yi_9~Wj0tJlG| zrN!XdUiap@r3lZeY_k;FC_Z;Ps`?lIx{2pcK4JF~ovyxdRkiowTm%MJXQCBJyakWT zekq(8{m?v{`?JIGg827%zhH`ZkzAPm+f@YfcgFX&LWaKHvL;dy zO*=SZ!0)m&;#)H$dTtM_Mtz&AwQ*vcF9w-F?Y#<-fJ@fqkdHtqo_I~Xca$J@_8((U zL!*2ZUQGl;K*Zlh$tn}RLsa?;NO1=gX}!9|U67{I@y)t@L^pAVPqoJ|lu1(y*7)WH ztI6tkMWH?t{3+;Rl&ScZ*nkY^B={!6k?XCHS&xYf;h6)a{rlp5?ZsIY=u zD<3R9#dZAFBsPz4vS(7q;f}wd>RL6RdzXDN2-Ax?DSxU)^Jv~z*i@_6RtDQrH7@hl z2hPaw&iCGu;+`H7HbN2J%>~Z9*oKTkCSpFAq8~hzM*7HEknS#qM+|N%=k#dAjjVz_ z>+>vKncH}^SdQU9U;Ic^<=sZqqcXJrUXY?HbXnc$d%BUr_DosmQItbgobZ#5GLVzF zjJ>#&HS%Qg|0?8%3g{;vXv6*1buJ`KH!5}WZs`@MRyw4Avt_Hu&0+O>g|15Aa6H(X zYSNK&P(BASH%K1{s!-B;6|awzQWB~ z3K?F$dPPoq<8)(CZooo!#v(gRwS8UcrVt5o!KV8C7|k$IZBpm*36d|cL0aW=pnlh{8?ak)A@v;2*8Z;=uCDS00) zmElyCh*@aRfdyJ#F4fD=qiScBZmhlW%;cYTv34edf1>kSN@;ZL^bx9XRAPNf>U^7Q zht{~sm|ui z;(wDc7+E=3|BHkXqq^&Kz>45IEBzCevn4dOXll$kaO;RTzC zHJ)PZ*!1hI_5)Z%vik3T_WGuE*S8ZXJ0~aSZ}xiJVv-vIxiOehJWx%C@9bmeUq2x* zE9_KL5*0k#_APn>c95rW7^|rO>Xt}4wUWqS=#P$zo)etfw$SKPh$kI-6Mob9(yB9$ z7_sKM6={ON)C><(sL#3-5@Kopfn=+~w*qDmL;r{;MN0L_WHT*jey?J2g#Zl#3}q`D zr?uhhE5MR6mUUZ&JVTDHw5V({`eR6_n7;7j?RhF`niWGW&{&$3vV0&TiMJ_x3T=K_ zS5R!_%#}GSB^G~LaT5m|Q)@sdV}nD^Ax~%yiXP~1x%W>>rM&_mo$)|QO+>Wix2Z=Q zG>GDns;TWrn}3oB@ej9OxB)!Ju5yIk7MC3;o}rMg^39_df#&H(>_ckbg=B5pM7XK0TNp00^6!=77F>hcuR{ z6B$GX-D@@n@XC8L#ZM@z*1*bVAs=8BjN|8myW7LiqK*}*D+{!EE-QlGzYmRFt;|Y% zUQ3j>$g4~n4uFzif|+T}D=tn`7({*_9^T*AwIUaiEIl$-J)Vx~{_=2TBwCTTNJH;3 zZ31;G-o-4dE!fW@2ay)=MixUO8`wuokaYi0D-gRAtJkrVyi|*%ug9dbHg)>(A*G88 zJPx$c+Z@?Z(=iwuM)c3DfN0tk8rNv;ii|%#m9JOZ1w+M)3T+N&`VhU)XABo=Ayw|; z^`-cI?|&HGem{e^wE>)7T(16=3){V&TOizm^&@k`XfomY^q&z3jYK<^PbF`6HS!qk 
zxyD59s~60!fp!Unx_TlW&sedk!5Xqq&G|WpoGY9RNui{qUtfHHbMy0GHOC>1c+)%U z8e1}TS6g>wsj3qr+RGbl+7Iz#n?rSMtpYxq0JJUiyZQ$U#bn*ws~pujg2j;~ z336LZ^^~pPjFHV*SSE%)+*@YV0#+mqc)KD@eiyy*MVdGVQ~>7+vJh}Rm)q?1B74*M z)RqT0r{&_78$6!{63TXC=bX7Q%TTpEf%m+E>RP}VX&6>ceP-H~-n9Ljr~VzBSH>@f zH68J|rBP;WvBdIpuQ}ih=l(@}A`f+MaizgmqtfTLi{oLpnDyha>Ka6m!QNMwN}mBW zQ!ye9J;CY5OKoS=>Vxj!)z)^$tHZH7IJBSiWC5cZBing!9CZrQeNv&*(^+w8J!+qThVer4M>x@=cX zpL1_a+%t3L&X1juzj8RW}t{o zElRDo2ohC`GJ}K-sw|oT_tgs3=Y4q1!FJC30{OKE-xIDcaN9Eu<~7LdVz`72`E~6w zhdpS?O#n}s2g_8rLT?Q$U(Pu*KENivgf!xc{)&5FJugK7NUEW}$5U<<$Ak{iG_v?@ z*$9r$wpzdyVKj(*9Du{ zsZ4M0=@i%dHQnM)sqPFeCH}{$$Zt(U_vBOPQvyVgY0 zCdLW#ufl*zmB5@lxQ<2^>br)tSj6dLXd!GB&Mh5zIau@x>NyOng>CF9QC-wvcz)LO zgvadycF$`nQ_29}NJ;{-%4c5ByN*D}lp=ju&ec^#>@6u*EX28X} zAnL{yWrl~pEMMORU^g{OZ$Bvle0mYmSKwB^$LUb9EiLr+hN zc3)uS4o}Ef7sR(QynhkFVCH1G^6FJ-lWe(ib#le>`hK{9mP0WSs0&Dd~*KC-7=uJ)GHv-cd2x?-JYT1xyWtw8&?WDr{r59rl`mLyo;|s8hCZqeY*1;A@I6QSToFc0pui}b%N{;kYLkyl$6 zzdI)YaL(47DWtlI_dl>L+3!7hp7!-omT=?ds#7lfv{mDWXt%5?vMWt3Gju-+fznR* z=&{b?B6{{AQP|yVIhmK0674%%wJ6T5t+}AAzP3rr0*dbJVjwbQd91iUjaH2pPG8BI zKlnIZcX{zo^OtL7l>^jn&yYPTUH?94@Mt(s+xf5T+WK0awqySG+6{eu+z)x8y}tjt z(S3uY;RyZHO9cN%y~M`O!tsCE-=@`+qBjJQ`~=#6m~;ufgmJuKeA}O4Dl5=yq+{@u zqx6!;&CWZsukF!(d@YhQSm_spKjxsawlm+{dL7JHva_=OKDiGRfd#HKni+? 
z$|?p=BhmfMb+Tw5_Gk^F#t~^{mR^$WFIs~k7)%+Zf(I!s*@_!ya?;#1!RBn|V%%l4qC)sVU2=Gq|t$$R}P(97K_THVAuUba% z*`==!MC8Su>*)T8MR&q z#|i~DKJbW*NNd-ISV1mzF?3v1gQ={|IdW{aMNty46^sOH{+=|UXy@aP$zWRR=<5aX z@~9ljbm+OsJC*YYn5ADapkYKq^S^$+O~%2T->^5pi{-|*Z)Zyz$8wm(&Z*w$fcogJ zV%=g@BGO{`yTxrVR!U!ME zA10lC2L@S|;eF%cV9p>_7y>J*VP)hNYC?rQBnH(fmMSs4LL0fXr1a-cYv%BdkMpJ8 zE2Es>saa|<4qaHuQ)J5GgvL|Z&ar=(XH-ccuvqhy$x*&;1gj!vl#AsksHx(W&F#N@#WGT5w};K#{tQB7jGS}`Ft5)HbKf`zb>zuIX;!1Ia1_HWA1OlS@Z|8)8ft9_Li-Ey^ zJ1PDHsQHiQe*tPz)u&Z(B`|J;c0qtaA`yd4c=ixK17BJ8d^oY$ND~spJ;c`vb4}GN zBw8=ArR-yEZz*)RPtJ6F9;v%@yrr(F*QJ*U?h!4kpPASxHLj?`Yl~~Z-|6{g!J+aPd`@sUWgv)NuWqc5(rcpyd2{L zA|SmZFufxYKOzV}q<|nLkszfk75a(sD2%pbyqpNn2a!<#UnPWy3BbIP5KbwgcSzU+ zgQi%cl5nF^c<~9yywc)#SlEMyrg-@z<+os&{mG^%`4r`M-bZ{sVL1ScaV?*?oWYyq zmpin~fkjiCe9F^1aA#lxGR!-2XXx1kY@bZs5sfi)pH$u9)iHKn8FQx~vRk~&!3R?U z#su(gNsK!bt%22X*KXOgI~XlMwJG{;z?J|J$8Go#=qK_UlD{nf0LS>~E2=Z9zcfF9 zY-AA21eLCho7Dmy+uSs!rVxv( zxEvB&=hpv&hx2bAKK{21de7l+=NWep%Yj1md!t%s?x8%Tg(;m)4;{hO9ct69Oz|bs z0({jwelhPn{72OQ*=u2O39giGO;VJ^>De0mZWE)JTJP7qC$8_UcMyLg-^ji{E;WO! 
z>5>zl!D{{BHkdcgzT0%#V5kfZ8DVMzd5ex`$21{H;`F>iDblxSKhXneZ3Te#U&m3LU*>*IFMQyIx`WPG7BW5*M_e zsZZ?RI4)`;tQ)w*pRhcc*nrp?T=Za!OPcAMRX7eZ8ZI-+?9CP3zO)&8Gt<@TNbQj) znm5@M_=)^uGc{z^*#TuQy_NgbriFj_QJvL+`o@!;+0dT@2r@2mdyD(MWEIoZ`lCl5 z@!ya@kL+BjDrUa)wUYJ%q(f+6wiok{X?0hYo?O+0;!vQj7E-g+nYpdqTWOFRpJ_DZ zrfR9BzZ$p1JXS^J+VUDkwO%deLgK)mL2k*BQ;Pqj<7t zb^T5<^K<=4b)5#+b5i85&Wgx7665H`vAGz#zVOvjjaH@B@h{J;$SWtbv;wbec%&EL zt&IN>=bU3==y7tY4+l6owF*ZN4iLKAJN7b)scq~Gp-mk}<~)KK(RTU#-=#JUjLa7h zdkKruG^bu0UPH1Y@RQ2g%Npwj61|197c%ymDUYEYZ{T`*0c5NP7!`sq z(i;af*^L#9oxQ5s%l8Rd_Bx3!?2xnLPt`>v$4zw-n})P@5wNT2Z!ZUbQGR;)`}Vxn zdZ28KDHvtAv$43+);}3iJ6tQLKIV{v`q7^>V#-~!zXxEvDE7i!d*&JlRV(YddOE*{ z3Z9%>K%^yC;j0yY3E|DT8ZSlv(QV%RrkT>e!@Ri6z#GVwu;iWnsG6tyY^=Af^_4Y$ci6 zX};#x;Y>KDX#YaoE+r0~5@5NR5=l@Ygf!U&zv)=)Zne&EnKipWccVSh9iT;2bnRxD^p=w}|_<6Xdi5$aN^8j2Tw*>7e(T7l;OK%C z#FwIQXU1&xdCOIIO$YMW9~r*ksSbKA^oMi2$6*FszCm^V$vwQ_7i?MP40Fdk05}9D zwyrVL;2ujbEnFQ-1XG4tf+5qW8%v5zDT|fZN|*Ep*($>wX59jMQMHgaGquL9`hFG-K*f| zi5*0{8PHlFxMS|223+<<$DSHxT}En5!0p&teb-l(kGGC`lJlrV`%(k$QpPbk`{uPN z+qeRo-E!4Z8g=czVx<)+(Q3x+f${>yEIjXM!LAUva0_tu%xk8|?>KJjHM6bRsMAdR zlcbo{4aT_~L{&`Y0j$Ht{9?aj;GI`~UARPtA6mn6V?0uNWh)WOD=Am1q#AS&FdP|B zZ8R?r?ufCQWAU<}ZTQBVD9kY8wbFD>-**r0F=Q|Jvke>KNBfP?@$jCL$}|dHs7W)k zZXZrATQ1jORG-k%qo?ly7H2cBU<3M!4AvF0IgUkR)AG@5N$*MoQA?|!|_Ogt_3^ms|_((>#3FpcuR5K`VpYInFzGbnoC>TWJiqgh8o>oICfwARh8Jnw=DG*y)t;c%SGXlC}5{oVCK;=Y9na-1WD+5sIh1ctWI zIg@?iye%HnWIYNglIuf_VC%sPxWcu9$Q|=wy&R&@v24QrG+&2CVDqgvF4v*@D=Lxw zHFGNp3(uXrs%^QI*}fobvWM9>G_{pDIH&qM0CX+r3n?GmX<%>~2nm#QTHnI(&-$q- zg&{+70DhFnCBTFAAScX40eI0LrY6`TATrP7A}`z(@$e~D_&vue{3QDtRexpQab~kIa$xhxZ5MIpq21l0v1w{kO@(=%vECf9=-$ z%S5fZPje+(Dro&Erc+RJZQF=VxjPs`IHNP1e8UYcqb|O|(bL81Wn^3rmakv4O^3P< zw(xu6t)yjP_|J`F!jjjjqrAQ>7DDG5Hy0k;&VMx9{~9ok+abp}*^47bq^)$+K_Tml zm+;^d?He3~Af2DM{eriZn|SVz%G=*t`8lEj3hzmadHLmF{XhT7Z~XUx1LFS_cE4Sm zja?Rf_@;wO|h79So5Le^&cS_bHC$f_Lc#}k2#cg|6D_ke2ECCPJyup z6mV3QxzMuh(C9Q8v&8ZM^_adNbL%t-rpO^N{WtKj#v~YIkLM?)#qZ0s&-5fC5opn` 
ziQ<y3dTUls1skOBqTQbkkRy0;bkEobR>6Ci5X%xkx;jXU$3AY z#>&FG-XmI~BF@=UgZ-o$furrFAs}LFBpOqYiVw9}F9^_?Wg!XfApMJ+NZtQjXups> z4HH8g?iUQD_n#snfMml*Bz;APAj(|>kLaNTr`M+@CLX}w$@X9lq-_n^X#>D6yx|5C zrm&^RbjXYlspX9C@0_0(r^B(i2>nS2XDO2(?k*R14e27_z1Be&6M~*7;DDIuD2jM@ zK&FBAyx6e6!B}T@_4V~;_<{G2wvTOjv*gFSvZ1*s+fI|$k8cN;-$J(hGPZVPB@l>J z!bF)fe%Kr^r6v0X^M~1>O7$No6RN;KMDlCSKta#F=sbY#sqO^JpE2+QiVF8+TJ#5{ zdiM6GugWLyyj9U2u5|$e;;5xzl29GGNDK!Ai46s-)toyy{QlpsuV-|g2N9NUyi1x# z4;(W9U`NG(4e5Pf^E&{51jXinlgutJ?)%P&jUaAoy?k^2k3<@s8y^4@umEmXZUftA1M{sM(-P4WT)jWUn?(D;ltJm%z&_NVv@UOf^W=vTd$Km-H{*Lah zeyn*hL1y5y{A@UD4qKM2Jq5%%1xn+s=$R<&&FiwEqUj<#6_g$eD_f+}q;Mmf$zDsi zfbPgSp87l~j7$8#Y;8P8a{m5De)IgRvCF)Oo!;V_n3(hGuXfdYxQDYLUzK+^c@hQFC$&6mctwOmgysBWY;JRFZdA~zdI98lkwmQ!f%HSmTt0|*1h zlt@Ry<`unR0OE;3^HYu(q`qV+*&_W*3=y|jrHcY06tCsWT^q}!c#35RnXIl@P_!tw zS2oL3Vgupw$0wWL#k^Y@WrQ(cC zIBkn(FBk$_!Ll@%zlx4^m={>K8z=+UAkjq}ABQkV)cR&*)RV!!m6{A+AW=Y-pvuPN zciaR$3piOR#-WtpHlU?BG`+93Lb@D#LYJNR;{##}>r`xT)OD(OuV|%5yv(%OA=?NO zaH?h)P}n#=7hkEuAAEQ-vwjHhqs@>0i_QY<6%J90d&sy3kDMrh7Qd0Qx0&z)^5A7zJI3_0BLQPYHKIjtQV>rBW3K zPpI=+7g?7mO$^DaJ%W-FIG=MP4cB=DogI1ryMu=0!bPU}4|H4Rp^7j9@nd8Ux{;*^ zGaE>Dkx-@CoM6)yq$;~1rW{T{uymn@zxYVdjevp|Z7YMqbgJG6(nbf8^l+svOb{%F zI>iM5nDb80_*R%W)8ORUo{AcmCCkMYm`}|s27ZY0sR=1Ws9$1ksFT61|`#F^ezsR~2 zWPs6>&SDC(AE{f|mVK&?^_7AHgIP1`?Uy-9Oc-VZq?m9Y?*y2&y*vVlLV|w74I&on z*{xOc3UyqBrc-CZHk4yw6mpUE3h2T7>ZWw)Z=)=cByb$R#QZOvn8O@GmQ#HM>w)(TY_gSMiy|p)r66n zi7ypj)a4?++7cl(y9ND$y|a`EErxeAw55dC+N|$OcThDAX1vk|?X&THb|tXpxK}lv zUr$ZwAG5dMKzA$YgE#BmW>QRxTgkL%eaG=jec}^dAT*+g-6%?KvPejwMl31f`Gc_* zj?AoCrD7uG2Xv(u>|K$8cANt3_jIo=xS{sz{Jng3NozeDY}eUa z`tm1ULMO;I zzWICcStufC_JeJ(Yz_Qn@npuJd0G{e?&6lQ#X>DrEG zKHwU;nW;&+Y~6l6TeHcRb|_Dco!eL74xwAhsOeAhOj6c^Tj7Glw=D(u4qsrb0~^tE z?zmybicb<3Gvcbv(pf@-G}bN&@mE{@r80%?EilWl!9HT+eED+T`>P_m8gIL~f6i73pp_&FuSL|8M%9TW%l`X<_WgN&D=D^03J^bWy@vFtExwfgK|$19MkS?U$?{IpGbt^Hr)!Ie={vfjx#3x_DIZ1uYKVC~er{!YyNaG5s7 zSAP!dp3V1eDy-vrnH2CT7r_a5RPyp`GZt|cq-gO~#7P}eRoInO#}7Kf*INx=WY7;u 
zq(zD@Gqoxq#Y4x=7!~!oT&QxN&(7aVb^Axtx_+sHY`j#^+ubtKfe;b|z-O0OZghs! zMYqySgr^XfD~9e2dnUOUtKrJUmk~E$;yJ@<+ITw9siIFF@$o`xt@6m#{+&MivZw6X zRaBW&u8{?2Jytcj96$Y0hORm?oDKYf}KaGNw=lB6VnBR2RP)B1j!M8%aM{D49_A7tRbdq~gs&`Q< zw(}v8SrHlFfd^irE6^e{A6DIQX$$nny#r{|?RC4Y-$BLObwfSLQO(Jl3}Ho<><$6G z*9Kv^M;DfQ7@awLd98wYLxKvfw|1g`oDegW zzy_^OTF`t;#!-F4jyOkua<&qW@cF=5)#Xy6%Wq}%Nu^~x%5}lVp?fxBbo+8qh2JBZ zz%lMBTaO3QtWue>jYnF2dr5~5Awig=TLUv1k0pC7RRs}V`RolaxE|B(Yu$vJTs?unC zCYJUl(evjr%-ZrchLL_D63S9}zxUK^a$e|F$_M^jt=4Z&cR~{@^6%H#U7zdzxlsd2 z&}rf`(~km@{-QV(M-G5!HIh;|& zB*fsK?&yv3{t#UbS#E*XtFiLmQw|BlG~8mra8jSQO0P@XbJcuh_vBF3xZ?K6x4@pC zj>6*^HJFrs_*G_uT7{UCJ`>667`Okk_j)wsIe*i~I}hMiKBneyK^_|bb|96TDafRm zwnXP))046dDSZ8Y+|cI?Mm=R5_0`?jJB|nH%oX}6{cWrM+D`tf4ldf8? z2uUp^B-~9@=)0=XC$!#OQ4UALKMhbD5cqvJ=B})-O7G2}?9KMcZ3pq4`AR=rfNHMUE&Cm`0| zVK~`V+9y@&L@DAeTG4cPR2a`Gt9Seh z*i9t!8e*{(27=k8Pv!oqsJfFIv3qlx=4L>-@sh~X1NCBlaN4-80jWb3_i;d<@_qRF zCLx1&>|gi9?>gzn@5Bhc*4nRQ(Mq(kf^^Cga?oy)T1MCMClFWmzJAXhN2oytW&$yM zR{xhofM%M}CHvd|axUIrix9d&1_Y$n3Iv4nzem7!4kk9jM!(JeFH!I%- z*-rzb5HU`w+N6BWkOrorDfx0R-5VLXZ=f~OpZ2CV;Y9AFrfS;vzTGK5C-;`6@WY*_ z9oWDz6s|5F10Gf$o=INs=gUopy#3L(U0%wo7zl89sjP&<;uEXGGqJ-XD1yD_m8N!? 
zX4ZRt>6>7(NJ(7&U=pPG&2!^au{L*b8!3eS**hil+gFB(ak?n#z`kfAT1jqFCoDR7 z9FU-|{_^JkFhXcPARarz)+&`@fk#Q2XPStn>(s)SlM)Id`y`$o1sH8x$UyK=1a0&vEXhpXVzPavK@a07{rdG35YBA%B#>yJJ!n)d@cl># z1V<85{+M@PSM){_S71Rz1)F3H?qPzMo@?}BVY%S7dF48q59EDc$8+s2PI_<8L`Ltt zj1$*&h1j!_pzDjJ4=Yhq;iONJjsc46@3v zn>K2A9Z`UnmzT{x*^G4B-aq1v^9@me-SHZTQbqC5|HP`u&lD|xs>ww@po{nu8Bx5t zyWoMit6UJHnn)ol*0`l0)(mA^W)JYEU>GWes6(wGHtcWJLp~w*m)j_zf9Kzrza`5T zZ?$(GYrY>wTiDc&ikUIz)`t`zRbnQe*A|a`X>5$2Bu|5u+MHP-Y-Ql7v9I;`S>S~@ zP`%f4hFLS1oXw)7cfZ5Kd{zv|n#g~y!pCRqYST8e=XYUXPQ;X`{BP#i%7uRQB*VWk zc4^_)8q536Ni-n1vf#mu5N&;n<-&!zE{qza*E)Sz^trmS<9!y(`+Ys*f?)Q&`K?*S z@`(5|JqihE^FhaG_qsJd#5{O!GRJ<6>%vRFEgzYxzaMs$!U(D-_(!gnh=)4|}3 zF1IQ|!#oZ0PcO^A0IL8=%_}1|+il(xYRL{l2C|o@W{vEy-RiQ`)0@*u5%uUwHlua~ zcF+g+{7x`8;^>2$`z~9T_TG@Y4(5arfVfMtZj(5FWTl6Io$zLXoVDzYfn{fz`!3{w zaNe}rQ`h?@&~*)~b#k90e9PTO3MC@&Icwu@?d-w0opnI$GQ`y38($PMfEE{Y{~*-q zxds<>V+a`DR)^pjx7!GoVH#oj3Mb@# z*1TWm!76F~71e}-L*D1&&6m(1K=3Nau=XzVg!IRj*AmeSxPvr_crFk z+~6_teFQgi*3i2CC2zWHwA?}7EIxVKBmA> zTtCbqF7oH&9v6`K=3{QUJ9)W1Aa%5KS;BWKW^D#VTNuon)KJz4=8jTq29dBmx?)+8 zO>aAp=8J#Do`s|q;0{LzMevD=S+k6m&N{ox$XkhWB&5&>|Ml9;P_{%QqZgZU1Ie=? zoFI!qTiI^2Mt_YaX`wBYMD&NC(I&IiTgf0?uIVuGZG%w^+nLkkt^N^BFDX8LtRtsS zlsm4Bb&o(u532%T87qO?jgv|Tfm@!DL>ulHK>SN=fh;xMtlFp+okt`cn52x@!klGv zH@?y%W0`Ix|3D;bDF4MLT+d*-sBR#rO(J=f6XMvea`N%6dpHxnquc1)_pfpMZXNm!doCmRxLwX|y z&EG!A%hN)5y1pKyW|M|BI6)Nk%7{=;KPiAH>4vGFmiS;sD!5uP+dn zA$#E7l#*X&oAqiRHvRoDds1}~BHWy7&w{XzU8Kz_B;+Wdmm0C^Y!66H5RpLY6i#9^ zAjr#8tEYT{pSCPR&=#iCn-NX9IS%`O^ibpD4WU zU{2e^6{W-nJyi{$^>K&>Jx;J>W>UFPliqe#=AanIM~JRAaTJMR-2VzemDLjsP_@e~ z;87$&S#yFJ{H3J|FVD)+O)l)_YadAHS|;_sU89gP5~dG8u0YhFjmh1Egl9begiue? 
zs78c#WQh$-7BM1Z>iu}mRw`!?F#`sBJlrqfAUQQvw)qu@TW^5Jo;97E&ZvMpJrX@4 z^&kfy%uB%gP@zU=JZ}10C&yIQb8>-n(K#X%Mrfo5GrzJ2qQZ1q(n@C@UT?$823k#_ zOperEnos%{Kj*HFMVqc!l#YOpFYo}Ljpgpx(AmSwZMrL~C@hgy)ZyO|-2A}d1m(xj zybob|M(@orTi&wLI0p6Pno*1@rOJLkfOS&cgV+(2H~{F=gfFqDU*&B%Xm1JdJ0s?q zRTBvP_GqjVAB1en+zAVXidyo_A+(=BiEEU=Rks+s%ilaoRLODXjxm2GlqJa0`dBZP zEO;nV_)T{3`=jZ{2Geyn|6h&zGMFPul*J*|5pKtMqO~C8^25r5W_eg}gw9Uo{(niw zt;F`RP;kL640{4pm2DvrJ;ICrGptq8)1w#dj`xb(^>e7zp(<(}(A$pk8Cr9=iSY@pGKJ4cmv=3~ z#jJPRQP4gjxP7^~dLW3%hFs^$YW4~y+!b5U8>#CcykJd*F>SXELk7C)V$P@y05;A7 z_2zFQeYT>E+tCoH8}dDQboC&#(-0N2+B)1hW~xNe)B}7?R;4(P-bz|Qq_=@uUvX1O ztIZm)OBQ%zfvMn@@i8EK$F?E6o3hF7fb}wEst#P)+FT>77QwO1Y-407%RW0BrmLwu z&lW4^yg|H7$QJHQ-BmS|vmCi4&=S;#Wui@>a$=idYKz*MIA5+)*sy-~U;prNdj%{4 zW@$(4Sq$s2ILl1jcr#nuO$eY*;4>J`N0NR)oZ=F~zDa*>lYDj~X`lS_`kO(H2;$0{ z2S~`U0bxunKoijbS?wFE955#q!&%P25>dHRRABPG3{LE?GZgrk&1)L0eBiQvrj~UINEs9u4*fC&C)SAbze(0K(XZ!hv?gJz z=r;*q-Pnu!xKVIGt!Bpz2Y5^*nA=Y4_i!8FzjrQWhtBs%Jb2(^baq*9lMs#JpvgXd zb+R{rnoF}}+?l8lLm~5}%?$E^qA;AoqLfX6Nn7$O+cWE}!zE~|iMI|waJ&xbpSEsN z;B!Kn|5c6~a{NQY9_7?BlR8HNT2B|zkIMDJ)Qw~D5BD~T&rn3)Ia=Ltf2(i7d7CL3 z9tauv#V}^5NTK}Z9t_hLw;g;T&t@f7Hn*?`#J>0|v_y4~8d(&yJOf5~63V zD(Ju|0N5*019wJ7x~r3+ppofNwBzrIgE7W57Z0%qgIBHa(uL<#)UUc$KLYNDsjC^2t2^E;N~>F#Vc{M101l8O%IkiBO#_{rIu?00J^ zwD0^batDIlpg5e2u&_WZ4%-Z7cn>*iu*Mvuw`_fzx>zX)b_cetF_r(&$5#|Q0J)v zMd$b06@G&#aPa6chO>Ih4zNY{v+A%E7tUG^IcG4{v>P4_W2_uJ0lY0jlsmQ`q4=Z_ zJ8vtS2EV8BqO5#ura!5V>A>EzM!HBShokBDR&f@BM9o`lX;zS?PQDiB)!*6%r7&=Y zNE-9IiLtU7Y3dVLO}VHw=@L3;+aVIw%_ntk2umie&a@L*WO_`~h!BkGBU6Iov%*)) zV^lUyr9=&Sh?UHV(Pgs;_pH@xpIvn;qd(b=dvlkyo!}^xIO{_)M`SwKm?3cZbjaWT z3~gYjhRgNXbz;__FkrJn^7^L&dw*f8mdThHSCTP^tA`IHHxav)i#yfGbwq2=HfHx$ z>r$Ay@Q56+-x)$$ z5%eu22X@ozSaC9_sTc=As>h~vPi@pb>*2^%_BOx!J6>(WVj0h4GBAsaMb02E8hSKC7Jd<<=Nb)b4lBQssSo?v z6C0ancnl)oo|kz?w>%#!KpRM_UV|0_EN2~&)2k8rE7+l7WzL+66ZMOI@v4=sDN9dg za5MB;{}>82G8|v*0Tc%p(a?6J^n^u)+`(D^LMp4~nbN^O{ zy6`4tt2q2BbA_EfUt(~(vezt!sX|OE>hCcdS$~??rHp1;1~-3%Ei!YazM!>a`U{LZ 
zS9X_Fm6Inre)aJH^=xv%YmDnE`Y)CVCNk@b0$hx3`5HXPtX5;H!)z-pVq4@w-7j>)I7^J+!%KBV7@p+C3FOAbrEP^Tn{cbathD!SgSPq>gFnSb|Wu3e4@=&|(m#%q(y4iF)% zGs4f0W?W9ZQ1J!Mk2r(s_b8qG3mpEX0AOVkBH*hRE8F_*%_5Uvkz+{%5UQ^n`Hj;6 zOe+20>H*0>^jt5*ZvRd|bHW0dSC*h=8Xi}J@ng92L9d6D~NES;1Z)+MrVKj6gK7t_YLkf(J(?*FcQ)85Y-9JW!$?-HPP ztA*K@XOpxodDY5`QT^(HP14cs?H6(7^q|bM!wQZijh~9xJ^AQb*}og;ROo)S>DppC zFv~cw)3eWrVK^|99+v6cV*2Y!d=Z~1`DY=vnrM)|?w(KH-!_t=+GJ8A9*RDc$_SWvZ3wrv#xe!c5FzcsX7^&&L`XTXypm`XOQ3Zon2{=NMZ<- z8N@c(Ls$LwE5k#W;`T7aLy2Yj4DXC}W=_lKW^uGT2~!)7*8ZHh#;X5MF&etViJ%6E zF^1YUgZq)AnEBgyp3(&Zf!Fk6nU)Lgz7WTH#uqvONE*3&U%2}a63>`Bz6{x$*oj)d zc`(ywyE%ti^Jli>+)<`9E(f=kg8ixFBm(|%DQR7Hl2OjugK26R@6mxF4Hj2B`ZAey zZTS{LF9A4&N0y02(F>RamXMsG8xd4qwRv^8i|X}_#IakwQ6NiVJsKA@a2Pee{R4I8 zOo}D%S(88?y`%A|t;GI%BohGgV7{lSbPiy5I9!K@IN&@diAQt%2fol9KrT`MTIC>r z$v!Dp4G-wE6B;%tq-%w3+w(xYYpj&lXAOD|?D}0@)$qqH6Y5;!ti;XATo1mmd8DB< zd2zJ1smZOHs7&Lo>m%euukM2|x3`tg$gPJeK=8zTfjvH8=q(aeq90uS)Wp!sK2tb; z!B6ujLV=QYiP7OP9nnCqSI8eYhV18fv~hX1%a~NL8kMC)rcwtfFTM?^4V4*WpfsRA zNB`*)u5{=6i_81kRJsw8lx*hx5Q{6Sy~{h>KWjMd$vD5o4|5pA2k^AW;~#s@bK5ID zh$+mO-o~+lsoW7ERb6OVJ?t!b*LuW(8!{X#jFQssWCeo1b*m<-qM@DC-4F%<_%7({+ywEFEO`idqc4z zPtV%%JP+}6sg&t>9FYd9l8!KEs=_hO32aJ=La z*VXMw3?YFm$AXUmhjpHPaaf;{OJ6L`_sPXXY*w-yF8ixM_t_7m@UXZXzZ~ZK_>$cR zom<;|)yD6AWQF)0l?Q=~iVgp_{O7oqw%Ehh9>E{bKp&#axe!TmcwcCKIYu;NvCvtx>s@7Hwk|CubN`W< z05vvc^&0p!^pOe*t_xC}IT@X~%I@@B&+2}+lVJwTkh#>z4?cj&E>(`5s(G@1EOzqK zhl99)3n0;}k5MQ6G&u%2UI@Yw!Ujzm4z^EXQ!HLH@{Iq@!v+Kc^zRlz`4FwOqiY8T-!R%jtGICB#-g$}*@tb~L0p3W8 zw(2YmFH|`&1N37szE=GKu-sj%CTM9;C~VQDTv<|sf&z>!#WN!2OD1Gj1_V>W%oYjl zer-u~tP}*VwM9-8OyT^OlIEp!s43^qhxkW6J9r;37qxswA0n}H;TG8W{L6|pl7Q*~ zFC5T|9_X;J;%!dHvT)E}0i4cZS4OEIs=WR-Ri667(3G|rmXCK7d`?gaElZMY`N zAb%R36cAN?3&Nji;r60DJcBLnpnfo>5+*s*uECf|nqp2%GC1KpBQ=DKxxM?#1-CN) z#0oinsU#-F(gSD@GrD;=$rK#n+w6$Xxw5R8lB(X?iY(`pE=vJY8)&HBAbgfy2MCdc zad~KvJ*kVUue8Q>`7-Unft_J}_{|_`DHb}?M&aB{QjOCN8a(|2gj8L95*W6l^4UL; z(sEpro$ScaIA@zh%vR(Iy6RCX0|o1FEGao^@VMtM~L 
zZP4Ow!ZV%P=0P4ak6G-;_uleb0tlKjf!Fs*x~Bp3%}LAMw<<2mxiDbzq;Nx78A+*iC?N5 z`WcR`4OzfViZ6?g*%70TDqgS|&`qVU&QSjrp+LBExHyb`zOg!@5uMap)B;0~TK4Xu zO`?_b1}zMF3(1RhLyg zD%?K!H0g|T@@FIL2Gq1%(TsBW^78{po?C(LU|72E^h{vGvs!~6|5Ua|(%2oC;5321 zaR}lGi}P6a%so39l^Au-z&^@4g)FRN^t#|$mh{VB;<8a97#n$UF^zKrMa8w%BF}jIngs8 zgbKOTvpJ}X?lt(yDtrzqxQ^kPdw_eSUN8S(2OuYm)@`D|jGqB#`FC^ifK_NyU zI@Maaw;@S*)&$8Y`yM!c{u!I2W`ZX0y5JQ4G4l4hb8HK&@N7Mm!LER;ZLM_|b4suI z0qXOx!pcQ6Q;=pKe*VTdQh=qzA(I8t@r(FJ7_W`gq@ECkZ&ZFXpn~Y=|D)G)M zrO1dw5ry-hFVuI+^!N3sm})kzeMcY{kLMbH2dlYR@la^-vIS;)uC~@_2{|>_Mq^HA z#+F}^HQ58AYn*EaGWL{noh9+8RZ|3ha*Vex${!Q=OTsumu>1ZS3S;W_XRW$V=`7su z4PBm|sZG!^oES=~54|k7b+Tlljbu9ZjT$BEAJoVbNsHV513e$_43uxGG zG4I#VSV5EZn}<|87Xu~1sPaW-enHU%%%{MsI&DxT{V&oKT3LSpHOO4y`BfFG8>294g= zr&xh9?tW{xk)(^{VKmgY(Wo%1R`-&7QEY`#t2<6<2pE8wq$^8D8ys=6gFud-PhTtE z>uLu=`HCMb8<+WlR22i{kgdjv7#L~SO235pwLba#`n>3bndRICp<`??I49PIrher^xMhp_a*XS&YJpFz3d!#`rVCs!q>i_ z%jw+Y9$TK|*VM|6#8^_tNSuUei643l%K!Tb;*3J5bW{w(8LNcFoiyCX1mz zUQBaveT%%Tmn$M}d#Tg!_DF}d>)C%NWtlgaWW67BTuiYH#0fXsVID=Bu9cTD`(3id zhb0F;ey14WdZHjJExeKxc)cbwSv7s|Lz?Zg*}?69cKqOVTbN^JF?bwHy?83I4{(G4 z1aqYS4$S}egJTQiE+Jazes(Z(kF`eNmb27$S1Pmn+jy}9n$c$@tpaTJQ(D3;a)h71 z7TrVy>ne`K*zX!mVtwM9&FzSJ?P;UHgP93CX#9tQi!E5|(yg(rELJssbQX+g`0t&r zDc9SLlLx;SZ+gT$?x+cbSgNvX{rY)$B4YfF|xUw}{Uxf-80;l`kxCFCzzd(Y%l`P)mYt{_G{J_BU$v`r1GhT^AVm zvlhe9^8M396^Q-Ggp~kCiA4#(BPCTCYO*~d5VIxHb|dl({K>JCs96wvJE`V!c$jZ? 
zgeh|h&-nP6$%bFSYnueOLxP{}hKQ@fMuPz~#~}k(Ybqe+;`Ej)|8>^`)Bdc(i9&jtVy4t6`LLTY~1603M3C?fspdESB4O796$L`@r zI+mgK2m4M5u-?q2Xt#ZrMGmL)bFgKf)Snf*`Mb7;RuWReu?yxeVf78NkK*28= z9__ZDGsmt{VG9sxRr}v~L@YZCb_TS*h7CCMaAAD1;Rp?H+=XcESGKL#AV4(pEiH^^sKrG&{hu#B zabdEOuAHM`I)FCD5#H!KGM0XRes=iZS3HDfkcAY`5xa-Ox3|S?pZ#3k%`YI^S*B-- zB%_ByB-a!th#Wyb7Lv=8O!eC&^M>ga8i$yl9t_U#zpq^4SYZm{Q)iKc)KGRmzDCdU zyt`xA?IDqUHQ2tjZg z8bEGQ{1(svu}f}@M~dW=jE;s3*p6QqNdKK#-uX_SJa`(2thJ9e~GZE@BwtiI0rHf4(m zmO``o00ID*3G(O+%p43LweW6Tj{e|r^daiu%#0wbi!WC~g|U`N5OyxMG3B*XS)(_!;4J| zPS!D@Q{Dr1AI$fHaOY5gV=&^~PVhyO%KhH1lX3C=m$;u<^d)_YvVHHaA59tC*_99) zgv$@fB|!S*YZdFN&xVU0Pd%p}>ll(WvN9azfvlON*7($srVIID-QlT*1X-390VyFV zJJ;NqDASAg#M*Mx(1988WNd3{$%ub0-|vqNnQ_f(q5b!c5R;4K&UI z*Yhi1&{P|ML49@zQYD^l;xep zG_Rf(HDC%Icwco*`6+Rb;sZqcG2n=m9OVvRa6-cneP%^TPdL7ki%LT}bBkwfbqhB~9QS z>QE4BWmTXU!5T*e1bPzS>?&z$GTfeoSmsD3$yjlK7eFj6B<8I4;r{)dg zPm){KD#|!T$tqS5Qe=`;O+gnIe4<*DSe4Bw8mJ2Wkzf|02ku5o<8|fvnyu=gNk0(l zS+BlBg-b6ViNg;8j_0RzF*s5v=2PLzl~WvL(S3h(8FI6h2wBCfpnNdD2K3t|^8jOYZY$tCioK_WWdtp{_)a6b7mts86*Psjd@zlGUemYT ztX5z3K}w(S7x~#FVF3r8>6Mm`XDn|9xd!@|ax#dDcq4PhDy%GZRB-3%yQeeAtBe^W zPXV85kqY4g^+Auk$Sf>* zJ#>3leu8g5f|>vLxYCzNjdxSJlQIYT2UkF>)UOnbGpQmd4&;;*$^wXUANVLI0pF*< zY@Vq`yazq2r3*V;SifN!Pfj3LtVMLxA~}iY^@+w+>wLnFsYiIJvLF~Pc(jI9&9BcH zFpr`_r~DN|g1ImH+d~z2j_jQ+^q$7y+g}AYk{7@UDE1G$w*vs5x^s0wQ+Ld=Hg?_YVrg#3lDYcGECOl-;@12)C<_X#yc1F+I1vaJgQjvCMNO~6f+ubK`2 zN@Wid8CEp|)bEB$$9%p;(-76*_WDxP5g&S}HybG#fhDMbG%by5h!{Xj4ca%Wa)q~C z-aKbc_Q1yzzRQd3^!VPhHRw%@Kg%>D85oF?8h3Ezgq z=R9v#eNlKU1#f8!a&%fkU9Ie~<|GWRj?SFacH;5}Fv(514!a-nw-Gl~jIKlO-Qm_$ zQIe4>=ZR`uTOjQL2`03RLn}@slTo#;Ebyax$v0wkD^9D~;D|$gGK+k~@^Q$yC-s7{{f zsPP{V3|`x-(;&<#RHn5U>wUD`ErA;cRb2D9)VTok-wfZ{daX6~=l6YXMI;qmF#ytK zqg^kUT;7}zJ9n6d#@dwO`xxUXu4+EgMS&;khy!?npE^JDjMd6C zXwpaXYvXv4yRpc)Y@#C=Jy+M^26f>kMsH23ud2{?8H)>tkwNVDQ`NArqWFt4mW@1Y#Tyb82wV`bT%T;b=WY8uwRw%XWm=~hk8 z`2K`zw%8uOIr0+R2`g!I!B^0#u>9moserT4Z{1s@2g$mN3Spk{83cQcp!pkJz zrbV`%KF(%QGaEXu6fg<1)aIa}kx8^|w4hJ?T{Oo7196ik+a-~c^kVq}h9JMvm}qTi 
zjbWm?BVR(*W%zC}+q}K;q;d3X!fQF*%||k@btjeirvgkBgViY290JD$15vI&Ti#%d z<42eIm)&g&YR};31Xg&6)st${V^fOFYNb<1ZY`)wvN_s8te{jA^J_!j%MG+VKHd4W z`%%{`Y#Z^Di`(;S!;1l@=To2=D@Az$W#296J4dd56!s_-zUtMIYAUs@|E#ngWP^*# zNG2l>Xn6@HS!r3TxPAy}npL}HWzMD86!MS;FTRn7#WME-ReQO3E?d?*Zi;qD9rU%r z3kq%dATSSM=yK;4i;bSBW^yH>ptiHnVCa60wy2x4Gof0UuRzG6R#EbNgR54mJGct> z*>%qix~HpIi@b2gyR-N^2I)ttNGH+xjeLMjg5B7GiQ()X(q^U#MX0Con2)4_p`c1$ z4XZm&JCYrWh#Iy=I3tyqM~R&>NPaYAclPxwopWh!RHt7=a8=6j5Vx7Bu%$*TsK6AY zb)|E)egei8s8xWP^{%I%g(cu0n)wZPx0SlfhhJ#vh9J25yiG{xHJ+rE^56_%_*4DyP!5AJzX6IIIuMO4n@G#ORyOx{*vU5Mg5VEwbWIFt1Y;_d zYV1o=SukU<>8fk}R3(E=4y$a<+AC#&$Uw?L;c7QEpXUnez|KP)bgyU$`{jHAtdsDNL!H{2?yX{f zB6(7Bauw>CP~}S$FcuB$cnT+KwK$^k>blK?ah-AH`I0tib8lI83YFCmCYnd|nhoj&G9yKHh}a-tM1W1DlNJ-&ob<|!e8yl( zn^Ra=641k&sPYwc*ouE8lbyT_mY&ME}o%o~qOuSOP#8<55OOBdg@I95jKa4VdW*=Y7##HK>> zWOoL6l$z{bf5lL7%~vjo$c>+3bcs-LV_}Vb>B8N@2^ygZ6@=$oDcaNB{6CLadO9rJ zaYc%!D({qij@d7_6x6Hc3gYH6f)^Mgtx<}87H{23G`P$BEws1oIuP6_UQPVDW}dUd z_ld$sQdwRtKCuEnq4_Xmy0IWNCiXfU`A^RQz?M+!#{2Hj!`6=NNPNel1NRcBS{mI%Z)b%R|9IMZ)Y>M>Q|7 zJA@7ljHnIWK>A-MUj$}1H+4b?olNtY(|GYGS6?lFtZIcAx)I8!vn zblImsr0`;-nCYMz`96bPzyq}ooSu7sU(Fb$8ekhoNyd*4mZ6eFA~7b}rxWKr(Mr{8 z7LN>BV*OD;HBkU~X&u&CqbAkk(G}Y>Z((0n86;HlkpArRo{-2%D-fJOe%#=JQRhc* zw-(qvb(P`Kq+}ZN!ZJB|#hFsuX04=S7gP%Lb zVSk1Xv?^&j@f(kOzxP<~W*+1NIfbm3N68LQs_h~OLdl7jmkQhigQXpKtW;igx&xAp!f-3H|s zgbDGVSj;o|XexD7001YW|1py1XyW4ZfAL8kaeu{aa>n+~>g9U{i6C_?W&2)g>DN5? 
zJ7+wDa!pT>rC&Wq4&1U&4AsVFH)o|E(_H)UB_`Tvq#*sVxv^IV{tA~-KoLO z_2qnn{Lad1n2ZMJ$Zcdcn4Qh(ew@*DpViCC8c6LY(<@o$@Io(!7f2MoMEZui_vh6u zxv)XoqI0qw>WuoxRL!G$C0disT6LTNOxYbnf5xsPo;McYCMv)iTavN}#- z&a_p>AfY~Z5I@v#ZXE{{nF%!hW}aT7%odBHX$n)zG@fBfq2rkJXhB*7{B~#SF;UZo zczurj!wqfd+Sndd7_TEjC+uM12ucl-Zpq`~PZ_>=m@}ef zuL$>g|9*U6{s{+K{MzdV3XCl)4wHbus#!-e{UP1wuS@gb?eqP3c5qPWmTTR`-06ok zsXMf&*PWCkl2U^a4lrAYddCDxNb5UUTTZ?`sxSbmH@W(Tv}A<`n0|f{t^2sHg5|3~ zfF+CQWKOZ;rF-YfnDyJ?2dk|O^>Lkb;*(AialQ$n1*L*hTs8~ZTyOsIWcEGi#q7cT zr#t3yAeM%3u!WbduLd9C)F&kZ>{=y8M6iMq;ZnU5%cGIK8bOm` zSgQu7;Mz#xR1-C=IW!SS?J9sb7H?xovs(JaTII>3)U(_M{ox4rqIK`;Qz7?HFr}(< zR9WQ3d?N=0l?!A~ky455#9d@)s)Q- zD}|42(qtaqklGou#tVzr7mjS_FZEkx6;_W7Gts|O3H&w184{1TQYgdc#C)|tGyz(< zLoyJN4rxjw^-)GlgzWy~AI34ga4hC8|-$;@bF4(ghXSjiwvg$$E`BQf&0SY?wPIo*S`iIF(IQTgPxcNNZB1P#G}R~0B90c6p5Mr zmcbk8ibLIp4~RHjYSR-#aR^drI%pXYCBpN7 z*9&4F)-KMd7M19VSV~zhy5nr?=2q&WJdNEO0PU0L)@DqJXtX#H^6U?UmC$}e?ycC) zO(=u79jTP2+N*E}iWfPJFH#;g8EmG69;n7c^hqYQfCDHd|3&dQrQmW0`4B?UTP zOyDdm4kCwf@C33W=pVyfo_ui9{+n~;xi(3BbFREk>YBfR(>7C11gOarMO(0%YTpnm zC-w8yhi0EPO-V3_i)mR7a+x_fHf3bnbh|I0=HU^RhJsJ$e6;^=hYIa6NnVl#8WzlU z{{=L_b{DHqjnnL?m(lc`4Rv%Y2ktJYEn?|)=0ArjQ!C7yF!(G><8 zQwmTh1F5#24)ByTbjR^^%IuL7QVCu;vuaX8TAP!{f%3TtY#uJtGq*Ji{ITG4OUGK0 z+f|7_Ne{f{E?GxkyL0uF0YVrcwpzl$?`dIE2d$$v=`l@sTzO`Vgz*1dTG9zz8@2j} zyUD7%C3}`O>zfG!zH9Wswz{hJ?fj@WDC^`{-iT)CBkreG*gCj=+TGZB;GB~|i9VD1 z5deLbt!13zKd*PUEP2Zcklq-yB{JRxs*V?hCQpz_`07+AoXi`KN-NEFDhj-mUf3x} zbJFv#MK_IW#dfxi1`44WT03lrB^K%KI$`WgZjcTjv>tF$97jsITr4-A;=9gGo;r(` zQr~_$YGprwlh79Ca;)iiJ!3)K$SMt%mCjO4Tnvp_OS#$U}#^Tg2sa|Lo{Sp!5O zD^?%Aw3$%kPzAU`pTXN3(Z@Z{`_(;T&us>D3Lg>kNH))Xh1~HQa#)<_pf;~$uJnR@ zA%-$5k)#5ibC30#x{J&2bmLa6zeCDqxjx0Lb*{HMi46d40HWRM|A^Y}-DEAVmMQ6^ zuO?qN@_j|1kvxivL+|$|P)MVe#8x-axxIGNVNn?y_YZAHl%hp^Rrrlzue?=zLV;GT z8;XXJ_Y!M?w1wRQ_b@JT5kwl&ZR+&%P1i@R+c!??a1|}mt-5C1%PoH@scji$6!+yt z?SO+$xx#FGaMD)l;zGAicEGjj09SEVO6AGyd!S_z!`Jj2{vin)KH)kHm>R|ofx*&g zj~Ht!<~<7Nec*hz{Htku#tRci<^`8PVTrF}>?4#3A$_;=)_rrrhgiw~^!XK5 
zh;ctC#4`Tl$gG(=;Utc>xx>S(J?wz*TE|ks6K?|j3NVzKwexdpVUO`^Q zNdtH~jfpyNz!{}0df&71WU%?B-4xmwGbmEi7Gg_{NK%pVv&Le3?SmTQKxK1_dXq<= z8VaK2RAC9+t;TmLq&_q)%eGHtNX=E+74ppnN2{bTO4ST&%wW)0D@-ml!=OC_);8d3sibQSIi+^);_A+H;39x6n-4=LwwYz(llBYk!14*uD#|lD7G=&b4-Bz(x%ot6)(D z_LNy}{Ta}aURfQ|T=SK*INa@nn)Gh)OHoqZI>0M#3XoUzmoRMP)}3VOa?=+I7hzO_ zro56XnMX_?og+3|h}fnW=B;H-_lb{)DW88_uJZ?>jbBlyf~tAykXQQkHZ}g#retIU zHIFUWFgdjm59aald7t}%{Ma}fFqReAz$=JN6o|kvz+rQfaRnp1FU0U^@Z5^?y2N`R zTih6IU5eYH(ee6$$EaWm&`bv?Iu;Et=8zy>&z*3?Qoxhq^6@3xs6f= z*w5_t2MkTxgX(|M5|=58dWFsnaJCZUJl?8zcvz$V{hDMt8es|JA(PA4fATp~$`g`z zeBR*)i#A!qVkT9h*$S{zY>lStd#83`)S@0F8_0Ip@(GWmMq#cyMy9!K3P^LG7!7fX^g5q{!q!DkC~ zq|9E3*m)@+9POmUTgQ!B&V9H2PEsV7CU=8|dqhq6((G?#1NXCv^)3+bBc@`086jW) zwH}-mDpcpxCPy2&z;zGZOQ`zZu92Hn#*EdcAjQQSHz|yKq1$#ZP9+@fs-nJLvH`E9pGG!c#;wg&1)k$N6jL> zvR_z00*hintQ ze2+kF&@wy?Jpu*(7Q|y!%?q*g}e zZ$5F0Cic}>f$hT-aBQ<^wGt~cYv#hLM)PQ__Bk>C$APrnm`@G2=AQP6GkIcjwmrD= zfPQ;?R1>gNM5HGndI#}&M4(L0I|f(>J^Z|3JbN;@%ArOp6q@!w`ZWm7BtbK`r9B$X zW-(BUD@gg$Asr#bTzKpRRj{K0FXwt?46(Txy2md;zItzhO(t%ljQ+&-AaU4p{YQ1S zdTbU!9RC(w*yE*EBdd|Afx2v5bNjHV?Zhy>)2R^TPB2G^edbuefX5)6vZGbtIz@H{ znf+>LBS?D)MI*6`A)7wjInW$}l>FJ>_N70N-t}@8m{J%=c$_la{*6R1wm!IvKXmmh z1Jm_EIYGzXz_=#zjCzY)dblcfm&h+vrgb*(m0_)dY2%sSX_80BWNdP1hBlAr;jqV4 zU~5QUf)`gyfg}~j87l$Kez71v@?m;|X!a=Tzz6^*#oThRCn{=02brtkdz4I2w8uuIV*(!2vMZY@436Ib=xJWLAKNbS(n57ZEJqy><>;p5PC% zBcii8H1wOId{f6bDVb^;SNJ1-NQbF{p>i++W8XX+++vGjv?~c`ZTXbrE&-)0T_`0( z>-6&5>ww7K3D zT9i$t3oWa&^OE;%^Twe36efI|$(ES-MyTJAT+6R8h~|oUZ^MLfqvBe7{$h1v9o-3f zdjW{YUnwF%yO&$I99CPe-arm>|H|{MK*1}ra*tbc4%L!l(U6DJNxCU)(b;{t#-gK+IHU=9Ms<{;^1U;4r02~D0a=W7U zzs-ZNesfl=-iP|di_P>EyRSOABVZ*|EYBx*E)&mQL}|{hM41w2RFzzJ$$BeKOv&f( z<#Z=RQ^b&`yBxTBNFjT5&O_lcYviufs_Q)XAbHPLB$T`URHj#kKf7h^S(5AT1UUDHAR`ndT_To-Lqt&{y5rZj%kSsQ)sA)#cnZxW zuiX{Ul#c}aqci}o&2c+##H@G(Shh8fi}-{0&<`J(ZbDw7UZ%Vt{c^fLkI--4*4LwY zotxGxpAijXZrmdLhrZmpIFWh{ai3)m<}B1(v0?R= zK8Yx@R63(>v`{$NpoXRS1%KldVBIGgzqVheJh7O9SA@RSdjFouuxKQ<91R*yaG<_< 
z+sjgZ`TZ)mVk~_B0^Dwk6C%iOdj>oji`zGb;_v3!G9@&}kyN0|kxv>rWKUOXELY|n z|5a~=YJJ5=}Z6s zxc_~M;P`(%LAcVg`P~OZ`p(f~*es}vaml`RFO-RR9489*|(J#h(6{ zpsc-9+lzTV{8#$zD8tpu4Y4kUI&skBgo*en3Y~67ch}F1Zcoy|)Ez{zuh!1@t@`EI z=4RT?jLxAbHzPzD{gyB#PC6W;=2p)%4Ywhs|O`)BElXoWrs8Sd3> z_%9$w5Q$-BD-V~gorQG?J2;J*=`>2Oe~dJtF%U|ep^frqJQj(8f5fRarTPSUj*UGJ zucXKjY8oi`;IiT(*yF+A)t|OK&4V>?+BQST=!Gy6xIHqs_Bk93M`5|gKr!)i1EW

@Z7xQPSeg6@{_+kTsT?o3(R#0T~~S=(@A$Zb8?LinOzch2rl zXC-{0^QCvEwv4BM((DYw4qpaaGgS%l0f=nWvd&}=Jen%RK@uR)&tvl)gmL%@JYa5$$oY#sR9z64?v*IsPoYx>q(@fZPnzm`^=Ir6z1Xd_khlaq_5 z4mNZPxr#TB#H)hYou`=@Q%TzXA*o8K2)HWb88x$Ec+BshOmEd%wW)L`Y^;GwC+EE;yC@Zt)A$=HGJF;hmdK1er!H6vM%srdbZ^$-%c*wX8dW^W6 z5gqrPT$tJ!au*0p=OE11G*FH#L=^0w<(R$@}v*!xprJ>I-qgMlWn!vqY1f{=eU zYLMAcOnp@QOb~(ULu3#e8GjmUSQyKdjkS)E&m31@;HoIm=j}}+rP3|PRtELGE9!S&EL<>Ot+>;t8!|ud?7#$$PwUfX z!12LpW}9ZL9Ev4m#)bt+WGlxnMly7DeS(`yAaf595#5W92fKDA7x2we z=k9d>$tegES8KCU9MAhxuxUvL!8mc%E72-akC4bh7DiiSG7#kKjU1Yi%6O~CPbC=$ zfSlM0#mRDxN)bLNa*~l-Mg2_#Ir1C*aI_=vE-)u^<8T&XwrouH8HEu$Z7P_C>yskV zkW9OvSRO)2_?|LUTCa8HVZM(IYUWCAkIYn#xL07sm1IGt6!;9Hrq*Z+zkA$Nr)lrl zv}_i{e7ZWkY>`>dt}r|u;JD(>ZuRvm-s$%gc%4$<=CL8%K0Ah-PU5RfEab&)kD(SR zjkkM{#eN|CK0D0GVTv-lm7SAE?pEPL#$UwsY9#*+14 z4FMQUOPI-j&N;Afi?HgWInzxOpC;}NM=325$0lEqht26S(l!fHo||9XHVLoc&e+fx zdu{{vu2?HK!i*>~Hvm$m7Vc(5rj1l@g=Q(ZjyH%T&k03qN3)HH=SFTxctRD-@v&YB z>`9nO2)NRf!#YG&%0jq&deZtB)hrzf7F8Fd%^_6386o%H0=;ic;#Y4(1JOGPvqpUI zh2j~ISif=AK^~%pThvHbn1}@AuEPNuBJ>&}3ae_I4fQ44EtLve{Zh5b+eKRI+#U=b zCi!rCy2>(0&jQ4a*JU*M^oHzpFZcOM$7ui&$d;Yg$&+axl~Bp1biV(%J=@1#?Y7-9jepzciaYM(W&%r{`YZSwiwR=k-JLPr_7%GfSWWfi` zmN{g-)|3krgS_sT8<{)<{IiZmpQ9?yGkcS`6;VL;_h`vBgP3~UFz*UuhxJ6hE ztg|XK+}p)t3*eQxtX3qpqJn>iSX2#yT zdv{=($GL>ff1XDsPBCh_*ql&M`mM(i4DW`{Lqsw!hdK5lrv<|$jaxqTyZq_cFXQ$l zIpYud`cD4JCzwjnQ~GOr{3l+>p%dgAtkf8e7R$h1wHeCTp}*Nu_W-L++}Woo&uVv> z;|b2R-{wOiS@NI#jBOFhZ;VOhKiFRKS4_opx{`)hV5%=#op3*lcp{{v8#axOW+`Me zub3M&Q*h3W;EJB~Eld*$EauG_JY?u^$~VQ6PrGUx!^vv)a z@Yi}-Wfjjg0c}#*egOIhPky}8d#2yftXKrXy*CJ_>;)eZXotr7iKP^;uZRuna0PEl zA3@^GM|ouADvF$~lgb-*gGH5U1Sy$XGKwauxy7kDeZV+6R}pRXr1Pac0_n2<4Zp+L zR2{slFRzT0%T#r_C94Td4VI)pn)b`TFM44}^nJskuuRwgU`y`fS%n6-7EHcFHf` zy%L{BkMdtH0mEbiw_ql_^*%jb{Sv|W3|B-)U;DAXwqZuoq0r@W*09QWy&mGyXSJO? 
z`ahgRKW=8tyGEC^f7B@;vx=6gYNi+*#`dn1jkBL}8{M3!VHQm!e_H!zuxsAI|H6X3 zA+h=j=x$O@3^W-q{=I*QqC1QiumvAv9lq_N z(>SF&*|bfY)H`Btw(wHw-Lbxg_Bt@;w9xz$`#(_m{(ryef3SfC{!@|j|3Rs_tf3=~qv6`4@}>5* z^VtMwB<E~UU0a&?S#rn{9&50C21_h5D zA*@N)xoz$tJPw`k+@J8A-=RXqiAtyud0*#YY4vAeVnXP;`n;wl)YOdGL-Or?iRUH9 z>$?5qU&qPCJ#xl7rG33R~DT zh`!9P&0wh7pi;B-wuK$F1cKV?=*mHC4bd$$o6_z;$H8r_dWB*e`6aa5L2nJc7IJmS zYOvX|GrKlwHSFTxyH4*2_cPsHs7;`n>utncsZFA~^R@Br*uGKI?crpfW)H3TdT(}A zYp~jKYjW`pdJkH~=I#!EXmh{@grJ{Y->L_|n#Sy?OwANPH&cohqP5ZGfk6Hz$Nn=% z*t@UDU9_YmEg>YNJwhv&I(nMQjDe4diYN}aH(+n zuV9pgZFFFtorOSU) z15;P&6vomAOQ&O(+6p&<)H9@u`xwCzWlMWG=_p~Bv82dO6}aYtKZex(s?EVi?y}tN zC`&5%29M`d#b9CWL{)U(3j&2^2Bc)a&a9YN zK{%CD2wbs!X4gM7_V&p^-H#^>4k5AnuvGNv;w7M*NHLCqd6wx2XXYdVbdJuNyD1CY zG-MVD$igz9c#(n1I0#bIg^+W?+&s1Csw~11gOYbCYVCMJiv@YRLtki zyomq>#T|!K%6>9`kJSCU1f{{H=VIMM4Aaz!$QWUYZq)=RO#=>6QRrqx6{VTe#qAZk z3PHG$WqQ#CDKNA|Vxg)<_01{98*xwsr})ix4IkGv`FdIDZ?mORS66~bO=;dg_a*s! zQ*y)51k2Sa$whY=|NKhtz9qQ{bs_KShvhACJ;)IU9&})m3lJky4Odb%!)VN}(aq$7 z>uZfU!`?x=n0x_Z$$O=KBluFjr zvKXzJg^!+g3)rTyPGP5*)ETgV9iYDdXr8cIVd67-tI8zj}mD4G9E`4Gup=~ z*aU6VH5!l1WYid8TB4k}-#5aBF%)5nfpN2(0j|i6ly*!}e63V`vHIYmo?M0|v6y9v za7EuMmxrpdB{DRokZm<6+#Zf%)7H=ES5`VM+O#p*7A_4C4?!;N{8&n| z?BUPJ-YaheaKDbPdc+qqUT15{AC+tGQTqFcH`HX1Sk*4QW30FCZQa_u{^o4oEr}Vo z4@O5P!!Y3++%VQZ{GKukGj?K!7hMkAr{pImGchkHo;l+-J4L!a+t-ZZ*^h%@vET2l zhjHy@))-evkt4Huu$hWBgbIWfIjY;5h51H#%MrsJ9c5V~G%-09M`x`&m9t=%hfnir_dd#{Vgv*{9AE)h(sg2pC!O@IK(VXa2L*B>3KHn zqN%+X8BxbrBK(5$iZ2U$sI07+Yh17rq}=0?L4CHrKFkF1vIf zj4Lhxq(Ml|>v9BkLQeJE*c{q^ufycw4e zm7!!EQKA@O$RAEcc@$GH4{U#{Y)vu2g%{HR6`WBhoZ3k`T1C6K14|K`8Z1lj0@)x@ zEJ69szedL4j9XAQQYTlW9xaoal2V!6Cs<6cf;A#w6i=Zm4V@lmp`dIniN2+ZQ=AY3 zFqi!C4t&8~q(@m1K|vegaWU{=KPYMZp>0ZuS@9JzBFWtMRy3uf?QAV$U{WoAuRqk$Lu$)ztiZ=K%M;#HWlU+ndc)!NO(LaWKU>&kKiM}2dK-Pu-G zBg<>ynfD?%=-mFbU)XrcQJKeUpCiHd@$AvvpL=#H8lL3Tg?q(gDu9#-iw1x`>UMtL z5WVPUPthLWU7R>f;np(m&0!kL59t-L-fF8?NA;S{S2*USXymu+xM$C!>ph^lx7rHh zO(&GotuJcqHd^o+JFolcfNs&V^PJ|VMC$>@ 
z`fxq?C3GaNjJBUzGhZ*$kD4V130}6gm#@oqE-@qIpZi-j_|}_i?vz>BOIVZHEl$g; z@6pNimAIpoIB0+Cc2D8fugjXH)Uj6h%a|S}MD!Y8Py`D7`_b0vYChbQOgdEm(YTnK zt>>OA?0=JEK82wAwjCno&R*~2YrSr~*j*IhcD8aST3l{na9*KKJcH{wi0x*=mbm>+ zTSWK3Z1CV@PQXcaw5H&uhXLumFV|~sd>b)`XLE!+X@%e~D~*rg(sAOCWB3m~Y*2k0 z%(CVv(}qo3%1zz;fw3BjOgn;x4-(eAWUBUr1fVrzkIP?#5jj(fI-MuR%%d-)?{JiM zJ}2-#xEy+;GmZ-gCCj4 zsoOSUDVCF7nIsjE`%4PAh1qhu<=_;I5LGXN%1D~r*!q@ZK~-x+#?VUxUT`VO&@3IjbK=S9^ePLH z3-f4=GdLNh5r5RdaL&AS9%<-*QT9zSqAXC~cUQ&r1q_CHWJ(x7HkPQ8}yA@+S%->)<9kifc&hgN-7F^iGNyMD=Y znNmhgPte@)=?Ajp(MY*th9vz5pU5$8bvSwz+{>PfZrnswf5ysJq$IlCB@{27F1#Vh zhmx+&n&1ecwCfkEb&}6clGhAd8=W-*K~U5(5Ebn~s!zV(jn9F?SNOxgfEZ(kP`f|~ zp^PX|(Gsi$>roYE=xHi|-Y}BL)4l(CmU@#10Z8T}9@r_@SC+wd%GA@4EkbA*Q0RgL zZ8Rf29imCv2AvAw6a2K-zUh;M zRvoSsW_M5k9?*Yc@C3i9A$LWK`zs>icLk2CNY@wyvcq%*jLS&Zk%M@5s03D!0qYBf zXVdQnb)UT_omD8lNmYH1F6*m)XUKTLojkkM2_u1V}vo~AE_GEv}lUSx`26DR90bE>l z|DHS;)Q@ty}u`fwc{oD-*Gah!WUab#;E2t#Z5ku&}!2g5%t&lIX)6k{bC5}aoekwVFF^VEZz zlr^p!pGopkz3%37pCi@leC>QMU1%=VTugYq+SQry+%&P{7WBKhMH1`j=xwLY!RM;$ zVf9-GU zi)$x0M(I_5ptSW4++#YpaEHmfRGy2buylAN5!G1n>3rI+wxqE7kX;HFbpVcHi1G z&v#yxr{)|(iae3%hc{O`Dlps;t%sOjf_T~j{5>xKxwJj=jvz?9uOK%xk}^eF;0ofI zA%sy{mYWZl?fPt}^sgauGaoO-jESsqWN%Efk#f#A8xfFb2P$}(6f#|I#;IIx#>kJ~ z0M%Bor!?31<};s7%3XkY!z}W9&5oW2d}qyZN6odIY3Ims&3#p+k(2l3{!7ud*ssPW z?emnW75-Q=Jjv?T=C4}bnbs+$^}l0Xv&_dvxIwg;`!B&BzFY4bueU84OoeKd@IbUHAx{fBEkS7+c!dYuzp} zz-RYUEq^8r3KKM9WK%xD+0eWRrxpO02Em5C3b|77XkfMn)V%4alPow_zP}p;hwo+) z5yTfd*K-{5Fn8*~u6`4r-kbB-qFPtj0C}J*=5Zt$;c6)%AuJ}vOB2Rn$e%y$RW>#* zrCw5-xJ9fi0|4ZflAn6_$>albVnKqT>rs7TA%ZuK%%Xf$7!{PQDFpG6k(QI!SVx#L z=4)eaT|z=)U>>*#tmlL%jPrvZxg9k&(S&d47xy8CpR3_$(jWpT;(-iB)v;p$1Y{79 zTfEgr{b7nG<3Y0J4M+Wv%Kx_h${G)Qkxwq9@HZ06lB_mC|D}EZOPl-`Sj!uf7o9dD zYa~-j;)zrtfNU-=lr66|V0)A*^>T;`N3Q(-zaRflo}V{lng9SWn*adx|9jJI_@5ci z|DoR=;?l9k7W3@%UaM5 zAb{_lnM#zR6KS`7oMUC>-kqKD-euqY7pi`1YGyod0@{pwHqH;ngF0>>e=*BFFYw{R>UG)K{f+iVv(#{%UGX!M2L04?ZV*p z@*O&{dce2>l9qD3X`KPlD^?rmc3^q?fG_!RtH7V_Pw${B81KTY_BI0J-$Z&w>RIf_3ttU4v{ffC$^5uL61V!CwM(*T6sa 
zZ0oX`Y7am60Wb)jJ$>O}f*7`-Uk23rsO|CB#O`!`5pKXg_Yp9N>f-nS-~)r~F<_9} z0{B4Sg9h&)IDqs(YX^$ZC+fo1|VfLia<_Dt+EmNwtn_i@sRpW*QOsP~}C-5%`z38+(* zgTJ>D0%IuN9@O@eh!1!$z$+1eYV--h+1mrs^oi6#r1c@~U!E-5W6}&>?r|Lf!V~&~ z;2(gd17a%f4%hZ!?}4ENgzw=I)OYine)d&_a0%6S-pX6^xjiQQ!&Vy6bda_TX&tC| z?uf5H&<5ujs+Xgs85-xu*^!YU>Z(bUR_8YftEHI09cY`AB}&`u65y2#N=>6?MMj%8 z63l71*m1LBtbRmfO%*W>2)oCsNQOy{jAfUsi-_;TRr#1$hoec5n3IYcBgD0>M(wWz zjZH}yF{5JB&0XfzInS{2c#tE=)6egT4Wd@K@Qe!UL717DFyj~!*hh)b?cp7!xsfAg zWeEk1iJ1N+P-|8*|Bi^!4XJW4QkF6gz>rrzG^_+9+$X#(nQQ8khd>*eDjbne5=H*g ztU;VDu5n_rBtIL&3l!!lO9CMuXo^qfbam#PiD2hcIEB>D)!6TdZw~?29EU(ERnnA6 z#;(jJxeNxAPTxo4P>_D$s^CruuvZZ;4ex_#O+8Q*w;{|(WIpKFA)_M~;bcVJC3DP1 zR>xfrPe?Fy!aW^qtB)p#!t9YgD{P8jIbx~=UH?i?L`Vt@2BUlN*Um?qt{h^lG~}{g z+)B5=S|@EEv!F8;=S-Tot4FPF@z2It#X8Vdl%_pziOa8FoyYk|qL~a2alqsptUFJx zVm((kEFeN+Z0&=|(p9f5Hm?TT*@AzV;zhzlNt!D=3$dPpq_q7^?>3cXBUU!JU}knu zkGj^T1xwSIxtnYfMWz|w*qfZFZe%Aj(U6|4oyb;hm~h20fZJ?7@i@BMJbpo+GcD&X zai*HCWnSKFQWLpUy!KR((m{(tfN3o)IC#AMVZs^Wd-fuM5GvdsxBr}K-DAUHo zr6v-SPSKQviZUNSXEIEXvC7nwd8FBiz4uJR_#;DNBQrw|dUUecQN(H$n0D8LFV*;ODJE;~J8hQ`WH6<JhtqWiAvuZSLxf zBpqup1I=77Y)!*fvMfv-F|8WKfW9I#t=ofTW5*i$_ui&A6w7T9B}Q70)|BVe`4G z;-Bnkqs!U#{>9n{_Y(2av)PD#e(p1oF8!rY3A_V~^`SZcns3WJoKAq9@Y|mj3+$eV z=c1l3Yi6pfbu{Icy6Q4(6W}tKI-4?UqfLeN8Q1)Vple|ha%^Ff_-jEE^v#$FTejc{ zgih#`PIdNJ4whMS#e)MTu9WuS=c_+z5WE}Rl%jNvpP1RW5xhGT|>8Zz?t5g-z6W! 
zB!gz5IEJ-bnmKXJ*7B3NL`~XiRW|Z*@z!~m4+U?rkx9LEtXv5;GSG?HD8^m9^##bC zCG5Jyq>;Ybq{NnZV7S-m2{O=8nNob3@@s?^Y>?H))3nA2bmPob$xArY88EsnHOh+m z@$c;B>yaLl(9kkoy{jOzSrQKBgo8yYbg+zrLW5z7tE+H#R)d3LaX4C9NoeWK zOEE%H;CGGgMih)qiMp7=h=@>sz)vxMI8crbg}gm|%}sQ4Cm@8}|5Y<0^jMivst$=+s)-OE#6+_fZu>m71M6cM%Dzo z3$greJ>5|Voe*|nJwaW-vs<+IRVP~l%eY&GXB$yZ%yF;4oeQ3O4!h`|%lqSYaHl-z z%CrACW}6L$bUCkHJhzmCVHCW1B)PxAM7eUb*d+7xT2j%+|86+cKbYRcNG2R@CD2|q zxG{C#8p2GBLkn{zz@8PtjDC<4vBq`YH_KE9KIU2R$9nGMKH;~cD3dmlh|U4eD~30M zmobWmF_@Q;1rL9mD~dHighnGRK0&C%$rL-@Db)EChHzI`Bc;(dcmRj&DsE*?pF*4X zAV;8)2nkbWD2w%6`G}#vC0hd8AS%4NWL~kKQUouE6-F0iOyLVPRF8#?(~R$W>J`r0Tk>8QRgV1!H_Emh*QKWONtO55>gV!`z7hZCBWm;2mU>23 zfj@{$(IiP`8Eu>Ba>$l2tvy=1#X;3t0=J=?3*P~u$j|9RT9x&z0Gn6pbR5h~ zUNWm<{aAAIQc4nkOTlw9s@Tlx;Aoblnz03CLjd|0?0IhOVG{rGULq?Nm>Cuqt46Wg z8l|;hu^(2`l3~6A2S!oNB{uAto;a_(dKJT?fa|BARx^+6Gt>0A#X>d>I~r}}5`-Gg zF5RqqNMW1kdf7#%C=ENxWhGanMM47uxKVt2Px4A*P2Gms^EBS zTC;PyndqN(=4qG$Mx7E)&ARk*7S^zr_{~^1+}Cq2-EP+?I^E?P26$1o1$;K^1NMh< zCJpP8AB|6!!bO?L0qSe3?ksfO&70(uK+AZk^i|d}+=FgL;uRHMuE6WkSY9BYo_= zsTwO8nAVXJRTE<(QFb)Rw~H96Ag=`+N<0~a%Jp%r#(gQYd#szG9!WYM+~^;;gKWx} zBq1R*6kKwVjD*Gb#jE0)c9(HXp4v=kKbkqj%%VHnxm~0n-hjFU4jn5d(@;wDX$g|u zArD%lCI(uHt~B@QOkD|!oh2$oq4=mT&Bcqz9o^Rwmb}!}X3fJ;Z6^{nd9fB|MOwe)EtunXba9gmvT%=3Qzab&fCrE8tBDC0&tM5`} z@QyjXGK?`NBsigHI6AZZ*6QQdL6qNp6xki(h}bi{KZ_C`ntW|3PHvSqw%Kg5i71Vt z7GBR0*HX#R*($tdsI%)`n_jml2AtYnu|G>M?P}Xjy5J8%;J2~6QRTVa@7rF_nzPJy zpS5u(UELL}=q{RR`FZb|e>jRj#Co{Cp8qK;)_fdD-iIlw4&^u6a8mf~^;0%eM(-0$ zIEF3lYbefse)T$jS6|xk!1KKF`oTPZkKETE-n3mno^;E+?kIKpXeF22$oG^(JFw$; zj`?OQe9D!5`}#+mD~)-2#?pzC;Ktg>dNCTXR{p!W-02Poa(XM z=Sym@37h?6NrE1JwtQNE2MW2lRKfP_E7rW6Q}VdqKij!{S6;gRX3CKZJzHT=T+sRrH&*tUa2)!59u^AvHhC)yY>+4V*Ob-kMywn%r7jpvapy?WO0J_?D<3H?o|RhDulM*f7yu70X=; zvg?@#!55384wK`~eGmT=Z};uG4;{Go(kJn&^oRb_kNasD;Uu@aI95j$t|tR}syu*m z_)BOEf38s_NNfO=9QABy1z%Z9&Q>8ew6Tc^Yn6Idb2H_i+n6+#_g39HSC_~#ORtW_ zR9Ohd@hT z-_;xK)9ek-Qs)`oORh4Q!}Dnu9hJ@+s({M(mOZg;%gy)=S14`*)!Ne};`WugjmTBW 
zN0SeY{KHkm61OkvmrH3ndkI)=MWD3YW_YSka>r}4r5EPN->Jv`{R7SCw_MK-HeQ_( zAEDt)UN!ATvAnn5tC@E)mEB^+uYFdp*p+n>9M|8+J@d`t#Rsp_%Pon|TWm4G)7bT2 z`>9y}3v~I?>R&r{*e^KF4_4%z@B|XMXKg(mEeB?UqgT{<)oQ|bx#gD-cI1Hu30Wg$ z3kVSpx{3)U(pGjRGe@I+j|^2l4eC#5BcaBa7%iBUWMHOe?!B0-@JL_p!LcckN8W^lAU>9c>xa^XgDPU#p8?i&JmMzY!2(r{ zK25a80}AV~bT^`eYuXXpV`pA}YS4sh?#06W7R&p>H#)i6v5=;Fgq6*%nFQ>^;70biiHYF-*RU(J`YRVjI<|;C?kn%N-_s8v-=0# zFVd0i(P3QeFCZlw_paVj2@Wy?zU3e?#NBN(Y#Bym#6$M<+dtoa(3xA!N+tP_z!Sq7 z&j+l}hJOJhTYrMt!x^DHrq!LDeP{D~bZ%#E;nd)(O`|rSC?M6nA(zwSy(92*(FM_* z)t5pPuAY`!trlCUPcKz`x+81RL1`^7@o=z16s(_?c6-lnXWw7Tet0AOd-&yHoib zyYe$GFzM83f+^p^iQY$;|C zj+m!#$!vl2wTtzq-b`D4?>MOlPc;A*q|f- zPR}fkHaQ$~8W{z}^s`|A2l!Ls4}$<5C6SSUh!a2}AV~wg1FZIwIRLTcFd~$7TU7E= zwoaUzw<@VLh4djDGES^}c%H_tuJyGWjMJK=sORArOM3L$ffK1r#5Z4Qz#LW+OOB z0U14g)Aa&E!>C|Pm^!3mc~GZX6fUeHkk`rW`O{Qd6VFe@2>$71G!@=-`~{mh4>u8M zl;@M6A{b(zRKAN0g$j36PfKl~ov-Q@&AJ|)2#o@bb*8x_*I+*_CMUFIY3O}1vk+as z<6XRul{sH)l7L@`MaziX2!}Jrrw(hf6W9$soon6KnrkIYNmV)%w+Qfb)^D*Bw6Iu) zpbt!yw9D!v`;hJXD*@<2RXi6Yd0nMwTHJMG^4oUf(|ehFLVe89#^3ur|F?26%0e_C ziK{2U^cnhkpQ#23v{?hQS45RQd#l*QVwnNUlj@&!K$)>PX*3_XPu>YE_6T7LA=iCS zbDX@5ezQR4%X{_4i?#W7)JgjFDCZ0BEF&%#EC#zy$z+n91A5AdnC~(BPOF_fWuiQF zqMbTm^XD#!5x|L>y+;;rxEz=0sUy(QU?G zGbp}4V<5m)g~RtDC_UUFo1__F)On0O1P8b5nWsU8)FS@?c!3E3R08rJVAcG0!S-B6 zGJjk!Z9xB~*9R8u0w3O_8r zuoAGCaZlxaz?yMZFV65jqjY4awpjhMg+Hrb#hQ#6?_FSTf=)GeZN)!In?z~ijF2K0 z#-HizfS9#^dJ`H3?DM3ivPEPdXB+x=iAf?mc66&cvUaNt^F;L1`_u_If(jG0Kx_v> zv0mD@n#}LRy3^+08q<8#fTvjfRfy7z*CAJF4zn_W>SK5~Zm{MlOr#!CUJ3f3$RC5_ zV%!}VC6Izr)AfCn=vanTSM*w;7Iq&HG?cs+j^4Lohi8qe3I@to{4(1uqAbAi_&~ zS1-?RuQ-_~Ouat3fpg5j;+}EO(VzR}g8_F$m&C}_8L<&aUn3B1)fs<)d^y8VX@f`N zhMCA)B^HKF$Xv`b771(&$uZQWGq~f^f*hiJkbqW4hJY~LI0AC;u%SV|0DIGA_N1qh zr5XtWT__*Xq0@eVMBCM^;KiFR2`5acV+f2i+08PEo-ChR;Kk57@tt`%p7ReI@oGNe zX{h&UYI(Gp(W;felp|q~Z(`|rrCw%dy&Xc`Ud2nS`12dHT2&!dpb*ZohkP4OGE&F(5Q#F+E+eh;|v z*h!9H9R|^Z_oW6H22bk+@g_CYtJ20p$@-))Rl1%GbmiP&(S4cdCxScyemqhz|U$aAyysUXx_DE!SwGEr8u|pnT2`HF?8H{nancQm_6Oo-5f#eGE+T8*SOO=8Yy+X!uEfH?G8fl 
z!rU5zl1KH)E#l^fPz@ytqZE>GLorM9V<(F>#2ITf>=KPa|tRHdJdYwBVt- z!aTM#242&caaTs}U8K^wxV_S`?e30hy+EY$;{1rQsM|AV#zKLs%ECLD&EA*JLYK}y z-aP)=C94Y;{Aq$*cafvaI>+j+X*|)E+Pqilvf;0TwQmVn{yK2e+OcbQx$6${_AQCm z!_3o~u>)$>%9AA>+n$Ww?!`raaprS{8l4G>oI~HElY>YTNX9OX8(`2*#w&Va#DH_p zSMPTS&$rKkSY->jJfw@Y+AD;Qz4Rn$>qgqrg=vK!ydFgObe_#E@a@{|kj;<}8)ul` z(`$DQ>E!Cy%S54*d4Nq~n*Qk* zv7MIOK56*2u(gn4@ir#eF?Q?&adSYH1{iVZdT2V)zsHqP#1p}~LiQ$WMbaE^S+7F%dibusMPpnoC%Dd5 zL595QGJK`X^H5QyLy_2!9wnz*kG>Jz63UR6fjWWl7p-4XpO~d8SFsJ8bQK@28!O=* zY&ckal1^Mta(B7Yn}(Y=Bf2B7YLXo=RKlrYMDCaf?A~J8CKawQPf>l<)q^Wgc9d}b zh||+^j@#bdoS&;O@DD70Yxtl>4Tu6~%yv-|SDRjezHih^y6^>1YheS8+`dzyh+RYF z=2DBvWQ$x!@Q3P-BYz#v-d(S=Vxf#HE5F_r2MiYpx3oYJnCNvwNowm7WGWZjZ||EE zRXG5)l=7HleFLjtO0!zd@^oN{$2|&sCwZ6S8$QAHFz9-9nc8jJW%=jH>J$9g>XV<| zims%OuBENpC0}icLRp3zgVS9XbpN_~jJ{+Ht16sfqzYtAgLaA}Jdl1kt+Kv6pNu3A~GE4<& z&@#t7b_nWwg4UTB>K~esAHfsh906FeyU+(ou?_1Qia~Bh;)htxFCjv;l^$R*)hkFc z$x=FTr<5*I;58(~9^bhXV*~xijxQs=AvOTE8anwkNB$HaHA^?u|8X6_hVe*|L?@&d z!2+T})-Xnd(vEUp?qMc4HsVho^+!>iG6GJRxjRzkK!Fh9I+1-N1D-M%!wuNdURTi; z^*7$ghO7p2LPKaJnf9g~r>gT{u&o6+H*L0@7yPJ-YB82YVzij@EclDks4Kn!O#LKh zA>qkSO3OH5k`-A|nmo9aa0H0GkK-Mvd!^Ih*cnwSO~f|sF7-m?b;hgYRVuG7 zj;=F~F2zx(sB4qDt(&4VSxnmKJ$4war%Q#x?wFQ&Zu(m4W4l=72QTEeas`>cHOlwDLRk21S->^TyUtkAT z4B_~|V^Clvyk&?QGlFV@j`4NR!vk1oX0LdZrlisxSXHm}^U3{dHO_O}J5fS3A-|E( z;Ry`FFCY_>gHC(TxU4dkURd(y1<4rbF3SXT!mHB}7Yo@tu!iLd)_p0%B2y)642ia4 zZ{C8Hc|Bp zog%;}nWsiL9P*X?63Cu?1|3MbGoM>1GeuI{i=!~>zbh_$EQ~Ljs)ei~5No`NWp?yq z=H=rH@#G}bVq>tTC?y?E4$A`C!(zRTFm9AK!{Dxam*$KwO}~vKSy?2KAGHcYPv`MD zMI8?8D}EGfkpbveo}hM>Z!euOh`Mi@c*W{*WN6fo8!ZjlSY3B(ShqdJn87NT65q4L z*%jE2XBQQ*KP$%=S$Fe(m7GcbWG|GWRQRQekuFqS83?ep~Pm0ij?@bEYOiTx6(JCOn zysLVGb>3VqV{P?jdJA1yfa^O2;BjJ1Mw}E|ky17KG~y*a7peAOPR5)NQ3!L-YeR}T z5tFN2iGYQ_3OxI0$4%tMz?4%`7L^2GPY+kEJxZe6QhYl)wb(CmY6W|?8vNaf{#$DG za++3_uCfUiTvVf8)60>GU0b^F)#Q^7$lST*F4U3uL%X4>$8VOJPHP&sUbOO5X}^@( zp}TbztEmvRVc71+Vk)^{K;|+8XN`d>TpxyZmKE0XZHYb!{e4f~yO8$h-DbOP^Ab~t 
z1-N?O6&0kAiurFjoVqL?vDMhAW{S)~P^W@C9@<8L(MU{tD>UdwMoQYZktI(`1Sst+ zL%5k$D`7Aa3tPM47uKu(Ysqsh0+}}ufj8a{uP9A$lM~ABuf3Yke?K0!CFWS+E<#;6 zLh&8T{pld;sXIL6CBdBSE}9VLjD$~vhAumb5H6SVmJZh>N)n?Ev3oq`fg86C>9V?b zQS@*-46OY{-t;(zw+HC-h&7JJx+*&@1l3D3enFt#=<}g*A9n#%{a6{qbnl;H+EI-U z?H`Z&-$T;`Y81bK`{=?mcM97k6wZHbPZu<9wjfs71BvcsNpW8z0ybSm8YMv^=WumM~|eA3agY2PfYNk2T3n{3OG-82|E#*MS8f;AQ(uYZ z1LgB!GR#wr>`xtKL0E-xr+@oZ21$(fE=1@3>4!xqWLuOp^Q#d?SJxy-Xfg++?~ra{ z#J%cKQm0EHHff&8A=PO~U`xt|#;OF;hw!CNG(D0@@mburpDG$-H(i6>Tp?#_u(u<= z2Cy|Cz4~DfHCt51=zJt&=E&f2cOBV@Snv+0;Km`>OnPnG%WiIZhBbQ1WGE~<9jsxk z(VzArt5L^3NCRlpd?O!WAakR-jHKr_6l;`oW*M$>rY&$CU0a}ZoC)PI=9w3Sty=j z9Cz~P+(NR_PfTkdk)6y-J(6w$b!-xEz&f-379j`_-j?Z|#jKJ-Q7i01!7WBq{2e}w zs`ggdv{5Q7JCIPgc2u~I^upI`(xcdz-TxJ4d{YAYgiw_uq?qMmL|CKRJW{#BbMLiMG)1^973;=`Wj=jlB%e# z9A{pg-GrT7$>^%2bu!+ZA1&`)YeZ;HUhePoyBG1R7#b4-CYg4#+x6Y6!HXbVVI=u` z%;bAa6sDlk=O9->xgF%bjrtfqn4pD38y12fw5EeSH?e{u9{Y~P@xS_wZar?Krj7NV zBFC_f_N0QrDdW?GS}asbQ7b&TE-3L(bu~x$C9+EM*6+M)b-j)8YKD+vGDRX1X=Jkb zJR9kJvav++v+rc;a}%vn3rVk`T~o67W`oHDp5#t*Dijh4UlVlEaUory2s?lh1_iXc z0_qrii@3Z=Cxy1N-;}+berlO~E5GlXn%g|eS{wg{*9}aVTWB0d)=*`4c81qYhS#Y} zkJn85DGNNos(x3LQ_heVBe>)9O$f&-!p|p{M-wZP5D@>1$lp8WDHV@}*AHqH)FC9! zXgw^cVVFl$O5&t(%h8)-@=a|ezrv1RYLybyMR%@*(<5KXhitDuQ9P^mrPq7DV8=D= z9!)m4NbJsV&r^5S@VTwSdOmO9v-J}0zs!qZttPKOa6S~(zv##mS4re zm&OshME5G$%E;*LMnfVu7!I+6$E$@=6kYSK7-JFJ?P)na4#XGPL-=EZO40J7lZmjj z^|xK-_;O8gkJm|MK8aR+C>I@+Wb54bg{xU-&wt?WyP?b6_D7xOnd`y5TqM+1p;z^R z^gaN0SR=HPvaKF2jZZOPY(fzy%rgpavjle?UOReVbG)(nhTl$mJcFG5lK$UnYsbSE zt|@3sbIKX?s#iT4P>XPqIqcQzZNe3789{GJ4X!42O>KQ9)Y_eSnt7r>b}hpW#Eq=v zeeC*tOzL{)V$wUET7{>oZ)@*U(-lrZ=REw93WC*x?xwaV-|oig9?;O_G`f^p+oyre zt`BIl_tw;O`6#aL7~;J%^Yy;u&LgJ9dr^t7B>*rV%hPhUQ6j zI9zgzzyoo<^Mx&;U)&*OsZwyzmSH)QzUw-0pI4<^n}y1uu0qq?CFM2M`tGoiQHSN? 
z=c|EC;?k^*C^b*n6fvmQYgB>ddaMJ(!5+{IPluA4@9U_m_OOPu0_icRw==j~r&|A5 zj9vgN^6Q%vo+mirwhvWpWk}W4&@h9n8kYZgI_g@)Z~Mp51Da{(zgroxA@6J_Qwo3( z{c3@e=eDk@<+cOcarp4T{&TQSnoAaw2a2Y6sP-H7Tc5v7sC1@=P`bbDW`KV4NzG#v zVqtb}DGq_$O%&R)K+m_)=brG)Yxs+E%YLb-$wBDf9#ayAFv@EJk~o)W-;nZDAR`vX{LeP-knI1Zc${trfgJ#=Xw8y=?D*Np8T`0l%+isb+}&W!o+ z=%T`|*eTIR_|Nft=-Jxn?GO#VjaW1|nwIh5U;sI=g3%S=Esp?Cu*+W5#$MzUnH4rM zvP3DhC*ubJ+Z6kY!{|qRBmUQnn0P>lNDT3WcX1f3nsjIB`sSM!@Gi^LD$FgGTa1Jm zwL#Q=(4#R(JdTZ=LE}#~_h>KVx8=-+sdHR|~!d_Jb*YJ$h5`{K2;-9?IT4eKV z=*8Vp7L%kKsew&t4AmNiHq_!?jzzpmdArV&Tx=bVi|^C}mLD@_87p2C8xu6c9avGs z(DxpT4W;ZKWsjA{V7WxSn)w4j)4&dlj^G0-p{?6=aOj_v#-dUeF~cq^Q+RiNTX=K> zfwL{ka*#cHg887J%ZaJc8+CQ=X&r%7u-|=#wZ1(PUH*Pp{tC)UCijkhgw= z&-ZjQx!?fhk{Kk`yF;D`QbZPRf9#o6$cz;d+AzF-V5EZh2ug@0G8m47)i!9+ktfB$ zqtBP1)J>V#tN0VmJUUh2F1ppG{+`wGL%lxuu1~R3>;% zH2|d{CIJ=-4{-|)p;)5n(x6#$U1y|_6#$gOf>!lKTe+fsw$WEK>a8u*J`t{MIYAOo zd9suDpOQUSTNor{*O5m;jXF9%qRHrD0nj;;%yJy3lv~>5Fs>6&_`C%``w^5;W+$z{ zT8+Bc5q7!NO|Q-6Uq+^{FhgE$^lnC1@p6kEr!rd#sNkWm2t`s6;!!}qI!n41x^FD= z`4IUG5&i`2@xg1JbxOrf*f*zaXtIC1y@<(4EH3bLV=?GMRtx(%3MesM#lsbRaouqQ z(va<{gCV66y0_S23ZOyGKgTqJyUJZ7-udHy1&p{I)}goI^`h$WNomXn+9{Eg!@ZTt zu&-gpdSZqf&VEbp+Y(GxTQqJmF)}?imLt^e(U3kgE4McHn9BbbugryGOav2lHPGO^B5QLN{N>uU`lnp zRaY~-#^(a;u4He7tw#=}8Fv9QSee!C;^T^dF>bQ#nM68|Ud5CA zI@)0Ox!8)Yhg?(v99@A6fChMRs1BqOI*rU=N{$zBmkWr7SU%G(junM3u~#bVfLd(f zgu)C*W)uGA{56kvFO5ar9%i9$DrXt@i_xai=8Up&JUgDm3L8Jif`%vs@$k6kYt%=s zu+QucZI3U?a-8Ty5-{^D^;}gN6iaoU#*bg2B25O>F#Q!4 zJ#9B-K(jBw{R+eF$3DzFQd>9#)!9y*eO$vwP96$$_l6Wbw_Z&xH;;`BmMg=3wElqr zLh6?i{5RBZ$@Qc5!_@8!8tm5nVlg(swCR89Wa>nu3#b1Dw^0LVvSw>&>wr9#O(-n} z*%nyYqkzI3M1@uWAzEvA9RGH3XbleaxX6)s8X8Xh&-}A6Ae=?@bclNUd3A`SWPBve zqj-5~c8UFeedVgfn6iu&;+;O%|dD=9Md~gnjiYB7?s0 zVg)}Y3r?(M;>mk;@P?*gZ%%~`B2fz+uf|W;C7;;VS)xyx)P0N!*paZj%lSDTJ3aoF zkZ?MWHqgU>o!9PLFTngJA|<1$puQ|F0HUJ%yGQ1;qvI#27lMwC@$Sc++CC=_O&Q;= zf!RcTdPs=S#Loe_bp3Xlz~dIiR4F{$Nv9TKAYIKUc!F6HyBtAPe~~b)#xZWl+)B`g z#m~X55G(U9t*&RT23_zE@1XMW=|6gQRqf+(r{^*z0uQ*P9v=PmrU}?iNnQ`}$VZgh 
zo|iNYGm2_tQQF`~J`RUJtV?{OTJ!{$pai#)Nz`+vxL7_dfb_G_g9*q$ zq!7bSQHsXqW3c?#MkQq})ZkFK(o66opD*0LTw|+p1s~B8N*5M6r<7|+@}_s25fFEJzJQ6Q3?`)1FpG?t4WCK>GIprTM+#wq($ku!Oy)Uhke zrsS89%q$Oug@sI#d-NZTZ=`qDhe_;;pMeJ`GR zB8Bz~GNGx)7qheiVNY`fHWpV>(x{Q1vX#I?p6~**hQe^d2wKb=fn$W5r$Wa?Op5|W zd_xmsU0GVXeHIdzwFK4P2ruVwj{t8LJRxe4H@Mtjz*)lG?nHvkC*bw`MPGipNhk2C z0Gt%4X`wba14>ySJ;^Ws)>z+pp+5oo+M;D~i?ZsNX5SWVW5L_Z*tX%c=itlyaJM}D z3aDf>-Rg|a4E0!raE!Ui-gS8#=>T?H z=AFUuwT7OowEgw+UgQmyI*!nkyW%`}l^>qa*FCjq*~w*fTv#Thwk+V-aGfDbS{zyRwb%c2yhjnBs-ljxO>e(J!f7*kb+NPYW6@)S)hy$rrq;IS zwYAUil@ivTXx}me)pH3#$ulYYPB;q0q=UwaZInxi^ky<`+l&E>f_T_HqgTwZ$!?22 zUeZ{svoKkWvAHq2{6Oq0T8#3re$mPrmqoF;_G-K!cWDMCTANIpytXpWHeCe)k0KiY z>gD0=;SozslA)Ts)HKb^C%29Lz=CA)18P#z`8nEw)%%Is_bL^4i#~Nfj`SA@C-RZU z=^T;H>?(v1*95-nORV#irQ+-RRtXfdH&ZkM6Pp+>4oSh>9vf1jt}(g{f}=MmQHhA#ECrnapf71M z3b7&FfC{p~upmtQiJ<@`g8zYyC`w`#d@<@^1B1+XWJX^upurIhL3Fq+0Dq+fef|bCcOw*~>%E3Ywt!5~J=_ut(rdwAr7kO&_7P*I>VtJ{ zZ`fsi!uKrH)1TUtzV6UV`@=m#HwJ&2^KNuIeYd-#Mv)t8!8;zQ0Noyju z{%Ji#5uJtY_SJi5pV_cF=?eZE!Y%k$bG!gI6|%dXGpshT1FKnX-;STHFj0x0nt4#$ zdnByxsm@x0*OaCsFQs=8uWIA${UyN}X9=owlSbWRMQ)ip_Wfv?zuBoS6B-hCs8e>N zHB8u&Xsh%CRO8H|c*HzeFJ}AFOzMqOQDj*!wfvrvP5)XAe8UaHh!y4dm+rdA2SrMH zap+h-O!}0_z$PaH)Z-FEN^x%f+0V1Df96ctF)L+@&b~q%UggBByN}q7#60`$84_sk{B)<@YubIY=`KyR;AO~6q4}I?Z+o%vq!3t(5Jn103 z61juNmRh6DG%x#|#iJ zkQ(=>24yQ6%y9pQvU7?R1y{uPL$sL&wGVlmznvCZ!EdcH9P~2*7ScBXxUkJu|RrWq$2xL{6)mo zA3!hr?U4=P-{q3);8cnT4ces^I?E@dIn~cGmY}wha$3+5;M^rfqyeKH<^5}=&&Vi| zerit;M7dd9{1GoC>Y1G6-MCj~S6vD_Y-ikwA!D;_`0Up8PI2&RzL{?^k&&xKmzdkNgkKt;D;&G$K z(|mn@g{g+fKw_2b?_$b?hzw+ySB>IO3&Mlp=i>8dNjx;o9h=BUegpIXpJ75>ZYy?+ zbJf?8u}YkGiKC)TMeYui7JKSA+)=s#;dxR%&b2lC#0pV3fkOmk;l=_X^cs?fTlLM+v-i}0Kkxn$`SLhS(G}047K;iwC@+54^#;IcqMDlPyyCamwWgVo zdLX3P1W~Jt!rdCQ5L>qe)ULERY}VOq(8A$CVYfs#sD^TH5%(V2DCIPYzs1l%V{7=V z34=GT(?YSnO|~`*n6c}9iG#8tJwFXUeP)+VecD+E3*T|P! 
zGZc8!-63vB1-uB{W%}i@8`;VMi>PMJl0=Bu{Ex%_HKrBH0vZ=Y3j%_@y zN@Ht0)0D*#C||0cegi=JX4FZ72x4%8MxAQIa~izcX4XAqyk+oeKSOHJikm{ZY&sy# z>sNMJ_`J*Nn;4l)qeDgG*vY1U13u)#gQx)+SylGPJ0TitlT`+$`s~3|-E3*=0H4aw zSG!U)HTd!YhegZxAoseJk2vs=Yl6m8ixi(+u4 zug_-ZA8>-*H+X~~2v+Os0uBxqgSds2s)HofA6tV2NzYU%erZ^!I2hcfx^cBjZOQCb zX4`bE>`Z>8q;e?UX2rLyWV#7Yvw{q#vr#Fp$YND<>%91z^NZ=l&6GymS&@-)_ zwK|pc&gbWsUde-PSZZ9>w0l7}El0EED8o{tN;%#?ED^C!{?{OmYac~-#p)(wesbOzD`;z~DD|V-||^vO{%j zOz6XTU-$x=bT^Kco%V_YD=229PiSX81Xri4-n`rDaK|(~PN^eR33sX-jyTLeri;O; z+v9sDREJ)3zPxcwz3y2aL4wNaKhM?LD4^yCJv@oDPsCeMFUA#E2@Z;3t9@)f!IlbhDy&>eJD4^=J5CQDkX# zmhI)y1-Q-DzZEtQyRgf~c~IDZ;Z-&j{NEdx(+xaV7a7az6+0uOg{th7)HV}^wwaIV zF7+c99xgFIFB}uEO3=2D%k4eB^J|YAFYAjdyKp#;0* zj$tGN&UOk8#^C~)rdiO0#*U|TzJ48WCT8;$uHk`|lQ7_hYCK*%Z`s;eh=0%(8~uuxZS_(S9M1-tm<7$NzlN> ze>lYD=;#j(FjyQ(5$Yc=+_&TnFL_P)H{R#E*-!9!Shfrge>>{G{hdjk^6=sNh+yg$ zUyyuDf$eIKx%MlSh_$GUQt}qSGuANNg6Z8y)?Pq@ZtMyt$=_RFqe5jxus@ukb9Xjd z4F9yo2v_QRTxbrXgnq7&xjF|4_Fk=dhy^aFZd1 zp0KK0(_^iIgbDLiF?uh}-fS|w=*iJJ7nG7Zf|nga)t5bL|7q~|^-jzL zVyaVCyM7m6e|M5WZqil{fCu~&g+LHSU~)1Y!*a^zZfj$e{4t=tTZGpk)Q`s%4BIdf z_$TEJ+kOehEu%f9qQScm;VDjX^-DoLCOcsoTqFH5Q8%YIndCa;ZPeKn{ZEnjL`Cn3 z_>=p026ZvAz{--o*wU>KPLjn)*nx20QgVp9nz6My2d5Z-+jNCGc3N_uS5$c^t43Nf zc(jD(R{A!x)=rKZGwfB7gPG5bhn)xiWKC@`{t5G}Zgp-D6xr4l(W)!3aZ9Q_Bhdrf z(QKJ-_OPoI7N6Yw0F(@(XD^+B;&{(|-S3S{>8uW!E-phXW)ak&>dcI#g+EL|WcGw^ zm5%iIOwH&ybKj^h7tttY$1P$xZ+_BjKt)~7Z{jRFfoXH4Q?Pi#u*E6m_+&}#nd4cG zr*Q@<-E6gbf114ofQrx-YZ;O4JA)=2-r*`2i#DrC2ceS`?2wbuJG%K0JF&SuskQihCq{49 zV%8pXCBt_vHuu>hB!jRdFXvh;X6aH+6vTi@X3J7JhU4SD(E%u>_#cbL9I&ZT3M6rOc z(&M%o_*GaiXz)Qu`IctKwjOb4NB%Yo0@h;okRf@>Yj?-+OfLYV&P!j21za~~zm4hl z6VsED{HT-5azOwXDZ{Zp9B58{ z&?Fn6b*f$PEN0o$rA4Di+w~Yw=#U2fQn!_w zm2x}ngov{vI-Y9JfwqejAkgG?sK|YsbQ6*nxQkKH6GVevJkM<9p0bk~?l)w3uTZsn zqwDRd8bBJv&~FyeP4 znm+R!`2wZ(Z8-Q1Lq_^D1a4r9PQIWJ6#UI!2&3kru);9N~Iww)FUcJjppW4yFpq z#He^ll~S{#9w$PmbziwTlFGLPJv;V{kI!JCifO`0Y?FatjBVlgm$Lg70yY zjjyNX>3%Htv2PH->#)5u`Q3mCHbb8<1x;xea?u1p8*RMS(Sz2}-S8gPr`bC(BN7|+ 
z=%2yN)C+f@hEP~^(BXCGo{G~frnt;;ft4#8V_nMX;%8kBw8T;o=})`G^-I?p zizp@H8K|m^WH(!(?L9#&tT%B7l6lG=XfLpbd=lI2z+SgSp!xFR?5_U|-`AnM(|k9W zb~7P)mJm)U7bV?J-JBezV4oepdQzgSISAO~L7+DgI^o&Pe41$?QaasS*sq%qJVZ{I z_K{)hr4Oi?21lf9Q)iehcyX<~ zxM*|HvTNn?4$NS$aYSUd4uaXN<7jA$>n$)-myD*#w)}-PD>~948IJ2IIuE7DnpU@r zZx{V>lef3Mlq%~a+1 zjT-%CfWhwqjAC~iLCUznYap7`H1D6^s)0q^l%73zWoaN`TTqhOYm|1G0XgmK#HB%& zzw^EnehD5DdQzI$W*}^S{#Jq0x`l+Ll|y?l!jRwoU5T^xC2K5UCptL}1Fb_Zl+aT| z(VlG_QJ|gxrOjphCrV~*qiJ(WYjb!I*l8!Ho!p%EVA|EXg{U!`md64pQ>w0=6KFvl zj9+S*E7snHjR%Qw;)T&N5R=7Q6nCZ!n7+r7pf%`U3^RV<^TIjx3dL39;fe;^cHf7z z+a27IDt=OCic=J0Cu7cv{K^D{w|mMY=^#om^h1*6YdUi{RNaj0rXM$J-JecF-Y6nI z`^Ek~c$8b@oz#%tkSo(O>ir^;<%3wP#~o)NlLEamz+)vbr#YZCS=USrww?-qf-z$r zr(|3+e6qpMXJ?B74=>$5rrO*XC@ov$hKI&2Sz#4@6DQCtEo=`l%fsNygLO=V=AuNx z{K%x`*xdd!i!X;NyY|>D>^Be^`Y8>0PK;^FeP{KzI6%|#I6eWtLx5pJF zx?VUjP6?#{=avBqQC`q93fm%LiSOBz$+?(ULTPsXF}k9+Y|{_148 z1%=#|g+p8*rb|cUsbWpH6pShk8*8Zh!+vczEze3uY=+oiMKhrwM7^rQm~SXO9z?l- zaL_4Z3sOUvY26!>MCp3ILtKv5T<=t_!1SYiRh3B?2%`#!xQ2MbJxnt~WCA#lH}{i> zUApMP%QiYX4IKf?+je=Isg?c|8WW&{%k#~C{2KI-WgaXEm4@|nuK{HOs8OMq6?E_9 z&kqy0efAbN@ozr>Q7K{&9u{|GqAk2hCz^W14Ks8E0NrW6r&Fw#N8d3drcSWnYrEH} zj(v)>W9=>(QMT5Rs!?KOhzG!l736^!0@$KRkSI#7V&yYM=QBstDSUouFhweKUU6A8 zP1~%1AA!$O9cvMCwPm|1r}@3{!ZD%;@6Ye16X-mGvMBR6?W;{?9#49xUZorY9 z`g@4O6WMNp@pF}?9}+q}Z!Wj)&MC^6J|D+(P%_4f30tQfvrnFwSp}eXCY!5)5jvwQ zVuo$4FSR;f=!lMYH}-0$hY##Nsl4cVj4purLu4pZAcf0e|7UE=L=b-&m*R#xU>KuU zT%1viQ~<$$=tBEu5@mL0Y@`84{|*tjV-z2iFtAaZ7fwTHeIYJ~Xl`--58@UJCHqX_ zgsUR#1ZiC%Hb+VBwy03+U9*K^i&8A^j8HE+fX?N>aa~9~yDq(_6gmMJ0qmmk6lAWx zY}StSx5A97+?*rrR2M3)jlrCDScD}oXj>U3>h>D0FKg7M9fSyppu&3$B038MDoX%U zTLDehka~nJJ!CMskHjLq%y3p6?*jKkFG7e>8 ztwrGOWZO}KybA?=XeDQUDw26)=F5VN*SYC1PI>AW@xlS!I|TJR{S8jMDrrCsjFehv zG1cHga==qxf^23NR#RN3c{HmA5_76G{4ESmI*KIS70lrR*uJ6A9$e2FiSp_oxfJB3 zA%!2L1bYfjWK12Kc{vQzs2XFREKWmM+}<6yWDhaFt*FfqBk;^S{8` zcKW*Kv;_*@+eLUs0kOsG=By$*;Wxx2rC$yz#@JPAx3QHtz;(IqHq{o#_x!EKC8_m( 
z6LV{h&8ZvWJUy6&QiqcAox4g*vLZQBmCpPsRNAP203AJrhULP+ifM6W65%om*Yk~o7qP@bXg3jRtb)^H4vypf`7 zt0cOemb9P7c`4>xy2#0S-q6Y0?aL#*kooz!#D5@=L4@d=nAuQ6y=M5kK%K z!k%TraU}7Zf=sR2%qHFPo}Ta;9<O^GcO}Aa2Bg3LCGx` zF>}S5r9vjMi(NBG%=D*U#ZKI(hei_4%|9Rr(7Ra;_H4_nU_9H2KOD) zMae~bv8V;HsO8G!{}A+;Vywax)^qfj#YXTH&V3ryJt?Ac?qyBunn;nDJ&TZsj$Da1DFvccILnV$yTY4K0N zduaJP`yI<)Q=RYHVMWcd6q36;C&q7b?@}`?l7Q5bT|(`5(}#=bdfreMQtd9s;L@vI`p3zG`<}vlgjPp{?Gp3 zLEu8nf$7bcsF%F?p6jFN=QZ`%sAvC4g~7}RqJ)FLOAfWjCTt+ya`-&AnWD6HVke&| z4!ewYy8S1p#<~HK6&^}>tODHmNtsUtljM~bPIi6cYI^<4YB{h!rU`7l(bINBkDI&R zjdq;RJ^1t!-c{VF5!rgD*RtOodzC;vZBE^=BkF&QH&?t=+zAQ`g!W6EI5`L>PK1X;J!Y#&qD+Jb(nGZ#=Wa&0@BNuE#=3qMZT7JJq-gP)U;Fkzqe3L>$&EW) zUzI{On?N>`6s@s75*FEl@TTYmeHyQceu-^vyu7xGX%em>6Jy1jC)z#h;D#(i*-PWx zF!wbU>l`^p(%TzFYg_c4qQ;w;rMxLTzXG&eK$CabU$1P!&s%T>r?e5Rb~fa3__z|m z9J4bwqie{#_eH$4%ewrXEmM~=C$f>%gzPzHp_=fi2B9PL3l%O}iNR#wq6UYz+Vkj~ zgjnk3Qr!`Vq`)qFpW*NOd7kX&Z}x(B7O3oTsUE0aWU-on2gVwMf%$V{Dc&E{BCOhV zn++b5B?5EUT<=*$%G^9{xGfn^a7qQwr=}Tq8B)N)lb)-$slOu2(WOU|%w{Qh>_aRt zF`1kAOfj#hPJyNJ7ykZ*O=y=_5%R}sWsFB%<)$24-eI}5}uB9Y|6sliE|+m zA{P&7=Mw8eyKxM4W-!T-l7@N-jLe_8^$g)Nr2&4Mv4xRQrH%feiYM>CRNmalO{QgC z#*7|JTx6GKBMgk`Y$v2nYXT&*8BFO_9LeMA9z~NJ02b-mKwZ#p7q@d#Sg_^G+ISXVLUm)a*nqqMk*;jr#G zwTmW!pLM6GHSir(fTzuHKBbf1;!baO1RIrZozxJ6joPW(31CyA>dgC=*`BGB#9IUB zn`Fx&G?~w`sqc4;yAeY8vJMX$g}o$)@J~F8#X2rERJ)CMa#j9*z_eF~U<*@!cLcs6 z|IH0_zVVL)?yNanQrp6ITR2}v302(4(+e9@Gy6vsuoLT)-KiJ&L_Gb-NLK2E6oOieAzr2uVB z;89#F>Mc_QE=nYLkWwNOFVI+L*<~7Mnl6@77PV;jKDo$V`H!awvckLu!WG$2E%h`v zBr9V@&HO>wO@|d2PoP^sJ0zcGeaBgO62a6yFqg$5bOkjR!W4Oul#bmXE5p<1bEyj5 zQHq8lLnD2TKvuALL01kVW7;@TG5*J+meYNbf5~aCG0JjydfMU zGYp-~rHWdW;v%^M5G~gYJ1d>B zokyja$7N@^@|v&mP4i{BJ4+K$NmW-g(1NpAeb&NeYC{j*DApjfOfL%~1U|bbNSX3W zER9KHm>YAf+=eS>TL2|RcAz&aHOQw?KZg=2-Grpn>BP#iA+Lhe9fkkWhdFsK_ADFi z7<4PwQWG#LJ)-1GIGSrGf_*IS`xF!ob&h~#)SkI>JHsD8L*Xsb5@Zj*g4~j?*>W-H z`fIn|;CXw)D8L10_eZd?%GyzTpuN&zhuEqy*d}U}uH|5N**QnsR+BCesJgd=mZJ6g z1mugjQvdaZijBhE9%;mLT@w){^EoVUtx5`H*v8NsglJtXiq%UtIQ$Fgp-~<0qt`I$ 
zzDWPO*|5>Uf$U!nfk?{AMLGa-o|I3I&mhWy&yVT-N8NN(B&`kW@U%Rbo4aWp?B9~z z!~@2~O)cw>gwob6N+83g+l1t-m&gM3>#qMsVI%X_uA18P>enL=WDOgm3CW}D6&tq5 z>Q`?tP^zYH+%*fZvF(l3k;aio(Kq!$R~9hn(E&|P1Nz7B!7%y~ z*n|b^+_niCo%D7xW&b%|ZUy54!R z^m4tPuR6m2CW1a5E9WM7Z_2=@xjvs@(v{KsZTCXdNKV#JZs+N2U9gSs8Vhs3Cp_pz zrz6xA{!y!K4fN0b&8B`GL~?k*mmg+Psrx7l z8PX9C-tkHnb}3_bhmWtM6y?YS(o}ZXYb3HF!vd@U_xX1aq7wHT#!<1;0>mi$(C`s< zH1v=YcTvoMOr(5jHb1HAc4l4|2S-E8EM6Xu{e$=W^LtyxYT+VU`@p^_r){`pEUB5w zWB_y8{wW}eW>?zrQOx+5`Y9ybRfPP_R9YEb#cbrmMKw~o?&6M-TG?2+sOVUMV%d~P zVvRG`>X!sM;aP@22$qh6t3TZcW`ywxl#e=9j5vs-0yfmtm@S6)>ipcQGpfXR^4YIp zbwSl8xVP~JWS7BdkuHGFjkf-%)}VcoEl7Fb;p|r?-2jzql>W=sEd2PF!0Ll509(U1 zKn|fq}bEg35Wp+KiyLFauh9iQ&eQXT>!nN=bbr>XO=fv-ZRT)M=J3OIAuO-Nni+DV+%! z?Y!omP}5o#^mbe$i;qlCrHXp2`+XUHJ;-ioV!aTD+=RCxaEQA zdpx|z)DD;U_|KPKeFtaRV*7Uv@K<)F?gCzuK|0=_2I)yZjc!hrfi>ANf zM+6BXbzmdOi<%;f*AB)*>yXVBe zC7*3H!)LlVtU2IUFYdx{+d|z{P(45p`57wfcIiQeBbj}43ythav(#+DA?f6#L+pz2 zuDAz9ZwNRv$73Z=cgTRr%-<<_)`%t?^$~f9&2b@<6a&$UT)VW-n)V;m&R1SWln#ULO)^e6d7cn@sE`652|uEh;!v zlikhArwX%Pm0Gn*eM{EQN``Z#yJ@-R5P_Z0%1sW9!#8$a{mypdy_pPFe(FA%%z41q zrl}OgO_d7jY&dBpv$i{3gCt<03gccqiX}hFH_>y%embrw9hwb)HGhf(CpB00b=T#R?Bdj+~vy$ zsv1Q0u^L3l%7wEYEAOyfs;x`@6Wrwbhh5q86aJ5yd$^xR=1|DM zXH2(>1vI;QgB{Cou?F}DQ>@mRg9+EX97GFhWQ!$9xK*5HO--iQgB`a@35!s%7H}7B z1*R&Hiij19WAu@MNL*hh3i5a1JDYktArACj-vmKCd4sm{%!RrG?R3j`C!SaxzSmn3 zOl~Y9iSNlf$~ex;ve$xNsonkjEfg{;=#@Z!PN^~BDfn4F;rN@PphXcVa z?u3_cT%wf-SzkY?n{PlycL+2I#WbQhwSL9BU=BoWyBrerg9V8chrIOhTlZY11s-NR z-7nqO!p=V2KCvyJXZjlw7gSZ_{5#z|A&l)G z$52MW0zas*vYW11OKO>Okq?R^kvXdwbm`Xg1eYi8pL;k08%#V^n}cc+*=PGo!V`)I zh4LJ3Ir?z5W1#<`C03_QG%vtTX|mQ&5^ev&=Lj zAj|n4!wdbw2^lev%8oCjcYsIS=rZOtEfg`}GbO;Ht>DG&Er5E5POU1{NbI4p)clhp z$b^1U&u8~iTUnauGGRFQr)%VA0y~4MCDURHJmo`%gzX7=ijV}Dk)j3S^#6R#2y`zc z2PrQ2r}KFVxETqRtojFxv8v4#PK>8stxoJ^ScoFLP=d!zM;AD~=UHM(F0r+uZ6sHI z8zEP~iVQtqmw07$mLUYdxF*3ExTl2B(u9;l9!Eh6l@_d=vyg<*+6R#e0?!6j=7G8g ziI06o0?k0sOHfPpSX8l=t3YIuntQ4q#>eh-H83LarTjKC(dvndc%6gFUQk?jxJ_uR 
zB`Nw%PR_a^4`bXLyA^mx4W&*$-gq`2%4)vy6)qgFzPh<}ez|r-($lE-`?6^J_poKd z&1s9!QGEbT0#NGY6{r+yAp-N1hGn4YaNL}B2ULjsN|~DZ6eNyrLWtXfWpLBMcgqmv zx_f!-oQ3_KS$w@^Vf2t?A*X3=nuEfGbU*#o5^C_3g7F=k!yQsT2!3Adn;Xe(J!4#bQFSFF_1bFGP0C zvz;tObQKD!{GZY`?hm=@bMDK9J04NFQ~h7DP!MW5;}#jU1m3i6yNW@|xX_b6PPojH zHbS|KB-L7v&gC}*6G~MeZ{oQDi>q;W8fgn!-Z>cL{#92<(mZFe%Qv!FIV=M!etvH{ z+TU5+y{X>4nf*ORwlfJlJ>GkV-3-01yypM>o66UAuSQ1lYo1cKIe z+0ZTo8O*vfrnwI*=64Bi0%_%A1!(=r#V2j@1#bKc7<^CT$n_5l-1D!>W@T3NXXC#8 zF#dXVIlWJW!(IVOTRB6sCs1z%5|rSJ41NA+m;I|y>vnhJ>i7P`si52UmZ|#1s29fW zeU_I@GZUT{^V3j~w>NB;#NioKplFN%8g8d$Pr2Alj$whp<^S6I2Xdb)}zshzasYggL zPYe>~r{SgXyw~=pivt-W87N3H@6~`DnVk^SGZ!>gau8XoKb%@&(UJO+04_RyVa?=x z<9TY$HHTdA0kXk<3>eHZYb@q3l06-puu$h-4QK% z$G8tZtII8WYc{vB=~6ru(~Q~4>C;<|q>YnkDL%XzBq0{`ad>dn-RUOyu{;eYt?PDS zk|mehfmmAWRW_S9re|D7pV6Su>W`k&p+6JWPrZIxwpRj$hM~$CK(Cd@B|D`uW-S>r z+?q4YGGj8xii;pvbX1srxmUMBhbCaL=%q_MKj!b@Z^PHp{we<`ka+ zSRYjn^Xp=%_}R&^IkUmEWBJh7w#AjFiBhpn{z+# zqAZ(xnzwuLXTVaz3gn+Zr<(57u)n~x8QAR;S)Dye)#yPT(W!=Uq$E_on>r0 zNLh4*)Ww*hdD760zso=kx(Qrzyd2*mm3rIblTvIYZg)f@1Y-U?3jz*hh$(>RqX`u= zG%`?LG+6P3#bsx3gF9wnUX=y?80MQ)6ss zO!;Xz5fb@puBYYNq9ug&x6JDgneZ@DVP@lZBzyEj4TH`+GJb~qXh*6+K6MXXSM8g!)XJjewZ63ASxwK|v{PBj`m z{`MN@WH+Ie{9cJr?N_&RQFsZ;@qD&$e=_FatuGQCM|NK=uMWPDr15e;`Vo`GF^J;7%=yw=F?8_a4*_Vax>@|g0$im| zvRyYv4%>{S2ACFeFn@!FfA~Xm-%$9*(y%r>kO6n-Fl8Bm3AaaJ$~KHcDqTt;$2Y^m zsW>$Q-dEvHQZ@1Ag);nPw6~S)&$O-EwcH=5U}H{Gp-P%imlpEOO4VoSO_3fbsg9*};&0j+TR2@=3)U5Og_PD|3$Nvi* z9QEbAOVpy{(oks7cipuct_V{rNmOvy4(yllOH?ok=PS;sPKG94gj@`N8PBBBgbsDR z*DZTrtlp6lmJC{z83Qze)ox0`d!{e(^g3}P3e9KH<5*|W#;I6iQ2##H!Y)}lUG(=27A3-=lXaFvFFoE1DRae%*_U#*#WA#sT|}wu!0Wz z=f?&J9t;DY9Wg2!L1XVgvuZPA^H5M@ZO!rr5Z^K;KF;4beHZHC7Et__5gvRgR8Od* zE^=s-7hR$Gl9tBHD+ ziNy{AQ*Huv3h^8S>su!c3~sSKPy?E7y*9Z3-D*3mEJm7_FpcJJ!YBdj;@_e zf`6hDo3_BM6p5aFlh76V^u)8^@L@kLW3i-U+#_#k*}k`)=(kTE5P4v}7X6*aTZ9t{ zS(`k}l8JPp+X~t@u2Rv9s@O|wBAJ;{ zUnG5t{@>$DNZ(k6J8BKh;9<6K$*iDM<*=~graC=ROLeGHxqUl?yL=T{<<(uCUse)o zVkL$YP5l%O%M_tVB>J&4apM$V!sI`TGx?^)*OpHgsrv4SgOaND&wsc 
zORPP7T^aEHn$ib$ou>j`HxVS&FA61r^I z?vRIUs_a@)w=|Q^Ob5RL!M{vEX+a~+B{ThWVGmX^`w`}QVwha&FQh5s!*`63=jxzj z!3-`+yVh8KTqW|8C_lF?CGclm!(#KH@Mh|vk%N?~zvf_m%nb9_OK8<+F<`N@zJ_!# zu{{ckxSEK|F>Y>Oet)DV)t585hL>D@Ed1gPm`yeF)98hcLIZ1WZfx2+sHE1myjp;_ z<$%drfynrf`FgVZ*@a&U|HqaFvv9oET1Z z`MaC4_dPF+$Thi^l`t$uDkEb8dHZT9{VuioO}75_XJYQgU14_^sa0J1ru{5FjqFH2 zBFl=EO8}5j zMd&^Z2=Er?BM=r^d6nqu`$Y*eEn7_xM;0H zkYpo3P`bSo7;ZcH31|$@OeKxT0gvK}X?}^+l-Yk6^2-GBgA?!@ z2(Zz1mrHnu4)KK(knHWVAv=}}PA*|iIz8i+x}8jdV2;teX5gWTWlPOBx({tMgWV$e zc|)Baw5{@jtT6yX-q{W8O5-7K(il{8(RWxkm?H|#o7oL+a^yc6LVlTNE9MOEIT_GF zDXa{R63*zn=Wd}4jrj{!r^6(U37A>iNMbelY0!dxM6^?O$XNyrb@jx7)Qq zYncBCdd-T~F%wLOSB{EB*x~k=*+1Iwl2j8~@CmF5zNt4yc%;dUvdR%dV{eO}_n z&T&u}0vKdaBtZjOV#8kn01okpH~ftDl|1;>>+KeEo-En30WFX_NY?i^M4muaycjRU z|0EqRq>b>KAyyDZ@?ZZfc}i}j*_K2gKyuLQH23gMB;9-J^A}uR3K#?h00002pw7cu zU4_LR>O=$p;7=6*0MmaDA#Lo8tOWm`Ufd;b3wvy}40SeJ1Tu*`5b;1Z0fjF3coY() zF5!3}l7tR@35+mUi8zNjSb1>tq;71pP{%afHImeQjcK^9%k1J6NgA?xrHr8(cgkke z-#cjl6|x&=R3*vcC!>Tb+UCP@^Jk*O+wPHhSpS5s7v*XHz17;?_+$+~7STIbFYHVuCO?$OwA`6bXs0qM#wQa3LVIaG(DafEC)BRXUY6M{y;c7% zt6i2oFLPXYKgW3L1r_$Mo|zBX!0wRhH5RU~9+=;+Ik=e%S)WCb`clPv7#Rp8PovDhKRG$I*BlpgKz&% z;(E2QIz!|!MNk10|%(eIM#7^ zTyHB4>06+>ncHf}yoJ0g`5T{;rV~sM6Wzbn)^PN_RUiI7KYY&d8R%r_i)X)_M$K-3 z&%?pV!v)po5;HAFCmS0*Q$kN~c1oGJTyjk&W>z|yKQY9vZ|Ldl8bBqHvVJ;u2*-5_ zhntR}bu=|@UB>D+!odk$hR+AABTGk3Yd<_bP~ToSDta1VeJUqyUs5$Capn_9HG9D; zvvN+BRhOHQlO5t>Pdme55SZxnD7IJ_c&wL&otY^!vzp}_io0U#ywP*U&B4PK=`f&D zgx?GSoRiJP!f=z-$aOl3h>sTA9(ZHnH+Ky`P@v-yO9Ykd=qQ}vD~su@<6IaFMP@z` zOO9Qe0=@P>0B}H$zbokREqmS0<>cxD%a&h64Cx91A75C38p*1#q-7Taw9ge1mjU%7 zE?#zB0zOGH#Ztf@q61!_C#g4ZiPHdZy8W&TUN^L0!@YC^CZ<7@b<`aU!XvqYV{{-CSPFROmN|7Yb9x+M z<-&@`OQnVqbb39((9_bc_U`t5y`Ak{T|Iq${q0@tz3n|+gHPovp^JO>EeX}54E~Y$ z`<0hK>M=xSibB#%`p5A9Vfrp6A@Y30b$$#zeVFbI)GG1MB^BvX5V8`x=jm^L^BbF# zu7M014TMwBSjyfdeuXMMr8|~s&s9K3$5j{IaWUYf+;p(R+1=6Iv-HaKPVe>Z?t#92 z*RKaJI79R(U;tzy%(I`L7zV~*x~hD=vclHx*YI#pe5+( z2qux;;RF6f*l%CH!Rh!R07e6^c--_1jAIr4gEj!K6Wf}?ciP@+zuo?2QS*bM=0uT= 
zDY7Lrt&FC1vwO2=vxm`i#AO}yG}IR1Ifb!bSumd61ehNLGCe?9Nhuj6eS>t!u=0^} z`eTU77BG=5xI;^_tbXu%&EkH-k}%;+7lui=%ix@VyYxy?s4Tsr6ly2S)P(0s?KCQ$ zgaOEco>e!eqTRve05BY<;E@6OZhwfAQ31ajh#u~|7wKbY@#fItX_jbU%q8HX(2XGK z+X^502r5!Jok-L=ovUTyxwWSXUd!N^HI=W+Hq>mn6)rlqv=S~F)>MKsO%>>}4u2TO z_9Y=HDpSb$jKs(xX(dKUx&lS6!NjkmQ3PqpF6nd|wE9BQU6Y21>*OwVb+GIbXWl+T z%FIB8V-PdSD|k_8L)HSJS)?pk!e1QHW%?4cov>cWkf}vUU+no%l5Q`yjn-r#qo6-B zR4nLE5;6%!1atl{LwH1}EK_zxn{Fc$Klu_^-go3{@~|{4zla&Z&Jl}<91DODSG=Jy zq{G!9nU^lRsc}13NO@eB{DC0QTuMv=$zF8Rw9Ct>QWDXo!_>*s={x`s)^0z&fNqZ? zfH<7qhd=`Y)u@VLVPgIy*ePJr&5eU%qYt87J>^C+JT3PX^dgZWex;8e0)7r>OtDU? zE=V>!hoFMs`69&`GCx>ftHoJdfik}f#lbHL%n=&H4neBTh!@5;rXLoW)|G5=+3k^- z>4S>R@q5$vWuK@MZKLtpQKtCNx{6h4*VP;9$l~oY2~{;pLJu2*?*ya0cSaIrHm1z> zKx5k>Wa?J7+=9AfE74_UedbYR^Lrh4I?&A{bH|qarY+O@y!kjIh+-jzli6gomeq-Xyo~5W4`rPt;R>$&DCID7isyOF()f*-bd) zlnkJPs-P4g$(586?o@E6f;%;(hPwi)0HB7_0Mt@ifI3PCP*3Rr8YlxmBV`0wNEHGs zqKW_(Q^f#HlnG!7RRXZoT}G9@k;V3oa;lOlhi6q#WxzUSu%VMWEoD)xwiO_%Ls`}( zFW5m=FmtRxo__ZdvVpBBZHTKa3G4s@(JU6L-zBqc1fd|gBG5Hr5fH2r3ZHC&m9K}4 z=*wSzMNpm*cvxsE(s!s#DY{do@1&QINL6Qgi4_oeK9uYdY%}jE#G;TSE}`Busryhy zI}o8t!AwO0j;;??<*!F6VU}rOeI+es!^Dqao*$;?N@7iowYAF5NhwcgkyC<7rf-bf zpQ@MqBS8?2KG)=3l2fHj-_`eUt{}24SxIQB7)=#=o7L*v6&9BN zHEKPJmziy7fmJdvs#>PiFi#`%nSLFCKSbb<5H|Jv66}g?EnqXSoI-Y0K4hnhKNjNJmd15s9$XJ( zaNWgdyS9!ewEcWCj=u=k1Gpl_^`dBdqfQ~apSR$p^z8H1O$M#V+Rq>}+kTaR%^8-6 zg)-Qia*A9b=%P?soa4nLR~6X;{EtYeD_tRJNm#xn5!&E6y()yZcUU2`oU>G8ljylH zzCR%;x!ATA_YLKWFbPokLuJnR6i79!zFS~TevZ*@sPNXvbHqTP>)w1}<7dHI1C< zGqGati4}F?hk6&i9>3elYeB2u?WTfgJWy?!4qWw6FyCvJ-F_<~^|ZZX^#rXez$fjt z0=gft$TL)sK<)^>C;A%7sY3v{D!2kqkk_e8ZqR~g0GtdB(5A$iiqmI2M<|<<KM@o!Xw84_)4osCA*f@;rd&Kvo-_yNI+!6}uf8GqBPPfq9&sqN&>rxw!$V4q&ogf*0`LeL(l$QrTl+UKN4_VupiI-dGa?b zL-o|V@t100_cGwUdZG(7)HTU<=^5f0NfKuWGP%{aY3$g{pX4;W35GYu*iSFoqo5rE zG8uo>Mj(xdyc6dN*GQ4+oTXOYl57+$@G28_*vPK2NjOP+C$BHj2$S0KX~BN92SCTp z2Ugp2)MR>3-@e})SaNxT2ii0B{~q;)JgTn~@qu&v_w&Y2757(us{2Hj&cd2BHN`PB 
zMbYe(so5O>@QyS&zlt^TmNb@crHNZ$zTc9G&3~A0WpchYl71UqLOz;D92cM{q@&*x5J+R__`Q)jQT;|<0oK_5k%*>Lg5$LMX8SCDZB@%C^5e-KKcqg%D#eJ$x9Qu7`l^jxj*xoA_HEO6pO zDh+Cr8d3pYh&;xelt!n*$gYM2{ikRd^Z>qNwSFhH9kIT|uj>u8u9ds5D}x#z17?5n z1XhvN6>c~gT|J{~+aa3O6&P$+SYt)+neUj_kFbV{nCXKWrgng-9gZ7@9}^8a%eJK> zVd-KlT@f`~3r2By;ke{6hLLHu%o-bK8V<(G4uU;hQp=WGx6O^QD_a#z)9|O~6XsdQ zJc~*WlWf=U{b{CaGTu2AEr<;!%J*j6R=uc7<9*X7HO$}~GkB62ycoZ<%nZKD4Bo^= zzXrK3nL_k*STc_;3zD;vuh88&7z>o0M|bD~WiH7D$v>dG3liLzt!daPNzE36#|V5y zi1K()N|e{W``X*DCCXZuvX;%G56T7~6NM$?lKa#r0p`FWbKqtEe!HRh{fQ4IqH4CS zf9nR*Ho8OTD$bLSF^tZ#HT8F1V`}=Cn*B`83=E@cZ~WNVICYt!f(*3^gLRXKB=~Y1 zjrlmfKrObpEw-{#^Mb>zBdVHybo2*DH`@}H0md>Aw+yg*+oN{2uJhxu`|6+AKe9il zI|SRPssr2YU3cC0+%e5|SMS!DpHzQT9n-Vj!#jke_9n^0*b%mQ&j+tD%_B_nIMcik zUp&t=JDKLoFtWy*B-_&SWy{cmmZAH-pB!X{k2Axknc++E%QQ0_WQN0umNlkjE#9*B zgtgkfw01tQc5ayy))B@!61R@*=!p8R>@n@=iGAluBuE#|0!$2?V+PJer(?c^r5C=B z%?O!0)!70ik1+CGgTxIUrG9cOnf(~UuP}sNqAgM02H$OSeeB5nhPe4)!hDc11LZ0T z4`2`(W6LU|UAM2s&cw^wVgFZhV0&-R*4TaWqshDH@12jg?T2paW3CUH66Lmdx$RM1 z%VzQB@q4B3w|~$cRkG%~O&edGX&sK60lQ?y0oKwOTiUGs;38w$`=zD#fu(orRKhaC zSVrQOktf?N?VGEKmLaBPDBe6AQAceFV*@*QC?dOUV2n+Sv2}AOVeAKH**QwSAX(T+ z!c?&{_oCJF01y|?t`KZO3hhwuY>D(gmX4y!-;_<(!{rMliC~FrwnF)Zg#;)%=T0BU zJjCig{7rY5lCWf#J~BH@g0?=dPFOOsyPZS+Q*EHTQad^Y&Zs&1eFV}P&L++17y2F& z)d)4|y}p)q`vO9NoO6YHH8ZE*Q4aZelt#Wk$*Vra82ZO&D%Q1-zuz?_E}{76u~OtPA})+Gf&&h zp<)RwAVfGJ70k#dC6e<^|dU`+yBN4j7Ae z6sn9OfN@M9SCAPXC&%T?K9D<9}mV$MiM0>Ov%W40jn`ZkHj@iC=llm$=c5Gr_oK@hRPrIB@DF; za>0|jGvv0h_??O9!Oih|b4=Uh=dv#h3FB$Tcsg!8y*S2II8JNx^pO1ermoS}WOlRY!v)iS%&4zm&OzU`}bb=|Jh#R5X z;%HyoU`=&<_FL*!Yy7_bO?$L2X1X)HDc^M8)81cMw4MSWkomhY1a^ zSI5p)IVE3{ogw^7*9hJ?0wo|g^2|ia2;Ki7Z6=)~HVygfVWpDpR~TWF$;}a)0uh|Q zb&lASiR$HX`2!YDfQoodt*}gl_ihl!g82(Z1>!g?7YkjwFjStYv8DhlE77=|X@TzV z4Ov7r)N4wAYgS$XDdA6hM-FO0XXj+t z&!ON$+c~{!C3G1Cl4l7=-q5F^{;Fob%OCLH@C8zoP1QpSGg8X(g%|jSxC>1po*L3X=#p-6(P?hn2-9OCKf=ZbH6{8z|SX}n*(Az`N z%bWW9szmW9Q#^`12EE&Losk)~+8UW+Yi*J7+eact9@XtfSv`@d$ke0ieGv^?ITTSw 
zl&r2KTJ=EJgbuZvw<}xLXV}v6^(nTZ7G`v0{m7%rUX<0eKJ~EL##YsAH+F0(KdnhL zPBV?uti{UKH^Yw1SOhyF4AezIBn|)Ee31AL`cb3wX9f~rehu+=#Pc;omh9jCcteKe zV4e^b(U#ltygFgo2oVxQE`qj@tSLawXhnI_HANUoUNk5Lq>Sv242NLTe*^bem^?Km zqd@$D5Lk>We(J6)A3NLBG#U`ULCr9bT(Nj!GV?x)&=$h6g ztVS0x-L7E@o55&{YxW>Av#~}~+Kbd3H@0WUZhh)eWd};P>_%@pN*SUv9;l0+VSiNS z#@2ol>XHg=jWziTP#a0Nf(}h@cZ45kEf-S=T_B<`1yGpMUo6~&@%j%a(J0E3V~r;j zZMT%qdU=3SU`kXbDG}|5c->ZncLr7$MIi;lyLXE51@s#2c2PI1?&}^OPci$LY#GM7(>xIq`1%R*5$x7qyh`+ES5aT;|!ugHW}H<EEIm%TU}f1Z<}3WRr%> zg_v#gM54HdDeeJAE3DnF>q{CkV71isXVTUEi0L|bru&8(BOPRhP9%Se8bicrz*PK& z4w$OTT4~*y78Hj`l&6P0b*NO7XIRsQHI!TwXr>jto0P3Mj976L@`{5~_}$m$DL<#> zjp#Wqh3-(a#X>UT18Wo*c%Q=%Xe6fdGr z{u)QXOW}JhDoBU8=qNu{JOMws3O|J6xFXQ*$Qi{nyKhq*Rw;T zpY3Iaj>XGPzXPf;w#L--CCd7lvi>-HPo7@aZkJa@FTAI|qh8l#Ysbfg8EHrJ4pF8X ziYf609gS9PzRJ{gZH*;r2ky5eY9|vFQ%uEFM8WnAe&l5OW|+RY__2AWZ{f?n(+~Pi zC;A*rpF?m&-=8pcv(D~5w?Qz>+L=&A(7@Ok8CbqDAhtR_SE%<^4Shm^oe$~fi_p3g8^)vc2 zni)Kj=$c`=W)ihCiHcdKV)ko})!OiZfwA^8)}i|V4n=gr17JFC>fUba-s-<=zh{r{ z8II_p96sNW{9;yugnsgMv=Hbl^^0gC(9Cii zK>x3CSghcH56fABh7n45&^F>SO(y-OF|17ml+#~<>{r7M{Ms!ey|T;r(*Ydx;`3@; zNx$bxA9(S)VPU9!CRo2JBnYRyWy}h%*Cxa33q<-y0eVWg5k+q{-!kR|BCEqV5P4(s zxicO88Z+JVjc1x~4o}f&1y+l|>yi1OceiurnH_E%AvbDa&9%ujUrVmJMyQqHsm3)W z)a-{+6>L2q>ja*SM zIvNNLMn{%qG8DaFjSQ2N;0=VgBpaFq6lae6z%l0%KG+|58u=4+l z>_0>^uM=^@LH--eaMjh=Gc%+lIsE3=s3-PKb!hkv32byhK~&CtlW3IzlG`0 zfB)^Qs78``RigJC|NXq|sm@p?ss+Y z?SfU_v&erxQ~s;Tt%199_vX@Bcxt~y!eg~-_oepumuSpFS<79I5Bg!3nyHa|of>#M zdFC%dkS2v7^jge2WD-SVViXC@ev$E>g*su`Es0PnKF@(fk=b#gungnqr^$FZIzga! 
zcQ_UPDLt4oH+obl`I3wWe*K%Q+aOvubk51Y#?w0|5yE)r z#>W$%)_=P6S>sQyd~)UIJ)d8XpFZ=&A0%d8W@cVa9C$e~be0)98^7d__XZNZ0j4*Q z+X+w36)X4$1QAzeEuO$9Qbr@E5bqPg{*Ej^{r^A!z2rlqpF*Mk90Bw`58Z(fqu_t< zlXu^D5-G>Y&v6+a4o$ZcyLeFwclYoAZ$jwW=VZW!L0+Zm1GMLo2mKlh|8|cSBRUnS z^0!3la9{^j)}VKGl50mlMQm3{gB-8muN$6s4qQ|b zwJ}8v>q@q?Y+b|RAKbz^^)FgByYHLgbq5l42bj78kdrVRWDEz_Ww~CGBc$3U@(3`d z?)3?_s_sXQA2{ASd*|%BowYXa5Tm4Sl6=fxB3jncvT0^4eGzpkwRMrPjKHnAc~irf zd$&$8=8=esEw;qSw-4+PBZZSBTV~yq$IJHa5SkJvxz)m7S#!;ugN(V0G4F$|f5jQ{ z{^BQ2W@LdGaWErS_^fy!$OLYFMG(v6qy%4%@|SanF3(FY@pqT`%Zh|=^=lwi$r`G0 zQ!*)ijP9nSU-1{nJR+Tu{sX$3k@EGoTPLD3Y}29WRCMYgR>r_09j6l=r8w0&vmd0^>Ds@BD`0296E7=V`ZjOBdXavl7J4Xm%GqK~yU z#yoLrXTsX~a8D0LD%0!Qh9GzQh_g9)wn|_VdR^(tx&vmn7>Kleh@DTsv*O3Yk(P> z_o5exx>76gj}Nh?{d^yQ#GXZF&tg;_^(4w$;G4#mPJ}OQ$t0Ov^%Lj;kIdE4>+g-+ z8QC0tfO=O|KzZvyH2N7d`W>09YLeWMWJ~%qyve_0H7>z;yh+-VMUOH33d5K@=1E|} zd9ovsK!4k?(i*mPBBqQf-&a0)^5n4@4RfcOFq%;i*GnYZbx`1`>`oZlpL|UpVGy}F zz9=o5?T~!Yp_v_#=Rbk`J1P2^i|0noN+Klvi**9_iX?hTJ;$>r3(N2iApAT0V>|+n zq3{Hfo`W)h=Po38Wd-)PFHzz!0r~DHlF0C&6bP;SwFOde5!eWO;5b;>3OIHKkOm7srLVW_O3prjcdz~jlmcU z9%2Il10KSMZ9Z(kgpUvigb+dsgapziX%Ye%LQII04o;fzO!_KSdJrKkeMTkpNU7HWt!xk(PCYx-bgVO-1`^XJZrT&(2q9m%L3n zD#7PPZ4%qEc!|x%bC!wad9^vaq*#2yl0Mqm%)_j>ZZPrIikRjrVy5{X#b>Gor8iNj zi8fmj)BH;mvFQ`f2qN&QA_Cx!`FIhZI}sm04SYQCwU`U!O_#)LJ)b`_ivRbj0*u4Y zI97WF<{)AYMiYq0pm0#aou(o}&sk%41n!uL=nYS>OoUu!Hk)jw$8L`~r-7XpWu?Ho zb4RGHgBOB6OB5&pL3XyHZ%e_NfGvYkwy4_85U4~(Y!qg|;Sd)PYP(K#9|Iiqky9u7 zhq>>eAUIizG3z1S=)|3g%V6OzW){Vy1Tgha5D++3f`kjJA@@m?s{eriwBf87iTM2x zEh6E@aK}TsxI1JIzyXk|h={9+;XT3>y%Z<^%#@5sz72ez41AI}fcx_s1k+n5Ur53c10M}-+Ad`Ld z(0V;`^sG-J$KcaD$Z^JRI)l5exFzT~_{WYvbO?@a{87!-Lh_^h7(q2rA zCB_i<3FSvo`BA?7XwYn5&Ew6@JR`fp8eC#nOO+j0EUP!_dV}`*jpnX(^EZct<~LFE zn?YLx9<+VsxaNK3%V~Jfn0?-+RqVx0ubS;2GH3i2?1*t0hTk`t7uVYmUy4!er zzo7FIlIVi68Ic!vmnS7j$r7WZnZ2Hr#3n>>C}5e9Qgc0N ziN%5OuT2Hz`gcstmf-K_FQWysDc6C$+X*#E*rOe_B+f9bfz84!B_&1eif>6K#cF3W zFte~3_&K6u{e4+^M|n+*)62#xBMwJQOq1@ytez{C&B0XdnbWxb 
z(UXDu^zZM}9%bSdF3|J3d3s)fH*6|a|6a0ZGKSDcCtnX(!-{g-DgtYjf}4}BNtmKr zpjfe!ks>RdVzIzoA!)l())UHjK_<-EBwH6*N=!!`Vc)fLS)MF5S7OJ#_0*eoUzbPQ zPA%3i-dw=NCm=- z?P8S1?ckeo#x)Tu{}C{P3`ImKxjo|LbuY2Mn)>C``_m7mqc=r#u{6Hb&f#92N3W~Si=GjZqg!~~m6qzY&CAE+Xo{n}1DdqIg`T^i|W2;BLs6cEs) z!WT|CNx6y^QeSKZv>=_X5{86TtSIrY_JiM^kcQxeop4Rx#pAk2#ue{eW~`}XtT}jF z$4MltX`*0;obm(hp;Y3>LzEtn&7J5NDlVZN6kcOMpjln9% zXZBC*LRA~8YFnG-tNOxfi2BboYEW@r!H+um0jGFtRTFG#U%Q5yj`MY%RpqLZ9~wbJ zqiE;~8k*v--9$rg@!ZeQkSCm?umA*<7{*shrXcRQG;xxMmP14YAKe&Qb47X1e?vg< z+Q=p>N8XtPxs8s8+~*96Ezu7d0ocfan2eoy+v&b4ihf{S2^l6plmw`@;?pqd0-q{0 zH|Cs~7=_t+6C^S-AKHuNzW0Ia;x`UnHFa=5R#tbLo;??i0am1Ehsn=4I34&&e7g zBDVo_n;{S2iNX5g_Jel>of+xO^Qs`7zpO?yGoKo>uL@>nFIDlGMPW**DGO@z0@`A~ zws@IEC9Q(?0MZ`dwFhFiFAIRGu#ea7+axQF@9k9&vLC_UgxnsK+cTf>ZQed_v#$k} zHLkLcZ=j}r)HKYGP4F{!@OG?6*#|qY9_5Jm-<#rp({LI*tGuTqhvj|ZnfYlrGtYk= z&e3uB9SP?%gSq)YGriPx{{WZ^*9LV`%UoSO91L4lNB(&359fY={_*+sH~ssE$h{z4 z7@$l2bg8#opv{Oj^R)T*P`qM71$I>60IT9!5-g<#^?QHS_RF^S z+aI(C^j1IKg_nO;^-0yoHIHfpeKXPn!h25bTKD>`r=#D@@WXF>b@%JLPp9}d&wu55 zI*NKP@CPrDBtb(-z);~gRCp%@Lk%+2@P?Z2!C1LAoJM8qMLJSmk&c9wZ0ZW|CRwO^XtNk^H+4Cu6=Jy56EqYD4CQ`9d2pXOtc+hol7*Ws2cPIr z%OGkw#SfoBEoZ~2aQiul{7y`mnpT+?rf~3_O3Tgv4uUWVvZ=jBZxx?kBg#*L=4xaH zT)6_E3c}^ypsDhsxnIwH_|D2Zt5v+|Any5M>n3B_sBT<6`^C(9>)+mca_{MwaOecu zKg6HBfc9S$sz*`vC?tepAp8rpSK)08mYIEN4-c+3`^yf%E*@8CssFre)%kndW7~R; z&~O-8y4U-W^UX~)pePix)ZZ2J}RE;^vlx+vqPWfF{6}fL=Q!sU@bE#5MYGGoiQq1=xxN*DX=t|9*VWk^^`hD23)3{r=GWUCHqpx> z{%fdnkYqLo=6VvrU1+!7or8eik+t=UI2E;Ka3C8HRWD+|t}3VN%8ig==GM)dH#j%g zlzwe7#mlTPWwt31|6~M1Bs=<(Xqw>Hf3)}n2AWyqGAaEHm@F3E5I&gZ_#`fUf}1mBaTE$5uhSvX$phIr4f+5 z7F0YCrnFgwBv{f!z%snfRmH<;zrG<%W#$wDlxofc4{tu|&p#TbG`U@hV5J!Zw&ly} z4U2kk)Frm94+6HINe)E>@E1No{LBr?Q^dOvwc$FDhYDz%E3;<2OUa2R8SQ#lEWjtQvVu45ErbY?`5PAOhNXwU=YsOF`hbdVZ+l80E zNmj<33dcmt@upJ=J|0yv|Aq>vH`xl~z9s?2CwNfa9nV?F>d2cok)p|dx&6mtOASn)%0cv7YF z5Z4LF0qKd&Hsq@WH|0s&QM%VcE>vm8FJ)E7VQEU$~@io8ok34mgB&W%Q=lzV?Ht-DFmHo0u5(%qUk9RW~`&E;sh z(!1LL6x$@NN|<{afTFZ@2e-BEMNhCYB2D{&Pw6hlv1wOx`sB6|?1*pUl9EuAq?K&C 
zH10O2ZAsHgOn2XPxVvIyPnAY%ls*Yb@+N;i;z2Q7N>($cVKd^WIxZ_&qImXhd$Jfj zdiJ>tfST9=-5EQj5LAD_(d3+Fv5wWoQQ0G-MWSx_Zp#koNRt1DQ|HleZPL=b`=|sT zHiJ!x^Hav`AeVMqu2g8BShK8^Wzm*t+?|s9Q4>ko-RS#bR!vclvf^aEndFK5>s>sN z_jdo*yfBL2nVDXR5oYYO)Avc-inzP=p=Vd?!==R!ca`t)wsmDNmR?*}W@uUbP<%Z1 z-fp?03(j4PF+kc%#zWe=1gK-X8-sye_2pIQOZc;9kAa}3>xz4VVc8tFd9fas})SgC<68*xG^iiNhkjgGn4X!I?YJkl2RDGI(q z<71&>uyu10X)EKr!i+InC@!R4VhG0!o*2RPj)Cpq?FkN(3Pi+OVIyT9K5?SIr)!X8 zn_;dy?~qhPk1={IMx3DHipKAf$XNR#;$x5;4~h~l(EOaO?Gew{z|f0OE^3Ru5RF$& z@XE)g$%$krWz2PVR%xpWrCtHMDyss2nI4;*u~u<^2{o33JWdns7h*@n0rG4p#XUC3 z!NDm9qs@H`rRkk6Jb)2w_K4q04h{}DFc0Sdd@iH`7fT#5*os5oQ9EZ?=cLmu>XiPD zlAc70@<`ZEb1=7)WB3-5ISj=qxrtC(L^huSVC`y<>H>PZ`t)F5_lYAtp^U!X!4s!? zy1RyZh@g-IOK1-GQewqs)rv5`Di{K;3=$B_vaBmk4iM$VQ()2Mmv{h5+)`~FenthC zq8%YUb88$Ah0`?|5t@e5t~*&4)1&1kCMWJh?h=!UZNNUH&u1&PBgZF@!~QRvls2c6 zlhSl*ukrm`4{m`g@{NL`4|7*?@z?ClOxGk~&Bm0<_gnTYcu$ z0|MQF=nkG-kf-GXw?ESurY$^8?_?xj&#a`L!l*7Gm}b+9m|foSPtGFrY26o@%xWb;w1zT2UFPk5ctW5X5#7ksjgcBE{B(tP5>++}bPJ+e zcyd7vV*ai2NmrcOD&LobjMd1vfBwi~Kb%Hi@YSQ@T2u@-2IuiV(tpni?EWnKbLs?S z+gr4f?Y)im+UEN}YFXk_1Lo54V6hp_t~;JX00-DbUR4x7s1-3iyuRl-m6_8KEUk#* zC-B%sak&Cn9U^z8tWIk&Db^C{hRt|ykZ-;L-VDIwVy99eTvUihP8>W5U z{U6S*%ziq&TKMtkqftKy?ox_70JKOO@hnv!Fl~rwB|!q>MZ ztFPj7lVIvXrmldg*Kg_-Onu1I_su!}%=j~QMi_9T0e4_v);};S40zCh$8YlNrZW8H zPvHXGJEWh&g=9RQ71a2%YMxVve(KpDy=Sd{zzVnHp0%F&k(^JE)kK8ou8JEm7$sF! 
z0|}Ch5^h^g1K7;=i-K_PS;1gO20Kr#O&l>8FjV>tmEOC8p&l9Pd2)p{Tjho`#E01A z&$2wH%H$Mm5=75IURMRKtt)-*NB7p8$bO9c+9<1d*!tVO z%R(88%2=Le@U>Z10in*YtXj$Db(OGiTvYfPA9bu%pz2QXCt#Sle5X+fm|^BzREXiy z(V(H+r}~t8boYzG^`qaM5L(Zp*7Jh>0R7OuT5Rva`}pl*I8fyt|@#Y zk1nqDqS_#Bdqe)=}*eB;^KtHORK+V2#qr%?5jP(CHlQ-n|x zWU~5HkFq0f=k~9c3zlAF=_L_Fo#|p=Xxu+E&R?G5r*8^FZ=s>LNF=FApe?wdZ;iz( z2l&dSFUFrtebexDyU=llH=Y%YXOZ#jd_Ni4bQpp37mTbLk8I-SPnCOs1n~Ts1IAjv zvG&ucwcIatf^7)dh6LkDWW>o*3J$>AsXtIu<1ec5osGKd!`CK`7z`BI{6#k3U7@HI z6}9r@!czm6uBCDdl1!bPEyBZl#HnNSXO)BMO9Sq;^w0bKmQM2Pg^SNlruEbEf3Etc zD*p6E{*sfwc1t*Z8y&yB+X=736cMt*XALrK3U0&ec*+T z`x}Zte#hY{#5||MSyV_jDk_K)XA@5MUD2DYTH=Nd9M6Zc2|qdNz9A+L(J_asB2Y&t z@Bga1nwU0@D7<654q(F?2qX{^6MmwQf(bPIrw$IJQCgaxhLRsp9f}PYh>g~UBtTSB zMJAJnaVwWrsUlSzcioM=+Q<@@9(r@6sH%GEyxIT7&`9l}6_d~7 zo$+RNcJ{q}GjHCflAl^?GS-^b@b~03cfM@%YbCS@mcC+7D0q+5_tUqoekAPaT=NQh zPI0-r(@Z&6ap=iup6M1C2tkO4chzCe)6BUl)B9UjBmDjoK-`eKPxLgwj^IiH%V$KU zB*oMunHsLPYwZlr^a~77lNMBpyY?jFiMUq2(wC}jPu8}t6|NWZwHJii3mleFOjuyT z#`>8YoX6sHd3N*88L-63=>1w5y^Bb(!)U@SBJz1#Wpyw(}2Ocw3)<0RG?=O9pwf^4VhY4?l&n`+1t5z-ut%AwCKo^3I~fATf4O z-fnE`B#xw=h0Akyy6<+Uocof_eY~?ua8`j4Rr%=r3}V(8)Pcce#Hb|niKZ8e zS;;?NXF%Pwn|`Z_a`syzGl}IlW~VR9rnE&mh^(=gEt`U}?%0N2uqXyPXd`DbhT6BP zF2|zd7FJHUZVstyh_0-w)@(gY90Bz!*QcYi68|mkFh+8W?>Cgt<`!ALSsZm1?Q&bj z?B}VVsqX_?pBk4mjgk2_Eqc{wuSduh^()iPYdpGX(aRW{FYB+Zi(d7P(^8(o)^w^* z%AaAQ@#tuD`pgXRZ=3h(VUuE^NU%z&+5kJUBl5f!nGlS|tAKHkOsUnELA+-WL;+<7 zx2*SxuiVF!>U+mTLf18>s6aT#-h!eYfa3tLI3N|rLh)WTH1zQs;MvFaLMc$cv!6hf z3VB{FfJIm&b~PLaH$Ihrig@V1MQt%b21^bqb(KqP2<*X-n@Y&5^7RHvuIb>&jCyX# zt(ItewOu2zNV9s)S!he_(1r7*n}jYL{uCtb+lWx)Rv$=JwkHx-|bZSv1Iu%zT7XA`+-82xK-D}%l8yYdk)>d`QT>4m2PNV zo#Y$*LW4iyx;MnT>(hCHhw?_?-=D&l`fLYwhUzF7Exyyk|)83?*DDt53@9PrCh28=jv%|9s#w zH#E)W)2@DTrteNIM!`j@fU=v=Hk zG2}Ywb3iJoV}+e=#cz-*xa@R0

o2q{}mu85$5>fICzL$3ZAC!vJzXRs(k#y(>d$ zaQFyaoS`(BMx~I|z`GZ68u+Rpr$HZTfvg4-XaYgrfCD-2Ai6n28StX5n;ym2Y`}SR z5PqS-0GdKHw$}`JImbztLPsf3K{<*uHWz%w@G=K~y*(@+s4S+B<1=rE^6i3~RDXp9 zk2v;6B2plC5^^AiCHKq?5CUG1B3O2Y=VUixvKxsQIv^FKLM>>h7nth^E1%@n56W>P z3Eh`epdTIy1_|4eRHPqM2wMojj8v>2mxHtQMM#u?1!PNN(NaX00nPYlF(Kj$SQ)AKN}BE$8dWib21k#d3p5^O)wf|LtcHGl)Q2Q z+L^6Z<+S7?m1MTSn1NP`gytZ0ge0OKVVSZ}=@6%H5_u2e^pVhfl1ph$xGy{!Cq%bW zu6!sMk@*m`D1cJ2sujJlk(dmGLs6>K3dW-BRcu^_*q9eT@{!;O8)U(Qg>9Edg<6jt z8*ORpY-2kpvW`Ul!|CX_tdDf{bkxveFrH)`MvUYFb@|E*yCaDnG@t)SYjd-#M*XTT zHB^B953zAsiPA{5AKoQ53%o2c{rWRr^dzLUt>VC)bb~O(FsdLWFC{ zD83?8cTnCp^Lewm>=YrnoHz1uI&7tiGr62mD%5AQMJpp%C=#qsr=^NJIh`lna^+{U z>+i%gf4^4yg@}FR>~zQywD*4K2U5Uo9XfxJ4=zXDS8ZgoZhJiOG;hl#;honLC3_|^ zlGeiDU-!h;=#Q;R8#I8wna;0V8VtJ4%_!sA!Pn+yZ44GZ4^>*Z)^3<7DRQ zY-DU}_P=RbRCC+dZl1Um=cdxFCzAEyXT=_JI(XVYq2~8*)rxgRK{&TsbRE#^x;xqTQtN}8VIH3F`nYyy)o)$7i>A9H64@IX`{+`SfR zf_3Wo%6%i?$3sjCM!F(j>(vX^6uI#Ap6+D{-fI`tZOtR5Phdab3WV+vV}!T;rf>^< zo7Uf|eA6#=%!T6cRZtfYeP*msV}i~|QQ?I(<48l%jL<{aWYw^hGDVF(;mnZN_opu# zZn%07!6k9BVRN2;*EFTa;BsTG44G|U&XI+Us&IaC5|+KIo{rQedT_E$b@+ICefsV*Y z6VsgSP%B@RD+Ldbo2+QQYfR=G3(eWMNm5C`oH@Z7SN*dK^sI6dj8qO4&3;3kQkiT%EjcT0_7l&Ootlwp9Lyy@>tHKpqwaH^^7s!gLGO z&C-qDSH22Zuu0fBzyx~+J0~kEXEA$>AKf!0H#fqH$B;)}?w_c!k{A8Q z1Mh~fmy?@0IX8AzZjR?$-yQE4A=nRYz%K|8#kmjFkh$jGG{aQYL}X+Uiln0^iG1M0 z8WyvC8*=p_s^#~zU@Q;zrjF>=$Qp1bHe^5bDD>P=JCM3bfpgHDS_7Mz@ac#z!C95L zubFR4dmY3_x6auG7NNrn3!Ut?jwx^dTY>sNFd&Ewb#f>>V$zd)h|(CVVC_GPU@hdO z*oG`Bh=Dt`@26|g!7r_p*b#rhuxm^AA{3__>Q%iGP+&QizAEE+b0jAm^v~)Ybr#}5 zBRZ24(oDVWN6zY$w;Y%psf-V955FAtcm}qPys(lOFC>(GaAVe$fTFoWAN6yPCh6L zmnK33o5QjAbAhz>H^NQ9DbI^KO>m3Qw+s%dg0bRK`$_>Bn}Xe;JS$-^FI*@ZlO-J7 z?ex=6U{C1QbkM8o2CGSWl#+Nef#SlLltsaalz?xwq@$2!Fk@#XF=b#VOmtSFWs*nJ zk5_;h!`ZNo%0p9G9xJa0Pgv}9YCV*&rc6sZWkTYyUNnZ2lb2~$5dM>vpQ`^A4mB_w zq5E@*I+i5-8Av^1BGGPpo_jHrr*9073QPV^Utd0=THcNe=uFDV%165YLpkzru3_K^ zjM|YNSj0d$8fL7Fkj+ZTQdRuoF@}()+4lUy_d&(!L`4}kkT~lkjVl$hfd-4k(v9dm 
z35oByhqIZsRNb&ER2}7D&N$OVQwgUqEG!g}ltFiAOpkzopZ8(?51xmLmkDt2F$Y#L|;+E93ah!M&{61kCEE_Du= z5cUyZc%TSG|q1@#@K7?M#fG4!V=g-brPAmWVyA{*Wr@6EoYMardsfeTKZ% zSv+4b8#><{aS%?B8t`R!%C2b1Q@9Lsyo}qN{?@?nu+R?wDLy5Awp* z4Yv_-9mgu^b`R=j&309-c1_1Bc=}I&8P}3r5X_56yPnbo9GOGX#$XKbrsUJVOR+}Z zP~L2a4_wVaz*X&8g4%%>i6^N~?W)ctn6p8YR`!_~Yci}g%f^AQNNp7H7OTAG^I=_) z1X5MZ(jP?1)Kk_iNcMMBz@nMrF-BeH3WFZYrF{!{9x&?8Wbz>6FZM+!K_OJVaN`Sq zk;d~+FSVCCZ$5j%mUsSibpFW_tpVJMtJH0N+1~ZR~V4O09v2;Ldn2 zoeX4Yxmq%>^0v&cJX@d&TzIBg^i|t(VPL+I#uthrTB#1_cyqgQY94%b{A9cpRL*w zq>!3zn6_)&+R-oQ?PtCqHF?-?HpNR2DB_t|&0;(S=4W?YOQ(#Vv$zkfx-_5DOjtS< z!@wzv!pDAaDZa33DIt?4RvfH?_RQxpEfDqH5EhV2K4dK$iP|{>b(hdzAP_OA*3YRO z;8A7`>Ied{K|r&>XE@U0_N?LrUW4N^=2`^o_p@!8*QH|k3=j4!9&wqh59wyviQgDH z$A41pu`t)-6SL5y7!4&Ne}`_cXMCyX^!@AQZCL0N8~$rTjjOsu`Z>D2kn#!O$643t z@F>U=#*LQ#ciu&Xd$(4R!Z4^kFj;p?WJ9@I+e3AtHqu5)1c*8l!Ipx*fq^NL*x{f$ zLe#*#nl(wSh4iaWSo(MYOsKzhiuvs>b3Qx{A#O-i-0AcSxXo3>G(;}LS z1#&76VHEcP7L-C#5nDWS5?);A+r*W`cSgP!jG%+^45}d{&;=+3dJkCgkp%XhPWXJ< zxA^X69`Y&h`xwp?e7K+Tbmd>nxL>Pvi96|Seb1|OWWY{Rmc=^FDP@&?s9t2?k!=zF zWqL)ai-x^u2g2u}@W%j29gb|XtwV8zCoL-VtFB^I?itW)0sTW|rUW1{b3zt$Xj#mOO= zilea@ol32NQISBWQ(9RV(-5TPkpG|GoQCwU*(qt;9J?HDNN3XXl2gkdAgjvOezq*% zF>Ss*H?Xuadh{EOHJ3TFvMj%XzUZD8Tuu&K?)lK_NF22(IIJx?>{a6K4qbZKa|k)2 z@6RpezRgqeLk@|4RBlUw|A*@*`U1D`ME7L&jTgSszL7P}xS3vScG|Zi&&P}7fCe|@ zC_s;bGpJv7C4}||E2X9Y0tP#WNxIFZj(CgQl3t&|@dtEMufHw?AsbR?pJd5bkpUtx z#Qx7ga3|!&xH@L!xVlIKOr&8I@_WU&4=uMuK{WXVCm+wNu#3Il6|r(~HGHO9zD+`W zDT*P5hGym7&|I>E|HbN+12o!cc%atG6&_8vMR=jkz%1A&GMam29gzbLFsnaj9MFSM zW*9m%ue54IrV4Lf!co0QUs__Kcqyxfk#6yRvZGvBIW7d`;tyH_gLpTH>Vlf>`s2^Z zB_w~cfcE!dL>xKV-?tO05rL28+TEAaSlVrV=TF(2tHc8Zy_ln(Ufuj#jYk6rz)0_# zp4o45=U-{;@Jdi6G9^Nl0jC8u-=^=)FXax5w4yu2cjQ;tqWg~8()y^7qoKN zt!$mxiuyxA=%rl$-N9IxJ>JLhTVC8Qi2%RXVfg~H4^3%v^w0JY{;EOWT^43?>S^+v zvmnxXvk3-0iQ@0ix$bH30?;O3gSa0)oE~4pvNzFGT#p1{0K@jM7a18HEKn3CyRs}Y zdLtDQX!up*n+ubF?E6?a_+++!F<2Hq)?fFpoQPL)r=41gx2`^_>9y|KAiYcxZoo%3 z@^_>48^_}Zz>9(D4hwFGM@kLOp#=WlpLXo5mf5|&1sOOgD7NikKVc``#`D|iIb2$l 
zpPgI@;)}AEjJ5lE9gQ&@z1^pN*b&uC8RHRjw0@}xvQ!1j*yQ^3m0ghnlpe}bPwlby zW~3-OIrOb{cMwL#(6C&ZSnr zmTUhF_ExDi+|k=B^|+a;v4aaHoYlv$QGS<-8AzuY$X@;@RNbv7vekE#@aVe?CYX1T5(QJZ@0t|`QV^x^Bet}0lDrW7kdtwLMoYCRXep3; z)8-9Paed=`lH_3kezP_eu_Nn0@-!4-=>s-_S_-jLAxUU?6tcoAH^rjIv9{E!oomv? zz%S?F^E{|1!A_sLcy3m)1#Ce(s1uPI>+(~f@?ZV(UvpXfbX7?CBgmJ-!3kp{dl}-F z@k2|G5HKZM!EDCnEM3<(s3Aba!^@ZuZA;wwMswC>{2cgCjwBKDSvSvFIGp!QY&;MR zZeNgT$DOo|VRudYXcL*Y1@xQH(OCUBZlE5Lr^p@k>D{E~k09|EbkGAQ1Yf$!AZuA8 znPT#HDw9kTXpB=mGl5B6JifnRe1j0<8BkM}-Rd=++BnUDDjUM%sCO~6A}pTvvOgsz zOHgT{CH;3y!O8G2ryp$>9w6n@`g;Zjj zPx}5g_|gW!z8;@P;6Sm~9x15h@I6(&1)S^~2ZCvw!`VK-FrXw^*gh~D+_%o8>^g*>oYSMej(7p&zkGwCSQx=0u-<;-NzRK#wRohYo zgQo6f%H@7{Tfl9AB51MxzcLOIU=wVWJ$VzpIR*$Oke;SR+n`U@#8F}~;_Gj6jDy>% zvH7e4(@cZhae{66aJo(wP6Q+P_Mix%q=7nQ_vELK8#&`7q78#)EhG8aEx_&HIeyPN z--p>`ZuEaS-xXf!iW`g8-d;4^vB*QU%yhv~a>ATr7q2AMz2ey)Dt!E2`28>XkQ_&Vk+%Zy`qw}@)@SiM@iX$l<0QlCL4ngt^}cCpXf#xM?Ov?YIy4fOcyUv_oM|*5NbH*KN#bZE*A4b8&EH(#UYy|D{0zI}G z4C%A(5)Q;Z_fNk^gvx&N4H9(kP8L0^hGhLBRyu#VX8~F_*|gF)hi#WGJpdq^6n6qp zI&Q$fcV|-SaQ=234zT(HGSy2_FI+%yR^xELHIn5v`!Q$ zV1AzF?7~pE3qxa%ge738%%Kp8s6F;>droiFzKoU$XWxf#>F`&{d~NK*{1y=eq+bJJ z>RBq>$Wt)H?TnCiJ(a_35`4!dXyun!v@+Zp+-l|w?SCv}v&zN$m zzAQYA$Oh6pwOeIMQCQ*hWuYf9UsOcEitZE8{t$owP{5nw;visI3B=u=>T*pMl{6-+s4$kFpcv68J|<6n7cBj6PL`-)d`O2 z)jA@-(gohh5;H0%`nqpjs}L(jn0Q)n9-l8?d#ZNddv0;oB*1c*E$861o<%*A(#EG; zsWo_O&_qrNFpf}E1X+8kxha!iS|W?(5Ki%6l$6J3;8QMwwjD7xAN!B58DpO^s=d&`+filfS7HnT`ld#^T>r*K*-S*;J7N$z1> zI)5738e7GEI>v@)iFc045dp6?My58C1ueqOlD0AY1H&uGrUHZJzjrkdMIoZ^ONqlD z?=fOXDOBer^~ubYf0l-2GD2xO&AgW5!!_>&`y%zjdmC9Zke?LmO7~73GSR;yjYis) z(RO#MJ5RkR%`s~V-%UTHFlfkdnpG@qK13fW3ssh`ZM0gv)ua}lw&>`=#SEkai_Cl* z)#<;P-|0_sD0_r4E!&!b(ic-fc3Vr&K;P3Otk|d8izO1|dyc4+Hd_|OVmh{>)qJ~A z;`|llgCzQa_=1^EYzg=4>DNihI!KjrI<(Ou0ZGl`sdw#q%9a}4#ygUec4-rMrs=yi z{|;WdZx^fJ8InutIw)gy-T4v3Iu7e?!!v8=tGLNU)$@wg2EVSEXFm#1!tC#|n7xNJsH}pMyuLMdb zfJAG1y%iQ7nByhB!jQi@Q@K23;LB2>WnqQdWXX{cnTHLg# zCCHwSPYv07UvTNIm(TK^{x@kG%-5uw#O5F*{YI`gM)qZB`K%9Ai|$^GKq 
zstjQDT;_V+p&2U~@5I%J>m+6a0d1OrWcQn^g1d#3PPo)aD@aL7?Xm^g;sGQfM&Un>p-W)gG@=TmcHkw0)txP3NMd`Gg;Ie!U@b$g z+;w;>G`JvYL1nqDjL_OR zV5EX?$R_CoMM~%1-kryYCTh zuo^;}v0o(;fyJDiTlL^{-xpnIfgy8rKA?R-_y|nldmRIG5ap*2bR$&6g3A`0;qBSS zSNeG_?d9&!)yfCssND)9b9IKkRzfkCi1Zp+ida&Y?+1v{cw3RPrNAxLI-0IZ-Zau@ ziy&Q(92GreVd7M{**PBr3ttui$feAF4zU5t4PDNNUMpj(V}0w@l{1PTjojFGZ1Ary z`I+*npw<*A-`!0wx#(P*9NF7c7Ox*&*-eOCpPCkgx8-{H|I!^WkbclqboAWiizZj# zmNiZvj7anfbV;yh)7lgu)oT6#uBI0QsO7f6ziB(Uetk8gbT$drkMncF zb|n>T@uQ0*e| zJYrnp9{7|c+_GNse8b;9?+PRpxU?I^g$eKlL&O#Zs0@C#*~9+4@RfT)NplGcFhMK4 zH;GUwgg@emRkcuTP!*H#E_7TQ=L92ka`+kbiiWzA_^Ojr?Ip2|}Q_gRQ)StxI5kHT0hk zi{zKmzIiUea0S*S{y8#va|}*6J8E z{g_~WV#lMHfyPZR`N0O_h%*8HNe?Y%9ApV8+X+rC4zW4o4N0z7!wK#P4YBG+mU?Ae z5@kr!q-R&9;{C8d21=Ejbb=eD0W?LGTZ6Gb&-Jm5tCSs@_*xOf7KlXN{w=}T|q703EQ9j#PZ3=v-~8Y_i~#fCc$KXBYp=ZroXp?=r7W0e?Zkf4D3pP z?QOVLYJSrmgccoQZXT`i{ocDvJ=OqUTUBB8aiR5pk&u2jv<0k}eU)Sn?=V*ml*;a- zq{Dv;BSY(*>#_R2Iz6ZP*GoUIYfC4@4;Q6z5d`d5WxePWdc2@MEulW8+R>%GHq?EZ zXWp8}T$U_+IssEkWf3jw4(YBqu`Al^+I+#dmQY<%?d##r4g7y*M_R8(jA}O>s&|L4 zOPJu^qp;@COx1zEpnxnZp}&6q7Cvx&cs|(g%bN2KjvFWyLTOK|uYy_-`ge?jG|2!@ zAueDTgf4^%=lsf|8@GVgyjpw9BHi>r4Cx_lFnkZl*wSOmUH-Veiq$vd8MNcX1XOel zzVIDDOs?nXx{TG1oz#(=c)D#eyMLqeK0O9fYM1PZwC^)d)E;C>sQEZQkTbOxQmfEC zklW}9XTZRBvW4syd`+21q)c(zG2J&_SQqwg?ctEMS}C{E&Tzyh)_P0Fe3f#GOMIM0-z$qr5P-KVNpvBkbF}oHVCHkK-(3}%uF4yjR=6=bb$Us`=DeIz%W^c11IZVq7U^{$&)O0aTvX ziz+d2WF%k|RS#B97*2UJ`5z(%HbT_biXPVK~`HmFWvtuhB_lXI?uX}HBV z;iJj1^Ab`J&HTsjglm&4O-)!hE3vub-{%YL9sxF4Z2 z`_-)I*Y8^4@^%##GuUf)TL!zbdmp7H_$s1pE&|-;z$>(n`_$zUVu>k|JGKdb%yC%G z3+gN?>nZv!ebM*N(ZQyB;fv7{|3IsP=@ZhUj|ImDSF9U>i95j*7V*g?N#!L_PcMTB zNlOM*cA+zzt9)Zl5;klEP3gx=;SSP;Z`QRhj|o|at?Dn-cRRU?u(GXE2_>1Mo3%UP z1$TI-`C4s;EOrEqMoATsBZ9R8(lephH*%{$Vg;$APQ{I1^C!{<-_%X+jA{ZW#WIh- zS8RT+RjUQJirj&&ss_UbTY#HfLsuy?8)>b&nm&F+RT+pLqHzYq!$GOn3lhW&RqLl} zX~Hm@()Xw0F6jkqlkdJPOT?oh?A2aKG^X)BbK1JlI({$%hKG=rjQIJp z(L=%Fzn$K%t4YYKExFdqQvV4hZoULHZu}41k4MJSbfH-66{ew0e0OP%tK8)6CIXXd 
zf?0n5E6{3RBAV#+=V}XDHKx=8S+gQmMi>eXyx!!Y*R?5bAL(ng-bNg?*8Iuse;=`B z)Nw&_X~_k2$ClncDXz_qvB*bQM)-f~v=$mvkD2NZJ*Aext32qPka!${$qpByd0}um z#&?8!@dP-owyC^dy&jUXvVGy!$JVY4MxoY&rwe~-Dj3JEjonI4>bKJgf!@d4>-3z^gfeN~^)}_+gvHabcc?)Tk9i>P1irebfCis85-5Xj=Z$S4o#lOF1kw zR6Jn?M||OZ^Np50F$}X(KfkWfCXXVv$+{X+_rMM`RCM!ErG7<+{@kQgMHGJuA8E@z%}K?o`?P_>=qdiUT=v7Kiz}RXvk4&% ztjJQBJtA%oF84m9^qnmxg3Fmpf9|pc0b1?XiHqR9;+%T^c(a}JG~i)Tkv#^k;Yg(_ zuDvWm30-I*6VRb0gvwdwkj$&wF|~3|C-kN_#xr`|MIWjAt>AC65T zMJ|ily*Ro&!&*G?EuakEQ=VRY(QaYEd!>tQ`&Uw2-UMk*vyMl2kQmE!U%P46ehclx z3W=%v=AI0jn8%YQ<-DUC#)0_%l{=`huYNh6neo;C8;)`E9e)g2nERV(t-StbnLf}fF4Y5*91-oA__@0m+8l;?_0D|LZYs2c z-K_R_`gvUUU*_fes2!up9V~#Z2VYd3!`2VDcL`jDsQ#pbP*AR?{2a^^-TllC_hluy zC#9+Fk2g=&_fS_8nV^$}3n$&g9ZDQRAbpoLNq4HJ!)&s$U4%9&sl@@7+WE0lB+Rf( zlGu_NVa`idh*56*XeQj_*n;Miy_}P-0%M%f@WXbM^dylCqb)JB?SWy3iaCdcz3>V7 z%GU5Iheg=JHF{_bLi)r3(BvAoWK=Ko!cbuXbX$5llN(7k{qIWl-zW9sB3Cl&OueUC#JQhhKD)E38oJm)R31 zycA_T)gugh$8?*wL|PY!DT@EQfsf|mf!dUsLWw5(vkAXcrrbh zhkfRAt5FQKioo8=VDur}N^)wM1gL7Zh_3Q4I^5KAv+YLy-E`-5{|Peif7IuxL!L*< zO>Uj#TyeS&mGvD*iDbh-N=!3fRG~%ZbcON;>V0!KUAfUCMND&yq&D^wMPh2mQzLK2 z%$J4z2ExeA3ZDHd9Q0 z<*Wz_^Wonl>XE+$>s^PV`Vh5jSX4twLK$j0x)Q1FW)#iHD6IT85gdNQu4c06|5aKo z52r2HuoX{o_Xkkt>ySRNBhRqAl}_G~jYr;R)n2d5x>7kL7!D*{>g9pW*Glb&ynckB zWU}k=OMZ4Ye#}y-o`c>p}631@2WpLsUNS;Yg}IL*-&kwSDI$4?T>l2S?#cD*Lo!g4!aUU?Dfi?t>0HSJ|;U;3m_qRZ0P#A;b`2xpn(8I8q4;fx!CM2BabVAG6vPwe+Iyp{*$TK&tTS98C>~!-r^mw+lEIq+!+e48D zlLKDB!r($&AcN5fAvi$jFtCzu@PyC;-Z zcwbx=QRt@qS#2rX;{ED-1pCL}sRB^Ehx`6re}y~oNl&snqDzuS$!`7hLSmIB+DmFb z@|pKQ0rT~rCS24<@gzuEB90wa0+z9hU}nY-W$Q|>H#-Rm8agOmF#*6_Bs`JN6 zR#`_kb=?hHdwC#BSk!@TFuu12Q00ow$Zw*vQVb4=TqlK$=(t1wyV`2jB~k}}kWdXN z-bh{mDW(nP2>T-#HFP_&&$E^!_m+zwxt8LxbKGWYV{nj=i4eW?{q+YK)Yoif`So*y zaO!cESrcjDKvkd_H{S>G6>~u>eMm=RXQqqI=y5sEtLB0Y_KQrXmF|YCXi8X5wFXo) zJn>5$-ufjUYtVFEPQXWGrIW2SmWL+-fiIyHj1iNWCTs4CtVqLCZ%O%^lRn3 zE~ENcgxe;ey_(Ht%1I`53Qd;|I5pE-`q{_g>tXt7>G(cm3Uh4C0*FJ8Pn{|YHzzwM zJ5$sD;GDx;P3L6gz?eEo37l?J8nHFtRB=RjaEfDr17H?dS6fX+whLhK@1eq#P}bWBj?I$%un2Sy~=6r 
z2rNh;l}a^VK2oIJ>37Cj+p4;LQ_wmIpaMCxI$kY9fKG&D@4z9$G$80RN&1@+r z@11#G{_C*H!})!8x}Y%$M?loy7kl7j@#`0KuYZ5P#@haR@w{d}C?9b&{SBY0AoH~A z5mnkP+w~WWAZ>!9a1<-+7?yw@IsXn(bO@DJ#U%iaa%pd4P^@*t$Yw~P>@&JDJOx#k z@1|qe9WCk})m;$x!<0v90xnaUVuRh3lF%kL+G8CKlWAu6by!%-_7>d$2;JR?Kv`C#o-45uGo z1)LO3QFdkvu(uE0y6s*9$M-uS#_<1f$*W`lh`M$QK34ww!gm$2^4{r}=e&g{21tgE z#~kwPPI-IZ%3_(!-Hl4pb`Iyv5}G?QoJ#lXzs@x7yVKw1NbGp7^Yl@OAN^!`I$}pm zHG03Zgx$_Qire@lQbqWKL3JR%wn$9s!Uvk@k?OxhB}2QP90Gg8^Q5wHWJ zyg)-|lLoBV4H}udsSjnDm7?tXSMXsUw6vI_B2Cc>Nh3q2YU4mSA&gh4u2V|x*@Vk* zGqIxTusU)9U-vy(NNaFQ{e?6xdk*=NRM)2Jo(A20!rWI9lWLuNc;6Hp5$4o-G|DgS zlf6d3(7+1$CTC{s8xZG{c>+{Zac?EzQ>u4`YXi_cv8rto%~;gif}Q4B0Qmx-DOz#&*it`nxbf^FFEJwBug9z#iD zOc03#PN|I@d0$#dO^sCgF2@-BGQ6d+@wT+PM6c*WWT?D(j@9{Q(lfEn9H@<$h8HS~ zt9oA-C>GlCqFof*y5ZSs8B={wGq(PMs!{Sf4;3i(G~QD(p?&Ku{8SaepeMy~qg^!H z@<#TS%X&u2uev22Sg&Iwr>trcTk8Jjoro zXSyXe+IRU2oNh&I+lT2)suD%?ltUb7h;BDA3rs(AI&*9$RPq|}P z@!SEo&J=E-0?OhwE6VYT?U;?yPDZc`h`gg>qUB=Mt&iMXPbgDf4{uh9qQ04&hc9=E zH3R9{iF5F;COU8)-G9YsSN!247lhPcoTcLjOUbp>bQe zQJgNuqN*@ftm!SPFin{mo;cYk_z5mq)BnZ1zU$pw4PNTO&QsvKq;>Zf`gl*^e{M0J z*E^DPbRZySJ|H0W|98#X$;{cs$jRk@OJ7~_*vaCpy0P$l_C&d3Vqh6EfnFJ7;F|PC z=QYSN8nouYv&WB;%eUH?_eZ7arDw2V34K`~hyCSMd!n+cIFkI5RMu%wqvfKjK#52@ zWwn1=n9j#-(6*{lRr`DN4^>H-ZL)5Mr-_H~a-_jv;f1a4@OZZ8)Gx>RrsFi%`Q{A( z19OGtLv7xc(PuwW|96Nrj_UE}148x(rl^4_delk;Ess4K+aZ~va2QJn*GgrH(+-D4 zC_ST9bY?M?33eLS%4Uh%4!22ebL?s{mT9cnd75g#Za(l_&!nqV&!pDsHQjrIf zl-+;+MT2Q$Ky!zj@d}?LYFv|8F4|D&)V=*%Mit?J3Ki2VJ!60Y-f5m^;;!J{!Ffy;@Goqw>&C^w@UgS9kL{?#oHKO)Y+=&b;od}XZBQ5|BC#1=hb zEEJm_`BFewq85(Sitnhv!8I+uu9HSS_>@2wg z;NfA(X~w<7=hSGSJEbF%+Gatv!@P!t@NScTufa4vuh)F9<})qXWr^yOWyxU|0AR5T zX~EclP@y?kN{?~tUy|oBy2yt$yeOWDSIJdHE(R(HyBkmBx1S?24E`HFV32kQ1x%n( zRhs-o(i+|e@7+`MBs$d_9+J##=T9cA!F(aDMLhTh;tG-JfjfI2Yn~fV2H-g~xvuV< zx08lmUUwx6t36sufpIC(TVEih?pWd;mtNen{9EbK4lr%@_GtcmJMWzvKkw~rDx&!J zRKlx$cXl_?n~SV!nk_t5vfVIrAcvMd)Y8y)xxT(>c~}Q>o>V^5Qhxj}z}o@QIDx z0W->WvC;HThK((Bw(mfi#M7(A>K`B-hrYlGhWh4Z*yU7^Dw~oyV=%7aDlwt00%@oAyl#=>s$3n{YE$UiM0dCpttJIh 
zfF|{n$?skN2P*FgTrTpYTU$enf zy0wnyzFS(Q^=#;wtNR}QO_q$%r!7!YjbKnGOaZ584K;kcM$^|u`~Gt~m6$uEG6{Dj z>i1?X#oz7Pd~u@Bd^t*`=9OM2nHgiJwbTMtLD&2(30~)f-%Xp9HCBekRWbwXpf?In z4E|7^d4_FK>tSn-ZalAax-!_}{Q`N`o06B?&Ho7Vh9=!elP~C&>f5UllqX(yFQMAL zqka<4&&H5^V!hJh{qbB})2UXcEbiCoTDj?%W6O;|dC0E>>3&&0z1zi2Nci+J29GCY zFxPt*k~7I$bj21Kr!sDxKgg6hsTrf1en4sfrxsd)Jb|FZ-LMZerZ~QNF@;l**d-=L zULJg8Mr9&w=qBkYXoj?=&ZblWC1Eu!F5OsG0lk*hH?7z({6rR7a)6p_ZJ>fJlTk2_ zS5HFmBFR)JenJr9}))98Y8IgHH zv{2lC-5oUyn8oH&4nhqGM(JD#U?sEpgxSLF5fZae5-F2}PMM6cB1Z&np%YQKcRDI( z2s+fD)HJceJSWp=i zZf(W`QxFj47bwgKArISZDQpI*Bb6oUi0LAsnB5a$Vzg(f;4fRvT(R z;$3Hz5VaR}(~3aAH-)R8!I819|GaKLMG8Mz9r7@?%98AFQ@wvny??JeyuY+xb2_@5 zZ=Eh@UhDYVy-q*2FAKY1+q=NrSKHPtHUmQ?uz5~iKs1&$G=r|GbE_+R)?u@IO{KUf z*WI0ov@}~6zN>l+jM%`J&kMH!q{D?klrXj??PZ(sFR8soD3$U8g#$!%vZKQT>5M}` z8J7k|nvQMzxK!Jz3(Z{~84zSMgm0 zRrbs<@0#l_=#uKoEDpE+90K$TZ+Y)>Fnvz

&Q0gvq+!U)Mod&9Y#-0|0cDEPSVbU8D&xl8Yv`7ncQLt8=xhs zL`V@w6qPToY$B55BY2}0{-5~m5OD$?_))oFtaMPTt(VRU_l}*;*sVM7*;~G=?@Le6 zEn)ZWbH2>e3lJb~?|R>kdB1 z=LeaVV;~GvO8u5401suVF&Woys>$Njno%pj_}#F z|HIikMQ0W+?b@+zCmq{nC+XO>ZQHifvCTKOZQHi(E>$i3M?`H&gWQSByR*3G)JKn1v&{J zGg+icS{H@KrWX?4i(JfX5+|WLu7E#4$3%K=uIPHe-j|vs)mg%lK2Ng3V89`3SgmZ1 z-{eHqs}OQmTo72H1&r<>WDJqhb$Lwg>!{~IW(=uVTFfOIVW{0`zjWE+vGVFM2`Z_2 zUI>9iI(1qfUMhKS8{J_0U(B<;Y>@(Z}wR3)ej!i`o=eAi#IrX9gM6J{v{>^s~ff}KIbv9&5+LO3Cv zeW&SAm)yJw{Ntou!MlxQv~aWO+~I(8Y)U~*51P1+em$qh6!?3{em!7YYPnRqavpzW zybTJ!mDeD^EScxKOtU3T_y}HmKFJZONRy-4w2O^1pE069;s)bzuVWlja*XP}?`kVw zBxb%qJ51ziK_07e_UZ2A0#wai4e&VheaYlA_4D|QB}1!`lh;7E*>il^&?%TQxmM;h zochQ^ns+PO5~>uLlQUBKZ2ZtjgG#LM%k<0QF1ZvyH&gy0)*5NO#ZnW360W)|6mUy| z!^=iNBT&rHSs$64HF_OX8Rcp=%*^csw|^_G00(sJPGaer}0p$W`z`tPRm(&Ohp zgeVRS38I3G2TJBG&zV)$v>X| zy-p-cJFS!sHTZ|P{kMFKGK`iz7$=*&QM{;xMgwM@Ag@W1?a6FY78;f&)Fl$;cyJJN zYl93_xhO^ir&K-|G;35N$3|p{{ckYg`QLC;1s@%gboq;I*nj6@jATE@hS22s7mZdmg!f*ze`zJG|@5e1E^RyeACkrN~6Qim60c; ze`hdQ*-{k7hJ(=!5@1)%^t0(lIE6Fi?!uGSC|So%pnJRw8N!qCONAIqO@w= zYChJ=^)g1Em=36S;&>PejHCuPGhxSa{v+dvx5UCD8aNvdpE(`6f&a3;e9MFH#Vce%a3RVkO7#v2(W? 
zvx}schuB?=XeY)*%6(L532pYK%k0LOTY>Pl39O;hS!iFTSjK~33j^QTGq$)o zpEsq7ltI^<28?&hIPP!<5&NTpw8@cD0CQ2rC#?}-mT{7@_zry3!Z`N;wKI$#Nxw|X z)GLw3f!vq<3)$oQ!XI#lKs@9P9$Oq~$4|>uk_h>bnmSB9et%KWmB3F2ZOcYitq*7A z@NGbd-Q^VZd{5=m{p8F1F|-FLbKopvYc`U^yN>F$csxQ_ zthEpuyMUfkfW|Y2-PqOS)~U%%so7!Qb_sYtnD^us3vg1lk1cTnS3To6$h&TX7vS{O z#qz?Ao(k_U?E`4^aZl(3ynlT8Yzbbj2ztr+zq(kt`5=mXhBEi{i*-!ABN!0kQ*-SR zeb3nlTWGj_L9^VAS_g)Re5s-hs)k0(Nv$)*wUyOkD__T&1 zJ-czhsi9>4C0C#IX(|mq+9vJ3sl@JDYcY0T*E$dp-excjC-k<8F1+1F>}H#ObCh?p zlIC?14{{HQk9K}t_C2a4QL9sdOgWkJISG_OH@}a3$mbC8TU>f8&D}mf&0+~GWkoyN z!lrmfPsLSw=7bZcOoXU{n^YTdVv`Ox^qVLD{$t zvvfF8!lW42Dz+a7X$ZZ8hq8bRAG6B$ zaYuCbvh_6bH5lfLI_bB%+EsZ1^_)ra42*d`1i%Pg5Qyc%2{1NseaCC_M9VW*$ zrIzd$ezIjI(BOurvLGh<8-?c5?{^-Vr=S$r869%sPNy2T-o7#Y8NTKECb)r-l0m; z&-Xw%-CFCeO2*13vxAs40{QPmVM4$N5 z!;Zp{8Mopu8(kZkYUgiN?Kx`PtnRpHGVma9hdI_2(kB@wi~`ICnR=v(_i6e_vzj2x zO#Yrj#5r80?3;`;`^Jsyw3$Viv|GD+1>f}}o=j+ag{8fs*18M22fcY0QG>L1u{MIx zqS4&Co3TQS63NahL#@`gn!f_SZl`lQDCxNCp>E0e8yY~AC9{>$+>B21tlIdkEXeyv z1hrqcE5hp@R}4>08e^;2mor#;i~K0jc}#@jd5=u&iGp}NNxBiL8fpAamO1u4DaUN$ zc2ZtQei=?oPh&78o;qU)E=h&0L~^{CuhBe9tLP9(=9so#JZ^Ess65Cb4DLQ_Ov~+^ z0nwo(@?-RHh}c*gkr)ZxuFqdUKqP|g0ed4i-iv~bp#b3*{nTsUIAg8O zQygvIQzj#1+t-#9kg)t zo{S0gup4$4{fxep;hZ%E-LTFc(~GiJ3Ephi-KdjxO5>0jxq7x~)n%N@^xYswAP?L# z1hoYel>sl0VEtwSABcswhu19b9=();&J*a&GfX6zm+~f=N2_8+SWuuEC9q#DV+&}x zOm_GswIHk0HGV|s13pEq7g~vxfldFVE2w)iAA*Jzy^?=}Rex3hl88*YQ4V(^({SNR zB!Zj>XYmA)YNc<7O->4akFhhRx`Wzl8?QqXZnNAJ|Z-PP$gO)^SQVaRV# z)e?|%0n{S6Q500vOocRNhm+4gbTg$lTW4=RJ6<=}PIc-)CdGo|h%)}UwI*%Fxoa@| zAVC<6gSBz*ts%(z?$DE*kfx5_20+?4m4hjLj__rNCuO&=<~2X? 
z<#vEtrdljFLr>Sc;asVbzwUfT3Xwle>0+Byi-j*ODY85anbQXls*u-6Sg)ja<3@>} z#r;j3IOYegpe%c7K3cQ;E$aAGjCC?jr5z&T>s#&>q=?b}jxbnKeCdmE*}_(ZezN=^ zVl!gs_SV0@0;34}E7>r35{-4$zXH|0vunOHKp9xgp#J5s<=GDqVKVLq{NFxj(7L~R zh5!VlLj(lG@jv^VwXub%yrZ45i;;=r|3)(_=F+mpUHQx69b1M>rjcST(afv($Veg; zjXzXFUUxJq`WZ94zfP-6biwVy|2YTp zHYpZxMPVUrUZf$@>>r5JzRKf03R6!wr<2GN%|!1Cg7-F1?)!gq52Vq*gh!T;65 z@%N1&^i6K~C4zl>=M&dokBK?S#8?%f-1=8Ce4RQ%<(?2JZvIg?&Xnj;8J?0+h&wxi zjRF_IF(kzrmd?qtU^c^s?pC9FHpPa9v_WEhyPz49yB~9Q?%Y=f~sf0H>A1QDR@6r{NN-XTlrQ{ zKvTR{BQ*PlZPlcck>2fSas1iV5Nr;{==wKYG4bCY-SW>Oe1Uj~@}Q+i<3uDtN-A<` zo-!-94n-~8)SOEun?{3oKRmV6k2EKDsz^w+R8=wD_^_$K+`NGL1hd*zBE>?Yvs}DB z@WO>I`JsaLxUoQxRRwdY)7E=vJ^8_mR0sH+Ojx5m^I?Mca8#(IUOtT$_8w}?nw>U` z->@FJO)1uUumCI%BgqKpz!8s#!U;(0P{$GE9o3O$(Z2!6i7f{g{qvuM)~u-bIQt>XoMYJQ|U71hVm~`U2cQuqU!1sK%qH z#>mN>(XHf2sa5d$kUofP`B@CA(2l^a-pedTx1-CBh4crfhWW1M5N@u8J1t4Z4|BD!ra5o4yqR37mJ}U% zL;HW2^d@l&%tanMhO(A47ylU7QeGsY(^zCwjH(h-pyS$x><(9vdXg%L<&t3I)S)C+ zM8fL7h?Q2Q#h8o8tNf#%_L`{M!0-GDWC(yZ0&CO*#l!ytqYJrB&55IuB563iM1{Xb z2eq>;kt+U;0LAJfMtmkB6B6;*=uYZ$xU>m5QByV{7K`U~^?G05O-X-Z+vE9w{z!1`; zBI%QxFL`xQ@w&LKq~~`*rxqijm$#*3kluAv(J%>UWRj*oq~ff|w~I;JK&VK8nMsr- z!pTyh49F8SYuto{F_%iuQDK_%eb~kLeP^C)JLFgavCW14YoIL1 zL7vQ>yB!@em+t%@-7qEU%>wN-!b!3erJFqpV5R1W6V8MTY#t4 z$Cr|6W$jokUCq*4?1vM%fb!7-d9JTx>#*F~&`D4s{3o@~D3)~6!yC4owm|Vd$a9+x z0ZBPyr>mMX5!}oTXaB7xNW+`ABIWEg^bAFjG_|Pi@L$AVX}_DvY*Ki5$qrVNOc|l_ zg=P~rA)+?^L|)#y|7-aD;$$I6`l{kPu6wQ>BlNvTWcx1D@#g2;5AUbD8Z=&+3tAcI zje}?G9op|4i5xtyD{3lg8S=CvP2GfK&`~pE=n7HO7s{I$bpd<2n z9!==MPaLz>5JK7@(v^f8N(bQy@$@ZfXr#|;9^G(XyA_*@!7BZg8=ihw*Tr|70tmIYBV6PIgOfn+$6>af-s@Eej)3XCk;=&$94N@p zeXnb^AhdjS+lV#Wl#9SN0(0#Em|QG>7j!cu{DRevW!lLsWx0I8qN6n^U%)QuLhX_GZNA*nWcB!^q%thEjISk~Y{Wx+W<9_%t&sCfYC$`b$ zAS?)?>vO}^Vlxt1>EVq(Hvo>6Z0V{emgImv`%1?OLdTii9z`@;<)`-=Z+on24;Qs@ zbSWJ9X1oP8l$%R-A%s$>?fC`6*nY)i1xbKscd>W=ROEc4mr>@G%iN?__q$|kSd z@_v>v+h0=QaI6t5Rz#cACg?=Tc*(#+jgH=fu3~he!T|lF$t{iYym*AmVnHWGRmY5~ z@R-jb*UCFlc%zv5fNRtZuu!Cc;kF+W3IY_|4Bq+cDlx!dmS%n#1S#}l|qZ`L-4d`^dar`-w%q3rJz 
zgmf$KahYEul}H=S&xKNax`aHv z2m%lX!fvm}nh(6`mvkoa8R5M5I;l6y-o-IQY6C}N#zLtMeqe)e20wWDT?n3wu@WpT zyyfNFLC#th`r=!!=^gFkDI+T$O34t@YA8*^ih*YR>9zs?&*W{t_=#0KdJD2Z)>VuS z!hqjAL^VZW4ftX%l5N^;@~VB0S^5@)&0@9|Z^VLn+u}N-SuE*)^Ij|;eeI-%=e6dY zq1t=>MZ$+ulpopIU1*YIY<$GL;Y$`EH9W1mSxvQacJcpFQ-`z=s$ck+Cm+wwcP%tS zk{2(ry_Q+N8_hoFLNsTX8ctT%H*mWc1Tx+~lev74Ckl^W!C7xEj#b*)-6ynZ`LtMb z=y8_rw|WAuYR!ZnUAP*dPn;=@Rsf;hrfFo)ILo)-P2Gfs;JfSK6w6i}ll=E2fNnSOB-Hx7Xw~Hr=C<+zw!o-lo=a92j0Kxlyg??^0UI#c?ZlEzY~; zO>2mnT}Q>bGVK09;$&-wvBy|T-30OLlADb9yt`7N99LEVzqQKgZA40}Huf7me4cqF zC-N|O{2=*9<;StrSakZNa$9uQTy0Cb=^jqsVsvLnatPmeRcitRrF(yfjgQMb5F><~ zh?_X*C+7 z`R_jGmb(RoZxTqiAK^EiC+MM`g}=XUyhd-@a6W#tVmt>&Y2gc)cj{4*8r-oB2IZCi zwlmVa{~E)E>2r!`Zwa+k-y}{*xwRaLTvPJ_{vyKasEKA@inOtPF!Qhc39uM^GyT{l zN43>3UOAEzaA)^?JUg9RKXq_=e8pUl6Wginn9UTNWUQUz>&(&W(Yzqw=olfC$=ph^ zI=N-v+h_6pQS$xKgVgnye;BIuxOcp|Jv#pz?Lnr-lT`^ndhD-#fS#mQ(YY@b@V)MK zIv3X+o;Jd;OiuqT!fsZ)9;|$!#rT0?sXcw@sB-eg^M)82BY0$!rW)CV7*`FgU^q6_ ztcJjPloodDgqLZr?(#FD0G_s3G;b1@Qak7h|gS0Ym3aXiUGO#=^sbZMDCy`MM$F*fQpXr z11~N@H%+A#VU?(bTA*?wfDD>eA2Ud2wp`h(N5R0NxSg8G${Dp#4nG_l?cv zuyO1t_M+*`f@X16?RNFGl=<^+T75y*a6!hK^}O0XCz^eTJ#-Zu;YRoVMvvm)WNGDhup-{vFN389BySQF>@p1$LZk04-x z7^al(bYgvVHrVk&OiEs0PWGn`Xt7fLSme%CLlKwHK_R&*i*kO#`kp$_2$16X~br)1KhJ2T%sIS2`)7qDzTLw*q0ZSHKH z1RZG1${kq@AwFCH$$^dO{HJyRoELWsp4aJj70Y_d7+4==To?W7h-giH_*Fj^uFZfU z=wN|D`cRWjnsH&;6erO#&Q{o=9XLBjJY+fFA2AWwBesuW+M=_^Toj%q>luqb>B=ci zl4JbWT$U#$BsJ$r@oQW8*J#skqTSpQ7*0wx`23w@G{xzbNEf4b<*2UK>jakr8t8_z zMN5&pdMvCiO+y%HM=hHd&G(%W)X`V1&cS)5v>n)nYf!boy~v?kS|-o0x!em%@cb?% zR|H@DX2X?zrQ1a&fOj3a>~sLT*ZE|E2Gc>WLQ ze`nSwnlR}!us}f582`^UK?A3MZKz7ljwS{+|C_{m3QNm+WBDnuVB3*&!;w~?crX@q zE#goNWyJP;xcY!r>fE(5lUS8~HP-Gfx14#8@vh`sc)bU@7OEVi@Nyqk-={oV_A&b@ zPn~Qd&4%I+mI`$7gH;PW?Y9Hm3n~VFrHs09ix5ueDfrqwe8rj1)028~k5}QoonRoU z-uj7A(eW1DE1`XDHJ^oM)Ydra=o}lQD4NJ6SV9&Xa3;b{2g8i!!CGpd*iKe7M;<*% zx7m-cR!Y9p&F$jxP8>}92VaJ3^ayKo?t!?74BJtfUG`iI(H4e_iUI~jY=U^IA>D&- zw6;p25R)tPNPnFkwtzUQA(WOgo;aRYJVl&K{oW|PKpiqrHbrQ5h#T3tfgX&n3RjTf 
zLJ;rndy=|Pd$RUQyU&Ja$JF_^#1D`n2t_x`WVr)@WCpp1xcciAMLQ&3AA*Pv~pNV zl_xM-_=outs1=!N6-Zun^JN7<_)EEXIbmd;^aCL$1HY4v=hbrf zlg$X&3em7UUoq^;F%@25W7Ox*0Vr;EV@T3J#IzGokABm)K{&YhVr=@_nLEi~**QVR zG!%AviHlwa^0PCF;rNsADpZQhHeYqeWCZt+>3sb)+Al?kE(19Z zi=s-rN;d-K3t9?^Nf0qJ^)0Jw|4W&dqPb}&X-|!p<39}j8gb0_;I;fu<~aN(qWR98Jl$b#=Io}rXrs7P%J!r?wjuYFo?h7bM z?>tDxB9TecE9yucTZkOv^s5_U!O5uMWDBt8XOLc@Ei_mAVmz+utxeA-y zYLwgpJGMrasg@SKv+r=5c+4)P{) zG5P`}t5BCeGZE>nBdlQ%#=vmN7TdF0tFdy{eW2aZ$;h*5@yA5ZDD5;;Q7H3{xr1X~ zrVm`eh34Y@V*j>Ac0OZ)Sc#oignZ>mbY7C^pNYyjNZt)5xJ!xmfA3~TFcWoAH2tHF zs*U@bbH1IunqA(c{yiF*T<5159rkfU$6#i-C#|SVZ z7Na1;FHC+wECSCc$66oS{gvdEodTM?)$X!oIjCea5q#UI+i4h3TW$B8vrVX{iXaMX zNOUTaYXPA#T;vaU>=oMR$1X}~9^hyZDOG(YL4vrXgOl~@ZV<>l@&nx<4g|Yt0e&Aw znY%Z@!oLe_6HSFe7HIm7dqPGafKL=Q3_BWwHC2mf*7x@&2K!LR0k<+mccD|uBUOX0p3>E)Aa~mqW3=&7eDu`CqJ(1zHW44HeNTWjg`BBTj2Fr z6=5oUF8(Nq#TDMh*)@inI5alps7)EPk~XYec%Z0yXhk?b4{M^T#~A^u#(GGlrV66Q zy3|EY%X@>fYlCeIK@s_bv$Lb8qxy!V4%|#Qh{DkvlH;{rg&xQza^051HryjnW$xmV z$L<7%Y%AFu2BODAu_;JOV4%bNOVTg|9ICVt*uaK+=K$|m5noi--8IgoMf|o-JU84q z*_X9MZZ*#YWDL$N6Y{|JnbtZiHL5KZ#Pkqa$&*KaqVe=M=?tcOcDzZWW207^t^|qF zhc(`~*iG0ftC4fAJJ1DyVZvA1V2<`fi*?9S^Bw-rtJ3WG)e4Rldm(2(JoaxXI9vJ5 zK4OH}QNNofoLwr29si7O&)v6&lc)Avu*{p!Qz|HqN2_XlODjB)b%g!&ZIa_?ZcfcOJ!h9k+WmtX`Li>-bLc7y>V}20!2H9tANwCyJd~x z&(oz!L%xXD;_28Y&qW4>HOcfRP(>TB#WvI>uE{$w3E%0`zS94~>dkJ+n>iMu3z z&U@l2cDFTxMQLa=CEI+Dm$7|^S%(N0a|Hpmk9e8baEmr2vjDKCeML4o4 z{StKZT}`1-)bP@Oi7^u<+3iRqaX;V>ue)4cs`ndF2;>JqizPi!VzIm)srFiNVpFM$ zv;KIh4v&)?M6Ev}auUc(yby*Lb&%)xyO2=yuJ!Zj&p_pEPCJ+G{<)>l3P+rQ_WU`XResAgq3^Ud}jwRNNtjLQBqJXJK22@Xa1=_ zv{5v_0Is(YTT20&PU-^Mj}tJ@`5KT92o_vRIc|v6?0G{4IZOc-*XAfB%w=i2{ zdt8YFkNT$b9v}hlhGn{FDNJ^%GEBjm%h@K0_stel30|mf6v@W~O>K}LiS)+uxYH*y zZo*eR8C2kqwYBRNKo+O(BA)}$=D4n6^hoA|!ZnxdB2uTvE35$am{gDhIRv*|t)k`S zkebMgQ#13^kuaWKhRiU$jlp;$^6PGfBn^ zuVV7#%&&YrG!rJeduYyF0)98oNw`?LMD#f8ox#ZuNk%#$`o8Ltwk+gxIGcGN53T_z zXf%7fGzBc!f$%Bv8i2n3-A%|zCsh|%uOXyAiWE@JAtaQfj$olw1xkh7l91z0 
zQ(M96($1=VNuCe#f^NbEs8)%PNC_zBO_=a_^h+reyG@EVbG`EA&F1=f%39}7-aX1S z$$Vz4KlvAlLa8F_##Oc^zZ1-lwObUZFF&Z%?BpLMNdc;)@}LD#u> zy5kZLeN*?}>l$>38z?LpV~k1IY#*VG3{|X%8s&uAqjZ*Zf6***O`8zWWkhj~ET-!! zwb_+R3N=RFe7>E&AF_WwPZs_7Gxa*Q5P)iq%|woKwSZm;^E#@EPjbHzBmKZx!+~%L z9WbPJk?}wqBiI{Cg1HQb<-0=w82 z9*INh@W6t&+%S$1I+Q^&wi!4_W@Kd)nu=ae$0``b*~ZAsY-ML;eUX$je-IQI%Grr} zn5ym;fHX8>FplLUL_k{_+u9yqPsyDOn;tEQ=VlOOVhies!P#7oQDwsb>oi!6r9p&_ zeTTRwmT-p3l_v5ELsLb@j({CvPt`{EDqB@V&8u{<4l71DCs(eYI1`JEV6ISdYq-=Z zUPO><^N+A7&^JeCFjxJaD?gO*ZW}NkBn1b+V3Bh$Re~fHrBh!YI9?5&jy}>xbC5_E zrypXC6mvGAR50q_DLabxA*Pw2W@;v8%lFn5z|sm&q|~LSmt&`=<)mk1wzIJzFW9+O zb*}LwPfhznL2&TO8X=>`{6PJgY=oACwF#Y<)Y>JltB|VEt3Js@K+$!YaL757axsoJ z(hrDEgf^EUHj~KNQ^f*=eG=2tCh>x)A1jV2hf);QVGTUMjOqkLizFR_2%EZ_G7TgO zMWSKp$|K9qD2r0Mgj1vv@#BS&nW3A5{|dc04r^|Op1Mh3767hf<(nJVh#%7J)n#bP z!9t>4qSNcWm#Q)p1I0qMX4c=A7fpbUjHEaK5pkf5>1|?pfa{?2(%{Z0F)TMujL1LQ zpA#p2i-j$1dxeQsawi)P!BnE1viD9qhkbb($pJjqSNiz;+}<56srV*n#_(O}U5l*D zH{5D-;>$sXP__(0^?^rrC5pqS^;>)Y%F+!&mJFS9|Ju7Z3`Q+Rhb>-dRpoqqC^@jg zqUIq8o$^LR+kpfxkR{e^Im<4`bC4jWj~FZlnWIF$;=$+I@BEX6Iq{M!&j=SlF&>cH zkk@Ng=h2FG@!D>&)oH5{7~oxyuBgfRB1*%RQ_l@ zqXFaKetKZO-DNAKDK?Pq@=om{cz1CP^?fc!y(zIegQMNGz_LRpGvU_>V8epfs#Inr zZi8pMm@XQ3EW^SnX_*~{;Kz9D7wf6F3l_&=JIh6IS&C#XdbE^DwvbVAoV})+ZFw@L z%K~TkTI0o7hv#X@(|Bt{ zY2tXG3ih1`?Ca}icuJSfc4T?M;ovo+FJsC;*t)51n+5XYj?3C0^M^jz1*6$$u6ZuD zs``rzSmHTY*19sz?JDb2-roL2y+^$-6PONIWKn8jX-)6bzRde5{b8Y(Eyl zrl@WzIhfCDX|n!FNvcz?LZ)`Ju4uykr-H2l(HuvTgJSBIi9SaZgISisL<=M_{1oK@ z7j`A&8JPR2l?de*rLkK`WFItmhKbk_P-=u@p|vQj3~+q*X;!iFO{-Gba78;pZk-7^ z@?W1iIEEq=G-qmH3IwgJT3}bne)-#aIp`kS5Mxx{0WRlT`%~w=Sp(wCxqExcFbDG! 
z`_mSvR4!2LLKOD3{*rG0S=UjIkk)+wTSn+)!m(w1d0f=+URBx>Rv}o>$!yNCJTa_$ z8@sWgl-SCua&iiOF_waZrt9B{@$PzuVjHpES}5(vBNHz!%1#`_sD3xD$I4{B^`gaV zZu}{oXX0$JDzz=vdcL8d)MWWltRXL8V(HK*lD}g`N}WJP2znTcy#jUueKxU~j{~uv zY^eL3ZvnVm1%3l{Y;{h)FOJ{ZC!rn-G|0yJUH<~{o+`Db=FSEKuhZGJCkSt2xdV^- zgYZi}Qm+@BXNJR3Eff!$6U(jEj;2IAZY{9t>q@)$)q1pyFa%o2e!^~wEnnKLlA$4r zc|%dn$!>6c=*+<=An60ASFOjq#Sx`Xcpy4j#k@`8`;+&U@T>Q%IB%Ve+lF7|%|Gzw zWo9rV{v;yS`2`VV?4gUzK#r)yuln632S06VYysemrgyK}y?eV@8FUu5+RK;%NM zUqkX63sB`M90H+}J6c<9FkRjV#W-jN`ZfP+&3ny7%T0JTp%fjc*UnT^H0JR2_sM_& z?`C%c3q#Z675uTLEylF-*SF*KB-z$X}4aTTbPdiCy;#+KY*Bl3V)z`TekjOtg zO{XpYgPpMA!-&Z49m$DTb61TpsFwy6t0vfSNoE>#3k7W7c2~2uy*dnno!s$E)($@J zIRW=2!MIDD_!h~2Ix_3B4DAkw_oCZP?ag-OxAso*BFB@{O{~w$zAdXyQ%*X7$y#0%?ft&TUoG2Bq!)`i#Y*7r?4F7=eqlI}NJDg?5n3L%?~ z)XKJXSj8)Ftc8pb^?bmdln}4igZ}5z>55WYyGOaLZdE43BINV=3-sCkXeIicfpkW} zkh`QbtRgR{ngXNZbNSv_P~|p$psnhBfzVR|cpbUnzSxVKKQET2zrwF+ z^7W81;7@aUP`ieID>j)c@xu?aD=DFGxMrbTdioTj z=EkkE67?QD_4V8*ROu zCVj%lITd1+D7?|GxX#0F)^?>nLcw+VV^N)?M3sueTWsflBwACF3a1@`#>cH;>zdlA zSg7@dP}ZiTDm68If5Kx<)IklCtD0`Y!70eVg?9OyB+e~7%0Qgp%?2Jf zv`z=C&bl7w+6-7(slKzUAJnlQ=>BWPIu3H0Y~C^@{g#8uUAv%<=AdEi6~6Kd-Dy9) z`yGMpV%}QRC+O>WvHbjj+1Y?A6(f39k`PnJ?|-c9D9?~bP#@pZYkCk67nqy$I8QtL z=WXuRuX6>!Oa9^qwnLR8!q8U@8Rf#^Z@<~aT^7?62M+ij+j`vD4x zS!DInlkP*T>s6qN-dWnynf2f*zKt*%vboa-)4lH3M$!yVpsttR^L*?bN4i5Y_flqG z;qrU>7}pEbp(n1WN~ z=z?Us+D%Z>l)P7XdHG~Qs1FJU-oTwLuvSkWe5Pke1%+YUl#UzpPAg*$u4d zeG>Tyi&d|iV|*%(;=<6m$2v+ z*C%%-J0Am-3*kyg8#5$zxMHZ%uat{*WwZ(<*m~Y#Im)nQ)pR_6L`Ul0Q2+z;C^?B> zUE_-`H+?QgcoZ8fLRm+`)|L`7-jW2?i;4O5lC&u6<6R_x$_f6_FI4%T`u-Xr4ORmz z)j_67xEE?PAD|0N!QAiZptwH=*^q97FFPKya%{ftN= zs8Pg$?m%+8LSl-4VE2(XPx+N`tr%?u#Wlh5WZ9o}X{;(y zTSl09XZS3jy=E2VWTML%7eLh%QZk{EdHroC+eQV+>JajoPi;%#?dhE?ICIaAxAe?J z990a1wr-M^M$6$Ti|O8=L05eK4_q>nmj!e-77$S8KV&k)|7@iHXmS5n1L6HM&VSDT zVW6phsASxc^bRRS?+XJ36f#AOr&`)|Pt8P|wR_=a^O3rz@KH|YBu^O!H558WsvCfH z`mdyd)2B_IgWikcviTCuFL6i9g}iR!p*MfD6Er@eq2gXZE!Pd*@7~^gf%^lXb{S;7 
z@6D;n#0fIGBZpQ{Tal@U%s12Sx9;?t57Y1Ivqpp6ht1K2y8*1{o3v{d^nHPE8Yo|X z1$C@K`^fMEgDhtGVa^1`V0dVw)ilNs8BU0C>AQ+xE^Ar!{*+)gYnj#l=3qW+InI6r zWj%B^@`{0_hzxs~0(R}pGT4=TM<;K&0)Fkd`IJ_gIV4+g)=*qjnZ1%=o=aKQuuN3C zJq%^L7%!CVT8=p!TM-W}Z@U7z%}^sS(Ul%}(f3&PfZDj;X`|$?4XmTQ${lup?jY3_ zS!BV&l>2 z0#$Po=r@v#Lb#*CqM{M7%MZ5H)h0M94%;0VpqhZRQCGkO zn~uW?!I}W)|E&+46}n(1>^7t)0ILxd3FH zF2g*=2H0^UYdbzL552#eXpAeitD3{RiSp;wFA&0R$uQ=`d15OCvCl)RB07kA#Yi0E z#5eHfAh}~(AEEGJ3JtW9#KaA9c_G7m+FD4KGlE;ZSR);nRY<#HFnrjG96I3d9rPw0 z&Kqt?0VXEY{$nG~UrS#G`27l-j35FRivSlACLd9HSH|K4BV#ZKC6~XE-5!b3PR17K zM_J-GSwMDlr?})ompwfHx{_4;dS_BuMeRT3 znjx@KRL$nWzkpw66Tq~U$5!9#jS=k7#`AtFST3mG6Ojvjob;i~HEGW~HO zY(-ZChK%vTVL5&i;Bd0y>1Yr}*AQ|$8$X`DbGL{C#O&Z05c}=UhJTyuvo)`eh^hC6 z_`n)_)ArpOf!?k5_nzDMa*e_L_8tHg0TB2f+~{>py#uW)2k9cbM{bEkS)*z z{`!WZ!i&U_lnR(89E5sfFbHN<=x#Ys&(PPCHdzkW* zGwiGen+vJis_lf6Qei4K%g`aB9a=D#3#7PEGGU4=P$ z%n?@Y;U&uyVPBKxUxozlfw@e)eosCJ5~-*SW7wmK{c`b(wxFHsoNKbce3uPRNlH8_ z(&wVu;PaR?=IiEqJC0s-fhc|mp7YQKxOAyL)VjKNxT;s-|Fskg*}sthbo0a^PahQj zCg4wG>sBRMa+PWdy5BR>G*zekz9$EIIUGys#5U|52LT|^+dY8A`uM-d!eR4c4GLl{ z-C=MmA?@f46YT^%Z3Nu3rqnyygtTe4!vD1tuNHAInPV4{4g)&-AUdnQ!&)^=$7(22 z7CDfJE%6O36xq{P`g{N4_|dXJ_F(N^+(U8yJ|M=((B^P+vz zBq4mFpm}}P#p2;6>UfDd%U}l-QdWXi>pLrktz#|H?mYo_Rv&C)4>N;=mH=#KGYmCP zJ|15VV!`s-B0n6>CSwe5&1*A`a(S_=L)lio^V!5uowRmO$7N*94_a?d)py@c07z|i z5i56|13FZhUZq6UD;zMOx#23_r>o8m1&#GtXkXx@af2D&XxnhtZofm)=Y_x<z{?xtMp9WPSjfoSuqF!+g$_4@maoG5HXLNzQ zoAN;10L{d5$;`f0{qZb-q?Q^IN8JywWOXtfI4R1YD^}{0t=JPrQ+L&HfaUmzA#lU; zJ543ijr3G>65--p@#627yTbN#t_2{5B6}_qpd&m_Z*)i9?B>!+wORUJz^$0%mx3(c zk534jqcUJ@!BI|y$<>n80`K$ z61O{?hjIWW(de1quM^BgCu!F?ggCQYVntr`Z;M8wnps4L5O%2KQj010P!+Hc%MR5> zuI%}-X14(R-zzz8&I$k??rvMgmfBC0Yc*^4*?{Y7ca_}iJW!eZ^cRGs-0-7_Gf=W> zxhRl$px`gwmFuA%Vv)}d#iDLFhHn>2AZIAGbLRRSWhIn0d`?32J(6xx`OWyRVogk( z#WfS|_Wn1+sCG&7feOno2n-=J0a&t|q#qEyiiA)AnEsR?>2C!=_1HIlx7eElS>g_4 z@)Cgn5@k5px?(v?1Ff=4Ul6zTMU5$$y^it+rB{rELZJp;;6N-NRJ7#(kFR$K5;a=3 zFw3@W+qP}nwr$&0r)=9cPuaF@tIzF0N56L?-sGR{_$NDduE;NQEzFoHEhE4w^5wZ( 
z=;}HkR15$IEq}@?d&AgQT2jy5QxE@2QCt#$b@6vJyTU%kVr>Jv<-MESjmz8H4mgtJ~g9krRaPk zn2x_>=>elNlwlY{)UBdye+cGHP=#^UfXP^G!;UAPxS-$TT?2i zVGLO)8rw(z;;E?WAfoEz5D3>j9$A6R>xXJ-XoI}KL7ub@(^GpS>S3W%z_H4UOZL-7 z0U}MJ#ts)*JLVH9bM;fTz{4?>*BvNNXL*j-$C^U5vK<1HAA%68)IPFJEqjas$?8^Z zt@(`6tzLB)r)=+V&xq@Of=G95T_DrYHk#Ad+dZnT>7`WJdBx;3x{b5$jA`UGk;|`L z>W!GnZ(^5`%+3kV?%U4pdw07Wb)R{PJ@6#wOv&+0bZqWe`7D0kPzxeTTBrfKnJL(8-?rhm35D}B$=4{bh|;Td~hdg00Zn2BY^6gDI1 zrykJzM;Su;LqT>5Pl4{li54 zRW1GO0$pc2J`*f7(Row$^g%;+NMR=sP$^CxdKPr#J|95~#b|Y8&eia%^GJWaJnc0e za*WQ`Ll`8*la2}}TI#a`Hr(ef#KB38;~nQs68sdzJ$}nwii4M41|)Ry@nD!oLfTio ze+}>Y+Jl(#nzzAl95&{Q=W%hW?gU?i9|wKV@!m*>Cow^e1cZ#Tx)Eqdik!nSARWwO zV4K?eOK5kv)f}i=_c3}@2ONX;1%_ZHkHIDlVvs_lTfhgb2=oBn3Phk#1WAlNA}gRe z{|@cG0*g27dc_b8R-pt!;sBok3^iwp3m-(G0EDIHUW*iQG0@k9s~eP; z_{f_E*sd*hh={kN#41~75tr*(y{YA^i8!Cvm+eh#VgJMlt3&TP3^he!-`@){G@lF zd@W0M)Xdm#*E$!3+9!)6WpnC;S9k7G+@S57Whzu<6QQdY=UL0?MA1C+1w}I!R0Z!J z23Cu9q~3#ELSpGYU9m{JllPwNz6yoFnp@6EgstHfopxV-fD0y>Hmza;NMjZ@Wn}5 zI2hSdM^y9p9KRPJ3`e)0$GrhF%sLu$RhR-4wuz-&4_u^lFWE1Hq)5`@?t-BN3spsB z(T0ft9}~}@m>y&`JY-mt_4^hh>7;3PUQab5$05;|6tQ+K3@6L8+LmQfeD11`UTvtO zO5pSsW_wxDo9Clg4?L03&_4bSe!bY+&9YpU+#y}{1`U6m?^U+Sip%b~|FkabQEe1{ zUjN|X(wALVZ;RotO7xl$@KtpQArY5w2yt50%_?A*wA`g^_-Iz~)vC`{8s`cQ2Ate-V>0zH5u4vbH+i!pTaiO%f9Omlj<8abzABT(^;i%kA;Vz z^o0yI+v^nv{iO1xalsT9?_VcmbI8A$jAr*;zWS(jr8&OnPiBkHX7nlA?>9>Fia=vQ z8lc6(!B-U_#o1ne6F1PbTZwu~o|Liw^B)ygOna;E3+X&9$R2R}v6WQpuT_n%pxZ7Z zQ7fnv!itSwaTkn*=?m)lz{*d5mXErgD9wW#?-ZJJ%SmLUH1%@#Q}{Tl*t%KMYHmdBQW=Z&p-;jKTw|T$xs@pWM=19`m=J zHu&j8qhqMn_s_E=3m5yr9M3wSSiS-K>zh%+le6>DS4aR*lyL_MrNoe2%N$GmTmJ3- z<^CXF@Ub|2TmBXf4sQ;Bz03X29De5$1vPkBd`v80NZ@eK@v(4j@FkyX8L4F+&Gmdqg~eid+7e8|M-QCQfO#95V#G^!P&g6%5;UP4^leOZ-? 
zlxP`G%t-Kx{^s&kfIPGjgcE$?s42LhB!5U0R^Dk8TH2-p4byWnLHkm`y*b3vbXyr~ z8z`&qTWULM{0pUl7S*m$s!9QCA3Rbaz{uvnClC&-SeHir*TYesS5ht8`wp&@8}K%8 z1EXFOq2ZCz^iZz6(37|pLQBR4Qz(1hlKLV79>=U!l&x44gX$S^e0xGX zw^XQ6uEwfA2)XTOc7u|0x?8KctEQ4uvOiSiGn!ldh6-@j16Deq(TIMPYq_#TrN?er#bpUr`0dh&hZ6gR=IkLuTy(!BZ z-!Kz)8oje3ct!vXd^!0#8gs<^H1~Pc`ntXg>)-yfiHx6v(4$Uri#p(40^kF(W;UIE zr!#y1IUB(XSV3OzD0qYGvxdEP1IrT;+0&$Sdo{W=x^xSV_pv_l$%`*f3jtnqFi`Ho z@bOU+3!TM|@N|B?vk0F#vJ2m%Pd9$V;$aNr2pr}e|v)#eVugjJ%UQ?@XujAVsRDYkm?bW`As3i|&MrYHm4@^c| z1>TGH3ol1wouyZk_&x5J>vLBZnOnSMMlqm^H}JIcrO$f9>pAeAops^7{%(Qwyacs@ zn$C43wAQ26`^)dlSBdLBXpNWNbr!n!y-e)=%I&g)#|*gW>z_IcO`+36rf~Zts!E$M z-Wny*IU4F{1-^}ovK3a^M96l9nSJNlg|f-%?R+ z3Ed$sna6A}R=dbR?QVLfx>_^+@?YDW|Ezu8EN;kOLrmfl3SxhH<7>^4;`T>qv zRrQ57hYvaYpgk7%uyNKVA@DQHFp`vmCFI?2kyn2!51wFPg&N(q7e0l zxJWYXW>v4j`64l>mdSQwAE<`>xprRDM`5E60gzm+#f@PZO`hCft4Wd%Q+D)oedKKX zY!0CdJcq{Ghi2w^ELr;ET0`EyNQz?$8rxEH*%cfFopodDmsIPkfEi@Kryz|8CPE z_=g|Ll!ne{U49e};+P-PTkwsG9}^qZ?PEftPvOV==w_?F@5X0{(g4;|dM*I?WP@`m zj$iD)tZS)=_1*q|qN2PT7taAG003kP008X&rXc^Bbrk%6@rQ$_stP0k@PBX+?tc@H zYb{&*O%9|Vz5L%m3&(mO4!fPj(kxJ&&1)a*_8LcvLh5+Mh z4f@b-BK>xcV#Q%e@E;}F#r-%9dlG$`mVJ_cTYXL{;yk)eq9;5iAbzVVRzxQxFlQgl zsY)5(I62az5lGJ8BBWhJ*oeq^Vj_(J)U@xy)q)XZEKoa;l4?YIkFZby?v5x7l21v9 z(??SKIB$2R4&rthN(?WdqB08!F$duZpGRSzG)gfF0HO9vNuU&$hQ=8D#3_P24 zP6;qjl33@kdt#7nJ&vd72A2L8yH92MfV}Tpd2n9IkncP=$!wS{V~c*LH>JE}MP2t6 z9Oo?%e;7hW6#DIuXJecCV*nRZ!l{(MsNd89#~BEuKgRoK`3~a&5|QwUZ0zw1X|SR! z3{z&V{#a~d#`V5{>ob@&ey+e$tYT+nuxLp5%Mlf1i3FQq?O;wf64jz@E)Q_9+ufSlSUhk4J-6G)Vwrw)Si){A``*vj#lwcF8IxI% zdh7Eqj4}nXUp$RWL!ghA6%$`3dq`IjAyRukdYd7&5nPf$uB9C*e@e%6ePBtJ87asG zB{K5pL(AWiiPr4*H3rR!5Y@74Er0mqb7xIWIL+u9-ZbFAh28dH7omtF|2R|mugauzVG;>$VgZp{IoUHO5!@m7uku8+{fEwI? 
zD@kdx7z4v>9RoW9Ma}B~5wC)_vwEq02SQ`Q^{V;M437`{P_gHR52s(f(hgOkbAHH| zJ%O|y%d~Rji6-*N%w6q$_q|T2J~iBH4R+~gH+$6)guciVi z6B_J6`sgmwFX8qK=H8a^x5rK}EIrB>e}zQJ(^DK=Hj6{NT1JIyc+B*m1x4$PsG0!u zAepHl%%E?dy4E`Z8AjF+IWH{|_4kx{*xdAhUG`E2>UIT%7hTRHHncLR@ac3BW zt~4C?4DIqy(ok=fa^LO(5{`stvHvj<3#9?^``#KiFhfe;0)tu4tpb8+rWd(5U6MG1 zZlG6VB+GZMGQN8F=)}bSIpY}&YYH|_lDRtNXC|j-r6TB~!9-&7)vr8lRnW(P@(OaP#zKG)hivW`x6K z`R%iup1LK(k0_Q}X+f`-ffBWQpBZ1cX4|H;xP~GLk8bC&b@+x28%@r1U%k92)g^K| zRIpeM|TgxEy5w^w^nqw zJ;;A(EkMTc->XpRB5CSt!ZW&pvx)Xx5FtS$U7!W!(P;_-uSWl7g^83BNq4qO_!MYj20jLh|rW=5pJ=UHvrXw90mM%)YsaZLfXka2U zdfCDOJ%6Q}1N8JsNBnng$Z*=p73&Extc*gq6AUm(n=s?sbEkPm20a&DVwu8cnn~GoLS~M4BDJ%@E^W@kM=h94H zv8X_@0fR&aRPy;!EbDjl&4HlY4rjXwz@t9xQG+#-%`?%5eDpFCb@Y?PfZVfXw(A|p zG?QhDGD*;*qW++9FSx71vYnW z-%nkd0rf@HsU^|Sf>upMt-yUIq#LmgO~X`D$>wCL>L)?&h)i~xOZ zyi}^80(0ZI?wf2|Dvpg83j`~qfVMGYr0Ve%0-rWfDv&h0gU{zEyqg3TclV5qkHyVr zTBh-D$wv;_UYI=f6ccF)#0}(j`B2ns)`!!mFx$)Ik#YcYa}anwR;K8?v(PITgYKod zso#(QV){->x{~lWQZrNUAN)=eOL>#Iv7PkNn`td}nobUt(@RLj%*L{ae_UuD_7bHitkf{!|;uiV0zd)NM`oZ9kAwe!6Z;tQV)m&yn*~I6{0g(H{r6+K{MaEFuh;S z@CqKQbOZTWZk&GD8sQ3(<1-8_!Fqqi&%6o1oP|D6$3WpyYy`^Yy8PI;zVJ6C1(@$L znbFOrf^39#3Hk*6M1Hd^Gkz^j@+X*S+S2a9J_r*-+1cdR@`xWy=P+$qCUUxX^@OMK>jgn#J z`Qpbpc(q;*XtBIS9tlu+3M<3*S3co)AB2)~Eb4C!26ICmWRvl90zbaQ@>HGvH}?Nj z#izE{PgkG-00)Qw0J#6HivR!1`Tw^r?ot1zi`fu<@CbhQ6a4C9I-(wfS})T8^)idW z7KUB3Q3Vkonq68u<_o2iCc5?eh@a^;B?C|&!8aFrc6r^!Z?3PeZ?4wswsY7WDibhc z1V$a!_&rWvcR#^>i8M9{SfMNU20_!~Y2rAu7ucC;$n*Z1l)U*EW|MT6olFE- zXE+85^g$|v9l?kUClT|XI>4uKDM#cVPw_B@;v14GLukT45!c2ZEG{J=0n^02lmwN; zyxEwd&ULZGDFkW~V5msj+OCC1S82D4)I_=kGE$Klq{xB7?&Tj9^3kDbib~Jha z{QB4crfBp2?Biq#yj}1TO$(I1%;O|V)G}s{fzAc-4R={RIhiO3)LW#|IpQl(#{>as zP)}F5DjE`VR(DR6uc=(VPTYN{3Of4FL7%_mKu#IJZ0aQ?1*lOD;ZVnaf#heGV8UJ8al@wfKVbwYv*D|p zf)_yq9x+(SO2e}{&1Uf>v z5xD~!T=vAO(>iTI2X>Y0dx8*;?WLt`F=kcj#Ls^R)?K>_#U6wSS;e-~J}Or%oFcqK z;p#SRLur!L#kY)nefzEXykY4zFiIzv@C2dUo8W5ew}Kr84mek~iHlt8^SZYXY3sJ+ zW-`~ruplshT4+<3&pPX#co9f$@mH)qZKyV$?cF@P`oTi)I@#KPz<6JhBa?}1WcRn- 
zciiwgU%$hrom{Eqqp+V=*fY|pe=QG1w%%Gdb=gn5ofea~d_2!RJuBExYIc~}G+DP_ z8f2_(7ffUuNqw0|PNbc{u*wvTfg9I&aegg-qrc+(t z;lZ}K8aDI&@*P8|yqdt@ts2xTXy(NhEKj`MLTtU|8hu8E-M1UHKSLMKngnVuH-JKA zw&amJ_X^a}*OD~5pqUFk-50G4n{XGD+J#S=@3&Fv$e61|TM{Vu~iLZos{^oxa<) zX78`+%YN)(M=lb~Yd2nXWqMOp>UCaqcXh8=qnXT;#0p3|J6pYv_I}Uy{x?0N$%_qf&4I zV;;5p{VfCD9_ki)i{6@sdqQQlkK*+EYq~Zn$hW|7)v2}Fy`gwZZw=q4Z?&w9!M0fm@?Oxh8 zZwOaYBth+W4eLx?yX5k!mwM0{O~A@~z0-nmD}82fz6!&H&i=x542euUdGLFAb?5QP zG>cswHCL2)gi7H-HHtXX;Nlr501rc%e+IG5|E*Mj)VCje<=@>|0rek+Xrvuv>dV-H z-=i$cBL@~o_QCt6&X`ftec1VV{@#W1j1a%BB&erC(C`NS_wv^U;hJj%kRy!)##MKO zxMD?9^oOfa8v<2xWi?g**#}()?;eFPZn25)(W6J1!tfBGweUy@(?Ji{%W3pq1^!Y{ zF0x;Bmhlrq4NFB1R7L1?OJAlD!)?^ys$OVPM1kGQg|?%#s2xJteQksS6pCo(pm7$# zY_R&tOTk{vHJG$L)P$3XTF!D9J4%aVC>giO=?8i#36mMHfqN{QFlx@6F=x;nbYjvT zu!5_SM^5MVseiL=e2XT=qo(vc%Yg2wwO8oZv;(Y^5eQ$l$uE0ifL z&z3h??je*jgQjJOmC)fetHo!Kp9+=z{mD1Bp*h=Lm6Efg<4%F%(QZ)hAHCwMR zZJuiBig*JHB1mh11)6mT9541m2q{75uZj7cqHGfX z<_=h`H}r28N=V3Q0a6oW=617Nr-b9|9dij^Bnw~oVlvxI2tX-W$d`lAI=WzZ4q)odm4-4`>-@{{k`BG7t2e;g8Qc^ur( zzSvMieo&euZCGV(k$&@R4#OTs1xL1V={Wsw4Yvb5)H zVV#E7ZD|LfDx+I)en$LIr(0dt+2wNYT77LVp?HVAXX=l0wq!>F=ZY2o;|EA#!(fku zk@=@Xb_4G#*Wo( z&b@*t&$xWocg>x1FN4!UnrDe7YhP1XU`FAFdxp@Md=4KeH#566iGI~r@(VLtYjlNC zr4*GS7&epHZ7839l#i{Y+_Ifb(+=SkB4}OS!Gk4_n?4I>~dE8LHsK7({51*}vqk zS?&Yry?(O z@CjHOoQwN6NaL*0u=c$Y-s&#zW;}T{XQ_~FHd2F`hu+QJkuh6p?JkAZb*}2q?=cD- z`o_TZ_qoI_)@~$krCRsy}MS}(zf9({;i!7l(} zY`+b2+ifJQ#Y>1Ma9TO-RSpk)t@5$d8G{FfELxhvvNKIP|Jw^4zRQY+^Pm4d3J3rI z)_+&=|1U52|E}P%%DT}93@EhU@RrHWw-cPNJ1<^6c4g>kcBjZm!!}pw>V$E3rX=xBM zDL*tcu=5#M9dq?65~np=%ej&~A#`A)2L@1@Y=Hr@R=NqHbr88%1EJi5W}Ouc*H5UyouM&Hkaf$C_RC3_n+U0!?KRvD-dN?t=(CZ2v!~71!-5%;EO_~2(d8)}pUoASeV%C-!n%e3u;>^M(zm{p$VxTUFy&Y<( zvQK>-+c$9F%PZ=sB{qHqcI_C0^%L3OrL5s3aEhG~R)m#z`MX=uwzchxOw^g919_Sd zm9%5*e#`zkWC#9*qGHsQs`YXGGLuO4Srck&*Ie3-n`>?2vBNBaU)*B~%JYEw`!KT7 zK;a{9W?j4WzgXRgFkO4Ye>mMF007#5Uq&NCXH&ZW`yyWPT03uwCG9>_n_X`ZVJtS2 zj%9I^%H+^2!daUtiYhtkaG^p0g%Pa~^bY|TWmJ9Mu5L2}!vp|IaL(9O-e_n>XN$|r 
zyUX{TG|1=jaC!m#a(n%qQNA(dF_4^+)5Gh->ix3w`1&}bT*^LPr;?Ok|77sIJK!)m zy{k+2RPoHUakKR3`&*9g4d*YXw~j?=j1pcbv1DI27ce5m)A5c-a-9ou@EGnxSP>7L$8C zpV{|S5Hz6ct>=_7y^;F6F3QIh(UT_)$0GnS4I(ujKzSGLvv+vJ6e`h`F3?^Njm!by zA>mTlRbUyAUz55Q38;O45=uXZUf5b0&ALGwUw*eSVnWB6W|k-CKtL#?pbjZ^#xxYc zz*nmwN(1+d(?Gf>i-62yjBhrLU#1@Y+WIm1%e@U7cbAUO2i^wIW_}vK10%#I8lS+slrhc~;XPTZ;UiyfD-`PGF@Yeu%de)ja*^7EC| zzn20t%UL8!`1iY67b!U)0PvNWJ|-mliQJ$H0H!FQrW+jY>e=%R;LURiynrji9pG3CH`Ft0=|IiDgb_gmZ*Z(?R`v)?0kWFo#2um=UmuFe0~>t~h17BnSzXL+RXy zwbLLixokj)HKOTv#NXx9tQgtyO%7SZ0(UpBQ&9mY zPNTFFKgNU6NB+qNSP2dpryA>FITIh+OM$zf;_`cSNQGAkHQ4Y@kDv1gAAkj(p06iE zFJAn5Z-GJi15=ONpq;xF9JRTC9?q=zg7uM5?^cZ|GW%Ne!;UZB9<13JwB+++&6XP{ zt@n4g2R|PDcKn^*6^u86QsI0jJitv9Hv6)hW0(Dz8M4O)?w?~HpU{MYPaB@T-hin4 zF2?GPXeby-wLNV>FipPgfG?x-m@o{5{VyB8d$O2dNuN}*SB7>1wsNThfT!qbAq!vu zwETlXjMSH`?d&oF*~V#qB;ba9*Dp@FR*nrYhJCPz!jnEHI;Nr^5ookOR1e9|SRw=D z)!RmDHw%wVB-@leObRE_(H$4car6y&j~onQ7}f-0>z+vFmPo312^{o;tl+d}OEdyu zA*bjFEZdJTs?xb(B_gFkT?+ZyHVY)uUnE$i(!ZOlV`F62d;qdN-U?glmGdsl29*vE zZU9iT(%-2^n-~e(midt<=X20Nu!y~#6`6rqq;?1&{kED?D665e6bspw0uSmvtNAo_ zaq}SL5VuB@3-szz9AAo7!$H<9rU}DoVoCGMX*iaPpml7C!d}76ke?RU%n803>6G47 zFl;P;%N>*5-0P`WkMFunwJO{BD(2veayGZeqUthD#DCFr3=8b$W-O+u{I$gBtzRIB zep!Po0jwghA~E496;oLt=M6oQ&-31~Gk5I>e%2X{tWSkZ=S zCSxjJYMKMYd8jc6{54B;R5T{^%PAP#1AHuXmF09E)%ASfgP>njg8>5n4p9gIM{=pO z?~Q29J>JYcp(U&FZ{86&nJF6fpe0)5XM}{>$PDFc!fU-8+5i5qZ<~$wNLVSBT>HNi zX0v>%MyGe2rF2+Z0#*Wh64BX!Q{<8CjjMe@lSOq> zKC7Ubtq-G0I4WqWW{lgzB6k){hmOKtK*);>5r80$^MTYsL&E8GRRw-Ey?hlFadLF* z6}Ly#cDEjh#aAcuqZD!$pVedi0H!Fq{f7_EG1HaFh|gX6z_z@b&*dkWRF=k7higrx1>W*^<) z&lS?^D#57S)3+KlGJY%wbZ88qRO-)X_k#FL=&;8OO}XL@6qOh$tt-M3TuV3OU=fHv zw=SpAy^#?Gm!Jp%Fd3yAkXyql9V){ox3w06 z5hkhENBf@m5SswH1&qsI$_`{ZjE7$VJu!?+Cw%7bGGgw%`}NK+rm<~M4TCTM2c@FE z8i>Ax+t3ZvIwu<5#UvqkDZXKkW*Y2&Qy?E9tBk&_*L4M_l(5Z9y_V6X=U>~-o&P`bhXs&p!10)oN?0CoM%@@a*(7Yao*1N zP!9_=le1-gM%?~@I+RGki;}Qc0Gu0QoulrYGfIr*t*mH?Lk_D7?8(VX&6y%4`b4v} z+Ag_E=Up~R$T=V}t`w}nW|E1v&9!}~4l$qsgam~`P-yXltW$xboPA(1<9*3~4*LbD 
zIfn=aHdr(+854LSWSN;4iDk$hLrP)S+RA@OgG9ylS&%~E$51R7&Qs_s_Xn}aS6yO?==|H7zjW|09_3GeME)5GPNNNvNK`4JB(b8#n^xay7 zD#KEzDnv2qTi<=(gFQ!dB8XZg2EIKd3gh}xTotZF&1GuD#v4H=yCH#+z!mb3E`~69 zXo(MrVTZmMOPHGsl($7ymtZl%BIv1saxfx&?z!Yfyc5{Now(W4B$pq%l$g?Y% z2aFT`Hs(UIYLON#Ry4x;?t_{Wft9hB%gft(>FN->P$kXH0SgK9T2w(K!ph*hRFv*= zIJ_0?7rMuB(aA>b#$+{r(MWg~dr5<)jTy8t&!SnsQCo8-P|K@np{md~(Q@>@M4UW! zlt}Wl9(%BKmV_NhJa*jUfPi?Wq$#Rd9CJyyHS2;+-^F7XZi}36Yx{n=-w+obhr8uI z%XsknH5jKgYZT?0vte_nU&Ko%Xm^TT@nr+*5&0mAEW#Z+tFQ>6)4K>QtjLzFAN^aJ z{~eH8!$iXSL`($-np72cFg>aLRyUg)n7k3}-;mg|d{3LyxlCQ*Z($`1^!NU1aOcjt zmx$5nLfwMvmEZk^n0ebMnM_z6swilyN3OmShIE<8RzQ8JGqOce`kqi8OAuL0zO zAkH@=cUtqxX*El(orQfl;@8^aJnT~1*nPe*;=CAKC%R%<;iCIQ&A-M28vJKOQy^Q|fUXG^-Y{&WTY*=Fn1V`bX8!#f+l22n&(nO0S!Ryk_fxe*i$DN$Ejt zM01&Cr5npS^`yk>O(1uv0%O-nSTOIQVShfN8tW)+JO%~fdGozAB18`}a1QXsOL;wN z>X;=Q@v>sxhi6cnQk82=nZvBxIkff9r(9k=Y7Q^hZ^gk#t}|)e^A$A9B|D55r;BUx zE~6Z+0*B3189_D*Qu20Tb<~km%9|dD-WRU^0U-x07z-fFs2im|x#^V+z}NUXFPmiY zm*2=8j$x#*Jir&vGv^Sl0H&J>7|>d$4x+7Zmhl1_ltBv~R;Y_u?FzVh6pq)Vp;mhx zI-T&A)%0C9d5%i4v#$u0J?!sMFFdY34PmZ{Q#cAK?y%!z>;OY3(vlJd*q;>qa(VUx zlf<;lzmp88eCACw^K6TOD7lOj-n3X{k& zfyA)?NwijK1szzhp8Oia0Ht~`Nm-7?K%SGj_Fv4?0$pq3xiLRWyrNSRnA3eST$b$t z8aB%}1hFr?{valK>7>Pj{37c5EgG;DDgr?z{vr%>tyHVl*(_^06F614eMmGHv&6ul@^yHn6Q9Mm2AeQpgxJ@ z1P~L#g(q&}Z3KoR`#p4DaFz^6oIOU3CQg$47+!j5V4Tm%t?kUI_Yj`g7HMqRpiTm| zMyp8nSFXx2J^Ga!wRcJahU6t~wA<-XXPSrU!cFL<(#i|FIPKB!6zLZVUL#LvGl`6h z6x<22-kQzgtgKovYj{E5db8zFJC=427?#JKO?6s-LGMa_dVL8giGKQif93CgVP7rujwSzo zhYNM$`hGx=?rI;P5-htI2(%yeg72VMOPS+y(H5{~oRet7x|q|{wcp}g*XB3i@_Y=R z?<7R=HcG&>RkTquv3m(Dev_$h_UmlVPu!hhkmCq6m2CX#>P*GXP&0HGfznE2+iEsl zl*a2Romm&g3W_&Sg_X7{kRak9@)u)x%60(fD`uvXP z{#{7Q7A0Zhad^%V;d(cE;l7*d7mR~Uh?x(tAni;}veX~?64;ngFx*2Yi zYHr|vI4Jk+(&J!m&p)%_e68A!EpU53ba5E1&m?v^DtH>F>{|4236UCNiAarv?hN1H z_vC$>YYiy2Cy3L5T5Pvc{>V3?OQyeVgth;rErLX!BE&*R&vb^()#)T=UIzLe<`u(G zKgj8zJ=eNgQ?|C2V|%xVoQOSoBes2AQk=r+?&Ld^vHirLqlWI}-Bw1m+ZiZe_;Qn7 zTg9~tCm%K@yS-eK{9NHoqUDGygRE1Yfk;m{2_hj84$s=z!{5+&)6U~t@2o5(aoMq9 
zIORXR)o5tjx7kew#t_prj0nQoBGu=In5D(D(l}FQF zAn5RF`es4fd8~8gDrD{wUb%bPIyCNQd7OgfqYcb;di{)#C7ml@ZdtWf<8fn6VY^wm z<>frRax`gyk^RbEDs4+EL?qC9upbnB8`rs3SDYIT-dqZni2;UE2^%+9FNgKF(M0~U zqBi);-W7UO;UE-uK>6mwMQl1Zq#c;Dh^LVdcsZke$+LZrcO>#+Jls+{#8Br+mATuR z77>KIIybst)x1#mnnU$iiO6rpad%pWIp1e$-(ps7Cxam_Hh+7~t3b-9oFQ#EkeJ2? z9vsJqp7i-T6NIT@j8`2fulONM^SK>bMf;@kRco>5yXr8ffo3;gj%x(ACopKf>|0cn zkDA%x-<%q}rjl@_lZh|RFlAklA5RtyS^BN6l&lWDm#=W|)tL7Zi*7dXU(e^YpX*nPi$I2(YzEMY&-BnX=w^F6N!`%gCslKS1sF#=;P7(?A?szTI=rC_0xqH# zt=SwtDmRDO&*Y1p6!alQdp-ObR#Vlw*@!b!`7Fx7@70a|sWb<;cc4pDCy`{V_ALoz z`ULRFs-!0N>|DSBx+Ka6;Q}0*VSDxN0&fiRAHXE2->aiK{t@R4-LYBa4!7e1ah3QH zCvkMJ_&>uw+FiZ1dVNO6nvy|+Qh&g&Gxty4C$44Xtz2Cg#h=r&sw*E}%eJ6+wht_u z#8zrd8R%z|9%RaWRm$nEh6H|-!lL^@Beg@k>3W_B2RL)^Zt^ABLq+S3FVaj*0;Spx z^@;Q|yQFT-uS&C{z6Zri`g*q)J(36Gs_X5Y|6Y+ANJ zjj6jESQp`B*YB2A7MvE=4<1~aYdPdTod}8<{@PSd1)c#1jHnw&R;EZyPFj2OVt;o^ zha1u02b}-mL=>v1rD1J*r5YU_#Ij40wHDc(0Dm`)fG5<-4p9PL)k|?U=~K)pe0z(z zTTD39U&1n78ZIvY3iVX1^m~ON6=Zas2k_6&EU)n5vY^=gif}JUNxBT72ND`j_Iz!T zOUh6}H2ODR_Z2$B3P!+_T!xsQC=PDf1MU+Cfnu8rwRM(U)3HXLbqp}FjoJ^L2chg} zIvXV{&j$ze=!i2lkkq|5Mb!#3dRelwLaUE+dG2))Aa8RPl;t(4eeuH!%TwsL)@_e? 
z0jG4GTpUx!UMp(9mA!*>ny+5f0|Z>8XAFF)6z5m&YpIz-Mo7Kpx^th5lJX$VeJ|9v zDjxsbVl#d@Yu-y-0^@J#^X1KE+dWH3kP!M`bIXf&Z!{l zvz)kUE|pe=f;}X$IiV%|afH6;rUO4Z56#7{vfQ9IWnuJs)yNv453YXf9r#&(nxCSc zpy>bM>zsl_3BoMhwr$(CZQHhO+qP}nw%xaF+qm6(cXoFoCU$r7A)}t^Av2=#uRqWE z4scmmNuolcJa)Lyg!60{E+>Lv&EN1#mgit8+>R|fpVX@|ZzK+kUh7D7cs!4%m#EJ( z%4FIHA#o3QMVAsXjXCgTAH16%w6Q-~{ms7DSEEBWe|soj=qh)pRD5Bs7|@PXBptwK z{#9&JtQPM)o)IDLUVCq^&^UfpDeHlfj4JFX+__c^@I{OGgdZXBk*y*m6&;+PD@IKz z=)O~aqG34kBuUp5DxH1sPodEw{tIyA>0Wu+Y_2mSp)qxrUly`dtuCoYKj8bxp+8yX z)g%D@z~UtB?#64%ANoS2tR?kZzj!R?Oejo zDynv%Du2W|{k2~Mk)G^VY<+6x;(rMrqYwA6v<=~CrW#r6NSFZjAu*AclQ*zv)(?jl zEaqu9)vul4ONMB)&v1VH^q=Nl+hub)di#l@4H8fyf=;^8xq~?mV1a`Zq@N>nTf_qq z){wrk@J?DQPo+yo`+IjXlc2*FwsI@=3R(dKGD*kDjN>$Uz|$|O*CPNBxJ^11)DTEQ z7no@hel*DDWetx)kUjC6@7=CJLi)R^n^&s)0?YblFsd8>Ll?1|dv~tHeZCHF zt)yA1y;+p4zvpuMm10mIQta_o_w4d?{0;X{27W( zsek>1gRRDPXnR+UxYCp}fuiDVBbApd8w&83^QSt;Fy~GIh7^_$?^f!T5o@W<4#voh zr)1DB;?qW2E4Uk^r-gNFbZz89P%3`&mlwqFDBPuSX~=8fYTW}^mGp{u@|>`K%GhA) zL`A#+#MKu92-7|L;p&O1tQsRK&?RvaDduY-)T&EGyhN%tfD9qcU=qyBVumXAD=d}P zL7=#2$kuY))SimE#`>voH_Y0z)6vw83$IQac#@UgjACo;KtyF86Lf;2D+uI!3Mz~~o; zjo|EV@L{tfU9kl1L22(b67C3cG&4`RkZ|o_wK`ipoo+b5Y^6eBa$B=?w1KPyp0D{b z4N2ATaph4AFi1DqFhOfLZ6Po06>en%9mP(_tuhyx3}I(sgb%_+n!|2{-61=rI9b(Gu|VLZ4t3shI)XHrt`DKj0+_ST zl4y4biXd>!6L!vs{R~lf04X@jkdnKTurf38D#L%wxJFgkk=W;kWnCB(p$2-Y*GRfm z?&|1~B9}F(PD^4T)T&KbrXSRVenoW%W4ek|I0F_ATpw>foES0ldOcre4A?nv^Wr-$ zk_ti6OPOtB0?z^(1+CC7p;-ZIUaF1zofllLV^`U_yE;}j2sZurI{c>1jC$S;SEcxl z9K$~8>d6vdHNo!?LgHx2axc^yUg{`)r%QX;ppXJR?#nc;nx9u6k(#toO3C;VlAUO~jVpii?85*|kKlUBqLMkD9N2)rhx3~T zE0R^TJPW5Or|0FeZjXqU-50z!TfB2sl(@6}=kJi2K9s-Ng#CauPHi#wwM!Z9(Ml)XtjE$-f$L8|WT!0gg4+ z>{l*c3FJE)EA%rr`aQyP!^+NNKia>?ts_BvRAVN(Wg4iRzxBYKRkKy`GlUjbHg1@| zx1n&>+>EtfftuhnpCZ^*Ta)L9YhQS5$;!f;rg%rY<_APu5r8WT_l(cThs+{8B;M3r z!@!_oS9I5Vn2f)Cp?^KKJ3@o=6rvWei|NL$Zexb|xOg<=@fEcONJaed2^bMl5@Ami zO~Uvi0`oKitYXhFziY_$E)!4_e6TM*98u08X~F%QD8i=T1Zr=QHm+3 zmVKmID)8f&g*%yBMieU1{c8cxi#%FHD@l`{ 
zIF;_?X>Mw-n5u?h53QCDKehh}t9Hec8!yRQn<(-SQ^U01L$V9M-^jE@VeayV2X9QV~k z=|X1i^VOv5JNPQF;YeOl;QboPc13MJD2@UvRV;<|W5F(j2}?7M_BfeQl<1{031%*l zDY(FB{ltbs{e=IpDy_XOMMY4RsJ9o!_z&cDroRFpCekpgs(WgPV{|juoi_lLn9$VB z=28l29Ot8TwZqPVI38Z=s9-SRuMr;s>c{mygmD4PwgaNX4y*&xs`WD7@`Lv!1}C9G zG~)A!GV}=35WD_{w)A$}ItpbhGQDc&Wu@vITxueMgX)O8PBmY$P`@e-IA50{!u@56 z0LjYjxo7@^Azs;?I%y9iztP#%POX4r$6Kzz3d5D)D;@=WkQU7!Lu@05_9{n(ZX@hIYk27_9jdlGx3ODB-TjG0 zlKxr*-Lij-0xaRMXzS`lh#Kkm)#rwW!PlB>a%ns&&fjF*|S<2q=@3t2j9^ft+hNx$s$1jq6A@)weqZFhT{EC-^8Acig`ZOJ3-uf3PZhH4F4?=Ju8AMKml=ZG7{jp!hkAq_b%gJa1=9P}sI`iethV_D<;yBw@7R!Nuy?57TCVqqg$q4GI(UW^g;nLDzjO1c6DA{&a54@N%t0lb4XT zC~eWpbE_=@+w|KpFRiQN*ZKMV9^9?l_T`$wrQ4LUV(I_-yp-)=#L_IC53d73T|O2- z^p2DKEt^HCHV}iad#Ho$m1{H1w<#Bd#@X*?O6_aK^La9*_R~gX!mQguWyv-k$Wp0> zNkQ=Je0(#za@Br6{KFnj521z^J!mm-y(B(2px5gReOig%+-aQ4OZS&)S;g9;mSr!_ zvU!eTG?8O;!hRx)oEeE59BO-y&IHbvMz0=;U8?ifIm!wvgbDRt;dHsL=|1%j zf;L@Y=w`FVmM@i%Fce(0UbG;R8I8EHYKoAu!N#T~eAwlasb{}-&_U6bq+CM_N%&Gl zoq-BAM9Y9|H}d4mM!|E?XC@!&yfm}KY(*==ScG&iPbrb4e5@75Kub1${p3{;bvMEI zL0xCJQG4E#@IeO|7+Jnzy-NZETt2ru{4m!bpM6D6o}{bzHJEgO{t%e_=#0w7^>@L9IVvK#nt_Ntj!JE(}s%}xL(2v zSHcju4yiaz^4RlwvUFp)t^1>Q8DBid7akj?=L&IYPcWeav2h(0oziq8Uf!3fnD>Hl zO}5;6d}ngzv|FyP@5b2d9Kz%QxCcW{ewdhoBQNsf+a3!l57ODPDCWpf=v&Lio+?04 z^%-yq@(xtw=hpSTFNzC$4WD@@xL5S5GX|QkiYXNv`1R1bvdug7A3%+0{MS$xi#RV1kgBSM#huW(s%|f@r}+4MKe3%QQ|t<*srzKaA(hMd>z(#O zxGLF^)>9Wss;uSYfl6zE7j3H%4c2;nUk5iYv(JA|s8z%~qXImCAd9rsp46B1A2Zkd z8UvnQR8}kA&b~AsZ}~oQ3=>ar(aZ@~$e~!vUg@9Ytu^IjoIZiJQ<6~jN{omY?b*)z zk25k)xU%cqsmFL%aAK@PBbS;uQKRSvfl|Nk$AF=XwCVgCFhj*H(jWb59j?ZaOSMY-K$mTgTzoC0PXp>5vj zVyqjb&UG0%_{Jop*<8W4jiwak&VM0fL5!~RaCs#kj9w%-s=SKBH4H8;hY|$jO_$sh z8}io7odZ5joO@b5Z!;JDwPG?8{K&Go(=KEhYTz!JE@d})!)}{v^WW|1?eg))j6zMW z9|fqvEf3*PL3MF>=y`U}>vJh+sB+Tqjt=^RPabh?vf9LTTHoe&l@OcPA6pZ_`U$A!@LacRwX-VUP4ajQw7unwx)+(*p=z@yI0Yk7 zn1mP)!_s!fCq=Ha_yKVHjj(O9sG_u3T;M@5A~WpH4(e!dvAWK1$->Lz#k_Qv*f^9D zwX50XgsENZZ0UZR%(zh zO6x`Yj{je6nW?oVD@y-7HOV;tPc`m;2DAP5BFI^d|K-X2$0|8kFlYd_nCgPXNT37W 
z9Xd~p_2r59ph-{0TED}?i{JwJ+@6|{vm6+`^6heq5x_jULO0?hY@%(!U``7#L zB}^Tvd004s@%vAAJAaq`UYEW95M&m1sTuVusSnCy;%H-l_4ho?ba}mLle$qeYZ_AD zX#QQlwRX=RC|GMm$AP^NN?<2g#fc>RZJ$uwg=;NGIIX%_WaV$9SEkT_(SNJjqIgKi zIxzweJq%rGKrY<4iwyjoHb$s!(1rt}&MoV`uzz%oR;FW}^EF{yrvVcEOo#+1BRXI_ z8%Rj;S=7!$q6hCS{T^6A<4kccNaSx85`()BbcV{~RO$%BkD`47gPRcb4wFd;h%ym! zK8N^%N3`N0=|%J-IE5f$lWAufgk+nDKJ`vg1cAp$;v^P`5g4vrdLtf1-0*_Btz3I^z z0`Ckj)_~zzJ^6Cuay)prrahBxjBYRqiAD~#L#3x}T!TKWop^#Ggx34m z;w&IqJY<4E0RGBW_;8d6)4paQl#jWx{w%tC@|yTV=HXUOv7^!4cgZMl63fUEXMtjM zUfVcnIy$<%oZKC`yiO%Mnqo^_|NBtsx+Zly@Cu9~sk%e%AM2+ZN%za_cK(!l4_h|P z*#Gi zQCsm*=VlKR4abEq4$4g0yI&JBS4LCb4IjjcVqeOxZwhT9MZ0|oe$)WVLI}@c845Y} zOQEr0Cu-koA;d9Vp~6h%qapqjjr{fqs3qI$a0kC*YzuhqsSM~=5FPeMX7hVtjC>$> zt0)g!)wL<!2k`@Ssw`EnHAdVNsDxq9{QIPR?>f&~BA%DLj;vHK9X*S_d!G1LJ8TUX7(v=qQ1- z2^ldIR<%S9%%PK8laDZ=Yig4kWmp;r24PbjGBLGUrbS@HjT9F$gQj|O6d+`@VUh68 zf0iEW2%$c(eDp_#-hULHEN(WQPr;euJPn|yP1}<4s`|F!nt)YxRmW4#Od5fth*}?5 zyVCPHt>?H6za*L(piIMu8e!i+xdb2VULn)OMZuOWh(L@}Vpw!gVc?EO)_DtDq4mdF z-}3Wy!{DN#C-%ZoF-JckKy`En36TGpdSIwFE-2YnKsd~;+=HWxJXO7W~}gM&`GdR|nJXG_G6%5((V-g0>iqCvvZ#6Y)Z0FsrV6aIgOc zsBpf+pz2;S5@P2d<^CIfBGoJHr`;phz9XruLb6j-EZTHaGFGZKH;()q3-EmH4h3fe zfhMFU*sMHeTLk`~zOjI8h^o?i@F?Do)fzU~OEN4zj+OlWVnfE>s|VZo!i3UB#6Bn- z^UU8+GYZkEQH(THqUj3H1iGEOfxs9pRKk+$pGlyJtp!B$?I&IN{fqqxw-@gFF7^`h zjov1W%S1&DwkMI%%_zed+V`+`4zjWjb?3eJ81^-sBqH0c!rBK2U){#nS5(0F42Kg6`CDvaZEXe ztDFtsQ5bB3&PmEA55c>J?#{n+IZgcT=b~2nF;Yi^!&Ch#6FK;hy~}(0V&siYZLa*G z`l-gw$aSR`t6cCn!ZuBa!^f8Vf_1D?ds}~%J|qjfItu?#lOZUaPzb#+nmc)jUTx@) zB%@EK8M_6y`x_dpNJ)84Q3+_umj}$|F#q~239`D%l2|P}Qne4O>Z*bFN`Xsh%%(J_ z+Pg`bj`>Y=Z$Db|l~o1<7ueRv!RoqwWWp=hw0#;(2Lec2yWBT@P6k-1@D(%-50prX zEaG8D`E;W{VCD_Sg|ZpD;9&Rt(JZ!^u@-G}Io0%3n&G`XrVv~wy#bGmkv>YDx_2lm z_y|K5HTN;|Hn*WZm@FnMu>6Kmi9QLeT>((?!s} z_eWJAJz5WlJA4tJ#cmbZmHZg}uoc1!i0&2?(TRF{t$P@1-)L5v0H5K!1gOIuTe0j? 
z3g2aW`1?$D44nnzSI+sN-<}3;tl3u7Quvbi2kd{I(*GD@|3-tSjmCdG{O{>MZ3?tZ zbewdIbS9S0F0__*X7=>|K@+dMc+cMN=eAq5oy+=9_?=&&>ZyF)4qJ=erYZJ% z-E^P3=o*4t+VQ_i8F%-_ZKwYDZ2?w+6hru~-Yx|rV0gISwhH~+@d zd--&_PX~$O+bgUet&SSsN*xCu@$>T=oA)=zzS)+!1x9DFCUE0+G0o_iL#RNRpy_%i zO-|v>cK1bD>kK|#cdfS?y0bBy(BAoTGq%0tDgLd*dcZcQ0|SyXx5Crn>E&v@WeID* z9k^EreZ9+7Z%J8$eu$(YSaqszIxH@Y=)8Xc6yS8&MMC~C@~9X+?&Lwv;eep+L|Y)) zo((k-&vu8^r=@52G8Z5m#P;M74gydU==V)Kj1m8HJgo5h56mW0y(i^&Y`S3zB^(!* z=rV<*kEe_4tIYXE$2YbB5FU?=@;79-&CXOStwrvAc}0HEVSGFrEpE(fZxQY*K4)n@ zO=sW_>-45BlX{H;Jn?s;oF{1i;f2p6@w28%ac_xN( z-XGF68Xd89Ko{PQybll31s>$e#ref<4+2{RHvp^k zZ?$%Le}_baMKir1CiC>Md$zkx=~?C<8;+zaa}Au9yU39wgoq1_g#L9EY3rikiKeHr z16c3+F7`6C!`nc^TYbnpFJnMKcRYZB27)`Xj*3gIy^T;#mPNOOlHwq}$3FPzN(MbdxxO2G6AQ)iql@*-<)1LXwuV+W4`9Vh5Y4Cwz3cP!} zXq>%A_+3kjK|gu7Ie8tv2*7kra(`;WI$&_yX)Z;v9wf@A*5__B46fZQXcX2=P{*F< z>g_Qh%iUZY6-U5;n&$~w7GfgCfmeHz3>i|XClU6pnc@O>^70vV75S%$(MQ$3iBPCE z1Ew+{P*sZn>FZw?vmECCFka^c{)p>h&(o!tCB!rQApKcy7)Z~Qx@ix zge72&q(%V?d4HI&Xmo-nq1R+_w}Gm#%O7Qzy!07YR+1p^@UziioJc61?_`}Po%cUwQxkPqGg#)iwq`^6P?Mp^^t3#tPXT1RkYc1cil7? 
zUj0~8XqRi8F{g}l>+$Yz6UDz`|D_@~5E(*I?vw|tFrH!$Dj*_0 zkWrIkc5z`+!v=zmz(*=7>3_#X^=_ZdQdFmVgRqD|;M7T@zW_Xy98!bNl?b;F|9rQ2 zqah9($2J`_5z|Rm2U)(qpNOw{^3q656yy=~sUT{w)_4_oK%Og9GqhPubGdkF(zK7z zhJ=+$Ymw3uq7nd~6h&6Nh!v4CiC;iNOn22Tx?-j6Dj|i)uB#31=l~C9nLb$hcp6JAoFlD~HV3o*7S_@c&tX$;e8f;d;$d0P{4ach3dFI5WOzoVP zTQ%%JA`o4)(ExL71hc@Cbcxzf7@noPVB2R4PJ7ijKj7g!p#>E0?=H`-{Zdk_MFT&8 z$054k4-AUn{6`-h;cJ)yq0_plWH~*Ny-}@c#d4U;6O&l-ypJT~S~Dq|76FPi>C4cc zdNhT_D9;Qwv`50FxWR{H3yMr5LQalXZgf44bPVQi=IFV($j1e_P(U5DYbRIvMQ}!B zpwbbDpwY>oQcEn|5U^<8eDY#$!Op=ek+RuzJ0xd#VabL1Eiwd!TNcrHsicH1lw0y} z0o4TbvOTc`mV^-&OMVCXxt7KW%0Q$Fs~AX}Aw}{4np`9{$?fE`Z#TD+jc5(9hDM44 z`7{8E!VGjL$y4EEc4=}nq1-riRqh94NenJTske%(Z4T2YF$V-}3h^M9izVTa2p6r8 zNFmi;ex{*2AyvP$^Lx5r%hv6ipR1?aqrXK{Pj7#Ge={$+Q!}OAy2MKEmVlNWDLa{F z8~a>rUK4!UNqfA#5V3h_oxbqUBk!w|>WZWCS8JpnBtZrBvD{Yn<6X0 zEPq}Z*|*;nxjj#^A%GlY2YnfFf!vsK9wEuSmp}CH<-?OXwxiy>V-5ulXOYc>_|x#Qw7BJ ztWG% z)1eedR#yGD&Fg9rtcOohi8JemSBMRR-=9Eichr55WY{k3TyYJD)06AH5|aRsh=#8@ z!sLMHlvNP`gnDp^Q-R77;j@t{^LYc1`U!Fpv(eay!dCxDhvh2ozV+K4WDt@J`q%TjkOj+L7R4z8e9;>LR(>L+qfJBYyVO~8{? 
zc>ga7P>7v$57+4GG+yA;1~RE$and`^r&whhYqo^RsRqN4i2b;diUW1@{gj|Z_Aa8q z<`c26YL|I0K7J8QlW$|v!oS!grO8|k#Fj>py!RXt2$OJhqIPzg#$YNUG!i(xvO^B& z-3u=S9mK|A>DpXle+;1J(*CxV2&IW^=10bjXx?yiY?=_s<88T>r?}7*3`7Wy#QS3Y zdS%)HK$e4*4F6Hli^8_L+u!9zkMYmIb%UCTwVnyB3ZB%db_VCCwh6Sb-Ugu%MMK5J zHPYW$pB<#NY^^Dcq5x1KaROo%@OC!%5{wIT?*O0vvJE0CCe|D}XIA>ZYPlJqH4q@G zG*D^6sb3MhSREA;RydE~BAQm^Z8%0DB5tc{HXS}Y3&DfBr_Id^s)fe?_Re)$4ry`S zH(PjHRwTS?0uC*_sdk-C8Ch2k^vSq@<}oyDijq3#xE$&7WF2}~L>66SNazj{$l-(5 z9|85A@>hOngfp_S>~+!O&Ph-UbSuzpe>^_E=q&T$PF^y!RX(Ay6~mm!d36Mypt>6} zrR(B>$+5-iy_r$8^#WdiGT8EuZ3lTTNmZ- zzy3Hu;{=2qNSJ$Cjhr!F$xpxxmIrli6%l#(-FQL!VSzv>Cd&d^vy)!|9iYI?!Mm#d zgS3&r=44N7zTmD-ljeuh_;(U`b(pzADFjhZ)z$y_^vfy^c{Qa>r<9g$0&D&z4CPKx zt3}}iP=6Jw6Z6&Z@extJba|5Te+^C^#KqI7wi3zrr)*=*D3g&l%qZ(c!rcMs-L+Th zSEA2;pf}a8<0OE)twbZ7aRky#?I%RfWXdv5_Zs7jH%f4;HIzE_B1w-kXUs$RTk2&7 zqlxh45V3l!?Bd(*y_4iAX|D&kiHJFGJTv+uiIGIk=^0r4CUGml=7#(Mj0D zABhk~%1X1=mSpLNW6~B@LR{1WOF>}=+H47$kcWJTU+(pusa{pt%=ITlgdM_nx(Nkj zHtjn-lEh$xYN`+Qr_msIV4q~MD%!~(K|Qz^5ln*-w3<_OvW`CyQ$gviH1WP|EMG*{ z2X3I*I%)W4xEm*^v;=G%m>b7-;%4k@nkhUYF32)%x6xZNZM?}>sp}Ed2w$Dez9X&J z9vmZ>A@1EFOrjC^@c`R2(oCOEazzCH72|jZZul25{Q8+QD0Ykqt?%*EW0T|^GDhmu z8O}!z+@!@1Nrx%!1FI9` zz=|m_I2DqPW$QTJkSc1LDdbE;r9?@^X=R>sArRRbDfKqK7ttu}3kl1tM>VKxrfp`4 z0Y;m6vie$l3N)gI)VN(YO@^1M_U&Ar%qoA(K8EZ_`8aEhZpu!RFg<+OVOG8#D;71E z6W0bfHVLFLf2^()N(b+XS*j>2_4%&(=|~{hY0XdqnkFQt{~wlSq6!o-#0W zno@5lQiXmt;nOj)cqka~<4Kd{Y>fIpaZ-W;VilDhkYHlQUNUr#3z0$_U)ft4pr?Ue z5Hv=r=QVueqH!$fy!-Iok5DNIB)4NIN<@v_^PYk_VCTcmz&?U(%W7yzL=iSyHrP@F z?BImLF2a;LN>u+?%G+d&AZw++G&G&1)Q@kJR)+vkZi2By()UCNR#%a0DlavXf+h7txdu&jqx8%w?S!zRlqg*8* zajn*5C&V4(i{WtzXMTRqufFa03qVsq{ms@{3`G41moA1#-px$NAeTQgu{N(vob*K^ zNf*{Hpj_%fwmp)x3|zy~NWPmVR#o=QyD6zqQR7RVE6P>$Q-a2T92uod2+f6HM#kX= zayg6c85gz3gm9Bx4^aBZvl=g9k|7rJ#RSE@kjP{SLQK-T8B|V|is67UXz^UGT4<9s zcWbrx#8#0|F3gMz<-i}Q}#$@LV8wlwD0tRl6GpPY-tHey8(oX zkAWdu1`IfRfY=Ko5a-<#zIZag zp}DfPL>SIBQKe-u0unH_X6C`_xuQ9@xR8(qqDR(+*8+dd9YYg-t2Q6D+#{8Q1b)rK 
zp$3;t=|B?^qlH*T&BRioV8ufJ@ur@YYdq*D8x(WD0_iRahGdWEy@^)zq@yAZ4FaMX z<3`x*4(h>EO>=a0kn53fd&O|kp@(}J+ZWx8fh8=f-30$8$w;Bxb?!N%jF=+_`H(A# z+w3}eJveSPe$=E|HBCuEM2W{=6K*b3Zbe+l>ZPN#C~Y?K7is*^rOD=@3R44eY3r$} zpo$aKYD)V8Co_PD3R@B%h)F>kBk%vd?srCYqcH|*$&6c$NeRk`D6N?o2Lvk!wYhpy z4<4Q)uGT4fOv^09o;RyOO@i_!T2dKOL#Bl+CmaOAATv>1)@9YH|05De#?Z>vI5jrz zhPDsuLm@}wBJ3#=fPzZZ)&(=pUHA``#WopN1m_eexFs5(;vC%RB5OX^YtCu4h0X(OJ@_Nsh9 zwYrdWvGNfO~1P153JCfm)yl&9iAY5GgJI=!N*nv7a8pBa+%q4()5B&!cDpcNVW;xUYqQY z6r?*j))e2`+Z!kmM61J#xZE?>}IB&V5%-mB`84%J7=_4sgzH2k^H8_ z!tq>2tST|cd^&)M_9Sn!pfc>n70SaSp)wVrG(ZWX50r@WheXbiSdb(Effn573yEwi zZ-SUcMh(>ULDULH8~sBJOFPGlQ=`<|_B$R6Nr)3WbiU_p?gxqb{}Xvspx_g$DF&N_zkqhX`{!xfsussv%s-8p*!2 z^(HrRAC(%pn^v}18$*0Z7z})9^@`6lIiym~hXKKoChxSxOf0zQPCA zoPRPvEollMDLy~>MmVllGMR&mn3*C+2o9hQXXQ4uFJhG=P0(#fiwDJTWS2z0z{PjD zs4y*F{$-esGnY$j7d`E*fPqr2=bf=)+ecQ)b7EID9)?GN-q(Plh3-;P+TzQXhw7nf zAq+0*G2~mB&#L1;2`2Spa3kiplYVyr@h94Prf7=6Lw4CFiGZ3Co7}{n-A0p52|^;| z6goe`C|z~eRk3;61?9LwY?G$_RKi4gp(Swv@n}C1IK2WLz=mFLWg{lDPNaVf3%MA%lvH4{UuQlA4thyAnfOOjwq#c-hA!g`mO?*bZ6{eXXLqHZCFm zblxwhPmL~WjZ7&d5lcs@b#{KbV5w@2hDZ1`2%qiIGR`EDORq81MXxtc0MN+Nb+oUb zBEK~VmS{z@vs{hH;B-t77stjGr=L*TREdxVv6adeUq8mHg~C1LA?MEVK)xVCjT5Gw ziL2j{3=s6_v_7Wd@zrVx3~*NN8mW#&5ga#(5^c(X%qnlHY-diKVN+Fdro671MPkjS zQe7#aX3%eyT^*+SpiV;P5IP<1`(}U8B=&Itcc-V9&`0mRKA<-G4x+NLgx-%2W3iAY z$6gk|qYD;qGSPl1pQXRCk0+P3vnmuh{$dg!w@Iu*I>N9jG3vkvoR_DWRiu}3d~Ip6 zL0=SbqZ_p)pT7~-2K9BUjfM&lc+!IIMdp8k@gy{)!An9%K8rbRn%tBeRJxX-3(v(H zY{G|K=UTr?Kk2Bg5n^&qH#RInA`+(3F5RPJHBT<2(G_)I@x#TFjuI7m>LuwSiEUqe z2#MlR5BbnP>jVy{Y9U$2PY3zJX?7cK?P?^={w7Qffkrok8>7_HbvE&4G)&UNH|Uhe z1D|20HWb{;uO#F8{u1g@Y$qaY^daHlkgg{}F9iU1cGgGepb7B}5l31UVLBX(Fr6HUkRL4}q>M;vcs2Y+;JKUYnN_whtm=PYm>a3Ar@$1WLKZW5F;*lK}=r@Wz+h1~cwYQ}#ZpJG#QH(QFY_4CQOOf=wC?;jaq z2f4u~{IGRm3)$WjR0C-^Na#|x1~DNBsq_2(b9Sk!ewTCXJnBJLY~Z#&BABcvI3ArA zEXBa$pEn8F;(uVS>$_}b_cvwuJ}qO!wA&RkDBI}`#wU^J=2LA+D(3ZT;j|w zLalu(K!Xi@M<|GFYVA9b-%(dvJgzSdJAoz*r%|u<05(ea$?SzW$9bG{rnuklZF+F<3Ld`n=noAnttUBfdAGdX9Fm??C@{B+< 
zU>KQXA=)NbA_PchQqh-ImRGXP&4^0OZJ2)u`J9QzM~4!D9ajt)X4wj$w+YV9!%w+< z2WB)vUQ5H}62fviNDyt?1N;u{H>wgLWacm!caIv<_eghpmgS@feGo`LWQ4*kk~4RJ z@VfA}`KvM{+dM`pQBE=Q>ox`_rzsslOe=eE%di=b^Tk0YZ}2oV^X6uV7jH2l0_ys!Z~w* z0rth9>+>OzuAfLg&l8WQb?Ld12S;J3ICG7T&4VLi7MZlP_Otx1Imos^wVr*5mjbcZ zkBGn1@R;0I!yhUY;R7#yanNnfwEo^wYF+e85BgO7FK4 zp=cC-DXtYKTGJb=XRw1>kpK=CZCa2y*HAP51mBp(8XOt8}ta6Ryw<*AD0?dWSn6o|@r-``*&Ah!@7sENYy8HrjDv{!Y)rRsvt&QwD0e z0-WKCo~eCf)b_h0^$%~kuuH8G(5h=yOmdZt247HTf4*aa#tI&S?yvROA*DQ-UDwk(gJg`&JrNFpmmdfM`1N#2138r0F)n0n0RlSqS zb}E*M+I3=J7mszj1QrNw8%RIpu?4`UR1L+#H)$_5X|Y}3oJd2*BiMPDj;)$GvIx{6 zKxoQ}$aiQ*rKz)C6LL%ARY>Cp92UkuNrcf1@C*{FRFRWUE#@6|HNK``vx$=cGevxPzsI=a*R&TEi2ZNNqJ6NkJSA_Avn)q(Z$;EH-7-_t58XpmTyx0zvoWHM{= z)w$ZdW>+<^l%mNW4T}{jPQEO5dpM`-{*EZ}Kh>w5n=Q-LNLiSe1daOuWOn1fhJuPk z@nFGb$Q*RSJt_WE_CF^{f!x-;ITHzQg|8}56pZ9CZu>zPt*|BYV3Wa)zOTz*j_5sF zCppe*1(X7@NIi&A%L`|!k_uZqm1+rhkW*+sAYHF3D-&nvPjF71KW@sAAJvD&UVERn z!Vyq{>BmBb3MVbe)lGIXnoWoawusY8OlM3x!UK(V(r0$DHC4*sTw8nZHh151h@pjH z(C1UmOk`e$vaOQ9Y(cl;qm8vHHY`Z#1u-u}o|2GkJP`N!ut)MpBpHkM&y_y02H<7d zaE?oTUxUFE*i-`v&-BoE)gnhCz40zVQ}W^wj8m#3Pa7cAkq?(ry-D-(JNGsCW|R{b z^Xf6_n)vhn5F#})WWJ0R#p#+r%fGVvjuqBQdMPAgzpN3_kzC?wl{eB;!cllf-dkql zMxkT5`js6hv`>w5fXT8?5I?XiC}#@s z9DL=yH-2A;O8pJhAoR1Ugj+~A`UVEy<;*Hi?D)+`-__4zZSr8u3?n$Bo0PJ7^8(ko zS>x8Q!p25pvm~aCJM97X7E78vIhd>XZ2@~cg#T(}qTZdiRk36mv|iagVC75~+?S;D zp%fkns?FwtQHg}|td+eTaJ)c?uzu9A-r-Z(A)@~vkc%EhQGc-Sa1&c}xwA@AB8=cB zg5{6rhq`|EbR_5hq%CXAKnnZ>cd}}q7=-6=&l9fNxO%)*vG5o;pY)H592*l4Gl(a1 z{N68?8M_lQ|CfRzVw@?L8hP0;E}T6wJT9WuxJna6Tp)>k(r2fPTXn6Ex_X?u+ksOm z5=~u6P$|1kd5~2I%F!cq>J87D0KBC>QAD+q3~fr32VOoQ?j}s@DutSpAi^}d4B&l-opFhJt)0&r!v8`c5GQq+&*I@csTGR?v@}gp)g;|LvekO_# z-pbHM!gu81d)Lg=Kt>fYhNPX7?bekuRzh&XZxUu+=Nu=lBNRy|d-=8v9TPj$aFy5G^GwE@nAKODvu;m*NBI$w8T zga>Rt)hbSos%uQ2!@B2GSuzlX;}=cNDneghDGOA@=5FsBeBH zDI`d5yX(7ONWa>AS_=wMurN74-4^xJXM<{~bd4GGnHhsQMNS3OT(wnc!>eSk7yA~> z*qcFVVrkZBFfUOB*MQ^mcNDjok%Pv7B%p|SEJg*7MC8kpQTpmd!342%K4P4aPv~Q* zq3-pxa{5|Ry+$e9VT#Jg*u_q0h>Q73)R*KbuRA_42O*h0l?P;7?mb 
zsz6sI5h+nuNxL7!DYwbYbzYU1e1$;UEC zRq=uLQgnRH4xt$Qjg;$iE?ic-h44kSdLSHyP)PJBC%L5u`;vF7SX%?$3sMv2IlQCx zn6*e@#^$tIm;{x+Q_$ar&VEebR;EH??j6uB;L?DL9KwNxKC=FV3 z$Fx6{EzAK*_!}q%g#Pn&YBb)TMOC1B zl^SMW1U*;&L;8DR(?zh4L$y^BMN`YNcT&c`B50_u&X&fmOyyDGv=E5)I?4OQ=iLl* z9alIZ1Jf`*&Qs|<(fi)=2CvCJ_@?ZRR`=N2JI1;uY;8@GUG(bV)!1Kzojrd)o=;xP zv$VJGWgmaHrR!~(EZ?Wghqt%CzF%xE@8_>RJ`V1AJY5-P=}dI(jB9*zW$SI5=cV!+g_Wx8abqTwrXt9(s>`E{%BEkZ_#*ty1IBg+@9@yegyHWKH*+Y+nFxc zr?(G&pv8PNx$;Nnj*-=C0eQrEYHWCRym=h=^7FO536y(GezmrE@J}8=>sowOpQpcG z()tR7)AJ!t{C?ZtyZhL?clR?*>&z#mtG=oW2gQxTYi}nK4g7pC(8AxD0n0vOKgK^D zUTq&7^s^7LtMF9c(3!)F=uYkN`g%2V7WTWmpL|@r{GdVRnWGALOdq`DXXXkpeCFqy z{*VeV)I6BKxbujb%rnBrpEcPXSzRulo*{603V(()^r`s!@7q*47{5_Pw_dz@J-efbn-H$3=q?%vF75o{SQ!c9 zvFjOppimD|%l0uoolZTEo<|DEOg)`1wr@A;X7dq35Ae6l&UPTLEkp|Fpb&k4I(y%1 zvuxAuDLZ1U-XfBOL+Gpdizhd)t{(mqz&u%^KcEc8wu{`R}gu{oC|cQo?WzTj!q}4O)Sh z-$C^|eqv@k*i)tH-gxf_`c0bzHSvB|T0wO4 z3}R>)PpdpY7O9ZyPb4aK0=2AsAvdW#q}M}MuJ3YkmGvDW^*RObRl@Y~tk8AIY9u2G zyOy~)2&EDnjWh5JTA7wg?f$vcn(aq+gzR02N~r#-EAb|2_Rdf}ZJSz*+m${%Xrr_c zevIV+V_N+f{kOYU3JV?Q>FN#@AO6?-^70c)s{Wi#AE~?oyRS!9v2<7dSoXu*L6vDy zpzR#uTn9>ZE`E|p{ifJeC@||S+6+imGniJLZ2wg50F5=ptmTcr%d7hcg9UHlC$Rb< zs&$=iK!6%9yVB|2v(2gM$ku_^L%i6*v{!AaylGNqMz-m9k9v=uIkay6kHn0g^*Q(F zQMF1E3Ho>acY&wlriq(=RDNh3E}o?xjEB~ zd7bT(3k0-2gHQ4ayx650Fw&>%LHeBV#n#>%o5>#kI7Z^@N;}>m5+vP;z6!xGi}TeL zWnvusx`jIZl1;8hirN8b+fGvXfm68t))=VJ(~V^7;y=E@$xWeNvk%Qa3b)juFA6EU zb>2KrpGU{nUG839eC{Q|^+ld9Q&Ngu?|}wsxlahN;MB{jLgMQ2XP+>M$-x`VzMrK9}s4RUY=4ZPw4y)7TO`h1u!vPO<})5t6) z2sS+Gn8>~!O4s~O=Xzf}E?2(_VdhOYrnWY9bv(M#^*kbVa+^Im-Rd>ENgY4GaS@(A z&S*64CiVpzYYJRY+2SzF`|j!j>|3r0o_9l=Z-d6w7%4m;A+&jI*&(bQ@0jlO%2_Zl zVZOVNjLhbZ@|tdDC$@ll7irpmaPA)Sm0-r&*08u$7i0toBmHY77ErgBZh*n!TPPfu z#SVlR8{vBx#X;BWrsXja-rk&sa^&4mR7&S+-hq(+!R|ZS)2R4zmLn}zhe-(XD-?e5 zHiM}YSrz6kNWDFhCCrDDmrNxjzRT;*{U;^yD0_c?bxfFSuwF^>)hn)^^YyR%NAed{ zq6B&g0{mZbT%E2w*pg8%Sx&0!WFC(jUvr|Bgs~G-3TsPjBjsG5Q|n7<@FslB%^iML zn8ZZwtte9Zf;ZZ0Tm4CC)n}|*7TZ#DhqU@+){oYMNYk31KGFSJzOeR=zITmJ`VfdJ 
zvUK!M1>p?UAzG2YkSAd+N}g7|iPMMUB5q9YTRyK|9p2OIKik|^l+B_)+ujZ@yaE36 zn1O}!jPbzFvMx(OfS(})8~|%$1AFHGHfEqGDlD%k^6$e7|HCTuhBV3KJk8{w<3`m_ z5%U5p_Wm~35gd`B_lx<9&n!>4R8U>e>D=y- z?w)SH0*hlw2a4~0YZNn5`tLXno#Te?wcp%UhVVkQ-?1nfI4cFhod%rj2>=jsQ8SFL zVH6E}1W5Ic>^=o*Xe$%;Kq6o7-F0@v8#%wNrjmrR7~P3hh6v%cVg=X1jw}l66g~We zEBuv`bkK<`6r%bza8L%LLWEssZ)ug*{WO)JydV#4 zPtYw{+_?-b2JP#nHltRW6x^v1LX(A|0@M9KT}UIOum0K^<#s8~RERX4?^s`!Vv6-l zk62CRsE_6F)wqc)@AoZCSE5sQs+kHBRuS5*Cp|SV(1kN)HJ7S7H?Wye03l4bU=3Td zIJ3EbU6+lXf(?6th}kD8l@s^Qx3RlKE;bOC^aNyLSz1JmolDg?OLHu>2XeZ%y`fDz z%z-wM~f z(6MfY6flesToTmILDl#~n$ZCbgS*~1&OS9t7y|K5)VSPvYqL|vE&cf}8-kzmUG&}W zFoKvCB%TPMBZ=jPA*`saAGmacT!;XIn>Jl@UMEFc(a!dfJ9T|lRN+kl72bsBT|)UhJY)B5ZHO;z zzlq`IqhEgHmrxEmzhgm|G2ID)!U{UQLRa9B9*G%uozj&-cug`LM-(Z{yUcc-$MXZI#EEww8b_ zY%m;y3#cqL@V@mK{4SJMmMA&}n7!|0|JY^88I3K@Cj&$2*21uMsvF9 zhHdnQhCqD{C#1^Kg(0ya)1R9iWLSwFy%RqcuRMnLIJU(P(mHSEhqx*AcP zc%&APzy0dNbq2dlmE2vtY)LBADS4;X*r3&91nW;$1j0ZT{FiNaHDimX3$Z;`v*LQ@dM@4*J=om7nCEwnB+R~N=C(tg&3Fg$uzn>;7rswtV?BXt@W0cRyI(92xKTQ~FnKS~*=}S$;OlYV!{7 z6TfWayqdyzB7Hq1GbK$cgGAD<=ee8k4XY#rE40z|#m(`r74__z2k%hU%uk!Uro5|d zHKyljnOndUm1wV!H}_1n!CVi~t%msw-H}AQ&rc%VD3u0FB&^&abJ zhW9T_QV;=d+?5{jj+!-FTfHEzh{UEP%BTlQPyWW+SNLt-9wMsav8E!Bc8w-*S~12u z$bP;UeKf|{j=Y*q3nQ91%|_{EXAG`9Yu(I=lG_EIuB8;d(?C!yOQ&g@ogmS&+1wbw6JB)y46y-P%_e1;4W<`r!|n1LZtykLAafK>Zpa1>T10mwQ1 z9qRab1z&MOPZbH|I5gUNC{4T86xuX9Y2jJ5ocR7T=6;V=B5>KdhlI6CT2?r~$)wE| z2-Lz2g9gKExT>7yviEghz5xSd|KX4`Jm?;|ml$Uek=iw};xA!wwmK7xhB2NH+OYo@ z&XztVrve3bD{))o^%!{h#!ni6+2nfCA3esS-kPfoOL zmYC)~VJl}291#D0VxJ<6fe52MadF`Y7C&%}yUwygbaS@DKjst;eZ@ujXTuz;jb*88 z4xA!5d&#h?_#On+L3fXSi-{3yJ%XB3&J085Bdb8|?cNmDyvyeS@r%c@@H55FZstdgqWOM)k4i78$NGl-j)^6(`M!&fXepN(oPeREr_ z&y7$Jm=OZ-3%<0PHjF!MxPetd-Y*5oRjnlsU|d^hBsC0hTKAZYNwka+&s5p|II?Gl zRdsY9JA&>B6w;`fQk0tdaodMezr%7D@zB~L&zd$z0=`ed;bcHo#z}PC|H0VlppMw99>Mn2blGWR<9p zPXNyoHI0UMB17Ag@8EUx6v^0ZzK;;Omj*UoLylvr*+bYtIJk>U4PdnuwnvPEHX)TM z$RM>LoW3pZc6p)@GM*jYh~?178tm%TrV~Q~_>^um(Nwto#w^Ckup<4%MK!MTMM^*Nn~Grttx#7s 
zEl<7jS=d@wXSDw?Vh^ygbA*e)rUixrZM4gKiRtuGW_m3VVKcEBV-HnC8iD1a8H-j^eqbceVNYOmOLI)jn$4_Xe81qvN18lsD45KG z{7ya@wrO6%elxToCMgQ3itK8|`s*{P5ON_GbCX>uH7C9rd-Ld%@IG=NMCFd)-lW4b z+S6&Zw4D6vh!4=-m}LMrcxbzBi(RWfcT>sLrCr#AvoK|N(U;}Fct2X4>y??mP5NoZ z)K9>>K#y`3p_N5CcZNlpoK#3abJ@vntRq7`VZ0t)veRO!HVra~3B8yj4Ha@W(7LMr zL81jCgE?Hd%*SF@q6%16>W1lkmcH5jV7F^I777#&6iLt|Y9j7Ur`bB>(O4<1If~wB zTWT#pK=PQ9+!1p=3W6 z*{kT0hQkYNRWT@8&ns(!acdvW>zqGy&0w#jIiZXou%q`Kz^%JY`ws59$b5^7-L~*2 zfl7DA&8ZIgZg!?#S5(%><1escgpc+C@}uyNpr<1<$-><^uU2+xRJL$0Kg+m38|#!L zCJwbu#NsB6y z2~`lxKUAr4Uh=oKZ?!)S7VxWzWD$lunH}9q`A)H!`)Cj{3k2@WPm!&c2QXc4j;abH zGonCHCRLm%hx9v?Vx3CcNPol+{a$g}vmD+}lnqZqrypf3+(mVgQ;)1*-;|54(9HuW zVE4ni!m*rSKhWE_Odcc`T|874OZidFjl#+MqM@sl-5d8b7M{#l4MHc5txs%4JKi6M z_KMhHUuxcOiJvm+;({1LyMWsvLz-3ZlNj&bAX#R4>CAMz z`T~bKll!PIaR+h%K2aSk)kEx>-VuaG){A|dt}#Gh2NC=LeyGg&CTyGBpz`VR|1v6h zH{eoW$~diPaicUmL_C;!f9V4cn`}hr67&Rv@1L<5ydav?#~8X1M}3_78jp%s{lO{D zBK5xuf8Nl$H^cO}MvBk=1r^dA8miGbF6zZcMrk2+0|5QHqPaHhiWi>H*2vG(r+>vM zKH@Sl#}+_qh)f$p6Y^cZOk#)CY%NJ%l@&o)*?#`?f^xZ|)qnBJvN}__hLodWry9w~ zYY9XC6)4SvB>dzQ8z5U*VM+k#dlK*QnEvq@Lv|}SN{)HBMhfo3gAIf`2!sf6fytsv z-?Vv#qby4u>b88w{zp{kIfGXY%VoFrd)d!X=p|F%1M2sB*G*#;5-2+h| zZ=jp)d!FzIN*w5|pzYYsK{wW^C)DJyLB`Xe#JZlt!?O!lpDz3iZy@XL`mosYc-MOm z8BZg>PvaG#viHXf;-|m&>!4AJ+aa&|((m5qCmORLa;r?K)epmv4_2iNT5cFp$J4y{ z45RdMLkTkoH?@3xi)|g}xwf9wk-f=ny-dATpdwb`J1zZ(lzB!B>HMS9$!Cvt#cN&?5us6* zJgIZ3H(zkQqq^@tUHa6d`MXpAI9F9*Qy}QMZUsj{!0{ zD#SHi#Y2WU!r<5&SC%@JUe=d@LpwEae)vnyk=#VE$7`G3iaOyC9+95WaKVU z0h+au!*fAt6&|l0g!q-nMjE`(3X!P^H^`CvKe(H$ax7GwnNg zCO5iIKhEFAZue%Uy?oPp-*=7QCOa9nLs(yQH`ovPLR-duS=P2k{b1lah397MnHSU)H5M+k0Nn zV40I-zF%X_xy>yWlng6ClRhDe!ye>u^o9!;&nKa51&CRVOksKH2CiD5G*dy;PA97> zYRS?Bey7e*^Wb`avqkbP%04ufDSZ#>R2b{;IXAH;b@=H;PbIKeX>wcx<05)SGm}d!ag&Hs3j#hoU^+N)lY5k7g`Tl612&MiWk$yF-FD+9E4om z2+tV+S`!wyMWfv*2z>7 z`^=V7Zewv{C?Xvf_ODdd^Sp5_9Y_x;c>Fw`NHS}UJ4-Wr-D+sGhht68B`eo05D4TJ zY0ID;7tt3lBlkPcBTWTHs0VYs)}E;6xK=Lf8{mmcjAe%1n?24?Gxh425; 
z8K)z2=QH}z_X)xS0HFA%o$>!)fJa7DNl8@kf79XV)UdJJZ$bRB?fLc{NtOm!eqW<@ zqkt-CyF z5Z&D7;BsG2*PH!ZGU#|JY6`PME%zAycsGHSNp?#8Tq#J*0g|oMZchp@?3>Bi*Myp~We0*7U9nrUn3c~h~%L=%xQ`iPu zwbaC5!%*fVx}DObMWOv`P^{T%y(;li!t0!?@OUK!AXvkBv1CV<_ z8#M1iwrCz90sY;LHr->~_ZnAknU`$&>?I(%zE7F7Z<_BGj6=WgF}G2wXSauU*9pBM z=`h8dZ~^csoRE?4@Y;T15T)tRD4p)tXXiNh<8(M|rPma$1ujKbJ%dW+am7+b&QkD0 zWKGNI>~V`j(Ivd9E_hPXt(Fs*LBm090;IsCI9TJEtog-|638UHqwPXhMV&x3h{heJ z##zK>2#bo$W7petGCkf&iM17&o1isEcjF`W ze4kosT37O`>;!9Q8u}F!hhRr?d9qYnO?8bmYxaP!xIqZ!bm;&OVq@r+o0;L{=`@{Q z*!HQKLdy+I@c;se9<@;Nh3}AUDC-^ za2K{lxv1g#b=fSfE-*b;n5}I=?H=N63F?x#79aIcdlGERUBxkl4TX^T;K<^}yu(~j zNk<~a$)V<{MG{eHKBuQ9hLw(*f#J{CDBnW?kWeoHt4RO*gKR-Gt-7@pm=@^p&DKaW z^uZqTs{S%w*h`Q0Bwuv`CwNca5_yw3TXf-7a3lXgC1S3m7{@2>58A9=?1i~7Tx%(0 zo=hOlr9L}!Unicn1k{QYU>Z4-;at3wSpj-Y`I8|!hzxEUhC5}BoaJE;Oh~vyjLk^0i-@HSm;JjO5$2i+Z4f5H=x9Vo`&kFw`A`*xFmAy`QV*iZ}k1vLik; z;6!&K)|0L6l%z~(!QN(ffPw^)G;MW_BGHhRPP;AMvSGXrC%^J~J%*@6=$V9_5)+ha z9qh+Q@?!{zc;;bRIZx15g=_@l14)}HAmGz2=VaNzz+*wQUG*nDXCD`^EF;;ubBo(3 z1P*X;i9N)w%X2+L<`D8O zs34CUszh2wCXhGZzl(Wa28EbRYMWDrUvh#WspZ*w5B3cREX*Z=^6tiIPO-1Dhb((8h>oGc1H>H1Q9^@e+#q7CpmJDhZJ|`p)D*u6o-p zjHaq$(8Nb(T*B#R3j2ev-X?RrM=S%xJ1CMi$FB6i`OQ=@_%PM80;b18C)K038%^OR z`1#iifMlUK5H1DnS^At3ka+vdBFA(?UU$Q^;yeR7YJ$FcAzID^_Jl(I#2Zh%& zFHO^=;FP2n%*@>m1WR5H+L}Q}-ifC;=!*4w6dD;Nr0Yh^jUEt@Gp0j6#SZ(Q2^~C8L#ui?`Mc1kXD25BRq95YY%h@>9?ZQJP-F1P`XlaLN9Ok{}t7gxRwuJJ0 zaMVi1Luzg#FZ7>-i24)M%wK6HSn%R+9f)4T(?v6KsK$t`ak2CtSQ9a&Snst21&K0O!Sz zM9^4tjp%YV2qZ}azDBe(tkGhLV;YNimJ8&6Rhv=lNoo~*!u2zTbJB3gUmBq!D#xh$ zL2|E^AfG6!QuwtnzQ#lu7Zry(9WzY~d-`Pv4;DmZ&l zRGn$oORJ;0Dty#c3mI<)*^Wv?e$y`!ACe8gY9$g(Mm-5&=va(~Q$cB++a%xcvd+2+ zW5G3KP6Ooc#5?7)qzGAVF(;BvfiGd^iq+>Q=#NlD;5TVEvmlXth{`NWz*6bGNkIyp z?t+HNa`_s#negOqmwfeFmRiq%!hpmrnji_X;WR`k*z zF>j?|Y*ix)lc=!0N%pYkF>hg%aZn?PB&j0wKPwFV%uS0WJj6l#jlQd+N~Q1}wdcU< zCgMmo75OddXW}|vlXV?>^l9Xvyq$pvTn;f5(UX-0E z4+zB|7HRo6;Qb#;n&{*424Fw_{^Jn;Q=gse?DecooK39%H_ZKSj25W>d@V$&jo1l* z008Ac|4Lj_Mp9T*PD%8C`-8|h!RT}bgurWwk6@P#DMTE%b=5@k1mjqBKZx0|d|=_4 
zgOw3B!H;)1V>PYEy3SR+t@P{3UypMJHAj|%upSpQh#99JBs9E6Y{Xc(2BnEpT7NNl z1>GPvhlch{HCHDMdg$|QNBf>ZRDfNPDFWX9=6Xzz8i&th$^a{K4p-S zhW*ySk#C3KnDrAexOud1|0BuMm(&q6R#|JMTV}+yn1}ANcgRL^JwY~;V(@jn80h;; zOmDfO;>A5FdScy3q4?F{Rf}&*VQANxl&jP{SCZR&pWQy=)a?5624{GlMO2MfY)IGW z(fn{vZ}#65)c+%*egf&=KluMNq7+3HR791OMgN26^beudKd#UKfFRF5!2*KvW8@!k z^dE+Y@ss;Net!MO`R9fu<&=~KWn@GZ{}qAC-opOB1Stx$9#{zk0003h007=U^;%X` zSx`h!S@2(_Z>749-8u)F=W;bcO%Dm8A!j6axCXFB1-T@1sw6V8+1TI z#b8u%+fKA@u=EC&SK3CwpI(%k9hs)BRqvc?P*I7WJ3}RbP|U_^iu5%^tAEv_p?MX4 zYrtxdKW4{y#pfM}9SLb*w6h{`}c)NMu&-{gH=q%EV*P|#Aq6p!+dBR9W!@w9+frOpKcA-x^9ThlvUAG29Kbq zbj6lPgv&7@W|Or9!LjiNe}L+m_aJTq-0*?B&8711_(z}0YsT;Z`hrcPJg-Rw)cZf| ze#-R8TcNyI>o2$V{BN$jr77S!cH)@P$26a9XmU>hYKStOz8CUZ<*HdC_m)%CV% z&K>Es!L9meDDbO7GMreG4P#8DT(R@}R~7>D`>6Y6H}L*2UlHn+x%>rbYl#TU?z_nP zLrys`u-J)9@;4=wHZz>ZMJJq_R=Wer2N_*}m#EB!s(|wk{-7q4FR?-h7x;iPJjMqfOzcEVB<(3`4t zGZjn}p+wn5{{{pc&0VT~mYoRXky~w(@}||`S(D>U(13mw=_huF`Zm=_`J$5CFK(rJUVqS=-+hj$Ot+$}6B zOlN?h6WXg48MEcIbk_7U@}?K#?ITV&MFK`B(7}G#nm%Yp6LGit z&2@MnE4!L>@Y~QGFpE}qvSS@s!?h7bq_6$;I~^^S90g;fZJIC6f?@BH_!X? 
z6BdD3)N`0m&U%J8kmG3Ch|DJ~e6LV4>2ou7NTK2p?%q_0CFz{D6a@gA+zXoPPvj3l ztFW@71qurA*7{3?I0BFZr!2C3_H18PZeLTwPcUkbD1hU;FNdW3Nq(P2qp1NS-^CA6 z!$vt*v&+^WXtPtJSX`}~j-~@%krtB|lTTO6N-}lfd;>}3(UKg&)XLv!83k{r4rdA^ zy<~(By($#OK>PqCO+=SclF*UtQ_rs~IOSN4zMca4-y>u)b1D-5_lp!Ay2B!tMTjExw&}8O{bEhy};>IBMr}8 zYvUV#rqTO{S4zo2*b}2DV}xUX;g2f;?eTs9zm*a~bK*69`&RTvZ^wl^VarDVRfRla z*dk@B={jPwPwX3oxVliu&lI?u|5IlgwSBJ71Cc6HYECZ}r-rs2d=L`5k_gPA11hO& z-u#o}h^T`jcN^-Mc*T+Ek(f_*VT+}9SP|JuUqAru4{8M6$0<%1WP{_yO~d2;~I zcP;M7wNrdx4cABISxleVKgUJQsiJ|R5rP2}O3s(??pS`pS{JUzHoUH`UH((&w;@AL zz2_;o$HHZx;mJrSc?gYL*$eE&5&f;!B+v0Ie>f&79@%QiASa3D^j7vxE*;d879NzB zRji9VXyrEVKJ+Rh{@4stm-mPEK5M=PbEm#wOJ@%6tfab_LoOAQ@Ilt53ofx47~3R* zD;{^Ex=L12vz5J~zbK4h1{#FHuxd#C0wGm#YfNc8;U`qh50O{DW1l_mB-za=(?b2e z5lFmiol7kGyKaUJqmb8g$R_MzK11vDd5+c`dRz$H*1eTFsS~NeCHV#ZpTX6?L$;qU z;6M1s{;$DrTgLxaLLd7Fnf}>1}oc>ok|3G^X|0eCfxSg~!^aB93 zK>+~J|C=25H5mM5O(3L{h)3F0vU(F|oWm|~W2j%7 z?@~aRPd`r9rqXo=5l%7cSUUBLEs~~or8g;GCWfv=-h7G&gLU#{GR>De&@a{UXOWJ6 zF*YaACl^D8imTWM2F@p7G>f!Xpc3EK@j=FgrE3-?Z?OvC`dVm`V|wS3?_anWNuz@l z;h;2~GV|~VC4mz}*Jf}|-axe74UfT8Fehm)&>*>0OlPQFWp>jEa|&>A=OEBlJ0%o<8iA0YMAOZDrE^z%dGf&O*?|{ z(JEeE%m2>TFEPPqV8M5S~%(H{V#!m8o>zX&wv2p-fc*VWqt>I z7DB`#hmSk8i!;P_m+H4YtV}#9F~9qXJV?cz&sb}uLWOQAR?t)8@+D=U_Ip0SUz=bW z-iV8$m@3q{qLm=5j0B$QD}pv<+N#buEgK^?xf1rR_XF^sXBO7~;JN)@BLgFI6Ft5E zizK0y5-9Wjse{UXsw0MfY4iU}7$f_?PUd#Dw9Jf*KX+vG@Ab<+Qv1IYU6m@+^4Q`i zS*wroH}V-E7dvRbG^IdktO9zlMW|6JBT;67IWAQ-hn^x*HGinWYIh(U@O{YFfm(U$FDS4VpeZoOk8+fyKlQQziTn9086xY zdKU3G0^hKkTWRNeD-j)u698jc>O-3nfIuY(c0A@x*a)rV3kHtgFnI$o(XA#rP-jJ` zImgG!KOvkacMd#_@EN+B@Ye#8ra+F)n&bqGV)GgY9sBHYk*Sl@K166;ky7h&_Qd$X zP!7cO!BF7CUa4vc;kX96<2pg8{89HaGP+d{bRddTVxyUdsAd z6pOpe9#oc`3(Hsp1d~fpd)!q7F4AZe(+_i39Gjd!ErwmPKAz5NPrG zcWaVydBPztc3-ZQWOYBOiri)78047rtxy6AaZ@{Tp%y?PB&GaMMAK;sLS{M3hhY;1 zUt*SYB_+Ax8GJ1}orv)qV?Ua0lVD;~Xerr%rjWI{Go|fH!g&AQ7WrJlF4AwsAc~nu z*@{;vNu>w9y*yvEPgi#BF`U_n&ghl34!IyY6R?zx!IPAY?1mxOZez8_67|K})WzRn zlSasY&}*~XLTgTRjiqj$Pc0QoNCV{@+R`fuy!B1m=&qJqqHu;?MZy6*B_b|2XBRUB 
zo7~irWCpO&X}Vn(^)yS!3N;na1`_O;a8G-jV7uHqI3sc{$yp;$TLaq7B9Vp&gG0M1 z(5`u4`Qi19RDKP$DA?R!Ib1jF!s(T+x&k*taIwDrELPl@Gg7o08ray7aT6lpazn{1 ztfx+mF3si(mU%ersrTJ;Wu;r#!yUikM;6WoNK%ci(3TD63+4k|?nWNwP(5sN|1+&@ z|9n@}<*-hcQA#$bS+`I4^bL_q(sCwJm||W+IWVUlfP?3bq2SGyy)G~!zidvqO6Ms) zZ@neJ)FwLY)n;=d4!F+exKpEJ{Juhhxdw>pJ;>Jv|9l69OPemSxO_Uo2@Dh#(dqe*=@WMYawZ^>|hluX_y?K$A* zA~E}DeeSH3`9hn^n)^P(=jSH5OXZ*&g;$Ft?*`vlp}r6)&94SAd}M0I*gh5ma2yV_ zJ+1%TJH)>%Tp#>t%Vfd>05JZ`2c3njlZly$Bi;YSlP*$C%NltVGb?-;Z=1;hM~}eN zVPr8p#Hb!r5wQ#)-A~=GjE3e>Rn}&Dg>l8`*tHMLNJ-g-6r6A|NAwSsYFeVR1%>B` zFuvFMUEj~ym(I|D*}jEA z`t?Wy-62uImR;LlpmF?2JiYN2M0wq#5Rlu-X=5{pTt*=nOfmt4gy8~POids>!QIL3 zdqiZuErU&NJPzh|LB)1I{W!tYpaxE(P<5uIkVFz!Y`c%Nh!t0EJ3l+_X)jq3H&;iz z$&_?vG#(?HNf0;Z*qT;=%G5ds$_ymZNdmg!`7~LC`*DGkWC1Cet2uiGpE;RXdusy) z^;wx(dlXjFeUw=*nVVqMu1|1Pq1X{6bL3EK`q+~wws~9h&|~|>@y^6|cb-R_t9wVg zY9tks-U8#ZgX7VrxVDy4AZuW|*ge>|*H8C58NjR(0C{zvpe*t*6y+EPxEvc7cf`Lw z5SrcL*2wxS!d%p3fM)Qe|N1!qAbOHXm@we;L@u!LQFAwrl6%_}_(A2ku@!|0&l60W_@JEWR z$ciW=pg)@`2ze6`3rqF6P@#{mq{1~2yYl`rqC}W6x0av;prOVArHpJY(m=*c(hOWl z3E@5TD?Rk;@d1wl=S{U@fmk>%W_~8l$k~0*(|3I?zLhwV6yQNpR@IzA*=4A?$(MH) zk54o$`Yr`!la)ihqE9P^xoiK4uJ+Dr@ptXGdQdgJ%-Da%lnVZP+;CD{P0AXY=#`N_&+k{(m@o=ithsU=KGF+qUhAor!JRwmq?v z$%)O0ZQHhO+kClx_rA-wYp<$x_O9yHb^ch@>+9d{{-$Z=!gtDXqU1DK5yCU_0#>kK zm?~tVxEIcBS({TY+{jmfI?&6xR`sjoBh!ZgH9|?p#0ia4D=G9tOxOKaC5>;1Q6l;4 zM1S{CbuzjYS$a9xE{~GR@w~9wgnn@U>`RXr4Cut*nX>Vo<54N-#vs@?jf+f{26Py~ z&FibV*N8Nlw?^9mISfX5Qj%_OhG{~h+V*LXR=B|5Fs^TCv7kMuERyp#O+h!>(uivx zSs)dG3v(T;}1#TmMF;oA&g!IK!@})Y{Lw^|F6v4%QS-JGv$&ZU~JKn`+<%If^ zo{k39ns6%AGH(Fx-4&@Q zmX#gZy?v?ReM+oBzrn@QFkP&kD^(WL!cSEumZ+esFl+Vn(&~qv8J8+%%+=tDN-k;hyou$o3%1_!AZk4uIWx@oa*g-wsYc57 z&T5hoPQorR!wQ__L&|138a<$)jHa3mAz4LVr29%5v*H6E&I&Sp6XAtDj#I8n%h;XyrtnshO%CabDH^7 zbqJE_FiWuRZn)fvJr#D|<#`|XFtf7XQ6n5c&%{Fa2O73i=|74t?bYz);E8sIW@ZML zd{qtHcnDO~P^X$tu^84GTl}%PfwZSHZs3J&^PjdLgEp_E9tmWx$sF~V1YC2`!x6#A zd|H0m)hh&?{!#(o<$1hF&d|>i&8kaww(_%bK<=ht3-c;QV{DCSC&KTB5gFUt< 
z05UX9Iexb5NKOufC}5O7+?Gy-=f%&lN~|`c3=oJx@VU0=^gO-ku)Cz1BwFB9Hf?I| z98F!A%~y1R(k!&*m?qkA(Xul!ePDJrp;5!q=AC05UZvhIZLwZH%rGglO`G(zo?>Bl zo^zHS$t1VNIR`<*l0zTqQk=?dPxcc1J(_>Sf^E18gG?g(8@%uMv$%a46BhUfbj~W2 z+!0kdm5#y(-7Q(#jgg38#rw`@-`f`S?YZWmhUv#^nbN@q7csP#afn@|I=Q7338Nx~` zfoK&AB13o|MJG;3JQO`_9fm8yh$VQ>>l$A4+hV$ToF0l-!$wkmm*YpYmGK;FUh|;x z(sHYogLG-kNNtVAs0U5>>Fl1??RY%x<)RIux>{9&nL$s;xPnZ1yj9bZowcx@uq8#I z-o(6YhTnxeU+eX&r_E>bumDnGJ$c0<=*O0cn#Xjym<+*WD9H01i zc~Oz}jUOojD52qndMdINn_kXWaO|}s(Uj{cqtOe?Oy1i-oH#kAHE6&YqDNP~%BfOf ze}&PF>wP;ivZlvQpm^VQxCqRQwI8kMJMMMGO&l$VNWzfIQEKxR=N6iJg0kdtT?~oK zYHAWNCx(=$GMXOvkv_acg)!U(x9@hWK8CX09lx0_p|hNmq`E#Lqxr zUgx1Me|%b_m|0zY^@1+4YuuE^wRq{5KiH`!XUFzfX`a@Qvt56%E=16=O;|9!lK z*N>*(i0R4IQ z^T-;j<__@ zO;|cVl!X@4A#Fi>NTTq)Y;=i?ey8U;4wPoKD1sRmp^M!mBMEgRJYkQ}PK0xTmIABc z#L|7wmU^tbG=TB}3mOC#Q%!-l2BOGcP4q>gQ56k+S5;Nu+>tu#WHfBkJbGS+GLaR+ z#S`j0Vh4F;33KTiwch455Pq})T*k|iLcbDh2hXe+wP}E(2r3G0qt1RYSDE(p#xx=1 z4B4D`o|>jqA)GsT)*i-kH-Z(yHB;DQ6pDv_xriX(gTCm>X_-QpfyXFqc0A?k(X5=i zy8DQ5C2r374T6dk&PM)2-;iEf(0sw}tf=r**(t2U_9+pSBH{rxfFO|EVjF$S7^aW2 z+!vmgJ#qpesEE!hnrRWM_X)9UYY^jZtpEm6wR%NB&?6nxc6)JTC+$g^a^_n9F_dN8 zr9OYO>E;h&x&sIaj}B6w&Br;GrBRt40(suV;cu&KtYY>Zsp-;MWFV538XbwvFWX@@ zlQU2hlK6dz^}9gvhQAZg1l(7Me9mV?=n)5UW5rPMsQ3!O8bq6yXPWc=euVD?dPIgX zZ_pgPd6s%LEl6$1_Pa@_{P(Zhc;Rbw{fFapbB9j@N{i9^pqTkqkTDSHd#`$-E_obU z@C~vMi#txWz7A9EtTB{w2RMBs_XO|ukcODkwAo9M3u6LDnmHG06=w?zn7-$G8Vxu; zf3V;uSO#o+>$v-}h!0o>76o&q7ld3mJ@0HK~#VfR_wx0b?oM{M7FN=w5Fzc-cq1?B&E-na!G?D_SNH1FT=G!iMV8Ob+! 
zYlQ^@Lio2W!Nk$g&hdYsj{~YwPHSw4op);I%c0^}sg68zk%cGyGTy`W@y4gkypo8` zs55_nV17HK$bNZY07>|x;&IOjdF+6+ZSi&bT=Q^-#s)L~iA46lWSv7-hIbi@^8O)u z@R(&G9q$D2t~gbV6f!XANw#uSN7|_zCM*_QYh3`;g7ql z3dm<^_U~O?wO%~aCt4V0*3vI*mI&6&*G?YKt2tw)EC{ZUtj!{AHy-Q`eN3CTtylGQ zxC=J22?mVG06Tv-o&FeyeVjD%%XpsCDQI=70cb39zX&1*L?XThj?tA#`1jQZ=sqiV)K4BVE>|4h(Ip9 zSNX*HRwf8RmtmsH72s*Z@Bq{JBxz3+%dsrmv04*+Y{{-u_Y#WT~+NOg^ zdxys3CgALaPnaww?UrS`A?AJ}l#&4o#s!1WGh3!vhTUKT;iWARsaMX9ksB}7m1|QU zl?t6VLU=Fcf77!16~4}u#+itTRCDX?WC+c=L7GxnIhG{Z{!9M5n~^F6e9NqEB&kG+ zF`Wric>u4bBqj@UK0?w+d7o`@N-@Z>$!}~P$=J#e{TR-Om0L83^wx_pdX)9c5E8eJ zTn71K=6p6BZB|ytI2d@WI@-zg>vADzqhGTis{?iLyDQM2pJtpat5@aL*A0L{OY#CZ zJdB3vnxkJGYmK5uG8A^(b@KB+Vj?9-d<(QM4!7Nq{C+8J+ad!gpwW7}QcDcU6}i>V z9z0b9kH!`UAXz9wFdxH#5#brAf=;2w7zl~<)FX7$`tvzQ+sVVIMpVU_Gp^g07RmDA zr4`Dp+tj&DYP35YPz+T%peLm7?vdJ31MvomJ%KsSw)(1J#n@Da|*kl8It zEkzT&MoH^M**GN<@kif?nqJ*$NoA@8A0PU>#`?=vjE5d;$<0_Ddu{m=6?W$>6*)4_ zHy(?&=YeK~I8$s0$fp(K1-yVe#c{|0WcgTrz(Hb{vOo{-GhMQ4j*Q zMF4dF{D!!``hbkYxPlJ)>tdnIVAFnXJ{QAV2Hz)i-a$xU3O9qiHLz=WJ>Qrxwh@7(%JjIl&7KhQCus6_YZ#<4SCbGtsq zkO16_qy{2_+6g%}NjV4wL-m~>l=I`Q1^`ay|l<2@A22{;@xe`3h?dX~nO;ew2`}(C7l6+1j<56Tnce#>zVQGohf(SoiN$Cfg zL`2s|`$Mxhdb0EhR;WCB&d=wYrM|t`Ap$Ss6j~}Q^FcH5SDbwWzf3wxsa|nf*|^6D zk#4m65$!YOhu9cLs9aF&GtPcuMIscj?pWkf!IOMa3dkeRxSabERG1<(tpebMCCF9jdhjEJ zb`{OtS0^!os?NWUsdMK{=c2ekk&?4{{t-tG> zb5ELiSLMeIGAG%8D^}X7l^I#u+$T8_$KHh+(kwZju6aT5ztsg0AMw&Qrhb1Vz>n!@ zXaokw3K zX{=kDRnI;GcDg1Q{dIM}ZW{R-(?+~~^mw-}9`sS{H*btxb2w_?F21J@FQ zHH=sT>C@iDd*bGWw$p+LCEp2Rkcx?SQmB2Yv>}SEda_A-OD+X?RBo9GWx9my>sam) z1<9flFbqd-D*6C+hRD>Jq^4^60W-+4BGj~}RGwW=TqQl#QGVpKaAi>JqwA4Jxx#uF zEy`!+ZP9YRk_R3A13-C(*gr2i3ZIsHZE*jV?PiZA39dl_QfzD2^1CgFaApk+iz$Y4JtB4?nJ-8$EMtI)yd|O)1qH7(U%&HYJM=rF0Mk zMXR%i918)KQ+KdVu8%%lpy>fyuGJ+o>#|EFY^awLzgIL1P-^3~Ap*fpz%k1YNnRW3 z9dQz@dzzuh)&Nzx##-Pslq*TzXk=@%Uf&aEFtRl(U7?Z1*|UFm3`e%cd@Wy_$k2sH zwpLIDN4b(E5)QBbQhmT_{6n{DN^tNE8# z(R|P6<=TIu`46Jkkh>6W%-CO41ovK7IcS*BQV=OZ!TM_9&OH30S@6q|Ysc91R94z6 
zzecL}M&T0hh_=>_@~0oS=w%VY&<1HG9{Q-In!j_cMi%Anhsh~5Th;M%nFnQ9YOII( zT1U(NOp%wY<pq5Fo&R)Mm!9b zNCz7cYW8gDU9P3qSpa)soqoQvF)NLoa-^?gq*s9S5MY25FEAmJ)Nc$NFS5#YpL0xP+-<_URGHnxbo6d!79jv?-jyu(xAQA;Kx)EPi#3|VQKrQemmaxS+Wbl zPb|**f@c*bMHRz^*r1@Q*PI1`|6ikM=7^vZ;4+We$)=#*^0SgYcJ&t>q5tgN~6 zRGo74@Nx>Wd5a@cy#mW7PC&z(b(+zLZIEt-%X4i;uem(d%iraHaxU1lpt`Z$Hr zA-BFNYZR87jq-4DdsF!nh z9$$@vq7ov1uRD(x%t;I)`wY7~a18`oPbH+ zvUyvMO91WAl72X^G^MY7JrZ1X6-}s!#4w(HhCC*m2V2sLwe6#wowV#U=SW4OK*kqd zGN%L+3LXR*u#zVS1u`F?FPdrumHKPV;Nd5ryJ!6wZO2PW_MrI!er`RG^!vGY$aM#b z&U|`EwXaVtygWGEw^1xLYSO~nN73orRbun|(0jO&trXQp-|`X6PC50$U&PY4Bwl0C z(91L&o&b{|(MP>(v2SblW=xOs-KrhZ}mxyvC6O-*B(g|)mwjL?tV zNzMLUIsgca$4tI;0|N)Rb7S1-%jdB8k?xnmB7^-MG|2%p_YHVC&&lD)h*lsY#dgxs z;Lov!_zVhIUwIam`Sxy}qaQNODs{HaAz`$yyN~e^jHBi~e6Thm4jdA~_v`GkQDZcN z*Ic~31Io7>`vbK`Nb|nonWz_yKuYyub0mAW7^>ILC1NpN`^gjxXM{`G{z?9h1k@U` z2)E(5@p@6ZoKpKbcz{ose^0oC1%eehzT+A0@9_^R@c%6S_*b^|-=i5NRmhQHT2=9} zaS0WmS&x#Dl7WG6kwj>+7wDGol@e$&!jpvYyl;Z#onxQ(OVH5K)zGsPALBpB(*HHK z`koN}mk#~^QF(XL7rO$Nw}s4W00rGnZ5Tn#b3;BJxqz!{}gR0VtZZQz!9 z3q=+Yg>EoK!sao8Y93nqeqeCedeNCr;XbbJVL2bWBq{n4vc9`u?DkBbtDknJo9(F{ zKg;~A&8ro!@7k01I*sfW;by(xT(#3rPNRQIo2@?k9yRRFutCVF*TJJ{{xZ@k+@G_L8Ke2x#x z{8`+|A9gaMYfFs`&ZrNGvK|O5XT@05hFvlu*v&}{_k?p8#udVgkjxNEn&eg_wd8+T z)rMEY%fXB*&}!j{tw1!qg2yF{@d%w%hqZ+dfi=v6%j1XF3GbAL*M$$kG}MB}g^V`{ z&r1GyghzpCFdWgvyC7*048PKhx}dB84a3{(nAGAE{^#~jJ{cB0|IBP z-+;69&~VSM%mp5;h}XUwL8J}C!|nf&DNq98EDk@P7r>tvZe{%=qrgF5iV@=u|XjDG+qMhRb2-tUt3D#jTb; z!{;G^d{V=oTZiIOnzy<5h244EdL@D}w|7YwX?}Q>CIDN*OGKW;stVH5_ySEZy1aw< zT|L%2O}qka$1F|UZsPmdye87*_wtsNV*G`7VdS-ri8U2jOTx9ROZlt$CAzV`uqRbG zoQepw#;m2$IAtj8x)hh{naz7HyR!4)+!`3N9morVnUyGRh4|X@;50K*>nq))Pm0^X z;d&v2zBelU5g6g;h{Nz|!-WD@1BxB~C&O`Iqi*+pHv?i)jUIfxH`>P3*s?ukM7?x2 z<@zCeFQ5omPS>O7y}jq_u=}Zh1-XAY z5`#y}yapP5*4$h_OvEi8E-#Pl6|u3$kM&Gkd+jZWUN_xl`OS3U>+q*R-_U5E9xF1s zdeUWaUBrqczn`%yEg?I&2jvL*mUEuRhAPhBWa!yK^0)iOHwl3>u45-*CkeXaO6J8i zm54=G7#hWP$CzRd^$#-j@I1o8F++T?Km^`QV`IQdF6!IUA+3ZNY~sUqHX%ifAS=!# zqsBseP#}l?x~5x^JC*-* 
zFp?i?(qBtdNce{eUAmeYn`t^>wh0v{<{O!vcXw_47~{6HC7hioQY6AA1^B`44bl68 zWeF%P-cvAG7U=69!FylUBsZ9^+vhQZN(&Xrnp&HZn3}vw<@2>(?~{ugbUo`DeUc#1 zJ(Affnj_JsR1}Uc{uniibHV18L<3@bH2l$-ouJ%3u;rE%W*$BsQU;8J1j^RAHt9mp zJ(#fs)Q|`r;zL@8eN>gAOD@VIfV9FZCC#qcjRJE}C(7?SYN`#wW+ouFjop9FG+?k^ z%kwYPx}Fahm}Br~W=K-JEY*jq5Th_yc|t|hzSs8nio~q;h+BJ?&nxUrqN+jybVsDt*O++vr;G-bAw7xWI4dgaiLJj zH!DI5n8_I|T@C5emfgQC(kr-|eEF*a-?#(`3Nv$XEZ5M!i2rs;op?Cm(g=@`B0rp} zh>+q=gy5bDW8v8ib3ucMO8#rXEeT!4GW!MT+d`9YS+e{#6}%x2f)rB(WqA7!ICNLZu=WzZ)n4d z6nefp;SyHA^dd~{ABqIq%D%{f4{SAp7<|k|rIA14f$S4%2%t)9kEm&x8f`M1oA!Ef zCB+jc2r;h#T+56^#94z{iAyH!gNLUIR`Fr4B-}5xqyw;0g!PcS7^;J_M;X#1`_kRU zu+Crj<&9SyUBW9#xZyO?VYEkjO|?8hy{7hDo0j?NjV2mf_)_22TBO&0FSAt}c`)1G z|9E0p`Z{?{w$iII0VnVG56Au6G)!t_=0@*3U$@rPmg?dhP#ZGYu>eu=glzakb^ECE z<~DM*vAYlKF~-(Xs}tyDx4DJdI{EAMu;6_?bpviIbuD#_OFLkNYzj3y&dtb;N1Ty5 zF$GdREnDGLoiCD}+8El4OSr^Lp|Qlqi*0BbZhBCXn5HLhRSAm1??pL4q97g@X59-% zUzgtQlruZGe1>O|u4TexLPvR6#oE?N!-;pT?wMi_qpY!96*Q;b#<#^3G+62~v=!lD z;qW!aR;(+kbi%^3lsGRy$Wpx_Mv-HnhGB}a`O|BIVjeoNaI#v`Bbh6!NnE}X|6c}Lu}X={fP_@SQ})&tvvE^>6M%g2Kx6(m%%-?Br@ z71qjl>Deg*6%+61$=G7G(s2F&EdxPx(ZRqEV`%73Fd?_sm&0oHGFH4OkoJ7pM%E+W zFxU}Hc1?Wra%UOOSjHkCyHyV|!XX=RZOW%%1k+Ob2k382Fe7+MbfPf5Uqh)IYmx`X z%}Yq+60$<#(AgMoXSvB0r7@J&A?1V9U^_3F(Uu1iL6hvD-RJxeNLEn!!sFYaVf2fj zj^Il3tl7m36tywd&mrhueUG9K9a&Et1G7pd%;Tw+L860VcQ@GPBa-q8;p+<`- z^=v1#O1H2g2M#(SbHtpIa2*63N#M&Wdo zmM09yjHOV`;;tV#DoL}Jw0A|eqzlFwR?f3q?n8&jq-C9?nBbSCl#T5P#|HDCMbz>? 
zYzg%{0wOrt)8H3ztOX}}bJ-`OLr*@IN?+s;d>`a!W(nRSDNhMeVN4U{jcD~{V%-Ug zfxd<7jffk}Wfuc{MI|P9!mV8E?nLlvOZT1h#qsB=9jxAf7@m@G848sg0cS3v8a+t_6Sq$93iaAdzbkE`#dD4xGqk*k^ z!oWaJ)4`~oSREoke=}rT#SYU5OQZy+oeYrMO%Zh1}we_MhworS8dF98oHgDDgaj1Sq-lKie|54q3jti3=_uKZ29bUH+s6$jG3+kq5Tg{H0Dc;ZZG2ve)!}{jaUv8`QDQTHCttK}7k*SC8 zarkn%<#~9cqv_^k$17Cisajx`J%m3>`qS5#`KO}-ZVTm~gt@tixqGGJZDdt&778Vj zh28h%HlrY?zylMmwGB7Bi=O+X%y2nncGq_#2#x)nKigt-hVCdT+_N{YnJWroxp)kR1atSc z`=Uc}dZ+(N4@E6Ak+4h%cnQA0zuaZ`TbjDzwSbpnZhkEbmgm<=&lS9BED6rAQn%`R z_1$03_DL--QOzz{eBX*IERPKr)0ZAK3s2kK>^8s7NDD$`Us{ZO4XuRp-Nr;+Je~ru zmK2cYp!^HIjPXAY{8)U~o~w~)+*6eqrKnTL(8g!w?3;aAzs6poI;85|pdKrS;E!TR z!hfvV`OsmI7jMZ%$-$lavCrDyWL&!O=QH_L+C{K>Pn{Bdef-!Te;GfRF$IN!Dq~#T zt|D0}q!y|s3x3CG-J(h0g7sNn?&OVk;b_wHUFUs{#*#Kq$!9Ho`TfK2L6TT4aI_(i zGpW=Otxx#gkrHAoU67e7H~m#0cr2JYVPR)d8Bz55Gl2XFL%I5yN`WtVWQaO*K4MFV zK@P$Uqo@kB=!kw&PNs{#0W|&qWxgnW3E1&|Hm-y&9p0vOK^b4?13`tu-1u#BodC!T z{k4#Y_Z{Y?r7z619gRUdDmkbi*!RKW9tI%-iK`-V_Vxny1YvV^NDO1Kg)w976Z?%E zBKlpA=%sr4ezw@Bt^DQ|``!-{HxcIwb6p}lrl-6EE~DuL^Vw>y#(GNd7QoA+YP`#I zk;1ch`yt=LfK1S)GY7{nKkR1&qf713SN>Mr&EW)VLntL5hwTz#bR3W-tQtdo7hf|3;2mD~;bjLh!sxlQPUkWyX#2b1sL$P zW=UQHNc1>b2Sm{Gtul-~jc$ld_Zx1((`4n?9RJP%@MRlri9O*Y>bJ-Hby(@wd>Q42 zv$v*h^ptKjcwefvnHV+9xt7FdK!6vjWMiq4<732>Y1gQM!=qY+$W^kY|}GVTR7z^&uxHnIuJJJ{5{?H zLEKilc&Pwap*x-!->!P)8)xG(oyl1WfSdr4yJ^ugMwnJF2Ao&&4Gj6lS+PwQIVzJ8 zf&V`8joT2OL#I`ibv;rjG3gp+Rl@K+r3mCuP1F;0k_$`*G6spBi2TB#5g;Dnx_QL{`d?pAfB z`(=Ky*N_3X;;LAnWUQWh#Zn->rBQQbUHQW#THRRJc-`w;Rf=_mG~-2jBp|31Txn|D zMCIP&g{nAshSBk<%^krde;+Yi4>L(5j&(#d<3V{O90wy(6(K#O+o#)C6yp`6O;OvC zHrgsbFSEK%#H{mc3bH_YDrNa+(wQKZlreqW36kd!p^0Z~c*l@q2j$ru{Zef04`QbX z>89?OT|b}QmqwXOhQ}&mH5g{xpyLJ4Y5DK)*-5z^U= z_P~m!+X)=@)REFn!}ri1LqsO8auFXC{@>l+zFpqK;Qd^;u%-nwUQ1{bsB@Jm0%=T| z`_Yy*ms|Wjr29_(=uDi*7oIp%PTO-CqZE0)JigoNvtQ4w5p-o*iP@t02_fAy(da+$ zer56Rh0Ja5Xj4G1r{Nz7#x?bdwf))9(RD*`e2ef5Au?$v$#WxJip~3x*cSC`^gb$* zciV&#N7>_&qd@w~q2|f`l5jMHWen*kPRA8iF@%@AmimYazH9VhRB~yG)-FYr*RL=> 
zYp7CDpmCx_ip9iclg+e(Zo6jC06RuC(Rk_^mEcX}64|DZ2(glsdra=8MsNT7jN=X( z$!&BKfqvD9^d&BS_x10YB&RoFF9sqI&@9dW4%Gcie)RtU>IO7)tZ{}KHg)K~Bow|9 zC>1poYCq4#Kb7|RCF1Bbl8mHeNsE}gv;uZ3Nk>s7t}2Zsa=cs^-g9s;qaEH5!CZiN z>s#2;fa#}!e1}B>SrB}*(P5O;yMO;CM)1i;!eG30J{q@tX-il-=_7+MGdtqub~+p% z`e_#WwdcwWd2i7Ye}F6)@XW1nZNb&-yA|flN2DG=w$~4hMJ!RQR4f}zsm(qhL*pDa z=)z^ITN6avY%A(wH5_qZY=~ zfe|xB74VGrcO#Ssl}Vy{@(uKCx0IiqXgs0MlJQVf9ZgLsV8L)au==$2=#)`4uzHob z9N)+VvW%e*+Yr=D&vyPYxkD3fqWI9s`9o*2ri(bvG~QssRA)jHPbPbZPYc%S70wDA z)~XSE(Ryy7d~U}0dwyogmSCZo90-0%A9 z7|a+CMbwqBT+tuA8k@JKIU7BajvqciY&|6g#vSj&o;mPA}9_+ryMO4D>qAkitY92D=+8gdu|w&|SRY6Q5FmiUo-$ zK`NAo|GkVSLXjeNG9Tb)V+ivmrJfWexqCN-b`T{jNbelU?^oXKF;8zpimP=ro zj%vkBHVA+cWXz|>e15NH`?G6gg%pRQ9(fG{Gs00Tj|rKL%i%%o>Gk36{jooi+w=46 ztoN5YujkSHtiv&31g|BOfY9jhP`ucxSz(Z4bE!~{~b_=8AwgK@z^oWzPRua1?SRE`!#D3KrNvo7%JnxSVs1x_v71MdsxzmYJFZ|u!lPT;4bvlFQ?wrMdZQi3t46wpwy>m+jWBgnZGui~*hZcsam=9APlc>nUaQ<@`Q;$B z!aTO2ae%B~8J8L#XE=l`_CXAZV7uCLk8SUI#%lZgeq!nD*E1+(oc;tED{%*gN1Lit3 z(h+0SW=7!mobX2cPWyr(i=P@V)~h&VLpfv8a68@UM5;8=zWT%>(O9^|SSf`vt&7ff zet1Z$AXuE~{J~M#aM0fH`-8R49&@W4d+V8f4<{UR(RC^y#boj)!rgd4bIP95jl(c- zNlhdvJ|m~@1OD|Wvc%tJ&@rL3d8>+HQhZmTfwa|bW8`v=SycPNBUatv8*oSbokDuM zcAGG)M^44WwRkW3ukUQ(?bZ5fOM}-_i431FCrU~JNIbv_J+TY6M6CfcZ`eTwcP>8+ z>{$NWGu$r+)RM0HgeVbCA&28+yTQm^4p7>YUWeg;UBtVpejg{ zeE*tfhJE*|8lojdAR6b4Qa{urDzk%g*x`7FhrgjjKLU&)6jE(1`8Xg=qyFbm3ssyJ z=e6#<@+_U{aQi5tA}x@bM3!VclvLXA9g$3s(^-1qXgyWA4fXWoP22<-o+&;u)BqPd z8&)Tut58jdLY6NtK+)Q%$yR!sTuWWp3))f$3pxmKz%j>=*IccTgw*e>H|*vX?RM z>@(DA^pWi~IVqSc!8ksu&?p--^TE`x#tl!v_t`@@BFMYG)n?)PkXB8vph;GP}P5httT zqzFh-OnaPE&Xy|biss!O+wHqyP-zuB#&{7nurdg=2Sj`{lQ=ljj6XuzBJeJ@Zo&w2 zmhKIJhg|2UP|KD#57?@~?fNF1;zSbeccu~4XfiHy*gko3Sf>8E4L61~*yC*~j+2ytUTz#E0a2J%NAy?7X{qjsIkLJ?LaAv7@yjwxW+?nD!du zctIX3r=|-k!}lckxM&%Y`jYZHm~_@o;-=p#JZjKwX$0vwTV(X=;p24Igop1Ez>98Y zRB*{>fFdPq!J1gjczhb^NNN=8i%st|kJp;C)m!U)JmrpMms&MXPRA+<#Tb8t6^-cqA= ziuKZZveqa)6)nBz<+$gi_~2!p2I>27s#D79cz z%yU<|Wb;#(YjxA}IHfEb-^W?`@j%SxQ*H)h5I2NKOuruq(|$i2y;tXL 
zdn4A2FKwh5xR!>n1^6xN)g~Dzw0rA*UYAGC+v#)OJ^N$|Ji#UY6^q}R z#jgiDuUwPXr4T<^p7;EozHGF2PQ*W4dl}&bbMBgH_E|HaxSWt`;k`jlU8M$Aj#GOZ zt+iXL5Az|?Y;y5jvx_FS!^j7}@W8p2Jzez1CkmYojg_g~^J*PNzNl&t|L8f08 zoD<nDhPe(yVTDWeYhzHD-b;(<$J|Az|4pOofu4Qu)N>UtF+$qa}uzFnx>V=5# z1K*D9**iY;9;U-8s3tanI!h}Gig-v*ik{vPVlBnXdv|w2B3k5~6HBQk)Ums}DW0n)PZ=s9`U6&MSI3hwY>epVM@z7j{;-2!bsy`?N^Z_z)*t_TFyB za0S7-st=-3i}B|sA1hn2h3swIykaHA6NEVf!?77aig0arm4h9nhBXGm5$-W^$gMJL@^=RniI2>RA!>QLbA4AKa5T20hw(hQx_;;%SfO6uhBjV8VB z1C!1L!8rTY3WmRnP7L-3CPe%8f9x0K$z9uY|M8_+ux87$j{A?~8g; zt~bRQcsVqFdYnb}K7XL(pr7nx_LwJ7>EcBVc#h`p$}#8oG;w2Zp;|jiEeLsD0kz91 zakwFc5tfVu99dHwAPdlaomAU|w3u9g#c6W-Yn|?I?^e}%p#7mi_EBd6OYT_7LK}5k zoJnvXs{!?R=_ZMbzGCB5v4h7MYaIQkPp6CDU`&UJC#vBsza>Mk;!@+RA@nmno)Et6 zaYibRo+JHkb#4=udMA(my9g{K8M;=4XC7_BMd{KRC|P)yx9;J9fbGM)LGKck2ROlu z=N^0!(tF1XEt zX4V21Pbf}~#2bTYZXa)|El3Q)mD01_E9R5wq!m`jv{-x7n?OiwqP-qyyZnzIr^u{h zinM>rkoLa^$Nxew^shRp{{x7Si4lbEWkeJ~i6jni2a?;)i)jpt*hN}D<}0wN?@1}N zD8C`a7vxFCplo(BfkyL=eA=Ee#sBa{;0*B?P_1ORhp>IUdoQ%C1b1dP72-WM+{> z=ni^nIxF2e{Y#c;5*aT--;qC?aVl9{_M zVPGcrpA2f`KmrFR4YIY>7NeDDulGGPxjmCBG-eEU6do}o4SO7o|0H#p<|dpYLouFI zBz(@E`-RL$@sbvC&Wq$t@0SY})B#fP-hb!PgDxcz&@9K-?)B6+6Y55=2{+84qr?oL z)gnBL)yMyAR98p}VbaSaz51QXG-Jf9>_!xaru=9+lAG%c- zMaqzlY$&xkHMmmh(e?Ml+jV}1+i!jNJ$k@ShV$USvoF7SX6u9e@!m?t!S^q;vd&y; zX;0PU$-Db`+jX;Zok$*VadjQ=9#B>PNQlE*De*aG0Z(M0(ItJz#tS5gh?*9YPvbV6 zGNsl2-fd8+leV?|9Nv$ntq#%EVwc>Q=M5)&&#t%H{R3U02-*Orz`Y_C#yVpZ0$ zi#3n5l*lT}_^^`E;oIBr{0??p_QoT}xiNZ=^M~PV0*1b&*A2`T`_M0x6}ISSZVprA z66G{05z3yY_G14Xxer}oNFBIf6|ua1x-?R&$Y0?G4DDy>(wzwTgjEM9@giI(8aEXY zj#5qrNU1Dv(r559f5X>OlJL`+Jx4IfU;3FnkcONO>5F*`Su!kA?MvLKKCyx+$M!Sx z(j=5t{crXJJ7m{e);FwAES|-Cb<`M|pCt1| zo|24x08d!2l1YESTvI@1%2+6-m4>c%;RS;?_B>0s+X$&2EL8U zEPde2kfkLJN7 z_X=>}wPtNO&i7ph4aTOSLg{SWa9w+!`gf9f**L6EbU{K*$TrrDnh5Pg?s+8BSLkm4 zAKu<6$kuSn5>4k$+qP}nwr$(CZQHi3o!;rpowjXvR(G6=u5+uZ@9DU4AJ%$V5nuf4 z;s53wbIdWuaX6QhTf1$9mV*w`o^NsC-4p3I%0pi|tIg_mj0Mz3SA$KyA6u!+%k}8t 
zt{+=y4A`HgR#EVi@`^Q}P6nGte_Lx^B=-b^JlY$^pL7o(9gHg48|a`jAn9~#S+#QRkYy?% z8_%8^x4{SVO%uxqOFW39nM2~4zr9p`U9U$A;roORpk_M95-TgRH+p__D|9$wjK8*XSYbh2Js zaoiva(T>m7FQ5NOuGkf!E4x+VxUd@wKX5mWh}j(L8DJSR+JrEN;;N?QvW@&?Exvf2K?gQm5)Qe9Rgku=Eb<+ay$GQS*&;xn zVFwgbfkM~eA3e2fBVp=d{Ss+WdP^7C9n6IAaQSc`zTO~)aC zAN($m%mjKB(UmLT%6RBkpC+U=MnIDqN+eye!Yuc59riT{wpbB1W2f^`2Ov2Vo;A0*byij8JPxuTLzR%Jhfw2q*U~p7C z^!=lJ-O|nO_Li7f3_$BeG8!CuZXl0hL{?2N;v1AqU%?+{5^2NR_H&zp_)2P!#1bo? z6zc`W3+A?d3=IJCidCcHN+Gj1Vqhp_bhxFG14WR?sJFz9WXB|(O z>5z`t&d-MrK8P*}T)kXpbMZjRgx4A9&8@d!a<6WdpZqDj)z+Cv(=(HoxWn?nSpnx|C|RT3pB zq1WxU3xvlTmE45r0b7ahw!CIOcX~YcdkRKG%{3#Ek*+|MLJuM%BTqlFo3%5{O5IO- z0uEBBDM^;GgnY68++19QCGD==So1G58!|Hx>IprPZE=5e&!meFshg(#=|NzaWx<;p zO&5%lmBR{_cSuc#ku$CqB9Qa&&14*E;gG=!u{UZ&KA|G{+5RF$!VP0kBW@H7q}OdI zb`6$RxpD2A8c8}9L6BM?FNAutUo^*tIWf28Cjj0*AN@T?HhaI9Y$4P4D@ezBT0KQF zl^tSxAO!p=C_${;W#hm0*a*V zup;_|i7z74M^t*ru#@$X8# zh0g_3Bdo4J^^e(Ea|7n!L7FwPhJ2_wd%M4`$~D0`bJDh62K00R(tPt|o_rjoYLvpw z2BAib+LPg>Ko_*(ItO*3nkdp*uXJMC*a}?6A5Y_O#Wxy(e$jI0)~K}Y)l>hjW+uMl z)S%XibfJ)vQAHk8q10rsi7$Agm!~{DZoIkZOfg>oe`E!fqXzA~wiK;?b0nY~`b`zF zka)kbDjF{(PRtOVisod4=;l<5PH&_b$&|WpBLEq^9SCAw(15vI!|11`QU3E;fO0)1| zqUgJEr2UEiFtTQqVPzrqJycG?>8J@0kJTPisrsmcd5aI%DeZgdB+0>?f~b$ynH6;?74}%m0RY4tAnjU>c#}K<+y*W zR$uJ-6hYvVDHd#E`AeE2d2X;XRf_=IG$Xp$A7)$gvKko$B$xTthzuB}caRHD9+?Cm z=BEAA%L`La79DIP&9A?S6ZI>pL%?jUFJ2k-aa^x#CJA?AHZNz-ThAF#1f~hzdpCh+ zbog0cwYk6jWE$GyUBX0*C$V#Qk2HaSO+_qo8fs+lrFV=>V!5V_?lv(5cx6zUVVMFX zIv!VeTcX<)6**Xu-nm!TGuuY}gqTz+r>rVckA1cd*5@k^TZXc|O~@&Fm9C#UECglB zcUVi?ObtW}ZPO zjtn!gdRw=p2EKQm^Q}11{C!lAwP*WINY!>e|H-TNf0rm>|7Z8;zvJ%z{v!SVUY~^X zpFhq2jW~(Si-s)pCpCuTr&uumpN{4HwuC8jEEDkJ~IisnI z#hq9}Nvo2G427*r!L`Vo#n4GP=bfDINoxwq(9{+1G`#7FiTsE+1;sQTCst5CCq{T| z1_X@q@RE3Ut%b>nWw~7MbrKfW8$3=|vm8z{ZZkY?efO`#AT^(+0ph&DU;HdFbUn|$ zL%%k~IOiJz5Y-3L@1h5Y)k9p|mv<1m2Z3i#y`vRCz+wn>)I~a@>YHjC2g#@f<<{=R z3#<%1nh!<` zzx9QNz8eLUF(c$G9OaP!S=iJM>%9ALS^Ao!0(G!2AiE9J0D7_5^*x%dBJy#sr8rLp 
zSmmUdOn~+Y$IT_lk`IrPZb8>s6tn9?_9UB^WlA5mys+k~@x=!?710OJ+#m5(vuFCz zG_)e&tBRQ-t(@nei&(ES=)J!^=65RDvfrdc308dKz9MO7lLG0B*K; zPl1rme3Uz3dnqkZlMpwB34dNmfnEd61vAL>HXqOY%<%>R$YbOo#D?wgv7&^zVN(UKJgqU?Ck3Kp`X$gb;ZLAxXsHrdu|8?> zQ`poXlSt!e4f$jNjQlfhp@HX)?~XYNfa3)5)z9yVno{DfvOLD3IU z@*d;q;>4SI#&ITsWA|Wwi*o1iw|S|$VgaJuhH?h9w4tTNYbB~D1z|o?DW4!w%1Vrk zC?A!Gw*I>*4tzf|1;E|b0LoWi@2>qEv83%WC!Av_YH4nBuSF02S=^8_k`S*o9tJ!0 z+h&1-pT>cgiVm+T=FWM78eFc)I4L(1cN~?P-%*>*qH|r)0f)2&{l&lwFlM(AY+X&^ zD4$LRD4{_kh*$;_c-_gy;+H?BgC&d|n~HI0;z)i3@|bw0uuVcOhZDC-3PTn-ayOEM zMz8g}lF>U{K>Nn69sGh&%4-!!8JbH-Zp5Y4)ie}W?h%mT=AEm&E|wP7I)p3WEwi1r zXEk5uq+4j7*C6QP$<%Bi2i6QDS?%ht;LlQ$-H**TUC{8yYOkM-563$dvhQG&?_>T;iNrMI5@CxrCrh| zpQ)#yi8b8o-F^Md_nV*~#%Usg`j4J2g9IWn%Dq>T6lh^RvdUg1C+Y?+qPxF7TJQr2 zPpFfrXP(6Je_|RfkgN2}FNE1fc z8k>r?r`1zzH0mcsQ|yKiLkcR~mD0WZ*$OKkg_o#)jc>_X!UefSW~*yZFlMJtdW|cHKcEr74N`9 zcx2t@KB3{hc8K{NaU?uv|BmDm?_O~4x~=d2j_*d3_^Pg_0WII;qY)Zw7VS+Of4o69p!+E}uSk=M5NQ!bj7y|_p6--@Qpjg$cif(3k+fyG$ z(;r(|&j;J!U_bzTMCUf`Xh1u1_ItN(zHn_k0NsF$@f4uR6aj_dR|?!Fn)wZ~lhSiU z^tkl^#@AH%P4SxdoT6KE0N(jIxjQZL*rKoWk(WV)sO)WHyScNcmz-s1o?E-uLF-7~ zf7-Cvp} zL2o;hu3|S8q%_LmMH$dp7QtDJ3&7|pqZLkh%bA}HI>&&A8vQ^I2>lXdV;MOxP?a$V zs~KA)EryIQ0iEnc#N;W{C`UN36xdHm$-u&fBkTY`fJlG`h?Ib6yy|`aO8Y3yH$ZfM zH8hu$CvGq}`MvTOy$LrErWBB80xD2fIm!@tiX*RBCC+C^s9I%~5`N}tR-Bcq{weU* z6FGd|iMRf!n6N5uCOD1Xj)(u&R;jVuRwd)m39HE47u`-rA_pKR z(y+=!%8&r%~$@)G>co+wPL~=2QSZLDBj(4er zLzZ{6XV`WCp*wyAG#H89n_chNeh$T(5|s9={sNcsSgcqSUlAUDTt~PTkI=)wv5>q9 z6kF2P#Z^E%)5rQvHIFy9ty!I{GYSQR*Y6jV$fpQhOE3}XjoP#u7gsj@pjtG&p57`P z*%?%gc;%NqUycpEMAw=tq7RY%WgjOX7eLZ8zM@H*Q!mq6B1f{b$Cw&w8XE3QR8-Zy z)ZWHNkC@ZFoacB$>`P>Pmwo1j2@!Y1ILtAY^n~s5*>_mXxC_u~++6u&cs7EV@8kH# z1!Cz^+-y0Kctut0=5VULPBMl5; zsZ$xT2!aR~$~X<1kz9VUGZ_@&(vmS`WvfXei_ECW;6oSaxUow`JCF;LJK?%?Xu3f0 zj^@2oqN$^?UST~}qGFH=lQTQS_gsnnr9sT)R z*l^*PL!P(W#hV+N&b4qe=GZs#-ygaBC4D|EOFtT!7L+mOrVSsu9dRu)klML+R!Mo3 zjlE_!4dz-MT)3+<_wG6H)?swRnyx(nu~-bqHbBECzjN3&lrbMz<8*&I0(zAbP5&q2 
z7stlko8G6sdl*(mRyzyRf~YBG9L84g?lf~_o4u8(S@Z=oAn(Xfj52JSDWzTUolV^s zmjgdj^6@YIxmMv{!F!_i#&qmY4D8F$u~-AQopsZJ{LM41Kn#QE*;pP<&uv}PFCs*~ z3Dpx?gaP2{DW)c-D|H-o+xB38 zv0o2a^~wU+{E18ywEUw1o+cEWs$s-r4vA&l8|3vpxX|E1cr&3vyZLZU}pDH!!^{>1T|-n?Lscnl*;y5Ocj&WPF& z-QgDBF6Zy96O*Q=mpc6A#nwqvqV^8x_5-;4h?DQ98^=aK>`PYf7I_rO>>&$SbL#Gn=zM#&SPlgT_yje36F*?VR z(~Xw&(`gk6@xbEZN@2eW8nsduDJ9M*CU3`6DOnw-5rj#`MbYhctqONNAgn)zcPUTQdjIrL&xX}_Z(Bm7VreJlwFWkDG`OMu@I1E})2gXHv2u0`B&>t6cZq%t(+zn<8E`If*FmyM=H=yxP31c6LOJX2dI- z189$jHuS}_B99oYzSD1wR)Taw)cdOx7)U4ISg5D$FQq5btq_-327O$^ih24hMW=TE zwH4$4gJm)LmsplK*O%zRpTSuo!hdoj|Jzaj01p5Cja;MlZMVmY{LSMR@?!@mFOZ+z z+GSLP=~hD4>?;r=nPp36838k{ z9)zkT7T+f!vPEcQB?3S?wUn^NmVY@rBtV(n83sC5ezF~4ZPglkC%s{DZVyH3eXJI# z5(t5^w3ujED{Ra%O#TqU>0M(AkH?O)M1eUc5%*P_Dz=tI+~xv47j52BkJ~PL8UVX< zdqiEL$vuAwxJZGCz5CKb7hQp39GrkqbRS`wNZ|NMeVY>L0miO;v>&xWr_ghSs6A1c z{1zcHGJOQnkmai%_q^>qw;;0#)T3BoG#g~RP$WnkyjGwYXA}YoEA(rv$g0nk207tIb2yU}HG3(6Wwfy6O|>7W7fMazgWtUy&EI!K8#EkjO|Y5}P!cwP zUIv?S8+!#mjL0BPNsq&9t{b3Xgk=&X$j#;f)y&t{uL55z7tU7eI7o|dSFCqO8WDBq ziL)qvJ88WOa6|g992#2isFUMdAND%RV&F7nNwMQ9ICd~LJQl=W_AsIC*NmbV3yGBJdlSk=;nw)( zGCKw7JrmJ1=~iFZUaxK2LhYWP#Fs+MUm+5n{(b5fnhpKo0Bf3IB3#&)PX@8BDZnPz zeW0s4Q@Q$1BS-HAOC)tBG2N_*RK1ki)k*Z}q2V+m6Ua}K(#;Yp+;eK)uzx3(BDv5h?258V>q z3lEiimGWyS$+yJM=dt*|6FDvpv9!JvYFq^j>aG$BHQQWD^&KSbGGMa|(rOCr#@!de zx~esg6OTIpKi=|iKR91am{-|?bR1p%&yT4kG{jxH=fai7jfLJsS) zZO)Q)maQ;rmi*YRH_wg(UnXh88`I)sqA)01x32eRU8^xlm8RrOC)g!1)H4fRt&@gd zYa{K(0$>-nem9OZw>elTM zJk;TLP&&eu)+XpMjw?QpFpDZWe;JMjSEcyBOZa)mu#%Ye6}TIzUSXoX^;1&IOcn-} z0Eo16y8D|xY1BiDvyFF&ZeD%rr64e+6R6l6|7qi2`_b?j!#zXW0{odODU3SgOqh6@sRsa zs8uB-wL8;PHNm4^-;~wCE3WfdSAXSe@Ftq)I4zsx0RaX337s&_uipkSeW1M%)3xLZ ztMWUMza-nBua^hv74|EQHyNE)52j0JoQKbZh>EhHVC4#NlH%fGU@EnMY~}ddxNtt~ z4vV_TrX#;Ioa{60K5+!tfv8xZS-Ubgm4e8YEagVZ#!u5it7s{*#0$`4i^W z7frU;N4%ONt`uN!N-atPmysMFVB}GpGM8tB?#7HO$Wy8icmQn(y~ZO$})K^pC_u?*{0pl z%5oMGXh9~cNjw-%C)(A6+^{R`{Nf@yf7ULlh_9-}&&M-NuPbP~;?srF?fC@Fa z>vks(fO`UuHQq_eX7$x4%zxC#{gzM`{0k-TVK66#HLK^M6B%p`rtR;-Ufo 
zc+mYP1Hykk_8-XWUqGeVnpW0WYOc8$j=y)Mip3?1jU`GS8!N&{G$cMJ-blt9v7>y& zZ4H+rB%MSVO?VG75{Rmli#9RUIpHx$?e$IBMj3xxKbZ%YL0kR(9>gMT0v_-zpfL^o z0YD&uS>%y7I-$_Nns}aJ@q{8Bb8zOuo*ia-j&r?^vafaD)KH@m{LNOTfu8MnKyLAZ z&m55Z@;=*A@vo4m2NDek1>YnPQ!40D=3ZFZt0An2n)6~$J~*{kLLU)EXLlH3OoFxn zOmM37@;^i)(}~rOU6oW^d|@|jXi?VPP@z-+F{{M|eEEBJ zr(yX59d+sQirIGSvUu2Jm*wWB!+XriE0QQ00!!Cal6h^?s(jxwm1^00*?Lhqx$=RSRrUHMo&~J;bBNgV7XA9u=;8G)=V#AL zjd@6$A=<_AmZIOZRs)(-3t$>-`_pBA3*6DBT2qm3t54{SE4K&=9mN9n?3g?GNryT8 zsAG3pB8I>L+;CtazE#oWF1@p5T2X=4O^p_6`|DwSb)I~>Ne&?jv9g?n%xpGDWEJ)< znZ}@8!vW4U_2vD8++JUHCEm2 zX-l=ME^yHtZ|-0eg)h%1uy@W^RD`9g@_D<%m<`m7$%n>x~i=-xTwnEiHc)-&K5K^2_|WjdOlySdS;+VN<|k4qat;(J-W> zPjqo1DsfbCEhX7bsCzLwo$WMoBw5pHZ`TW4oQ4X+;3Q)V3>+0ud!O2Wk% z(%OlDj6n2aAUH+j6B9b`W=Q#gMwULKhF=ONh$-@|N=c`+^S2)mCQGK%c8)i(MbbK= zSXwP+n#y32%?tOC$&Ro%*gQf3CB^gFTfJjXj-|?m838gN>$Jl|iHOim7m3{c9%aNx z7`I{^hj1Qes^>Wf?bvx#m)_wYQ33>fk}SFYI^#vA4#734yQuAY1Ia*_0C7|ub6egT zTi$w@p61CyYg#54=S(&Tt)KSRrHLDMPlj|y7J0qm%$ipqqMmIqrSEn+hN9eCj<0NaZXt{eYu;`l;w*Io9jLKzg}A$A}Cz6Q(- z{&ByQy(Q>)vD!N(I?19D*UY6n1Yd+YwTD%9n-B!J*?f_vTZ&ov0PR#UB7{R#VC*cz zPf&2Ri1HO(bRlJe?WUb8wrtIS+fdeWJcQ-Pe5hmI&b4 zssw$qVVtIHzm1kzcbJOv&HL z2M9$fWd$;%-|AJ5$eM-r@_z@kpt;TxT_r|m7&6hYbC!6d$cLNRI#_DkQa_y z2ncIG13#<~2?N*K&a!n;g=bl2oIG5ohy>l)_fB{7z5sKVYER?w`Td`r-?$vo%vewl zxqZhB;f~bzx(uvtk1*>w@DU}8pq-(N*fNVP+VCqAz z+3#)~W^^<#kJ&FOcCKF%Ancifi%+x;mf_*`uS+c`c#C(HHfP@bozsmo`HMI~Jx2N9CZgmb4? 
zq3baa-Y}*#|1Q$moeRAo51V{5cc2)Jr^hi$kkD8owg=>O_kpY+%vT#y@=iVo8P&F_ zirKS_XY%*H#13iH91u;<0S#n+ILx+r_Q89fuQSWh9Y2+kKDexX7s7)xxztJQp(>co zs>T{qv@?<34EM?2ShUr^!++{r@Hv<}w0^Fr_K|LkGnq2-NaFF(-#4#( zZ~7W5#U18UGR=8&C0zGmu<9dTqcfRG`vWqj1cecDX_#Six1MYL{964PXxtaipvP~` zCn;kptphq}gFe;fOgzJDVJn04LGDPGnC?CQH&^pT$ZtlTaw~gAF>GF|8CL}3Px)nG%Gd!xBC9#!l5JYtioaub6 zT%E7$W5bdbesiks(u)`#*B8jnPxJzAOdrO}My3NCm6N(w|F6`6?5zJ|(kOU=f!7q-c@D<_TjX5+k>^s@Wt z$DvR-%=!I@Q0n~@bi2@7-Ue1F)jDGz9wFU6~e-N4XBi~&McBik4K5};vy>OCqc znBGJdhTOxr{4)VzSOQ06gkYxEr0{G(vsXqGN1(81$Ja0au=s?L)wN@}p zW|1()9l5Awm2|^Dl>O>?9Xs6sV9+Z$S8{%SMn2@k+?cMTdg=UfKXXjh`PVSJCC$CAvh>Va{k~9WLU`DyMxe4tK5c_!%bapF2_weWo zd*`cU7YfhtL5`(JpZeqiSVNs;^)XR&20B zP-##kSkP-gU8-^Oo-pwI0M6*d3Cl-!e*Y#%;o$;2Ksw`X03h`(Los^v}G zTVJY5#Sawa(Kp4_kBO`g*mykC$39`9W&;~08KMa?7bXnxgy&U9;AOw%$=@+f6ZZZv zX#i~^A^~E)qeRc(^(g8B#uCer47vviR1<$k)XC3SE}~PN1wg<-*SeAQHDX70kTsY5960vn6Zm+X8;IILpJez2AD@L+x&XO|U z5X+#HQ@|^=pIV4kx%|Q?zoW$Wv<1Y}HG7%b_*mP@p39!irY<$^!;Nvr)5Y#qXHK2? z8)b+T7sU4-koaNRl%_SR#2P*4H?#gmyWkH&lT&2b5wwoot|4j=o^AN6pAG;u+yD!t#}5R>h|fY5*K&cVf!?w?L-DD@eiiN)8yMK zg;5J%I-b0YVzA(!RNz9$ZqOZwbL>cNdC zbV-^kt-5t}vIz23pQh+mZV?)xzj!}WQ zv5r6nkg}e`S2$)@AJxf!d)$chn&shx4a@%tDy(UvK3y8;ynRAs8@c->@|#lx3=|E39#0GJK-M>k@}A)>N^ z*#iJi8*E!r{@53h6qSNSNIG+)oc#)Mupb#!jj`yDD4*h)d#7~Sza(Iq?M@b`v(RoD ziS>dv0^?vrvR;?5e-!zCBfX*A@r?L82KIzzb~bCDv|P>hFLD_Po9NzAd+*s(!;vmT z&VHe5>dSWrzy{`d4ZLaTQH7>`7edTe=LB!^*K_X8C&X63)COG!nOA`e<#eBf_xY5ooh9@c;?biGU8~&G@OUVzc~VK{et=F z+cX4fVF(N;BWsxeDT{8}qA_8#ojC>z^u$bXU_4n){qfLJ6`)8 z)eqFy!hQF+{cIATA{kK(O?31vBBBJj6v4wZ9-x?#O~3+)dpC!lbGSKS#yOFt?Y$?PcB)?l^4 zkzdlp3C=f2#fj0Ta6RKm=X%&v*t|UC%x;ZyzBA4E0z3*8sl<3_E%@Az9VweHhILHGu}@w+v&WZC|Ql-~iLn$6<_x5>Fo zG@?ti-Om1d=d+N6kv`m#-9&S3{?n5r_fo}m&m(N_3+Qz;*)flE*O!&@+I&~@SgmJO zQQsS^sCt!t>My&BH{wj}%qGQNJsgH8s9%emvB*Z_BQmFxGh9KLGOV!)`NGq8pc_8!vo1dk!6obF1o^S1}765R^1yj(p-BHQx z9GBoM7f>#jGB=n0DCaz(BmTHVz&ooUWtO-{#o6_l=C+0#6`U-jKyd=mBK1}*{O7v{ zA+suNaXxpBl?qSfAPML3qP(a~Z*tBzbK%uxWQc!Xn!FSKs8pC%aq*3rPcmQ1=96{l 
zScnQ6%0T0_!V)w65Nt#BOGI*cHa9yvi`PTI)U-}JoxkMoQir^2EL}6H#H0-p%$uc} zRu<7xawY1)zQL?};OYYK1mwZU%_@b;kc0vtH16mFLxNr>4J%({SQz$eN?*Y`t4eY? zY+3DRnw}IMA5WLvo8wZZM?D_bGUNl$JZlxtDIIN0hn6M{+*&lVJ-L2Ly6qJE9;0~)4}XHObx15FCq;OCii1COF0oTniGTjz70V!$3=b=vvDlf~hSqD~;Z zOQ888nZCH;{pcX*&bKF^zS-xL_tng@+XxV7yY&R6L%*xOJ*N|H3|R6jGE;N=omCm z%%?wOAYS9C0xBErSECfV)4eCxJoLHW1>|xU2Sg^_va(J@{@$zUdI#y;!c3WsG!V zg2a|P`&e-{gNbxYXry)d>QS8xlZF4)T+hO1lh281s)U9R+rzScf*nbAdt!LI_y7;C zKM{V+RdG6}a{=nilAsih>6yKf1<@h7FZ_31XAf6)*`)KU^P%;~TUq5F##t}cdlK22 z?wPyJB*IT^AD}ZNc|3jigfG)YLJ4)ap7d+R!9N%-Gado>0Sp%)LiXBxYr(r%&w)=Y zQ+p_-jO|3igBQcggOqQZuYv}4H#fNvi_9w~g>BJ1%|$U%@xk&s8;kPalXkWF#gp;Bvb3Y>R~=r>vi zE_rCyo7zBN-9XRUrX#van_xB-1`h@Ag}3nvcEc=Sms)uRm~?_Pt|U9}%`p{#yQ&3hdL5kN90w#4##347r=$BDm<#4vphjR(-u?l6i66qFk7 zXR)@Ci&RQsf25O+WiCm%i;dsl)e0q36I*zi8^>u}xxpuO(=ii`Db{#} zz)Zx>(YLVKu@_8-fW5|Nw60E^#7%QOcYcTP8`)Y;<=^7%!|60`n{k?Xi)Y9~ zn4}+_l_qu^sI!$RjK86s$t4>Q#NqEu-BB@K_?l}Z3;oc{fO#Rv{f_0ma0T5B2yd|6 zZ*T*!KAA&W9?;~yNG=S_s^RsB5xGb04LoYUWk$vSN)SUZdts`Q{~p(dwDO@EX$hnz zG5N5FwYFz41BjT@WJ?P)PP!E{WTiWzFD_DQLawi`U4x7<$YgSP znz8xa#)7#F;6E+CSv8VNqN0A>s^~Vm%`280(>1qb&YQzW zMOFesou{)Oyk;$%8v}XTV(zQeOLMdn=MGQ8T3Sd!Epk3)PuN$(;bL^Q=I3|tTZmyU zl3=O%1`hu_ur1os_2A*k=k8^NMR*Oh{JO_?2}@P9PPN-%2}>>e7SDV4bEJ+{Z>#Es zSJ?+|Ier{yCS}SnX5kt;8R@Nn-<`C7 zg_;yNN0d-h)$sVsvbLLe!jP$<82;f4Mxt0;s(4f?7L1@xngFbL!@H_?w`Ym0?J4Yg zif4CXk_F7izJc>mAO<%dtsL`BZ&5v9s%t})11s!l8pN_DyT*lSfm#6qlL-QB=owsY zV3)-r7v=Le?F75lY|vr23ZYwsa4n=oGCZSpURtsaN2%ljnM0n2ETg4nzJQQDjOvs`0>JI+4B zY0?a{&$)(%cC22ULsV4*i7oHb+}M3XR*vi%rf~{8%SWvenaT1=Iz=V*V<*Fxlo8M6^R1|r4+dJz!D zVdpG7>4PJ)g89ai=;4*^xpt7J4D_;R)|oXgh1?06*Z}!%tY=zx&e$W-ZwCnhe_#n- z!8kR2F&qL3nJ&yesA@rdJ~d5tT3mJV=Jvuk z=_>Jkn9x-N+vMc(kDw}g$^u)!U1n@=IX)*^@A4zKikAh9S|S&C+Hg85f1gfLC7-E) z70gotBwX|pPkig7nG(7BcnhK7**tby#Am@ua<^R|yN#uGxPl)6+~zz{siVbu%?H zxNeGMdNGP=kpDD}mA#8r`S}&;>e3)=Qo0Aus$1yks^aU!YOsgr!alR&*DmMy%xJB6 zeL`E<8#k!#)yp^fDoirQ-I>O--hXT(cx44f2Oqmox}eZ`iOrwloCNG_=lks 
z>IhN$oR9f}d5}d`X+tsD?XSI#ZvKHBs-F}It!{8X)_ePGhDPbAP#YV)6S$2>p61RX zbeuV8yj=0ezYRU!%;F#7l8;-=%c$`iW_bS(+TJNvv@qJz z+_r7owr$(CZQI`aY}@wPwr$(CQRjBjmCCK^o2pLt!%EiE%>S^m^3O5H{Ko6B_(Es5 zE|cy^%+z5B(i=@sQnHU+lx$xk@W2CSFRawXs~g}02R)lnA}@jI5=>; zKO|WJF`n790MF)B`hJ?lg4u6|xjg_|ZH^MmV&Nv^p8a8;pGm>`3j_z!SjU8qhdy~` zpOSr)ho6xmcj-K`0iRt{%CxH4Xq*v}lT7rN$bHm>1^h)Nfa4D3kSS<@ua61JGb{v$ z$AmEq@g`Ly4SVmU`B*lo!|a>n|GwZPz1t5iiKI(wCZhE329*5U#GaHA|K-c)0TP3l zuBpcmus=YKDb+tDhc1HBtXFW}Ah{7UsZ75RNvN(EvL|?d``zR7Nzg%Ic|jk%Qaz8t z@gIUlJx5SLeGdML5Eda~stmr>FT>aXl!7jBeI>ZfXg?kBDS z?p47Ty>nxc$hKG;v*y$dn&vV?A=3k!Rp=^HKaatydi~^n2!x zV!ESbLK|HpfxScrll%w~KZKbz!z4lL0aYhO(pXBid@XX6SbdS`$up7X`4$tZ6Lt6U z{XC!HN+hQzF8c4LpK$trZicentH@@{$YC>kTb;aJ9UYBj-Y-p6HC3?QRNcQGx|^>I z0g$nzU$z}CvM=fzUhFBv;eJ=Ky(r%z62nFfzvX}cVJ9J&5fb!WRKqoiFK}oJb|9BC zlE5}n?0NpZ?=uZR956(u<0{yr$1z3Y z1E2}E32dC6BoKiknfMDj*gr`!GiJYNe9+}y^Or}OEh2ywxskUwwEoX&3E_y>bMc~? z@EJ^k++%g3G8HXsF+Lf<;h037g=rN^CH7+C4fvHx97pZ2LWmElV}8g82^dXNdun4mpsp3>hTkpu4iA7G$FuNIf0#3dN z$c@T#1E2moS0twUlKLu`5evoOF-i0p764%uOE&&thVl48QrVGsJjs&4UxW#8*rYb; zE70acD;O$xtDsgwY`QiE@r~CGffmL4NQ;HYT}T^D2d!GH7wb%Oc&jb9LtfiyD0wvi zer>l;u<2U`@ASP36Dp;Mz*mINeDvONF#;FR`7~K|QcW8ZNvlypD>zZvbky$RHL&11 zq`qp-*QtRv7VSGzTTnuF$2i`D6%>`K#9k@`&H_2C>iG1kt3}Z2>!RR(0|j7J+@Kr5 znR@c(G~eDH6trxix*W~zy&u%1&@(_DoCf89nrmZU6et&iJg~$y&mL+vt7LeMEe#Fm~TL5_#2Y6J+WHMNZF1Savw*Pi4 z(NMU5+<&p09yae~^=#a=6YwgDScx1a?gL7qc7d{%KI<%yyt6?siyfSjk3}Mdx4rqeo zYZOxX-KcI$*$&-Ib!Fj<*k>gLyapHMYaVgns?OHX!rHcWnuLuqo?=s6{-LUsZz~Ie zY^K7h7T8o$sq}CRw?*|>PbAc0KW3-gFg@n+xrE^9fV1p}tQIjUo0om99RwUk7*Eb2 zw-FDy;L#Vv2rPB7KUgz5Ym#oGoyp-eKt%L0Iu5cuSwjooCH`o0?vx*LKiEPoElgOF zjVK6nXe>Wh7zE9eYMmlpE1W>9Tn}fl(&_eK9d@tN+B65=VUsn+*J=qbq7!#_ogxU* z{KnB9ya|KL({<7w07?)3j%d%#AbppKkfLPS)JC-s!8&li3_Z$P?nWclB`i~1`ml%U z#Ef4DO&D19AMv4#?IvB@2pC1mE@vT<8Xa)5LYwu{jtXrThiMS{f9I7 zTsD43Cl4nFn^#IdR)CX+%_Fm_x9aR&H~~esu!DW!TJI5W{FzFjONG(lSsNXeq_+BN z#4@CR%}L6TxJno_c!|SAp|5kqiRpf_51a`-O`U$WnCYBYad|vs0vQO0p1~Cz#{_~W#QFHV7k0(^KC#J 
zb*}BB9C+=Y`{`D?>}DXWkirrpVwolqSghdY^6~^UC3P7l3)c0qn%`(7e|h`20$eQt z8#vXI*Q8ubg+?V*V2ehULsq*apR*{cpGR*ILQUH<+Y^ZSWNB9>%UH^>l?`L;LM0W7 zHUpzZsGU?-nM^w=di*@A?eKEk#m9-4kC)Gzb!2lOZOen2i$s|sN`}?*AqhE6EjN0T z*D*NGT%AS27Xa<9pS){&l8r4+_&ZcSY}kx~1jp}9{`zMtFR)6*Jru|XKs@ap_G-hv zJX*v)_$ayEjF{2<`4QmmrP2f-&E`l@=Z|<50_Ymmo~MG)n6nnsSF1VR7a2B{5TS|% zB#TNF^mgdSet(fg@a(+WhJp4uTb|4bn3QI2BB(-O>>ap3zuH+anTACRLU{;Gr1TgN zL950vf|UoA5uI_rlmT%mEfDRTt)AFXxekjBQBC1yZNZ7D)}q&KeC8N$AkvGrZE>*| z`O0C3z#CV!a<(mpDSkvz%+r)8rq$!#o7KzQ+7E2z9Gtx6y+qiHG%lw%lT))mJ97DW zu)S8<%1>VgRn-(-Kt>^(9=K(q!sMQjj)akYqs+jzkiiBvo#fOjq|vot5xO519ARNT zvAXkJm&bh&!v|*aR*Kx{hHLDSy_~_I{$Qe-BON@C(^;aqx+*wa&XYMT=Ow(K{x9qg zSoocL{tujW-p4m4o?SGsoh?X3_0kv=Ud_X+DuRPg$4UDvgOnS_9%4#ria?*$c+j(y zuP1KETNOA^VLBrUz2?xgCo)>=I+fhrDFVsxj31r)6)!EJ$g=-`x*7kE)?bYOysY`( zTZaGoTKxaL?HBWZKFR+Z%kP=g@3h;Q)R~&IQz>~3VQLb`hCNNqHR6;o zMENKH8yIw$%Q6rS=Dd66>R{!3+?KziWR_RO+F z^u0|y4;T}~L?g6&UWrlP;>B9tbwH?gRpC}A!v z#w`l58rfTPR`LSG*fVFwqKCS$g&bKlT-xNk5-HnFR6<81kxKn@97zAxMNw{9F*OKl z0mu{iHPuK+_;-k2LNhpBRS$qnMR-9)aDS0OJ94%ntXhFdmk9=kr-i}-I?02!Xfoxp zgp-qZlpbnwjLAX zBISelYH?Tyr2Kr&LP$xW^bCscsbgk(9a=Z#gc{=lLvTpd*$Sy?>ljdE+!N35EBAOc z*)A#!rKkE_QWGX9O98pE@pwb>d8qejs<*LmnI4z#Z7yF{M|zL5(+vk++bxMbNt2V? 
z5I~N^$e4^2roKw-eKFB2Nz>$rj#y|`eieCA`G(7a9uC3s{FPIpbcu;7n^MK+r@OXg zQR)TWp2BVT0U%|wdu_++mppd|U*>PiLn07;;DDgtvaMscrmQZtuJC zo8sY|DQ9x%MBgex+OPxDN@QXg(JnnIy(rJxacut(Nku(Z8wIoYs(caTSoKQqgcK%v@%QHdTODn>K=Bji_h4~ABH{o+kZV4 zIQ?yA!ZI7nXO7&GBz7I#j8TA%wS+++nQYUPyvV{3GQpI$%v3Ms%21kQYuFD5ovFw; z*oq0_4XqBRU2vR@xByKYMz+R=R=tn1g?ipdNUPT@%P8QWrI4aBaV`Sj%ui8O$nvQy zDceO!!CA4DrgrZ9C!0v=AN^fbd;*{eD{tCzJ%;YQh?S-v2L*E-bRR)Vk!IyS&JOg)^6Z|> zr`5zZ%S0lo5cH1G&GBI2Zx(-dBA5T;LP_LhMaASIvQ|QhJ6-@Kt5R-fJI@4MST|#M z{#r5~oq#Z|ukoBP^geibXn2{y_`>e1s9m1jUu()Ctc+~x~$BRfNF zx@)kaV7sMG_LDJkgb?R1G21PHDYQldp;_^4)YI`_zKI7C4UMQmM3)j3Lq(~QDB6l8 zBe5yUHyoLgn;WB3gXp@25*gB=Xte@MI+X+o4N4#2*`iRC{K7nPa`2jDky9%9V20W1!seMvh z-K<)9pnT$42jhNFo^hlK`hy{Cy1zcTKS+TG*l2pYpXQ&!DIS}&@?A$z9$@wN04pyX z`Uf$m2yh!3Ys^oqbnv4^SFZaH3|1Fv5sFRw)?FW5b;7{APL+wZX2|T#cDuYv8kTEI z++JJ3zZJNaE3eVP6Daq{#Q%KGq*!m3+lMgUs+l8*0d;A&r&Tn&GaK{R-dr*$q{YY1hy2lK}1@+7H)YV-bz0&i;bXl!K0 zJDEK_EI$U(v8oxo7(Q8TB*66H3gl_O^sSN-msPkHEu1oUx@(aknbe=LvT#fK8HxuK zv3xRm*}mg+$?QGSjt1%HwhVeO{6LX`WNQi;)THG^Hq(l1vLd{N`2=6XZpG`=Z>D2E zz8=EXn41&{C0bCoj&)QA6@lRKvDz$!q4KI^V`c6d<%`LQ%FUfu!Og$4w2egFXlf=# z?LYoq*Ss4Wy4=$mAfYTLGD8_Wg(1iu$3)7h3$yN8^Hna9gOf9@WRlm?e+uplWde@j z1C&LUnZK1NTxqaGeX4i}v6(E;4Vh)%myc(H=-#~#iRP2x>FHs#{Q#rgB_KMu7b>Qn zb@e@t=k5C9F#iCjY4*39y)R2_ZTY-}WL~fr{dm;r-5#iiBa{7gob<;js9!jf{904{ z%D}{LIVdtCu@p`6q|4x_cn6^;Kndw=Cpvhn)sV+GD7jSkQ||G1my6s$ubawa$#|{*m5u6sq@d zT;Z$m!-_J}$nMG5w<5?*_090*8?F5T^>)k;vBMfru_3U`d0_}8R8Q8QJchx_zQmSLf+H+pL z?W&{VTpO!XFQ{}(ypL!E(U?Iqv=%XfC5^;SzE$GMAAu$cMUMnR@kdi6SgVV-3ax++(u6Juniw>A62DB zps>5a(I*qs7ce4s+ytc)KNI^43sn)WO`9dgzEZ*b(`o6j>K=%kjNXbqQA#5&5(Z*; zo{+v{L9-^EZK=2!NgBI|GW>*BFe)Hsvr*D z@8@TBdd`o!*?(DeZ-Wn_7vIn0^u8e0FqzxPQT$;mQAqo1J`f&0!`4?#d-vqIrnM-e zwNcwDew0m*@oy2DJIgFCZOEp2a4Is+_{(?vjGu>F(`?K$FhY$}r~r(>G(IiJrW*O( zRx3XaHOQ+k!~4(C$C|P2AucnA4QTjd|NgawkLtMd{l=sltYRg1QY;Gp4QoGqqGewc zHMO_=UAqB(s{7vK0(brHbq}|G@iThP%uT6e0WTp2G+kb=R%ejT>hvv<=jLav_pt42 z*U6*tEMDVe1G8a>4~}2p3#;9#bp}KKQebsq=d-_SedeuP6kJ9a)obnK>!oC1Al3He 
zA5uR>h4e{&Q2^fQ3AniIJ^v}_r~znqP))(XT#rQD-mFjXrt&!JUyvZ(`+tUgf2(mI ztP3BpvG`nbHC*+1zrxP0}p2^UIDx<5P@0E|JbIxNpx zdJeTQ6V=~_p*2Q?9vFsa2VSOCoBb2N_@z3DY3WRvW9C`0O8gtpLg%9gyVCVL$(1prsy=v&p8tX^)qFLE)XHvJ!WawH1@*< zRMLC2no2{b;eTWW>-Uq9owrpOwI(ZI8z`0=DKLb9b$u~DeY;bHeLd6EnZIaN#%mgf z44o((H8pFau##_Ct)cce&LbNe$>)9y0X<`TS1?km)^$j=#9B+dorUD;EH1%*q=W0K zZ9mm5W?nEXGd3GKL!xS857)tl?**;DWo?n7DQV`CSiZ&{#Y*~IitLi25-D;lpGDf- zTc8O2pDddfqvHG;QsR5e#PpjA>yCq$tvg|ZrqTRebhl9W($0x(`QJp%`MB)FMr+PI z_&9!4%byKb>vr_Ky}w7$#OnB1D3%<3d<>I6ud%W1tMk4e*YfljgUhP-DtzuxL|PhZ zPX>bmAw{Kq``jw>K#btYsLQTR@W@%xV|q?Zh>ZTFQ|p>Pn|7bIv{*{>DyY%cqH_l# z($vMJRL__-;~$dO#qziVqz1)%CXe(x%lpcl%Ge?*(=q@s2VW1iRC(j56t)&C+H z=-T(&eNm$E?Dn0y`KZ1XbCe{|mzf>B37T-~Su^ZTBBRq=Lr&qUwI-Uzlaw>^b;sBL zv+CkjUej%=Pv9dP6Gu{aTUS?CUst!gvk5y#KA8!NoHBB6*HcGDkuUCKvV97!kO^OX z)ltxkyYueYkxw6O+(b+C+K`-UYxj3?Xa8s4j~%Ocl7p)v$p%O@58>sIK3OxnxZ9A= z8_HFmR5&U1h$2&Mxr@i^Eum$OT7svt)FcIdQZI?0WPOmORzj0kMl*D$IkRNWiz(}L zu7w1>_d)54D*bq7W~P12ym0etI6{YxtOvcA;z7tCup1}Q@HPqMA(`jZM?r0F7ZXO_ z2QA$^#3zbg*-1>FwIVr%eErO2t7`x!6T?Jxrwh#JnbhZ`hB0e2_3iE;y?=du?|C*? 
z-b+#~F>(OH&(ZO3$oRc)HaxXb>Vfv#B|@e9y?A8rgk8ul|4?tIVylEQFhmZ5;`{Ui zCJ(pcNx9Zc}@ki6Mq50|Z`K&_V0(EtSq>@^(N2)woNHaZMqlXwBUB^5}EV*f( z@6*B2duJZKUN%l%4~OUG`ug~T{=cy_0EAKL=Un59nIJoAT}Mt5YoC0@M8>gM~gf3o2+=SF1yRCL!wd?3U_j0viMA1uGySry{H zU70m_#Rih|cI?!`dAkq|o~&fUbiZ4ajCf|HXG9}*DM_}9(y#c&ppUDzUaGg|88*j2hY?a&GGQ?RbK;xYR#gNOu*XlN6>TG$)TY*3sR0yKp zu=pw-ETE&|n7+Ou&1_oBZ=~Oev4j*;9U5=1rU!RKa?<_e(wca;OPF$M(%`5mj-(=* zvMO#;<_vfXSC~iNUK`QZBDO*Ew#7)Iz0Wdwxp*Q2edaT1y*`E{`MCxdvU;rYkLDcy zDoEJ?rI9*`mrGkRH)v#^%}71(0d$T#65trW@prs>J(8p=gB!8RXR+ko`K@12a}vxM z3D#-xBrLj34=fZ-YA_D%WaY8tp{1Ri1HnP~trVlqzVk z`&4}`r#0c<7k`Y3*k$&2*={jUp|0}c)`7GW0CJ-_?4b*>wU!%yq`QG}B?ascF9DX{ zB&bLb6m8FVC)2LgsviG|geEpB?2OfEV0!^Ge}xO^Y+JRs3~w+1VoQqJI)A88hBYO~ zJg+b&(~|W{71my+GjO6UcEUNAIkZK0Q$4=@#!kGV+@3uRA1eSjJr&nOM!HZdu$+=k zeQkD0gipP5nu5+Zi7g6pm9l1Vd+dwJtT+^JQP_Y(IbHu$8npwPIoU;@J2_l`+lSm< zP)E2PfB%HzeR=&sXJ)wgof{p!02Iz3eH%yv@rwaS;6cRs3n&wSwRVvabGPyV?ZQu) z4C9anE14B^Ddwl$e0~9(@D%y}j>;aDdMnhdMux0#e7-Ozc6tE`G|=-A(XyMu%DIt7 z@^b2#o5ax+vE2z`Rgpc&Snh*8L7<-4h3h14XHe71TF)#tF9;ISd^;+w1SlA&+eynt z0NA>TTPl|p&B?%OiL@zx(sTK4)ii!CVp-M~Uh8(IgEv zr;;?V5X`Ev5*-uVan6od0jvw02UW%e&@?ON|Jhe8CT5N6?G<~QC&u4V6IMF1*}cLU zj;>48_Z5X=Ja^CzKYG@x+hPY>i?lSq!*!;g9*4Tad#Mhgk*5wY%%&>D`RPXRn7bz@ znm9~Zq*Qx5b2tw{^*nw4sA15Sa5Td6iHR6`lg0IGbOEQW?F4=!L0w?G1 zmDub8$_WMVv%k&|@)K>Eq7K5AMRh3&RlzyLs}jH}2lSgmn4D5a1;_ysxqi^%ab!OB zDsx$8FUmqMVdDNtN_ufKAuPHmpey}}=bt?X#O5=hIwH%Bn>DfgZ@jc@;NwVjoB324 z*UT0eu~`pVTcO{vUMn5_gTHhiH}~Hbc=8ra>qbrmf76ZU zt-U^)bJ?C=bO)M!9|k_QuKcfWygIzdg`OU~Q3&F@LRbI>PA0$p{kpr{H9P}~jk zB~$4RtcD!L((BL{5*2>W9cBJv8y&S76h@g1eWcfwjH4Q47PR z3$U91AOzmw0Aw5J;aVBys_;!Dx6rp>1E(ruX9e*#l`jJ)sW z1o2?*JF$3vefoqa6QYDj&;V!4)m$c@@86fFBXdMhsF3Bq$m|is3Z1dye_kC4PTI;H zf(Jz7Wkw5jVi`mZ%TH`rbdr-bAYI19N46b!7mD%N^&E64CE&UK^ez*&bf)2n^t%$_ z7qM0SjGzCRj;H6|*%;3_e75X0vwJE`&dkgH{>Y)IX`%PGiA1T7LY!AzXARk~rrtdiCGvyRgS`~)BTUqNIS>KM4#-+U#pZnyvAfU2WC;n@g!*3L0 z(;J-(;Xjt{a)77Z;{UWdl8^N=ji<7oFn4Pwbhz8+^yAsV$x+!M1#)hC+>yX>tK#<%@L8`)O6NnHJs^U>(k+N=6(${V$H`=?<9 
z>>|5~?}MyB2l}98E^rOo7gor;;0B-4yAUpZk|a91#6*#;5s0`dYsNbm<~lSbA0eb9 z=*!1GS6F@>sD0J(%5U^DHq@(+^1P8(a#`L0+Fm}l+e$M)LD~9o{+eG1&SkGTrGUiy ziY;yVfH_88S?@&mGP&pq*#C*IsrO`!lr!v)eZVPNBf1V{%xQ{%;p$0Lf$svCm=g|a zp6^BOmNDav8ER>1V)jCKz^zMkzz4uU-{Y76HQKg)g3o?VaKAJUM54HSo>=@lixO5W zAYi&24h_K_63W&fs{)&ZG8166;u4_-wk`@86}Pw!Yk}?O=sN&OW9XI25`Xgr{ue%f z!05=~U(YCD=qwm9EQkf3`AVt}a^qV0kr9`gj1l7zmOB$DxrnlEzh-uJ>vUtzitvr% zv_X#JCMzL;Y8)W^5U&wv#E{Kgcj7tLDPl%B_~e*80r&gmm|Y0~J~`sqD+e=Y0d!?+ zc&Zi$!Ir!5UjIQ~68IHK86Y4p&^2v+-p`f}ti3+fh9^6t`v(3(;a)@Q%V+IXzIn&Z zG?LA8F>nH`*P0QVDW|h=oDV}Jb0EN!k%`2rz+n@VnOP7_gW>vNz{(O zd|~a_T8Re8PebPOhoP#Iw+Ry(!+_y|eBl;KyBjULW83b^F*s?*U(Jv5palpWKZEk- zoPCg$#@kNskJ3GAagUL`qsGs~_}j$Imy*YY+0$YA?BB?K9*^IhEWgJ63UdW_ zdldVwBae&5U=ajAT%Ki$EWSk<6t9{9nndBsR-RoQ{q}Hs`uaTFT^-?&%YWhK^c2U- z>1)+9P|u~%L={&j5ejiO@_8WOe&sLf^Tmmcd&t}=Kx|jh7j>7hu*!F^WV-JiEvKNY zwqtEW1^zVrwak*Z$d}*D0Sz~-+;)o|UZ?7mCtDS8#wdiG)fm}3H3az zI2XtvV#&iEC|uvl7)>?hcmxoJ8tGHlQ6X>y6u?9c2%^qlxj8MHM>B%tBv7%-+Tr|O zZyo99J2U*<1J)S$68xKy43w)e6HS(AmlEaZkE97!4go0^IXB;ro*Pxjcv_j1~|Kvj%lFZ#^#$B5SOGb)G z|ED<4v90o#2`tKmKYMuDA*%ftzaCs}*sEnkPUbm>law{oB3NP;^=AAz#MV}zDYXPD zR)Ad@6)kvO!?VzaH}B@S9Z|xX1wk&#)O66Q&j2`pR&CpM#=X~}-OX2x@hY3`AcP#l zy4pSJz$#bhQngC*=b;Y2M?#&{?_hADnI1P5yIj8~+oLN{yF3FYXf==!fnLsk$sRj@ ziI82DKL(Cp3*?D4(TGSKz)=@WqddSTomPQwqJQfYJC>By0o_9gtUYth1gf}OnRBP~A*@8aYtMXTl7;(lY>t+m+ zY(U?I_^0^*{)#~gW*HyyQVLd7U4qt$4iJNHrT4V^?DhJjx{@AZ>VRgvoGmV~GQ(R5 zNTeGsubl6>)X|g6+-t}3J}Bl;^n$JqY^VG4c+BF%Z`_4`X{6LsvhmDmJQqeU0bNjE{-ftA6XF9ALDZ6Z!|# zZZ5)jK3b@xaY%w$V&hAFY4d?j`seQ*5d2^4Za*#CfEAjRrh13pok0?xv(UA$VDL^O zqR6b91WtR-{>_OkthX$Ln|d!;7zwKTGr@n97Ko}%Aqe+zBdqPL0BN<97C4Wn1+KsS zLp|fD^R(Wj?Dfvlpt?s&uXWJsPI|159~c~!>caK^AT=Q+k{sRoXO=P-G_bN3HP{#{8a%>^ zC5bPFihy4Ylf#Z#)8`;oHDqP>B7;L472W0Q;?!^vSEvQ(r33<1N+A#+=+uKO-&L5a z-0QF$3({@|glvIPFqdMPGW>YfG_q*QOES{V4=VUgDqwdM3nWGuk8N4dZy8gB*&!R{vPruJeQU9b~ zqqc(EzVo^6ImN{X*oaDFhYNwQSQ!M}zbV7wyPUttk)Gq0No&c4orf--NPO!s5@pqU z7mhwJ*XMtyoA9wt*a-lwVpPvfvl?Z;X<|Epm7hz(^mx{hoo$9LGb5tgfOOttap~9L 
z7&zXGm*uzW!A2TYEOUq=*37$(NS=3dw!=S9J1n2qnT(^BrP|hN<$CRlA){ukU=7D2 z4wq$_at$tYxc6Rd)8F267O%Qm1iWps?%_%<(~hC2@jqYBD#G-byn7zh|$%;>omP^_{<=HUEIr|tDcA{nJiyAp$+m|F<9T`?4#a2w>XeZ+t7;;ik zgiU9yY>;)m&Z##4Xc7o|8#Zh8ZTahwHNLVENEmj8mR&=L5ovS*}{! zWDyI034~%BuV0iCB$n&B3d=89yB8i6o?lk*WM-oe;2vVXi~QsL`s5qzN3lAL0{8VM zr}W@+--p0WtH7{#KzDUWcQq(|kVkxFoB~tDCN8upL%sB_)Ii{F2v$-tS&eAXXT24Q z^~F{ICaX##Z^YQ*yRU7Ekze%QdB4XO@LESU?rVpvmk;>9K?L2U`^gmq^`-I2a}Uxc zFt~~$)u(xG4nd}H+PESaAAZc<%;w>ISvE0U|?XM!X54~7I$PfpSwx&4Mx7747E+D!a*&lZG*=4nR5+hJK@$0 ze6c|@%B1tqW#MA&qGz?VW#!}8U~r^AEwfQfm9YJSnV`!m;&S39f!W3%T^**iQS98v znYmufKEBNJAVI`PQ*`v#lZ%6|fDQ~##1y-@t$lwQyF(ZlsK+8#IDKuU zf1l`cp&WVME?et6zmh&jc3}f_94sejgB0nF^&{T7i~2e33)|i1 zNn&6QcC4kRM(i}u?~qO#Nm4S8RqOylnlWPcSG87y4JlkpJcwJtI&w7AA+v>~jKW%C z4uGg9;&D))lf+OIQUr0Hq95V0@1S=}y$=0PbFW|8b-wFMlPB~-rDQ{`rD!|b|l9Esm7AG9&4sPxSXt{1i3OVJ?Z2gyI&^dL(-Se|S>gC}b?xhG z%x=4r3ihXJP8Z_@RnN1IX0vd{)h=3D6kXn?-9J!?cD8)p-|n$1z%kj(j?A%?oqoqJ zALaV~79PwJX}?yxut*F#{L!VKEqZBfJI_>IlAlml+`#fa`7%gk{r1zv)Gdc-_Q?jDwd{Mj01<&!7iHO)zW6WZ0RGn3OMzl`Wy}MURW< zW#S(A*D*OIH4kSZfLp*k`&r#W7Hide4%Z$~V(g_5U);vX}5)J3%RwP1hl(ZM- z*-o`1GJ?9J{+1B@O7Z))ho`MPGwFALjx5){_?*|<6$_hT$5@M^Thj*HFicLyh zti0~mIU?Il1C`%$bcl$7r@!Mdqv}bLfm`$7Tvem2c#<`@azU!6v zx${AU{ZITrW#+39#cw%(nODLNJCULkyV=ib)cBVpbRlzoi6j{-ljYi0n%tf)DKXz0 z>;3J_d%6AJ7cqTp{%oR<_plRcV`rUHI&8>2TgRBlhH2Z31eCWtf&J8ajP12OlNF%VoB z6A>sMxMUeG5L(f8Pa+{;9;xu8n<{r7vc&HXuwuSau!{jY~B*sd>pt#B>@a7|IN z;=Qm<#i8HU%u_#DtwYb;GLjh+*dKS@*bsN!Wy!8!Mk`C2mLUB)`r~S%*#MkXYfLBQmFnbKvpiPKa#v0o=h#-) z_tK5p#3C9#g7BMQ@zyN{Xs%rFd62YX}aWbBK?%FASJeq$KGB}N7CpCY1gC3T-Nn0 zE@t;5*r;b_Va-#e+E-fO8lQuxW~DJ8C>L3?lnCBfm1+i&!&7iz^T*{ zve=ySkw~0TQ_)A2{i{;XA4|sF0`&8K^sY{goVNL*&%%d01~VO%UDgRM3a7MXl_fa^ z?ei%QZx1x({!%)YpA37psQWClMvsqw@l^d+AZMc2jYj_2qsST3_p8*1ks50J$x^$) zcf8(m&cS!S5VP8VpIrg)@*Xnr>jciD^S$Uz@0)L0y!muVhdjpYKMUgKs(iP5y8G-d zLiXkE>@#G=zV*BB0E1kdyxkoC8pVI4$p@&OL4m+Q922|F?%miIZY>n9e~T_KR7}Vr z6G`cJ>nECk7U(k$RUqA(YVjEGPyQ9~V&D+7ASKV;(V>1ibSIBpJK0q(~K<$g!XOsj{LH%YtAmp^6nzX=xFDrKG^pBZM 
zbo|})1%GZ?#R3X<%#;H0!ig@Ju2=PTI1y@|B-^ytLoabKwvx0zdGFdrnl+6}A7Sk3 zlPqA84p)P7=3yLl)#j={`zgoPJsl=ju{=K<-g2*TO*Q8AJ2kKMgo*djf7~N$trFBu z6|`b9lLcUS<n(`Q!q`7Lo;ursqPUjIH14WVU{!N;*Cy8U?NV`?8@a4#;S z^%?3NZk2xbwyhmYM1sBeHyVU@hOnbg}&LeVAUq!suLkPTwy+kkMMcMjQ z#uLn?18DdMD>cimxcW=NSddQ0o%m&84JbunqKUE^`l!cEBb7qsQ7Wp@t4F7W3hqJ; z^tQQ`iDW6(*qsDKzU>~hMC>SISfb@55)bCY4^TIlSbT2O8+0vst3;70J>*>zLkD!` zla@^yHMd9a`ah)0d%toZd9s@&4w#jEt=i}3{>i<0eZ3<2-pX;ca^!UWBxRJ5Pf9GX zTxciX?d?~0_-H&mybmzwY0nX{ZqNg^Fgt{fl@VHJEQZF_y_%VLv1yq1?+df1qrjgY zHtD^E!sNP_Ka7xIcReiP@R$i95g{5mA?B(`IKG_wQmbLwd5nXFTwVhmH{N1i^0`k% z_}D(Lz2D`wH5K^!wQ^@gvKi$si$52ZRpYFN42&^#Q1bZ(?7sI!RTxtGKNpRNFXzAA z^#hX7sLBxWmg$y1ijtHNT8^kt-Ggk}VSx{X-fcUgAb;o`Y^URDr!dJ1r(J9d^@1WA z)wJrj&zR`e_kl?AfYMe_DI@&te0(n%C#zz6?BY5#f`AL+CQ-n{Sj>2PJjk>^M^Cr?c*UDzPp|STUIVJx!$dh_pq z2CE`~R(V1OjnB?!cuM!4_!Vu83tPxGBTW)4W3MUT@2lm(jrShJ_V+o-OiWw_qk?wmFkBX6 zMlvUb9v1Jd@Ygy%d*#_%%U*na3!I|Bc_Mq)g4kJLN#I4UQ5YiXUKGRdN%L*Z1oB0y+|Rx&TREhOGPix7*)05jbxf>FN@QC1LbASl(v+ zgPJ2Rm}*7X)IL*m=^@#j&Ekf53cbd-SrD|`|AJmu##o!`DAjf$1)X`xbn5vuD;Jh2&uUN!l|yzZDtB zFw@;;nqA(`zNQYW4{3d>zGtzio3n*cDlxVgc^;H!P_yEiJJ)iY!B9%6?%Q{2c3L?M(hV2s5}udBldb@y+%tOi>osj!ym0Wu%6d?)RcD6P%!=gJ7S1c!1GkH2(ITtH#uhh!+CeD^=bpm9E&0t>R%esuryRC@($Fo zm&)tx=aXos3ztM`Rj}V#TDQXOD@TSfLI>H=s21Ad@?U}Bjqq=g3Vj?GxOYmjd65iW z1Ir#Nm$epXqi0znEAzO>>?CSF#@-TxV^gAzVP8`m@9bca!#{#6e+^0gc_Mwp_Q8Dc zDVLt)^R^$9nd<)jQ-=qR3!|9m*a1Nk&9xgiu}lW1>7myU;9K^XoNzfqbb?Tyys8}q4CR|qu2;Ie5-6fqYrwz1jbA- zTvx$EK_!AsW0`X?g2{V7a0in|9ZD>J;h#%KSp1otyJY+PkJ9Iqd zgUs&79T3C{S#(#C6;4g%s?o*8ak=Var5P7E6-H*1r1K| zW*c|BKZ-|tuP#!IyP+QgQn>*;H|p1bhI*VY8(Pg2;8ldR9jC{%Ud=o#fz0yU^5na% zI5|!=RyGFTbUMo2HZ-R%GczyE)pV^rGVm$eY#oqwH5;tdWos23d)aI`30!||pto34 zjcV%j%Fvydb~lt-;xWRED;;T1ejhN2&=$N>1A-{Z-zVmajRQxA|k#A z>N(_)r7xI|3-H1%O0S`Mm^T{p(f{lY-ZAEx#uG<&EGKYNQacO9kDgsrl>POd=eFoQ z+Jr_lGak}{jLsP16K&5DIzSxIPWeFe>cpsdy145y+O58k(%oO}$Y7V93>25kB3$*N)^XXZXH;(fCLWl6%eTRNo!_$!=u=&&4TcqmtkXws0XvYFlB>w6|oTAzF-&lL6;M{_6 
zT{pIEW5%{^+nKR#JDIU<+qVDMwyhaEXRf2Y_Nuk_#i?^Osz%l5`l`Awx_f-j^A6K# zcbW^?Lr1}8ri%YU(d(R?J|L66*iID@WDwF6>cyX6REpeyv2s!N^$UWI zr|wHjmQ`#*UB71oZC7gmA&idsgnajBZc*4M1Ns-CMVkz3_{f3d50TJ(-!aoP5XVML zZVIbhdToomaAa`RGv?nG&y}+W8%Y}@`@Pt9=g5m^c0iij=%H;!R8X@GN!z2}b$&Vz zJ7x}d>(cMW8lx!0LqE{1rP^I0=nO1I#N`e?{Yz%2?#|_jK`%199kk2{kA3NSbn`qo zW5&F;e=&jM<;l^@1?BW=AIEl&k|m}^2ArNh9ks;r)C=|h0Nh(4vAK^pOB}M!Cz{4k z4J_dRO0$WxxADzzz};?CQk$y9A4Myiv;u=oeJ7nuG%&4bo?diB#W{4cIMn%>yob$uG7kFVWCSL@nDoz8sX|x zC2>?_x1Jn-R7}D2Ip>uaKCQF7jrqo+xBG~Lm$O4osc}HE30YB{GrP`~hKLyM9iw8;9XaCpxz*}kff2>P zo@!uj*yXJzF%1o3Gy8%GWoqA2ucDi z%WG^BV7CIML=N<89q+H+Zkj8y7a<#7)AxlcZVR}QJC|CK9a&ZNW@-S8x(jphyjWz; z00=>xkbVEq#c$=(C0+wXoI%-inRB|bZFQDu#I=R9*ka{mGJm+WW}s^|lJ?M%tYWH7 z<5&p|sd2j`iaD0RhvOof9Ga8W79M^_L+ zbg;KHV1>vo&jiGIvwSL5xaRWBM%Q(m(IR_YsE^wl=BqbSWF4~E6YuY28Nu5-;-#W>~2v1qQ z%VajIUamo>EE%kYx292qEz*PuVdBGNG=u%V&BS{E>9C*}AZoS}Fp9!3%h-?sZ+|D$ zqEFV0vsi6y$(5jNnHBn6?itKPU%0Y4AkdY|dEbJbNmfEXZf+2E?xlw~0pEAk?XIfg zzy+@Uox*mz>z|@`!1Ooqr+fbo&(b$~AE71B640haxLsPsQEC4y-k;gdLM@1HPeHB3 z^VP0b9VIORR^JmM?r4JR>e1cR7~T~+3yChp`Syq6*(BxjG{Q|mapf)qLw%m3S)8lt z^nrw)islyRA%nBa5&=er!K$RFfwyr6Oa}Q_g@k{$_$7=1R-^%12z^XkoxlpBp zb6FjkZcCvAtw_EX?JCeubvj#`8R&oAZsk$&uMEalL=>-UEx$t%ygQq41O@f@eZT5M znZQIF=Km#b?ZxlzjHzZPhB9LEd;}%k4Vt#wOeLo+qGYBrePc*K9T7NM#f6#tv7qRCun53s((zBio zb{KbIpBkP=986vGE+`!+46FQWi^rkOoDt4RAuM{%B8MZ3BB&UF3@P=66kO5>pBe|4 ziLKeW&64G_pUZj0q}T?);Alp3z`1IoH8vur^Ke3Z6P7t5|BXmGUgyt`*aZM06ZZM8YMtb;~J?26?23aLa z_h;LU7LGQrdPTzPk&zH}noy+3S|i03t$Qxl16XJrZ)bc=QkEIeCnL>*G|R-Gfk=V{ z$OP(mkfxMqMkUO!GK z0j(LUV=oXS9PUdzl(@>AE!^iLl4#s}@;g%5j>`1b2O8L8xne;2NB;G%@*QG_yIrvvv$nV9l51St$39WNo$o$i9Pfr45rj@52l_m!3cicwHz;L zf=hR^%wff91`;+x{wQegw#B%>s>@QfV3M^0`)Jn9Jn_#K0mc(!cPT%D7BJkgcW0?b z9Ko#V!H^BQapcV7E7tj~hrMt;NY^#e><{(98=k|?RhX4kqt_NN;~7h-zi1j4(m4O9 zDoEbO?H4p-2iVN()pY)2h!YMm{~bJ^3vafOum(Zy8zr@`qUXUM@=&~e3Q_0|8MvHm~JlF>$-f&esNKXg@IDEF%&OzfN7Z zBzs*`Q)Uty{(v4`a*Np*%=LP9kn~Yfk6ok3syTbbm-0PlhmCu@MXUZP zUC*&>_cX&M+McOEqo20Ns}D07u)h~Ro9aTWVes+upeAnklG0 
z`hD1iZHKT`++!XKIj9EKNSldRn;p5nn2g}9?62s0U`fauP_5owGpC!CALyi3) z{?GnD%teTKD_|fXe~^DF;r~jV{09hOYHv^fpCE|;hAr_`8nD7;Lh8Asf$$l#b7;{K zVJM}7Ck_;}L~!(`5|cez*K5(XOc-_jdcm*B;pS=vH4-o4xaAXvZ3&p(V|JNAmCR*i z8b&AuJ-Nehy7Gwo)2t13Paz+E^d4By$X31ayq%@iWtHY|iwMqoCE=pK z$>|rrt}vrK)*Ke-IdNIaMSUjPejM03Z+2}YQt)>yx#KSYnD6dPtVhO?w`0L4efWw~ z?C*O>#`oLU8jUHOmpz>BKpQN~X86qjvt#dTZE_=lbJ(VH8@127(g~j)?6&yYMGMFu zI@k7xPxPY~bzN(||4a7!fA+56{dZIM|AIpQ`}zC- z-@StW-&gbh#lNEAwxadP0R+?;_}^%*|6_d`82pc6{~rb8{|b!4b-Xim^?(He27CFp zj zrlBP|O7z#GSe{%NH=~AavSSavF^hmU^@5x#0U<)V^5HK|H1b?_j;DxWnTyKfu zS1c-8#pG1P+o`vk%Pr^GsGqgDe9FB;ue$y(?+~Kz;9nn{&%OTX97w~YLFAgulCN_d z=wu?vaU@DvVeHpMjymY7p;&~$o3e`d3$Lv0H3(KB+<6FXY(l-P)K-92UPrZcyz6M!yA1ex4WrJ*Y=V#jZU)2 z>jeS4wGmgUf(X5q5~n>yYnNBcRGp$ck^i#>NUh&d2!Na_ zRQF!_tx#@9%*$cDO4Ju=y>=%V7tR}}oc0PY2VhW55(bWI@0f>ozraI0#9=N8>x0p% zbayz9QJft%tQYO$_Fk^kZXu6Y|8Rm6UX$G49X!^PIwg~RBXK{0 z*OMi{Bwi&`@04iIi?k-ng5+4TFJw?!}@vBVP2ow1EsvrW- z?oY;f>TQ0Erf?61y)V;W6nSBGnY4vtv9pQN^z#}=J zFEq8WOUqe7d&m}kroOa0VA#DL-*ceaK^7g5#9qzNq)x<;bh}n&Y!3$(YGhB zih=GQ6LH)c%y57ennKON{oJe05yqUjmLT85vG&;LGZ2zQb)FYmYj)?0Xs6Hiyu7Kn zc%&e1g|801e0|<2lR+uRAuvS4#YNNa=m;R|5@K_)u=n;7=xJ*j_}D+*KtF2v*?ahT zu+?*8Jv>b6+T6_uJCLBo%E3W`x`%0S7`c=Fe!Z6%q70u0!3e)~_^j{7^0ROytxMXh zul48}tUydzlQ689_XoNU7<)pH+8~v(ok;455H1$U~VQfE&S)YxeYkydQD@TTUiSwWxE;kjWvJ~-*HELY$S-IwvVl?sTF@s z=a_Pm0qTJ$%PI@jO_zY3!u9K5g6?Dvz9t-MD{{XeB4DZuB!HTE$!{A?#2EUeR9Zgf z!(cXHMan>a!>`$30tN$9XfW1k`p+ceRH9(2SJa-u(pEZig_EhW*w?8@gyUM~Y-WBT z>x4iRPjf!qVkl-Y+v0A%2Dpu|1#k#yjV3g%El>(Dl`ctYWn(=QrCMCd+Vl3l9vR(V z)Q+d<`~1ELlET>`bGNCjt}(z%e;fS;KPA(erL`&7aDGxdlEBZP^)A+AzDSb+5Iw}& zjZ2nMGX;W|?1(iwj!gKd_9X=*E{9(hoE(&PNKWBH)j)J0VTzlD4W9NFDL${~er9}p z@8P7a7RvY-r|8h`tgp8)a^@~;0@)}&0b`krWtE$EKN!9l_ghPTV$go)hMsJP@M z<482dkQTau*}K;o^}&yP%~TytJ_^#rf22_jgs_3AebX{3;fg_-E+9z;qMVU)3qn;g zjP<4Jg>e^1S%5nT1yPG2!w_Q7i<;t76+~6Myg|Flw*8PX(v(c9Q+-&Hi1j|ywf#;G z;s1@~0$r3J_pL9n)HQl%!-33_n$uXic0v5ALWXQjf0&}KitS5=V+1cvT5qV$U)0~i zRxexOBkm*4ucmf6`!USz8|9G~t@RAp-!xib_N)MhPiLQ|9=8%8)xwXKZS)d?FRGxC 
zAcYpfw*_^%3~c16AC+Ezpcd+pOfXCalUo{4hBh9NmPMzrEYFA=!%99uh6^gah{mNE z<#QiHzy$~0_-$k0Ff1)K(eT`;g+sHd@>cvSPh7J>%5tQkw$ZWb9a@b!ieu@@ywOP@ zJO;v><%{r2POXW9?v~#MOeiKNSDR5>$a^m~`4RV4B8SBP3+_lI#;QWdm)xSLG%};o z4XQ^8YJ(L}H0;f9H<&vX6N5gicf;wr@`W!9Xz@l);jz=*LLA)kB&i*JUclGrBF2hq ze|Yal(Ol1%v$8Q}_e0q=q`# z`ukjHk1rSp*sA)DF&v)tIzr|>>BiaF-815yAbDUFHRWA!F=<^D#=B4d1*RJsk5l;O z>zr3sggf7zs$-xF6_Q5c`F`<4<3o5r@{_o_b-c3PGDjWfN3*AdGFvnu*$b|W##Ps@ zT()|#`qjmDSAQK1ejY{yQO>n%zE1l(;jQsFRZdgA@;)*12GruOfNJDXi6=gyOYyoA|DrYgP|4QA?@6fBq`@h!symNCu6V)p0t?G|DuRu6acY6hq@wb}!hz(4zT2aHWfSP3GC;J|xKJ?qe8w+s z4B$Lok?h=7#Nmk#53E$tvv1odXqiSnq-xUY5R=L_=Zb71v!WOX-rraOi20mCoL z`6(i`r%%rt5l`%4)1>y+;^JM#n?`$K^C)(RymdPfueW-LlG~?C{j|tkz?b82TUK%f zR_mWV^-4wswz_$rxnt2pex6Gv&4MchIx4kk6AkHgQfotHC;8=kBWd{7&UQNug24=u zK{_X`F(++!Mg}~rQ9iN$`(%;`Ruq+oUJHp#@B&DvXy zxwn&pY1u(67Yi(9#h3ZTfgb$FkL6*c#s9C(tTd_0dID92IrkB(jHQ-8{?e%v%nF7C@Jyea4l`Q33vCBn&;iB2_&0y3~ z#Q9+l{?7H$vlUy2ydiHqN0k0?s=+UuK+th=9dMuVB)dlIQjnQp(K^LeGNmckNml_c z6ot@EUo3BtfRKb3c@!(`m1agtClo(6Ef`Tv=8OD3fIO0%oFpJbF24gN2$^Y{3R%CD zX(Zlk;+RnCf{#I9kF{ZoDG$dgB-~b zH8SM`ZIU>rOTmiPW$6^K43cqXvGJQXGqL}8elO;lXx$Sa5WWpKp&#oVTT;lRP|`bK zJW^L`E~%nP7Qz6wh!m&mx~Y*Dui8Q@i&K_)SJfe!t7Dh<9#&@ejbq)@3M+Tc^i4uU zDmVcWTRRZJbf<=MHjDQ(0Ro+V2Q=R8X43&gA zYEdM9tVoHfkU26u9?=r&W8GTiS*1L9tr9r73MtjXh0EBRF@y;?JK^R4e0LK%fav5J z2C4RpZJUpR$_mDj-_+PgI&Avc9}1b3rSMMt>GcmW@1NRj(hWWax#uz$uak!FKYkC% z7Tm-c@+NYWtzKby^vy z{;I?{ew*5=5MWFFQf;#P^!L-ui{aQ3)Uf+uj)G9ty!EQKSeUR7CNl=y0Zm>|GQ_|N z?E;}W(dzGpZBHhmb)HY zU`C}imFXYL-H82cJKJUWW)AKMRDlLb%N$yT-93n!L0`+x{P`3W-=Y~Jm8J(F0)OUs}tl3|)&mj`6bjDbI=r(bk9ImE}4G>9SG-7x~HT?4na0z#c3h{|IY_ zJ1l7j-}!P;sUy9Mi>d>n4KDFA+k`)lEpK-xeyYxIk*3#Ag>@G#hQj~{M=5|$<_1g7 zXmPDo$tp87nnmj{+Co%-i(uvU@Vh?tjt;5dLzTlY{s5R=PH$d)7S1}R`m4p?j=U=J2kqF zvIiUeG^f9x;kA|G~&#RYN;Un9@{E{T;dgbvwRTU_Q|L)tkVQj6$KoY&VasD1T^ zt4HKuZkdN6x}+(OvZ;Og-SF>R5^f*@iFrs>(#vf4H*|>4$ii!lU*c8ZZ1%OZLK>J0 z&%7}AmaJ9p*toM$R${mceCa&>Gn2V;>oe9?FjX7e*WDO15?Zwzr_12H)IJ|`ES(gJ 
zKXo($lB8(rGs@6fA4jrE8kUn$$d64&JP?r=YUV()1hRT~%2xSe93`>a1V#mAZAUE#=jq;4lqo>?i` zUQDu-I-r2JpyIWX@Pf4fdu_3c40vVa0FM=>*u7WC{bG#)o-2}D!Hd`+=X8(H{UpS; z4Sg5=etV~rR@Sr(%xQx8Gp?lx%;u1JWg?r-hV1Dl#`G3^IenoPJRaJb0(-#vb1|E< z=>y$3SE_4l$r2UY+Q+|*PEFiTcq&bdE$R5ocCkm&0Tls?X-oM~A?@b9@6?*{c-d$x z*<~Xi<-be+^ReXZucU4bIpu9K^17TDG0dv2O8xD+9q%W;cfwaL+nGavc*$mm0{AS# zd=sf7wWIXB04d5&Gb?FlTQ9+WY2Vw`j`=y$4a-22&f}GQ_QbL_s+CjZk##c!#o;}< zPGV98%V4QpZ?BHawItr`-Z6)*qq&W1$KZJb<@Ue_!jSn};v-!;BIP@?8O=+pp`A3| zv`&Ef&U1J!c7xGfbR{o~)$<{-61L=V!xAnwp6nM#X&FZ=d$oP#Z;ARFB`Z?YU%U zhzrbm_fGAZd(im+Lp<$KFyv-Z^TRHpni2}!HbbTC)g@01=0|zog?13G4ero+=C~b6{jSwZQdP*1Gj30R^zKF95H!fzY zogIG$2bse;OINyfd&|}V#C(}0K~Y^KGjUnkcHFAuL&T$(i3w=jiXCrr@0XocIPjR3 zCZ{<>yu`LR`wKrgrd)6LYNtZ>e%72K_fZZ27m3kX6oxBWsdYna!}q`5j_ zs=qm%rmKgj1njMa76L=~+lolgVf`8BR2Jgta{T-Kv5aaqZ8pX{S5Y(Cw>X9Z#F0YE z@6ikCg$HLMF-`gfYz1TKmRBlFxse5)1)fD7!X1>YO-{D5nYHcl6YnQaX;RZel8V$N z4=WP3zYa}%2-J<`9L0~aARqna4rl`Sr{FK(^S*&?dShC6Td$wqzv=~tvU^Q#4|KL# zmui=u(6WpOZ&2}a{uKQwa){vRS;*(*`aa^^<)-Bn7X?7s6O6CtK+{D-=|^$Fomx`K zW{+vwZvEjkZQG-P^Cyj>q&)st@63t(jT{8H4s0Y6R~O~F(`;TDZ93R?wO02~*Jihbw6a@C(pE z3_Qin^5Mi6QG@=0Nmawk6RY^{bEs1zF&M%T?MMaoYXN(xBu&@g8|b`fEG@Y6kh=I6 zJy8jSP>3fK5X@nD;4gu?6#p(SmrWfAt_DU?uFNaqrOS63&}}hTM|JmsuP9B*u?3iX zb&vSv^B2eHbz#U~cpsfybp$2f=Q?!5C3K_HKr8FJ#d>kln&nqa_Hn7~g@Potbx=b- ztZ_k5(@?M}W~N}KqP=D=L`fwC#rP7TD)KV}c*y1t;wLEtFSF@v!jv;E#8`@i`WB8vloCYXJhn|yux3()&w`o+f0lcG^EO5RW}I#k%hH#>@LW0S}yVlP;tR*p<6PhQ#Aa9 zsN#fmOGBlEtE{}gOU|ZGzDGFhLcEO6cV!m*8APi}QL|N%Aj4U}oP;Q8)CY8K(ZgB4~UU7{vn5%c`b-eI$mDxcSuGzFDk4=M!_MU`AUG< zm`^&F9%e9R_EdI7R0lVLupTYDJi%aF-L$CCgz=s(v%KgXeK)3by?+dwWoi7m3EP#& zqjLIjJ^0vqgrg*JAia^DSI`&Dr+8{OYva3-928Sh<@kyr%bGWte{m&PX3ZBCHwYgU zt7)zN04%ztfH41Si;LFY9g(%nm1MLzo?mU!rR*6qMV5t?NP>k%J!lpEimlN9O&^Q(DoknczQfBM3`KiOppe6~I=erXEq~?pQttS%} zccOyX_6upH<`HwenGm~Wo70V(TrJL|{JeGI%R=|@tTMPTb`&7QC6$=z-4A!Zr(13Q zr`N5vG7VmZtG-Hqr$9oUpY4yJpTe`gSK+eOB}#GTRBpS^n-A=$C?5Bhp20;H!@Q3q zJ{f!H6^i+dNA$5`gH{0>e=D)(w36$rebd{+6MNi{n(*P8@bBpkryGOqJ|}@~uf$@0 
zu93J{U-wM^+pixiA_hS#g3JySg|aI|*`O*lmlhD%T6=jmfwLnQhCc-|rfY3h ztrW3lnLNt5$&}lX{*$b4n+@HdqRt;Xm}s`^FFJ7dWOK^w7M{v!jSnk8b%?6M>oTox zmeX13$Y^UI2TG1&8Q?X{iNhPl?K@{IJi{l@r^dWU1%P5!Mf-<8qg)`77b9V z>QE1kKyKaQY4)H>gD4o63Rn4i@q5h$p(*7%BjqD)H}Q{v$QDHkpz~H3>St|-Mup&b5p6+YkFQF9Bo%FbNlgP%ke?CfuH8QOrE-{ zTdMV>^T4cC1>q((OXU42wlN;t`ZxZ4r^vgj^;5SeK9ec_&V}o*+k?r`36!>w?z;4j z_sEQ<5G&Z4(juPyigv>0`b;ZWnnwJcP19Ss(3dBqHcT^JexB4AGl>Rvt3#ZXx?fcl z+O2N2@m-8fXCmda8m{Uv$JLJ3=lXT;?X0R@iyzqt??O{h3$t;GC^#^Md}LlmM_dz& z&ePO_=F_La3EMWm2*A;mF)El4%OBAZ44 z!!0QIS1W8>r@h%o|-;t2)_5ZYGS%g;Rg8p>sevolBVc zeZah=^qLtzWR159URe%AHwC-99Yyex`8QCo9#^x=TIjfXCAwDN?5s~@=?H}$sXjO) z$IXQmu?AMor-Fi2wkp(LW7>XrZho83gdMFvav_1td?mScJpZNd{aBMWG|j%{CVy3c zp5dQge=$K6U>)TFcsyv%C{MD@#`WaCCzy@uLsrr(zVkI*QZ-q>wfEzpWdsLxFwIZS zZ}plW{tD2Y{gkV2CpLC=C=eqpBWcqcKY8=WZ5*`b$V{Lwxq2y`uU`UU#{QK}*+CG! zhNBecug+J+&|MoG&%`YDSii>{hl!uu#}|v`UuH#3Lx;&e<_OGCl76(uu@- zBWCL1qZB?-A1tbRrgf%#6c{UL^gF^!T0is_>V~xN1InH!k!95>kgTWu?Pgu{mKxi> zN{-sF)rI_e{0{>!S*JE+kl}>uPmtm&{Yp!n>m|mm9pL$0!&i197w2t(=9OE_z}!pn z&i2$xhA)L%a{`_&80~#WA1og-3H9i*>fyY=^nLy;jgartf{UyfpUfV5|KkbqLIw3D zt9>VXF-3J-1bJa6#bkVy<0I9bKF+`E^l~T;L4cpahD&(Ih->w06f(v#d~b8`iNA@f zV@GT|k$yfnXN%7tSE8him0AMKJ?`vg-?qLM#@MjY#ngr#%g^pJmq+3JZv*3+iF)xW z&WN?;&X~x0z7Wqvt3#zZ=M-a>Nm!*h)ihm(a^hciFPQhDPJ1syX*sB!*hl$+F1Go! zBm=Irss5U9L2t`zWW1h2Q1o<=&P7G^ZO=TC@1~}58h!X#{ak2dcm*TpWyQRQ5uy+u zv+T;C_hufyS37y**(x8LbbBcMa;lm`2|`JRXLd{NdsV8l5=u*Wuf*yf^5t09-uaRe zS5BWV2*xpo@qbzh{np{Wbn6*Y~RRzLAQK-Lq~Wl9_HE%wd0&&h5g*Vflz8?J6c;S&U@*I|}( z7gNM6f#{m=O|cnO$m0wi0iThBuP!#VEp+P2&4cN~aB#7Y@Q=Y0Y+TN2%JxRiZ1Wjf zy%9%i0~cIqn7uOw zAP)kkrq*LqCkoOCQPZ0sBvDJv>_kQKF_=k(@`?rU2lh@?g_0&##06V~HO?h%Fk<>r zm0|0}F3{GWYMUfX>{-5`Yfa3ZRmMG2lfA>xVth%vK`!VD?GBy-X)C(*?*-51+1ccGfIs0);~m~GK@*N~rX zlD&7L-15WPND=-3SbiK%F25zdg!kx}?$mQHnzKs{;vE`NRh%(dW=46{tOdl((`O!Q z!_{jUPJfHert+55TI=7Sx)V}1EQiS{2HPj=KXH)9@iXx<-A&c+5h8z)cKeeZno3sC zS0vv$it_S4x&Y$4&mvUOd=os)B<~QTzJKos$VNiUM`2~|*$OA0IVt}8XNg! 
zn|jq1hqOBS+{|#Tv-8j%jQBice*Euh=Jg}VcQzAbZf6wOE5%Z(LgTsa>QrYIMz(M4 z@j+I=3uV<-`c1j_G4OcO=b`IPYn|2?w${C)ccd4yh;`=TmOsBDwf2#!p-SV5n+EKC zM9@EX!wx$n*YMZ0SFgD7?F^%B#n@2!*p(3AGHsSuuAI)T4%}M*eCGtRMe0??dI1M( zt7h}J61z*0iWi5x9tT``5AM8Rz9oC)%=B6EPWp}aQs2U;dk&dGRbt&M*CV<@rN+DZ zyT?z!9zI%6aJM_-;eD_hIX6#nA|@f^Nbr|J+w)`;0!Ac(CRhK*2l#Ek8U9`mXt4#Z zRRQ2Ex(b+%;XIk4roHb%zpwc^MU=M;N_ zfY}MUa~%ixy@heD9_z6^ENSMxRvmfv3cu|o&x!nVM0L*9@9r^($(Ch*dI$=WK#Rg8 z%c?~8!rT&M7G1vNf9IczO3F++8a)M*i89~o;`O2T}!XFbfoD9e;oz8Ah;h7vrd_f2TmL%(9}|_XxZxKRO+Fh6H6< zeV_sKS?lsqS-V@#CcSa!@CVad28L^&i_M@lhopnXFyEeUjTa-9ExqK>-Jp2zj(wCWc`ilvoYd1=? zkLrJY|6iGsyCBz}JSuC0{W>2_oqAMu@OZXBNr60VbmLzpzPp)KHyQJ{(WR&~BG{|y z^DS(az+}iOr4b=%d?BdPFC>sWF7#po2L+++`z2d zKsD=877{OUGSYgfrleMVYe1XV%_#7$bS%|kI6aUwC>V0UmnL7I7lG#}%MD+lH=@(6 zR+9!F*T=9;C!aBj5w<8^N>Es z)V1}ne%&^vXL?oQ_0uuFW~4uE4_Pz=a^)7iiu2UYRZ2Ql)WMek#XQtv{-%^1syijYaK(O~^b;!hJES%!U%66Pi(>)xBl^I2ztlK~-A8k`_+PZwo zKCWjd))(6;2;0hagiBT^Wp4MPHo8#|eaDCxpstiY{-!9MUf)d5?tKNoXV4FI2Pz#J z9Eo&$(F~eC7iziM4tiDhvd6P87TdXsm|;)$qi~kw28A4i3|tEUv%hz>L!JJmyca~* zx>JmB!A7h%pjL6tW!81XFUSlE_pl!vNN0JpkNJvCQ1ge56hTV;gWzj~%M%QsVf7~KeqDHaN?*8H>Gx)93?8eqwi&i(wDCVikd zLV9^w)8yfSsl^*Cky#34M;R)bW3?p{fM+o?rtLKs++oLWo`(p4g{L_OK8uL5(N__- zOPv<*vN&+2z>23!NGu#HH&|f>-jSOG=iVuCx4=ds)Xiuiy|nB;KJPd`9}m7DDJl+9zx z7iCDyiNpbo{66OmsfEqR4AD#yME}EvNn1-OFJJ44vsh4NI(}|bbBpuxxaweV@JPl` z+_U;jddi4UW#-kr;|9thnl#4jnMJ4Fc7IfMcT$fiynU3MRch$kLtpZzzb3D$aZ=oU%dOAi)V#9{)4$QZH*a-juE*5y6p6FbPToE4q!f3?DtUo=Lk$rf zqKny7j!pYZs||CM)}=x{`_V7A+iGqdXC~_oOI_yd%OUMM$mi^<8H)4wqN7T> zz)bk`Z<|sh?;Jim=-*NJgf(E{n<3Y3AT`w>5wK`ABjJ=t4A zTA}o-LEdV7GzN`WqtrJpXA}NTB-rp&PA!S@Z7XO9U~5J!*(FQ;ZUKg>(RCf1!p?=Q zx2A`3Ps++1dA>}q$M>x&16e1HtM!#!jZVc&sQanXY0C%r8&^m(p2XPhnlk#qpi^5& zNHL4$pf)G+y&B!-qLe>Xz5VPIC#D&44$)d5`jv}3nElermv2U5mv7OSF{`Q-m1MeO zs_&*o-T{E;fDGE>?JIukF?AopzuZ{DQ(P1$qt{6{7G>=tnlAg#rw9l8$=4<{S#C@X zR%surmyY^$(KC76D^c8r6_J#8t(Is;J(~KNVdzJpO#5Q;wz%lak#*(j*_d*X;Rgjl z;h=r?;99&jz^F0bNS87>i6AR!WozBJ=%2`Oe?@0iR~_@5;tuxP$7puoo;=Srv%2+w 
z9h%qfqui{Wmg*}YG*IAcLE^XKFSQo&&;RD6re_J>T1j7Fp&s9#;{dg`?@19CF@#0; zMw>jEQhD7t%sW>xWZtn@9c;tYxzymKu8w-6zlpH5{W`D-;hlh-z z{N;}(gnmR+#uOv#L=!*;hh@S+(Z0`LUXo%W^kl`8QyqVO0I5z!L@fiqHgFD;O!iW% z6xm+{OKpiOyoQoV5Y<$SM@3;bic-#tXi*^Yi$cb2Z6YT22}u7_=?t`@5DF65hlx`A zIq{i+1k&#S`zDKA&m27W1ihJ4t}H=e$R`|>hRO^}IV(0}C@u$V{ne}pBu0pg zqSiX-O%F84(eJ%F>NgU=V8%-jCnld86)w|_>oUJ-7jdW?9eVf|HryEbqF`JtCpH@~ zoC4bB!{<}zpAAMP5eNAfk+?rZDH|3qxPUkk+=9@Rjv!Q62neB&An`X?$etjIGk$Lf z)@P<@Tg#FzWh(c0-@}sdBifAq4pP||3On{T6l2Vo75Cgs;yBLMxloP$%DGYoCU;L? z{C0KXfDzxA88GqU+1ZR&77!cpNS$X^-MjK9fYAReL2AJJz6 z5h%Uvk|@BllZfE5e+jAqSaew!kCEb%Oa^ng?Wxz{t|Pc=FBRP4zZ10abdf3}yPvOgqf-hhXI{23$|-8OXhlwgMuaKjkTw3~hModME|e}V zijG8LV6?Ala~#RXzmZjFK`Eo2?6^i@DBWU&qnYOU!>;~)+aTYxUYc5EuJIfxx0w`f zqPb*=9oJHzVRIJ+--QIt@ruhEjrD?xwqzL;#4V?&Smv1U6?KrWt{qr1H%%=K(bL}g z^45Q`lLm@?8*-K-Nf6ID!vrwX;m*C)k&2)rr81v*`x{QLiT>x!>RsP&@+OAr)!!QO zv#8dag-v2OleGK*YHDFRp>vqa`KzvuoNY)a0JSK%;zkZ1Wt)%Yd%5;9X^by;D8~0O zy*ZH&OZ=dI=;Gi~!9d!;Yowj~>)}3aQseKBcW-M|Tn*mjt6OAmP6XJv36MlCFrFub z!x3-;Bf5USCwS2tZi?N>`AW{{YFL}XGgIA5%oPjn?wO118@xSSgTu}3nvVUuoG%Bz ze-fnpRoq>{hICoQH!zqV7%9XZJ`<2Nv7616y&%6)GiV^ z<9=<=r+a=~z~skjCbv4>E4nPOdbsut2+*n=lrJr>tp6tvQp?0Eu}w&W$eIfdL?Nxs zKDjXj3wC^_(cCenR(t6BS534VJBvvG0o$-X+uS!=*5||(nuxg9b{N(tk>XX|oAL$w zk?!550E^1Nc}K?lBdf?hYO4 z9ti}vWs9lajx~=X&$3lf8rYF`ucTAqNVsIYe@TJMDKk|BMov(>Wa$$<4hbzC6tj|y zw&#}nH!i}x;b@~rpx0Xpeg2UzKeZ>}Mu-5=EsNwXU_Bu^Y9_XNJ4T=zCP1kMYvP@I zT&&eSYcOO*211iO(w0iirm!^c)7`apBB>}o#&_gGcQxw&pzIujM2F%m-*&&Y_1d;= z+qP}nwr$(CZQI?iZFg_aZ0(2L+Nr7ea+69@xs_CIlKZdoJEu)U-8Y&4B4&y7tgTtX!D_l;uB~ z6zZ}%knsjrpi`+8x47dwI-GdQ#2dg&5-=0ytJD6t82{y{&>DUP#`b$PH(XSaArsV- z(?NZO5%$rerJTZ#`w41KD^#;-BtA1BeknUgNHB81WI{525RA~v8`4Ro@RwMr&_u|J z7mRmHBG4cs39;>oc%fyzAHX}343^*Bhhzeo~*^)@K+J(JbS7CrsPvTe!EbvW<=iuKgoWaS&xF2 z5t#*hIwg8avKPd1H1y11@IYZY-YMWPa(4#0F+f>810HP42fq7(G>JY8y^CULd|tJy zz^g*}iP2D{G*f3h$?~de$W_K>_{w3YW`*I3%f13wd3SV8Y?Gri13J5EU3=PKpS-`Xcrhkc|eDW}YN)Z#9vp9@GW%dA}QipkK zY-Gv)Q-4~e4bA`UFAd6Od%ss50l2WY4^uh-S+qlgyVIv58KKxg8*$)>fiu8*8wlnq 
zK?YDrYtZPe9vv2jP_r3ff(?ZLmZJ*c!sEcVTPSS?3zoEqR$aw+{jC6==Z~)x=Uj-n zVXx&V_RwP`4=`HD8GirKr=V$YO8x ztU`l2EDUw#z(E$S2%N#W+d#Ya2$Vm&=42(XjK44^y3b~U_scCJ4_uOGujP!wnlg+< zktfdijMAEPti$Ps@SkEuwa32)--42tzDkBPD$Sy9D#J>xlg1W`s>V;EbB8DM3|-Pu z*k&TVI)2j%;_<}`yEVDCPS{uR@r}tH${l0e?{MxXy#Jeo1w;HU2LJ{D$O8cYp!@Ft z#{ZyV{|A(zvEsBPl01BFYvxUCNiM-xL71?IS!>CwynMY9WkAcE5*($|`ejd1rj5(u z_9{zq82ckUzL>2JSD2Wx$K4t)p#YpdKRlPaq`55j+fGSl(c_ij2`i_qsSl&=vnCfV zU`GfG<|_{PEgDD4k5+D#!X1K=T>Kw*B7z}0QF>Ab=G-dLb*-h>P@zF zWlb@;t~C8;)SZtKahB~9fkC!-Q}(zN{HV!uXiYGfNo}=fz!d%<*0!8L#D1uxZlqM^ zA<{;I{W5)0r*#5Zc|;g)nh9m8s!p4C<0>mIKo^@*n^ZSzYisG`$W+#nBx-93)cA(~ zC|a!eC7{MJjJw&Y(GtfwTdz?gT|_7-uox{Dt&CZNQ1bIoNFbwwe*@GOOdr6~QJko$ zkzK|z%;ktTN2K}bm8&4ktsvK!N})Jal1O|OSLYkb9dm$}^mk3P{XLp0-}3;;xI%s4 zbU&J2y-Qd=&rEqyroG*Y%PAk0(R>lRms^|XZo@el=}CnK$K9#KWrPy$OFGIKu@j4; zrPX;~hLp16S)K1CR#@wY!Ir|!LPS)Kte}uWOE=E*8Ch#5TfP?NTFhjPw#DaEp-Yle z#U&=uoHi^DeDs3NL0aqZ^qd)|t~a4P2xcfeuT)OBpL)LUA3T1;FDq(R1jC_pVXyB* zw-0l#3b9`P;Qc^N;{>0?xYtnHK`AAnVd9@*knvi+dVR-(X`xPcQEeUw&4sgc@(Q~^ ztr@6pQziVu%@<98+S5QMXXz*|L&Xzd%a}$5%7f}>K8?X})$$e%^)2hVD|-k6(KLL7 z%;?u!&gd1|TfPOVlmhH)5JT|B9_p9cy#H``P0pIG(1VBcjK92lGH6BD4;kM7ALjg_ z6{Kj;763qy4iJFpzZ+@)Cy4LA8g2g{AiYcDe>1)NAJXA);!BfBPesI%EuV3^@zmo9 z1!^fslJ$wDD2 z!jiOfhQl7fchrf150NuXa?0z>JljI6HrtpD!#@-LA1P&wD#FV9JR5%kW@xh;%tLJa zp1Xu+m?ekxsMm`TYNR6;fR%^m*{#v!``IyD?n@ZpevE}Dt#NsYIq|XfERLlrF1KhYNr+)}=vE?|bFfEUIyN_wXBE8uJ7Csv>?e+)|jFI4qT>0Q9;8YAez>0JKQJxuX| zx&Rsi`)SMRq0ze_)JaCr)9PO`=&2$*v`5va0$>?=P}WhRcS5Z(gFYjUgaBZv=mnx< z0bX_hbw2bSEt{(0t@UfRm ztQQKnD<Ohn)L{pxbD4*-7%mpi-lN>oAERqrlPgW(w z%juS(H=FCrBwrT<*k~kQX9d{kBwu$0TstdwNJ4ddR5+zl=4|i@qi1O75iAi1+6qG^ z$9~3K3~gR1MTJujNvitHlW}W`k)0N!hr9)2WQ++WEHl!R4A80Wy?@|5X5Qe}BrrXt z1*wnSQ{AiI@P|lp=cz>$x>-n)(GJug&V09eV4+;K2T8@6KrPG4HN}rW+x$PjXR7DX8`NXco`AZ53uXNAJZO z^mZ&5<_nB%kWU1Zau6SSHi0-gMJ)`x;g#GcMa1Kq4M}PiGL0pP102mM2H-e9$3!MQtGtaNNl0}OG*=^&@UV__8-9f54&;>5&YHnoUO=nTEkoO84U@> 
zMg0tCV1AAM?|o;Vh}Xvi^Ugid4L(i~<@cg4pr2o!av^DHawBM7Uf{Ai>$;|+!$fIHpX1$++UDm`fU#GK>6~y{LoYTO*1V=?E3=|IG((zZBeYc7u0J%D0tOb}gT*ZpWb6S9i6AyBQ9_Li_AN4sQ=nO%$tS?a z%Eq*)xuvN8-)ZmmmYt`&=<%p(<6ZT}>%PyMv(hma%4;zJ4HY-B-KB3>^9I@V^=A_MebDj?I(g%_prfhT>kgDlAzGDACv zCbf^L5AQqK6zE|OsSaPK&>o53unl}<8<+-mX;a#mLLe|bYV#ftft7jl=a$eQOuJ_L zkKLZf&}|580$ybwFGxX4y^I4I=S)n+l0 zb6bDMB9t=-6f=@kaNF>;>8s8aIyi?!iNw2Xi^9zfLbD9w_rV_nw)3+8wsafuyL-QW zD|p2(rly4GNz%*<#t;?A(|Yl~y;!Vx zqNJ;)@(ds4e0V~c2HHJmGcRuK7l}U7jF_Q@i39Qs#1lSV-7vp7)l&$v@lt` zlr)h~BSm|K!dx%khcHYdV#W&*;xdJJ`N(y;P}qhA_VXIKh@o1y_~V=5^V9(cKo!*S z+>f{ceI)LfkHo#_Z&Y}wD+ zesX;<_f+(sBNzyI()_p%i3R&Hv8&`hyq@UjTxg-GnlJYQ?38-Owup1DLz4^af@evW z5Vb2`io#c^g=Y}WtEDkx@}NUE8v>1@Nt1d9&^SqsrlZ4@X~~hKJY&x&>dL`~U7-mh zQ8QOd(n;vWi15aFjBWxmwO(!&j6J%aMY>OdO-H$pnDrG;T5+2gbFqM+TW;X@2V6YL zVi72k!b|j(u1N=EEt%Q_bRu6g+`CbX7rg|eB9B}G259ELMJ3nX2VN~64h3?7aMvS?rz5Li<#cD-$0rqs|>CC*_ zo_ep7dxbfgB_qWOhLWMA5MDZXMtnbi6$3mk{RnZWb(8Y7Qa~2zi^u(`*OL9^XoPz}bB~=912w++^-#2CXjX zLDLfUzVT6%SJhSXw}OlnU6^V zzcr50q#~7UQw;_w$BC@luhWzDsl?G1t`PWq#@19#JnfXhV#4EP==dDyiMNw@!sT-G zcoeNW<;vyZ76Xi_Z@`q@0W4H=2m0%xYv;Fie*U0S_AlK%Bv}(E5=Q>|hW+5`od}R=e*eqRLczHl`(rFk}HJzKeD&4&^XkvIX!vn9{yC89~R{h|Yi&C!>q>D^4!`Gbn!;g;eVeo~Fy7BTP@b^VfJrXKIE$oGH zQtnK^pD~byvTclONefVN2L{@WOmFv0{VQ>0G*2{i%@VyF-ouE{;~V)5tI z6Pv=S0`^Ttomsn~FMM5(8WmY6Ad&MEnVr_Ml2QC#?Hq(>&>0m~&~)?s{r7NH^IPJ| z<(;E!^=TY0E=g{?MPtp1(`Iv&CD{e0#AXOGWa-FOSmx8bsm!j)2O2dn#%XZX1JLu| zf}hvHo@OWoU&m=i*@u&bXQ_?F+`C6p?yrl&i^4j9Zsv=^kC+u_vI~t?ot>Ob&^+-{^BEqnup*QWHTdrxBFZ0wj-^jf#1S%lS9t2Zzt`5yUhtoEWX|w3Uz2jD z*eg(sdG^cPfCkTJIRI$vAqMe>I5I>9Qe-s;z(yF{5$P-UTK_WP%MHp02kylan!rlw zIGWV#Oum>2h6DwTxwIKnQNzm#)JOU(LMdz`hFh6| zqOasSt}d_5$G|E=_|nRzwc9ATg<05zP?2_kA9aod=Q=e`K3vM*U=NJ<lH3!S zAUHo z0!C00QtYz=q6|<3k|=h0rA~$d#9E0VZx`at1Sj5y$a3wcOPU6gq^Y%llhY{dsKL3q zAn{CqeqCS2%d3I z{TVMvon}kknm^$A#lpqOgw-E6*yIR>CNI=Jgvg79;ra`5iT1XEQBf4xU`^)XFoS|r zGxf~%C#S=8NDmrRAQay)ZOGH5>bj21=Mqn*`}NqMtiS`=!cLnLTStPsDVjVUIC8>8 z)Q!OWEAZM>6I$?X2UXHyPLdnmew8scI>5+P{$&X;TU-;aY90 
zRgfWc8b2s~Z=NS~CU>@@e3>rrg2gYh+t%y29a*hKde1Os+C&?!5tOc7PyTT(3MPD$AX{CHa7XRXcka z5uUU+PqrUC1%EuuZ{$Z{#Xy=Apm z7T=0Z_sUKGsvd6_xROF^40!Hi1w8&q+&w^DCA_YQZmFtt+-%ycU(IpZ_Pa3!9-z0T z^ogXfGtDNAa~h2_2qfS1bm;z)Jy_qFw{0@|K!+Uc9G$X%{RgvbF(q!Ze5-JfVKW%dW8#254pAyblp&D zy(#;0{#3n-DrCPflWEPGVUxLu;da)dfLAsVttmHrkZ#f*G>v^iYsxT*V_<5}&wMrN zEh*2V)eb_O-U-QsWvqi});NmnTaNnBSn-ApZ=hD)?XZXb^8fDZYtj99l_=R)YS~|k zJgd_q@RDBdxTd|J;jQk>s=T*uvBKTu`p);xoLO$R(j`BG+)cKHsGhx}wpbyBf(>fC z-Xo=ILYQfBI7b)fwCO{8437PMsd|p#8m69*jwcgmQnS^<7apcGMIiBZ6>pV}PrQ&> zs@T6MFf3$|7#HD-epQP^eQ#T~BuQi5O}f*1ya*uPd90g6M!P1@BCq>bzY1}OMv0H? zCK>0kXt?TK>&dR0cc*cR-S0c-_#J!!wh!XP|DCd`8p9b&Vm9_w$ggI;_=r`$2dK2b z)yv7yN7#=M3FAFeO%r(h{g3u(3wi)RHAV;QBYslO4ljAHx|ZM0IjD8TBbHy#OUm z9qe3~He>B*Z)4WxB8MkAx|AAQ&#yi&k!`}`T)gHvI{W8{yE}5G3NQJ`$?s!^qbv1F z$aDP}6M~etT=FsmoF>a#ew6ewJze=lW~$&C^g^h2fYU9|yJhJUx&g>YeZf0vB|05$ z_g8e{#@V5nI{Or|dW4Pt4_;40Mc&|e>6 z)e8rl#`A3!tiO)!k+Eb@XW;v%k|$YX%FKoL!TF%W?C&Ag_`67q4pKXZZruw0w0ymg z7c;jvD<{r`46V@yDnre1l_kBk=I6w_?-sY_uV~PPkw`ck`PXKu3|x3T!D>B)YP}wj z)5U;19%(%WTeAh})OK$I6e7_ln(hY=7!jf4x)3i4q}oF#Ut=lxOB5$8l6ev%UT1 zmI`B4vy&I^$BApPgLAWkb9-;KjNX&6rMvQU#cGzoqo1^B1i(Om$j}^|eXvHJVd?5L zn?i>(y`>u_xASSiwS)huJl{ww52Z?vSGQKn!qLf}J*mY!j-4!MgIDY-&Js|dR1cB@ zMWCiIPvC5cA}B&#%>ol1ngZxZ0lpeBpOy@VNgluAIImFTuL){++IAM%O(sQE)@=KQ+A~}zaYvE#y5SSdtKY4_M}RIYCc;!1d{qVQ!hHR9CD>P=SXVK_*c~% z(SGwTWe@qCslE`uwWZyz!OkjL7{CK)zj`HT`gk5&7t@9VYfn`WDQv49B57;_l1u1E z!HOQnkBg-nVi2eqXO}+uUSDLf4p;E!(*_D0`<2vdWT*`mq!*)MC39G+(?CbifmYw3 zLRdu?^Jq5RM_Xz0t2Q=_2-JA&OlgvuJM3Z~k0Fh-cx1HFY~%@3+6Hv5an$P<(rr(Pvn4Yp+Y+;vNzJ4pE%#dcV)#}Q)#6aknv!uL)((PW)$8uu3#Qp1y`yl%*?KoKQyQ; z`SYJKH#%Er+UGwbNc(u^+kR0Mdf&%oY*ajk2eOi1ln=>5geF)MFmGXJL+K>eNq#IB zOIrx^jFCKvx&?z>MB^FE#Dq^WW~G4k*Y+eD(t?=^*1N%PL;K%~uH_9?gPr7JK!_CZ zPsweS?eKvuN+Ln9#LZge*>(GyLRsx~3vE*7n{Q2x=rurqHyfBM?Dp%q!o04ktmDwQ z%JbsHNJPzkpGC6ui2&Pbb~`NUv{UB@wpkl@k6fUsg5q= zq50QLxM$m4;>NrOZ7l^BTMGQoiHL3wXS@yfGheNx?Kd|l89V>?pr@)+3+Md+qNtaJnVF>_oKc)poYPsINj6tWYPx{K 
zU%S%IJJb;b>-?eLd?WXLn^)DrAA9yi<{bN+DGu2ZYEosMj?{$~`B$&6jK^#nId5DF zCHjpg1?|4~NQ3*-HXEIiC7>0Vr52Z+_00dA21;O9mR*xMDOM|4fK=9CM}+AsEfY~o zixm)=o{PhG#0RBe37wwXnRTeRwNt4aUwre1DK{&ZAqFZyOG$V!4FY`*~*~+g64TVPtdj|o_p@@NqE8-*rqlR?T=c`mFVX#`?o%EcSZcGfUtu+6?P@f zTPk?nlq@O%SY#ZM`3vm2eJrX7y6xvPmg!}CV?{b*UDs@~*g;{XjI9cM@CIOnzFo`S zE3K{9gPn~2Z>rgvLAb?46dJNW6oKPoAB#jg{+h5oZbpSdsI2BYu!W9q&bwbtLT|Z4 z=CM+os}l0!7ZklVPnW0zmU_Y5B?GE(@6b72#6h3n!C&o{>0eUb{yZ#9h?2dC|DHBF zqzzOY47~mQ@$5DnmgpZA8!000ks$iMkQR1ey`$ zQTv@zIUV$o>%IB`0H(weaR2|`gHj4XY9;;WId!>riC}craWO_ zqq5+xdY>p^pO8OdVaiDa07Iw+cXM6?x>K~A1E`Wu8@S_iB<@RlD+B}Bql6}TlERGj z?UJYKY9|`hfpYSvMSOp|PIv%5EEKq2rBQPBMHfO!YX2 zO6sM4jn6fBo4ak#Kn$|h?2nk7a=S`8FfH4E97lC>URx1GT%4di$pV?(kL3t4x=(;UYtj|kup?-G5*Jm~|8H- zq#D03NbPoPW;)Tv7H@MZaGSsEWy=e<8;wT0-Ye-*E*_dITz$hZCK-n;Ov&x+HE}r7 z$SU-HN-?-Vm$VP>cdw#Kx%0RmK4Z~cmM&C#2FdF?;fNS*-d~WfR=YkVLEbmH6m{^j z+kXhH3l^U2yNXm0r&;4pFh5oQW03ab|FOCY_+AGx%zJR_{mHp>K%lKv5P)CHbiA4G z@HpS!e~}vj`pR*BK26hhr7=kZ96M>?XGw)6ZG}bcaPX{j;UZdh{&e29d#Tr6^1ZU) zwOLthG9er)}rvV!PZ;wlO=8PJjD7~bdHNcWsCPf8W$-e`>&r&3+Go zP65qZJ#@j<-auO+h(n%C3c>r^wP6xZk{Yvg?zDhHClZz`TY;-OV|EBDV!^k{*wUD< zl?c;H-*Uf|gDWO9r-&c3I&phyYQm0sr|R)fIl?#T;DEmfvZ@+$%~&%6UQF-lg<=F| zGIjDfH*ER)1iR#YQ%jV@sO6j)Nk_oUdLC02EsMxS@^w(zb}4cXRWWbzgWkA&oGlf< zA{2L4fx9;O=dJDe;!@UtjQ;Yv;1oXTph!6 zzdKuB$xw}tf^^mrWbbk^L;OsP+n?gQ8$GKZeq7x&aQ>aLIkSJG>@Za+PHFmLh@vGY z1NG?Fc8=(|sBppsfA>c9F+g4S(#`v!hXuiC_vW1y9T8Ztqf%p9F1X)=b)2+*ts2Kc z&4)vZ3dw6j4pM1=%frKA+LgF2og?4X*l6BhRqP%SqVv^Zypf*pQ$zNmR^)kxjW8~phdq@s_A}??vtgaUvx)E01s6K14jxGf z+e-1Pil9a$2_Jh3{UzuK@hV9Zs+umQW1c6`C6tb^$1|WgIF&`m!w*gFj`yRH$fg`b z$ZT_B_hM#(C47?WQ0qRkKPrby`Xjk>Ld+PZB6;HZy&}ui$}QRAP|EA7;A+Sr`zGCD zbo6jmIxm&Si*+Uo7qi8kiow-`$|jS8@YA~_&~XLtrJ|eABd_p}AY89QbyIye(P?Kd zoKk+`ad{~9rX(;_B1U+}mde@^l`OaZa!lh^tvajt4NFpQ8c~eKX!FI03Rr!TZ-W6q z0P7GjXL60R@p)#coY@l&>NM05XL~&+FhIJ_UutPR@rsRTZRKmT_wJ?o?Ss$5%0gYd z=)Eyp)|4|>_Jid5*+^7ou=NoTu&ezC(AW&@94?{Q@J$=puQOTZ%_b};{#>g2MT{-I zka)G_%Rk5E(hZ>P=^Gbmr~ysSY}bA?3-WRj?0J90KbmNDG*t)wlYOYyc6uQdcx&dA 
zqxCdnQ?(P2iZZ}hxQ-8(nizHBT9%cGocH)oEZYMFVbP^8<{%5aA~9jg&xD#8_X|z! zM||k2vWY~-=gHaMTDrH-GUc~QD9y#xcyGt05(Y@}8ML&e_(My(+1?Dw(i1*PwpLg50(3d)su`RWrK8y+3M;U6D;}%ACk^y9+~>*!lNpt z6%0N6dF_c^%q8IUTNq#Pdu9M!Mr!*yTS9j(Gb5Vrp#d7r6b{%cT#2V1Qx)z6qltXA znu-za8t;cVm>T<07MAiY+uhL-c;vqljy95LcFp?yfG>^fT}37fw5*=&M2_LRVCqN< z#oo%33a4?VL0ry3&GyB)Tx!2^gJbdwif;PSsjA)|`gdeag|Oaa&46#^T5|BJ#hQp> z?5@b>!=KbBm8s)&CD&sHvD-=ds_Mb7*hfa6vtv0V>vc_E{EL85Fa~XV$!Zb+UJz?Itr&a|4MfvlFw& z@<-kdi~~g$qKl%P6Ypes=Y&rc*2kF>=XBE9p}zh-=Tr-a4@ygaZP_R+AIdB&55M}T zfs14W+qW8;)tlC)SXK8w7-p;Qy~;k>B~Z6emNU#~7#X`{MDmU6nRyDQMq88KS)Qbb z*Om{<`wOG(>RZG!tWUox*2YH<4QYbHy3~)jqNY2bR;Zt^egLT~?AV;iG0B#u!_Uy_ zSm4IyKwbe#4}tL(=Vz4~3K~bS;qGT7vd-;`nXU)$lsVk7V}8Kz?v|k|)?#A@>I<(X z0<$TyxFw`abkCT<@^mz+L>JZFcyi9Tv9bj%HSW9$^<4W=SVf*kPj7|Ff6JClnI!I< zK8x_#;m`4TiPBhDAyle_^I}xE?a0VaNQI^>(Fy!Eix^!_?j)!&V6-%1t|K~IFflWS zl7s}S1N{k4<$BqKp>jCK-{}--pDbVXbV(@>poH=)K*b1I+k;4lUxED?2T$Ov0jYxZ zds@g}kYoJHa_Ivd#u@3bqT%|Mi~tah-t=eqPDmh5`;h*Bc5UcA?H1uLJ!!}`h{I$i zhC9}8jm&H~YR2)h(v|vF+r?jO-#G&n-I!F9x>AInlvdsC9A}A~njZ~dX|OZXLt^48 zhdve5FHO(8aWZQJSU}7ArCp1whQ{?AQ@P}bC^03D<`h%^PpN|sms`u~T;jag2V);ZLWDqU zBN88Bu)>LCQ~7pUO%<2%1y~_3MDCDMX75BV1x%=0y>dr(G!6VtESUcHpo1ntGgK@h z2Emv5DvwgZ&>!N50K)Sc6d8BL#1BTSl1_Z6PhinzaI!K3RDnH|Y9`tdTxtj>2R`9r z-;^vjM*ztXR9Ok?idJDmb9h|Xw8O=br~yj)A@+oBl{AQOy3zJO;&pwlPIX85YjRnA z1+EnZ!>U!WLtz);XG*5%p%OyCD#R?45snR<*aUR0FoJdF*Zzp9&DL8I;8}31%T*l1p z4la1O;XWZV&Cb5xGo?318}AL)-T~@#wVYh);E>v*p*ZWm73qzTm5q>|9H~}V;|-BU z>%uf@+ajQB^)~A<9>#c^Ouv9wj}SjfS$4pLK1XpDEH|1{o5>63tFQK)ZQV=Dle}lbWW^+kPYmpZoo2IL7Das&4M> zc3WqLMR&7l9|(KAlAHFfGjl*RZBJFWt!xR`Xw&c1Zc8|e3yGT-2?!!0d_Y8jzmUHT z*c}5p;X~cjpdTzqAdZzF_UKwnc90XOI16sP)eCLMVY)KIxyX*O>2lN}nIgk+tkFc% zI>x)|c}rurD*K<-rlx;^E~T>bYd9>{tlYcp0v!o8bZ*&F?|VCM_IRSFIjdhio-;RD zH;u4_n{-pxZ^)Icgx%iw zsflP+laYh>1}ZuMN5oNGL<(|EI&vs9Wl%dBHpb8~`2mK|>}}Y#u3vUG_PEJ7-)5hK z;c&F{DLNwSozmK=WKjr)>EnHz4qiG@a z!3Yek!WA@|OQ`R~TJ?eR``zSAqh~QRyn%o>lrkgSO(cd}hEr$gd7e>=>7QTUK3cpU 
zlPtvJw4HDOjZzc1W915yI3ESx`^c(tZFAEoNj=&xCODdM{!kR?9|$dbV-oUhd6t6-R~eXgoom8v|~0;4l`rEIqzSLb$D=gssjF38I<1GaW=of?PsmzP$_ z8{-nOAaTriPf^7=7wp{|vuPoUt6pOEdD+?7W;Dw3NK7FcDY|+SqPIQoP(OGQ`5At` zdW&+nPCJgyjUl*3XZ|E|)9ToOuvVN1g33t=$FlSItUtMoYW53HuYC&LHuj;^*U2nS zR$0wi!YPe_=6sm+Dqx*xlW})+Ld?RnyBgJ>x6Vr*A-u%AmT;OIsxyT#j#ERzD-7XO ziLb633C`ArYMW!{Fo1-rziM%c)LIe8vdXc8V2PGpZ1Vt=eiA^HN61pKy%$rN(96vBP^&C5jJ%upY8svJ_S7RI3cxwzveC{oKXvy@=jl(!)ZGq(1 zVQX49(OrxK8ya!2C3KkXZHq{^AU*Zw6wuls*6hCQx%Idv($iy0Q*qotPlx$Wre}NO zFEZVZ5$3m5Ep;t`Mp$bnwYJO6HAe-7f>zsf6@&LhlWt(pfPI{U{?~c&l~uyYw``4x zjVhuO6?dDGGb&)Ko23I+ic^ZI>(8d}m#l~VTGbad{dJacjU4gKkm{QD`b+9|>PzZC zgYxbDmj@OZsks8o-2CoxJ&nrY!D%y>5`8MfHs%oyac(hsu0=ht%dUm*i!kf$?}d`J z!M7vD+M-XmO1qHcs6IISYYylf7J?z5aA9# z)bTl%+SIih6=YiGljTcVBCB~~DqdI$ukxSMuNI^?d7mO(*4JFKV`u{iMOw zI-7D!?6vU8Pp@@HdcI3hkw7QC z%L*$J*val;J54HJ#afA;?H=tO#%{*wqG5P`gj9F|5cDGMQzidmYC1y(YxbMfSC~Vz z4E^`T(xH=?Z8s`z{v3on&SQ6l3$lf@AiO4{$l3A$qq1_=Gga^eU^$%1V_Tlemqp=b zh_0-lUYcZCv#DvHPE2i}|HIb4>4LxR>T{7Pm=RxL4%Sla?-7$cy?;wiO;0gj%S{8w z>Ke!uXm3J-AZM}ENU_~|;2K|%%FBQxi*>0vS2F`?$qwt}Wb5)uYi?#}S-BE$`wlet z7w36A*YRPn<{h8jHPn$Sa$UN*%{p+6RrSGsaExO@ zP4uq+PgQXx{|d|Rw5TaSqV`0B56fRU#^SRk^J;9Vi4Hk4l3fG|@=zVez`3yM8D=3z zzsZy!&yD~CStd!rAXw4oEH!Z*JfWx~ZHvhWF_TDoKEX-D6V+u6TTS?@sNx_= z>pfh9M}_FE=q%__EB;a^{N2iVg&Q1pbUFF7i9MHM|5Xtdc2oo6p&Yj+O!1KPzK6hq z>r~a1{Ki}UDCj;$G3U3*4Ilk0;7$o~j3b*L_uWInUiU;W-rAw))kP$~BOW4hY?Pz0 zpeN_`Di+@rV?4W0*gw%i#Ng(;2!nhOG9^5=$5n6FW;Han_iEM1Zb@Jjur*`X`}fNy z3I_Ly+-79lOs%%%2i?G^ZlaXHsE&aiyQ<)1c>v$gHh3=V(0@nga-x~9?OL>tZ64e42PB1^Uc-7oxFe| z*0Q-&QVC$nFNGWDt%^e>XSuy3f!m`l?}a`ND!2n7hk!1mV*g}F3AoaMvqW&vbF?Du zToK??(&HvV@>1dR#|}2>O#es9G+HSKJ$XOksD9Nnf3O)+raHHd$kJwWrrS=(Q&4+K z+Y#a<2-r{U1l;ManNrEQ;UKUTVht*r)QCL32uK52b86N@CFFd6lzx$UUC10~Mj7PN zE`ASCczh4QVRa$1J#%!=1Q%ZtF#35!M$4{|OAIW!b z0pK5v1x|gjLVsQSW;rg~EKh!P8L@hB&EbU}QhyBrCyjAtkBxtn9sD;Bp0|>Vu5ow* z1inbCmuTYb+oscA#>RVZh!cHvsX0=_dA7N?k~Y2c58PB}2SaaO<+V$ccga4PId6Zy z|4Do0XFR+0PI#BVAUBcN>@Phwzn;|dEVv4NUhF+P>&FhMBWMbLiz-=72fxJ9NA=1+ 
z$Uyo)-I4jR=#^@Q6~q!2l9WB20)T?2S!^y39z19^q^>jen| z_(W-zC~_g6kh(k)S$T}6bOefVfc9f+{^11B``hgc_v;jqYX1&y zkva*I5r4|?6Tea1{0+I63-}GXrwfSagH`~r3Gf33UkcWp3%CU?mR9Nm0C1W6vJ2?< zLCA!G-_XSi{))ZF3-FD!*9+hScnb>PRN7s4Js(LK?~sAFd`;zEhI}v%6bA?oMkCYX z-ng&v#}Av2|AvGSEhY(o0)Uwh7l(3EJuSTjjwO1n*?J>W8mZCRlRqLC!JSFv>SDNn zd_k?rMnkO7d618Ngu0XQNbOwz5_jdA-zD~T2hhD4XfbtC8z&XWRXIE=x=&j<&)^jN zP!dTpbzt~Pm)Tu-1hG&Z*5c4aKmKP0OWW2Nv^EGjn@d+&1yX+Kt%8A+f>VG1!pnSbPQ zNbs$~H2wa;O?R>XXCCq!23;N+a8H^c)=vax#kKP$h7L@CUtN#Cmx^Lol&#o2M(TT% zUTZVeTx%b$1aHPrdj8+W=!oGtRoU$v%M($y?uYWc+E>$e7J9UBP3eM~chenq_w>() zFTuqRLA)_TE)r?OQqY(JUe?$EJzl%e!x$HRKc1C`hiWY&Qeu>8#FG^MEV7I+7jlZs zGYJs>@Cq)KYEjAC=t3;B6s**y9gBT)G=AOHwbej6?}{KaM4f`z3-E;xBwY+?pIwzS znmO+3``b?@PL47-BTv6mmg#T69!D%5IvjHG(ebGPI`-N|AYLRJCeOcbyC8eNT>(!V z)hnoRf|d?vP207VP7mYi=;mzUmPVL$-#=OD-MH%o~zLiPI6Qat9D$W8NH3{AY%CYJVJoJlpR^`~UGyF{0gcz`+>+oRY`w@y9 zTwGI`%;VC{kMU<5UJ$pOo!Mbi&mX>?Xk2vN7otiDIB^RMB$aF?jl7X5{Mpw6F8AeG z7UqXgu=47KQ|QGB`|2L6Toa(=T9SfW>f6jOKUD1yyjM75Neltek_} zS!v_R5wB8$wgxl$71Jo~Y5o{Jnk|?&m!CaiZ)gkjXT#-L)so~t|M(sZMzd>%X%yg^ z{qKe)tJ?phU)V+8a^j%~{nf#41}BSA3yE}TOwSm5YC_s~~w{6?DZQHhO+k2mF+qP}nwryKy&Yk--$v>HguB1~* zKUDgus@D1xvpYJ6ogYO@voX#wV2;fF%;Y8_V9$<`>{X@G(S=95d0xr1V4RJ5OpLC7 zvB)r~G)mmM4vk=&LShFn%X>DDdD7Gl!#tm3y%%J$N`cv@q20;Q$(1urCyuITeX{$0 zR*vSFR*2hA3GRzEqF9c+vOSIlwb4UbEWENcDNt&N9%R0Wl*wpZVCW)E3t`L;2eFgv zWucf2C(}*cU^@7DM9N74z-KVt_tK_Lv}bnIf=* z9wgJwn=Mhf@=WqZgPgjqa-#Dk-gRFjjl%*yL(BrYL!BdsH=2jZe*k%D zWy>^;gqtEmHu95M`6o%7hbMVw5bw047-pXNS!gxCB%|abr{vsZU#H3>EZ8jcQj)oR zl`c*ANab`}Y35l;zIuw-UeE8?L`=Y!2!Yebyd_h8dWArc8Qxps(U` z`y5Y3x1Z_;D~qqx%W8Ihh=F%{+MsGo666*~=Ahls|B|Rp`qWmnjIQa#r^q&`pH=(b znS1)9=RSJ_;47OD4opw0+V4H3)g8@oJmw}L8ZgyMi}6PE;LN0$Xd4AN8ekOdP)M*9 z0!KmN?Rc(DbuE}V?TV(tBuDj}Nm7I60uDT5(&8*FAKaOY5YAeNjc&RcE3dCND~(`e zX%vBD@#tj161QUk|3k>; zyx&3oepYKTGNP%KXY9zE*_AFJ}3MGnW-Fj!85FvC(lc3!d|+P#Wg?s#B&l;=hoA^IC<32FSD3u zS?DAI^ztB8DW8vxgnnjQiTonUu@0?whYEnok^s||#qlIl^83jK&+zu~K%59|+oN(; 
z5P$nB${=DZX2UU2&W8njbVKhM%0*DjoId2yDbfmmq6iz~Pm?bo!#*a0$=9K#ObwY0jO-Ia00Fy|d%?G{1}U1tj5+qp(x)ShOK`RP(m zmofcJqPbDMJf&obWwl|2Z(_)7*Ek|QiZz_108~FrpK7ATBlF|qg8_W|%NIXqUP$9< z@r#KREVhezT`&ik<5_MxOg=|B*fo1G4H^t`JUXG89#@se_E?&H0?vwT zk3BB=={fmRC4&cfuQHPU4gIx-XXwltG1^~Yn zADH}UYT&UcuMNza-+8&oq^9@m0Xmuxxw_pLYb@^Rk;JWrjaS7lcB^+n`O`oJ+JdQg zmC$*;L+s9t;R<{%?NdbaKGRjlJWAYUwSvXt)dp>?GhgvZQKH0Rv=S->PoI5C6B|-8 z6Pge%^>^ps4hDRapF)GmRFzg@Ww2a}LpAX4NPHx%m6_@cv~S2-LIpPa3~NE)Nt&iJ zIg@)3QUl`s+aMDe_c_s!qX~d+ahoA3qQYQnljNtU*O6I;YXfnyx%8Ey(!N=R5OY>Ym)(;;zSRT7 zMHvyLhjK>zErD=Ag(K&aDnj|YEQh);DHI;ofNP{HCS!0yrr9!?gG|FVVROV>0b}!b zW~*tWIl=Ve5t!ctBRB>hLzxE#qdqWRpi@{v!sB#B(qS=a4CYD!v|ZSy)h4mIizgFP zwoaph^|4tCtBs77vC59ND|6wop~$pEk8<-y_r&@nl4>iJRPCGK#;01ut+S+@zx6Fw z+q7$vP9i=XHs#1`dyMlf+uLrZ^DLLx8aQUTtW=~TV^_dYx|N7@MIuK22;ePrVv%Yf zd!Vw>U_K(nYXCwAZNC>w-neRjp6VUbw1uhZM#)B{-Bpi!gE!#qM41}$RMK}KM5QNy zqR2&M1i586yjg5CG!wW(fmjZ~`Vi@_si=Pz67k}XGC~5>G83!N^h#W9ers*K7Y>#E zi7!#;Wu1)F;a5Ij1qTl4_ZPg1v9eq?ui0*odT)dT~?gc*6b|o(P>7Rd&huv#>Q6m6Wm=luwRQLj1reat!&?Y?%}2Q zyO%?@En!pb>9Xj%Hz|>$I)fd@-@0dYc%}jE?PFWNM>g}GnU&oG>pK&xyZ(@|fi?GP z%zKwrgKByG&E>}*Wz08}-f1piOX@oq6KmXySbBrG2Iy%X9bwJC4~L-)vF`m0=bCG_ z7@ST9&gXfv{3}04q4e|)!AWz^77(twz`@ucfdK4alsj@0&l=xM9!Ro&%q_w?D-8Oq z*%eq}VD3+^{aP!zt2Q=tJ~=+oWG%S@Zs$6!kTl%9`^Y22ToQ=%229t31g67+hH$Ki zGxE^ZIe9t$k8-2i%FhaRk~@c$Jl4qGGY~~RYTsP>ta?O^uCFaoAN&s1i>fdi$1}^i zB4bO22kgqE+>ywVU_?);atOd75WQh(bPiUnbD4&YLF*B~J;?(Gj)@$?=lwP(E&M=u zfyBC~eTdmSoY>~^Y~D9QB#2-lcQquZB8H@`Zy-BIeD#v!$R&1gXWLpY@&Q75rLDg=@&Hy}_7ODVZP zp)WOGLX6r>N!HxxA^}P`RV1;lD)di>CD`Rv+`b1hHuy&cV5N~KvV9JTNF()#&%60X zPTYd5*{9tt?No92hm0@?mGhQ8PUU4cJOqDH=GtLBOWKL@&_4-Fg;KF~AjX>Ed;f(kIi1H@l1}vU7Ln+^0?CzEKo{Qp>4~i` zxzk%*GUrC@{yRYMb0Nf?>vU4i_zF$o@%JtYiAf}dXZcP;$yNO(k)MeAQ-+eCv1 z{Yw7DnaC6%f$=KfAI?KZm~-^9y1fjs)S(8B_4R0`y8@@bunvv}I!r0Fg9%oe*wi`@ z7S%^Up);ibCO297Ywt&{nqP~VTUyJbor$S6`Qck$n+{t7*!I|#$hKMvN31zgQo#N$ zsQsZ(ID!qCixAe_P36$^OU#a+f#ZP&nl2*m`LAR6#xNR0be`=}3|44-ndQ6GEF@K# 
z)IO<(E2b4I94%srodo2D?TZt&P*+^{nxJEp&led|H1Gor6&+K?>dv2>2Uotc2;Hu( zKzmHnf#SOD<{^L1grB5cYN6!JFF1N9!MQ@{DL8%kTKKv#BA8fIk?!Xi*uj63&rXqQ z8%Lpz^M1e`yrG=Aw-!IT#xhb5qJ7C;7+xHx-%oZ}Z^TtMT5tEEPs@5 z)K|{kSf{&o&Wp*eUaKuVgPDWjX>cA*+48ad4}3NB-v_NV)G2?8Af$AS%#4!#-b}~a zLne~RYH9T((~FE-Xd3cWzo{%u_)JLcWYh7-sH05lK}xz2OcFQVGvJyZs7K`zY3C!< z5^$NkrkT7ZWekf;Nk<^$k-$}kJ3+i9B~ce+uI^AB=(VwuL6~IJ8WT%8Oj2ABsWoZ8 zGPRNI=~HuAh-pxaF;d<|$WNj4yEJoLu70T!m>8nYbC17HsfJGtDSR7SL-@f&e>F_L z8*s+)r4PE=mPJ)Gk8vFUMph-WeU`<43uIB#Jbvue8U3R+>*2QB6~rKP@|p{nk@>6z z%v0W{XE!UP624$c8+TzjlUWkww185-df5}BxH5E>aVgMUBboHosh(_bRjEgH z<_S7h#eTu|1~wBvV7bP48sD%)>!%7L2Z-H$?H&?Uqkx|a*HbQ~&3V;3cE{^ya zLse9E8yDRWwVkKHjgb1Zmi~=)N`6^;FzN&*ot>bH3*@qdtfCqntn@bumzR=`IX_xj zv`#ixNoszN}nC;NoFf;vQcyjYM0ewYx-fh}c)6y2o1C3bnhyRFjYH!v{ zMAJg2!kl+fG3>ZK|Fc`eJ|zVgbHEJ&)ZM|T-GR7Q+oAFmp(myBvRHgny$z-cu0jO& z_#1wuqSRqIKkqjO@wLDslCit^M^i0LS53W)1-`Iy8;)3stfb&a%wI(<@Usw``J{`q zh$o^2se^viNq1``F|xfkVV7#bkZd(cCGDIsN+(VNgrLjgr@4FgpK;R<_xyn4Gd(-#n^(IZ7Y|dS3?9vxU{I%)S_g@FRd0FbA z663DAc&57AQ}@xWS6{jYp&E0=L1sX)!6Y}z>xNw-lhhaOB?Mj*mN{_Ox00mRQvPJ_ za4gDlkGee`*|e#PWX*C!rzlhh=xzD|Uz)*+YJo|kD!*;9X~dg}4g~IFl%+imkF&Pj zR}}qk1`TaH9zXej>)(fq5GFLKqoiyjl{5YEOBbrX(4!jZf0MM@Qkl`IUNalINe5qV zeAo)5PxVU_9kH`|C&@_r53>lAvBvK{wg3YU{Cq)PrG-CYFBWV+w zSlae-y+_654)|BS_t#6P5FX)(;diHn(83;ckaS}|K#TSZh?6+F_Yo0BE+lyIb5ke6 zPOO68`@TK@zrG6hz{4sIe7)oJ9*E23Ar~LuwI7>3UIO6BNdL25CW@k(`6W3LZ3txAwvZLq2v%-JQAu}Ar&&7}ZNJ%QaNXJQazDk}(k%WO} zKo^jlXhkrYPzZ(LZ$r`5i>exgqInq82{J5{rvE5yLyuT62}<3fTqQS4*Jc)+sbfNj zLu7@Yk@^CEQaAE_cfR5|}nQRdNH#6e3Qqklm(qC-L=ld73D z_9XlQ1`a$ju)!okf1)-fl<2arDVGPjT`;`__y#_PRpGzPl3q|vb^v|B8b?KA0oo6t ziW|8=06nQ0Rp7qUE~rlJ@13ZHsFK%W?A+5SV0HTBEXX^CaRzc@{J;WZo0WN{rqu^% zb#@L+IHBN*iUBK@{nnSj9W|&6voO^xvU)Ye(Om?tQzmg)3!D`pPORs^O+w0rACxre zD}{_pCmNnV4yFKlASKxh6^XEV{9)*kiD1fQc!grb-D4wdCL;li@S%~7xF?edZ$prE zN-02|3DOhzY@xxWgFpq40*?^odndl^-SrvMEJcsB>PBZqvL6FSCYof2TX<3fVb;c( 
zQT&s1dMP5Ai+H1gh%Z%b>#T}=*Uik%?MTYuYt4Iz*t(@}{U78{{RZ@f-uGmFuMuZK7&kh!qr@$GBV78WdLjWl%c+9U(Nh#z|9OZlN2auxuIAk!uMQm;;6n6~0!Wo4Dh59EkJ9Gh$ z{qZt5<*Gm&=-`9oT#QfMR%YCRFH#KfyrQ>t2vdFNO1w5RR_qK4I6}Y^CrZ(Cct+zlmR&^PuQ2ye6WmT*HkX9d~{B>T=QHs6HrYs3qp2S2$eOcasbn; ze5^x?k&;dZ8=BlAL=Oaht*}~E$|(Rna-7HND<~u*Bo`_uSoiW&hQSJwP|OivCL8ez zMuD+`ZN-{c2`w3qW*cf#*7HEk<2A3|;cIUN6xUoy6WibQ@<{n&coeeMFQ5(|f&JMk z+I(OO@LI6(hAT5yrFL&UeLH(%U0nZiIhC1S_42Z5{|9M+7cjG4(W|9_zvcwj_uZzg z#D1xrwZ3J%Mdpz)pj`Q^yxr=3J5*`a%rv8%7#%kCERZ}$(!Jh35X z2kZgXAC4;qd)!%#KW*6Ac_Pd$dI$a5afZq@SL&?zYsDG#vA%whRX0c0Ura5&+-O_m zw=I!2xu73y8Dr@X3JrtJ`ow7eD28)kc>9BbQonX`#I*n+V*5;G<{xY%m5H}bOA z>pNGQaY^1(SvAC0H*#5xy|*s1sWy^Vugxv9u{XU-+6U&T=E^$y@psTcbrXaztJG~< z-`H>Z*`1>;x@TMcyw+0+tzROgx;%O}&7kodEG>5K&-b`zjW=ofR?9gx;V(Hg2o%*X z+QF4ueU5*gdPcr>rS!);yV!-YyXbvMuk1A8eZ3fY0m<)d@y@uyINv6ohvl;Tm8V*8 z!R-riH5a?qf)Ku2byv1OO>hx4K`F!SKgnB}Ox``~TVsTUq^Mfe5&^9^~{EG#l=W zaC+(YY-SNDJO%L2K!;3T3Ne{O?n@+#ZE1U7LY-YyxA`xPc#AJ4T}-HV&E$k5oLvyD zzqtAOc`NsDj(CbYR9??Zd>)2HIK!LWHa7<&$VP9Ys-~VFA`Ye z-F*tzPUK~7ySfy+bOoi)B525o=dn4&QqFSCXqPdsTE^#PMt2;QR91OKuiM`2x!A?n z@*ZlHy{}RtVBv#RKofB8&;uQ1`v$ei2OPgQ<{nZ*py92RIm@3amF9ewy3Ra(w(_P7 z37KVaDJNA-;A%g4Z8>M5M*wxMo$t&$#q?A>=jCXG{cNoEMr-rv*|xd=YmeUy`FuHCGI>PU$mE?~^X=YlLGZP~qvW9X z<-EY#fUpPk;cv@01tWj&i-6(FN85Ho8jiZ1j<(}qMjc| z&Box>x`x~19^wekA8J++^S(}H{NoqnVC9J{uW~P~@sDmvqJ_iK?zxI_pnkuac~Q=a zKGAU*m$>8h0{s~UfrGUrgv&XoHut>Rh<>3toQM8HZ~QvoH=VTcDR!^m>9plb!$`FLI}=9xl4>gb^G4U}Ei#W1V@m+&D;j?T2cZShZT|{c z!YNR18@yG_Un70xHeqa;a~`n|4Ae#B!PZu$q)Rxuk}(g3FXdCDv?GlEzN`A4p{Adr z6T!c>a#z`>T5(&R7DD|%4#y84l6Q593H#|u^Bt}}3!Rxpm2y*fiVgF|u-(eV-|^nk z^3&1c>uV>S^$=^)eI$Ryy!)1y@o@p_=M|dgm)At*VNGN#YoG>WHXTf_YF>GV$o&%I z)AQyI+h;quOx$wP?2>QR=4#&a8w0xQO=K&T^+>y-3!+&EpIa3~Q*)J=rRVeMV(M{b*q`w8g~9|auXwPq#R_kQFt*ci$?|1Hf`dsv>SsUW9K zcH|n$Vb5vR>%TWeXXNN787QM3L49)P^ZHVB1kjCKqg|!V`8JK~K2z-kHjBBg#A)zN zAWg>8;L7h_F6nmRJLScv?#WNqih&SqC#9rj5PV!bUo1$2@CGSe2R=zPwqKXP8sAJnE_MyaBp37QL((#;Va4Rt;|L< 
zYEd8;3%Jbgs`ezUcYjDk^6>0ElT>Yqv=VxB`f%#NY>;2s4J36x!3qa|oqpTL_qwz2 zi|jLDERH;LvT~k1Jbi!FeX^@L5d7I(jYe14#pOQp!t(}p#?=zWS;i`Ss#>d^Ag=@T z;@&vQ<{_aHUa~G9bjvO>H-B)6oOL;g; z8RkvF@BaABf)+we?ducU(=WQKD{#Lfg7>QHi^eXVV;$pl zjVyzdAYE!$4$?+_o^*+~50sDM+rWCdR_FOLm7h}@TeH=T+w3&5<(1NoyY8TP(-S%G zNOy56Nz=ecMm6+9B!dKsovb{~wlEIY=@Q%pxn`%AKRo0hnxe7^%k}v^71xxyn3X3j zc^EEQM3w~S(ObZ0_u(oA*~Cw2CC|CXDBN-c*os|cR+0vaq+Ex${%IRlG}f|8)+SFS zmU=5+!MsBmB!Hl^2t%&tR0c68;Sf(DfH_o|0`*ElbuwrL~may z4iA-upQh5EO}yJ|ztD27m@Mr^;?8Qc0ww`@GV?-cmeEBd_LK9YM)Se+} zchFVWyXM?Sp4z24u|sucN4m81(^vU(GOHmdPV?5DD6O4+Y@ac+@V6L$5afZK^fs32 zlwGy%ny+J|p*urVD+-D(u%X$4_gb*!1Tid~mn%I7Z z_sD&mTQfl4tkWAhogVt1dKO1ttr4Jax9{oDjjXrlA8+u;J=eAl|JctxVB{*eBW-&& zBq{hxge+>!4qWf-KwJOc*7;8v$J?(ohza*6GKhaHL9_u7U}bzn+x;b9kf>Xa-#128 zp#Q+cE$?U{K78^xg1uFeM;UJ`#lzL2W?=jLlUd zp2Skg;7WrlfVALUqeAQ;w6^2l^{IOb$&F$SB7+D5B$gFIwKq;wUzLv~> zWfWjyq2rxdvAdM`J6UPjTjXR~;0p4qTn$KA$Y9=Q<; z^XHp;2H?ZXl@tmpftE>3@`PXEvy%%KGT;PYk)A_C2cSbzAuktK#28_+^Nq9+R!+Wt z_dCnZmaf%>&DJuPac^;dVJRUN_(M*=a)c~Zj$M%$vL^)6>Ek^7x)6e*Sb=%Hbh^^P zw4;&_kzC<09B9ncb*w(Vc$K_bw`_t-$oM|mE-f0v0@D7;x64e`6`Bta7ZVaDbgAuf zR4v`)VU%=*@THeM_>=+B<}uyMZ{9qAM`Q%bCb3#BUKTBrLM!)H)S^rU=`15PPEbSt zV;@S=4_-_na2imqWTK;ui3ukb9FG{BxCTnAZ#DIJlvLj-A$aG~i;e>uHVC-1nK8Zx zCrF?u@M{`D-@?H}C>91HskBycuBy=vO9~%pbdF|%z-+8lHq;ItKqwZrH$a&Lj+;rijN3_nH3SGNPu#DUBtu)X{)(~uEa=ri)xX! 
zB_cERr%AB?y>rukrb=srGT3jcD)!!CPJ$jWV7E*OhryR6z|}&dUX5BX#;zX^7>q6T zn@q%zM`A|%sxWMnNQ1F?+kG4I&?z}3!VFs$x~fGlhm=)Ug*#lPbbV~zRYD+!1|h%Y zRX5l;p#Zz4re6$D7c2oDpRd~d5W)T#?4<$#FdV?Kr-(AjSTpv7W3^$({C5`#y~Y?g z((4&)vPuI$%2MdVirZ9h8$wpWJ?HY`k#}(dC_Pv0X;??g58-=oA3;`cxRzf{*nS@SFAkwt!y4)j-kvLW^8OZ?&;C6;;kXetE<}K)ZN)z9Y9m2|QW_Msv%oc~6jW=}AU zCvtTV4X^udkTHFI{UH|q`MC_azti+Re22F@jV|F@k2~R;Nk5C0yd}AEIg;}R_~IxX zq&N3S#Ke@_23i1eddgNvd=Zd^C~A`deDN}U(yNjO1Wn_DY_``WZg*6&@XjoeMO18h zveU@JM|xWGEatLcFq2I*z(h*~+o5|>LF9OFJ~aqrk%8?1VPt()dh~q*mswuMx}mwk zmYE^YADQl8cnF?`x9pz06mFz4e z^Y3sI)pfpN-R#&&*n88cS||}ET~{O0{$Lu~y@}pn?lRO;6UIKzjPboQ)l&J?UCJQd zMi>*iQm??y4h;EPoq3?`j1%cFSQjHRrorweEdJQc_qH;!#@b308wAkzH-iFGH|*Uw z|IGhl2@RHrR`B*=8Bw>+;~Q%`qd`^dLBN3RzAuI`3Qh1raEE#r7-nK|*-4ikba6qb z>IHEQ%^$bE3^_D_7(FV~i;0OSfn;Zs1p2jka{Dexqo@{MXi_v@@Y;&U3aEp$DHB6m zi$JT+U@?8-4#&7pQ=3-!3odF}y3&TOvVYeFNj?2!-4j-gtl=VBOkvd*BMenJ95fn6 zn2ByZ;Ia{dsyLUdjKLJ?(g-Q-%EgD-I)AByF?yM{Rv}&pMJB*PRSgJFU!~-)L;m_Qpl!7dA4!r==L^T=W+Q}|+u zN>cqWG>m@TO~VGd8!Oo6ow1D3$K_$BCGz|%N6Z{mC__Eu@zcO zxC-Nv7mYDxjpxcd`tq@5#bMS;7d95ljVXQ{31$jIM-Kz5JZT$T-9-eAE<94IVrFbk z4jqaZBNZY52d-32P!WYtBeCjKqI{gdO6^)bZXsKB5qt@&K<@&IU%gn2Or!<2f$_)k zMNwuu!NqZZ`zpF+(P6yV^OH1iLYd@-8deL4v5-PhkXmfLB7$sjwb|%!&YTj>Ri~D) zp7rUv;&JJ#T{4~>0ksT&YeP)*y}303nx);Of1_N`#RBLt4OI-WDRj`%u~T6HLGU*=O#sk z=&1!!hoY8ntr>a+zdBe%-&y#Ehb-4=+x$bkUITk#?E@vCZjXs)rW(PBHb^MFPWhc0 z(ZOjO$}2B8>Xnx@wcT_g|H0{B+)@edo-HHR5M{1LtjRwSdvTh=mNP_am+HTI zV((ls(6WmCCijgiR&xl#nq{BrI2M5(bFTExTubSVk=Jh+Q52D^cNzwp;A>WA(>X#> znn^GApFNPzPV3T!8MS8d7Sp^pa-LJ_w59X)Me4XA_rZweqOukRAk&qU^FSu)K(8Lp zGG)o543j);qYU3K1eu*6Lq(kp%FwQY96^iI2rsiDS>h7&rsDHlj*}Q47)7{-KjC++ z{Yjw!4ssX}G5bBM{zphLh<}ScJ<#{L#h2lrXq`#^+FtXooH!ef(K^FiEjGQJhhs@E zhfr9^_5U=mmmXprv|P-OuP=9ocll~Y(Aa1WKOw!HXCegoGUWy5d$jD+9t36nmIr$MyRkCeV`U}d)!AKbH?%tD5nTGbwuaN#GkFcS< zQ%qgukQlReonrk;r{|^7>Z5bpg;Uj0xU7?Lm3ig$xjsamAp>C)7Ki=j!}QZ;@B64$ zJyi8$VW}A*)gmVPxd2J0Xj~YlV!)kWx$~^X2{Ej7vH8?p#+mTmPvcB)E`wg3id# 
zrRDpaf3ya!5#TPZ`lN1*l3#aLDYQU?v`G%-{Wa@`b8~skR{;Gkn?-EkEoY)&J5Khv zzIJUf1X?Z^TfjI$c7&eh$eAzD7?Gfw)e}w84EB(>Fr=Ou(NAARq^`2lp>0rhrcXTK zp!{0KJk1V_qpZ_)?^Ru{NNJTlqcuU9)kko)OoAz|X5C$BcR*WWm6v@bYi2WQ3&sZY zG9A0Rf$Y4~uzf>~D*H4eC92HR=5Y&`zj_6}?Dg|-13MaXO()x#4n-j0rUo0hq1>Jz zJEZPv+aUWVS+?0z7hXD3$NTuSRztE)X^|G)g`An`u{(|zmH)!ef#K9vv7450j&G#t zAAgJP=pu=>WD+f}VFeEmBAWh;iQt2$t`tj;6F;TRCe68pShM;}Sg5L2f6Yt(pna|* zQJpF~FRclHR#(xg1$bxT3j2tr_~^n79F4?yB^yKo2S#qIxZn+kBD7?u4o3}K?|2ie zlT2d4WZW)t!Za;bNJ6|b-p$z!A}xV#+rnBok+itK?Ivx#)he#KvGu4F6|F3^~eoUEkjRIeV!~V zWx1eFENmgw3c(`tJ`}qh=-~Mk6ZOf~U#fdU0=3=zWcF#h$TO7LoSryna!uH{DCx5* z74+|>u_M*4(><^IQKh5DUX2yal1rQEn;h5K-6-@_e}xynmBCdF!y=`1j;qKn=sveJ zey22HfRUS&9X*dnz2Bd2&$aEFz5~A5h>o8~Y^;cXzD^7*HA5y_EuX0xzJVug<1|hd zK74fj7@is{d))bHyS-G(rNQtC)cJsYo~omPQA`lqG8ynI@7bV|w`^A-qelIz;73$G zXN|8yAzd?)voW2X0QV=S?zI^35apQtCceyvLn^rMs2hcqNl>oBm`2&4n=HXHj=;hF zU-gh=QZ#YO--^1zB`aK;GBFr-dQ>#A(kgLvBdO+qGnWd(q(dSJFFBWNf~+*tijNMmV9k}HRCa(Bo`kn|^L|iqZYS`8a{-f}}uvB{Wi5mh-hJ&7QzF&H`JY@qc_D#pLaFCiuBHG0E$8j^8uC zg_E>Rw?~y&C2<89LJhzMxFP(aNvCchj&3n1d=L^uBmPG2zo|GgMzVp3BQz6p1n#2* z(Sg(vo)cp$gQOwoh%y8Kpx2HhB#%;Oy#2BV{S~~&0$L1Wl`+s|8BRpvl#uUvBYirA zJhUW&OI6j~a7X+G4dMj3BlN%@fJgKR2|#i157__eM5@_zsvs@2?XHRVP3yAdVdCK= z!$I?(tGq=n7Ar5F&ug$@$}?;-Z@j0UHMv0FV15SY#nmQbE;%K(>nS1cw&6XLY5IR5 z>0g+(+wdy(R-)C8<2XvI5zpo%i^1&7(+}){iX)yCsy=NLbgcHQhJDyxseX*MP{PYl`pK=?#870rK z*H*1tt*#quCu(Jxs0Me^oTAEIiyjLMrm2)G{^NABpxUXy+}Am@YXC`$oku~~snyim z3v~1BZ{6j#!xBVsIbf`T=Vy?$1_XvCgL4fa($-GG0`b-Y9h(hUnw>g=((}IGIC~h9+Y-UE!3|yrRBYoE9L$c~+Ow~e- z?F}|nQDK1Aa%NmsNM17(iePP6cuf3oZy;0Rc7kDC{KT`d`PNZ8f@BY|58^fPl*~E1*NVxlW)-be_49QOn$D$25%(E1AIx;a_p_7yO?4( zi!;;gfGw=ldzk|UQ|o@5Tme=9BinkmATsU*dW+mB)+vh(MP4@YUdoA0 ztYDR_U1o^)DHALSOw53pu#0!9EwBk^;L>pyyQ_pU-4P|9bcANakO~R{w+K^l!fw`y zMv+SS@2(YrqGwWV z*v=>?+OOipQf!dv=3v& zDizDD2>?L|c{TnUoz?49SJ%W1FH%kaq*ez3Q`DA{tzt4Sg@l(=$btls=hu>@l}PKP zIp;H(q9Bz9BIr2@kIU%p1+=><9dsx;r zjoGCNj-CpRWBSx~vzSk0*R1NH#c8BYKh5b){>kAj|De*WSu$vt*0f(W9}^e%=i=bw 
z;=`(Ma=2+&;t59w_{@%?_tzECLx3}vdaFUl_--$oN zbclfS_`&e}gl7s~7?45dR1u;Ee1QsZvC(z)VtR>$iZc1mmyZ^$7AUt=vJxFYkS`Cm zj7L>9akvtprn{S_hnv5vm#@p?pLH3`VKzOLh^G^~F7QKbA9mBKrjj%^wA0J=W;;Uy<*Tig%3RL2u-Eqc~+bhUO-S8esD~4!gx?8AhC6D!S^hp z+rS_g&ujhJ(D*NW2lzC@a_k+p6EYMfKvwNq3_tPhpI@xyFeEAB_{WQv3{XW zIQwnvl31RczPwL?JfL-zQD{CMpd+L-U*e$ER$$IeGYtiUSh@ZPg$0B811>H$LFH%H z6XPN&kKGc+z(wWU<^7%zqoVQ+NBD%}3ydK+zXCk|0k7UZL5zehcJGE(=-+_gK2M@&Y7zNA7xR&)LX&L?0u{o)|u+ zy}tbVre0yUecN&+PL{0gR+II+>-Uuu`3~Lyg|Yo%PtE(25pn9p;}TIfi)57Z#Q5lt zobn0dIMzA(w%W8^**Q8SjA~n`{I6uMGSz|%kAqmpUL|@@IbASVnNaxI%d;!>3uy&a zYIyHM?(GJA(E^@6qIjc4e!xUqX`D`)7p@P}m%55d8Ed>o11`IkhZcc0$QOmBXof)N zymddYbU3)=WH+7x!xE%andAvj9`9J`L2lt7Xo+H9yoGoyv^}6g#q6z;b%IvQ02N90 z(pO&Bm#4;&{*K^zuR{t5`u3k(bpAd9cAZUiRrpjNM8o&xJ*ev8>)FZWvn6)UhTY%L zg`Y*3vQL#+&a*MClsFAQJ=1K-kJ<1GdoL$_3q`dRz4?N}&r>42bx?){6#j5-th6kCKqw3UdGxkYqNsMGJp@cW7RyeHh+%- zBQLo(?egH%oU)6koG9b7sg_^$Z?5CME2NPCCCwdG&JnX9E;G*SAb@+`M=S;Cmk5&h z87j@UfOLdB!y%CvLnt|stMyP7qW=@5 zx3WnR@~{;X0JAWsW31Fc2KwQKOkO zC4z4h>5m1g{X(53ntk{`vV5S?1Z6_Lk|CRs+HJwYgMwwSupVRji8Ia7*~#tY{w~`% zJ-aBM#Z^0JCyRA}S!d<)A`A}T}DXWrg61%J*b?3>G@WdD*FAv_1=@Jb788>YDi%zK7iHF01z+T z)4}J>$4JfF*s=T*1jqGUjD5k$EW*ib3rZHgixPX#KnuH)UZDxQWTYUXRE;r03XalR zkNGGf7&)6?3XuLA@gc$6gg?3F)d{x@N}W0__;aUj$N)_tKIZ~NsxqVkFsr;fAD3Ir zK|#n8#5PT80l@+w?HqlJC`FGTGyEsl_iO@+AU1R9p;164N%7~*YfMus@hEaGkfg@W7zw|htTium z@#`#!_m>5>(TGQ9BEijesNM~866`yROrvkosfAHDld$1B)!Fa;?|3cCCNyIc>R3Dw z1PS-EzqWBp0syz4BNnZX8;g$JiiMB~AXTsQDw}rgE0tcvbY{elKN+j_I~$~3ib)o2 zuj!*>b$W5aV(N|y^!sS|63h9Wu5$&5hPiX5)1C1UR)pm}q+qb?+CT)}64SNC552&D zQTC2Onncl-=vQ`^ZFSkUZQHhO+h&(-ySi-Kw(Y9d_r{BvcVEohiTQCdPDVzYJb5C2 z?7jBdYa#tuj~P0-dP!U?nem44yW@G=M81kaywQNTzHyl^10Z(Ch9DJ-u&{?#m9x}hy*o4-nOHRP9_Cz zxs`vHxDm5rp{XeGEQ>Dsc<>sgY%e!(ef1uX>&}N>rZH}lO=IX3$sUc67O$)o`!EL7 zdy1fA7bY%MbCy0pa9`Q4II)2#r0;5_kxW2rK>0{+^F#6_;%EUtX05k>PaUlSJ;i<< zMT{T#r_m&lz|JIFma1Jhfeg{s>b~EeX7t-i^dp;S{k3RwBj?ZWN;ZT2yBpeGYV z_vYc?J?6gDz@id_q9CmEHmNonqhobCEDJFPRy_hYzD|_x>5DsMa7$<1j 
zgLne+MkO$b+D)d*(Qr$=;H{IM+sqdN4NWt-`~_3h`Vrc-W%lmmR_fqNR>qG5&#Jk$ zHb>=4l1gO}RQ#(nKF@Z4J#<>jT_kj>;~Rq_mbH#Rp3ynG=r6Pw$`&0iUFUjg&{h1M z$x!4e%khZMIzR+|{8b|AiR8+kukHY)e4>0^D_*L?oa-2QTkwxdImi3dOxC?E5*IeN+ms3OPAKBP@{06mO*%=+ z4VDuyZ=0VKu?#&yW+oKEtfZRfBmP<3^B1r{*(Vq^0*%WG?PA0snAQSfb!km@Y_T@ z@RE|cq0xQ2>EZq?w3!rcf@5_$#$0sD+*+yZpmdCvOi^sRvQK7=%4ZIkm;!$4YERb{ zQo%ivm7t+DC%K!JZSku*#Mr}*M?N(JGf%gm!P-kPKL zJ|VQjU#kYUUOqO{(G)o4g^-X$&~0LH8kA50`Ru~Qw&L4k8xUAz76FT zA1)N*a|y)uWE7MOWp6_01`pN2JYPutu{8Y+9F)XQTWHibG^vhm0#&9+rhpt#U?X>I9O&Ph8LHAT9azCo|1}fWzcf82v;>j%f!FVqY%% z$w36`_S>-|*E?0@9>HYoNvj1*KIYlFlbJ2(!(wiWQ;!i{=OhYdUG2-1c!&s3?slF) z_C2qWYcDcFvBbb(Rf4{`OaW1^>6Uf-Y6oj&+Sa9qB0D$y>wK{~TxA%iwec>M4i%;K zHUm>zFwFV^=pncgIr8EOTf|@^WytUYR;=F@%Q2~hE31pY3-2Z2VABxo>1&B&nFlL7 zGDWfDq|DuqBM4;j9Ny1qtbDno_jHQK7y)r3KAFqpLDJ5j3+EVXEI-wNi>cNbPZ9+J z)+b%XU5LdDrkkVOG*Z}jgn?x5498fpHC|GSP_oHDca`0K^ogWkks<4`U%%8_ph5C; zqo+ws;XCNJx+D*c#qAQNkIJtTN1>oYP6ftxf zgjEE&w<}T8wMJ?rJ!Ykuy&U=$Vdj7?vQcIX6Aj1oyBjm)RxcHZ0t}ix|7dl%9eMu&R%|W z{M0!FHjVQthFLNr|RDl14dF0r)wv_#%t&+ML0sFPe#|qP`EY9>L|rPdogm`9Gm1&oOWZg~@_WgjxZ3Jog~CTMcXwkw+2xTXkYJLd>si z2UsE*n^}2RnD(>ho2aIIp0%KBERVl^zv2k=RN1i$7VjAjrHWYCS~F^~TGmU#6PH~l zCBR#;z`aM=3EojL3TOWIV#qQl7AeTbbb3~2H2#iVch$gU$~~6i=+r!!DB9HhXMRl=@r4v&M!a_{THlxf6+{>|niHYM!`IMgNpNnjpfzm{z}`W4KLO?mhjian|9E9t$kMsN>B3(OS$bupbXXz*yk;J9fgJu zxtX=%?JQn9m|wN4x@u6#Rzx9}K#Zfs8rz1^kC@p>Y$1P*PWQF3&LzRfl0A**Y(xCK zZ*5}AEVlO!F2ct1{7Z}X4wi`?rd80Q@@5&GQ-PPu3_5?v6=M4Uiny6#t~r`QJ{A{M zCPS1H-Cx`{9$szOwXva{bKa%C8`}Jr##0SmTBf+Ke?ca^BOxA61p@=c~gTIY#Q0MS#g@lagBMB^xZOI0EXcFdh3u$ zcFq`B6D!^QXJXN0;q(dqt`u3vc9q?rdGHf6egxlF&{{V~jz>@DMd5x9hF(z)K6&nyA zL}VpvTKMnE^JNi$r;109u1fRt2DbXd!aS<($7hqS&V?V?F1ub?&@K>)iW*;x;coM^ zkMbz?ui(?arNvG!8}`vsdKI}n-D;}qNq&nxWTRh$KQf&{$~Efr z>E`M+gRdsNWLk2P>W&hAW|}oJs~<_M5A#Bbk6GPvy*?1^Ujg~`cr>HtJ?!L6<8@M! 
z!`&8G)R89=1vy}o-3dHptrFt%z1#w;);~`6lf0={akBY!a2i0;JIf7aTTH+SqqMtx+0%_n8;3A*;H>u+m&{~I;n{6On_;**~ z5$LL)Nwx}I7e%&en}+r8A^#B+D*#e%_d#Xc46oWZI3VrLI`3Ln5A>}e-H?*9)_{&L zkebTf_4VY}KdTn_o1b_A9|-JZyP~+VW3V&RuHlWglRlmoy#>LhZgjzH36$lgb zhQpMfWu?DUCd@YZ1LmQY=qc7xb`aFwnlUqix-qxvd+zSF)p|6vb~iKqk&@L-6xh^e zDxymf3-^F+%Wuwq$DS zAL>Zu#M<&VwA2JOsM#9GGWSCT)J}i1&=z0V1K6En-u!P2-Sze6I;VOv*ga6~C?WN)TzWoIUOr+^Ks!2mF2k_^F_RSBaP7xdqFrCR>3J8@;-nYfp zaXMKI2H(%zoAH!Nbd|rEE{8*vXqcJ8Vb?G9R z0?qa^g#DBJV>2feDM?=B`~!a<0K#P*JZZnm7@Df&o1I8}0f@wE!QYGZyAHHwH`pRj#&O9A z|FiGxB3>>D^i=6!WyvFqG@Ei8@8OinzY+AEiK}!e2}P2j@QOtFf`{mJ|N<2hXMB0Qb&{O$uM%DKNW=Z_1&ihLz2AD-(+ zWhL7w)_eRf;>R8MA%6R*f7bBzo2Su0r-tT@R*+|Ww^;*DC+wYZC=D~5>U&0SB;O6F zviv^r1NyJ^g{mqA3VTQZ01^uT!2JK$7o40OO$=--Y|Z`;)rD?#DW?r~q@D{k{geSo z79<-pEBM05lHab$nkz+yY4}N#y5!;3nixueG{BYpuZN9RYyf_qG1r)EHKhp!(tCif z_ZN#^jBb5a^(-|q2fa6)yG8oAx`GppT)Jw8$04b3p_==>G^z{5bxWvBB88Wa_vg&p z#X%Cj*(G-^hZZK`jr=2A8$936RoiHx@RhIN8axqDxj|pcFp8&x^C7h`>FuI5p-Mz- zFek7_vJ=QU&XFv^dZte7@=%TZX{P)XS#g$J$8w>9YK6{0^AFy*V#*gjkrMjsr>4Xm zJ=RcKZ?~zGA|elec}QY?e1@Uj>LGsPnK`qhV+{+}!5A8yi_PrTR%s$SSTb^c!9$c% zjX?(ngLlk`(GT*!{y*dKqC_V+`x!P29h(pr=7umnN{~tG_CCJlQXE$TIJQ$@(tb$s z429bEj>bSm%v5W_b}>Ko63J9Y4+wL)!llm0Wb+Rm2}@si)ksBXQs3?aMxdJk zxZJ$gMwu8wF$et@dHs0OgVSJUdCA;HP&#-FI$}qvl0NxRjjn?uo}x5Kn2V1Y?i(H8wz9UVR9Jc5o9E@{|rT<@DM4MS4l(!=Ms zA!AN<##^hgSh4CO;Dx>F@m!h5wsANWV2ivw=|lPIPM9Mn#u)+G>`CX)Vho*H)!sp~ zR<(s(QKgi5s_RR(BYhu8oVpRaap?Ymn8t~>F<2qk^d1wVTThn-r8`P;$|^!i)G4OA zBmNHWF@3Spx!L<|ToWVPbq-^Y1rC(gnT2%EY8iRGJ^DN%qr@+pv176vaIH=29%I^; zfDQ}$$f7$-M*%n9=cOzm(=r2bMs{2h;#p44-EOMR7ErAj_~m{h3Rr32y)*M(;QrB1 z1Wl(CKU&EUILmX^MFT|m39zj46*u|7igXa#gjAhp8~c%j9(slEMQ zLgyg(zL1#eHY-_iWzk`$dvFZ={W&nGk0`Q;ZpG}F~b$kJt%V`Qbfc^j(VBIjl zcGO@D-ShB^A`j=^zNnXA8fpa`;oObI_eFVn(-!qfG_&-)#g{>9UxRz4OZd>{li!k& zN;9`*ab#aT%<(5l6dw_xgPltst*!XB`wJT{H)?8kPj9_ygvZ<*s?PvxP9B2S&ANJD z9PoD^w*>2W*p(GuVfGe=xh3#&ki>#m(`KU(fXpsL)Tt8yAfAZ|NYBaKuXI# z;hnSuh^cT$QDjKf&3W!?=Sur~6YC|Z 
zPToYY6ZW0;{H;ov>`eW|e>MA2h434=%D~M)g*;9#`&^7_L3>Dqmv>nIq299-EG&r| z0R>tXC*-IfE`>vQe?XT<%xXBi&FUB&Q)t22KgxghG592eli5xAg7_1s^5HDUp?l^XaGleVFb-AZnE(NGq;|L!>vy0;>mY4A$~Pw8b5SGd9wk zi=l6uQe~a(&pJ_~h-_BKimYz%foi7gwchArJkqjnkf28g`~biHXN1)q#31|m(OE0X zHQ}{?>*;03$uG3COXLg`XlqL@Hd-rdqX^xv*!%B@$vUVO?FH#mF)!)ZxKcWl#EmZo zk{vy%I4w{4V^(D{Ruenz^gqZ}=RFj;U*j)bJxB91EOzu6XCg}EYpRLRlgod-r~?LA zI4~k}oK$-r*pZQ_@_btiLV4K;e!3u@1;Ar5K=dXPfw!MVRg`*SyT5+k57Eo;RWjxe zW(HIRt#(#bme&__j*Jk^rA6kIJQQw!lm~SlaKZ}sZdfTu8dhO_IV)_d-nRG~L8}io z?Obdudr{vtPKa-@QTracKE{Ueyq6TCwIUuXst*0LH>elBS>s_mzN9oiuZ{kI)w2{E zUlGTq6^2K3T?@*@%vDkZ=BXyR998D8{%>N*b{P)ZVCDl=K3JUU;`4u`k zx)rK2>ao$8g$X*z6*&o-1v+sWa&W{B@ZnU`ckR17lX8)vj5m+FJLneZb8ycR&(L#i zz<+E8`roSofI1Ir_5YmwzZc~H?`G^hj0}v-P4x8W{yUz=fBmuopFA%&H~=678vr2x zUoU2CV(4P_zvadJ2OGr29R>gd`T_(1fTH}{Sh2dDwbBY|?@jF=+#e_s2SKDjWXL}L zZv;(I3YZX*B2s;Gsm}fR_ShXMdwc7LZ5X&==QCk8_+lbyaVahN#_~evCM0~;2)d6Z zpR#9@nNg&*1tO75${0IQdZ@eN&J$j~kF{S-iaTDsJwG??C)xijiMHvqX(9UMCNjDn z?a&2(1X9DOKKVZBe)kFyA(dl5WBn+{_y0IY=NbmWf|V50QH(L~9R|-)KyjWk2aSl060b_wWWxxyW%!LP0AKF3 z )OQ%w@Q5`G;;-lqB}-p@|6tXmZ5vX7;$DED4H^mShG&N3@**%qMG8aV;yDRS;| zSlbJq;s0meN-)1Mu}T>EP9D;XLn0NKQFav>QROUdSY>GDbTgirl_!4#Re~owJw4ud z%T+QHv9vVtg@Sw92P^5+ZHMsC%!M^KT&hDRQVfZR8HJR%FW9I)T;;xr;_Vla2UI{) zP}67xvo0<%qq|GhsNpzbuE&N`*3yhIG^-Ty~Gj zq+Z_qB2kR0hq9Ds1NqGTHj3mzql*a>YCC1x8yM%5@~yEZZc7bxZaQ=KXzj34W_j+9 zn1dY6x@t~XjctY~Vg4vXe}_IW=O1o#)qO6-s~oLnDL=;l) z04Co~+bDy^h~auD859|DfK}qOB!ji?0K_)NoK9_J14^zZ$G;*%+qN$~pVqTaxDZ1+ z>7gZbPouf|?L&?yWuk2>$WpanpM@muQkZ;sW;_+4d}W(}J-o&uT&6$f+Haag_kD85|_J;oB>^co(*4o9YkQSba?I(_#ma0~+ zldI|Is>Ma2GX=|bi+>6qwKhD7HqeKez!_?)pff!APc^e0_C!?9N5Ql*r<#EcC7pr` zPs3IhG{x6m{T-eC9U(PUvkAzY%=t#ecD>$oV=N)#H9i`GoVmF%b6 zuc2t%LQ+Hes&*%!c&9#%?Ku&toRZribEyN{a5&>Dwyew-)#`Qw=otP4(|~!RU^IjX zMn>AuA5q*1LAweF_34i+)Of6q4Z8n;0y? 
ze~51dto<^kLcj=;re4W329b7-mp1P4Xi43O7dtXW9%?p%VStizz>TjU8AhT1*TMWj zYW%duK24A65Q<8%-)R<3hc?{34WR}O}d0`a>|bO2OUEi@;7D5dnQ zQQTMJNb;#-C?`eRArr0KW$50qk?KMLr`(%RZ;p+gtTpmDww=7=;E!#O~vu>mA)L*$WAr=s)kDq@YsA5kV{ilz$PiB0M9W{Bd=U24h9sMgQA-17HG z-yH0Ob!E#=s4*E7MJ-9vq-&y|^cxht@+&>Xn|#b;P|rBe3U8}<*whN-+Bh^F2}$SL z->vO(5|EFe&S8j#zzFx|9y~QEeGjKCMSGx%cpjX1BeDZ#!616$-CJVZS$5oLx$@o= zo}F^w3-=3hWzS@b9}T#vJ*L#un(J?zDazFeF}w0C3Gp*;9g5Cra_EC)NO(~aM7uPJ zw_eT=5heM5=l<4Bhm8t{W|e^`!ox0umKZTG1w-cpcX9?5W?Z8c-`zS()37sQdKXN~ z{w{FPVRv``5kDRMHtL|K%)tgPB5ySAGCFxacuGLxGh?@jovhkGl0XfT5-}sJ-6(MI z&q@T|fD^3S|fPw zSMG9PR`@4+yU9%J!>Rf!gq2%!C)esKWHWNN>#`&GU|VmeCuqlx^=sh=zSs3r_*tIb zjl67c=EGH$Jp)Sk-R!p5DJsp0U>5dGqw zhNXr2QjfjPe)oKmJFC=V1)*7aC0lGV^Sk)HZ9T5D?SHb=O4we zhvV^$zr`2A7>`f4#wq|PjGRj6x#h4+XFV1DCVY(sqG7u)+fBX_call|?e)&6OL!%7 zLX38AX&Y^?o2lT+=L$Qlg{`O?6L|g8b{TV;V*u;z{z7s>FVoVa~7B1@^6- z5nWdpBr6_KyxN_>rtjc@*;o zU_oHlv0OOwds=2oQ8060Q5O6$=qZkT4W?d8Jc}eTx{5(n3rZ2fBxG1gep#?l5_lDQ zP)M*Fw`loDMq-Wd>&Q}q#*X#}n2|<|63DBa8SxBFn&{D50EaRMUnploAHM>nsBc$v zkjLG*1q=jGuh4bqou~gJ5%QhC6@C1itJ3;Cc|36$7V+J0Aoq%F0oCZH#aYguMk=zJ z+;q6ZHP&C$n}T`;r13K&B+6(aWrMVhgl zQLvgv6eHB^H7~hEd;U`7J^>0>#VzVi&X_fZ{9X-HnyH7?ILUfcyO67D>wxU(&|mnt z32s4&xa=&9+|q)e=qkk&mp^xNaQGd&+Q;dtB<=RE2XIZ5jsA{DAbA)M@}}fdrimDf zq~Y^*Gf21jVSAZr+!u`2psn>ITMHai(sJ5WgYMX;Hu%Vw`sHE-{4 zXC{42Gjw$;Lqlx5u@*L5y{gSEUw#rMAs`%k{-V5>xKTV2Q}E zbjYPD_DN`~>Vd3Y3LKBhA&MRI3+fkOZUNM{SiXc+@y0L8#PBA6Dy8P%gU3|@}ZU5=!g z+>h2v#6sXNimbxM6AyxD5-DO7v`<6bf3@Uq_@6jWbnRx-y+9+Wc#BkON!=*zkuPJ5GfJIh$PdjAS%2QLoQ zdqZ4SH(eD=HxuhGDle?l71^)_vl+_F$7@jc*vI1!$faTnaX4b{iNtEq+E<7p zij+;EhWyp^nu6u)=K}%Gw4mc~`T8_X?Nc+vU%UiTJ{%CIJm;`EE8=JWg*+Tq@==SfOY=O^XXT7EUvdRCWy;KA<> zYJ8#O7X2mDVM!7cwC^yjeA$`oG(!`AL9?<|Ws7mZPvUchOj>zk`@d99Ubf#+Qa(4~ z4|_NBmF=fVkjE$~s0d8F0#=0Y8I@OvksXR@d;QM7s?3C@8wHSAQTXGkksg!trZJsH zC6kd^#%lEg2g)vghnKYdhO`3fC$=peemiV-caLGJR_I?x1^OtwYBe|x^v2D&8O#_;;mUxL;zm5qbP?(X z#bG+u8MxkbZwJLEd_W@-n zPk?5cSlSe9GO*KiIpHLWJQ}l7!t@j9lZP_p`aD#bWemp~;1?%Z%vVZppK0>Y6$I>V 
zls{GG^Dsr=TC8kC>d=7lTraZkD$jeWETPZ(`BJ959({QY`+~iZZIc?5cDnoXUlTj? zoin#$2mpZjUq<%7N$gA<9qkBM4Dk5)jiS54&J{s-( zKV>M$dljvZat$k$J@P2ViD}TZmB4BN+%XkGU4gr(0cu!#7J+O)U5rbi?jn5)0c;!v zYDitswA+Fo8t&>r zmn)$@Yv-AvUbqI28rkbV5>rnP36I zRvIk(krzr-;1y3%*Bo}jJsU|@d0s@4RI5-z4_q-D;K;I867aO;G^6q-tg_5(dMtV@ z#kjCRXC0(hgH!9aWNkg2ay{@GD@RKhWRw%w3rAf1jLA!RSq*Ys^dzaSOlu}>Bsq5< zjC3uX$P(P_wO|cJ8^R~vE1z?wENzHxLa&4&u0OHO9%PC*tmfrHa~XZ7+6Z%NDsHI6 z2G?l2Gzl#!Do6Ppid2tM;IgZ9*pA1U%XFcOHcwH8?t-zQknHK#8&jfxvpaVyhINuy zG<&QD6tP4b=ei8H)_M+Y*|OC9zK@?>R~cKXtEsM}+-+=GY*~TH)DQKe?uXz8d@2v_ zTCr*x=O8`1uDswP0z+?ocut>O2JE@Ru!pD1VUf=7PPwbdxWNwP#*@;feN{iZ?hhxa z>??i2{buaLIA#bc9AIX)lXDep$*Q`mv>n$f3b_G(ypf3T-xa8nl?0y*M>@wQ2B%)x zwhxj>jdJVE6EAGGN>Rk2G@^(m=wRtI{)8s>58|tEz^!6}y+RRmz`3iD(f@qegVDqT z6Rn>A-UNRb2RZVCoOxnE+IqSgcfw@sx89O6q*RsV(yG}0mfmiZM>!Kt4b;t6YB9Qd z3JzK6q!(QG2OimwPQ?OWbkvL$u};d0aPP&rvjS5E_j_jX7nCvK6h$)PUqz7*1#EL< z#CR0B;epLW#KY^Vn#%d~d^}CQ)tXM<$oQ^#b1U(sm)~5tu)+aTH8bvy1W7YQ`wr1_ z_H4P_wOe9n=`6&sn+(+XOwg;Nt`tH{LhRh%y*8^0eX@~HralG) z9t!3+(aR$hP$AR7LN6&AgVWQ z+2)0@cZYb4cjVgNPWKj(G025)il-?UE_|wr$V?7ecGcg_0spva#Yg?Z@ves$IL$_0 zfIiEcs8>&?e=_v7ooFpb4nOXK+%Sf&g^T2I*i zxbQpbHefpV`W;yYU)vBEB}j=&T2KB6v`C1eADI&lulvQzM>BW`&YLZj4m0vHxTb}N zhrtW7N~Ru9YhkKxUm?t`0lQo0e+?81rtW;+{{DKDnBEmu?!bw@Og3coaVJ+1zb8ZD zvp-RoMJ^atR)acZD*1)nFu!w;6P#IP=yEH-%s&_boU&FhTiZv-gfp%1q|KkNJ65Cc z9I4K1>_x`K+cfH9P@R=CTM~m4Szzgkivuaf@WACC!U_oqvd_ay+-P$lvTtwBD#Vxi zE5y1+ZmJf?aIwTT{sz8nY1pCwj8?STa=rw5QbTk2L!$Koea|QN%-$8IE57H53&%Co ztZGws*eylIrPZEm?@Q-P{f%ii`J(($ci7UD^;F=&sjT3^nAAOZS1nr}4}f;1)|iVx z#yGH`njOO;(**V92qCX;JOAx`2rI-%crHuotl(nii-In3^9m*S4gz#mszm2A_cnr$ zC&vO`k_jS`<9%Y`a-H{{)V=atxzgi(l=sZKnY5$yb-420Ui;|uVt1|MQ`PH`*ISSO zV@x#a6T{;*7#rGfDJZRKFClZp0Wn*p+QBZLD^%1DGl2OzU}8*rQs8Eh=@+y2*_iMa zw3fz@Fx7V%hHjA&8>PZ2+0mrFpbd=2w&SS5oax%HE^D)y7?DaSWJ0_Q@S0{zY+t0-h zky%j@gj`#3>%bt{Q--^LMUMN$zoa6(4cY$lOt>98Kes^YjYaz6=NH~u=_8I$<&;B`&Ni&K06lVt9feEFxh%g^Ku0Y6T0db7R= znJDlM_rHb#gQIM{BbS8oIUJK{x3jv zeDJsuTqFP>K=r>c9{zI`BRkuFoCgC7Tj&1+!SyZcjqHp 
zo34$3>6!`HFO6ANoSArn1$7S*agMsZl)>qlH!Q(y&Jp+Fjfk*igLs5a*W1DUbN^N3 zPxgnEWGEE;3E(}loX#%;BKad08>|-SnZ`|neAS;i(U<~!=1(PNcDe$c20fi)$Uxx< zwfFTxaKvGIEg)M2>DBQWQF=<~9GMMTr$rhPj_387fl(*P?GuF9?3c$upj ztc1JtFmB8^o4!wtKRBCvfnd?%W`8fH)pdQv(*D}^A$6*Cz^#y!23PM%y^O$6q5-1( zthMx#lw(J3X^Mcb<35hH3s#sSoR3Vch>rYu_qGSdL{J!m)Om>wl2LA9rCk%!Nh{em zCu&IVI@tLG3fL#W*50(caUyxdEm9LtlLu|X(WR0UY1JppJLxrTFPLWSjR&t#Pw_7|{b> zH-`^^-~V~{@@fJSAn&DjVad0rXAt2lsd@#>Kk~&)6{PVX;bD-su$arLNtP?k_F0H% zWUU+nzL=16AYs+C^+SXM+2&HmH|8aEMyN#nL7iM39ScO$M}?NbJVN&yu~2*)P$Sh? zFj|QBRp1aGuEO1Qf(*EbbkW24BY^vQK)4_}$wEGkhiDW%vkT{N;`;T}aa4{vEPgxj z?a1rVL-p-SVLmZOe(Ky}ZSpIrm3o3>aSZ#9RhJo@U|BOj7WUW?j83Vp$!C&SH;5uh zQelZAWCR6B82Xkrt;Zd2PMPLfjrR#P)v&t|b4+P#SEr5(#hR8p9zI}=5`_PK-$y*Xz>5Lso zNuti4UK;X>*cEF_@*=fXetti&`%}S)n(!50 zsfFsU-TH6?pyAc&4&}{O#TX=`9C+Mpajb3opIvjO|yEZu} z$A{;vssG;RqWlvh@E768W_xP2!j59isrf-NaNUXb5DO zDs$1oUT8>ZfPZ+36E|bJn=O>K1|Dj-4v}iRVxgLj$~JQ=fnMOF>x5d6bzl`*>)D%H zFLwZ3JP@F-mhpr`2Cw6H#4xj4a4Nb|dXH^WBZyi+*+Z*k4gP`uKq6E%&w$3;%!L>> zcX@j%Clco9>+t;iVHc_vBA^%O_6Gfp`(=TRzCg5@!tPMWb)HoFPVc890K$jsgR)S? 
z{3S8GU7I_o)hz4qSTOA1a!*AmZWUfAWr7yF29*92j7B5ZTXL(0^!xJ=5Q3G)5&VYx zh2zWl!D)kXL0PjkX@G0Igs>cI$r8YH{z262%OKcN1c*_>Sf+;lYBrcB!5N&lVE>>i zY>TlypPsAW8)FPU&cDHYBAfpmDJzONNFs|Rc;*(53|je5o|=ft+F}>1SLy&2%~R&} zbb$Ew%2J|M;7Ru65+8Q{n~bU8_q?L?H_{pByCt@k2GxU@{#$HjmEziXz7J+?0M=hs zb$YC;k@aTLqLDaOB?et~-KgQE|$ z=dyMRemuof1&5E;T9;nUj9EhhL&=}U!pw%EX4j#9+3bxj=)K{~+@&he)P!jerAP2X z%w0{HDtw>-UJ)UF|0@IhPjt4=<}*2>y|;*srRd)uf&@Atx;TQ;|vVadK(^a z|F4C$V3R`Q&d5`Wik4bFwzg60(%(_7_LT+I8hXQV%KVlWDSb{#_UaO|GQ8NY3rjbt z^5IYDE&=YzYZM-4H(?sDPU9=^vtW~KWXLCZFbWFHwmu{rd#5>)<))>?5JUNEL8DSJ zP+qx#N-h1c0X&p2&vVR^8fDz+PC(A<8sjg00c`^*Yn-kqE?-!V)on* z=)*L8G-_kFIwzM8&RC8 z7~xnyNjy;>Q`Xc8;kE8PQ?{=&GgW@w^VvHu#Q0?)OCJiW(M1p215KDO%j2A6|MAV& z@oh!IS#mz9K^U#&>tb+qxd6d&y0*zSM0tx2m5gaDzPd(&YogSURzUuk`k3P~)LKD% z6R%=ZwaaR%m+=8I(j&S&J>ORej8O;s1&G})L5yK?wl{aek~_;*Nys%-M|C1gl=@}8 ze>>8+cf{hGvzuG3ANeQ_+OqPJ63(1$X1kpGsqA!%a{ri0SIBWHbelY%Oe~^NaVU;VQkg^gNw;MhhhrP^*O0tjsItWej?c#N@??^O zVa+Zl@q_%^-xX{%Qv2)SSKtQwMEskok+REqP;}KX3}d;~RkkrWx8|Gv4`v(o?ca-j z0UpJ2$6l4LXwX4)sWXx~ILECtAp%DrsNtdgK76PEF5p^Y8~b?^%abDS)VVRCdNLA) z69VolS`i=ldIV2|wZ(udPz0MTDNUpB(>B}EK12lNv1P+@Dfj%6On>CRGqC#Dn+m}ubpXrUnThK(902yV>amSnW)V+O;%rG5FiS_TU2B@Cvt_BC{XCp)Z zB=Bgw_AqZ!xm40$7{OiX`oyGHd{fm26(MO-jb+_r+#i&!S~-5P2x1{KDYUYxtT>3S)42aYR%;u z-cl^lfO|XG!Di7>NV9yUbLz;x(O9OPi4W_#QNooqGIF*yS3J*j*wIVTa{0!z_|m~) z{|4YPYpy9b09I?Zkay#C%P{8`Eh^T!lxI?tin~*ceOAX;fT5ADhPbM}(EWP99Cd7b zDF z5Z+3;h90TG{{Tn;O0E!rB0W*pbMzCN6!IF$MZ{S_@2H7g;#kCPgmMS*01X;tEx0_& zuoZ7}7YnULq-kWd)wAPA@Y6`h%d*S;6QD5CYjw51P>%{zJ3aWi*>GdEs8N$V9EvZT z(X_QQV(6uIm0}(4i!hY-t}&&&D>pNAJyYQ5!{4I5?7iQy*)iKXv9zJ+D{AZmM<08r z-Zxa#rFsYO_lP%TH}9c%%N^(UV~Dw!9iV{h3wyG31&dwnYnE&8kqgl+0tl&X9{eLNIPS7%YY3v5S7t0C61y?BZo_pH+e+D?w#dy`oXG6(eEr z!ARIu`P}ORNJdM)XW+GbgR_e*&yn3Au4BHLdW4Bdfcs5*u%w-Gy z5G&ccgBgGLWZhbK^42kT$2(@Gfs*`BpFiVa`;pI^=vH z!ye3I{C(tW!`u)%>A)33)GeyJmN;1tIC_v=gRB@SO?hTrT+KY^LCF&30@^RNYOc^N zdS5+DuL9+;`11k|*+qk#6BsB2|xL988PN3?5B0X7y#G% zt%|4FdUVR%myGuK{>#nI>EcdDFJz5HX820W-tA!@4Q_U8YL15b^0=*ya0tS=vwH7( 
zZh4P}ch)j@B`}{QdConxP;vg|6GaS6kw>)B3@mnqXSyCy`~x!~#hIjOe7+m9Y7GeT zQlRhp)CkBZAnSPZH9pkf3(;w#pY_lUeC6Sa4f&}J&&vxkmX9;{xOx-*B1+|-T3=mH zT-!aUunGyKw&c?>66cjWXy4Hxn>n}8E;|Z1(u@nF43a4-1pY-U9$aFYGZ2s=kdccI-_5@Q`7r#*}6ho#U)di9*>RC*lSKj*MBh zO0z{c!M%WttS)d*p%es$1+Qki#jE96zyu2cWvyBn=Y!J$suasTwBqLVyv(ajmnT&= zcm3S9k6h!G|ND14rLj$27|m=!?SZT2&JyU5w<`b$v@KI z6E5{VAH9fN*>j|FWqw$mYU(E5{jPaP$F@8IAEh6$jXw+DBR-LOzH2)bgk=&uln*T} zZ`p=fGjggjG^MD~M5}cF4`c5bBTCe5i?(gs?%r+Nw!3%Rwr$(CZQHhO+wQy1y~)cv z-%IX!KdO@YRV$UsTx*Uo<`}V;a1N-oBLoA6gze6X>zJ2ZC!h0hQ=<3e z4aQjaE+tiByhz^0Vwo%Q&cEGQjTApmEmfRi9q$tf-Y@tJ#+yb;CvjpVN^V2z`De;L z)<-TpaA*$98S!7mF=Nr+rUtuiHp&b{GAN91IaOMRQnP!uQzm-#fGs6oFs+2rWNnxi z3LqMPQ;a3shUXDL8ZP;J4(8UNo`q*mN%HU~aI?+_+4Qnk-N2}M?~ZqR|6{@?uGq_M z;2*#T{7-?2@*k+x{~`JQ?*i3-MrKkV3^2jB->ClWR{<@DeyIY&8ZUKw{ef=q+fz+* zti|CpkGIt^;Eob*?)bN`CVsI9pebn(A2n+zZvGwlN#F=NPa)A&m>rKp&X)GDP~g5n z<~aDbrS@32dkL&TjUx>%PvI|z#?u&y&sn)#pJ+U&`IrF~$?NSr{j39(U>yzU*y{@R zkjcW@8-Uo%r8zy!GrrX{%_Fb|HCvNCwzb+^zv3epx$+>q4Bqqql8Xn`pI+VHOu1*k zK9+7+cKFSDpPFO-o|w(XpYz8T_v+So=l}jI^ksx9{OXi z+57YVN|pR6!%aeEdVs}fZrn{DVdo^Dgs-S#-o>Y(X++)9(*5;vcJy}ihU^WG=ogzj z&e7U6_&)sZ(bF1Ar`n0Xz2z1%r}qzRE|y@;Dej#NaHS<*bGkW?ZQ&KUUPrNQ0sjbEkZ6; z$m9WL$@v-O0{ff~Sh;ue==}v|rBV>ybq#)CikN0qm8WMcaUR_rI%9v`Ra5wiC@w*y zi}Pm_3Oqx|XDX*Q3!0s2s+cCuxkF9ihkHv?@yM#fm#D z6kfWA!CrXL&Py)?)l31~*K=9>r)9}ZenX6097sX~7Q!9bm4l=F;dGb; ztw%c1y7UdeM+kBk{>e1^Fa|d`)%LoyQZ_#yCyPwrky*iW<>3i|F##kn59?Y%D&wDU z@f8Y{&yw)fINK5JjB0@st+ubd~AlBzx#mWeZL*6QYPRb*tojA#Y6^ z4(s$qN22SBdT9&%{F8jz>B9g?G^>OVBKmbN<>Bjew_XT6pz3osu|&X$5$>jdfV861 zSSy3}&!q}%+DgY@1Fs#UjD0B!XrW~Q*!cB752QQfExis?9-Gt^Dw2-UY|Hwze>_Pt z3_J4>`I=98cCX9Hn`=mMu$;QL6SiyEpes{(8*@Tp6U!kOSJ|;wZK7+hJ|TsGy0*rNyH9+a(WFxv2)>*IeFXQaZp8|gERpDCQ+IEu_;ipEo zpM{=;t);3>n+@Z6g~+@E;1U|GwNDd-mN?t0C7~={85w)n=QE~=L@Fh_M5N9;-A|p) zwQDuhbrgpk+^EGUVTcAW;57?M#7+7EHF+H|o?BH-+3yyI;FMujE#OZ|gqwbDRN&s| zK05|DutQ1}g?ov5OJ8wpKQFgNQ4*=o*rKl8^({@1^gs|z^2D(ba|4zaAhV)Wm>Y%n zh*(@SQU!m7f&u!QR5Dpvb}@(8A`uByO2FYzKxuM1DPquGfyCW1RcHhj?YU1uL1cFm 
zkzp>bDQ~F+V{Rg)`)yCh7eqcMASP4_HSHFleXbB#0GSo+JPhno?#@)q^kMK}*O9Hc zB0$Z`!q>y{_(txe+Nk|NkfcP*v)cyvZ+qT*Lhz}iUe+ga=pIY1AxN~dHd-$UXULd$=YLn8A+lKy7(%EHq% z%``){G%59L6_uI=X-?1KZhgxkEEr%=(YRkyu3Wo#Ip?S}2|WSd^YnwyIi!0sG1^)N z)d-WJfpjsDfFPcLIMNIsYC8+^HfN+uW;*~2lTocMxK8OcXeaL^_a%+!dWbuy@)&Z9 zo@7B&=*wZk#N&aY;22Z&VGI0|vu^c|k_+s7C3{L< z7t}+KW+Tms@xZh5?GDdi7`Cb-Qc8T2G6)8Q0YEgtQ~Z3n8gAU!2|l`FJ%!@f944SI zsx<$SUL#j>l<3gaj8}0A_hY+y93ti?{2iNq>f2vT@sObmvsWuph-N}=jgcj<8wv3P z0rOiFYB5ozw2SBi)~|(B6XCs-9GP)4s5fMRf-cpFb=)tHysV3)?2GgvwqEF z(uiRi|0$(Q-gMbzj7T#p;WC?ss_u+xhuyh#!%O8e3-gVe}BP1n;OwhTWkC~VY1=9DqS zy{t+*!?J%)NkzBKZ-`fI3%%@sC%$V7ym$%9xBSI_vFEzwM)a_kJNFd`iIcHV#RL$x zw4vzCg^lbvXh!`vO&Tt%>lw{R2W;l9^9y#$Frs)_^(U7zluM50i~g=&oh)y<8j3W# z+9o_d>S#m@&V_p|SsXqCtJ?4k`=gVg3CUQI&239mayAbbO6SZW*tG@+Y%a+uDS1AZWTX`ST`!U;lmZ+rFS}Xn=w8X@ zls;O~sxx1?2GeRj-h7%BZS;`=l_g=Pa{X{_G#0aXu#VQyZ6uAu9)TDR#{*60phV<; zx8_(%D9-Mzge+8iT+gb*vfsudrOyl-S5FRqv!PctuouH*m{uCdfjxR9ie`kDF$0j0 z+v^a0{@V=T&MIVO>b7!Opbw>dK)=bLtxa0alT?yLb$c2q`Xicr|owv!Ey&3rQmu%e_=mm#;?P+$~^aAa* z*R{l^vip+z8f8DFnLF=dU_;<_3;d75~ z{Q6Dy_s;|Tf8Rqo5W*ET|BXw1^8o;0{Kv`CM&H`l=)XAL|7jcfyY0BiisZYh>n}xC z7&{S_X|Bs`Us7}V3X_~EMFHrS?oct#Ks4nt?Nk>@XKHA)tw`aPQXUU=(s|tGBmgFX z(7nF*_jxDs8~xMJA)(sPfkxd2xQed)V?Q%fWU7IJ60O$n6;{e@<~(RBSp8xA@zf%u ztjM0~g!vB=Ui|^bbgpTAo)-5kiV!n;B#en^q%mN@J=#3r1*SwjaloEML7 zl1L76FkgACUtwehWdgYzZVsSiC`ktrfX)RP(ukm`h=d^$N(b5r6`+B{!NPL2&(?^>qR9k@3}`q2oT>4hkM9D1ji21~@9VN&@3P1N6< z_c2{WV?nY>XBN_`<8Fp)%W}CQ1@&iPWFf;#Avl$k_+KU+4ixoI=Pdh*URGM;o>XAU z?D+GfV`=G9VA;lXby>ca61+qM3CE@Le#$B*^~ivyc_%6v=e!{s7zqY=nmUAAecC@I zgd@01$prkG-)3~c-{N$G2@7s&Q4xSEKTJM%Rac3o!U>`ls_%w8&vm8%Ytpc)O0rkg zYeBz2cgZ73(M!T`zOzU&RTEiHy1a)QX@=9ox)SeM=}kyQhtj2*?u+MbgadP`kl*WT z&3^pqoF4Isp)mG&Vb*zBHvmtq0Pmqrnfc`cvh-WGQrs)1UpdcBeUU&|M z;r@ZZ_-1F4L}_`@#Bfr#tcWK_XEj-M018zq2sl>gN14WuH#!l`{z4gO6wt-dojYmU z7z0;y_=Ow3+YmRj-jY4hiGL{+6*15C1GO8Y0LuhGjdOPzn>_S0_IW9*Ak>YGYGpCf za+$}Rpp0W^7^cLFdN1GG_Y1TXfNxf@JM%UvNBnCmlUp2s7Cln>AwuR1Oj6Ok76%G) 
zNY&Mxr0smQ87lh4I#JLlrG#Cz`^W!iJJud3K>N?b+qV>CE@L1mLUJ)6eT`Dd77LX; zkT=%6LcPDy>hQxJ9aQ8~0O1xp-EvYVY>tCeXlof{Pf@8INQ@Wd!p@w}QfH96jQi#K z^xl5etW2gd>ocW{;jo@_prBEtOT&%5-}m}(^YU<#^>P}$?bn6Z;rY*w@2{Q~fRM)W zRA5rKuO$YBL}Yb$vU70pcpWB=vNe6&A3YtseIDYExsKMt`+7MF^lZ46@j2Hlp+t6s z)w71MnRcUoddSGDVd#So=F^qn6MsAl-X6n&`18`>ygLZk5^VT3!~Y4GHb9l2%z#KS z+Vnk((a8wb(noda(KFbwO;87ts_;d5?7B^A^G{fQaCyF zs@It^BUvR@&0Cxn;`SImPErM=4^uOJgmr%e0Gitj#hYBcz(6gyvz=Ntxla5%36hWn*VJ9`Z(v(ESZDtT6tpi$h%&3gUa`Tf)ZM#H0LP*&D-FG7o+Ru176k&P*K#?{z8y zTiz-h|0_5-kXtWBtq#^rR54c^XOWrb=F^2;(8%?m$`kZf`J?5kxu%b3_AUY#trJ}t z;LcW6Q0`7&>EuWtB13oR!4^nT&XE9vWXTo^mlmjyIj_~{j%Y}*r}e9 zifQ{UGpOv5V}YV5{A^h3e`2lvR&4&7W^a~GBKTzE4e>4wxt3;pWTIQdn+<@uA41#|A<60yq0-!Hm>QV?bB`do8cU+P-YO02tD z#8_xjHpDS~gLyk;V4z!HXkBO3yd1kWSR)IURibK##VS6*V5ab#KY2+T49g{b>_P}@ zJL6o~E3#SA`fXI`K_qPo&{64v^==wy!4zKQgTg9~-3>pyG7P;?B6Bo$S zeZ8Lt(76F#K7YBxPt}%G*TyV4$=*lEy7@-EmWvG+HI#N+PM$4)Lwg0y$9z6jp?|Cj zG$r9BG^SLU_u+a&YbYvwf>FR!VHO9b;RWS30e~;lJv3vIBkT0tpd9X0pI-4a_*Up7 z#0v@z@|kutl%9Iz)XfF~$c1VG-gRo|;H|MlY%+ zSmBkPy-F5%T#SsLlq9?{O7Zl>1U|FVMO zdqlw6Bq!GE#w=xrN0iyp8(c|fMXeO+o}n3>UPbd8nW-Pucow@d$W_HNOWHMmBihG=fMsnVL$q zJcgHk(DrG-kHaj$;tZN_O;=h@wFJ~W?RjZP{QSHkO;c5l zv8e5zR9D)zqK&Q^#SyaEJ(H?j6^cLWq*eqU(R~nw@>`qjv39IFWwCWvXqs@eY}65d z8yaw&2mSQvt57f8)Z$40^q)X``q<|5Dt_4B%Ct}e+yP5ZAmb7K>{)-IYb%V|`Z-^I zeu9+rHKvUy1Jj6f7T9YOH_Y;+>Q5qPE0M9eKjNub->dDb$n@Bh6*NKVWDBn zX=4{a^a+?$u>i*SSMbZtf6-kk_`>}Sma)1fX9*vOn!+ZPIOogNZd#v|!Q~%8LzrN3 z>!Kh)+Z-oq!yO105`8(f`6#=2)3YrLrLrm4SPNFxl6;jKcb>W@jY*30N8aaP0A@I{ zkLdc1Ji=ax*EkAehbluYomjt?RnZ(^YB|VH%xT@GI@)9|vr$>N+dApa^inRa0731e zq26?rxVh&kx$j%$j8&7v#czoJRbF*$^nlOEY}q@`m;qE@TzcA8b6AjkF+4sS$q6s%!H*K5=)-0r6ZPcz7B1G55DKp!rde^49xu#=oxu#-i8Qac)S#Bicbz>`fW?ABvJ9_u(vzr9Xg~&LLXYLPKn+Q9LqdN+U61qYpic*}Btd zOVHvITU`m(@EUz})bYFHt%cJK2J zfQpjKx3%_0aPf{<6A$Sl;5Xaew&2H8_b`icJ6N53h~WAb}7=d_ZQEWcfUQGh^pg=dc8o`cux{#h;Iaz zE0$kfUu!_;=NVO%I86~_GWLiicBfHLE$djJ2Pv^c&U0oK<7g+gTQQRb%tFC$v!ez; z`w}U;OGavl*r?7JLv~s-g8?Ir1_E~ZRi1QOiGoJbCiSsrSexY>1``#gsS2esmqhG% 
z0*iq!hr(M)x3g{gT`XVaa#xe=LL|s~|HV%;Vv+ieY%I);NwM${LZ%Ye8t)lZFN^z` zv-QpLd`zv4-7dWpJ;eRxKZr7z;snqCTob<-yfG}C4>KSl&59~QB2g?=D%dTng90Y@ z3IU#gYw{Rb&CbqN8p0q9rXxqc9SEc&D5T6r+yk*p{mZ~H!H}R2;VWYfl>QP$+ULB4t0guLLzF}CP@yeqP_<`Zl>E<1LohKc zmO)I{C9lnC|5x^ri+040$fn9})H5A0u~Fw7p#&FIZ;s`6(-H2{4a(O_QIcqy+Tjra zCEWacxcLZ0DYQBwmPC|_M3@lp(5u}|JJGRfL8StT8C7{fxHaCxroL00Mh1x~+x?V5 ze6ZEQJx=euzfSy0{*{?=&;s=jA8d?XxH3t2T|esNCo)C`4m``JJo=WNv_xl7wahGT zq#=ev7)<*p9Iq8Kx-ucBc~4ReJH8H9y1x0{6jhZ-_FWNE339?PR8+5~Bf;O5h$&Ic zO%ch$<&wD24*7b=;L_vbD`JjdVb3V?-HQMw=wy>83J^KZa)eHV%(^f$Ci?pZ8&AI8}hfL6nuK)LAuwvgOBKQ z*U204IP@5KFZ~2@%sEXSKPMoPN6&!Y8=#r8Q}gaSpxL1j&Li!?qyZJuBzb>=fR)nn zgBLMip#|F(D0H593(Bd+?j~sH$2FcHMeJ)A?+=p0SN!<&NOE{rjMMVW0apIRk=+b$I_t^sXoS9VA>Bdzv|T zAd(f``51_-J29()xf!8st+X0pwQy#%EETpM$H!;`(CC)K+O>uLnql{I`>!-1mciVz zZun)!S@2j*V^AoqScTwoNCi}yQ3ZUaoJYQP@L&wDRyXsg+gCp8jR|LfGMZK6^6XUe z6}1vfa?4B^{Ppp#j7x2*iev3M{!&WGfS1DgU0ps~_o&0#Ho4PYe*1P-AJDrbCpGMT z87@|*C=3vkTnorv4V0rKzM8e9W~_p(xjShX=~n!0Zj>MWrk26`bZ?K$$nkkw&f!I0 zePCt6NZTB=UDH_EA^Q^9)II=rd42Y{@8Fre+rNKtIn1#P{%z!~p|;-~^fiKSJ$i%h zY%85J-)jEd4^X_rIEJu*s{`76em;cmmNQIH?si|LD%b4OC{ca#)4ZOkZZNsx#Jo@H zS$kEz83=+br$1cc)-xjhgy1Dzz+2fOMNmDVCfn^eq^LcB`bBevU$Q#h9_%DyU?zP2(l4Up~(T4ce(62S(HY z{9ef|W{6CSc&uPzF9rIJ@h#oBeV}N9wRvMfXDYbT(8q?0srIejs0Zqpn=%R=3#%`g z#Lp^@m|i=*pf?mG={V_-w$jXp1qQx|#fLZysgNQ@R-T*1rM2zf1$mprgM4eQMQoX~ z1^Br6p*l-H%04_So#h121nPa8peUQy1H9R|!WrXR8~#Ao_#0pokOv+cl6TCO{CAHH z(CancO0xO3sCCX3=%X~Y&bNg< z^cNZ2s47n=#$K#1{n_vTo}c+I(Ick^nVv4D5*k> zkI|@#Pfkgw04%tdkCzV*hl?abk-kH}MxElYugkwmVZ@m@!^hSp(iPELLv*{JW@1 zU`JpTA?Eggnl@9!N*G|JL0u^-g>S5E^s?l3?mj;*F77_=yuq6V`gQbLR^w0TPnoZq z3HLOjLU?nrW7+!Ci0n$1K2_Bl+X`&Lk!dr z>>(Upc-txzH8(#|wS~lKG$_NvP81dDab@ zTZ7xM+<`LP_ZIh~xsk`u2cSX31$MB9K*`Vwz~gF`ON8H# z$x~z78v7OXselxe!;9auRl=7Q#f2zUa2hGAEP*$~kB^nx1cHf*Po9&FmBoz&xo9V1 zoAM%3r0*(PWL){Bcl)x)r^!(Yp2yToK;#0S%+FnAyOd8Z`IoD?i0H#EO1${j)){zRRx7Z zeiCCNv025lZYJ_Y3MujkX>=xB45cX0x3*Q76C>!HWZR7${+X*moE24i^FUM(!rUsr 
zk}Cn`@1!MeE97OSE~GfQKgz{pK6j=5>TFSj;h9^iEy`1EnmLuC5;Af1@H#5t!~QJ$ z2-AT$2asy7g_QXtRR4-O+c|Bd$Hfu$DZbhAo%llaw4KuzbJO^x`)s(ZW_H7Rn9rsb zo{H>2Hb)&{#CN`ZJv?m(Y(E9cX3xE%ZdG!lBiG5rqpOH=4ZTYX4SBd`P=;m$;w0v^ zh`HWweqA5{Q*9oaKDgTb#$5jkyM5!ec1tZ1PPO8{;;CZ=tvuzfN zf{+|vPV*AbMp*1Svl4>bvNpc+0hp<_!Fl9Q%BJ44up~qtDq^LJ)&U#KA;F9<4>KjRV`7xiA$o05f&IOC(L8#$F1k_3>FWt4t^{2EpZ zkDIqsSI{r0AmZcoxCL^Ch-?3jz}e~lb@P7OQ?PSLM(Jly9|HX1ihf`m8|in#Lp^tq zH#&R}N*etJkIg%pwBnpioUCMo2;J5*wY=P%&aTd`*0Ezx7wZ>DFG`hv)|mQvdpved zlKvRH`rugd&W1T`3UdvtY{)|El*_3@`*6pJo~U$7f{pY^;0a$OPb`ayd>9W>InzyE zMKByy zGei#3B*IRy*DwQ}cxOh-1y?}y}#C zz>j@hobPPo#_I)`s+W8Y{-(NzH`P{MtQxi4=cB7_2OkC_*k<-Y$N@owA2 zOAghM=W}7f;CY7@J_6#R{uj?TS#Q^pd)Z7b0V&O_kUwV%NdhPkrFZq&zt7%A;6xke zX08gBIxds-Lb6=`yeGt%4id}XoCb@q(P_^8#HMnd@+0+b>VK7jKBtpVY^|_2O{ED< ze*q5V1bIg`Baje^$ch|=T7m3m#h!KCr`*U0ObRzlmdL?a#!zP^JrR^=2b9=AtWW)= zjgD3CtDJ1Jvu@zSGp08ISs(#4pn&j`7pyl!fq`UO2(m++CG87^@{giaszf!1yEC4p zcr=M263eB!QVj0tmr0PpKm-gGURDD9l?C&BL7 z-3I-RO?cpM8CC{q{zaMy)SVaeZx~d&9xY#`!wl zv%Zs}myCGLG)#jZxVC{G(L>e^%Dfx==boqxIplyG0@?;{M7MPg_PfGB@Nwa$T)q4v zt52WxT%nsEth5$SppVo?8-%+9`F4E;R$Gt{Z|vHkIc~Fzxf0J~9G4{8Y2cIRi+>H4 zrxt*a77W%RHUaGexxFGnHgV{XQYt`F!91rdcx;YTXif?Too6%%vP@Vu`XGt?(Nln* z&j*3$p3b5$pTdTH(0lir8n!M+NwL=zM%L}u`;%ifYErFJ=iE6AIR@$4nq-zIt}+c8 zH`hWHC$6##l)0Lemt;h?%Y2ODt<(!#j@F8=`t38EtWLdbmRB3?Sk2l5Is&R&fQ}9?!133s30J7 z4Xv*3!2xPN)4KFxmr%@*e3{Gi_m0oa9aVD&E(@T@Z@JI-J)!OUVxSt88E`ao<9ea( zn-AUQx(||{_lRs*g^@OO=ysh6J)n}`>t_p)0qf7Cn=Th-Eh;BIf)Ln z9Z(#6`{lZk#1X63STis=fP4I83hv6N?2)EFvY*$OOe1`WVi1@~qSY-##cDuE1yzga zcTG(5@{HgdPDVr zH7FOV@QQOf5vq!%Slu{H)6q&oIYP@jY*Fs25lOHIKjCeK5dwgN-PRD%S-HLJ<)UY7OVl-3A6`i zT~s#I|4hGHO(<&y=nHV;U>s%SqZ893l@A%GMJfMgO{hE%mEHm z0bZ;i?q{tDt~dyas_ot;0QVbEF>|;8ngsXTg9lI~lOG3{fd3^q%Z>=2vz5laxnRgm z`lZYroi12v=1JougT7Jr^D<@m!~FOTJAyj_h5T&wJ&bSQ@p*C56+YqPZgoaJ5~ekC zyig)z2Y2=#767-@WZCf_3Vjw`58j-=XsiNlu>8yAqW-JcOwoR~QB-$+RT2m!ftxEv zPY5?JzyP(@V#+8^Cc#l_*ApeRysAWelu;OD>w7OFH2B=L^Pp+#?mh5V=MuM8&TbUi 
zmwEHfBa&=wv(2w2RO`2@>$teDXu1S_^dC3-68j{$?pe7tzL^Wx#CXe8IraKkyNl~~ z51i+znJVkxtPOSdG`lON$6VtYGc*&wR{TlS8uM1Qp|x#8 zE)K9F>74zops^Q&KMrvDKAY^%q;<^#T`_=v^$>wSzmprig8>~XtqwsMC~C?OI}Ap^ zjM1hd(mud8P%#_3A_8F#+M*+%+p{~domyI3T3h#iab*Gbo2{#QlL9i!f4ZDFM#&quz=8INW&Y3$>-LSAog7)DHpE?Vz{&HfM$9 z8W27AV-#FulPiQw4CFZ>Y1pINqUtw|&^bcA14ZJBLuH-rCfYROhmcF;dt>a=Ful)f z<7YiL=4QBy-&)7YjX0xqi;R0O3N#kzUB0Ci1I32r(NSL?DR$Q^m+l3fa41boc4+n+ z?7x@`P}=-5zO|3$30Jb##qK@ef>RTaS;yBwWidw9Ffb#0NQOr=ZuLeLt^&)Yyyjq7 z5EoinY<)ftH2wQ)!?67qahV5ub<(ro;&EBt`=;+Hr|iQ^q=I*~?1O?m>85UCdyr<% zJSTabK9k0Y%R_#-Tp<9|=Z{3fnUXhxl8<)UefGp)fC=+~7=`QUAQeLfnb7$2ViI{1g!pBFF zoG6+jb#v%y?h#{Q?uUj*3WNk*6-RbHC?fSbZEfI1m_VzD&@`rf9!(spTA4k?uBe^O zucB)*Gmo%xtr^4vl8_tzR*X~2;uu6}@7*>_bxZN{QofWM0d2o;ezyQ&at!vs%b=C5 z70lX-uPY7M(+d$_XEtR8r9;C^7o-KnQivhMpo~STL93J$yiW^;%lZxI(FoK^u7d_3 zEP`WNW;-s+%2UM*9Bg92ChN6ZDu(t*R{Z37O%#SIhtwfzs+hHgt*W=X{lVU$;wN5u zpoO3Kj_ij~8CHCR>R}f|-cUnBOA#}}9;Lp6qIRnG6pU-0x%)`rF!2zu3GZXtcZ|tTipUL9^k49}*9| zsxHA<#Cq;QLE3t9Pu+T-T%%8Yp?bt`CGKr?bZM=RZS**V+NzQvR|6RSps{!nkB(|b zH8=44honOraPoF9D-HF}?-9V)7bh7_t4$kl9^)4o>xKE#IBZnF9ra)a>i!#AiYS;b z4m~G79~4vgl$wCXn5j{??S>Jv-V*&UXg9MqwKO1YNWfF}v*YAYuH;}F0M(@XKO_PY zzRQXTd+5@?@^W0lO;OTY!3ZGxneVb{(bI(3fjfNHvYGQUxy*-$He&k}&8 z5ebRWLDPZX$EvY+3_R#hm6;kp5XfB=EhiR~erg*m3h+pFhcy$b=hSYWvrnN5DN4qydJ? zk|Rc^VbM{_Tw4EaLNjcDfWBzsv1Xw2fybhou!+W>wrE;B|7DU|xN{;{!QDzTt)evk zvC_8-1ZUEOm=;lp6yZz_NcN0S{( zY=@N0BT<#IDboy;TfU|u9k6x-tt=x9$+x#wF*$2MO(K36q|U+8^n>Vc2@8Z4xPYFj zn_e;4e%23~eWnkvblz|)@EI4|}7JZZegL(p{ z0$BVbA15i_k?%g=?r~N-%L1ai)*d2cMyp&hm^{luz#p-|=i}}`plaxWxVPujNhMBr z{`U_5h3>oknjOM#*(J$Bt~K|DyP6BCZ)3fX3eIzC)9TfKrwAyYu|VYU(##$4&+jy+ zChwc@z3x(BP~o?NzaaP*+(f>^3O16-mhx? 
ziKu$J-mxgdaYG#p1-k7GK}MH-Ko2OMJ=~;@dZ5MqrwU4KCo2gnh7B1fzk9p3bzpoH z`69~EqoeCvMiN%5LmPu9KfzfxFsu%C=-3vg)tP=%<~>&^eoxeb?6{1DK8nj6xwIq6 z;uQS%GCn%|a*#HbipN^)2;8v?9H|!?Y}ykwZ0*C{$`e8EyV!K=ADaDE=YBrn*QrCn z#+LXoVJWGb#?9a)rFk(L^a2UGJ6z48lK}MjFWJ3>3G}9ZHm1TuwW4BA`H#pxo0B z@nl?3@`M5|2iwNZ-0sCUf|H%(k)LySEe+p8DxBXch4bP5sY(}`zT3csf6C0!i79Ft zx^QMBdB618-r}ao>cl4>UXT1K?1*oKm}`xpNqL(QL)o)8!{ozP-}YS=jo_d=a8$7$ zav1hKYg8;zZ>73D*%q@K5n0R%r;GAdEV=)D$^LuM@RNt~hjJ%FcBhf4LIh+i;hdE$ zyXiew^J6>e>Xwg=228>El)<3e&^CzJ8DF~eN%vj=(?=%G_M-N~exa{MkeN1w$+gZ? zAU?lML)Lq)=fI(SIW{iJ<|!qUKQfKV{mW4N9q8kSXcp9zuMlUFT#mt0xf~+SHGe!g zJ839G?IQe(l(HTUT6sOA|8JfenkTVc+R3^ZE69$_8ljS~2lB+wd^60;0sq*mw1N(p z%@zl-nH!LwL0VHjLoyg@cfj;1t9!gl8z1nuG?WC8i+Cg<6zmBbL%DI@Gbv4?{q7M} zheU%$O`)9~aND#Q+n!LACSGy}%u_wKFOjZ3oUWTa>an>N1h-u%ywHS+5?S(Z7HaVX zKvo1rhXZ}|eqo{*4$kohkp+=n^pWVF821!GF)#+NZ+A5GGm$O{A_gk8wOk9Z4hVG` z!`;10#+~CDiDhtUUZ5hzr3l3$rU%6#SFD}``XW~gg`C3G1qR(@MzgNTmuUF`2r|uK`E>uobG{LT18h z6&>}^&oG9uEQ9?6x1y^XyDyvjq&ZoB`5f>~u3h(19vBA5o)oF+y2rL&$H>pCRy3sT zj>poio3w(ad_J@i4lNp@&ixy#yZlII+Ih0>$w3Qfqy7B?2**VK9>2bO0YyChn-xA) zTfKvYfn0iwizjKrbnJ7Sx)myrxf7t37-#7fYY)hxA3Y`|z6=8^s&vPfh~0r~Vv)BH zlxH|**R&`$8f_D|#j}cJ)$pxYy@x{qu?|`#EgYhzIYd=6oZ}(5pAPUhUeA%SqM_xB zCWhs#Fi+6@^?qba{hqk@Xt!Fr!>+jgnMKtt9%s8i0>76YDv`I{?A1{2fHr`*dNLi~E3xR`Mt^ z`~r8xq18o)9c|XSS`AKJi$PC(k))YmUh3Kc#;|%=0xN&$Q0=z{Pl3_=it{6;F#pd2 zqR^MnTOpLdWa1D21kfj(@28JubYqxN_nolJ={+?rGc(vo{p5v@sK0;$KzIaJ_uoZk9o3 zF|3CQ4%%S{y&z|A)NBlK^pvKV#&+H+RywAB%5U0ic@6vc9ijoYevE0V1SE6U)`fX! z&0L(O#V>Wg+1Wp?-+X0+?S+qkHFd@eb4{C@-Od;_^pHJ&L-)a6u|q7YKBucvBUip% zpq9IE*;7;(TN`2{5~*hMu%j+U-9WzTU+}+Ke~2X$DPPJ>0%PP6uSb5&1o%TQx`{! 
zBz+Za$jl(~xYu#bWIo>997&T!j^OWXb6$0hiw2!qKysm_5oxXkA}+17x{8@L9@-x& zNmaMl`9zWBeKRltw;J^0xohb~O&$((M69A0ZTu6NKdWgYAjWc#e7do+gK3n!hksii z`<%IUcx7VsU|q9@9epc@tE6*~6^C(;9u6keBv^`8MF^(7x=-2{+p8m%qZ8b=6D?-u z3jbmREfhk^OHmZXpVw*=6)|E_*R+XywR2u{Eah=&PZl=Py8*jpj@B5K#WA^Lf6DHR z%pXnOr^cCzw+q4dU&V?hy#xjaoh!-p2gDk*h+w7rqy`!Igs7o3lio*=-?M;f5E!hs z$90M7gdd5a-ZvXY-Ob2|8 z0R-6Wyzc8NbMu+0O2<-sqFen1tY*#;r@rwhGx>hw78V{tB&%&_;-Gd#B-Q#BvTj zkCNUkybI-kr*q6NypJW#fAg=IJC>Ti7PuV$)$?38``d;+A)u{Eb1}s_p0>LoQmivz zQ;w$8cw7t&HiB&HjE8@Rb1A8U0>0_>H4`bYYGnqOh0N+XdanHs*5HLb)&7eWgWTlV zin=+5z2%yx>8ymO3rnV?cbb1J6f`7Fg^CW%Tf^QH777~!ViK}g+aPY1j%Hk6x1M*R zsoFS!0E=iN?u3E}SvD`bP2|coRf*@=0`yG7=g~wn&f>8}`IJQtt8vKFpRU2C&N5iu zAB~+6^2H_!UT7t%y7x^1s)3K38FHnMHm~^qMcFyUh!%BQx@_BZ%66TyZQHhOJL#l5_u(cpYp?yXA9vOqW3KVRuvchG?Z+ZY^Py#4FScJq5;h6u-RX~~ z24tm8e^|_%kPL*5T&S0~Sqws*tH?buXfAObw7M~jut)B4`05wrS+i#*d***9{u}Cl z?h|^nRgw>h9=sUQgW~sxuim`a1iq&}FwTCMr1s4|c0*KRPgx}$!Zy+6u<4Dp`C_f{ z^=NT-d;Hp)+Z+3VAex1UZWFBGpgle13evaEALB|m;dpGQ{LACmBw5^-YmMI>BXk)y^8MIey=0JQ=rkM24{mXe8G2QrITln?B)=54b_xWE;RB z@IRurH__;}g(-pAQaI8IZL<`-lh3c}-8n^D{DU0zEn&MJXnb%hgbz+_LDtE}OUIwG z_3N|xyBOFev`7EN-qjMle$Hi|rY+3C{a1U@q}Lg|(yI?Biri#M`&f03CAo?iLdfF| z%!WamoK$`tC8)~^lqmf~Lc6fE!+HJnm&Y9zM;-LCF3=!P@HTkd0_4CF-+p10f$=|b zHCILvDpPSfcLdqVX-74tBF%48KG^Oa=$5g$n_|_sv;lMf>s~&UHRf~=u%$7F1P6cR z@@*6j4A+)6;;$BJF$b2eAEsH8kh3bX0@j)e%Gprb0_e{G5?BWhsKP;{RE^$l0_LJZ z&HP2tFzaQOyvrYaCnnUJ42>!lqFzHvq;~f4K}A(PIljvL&K>>hCjJ$42VG4XyZP+$h^j9uRZ#>?@xNg@{ z?nBfXmspht)>!feUiPn~_pxUaa?LudL_+x|Fh9J^j$Gg^`W^ z_Qdlun#MFrU+@&T&oWu$nv*j`MG$nY&BI~H^tMFU7Q9*%2aSJKuT_rsZaTr-FK}4s zFKd2?{CNF&+~43%v>h4#!uWB&_S_=SW{^q50`AD-W$iWCng*m%dfy~b{CHQ~gss*JD$(IW6te#1u93!^|62hJFNLXrMi;*lr;xkz3!Pgq3Ls<@oZ0$S_2FAvnSTAZ)+DFM_fQ*58Z$m+8t z4O1VukrB9fkla!4YwjTR+jk1sv;fMwP?NfoL!dbX0<{KU)KDFtETL`)v2#22AwvA^ zwQOPJ6=brdJ`Gz}H-&=^NPOTUw-ouhmk3!-a0?SUadx3b-bJ`7XeIUQxoa zt-{sd8`2^v?po>N`ZlE>ZCm>mub9}5@u*adq1=?SN9K6pq*)bAH(_iQP*6P1S4`G;}w-50yo?wff-VU6SaQVf 
zE8jn|0F5AHVZzO_u?Xvz_yQvDA3=HKgw>Y?*edvwBrJD#PMJ#o_~cH_g+;*f=b`#d z$fytGU+SC}CBnf^IyP&y;T5b9U<$gjf^I>k<0a}65l~)%W=wHk#&6oSqNqK%ab$nC z=$SE2fSmXqees(+lB@{q386*8bGOd9+Z}&Tc2DMPsv_q5;}>yzBf|x#$4L1WM2wUM zL5ay1Xo}QXT&TxU_6q&2mds$sSq50w<;f}Aj`-qPlWFV>DM67&UK}}1NE5YquhzWx2ED#NCUe-V&5{eX|*6u0aS*lU&Fg}W!kZt>> zAZ9Tl=E)?29_9@qG5#-O+4NAw%>0eg$%69nFjFBe@eSLl9527#cD2JY5-DJ1r=EaDWzX(@L)wnbL8x#X}JIW@wY%=bhwdx$KTGRV!}$(*=i2+`vr9F12iz>CWbgC` z!K23VQ9?2Zo|sW+;GiPT*0Gbk2{?8MpG?(j#3@CCGtC9*ylpaDEx^F#Xs}kx{NaD{ z=7%thv992xAeVuYuxUl*y zWy1;ab`e_CPxS9cQkuqw{-(!w;$CIc*7|?|wo;a>>Ioc+=Yv{B;n{X4bZJcV3nmRn zWRm$hB{tlat4E$T4LXoteWHi@h^oIwwa6<}08VN(=_!|;HNAWLdY9CTO*Jqkx+Mxe zc`NMG3c-Q-V~@=?=EaC*w^A+dBGfm5f~>><=CzBIX)j*G>Px5CdQCOh%FMkbai_K7 z*0q1#ZmV?Rhw~k7Y9?!bRMMMIV6`hol5Hw*NNA)q0MNp(lkNOs(**G%?GDUM8hZ?bkg_p7`O+W+p=4rmKnc9@%BB3?- zJ4vg+nXORZG3Zo%`Xde1RH1n`6StX4QNVCVIA@tuO)KS;^qJGvtl7gn9YJBMe$!BS zSyfEX-dM@@`6Qo&W14ex=tCJ3_SQXYW1jYEKZPM%xAL^OPTaOJFywmMT|X{G>2fsJ z5L^r9*?e*)9SJN0<%5A)#19iWyOlAhdZ1hvqAyf+;XrhCy^u25UqR>@zif?GZyZ^a zj$T?g(kVYPG*VEu&|wi&D%r-=D6|2#yE>|7TaCc9!dyNHLo)>8NK{)9B= zkQv7+n}SUse}1@GMWUns!FA@Rw=~gj%QzIOH#0_Ko9u)N%87mbH}!Z)#bV@ufp#&m*J*D?gw=(9e4mhBFp8wGk2)=}H{`mL z;O`!nPO;t`u^s}QFaVXo#^rkl8=MP6)Yf%y7i@r`a}>I-;XmkXnp_eoN;*Qa&rvdg zxt>{zH-hLPAl$pzbeeVfAtzT(@de@ugf51ML-QAh2`)pEZsSfirx$#4Q6_w2If<+R zdE2~lUF4QLp_A6>U&f4}EyryS>@s@~r0IIv)7xoh_+VQ2w7@B*_=cnQfk!1?Mf2Wo z#2DI#neOH}VO<|`BA+#C_bC_ct%v994P7r7nBveA0fKxcKJ30@(4D*)K+YgD?$eriO*IA>=DH5MtLc2R9I&^uaFa6Hx2vi z0Tkrmwy;sI!*8OVCA!G#4v2k+)tlxBHnmvshy~OHL>7WlSia)@`zX2+{AqYG68=99 zq4ivDXwW#u#+6Uv-)wE+j!5KwL1dE-kLjGIB(>B#xaL(A$9|0LfMNx;Y<|QsX;MV= zaiL?0w4UNkKGw%~Al4?3GB&;_UQXs^BJAV$xsmF2U}^aKx5@vCF@=qTG7#0}8N^sx ze`Q#IVyfCqk@+ASo32a}qDT6ZQv>Q$xdr)_00nHyUW3{c(b-SrS25pF4SGBnMxFjZ z!xESf0sN={q3ozAG4cAII{oGi5XPvc`Haq(7UT3XiFG?lVq4x4ZZ(JDrgz2d$BCzaRsnEowds_Nz_WO(mKvS)mRoOH| zUr4r*^Q^F^yJdv2f$nyBnd@zGOQu)feum(Z+Ku%z0nm-HabpSL^aDXM&eJFx6GORh zM19dgDlzAO57vuPd$63mste9gj1^xFBs8B*!e$Rd`@R88gY_cq7cT9{WHlq(V_M7{ 
zyt*#X@RiiW%L!|odK+9?0_gDigvL#)dL613g#Pk**~5|cg!fwyP`#?Ycw-KrIT&f= zT=^@sDlyF9wuZn%sX0ut4{$-@w9A4%>~Zko8w*NgAJ8tJfLx4Ov5WQ?@ z9>;wMmkgm_`2hbzjYeSdpJnwRr@g}yxo{kZxP`jRzuCa6MeLj%%0Xq@2=xXsf7FZhcNs<`I zrN`L+<=N((Z7jke0cu>K?=B-@;Gp1Z#pUjl5zY4=2D7gs@aDzW!yCz~K$Q0FMvAOF z4N7-3h6pkF6V1gfhocK>t@eUV$CJxA8o9_~X)d_w%?l$Y@qE_4a)imtt6}NMWEE=< zfj>nl`Se^@)>zaIcFElp7Aw~fO&+0G;U`VI2sbY{LuLyOb|_)lo%AZ$!eVdp$|9Z= zmvXYu7%n)Tz=uvCB>4LBHJip5QRz--P#WFgsq)Q>h2Q3AFxLaPl8eHG9JH!#XXGK_ z($49_ka@`!p@Oh>nR`rcK2|uAG!wkxuI?H~6{}(1QM1K~%tcAwdE>?Th(ylQFB;^k zAfRI{_oJ|RUdqg0Z^Gw--gSw;$ZBQU+Qyiq&Qr}5wQgxk5yY<8QtTQK0h|>LVBx(O z_<$@jPF(v0MdQFazK&+So1O)UlYnTOTzDIME(YE4GG(+2*0-7&24Z*mJ@DTi55fA| z;d#N9fK|S!gAy}VT=8vmc$7tGr%^@>B&DlC+FT)CGdQl5l20xPj~(e{*{ylbh3JUr zLPO1g($r6W=;q=pwfmOIn!F5EOlsHLCiA*q5;g_a4x9ukcfX$LXZ{qt23%w?WRW(y zFAYJ}yEtb&>IZ@flPM8T%pnkH37uAg+adpG1S>_jC%wjV$+6yAy?6gDu58XV%g=&^ z;pM+@^gv6paE)L*eDg?6vL1~hSyzVPZDCdM^Med>v3u#xcWFT3=xbqh+luT(+LMPZrKw>QTvYpl4 zi<}-T%D8)mfYJqZ8~N?*D%qWd=q#P6U?e3y@1;e?+hZn3N|GC0V}BY{rE)cXAI;%f zHKAZFNm%~etAVN$<+BINfK=g`efIPAN(b73W-ba+z4U!U&MIa?up>Aaxv0 zv9LjEhZxj?P6X>X)I%86y|Y8YZ^_cOg}v5gL#d=erDJ?0na(Gv7t%)j19AK@_q(vN zm4Ld(F8TR_t^Zjjmlz)^%F5eohe@zo!YI2?_TzKyf--A|`Zricfmf~`w#QAfyF}72 z)>AR)sUF@Wor=sO(JRk*{`ja=*DPAV;(5d2`dc+~yT1#aYmKpUlgshGA)7WXI?vw0 zv!I6aFM>tsn5f~hd}{@?%$CLr&A6&7v>}d==+Yp*RdKq!)zjW_u$+0ks$-G7^5I-% z20cOb1-UiO(4Sw&G>X&V^t?G^RBwa0fmWlvd$F~MbFMlK%{2?@Mezx1$)sMbBP!Vu zJI%#cIw+o~a^cEeV~@O@sWi_dx^7~{D)YdQY^z3^YJEO@PQQ(skI6Kfsc}S}+)X4K z<%IgkIUE*N`Wm{eI*;dOK)qH!uMpPpi{eY9tD7N|@0H|EcLB~Jb~53)(Vf|kZ@1Wl zcPF}00?Hlg{>5Ys`Of^@=4IRUoAB*DQ+BHXAd`Ugn9{f6^Deg zTNQ?AQf(jrV{WAqc`)fuC8VvHyVb@~<(IU=GNC?Bnpv2lrb2MhGwhYQZejYBv~&lf;K8OzfI3R2(aE4ObocO?EsY(=3+qH^2gW~Ee%hPYF4D0f(=(wqr~o)^ z*o%@xI0?@=v)te#rIQKX4f?T4%VbrBA`MNmrsNp1DOgC<5WEb1H@AgwV>yiANXe+B z_-I%j_rbAN-;HNzYEt{IwteW$M=WnxAjXw6n3QRwQ7=TK*&CLGJTRNACA;5Bstif0 zY{-OZxWm8_-6}0kM4s!9l1osoT22~%qwh=6KM$N10NP}az;ud{!9!q0ErxP zbUrseT?(zRLQ>^&9lgnfnpISJ48X{;_rtCem*_SLzf8fPblWYQaxw7_H!k*E5USu- 
z1SN7F4~iyyjk{7UL()RgOFNY_;3s{QfjjOG^sXr*#eUWA3<-qO9X{SzF2l;I+32{R z21t=Us&!gYw(Yg~X6T8SM6=PH$ZCjbS-ypP^$6EUw62xk?>(AkN%~A(Csl}0%6r-_ z_z?8SqHxNhNaU7g3U21ae6&vpR?r~O)hdir8{i42Rftk>2_tcgGAN##;hrJyHun$? zjMNbdTxo1ht5TK27*T)*p`!i_#l*16IKYuAMKsxQ_IUvA{x2N=Y7<8@ml@90 z%mWnAb{!3QXL4?L7%0Xst=1y5`C6s&_JFji)h2M&Q|mV34;Hg6Zja-pg}#8A9e1E& zHTf^4T@(Kx9Xcb)8he3ZeNrFKrD75ADRTQ9DUsCc4B++F{tkhn7RQmL>q^MB_^&Gm zxELtPN~mdyF0rwn6rv;+R>*bSb1-BobA0`>`mtwxCi@)GN4> zU&YiZ9BwDP!ri4xd82}nHPu~KkQ1<+wZKlc$NOocz5uFxmZUv|yG0`%<>JnqJnJJ5)TPRAZr!v(?Ee@UL$&Tr$=hTR4Qw2j)8kTFQScjndxe?=2(|iYT(TQ~4 z_gv6VHDlEZrTEU6is9!x??C5V+AW{LE9t+^AI zf`rw@9}C*1E2Qj$gK;+6xj#1~_^s?4^q7`SG&!aJ(vpjoN052<4#LjJT)5&;|IUc8 z0|zx-AlKAAn3sr5^20{rIs~{CXltq4NOQ3cx>*M}f z4BJnI%gS0Z8EO7fULn4(!6HNe1i7GQcxk~J=foPWraLUiXJs$*!h0*iks|T`q>%Oz zK@R;0)6p@8d>aX-czM(Q3?3U_LHDhq`))sp=y@Iy3yFn{th+Y%?LrR}VfF0#+{ACXhX7mhLZmk-A($hSoO--QH*@n9Y%PE zzLjZk{_=;F%zJPo<{kA{>(M}hWG4c$N z4mhwE-!(H6uru1X+LMXsn9jF34^qUGFRH6*Z-`w^mA`OlAMy@Wp%Y0SZ3cG$Y9NIE_-}NiL-CJ^2&)yHy|7& zL04YSNnpu=D#JWjb@rPiJZXI+xYr4}WP5g}y!90vH&0P6I~X(Yl0OmBKCiphO$jU} zwA&B)H6r7qTRmiF1^CM}T(nyntvVzlQy$)nJ#BMzGn53;I3DloIo9e4d6%-wivxL8 zF)`wClM+1mv0)6Slqu5O-yPAF4uQB{177EM|IlCa)| zT^TxhlHu~2@F%-F*OK-N)Xib*aq?Jn}uK%a*HEPkgk`vb|dvZF!Ynpy5!UWD(CUHf)IcStPUv0XlBaFYmiM(=Y3p6y+VaePFDFj1pNzOe6v&)Yk zsR{)TS3?7Hw{b``rN?k-UGO;23jUI3nNHcBohB_1Ji>~$&`BV%L$YL}Y1|@fqy<*p z(mek_y3Pi9-RyjvWJ*^SC zd{Nkf$2#OQc1SbnF4s0>k4zJN(cro`i)tMFRLa|p@+mL4SB$+Hpiw1INrj~{Ib;Hs z)iAuyWwF)$9#`E_TJV}hXZA(J_(=Lyi+*g;wXQaw{CxPY?UY6abkeeX%ZheTp`ZQu}#$5!*?!4=ve#-iTYBWdlRsVPU%R$!xN#i7-(c9d#!+Li!*b?4BBiVy$8m1(zNq^z7lPUv*rE`Pb{>8|4aHrmnv&oLF72yOj#l<&dBUdi(EB^KU zht$K|8Gdi}Pev?xC#)o0$q9|r7l!eWQx2ny<9A}rKsQ&!pn9cR8j1whm~&<+_EjUZ z^MhNYxf$N7$Zc7GR|HcmsYVL6KT2yX1Vj1l8-n{) zLBZp+Rak@VsPH^@j9Z)8we9uo?SLOww*%F?tAJtOf3`%q8UbNpH$Z`^zk?S#I5=K( zzc^%K%5&+N5HWHUDUpe0o!#+Nu^h@`nWatwJ#J|XP9Rpe{J8a)bvN_RIclwR8ggz{ zljfKdQacpduj}0&Uk)}0a490e1xGh0huf6EmS@^DCC|R^xgU@kxNcr94mZ@!S9~2; zMXuZ%bIY2)FaD;4L@N0+AIL(C$?;W0*g_SfNHyoN 
zWtpDRZ13_9TTRhVBvW->8PO3#tWbeu)@{ymix1mZ3{%FeE^n02uNz-qKdNRne8P-F zrqsgknZTd_JcJ=90hK&CzU#%|0w~4D5s%Jx~sr8s-yiOW1P0{#1NL7L-;5x>pyDBeNi9+eCT5#2G%M^!7Nex zl_hr+*-6QZF1eeH#g!4{p%=tMo@R)czw^&gv)eUp=j$J+zSMjdz;gJTO880vb+MCC z@!hj0YV`9XNm=3LCd#93@oSOA6=6yup}GOttuVT@uj%54?>NSHsmYie1yoGbtSmW- z#cvtyWs$#zv{UTLC)(9S0Tic5`i~z-)%VBR1 z9O2@LZLufxBVSHAa3`dlG>>pxgP9)OZSoL5hO6SG8Z%C#EiUl#!Pv}9@$=T-3CGx~ zYz zyk3IKykFZsuXk7VXp=T7$QCEUyIl#hecVY4dbm<$q+yPapUSMjx{+#81H~41g#;AA z93G5WnTMy?iRgl+ym4#C)BOmqxQJK8hX`81@m>i*byde!nq2BmvGvr&@OdGelps#< zN=dP~J%9F@D}sN*0fb}ldB3S=HJ~0*2JxoA1G`r?MN~9Hf;u*10l?*k>Um7nBS)CR zFiG&}JooR?D!DR-JL&LzU0LE-EIP-W1QtwC)KV%%a(8g=A>L{ThY~-SA&I^|D87z& zLYUO{vZlA87!r6P22tDZT(ryDw{QxNH`7n1<!q*8D^c&wfaKPzN?1V(_KN0W(WBYeTGTK*IvaVL_j5QZ~ytIf+nRFX1aNDCK{@&4L!_6ac+RWlPhFSFyn#EJ>? z>bX$eYXJ0^ryYg)CMfPPiLuor$0Xd)#!PKN<*Q{ShJ22tpyh@7Ts{K_6xJxy#N!hg z6y6qE5=KUvOI9-Sb=RARt%K22v7%*?8WMr@Pe((BO#(5>*;;kw_bg9@jxDdkJTo5oLqka3c_`sEgFzVqvdB$bK_n4 zh?n&Nx0+$8ek`%>p3m0)!lY+e9SZ<=_T+Adq>Mzr~!Js6lB21z}K!A8l4-Iyd zNI|{P1&Y@&=p*E!n-Bx~KWmLYWQ$qXIVG=VR5Jwz6$xUg!%*SvLw#`Ecx%ro!?Q^0 z8veNOpm-im^9Q>?lftRW{^gONFIR7#}f z6k97(%&fJXQOavNZ;-1}yG#JB;-Zgw!4~Ws#Lg{UjX8!&yKssqU1}ZgLu-!~cRjwA z^yZT8W=cRVM2m5HHf4FkIg`Z)0w;ByoWxl#_LgeP0Tq{mQ{j}dPE1#XJyt4A*xPbd zQ*cB>O2w?E+9cr#clXG=b??De+D(M2#NXfx)A(jR9}Jy z7hF7?Cf|Mr<+xWaY_Qx2CcJXO3M^C ziCu&)7lzr0^==|Ag>bSeS?BsGsZ9%={-K|3{QL@7z58o=b%3VBH)V1zha#h-INs3! 
zKs28lEN}S4baz!U4$j+KgsVBL4o9AlkSnjKn#8bfm^YQ*Rt+`-^7qgWP6#QI`p2Dr zvpdaAGE*mi@S>Rmo4El}D!cHU8B_ak>4yBhG93_=TWV_X_VoobAF~$~p5BWCpfF4N za2U4Z55N4hNf1&>*?aY0+!a3C5=I52%cy*eB4D%}z96kpbaZTY%i=tTpz&b8Au5$y zux85=>USWu#rn=x%AIr_Ub)j%RT!8gAVE<3e-2jE=7M?3`mfb>JMK2ghaL}|F=l;O z2ffM<3yJ<~b~?9lTD>+b_bf1z8U%vKI{}wtZG%#j1&erijg3(GRf#;ZZ38eBQ)pPE z%@!dPrmpZO$Dx3A*4t@!JQnB`(ZME9z7i!CikHwKYWj)e^Gy_>tdhzn(!_o_mz6dx zOCet}=4+8r%MU0J8RSI3mJ$qE<&bXXOJKYsuma2p;WYXQ)*hrl8OO~&@S61uaZ|-3mZaEVKp`U| zi|WQ&64DZ1iK9MRRo)LTR&ys!LK=ZGjRQ?6Y;Y>rO~7yqxZq5TGV8gQ+2W^T6tQSk zIE8BmOWG^9iIT~8cPjxU!77qo7F63p3?5PD>088$o#$HSl?Xge*&Altb@TENxat>e zU!PmYJ0dq%TtLPDR36a;Zh7nRD4x1LJD`h*h+f`BC}p<4z($-BwRb@jcehP}zyp#$ zm^yN+*8Z+1@2ghS)oUxkxUN2}r}H(x_F||+Oli=?`6S0;$yGkTev9k%boct;=6(4h zZt{|L&Yu6#*qjY%LL-@KMu#`9&-TDd{XnGbmq@zr-cY`GNPb@jtbR$y)_M3@ z0cM$jgcD3rl2z6B3?pK4fw_I71idBky+vqBPaq&%+PIsAzj+z*bkaDz`W}RrjpTPry<{g^!VH z43>dZ)UivL%wg5xkZ?h|FGO4(j122pyQP2RTQJeqfhMT*fAX+rM2;v&PRK*RXN>;g zDz9>=fX&G4qpu3-$eO}Hgv}D+UplG%(vb=wPhv+s6kR$glO2IW+me1vECZtc=%qg` zD@4rY5{E%loHJHn2+1>0QpOzuVd!q3+EgZu$xjoqU&5Tm>#MxADN!RxZAA3lm_K#6 zJT5wtT+sz4t2`S@`c`=5WALg);c@$V3XgalklVXub5;45)X1L6jcP!`14mUkD6I7j zHN)<@JA;dX`?TX0fm%!12T2KwQ~?FeC9>pGxo%sru6x(WwzErVq}X0F^v0cDBl&`; z+S<>ViAYQrAQ)_`WdO=&0UvKH%Y`#=8)^l)MOn6+#poJc_$D#+qN;>}$5#kW2kBbui)4<}6 znl80@m`!*J!;|8(zn6Lxa6lj6mT^9akRR~R0wz|YvG*xLWzLxc_Ca@=91|&VBXGW9 z+S~ak#*KoB0|z$Z!SEMm0`M?nbl)+I9WWkcH2@eLh?q z^?iGbhAzG}m=c;c%Hyy_Ll=VN3qzHB9b34KO6i+7oU%RpWGFOj#kploe$?5QqaL*ju`ZC-uws7tdP9? 
z3(PKO1S2c}o9PgVyq+*-cb=!`pHHAYw<#hghPWN)hHT`m<1B~a#$3@``vmhgz2it(2hwzA| z;jgNq0qoUELtAq&%5sG+P)LjRe4YxtD7sd!L#S6*VP%MFS=T5fM46ogW}hqv>t=O( zx9>Ac;)@hTl{V6PA(0EgD`VBF5#wt2aJ}@kJs}UB%29AA*&CLDOV0S%xpb9a;8F{N zQ|XX@^^0XO8%fH6fNk2j5VL0pXIP_ zTL|?y@Jg%Tzz0-S^q;S;=QRmlfcrQfKF1l@m7?HK&i>5gbNaI1_l>?oM;1tqq|ETZ z1f`%u69V&U_SB{lUy4*-A5&TNyv4Uw-E=saHc3BiOCGn_z*4&BO?fa9Jnbjd(qaOL zF0H9h6Bf)Z)KUm;D}~Iq439|fg)l3#4l+*s1ZUjS80gsHlK*u^?>x=xkhO#FSIE0a z+8G_lL3yPI|-~Yn`yKBLzMG3q+=N~8&5Km`#un}*eei5Xu%wkvhzuC7y zdS9lg;8W-bdT;$XAzih`aYXVBu$`&fE^QlsrrF|rZ?VsXipQ&H-pGSZqv`ACPET6Gq zE)?Ny(AZhGi#dBFG^34VoRGIn3u^i%pAejRMIU3UrUMw8M1PQG+sLUo(6amvgF6q< zag@FADsn(Qefqq~7pZ(6{Bg0;T7|>z;EekKuX7hyMuCW#X&p0jCy1#M!qysPmI%Pi z=zZKng6+$j0WaS>!D`KDAproUGm3O3s@a@9KeQIzX6j-c;9 zuMNe`3W~D9x3k09JgZ-yWZj(KvY$hGH{q5|`ZV=(NZM&yyg|OMvY#%6PP%?8#lfjo;13Pu-hZ?5E@{#*2kmX`SmRn#B#A!_!>P zIX`Q3Ajuy}x(9X{wA{_RJj1vO_r}H}#2RiJzwLn(H>bbo!JWAt51E&f4^C(p4}##` zZ(4`R85YM}Pt0+pj=Gka3mzp(F4Btci_M*XklXgaJEsi(K{tk8CWm!-`A0)Bd)zN# z8ZD0Lgaquyeu!k-A#wW~qdUH3Gh1Pybbnco9PC^@@oAVMoz3}0*x*f8Hh6`s4|+|(CjgmF5M~nPQ?h2bL|t1 z8#ykR1`q>@dG|%|xZ8uKjY;&{0)6jcarscldl}uD2;OG;*#v|9R0Xm5xY&&E*(a1g zTaNp<0)ANs55M}5xcazlKBSkn>F#ziC~_r2;Ft4sBWg7q>Zv~1*@AYZLviU=fa$K^ z_x+s3RttHCdm%u``iRT+jLSAKQl+T3JUa~Jd;MAOcwTL;e(!PZkw_MjmtBZP z4GX8?jLuxIHePJL9CR)(j0l7kS4|_ONQ)M-NGUY5S1Lyx;zI{3MxpFC(GhHDKS?!4k zdsr?vmt{)+fi%|EZZ%xA&8qK8esX!HQ|x8&uplGSv(R2dPB4g*m&SA@7$yq72Xi&o}Ms0MFimHIb%k()yKJHaST3 za5I=Q=8UxF{zp(0!1gjDI_<%f9A1T0p6c2@%#Db3Afc<><*{&prd>w`O~_~!fLx>P2FzOF#B?W$Q$53=M&wdLk+PP=6lYl+5kh^W2Rml4fA?HWyT3o97~IFq&vAa95|(M#${-w@FntN+Z6t!SDZw*g ztCy12#E_E}K@+^GzJFSzFxfGg6Eg&##q+u9SmLCXf7`jhpL8f$kR8?3RE?gxHY`-j zGC5Bm4yhs)&R+;o0AqeNkpe#fUxVD!>@uoT(oErVU(bUY197gZofi!)$)OT?wt}+m z{_N0MiB93sC^YsOt^}AD`)WJU!7oVCI??-e z=|M>QaR^4eQiNGZvi8Tqgh-}d$rSQgFg##P24rc76`_!gZ%!|hy+a+OiXI4sOQn=#-J@8_2?D*33P;cBU4#oq!(-Ez?F z6K00&Bz42a3!yL}(w6UxvsKkDK+yZ4!`z&xOV#;+^61?(6B=1V(ejXs?GmO+(93K! 
zz%$RsX?86&BC4qLe6#uDTM9K)w6Fi z#vbSA1z;+L*y@ZOsH!}M2Q-X>ktHXrn$iE19s$|Gd854y*fArK$heB(r}pEJJUK-M z2rtQEr*9S8FCEknw5{$NaDZlK@^KByARQ|^(@AySfs~X_f)3RT7SO4u812i9JTTBW z2T8?S@bATCFAD?k^a}*;_{R$iBAT4Gos|+D#E@splyb2HtmLMY>qrhS?*lqQPI9Vw zG!O=B7g{rICGSaG`)JHo%`E}kJC%o^m^$WeE`ek1=wW6CYi@l%Ikqimb^%{dwRi+( zboCkB5dD%q9J1>dy(O_$6T$9H!{-G_AQzKqZscg4zmB|=?qv20Vv9_L(<_;PQG#^u zVE){j`az&cPfZV?nl8V23SLsn**$bma!fgjE+g9W{ZW|8%xuooQcoc%A>B?s*0|N z3(El9Gfs^q@`+s?=4VWyKy??W8JT=}>tOwN|5m|}8>pAZD}Nxdkr{@EXwC>D1#4w+ z=u}{zq+VpNIso);5N9Fyba2{B)t91yM&Co>r6rMHbCLv&zMz(xag$hTDgPlqyap?T z+nN$J!j#wI@Q&GDc`5isvk~u9Rt*f4o<_y*93HGe#!2N13BCcLdjF``>oT07Q}AK^ z*PsD+W=LoD-sv6PkaS*S9;)SEC`Jd!HI)EIvrJzyn;*r6w<*3ZP`znNEUEc^PmG5Y zsMa0_D<)DLCL@gOE|_rS6-yptDyBUjzD zc@B&-p(x-^{5lNXA`)#IjpO^`8bNd-L3H9Ed-NqdbM5(Qp|^4|qQm)IbigV`{E9)a zGJPad^)`;@+bwwqvsZA4N%}&9_vZw{oYrG>O6Ng1 zvrgz0q)`)kMYdiRzaTD4BclN?6B>+bi9pBMgU$**_`s+I8hB6c<3xFm)F>84h-TWJ!t>0jPPy9i(k zn}6-URMH&stR#;O!kIc|*J0Th?u3M(Mc?_?0KN(!F;k@Z1x387sCc_m&fYFCxllOQ~QBKO0q~{6d+CG1wHF3R4M26 zpA5h!A@5q;SdtqZAd?4VdQIKJ3@emHK^7>i$VVR;Hy`@_5mmuB9;r~Guhi>E7(J{% zee{BiyZ!=D_@`(r&F~+3b2cY*B=k%j2aA7tGN3(w8z?{T1HGN;)B+->i&f_hAibRp zG3F}}Bt%2EDbS9oa5-oL+mYHj1kYh8oBkDHvqe$4%0_-?y|HXsXjI64H@>P|0$7_i zpo6^}1c?8l?3-dmft9YeZQHibwtcp3+qP}nwr$(CZJYo3@;}{|o7|>pnzqxoVlr#i zifD{fL-$ef#Pb6OgS#e_lG41ClUpM&CFjP)d~s9@(v#N|(G=>G6#8ua3jDKCAuY4E zFecH$Vj;%$Qstb=iLb!|Gb(uvl#z$Zj}b-)I+nPD@f>X6bRth!q%)@#S&ix~<08KE8eS3A^Ep}n~> zqUZ$p_^0pkur?aq$J4Nbg+u#_Py2!|n@jcOV7Y&tO$E=#t=hR7m0mJC@V#<4MxLhT zc0HG?kxlvOYUAPMXyYn6&+z06pT?wSwr{FfBkFYlC@{~_6xWyH0;0nQ89erYdbyGjM1MI89)f^|Guj1ru|CtnB4kjK2rw$XUvVQfgeceuWCg6A2sy zzf7J#`?=6h2eJ0nO(oh0iAqMzrmpNu9fZqXn{|9F7nlzI4xDYc|9-#_Xl|H4N?Sy7 zRKVki?|t~Dd5*gKvipOUiqZ=eF**@=uMmq;pu6QvQMKWqD=Tc+xJ(sKr*?!!IQ<%M z#3u*~^g8^Tw*94I3Bp8n_hQeckEh<9iO>7c{6T1V*SUA`wba{Kfi#%M_G+}$V6VWBnEqqY8i*zL(|~yF=CskMGuYc|4QgiQx9PEwoG9b@nsc!yQ<3 zR>>w{K5DWec>dGd-J?vl4C_dHHNp`AJ9BcE^2C^9qaFIhr!3 z{uP~z{1-h|Y;MF-I)f?+p6b43#}Bq)Frss%FZ9oFdQ|L)eS+Gbk#EvccPYVZlMr_) 
ztjmFTPvW+Hi;4pWH3O+BT0t1UwfP4622pb;%=zC_)y*TDr3y|;53)cp z?pBs@`q#m&{c7|!m^u(^Tyd#faHUwz#UZE-?DX4iNC1YH3#Q?V0oHyf|$= zaCe=%x5f2f(tDIh=1>kZHygiEwl(hZZJ>z#*aWX+bKH52@9y;R>T+82T!yh*62#sV z#BIch84QU$|6p;nTXUF?5fhXDOj(HFVRG0r$~*s?6B;AdhKyk`M=M38yd-esL%&QK zmbG^54LbFqT)NmnQwisKafSDPw*)Bbgea{q;D)GjGjg7sv}SeB+B z1cm8{W`EJfb_u8L%pk<3qwIu_h=>T!-O%32`F$c-{2{ZbJa85BA+;9M0dwYxT!!2c zGP#FPwRz|Xe)C`(7FrkSB)>iS)NT|L4h2bCOc~<(7iFb@H%k7*s0|sF*Swt+QfgQ8 zwnsUmBPAtbp0Z;7Zr4V7ARK#oK@Yh9sBFAyVJufa@`*RUs&d|IU}tL9bjP;Qw?`X1 z?0$o-IsU-kUvb2ttI_zrbX5yyWe;hD)tvz_vPYu&5}~!2hmB}6S#gkMkd1&V%wwjw(7UR;lB?%yx<$3O$oZaB8i1ONHaV!2J7 z{PiUIFyrvM2<)g5B`YNI4IFji!ez?vWNyqHZFtYV1sV(#Z*JXA_{vP++tp4A`MXe8 zfa`=!x$k9%4iB$t1{&-&(YCTDt%K$xfzBL3b`j!BqvkldLg)dk*qO18Ta3{bwGo5r}qnc25b~0eJ z;I9Hs*%4~&%jzvaw6H5D@g6UNCshwJdOlyMB3KE64k?ZjSW{>Uq3907Yn!g*=ox+! z7u}!?C4)|4t)7N6M1Y*NnBb)a^w+MS&#+h0yv_eLeg?b~W@?Q1%B6Eq%H;{mB^65~ zQA+XIM>Sg^i@1k2ujcX?RYbhg+TGGKu50A8?DC<$%Zko?gb?`U|Awcx$xgYh5+8{y zw&St8(Yo-4xI1#4A^b8cy){0oH=jmv9~VLYT;MCl)poot!U4LX@=nM8f17i%rpG*; zXJjqfl|(= z@cR>fU2mLOq*_8V-WyRZ+;Th=PTZN2z_J0d6y``8J;*l;V=X~VeoX{Fp|b6)ajUY) zURH-~bR8X8(#LycnfsxjN9ivD0t5zx;ysobU^TCo>oJqPZx@o4PqB%em*m9Ce7fT} z+y1)c*yDNf@JCwu8OFAQz zQ`G4<;vcI{S}Ml;BOtNE&|`Y0KCdf!x|Chg38)6{{)Cy1F3jjU(3mj?jhHuRTtfv5 zGJzcgBy|VEYy~CtI0XxRbgfD|k)islB+gvM#SQc0OF@f~ucl~T+(fh~cvoFw2L%OX zA~>uJl7s)h86(ce&qEA5PeKaoNSMaMK@M^~ZWDbgMvuI>z1KcFurXI-Nv(N^-YU=`j zmK`&y1~hCJtnIMq+lDvYmoRC$T8?8;>P(0*K#D*!Wn@}|NpN;(JrQJU1MH-0Ggf5W z0_cVfAi;a!G1cdy&Hmf(d=f*(-vSS5e9_5;P&O_#IGq!6YTnI@J{c8V_H&HZLYd z=P7v!JDLGoT-h>VdKBIDKRZAEZ=H^#NRHp%r7~GLnTjQbj`x|sjiYzWj*YHee~67^ zDgwBLmI@W?htiECc@{I{N<5e!FRVC0e?dr>S0gX;{@6euPfrzYDM$jfqq(R`V$&jV z3Gf<2MD!Zq-Fn@m;=XdFa8FKS_l)F%`XH&@*SxEo=>p+5%4*Sf58rk5!LX{wB+ipS8#>sBE&~b@4uE(O8IG-<-<& zq&;E7wvVM_c~}fcA|RqK3;bGDqdZ9N+{0f>kVKhIGeQx3l_<`~7kC9DW3NT=GNOZf zWXSe8OL5iLj?s|rrww)>o`Dv%9XY^r&or>3l5rg^0aF(ey zCKOs$e)XhoryIw9oom-)dY>I1)wi-soz#2r5i01M#?YkvFtMAycoFox^_o*r4M~xI zXm~b5U1355E5@93P!Y!^5_<-*Xbi#los}v3(|+(AvFZ0aXiF|#EsLKD!a6UssFB^) 
z`8G?^cm6N*^VS70RJ-TBQl2|o+Oy>rv z$oR~>dl}8>cqf?W?ZLCjTN{^i89F<&W*&45kGY?-_FdO1u@Hxzd@7(@y$K#ti1U@8 zq(FA*(Rz0O@1*b)qL>0gbAWYlj6voqqg7yV$DY7V)R1zCw4e(Lm;{*=XrUG0Z4TX6 zmtcKM>_Jua$P2{^J1p?zIf^4#Tk2L;)R#gX!QnE0yRQEUM@tHo&7mhBGJ(r zR-zY4;EEO%pQOj@3InR^3g+N*lxet==sI_X3*;Z?joujs#b zh2#1$qc;UOVrdW6{FE)Jp(FT>N}P9HYf8L+!-Q9JFn&khF$!3AmsD&Pg$lejHj{rs z@tvwzUr#bU9eZ}j)7k5eR64^g)8(|TwU&)FiE z#*ADJ9chh>IT^~<4Na-<+KtunBS-$YM^S>d1Hd|zSXZojvPev*u@zbe)XLD`v3Y1% zbopoK6lM6JZnb)Fqr(7(S#h+__Z;pdYsG;(tvMtptoRS~!v@`_#3c8na)GV5!c<+e z$M4z`p>x-(pT6W)7#zqyVl>knjIm^jjfM%)}(e=5eTVVrHW__3IF(NJXl{2nCO*U74te zn`ug8$_L?$6yQT&DVM}YfWcg}hSu}DQo0h?j%fO+0+h~w2YoT|`l3dzVt7X{k_w;d z`XEQP*1Z8LI{i2$v!X}3R8U8Dp!u@#*xV37W2H`fc);cLHm}K#_Sa#EP)~LPY{nVv z8@CI&6{FjEBGf(^cq)yo#?@YG=s!AlssufEcxS?lKHGMv`SRU(P6fAqrEErXKLOdi z9wh7ZT{CtqKAAIj*9dCXt!gR!Mg2x2SZNc>$XZ8PZQnN(}!MYfrL{`c4-ZnGR7 z=40Z=n0R%u94d-2^YVIJgO6#@6aOHnQP7VG%R$oLwY)QViy>Fng6mGi&LV|cK;?NE zYY;)v7oE6wz#lKG3lvY21h2jVbtMIi28FKmm6pCsF@~2k%RSlDEbyXM<mcH#_<w%2-HB<|~a`2_`c^ z3aTq%tAUCNOFy2YtUH7?gAL0BOOX)@^jc`3JLcfyVMo8r_b<3>BOBd;rzsV+ibcbB z^Atp{67Y#TDhDRcjgu7bohq=!Q^+K$%(G}JK5h&R;a(XT$%qHMtk|4Ovp_`)J2*kL z959IAp`W-bZ@zeZltaj*BnbpwOCggMHtfUXfF6tq#7v z-U0KBO`2_0N3U5!hO%PEA`@Y;$S2aIJf)~DN)Q6u{Lr>s&ZAgB)VSSzI>LT3 z_Tj8Pn854kTH=ni!X06Ovu)ocC0GpHu-$>OAyT+7{y7BX%V+|?^npUyme9i7IO(Qf8vD z-#q?&3gorSfJY_oe<3wDYxdbK(1&PlqC!gYTxFl4@=QxXnkL*ngbF~L#QYuv^e*X6){=S+wIy1*z+lN=gZFR zx)Jx!Vw0N3vAy2uMEozemj|sK89saCcw457Er{!OwJt~fMmHLF7Chd}{BCs04C;MP zk|m@+wGHQYo1<&b;~F}yWp?R9cBwG@2^74M4RLl$7bxDU}wu5e%^I5l)e3biqZ!oQMu%ouu0LhDOMuk(i^CjwY|Ch{1AYl$8nVkO@$HQQ?+(hSL& zir2<<3;elQaH^j4P&ey8EHcU2?WKM4leBIqtl8@xp*^!UVbV6}vm}&(Q9S~^o?knA z9)oxt(7M-db3bOMA3s0WwyV*K(x>YY({|}L1wS`BJGXJg4AFnjwKhkq&OU~ec_kyS zHt8}77_&Vh-KDdvWCzb3?X5DuJEy<)b_`G689yOa>9RMp4tg&Pt$5#hCT@gPgRqnD zi{}OZ-Myq?$>V#$IRZN2lSgdzgb(@_3||PbXvmmH=v#KU_vl-Y2@5j1tXi4)V78Lz z{^xCzL}+dbl99hoxhA=54s}e#wa>k47rK}k8D?fW9nbrZle4u~y0&ZDoPx{U^IUgl z-CnoFSufaL?O#Vpsq6R}kNPTAc!}89u>QvaQxw&PqT`xIkIJ7ho`vr(_(x~-J!+oE 
zbYFX-9?P+}SsK0ej$^4pJz9#7zbs5Y+qxfc)t_+H5%6@??_du-{#y5{qYyf#QT(CB zFcfZ)!}xOdj#0#NbvA#!rQMX(&9dTmk*z81IiP5F9ES9GE-wKvCaBi;gUz=cp`dcb zOHJ;2K{6>pH7*biT0m}Ap@_{Q6}X2cP{jvS`Wm7SRxl2_iek!{ta!*gTl^4I52+|u zmIv!0Rx=zBIKYgVc-S#>QSWFW)2B`oWo&|Ns`ZYL5El9OA7^(xzXHWbjQ;wEKEhT|L%?DfK zfn>k4AA9#rUK!4mp%Shy`gAa@o;O)x2#_-$Cn^lH%vEeF8iJHo@x6l^>K} zk*_7=vkS!!lZ8zw%Z2jQ8lh;F>a}KR2tfAc3D==2%A&Wh(>&n)G|{b^@`Vk1?Yis< zefd#YvE15Y_PagvEELE}xG(R%1BSSS8p*jr=4^+92#EIQU*zFyLeNn86avsf5|`it zMXeVSLh0Q{mXx4OWgQA83ZvY%nXzc05tuB>4-wTqKwdRJ6kpQZY%&xR$sv~bwI{=WN=UX3YvC8I?Ke+w&8X&-l zQy>UMdsSbkxil1*tVLs_a4Z8}x5MX|l@|vK{@-8ZOo5^ydrJ(}l0SwgNk3X&XC@$% z&lDGM4{^OB#1Nhpc0|7e3n8jxG0=( zi?K;^t$qdO4&t<`7_*$h7{Y$6O{73r-f>J&714^>X!ycj7BjrBSz2#)%C1N+&|pO2 z$ABV6jUhcT38I5=(ja7A{M8fGmwX(Qy_FUWwjh3MnqNIyrC!se^V@jnt> z9)v3f@x9lD6HhZ#ervt{GAnqUQavXWF9WaXun;L8c5}u`64()1yWWjU>GC&LO)YpV zxFHBZS?0rgUjB^M@+zi0bqO-jCQ$xx+lHp*Ab2Y#$u+<@5_Pe}r))sjwxnO{G~fwa z6(o^_0vZv8nJOGzeyhKWakvV7_;M6^v2elXXM}GO*0dNmLcWTO>cb@D?;uwoNGKG@ z0!#k4xwkB7QP#K*Mxm8s=8~!3C?0XaM1D=+=ZaGAp2DTI;Tpy&IV9&*_-FAbptB8! zfUUI1v&+h?0B^g5I3u>lW~RTVy)aI-;2o-BD?nlo{>06IHlbHq=UNh&Xs@V|&};9| zQK*r+CWujs4qM94DB<#EUGayBfsS7jJvk(8CA7~AZjiouw5I}D7wg&J_Epe$iA2*x z4(RWjb>?)&Ruu4MNs^UcM-&X{RnfIK5UeOQ?`+ec1@H?hmzj3Pc5+gGpUY*H|KWq% zsgOb}qeMAt?atWP|45N>i%d~I4A@t>;600!yhZOOfNMB$4^XOf0p-_1ZxtfC#D?P{2@6hmp$FRMgqG#}(EELty#Rwhpj@;>F$dzZ1u&<=}Kpp;*9#&;o2DBiZa`rJ%y zVZxAn%Og8+=d|;k{!F>va=d08zAIs^;J4rGm^u?n1kJaen&zzrziBrK@Yj|abVux- zd1jHiG;6$4fNI04nUxQwYJ^L#gxK8G?~*tB#Gz*~J1T!U2;2Lb7Y4_qz&`-7u+=mw`tGp?Lkv*)Mw5 z-IWH$`wkBm8!=+DGm_Mx!cr%W7rFi=B#78yIf#qzRnQMhA|W2txfi1g3Tf~Khj3R$ zAcA>{&_kf}(TirHP5Bn_pVBppgS^Hy%94znog{el=|&xkLx50`bKC-9E$ZGDtTcmW zbD37IKdGJDT4Y%fMyWdYI-2m%1?>w5*b@e@BLZMY%$fqT<5e0Pp#vlbf-od0+Jk=u zXCJN788ySMZfue?4#B>B-OQ`a3ZI$wpQ9B5OED=idQPXR_d`hylO1JIRF^Y5(1(V+ zGw5Fj8gP7TS3_dn}CIO0UBq5E^dwo^#dy|_?`!)65P7? 
z3(N|>I`L`P9qS*fd3QnzT5>Sn?QoN(N;98Evw-L`nqs6212;ed51sI2vL*9mvc{q>cCzh{@LqGDj8BQ-*>t2;Pt zF*QO(Nj;NyB4d5X4zzr6iR&#JZh~;8hm379>8NRijz(?EEdDRTRXikPY%%`-grH?a z@%CVk3#xd51PV72eq6*tL55zm)6LmkveOl*?-)vhd>xptNK{29#bw$V**d55D9H=! zz8R;=nv{Ihty!6^ij}}*`B(_vrWdUfMrm4?hZ&Fz=kp-v~Y+IDui)pXlGi;G~NFAh}Pqj9=| z3L1gbF2loUo*8W=LozQV+ltH@s|t#f7S8?FEB4b<_m%%o5F><}k0GIM`lXs%EV(%N3&rp4{ziXh#*4V(H6bLgl<0Aaxit%efP8@12l3L zZ(R~y0d=h1>p?;w-g^|Wc8xbPyJz-Po@$xD=dW3J`)LR|*ZalvsH*i8X^fol2;Z}4h0r1j#>$f&zw z;lGLR`#tt2<&#L1$E!v*U({pMdm5>qpi>5F75&GH|sl}vVD;|v2 z5n*REnP5dFb?$)%T1IuW4GX~(Xu|p=4Wq7g)NQ1fWn=3@G%J4*68RQow6uwR#u!}= zPE#kSIH+59);mn-q^tjAoOA~xPrBV)Zbit3cXVBf({~K=d1b+m^wJ1zBvwg?RqwX~ zf|#;T_`U+*ED$$vE7`GIVx{4AZvJ!bX~bs6u~-sb5A^KMEId6wBOTz1=dl6Yk{T3k zln%XL8Amfp2cNNf2A_dmpNNF>TOIriUSm2Eys?iFd}qcl!997(6~<7(2hGR8xts}9 z-M)bwhFl8aj_c7;9qKH?%6o;pSexdQtX9&A0d!(Z*Y7=K>`v;cHpqfw+9}1Z`>`dx zp9CNVGr->6yu9W|tGJ{{+Yj@EUaE{%J{;*ujAGre+lJ|52@T+5^adgl#o3bs-vKh4 zv(Tzc*)Q*pxp~V6Oo=nW*gwzcFn`eCKa1fhIGSYk72yT~U#~kbVeD1Z^o1aM*_o!1 z>Zrj>6o?nw@Z0gWrlHJky#*@T>NHyrD_Jf%TZVUm-Ho!K5act5=IgJtAHH(Zw>zFA zz)kUAFxI?d9``*}9s!BArAAE&KVnf=-|k<}DdjsoUJ7%n#PZ1L70=#qO zWlydY;qZ%4s;0?wVWZdRs|%jxXwKyp{@9Ljf6uoIb8>F~!R~}Bb)TId+L3cGcX|2Y z^<}^6-Jg9cw5vbcO^)v#-n*H3>FI`-I<;+Lo{_R@6d~L^*rB;0m(Yzaq~y*S=yslG zVY*g5TwEOY#^6g)8c))KoasZ!Hu}roedc6WKE;HWFp99eE!lLh34>3%{RPjq()>EYH@>c_a{m`KR%{p@ zWYnR*Q|K@+4)KWVGsrj+_~TcFTPA`YFJ{`AB2cz(ZB)>ZwP}`K-E7OGbWFiFXG$l1 z*{XJG;TH=H1Zd(8A!ZcEj{FQqog3i#?+y~0WzsGYaB=o8<}JFfbt?(Z9~oQ=+Ba~& zXZW+`ysid3LZ9UU~3e(%0f@rqI%gF+w1;9OVX}s`-0n*|BF$-Xnur7MozNorVmayc!gvZngd;Q`J?q9S0%Q(|0YFXrJ#HKn@Xvlja2%`qm}wZ)D z&TqC~D&LmA^l+yxM`+&2jcbk{Agzq>rLeU&0Q2Qd*Y`heZ6=E2`0E4cA|LZfh2dh0 zOHvHGXN_gsJyU<~5!+ahB-nw?iAAnojD0Xv2TG8>{MH#xf<0LF*`ZcVh*(2f_WrHq zMGv87?$^c$DZ04M{9?ot)?phSg#5oP+X;4I0*y%&knyHZ3S2&|e_&#D@R{Q;5LeF{ z$J|0nKY9WF6QGkTa^8*!2LM1u2mrwFUjRBb`qsuqF8Wsg3p{68!_o?Q9kqw~&>m;A zKAYVZ2nNzUjTBPCk4|EYZX2Kz0aHV5qofmKlo=3tl#Mwt^|Gn*S_M{lDTHddWK+Ak z)uJ`ey4ZRd+*^D*_vXDbs)RsiYzi6%hz1g7xAcLHlY-VbahMRH22b=7mt!BxMx! 
zau}RQ!NGMNB4IPrk`C-7T`VDrUeA?Ul}o?MeKk%zz*F+^NLP8d}}vk9zXF)G@(o9MT*B zJ`@w8UKG#`x)p>oKnCUCmr5LPe09<;MriLS_XoUk56^fLiu|}2X zag?W@zubN23OuG4|0Op`p#>ZAcSvP+@#adKVki3w6#@kxM)s@M`L%oURMx_WWKlfJ zh#2Ij@9Puxpa6lRVgD=01&;&r{R}7`9f8}Q!8eqCIX4JlNUbEeU&1ROEj~=6UAQwA7}PExDqm_JS%+#hGX!|F;qJctzHys;&HFrTD-BD{m>Wg%AQF@vMAcTDl2ZsP|! zBdyGVG<8{Niy z0eN=>%&R$>v$2)FQNnvRi4$A)zgDr%f?j9G^1>T_+jDTkOTG*SEb-w+hRNmeF|6^i zqhzRaBdFuxd~M~MqN69D_ZggR%q0W6Y4@!7_VD4wyjILL7QM)T5{a11yH)VX zsLH#62!#7+seMu+Gq~t_QCdQS49wSIL6BU)x?E6;^MP+A4eIT#j+rP zU-)yaozaO6okNfMb;kX(&Ea)gxAHjbbl5I+$T96`V=4PO@pdsJ>b=o!*|-RP`x8BA zZrXWbwQFJN>v~Wfj{mXyavBC}4PfVOVC+?G`RLm>GM_*^bJ0>AlJXp>G3eO4XA|?g zm3xCZ{uH$ZSK^toh&958rN&Xeyag(3xj|8--qIzF4Ze%F+$Em(;xrD4kNb6&*YaEJ zbXhKSNm>1~q;kq^nc{pp^4?VHy|@Z}TNC}SXF0jpR(~2|INf0~-OT@+Bs`;XCeUB@ zMg61x;__LqveQ&?a1r)+`Gc0f=|d($rQJp^n}DK7S#pf9 z(rxBvV&ONLcT%Z5N8ps~H$4FBvJ8fr4zgR0bB$t)h@WZv31^fp0y>yYFjjr%W`;jp zh8i(FGK$1=f*B>|&!1`-zY_!|wFY{wFA8K^joL+tjEjt*YUEnHF?$qn2=lNhL5~M>z}# z!;IbHTyT?X7_2F7_MdxK-xVm@B`qul@G`fw?{Rwn>HaIVL z($4$Ubv+lZ>&wo1CMHMXj=Rb5FM%m3YjfpKRHIO#>jlw|0RIEd02$o)H9zqX*4D(a z@2h8-rgGq9qOl><_|#m+=@{*ZZ{)bfotq=IEq+c;nUqOA7|;SMgJkwP1%+ar7(MGa zPZ;mvDsp9bbn0!#CadOWqQj9>j03(*oKFy-6F+8SSyMLV#7R96-gRygm^%#?qB9q4 z60I`R+4lZ z^%SrUQO&q#p!7>JN+I-@9Z1Wx^7Sv#gvfIPf+g!A8e2z+v_EKRVi39cYIeAvzZL(G zt&lI=@T7~u)D+<9mUt*3FWO{KRx_MJWc|Rf?mwOC*Rg1pJB58iEm35>IBm19%Q&;s z(w=i^XvIP!hGfR4NZHuuK`U*o2ee2Z_l%o*fusI#D`U90EN5r#lswlfiH&R)bLd;1 z+6=UnOWR}K>P)Bi5_+k)4!FqJ3o_SoZ6A3`^WKmh9!lNN#dLV1Zhe;>%FLHD z#VA+Qe7!Tps_b_~21M*Uj6)1ytF_VH&UQ2hUKX0S#@Rz>NUz;UwD8wQDo8P%I4W<6 zl7=W6gyR{9%*4yaHLULkDKmpj5@pHy88xOGQJUgjUgt^u@h@+~noiBHkpQPgHwGlS0J+aWHN?kN{$$&LSy$lD=xvQ%j@REE!XL`c5yfpOnyewoN!0 zE1cY6^1y@qSiFge>J(~p=GG2q=tW|No*4-m9fKyl)mx{J6B{0cJG$fUGauN4V2R>m zzw}JSd`x2*i8Ox!a!=GBv*=cHVlae3UTiF7`|*Q z=q=}c%v~Mb{&kHMib?b~!#C|050Ox^lS648C7>GeN!Blzy~?J(xLDmy z|C{~0eiTc->v>FGTjUCF;sXD3a=b~5A1k$mn=T&v#!US4l+TEDrKBN8BmC=0tz}JpVBsXRq}5$+4$!8`&dn5BL(ZZ(X)3%fpg=h>!5XW>ClZL} 
z5~%CuJ(0-`M2+*n=1D^TMfz|%|IWpYfz2Yu1*e(Y^W|*P#gowpF4hHw%o^V@ma2;4m_1pQY>1VqrJqeX= zB76di?Q_E>i_&4us1#y7DL=xpFNuv2uUskl@L=dZAxNdQI=*}$zoXT&Fgh_1GB)~7 zjo-@{@as2@-?u$E<=oPMzsG+A$ah8c21xd8lMtKmQG>{e614iH)(%dvUwH&yyb%8t zyXFUQ2QYKAL;T_WNKlhl{vqY9DleLyxOVU0M24jq2BoO43=wG;0Vf+u+Aekv3(Z^U zg@Z|ei&^TGqDaDOi9Wcvm_Q>UgcSWS+|J*dxB%!($(L6Vse}xR%KFCBpzPejv7&Lk zK{FTlIVc2Rej5){lqL2=OQ?EH)!*GwBBdRwvTAR8b{Fc{i}Uk*H!4KGgX?iG^R2tF zAcW2&gwE2&qx%Cs>Y@Eh0>Ck_(&m7(G;B>gb7Z@+lz=^25yR@}qZ=8;JGBAqzn;b( zYD%>wq@4*Z`Xmd7VLhxyfe>fkNpdTOA;=zeM>7C1ARly!pu_KmxQ{XbGN2yh2tl9d zm6qBYVTVW<=J&fs6N-37As~Am*slP9j&(y6=vaT3YS`(n8AFg|4EEN7Lpi{rIE+6L zPqf6y?bA--=d6ijr~sHlvO4ov=Sd$BxqlyN4VZUF(Q~ZtIq7*%3xC{B1Apm_m<96- z`URjR$Tit&po5o1b353|y{6U!z5Ae7d7y2U;gDDI`uSF+{CiXFJ3cD%2g(0lZ<$Z$ z+=j99BHvmGU)azg>+IK%UjSUl$tX<=S6_o=!K$kjXPWxER{6M!X_Egm*}nP`|LJ{J z>}c`l7xX_}&@_EdQYZuf06CWbP6ushrtk2-xSz)w-c~5%$+bDR_iiRuv7>A-_^=~v zjV+^kR<-*6(W$Z8wl6S4S0^*B?e?A>*6>lLQqJ&tE1rUt%jU8gB31z?jryqM9asCB za%>7j$F+;v53dr;W+YW9ad9%@r@tYAd@=H-FQB7IfyuaX zE;1Y(Ok%>P^lg->N8G1uOVaK8Bih>`=FKYGcamV-S(+;m=Bu) zYr7*>2i$P`Hi?>*?gXP+QQhJzT&km5Vcj+>-SkH`0lTu5yVyn!{aY&|R_PoPNjf}% z@yQCZE|MswgLa^sc2?0CBN}Wj*TRY58sZ;tVCMEZT$ z#0@HpmH}A5+1pA~r7TV^W*XWpv5XBwAC`tolvE(z$j9BvfvCkdJr((JA)wEc!dG70 zn3R{yz?{@yq)3r{@LUrLU9w24dtt~NlL0d zA#^#3hfZr+D(2GEiRWUS-n;o={o)r9zXRaPpJ;k!jE4vX#iJYys=UNQD9)RX-uE1cY;g(WwG%xV<8#r_`yUUp3?>oA(5h zI*Jj^rc5Zp4pP%ZNWjj0Q(7HUD5h}Xl!1yVs&r5U2?$C*7zh;t#Y}9{@uo94Hj`$n ztuUs>)vR4GCa5|17GZRKO++eI@=J)e};`B?T(turE>=;A3cL`9S}E zrl<@+LHxN_kiG`z^2P$jL@S|4Z$CSl_ID7K7v-@moq@MewPJH=&69}Uw5g&dNdNaV zL^RIR_NBo+O+2V{-@B>n0wcv4|@i{4cY)uVq?#yJw(Es|O2;~3az9#F--tRTnU|cIIb8(jdi=Pa4V}hjy!mV&IYgD1_Hc`ZFNXk&Yp5qrabpKg@_ZP|N zf|xhiE8qt=VWvb(dEoc5)4St8_&WA3p9~DFg^$(gp_v__C#STBkR^MmDXX)EeDw8wDg_AxfiuI4F$#sNA! 
zA|+6jm_K=LxwOQ;lc;rX_XgwVr%lIz7KU zU;d{*m1FtxX&o=PDOY2C*3b5H;;Op0TfMTmX=_ct(SCRK(LWfQ_41NJ4k8}EmZ=#b zGk5=VzBuYe^yW57_wdMgyJq>qbhQC{)iY98spjSf^H`2lXt^c4RMPPbAwVqGJ~A(Z zLnZnDC_9HBU3hR?w{6?D&A)B)YumQ1-L`Gpwr$(oZJ&LIcXF!EAXU*IsZ>&_2TH0(`EJ$xecsw<&jSd!7mnvWY4p@J=$rH3R`MgZacWHvA zMU_%Vml}pD;K<QOigbd3|7%d;g)C>#H&Z`N*V@+junpb&k{N4%b{$^={> z6KTB7d~wI#baK)AaEizx*y<7mY?j+OdjE;X39iq4iBgNWc&hPCQ+7Je!CAemGu}s^9W!-Nk|a zy9-X%_nQMUf9^rdlN;9!i0IC;_SLwOq<-qoMU2B3EW*0b(wFGt%8Yx$AnAD}33ew9 z-h=x-l@wr6kBC0e9wQKUt3%l1@_MwWW&e0Gw0_0cXJC6e%$li9L8YZs5C3@|zeL`) zf>=Y0Uf!@WdAc669rK!q!HWOAkA6RR`D|sT-2SPj4`_CucJ~?fYo$xg+CoyOY%7>7 z7b=1hi6scx%9P78eJvz1vNF`=dg7hSF$8rI?8inxvR$(5D)sTZ{}|9Y;%LR0jCR2m zmsiE6cFIc*Z-gnzBh06iTIP6g`VV?%&ZlVeAYK-6f4mw2TR0qU&3#`6d=bntr5gCtcHeBvnbF-wruS+>M=I-{@RkS zHis`yN%g&69v63AofJnksn$k|XFctxdNuk`m(Oz3bEMYV^Pkx?MK2`!XL6el8~Nt9 zs+m@emtHqFGmRlsMJ%n&{yEK#g-*>|SWBq4sm_Q+;a{$lZ)Ks%<82$vKo}@2~Jm~L_apELj$q_nAxg@RC21; zB5JWy(qgaN~;!*ZJr0xVLs>?zL#lV{-O5opdIk`at;EGT4j|@v85p0qPq|4bQOGbAI_F zsXq>cc5(*sQLZPnbXOq<(MOIpHmf(gu1S*XF7;V)tn7{-&TS8N^cKRnE!oGR90_mI zGfdBIw#=(MgpiQD!R)Z?-+eUROvW%L%BCGgGn|3|6XcF=jEy&v`mw);rlFA)J zoxYF+N0tAKz}@911+^+3s#G`#Cba&V1_b3CU1t~mONeD!db?pg*FGT zJ^zcapn=368ZvXOPx=lhB-Q18bv8F{c{X=cKr|Y)s6HdyEx$adU$;?yb=VLbbZpjm0(EDFv}ZMLUY*Q`HB`P#YeDg zl(i=z&ZSZt=*W` z`bG`Omr=1)`DeM^M${?IPaD{@uEd5yj6~ySpbu|BMSg+fB;^|;n0rHod^Z$Tgu zmat|+s9fODf_h6H z`suQn0p1Xz*eRzkJCqtFtBbH=Gvd-FF6mu%@&4I`BXV-1H#wIsgq9d&(U#1<4x$S> z$hXEG0|ye-yZ7BY;_fq{&MTN;i~nh_86%r(&17hKql?>v46P7E!f6?<5^7D zdaY*r*P?N+OALHX-rxrvO~>ywc#gK9qCH4zk+Cx57?H3*AqF@}RhcsarMG?;DN*_c z?COJ6d{rUg7e`YHc-|_xLG_<)Z9ttyvee8z5#e6uBwKVBO_08p-<%$!#wk3-ma0x& zzsma>hMqot5<2zlImVGd9*mPVzA8Jw6kKrE_oGmCS+uwC=^?lwdL|grLvFGHki28u zEb3TwHt%Yh?>+^l>^U|Xls}&XcnL6-seMpc5)1`@Rdy_E@_Y8p7Si#tHmJi+>gc#l zJ20l0*LNomIbmn%s2WVyZ9WRO1?Tv}Th^E*F3d%}y{YzsdrB?NxN5P8vhS=wf4qfw zoKF0&$P#IP0hC++vSQ&guM8Sw=szNIR>B={Fve=sp>3RVJ3tej?kq3ji;TLQhLhkO~g{Z;1j zj4x%dRuU$a*njrq`w0&MPJ2=cDGd96_5c6(hC~NY4Cq`Spi63y{}n&wYG>*8e|c}X 
z=7arz_^Gb1ND^u#3UU=f8Es#wOOeUOlQ^3_u^%c&yzz<>w4RygV{~_Nr9w&1jzn@X zcLzjlOXIETwN5zAEnHvgQcr@FkUtPv<2=J)H+g8U&Sfu80U|<;48bH5AVBy`& zZDN;{{9boZ;-ZWd=3>-%#h4JLSBDJ>xAhCuF{wB&PR=#OiH3wZHP zbyjgs{7XGSVr_^EIzViZK~ke>h3qD*Iqi8dc|WsiLDR&VE?M!BqIh?*Y34Soz+ za@D*bx8$wz3QZs0^-KFbi)aS0%I8X7@E1faM$ww43iZ6>TRXN4=dbVm=jnt>GYoL6 zfF&}{y4PYX;^qVFbEzASlooyR%1yr%YQZL=Y9M|&0#c<{z7-Ne`ebI?Nttu0V5@@pGXiCwPkmTyI=S|c=qX4w*)+#;;S z+dSVP2df)W30lq*%AlgfNqrU6cw5*=L=F3&mPPogNC*v_D*u1usu&ceJ&LOus;eTC z9|d$IPwA6hQd($}5K-c#ab;r__XBavtQe)vZo+6PBxKe9(SXNAc_^cpfemvhGfTxU z#y842S_0?RYSLt+iXvDLX=EH@faz)L4wFz$&^bffNFSQj3-DpIkJK}2IO;*_kP~C0GRVh~y*mnba{1!4Pj|q)W#{BO3&58kp|F&NO=$tAIA>?bjWDw& z>ddG`m-r>h&_Q=Z6(>e0b?S$H_)Kfh<3gi(5v>j`Ripa^*vdbuqfKx(;}z4oSeB)p z(vKp0pWaHnM zD+n|PCBo4$4+&<+it0SE> znw+`>M+qbAV`wOKSc(ENMD7`;A2su83_Jbj-;a2$>pgs0ix-UyX2?nvb%MG0Fm}m? z-%cD+1l~{>$H!mpd#*GkO*xhlM`c8R@=wf|7F0**ZSnv1V5ny~Q6T$9134p@&dM^T zLUN|cyG^8x%nqmiYhU4PL<*Ks|T703{mperrt z^PtgUfVFCqEim1u8a&sY<7}sk*l#n&a~qPqYL>^595Iq1k*y@BZUG`=W=PN+fwscY zG?gvpvJ_Ke(lU)ukhf>-Y(*0rg<0;x{tx_TYoDXc!);9;ON+Y zWyT_9MHdgw{+}0p`6(XBrz{&|ZQ(>hA&9$Fj$g)!2TcJLvPb%%$Gj9CT4F>UbYW$J zGc6uY-9mkGp(NPmVdzhVC=G`o-!vVHjN{3tvJTkAFWh|SvKkLxc3HnZ6BgU?$^=jn zqu}rm1E^T9n3>00asinC*%-wvzxOT5Bh1j)(&P71{eCz?*rx&92QuU1GsnHgjt;^2Y&AME?wb&7?)bG4#_Z-Qr- zmhymF3wGu7ukG|n!__hmzilMwx9$g~<@Rs?qzU#^hpQLN*05V69q70k?pk8DvlGhM z_3^Q<^=v8z3Q{uiU8eK2{)qvuM*A6k|^ zwq!LN0s%fxYhz+=u1=&bHydw2Uk2?$)7i=!kH$<+!uXR^{tZwA7TnkDOI zZaloQ+a=>ydTwvJ1nD3I%1DMgz_1-&0MTE2;t#YTE-dtB%4>y6Q$YEBYwQfzb4>-XaS=DnDup^0CJyS||yrul|KkkLzBkBSVG zM|9k6-F9zwaBE{K>!{+aAsr||=2pOSnHfo#!*ab#rdc+Epovg=T~GsvQsaHjRhZ3| z)5>f{)u*G8hbQ%{t7S(WKB%)V$_NL#8`pT6QpYl3uQ~W}^B@#jPHCCS4tm8?nlCzS zjLEKICU-4Hv3F=^X{Szg=mt8%KC!ExrU__LX}npSx;NxV4tZL}k{V=3BN&hW_z)ZU z#cm!=oYMfz>j{}IqltPO)_7=>n3ppKGxW^C9$~#}SiLuR0GiTRuHr~-FWTm&EMYt< zTuWEc27Z=xuBTM`=F~~HD8qHvEwhs*(dTrgt#U!{YQeLkMx9t$-TY+Ta@XTo0u1_V zVyFF&v3Ia)xp#mOC>BdySzYuZ7!pE~Q@s8YWs;K6T~9I42BifsM@aH9Ai=)c?uCYd 
zy^KE2r+nTm4;?$c+-HQT-GgZ7b`L7N%=R=lMur;9H#x~3web`@B3081U}dsJM5KW) zoJAIjgpirYE=F@)#K{=Qrd{C;-gHNV+m+(BWX?9edQ7QeWfDSth!<rGJ}W%zM2XsVx!-MVCsuj2yqjF(?9fqPA%H z&g6pKy&)nW4w=SzM3S6Farg3G9Xf6y*JFiXlb#pIbb*sPvWs$fsKaO)_ZoKHv3xroUy@cXos=56zQxeZm8zUo|i zce`Uq;ZUq*D~hz|6{G8XS0qdGc2Y)30~2HO7jEYJ>)s$PlrT%UUccjL53}*HTivJd z@@mTGd(vRT_HH|7P)b&}pE3;6#8ao*-)nrl+H2W$wVSb}&?tnpI;2a7v}tt?L|}Na zWk#hl43$E@W6mTS^hsJ-Z}tXS2k&qF7GtTyOyFV)h@GGxYy3HC{Ph@h{_?j(mQ6;R ztkH}lN!hdD0edei8TPu^-DqP>Mw8*ph>#SmCa|L1S|6oxTJ=y?HbTuDrm!rg_K>7v z_mT{H6L>i*LNk8d;qmztUEQMb2C&Yq_Lwr+Ol+W397nTgk)itU$JWoE$D&Q^6IDzW z7}aa}mtEgYd+@w!haRGpaAU9rr;w@dD~5i;9e@`8DAx^d0#MuZXT7#e>;a=2>eGd~ z#t&kbNm%6x&x@6-L27n1y4pC~`3fa+xGth!=qRm9uJmCK~XctIj4{REpLAbN^G(%v}pPyk}7M?6qTy*XwLl zq@cymI=i2Hf60)vR?K94oI>=2P~q=Z_jE=dPKk+d*hrMQt83Zb$LXZ*MEnEO;(Tr3 za;M)?y<~(xUSMCPxTK8cp!L@+x#>?u37LKb|B9`Cto*6PLi=9TFz0~Gu~?T~Z)G`Q zA&LVtFyg_6d)1@c-Dpa6ncPeBPCj7=Ka#fEYQ@wD#Or0nRv8Pysfhng%$XZj-jJB~ z{DlD^PAPt-wO^`$mz)3ZU$;EVIX3P{N|>dVC`r9vxxY?qS2w9WJJ{y0adEZ} zYRA(UsE3iZX()7T4CFAU65^>EoK|;iraiiiZL~+%n*%CM%Xa)N4DpNLXI&2)9H#an z#Z4k#Y08pfBWw787?Pp#(JHz$9Et~`+R_fkOzhJlZNH>Lyc=eH6Z-IAvQO*QbKG@|hg ze)JPOl4wp=+-?^;s~D0f3YdTI@|tC~YCE%;W7tmfh#qkB@?}16|NU%4zW;9PO-k2H z5hgOw%JFhGVY?}Q@Ox8|_ezT3AMKVqRMMNhCn}E_ma|H#D4PPSaCMC@T|Hf4?2@Qm zNI#xo#*{&LS{LN4U2xin%lFCam#A0k7uKHU8E&m>uV6D^C#P#lBN>A1pPjF1&O`0k1Kwf4T0#KY)Gg^S(Q*s|YZN5?x!LrE^@TL3^ z^VQwbSaq0M@+z8!NCtgheLj-qw2ba^G|>eDT+Pi|2=k$}5(#ICm;27Hnl+v)sviO< zD4z){cO)^Dr*WL+-0^V=IYU9}e%3G=U2$O+77T&0QY_|a_5JisQhNrg$M{u=3Etoe zTiUoMFuQat0X3xSIJIp#(Z9Gq9fPc*pnq#KU2smKUWQuX@FQ_eL<)m)bdmSS$EJ`= zVz)TnfcroM5?wi51Qkol6}XQU#7NTL=6R?ERs@wR65uT413Z8QvKD>YQ12+UW~GM=-{a15jUAswb|6_n z_?Kd>ivTOh{^#m(*Sy)!_zAuewYuw0%0K%x@z+5HKK_=CwXxr1CME>q}% z@Y=N&+xrCS&2~!g0T2>yXl#|ham-cw=aYU<#xxFSrs2#bAkL|kHEG{F`#APoZ8pt0 z!e*+9L8O0rtf&6da5FST55T&StOFT;F_Z>JP)Ta$51~fqBe!l_vsDsTl-ml{tOO|! 
zJiBF6tiDH(tpIAwNmu@NGV!jsZW&(81dDg|fWNB*&QZA#P^m|^0zOj51r>i$+eDw- zMf1hxbOh{bvE595c7UJ!1r>+{ied5s2XvrKR*X2O$YyPZABd9NOelbp zn{xh%%{mMsgA3ofLfL6oHh`bcc_#L&E?q zVcDE8SGHh~9ISoL{H=@`CTM8?$G~nwzXK|Hn!^-_x#^ zjq`Fm{290CUI}wRUK${;&oC(m(g4?IsAuT&8q9PzQXjTfCCh6wh{U~w$2gXuWeO1x zi89}o?HG@ZRq%Jf$+oW5|p}_xl!_VA6@mm z`J%r|ow2IhDg4`SIz-imMFnr{Tw=UMxbRD8FBI&!*6{hrSpa%W;lkemy(47zA7^6L zyxcLx6R;C%XU2Aj9WiGCU_#C!>|d6YvtVmN?i}G?OVW18EeU5q*S{js&o9l1(^NF7+TG zgb(GOdI%wjdtTf<{r+aB=r*mxp1a@Z(Pu?6n>9jX3Ax1`3+iD$jR=dh^U^e0C*R`W zZzOymFOCAVV>l5E6ub^YK2(m5Sa1qvt$N6k+hf}-9tIB&vd-$oZsdTTA+cWzAN zdrJ&FM;O_x5EDiGeHLM2X{ZnkStuD-0kIq^BrX%Nkj+wQtP*dL7JWq{X{WT>rls4q z+9t7Dr>n$7s&q}V>P1uv&!YG0Oi*{$&h@N#j#W!nG|$ScYSqQAbKdvQ*L6Ibtwa^` z>7?J?&gU)v+4kdX$1CsHgzx4!=L==qp@Q)I>pgA#8-CQEo_WxC^&f&7Q6XEu#0`;a zxOI@DR;j-5X!tBbqVzz+xSA+QofM)_NBe>ev%0F9s;ZIS7cTJn;=Q9&{KAfVCa?L` z-Nn_--Co{>;9q^a6n6`*{kmi4Mjz+AD7Ntql^l6M-J_8C>rrcykh4C#I>zm!wgmg@ zjTWK0UCM=VZ|GXQy^m9nbpb(Jzwb$=g{C3u8*sw8D5+i0=Op_=GMc2kogyW{oR$(H z8GgT7lGW-T>&-~8HVXX}qK?Xe-GtPSSM-8e)NMW6DstpYkcEzX*HGy}ASoL!c7G}* zxya=dx4`i5q+b%NDN!90|jXcZdU@n~bpbPq=>J zlXTCdsK;55!la~RMl9v`+5Vr-#w}!J>YjObRR*Jn$*(B`TZ-Zmdn+9Ekutx z(qboT$yLyW&KIaSf2;|NP4#iF_znCe3Iea$DHl4zXzIOm>*Ou@7)w+{@pV;{{AwMRxb0sajZpN5yihrZy&h%^%fn{pUZG z?|!Ylpeyc7;c+Y_t~M7-| zi;75XtJ7@@W7?&yF-+~P zm6}t+CfpH>KjNN*U-iD9m}-EE_iK!p4{->1Q*|{NQr9Bpt`v2D*@gCGI;VRfQiOvZ?1Vv>zV!$@!$Kk^mhRe7Tw5*j6S}~i9^4S<4g<>5#@oEzha|-MN^k9 zmyk&V%in1TRh%X#OXs7z-q?Sf;ndlf-vHu$rzGGXlL*=T*YR4~ST|qTp5DVhi{~Z> z5sIs-Sft~fjFvnhrtDOB*8$doHVsh(MV(ilIe#42S#40q}N z(P+y%Rnb?}SUU%-FD18D_-$^C%U>E4+~_UrTz0ObR^3=zf;D9dcgwKX44U2J7Z83N z8$x_OFtkVlPk+itaQ#xJA?Ut-8;m&ELMZnvdYAE5R+u^utVbgrFOgeo!B<**7P}NZ zihj-fn`^@>aLuw6NY0qe47e`w%$kS%b!^7pQa6Z%Z)utiYREW%9A5hzr+R-2lNFoy zD0|rUSbE6njZM8~$d_RM++YgTnda(6IU*op1X573WPA&|Q5LsCZeYCgyNE@EpfoY? 
zE~JS2%;cd`%C4s%2j?`9E;=%Z`AoC1OLkolT7y=F7!zx6ghCxd<;|7s5Pv|gP_Pah zgC(?*w^KNA!g1UX4N?{#4)5h*7w%lXHTE*(qiQE~IS3Yx+=Qv>%wkB61OrM65E10s zLfRZaBlv#?!~UdQXp|FAFBNU5JaMOBJ%1)%`pDb+P(s6m^OSCC;ug(07-nSKKY$!u zYHaX|_x$wtzg0x$2#2dqgRFB4x?Zo3;ujr()++tZ#tfGD17!illj=gkuCrj}NXi7&FKCFZ1pnfIzVy z^A$6>9U1!xa~W^s%)@D!I+OiZ*xfL#)MzRt?xBOmJQYW-SeU* zoW|i7gSq#&9pCmY4W)7kJge*D#~d^Y?)Uh80Xpv9R9+)01X+d6b3vvl2$@OnDkPy~ z`a8sz=+{i)=aR@=Gq-OTY=)Qi!mWp&Q$S6rkZ(g2kYF29d>T%&!F5ldov&+eci@+; zfw0=_)goc8OBpinrKZv;EsoS}2BWTah!hzMK8D`yLG0?YE%o5+vUXoR)dl@4BWX0~ zmK^y5+bJm0l}8#VOeIm4z63&K-rLOZ8zIt88$|sAe$b^N3F!!f4|w_D$LitvOpjtS z)t@WbYtEXw+>0r!n}1DOD&?X{vU>IRj&=dphxN>kWRczMHnkhDmuolgzoi;fq8w0blt8lwMgRSpHpnAgEi z*ZJEYUqV^?Uwffi-x<{8jBj>W@T0X5bgrz;;c!ZrGel-r-Lj#HaW&&7hxO9tG) z)~`yLzhtmQbNJ#$my#=}T7~!*(lBYexQ)>1D_t#?eTW!!7z|N0;Ta(n zYe&iqK+ul-s4Vk)2vENa1YE^%HmGdRXnV)Em@j;&E`Kc76pdl0L3W656qU^{sI*ah z$?kKzkwj1gT`v$>^Z%(f*V2W$_%E6xdGz?3RysBbSY`;Hv)OlrIAxmcL~x3#f|6bB zkT$4P)Y|cTt_`77}+lOQNT5yehr?)$5G2_i@N?Y2V1ozO5WmCM_}Bg{8U_ zO^*dVdoWUIvZb8wip>dM<`gFas85}fNq`$89tk!mFo+@&5m^CS3&O@;Dqcph4jIvU zZ&ur#=qgss+I)HQeX0@swTyD3)^B-b4v&ApEyth+beyOEa$EAutofGBZ+r|<`l$FR z{k60q3&R`9k~%j>fLIpgTPwTUuiqsLp#;#d_=VnQ%9Q3QN!X=FCkKguJJ1jX_`WfTc&gqi-e7|IjADDn?2zUz0M<&{AQ+voW0&FQ+$aH6%4#JA!erWe-bj;y9e~j}MbDuaC zZjVND4v1u=aTF5d$4dxkpcd|33D@6=2P~~GOJpHJEI@D_h)zpE^RFpG38T+Dk{j62 zZC>8Tm5P0|K8`soXVKtHwH@rDtzk1@(cwx6r7gKhU2=wjny_}fekA^#|Lp_jZSdP} z{&fH`lPfiy9&EcBKAMpCL8t!+a|8G91aQ5}!?C1;U02kc7j!lg>5lgLcSozWz){a^ zRZg@WWz|-s3orJ~tO-YPPK9QBmNIgJ(2Zv@0XJ#1yrWyN=t#nta%2?YHu%y0b<~Nh z%}Tc5ltqoD&Q2Z~w7eDjS?Nxtpb9jslu9$;d#0^)yfT%-5CBvuu$~^I2RxS{1hRuJ z;T$z?I<(Sd>_Q)spLZV%{U4Hk2#|_1ot;%wp3krRgjmp)(G8MKEF){hf3OobrZf_z zfA4?p1Mh)NDu-9gYWGio69J{=An0n{#@W0+o---zHVYW)ZLWT}Ro2GMwjn=VU68|7 ziQT4{B`J%7@@w9^egrupk*^2j2@{_ob`tO|OcM3oP z!)tR$JJ6&c+-gW=b`TX$X=N)-Y&{AX2uw^LctgUV3oP9`GvVq*<-Y zl40&PW2JZ58KAq&%d_Od(6HvWT%Yl=g;8nRq^%Xq6oq3F1mXKF*D{{>6#n*{a~W4f zyGqEgAhMumO$m(PM!@%NOOx2C9bmNv?KRwn0cV06-CHY$-EHEwmw9^6%K8yYR3k(1^1Xc+#j( 
zy>7#Ry7J`hkMdn7k)u{AS`0+jWBmRp1Eu9-zlx8Zo*@kjeTF zBSP&S>Ow;ed+{pHxvh;A`s!Zv3jpRbzmo47Hc(M>}=HpYz#>Jb*XDh&WPhkz*CPD@$ENBml_5&#RLE8n>?f*WS-FcL%eKo4-4)aEqczZ` zAuN%PwXyb?ma}Iv7!&NY3AKu0fTAZ}sdT+}>9wxM5{=T6K6wh(sKk^*0k6={;>3OQ zZAv*?@`_}u0QSMQ0J%3lD%LySn2Os&4yv=4!1iOL9D?iSpq~`jJrn-TWQ5mLkWy0x zT~g>U@*4@$Nx$>OXVMZ3rXUQ5s>B_n@W`pAdvx31FGPL+Z&yWAdvcDNrPnyLug<6* z()QAo6O8a7M_4W6BVdM31?IUGMTznL$qhpUk<;lHw zsM*H{7CZq(kxf<70hS+NOz?h?Lj@GZ5vD@_B9*vqdc!~pg$CJy64hV8UULycwiG>$ zha)Gm-h)l(gddOBCmJ5i#|#n@LiW`@@YlndMpRqOBfNtJvm?mw@DqRm;1pKS@zN)y z{rF>`(;&3W;%kn6D2CW$6;hqoL@L<_ z$biBC;u>uH`%hrs4C(W(i-%bZ;2NS69PhBCxP;)w(pP!K|4Mz}SBXjj!`BZGPL1Gg zaNfQSlKmZn6M%Z=WxqX(8)4~aKhcbR`%jaO+YWVF4g?0d?t|j|lV!e9UJmTUP5vPI z>`=u<9(}SxyR_Bhgb|y5$=m)6TZzDpYlDw>vgtR>ie&7crm9>1qqT!>`|si-X0ARP zr|1lP0>;mn*)3L-nY@1eG*3~O>y#>XFNQ`YeLDLr4kKGQY|&_xsZ~mWMTN=NjQvfr*CQb9~>Kw;3ht4@7rx+}48ns-vx?FRy*(|DM zWOhWeE_a9GZ1QqFIe&R^IP>#%ORd-{e6;J(;;il?!RTV_%|;@L&0H!Py>U@16rdVh z49ZJA+MA>8XD74Gn!&!aG4iul)a+g7v&(yTm$lBU%02%Q{|(666HJRBV}Z`x0#5!z z-U#C0^;t@%-c%vKk<#pC_F68)huhN8lXsykv^12W^aIHHMr>7YbQw0mK;EIgZ@PF@ zWA>!+M6SF$a-ptE#U^J$hbGu1Cd@69*8GJoqq>QqwA)f3oPKYl*3wwcmbJ^=ZEvJ{ zeI}EW=rK&}akbo&wyDP2P_U~ei~W_z8L{YYfKH38dgu!(tqFpcWt|z)p!qaWtcldh zZMr6I9$8J)b;PkJhM8B>nUckw(lMalVjdq7gRSU}nTS$c)@*phIP(rcexuoJ;&(LN>L9! 
ztAo3HJ{Gq17HF`f2$S0j`<2PK+9XELN?C_r@qDj^wCF_O?hTht)=pe6kA6q^cbu2@r^F*qk54QkqYfyO_Sv zW`xWVBx5o?Mv|PS(3)dscGiZj!uiL4zE$@|@#fa8+VGE1@v%|IIo}#oKkzUpES{J!5uisb%`jSkP@NjGHU#*8RuwSxX#f4EO$=WXUz>Uy zLr!fxq5Zn2^pNAO&y2rk_Eb}P)Fsn^cbH{vnwc0Y@m3B5wkaUE zVZwuWxFJa=MG#LK7neIKQr4Iz-e+kW*Tr>fG2AO@`xDY%^b#(UDixsmt3*@c&t0iZ zOw+=@$Njjw(K0~6Df&<=FqfOb?L0f3;oR%od-wXOI7zgddZHccc)2dcT0L{lo*J@d zR0C;8s+1ob_*WGrgW~Fni%_fZi}Jpe?uLU)8^dl>8;tVLpg7=Y9+?`YBzthHQT9|} zCBCK-Tl;lqmMZWn6-30ET2Gj0(5$Id7+Cb6RVy!uUa5UXJ)bB|v~&cfr%0NII?H?{ z84|8K@ohDFarQU5n4{XV57SNRzg=KM~LB68oOa&`Fc0|P= z7xVU`TxXYM+-K&~a=}|+XXhzTo=n_1Z+4=z@yc9y6d;_dQ9fniY0{K9&te#+I91}) z1R5MSLy8I_v&6|US>=&*sY)bPDfE9eC}yacO$!T)9#HGWF63Jw%Ku`oP1CI_@toz< zn1H7x(1(3g-_zqNfgY96jRa`+le~hc#T&z@g&R|;N2XPXi`!Bg49KEG{m-)%Nk){D zaucD=iEg(G0n{~!Jq{!SaA@R0?I=7;0yRd_$Yi3R!68Cg7pl zxg083T2%Htrqrt%OIefl%B;}JNnVSOB!qu<6)_$#AK@$lTQBmrY?f1*r4mCO$;B)) zwug(!hkm%42R^UiC~B8cR1-N0A#+1~7F03`^)o@!@;!GlOqsCULDPySrtsO^VxK3i zfwn>v{$~%Q#EsO1%T6Txb2K9kDo@Q-Bjvi8I!Z4GSZt6^xN_N7Nwj^cV8oqR)>BRi zKBOnp)g#lZEFKuLcW^1Lt*P+@=oT?UCyj)BQ^;M5qJS$IeUr&b3DCs_1xz&WT2rj} z=;Qn?8ElDXBu^pE4)drmpdXg`z{74LzDRs8kV>QbzDC&`+buA_R>UC^bs}f6{NY6M zkaEmeoPK^?T-M%5{Ho*xoXXIMkHrYcq4tu+Nv0h4B@T2*Yn;d&{`m+g?0se-e-P{W zPw6h$nauT)JCVl~Ps*oW2FeY)p49bnJ>hMC>A!o+eX+?L{&7>`eYmmH5xJDLC`#|L z*2mezmL-xMyU=IB98GJ?#{^{J7CD}tIlAbiDID42JB3f&9`e2I$ zK$(F59B3%7pi9zMWJbT}UdeE&u#|Z52dF%;rb(CyY^9oW0+U85mS zLV*XH?l9`ahNHti{8~h!XVmr14ql3-#HiPp00`opD5>WEN5-AYra*q`E==4BMkI24 zF?rQRab%QKWeEml#w*1YMWpWlF&3Hkm39ID3B|d#jLqY%yoqhV9<_J*(>ictQ3QR@ z@89~jGj8}l-GZPE(?5ZQ)MvU12R3uh>bokW9#-n*+t-cgN%%Iz1#z2#Hv08Gi8Gk3 zP@(kMeJ8s+2JadvH9Gn5Su$vjW%(YpFHYY&-$4>olUJr$$eM_AJmI5vgD)|SA z8p77ZaQ7le=w6?$0FwiR0td*my}*wTIVxVNcrufzaiho9y>1e=yMy~zbvywb2O;}z z<}4}hY}I;)R!=V*vuI~~oY1u&jrSb4OJ{HMRr$R4KlJ3fdYA6IVRlKLq*8|YCD=)W z{ga>R3cTw^(w)FfD2aF^Uo+hkpOfJF+-GzO5dT=1v;XGjq7G`KTq#Vwp9rDEoF{$K zpIy3D8bfNzf`inu9+;K9R}NaH;<}&zRnE)o7)I-Abp6N{n-B>tZ(~B~nNz~q&f7c6 zsp*;@F>2~xdes$xDR#|^fR6)fL0Hgz1nwa*a0zS%&5IDn{a9+jTlH2Pi}+6r&M~{= 
zc2|qo)21E~OC8DU`OYe`G{ide_!-iDNzICo(UCH>)v1G)>1~GLi}96*#wdg~w%s~n zdvm@L?2uswm1g)rs^8BZn;{ zZQA{lBsF4i{+L-<&9N#j`;E(I7gH}A#*__=n2sTHa)l(wuJPlu}7Fjnb8iXIjBT zd4b06W&sW2jY!(Zrlsn9v2~e-Mh%JBqCm389s^C;iZS+zs7Q=QJxrSkIl+pD55J_0 z$~LBD)Z+6U-Tar)6SVKirx7xgx#(e z^a6_XV3pkN?9}J#1>K>q%`my@_m4u5=zdI&mWLldq1#mp)=C2NL|`~v?x5V7MN?YI zMTm54`o0&NGCuiIP;8F3rFS-}^&T(%PjAy)XAENkNQtwiI~g_j@g}8_zoi6`B#+mx zW#de#jw@g47f$m8S1HkK(y?+jA4ptL;ICoKW$TwB4Iyly6J$psvUZOWaGQMF+NQY! zEFVgAC4b*3=j(~f87=5zSDG+Wmodd2e)4lJ-<+FG4D2HK^Zc zxXn)>P|dUbm`txwr~uUkjV-lC-Bzmq208J$=~V8DpiL7VL-GK=xCADgZgC@a9C1!4 zVm*@&^)2o76_F+{1D2Y39TzV+(Kk0Q`O17#ri{#g!3>3kKF?-|-Nr=n`%n&V`zJZg z2He<;ZZs2F&xoZ=!+XrZ*YYWu!A@#D#aZQTiIR4v^~e4{i>s`*e5S1fM{;@~;R7NM z+|pSxzDUUwH`#eOpcxyKxq}heu>NkklxMlKkBOn>s<~JEo3W#z2j{X4%CTHYzv8(D zgHg3*i;MNX;4?U9=Ks9L)m#hiV%EPlaGzF~|H^!mGauQI^>g|4J)W3iRYM8AVm3tS z$P`IP$d66n$cAC9hPQ`Z32ACovRIk>R^s=CBnEA5^DZ}T{R+>PWN!>_XLWapJFEd^ zPr}PWA09diyrk>Cocb#ISLD8?Lhm+CM4Kug`M_P(r(f&1b(Cc?WQRVV6L_t%cKr?k zZHVJPUMIxG`g>%nzMIja_^72Rg6rk}C&fv4e!6{#X$gHEeRrMQ_hhaAFEVt+C+Kwr zrdNAbD=X|bsG9{YCb!vg&;<{NH8Zrw2Z`M*b3~^m*Uy;Lc1+UBHJCW8gV zkF5iN*Xd!*{swxXh>5taKMCDpMgPcf9SKaPv1@9UB_p;aTkJGI{@GEAQhSRN9vyHt zXaX`F)LMz7_mROw|HzUBh9MRRN|xxex`s+1!bR!^syAf*6SPwBHU*F{ z=**d<7eNKh2H!d)COc8T3TqPii|*W6&vYiXlLYgptcz~X2lh+$S^sp-OwLr!VjwtW z0e;rqlW&tX41Zvjp6;FLoua4cyPyhGb9vQ^Pj`MsbN;Sx%_bP@O)%D*&{%JyvOQCs zv$@l|d1uLF_hk37-SM9Nf_=*WZqCJ=$(*~cTwtA{c~_a>D&y>BX;#AigCg_&3Hmtn z-q2(>qo!+OBdH)Gnnq|EH$$(gCmAtn#24$v%}6$&ysOrhH?yX^*M?dIlOS6T?X3cd ze%$m>$~%xUDm5YY=Oh&aO-Xw>&7P-|VCBouX7crIMmAmFfd+FyYB1R@)J){IVs#J! 
zZN&}qfjqHoT=4-(@8tvYJ1>{amGJJc;0|-{Fc|Aln^^Ye!oS5VC-jBYi_Yx#c3s%@ z{(k7>E(hkz2=g!RtP-5yWxa+LurB=u7RjUZh1-T97Uxk?hd6S zi_|=IWkQmK159z8q~Th~6ySeAV9Glf3#C=f|D$wz77e|YZZ%WpdA~n)sE{2Wvq!8?B~PyokU9wP5)) z`{V2zaX#EGgxmRocHY$?xH>p{M{<}o$`{lN1@$-lzbQ;#Wx3~QU!}?#y743;E2(ML8CC#u$Lby#W?juhmuH(O zqb^N;7ao}1Rez`Om9pVVIU7GkO-*y@)BCg}4jpn^sPCERQn!*IQeFC>95U7AhLr>9 zqPA4a8yLf*@0Ju=^*m_FQa>5M)NUH)-+uOQ;R5yR2Q94urG%Hbu)mUmCBp9~MlL~Q zak8w7XLzsC;(7r)LE}K}fG0jGVv7_^rVi0GO;g5*CI!cYK~Fj$l3NlSz#{kPfJoZ_ zhy-GcUMCP~71+_DtMHv&DX~Xt08Q+61{$(op{-RbrhG>kIzkdHw4(yFFj3eX4ljV? zM3JZ4OFPznQ*Qwg0urikrRb2?awD@0MW?8=CY!>uvU~&Ht&k5$ckps zNC4Qzd;TSo(2jTcV3$v|3li#eP$LVVjAY@Yt(#znC~UM9sw)Zf6Qb5jBKar4E+t`0 zf?Jab-la8m#2 z5IG(kW8TYHVRecH+g%K-Esq1LMvJK-=ixlUv7y&vZ;XcGr%or{h&(L#Wpqu^)A2Qo zW2U2XW5aJq{`-j&u|y~i*FZOR6nxybqdnUX_r``sun~B$*Z|V(Q0v zf?7g>|1!FxcwsA9al}^FY`6uox%H1gBPpfCaIMPP>0MXu#kXf!?V3P;#P<-I2_DU{ zQi64qFDYpO-t+ zc#SzYjFN8D!D)b2g6?xTejFnhWs>-Z9*4-KY9DZ1QnR8rRcJLWNr*A$)AOH4>W8=W^tSWPJ0*jOv-4=^xnz`9n_h@n~6N{aT0mm-7uM3M_anCx1V z&K>)UPJSw4Y+kU?h%#8&)3#f(31M5Wwq5Yf47*$3jT8 zI5v0=$E``6h$rh`icYsCHfEg3_EdTy{ONYd`<{;{&alHtnajTwW%S6%$dHzaovdOE zuvj}xS6QT8BOM|fuRmTd);uCX`;DrvxdlsP#19KQ74V`GKMjZohCSI`o7g<<6vu_V%3lfxrN+bgt+7 zHG!2BXM6o|>_4EEOrNFLC)Ls4lxe2QVPDQqnQVgBtub0u=ih79#89y5J%}6{=L?uX zrX(lMNKZ~|;E}AQA_i#HAF!qho?laA`|7yX3DfX?ZEX?-$~H#({y^%MC|2^)dwgm3 z83vsvj-C%!k1I(L%Oj5d`*huy|Jm3OnrxklGt!I>>E>e=aPS^8iNPO?aZE7MiZ~`8 zFsFWMSq01F7qLvgps_!YNPCM1!M(ac5TlyvlKP)?klb6)BZ2Mi9f~X7PreJsZuO#n zSB}nCT|PN?Qcf2+aO;gL)}~Y}fTO8WCvl7X)V@jugQ$XFie!I{?S6WF>>(=k&x#SB z3q41^H}XE~y%qc78MJxbH-GSI;k80}AMrGG5mYg(8!18XSfEQ#IrJ&s_=>OoPB;Xb z^^yZtfCxMh#|Ka&gR}60%id#sX!dRZP)Sztq#FJfYO_pZLoU#@epOt@XVnW?^+4d@ z1;6#&>Gqj+&RMFZZN*l*MVEIfJ~_TZnZdPR^55J3)XmD9m7n>4Um|qA$l>o-(U*nj zF+O@ih@RjEUlpP!IrQ}pCHeS)S74xsw1}J5-)8-N)@NOO+b*GP7fRrZ_X|h{286%> z=N`Cs$5)Imt%waNgxQQi1uL0A<5^Hjp5o1BB>2#C0+I#$go1sO&rCjZ@23ibWOg=XB7%rg;z%Bn=g;ejor?Qknjk;63$t2H^(RBlyW(xpH;%=mjBBV zq3w+ zg`WdVci3Oik|hH>OX$oQUP&B)iWSpZb4D1<86aMKB#sR$mLy}k?q?xvi6V1-Hhp-} 
zBw^Dqc&>yCtVih;N+sK9Ya<-07v#>t{W7+u{JTkSO<_z?ivz4ER=wRkYQw2Ic{*AU$K0Q~V~S9!GbyzgrDi9k zmSCRHQp^(?!aSjyFi&V1M0SXl14n4I0ysgVm6!#zifLi;(3Pt(4`?_ZdG!hT{y0>e zr9p9Go`E?+YcNM>?XVNGgw|n}(0a@g`v2@*3v650dA^qqiION?iKHHu^`KssXgw@Z zmTcLwYgrFlwWG)n6?rubtxLsBEK0eQ{E+3w2-1yCjfBdShR){ z+0d@*){R%agEbA>ya5Ip3>_3C83Js}cK&l8y!Z0*N^~S7DPj}9$ou@yf6n>OfBy6T z-`RyxLYpy4Xv?}!Gty3Uotv&ew3V(zbT?gvXd7LPXgiWh4dQJNy#xK)OV=XWLDwO= zk9HxtpWcaRCtZ)|0lERvgLEUJU!j{2J+$uIP4q5wT~~mjo6+CH@)~`nTasuu-Ga{c z&~8L~=~hJh=-r4O0cV424+C1?d*%zaa)#sZq?I#%{@z8?7#kl}JsMPg0K}m0toOW+ z-y+JZUV-xmoEOgehtE2Py#N^~@Z~$_8$}}r&)6uem;{5~23%Cko$uoKSO8tHS!;4) zp&ocuu1>Mgl*qC4Adzzg+^O(-esu_*{^eTUmuq>S`C8tfzwV^Z`{^TV2K{(7?PPD) zapj3|zj*Gl)McElExTLVI)t9n(%c~R7-wUf^Gaq?UeLo10Lyja1K{4qHW$ClHn3v! z2S%n$jfi3c?mfs~(_T_|gy4PYPZ%Lx?~37yahhbxz;z7io6;U-`S?f?zZ)TKoXW=e zt0a@5zH$*=33*Z@*u6aP9^QLEN`>RCcs}K5g&YN65c=y=CLFEgc|3tJW)#=&VI-NB z=BWaxoTh~1HE28uK0)A=N?YNz^bi?p33-=uC~$Y$!(9=>Okc$N>M{It*_s`;T{{x$ zf-ia3`a)f6W&+ZZ5-){4!1KZt;S-??p&XqAghf+I&d^VEH=ZU1S^tM>OKX_}Uk+TL zdUm_&E~D%&OVYcxtL`#wdG?g5 z{B+uRk||BXbGq_c&D2rl(=1Y-Am(L>q4F|n?Q*GVCCTfgDEV_~3vC!lNIO+MIjKy8 zjtQ9s9-jv!xZ8iQ!Ry*H6u^y%l zkk8_I3{wiSoU-wIlM2bo8@h9`G+FKF-A!Aj*RMAj9At{Su%#qVSLOioD?*`_odm4A zANP*>oSuBd3?cj(!L9P~6&bLML7WTgV2wT+76}5v~@dSB4;jkGFf0RZPmhhg-UzmSk zj@3QP77TI)gR$Jf)!gDp+kD>K-rGYwL;!dPoy(4*+5R;ne5!%ezKKjnln4>Q-(KE)!0|~C;?a=5-yQpU@Eh749zjnwC=(|)aia8 z_1o-+g~Qmi7ve0K%WB^(q+?Cx%6cLO%NT;r*hTPQLnhq9UO)Ki!P_-a)2;f2de+{= z*_&e4rjPGaC0L$uvTQF8cZNG*yKyIg1cC5gsHi3uGTp}SlWrwUkQC2SNvMNLwgJ@1P0@I>P zibv?gB1qSX@h}z-Jf|Pc84@6m{J}x~)Km_xDCzeTP)&BenhKzoU5?Omqf1nM%u=5i z$dtOUSxMLr^$&bbq&?~nJb<{>($4VU=V*yL(;s|DI5$NJ@)i&HWde7I0uL-v4Ka%b zUW+8~GF^e6SA|9~KO;552F-rVQKrBV`aTKF5GqP{i%$si1&(%Xtb|XtQaa2>x(zLOJ zXJWmCXB^|1Eik~xbxtD=WSP#JFRG-;-%FY+S;yrv!nxSb1BbuXz9k{xSG=&* zLdZ-_2uI~Y2u_~yc)poj2omsuK8Mq!9*?PV_*I1vF^i#uwj8OE#!20_yg4#XORWTh zav6_~p|0?)t(I|$9G+Cj7_;~?u=r0Bi*isl30#QYun-k)pag+V>n2Bu3QxeJ7$QWi z_ccO2#{u7-BXczrPktLby%t?+JD~TiO4!NkD?>hQ!iWA!rI-O-Hm1nTh(P!EPzi@8Mp+0 
zm{0;#6~1WCt!EdW)i1$kQUzxTX&U13Odu-|7vhhg-{0Fp)s!NaV82b}iE@_MyajCj z`xcI)hSb;$0Gm|2J!2iZV2)?%s+#l=Tjpl%t(?6zW^LUnQKwjjaYEK07_kt4l28cL zswbnTZ(UxvoLC6CEiP5WK0>`{kjk7~w9~Pp3oCw2SQ}B9U_6^Qf$0K*M{Tja))sNh z?4RAwQso>~9?))iG;z zBD2z%^gTj2vRQv8e@=vf}1uDC|I8WBG(TPaYEZCVC7>|LRB!@5ke85kDX zke1vqXi$zIHvui^`%ud#2tE^@y1qYBJ?Fx3qGr4!`s{uP8MGHI=Q?JyB3-jNx9#(% z7am{CTX=Hu^ba5ZY2FW?WGi~OiXJw%=Y6BW0WpaVJ|BnT$MfePkxD|-++mA%a>YAYs-8>YtdRP^(G3?-U93z!g`;NwMM7b%A@+X^ zJ)uOwe%rj`#{Rkekp>=9UYcodGUHjPF#h{;#sfaog?|FW(QoyKqX3bLW>F)fUolLR zcmYm3m(QSPAENceX7nvWY(cm|T_@Cb^DBg`b1`F+0i^f;5}ML(0&68}-fJ}x(@gzr zedIaTTEST>LOfQbF(Y3b6udJBW)H-y&U${`AF0F`;LMi zpU3l$TKxEyl3;SC#*blre*Rd_kMB8;XBn#J<4vd@WktFaNIm zke1Cq^ER`xqS3r?A1LU<3gidBy0bFDB;p=Sq!4$mjnpj2Zwdp|-}28P!6b zP<0<`JHpwH#H>enMC4$yt^7z)MoEz#TqN_iS{0HbE!E-Gswum2{SF`e2y|Nd{6x)y!uz9*miJ4%BRlUc>^Bxb09b^2g8?I#u;d? z6PNf}$8yKz*1{@rEGz`l3v-p0OR>_U}cr-By}d-AX|4Evg}CkMMic*Ikfuk)~{ zR|#Rxg6)57Gh>qxTTs}dz=Jv-N%8Q7hY_sKv07zd5s5JX`D;SxMNB&U%miWuqDnrp zi{xJ+`N(KeCLg&V`3T5qlCTwA{py;@Vzw>Yi^6SuoJGj8?AR9WjqI3tX!fB{#xhkH z*%qTJL#B}F<9k{8sAHOKadNL5M)r^;+_6mM!8IY%S~@xo;Uu|Rg4$}%TQiu=g=o5N zE|kDY;Xuv~bLJW$kwMZ7IZaBEL!{-b88XccYXl;2d(MlG@CSA(UDoK!LH+&O_T23SY z`$;4*#ZCXG-o1&1Pd7KK3(reH^^lV6OT{(B?W|VgpOLLbtRb}1?S4so9>5E=w@Fl8w@z9ekKV#SB9^x-?TeLE z#UuNPDOC@a(*(~*6=m>CWWnF%Y@~p9)JNlVqhRu)h;l$XD&%qs^&#_y>1C* zEzNnrDQih}30&6I3JiZXy}k?Vbs!^~02YvcH@j>p zyNu0tBEuS8WFhRe;X2N?gS8=Acl8+j=UD@W6y|{#;{3sX5{cRPFA|TLFnX{VqX(y9 z^x$-i9&Ewr!5MT3&PmV2n88_eDV>deS#f@OHqI~4!TIHsFPF|6G0--2HV?kT{}B^y zN55@8JLH(;3Kw zC}$wk$J=SzdJ}?Id6Up^<8}mo8nPu6cEpCP2*B}3-HZU_51e2LuXiRNC@{yo7Ve+$ zjXve1(YSRUgCtAcu*=Eckq{ybJP~-4{nFkicW(|kO$0m>%F7+_p3w5W2-1vt_T>G5P zDyI`w&ch?n6N3Ix|2Z%7DaT0JyYRSls`tcD??892^Wi>c|G??qBfTee-=J*g2b}#p zuy>to6gek*#Q{a(Tw2#O`7R=n(shrwxLX^XyW83uoO||me4W2G!OIL;fgk*c5Viwo zm3x{2%1^nN+e3W4@(BZE6kjn-8>bD})vLK2MknTGnjn7<@OiIS$+Kgp36GSzqMaWX zpWICoBcz|0HY|`YlO#d&aTzY-O146Z{CEhX;M7jkdPh*x!%cpCEGXbXV1@Oppo7K% z1~XW}*bwtB%ZhQzKQ2pbgLwRvT#xhu-hjaFzZJWNro`JEiQCeeyhy(>u*R`sM6bgs 
zZt9Ib;rglacr)z^(71_$uM&p^`6m!X!U%qo!14Q86a~R(dic_y&^%<7{|Q0Jk={%OEwJFqq;)4PFsHFNLD|vy&h;5qO)#~pxg+F|n!y>3dzk{DHOu1(iglq= zU(z+tLw!9at1oNrU2E-c6%-S1w0Gqiwb$7mBh+grDvWF+ zO95H$ZvxDdmy~M zgs`5*WjSvjiDlIzrIgXQY_o^DL){;x5%z*G%@x$Mwg%4D5bD0?*cLK{PF>3gq5nE~ z%oBtjuJ%SYb63hld(-x0aMUKI2i877U@K|o`GFu$b2%E0PL(7P)9~12VB!^!QX?Vl zW6C*PcOA`3j%L>3<{WO8YUQZbyHv*#)$vXZOC92#ra(o#ev(8*mNqiJ7F4cmn3aH{OMOgE(2ID%lX?e zh9V}RUepO+Irh@Ah?%vPaaMp;M4x-|76v;ISMLb*aMp?#{y=A|#mD&>B?xX{SXRV% zz%n2eBJmloQo3m0M&55sdFQ?6_cbJi;Hcgx7&4k839<)X2 z*OsrFBb{xHUmZ7{1f881Ker)_-VN*QEUY~kyFu(AW>BR;zQ??&SfA%tTP5A?N|R|E zb8y1TOstrK6Jz7d{}MuL3PLqGWk%DRdi@KdzTbd$1S_0a3qczwT}4V~Vy0uZBh+)h zxHK}smG8b=zHg~~A6wqZm3PL94_u={>EQyTo@@o-k(rX&l2F>336Iysk@oL&zR?*q zM<*9)cKdz~ee9hvYv+Tif2gE)%_Uux#JiR4hl`TrI`gQy>jUU3YmJn3QUhNb>B7#S z2@z#3batvNi6n)aq9DssUY1}Smfp40ELmz;OD$)C$X5P?yI7yX0?81|@ohpcj72qm zNoVHeJvB*Lp+CGu>aFvr!ifk^JRXIQGeI&cGzg+_nO96SnlG$m_(VVIN?LG?K^8u* z=%6`@icY#qspw2_{nYj(GKG_W8dq|w&gxZb{%a$V(_E?hZfVC-X$M=npDW$JTu~i; z8a0=~J?|5Ud`R%$viE)nB z3n;QuguKG6_%#sC9Ym6~J7FJ@MG(^-BEga%Gx8UAbFD}5w`IE{+;X3?g?DrIIv$uJ z+Qm|hF-v2jJV1{?&<5UqXBZXJ&|Z0QnKf2qH*+gZ@JzMo}d1X7{}5M*mzt3+uN#;tS`Y?qyrSU0dUl ztuZ>x+T5HC(z>J%=qCO`o!rT0@P`e|}r z=0uR)Z=5#Gr)!=8J)u*fsCrJN{#2E9sea-#RQMgkz#VcWXZReN&S3vR-#PEoE(_m9 zYNUSR1%l&>^5NKaAP^LMNAM=3k6!AAM=-k$!c+%6Q|Xsb`W9C5J@}p7%8RBNlC>$V ztN#KT7>v`X6IRu7ReSGN9bBq9$W|TVst&CY=^2A0Pg!gE|C4vEF>R&k`J7`L4A@|> z!CW148!+KIBm=`_$PfsGX#&{^)46GO;@Ah`46&(gG6QS2nRe7Mt5hY@L``=ZiB*$| zs2Mdsx>8hirR=ooZ<`(!3n>zR=0|^2@@QwJi1tUn_dU1o93LCVtSW5_=)*qeJKyC! 
z-|f9UZ*qLYlc{KW@J_0t8_;1cvd^4Ncf(%?h2F`ub4qYdWf@E5MK^CJ52-IO#@FosiuK+(?y}_B3az30Uf4VLWjY`%2YRs4?P}yQob{MetY?&`CUJP>GzsB$t6um zW}dKdpIgb1k2-AWF}o2djT23@quqsS6j2Tkf?v+>%7Z&)(jVzcNNJR`jcU)DB|Jfn zmQ?KDc&YkXEfWJr9A}wzQ_Q^11-SP}%hwNyzQz`)oyJC9=i)B46x_Qksu@R=OIS#q z90tvKnXDxu)QC<*Est?YXL4mlkq%OLD`)>`IYjP5ws<55Y&EugB^HQ=mPFmIY?3O4 zqPhIRhnIavjNlByq zAbbzSK>legb_Tr>$v1O+fV$Qhn)h~TWU5^#G3Vo?p6M_~*ID#~#93P?!peHX{3ldd zNbdzc9;1u__#jGPMR@`FLK*-?O0P(#3l_;u(K1JQq@^ZBPf5X{l2lXxX{kCr4;{k> zMWM17G*4|mh8fZrj&zfJIHaJ>m!&$iWy&FnNRN4cP!33BP(0NwiadqTZ%A`#0Gv*# zeqT2!fb0!a%Vql(t&s-(7J7|KmN0Rou_TWl-IyW$ksCP^`9sm#Mr&B3DO@C(Vr2tA zhrj?jq|#5@4Yh-+`cpd`BT@Mk8gx#FRHV^H(IZXGa*$REep*p2MhF{$SAu)4cJ83& z>cWb;HEUE?IR*%Nz0qtS&c`psqogmi?g)Os_(4;!Pv10=7%_?nt^KG4MMa(Ta%Dqi zFAfiF4ZX&q^v?dgRn3sBhb*I8p2x4lL;BA31{QgLG=HDM;@~`VUDW(|9ebKnatszT z4XMcbrJ=v9H^fy#_p~%e#N|e8VkrJXt%C*NaE%k2Lz@TaDl`_iLxmkNpi;|g+d{$-@19z=u|@vF6-R7PC|E^yH&4-MyW$V zgBr+*Z2P;#(iq<@qZ)?ie(6wu^X5$|gvwZ+BfN2cjiRbpNylQZk+PoOWC+ve>Q|FY zttV?@s_S-KecP_S$3;(ypEjgj7X;S@T}D-^y8n{epgu{(j%O6IeMXk!umeW@;RW7j z6WN^qf&{TeRW4W+5F%srh>@8f)WH@@3y~}?L{-lzNM45oWrahstnjk;@@1Kg25PVN z9Eo240z3~ul|Fw?sPo$ij-9lq` zx~4~{=}AsyISrBY#BK3ywchV0%(kolJGk(@bj#kKEn;jH8lkABHPCibL*NQKBeXo+zUE4_XYq#0J^5Vw$7U>r^I~51UcgVO=XpFnI(D z#R)6$X^9dLEhH>|OM3BlN>5nkR!c(U`B)>K&lqnHc|KO*`6#?+jY)j23!YN)T4{n( z1;lIA5iAOUO%PFMCTiPFz%5~Z7V#^6WG39oS* zY`8vQ)0L2~zd0fN!vC!qTO5t%d`&4shsXT|Y2Se6xl+w@4&&#d?tFbpaF6tAA1?g& zx?ZtSZJoA5)@eIJoy&RXR+Qkr;)3LDf5qj7K_t|8FJX=mPCNQG84rq5DO#K;y;dcE zTPh;o6eZJ|onsPqP+mpA76?*{c9V?tk^Bm0A6H`Ckaj6oB~;8>&TD5Anon z$dbprasS68hl2R(D>!_VYRHi!9K`_##V;UcF%pZQt?3G7g<42BqL*Qi8b1y#Q6{Z1FM5>Y z3{>m5?vDqq&iNN!tZYTJKnf6xf_b4W{D-z*u7mDLZdC_KRABL-a;rWtYG&o@@5UDf zeh%*sqdYbZ%TR7f@5qbcsJa#^8AR>lC`o7b>&LYM9~gp!!3u@>;6oNI4OSg9k#G+^ z&R3gpAy^Je8TCRVf84v@KCTrLiOb1CPbdtTNw=;nlKH-G_TGqjeKq-6oo+?JqcS~J zvgw4#@0iHSCt|{&t*KRB642>w`+5)^AVTDre zmp6yD2JfGG%-%npat}TBC(k`=>)GPdZ6}1b6A-3h0F$)CyHRx4nsK;x9LKjE$1|?R zyEoFV_RUXI17|X>rqr>%?<`#9!1oMEvT6dZwaGu&D=YtDtR7R>B-C~#?R#1yyAv6Y 
zH#wV}B^i#j3ZB8_?4J9j9e3BZyK8Ikm&IxKu;3m}+V;vEcgQ0R5F%qJ1JL|t`y`vG zZQrRqzFm7fUE3qn_H0;gTlOlO9=KDL;Ok5>NbxB;C(<=%g_^S|$63P2lIvhI(|Gsn zgA?~(Pgf2I(A5S~u7mJ~W%fY`!LbHfz_GOJjNm$xHIa*Za$S$xQ&8csP&>R~*|6+Y zc^)jJs(K*o13sDfdQRwhBkdX!Tw_^NF+AC}Q`@y&+x56QRoj)W9TIAX;7KY-$6kBa z=G&WZZ%u4XkOo#moCfzGgwPm-cQBZ>GUcS}_L8BkY5bRZRs6r_suf&aq_5Qj8CSDF z7;_U>-MefXk^=Y5+Y#?DUmStyzQG7^1HUVMjBZ63Pi*hf`}MHpzefcz3s`0yQZ|Y zanIX_Mjm?=&SY5us0}evFRhyY%tn7xt^6)&41{pD7LjG_f`2I&6GS~QV20I~@>(@& z@@*6=@pN&3Hi2P5PsZsMob7@W1Pfqp(1TZV`=nSk0!qdgq*qC1o&_x_%@3_pJ<@aF zdhMx?o5`sFrFu~H9afU+Rjje=oG~KJZSIys4aE-2^g|O$@Wgc#1$Cko5G|%Vc@VK; zMxwdD1lkQSvS`jRq9z%aJ8NPptHJRuAUL{ox5XI9T(n2oOO*F{S%Ozlt6ptBuyuE! zC9g^?F>9*APDBiWa6S$;D_A58mRh zM{b};mbwkcaDTqSlM6g5Hm@(mSCpfuf%6;uoFfNIIM2r*W)eR?59iKESm!zpr_T^M zAw>9?SMRx|lyqe|v=}Ely?WG*zN?|I9DM-=)%mS|;qK3im3RzU8`Ip1^E+cazZH6k zp&{bbE!s90DEE+E{l|kTm*Y98r`aW*_l^*r@+x5!bF@F;?sYu^AOhiei0~vH<&d*e z^{&Vpq8A#eHU0_D%Zv)NLsM-`6L16VU|fb&1=qEBUaI2Vzfr0BTSC=NJyi`oR{ot4 z?WTh)#!6(3S4`2$4eY8_liwHzV3mb{|0b9ZUsKGUxS&Z4zJT>`T0^I0CTdSm=1!j# zk^E*c=dIQR$(=`zsI#Gvo;U?9^I2xl7;m2&DcxtitHq~q#*F%kqx(Q-^f5lo$;VNo zJsv^iQp_OxF!3%OOrl0+x^#QJ(y5YxmaNFHYY-4WjD_R!n7^BU}C5z~e`b$|8eBN_-HhpQwag=qF&%HY>r?y)l##PI>&@!HOjN_dO)tJ)I z)czj|44JRkAV(Y2tHXudG2Juc5K=^5pS8nl)(i{oU<+8|mrhEuz#xV4f*4Q(ONA>% zl8I)qG$730o>A|<$@`Pi=oQkweYSL$UGrH)$2oOuh{t&9wE-(38^6N9hz9k>uTki4 z-ZO%(s9(V-SkaAw<9&}_+akYD%>Ps_49}*-zq*Ub@{Dwj;7ZQ1x;IX~1qDz4j^~YS z&l^vx)1E28GnKYYky{l_o91*y+h%Nwf9!u4N_PyWD~6v8rYlBM*3kkdk8S1v=bIzg z$QD9WmL!^3n#Qd15Do=oeW?bie~v9LdrcWQF%ye{z;4xGd~cH<6f8=xrubFD*6KDx zDuNQlA5;6o^t`uA+89uRq_G-_1CJiR8j2YdcMT+ov~K*sLPaANC=)ccUcVI58wFlU z`=kwJp7+O>NmVLZ1KkYT{9+k=;HAjlk{nIm-Sv8FQA(R1%|`tOX5*K=d_2(WJDQQp z0fDY0x`yTtN6_2?lt@|m-mgSI*qeb$GJ#MeCq{A183HqrIIroG@@4KSA4RzcDJewG zA5oCp8lDI)u8`_AwbN%f>R>>M)Mb`I2ozWIC4V#?3WSzmOozgne)UB8MGzdTLUvgM zACulL3VbkxSkxQmMSCDTGoo)V8B($VSI{5#gFrkIQwK=o%8gKDIR+$)K|T#hK|B=k zE-Z(FAmxmLm@6ipn808t5Q8Z5i&SA`&5Q&|^?l?feo&qw??Ws(5DCYTaVRySkA{Ls 
zo~|x=(t!C_SC^ht*ZtuYiX@ad+KtHK4QN7?UszuBN9CC!7cSDy9}UH?lCxqc(2eKK zC{N~U40=drf=_*ilXGN$(YhLnj$&{Ckq|q@BL!^&f4Y!&inLn%E9@el<1UhYg|Rtk zKY==g75uiWJQ)`%+R|n1LRtIQ&aJtJb&u+{%U)Kq?0H%Q&)|+{WZN^6_M8$tr(mDK z&87)Akq7Qn1Sg9M}rf^xc&@d6vlnH> z!ywCfNIZQU$zz6W8ZJDPLI`n_u2l9`MZyF=HRz~cjXuMNa&TaoaDQtaqu@63(pkn> zWvBBuqk=Mkr+{ccEF1m;MIM^{wWQLwmc!mKAK+s#e{{tg02v}qH8S>KzUp=~1!y9$ zLQR_q3I4(_E=%HE6-A*r{NaKhbWj@cJ1lN7YFW9m;=N2kcUP0w zk5J#YQ-5;1{$#p-NT?qIG=yeM*54$|K=odQ>t1oH0^COJbs0zPUV}F|wK2YaK6yTC zE-G=OkxS#Yt?}+VXgF9xYguYRrQzMw|l?r-K-RBOAvZILAho_mLue-efe?XJn}G7@ zSBsv-t(@#W=|guAPI8?>=b-4Y@{a2ig+e(bZ$t7vBrwyXAIV%D9?wOdZwV3|4pg(3X%!7%rcT?l*D7P^aJdrl$7hf76SmJl2oylF%|$Jm9)rW>42DfR1&Mz0*)b6>S6{*p2oAx2dt&RAYJ8{ zf#J-+$&9Zj(|;mce4VwpvP@3;V-q5?asb-OQJ}4G!7AMvfm;DU%*6s^YFfnQ8;0IsxVu;No6YD zH**YcQCE2Urebhf)b*WwR?Lfn1^qPNFAZ|d@9ypf%l$s*#gQ^2Bcdo>`qy znesNFy!+-nS4h=n@n_e(+gcJBm1FiUIt&pouTm z_WgY;V$qc#7F{V~(Ul<@IYgy%1Z^a(4B9^j=vY9eb0RXGi?0T3 zI$g~*!AiiE<7?~SBPcTSm20)|VIuvRIB8!V6%-jE8WV+u+Xu1hr@flS7dsJY$-yJL+ zRgV^y?k72(M1*02F$W)~$4-jA9Jzp}^Py-g-h&yHT;AD>bJMdkW9M_T`xkimqlALz zoj5x=_V)QX?}>g*?zMtF)w?+<^Tz-q|J@9FX zf#ieK$b51w1vr480P{M$#HpXAAQWP%tfYypI-1Uk#C{kr*jdq zq#IZ{h#-8O2lPilkRLa@pgmlMThYX*8z5l5rr z;Fcqx#tmq=6dMb`a0GW}+UXOVzLd>ZAa?vqjHvITWmh+tB`aQG)hlwqp@b^Z+chH$ z5G~WY4LZW^gIf%OPLR5M^wEk{#h-Dy@177Ex>HW_H~rZB#4HR?r~0Q;wrOLu4+Z@s zpA`v>__0n2;0pPO9Bf|#g$_d15LoCAD?*JVm=7!STbM`?Ayq*tLe5X&mA}X7ZA(^x zgs&Z9xFSRdWn!|xhslN)9bE&89w$XT7hywE&N=e86$2bHFf4I(iC5@9(YAz!E%~W| zfr*G(a+s-vZA(By06y(Gyj!)hU-G{ie`*%q_)+@QTf(Wg(yv?+Ub#fBr=4>G$zYo+ zpq_n~k>L*W1((tS8@4e~2de?|qH}9SkTUYwn&P2`MEFcExMqP0#}B500ulMgKnSpQ zLdZdTU&h@)X6KemaQCJhz0bdO0v4LRPffHL#6OTk_sQr|e`2d({=)4uZLvO+F`=#; zolw;*bJ*BkGRYv4S3Pdu@(!T&2sDc%L}IG4Nj)0QZY3cVP)#-STpc)wzB!Nl8Blpj zq4FdvQPC;5ds2=bnaqOtCX7P}-qLt$pOrfz%fjQctnQBYKLZQ;F0y z9Z%x$o9aB9u9*~SCR2|8VeeXF+qkmx3|}H8lA=h8k|;{%Q?Vpk*2|KtSh8NWY)P^6 za1ta<;wXC9a#GnD%9~oHg8nG5ayJdQXxe(WNmm;rg@Vm)we6-*7iiZB0yM}X-5KH{ zVvQQmA8&t_LAJ%VKZ@RShck0$IHV{$cHBk+eN4{t&Yk->=iGC??>N-?xVp|Godp`U 
z$eO2~u%Pai@mo1UeW#}{F*7I!3ASvV2i4_3Y?e%B`K{49Jv&RZo1KR`>Bu*rLgJ)C zGM$Hrws7sjdY91HCfE;VVh1-OLM*p=MzDu@@*%_Asb+g&uQBlk!<;I*gkj*}z71vm z4v0U__lVrE)5YU}ZT%7y?JpUXbILl-TgS5ogDnD%@SL!+HV8SCgoU+1tScq)mdD9= zSz64tgW#Rd38&cx{fd%!%Q*QiOQ*rs1NYMk@flt>=#V9X5AVx=Wwg4LUK~yiM4A;r zq&2kRvhynsHO@>OC4c9v5I1^Oc9AXGmnhC4dJlcpB~OxBqk_MbKMl4Wb5?Py$yz}< zg%L$s0GW$PtWMQgmAy1Iw@59yLcQH^oSmg!zBB>=LbYo8BKmN>PRo{5;O{|;d6^-a zWD&gRo1y6185HXkLVYOI2l04~B#MXRP{%2-&Rfw|@|7enckvAq8%tZgC(^wqgx(3% zI{|0_P`sMJfvS-N{vO;S4DHnQu| zQ8=GpRp~^`&vFiK%R!?24YxXz9-0?5o0Ex00n#R`RRqCVA5yzfx8=#Y(%aDZK43`W ztEfU1jn@)FMFat7r_>>(gjoyWs0Uz7F2iku~GJu)!{JKv-96p~?4j&anDsOErQp~=h#k^!m7W9)S@8ETo zeg}CaCvKEoV~i+4mmS--ZNIT?+qUg_W81d%#;ky z4&R(6p~>W!li~bRbFw)p!F56pubrg^B5{CC$81^Bu-$u$vcHKi(O2gpF5qwN;qdKj zDe^ZG`Bp$KG7vcuhv^_LT>Kyb9x|lc<{>Qn2~g%quBaX-0@-dgKeifoTb9f$()80h z5;QBP+_0CgI5|V*ozs;QP(BUc*q@)*U3~$lOZxq+vl)C}ru6cfd|f` zP&j;Ljfj!9*n~XC43#UI1fEuHs-?c+kxzPgf7Q|zu_MP^(;!CKp7O>qj2rQ$Uq45| zw-H7|t~N0?9zQQhZm@TC#?7=ijD0MO9>1tNYh&FgbE{<9|M^mo>|tXW8rS@F1VzJ8 zOCN<-j%V5Bi9sdK3offr-n>boRuEns7pYy--$h7_ylNu_yF>pVdI{w;uuhpsH7!j& zcIL`!wZc9}5pTO&y&=VnY7*AQ)xy>F;W((&z?D+b!PUc^QI78dv1+q$VLyPbb?J0a zScm?S+f*UxxL_|&bjq-9RqRc^!%TAU!atgcXMG}ib3&4Qy#O@}H-lpJNDz6ka_3pW#L>!KT1zKlKA>2cSE`@5L zkoRc6jF;4?y~!1jpsI60*DraY5~`f{fupL)mqH27NNaOa)6eiFR!}M^$}$w#u|ND8 zQ^jeXBH<+e@17GcILvYx^Zo}UME2Ce}YlpDH2XS;85B4fK2|) z3VlFFBWnE(G=+kfDwOh8FICC%U+fbINPHlpLi?UhLA}BY1Z+5L@_s@pcYWq0+-spD z4Vo!_SS6%d#)B;7ctFF5|L;-Qwuc7{H|1a0Z%JrCBSz}?@6cxUw)Ql?5Aitp7`F>n zF+B&o>0S*+fm#lusu@EgJ?gtPs+Jo<-B!#tT{U|H^*UQzUYy0ZDEzIm!uMdO;mh(*@THgUdX<#@xqwTZi?&2jpO9__9&WJ#>$vU{bIN(f!LQ4+En>_#`4 z`pDD-HkmQ0lEpzYKE`*Bq^H>k@6i1dCLhpNgL@jM`iM!$epps;vVEr zyv3Oh`7vcmRIogX-wM3<{v}`IAe4}P0cLc>ixkU6BB@x#G=yNQDpDKWL-xD!zqC)p zNI5#(yqu+qVtmi|PQn@<3!TcjYTUpW5vm=lYSou4@1SzQuIZE)?&Z$Bu=_KYg%#0T zM|_69YyEz-20fQi?ZxF7;bKLoA?VeRV0KN(!-%Z|(>A@YZjn8j7o47AF5gsO<_tR7 z6KO}CJV*FI48p!cM#KxmmljgQ9U?|%*tlpzoHIwBZN0FSAnf3Ys6G>*bpw&)QVsI= zoN#naBb-q<^8`+aYPGrZCPqqx7{@|GLc&0D`w;`?AaBLlfrGj$kg!BB@s@$Yb0TfE 
zN6$oi37`b9H=8L}*!=M2JsHPBZI5yV_gzlb>DnTokT zgg=N?86!~zDg%;5xasdcW!-@-%h#jZ@vLjsV$4sp7dmC%yXTANN#@t;)?%m*4ZNM4 z$$+C=i3jGx$QqdvUKs&o#t~D9vV-IxKP2~Z_uFGy@hMHF-8S+N@Fi6BCWpP~qjMap zM-&1?%_b?@(?kw`A4{yf{zMC2Au4;3n1t+Rx4F&at@`g`3gh*Q-;-oQ2Kh3)eT_vY zU&Q``kjq}~tP%xxAyM3kTrPWD4H4f85F*3$s3Nu;0;Yu5TZo9yMn|9M2$^Dt4mzpB zCi?$0`{)Z^75+7Y@ffxzRql#{M&5yPE&O;o%B{*< zcsP9&A@o(a)f4=d>U=>;dXVU*f@Adv`0DN9c+x_uhwjWSqY3E0lQ<5Uo$ug@x2}1KcG=a$TVp?@RDDZUcR2%#MC5HuC{Xg z3LN+uP<|20EYsz^fZ}Hiwc>C^NkGwuG%9`zdqJ4c@(oaN12~>&@@z_M>kRJkna+{> zq3sUJd(}hEqAL)s_PS2JF)LWr%=oNnXoJT3bocQ-xRXBmz4SYoLA~Ny!0kA+%YFV5 z2jS#5jm*b<#jS_K*RR<97Kre2zlzhh6Lkg1=|yAv_vaXM?KRM9Q7Lj0k(ZOGRV*HR zWuzxBF?Wq*B3oey@n7(~&`6pYII6e` zX+MKPh~Jnc)kybou@nKJQze=ij3t0__E0+0)mtsDj&)wGfP9}6kD4Ipi~6&CpPMi! zx{BwJ*pG||sG5!~JfSx{;ioJ@e{wh7ey&bV?#Lf-(xec(#F}vGi%(~|2Ee#|x?_Y+ z@r%5?gR&M0QvOZ`@F5koKBTixkXu-6XQb<{cZ`2$$q(py8A|J$V>qGa2r$#a-0a|N zv~<`OWRWCTakqz~q($R^rm3wYVO9=j1?v>a*H|lXeezsV&?Lo$_68d$>P%f&0Q|!B zBm2DhzN6?h;uF$TtFD}*S?T}?7QThv3c9rizJhEtBqS`X|I`Vpkz0%7kgrRFmmwj> zJ9NZdJ141|tYPOqL$b9xkJ>~ezEv7os44l7ox460#s*2yf(R*&QL`-%}tTZ7W zdROR*CIwVk1K-LrbR9BV*$AV!d7WBrOq|ggd88|;xZAs_jW>sWRDO(=Sg`}TjKoqY zzVA|(0Dq!scd}WuN586}eb1VC&5_X^9Lox5LeP9dNV|v#AQM)a7g%M>m+`nz{`*3k4U+2|7*_%(Eo=gO3zc0?&ryux)Fi zIqX01HXm7w94Rt;>O`H^FmNCe#{>bF)EwVp^ z-u8R@U*L_S`26@lhG+AwyS5=(D;~gSze2> zgdv_qHwUm-k{l4UfYk9~Ml?>1WiGbLT=XlSoZFvRer}BfFEAH9MImw#warMHdkaE$ zfp=S3M^xZ3p;8@ARdb>~pOWCbLf-9xW!3LNmco$6u@ib)3o*n1fHm}Zqb)C!#Kfo{%pPwn9Ha&)7-W^@^i~f87p1HmQP0kZ988`Pv+>tz#GLcRVWr*Q z?1n#E<&^1o7c^lWTJ$YL+3`WhEz7!w_xcl+N-Lw|B8VnqA4#g4#GGhk$qgAh!(PD% zAS$n#h~M}jgY3b2Vh0J53%Q#@3`O+|0-u?X#QX0TDvX+<0A=I`zJhyb&oQtqO72q> z;qY0=H_SEyK*NTWYLv8dxFC7FKyRZR+PnpZ{!1Zql1mvwFSqjn{P_}Hd#BJc%?S$9 z7ip)S+UjjeKsK0?LzeFx?Vrv71Xe&oTZV}wNTB$W2F(ASfUJr(YG-V~2y7NjlSSr) ztj$7xsk-YFAFTF}INM%l3gN^&Vyub2s$WiU$d>fTeATrw@=tp5lckbau3ma0e=;CO zx{3qYZYE`D>PSPBHpjq;hGPc7G>bcZvF?!OKb^Or(S!wPY){G(tkvFdX;#GDqHuX> z);fc~Pe4D>nuAxpeuZcPj`SMpF!Gtd)Czww3cWBJIL!=R)^Ro`yK;qF6{;k07Ff_w 
z;2Rez1u0FYB#r|tlN&0(jDt;(i!GtL?XCtg0?1?iEMgjtiU37jPL94q*d*WN>{@7r zgjmHiF%CUgtDzv8@5N0P@>=v0gKD;lke^QEq_gVk*MPHooN7p>c9l`nS+X&raC44)UyM5T7+ zS;s#>&amb)D*rmxBXFNRJm9dk%gG9>MJtL2EN1qmN-hxloNzp19-a?2^jlB#Ei0Rl z5i!Sqv4{@4d`P*%LZu))As@lqZB&<%_yaS3^XbgzBzH~}UmH;wW|U!BA8u0(hm*wW z|BmI@qnKNd%w@SUK*gvX8}}D(^?|2C5>yl0z=mC`5hCG(m+^f!FMkI1MnXdIo-Jl@ z@Vrf7ABHuUzg1*>(?`)BszB}Trj`J%f{riOHK;-E9em4L)aKA!(p|+Y`b~T!8oEVztlW3XaPtyPfdJ>#kU+wu;TkVyMdK^V#Q!GZsUd!z z#e8)) zN@~d_9V!`a`6C*;>=nQL!a4sz2j;mG$bQ2G{gCoBF;A}L4Q}lFnKaUznYq(<7 zr(=H1l-gT+T}<7PwzkMll#2<$0Kr)LjX4-=vQepfzhZ$n9o}V8XiD0(dM>xL?Z?1& zSc)RU449Q?Y&hQI4Uice&O!_-rsj#zT$+__VRj-KyL%}%{jGA~8jLQ;nU&6u0J`1` zBy`q0>k^B=9s)F?ioae1lQ$mLs!C??Xx7QPQt_rgGHl>`i_&~%xwTqS>0;zmH6C61 zPu`mPRi6`L*w-EcG*mH0TE@Au2C>q{3us~2-xk%Z z2PQhXa|d2~{V%8;z5u&Jm;HfG*{~OTG>4o(g@QZG)hD%bmrk;0(*0F;ZwEkXACI(b z{?D$nU86qqBB}4< zORn!^!WC5tFsJDFo76#>S+noJH>fCYuN;ZmiOMS0dl^f=!c%8sPIxms^R3n_R?#Vg zyu*^A#h+%kCq^5SwJ)9x4B%n5=0L(YeGDW9LJ&b-GLVD-42UzjIWSY#gt4lTJq}3b zL1W!f7UMA*X04`a2$wUe`MfLDK-KIB3ogq=)hqK#$urf8=N{e$x&C57k?IQDpNe#Y z;w_b*Q=XIV*bm;x5nHDD3drfFhmM%rlI~aRf%ZPx*GQ$I_lN+>mY~Cw?(*QRJ$jpHetU=# z6Pkq#L67kkAv&{@WT>JX7@{X*h;s4)ah^8ta&qc;Po{(lPbKCFh~oBOQ3@~U8>;p= z0S~+NaGY`0(R}SlobeBTfwytrL+Kjiza-I6gvN|;#F2M+`i!!yP{}K}f`@Le)W0Ih z-!&aURQDhH6%u95RT314$j$t@WJC4eg@?zH>>R}0uGWH33 z+JO*ZFJth&53h;jqafEDe)mq_hh~$xn_jqsv)95$|Ki%6LOWv$Yh4&ZF=IT*ghv{kMN9VCio32HoQLh^z=+p3g}(nF ze{q8s@PO+cyp(7P7=ZT*xLbn2$ux;>*vz_A0qH{(kM6IfR1Cm9jJ!&Hq!(Rn7FNhj zCOu?OiIK>ETi#ErD+Vp+$pqD~3_RBG~0;^|9>PRcxsZAgq zA|i*2!a%;L`V1s03CTNzG0H*i`#F)R0W)}P(wEMNXc5JGa>c(6Fa13^U z_=hsOO2WDLq-eqkXfI{>{5 z_yfj^e?!_?_E%UrWD=YCW zl+bg)NdG3s{he{hVX%ZVwIxu8VwD1>fI$(s>aFAF+K*iD{JFmYcX{EI5uT@h2ZhYX z;=wOp@GnkPDm&{EKfhvxy?Ud3&gaMJd$$unnP>G)*|l2vnO5!Dg!;hI#Cr`tmD}N? 
zS>T#9Ua2h=<}ZcmuQ2K2oD`kN6 zL1)mSO9MWzzRtmNYw>pb0;@jGF|E`GP!m08Mw%73(e6U(?iv$4wdEDsk9N}7y@uep z{boVWT1PLQxynhpn>@1B`A$N)wDl2r=}^BAsBUwmKDxnO8%@WtDf;m~rG%B+0FfLz zZtKX1t;SmQhXoG+YbyHhRGsR+r(552MXOze4~g{tZJQdWS|Dy1?S_$~-SFhy^rPK$ z>swL|h#Kz8k@IDv7<4hjPCNR)2XbN{%%IaM7X7XSI3&OiRQ&=#b*OREWzo)bc7)mF z(Q+k+eYF!lwUT{mq_um%1?`gy)Ybwx;PF}|zC_$Z+%KN^218Lwr_Fwt%kg5pvW%`y z36rKqk|$;0Y8suPV|6~4)lTQyPS)?f!tr4o2YM4xG%*xu*G>8$d!X(A`W75-8xMJ4 zU9N|@D`!&C-Wet;)8-;wZEP$r!DUskm}Onf4IEc)C)r(~kAT&%c7e6u?G{`lpY){J zgYF`#nY{(zFw6kqmTe@WK}dEsuUuM6SQXWEZ5Y3>>JxjSM$A8}#Ql{;(c|V4;Hb?i zeI*sxzGWk7mS>mDaecth)8Y{&7N}U$_CSnr1J&fh*)T^IY&;Szm(XKy)#iHwn!lh! zf4S4OAPmZuY88ePD)rV&gl*^Yrl)3jbaifo&v(=sew8o^eAD+S+Ae|GKF-@bH@czK ztDRm`dNMHrS*SmlYkp)isDK1g1pkoCHQ*Zkn+#72BX>Gp*V2O{*VdsOX)y??dQ}zj zSE(Kc2UL{j7E)xnd7oO$e(tTCnd#hy8v=Ye01#*%A0Bd5oC0_-YDZF)PbH?YM+cc5 z+cZjbBH`tFA&t2_on&jb z+5{d91Ogl&E#KY~TB<+)p^K@Ttf>P2d+dDok%elUgu94pU#yRV9wiIS9TSN;EcoK( z1&|?c!OjOAU~UfK_NVk8Dp{9Ek3z4v9u-|K?DMv){4Dsn!mtrkR)95`{B zWOuUU#i<`7v^+k_J%{?vwKjVJx`2m;)BMA5Gzs8tslc=~Va94f?g~~HZ3)G6n5U{T z0=a~dI?rv6S8(0Rw_>ND>ru6UF6S#+f2v}%DIq+Uvtz2Dx?AP-7^H!CtJ#rTxq+VC zv%E`>|H=ZYH_s9MElxU%@}k+MRn9+Dxq*MB26wB9=9Hwk_^%G(EKDg+5dXyDxCLuW z`3M|Uj>hea?5*#1=iBgchNqgAr=_)@m+A2)J&iWv>tZx@WiS*+J8RuUL!oxk7|E?KZXtoa~H@;+sMedNlzi-&AseiP_Hf$CZM67^<``3nxN;whc^{|oz zyY$_p8U1+}|JcBKSBdT!IOveuiL^I9B6mnUQ*>Mle%Y?)F|L~%B~eB1(VUSOHHqoq z=X_nS4H>P;Ggq~HX0BkKU|B;Mwf;pDd`vHpYp)PiKG7IkBj)EU|8PM+)Wd0(Z%P;!~9s0@7F1H9Ev`&-R zclroNasZ97t^7QyUmu3@iA%=g*_$Yafl114wg z;_ySA1grcx9Y^{(3%~3xyzee-B}OlQzumg&?qJV}Zk&jBrJU`?E6;dQPyNR_^!~Y` zK%;xP9q!13JY-ns4OOLpQWPwj{P~!GCl2^ckmswHZc`m+a^K`UHO3KM|$>v2!_fEESe3iqov`(&ILTGnw|9mm&4ZYEZ8zM7&fECSW0 z6H7}z&ZjP=$kYZ_vBL~v#aHndPzc8{`ka}Nki*%yL)`WK;2$b8BMXNp`;FTAe(D?@ z(T)kZ1dh_0sxb4nnhTDCBPZbrTp~@XH2087Ua>~+81px3LQP93<~$7Msa+-HFTHAu!@`1C148GUwGx!qpe)t~N7uvA~KWMpN|D&ON zv|v5jHr5=~l<%o!qOiNKij0Yv^~UU-=f8-ePMdLiP2PiO+MqZEYFky&`Ees3mJnJ_ zL6bO7$zbPTu}BL(dkPVJ{ywVTW9ukt{NOZmkv%nP|}b;eny29U*!(2;RVE-YS@goz(Dj 
zvpb*^?t;HAopJ)x71x~X@2-m9t4dX#8*SNf32$fN+syo+Ki{akAKt-h`J^XFO~ID~ zlZ|sHAoU3}72i?(9CMi3*#GrT40)j^ObogB&pC45>`KWF42+Q3KFky(B0%Jk*qSNu zk9I}em3xPOWObLTCXTLk`HR)lF~8746Y zv9t&%12wv*isrEg9)y)>Tm@c5?5#3{;HNO{N75IY)l-ITF-rvVn**guq_pXs5RRNq z#Er8=@7HnIR!|04Q9`1JuQrq^WBUt-wU58ZdlAWTZ86MO1T|}%9`jH#4yZZQxDu-S zMTh8}op2(R)1}7u6tgv)@AtW!LiZ&G3(QB6l`y9<9)nmbljtyjZ8KLpz>fj0csTX$ z=!vs^{}>JH+W{5`$8mE_JM__EAnJ2B!-6pa$rXdgpaFV4?}d)jIu9g9n>U{_N3YtU zkqmZ^pI(!1>N>1Brtd{XS~B;qH>fWYx;VPUhTf{xsMJ=3f&DplOFCkVvF=sARR**z z1Ctgo#n~ANf^tlrbP7&wM?UxqEGoDxo7xmr1e;4{EjnEv=1DWU^XCUcrv5`8Dk{I# zC`cj9GEl};zGD6I(M-r@s{aD+Jy1MkX)d2V18c7e1=p;!3d>S{sv19H8e7Ht)PMuq;c3a8B{l&&osm&f z-b2edSXEH2y+8){3K#e4&@a*PA+y|TWAoGdTsJ}72FD#PM-+1ZtLv`&`x~$cBsJmi z&V-9&Q~8OVG$PRu8|}ARz3=LpC1(g-pkYeQqJ^kZq474Gz*4;VK~quhve5(v?rVJm z0&b@d;ql4V$m#A8gRoiAj}`q3{08`$zu-Yn{@&bo-?!BAD@yf7_ZAt?RN_^;hOc!KjQdxvyk7hvn3%l5rS~00Y9g(Zlc6;tmsULn7jM$TLb;C8n@Z@D%>r^02$lZ_+E*x*Tb!i(b`RVUil;nyM7E*03q z)5{j==76r=jqVAb@&gHO%p3G{r3m^YSG{jZt3xXiv%#}PgW3W~ld6m_yk+KbRN|s8 zo@sfSu02L+d2`>+67>=6#1ZV;y=Yr!ytF{%_ye3C;%}zeh#A!mjI4=5!GBrz3ZBK} zpy#qMjg|VU1}r%fO@G>KC45uQIMKA#@;e!Y<(1~5t0$u@%Y=xbz*BK0S?2;G!amqd z+U1lf1w>K9L5f$X#qu4_k@|UPz-Xi)#(}|B8~1TXfw64oYR7OozXk!-bz4JZ0JL^1 zD1pqXAr2cByO8!}2PMV*!BPr930Ux5OlH@IS9N*T^WoQ?PItGuK@%&3I@@PpVXST5-3f5iqzmf5I z`8GzpnQ(eO>y(0vW7c;{oZ{AFQy;`1{T=cy#Nn|HFgZc6%z5r<1x*vgOU7# zyVE-*!}frxmu5HPv@BdVo}^NmBX?ygCpQOSu2-hu=Ee_wn3jG9-L+ zR`*@yH+Z|H9^Hvq=9!YkP1vpVW2Re9-A6!OjdINYV@aD<;`Wwctu$Te*RTcwzE|B3 zu)Gv72nqlI00cmthqb!w_Z7Y#7y!T(JOBU#01kk?hk=tVBfYbSy$QXZp1p^Wfswh1 zo*uoOy@~CA2I-9KJ)F($Y-yPp8R>p6t0+SP0AoAcn*67^xI+T~g1i6%0Q|RwE43** zWHFT7CZiDtB(#1pEegXVyTa9w*$RDDaY_lQ#pQe#DuD{uu5Da$spXE$wfcHO5gff>V9apTG1EvHjV4GBLZZPzHz{w zK*oyr032oH0&tKsLP;O;em7#LSfo_M?%i=S+Ji88yAkL51M?Eur>%>*Jh#C&05O^*Ze`EFsj*veM|4Xf>LfK`|3xj4sxx1}&yqbcHI>eT}z7Fb+*H-L`Kr zTOmV>oNO3u+S)Fa6&7p^q;RBk^=aTi)yVZt?72O`=xC`mC+O(6W-Sq|)=HO_73GTP zLM`g*+I!W(@;~ zs|?XU*ikR5V&PY?Oj9^0%U`f}Khf-uHBXleW_bR{7Ho0_YCptNm|Um~46XXaUe*Ex 
z43L#beg8%RLDB_@&^JL7F1B!6FxTE61LaHI{9lywf(S{HMx}D5 zWHbL%lsLn{=ZwAkZjozye7K~1%PT zx=>t)hy+3)E_QFHJ&r6mbdOA?$8t>X8$&p#h>a4@^?Uglh(Vb-sd}wnCY302BUnsGM`H_ap$j>!~#sC``H>$30UGQ$8jfa|XW-STZ0*7-<42$G40C zSEU)AK>Zy{`MLS&WwW=>yx3n2?Tdm7fRX8^b2c>G({=)8CK?U|URY0rpwk1$Kriv0 zRz+F{ih&9~pHdUdak_IPS^B!}VAJ}U5$6CA+(L!qvuf>HB^3cYDe?W>?fy7qz`1?E zFuyCr&giW_^)J6+!PtvXaNo-_)7jdjj_aJpI5<0oO)s>MCChpQ0d{}*jULP#-SK!h z>g8<8NOxOR`Cu2#MLxQd$7-K+;AIug9L@1~cwod8!g0YD~Ui`}yjRn%Y}72Rg92F~LsqWpaA z^^dWyxiZ0(sKCiQ=SOqT<7;);T;fKY4d6XD7s0n{6x=x6@wRNkS;#BwT01EM%!RWF z?^SKXLA1VWY@~|0As2R?MS=NGL-SYJ!1e|glFxdf#q^V~ee~j^g1DZ@Ym?Wl`ecWd zv(|7C-G2RgrSX=%hdlOb!l)yh5pa%~Z_?&=poU_qsGv8o+47#Z$QU`N@LQ5E$jT~0 zFf>Rlv_D%^Lr5EI-#X$SI;n`9Q(t-MiTiZ?iFA@S34-_GH(4EMuBtIzia8?0RU_e0RZU!k3i;ZU}j@r|NjYN*{WK0*dwSp z8oG_0O8Ip4sMJ;(%_5>iK2nJgHBcOuMFkKBTA~WjA}iF_5t`xJ^9@p(B+3J{QG)Oy z^!x$mjPSu$0}#8pvju+oke7k{z5W5bPvtP1;KXt~%wBs5iW%%l_M_>{PSb95PSbB% zM2I4{>Fqm8-eAv}t=xG*KD@Od9*f+=&Uu1vpFo;T1;5 z;Q(Q!4DgE`BIb1>#lMZ5LT-9phi`=S+a9jk!nhWWxE?sd9FiQe&lY6?WF&C(W)lhM zOXUXe0H}=uUb+m8LN-m|78{@bRX|QziF}**J6A#N$wJk8qEsLrLL{EyBv~f;)LxMs zY6q`7y^-qFZ1j#rQUGDuw9Zg81%*ll?O52@!CwoJC$3v&k(^@RU}C+(LS|5}9PjLN zms6Dz<&~3mr76M-2t2wHtW#XfJO%@c+&}mc!%{3MG>04Yhm=SKRfv#Ni_RUtxe8fC zjpYE&WwfA9-3}JOQ0z3cy`lLi-$&g}qTQ8aM%zIAs5AOOcSnLQLs4cyMT0Qnatz2n z6RN2uA5cvdwy8t{)jl#%M4q*8Rh9dM)Ah8&@@qq%F7Q|J1|@LxCg|m7Ac;+`pO`{M z1R2j7cx-GuWwDImA;T+dvxs19@nW?Mv{Q?b>tsjbx`SdFvv(gssb zyAr#u*S?*Rsw1uAC9N)im?|SCPHW>?)_YK9roW$}*9S`5H!jX_nBAETVcH|3cGrbP zh^G(WUgLHQPSGQFL`y2e-($9+35|x&Xm!-LWxckEMO5Wx4r=<09)v7{-BXD`V?%MNid$Dfwk@jMAA! 
z!L09F1KH*_u7ZdO*$D_4NC;nXN!%sgt*8juNeCZpkPc^gOQOcR_l z$5PEN@Wfr?_}hT*8vmeKaQpqLgg9G1Lm$+_S4T=^D@lQmsnsW;W`_JleuLzV$mLz^ zX3?!uUs2@>X05DSPS?E{T!D+YTtwk{qU37&I2w;+ytsEX`wn6CD`fU5MDE$k;uMmr zelzh|rmWHoUYdTiB=3eQRXhkClRf`CrpKNmxhhl4B1P&)6j15#@ouxc`N89(zgz@5 zuu~FB7D&@<_2Ol|iyOxdTdkG-rQ;ZlC(Y3E)DJQ4U^#qfwvG2R&S1H7$;!R{L|%Sy zN=%+#`nqlb-nFvC#|QT1lj!$zl~2z#yS4emv4JOZWg!*cPzB!j@Pflsu zLh>ORw=oiz%lg(}7rt5Jmlo`*?(_%f=*LtByens?GrQx_deWD&aS@t~-dk=f+-_b+ zd0eRdDqC;1K|$^11~20?{idALBjKEZLQ|o6J-l02Jwgb~%OU|5C346*1LDzE8Ksi7 zO(Ec3xHRJfw%icC@)|-qvk3_WD$dH->d_;coKB=0p7g=FVf%Rt9VH1SWglh zc%4ha*v`=YF}#uB>A8uMZm8b-yO}H4Z3D<8(pUArBN_QsnD|yD=p*?J%85e#?7|b( zQu>s$dILdk1!=G@1J9k-@Lapr6i~ZQbz8R9d~kn*k2OC(Dl|@UUM%y_JAD{Qxzg~y&!`{YH-B!^zkdM#cOpTMY?}{+3;>YF0suh$ zekzf z17}0Khe3jE;2(8`si;M&PBe?To0yCkF;vD<1m81!kt&s+b>*9p3dbU`NJ?CsYBgH9 zqKrW?s^U_P)6GXCED6k4WwXoY^-0?=_w<_Q#cgLtMdb~`8;c$-Y1k&{Ge@1*_Uh-3 zJ8mXS+L%zFBnVM}09n}8n=p#qm}x&Lo0x8mbw6c`7*AYnGzYO(n^BR{OU&ExC~QYy zo8;dORs5IaZb)KWZ5C%>Je4Y%|G$cae|b2alA?l+=3zmV_=c+LqaCP{N-UQ%wMxa| z-$6-ZorzI;isqt{hgMHj-Oikd_=$_|RO#?%>0jkV6_aJA!<1M(B;`;O>^TKW37jao zlH^I=+3|ojOjOx;N~q~Ca8Kll&aV1Un1d=>$Mxw<={F>VjDSum9CPC!+rU%6NpMk3dy8=@x(^3>xmc}_boRc>J==3lr#ViS0+DTf_99NPLm&aHc zw3-^BkmmUU#lMsRWx{-f=0@odmG>UPZ#k-q$`ce4EQe_jmn0-mM~aHrE5Z^gB#jay zXeuZb<}W5oP^IN0&{3A5O^t;)aug26!q41I6|rO}_St1*!l4?`l+KF;iL(yiW$A|B{Y&sN9ddx;Yv-H#*`H=afPtYcuHjhC9)Q@{&kZnL1MD^ z`Gb%u=DU&~TmPI^ho5^v|k|+Qf%`=;sbUYnD02jbrNc+lHhJq+WE6F>323LTnm8 zWRaW3esjf}E$GJp1)OjerDV!NE*uA`f=@*;^&qesX_i)(E>TvHBvHhta$J>ipz-)A zU+b23Tw&C9x$na;Cqr8>qrqpI_a?gcB{t%pR@<-=im_50mp=C4#?Kw7>7*_s8Gg_$ zoRMt!^XGy*P_tLU-Lso(Dz)lb3h4?DoEjwYJm%_pdyCoCz|_pp^yT{Idg~8!B4+GV zl+I=PW_WIR}cYxsYojN)~K^!w%(J5CFLWBP+#KeSUg|nit6!{Sb@Hb=!o}Z3dd3C%2pME*RKJCF8-3Ny~!@2dd*tl;uT69BWRJ%82n;tR91k4sshWa?5cR zjRsoLr``x#ak#G}vDpw)d00_tg4+e8iMzMaJD3|nnI4X=_vPK*)=4ep%eJB?qX%;5 zuhOcsJz*;Xjl1|#`;a-^Y=%isal>oy{&^R>fY%wDa#=n?{|idVELe$rCFe;nbk#9J z8>z4zWFusbi^Zn3LKEa(_)todZp@|YGblRIK6#m=(1g85S(3?NH1B~3r*>uO5&J?TUx6ZQMA6-Be>pO 
zMJ^MS3jyj3NyXa{P*O8n|B8h3UPMhWv$1|CG+An^l<Am1gI+LK9_B-*YoqI55uX_kT&Vc ze1lhP(|1~~{HkLBBs2I*&IlFz6FafVJ&Hv6QXlb$KJD)mWYwevr4wp$8?6bRRr(i5 zarv<-=#_9V!&g{HLNi9jy5!{3*2J=#eB6{il_4WUf`E%}4QC4fg`anrdG~$dM6Px> z-4Bz?M&`y^%jRaw{4b&tr)?{4W2t9z6TV!J%(nZdvSDKC1HTP-2|O2p0Cc~M`}G`E z{SF6Im0K(Tbw-|G2s8&SVSb28WNHX1m)>w_!FVcCMLjJt6PyrD@-@o*v#~&S!FX6) z3m*Q}!xg7?}cc=GF$Ew8&i0}-cuuV^)h;-O!1)w49-1Z-Kqs;-+_v=BL^!OqdE3-C-RtEoc^TT z3$cJ%X=uEDkYp_38(u=9xH`_?If3oWlJZ8uC5`S)>p3yc$PZ9_&tzE!>ISXdIl3P- z99CPq0D?8$y_jCGqC~7zY$DA-5Rex*2z!@(N{Ns=31TZ+n?dqu_s;7SAV%?QWN4Uu zr*`=LMA3-EL1Y^C$L83qxXyRpnX-ilVHzY_kphLqAQ71qqMSYmHFBzYZe8cVq+OAx ze-9P@?zloxn=p*`41;BV2}N~7FjSZZM@JBd`Glf?U>GafE&GmG2Fp;eD<~sjm&RGu z5D68oxs`9XB}($838 z*;FU0vvE^i#rwd)_Vark8;a}F5ub!V>wKA}OE0#tLjj)QZn^pF5Ue6!b zx4h(4Bki4LJb8zlOg6zxx&HD$WFQ@-GbA)B>^sT z$$Z8S9B1!u*Ht^LqOh1)!iyR#nS9i2@p!F!2t|m&YmtOGVCRJ5?d)mM1BHkZ0>eZ{ zYr14k8Shag;n8aPOXdj>Pb*PRH9y28c+LRfMnBU7;NmK1aR&(Q0bbw1ku8F-uq%DV z1LT*jwdsd6AH?KxqOAx}M63r8XNxy(v0RRF{TF5L9OFs!ZvD2Wd)l^b+qP}n#4?evaLqIPd_{;q-9ilk$e->XUm;^Ub*ANe6UR17a>QA-T!!=` z?D;zyGTMyytYWc@C0$w7#&0pjqFhwxG8ALp-HLGKfA0vpk+xta?^VSpg=PQgyOi=D zs#)GAIWpjyP9Z@t-Flj(eqJcfAd_573)}vE^3HD$zpAgOW%@g@189E99fFYKapG3< zaa1+E*GWy_^O{I+%=hg;^uicut{_ZOj%9q!lxgWFkZn)*`{_(C~}R>UDqwPMFg5{SCS1g3vOIC&Myhtwd2r>q?rF3@3Lxj|Li zwv-ps3S6An)h&}nM_K+d9C0$M6@!F?pxN7mViO58dNrz7h6_q}=r#oN2)g5BfZ^8=5+8E~_r?Yr{r`lsc|MbVZ`)H%G)e6Y)1tFyT9G|@Q) zVpm#!fUxtv=Aqmpk%~jfEqPcXQ!M;TU{uH~s@;*$H>#P8)!F(zD>Ro~BXqN!dBrnt zH+V!m-B;*!p@bbkpb5!$YcC>GY;5YhF@JP4^#{EGdhS=&26};?*X;70Da%R=|Aepm z^gcT_SH=^7hF2bYcx8fY+3?pf%`qFHhOD_BhI!~yh(qRQGcXxPJA?^I83HUvUZLo^ zL3%)Ry5Q_Ar1TH8+U4$VC|f-RbVN1@GvT=`tD29P&X4P!md!6VlIC3Y_bV_E!YZK@ zND)<%g`q-m69D`UQ$CIHo9039RrgyE_dt7)eXZ{&)!s%Xr`M8_edg>j(pt0=np#yG=mKhAk!?!^GU#^%pkOI0s; zb&F52+e9;OE}oXv2UB9T&%-l7NB(E4M`y-S!lJh?3mzl5Z85EK3jk~5H)j3YE(1iA zrWQ=aEKI}g@dR|_BZ8-%_<6(Lt`q%y+N-m7>1$B@zl3b&aWBX(jQD@6?Opj50b9P@ z++DdI3Pe}$fAS@kvES5QkdM~zsf^&~zrRh3UAxn_4FBtiSNF-Exqpj>-t?^mA~%99 
z;Z7Ipp4`4JB#mDQs1yAIH)P+S(y_ffr5>1aZBoL0rrO1t@BHrd0S50uSmI`G;-&IZ&_#6iewL72+{GJ%CI-${{rWiZZ(b}QpAJNG8rU}iP z<7VpJl}wPx`Y6@k_8`GHuyw-0>CNYb{J*$tA_JW12YK&`V6oK3Eg|#2+pT1U#p=Fx zG#>FNPb`PwUa;@GaOFBdDjV^(CwZmOq;@bE^SzhM&%&DX3$Falj?Nm7ut%7=H{t8) z_Uc*i){FeWhu0q|ncv?u4g(4-bwaOU7OBd;Eh<*qKE)kC0@s2I(nCnMuyTAb)X9ff zCaD4y9e`$niTD4cm$J_Vpg2;I4$NVDHfW#$lTqfVB{meZvw~l7SQNjQ#dbo%G-wno zVLVCdM~Q0zW8r}MjZK_q)LIbw_grQdE>rG;GK`ww^;RfXzAyDt`vI5Mdh)1X_{3g>^+dB+FO&OiL4YV@gA+>c|5(RXp zcOGNfE&zV$JymzS2ez55sn!rqte|UseUZIvCp({0sogK1mm#r+d%j;K7avYBIXfb; zn?4t+I1TGS)Z$2rIZ)R>JoQGqWa1?W}+7f(^}FkUpZlnGB z9FuOLL7dfaXu0qFj&+H4`j-Y?N%wFNPw~b=SV7%pN{k(#1B$kM&p)ew@xI}`3k=zJ zq|!^nLtl6{%w=Ha&za5apx-AI2h1y+eY-Ntd8|G9WjWC~UBZru#GMk7^yRD2{mN=%f2j0mJx)fk;GstDGros*Xgyl9H(zb9<7at?ucLtK-a$n)#pi zAU8~HqV>LnVif11H()HAPlh-krLP=4Z=)~qZJG&Jt|3nsoFW5D47IXkJo1^ZF&~oOkuw<1RItVsnxY-kj`!A0T(UKu-`1^g%WSv zi$u-%aiKXVf`oX<+VWd?dMn3x`5t1wMDi^hyzPRH2}Ixi%!)oUqrVZiNm%U7k9?rN z=+{ozMsGfd&uX*PEVAirOc1@N7T=h-4nWi9_!M z7vSy9J#KQ@_L(h1;Z(krq#){v6GE6uxPywXeZxTYH>12rPi(RDWDA&w`+|2zR-X5Y z+@FXG^1Y2OxLjVb2$cmJX}vxp6B=jCTdmff=@K z(;i^wd)@uy)pg1yQMA0JMgXy@sTPR2j!bCyp4G}oBY*DqKExls-x((F(Hh#~Q z^Z3=$*5lMci0BBL#a?{sQEue1Py3avYk$ z4@AiUE=U0uQO78aRn;3fadtzAkfT#h0XFJY)&ytP(8DNgwb$G7Emd|{n@=fyj%Tw9 zrm9BMv?~cMq#Tf33cZ0}|3ki<=vaD=VDLS@5aRy-+y`f|(v!*{|3LruHk(AXVVCYd zrO0m(ARyZRq0MIMbJKeW<-M5J8wFs>D7`-?*xrw^?fPbzeuK32pbDvYKOsF%b zttOt~MXPE)D_CMw7+fuC&7K^$R)6uTq%e^{`BP9M4laaa#Vk~SMA%{-+s>s9i5Wwg zs}3+M3GU^54ra|y+=D`GyKzc_!bb+hzS_2(-48Ilw7G!@*dZ6RU&L!sff0Mf`jfg6 zuL6^9;{vtQh}$04zBHsq5muA*k6YZ&^oU`0ZY)cWVx>h{7VusPCF8fEUBkeOSX?Fi zRyHY`NvVITDT#twlw*37@4)clK~WKv@pb|=$R$Kk1HA4X5_5!GOP~_HN6&NVSMm5H zPw8|0>%Wg-=-pL|79kK&swof<CQ1MNmaPEumyk+X$XXQG8NNq46c4Q>iXfc7cS-Z=nsLZLta5O|Gx9)*M}Fftez1}(^DzCh(7Cjo;(-py3v2ce~AYVF~Zzx$&>UE0kWjQFdzJ~1*GHE&m#Ru+1*#+=(+{}DA1)VY5 z$i}@i=ARlbc&p8Ub^f zE`mWYiS(jbm`{y8b2=3Gbmr&!S)3VJn!z`jqqR1aSW#g_+DfbRT(~K562QW})KU?L z=mm>q2>;>konwKdq&iuKi=}P~*b^tHH*@>TO#U>wRk!0g9xs{!(=m0u28nSF94I~o 
zsE@J;&a-3}KV7hWFiFpkn8ayrtSE;b!bi}b_m|6@4mW24C+8VJ+B0sOr*byjc6LXP zyBiQc^U4SL`@x<^EeevENBN5s!~MOEidQ>7QqMfTe!Q8n;wx0d+}0P;=qkRbCF2sh zzK0Pv2Go@9o=_M#x`P6&pAoIU_F^u)pVCK$C+(x*!^l+mxxWr>n<%dsVaelgD)Qr9 znusV5tEBTH$-rC^S!@Q&KyFCo@nq}YG7jiW1V$2Utm&ehMqnCI;S8DsDPXQyhP+B# zAnI8JvK$?70d)N_PJ88C&=`7^`6Si&3#w69VLMYnJ63h@t3?Mp|K@BcnR2ndYgiwk zNPe>0Jg3ytkQ}%N#Ml_!_HlX1OBWdf;Y$@7DyjZY6b#ruF5Xr4?9xr@TI2oZMyck= z6~LrUtl)ffw?z0UA{GKL;^suZf!R=&*!zb|az*p%94(Y~*KRjAyHGli6f+NxOKYAI z(Pk3x%)?5E2o-TUXr@MpKaX@|=l5w=Q5^=|h=sR`yx22GGy@l4FDHkL6%TnQ`rG4y z(hVx5zVx1i_3Bdy-6(qEiJ=;F$Vgu~JXX936J zsXFu>{x;YY%vo_Ad=ECo_?|6_!4-9c(k$Yfw^CW5SDWctor%mMFhP!nVY6IM{+K@$ zsY^3n>*5l28_d_Hk#KdZD|L+g?$Af%5pMwsLQge<2ZJ>58$waOY{B66U#6h3W(e1` z5XV9kjACVl3eA*yMIyVu6s~&m`u5Y=DVFz*lzxxHa@I>QjYwncI zF4_X-|GI`OfWP!FGyNk1O)`|7BqsTU978GIlr_G?bVi=>X`8@=IWTO&MlwwW>Q4qL zu!dfKfEo2L(wO)!ysRSv%7$ahJ@n{&I(dPf`%5y*4|Zen`bsXbF9JbyEjDv&1puWL41^~U;zuwajb1d zLtPnQ1?(T^{uc-iwh(=wFW4Uh7^2lU14v*xC=j_ZOl=*1JH(=pE}syF$X%GEj?CPsUWx_tKQsLuA6*U9aa~(_po&Gt`(H6js9pX1a-f@n#^K11;c|2V5QP0Q|fp>o6w%WLK1AS3x^-K|3I)FYy2B8mq={fVKw& zZtBKw{5vL|{EIJ}87uW5A0b4D>J0wEgl_}qs0(e@@C!Ydqq>UQ2=1<3hui(* z#^<~ex7{W;HFFD@)ZRfG1r&-Pf=Ss26Fq!B>mV0NhO7~$1i7P{Yvd+xBvDK=sMbtK zO%SsSJKsUt+o)5XUx4B|df%i-*qpD=B2;p$NvZll5DvmU>?b3TNo%ff`1t_hfi3omD93EjL8W7x%qV`J+0S@ZV9v(dvxp!f>K zUt**|C_L4Hmt8aviuD4^jOxv2WTOGN++HOJyetDJiG{|<#N=YWgK%*;{O`vZP;L%= z{@qQ*MHO*StkZb&88+&`vdvW!xhZ44(#9>+2oxrbeRms2D_}lmS3>xXY4~6xUWyU9 zdm%M{0|fdMX!Bf=!*s!j&OZ1JXu8XOJ3%3Q9XK0WF6YJ-7^fTLL{5pJ7J<;S*5Jj3 z$%gnccIRsKPB8=UVE{~4vg+a=7^U=OhRaKJHkF~O>V+oStTyc|;^gVr4wL?w&*m%9 z3x-v?6@}_*RcIsLmQ=IB2N}(iqE;y<^GZo@$f@ex%V7_%G!{deO{f>nE&EE^mJ7`w z6P=6s-TYfvfVG}Zi;tF*!v-zeV)2#8FHY@p+I6Wj=N6^XIu9Eji`#tcZiXU$HbOTh0;7 z10RKFJ!ywM##vG)qnF@FHHzLa5IArvSM$a;E+D6MY z$g}((7F$BzVXR+Hf~~OU`?ls>%zHOIfr>1!wXi3tX_Nc1lMED+@{Y-2-W$`>!3xJ5 zcYy7!rarF0V3n3)sXyFKg`C#=e1ma+NM-OL;tdVbOo^1PMJE4H9Mch*&9j#B;4fEq zsMmgmzNI;N`+YQgx`83NZ&LN6buX5US+GANjVfiPh;qE`e+3Ol+bCd|kEEP@pJtvY 
z=f1!9+W>qW*%%cvc(q7<_|*Wvo|nMeJ!{{4LdIOIy*r}4&qv-_Ky}ouLJK_c^rGKt z>)a~)y%(zPKZhGTZtptX(GS0kC3osFWlbO#FO1a-ka!j6F_nYk%&-7TUJ&D%Fs2fI zdi(nD;^aci2VKeKtSB?(Z#MN->8yy{=*ar;L(Bk>0xL!5`tjMiNCkU=co)*@p$fd5 zP9#7^+*DNLq#mf8MWs*-8w=g>T@?+alxE2sg&fU$NzWomB%O&C3`Ha1(txYl=r!vD zBto)H8G~^yno*Ru3fR&5+vz6`eV-tsyebF|LqEt2uCj4!h7>3WpqvQ}33j>-mUP^c zO4)Q&WTY8#0qf2)?R;|B>nbOnff&o21E)Lcnn>&unq~E4Fe26Na!{byys+KXR>2Ni zhV>>X>%~ybczxq@w$ps8ll%xbxjQIbJ@>hp?-5ty1y|xN)MN+Y*mFUa7C!5_mi1vC<-^xJkvHCio-f_QuYZ01;smFaG*PFpx#*3W2Jti&yrO~OoOXn9qs_Zy_k10Q=|_wAv{lLU*#VB380Ia ziKi3beDA^sf3Qr z@1D43>=eqjtD^hOS{>}3&JTL|3d~6R8q5t>ETT;!>N=EmcY_`*Xz>usL2E$)oDkc$ zDpwRZnvmvNMCahTglCqokP~zO4Rv=@L3{_t*tbw3M#1+7Ncl@O zcV}Wt4f=0IbaO*_L^OeOzt!@^WAh{&8j^^;GyA$rb8Z4lPqwiyQHj9hAB*IBcyw)4 zID^8$#fJfZ499WoVkwpPm2iu2Dfgo6ocGmQJXxkR7_csu4vp4jK3c#LSRGO$+ccEHMGme<$Tx|-{vBG!Xn!ylh4GK z?m3rs`q*h(0Y${O1Fh3uPSs+dn!!-*2YsNen~oB0_;Oqg@RJJ9#QdMPLE&;4FSv5& z@>;)Sdy9U_4#}2hj(hg8$ZpOKIS@;UQ#pEXBAgw(!fif?7AtW4-pC!|3UbjBOq>t7 zue^3}vLz_b>OM8HX;vN&Y;RTuS*9|p>eG8M0?h%EQ)a;=OT+QF+;!o7Lwf?2Ri++? 
z)f5wGFdlb2`|67QW5mxfApVx+xOZz*>ewn~2YkBRi35n1CHUIuM^EKB0ph7laX;mz z^)pl3evE6lO#sf~mzc#*=oKeX`GG~`)l5k|=3HBW@1;EPhrw*IsigQ9)>mrP?tr(q zSbl-WELJg~#i||5-ZcRH@hqwrF1UgXt3Bl>Vad#qS@mN#(a}kMcDhz@(z-9HAu7j5 zGaO5cF^JvY7p15#Wd>2{Epl~9ChQnU+9o6dt1g_Z3VP3m&>F3zUei)kZ5!rJ@lVF9 zo$?T7NTuHJox`+Ap&_-74HPAZt2z0)Eb$0VS4M+MY(@BsdMk&jKJM^y zS%NL0$+K0XPeUkmEcae@Gxs8uwxN@z#m1CI8Igku%Y%^fC&FV%Q!g{MIK^F^v>j9I z_`1lpwLc}6l9p{-0F!vSm6G-tMmgy%LR=h5?g|N@!r3s(W6ifhgtfkAt-f7rJEu41;haN$=-G>$6z%9R$TK20~!>aeHwA?iqR&W@&)dzxl) zfOg>H`ZgrSWO{-Y8#%W%4)O_JOsi>TLBtXTviV{1 z(o-bN2^0-Z^Y(&@<*agFLuEo0oebup{f(ZuDvW7AIqTLHnFy-3-h;3FCSZvH2%7S6Ub=@FtVuY z3)U=Bempt08j;VUM9*hMyTB#=t*r=AfbuFc^hxNiqKI}D~#Z<*YGejp2 zDNyEV_YhzKIGWr*ARzzNKsBabcv}wF*Y?2vOHbLLBQdx_USJ|MsZ<|%Zp7C)bllag z!qcs945~#(s=Z4z zEh;e^^N03n)6Bal9TS=OL7HnoYvHFdczg6;ybe=qRry(6#9VhKGp9Ub5^*a87|L%m zxT(YNR&CZ=e@#Y;uN!{HO>UxRAuD;xH$yGYs;v%mgwtkcJ@ArWLg}mz&>4FuZLXwi zo>&9tftLWIJ`&nUb#^Vq3EIGXyY%{H<@sV=zHRJuQ}24hSml`^=kB&su7Rrjul!VA zZTwi@oC_at)VyB%NOMUqpG}aD%^Qv3b4jBQsmUCKHYHY(v>0<15e^l%baiNJV&~e` zHvVZT21Fvghy5@J27l%&WwnJAUGrO7Qa1fO#i3>T_Knj_5w06il*}S=w9-Ke=RcS| z8@t&*ImRk?7SF$(xtZJ9xgB@!{9%6Be&{j$nvHtzDc^}XHJ?5wpQ#4$m}m2Z+3%() z!)^q(on+bQ_c8rxyn_C9H7W)Xr1OPib-)?p2|ljywpT^Uo0K71=+2_d2Yv#b8$UjFftI zi{(iLR!i-cui-Q^18sN%l_z!`J#8tQ(M<^^^!(EG9p+x3x8yjpasF>9MbKV;XNmaq zUV=4zuUW~@#>;avT_q^#6l23h{IHYa76Jy~_xOi3PAzM;oS~6pea0-EQ!|s&iYDly zW3YrwDZetiX!Dk&=u|{rz6Re`s6`$+qcePDT(JWAo1c9vqeY46^E<^=DXfE)m6adh zvQIT<>KD5k!xz3p+?$VKG?>fApVUL$+baPQwZ9ILh;4|Q@jgLDYliy&!g}D_#yVB) z(l<`jtt#3#@s~bz0y_Bj`&oEfd2dGiSBnOTh)hgXlOE6`8@Qmi12o(b_Wlh5^xAkrC+jWXgIf?~{?jy<4+3NEMN|+ZHP$SQv>KrteZ{r~`8Pk$T((J3Y zzJ=1mXM?=%+cAsNXN-~{TRc{b$csJWMm4Ov!z~T}gp43X*Lxy`?jhp2pBW+m)NS@M z^7vU*c-XVlg9(y*@F*XM>4_>ToyQDP9Lp z{kzn|!#&?IgZ!Sy3xR%M3rlmzav;yeM;}!%848aKziBnF{~AUWLxeB=Koe;H<99VN zes@aC+eQ9Z@&alw{}IGlauGJ^Z9_kpo#YA@l$f*Z@Dh6om3^p2egA#|L;o&#+d1RZH zgAV`S7q1~3jvh?M!w2=nBmex=rswCEL--c%8$nP9w^dsVzaC7=*BQ2$<(Muiou?|PLLlj+QQjB`?)GD|4R 
zs}cz$tm}@7!LCHyn`mrnl^CZ;lc?V+)0&)I2WD&_n~ZqqX9*rcK`Dx;6D);9e`q_K zXk@C9?4=<_($+~SbynE0o7}g+X#Vt0nFF|cf$bObQAT0>U|?rvlFQ=mZ|VoxL*C0g zy(+`q9Yl|G5j3daaR??%DZuNgRCcjxEXIrHCX1L<^8RhSEU&n86?-bSU2@-5gKpWr zES4V;F5_eC8VHSSr7eSO>m%CrACh%5j|xC$$DrYnVtBKgg+ShYk&*k0T;r*FWZHEf zKWS;Q4BIdz^)q1*SRA|`@kar|_6z!TSA=6u(P)K>&p*5WH2ywlKTOY|qpr{X@7QG4 z&OzV7G0IVa0?pz|q@f%3ByuJ~6(l&+9%rs`Z}0h^@2ts!81(vPOtIS_ei6=mG>K1H zR+3D;!PAv&Ov1f;Ts><;8PY!fhMKE8_Ts90)V|?b1sfir`g)(@C5aOIaCM5iYY&h`-rI9*;vs1P?C8uE|ZAtw{ge>DcY zt9nmjhNy@EJY)iqCy5(wKcY&cE$5J+?&cV}b$aufUuZk6^Mz)mddG6Tm>su`(f4bx zRj=o}0gqb%XKFjf?N<#ue3)M!d|2zvGh<(r{R5p(h`0t|;5~@1lwg`t1Go-rTpi-8 z8C8*7zTH&~m@+d_(Mf}#{H1r}P)#F9Nkqh=vA?Ozs3IP390QFYTVQyLAj@a)hD_FI zRGH1M2#h)?l=vP6DMC|!1F!?Z1^jIE`AjHp%NKmE#*G5X6UbTNBnB#Hc0X8V`C-Yw zZ<`w@Mc&%DWO2S^+`Uwa`-DdCZIN>Ye%ng`5fuLm#uv;E7!HGh0m0C=KuIKuQ+@j1 zUKF&@AWv<~ZcDCibgG9-9SSY@XavJTpr3+WD!u3!Cj$pQnDl1r8+HP04t%argnuo*g2nwgqMA#ML%!XpOFM?at+v*o<&dD{yb)g*E@OR(7U6M?i0Y zQXPtuc}ia*7C=WrhU$$_8DFWGk|ua`4g$xV9&*~T)$*-A5SkAS7A|$(73j5@S?-^q zl@QvH%hf=B{$LoQk+Mz5aC%VP<{5sFq6Ywck4&)Z681eu4h~4;4YpssvMc%zR`o01A;@5_%M2sO1$_~&^}r_ zxfyxEOZ?b>WlES?D>LnVgxCd8RPSUdlwQ!*t-b#?H2yhBJD{#rj*D{Yx;pT9x$<}! 
zzZkyGU-DQFAF$iaDUmx398LT49s}4r3Ox#Sat@o@{I!L;b@FLG-G6abz7+c)Hsa}1 z`UcWXc>gn~Rrs~OKdx@i`!NtzDQhgYkdB94Ifsl;8BAx+FM^`vf~4f;rO3ev{75Vf z!^|f#j*<{L^|9uscAaz zXj8ah))C$m!5};Xeb5-0ouKhm|>5 z%ZX3#JZ~}o!xOchLWVlU%OjUiNUEG#Z6S-ndD`Sg#Y!T1iNf^<+=PmrTJ#eGv%X9U zME9TpB+whogmxM(mRc)_7V;O4=NnE!8n2hljPScN`q%s1Ir`+qy~ktaEP9>K`HjDP zcT#clv7YWdE-stzDl3=GUtf9p&yizgF+MTj;d!XTFMjz*bXn2Urw(?Hd>WNxR z+ie>FYurND4hLz)K#6YU()oTVkFiR-MMiTTS8dJE-!<6A zndIzTMFcRFLTrI;(0g2h_-jx>FPKN(SC!yM0!HCE9E4R?fp}%Ouf)b@i(S880ti#V zcAx?OCKc5EY-M)y{129S2EY#jBmwc1et9y#*GW}xZ}Afxq@m!Ode;s7Cg?CiKyP3B zcD|sWkp(qaC4#NIcHHx{9c)B5YEkQ4DjoyQFTa1SsJ`NU;dYt?k#5;Qgj>ync)guy zJNCIh4C3#I55jYj2GX5g=tn+m((cFx?2Qak{XCsgAbsavj^ynTp@%ur<^l0-w_d}% zFZ}nW`!(COKbq}4atNAjVtCjes%+Vgje$Dq;n}_CTQE=i1;bvhgTrpwuucg|;kf6- z7Z}_FY(qC2qIj^RyE-6U#7nRwhr-SfmZ@2k@=dgD^*x4q>VX&*%JV>+?DSPphl8?= zfkd+@6DJM4rUmVOtbjL^&ALd7cbSq=$zsX&Xi6iGI4OwH0RiH7>;zdW%!~lM=nRqP zjne`KF4hoP|8h#OpL(#b8=BLeO>%`0lXwzJTH}_%_TpQ?OU_K=f7vtc$hb=j>H8tD zGwN8JJ%;6YzBdk?E-#gnu4mWk85eU~wNl~s{zEyEsRbz#;qocMbH#VXcTe1NIj?NF zP7>|D0=4-5{iG6{gQW)2bZ(g^^|!AJN29#=FMQgGuwZX)(Xgr}#n*VB?Khh-zuw?H zPDrUG%hnus+Og?HJ$RJAT`(t*Kf8McIoGJV@J^4mqlyD}PL%)p{RaUi&$EYs0uBhM zAMbxQ&bvCBnz`EiZJM98x5d!; zexjslhA&@V(jdMe9)rw;hav3PM#q};6F}1;ZJs&m;*Pj~pY(W#p1{~WU|~99JO(C{!353y$~|aG}Mg?Ion4 zwsFd)a(0uY^i=iK@lmK^6ki%87*L(3@2Zlv75hKPw3FpB6b)M7z!u{uFMZs33IS@H z5?96>MVxUUGFoC(d{`sLPLRJI0%uB9-n<_SeF?!lnrGbI|KclAVysduGhW6`LVzYQ z!9}*B7S4=>ffkhql>JePN2T`E&x{KW49LUL>d(Up$-3WBvw||@I7}(U3nB+>;M_0WzgOC#R!Q)6zwwMDWCTK>)+LpxcHhN82!mzP{KHurNUG{&0DgwS`eiPIF=7T>}dTlfgu+1_!JF z{fb%{%^K}f<#t`~<1PFv8qmwcObq4pNI~n--*gBS33$tEBY;j6zm;wLInoMtWwr+hxL_#FSx!2?JjfdxjO4q;|s5Nx2Z(;(-KRc{Vl2 ziaPX|WuC-qJYMs_Es)>zju9d9$TXr@sX{0d{m`E)DSBee9hTAb`1o5L;gjvGD)|F zS4fG~mfCb2`mwp;FH@4DUjJt~SH_$vP4hqFxsGloIk;!%a8zetn0Uhjcm}5ZyAXA# zKpYA%UIPT|*WeDnfn>1Qf%44ZPzRLy(ea5`>$>J?Rovb)-WN)~yCPWe#|xbdj3&b# zBtRh`Ah8IBVM<6O%A53Sn6L@=)i9hTtqH%+OpF( zGKQLaUe~UQ#dJ)PV9fPj7)|n$oO$wgA;XAKg=Rs{B-TrLoKJXuM+eoXwwvaxzOM6i 
ztUN`eh@gvjSx2Bzz2Am%FY49vl^nz<&O2$o3_q7}yL`9lwWOSiJYaWmmPBDu9mMpS zOiH+=#!5Y!Q7mbLr&UlS^cI8#nCtHlO94!Mq7Pixy&rkdT?MLFeZj_R_BCup$YH!< zK2tH)<-b2H5;`NUnTu278}fYU`di*zHcMOnOYcG`RL56?FYzQ2f92(o_Q-5T+4z18(N03_0k@D%7Y5wUt&K8UL=Z0{< ztSJh(WFl{t5qs=ff~1>5OV{0i;I^U6h)Sg_k}}g6&v%hA`Z)KX(MLD*a37+|+8&=i z->K?Mr!?JBCo+!y>d4P#zC(|h^TQhki6G`NCzdt`MPSJN5+$rTr6lOR4YuSegy8d) zzwAF0nJHhjvz1p(F@JfNh)1uZuspJRnjbf3g`rbylNX|ve2xMR2-f140J8-Oxs$W` zA#Zm}zs4=G&Jr`a97}oys@f0m^s@*Zd?yJF+6Gu?p!}ZG>1^_eZP7%y3E%rDSQmOF6EYUTz+GOkvU{r&d4t3zVbkKKPc1Vmg@H8dWZ_ z-UvxVuLD2XoKb_!bvTl9f5Zu4knnF73-<7RvihD-VEEpnDvf#?UHs>PkAxm79mTlR zlB=JEU>@osHIuIKJAS2H&rKblN5&b8=Ar3aPpsL^z+ymz8UB zc>ZW$%RtX-yXlU&V(#G{+bI|CbjLXJtpm#s4?XibJyQTXu7n(NNtkl%jM;a|MPrRC z+k(sI4LLgwHac4a^E0e4_(r|Vo>5wf~T)d*SwsXxfi7yKPsFfR8T#?QgU1Tan9ld+q)6JlM)J0N8P-(+2dEN#D+P5(zj+STg zLszZ~*key!;rYAM;R9^Rx4980w!dhHy?>MY13!_^a&;zLbSBzr&9_z-o-Y^zuo(in zpg6Pd@@b=Jt?v*#Cu4dubliP>A11P}Yc9+4Wjbp#_O;SsUIBy@MgGdM0^lZ6}vo_$sf~tFE;0*DNNUVf~!l z8*hv{ZkAi|OFxbmdfsHJ)2mSrgzxgzch;~B<0oV&y|2q=xMGVoLVGgCn{>xH_(r+- zB-H%`js?OQet|Y{^TqH*mz1z?-dPO0ky&#mvE?KX6#R7GeTL(G3GQ$?MSm2IF|J2{ zuWoXA0X~-JeH?*&xM#h}GpHxX2ucd)Z1IJavB;Wpqk#A|616S(qDc9oD#HUL-MC5} z`<^kN6Ra8gkDe5T!1+bH$v-;E3VAk0Zocc>hA><+h!e8*V%IkWiWIt8sn4P8){mwV zR}+a72ou74B2<`d6xr673-)Q|1f#c-R8>D}6ZUHgY21Cm(_V$W)gubK&PPa4lfk=2 z)Kfd8_4q#AtOOuG>(dNu=s5fx>QQq$EJI3R{sU~$@@c`@l z0265kxZ(YzW8wKT13~y3Slyf*>_M$d-i8oLUa=^Mvw%Jf@C)9y&$3^nk)fBUhDC_a z*&$V6EMdLc^n(jkfc7f`{Ud0BiK#ydEiu?m!M8{GmNk8+&EDuEcocjJu2$vpe3E!_ zZEQCCx;MU=ba;9k9Jo9*+xuqJ>&~p#1cgENeR$|j<8b8s<7QWU z91v@xU6h{S0km;-uqTO=+6hnWUR6(Ph2sWCjFx?f_);6&lbYerfHx8wI}>qud0n-^ zQN+FoTy1>LAGTxMec7Mlg3bnnF;^5yyddRTX@zk0x@8cui0R7hm~E|Ar%r5BIC(6P ze_;Alfzp6y>3{F8S?1*pW0yd}iG$J5?`0`8DM*us@?sy?!(WZPElGd_J*N7`NI8Ge zmRcVTWLG+x@~H15F1I_et&9(KP1lfTeCWle`{4Kjk4_l*U^lcK=vHo7Z&43udszd% z7z^=7iT&w0Ov*fO7q%)8(J-wZY@z@-Q(!>#&ws0pz`-k42`;~LPf;KJo{_s#xr(Lc z0sGA-#MBqfciAg)0Ihot4_wa2M~s3M+YbLa$x<=^7xk3LmzW&Nrmf`p0!$TGAE0EJrIr<<+(Y zE^qWE^%les#7cy6EfwZ~jQNrza+cfWYQM@Rh0q9*rSL`XGz> 
z8-XLvU?^e!!emDKQe#G@3j`8m=)b*#i)NTcke0ujMu@&!zHw5Piw?ctiM@*rkFB9X zaH5Kd9hab?q7GT!p^k+NV?q$b>y_ab=*Mg3X(wtV1GEaVP;!kkveb>rbCWWP^c6G{ z6LNnQAw@mFJV{eQD?J??Fh4L!?;kwu7v9eDeCMf3^0Dv&aq)fEJ|?2&OZC?BqW-i6U*veI(o(1;N4ui z=kfqzrgy(mDK#3SL42W!Si@OSNEJVkk~J=P6IgI^_NI446s20$tZtKlYDyMz$WE*f*x1Ct9NHG50_cc+Uec`T>?0mymaj-yLdxy3n_`Vs|gSwYKBJ1I2@=IlfDoCR#k&6K!6e!rM%482H81MX#m^qQOlppv!F#a zmHf>eg1sWtAG%dYK;8cvlvW@Q{|G=RO&emudW&_3ur5V6@sLACJqg^eEa5)3C6Wdn z;$FP{&$LQ>(QwLU8qvd>o|#m@0MYGZ3xq+U*2g<+=M;BG*nI3RLL{3Np3$3hT<@2Q z+^&ddlrm`~@JdY;)BC6=VP9M7mz%Li2Yw-29o_P$H3)_B73 z2W?alnBMR6g{zAdmaqv9eG@sF@jDw@$iy52|qP;fGgoU7WNtdw~K0-;QjJ$$uWA{4mQQ2fV z*Iw*`hvify6!WMG>cy+wu%K7hwGqhnbi5qkY77NuhXt8!u6dhnM?zO=Ddce(1>-;) zQRCujQcm?ZbY|b|!asiFH{Y>_0&^Q}&F$&1LOjVZj#IUApI3Cf@r9%?EOI(8Ennzf z)%ZX^=w+U6R0n-f8AP3TRxuanb{mhBRM-fWSk`>zrH%dkdGF+j8E#tOwW_q1YF~() z49H0O)!U8J2i*n+v)x2{gdo2W)>Cp_WbmyH%sW&~-qv!^kIvkN!x*ngckI{< zhS=>rGl283KQ7SGZ!ZHzG6olZxez`k>byV$qPov4`NP%|cyjLqe*ykvR zjF1nas>9p|+IVX_t_t!z3xgZ0GWztky>#FJx7UP4`l38LK-w}aS9;sCc$iWjLqTuoeMg1>1Cf>nlmHK#DVZ;@ zIYTo=m5&re!|`Qns`B=l=HE7(J&9n2e*Xa^E6S$r+(iNc;#LO&LjI3}Z)E6f`u|t# zd93ZR#S?elsJ(14yo0eeI5&L>h=^nNfk5b59FhJHYi|Km<@&u1Z6Dc3@#j(hc&x+wIkV3=&YX3vyws+fpw|SiJbr&7#W;lsIz^)b&>rAKrDx82M&Dw^hqGR3qh-Yn6`)A;9)OW#%T~bP^|%=Us4Nz#>)6 zE4QH(ZJk$+Q&_+T&S{YDmZ)J;A*9<;DU}G!?K?a-aG_R6dTvLu|KXtAx9Nf6mht09 z^?WSt(~0OcwGkP|%VmBahnJoZS4KIjD`u!|P@f>4xWZS^8D!)+8O|UeZxDQBu>-Ck zCGof(3Fc)mltv3v%^~;D=YSnnJjcPf8IEdAKOh*o#ZC%6FHxMD z0fY>MJHibWcyPvWL%QJ{|5nXfOhqt#+yTzc911)J{G=O-dVX2FHL|C~Gh&N_^sm%r z{n;P9OPf}TKHg~F6TvbC+oQR;w!I%$6_z}e!4;~~Q*nmPsOPlLdw+`r`FNE{tMLH0 zX47L3F)@Q(EBFAbA}3JDb1QQmv131o+y`9tmPl9_&V>oLO^4g_Zs!=qH!LHZc!?*4 zr+9{9H$7iMyw2ul#bbcZex;C*Gpp}|QfXTe8LjM6+0aT?!34(1Tc4h# zeV*-5tC~I1M`-wzO5vG>`YRs-Y^AWhCY0?!4a8ct{uQyw$M=Sq)TLVu_F#gxC72UM z>`%Z94;0RM2HH~IZ`qI|voY0YzDKLzx*Ljc^7<05EIQC>5-r5ZU@eCNIpTy{5hiTY zh$DNHTjb4I*WE%xbnnL9vwr@mtmVg8aBm|BG~QHWxO1R4pM;@-J)JYah4aOL>q9CF zD0sHIK(GlPS3ZcG^)l?k9rk4`2Zffty#QnSgVGdd{yPVo=dic6nk)Rrbso6!Hd000 
zK!KIXeKp}u!(W!b@}!;?ZeZDLd$;NWPk;qUbwY$VM)LWDx~XHKC)@^jJZ(XxiT9#4 z7evhs;Mp4%MlaU)GKp_h454}nYpOwK@y+9~b-1Wwf}}ks95YS>N3$~~hblBxse`XT zWp~vW$_z0DYl$Oq;_X?K2=Bs7fyqq_t_~b|Wr(;N*RXOP_S-)Bl+szDC-tx$%|ADS zRcA0OW=VQtwx@5vro;Q;$6b*nCT^12{JF4(WJOnf7gI1JuT(WNYzh$*)4ReG%Zt6S z3eV!CkY;ZxJP=l?>Pb&Q+wv+GT8>_t(ZoBZa#GYG?#0h`2xnH~-FlDFJuQ{kob-IK zSI)>l;!w>}R%q6}id3(0Aew0jYaV4hba?_P@%Vuhe2F<^grTOy{Ht3&4UZF41RqNe! zpEy7zxW@yD7U!j`mO^=6>RH3#*}+@BiCI#1D4B%a7gZLT{H&a8?1+asNA{oC9ZPbb zdL5;!At}=muZkTu^{3@xxgq9Y^K2`Yk4xTYDZg-0CV3RQ#mbtS&whV|nBwdJE}eIv z#;TP|Yd=+{l=Jz(3AqjM+Xpzi*+bib^(pJj@mLSzsc@*#5K>)@lKiZ&cc$*Oo8)<2 zLXYH?<9FZHvx|&#eq5e7CmmIc!U-n2aDe_Xu>;pg39(!sG z`n!1-RT`3v#Yp5$vDk6tH?$aT64B}VJCsDfh(%U~hCT?S^+{Nr=cFHouGptGWrN_u zYlp$synoN*2F^O15f3IDl@92wv0wnqP5mYXFMGPY)-y?s8HrxhQb*u_R$Eg zT2LzS{Tgw|VFciy!_wuVEduHAoZ$B>pW2wSI#-4x$x%>4Dv|F#wR<#%C$MW8k`fu> zsb`OeHCtRgffbKaqgdaq_ilVdiR>j)SaeDDv-A!D&LPbqwZV|CGem-BBZiJ`XRoQ% zM?RGT=IGOSm2tkW$1T z#9jR%8vMxJ;TMd~>m$&^H}BU!-l7;7>^V0E-r*wb1J(1Jyl^k|Lp_m*M#qD2O$oPU>}wjYLDGF>v{;9i z$7KuC_FzOgHy=<)WLbCoPFkjAmNvZnV|Hw3h;h8kbc>Aj^^ z%@De_mN4eV=FIXW34F~AL}lsmwzE8c`4_R}C4LVQf>cb`q?%CYauP@4A|DE%9cFC5 zPAU=0BI$ZvE);HKFK|HvQ``@Rg?gN@LK4Y}L|*a1^VpR043Qz$B-fL++&V4tV@Ckh zdHK1QCj?66*ex9}NZLTzc3P7jSg=sPdvo)Cyr`pB59dxQ#y)Nn{V!I|XK!X%q*W1L2>*5#qvV-i1EG=%qs z*xZjU#@;zPt2=IXP#uiGJqgCu&$7@tx8xra^7oeXKJPWBj;q=VEAI=Q573Kl%zBWJ z{4T+8wUxkoQukOA$}i6a+Hac^ncLrIn^R1M$KU5JJ~V+)(+dx9wEIQal{SYBufwMs zp4}ekOz&o@>2QxR930(9@;&AseVsl~gwqpCe-2v~gubp)=&FhPm|ZX1rQ72bSM!ar znMX-_Pp}1@7!tRZt+SX^l)MaO`(yO>{m% zr?86r*`?5_IF7-(hCA(Oj#ay`j>#G?mKSwifm6~lXbXf$W!}>z?pUtEgTS)cPIehL)ipvEQhe&SB`%h){6%v$32Q!SI8?>jzkui3V>1LpE_gP{?*t^;c zRvr<*UQE^#jF)(eVW_^8_=q_)WU0Sr&8v^HCje&8u9Jj<;vI{wC#5bY64X%Dv-a@g z*E;hWG**hm!yQc1_s>*A(a+D&iaJpy#mio241AO>t5VMmB8ub)YTl!NPxNG0#)bfr znY{-c_%0`W+e;7cmZZ)WDumO6NbyL;7qJwd%=i^gEW@XXVKOu}8M=z%=fiMkTFIPe z<}`B+B-~u7_>~7S(#V65FxaXT;q6b$#qSg9go)OSb2rw2eWFD#>YYKTWm`zk-jJx} z44H{7Z>Mucw)NV|XG`_$1VJC_Ugl1>rMo}r9Z6#(Qbc!;s7QkrJd(hMDVkwY)eE}K 
zlc`n~^tK#^KVT}J#8Bw+M(iSOH6g1MgZy^IjzcveM3#7REbN6|Qv~2zKX? zRH9%Wf>H+5RE5FE;grc@uH1)h=@2|!3g^&yP$oiIY%er@-(iKfYb-R~F_X~b5r)cb z3T}F?F~hojw@by_mbpf{bACK{o+Q+qDBq_EZwi}zV%qNf9eZ$gzEAk@i~xEBGNhcR zD35hjK^;B9;zaLmBZz=>zvg6WW;u@!U$a5)+~F-#i1(7N1;ep$bqNKapN zO^u?nEG{?sbKi8zX$9*3G0!<7q0yGIg_4gWK~(SUoa&BFc%0lOApw@2bW|VrxRj|1SJ;G% zjpU4WCA}C(uVd<{X4&C5iNuD2Vp=JqR{VDlkkNw^x9|G|4eHuF?X~Exby3hZHrl0$ z7KZdm?KFCe2BywUJNm#j7_LS~xi&yosc_emc*>gxAK@d$5=;U@9)JJ6F;P6u`V|b6 zw=|F#+pQAQqaW}K6BM&9i0J(|J%Fz@XOf$|i$ftNpv}CofQ+O?%GRE?KEnSRdwc03 zW@~Ty;_{_t$$|DIUFc@L)5}UKdyDl^)OvFn549SEn>~IvX!3gLQVr{#3ng?bFP z%M#hl7e68lJk@l>f~66bSzxc$%o{1)j)pCDLUjT)5J>B}LS>^Xxhr;^CiIOdyOD1MHm{M;lAJHObU)k^G` zp%EpI7L~Ym(}LP>IYEZ7OaVr_C7K#$kbEYMY*~wg&OnZxOZzm~1UL^52yU_N9xY?I zz(NddNPm!ssb?`l+qJV`jC*_oF!Xq9_S zefT4^l(Yp0MhItQ3G%FL3IHa0v|yn>lMY zf}a}YHK#2q6`>Z)Kj4lXvzj&)a2tj)>!^bjBgd?Nmtid(TPtyMpJLs8H#>l83=^(!)6)q^v|F6%2d}MEL34!Ce=5=%~u#oI!|GnqBokT zMu$`PGMVUXU3kdYqE;S8kgHDmD&cI-x`o~r-)MQVGj4rXfY`Bbas}^Fx&(J4b&_hy z5x;CFgnI+ zG?o{jb*jO;_0mSMnYs!6_rSI>aUz2vp{0B&ogJLBS$%@$gzk$+v~#DQ5OpHT(?DZB z%`t+`(u?*wV(d1~P;^jQ1YY)_G3IB$n`gmC9K^0(hvt4Q#<()ed@6+1ZkiSPs&zjV zl%g`gT^d8bcR$Q`_28z0_Q44dp^j)Y z1frJMG&-@9r7P4sPihPeKnv!qbk_ScjXd}o$!i)K0VM*4Gt(!As)7Dn(qaLY8hF(Cxz}oT4X~c)#>0Oi*%#Z}Kct90=JjWuiB2{JOZeA^DaA*tg!O%?tb6C_E0eJ5tj8u_NT>Wkb zL=a=LOHjtV(UCqu3nk2c>AvRdy5|v4$nW#4# z3$Z34eZkGpt-d0waOnkU7$*KYnZvUX;uKH z*S2;Ey6ilYZ>{tXWDX?B%6CRW`ZnvD-by!qv`#dbX@>J;n+S(AUMDP1PEPJEqsg!| zvg2l0lqOl|l*7iPdl2(HF$*IzNWpy``EIT(%PQu1dZ$ET`~%$RySKd^ zqXpPYrZoMc-`K_64`*{lI#q7PQJQYDt$tE|nsuj{B{tue@5AdGI2R1Y)*tuUxtvcH z^0hwgxSp6d?s+j3=RKyAvRFn*Xke9-D}Wp+wWdaNGaB>BA8 zn1pX*(xnzX=(eu32bCIq$;8~O#}u}Nz(t6V5!TC63cfl#gim4eyK_nf(ha^$_a19y zYc*AlI3`u@(%pUafUVbvoT9(_O5}$9VzT2Ic0*?e>Sk5W^NPOv7tlShVHtHQz|ijCxa!cq1n}{GQ$i zp6u-0P70F#@{|!(Vlb;9U2@{X=IC*Wab|S+hUSEBPZ4q*dZEiGb23Sown6wEYwa}! 
z(QG_98`&^mm(S5#>lgoC)aj=>8MI;nN#GSgz*1;MI;J%^l*|5&26l34yP&t_JJ+D z1Cod)jro*?N;G&kEc_0wZ|v<6k{N^&E{VzTc>@KB<4Xl327jlf{j`Kdo7xayZXX;s%K=f${tUlFN#T!mg-Cwq|h|;>dtK9v}ZL68{Cc< zyxTjK##RE6)izw`LgD`^y#ta zK*&2wb(%OAZ`D^ap_JEMqTCX!){Mz>xi!TtR6~a;any|C<@N#wTDan*!JWe1HgYA6 z+&L?I2y0Y(GSd~Qn_W<`(CFfLd+SXM*)C}#%EVNdLaKOEk(+7*?t$t&?7gNN_zar5 zw^Jp<2uiso0z?s-4c8>?llY~3Eu&X%lKcC65mEM(*a;4FP$xf}ONeqAB%2_1h>>95 zZjePT$AoXSp75S%gs;9a(>A>rkItQ-?*H_o!s|H5Jhy776G-MWGf7*r_aD)%4~x2Q zIqQRpPtiGbcq_`+d~c=26JZ*$-=q-Rc|+{K?OPy3+Cd2Xwe>89SU^zbJ2!x@Xx|iZ zp-I}u9L?~^6>V(=Yi)Z_Hy~ubVk#QBOhIQJuuVm!4?fjoYtB1#S;zVsUp6!v_Z1Yg z!cB$YBHgvi3Dzf?p&uprW>4ZWgOU+C*w|9)k3WJkH|d+%ZCt(Xw4_-w41v|aDU`$r zjVogor=AnYr}NN)Vuxn3`#%VLd}YGzEjnbr3v)UU-M~&*Xa=)MoWXlXhTlAu-fcpf ze$Fq(6*lIUeHZ7D+#9~LZds)}LmdVUzFy7fDmHziW66)!oW~Xnz{AqoW2!$n>tr%9 z`IiPY-f=O|6Gvvj|UyDB0hw%EW)$3jpu%`QO;0~ubkM1GXI5pj}p z2|NZ5k z|9roIN6SFRO2r_ z2VS%d)MAhjyU{`jQ$`d^!RW7gej2SwmrK*>6xD1kIkj&aY0tDTr#)5S!@mmQ?y2on zw%Je?^va#Il_9QIWWbZn_Ey62?9|66{!50As-88rHRXELu*Tj~_QB;tI7X6vDMO*& z*{z_X*~_>6#kc{eXoAkB6I%$i_nHSg2GYnB=svU(=GY4(2u8htU?=mQCl=$YiHnv1 z2V;2lDS;M_yqTGNA9BVnHrQNjpo3CLA=kj%fYsTO33JtBcSAO<(-O}b6W0}-GJ)6) zb`(N-%G1c?7%M00GnCeh$0G@iRDA+PC{Rlowqb+35yaR$K8w z7ig|3uuaPdYhL!WABN17`l~PwVSrb%yBgjPC7@d=%9$l2i6^UsCEa8=w>ME9>7&AH z8kW5K3dq0I>5%+}9(s{|EW>j0JSLmoN$8h?D_9G1}kVfyKOjT;JQU+{;q7`hw@WZ(De zxaTi&d7ne2jJ4m+LwJ#C<|ezY%)iR39!I6!%3RCN)=F7`ZXS3@~dq|Fo zheW;V+Lha_@GLlSk4x9iGkc)@WiOC1`i3fuQMjaG3%3zPx`KoG!AJv=k5NCUkKLt~ zD~p&*6wBg}C11Ur;bCaRF;l3XDpoX{zQNoaL0)QY2}*%Ra}jw{uqFaO;Zk}Oo@0wx zwRVDFx05C{=bS5*YNYtkZ_`vWl{k)*OA}JVw;BJH5-1jmBt3~z!LWEz0Ma? zGW2EWFTDpDP%$3C9Cw@0425&D-G@o(+oRz`_aH_)0Y5bvu6z3AaTdOGbylp^D?Xl9HqJOguA^hu^ti~o1()O z$?wixd!C_R?Sx$b&4-|!FZ3ctzmAGt)!39!suLvKIBvg{X8We<>AOUDMOydjqTHcw z`WHI5*eZ?;P&`q@HKT80eQKd^QqFt2)@WLHz#)12a*wexad5^&7EY4Zn_}%g<0?Hy_zC(_rgcsv!m-!i*)>n`&v!XafQw?9m#^ew{rNO zM)ajry;WjBubJ_vS+{&D^RdO+x(+O*AvGk;NrrY=L06PVBGX6~Dz!TQ9r5#<{c*8N zBU@o|ww@C!x*S zyoBxWZnK}Gcoq! 
zS=gs*NfTM`S_$Zg3gxM!^uW2jNNQoK4Z&gXl-ogFjH#OOM;k?5Pz$aOo6=2pHEAhz zcxzZDAHE!c=-8d~amEz4?+ua;+LN(`k2JF$s!nX&%tjhkoY;~i#L$zo&b@Di0|e#C zn2Bz(_CcXtx;#dGi0=k-TC=PoHf#DC{1s8#ZCY~hlu{VXB<*dASZcLcCrgAGYl8a!5zZw7{$39I2IW_qG`(%i?v2Vy+Yh9qTPKo8b*-sT+L{mRrtdg z&zWu$O;xAjd5WF4FHf}C67}S2sQjL3tdOwE1#w~`Ab1dcxNzKg<~q&4y>)_)Z6srd z$aE_O73-;&G!<#5_AwJK7iN*h%L_9CJLEJFUP?h)^N)|qwpnI9(+1kS74X6PbwgGb z6BfSzyM7GUFDBJHh#*Nz-PhA!D#!4adCu-ZuOzJmO(%VcoR~x>4P5{|RF3Qb!vHhm z0Q0~iY*#=1;33T@0wt|PZ|D6IIZ7&OsU=wP`;~H(*(^i7-TjgyQa!mo0azqLRX=>= zpnLc6W*zWM2OF@IB>uJ1_r(Q;rR9a`?Cc$Wr+T8C_Jc_VWcU6o_FZuKQAIJ=cbTSE z^A!{swnkjf@Am5IBW(jQH4&vMuz^?Sdmc{x{G=h1y~zTe(` zvcwH(@$$}Glk|QRVH&GBGI6UB;r;ApR&vvIE+`h%*MIF-hyI@KNY%Ti&J;RT_wzSz{x(hlvS$57|hVH#A(C^qs2 zVmdx_ss-V9Tw)(ZL{Tm0VnKuKQiz%n%*=*~5z_}>+7m_>y=PJ#rcl@MbHRL0BfFAh zA#MQ=OU_De*hY$$LE}SAV@)F*WdMJdJMk8;?Tz~R*O28#sz(J63O@yRLxeIJ1P0yC z?l689K{0{rl8@3A0&c{Z?M1N)=hoYa5Lpw;K+>deZY(b407ErdgdWFrDN0!umHzzk z0&AdQdYA7|wq&m^nGjB@l7^OU(};4153Fs}v-XzcIEo|W=jfX9Zz$1E-xBw*#+1;o zJUjPFu%^P;>os9P*nP&WlHubs^+@I=zZkFIX8bS*Ek~$;T#slnWwFr9id(lKvLA2@ z^eJN(I49Y--{J1UK(9~MOxZ(lPM&6(r+KqfL?Y)%`C!HZj}4{@JX$Ly=7~v&$q8&I zl5dDYTwbVcKjA6F)yZ8EmSGVXuR)(bq`$5V2WuN`3qvPE3pxkq-`0lBBVBtd#{UiR z-~DVve+?ohEUPFiuOR$=j{nK};HvuVw_}>X0ok8FzmY61Ew8|T|Gu!?@5ZteA`TG%-d@lH?H(+yH}Tegyt*j&}BadeKDcVRH@hbtUUGKf+?YBVva zLTl1LTXGObs}%#6cj<#WiD7;-SV6FDl9Evzfw_?%#u2^WpI*0TzZQL4-zR2}E6%@3 z=T>1``}D<@Y}*}@RQvo-$N`(5PTx<5;pe8Sx#pB=9%`@UGN&-rk3uqk=PY49`i9L4viDb3;3K@+BS z0%!5hp5rU!pq14(A3o;WYqk`Poz;Kem`MRa+pq6N93h-ibTra@(RN2)xDRny1A{MO zS?NizA!<0xhNc$!kh;kLT|Ps@Q36=N+a-&~O^Drcx#mHv4&!;&){Y#l1SUzv562r| zQ&#b0dzeiz)HnO)1f{{03LAU*jr=3v={A(?HmT z9=^Zen9(LcP7U=HFQe(Kq7y?Xwyr^4>?10jZ#xRJDU>Ux`G7b4gqC^A^`RXLCw{1& zr3ISsy#=GbarB#v5b9}L_=T(Uoe-YORIX#J>o3+%9&pri zBm{b2tnhAqJi9o`q+rcp8Nc%c7AA4R4RNI;nWX1pI4XC2pn!3^8TD}Lej#;SMo*Pb z$(o(<=mK4T?2O!6u4-m33p{T^ZyB;Q5-~Pr54++%`iH?gZT`c^VA5m{3g+I%CaP341m`q( zFbAmUNYc{w=qoYGM`a9Q?ou`7{L>*w#To$a%|P>Sa7MYEtwK6NI)6nG^x 
zmcwVg#^N7H-WSb;em}A$Ku4bkF>@JG6WJ7V#!CJf_~Lx0(L&Rb9k!%;D{?FkZG@JD z89&BL36Ezl_OjqfZu?ssxG=1_Vc|O_a&IBJJ>J!0Sp9Ug*m<(MzO{;L*X1enfpwGp z+0l`7KY7~w8G;uyLYt^|jw#VvixJUM?;Ki>oP0M3Ub9W$cH?bv$8@H8vAW*JplKQP zuD%6Xi;<4k;A5^7a5Rp)M=EysDLDV|k^n*^+%6Hvf~C4as9T_TfJ+M#-ozPvAu5tE zY_lQM7p)fo0bZu7=%GS?@}_N6OlAyKh;DP83WBNl=#8h;h2e{N{7?DoFGFqen<=9a zoTlhL7|oeJ6<+nW9z4BBH$T1~CJPNo3q}%QZbhsHfu&X&DCi8+HX}i->@PUIPzRB^ zSlRka(Qi+4U{4#_Y0lYX#yk%!+0i_I%&In~_>qSN0W+qfiTdkqNvl)^EDj2G1K84? z*TfnF43aRfomEJ~;zwIH&}|m=QU%?WX`-k=hG`J>7zIz1rWM4PcDVc;?QE!X77Q9` zQ>+6roYi+Tl2}un;WJ00t)0O26JO z3n-eP(N|06<%iPeU3c$R@-n9Z>ufLR1~JHo8-#5ynkgxqpn33>SBLEj1K+IE6<;yG z@7n*o=nQiw%mlG1Q$ka=jIflQBoCF*(W8~7dR&g1khzA`O9Q$m%YO~cjBbJDafg^^ z%5z4x4+8~w18L7V%2D4Wgt zx9Ua2H?dgR3$^Me@nn@(5D3%-F>>Bt#;@h!x%ssyKarp+6PQ17;}ls1ciX zQSDBOvDU4;{UN9S}m&J7*eSH)Zz?;|Gt6Ktt67-NSYTDDrp4QjBC~`ZvD}^O2`l_iZ zEcjL-LxLP_24(%}eXUz0;tRd|D~z%Ndr6O&)%C?3UL{X9``=IFxuF3kc^Z$;z_~85 zR%$9-ezI`-ZrZGpYn{zlI)C3{*y%~2)&tY&-h$$s%%eb~g9t>HA?f3D zP(5w;O2Iu_--h7U<((6AsM+F!nh|Sjgp!ldqHUEP=P0m%huEtcvqeRh?yR;pSpngf z>qkc|hHz^njnCyICuLw@oAq2zo`;AvoFIm+Wh&fwDWjn{VarPf>!bHB8@IIDDi1v_ z&6Axo?It=bUd+G_|19i@Wy?qxsFwtm{RUm;5?xGnI&{WTxqnZiU3CtNq*x{olLwCf(ju-WQ5%iMf3UFE{xaN+Oj zePOH~gHN;8R(j!C<2h1s-s=Qy(E`Il>FChtimY~u&$VJcYLKCJYEh=dQ(oeQH7-k5 znvAM{%j_9_V&_KApV$%BxFxvAQol z7XRK@;Ix>KGQVS(sEM^t`b|!?cFq9Lq_yM``j8r$(H#Cd;r#)6Jjdq&J~XiNYc#` z9hnsirU#f1Qw%^T&ATVbHU-gX}HVpZ%@ z@DL!IzZ*ghOMLpw#0GMC(N8F~@WsVqtj|*yJ$#IrDnf@3itIs9-r^(UbV8??8z0Hk z;23(#t0*=e3S2PTE`}iw!mPQ7g{{8LvF$kJ_ewBzqD39d7+=nt)NHSyNk25C&@->> z$|D&Yii7gGtYAAkg_y?mym!-w@+=;G8r>sQ3S8RTFK>;-#rWxNv-~|y8M1xq4lh2V zkPqItoY|YTT!}sQ*~mNl&t!KYDbJ{G40D)N$pLrBQRCAc-p(nd-bjxXT#!d=;#7W} z_70iqJ$J{zuE0|Q2`4O`@O1Am%@$vXV>J-5Xkda_Y&D2S^ez-73QmN859OHhYvkMz z-(l+A3C{>+#nko8>MR@-Sz^BCZK_uW3#t)n>yypiLzvD?EUHH2={tOe4C)C$KRqTkwguWCYxSzeit<81rksNsgKN^)LeO zmwe>~{VH-~tDwPZK?bJEHYX_cRYa?R)79|Z{OG{RB-+ZHJ;XpIPU@&)t&b_}%!mh= z$N2J8{e8%n4k2~e(*us^bT#51tTNks6}g%|(6Z~l8Y!{$g0x@5uDb&Pg0zt>0j05p 
z%w52+$Z%sa`Y0DpCFpm<3(1p2Aij|b<#tT(ii+O%HOx=%JvzHsnZEesR^Ln)e;K(` zEPPXi^?bhm7DF3RBH-D=I6vOS|K8#JzCxrx$>+iZ)^MLc$iNEG&d}D;)Xvb- z(8|I7+miG1sSd%v5Bk3>Io)`G<11JT16>h{CQDb(-oZ{+-{B8JzZ(t`2`Afv z1c4p`M`+kr44?bAP+bQHJ0U}(ulD~^=kMavp%|Yc0wx480C!feh$lk&YX3K#KZ`fj zb9DIfmG9p<7}9%uwIqb2#*E9yyp;ThTHz zG6JE||GjD7UH2sFHl)2GPyv0PpSS&z^Ph7y-4mMQx2EYk+S&i?(c<5E^gHZG3{+}7 zP|8w5KN`Fo@>|&N>2XbiKcW-VX#sBD%KiM)JO9_X86zh9Gl2izfg1WBA49Q$K*Byh5>(P35bOlfIUX~F6ybgS>dO9Hc_rU)U%r$Y{PGwMw0WUWJ{p#v0 zr~c~qxZjxPn#e|3YLxE47>^AP0?}W|Etj(2BY&prYl2c7^u7kxPoR%LDP485Ud``8 zzZCFwaS6FmS*rk&odZ5s-Q3swd)#mQdrgba78leW02aFdj|p5IZ4O%gjr<>bm5BTS zW+_mo%D~F#YAbx+`)}d@xbRPn2;WNd^XM0U_*MQF8u-K9_j8eGS46)5QKXeMa6WJG2g%=) z#eVYbsw&`YE?^UYW&I|EvwL3kwj-KXoW# zXKneVFt6L$3C=nd)PdAW0NlfIMVT=2KPzKw=pXXC9%wOFBcnzA zXZT-c`86XmGPfPS0z_s57&Zj1IHQFA&)NWU-9KSbu>OAwim^`D;u7GM5uo0=ujql! z^JhJ-^o47BVrOq-M-@nkXFyzpuV`Q+@MjHxC5(gVXF}Ef-)57xzO|#3!*w&XBt~J8 z76=Ln5EPLss)&jGS(RV(u4}qwvb||Z9dOHCfJpeR=yIs=XI=i)0j{Y+r2pTob)&b-DWuu=w%;26wJ2 z=x=rZjQ)Rzi)$+2pm6Zm4;Z4%2|vGa_J8**Ax(d-z^{1wPrdT{gxF3YW!C|W%OODM zzxK*6Q@{Z*MSnTjx;jODr{}*%S+#i0ngle2;(yH=7!E&2`DK6ndr*xmP(bEC0}jm< zcj7z$9Q5ZD^Y@6+hAte|Kmcz60i?QuNCj-+|IC>`q4z(*{e0cwn?q>sj)3mIpWhn57*3e+l-j z-mi!Abv^XOV}rlL`98M&?V+5R{}T{9z@#p>Kp=@LTtXM{8-ufh&IDS@c(`0Eb-mz?K0plF9!+og!qC2sFL{Dt-m{Ty4J8)qkbPH#WGYC*UjR zx;lUgK}P<5jQ*t&YSjEvfnQbWpBU+T|8*Jh<{|=MLjYK!e**9YHnj1VuwV1YEM$n8yIj)m{kK{!5sjq}ksiqEPgz_XDM_0!-PIR}3@i{UzcLEc5qhC*5@~?Ew4w z0sE-0pv4UR6765P`}cTtr^(0KK-~!31p#RPcT}?+{{in?V*W|`&l~&KE#xn4ieUa< z(!ckNzim#+7-lmtfU`-@H2X0c$lY16@0Vzuvz+Yv<>p}eLF z>p0y5sQ|MuqyM=3DP?Hw5K0VEwIYA1g!tM?fs?8Ytj7*{~wG0R9oLi3Cy;| zyO;n#6_E2+PY>)Fe+BYGp8q{qDMLpM0l-Wj0sN~=-F3EKfyw-sOMimi);c zkFvjW>fa7YtH~iKviCqBwYcvmnqRnE!tn>izYG5-S+2P2`#B4!}}-Kn~ye zR>_|eLi+75@$5e5^EJKNa+)OS3rxDB|6gg>0TtD;h8IOtuwcg;1W{2@K~WSNA}Wa$ zj9qboMb^MBE})`DLlRA5jlDe;8_^j1iv^X$Mq){#rWt#T4I{qTh$eZw_uakRdv|7U z+tG72$KyHqzxn$=|NJvIOxpVJ3~sut2$-3UDvA}cY0p%TWxfVOWWU@og+7qqL0h;KSbfM&oWwIZjKNS61jbh;+Cu3LM$fvDs5^+W+d z)7hOj#d?4!DMEbQ_}frOY#1cWN(cgZ5ZQ; 
z0%M?4fpL|h2!l&9YZn+2>G#i%ZgdaLj3Eu^nkck2x!4q|D|9FPlIMON;brXr+7yyI zl5{N@DXA{_-hj~yqc1`C8AyVS2pgLfO%hJC+A`wson&*OF~e%p_HTI&N|h0pWIum{ z#CS#X5P}D99v=N@;!>iq*IhbHW!=7{_pd?j6W zJYw=5%m&G+@mJguDnTeSu#r*)9y};h^I>)SB}F5sV{B+dN!if2fvBk#0NQSErOoYBZ zZ%B;~C}Uz)!N!VMIKT7BOw1o2Xh$Pn%2P&!Ax&aMe9&Xp@YZmaMsOC=JNI2sM&zPB zqflpr_s<=OLV992y(Q{>TNyA>zM9qHCwu?1V@79$9_|p19E5-A=Ajr3Q1QjZ8x!8* zte2J3UrXMNJdW#N*Kw(ltZ6q?Qbxwe=c`29e{XMs?kwJW$B(?WbIwN@R7_NiO6}DT zZ5dQwo8h5kY4@-$iE8%_t!hasKwkLP>RSWu_b1$*?DsTpND?k}b^W9*7jr)J#HocD zTUWBao8w24hVkhq`{75Gs&wYk9qf&4Bi#rl$#N-9Ki!hqy^Y=|#X`{eBJU2E!brM= z?dk^z+_t?W8;(-BDXqgZJxBn1ywOiMdy8LAE^@|?7zZSExbh8(FkfisCw)J7+`gn%&RCML;ICS=u}b{eos}}&{+H7KR2B0m z*KYMQ3AEE})(mTcRsUs#n41SDT*iW%JDJB@&P2t5B^T^3`OiF$!N~pra898xa6P>7A&DvA(QV6N;e|+hB#HKWa5%SJT)FCI* zFzpPR)uruz`4{=!%-A0V=hAnE!j3r6w!MJ5rBt9iLU zyCg@xUE2;JE(pG_`=&LCAiV-!Pm(Wt&51nc_$DMoHd_}?0{HDr-hC(X>Be*|gO~Rr z;nat7D!j~4C{I~Ta%{`@C0y002tw`3blgmtnfM~_GAuL_78)v|aI75Gfs&SDG|N{< zI-nP=e%GTpdI#BfU4yKS+>4Z?C^5(>Otw1Gf!yut>WTA!n$dwivt0dB8~H7h4Y!)C z% zYipw?n#Y^cGx{fnvWmXq+R)jD;VQTBBbi^`L>pdoBe_~phvHLL8LxeSLS{ZIVs|HY6?|!T&JiB|L1vgH(%_2jQcEeuR_0cdqw<6Vyj)C)o%<^OJ9ukd7c4 zzZQsmtQJx*AFJ~RI)RAx^{Vu_imLh`C;CZNTPmK7K|fgcdG@BNP5!qOZL>Cb7>7Lk zPg12XL20H;$$bB?e7|i4Lh@1=7I`IdRJIQV zOq*A3n+kmKMzC;6AHAqIrn%o*DM?C%l zcJ%;1@~Tz!vwBw{nw(3LkdJplisP%^=yOhMa4anJ8eMAlgq?0UL92t}i5xOrrw)Mq zM@U%vPOQT9N{UT*hDHINT1MIlf)(N!ah*LDV3xWEh92!aB{>GcF+a$;~$#O~Fy%MmOp} zrOQaw1#sOLM$F@9ysAVuM;B~0t>fbtRWW&Yl0To*vE}$}&B}ELkq>U*M;i6yzg2PB z5`h#yu3w6|Q6HPUwV3}Rjrw2zr~(U}7MBDqpMazzYOVnC_o+z7k96F)#)ApEtKoP3 z|Eh6p5w?#<+^H=?hBEQQ^mbvLTqsQg0{`*Z{5p;|U${|McNToA$U%CFF)cBqy(Wyj zprny`uJtnixgv~c6>K{c@@{0I8je&V>a7f77G5}ibOAMFI3$L-bSRv#3~s=4#y$6k6A zzdEH3*kg;QdIU-9M3|D@ zM=ZD8bE0qL7N2ahTCADcBbE{mwGvPK)*bfL5pG9D@ia_=@cV92=-dafV{jsZCyb2o zDXy?mIA~tW;W#i)PoPER`Ii%n&4jsR*XaBGI_%a3*y<{bb2Th=IX-;vuUds>0~7SR zS&%nRvbBD_t`mgl3tHABPoHdMh18RwFV&HH!^f`X9lDo?IhFIJTOA*$18}ArVfPKj zNa8v5??+8X;w7^y^nBJofvT*0(9#vpy^7hE%Zk?t$P 
zv7IV59Z4DSjR$XCDnxc01D7TTg|~;Q;-}!r@9b?*Q;2Y$Gf8nPNS%O?iu01N> ziMHrITJ+`X8leK`kLZ3sRZ2eyAHixJ+&U32Fa??Mtg-G3Spfr|U8&R-kCM)%tJm-X zCEAe#2aSjx(1-t2m)h-b$x6+W&L^IP`AmqQheI|NE5XD>MGlO?=b?e1BZ;+cI;~p* zWHuXse&8e|fsuYuv9VDxuJE({udmm}VdH4Qk96y7A0@P5eWRlKsrN=D zo!2?L#E8=+1NRe}u)IHn)>Q(azT2%&Gk&W+ufG(Ox5N3!?aN9!VB%DB8bD+!qq?|Q?A)A&SNXu9=@oU z$Y|KLff6UuN5j>WA~7P03V$gtCTH$Uq-%h;f&T`c#s*%VSQUcU42hWieSQ6pLjHJT z`ON}|b~G}NaA?Czy1~((4v)AL_qjJUCCokL;0MYbJ7Ex?r&=U<;>0xaPy@ zissJbsa>LuIs>1#{d6YM*r!kdd9CGlRr;lJVytdnE82496wGoh_NV06-+l;Euc4{cPTk;a?1sf$S6WV7L`d0Ir}{gC`%#DyLr(FALvDS^qg$&q!R2#TZy zpCFs0|5=>iK}~uzhdEjN=qQ(@KpE@C+O-8DNx4^#SutU-9W>{t!`Zvh@~aoEhE3|i zge~vwlV4W?aoy*q&f3->3@_Sk3#GS_7j&SQEWGF#eWBBI-{W;~`R8Iw8hq+lZ59Q+ zF@pEM>JxPY3cQUUIiOv}stqnGlo35VeB(|euoCF`G2C)wjEV$9EoF=PoDktIV`P?OfWB>+eFA_uZRnjr%qszM7vKB5VGPhK*0 zX38SC?pV#H1vQ(EA~*n2BB#qNS`dP!8BJ?i;?3a=P~N0~UlKWfwgz*8t{9QG?*1Y? z5AO6Ue&ijShjTTMMI|yq_fMR);0cV<6E{9cqpUSw23im?o5_&QG{t##{hrgf`i)-CEm3qg-FwOTEU;JP!__Hp}fBkaPn+R!Hb zo)(0lX-2!UH4gmd7qm#~pgJX;sp=jL<^)|aB6r)>qD0=Ah91&D7L~{deQxW+si&ae z(*d+m&dig67DTLNGV(@A7Qw4dQ2-(@TGZtYQrL#^(cQnmiMs2?ct8EIxdi55YeMfF zCaICfQ7XFL+}neUTKV|C=eh%ktk>`(H%d2uQejIJpi8jw(j)_4nM)KbZVT!Te8%_+ zvHwQ@ZeNfa75MtgkrkXt%L*hLtMk3bg$daE%tU{P-02UkSWRd}@Vgdn-6pFmpHx#W zQL1^#5EpfzwS0N8lO@V}c?8!DdDx_%M*M>})bg_F*jB6sA-KFtHYMrCqk73U12(}q z$k=43VO%d+@kz{adSXO}Ep zVT3LS`@E_b4v&5U<79#1e@F&eP^^}rO1k{)v%!IB*vV9=M>oCRyFdX*Ay7a0kPR0D zBOtn-_z4qL@M`p5dtVmGi$c<(EAL;zs}_8c_}-DOWO(Wga7i8;-_Dsf8CB>kjHC_Pye;V2N;|DL#`qDJ0)0oV*3~Nqa1SM0EddKr}B;^d__*7$> z3yZ${;ohy>w>35cjU?^mNs`V?Hzj4JxIjA3`=gkV@P_~5RxerU4fG~STa2luL{2g; zP(ONiK<#F*{>826r)mC%j!Tal?9xt1HnMj3$l}2oKoS-$Tr2cQntUGn<&fW?$slNw zB>sXTj;}dbTog$}z@0q>T?__yd|+INYrFxrYC*0%6JJ5ql(oDo3Yz2tX7}+VVaE|4 zy-{<-?fkE1HA5#ZgMO54kqULiAu$~X0D)geeiG_$Fyv3B%lPRFmHBZ93ND2-N&D-g z3J+mw(9pCoUHdfLr;Ka&4qRbot$kJ+rv-ST)jFs>E#I7D%BXg)VdQghTG`qa*I`a4 zunhIEpZ7&&M7vQkA`U1idMysUlp<`-$f|N?S`8u^I9jOaV~nW&!y=FViWroN4i5Qf zV&BQisHHKQ5z}{>WkVTs?Q@__G7m4Bsfx*JK7Dr>kBmVW!AG3MuVW+2p{RMWSQ+q@ 
zYK_^Ci}sI%k1RLQ+ub8el_8}p!YJCDtbE_*aL?ly#~{_2yQD%kXnh=?W{LYcY zU7T5J*R9>tW7uxgM{kPU4-C9P5{8RurZ*`pHy+fWdu2%DDvA~IKmmBEH1q=MXNlb3bxur0gR_;#19OLEIFY-n=|&;eUKO zBf4FJkqB)F4sdh!7-bNL0VqX2B*_<~elkZGNg|JX9z9p&L&r>#gmCup^rC!3t`5*I zdAVp)u_A&nD`ZR0P#2b@kvBct-iE9&`9go}>gY>F92bV4BqRWcf26}7cNvYgYHw&TmnD6S4BHLJcOybeUh{k%(O uiFj6eRj6sOnI>kM@hL=9+v(zPnC$FcIc~1aV01IO?Ob9oY{CC)F#I1tg2kc$ diff --git a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/lambda_function.py b/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/lambda_function.py deleted file mode 100644 index 6bfc2634945..00000000000 --- a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/lambda_function.py +++ /dev/null 
@@ -1,136 +0,0 @@ -import json -import boto3 -from ldap3 import Server, Connection, SUBTREE - - -# checks for objects within active directory -def check_ad_for_object( - hostname, domain_fqdn, domain_name, search_base, account_id, secret_suffix -): - - # create a secrets manager connection - secrets_manager = boto3.client("secretsmanager") - secret_arn = f"arn:aws:secretsmanager:eu-west-2:{account_id}:secret:/microsoft/AD/{domain_fqdn}/shared-passwords-{secret_suffix}" - print(secret_arn) - - # extract the secret value from hmpps-domain-services-test / hmpps-domain-services-prod - secret_value_response = secrets_manager.get_secret_value(SecretId=secret_arn) - secret_value = secret_value_response["SecretString"] - - # parse the JSON format secret value to get AD password - secret_json = json.loads(secret_value) - ad_password = secret_json.get("svc_join_domain") - - # domain connection details - domain_controller = Server(f"{domain_fqdn}:389") - ad_username = rf"{domain_name}\aws-lambda" - - with Connection( - Server, user=ad_username, password=ad_password, auto_bind=True - ) as conn: - ad_search = search_base - search_filter = f"(sAMAccountName={hostname})" - # subtree for recursive search through defined OU - search_result = conn.search(ad_search, search_filter, SUBTREE) - print(search_result) - - if conn.entries: - # Get the distinguished name (DN) of the found object - object_dn = conn.entries[0].entry_dn - print(object_dn) - print( - f"The object {object_dn} is present in Active Directory and will be deleted..." - ) - # conn.delete(object_dn) # action removed during testing - return 0 # success status - else: - print( - f"The terminated server object {hostname} was not found in Active Directory - no further action taken." 
- ) - return 1 # object not found status - - -# function to iterate through instance tags -def get_tag_value(tags, key): - for tag in tags: - if tag["Key"] == key: - return tag["Value"] - return None - - -# function to determine test or prod domain values to be used -def determine_domain(environment_tag): - domain_info = {} - if "development" in environment_tag.split( - "-" - ) or "test" in environment_tag.split("-"): - domain_info["domain_type"] = "dev/test" - domain_info["domain_name"] = "azure" - domain_info["domain_fqdn"] = "noms" - domain_info["search_base"] = "ou=Managed-Windows-Servers,ou=Computers,dc=azure,dc=noms,dc=root" - domain_info["account_id"] = "161282055413" # hmpps-domain-services-test - domain_info["secret_suffix"] = "HZv6pW" - elif "preproduction" in environment_tag.split( - "-" - ) or "production" in environment_tag.split("-"): - domain_info["domain_type"] = "preprod/prod" - domain_info["domain_name"] = "hmpp" - domain_info["domain_fqdn"] = "hmpp" - domain_info["search_base"] = "ou=MEMBER_SERVERS,dc=azure,dc=hmpp,dc=root" - domain_info["account_id"] = "905761223702" # hmpps-domain-services-production - domain_info["secret_suffix"] = "NLo3yC" - else: - print("Unexpected environment-name tag. 
Aborting lambda function...") - return None - return domain_info - - -# function to search active directory if an instance is terminated -def lambda_handler(event, context): - - if event["detail"]["state"] == "terminated": - instance_id = event["detail"]["instance-id"] - - # creates an ec2 connection for terminated instance - ec2 = boto3.client("ec2") - response = ec2.describe_instances(InstanceIds=[instance_id]) - # return the tags associated with the terminated instance - tags = response["Reservations"][0]["Instances"][0]["Tags"] - # terminated instance server-name value, same as hostname - resource_name = "server-name" - - # obtain the hostame for the terminated server - hostname = get_tag_value(tags, resource_name) - print(f"Server hostname is: {hostname}") - - # obtain terminated instance environment-name value - resource_environment = "environment-name" - environment_tag = get_tag_value(tags, resource_environment) - print(f"Server environment is: {environment_tag}") - - # determine appropriate domain variables - domain = determine_domain(environment_tag) - print(domain) - print("Server belongs to {} domain".format(domain["domain_type"])) - - # pass hostname and domain variables into AD oject deletion function - if hostname is not None and domain is not None: - check_ad_for_object( - hostname, - domain["domain_fqdn"], - domain["domain_name"], - domain["search_base"], - domain["account_id"], - domain["secret_suffix"], - ) - print(f"The Active Directory object {hostname} has been deleted.") - else: - print( - f"The '{resource_name}' tag was not found for the terminated instance." - ) - - # 200 http response lambda run successful - return { - "statusCode": 200, - "body": "Active Directory clean up complete. Computer object {resource_name} has been removed.", - } 
diff --git a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/requirements.txt b/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/requirements.txt deleted file mode 100644 index 1aacc03f58c..00000000000 --- a/terraform/environments/corporate-staff-rostering/lambda/ad-clean-up/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -pyasn1~=0.5 -ldap3~=2.9 diff --git a/terraform/environments/corporate-staff-rostering/locals_development.tf b/terraform/environments/corporate-staff-rostering/locals_development.tf index 42412f3af9a..d2edb5537b1 100644 --- a/terraform/environments/corporate-staff-rostering/locals_development.tf +++ b/terraform/environments/corporate-staff-rostering/locals_development.tf @@ -159,13 +159,5 @@ locals { } } } - - secretsmanager_secrets = { - "/activedirectory/devtest/aws-lambda" = { - secrets = { - passwords = { description = "active directory lambda service account" } - } - } - } } } From 34b0f0266c826dc61ee56cf7061a94ebde14814c Mon Sep 17 00:00:00 2001 From: Madhu Kadiri Date: Thu, 21 Nov 2024 13:01:32 +0000 Subject: [PATCH 263/308] dms_sg_outbound_group modified to access rds-db - 1 --- .../electronic-monitoring-data/dms_security_groups.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/terraform/environments/electronic-monitoring-data/dms_security_groups.tf b/terraform/environments/electronic-monitoring-data/dms_security_groups.tf index d8ca7821c75..c5c7e8d5f98 100644 --- a/terraform/environments/electronic-monitoring-data/dms_security_groups.tf +++ b/terraform/environments/electronic-monitoring-data/dms_security_groups.tf 
@@ -46,6 +46,16 @@ resource "aws_security_group_rule" "dms_tcp_outbound" { description = "DMS Terraform" } +resource "aws_vpc_security_group_egress_rule" "dms_db_ob_access" { + + security_group_id = aws_security_group.dms_ri_security_group.id + description = "dms_rds_db_outbound" + ip_protocol = "tcp" + from_port = 1433 + to_port = 1433 + referenced_security_group_id = aws_security_group.db.id +} + resource "aws_vpc_security_group_ingress_rule" "dms_to_rds_sg_rule" { security_group_id = aws_security_group.db.id From 94b99e9825f7191c1d4cb42b26032f058b6cf980 Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Thu, 21 Nov 2024 13:10:23 +0000 Subject: [PATCH 264/308] Add production helm release for actions runner to create a derived table --- .../helm-charts-actions-runners.tf | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index 936a236ccb4..fdd2a9e30b5 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf 
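Review bot: The new `aws_vpc_security_group_egress_rule` sits beside an `aws_security_group_rule` (`dms_tcp_outbound`, named in the hunk header), and if both attach to `aws_security_group.dms_ri_security_group` the AWS provider documentation warns that mixing the two resource styles on one group can cause rule conflicts and perpetual diffs. The rule itself is tightly scoped: TCP 1433 only, with the destination given as `referenced_security_group_id = aws_security_group.db.id` rather than a CIDR. The body of `dms_tcp_outbound` is outside the hunk; if it already allows broad outbound TCP, this rule adds no reachability and the broad rule is the one to narrow. Consider migrating `dms_tcp_outbound` to `aws_vpc_security_group_egress_rule` in the same change so the group is managed by a single resource type.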
@@ -174,3 +174,27 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test" ) ] } + +resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_prod" { + count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0 + + /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ + name = "actions-runner-mojas-create-a-derived-table-emds-prod" + repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" + version = "2.320.0-4" + chart = "actions-runner" + namespace = kubernetes_namespace.actions_runners[0].metadata[0].name + values = [ + templatefile( + "${path.module}/src/helm/values/actions-runners/create-a-derived-table/values.yml.tftpl", + { + github_app_application_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["app_id"] + github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] + github_organisation = "moj-analytical-services" + github_repository = "create-a-derived-table" + github_runner_labels = "electronic-monitoring-data-prod" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-prod"]}:role/test-data-api-cross-account-role" + } + ) + ] +} From a90b7f5a0f7b2719e03bbac7bea7e3f53a1df8b3 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Thu, 21 Nov 2024 14:19:16 +0000 Subject: [PATCH 265/308] Chuck all 10.0.0.0/8 down TGW Signed-off-by: Jacob Woffenden --- .../environment-configuration.tf | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 574db8dde12..6cf3e66b916 100644 
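Review bot: The release that is created only in the `analytical-platform-compute-production` workspace is given `eks_role_arn = ".../role/test-data-api-cross-account-role"`, looked up under the account key `electronic-monitoring-data-prod`, so the production runner is bound to a role whose name says test. Later patches on this page change both the key and the role name, which means this commit applied on its own would deploy a runner whose role ARN either cannot be assumed or resolves to the wrong privileges. Deriving the role name from a per-environment local next to the workspace check, instead of repeating a literal in each release, would stop the test and production values drifting apart. The two `jsondecode(...secret_string)` calls decode the same secret and could share one local.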
--- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -13,11 +13,7 @@ locals { vpc_single_nat_gateway = false /* Transit Gateway */ - transit_gateway_routes = [ - "10.26.0.0/15", # modernisation-platform - "10.40.0.0/18", # noms-live-vnet - "10.205.0.0/20" # laa-lz-prod - ] + transit_gateway_routes = ["10.0.0.0/8"] /* Route53 */ route53_zone = "compute.development.analytical-platform.service.justice.gov.uk" @@ -64,11 +60,7 @@ locals { vpc_single_nat_gateway = false /* Transit Gateway */ - transit_gateway_routes = [ - "10.26.0.0/15", # modernisation-platform - "10.40.0.0/18", # noms-live-vnet - "10.205.0.0/20" # laa-lz-prod - ] + transit_gateway_routes = ["10.0.0.0/8"] /* Route53 */ route53_zone = "compute.test.analytical-platform.service.justice.gov.uk" @@ -115,10 +107,7 @@ locals { vpc_single_nat_gateway = false /* Transit Gateway */ - transit_gateway_routes = [ - "10.26.0.0/15", # modernisation-platform - "10.40.0.0/18" # noms-live-vnet - ] + transit_gateway_routes = ["10.0.0.0/8"] /* Route53 */ route53_zone = "compute.analytical-platform.service.justice.gov.uk" From 8e782070928f13e67b1e5338c7090160fa706a0e Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Thu, 21 Nov 2024 15:58:22 +0000 Subject: [PATCH 266/308] Refactor helm release for actions runner to unify derived table naming and adjust environment-specific configurations --- .../helm-charts-actions-runners.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index fdd2a9e30b5..31e2dc848b8 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf 
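Review bot: Replacing the per-network list with `transit_gateway_routes = ["10.0.0.0/8"]` in all three environments (hunks at -13, -64 and -115) routes every private 10.x destination to the transit gateway, which is wider than the networks the removed comments named. Production previously had no entry for `10.205.0.0/20` (laa-lz-prod) and now gains a path to it. Reachability then depends entirely on transit gateway route tables, security groups and NACLs, none of which are visible in this diff. If the broad route is intended, say so in a comment such as `# all of 10.0.0.0/8 goes via TGW; access is restricted by security groups, not by routing`, and keep the removed network names as documentation of what is expected to be reached. The `locals` block starts and ends outside the hunks.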
+++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf @@ -175,11 +175,11 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test" ] } -resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_prod" { +resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds" { count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0 /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ - name = "actions-runner-mojas-create-a-derived-table-emds-prod" + name = "actions-runner-mojas-create-a-derived-table-emds" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" version = "2.320.0-4" chart = "actions-runner" @@ -192,8 +192,8 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_prod" github_app_installation_id = jsondecode(data.aws_secretsmanager_secret_version.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_string)["installation_id"] github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" - github_runner_labels = "electronic-monitoring-data-prod" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-prod"]}:role/test-data-api-cross-account-role" + github_runner_labels = "electronic-monitoring-data" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-production"]}:role/test-data-api-cross-account-role" } ) ] From 4bb10d3c80fd8a531d858e50a7b326867e0abf5c Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 21 Nov 2024 16:21:06 +0000 Subject: [PATCH 267/308] fix: use http1 for TG protocol (#8730) --- .../delius-core/modules/delius_environment/weblogic.tf | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index c3be3e11fba..efe23f4e243 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -22,6 +22,8 @@ module "weblogic" { health_check_path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" microservice_lb = aws_lb.delius_core_frontend + target_group_protocol_version = "HTTP1" + name = "weblogic" container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-weblogic:${var.delius_microservice_configs.weblogic.image_tag}" platform_vars = var.platform_vars From 9696e95e73d9c8bef0b9e42df1b7201676476819 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 21 Nov 2024 16:21:19 +0000 Subject: [PATCH 268/308] test potential changes to the ECS module (#8723) --- .../delius-core/modules/delius_environment/ldap_ecs.tf | 3 +-- .../delius-core/modules/delius_environment/pwm.tf | 3 +-- .../delius-core/modules/delius_environment/weblogic.tf | 3 +-- .../delius-core/modules/delius_environment/weblogic_eis.tf | 3 +-- .../delius-core/modules/helpers/delius_microservice/ecs.tf | 4 ++-- .../modules/helpers/delius_microservice/variables.tf | 6 ------ 6 files changed, 6 insertions(+), 16 deletions(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf index 27ccc657d48..4e9b328bd62 100644 --- a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf +++ b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf 
@@ -60,8 +60,7 @@ module "ldap_ecs" { } account_info = var.account_info - ignore_changes_service_task_definition = false - force_new_deployment = false + ignore_changes_service_task_definition = true extra_task_exec_role_policies = { efs = data.aws_iam_policy_document.ldap_efs_access_policy diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 3509f9b3016..935e9003e23 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -90,8 +90,7 @@ module "pwm" { } container_vars_env_specific = try(var.delius_microservice_configs.pwm.container_vars_env_specific, {}) - ignore_changes_service_task_definition = false - force_new_deployment = false + ignore_changes_service_task_definition = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index efe23f4e243..4a2ad04c7b4 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf @@ -51,8 +51,7 @@ module "weblogic" { cluster_security_group_id = aws_security_group.cluster.id - ignore_changes_service_task_definition = false - force_new_deployment = false + ignore_changes_service_task_definition = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf index 503c863ff9b..cd68c989724 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf 
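Review bot: `ignore_changes_service_task_definition = true` is set here, and in the `pwm`, `weblogic` and `weblogic_eis` hunks, with no comment saying what now rolls out new task definitions. Judging by the name, Terraform will stop updating the service when the container definition changes, so an image tag, secret reference or environment change made in Terraform may never reach the running tasks unless another pipeline deploys it. Add a comment at each site naming that mechanism, for example `# task definition revisions are deployed by <pipeline>; Terraform no longer updates the service`. Each module block starts and ends outside its hunk.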
@@ -88,8 +88,7 @@ module "weblogic_eis" { platform_vars = var.platform_vars tags = var.tags - ignore_changes_service_task_definition = false - force_new_deployment = false + ignore_changes_service_task_definition = true providers = { aws.core-vpc = aws.core-vpc diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf index f03b5554344..8b7c00fe182 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf @@ -1,5 +1,5 @@ module "container_definition" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=ignore-changes" name = var.name image = var.container_image memory = var.container_memory @@ -35,7 +35,7 @@ module "ecs_policies" { } module "ecs_service" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.3.0" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=ignore-changes" container_definitions = nonsensitive(module.container_definition.json_encoded_list) cluster_arn = var.ecs_cluster_arn name = "${var.env_name}-${var.name}" diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf index 51c3cf601fa..8676dcb62ed 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf 
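Review bot: Both module sources in `ecs.tf` move from the tag `?ref=v4.3.0` to `?ref=ignore-changes`, which reads as a branch name, and a branch ref is mutable. Every `terraform init` can then pull different module code into each delius-core environment without any change in this repository, and a plan cannot be reproduced later. Once the module change is released, pin both sources to a tag or a full commit SHA, e.g. `//service?ref=<tag-or-commit-sha>`, and keep `container` and `service` on the same ref.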
@@ -496,12 +496,6 @@ variable "redeploy_on_apply" { default = false } -variable "force_new_deployment" { - description = "Force a new deployment" - type = bool - default = false -} - variable "ecs_service_ingress_security_group_ids" { description = "Security group ids to allow ingress to the ECS service" type = list(object({ From f94f7f5da687fc8703bed481eeb3d7772d3f6fcc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 00:50:25 +0000 Subject: [PATCH 269/308] Bump github/codeql-action from 3.27.4 to 3.27.5 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.4 to 3.27.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/ea9e4e37992a54ee68a9622e985e60c8e8f12d9f...f09c1c0a94de965c15400f5634aa42fac8fb8f88) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index c079de2c60b..5a3ed09abd1 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -38,7 +38,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: tflint.sarif trivy: 
@@ -63,7 +63,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: 'trivy-results.sarif' checkov: @@ -90,6 +90,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index c035475ffb6..4acfbb7a874 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4 + uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 with: sarif_file: results.sarif From 8afc278578fdf4c550046a498f3d203006d560dc Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 22 Nov 2024 00:51:08 +0000 Subject: [PATCH 270/308] Bump bridgecrewio/checkov-action from 12.2912.0 to 12.2917.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2912.0 to 12.2917.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/6fe02213c515948c8da243a6554a3bff49129295...cc23a656ff707900310d6870ca2b4289fa070396) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... 
Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index c079de2c60b..e284290292e 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@6fe02213c515948c8da243a6554a3bff49129295 # v12.2912.0 + uses: bridgecrewio/checkov-action@cc23a656ff707900310d6870ca2b4289fa070396 # v12.2917.0 with: directory: ./ framework: terraform From 2dbb16e94f1447ffa23192ea3111bb72979d493e Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 22 Nov 2024 09:26:31 +0000 Subject: [PATCH 271/308] forgot to change to prod here --- .../analytical-platform-compute/helm-charts-actions-runners.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index 31e2dc848b8..e37b997235b 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf @@ -193,7 +193,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds" { github_organisation = "moj-analytical-services" github_repository = "create-a-derived-table" github_runner_labels = "electronic-monitoring-data" - eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-production"]}:role/test-data-api-cross-account-role" + eks_role_arn = "arn:aws:iam::${local.environment_management.account_ids["electronic-monitoring-data-production"]}:role/prod-data-api-cross-account-role" } ) ] 
From aa24d2d1b33faffe69752e6960d2896d545f209e Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 22 Nov 2024 10:20:35 +0000 Subject: [PATCH 272/308] Oasys: INC2742748: ip allow list update (#8747) * oasys: add additional serco IPs * rename cidr allow list for azure landing zone * update security groups - add missing serco IPs and tidy up * fix * Fix * fix --- .../environments/delius-jitbit/locals.tf | 2 +- .../oasys/locals_security_groups.tf | 35 +++++++++++-------- terraform/modules/ip_addresses/external.tf | 6 +++- terraform/modules/ip_addresses/moj.tf | 5 ++- 4 files changed, 28 insertions(+), 20 deletions(-) diff --git a/terraform/environments/delius-jitbit/locals.tf b/terraform/environments/delius-jitbit/locals.tf index 561d1ffa9e0..e8e6e1cb010 100644 --- a/terraform/environments/delius-jitbit/locals.tf +++ b/terraform/environments/delius-jitbit/locals.tf @@ -41,7 +41,7 @@ locals { module.ip_addresses.moj_cidr.ark_dc_external_internet, module.ip_addresses.moj_cidr.vodafone_dia_networks, module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate, - module.ip_addresses.moj_cidr.digital_prisons, + module.ip_addresses.moj_cidr.mojo_azure_landing_zone_egress, [ # Route53 Healthcheck Access Cidrs # London Region not support yet, so metrics are not yet publised, can be enabled at later stage for Route53 endpoint monitor diff --git a/terraform/environments/oasys/locals_security_groups.tf b/terraform/environments/oasys/locals_security_groups.tf index e980af0f315..85f1c0467c6 100644 --- a/terraform/environments/oasys/locals_security_groups.tf +++ b/terraform/environments/oasys/locals_security_groups.tf 
@@ -37,16 +37,27 @@ locals { ]) ssh = ["10.0.0.0/8"] https_internal = flatten([ - module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, "10.0.0.0/8", + module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16" ]) https_external = flatten([ module.ip_addresses.azure_fixngo_cidrs.internet_egress, module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, - module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16" + module.ip_addresses.moj_cidr.vodafone_dia_networks, + module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate, module.ip_addresses.external_cidrs.cloud_platform, module.ip_addresses.azure_studio_hosting_public.prod, - "10.0.0.0/8" + "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed + module.ip_addresses.external_cidrs.sodeco, + module.ip_addresses.external_cidrs.interserve, + module.ip_addresses.external_cidrs.meganexus, + module.ip_addresses.external_cidrs.serco, + module.ip_addresses.external_cidrs.rrp, + module.ip_addresses.external_cidrs.eos, + module.ip_addresses.external_cidrs.oasys_sscl, + module.ip_addresses.external_cidrs.dtv, + module.ip_addresses.external_cidrs.nps_wales, + module.ip_addresses.external_cidrs.dxw, ]) https_external_monitoring = flatten([ module.ip_addresses.mp_cidrs.live_eu_west_nat, 
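Review bot: The two hard-coded /32 entries added to `https_external` carry the comment `# infra_ip.j5_phones - probably not needed`, so this hunk adds sources to what is presumably the external HTTPS allow list while the author already doubts they are required; the same line is kept in the `@@ -80,14 +91,11 @@` hunk. An allow-list entry should have a known owner and purpose: either confirm the addresses and move them into the `ip_addresses` module under a named key, or leave them out of this list. The enclosing `locals` map starts outside the hunk.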
@@ -80,14 +91,11 @@ locals { https_external = flatten([ module.ip_addresses.azure_fixngo_cidrs.internet_egress, module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, - module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16" module.ip_addresses.moj_cidr.vodafone_dia_networks, module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate, module.ip_addresses.external_cidrs.cloud_platform, module.ip_addresses.azure_studio_hosting_public.prod, - "35.177.125.252/32", "35.177.137.160/32", # trusted_appgw_external_client_ips infra_ip.j5_phones - "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", # Azure Landing Zone Egress - "195.59.75.0/24", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", # dom1_eucs_ras + "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed module.ip_addresses.external_cidrs.sodeco, module.ip_addresses.external_cidrs.interserve, module.ip_addresses.external_cidrs.meganexus, @@ -226,14 +234,11 @@ locals { self = true } http8080 = { - description = "Allow http8080 ingress" - from_port = 0 - to_port = 8080 - protocol = "tcp" - cidr_blocks = flatten([ - local.security_group_cidrs.https_internal, - local.security_group_cidrs.https_external, - ]) + description = "Allow http8080 ingress" + from_port = 0 + to_port = 8080 + protocol = "tcp" + cidr_blocks = local.security_group_cidrs.https_internal security_groups = ["private_lb", "public_lb"] } } diff --git a/terraform/modules/ip_addresses/external.tf b/terraform/modules/ip_addresses/external.tf index 58387cb00f3..d75a7732a77 100644 --- a/terraform/modules/ip_addresses/external.tf +++ b/terraform/modules/ip_addresses/external.tf @@ -30,7 +30,11 @@ locals { "49.248.250.6/32" ] serco = [ - "217.22.14.0/24" + "217.22.14.0/24", + "18.135.54.44/32", + "18.175.105.241/32", + "35.177.142.157/32", + "128.77.110.45/32", ] rrp = [ "62.253.83.37/32" 
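Review bot: In the `http8080` rule (hunk `@@ -226,14 +234,11 @@`) the new side still has `from_port = 0` with `to_port = 8080`, which opens every TCP port from 0 to 8080 rather than the single port the description "Allow http8080 ingress" names. Narrowing `cidr_blocks` to `https_internal` reduces who can reach the range, but the range still covers ports such as 22 and 3389 for those sources and for the `private_lb` and `public_lb` groups. If only 8080 is meant, the line should read `from_port = 8080`; if the wide range is deliberate, the description should say so. The enclosing security group definition starts outside the hunk.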
diff --git a/terraform/modules/ip_addresses/moj.tf b/terraform/modules/ip_addresses/moj.tf index f880ce0d7c1..0016980e68e 100644 --- a/terraform/modules/ip_addresses/moj.tf +++ b/terraform/modules/ip_addresses/moj.tf @@ -27,7 +27,6 @@ locals { mojo_arkf_internet_egress_exponential_e = "51.149.249.32/29" mojo_arkf_internet_egress_vodafone = "194.33.248.0/29" - ark_dc_external_internet = [ "195.59.75.0/24", "194.33.192.0/25", @@ -42,7 +41,7 @@ locals { "194.33.218.0/24" ] - digital_prisons = [ + mojo_azure_landing_zone_egress = [ "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", @@ -53,7 +52,6 @@ locals { palo_alto_primsa_access_third_party = "128.77.75.0/25" palo_alto_primsa_access_residents = "128.77.75.128/26" - ark_dc_external_internet = [ "195.59.75.0/24", "194.33.192.0/25", @@ -92,6 +90,7 @@ locals { local.moj_cidr.mojo_arkf_internet_egress_exponential_e, local.moj_cidr.mojo_arkf_internet_egress_vodafone, local.moj_cidr.ark_dc_external_internet, + local.moj_cidr.mojo_azure_landing_zone_egress ]) trusted_moj_enduser_internal = [ From 2a3b9cf74580817fe7f4732831f82edfe5f277bd Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 22 Nov 2024 10:26:43 +0000 Subject: [PATCH 273/308] Update_221124_1 --- .../ppud/cloudwatch_alarms_windows.tf | 4 +- terraform/environments/ppud/security_group.tf | 155 ++++++++++++++++++ 2 files changed, 157 insertions(+), 2 deletions(-) diff --git a/terraform/environments/ppud/cloudwatch_alarms_windows.tf b/terraform/environments/ppud/cloudwatch_alarms_windows.tf index 91df665a47d..0f428cdb999 100644 --- a/terraform/environments/ppud/cloudwatch_alarms_windows.tf +++ b/terraform/environments/ppud/cloudwatch_alarms_windows.tf 
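Review bot: Appending `local.moj_cidr.mojo_azure_landing_zone_egress` to this flattened list (last hunk, `@@ -92,6 +90,7 @@`) widens every security group that consumes the aggregate, not only the OASys ones this change is about; the list's name is outside the hunk, so its consumers cannot be seen here. It is worth confirming that each consumer should admit the Azure landing zone egress addresses and that none is pushed over its rule limit by four more /32 entries. A one-line comment on the new element, for example `# Azure landing zone egress, previously listed inline in oasys`, would record why it sits in the shared list. The new element also lacks the trailing comma the other entries have.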
@@ -277,9 +277,9 @@ resource "aws_cloudwatch_metric_alarm" "low_disk_space_H_volume_rgvw027" { namespace = "CWAgent" period = "60" statistic = "Average" - threshold = "5" + threshold = "3" treat_missing_data = "notBreaching" - alarm_description = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 5% for 5 minutes, the alarm will trigger" + alarm_description = "This metric monitors the amount of free disk space on the instance. If the amount of free disk space falls below 3% for 5 minutes, the alarm will trigger" alarm_actions = [aws_sns_topic.cw_alerts[0].arn] dimensions = { InstanceId = "i-00cbccc46d25e77c6" diff --git a/terraform/environments/ppud/security_group.tf b/terraform/environments/ppud/security_group.tf index c341c214913..dfb37a7ffc7 100644 --- a/terraform/environments/ppud/security_group.tf +++ b/terraform/environments/ppud/security_group.tf 
@@ -416,6 +416,84 @@ resource "aws_security_group_rule" "Primary-DOC-Server-Egress-2" { } +resource "aws_security_group" "Live-DOC-Server" { + count = local.is-preproduction == false ? 1 : 0 + vpc_id = data.aws_vpc.shared.id + name = "Live-DOC-Server" + description = "Live-DOC-Server for DEV & PROD" + + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}" + } +} + +resource "aws_security_group_rule" "Live-DOC-Server-Ingress" { + description = "Rule to allow port 80 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Live-DOC-Server-Ingress-1" { + description = "Rule to allow port 445 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 445 + to_port = 445 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Live-DOC-Server-Ingress-2" { + description = "Rule to allow port 3389 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Live-DOC-Server-Egress" { + description = "Rule to allow all traffic outbound" + count = local.is-preproduction == false ? 1 : 0 + type = "egress" + from_port = 0 + to_port = 0 + protocol = "all" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Live-DOC-Server-Egress-1" { + description = "Rule to allow port 443 traffic outbound" + count = local.is-preproduction == false ? 
1 : 0 + type = "egress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Live-DOC-Server-Egress-2" { + description = "Rule to allow port 80 traffic outbound" + count = local.is-preproduction == false ? 1 : 0 + type = "egress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.Live-DOC-Server[0].id +} + + resource "aws_security_group" "Secondary-DOC-Server" { count = local.is-preproduction == false ? 1 : 0 vpc_id = data.aws_vpc.shared.id 
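Review bot: The `Live-DOC-Server-Ingress-1` and `Live-DOC-Server-Ingress-2` rules admit SMB (445) and RDP (3389) from `data.aws_vpc.shared.cidr_block`, so any host in the shared VPC can reach the file-share and remote-desktop ports of this server; the `Archive-DOC-Server` rules in the `@@ -493,6 +571,83 @@` hunk repeat the same pattern. Restricting these two rules to the groups that actually need them, e.g. `source_security_group_id = aws_security_group.<ADMIN_SG_PLACEHOLDER>[0].id` in place of `cidr_blocks`, would keep lateral movement inside the VPC from reaching RDP and SMB. `Live-DOC-Server-Egress-2` also allows plain HTTP to `0.0.0.0/0`; if it is only there for OS updates, a comment saying so, or removing it in favour of the 443 rule, would help the next reviewer. The `Name` tag is `${var.networking[0].business-unit}-${local.environment}` on every group, which does not identify the group in the console.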
@@ -493,6 +571,83 @@ resource "aws_security_group_rule" "Secondary-DOC-Server-Egress-2" { security_group_id = aws_security_group.Secondary-DOC-Server[0].id } +resource "aws_security_group" "Archive-DOC-Server" { + count = local.is-preproduction == false ? 1 : 0 + vpc_id = data.aws_vpc.shared.id + name = "Archive-DOC-Server" + description = "Archive-DOC-Server for DEV & PROD" + + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}" + } +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Ingress" { + description = "Rule to allow port 80 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Ingress-1" { + description = "Rule to allow port 445 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 445 + to_port = 445 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Ingress-2" { + description = "Rule to allow port 3389 traffic inbound" + count = local.is-preproduction == false ? 1 : 0 + type = "ingress" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Egress" { + description = "Rule to allow all traffic outbound" + count = local.is-preproduction == false ? 
1 : 0 + type = "egress" + from_port = 0 + to_port = 0 + protocol = "all" + cidr_blocks = [data.aws_vpc.shared.cidr_block] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Egress-1" { + description = "Rule to allow port 443 traffic outbound" + count = local.is-preproduction == false ? 1 : 0 + type = "egress" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + +resource "aws_security_group_rule" "Archive-DOC-Server-Egress-2" { + description = "Rule to allow port 80 traffic outbound" + count = local.is-preproduction == false ? 1 : 0 + type = "egress" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + security_group_id = aws_security_group.Archive-DOC-Server[0].id +} + resource "aws_security_group" "PPUD-Database-Server" { count = local.is-development == true ? 1 : 0 vpc_id = data.aws_vpc.shared.id From 3a7664f924a5a008a070780045d4c9b98e9978ce Mon Sep 17 00:00:00 2001 From: Matthew Price Date: Fri, 22 Nov 2024 11:25:52 +0000 Subject: [PATCH 274/308] elm-3069 Refactor of landing buckets (#8751) * Refactor module so landing bucket move lambda is distinct for each landing bucket * Add lambda image name --- .../electronic-monitoring-data/lambdas_iam.tf | 52 ----------- .../lambdas_main.tf | 19 ---- .../modules/landing_bucket/main.tf | 87 ++++++++++++++++++- .../modules/landing_bucket/variables.tf | 14 ++- .../electronic-monitoring-data/s3.tf | 52 +++++++---- 5 files changed, 130 insertions(+), 94 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf index 2f80712abc1..b452ed71980 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_iam.tf +++ b/terraform/environments/electronic-monitoring-data/lambdas_iam.tf 
@@ -492,58 +492,6 @@ resource "aws_iam_role" "rotate_iam_keys" { assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json } -#----------------------------------------------------------------------------------- -# Process landing bucket files -#----------------------------------------------------------------------------------- - -resource "aws_iam_role" "process_landing_bucket_files" { - name = "process_landing_bucket_files" - assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json -} - -data "aws_iam_policy_document" "process_landing_bucket_files_s3_policy_document" { - statement { - sid = "S3PermissionsForLandingBuckets" - effect = "Allow" - actions = [ - "s3:PutObjectTagging", - "s3:GetObject", - "s3:GetObjectTagging", - "s3:DeleteObject" - ] - resources = [ - "${module.s3-fms-general-landing-bucket.bucket_arn}/*", - "${module.s3-fms-specials-landing-bucket.bucket_arn}/*", - "${module.s3-mdss-general-landing-bucket.bucket_arn}/*", - "${module.s3-mdss-ho-landing-bucket.bucket_arn}/*", - "${module.s3-mdss-specials-landing-bucket.bucket_arn}/*", - ] - } - - statement { - sid = "S3PermissionsForReceivedFilesBucket" - effect = "Allow" - actions = [ - "s3:PutObject", - "s3:PutObjectTagging" - ] - resources = [ - "${module.s3-received-files-bucket.bucket.arn}/*", - ] - } -} - -resource "aws_iam_policy" "process_landing_bucket_files_s3" { - name = "process-landing-bucket-files-s3-policy" - description = "Policy for Lambda to create presigned url for unzipped file from S3" - policy = data.aws_iam_policy_document.process_landing_bucket_files_s3_policy_document.json -} - -resource "aws_iam_role_policy_attachment" "process_landing_bucket_files_s3_policy_policy_attachment" { - role = aws_iam_role.process_landing_bucket_files.name - policy_arn = aws_iam_policy.process_landing_bucket_files_s3.arn -} - #----------------------------------------------------------------------------------- # Virus scanning - definition upload 
#----------------------------------------------------------------------------------- diff --git a/terraform/environments/electronic-monitoring-data/lambdas_main.tf b/terraform/environments/electronic-monitoring-data/lambdas_main.tf index f45cebed9a6..df247af5d39 100644 --- a/terraform/environments/electronic-monitoring-data/lambdas_main.tf +++ b/terraform/environments/electronic-monitoring-data/lambdas_main.tf @@ -254,25 +254,6 @@ module "rotate_iam_key" { production_dev = local.is-production ? "prod" : "dev" } -#----------------------------------------------------------------------------------- -# Process landing bucket files -#----------------------------------------------------------------------------------- - -module "process_landing_bucket_files" { - source = "./modules/lambdas" - function_name = "process_landing_bucket_files" - is_image = true - role_name = aws_iam_role.process_landing_bucket_files.name - role_arn = aws_iam_role.process_landing_bucket_files.arn - memory_size = 1024 - timeout = 900 - core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] - production_dev = local.is-production ? "prod" : "dev" - environment_variables = { - DESTINATION_BUCKET = module.s3-received-files-bucket.bucket.id - } -} - #----------------------------------------------------------------------------------- # Virus scanning - definition upload #----------------------------------------------------------------------------------- diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf index 3c5c67d8f07..e037ec81188 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf 
@@ -77,10 +77,14 @@ module "this-bucket" { ) } +#----------------------------------------------------------------------------------- +# Process landing bucket files - lambda triggers +#----------------------------------------------------------------------------------- + resource "aws_lambda_permission" "allow_bucket" { statement_id = "AllowExecutionFromS3Bucket-${var.data_feed}-${var.order_type}" action = "lambda:InvokeFunction" - function_name = var.s3_trigger_lambda_arn + function_name = module.process_landing_bucket_files.lambda_function_arn principal = "s3.amazonaws.com" source_arn = module.this-bucket.bucket.arn } 
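Review bot: `aws_lambda_permission.allow_bucket` lets `s3.amazonaws.com` invoke the function with only `source_arn` as a condition, and an S3 bucket ARN carries no account id. If the bucket were ever deleted and its name re-created in another account, that account's bucket could trigger the Lambda, which now holds read, tag and delete rights on the landing bucket and write rights on the received-files bucket. Adding `source_account = data.aws_caller_identity.current.account_id` (or an account id passed into the module, if that data source is not declared here) closes this.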
@@ -89,9 +93,88 @@ resource "aws_s3_bucket_notification" "bucket_notification" { bucket = module.this-bucket.bucket.id lambda_function { - lambda_function_arn = var.s3_trigger_lambda_arn + lambda_function_arn = module.process_landing_bucket_files.lambda_function_arn events = ["s3:ObjectCreated:*"] } depends_on = [aws_lambda_permission.allow_bucket] } + +#----------------------------------------------------------------------------------- +# Process landing bucket files - lambda +#----------------------------------------------------------------------------------- + +module "process_landing_bucket_files" { + source = "../lambdas" + function_name = "process_landing_bucket_files_${var.data_feed}_${var.order_type}" + image_name = "process_landing_bucket_files" + is_image = true + role_name = aws_iam_role.process_landing_bucket_files.name + role_arn = aws_iam_role.process_landing_bucket_files.arn + memory_size = 1024 + timeout = 900 + core_shared_services_id = var.core_shared_services_id + production_dev = var.production_dev + environment_variables = { + DESTINATION_BUCKET = var.received_files_bucket_id + } +} + +#----------------------------------------------------------------------------------- +# Process landing bucket files - lambda IAM role and policy +#----------------------------------------------------------------------------------- + +resource "aws_iam_role" "process_landing_bucket_files" { + name = "process_landing_bucket_files_${var.data_feed}_${var.order_type}" + assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json +} + +data "aws_iam_policy_document" "process_landing_bucket_files_s3_policy_document" { + statement { + sid = "S3PermissionsForLandingBuckets" + effect = "Allow" + actions = [ + "s3:PutObjectTagging", + "s3:GetObject", + "s3:GetObjectTagging", + "s3:DeleteObject" + ] + resources = [ + "${module.this-bucket.bucket.arn}/*", + ] + } + + statement { + sid = "S3PermissionsForReceivedFilesBucket" + effect = "Allow" + actions = [ + 
"s3:PutObject", + "s3:PutObjectTagging" + ] + resources = [ + "arn:aws:s3:::${var.received_files_bucket_id}/*", + ] + } +} + +resource "aws_iam_policy" "process_landing_bucket_files_s3" { + name = "process_landing_bucket_files_s3_policy_${var.data_feed}_${var.order_type}" + description = "Policy for Lambda to process files in ${var.data_feed} ${var.order_type} landing bucket" + policy = data.aws_iam_policy_document.process_landing_bucket_files_s3_policy_document.json +} + +resource "aws_iam_role_policy_attachment" "process_landing_bucket_files_s3_policy_policy_attachment" { + role = aws_iam_role.process_landing_bucket_files.name + policy_arn = aws_iam_policy.process_landing_bucket_files_s3.arn +} + +data "aws_iam_policy_document" "lambda_assume_role" { + statement { + effect = "Allow" + principals { + type = "Service" + identifiers = ["lambda.amazonaws.com"] + } + actions = ["sts:AssumeRole"] + } +} diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf index ac72a17b0d2..1be92a4e491 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/variables.tf @@ -1,3 +1,8 @@ +variable "core_shared_services_id" { + description = "The core shared services id" + type = string +} + variable "cross_account_access_role" { description = "An object containing the cross account number and role name." type = object({ @@ -40,7 +45,12 @@ variable "order_type" { type = string } -variable "s3_trigger_lambda_arn" { - description = "The lambda arn used with s3 notification to be triggered on ObjectCreated*" +variable "production_dev" { + description = "The environment the lambda is being deployed to" + type = string +} + +variable "received_files_bucket_id" { + description = "The id of the bucket data will be moved to" type = string } 
diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index 03189aeaae2..aee27ac6c45 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -546,12 +546,15 @@ module "s3-data-bucket" { module "s3-fms-general-landing-bucket" { source = "./modules/landing_bucket/" - data_feed = "fms" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket - order_type = "general" - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + data_feed = "fms" + order_type = "general" + + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket + production_dev = local.is-production ? "prod" : "dev" + received_files_bucket_id = module.s3-received-files-bucket.bucket.id providers = { aws = aws @@ -561,11 +564,12 @@ module "s3-fms-general-landing-bucket" { module "s3-fms-general-landing-bucket-iam-user" { source = "./modules/landing_bucket_iam_user_access/" - data_feed = "fms" + data_feed = "fms" + order_type = "general" + landing_bucket_arn = module.s3-fms-general-landing-bucket.bucket_arn local_bucket_prefix = local.bucket_prefix local_tags = local.tags - order_type = "general" rotation_lambda = module.rotate_iam_key rotation_lambda_role_name = aws_iam_role.rotate_iam_keys.name } 
@@ -573,12 +577,15 @@ module "s3-fms-general-landing-bucket-iam-user" { module "s3-fms-specials-landing-bucket" { source = "./modules/landing_bucket/" - data_feed = "fms" - local_bucket_prefix = local.bucket_prefix - local_tags = local.tags - logging_bucket = module.s3-logging-bucket - order_type = "specials" - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + data_feed = "fms" + order_type = "specials" + + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] + local_bucket_prefix = local.bucket_prefix + local_tags = local.tags + logging_bucket = module.s3-logging-bucket + production_dev = local.is-production ? "prod" : "dev" + received_files_bucket_id = module.s3-received-files-bucket.bucket.id providers = { aws = aws @@ -588,11 +595,12 @@ module "s3-fms-specials-landing-bucket" { module "s3-fms-specials-landing-bucket-iam-user" { source = "./modules/landing_bucket_iam_user_access/" - data_feed = "fms" + data_feed = "fms" + order_type = "specials" + landing_bucket_arn = module.s3-fms-specials-landing-bucket.bucket_arn local_bucket_prefix = local.bucket_prefix local_tags = local.tags - order_type = "specials" rotation_lambda = module.rotate_iam_key rotation_lambda_role_name = aws_iam_role.rotate_iam_keys.name } @@ -607,11 +615,13 @@ module "s3-mdss-general-landing-bucket" { data_feed = "mdss" order_type = "general" + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] local_bucket_prefix = local.bucket_prefix local_tags = local.tags logging_bucket = module.s3-logging-bucket - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + production_dev = local.is-production ? "prod" : "dev" + received_files_bucket_id = module.s3-received-files-bucket.bucket.id providers = { aws = aws 
@@ -624,11 +634,13 @@ module "s3-mdss-ho-landing-bucket" { data_feed = "mdss" order_type = "ho" + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] local_bucket_prefix = local.bucket_prefix local_tags = local.tags logging_bucket = module.s3-logging-bucket - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + production_dev = local.is-production ? "prod" : "dev" + received_files_bucket_id = module.s3-received-files-bucket.bucket.id providers = { aws = aws @@ -641,11 +653,13 @@ module "s3-mdss-specials-landing-bucket" { data_feed = "mdss" order_type = "specials" + core_shared_services_id = local.environment_management.account_ids["core-shared-services-production"] cross_account_access_role = local.mdss_supplier_account_mapping[local.environment] local_bucket_prefix = local.bucket_prefix local_tags = local.tags logging_bucket = module.s3-logging-bucket - s3_trigger_lambda_arn = module.process_landing_bucket_files.lambda_function_arn + production_dev = local.is-production ? "prod" : "dev" + received_files_bucket_id = module.s3-received-files-bucket.bucket.id providers = { aws = aws From 8e05e7d187e83a0f0891d48056e348dbc3a1f67c Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 22 Nov 2024 11:26:00 +0000 Subject: [PATCH 275/308] TM-749: remove unused IPs in oasys whitelist (#8749) --- terraform/environments/oasys/locals_security_groups.tf | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/terraform/environments/oasys/locals_security_groups.tf b/terraform/environments/oasys/locals_security_groups.tf index 85f1c0467c6..3f274f4c8e1 100644 --- a/terraform/environments/oasys/locals_security_groups.tf +++ b/terraform/environments/oasys/locals_security_groups.tf 
@@ -12,9 +12,7 @@ locals { https_external = flatten([ module.ip_addresses.azure_fixngo_cidrs.internet_egress, module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, - module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16" module.ip_addresses.external_cidrs.cloud_platform, - module.ip_addresses.azure_studio_hosting_public.devtest, ]) https_external_monitoring = flatten([ module.ip_addresses.mp_cidrs.non_live_eu_west_nat, @@ -46,8 +44,6 @@ locals { module.ip_addresses.moj_cidr.vodafone_dia_networks, module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate, module.ip_addresses.external_cidrs.cloud_platform, - module.ip_addresses.azure_studio_hosting_public.prod, - "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed module.ip_addresses.external_cidrs.sodeco, module.ip_addresses.external_cidrs.interserve, module.ip_addresses.external_cidrs.meganexus, @@ -88,14 +84,14 @@ locals { "10.0.0.0/8", module.ip_addresses.moj_cidr.aws_cloud_platform_vpc, # "172.20.0.0/16" ]) + # NOTE: this is at the limit for the number of rules in a single SG + # Always test changes in preproduction first https_external = flatten([ module.ip_addresses.azure_fixngo_cidrs.internet_egress, module.ip_addresses.moj_cidrs.trusted_moj_digital_staff_public, module.ip_addresses.moj_cidr.vodafone_dia_networks, module.ip_addresses.moj_cidr.palo_alto_primsa_access_corporate, module.ip_addresses.external_cidrs.cloud_platform, - module.ip_addresses.azure_studio_hosting_public.prod, - "35.177.125.252/32", "35.177.137.160/32", # infra_ip.j5_phones - probably not needed module.ip_addresses.external_cidrs.sodeco, module.ip_addresses.external_cidrs.interserve, module.ip_addresses.external_cidrs.meganexus, From 381485ebc7169e7e8e0916d9143da9c4aff09fa0 Mon Sep 17 00:00:00 2001 
From: Matthew Price Date: Fri, 22 Nov 2024 11:38:31 +0000 Subject: [PATCH 276/308] update mdss test transfer role (#8722) * update mdss test transfer role * updated preprod role * add decrypt to bucket policy * remove kms --- .../modules/landing_bucket/main.tf | 2 +- terraform/environments/electronic-monitoring-data/s3.tf | 9 ++++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf index e037ec81188..1438a386f02 100644 --- a/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf +++ b/terraform/environments/electronic-monitoring-data/modules/landing_bucket/main.tf @@ -61,7 +61,7 @@ module "this-bucket" { effect = "Allow" actions = [ "s3:PutObject", - "s3:PutObjectAcl" + "s3:PutObjectAcl", ] principals = { identifiers = ["arn:aws:iam::${var.cross_account_access_role.account_number}:role/${var.cross_account_access_role.role_name}"] diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index aee27ac6c45..b9d23c5236b 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -5,13 +5,16 @@ locals { "production" = null "preproduction" = { "account_number" = 173142358744 - "role_name" = "juniper-dt-lambda-role" + "role_name" = "juniper-datatransfer-lambda-role" } "test" = { "account_number" = 173142358744 - role_name = "dev-dt-lambda-role" + "role_name" = "dev-datatransfer-lambda-role" + } + "development" = { + "account_number" = 173142358744 + "role_name" = "dev-datatransfer-lambda-role" } - "development" = null } } From 4708fee2e507f243b2f593c3a709e991aaa536c8 Mon Sep 17 00:00:00 2001 
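Review bot: In the `s3.tf` hunk, `development` changes from `null` to the same account and role as `test` (`dev-datatransfer-lambda-role`), so a single role in an external account gets the `s3:PutObject` and `s3:PutObjectAcl` grant in the landing bucket policy of both environments. If that is intended, a comment such as `# supplier dev transfer role feeds both development and test` would make it explicit; if not, development should keep its own role or stay `null`. The account id is repeated three times as a bare number; holding it once as a quoted string in a local avoids drift, and a string also survives an id with a leading zero, assuming the module's `account_number` field accepts a string (its type is not visible here).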
From: dms1981 Date: Fri, 22 Nov 2024 12:02:01 +0000 Subject: [PATCH 277/308] removed misplaced zip files from xhibit portal (#8742) --- .../xhibit-portal/lambda/delete_old_ami.zip | Bin 902 -> 0 bytes .../xhibit-portal/lambda/lambda_function.zip | Bin 902 -> 0 bytes 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 terraform/environments/xhibit-portal/lambda/delete_old_ami.zip delete mode 100644 terraform/environments/xhibit-portal/lambda/lambda_function.zip 
diff --git a/terraform/environments/xhibit-portal/lambda/delete_old_ami.zip b/terraform/environments/xhibit-portal/lambda/delete_old_ami.zip deleted file mode 100644 index cf75e6c2d27391f6b1cc975dcdbed41f7ac6633a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 902 zcmWIWW@Zs#-~d7f2E{HQ0SAIWR!VA4YDsE*eojh!Vs55hLFJhc-~7jB0(*al^GL8v zV|35GJUdXfX^C!40k?^3bpUI#n7f%^r-(&~%;6LD`acv;#?R*6F#W3{<4N=UduLvp z<^9vW;qj@as|p+3x))?K?wM#m;gN3c7F7-2qHdJ8E?D_Qm}eJhuBZw*U()@m>9 ztx_kKT|IWlEBf!}j|;D`xlg^w%aM2S6r19{vgevR_A_OlW`A())Gp?2cLZi#%uw0T zRXJUHolCFU!SIkWuBBmO_ur(LF)?h2`e2(<+ZOUN*65@EyR4U?DU8#0&3<>$)G=#o zNx7k2!+W;g&Ii?}>UQntH%!$Hj6C7=G}A(j=XA9g!`g}O9wi#K-%rWC=&`l!+6$r1 z1|9QtySGnS_Oia~;M8!Z{6CqX^!AEQEjIW zynp({Dq`CitDbD!bewmZzTcI@Np{Ot?7F1p;J9k@7t7hzd|@ql)s3NZf?oYswNpy( zfA@G|lx<=6ni)sp4(l(UE0@s}qkkgM%UW%Ey>|uE#4erir^jVGCA|Ec?&|k6Zu)cJ z-vi!Fk_PL)`*E4Ee&b)i-6Mysa?PRX*5Ye4?sW@qI=ONcS60Z$)*W;HwzfRGTHX|4 z*r?MipDw=1Y5LLzo^!(S32Sf03pv(GvXqgR4I?z(2p|3d7w=Brh*yZ_8p-F+eT^!1>^)n`B4T>tTfRpMUm zj0YZ%t@+k|d!3}$*7`8MjrD@t|M)aHwU-68fk8iK%;CM&eRHR$)fVBo8`8Hk{-4IX z>HJ#uj=3CemXEuZ@7!VZ|9tc^`9F$kzgA`55%?Xa-rS=jRKvbbvg?=I>p$`g4FCTJ zc(ZeaDgSK$#Kgd04$LJ1-i%Bl%!n+5ECYJ z#Fj}`{F0v=a~7uzUsU({n_l#vlU}RyrMm(gzo1vTFYXP zb+M>1VCAd#2NMn$G|%a3x%hRO*R;ia1^t)$6hkjP>XvO~W?)z?QQNwr(Qj!LpIh8h zm+bd;T4$H}3H7kW&DPXiVS7z_wXr(KiGVY0Ic9%mPg%Dms4Q1S_e@wMv*4ONH*6o3 zOjZehxnH=gdfuZWSDikeJUvbQPFQ?O4WDE8qJGQiGna+e3b@VablmHHm;LC9rJSZW z*eBZ+UOay9deKexM*Wx5PVxThZ@Q#@Z}mmas~Q`g8+aRW&&u0rb9dK`|GFmA%@oYN zynJ-0OK;$Mm$y#q+)_*TOhqm6w5U2Zmdm#m9Qwa>3hR7^D?FurD;@-7OkHG{pmSAB zGJxCJc&^|7i7ajN!_q?XSrhsWxjy?O{QmH=S4JhN7FkE6d>1Y$86AD!ruXmzo)0}$Z_{|Z~LD8 zIXn53ubR^By)PVktio={=WU2CVGn#;(q*upb*gFZ-raEyp3^7GojN>!tGeK!-S=Pc z8%g~UXJGjMKfs%vV^#5!CoI4u`k0e}A;6oFNrV}ZcaY^kc?SlzHG){MoD|^A$_C;y O0-+g@wgQ^QzyJW_4T&xQ From f8248c54094450e3aeb0ddf6f7247edd9bf67b63 Mon Sep 17 00:00:00 2001 
From: Tom Webber Date: Fri, 22 Nov 2024 12:11:05 +0000 Subject: [PATCH 278/308] feat: add cadet assumable role for apdp->apc-prod metadata copy to glue (and table partition repair) --- .../iam-policies.tf | 70 +++++++++++++++++++ .../analytical-platform-compute/iam-roles.tf | 20 ++++++ 2 files changed, 90 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 84721171ddb..9885f6511c0 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf 
@@ -349,3 +349,73 @@ module "data_production_mojap_derived_bucket_lake_formation_policy" { tags = local.tags } + +data "aws_iam_policy_document" "analytical_platform_cadet_runner_compute_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + statement { + sid = "AthenaAccess" + effect = "Allow" + actions = [ + "athena:List*", + "athena:Get*", + "athena:StartQueryExecution", + "athena:StopQueryExecution" + ] + resources = [ + "arn:aws:athena:eu-west-2:${data.aws_caller_identity.current.account_id}:datacatalog/*", + "arn:aws:athena:eu-west-2:${data.aws_caller_identity.current.account_id}:workgroup/*" + ] + } + statement { + sid = "GlueAccess" + effect = "Allow" + actions = [ + "glue:Get*", + "glue:DeleteTable", + "glue:DeleteTableVersion", + "glue:DeleteSchema", + "glue:DeletePartition", + "glue:DeleteDatabase", + "glue:UpdateTable", + "glue:UpdateSchema", + "glue:UpdatePartition", + "glue:UpdateDatabase", + "glue:CreateTable", + "glue:CreateSchema", + "glue:CreatePartition", + "glue:CreatePartitionIndex", + "glue:BatchCreatePartition", + "glue:CreateDatabase" + ] + resources = [ + "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:schema/*", + "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:database/*", + "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:table/*/*", + "arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:catalog" + ] + } + statement { + effect = "Allow" + actions = [ + "glue:GetTable", + "glue:GetDatabase", + "glue:GetPartition" + ] + resources = ["arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:*"] + } +} + +module "analytical_platform_cadet_runner_compute_policy" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + 
source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "5.48.0" + + name_prefix = "analytical-platform-cadet-runner-compute-policy" + + policy = data.aws_iam_policy_document.analytical_platform_cadet_runner_compute_policy.json + + tags = local.tags +} diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 6bf418383fa..65109f912bb 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -373,3 +373,23 @@ module "lake_formation_to_data_production_mojap_derived_tables_role" { tags = local.tags } + +module "analytical_platform_cadet_runner" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.48.0" + + allow_self_assume_role = false + trusted_role_arns = ["arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/create-a-derived-table"] + create_role = true + role_requires_mfa = false + role_name = "analytical-platform-cadet-runner-assumable" + + custom_role_policy_arns = [ + module.analytical_platform_lake_formation_share_policy.arn, + "arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager" + ] + number_of_custom_role_policy_arns = 2 + +} \ No newline at end of file From 8aaaa15bc75affc35690df4ae9fd39bb9bb645ab Mon Sep 17 00:00:00 2001 From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 22 Nov 2024 12:19:46 +0000 Subject: [PATCH 279/308] Add FMS data loading module to Airflow IAM configuration (#8740) --- .../environments/electronic-monitoring-data/ap_airflow_iam.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
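Review bot: The unnamed third statement in `analytical_platform_cadet_runner_compute_policy` repeats read access that `GlueAccess` already grants through `glue:Get*`, and does so on the wider resource `arn:aws:glue:eu-west-2:${data.aws_caller_identity.current.account_id}:*`, so the effective read scope is broader than the four ARNs listed in `GlueAccess` suggest. Either drop that statement, or give it a `sid` and a comment naming the Glue resource type that needs the wider pattern. `GlueAccess` also allows `glue:DeleteDatabase` and `glue:DeleteTable` on `database/*` and `table/*/*`; if the runner only writes to a known set of databases, listing them in `resources` would limit what a misused session of the trusted role can drop. The two `#checkov:skip` lines inside the `data` block are about module versions and look copied from a module block, so they can be removed.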
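Review bot: `module "analytical_platform_cadet_runner"` passes no `tags`, while the module directly above it in the context lines ends with `tags = local.tags`; adding `tags = local.tags` keeps the new role labelled like its neighbours. A one-line comment next to `role_requires_mfa = false` saying that the trusted `create-a-derived-table` principal is a workload role (presumably; confirm) would record why MFA is off for a cross-account trust. The file also now ends without a trailing newline.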
diff --git a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf index 39ef390469f..95995067e04 100644 --- a/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf +++ b/terraform/environments/electronic-monitoring-data/ap_airflow_iam.tf @@ -199,11 +199,11 @@ module "load_unstructured_atrium_database" { } -module "load_fms_database" { +module "load_fms" { count = local.is-test ? 1 : 0 source = "./modules/ap_airflow_load_data_iam_role" - name = "serco-fms-database" + name = "fms" environment = local.environment database_name = "serco-fms" path_to_data = "/serco/fms" From cdfb9cc116cf792c3d69ed3d7cc09f14dc88a599 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 12:31:07 +0000 Subject: [PATCH 280/308] fix: role policy arn --- .../analytical-platform-compute/iam-roles.tf | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 65109f912bb..5ee13c920ed 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -386,10 +386,7 @@ module "analytical_platform_cadet_runner" { role_requires_mfa = false role_name = "analytical-platform-cadet-runner-assumable" - custom_role_policy_arns = [ - module.analytical_platform_lake_formation_share_policy.arn, - "arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager" - ] - number_of_custom_role_policy_arns = 2 + custom_role_policy_arns = [module.analytical_platform_cadet_runner_compute_policy.arn] + # number_of_custom_role_policy_arns = 1 -} \ No newline at end of file +} From 47836e8b94cb4c90a5edc573f1d4a849b4c67a52 Mon Sep 17 00:00:00 2001 
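Review bot: The commented-out `# number_of_custom_role_policy_arns = 1` in `module "analytical_platform_cadet_runner"` should be either deleted or restored as a live argument rather than left as dead configuration. If the plan works without it, removing the line is enough. If it was needed because the policy ARN is unknown at plan time, keep it uncommented with a short comment saying so.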
From: matt-heery <116661071+matt-heery@users.noreply.github.com> Date: Fri, 22 Nov 2024 12:33:51 +0000 Subject: [PATCH 281/308] EM: Share with cloud platform (#8615) * making oidc conditional * initial cloud platform sharing account * star database * reference new ap-lakeformation build * fix variable reference * add tags and update role name * update module commit * comment out not working module for testing --------- Co-authored-by: Matthew Price --- .../cloud_platform_share.tf | 38 ++++++++++++++++++ .../glue-job/glue_data_validation_lib.zip | Bin 0 -> 5870 bytes .../lambdas/create_athena_table.zip | Bin 0 -> 934 bytes .../lambdas/get_file_keys_for_table.zip | Bin 0 -> 1369 bytes .../lambdas/query_output_to_list.zip | Bin 0 -> 309 bytes .../lambdas/send_table_to_ap.zip | Bin 0 -> 1732 bytes 6 files changed, 38 insertions(+) create mode 100644 terraform/environments/electronic-monitoring-data/cloud_platform_share.tf create mode 100644 terraform/environments/electronic-monitoring-data/glue-job/glue_data_validation_lib.zip create mode 100644 terraform/environments/electronic-monitoring-data/lambdas/create_athena_table.zip create mode 100644 terraform/environments/electronic-monitoring-data/lambdas/get_file_keys_for_table.zip create mode 100644 terraform/environments/electronic-monitoring-data/lambdas/query_output_to_list.zip create mode 100644 terraform/environments/electronic-monitoring-data/lambdas/send_table_to_ap.zip diff --git a/terraform/environments/electronic-monitoring-data/cloud_platform_share.tf b/terraform/environments/electronic-monitoring-data/cloud_platform_share.tf new file mode 100644 index 00000000000..0d5549a7a05 --- /dev/null +++ b/terraform/environments/electronic-monitoring-data/cloud_platform_share.tf 
@@ -0,0 +1,38 @@
+module "cmt_front_end_assumable_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+ #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+
+ trusted_role_arns = [
+ "arn:aws:iam::754256621582:root"
+ ]
+
+ create_role = true
+
+ role_name = "cmt_read_emds_data_${local.environment_shorthand}"
+
+ tags = local.tags
+}
+
+# module "share_api_data_marts" {
+# #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+# #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+# source = "github.com/ministryofjustice/terraform-aws-analytical-platform-lakeformation?ref=32525da937012178e430585ac5a00f05193f58eb"
+# data_locations = [{
+# data_location = module.s3-create-a-derived-table-bucket.bucket.arn
+# register = true
+# share = true
+# hybrid_mode = false # will be managed exclusively in LakeFormation
+# principal = module.cmt_front_end_assumable_role.iam_role_arn
+# }]
+
+# databases_to_share = [{
+# name = "api_data_marts"
+# principal = module.cmt_front_end_assumable_role.iam_role_arn
+# }]
+
+# providers = {
+# aws.source = aws
+# aws.destination = aws
+# }
+# }
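Review bot: `trusted_role_arns` trusts `arn:aws:iam::754256621582:root`, which delegates the decision to that account: any principal there that is granted `sts:AssumeRole` on this role can take it, so naming the specific consumer role ARN keeps the trust to one identity. The block also has no `version`, so the registry module floats to the latest release even though the `#checkov:skip` comments are about version pinning; the other uses of this registry module in the patch series pin `version = "5.48.0"`. `role_requires_mfa` is not set, and as far as I know this module defaults it to true, so if the caller is a service rather than a person it needs `role_requires_mfa = false` with a comment saying why. The account id would read better as a named local than as a bare literal, and the commented-out `share_api_data_marts` module would be better tracked in an issue than committed as a comment block.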
diff --git a/terraform/environments/electronic-monitoring-data/glue-job/glue_data_validation_lib.zip b/terraform/environments/electronic-monitoring-data/glue-job/glue_data_validation_lib.zip new file mode 100644 index 0000000000000000000000000000000000000000..3bf9af0773048c7d2bd441b72ae02da0566ee517 GIT binary patch literal 5870 zcmaKwbyO5yo5#sPS|r7BKsp8(N`?;U?yjM`y98utWoU5dQh^Z>X^?J^7KV@-N>W-8 zSbk^s-Sh6Av-{k8?)~0#zR&Z={o}?*TMZYF3hTjr!@_!&ct8Ai5Z@~+D`yX9KPxL< zuV8E}th+mHHG+SPSor_t(*8fQpWHhf-TdvX>|lN{s{ojr^SyBP^ssVswz;piFS+Qm z2+caWO%&WG&=C}{9cU%5;%Qc_#qA}BRx!g%BQGZ~)y9G6WQNk64I4ZhAIo;b zUd3mTP53;OU$A`qjAF>Qr>l8QF6U|lV$&I)l9IOKr!ZYuhk!dODM`x^HJGMZW5;(d zV|JWCa4E2nUqXo$n4N?!!hsW$Bi)7=XJHH}A?EA1?`*V8Cidc#{nMug1H>1PJlJI7 zf_#@C11fe$`qc9JKXj|_U3cg5 zg;M}BiX$fvDX@+QE>>TMhx&>{f%0w_(Yb%FT!aeFlxSaE_XGtINJ0>M>75hNB!?d( z(quGu%%r?a5V5}f<(zP02 zgnIdR*_$T~{B_}fRIS`;Y60DqN%}K*db0R;E*U(91kRCeNTSc5bSlU$j`I6s$(8|Y}W&z!f7Q0DFPv1zNzVC(vrd6{p{(o<8YWErz zV!3c_pk15NjV11H@P5oX*^vK9mzo=#|N52QH&b0u=qry*@+qe^zqGWF)*;Oco<%#&O!y+hG5tR=gAZgb~kPF5J> zb*9(^cTf&mv%u`a@uxBQAZgF00^R5k)0>CyTpM^2bDfoIyo|6<5~eTPCMarnfJM1+ z7Nxj=BpbIc_Mx=RfpS{s2I*piTAB|-xXM@y(E5pBLW`BQaBi?U+|1e`bj>D;xh}l7 zXY|)x)0>FMMXmHe5$2|*!<2!E^&c0FT}a~Vbq67OOZAT)iagNRHK*fQV+Ze&(LuMs z6rrw?M>^omn+6WuBx9^4kX^tuqDTo&W;mvO;ZjvPwV)CkY%cJ_>&Lt+-yE zg0eq?BBYkVi|@3X9oSB|(YYD;%O`iGxD#&p@Vb$c#yyHb4*( zbUUirqy>W5fx9Rqy7aYit;w6XXq4on9H1^e(s#dBIJNL(_c!99PgkSf;ll7t&Qu5Q zP8sgfeYT%X_F4PT$nKAO_4+@AYf&*Jn;WllWPc=W_k}2&!ul7<2N?C4j~0$qi&J4b z9~^1NyBbtva@>(rp{Ek-c1BZ^M;`r@p-}pzALg&w&aHDLmm+{pMNHWXCb6HFO>iF~ z#mMKC4m<$E`1O7^DlbqH-fQv-+pnET+_ z>7hAs6y!q^)R-Gj(c*1bT<*d3l6cTiw8Xdrxp4@9kmmVDJ!L&b{c^J(6;x_miASMk zjcxdKe2nZPVHa~H?fR#^2wGmTAylvOQPWEfcj^eka!-}t!&2-j$6XX>MduaLpzgA} zt&n-$`Z)$tqCC-^7B*fF(@=32@KVNhe{@vfH_Bnx*qidmD9{7#a(2BMJv}aDumpg(IIz`1 z(8gg|JjrHl558q-s!0cppS7h9*JlXeLE5GzeksBxL6&EI=dZV2GdGADCoWb=k{jBE4Ha{-jULhe| z1H^|{4!~eZ3y$}@ucugpE)!>sKDaCyPx~uOjkUw*#*D$GUJ1;KkOP!GWcNEkx&zBB zH@SeY-TAA?r$+Q)E>6R%bsrKq<z48nj9O(=x6~Z 
zroW3B3c@C4i7i__#(TcXICZKa(*XHru11QoWk(Ab7mYc1fcv4KynDk9+t4rghb`p0 zL7@-C1m9YkpaO#kI~%v{Vz&?<&&_2M;mzhTVLqHEBKV;ROqk$#SC7e|`VJU-_D;K7 zcV|`|RUE~qJ|TEc_B;}ytt9mlMo`;9kYKt39(^S1DNMnfw!b0;fa5xmMmdi zEN~QESW8(4DQQbrL1+reK1X9p9oGlG22=v(acx$MupH=Y5-n1N^j$Um72)xM!h^Bv8L zX# zxsJIw`MjAAlmdlA@PbY`LZEvhc@EeI+9+#3R-pi>yYYaV5)d1(Af|n6O|2NZ1Dp;> z4FAzC@7XsPXpN75PM0?iA@L54^l|IkdeT<N>mt=DAK_|b&)XxBsp_B!A;|D|6?6R8hcaz~KR*B425X&gxJ_!!jtP@Q=AsPV; z+IJmhiroHrLeEe`U6=)Mv9rX68j0dua2PV^17=Hlb(A)R>qDa4i|2%HCV7QX-wcZh z%GAv=_YCrFD${YpB2AnX-SaOV)m1fGZ~_?33NOzmY-4Vq@g zz`M41udd*^4>T-mBpt#2GeuHU>b001pRG`oa5U*CB(xi(hf)A!TSLjD2{tF4`6nXyF25QyXVXaT;ufeRwYOjH zP({3=;Mx}t7;RLTplNe~X2j&L;iMsojj!F)+&dPpJEGg~VtbH6e-3pE#QIfUoE-`0 zsSwlKkIBU&$`ChIZ?ne_!e75tG?LpA?&>PDG<{ux-*l!5a=pmoTC)A@MNm`oH2$vq z9TAe&O?;%jWw-hua{;-A+3%O|BVGxSp-6LOdIFG^pXGwwKk|5Z_Ea9C%Tlw5U>Ta(S6*-} z)qy4Heip4Oe~kOHk*$0@A`;o!bxignEE?jY5-Aay>ozD2rE23Ku~UXizI5Jpv;ExI z!LYSQ&|fJj@;KqP_cjeRl^<|T7j#-Z%jhYb;{b(&+P*I=H`afk4VV=Xsm%sY(H5|)(4FPKl(Z`cQ| zBoOKWT!a?{___>|$UOmJlOy}FVXpwig%#Vb>rfeYdhMjvf|J8)`ZI}qlGFeh^OiWy zj?Q@U9Q@xzbqtG2IHAz-%i2@58w#>Z73e76n)OOdjbOlcL+Ra?Jtm@!O*i{%SSN`7 z8k1DXK+A6~RLEuwZ=1x68ez*kJ&R;^69*-7{utPkBE1gWYT-JpAid$Qh9rt<(_n7K zoK8N1RNfoC@)s7E+Z-M2nvUUI{{X1DvkH+ot6t?a7VjBoc&5IL^UiYG2bAHQ1vO~j z?igWsDD#;R z_ux7w3KS=uJ3%sb5@4=~@kuAPw*5(RJqp-+Am(oEJ&`Xt-dyF#a?yY~IOxVmi$^_!(#6nCYFhfPB= z+TZ7=<{ty|cBT^w!&ac=l!GSevn_~wccv@HN|khx(Bb5~Hzc4I`5xk0r(s^d81$r= zpno}Ta>wQD`8cNpvz_w9tC!=r3)8s2ya-o;n!O=kSd?*c99YDy|6akaU{J_mQf<5P zS`)!L_#A0y7W*aYhRAt^OLdR>Ob3hI_x*bI7ms6_iW7s#W>7N!3vdN~r_ajc%k%d^ z1Y1J(+GUf6hRPKdOEKSt)-0%#NA=_+A^i-zysSzC)8MEX{%_Lf~dF$L(;314rPuj?XDQv$4M#5=6B zz@EI!671uNw^>fIIK6U~!B9}Wz(x1^=SGJS<_z@OzF+`dJwu%`5&9y6tD{zoQ!*>` z`1k2PeCee2Az6m^r!=eiFlM|%YRp$^pG&UwcbIPUb`1SiG?K>~Xw>Ocg*zSky8V6k zP5FMhw%d$VNZ#!iVYZHS!*fbcxW1C?;*`M&^le*RR=niAT>(gqx#cxpfGjSHc5%{& zXBWoh*E6?VAt5Cz0;hnPo4;C8g}HyYOcP z=fUjV@oOaI?{}HnYzaLAUqzvLE6oIs3^s>~7Fy|*#?xSh>l6;p#V8hc?{@?+%R#u$ zn)tOhX9%j}$+D1C9G_G=T=FKzA}t2tH_`TS&=?x_)8Ho5fB)JAwbrWBpRp9tCkv#; 
z-Z8nHtvYWo^t417RF83&LL$F?E~#fW^q6&%6?8x7E^iJ1C8;Log8*voKoDs^_+pmCib(7ZY<*=^*UdQ*zVXZkSm-wOHgTo zV0|zl%|r@K?L7ZEW#R+c%mA3g?urIg^8_=Kjc-Q2cO^g%H2$E+#>^35m}ov(`L;k5 zd?vI#_tsB=hl&Rz4#{u)o_7%&*GLpq>E~>Rfhyqr-Ct#WReY6Vv>T7}k*Iw72W29T zuSeMa$}b%m+8>l$Z(hnJ0K`A_KT&Ws3n{wOyZhO4|7_2BHqBctOzJG}85n1|)Yj1s z(u`HKr>j_N=GL!#!lR4;X9b*oTKU*}BOEyC@p&z3QAK-6B~_=Ey3gUv!%zF1F>a6bl@WC zX~?J2V`mWz^GQ7SCFLK#+9y&sVI3KAKRea7Sq~HupTJ)x1zs&TFjfw&pCvic%q}-D zbo?>X$OQ0tT0LseUwHiheKBXYU`ePC-}CB= zk5#p+lS4%TF5G^iJr~E|Cc80llUa4ue6zp4aq}tOA6qy>OzXbeDi>nf;X%tEV}VMc zY`~6NiS{p0?$aqBxpBYy%kJQ;N!Yt*M8Gj5guLA{fTQJagJsvmdleFAKWq!!n@8a+ zUv+d;N_j`bBf$#<+RWkR59=tQI!&~3k%vrcR(i@-ESyiFAcr^%!6mvS98qbk( zW%3Jzc`gS9mbp0{sN@iAmn3B#SIhjF`Ec6rqDLAn4e@C|)PHgix>D0*&7>1Pvz z?(A!x&jNMTUB%G_i`5n#u85g%apo$YKwgj+c!ANErD}WPRn|$A`t4AHv69xa3@v-p z%m}^5?<}&lk1%#Z#D%GQrc$PFK_`y9(HvnvqaWY@NAa$|_7rLeKDzwP5CF z4j;Hho(lF=?GepeRkoKFTE1tKQA73&wv|ME=**1x>kQ2TnJ@doPC8AUO`^eb=A7ft zD%Nb`t_B4c4(N5SQ<14y3f!eA&5Lp)6Vcs$MR$5akfbk9x&p!X*>U2;m&T5!?5pid zs_EL5`^FRO?P4(dA7G_q0l!y3*4XmgJ~48Rskx!oK9q!RG{uo8;Ao3n>rJ9wXXd{T z_#`pb$o@J%c~nZRzr98GqM=5sW=UeIC-+nXtrKhi>xD}5Y{MAZt6*pLgK=?d(~?o# zKog~>5E6}4BfZt#F*h|>pz`8ZmmYc}D<+Z+h>tf*t2s$P8evE?NgsYH1Mt9g9c@rw z4dv%y6@HdN_>5?@n1IrCv}7KZKKlr%SFW$prd!PBu1SO(Wi|GVmdwtg?QqeMVlA%? zdec+NMJQB_oLz+`b`OF_0Tpv*C-J!2Wh!^8n%oJ|sOmqOS%SgX5h8R90H)n~qxE=Y}d}$YP8*SLQA;`|B@KaB5b%N~cp+ zT*FQHCPjQU?d8L$P;Xv#RnfNkXq<35J6VLcpvQl?ZWEKRW;r#yzOBG64K9?^^K{+v zxVs0v|H*~rCK%_&sj;vYeX+2#)v$4>aQ`P){ueX;hb#Xp%A)>J|3;brcjCVn{Rb)k eE6Spz?&bdjn6=gL0sokB?pyTzY)JFZ>OTO&NDT@A literal 0 HcmV?d00001 
diff --git a/terraform/environments/electronic-monitoring-data/lambdas/create_athena_table.zip b/terraform/environments/electronic-monitoring-data/lambdas/create_athena_table.zip new file mode 100644 index 0000000000000000000000000000000000000000..5c34af4be1188ff4e6f6daf048b24bac04929768 GIT binary patch literal 934 zcmWIWW@Zs#-~d7f2E{HQ0S970R&r5lVo7RzVo647USfPnVp2}3UO{C|h;RO5Gl9LI z!+CBvFKIn3Q)9efQSL0=uCmL{mxDJ5WMrxsPxY88bCZ+j|M#XPF40>zTXjA;GuvD~ z-{Se3%^MXKhE`v3D7vkv!7G&IS)?tyZowuEPRDuine7+Kl$}&P%a+aEQ?2sy?u_=- zRq{Qm6WGf)1Z|g%n!v|5&Gg!r3$w#5r)+Lt(Q|LH>K4C>2S#%fn|^MU{+PHgMz_D7 zZ%I$t_J;KD`o>!ml=;`aN!hmE1;wck?pK^s)03At8a~hXTC2>0 z8Iw*H9s3tG-TwdI55FH5|NL@!y1T{!i^i(;Yc4KwJ@w<#fyGyD_?*>e-hSbKj^10Y zn5~E7rbT_5kuSmEu$Na|2*DrkJ<-ZEX`bP(i1$J~z zXt?aV*h)t_x%y@I5%$dgvJ;iubb14J8AcwSf7rwRq?~zy&EfeKa?H2B&zSLlUvvBh z=R+RKvGQwXq$s@lAon_C)v_bzPfw&4b9QNN4|UNv_wiH9wk73~1qaWsE@*2F+1zQm zFVsR{$JUPeIGID|iz8=B8UI`1dGYt;h3C_*e0`jA`14tJlV={~npf_+ym~k3s_Ydu z*$iiap!q*$crbR&-gH*XZBbG6!+(L!JDnrjCF`~&uPKZEE3Y(rk5WsxbL8q%=6lz= zbW5$3zc*o*e4ozK>1`Hwb)K1&YS|vwu@3f>-;l8*I{)3_Ex#h|?&`Ox?{W2s@^hv#qs-J421sw zI-Q#WtINLbW5=|=#RK!k|NjBr>>M}pHs)|JGcc5}GcW{rGct)V kBXSe694I%zz>-D~3wz!Q@MdKL$ua_=3y}5!n$5rf01~C5g#Z8m literal 0 HcmV?d00001 
diff --git a/terraform/environments/electronic-monitoring-data/lambdas/get_file_keys_for_table.zip b/terraform/environments/electronic-monitoring-data/lambdas/get_file_keys_for_table.zip new file mode 100644 index 0000000000000000000000000000000000000000..76e274356ac12d1aa44d44b12ac90abdb585eb77 GIT binary patch literal 1369 zcmWIWW@Zs#-~d7f2E{HQ0S8h*R(fhld|GBsYJ7HTWpR93eo=f$Vp2}3UP0xQu)zG= z7Cd$5*FV_FzjgbZO^W$!J)=^7M@RbI zuS*_kKPSqcJTEqTtr_3GsI_Sy%a_iL<700=tiLi`dtun&z}q)_)?IKgv`N-33IC_3 z>wVNbVp^n0lGt5Qy9GY%xB0KXw@ceRGj`fmkrgr`j5Ax4XWdAhbT)0ip56byPd{y| z`TX?l{OQ}DemxpLJ)mJ5&(&swD8aN@b2cbFXNz9(tEzWh%;R+>ySAJzIvqQ`?Y8Bb z!s$(Cagw=jrt0?Ctp1`s8B*N;1P?CAa@d|Q zcj3P|4jUDsHk9w*zps5!L&`)3ukM70s2?__VNZgF}P zQIztgW9?+m)(dAIgng2_e89!1UFGBq)fSV5k6+(7F1l;df)gjFt-UCnm9{#yS?z1% z@x}Z$-#e%Nco7h}Ftl*3=s8CD?3?Bhb?%E#XFb2bzV)cJp6aZ0K766eS4M;E+R<@M!$!WdR_Tqe&~K1`i|=ktP%%V%#p*_OMhadCczK#P)5 zqN-fL&!3;KR&L%{dDuo`%Pw=%zDGteJfED(7THRPzFK(c++;bnM@w$rU0wZSZ9|J{ zwel}(u4lRro?a|%uxq~U7ZLIGPQg=wMCocMXRtSNxqb zcSgMipU9I3kvcU>O#y#m80$*5oYu17DcNLxPx(~V4FA~3{1C&~+M~B3#f~ZdP1zvY z&+7U9f0hGB#qxz$*-Xwd-t7=GiGJL-FiU4`aFvAiZh6N#vrYe58=pOntIeb^LVK8#U(!)PMuwN?bO4?-M7lw%%j)1?rz>;rPx;Q_H%8a zc{{sa_5Myf7GXYfv$Nk^%bivAMMSX{7Y(nE8R$qe^w>f|}DzS`n@@6}ts6`>y* zmhXLByds-}$Ddu`{9(QJIj0RS<`$)Ft=KrDjfd&Rg3^z+roR>*xh1*QB{px1kl*A! z{Uy)NKC*aX@<7Ql@KSY2pVz0e3)emSu*Ki_nyAOQhcAyzKNE3BGNv+@=d}q(VovZB z$6tD#n{G!pneI5`E+yNp#&7&0!P2c|9 zXj%R7IAi(q;-ViP{{4FV{PcEl^XWGytaffbJLCP_>t<3e|D9K4S}u}(Fw-^fmEPAy zqSrre(7pb5*`o5`3vyXqE>qLd z-|M<2y!_A3zFW-drJhC!XFJR6ONR=V@0=5Q z^QiIv&evjSnAf|o^$Hq%$-s~KrE$g$U s0(qB!IKZ2cNrV~UH)J`G-(X-#BZ!5=rvcuqY#?byAan)Nw?G^Q0Ns^m_5c6? literal 0 HcmV?d00001 
diff --git a/terraform/environments/electronic-monitoring-data/lambdas/send_table_to_ap.zip b/terraform/environments/electronic-monitoring-data/lambdas/send_table_to_ap.zip new file mode 100644 index 0000000000000000000000000000000000000000..b507fcf61e4e448e349bed2e4f85e35d6872782d GIT binary patch literal 1732 zcmV;#20QssO9KQH00;mG0000XiU0rr0000000000022TJ0CQz-WM6b)Vr*q!bZ=i_ za4v9ptXE%eNr zFNUQ4+0J$goL?-GGryVn&2UJHvQpZ@i&1hEzSqjCX*0;UMJq~d#)aB!gxoYkWkw^K zLJe`V7H!aeb#vn+k-WqtnFOK8p#6$(Sd1Il&kz6jeKH!2%rr?0fzm?k9fQc zMx*=3hr_>>htdp$#4Ije_5;`24y0YZ$c|cX2AP zXp>jmkHhR_HUa=(jJf}1RS0W9)fUVYa#0|V6j%jb7hZ7>sVdh(ax0V^Xlt~!mW{zk zV^#1JDVW*qExQKBCXpcvV@AV|L;-o2@)8U3&q)4?V?Ru}!5J8Y3@4t9$mWJUZt!vUHLgMDQ8`5#`?xX@a4_@DD$L?8@s3A`wv zt}4`!b^&?Z#dls-1)jNlcXt=u4B^M8Il5{Yx|*~ql@`*D`-*<;s`Ke;P%xtJZX}Fz za~x`tex)JXIXiS>M;F#0rU>R-N@bh;wAt~itcBCWV~@9SX*QFQ&r+9_7#Q=DxzZr6 zA>DEfLITRVM9po#M0?JP9LDXyO~4)eI+)=y0|9@Dp+MOOfgAXECP-#GQqGrK^(R64 z&p#{signl1jzU7*y7Bw+W^ipx=LK_Q8L&1%8E_x9cndv3v1T3sq8dJ4$~L zeTFWO{l5tQKdAb%DC%&G>T^&v6r7+jvsJad*)vCr12+mXC9iB_!g<-@?u6Y!GJvVL zF(;H=Aj+|LO3A}JEC}hQLt`-tc3iq0OHGeUNMMb*(x>DI`_q{fxl2KClozrtPc!xd z?ctIGX?BW}X%4woEF5B`>w2y^`q+Macx}WR${!qCtF17w6GZ{sS}ZF^QPbaq1f??! zs2?K=IY9A3BhToJmX-@?;9K&I2$%3u8w)5+tM$BQk1e9EC)) zgb^Eo@h*vOoM3?^N^2l)j=gaGNLbhRLUb%)(Tfst{M5^20GPOwAPhQtE&j7dbNeG0 zy3i_`%JBmI_KStVGr5x!w>eNpqYqH&jBhBdOOwU#Hu(4fmKCNV--A)LPBC2h+#1FIiu-GLqr=l3h6E7_i>2uYnQ_b4 z++bq)xFZ0f|wU6Y8yT;LuSM{Pyh6;NU-w zt+G{cIPv;OmC-6(e3l%W-5dC(!cElr1ygzj9oTP9o6Xv)U|(?0X1$ahy`t6ouIxU* zW9`qI03~GTBs~xN1r2VanMz4_<7;1HQO}>@ZO%IuUkvJcAo&IN@d+_Q0it~A;)#3a zhB8akZ>X0d!-Y)sz9OWU-7l7({`xmI6uqB+jhT<_M(rf(o4hWH8`|Ak6(_3)&~hq6_WZ>DxmrCgEw{Cqs|?w53nTJVq!>Q^ zdU9PD?xaBtnmSFz!-UKIBdke&draVD703j4G*&! z9QuyD@5Dt1+-f+Q#y{6{C!_xc00960P)i30=;nN^ECv7oX%PSbP)h*<6ay3h2mlBG z001G1=;nN^ECv7oX%PSb6951J0000000000q=5hc0047kZe(9{VPb4$UvzI@VQ?;R ac~DCQ1^@s60096206_o%0Br^U00029Kq8O; literal 0 HcmV?d00001 From a4be1a6d97ab4d0478abb1eb2225aa6a6f63f5e0 Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Fri, 22 Nov 2024 13:57:34 +0000 Subject: [PATCH 282/308] chore: fixes to ensure clean plan + healthy service (#8741) * chore: don't ignore * add key to secret * Update pwm.tf * Update ecs.tf * Update ecs.tf * correct sg rule * use correct fargate sizing --- .../delius_environment/alb_frontend.tf | 25 +++++-------------- .../delius_environment/delius_frontend_alb.tf | 0 .../modules/delius_environment/pwm.tf | 16 +++++++++--- .../modules/delius_environment/weblogic.tf | 9 +++++-- .../helpers/delius_microservice/ecs.tf | 6 ++--- 5 files changed, 29 insertions(+), 27 deletions(-) delete mode 100644 terraform/environments/delius-core/modules/delius_environment/delius_frontend_alb.tf diff --git a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf index 2a68a0c40f6..af5a02ea15d 100644 --- a/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf +++ b/terraform/environments/delius-core/modules/delius_environment/alb_frontend.tf @@ -17,15 +17,6 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress cidr_ipv4 = "81.134.202.29/32" # MoJ Digital VPN } -resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_allowlist" { - security_group_id = aws_security_group.delius_frontend_alb_security_group.id - description = "access into delius core frontend alb over http (will redirect)" - from_port = "80" - to_port = "80" - ip_protocol = "tcp" - cidr_ipv4 = "81.134.202.29/32" # MoJ Digital VPN -} - resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_https_global_protect_allowlist" { for_each = toset(local.moj_ips) security_group_id = aws_security_group.delius_frontend_alb_security_group.id 
@@ -36,15 +27,12 @@ resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress cidr_ipv4 = each.key # Global Protect VPN } -# resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_alb_ingress_http_global_protect_allowlist" { -# for_each = toset(local.moj_ips) -# security_group_id = aws_security_group.delius_frontend_alb_security_group.id -# description = "access into delius core frontend alb over http (will redirect)" -# from_port = "80" -# to_port = "80" -# ip_protocol = "tcp" -# cidr_ipv4 = each.key # Global Protect VPN -# } +resource "aws_vpc_security_group_egress_rule" "delius_core_frontend_alb_egress_to_ecs_cluster" { + security_group_id = aws_security_group.delius_frontend_alb_security_group.id + description = "egress from delius core frontend alb to ecs cluster" + ip_protocol = "-1" + referenced_security_group_id = aws_security_group.cluster.id +} # tfsec:ignore:aws-elb-alb-not-public resource "aws_lb" "delius_core_frontend" { @@ -152,4 +140,3 @@ resource "aws_lb_listener_rule" "blocked_paths_listener_rule" { } } } - diff --git a/terraform/environments/delius-core/modules/delius_environment/delius_frontend_alb.tf b/terraform/environments/delius-core/modules/delius_environment/delius_frontend_alb.tf deleted file mode 100644 index e69de29bb2d..00000000000 diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 935e9003e23..8a8af54987b 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
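Review bot: `delius_core_frontend_alb_egress_to_ecs_cluster` sets `ip_protocol = "-1"`, so the load balancer may open any port and protocol on every interface that carries `aws_security_group.cluster`. Restricting the rule to `ip_protocol = "tcp"`, with `from_port` and `to_port` set to the port the target groups and health checks use, keeps the ALB's reach to what it needs. That port is not visible in this hunk, so it has to come from the target group definition. The `description` could then name the port as well.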
@@ -72,6 +72,7 @@ module "pwm" { container_secrets_default = { "CONFIG_PASSWORD" : nonsensitive(aws_ssm_parameter.delius_core_pwm_config_password.arn), "LDAP_PASSWORD" : nonsensitive(aws_ssm_parameter.ldap_admin_password.arn), + "SECURITY_KEY" : nonsensitive(aws_ssm_parameter.security_key.arn), "SES_JSON" : nonsensitive(aws_ssm_parameter.pwm_ses_smtp_user.arn) } @@ -85,8 +86,7 @@ module "pwm" { email_from_address = "no-reply@${aws_ses_domain_identity.pwm.domain}" email_smtp_address = "email-smtp.eu-west-2.amazonaws.com" })), - "SECURITY_KEY" = "${base64encode(uuid())}", - "JAVA_OPTS" = "-Xmx${floor(var.delius_microservice_configs.pwm.container_memory * 0.75)}m -Xms${floor(var.delius_microservice_configs.pwm.container_memory * 0.25)}m" + "JAVA_OPTS" = "-Xmx${floor(var.delius_microservice_configs.pwm.container_memory * 0.75)}m -Xms${floor(var.delius_microservice_configs.pwm.container_memory * 0.25)}m" } container_vars_env_specific = try(var.delius_microservice_configs.pwm.container_vars_env_specific, {}) @@ -119,8 +119,18 @@ module "pwm" { enable_platform_backups = var.enable_platform_backups } +resource "aws_ssm_parameter" "security_key" { + name = "/${var.env_name}/pwm/security_key" + type = "SecureString" + value = random_id.security_key.hex +} - +resource "random_id" "security_key" { + keepers = { + image_tag = var.delius_microservice_configs.pwm.image_tag + } + byte_length = 32 +} ############# # SES diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index 4a2ad04c7b4..a9001a6f926 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf 
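Review bot: `aws_ssm_parameter.security_key` takes its value from `random_id.security_key.hex`, and `random_id` does not, as far as I know, mark its outputs as sensitive, so the key can appear in plan output and CI logs even though the parameter is a `SecureString`. `random_password` exposes a sensitive `result` and would be the safer source. Either way the value is kept in Terraform state, so read access to state is read access to this key. The `keepers` entry on `image_tag` regenerates the key on every image change; if PWM uses the key to protect stored data or issued tokens, confirm that rotation on each deploy is intended and say so in a comment above `random_id`.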
@@ -30,6 +30,11 @@ module "weblogic" { tags = var.tags db_ingress_security_groups = [] + container_cpu = var.delius_microservice_configs.weblogic.container_cpu + container_memory = var.delius_microservice_configs.weblogic.container_memory + deployment_maximum_percent = 200 + deployment_minimum_healthy_percent = 100 + ecs_service_ingress_security_group_ids = [] ecs_service_egress_security_group_ids = [ { @@ -51,7 +56,7 @@ module "weblogic" { cluster_security_group_id = aws_security_group.cluster.id - ignore_changes_service_task_definition = true + ignore_changes_service_task_definition = false providers = { aws.core-vpc = aws.core-vpc @@ -71,7 +76,7 @@ module "weblogic" { container_secrets_default = merge({ for name in local.weblogic_ssm.secrets : name => module.weblogic_ssm.arn_map[name] }, { - "JDBC_PASSWORD" = module.oracle_db_shared.database_application_passwords_secret_arn + "JDBC_PASSWORD" = "${module.oracle_db_shared.database_application_passwords_secret_arn}:delius_pool::" } ) } diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf index 8b7c00fe182..6496b869f32 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf @@ -1,5 +1,5 @@ module "container_definition" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=ignore-changes" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=main" name = var.name image = var.container_image memory = var.container_memory 
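Review bot: The `container_definition` module `source` now ends in `?ref=main`, as does the `ecs_service` module in the next hunk, so every `terraform init` pulls whatever is at the tip of that branch and a change upstream reaches these services without a reviewed change in this repository. Pin `ref` to a release tag or a full commit SHA, for example `?ref=<commit-sha>`. The value to pin is not on this page. The commented-out lakeformation module in cloud_platform_share.tf already uses a 40-character commit hash in its `?ref=`, which is the form to follow.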
@@ -35,7 +35,7 @@ module "ecs_policies" { } module "ecs_service" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=ignore-changes" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=main" container_definitions = nonsensitive(module.container_definition.json_encoded_list) cluster_arn = var.ecs_cluster_arn name = "${var.env_name}-${var.name}" @@ -62,7 +62,7 @@ module "ecs_service" { efs_volumes = var.efs_volumes - security_groups = [aws_security_group.ecs_service.id] + security_groups = [aws_security_group.ecs_service.id, var.cluster_security_group_id] subnets = var.account_config.private_subnet_ids From 755c82979f9a63ff617f8a8bfcbcbe80eabd059e Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 22 Nov 2024 14:19:47 +0000 Subject: [PATCH 283/308] TM-720: put endpoint alerts in correct channels (#8756) * add additional sns topics * update alarms * fix * fix * Fix * fix --- .../locals_cloudwatch_metric_alarms.tf | 392 ++++-------------- .../hmpps-oem/locals_development.tf | 3 +- .../hmpps-oem/locals_preproduction.tf | 11 +- .../hmpps-oem/locals_production.tf | 11 +- .../environments/hmpps-oem/locals_test.tf | 11 +- .../cloudwatch_metric_alarms.tf | 6 +- terraform/modules/baseline_presets/outputs.tf | 1 + 7 files changed, 110 insertions(+), 325 deletions(-) diff --git a/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf b/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf index 4629216a4af..0bbea69f30f 100644 --- a/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf +++ b/terraform/environments/hmpps-oem/locals_cloudwatch_metric_alarms.tf 
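Review bot: Adding `var.cluster_security_group_id` to `security_groups` in this shared helper puts every microservice built from the module into the cluster security group, so any rule that references that group now applies to all of them, not only the service this change was made for. That includes the all-protocol ALB egress rule added in alb_frontend.tf in the same commit. If only the frontend needs to be reachable from the ALB, a rule on `aws_security_group.ecs_service` that references the ALB group would keep the other services out of that path. A comment on the line, such as `# cluster SG: lets the frontend ALB reach the task`, would at least record the intent. The `ecs_service` module block starts and ends outside this hunk.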
@@ -1,334 +1,92 @@ locals { - endpoint_down_alarm = module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_endpoint_monitoring["endpoint-down"] - endpoint_cert_expires_soon_alarm = module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_endpoint_monitoring["endpoint-cert-expires-soon"] - # these should match the alarms configured in ansible collectd-endpoint-monitoring role on the given EC2 - cloudwatch_metric_alarms_endpoint_status_environment_specific = { - "development" = { + # format for each dict item is: alarm-postfix = [metric-dimension, is_https, sns_topic] + endpoint_alarms = { + development = { } - - "test" = { - "endpoint-cert-expires-soon" = local.endpoint_cert_expires_soon_alarm - - "endpoint-down-nomis-t1" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c-t1.test.nomis.service.justice.gov.uk" - } - }) - - "endpoint-down-nomis-t2" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c-t2.test.nomis.service.justice.gov.uk" - } - }) - - "endpoint-down-nomis-t3" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c-t3.test.nomis.service.justice.gov.uk" - } - }) - - "endpoint-down-oasys-t1" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "t1-int.oasys.service.justice.gov.uk" - } - }) - - "endpoint-down-oasys-t2" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "t2-int.oasys.service.justice.gov.uk" - } - }) - - "endpoint-down-offloc-stage" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "stage.offloc.service.justice.gov.uk" - } - }) - - "endpoint-down-hmppgw1-rdgateway" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "hmppgw1.justice.gov.uk" - } - }) - - "endpoint-down-hmpps-domain-rdgateway-test" = 
merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "rdgateway1.test.hmpps-domain.service.justice.gov.uk" - } - }) + test = { + hmppgw1-rdgateway = ["hmppgw1.justice.gov.uk", true, "azure-fixngo-pagerduty"] + nomis-t1 = ["c-t1.test.nomis.service.justice.gov.uk", true, "nomis-pagerduty"] + nomis-t2 = ["c-t2.test.nomis.service.justice.gov.uk", true, "nomis-pagerduty"] + nomis-t3 = ["c-t3.test.nomis.service.justice.gov.uk", true, "nomis-pagerduty"] + oasys-t1 = ["t1-int.oasys.service.justice.gov.uk", true, "oasys-pagerduty"] + oasys-t2 = ["t2-int.oasys.service.justice.gov.uk", true, "oasys-pagerduty"] + offloc-stage = ["stage.offloc.service.justice.gov.uk", true, "azure-fixngo-pagerduty"] + rdgateway = ["rdgateway1.test.hmpps-domain.service.justice.gov.uk", true, "hmpps-domain-services-pagerduty"] } - - "preproduction" = { - "endpoint-cert-expires-soon" = local.endpoint_cert_expires_soon_alarm - - "endpoint-down-nomis-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c.pp-nomis.az.justice.gov.uk" - } - }) - - "endpoint-down-nomis-reporting-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "reporting.pp-nomis.az.justice.gov.uk" - } - }) - - "endpoint-down-nomis-lsast" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c.lsast-nomis.az.justice.gov.uk" - } - }) - - "endpoint-down-oasys-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "pp-oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-onr-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "onr.pp-oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-csr-r1-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r1.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r2-pp" = merge(local.endpoint_down_alarm, 
{ - dimensions = { - type = "exitcode" - type_instance = "r2.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r3-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r3.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r4-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r4.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r5-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r5.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r6-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r6.pp.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-traina" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "traina.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-cafmwebx-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "cafmwebx.pp.planetfm.service.justice.gov.uk" - } - }) - - "endpoint-down-cafmtx-pp" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "cafmtx.pp.planetfm.service.justice.gov.uk" - } - }) - - "endpoint-down-hpa-preprod" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "hpa-preprod.service.hmpps.dsd.io" - } - }) - - "endpoint-down-hmpps-domain-rdgateway-preproduction" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "rdgateway1.preproduction.hmpps-domain.service.justice.gov.uk" - } - }) + preproduction = { + cafmtx-pp = ["cafmtx.pp.planetfm.service.justice.gov.uk", true, "planetfm-pagerduty"] + cafmwebx-pp = ["cafmwebx.pp.planetfm.service.justice.gov.uk", true, "planetfm-pagerduty"] + csr-traina = ["traina.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r1-pp = 
["r1.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r2-pp = ["r2.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r3-pp = ["r3.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r4-pp = ["r4.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r5-pp = ["r5.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r6-pp = ["r6.pp.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + hpa-preprod = ["hpa-preprod.service.hmpps.dsd.io", true, "azure-fixngo-pagerduty"] + nomis-lsast = ["c.lsast-nomis.az.justice.gov.uk", true, "nomis-pagerduty"] + nomis-pp = ["c.pp-nomis.az.justice.gov.uk", true, "nomis-pagerduty"] + nomis-reporting-pp = ["reporting.pp-nomis.az.justice.gov.uk", true, "nomis-combined-reporting-pagerduty"] + oasys-pp = ["pp-oasys.az.justice.gov.uk", true, "oasys-pagerduty"] + onr-pp = ["onr.pp-oasys.az.justice.gov.uk", true, "oasys-national-reporting-pagerduty"] + rdgateway = ["rdgateway1.preproduction.hmpps-domain.service.justice.gov.uk", true, "hmpps-domain-services-pagerduty"] } + production = { + bridge-oasys = ["bridge-oasys.az.justice.gov.uk", true, "oasys-pagerduty"] + cafmtrainweb = ["cafmtrainweb.az.justice.gov.uk", true, "planetfm-pagerduty"] + cafmtx = ["cafmtx.planetfm.service.justice.gov.uk", true, "planetfm-pagerduty"] + cafmwebx2 = ["cafmwebx2.az.justice.gov.uk", true, "planetfm-pagerduty"] + csr-r1 = ["r1.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r2 = ["r2.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r3 = ["r3.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r4 = ["r4.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r5 = ["r5.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + csr-r6 = 
["r6.csr.service.justice.gov.uk", false, "corporate-staff-rostering-pagerduty"] + hpa = ["hpa.service.hmpps.dsd.io", true, "azure-fixngo-pagerduty"] + hmpps-az-gw1-rdgateway = ["hmpps-az-gw1.justice.gov.uk", true, "azure-fixngo-pagerduty"] + nomis = ["c.nomis.az.justice.gov.uk", true, "nomis-pagerduty"] + nomis-reporting = ["reporting.nomis.az.justice.gov.uk", true, "nomis-combined-reporting-pagerduty"] + oasys = ["oasys.az.justice.gov.uk", true, "oasys-pagerduty"] + oasys-practice = ["practice.oasys.az.justice.gov.uk", true, "oasys-pagerduty"] + oasys-training = ["training.oasys.az.justice.gov.uk", true, "oasys-pagerduty"] + offloc = ["www.offloc.service.justice.gov.uk", true, "azure-fixngo-pagerduty"] + onr = ["onr.oasys.az.justice.gov.uk", true, "oasys-national-reporting-pagerduty"] + rdgateway = ["rdgateway1.hmpps-domain.service.justice.gov.uk", true, "hmpps-domain-services-pagerduty"] + } + } - "production" = { - "endpoint-cert-expires-soon" = local.endpoint_cert_expires_soon_alarm - - "endpoint-down-nomis" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "c.nomis.az.justice.gov.uk" - } - }) - - "endpoint-down-nomis-reporting" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "reporting.nomis.az.justice.gov.uk" - } - }) - - "endpoint-down-oasys" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-oasys-training" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "training.oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-oasys-practice" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "practice.oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-bridge-oasys" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "bridge-oasys.az.justice.gov.uk" - } - }) - - 
"endpoint-down-onr" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "onr.oasys.az.justice.gov.uk" - } - }) - - "endpoint-down-csr-r1" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r1.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r2" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r2.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r3" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r3.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r4" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r4.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r5" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r5.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-csr-r6" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "r6.csr.service.justice.gov.uk" - } - }) - - "endpoint-down-cafmtx" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "cafmtx.planetfm.service.justice.gov.uk" - } - }) - - "endpoint-down-cafmwebx2" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "cafmwebx2.az.justice.gov.uk" - } - }) - - "endpoint-down-cafmtrainweb" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "cafmtrainweb.az.justice.gov.uk" - } - }) - - "endpoint-down-offloc" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "www.offloc.service.justice.gov.uk" - } - }) - - "endpoint-down-hpa" = merge(local.endpoint_down_alarm, { - dimensions = { - type = "exitcode" - type_instance = "hpa.service.hmpps.dsd.io" - } - }) - - "endpoint-down-hmpps-az-gw1-rdgateway" = 
merge(local.endpoint_down_alarm, { + cloudwatch_metric_alarms_endpoint_monitoring_endpoint = { + for key, value in local.endpoint_alarms[local.environment] : "endpoint-down-${key}" => merge( + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_endpoint_monitoring["endpoint-down"], + { dimensions = { type = "exitcode" - type_instance = "hmpps-az-gw1.justice.gov.uk" + type_instance = value[0] } - }) - - "endpoint-down-hmpps-domain-rdgateway" = merge(local.endpoint_down_alarm, { + alarm_actions = [value[2]] + ok_actions = [value[2]] + } + ) + } + cloudwatch_metric_alarms_endpoint_monitoring_cert_expiry = { + for key, value in local.endpoint_alarms[local.environment] : "endpoint-cert-expires-soon-${key}" => merge( + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_endpoint_monitoring["endpoint-cert-expires-soon"], + { dimensions = { type = "exitcode" - type_instance = "rdgateway1.hmpps-domain.service.justice.gov.uk" + type_instance = value[0] } - }) - } + alarm_actions = [value[2]] + ok_actions = [value[2]] + } + ) if value[1] == true } - cloudwatch_metric_alarms_endpoint_monitoring = local.cloudwatch_metric_alarms_endpoint_status_environment_specific[local.environment] + cloudwatch_metric_alarms_endpoint_monitoring = merge( + local.cloudwatch_metric_alarms_endpoint_monitoring_endpoint, + local.cloudwatch_metric_alarms_endpoint_monitoring_cert_expiry + ) } diff --git a/terraform/environments/hmpps-oem/locals_development.tf b/terraform/environments/hmpps-oem/locals_development.tf index 1ae75cf8cdf..dd39b0048f9 100644 --- a/terraform/environments/hmpps-oem/locals_development.tf +++ b/terraform/environments/hmpps-oem/locals_development.tf @@ -6,7 +6,8 @@ locals { sns_topics = { pagerduty_integrations = { - pagerduty = "hmpps-oem-development" + dso-pipelines-pagerduty = "dso-pipelines" + pagerduty = "hmpps-oem-development" } } } 
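Review bot: In locals_cloudwatch_metric_alarms.tf, `cloudwatch_metric_alarms_endpoint_monitoring_cert_expiry` sets `dimensions = { type = "exitcode", type_instance = value[0] }`, which matches the endpoint-down comprehension, whereas the removed code used the `endpoint-cert-expires-soon` preset without overriding its dimensions. If the collectd role publishes `collectd_endpoint_cert_expiry_value` under a different `type` dimension (not visible on this page), these alarms will match no datapoints and stay in INSUFFICIENT_DATA, and an expiring certificate would go unreported. Please confirm the dimension against the ansible role before relying on them. Separately, the positional lists read through `value[0]`, `value[1]` and `value[2]` would be easier to review as objects, e.g. `{ endpoint = "...", is_https = true, sns_topic = "..." }`.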
diff --git a/terraform/environments/hmpps-oem/locals_preproduction.tf b/terraform/environments/hmpps-oem/locals_preproduction.tf index c00a01ea34b..391efee83d5 100644 --- a/terraform/environments/hmpps-oem/locals_preproduction.tf +++ b/terraform/environments/hmpps-oem/locals_preproduction.tf @@ -6,7 +6,16 @@ locals { sns_topics = { pagerduty_integrations = { - pagerduty = "hmpps-oem-preproduction" + azure-fixngo-pagerduty = "az-noms-production-1-alerts" + corporate-staff-rostering-pagerduty = "corporate-staff-rostering-preproduction" + dso-pipelines-pagerduty = "dso-pipelines" + hmpps-domain-services-pagerduty = "hmpps-domain-services-preproduction" + nomis-combined-reporting-pagerduty = "nomis-combined-reporting-preproduction" + nomis-pagerduty = "nomis-preproduction" + oasys-national-reporting-pagerduty = "oasys-national-reporting-preproduction" + oasys-pagerduty = "oasys-preproduction" + pagerduty = "hmpps-oem-preproduction" + planetfm-pagerduty = "planetfm-preproduction" } } } diff --git a/terraform/environments/hmpps-oem/locals_production.tf b/terraform/environments/hmpps-oem/locals_production.tf index c235d90ddc5..0fd76403de9 100644 --- a/terraform/environments/hmpps-oem/locals_production.tf +++ b/terraform/environments/hmpps-oem/locals_production.tf @@ -4,7 +4,16 @@ locals { options = { sns_topics = { pagerduty_integrations = { - pagerduty = "hmpps-oem-production" + azure-fixngo-pagerduty = "az-noms-production-1-alerts" + corporate-staff-rostering-pagerduty = "corporate-staff-rostering-production" + dso-pipelines-pagerduty = "dso-pipelines" + hmpps-domain-services-pagerduty = "hmpps-domain-services-production" + nomis-combined-reporting-pagerduty = "nomis-combined-reporting-production" + nomis-pagerduty = "nomis-production" + oasys-national-reporting-pagerduty = "oasys-national-reporting-production" + oasys-pagerduty = "oasys-production" + pagerduty = "hmpps-oem-production" + planetfm-pagerduty = "planetfm-production" } } } 
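Review bot: In locals_preproduction.tf `azure-fixngo-pagerduty` maps to `az-noms-production-1-alerts`, the same integration used in locals_production.tf, so a preproduction alarm such as `endpoint-down-hpa-preprod` appears to page through the production alert service. If that is deliberate, a comment would stop the next reader treating it as a copy-paste slip, for example `# azure-fixngo has no preproduction integration; intentionally shares the production one`. If it is not deliberate, responders cannot tell from the channel whether a page concerns production.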
diff --git a/terraform/environments/hmpps-oem/locals_test.tf b/terraform/environments/hmpps-oem/locals_test.tf index ff162caeb4f..459ff6ee7f5 100644 --- a/terraform/environments/hmpps-oem/locals_test.tf +++ b/terraform/environments/hmpps-oem/locals_test.tf @@ -10,7 +10,12 @@ locals { sns_topics = { pagerduty_integrations = { - pagerduty = "hmpps-oem-test" + azure-fixngo-pagerduty = "az-noms-dev-test-environments-alerts" + dso-pipelines-pagerduty = "dso-pipelines" + hmpps-domain-services-pagerduty = "hmpps-domain-services-test" + nomis-pagerduty = "nomis-test" + oasys-pagerduty = "oasys-test" + pagerduty = "hmpps-oem-test" } } } @@ -19,7 +24,9 @@ locals { # please keep resources in alphabetical order baseline_test = { - cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.github + cloudwatch_metric_alarms = merge( + module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["dso-pipelines-pagerduty"].github + ) ec2_autoscaling_groups = { test-oem = merge(local.ec2_instances.oem, { diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 98cc4948e7c..2e16b5271e8 100644 --- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf @@ -339,7 +339,7 @@ locals { period = "60" statistic = "Maximum" threshold = "1" - alarm_description = "Triggers if curl returns error for given endpoint from this EC2" + alarm_description = "Triggers if curl returns error for given endpoint from this EC2. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5295505478" alarm_actions = var.options.cloudwatch_metric_alarms_default_actions ok_actions = var.options.cloudwatch_metric_alarms_default_actions } 
@@ -349,10 +349,10 @@ locals { datapoints_to_alarm = "1" metric_name = "collectd_endpoint_cert_expiry_value" namespace = "CWAgent" - period = "86400" + period = "7200" statistic = "Minimum" threshold = "14" - alarm_description = "Triggers if collectd-endpoint-monitoring detects an endpoint with a certificate due to expire shortly. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/4615340266" + alarm_description = "Triggers if collectd-endpoint-monitoring detects an endpoint with a certificate due to expire shortly. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/5303664662" alarm_actions = var.options.cloudwatch_metric_alarms_default_actions ok_actions = var.options.cloudwatch_metric_alarms_default_actions } diff --git a/terraform/modules/baseline_presets/outputs.tf b/terraform/modules/baseline_presets/outputs.tf index 7ddb18bcb6c..d085c54f7c9 100644 --- a/terraform/modules/baseline_presets/outputs.tf +++ b/terraform/modules/baseline_presets/outputs.tf @@ -52,6 +52,7 @@ output "cloudwatch_metric_alarms_by_sns_topic" { for namespace_key, namespace_value in local.cloudwatch_metric_alarms : namespace_key => { for alarm_key, alarm_value in namespace_value : alarm_key => merge(alarm_value, { alarm_actions = [sns_key] + ok_actions = [sns_key] }) } } From cedf3d6574c319818862cfff38569fe9d234ca0b Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 14:30:04 +0000 Subject: [PATCH 284/308] feat: add mojap-derived-tables as data lake location --- .../lakeformation-registrations.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf b/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf index e69de29bb2d..f6d3ed5d4a7 100644 --- a/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf +++ b/terraform/environments/analytical-platform-compute/lakeformation-registrations.tf 
@@ -0,0 +1,4 @@ +resource "aws_lakeformation_resource" "example" { + arn = "arn:aws:s3:::mojap-derived-tables" + role_arn = module.lake_formation_to_data_production_mojap_derived_tables_role.iam_role_arn +} From 5f5fa9d83cb9399a54f7387b9fec2768cc2eede4 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 14:42:49 +0000 Subject: [PATCH 285/308] fix: correct iam role account --- terraform/environments/analytical-platform-compute/iam-roles.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 5ee13c920ed..74671b1f0b0 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf +++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -381,7 +381,7 @@ module "analytical_platform_cadet_runner" { version = "5.48.0" allow_self_assume_role = false - trusted_role_arns = ["arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/create-a-derived-table"] + trusted_role_arns = ["arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/create-a-derived-table"] create_role = true role_requires_mfa = false role_name = "analytical-platform-cadet-runner-assumable" From 492184c809d8babd53d1b4509fda3b5bf73ccfab Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 22 Nov 2024 14:44:29 +0000 Subject: [PATCH 286/308] Update_221124_2 --- terraform/environments/ppud/iam.tf | 60 ++++++++++- terraform/environments/ppud/lambda.tf | 42 ++++++++ .../ppud/lambda_scripts/send_cpu_graph_dev.py | 101 ++++++++++++++++++ 3 files changed, 202 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/ppud/lambda_scripts/send_cpu_graph_dev.py diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index c2c40933966..aa7104e6601 100644 --- a/terraform/environments/ppud/iam.tf 
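Review bot: The new resource in lakeformation-registrations.tf is labelled `example`, `resource "aws_lakeformation_resource" "example"`, which reads like a leftover from provider documentation and does not say which location it registers. Naming it after the bucket, e.g. `resource "aws_lakeformation_resource" "mojap_derived_tables"`, keeps state addresses and plan output meaningful once more locations are added. Renaming after the first apply needs a `moved` block, so it is cheapest to do now. A short comment stating which account owns `mojap-derived-tables` and what the registered role is allowed to read would also help reviewers of later permission grants.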
+++ b/terraform/environments/ppud/iam.tf @@ -1138,4 +1138,62 @@ resource "aws_iam_role_policy_attachment" "attach_aws_signer_policy_to_aws_signe count = local.is-development == true ? 1 : 0 role = aws_iam_role.aws_signer_role_dev[0].name policy_arn = aws_iam_policy.aws_signer_policy_dev[0].arn -} \ No newline at end of file +} + +############################################# +# IAM Role & Policy for Send CPU graph - DEV +############################################# + +resource "aws_iam_role" "lambda_role_cloudwatch_get_metric_data_dev" { + count = local.is-development == true ? 1 : 0 + name = "PPUD_Lambda_Function_Role_Cloudwatch_Get_Metric_Data_Dev" + assume_role_policy = <

{email_body}

" + ) + + try: + ses.send_email( + Source=email_sender, + Destination={'ToAddresses': [email_recipient]}, + Message={ + 'Subject': {'Data': email_subject}, + 'Body': { + 'Html': {'Data': email_html_body} + } + } + ) + print(f"Email sent successfully to {email_recipient}") + except ClientError as e: + print(f"Error sending email: {e}") + return {'statusCode': 500, 'body': str(e)} + + return {'statusCode': 200, 'body': 'Email sent successfully'} From 99d196828625a5f17d4814cfb49826be365e4061 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 22 Nov 2024 15:03:31 +0000 Subject: [PATCH 287/308] Update_221124_3 --- terraform/environments/ppud/iam.tf | 21 ++++++++++++++++++++- terraform/environments/ppud/lambda.tf | 6 +++--- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index aa7104e6601..15ecce0c131 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf @@ -1172,15 +1172,34 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_get_metric_data_dev" policy = jsonencode({ "Version" : "2012-10-17", "Statement" : [{ + "Sid" : "CloudwatchMetricPolicy", "Effect" : "Allow", "Action" : [ - "cloudwatch:GetMetricData" + "cloudwatch:GetMetricData", + "cloudwatch:ListMetrics" ], "Resource" : [ "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" ] }, { + "Sid" : "SQSPolicy", + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production" + ] + }, + { + "Sid" : "SESPolicy", "Effect" : "Allow", "Action" : [ "ses:SendEmail" 
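Review bot: The new `SQSPolicy` statement in `iam_policy_for_lambda_cloudwatch_get_metric_data_dev` grants send, receive and delete on `Lambda-Queue-Production` under `account_ids["ppud-production"]`, so a development Lambda policy would hold rights on a production queue (the queue's own policy, not visible here, would still have to allow it). I would point it at the development account, `"arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:DEV_QUEUE_NAME"` (DEV_QUEUE_NAME is a placeholder), and keep only `sqs:SendMessage` if the queue is just a dead-letter target. In the same hunk `CloudwatchMetricPolicy` scopes `cloudwatch:GetMetricData` and the added `cloudwatch:ListMetrics` to an `arn:aws:ssm:...` resource. Neither action supports resource-level permissions, so that statement grants nothing and the calls will be denied; it needs `"Resource" : ["*"]`. The policy document continues past the end of the hunk.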
diff --git a/terraform/environments/ppud/lambda.tf b/terraform/environments/ppud/lambda.tf index 302ec946fa5..0cce3c4a951 100644 --- a/terraform/environments/ppud/lambda.tf +++ b/terraform/environments/ppud/lambda.tf @@ -236,11 +236,11 @@ resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" { resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_terminate_cpu_process_dev" { count = local.is-development == true ? 1 : 0 - statement_id = "AllowExecutionFromCloudWatch" + statement_id = "AllowCloudWatchAccess" action = "lambda:InvokeFunction" function_name = aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev[0].function_name - principal = "lambda.alarms.cloudwatch.amazonaws.com" - source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:alarm:*" + principal = "cloudwatch.amazonaws.com" + source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" } resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" { From a38616a99207a73b2ea9f143a599a2f1e3e4a1b5 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Fri, 22 Nov 2024 15:27:36 +0000 Subject: [PATCH 288/308] Update_221124_4 --- terraform/environments/ppud/lambda.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ppud/lambda.tf b/terraform/environments/ppud/lambda.tf index 0cce3c4a951..39fd5346772 100644 --- a/terraform/environments/ppud/lambda.tf +++ b/terraform/environments/ppud/lambda.tf 
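Review bot: In `allow_cloudwatch_to_call_lambda_terminate_cpu_process_dev` the `source_arn` is widened from `...:alarm:*` to `...:*` and the principal changes from `lambda.alarms.cloudwatch.amazonaws.com` to `cloudwatch.amazonaws.com`. AWS documents `lambda.alarms.cloudwatch.amazonaws.com` as the principal for alarm-triggered Lambda actions, so the new value may stop the alarm from invoking the function at all. Judging by its name the function terminates processes, so the invoke permission is better narrowed than widened. I would keep the alarms principal and name the alarm, `source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:alarm:ALARM_NAME"` (ALARM_NAME is a placeholder).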
@@ -504,7 +504,7 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" { handler = "send_cpu_graph_dev.lambda_handler" runtime = "python3.12" timeout = 300 - depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev] + depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev] reserved_concurrent_executions = 5 # code_signing_config_arn = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f" dead_letter_config { From 24c527f5ccdcbce6d2e5b2aab465453c98761c31 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Tue, 19 Nov 2024 13:19:10 +0000 Subject: [PATCH 289/308] feat: add athena query buckets (london) for environments, kms encrypted with bucket keys --- .../analytical-platform-compute/kms-keys.tf | 16 ++++ .../analytical-platform-compute/s3-buckets.tf | 76 +++++++++++++------ 2 files changed, 69 insertions(+), 23 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index a7b2d2bf3da..77f8052e839 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf 
@@ -275,6 +275,22 @@ module "mlflow_s3_kms" { tags = local.tags } +module "mojap_compute_athena_s3_kms_eu_west_2" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.1" + + aliases = ["s3/mlflow"] + description = "Mojap Athena query bucket S3 KMS key for eu-west-2" + enable_default_policy = true + + deletion_window_in_days = 7 + + tags = local.tags +} + module "mojap_compute_logs_s3_kms_eu_west_2" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index e0bafa32fc1..811de3f16bc 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
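Review bot: `module "mojap_compute_athena_s3_kms_eu_west_2"` sets `aliases = ["s3/mlflow"]` while its description says it is the Athena query bucket key, so the alias looks copied from `mlflow_s3_kms` just above. KMS aliases are unique per account and region, so if the MLflow key already owns that alias in the same region (its definition is outside the hunk) the apply will fail. Otherwise the Athena key would appear under a misleading name in grants and audit trails. An alias that matches the bucket, such as `aliases = ["s3/mojap-compute-athena-query-results-eu-west-2"]`, avoids both problems.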
@@ -136,28 +136,58 @@ module "mojap_compute_logs_bucket_eu_west_1" { ) } -moved { - from = module.mojap_compute_logs_bucket.aws_s3_bucket.this[0] - to = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket.this[0] -} -moved { - from = module.mojap_compute_logs_bucket.aws_s3_bucket_policy.this[0] - to = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_policy.this[0] -} -moved { - from = module.mojap_compute_logs_bucket.aws_s3_bucket_public_access_block.this[0] - to = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_public_access_block.this[0] -} -moved { - from = module.mojap_compute_logs_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0] - to = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_server_side_encryption_configuration.this[0] -} -moved { - from = module.mojap_compute_logs_bucket.aws_s3_bucket_versioning.this[0] - to = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_versioning.this[0] -} -moved { - from = aws_iam_policy_document.s3_server_access_logs_policy - to = aws_iam_policy_document.s3_server_access_logs_eu_west_2_policy +data "aws_iam_policy_document" "athena_query_results_policy_eu_west_2" { + #checkov:skip=CKV_AWS_356:resource "*" limited by condition + statement { + sid = "DenyInsecureTransport" + effect = "Deny" + actions = ["s3:*"] + resources = [ + "arn:aws:s3:::mojap-compute-${local.environment}-athena-query-results-eu-west-2/*", + "arn:aws:s3:::mojap-compute-${local.environment}-athena-query-results-eu-west-2" + ] + principals { + type = "*" + identifiers = ["*"] + } + condition { + test = "Bool" + variable = "aws:SecureTransport" + values = ["false"] + } + } } + +module "mojap_compute_athena_query_results_bucket_eu_west_2" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.2" + + bucket = 
"mojap-compute-${local.environment}-athena-query-results-eu-west-2" + + force_destroy = false + + attach_policy = true + policy = data.aws_iam_policy_document.athena_query_results_policy_eu_west_2.json + + object_lock_enabled = false + + versioning = { + status = "Disabled" + } + + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.mojap_compute_athena_s3_kms_eu_west_2.key_arn + sse_algorithm = "aws:kms" + } + } + } + + tags = local.tags +} \ No newline at end of file From 0142b6d80b13f9612593fe50dc345eb784102d1d Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 10:28:18 +0000 Subject: [PATCH 290/308] feat: no bucket backup (configured via tags) --- .../environments/analytical-platform-compute/s3-buckets.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 811de3f16bc..448bb8b2221 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -189,5 +189,8 @@ module "mojap_compute_athena_query_results_bucket_eu_west_2" { } } - tags = local.tags + tags = merge( + local.tags, + { "backup" = "false" } + ) } \ No newline at end of file From e0ccaa42ff6e684937a5413e1517d0018a5a72f9 Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 10:28:29 +0000 Subject: [PATCH 291/308] feat: no bucket backup (configured via tags) --- .../environments/analytical-platform-compute/s3-buckets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 448bb8b2221..03712ea8813 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf 
+++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -168,7 +168,7 @@ module "mojap_compute_athena_query_results_bucket_eu_west_2" { bucket = "mojap-compute-${local.environment}-athena-query-results-eu-west-2" - force_destroy = false + force_destroy = true attach_policy = true policy = data.aws_iam_policy_document.athena_query_results_policy_eu_west_2.json @@ -193,4 +193,4 @@ module "mojap_compute_athena_query_results_bucket_eu_west_2" { local.tags, { "backup" = "false" } ) -} \ No newline at end of file +} From 78d515d58cc5f4b1183e5f8ce38f7e2623fdc14d Mon Sep 17 00:00:00 2001 From: Tom Webber Date: Fri, 22 Nov 2024 12:18:10 +0000 Subject: [PATCH 292/308] fix: update key alias --- terraform/environments/analytical-platform-compute/kms-keys.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 77f8052e839..7ee087235b5 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -282,7 +282,7 @@ module "mojap_compute_athena_s3_kms_eu_west_2" { source = "terraform-aws-modules/kms/aws" version = "3.1.1" - aliases = ["s3/mlflow"] + aliases = ["s3/mojap-compute-athena-query-results-eu-west-2"] description = "Mojap Athena query bucket S3 KMS key for eu-west-2" enable_default_policy = true From a424ff64beedaa54602d628f25ea7b3a4c2517fd Mon Sep 17 00:00:00 2001 
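Review bot: `force_destroy = true` in hunk `@@ -168,7 +168,7 @@` lets a `terraform destroy`, or removal of this module call, delete the Athena query-results bucket together with every object in it. The same module call sets `versioning = { status = "Disabled" }` and the tag `"backup" = "false"`, so nothing visible here would allow recovery. The commit subject ("no bucket backup (configured via tags)") does not mention this change, which makes it easy to miss in review. If emptying the bucket on destroy is only wanted in non-production accounts, gate it on the environment instead of hard-coding `true`; otherwise record the reason next to it, e.g. `force_destroy = true # query results are disposable; bucket may be destroyed while non-empty`. The module block starts and ends outside this hunk.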
From: George Taylor Date: Fri, 22 Nov 2024 16:09:54 +0000 Subject: [PATCH 293/308] chore: pin weblogic task def revision (#8757) * Update variables.tf * tidy up alb healthchecks * pin for dev for now * correct version --- .../delius-core/locals_development.tf | 9 ++-- .../modules/delius_environment/ldap_ecs.tf | 2 +- .../modules/delius_environment/pwm.tf | 24 ++++++--- .../modules/delius_environment/weblogic.tf | 16 +++++- .../delius_environment/weblogic_eis.tf | 13 +++-- .../helpers/delius_microservice/ecs.tf | 12 ++--- .../delius_microservice/load_balancing.tf | 14 +++--- .../helpers/delius_microservice/variables.tf | 50 ++++++++++++------- 8 files changed, 90 insertions(+), 50 deletions(-) diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 5eda99ec858..f2dc9fd2a72 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -76,10 +76,11 @@ locals { delius_microservices_configs_dev = { weblogic = { - image_tag = "6.2.0.3" - container_port = 8080 - container_memory = 4096 - container_cpu = 2048 + image_tag = "6.2.0.3" + container_port = 8080 + container_memory = 4096 + container_cpu = 2048 + task_definition_revision = 9 } weblogic_eis = { diff --git a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf index 4e9b328bd62..b143dfe5e30 100644 --- a/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf +++ b/terraform/environments/delius-core/modules/delius_environment/ldap_ecs.tf 
@@ -51,7 +51,7 @@ module "ldap_ecs" { container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-openldap-ecr-repo:${var.delius_microservice_configs.ldap.image_tag}" account_config = var.account_config - health_check = { + container_health_check = { command = ["CMD-SHELL", "ldapsearch -x -H ldap://localhost:389 -b '' -s base '(objectclass=*)' namingContexts"] interval = 30 retries = 3 diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index 8a8af54987b..c4d7ecd4796 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf 
@@ -54,14 +54,22 @@ module "pwm" { platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" - account_config = var.account_config - health_check_path = "/" - health_check_interval = "15" - account_info = var.account_info - - target_group_protocol_version = "HTTP1" - health_check_grace_period_seconds = 10 + container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}" + account_config = var.account_config + account_info = var.account_info + + target_group_protocol_version = "HTTP1" + + alb_health_check = { + path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" + healthy_threshold = 5 + interval = 30 + protocol = "HTTP" + unhealthy_threshold = 5 + matcher = "200-499" + timeout = 10 + grace_period_seconds = 180 + } container_cpu = var.delius_microservice_configs.pwm.container_cpu container_memory = var.delius_microservice_configs.pwm.container_memory diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf index a9001a6f926..2d4314603c2 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic.tf 
@@ -19,8 +19,20 @@ module "weblogic" { ecs_cluster_arn = module.ecs.ecs_cluster_arn env_name = var.env_name - health_check_path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" - microservice_lb = aws_lb.delius_core_frontend + pin_task_definition_revision = try(var.delius_microservice_configs.weblogic.task_definition_revision, 0) + + alb_health_check = { + path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" + healthy_threshold = 5 + interval = 30 + protocol = "HTTP" + unhealthy_threshold = 5 + matcher = "200-499" + timeout = 5 + grace_period_seconds = 300 + } + + microservice_lb = aws_lb.delius_core_frontend target_group_protocol_version = "HTTP1" diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf index cd68c989724..ce08ba24080 100644 --- a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf +++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf @@ -68,9 +68,16 @@ module "weblogic_eis" { container_memory = var.delius_microservice_configs.weblogic_eis.container_memory container_cpu = var.delius_microservice_configs.weblogic_eis.container_cpu - health_check_path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" - health_check_grace_period_seconds = 600 - health_check_interval = 30 + alb_health_check = { + path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" + healthy_threshold = 5 + interval = 30 + protocol = "HTTP" + unhealthy_threshold = 5 + matcher = "200-499" + timeout = 10 + grace_period_seconds = 300 + } db_ingress_security_groups = [] diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf index 6496b869f32..9fdfde284ab 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf 
+++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf @@ -1,5 +1,5 @@ module "container_definition" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=main" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v5.0.0" name = var.name image = var.container_image memory = var.container_memory @@ -9,7 +9,7 @@ module "container_definition" { environment = local.calculated_container_vars_list - health_check = var.health_check + health_check = var.container_health_check secrets = local.calculated_container_secrets_list port_mappings = var.container_port_config @@ -35,7 +35,7 @@ module "ecs_policies" { } module "ecs_service" { - source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=main" + source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v5.0.0" container_definitions = nonsensitive(module.container_definition.json_encoded_list) cluster_arn = var.ecs_cluster_arn name = "${var.env_name}-${var.name}" @@ -43,6 +43,8 @@ module "ecs_service" { task_cpu = var.container_cpu task_memory = var.container_memory + pin_task_definition_revision = var.pin_task_definition_revision + desired_count = var.desired_count deployment_maximum_percent = var.deployment_maximum_percent deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent 
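Review bot: `?ref=v5.0.0` in the `//container` source (hunk `@@ -1,5 +1,5 @@`) and in the `//service` source (hunk `@@ -35,7 +35,7 @@`) pins to a git tag, and a tag can be moved to a different commit after this review. It is a clear improvement over `ref=main`, but only a full commit SHA is an immutable reference for a git module source; the workflow files in this series already pin their actions that way, with the version in a trailing comment. I would write `source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=<full-commit-sha>" # v5.0.0` and the same for `//service`, where `<full-commit-sha>` is a placeholder for the commit that v5.0.0 currently points at. Both module blocks continue outside their hunks.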
@@ -51,7 +53,7 @@ module "ecs_service" { task_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}" task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}" - health_check_grace_period_seconds = var.health_check_grace_period_seconds + health_check_grace_period_seconds = var.alb_health_check.grace_period_seconds service_load_balancers = var.microservice_lb != null ? concat([{ target_group_arn = aws_lb_target_group.frontend[0].arn @@ -68,7 +70,5 @@ module "ecs_service" { enable_execute_command = true - ignore_changes = var.ignore_changes_service_task_definition - tags = var.tags } diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf index 7f46a8cd665..90019fa63f9 100644 --- a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf @@ -28,13 +28,13 @@ resource "aws_lb_target_group" "frontend" { } health_check { - path = var.health_check_path - healthy_threshold = "5" - interval = var.health_check_interval - protocol = "HTTP" - unhealthy_threshold = "5" - matcher = "200-499" - timeout = "5" + path = var.alb_health_check.path + healthy_threshold = var.alb_health_check.healthy_threshold + interval = var.alb_health_check.interval + protocol = var.alb_health_check.protocol + unhealthy_threshold = var.alb_health_check.unhealthy_threshold + matcher = var.alb_health_check.matcher + timeout = var.alb_health_check.timeout } lifecycle { diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf index 8676dcb62ed..93ac9c86fe9 100644 
--- a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf +++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf @@ -217,12 +217,6 @@ variable "platform_vars" { }) } -variable "health_check_grace_period_seconds" { - description = "The amount of time, in seconds, that Amazon ECS waits before unhealthy instances are shut down." - type = number - default = 60 -} - variable "ecs_cluster_arn" { description = "The ARN of the ECS cluster" type = string @@ -376,18 +370,6 @@ variable "alb_security_group_id" { default = null } -variable "health_check_path" { - description = "The health check path for the alb target group" - type = string - default = "/" -} - -variable "health_check_interval" { - description = "The health check interval for the alb target group" - type = string - default = "300" -} - variable "alb_stickiness_enabled" { description = "Enable or disable stickiness" type = string @@ -581,7 +563,7 @@ variable "extra_task_exec_role_policies" { default = {} } -variable "health_check" { +variable "container_health_check" { description = "The health check configuration for the container" type = object({ command = list(string) @@ -593,6 +575,30 @@ variable "health_check" { default = null } +variable "alb_health_check" { + description = "The health check configuration for the ALB" + type = object({ + path = string + interval = number + timeout = number + healthy_threshold = number + unhealthy_threshold = number + matcher = string + protocol = string + grace_period_seconds = number + }) + default = { + path = "/" + interval = 30 + timeout = 5 + healthy_threshold = 5 + unhealthy_threshold = 5 + matcher = "200-499" + protocol = "HTTP" + grace_period_seconds = 120 + } +} + variable "nlb_ingress_security_group_ids" { description = "Security group ids to allow ingress to the ECS service" type = list(object({ 
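Review bot: The `alb_health_check` default added in hunk `@@ -593,6 +575,30 @@` carries `matcher = "200-499"`, so any caller that does not override it treats every 4xx answer (401, 403, 404) from the health path as healthy and keeps that target in service. The range was already hard-coded in the target group before this change, but now that it is configurable the default is the place to tighten it: I would default to `matcher = "200-399"` and set the wider range only on the callers that need it, with a comment there saying why. Separately, every attribute of the object type is required, so a caller cannot change one field without repeating all eight; declaring them as `optional(...)` with defaults would remove the copy-paste seen in pwm.tf, weblogic.tf and weblogic_eis.tf.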
@@ -622,3 +628,9 @@ variable "system_controls" { type = list(any) default = [] } + +variable "pin_task_definition_revision" { + type = number + description = "The revision of the task definition to use" + default = 0 +} From 564a0e823027d3d5e90330f080464ee456049a2c Mon Sep 17 00:00:00 2001 From: George Taylor Date: Fri, 22 Nov 2024 16:48:21 +0000 Subject: [PATCH 294/308] Update pwm.tf (#8766) --- .../environments/delius-core/modules/delius_environment/pwm.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/delius_environment/pwm.tf b/terraform/environments/delius-core/modules/delius_environment/pwm.tf index c4d7ecd4796..c5c6164fcbf 100644 --- a/terraform/environments/delius-core/modules/delius_environment/pwm.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf @@ -61,7 +61,7 @@ module "pwm" { target_group_protocol_version = "HTTP1" alb_health_check = { - path = "/NDelius-war/delius/JSP/healthcheck.jsp?ping" + path = "/" healthy_threshold = 5 interval = 30 protocol = "HTTP" From b8119fc4d09b3160a334bbcfc37784e35ce2e0d8 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 22 Nov 2024 16:54:57 +0000 Subject: [PATCH 295/308] TM-720: remove ssm command monitoring from nomis (#8764) --- terraform/environments/nomis/locals.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/terraform/environments/nomis/locals.tf b/terraform/environments/nomis/locals.tf index ada318258c9..9b644f9da66 100644 --- a/terraform/environments/nomis/locals.tf +++ b/terraform/environments/nomis/locals.tf @@ -48,7 +48,6 @@ locals { enable_resource_explorer = true } - cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.ssm - security_groups = local.security_groups + security_groups = local.security_groups } } From 1e870b5ca6a607697e4ff3c2d85fa2b18f6a3288 Mon Sep 17 00:00:00 2001 
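Review bot: The description of `pin_task_definition_revision` in hunk `@@ -622,3 +628,9 @@` does not say what the default `0` means. weblogic.tf in the same commit falls back to `0` through `try(..., 0)` when no revision is configured, so `0` presumably means "do not pin", but that depends on the v5.0.0 `service` module, which is not visible here. Once confirmed, I would state it in the description, for example `"Task definition revision to pin the service to; 0 leaves the service unpinned"`, and add a `validation` block that rejects negative values.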
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 22 Nov 2024 16:55:14 +0000 Subject: [PATCH 296/308] TM-720: add ssm endpoint monitoring to hmpp-oem (#8763) * add enable_ssm_command_monitoring option * enable ssm command monitoring --- terraform/environments/hmpps-oem/locals.tf | 1 + terraform/environments/hmpps-oem/main.tf | 1 + .../cloudwatch_metric_alarms.tf | 21 +++++++++++++++++++ terraform/modules/baseline_presets/outputs.tf | 16 ++++++-------- .../modules/baseline_presets/sns_topics.tf | 8 ++++++- .../modules/baseline_presets/variables.tf | 1 + 6 files changed, 37 insertions(+), 11 deletions(-) diff --git a/terraform/environments/hmpps-oem/locals.tf b/terraform/environments/hmpps-oem/locals.tf index 73791385114..e432fdb9efe 100644 --- a/terraform/environments/hmpps-oem/locals.tf +++ b/terraform/environments/hmpps-oem/locals.tf @@ -49,6 +49,7 @@ locals { enable_s3_db_backup_bucket = true enable_s3_shared_bucket = true enable_s3_software_bucket = true + enable_ssm_command_monitoring = true s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] } } diff --git a/terraform/environments/hmpps-oem/main.tf b/terraform/environments/hmpps-oem/main.tf index a23f7e6d41b..cd706d8538e 100644 --- a/terraform/environments/hmpps-oem/main.tf +++ b/terraform/environments/hmpps-oem/main.tf @@ -74,6 +74,7 @@ module "baseline" { ) cloudwatch_metric_alarms = merge( + module.baseline_presets.cloudwatch_metric_alarms_baseline, lookup(local.baseline_all_environments, "cloudwatch_metric_alarms", {}), lookup(local.baseline_environment_specific, "cloudwatch_metric_alarms", {}), ) diff --git a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf index 2e16b5271e8..795670a383f 100644 --- a/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf +++ b/terraform/modules/baseline_presets/cloudwatch_metric_alarms.tf 
@@ -449,4 +449,25 @@ locals { } } } + + cloudwatch_metric_alarms_by_sns_topic = { + for sns_key, sns_value in local.sns_topics : sns_key => { + for namespace_key, namespace_value in local.cloudwatch_metric_alarms : namespace_key => { + for alarm_key, alarm_value in namespace_value : alarm_key => merge(alarm_value, { + alarm_actions = [sns_key] + ok_actions = [sns_key] + }) + } + } + } + + # alarms added via baseline. Put SSM command alerts in dso-pipelines so it doesn't clutter main application alerts + cloudwatch_metric_alarms_baseline = merge( + var.options.enable_ssm_command_monitoring ? { + "failed-ssm-command-${var.environment.account_name}" = local.cloudwatch_metric_alarms_by_sns_topic["dso-pipelines-pagerduty"].ssm.failed-ssm-command + } : {}, + var.options.enable_ssm_command_monitoring ? { + "ssm-command-metrics-missing-${var.environment.account_name}" = local.cloudwatch_metric_alarms_by_sns_topic["dso-pipelines-pagerduty"].ssm.ssm-command-metrics-missing + } : {}, + ) } diff --git a/terraform/modules/baseline_presets/outputs.tf b/terraform/modules/baseline_presets/outputs.tf index d085c54f7c9..01cc5560724 100644 --- a/terraform/modules/baseline_presets/outputs.tf +++ b/terraform/modules/baseline_presets/outputs.tf 
@@ -44,19 +44,15 @@ output "cloudwatch_metric_alarms" { value = local.cloudwatch_metric_alarms } +output "cloudwatch_metric_alarms_baseline" { + description = "Map of common cloudwatch metric alarms that can be passed into baseline directly as specified by var.options.enable_ssm_command_monitoring for example" + value = local.cloudwatch_metric_alarms_baseline +} + output "cloudwatch_metric_alarms_by_sns_topic" { description = "Map of sns topic key to cloudwatch metric alarms grouped by namespace, where the default action is the sns topic key" - value = { - for sns_key, sns_value in local.sns_topics : sns_key => { - for namespace_key, namespace_value in local.cloudwatch_metric_alarms : namespace_key => { - for alarm_key, alarm_value in namespace_value : alarm_key => merge(alarm_value, { - alarm_actions = [sns_key] - ok_actions = [sns_key] - }) - } - } - } + value = local.cloudwatch_metric_alarms_by_sns_topic } output "iam_roles" { diff --git a/terraform/modules/baseline_presets/sns_topics.tf b/terraform/modules/baseline_presets/sns_topics.tf index 89b75eade1a..346a1c9e403 100644 --- a/terraform/modules/baseline_presets/sns_topics.tf +++ b/terraform/modules/baseline_presets/sns_topics.tf @@ -6,8 +6,14 @@ # from the modernisation platform managed pagerduty_integration_keys locals { + + pagerduty_integrations = merge( + var.options.enable_ssm_command_monitoring ? { dso-pipelines-pagerduty = "dso-pipelines" } : {}, + var.options.sns_topics.pagerduty_integrations + ) + sns_topics_pagerduty_integrations = { - for key, value in var.options.sns_topics.pagerduty_integrations : key => { + for key, value in local.pagerduty_integrations : key => { display_name = "Pager duty integration for ${value}" kms_master_key_id = "general" subscriptions = { diff --git a/terraform/modules/baseline_presets/variables.tf b/terraform/modules/baseline_presets/variables.tf index 097391f56d0..250569f6f1c 100644 --- a/terraform/modules/baseline_presets/variables.tf 
+++ b/terraform/modules/baseline_presets/variables.tf @@ -42,6 +42,7 @@ variable "options" { enable_s3_db_backup_bucket = optional(bool, false) # create db-backup S3 buckets enable_s3_shared_bucket = optional(bool, false) # create devtest and preprodprod S3 bucket for sharing between accounts enable_s3_software_bucket = optional(bool, false) # create software S3 bucket in test account for image builder/configuration-management + enable_ssm_command_monitoring = optional(bool, false) # create SNS topic and alarms for SSM command monitoring enable_vmimport = optional(bool, false) # create role for vm imports route53_resolver_rules = optional(map(list(string)), {}) # create route53 resolver rules; list of map keys to filter local.route53_resolver_rules_all iam_service_linked_roles = optional(list(string)) # create iam service linked roles; list of map keys to filter local.iam_service_linked_roles; default is to create all From 4f60ea3937ef20e841d18c7b8d1f099edc4c6d52 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 00:16:26 +0000 Subject: [PATCH 297/308] Bump oxsecurity/megalinter from 8.2.0 to 8.3.0 Bumps [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) from 8.2.0 to 8.3.0. - [Release notes](https://github.com/oxsecurity/megalinter/releases) - [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md) - [Commits](https://github.com/oxsecurity/megalinter/compare/d8c95fc6f2237031fb9e9322b0f97100168afa6e...1fc052d03c7a43c78fe0fee19c9d648b749e0c01) --- updated-dependencies: - dependency-name: oxsecurity/megalinter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/format-code.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index b1dea43397b..291666fbab0 100644 
--- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -40,7 +40,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/terraform@d8c95fc6f2237031fb9e9322b0f97100168afa6e #v8.2.0 + uses: oxsecurity/megalinter/flavors/terraform@1fc052d03c7a43c78fe0fee19c9d648b749e0c01 #v8.3.0 env: # All available variables are described in documentation # https://megalinter.io/configuration/#shared-variables From 79f9aee49890b17258ae21209661cc7447b4fb31 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 00:17:08 +0000 Subject: [PATCH 298/308] Bump bridgecrewio/checkov-action from 12.2917.0 to 12.2918.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2917.0 to 12.2918.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/cc23a656ff707900310d6870ca2b4289fa070396...05decb42b761b4c4ce4927c084165bb4705bbcef) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index a80a099382c..fa761adf798 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@cc23a656ff707900310d6870ca2b4289fa070396 # v12.2917.0 + uses: bridgecrewio/checkov-action@05decb42b761b4c4ce4927c084165bb4705bbcef # v12.2918.0 with: directory: ./ framework: terraform 
From 2d450695d9f70c96e534416945a4d6734240ba88 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Mon, 25 Nov 2024 08:37:22 +0000 Subject: [PATCH 299/308] Update_251124_1 --- terraform/environments/ppud/lambda.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/environments/ppud/lambda.tf b/terraform/environments/ppud/lambda.tf index 39fd5346772..9f93dcc960d 100644 --- a/terraform/environments/ppud/lambda.tf +++ b/terraform/environments/ppud/lambda.tf @@ -488,11 +488,11 @@ data "archive_file" "zip_the_send_cpu_notification_code_prod" { resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_send_cpu_graph_dev" { count = local.is-development == true ? 1 : 0 - statement_id = "AllowExecutionFromCloudWatch" + statement_id = "AllowAccesstoCloudWatch" action = "lambda:InvokeFunction" function_name = aws_lambda_function.terraform_lambda_func_send_cpu_graph_dev[0].function_name - principal = "lambda.alarms.cloudwatch.amazonaws.com" - source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:alarm:*" + principal = "cloudwatch.amazonaws.com" + source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*" } resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" { @@ -507,9 +507,9 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_graph_dev" { depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_get_metric_data_to_lambda_role_cloudwatch_get_metric_data_dev] reserved_concurrent_executions = 5 # code_signing_config_arn = "arn:aws:lambda:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:code-signing-config:csc-0c7136ccff2de748f" - dead_letter_config { - target_arn = aws_sqs_queue.lambda_queue_dev[0].arn - } + # dead_letter_config { + # target_arn = aws_sqs_queue.lambda_queue_dev[0].arn + # } tracing_config { mode = "Active" } 
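Review bot: The `source_arn` in hunk `@@ -488,11 +488,11 @@` is widened from `...:alarm:*` to `...:*`, so the invoke permission on `send_cpu_graph_dev` is no longer limited to CloudWatch alarms in the ppud-development account. The principal changes at the same time from `lambda.alarms.cloudwatch.amazonaws.com` to `cloudwatch.amazonaws.com`; as far as I know the former is the service principal that CloudWatch alarm actions use to invoke Lambda, so it is worth verifying that the alarm can still trigger the function after this change. I would keep `source_arn = "arn:aws:cloudwatch:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:alarm:*"`, or better the ARN of the one alarm that is meant to call it. The new `statement_id` `AllowAccesstoCloudWatch` also reads as the opposite direction of what the permission grants.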
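Review bot: Commenting out `dead_letter_config` in hunk `@@ -507,9 +507,9 @@` means a failed asynchronous invocation of `send_cpu_graph_dev` is no longer delivered to `lambda_queue_dev`, and nothing else in the hunk captures it. The `code_signing_config_arn` line above it is already commented out, so the function now carries neither control. The commit message gives no reason; if the queue was dropped only to get the apply through, restore `dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_dev[0].arn }` once the underlying problem is fixed, and if it is gone for good, delete the lines instead of leaving commented-out configuration. The resource body continues outside the hunk.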
From 2bce6cc327ec45567661cf061ced3cfb92cbe1e0 Mon Sep 17 00:00:00 2001 From: julialawrence Date: Mon, 25 Nov 2024 09:40:24 +0000 Subject: [PATCH 300/308] Removing external collaborators. Trying in one PR --- .../environment-configuration.tf | 14 --- .../ext-user-2024.tf | 102 ------------------ 2 files changed, 116 deletions(-) delete mode 100644 terraform/environments/analytical-platform-ingestion/ext-user-2024.tf diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 71ad724ce2a..252fc58ef8c 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -92,20 +92,6 @@ locals { egress_bucket = module.bold_egress_bucket.s3_bucket_id egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn } - "darren-brooke" = { - ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu" - cidr_blocks = ["54.37.241.156/30"] - egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id - egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn - - } - "aaron-willetts" = { - ssh_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali" - cidr_blocks = ["167.71.136.237/32"] - egress_bucket = module.ext_2024_egress_bucket.s3_bucket_id - egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn - - } } /* DataSync */ 
diff --git a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf b/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf deleted file mode 100644 index dd723bd1057..00000000000 --- a/terraform/environments/analytical-platform-ingestion/ext-user-2024.tf +++ /dev/null 
@@ -1,102 +0,0 @@ -#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket -#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to the bucket -module "ext_2024_egress_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" - - bucket = "mojap-ingestion-${local.environment}-ext-2024-egress" - - force_destroy = true - - versioning = { - enabled = true - } - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - kms_master_key_id = module.s3_ext_2024_egress_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } -} - -module "s3_ext_2024_egress_kms" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/kms/aws" - version = "3.1.0" - - aliases = ["s3/ext-2024-egress"] - description = "Used in the External 2024 Egress Solution" - enable_default_policy = true - key_statements = [ - { - sid = "AllowReadOnlyRole" - actions = [ - "kms:Encrypt", - "kms:GenerateDataKey" - ] - resources = ["*"] - effect = "Allow" - principals = [ - { - type = "AWS" - identifiers = ["arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/security-read-only"] - } - ] - } - ] - deletion_window_in_days = 7 -} - -data "aws_iam_policy_document" "ext_2024_target_bucket_policy" { - statement { - sid = "LandingPermissions" - effect = "Allow" - principals { - type = "AWS" - identifiers = ["arn:aws:iam::471112983409:role/transfer"] - } - actions = [ - "s3:GetObject", - "s3:PutObject", - "s3:DeleteObject", - "s3:PutObjectTagging" - ] - resources = [ - "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target/*", - "arn:aws:s3:::mojap-ingestion-${local.environment}-ext-2024-target" - ] - } -} - -#tfsec:ignore:avd-aws-0088 - The bucket policy is attached to the bucket -#tfsec:ignore:avd-aws-0132 - The bucket policy is attached to 
the bucket -module "ext_2024_target_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.2" - - bucket = "mojap-ingestion-${local.environment}-ext-2024-target" - - force_destroy = true - - versioning = { - enabled = true - } - attach_policy = true - policy = data.aws_iam_policy_document.ext_2024_target_bucket_policy.json - - server_side_encryption_configuration = { - rule = { - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } -} From 6778c4772d6f5e33c8fb276085541e3bb220ef33 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 25 Nov 2024 09:48:00 +0000 Subject: [PATCH 301/308] Add cloudwatch_custom_namespaces for DPR Signed-off-by: Jacob Woffenden --- .../observability-platform/environment-configurations.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index a50b07efc2e..da150b3d9f5 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -62,6 +62,7 @@ locals { "aws_accounts" = { "digital-prison-reporting-development" = { cloudwatch_enabled = true + cloudwatch_custom_namespaces = "DPRAgentCustomMetrics,DPRDataReconciliationCustom" prometheus_push_enabled = false amazon_prometheus_query_enabled = false xray_enabled = false @@ -69,6 +70,7 @@ locals { }, "digital-prison-reporting-preproduction" = { cloudwatch_enabled = true + cloudwatch_custom_namespaces = "DPRAgentCustomMetrics,DPRDataReconciliationCustom" prometheus_push_enabled = false amazon_prometheus_query_enabled = false xray_enabled = false 
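Review bot: The literal `"DPRAgentCustomMetrics,DPRDataReconciliationCustom"` is added to the development and preproduction entries here and repeated in the test and production hunks that follow. A later namespace change therefore has to be made in four places, and a missed one would presumably leave that account's custom metrics out of the dashboards without any plan-time error. Define it once, for example `dpr_cloudwatch_custom_namespaces = "DPRAgentCustomMetrics,DPRDataReconciliationCustom"` in a locals block, and reference `local.dpr_cloudwatch_custom_namespaces` from each account entry. How the string is parsed is not visible in these hunks, so confirm the consumer splits on commas rather than expecting a list. The enclosing `locals` block starts and ends outside the hunks.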
@@ -76,6 +78,7 @@ locals {
 },
 "digital-prison-reporting-test" = {
 cloudwatch_enabled = true
+ cloudwatch_custom_namespaces = "DPRAgentCustomMetrics,DPRDataReconciliationCustom"
 prometheus_push_enabled = false
 amazon_prometheus_query_enabled = false
 xray_enabled = false
@@ -154,6 +157,7 @@ locals {
 "aws_accounts" = {
 "digital-prison-reporting-production" = {
 cloudwatch_enabled = true
+ cloudwatch_custom_namespaces = "DPRAgentCustomMetrics,DPRDataReconciliationCustom"
 prometheus_push_enabled = false
 amazon_prometheus_query_enabled = false
 xray_enabled = false
From 7694fabb529fd5f9561d79ee4ebc8c83e46c5cee Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Mon, 25 Nov 2024 10:56:27 +0000
Subject: [PATCH 302/308] Initial update
---
 .devcontainer/README.md | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index bf6a524f218..1d71e3c733e 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -1,28 +1,32 @@ # Dev Container +> [!NOTE] > This is a community supported feature -To assist in the development of `modernisation-platform-environments`, the community have built a [dev container](https://containers.dev/) with the required tooling +To assist with working on this repository, the community has configured a [dev container](https://containers.dev/) with the required tooling. -## Prerequisites +You can run this locally, or with [GitHub Codespaces](https://docs.github.com/en/codespaces/overview). -- GitHub Codespaces +## GitHub Codespaces -or +To launch a GitHub Codespace, use the button below: -- Docker +[![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments) -- Visual Studio Code +## Locally - - Dev Containers Extention +> [!WARNING] +> This has only been tested on macOS -## Running +### Prerequisites -### GitHub Codespaces +- Docker -Launch from GitHub +- Visual Studio Code + + - Dev Containers Extention -### Locally +### Steps 1. Ensure prerequisites are met From 680937858a3dfec5cae5844f902a3c99ea6bcb1b Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 25 Nov 2024 11:00:15 +0000 Subject: [PATCH 303/308] Add button --- .devcontainer/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.devcontainer/README.md b/.devcontainer/README.md index 1d71e3c733e..5aac7ac37f4 100644 --- a/.devcontainer/README.md +++ b/.devcontainer/README.md @@ -9,7 +9,7 @@ You can run this locally, or with [GitHub Codespaces](https://docs.github.com/en ## GitHub Codespaces -To launch a GitHub Codespace, use the button below: +To launch a GitHub Codespace, use the button below [![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments) 
@@ -28,6 +28,8 @@ To launch a GitHub Codespace, use the button below: ### Steps +[![Open in Dev Container](https://raw.githubusercontent.com/ministryofjustice/.devcontainer/refs/heads/main/contrib/badge.svg)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/ministryofjustice/modernisation-platform-environments) + 1. Ensure prerequisites are met 1. Clone repository From 544a5418d7e0d3dd2749f77b7cab41c0a67deaa4 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 25 Nov 2024 11:26:59 +0000 Subject: [PATCH 304/308] Update wording --- .devcontainer/README.md | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/.devcontainer/README.md b/.devcontainer/README.md index 5aac7ac37f4..a175a0a9dcc 100644 --- a/.devcontainer/README.md +++ b/.devcontainer/README.md @@ -7,12 +7,6 @@ To assist with working on this repository, the community has configured a [dev c You can run this locally, or with [GitHub Codespaces](https://docs.github.com/en/codespaces/overview). -## GitHub Codespaces - -To launch a GitHub Codespace, use the button below - -[![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments) - ## Locally > [!WARNING] 
@@ -26,17 +20,18 @@ To launch a GitHub Codespace, use the button below - Dev Containers Extention -### Steps +To launch locally, ensure the prerequisites are met, and then click the button below [![Open in Dev Container](https://raw.githubusercontent.com/ministryofjustice/.devcontainer/refs/heads/main/contrib/badge.svg)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/ministryofjustice/modernisation-platform-environments) -1. Ensure prerequisites are met +## GitHub Codespaces -1. Clone repository +> [!IMPORTANT] +> GitHub Codespaces are not currently paid for by the Ministry of Justice and are subject to the quotas [here](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-codespaces/about-billing-for-github-codespaces#monthly-included-storage-and-core-hours-for-personal-accounts) -1. Open repository in Visual Studio Code +To launch a GitHub Codespace, click the button below -1. Reopen in container +[![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments) ## Tools From f9a34e3ccf179e427ab34bb09973f1651731fc30 Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Mon, 25 Nov 2024 11:27:15 +0000 Subject: [PATCH 305/308] deploy t2-onr-bods-1 and enable asg for testing adding 2nd bods machine (#8776) --- .../oasys-national-reporting/locals_test.tf | 44 +++++++++---------- 1 file changed, 20 insertions(+), 24 deletions(-) diff --git a/terraform/environments/oasys-national-reporting/locals_test.tf b/terraform/environments/oasys-national-reporting/locals_test.tf index 096a578a62d..cfc069059fc 100644 --- a/terraform/environments/oasys-national-reporting/locals_test.tf +++ b/terraform/environments/oasys-national-reporting/locals_test.tf 
@@ -133,10 +133,10 @@ locals { instance_profile_policies = concat(local.ec2_autoscaling_groups.bods.config.instance_profile_policies, [ "Ec2SecretPolicy", ]) - # user_data_raw = base64encode(templatefile( - # "./templates/user-data-onr-bods-pwsh.yaml.tftpl", { - # branch = "TM/TM-620/test-pagefile-change" - # })) + user_data_raw = base64encode(templatefile( + "./templates/user-data-onr-bods-pwsh.yaml.tftpl", { + branch = "TM/TM-660/onr-bods-second-server" + })) }) instance = merge(local.ec2_autoscaling_groups.bods.instance, { instance_type = "m4.xlarge" @@ -151,26 +151,22 @@ locals { ec2_instances = { - # t2-onr-bods-1 = merge(local.ec2_instances.bods, { - # config = merge(local.ec2_instances.bods.config, { - # availability_zone = "eu-west-2a" - # user_data_raw = base64encode(templatefile( - # "./templates/user-data-onr-bods-pwsh.yaml.tftpl", { - # } - # )) - # instance_profile_policies = concat(local.ec2_instances.bods.config.instance_profile_policies, [ - # "Ec2SecretPolicy", - # ]) - # }) - # instance = merge(local.ec2_instances.bods.instance, { - # instance_type = "m4.xlarge" - # }) - # cloudwatch_metric_alarms = null - # tags = merge(local.ec2_instances.bods.tags, { - # oasys-national-reporting-environment = "t2" - # domain-name = "azure.noms.root" - # }) - # }) + t2-onr-bods-1 = merge(local.ec2_instances.bods, { + config = merge(local.ec2_instances.bods.config, { + availability_zone = "eu-west-2a" + instance_profile_policies = concat(local.ec2_instances.bods.config.instance_profile_policies, [ + "Ec2SecretPolicy", + ]) + }) + instance = merge(local.ec2_instances.bods.instance, { + instance_type = "m4.xlarge" + }) + cloudwatch_metric_alarms = null + tags = merge(local.ec2_instances.bods.tags, { + oasys-national-reporting-environment = "t2" + domain-name = "azure.noms.root" + }) + }) # Pending sorting out cluster install of Bods in modernisation-platform-configuration-management repo # t2-onr-bods-2 = merge(local.ec2_instances.bods, { 
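Review bot: The re-enabled `user_data_raw` passes `branch = "TM/TM-660/onr-bods-second-server"`, which pins the autoscaling group's bootstrap to a feature branch. If the template uses that value to fetch configuration at first boot, as the name suggests, anyone able to push to the branch decides what runs on instances that also carry `Ec2SecretPolicy`. Newly launched instances would also fail to bootstrap once the branch is deleted after merge. Before this leaves testing, point it at the default branch or at a tag or commit reference. Until then, add a comment such as `# TODO(TM-660): temporary feature branch for testing; revert before merge`. The template file is outside the hunk, so how `branch` is consumed is an assumption.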
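Review bot: `cloudwatch_metric_alarms = null` on the newly enabled `t2-onr-bods-1` overrides whatever alarms `local.ec2_instances.bods` supplies, and nothing in the hunk says whether that is temporary. An instance without alarms can fail unnoticed, so either drop the override and let the defaults apply, or record the intent next to it, e.g. `# alarms disabled while the second BODS server is being built; restore defaults once stable`. The `ec2_instances` map continues past the end of the hunk.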
From 9b5b07fae1e60d21685c627b8806dbf22304ef31 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Mon, 25 Nov 2024 11:38:56 +0000 Subject: [PATCH 306/308] TM-720: add endpoint dashboard (#8780) * TM-720: add endpoint and pipeline dashboard * fix * revert * fix * fix * fix oem dash --- terraform/environments/hmpps-oem/locals.tf | 48 ++++++++++++++++++---- terraform/environments/hmpps-oem/main.tf | 5 +++ terraform/modules/baseline/ssm.tf | 2 +- 3 files changed, 46 insertions(+), 9 deletions(-) diff --git a/terraform/environments/hmpps-oem/locals.tf b/terraform/environments/hmpps-oem/locals.tf index e432fdb9efe..2fa555f3fd2 100644 --- a/terraform/environments/hmpps-oem/locals.tf +++ b/terraform/environments/hmpps-oem/locals.tf @@ -19,6 +19,7 @@ locals { baseline_environment_specific = local.baseline_environments_specific[local.environment] cloudwatch_dashboard_default_widget_groups = [ + "ec2_instance_endpoint_monitoring", "network_lb", "lb", "ec2", @@ -72,6 +73,16 @@ locals { module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_oracle_db_with_backup, ] } + "endpoints-and-pipelines" = { + account_name = "hmpps-oem-${local.environment}" + periodOverride = "auto" + start = "-PT6H" + widget_groups = [ + module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_endpoint_monitoring, + module.baseline_presets.cloudwatch_dashboard_widget_groups.ssm_command, + module.baseline_presets.cloudwatch_dashboard_widget_groups.github_workflows, + ] + } "hmpps-domain-services-${local.environment}" = { account_name = "hmpps-domain-services-${local.environment}" periodOverride = "auto" 
@@ -83,16 +94,37 @@ locals { ] } "hmpps-oem-${local.environment}" = { - account_name = "hmpps-oem-${local.environment}" + account_name = null periodOverride = "auto" start = "-PT6H" - widget_groups = [ - module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2, - module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_linux, - module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_linux, - module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_oracle_db_with_backup, - module.baseline_presets.cloudwatch_dashboard_widget_groups.ec2_instance_textfile_monitoring, - ] + widget_groups = [{ + header_markdown = "## EC2 Oracle Enterprise Management" + width = 8 + height = 8 + add_ebs_widgets = { + iops = true + throughput = true + } + search_filter = { + ec2_tag = [ + { tag_name = "server-type", tag_value = "hmpps-oem" }, + ] + } + widgets = [ + module.baseline_presets.cloudwatch_dashboard_widgets.ec2.cpu-utilization-high, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2.instance-status-check-failed, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2.system-status-check-failed, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_cwagent_linux.free-disk-space-low, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_cwagent_linux.high-memory-usage, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_cwagent_linux.cpu-iowait-high, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_linux.free-disk-space-low, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_service_status_os.service-status-error-os-layer, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_service_status_app.service-status-error-app-layer, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_oracle_db_connected.oracle-db-disconnected, + 
module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_oracle_db_backup.oracle-db-rman-backup-error, + module.baseline_presets.cloudwatch_dashboard_widgets.ec2_instance_cwagent_collectd_oracle_db_backup.oracle-db-rman-backup-did-not-run, + ] + }] } "nomis-${local.environment}" = { account_name = "nomis-${local.environment}" diff --git a/terraform/environments/hmpps-oem/main.tf b/terraform/environments/hmpps-oem/main.tf index cd706d8538e..f6c8672c4bd 100644 --- a/terraform/environments/hmpps-oem/main.tf +++ b/terraform/environments/hmpps-oem/main.tf @@ -178,6 +178,11 @@ module "baseline" { lookup(local.baseline_environment_specific, "s3_buckets", {}), ) + schedule_alarms_lambda = merge( + lookup(local.baseline_all_environments, "schedule_alarms", {}), + lookup(local.baseline_environment_specific, "schedule_alarms", {}), + ) + secretsmanager_secrets = merge( module.baseline_presets.secretsmanager_secrets, lookup(local.baseline_all_environments, "secretsmanager_secrets", {}), diff --git a/terraform/modules/baseline/ssm.tf b/terraform/modules/baseline/ssm.tf index 588f02e66a2..ffecf9b6634 100644 --- a/terraform/modules/baseline/ssm.tf +++ b/terraform/modules/baseline/ssm.tf @@ -59,7 +59,7 @@ resource "aws_ssm_association" "this" { apply_only_at_cron_interval = each.value.apply_only_at_cron_interval association_name = each.key - name = each.value.name + name = try(aws_ssm_document.this[each.value.name].name, each.value.name) # so ssm_doc is created first max_concurrency = each.value.max_concurrency max_errors = each.value.max_errors schedule_expression = each.value.schedule_expression From 82eb9d6f9e50de2c52fa3f1b9b8fdc7236d82d8f Mon Sep 17 00:00:00 2001 
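Review bot: In the main.tf hunk the new `schedule_alarms_lambda` argument looks up the key `"schedule_alarms"`, whereas the neighbouring `secretsmanager_secrets` argument reads a key matching its own name. Both `lookup` calls default to `{}`, so if the environment locals define the setting under a different key the merge silently yields an empty map and no alarm schedule is created, with no plan error. If the locals use `schedule_alarms_lambda`, change the lookups to `lookup(local.baseline_all_environments, "schedule_alarms_lambda", {})` and its environment-specific equivalent. If `schedule_alarms` is intended, add a comment such as `# locals key is schedule_alarms; the module input is schedule_alarms_lambda`. The module call starts and ends outside the hunk.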
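Review bot: In the ssm.tf hunk the trailing comment on `name = try(aws_ssm_document.this[each.value.name].name, each.value.name)` explains the ordering benefit but not the fallback. When the key is absent from `aws_ssm_document.this`, the raw string is used as the document name, so a misspelt key is passed through as a literal instead of failing at plan time. Since the association decides which document runs on the targeted instances, document both cases, e.g. `# use the managed document when one exists (so it is created first); otherwise name refers to a document not managed by this module`. The `aws_ssm_association` resource begins and ends outside the hunk.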
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 25 Nov 2024 12:10:48 +0000 Subject: [PATCH 307/308] Updates from GitHub Actions Format Code workflow (#8772) Co-authored-by: modernisation-platform-ci Co-authored-by: dms1981 --- .../corporate-information-system/iam.tf | 72 +++++++++---------- .../application_variables.json | 20 ++---- .../modules/dms_s3_v2/versions.tf | 2 +- .../domains/dms-endpoints/variables.tf | 2 +- .../modules/s3_bucket/main.tf | 6 +- terraform/environments/edw/ec2.tf | 2 +- .../electronic-monitoring-data/s3.tf | 6 +- terraform/environments/ppud/iam.tf | 28 ++++---- .../environments/tribunals/cloudfront.tf | 12 ++-- 9 files changed, 69 insertions(+), 81 deletions(-) diff --git a/terraform/environments/corporate-information-system/iam.tf b/terraform/environments/corporate-information-system/iam.tf index aa2fdb4a3b8..4a6865831b6 100644 --- a/terraform/environments/corporate-information-system/iam.tf +++ b/terraform/environments/corporate-information-system/iam.tf 
@@ -74,44 +74,44 @@ resource "aws_iam_role_policy" "cis_s3fs_policy" { Version = "2012-10-17" Statement = [ { - "Action": [ - "s3:*" + "Action" : [ + "s3:*" ], - "Resource": [ - "arn:aws:s3:::laa-software-bucket2", - "arn:aws:s3:::laa-software-bucket2/*", - "arn:aws:s3:::laa-software-library", - "arn:aws:s3:::laa-software-library/*", - "arn:aws:s3:::laa-cis-inbound-production", - "arn:aws:s3:::laa-cis-inbound-production/*", - "arn:aws:s3:::laa-cis-outbound-production", - "arn:aws:s3:::laa-cis-outbound-production/*", - "arn:aws:s3:::laa-ccms-outbound-production", - "arn:aws:s3:::laa-ccms-outbound-production/*", - "arn:aws:s3:::laa-ccms-inbound-production", - "arn:aws:s3:::laa-ccms-inbound-production/*" + "Resource" : [ + "arn:aws:s3:::laa-software-bucket2", + "arn:aws:s3:::laa-software-bucket2/*", + "arn:aws:s3:::laa-software-library", + "arn:aws:s3:::laa-software-library/*", + "arn:aws:s3:::laa-cis-inbound-production", + "arn:aws:s3:::laa-cis-inbound-production/*", + "arn:aws:s3:::laa-cis-outbound-production", + "arn:aws:s3:::laa-cis-outbound-production/*", + "arn:aws:s3:::laa-ccms-outbound-production", + "arn:aws:s3:::laa-ccms-outbound-production/*", + "arn:aws:s3:::laa-ccms-inbound-production", + "arn:aws:s3:::laa-ccms-inbound-production/*" ], - "Effect": "Allow" - }, - { - "Action": [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:DescribeLogStreams", - "logs:PutRetentionPolicy", - "logs:PutLogEvents", - "ec2:DescribeInstances" - ], - "Resource": "*", - "Effect": "Allow" - }, - { - "Action": [ - "ec2:CreateTags" - ], - "Resource": "*", - "Effect": "Allow" - } + "Effect" : "Allow" + }, + { + "Action" : [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:DescribeLogStreams", + "logs:PutRetentionPolicy", + "logs:PutLogEvents", + "ec2:DescribeInstances" + ], + "Resource" : "*", + "Effect" : "Allow" + }, + { + "Action" : [ + "ec2:CreateTags" + ], + "Resource" : "*", + "Effect" : "Allow" + } ] }) } \ No newline at end of file 
diff --git a/terraform/environments/digital-prison-reporting/application_variables.json b/terraform/environments/digital-prison-reporting/application_variables.json index 5ef69277647..18c80c7cd78 100644 --- a/terraform/environments/digital-prison-reporting/application_variables.json +++ b/terraform/environments/digital-prison-reporting/application_variables.json @@ -94,10 +94,7 @@ "setup_sonatype_secrets": true, "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, - "dps_domains": [ - "dps-activities", - "dps-case-notes" - ], + "dps_domains": ["dps-activities", "dps-case-notes"], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -272,10 +269,7 @@ "setup_sonatype_secrets": false, "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, - "dps_domains": [ - "dps-activities", - "dps-case-notes" - ], + "dps_domains": ["dps-activities", "dps-case-notes"], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -452,10 +446,7 @@ "setup_scheduled_action_iam_role": true, "setup_redshift_schedule": true, "enable_redshift_health_check": true, - "dps_domains": [ - "dps-activities", - "dps-case-notes" - ], + "dps_domains": ["dps-activities", "dps-case-notes"], "alarms": { "setup_cw_alarms": true, "redshift": { @@ -648,10 +639,7 @@ "setup_sonatype_secrets": false, "setup_scheduled_action_iam_role": false, "setup_redshift_schedule": false, - "dps_domains": [ - "dps-activities", - "dps-case-notes" - ], + "dps_domains": ["dps-activities", "dps-case-notes"], "alarms": { "setup_cw_alarms": true, "redshift": { diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf index d2163a87985..bf68a137672 100644 --- a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/versions.tf 
@@ -6,7 +6,7 @@ terraform { } template = { - source = "hashicorp/template" + source = "hashicorp/template" version = "~> 2.2" } diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf index aa7f9023442..a2dc57b6c98 100644 --- a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf @@ -117,7 +117,7 @@ variable "identifier" { #-------------------------------------------------------------- variable "target_backup_retention_period" { - type = string + type = string # Days default = "30" description = "Retention of RDS backups" diff --git a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf index 4cf22f0992a..50c941d071e 100644 --- a/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/s3_bucket/main.tf @@ -46,7 +46,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { # - Transitions objects to STANDARD_IA after 30 days (cost-effective storage for infrequent access). # - Deletes objects after 90 days. dynamic "transition" { - for_each = var.lifecycle_category == "short_term" ? [ { days = 30, storage_class = "STANDARD_IA" } ] : [] + for_each = var.lifecycle_category == "short_term" ? [{ days = 30, storage_class = "STANDARD_IA" }] : [] content { days = transition.value.days storage_class = transition.value.storage_class 
@@ -54,8 +54,8 @@ resource "aws_s3_bucket_lifecycle_configuration" "lifecycle" { } dynamic "expiration" { - for_each = var.lifecycle_category == "short_term" ? [ { days = 90 } ] : ( - var.lifecycle_category == "temporary" ? [ { days = 30 } ] : []) + for_each = var.lifecycle_category == "short_term" ? [{ days = 90 }] : ( + var.lifecycle_category == "temporary" ? [{ days = 30 }] : []) content { days = expiration.value.days } diff --git a/terraform/environments/edw/ec2.tf b/terraform/environments/edw/ec2.tf index 73dd891836b..67aab63cb4d 100644 --- a/terraform/environments/edw/ec2.tf +++ b/terraform/environments/edw/ec2.tf @@ -347,7 +347,7 @@ EOF ####### IAM role ####### resource "aws_iam_role" "edw_ec2_role" { - name = "${local.application_name}-ec2-instance-role" + name = "${local.application_name}-ec2-instance-role" tags = merge( local.tags, { diff --git a/terraform/environments/electronic-monitoring-data/s3.tf b/terraform/environments/electronic-monitoring-data/s3.tf index b9d23c5236b..a35631c8a09 100644 --- a/terraform/environments/electronic-monitoring-data/s3.tf +++ b/terraform/environments/electronic-monitoring-data/s3.tf @@ -5,15 +5,15 @@ locals { "production" = null "preproduction" = { "account_number" = 173142358744 - "role_name" = "juniper-datatransfer-lambda-role" + "role_name" = "juniper-datatransfer-lambda-role" } "test" = { "account_number" = 173142358744 - "role_name" = "dev-datatransfer-lambda-role" + "role_name" = "dev-datatransfer-lambda-role" } "development" = { "account_number" = 173142358744 - "role_name" = "dev-datatransfer-lambda-role" + "role_name" = "dev-datatransfer-lambda-role" } } } diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index 15ecce0c131..cd6af3eac6f 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf 
@@ -1183,20 +1183,20 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_get_metric_data_dev" ] }, { - "Sid" : "SQSPolicy", - "Effect" : "Allow", - "Action" : [ - "sqs:ChangeMessageVisibility", - "sqs:DeleteMessage", - "sqs:GetQueueAttributes", - "sqs:GetQueueUrl", - "sqs:ListQueueTags", - "sqs:ReceiveMessage", - "sqs:SendMessage" - ], - "Resource" : [ - "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production" - ] + "Sid" : "SQSPolicy", + "Effect" : "Allow", + "Action" : [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ListQueueTags", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource" : [ + "arn:aws:sqs:eu-west-2:${local.environment_management.account_ids["ppud-production"]}:Lambda-Queue-Production" + ] }, { "Sid" : "SESPolicy", diff --git a/terraform/environments/tribunals/cloudfront.tf b/terraform/environments/tribunals/cloudfront.tf index 489a37f5dc1..c81f76104f9 100644 --- a/terraform/environments/tribunals/cloudfront.tf +++ b/terraform/environments/tribunals/cloudfront.tf @@ -10,12 +10,12 @@ resource "aws_cloudfront_distribution" "tribunals_distribution" { origin_id = "tribunalsOrigin" custom_origin_config { - http_port = 80 - https_port = 443 - origin_protocol_policy = "https-only" - origin_ssl_protocols = ["TLSv1.2"] + http_port = 80 + https_port = 443 + origin_protocol_policy = "https-only" + origin_ssl_protocols = ["TLSv1.2"] origin_keepalive_timeout = 60 - origin_read_timeout = 60 + origin_read_timeout = 60 } custom_header { 
@@ -27,7 +27,7 @@ resource "aws_cloudfront_distribution" "tribunals_distribution" { default_cache_behavior { target_origin_id = "tribunalsOrigin" - cache_policy_id = data.aws_cloudfront_cache_policy.caching_disabled.id + cache_policy_id = data.aws_cloudfront_cache_policy.caching_disabled.id origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer.id viewer_protocol_policy = "redirect-to-https" From cc41b2beb3fd602063d7112cbac28852f721c511 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Mon, 25 Nov 2024 12:38:18 +0000 Subject: [PATCH 308/308] Remote deleted roles from secrets manager sharing (#8782) --- .../hmpps-domain-services/locals_secretsmanager.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/terraform/environments/hmpps-domain-services/locals_secretsmanager.tf b/terraform/environments/hmpps-domain-services/locals_secretsmanager.tf index 0273edb078c..9a1ccda3578 100644 --- a/terraform/environments/hmpps-domain-services/locals_secretsmanager.tf +++ b/terraform/environments/hmpps-domain-services/locals_secretsmanager.tf 
@@ -9,8 +9,6 @@ locals {
 "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-test}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.planetfm-development}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.planetfm-test}:role/EC2HmppsDomainSecretsRole",
- "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-development}:role/LambdaFunctionADObjectCleanUp",
- "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-test}:role/LambdaFunctionADObjectCleanUp",
 "arn:aws:iam::${module.environment.account_ids.core-shared-services-production}:role/ad-fixngo-ec2-nonlive-role",
 "arn:aws:iam::${module.environment.account_ids.nomis-development}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.nomis-test}:role/EC2HmppsDomainSecretsRole",
@@ -26,8 +24,6 @@ locals {
 "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-production}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.planetfm-preproduction}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.planetfm-production}:role/EC2HmppsDomainSecretsRole",
- "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-preproduction}:role/LambdaFunctionADObjectCleanUp",
- "arn:aws:iam::${module.environment.account_ids.corporate-staff-rostering-production}:role/LambdaFunctionADObjectCleanUp",
 "arn:aws:iam::${module.environment.account_ids.core-shared-services-production}:role/ad-fixngo-ec2-live-role",
 "arn:aws:iam::${module.environment.account_ids.nomis-preproduction}:role/EC2HmppsDomainSecretsRole",
 "arn:aws:iam::${module.environment.account_ids.nomis-production}:role/EC2HmppsDomainSecretsRole",

uTs~hdZJxX=g5oFb_z}M`^WIO$3b@;Hx%J|3p)gO8Tk(Iz zxUHdgNKB4Q(ECxd#SDl2W#$dw@8+Er6nzoKiHoJ|{Iv%-f~i;7iV|YOxJFmgA%s`L zHb^Pjg+R-jfEGs4^~+3|7yQ6IS1%;%cNn3X;4ZH{I@!ac+t&}df*EOpGrN52z}}U~ z^M#<>YdIs4B_alwD<0bsXKp+SZY^Ep5!;;L0Lo z;J}kLRZW9!J*439P21U>E*129GQ>Cxz^mRGWk@uq$A?r>0B!u^w{l{SE@}>v7qPBZ z_Kb-x3;~WuS>ve>A~c%@x+{Xz5TMS+CXe>EwwZ|7Rxk_hilO<2EQ4PaN{Ag3FFf#@ zYvIDt$7XwSa`JARkN|bkb)O63>y=KwzklG4#X#W_A=vXDGJ-fu%Xiz9hG}f>$>R7? z0M9H*lH{$Iqw^O#X5RgD3>(gDnQ9)c36lDPXQ#XC(FJ)`1s&VVmwunH)udPO!RcEQ zaLT7ocgjOZ6h6R6AeyTi=BDBR)Y_Q$?V&Ch?n-(WyY}GyD0p;eKN`bN;4Y416+aP- z)ZRd88?0xyFn5W09elizG#&(rLwI%x2mO$Q1mYe1rdc^cBt3KCnj01H#M|R{{%9d1 zUN)#;x2IfoLM{MU4VvPh_X7L8cWU~uniW4@+}D>hDi=S7O{POVJ#o1vhQwRq`J`ZN z_{Y$?9R>;B>bM|IObr8YEtrTiSKweFm=?!}Hy!h4^<@S_^vvnGJC%WNLR&UWU&qd z8f0tG&>yfX{PEW_s4+X%`N4qc+P0u#0HEA^GTjI|SlKwZE`W8sSt4jkS6HMDQDS^_r9fx>7l{!nBga(ZG$Gaz!Yx}yVJADIeH59fIN!6#sX{B@weB-_Nd z@M3+449G*M4a(`e=^ZrFnOh=}{PzH$yRxx^-+GY|XQS`>xxapsc;eLzg ztA-+An8TAK2KgiWr>gusbTBf_FR>CV7$V!h32;p@x_h%&iZN9x0lOoA`ucGTmjK2_ zBs6A_l6Gcx;~-0*m;Ut74wiz(vDJ=q5IxYh5 zKV@BbC>*mp3A^>p86iOadd&D+Hq|FuLNQ88HdV%__sWZWGwcD_mP1>Gd05tB&RAi& zN`3wzGRG5wGRLHpj{p{ucP<=r86+BAZ_Cj(kgGr^EAGOX%4&OJq*@^`&ej4nqz+Sn z*2!a6iw5+%BPn|npvYurVLxk1ou{eWTaoURbsS?gqIBFam7DCDwpj&TxrA~K8|m-V zTYj@deZrA^GGKW&s8!<>wFyq~_(-j4y?o726dFLy+CFj;l?a}=kC@6k!szZdXzoKdqOED^yrSX z^oWnCh?T19C~O^_E6$=gV2v)+Ng|^&&L}xxmWa$rEZ{O;#;MLMXv#&B!Irv6;{@NX z5?NAXdxEf42pAf#P6Mx&skd=VpNm2D_+pXRzHwB&l77jWx=N#>DJ^8&-R3)6 z>Z{o}zG&{~G52i}-HG6J2~+Z6Q+SCYkYo&Sr0&uwZa%)0+WKM(Zed?!lutoVgKZ1h zN`J)hsBt)~WzxwKW7n|W_K@q6`A#`=>eJ}XX;srYpU6}3Y_(p=ED;FG*I_3i@@xdV z%t^7=I!3*w?eZdQ-;koWsyYxBNo4wSA{C?YkDmss1zdC;2#rQzyi2OWowa^ry{tv9 z1-{b%N7_3E$ri0yyX9T3UADE$wr$%sciFaW+qP}nwr$)xU)jX^*-*Fo<=Nb_fnd4OV zS`yxy$Lb(yU9cJ}S||tH$J>AYR_5&2a*BP3E@VFIt1^fWI>spACt9q}ZwxuXL=_A`UpmhOnF42O}PfZR_`&saeZ zUg>1dRcIE~PP-CNs<;G0M$Jqs8^811(nhpdU;Ht&*Gh&GdlM_~$b7n6j$#-qR}=#m;Y!aU8;=Ee9y%GM*o#yX7fGY zdPn@NJvDzjCb7IuzFDQ|umV`M2272bp)jS?o>xElXu*=3i>Y-jY^qEg2ftG|5K$Xf 
zeyDqpmOdlYj&mG3;C$yBU=P>f%lpP7?jx-As7-Q@`;Wfme{Ix^{+}mo|1RuRQiK2i z{)ct(e?hAK->uMob{4ayAA@-7AJs7Ze>bGf&*EOs!OX_`en#ImwQSFSVGw${|>9Os>aPP@*|9Q0D zEs{?K!1F7){EiUE#~XNgzdF%oYxn>P&zCVKXW(ELA>J6T^!=`jn0a!JJ^h&mbPf<4 zjTV&XTL2IAU`GKLVA}H$a6SV`(ih|zrO9Jjmm9FsvpY-F^R5?$?s2ry0AWD>?H;bxRwszf+tflt`IJqe$3Qm?zF;YnKHop9*$iCJ<0ckQ5?X2rk@UH z>UdWb?)cdj5DxXhRx^`=Aq9#J%ViEIjZ^0KyS0D!5|HeMI72$1GRcxp?tt=k&b)D1 z5h1n$1uBeO15lIVkclEeE|DQmJ)vG1WOSTZZBdZ8o=9W1t*n17k|NbZtm%oZl6m{+ z23<;^wKa}J1B;ngAh5$6)Ygi-Ip#*Kg8cYc4lO;5omOr%4Z`oniA_zgH8FyORE7Qz zo6g8Sa1O~}?7_(DMd#w~$Jxk8pgoUF!+d;fu&s`Qp9iv6I1IvCZ+S}7Zy z_g}GDYLffbR>Rvar{)}@d-)<4X0mxt8I-eiuQr$MJwdwS14cQ`^HqCF>E(40eIhpC z?q9|-+hFaZ=|I%bS25`4y_PE%+yUX9#?`z9n@72X1s8wEUgYF)7^87W5B2Jy&aH%{ zsPB$%viq_{Sn@F+o`Wv5QQDZ7ba=u;a!ueV*`>mxaMJEaGVfbXG6tu)zq~QRr^G%l z?%L0z{8NF?YoLi&E+2Y2Gwr>ipM=pk6P6}ZP^?%<=wxa?r?GLr05L5 zH62O$I{+G{Ts;2jo6u=im;RmZh%LIms(XZeGT&^TBLC!}YuhK?8=JshS{m}sM!0=g zIbIn}Qo}lijo#0&F^4#B1VNZwGEQrU2Ry&@X6YPkVh^63WBKGNt;~!)2cY@`Dm6mZ z=VC57a;zxzX9CK+RFx7>DhWhHN~&QVpt*0g-R=n|5Dpr!EJE4Pu$IlJOV^S0b3m9! 
z5KF``n@YM$h=`y_p`?aYslS(uW@8x7PUnXo6zK9b(YvIMV~8s;J~9$?>fN)Nuqe41 zopzji=hEFM&dJwyBgVZ@)^EI;g0Bm7bbmVifyJ%TR` zL(l8J44zvX^lOIFgZXW*jE>b9T6(R+>%8f&#a2tB;RZhszztc))Cvrm(bpJepQ}KN zB{;4UAZBJD^JZAeWpH+nh)TBT&@B|lC2ASK)ioVQTQf-+x8^$?06U`Fo-{GD!GQ6@ zQtGnD`_Z-b9Wcj755p4c-`jM#{k!U}`L9OpT@z?8V}GVlzg{@B4_Rao{(fVXYlAPN zlO*iR^DX14{!VgTuyrw*=SthOnxvh4#4NE=wl`-jHo!RG0XGAoBN>8NYU>bw{iL;^;Z<{ zzproU8;)^q3^^MYA13y!h`pynsM3Br_(&j*iF+X>>e7T-3E-<< z0~Gv_2SN&sQ4He{R!?Xz#X_y)GJX}8VTonQvpTDDNdH3ob8wIV+M8OnC6wbjr_Nct zBR)k;dK1!Gk)aV=CXuPVi5Oo+K1noH_1al!d=(u}!m zVVS(T)yiZZwBB5WxhvqU@bG2t_JS2uC2Ip?5(mQOrZXsg5*m8V`nj*R-=-=S^0vWG zT$@8fphbllex5ksM*P$h!Zo9T+i}I&QYa_NDi2DPOZIXwZxS~99d5%BQM(}RJ%*wW z+~n%dBL~`hLNs8^+2*%v`Ay`(#Co?k#zNZFX|5@LT5msOsg0{y22G8g;*_zHw$^3k zgfrNL+XACA82rf4T{)yS^ zBWIS*xJL3ga-e--*G1C>)NapCl%VCB*=_`y!_0EMWHAr~)Tu*sSfr*w__XN6g3#Ky zsY6-{)Tp(=gXqTd@QUs;?t(02BqYSD&H^2My z0gLYU^+!9B9m3(I7|(1~DA>cR!xYx+_Q@{93XRSLg98&us5FN7%Lq!8+e)XNe2^); zI8Q6YxG|wYQ=3cbcVm!QV5`u_t9kpW<0sX#y*pra&h6S(srLYg4Q+rD7(YsSz$my6 zsbh?7HwoHOXEg-K=DRZRGTwkTQ}Md*_sm^zwrR2P7wZ2#Lkb0JfBB2}BeJ0XFJuG% z?56T>9kc(1ykb(_!V*)(sY}4_PnTFH@wpHenS6pN7o}PhvPcxsx|Ya!BbrUWWpWN1 zVdyAyDKyzI$%*lLk%kS+deQV_lh7`R+H#lzBb9m%)f$hGcY~1J44Lm1?2fVT7x+g$ zz~UcOMxL}Sdy}AyT+vmqHmSjK2Inh_Bai0{`)Mxw@19F1yu0Ol^;DjApP6pLP26&A zo=*v|+-pME!QaESB);%cbcp_}3?}dsdBn!>t7sJJ2FkT$OM+u+Q{*dx?i14YQhovs zLm7-Vh?;pEM@6pfJMf)!G?N@4*(+EUMXtp&1WiNgW?RG!p_jEzY0gmC`X&|eM_l~L zE7<2nuGO}Z7om?c9Wp1#@A{sM+msLCz_oyBHt-*Nx|T6V8iDwKS(zp8t@=V(F)#~X zo%AH32Y?v2@gu@}Rb!4g0%KU=({o;_@hPQ;NX)u4QViMw^IQT2gl9(^>X7LM@*jBL-sU zjOE+XQRqii_CpQn>(i%V`>5qpc0}#9JH{kdU8oVaAi@e?IAMQw~nD$fZ{ zi%@!1pX@!ZEXgM;3wA4)1_hIlI#Q&y2;oG*lglh;+9KZ^yCSh%ofO3j>O+Y-0Lktv zir5TB>9QomU|Ml<8b$6lMbe3yU4aVaOPDsKXTg@LZA_8|p>7^fPdF8~W{I3Hh?-oe zvkGkon_n1di0#nDuILlu(btfjK}!I;%=M(tV1V<{!FYiBd-Bl)BK$)Qwgl-IOb8bG zQX!1kpx}9wxtrWFBL;3aRGfEKK@yG`PBr~R^AZ?OhXOgluZyi5Hh>g(Z^em&nP+h7 
zVG%K9jOWa<^4d+}sMNGq60jHRC?octy}J-sW963-*tqSe@P(KefJ9Ql222PT>PJrr-)Hh-7Qz#<1bs^6j8{AjmU@=U0ipRB{xJy_%0dbwIh>o$r-(YYXm#=d~HhV*Q zk)mfetiYh>k%}EXJ<~2d0Q|<%s3gm2FSzn5^a9-^e();XQk5_sYp`}H3H)g86NsJ< zwvGk#E_x(Uz>DA1%0xL*GPn5}=}(1}%sTLzd{D+jpP=Mxofx<$>GqC>rcN)48kg$m z2^TC|V2krRxNF^S;5DR5g?G-Hq``v77`PS%Ih!9SAqu#tS6GY+2QW_YQ@e;HJMAy( zwjkGjTjOC5Q_+4q`H(0$aC(?(#r3G4<4prlFi!GOSiKV`Nlcm)oPR8r( zAfNV{m>`do=D!B;Oby3Yp%*>cM_ zJuj|q!)X8_I1LyX-mfEs9r9N3>7c;zwqn8m!-UY$aYyYFf&>WkdHOCYfRXASTsaeL z)?F8>H#}CtUjh9N16GGDE)IsLA(8N_rv@zjP@y`zD-fD_T#%ZQw>Ab>!VB62)Y*7`bXC*}(c~DbATY9d9tC>Y@P#g&drEALO_ZZO7aQGdzPD90 zGu|L1&*jj-5LwI~B9w!XX4TQ(x4~5YFT`S+uiw;fq?Go8t~oeya698fqwDV8c!9t zs^iw>TzMyucx_K1gp6qqC%U)hrrzm!TDB5jqm68 z&&$R|-SiB=vO99dL#1!@Du`;@PUS4=Wca`C3%88pQ?a$JiK_s*#lGgnvLqG597e{X z1gS|2tFDglvZW4RTVfCt*j8gDLKiD zf%VAPz8AkX(0D3=bYA8v<6){|tMw#PsMCI)L%H)_jAY7f{v9cAP4fn+19V%99_pC_ zl9$qco_!GpqG<#{^oo$SC)zTHW`OdI2_L#i_BEaw$Q5veJ*FB6P=d-6X2b|jky>-~ zQqWBTkx<5ocgiFbjfK6PjeU3y+;X>NPu1$kOZR|B5McfAd zJo9%zdFVlTU3@p#mr4et-8g=0`Iz>-v=Lkmgzn29zzVBRs+hiQg#ufUpExBueG?Y7 zyi3oOMOXJX-}2`rm9xYLZ1UUXgpZL`NaD|y^6RC*;4NQ{q_}U^CmG#uqNm_mZEkT(QJAj4+ zzIQ8xmC~mW?&5$F9mR(M+q3T%A45`nd&|a&Geo#w(80;ti%=19fC-I(Ge}sV13q!9 z3jznrhk+LKj5lq49aIDp;s=+be`CwEd^9g*cw^fc7A#Su{>9&T~Sd2m+LWs$zonAJK2)%OiGjob&Of(fN{4wa9~)*}vx4Ub%ohu<5^31MA<<{&8!&v)Sr=w4MGd zSc!?mcr(2YV?7zS->KISdXo!#{}OCS43LRIw+E?uUXo8%?gZe=sZm#X@iqbrVq_Qg z8-y^rdCpZdy!{<>ewgH2IS@}372Ei^1cTmkP%$q9O| zHFxh-_&g7|pa(LN2W(pD7bnCg=1=zCK)ZN-Gfn$&pqFw4P)fppCo~dWY3jr`STB5Ed9n4X!jOkzddd3ls|*n-;&$l0NP^! 
z+hcedRXx$V%A9;==JO!wW)w|3=jYe7XFAiwO?)!vg3~)?jr2J##>i7>{_H-L!)Rkr z!N?lyhv(!3{38V<9-l2K-Hp51e%Fi4Yj!1}Scjr0Git}HE%KN+Q7A6JnYcA^AcCo% zZv(bnLJsM8@uXR50`wfQlLc^v4i<<38i+v*DO5oEHkJ5X<-;F{tob#aTp;c65Vw#K z2nT+v`RLBay|B`=&=gqBo_Hu`??0^P3fX&y^v25g_%*V%^2?xxQ%V6mPbUb>G1m>l zP|8@auDB|nL%XjPF#a|uWuf5%u3$cyn+cB|i0^kE&3+Eees)Cg;&1R-RAP|0g+OB2 z_@L1Z13F)ro?jDMbMIb80Wb|F>Tv3Y!B1qt67iW`ce6o;lj)`BbqdczeDMpFz4gQ7 zBaEe7$mHJF{U&76y{yLS}mJj zvP_=fXMn}WNA$h3ULkZzKe50=#MqT%Q*4%Z-&FUjjb2v?BSiD1zYCAO&$O$M*!*Rv z_6HeUoN##R!9KE!|G%foi_ZHfz>GZ+fL3G|=ut6d-F69-$5c5jZWk(*6!mVr$xRrbl#qzhxnm5NJ z7JCxb2EK2#sSdMZ4j!oEA`YIUi}&BFaBi#|n{aL?U(-Wut{iY&lIfJ2fb6V@pXRgo z{N!Xtb*YmZdV2AAyxmtbTBRD|<&DE(pgGPXoX z6LYHLjT2*NU`l%k;$4{r$F+&y(5CN3wIK4Uw*=WoP4HjD*CbXmF4k8&#WNyUlShaX zMl>bJGZRjZ#rLLlB*5E$qoE)!?*nCTjaiL1S$(;ASg;JjdperGm4Ui?VUO70Q8nDB z^Ljyz*Z{wB$E@>u0US8X=Ho@fbbSD;yv7pVWX-9s@}*`MmffoTx^wKxq;Leg(FKQ- z+0CV;4D@vsHAF;UhavvDwQKK3T@!)5LC5;N{MVFYwJpf%DD>zuMlCktyUQVmJzz0vNeRfeD%ybhYqw z%~)Z3Ut#H3Vej=l8r;xIJLf3I|w0>iiJALm7cX7GK$*O|O z5fQ9Ni2Zf?7Aej*W6S3Nz)!&Dvv<7fX;fdO%D%GOF|B=#_2F@}epM|nedTeDF$@^& zv2VZYjx7#rhKl63L{E{@aFLY3J)=>5kNCjFb_3_u$QE(_Msyke0OYo}=sYZQHnw2BLSiLrcUaIuhtYbQ)OsRm5t0KlgEO*R@DQ+5{LmT@ zOr6~H2EYV&!Cy+e<0RPrD!Io&Mcs~I|K!%&k;IqV(DBGWNT@i9cvlFK1~o3lmwvKp zu3BJBlOfA?oZv%fD1Tn?bJ4A)6@9S; zsyBtF0f`!nv;fWM-2p$=R${@wll^92Nk?qg#e73u9}sB@b*I1$!dXcYZz{~QI@MdA z2(~X=J;rsYOlVWKR@<`UxsYY1g=5d6aO4yb&wy(`=8i~`uHZh=rf{r|MVO|#Q-Hfu zHGd4KQ^^P6Sr`E=s_U$B+d_H5x_~&7H;TcX6QSyZAfk?s7&cNMk$}^ZLo9ly7EDCK zQf+Mo!hT`4ol0m^wNq)-WXy0Vs0!Rrt5jB=G%}hkkf__xs3eA(gbKrsGM*w!w^SWJ z=ru-Dl&et2a;cTpD@eq*UsX+oo3duD@D-ij_gBjzTlTAYo@x*dR>5gB87@ zT-pgDLcCC#_e%`yWL)Lk;&@&LS!0#=53^4h&t`O&)+}89l!rA(C03Zb@*8FW+SD=SeVOSMNs|M9&RBZ=m($ZDjY>;Cam)0UsplPEt& z|KQkRZV0 z2+JF>yI_8Zn!h}?j^Ew3QF`w&iMs`E&~jc>S#)%Aa&og1<|!ua?p36lt^p|UiAKfc z=0NS{K+TTjZ4lFUl8@X88}B3q2`2k;8yX)`K*vSezKTc;cz$`l%?o#}-^bv`q3iix zQ2;Xpm)jZ4&WPym`pu*m;hU7}`hs7*uh)}=5g0BrkH&2nXztOa#xMC` zjNKlTn)vJ)I$0k)f>5hBi!Ac`hKwbV49ickp!gaclGisv%-TmA7q2e@H81ieS`Mry 
zP^m4RPPjop3vHhvn!v>{#uSBQcE&9o?S*;UqqA$X$I$iHHc9!SVQcF z$;-1NH!gdCrHBpvf}KaC;3n0SAs_T;5q7u_*z@w)(LX+!%_gcQ*|%J6C%)0(?)ETZ z$*5wrjeN(ilKENM+Z&U~Dgmh<7nHOut7H0eZ$S6I0~iHn&=#{f4EAPUU+?eh>ybkV z7oRxAFHi2fvCcAOM@en5a0Tp;=EV#djZ_F4RO%lu_4li6iWL~;jf{9ajca9XX}Tn> zjd@_shN>9~!P!y;_5a9aq2Ssb`Me^~NyBDjy~GwXsjm8fF4GwYGCm*fdrz?V&z?f; zAlCfWOop=7Y_3*Af~BkF#|svs&x(wT#i1$GZH49Q!)}Eu%Sy*!eWL z9wZ1eh;pd@)2I}|>-U!snGzH9Q}|Cm3Km?sE~X-{fHf1nm2FSWW$)~--Q_;VVA%&} zE$eYfI*d1mKdI)Unox#NL>L=%H1mpWT3QtN=BD5D&pTVwV{0@Drc8k%-v?JVYMjH&u&f= z_vUrZ@Tf6mb#r?{F_yU)S1bt$t#e~ps?>Pk|oCvWpN#_?^!ig)`oAs|23V0 z@*hzWdj~yhLp?h~n*TYP^4RN1Rsse9aEk^2K=d!ilhrdZGW>rnPXGJ+^rWhl&DxJb zPrLM6FX0R+hLzN8tsO^&TyC$R1Stkz++N9$>ItYEgGRkNe&6eJvZ}KQP~c)b*6?`!D39v`ZZl1@^|H${`fD@jlfOlYDC=Poc@?C`Y4V}pK)n$a3b?j4 zixLNI@_`~Q<}0A*1<;}BA~Emu1>nl6y-Lm2I0c4koFUf97m`Q_Wah5L^Fa?}&AVqc zHM25+aQ-|^p1nkB>vwNCXP0(n?fgazr3+}0z%?TXt6TyU7&VQ-%iYM?67OSKKlS8G zx;p;K;pr5)+->8*UW%_q(&bN7SA=lc8nnlzbjX(> z*5fmT?jC*-E-~EckK>e&s25o!EEDbNhc3qwAPxuN)HKbHW^$ONHtJ8m~)`U^}`$ zc)DMxy+qMmjq<#7`sKX&E+&m4VN{QcaThXCdLGQ?8{Ab361m4K9CTuS04t)feELM% zWZ`|ix^L#qn9F!UzrieE&=ZuZ6nOLbROqhejL4@tM z+6mToFpi^Gk8Em*0`%iwYl8W_D0TrHZj)c{!EJyVbgOJU(qyY;bB82iqB|%H)jg5EiGIJ7B&8I9VXibYcntXY&ml-sgW+RJi6@=<29IJ)5)P?K zpXXsl!-U%|pu`rYWXLM`hZhX5oUr^ip%+fSDYdjt!pD&3A9c^fYE1uLYV2KV@@{- zyT_AC?@6vtg=7%L8(GPa>rV+m>yMv9)Hj4JpXpo*;y33tCuQCemm9;qEP_bXAS2-j zC^|(6f)ChfRZTR^LZ193&0Egf0~;RXXO2ZID;r5ilOI-Q#48)g9qb?Wfc{4@p9dOh z@dbufF@LHy7uFLHx2*QGVR0wd09JWQ0g&~tz<8HzTX$~#Y+w4Y6Qlf%sR;sYL4kn;@+&53^mQFY;{;C zPo^!i47b=7{Wyr}8ELh?V4jVhI>9u>;gs@?80l=47ULxlOYPp#Km`5rzRs0!a&xMx zjOwBSeyY8NLLSGD*JLUQ-tYldIqf(Zb z)Z#1Mrb(4QZAVW!fOAjcOXr#AN3}z-x2bFL`MiH0b^di#{ZAHD|5jE1jXn6M68I1P z)6oSA01)IE5C8z=AFG~!Jv70;EU^EKIQ-9x_l9v3faFi&T**)3+<%JR{HMSD@676d zP}~16Ac{y72}>lArZ{OMVoC-}{!jcrMhP z(=BbkqV+O9Lx6uF)gsKjr67tO2=3MVqNXrvOvZB0rZPxxNuj3-l{yzkP7ap(q?tADP2c_Jh= zOK~T`r*G2$vZD`?GND?JZYJdy;#Lqd21rwOOgshcxs(8x3!pyT4U7q?? 
zphrI8WoyH+^Cj`ok&`gRDI-M;UiA4mXrVswqLX|6wvH>X!?@Z4s%^F%XW2EvZh-_w zdyo$ZCNR?LdubP4chfp<#!F}^U?*F5JPq6wTQHKVdpI|Yd;?yr+EW)WVeOdy_PZ#z zHz+VpD@UQ;$*GPYb4jX$X=JcPRgadTjSCkn(l$?R1KjvejZ6mS6^z@*N$hEcVxRDS zbc&_M@cMwN7JL&M$0?S0<-BwSz0Y$@&B%MPoe~fnoky`9?^=*AWC#zcn`2cfU1H}J z>sckr1($3~976$4jZQ66FmRO_o8jf_ywu;Swt-=#d(p^?HH;RXvym~T58`2%_@z5i z3Ubie4*hv0=xM}Z){@$ChZ>AzlF&@3*T6v~#^zukSru)*nCB>J5j_MW!@rSAX}!Yf z<762W(Z|xq{lThuL7Wlb{9`w8{^;cWAZ0bil}KW+Vr_>(qsmap4)X!PaLwEv0D{m6 zw#7Coip_~%Oe^2s;CpTyoI3#`-5D=$JMk2cHxYpN{*pLjqlN+^*hB@Ifp*)ljFx6>zFD*3Yn3XWNsD?)B0(C{7a$>xA<%f!B#| zBd#U~9|F0tUo-1Y&D2==>wdA*DLOSYbb>?!JO*7jU&Eug3MO0yv6-$T9HX-|GE4F3 z=~3T?GMw07dNW@S>Rj%dquSe@TM_=eGL%<@&CiK?H?UGuQfV3RI&MpC2#R`OPW)@h zP66SUY0iCB*rqmw<>gpdd@u0(>-jYtq#Cm-eO}#tonn1TG%2qvx4$`8hHRW5!Mk|V zlz*?ifdNycBjs>4+|3HO&-A;`5W3Igb3E7>M2opuIi@Y>pj|6ll#FQ!SxAbj+7gbJ z&5n)Znb9I|s&j^G(1dKguFfa3PX~@WEJl)*kr`AK38m&yo2aiyk(X%_$RN~qo?QmE?F*wo>|+fPN92O-_47*VixHZX zD5(`frdab+>oIi-^pMSD7B2csNzqDCL~jbVDpsA`Xx?7AnYgG(U#n;P0(JfA{dRaVZVSkZ2O$I2zQ53(X)9M3W!d!o~IeNyPTyTAqb ziLQW~2hcEK`FWXyzL`dGOv_o~)Ci!qWRrPF9C$+?Ip`Hd`e*Hm&siz@iHk>GR-GRWVQZU_;? 
z!{2oGR@|WjCdzM`n&3w5y?XS{_m<=g03Y3F?h%p`0mkR9Iyj3mrY2_XI7m>AY*di1 z8lqL~+A)E;aenaJa+IE0jkvX-_%<#BGkt8XIP19ykvyp=-Rzo5sy(H>yWd*8=$C1} zeLqgM{!GycB;#2p8dK*-&NB~SjzN6#u0j^J$&DGvHI6=7un);Ftz^6rT2=!%P+bUm z!))%=Ebo4kH>2#9*QRNX+&T}&iNMdB>A+JonA`SKwDE%#nB=FMDXz=03A=08FW}C{ zZ@_=d5dOVCiVV?_VEv;ImiX~~;QAlU5dL{N{=X>UnJOBVh~wy4TH8xcZ)vQk$1wqD z{8-s5t?+$RT)wQtzY(PMS$FtR_cw`1&KpxVZ4nw`Wfy}vv6RdfA*B~3q7>!G%fg25 zRZEY3hhf$Tg(>ib%E%L02wiwN9gU?td~=#ixZWo}>|c+wZH&LYKTM*BL2u@r%85EG z0e7-wE(CbM^Q$?vQ1nlyYVk-6u5!64VJb99fyAt2Ko^br4>TFqjP`SmiNX zi?>hIX*nFPGNwNlaJky7r9T&Xx_Yl=!xaF(>avRh`l3*F_?z5JhkC9~yb<^V(LI-E4{btqf z^GqW(ZcSZ9VqxKC%07romLa7nC^9xVioDUZ``U8|OV1W3Z9Of$S0JlrVvEh_!N4dY z9io{)0Zoy!12vP5Q4u6Qqovf>o3%CA0U@&&Kyv9%%1BSoWUwqAIxd#RoCs`PUAQ=1 zHS4E~m-M9LaGuhQOI8>~uW&p9-F3MGjix&<&E1aP2G9Lgp!o3`4{YWIWucg)&5@re zRxJZoJOc#nAv9OfE=K8X3;uPk%^6j-@a7^8sws4I>i9#b%YLRKeF%eUFkx6YmN%Ho zRhCILmcu5>WtK@emRFn|pCSX8;fN-jdHY;?E2{Oo{hqeiOtfBelCY!58tgiz?0rMl z{E3lcsrXe`#V!>E`6~jWBkX(`bJ@Q|Ctpx`O!3I3C$4@d4bR4`@(xwOleWywNS%s7 zakl#q=tnh_zg<7CzviR%aVAq{GTwRo67)ugWQ&lwR3^QptkAUl0}kG`=|Bqm%*ijh z1MuG6?j}+2)_FlFQ>pYMy9C=PKLL7Gg6(o~qAD!rd&n=^ru$)vizq3xmmj*N>(wKy zw&Pwa-dgkYU~!k-i26PsamrqHTW0Z~DRb3;GAsc+x!~+P%L%oCT*;~CAO8(UsC+8T z29&5`AJrnQb&M+}|6F_r$et2OM0{g73tkcG${F4+(N2-=JU`HYxqR~FV*>ajFX0%J zLe>Bxr4^5SDL4JPzTa*2aNMR@8lzK!;1JlJFdVbx*W>e{B^(2brxJyv47tlJ@_o_u zaA@J-rloawxe@iiGk9;B&38&jpzD+dTqhgR&Qz>(6l=wLJh;8-j!`uTw_KV-}UBBC6=8^<{<*`t@TJ zM5MMeAx#y;(N1KT%tq!fBCtmcZDTA%X1jQ}GX8`XQK9P|Fv!$TUM;5PuZ4tUt&+K` zoRkx@%eHq9W8A#f&JnFw1OC)lD8j@fz2|zCJlLF za5RP$PqfSKgqZgOlt@EYH7t;ThEIyUp4*Hv!O3t zc3j^ouhtzIli}#W2!S}>r~Yb-MdXM?8XwB>?6y@FN-(iGl%Cv@=^Gm87s3{UxS^|W z`=`BQjiw3~7Ke?qt&N<do)suzw)>Ko z8o4M$>@-p^!r`RMh`8_`LyU|j-gzdASTyQ#M3J**g0r4n47e32I8Xo6)o}I2VC>HJ zi!*9MpAW=YlqWIos=fvtgZoy)_1B$~LiN@{`|j55uWRXC+je6s;Y%*JclgP*Aa=Md zu5yiMe3_jqqC2JyE`QChctCG8o+YWpuA8k?`M)mHal;J^ZUwa=QY?ft6M3sM&XC0Evfe? 
zjvDm&&C8a0h616eR5tUIA&O_{oGY(M+};vrT+gLUx3$bU>Mz0ewh|r9wX3Pq%~mVs zI=ZgE$6tT+F`ZL-7>W+b=Iy$T(og47sUuIxXHiVh0@tpx7X^YFvZfzqUbf**bL(Y< zA7#xA>v)(bi?1e3Oo)6-jV%MK^mOq!7z8w#stf)`BqOJ)^ zv)`nX04`63q_ABCb5H{by)WLawwFVNG<)U2Q8_za(y^-vnuCg$a)$QeI}Pe`MEHu4`5HPvJh%m zIdHX^85}rU|0|E64oe@$-tEFP$9JeP#A6L? z5Ax{mLU6oH{UmEsZZpZFomaJSf5cfFmv;l+09Ut$RTd44RF^-ZE)Hl1S{Z3joee}zb{${(lFuU?3I2{C%kn{9Z6M|^??eJ|2* z*<5(KKo1JbS|SZb<*cBEVONQXAz{)(k=EEiMCvUgU{C-?Q|b4C`IG(y<9P}Cy9OaL zQSZAEnbvrVtOp;=^K1Avka8Fu0KqPI5*mg=TsmRDL$M3AW)%o&?=XG19o#ZVGh0mu zF=O)PoDy!xdvt7e6?%yhP=?qNkviAgd0sN>3+Sg1BZ_a+liq=P2_X&bG_-!E@PDu% z>zeS(5vS!ng8P;M0~Yl7h&ueP@ePhCJmD{9V`#Z-YxE z3lfgX2j(i_2zvvQs5~Zvd@qKx^#!ZtW3)wh^ayjyGd>f@Ck@TYLKBBhR)1E=MR);E z$@u&a!NKPk<1=|bB4Y;RA1j#u*(C4(PqrMImgV};>mNA;V)-OWjwZwQrjK}Larp7t z`*~I~#NxkgjN$Q&X3Z@q zUwQFau|Y7pkw$_cCm0Q${a9K3yb2&A3ir64uXDmeZtqI8}MXulA+m3(45p61oLFR1mt_h=i@gMoiOy%wCAjnA4sl zxP2Osl1|na9C*V-@lE|_=x2fo@K)=QyLYbk;yNMdj&^bVczXOK1puwP>>jU<%qCx?oIM)8wrJ^1JI1(?wqRKD7n!>2t*{2qQx?29lRcv9# zjV+y^;j|N5@|>W&Ge@bgJx{-=bK^l+ac!pS%%|{t=H$z095rH^JkFsA>wZfg{+vko zGDsiHP($PFQ3-5yf1)<6qBaA)d;u}pUa&K6F?#v35!mfs!bgf7 zQAcTJ#wP}~mPasUpd=@uu0CH&iDWmXiJ>VRD}?=FPDTd#`VoPrEpgn?kauS02gTsZ z7GH;^ihpvqktc-6or0Dy7?F6LP_iqR*T?8?9!X^$NHfG9(>McFeDXFfD; z#7!LA2WD6cJ!s}`!L^&zr@R4X;IO43kD9Rw&4cQOhaUDPATlyi{6Pw@BhcH!se#ez zaU%gcPQ0&Ywa#{Cm{@s_v?fSjKVp`1e{Mk>p_9XwhMy7Q#RaTn#(f1d72SUn!Xq{g zZ-;P+TEVtUwHmwt#k zaBgrNaoUf8AI$VsIlp}Aw$wP`UC z0gAf?Fiy$6Pw}M}YfSB~3ya-P`i&MVCm7n??Xye`lGOtfSzO}{y#*7;PjOA-7iW#Z z>+d-b>Dc}=HAhumrUXYj`26wAEXm9)@3668MKH$IqfLu3Je+)=L244p@$Qia+P_#t zwAHyA?Y4G;psjTR*G+_-V=JXt(|NR|GH4M<$u~m12j!igKAg%hFd6g>3{S1=i&2%c zG`O2*83freEq|%8No=wmHDqVmtH*~|XSk0PF1J2xzYkyIeqyS)N>n^a2zM(U8v4gm zWLVN~R1ivEfrTybRH@+xLE8#l4yis#s zF*7$1>f~;1%k_dZnU-$e0Vf;4={YnH=l%vSll}O>Cc|@f+HQ6Px1hD-I^CcA?6tnW z{r^z*PSKS>(Yj`A+t!Y4+qP}ncEy#7?WAJcwr!(gyK_(XxZUTBi@p#0bwBJe)?91P z`Ooh=W{m|SUvqGQaqPb!T90RaE13cKO9DifKx-VR2Mm)MZjgXGpjQDvru(h250{=O zX-YCMQ2|_$+=seIyOOR)_tc^ld8kT`Jo%JS;2ylc8kQQG2&}=@;KCpSB}q#aO!muL 
z344`CFdUi>wiTf4GB3v|aCNxkD_f=xQ6@?`jO}Qyaq5VfnI$J*J58q5?0a`1s5g7X z8{NV<3OZs>CE>#cQUQ<|U7&=25q%IVp9x;-KZVA9ADbX0rhb~0{woz}*aQ?@9BJkit0E^A`rKj?L^d%^ei{#d&i`%Nhj zDoYCU0VBs7;5_;Lh~;Yv_}6nhk>bg-(J7My7j1Y4g^!0!TF)M z;>P8z;czm{(OdgP7@N8?A?bndM0uq+#?FN@{S}DcX0(sZa~F;>6IX=q$xf}?vHi%# zxZzdB7=Ls@uC>r4yXrKVzzEu=sAg->6ihyJkS|z?o*x>7LdMEqSwzzJez^cV`eMs5 zU;@N?m*03`t0;DA?PRsWzFmUh68ge0>dqdn6UArxww&J0_V!!z4>nU;A`FXh{mf-y}Et?ZcPc{~S3} zlkcX_sqk`0VW+xY0`3VapI2-vwOf$}bBC3_+eCK~8?$MgCWB?pkm+qLXeM4`zb4qD zJ^kTm%C{4aVY>HAK_NpYIZ6!@QL6QgH8X5h223f1lcCO67@zpcUmcBQ{ag zHQPq9*DRGnDH}`dGy1PjwX;r*nIX3fBp-MSs>?-F15tFbFaYt09&Js&D|H%RRojpR zcNUzMZl@SKKLf*UnnF0vCW~OIv4-7ar<_3huM&x*xLSLjt;bH!?Or)Aa$~r2v{s(X zV}Xf*(zC~K@M#4J|Ef*kL2MZ-U;ry%L)?ZxpmF5izpq`rLKYiW0`FC>?rkpr@7+`e zRUQKlZiAXZgMhm-I_PHPODiDF+KQTUHh~A?&>!lZ@#mkfTy>plEIJM9N%Yvo&RjUT z&^e90QPI-xzX&k97&64r54X9%Sz)t}#G~&iJ^xnd|CKpu{N8{ZsKV(Hqq)p;DG>tY zMoh%}!gx!t{yGs)Pw_1ezxrIUrRP*E!Pg$5oHGpwXjdex3z0HBZxs7ov2E>Cxd*S6 z8M-mFeR{av%tn; zA7k!G0_Y2#Vb1fN*^VL)&kXO=J##E4-bCDaP?Equjki6A*E`^DVqob|i`2`Vtrn+@ zrnLijGOl__@{`>93WCjHa9v|ZyG>0hzH)?U4t3z{RNpMy15`G+x~ZU9{-om)s=063 zAhvbu?#k$4B<0|%M|tEE``mfh1E+$@d5Wk-Dkp+-0#mg-nbI%rq$V}AlO<$KZ;M|4 zh8QFc*%77pIuSoKYd^dyXm{W%YH$Aw+H1dR8Eff{}AE)8p9pf3aXzJz502{5KU#9)hQPe3BN8n2I z>(6E<-PzQ}Y8ql}0=mA^uhZG+cH5RR-t;x_GSM!Sh!rdvd(u~thpfQWY26laT*Cg~ z27*PVKw6)uKvd}k*8I^0eLz4l^Q!Su9vaObIcfQ#@ULY#5UZwk#vPmevgcdEq zFQ30;UF+vRSd<)!Uo8r{rSEGn&;T%loqW1ow^dvIEd!l)VJ#uFZ|IqKJNe3A|Fs1g zxT-co0}2Er{)4~e{Qvbj_ONsivXlBh!Q{B9N;xbDqWPQfSfRRs);WmfbBPLWQrL>A z6_aR#N$v@fFG?~xvn&knu13N(NICss+wiQ%Z6PCB+l3v_#Ac9GN17Ntokit%oK_(3?SU;Ooeiw1xO> zRC0!@drRdZM6n=4!y88=a{yK>^T;#%VzLZ{;IhOG0OEmPqmXbX zPW)j>GP1J+gMucm%apzbad`dkU{6eFoQHguym4A@XFlVzR409+9v_}$BQY2cN%;cm zl^=x}9QUTPV>Hg`vBu_lTmt#Pg(HqGN4}C;Z)|R{`zAGz@>?7W)Exnz_eT%o>X{Wr zHBZgD2(Br{RXnK7ywm6?T9hnF6U=ixXlfoI#q>Z&P;$JY%RP}cuo{R);myoWrWdX^ z@RaS0M_L#Tm8yHggn*SkY6F1{OG0oQC62xe2zvcIN zV|TtGND*oK{C-o;PE=Qpsk7jbu@E2fZ^7e!>ffc{YX3q2JB-cWc@Gbd6@PFQ8$!o!WhLikA8VkmjJ+(Jw_ZPe}2jEqif~ 
z3tu}iDP1cO%(te{LqE=8CbJ@Cdh917*{tZ@pJ$id_Spw$nrt28rOU#dX->6h4ca{? zUH*h!O#pTGI4ck0En)uwNGJ|e6M86Xetw`$APlhVgEs7NaLBTJNkWk~CqxLQzgYIp zw^O9%=YN?`=w#g+))*Z)(${y#~Q{{clTR`n-L$@m{KGtN3h zyW;8D{-=DOL}oBOG6*U~HOq_yT!Tn*6N_fhDgV#upk(RGMsaDp_p2PAoDLc8Z268Q z=y>-Fd^kGic#xRzi|wVrM~KQDQjuD*;+fd4ARQ}rT^nc-Z|9l#<9q-$4M$rI=^h{5 zN>>0EgUcDwZ!sXP;$>X3yFAd)XH=*Fbn3M6AXtu<{ubBh!}Bp%U%8h*nW`B z92-Wn_-G{zkgK|N5QcBu?wq~eC^CD?0#90=i)n{gYzj?UDx!1=V;0w4*iSus#y6ZP?395+D)s0j&E~h;<}-OTyz0_Q$h+wF7>a%p)4I4 z&D9MMc}rMQsBAFpN;kftG1Qd zTjiJixtAhe)|AHW1N)@x{WJxceexoUmP-&PsNDxSr}87$b9d{R`|~^B#%U6E$6194 z!OG`2!j60yxxJDP^9rQrWSKMf?@X5nYMZzL^ry-FYm{sQ zn{Kfe5DSgU8UA`2cBp5!8ifh;?CdTmmoVZ_o2$&4gkY{u(l1FTj8nETSe0a>;T1Gx z>hIvNmZgTRd$7aLd+0mNy;}@*Ae1{(*XGM^n1b z_3hF9M=*!6kN?7V!5lv1!2CH7tv^X6%Kz!1_%G?C|MlUhQn&kWGT8q}8ZUkVN$S2; ze9rR7?`y7;)S&@)sWown*)s!Q1ZOwkYkqxBb4o!oY*njAXbbZ)624$wVw z2j}~AM{B~`lBUsuGqOJ_kRVo!H8(};7t9n22;@rnO>L~su-Iv06d1VSd2UhzX9@Wq z6-cfPs0{vu=>UQyody$*BP>{ixs?~9e;XlRA5sDfi0by4utlh)P&d?pb_t-9=n&&Kuid+)3#0)=L&QiawyVUHMb+Bi>{Vz`GT9QvCA_?TUbMHq6O` z8TTP4d}W&Gwu}!wBF~6 zAJXLyTRAyEe#Ww8o~k4#a=)yU z>Fy(T07x?iWrHaBps^FX+%H(V5F8%?ZccLXGC#sIqh@30v8$?NRvn-4{)&lNb1ZzU zrFu6*GifU--KA$L^{|T-FxIpT7)LB=ay=~XQM=(9M(TF-N0>e=%HH)W-Y zI;rE_`6RZ>e>PlaI2)^UhOYxac32?v?9uR5Ntf*c*pxP1aq_%Sb(;{Jmh_Z;9kQ3Z zsw^l*asw5_#fH59xnc6)E!v#wA)JqYqe8l+3hWztT#(`^Hg*incra^l?L_$`$(L?F z#;a~J2?K(0@*h3jFPWNNWaxi&Z*RuBJtt#Yw5eSaq)$5&$o3aV5kAOSu(wG34QuM@ zo~z-+%P{Y3AR3lbv4Em!s)^;QpuW<^xX}qs4_Tua=w{*#R5nAqN7Z|a63syKBr3v| z?9}8=3l&cVH}RAH%-_^++f*xvG>6Pc<*jn0R3^ZBy3>bTq{@-Cw74$t<^fzQ_0{1^ z)nEI=<{wL%q(4TO;W}o@2NsnV77c+)M>jckECQVVYI7V0S847MTTVzK1K{gq864Hq z$h4rFcLT7`kb^JCRU`gb^&cQb9thw z^5x34q*RLNgjB{9V$>MVHvV<@yX4#9;o-~a;0G7KH)v`Sikt}&oR2fE^>@88!8@QN?hy;%;_9uB+1sf~QibRkL4XuORP{a!1SiQ^iCrHSn(;&nOX|s-Z;Ass``h$Ss=(r#Zst@gR65fPv6O$PkW)bE1l<8 zkiJ_gh&@iut61&`=YXrx)Te?pzj_>=~qymQ42F^(gf>itvq+YVhK7*w_ z3@_F17UhHs8z7IFdhIlJ_`LRL>lQyZuw?7TqDQ}X?hcHarhxHx?P%-K6!^Yl=);}s 
z5jbTrR4g{=L?vt0*a*j@0(wHV;nt_Jrk|(*OZiT)ZW`GP5sM@U3i)Xt2S#$+{@#yly-~E2tu;d3Xe{fs^`%4NJb`oV*I5)Uo?=!(s!RUFQV1(cJ)0n7-Ow#&kh7pabuhhcOGr3m1Ql^vDJ*tg>*=2m;1I5Vh<=TZ}X z)2XG1a~nDvUq}*JCS19h`{=_Ze=Z|dTS8W=mxhYhu(-1NED0}dug(p@1M2gMe<|IH zJD!hb`ZeD2z^Dy0QZKD4)yplMujUsr&+@k#8ZK+CJfT*!fN})t8KhIWgG&6pWLUI@ zgq&CcK0{Ct`c=iBc1}@y!vtDCUA8hA_pIpJJ2x%MIIGTj!RhTZ^G|mF5j4LZ*1m=? zCIP@(#oFiX$Ie85khXT3uhS9y!ub418-$joebQ{9KHq&>km z&ze4K`I!D4?r<5-Wj-XZOABAL|Ys+qvvB2hE4`N9)f?>P)SXQermjdWbHd` zE#j7Y$<7){%~i<@3fmTHrKwPd-W4~w4HUXfFi(P4~!} zINdbJxC21RnvA-ibC%zgSQ3g^?Fl}!D-0=XSUgqnlBMoWZ8zY>x{6%xxxm6r7V4!W zM$0t7rwmhd=6sZ2V5RX`!PmE1W>v9kBb(!^IZL&VH!*3Yz+pF-oydWB>`X&X#Mv&5 ztCb}E)vKR1oyyhlA=||Av=yuMc#-noJtjJ&{AEYmdpSzLs-_#zyC&+)l}QU|DdXes zjqYEF9cSia@;!%KO1V9c_)(%tb#%YEvKtp z`&WBt-S5msn{}3Q(gXgZdGJ4`X~X{a3&_O5+3f#dNl^!>BU%vuXU8E72ng*ze~F8k zv%8ry{r~#HI^wf&IbcuP`J}03X(9(GvCeo>$|rLVrC6w5)cGZ4{Y#!0Di9kzMi8SW zGmEEA{r2CAg#<=fTo^mLYRs$?1&S5-DD0R6%9zRFRIvAsiv*2@m+(EbTuq?Uo(rc+b+VbJ(4^NWH2!cxNYu)uZ?6xhx+sAI`7Q+&!9;e8}^Z)=V1hvtE$jzuFh0l)BazElB-0^rLVWvq&qA}ig@ zCP+~91t!lT#5+8@I}PlM5Tu`{f^py>`bf`_|MjvW29grUXOSwS=$03T82VBRyhPNk z7P!a}K<7O~d4m}qcJ7%JI9lfj^EklZd~5+X74!`>4re6+gOEN_cC~w##-@ZAmM5(l z9+VvyKKH$0pcdEVRr-f+ z>AJ?LccYE7$j1FhI$Hn<`FnJRnc`TJrR|f$a1DiSPNcVoRa^58>4Mntv=%*Rre6I-8QoLeBDxp`bI29VMBsJ~R2#7=aqw4h7^6oJetE6?b$x z>s1J7alBRyj+#*fA_(jF3+&%MUpx9KQIX{4OI)DorUK=&rotX5b*}WVAwDxg73eVO zu0j@#kBDU+;Azb+NfeJU;>idvuRjnZil9|=R+1XIQV2uaP^Jp}Yp3uKDX6a|I>j(5 z$&*V4BY2_(XqojaXz&Wf5KbW;TlQrDp(A*BWolR>wmERIz3;0G^o}xNu>VCZzXiF{ zI(A-Zhx12>HbS0Gthqf`FKEDPD0IBz#3=gqgQwEDL_G?KJ4cH(*i2h zS5J)+09OSE))%!6HnxZ;M9j5WWj@fH2USz6yu;Y&xBd~FW8%UHkyn932f8yUh7#fc zSt3a7y(U*nM2YU-G3n)Q`U+Y3z_ce5P*85#v;@uhCOS1tlIwpz-K%n7-A1p|H=MFd zN7i_g0PzQolO8+zQZ(Gm$$4hxzv&Gk70IBhHR@ea2V zVe^Sdslp;ejtl`BNPJMHiiLV`#-J%!7o+B8p~&&DQ7&;H5>?he&}Hfc--!Gb_-|`Z z3Uf+iAgRv1(-mbyG0a%%*7+AH(|$NrJ)l(BOZ3AbwgHD7SBc=l{KX`wpRshHlZ#QWJ)bbOWEI>3cu6_(y-iXMK;=W#@vSG zpc$!nq6*Y}WusZw>FKl;$Pl&_7QrF$K&6nW-Nv=7uQ2abe66OpB3bcoUOz`UDw<5F 
z{LNb9CU{bVt@1I8s(AK38b&B>1DLzR6U1JL`QB9$rsC{+I)gg{jP3CmMSeb0QBrRw z4>`SbEUWZYSzfOpIy#<3z(NsV-k84}%1_YOEIC1Q0A_>+5`#1_g)G~;99_)^o(f_W z7`dKlGhWrk?gRc^>gLWa;+VeLGqANde!74*nH79Z<_55h;1Bs6td85`DGLd(Htiq4 z2T{=6pa8!{TB5oIO_42C!g8s*-(7e(4-4O6wOR(%8kM+ObeHo7*6$0pX0*3yb{!9`Hoyhkeo<34#SZU z8s0Z#aISXdcfwGk5pNjy6pdUxAp&-lM6ME3-YpD3SHsOXtS6hW>^tZ|5c%3<*w1w{ zdCz9fw;A~n^Y&)kLuTK!f#-FAf#m#l5KOfks78z`GVV-Xf{XczZU!)XL%jJc%IUB4`QhSALJI(-|K+d(_&1Pm9@ZTYQ(f z2Kr=!!IF-03jTP#oanV!J~$7WntK_pB4~+=eN4iLR2NP-ICe(Y1|Gue9 z?)<|e;L1%KCpM=`SglA{zV^@yKth#=mo~gbQ=loRE(A9YoRjlwjb>8Il#$qz*4fao_-=~QBeA=X(%=C^}wmtMPFEWz-t(0$yf z6ey!-zd?i-{y*C?8S+&Y7-kAaf}=Dt9CK zJ-4cq)zk6B0DW<20p06QD+GCSGRlwzj_pvXYH>uns)=&!tt7j}7)iF{l9|R^^uCeP z_Jpsnh0Kx`fJ>h$dhP#$c2I^ zPW00YC>JK9&^O583YGMGvI$`{aoQjlG`9hyUE7?6aid4U8HV9cQm5OHX|8!(T1nh&E(*m~TeQ5_0aUKuaQ1XBhiY(|~< zpzzMQgG70e)3c!}+<}=gx`*%}4bS_ICnWUhdPn>$PAIOzn7DyujH2MQdV@t>sHw6I zw4J{I=7cALq>Y(b^3Suva-+ofZ0H3GPSG`h^P?)M_dvIWGVN@VW$Jb?*B!n%lvcJ( z?4d8S;%xgD-8&>c-Q80Z&>LlTDb9ziY$t)~RTeb=qKeH9(H!JoO57i`_J>#r{y@<1 zIdwYxw{_i}cS^2N33b1dzuTcy=-1*j{>;V(ym~OVY6*?8}aV)Z0age0x}G&BA%w? 
zF7oCdxP0PM!RJk#JPc4^Gs2yR^W<3m;i}W(A>RHfl7~-4&<*sR=8hv6GoxxrumH>@ zmux=3JKIr6{gX1-6&G(#lg-=v1yGdHVrOa~{EKkz0z(RR7YD(ml3!JsOD|TW(~x~%YcH%-4Z0W8$em%b zJU0>DAH#et_@X<^yz#+zu154<`i*kVT4AkUuthMg>yZ=6D*y_h{D(7VqZ)~miW7p{ z_t+S3Pl8_~EQlewosn1Qtc;cgX_ln@FM{(Qcd0)7s3ke<4jn=_3RbQDvSX_kpo>Bt zAVh2Ks(P}!2Hi6F8!g>xKL5jf#|m-hP~4>Hh0~Y(z+`1n&fj`(V_gtc@KQ=fOm;j_ zWoxWewjHMpM{$jnI8tIxX}RaoGJdAMMKz=@f<97{=qIEyWT^%=7pYmSUil6~QY7bK zy6jr0%l8_K%MUG9!j^WzHoi{rql^&`teT2EPX1z66@9pO_a*nF7eE4<(A&)@t@= zj-7ebS@%<<_Y~aDs??g^pHJp`AMRo|&D#ztxmH+(WS8YF4ew$EWbtpFqo)H)tGGEI z%$3k_4$*V!+;qX zUy#*X(|(bi0N2(-1W~KlP~$+>Iqp>=xQ$bJ^kv~ZA#l+*85X-UpPOuQ7pwG~{wk|7 z8@DIDN>)LLI&R6~DQhbQf<*-8MQ#xY?FKmT1`cC3fKsg`-wXSXZI&T^~4^-qR< z1&IO!F$Rh~z~;t(2N`E7(4DiDIf>zqUCj-man2g_G-ulI&B92qWs+csgM^}#EAZ=k z=sDya4wZff;XdLYrP&G4{nFJ;cMQ<92om_#I{dYcxmd=*{XRy%J* z;wj`v2=tC{rk>?UKxfZ2I_oUKX>hrEbuk>vH#eJ95~zUnyR@1T+lB&*)81|qzJg06 z-e;H#SM-w!XBw8l4?r&w=mihqF+G-!7p0d%1Jf+EG@%&iX z$RR#DFK;PAJ8x*Wm%_61u5?b0lThjYzb0$|o1^4%o8Mhdge10_dh{XMxl_v@+_HSA zfE&9Lx?70P{%f(3nCZx0U4ntP0!MVxD1hY3-TH2wk}!}FqQ4|>#w8k(1=HZ8a3oZL zL9+SkD9{ISxmzkDgEmt`DkF^QKm%6F*lB7amhsYQUE*R6o3~G0>OQ)ArZUoMTc+vz zvv+2Hn?FmswrNw+o&$EM?HPBc;Pj2sB}FvG95PT#xvLNxVR4mq=Ev+NO>dmT=xU3- zeO_884E7F7)SD}m`aPEltQk~v9LzP==h$LgaVFh(E1QZH2Kq01bxv3l02I7#MqVpK zAzm)-6PzMr)|%$Q%+gUbT+AbABwAxEN2B0osDC9}wa$B6(avY1{t6ROq?JMiTE>08 z1|fmM>w0&D5aaat6%x024%FbKIev;+%X9d-T^%1VI7KX%%hq z+Xd71ckAH#Bpk%!;eO9F^)=>BnMjEwtzJDH&j{b+xNkkzrp()#kc$yd1(2oWcL zx<6N1vy951 zjvLve=0~dag|Oy1kFjG_&$Te^HARZ>*>0gGpd^@~%{qMef7mwhB|AknmB&x%m1HcQ z(&1amt;)&LB=V(UWczvR4pJ@#VycJmv+Du)Pbwg#4bDK%HD}7a zpPF}>cEV3L1G5R+u}B>C;*l~q1@kd)rHz_K(FAwg(O0HjRYfK0Ah4Dtywl}vqZFC3 zfrb*F6Ddsb!AE6!(8v@P?a^l|PAt%SF7o+>e6w5b_on@O)U#0_iu%TbG!e8kR;tJ# zwgEe=el!=drU`CN!M5s5g?BBN*X*=IsWf_Sc#ugSr4idJ7!K!@gV?OSi6Z{hHULD; zXEj!ozEV3}j8+6`Sn-qAfUP+sq$0&XB%a2kyzStOYyyEGP%r~h*1;%vfQ=e~Zry7u z#z>um7Mc9k^-~kQ6gHd-()RsPOa%3g{p{kw@=r^TeecqwT6K(?dN{~bIu205#UG*= zqZ;mesRFG|-%^0H2U>wC%6co9L(f6cM^57TFF~~E5?pbIjeehlK4bOw 
z5)E}h30LF<=NJ4ajWErzIy0v_&IFbIK-&HG{bC_bjz=O8x4qQpQ}7VCT5xxXa43Ew z$Yg;GxzCwmo$`9k`dvvsK&nj+9@E}Erb4vXbYem}>3c>%_KK~nATcEkM+LY}$K>RT zL|cTxwxkvchf^}`SWgM-nL~->nS;1E?@iKK2`IgwXh5nI%AW|8*sGz#x!!__6dD6J+;H@-8Sp4J8q zWtJfBf$AjtZ`{@|)Gk%j*nf%cS{ov06FmpVa}~7D#Vv>!fE2al0wc<&&n$i*r@Y?DgW}>TxlR#Od|noMxsB1hPXRsBnIO)+f>Nc z7)zfZ!J^UUZlK<_hjUJwp&k}{v<7tsJ`Dk@gpVT^_D?J3k&BUMgKg^lrRbGggKKnG zE2%EZ_}DG1fFs6;irje_8%*QRJ$%QO<` zuD|AN5mrhAiB*kpZLZ+E7Zky)TbaK1JBQAJg3gHo-4unY;?J(uK>03KhKSl za}b`ZDzoD@8dAehV9!CK=B&D?C+q`&h% z*L6AOejzNu;<^&RR2(*7-<{P5qk;6Gnnp0_^TGq-(CF*SKxy z{!;k$vWIG7-+A)FAoq+yZSV~)<@Ius-ln|LpgeR$eIM5VU^cW&*J~ zY+rhNX5GntZJv{mp@Ldskg$2|j}?NheMwYQ5+Zn&w|T8xMdf7Hk#Hc5AT!WvX)uZE zwPwj62mZ@c^pd5kx#abhx}~5 zhir`m^4i;kU2MAT}vwz8|_P^`>n)cITnVcqG^r}k&)(|tow`cV(v^z85TAw7^ z)Xz}^oyP*xDoa10+;52goGCK(5>UGSq0V*wtTLnj=V`37nTwmPtIPjp92={t<#5=F z?9Z|LEhtOij(OwlJHj#skw@NKB}nJy>N$)H20~Z21-ED%k!1S}@xId%?I&3^Fvc5W zx7=4zQ=w__T&j>87tg;JFd`8^l7i8Rf~^GJ#>vye#n-{t#R~~MZmCC?{3U%=?0qCg z90mS;AMG%dqFvSGtEFn`CFUPah-qOmJ|~=FO79}HdlG#SUB)%W(%sIxWt}FV$h{(* zpgi@Lqk2fAUY$+KOQ>3mt8XTLh7xVCi z;y#NPRyoyJ|Adlay`5wy>$ESPRJe=sE*1j#v7odkkU1HtXkX1%ckGBdbr&0DzO!r@ ziNiaszSkQF)%&DX{sC<6cND4@E!@~3A{03bj%XZu2P;tnXWA<<4>=hcR*E3xH|~BL z0HZf8Dte-Gll%+pk&bwjmlXDkI&Zo>p$3VB65zV}ttav@ASj9PXAO8whKL4~@3K!CrG504+JJnlLS8Wu$G0n@n~a~ee8j&5h`7yVPg zXnOsiTZw#f?KOr8dxMbw+UC&*H&M^}1YH2kACs}rc4E*mHw6@MCK&rC5F81_v1B2R zwWt#l?uK+i(c#jN|#0M~Xe@Wh#4v^os&lo+G`8^P<}^s}?(>OjsD4sn}h3+V3%3SzUkgj5MIO z;z&CZ+D5x?=bgN2PDX@^EA4I$A%nR2FGP=-qmG!k7bb`*uoNy49eKJ!Tv-H(2=Nyu zJ_c4nakpGX0xO<-D&3vFRG*t+#z|!xjR=g|acbtnY5W z+_DsUWPcp=t?6z=>-S`KqJ=DiW^+jeoBj;xJ8JJcqDRQRF|Ey4beu!+bEecX&Uj_Zf`s6r#HO1Owr~Y&J*k zG|Fa|kF5-f*}oFfxMAkmz-7=DfnwQ%oUS=$w`7}Ht6-f?A8Wqh3kwOsd^!I&0bgDE zxnaygyBZK55B0&Lt86faXqH`4s}aD-mEeJiK?MRm7yg+nYg5bv5g`M&sG+S!t@fI5 z*Q*WsOPW56Cbi!9x*REelv^Ei0^uOF$IsHO7DPxuO=dUOxc^=`rfgr{mX%b`16{&{ zOw-A5N(H!)=3W(j`R|{3HHNY+doaIUB;lT?-}t(Ha5gB z)K>h{zyh0SUtlQAiphPc((b7BM)!*mRpaq(1%vf}`u_yQ<5Q;Ye|g1mY8N{!{XR$U 
zwQD_IHs`>tW8~9%4f5IL=J(pmUf!W*Gwpt8(*a*Cl7H=M?e>F!kCRdr1y75PBsG0V z<_ArDLV|pI<=i#a`X{5Ql*@WoyAB46b!6}qYCgr5>eSLLD$~Y0vR$IFQ`KDxg>I-pAVoMY>Jy z7MU;)PW3`nl&r9>1Y2D6X?;Z2;Zty{VIxcn^H1y7ngX z@|OB*X%xE9~bYxgu7F3#Su|ED=OlVferSNn@9)zwXs8cwtY_?x| zK)S)f0=vO#8vZ&7HwNziF(YE`%REZxQ!0u69Ko~QB!Fc~727yt@mvoa{!w#KDDWRV z-2az$clDHV;QeC*+4>>gq5PNEgQ@-h_UWLm7$?G!cU z6%NAYh@CO!X{uwWhc`w!=4fB~-9@t&UPyd)3)I~B{?iGpR(I{t)3i=unJNS6SCItM z$Z)I@oX@h%2*!A6Eml^NYzx+nEUgc;Z`nA@>QhvFc$p3bb9@b6d0?{NYA* z2HG|dWd;d=88e~gaCe}Jmadm8sY2aksw2;0!P@7TJ1iaoB!~^8Rcgrt2f&iBMY0_N z0M&XO4un(N+CS;!%EvfK?m+3}1f)2rVp*%PePz;6_B8`2=ou2T3z$!*@co&!wRtvv!buXIL^=s}VB6LY_tJtJy(3)vv=)jvZ}d$cqfbEX)%N0^0>|d*L;VGi2Mdg14)AVze>vomF2Q@{7=jg*EE5%{7yG z-VPJlNkltb91^6;AlS>m{!st1MtTTL%#N+;t($ptXP3kkrNyBd`_d2?7+W3kB+3e& zZ22VAVxmgK4LS{%3bupHoJfHM(Pv2f-WgZcU_{5W)zsN<6YNlbw72`Sm*0e52Tq4u z+u`9$cvIWi?6BsLe=WJOYi1uR*t4fG`ds&84Z=G8hpy0$-`Cx{v!+V+`g>yey$*`S zUU3&3w@bdA-^C(vz7|g|S+lP5z7a9VifvXE@y&#-sTQ51FNEQ%R(H zlHo?iBEo2`R4B6IHKoY!=$1M@m;GD?D&Bbvor1X0Y*p&{Sc@}EXQ zbxcIA>l|Z@TGl-4th{jPn}}s6*#);iRZ~$;o{`gA^y0jXiX7V598vo+v#b>=&d-vf zhw~E!|Anyc9)mFTXsd_#VcRSoi?&jAIYs~NI{u89kg(CE0r}F$%4&VM06v|hYAWot z@(Wqxg}a_9X8yl8JEvw*fM_{y+qP}n#@V)Q+qP}nwsp2`+qRW+Z>54tQmNz*%)>lP z&FWs=U$t-j#?AElhbSYsc#jK%9Ytn$7MuZ<;cx*x9PFHw?Z%*LY#S9OuMM*G?rqve z@7m5)nqlEZ7b>VP*+vNBcmr{82aT)5n2o44G{QO5DECZNn3#|q3MjJQe*gXF^dVtS z5m36E(FBL9Zvp7-bpkGSvE32tFl{`^@dg476%FbSxV;~X-D`B2VOcC{wF|T6)oK=% zXJ5xMa4PX_?It`cRqVJleT=(m~*`t*mI`{Ly$L z?5r(p&HgVl z(6!d}KTZbL?~EQ}T4kdGq|C;5GIff%RHwPp7?1+0C?b8O@Kj(t(p%4iy3_$Cq>tTm z@A&9@9tWFIaw17?i5y-Lx-oLy_)-)^k#Br4O?tHwK>`x}!|q5ljS+vkjXp1rrZ}Go ziH>}tV(XuHK;QR;F49#NN&PG67>Y+B$EMuifn;rPB`nfpcLGE{Nwg(!#Uxlgw~#=X z5`rTtum@eNzY0Nf03(SUT#NPUJT~1Vs5{|9eZpT zC2`8~P^nc60E783kA=>_OuzwkIRnSH^@ZORUfa0a0eeT4+!rpP!j8-M@oXIy@M7DO zo0l*CTU&6pA49T9@r0rU6xF*no0x7$7;|M6=)nd~Ym;TAiGa2MG!x zbs|RfJ@9?U3BS-pDlirz$OuDF4?LPGa&=w6hZKTfKH7R_4+Vdf+Q9WTdS<`tV41GI zJT}jDTt|w!vStu^5U?K2O*_@P_5) z8BFqbycZ2=NV*Bx-X!eyOzP&k%jT{m{E!?lkm~#w`^>_SR^z(;BcmBxvFxt1jMLfVX 
zNv^sNic0RK?O4O1K@9XLF*`|&M*K7VLuVc|;uj%yh)Por%_kc#8@S?4aD-a0<1A<{ zk;Wp`@W-PQ5E{g|-?-C>ZQY2PJ==eBe(UN1Ax1DfU-?J2mkfBvHLQNOOZc`jnp_U$-fK4j8&%BZ4ddu>}5^ zDR>1=ftsTr&I4H$dZx9>ZhE6Z#PMvy({(0IdoN&6+0-%e(N$*%CoHlh-KlhrE{;N0 zy&+1BVDfB;YIX)5A)BosYks(uJ*O+Do>)l!zEtZ3(Q&_d!lDyh(}-N#-yWCkASQn_ z#OP8hu#qX;^1$jd0k0k7!!7p4AJLL_JF3+zHoAFh&nnayZ?!t@N~Vf@R})~%c&E3z z9RlLk(q}Hy`pit49t5tuGffECyLHc&$oVA?6UL+Z;=C)Z8_Z-;ER8E|aQs}Wf!WX5 zOhyWVM5+1ci5+_9jPXHP&o~gOKa7@WVyJdh$1IJskEN7*=?~gp-HDcDIC)b*V7Um7 zQ8|SuuxRvmr%eP8qk&?jzEFEy;U_gso)Nm7d6SJE`$=u{qRBXNfK-S}h~|9~bIe9; zux=V!m)oPQ9wK?rWTVv}Q<(MVTu&IGFWGpbuq*F&4D@jKQe@wZ!>tivXgfqa@A4Us z-FLlf>o{58?Rl@RasGP~(%_}xKo1?vbNpbg>*DP`(C4=AP!OTQC!IR5B1}k%+*SdP zDR@j>O*^paWD4pd7Xyv&>F5F|%GZQjIygC=4GgzHrc$J!Gb9H4ROVLRd4wNig8GgI z6e`Y<<3Dq?%GXuA-^HI0m9-*}7-pGdokXA=%;YGoR<;3|C!pe&tIO|-XElrNxFsIB zDM_eJU~+b3$wP>6VX}MRhH=O|HhV5MJ=p+=Ymaj5O8w*{F_IGx+k=ZhaWN!yH806o zLr_r@3iXttQW$OqICbsvf6l90l)7 zojtN>e^vrH-ZS=-J3}4Z6EAH|$PO*7slq(NQ@|rQ>73^nT?|lgWHNbBOh_;1F4(#m zzVqybp)jJ3P1RThx`@e*`8@Bbm$TH3dqleg+J;!89Vu2iaRWrt8Vv-hFV#>}X_+BI z(fYVPo6!Rrq$Fy4)R(Sd*Kb%;qYOed$|hr0zPN4>ovMV1wxa2p@2V!9HfnWp-J6cN zo%4cEJ}X+qck8EdCA92f|69=Wbu@R^4}(B87Yu@gEp#me(+@Y@dg1}S2Nj+4*m>wmErhX7_BYfPbn8Hmo1x>_{2#EHUFE@1>@l z=9o6S3gkgkColG>N4?N{J86Fd+wN*3ZA}`S-M2s2uMW<;@O3rbcfaWyvETb?n%p2r z2@Rg(;83UW*Yok+AI63HvfCdH+Rvqk77ubNG%PKFdSuqmCGn9k^L+r?F`m*6wibO0 zC^f{!ImuDS9kKr!&~gMM$hbLX2iBe}#`iD#bvu^{$MV-9ZJBOwKNB8PXOnw2yaEo*StZ&jMmRw#-qCin z*Vy|zQrlAy5}|2hk$=!3E>Kn4!5eznUEaO3prR6UMjUlKDAq@fg5%~NpVap+{40K0 zWDz~j3ax%d$BL`*dat7v2H(CgXLc z`py+VQHE41<>tgX20h!V4LPG~4CSrUJ8X?O*vhx)diJw`{9MLL?CNRioPg>cnL1IQ zIG0_z&+CC(ktm!4*#+)rOKr-v!1d+En#Mr_Fk!ohSE@Ve%9p6hFQ)G3YVY0?18)VMuiZwwuYXq zHLc-d*Q(^oo=Df#7HV!;%TQK0L}hgam5GWswKGjSsZ-^~^Ez-07=gLeRWCQdf!y4> zzMtNky1d<0y~9yeE5rc4Lkk;_FfXFgod)%lNlKEpdqBC$M1!-ota(cZ%Fb+cG?@6_;Rvlx`mNMg1; zTEo|MV$$A3iHbTF#S`i%4)0irjyfL2{i<*dA6bz}0qmh#iIO@d#p9|-<=|yH!h-_-WiFsI_NU=ur6Y7Z*co9G(HT@BW{%Q`{(#zNJ}gDS24IxxFnJ0 z;spIz7R2g^B&=|=8;3}`v9)9>g&)&zrhFj-VN 
zICy-#Z2Qk%VI!qqK6h#0+$a2Jx6^|kVP9czI6OyrT**}9{iSlRd7}Eks;PjmGOtg9 zGkAV-mF^o}H{EWAbC-D?&MVwGRG8eCdA%&WhrEaQ4{)z}{Jcq2Liy1DGI|kkVfy0v!L`oGaMS=SJ&j znG`_p@C;Z{VQ&hwlmIx?hjom}N%=M?F65I^^mKi5HWV1+M+3vfa!w3i#{fy-8pqak z3|~>$lkAv=1b|!kJ09%L&M{_R5yymm`9x6rZ?liQ$2gg(d^XyD&4$bg07tTzp&U4Z z=2(C6mL-v6r%R?N?wIHMml=f1oF#yglqhj6cNzwg@2{4QrjGWG&XWxWxt$ywFEox3v-w_t{nKEv7wG*2PYT+vB4ab_HJm}_aq z-A`U5J*x@a5l<^*C-+P(D1*MYznaj9$UpANR|%KK)wzet0Iw^}33r6O7BZmKi5T>8 zMuoaOvqb5%fW?}&WnpuOgGrzBr*$lXcLr{QabA=-TpcdO5c}l0UAi_b`4|?=Zql8~2 zO>;8M6|A6OzcwBG6C5!iDj=^7;}$MV+JzMrf~oA7%#TuHAW;zPe2<1`n=A*<+`o4U z?A_VS(Wd=VCJ*+?a4^|!G=FE~Mt~Ky6Z;p9^UpCA(Pb|tRG1(~6pnD2v>V!dIu@Su zD;}SF@uUx)iEpoq-{ucoM&c>d-4F~y&!#N`W8vT|dj1ZeF>{C6+A#h26k*26D)lyo zW0KoG2XxcVU;DXgEMw0n_`Th4dTQP1agKd8Bnu{k*d!|wg}tOrT4a*JqFyXJ86}9Y z(j7sb9hJBGSdI;dxxcR!QlQ`|(p6OGSZ9z<5-(hngek zCQ2I6HPcpr8K-l3$z~y$=#OP-}0s zNp|#+B3cJ3H>+^-8?_Rx$4^mHC(O3;k}e^!U$d=lp+@gm9H`gH?vDcPw51MnC)=zW zLK!VViw&e<2W%TJNT-vD!@rqD@;B|I?Cfq2kfa(tWhB=ZTvv$}U6DiucwM{1@3JZ# z55_~i`1Cu%ksdt}+|Myq@(;zV`OR?<+Mt*6xmsk2;Z__v z*#|7npqbN84zN|Cb|}|>`y&R6;gH_d8U@QQrPaKWrY)WSlX3Ja2Sq%XFm6snZ#0bBk9VBeEWiiw`L_vq>G~ zlxqcCtViJZdiv_q<83wAb)%_{Ja>r&tEK3+RHY%TCO0;|wC7TvfU9^zK0`z%I`CF% z6)B=WyMOH9GbTNq*q5DIlJsD8x>C}kcQ1Yt9NBO>r|jfNtIgcnDNcMV3-Y;uzN7d6 z^MQ3AD(@U}J(V`2?DVu8byFUu@uwZ9Q9A`6D;$75t(0~b^yKMfT-)ni$)EA&m5l1m zjLbtB%v|GBsJY2zz)?_&J-NzzFc-85uWMUXzRQZ{jp1i-@_Op3Om5}wO`OkD@oeDk zvW_nPW%+qsl7peg9CX&-cXxX&150LWG7eUQ+le{T@r5l|Eg@cuM*vpwxVp;c#yZ>% zzz&eds207EWlwk5!f91=pkTbv74YO=kV=24Ec&Kf`2AIi>B()x;>6p?0z zV1^)cea1pQQsUaep`_(WZ7#>n)hn#U(OVFRQVuP|!54`1^EW$d?u9R2Q_3Bplrbkv zUvS{T))WviWXEJv39i@31s)QVf@TX=em7)so}_R47oU(pQ;tpsJC-@G-8sRGy$15n zHSJ$WTQG#qqr=dOexO_gB8s4u3MclY?*w=ex6U;-sBUBs(KySZ`SV0s#Q*nQ7@9q{ zUL{>JJ)-mvAzT8SDA0a#?l7sT0YPb`P`36E!B8qtK9T&KV#C}$~T0=?~?q=kfmz0ubEaYtCEP%Lrm13x9?7i?aIiNFOAf|s- z@o_e0b`DKp5KYK zdiq0c^JO=Di2Ge9@HMdR@-u=7)URY#o|@v<5DDAHnyS-Fm!A zy$GA=5(5A<8?BpR+sDI3DzGs95)oV9D(<)de`ap zI(bZPG+WqcK1QqnCqDPX8PLTyTu3ru{b|9+#~Yn3Zo)Fb@ezu}O1@tM@wH83gQleq 
zFY&EdqF4Wllh;-D7dPF^>BTKvU+T4?_6gF6CDyiDb(J~XnDZR>Joh};Dl(KQQ(o*) zS?tnS>~c`3=A>NC)}G&Ctx4xwj{$>}%y_CQ*MCVV=rRgyaSbbHZmDDKIevF|jq7B` z8V)5^97_0n&VrTOPc~M%)H2eN5ogbe-B}HnAuldPE-dl&a3-z4*eGybF>u_}XxVu6 zJg^nAcdfQko7+9SZq%f>VyJ*?n|$f%ph#tvHksxI(KsM&!<}Jw5!xRA>^{Rt#1RfO zGVdysF~>)u?p6#@tM_t)iNC);9OV`(Y~)jVh@1_FQu?&K?J?3?-p*Ry#>Q&sRI9uh z-ZPfo)GB~=4BE)wiL`FX-m>QO;HPMXk)Q=GEI~}+Zr@02PN@aa(+V_nspIt3{w&&f z)-v?TQ{D{|^Z?D7Kw0|q_xo)<;~?jpfsA$9M8!1}O;esHUF(tuu6gRoY)@Jv{G%$j zpwV`0z3JRq^BO*5JH8%Mp8AJ~leODN-Px0*3_O9BU(U9xa`y=;rU*WZ?;*SvbDWj9 z-L$m|4g!2OTm@NiIe0H!pm}AC)iS0Nd)Lv`mW#UyW%Q9!)`VgL)FmfL`xIogWE8`;_FpMoKudrZxrkZSk+se|nT~Bd-9jl+@W*I6QWEz_|YZEuyYXmeFXPOsoBdyd-8EIG|>xwj* z=fDy^4OLKB#h#TYd`UCZr&{9(=rgrC&O2aXeutGh)`*$!M5o^e^MwcYLzFbmmOo%CBbtU-tp8RD>V@5A@UQ)g2KZxg?Vp9ro1h} z$Uiybt+B_1=G6GbF*P0r;Ots zFq)RxB3mSCv#FPFrI&BtNrhH_9AhAB8%F02N5^-uBMj5_E_H zeXv07p1OVCZuV1#um$y#ZIyT}l~~Nkb)~Ckwz^0*UZh*U2}%(%tgqc?DVB28d)hr6 zj9vnCt1*4g-pUoLGmvKVkgVu@yw~ZwC8X&?|4yzJPp`zD&%6LnkuuG;X%Wykw7= zLy!3+J@g%D|3!8h#*QlNP-R*b>f`FQY3M0H&JJS>6`5olclgP8Mp$^O3B(Q(x#~gklqk=HC3u@&f-kO4iLRuE+(J zmyG^uCj0lehobr$59v06qdYh(rXS86M;XZ^FMcQUM_eGV26=K2PpIOB;$T-6a^jQ}68@g%g}kB4$#Gzc!Imaa6K6R>{IdyC~2KK^yuG1hYnQ(o5z) zK8BC5xyCpx{^INn#o|zS8*+3SbIcf~bE$b9!}O>{?D7N)mU@wQXU8&U9uTF308a8! 
zc`GI`zWf{8pWk?qJy7$Hf=b!LG663pZm|Q|3)#)wH<>HA zw;jQnw--)Tvo_r{8)5fn*{CB$gYEFW`{m|ww6FB9eui~#2KW55y2qkkNyc`XH*yzonV)FefLLW=CL;`7Q&f>yaSuZb!J`7CE{#!wq|GJ+N#&X~@6 zS%HS*l1g)aHc*{BP@#3=0c@s*<%bz$sj-vW1*l6=NxNKgptGKA^8u{R0R70o3sms^ zbHD*>*aENiVO{kL5aA(8@;jtj;O6K4L3jY=SN3Ks4F0AE@y&fhIb}_NVt5b;(p+2l zlY&${h-c6Xz>gW#spA`16qbz>rRC-m?gq<;peVSh8v0HsxR~{@55M#vc&w@Ow3A1r zCW;)~#F{hGsgIM!3+9^pq^E=fSbDjdxkw*|T0ZP-pSBR}eWWkLCB5zD(Ua;uZl55R z5MmEFyAMxxo*(!u5xI!t%tTn?3(0dUTU;Ry8{JwqW$c@>{Mm?`rNyn3^Bg7iR_N7E z80YzRm-_mT`U34-)OguRa5E7j9WW)Efi4)tEjXK&9;Qvl8Q^dYChC@$XfZ<=W*#3Z zhfMDfVhsOe&KU@>HbS1jLr;u>i;yTXw;0XkbdxNP<=}K&@%L1bloDiG_4Qsn^5doq z)X48$mW2F2{#9z_>=m;Ub(D+ta4d%pB6BF}h;@|EL^4wsr(+;3LSmassmi)82Z?-s zy~VAax=ONtmY3wU_cMofRS_(yAX?CaQ&ECbO%0{NNaRS8+)z76%FpPXESD0eU&+f8 ziU^)=JH=*wf{@aFgOb}z8PU6h3g%NnW)#hpO2=J9VwARaGsEl7lD_?ReI9UGsCHGv z$SQX)_2x%=B_V&y`C6-jXTN-2GjvEPcB|k~EL~b-R=S1$RupWL(`r2LMVu%tYj_TA z<-WfIuXEItv~UmNtn;(59OvYUS&rWo`%Q31>xz9d8<};lVcMn5fYQnI1vMSv9~6~S zqe3e7_zyp#F({K5!ri{>mECZZMdZb=`C)%C`3aSj*8)=tZxmMVFncRF12F_Pj15+l ze4pzCZE$V75aB?B4Q^G`(i8$R9`{H8;tHAf()i(Td1vYJf2=075n+FQXT;R6G36KU zhiLF!Rm}3EJD64P-T;KjQSp8E`MnL{^RUvq3Dn!qg~Fav%CNX5^#J|bS-u}PPzluW z2bkGZJUJg9F#BF)R@(VtZd|!10)fj8Z8hu1#6B>Ia@XYllQBADC};XRwYQ$!;x`39 z&BDRS$itS%RJ01+WA-td`wZ8>P_K^mkXfJf@T768Kf!?xVep*@nuC`0daMM;@b^#& zE>3l)DkX@X$C^eV)YRLY8*c5&RNMDr$EFj!nMB(#-6d>UOzQ=dg8m0ws#BjQHGPE74M>i?p96jD`p&+ z)@VlD$?KZAG)_C$n}pG%G%ee6AF8XfTE)V`@Idgm@b7W9(7ouvo_%}14klO64dOEw zU2VH~yUwoH2%V0>J4J|3W0tM<4b5FuGwI+#fN_ zVU~~)%u={u?tGyD+xcE_#bc-7Pt%l65LL$E+i_Rk$o75*%CA7H);?JKCoiL3$AS&_ z&sCG-wCE4lY!yV4ri|kh#PS5l2h^Z9J)^~|144C?fT4skhU}B0f*WHFXowwka#`K_ zVq52?tP`Bu*T585rYcV?Hxt*-e9&b4(}pTe6)4#BQZwm;NE-~gPAl?q-d4+eU7>d1 zAYOpuGGEP*eoT)BI>L(AnCYIQ50B)Q$V4VSa5Ac`k}u$Zc26ZZwJ{~N=E3n`c(>^P z_VSKve>8oAzz(%&%l~82v13H~i%*qLd zk4je)QW4K?{9gGb9L^I{!T^dZ4*(C)+Nv3+ zw9et>6W8}1&rPgVPhyWtk4STyog1zP{a4bN*F2B=f^Ki2wB{A{cU>$k{B=5{mWH5j zNZ>YA^}?|JZH^V72sWy8VDZ3yMsgPXFh%%w!$IiWpZY3-2}S>?N2BUIU@oDqFQV4;ExF%`}FQ2v**Ik|npLzxCL)Ujl 
z*`v_OEU!MT{pEtR8PZ{SboyQUT?$oJ!9ecGc?M^?*uN~l(5PWq;-J-=Dm@X3TJL85 zf!7K1!NDPG1NtCy2`{V5odetH#>vKwYX9RE~TT+~}C0w@oMY9c1aZUWwc`iwM# zKeW(qMS_RYHq@2){@2RJ7D=y<&9S{oByw0k4heI8AUk0xA?7rO#B4@Faep4Im^JI6 z<>(FX6;R%9>2!8hA~8rWux^tzkAHp5?S}KECPb=RX#1Vrfml;B3b=1fyX-GI;(EMy z5@Tz>2Dl( zDF$uDsRiM?0R{Snz)$+8xSSh&jI54eSeT?!vpq0kck{{w)J}UNCLcm&zJF*JoUCcn zggQbn6t&?$@5e*v-iRztu+D@d4up5WAt=H2PPq}C1M@VE0Iytqm4(Pj%sYoS86L{q z-VI2*og%0wLM&89#*9;8XiR^%_kKgG`iIfh^I=k;krL^HW6~)jE(UATI>NOwBOuSEbWHj{##XZ`L=9qZCZc zHWOx(lIn87jG_#%tcl7aF%7Q_QD&kAsvk%#Tc)V7+6vnCNgfq z-fXM3T$G7MMh)D{aw{jUS<6(uP2EqF1T?Vt;_L#dNW)--rSL~aaNeORD=`_8b^pHC zOIOiLgP)3<{7`w?53u^wsEKB7%6xk3VlE2P4S{2E%Y11?(38h3EC%qUIr)!@Rh4+UIM$LoV+|h~?n|i=;;XN(Jk#fsPRMgF5Nd=ezzFLfN?8<0Q6{0Y z-T^gJK-*rfF{a5NoDU5sBW{$NZHd61ub6R4FgiX)@!)o0%4C#^&(6M;h0@8EIJ-L< z{$eIDs&5MijFMqjN18-X_?DkMal3vtSLxod{v^x50;O8*AGIVKE-i}Ego&a?0D!s7@+Uv-5cB>A% z;pShAZvj3!1qtTn@Xmg}!tjR@iG)xiUnrHXJ?5fOJWj$48@402(hO-;g0BwOJtmnG z-iL$ZuMqNxxG}isbH)ErV`m#2oO24alfBAK>pVqteP-W-2Oo2&~ z6yHuQvRRyO-Jx#br{&5`z?p@3`=m$$+9`#rJGz5{yMDyR&zeVUBAZ7ri07hL*SB&qEkk)N(tzfP=9%w zkldX4AowMHhEwnWlXW^uwpiiVgtO`;PB_emIJ-PFL0a z$pTXuY8_u)p~pCYpRR)4_##&1!nF(Q&UC2bbrJ9~kbRaOkF$2We6!ZrX1k%anu9G< z_+4(yPqh|js5C>YqS$19n{?$9*h3$8#Ztk>9vMqH&Pd8p`ty=7O^Ttj7*Q{sBpKMgv-=(m@49xfG_w%pjL(PxbdL04uH(D$QV(mFi22xr+yHI_9rn;NniP zaR}5DnsF{jBTIr~feu%Z_2M0F6@;cBu+tOQI5 zn7Cbw!ii~UBDYA945ZHl@2ChSnk}@9`@gK3jP&}q1&&|1?5>Lf!CNT2=H@mx;QxC{SIAs7QlwBU=C_iuD_Ut(Fw1bdj-z zb{Czd=J8o;jdo+pSF_QgD@a}Scj&JDDY=rllF5wiN7s+>Tdc9iy0^|sq_v3NiQyaWFYu|z;cyy>< zh9nBua^EIkCOIC}tatSd`odq_ew)J}Pv)q^i>AW)T!(5PCK{gcP& zl_(}X;s(ZQ)ubEnatzybpv%dUN}rj|vz)4$%XR<3pCmb+?Q-9Bf$uEBE??68UIsjy z*q}whTu~5Dvy)vT4JT6qa5UQb>e;&$0%f27lHCS@ zj{)Z4QT7#u*ng5^8<6c~W~fG)JrHKA9zq7shpS+yHf>%omg21Q?$6>KL;Q{={8;-7 zvd`1jipS!lRRUHkq*~YYd=BdkXa7kMmFcis%4K`Y`L^bryRdK| zwhXSu+l;osKpY2@f>gxt(nDL<$(&GaD2P6p(8W*CcR`xYQuOFiAvfX9%^vxOr$9}A zr06&46~&&k1ul_>bb)Ya-MF!g_iMSm5O-+hJwZY7VNW__F^pxJDY`})_I_j3AIsM{ 
zT%j5EEuAI^nvOWq;~ks1tMJ#1ZC&U%nQ|K}&v4blCMd6V?MP@)6Fu^bLv^YuXe=mo z@O+J{lC5DArynur&AFt>CNEnjwAd!K*x*Rv;q6{uuH{p6dvS#zE5ijHgSRTksb2g- zQ-c+ny9L^Lx)(*(su(Ca_S#&@yF3$Q+Y9xU>o8X@S1<8ZR%*_YQeqTMusv1TrI&T6 zN5n~w-4aI1+Cn8b|D-NUnb0a~aGP_UJ#PRhYG`&ZZKAK{Z9;UvetlzAIK34p{Oj9D z&`2*RQ4sq#(q)=~KJ_#_aR!iq(zh@zS8q?yh7*AaS{OsFQ$c{p9a6jKOL~{Ke1xA zUvt*)ck4YgReqM01R24{K`k=lu9JsMxtRqAw{8#6b~B3rb!JBZAO6s5fy2SJnD5xl z!?j@U+>$7SpO)eH0jU4pMgHu<>a`Ra=>a~M#OP-iRy=JuirS>88kx*KJGC}+^i|Ev zbAW4UV#ro~0qnK0A!VX6an*yvN*lB%)`8ZvfXcBbTsK?B32Cy6FMPbhcyuA!#7-rD zgM6t%{IiMYbVc$Q^0y&2k_fbwWMxIkAbsF)O@@uj4!B$sR|=L@mE3W~s9zQ@9(#Hi zEw**dOqh0=@N-plL^i_Uk(QP7f zn_r)1-+uOWaq&^vef@k1Wm!U|=&&#@#a1oUdQuL|u1S5g*3U9p`H?buN$2M^m}1k4 zJ_J+RZpB&DiW{uCY#qzFQ7qxUrW~xfdiEn@X+lxLzpwb_`z@YScY{KQqb~_zLBTYl z>5thrL_NFVQ9W*c(bsO!I&DuE8xGxo(JR&+((cPyIB#gx9Y^(I$jhAAiSuI6J`KCCiSP+;z)*uxuhk zBZ}h4hLU_l?hj!sV*$WC&rJdX@DWOfN?cUdPpp0eUX=)R`l*nH&IC3o@OC}VD=_>m zT!~%b(5`eIMEjDd0Kt}1RF+>uv``1g6&dh0fWew-K>`DMEPn!lU?7OT4+ku;hPJ+y z`UL}t?iROPV!$Vk3+V zNIl_eBL3)5gEI&qQM@9Ks2@J;6&diIIVzQg3AaF=K5ikLHo(Emmj^M4oU6hp_}(`n zKiO>_3fXRWIJhtoeGjO(_MKB{*Ys}sN5Ogjre0l))Y`@uKSedf){2|7AM#N3HDh&p zL8rCVvL8GUhil*JYC7yV@LBP{3~6lfMNW_>1B7cEAuq|9bPzq3@1L3BIbR@gd1Tb{ z>a_A)X2dtof&4GvG2n;@XWkG~Ib_@&?J%zq{IgX$m{wRo-m^|~$k9(AxGzrY%3 zDLT92)b{dSejjdH*eENJnO`VvshcdZX>Y!k{g9flTrrj1nTX-G!EY7CD&ky@-}FFy z*F?#kTrFyci7kk*aCQNc1DUh_x6&R5wri%FY!=0`VB z^$fm>h9Ap==jRNU)9&B3BZyv?Ut!^WPnD_h7d`FhL#zE~r4kqYO+MgOLuYZZGuB*Z zbZFaA2fz06v(}20^dHqhyVdis%f@XJk3}r%avz~#s8#iW;n!iMh-itUA7@SrJt40c ztN%yiX@$mV%e%;>=h}g<{#^9zNpy>S=J|}4=N=GqDF&CJ98%}{FKL~UhSo#~d##84 zVMAFA@cam1hXVvVoWiR5H+FNorGPkHMf0u8mDO-BJK?Goo0!@s8@Gg;UVqV|xhdYZ z`!8tr;M4lqECM76%;rpe8KOIvl^1yK3=?jQ5s}J*KfWfNcB5a79G!(Y>2<@wL)W#v zt2C2u&wY{G-6gKQJhToFOJb`>bT{DbUXz-_9*F1ZA+$j6=&*)+U|#t54&9ZFCU#1Xc*3iBx6rMtSf0{{5JQ)p=($*6%c>le3^wG@ zg_zK#=jjmFI&bi{utd*+nTWf_fe;Wct&nmmz_zmc*4i?UH^I3$_|?CPRDMfjNY-ow z^Eqrr?oGM)k+)?Z`{1;R(~{MJ1fe%Hb6oezhi|0oBE#NYIi$rPJYK`E@BDrnma|`Q4U4isG06@U5n89HGLtpd8q|f3!q5M2R 
z2Q6|*Y#Y6#C(z(`P6UM1-7#qhiOoMBpuunS7yz<43JX5Azts6zBB4Poz7H-~=r$*9jcT(urC*(H#_U4)a$$BoQN{Up1DA{F&d(|l*Pe}_ZZ|f8b9=>mQm(U#F$+%GW5;k3sKFmx2(EJm=LnB+8qd^<*Pacd z_B1xZbAQHr4l5DBry?u$HEA0M{;iSxmW6R3l*zjIq-1HMGa9B=v=1aNy>2DarHq9K z-z?S|P*k!J+q7SsBrBKfQ{(P|o36-&c2*wLI1?8Yr$vJ>=HzE-iL{?#% z4pF&l?IZ5r?9E8%ay<5p%x(ZTy9!XfMlvd4oy=(qlQHbmp~?b?FS?Pvx)Hem)mb2I z9CP3XF+tQ_;O%ScxsiOA+E%(#=>+dAmAb?-*}Nw00p7)Jr8eE>KA$_A(4Kvr^+PU{ zG$r?)^_~+YZ=uWV)hio(inOR3?sfrC*66hOD}IH7>i@UZrSFO-HfJ=!6HrmFYz&C> z;yBW>tsS&U_l8pN12({NYY^fqSAu%j0LFIhd`Bx(5z&1OT2!t~6kK3Zi=yR;+Eg-& zRfokieM*xuyTW)J?^U=I)3S8!ShPYnmAcNVGRHzZ327wnF7aM%fVh<=@qXy~mz;J( zkU#O1g1<4tK3vf>Dw?uelVk`Uhhso3oOOQYX9kAJn7wq|G zw5Ho~pt9i-*NWV?ZfdL`GrcH3HcV?U$2JF^8|A=)XoCw!Ke|M{^T2p?25WksNpMj^ z&(RmF%e>e{{_@V!N-MpERc_bZ=0@tAnCHie&2(8&+q3inV@peEM+dOY^;=@AtgN{e z->BvHPYI{v{ugDi9@}yIzYxZKoQP~vf+jU6DgUoGL47_|oq|b))xy!#R=Zx_K>%aW zx^&c*6l{;8RdCG|8DaKude5?)WtAEu*F?z_TvocIqNJ3rT=3_H!qQD^Z(N zR!Z%1RTlg90F1y@-LjX(7nKq!vln%KQq4uoy57*H-7}Ndf1&K0fQ%Z-N6tAlk%9PAJ z37}VuRREX}`-AixfipmYsEye5Sa1qx{_V$5lcu{;;TF@Bhu?kx{XJI^I8}QKu3T%+ zGPw%Ksgg(2ZY8^z)W`Gm2mwntj`CerHM!#u`vpGg$-B>=yHN-sCq5hRuRB45OD|}! 
zyDM&R5d#DF)33LPhXu!(=6}Qd6Fa2Eq}si-@i2Sj1JRSri&|df0jU3?^5x4$W!e?O zNM7cww)KP}d=-!Us(|~p>WNE>@4GiX{Tgp7|3YOjd*HC@uzHGcz`yA6bI8NQ^KJA) z`am_71A3*dcEeCjp18PSXxy3FY2$1CZkd_>URnNnc|6tq#|_z2!*eSoX}w4Nd@%WQ z)#G@AsO@1a;!tok;xckN3rS75<#OonS_E|3n2WF^=_||LLTPhGN{#izM6>xcZ700p ztNsy>)HE2=F&w-_cq)ElQW>R@Hi> zrN+wTQ3j3HV)H@Yjl@xn(&P^H!x9Hodmb1}S*{A86lxI;z4CsULa^W^?)rAj_Vw7d zOr@RLjLqP>_1L-z(B#bmdSGHhVig)^eB)#KWaAagfYe8M_nlh$ow@q5z30L%S$GhS z1@+YfM6P>9hejfgB_d>V2;O&OQ1N1FUu?@=0D@$Ts#aI3Rl8d&H70-<^3ule`t2RN z3lzEr-&X{BO8g5ZA7t~AG=N|T8wyIY<_h_M-nkEisVbeN7|h?D`H573xhojGzb}({ zc6zBkBZ2r22m}*oX5$6c(E7fgD+U$?bf2;zPLW6p(;%7idUexAS1T-^WFcuJX!MFL zVeX>{jZ_3CkZOf35$$HcpG)C9C~e~`oaSPymhmE#V{qi+^Oy>NYGv`aMXEndJb@vMFPBFU3x3#ztcjAN76+>w5Cx41jx9P7>% zmrcbkUT=9ND_MH?<;jZr;7+C%2$nE>P@OW0Vx(X*Nq*lDw-CcVLEB)UpY<^U`p{YG z+%y3^wsk+>i$Huq3xi;a(X)8B>L|BsHoYzqZ#mK9F#P;u+`|eWNxtW-phR3rAa9TR zV9FF6@}mDNn+#G&Z}e7$K7wJ;0wmnq%V&X;@U*ypx$N{vaUF=RlrJ%_1nTFoM{d01u?$TX)!n|Ev1= zt}_=waHR4Y1V7z@jh3B8vbjIrl?eY;Spg}&jr)Q?7O$5lU!o0;V!HXmI7o;YRrI9E zM+4-~ldQ*>1_Z!(r=vzKQ5QS#CZTqO$dX~ho=SPvWs)a2eWuf);s&-v`As7vxu~58 zn%ru{4HcG%NmVQys}r!(DH#jTdbu$_@941YuH}kbyfTtT&>}IQG6E%OufOfk8{XVr zgiDnrU>jTDX!wS`zd%~=iPTQ!E2CC`L<=V0R5Z1nR8=(O5TSy_YX$n=xBcpQ3;Q#F z*S+7&cuB^?PN|AFtlVv;$DzS2-ED}0quqF{+b7bzC`;v3>BIB zX;=e<5O;wJ$lP`u-b$Y#sK%{|W`CE&{k$Z^%^Y9Oe7^$|Yk@dP{bl#$qs^3xLYD{< zz4>(e=0Wi3EprYnq57fv@y>=Jf&Dx=d;qh+hN6`w$33%SWw*K>nsE3)%YlZ60(h zh6i_AKBixX1D>W}1)T`QDZhNuBraXZevG7O1b14YNEgiv_|fUO0Hk@M=-IQ~gVOQ~ zwz=GyQR1)D`a|4K!_3A#5G`iSGp4 z`h0?6xF?}hBk(U@LR?GD{f9*=9sdGetcShTmLAx2{dlbMR)TxduDVHxQDW~;Z*YMA z;Q;XDw^75ylm2Lkp^3{zGj(?>>l(7I=ZhAr`v zuH}+2x7WE_08Hr=RwR!(`&+PXZOae-%iPu<^-VHs_)Of$Sh(-Oc-h#m?Rinr!cSR+ zUp4!8i$#k?^txuIT(^TvfOo8VOhG$B%Z1>4vU-JNF?gIyVVrC9EEuz14Aqf93*FGh zWYW_u!agsQGV1T8X0nTo$2_}gQI}?YRV)eX&3gsa!G246HX?vorDtbDXd1tu!ZoJ_c)u?M2vmW>2h+YC#db&! 
zwpo{(^Bu30vMT>GzN8nR^?%UFFR#@;@gN#3!G$oe}u5M%T1!G{i3vkF`~s7 ziH1aMy3#V@@2)fa%K#9GH!pI@kU+cRATwjY&;kx{@_a`pA#4O3d_kLM#}$&&p-Mb9VoIGlAZH~z9n?MH3c1^{Xz0K57l3f5!V+CsA<}lF)7B38*;7p5~ zSIrX3I*=a3!p@!KnScvPN;~lr3<~tZe*?zg>d7Vbho$?18smA&2^qmCO#5Z3$h(NJ zuNaC%-cD?i%pRgX)^&l^m|tTheM*o{RszIQNi*P>SQN&JK~BA|graiF}Dhx85M6? zw6Idg4uUZKXV0Md+$@wFiPGN{1F00iRie-jT)%=vC=~i#S6sH z77NVCaHPg~__v;;rQYz6BjWBOAUoriQCp!80K$JQrL6h3V3eS{hJ09|Ed@=d9=eyeI zUH7&%*}eVV$$U3AA(h?J*tu@!#1Qx)E|$j2E&()2gG)2U;0rVcbesa1YQzSa7G2C;vB;-%*dIyA=lfc6H< zK@UeaA>B0w8Kcky#Wenefzn6{Hy73@RB&wvTP&zT-h{F!3a-&TR3qX6ML1}sn&hxp zlfK!mg;?#;-FKnBOP>_nq*yPWzEG_$*!`Paqvg@N3}q=(+0p4<8@9Tw?Kx`WG3_kB z@2XwzGkRaUf^|@F?df`T($j{{WR2=a3nF;)T=4uT;9CFYQ2%C850P>{YKK>Vt?WUSRn>#y#e$aQ zmELBPcyobq;Mc2~54ejroI zn;@()Q8Pyi`Phmr@((CoKL8891b1T5g#I!*?G zlL^h{%YX71>i+Hecw&1ptxMa()T*1lscpzPBmG`G@W84^F2@tS@K<3&OrKE6D04W< z!LtDKbV27&LDJf4{9^q`c1``4uiG7aknxuq2TvAinWm==xtkT$0hE#_Lq6E*j-h|)Ors4RYBST{ej6?zU z?Rz~MJr1}F?G5MJ2!YeYgjgwzd+pvuqPRUS*Y{Z{mbPQFWtBvRW-!GSJIbPcLD%6D zaLei8W7FZ)jq+CyxC;h!#au9{0!OeN=00^0BZM2sooikEfrVHD7bn0J*Vn(l%v<0Y z+sjuuB^S5PVnFT{xi|433=uyV*YPNrO1k{IcnpJ&qurKoOi=X0RZ4uPr*f)+{q7N= zI$OXV0>58*{YDa^Bh6}s@b8`9J#f7MXXQx?IRfQifB+IfIhP5|_qwxgi9q4@Z#NIS zY+sE1B!j=u{~dv@)uI1eh6Mm{_>X<@_y4ngSULVDOGlH2w$ z;Ao8Dvafj7?}=&lkV_U@j3wuJwT*&~aFI1TQgNKqfthh$TPt*1q+Ts;oWWxp)x+G0 z$-L8iD0N(@P9A(W-wl?z9il&8ZK6ccyEd_5=vR9l=qJ@}kq_v<%41(61U_j+D7M}cE$lvC0X8U;fa5cu$9Kr%; z-uNC{dDi*A-kWRb{o&>1_4iR+|4!N_Lg}X=Li9uz(Zd;w82Y5_o%kciMj~_-gk={@ zv=ig$MuaqvV9n|YhXqp;6ye9{$X;mojg0p}S%|im%xahhX}FmKU%P~X1w}gC%uh4L z`S**0S5KbEf{J;_$rDo-K4NM*VY-s{Svt&2?C$mowH(ZB%pMx9vGCHpp7sx4tz!-M zTJYrK5E$w45@2-V{_&>?NR0NHIg=1_N$&KN4{;(m9?l#zWG8FwQN+;qOtqm`DMI4( zQO?Mgd-2e;V&eKK{4Uy&WHp5}eE*6Lj`9H~?-}odlcq=+=Ee)EI?2$6tV9kTj@yHty$d977g2$_Ww{WE_Ol)AjG_*(vjSabQg_&Zk|}?u z=dhm%FdXe=(hONuLCZrQ?QQbh+2NDCvd|THPyNVprch{ij)X}at#f3@($Hn`F{3c(6HOXM&TcL_mt2Fwp|!&4=2~;r|?hmA$h62mA4`@|g5-ki(**V6Y$O?SO%%SQd4e-Z4y=GkB@O1^_GzS{ z&{Gekw2sm<@0Ah^83Zm^94%we{}{eZSm^PWOA+Q6G#WgRW(;0_S;vu!w=xh`;haAU 
z^`+Hgbd43S+7b~X(lRJBfT36OUFyXaK9u$4FNdAvLqk*6;!v4zA=X(Bp9%l|BqLL2 zdo6> z(beP9);m`@Jm0b7l7@7z{ZsWvR(1#aIbT8j4@gWdFT-V@$naPdFpiq2VrZ9bb_`D$ z>n9M7cduW}4z=@>by*<=O{$ z(gwpLfY!6CqF^jf-jcKLIuerG)?hzHTN(f@?c%79A^?2(xJ3J)1%ME2P|jiGd68{f z`%(^2&}~l-GlvYEUN)X0aJ!d-p{KLq`~G?ZdnCQXv!gkTZN&_E#OoSD4J*P8-r>Jr zIeZ13Z^K2zk{*3Q&}J7;_-g|NF_L@Ka)5L~NAFZjOamT9M00ta{jQREowyAuhcW`; z3|&m*K2>y)TD?V`$m3VoOkjnkKJ|m?+Y)6KF(xoDRlRwwJzdyl{R?%OJ&|a@O zo%Zey3YZ3INNr%IuK9b{vA!3-*Ns}xMHd3Rig=T|R&4c#e^Ah8;hxAC z2zTN6nrJ;WU+b(C#3raR3-$eU~37e}N6E!}G9KAQmwr zp?)^Nm%jT-6Iwp+bT^s{Pm@FFhk08>l-y_IgRgNWO>eZ+dgLIMsu5A-bU-q3vE>4- zHR@oEKxYzY1)A~TDW*qrX3FysshJ9bM0A2WlXDs^+?1eW|2~=Z_gY8Wd2-@O?fzaL zqBS4KtvEm+Ls@%Inlg1L=W9aylP(#SN`D16yftBBE(#b*m`#!X7;n;09g|#)z;D;R z-Tw<&XXffCzvisITM@jthk{h&2n!S&_^;;B-= ze(O4w!GbG)#EIZ3NcdW!(CO9O#-~c8{lNO1U5|);*CR3!7)x5`q_IjS=g^0G;lJ%L zSfJxzlf-2quL8`_61_%X_H`RS>Bs~3bb94gl>s`j-)_`_-7R%_4r1m`!_A_(yjgec zP`jC9)!IVu_(iYwvfozuh96bnEewJ6a;cBQpAoXr*BGe4Boee z(Sy9O$~~cR!x>ffo%RJ9cwpRdBoRl3{GJJo+ax(5kjNTvAP&yzjT&^oY_sQzL&=A( zMMD)4=NC`V8Swt?P)8#k47p)tangE2FN^<4<@^w&el2s7_1}3P z#<2b^TW~+#{~CNZmHg}NY^X7cp5<~^u;6@Me_Jox?j&7|EPS9|eAycIMpeC_s*}6& zg@0dnn5fh29J|sXTKtMau`%Oqap||hk+%R0+Og07$$jG^VSTZZ(V^VY$+zm0)wXKi zdntR~iC^Mf?GN{sB5tRY-@$wG!|qypU0BR18DZMlmRffWdGT0l4_0iWK zFA(I&)%2jb;&v>dO^B#Ldy6={vUJ%z11bfXBpvV=O~Pi4RI#HbkSrZ=8BNk=g|uZ$ z)o-1+=WYmzn+bA@C3&|&{I(+ml$9wKa}wt3z?6|Sq7$yL1bk()e8>@hdAp8J7{Zc! 
z_}f-GD`SbAIstoykHTEHC>J<_`?wdZCgHBM44@3=F~Tf@rrh*Ohw6qi*@AQ>Wu{rB zCji2Uyg@{nhLB$-YHvEU{BHz^r`#SK;=VtG%-U#&5ECnJ{CpX_ZEA-lDN)H`L%nrM zKAWJ@RrX1Y`AxFHuny#z>QSQs#y4iMZy<+xicqI9fmUs>D`iuYm&JRMgWk!z|I>wk z6Jgi|pg1Q!bs}i2t8uT&W--Xo@%XX$@!r*A;J^hx|G3x%zd9#*C2sqe^J^PYTU7do zNbak2)r&Owt(L+kjiq<0^6W9vB0ULRaJolm?yHX4b@yGAqGxH-4#hH~u}iBY3sk4+1@ISg_BTZOj!=%Uj88E zZPk_L-I?!7&PNour-8@fnYNUUc=Ee zqIUxg#5DV35(%~m?36-E-yeG0kl`5w)j`QQi});B@X;*xGFi5X{RYnFxe=JuaL;c1 z+k6bV#&he3b!zmB4N6fLO^Q|iFr{NxfjC1Cz{5yC8z=#%2Min~2vsMILi=YYYlceATM*KcXW| zfqLT(I}C=7It2&POrrf3?bg}pm+&G(9SKyJs$J%Ama+d5lJ=~Br@RjJpEz67yuro4 za^hr@E&Wf3=0njW(^gt|q&l3QR$H&bZxQ#te6md$fi$m_;L+M8@TLIUv-kt)K*Vio^WhyOqf8sQMzFA(QBmboEf_W4MWYCYu<_hwdL8 zt8$R+2BGx$P@N4S57d+NwngL};7CrTmD8t{sLj!~sap_9wnA835w9;gd@al#9_ENS z-ON9#aAxvV1z(e^mo633*+wx>ZPECRu;*Fs@H1?=qcEm4f!7c~FrM*i`b5Z14#fM} zf(o6BRmo1?hMpgyL4DM^Eu-c*#00mWB9G8>Qr%9Yb%a0 zr3hTp2pV>Gu;B`w{CF0 zGY^Csv{!%rKGe8)71&+jH5neRI894mr{VV!$$dbTQvRU+!t)r6&U_9Wo|FA^0vBpr z&ZGL~w*bbSVe&6$k>H6ooo$M|lvibYjgFxaa^{G_Rf)ju(G4`hU2mZte_L*RsxvzX zMsCU7>E_qm-z>`_=N746f~`O_ELrVZ811HpHu>u_GZYAmB#n(t>Q$p%{qvpZixMn- zaV>RYUif&4Tw-{&=yLvY9($ai@)wN}gd$!1#Nb5Y4YXb>G}yZW)x#Y$7^M z+SLLTMjvMs+ntR0qwv#k=pDM?@+WG2ynvyIa+z|OmepL%2xp*5urDH@H*`s_6U~Yi z+*dRy1=6?y`}e!Iz}-l1&+#?&-@2@JjXB>TLU%kIlf4n+O*zx)WPc3;tZf-{kx|oo zd+`zUO<02ShXxyODMl7eCTl@P3Kc9AnoQQWS?Le8px-$+7mP!Ub(hyQ%zgg+ zua+2D7q9uEYi?yW2Q5wp9X1aEPLF!KFQxtKL|vRw3B3h1{ig+ux$Z~pIk4h?FJ9qW zFbslObM#Wcyi3Ms+sG%u?R->Mg(m*Bu4m_W`u;b=M>X?ARrV3= z9CX|1cIdEB}=IRwD3Vq z1nJ=h3RYU?b2?Vn(Bxrg5Td@{Ht_bZ|NZ{fW_Vkjrpev3yc2SK`v}>=SqMMrBo-?o ziB~x-1)VxQBjrPa(LnRLR<=?{Y*W%iK*=+Q>J>{JP9P+pQkt!@Tnw} zwS?yuPB;#2OdzLQG+n&8>;-Fr{MNdA&3ob+!0a_P!iE!A?QP&cQRr-E89B#@Qz;E} zD|SwP*Z_+50OAkD2MJRTe?Hvl@~H?ehU{d8UX_Ibl|3W`h?~%)K}tQRS=s>x>`m^$ z%aVUaAuK*FnSNcSW3vige>Gck(pVZ8d2B}lM@{;C>sS5y^*H+h6P+3f^dL|Y(})$u zbEj=8#neL$Y$XK7Twsh+nJF&DL#rbyYBH?R!v&S)t>Lx)HY*d6SiyUG1?nUrA|a(F zdpH%V2zXw6?yMc&rzx>7`TU$rcl9zpetq`5enXn~w6e_LOaKzTDzpzF0>L>3ANRD& 
znwX4F5pwoR#76*uG7UB^+Fn}syH>XB;q7nYmEBO;o7QtqcC2{F0@z;gl(k;QC|`91 za>^*#m49E8tDfx!HF|Os#2V`SShSK>MQA%l*y7COyIHe79@KK10*SnrYrD$d$g{#*|E;(XTPfymf!itmCl z)5!oGu5sJYcgiZ|JiWRoRCs2!GJ9_u$?g zW>n3G4SV5iXqp<@Y@VgIj_~f|Wdft~nd^~Dp&geUN90fNGY{7-h|EU4`$Snl#b_a` zg`d1xT|-%`KgteDgDBke1wQuwRCa`#q{T&4gwL2u4qbJ8dag8W$`kM&dgYSnWmf0WbIqM6z$+)G-HrJ2l;ALpMHfQ@^R?*S;p z=p2jPgVRVC9`?(1`KW_N;p;05OT`Axxbh)!y&2DzwY@#6+cMV!kQN26X$3H%A!1xM zAet@7DeN`*$&oiS=L^A|wHyy1wQcc+lFVlO;6o9da1hL7VI+R ztD7y`F+a#2d3ZvE_=Woe!~nF)pki|@1J?&3PbC`L@{nxR8xIG_&k0aGW8s&jPem4< zwRK7JCrn8x^$DDCq~v*W|YNqxe=d>5L^T0U%Y(!W&q_^KG&S4a#yKx0+KUp9wb0 zKhiqifjn?%pJA1+_OY5!*fUTlLs&MQQS8&0xMM;KxO-T1c+q$UUsb;HEEKm&sF$cM zmg5rfOB`eAyV2le_aNr;%m1f`VP++WL=jJtMX}q%4T@$xwif(jr$7(1n6TCfeV*G0 ztd~$1-1m9IzGsYfVV8RdX0$~ZP@{G|q9t-G8y&$yjxSd}bGRJd$;G-jn;UD4$6ySaoFyZY6+F#Y*zr7w7-jCKMk zBZtZRh4ov_5Z1ZzZspT7;|eBm*R!%>UhL-I zl;ea_nZLqr{+s!!eqFberTryz8|zScD@Q!vwJUXe5c}W`nxT$bH1i&CGcE`1n0>0R-w&JSH}2@i2O{Czmt+YmxgsHNL}_{K|P zLgNuvP{h;RiuQ??K~{W%AaD)^hgZhcss@m3p(nMzUH7y4lM6B`^HOle6}hKmxsOkq~bGLs;>%lyW5VyVsDNa@AiJzAN1ZBc@*I+_Qgx z&twe!B+!$H8qTJ{h6Q1wJ&FlB1hv3VxQ@~ypc$ZTa)$eIQt4*QO4Z#M9d`)+s1Au; zwf0Y)?r!#(dJ|Cnlz8tS`TPU9+R=w|sm$tbW_&Q#Um46r;~@LvR2aFlf-b@PVk-Qg z2`&Ma4+IMLOhHzDqA%YfO!Sdw@k7$P%;JV>$nHou>*`C@=i7Lb*9B%t+6;>Bwx9D5 zb7m<5X$u-ik`8=QWeVvcrj&(@M)XCL?tBhgq*H0DPW2W+OEr}l(xf@7+r3p{Z#685 zr7#oD(91*<&d5u}!7ikcCYcHay!em0rBPzZBtP{rmn1H$v*HESJn!#~kLC+tv6V2i zGqv6oI;Dj_6}rh_VN8C-fE*y*hs2%waPRb|jHL}va(qf=962d6Uy(S!)->&ww?eV! 
zl59C>34M=N-&?BQi9Gwlav4!}w1nR0Ci<)4ejQooE;g;*l-z%>N)U>FLH~O!&_^V~ z{0nf-0(lhBk)#{mckN6$ytAH zg96o$AV5+nSoU!BlTOiY%-(b6!LoNWBSU|cE|Ja#Iw;yMN=~{ubJj(JO?kIci#VmCgu~Ek4F?r zf)JE4DwxT%`>J>ho3?v81e`T!|zF z|2zU8t3#M1TO&Z6DI7^S4@?R@+#HdAo|>OA$}_#`E@2%zF&3tB5;8K6IAo3uG|&=m z>tSyx`HB3dDD`egcxyraHOm%d#+ z!hp{vSwshutk8T7;;_5mxS16$!fQb zIM{wm!j!sMY_!-Y)gl8gE2j;c*jU+^p;0i=-@&1E)+5`EGD)fE*ikZ4L&1aU{`qpX z1I?z{hnEiYmbLMSv633LenWVDk*~=#0it=(ZkKh>$4<*GSCs`#HDJ1577@~93#N!zP>$^q+ zKHMbF8q&MHz^!&@_0{w(O==Q|w^%l!@f6n$q@Ab-Yu2|Wf z5p`9=eR|oXE18KcKr1>p&gSo?Kv>>_Ho`8=oZ15FG~3i&RIiGvWImj*j=z;N1dT4y zn!}_%VI}bc)%Lk|9kp~c`y@?MvV|m9eOaj+{Y7;ARDznsK-okCS^Dx|u=*o(fNudA zXvD(w;l{#2@fiIRV+>QE$;N>%#@!-XtO8}E$yfxZH+>%@8qknZe{na9tk^6d4X_9g2ZIsNg;+jT8`wjFAF^d7+I8o}+s6K8b#xhD zYs1s6Zo-k8A00Bt)0jTp6*zb>re?M9f=cGyqPv{Wx3DyKeHfUOVewZ`e2NKn@r1;C z_$7n5TAZQ2`#xw8&XKee$(lD(rijwq!4Atsn#8FQ`45%#%B)P4FLNl*VsE;;g;D0m zL)nP-ZJe`j&g19hD-dj_|6JnvX-ziYsZAau*4b3H+4|Y`nRhd~)g)0WuM$DK-e5?> z551D1^_gU4-6|fIFXT7Mhw@LMXQ{7Mt1pZiC(gZgUg@Z-Y%FI-`@e#akY{x2YOJK^ zZav1z)eop~{%W}TjvCYAOMd^4=SdZ0tG&n)otx0tozv}J?R((w>_NUkH-@YF?t-#E z4diGISM&<5;Zo4LY%Ysz;dXLzZyfBW|G?^B@@@Jq?8^}5699m-e@^F~sXB6QMc&>5 zHC7&RX?vm{&&)oC9$OiI9OV}N^f|jLNpHj&t{r6#L0YM&Y*=g6Bl2-q`DmN#B775!$I}Nxg8nT%&;_6M@;i$4m>nVog30G&vp)taX zS1Chjgy$D2cp9DzYHxe#%q|UmAc>POD1C|IaWHhD-B;H2eE@-=QRhe;b$oq({=?Wn zSN!QyIu08Z7A}pI;u9$i{RaNUn#<3s-oL8awY?R;G`}(kUoaoeTU#l=)Khf7{cAou z2j80{C|?orX>3IG36z614fZa}sIK*DE~Z+zG6Q+STE!d2Z24ndREY2U``i zH=56*-VMrvO-yK}P`XM*Oh;u)ubiFJox4RY{xaI5Ew7T)+qWKh^bK(*U9bP*t^s^n+v=SjXP-`?gW^ekYJ<5APTvsgTC2 zNjS(SWF~MW9TgX0N>mgR$0T?q9hDXVklZH`%PGVq2qYTQ&MvyXgh@et;IAakzd29*#xO7!k7caw4S5{f9h#2vj69aOP zkl7V*Sgfep6EIWiPPPF2E;EZ8DwLsMBCaKCRG`VMD+WzWFiI6%T~z;@PmruRP3CVU zTPfP8rcz!c@*eZolq7wjT6bFfytwnFsKg*ah+DXukc{6VSVChmg&Qg^)d(N~L-X6p zT+(dg*ru@QL_x!RA-_QWv`jqDfHFZ%qJ+_s957I_d_v=IaE2VIEQrlGKz+cL1!3-_ zF#zrzK&+J?*}$n)f8kg<31}?#eJ7Tndt6Vj)b?C8@gIR$LW1LbAuDnhCg;PM_^E8Q ztL4Mm?e;<{lA9tMTy6FM-$~ZclaPmVFA(m&hANR7G6pi0#*6TLsgDo2pPG(@NjT#o 
zqn|Umzu-p%3{?g1ouITBCYRH2kH{qBfoJYXy#;%vQ!1xFp}5(Wn->=&uQAm&h`XGv z9v=7IlM=UheXqEb-Q9=zr}Ac%t?-fC#up|XkhhnkuJZ}mPAA(-jJLpnZ#$Oz((Pfs zXlCzbuwXBj{@@{101!v?BkQ8^Tg>`x zt!|YxPdGk0XLkfS9hbEwx<|Wgqb)pG^tz5l@)M1<$r;?^T82TvaJo{O_VxdMo#D`G zyQCy{ai(YmzEOXwsWc=%0w-xjzENvx{onQ!fzRYkYO>Yw7XZm8LT~d((*J8$o`7J> z>Q{Rl7q0-^rZI=ta~VnC2{4b&6?Re06VG8V*MxZsh#Xh$$Z4vL$@$vA_fq2nH0AmIX=fw` zDd~b1z0FBllYlG5QL*_M`fSYXP{7y1t-D5UC%pN%z=uNbxVOOd(bV?d#Ns8J>1 zfbmcHjYIw8i3qYBW+bt}yk2eL`FOtKwhz2A?9N^rea#j^W&6j>xg9W}N`IL_gYU^~ z1@+M!8cD?x7kv%WNM5omGxbAgI(%|J1bcBaJux-6qNoSfn7LhGMG`%j%7qgl=&w7@ zK0@>ZZrgq$^-r`^!}tVtQB#N8-L!SPBHv|D-%D~vXskzQ`qw%=uC)I|U(UCoMH3Ba z)+h!YFr9E-W)K2FdMlFjREmFJSW|!a^Rv7&wbWr~`qfW*TrouTREq8{&pH1BS8+y! z&$P`T6C!=gq=p?tdVH0jbz34t^F~kGjF{+K>BLSCo(14)&&@f1(x9v$PRg#)4+seC zs)ZkSTYh+2YCQGyJN%ei`5>Q<(wvut%ujkeHH6gkcEShe;-@Iq*#Fnyw*H5^iCW!Y z0oo&v^BE5;k(u*&M>)1vkmFfCn-UGvAA1Za#kkCZ$JxHIG+d0pfwe>paxK3tP!3-h zk(rD5Mme_6B2*}J0@r!@pWKh<@JhS4zfn{d@xtU(KFM1C15igQF0XmC9&zEk)8~p5 zY*_(_;;~|KaXlI{0tC?QRlpELr_W>V|Ww;o@17~>ieZ27P zk4+!!e=t^w4pB)*CYjeFFWw1%(3=n0qNL8^A<3n<+ChTZ$EL4kem|LaW8Tl)WB6~@ zZZ19xz8>iq%0)@@>E4f6P|)yO<@C3x2KSBssL%hSX8Je-^8xa~UDX_*LPITcA5CmW zt`Q=?60*$q3TTeOmMp}&yya07apIT&zLcc02UsFQHgOR&?r7Moh>!5r%eefN2MEyH;L^SgZb?x`dmTu&H;Z|0m8f@_A4gMZ>Be@~y~?X<#+1_*WIjWx6?0kDYb{MQ;1h&cQp?k7>8voy^L zSmVKewP1yWJkQbnEIhG%R^_W+Vg}nli|A##JLcj&$s79yL<0Rk9C`i zEsNuZ;0E*X)VOv5wX51?;deUMcpkRxymB1ruoiK1Iie=~RYr7{+4{5i=?l}2hqWMc zw!Ktm;gAeom9SOm*p1b|!v@tZFSv0oUXe%1C0=%~-=|h=ZBx2HHi6penC!C~vB(MW znGZQ?akb$No3fUzszbTkf+k5bX-1du2}XgzGyuE15BQM!DpOBJXgFJYM?H{tv3jk?YU-WhPk(|a#!a1 z=s=*xRm@7XtCfh_yeCTOhXJp*no0o@N%lyUM{G)!=Z+0ef&y|lm7P9HbU)QZ0XZ_y zDajPGjXL~%SnSNA%(ZNRZKE{-*aWsac4A{Xd{8ck$lK%Qz~^rGJ!Z2!APu1DAAoiI zXNIPME-^WcYN}H=W}E_@iz!->#!Vq)dxTI+ld3~5F}`u~A|l{Zf@$^erJ0MTQ7U_% z;%^n6L(SZBy)GfmaZ$Yqybx~h>-fQ;@S#|^aRNAjYn%>JD8Z_Eb?DGoFK~N*K`=a% z*IS{et%dgdG@nzZ`Lnh`>l;V(?c#e+bY>i{nGmysHKa5i4VQ$~UFN{Pb;1yVgld) z>MFn!psWAp*!{(Tey>AZ9y2x&%p90wL3X3q*(>qGoHjK8ckZ8AhQdQsOt6#bVv7scW#?0MV4lN#WhphITvjI=&EJs1Mo 
zt4NbZL|;o9d({Xie=svN@L^N&*_G=#@bmu z3~87h#Av$W|CezR^2>GV4NR~^`8IzvlsB9w29vCezuV(h&vk<~^ zs;&#)=N1{?*5{ocXOWNfZL-L>{8I?%lsV)q`H)KNUz;{wok}TNmJ8kMQRuixH1sgY z7*ysY2+=BOkC^rrG|QN#;)Jew@6nmiKC`}4@$-o6!K1}62AjMZ;#7Qg7o|NUP7=S* z{^=e;a8<~I>)mY1XMc_i&z1eMdYC^N95)S|A5E8Sh;4l0ACxn^mo|&o#^kAim*wFq ze3T#c??xU5_N@Isl$}F#C_u7?W81cE+jeqe+qP}nc5-9ewr$(ayKgy*SX|4nyD?~Y!LJU=fX`0l^s$UBTIC3X=-j2It)Zk?_6AOd5H^{tseogI6Q5O z`E($ryizl&+HrqlR>jZsk3q)bzxTG*#_ud;4UC)lc6`Vy_2cYjEQ9X?&DvSW-1)Gi zEIYOvAkC)-i~%p!DI2`f<_PA6Uq7nMmO%N60NFsTHL=f@C$X(1WggDn5D}UvL4q{; z!5;*4Kr=#yx#QGl2nyoF*_#KTJ9HR42KDtujIGXgbR1GM}8w=U9LUW*-$z*us1%Wg)aW?wz&8agaN$#-Wb9sjIEoZBgv^n|LK6V!6O3n8F2CtqAlP-voDBYk6)Y9+I*`ZAcmeO- zR=WpN{ssaWZ>qa)4maQ}QBZ_4TB{qurRr(PM2YFmQtSH`cb{$4avqvGFsto(3Ap#Jx1rBurDe<@*4+#wN`9`h?F=dgWAvm}YWDKw*Fsy}yq!h)` zax#*XhCXFUazk<@ud|R-sHF&%g5B#ZFlcy zr`t`m^Ts*OWWUu)OH_I2X&Zf8*B=*GFN+xdAxO)1^;$U;^2($kNy`xR z0y#ADsuaT#F462lIn=Vs#UYCeXNL|h;p~DL6tl|4Aq~qE^%AwHWy=`#q8T)^s%FC) zP4blrryzvq-D+Je{#t{gQZM!iO3vFALb2R`B!CEY<1{eq z7|%WktvOAN0%C+G!|JdZu;Hi1>rm5W0n}#duo<%;tdRz72daVAj6-XNs*%=ELbs#W zRrD7zTA&)w`%D?G(56g*vWDxl7^{HPrWx=WvGf};Td*26^<7|`4A{Wev_sn&v%szS z20^CK06GH=V$yXWt8)#k7&@WWmSL<0uCVl>F;Duf5$nK0Ylf{E>qud=!q%1aCoxWj zuQc^n8LKfHF9T@J(%~Di{cH5o@f)!NwukD_rqqBsGYnb{TAeQyN0%{D@u}x+Bcwn^R);0AnFFZ2Gn~hF@Pt4N8HK6M@Fat++{TL9I$2T7(x^jn#)LVS2kPWPghkInh2d19)%;WQu?3~)W%Cc`rRJEN zna?nqpqyzsK%H?qP@Rbm1SjV$=OD*GFGOtTBqac91Y+`&=CS6amYl}``IO_qUrGy` z^B3p1=FZ2UJ78FYW(4@=+Q;BMNi6}pp|-(1VWIqILcGP+rnl2?z&-srAMvJoz^@1fU5#E4>cTKx=}mXRUBeA_`>zo7|84P2`2k#w z(=%`SpA_@OGnj8jufqE9jMm&3xxubD244(ci1p)`tKl1w`*QWy_@;bet|UWw{nwTI z#KA`hwnOXUQ*ZBdx0u18xUx@0`FkCSj{lH$B27Ue4=>xh4>WI_7q1LKk zyigkTfW2Z2#2G(f>sB#egr|I=|Dl3 znXX7ogZlUk*C?kJ`uI!@9kCku0X~Bb%osl5_4AmntdAObv)_`&PV-NRh6QVX_V|3({{7I-A!K( zBIhWYM0&VXDYzQ0_igAOIumU|A&r_gmED0qi}{z=Or^_PftD z*5TdV8b{fi>fSZhE)F-{MIl@SUZod3oDH zUO@J10_TBG2kQ9h6^+uq3E}NrLN=db$sFw8-_zQwN%su~nK9!#vU+%1O`QzBBQWk9 zLQC4<^`gHj)asb(d;?a*ytY8ixyv&oH@?2@8Oi%r1zz_c^!8urEYSU4GzU^A*OHKW 
z@p{jh!-}-5!vIlEUlR{c6~wwhw|#=-L1*gc@;Z&J)0z8{5eP2MUcR>WofDP=4~4Se z#X>a+uLB0SwI-D=$17{s&?+g|H-kmDodgOqjSqin2ck<6lkc^3M#BWbKPcImqh}HK zldMfx^WYyWI*ph28zgD#@?j)re%so_rkjxbU}F+Y3Ntkb&p=M3L!j5BW#KJ z<#Y1pvM?->fJ_NHhyn+$&UQNC{+sdsFNTXfmWY)L>E>b_ZsOmCbFjsW@yYMZ&7fgE zwSp1!#f!>%Tg{#2Vh;Y{-+Rf}mWG!b9FfpQf4L87?@A-?>}CmI#v3D)a~9#KCphr0 zXeGFQ>Uc*h;EqP>K#F^xK`Wgkp(Lx4NL(-?{l`mCQat>2m)uBAEW&h5?KDn)lPx4H zpxiXUWwlOg4vlqZ32ZVBYHBh#Z@62z8J@o>kxtWd6LxcJ5Wax3(^_d>b9b?|f?y>{ z9um@7;Y#SSZ$!~476w9K|X`4O#hH{taTMy|bJ?!Y>O?}>rc=@#yQ4I&ZS;iJm#dMr zBeX`%_!_A{YyIzUbd{3fMOw!mdNo}8)q?gMTYl4ROz|64pNs=!oD`8MY)NRmpYs>np?R_L6tlO%A?#6br*9&#~S z3_Uns+yWN4nhA4{(Xe9glo&*Eh%;^Ftp>p=5tmSGuOdfAN@>y5&GxxbQ^Pc41G3I( zm0qopTyxCCLEr&&gdg91Nan4;*z33T6}7d-*qW{3&wje8+g|p|h41?-Iot$as`uUW zWVqQU^cn(XkT3LBSNPr?c_L3X!>7o^a3A>>8aL_kcOu}aoiB^AbGF&+zH*jT zU3Z=xEslz6IR?G2WgENnS210 za~jm{LOS#k)h35fOs{W^Myk+!v`+keOmTcc8-D+X(Ugm{^enNd(eh1hLVD1nn<{HQ69z8M}Gr}Deseu+q z-pw%c5E`=Wcu4f7A(%|n(j!ow{23!s&^t^yrc4csAH8%Gr6x~sszQ@71Z|1=IfACx ze1rFf#)m)g0f)g1-1}cX@LZqC7tXCM$~As7qz)GbVDt}Hv=zGQk^_q-eWtJ8rsT<~ zwj6~t*(5j47u2t6iCON3Rl&4Z`~DxPMBNdau-awxQfM?(HD8;^tP$do_5Ds?VI|Q&9EJtK?UJ-MFp%_0KxS=J?UW$-K<|>K#a#*WWb#2uzZXQY@eX^N28(6X4z5y(Jgqpa3ll3jxo zccg^v$J+{+5@1KNv}7nY8*@z8TFf1I@nXg4t+2=%64+ojnTLaDi_6EV$|G&7>l8sm ztD_MUxGjuWpbqmJoQ_6vM2MOk%6Jbo2h-)xb*3TE?h*C0;Y*Ps+Df%LsYN=>-G+0$ zU~OA!hmCS1m@N?nHkBexue(zul3#W#XFCV(;PT;$EgY97HDDfY5mgw8ZO;Z(7XPxU7j6WLFKcy1AAxUF?UA zaHT+ooke4*JZB}ixFw6zTI6Gi-bRX=m!)V9BKo@)AX~vDsZUW7wws(La+!1aeD3wB zwuUb|O0DJ2$0l6C6L_1h;k;U!Gx*~2;YdS?N}V8VL#nsD!k^}Ecwe^6uy1nHvn9;$ zgGz$g6O5WpeTwdmiXyXv5n-9LERQ|-6Ofxuzh8LFjzrh5JH6dskvt+>wykDeYu8oS z7ow}sB0~&#V)C~?!?O#h>t=O9PneB1+VruLJl+}xF9nJCORDbjyQx%;Lv}#XW2aJv z9L;eF9CKay^k+TfMmRGr&J+fq-X8Yr9KIE}I;+E81c`d{zu`9?^Yq{T%8`0icj1ve z5M4jl@&2V0PK8!W4GaHDY~f*vjJ1imRwz^)J6GrewZL_lW~zcmerLV*Ui)|1f?fCS z12N9&jn(MH;^AMZFFb~`%#9@R2Bd48g;9%&M7>2eaT|@pQP)#TS4_65;z!>Y3A>9s zaqEw@Guk-Ld{{BJ0*HPvJ6;J}1|~k)68ttk-YoMojc{!~YAtcdnE5vNt!7cmn&Ib~ 
z@c7H|IOpwOOnZ<-K~0ayFWIMX=cgy`Lv1{+lvyd0N3TgDKLUUD#uZs|ZqNLoSc1|L z!-)>1`KeEnMEHtwS5K<7$RoE)Z1V9=u(b}P zaC{~cVcZB+9pKJ#yW6q4jEcJ0-C_EXZ`k9Bhq{XxiU=fw@Nqrge0$+KPC%8K;Tf zB}6KX*{wI@$&x%l(@0WnlU|^i+9h3(%<8q8_3kq0fzvQ~03}k~I1l74d)P8uAGq=% zg50?B@iIkSIuwNNg%3Y#+66B%&!#RRJyi2~AxyB{xDxg(kc!H+9!X81kwGceu%fK2$bSe3tOKjGhp6;0{~fuhD;&sZJ!Rwnv1 zf0e&(|8v^TK0Z#zw*d(a)h*pz_me#axbflSwerZc8|OM=%v(~xR-7?CLsLj&c?X&h zc829`@E7cjJ#C~_98FCRiBm?)$70sfQa3wDV$+uM@F!tRapN)Wh37P$ek@b5O*)oR z(j_?K8#Upu>Gx037;W3ukUoL%U(ZB967jG4@@3LJd6C@wnqT8tE@o+=BJP@#7=C0< z$*k}7Tufa7W3Fb>+;4-yyHGzu$5ghjDBi(J!q6kckdVh!k=)Xp-j-ACjI zas28b$5|HI=-=1h&GwFTwptpV)sxXs{R4Lh!mqV2Ofca-4ibTdCJRX@TDgVz#84JO zI<^X}x^vt`1gw_pN@|x9iL4tn&5jGpajNBqIdHrWff5nRVlk-_H7xPi3C+kRpD|&4 zwM>cYO8&|YroDil0cus579u|k1=qtli~^E8d$yLh-w2o?8gGaD4} zkJU^XBIdG@+R`cR+*q~h`PfXbh3cFC5oO7swv-<;p6?4vnRpnSIlxsZ75AuFRV(2W9R#1;5r-&`&KPG9DSUZv9n-~30jaqe=5jYPUgA0 z0WBa|6QZWYP~7uP8_$i57UiNG8PpI!dsLa#ju`QffXG+f%SoWT|DIGWjkXH2JtgG` z_O&tdWJ#k}5J7zvo7PMe>B=kUg}=)37<;J6q7ZYe6fVx&fYCX)ci;+lDJ!c{Va^WVg zJOTb5qT_cg9EStBSo+ezJLF&KkQWQVsi7<83r=4wjA~XG`k1iwohAz6iU5{nHW9~R zG8-IZ2h}D~%$1g2E{UJ2{M|QbukdN#BZG3TeB4_}3;Te5K#1MTWH{v-7e=`&Kj+mr zUuXGfO=m3H1)!66H1hIs>OWsUKV(Rt_H3GX2IZ-mdp`anCUM5oD4_H`QH$`A70!ss z``jua_|U$=tn5jhe&UfDEve*F@pWV(6XL2vBu#lv`ui0saXv!%-so96W5z=mJ@SQ- z^0hUUnHTt!{2c-vDxs0egVlKK@GoiAd0K*{#XyHrE|s48LpnIA{`(}W`>R=KN7 zwQ~mRr>I#Gb-K6^q272((OCOk`t-WEyIv>iIHbp*-BVaUJOzI(NUGr#uOSZ)r7GS+ z`cIU$9!|ae`NpF`kT7v{OK+nQC&|=>A|0n-e(_#O1KheR*l*$ByZK?!a5zi=k5t1y z;|N~p1fOLwTLV{DUevS^bgqZ8Bz{z^PNKTvf^$k}`qq|ph`tB|n49~Lp+{DAN~+$CSD*TH zuGg_@lC`fZ@iZqvWLOzwaC zn|bc`=OS+h_sxa%ste?eBdIzNcBnN;qH^tIWnz31{Qkav@07H2FXs>$m0xI9ReVqG z<$>|1tJn5&dDuMIDf{JUI_SabLI1@nn(<*Lvt{)e*gfJq=7ZCL7tI-LC00Bg+n!e* zSj#v&TVFd{FMqUdI?=8^$yRW>(Usn8IK9|vZXfQyWutm=8aL$kwK`(^^hjZFJb27J zE0|v^m^Z&RPv*rml83q)zrE4I?rrM0Q7=Ift+`2GrnSEI{oMP0ut_^b8@JQz{L0kd zh+tkotR>jSN8}dR@Lmx{ISU!FGFH0PMu0^PStd$?eE7Uu5t-lxk^DXNV{Aw=y^y&} zy_g9sS$bXhUAoCS=NtShmE_G9;UvlHRUES=DNHiV&pC~}p6(emA1-zBzGxZ~CYi5? 
zJj3xDhJ?W;4<^I`;}JHC2&HXbt!J?(@G6gSk$?`oz#xuFzvtF>3>>TG`x5fJ%e*3& zEsV8sTGECdn1Fu&Y+Sj7epI5T+ZH|>R3PCmWuz%I6(d#PKTxRU0!vJdl9tYFDp^4= ze&Ic8-)<~&LygmKJA`>Ac^>4M5e(cwgt-^#?=dT4$v2wx$}S@nr78JgbHvFDg=vlq-VUlm4V!FK-+jQa0Z0xS6t#F-Z%*Yp!|Be^TodXtkI6dva8k zH1B9vy+xhg^-2p@@H2-#vN<^4uUy}+JpZArIH^9xM3z2MXUW#%qYszGy3Eh#aztu} zA>mW`P-?~`CO@$@!RyJvH2Vww&AB z`D8&!MB(j?-BQj%ZN2X4X60jTwYeP&+zQ2q*>3T(MAO9oJltm%#?OyKiyM&=3js>J zhO!m57kLXWA00OeYk+sU?q2UL4=KOj0t%HPv3~;sH4q-?DkQk3FvmdwfdwV~Pn@)? zV9#Ebf1o&LP7(bFiW*WAunrd>8La~tz?lR}I6@7$udTEhz=eb2UxDx$02YAYj8a=m zAPX=XfEJ+UpG^hG1+WR&8K7^NrwKV98sKI+f3Hk#zX2I)^>z-A!W}UV8`R;k1CK=S z#tESh9Kecnoe~Q-d0rj^*L6M$4Oer%2<4k=ei#WCZ~hkH`xgyhj_^hnz!^n&miDPg zNRRA^OlTDEsaCKR-C0C155ajsAPw?K=ZzU)<4F%x0NJgHO`O`EWkjsVoJCPg*`R4d zR9Tb7TGUCo=~u*R3LC&YpQDe2g`w$Kc#*5gR#=OLyl)E^AqJkq}f&|M%-{MbD> zW^}@RAS$euqv6gONgnEc4sLe#P5?SC{Vp3^UiVG_M4s~Q3*hzHp%vGy$3YnDHQeD4 z?N!mis*$Z8km7c#zf`@8!GG97?uv4}le>1PC#;KfUyf$N#089m8SaF|w-P%0>UymdoE|~@rDo$>+N~37azmaqsbB&maS|6<9HaE*S z&6PS%OC!9QMXo%hoR*h8(_{Xzq05SYXZWTSvtDe)z??;Dt~a8~xh|To5vLV5@wcP- z`mR@TnhRB(mNI9i$1YD;0^m6Fi+V5qoy3}(*KscH$oUL8_K%%dNT~d0A>4C0atXUc zzuDmWxCAT8Ut|*k(aM_hl`!7>%&bv0=cd5g|KzvE6*^TmB=km)!f-_oj$|}8T-z3! 
zZ7jqTCWW~~>xhde!Ppq6ixFDHtA`Or3%y3^2px8Wu`yZWEBMVeAD&|ieTL}FL$$#$ z#B7na_Zo(Ru`ye7EjX-Gk0`*!cnnq#DaaXnjaH8-z%sszY{sZmb~GK07xwszC#)`1 zA7H>)aLrhcC@c%JNo5}wIgQ~+RZWXwX|l#Uu)~-zsDM3qgX%dOP6yL$WR4m3OgTG;9H{fYGBSk z=n9={bU=*3)mMi*P)j~6&iI6(h{P+w@Ws)eor{)7Ksk)3U|6$$CH=yx)v7{k#n!sV z*<q*7I7uu379|Yargwp&R`h&5I#=Pv87OO~8qWXE2$iIm8{FaZUFsd-%a(tL&T>IFU@TP8|kNx9}xl^DQ16UDB&(aM7b@Z^o?p~ zyi-kf-!wF{m}7O8vNqH1eMv+yFY93%qSa6r_NZOj-6s7splbsOZ_-0pW$rbw_5-gZ zDBAM$ACO@fsmrpHh1JW)+nrFNs>NMqPx%YX6Qu|U9hv0KTyogM_s|OrwdtR7qatLk z@IpJilZhKmBON;1JeqQ*8R%1}wgCmi`;c(co$Gb7rH zJ}XLhryFxyMv^D2UBRqs1X@!?nWw#yi!kC&$eD7+snW#Tz`$0pIT|LcR7`dA>g`~; zJtS(fxO>jSt77nFK-mCm17>iZzifak7LqU~M-!D0@}k3<45}zrNauG@Qkz5AtUP>X zih)7&k`h^l@f}4xqFgJLstpkaB#odxvsimbP5#tD%}JNE3_oF-NiiKXfU1z!(Q z%Rr+Z77;BGWg#Ra4?Q9PmeCcvlHH!03a(Jqd7JCpF8m}+y*d-f}Ud6Un57UrsEeFQGO zx*h!2SKylgS_>=$a!!Z{v6%`pes-DKym2-P9*c;2&1wJ zc{SyiTVE!12DmcW{8+K#f$UC91KEFRDubZe-c+I{8&nC~EM#eBoxsK3RicUmoF$cN zS*K2QS|6j3N_t11<+e!*6DCxbIvv`AtEt~vVM1lBRT``K=N-kDpInoI6S|Al>Rnr* zmiCus8SOz@SBP%u!byjjkzhG(c2w|?-IELpoA(1uwvos)=O!GIl9Eb-aZMISYsv0( zZM9>FJy5P$Gm9_*#WPFkx*~g4A%_!;NoG0dbk-C~E_W-sA>u1?tjspDJV*uEnY|Kw z-HZk+uEc|9cnE9@LPUW(FnTRE_mfbv0M1NfdL!Pa1XvX6;)Kt?!A@yyOKT%O2Y(!l zOE4cj)6=D;0=pa1c-{4BGqJhzXX?4EmcK%-YXMeEBP_pwh690Lc%^qL8Am0V+9l`)-z7ZhS&;N%nH}%K!JwZ1x{6_SrX9iKumPN zH1-iEo6hV@J@XubhH-dx>Nn2kx8I=r993ZeqSrs6cU|pXYU>LGdb$)IId?{C>U6yM#V*D4j4sc3$7&g%m%Kb%O&vc z&4FHTRTF%`3t@@p*`#X8hs*E}S2aw193K}H7p9 zp;hNr$msQYn9iOf7xFZ7VFtY8^BPt%@atZ8h>`{zGF|EQ1_?^Tp5f9{ZeaV{W zV-7CZf}65B)I8>pEkqshE4k^$LU2BM!!oSu0klw`bjwN1YRec~>pP$_+AQ;y2y>$F zv2EeCA?QrdlP&xP>7Y;Hv(lv-#~T-*;~538+f{oI7U!T)-=l(oCb3&tV;#Ib%kP!t z=Fem$v3||-k10v!?OYqu+S7_ z;=Q49j=)l4(62#dLoscYbym+hkbLm2yBs4csR7k0gah2LqFtxR0a zFB6ZXv}#a5&Q}iev5HQede8%i0Sh!foNwt7^TfF?=XUNUdz?eW2U#sp8%wFC2(`J= z#zZzupiXzX@_kQO8fiq(~OC>vg&O-8q&3D zg(`w~==Z$`UyeV9RF_gvO5!C0#`(p>!DM1nqf)fTkNc$UGIl730u?b7MvPLwm^O2P zHRYm7g3v_xW~8GvZ8t>x`KQER{ySNO7xBCc3iaaFB^2rxL~kz#E8w_TY@yg%5Y9z~ 
zAa2@gon>*hmRct`mHJMbjJQ4mZP}j0+b_iJ3)`HbW71iL0D=>d=`u%k>`~q;oU#g4 z@l)dx^^5^i`S;i{-i00cf9rrO?!eaBwF6U2)@*d2YllGS3P~Mr6rAeKD^PbuKxmsR zi8J6sC=w&QU9oSRMdo<==5$1gN(nt+s^&mY!YGScYlU(-PD|pF9~ZFf;7~u|vAoQp z^Kun!5X_C_x52hXdogyMgkg^V>gG4{@!z=s>CFO~R9yRQcs*?H%y;k1lRrA%mM?IF zd!D+E21DseJ$My1E{tO^xy#V48w<~?ml$9 zmkzw$_1Qk_#v6RPGfGZ+8*%0N5Ldn><%u(|+6S$S>IdWRdU5pFumGN=G%I+=B z&HyztJ$?s0o(f#R2I?;G?z#1@$+M>Fq1(F*jCNJWzEz_ldVFe(1P(b|}h#r^aIkJo_&p zWK(UkN(bIC3%qO9$4=EL*2|2BJB==iO*sp37d@7n;A5Az#arzz?vH+5E|sRuoucK4 zJ~b?D+dp2=4XEv(m>0xK8VU68rEz*Pt|_iu%HScN>=x$R5be0=CkbW8ex&8ElPY z#S{t}_U*CX2;Mqr@;haLBaFLb?WwPR2uFwRLx$@*n zShLDQze?O1pT~1_#-fUY%UrE-J9yymv6tuD;5|8cgkNh$Dr1J$k&{0)j3H407%P-{w!#fRJ@zA!;cN1z5t%>FF);;TNx5 zve)_->4QTo6ZAJ^pq^^O9JkqG*?z1)`uqcqJQ@31O7U2sD17(aO7~X-6#81s*F@BQ z02rk1bp5K|g9NH;S%JZ5F=To29AN|2~ktbW4`V9S$=^-Q;vOnsQ z(f1WkR|UaH@rTC`fv{L;m}L)jfSgLOZ07UnF-M_bR19DG^PQFIQc-erkCid2aJVXu zNYyf%{CS0r3GPkfx^ht3P{8oZQC@UHu1S^wK@+>neNasA`5MsAYpF?DV?ZilL*#5k z_ZZa!CgH9pz+W4D-bk>Xbr@|bLz1oW75GLBvG;5McHnnlx9bh8&$H!X;?SCUvlKUS zdp9CcN1N^m*~wZ$4=I&P=;nS%MJ`;<@MKt8Xf4LhY~$$vc|0^!--(l-6- zzlWE_AN8_&GCw{u{mMO*s=Bypo^(Kb&{JA4=hzw#CqB3XdT;$3R(iy5!MR-JgJuZl zJbo@kNg05Eh{2O9dU(S?h&b+H^8mhRL*xPZK>H_fJyAqMZ|43e$e4rv^r6V_>J!jU z+)<#K*jn&wP5BY+pap?mv%B!O6|unjmjbT!jIea?ZoTx8fv1`LpzYmKO>5jI^U z^ceNI!2o7KfU&W)e-9+-GJMx6xdAV2$6wkS``GlYe%IVy<=$2w1YsQW47dr)f684? 
z`FG@6D`T5qe70Da|Ft-qk6vJb$qYU2*e~-5O82pkeqcR>^YhKFwCbJ>Sn-|vm`F+?3ce} zEFde^V#Wd^g7@bP<1CLB0$37+@8FCmxi5M5OYliRx<#mcVt&WvDo7Co-P2?dj@VW$ zvIo_}gg?R+Mv)7d%jFYg<+WXx9QMzn&Er1HMvL(jCbXHLy6_+pg3~vdQK+4Q_8Lq( z3ly|54QH{zcrT(gC>~X}4XM?*IwXnNE@3g!qIax{tA<6RPlAF=amHgdny_kH5xPGN!7Vi z@@Fiu715PeVL$tW`0r&EMW@e6O>d4I;*J@94eZg$CPI(SA->@McL8U6mHDn8(PQd_ zKTcRX$y4Lvy%pvfA@SOxlY!=QAjgC(=3K^lEGk#fe?mPp`pVp2L++m79>>nkJK#0w z6XL4qg7||#dP_n4I?R?kCY_v^&sIjJwziJP4wg#p+o?Awg+6GBS*8i8a6$2aN^=Vy z7@kvpVP%#XEj_P(RbZ-CLuPhZ6xd>x+8`i7s?2Uhj41NelEI|{=-p9}kXsS3*@^JC zGmg~+#Ze>;Nq+=MU4?ax`qMJ!geG5>7vF+MNAO|8Ec6MsC7#p<{Ldk z=7NbCs&u$K05a*vUc``AxqR?TZt_CSrS4yW{eE+i@%dRz zzXQC`bBX3AxjG^RZpHAP#E#BnJ!BPl{!v>ea*bPR_jlfW^Ur@U%y0ex0TVFz*ZuwV zwP*i`>fybuH&gL>R#;K?>wOul#FcKbyPIb%xqTju?e3v$clh@GwiU2|nTY8p&w5x6 zXF^X%TS;ku#c{?-XFvO?rwW2eh_*$jk_3(R%O zH#=H2lG;Qu&kCgI0A*U60Z($oC;uC+Zz655=r23@_RAd;gwie>m#=BNs9b)5dBP+$ z&2VeZkMo#aXv>66;gXaPU(24csd>RhRW}@+x1aJTG;iBUp68Mj{>oDU$T5_hWLL=oSyL3@@>DFr) zUM0qU(xthBh!{74351(6j#aBDk%KOUpB^A{j~HmYSwPap^)@H0w@zdyc3Y>37yF76 z+ZoFI0%f6#oXBg}9WTy3PYQP;nm9tcz_IJdT2A;aK_C(HkV$L!EWoE3|WV5+(h z%XPv`XqDy1^@0sK@RW`7mdes2>N_ITg z{P$vAR8?pb);2rrs{L6tTn6O>R5pzR}Tqszx|(WnWp^ayRN|39MR6QP?+Y+f(dUXXGS8_8Irurw*-l`hs3C`m33$7AOEJWcZ+-^Zr&yw z)ZpSFBsVnHU{`XoZDS`yAvP*|nu(JAv?nVH@S%7`z`!YQvT(yBA@8VerzCVJ1vKzK zk}~O1ttxH!8J$=fWuA`!d`)c(T^xLztawyjbdmDHdSN20PW2{|E|v(eVHm7i;Q|Gg zvVx)qT^G?PZ&;=xn-YlI@oKV)vB>i~irgEbj4%1BL7{Dd7ut$7s}TR7E$+2yEJhL( z;dbgDP_j$(e}0IKi%ahft^{F^Ex$r>lXHR)vN*`j3yBA!-ko}!^mLSX7W^xBdGD zzZ^%c|42}clSmzQSG4IE__SF6FD9lH%uztc_$T|+lc}~W0u0+~ki1k$y*y?t4bPsm zoa7_KhX5b|aq0maO2g*Q8w^8XxGO=0KsVR}mV+9Jg+WHFLycWNLiSJ$nfLi)*f0=_ zMGZu-^$^N6K@^h#7MR~*$va3an)vQiVh@juRLB&mM`43nWH*ev^W*Kq)PmXTmGD)-fhJwXv@zSP-`yXKJ>f*BfjJR~~V5#=Z7%vp#x!yYfDuTXq(d zadRf(2sQ*uSZ6P${F}q>4s4!Hl7}p^XT6@W@yuf#91xBZE?@=%h4=)rwfIr|D=(by zV`=8n`n!){9XEE3IEUxqiO5w}z)+*$;_L80Pl(X-VSZ76`U=ayLlYJTNVWK<;1LU@ zmXN8{%xH>cFuidpQPo&I?j>5hu9!00U_