From 0d1bd2bbd95608957be024c12d03a0510325e5e2 Mon Sep 17 00:00:00 2001 
From: Yoav Rotem Date: Wed, 9 Jun 2021 11:17:16 +0300 Subject: [PATCH] mkdocs support and update docs (#884) * Delete README.md * Edit readme and separate into different files * Update README.md * Update Running.md * Update CONTRIBUTING.md * Create Contributing.md * Add files via upload * Update Index.md * Rename Flags and Commands.md to Flags_and_commands.md * Rename Index.md to index.md * Create mkdocs.yml * Delete images directory * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Create mkdocs-dev.yaml * Create mkdocs-latest.yaml * Update mkdocs.yml * Update mkdocs.yml * Update mkdocs.yml Add yamllint --- * Make it yamllint comply * Make Yamllint comply * Make Yamllint comply * Change description Co-authored-by: Itay Shakury * Fix syntax Co-authored-by: Itay Shakury * Update docs/Architecture.md Co-authored-by: Itay Shakury * Update docs/Architecture.md Co-authored-by: Itay Shakury * Update example for test files * Update contributing * Delete Contributing.md * Update Flags_and_commands.md * Change syntax and add source * Update Platforms.md * lower case file names * lower case file names * Lower case file names * Lower case file names * Lower case file names * Lower case file names * Add note about inspect master in some platforms * Add quick start * Lower case files names * Lower case files names * Fixing typo * Remove section about old ocp * Fix typos Co-authored-by: Itay Shakury --- .github/workflows/mkdocs-dev.yaml | 35 ++ .github/workflows/mkdocs-latest.yaml | 30 ++ CONTRIBUTING.md | 83 +++- README.md | 416 +----------------- docs/architecture.md | 25 ++ docs/{README.md => controls.md} | 46 +- docs/flags-and-commands.md | 137 ++++++ .../images}/asff-example-finding.png | Bin docs/images/kube-bench-logo-only.png | Bin 0 -> 66033 bytes .../images}/kube-bench-security-hub.png | Bin docs/images/kube-bench.jpg | Bin 0 -> 59097 bytes docs/images/kube-bench.png | Bin 0 -> 87909 bytes 
docs/images/kube-bench.svg | 86 ++++ {images => docs/images}/output.png | Bin docs/index.md | 35 ++ docs/installation.md | 79 ++++ docs/platforms.md | 16 + docs/running.md | 145 ++++++ images/kube-bench.png | Bin 17501 -> 0 bytes images/kube-bench.svg | 121 ----- mkdocs.yml | 41 ++ 21 files changed, 747 insertions(+), 548 deletions(-) create mode 100644 .github/workflows/mkdocs-dev.yaml create mode 100644 .github/workflows/mkdocs-latest.yaml create mode 100644 docs/architecture.md rename docs/{README.md => controls.md} (89%) create mode 100644 docs/flags-and-commands.md rename {images => docs/images}/asff-example-finding.png (100%) create mode 100644 docs/images/kube-bench-logo-only.png rename {images => docs/images}/kube-bench-security-hub.png (100%) create mode 100644 docs/images/kube-bench.jpg create mode 100644 docs/images/kube-bench.png create mode 100644 docs/images/kube-bench.svg rename {images => docs/images}/output.png (100%) create mode 100644 docs/index.md create mode 100644 docs/installation.md create mode 100644 docs/platforms.md create mode 100644 docs/running.md delete mode 100644 images/kube-bench.png delete mode 100644 images/kube-bench.svg create mode 100644 mkdocs.yml diff --git a/.github/workflows/mkdocs-dev.yaml b/.github/workflows/mkdocs-dev.yaml new file mode 100644 index 0000000..4148be2 --- /dev/null +++ b/.github/workflows/mkdocs-dev.yaml 
@@ -0,0 +1,35 @@ +--- +name: Deploy the dev documentation +on: + push: + paths: + - 'docs/**' + - mkdocs.yml + branches: + - main +jobs: + deploy: + name: Deploy the dev documentation + runs-on: ubuntu-18.04 + steps: + - name: Checkout main + uses: actions/checkout@v2 + with: + fetch-depth: 0 + persist-credentials: true + - uses: actions/setup-python@v2 + with: + python-version: 3.x + - name: Install dependencies + run: | + pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git + pip install mike + pip install mkdocs-macros-plugin + env: + GH_TOKEN: ${{ secrets.MKDOCS_AQUA_BOT }} + - name: Setup Git + run: | + git config user.name "github-actions" + git config user.email "github-actions@github.com" + - name: Deploy the dev documents + run: mike deploy --push dev diff --git a/.github/workflows/mkdocs-latest.yaml b/.github/workflows/mkdocs-latest.yaml new file mode 100644 index 0000000..0ca1762 --- /dev/null +++ b/.github/workflows/mkdocs-latest.yaml @@ -0,0 +1,30 @@ +--- +name: Deploy the latest documentation +on: + push: + tags: + - "v*" +jobs: + deploy: + name: Deploy the latest documentation + runs-on: ubuntu-18.04 + steps: + - name: Checkout main + uses: actions/checkout@v2 + with: + fetch-depth: 0 + persist-credentials: true + - uses: actions/setup-python@v2 + with: + python-version: 3.x + - name: Install dependencies + run: | + pip install git+https://${GH_TOKEN}@github.com/squidfunk/mkdocs-material-insiders.git + pip install mike + pip install mkdocs-macros-plugin + env: + GH_TOKEN: ${{ secrets.ORG_GITHUB_TOKEN }} + - name: Deploy the latest documents + run: | + VERSION=$(echo ${{ github.ref }} | sed -e "s#refs/tags/##g") + mike deploy --push --update-aliases $VERSION latest diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 8fbd1c8..66c3e17 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,6 +1,8 @@ Thank you for taking an interest in contributing to kube-bench ! -## Issues +## Contributing, bug reporting, openning issues and starting discussions + +### Issues - Feel free to open an issue for any reason as long as you make it clear if the issue is about a bug/feature/question/comment. - Please spend some time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue. 
@@ -9,16 +11,69 @@ Thank you for taking an interest in contributing to kube-bench ! - For questions and bug reports, please include the following information: - version of kube-bench you are running (from kube-bench version) along with the command line options you are using. - version of Kubernetes you are running (from kubectl version or oc version for Openshift). - - Verbose log output, by setting the `-v 10` command line option. - -## Pull Requests - -1. Every Pull Request should have an associated Issue, unless you are fixing a trivial documentation issue. -1. We will not accept changes to LICENSE, NOTICE or CONTRIBUTING from outside the Aqua Security team. Please raise an Issue if you believe there is a problem with any of these files. -1. Your PR is more likely to be accepted if it focuses on just one change. -1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples. -1. Please add the associated Issue in the PR description. -1. There's no need to add or tag reviewers. -1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side). -1. Please include a comment with the results before and after your change. -1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!). + - Verbose log output, by setting the `-v 3` command line option. + +### Bugs + +If you think you have found a bug please follow the instructions below. + +- Open a [new bug](https://github.com/aquasecurity/kube-bench/issues/new?assignees=&labels=&template=bug_report.md) if a duplicate doesn't already exist. 
+- Make sure to give as much information as possible in the following questions + - Overview + - How did you run kube-bench? + - What happened? + - What did you expect to happen + - Environment + - Running processes + - Configuration files + - Anything else you would like to add +- Set `-v 3` command line option and save the log output. Please paste this into your issue. + + +### Features + +We also use the GitHub discussions to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below. + +- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new?category_id=19113743) if a duplicate doesn't already exist. +- Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others. +- Clearly define the use case, using concrete examples. For example, I type `this` and kube-bench does `that`. +- If you would like to include a technical design for your feature please feel free to do so. + +### Questions + +We also use the GitHub discussions to Q&A. + +- Open a [new discussion](https://github.com/aquasecurity/kube-bench/discussions/new) if a duplicate doesn't already exist. +- Remember users might be searching for your discussion in the future, so please give it a meaningful title to helps others. + + +### Pull Requests + +We welcome pull requests! +- Every Pull Request should have an associated Issue, unless you are fixing a trivial documentation issue. +- We will not accept changes to LICENSE, NOTICE or CONTRIBUTING from outside the Aqua Security team. Please raise an Issue if you believe there is a problem with any of these files. +- Your PR is more likely to be accepted if it focuses on just one change. +- Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that start with "fix"/"add"/"improve"/"remove" are good examples. 
+- Please add the associated Issue in the PR description. +- Please include a comment with the results before and after your change. +- There's no need to add or tag reviewers. +- If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side). +- Please include a comment with the results before and after your change. +- Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!). +- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach. +- Happy coding! + +## Testing locally with kind + +Our makefile contains targets to test your current version of kube-bench inside a [Kind](https://kind.sigs.k8s.io/) cluster. This can be very handy if you don't want to run a real Kubernetes cluster for development purposes. + +First, you'll need to create the cluster using `make kind-test-cluster` this will create a new cluster if it cannot be found on your machine. By default, the cluster is named `kube-bench` but you can change the name by using the environment variable `KIND_PROFILE`. + +*If kind cannot be found on your system the target will try to install it using `go get`* + +Next, you'll have to build the kube-bench docker image using `make build-docker`, then we will be able to push the docker image to the cluster using `make kind-push`. + +Finally, we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit) + +Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` ) + diff --git a/README.md b/README.md index fe58696..a8c4260 100644 --- a/README.md +++ b/README.md 
@@ -17,160 +17,20 @@ [report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench [report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench -kube-bench logo +kube-bench logo -kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). +kube-bench is tool that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). Tests are configured with YAML files, making this tool easy to update as test specifications evolve. -### Please Note - -1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org). - -1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark. - -1. It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments. 
- - -![Kubernetes Bench for Security](https://raw.githubusercontent.com/aquasecurity/kube-bench/main/images/output.png "Kubernetes Bench for Security") - -Table of Contents -================= - - - [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support) - - [Installation](#installation) - - [Running kube-bench](#running-kube-bench) - - [Specifying the benchmark or Kubernetes version](#specifying-the-benchmark-or-kubernetes-version) - - [Specifying Benchmark sections](#specifying-benchmark-sections) - - [Running inside a container](#running-inside-a-container) - - [Running in a Kubernetes cluster](#running-in-a-kubernetes-cluster) - - [Running in an AKS cluster](#running-in-an-aks-cluster) - - [Running in an EKS cluster](#running-in-an-eks-cluster) - - [Running on OpenShift](#running-on-openshift) - - [Running in an GKE cluster](#running-in-a-gke-cluster) - - [Running in an ACK cluster](#running-in-a-ack-cluster) - - [Installing from a container](#installing-from-a-container) - - [Download and Install binaries](#download-and-install-binaries) - - [Installing from sources](#installing-from-sources) - - [Output](#output) - - [Configuration](#configuration) - - [Troubleshooting](#troubleshooting) - - [Test config YAML representation](#test-config-yaml-representation) - - [Omitting checks](#omitting-checks) - - [Roadmap](#roadmap) - - [Testing locally with kind](#testing-locally-with-kind) - - [Contributing](#contributing) - - [Bugs](#bugs) - - [Features](#features) - - [Pull Requests](#pull-requests) - - -## CIS Kubernetes Benchmark support - -kube-bench supports the tests for Kubernetes as defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). 
- -| CIS Kubernetes Benchmark | kube-bench config | Kubernetes versions | -|---|---|---| -| [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- | -| [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16- | -| [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE | -| [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS | -| [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK | -| Red Hat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | - -By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine, but please note that kube-bench does not automatically detect OpenShift and GKE - see the section below on [Running kube-bench](https://github.com/aquasecurity/kube-bench#running-kube-bench). - -The test files for the various versions of CIS Benchmark can be found in directories -with same name as the CIS Benchmark versions under `cfg/`, for example `cfg/cis-1.5`. -## Installation - -You can choose to -* Run kube-bench from inside a container (sharing PID namespace with the host). See [Running inside a container](#running-inside-a-container) for additional details. -* Run a container that installs kube-bench on the host, and then run kube-bench directly on the host. See [Installing from a container](#installing-from-a-container) for additional details. -* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), though please note that you also need to download the config and test files from the `cfg` directory. See [Download and Install binaries](#download-and-install-binaries) for details. -* Compile it from source. See [Installing from sources](#installing-from-sources) for details. - -## Running kube-bench - -If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files. 
- -By default kube-bench attempts to auto-detect the running version of Kubernetes, and map this to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version `cis-1.15` which is the benchmark version valid for Kubernetes 1.15. - -kube-bench also attempts to identify the components running on the node, and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server). - -### Specifying the benchmark or Kubernetes version - -kube-bench uses the Kubernetes API, or access to the `kubectl` or `kubelet` executables to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or CIS Benchmark as a command line parameter. - -You can specify a particular version of Kubernetes by setting the `--version` flag or with the `KUBE_BENCH_VERSION` environment variable. The value of `--version` takes precedence over the value of `KUBE_BENCH_VERSION`. - -For example, run kube-bench using the tests for Kubernetes version 1.13: - -``` -kube-bench --version 1.13 -``` - - -You can specify `--benchmark` to run a specific CIS Benchmark version: - -``` -kube-bench --benchmark cis-1.5 -``` - -**Note:** It is an error to specify both `--version` and `--benchmark` flags together - -### Specifying Benchmark sections - -If you want to run specific CIS Benchmark sections (i.e master, node, etcd, etc...) -you can use the `run --targets` subcommand. - -``` -kube-bench run --targets master,node -``` - -or - -``` -kube-bench run --targets master,node,etcd,policies -``` +![Kubernetes Bench for Security](/docs/images/output.png "Kubernetes Bench for Security") -Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. 
Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation). - -The following table shows the valid targets based on the CIS Benchmark version. -| CIS Benchmark | Targets | -|---|---| -| cis-1.5| master, controlplane, node, etcd, policies | -| cis-1.6| master, controlplane, node, etcd, policies | -| gke-1.0| master, controlplane, node, etcd, policies, managedservices | -| eks-1.0| controlplane, node, policies, managedservices | -| ack-1.0| master, controlplane, node, etcd, policies, managedservices | - -If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see [Configuration](#configuration). -### Running inside a container - -You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions. - -``` -docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.13 -``` - -> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. 
For example: - -``` -docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest -``` - -You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` - -``` -docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yam -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest -``` - -### Running in a Kubernetes cluster +### Quick start +There are multiple ways to run kube-bench. You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. -The supplied `job.yaml` file can be applied to run the tests as a job. For example: +The supplied `job.yaml` [file](job.yaml) can be applied to run the tests as a job. For example: ```bash $ kubectl apply -f job.yaml 
@@ -191,268 +51,22 @@ kubectl logs kube-bench-j76s9 [INFO] 1.1 API Server ... ``` +For more information and different ways to run kube-bench see [documentation](docs/running.md) +### Please Note -To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec. - -The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node. -### Running in an AKS cluster - -1. Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures - -1. Use the [kubectl-enter plugin](https://github.com/kvaps/kubectl-enter) to shell into a node -` -kubectl-enter {node-name} -` -or ssh to one agent node -could open nsg 22 port and assign a public ip for one agent node (only for testing purpose) - -1. Run CIS benchmark to view results: -``` -docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install -./kube-bench -``` -kube-bench cannot be run on AKS master nodes - -### Running in an EKS cluster - -There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed - -1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide* - - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within -2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image -``` -aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE -``` -3. 
Download, build and push the kube-bench container image to your ECR repo -``` -git clone https://github.com/aquasecurity/kube-bench.git -cd kube-bench -aws ecr get-login-password --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com -docker build -t k8s/kube-bench . -docker tag k8s/kube-bench:latest .dkr.ecr..amazonaws.com/k8s/kube-bench:latest -docker push .dkr.ecr..amazonaws.com/k8s/kube-bench:latest -``` -4. Copy the URI of your pushed image, the URI format is like this: `.dkr.ecr..amazonaws.com/k8s/kube-bench:latest` -5. Replace the `image` value in `job-eks.yaml` with the URI from Step 4 -6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks.yaml` -7. Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces` -8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` - - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` - -#### Report kube-bench findings to AWS Security Hub - -You can configure kube-bench with the `--asff` option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page][kube-bench-aws-security-hub] for more information on how to enable the kube-bench integration with AWS Security Hub. - -### Running on OpenShift - -| OpenShift Hardening Guide | kube-bench config | -|---|---| -| ocp-3.10| rh-0.7 | -| ocp-3.11| rh-0.7 | -| ocp-4.* | Not supported | - -kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 3.11. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or `--version ocp-3.11` - -when you run the `kube-bench` command (either directly or through YAML). 
- -There is work in progress on a [CIS Red Hat OpenShift Container Platform Benchmark](https://workbench.cisecurity.org/benchmarks/5248) which we believe should cover OCP 4.* and we intend to add support in kube-bench when it's published. - -### Running in a GKE cluster - -| CIS Benchmark | Targets | -|---|---| -| gke-1.0| master, controlplane, node, etcd, policies, managedservices | - -kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` when you run the `kube-bench` command. - -To run the benchmark as a job in your GKE cluster apply the included `job-gke.yaml`. - -``` -kubectl apply -f job-gke.yaml -``` - -### Running in a ACK cluster - -| CIS Benchmark | Targets | -|---|---| -| ack-1.0| master, controlplane, node, etcd, policies, managedservices | - -kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK). -To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command. - -To run the benchmark as a job in your ACK cluster apply the included `job-ack.yaml`. - -``` -kubectl apply -f job-ack.yaml -``` - -### Installing from a container - -This command copies the kube-bench binary and configuration files to your host from the Docker container: -**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)** -``` -docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install -``` - -You can then run `./kube-bench`. - -### Download and Install binaries - -It is possible to manually install and run kube-bench release binaries. In order to do that, you must have access to your Kubernetes cluster nodes. Note that if you're using one of the managed Kubernetes services (e.g. EKS, AKS, GKE, ACK), you will not have access to the master nodes of your cluster and you can’t perform any tests on the master nodes. - -First, log into one of the nodes using SSH. - -Install kube-bench binary for your platform using the commands below. 
Note that there may be newer releases available. See [releases page](https://github.com/aquasecurity/kube-bench/releases). - -Ubuntu/Debian: - -``` -curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.deb -o kube-bench_0.3.1_linux_amd64.deb - -sudo apt install ./kube-bench_0.3.1_linux_amd64.deb -f -``` - -RHEL: - -``` -curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.rpm -o kube-bench_0.3.1_linux_amd64.rpm - -sudo yum install kube-bench_0.3.1_linux_amd64.rpm -y -``` - -Alternatively, you can manually download and extract the kube-bench binary: - -``` -curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.tar.gz -o kube-bench_0.3.1_linux_amd64.tar.gz - -tar -xvf kube-bench_0.3.1_linux_amd64.tar.gz -``` - -You can then run kube-bench directly: -``` -kube-bench -``` - -If you manually downloaded the kube-bench binary (using curl command above), you have to specify the location of configuration directory and file. For example: -``` -./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml -``` - -See previous section on [Running kube-bench](#running-kube-bench) for further details on using the kube-bench binary. - -### Installing from sources - -If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [`GOPATH` is set](https://github.com/golang/go/wiki/GOPATH)): - -```shell -go get github.com/aquasecurity/kube-bench -cd $GOPATH/src/github.com/aquasecurity/kube-bench -go build -o kube-bench . - -# See all supported options -./kube-bench --help - -# Run all checks -./kube-bench -``` - -## Output - -There are four output states: -- [PASS] indicates that the test was run successfully, and passed. -- [FAIL] indicates that the test was run successfully, and failed. 
The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run. -- [WARN] means this test needs further attention, for example it is a test that needs to be run manually. Check the remediation output for further information. -- [INFO] is informational output that needs no further action. - -Note: -- If the test is Manual, this always generates WARN (because the user has to run it manually) -- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure). -- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN. -- If the test is Scored, type is empty, and there are no `test_items` present, it generates a WARN. This is to highlight tests that appear to be incompletely defined. - -## Configuration - -Kubernetes configuration and binary file locations and names can vary from installation to installation, so these are configurable in the `cfg/config.yaml` file. - -Any settings in the version-specific config file `cfg//config.yaml` take precedence over settings in the main `cfg/config.yaml` file. - -You can read more about `kube-bench` configuration in our [documentation](docs/README.md#configuration-and-variables). - -## Troubleshooting - -Running `kube-bench` with the `-v 3` parameter will generate debug logs that can be very helpful for debugging problems. - -If you are using one of the example `job*.yaml` files, you will need to edit the `command` field, for example `["kube-bench", "-v", "3"]`. Once the job has run, the logs can be retrieved using `kubectl logs` on the job's pod. - -## Test config YAML representation +1. kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. 
Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org). -The tests (or "controls") are represented as YAML documents (installed by default into `./cfg`). There are different versions of these test YAML files reflecting different versions of the CIS Kubernetes Benchmark. You will find more information about the test file YAML definitions in our [documentation](docs/README.md). +1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](docs/platforms.md#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark. -### Omitting checks -If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type `skip` as in this example: +By default, kube-bench will determine the test set to run based on the Kubernetes version running on the machine. +- see the following documentation on [Running kube-bench](docs/running.md#running-kube-bench) for more details. -```yaml - checks: - - id: 2.1.1 - text: "Ensure that the --allow-privileged argument is set to false (Scored)" - type: "skip" - scored: true -``` -No tests will be run for this check and the output will be marked [INFO]. +## Contributing +Kindly read [Contributing](CONTRIBUTING.md) before contributing. +We welcome PRs and issue reports. ## Roadmap Going forward we plan to release updates to kube-bench to add support for new releases of the CIS Benchmark. Note that these are not released as frequently as Kubernetes releases. - -We welcome PRs and issue reports. 
- -## Testing locally with kind - -Our makefile contains targets to test your current version of kube-bench inside a [Kind](https://kind.sigs.k8s.io/) cluster. This can be very handy if you don't want to run a real Kubernetes cluster for development purposes. - -First, you'll need to create the cluster using `make kind-test-cluster` this will create a new cluster if it cannot be found on your machine. By default, the cluster is named `kube-bench` but you can change the name by using the environment variable `KIND_PROFILE`. - -*If kind cannot be found on your system the target will try to install it using `go get`* - -Next, you'll have to build the kube-bench docker image using `make build-docker`, then we will be able to push the docker image to the cluster using `make kind-push`. - -Finally, we can use the `make kind-run` target to run the current version of kube-bench in the cluster and follow the logs of pods created. (Ctrl+C to exit) - -Every time you want to test a change, you'll need to rebuild the docker image and push it to cluster before running it again. ( `make build-docker kind-push kind-run` ) - -## Contributing -Kindly read [Contributing.md](CONTRIBUTING.md) before contributing. Some instructions for the common contributions are stated below. - -### Bugs - -If you think you have found a bug please follow the instructions below. - -- Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. -- Open a [new issue](https://github.com/aquasecurity/kube-bench/issues/new) if a duplicate doesn't already exist. -- Note the version of kube-bench you are running (from `kube-bench version`) and the command line options you are using. -- Note the version of Kubernetes you are running (from `kubectl version` or `oc version` for OpenShift). -- Set `-v 10` command line option and save the log output. Please paste this into your issue. 
-- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others. - -### Features - -We also use the GitHub issue tracker to track feature requests. If you have an idea to make kube-bench even more awesome follow the steps below. - -- Open a [new issue](https://github.com/aquasecurity/kube-bench/issues/new). -- Remember users might be searching for your issue in the future, so please give it a meaningful title to helps others. -- Clearly define the use case, using concrete examples. For example, I type `this` and kube-bench does `that`. -- If you would like to include a technical design for your feature please feel free to do so. - -### Pull Requests - -We welcome pull requests! - -- Your PR is more likely to be accepted if it focuses on just one change. -- Please include a comment with the results before and after your change. -- Your PR is more likely to be accepted if it includes tests. (We have not historically been very strict about tests, but we would like to improve this!). -- You're welcome to submit a draft PR if you would like early feedback on an idea or an approach. -- Happy coding! - -[kube-bench-aws-security-hub]: ./docs/asff.md diff --git a/docs/architecture.md b/docs/architecture.md new file mode 100644 index 0000000..2352cab --- /dev/null +++ b/docs/architecture.md 
@@ -0,0 +1,25 @@ +## Test config YAML representation + +The tests (or "controls") are maintained in YAML documents. There are different versions of these test YAML files reflecting different [versions and platforms of the CIS Kubernetes Benchmark](./platforms.md). You will find more information about the test file YAML definitions in our [controls documentation](./controls.md). + +## Kube-bench benchmarks + +The test files for the various versions of Benchmarks can be found in directories +with same name as the Benchmark versions under the `cfg` directory next to the kube-bench executable, +for example `./cfg/cis-1.5` will contain all test files for [CIS Kubernetes Benchmark v1.5.1](https://workbench.cisecurity.org/benchmarks/4892) which are: +master.yaml, controlplane.yaml, node.yaml, etcd.yaml, policies.yaml and config.yaml + +Check the contents of the benchmark directory under `cfg` to see which targets are available for that benchmark. Each file except `config.yaml` represents a target (also known as a `control` in other parts of this documentation). + +The following table shows the valid targets based on the CIS Benchmark version. +| CIS Benchmark | Targets | +|---|---| +| cis-1.5| master, controlplane, node, etcd, policies | +| cis-1.6| master, controlplane, node, etcd, policies | +| gke-1.0| master, controlplane, node, etcd, policies, managedservices | +| eks-1.0| controlplane, node, policies, managedservices | +| ack-1.0| master, controlplane, node, etcd, policies, managedservices | +| rh-0.7| master,node| +| rh-1.0| master, controlplane, node, etcd, policies | + + diff --git a/docs/README.md b/docs/controls.md similarity index 89% rename from docs/README.md rename to docs/controls.md index 423093b..8655f31 100644 --- a/docs/README.md +++ b/docs/controls.md 
@@ -41,7 +41,7 @@ groups: text: "Ensure that the --profiling argument is set to false (Scored)" audit: "ps -ef | grep kube-scheduler | grep -v grep" tests: - bin_op: or + bin_op: and test_items: - flag: "--profiling" set: true @@ -150,11 +150,15 @@ pass a check. This criteria is made up of keywords extracted from the output of the `audit` command and operations that compare these keywords against values expected by the CIS Kubernetes Benchmark. -There are three ways to extract keywords from the output of the `audit` command, -`flag`, `path`, `env`. +There are three ways to run and extract keywords from the output of the command used, +| Command | Output var | +|---|---| +| `audit` | `flag` | +| `audit_config` | `path` | +| `audit_env` | `env` | -`flag` is used when the keyword is a command-line flag. The associated `audit` -command is usually a `ps` command and a `grep` for the binary whose flag we are +`flag` is used when the keyword is a command-line flag. The associated `audit` command could +be any binaries available on the system like `ps` command and a `grep` for the binary whose flag we are checking: ```sh @@ -173,7 +177,7 @@ tests: ``` `path` is used when the keyword is an option set in a JSON or YAML config file. -The associated `audit` command is usually `cat /path/to/config-yaml-or-json`. +The associated `audit_command` command is usually `cat /path/to/config-yaml-or-json`. For example: ```yml 
@@ -189,7 +193,7 @@ tests: `env` is used to check if the value is present within a specified environment variable. The presence of `env` is treated as an OR operation, if both `flag` and `env` are supplied it will use either to attempt pass the check. The command used for checking the environment variables of a process **is generated by default**. -If the command being generated is causing errors, you can override the command used by setting `auditEnv` on the check. +If the command being generated is causing errors, you can override the command used by setting `audit_env` on the check. Similarly, if you don't want the environment checking command to be generated or run at all, specify `disableEnvTesting` as true on the check. The example below will check if the flag `--auto-tls` is equal to false *OR* `ETCD_AUTO_TLS` is equal to false @@ -202,6 +206,7 @@ The example below will check if the flag `--auto-tls` is equal to false *OR* `ET op: eq value: false ``` +**Note:** flag, path and env will act as OR if more then one present. `test_item` compares the output of the audit command and keywords using the `set` and `compare` fields. @@ -220,6 +225,7 @@ The example below will check if the flag `--auto-tls` is equal to false *OR* `ET If `set` is true, the check passes only if the keyword is present in the output of the audit command, or config file. If `set` is false, the check passes only if the keyword is not present in the output of the audit command, or config file. +`set` is true by default. `compare` has two fields `op` and `value` to compare keywords with expected value. `op` specifies which operation is used for the comparison, and `value` 
@@ -240,6 +246,22 @@ The `op` (operations) currently supported in `kube-bench` are: - `regex`: tests if the flag value matches the compared value regular expression. When defining regular expressions in YAML it is generally easier to wrap them in single quotes, for example `'^[abc]$'`, to avoid issues with string escaping. +- `bitmask` : tests if keyward is bitmasked with the compared value, common usege is for + comparing file permissions in linux. + +## Omitting checks + +If you decide that a recommendation is not appropriate for your environment, you can choose to omit it by editing the test YAML file to give it the check type `skip` as in this example: + +```yaml + checks: + - id: 2.1.1 + text: "Ensure that the --allow-privileged argument is set to false (Scored)" + type: "skip" + scored: true +``` + +No tests will be run for this check and the output will be marked [INFO]. ## Configuration and Variables @@ -256,7 +278,7 @@ version-specific config overwrite similar values in `cfg/config.yaml`. For example, the kube-apiserver in Red Hat OCP distribution is run as `hypershift openshift-kube-apiserver` instead of the default `kube-apiserver`. This difference can be specified by editing the `master.apiserver.defaultbin` -entry `cfg/ocp-3.10/config.yaml`. +entry `cfg/rh-0.7/config.yaml`. Below is the structure of `cfg/config.yaml`: @@ -283,7 +305,7 @@ Every node type has a subsection that specifies the main configuration items. Each component has the following entries: - `bins`: A list of candidate binaries for a component. `kube-bench` checks this - list and selects the first binary that is running on the node. + list and selects the **first** binary that is running on the node. If none of the binaries in `bins` list is running, `kube-bench` checks if the binary specified by `defaultbin` is running and terminates if none of the 
@@ -302,7 +324,7 @@ Every node type has a subsection that specifies the main configuration items. ``` - `confs`: A list of candidate configuration files for a component. `kube-bench` - checks this list and selects the first config file that is found on the node. + checks this list and selects the **first** config file that is found on the node. If none of the config files exists, `kube-bench` defaults conf to the value of `defaultconf`. @@ -319,7 +341,7 @@ Every node type has a subsection that specifies the main configuration items. ``` - `svcs`: A list of candidate unitfiles for a component. `kube-bench` checks this - list and selects the first unitfile that is found on the node. If none of the + list and selects the **first** unitfile that is found on the node. If none of the unitfiles exists, `kube-bench` defaults unitfile to the value of `defaultsvc`. The selected unitfile for a component can be referenced in `controls` via a @@ -341,7 +363,7 @@ Every node type has a subsection that specifies the main configuration items. ``` - `kubeconfig`: A list of candidate kubeconfig files for a component. `kube-bench` - checks this list and selects the first file that is found on the node. If none + checks this list and selects the **first** file that is found on the node. If none of the files exists, `kube-bench` defaults kubeconfig to the value of `defaultkubeconfig`. diff --git a/docs/flags-and-commands.md b/docs/flags-and-commands.md new file mode 100644 index 0000000..27a2544 --- /dev/null +++ b/docs/flags-and-commands.md 
@@ -0,0 +1,137 @@ +## Commands +Command | Description +--- | --- +help | Prints help about any command +run | List of components to run +version | Print kube-bench version + +## Flags +Flag | Description +--- | --- +--alsologtostderr | log to standard error as well as files +--asff | Send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page][kube-bench-aws-security-hub] for more information on how to enable the kube-bench integration with AWS Security Hub. +--benchmark | Manually specify CIS benchmark version +-c, --check | A comma-delimited list of checks to run as specified in Benchmark document. +--config | config file (default is ./cfg/config.yaml) +--exit-code | Specify the exit code for when checks fail +--group | Run all the checks under this comma-delimited list of groups. +--include-test-output | Prints the actual result when test fails. +--json | Prints the results as JSON +--junit | Prints the results as JUnit +--log_backtrace_at traceLocation | when logging hits line file:N, emit a stack trace (default :0) +--logtostderr | log to standard error instead of files +--noremediations | Disable printing of remediations section to stdout. +--noresults | Disable printing of results section to stdout. +--nototals | Disable calculating and printing of totals for failed, passed, ... 
checks across all sections +--outputfile | Writes the JSON results to output file +--pgsql | Save the results to PostgreSQL +--scored | Run the scored CIS checks (default true) +--skip string | List of comma separated values of checks to be skipped +--stderrthreshold severity | logs at or above this threshold go to stderr (default 2) +-v, --v Level | log level for V logs (default 0) +--version string | Manually specify Kubernetes version, automatically detected if unset +--vmodule moduleSpec | comma-separated list of pattern=N settings for file-filtered logging + +### Examples + +#### Report kube-bench findings to AWS Security Hub + +You can configure kube-bench with the `--asff` option to send findings to AWS Security Hub for any benchmark tests that fail or that generate a warning. See [this page](asff.md) for more information on how to enable the kube-bench integration with AWS Security Hub. + +#### Specifying the benchmark or Kubernetes version + +`kube-bench` uses the Kubernetes API, or access to the `kubectl` or `kubelet` executables to try to determine the Kubernetes version, and hence which benchmark to run. If you wish to override this, or if none of these methods are available, you can specify either the Kubernetes version or CIS Benchmark as a command line parameter. + +You can specify a particular version of Kubernetes by setting the `--version` flag or with the `KUBE_BENCH_VERSION` environment variable. The value of `--version` takes precedence over the value of `KUBE_BENCH_VERSION`. + +For example, run kube-bench using the tests for Kubernetes version 1.13: + +``` +kube-bench --version 1.13 +``` + + +You can specify `--benchmark` to run a specific CIS Benchmark version: + +``` +kube-bench --benchmark cis-1.5 +``` + +**Note:** It is an error to specify both `--version` and `--benchmark` flags together + +#### Specifying Benchmark sections + +If you want to run specific CIS Benchmark sections (i.e master, node, etcd, etc...) 
+you can use the `run --targets` subcommand. + +``` +kube-bench run --targets master,node +``` + +or + +``` +kube-bench run --targets master,node,etcd,policies +``` + + +If no targets are specified, `kube-bench` will determine the appropriate targets based on the CIS Benchmark version and the components detected on the node. The detection is done by verifying which components are running, as defined in the config files (see [Configuration](controls.md#configuration-and-variables). + +#### Run specific check or group + +`kube-bench` supports running individual checks by specifying the check's `id` +as a comma-delimited list on the command line with the `--check` | `-c` flag. +`kube-bench --check="1.1.1,1.1.2,1.2.1,1.3.3"` + +`kube-bench` supports running all checks under group by specifying the group's `id` +as a comma-delimited list on the command line with the `--group` | `-g` flag. +`kube-bench --check="1.1,2.2"` +Will run all checks 1.1.X and 2.2.X. + +#### Skip specific check or group + +`kube-bench` supports skipping checks or groups by specifying the `id` +as a comma-delimited list on the command line with the `--skip` flag. +`kube-bench --skip="1.1,1.2.1,1.3.3"` +Will skip 1.1.X group and individual checks 1.2.1, 1.3.3. +Skipped checks returns [INFO] output. + +#### Exit code + +`kube-bench` supports using uniqe exit code when failing a check or more. +`kube-bench --exit-code 42` +Will return 42 if one check or more failed, and 0 incase none failed. +**Note:** [WARN] is not [FAIL]. + +#### Output manipulation flags + +There are four output states: +- [PASS] indicates that the test was run successfully, and passed. +- [FAIL] indicates that the test was run successfully, and failed. The remediation output describes how to correct the configuration, or includes an error message describing why the test could not be run. +- [WARN] means this test needs further attention, for example it is a test that needs to be run manually. 
Check the remediation output for further information. +- [INFO] is informational output that needs no further action. + +Note: +- If the test is Manual, this always generates WARN (because the user has to run it manually) +- If the test is Scored, and kube-bench was unable to run the test, this generates FAIL (because the test has not been passed, and as a Scored test, if it doesn't pass then it must be considered a failure). +- If the test is Not Scored, and kube-bench was unable to run the test, this generates WARN. +- If the test is Scored, type is empty, and there are no `test_items` present, it generates a WARN. This is to highlight tests that appear to be incompletely defined. + +`kube-bench` supports multiple output manipulation flags. +`kube-bench --include-test-output` will print failing checks output in the results section +``` +[INFO] 1 Master Node Security Configuration +[INFO] 1.1 Master Node Configuration Files +[FAIL] 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) + **permissions=777** +``` + +**Note:** `--noresults` `--noremediations` and `--include-test-output` **will not** effect the json output but only stdout. +Only `--nototals` will effect the json output and thats because it will not call the function to calculate totals. + + +#### Troubleshooting + +Running `kube-bench` with the `-v 3` parameter will generate debug logs that can be very helpful for debugging problems. + +If you are using one of the example `job*.yaml` files, you will need to edit the `command` field, for example `["kube-bench", "-v", "3"]`. Once the job has run, the logs can be retrieved using `kubectl logs` on the job's pod. diff --git a/images/asff-example-finding.png b/docs/images/asff-example-finding.png similarity index 100% rename from images/asff-example-finding.png rename to docs/images/asff-example-finding.png 
diff --git a/docs/images/kube-bench-logo-only.png b/docs/images/kube-bench-logo-only.png new file mode 100644 index 0000000000000000000000000000000000000000..6c56bfa57a87a91625ac7e7abc9c633a7acd9039 GIT binary patch literal 66033
zFQe+r5o^$=MTbg{e!f?*@*HwL7fQ8}7y6dEqFHiV4(kK{Hy5F|ZZ!ufJJqeByw_c4 z@ymn#3uXkae0BO4*%{#j^Nkt8n&)Nr;2rV0SMFKTVDtmY>u*_VyLH5}Dg$cCHt0%g z!Xo5DUo?1FyoN4_q)d|!-M-VA$wDYc9dO^;6QNNv^1^eQey`8zFA75FyldRp9S<(b zC+x*7R#Oj#{05#1&jp;+mYOGLkOeMFO?r*alszM#(nry@kZP16sQFrOwiZ&3kdgOe zsF?z}$dW@BWyJ3k==fBYlB<13g~-r;;GqlQM+8pt$*(I>l8MKHk+XSnVrUb8 z!q>2WMd_AbR~|!oseXh0h!%$|ss!A^U+<>g=W3s~=~t|f+nqWOL2^;7-g-_o&<+LD zeBAYRX}CGrzNE%q^htuUx2QkkmA>4#-9$_5ATMsg!o4|DM%a6+b6gI1N$ zy;!Ynm>|y9zVD1Hq0ftZZ@`yY(llI`A+L@qI%Kkf0qlFb& zWF8Bl4|-0)S-N$0wDA3kgLztDGQ#>m94TV^Z=&*x4K_JvTPqO=EHJzVC~F8+uWMZk zKNWqs3y-QDHA+TMgfk$shvEE>n8YRb+2X|FQYab7#X%Fc;;9&>vfZWnaz|PDkP9R! z;~=DFAJ73*YWu6d8zpPsmn_Tb>;)55n3K4kQ@y=*UT_=waL7}kFQLbOYEcGF@nOMq zH6Ea);17;M5;*r;XMHSh`TOpK9=_1{J#4fYkD;m*k%70b6q&IFN&q+%Jv4hM713~>N>VGs* zwzT#Wtv=ZgPCAubq&HsHKW`OXcMDAEslRCz`f)Eo0K%hwV_QDMX1CxBNNK$|VyVjo z_7-E1oBVO+nO2k8B!adCxbUG-yex=I*eRf{5)K?`q``+ydx@$s)ez)4@-KtK61!B znDmo6Q5|yzp-r@r))j_MV(R&jT^~G}w|?gAMqhOVu-sS$v%EIPt^3oD{RgLZlY2>YY45vnM_}^u(_C%e)-hq#ABaEE)zJ{Xg9njU)M`+xaPl1 zxM)G(EU==-r`Ztys<#F`Y8`zKzwB?&TQ>^-k-712mr1nFr;bGCV?&TbJ?Ni)&Z&n4 zy{wgu8U8R4i{Sg|+nAI{)0V0HkoBOo#uWEJj;7vRW$e+KCwC*G|OiuO9%V)XXT@4<@rBJ zQmpU()R><{=Z+oQ`D@?8y16#rdaq;%X3d;|Z7veI{%~kBePhaD<8if$Kt31J3JRK`W`xA^wN)N9xU39H+=70#&^pom+Okc{>GB2 z2l&?bdz8@{_tn^nq|dk$o~I;-%h#PHLgksTv^&u2r`o7K{=>v7RsAQ*;Gf^|e3uyJ zIe1GthVz;uk=4=U89y@noO~^?)<_|ibfslh$27oK0{O#cIWJMZSt|O+?=@s0m}R>* zk6RD9?|*eYG(yOg&guamBV0sjSPBXRu0X}KDulSp)A#e^`_yz1wx@y2`ZVq9(H}>m zb^7mSNfQnhSRwdhB7C;axZtaQ8&v}in)*1vZ&*#1+oM6rSB#E8)}wkQb5jg9cBccNkZpTum=zY?Xo!#ni_{WkG0b)b2{F9CWJVQy_4y$CAlUStUzRbPzO58i3UbP zX=kXO?K8c#$*s1*f%@f}gW>7HN0oit+2>1e@3iuzQ!YP`!m`KH^9wXF8tnM($Y`&o zbQ)b$^XyX7-^(RY32K5T3CCVsIDCWSh2o)4&wJDNzd4t1qM7vuPflHPRU~%MfN38~ zjL-QG>v`{--~H^k`{ADPhG4bc!AAzIU$(|7waIC1%;M5bh6gCxO!(FnU1c=povw4X zHlh{j``$0_OTxgs$^p2XpaHH##HanpPzihd=0|WzL>#7iF;CPEDVM&DpN_4b4{m!( zAFg|8Q&k!)X_8-F#ahg|fK7#i=u!3bRh_O7y6C1Z4?^6VUcS5S)xP^aI1GnJVHW>Z 
zz3O+q0#0+zVcnSrGM@0?Pvx`n{&r@Io8%c`kxS@kxHD2HL57Q2hdVK+IeJ7hK+ShcyenLn?FaTS({1DIp| z326W1FrL%6w7`CyjE=`@sjObjAXUEdc3{dd8F49e7GtMD*)8*MN(&IO9<7|z_ z83OeooziJlE|rY#{lRT{vnMR|GS{U7`}Z%Wysco?L%GI=hU-4u%mWyH}BPCM=XB$)d44NQd5-Rem=MUNZZ#HM^@~EX#b(?hJ4hyr0rO z`}Jw!_#r(mm5}B9{cg!|aVnYX>=&5DHE?Qy2Fu}#!3TEZM=e8z%zS}Lr{xL{MpcXt zZFx3-@Z8K@8_POoD#<7WZ_LDZ1UVxQBBhWuJ`tDdo9+_GLL{Q6<=ZA+tM}JtDR)cP zX}!vaQK<1t6yixOFq?Q`R1@f}zLi zWk?0zcu1jF3opOx-z+$)9z3!9o#Km*EoMfhWSZ&Y-}nVruEl&F5*zZ3)=B)zBumg? zp%uM09Ukl2{4T|UjA8+BUtCA8%TH;&j?JX%4OTDCvDYXzM|9Oa`hg#_ zhKas)y!`H^b}Xec50w{Vv52EKkj{jMy;ASP{>_SuKmxR>AN`3-fCy3T7{qSeZ?Ej( zt-*rbBkL}$L+LZCHb&j_*Z~87BvpDQRcz^m8gL$O)mysh!^zC$?wLK|H~Q1wQ!-YT zBW}!|i4#T4HDKepp#7FOOr3T;1n!dD$iSeB*c}=}lqf`&z3)M_B+hJHm(dr|S}q{( zzJNw<@$8VB&yWqu2Ojhq_)g>Q7TrYhII|WnlbGqx8PTif zsFy9mpVT8BbdwC;T>x4DU`I@48N2VOpuK+tsiMbjZH10Z>wUm2IX1$5c2wb3kL2sQ zd#kO|cj{bJL&%A42r=RHiHT?WmqnX*i0N%sY>~q!`IPajy>d?f7MK>zw5v*h6X zjM+j&iyJ6?;{|V`>sFhCiSp*x;*VRQ3vZ$(H`lHST|@GdLA3ko?I<|%y3cB6mHdaT zo)6FuddKUOTn!g+Rlur_h3E->i_NE9Rf)NtgZJj%s6KXcUO2ALh3vSsX?6`5(z_N& zrGx3+^zr$k?=hXs+zq#Kd&8~Rd*ACcdupl#?|rF|u0D;JheXVq?OscOU&qBEXP#{J*mCWilIzR&6X1}MhoL_*aX-L5eW%FP z>amTs0aZ-1XnstL1=9D|o6b9dSzor>-XiEr!Bf@AEM^DQb;O(w(5blp@YySBuBh#pNRGN0o*6U~GBoeVaBM$ft^kVe$ePzJcgyK5&GhMSiKVCa7?VviR5%gyc$RqwodpLD z86u;=V~Zi%@eJZ zy*}bF@w9rKk}0f%9FyDaP!=!1<*;+T&8SdMxmAB7&6bTeGd4(h=252Vh)RkiOviL= zQt>2(sN6nRy>)GMAb9@gFBv4h@4*)wuC z1&4-sx}xl)ZZ=*7iYooq(;tF-a9#C-B<=5)4=n_kDl;y#z$ST@c79|a={E=l&!?Zd zt1^R%UW3^BkIv0$qtIYzQE*CFQt8Txq?qr5dl+=#35oK$Q1NIvUB|lc=mYhE1e~%s z@;9q{x7gC>#%uo2&|X}lwaIxB0K6CZA^nFIx}5%c;)wT0jm_oskEZ@hpXqBF>(@y2 z6tifZeI)JESAwUOayd0?6ajHN)>_n}bEn|OS|8myoe-qmkcTv)w4$uM)xAz%qb}KO zR-SB=7Ji~fh4C-EqdCEbCaBz&>T<~6+w3X4P>4lbLou&6=am2T%b*c0tMi9+tXk|C zaH9K0;PM4D=;XD9fVscqraeNZ3|3;Unsw>g;v5_;#BAZ#M4WdZ_;&!^qSM^s+#U8i zv9TERL(Iiw)HR;*5T&Ahe0LL1CJvpdMl6K;Y zAwF_QE4)C`&g0YaN%Thayp5BKK|dG_4_>X&k%`sPA$(gUU5%3Z*-T?lCr{A{81&Qm zK!J%$xcBm9*Q`mv-_U_Ek+IS`o!hufaYW6oUqTGR6H_>?=39Jht!DjU^U>pJ;T@Q7 
z{Iof{ekbseTbJv{@$h8A!;XOb3vYWXO; zw>|H82v?Dfs1Nu5wA&+JGlzs{W#_n&=AySJH=pNiM$Iu2B9=q zIiDl0EqcVr@}yPbS({e8D1!vajMqrN_f8iJc&N>8l^!Pb6GUD!l5I zICKCr^Vce)aW`Fi5c}5r=0`p75Aq(hs!gRHfGMQ^ro4puFQuHD$_`=7J0J2kvX+R5ErNTr+za2!|plh)SxJ z?T6Ri<;6MDt)G%tb#S5+a80Du8rDTKr2@8-Mm?&WX1Q_ zeRSz?i{qb8V9T1EFQgo77htz6No7Wcflv<17L`VkGhM%CU%`nU9e-j;d;`0T5eYYN zsc$4K%eG&_>0RizWI=B70JJV(D1;QAUE_nXPWn6A&jap{iq1^zvDnndnO*49{fD$G z00jMV0;d|Q)#3lHRF_TF7Awd~!S2%JifrW>oBf`f!-H~_#)%@j{84$%rTE8@6csg@ z47zlXACJ+Gv8Fs@rGgf^u+Vq7U6pX{LnaJJ47|%aAqg8!3NlN~v&;ziecmES(5^cH zh25-!^5r$>h0mtxu7H~i{3pgkVCs4sHs-w>5`HT`$qQOG;j0Q)AG*MT^@2Tn|7h-* z^mg1lLEgND6ZLsZGvF)}@SvgVuB9)XtUO~Hg*qOu!}%-5otFTL)gjblQ=lP zI$aV)DU#pyg3t<@=-nLF=y&A&$a%er?t&aXRMP_t8hfseG+}wt<&fSGNqf2pw}>T! zvJ3bZ;3fA|Q}x7S82&iDN2LEMpp}n|a;>o9_rU!Nuk-JI^uR2Hx~h6{^Zm1YV={tE zI~z9cf>($G?ms@zQNAFB+?KV{@?nM;?;QXuW2)2 z1LNj&1Sj|b9pOQqhgP5VJn@ihuKw4X)bY<`X?};?jAnGsjsag5EEizDS6o1^F+d=I zk34*?Ulr|r546P{S+m~}^JDYhSO{qbX%3q?4jM9u+Wq>roG8pzzfGI^pRT*vE4l33 zgPr4CcUV;I40RTW)4a?>&{o(Q9ui}?g}A0h%onon8nDz`zkKM%#+}@aUh^mK!J!ql zAc8p~DvAUcT#cCjac>O`&)s6VNXG&IPtuxI*FS3gU;yVsv9zS)H_$Fvi_2G1tOIZqcDO(*NU^_JGTdFuxUlDG;;ie5<;Zzu$|+Zce;nBCnv#+hAY}014%43jggcExNI`tvQoxQdn-&c zKOPXh+`#S)@wwW7uIe#958D9gz&V+r{l3Cc>EfV>CRSCD{=;dnl7K*VlFdeGdDbND z^l!883;A7j09}Wk%ekdR%!4E8N!lqsW8&>AS(9G3ax0SZUFDV^1{WGVJH$?0F57p>Uu)hIm4#=0|fXJ8zZf%#t7OOAo$M|(-v`CGS^+7lOmPd|%z8aPMHe-)tVG+$ow@4ax9 z-XlM>wO)m5!i~!?)LjV-v$T*aym;bzpmEnX7PF1NkF)XYb*2fxp>|?S1P{Zs;HmC7 zCcOgirm@2RIUfz``Xp_|%TfaES3nnEjMb0~n9E)V2}{j?gaJ7ixQA#(?4}fZ*{8h< zhj|H37V{x1@(pUvFzszy9i0al!mr;U)Xh{67*(*3A2CeviCo)3ReS#fG|VbmB zOpF!FkJ1mbaQD^fB?!zrnT#28nYvBF^i^vRHq26I}&!9_yhJ`Aad2< zox#dtRDi%pl_B!(zmX!v%gg)2oRud=cx|h225=R23 zMFzLlcwh@%cltIr^wpC{5R?fBmnLG&KCNuBmq40GEn&xli-!}*Ii%&r5q807)*2-m zS0ecD5C9gAUD3p4F!j026V$=OyF9t{;?W-VZ0)}D=MSZGwK^PBM=H2!48-kZF;_c$ zvLTzk&VOgKh9mJIAjVBQ(V`+^4x$#Gv7Vo+Q>0%RM-d-s8i^*}Ss9B&-J9fs^;1u7 z45mfW_rlvLspIj&Ii@@#&UyIh?ui(@hp 
z65Sgy&mlkK7QMC;_1{K`0Sb~c>bQ)%#fRBlcLO#cT+3cB5zgVt*3P-NwsT|?(p*I%nt~&q(UbNHcnfDr*JH}Fu8LWWO z|KGB@gGSvk7&H21QH~O@RciX%+RNs&+eokKWYYpUMw9Q2KBJ@GHWGYrw*>=u$e;Tq z_!vqeVf-DfJNb#SX5acJSyZ%vCv0$=n{JsLNUA$To{kAB(}rm>&Q+}RFG-5KT-lyW z6-3LLoi|lXpS!@}cnsE*Y;~wyCt%R+=Ebth%Wxi|vAxd!z`<=+;`HpsTKXY5yxH29 z?n&+GYEwFNf|oXpYBq49#1N|AT0~MVHiH_v>Q}*(T1zkVG+^eXi=qDs4XrmR zpc>TL5&e6ZEu$}b>b3{Lb4#sva+KcN`XDP%n$eZr^Cxx_LdcAc`jcd^t+^p^mDTtw zj+p=kM@-w+=a_$BmxN!Y0?xkjL=l|#s~8_ilToeWq<=a5a;GaD+97eDz52*gzGwVP zIt?G<5Dp_6!Q!jI>j*WhF=xPKM7KN*@@x%5JbuN%jK&=nJ1sH})qjY?ZAl@Ycxe1P z`kR(M$hmqs;t1^KV)bXFx28|6ox!KYlFcHc97cndzrH0^!?Gh1fq$>~Oic9J{~PI7d{S3n z_DC#@ENOG3HyKwHZnCVFX;ytl%N6NA@E8zdt(n*cqds!!HbfmN*%wXH@+7N->0`z@ zg_|CRD>O(pcd8ewj)Qp^-{A81SHndUoYP1q?M`iXhJLDLBLYq8e&Nwx<2uQVQgB~8+< zNq3s_P^i5F5t&@KE(zJ!Qox-~q!_xL0ByC2BcpBz@ z!cX=axXasjlj=Fk;MDfp!$f9BJdFp4&z%xpy7-qLOUpyl{ZKI@F@jA-z+G- z@kCu2S=n7~n&v`BD=rYQ5BxeAZ;+PZx|PK6Z_8!O<{UJ#w)+VDs0A<8xTesbXi+&v zr#UBH|7sdSsch|NiP%rtK%#b(@wUfO(nGc6S-1NlDAAvfD#Q3;I{%5K@lz*aMV-X6 z*H69*{OnkheD;xPUMS@pr&vuGO)jvz>Lq(28PKBWuAk<@QFxSbXMLYyJbT5MaQD6W zPK`i@@Z*pX$n8lnab{7G*oI5G*iT*H8=V#(SvbM78JpwxhVjO5w}gSeta<;r_d!12 zK0HJifpK==Hm81Xx&GxN7C3!#SIA&olx|hMA7qxsyi-4!8Kz{#@{MKr;XE((JFwP_ z0zmb#E8UvPt@I`rzbQm3k??r=+Y-QU&hTxlesH@`)dxQ@>vx#sI!SP%iC;+Wz53V1 zt^z_PczIs3aIJ1AgBsKmMr)oma777ik$wk@H|s~XrfU!Di(?OO@43@TmVG43(~zXC z|JOs<6&}233K^K+{dVE@K}b;BiLuEJKynguh>s|~%?ff(ICq8nj6iPHFe<-Qai~F% zF#0S0{Di3TS@V|>^I-5~@6rUlDV^*o8|!(D1IjHs;k)sxEGu^I2;)MLGu(wvTTk4@ z^u=wbl}B}=?(1~aF;mps)$S2PwyCjL*ceU4hKN87Kvdx#y z+^zYD*ljSFi(Y_%yUjOHNPO3S#S1<1gCL&#JFrN4nm zMLeKZ+gzrR{U$*c?H{$KEEX{O`aB&J23C@)m)P~KA;Xhzt>6=5_zJsF=dW8^dYLvO zFYstJRI^;~Qk}S&PYgs%^_KFc*R6%M*`43OVZfeoO1P@v!#E|?N|C3kv5QcnofI;0=Q*%_=nx+hzW`!iXHrdK;9^65ROm{Alz zh#__G$D8KyGPo)V6m?!hoO5$7{`-+^ZMC6o-9iL6ccadqc&s@2hpOu6$+X!L;HR%Q z1Gx!!>e^hwD?U)Y(s5d9n{LS!W|WP`IOyR-Wov&W7UYJmah?*}m>+^}X-ehJ6Q2z~%F$)S&V^puzrs=3E8)v2JBGl2ViJ^zDj*J!7g- z+HBeeB-&$!qUkAylFPjqL{bqRi4c z7zakRtmIAdf;|88YBY>+qNUrjY@V;%2#iy 
zJ!dkPq_IayoMCQ_Y2C`t?#xx4$MpnvQ21vSg(oW`=WF(e28`aY)_r%G19gHQM=QFl zKM}RT1r0k4dNL6iop5dn2N=6!F+)4mqftFjzJ2D0G((w||H8^duXsDXc?OhEJd3FL z2(!8sudPL~2ul0);{5M#22=t4Eju&GK-9*ieV|b| z_3HKBPK!Jp6oeAHX3e{pktRsoo&NZ&&RC~n<)DSA?CJhCF!Va<2AxyX2{j_2IFhU2%ah0w_o3=usXh~a^)=`!uR zZ1&3U=TUAxmpjYo6OGf_LNRFnd-d7HuKYw<5`JX)DCb2mQO)C7GJM(E=HX@4Uf^m5 zXruOtw~`O1g;&-|ezQ_wGgre^S>#$)YjiCfhMtHP`b%EM=1ig+lV4!cBcgBhd0BT$AeZ<>!UtK1$({dbVj~=4*z`$rHy78+87IL5Xps z7d8h|DEnX}J9TDqX6(1u6D7 z;{gY0>lkgv`sF|FF>eVvY|+D#8CrU%XM1UTyOFNt?^MLXPrOFLzvH?Yh!Adp9XKz- ze!BQ2^X7Zsp_%VPoN8U*+v%p!ojyhbVl2WiQy_>=lZX7~Vxu4fyJ_$2MF7!TvT=1PCF9>>rbe8YhL0J5*`wg$+imf(e)YdEC{Evyy-1Q z>az8}mkd_e{D{oGqtJ=)uUjhVtK5GJt5jL_3rA_AQfo>p-7%9p@?%uciHDP4)ik`# z(`llAc>`+4A2*1|X(QSWb8Ikpx1usWBIrT|YFJOzXWywZTGW>R=qfd75~a6d`gqHL z7)r8lkD$yjGeYu_DnWMzqcqJF)Au`Jr6MWki;6k&!5d8c7-|wJ*(~;c6MuC}m)J*= zx=PKhf`1zKDA@h`RjA+$DvUGqLYR;qa|x>ml(pKh@BgOiar%n{obKZG{i-ZxquPb+ z2!IBTCwZ|OO+{VCY2gF!H(6ZSaaCv4AEDlY;>rG_kv+ye7NT@sxBL+`b4EsX@KKe) zCnzajRvU{^}pea*L_Yk_A zB+p;6B1X(ZI`7)oA$pZU2o5@+7~X*X??>ed0&WdXCIlsJviz8hI&B;G&)j9?8AIt_ zyEIvXevLr-2lm`)Sd38>aHI2%#5iOHwL#|SDd6>(=tVa1W_tHo(u$181vYa&n!MWG zxV|~%h?B+&Mp7OYUlq+ygzbI~Z3#2*C!`xvtI=2;8i#s+oNl>n4QYxlY#t1~PN!fF z@9N1Og}}^AR`hiywV1uR3$6id?8(&fuf@=Rr-`{)-^)xp?^C=4j02-g4c$ZVDzaH9 zd=cTl{hDIKJrEzkrRegj{6t+EE_?S0Txf7IMy~OYPaaHyysyAkAoelIWcw zTXAGJR|d#=$VpohT@|_5VV@TvqjXq3gzvy0WL0ED>8GNOpT|e_mlR$zIC_)tSztm>LtBZo*Y9Mp3qdT|&^1V! 
z=meFFq1!>cOham_xWJhP5-nyHY=|tv?uE^tI?KleZGf^4_k$PBTQ7NAH22+Lc_W@|K|0SnROYA1VyO}f>r1tM$jT5T0Mv_eHUxHB+36w{#_`;M7t&qJ=R zTz7s0h{>?!Fx5CTc z29CrH2{YW9+S_VbYNaOJ=7J=iOcQ&YGab^wN~zhS{bCwyM!o}nohpdN$VG7~p}{+} z6pWIl8iu$_)Y1&+`iBrENK+ig47%)sozseNP`gj&A#g-cO?pA-)w{?unbx@aqiV#{ zunShBo}r^~2%wExYQDbtECtm>pen_TeTrf>yZRN;5Lm4w^h7Wvo=9eH@cM0)>6WvU zMIO9$7AAdPopMS|?@`l1gt@8WYk9{?5`fj1Usk& zQuS&yA||+$0@PC5hoo#z%eCScj*>#09;RukZ&c4z;U0sy zGHKl$q)`pFTpr|Uoh&$pO5Nx4bJ>^=6F4+5$sw6kGL0Uz3@=A1gC5q&^D(NEkmnuixP*abv|ZsF&Yy$ zjIFQ{p+$H%IN1;)oB+lgnV81u&eg1vhD5&n(m*+$^6^HE(#%*JChZtQyEbV(_E4~s zf;krz2pKVB?R>hDI4yJ3ycAW_yYSN*9BwfX{qdCkpH&>eGDJo|wAw}nw9`FLvpzJU ze*k-#CK()30-DwnEbZ=9frHRtLgWVoJZl|zHS&?4I6!Lp0byXQJ!4ZeZD#{@q=s%F zIc0@ubw4%H^krfRWeq}l^hd$km`*&M_a{)Ly;gx8?r;wt6~S#j?*ugH+C{7G1R0an z^HF194J>YshwKr>>O|0aH$oB5ZKXR^nEAgy^wnoKSoO1DD9R-|Mum=HdztY&* z$vPfgU|0=BF}ss-IyZWz|M!DOfa*}g7^LI@M((#Z+)<$p+SL#-PZR}~78Q2je2v&a* zYH{92$s_n`7q}r`77%XuT+G10A9+`2M26bJHeH5vie2Ho)9m^vWOwHrM!ALl4lwEP zzkp5;-72F*=3mfaSLtkxng<y{J+T!$l6hs%+|htmqzO>_x^&rySqC+VrBu?Dua&*7v9dG z3=-k(lR1l3(B&hH@e(*)F&?tAeGoRyGtw$i$YPLWfL!Y;##AeZ4xwCGJx|mOTKn0? 
z!D)qjY7+qHA0Z6_MH^S@Eh}wCYi#`f| zIs8YPnz0JJSqzA)i8#bfwt0i&%umvga`Y{Yopf8b(Aic*A3f=?yXtU@Abl!HND6q% z60I6W3c9v>6%!Z5k%o?W8rHZ6?-4$zZD#31vpNTE_F2U_6x{em)=%@i3pID9C^X8^ zRxy?m`dmgE=-|25`ro9f`&8IK?=O4U49RM2) zA<0PvrAoieNC+j7y{;G1JpX-ujTNnAL}^`}nA5gF2O{PVAt%?-+~GFD8NVNBO~UKK zk&G2)!s`-+*1r8{$IX_~F|X=TQeB@X}9v<)E-H+Ibp9G*(=- z*Mc^*qZvxFk5?{BM&N$KcV zK%ptg*%zGjdD=!_nJS0^Wn6hAkhiWMeQlRo==tUv=%=6XpoQnSOL2dM0h$;8OZY!Q zE}Bw#!662Mn@-Sjf}5w213&&^^r+4pM-ZBrRrv?e>PcE_s{3T4U044}1R1@&oh*pg zpke7fHBks^x|JJsP9MRI>Rrx5 zwVQLsQYokIsaXRkoBUX;ox%&v@@z|GbZX(Wty@t=^Z#)5=7CUu-~ad>Ba;eAi^A}t zvQ;Ey$ujMdQfUauM6$0TTZ~sFm8k5yHfqSeWS>fuy(Bx?_a$2<8o%>IukZW!`M0j; z+WP19&pgXkjITZ0Zbu!xnm>fS2xH!5JO}k&A4eQ+Nvt1zKYDZb z?%u#Eq{HDi1@D>|PdVeQL@VyDg)_(N$$NbMnT9yhHuZOl!aR#8OtEcdXCYN@+uWa^ zRUA5MoLud_Q((h*B*6jMk>?g34-d2 z(>E@wjkiY6t1L_V}8WkB^CvNZ8Wq-sAfm{N(t zqa|4JUKQ!>=*EJb^yVwXw+5qJn=nQv=69#uFmpeObHqZ}D_uk}TAB4?+d%zpPEVUf zM`0BNp(^k0S5023v$2z z(IZWti1Ne&<(=EHd!utUnUxVpMp-bcsxc>1iNDmsW$AWTrxzJA2ex*k| zU}}(I5fHuyuBNTKCbWgz63rq+8%ZFXcw;k3!fC<1tj*E3qBlk z26FZ~VE)j3^5Ljhms@~^#Otmj|wB;@rwGZY zjh=arqu$@RzQ5QqnQD)1@3`W>0I;ZTyZMV`=Lkr)4o-XPqcb8ofhi5aFAB=NZ#;w*|p_ss9f>22_%H~r>~;+-8<$4 zL|zp?`es%suR7_JieMnuIn^>O0PEJ68xzo0n4{8wYB6F1GNWG9xB-`dEDsmO&w%hogG<@%G;>;@te>IY7{ZEh-m5AdiaQCeC65 zuj1&_x776zY@=C6al+mzpThZXU5028-44?e-fP~qGNwVcmSr{}C_ zw0FP&@zyNAiIn*TPn~t}Q$EWJC$1xuH5FfZf#RaEvWrhJRhfbYB-X+0PrGZg2<14Zy&048<#I7ia`imH>`hr4Qj3u$VJjoKO?cr|ne`?^_ z5dzS)tp0fG-Z>Bq*mnppNa^8haZ_O8OK)&0zOz}brJuaMOE|}DInIIdFz!tl4WzHI zpUiy-wM|qLBJ0o^Xg_pc+-reqIqYL?uo@H@@I0skZes5^suk#9Qm$_!b%Lc|10oF4d4lj%5cAJjaK0u@0cmTPZd11T9-lL*|tOj2@5KvDp_yD#py2_E;ZX%Oz=SsqMmUz9=ej> z>umv+TM|z^)1fYYvq6o8l(U)_Wq!o6W*giH)W1+9PN2z{yzmyDPI>W1{AKZhFxcu6 zvRvq1Y=Ae)WWRtp4|YT^8deH`1acCHXBJxv@Z>aOqFBkd4}-yPAC#HFb4!#9FdzJm zGkXC|#Z0j4Nw`(2>;Ct}*ur`C$HPUFt31d0er`T)macBR(TG>-s?;;$r+hVh>FB+8 zW}BTw27*^fuv<6#oT=kmwYzJx+K|Dv?dev*6W^coeq4u>wC4$1_mcj~^dI-9xCgwQ zNgMvjbSXHk?3rVG&FIAUj^rVlyNaNhg=B2qxsl(@YK8b-@3ak-_=EAZ?pqFlCywES zLer}~od%PV@zUh-?(~OK531m`!DZoxbIYd 
zM41U9DMpe7hMPJ4A}Peib7X-??Pfgb3=1cUze6xVkF>*|+|VI5ZVFDvKbPh&sq&SN zdy5`b=ol9B+7jotkEu33pF$chCVfZhm@N@_q)?^fbg9mrA{Pc65WJkK!iqLD$z7M* z^QJJN7Zy5bGRr?c#}>}qnWWpmAw zoE1IcrXp!^upDboL=6gQ;YdOGwDX>nZ$7u?t{iRk^DVs3fpS~(3RV3J7O%8=rJm@= zHE!yC+?W8joeClcy%Y<{5%13wBO-4u&Ho_x-juKKr74=##0j^_OqL$T-bz z&LZm4+oVSHsLp{r&$%s3>0eh$QnSwesnNt^Na%5KD`R&ol9os*S~wP^tC&y(3oXbk z&1*DvzEhHRCXW_zp{qM~;V3~$EO_d-WU`aTqr%nn9*|r9Gn#RRfh8B(Zd@pho~L{M z4$2TmkF<0RIzXXM$a(mY_)eic$4d5|MpTb>rP-4pJVOu~H=MSl{O8*H?1&MR@%s8$ zIX= zcK5tD;mSus3GSl?uKnk{U!OPMB5m$->+M!8>)4E%`%m2R)rolyw(T z$(u_S#*xlU!8z;TVhHJbea$)nh$K9JZLIWV)~`%{>IsQOue7x6S85=A+F4?lHYlkp zQ_{E3kqu2M$RG5rf0?1kML#m?+UaQ(WoV^>qdH=$h#RG6f+l!g(~J{a*}n?FJ=s+h zR8$cTA7&e>Fnk4fd3DblQHI$2yzi0gzXX_pX|x4H0NzirSRzLex3TX*YosDxQkii zR_-i$J9?zXe&xGn>{ka^r_7Mt5^xP$m$fU1kat*`OQXQ~*q5j?IFgEOp|i5~nM<{< z)Dm?u!}oBzS+pm)EH4{x@J|>a{xG>r`{=aeTF{1q=Tr6p+$U3~L92{ItH4`51PhWz zNul60ug}3LCJt{vG7^%btM;K>h)&x?x9k~KL_JyuURCErUcf0n|Ef-DUPt(;d$b_g z9)i!Cmig{a^Ma*II*IEpH{K;Vf)je9a07ax@O3$j=M3Ms&#$9Lr`XM_cSYAZQT-*a zER-^iJyk+InbVd_Wow5@vFNKAI}tN%S^e%_N8?DjbOyggBH^oAM&U!GzG1*mP`3#R)UTlXSetpxasm=g> zI`IQ9ovRebLe0#kHUG*Y+1OO#qYv^^G6hN3mSOn z9E4-0H%-5Et`jHe!S7B%0+1JO|6-0l^>)~Px9|DGCQL5MPnGBg-YM0(j^2N9IbVhysa@@zyW=vP zHLS;(`T+drzK$XD@LKq7Px1-F4qP_)?8auDaOE~Ost4;~lyBNOQ4jA5tC=R!ZVIlQ zXkeWpZ6gab2pf^huyn4NdwWV-4DYAox{=Ieu0mgPdAP4Pb55KNc0*0z4E9G0p8o`A zNb#HxlxJob4k^-kgUZfgM>w|;oTvI;b*?1W1a{%(*5FO*%#Z8Q6Y-or%{`aCJ5%?* z&76%n3-+eBxg4()MIovs&?0prr$&cQLk?Ln^$@(@Sw{XWnEE}OQ0xrNzo=+=?Q2@( z!4p$?P{3Lx?Jg|}&sXG_fH|KJG z^1tX&jT^b;_?n3q62UBuU@XJjKf@gmX%B?LdyCh5ful%#Milj zUMC(9QQi^R%Y)QjDy(geA*}i#zPb;`)W*{I7WBzvN$1ouNb#=USka4&OZ7zuSGjD4 zGuoOPx>x6Imw#=>enE!%qI4_&eZVZsjF+1ED`?u5won3;L- zvoB4vi+M{~k!xc2-D|cbC$@BuH=|GedgOdiz7iC)6%l)6vCiPc4BB$m2@%kH@@#PMjv;RGK z*tcY>q1Rhb&-ufzXX+9h1=JE+1B)GgzAD9&REh|zcyaHP=vuFa22RMTLN@-Jo*aaN zH?5@+Ut4S5u83ww9Lu_t4F9%8izug%}_!MWgMx5^mqB^>b_MJt}VHDzz zrpm086QB|Gvst!%$szdY?4>vhiqosNKiz^m{`|ZS)pQ?!iMQ|D*B<{jH4Q|`?63v1 zdf|wjViKjJj32CS1q-s7t1HtS^T`=cNH!;O;>2^ 
z?}zwbe!o9(ZK#vLK+q}6afJpzKtb1|r^usLqV!kneYhAca+$+XE1C%ENzZdUz**H^ z>lDXR-eC@CG6KV6XPN#*c)u75kzyJ&e~P(kGkVf=QD4?zjfS#52?@RFr5&(imEIGq zjvw*s6yiKuV#=MSa}p;Mpr7-rEV4}Hi#UT_E?W4r16UqMj{x@6wP0EYUjgXi9=2G6a)b8Q_7W%&0PdCcu%Pp~ z4ei0j38SdnBv_fgdL5xkeZHZ7Gl)iVw8FxjdNRkM>u?f(ahxVNaa8^!%KrcYG^;#O zB9H|+sMVY;{@vd+RdLvr+9m?uz4CV6^vxrG+Zv?y?Dk~n_x3s)iV}OIRLQ4fNBH_%9V{&ZsCYUBf?;PzGSDVZS|u&k=k*@rm=y`2L!yK zyyJ@}wM}ObM<3uIq{#`ZJn+Srb0F9M_1`?skq9USx}HB6w}5-(GDeb>=sj>_p)}hl z?bYRc$lhv39hGetRd1^2dmCsmiOm=Fzri&;2~t6XuwCG3dtVPVT6}`;-DM4v#g@{B-frejwBSU!AlzEkY1Dn;fHQU+?4N=jMqhX1 zly(Kh8Ee=7Jam+&7LV?&{zSD0Y7tO1`WkLoW5FVQMS=szTihu$dmJprp2S$On8&|V z{pPu52Nb1cdbw+{Qi>M>0@-PLMt~v%x41U08cnRfoUgZ}9}^P?BIUv|$fQZ3o;pAr z8jw`!d;U9(gC!Fn`fkE;(B_UP0y^JBv*_5zqM?Ybq7C(ZU!V~om?xex?XDf+Fd#Tz zVC28F>O<(fIG;j)CO>5ooWxm|Tt?tN4Ik#&o}QM?3pm|EAyouQ!>osRz%7Er6S@0au!Cz8;P=upq-~W|%eGT(5;l8{W(Q zaCPm$BlDR=#ox_b(#r4{o@Y1P6jKDjD|A&2JWxJLd}#-%iB7Mquhs-uoHae z+R-O9l4$Aj0GRw*bG!c>A|a2heoMb{e~RSC*%p2hx8wh@}t zGFN~aONCPK&LAk!DT*N7Fbxxn_F@X2B;2bq9sJ-#7QahU`jzKa%?N$fg;cL0h3y{1 zHZ$xozh*O1JKV^objGzriy0#ZA6SwYCJWr$O$fUTR>DrMw@=`J4#&~u5}Fu)d$N}s zE<-H8Mwa6{fD1Fi7HQX~H6>>e&<2GJ$1@Xb3lD>NwnVf5`6A(S11UcHsz&`R$6xZ& zS3aJM9+mwsYcNdui_iXn+~m;bP;KB!wZTkYp!{2b7mh$ZI$PEH5Q3h$LhZuMRH&xb zLl{UuON=`RGS-TtMK+{OjY{ewp?kM7Ze27`Ol*792-aR!%J|p^3D~5N_B^E*wE<8L z+dv+T*@&(J{gEE|^-<$WIW-5D?_D~OnAa4?PPz*^iC@ym^z=I9pbL&BO<)hctAL?W zWz=INPl$Ui@o-g`%7;Uj?)w_+5s>Tuat96ncu(^70|%l9q(acX5UdDx41}nw&Oxx> zC(Jn@htLSk!B5?d@Q}3NO7ymN-@Jxx0k0Le$npvG#38u;~`CzlYrTpv!6BJX>O+g?NJ|N5{aDg4P| z=3=%s1j(x7mCkc)RDY-wYjKb}X){t2SgH6EE3q5~sLO;1tW*JHOd`Tw$HFWPn^@4v zpx_3m=q%+laJ5#|)y&J6N@ny~?hHM(Zjz05U|ccj;su+KQNWDMX=r z&L-bI@}XW)J1n$1zXHD%sl7I=KXZy@so?05;V((^efwhc|2nbs@xQ3k0nlJlaxB!Z zR9mo-M;ch#d;mq;RmfX?Mf;^ydcAJ&Sw4_}9Mft!UcR;$H^&F(xJ^?G5ovwPLe*$@ z8+A*HdK=d-&E|gjtsr0jmPk#6fwzt?4v2UhzC+pIk*^0kG+G91$A?!i=Y_3cJ;@fg zq>+c*J0;TjQS~>M^NnEPv!u)|yzdA8+WT~3^Pn0czBw;QZS}e3A}Xv>eHq@c==nbS z2P*=*0Z0GlJork_!q!)u7N*Ma=p(!RGE3ueWM5LWNly)U%dq-=HeKyQ> 
zxqz{+7<~lvLI7A|-0dmBqp~R{4)I>3q-D5nz0rvI}gjYjh4e<{>4shY`qsEV!e&a@oY`_GTI-S zztbDS4|8yhIa_j@M&+*ytY}g!F$ch;-aC$(IE~M-Kma;I8e%Z5bZc-fQ2e5zr?g1@ zsYDtJa$UWpbI|o03la}L9e91T?<8`O!1i_gzg&6lyM3tOkI$F%+-tV3hUy!}v-Uw* zH(}s5YOx2xE`V^jKkCO9Fuu}vP2Li~GZoIR+m4iY-YFrj`Xc6NmSi5HZco0XWU*gP z={;C`0AShR)yQE`2M_^2wg22}A_@TG!iqBB)QA{QB^Pk>S@*VwCY&TVu9N(970T?QINM7sNxzoU9ufte^+Do1KqP2KR z|J%J>bRIs=uDje2!e?pQP|rktgVcdved9oTcfYv6!T_Q@f(zwNCn~zRanjEKcQkp;fv62uASPO9^4f2}*zL^z%|3XM&^9^0(7r+PK z!w6eKrJ>wd3xxhZWMO9H>kIKcs-wkkTwxb(<^PlW-X>EP4g)%n;?{VjB;GZ%of5R;^1B#M1}HNd(Etgh@nlPj6hhDO*xO$U=# z80M2nd!nu5`>*H)bu>XT`@=$2DvvK?ICqO6KWJ!BAHN#9X5o3t2~L^5p>=w19UXd= zYUa6Z)2mTF@T_z(00WP4RMytvYukdVI88&U2R8v&Y`1Y?r5Zq`L%G^qPq{9!4!H)^ zUjH*KE?_DgTqXih)7p6n)+mO6gSA1aOL@_}>54L$4K@%lF^Lb1SK0<08686;6fjx% zt-up6%?>`}cPU?@GEW+*y>6`1Zs2&-i)O8d^iN% z6Fl@P6#ln_QLIju@b*}uM`R44I3<)-Vr6172NH9PG$0?43*z7e zjF@=X743Wo!bmgMxm%T!Sc0gm7}W-iEbR=**#f&__TCCmVrdr5pDUA(dJ;Q!5=}8% z*hse?1P8&yxO0LmU^)T>H2fA-w*1!_6cSHfx7f?<62J9(H`~>Dw z0Es|D26&;7c%jNT^^nwcff|$^1Zj>$IA=9_-M z4HfJUC2qZ^EY%vY(wY13MBuO#9pK51m89>1J72*G-u|glgU(HZ)inU^VjYq*aBy>g z29yS)n13Cl zUV4d{P5@}=6KJS>=x6%B{4r$q-c#_^$roQzEJV3+VJeV2c0w@I&gF`Suw6FvwMkyq z{YaUs1rT=oBex(-ImauSIq0$wC8h0~$yXBoa*|NDD>Wk9C+2n%L50J)7 z^%fL%0hGhfJ#MysSveTM%BwOC7I(!c|7d8;owg=W^e`uWGSj>X+L3YgU0WK%<#cGNwEK)00)A{uQ;tilXj|6wvv$>&+NIR4HVyVtFuwIauO`` zZ;6@fspfn6OUk%^`upHWoPTp$i!9$prSHHq^|b~Q;!a^2IPEsNW*-vr-cTA+-`k`8 ze$Jtt1XTHJZ0iHtAgpLTH!%2asS^$WHK@MVm z-x=#%gj>t)U?GX>nsCu&^=)*bV5iW|l})S~%!bCrNemsm_{sx=gihGwwDX&-iVU3C z(Dqb^)~cV$K>F{we3S8D>6d>)6)Hf88wNkp0M9>Y4Q93-dc8qEvY&&L{qKCx$q2!*t_j`;D)pZ$UznGHC__0jOdNDbmWDKrSOsK6>JKNMr>zoQ0o>^;A* zu>!~iZ14dmv;~wB{iP^9##ZO)l2ZCjRw>pcTB(Tftp`*8O|~BX2bz_AxPhR*Cpf1a z7fK$`h=uJ(3L>G0KrqKR;~zbS_*V^l$5QW@J!sQ__EXJRnH`4ly;wZ+`Jgb$CM1dd z+J*YG%i7Ne_n@A$hua~dIl8L{o!AKdh$>9I*OHZwtVZGx_y&@k_cw=dVi9-8Z{U#g zlvk;X*?z!*{1YuYzMw}K_DPPk)OiUTU(QnDm)uy3r(UJmx_O#mr3PfvdMuM5Wm0mLEy z-FjpOzX(UWnZ<#&pVdwX9dvcBfy88Q=NyNJHE#L2>(QKKun~GxWw)Ln+!YU8FsI?o 
zKSl+vBY|%hDFOZgP2d2w+AuX|Zl&$CZzB$QJhmY75$%Q4 z`msbliYDy9M9*93&~y{opnN3{0lSptuJQl!(P0HXdBgf@0t@{HG?gD|ljXFg^szR_ z-Ia{gM!dD5Jbx7P;2gd+IO;gWZ=w8L=lX4cNC085baU$~*gwtP4e>Lr-DW2%B0fFO zkJ15aE*Fy-4J=6Jt&_VKzw6=$>>QrssVn@T^H3~1a(Ph&H6;;I%YZQ?oLD=CSL!4sY~#rFRo@ok-5||LmbD%35V!e-Cn**>b+*Xm0I0~t7b})+5)Yt9M|3}4 z)=r=5S!qPyfqIPL-pqk&Aa|h-sCiy9PS4<|{8*_1aUt&yYq>Qu-5epc=M6TztSAP& z5Gupg)A`Sj0~{`GHo|KCmVmR_YlARft%q3z>~RU_Rgp{Pe?0kX6gO|v)-DL6Fh>&v zpJ{ydYW8yPVqQY@PnQyhu9@MG3r3Xx*xO9Dt{7s4^GxI>S@cH&zadY5-kXDPV$(^OZT0S`aeQ{&=UgYU93drW5H35 zVhjD6>uqe3aik5fN_RBo-3r+JV}U0TcLWtb??BRun1)pfo$Fyv(Oy?OKa}JNbwB%D zAVS9Jmtbh25lLeetqbSqec-$&Incn{^yb1OmvLG;cU;Ay2cmai$x(7G!rC7QIwe?Y zcVeaTN8Fp_X^Rw-ibU#S9WxIRqI*epnC_A!AV1(jkTZ!am(!oXkn6BvVMV1R(AB{gFnX2Faz+_WCS%YZEHuB&uQ;(Vw7v@gf0b}Ql>lFVv$-men zl`t859S9T*v|(J~iDKIG1Q3oVSQQ1hq#u3tn_!nYeH9XO=34LPz^V=dUuc}zHcdby zED($RNckJ8y+&9-)SEnX*;P*iBQ{+5&;$KQTVj*MH=z+uY#orFZo1sqzz}Bs8QVO! zt?(x1m05gDL^TiwoB5(=qw^7m1mt!nc2)!}{2tWenGnUH(ie~wBhga1LFKm4DXGel z>|U~~8@k-8ugjl%110wx+F44F7$Ny-EbZ)KzJ$%?Xb|AZ%RGjM87E^02*|k-W+^lk za1_tMpiG-?9sFgz@Oa6*y|De$r&Dm&(Z249my zGA?tX4ZOe98Cc&2c+&ZLz@B~0U~u%?0F>!_EOaWZ2XV;JP*>bgyCR_3rUUr)(&Pr4 zKA7Z%CM9z2xRmd}iCMp1QBs&-u*_o+ru}L7@BHKr8|Y2!ga$uy*3Gx57LdnCu`sE` zz7tPxPj(lXfD9tuIP(Z1=~b8@am~Tkna11D6W(LgB8RT`pIE#QrK|PlCqWed03NdQ zXuezZZv~`ANzkcYa>!N1iV%I93cxjf;8Fb1m*Z{Wd)qy9PcF)?fW<%lki~A48@Lv-Q3rd0{Ln}R_{+_$ zS}%eIivFiSQkspOSs_0>B_T;(%eXx6D~Q6*WBdF!OLFMI%xaXElJr6R!$>ZY%o%A2!>%hux1Td_K+;M-pOhIxf8{#g`e4yuZ9-c0U>8R%clXWPMu2Bfh+$X!l~)7&WjlCJKelxjO? zzo2QKW=q`^3}b{jPr+o3BR9gDBS_0e-fXNg)P0IDy#d9a)zvYK?kka$Y_(~E@plSJpI`#)ZsdKb|~L8qRZxL z*Y8a+Mvrd6ffbG9&AvBzCBYcxsv>6lZ1ZnZXrt^gaVXNLjf^2s%~R{KwzvMu>Z`E2 zVF=&r#)D%w=is4P6+_9{u3n4_HMj`YJgmuP+M|hnu#8KV{i8CBd z6?ypUvG;K;db(FBBWd%#M8)L6HK+%R)c#vJBMwf%6d4X09qebv%0k&0Kqp3(PkZQE z8)~=WQJ_&4Ezc{_Snvssx~P(a>@|WM)k;L z1;A3kWCt2}1uBBe*O_o%1gL0nvfFoYZvOLY&+r(p590c$afdzz!L}i!01!UzgU_vN z%I!7K_$VEi6139%4D$S1xgg#Z>s73L3|>+?#ole2s5tgY9`yi+PW1;QeEukZohjl? 
z+fWipDq@`qOm2;q;+gK{gp*pBocGiU#t8x4j~rX=YFople)Vw;>_>i|#xLIkd)#?l zotYmLId#`d@MpQ;&Z!y#YD)#skQ|DrprQ>xkYJ?lGj`B+^kn~*>;%jNrb9AWr%o`d zreVUj0LHd74RBO&MH2DDp@Q}^)p&HUQ;s0av|eDb%IxZYUKT<%HLgAfpx%&*Yn+0p#k;~y;ACK@S zQgXc+VT`)jX%7ah{^kHvm=-wH0o)(;_R6#~=B+>SgXVvl9A@4~>Dm27^^a-E)0!Mn z5WoqHjlZxOx$uHGx9_tO1zBOw&Kn3Z)nO-=!>6QcqJwUVP;S5sD@d%;dKJ02}g z&U>znxu9!l$nrbAkBBCRu;Bth#8?6B;okHs0L=i>Vpm!gKsO)t=g zC-hBXfb7zQ@)OB|SsF3pEzlz$aYnROe1F9#BV5&~H+D55!d#xQb}*uff;}Q;3m92M z@e5((*lx=S_M4GWKE1%Fe}4_Bp-r;pD=iNs?;;G2@q^Fj*3K~1cnReAwV|UW=806S z-|<`pLz|jVaW^y&-$dh-`hutl;G>9HYFC?-sTwB(-xJ6cG~C%!q3l}v{68~yJdpw| z>{vvv10aCBAlesl|1>!|1(E+v>mwSu&S66GN^?-Gq@d1>;mD@ zk8lvGN)}Gn<0uy4Ph$CZgh>sLf<~kZ0jFG>;X*Fj*me)XsyB>N60G!Zj0HlA7ED=~ z%0L84%9fHG!%^~DANYnYpKd3%{PFVX)RD%W6~EMohd8dRZ1}wuPj?K%Wu2J75{^K8I8utEmkfj2vY?Q?j6F5Y=T;*hx8ZSFh?%;~ zh4&BzLpvJ6%=b+tj1Dp;*->DEVf~l7Er=qDJy=wRUzTS|j=Yw7&q%$9ue^;RbI5S4 z7Eiz0NE-^PUyCRSOUn-M%jWb+z2-&vW5eUt5Og&2p0-ATsr9lcqmg8H?w{weNqck< zvjwH#Wl#WBrgPPjj_XdREL=Gl2eFSnCU#}v61gnoH^cx8Yba$w!g=7^K<1>TNyzn7 z1bO6&Yvu%>WyV6l;aYt81^MY?${RxTGXM;brZp&Uw2&bP(<&l5E5SJCQn}tdq#R6g z18;Pkb|vmZ(rYkzgs+1f`z$=FBk^D4=O^w8wzllAb)hWO$IVGYVOmCraskuwK8TbT zk6t=|2svK@|MOnxS3RqrUA18D?pEXhpFzpv;m#npwT2Q9FFWQTCyUNk{hbB41i|6h z(S-|}aE*I+_(@?C_?<1xdE zXgmoKZQ06yz;v=I%)!4@L3DYDu~Y#VTES@Ba+V2>Ue5(Xo6jG_3a86_y_h#kDr1AT zQf)EwC9gufSO!Y%_PNzp?U5_zMRLNK1!1|fs5R)Wy?EV}Ew3-@k77)>P+X?+VWLr6 zM>q}R@{B@>b&oEB#&{-8&J&%Fghzl~n%pN+D`DoLa-IVrXY8E35bm)&y9U2~hQS4C z3OM)tH~)o*CM#?rU=a48zw~SdWsbU?JMtYqEP;@q(kzG^PK zV~MuA4l~Aw1qEX6>Q@i3lY1eT29xm}{EabB?(PX+Nr4o-Hp?TfDQ^(<9u{Rw#};#L zNFCH}(~Y4v#7wV#EwYvSRy_W5pdY*FuBW>@wdF#C^kjI>s*sK=9eT&ZtBU)^bF`;G zKb|oAN@&pgarW8BTi@;{;Wk{*plm#PQoP;{#tQGI*By}G)1NNYA^KGLqzRkl9pz84 zo{MCi)0WKa&-m%H?T;2`?}sRTaCTDd>Z`~;$wlgD6)$(WYKce*VQA4q=Tt8n3njKkDJR17iT;xmA#v>uHRc*#WEImQ{_5b`NLmz znDH7o5(9t}NIN;%NKQE0nk5cDnfrS@IrE*;#Hps3VunoDP*EpxJmNE{Im&_tU_1|{ zIylw0hS!LWie}?d57!(JAsT*va<}`Us#VJrV-vcfo>O!?+-8x;NzJOwXn+rnR;%#e(eTnI 
zT#u;ePr7OmFD9+)+ZWdmLkLT7Kem3I-1JhV-HISKSVN*5Uyn)Vca!MukO$~)O;A2(O5vIpR|9q9Vm>l%86h7*p zf~BBn9i7wC#nxJ=Z2E&KcgJP(53X_g-?>C=lx_8=5&ww;y|ED+QSA+I#keg)G}o`5 zM*1lBQBA$+Ddx;7t$&j%@~4{OY7R~#kIKSles|;XXdTQdqk%hl_p^Lm1ipCS=5kFV zxdWsuKOc$hsbUl;r@&OBmTkHj zE-lx1Ad{_uN4y)bg_0oPh>ooNR9_bvbNxxuqKQ~+PQR*`NjSYx;8@AaXI4cB-NItK zTS9UK#j~Z4`lUR?qa9Q5E=JPL?Ea~6cdC7}M0r><6bvx;isC|-PvuU3_1E7hZ_|~% zrc6reZ=PZ+y_O(mT=N}A{Raz;g%@<;dlHNRg*VE@_RrXMVf$S0Nt_u*PXU zgZ(*uH>|mNU;KGseM;qnE2VX^&jU8grc6)e|LCHoXH{CJA_+dM z(`{$YmB#F5LB`O8Kx|KwjjWw*JwF`xzU=0eZ2cMB%!~f>s`O&-)GSDh*#wT3CWk0X z5R&qZtRWoHw-E7$rEv1L1o49V*a~-LTjSS;g0BfJ{{B}N-{v@I&=ON) zI)>Y9iCLu|4lSkkZ{+KyD&tj}Bm5V`R$L9=7COq1Vs5iPa&Obcu)D{${_@*`;xGd` z{yaJ2tjY(*etklp`YGZ-;>?F^1!&NWHzD)^-JYmWa9e;PrFewTzRi?{F@G7rY zq1cD$b%+`Zg&}%=VJQ`k;zdJ#b!Yq&`>O}%V>T7XF_6{o9oQmX-ndT=Q4KLygOyd$ zi~>2;pL~d4zx`1SxN#7HH+^02zNnf<#2+ri%_gn;Bw;mhrsz1t$E8yhucC{Zf5saJ z*EE}wVryFQ9Unlu~_HB=-HwuAtZm0-`5?C7@PVTcl4 z%EX=NvyRhjDZy_hyT8avM_4a)7z9^9Ed@}m#^>1;dp+WqAlCi3iUmbsEbLz zj1A*jr`8@&kyXYaT_QzI>3`rai?mBjq=PUkZ!Va!f z4=kO3wB)6pIJWi1t_|qNG`7>&vpV+H-=he>CG;n^ei}E-JWM5DRP}p1Q(*lCe^WNP zEm$>O8By!7EVkg2cR!!|Cp{|eu8dy|7=kO(mi#NLoA$D6dzEkEklk^x0IKn;#Kwod z)*1iCeCi(pjrI@Y2K)hF<@9IuKb0EWXrh$98&NZ`$MPRB*ngvM>g4=A*F$B>Eq*Q@ zx~GV76$iMQsh8b}c_WaakMOaeFfK3^`ri8guu9%>SY`++Xqk#FPM05ufy^l2jzeLB z*h2PYoZ`L570Y30S`$#!D8r+VIPmY_NbIfh!E=_YqzE8=0rlHc}u76tHM_ib(BT!BpD+07f}Y zL=+|_)&%gYLdHGDyC+KttpBtt@)_)_@J*bz4kTU-S%N5hh_ZKOZCVKTm7`OuHbXdW zdQ=mygg%6>U@GrpEg1TOp^%T5XGa|}*#D5R<=X1C*$s-J_8e8Jr4l1L38Ghxmpj|Lwh$x&xH1@un zsttVucWZ=;3LzfT115Fn*9|}}rx4S{7r$-Cq0O4$T+*UW^-AWddo|^s|LSiJSr}fs zlYPkzm(J&dH@%)B*8OxVJQ!=}QO*oWd>8I=g5#a(Zn{>|U7w^ek1&-_%0P{;{v6Q)ZbWxtMmyl7zd z4la}sEZ09Z>ybU+t@&A+`2=3Dq%bh)u06X1y|O3RU5_wZB;m&^HQS?W*lxBzC3se8 zpYsvjiI6tdR!kLIPUU@TRRjNqO-g&ZGGu4pD*W?1#W`9*X{N9`5raM#9|81gDr9i% z^9cu_znk%^UxStUv7Dl^uQW=Ha)2^9X2#fHAZ>6S3Ld0#K%UE~3|@^;9!4Cc3NKX-cAiFr>EqcwkQl)& zd1-*zJ+|6Ab=)6(fTeJ&wJ0thvm8mtqGGX~3lYk-u75EK-6csddz7(o_{I`IQH77j zV5Ql`w7mN*+&>>G*Xk}wY#*?{dw 
diff --git a/docs/images/kube-bench.png b/docs/images/kube-bench.png new file mode 100644 index 0000000000000000000000000000000000000000..631799290bb8058efbe78e5aac84ec3cd43c0466 GIT binary patch literal 87909

ziV11>8MmXk(h&@3$1}KMr@SGWn~Aso-84ne=YLU1S$}dfp6+D<4Yv$G2d6w?k$2GM zZ5t~kDTRw;vTU_d`*dv61Al3Th6mK3Y7m}_EHK42OGKGkxZzhRVz1nuDWK zS8I9Tx7`}d=+TrfCc#tFw`~F-L8P3c$WXQLUS7Uu;WwVAorklR<9^cx0tUb@liH!3 z`X4LlCd?l@t*XhTP2Da~KnE^cRrgRLxll}wli_x6Ux$Gd-_+UGsO0&?$SK$fd1#hw z?QufnFh|LnG(zzwN(S?^rPDAjw2JCP2O}2aKptNuwgS=j= zU#@c&|HvOvH{jLi_sH@p!AcWeSa$lII4a?f<|nlohgzQb`&TF z_X9Von(N+5Qw4oy*@t;B=?}@8H_ZNwhbYrTQ%4bk;bV`nk8Qa$pYChcltNM71w_b$ z1SJ!xC2vTLOQuwus-bTNSl>RG9^-AU;vjVbR1{yOkqu_I15#2C(q6HSR~a;@m4NAT zfMrgQKtw7(c&NV*HyZa*bT|X7ngnJwqxDr9v|`3uZMVt^Hm~9&Tcam+$4&3i=d2vi zru|hav=PI)X-bWN+&LhF1BPMKs6!CK(WYMz_QxXh#R_kfz_@O~uanooMjS zCOyWvSIu7nLh-^LEOC2~BMm2ur60t8bm@}FHMe?N^nu{&Vzr0=4g{L!t)x?x1Pe>@7oz{oASu3w&rboU5h*aBKS#ae8wqI5XfFVbSqE;QC|<(gLTHr^3o@Hn@Ndu; zIws|6uL?C=%}NIFPIg$REQ;SGAItUW17mm4xvSy0Fn$Y>?hnDjlmaPXF`6U{w5Y$I zUK%Y~5{v^eHQyd^f*=Lf!peN2ff}`A_q&mVfs%dVw_9Y(rYO8jiPGi}^k+|FLHgl@ z1T-PTI+Ljb*vIWNwT%dE-zV5G-$sD z4%pUdA0(vOhX)WcIY_(ac7V5g!4GuzA8(N18xYtN7}dFSu?3c<9ZR|7JXZ-YVGS z4Q=#go2opxjp7J~V$#QwWOVAEKYKyL;|hsUKL9PKPG!*kfKu^hB~1qtoX?9 z(l|32-U2N*vkK`y_sHyr@oEbl@gUUxK3$|j(iki=5z&x|EbdD~X3KiiH5?cGlre7DEIR@wKJ>t15$R+pmFcle|M{>g+#=0XhU z!?R*OjQcI(l5y`hf^hxguMHw8rAhbDqaaDl))zD~{SPQY$#RniWFI8BE8vN&9nHU= zOltcPK0gXS31G2LBu7BQSrKPfr+|J#T=V

znUzFAd5tN{Hyg6xpfPGpZJz)eZ=j-60Ik*UY_(&LaDqSuw<5;9+_4W%q{4`{qC*-= zrJrC$QYOTmfuUj=@ztFe2?#@^;}d|=RSSmXV0tfN)4M0k+`#5T;yMk<7Qh#SvfOF< zHb{?h7iOtQ!k59)r%lM`(-Z`LpNPF!xiTSNs1zRN20V-u_y&81aon<^x7wE_v=YAqMPw{1BLZJD2e+Y z^aT%XgI;A|y|N6g@VhJpQNabv){H*2F7J(R#z;5erL$m=<`J{W2)31j%0Y3%4ua@s zm@?;?(t?+=xs7cU@wCrD?Q?s@DM(xfw$<-}!o*lvl8#l*Cvy!5Ayqj3`gF)w`PDQ< zG)k_@(*_n33pCNr;S=xOLn*-4pK8ebsy|@38cuPj-lHK1_89NQG$czCtDJtcfr9#x z>>IJfGrH}^$;mINlCdV4V4(v%AXWw;5ysAJgBy~FIhq`B2%^n5rgS0WgD6t8E!l-12F=jJA9KA<%GN{fn3PJ8E+mJ;`tYeMHOhPD93yS{8PU?4AGV}EF zlK`j--PRliBDeVHbaFcM9OnW>#s@}OCs{^74j55wjH0qEz{|i6nwZXCl>rZZ)H(q2 zD##ZPef3a08x9vHUB@Icd-JdC*miiLQGF!A9hPk0A~=7Lj-f}jdRUXeST<%G0a(?w z8N044lxTk0j{N-Ek`^)r5O&QxYO~Dw>QUvg2bl>;y2cvksWBdg*udHlOG!)+)^Sd` zwZ@E4ND>V&ps=b8N{>pV22dF9yuDF*exRjr+1$nWj7*6W%p$9o07~ae*5=yvdIvJO z2Q(G>par=t?~ulJQfJo}N14y8fspV)Y5;*GB}_sUkv3vsc@N2!@ox!hh_1#C(yKU( z!3(*^!l^m|<%hgmtj=WS8?j@9Q?8fR#!dxFFFkh%06@-q!}+LTNQlV_h9w;+3gf>X`p(V=MD!ogevOR1^@KnXpUy#I|5S z5G=;iqL7mG&nz#M`5oWOEW&;m<;g(#Ykg_sZ|>!Zs68XPLGpoMBV`yh{^bSWC1XO> zGx)iCy9fxe!~jQhJ+#VYFU)16zqEUQw~E3V;dKKA$qp-BjP(H~dWFsT8SoHT)io#^ zQk4Plciks_sDG>lN1?A&5015$0;ZW@3~$`cJ#5BsH_bd}SN@ zAPE%!fC@bg=QjWyt#}{Zf)xpXZ!&z2t*&?HD@r zq{z(a3k#5(xZ|>c%B%z`Zw4=a)wBFu=ar8;fR0`ffFt=ZW&M2M|xKxZ&lpFrdvu|dB zbSDrO;u0oA(^+m1LYx3bZ~s@Qb<}4c(myPzevZHx3ZWXi{1U5=JQU`)`9g)t+i=ul zEFk$D5QIxjH&7-Rl(+*;F?IxfvVYrV1O^&sqGHYF{=90{0yqv#5Lz0jhG0SBcUJt2 z+uN~8So;TwlR~zk8Pq6V$vM_M1vv0e5=Q)Ip@0RF82W5MGgw4{v6;$C>jN$Vcrvq3 zurg|`lVI~7;0>(yfe5Ggg%Z1Z3?P7#N%6nj#wY2YL0F6sM0p$pWddUebQ4P(k>#cN z8xd8)c95Qd_dW}GsGP-YN+w)j$_%6>>GlPvgQBJL_q;j%{I)PphgeYX=x!`jaF@w$ ztXeqEl%5a=SXmG+1{vsyc<^9ootW7~XuHHuMSKp{x>h(axUsmQ?6sOt0k*#z`{r5< z*6vGDG`9tBe|#m;vUVuiqzAgMBHk#SnwimtDPZ@nVUy9HKmW`nf(cerpt@*zuP^3dm|>h_cNJ&R>0_N0q)yPy*^wedpK_@h3j++hN>! 
zc)J7qV!D}0!YdOk1byZDvMZeHCVVPyVIk7Q2t+$KS?CNtlw9m{5Bq{yc%^%VDO#WQ zoXD*^K2zN%*CT{+nEbw~$Yho^S;oA84H0GWp*gx|4otLr<~j08Tr}>q8ZUV|kgP zmUfI;%&2L)R03#htV)So>Y^2F_q#VmP)-@ctSZ6m20yhPkMSpjK&@h3i{Ah2CFd0P zU2r}O7M4kdpf#IQtBW4o2?i8F5%PX1%b#B|6cH8El1#tJ0u;nu`1l7{5%wQgcZnz+ zGJJNfDK=E{KyH9s)#i9!l~qtc3qP-Em!-7OqVjuq|L?#%R^hO#GdwV=$CAr^<4nwX z4gSPnMGiV58#b{onL7GX;w&P0;aVWS zcW%Jn&#l3e%IrvXK^sPSEdma&36={8JMmEUnF z+Z+qkSJu2S*w>CsprM=JjK&7)m{583eun;Y0O8pDuXY!JlDoK{|AMs zU=?#%Ai2=Y5T*FaL!^Id%RY8ERbQLSwTc139zA|YmTQ1m5aivbxUB@XH)+dg%`Wyd z%N(N@B+j&pWCx?H9$2Mv-3jhc#%K0P5oj8Zd+!8={%B+gv%<#n=HQEJeZeq3(+L~( zT~f$07a(A$IW@X~huJ;BPF>mzd1F2>rq>of(Xa zB1GIADzCVUJ+%@`2$_`oZ|P5XAFN&t6_D#^x{gT2xZ(PN&(R_%S5cTKdaq>rHwVuJ zyKt;n#`yEYM)yks$ufUD;9}vKe{C@%58UHTZBn@UC(qAyyA4-G-Sk5UDNRb^bZEuu z3zW>*wxB~8PmQw3vYN1>mBBSOP#t;i?#IKUzUK+;Dn{$+V}{;_O^ksL|>;}>l2KK8KO*A*EHd$ zQPw2g{}AUy5L5}N?m+1VnzQ9eEwDZZH{7hsXzne%{cC=G%E+ZZs*riw6=t^n09co2 z;eW@;0&oCp!CC-|K%}rCA~L{m(uQm?r%Ko0Rw#scwf@*BJz0~Zf~ouQo|Si)$cC^! z;zZgORLg~nthp&NRr(pS7tabv-w*2VT4joCtMr{d4Lx$DLceicuml6cxPZ#7CcCiN za*_mdOktCM^>5PtgwT5`afw3xf0xs7iIoaeop~X zf_fESa`zS#?THW0FWR-^JD8!UaUhd&=}99Y1T1D{tF02SeT0w_ZnvYPnh03;GItcd zj)6|J7b2o%Y5JoE!DUOHTLU^cE9O2%0XbjF147gPYChfD$ zYqsCvEc>P(awBYw9SVy0A0C+^^~Z@z`fN-9`8578BM>ySUYRt5#plYsh=kjf9JoR< z9NBv3T7lE?{^6c_nPSU-<8Bw>`>2rOq2#9T>vBN>7%Q+!heSahXoMI>A}X1@3! 
zhaJC&kL3=c6^_4lBa#AnG&$x5s{Gtaw%xh5+HYAZQkdv`-$i=$t5Ohn{RNtD#s}|CC2qNCFZqJ9d%W#pocV9xC;ZQmT$3aI!8HFYpqCol6GC%Go@;w}rLCV6 zT{IiYafBzF$;UMEO2Zn5BQp&^$cjk;cJ#xnm&K%(`vHVwm|V&>aOPlLfpAak3>X(V zlrnBFhZWh%HKl;;*fD_*m6EgeA-XIhYc5rPzC?HGn}mfrB@S4NUTbfo%{2gSttb<> zl#{e;A32$Q?Ba!e95XiI@0RAAo^`O|deia0D7w&MtzC9sY6~(E!aHwr&-+S%Um?NNq-S-(hS_J) zE|qU8u~BKJ!1xTO&u>-I8Z7)A(B?W1>!OhX4!?Xk<{%SF3l~ox_IA7#<4nDj|3cx( z(pOJrQ*L)o6Op)DSaw?$u1gCi?BKs~15Y6UiNDjM^5n&WWA%6C-Zt<&u4|u0Zw6KB5l%L^nSU^iNl|7l5-(GeRrZSNF1xPlhl=Yxk+s71gxgO)2-ir z7$7;tk7O6u9|OqeR+tpK`uQJ(Jh4Ar3!`I38EAQB;r}FtMPWbt(KajfL zHC23&IidUU@zp!S)HyaMcwydNyPX68hE)WRj5#^K@4O@Ix#`X+Ty*J!@)y+Y_=|Kl zg?>SWOcHRRO~GN+zWN|-y-*Y%TLg$a7SW}M+r!uSgp;e~n$aAVzNH4a$;`5SM` z?p#y>IPT6eZKx|q5}EU9{T$VNJWbBHx6t~*p)1>TtADhanbn$87vDU6=!OXIfy~h( z*BV54W)|$*je2}1bWMhLtGHA6cis4`8+lo;^unI+$0%#!i$-nxwNq$C-rA1dyp(Y4 zdYO;en4ES^RLz!C*UdeWUJtL1UKFX${bG^O63D1dg^1XiWK?@K=HwL!mtUxgoW2-7 zURqbk3LtWMEj4`f=P#gqGND|$Y^1O~WecoI#T{drKW)Zt<_JUMEj+y5t0tW?Ax3vR z@}>^;XFeP--x>W=)6y)ag=t<9Y#-yc5SJ8t={5Nu=BZ;g6p_#MmA^>0%xjZ8WY=sv zm2NIPI(gF7@Xx$y$0`MScNg;*L8tiDnWuUB51pmFRWTqw&>WnQ@PsS8f3d``X3~c5 z&Y!%xu`*{Th&P9^?iU5u@iaT_qN}A*D3r42%*(yjS*wT#Zyj$@`QHy@3%su!vq2~c z_l~R95`I;Ftsi)6Z|W;YpQv}lf_6YIMZ2{WFTrE&xG3;ow7kOs zeU<{CVUBGkKyHb3z3=V}-f6l+`#E>#bd_`}U+tNMDEM-RAAiY)dHmkX zO7~&_@8~dC4^D?Uj+MhbmX!ICndiUT@h3#-9e?)_7m)#>AzZ}cIb;$4`})d?i$V=D z+o(VK=U%4G?ZCck0+eYbjvS|S;Jc_IUi+T3`&`{eXP}pm+R{`4=ux17DoGEPvd$KG zj~lqdhc)n#wuw2}>F?((v_E%E6%-pU1@}fiq0L}*Y*hSU zN%MyH{CODheNh?3MYgG{qT53(`R*jyF8+0F8-?W*2k~)~%Rn$RH zZf1GSuZPK>@<)4>atr5WUFZo;pBx7puvaSGoxIg|b?GYzT0q%&Ql?q}obZ4hDO7D! 
zPE}}+mHW~0jJn?6ha#MX=nl?Jw10G_jD<8V05reYcYXl!TKfFdM5j z0VBhU-~IU(byD`!9tkCcG@hm8EOSZYev!(8kTbT!1hI&-mzpcu>Rmkk02W`rP*9XR zaXp)4F0<(!D2m4>hGJ~Cr|kOQ3zF=mRem3@Y4`0W(Wgh*=sw2miu-|JnM`PGr_IJOnRsGoNgrZ#j8>enh*uY*16 z693^{&jUB%JNWil{QRa{rdZ;}b#cW}h%T!GMuk5fxI}(zR-@)GV<)cS^0toWmndm-HIGwDC;u-7h8Vm zGE%6HfC`8PK1-F2mOEPb`opyo>h|51u*cvw>NbS2<+H1=Bh;SV!t9vSqTm7GObJ8u z$lPAyxb^-#%U@QnSoXluQWhSH=vTPM7;)pUe2&?5I5;|d$pNawXBA32%_;K!)5brU zeO4}yZ6#`h(sQrN_G@`gOML%jq>uw^yhu41@<2oXn^?LFHk+m@c95h8-oueY)x-C1 z`=9xN56cie1#naC1k-+fn*YN2MIGKR(h1JgCi{*;t~}oNF^qcjdTvYLtU1u@9T;Xs zPN2chAb+86{1M3gBrq8UUex%XKi@ifO@X%>{D28Bq`r6&Thuk?r0to~c-0FGWH
&_-CM6T=tIDHn7G)_|8;Eg zphEb5Nkp{61dUKJAwadnczwt8+*6t@mauDTGc5Y+wT{f2mZ(8{7i?gNsZVGf5AfQD z(?3&#pz$$$LqDe)X)J6ykEYf@KbR`c%f`T=Ve3B7yU0489NudUX75U40wK;o7$wR= z;&|SbF|?ixEsP;^l))Bs;Eh>lAuPq878`jPUg#sYJqXpx{~OCIYI&VwWjRf-8sjn_Rn02Y**YQ?D^d{*an99acSvcLFWOy_jVA;K-%6e*t~n|O4Wck z>yBvke?f9Q|8b;|0wIMHwz%L4Lu0$;4qaf&1*e<;0V#A#k3ML1dVR@_3-J;({xe;kzUMfm;z2`dR0;{mQdRCK8UshBl*awJnGTXzEcZg} zS0ykvY_6ZLY0aL8BLN%gB8SM^$K;!pIOx(`u(=%rSf`86tv}4|HAT6A;~u`lC*;NL zx!gT|6r(8*a86n@yH>xa8Y#TjXN9C1TQP?$pO8Vuqv_=T87pVYLxnS5-aegbl+3OG zV9dA>`i-shLeUqM?zKMg6V~F}cbjE;5eo=YfBr#@Gvn_sDQ5ymJK4epo)VYzJNN=h z{s@7Vi=dKRx}h+-H#GkR%C1{MC4AKqFf6k;fVWJ-!;>V{_{+_#3rhMr-g~wH8E~s2 z&Pd_Ut=mxLH6b^St>avt@z6S8{|kO;1z%;E_jHukx1{Qm%ms4#=1(H+-;7|?;e%m(qT zrxd(*kb|EnHw+@v2G{h+dx|V|_TMm1TMUi20wlnVu+}Z+>qU}T1HZu_*=1LDYyv?I zSCCZmBvem#;@=i}LaVIYmJ()O0<=Wo>eW?xrniyIm)1o4XII))!UxVlJpP2gfx9wdGFUh!Z#znK9(3SVUTwMAqDx5<09K$; z>BG#u>81{QMesU~we!9Rk)$vx9_d?1_(4teo0-jcoiadn7P#OKkZoHmkE%@fgHO`s zeZhvIz@$py&RgF~;<(HY^R8Pq0yIjRH~48_50LQx5J5raUQ-_?H|xO z)))S969S_wT?jp^-lY!}_Rg#tPRtMJw6H->x*uSEuvS0jWXc&%$>1a5Gn^+*NP_lz z#b>G`Vj1R3BEydmtBPWS2k*8D2a=&yjiCcCd*R! 
zE9>p$KMfTnLGuo>zz$@AV=aDf;$ie@yg0^@uVSTeiTx5#hTz0AdKNe!VjafaexxWF zhqQ|a;YrZn4r-DqWTZa%+!-_XB$IUjh*-@sLYR1lo6NaAjMv1#S(S!7(gj$oOMN&R zA@W)P93rRYp8z1o!lPOSrJBUzCL;y=?8zK33m5$LYIt3^|J@_Ax<-b-WDx$WxpODF z1nd0BFkGz-i(%j$Nujt%GS?;i9y2?3G%`R$LX$(|p%Cg|_Ci~6w0Q<_<6hkOos{l< z+{fHv&_EynvtsWjZ7NG#6O8uWw90H|8mzPgXWgKNe|{zTxj z-6aB!h>WU!r~CsaUuYa|I2`DYaMD*s7!t>mq>RQi42J#sWCX5S0!OK}R*=t#5pq9& z*`5~bOpS(2e?4>rhOFYTi|5*L<1}?jDAM3aKn5mSh}ki7Y;1~y9DYg5Dj4gbdUa>W zrbllAJD9;bkG}5@N%d>ZVr8Bl*aBuSM~^Cv0f^J6)=v|DUuLA^$5vseGtb7|JtTR-pkoRsm~%A7RH4LbG_> zy>S-&EklKlY4g}WTm1bRuwYqxW1+v9lvE&RW3N7pOeQ|&-Njgf0$`BUrof&&qX>LY zLbmWiD;UI0#`myv2;UTqdWHRIm9e?jOYUkv@h|m3H7oye$kF}T{#Pb|y@-X+?<0S{ z&T@woU%#4g^WNd#od#T@Y-e*3UV4nbbk0P=Z{F|Yi55P)|KX~O zl*qy5uU;wlq;krtXyCU`yP2gt)?%=AO3_N>w+?YzW$tEXv-tEJqACp>scm*2{F6FG zh{A1!WJ1VVr_2XaO-RYk<0|0`p@1SJH4Ip)S`{p7fo)Kq!K*{&vFd&K*G_9Lm|9v~ z=?@*s4Th1gQfrpvf>IO~-_dmd8uomuWgSm}NCY&3=QGii;Ae+6wD_4!&OQ&=+b0K6eRp3^AmQ;rP^g+ zQ^Z-^d0aZeZR2!+cb(I5ZnA6<&sUL2^FMe!SOxVsr8J*gwv6ERiMXWVGdd?jxE1!~ z2E^(jlDjlHnXE`YO1uF**T->#$@loX{Ko4;mJv}sk3Z(V1)1Kx=wafMFI4DK;yn(^ zC5$VVs4}4MA*GOPx6Pyn);`V87H(f0*jO!08<@*9z&Mp10Kl;=1&GLqCHWhRKUw(m zmc9?zf%=b~!wTksX}PIbH5ZR)ME@u2vp>Ia@-FihQliQddquCvV!i?&uZfrJfUywf zW=Y{Y1t^gDSxe}$435#FDQ>%90v&vMidU9-+R$S+JItFs9#}1->wLWP zp5Egho*4_51_erw*kFd`pU4|8+eRNy+F1S-8^*sjtEzZ}{yA(qj?)Q-l@u=xlomWU zmORRIp{*Mi{`1d&mi3&y%dZ|#NI`0DtvVSz7!5+W`U7PAf6xCLf&VuG|34f7QqEYI z=&R1+nbE%y-Geti=9(ssnO=2w7UpF&c0FnMvdyu%Z;uPpL(eVZdA;nHFB@r$WxEs$ zNgwC@Gm&%cq|v}jo2EzEfWz=qg{T>UG`A3L~=4 zi}!W2Lt9dJ-`rs(tY9(XEV$uxM60I#oOknj*hYa?A3y%nB=?;>cXZ49?md=1@?o72 z@y0=vE^_sgRbhJmrzk1)jrI>WiYtHlk4xl=&}S*0JxeGPIk(Q{ZtkkNW|F)FrGTT#@Ci#pk+odvQg6Q?b5;Na!T{hYN2V&6I`=;e@ zf<+T~tnmQV1z z-d81m^2aWoI~#O7tI`eu&8qYQUb~q)0`itqVfd=#ay2#h4ve3#N?Fi2M#=AxWYpx_&UC z$QOhxw&%Ls%B4D0#eBgLd+mq93~N#ewZ}!|ESwnv6}=Z4dcGyRmc+kB3f;x?CN%yo z-+^{E^XuXdciOu+$ISUMPJDW36-0{CG0BjBK~wXyMlbX(pNM{?KR?rq*lGNAlutvk zQ-&{_I2dEyo}TfNpr*B}qKm+76RIz(IiR+EwQ=HIcNp 
zg`+S~cP6uWZVHG(c#6(K=dGnL*F9MHuO*DLBfaUlamVn0`@XDL#=h&UP8=0FYe)Ux zmruy&8th4l$Z2d20zw2Hq7@~7mQMGp9_!_y-&s{&wx?qzrD`V38IN9PC1}Y8m=a#b zd6{W&blf(wP&a`x20Xp<(9OtvX%DF_hd&8Orpnp(2Qz9#v>QfrghTsht0z1=XLRCq zRqv#Je>jf6f|7WNr;-Q#zq0Jpo18LZbK0e9O7Ke~ka##%?$mrAOIG0VRwv!p*>TD(v3<+V$_c6a zDu>Rw4aWWZs}a0CK({|%M?a#&xszWqS9d4xn>~HOEowGSncrKWBnXeF7D)fqZvXuj z{iG3*iK>aF`jnh3z8gEW_6zsK=yqJWY_yw~tei3;%Tme2&|m(A^U~eL=M=}4OBML~ zd3aqC)*T*eQ9L?-Gsx8HT#NK_+}bbc+v`r&^0^hS)?JNqv!(5d(tZV1edm;qc#wS3 z&1~jMoX`5RsNA*04Nt?@nS(#TWtEilbuYY*x#7V_c zWAI$EWlJ?ZVe8y8@%HrRyqEz!=U)x?w%X{*mr@1OkQx@v&3d%vOdr6xebFUwI?AUS zK3&h?6!C1HB}ba`k6~n=Mg4ZE;o7Ot_3qm(MZ-t(^3wCe-+ONC*#Nd29+J-JULlRA zQtaH7he(b=Qc8s$FEr{}D)zq=vG}ML{^!?fK0(z&E_V(5z)|-?Y3ip#^TT`XYaKYn z)90F5pX*MtTHZ?>|2t|4zVbw_=PN~ep-c5gLpR=czOJj!9+B=i!TBdLst&d{VoxLN z()GV&*|4Ia+1j7%_YvHI?7NwJH`Dv|t?3eHoId;@yzenna#D|Il`^l(3b{w!Vm@am zXYg(D0%>rfNtzgPk1fz*N4@oc6YKKp_cgsv_-B#zu&dIkh9gJPjKaPu^+$F#Iu?vh zsf2jv`5f>3{OS~?$UaZ4JM;Mu#3k?LaSc}WWM<05AM_QtxwTib`$F1}Yw{t~-DYru zSun@)xm??qlO@o8P(x8>ETtuMAe^n5YoSgF1}za(829qE<4=rB{J{eZJ3K^Tx}e%UdEc&Oz8#CS z4X9q#olgs)qI+@JHoLXbMn93>fVn<}Fw`V7b6CrcU)wfIMEFRW&iuAolV#6~O|xFo z+!@*&(&abhbD6YHGC;ZjPc7_SkWkfDj<#*FbGoH(pZ#w1uX&y2#c!PgeZfhD!1MgM zZ)`8I@P>^{pO#S4_TkoYGy5FyIOw#?h;(xQ-}~fni=9IDhWW59ccQbK8LvaHj$`D= zy9e3y-HR&r+#g^)8>C4`P;>7Pv5r0{`hvsBUZ>%;EC3vR(V(8 zbwzpPyKf{gOae0x{-hQ=d=BF<`tQf2-lyAx)>_4UyQCFwNhHvfFcflEUHa>JV;F*V!6TvI68#s4x7s}0Uc6}-uw7E)!e75<>h3Wa6>3uYmmHsH zR5ZWr;(TS50-6+AJRvrwEm2m>xjRdo>(Z^W&6QyD3%;B9r5lPb+0UiQTj-5UtuqdF zb&EN>lRAAdwqFh{86EJ+D2xmwS>@+T8-GweBYrCPnU}fi z&8fG-?^*4w4s$hcnhE4%qwfc4M|AC$oYxrCXs@Z+2fb(Wh^oKyIPYh~T-;p+^?;0# zc=~`eEA^i>!JYMU+Fx^zEcXCohdtT+#8Y;^80)W{ybn^(=V-`smuVe-5)_ajJ?$~P zc*wc4#D(Fs!o`7JrmBmh4yJ>{DT8%t&W_0@45}6LwD>pP9e_Th3_dWdFn-&jQQ;|+ zF*LM5E4`#;U9ukfE>e(3Llfo1=vHu#tAeSXT7cwX2Uq?=!2>?!B3* zX0uz~$TYFa=G!bicU=AG@DZW;9*Vob2f>3K+<8Hr;b-#WM7=k)+1cLrBsPA0x%Bgg zYVp>%yW0#~8_#_anv*Bwe2!~$%IUb{5^t7JyRy}q{FA8y#8ZaP+ILL;ptWM@t4BCk>8ypWAr_yT=tgpOU 
z_eq#w^@!5{StWMhsrA^Ky=pWMKFuv=G!}R?<1dk#!6e_S(Wt2T9uAMbwCCy{<<_UR z+bl^t7e}{7*bDBy);d|6^z84-Z#}Zg=|fo08LOwYG6)zQ`4N12*MToF`pnRy3(4v} z+#A~WZ1C@*cd*NJbTsr-OH&wQ{oPcqgUi0R9~lq3_AiACZlqK_t7U;Yn4xF2TG!;p z(K&hYOWAw?L!8Ii7UEvTR-M{KD{;Cd+*_?HjnDRfou#n6Z)aKZYeMCO;@HDw#5Q{opiH{2F9VrW z2ftmcW|f%wU4=}? z_wG)JMK~AsunLN0zR&vp^kdCE&JfRoG^Z8bOpu`({>J#{Q!P1vbQi?6t(^>}EL_wo zk7R#Ok^J?b=ggPFoj&Sn_XpHy#@Da>h81ksV+m)qfa#}=+l5r0OYA*Q&u^*x(qB{D zX2nTobX_gQHL);oMB1s6jocjM*6lN8CjgdW^Y;{>_6bjDtkhq5^=swuZp%+vy(iRs zy+dqhddM)C^Z+#bkD6_kfYt2ce^$Da;0%nX-29z|`I~-&AnHCGO!QaI4-TK*jG)9auwqvqVYk~pkmnd4n+`kFcIsy4_r*4WxMKa5_67KH z!KMdV){!w&PVv6vJRy1j+|1{Yh}6f$Tg7L!zcT6TUp6W*nq9HGm&VY2y5n`Gjc>d1 z+Z%`84_0b2JbDgGMBpK92bb0iKxK>XX?`}YN16r2Wvz<#*_V^Y)^bkD>%=vR5mMc& zXX=hd_;&x{;Xa|I*k@|{)_+2bJUX1PCS2pfjP63kbB%hen<1UhW#J~uuRou?YSU>L zewOBw+-qRZ=9PB1J9BQ0>@;e5U{sCPpWRM0zh52^TfB9*Eax9PHhX22H&Gqg`E3h_ zxRfma=I6{TzJFT(Ch1-8iH3`?zl{8oT;Tq-IuCh8jvRj)5pOIV(ZLuJ_~h_jUaRqZ z0Gkax4@1hPIxCcAcR%aN927II7%HBzPBir-ziqh{FxviHy{Fw?T`WrPI#Y{<`LEhP z6XI&NzOrY(@#M2&2ZJ*!D$gbhV4phvN-eBRKncr-x3H?#Jip*Ui6IF1-inLbAv2 z!%YU&CMScambL7Q_WSd+zor_hSBW_@ti_I1_!Fdr+*T$IcPI-SwhjnWar!Kr0vt6w zwe}#u4~Wy}&L~Urt4lxWZCUXBweS*9W4MZad+*UvCG9FPccbjBHowL`Mx-TY-P@ZT zc=k%FrFq4fe?SIy_`G>^RQIDQ`*OcQpTq z+TbxhzuSJ$JSgm)o4MHTW;Hv0^~_HqWSPuCrtcLTAG9};e1sjIcJJmF8~_WEy|+WP zz44rKtQ;%9bYAC@Q$lgzM?#=pT#b5EgnVIfU>hVV+K$_5ZK_PngF96A4G;KHZ}JSl ze&1L6!I7!$5F#+9buvUlIri1r*9O|kZD%8>RbLNj{L$xpQGY>OYQ6HvocM0ewjWUj z&ypgD-La!#8n)+XRF78o&XRlg?m|s}{Uzzj>F9p{-WRH0pA{;V+S@n1^M}#D_{aw9 z!$R)<8ezNs8kr|fK_x;xac#ertFDEvW#25R>Y{YW25U~{f2B3W9yq|GU~2s0V-)AU zzsDYOna@Xl_5xbtb)7{);}Z*lqv-siW5V{D7R9ggDvQ|{hmy!W7(D~R{ER4Z9p0hz z@;M=|Awy;(<*PocbV$q(q}pgSVvU77!h5@+Iq(Ez#=O6(T{hR_`h`Q%!nv5AcU^5WVJJ&=JV!6?o1BpbLOmVCrMaUlGF`YLWOFLZ>0<84XDkPhZUb&DNmW{74 z!xT)vP+UL!DEID*kBwKIyxi@}==CHjGfMavZ%J;E8Z{B#qCC2DpX%7nMB0|=SF468 z5|_z7izo{W1wHi9z-pjdA|lSWFN*L`xjtWWpiIgC6u)yu1c%9XYmeJ6DmNnp6zAVa z&U`P}p;|IHb)MrCTk7_}vs;5#mAXp!{)N&E_~v1Es*UG~1a*dh%n<YQ>-8&+d8Rb20${z1E%kksep-DkTNvjs?G;2Ow^wwTt`` 
zETTUp^y~j)?=7RM{G$IsIwhpLyOESm=~n43NkO`ikZx4E1(A}HPDx4WPNgn#xe}LV z4t{_CHS>1Xnt3s^{`b}8@;vA4Q~T`w*~QoU3GLluG42WONP=_9I^5hxN$S63dY_>q zV=il8C#jFDFH)YhF#Pul@T-iN12^DmO!P^j^Q#X)Ty@P`&doCSE&I+m{Z~w|R&vMG zL<7D&b3D`s4ruHD05AyCK-q5uPX|lYZGKP@QF8sJoV~2?)Y`)>@i(meJmVYMH(k#0 zOQ6{~-F;AxJZ$xU^gn_J&|CH%#Nyd^)Cs-5u1${35AR@=OR}JUTk@9pQAI`LU@FQI zbtvpeHTNHbvjEn&y?F4BCN5)xi$~jRscaVmLWW9!Ku z!EwG@oH&un54X=v271jK<1}kvOM3W-JqvwHpPT!?d;uafe^7qz5hx;amppX7_BI3MG4hu_`ngS-vOtRapE*LH_~$h6@2|=K%hV10 z^Jn=fx3M+oK2)5I^jpCgz9)J3d4EB}^*Pm|{SO)g|6Tsy`|baQP4R#G02VL@bpCfA zhVnj~Z|_*8v?>%6jmE=`LsSZ36gqxU+#ykhM-o?UkVL*C^sFT~?}{jd3i`(T1D$Xv_< zhz#M&@@)=Mo;=&=Onmkz3891t+Z3Ijex3GdsNhXKZGV?ED#S`Rgn$sfz9mhY-JQ1B zw{2fri?DicI-gKz9cLjEgC;xoz30}eG8Yygvf8%2<}VQ_T`Qh5T1_U6PUtDuaX@{a z)g~l8wG#P9XB+cfQ^t;slx%ne$a*5)2-qLuRnP76 zx9qb(p&D)(BLf#t)n|4BUWvZDvKUs0FEo#=3yrt>xPN>nc3qoKDHUK&fpWfLoN0=< zZU1=wY+jTiLiGy9n67A~vm%wl#`VTHKtH~wQ~On5iYB7RLB+sKuRvT|v`<4giqqHZ zp7P+Tz53lq9OXa2IoMm%7lp2?S>LDs*F6)rZ^&3M72=$qBu4s8k;V4~4l?OD+0VZg zx1ch^ypMfFtNvJ^n&a zPC)r{Skb7)mCSIN_Auy4n(ZBSn%nF5M7FL|q>|I@~`XIdj>B2p6`D=XS?&G?vKkS-pTkuC-_&s2lWVYh%+$Xdtrt3nBuZ< zN~k>2o}}Z#RJwBSvi51&({DRQ(%`_@Tfw$+k1=FuaMUMjrnOeq&n;6Q&Q8up)t5L) z`L_#__s;k%m&3iJUpd3I*V5ie&2&f|ieaSPFnu0$5fTd~3ExsQ&$w3E3^T2e5PXw1 z20QbpOrkJfQTy)UX#IsBc5_ktcKxiQV$P%^Z5C(*3o#f;fuAkjFiRj2z5YrG8yq0% zs6KJ9syC@J=bSqh8kit`XPLUar^*nIx?&_B_hp&voyvGIe)Z?>#`t_*Pw1=H#cu9I zP*$Ta9`+-%S1P|(16{2RE{@s=4s!bEM$5Y_)L(D}&*ux0iBT;*O1rqN26gA$UW5E> zPy2fR#`(I}RH5GRJc<*-+6)}HSo~4u;l>z0ODw+5=8a?ysK7&yeBC)C8DgfSv#C7! zo_^b&^Y;2yC7u=vcV?aw$XDFd;)6Ke+Qpyj6>Qw*JK^*uYK@lH2vO-F^+m?Q>uD(t z(cnVa6Y-3>&Ld|NbJ7SK!Jz2M&b)@nhYByBhy^Iifw6eJ=M5B4ZzwVGDjDX%8u0kr zB@`?_C3Yl2{=T<|&%|N|FGuj}vH;v5lj=EIE6c2Bb@uzX8bDm7M7Q0@6x=n$8h+Ay?0_FZ7g1CUj$dM`Pi>AK%&?pjB{M0VfBRHiz49x zcXc|yykB=@OG58Yg?DBKW>!ygljF-vTH(Kelj-C`V(QMtNJ1F3 zw@y9!9UyYfCD_z+L7ot4^D3to&UTJYO&meZX?GLfdo7u-Fqq;KyCS}O+oiKJQ_NpV z5VJ8ff{xH5@SM8zFdhbFta47!u*wRVR<}EAd?kKXz~NkLcy_Q z>yby0{jOP1e7=fr*Xx;$&spnUR8;Sad>GNJf8_X^+@`$SnGx6*OYE!Pj%3XAu9ki? 
z+0FuTyKKA!3sXv34xi`ugT0YV2p)tg5oXnqOV{uF+;Ggud;-#=EXv6md!Sb7dP|wI zzUa0+$r_Zhw$^E-ZO;>BnA28$%xWUX-#^>}>eQ3+lNvYin>&}b9GHT+ho(i8JETuw z6I*mFf>5ro_pBsF@%fjBI9Ng?C5)?CI{Lnf@OHDrBC@pclHq+Er_H;|_1>xW~du`03OC?C*@R0s4s&h0YA~t{0 zp&T)4kAue;=cRx9TAg?R<@&<%FT9Evx<4v?QMSAVY@Ya0yzKS3-VZUVqU?C>j=F zTm`g<&;F;_$J@Qqf`a6kfeRRJrkaS|TK{ziOz$(BaHjOG=V$Aee(~iqqvbwKQt~}( zCRbki)IJ2jCHWgYC@TGSPpoLwHTaexL&c7vR{qDuFtkR_9zu(fZZ+xE2hyt%5fMBI zj&=V`sp5x5P2l-w6dD<35j^mmKOzchIqCH)+~TzndT-PT5I0?CawUOJJYOdU;|%_S zQ~y`W7|iR@Et8$30WF<8Lxp!MR_>|i!kie(HG1rf6wMzssDl4C7pUle7R$*CpWq$g)>#N2hG7JR`u zBPONc2FDz?L4;oj<2-3OGw{BBF?VjPc!S0tEJY^W?@yrU+8o;^p}iEM>=%J&4}ADdKu%?g!0@g3m&3Np^~*l~16o3@u#-7g^C9c6$g^9H zi?~z{0v%-1tymvkn-2-)vw1E*HH*3%AF}g2^?7y7$Mg&oS)?s={tU8}zxxMjd;@aim$&iS{jp}i8`uREOXr@kxm^7CC zi%-(R2VM}`J}QQG#$$tzN{J1ZD|AfE+NS8H1*{;-Jn$JHl>j|fVD^b6tsxg5$N0>? z%!qHsthl&##hF}L8SGIj1DUj!Kf$02ne>VOuiGx8i9?S3mndq~$S=z7G7MIO?wFWf zUx*stm6r;WuD2Xj7f{xadN@q|>^WG|C>xD3(D<5hz}IucG1YqEb8hHOG|&J+WCq!UF@5SaIgvfrT+?nN zDsO1+vOY>zmv7hgD|;so(5=b90tOo86N&5PlfIm+ADBZ)z+;|*6@)Dm*F&}wBb2^w zpz_5^wzWffu(IHg9^Ja<&IK4zNk8eJp zZ9a~pB9lgFv;PRE#z^8T=*HQud%T@T)i}`2s1&5#66|_1MA|`##5DO?wULa8|nhRlbnc+8ENDrFy!qg=*`R?j@9n923%&BZm&Xp>OqRg zw*!3%CyJZWjUZVtb3KAL4z{Ut&jlixQq!dWUj1$AF@~}B=TP@dWM_vKBWSjsMLOQF< z7}$Zd_pUA2gJwiMZNs;UVUSF9Dp@P|LcZ{zIvf;tgWX@U#QICFI^E6uVexYVicj9A zRj8mQ8hq|9c&V%2d5Lz#{GJ-hkqzaldb)?D3)CSk%A3V?%%(eAQM*>y=`!(sJ`~L| zdu~tzN*A0&v(rpP0Lgz5*S~wRU${xOyqdwbV_mN(V?-9g*Z#?awi$6l`5-uQ%{kE$0<%cVp=jHmdJa=v}3Q<0O;~VJbE#~AN2ng?bdVeREtF*B_e}T(t znh_IOtEBVQp^zC;0Vw^5S#A9s))DN?^lLJznuS^(Mox=6poyJ-rc*5bo86$!&rPK@ z0K&T}{(}np7p%kU{-!J?%=D)d)AAP^Zd>E;K54_9%WU2>!l$n5exOr-+fXU-iO&J# zf@pxxh7DnY(HtY!&%X8<7a5AB-}+L@3I4Ofq$iQi6XyzL{c!G3%(WIJy2bI%GKc z24tPVAFO4o&6iKHve^?~#DtCE)$YCUSaza5WQ*NesiML=s&eqA!0WA+etzQ&k%E3n z!i?Vi74-w#9g5ylLA3sRW3_YVs}tOi)Ndxwex}Og)S7F=ga>Q=JO9i2ogD;~xyym6 zRo;*vg84@{JF{A;l1)>dG>_?88l{+oAQXpm+Ecv()<0Ec?xg;a{p${p&Gf&>ep4LW z11TdgGQ}nN9$fj=K+h|M#pt`Vnj3qYH%;VN@gZuM0SGypvP$^SL8Rz@R1w?K#B*on 
z8$=Kpxzy`l-!+oNyv8a0oB~0WyuDSm(&1LyLAF8MZc{c4(o8(@x$2aXSNAo-=fJy_ zfXN?J1ye{tI!?NAUGmA&Ol;rEvXHTpoqq=&U+1|dPAenSUWMKSv6G~}Lm0lrNCK(n zBG`fTK_&E;YLMlQMmg^o3>PMEYpU{vYpM@vqz&a`o!TJ(K5w;?Iv18iOysXDtXx)@ z)NA_CQ=;AKS!ge(cQBd9=@ORLi*Etdf-C;dbsxL3g&9b*tgHr^uLeT=R7elWy{h8& z615eY-KXi)&5ZRYSauMI6Gu*Zd^x-{9LINGw&D;WF^P!9KGo!JR6@M;zO4rcj3Yj8 zBDio?2K-h6+8WMAQb`S4WAtbzdh& zYP**4k&eEW!@=b;kgZL$etcuOfAan4s(8Em`$dc6u^3j;Y_yvbH`HYH`sM-M2w81& zFBgZkg$1H;cP8YQeXu&NH|Q!h*@ca-Occfi`WzkMgkPRy#|{{rd4&GhnfWeMZY3hf zy%XfR-)ZO7se#CVqSq6 z{_=S=B%HAy{d*L{-c?;4-SF~7M=@9aSRp5c_4gtlZYSi%2}HB!lZXX7Lgiz-a~Tmz zeg+1IAYPh2rh6OKpYTV1v!879ap?Xj;m0q~wp#piQ7oZPTBQ|i zQ+-EkQxh7Jqb?jkGw_#4h@cHmq?}J%<*FWM# zF9@j?8+4L6gJ|k&)QsG}`Z0X>7ZgMj@>H96F^Vv_^m%jaiK?Aidplvhoh3?Mf1qO$=&yAKTvAv`2*<=hn{5Y) znC66$$LRbioIjHQLjOy+u?9QX-j6ozUIeq+_D#5)#&Fyam=`Vci{Lfg$CjT{uOSeW zc{f&KqAfE;$h}=ymAvWC%CO{S9tS_KF1;k?F*R1!qZ9lGe-pmIWh_DDZQ>KhLfJPG!E&1IGFI~8V@sVVy={ct` zlKjbIYEEB1V7*T=HrqSEAxTjS3gP@Vgh}jA2xZkE=@h{^s$r%fe>fv*E}!lzC*@4; zgI`DeTBnEUCRMJ~Y_P>roS70hih_J2MRXS?lkUMkVHJJXkwWEfdouh32ak)7mCXi& z=erDixP>>eHz=lnP!-0d519uC(s@&Zs_AFoX25g-rHVuTm}Q~(XH}C1@t8<*Y*Xa$ z)xSQb$63>|J&Ky26}yVt7ONTOW3D0FqVnwx6FZ6yrbJfumN80{RP0ni4wDHbeQ;rM zQ;&V0#DHfwL^Ph2wz%3`IZIhHLJS4o%bGyM@e^9NwAb52T>rk%z1|Lr4y6|wCmRB6 zfny<;4k%C6U9kdEyO92pwm!wLMRFzl`(ny&>`jHDC&aZIFSe{?+yN!ZUC51>)T<&f zEpHseJK$K4tkav>cO5wG_t$47eY_@yHRmr)7oG;!%TCtzdA%#zMR>Sm^e5Hb*q2+Q z?LP>WQ}$)}H``w5_%fAwOe8}3p^)!#Z3{-?SV&CCCJp7+1`8uwFM#em;6;+sLVx^NB_<4=Fm{i{Xmb9=00RN&bJaXH%Ia9FUF{u&7y{d{UH%7p5E5&r6m zDrcYM*AI2MvO|p}*Ba%fXin|~N^@+Zu9jab+Dk5V_dP;WcV>bndjy=+9yj>;f4?^d zu)7E zZ7VsXYKfG^s3`Giw~EctjwwEpqR;RVcMl2DUbt;c=fPqo-fCZ8mo22PBuFazEW7SE zDR4ltrJOw#W~4ZdSj40K!wcJb^=AR{>Q09;1)T-R1NC2C06-DrVD9QTPSnJx&+?*!q7RFq3X!T^lOC68U-kq7bk|PKF z(F1Au&6J$c*GGG?>##%B!!PX~V0o0`Z$$URbbs^?Xgn;?EO($JpH5d-uN)KT{*xzd zEn7X~&yG*&uoDGR0td=Xr=)7>h!HbxfNUm*8J4*HBz_S@f4(uTbwYXPotky zvys!El%0<*rS$OE?#{96KIv*H>wz}!KBGrbri)o{(N>#Ji3FzeL%|H}UlsL5wnXHrGWtq;Ki772Og!P!%Z=ZFKgMN)Ngu^aoX 
z$wUo$s=hV~{J}&|3ni77#F8qK@l{%Rm?AxCVZqX!gQ!H!Ui9Qi$3xL*{oN->JR)aQ z1<6kv?MbS%cPUgX=~D^jo+^QeY{COGq_*LWH;s2ewFd1F5`B*A8%fZUmurz!f^VKJ zZ-i}jU;0UyQoAxAdT_J*h3ng9EDkpj;}Wu; zwe~X?R`HTN1!NaY4y+Sv#lJib;xhCC>~z`~y{g@D66;|r%0P2q`3k_(2Z&Q)4Emn> zg#ZZZ=i`YRA#9Tn{}U?+B{bhMt22#V#1^b+uTcLI!BED4vyyLp#`1i~wL=iGWA9yR z(6%NiF0bW$Fbs>`jn)RTrPrKxF`g+ygsgVauIKf4CAmXw%bN1ZtL}iF?+$&pOxGrL z*hzwm^nlYpo6@)dA}nN2_%FZflSY==hb;ou0MsMmh-sdOIY(A2v}M)ba- zHKW;Z5>!v&6#$_&8__-@zdKpSh`pg%RWwtIN_jcKLJZ*AcQO7*!*PNhwBJ+w-d?{) z4ZZAlO|4v)C&iUkcB9rN*qoDi!rL(3F_d+AtI#YIHM(6kTz~GPAjA1qmUW_%hFSc_ zlaq}3l(!`9`j9MrL~7@HNs(v3D@0#B+G6OKcDMLm1E5h9Q_vP0Gn+h*Cf&LI>NE_V zWceLbo3_AB?+D{GWwQeD90*w=2AZ8D66hr6mnj2Q)=^+$2cq&tT$(7&>+)=@JUGYu93`Hc*+=BGu21}S3`%d{_Jdzn zVjp`GwWS@z)`PoVG%;qvF7fGUX}rgQwW1eA^3#pEhNE0RpzUkExs&vCPTRm@2$3w68g9MihMuRhL$2@t{fV`#GCp|^GZ9r?EWO~+)6c7ng-V0 zN!fdBHUBxSd#7zLnP>sb$acAUtj%a-%UY%w%Vjw)=dQH{1{c8eih$H68Eaax>xx4Q zn^p%eW64PyCb(%x>3_?GT03t%6B7r99k}4xwcJ3!B`0d^iq+kjUT>Ud{Mf@#;sPuN z{FZt~t+}>yjFe1_+Yq-B?nV5>(ZW-+$;lQ^Q%oVI)&^mL8sk6bEjAxYhHh(l?vWhv*x$ip!s zYAnFk_xGx^6lnHA@Y%6M()(cNbIHOzxhJLjA%0s4ouD~OPR{U2u(=+0on3oUKo_sV z77r6rwa7_4hr*Ty+4=;90e#<>w4H(5tU)B%c~%rZFrC`KSKL0%qNh*UsNh2(;Mb3Vu?W{;Lz()4!N zI&@s0I0LY@&;ziPMXJnhBKBn@HGPD9D+YlPo+?W4I1Bbra=x5gX5F6|%GUY+c*r|GayyROK=xTt-4siYg2xX4&8AU=gMT zAZ`bb;9r2G*opYe4WbaC=oDxzE47{(kSwX#UZ!uzRe#CLy zK|O7bPs9G4RMWJ2ZuM%A%2c}g;ves94W>4968#6MX+9h>-04+^Q)Y9 zn%}l%g8lvg5djZdg!(DTLW|lH?r9ItL!@RT@fXu9G^kHdKevP&wx;JguhF;TBu3{@N3Y20K>!2t2K9sH{F`vgNlc#cgocQ0 z<>QdEO@*G1_pAA;8^kFsbXR*0%Ge&v@rfvQ|Ftzn&TPfcaM7&dMCQhq;4=PJuzdHX zaePL_aTi6oKx35&@^;P>fxVe@zVH)M`_ZErO=T>SIP*ZX7el9cPnQ@f#&raHp_l7K zh}fh`7o}K;8iCK9N@0Op%C;1iw~ZFHE%eJi24`&`7N}u&?Dyh6GVePC2e!%Qbl%;z zOXZTPh!R-R-qO0_s1#qjjpAM=Vz{lBq6Sag?~uQU`jAvRESQH{_v&rIbLzUPLj6@l zolumepR|T2D?Yf%QLfrAhEGj7Cc9TJCCj`LYswW+Oa!<;BsC6w@gU;9SZlf&Zeg$x zN=&<@TUUpDRA1S*p;C+a2Cs#{-5bfSOGEqIPODPenH(I_H)6@x)?c86S*Y5 zu7Jj@D>!DgB>>d4Md%4a+fkGc-v55IYYKIpV#u3o=p6ZYzOZOoZqrj>iY^s#`$}aR 
z$|9FI>sXHe85vU@qMz^cz8y~;~&9?Bx2J%t$Z&!>d-xo^fgH$!2QqTl zE9M99nNgbZHz=Ngcm6!Q^Le$%zMnUBis7J(xZd^8I}6h3g#10UJ~ zED%M+*Qt(JXnORc%3Bv@{%ZyGXO$0%FW=%d1JQByK)gkROx^Mjeh*Czj2j?C5CPEJ zIYtWbJNv4_dD42zJFLZ;gASi|1Zlod=DU6Cs08@EhxkVXv_X(x#(FnUr)07tlo57p zk&wYKe^WUC-{^oA32~vW@{e>Yz~HxWry7I-ibIdGj^JuPIJ6H(0;IuA)4!FMv#=n^$68s_Hz0>MEBCSWqvzrOr?=n1JOeK3f5%RYLD zIkHgOjTsO47aE61us}>tpb7+XICvnJ8h!d=eD~4hH(&Vq9S-PHhT{J8MfZ^>eQFr# z+ctcam`ze|`*nNFw8axpmvlG-58;>nHb^;K42Dll$bguti;r*w>19>6z8RmUfW~=U z`=sWNcMu=R?i#QeeSifdZ%`m8gRD-^=oEUnGj9Y?Q4upVOZziSrL2ROAC^KC#*Iik z{5QA`5>O$7h4ATuaoFo17P~tEMcIN$j%h{i147I&vik0%y=kK$Tu+<`u{rW}paGHc z0wBX83OuDC$3*n(x>uE3-)U9J!pP9554qdL*S<3Qk|teiklKRvLq%hP27(E=^`EgQ z0A>9XnT5|r_nXFV(dIQqUB;{GuM&1isvgso8-KucSYzEdYR{Hglt4yg14+!)WuhZ$ zhMxFcNC7XoM6UkOd*Qt03YPhVAddM9_pC)(n4Aor1y_a>-sl1m~B} zZeK(R8Zq#pqN)j(osXk;H{Sg&e(T^xp9=QwZ7%aW{#JYyxIj8Z*zlpKyhvE}ak&gI zw-)3C@_Kz~Q4ADjZB^i7KqN4lrFObpYckJOAAEmwwV2B-VaAJFb@`; zTp_wdoadL$+x!qxhQ%%kaezY`Ep#Ab6L`f0XnZh5jdjmohIZzU)a#)hx7r+V2|SZ! zR@~sf*#Z@Ec2P_qCCI~`dBBjA1xIkp74&eV#6)aPWOTNW(!%B`?KG&KdrfGfq!Fy~ zw_a4YSjxeh2t(CmI5Fw!c|e55kYJ)DFt$##so1vS(8cvz@s4OULZ0?KFlB@oew1#F zCu8NPQHaeTA|9xA8Z;zS41Np>b$W&@cqDBHX`f6Rsd4m2W;AmGVv#gTJt78u2QOSA zq))0P>Jgqz{&{xR@{)NP{&X&fZn`xV9)RGQ>Hy#o)NYWe(&CvM(<7Tp>V+gEwzHu+ zi^}VvS)x}5sr%RMWaSX8Qq#_W*c^o7i=?DRj?B)9+BL=}9r?Z@h#M?y`CFOrDprP!_Wn1||Q5YEsW>wJEX>o9eqmyDzBmEL}E!oNx5;- zBGZBL-Nd2UHdz2HK|BV*EXvQKOB^z%c9%#$Ou&R}YqyInhLMcpFy)N95-#l5BVov2 z1JGkJZPga2T@Ei@zgas6tGnSK{7QHEw?g&+6Qie3wX?nIq*atne`AY<_-Vg7Eo0b! 
zk?7SViyMa8y671$IJ!H28XAj2-E(9r%08a%orGd5cM18%<+8K*@ zu+WC1)GnLMeulUk&-fl6>jO7}pyOMX)@&Q`52`7I7VtbamUQ;bK#QLi-9pAuVhE|q zqW`8w08C8=zDn8?ZvXvg?ds>74<`XJ^-nw7Cc~u(N=RMfMZVRj?FxTmKJYnkEXvTX zcFsl|SCTTT$@cJsu#j5cQTuG%(u6{6vj0sDs2rfI8C~);Gx5reN#?E9$5*At0PH%) zCGL((=XUmajGA6+E0OghjI{fxrHOUzCkvfJ>LP#=< zVgi`izyqQN{78~z=p&Su@Yg*`@rMgf{oLy`&OPZ`a#;aR$GpAugDEo2*UUDMwRYp* zibpCh1=;-c?Vin{2<2tU{Wl%Kl-W% z_vU*|L(xmW-YzHOiHNTV-kPMTZ)^^w-cUJ_7ZbXn7VwepJ`4&_;}D^omFzN~e(Hy4 z)l_)I=;doQO1$aS8y6`3;%({uHOoz#>-UGb>2OmwaE)n8Qtyyuu;xF~#=s8cv@sEZ zOwFj*I z#|6*7J$()9R59Zv@TN5!#TV6}bR+IXvS4dHw=+gIGeAcJ5)Kx#f^LU%oEf^e`tSFi zO`H9IRn7G;6D)knFrM3;r?TeR=2?#fUNt&5dl_GIwqA9_Bj%@J^ON~?@$c&` z2|O2{m65+12gJyySB+eCj0)9^iRPOrkUpfvL6o6UQt86(u?&3&q>{}D<%4w3`I$WG z)yqD99P$a4vDR0{1d3TURz1=Xm|Q&-Iq^hA{H`!>k+O9UwnbA;T)sLAOZ_{79jq)n z-1=-i ze~3YXpc$*AsysYpRkuWij^wKT=qUHh@A2k)Lo5Yj?GnTVNyH9`Cp5N;*`LIhWadI4 zy*k1O&c6A+4;*5W4w2yV5S>EmS>%aRgfbcdG;68JLZWL=6~?sx+t!ubw5XcxxcUsw zQuC)DJLG6hF?I6g+~hU`NxSC+(gHVPM<&3i=VQKCnJV=f?xKJ@c=d6>u7}xo{q}l( z-*dpu#0-5jB&T}aq<$taKt!L$o)|AyA;Sm!`g}*IHlAue z*{SoP(FJ68kR~o=4+1y-uwR+G)`n}?PrC9KG7!79ckJh6J!R1f9^d~}ln(*|gciV% zNf|Dan{)qYJlyCW5@P`|(|g_;fV8v{@ewlsNmaWU9@MHR#v<*t^;wI1RP0T8!3WH@ zoAFt+yM2vq3~dhNxK;%Ums9dK-c(NoMbWmxi!qj;)V=b^xivj458zlaZel!J$*~Y~ z4;eG*8=g@)VQU?-4I=TP6fiRbQudBO$^u4O2gX&E2Ki*3!Ni0_+0k4{Fu<~d(m?)M zGN9FKmm73X$CTh^67JC+?&X>6yqsnI$&m$X_aYiBd6Lwm`0o6e(u}$FL&buSP>Qd} z5Dm>!Qku89lXHP`kt^mv;B;bP^spFwL#7t3V9nYL-Z_WrRGLG}9JxPDuf5Lig75t_98Ol&y)KI%|d}Z?1j@%&E zLOHTW7>w96WQ>H3+cJ@XNvaM>41QXNUibEKKU&HmeO=RB3Bm!mt>1(8pPhT~tur?# ze(85DCyfbtCf-sujozfbphQqrRUf5Pm)JrO`&aAmlzOnBIrH{zri0X}<58QfCSOt5 zQO$lUYu{NqpVngnS{3@i1MZ@Lq$5U|bGl3+_E0pyxR4{1zqqB}T#KJlC$M7WE=rq= ze=4=@l}eQ}GUlyA6H4_Nqwwccs53?-77>@WeQJitVXeuRcQ|-(RyU5Rno;4~MJp@2 znG%_p*IkqYxbvK{=P7a>u%bT0NJ;08rCKBIQK=lP5;JnnuWz+6uW_y%}|F%w-q#LLXnAG-D z99$B0lR+pfKgTeomSp{;!>^s#Ee8)h!gP1Ifakbnm=pU;(9`%d5KEYJwC%N=bj6<- zAfIO<0hbXO>j>o^#Qll8s5c1tos8H6a6MgClvO1=`;^PPt(Lz<$s^phqwk5h0$6T* 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/images/output.png b/docs/images/output.png similarity index 100% rename from images/output.png rename to docs/images/output.png diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..815db57 --- /dev/null +++ b/docs/index.md 
@@ -0,0 +1,35 @@ +[download]: https://img.shields.io/github/downloads/aquasecurity/kube-bench/total?logo=github +[release-img]: https://img.shields.io/github/release/aquasecurity/kube-bench.svg?logo=github +[release]: https://github.com/aquasecurity/kube-bench/releases +[docker-pull]: https://img.shields.io/docker/pulls/aquasec/kube-bench?logo=docker&label=docker%20pulls%20%2F%20kube-bench +[cov-img]: https://codecov.io/github/aquasecurity/kube-bench/branch/main/graph/badge.svg +[cov]: https://codecov.io/github/aquasecurity/kube-bench +[report-card-img]: https://goreportcard.com/badge/github.com/aquasecurity/kube-bench +[report-card]: https://goreportcard.com/report/github.com/aquasecurity/kube-bench + +![Kube-bench Logo](images/kube-bench.jpg) +[![GitHub Release][release-img]][release] +![Downloads][download] +![Docker Pulls][docker-pull] +[![Go Report Card][report-card-img]][report-card] +[![Build Status](https://github.com/aquasecurity/kube-bench/workflows/Build/badge.svg?branch=main)](https://github.com/aquasecurity/kube-bench/actions) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/aquasecurity/kube-bench/blob/main/LICENSE) +[![Docker image](https://images.microbadger.com/badges/image/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench "Get your own image badge on microbadger.com") +[![Source commit](https://images.microbadger.com/badges/commit/aquasec/kube-bench.svg)](https://microbadger.com/images/aquasec/kube-bench) +[![Coverage Status][cov-img]][cov] + + +# Kube-bench + +kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). + +Tests are configured with YAML files, making this tool easy to update as test specifications evolve. + + +1. 
kube-bench implements the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) as closely as possible. Please raise issues here if kube-bench is not correctly implementing the test as described in the Benchmark. To report issues in the Benchmark itself (for example, tests that you believe are inappropriate), please join the [CIS community](https://cisecurity.org). + +1. There is not a one-to-one mapping between releases of Kubernetes and releases of the CIS benchmark. See [CIS Kubernetes Benchmark support](#cis-kubernetes-benchmark-support) to see which releases of Kubernetes are covered by different releases of the benchmark. + +1. It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments. + +For help and more information go to our [github discussions q&a](https://github.com/aquasecurity/kube-bench/discussions/categories/q-a) diff --git a/docs/installation.md b/docs/installation.md new file mode 100644 index 0000000..789b760 --- /dev/null +++ b/docs/installation.md 
@@ -0,0 +1,79 @@ +## Installation + +You can choose to +* Run kube-bench from inside a container (sharing PID namespace with the host). See [Running inside a container](./running.md#running-inside-a-container) for additional details. +* Run a container that installs kube-bench on the host, and then run kube-bench directly on the host. See [Installing from a container](#installing-from-a-container) for additional details. +* install the latest binaries from the [Releases page](https://github.com/aquasecurity/kube-bench/releases), though please note that you also need to download the config and test files from the `cfg` directory. See [Download and Install binaries](#download-and-install-binaries) for details. +* Compile it from source. See [Installing from sources](#installing-from-sources) for details. + + +### Download and Install binaries + +It is possible to manually install and run kube-bench release binaries. In order to do that, you must have access to your Kubernetes cluster nodes. Note that if you're using one of the managed Kubernetes services (e.g. EKS, AKS, GKE, ACK, OCP), you will not have access to the master nodes of your cluster and you can’t perform any tests on the master nodes. + +First, log into one of the nodes using SSH. + +Install kube-bench binary for your platform using the commands below. Note that there may be newer releases available. See [releases page](https://github.com/aquasecurity/kube-bench/releases). 
+ +Ubuntu/Debian: + +``` +curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.deb -o kube-bench_0.6.2_linux_amd64.deb + +sudo apt install ./kube-bench_0.6.2_linux_amd64.deb -f +``` + +RHEL: + +``` +curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.rpm -o kube-bench_0.6.2_linux_amd64.rpm + +sudo yum install kube-bench_0.6.2_linux_amd64.rpm -y +``` + +Alternatively, you can manually download and extract the kube-bench binary: + +``` +curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.6.2/kube-bench_0.6.2_linux_amd64.tar.gz -o kube-bench_0.6.2_linux_amd64.tar.gz + +tar -xvf kube-bench_0.6.2_linux_amd64.tar.gz +``` + +You can then run kube-bench directly: +``` +kube-bench +``` + +If you manually downloaded the kube-bench binary (using curl command above), you have to specify the location of configuration directory and file. For example: +``` +./kube-bench --config-dir `pwd`/cfg --config `pwd`/cfg/config.yaml +``` + +See previous section on [Running kube-bench](./running.md#running-kube-bench) for further details on using the kube-bench binary. + +### Installing from sources + +If Go is installed on the target machines, you can simply clone this repository and run as follows (assuming your [`GOPATH` is set](https://github.com/golang/go/wiki/GOPATH)): + +```shell +go get github.com/aquasecurity/kube-bench +cd $GOPATH/src/github.com/aquasecurity/kube-bench +go build -o kube-bench . + +# See all supported options +./kube-bench --help + +# Run all checks +./kube-bench +``` + + +### Installing from a container + +This command copies the kube-bench binary and configuration files to your host from the Docker container: +**binaries compiled for linux-x86-64 only (so they won't run on macOS or Windows)** +``` +docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install +``` + +You can then run `./kube-bench`. 
diff --git a/docs/platforms.md b/docs/platforms.md new file mode 100644 index 0000000..b8b20b4 --- /dev/null +++ b/docs/platforms.md @@ -0,0 +1,16 @@ + +## CIS Kubernetes Benchmark support + +kube-bench supports running tests for Kubernetes. +Most of our supported benchmarks are defined in the [CIS Kubernetes Benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). +Some defined by other hardenening guides. + +| Source | Kubernetes Benchmark | kube-bench config | Kubernetes versions | +|---|---|---|---| +| CIS | [1.5.1](https://workbench.cisecurity.org/benchmarks/4892) | cis-1.5 | 1.15- | +| CIS | [1.6.0](https://workbench.cisecurity.org/benchmarks/4834) | cis-1.6 | 1.16- | +| CIS | [GKE 1.0.0](https://workbench.cisecurity.org/benchmarks/4536) | gke-1.0 | GKE | +| CIS | [EKS 1.0.0](https://workbench.cisecurity.org/benchmarks/5190) | eks-1.0 | EKS | +| CIS | [ACK 1.0.0](https://workbench.cisecurity.org/benchmarks/6467) | ack-1.0 | ACK | +| RHEL | RedHat OpenShift hardening guide | rh-0.7 | OCP 3.10-3.11 | +| CIS | [OCP4 1.1.0](https://workbench.cisecurity.org/benchmarks/6778) | rh-1.0 | OCP 4.1- | diff --git a/docs/running.md b/docs/running.md new file mode 100644 index 0000000..265209e --- /dev/null +++ b/docs/running.md 
@@ -0,0 +1,145 @@ + +## Running kube-bench + +If you run kube-bench directly from the command line you may need to be root / sudo to have access to all the config files. + +By default kube-bench attempts to auto-detect the running version of Kubernetes, and map this to the corresponding CIS Benchmark version. For example, Kubernetes version 1.15 is mapped to CIS Benchmark version `cis-1.15` which is the benchmark version valid for Kubernetes 1.15. + +kube-bench also attempts to identify the components running on the node, and uses this to determine which tests to run (for example, only running the master node tests if the node is running an API server). + +**Please note** +It is impossible to inspect the master nodes of managed clusters, e.g. GKE, EKS, AKS and ACK, using kube-bench as one does not have access to such nodes, although it is still possible to use kube-bench to check worker node configuration in these environments. + +### Running inside a container + +You can avoid installing kube-bench on the host by running it inside a container using the host PID namespace and mounting the `/etc` and `/var` directories where the configuration and other files are located on the host so that kube-bench can check their existence and permissions. + +``` +docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t aquasec/kube-bench:latest --version 1.18 +``` + +> Note: the tests require either the kubelet or kubectl binary in the path in order to auto-detect the Kubernetes version. You can pass `-v $(which kubectl):/usr/local/mount-from-host/bin/kubectl` to resolve this. You will also need to pass in kubeconfig credentials. 
For example: + +``` +docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config -t aquasec/kube-bench:latest +``` + +You can use your own configs by mounting them over the default ones in `/opt/kube-bench/cfg/` + +``` +docker run --pid=host -v /etc:/etc:ro -v /var:/var:ro -t -v path/to/my-config.yaml:/opt/kube-bench/cfg/config.yaml -v $(which kubectl):/usr/local/mount-from-host/bin/kubectl -v ~/.kube:/.kube -e KUBECONFIG=/.kube/config aquasec/kube-bench:latest +``` + +### Running in a Kubernetes cluster + +You can run kube-bench inside a pod, but it will need access to the host's PID namespace in order to check the running processes, as well as access to some directories on the host where config files and other files are stored. + +The supplied `job.yaml` file can be applied to run the tests as a job. For example: + +```bash +$ kubectl apply -f job.yaml +job.batch/kube-bench created + +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +kube-bench-j76s9 0/1 ContainerCreating 0 3s + +# Wait for a few seconds for the job to complete +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +kube-bench-j76s9 0/1 Completed 0 11s + +# The results are held in the pod's logs +kubectl logs kube-bench-j76s9 +[INFO] 1 Master Node Security Configuration +[INFO] 1.1 API Server +... +``` + +To run tests on the master node, the pod needs to be scheduled on that node. This involves setting a nodeSelector and tolerations in the pod spec. + +The default labels applied to master nodes has changed since Kubernetes 1.11, so if you are using an older version you may need to modify the nodeSelector and tolerations to run the job on the master node. +### Running in an AKS cluster + +1. Create an AKS cluster(e.g. 1.13.7) with RBAC enabled, otherwise there would be 4 failures + +1. 
Use the [kubectl-enter plugin](https://github.com/kvaps/kubectl-enter) to shell into a node +` +kubectl-enter {node-name} +` +or ssh to one agent node +could open nsg 22 port and assign a public ip for one agent node (only for testing purpose) + +1. Run CIS benchmark to view results: +``` +docker run --rm -v `pwd`:/host aquasec/kube-bench:latest install +./kube-bench +``` +kube-bench cannot be run on AKS master nodes + +### Running in an EKS cluster + +There is a `job-eks.yaml` file for running the kube-bench node checks on an EKS cluster. The significant difference on EKS is that it's not possible to schedule jobs onto the master node, so master checks can't be performed + +1. To create an EKS Cluster refer to [Getting Started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html) in the *Amazon EKS User Guide* + - Information on configuring `eksctl`, `kubectl` and the AWS CLI is within +2. Create an [Amazon Elastic Container Registry (ECR)](https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html) repository to host the kube-bench container image +``` +aws ecr create-repository --repository-name k8s/kube-bench --image-tag-mutability MUTABLE +``` +3. Download, build and push the kube-bench container image to your ECR repo +``` +git clone https://github.com/aquasecurity/kube-bench.git +cd kube-bench +aws ecr get-login-password --region | docker login --username AWS --password-stdin .dkr.ecr..amazonaws.com +docker build -t k8s/kube-bench . +docker tag k8s/kube-bench:latest .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +docker push .dkr.ecr..amazonaws.com/k8s/kube-bench:latest +``` +4. Copy the URI of your pushed image, the URI format is like this: `.dkr.ecr..amazonaws.com/k8s/kube-bench:latest` +5. Replace the `image` value in `job-eks.yaml` with the URI from Step 4 +6. Run the kube-bench job on a Pod in your Cluster: `kubectl apply -f job-eks.yaml` +7. 
Find the Pod that was created, it *should* be in the `default` namespace: `kubectl get pods --all-namespaces` +8. Retrieve the value of this Pod and output the report, note the Pod name will vary: `kubectl logs kube-bench-` + - You can save the report for later reference: `kubectl logs kube-bench- > kube-bench-report.txt` + + +### Running on OpenShift + +| OpenShift Hardening Guide | kube-bench config | +|---|---| +| ocp-3.10 +| rh-0.7 | +| ocp-4.1 +| rh-1.0 | + +kube-bench includes a set of test files for Red Hat's OpenShift hardening guide for OCP 3.10 and 4.1. To run this you will need to specify `--benchmark rh-07`, or `--version ocp-3.10` or,`--version ocp-4.5` or `--benchmark rh-1.0` + +`kube-bench` supports auto-detection, when you run the `kube-bench` command it will autodetect if running in openshift environment. + +### Running in a GKE cluster + +| CIS Benchmark | Targets | +|---|---| +| gke-1.0| master, controlplane, node, etcd, policies, managedservices | + +kube-bench includes benchmarks for GKE. To run this you will need to specify `--benchmark gke-1.0` when you run the `kube-bench` command. + +To run the benchmark as a job in your GKE cluster apply the included `job-gke.yaml`. + +``` +kubectl apply -f job-gke.yaml +``` + +### Running in a ACK cluster + +| CIS Benchmark | Targets | +|---|---| +| ack-1.0| master, controlplane, node, etcd, policies, managedservices | + +kube-bench includes benchmarks for Alibaba Cloud Container Service For Kubernetes (ACK). +To run this you will need to specify `--benchmark ack-1.0` when you run the `kube-bench` command. + +To run the benchmark as a job in your ACK cluster apply the included `job-ack.yaml`. + +``` +kubectl apply -f job-ack.yaml +``` 
diff --git a/images/kube-bench.png b/images/kube-bench.png deleted file mode 100644 index c13539686fe9f9ea23fc717f574e05a433341275..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17501
diff --git a/images/kube-bench.svg b/images/kube-bench.svg deleted file mode 100644 index ba64a9e..0000000 --- a/images/kube-bench.svg +++ /dev/null @@ -1,121 +0,0 @@ - -image/svg+xml \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 0000000..3921d6f --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,41 @@ +--- +site_name: Kube-bench +site_url: https://aquasecurity.github.io/kube-bench/ +site_description: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark +docs_dir: docs/ +repo_name: GitHub +repo_url: https://github.com/aquasecurity/kube-bench/ +edit_uri: "" + +nav: + - Overview: index.md + - Getting Started: + - Installation: Installation.md + - Platforms: Platforms.md + - How to run: Running.md + - ASFF: asff.md + - Flags: Flags_and_commands.md + - Configuration Options: + - Understanding the yamls: Controls.md + - Architecture: Architecture.md + - Contributing: Contributing.md + +markdown_extensions: + - pymdownx.highlight + - pymdownx.superfences + - admonition + +extra: + generator: false + version: + method: mike + provider: mike + +theme: + name: material + language: 'en' + logo: images/kube-bench-logo-only.png + +plugins: + - search + - macros
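Review bot: In docs/index.md, the second list item links to `#cis-kubernetes-benchmark-support`, but this patch places that heading in docs/platforms.md, so the anchor no longer resolves on the index page. Point the link at `./platforms.md#cis-kubernetes-benchmark-support`, the same way installation.md links to `./running.md#running-inside-a-container`. The three-item list also follows the "Tests are configured with YAML files" paragraph with no heading or lead-in sentence, so it is not clear that the items are caveats.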
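Review bot: In docs/installation.md, the "Download and Install binaries" steps fetch the v0.6.2 .deb, .rpm and .tar.gz with `curl -L` and install them with sudo without any integrity check; add a step that verifies the download against a published checksum or signature before `apt install` or `yum install`, if the release provides one. The "Installing from a container" command uses `aquasec/kube-bench:latest` while the binary steps pin v0.6.2, so consider pinning the image tag as well. "See previous section on Running kube-bench" is also stale wording now that running.md is a separate page.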
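Review bot: In docs/platforms.md, "Some defined by other hardenening guides." has a typo and no verb; suggest "Some are defined by other hardening guides." The "Kubernetes versions" column uses values such as `1.15-` and `1.16-` without saying whether the range is open-ended or stops at the next row, so a one-line note under the table would remove the ambiguity.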
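Review bot: In docs/running.md, the auto-detection paragraph says Kubernetes 1.15 maps to `cis-1.15`, but the table added in docs/platforms.md lists the config for 1.15 as `cis-1.5`; the example should use the name from the table. The OpenShift section has the same kind of mismatch: the text says `--benchmark rh-07` and `--version ocp-4.5` while its table lists `rh-0.7` and `ocp-4.1`, and each table row is split over two lines (`| ocp-3.10` then `| rh-0.7 |`), which will not render as a table. In the AKS steps, `kubectl-enter {node-name}` is wrapped in single backticks on separate lines and should be a fenced block like the other commands.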
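Review bot: In mkdocs.yml, the nav entries `Installation.md`, `Platforms.md` and `Running.md` do not match the lowercase files this patch adds (`docs/installation.md`, `docs/platforms.md`, `docs/running.md`), so they will not resolve on a case-sensitive filesystem; use the lowercase names and check the remaining nav entries against the final file names under docs/ as well. The `macros` plugin and the `pymdownx` extensions are not part of core MkDocs, so make sure the docs workflow installs them.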