From b5394a8ba11f2fb0278131959c0032437c6284bf Mon Sep 17 00:00:00 2001
From: Joel Verhagen
Date: Mon, 29 Jul 2024 19:15:43 -0400
Subject: [PATCH 01/15] Add spec for Trusted Publishers (OIDC auth for NuGet)

---
 .../scope-form.png                            | Bin 0 -> 48032 bytes
 .../trust-policy-form.png                     | Bin 0 -> 77997 bytes
 .../trusted-publishers-flow.png               | Bin 0 -> 45827 bytes
 .../trusted-publishers-oidc-for-nuget-push.md | 523 ++++++++++++++++++
 ...ublishers-oidc-for-nuget-push.technical.md | 169 ++++++
 5 files changed, 692 insertions(+)
 create mode 100644 accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/scope-form.png
 create mode 100644 accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/trust-policy-form.png
 create mode 100644 accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/trusted-publishers-flow.png
 create mode 100644 accepted/2024/trusted-publishers-oidc-for-nuget-push.md
 create mode 100644 accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md
diff --git a/accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/scope-form.png b/accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/scope-form.png new file mode 100644 index 0000000000000000000000000000000000000000..674db5709c9b64c6655e952932802ce4e170701b GIT binary patch literal 48032 zcmc$`2UHZ_vo4AvphT4n0*aDhkenGnf|8Y-K^St*ISPm*k(?ZqEEyyY83oCiAqUB6 zkTiq=<~H~{|F_mV=l$2Y_r3e>tmU$q?%ut-_O7b0s=k^CRb@E>Tq;})3=D!-FQwmL zVB8_cz_=ZM7aRCSN@?*Y@ZT+$H*!)Kr2~&Pfj{n8NGeHUU{u87U6^12f8TR_spEoy zLD+Hq?^c&Xff)t{jPI4Sq`If!&Lxp6jaKF&>dNe`)MGoThWI?wp!i=>@P|W~M`mgE zi}Ln3OgzJJ@V>80$C$KH#ZD9=E~dkVWFFWE@8>p8I62LTBH%x?CW7TsX7F7H<717Z zD&ky&Xj6ED)?#xsd*$Ei+CP4B|Kj!&XZEJ^-D#M$R;Do8^%?5rx&H(!D&rhx1CMh> zmihZ=bzEFrdlekq zP$dq=yE({WycQDhkx-&qTVE&N-Dc3!)-Er*`L5Nv+N5K|`MxzS$Wm1@zc-mP-O8zA zP4Mp+b?sDCR4X!^-f^kCt*Uk(O>rWQzRzZoWQTxRAh8D#K@ z+|aY_*@HTX7rDC^-$L;GjhAvc{Wd?TG2UDzaXGx$UKVh<{p~ish79&aYx^6O0lQ?4*pN!1|FH2f8S+--VSAh-|Cjgocnb#IP%Q~ zp@Ht5o1wK~`Y0pQTi?{NU;IqPOT+yl(ukb4*?n|#vOLKOU&8bj6)|(Jt)t{qV*8P} zr^ki&Z_XL-j#316-oBWWNczA-?us+r6)gGaW=7g{yx3V4fo~5tk3*A&Fb7w z+7dEtSaT18{t9U#-`VLF_dgutu`=@SNVAGOfXLKhq-Nz+*GX4QYqCR^i2Thzakn8&b`E13_*5BwFU0!4rCd#_Dc~Qe2)cryXt84giU`q_uR6NaWiccS{ou0D0 z{XHY$Xpc2pq?Br&@k|NF60CdEWevTrW->K*P_P4Y9w|kONS?(*XrH&?Xz1uL<)S}| zXeM!;&BK&?daq*9&sxv{uH9wx$1UB&?)R>j#CTVi22gp56p?k1>JY0R>ig6z2(uIw zsN5yu_NCu?2&45uI>8W2$gnq4uE@A2)NOm03Lg{CTA?=M2q|V>h0~7h_h@Cv_?-^Z zR`X(%g1+Tx^a$97O zi~TefhIhQjA7a^@h4~5<-p=g&SMSsgN}GFAEE8ulK@=5g&hDajpZ55sBwW$xpk7)x zHnI3}@jciP>&C*9PRn^UI76cV7Yoomkkm#1rP86F-K6v(FV-EKYURM=RaD0{3@HbdISB` zc}1K+)K%WTmOxN(odHa9(NdyRv&E`WSYCYda8FH>HK`|lypV}GWC2QItb{%Vxzb@EaTBuxo~pl`zk%3p9$BG5qi;Fev@pL*Wa%Da zlObY0`>xHCro)}%rDXyFXGic(huB&n?k=j4i^QFP%uMDxT?}1hp>S+|Z1y%uuP5_c zRA3)Tf))>1ry1j(n52|UDq-6}(sQ{stVg_Q17|_)povd3KYcY@BPl5gZUBf!|Q7U$2ZzT@hYuG8K>%;vTY~JB?14n^Jy|| zgUm@I3fVb_6U?&pslo>Q*L1fwNI9BNrUo$(kq3bO8grWmbM!Y)m3ZwMd2@il7W3b6 zty@=C4+cdKqePF#)DC7{2B(C8yR`=0;081|k*kt|( z@z9s1rrG)dm&fja6KEYj+^HJuS&jvR%Dl&m?moxBmt@ird%FyKn1YRBlRH^2%G;6uY%q1H 
zD35jpvCECwJx%dYUrCuVS3IwY_M8Dsy78rFKnb_=ch7nY#DKzJxq;=obx_ytL8_#c z@OJ^B&JM@emA#tYSdShvZ(w`a%&zsPuU0`XZRuMVamYG5J9p9mnf0FE1x2kv%=Dm- zW=i_es>_H=!;gTG?n?4kQFilCFvnS;ac$+NJ-c;Xo_IkS){WR;or(PhnGY2OSLh>xf&OB6dXR1+TuHQ_LT zTBiA!G40QghMP0|EW}kvF$|1tY2j800Gb8%lteDJ&zedq)aSC;2U6?ha#%}4<0Dw& z;>4Wbfop5DlyN$#{dFM=&1IaHnNa>{bUlw(Tu75-yn#k7^n+C`UTq7_CAXDDc$ZCL z4I_#_MChc@fAf9MC_7C!Bg9!4Uj^7eDRjoyn^|IYLdNmSJ~Hc=26FpUze69Bpk%~j z!i~mp^wsA4TTR93N;T)NIz(wgk3YdiLpi?9sxa`DJAUUtARTKsnX5T7As-nlNAQW$8Ic&yX*iau0I~;Xpf2?;`AZLq(mh8cXum~Za5@l3dLQa-eB^P zk(NRO93>8h#nr1(ES#BcUs4}Btp&RefBZp#&n^7;QVm%>;zEaDp|}Is8?|ILbY3_WRQxRH9ArKpG zMk)(1aFb6H#lC`ic8Me^#MEc4``4(L6C3a~P?SHo*0FNif6%&OWMpJzdHLgOcpXX3 zX*m4y>ZAqj=XJSl_$^6w3!}BNXw?S@m5L(7 zKYNYlDOEZx%TAS>gz)n6PBK*RrPV(Noh@lPu)jO*a6Nhd+3*IPwD#!5w_*87b?mg6 zD$q$gk){H`$jxJjNs_mFu`kfi`>&Z~bLe-!Hjmn`d{u5?6q9e)>HW1lb#MMdm_NO#jTM&hVx75mV97O zs2YGdr2Mw^7CvzXob?`L(_Q`=0Pd>uHoV-@>NW6~V+c4653pPZgjJ()@cn%Q(LY$a zC|vIK4GIh-mHVFxkpA=J|4pRT-2ec&%#BZLYvw#|nJHB+e)BxbSQ(t+guOXVhR zd#yq+uqt>xDb%=z8kQQLnXcE?xT)xHG1x9^kFsJo2&?0|b|m{`q^Ev@Q`+9_B}5oq)KIu>Sn( z^j3?A!~B&*pX!45HAP zW5?ZkQN=#%%#n?r@9$N0yZ})OJ0#2CZmZ=3xS!&BM&*oSZjL543PpYl++LOrvdiP- z{2zS6cJ(ak@++N)6iw^P**aFf#HfdeiYj+~5qzv#v^6k_t?GWHQ1~##t+GMK($5V0 z_SpNQ)1U`0))_GI8Oz@|UcA~|Si&Lvwo7&MTG}OB!gWKQ7Rrt0wN{N}utPEb$Mz&1 zw6zAfF&<$&dFK#^Zl)K2HTEm5m}T{|=-BNdoX*A}aQ09{3s%}ZM>IRusH6q!?1mp- zW=%egwB3&9s#2Ck25IzrS@TOhlGul-M!hmp5Y(bZ4+{_PhjfpJ(=IpD-y(OoY%_2- zbnKMVzs#ij)C4MjSVHYFM=?c=O~0o6C}OMdcrk?|+Xzs1z@6#7UceN#-%N^^%oelv z43|Y(F3-SFw7j0Nb)Bw5i*%FrMh=5A(H8*vMrwo&2W=4gY`2+?G%@(@3Y=Te;Zeb_ zoW7g*P2!Q?fzV9OSuUs-jvS6X{xw|C4f3Gy{viy#S?Yv!{HvK!S4onyfUTs3$Vu`NpD%tsQigA@=@c3dm;nzED zGM#l6zzKP?LrhLWR14iM`a+8P!pF|D&jb%U%&bpSiS{Q+HdzqJArPj!A+Nv8<6)(n z?Nz=t?&c_o!^mFOyBq6s-?E{J%kuqRLWYg1PY9>*GR_Au_Q;@!Q6QA-i!u?4mn)w zckk{Q#kTI26W_}E0DAhwa?+jDPc&OxNmJHXB=P^igaKmd2&qo0P=ghxW zOu3f1b2QvOPj3v8di^l{ZW!T)-@<(|jTliI_sLE+kzqL4T1IVy+7s&dzI)}{gJ z*F8?>xBCQSZhFE9sB^x2X#+)!yR8K;7(D40wI8whL$_<1v3hpG-zir zaAx*6&wfOevtj+k+S+725 
z&X5X3z`f+ge<#496W8lx!-Czcr64T(aZ({(#Z;?l}MDdc#GUhY?`$FdC7B| zrLg1=zNWG(WA6-{Si*d4H6>%CQYbSk13a?5G%D=;xXl|h`+l{$iwru=fnvflL1xxc z1EGJDquLspZjMVe3lFTCWL8S~m! zq@Ul&H%`FEX1}ZrXU6+l$f19e6%5p{*1#dhZUG$x_$#fDw>%;RC%{6CmeJP&kbDwBzBf4p5B;i5U&E3Yw zddF>{76HWO&qWXFe*Jz+p?;dqw9`&H48pX}xKnMT8ne2y{r0=w&n0;gjhkD_8?JXf zj?%$zvJf&F_8$^eibewQ^sE zzD3abZ?qU#`Crk|D~M&f}8&avHiES{C{eo_^`9HGZ~cd=2+uhGxPI4 z-^_=&x~ey$FZX&?{11qE_7cl{a~rRY%aV6zYI_~fNQZQy7QW{>nj%*7wfH0Uk=?vsiNubo=myD9T?DAnDFrH>sAGcqUT?WY|9ISpBbzj z&ao}KPn>guntCq|34mFQ0p$nMAuh7-Y|@3T!P(mz4GsMxKDB}^Zn!;P4GYfpl=azdZfDst zUtE*hhN=IlQ!IUyT6mWD2<*1g=a&nQ*y>q_>uI-y&Z&>MkwRmq@)mtH&b@!YOGj)H zs||lskQy?feH)bTK=ZjT?4RzhGw5_4xUB?Cw6h#OYO*2m_rGYUR@-V|7_<=mmi^;O z4c@Fxo?>Zam`OUo=ETut^W3bKXZ25++}reG`v;+Lq1W^Br7pwE*DIh!))tDZ-|VYX zTE9kxDit-*sx6%V_eL+-_8l2j+-I80wzLWL7W_%<46DFh%6kji4FRL&*4FWwnOuBN z@>oRDh>#>{eu}YzKtz0A3M4O&(Qk2M7fh(rTw?pv(0)&Seq-xto>lf`PTFjjs9{@R z=ZJZ_*$WGQ%{5TJ=rmDr70-(TGR(zwArZ6sb?^VrIuy>^!+}lx68DWo4)m`<*5fbk6wbPwpUG1PMb)?QGAccW9 zF?qDmW&1j#(yQM)`Tj_56}M);OzxEqil|qQ;y#OeW|0srAe{0_Kmiu73s8-J+VPME zUN>7M>jCM!n`<;&d8&+{)cP9b$GeL?#oP>oZM!>(?zleSyNa|r(xXpoavq z@3!%$+2h~qF*T6Y_!?qPFuRrDCrddnY2l1k6^7ZJZIi%5M4-6RbFRP7-R4~7;lqJ; z>^^YLl#z8opWiRFRoa{sjU|D4L;SG6h1pKlJ+)A1dhwyqjD@&X1vj++Hb~)DW;))^ zRI64loO>~59crP!x4+KzWchHVN5spr)px@5XQ@l^&i=K+kjgrKxn1VF$_B9qok5yO zfUTwTa5SZ`F=(iHkiYV1pyr+`NnW9x&V5i-RxzU$_hmbEZsE_q^619XnDbw>>0z05 zYO_Fa!I*HL7ini&#z2n!h*$8rhzX+7eck}EGrNBbsq9-rxF+2G+;B)ecL}1&NEID( zppFrm+B^KVwNw5V!D z>Ytw7>k%=dMqve&y@gl4XRhiTk494-noT4UG;3s!+*lg6Xuy8fI4poH1~TH9K6|zg zuqfY{`ZSqn$S$0AUaUVqt#LooY;V9?K}|OBtL)1kvkOkA?E zal#);o3!K_2HvHvPtDteu(f$dI6eEl{keEXejq=1(EL`dQMyt^iHi5GR}w5~sxgYV z%$M)wYCd-l|?7cS~<0X2*+zabhL;>QNfeQjK| zM3b=P>8#yPPd1Y-OJ~;zy@lDn>M5T?aJRh5vuIt5-?4V`Gdq`j4J#ROyI9sNxOA+v zuiW~U!d%rc)KEU>8Z6ALBe!-j+ST2o4rFa{b~4=w)E`mA!lDWmz4OaVmd;2fT+Rl~ zpS0L098~G7RnzA2vc&|ePN4;eXMENunf^uO3#23dmSe`=HAyY z_~h;ZWJc$o(4i)~%p4tu6wh_nIaIXn7E?__zVu-PXbYJycJh7Xx(12GSpQM0ks0Rr 
ziyDgs|NnrB|1Kch9tB@Wt)MT`er?{1OJ(Zt>KBOIu_Znea3J;?XKVkrsPC74L3=(r z{MR;mfy(iL(3O20)So`%sCr-&(m)8jFp!H&DzFhG;+mEY3CQLjZbeT;3l{nXEGny?Uzt@!pa0x6H2A z0fGFy>$IO%!SHF2Bh-LtZ6||m*_y_K?|tc6kdugopU&R;wM{M70BmZODf^CHEG8b6 z>M7cnCuYp|Jbg(t_g^3{W)%;pUICx-5x{>-;5b}pIp7VRkMfrKt#yYa4Xh2jpIho=diHMKW0#OUR1H!!_Y z2g;bRcCGl)b?E`3SIL{K!)&04#^)uz%3;nX0(S(CW2R+j;Tm6jYk|z_F*0!;8sOWa zCpQebpWWo1dHSewpm*J)=zVXdc$vD8%L_@Rf;#cp^VdRi!idvhe(_qP5+*c-zYgAZ z!Q+0gu$%~lmQ5VK(I9@0n#A=T5m-w_zU`uPgnB!zV18?BHV;l zI($eG9eX0?-jX--(@%!VFi&#!=~HA0PbE{flkn_Qpir_)E!HV9S)e#G&*nFC1o#>Q zQ?#Nuvy5X5j!*8`<+fRUh}fg*)dALZfJ%^pZ39$}-&L8@@$~BmW!A1{0JWcU^p3RW z#q5Cb?%VG^9|EEtY&sE499D7Lta$~Wzo&vt56ulb#Jqk}Zs_R`6kU)2@V+OH(r)`4 zavqC`L#6$4tow8OcJB5mT=oq0o=^Vdl3$B4VA`K?p!?mKs9Vp~oaAmovCW`kz=hD5 z9WqBjc=UTwO`Ts$ z;6ZH+Hha5U`vK{ub(I+TM5ajXusJS~Us3?Zzz%I=zLgYNUR$xktg+pmcSTF6Feg|J59v@M77hIU~N+;l_z>tvwQV>!gMQb^3>)cWNNuqK3(K^;}M5T?OfghjvBW@>)aU; z)d@;o|L2BsK>kXjv1+Br3syFUo|Hc|PU~CJ+m>rGnr9>WS{Z-NLxYkR?|OtoIQ8H$ z1hN!*4Um@I`E1I&<}la1kZN{lJ!=dO@T$fTz;d?^@W-{BE1#aX?0~q}q@K@ki~@W9 zLtXu5$#=18DU;k(|Ts<(AaF0Y&q&8$?Y8V)G5ex- zFzL}{0$r5&dp<6LDx1RBu?f!}p`9mr!;1sS>|t^u#QNMSXvT41!qWmY>yv=>VBxrw zk75xiCIpef3yp@eN>5P@&mB2_ppGwP>oju|_0XE-KM$8vG@YGGy>q)$`#o&f~r$;G(|%D@|cZU*-P^dsJpp7)W8-KY`i@N+QO z$n1X5(EmNxQsu|EEPS+yeo~1(r1uHoUu*F;z3`N$F_nZ#S#|nX#xKZ%zwlfImW5pnaxIb8V_s3-QQ7zw(sQ&6Yc(D@{7Ett^=zfdczN zSuKYaQRwhHq%4)|RrD>WHpdaTuuAd+?Uzn0+lb*P7}7QLi__2QxysO{YIOlS)fL^(X}FA7Z8I06_UL`%lGX z4Ql$DU2ste8BawyVbx}Japhz^QZ9Ra6A2SYE2{z*({WylBP71ijyGiO()0#Z-* zxjKLGO_p<1{YP&9EFFM-n7jQWBa@hwza^ob*uXq}4RbklPYX8g=f6Bs1hGS0r>7X>7wdL-D^d+NVDgfe$>U(5g>+&Jp$9AGwS8U?^ ztb}8iI}2{T_8(a$4C9EqAolUIC!5?>t4-XrO@w)~A4#?aUk}-}E(|EPH3v^kV`VQ7 znbi$AsyuIz-fHN@c)8mV0dv6*wfd8~diZ8V)cjC}+1tMvfP^(7GuHESb&|`7~xxI5pp90ju7xc5# z1j+ZZcyC-w(vPuc+hG}+j80{9zcENQlx?AD(Ju#M{410oafSYr1qEEByaN}zNv*th zPNF6~lvO{g2TCf@ZV@FV@UUElH&!by*E7`{IQr8>bhpfNRdfq4>MMejq$Cb&8T8qg>mM7YK;yxVi1k-(yK;{Po3qa@!6mHKiCk_|nUDce( zFYxxUFyrXP^qk^UZYc}Nxalz*|x7XIjZ 
zk-kYeelZ6ihURE*m+i8u8M30!XH=$|_7NV8xDP)?)(o{oNhvZ(1sdzLH{UwX0PHVurY+~Tp z+RMe#YZ7VsorbbdV!2}piA)o&NhNVrH{sYaHWJaZ$!t-p+P zr6qz#_K0XuJa^fy+vXDT1Nkl`{54zEK-Tg>cjrh(pK^Fvn!SoZe|kfutAIh?^S|_qyx?lL4JEwZhJqe%n-G!f*&aJ%d;JmtgM0@fuK(LuKmDux7 z-^GKmtLNmhu%af&s1wRR8PI-OjqG%rtZtG1L*G0KEq)5#1*g2Bq%XDqZTEXIP|fa= zZ$1@oTLF_|T}5I3j;M2`TCcyqW_#6eaZtG;mJYV;0hOjN!PiR$5Rd zJEf(f4e!aU-bw?2G!HOIaN9x?3My6>43LOGnC!Uodu$0&YJp$KJRZUi&IDlefZL-x zI-0|o9s;41WRUALmbssY7TA(vK}!kaXC(pr)ZX8bLANH&9!KuT9>xYOk}KMG_o=wB zp|s^msKZ-e_3P@`WhB~-rfPR#ib;_OguS4H=;kP{sgNg>NaP;ZLh@I>f6hB_KJSxO z)sx)B4VLO=$IpC7iEEW;7{a0Sa6)sI<7t)6OQBx3{_E^&G3y=jH&h;bwS~vR?vkG2 zf(^1ASWsvgg)P&Vm(j{Y4OZgMgN~T#*Cc}__?JnbM z)f(;Ndek|w2c-R(=wV2Y3 zAT=jT$oBZ6Hif}ATsb9NymCP=IR|UL{B~GJll{cnk*z5k+HCL5F>3n6%mNA!F}uiz zZsGsrgeHj?49?(un!+#Srcx+qDX@7rov5HMM`QGLkz)LyR8sdXJH8zF1k$<5T=?TU zm4Z=B^Y2R7<8E7HEJ9ufId@iTUF1hwrL?q?XZ=p*+zGcb#R)ph@b!aQmHQj7^9KcH zfAa_0GXD>?p~c%1&F6$5%i5&kTT~(t$9nFY8g>@pO}zrkxZd*qyVmOvH_+|fa zf7=9%e?HK^o-M}za;L=q>9Ud=xqgbsFhhTTzxkFhm&JOi)-{W0`)hr@LfF8})Xlr8 zn*elqS)c4c3FoauCz$+Y1;NRz>Yr~JPMiIrU=f;vg{m9cLDoPBUQJN5#gAqq4qok{ zCjg7ht|ZJSrx}ywdYr)H;?fX27bc`P!I3g$MrvHDB~^U0o%?XwZ|J)5p8?7^TJ9ST z5QbX;aN&9$(=J=wL`c(!y-_%T-oPKzm;gte1j4$axU-~gtB)P9gB>vU=Tz+Bs;=U( zLby(ILSKmcrr4yl5e~pdB#+#&CuzzyHwg+BW~nHR+X{PFl0GGt`^yVp-hcv{WaDow(Eg@IV~Bex(DbVmDQ$?wfY$@qZ%dp5AQ zg81`Z))llwGOkkoGp@itUh@5ht|vrM5d6$%PDmCN3u}zp8E%zv1j)^b$FGam^$y&S zl=S(I#j=)@?1fT?na4$rBEFwx1$qCN%Os-uv6P7f62@b{pcMi2^`_uOQAQ}vm znbs7WTv+cuw55B${Yzk*@5pTj2Yr!afPFB>U-#f(o9WxaurIyf0~)3R=p|)P;66@M z)&QnG`r5OOH})}dYXWQnMnaNmIz#!Po0*qqY>Cum@wR^STG!*Dv<)OVtulp@U+bEOHNVobjljx5Zq3Ynx_NAQrjI1^w>?ulH`g`}^@Yt3&l~%p zO0)&8TQtL_{Nzyq4?9xhdZU9&rL7%Tfuox{?sMMxtI({<025EkB_pD9j)|wi#WG2* zvo-ccnb@q4?~rE{AD!pb2re$hhAgTSCiojI?+WWmF>~<;fvw1Ip#>SZpJyKA;I6-+c)bXZ-&!~QW*~f&8tY218;(nIrVtRqI z^El$l>F7cHmD;ml=VNmMDj}c<*XwD~R31e8r%TJR(Pc#V)!4G7!&+8~xjq)B$m2(f zuQTH#j;=8GJ@3(iF?f8RmG&;C=%|!fwupT5+HB!GR*x-EK7R1!icir!{>CKf8@NI1 zKT=>yGPNkQ)`)NNc~n#9qJmCA-hzv!qKN?{*$V~A$V-7`O6ld>&tl^#7M?I`iB3zv 
zR=)1w*0!ut(mfug@L28hl{Vv6{aDb|cU-cIIZsR>o6~hiwefH`>%*Lic@rbILQf*s zBHiFjZR$g}Eh5*=*zO?~R5IkT()BD_-vFkfO{GGGCsyzXCY-`W+4$XGWxH)Y%S%5j zZP5Li_5Z@Lt2efwfSJ*&pS`}h-8 z!A+xrYVv>W^_p+dygun9;Gk`}(aPn1vCc?vNoShZ|8(;0NPr zyX)yyc4;zGFx}8`${C;kLz-az!1cEwt@Xpx|3<4|{5b(AgYHx5nz_|LN&`R}O4OXL zJL31~9`Zuf&_*HUUF=_emqfF2`{>4wvNvTTci*Heur;-PmRiOMZh@2PpRl1^z(DI5)u79((g~-syhP!3 z;d8`o3})4qwor~aXJ>O+b64ScmdX;9&K*=djCxnTNP0^F{(<}0{Y^vd5OpsT(bf8Zg@xw9B5O3 z{T>0I1je>tVw5)w{Zl3wGb6(NB~c z?g_Mb`=~;}5i*RPLq=3$T|nB@|G0eC{p@9XD0Ey?Vh%+#n2kw(SAMH=Ae?yFw35@4 zptH`jGbq&%^Y9adtswScmrg0LUV&_uKnqaC*wMw|AgB1rtjjeGUOyu}U9XX~xgo&G zWNZN98j%50L zcOlX6gpN$bm9dwX-x97w*CNsBba6PkJLgml8tDx_LA6jdEA6rAFNnC8U)`&+*ACx5 zd$$@p$kY!yIkAh$^lbqH&AWaH1$2AoF_-m5c@o`zVe9vyFg8=)W`?pu=Q-pNeszMV@anHc9t)@=pgFHjqNUT=Werm#mJy* z65hsaqVXYg9q2O_Gx+|AX%C`_(Govd;OdO3cWjfIA0Hej*Bsd2t#8CbW^fwC`@Q?);T*zcS>JbO zn$l9!K3cv~m95Iz+3z**QAu^qjfPTPW9ohX+7oQ8nqOWHgIEyfRWK8ATbkdng+ZCh zpW)_F5qRadvp(!zA|LqGK*o1(H=Vxg>X8HG(RpO@)uYg|SZR-m<8?P@t;gz!ue3t}0i$+?9u=%28Rxs0=#bA-%p~w$( z`Wi`wsUu-H4nx5z>m7(r`=H-5!7?s~;`d0uHZL!T19&F@6tdtj>{hbkfv7t|Y$WF` zckgq2*yC9~u`3@m#c4__UF1jv#C{PT}NLunH8?UDLF(sdUf^OqyBG|C8=2TV#6)#4Lkf z7%BTGCT+S=>>hrR{-Bjir)rp+2WG;aH zSoaWfI1wfG02`-+vu|n8#w6SI-UmN%3#Q*B9s;|REN80?lYmB7w{#^TUG7_2vrXUc zpI}zvK<2*gx8PT(w`u50TGma{shzgbiu@J}p-Kb^l3YYnD`VfM_l^NrDk`ec-!AJp zAqw%&{G+Eq1WQ-PJj)5_Op(fbIdh^IQo;-!SLo8-Ox}#bm}}~w%y0{b45?7wRi7qt z4h#L&KzU`?Eew4cK=MPLK7ZgMhmo!k;GOf;0a3fRs?ScPDE;e4IorI$`@|FJ(<)_0 zIGgPExiuIYs!XYkqx0In8g(AwDg0SAe??G^+q?qbn039VR-%3`r`!3pf$|Vhnot4- zXtpHMGsxeh>cOR{wtHGWrv=P&FQ$! L(oe3DDplJjlX5JRc;BD^`%}TBu zf~ah}VKsB}fuuUjy&bBAwxlbwORYab)-5yhc6x}wR}<@MExy}xgTAOT?` z@>hxs9Ge~$tQCW{CNG|;?*dZCYN1ZjD}h(`HB?^_e3MGx(%nu;GU z7X`CvT;9{`8T4bh+UL7lZYqV8JKnR<0OUU7<*S-T==Q8jjJbYLRhX>{4b$tkDA-s? 
zQe4_Q?NiKx+`ae#F`8P&z$lFwpW|3a!)<)hi_hf-FOc(aP9^_u<@~N6 z{89zrqYB4FrGtjxqO8evwE(RrN3E@%R!p`!_d0R(mgsFSWLc*?mLP=^=dMx@DC`wJ1fL)+e!mYO zBx2+t>f4hmOAkJ?Rh$wC%DtME8(Am4P>kG8%DP3;vQ!lG5XF6=n25?OioH<8qF|j| zU-=UBLp=5rdh!Vx`8z<5cSGCOQI42h>^mHlT7CR+JTW)w_X1_oiQt1nmlRqIGJwod zJd!W-BOuFw%2-Z3d8cR(ula7j>}DCwr@^0A5$92MqaVvrTxxICSF|_X@OsC1>{=El z6IA1Cw9OWllJ8#1@A|P2^>C=g^YOKQ?=uOROY)EtpDZ(|yOSwNdD7swo0?c>^nG`o za{SOR^`&bn^J_4zT31b}w_NXz+TI;n6;LuN-lI_7u<9W+@_RYB2K?475!z;aIUgcv z+LSU~l~J{t^~+e11c-t{)dw58mR?j=Gi z|BXjSU-H7@cGF3yla0b39q3kqe%!fcsGA{8fKMh88(J&BXIw)^iU>#CiD>E$&@W2y+)&~zzYAMIfK+EF~B+YMQXmbNNNlXc29}# zW%T$dtEWT@aPP*Bf7J9OJcFru9E2=@5f1M_3v8&|K|Fl;fr|rxEo#&djqUqdU-zXH z?+>H;GH|aL!xW?7a`<<`r{qgy_vi@~)fs8=7hHTH?s$m&RPZn&t zWWi4>kn8-jh35{dpmIq7Q2y4^42jvYG_ugu*G~uy#j1DR{G{LL`I_Hh-Zt6TFE#Q_ zoPq#uDR+}vF-yf}Cqa4p(Y^=GD2f*I%HS#>~iZ16DM?r4_iTt4hC}^)Ss#3h47KzkL^EOgbu(0m^)n|9sB7 z+ruUBo0YrNpDCW$WIa59vXU3r@D->l59Vy@N<7BHP=#)g-B8FeK79SB`%~NLUq3bT ze>#CW{y-ndks0*&k7T4Ym~HradzD4a=s-9i>BEM5r~6|f*2#ZkX2NklpxF{&K<#ZL zzd|+BM(-4gwi*xQ*Xvvd!a_jvyHeKI4-(h(1`G_hugxKNKx?|wuQ1ZT3?|-a8e80T zBZ8T8v%UmVpcOo{N>*8ej7(4<^8up}n5_!QaC2vo5)BUdn%Tz2%hNZQc;Pc0aLr}J zEuf`&!OVFIgVfdN56oaCEcmI`x7Y4#x*f@*Rc-E)sV?27ohZEIWBhahZs2ztwCCBD zr^o4g`Y7T)8>b5vJ!t}SR<&(UaG6y-Il9m{mp%;IKXrS~!1MQ++Tw1H^aYuS)s~6| zU;w9OLED{RLosh@j+l2mz7ocHhrqjK<|jZGBAIar5&~#KdNsVSvbEM;YM>6S9CKcr z6Ql5YbnjnK#Q7)BEm0#Ps>E-{hhuLz-z>ZKgCbLjF4q3c?(nwY0#vYj_FW!)*_b@) z_3Msp_gcYu$^oi@Wc&9vt*v(i^_RhuUE&0R-+Kea4BrMY7JYf$aLB`5$Cfef?Z~ce zAu(M`^s8^G*_h~?8g|GoKprQd><@2?b0v=|Y|L=S)X@cKIm-mLwLA$kpy`w1zPy^7 z^)nV4b8<8(`kvd#V>#&oi(2rd!a7m|;kmZ&-VtG02ak_2(IouyL7bGNnL)S&}ORlC}-97IEw zK7Z@PpPYVZFOUkRfv`wNAK%`mxfERfqEwS6B;!f>fDzR?@L9y^hZ%L9Vz9I1#}Ch9 za^vyLZq{CvZmU60dKqClJWA1i>wZTRMgV&dJMdF2?fCCDO8*COZypZi|Ni|ep^{WW z_EJjLvM(`-D1;*WpzO)MjBSP}Ew*GQTlNUq84M}=I+n4GA-loY_Zh#}cz-_k_r5>( z_je!1{m1Y4%^x}rrn%<2=9<^*JkRIze4KtYPv(f&rxJ=b&-P(AFl(ZmF%OzOc=ft$ z?yDTgU#6cQs`Np{X)umU&;PCuA-|x%xAvU5(A%lY7FHDV9K?Qx8{9_KGt(VrLsH>y z&G~OM@!XNI>$`I-by 
z#c9hJhIM!8dm`CNCpl&|XDq#6t4?_q{6Gy=34b*(T?Z0o%0X@68w>c4(1W}+AHM+_ zX0f8x$dp4RRyMYoeSBdBxz(s3**XQT%jtLM>@|>Q;{K5G+p$h4J0k*DEZH7PHHh4vH^uztw(5_l@G9*KL&E}50GdNQ@sJi^xi z-2nfYw1PpMSRuS2+2`DHC&oTTKDeL{uJD#JD#bWgDA7AxRg?*_k%)_vRR+S$lOv{i z+$rK{s^9fRsu!T{=P#29%QS|a&deSG#BqR3 z4slqCc0NEnmj-LFcoZCLW9O18{wZAQUjq$YQeFvbP{7Xl@@NbeUs0}hQA6t}{ zQ-BiykC}Wd=%O!lV}JFf!M8$e!~p+rY9&%+!@ng$@jBX1XL?A6w&3`g1^Hzx#yu;i ze3YnZSqG-jqhmaZ>E4p2NVUrz@poXvbjwb(>?`I|9mSMWt?mIkXR`PeYv7oVm66Kc zI8yQF7-5rfpQf(u8#_4LX*xjl899t{9{zcYk$$^+r zn+UlsDhfLC?UlU0Q8ax0n%vbIXCQIioW{s<+Q#J^4a-VItxJc1p zy{okiGAd^S{?Xn9Qp$iNcs9#E@(V;eUjYlyRFwsnLeX%)?3T@Zx~r!M^vzgaRzk;P zyZx@C0tM+RS;NNHka&oFIhS9N>GZ_ih4D*5jJB~3B`d&Bp{Y9O44LTV6gvcOI*RW6 zKfsYq2YOrr9MZ!aHTd(O6335QA)=+fcDI z{)>vhv-1qMj4J{;T07pTKe3mfAR{;$Mn_9n*XJx=et$lauw<0Cwrv(f_qsz)!j9TZ zfRnlh{vl+^8OrUp7;!N^+93J#@e5ae8l3kJTNVL*{5N`+Q%|z$ON}tO%f_AAzG!{^ za+*0?9CIkT|56QHfIs!;^O5o=ZNKy3_>vP;ke&-4w|}^C{XjFjR{>Utu=cV0*`MDr zl$!Y@d39XVU>OGNFUIj6p&q*i7tp>teo+mb@HKFZ$;&Mw1XZPRJBA7>PA`g|jA z!GXoQly^q#3FRC-Vw5kxn^J!>`w*6R=cOq>_Wh$Hc<$Y+?2*n5*KeJmxPNB$;K2+o zR22=M`Q$6y`fPb0|CS|RmQ}I+yu60);&Ucn`feT?k7jQM1htrv@8jWBeE$fYP|h-? 
zh{qk9&xD+%SVgHIh45vU9s!^1#IvHz9#n#d2Y(&Tl+ZL=)Q3i1V0WDLjFe6`l7E4G zJU>KZMWKvzgk}XwDv!RpGyOWHLmA7t{b?+v<7*H6T=}M&N@=)R8+#8hlwEz|XxyPX zCv^L+#DL+K0j=yc6UQd{9#2JLyzEcCeIx28SyEG&=MMH%%%#pL;WYPjMy_J$9}azR zjD6!K8Sq=8`re9*)B39aR{_tjmXU6AweDyx32aJ5IIrggC(BktD;xi7hMZBZ$U03< z6w#@sHvar*=4|Dk#(9jpZfC}HUZY%GJc*!}YB6qlVHyq_5wm5;!3`bWCR8ohrS zR*na#pcUk-^#PC&GEUEEiH3^eSdqvtyAPXK?R2>OL7;Za3zI{jgWJ*OckWPI5IG0uq2w4TwGLCwEK%zIF9fFLR`>X9?RT+|A!%| z>JNkF5X=(QH@|Ph>>7Avh7%SFBkm3U`C&8#7eKfl{T=KAMMOSh$WKjZo%_*CvE~}h z0`qNyQg-v;19xHo{05G2^c`-G(X88Pv%B0S>V7dvrP^W1%d0)z%S5`v>&D*zlLQl*FA<*6H`rMT*8?;Y!fhg-Uk!aU+)}fAkH`LwC=A)AF${B-O@ANbPObg z_MjN|CCzzk1@4=l^u8B*(c;f}&_WTgFgQ_t4cue-OzD(pVd-I8WRS#oeB|Jy?>6*F zCX_cz#u9}gmJnA{-9|7}OZ$POos8vLbZpmWvLSt3X8B-WHCA!+v4KfN_ojRWy(dzfwrd|B`MdjmYu~&1i z>yq3M-}UTY=y?2mvV@2H&|E=XDq^gznFlgR)h zEw#s5ONShng_~;}I*wO*;DdTUXQ1?#mC+Z`2*1&0&}r?gR&mbr0R3j5Mx+|dOL z(PE^$&yN%_M7;;?gM9Y6XI1aj8RH%KUVpW%h|NMGJNy2qr>n9VBVArlww+^7j;!Hu zyN67CzPLie#&x%I-AYa+j^`{KZke#dsOzBx=8{_kUNq z|2-k-2ZB>v^xAh<*-UDLChwX-fBmnBn4dNfbDF8SDn`espgFYHz2`w@d{_FRf_ttn z8EYL3#Og0_T5EZ~_D@syDnT^m0ncl({MpM#hw*kr{JzDCFWWk#P?u7`VmJZz%z8ts zXF*d!7cV|Rmcwdkg_QH`v0K zVRoPAKTI1L$2@QnydkXOcBm1{#AO^T6_*;ye;^XM{J^PHElm9&cXp=ToYl(&bJDdo zYbo(;{Dw53sr95FG~Dhylg$>;rXdzr^rs>i{h0cOFTXH^|2|~r2^U9jAKqK2x`EGo z%j2i<^(977u+nP0dtop}N(-o;H%rnt32$96sPFr{pV#(eAvYAg>9$zU?L>97e0;v` z`Y!XBBT!^T6`GZP9i1?IhnC=d5W1s}Joj~(VeMJm1}wHZk~Pb4=gE!|UXpN;MICa} z$0(&V$tAa)V^(@SGvykvGYan6q;R}Xu;}r5Te)EEpiN9n3>B~=ax!MVZ?&o%JNZ^j<1SgyM%|+pc;X2Q98N0&yKYs5`9@bWb^!*MbG@kN!2Iz zB5dx&`Om%%`J336$Zog5y4POi^eqzwm9oD~hK1oglq?O5!*lZ19y$nk&Hma=LUquL zAW`~pU-wk17|*j+?O|4MvFy|3zN2bICdFGiyW7;)_2v4u&wDxvweFwIda0S2GwFKi zwhQ(P=*!)49f|1vW3Cw`;5g~Ubg01#Bj)9XpQB1aaWr(-oDm8_75?q6)cBLKuGQPk z7?Yu(;$B)PDkvn>_Mf~6-Q=v2!*K#J`51Z#QtbMH9WwMV-0#qQ0zSLPCgDUEaqnKM)A*o0zg<-1mG5<{XFZ~o+iF5sKG=Lfc@BQ@Lp7t6j) zky;E6@ze?90OWwaaSh_|j$3uNe zsrGO6ppf;;BrL^07oF*xL`T}tIQB2iFF~s6#t^?{AE+*7kAZ< z<(lgM5MTlg+y9|eEgsVZf7eA#JV*4`8Dnl{`Zceg0!c-^OlEg;H(l#jc<^P{zTEzu 
zAJQys;%bhJxF=gp8kjSvrshmZINfHo(-ciTU&+}3+6Lj}bXG%~=q~6FtFD$@%R@_K zrjbThM@t7ei!*Sy!x9KEp7j5= zC=a-lHvw|^rJlwJIX0DmGr&Rt@Dx%L3<1We^1D6`Bd@O|?Z9YI<=w4s&uDm(!7u2R z)jfmwGU4lua_{IS%uJfoRx4kvYpL{JmhS5rXMk;LWey690q)-FbG!Dzb<2K=hA>hQ zr`nl8{M`e4fGl_sg;@C+AlKfKEajB?=8aQgPfIdqA+6dY%o<*~3T^}49R+@f=+D)| zU#eTpRuYhw9|?~Z62(ZJaZUz=Gd`4!%OzuUQT^-Vy-tvQ_MNmcyYqSnxnc)lLK85K7?d$0D1I_+OQw=}UcdW3KD6;Vex$0v#SD@k3 z*fJu2KlMcYckQ``cjPMJn*ih%^J~z8mx)xaMD7*@``dZKR2`5coDgLe|C^++_Z(*} zyd_BK&s6*ExxY4@4{FvtJfTIdkQRvAl$xfxEO7~9{0ULS{pMT? zmO#i*meJ#@i@F!pz36IottmG^%$b!3WTQ@=SDQS<7IPoSHjGe5*}W0Ps${*Hn0$vVo1OEb8P2= zebLT`O2QS2#an`JmTQiG7C<9WUPz~q~xeff+< zHva6SO`s{h8E(DCdUV}q{Y%N5Sf$;weL{QJ1wkhSZ_a@Ni_{oDyiY}ynuj8Fd;sQj zZShhXsYve_OTho1m+|!=>=Y2r~z^i;m`!j4i z!++J!!Ze=8K8`mF;<)wAf(5%4&_t}eba8bOu^@@BN>%3_PD*PmFn`FxFfOrAGg>G1 z&E1Wn?brIl_**MN_wPJUZUA4_Hdc<$h=oXVlhrzS1uXK~uEs^dQMBMepfYL6yxf+( zhU-H)t>b!zW6|6AZ$Gyi$E9>6i>2b`OgXABBp%uk&_X;rO@X zKrMkyZ(mO125jz`9WBLRq0D(9&rr8WZe~fdNo@b55 zu3QtB z;+zWwbPpykv2anzSQeSx0|nsFu&+2Hps(Hjg}0* z$g2^(SH@Q#S@0%veMx(Xy;e51z{bfFs#eGhz6nnT#;(RkUsthCC&ceVUAE^hvV5!_ z96TdRanm4)V$t+?_yRo1*4g3^Sb;c zv9Np)QEv3=z48Pplj-WIJF=vm6J;gX6rV9-j}{U&pfAX?_D*IH7CngfuzZ?pj(?JQ zNm8I=d(XHgOfKg9X_l1m!O;k%y>x<1*7*viL4~N=pX#{4ZwhzzOsK9dwBAaI`cKrH z019+AM#(WXQ1#!~qq>#_HSk;nC3Cfk8j#f08)`c?yp!>}%%hv)G@<-2&ne<_71$xQ z-nW1SfM{RZ51`NkXP|0>U+`0rA(B|M{O4U#^v71y2~~zrW%hz_=ZL=G}{SV^fx*8XLHW6UdVw#yb8TUFQ zADZNRvzr!YQyM?8ih$L$c7X%isp^(b)BEizO1sX6z;7KxzyJ}<@IYvLvrn@fM7|wY z`$v*W$SB8Ltg4^zNr3y)l;4~FM5H6D!w-hdf8;69eWw%Pg_>4?H;8Wp6FBTxxVS0^ z5B5#wKsfOl&sVAS*zCmy9XAc((q1r@d*|q5i@R`v{8g|k=oW$r9%?s@>az*%@)Q&; zGd5QzlQAD__B79 zrkXoz26*vf-=ErI=a2SD!KR1byi5fvH05GAT{9~;dW)-DIb3hMyJxo1QRH+~posSI ziHRkIFK%^0paS;pw2&uh-Xj7s&iAcWh2*U}Z8!I8Z@`Teg4`(TN^g(j*7ULIrG7Xk@@l z0=e0S<_i|8n(G0l&?lT0(nsyML{!u&Ps0kBrH?iyx<}nC4QLJAC~^R*SacOFi`&zX zW&W;@wfQ^=T3ho0^IdM1D2!O6W$@3rm0+3rh6?PQ^zt@sd3}kvL#vX*AU223Z{D1U zeCIrBUlH#G7-*LG!5`bt%U#;>26JmH@$t^bkZa~t4U1EHfNi1Y>R5D&Vv(zX3cnS~ 
zU07u>joIMFN!=3JVnC*rYJm8mNILt6#OjUq35>%2SgAU0w@GqI7Tl~; z9J9uUcKMb$(+SyoGaDfLs1#YL#tRLj{QPFI1TtC_%zQnD(ZT zN~EQ*Rid3_aOt5#PbK|Gx@pQquSEl-OLXbQ1=i1y-3Iz^uiuo?BUS@%CYdy|YwdSv zW#(>L$WoxBZqu4-Y-&_L7j z=4PoubM%@y*Fjv(lBKZdMwF4tF)Lsvd(Py0ucPor?7=`az79m5VRhc+vHi)Wg=~bv;q@l+%(7PHF~MtRK_8s{LRbu zV|J9)DmNDQoz|w9n5Dr7^SVs z&vcoOKC0=oDFmwLp93W7_E&m}=Z3I`cWkD7>x*n4fVs5bTiXIvIM{g7z}18EemunZ z*N2B>5|vJ8WUusUN{?+Mg|wNy{3Whns+y8K{o?RwBjspJOrsCWf*wB66)HJy!&=?8 ztY}NA&-TkZ1gxRU9u6(0v#i)^dTi{J$gR@Df(Ftjy_#RIrz+ju(C0oro7sH+Ome1@ zdT)DqlmW`;>karI`(tB!{GHrAF4-kl*!8l#&tX%N^O7sl>HHwOsdJ*z28a0ImGmKT zm{`s#pjrN@shbLu?KlF-boTE!+7ZvPjnSR0kEcS%(inU)QI=ZN<)c&$tl0NcTV!<- z-~V=Z3JT-o`dqX(B2)!!@I!8^m`j)9u(w6z5?|*NSV8icE(hQ;3Y4;bGF4%BZ)I;p zqPST%cno+8=^ zd?K{nAACup+>mo4xxy$R-%X2A!AX5u+!;g_WWx^m_mb`PXUz;+2vr1+@f6zfR3&oE zw&2AgE)=7T|M$2L+j9p7r%VB*p3M5CYIpO&>Lp0HL78cYI7{~3(uSqBg)A4?s9i4G z4C^dnwz0ooXL#j`tx$0N6V{&Gw=oz3b=rw5bTI-n*zN<|5n{s-q}mQ3%*d}yz38Wf0*i`Tohhc_RhDt`$6K#x3|@sE9C|L`OQ5MBAA?O#;WSx7d`aV9d_+J0gk zo3SWF9V@0vML9X&W&~dXKkzz*x*p|`@Av1>S{)_P8)0fgTLBIiC|(r_H5YD{fc z{#4Vcp2vNpl9;OHvKI$26*UhXs%Ds~wg!zlW&W(J*ahx~I{KP_`zljaa6;(d+feGe zfx%E}i822$?=bIzmBXz{m2l27yO^vube*1BD`Rea;*~F%P$p%@hVqcUbS4LN8tj}O zvG8c1iwdmIq3!i)Hy6glxm6CM{6J!3AB>)9yiBx|kbQc?ER7C6`mmk@r_QsIkzI1* z(~40BNP=2ZOmL@3OtFiMS}#-LyJ$iY2k28w9-u@&Z(PczR2HKp9Nj|^xH9)zV_gp^nSzwiY9B81WriE{D`!hwcCY_!N?MQg zc>4MHeLIH`UU<+;tmIQ+$7ErdQ;Z{CY%qoMjoh zgF!HbQ;||lCK+`5@~hF9_5VCeZ85Q$D#kIwMn4-@jfB8%nnD|8+E*_YPRfw=?n}2x zKb42$89)!8IQ4^zFJeOxEUPqM?-_Cn-$&j!g@14U`Qcjr(*WfC{d}3V??~MF5lRF>)FRDhT1jh{dlHx^QTi)|NHK62KZsD(Z2qIvi*;` z)tnaVy4&l&9_*5WVyWr2CL|BD@Je;Ww=J8RjeGKR0yR6G+yu|aBxlA2tWT|L0o{SB z_8!Q#Y-5E@%L~8n{444uBU-X(Un(jFLZ2aL4oosmygdeK333EpgMF7~@8}L~NF6@w zW0gtBA3sA+Bj-jpF$hgkFgLO|3JGJou;Tic6mJtk&0(WO0|{y3b&99=z*$}WweWTG z$&QMpt(??ssBLPqEVupakVn^>RNscX*OAn<3TL&|httujxV5j-J2qMOrMeV64~gU3 ztsA0KJf7xHql6tl$>Hi^%;0*nN?zKSYdPIrlf%FF63jUh)T4O5Q#zXd!Dkko7oFR~ z+d6^Pm=e!U`(ukfF#*bb!KN-J_k{d(3A z$_UF0r!m9kRZRSJ>I6knG= zBPQ+?d{O@TjQE|l@QPGNci%I){l 
zXqp7MShe!UL*Wd0%G2idc3ZNX&-7X|m*mE#AN*(qhB6A{f;i0nP&Sy;rK_kN4AdY; zmE)+(R=!P8C_#RGig@+|3k0G}F;Dw{drT>_qi2xPKGdndJ)14K; z#wHiy_kXsyZg{+4EPZiM)eYA`0QI5O2)D1>XQMnHp~CsI@Bt7svXYPAd>(THRW}z_ zXua9!p_|PoR5IhlcFREjET<=-+4tY5dwCz09MHC)F@fmgem+y8}m%!%2E;5Ah!2{7<;|AyAUipZY7X^;i4NX{YS#=;*3o*1`)pz30<- zZL~T7*!u+u2E8tZRIFWbFBClj0{OSOi7w5ZyVBCOCd}z`+pCTAi5S3DDjf3|wV!pr z?TtXl>9`<3RNxSaMx~=E0_{q(2f3E%*a$R>wYTNC<@E9zP_GtGQ+!u+y5`ikrO>#e z8-X|FUaxTFHutk;)_KfUQ*fT7!VD=m!BXaj`w~=V%H{DZ3DtoO|7A)~WA@V;Wj}B9gN~BeOMCSWz zGU@rPNd5D%b^WhH2X5|)=nP87#}y090eM|jS5`>;CTnL)LZ=3MAB)~l zjTU{p?SC1(HonHfX)nQ-}OC0$} z#QG7a5vu0c|E^wRMFaVGix5%7kYgqLwjH#Et2JLsd?Gc*@OsKxJYzeS?Gp2^57jp8 zSBi%(yik6#qB#dkiVHTu_sg<6R9KWSDC9nm6tll8d~#uh0imn-0&`Y7C`5>Ut;)ih zC#v8&g+6u=>NMFD`>968hF=1E1HI=Rfei52P7Htuptimg@&Df8J2M!YN@v4ir(kOc z7l&`5)}ssKj-bl^?W&Jl8%`$~O9V&+l|>+c>6UTK@(7e+_y7c!S3heMUxzMTBUDq& z9|^HFW{3LfX-Ga7;r)hZbzYx-yn&*1%RlwQruvF5og4HSs{$ z>t5Lpvx+LX`&wM?))PTA0_YC6c&f~y;;CWH882k*i(6W1IM)YqQ}E`&wVoe)~LgoX2adC zz0|vVcF31>Vq4=>)TMC%OVkF z9rlIsXC1xTjizIa9PVN-M}^s?;xn3UdP0IE>()X)x-3pp>$(jy8&E#v!`w4xjV8sX7yv8S_t z2EI@^8987UQ{`|OnCd0;=bVrL--Dq=8hwpg5#)BYUVo8wznZqmX}tZsR+5NK4E>NY zYNi~Z&Yx!8wD?HB`N@X)W2ATTD>1I*12TK0nG2v@8V-P^e!JxCw;559B5YUQv!602 z{maatVO4kb%*pJ=D>jug)De0PXHAdblXUw$eJWb70(IE3WX%48nu!`RLu$EgqWY?h z)34B~&spt<`P6=&A9Ql|6tKu+Lb>hYsd>ciq_QwqchP{zHfOES(iwZtm-QZR%=4#V zc-Azrp|s|F6(|(?RQKIrBj5uuyIY^2Fnb~rYCT#M{*2UkTXn`Xz_kw{NdfsBQOqBE zj!*w){&>=*GiV~bNB&@z51lP%Gx$bg zsq9Vo%v^Fz+M6WRYA;X=MS%&)qj~@W0tP$$3wzf`_48k~SA;P7=Lz-t`-EgJq1R~q z5QSW0LiB}k19}_{?YFHm{x{TT{<`Z7B4{g~@aZyDK=BPf@3h~i=#QGDB zoBAp>f5^(AN<8hP&PIKRT0dgQqdjghw)WO+hVu?-9v&BeLBqlK41n5i)Pw}Z+_W7- z-*_?`nwNdP^}V$rOJNv=nV>$Xl6UI#oO`Q%B=nW^vZ4iL&+N4WVUXVM@~nd_?2}`u zdhd%=r}_&TJiq!sLT)m3L{_G)^xb9s)(ja8tXztGzYQiTd9ZwF`kdo$B^VbHXeKLp z{_WYt1^uo%p=%}JD0KRI$3r>MgXR^dDe4zhz)$j{DC_^O>EQpvIQPFF)z=2*J1&2j ziIpGhl*GM`6$lr;$G0Bu_^GDI%vxt6fsUI1FKLk-x3C5gmH5p1O#Alptz^W$?Qp4W z>l2ya8A+%tGWCOUYP-`=0#G@CYu`hg 
zY}5}{JzIh2D03`K(2-X5$&{A7+)-Oho(Hl~y<0<}&(~!9XxKNfr2*6*!DmkN<95LY zF9%#o_L^l`SYD2n^Vx0zV@w@p7eJ*SOF&exLl9#fMxn)BKUf`ne$e6dG z;)n&(DZu)X1@6#9i?iVE70lKI23 zh=w~twF=jfu=2+Vo7gv23o_1`iQn};CEEe>9od}kA(O}uUlv^WxeVG&ae=#XqWAtU zxk3i7jb-jwW~D5I!1`DXRG-S;0{RIXO=0`0o*dA*Ld5Xw$r$U#;ayeOm+5ZqL>f!=Rhn6>eO^G&Gh#K=a zFahj4ha))(GlL7ptB1YI+TIlf~K26*vm} z47X2{%d5Tslo<`H#Y3%<5ei1_uy#k}vIN6@mMd32vpG~YbhyGA#pW~Iok7qZx06}f z9l1Y21F+1xoOR(OSFsI7eKK(K!_=~*utZs z2(Q%M77clx+7mSM#gc)u}pU@V9v9Jqiu0iCa5_%!bjF<#97pMtp}9q(9NwPEMSgr-hx;{k_=O# z&leuR+PUDHPh}-rA$1znIMuSUvUsyVE04p!%qZTW*cdr%XM=F0hC%a2w-E*gJ0vcn zvCN0|V9TvreP`oy3l2pe@ZQAE+}~L!W)gE%+?naR4u_734=gLIG&(A=MtL=|jhmV9 z)0rH$rW`)j@iV{-cdB6?>T<}c$(d5r^MPTXdt-N5q-snP&eLVE2G~6&`~D(_fvrbZ zF^~%Mnm}VePCWs=*AY#2@$O|O#;ylG-3k5~Xx}h)Y$=)$0z3!vhQmlO_slp2`nF1ejbq0@^=U6Mxf zUMlFrUHWQQCo9!>zjfWtEUj5~_HINvQQ@{Z=pShTMQ~16azU_ijU&LD5Wf-}i!Ds@ zqUgUKKs$&J#D)B)Y-9@Z8TE8&>;*Ts_^b-NxndNFu6HFV$bwCl`LddM z{^2)y+Eej7R&KSPGE2SS=~C?Nc1OepoAyoYp!-8F;B=qP%}y@1d%HPAj=4MS1ReeS z{B-oHm!?}IXUo#@?DstHJf$JY$0!cEJ7fCcH%kk|cq3;79le5Ezj*!qcx#&LXpO70 zMupSs_n{vK3XAvN1p?1yOGuOpPZu+V7EL+*P{D;KtnER z+hji9@AAgzw6ln9r!R$0jL<7#AAm?*?e9`_?}-KauEjXalPo!@@ZBWpr?1T#WHDc6 zxc;e6hlUOFV(B-jGTq4Iyq?Jr!o&MOE1%o>xhema{AYDv~`K8-KC=Pr+&)-7;eM$bb>ka+pe4!(BRwYh?42#Rcx z-Zf+?YqnMmiFwQxquQR~hLSPeNjpG`*!e56Z4?OS@~3Bw+cge4<1>)b^Hs60Y8GAS zyyuggnB#`(;Kyftxg1SY9Z?U*x~AXh!}ohuZ938h;F#y zMtBYrsYV_8YRDnDczB?uZ{@IH`XDW90LA5JTgM)+f)s-@^8MhMwE}Qp^ z3=O~8O%z1LXhXEU?YCI*K7uGtMTm8^fW34#GlhTkC9&_F(5(ed*~)Jobk0~t;}Lj| zQ}Wq5pUdZV^{ueOXX3{OZyGg5$NttN5~QYan8N4BL^S1M+CYzCr&&%~jjYUE&nbB2 ztq$&0N?P5Y>#5b86OBLdfOX8Rq z^PCEGSuVpQU>vyGu(=rX8sf5Jg{vY-1miylpRZ$w#g2)qMq4q>ON1GzWV;omvKneS z)SR%NuXY`;a5Vi}P(_?14tSd*VpO01{~;XdlOA`w__G2V(9b)CHRPx8!*bP8iO%v5?Uyx7m@hG0IXj!w`4~ZSf;!dY z2Xf+9s4%0Kdrz`M_3d5CwSOm*rpEtDCO?rReuPMjyX8}5(urZ9X_rj*+Vnb(R?gS{ zE1MjHI?{>EPawd=bZrI2%{)`$cQC{~%`D!b@IbY%DFgpE^~hRWsO%cv`qI44E2m$Z z`$8M{caD+>zPGBi3-G%Q=a}!U5x(Ljw6(Qo%g|f6BhpUdk$VlTo(HUX9B4K9Z^U9P 
z|6;5Y_)`)O68fKV2O1AoQlo%pBOjy(?}khnEQF94;z_6)W+M5KQBv*Qa73ub~OcVtlAY3 zSJnCIwW<$6e{hDlTtQ>6lW*~7YTt}`eP%Li!z_R$mEnFZSvsUuIM^how3Ad3v8K%O z-o?u?PWkT$r%;v2du7m{)FVzFZ{ED;LR5ZtbAen>9g?DCWuISJk%+7t49c*&z6%>K zyY~G6NHut}R3omfaIlPXX%}?C|ENfCFJAe^kNL3Go*T)wsmYc4z0dnV>-VK%xuC^^uyDP1Kz!O}K5 zSr`=W9`sy^*3qNp$iL&gIlKMFX|>+Q>kgw2t3s>0`$SVw`#Yn-2#n8q8W_J=&Tat1 z2HF!a_3uUrCh<18Jg#Za_YK#brO%7Erm}fH9m(7=>-mhE3}d{EZa40kp#*l$=>dao zw->QN+l>uXs$g`+#%*l`$Hrezm#Q&Bc-4je`jyBR^}jg#)Frg~Jdvg*99N24QsXEJ zs@IlH%TT@#oKl)%&1g%*-waEf)bR6bJs}%8cjp2- zKlE0vOv%ih(ag5XNt&(eG|$?RnNA^RJ3oBDoVi&6e>s{j#80vK@PE(EXNS8G=2lgi z;n5ELgWoq4BAA($667dD?y{c5(J;xES)jDBI@T>~*faM^+Tn6k7A-lq$L<;=0OG-rsEk&e8PaJ>q6x zv2EYY;Y#Q9g@7UQ6xL&b;DsQ%S)MbZykyH42Jsb}SyB)VJXQZ?K6EL1pDilOyd+w7 zu)59IlaSbW|Bb7a>a-~C@?IhCJff3Wn-u>Is0jK#XiE8NA(s7_C&-WaOsqOR>qsGi z=yPMIDO$2jzpCD@V85S0%}}#){uGnHI5~IA_plHW5C-1KSjNy@>Aar~(53*xP!?ti zr?S0xTA3@W=%APJM_Ae-IqiU1~LeRWKiaSk;ACHv>S`xiI)|CdBM z{{T zm~=j5bmmXK8#ZW0z%;B)aEEl^m~iPYuF574Fi}S#9UVgpuQefJIC(H--Yf?dH^MO!zENKS7wXgl-u><`Q zU=*u`(t0L(Ks*Towv@uHxRf z<{)(cuPx5Ov~`N7Z%-}yVP*{T!r6<1??%h30bMZRd)}u4?aGvITXK0UryaO*MQ&^p z26DS_y~2?Vb2%!p(dyaVb;{TL4DRqO3RdNN4nEBFJ{QY)@U{ONaYZA(BW1fSF>}*- zPQz{3QYN#|@6~9pMb?L5iSIBd=0{{1YJKbT5Rk?v3_}iP_$!+-+usk7O9+?rhyF9& z&!c|?ZmCqx()Rjc`FL!4Xh2Alzl6Z{hjZ0ptN$cM&XjHWd7%rOEFsU@n$MS0xnh${ z|KE}##_`*n!;!IHu{#q5t@A_g=upnB^cAYOI&d|v`)q%@XV%@=ACB4OGhni>bblld zT8??FnZ4AZ#|(k{PE;qKuZY6F-?C}*;j7cgT$IfzN#|~^5!v(%ZCTSMkpgAp#4aFA z%IV`|UPX5~d3|)-e~D?i(iyA-Jx`tK3fjA0Ygr%O5AR4=Uo5^m?B^qex=)u9nIKk1 zcC36Yaipbc9=^zhF;3xVow%P~hP8uRS=bNYrd zDemT9Q}{B@m9>)&YPWIwf8uC4>28c|$V5oeKzd@C1GUs+Suk=xSuiE*XrsEKl&q# z=yfnK<;&e6Aa;;cbJ>wy+tohniIcnsB z-B5I~kh1ahrt1bt&sz1&DNANzL|(ay@mzHWXD&$+uO;v<8%y zTFSpJb)0>v4~+iGFsCJ=!W6$>lSHj*w58issb?wd!7((JXSzfYw_Jp59wpR27*8~P zm7)+RO(qZ$;hg7Laoc6zXJr^MWOjiFd45#G#VqS|YU_i^N`$44kQ6DuL$~bc66TRT z*XK7mvKq)~kB=SlOp>rEJeGHPl*qc(zb$#dgTM0Kd;mPwtrqEo|uZESE2 z*g#RP@Kxl@Tm!wss#^Y+{C5K6@sGg6TD3QuI0GW*>?CAeE%5Y3hQpW4*N3|iy5m~~ 
zuy`+^63?C|x>QdFv00dz)w8RFXEzVvS0@7L6TGd10AdAsz5ef~up%P52M8 ziEsmqTv^?N`7}~%xwsuVeIneEwHy>olrTw4w*JUd@OZgz}2fF-;DBE9G`dh+2H;M6R zvmm$u^J1;9``d|tt^JAY8F9(rLvNF5wg$(FW2M)7>1VTr#f=d6I#8^-8w#DtuEIkt zW2*~~kklT!swh90srD}R-i~3m+ba~gUWH-2pQ*h-oRTeQ_Xk$m1Y*v)qg|QjuGz+H z^&|6`jxbYDu%bFpg;A}xr$@@-HodHp)Of~7#HngHULLX$-yJuz!mc)uHdr!PfvQ6l z=G*-^@&ii0cp=elW*2WI2otkeCwr=DNMN&f7<6^_*_?k`^20R9triJCn46g00~8sM zsm%KMnHtQ2>iBbJF;*W2IJ)uj@?gv=XMUL8o#O1`H^Zt0NH9C&8L@6od35*(FyhSr?U@wJRuh_X=f%Z z41>BK54hDFlS%~`T7c!1hS*Iq>4V=~QcXP}cUxxm&6yCdDb2Wjsp>uS#lGkKE# z;S~Kt!asPgHslq$5SCN)thPS9-6ZgCb1?LzlofC3++ zLeFUk%SqFZhV2dpN;>+vv%TuRD)n*U(Zv*O_IY2-cjW1!pu&%q?fIO!*59vA`PZ;u zt^Fo!6)>4O!So>xLxGRc>iXyRtfq)sX+ z9aSFERc=p!E~a}!NTl^^0(gwb9qg%NHHtc+X9Jn^TvWXPi#n@xfIFY^`2W7m^7!TJ znp3L{rP?z4>#cJ-d21#if>RMt#E@*PQ{keEr{-g(S)b+fp<@pwxZ8>!PS1c(ml^7q z>9<+?+FrA$*VY#_`P`08!0Pv=B+WMBYB4gYo9_E__pA>A5p6 zNzvc@BZ{Ag@v2yoc=jTcOrDJGToz;Rd(ZK_|5-(bk*q93-)7qW#yG9#I{jgLnL zxbG^43O&CH23DoQ*Q%9!yJq@aB}PJ*197V5PgHaL}WZOzH7xm{HXr42r|eX zDdC(~-zhnj5FfSI*Xs5s@4BeE1ruUS~`2d@g}BQ z@3>JoXak1H9VP+X(JM9qXk%C7CG^64IEx5$3hR9);%m|lC*=t*I^xv{@4iFh|jBSi-|9T|AXZG9FnnrBfcCZP@SnI3nOG>u6B7KG~IqOc#Wbp@- z(Y2+n3s7=p_2aetjHIBkPx%tR@38p4BF}ujMRpQ)VSa?r_vPNt39i1KL5HhJZZNGl zRr(@LdfDBQpacCFIG?d6SehJ_{Tp0-qoVb1-6Yg;#rO3_7R|RB}qFI@B02322!pl|IYZbGR<8}SM`}(#LKVb3dbx27Rz646SILayY z$F!3080a5?!wU*FNA;3nh2)Mu*S_!4t~zqn)-`G;jAp|Y1nFiZfLSXtIMRe0Sp%J< zZHHl>3^oN@335QwjXNR|)$UX8N}$E)4f=y{Te$k0e;u?%dAufhf>ERuH2VhX}Hw z`EoG*{0Ym$0x~|w_qL{c|74Aug&zrvWd|ITuL#oocnT;n=h4!Uy2Gi(re(P1OE9c` zCL*e6E?BF1b@DN>-4pZ2_D_>cAg@vBBPz)ZjU-#T$|73>Q@-04c^?bq7Gd?nIAgY` zoaG{9@6bja9KK%1EmvZGgvmo{vy2t!lRA~E){9J6Io@AGV~2txdpfpDm4;YV)zDJ^&1EyYU#zO3W-=y1w*#*F(KyoyH^J zoyo6)OBvh5m=AttvP7HCPu@KuhkP|%vy(;qvu1w1p>aO%VTfH}=YQgb4?|XL7p~if zSb5hp-_#wc90QGrN;QD$QKYlxE{kY+bvko@H>b`m@?p`LDJ;U zn0yr5Ix8N3a51NH)lkY3sD`h4Q%F?3GEos-JuY&+gN`GT-QCXirzS9~{KvLP5=EDd z4>Pm;t-U=H+D3Z?WS8Eb;XLMMoN)k+bm9`feC>I2#bpBdCF){q+Qs1K(fA~aCSOqg zJk^@lVjVuWZ2XD)9DUNC)@gz)28)N?^kV-XZ#wX9j2d<{^>-*d66i>Ja^qvc0AqvL 
z;t#c*CHcx_NR2NoK7$PM_5RVzs3pR@uyV$vSp&G!r)Hk=>P+CcGiEPi?oL+d88RGe zN`<)GJ?A-^;K)F4MXPIw^anx{Pkllf)5Pf{B)E&G@tuO|2V6+seVOKFsC%S{5iBcK ztD35YJmo(Jmb2c0%InBoi-INf^@Ov;Q#T$Y7w8hbZnT`Hs#okuQ-0_&Ue^GvOmjnA6Vb~Bdu2HsFNRzYEC4W>ts5Z6IT{}^=qjiWxTOEjpPHp zcq3H@IuN?c)|Os|>RwJmqOi5lGw0a(B+;x`+$ej%CnrX$bPwIA(i5kjs`nGtH$gc* z1b<8++)XbfbhtiGcbCoRm-{e?RqogBeM!-X@ol1 zt+4e(4DxQEA!BnEXn(L$^(t6#wV|>69%VB$P&tMa3Yt6b(Sl&7$5xi(Jwk)3Z^o%5 zU%!sYzkZVB*Ch3;TrH|o8WcxSE+u#lM$k?l{;sINBEX(_5l6O&;_KF}bU%Zx2&?YOY+Ft^FC655_Me#+8!D&8Xd;K*R)6h?>Z;sx%A6=6NjV>C>C&wAqx< zeJpcPy#mn#?RdfEQR?M5$tj+EbDMtB&`_Q&U*fLrub~u>Kqg<7L9I!^)TW7$?xd%= zwcU34e$$Iaj}^*W>)uySC4ceVbo1|Eka>8Y@`I(ibfO?5p~cHs)R}hw%g11(83sLb z8~;NlHBaO2_jCI?a0QrI8a4P&Hhh~M(U1YVb;l3U45Hm(WDL3IXdBa9)Hq!L&(e?x zT@Q_wBt$mx-(h;ZV;b1M%hnMV7n;xy@gbs+nr|)aQg=GEz-lV&{NTAf7k&Z_WOIK9 z0$q8>$36kARU0p(`%ltFr zgP=s~3?D`5qoLUDl0Yo?>e^cTv{RiLKJayQYfBU}do*5+$NSf(3RT8ypSL=ea7s3e z8L?x3;cd(QfEmi+Bgj$=td78!-35h(E$67FsvJ{iz#4Op3D2tOlA~DB6aOIcD^mW= zu&kEjTuDr=GmLCJ^Ary}sR0RpvH@aH*e(mstp_+WO8&d|*gbCBHg0)oqlGJ7++C54 zjjfj{46OLly*7{b%983;r2%x^1^9h^A7tIE<&v6)Mrto`MWEYR&gNOBbSJxci6Lh7 ztTkr!4Vu6IOY>L;7?cH#_Ud;8b9`JJ1?EU<%O`fmrIl={QslFrpPw3aD^MYgF-LfQ z>u^rE6eS@sr*?)4Pz!-#X6(~dp~uDH(Z;OQ;4)JLn|QU2*C3zDEE(#byo{@mkY zZ9~Jl2t3pE^@l;?fdA6{$kV*oh0LgUX?9&}{HB>7v(_yG+iV?6hAo(qG{(%F z?0SyAI6{mp!h_fYn9p`Bj(1}VPu9L6@C?cN4bbNIFhu5n(AI&p;pWT1LpUP@a+9^@ zdd;eDoTL*~?b%({AW3#X08upG@LyFi6^yp3m&E-mzCT2J@dyW4T{4UT!xVfbA4PmZ z^nKW8YNKTc2@`P1^n5wS{s(TnS4P%UlHGE4%wAHU9dyJ1s;54UdH1w!Voi`)2N_re$~up znGMLpbI%G1-wN0fAH^z2AM(Y?)ZO;SP4%(zHZllphImaQt>rU($6-cy9S>^5=J6)r z*OKe~c+P)BN*3|rDQvzVDG5UEWoA*g3d52_p?AJ987Eu!QD(rMNh*n0uh;kvf+ z@fx+Z+}bKIG=JZEbmm&#?S}G1cBzS8qUqm30!Vz;VmZtx=Lhftd~-gXlc52|X`iEG zDAr(ol>;8VIZ)F2Y}#h9(-;Ykox($o%;|i$W0y=asC0=RYE7^NP=r49z!jY^hdZ4U zZA=2DA@FD4{<~Avj=xd;H%MftK;6J^Gcl|KCsVK*`J=n?2!p37Tw8E%?UuZux_7}A z&@aXzTI>L6CsRX;jT2R8D*PEM2^@RCcc)&p8X1sh+lusbb)kdUPF?o`yG#kapDHDp zW0q~pujvEzje^^{43q{Q4Tna{?ML?ZTwHRw4t6p 
zcdi0Gn4{P!goOL>U4Iu#)X5mMMYfe!G~$Pw*1^#h$@HMgXEJLVTJMATa7xaDMVker z<;8;+EC)hjgD8|EP?gD^_bCoaPWf6J+KRlY(}EeZm4WRaDjjF&RIA`rkJTxU**isg z4lmHzP&YGxJOX)fPd7qdJ2``L{^1Y`9hDHF6wfRp{TZepDd1%q@AceG+Z8Z3P(Qy4 zF#`&Xci^P2xF46~C+19iqRpFeMKCSlb}NY?MJyyFBzsg~@GL|$UhxDe(@iZ=CcB?4 zOG@p3ln4C25?7-7_QCOw&b%Jh`!ZBMC)Qr(ZySyCb}2r>Tnj@8feo~=LgnoUjC3=m ziiq84?o`Nl$y#{EZ>wGtNzlja@`6MR#-K1R==jy%OqOB#oR=ria?1M$FaIaD@!77} zs>I*|n)U|FUUpm}r7{b!5{vL)F@2PPP6|oqR|`*r7^0#R3=b9z2u9*aBlo_yv)47@ zK~nuECpR+V$RK*|yUr~M2MpTLVOdY3_B_9|w=0ZvHvZk6!d2neXYIR(FUVR~z4}As zFVme5NfUXM$Ny!v6R~n_RS8j?(uq?;M*1ILiCfJK!vxUlfkL>#>^7U^0wCoX@uWOY zr6w5!Vh07m?Z@AI2c(aSRufkme)29S{n*`S#eyR-a{_MKxtYGTzbooZj#Cv~52PN~ z%~&%P@`aEbDVf|BkT{IxG6LZnU_EqVcZKg{NwhHz7v#53Nx$r~OmMz#CKlkH4{S~P# zO!~6VEP~muXlh}{Jd~u}QzVFT%e=bGy;TQJVlT4HH z14Xmt{&eH*R|F746?Q3_VfT@Cl-=Afk8fk1ng$wDl2|jygvqnmP!Gv7?d9B6!e{)i z!}W<19N`%xkA33{az)d)`h>O~!ATy%FU^CM*|XxO1Q7T`*H_q5KD2=`O&&H?)VTwI zKziv>&6N~Q;|XVod>nQ)DDY@56CJEglPfWAj(oWPZOxbO&Z=+}Qf*b0tDTW_H6R!9 zixv_bo>ya|QqM6`Exam_;GtQqN#g~Jf>h-@eGR#q>huUv=BAJWzwqU4g|}*+7!l;B zIVWGnTawz*(+cmI&L|0_0%TgFdh}t}muoa1+!PG>3Iw0Ox&UFgWh_fY&t7Pw?*UAP2c4t2Url~T)hVS<_2ld0lTOX%UJucU~HF@Mjw zf=?+As87cdR%w|SBT2><6~kv!qPIg1yX)c76ycc+QOOf5`LhA+F;eNy18R-Zw6~Wr z3D08+x(DtLcKOvhua^7VzE-q1D^ff)*P4K2ZnvItC=BcX3)ARvO1|BtSk&r{cjYZ{ zNkeYy{h0PYYa@sK*|Y=IB_FG=JtvG9I(G85ibm?%ziL`{C{$eVQ0BW#&{0h_jOC7Pv9)$?_DV%m`5!(_6XY9Z&ERCtBc=Mm8eQ zyHkGYEd?tILfz2fR7 zgm#ttupj8{D0J<&q0arFO&8JzX=6X0*^ws$?@~Zrjjldzt258}=i0H7Au)fF5<_Nc z2~FN1!^zUV`+oI_t#T9BKuKT>HlS|{s!+E;KWn-Q9qpz^%$^>Oo)HZXCMJ)xMi1Ef z!8#h#TbGx1@NN}{&o0^H_sxSA52>Xn?T)AR4V0r>=V_-6S;p@jkITN3N)qkNl&0S5 z&4`v8^SN0T!0j$6#3?MxZu%)2YU1?3?rdfoZC~W49*nu|`XDf^F~2~}(=m5cFEdsJ z$t6%JNctkk$h(}`S9>|ghW5)4Yrpc=enKsJK>J7jY7~VvW;r+e&i#CZ?xVBu6R1>3Dy6?R zF`lUr#F&~EU9QBsmzmaGwcKhtl~K4?eP91E0=bu2BQoyR0A};x4V(BkBv`YoS^-nf z(`Tx%G5cFg?%1bkykzzfAvvygbD^J%Hm0#U*J4V9?s3x)Gx&*tle>^lOmF&vSE*Y@ zYy3|Dul>4)N%uf2SM+r*{jwzZ&x}f7SuMFynWbO}0)u33$uDN_t8 
z5LG^6vTQ`Ds7c-UP=$akV>oStU{iDbk;8MdgUL7L!Pf7+M^Mev4QbOlxu$il=)FTz zRmF<+p{K)c$_hcG>%5|FTYZDc1w{lB)C*%S77~hu&~OgnnJq-qtBFj0odn+}q&iy` zarUC}xpr(FCXcuB+uJ^p$=&FN&gj|qN3NHjjTp6!eWx|?IWr^8%!o|3=iE`QzwqU= zU^1vwAE$(Qj~08)`1cxfhjHIr)_{^EM{+}>AL%Vj2+L%a5&MA21&lRyt)Zir12>|V;&XKPb-nKT?ZpnKac>s!AP%lVA{w=_g&s02`sAuEW;rQLWwcv6 zZ7NArZ<;J#45w)Ot7(-sAWs@9UzyZ2`wH#$!PlnfA~|nh#-TeUw>!Hw8DkW5*6}KB zN@M7NTwF@_SH{RNAEs}VmL`2k@j~x@opf?h3R`V8?gnN|P7f02yu>bqnTXw_G10fQ z=w@?_H6B>j8a^|coYURotk+Db87@`?rymUu)RTXqi#4#dnfTJN6W1*f#ySfBm4Ag& zxBq#1(-w1>04d{Fk}6`ei)}w{Q4j4IO%52P*OZ-A ziygie$LlaxrNEl6=g>{1r>Ez8Ma9jis3=#E(lt?Tt5K(W;tUW|RxItXrXh|R+q*^tpx3rjs& z9p=vSr>cZnfm8tW5xVm}S`R#0@U2g>ZvQ_%{11P?`o+nvD22>{WgE+K`ThrILJ&mB z&TYC9doZqhyJ35Asw#RHY~I_6S^Tdz;eGep-y|cW1=FPmwlre&1px%KeuO)zNl{-Uf&4McJrWu#EC}2XF=pb+&Atw4 z3Mn7*w5Pv%OAiuE%sy6#5*sZoY`x^p1768<0<%346l5twAQG(S8r1*oK|KqjdFlxknWBEcr6ji&*5X3&B^qn40aJh-rnxz&25gF?maDV|+Sp%>NR^ zJL_9LQAX;!?z(aT$FmOch{I>B75?f$<vljl5X510S!LM?QW- zTDPS3SF|W%txL3|mC${I{yY#D=cOP4y8B980v}7}93|Km9A83*T~Jl#scRSikSebqr9ZX<> zZmSA~X&3YC*<(lHvW><%%I$%I{YSIY*<5oCDLDg*Cujg^^ycBBCr-%^uR>fjtYGy? 
z{FOS)v-kXc+2(w!t@o&#Tm4)Y(Xyl;!}V{%z|yU|G-95%PJ&W*X(ynm>aG#w*ERwZ zik+g^uJ;#{<1+0UhvHs1>I(ROo|x^|H7Q~_uD9M=2!KF_aFtKMLai1(_y+wa%$|M6 zoT6O7vuwsaJN>!u9Y)SDy-^i`YQoZhD>P=Q$MZo-{wLZ2%x^q>8l}^+ISLTqPV&Mv zG;HWPg4MWfM);1nSD@$|upiEiAbz#Qkq8J*2<(DP*LO3qdnAN4e6~hI#4Y3GcBIPd@ByQ1Qg-MP1&TTSLh~oH7 z>0%C^rDl*cs+Sz5gR6a|b1-@IwmF}oP8j#gMT@+t9J7_)Nm?EZJm{`Rx~i8Km53sOgQWNyN&MzZxmUZo12T9I@$X8h$ki{TDZCjIHBNFetYX( z`w#qAQ&r7g!G7#R&Sgsx9eR6Ec0 zBO$@+dA`D9C8#fjt)cw8cxs;T`;g~ayoNL#7}G8gLA)W)0#eXp+KpbR8KI$}i~hBF zi;IhT1_p22+uLhA*L2n=%h~5Je@?*wi~tu5BsfNmG5Vk*36ns!^WVqZ+gLs2=9d33 z;0~YyZq-Q`DL-ra6Jn}(;wtUOe<%VmJAH=D^yTqiD`a2+(RrzJiQr#@$wkRpYW{Vd z0)B{Oq5w;u|9=m)`7YV{`Rw4b*bxRl!;D*nPPY5Pcp1#)Rys$5MgUrC8%W~9b63HO z4wjsR%KEZ#Bt=#zDVnz~^Zn_PhagJz?@v+iRk&-+x8wux1RaUnt8QF01fzOzF-PU8 z7Sa2%;F#7>kJq1bD}DiSJBnQ9IqO-oNnp~?>*aoKXnbJ@Z|wV!<*bW)Zt+jP0bNlaQmEO(W*J9g3R zVJCPm1XajLox3RvpX=g>Y4M+IC^G;MllBPI#8uC~{T^{zx?DhWw^q(E9 literal 0 HcmV?d00001 
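Review bot: scope-form.png arrives only as a GIT binary patch, so nothing in this hunk lets a reviewer see what the scope form looks like or confirm it matches the trust-policy flow it illustrates; add a sentence in the PR description (or an image caption in the spec markdown that embeds it) stating what the screenshot shows and which step of the trusted-publisher setup it belongs to, so the figure can be reviewed against the text rather than taken on faith.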
diff --git a/accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/trust-policy-form.png b/accepted/2024/meta/trusted-publishers-oidc-for-nuget-push/trust-policy-form.png new file mode 100644 index 0000000000000000000000000000000000000000..103a4847a9fcda55a95723fede389fc9409fefd0 GIT binary patch literal 77997 zcmeFZbyU?`_cy9?z!qr%0o@2l3n(3;bV@hqrW>R|Kr9;Ebfa|RrlmzvO1c|qq`Tg^ z^*qn}yZ^m^-h0Qp$8hN8D17%?bItjwb$p-6iC@1$cIDi;bJry$L=?}RyUcj*+&>JL zF2Gk9Ua+RXZ|Ch4#h;wZ>$trLZ~ieBmK8pC4jp{;_ysn+zicC+VR!D_jqjLW=bNlE z49=Z9OO+H6R(9518M~^jEILuUq0;iv`&zpN+oMS~qBi`B%Z4=XXwzs?Xi`iw!hebi zyWuafVK1wE@kf$~{ao9P|*Knk_4;31#z|;Kuic87eC;88tbFVpWdSU(dU7YWw+y8wtDI+rZ z-#6!s5f?80_Z>F@9`}FW)JFT%p8xN=4v~Lu{P&FwEyCu%Z(eiY{ofz;?`r%XFJKy{ zac2UNr0V@k#$??1n_@tA^18K74s1VD+FE7?7zag-=JMB6J zN*$I}ot*a2`b~oSlW&pq*JKg}-H&!x=7hKDta+j@GGBFm09TN~0iD;CpYJ&rfTQ3{!-TZw1yyuJOe#d%%2&EhOF`SXHU zAlc54aiVX4)XuPZzQ9he5&~=Jhr=;Y$=v;X~B+}3zr<}3~l4tfhG zo2{(KOl%5X`&$o9etvoJ9lp`8bQ&E3Q0e4&%=9t8E)#)j#(Mody#+FVw49zJRG zcKHP?EYU^<6bki0ps?F~qSB?XInF$n=YmrMky;$DgOov>Wml4DD4jepsrFCJI~OA3 z<0tZXsO z163uZ(8R>Ee9x2C&d$!Jruk^&1bQYW!sRx4W@aM#s)B+7tcy2%WVZHOqtu5Drl$;$ zcw}}+A*a-|CoL{6 zZg1Re?LCR^Ex}j&;cB`(R-uL=H zgR8_$CKJ_F&4bUOZW-0`2&1odQ3vyPms;zgP*w2L5tz<=?%eAwQatW?=ZyxEB>Hjp*NzDJdz<%+1lV7pzqu$+|IB7Am)2 zM6eemiw8R{^-3CaT(lf6!lT!4buG7-^SegIVbpdjQ_3$u>d}k3cW_wL3|I*LI1Ijj zxc>GcE-@)xOGigFtgNV*(QXn{btYE9$58;_cPp{f(Ik&og&u z4wTN5UVYhW{@4C~TAPID*R+-1dwa)znD}s=yu@~|Z1zBH}TR(Tmf| zaR2)wxT(6b`|foL9$BcWMl>%}ZT?`?d$rN9S~|h9xx2ozBP%aIQSPw(Xh55q_))Cm z>aZ{2>&BZ{CX#S$kJrEB(#gi$+jO_~F>94re0zh9NG>(& z%Q8-I5i_{`Yi*5+ii(xJ!|rg~6cs{G`w8p0gsql1@*K1E#&pB@_&9=kq|g}G>21X& zg`A~XLSS!{I{p?i*-peZ zy9SB~PK{rHN^x;9f`&t&6#Dy-PK9H5L_~R6nf>okjV!#kIM?x)HNBugSK*}4bZfb! 
zuB63U71-u1`QTB%eEAYSMhvgRl9qK94SP^lc6Mt=$0>{qk5I|>d}UYs%x$rt+l#+{ zKXWrc2np$#eM)H(a$cX@m}#nLdG+d5V-Q6)Hyx32Gn6$BE+rGY9HI((c$J!g!LF|T z2VAPt1`<7=04W-QVdF%1T6WG*%BdzQ&t9UVmQcD>_L^xw#^aL{@jx;fntHJkh1)el zpaX){;b8Wad zJFor_+I+Y=9I1x1U6Z13$Gaoesr`y(9I3o4;UjS1=mp}{=asRsvAgXSJM1!lFULfV zSGi3}KpvEIEaoMSFL{dEU}N6=3?rz&XLEFaHX?7V?oeBHon_u(4pW;@q}4@C#I?QPe^#YLp3e*F#CSWZiP#*T!O)1x(6 zYIO``P-k}g6|Po)CAzeD z8J}!CuL}P=l?jid-0hUrky4V1Xghe?N2!{tqhFP>o&hc+#x?GUV$;8-SEim-`r9X09zd zRXS2LSPat&`S`R}CNuUXJcS-UEb2;h*LE6nV6EB?8Eo>nc;oi|Ud`F+;vzj|#~Y86 zLpUvVNGdy)s%=Gd=E_@K!JCZRj%(x0{X?e5`y11D$+j@f#AQAn$<>-d>poOqh@=`> znW)iQ$x&14S!WY-%|AIluD?=+Ic9yX$oC1WbSWL5pL$cet)SugG*_&H>@}s*0|&oR zdgD^bNl9&PZsOw_2t$!hPfyni{%w69iz77dXFC!RhM6g6)xCTDDMeOHh|Z~eSXNT_ z{N?uy;b}#mo~wncn{hO(`*Xr*Iz6CcRkj>Sh$V1_Eruf;GQPJ~bEeD0PA4RE*1@;- z>Toe#^z^vYq$>#q?62kg8e$iLhMPCvN4UgdV7QP_4Zsa(A-#%jzN59Rdk0bb; zepl}FYo*J^8gV}v?rjVt7Z13FM?_>;)vq3cLfOs)atXrl;o;#46s!xP;7f4(&0}r7 zX4o3xD_WA7krBmhi`@G?mb#TyP@u?E{MdC$vGopnZs&A^e=5H7Qf7Mf!5lfdnLSf7 zk=@WwSv+N!f%uV^@wqxDEY>wCh7Ed>So_Mh0XwpGX0DGVCyc$HOZpQ`)Rz*jN8n{?`XU4%ckCt z)h(snrLCa*N9i3^Qc@CODg6_F9y+`-T%qIjel6=0nAD=xZ22{(hrmcEd@_qT*DAN< zEG%-GZxxPz9?jF?Lz!^`oB~kG3JBVToV%1@Gz6-L51JbQR{|IE9L?e-=%vNW?=D}x z8p~lE)I2!pOP8Sj<+)dLk<|oXe0X|MF-O4q{$YmD#ID}B0TqbvLXN2pYOw$t?n|Yv zJ7$?0g9V2E&0Izeeng)?f8I@a2Q0#4f6BYmYK&p?&pN{Z2q5JUsb<3*WBYE{z6yl( zTMS!B(F_GlqvI-{=(?0CmMne+KHpPkXJ>*LNuV3W${X>6`x1$dQ~K9n-3SjFEryFE z83?rA*mRq6I(=Yvd1RnHiB5d#n&bL#(Q~EHmQZqjqEOhF;@bfMTg?;g&KcQya z5Z{AG*~iDn-juExX=!4!Dp^p~r_h^2u5|#r;5ke`#4+BGRhe)e+p=+|OK6Cna@RtJ;&2 zXHacUaNivQjOru9xC_I=KWwF2n$_~*g;J+A-ORzQ%}o*A&hOu6U;*8rJZWX3?x<*? 
zduyRv<(C=82V%HmX51N^LElP#wi#%O2_A=wbcwGNUEj6^jf9dBEVdCwH?9m9oB#YI zY-(zXu>K^UDA=vUzfn(6Xw>dHixU6+b)K>?G`<=TUbnDcfFZnq$E0yELSxf0t4|re zCm{O#`6MtEdetJ;uV24n#>G_b?d37&nLtGa3F~&)>XhLZrqlh=9L7@lY6dGs1}!0; zXGaqV{klVSb@F&Ycc5xrjH)>|T?7^jxL@tB!^}QLH&Ir=X>L%&5)ZnKlH*^-n!7ZDs(WAFl;H$LfX*}YO&{Q>!qpZPZD?)GtN6`}F1A?s`5E~heFiOS`tG%&j-%Su z;bQ5WFR}z{SbMNtw{Qj%oTq)Kr;+GlFQ~pzi<>J6Z&c2otT$YWiP&e0Q!!> z^u^`_r_calk^@orjUijb=4$A48C$9{7!$rkoCI!58eeha7Trmq;S)1!ZV%}FaN|$l zv73XRl#@ufy)&Rk!f4RFn{;7eXR$}TG&N{D!H=jB`q$Hqn~i`najmVb(S^D;Ha2o{ zL4!~7)6$FzB^L%Hi4_Q2(sg%yn&Mxy-g|%}1&0yW_9;44WIV&;dd3dDZORyyz zmVq?Dx>_ilM(=X6KR>x)wgbJK6aDsl=4JLH?QZGNgbs_0?!)ZRYn1%z7Fk?CssRwA zhhN)&$cGNoNN(M0NgENM>u1{(_1|z4~>!&V1bX} z7ZWG@GZmE`m>4lteHzK_X+uY~q=L#aG6Bk0LDGQ&U;fn^IRUT+S`E@z0G*k@yyvB) zEkJX2JTH_QQD3w;Qf8~4uUl0w=BnQmM3mi*3VLRdPC`jpZ8gS=91 zZ|f-NAJpl-EzF(%ZsMLF+drk_uG#8c)Ae`@(W~An&$dlzX=q>r?_8kE4A$LV8M14Q zU`Fy?ZR@xKTkDE07xgjjv*W(72VHp)KOrH(2&;&Oh6X{SBr=JCf2xBrE1AYL7t(KO zFRZTW=<2fcYhcQ~zP|n;*#w#3t1{Irle4Ug%rE9qX05%+2TlCw6 zii(OIGZQkeZ0iSrkTOij9fGKYSQK5$SC=1=c}Yu3;>9jWUJp_??trxy3#Me|?9)Oc z->X|%z)(S6tx8XDmC7lUF%y99{2wu|K=tsg;XKY%9Fa%pD6p||@ow}f)unscb5Tj~f zfaZ;YjEwu}j(4d>Q@|cDyr*7Fm07b$VkOzQO5*`@EkGSrWo4hfK(;EPA9x6;%|5v5vD;}qR8%Olc4!JMe zov$Y}_I6PwfnOuX#CH19w#DVZ?X?L#3uY~V0_rcYdM;_(nf$&qnj9?1up7oh>}76W z>vy+jM0RN0VcdS2e&=>j?V^F9p>JQHg2*J!joVNwn4+h@u!mVD=50*(`m?m$T4G+k zN;1Yydt*-iM1cz1r%t~|hZJWgfyEJ$FGj~xci{Itcsn~PHVGx9`|KG8>qJ*^jgwnf z-YqGVVOvY8si{%#x|PXBc(g#l@BA!>!zfeZi{Wsss~^=<2@F^2kA4uxt=wJhe$?Hq zi04iYH(eJO<3%d5p(>2IT0@3~h?KKQFN!tZc+uy`;A_OoJ@n13R+)A&iJ-SFR z4+}Yv(}O*Ah2X-Q5YE1(h>=uBCB|lk^Y5MRRdNWSLlmiT0jA9gkhW6C5e2xu6OlpJ)fe2hxbQ;;$bf@wu*sS}V3=v+cJleMu{<(X>vx{7vWw{GnZ>IZ{@ z<;sOSn~ zF;9ZDwY~jh&GU?roqbVsXLUr)z@pG*>WRF(JPOq(ADZ#$mh$kc;uhVK(!1T#969bG z4gMsIPhJPI$7k+fxB>m27U`E*$=wPE2NZHqG1_?i0bRG;X7xwNdLNKY^$ZN6qoWaq zkGt|p5_7f^Ptgmy|3R3 zn}`IfUq8YTG|;9)bR(MwWq6-t-o+;!TI$ONQclB;^UB>_RLW>~l#kBB`YB;oCZO42 zqT796flU#>^g*t)v@`+z5G-xZEqvp#425LiUAy(>#p!?BM6FA@iumNc 
z8yBbIC_O@tVdn_w1q$P%I=V5&$xD3EOP_tGGPV>5^frO}W|VD3FgFHMu__kKUB!Ep z2>f-}%j3+o-6>7SZME31i@5~X%`7bG!tg%B>G77l=*OKPzTY?LNA~ykeZtySE*F~i z(4s;Pj*j>qOg4^VnM(qczG3Z+gpBB7F;jt{y~Mr3%Heh`t;b~+Won+(K6eaKN8V=SYUB}US5X= zP1>OCK%Pz-wH5Q%<-7`zFc9n=5s8WL{NLVQ^bfNnoImJ@=gZE@5)qTPC9?n(s4q(e z^!-0Cx44UJw=TZ1X~**jEvu*~wVu#5FaQ^VB-7|8jH2&x!fafccIMO4s-uQK#4zAQ zRLT*AYS@1NHkZ0_Io&3t+6RjX(JqbSZx^Zfp+|yDOMF24?DpHhWE(=;JHAyQLT!)3re@C%I zp|=Ode1HG&_S;}MDt=)CgkB#(p4SI87?JEW+l+#i;Ts@h#v%GcuDZIq%5?`^qM>hP zX-<ZSgUkOjIf>fWX%3P z;LbV{+5T5p*lh&@dHNAZK}quHU1y+T$|)TLFwvnxxQQ#+4UYI88F$=9b-OL+mZq?K z&c{26j4Sx*f7$p5GaDKs##TC7nOZXIH8?q#PxSlr#L_Ys+1xA3HFi&Nw+y7fm3Z+| z!#F{AUVeUl1mej?UG6i&3j0P%7@ve0mNM2vM!cNOOifmMsh9RKh9NGhTd7`yCa9{5 z7ejI+S{#3m(ktSC7U>9l%`af3Et&%qpiY=_qjfdpHaXW7!qlOA@;d!yVs{M5nhN9^ zzt7HINMjUHbvB76h4<0!rC4zUuPEP|J#ehvBv^yE2`yX|TP(~3>r zzVA5VMEc0Aw>MKsRLmO6Hk4L&b9dJRnl)G`YUp0MpejGG-h9Gx%E|^?TbIe)qB>&J zxnKNfZH19CRU3d99$@bv17Pmr;*z$9)+#nrk&y5SoCzSB$_8g*L~A8YKfxj=ol`C( z^SN~4Iy7GYFpJvP=OeXW`Zf>Bvwc~_&~02nC}4(;P3pLyEQ!*ub| z(7g8cNa(%qTX`EDecYS#uZ{j-x+>5~1CXq6{;NHiJ=k^z+x%+4_&f+((aaC#-JKNbl~N%<}6D8x%E99dZ0?2z=0UV@n`!4sQWW~vk= z(3x6z2%Yr7^#RFh@ae#Si8xoplI?T!yWHpCM>7 z`MQ}qw#PeXh^WsbK1Q8Zmg#&C+j&k!na_^>b6VV&DHgu?sdwTcVJj z0h4(U5;`ey<{a3>2*m;p;|`y&1iKkY@TPClM~CBI#l<}X%!`5in~gAd2}nqsU_l!i z8!371C72vIo6HiE>hsE`ub^J~tkR_Ye5F4bGs9m>XbMNN%$`g{M8u~O4eon;fq=MSOS*5xrN9-9m)iHbzd3IH#|P?P3|)LM@bH}}Z>n*O z*o#7+0nG6yW?lkE1*52kkIwJb=z$dv|MBsjX z?TzEMePUpc*8XN%^wCD3Du29bZD;QwS|7UlGBE#!+IrXSyRuOa?y|Eh&c-*PhX-wn~xB)%4*WrfGc^eo`Q5L(|`{Y9)sp^>kEVX{~tK4Tl(YE^Dl7XI?e##X10 z|H%%@q<00qC*0@hkk9V{j&3V;st_^S5;Ey^n^)V&o z-p1ns4BpN8(himpke9sbLo;*@da))uJ%W z8I0!}7#Y#J?S%&B@4x!D8{Of%`1DO&!}ELE(g7aXPEa>KVdEg>(<|nV@Q|LL)ArM7 zzz~%moE46%`1Ib~j<}RPdAsn${=EQ#P}gN&#d;jAa;1;{Hdz@&gHj*MW$gi{vH?+* zm6e6jHw>6;e%va9hxHHJiVD(YU}YttcRL2%7SVTj@7}#p`yN>YHG~C>L`B~>N5Mc} zWW|XIP8~7PFdinx08d0}x^prhUC|$R-F8>-=%W`k490}O`iC{A;I?_*5<&xv2AMg| zm|wXGP|PQQgWK?0oau;pBw#4Nu(ol0^BaEp+%B6b62)PFOZY(_22~VvAf2k2i_Z(# z)f}!0 
zqob-X4=O)DUt;mmuP_roCj8B{96y)6Vw+^mi0@G2X32%b!3FyA3oV#t)$wbc8TW$N1s4 zlriHyy)4jIPcf88tVF-*M$;RV5s&Io3O)gS6@*t%1);s%w{UF1fy&7ko)>|YBFZ)Q zkDoWHI+%;~8*)u0mggn-7XVKtIgNW86lvGjFgM!Y8qHG4#>lbkx#3CjTRAON#+pJH z1{`AgkPKDerN6=P^v1S>)lh*b9tDP%h%D6^@=CPkshe`N>+k-2imL-44neKd)|&n) zgOxKV^U9@5CIfl#&CPLqe2GEG4~<1d4|`(EHJm^cZflc4ndX87I8g2GhC*qO;p}yK zo+{b;7eKg2A|+-B((L51wBP1Jy-g_wab z&3#n2odu_I;q7dUbfVChMdcX8n^o_TSjEn^If9m12|2Q@T*KC1a z#5^*G+z3V=BPAt;Yz6%XrQ19&MN&GbuyC#cT3F1WWsDKz>-Rj}qH3r#2-F1aNuuQx z0y<#asT#0okB^V*l-uKx4*3x=ie#|?@os0cOO`V+$$)bKEd<5hgg)$sLxD#v<`a;^ z^P9kB#Ih975g^f5Kp8|DIi(|*4j`)|l2%-PxRkBux=4dUNv_pFj8L>OYP#JW{6Y+j zV{exBf>kgobAx|bS~-o{ zHbJfl1|?m>zahqXJ^-qRHD^aPf5eP!N{{^)q622x-N5lsA<#j%1I6@betv&s-p|cX z5&anq1fQ_$5Y(b>APmE#_cE`>PseLkI&WYcQ+Cxy%a-rt5(SwR3v{boeZzQe43IR8 z`hxoOQmXd*M|%YQZ`%F3tE|c@D!wxMQqt17qe{6d(QNvSAWe#jVQBZIRxc3=$sXvHegT$XH<^BaAvvIJ*A5HK!Y=z0 zl!At4>1CoHEH?(K7Zyw!_IWPKIb_z0NCBd-;H~-f6%jx0S8Hrxu>uVR(p20IOJNc% zan59aJ4)P|Pc6@H$VzPN?11$Kqgzx|l*g8xg-&tXG$EMFoGm`v5;8#u!|=jsUdSYg zB9TeW>N|ig=$~8wmTM`1MIRH3>@JCkA=4Vq#6+0D=RxSdg;Cm?N7_lKAHL#Oi&3_e z^?%o#c{I2WkAssX>QC$&V2R0qf?@6xaG8sXOLTA!vZHB*GchVUIvBs3@eL|>2qQ%+ zx*Ac(czJpGT|R`ZNakCsR03%W?16@RNhQrKEzv@r)y?WE>gpLL#CesQKfrYH3*hnN zPEro1bl+AO@!o?}A%jQSr%SA)e!;;c^yE=N$L7_S;#Q008RQ!*H9#ii@i=xyp}#>y zHGTi4H*NR0BeGtV85mqlU%6f7gQd3j?Mqc6n8#XqvA(mYS zaf)$HFN=hV%5!@`0UfUb!_WnWzpQn9IQY>e55z4}_F&Weh$2$c)BSUIst=bK(Rplu zk8d6=fT84s)FHqia_`Wwm#xgm_lEGL#6it9@Q?*w?SE0XL_!z*_U#)|Ngo5P$fNZQ zdqu&K9&COChX3>r#(YAp<*Ka?KBR**o_r2n{JH-T60z8Yb@Yk9o|2N{(>M1D1Vkhs zLBx$aEG%-Gv0-6gmwEb%Mnua^7+3X6SSJn2t-;>vB$noLf;U~*_ zXWgp^;%MsdFTnq-3SEK9oPqvTPdo><=Q8NYeU>?w2&6bI2Je*EVQeRD{_+I%7s29` zE+Q*ABm@N1{iF~0I(E9msdBTk3AEJHx=fa4wvi|v)tL9-X!->*eH)?#-Me%~2>OlJ^D}wr)6=6C8 z$)cg(wKb9zKFSt6=>*_yB$vPZLvow=~ia7B-|(6%;VK1LIjNN6rB< z(RCa$L@Eg^VpDS4Jhpfdz1;{!v?SIA**)LX#uOFEQ)-o3#W!oEMiFg+<%ti;eay>d zmkF;d4J`ab!oqi?Fg<*NgU=xU1ch`19#l=uX>+y(o;{G93q~&k506Hdn_=@JUKz$I zMVeRr9;=XUqE&4L8F8*Nk(C`sQ~sadnCy!d`TFMOkIqg2k}7Iyth$wDrymRypV<1} 
zaig~RK)nvnP>$IR7_7uv%aYdH+lxI7VmRQF*Ap{K@R#aJi%s5x2qp0mdDKHwMMJ~X z!6%pq(ucdm4L6B>cP_=Hfc^w{VwP*-6}9TE5wyPeNyJV{7M-frb6$zsu-D%WCl z=Fp|y9F0Pe#zBns>d5gE#5ov*g&R*Y{Um{g!3JH$sJG~NFASCAT}>@igW88b-=BLH zu6Y;LZC;GWow@Ol0-aVI6ZI3YVb zTiL1JELwRY(PfSl#YU@hlSt{&l0@VTD5ida*KUJ$X4WZtvG`9pU2WAAyg;WgnkF|7 z>UK1rlNBK4!R9FC3c#5|7(kkvD>i8lIk`xP_&%ZlPaLL8z-=Byi>y-2@%pzD8+VqV zP6;UJYQCwP9d|i28Hn@ynd$(AZIJsmfkA_!y>tiBf5TI0AdT{APKcV zU;>`EZdbMr&zakPQC?N%8P;+05z{h^{dx78)nd!go7>vnSd(h>6k? zy|EJMh13l$1#cM0Oj?E+UAqS;aY{D6ak-b!Zl&e##(!75i%F1WeL=pr0Dxj^YwP!N z9OxwSxl)g$@oClGIM^#qEW9AS`8~+$wTX_8TL<1(@GwEq>_y(!IkL<_9c^v<29~N> z0JvH?{e>^zrM1@qCG);cZp6LN)7Pic#S~S=JL))MsW_$WaqtUa9lpIQDk37WBRYE> zV}XOx2Tpf)&j||v)uU{S3c%dMvR*; zNGD)#6={5(r4~a-GX4lM-NJmi4G+nba$12; zy?L(A&Jy`*h(~K_#xsx|Y&&K8+czht9f&)gX=yFjYc*WE_25(2!SDJs*OCCQP)xQE zd9jt4N&QX<=TFzhT1mjHX=PJN$$-4+Rx`@ngR1l=gD3^cA%cKH4^4i13)dA`D2ohz zsehVJvDx5Df2NnlU|p&7jH2Y`WewhQO;&3I5K8=;PRZc~$zurh@B=16k1po%;}~VZ zDC5D%J_z5}-{8y^GC~cQ7wb>jW7^QhO;-?~@RtLks}$k_LF}$ij?ypD0E@}q$%({e z1hca$Dk{^$mP!f=Q|rN$;1@ApcV@p=Qlg}+95y&{;Uatn5Ws^yk7uZmR9AC^9E631 zlNB7L-@JXBE5D$*78l^vgJS7NUi4PyrMcGBGV~jxEgbzdM;_ytyOAy-XmpiVyg0YaVj;>p=^kc%~TOQ)ZkxK{7 ze?7wJO0MTM?J5v4bnMz6A&u=IdDQ@&4r9sxz!cnLKfINNX#{_Fvn|^K*XL0TK@6?=}B}GNbD@MVf z@rkkpC*75HN@BkkUJI@SQ6WhTjfxla*uKVZTpxh5?bc%9s$afXUQr<*%PFf6f{fQ? 
zq{5 znAk6uq8P4?T_&K-=rh|WBbE?nhm=gu2#aRvtAkAdBGUZt44uYZ(pR01Us_y?3))VT z7!XIN`~Hd47>6s*fk9&NaF)m9=cj|M`PlKXo^m^GoV)KfFjhK`7xg{~Rcg1$hG z5;<2pAXE&Fg)&YxkI{dV+2>?zsLG7&!C8RnFM!KJ03N{Y4?SgNUK~Wv7)I*Qo=iZ= zLnnola=*Srgaj^)BKzWb(H}+tkxl?)!G*>`i2W@>7u=MB*eZOmI47)<605P8*jO!9 zRma(8yv&aR0s<8d%d{s#?Cb>~kt37mP~qX2t6Er_tEkbjF$Z}82wRbRtLrGs#c|)Q zk|pP~_&A;hGY0NNiS2RfK)e~3fBp4f#$^Cjp+9~|1&VC}_mn=%&(2_}zgyvSN`94 zr?httDi3k_+&L!9&89!sE-?3>@-SCN{&m04x&HU_U_JzrSnA(TckbN(U+=;W|G7}s znORW4j>6o2{`=~nfQw3~m&)0ND0Ytp9zv_@RmGLYB(^SmM`LasKah<9}E0|6Zd0--Ysj ze2M!13%AgZR3eQ!$fkNgGL)}re*aztX=>hm7<`jEGV2P7*rAKmqk7}|oVIQ=G~wgr zmv=a{v(k1Njm+w=6e+&ns&`8bEs|vN{+Xf_!-%=u|5`OL|J?)sOK}2ASyBV3G%{Cl zZ~Vk@G7$87`dwdFqIJk&L&U{wYwn^bOB;P;NKAK|h8Jpa*x=8PWR|tPth|2t(hZM? zES8q2G*t`F7mV`3*W$u8vR3z*IyG*QJ``G;b{^xVBBJ#*GmA*qd$vBSkr^G!5>kG( zLc{u)`BEqU9Y^uyZ{b%l4`WHTCV43_;$t~O{`RE_hM)L8wL=+M_A1&o!Ezp-Lqo@# ze~c(ob^OAxk==41K5tsQQZ-z6Vm$4OjV5IF|Rkt=N zpz7^RzwZ8qX1mvIFc4Hp!u{^qcyxu$&8IR4_+DGzj$rv#vA=Ll`%BqNjB9R#V=4cn zpInj+@0*93<2q?VNY^f~{rL@4P%HgHbKmBz6?PlNQ zsS|hcO2ytEM_Y@@eEHxV$T+;{&iGl@X>lB*ldx;@tQULSeU0p4>GSrsXV&zYyMgM@ zKC(&1S_rGWx2_LZSR0y>s+sgD>+KAReu$bszSK3GnSb@lm97))sJPoPZKU)(B-@>O zm2`#{?gDjc{uM;)o;9jiTa%wj+KdJg?WJT#{CS6y|A%f3*w zf+Bt2$AT4Xyz1Y`%!D+P7n)PLsPmekweP~qF<4REv4ow^fLWJy*7B=4;&Q64h% zbh`!=ExJwwzO_33Wcsc#k82oSNJ8bD)tNLGMSjww_NQ_SkZa9 zQ&-XSLPd2Qj}I4E;QzOflQ|ZKU;1;QqQv!hGeqEPtFhR-8<($yoQjFlcq*$#6IhRW z>fPcJ3e8`rJ@_U{!7KF0<#qF77}bj#CZGD0ylLA4iA*U1{U+Xi^QrJwOuvB)50dtl zLyEp7rquoep-coR>eU389VT9Xp^G$#jL3EAF5}ZviCTZsi0z?87Do*aalbPv_SwDe z0^t@O#$*{!hiuA(C=}@n`+0O<3n|I&1MbN;)5}x{#d96hd6AH$if0>_;r)AgI>&b7 zhMNGjex-s_wV93?@yUS+j>sg_NNi-W+&#ln-+YlH|Duq+vNG;uwuhpm2iLz<)VWw* zqp=K$PzlfTyNbKsHAiPaiW`;9pchHT!TC&gps~<%ebz-IRfVC?tIfv6_d&lw)EKI} zuGsW)Pu<(M$NUXq(1hrkQs={BNjsII?v->&c8@hHgj)a342*W;(Tq_MyJ!;a%<^sb z`*;eUL1%Lx(u;|)z`IgCiIqTF+$2Y}ke;-EtWVjj^VZ)7x86nBX)0*F}$%4lJrJ>EXh1Y zKaAFI;MH)RJCA;HGqHbLhV{0TN~(Eiy~<;)x^6l)4sol+ABHmJy=e^snx2v&H*`<6 zjU7i^9b%G-hpU#Pt3MyANoR|ix``Pqat^fkWlRjF`~%0~T-?P<>bdlHzD05h9mICY 
zlMmkyv##w>G!NkXpwOFhy=sB%86XxvT!?!WXOmDkKMZC8sH;2vGE8O^3_^Z44O2Mo zxMZvA>kf?wBcGvxJs{|MXeI!<{|%g^z?C-XK|$2VuzE9CMs9+7hd zkYRtX>PQ$Xm#F5cqFMS>AJ|l%_Cz>IJv~(2ri4k0=UA0iz~Sqlc+>1JpI_n8jkyt` z-FBCEDI7m<+>Pyy^i8FP%ce1S<|T314nMa8LTc(8U4tTTb?`LM<3*UNyLBWmbLDAg zeF->02Cl0~ei+)*oD(qpx-o=&nH9&-8fD;UAoqAXeP{LEXMOCebvf66EfPiK4MGTYYafY`3@r=~Y z{s(zqP1(vH+`q6|(7Dn%aS_*7Jq;Ugp=FF-HYkUEnR@?yJ4{gZqsi`86z{{Y%^A+j zI$xJ0saBKP`)))#_4?uesz_B)3L!QBWf?IcENU9dPX8x%HXrgU;h$9fA$gy`chO%P z^==0dwQ(J%=Hu;r+#mgp+9rc+mnjPe(um?&kW<%rvSJYBMex>;tj1C}v~f&^;-G zpBX7nR;?46O~2tkwaXIt82W&vdp&aX)NZD(+`lM7neFK@qP=>cU~{`gxQCrto=E4b zk>hiN@}ZsgnaPOIFfLc-&bUc(ZpPN((H^(LX&l_R%3+((;mRSesr*@u>}MUbgTgU` z3B&|1TnA*%zN9}9Rg6ICJ=YeCsVv4>QC!tz$QGxFdc!Ejo+eBICJXd0K! zi|SSG1L&257nkQgh?H()7a=$bJfFwyWW7+;5%$}@`)ySEzC3O)htR!CH@aYlwUlK& zq-Hr?wrVPexm z9^3E91s0TAX-6iJW*!|_k}ku^!V1}h`FSNax*zpKr2KWbF`HV%PFa1v(JSvt;5U-{ zU)RhXgHo-p#T=(hqWax}1G%@08;Iou<+v&ExTUj#RQ$r^qVkKsQEHBz1Y}!CroJZ- z`jvXm&K#g*jQx$>E0?ZZzEUn1^uqjMpd(&J{?$Ma4@ogOE31U?qRV0^ZBZt zXXgz8v0J+)+2XY6vRo@o`9Go!)!F)ldm@d^<$G5G=E*#Cl3ZB3U+y`X{dlsj?d;ei_^BwC zx}1OgRGTtMUXNsWsHs+yQggoit<&}$S%a#uFzOJoN^vn!-;@YifzJE?IHla_e9kcZ z(^fdJxTEaTbw7z$cR3mAOVLXFG>bIS;mXmz+V!)^&`ZA6_CL{3$)#t`(bg zl9IRE*Iz9Bqfn4hpu+Gi9mxaP{)fNj*}7gcj_b+l)-AlN6su{x-69zkW44}f@m`*+ z|2jTty0&4=saJ}l`;x);%z=xdG{#2${u2G0v(XCuGb1-NV?z)^nR|CEH)3wP8f`0% z7~K*KAu!(WlA|E3cp|tT7qE}IE*eFOXUwf*aFBJsXX1ObTXNs&CeZ_r$}ZN8%L><%Z8&K}YLY5zUb{GY zSfalMcMLW8&fRIOi|5OAAeL&l&1aNWp`a*}tN);0h3y}eB+BTh3O%m8qPf9S{o&q( zUyY9#?(k;6c$1`0P7oeCd*A4@Hd(BK0Xt)S(JQYPp29ibBs4=M9dH_q2ZWF=AExSU zLKfu7DJ#41igA8K;F83)^x{#G5+$E_Gn-l*Qk#pbhaSasT~!K}VR>-N+b!q8kaM$D zZOAH8MM>(~e4Hu8!zMlpVXI&CX#Zzn7B(zUkb!B}Id~PGMl26R$1yDV{2C$e@ct3! 
zJafKKxOLA*#c0IqLr+bbMc@X%{t{iGL$KRQj|p0WxTJeHz&^13S1R}E2UC4)aa={D z(an=j3x{H#(kc~eQj@Z>u8&0PYkZjcn(^pbYR$*!URwW@L#?0B+KXiNRJ=Pnb9>`+ z9yKxG`uCL3uzu1aAsz5=c=jrY8xbFK^0mcoz~`cpN8Yo{CRWxip+R(x$;`a(&o!KE zve@?pw5;P9&-*^NyvIpzntC()!CGANe14>lN_X^&xfyZU-!e0+B&70Yzr(U+LWMqB z=omPcWKVPX{hH&pCYJJ@LL~|qJ(R3aeOd)!19k=)2ayk5^|4|-WEZP)S?j(J`5nSk zI#B(d-IA%V#i1W*fyX16-18j6X-p^xC!%sX$nz`bQPl)1>tx@n=^89q1NhR&s!P-t zIh=0wbxz?P|ioGOanfzNyAY`Q@*3)h-oy%bG=iEO^*fN9pe5Z%$dmri`T z(6q|HR6eL^+h^IR1$JSYE3L@%u<<+(v8urf4x^g3KO)D!_ez>#w0e`kE;6j{n@65& zgeNMdRlwJuhO6*hyK>w-$FC@#sLCHpA&TXBRTyrBFkR_j)#cZ($}Pelr+@sc_VAME zcgmgVp;u2X@cnRRck)TOx)xQMnVrXI_Z*Ik?Q^^J_S7rrjJ1Is!}WKZNg!VsR;Zm; zc-PIh5Z|n>ft}WfoR=VOQ=-?haVv>S@01Wh>Ue}WPxeDoJRyIT2Y+J5nEHlD?S-Gs zdQ;DoPJG_=#0X0^=4AdoF!mK~l_TZADvUYJJI$N`S*9p?!r#%Sm$pU7pXAZ=w8qED zz!ruYMJx0sYm1(l*p(yex2cFCN=b&DdnNP$ZOkrdOD=J%8Qg+EbR6tUWLHf-7@3~j zVtEZ`5tmdCGmnema~b}g!t;P*Ox11+Tfz zkI|I$j6zu?n|c6Cryw-(DDHi6hyyk;oA@UatI#bza$Rq9;yRpEWvYAE^Ft9zQ+tKt zniunao9Gt(qr0DTCrHuI#Hi(Pr9(_DGR);mFwUo)=|lK^*%XhYQUYo1ky_)pcjF2iKS!|o90$3a<98dU< z8=NP_^6Q1>w@NdT%%4NjAPlZCxPQ)6^w;5J^)`PAl5xHA;!^9wxlf+5SpI=2gmL2U zZ~Qd!>vZMlRkVyXS{^q|=~n(#q9hC)M#-nlpAmP(ON7Qy_C$L4drlu*{^rzJ*3s9t zUOU_ryZG?JEV?=P411J2K?A2N-j)aBxTs&d)n4akG8Z5PBRU54F6CN=1ZRv*O}m+a zWq#4|$NW|vPxbjMA=H;6>Gg)bP!yw(_%K@^ee_#2*JdS2W2VnX%jS0mi^cV`r@{MQ z=Tcg1(-Iq|fcuurSAu*ky_0^uTS@~m2~oDY4&aqrTdjgK>7uFk&V5?y#_Ps=;I1t} z$F@=P+ON^?v%YJafPWpI0KtnaMHO7(br!w5i^m49FymApmM&X)!d%@aG81daQBj4K zLGJYr@&Q*34kr>(lV@n6dz`Z8Tlb#;z)|UVLUZijm^{a>{o?&St}XzC`#IZ?3K`w%=5R4RLhcT3TV}=6!76CZ@MNIS`Xk)3(YE(dH1~A6lEr z(Nlb>jCeLeuTEs<^??XKo?rTwt;|bB>zi1X8G7bvpgS>UMV0hu`ZU>6M2Yw&%1xws zxQMSdpp@~O{4EO~W70hs8+jzxy4BkuZs#0NRzfh=Poa@_5}Xrr1lqj!yiEEfWk1!oig#gY(ZEO)bU}o zZ6y%L*8$O%V`wuvk7nBhFzVps5H|C3y^u>18~*MJzGM+8JeJuP80Dhfo5VETv!x4k zZCn7<1L7BU2s}Tz{?&EE&HWu)!6mcA{4=R-#d=3K>V0EUi_Y7gSsaY7Mm^ZJRtfcV zb>fQ#_eDKw*33iU07RT9NYF~H@+mh|zo_<&VoQ0{Yh}5uzwpW0#`m;%OS}6|@xvkx zFCXRXgemP3urauHAL8-*#v11Dzqd2+Ezk)Q5_31wUo6BWq)JpqscN}hch?pYOQaSL 
zn8iWj-g(8hm|7Sfj_&^cSwI?OG|W*LNIjSfaC$+I-=CUnexO5I4+0qoq%;&R$x%Rm zIpn^S>xn3~`{;o4Tlc-Kn;QPOlvE9;Ne;g~$m>Z?b_3hbeK!7NfkByl^|<*Aqnun~ zCWjz7^$HmcqozLnvGmskiyF=y78f&(O8HQNZwNFQAO!)tCJL`uxUW7Oty5g9_8cXI zvR{OjU^uM2L87`5oaN;~nUAxHDfe05HEk}VCl;0Q z<}9SFhjsklFBJq-Ho4FGxsJCC^Y-?*>Np%DjHvlWjA-d6e2~8;eP&(nD{VbXUS(C7 zd%kyOH~4~t{@e1s0ja|XBRetfzwjI72b>RV`}8Dlh>YClN?;=1q`1G4^tLTAtJHxsb`eMZ%7{*)~LX0 zcvm*@dDYuSFxGms_GJ%IY@DMJcMCKpk&#2u zgNM*FxoTJtT(xvi&aG>K?6(@kMkXW!`2D>MT|VVMmgN?2xNrU$NC8Q)q_2^)h8#z zz{zV6Kqa1RyQT5k=3Spq^kikTLM(@XL-qOxSO3g;H=Gdj_ZQT4C@NHVvqXY+01IgC zAih5;Vy2ffJf%*W{+2j5bZui@gk}21CV~6>k{mgC5?)&;(N_MNB9E#$K!OvzP+HqS zq7_sW{WV;%Z5I&F5*DdINR(dm^OuW`ulCK0{kQKqr9YYQ#iB<^4f7N+Ps=il%cLZl z)V^dM=CW(-BBRU4!NALzc6smfeNg(n$il9Fx49!8&#WVkl!i6$v{o!1)yEox3>0Kt zn3lC0(Ku?jN$UbYj|k(;*aS!(E$inQiw}hn`=qN~iOMYLEHWx+U1Ir18PFu+K=QIW zB}hD+*M7567S{>WSY{+smNJaXaW$&m;)HOvezqV$Ll-jf>H%xXuWSqzi~LR#TkcUr zt~w*T_E}oa-@P$fR8}&5$S|rU$T#o$W64ZnwF|8wYjh*ddNoDoe`4=3 z-4GO*%ss{fo17!ir1Ew`0uY>dY#3)tNDk#Fl0NPe9U@*P<1P_Um+?;JITAlK)Nk`^ zGE7%6%+|2UqnWE5k(Bh-{r+9*`_Bb?awGQM#_3_MASI{xVF7DXhjYKJt>m}E7Q5jY z%^#GQW~7Zc6 z`gNjd^Iq^zv3Ib!D^9b*ZSV7o2IAJl|A2}HcgM&YO0Zj-EcHIIb)#ZQ1LnR?R?;RJ zcWfLPMNXetd3B{EYhSYaduDX&Qccp!*zGe{6Nfy*mx^acw?u~QR2lq+V?I^dCIw5u zi;SFiw=k=72gm%5wD4Xw3D1CXIu5ADL>_0J(Hqd^CAx^d>#Ts=pP2p(Xj+aj$8$kv zukz~bK2&L?)XTBD2ea)B-Vaq->%HcsQwg;c=`M2nayq6&9~39&v_oi zfUt9=i+Jg`mK8zGFXR+_g!xqwKh1PrZ?hQRO~hWYik&@IzTH!CT_?ehH?T|oiz(QZ zCm$suEG?^D@^Kv3X$TQa1WIJcmRn_%#o7Xswv+q@C@_0l^?u zdv*QEz(GCGD43aJ(Vu<_uBgd+S{;=$>im}8!uI8->q&c`U_!0%jkwPj$4QsJ?k3&| z-EswnL`-y8m)WY8)$3HrD{wS15IK8j8R8$RJISZ86|MJ(H^l z!1(W1Y$slr@XgzO6gE1qOT)`U9mt(yqJ6 zO3T~nnu69kFHD0==*0k29QP@PZgmxtr%e)sg~NF=4yG+zV}w30@Mw$@6)lUwKIS@# zDwv$k<{B_1CphP^&zQ(>_-i4h;I(dCtYCZow#8z!nV`E(Zi?M}8zmm0M*8It!wK6+ zgN-JxX_?~~5^njrCxdxmw&Ax$jt_61y4AS+W?ka-#69=*%sqdEWG{lNoiDp8skSb} zbVB_^nh2FqPJsjd^QHo0R<6M%2o&6F8n@ktQ(af5gcCCH$RymUYfJ*;|3u>)1DWX{ zdOgj4a!QZQ;~#q~8N@4GMa?1wyU;q4p%D=wauCQ8BVm!y~5fm?1@>i)I 
zMbCqLo!HqHr1)`R<$~=dTwyFuRRvThjDBO?_=o5sGA-5me)jL`YqjVZ47tafFy?rT zT_?GV8(U9AG$2}p>Pp-@>ZN3fk8=O!Ik(7ud4He4*=i(~>B-LuYDn#L4431T zXR)_G4R!f~UW(9iM{H|*yu(AK?%$01o#`h9%cL1a0Z~;}91?B3sMMUfIC91zP4Xu( zjh?MoC|_KTp}KJ*DT_7-M^^r~L~~}a5iVYY&x+oA9szmvJ)L_A=0wG$dFh~}7cdr?4^P%hAV-rAeRVpt3W8!*-p@q7T1WjHfkCzc9p2Pr*^ldVYo=FPJ+N(XP zW87FXoG>3fpDLPFDP7osR?iMV$-bT?bIVFy2#l83P+@VyJIDCpFob%+Q^s)z>RG6$ zzA8PEkF&qPm?s<46)*t}q0BYZpP-x9k7eu6dwIZWjES`h3kss1b#p5-4;(I z_>gdYf-pZV1#MdCf5|M9M!#M|PMRPGNn)pkg@u~~KLav^yLYC7Jf9@JR4vLCUhwW< z#6tg}`Ca>|YR%efb92-{69OGd@17QuAdl%VB`u?PrX$7)>K3A^77L2%`nzj?nyRU( z(L8n_n_$RkGOPbd;d0F=8kbF9e&eH3{LTMi&-Ixd8=Zbl>BolxWpVMK$-C#BefeIt zzoaaRA6uK={C%Tm<0xWlTCo($w5;Rw5JhR#3QI{-IVrnP31jMg+MJ%IK&+pb`hdOa zfBLO)ZSJm4lq|66+@H$XF{q33iCy{gGG#viGD z{7mPc%Q?T4^Q*uhionMm0(?P=wKS55e_0woB5O>uKfRbs*`>0ZEfS5LD+?j}(tt8) ziR5aOAUoqP^xs&ZAQKYzGk^2PXKOh>5L%szZ2x}Kv8ek_-SF0dPdfxAcs?k0Q%dN4 zzVV_r*w0uj+j7`3UUmH2VjCyAc(BgDIM&Yr@Yjf>l+33B@_{_JO17}Qlt^)Pg4cp4_x^REX7Z`5Z@>VH4|?^6~M zU;SS%zF7TV;M4J6<{3kdV*EdmQm{zbdqtW1o10w%eqBw?WT}7G`|pCRdCe}p%}0tY z)gw8?@~Pa-fv(-C}`G>(jyHMK6V zU(D852>H*pY5ah!Uki}xc1ZYhBC9bC#qib7FlqPMTwx&eCZIz}l`-L2_H< zt3UHaU6xf?oqa~%dsC!W7~);$r@#AFz3dbZa{131zyA2bEaD*RW@)%4-hC*0xepf^ zA5JRYnV3x=8AIKx0H)`5RoP^nsQZ^8{vbkYPu^nVo-Y2XA{eO~v*AHRXa}FCFQJuo zgQ#aFnEbR}5hnzdu-Lzab{KYQ60b374Dp;xl=C!Q967*&{HAuHQxK^b&q*+;xAW2O zh`_DUTs{$iw#-&K=7BS7Qx;enmf;t_K>~0R2)c| zg2+vmP1PH7)Dnz@!?G8K1p|OTaV<8;*0tbjUO|zxPg9$NJ6Qmw&9p$yc8a~Qb z7un6{MwC080Q5Nmsi#Ik_B?HYWn8epPM~8YlTBC1gQ(egO%xMD5dr4&XJ0Ts{_BgR zqqDE@K(AcF0C^Q{$+nz1PI{Az9Cr|7>T}=R>YA9%jBb|}X0Kh$H&jwd7j%{oxjY(O zEfmAx-6_F%J<9NB+$BCZaq)pq$T1N}r&yHq|2oJs+ZX~b!1f24-C2ny#f z4nX}+(m6T~rjsIhT&IESocA3dJ=VvW38B1Ho9D!7_ua*65FBsNt^Np(7y7d`O38oy zm>L`1mW1jyKl1<^4g&_j-o4*CX#lGLZ#U)q{cRUTTf(ZMAr?&44ll>W*9?HnRDsnw zMW%no>!=QD6fBK;+63A~I!-EAbOo1|gq8$b@2*;@^2~6SY0BmiCy~CzWDPqpm7TW3 zZ=7+Cx?1#MkjL3hy*krkPaQHnNNka+ zR?Oiq(*Vee+dR-rE2UmXC8_B%jhA^=RI6?(_g}6UZ5aa?9C}5d8ebtBK}2%6Lx17~ z{BfEqot(;Pm=A#MQEhqq&0L34(^y`Zjzk?~Dt}7Yg;-#yQ_Ig%l$kxPomv$0d5$f& 
zcI^hLBWY_SQ~LKw8ISVhNKSuj122u>7kH=eFC!!6xp?hX`rhd2w99~?#MS;8R&xg( zkBt6d+bX$8uk%(WcS>yeZ4LLSc{$8JGfySL(79F_J#9cnuABHRciUI59iFvb zwno;6blN@pSpVKz7~UK58s35PV%x0p5+_})rQEJxbHkpNaO@00M&^?*RKQ@=Y4>t( zPJjM)g*az08*<{XA>W6&)}PJ*C@?qHbX1NCD88BX@S-28F-LTLeR^?sCn6&7gcXE2b>sR?^ zqou3?f=yL1ziGxBVkdGf@`EbIg+3VAx7NEa;U^Y_rN1w_V`6iuyR`kXv0>grgTIsE zR2Hpmx_l*NIZ;EPKt3iYt;bCs_smKW5S zz6xQWKVy+XjyRIC8xJA}u&9ty`XwbX*D-GbTIS#Ua+E_}v?wTM7F2R8Mz|d3G7M2e z!wu!`LJU%6$`>=N<4`S{Ylgujl5J)oa}VRS!&V881CKyS z`Dui9E&GJ^%W_L^wU~MlHck&?(G&Zlg1on)G=)ci;^1DEISQbO#dQq*beHA1DY^s; z$7+Rc6F-|rx~-v}$=@PNk!kt35?w+)yvJr8+!Kdmmflr;ElF!!w0e?#8>E3n&a! zlm)L?EvB7M7=E*j98yl3o_1G@ORxF>T|B0cAjl6ViO%7jV3ftEP8f((@foUVx!y}- zkPdq(H&0RI`!F2S3Y+q;wcqj@Dtj+MPLNjb;pGg{>TVr+N{7PJ64bQPaQPVO?7m-~f3uI-F8}>{ z@>nhDGk@1Ea{`|RA=7$^J%T}D)x)TFmSm<51)-S9TfLr3rW6aKM&=gG^KG|(7FPGc zkKX31!>Ehhw8PpG*4UYCMkZa+9lcPrj*8XU)3xB&Ud`6p0dA)ojV2}{nV+9TKP(#{ zlbeI1bN^N0CSIGNV{CMgV%U`_glwVOD#u9>uc2%SNbl!$Im5T{Q~oJK$5+)lUlo2o z-c~{Vj--8_XO7}Vx0K7oYJGllaG&>fisl5N$)v>FD2HrACm!BwGZnkGa&~+gul$^N z#LNw^59P5M*SpOpW7gBh<&l5Fjge_DtyD%pL}V4S7u_~yf9L5ED5OG%m*0UBrBAHw zD<3MMl0K%3RtcCFPVw6#;bb$H!3O8Zm@m*$#;WED9kKOT)_-R*eNV#Bq2D!A-*!4B z-1DoC0E{>VIOog2h&Jq1JgWx9mi5u=%=~zFsOp1+YmQ)1a6pp4kvJFU-QxA$$EsOB zsLUpZipPU`!*6G#vkCs8kLHtMen-E8slYD7O%Ix_+Ac@m3_;x1h*4oU1OPa^zognr zx8%j$Tg#8(QQ-}~7A{`?0@tHhW~#%&HcPp#jpJd5eOZ@cj@p(rt5<^b?e#UA`MQVg z*^_I6tRiV-Y-<w_=MFY1XOS4VWweBgF0$M&^Fsaqqyc zh-GnXCc^3pwO&m_hKrywX6Lm|jG6N(`F2~58jDNm!W!4rUip~mxdJ;NS&!|6Qfdh~Ut^#-I5&0T=Tudpwv z$odCK;-Dn!L~78%j}~e3y}i7gFtx+vrGYPSRsRx?VFQ#mkVLx#&Uh zW3#}>t1Y@qIyLX=tO*wK6&u8*iTBX6I#V>jI-!m9He^ZIS1k*>z?PpXdWa3H?|=OU z6DD2$qE7OUW|L{!QYJ0%R#UD}sh9zlzz@)ja=}ncg#P3jPzwmr--i%TV-qD+O20eR zu^E5(&^G~>S$)6G!z`H}s^#eBuJKril!1j<*13*CTW`J=2u*Ete%e1nqN&~+~|@4M~n{=xfn9t99gR zm0`%REjP5QqEp*4bGr2h!6}8|HN78T>Wk266Q!>zb@zegbR!wY-^-%5dM_!WOO#NV zpjw}G1@)#Ff1#M+%T%~p`LuRe)C45pV2^l)ypg#Euy9Rfvxa94Daw&9qOH?5 zZfaB);#o67K2pT-Nc|O^6>joMfe<*@o(g5&Go 
z_;g0yUb>$Pyy<#Mg!a~`Xxe&Re=9H`JZm$p~SIug`n#;?j5P1+4lBn)a$BCA}qwAmg(q&2Ce^ z$#vP&8>_i6NW9Bh-to+9ivr_0BKT1WKi2NUEfcF1Pz|uqQ2;1YZ+c+7y<^)xp#lIZ zOAXZ!M153Nb*>@FM;yfsQ|OLo$0YW*aL`=TJ_EZ9?dx(maI2|B{c}gNsXftmtYae0 zvpT914@0)W&BIsJIEATvN7Q&5=)z@<*~{a)JT#iW>60_~Hsl;VF936Ce3J5tBT0O7 z^2*?sp2(9RzMF zv9Z7+Df38Rh4mjr)pTB}n38=~JRFukM2#5>xUc(E2Vd?`xnQ6g7`khyo3ALW)l5nYu_sNmXdfi=RHXiHj31WdQ)hoDI;l< zah`05>5IfW&Mw#bzgr%kzqDhI5a1a+|KMI zv?_;;dx$4H_o0L8L0y1vhHz>|1`9Jjh`A`LnfWL`UEC15vPn)(j+DtqL8J4$PR~aT z-7x(A|ArWwbwFFGIcnQ1_i3k<1;2G~)IA1?6CKFc3&teIvOMNSQmjt8YqT?bU4#kI@j*U4 z(43{?Gm2oq;-Fx!pjcnlE_^N7k4N2nP1t)`bSo4nGZq8dAJSo zH(bn8sdVEDma1kmTlA!mD#n>nux8ZH8=jc4*#$IWK;DA)fvmHNLnKQOEu(%sT?gUw zA=@ORAa;4Xin4OQxe8x}84=)yB|F4cQkJ#VP9mpqW@n`~fGF_%A+{=DRV#C{moSdG z2EI#on>K0AiJa%^Wf)i9(;}j$RSuJd`I7Kz{hL&^FFH6G#?-^FXFrl9j>Cs^S2&of z+v?x(Yc{Oq`Umxt_~`3%D@A_Bez|vkCNTGu#CLk{>a~&yZdddK$ctaaQNJ@~`LIe# zL>0W6hps4loPKW!SO2C{s~Z8JHB@^au~4$m1g}!BC5t3$ZWa_mq8KBdvXbWre7J#w z$PfE^)B5~qO8_l=&Q&F&RKT#^s(iCja~g#K(JV+eo5Fv-_hJfA#+tCgchU0T`8(`- z1K@nF?|5y)b4=o#XJ@@>pE}?VWjW+H@iDn{8MO3WVuFKRoiW)C2?X7LELihV!ln?b zj$Rn-=!hiu$A%$Y^11d3GhtnaA21uovq}`m#OSO`Ae?AT*jHg<2_|f1xP&&S*v9_2 z=CjO=y-zSYbv@+a*3_26OmP$jN#|x|Sv0#d6cW_wUs^qjzd7b}SeFgFtw>!=5yDdi zyt~-4lR{^0$RG0Vm?LjpO?2dsoc6Xkwe#E|vyfg5s@Q+sHlGuYf@3xZsdWuW0|WRM z@-~wx^*yXYL29YYq}k;g2bRFr(oE0ax2M|9_8xt)4ma}p;cbqwEn^+4;{14d-J0wj zOpA?FExvhOd_*(5F!*FJ>+hE{WmNnftPuL!vqS}Z3d21|06=_$>8+0yZ=QNfVV_gl zq_#;LYm@yu6E+92E>PyZ*JCP3C_^*->D|V@cgXzkcXXb_x1vis6Vnj;COe5ihz!3Y zL0od0X$;S`*B_BWQIOdf{vq{u*uSwQ81GPL8>1#ZE7}aC_@|O|J z>Y{sVJMTydNlH`~Ib6^cXP<`Fd4_^zu?Y4N>~bA~vXZv4{-tJ)sTU3Hr)@UJHwa~s zCe7XZGbSFOo8sb!L@uniD@_w?A7IE&Tl?MhZF#l*=$u&78KLbEAiem(>8)9$)8{i? 
zz2q%&cc5p_n|31F*FM#Va2d#TboTOSzYOZ0B^@B)8Yn4gxtO+OJhiP_DstX#pK3G^ z2B|63f&jd9t}BtDL(6vRgOu5M>9``CW07liDNqG|?3W7yu+(hdc)c$M{$XH@L?&)h zws5%q5x3~#XvPpTTl3u_B*>{r#q*ZH_hQ+WAgrvWZS48au zNYqP0vYRMqm9p984>HXYX=6vr8&n}0V)ovZ(~;;_sgUoX@|MEM@@4f%L3o;qa;jD zpSRNahSbxc^@GyfCf*?uiqJf~ILTn_Apa&#rz?93U2)3^G}HguP5- zn5dM%FDG>7X7Bw*0sZ-*#<~6%%v&f(ve)tnvIVU0t;+FMkq-^4zNy@=q(ArRBXaMj zuonE=wM`smWpwdTh?j}w;`!>qw4G_4FCmGRtk%GScAwEBhbrUa^I zQ&7w^;-Om^0P1(I*q0OcO!OT)X>*dP&~6hHTx!O8KLvNcT`Hk3hg|7drq3s4WFHY8 zi`3sQ#(G@;2^OxkI$0-i(A9Fff9l9k*L$b&!J?hnAe4+LS2na(_a9#gK{ zbD3_b_c5K>%g(V$_5NpQM}2~aEC_=Wb8C*>Ff__(%b}_fiL^R`@jGw|&Gk!5_Qi%h z{8bjKx~r7#%UxIU9vimNV+~jU=pylE-p3Tvn#UC2V$dL8vmC?X^${VhK2J$Q@B_Op zztaJqi4R=UA$U6`YD}KYWkW8o1i0mt2{*kWpKS>XP7PN7v3l!}ShT-3q)Q{T$3+Y9 z{?_az*l|JzJ&)G2UVUoON0`=Kh=rWlySzHPx7@pWB3?X*^wF(|!PI9MWt;J2{*#)P z;)fU1fp_CQa>iQM(jq7VIw@Or@>kVqxjc^lv$moyqn19182Vg#vKAKqT2COw_}6Oq zpX2Ev8nTJaSGp1wb7{BzjSX{yL;e)rrN9pqq?U*RjY3z7w8A4BwJVBj1-!o9<0*L| z>%%LH8rY_YCVW~_!am*Q2zz{Jgyh!p?%reU#Su6XNZSk7Bi@5C{*9BiWYhNs7rG+@ za~2*!5!=YJ#Sb3G%P+lYN; zTjL`A3flyI5m%WL0~9A`9hNkyj@qi`nbLZxNPGq<+u5IQ_u-qKBW5Y}zt}ws7W8@9 zk1ST1fT}I!ZHRZp*xL|%3U8%b8x5c_FSKp(i)q7ag&6!3Wt!R;%qmcGunkYq~6=nxA z?}Qh^&#&y_Q&AhpQSMkWDy#@fR+-I*v3>y-w?1!<88wf++@l{S-TUz`o(~Tn%$QyE zd%Oie&$O49j;nf+X0-2X%R z5K1e}lI=C-ml{F^aY%9}+cNp?(bRz{&(Toh#a3d;HKys+^-;+&ZImjbkm>h|Lu=7+ zVvUCSZJ&2Pf+B#(rn?tbk8NU$d1^o6sWETrLmK5nfwt6}W5b!jInpGC)f&L@2qt#z zY}8>Hrd2V9?3HdG3?_c=gXu3&%f@<&>fRFpi$CvB`zJhnCTJ!!qTf$SF}gu(k?4rx zt??UcM%L(^li}2TstgHfk*TE&nOI>N-xKoL4(_7vyVMT*_~zhDsbqkd` z1xwN@BCTpbbbx!s@AE%k=0uJdvAqkHhI-laV(fI^$R~@3Jvb*>DXGoW0h|6n>k@A? 
zwA*BnrQ?<6Q@`il5E3GD_pHh-oi*B4}T6qZW2KH^RQ zGHxE~Z)MZ1(Mfm8)h=s?S-s%Ba9^wV@(XTPa+lpK&&`S}PL)k!6IHRi81Fr za!L6BEj}$Gq_ZBW3 zndZ}@&^!j$4@_a}r-R#1eaJb2+}?L+B(jKlAnW~CHc#ax2$i_pKqIQT)Syt@n=SO* z$hi_qcfo{n1b^_XZ#gsF>U|3u1BMEOi&O3x%37`#z8>53V1;nzu;KO?Qg@ySd@&AA zy0rBSbdpa6U$95VHeT)*T49fqvb8VOsx;Asif{YmCS@LP3Hw(U3x4PrXqvn8jdwserPvF{&osa@&DyLbrkz@vFmf$;r$U-hyG_r@j> zD|QRZ;1%JC$jLtEl7>Bkg`>&21t{SGUyfCH;JS(oIv0^cRM6Z@=h0_9mUL3K5mH>d zO3pdZ!_1*Kau%-X&7uCL2L<#sW`1FF%;nA8*$mwM2g?6uK#9G0jAcuZCLzH2n1Uqpd|B2(hBuH78L1gEbKP_XrlcueD+s(?(V4_I&+V(X*2;{eMnn4O&xFWwPgK?)Xa`ZOzg6KW&aB) z$HF5Yxb&59189oDh_ceQ#j?7g`dc=hu{94auSnme(t@eVB z_)=;1Xn_&V1a~rfVGkGF+XXv{w_aA+f zYuB|^UoP5Q?$F#v3e+7gU(Bwgk2#MnoESTY2{~wPf6Su5jg$KICgQK~Wrr3Ft!~>Z|n~vnE;-d<{ z_4u5tS?Wr{C@lJ|e1xl>rNf4F`LuYSOC}w+PlF;U&jMJlTP7`P8!y)2C$8B#o8~#y3{&X?~`^f5lRde z1=r8M&Xs<^dKzx$^3JRSz|?wc+p{h_>^3$Rdkd>u(R`p;%3~lEr!5Ig z_(Sywez8YJsrISmkYn>=$Jiy2!L~Kmbh$U->T@A)AfGtUvJ>Po?6|)&RhXOntAiW} zTfIr6e=3Wvc*b4R_O-rvjIXv(?cOo?y4=Ts!+i8{m=Wd+A712@5)ykIr?yQ&gcz-l zM-7fli%WGPd1%Yu*WDwvIN`sm?+=QF&TjKw^raN50R+NesawnYmi*r!ex|HxsqxGu zvh!otzM8eOLGvT8)OnsYevwb(WfKy5oR~2?S+=*ne^Lm^zx$vwA-l-nXQ$R}J9GVz z?A~~dv;n_CHcf>DN4@vD0|Q^C2MltmDXrH?zUEKuWsTxb%-Tjq&Qb$tP#rjx~CgHJ2bsS1EO?mgAAvfae z=yvCkG*xipcU~f*8el{={g!pPn2>Cf z;f_#3XB8%LK8wYQp2d9+(-E8y3WPdY?EOD&I!u?cE$$;7VM`8!nq<9dfOK%18tVlf zc1g2d*@1W&2>s zbhH#MZ|J+O0c+(h@rKi%W3O8>?C0TW2)v(a|L8Gpx0`n?dKPq99mHPoG(*^awmYr1 z<+^O)b>1u17d_&ubp8c7*3BVr{zLap%!8Rcr;S=~EW3Fwf%HAMy|(#MB(f`2Wc>;1 z^l(s7o4tTAY7TwgCcix&R@bBjA&>Fp+wjb{agf#K^jz1OUTJ4(+O`yZ_Kdp{EXMxX_Ggl$BZ_nGB4R|cQHAWx+#5=upws_T+(&}Q&c~4{2 zxXUOS=8Erd`9eC@8mWBcfheB#nfR7q79W77HWm3w&i1iK`EUwJGJQNW>*jFyZ?kcT zBbO=&9Toc=AUgrP9Wk6;>8C+eb#PGH^!giwJNp2xD{;pS*KSY>3=+rqoyO>E#yN$_ zEn{+&?hOuEh9?F_q{Zf^wrBEsG8#Wd&93wn$x6Ll8~{Tmi2#FqW6Q&qo`koLjT)}r zV~_^he3+Vc2#VoNcJky8XM>GcX>kVU&JVuvG#uA~a-OLqX~+>zmbDz%wxRt7ony17 zjvQ@zdSLFFeQL0m*+BCl<+59O^R(CPwS|q1t47D|A9tVtzpHr}mvj6<1Ge|}WY_{N z&*HS~aW=Vk>h)?$DBjG5%W}?AGvQ6RmAc{V87*13>q~F{ats72r#__;GhF%Qm0>MX4F7-G-n*lz+x=eP3j3L&d 
z>9L9Poz!$*4?9>braU=zr+^ZuI@9>N(bt_yyNIz}SiQ+4G#0xVi=fh1Pjo<>h<32j zYp3O$43MC$DOw*yQ0DUDR%guFi+mWMSa+6Kqm~CB8}MrNpbw~H)D}h8=hvO|oQh{| zCqSkr)O?3>@PNcKP>bGHwc+7>R;N}VPejX$k**r-i~#be?Mn8;M=REndjb*C+#a~j zGyRw_W}IgN)WD`YMpLZmmZAlBWIH!~;;uSp@ACLu9KX>qtdzRYVVrh8IYK$JJ$r^i z1Ul2E;oS8sW#s9CNG$lVs$ArLv0mDQ*)CZPi>FLnnkILZ%q)+_;MqGp5U-M^wnII* zc;ZyFQ4~tcw%)E2W9WOP9Z*9{Rk~rR)Dje4pjLFIT(j+Xs&7KF-o7}TH)8beF%p6C zQ{jznez<(43{2CF*PS2{WO9_rx)29J0SApYV#0Q(9|x_KO(0fZGen0Sg<=8{qwi^8 z)+52O1R|CRUSCG&?1jRTHt}IuwU2&yh7cSKrF0sN z&UgB+k{tx_z&_Es2zZ_hgGITu^A6HEFWS8_9xW(4=G0}j87eSjFaF{VNQ>-Mi>bFA zwl$%ZUQ?V=i#REx^})A&!vpJsyv;xZhv(|sP9_nRfSrB`*NOZt zgWs20yTj?gz6lk4Uu`7-Iy3%+90RE_=o4g8tcE1f4BAE$J!2M`DxT_*_Q z$YB{+t}367z}BuGwzsBF^F+J>YT0d+W}9xKWa+er7j)$m>spU3!Wmw%tE=QIP;hK= zD6gjRI;$`~&~Jg*CydbhUY}`+qusU_5YPAJ2+KZfbi69&w5wDa3p++P2|iA2yS`MF zkDerOlUR!km3o1(o=?u9#jBhrMoj$pS%3~p1m4)%*L^O@Sd2?=>phm*uNH&J$)lbG zlv{VKwfG@Jg0AJwX)M{r^%_^^!(Mwduy+uTzLu8RO%+`+#-3ahoUAKAw!_|(d*0ZS ztV3rUziLmE{RuSc&{D-Y`KO2Ku?$wx4l02uR0N=F-b@!~*>?xWpsK zO`p*KSKWbyG~uQENfrRa3?C?dcH6ZCo*rN*b4B8@?atCHR+E0~w#&5ID}DvrJSp(H zli_VOX=SdTV>Wz<*kuz`cMhWXKuTy0%3Q;y466uqN$urLm(u6JeG-ypBBQ z?{m!9as6DuOQ>gWMR#QxfY&;F^D}|l?ksj{N{G9J#VBx$wDD5fX5h}A2>3>Momc`! 
zffzHM2%?XBVIo5}j$|eafZDUZcYdAy+}llGQbCVTQX#OmHeJ*}Z=I#fiFPtvQZ$5b zWToR_du1As=0e?KfJ_p^eU2#oCPJ@LXFFvI^aH5m%iw!01x0DOniA|P!HOV*f`GJ~ z@f}hYF39_|S)f1{8X-jyh@Kh?bc{K;^>GG3jkQOrmp{=Nok@jMi!{C*oP}aLJEr+# z%q$s+M-U`lUtNSm*ou{=0ASrcnF#v_0)PCW{-Uj|jW_%-jO}1; zaMxkz5zkV;hzfuD>QVTE+Lsfzt!A@jG=1#paPvT`HpW9Q*Kosqa_qn4fXmYBq-BHt0f0x(pK_|+u95g;DrHiseGBTiI*o2M z#32-w*-EytAWsFfToJaBdn6{z1taw3J?ZQ0dAnPkvboz5tdOusEW47Q{8_dDVwICFvg5s>(uXS(UZ?qLvCr5ZxyLl0dEO17u1X|kRqg5UpfruFL+TKI>v8d@ zN4dClwuuPmp8etp8_>U&oPch zYqlPK{Sp}u*XShWc4O3dHKIRNFaR+YKT+9*d5#%t5huea0V!y2DT z!-_~Up!7W*$n{IfUhaS17uWWbz0u1)no|BCoNfAo>Z|lZ)IdH^&{7cYexJ>+-ik=i z)$`ISV&(FB?7;Cfn-1=_0&rX(68(Ta%L<5eUxO&v)*EgXvmqozl!h66^!uN?;tO2p zWp6$)s;3xdF9W?aDoyI(o)ZI4L~$vT+PVRQw+6R$E;TxRF>1`OWz+8GmsD2sR6@lG zjMUu<>G8Y1-;~V}&?_Xp((Effy#V+f@5Pk-Z6yKE-1N~?Rakb>?t^1qN~2l1voDJ} zO+n~0m@#guuM>c(8br8zo7auXB}3+5ee+?_WMTX>wU*`@umRVH0^lz`SmqAl|^ttPE>b;1Eb!V6!bmsTj<%;77mD4n6RCqzmkxPWv*k0S&@#HN*`~@ zH(hETUXK6Zbn>}AuG&^~ibYVXIEkJ~cHA~GC1L`ovN=DUb+urkgmCBL9KMu?&Gg4` zky3ew*R^38 zlMS%^ARhB*5aqHtgNBXJZ3D-u&HR|5Zh4#zoM)Z7Ab7z|tBea)3x+3L4NQB=?EU6C zIJ4yOHr+(DU6kWYdLuLyTIr=2x&UKO)^k4vrd}k3 z9{qEzTD#?4A{3ra-p=Yyi8eHXnRATg)Uw5Sy&5@h(01l^NXCi_QF+Xn^&hbll*Qum zCP_`aTSkbD_P`CEL_P!Bp!yQ9Td4Nw!_wHK)ncRYM$0xur}NePF0C>DFN3rc=Pn6jsc!#Yaqk&b)wZmQ5(PoY2nds$C1)l%=Zxf>qY@@6 zk~1PX=bVE`21x>vktjh>k<1hXBqQnd>Dp`WeeT)swR_L~@m6cAH5+4&F?z3Fqt{o} ztG-fMUP;;j$rlWU(;vWh3i1eai3)-q(A<5vAjiIkHb(SjPFn9H1v@y^Onv{WVPiex zb-m9lUm2ftY55$?f_?Dn?#}!vEX|xyO_gYF(cZ8KcInfO^vukT*x%%L$ z>{}Af!mwy5JX32(*aXm%@u1lPuWWf&ofU*8lZIaaix6#3IB)c!{UiT1ZQG&)$h^m| z_I@u6A)DzedX`P}C|;$h!~Q!Of7q|x&z?=xI+qfk8=S(MF?r*lW!6_?B?N*`D3p>| zOO9RUWuZ;gPxpUC-50U_zOAt_KGCh5VRd19+PXaf$9$x(+pZ7A!PIV7T^)#d1Zje2 z#oo@5xsUFavmDuO-Ei9M{~)XUxnRhvu+(|Dd%-)L$X(;4QQ7hh*w(LohSbCd*m7Vu?tuhLlV4fhld%A`FW}J_^G4#@lB`xtr=I zGNdDNhaJ_bs;onCOg*@Hi6eCpSRe#o0VygsgrOy*<;EsBoY~#`=NbarRLbT=~CvjN?FAT)xDaLt*v+ZQEl--nV690bWOv}YRcYQ zZPxF$;7&6Eq$cwmR z&IQ20myV!ZF78IaiW)?wy3+&u0Ix^yr9uJRaNOp6`N_(x3Xx==+5g%6D=3Difo;1# 
z{QVjM44lAYtL@xR^;^JOF(EIr!*2=|*f*O%b}>$sVfOWG4XC#Vk1s3uA3pvA7OY$* zF&5I0nYvpWL^PBq(XCsd-OtXxN-e!Txu$qbBId+hJ4+Nvye(PqLuh+duDX=z(isVn z38>da!sU@|Y}EH>CJBGf1kZVr<`3YN*PBVY<_|$bt_d{_2Die)qN(ZJm0()uxs$-Ncny>MXkafUF%W;neMer! z^9rRjG}b=TeKqrgIw^dz)=>2gLTpy6f*k{kSm^}NYFF*kT<{XA|0d0_nMahz z;G-(&3)vf}R4oh)%10%nO((T1M0vyVUJ+C$2>b9O#8X|%MMeCU#e#aRK`ICtw}66~{Ttr? zr!*{!`$EM3JZAE%L5dRMF(2Z02eAMAT=2hXNv~oAh9B5!fU>mLv7$16k8QFD#X%)a zRCB8Zn@6kuM7c8EKU9uE7unPIarC5AfItpP7dE8pM3V+wQawAch_EsRkgi%~469J* z{a2ZqeQ5=lGW@)~T`s2BsYNnEWVH!u^GjAQSMkT)6vK#Ggmd?JwC<}G;vdnTt>{qE z8Qr)!ptI#)s>cSwsL#`T7QSo)w?wu!LBs|S2Yxu1A;MX7Ck$iPlyUKvf~+`8nc*6?956p9nuuV!$z{ZQ83;N{ig&{EMHOM^{6}pv?$M>?S)4JPfF6YOw>}NvZ zQ9~79N9jTR#pyCC^p2M^1Hu;1W<9GyzI^==n_giqx_*Dsy<)09qB=`Z9cz7r=IeFH z#;L}0+tF1e9KVgBSG?M_Y7)ZlTnma{?%X#7v0m7&gwd0nMGj6TMZ7Bi)202hjo%-s z81zra>Wtz9v6z5xz5bTpSaD!UzV+c3;(Fg}9N~J$u6huUyQZx;(oL)~cZqM@?{ICY zqT4PvoYL5E1}X7oO39j~F+Z57o>Q@Mb`qJ}#ggUUoPv~N!zRbH#;fvoGUkSjFJF(D zcF|BAXJ7p;T=$h|07?D&sD=9_rpsC$YY`%qzOouvTi2Q?-Ur((a9)>sl!DW1`Qgq> zT${tU-$0Iqtx{5LJzFl1?g$ZfO#0Q;=+i^>+!2qBp_fXze6MUc^i&Yej+t8Su|z`b z&r2Ktb9C0zmi^N{J?*AJRLO`^**xA5a*9iMf(16wYANu|%DxH2usY6lcb_A`#sbSC z4(HWYatJ}ay8LNEZ1e3!K!xtRNRDl!4kRliE`P7Z5rx@NmCH>puZ->X{inkiB@)x$ zi!=EuO||5dkjR^lEi>*+ztd8KPge%{y01D{%vPqENHiM~bQ~vsxwz2xu60mj$&^SN zqZCy9=6$K=eRI`jK`n{41rm;boGI!6XmYY7ZF5%Xcv`QK(@yWTbbJ>BBKY){o+|YT zHI1|VNW|xFNnuq2qmy?V9#baol#9KCQjTVT{hI9nu{-_Kmaw5i)I@N#b{Gfl!|hru zQ>~h8WxHdwTb#&DC+k3bo5$i)+2P5zlte_z?bm{eD4uP#El$%EB~QJfa0m^+Rwf8I zm^oL&hLp(G?>yS~2;*@wY6VDCHZm3|$GkHa*pXOJzH2HbqfGn}Bg5i=m=Zr{j2_K@2{<+`O^{zQaPmNMB=I(dmcQwK_MN0=fsXF~y4i z{5J9fU8g^4gH%vj>_(Ol>!k-Q%R_pg@b7w>ogrimoq}zTzTIZNo3_o@#ntSqhF29t4e zpzwEB_u_ z*>lb`n4@+DJUNbBH?3LCY4of4zEYZ$^=$9>`f%a`9YjkCqZtk8i8lKkh)8QyGV`&O z59cDm=i?EL=K(2f{Xd3oyc#}b#xgiJj~u-6+*l3bue^v|v@XsH1{T5j-wYs7Z7zyJ zY|;*HW)jYHl?UoLx~Sp=&HcI1vlvkN%X=9-UM3j3cpKhCV6c55HK*!is<_ZZw6F(t zJ1%nyvIm~QERi~F3ub|#bgQLf3-X(spbU>k<{94Vi&W^8G*%vsG?54Q*CG|2|5{aw 
z(|Gs@Nh*qCI!HAAwC&kis;`eth?vpzn|;L|GDtbOh?$wjuS!;2XPs~7%g*(5>ya=@ zA-$WIhq5{5Jm9R3Uyji9KP}2eexK@qwRz!-Z4BqFH}s0EpkB63j@G|Y)PoH1IkbGS zVEdpAz#^ON6K7az0?x!j2EyL|H}s*T;P&et6JoiQG^_Lf=WW%y0A$NV@S63C>Qes+g@(crMs}e1zo5*F>ftVC z1io}f`H>eI54RCCV+M%Jz9ZE08_44 zG@oNgfLpaf_Vm9)!~`7N-vEP6u1Gz%e$0p{1tpNFCy$1`09kgdMp!VET;km6#AZg#_@Ll9G{f<>sgf#Uj;!=J$ zq6~z^3T3{T@G~+N_@;v8rWRoz%JeT>03zgL#XOg*S_o+;favyrSndCeHUH<(@o%x+ z2kynsKSM3^i#-WrJy5;md^2NZLC)M9@{kT68f}Tu+#7@C_Od_53d$Vy|Kr#$x`1jg zx6t_DNg=D(3O&2)xAe1+<24x3_r3_MZBUPksO1nuDD*^np#i|+m7V$#9?=`3^Q_k+rC9>8$`yx+LLo$J7r z{62%_zN1(XJZMLek8YC(!kPZ1`1kWjaey}+IP|BGo8*t9{jY1_+yCobh0pQa=U0pe zv{$-oR`ybc*o)`Qqo3F}$6>W1j($XDVLFDPID&WKrB*_bAc=S|Wt$WK(`t4bYmC~8i*!qRdg%HS*Ns*6Qe;g5iZU1uG9(CGFLJ}PES8B= zm^MEy@9+3ie=hkNl;7JD;n0TSh*2s9An5#z5OwIt?CSpq!=r|gPOgIL@tD=S^gprN{h8wUMiYERY00HDBdVIh_Nb#%6G$FKuzN5(LKWGuyr2`*;B)$J~+g~vk zRHN*_r2Svi>Yu9fzpJJil7p%2#t44D)H*dq#mHU2!Ka+c#sUJ^soT$Qt}aRd`BwPu zqd(d`_)qQDki>XM_7{}|L67)^nq#f={F~tu=XnO#ca4c0rcj+zZkMuu)o7B}*Z!F} zMbbZoh6*|S!xCV_e`!$Ijoi~9OF&NpoYJPX53h=huCCgIS0qX||0?pgM+aJ~_qM+0 zQgNHBHK@>mvVhLR672u*3701OKklae+^Qtdsi*HS5OyOgcT~>@@r?-1+J8kT=Tj)k zzyDo<^rRM)>#)DOGxTeQg#Nm{!shq(&8j|q?Z_0UqF2pq5Y4VR^%Ky!?wp@|MIdVZ zs^eJOcQ~0N2If4YxhPQKIw9gbY(&QGn0xhdzblzFQDYMgH&M`BV`Xx$nTO7f75Jo~ z)l+klLW&5d0D#yu9}<}kxUu@Y+P0e!tBfr@uqO95;$5OOfH}mpE;X?wSE?wypnp5h zRPQvy0T+WMnp}H?bfk)Ai0Svs=aksVNjT0|$6h~23N6#PO-Q&F8R;o1E4FQsyt_TC zx5)Q~;SvXu_K@9Y=$-dkvE&8}z7Pi|rQ&1|{rjUn{Ix+bwt&DjijOFVx(l#bBh z5zcw#d7Pjk2X;CkKSKC$q}OnPb8?1iIT8r46y>(L86N7pFg~C7nNX}`rq%7&Z6gL> zs%zt`HJ@eKP8Vt{8)>oFU?k&pO~_vEHWJ?x*Oim}r$33#$1YL1*C--)2XaOwnyii* zvObz*&j2VDryHNx!k61hSb5oC7WPs<^*R}reBi`HG%>S_0zUAU-iK$)+7&ST43IMI zv<5#)D+bw@723_|6e3>gUAHR=8TfqfDSx`Z>w)s}Oc&^Ih1lTYLat=XKC*@Ch6pid zt%#$4dEr9{z2P7I_tT?-hs{*f`=#nEQX%iQgJYMT?%#V!9}Q=?$v! 
zpF~5bLCOhig0uUY<25732=Hp@&HGES@cvYHLhr<7aFB2WFjd*3-@Wq+lt3$keDL+x z?AY|))AZV9UQaFyn)X^!+Q(5VQOX&CR>v-^zHY#!4T+5oa~?W$q$`o!+pYWp@)p*o)+B6wC2>Vy zW0WF_10M~l=K|@K&+A9#JF2>y%@~@{j$Nw!zjf`uHF}Ej770dF@lAWr{I>}xvekE7 zeEf!Lsk-Rr?*>5U;%pcC2m!n3&S{pu8w0>}(=gwV%t4EDAQvCdhCR1Gt&YFvs8i)pH*~U4aa3>fg9{x(hV?j& zsFpG5i*Wr&b4k)qFa4+AWN@e?*p&z()M>%6AFc)PKgTB`1~fbpw$Jgq*? zj=EKa9NX!gu$(c2MtSvJ16oszI6_(RO*K+0s&x>B;?R*lPDSuajFc5d!K%~6l@V!T zDM5;ZN!@uPq^_)(lL>7O>}}6rNxDy`WQ_Q$3m!DlHtmRLqozDB)`+mXt;m|RjFtMJ zvvUAI@c~I0rSzCA`WFxdql=FB9uZ6}yzm@}^oQ7MXpeaR9<5 zgPF06M#H>Fv-(0&CiPj$A7Db`yCEW}|u*yXdZ6Ey^n;;W*~NTkK(!l5kFzkVe1~FB)JxbSbpWL{Q3xj zfmUJ42sm+5Vi%9q1_O4YTWz0#y7PL^TaxS#vokRgszzD*TqjU+m z;Z3|a+DvBk%6wQ~i*Q9K|J~q5>_23%GoH0b21y*h&dyq>idWkop8Jpf1%H7qydZ|Q+KPERr-PC12(15CBzwRLGf;D}zf}2anrnZqI{t;l zI9b1sK)wHm;Pd|zNSX!WP?_1P2XN0_kIs>*0MJplTVN!!eGscvXhhL3^#OZw1w!Hm zPWeb$hK8h75$sig;SB!~-EkUs7&h1?a#>0v2w`miz3Q~$VE=0p+pF_mhk%fIq)_g4 z#}})e#}j{$`p&=Hk%Rhvz}U;MF`A}d<1keicKmZmAJD_HaH)bUpbbC~TyN2Xa&iXP znw8r;HvT+ge@_Y&xFTp#xbsK|@P+Ap?|+`x`3LrU0uOJ$?q`p&qS1X%jR;FvL;{lP z(Pr1BUH0Kzv35X=%waMb^?;ofPy_QxI@ipjJ;$YGetPx|kHzTAepvcMoyT;G_R!6B zWsg6D%5S|sP^>!{be+krtUNiS8R@~_wq$PNid$QTB9AzEKyqFvgq-W1A7O@Qd}(#x z0CdIm-bZ#Vov+C9N5yCVJbeEjykdFNJ=HNe2vV_^O2Fsm=eo2-gg@?ZD|~QJ0Q|t~ zAP1|`>vO$r5}>6fFD{vLzEjZmMSuyGzSOmwQwMM(=?BVY2L&M14fssiic!H} zmN!yHPMvn(@Xys#I->38=r=ONY6k5h(%MQb{RY99?tfC=;SZa%e3C^7erA3;Zh(-D zP25l+B--P}vSb$$1Y$IokfeY+TEHuafIZ5Me(lYQ?RNYdC20hTqU^z`!p_g&TM~MQ z57;Vi%sN#m+g|Lc3I%aqlZuZ#(7Fb-F!3g2<}sg`U(fF)1j|uyva%a9zgEp?P_Ew? 
zg8TK|ECGTiOVyrm0|fBxiKY-(>}jGH;EJ6pK&93^xK2Ji&MV^y*mwrmnkH}{gz~tl zF+S=eGu^kTUR4iaN(OLECY;SDE_vI{y%B%F1U2iA312$zpce;kK8Fb3X zS-&yuWRv*~i>G?}H5p{cCgQKzSBTTlBqm*ld^rTf7am)uxQPONK0N-v33~Q8^a<(y z(79Cv9${^RysI0mq@&CiV)npi`6Tce@EyPCWOoTH4_SD1> z^LXV_KjzVh;N+#D-8F0W0kz`Rl4k;m;yQMYGj%Pjw+CB3He)Yb9V7nE1$f(4??3Mj z$`dGrqzCR(QG2Gjroza0tCp9qZbVqjkNt!_Pr5z?D2edNsGP8pOj+2rqF_rZSH(iOJ-{pgb|VFMBgab(PvBgIeVwXHp01krh3^6{@EEYn6p z&a*_6%cdlr6(5-h94{5@XbSkkJIj=NMbZ1yRfp z-V~KpqL)}Efx7pTv|4QyL={5id+AvLwaQ_@XR=hVHX%W!@>gYtt zOp!9%Ze`_cqb67e=uoaEZRX1*9{Y<2!{+6!JgfU>{wY?%%PA#0XLsk+LQQADaqas| zoKI~|qcrzJ&9t1M9=_=ci(dErkn7m#(bIJwF16e=xRQ#@V-PbSm z<=oyrp>wQX2g$Nv=R1i$EcpgPqr*ln&TPzqU$G`AQk{vn7v8xysopzG%ZccvN?2~! z@$_E%*fQIztuU$8?u*>!w$~V?yf}W^deCRCzQk6^-Y~-${dV7sMR!a??WE(%qZias zctYLYU_R)1vUrwqrLpAY396}iTA%y0c^&yQ862-Y`$`l@%{{#$v;0FUf8?yoe7kYk zn4RwLWEBhI?Me1~oFFg9++e0h5hG_F;gNKdi0+(_fxTbcnpK7m#L_W&-{RjvPzP%E zy)_&_M35<}B8RD?NW@oZ?|)_T7^8Dw1}ApzrKH0AxoPqR2&t4R9Rk0(qxlT2t1?np;$HQK3(R|ZZM^eNb0Yc#krMXbtrfIJ_N#6uwgS)(S3Ey-P`79@7@JJJTaEy8t*YpBGn_~~NV;8Ru zq}*O;a!vyj*#-~TjfiaHzKTVjzinK}R0rXJ^!~KZapj17ZV^Pb6v+M#i~;=VL%`}6 zt7QrB0HS=rmpMTTGzIqVUc+TRN^S^F_5I6zlG2>S=)C6V%8YhV4CoY63I+>r9|x@T zq7P^CKPr$Z6GQlsIUIev;^l!``F-f_m=KQ0K^0Ry;B-e~lK)y8Oe@pKQwEIxw%`a7 zXJ`FbdHoOp{yCPb+1~qMeV7)vl8(4k{g9|yDQSSX1yCucf<795W_P>!6o z76Lp*eDb1(0TEA{8~byzA{N`^tqo+xG;3!nULpAbo|2!R&phu6g6m9bF5B|F)0PfL zZ{49lREXTwnledUY^9Kp5L*DYR?r*){u;}ZST0c9qm-?-$9Fzi_ zwB&pJRxDhH`W<@%{tDeYhlq9z{Jy&bciJ8!1M<~^zM4%-%YQvNupuJk^Y@U55W@)t ztA;^P=&ze*>tlqhA{l|bmFT@lSv?VmSgB^aBT^XZ!^y!c+3f>&)cT7RqPJ+U$xYq& z#2_avg7>7=2hY7!ee;(oI-rRKry-{12N|h@vqrz!4(EV3H4x=e-hvQ;iuW8gx-S`& zQtV2`!`AmP0sRX@GTz6TjnkE;&o9ay$1LC`P=$Q=R{l&S_HCnYr6;$%e^Qc z_wWbd?Z!c=(m~CwOOsMTmOl?3Jg4e24c{S+c0IWL)|VJisg%Td$gm}jtKoQL>NBCX zmsOnc$_kVvQ2@td&O(#B}~cmjyzDGAEaImW=Wg13)20{sr<$dViln` zk4LBji2@yB$Un#JEw`(^)_={;>}TYzWedj=NSj3!O^q{_)X4Ia*L#8k>?6B z4TSMMeUrW_k`iUzLlkLf^&Qu2jAwGUZ1yw|r6dM>Z`{4vARe0$X)%oG!ofJo$@i45 
z@V%c|S4Q0h;<{D-I@fImd?N9w?3pE>_s)HMY_r^#Xq>t0xI=(KKg&)eFRScjO!ZlIlKE|v>QGMOS zR#J?(SWwa!#di~!o+|UizR|mpsionwbKqno5>K+50eG_9bmoT(&&6)Tgu_m%7a!gG z2)(NgJ>)p5Cj(3OY7+FC3o_u-A z632nnrsQsmDFbw}448%3{mRth20?Q|Rr>JF=xxOapC%(d%Ms~!?mr3mtM#IKW6g_d zbxNit$g)b;dTZ^=%k*b3i`Ndr%qyOzr8YXwEB#hwk#BQZxi^w7Ox~tn(_dVapuqBQ zh5W<19XuG`D7J2I^ya(EYsTWf2h5`snevi~5vBcQ7yTmGaK&VyyAWYKb<-vOLN8-n ztyq%_gDk)`)16G+v&B|+MMkK-P*;`A=n9<+TpuwGgnCg8)n1>>i!eeCGA13NzNnki zy@trXmi`wT`Y#PZ*9pDb%P)?E+p&d8zj8z)z$YVLa#T`c{GFmV3kg<-0?dB8CJeKhnBY*!z=vO4rb zVGC$>8M338nDEK^ui$ncUfg1U&B{jmFW_!u=P z#pqjk+#OTS=l0C!u>5mi2a~Fx zG87hD-1>dAU4Kn{II)E56|8!ZXnd1~@4Vxa^OvZHe2%UHaLK{95SqppdqhyrL*~cj zyHeIn2+Z8cOw6p-s}a86st)70%d)+Q^LF1VZta* z+AwkQO;K6~?B35cIm7y`Vyc%on;cJXUZ`mhdnB@`Jez~PNd7o#7s=uJ(9K3+X3p%& zWP5;L6{`32^8^~oZFj(#KvL}1M6PCAFdTlB)3Q5?6r;FOt#p!!lWxZN(Lg#ZDm8j0 z<$+sM{vaE!lYEfz*^--1{=?Z-;8S#V;KFzv@g$zh5qye$LNM3wbwQ zYu;%yIER)OFm6{p6kD9Y&*{F{N`{LK=R)O!uNr}wxv_hTEI!G}fDuic@Uxo`kC5#B zus!-*X63n{G?Ge(`*X2517+ZTS)RbY?ID+wrXVBM`M{HH#VD0d+v|}=|0PT1JZ@}u zEouF;FxNGA%O4KQjdyId8%cFG-_Q%?NXzhed?Bh_)r#Op<|^3sg)&~;D^bARe-xYY z8Xh7Y%osy1&%g8X$6YB^dpd#XApTb35k-vgueKjCHkVqT$e~SZm05Z|+z?E8^0ig@ zq$)MvElia`<5$z?V(W=F=G$+rMjnce>kZ_o*HY}Bt0<9VfiWK6eL0CuirP&$YX}$A2$4C;BMyNk%4pa!5wCJR= z8Lsl>?yZ2%Fj}t&7`DNt9ak6N=Emji<1^D2flIvPih_lUy9Meg;tXGFwfs$Yw*CE{HdHY}xro1DEJ)Q9TxvQFA%20ah&v%;V@{c3P_}xca2bI zsbWUdC6dT_%e|fXjJnWn)pz$Y7LWzKG8?6#s@`XxgJF_Qf`HPQ5s4ZFw0kH3?aqv4 zp|BiqJgH{-4)!V)_T`;l7MT|iyIN4M%d}R3Gw*^q4D5rm~u_(v=WzvIE zzAzYQY84uOpIlxo>n4CXd&Q(~g)oiZaL14a0_rXX_|cKslW=rS?f301rayZghTlv# zpS{fX^XIN*CI~N;QGik(7`HspTIme~oIgyB7Cph3ndn#k2j8XU_#|hhK<6x{nbQ00 z=3OS1X;{2@5_!t0(GIxLd)jg_vEw-+kM5mnIDr@#ks1ac{my*t)=?U-y}B79vXu^_ z5ONEg4V`>pGZY`BS7Ri%?0ckEZQlfF`quaM)PF9ulmYG0?()4bkeR7`{0QoE%GT+B zo%#Fp=co~`uZ+XzdWQR?T!DjVN$P2Utm<<^L`O%*_CO4I^-2a{2txy3N|VD>u*cT8 z8fft|<;)Xk4O*fdf7o2@e?8KYu0e)1RoKT=dJ-BQJ{?WQiz#t`X()ltPzBwi=o#U3 zfj}XTnF$`=G(JgVv;;YyWpW|ei{Z`a&i0o2IqUg^(E*VW!b)oDV!DUZ?(k^_(DscY 
zDYngXYd{(L<;xcXnc$H^YFcVY1P&yMI(wmOcnt;Jo13pTTOuG=k^qNFe2kIGWN%Ut z^e_rh!r%Zw&K8{@6!dhy^@+T^a9k?NouKy^B#mUCr&`Ha2JZ}DJ3IG|?sQ+1pW6c@ zQJUT$_J-vA-c zMSl4R4b`3DWEMiu<0?YZ1a#Qz3&pg#XEQi6lXN$GQB5&oF>>UEyOgA&g2^P$&F=o$ zKC>{J(Nqyecf+fGpDS1v!vIegbSpqwQGtH?*VTpR4{+_0lFhK5K1!Ibz7&<@0DS2e z-X_7IFOlUky2<3b2l~_Q*T20gL03WZ-;|V;_yYjapx+!#NbD$~@{v%B)bXDugG2kg zCM=yYb=y@Wo`ap*Zf#9XJVMf4k{dDyYJsQAT_wPIJJ?TQeOw57t4)EPYP70FytVI{ z?yP~D*%W@9@Q)PJ_%kmhkph2RU!G-12CYjT>2$ns{|!3)c~dzFDlkE4XlP&{K-|>A zzGfJR)R^<4wqhz2RvuIsy}}H3`SUo~HiZ%)gYpM|+}22-dQXyJpDG`}e)6rOB8_Pb zb89@ux*?*i81))J4U$Z8KWLW7TS`1UAwT(N^!)Tvb&yKG%hRdzUuzYb1=46#*vF^| zfvNc*5aydeCF~))Z;T?Uo-I`H+#t-cG~o6|>q=V^n(x@tWtq76)>0@JoASVAB0r^2w zIfw7>gOpPSCNe_PRiKhMpdsU+ELImS*R13tq~&|*j}8JHu=2SjLrT|xR70^z?iZsn zQaFg*BOgHj-0HT1!tXd8`ce9ToZDqHK6YVlro-ElQ9YfU9?Om<9hTozCqDxg`y%XV zBHtyQMa>b9GEG`J=@ZAK>C;qN=4*DKXc73+L6{GGlfp~C?|0uaItYMve&tLM(D=)) z0nPWWUbR6_G1A1t=GIJo3-O?t(!4w>TvT=pRSum}Rqia<_bg5d?E*5%A*Zvwub(;5 zZYbPX!*J21eOCH{^A6w!t!^|aEII?s@X4^T-cQKd!Pk9HW#`9eAaynN;M1cpM57|8 z?$j!hPo`7A>CB5_cpAC=+h~Vi$}gk|);SluR}b@hGiQ#ywej;ZZhh7#nNfD8#?Kn+ zeM}7z^3mUqrZi@`(C0LFBdxT2^ticDsYx!L$$I_$8^^3?;7EPK;G>&- zkS*?)`B1=R2xWi)M*>6Eh1v>zSy3g0wf`Z$Z0&brr$lLoQ9qmh)Fm^>}iD370amuTftZPZW$5?kDhFo@dm7!$fLW9l zsAjz74yhXNx;<)=Jt z0=9Jij5%h8?OVOBXg%FT-asBooZ@?L@74ODHM+f80QTDly&G~)LX%8h%ASsdf7e!tm!T({VQr~-U!fm&B<>>; z*KNg=$>)Sdg+az-sFx9|VKYh$`E1^4Ue`yGCoU!HUJvy=6$iIz#J0b8ef`vQhF79! zSmq^EH{54FPKqX5Zi)?O)SRK=NmMO0VY{ z@#@>PNjZOD&=)c~LE_Gh+JR+o!2QE9((uT^$LHg6(8!$HFxZC^ zB3VC5+bv6@j20_iVm6cP+iuuT99F$b6SQgkw&ac{^qz_sd=GjakxYd*jka-RwQIvZ z3R-aJ+e1E8iP?@Nr@XE!`1!aIx1sF!RAr3M`Ew#CnZ;u>Wy6lA$8*)AODhJBnW4RPHWXUJjkqLHZTvw$;2&=hBR!d8U940{yl5F)I!HuMoK^tu1QP6sAESUAK~4J(?BVeVB=2%=?Chw3t$kx-g{ikk$|*lX z3PoJV-?;rQToc1m_w@RNUs7N+ZVE@D3vrLMJrL5p*wkiXj3do6?O{pl3bVTGU$ z1CAs$l*&$ieLSP#o6%Q5s-;j~hiY#t%MCwlKHiy+8^+}MPTNS4@noen8g?0;89QX? 
znt+DOND*37MAh3cUv1b|a!1qVEx>=-r1!_?+v@%_4#K{ zz80UGyx^^q3~GwbXwWX(LoE^$r-q1Oym+)2`$NlY(C9bpiIkLb$rAF{rOENWG+G;1 z`G{>k2sLw1L)uQ&7jggNz(M&H0qdQ*O|ljn7aB-vK9ip*3NpJ1Z8IZe|68Xu_%{Y^ z0$xU#BBuip-gT&~=cFj;r5Zkgsr{Xjv<##x93Fr#TTPM{j zn7BZ5On$#$GtvnKF4-%-?lEPHJ+Kq`J~#l)->AWHr9%h`4|FV1y?N@`Q;ElFSc>u* z+b;PqjCU&Pz9k}blp`2%i8jDI(wc}fcGq*@`xIe?RztJNS1*HQb(7Dt&krfy%&gWr z80bA&>|^*5qR(d29aCD<`Qm~(}cY-mj7`2OfB3GOd1f4#Y z6?u0?RjXBe&Ci%RF*u4g=4p0SipZeBPK^-`@O??Fjkg=K zoN@azc0&AfAIV3^^?`3a_~<{P;)5e_A0qb;sk0Ak@8*k1iP1VRbC`Fjf?VS2CP}A& z;z0Axm;7wMT{xTZQgX-3pnF@N<6aVr%(8+?8HA_qKacPca`J1~-UU}Kuv&i$S6iBVpRjgU*5Nolw^72k{cur#WVw6(GMUskuC8-&$7?AOhxa+0 ztGG{f+Gex4BrAkEKTPF=UNK$0MufU7E~Ti&Au^MW1HUG28R&NWayrO_b?66n62`+H zgatHbsxF4ED-+0vC;|6OC>6&eD#xiIT%GTqqMi6p##7xnc_9hq5?AFscQo*we4wEG zM<5aG>-3%r7yy@@_L$nu;-MI|%I>N`$8*I-KRamM-dRV&$u1};fUOPOPd$#Oky-c@ zwC+7Al%I>|bRp?!wLOC`T;J3R^q+GT1zLRPPq&zSW7;kc^4y{&L*L3f3j*6AZ!j>=17gLEY+{D( zYIq1u#GbY!e9NAWMx0?e-J{_n;FC>)$055f%P~X>!O=eWm|G^Z`CyvHUJ{S167F_o zqwz)=s>x1fN35Zt@sQgJZC+8@j~3h(k0XoK0}F#{PBQn)i-Yjm5p3v-G<5wQCU_s8 z&mB!}GGR$PZqylUj&CryxE$d^)#nfx^(`hr6WqvUy{|$kqFB6szE05F3`DkN7;xXQ zqMWwMt_C;t$v*G5ol?K5?i^RSJpJi7oX9{?gGxo-xIGl1lZ3-0u0LMSPXigJRr(w; zi}!Y(!RkkNC@eiH*)_Le-uqScPe~&Du_p<`5%D-n*{B%|FM;tK8pcD5rVdm=E67*8 zsF4p*LQ<<4O9!5?em&DozyJN|-8iJ_Zn|4ckEHUcRS&b^kdQW{JWH8WgHJV63Apr5 zmjW_+hd-_>+%ov2-lqaLtLBa2X8}^a39i2*Nm8^It)I$b#cz{Ul^YS5_!Z%VLL1P{U8#zBQ3&@R;42?bAVNRWBuBfC z&t5L5)BeoWPw;0h$%RqHNKpL|H5e8fQpUGm_;}MR=R6+8#ET&?*=Mvdu`b(O(;RR& zdX`b6F*)EVv<)dqq#;~}(MY3|n8oo2arH<@n1M>NQo13q?Zl9_wzetI%#O}MfcB}f zVg##Is??Y)_<6>ACBb>A_ryvHEvGT?^{Eip_gzzt@8J)c=|bN%I!fLp@Kw)a!N+eq zTrZ>fmQ?=2QP98h+w=bI)r$svoPiCDyh27Rr+}`DkSH4s%Acd7bNhwU8{#R~u@#Tm zld?)V4P?BriJqmSI^s^#I8H+3uj=vWz*5E2(PENHy`NRYh?Io;I>Pe;ZVURWTC~Xo zpNqjUGr1B4enORQnaLyr%o>szX!1ea2UTB|M}RN;WD4jhgzX)>zdXMb8_8y8LLWC% zck69z{46trpT>_3kHj`QtX>2H&?MI)n}FlF@lQ_`SraPfK-p8+jDrSZerQ~3EN^~V z=wQX#7RRtXB6()s5A_)8rE+&7=$hH?MYd`azE;RBy?YCn! 
zXcfApBJr%#-k^<-?M_BBP$5w*OL@ID*&Nb61=80niPZ+*cI7ZT$C`YqxRj*4{r=6A zZ_1v_b>UZquNWWXIwG!UxU0`$WrRJM!H47K^6Qe|P#-&0PUlV3DwF1_e#%_2o^V+8 zIZquDoLR4st!aNc&Ae}a@3FJi+U8F-ab0OBTe#*OE@I^S^7tSa{kZiodz2Ook`A`^ z@DKqn^V<4wigS$Ti`b&zmJ17km>`%xWSM)A%M}7qzMqwui8HpZ)lP$mzw5l$YSP(x z*SPY>&PF(p+?r!apjJL8T`^B4CfmdyZMgvHN4b`QlPbz%=GEb>+-k;iTxO zlqwxUIl|z%t%%fhy7Pq{(@LJ5MbBFIV?Zt^<%aYz~9?;_$)p6eORTzGJETP zo2%`gllhS#;o~E2 zhI!hv5&+FLQJ2+rTFhv!GZwEEeKM;%Pm;RBg)pL<`HX%hSjhS`5U!f!;ahfg17c~0 zQC$nNZr@+gBP8Rpj|4*TuNd$7L0zPv-)Dk^=R+wpBQ>Q@;mn%lq+W0_T@5H654IKH z^Wpwco32qg@A#p%CmZFyQp3K;)RDc0K?rJh482m)tJ1a3c$~D~c%JzmvEXjhmP6VU zgoyVRWCc4$bql&m;MFO^!8s?3SLV~tb$sB2Z>WgKR45>Pv|`7@$E5WvZCE;n#papb zq>$gSa>n7F%a4oI*PL|mIO}jpGkl?*CpaQ<=8v=lTb`JdB%roWU$?h>Hf)qh6IYd- zl%1g|?pqIG!L5u!gmzYvd$REnFCS+X@!3`Kh3*Eu8>=7&#>GKSyI#GW2Al#vnRNEB zGET&?UU@Zz%H570+L6|exK}QeO-QAw3vqZjmig?;<2qOPb4}fDLu_2qiQt%rzV5JJvZG|kH<%Q ztShV4?%<=1Nxgr#kNa3DLO3f?JUFn3Hvg1iwfr*Kt0E*Yo5ag4Su2|mxyk{WP00E= zrHYn1EwW1aTZiAMH#e>zeB&WPN>bxgDcps6uQe?#$a-n;;#EG-e8|s`8}gotF1IOo zCJ9UoL^6$~DJ;;0b}=!nQ~%Lc|2Km83kVsIUo0EMFiVCSJXa=CiuZN=Q6ZVuu=LMB zu(Tq996CeMLPaQyXy5=Q4{ zVgPbn!Wzel48fJD>h0ZnH(}0aL8gqef8Y--vtj8qVu1b&&hB=?oJPr+)t~ji9NrR7 z^TgTV$E(OT6gG_ZZgec5Kg-ZX7^%s~e4C6@8A%TOOUv5+jExQlEvI@rV}#D=DUOO} z%7H5%qsBR~(~hi27K$>CLk?SB#MYA<4hA6Z{-G7mS1yp0Z9*#$vdF@ic(h7n1uIk& znzIE;{3y;o3|vM z8#fwkKL(+IYn=>gcz9@qQu#K+iMjx?^vL6JMM)|uVuGa1v2D-8K The goal of Trusted Publishers is to reduce the need for long-lived tokens or credentials to be shared with external +> systems when authenticating with package repositories. + +A long-lived NuGet.org API key poses a real security risk for package authors. If that token were to be leaked, a +malicious actor could publish packages on behalf of the package authors, threatening the security of all users of that +package. There are some mitigations for this risk, such as [author-signed +packages](https://learn.microsoft.com/en-us/nuget/reference/signed-packages-reference), but it's still a very real risk. 
+ +The Trusted Publishers pattern allows the package author to perform a one-time trust policy configuration inside of a +package registry (NuGet.org in this case) and thereafter depend on their secure build environment (such as GitHub +Actions) to properly authenticate with NuGet.org, exercising the trust policy while publishing a package. + +Any secret related to this new flow is short-lived, meaning leaks are less impactful. The burden of rotating an API key +in a secret store that is available to the package author's publishing pipeline is removed. + +So, it's a usability win and a security win! + +## Functional explanation + +At the core of this design is a requirement. The package author must publish their package to NuGet.org from an +environment that is supported by the Trusted Publishers feature. The build environment must support OpenID Connect +(OIDC) tokens because they take the place of long-lived NuGet API keys as the credential. The NuGet package source must +also be configured to allow OIDC tokens from this specific build environment. + +For the sake of understanding, we'll use GitHub and GitHub Actions as the example below, but it's important to note that +other build environments (i.e. other Trusted Publishers) could be added later without too much difficulty. To think +about Bitbucket or GitLab support (for example), simply replace the GitHub feature mentioned with the related feature on +the other forge. + +A package author performs the following steps to make use of the Trusted Publishers feature: + +[Prerequisite](#prerequisite-set-up-a-github-repository-for-the-nuget-package): set up a GitHub repository for the NuGet +package + - This is all the package's code to be built and uploaded in the trusted build environment. 
+ +[Step 1](#step-1-add-a-github-actions-trust-policy-to-your-nugetorg-account): add a GitHub Actions trust policy to your +NuGet.org account + - This is to instruct NuGet.org to accept a pattern of GitHub tokens as a valid credential, in lieu of API key. + +[Step 2](#step-2-add-a-github-actions-workflow-with-nugetorg-trusted-publisher-authentication): add a GitHub Actions +workflow with NuGet.org Trusted Publisher authentication + - This instructs the NuGet client tooling to authenticate with NuGet.org using a GitHub Actions OIDC token. + +[Step 3](#step-3-execute-the-workflow-to-push-the-package-to-nugetorg): execute the workflow to push the package to +NuGet.org + - This will trade the GitHub Action OIDC token for a short-lived NuGet API key and perform the package push with the + temporary API key. + +Let's expand each of these steps for better understanding. + +### Prerequisite: set up a GitHub repository for the NuGet package + +This step is pretty self explanatory. Many developers, even hobbyist developers who are only producing packages for +their own consumption, already have their source code stored in a Git repository, hosted on GitHub. + +Additionally, GitHub Actions must be enabled for your repository. For public repositories, there is a generous free +tier, enabled by default after adding a workflow YAML definition to your repository. For more information, see [About +billing for GitHub +Actions](https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions). I +will provide more details below on what the GitHub Actions workflow YAML looks like for NuGet.org Trusted Publishers. + +From our data, 61% of active packages have a repository URL or [SourceLink](https://github.com/dotnet/sourcelink) +pointing to GitHub on the latest version of their package. 
+ +Here is a summary of known forges, based on package URL, repository URL, SourceLink information on NuGet.org: + + + +| Forge | Package IDs | Owners | % of package IDs | % of owners | +| ------------ | ----------- | ------ | ---------------- | ----------- | +| GitHub | 74440 | 14742 | 61.37 | 55.77 | +| (unknown) | 42738 | 10997 | 35.24 | 41.6 | +| Azure DevOps | 1448 | 238 | 1.19 | 0.9 | +| Gitee | 1440 | 188 | 1.19 | 0.71 | +| GitLab | 825 | 165 | 0.68 | 0.62 | +| Bitbucket | 392 | 98 | 0.32 | 0.37 | +| Codeberg | 6 | 3 | 0 | 0.01 | +| Gitea | 1 | 1 | 0 | 0 | + +(considering only latest package versions metadata of packages published in the past year, our definition of "active +packages") + +For this reason, we are focused on GitHub Actions as the first Trusted Publisher that NuGet.org supports. + +### Step 1. add a GitHub Actions trust policy to your NuGet.org account + +Somehow, NuGet.org must verify that an uploaded package is coming from the right person. + +Prior to Trusted Publishers, an **API key** acted as both the username and password to authenticate as the package owner +during package upload. For web UI upload on NuGet.org, the user's logged in session (via browser cookies) authenticates +the user. In lieu of these two older authentication methods, a package author must tell NuGet.org that they *trust* +package uploads GitHub Actions coming from a specific **repository**. In addition to restrictions on which GitHub +repository and workflow are applicable to the trust policy, API scoping will be allowed similar to API keys. + +In short, a GitHub Actions trust policy is restricted in two ways: + +1. **Which GitHub Actions repository and workflow is trusted?** +2. **What NuGet API operations can be used inside the GitHub actions workflow?** + +#### Which GitHub Actions repository and workflow is trusted? 
+ +The user will sign in to NuGet.org, navigate to a new "Trusted Publishers" account page, and configure a trusted GitHub +repository using a form like this: + +![Trust policy form](meta/trusted-publishers-oidc-for-nuget-push/trust-policy-form.png) + +In the form, the package author would provide 3 critical pieces of information: + +1. The GitHub organization or username owning the repository. +2. The GitHub repository name. +3. Some filter on which GitHub Action workflow runs should be allowed to push packages. + +The filter on which workflow runs should be allowed to publish packages can potentially be very specific. GitHub Actions +supplies a variety of metadata in the OIDC token available to workflow runs. Refer to [Understanding the OIDC +token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) +to see all of the properties. + +For the sake of simplicity, we will start with the following workflow filters: +- Filtering for a specific *branch*, as shown in the UI above (branch filter) +- Filtering for a specific *environment* (a property set in the workflow, overriding the branch) +- Filtering for a specific *workflow path* (in addition to the previous two filters) + +The screenshot above only shows the branch filter, so the UI will need to be expanded to cover the desired workflow +filters. + +Additional filters can be added in the future based on other properties provided in the GitHub OIDC token. + +In short, by adding this trust policy, the package author is saying: + +> I trust GitHub to only issue tokens for my repository for my GitHub Actions workflow *and* these tokens are sufficient +> credentials for uploading packages to my NuGet.org account. 
+ +Once the package author has added this trust policy, NuGet.org will trust GitHub Actions OIDC tokens matching this +pattern much like an existing long-lived API key, with the added benefit of the trust policy never expiring. + +#### What NuGet API operations can be used inside the GitHub Actions workflow? + +To scope the ways in which a GitHub trust policy can be used, similar scoping rules to the current API key flow can be +set on the GitHub Actions trust policy: + +![Scope form](meta/trusted-publishers-oidc-for-nuget-push/scope-form.png) + +Just like the existing API scoping feature, there are 3 dimensions which a trust policy can be scoped. For more +information about scopes on API keys, see [Scoped API +keys](https://learn.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys). In summary: + +- **Package owner**: for users that are members of one or more organizations, it's important to know which package owner + this trust policy acts on behalf of. For example, in my screenshot above the package owner is set to `joelverhagen`, + so packages owned only by my `snoozecorp` organization will not accept package uploads via this trust policy. This is + also important to define who is the initial owner of a package that is newly created. In this example, if I push a new + `Knapcode.MyBestPackage` package ID, the new package ID will be owned by `joelverhagen`, not `snoozecorp` or any other + organization that I am a member of based on this package owner definition. This resolves the ["Pending" Trusted + Publishers](https://repos.openssf.org/trusted-publishers-for-all-package-repositories#pending-trusted-publishers) + problem. + +- **Scopes**: the scope radio buttons and checkboxes define what kind of operations the trust policy can be used for. + For example, can the trust policy be used to unlist packages in addition to publishing new packages? Can only versions + on existing package IDs be published? Or new package IDs be created as well? 
+ +- **Glob pattern**: this defines which package IDs the trust policy can apply to, based on a wildcard pattern (called + "glob" in this context for historical reasons). If you want the trust policy to apply to all package IDs you own, you + would specify `*`. Note that a broad wildcard like `*` does not supersede access controls on package IDs you do not + own. It just defines which if your packages the trust policy can work for. + +The screenshot above allows only new package versions to be pushed for packages owned by `joelverhagen`, having IDs +starting in `Knapcode.`. New package IDs cannot be created in this case nor can packages be unlisted. + +Unlike API key definitions, there is no "Expires In" field, because a trust policy never expires. + +Multiple trust policies can be defined. If any of the trust policies match the incoming package and GitHub Action token, +the operation will be allowed. If the package ID is new and there is ambiguity on which package owner should be assigned +to the package (due to multiple matching trust policies), the most recently created trust policy will be used. + +### Step 2: add a GitHub Actions workflow with NuGet.org Trusted Publisher authentication + +Without Trusted Publisher authentication, an upload to NuGet.org from GitHub Actions would look like this. This is a +YAML document that describes the steps to perform in the GitHub Actions CI pipeline. 
+ +```yaml +on: + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: NuGet pack + run: dotnet pack src/Knapcode.MyBestPackage --output artifacts + + # use a long-lived NuGet API key set in GitHub Actions secret, manually configured in the repository + - name: NuGet push + run: dotnet nuget push artifacts/*.nupkg -k ${{secrets.NUGET_API_KEY}} -s https://api.nuget.org/v3/index.json +``` + +The package author must keep the `NUGET_API_KEY` secret up to date and ensure that they don't leak the secret value, on +accident (e.g. accidentally committing it to a GitHub repo). At least once a year (more frequently based on the API key +lifetime), the package author will need to sign in to NuGet.org, refresh the API key, and set it in the repository +secrets in GitHub. + +To enable Trusted Publisher authentication, the GitHub Actions workflow will look something like this: + +```yaml +on: + workflow_dispatch: +permissions: + contents: read # required for checkout + id-token: write # required to get a token +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: NuGet pack + run: dotnet pack src/Knapcode.MyBestPackage --output artifacts + + # this step fetches a GitHub Actions OIDC token and trades it for a short-lived NuGet API key + # the NuGet API key is stored as a step output for use in the next step + - name: NuGet login + uses: nuget/login@v1 + id: login + with: + user: joelverhagen # this is the user profile which has the GitHub Actions trust policy + source: https://api.nuget.org/v3/index.json + + # this is exactly the same as before, but uses a short-lived API acquired on the fly + - name: NuGet push + run: dotnet nuget push artifacts/*.nupkg -k ${{steps.login.outputs.NUGET_API_KEY}} -s https://api.nuget.org/v3/index.json +``` + +This experience could be further improved with changes in the .NET SDK, such as allowing the push API key to come from +an environment variable 
([NuGet/Home#12539](https://github.com/NuGet/Home/issues/12539)) or adding a `dotnet nuget +apikey set` command ([NuGet/Home#6437](https://github.com/NuGet/Home/issues/6437)), either of which could be done +automatically inside the `nuget/login` step. + +The `user` parameter to the `nuget/login` step is the name of the user profile that has the GitHub Actions trust policy +set, as described in the previous section. This can be a little confusing if the package is actually owned by an +organization that the user is a member of. In this case, the `user` parameter will still be the user profile, but the +trust policy will have a **Package owner** set to be the organization name. This aligns with the current API key +experience where API keys (and therefore trust policies) are not set on the organization. Instead, they are set by the +user who is a member of the organization. The package will be recorded as being pushed by a specific user *on behalf of* +an organization instead of being pushed by the organization directly. + +As with the current experience with long-lived API keys, the API key is limited in what it can do based on the scopes +assigned to the trust policy. + +If a symbol package (.snupkg) is produced along with the .nupkg, it can also be pushed using the same API key. `dotnet +nuget push` handles this automatically. + +### Step 3: execute the workflow to push the package to NuGet.org + +In the sample above, the workflow has a `workflow_dispatch` trigger meaning it can be queued manually. However your +workflow is triggered, it will perform the following steps as described in the workflow YAML. + +A flow chart of data flow between the Trusted Publisher (Identity Provider) and the Package Repository (NuGet.org) is +shown below. This is lovingly *stolen* from the OpenSSF Trusted Publishers document linked above. 
+ +![Trusted Publishers flow](meta/trusted-publishers-oidc-for-nuget-push/trusted-publishers-flow.png) + +This describes a two-legged authentication flow. The first leg is trading an OIDC token for an API key. The second leg +is using the API key for a privileged action, like package upload. + +In written form, this happens: + +1. The `nuget/login` workflow step does this: + - Fetch a GitHub Actions OIDC token, enabled via the `id-token: write` workflow permission + - Send the OIDC token to a NuGet.org endpoint, along with the NuGet.org username +1. NuGet.org does this: + - Receive the OIDC token, verify the token using the public GitHub Actions keyset and other JWT rules + - Verify the provided username has a trust policy matching the OIDC token + - Generate a short-lived API key and return it to the caller +1. The `nuget/login` workflow step does this: + - Receive the short-lived API key and set it as a step output +2. The `dotnet nuget push` workflow step does this: + - Use the provided API key to perform a package push, using the [`PackagePublish` + resource](https://learn.microsoft.com/en-us/nuget/api/package-publish-resource) +3. NuGet.org does this: + - Verify the provided package and package operation match the scopes on the API key + - Publish the package! + +## Technical explanation + +See the [technical document](trusted-publishers-oidc-for-nuget-push.technical.md) in this case directory for more +information. + +## Drawbacks + +This workflow only helps users who want to build and push their packages on a recognized, Trusted Publisher. Not all +CI/CD systems will be supported so some users will still need to use the older authentication flows such as long-lived, +manually rotated API keys. + +The trust policy is configured once and works forever. An API key forces the package author to re-assess CI/CD +infrastructure on a regular basis. 
We can consider a ["dead man's +switch"](https://en.wikipedia.org/wiki/Dead_man%27s_switch) approach to force the package owner to attest that the trust +policy is still desired if this is a big concern. + +If a series of pushes in a workflow outlive a short-lived API keys, later pushes may fail with "API key expired" errors. +This could be mitigated by creating a NuGet credential provider that fetches the API key during the push operation, if +it detects the current API key is expired. + +Because a trust policy is defined at the user level, there can be a mismatch of user or organization profile the trust +policy is acting on behalf of. This is disambiguated by the "package owner" scope on the trust policy, much like the +existing long-lived API key flow, but this can still be confusing. If we find this flow doesn't work well for users, an +additional parameter can be added to the `nuget/login` step which is `owner`. If provided, this will assert that the +desired package owner is `X` (such as an organization name). If no trust policy is found on the user for that package +owner, a helpful error could be provided. We can wait on implementing this until we hear more from users. + +## Rationale and alternatives + +### Naming + +The name "trusted publishers" may seem overly vague. There has been conversations about this [on Hacker +News](https://news.ycombinator.com/item?id=35646436). I think NuGet should use the term Trusted Publishers to align with +other registries and OpenSSF guidance, but mention terms like "OIDC", "workload identity", or "GitHub Actions" +generously in blogs and docs to aid in understanding. See the name of this spec as an example. + +### Two-legged vs. one-legged authentication + +Original prototypes did not perform a two-legged authentication flow. The OIDC token was used directly during the push +operation. + +The two-legged approach gives use two big wins: + +1. We control the duration the the main credential lives for. 
The package source can choose how long the NuGet API key + lives for. Manual revocation or secret leak detection systems and work for this. NuGet.org has no control over how + long the GitHub Actions OIDC token lives. It's true that GitHub OIDC token could be leaked also, but this problem can + be mitigated with `jti` controls and even stricter validations of the `exp` claim (i.e. enforcing a shorter lifetime + for the token trade). +2. Existing versions of NuGet client tooling can work without any change, since they already accept an API key. + Currently NuGet authentication plugins do not support `Bearer` token auth + ([NuGet/Home#12877](https://github.com/NuGet/Home/issues/12877), + [dotnet/runtime#91867](https://github.com/dotnet/runtime/issues/91867)) so this would limit how NuGet client tooling + could express the OIDC token during push for a one-legged approach. + +### NuGet operations that support Trusted Publishers + +Currently there are two branches of authentication in NuGet world. First is API-key based authentication for package +push, package delete (unlist), and package relist. These will support Trusted Publisher-based short-lived API keys. This +spec focuses on package push but package delete (unlist) and package relist should be supported also, as long as the +implementation cost/complexity is not affected too much. + +The other branch of NuGet authentication is package source authentication for read-only operations. This typically uses +a username/password-like flow via HTTP `Basic` authorization header. This flow is not impacted by Trusted Publishers and +existing mechanisms will not change (such as how credential providers work). + +Trusted Publishers will have the biggest impact on the ecosystem when it is supported on NuGet.org. This only needs the +first branch of auth (API-key) so considering read-only (package download/restore) scenarios is not needed now. 
+ +### Entra ID authentication + +We could opt to enable Entra ID service principal-based authentication. Then, users could leverage existing Entra ID +support for workload identity federation +([docs](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation)) which uses Federated Identity +Credentials ([docs](https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview)). This +is similar to [VS Marketplace](https://marketplace.visualstudio.com/) and how it could provide extension publishing from +CI/CD workflows. In the end, this approach could support GitHub Actions via +[`azure/login`](https://github.com/azure/login) or any compute environment you want (such as an Azure VM with a managed +identity), as long as you can authenticate as an Entra ID service principal. The drawback of this is that NuGet.org +would have no control over the workload identity tokens which are accepted and would be opening up a lot more +authentication scenarios than we really need at this point. This would also require us rationalizing how an Entra ID +service principal relates to a NuGet.org user or organization profile, which is a lot more work! Maybe it's something we +need in the distant future, but not now. + +## Prior Art + +- This feature has been prototyped and demoed to the NuGet team a couple of times, as far back as February of 2022. 
More + recently, a prototype was made using credential providers and one-legged auth: + - [joelverhagen/token-login-sample](https://github.com/joelverhagen/token-login-sample) - sample one-legged auth + GitHub Actions workflow + - [joelverhagen/token-login](https://github.com/joelverhagen/token-login) - sample one-legged auth step (used by the + above) + - [NuGet/NuGetGallery@jver-oidc](https://github.com/NuGet/NuGetGallery/tree/jver-oidc) - branch on NuGetGallery to + supported one-legged auth +- [Trusted Publishers for All Package +Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories), by Seth Larson +- Trusted Publishers has been implemented by: + - Python Package Index, a.k.a. PyPI ([blog](https://blog.pypi.org/posts/2023-04-20-introducing-trusted-publishers/), + [docs](https://docs.pypi.org/trusted-publishers/)) + - RubyGems ([blog](https://blog.rubygems.org/2023/12/14/trusted-publishing.html), + [docs](https://guides.rubygems.org/trusted-publishing/)) + - pub.dev ([docs](https://dart.dev/tools/pub/automated-publishing)) + +## Unresolved Questions + +Ask away! + +## Future Possibilities + +- Enable additional CI/CD systems that support OIDC tokens + - Azure DevOps is next on the popularity list. Their workload identity federation is very focused on Azure today + ([blog](https://devblogs.microsoft.com/devops/workload-identity-federation-for-azure-deployments-is-now-generally-available/)). + - Gitee appears to be a Chinese source forge. We have not heard from our users about Gitee and NuGet.org integration. + - PyPI supports GitLab. We could follow suit if we hear from our users. +- Enable NuGet authentication provider integration, to avoid token expiration for long workflows +- Connect this effort with build provenance, tracked by [NuGet/Home#13581](https://github.com/NuGet/Home/issues/13581) 
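Review bot: in the Trusted Publisher workflow example, the `NuGet push` step passes the key as `-k ${{steps.login.outputs.NUGET_API_KEY}}`, and step outputs are not masked by the runner unless the action registers the value as a secret, so the short-lived key can appear in the job log; suggest the spec require `nuget/login` to mask the key (for example with `core.setSecret` from `@actions/core`) before setting it as an output, and say so in the step comment. Two smaller items in the same hunk: the rule "the most recently created trust policy will be used" when several policies match a new package ID silently picks an owner, and failing the push with an error that names the ambiguity would be safer than guessing (the `owner` parameter floated under Drawbacks would address this); and "It just defines which if your packages" should read "which of your packages". The comment "uses a short-lived API acquired on the fly" is also missing the word "key".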
diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md new file mode 100644 index 000000000..b132b8161 --- /dev/null +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
@@ -0,0 +1,169 @@ +# Trusted Publishers, using OpenID Connect for NuGet push (technical) + +- Author: Joel Verhagen ([@joelverhagen](https://github.com/joelverhagen) on GitHub) +- Issue: [NuGet/NuGetGallery#9332](https://github.com/NuGet/NuGetGallery/issues/9332) + +This is the technical description of the experience described in [Trusted Publishers, using OpenID Connect for NuGet +push](trusted-publishers-oidc-for-nuget-push.md). The content is split to clearly separate the functional/UX description +(the other doc) from the technical description (this doc). This document acts as a supporting document to the other so +that other one should be read first. + +Much of the technical explanation is described in [Trusted Publishers for All Package +Repositories](https://repos.openssf.org/trusted-publishers-for-all-package-repositories). I will expand on certain +technical details which are particularly interesting or specific to NuGet. + +## Validation of the GitHub OIDC token + +The most critical step in this design is understanding how NuGet.org will validate that an incoming OIDC token is +acceptable to trade for a short-lived NuGet API key. + +The following checks are made: + +- The token is issued by a known Trusted Publisher (only GitHub Actions at this time) +- The token is validated per all JWT rules, such as but not limited to: + - valid signature via JWKS + - validate duration (`nbf` and `exp` claims) + - only used once, via `jti` + - valid `aud` claim, being `nuget` + +The +[Microsoft.IdentityModel.Protocols.OpenIdConnect](https://www.nuget.org/packages/Microsoft.IdentityModel.Protocols.OpenIdConnect) +package can help us properly validate JWTs in our NuGet/NuGetGallery ASP.NET application. + +In addition to the general JWT checks, specific checks are made for each Trusted Publisher. 
For GitHub Actions, the +following checks will be made: + +- `sub` claim matches `{repo owner}/{repo name}:.*` (case insensitive) + - The suffix of the `sub` is implied by the other checks +- `repository` claim matches the `{repo name}` name (case insensitive) +- `repository_owner` claim matches the `{repo owner}` name (case insensitive) +- `repository_owner_id` claim matches the numeric owner ID recorded at the time of the trust policy creation + - This is to avoid resurrection attacks. +- If a branch filter is provided in the trust policy: + - `ref_type` claim must be `branch` + - `ref` claim must be `refs/head/{branch}` (case insensitive) +- If an environment filter is provided in the trust policy: + - `environment` claim must be `{environment}` (case insensitive) +- If a workflow path filter is provided in the trust policy: + - `job_workflow_ref` claim must be `{repo owner}/{repo name}/{workflow path}@.*` (case insensitive) + - The workflow path should be normalized to `/` path separators at the time of trust policy creation + +## Data relationships (persisting trust policies, schema changes) + +A new SQL table will be added to the NuGetGallery database to store trust policies. The table should be generic enough +to allow us to add additional Trusted Publishers without a DB schema change (ideally). The trust policy DB record with +have a foreign key to the `Users` table (containing both user and organization records) but will be restricted from +associating with organization records by the application. Many of the columns will be shared with the `Credentials` +table in order to express the scoping rules to be copied into the short-lived API key. + +A nullable column will be added to the `Credentials` table to refer to the trust policy used to create the short-lived +API key. This will allow package publish operations to audit their related trust policy information. + +Deleting a trust policy should have the effect of deleting all related short-lived API keys. 
+ +## Trading an OIDC token for an API key + +A new endpoint will be needed for trading an bearer token (OIDC token, a JWT) for an API key. The endpoint URL will be +discoverable via the [V3 service index](https://learn.microsoft.com/en-us/nuget/api/overview#service-index) and a new +resource type which is `ApiKeyService/1.0.0`. For NuGet.org, the service index is available at +`https://api.nuget.org/v3/index.json`. The new resource URL be something like `https://www.nuget.org/api/v2/api-key`. + +``` +POST /api/v2/api-key HTTP/1.1 +Host: www.nuget.org +Authorization: Bearer {OIDC token} +Content-Type: application/json + +{ + "username": "{username of user with trust policy}" +} +``` + +The response will look like this: + +``` +HTTP/1.1 200 OK +Content-Type: application/json + +{ + "api_key": "{short lived API key in clear text}", + "expires": "{ISO 8601 timestamp of expiration}" +} +``` + +Authorization failures on this endpoint must return HTTP 401 Unauthorized with an `WWW-Authenticate: Bearer` response +header. + +The package source MUST NOT opt to return the an existing compatible API key (i.e. it must not cache the API key for +subsequent calls). To do so would require the original API key to be stored in plain text. NuGet.org API keys are hashed +prior to storage (much like standard recommendations around storing passwords). The the package source has concerns on +scalability it must opt to rate limit the endpoint instead of caching. NuGet.org will rate limit the endpoint to 1 API +key created per 30 seconds, per user. + +Unlike normal API keys, no warning message will be returned from the push endpoint (or any other authenticated endpoint) +as the API key nears its expiration. Additionally, no reminder email will be sent when these short-lived API keys are +nearing expiration (i.e. immediately!). Short-lived API keys will be cleaned up soon after their expiration to avoid +unnecessary bloat in the database. 
+ +The clear text (secret) of the short-lived API keys will be hashed in the database, much like existing long-lived API +keys. + +The `jti` claim will be recorded with the created API key so that subsequent calls to the endpoint can rejected, per the +`jti` uniqueness constraint. + +These short-lived API keys will not be visible in the NuGet.org UI. + +NuGet.org MAY record the JWT and related details (e.g. JWKS) for auditing and feature adoption purposes. + +## Other package sources + +Other NuGet package sources aside from NuGet.org could also implement this protocol. They would need to implement the +token trade endpoint. + +The `nuget/login` action could be implemented so that it supports and V3 package source, as long as it has a +`ApiKeyService/1.0.0` resource in the service index. This level of flexibility should be implemented anyways so that it +can be tested against NuGet DEV and INT pre-production environments. + +It would be the responsibility of the package source to implement OIDC token validation as well as expressing trust +policies. + +## Auditing usage on NuGet.org + +To help us understand the success of this feature and record priviledged actions for security auditing, we will at least +record minimal information about the OIDC token trade, such as the repository owner, repository name, workflow path, +etc. Existing auditing for API key usage will be used anywhere the short-lived API key is used. + +The metadata available in a GitHub Actions OIDC token is mentioned in GitHub's [Understanding the OIDC +token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token). + +These claims could offer useful indicators to package consumers about the package. 
In order to support a future effort +for [SLSA Build L1](https://slsa.dev/spec/v1.0/levels#build-l1), NuGet.org may record additional properties provided in +the OIDC token so that they could adorn the package details page. This would be in addition to minimal records kept for +security auditing purposes but would not extent beyond what is provided by GitHub Actions in their token or their public +OIDC endpoints (e.g. JWKS). This is not as strong as signed provenance artifacts but can augment the freeform metadata +we have today such as repository URL, project URL, or SourceLink information. + +Imagine showing "this package version was published from GitHub repository X, at commit Y", with some linked docs and +caveats, on the package details page. I think it can be useful without being authoritative, much like project URL or +repository URL today. If we begin gathering this information at day 1 of Trusted Publishers auth, we can backfill the +information visible on the package details sometime in the future. + +## The `nuget/login` GitHub Action step + +In order to fetch a GitHub OIDC from the GitHub Actions runtime environment, we need a custom GitHub action step. This +will be a new `NuGet/login` GitHub repository to host the source code for the step. This mimics the pattern of the +[`azure/login`](https://github.com/Azure/login). + +The step will require the ambient `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment +variables to trade the request token for a GitHub Actions OIDC token with the `nuget` value for the `aud` claim. An +custom `aud` claim can be fetched by appending `audience={desired aud}` query string to the +`ACTIONS_ID_TOKEN_REQUEST_URL` or by using the `@actions/core` JavaScript library. + +This latter GitHub Actions OIDC token will be send to the `ApiKeyService/1.0.0` resource. 
+ +The `NuGet/login` GitHub Action can use the NuGet.Protocol .NET package to determine the URL for the "create API key" +endpoint, via the `ApiKeyService/1.0.0` resource in the V3 service index. For cross-platform reason, the GitHub Action +will either be a [JavaScript action or a composite +action](https://docs.github.com/en/actions/creating-actions/about-custom-actions#types-of-actions) (to be determined +during implementation). At this times, it seems it would be easiest to implement a JavaScript action and not use +`NuGet.Protocol` at all. From 927916699db3c69594ff7e50cb9242b91145d601 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Mon, 5 Aug 2024 13:15:27 -0400 Subject: [PATCH 02/15] Address comments Clarify branch, environment, and workflow filters. Add note about 2FA Fix typo. Clarify existing NuGet auth flows Require HTTPS for service index and ApiKeyService endpoint Mentioned public marketplace for GitHub Action --- .../trusted-publishers-oidc-for-nuget-push.md | 41 +++++++++++++------ ...ublishers-oidc-for-nuget-push.technical.md | 24 ++++++++++- 2 files changed, 50 insertions(+), 15 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index a28ba85ef..b29063d2b 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md 
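Review bot: in the technical doc's "Validation of the GitHub OIDC token" section (patch 01), the `sub` pattern `{repo owner}/{repo name}:.*` omits the `repo:` prefix GitHub puts on every Actions `sub` claim (`repo:{owner}/{repo}:{context}`), and the branch check should expect `refs/heads/{branch}` (plural), not `refs/head/{branch}`; if the `sub` pattern is matched anchored it never succeeds against a real token, and if matched unanchored it is a substring search, so spell out the full prefix and anchor the comparison at the start. Under "Trading an OIDC token for an API key", recording the `jti` only on the short-lived API key row means the replay guard disappears when that row is cleaned up "soon after their expiration"; if the OIDC token's `exp` can fall later than the API key's, the same token could be traded again, so keep the `jti` until the token's own `exp` has passed regardless of API key cleanup. Also, the limit of one key per 30 seconds per user is keyed on the `username` from the request body, which arrives before the token is validated; count only successful trades (or key on the verified `repository_owner_id` claim) so a caller without a valid token cannot exhaust a user's quota.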
@@ -244,11 +244,16 @@ to see all of the properties. For the sake of simplicity, we will start with the following workflow filters: - Filtering for a specific *branch*, as shown in the UI above (branch filter) -- Filtering for a specific *environment* (a property set in the workflow, overriding the branch) -- Filtering for a specific *workflow path* (in addition to the previous two filters) +- Filtering for a specific *environment* (a property optionally set in the workflow) +- Filtering for a specific *workflow path* (relative file path within the repository) The screenshot above only shows the branch filter, so the UI will need to be expanded to cover the desired workflow -filters. +filters. A suggest UI would have 3 checkboxes: +- [ ] Filter by branch: __________ +- [ ] Filter by environment: __________ +- [ ] Filter by workflow: __________ + +At least one filter would need to be checked as to prevent an overly broad trust policy. Additional filters can be added in the future based on other properties provided in the GitHub OIDC token. @@ -260,6 +265,9 @@ In short, by adding this trust policy, the package author is saying: Once the package author has added this trust policy, NuGet.org will trust GitHub Actions OIDC tokens matching this pattern much like an existing long-lived API key, with the added benefit of the trust policy never expiring. +NuGet package sources must ensure a secure, authenticated session for the user that is adding the trust policy. +NuGet.org requires two-factor authentication for all web UI sign-ins. + #### What NuGet API operations can be used inside the GitHub Actions workflow? To scope the ways in which a GitHub trust policy can be used, similar scoping rules to the current API key flow can be 
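Review bot: "At least one filter would need to be checked" still allows a branch-only policy, and a branch filter constrains only the `ref`, not which workflow on that branch performed the push, so any workflow that runs on that branch can obtain a key; suggest the spec either make the workflow path filter mandatory (with branch and environment as optional narrowing, which the technical doc's `job_workflow_ref` check already supports) or at least state which combination is recommended. Minor: "A suggest UI" should read "A suggested UI".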
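Review bot: the new paragraph on requiring a secure, authenticated session covers policy creation, but nothing in this hunk says that adding or removing a trust policy is recorded or notified to the account; since a trust policy is a credential that never expires, suggest adding a sentence that both events are written to the account's audit record and trigger a notification email, consistent with the "Auditing usage on NuGet.org" section of the technical doc.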
@@ -450,7 +458,7 @@ operation. The two-legged approach gives use two big wins: 1. We control the duration the the main credential lives for. The package source can choose how long the NuGet API key - lives for. Manual revocation or secret leak detection systems and work for this. NuGet.org has no control over how + lives for. Manual revocation or secret leak detection systems can work for this. NuGet.org has no control over how long the GitHub Actions OIDC token lives. It's true that GitHub OIDC token could be leaked also, but this problem can be mitigated with `jti` controls and even stricter validations of the `exp` claim (i.e. enforcing a shorter lifetime for the token trade). 
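Review bot: the fix from "and work" to "can work" is right, but the surrounding context lines still read "The two-legged approach gives use two big wins" and "the duration the the main credential lives for"; worth fixing both in this same hunk ("gives us", "the duration the main credential").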
@@ -463,13 +471,17 @@ The two-legged approach gives use two big wins: ### NuGet operations that support Trusted Publishers Currently there are two branches of authentication in NuGet world. First is API-key based authentication for package -push, package delete (unlist), and package relist. These will support Trusted Publisher-based short-lived API keys. This -spec focuses on package push but package delete (unlist) and package relist should be supported also, as long as the -implementation cost/complexity is not affected too much. - -The other branch of NuGet authentication is package source authentication for read-only operations. This typically uses -a username/password-like flow via HTTP `Basic` authorization header. This flow is not impacted by Trusted Publishers and -existing mechanisms will not change (such as how credential providers work). +push, package delete (unlist), and package relist. These flows will support Trusted Publisher-based short-lived API +keys. This spec focuses on package push but package delete (unlist) and package relist should be supported also, as long +as the implementation cost/complexity is not affected too much. Any additional operation the changes package state could +be assessed in the future (such as a package deprecation API). All of these "modify package" operations use the +`X-NuGet-ApiKey` header to send the API key in clear text, thus requiring HTTPS to be secure. + +The other branch of NuGet authentication is package source authentication for **read-only** operations. This typically +uses a username/password-like flow via HTTP `Basic` authorization header. This flow is not impacted by Trusted +Publishers and existing mechanisms will not change (such as how credential providers work). Note that token-based +package sources such as Azure DevOps stuff bearer tokens into the `Basic` password field, as a workaround for NuGet's +lack of bearer token support (as mentioned in the previous section). 
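Review bot: the added sentence notes that `X-NuGet-ApiKey` carries the key in clear text and so requires HTTPS, but nothing here enforces that at push time; suggest stating that `nuget/login` refuses to emit a key for a `source` that is not HTTPS (the technical doc hunk in this patch makes that requirement for the service index, and repeating it here closes the loop for `dotnet nuget push -s`). Minor: "Any additional operation the changes package state" should read "that changes".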
Trusted Publishers will have the biggest impact on the ecosystem when it is supported on NuGet.org. This only needs the first branch of auth (API-key) so considering read-only (package download/restore) scenarios is not needed now. @@ -486,8 +498,11 @@ CI/CD workflows. In the end, this approach could support GitHub Actions via identity), as long as you can authenticate as an Entra ID service principal. The drawback of this is that NuGet.org would have no control over the workload identity tokens which are accepted and would be opening up a lot more authentication scenarios than we really need at this point. This would also require us rationalizing how an Entra ID -service principal relates to a NuGet.org user or organization profile, which is a lot more work! Maybe it's something we -need in the distant future, but not now. +service principal relates to a NuGet.org user or organization profile. Today NuGet.org allows Entra ID (formerly AAD, +Azure Active Directory) user sign in as well as personal Microsoft account (MSA) sign in. Therefore there is already +some relationship between NuGet.org and Entra ID. In what way this existing integration would be affected by a service +principal flow is unclear. So this idea would be a lot more work! Maybe it's something we need in the distant future, +but not now. ## Prior Art diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index b132b8161..90a7d4c76 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
@@ -35,10 +35,12 @@ following checks will be made: - `sub` claim matches `{repo owner}/{repo name}:.*` (case insensitive) - The suffix of the `sub` is implied by the other checks -- `repository` claim matches the `{repo name}` name (case insensitive) - `repository_owner` claim matches the `{repo owner}` name (case insensitive) - `repository_owner_id` claim matches the numeric owner ID recorded at the time of the trust policy creation - This is to avoid resurrection attacks. +- `repository` claim matches the `{repo name}` name (case insensitive) +- `repository_id` claim matches the numeric repository ID recorded at the time of the trust policy creation + - This is to avoid resurrection attacks. - If a branch filter is provided in the trust policy: - `ref_type` claim must be `branch` - `ref` claim must be `refs/head/{branch}` (case insensitive) @@ -48,6 +50,14 @@ following checks will be made: - `job_workflow_ref` claim must be `{repo owner}/{repo name}/{workflow path}@.*` (case insensitive) - The workflow path should be normalized to `/` path separators at the time of trust policy creation +A list of possible claims to verify against is available in GitHub's [Understanding the OIDC +token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) +document. + +Other Trusted Publishers like Azure DevOps or Bitbucket should have sufficient token claims so both the registry +(NuGet.org) and the package author are certain that only proper workload identity tokens are traded for privileged +short-lived API keys. + ## Data relationships (persisting trust policies, schema changes) A new SQL table will be added to the NuGetGallery database to store trust policies. The table should be generic enough 
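Review bot: adding the `repository_id` check alongside `repository_owner_id` is the right fix for renamed or recreated repositories, but the second hunk's guidance for other Trusted Publishers ("sufficient token claims") gives future implementers no bar to meet; suggest listing the minimum as it is applied to GitHub here: a stable numeric identifier for the owner and for the repository, plus a claim that identifies the workflow file, with the case-insensitive comparisons spelled out. The unchanged context line "`ref` claim must be `refs/head/{branch}`" should also become `refs/heads/{branch}` while this section is being edited.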
@@ -148,6 +158,11 @@ caveats, on the package details page. I think it can be useful without being aut repository URL today. If we begin gathering this information at day 1 of Trusted Publishers auth, we can backfill the information visible on the package details sometime in the future. +Note that this metadata provided in the token is not enough for a build provenance experience like npm's (see the [blog +announcement](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/)). This is because +a proper build provenance story has signed attestation occurring inside the Trusted Publisher. See [SLSA Build +L2](https://slsa.dev/spec/v1.0/levels#build-l2) for more information. + ## The `nuget/login` GitHub Action step In order to fetch a GitHub OIDC from the GitHub Actions runtime environment, we need a custom GitHub action step. This @@ -159,7 +174,9 @@ variables to trade the request token for a GitHub Actions OIDC token with the `n custom `aud` claim can be fetched by appending `audience={desired aud}` query string to the `ACTIONS_ID_TOKEN_REQUEST_URL` or by using the `@actions/core` JavaScript library. -This latter GitHub Actions OIDC token will be send to the `ApiKeyService/1.0.0` resource. +This latter GitHub Actions OIDC token will be send to the `ApiKeyService/1.0.0` resource, found via the `source` +parameter provided to the action. The `source` parameter must point to a V3 service index (JSON document). The service +index and the `ApiKeyService/1.0.0` resource URL must both be HTTPS. The `NuGet/login` GitHub Action can use the NuGet.Protocol .NET package to determine the URL for the "create API key" endpoint, via the `ApiKeyService/1.0.0` resource in the V3 service index. For cross-platform reason, the GitHub Action 
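Review bot: the new text ties the `ApiKeyService/1.0.0` lookup to the `source` parameter and requires HTTPS, which is good, but the token the action sends carries the fixed audience `nuget` (per the validation section), so a token minted for one package source is equally valid at every other source implementing this protocol, and a workflow pointed at a misconfigured source hands over a token that remains usable at NuGet.org until `exp`; suggest making the audience source-specific (for example the host of the service index, or a value the service index advertises alongside the resource) and having each source validate `aud` against its own value. Minor: "will be send" should read "will be sent".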
@@ -167,3 +184,6 @@ will either be a [JavaScript action or a composite action](https://docs.github.com/en/actions/creating-actions/about-custom-actions#types-of-actions) (to be determined during implementation). At this times, it seems it would be easiest to implement a JavaScript action and not use `NuGet.Protocol` at all. + +Once this `nuget/login` GitHub Action is complete, it will be published to the GitHub Action Marketplace, much like +Ruby's [`rubygems/release-gem` step](https://github.com/marketplace/actions/release-gem). From 5f7f90e67f47fb5bcef3a1f0f4f3c2683afe57cb Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Tue, 6 Aug 2024 09:34:30 -0400 Subject: [PATCH 03/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.md Co-authored-by: Damon Tivel --- accepted/2024/trusted-publishers-oidc-for-nuget-push.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index b29063d2b..ec7bbb7fc 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -54,7 +54,7 @@ There is a lot of lingo in this document, so here is a reference: | Pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | | Package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | | Push | The name of the package upload operation in NuGet ecosystem | -| Trusted Publisher | An name for a CI/CD environment that can generate OIDC tokens, using workload identity, [described by OpenSSF](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) | +| Trusted Publisher | A name for a CI/CD environment that can generate OIDC tokens, using workload identity, [described by OpenSSF](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) | ## Motivation 
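Review bot: In the context line of hunk `@@ -167,3 +184,6 @@`, "At this times, it seems it would be easiest" should read "At this time, it seems it would be easiest". The added marketplace sentence is fine; consider noting which publisher the `nuget/login` action will be published under, since the document uses both `nuget/login` and `NuGet/login`.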
From 8878bda32494794c600f08cd29e025d1fd089306 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Tue, 6 Aug 2024 09:34:45 -0400 Subject: [PATCH 04/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.md Co-authored-by: Damon Tivel --- accepted/2024/trusted-publishers-oidc-for-nuget-push.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index ec7bbb7fc..471add85a 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -421,7 +421,7 @@ information. ## Drawbacks -This workflow only helps users who want to build and push their packages on a recognized, Trusted Publisher. Not all +This workflow only helps users who want to build and push their packages on a recognized Trusted Publisher. Not all CI/CD systems will be supported so some users will still need to use the older authentication flows such as long-lived, manually rotated API keys. From d9d2e48fe7e7ab3bfec8b85448d378863c0b04f4 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Tue, 6 Aug 2024 10:03:12 -0400 Subject: [PATCH 05/15] Address comments --- .../trusted-publishers-oidc-for-nuget-push.md | 52 +++++++++++++++---- 1 file changed, 41 insertions(+), 11 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 471add85a..2b3b5cb8d 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md 
@@ -45,15 +45,15 @@ There is a lot of lingo in this document, so here is a reference: | Term | Definition | | ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | CI/CD | continuous integration/continuous deployment, technologies like GitHub Actions for building or deploying code automatically | -| Forge | A place to store code, often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | +| forge | A place to store code, often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | | JWKs | JSON web key set, a set of public keys that can be used to verify an OIDC token | | JWT | A JSON web token, a format of bearer token used for web authentication flows including OIDC, contains interesting "claims" (properties) in clear text | | NuGet API key | one of the authentication mechanisms used for uploading packages to a package source, a hex string starting with `oy2` when from NuGet.org | | nupkg | The file extension for a NuGet package, produced by NuGet pack, uploaded by NuGet push | | OIDC | OpenID Connect, an authentication protocol build on OAuth 2.0, think of it as a way for NuGet.org to trust GitHub Actions via a JWT included in package upload | -| Pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | -| Package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | -| Push | The name of the package upload operation in NuGet ecosystem | +| pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | +| package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | +| push | The name of the package upload operation in NuGet ecosystem | | Trusted Publisher | A name 
for a CI/CD environment that can generate OIDC tokens, using workload identity, [described by OpenSSF](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) | ## Motivation @@ -123,6 +123,8 @@ tier, enabled by default after adding a workflow YAML definition to your reposit billing for GitHub Actions](https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions). I will provide more details below on what the GitHub Actions workflow YAML looks like for NuGet.org Trusted Publishers. +There is no requirement on whether the GitHub repository is public or private. Any valid token issued by the +`https://token.actions.githubusercontent.com` issuer is acceptable. From our data, 61% of active packages have a repository URL or [SourceLink](https://github.com/dotnet/sourcelink) pointing to GitHub on the latest version of their package. @@ -306,6 +308,11 @@ Multiple trust policies can be defined. If any of the trust policies match the i the operation will be allowed. If the package ID is new and there is ambiguity on which package owner should be assigned to the package (due to multiple matching trust policies), the most recently created trust policy will be used. +If a package is transferred to another owner (i.e. the owner of the trust policy is removed as a owner of the package +the policy was intended for), the trust policy will no longer be effective. This is much like the current API key flow +where you could create an API key for `Microsoft.*`, but this does not give you access to all `Microsoft.*` packages -- +only ones that the package owner scope has direct ownership of at the time of package push. + ### Step 2: add a GitHub Actions workflow with NuGet.org Trusted Publisher authentication Without Trusted Publisher authentication, an upload to NuGet.org from GitHub Actions would look like this. This is a 
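Review bot: In hunk `@@ -306,6 +308,11 @@`, "removed as a owner" should read "removed as an owner". On the logic: the context line above says that for a new package ID matched by several trust policies "the most recently created trust policy will be used"; silently picking one owner is surprising, and since this hunk makes a policy ineffective once its owner no longer owns the package, a wrong pick at creation time is permanent. Suggest rejecting the push when more than one trust policy with different owners matches, or at least requiring the policies to be disambiguated in the UI.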
@@ -529,10 +536,33 @@ Ask away! ## Future Possibilities -- Enable additional CI/CD systems that support OIDC tokens - - Azure DevOps is next on the popularity list. Their workload identity federation is very focused on Azure today - ([blog](https://devblogs.microsoft.com/devops/workload-identity-federation-for-azure-deployments-is-now-generally-available/)). - - Gitee appears to be a Chinese source forge. We have not heard from our users about Gitee and NuGet.org integration. - - PyPI supports GitLab. We could follow suit if we hear from our users. -- Enable NuGet authentication provider integration, to avoid token expiration for long workflows -- Connect this effort with build provenance, tracked by [NuGet/Home#13581](https://github.com/NuGet/Home/issues/13581) +### Enable additional CI/CD systems that support OIDC tokens + +Azure DevOps is next on the popularity list. Their workload identity federation is very focused on Azure today +([blog](https://devblogs.microsoft.com/devops/workload-identity-federation-for-azure-deployments-is-now-generally-available/)). + +Gitee appears to be a Chinese source forge. We have not heard from our users about Gitee and NuGet.org integration. + +PyPI supports GitLab. We could follow suit if we hear from our users. + +The Trusted Publishers (i.e. forges, CI/CD platforms) that NuGet.org chooses to adopt in the future will be evaluated on +a case-by-case basis. We will consider factors such (but not limited to): +- Does the Trusted Publisher provide a generic or NuGet-targeted OIDC token system? + - In other words, we don't want to hack in Trusted Publisher support if the OIDC token is really meant for something + besides NuGet. +- How popular is the Trusted Publisher in our user base? + - Trusted Publishers need specific UI elements on NuGet.org and this specific work should justifiable given our other + priorities. +- Is there transparency from the Trusted Publisher around the issued tokens? 
+ - In other words, is it very clear to us and the even package consumers that a token is a sufficient replacement for + an API-key from a security perspective. + +### Enable NuGet authentication provider integration, to avoid token expiration for long workflows + +We will wait for evidence that the short-lived token lifetime duration (15 minutes) is not sufficient for all workflow +push operations. + +### Connect this effort with build provenance, tracked by [NuGet/Home#13581](https://github.com/NuGet/Home/issues/13581) + +This effort can be seen as a first step to enable build provenance, since it encourages package authors to move their +build, pack, and push operations to a trusted build environment. From aeeb29df59fdfb6e48b7c83e7713f4f1b1b78557 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Fri, 9 Aug 2024 12:16:27 -0400 Subject: [PATCH 06/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md Co-authored-by: Damon Tivel --- .../2024/trusted-publishers-oidc-for-nuget-push.technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index 90a7d4c76..48c553dea 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
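Review bot: In hunk `@@ -529,10 +536,33 @@` of patch 05, several added lines need grammar fixes: "We will consider factors such (but not limited to):" should read "factors such as (but not limited to):"; "this specific work should justifiable" should read "should be justifiable"; and "is it very clear to us and the even package consumers" should read "is it very clear to us, and even to package consumers,". The hardcoded "(15 minutes)" under the authentication provider heading duplicates a value that belongs in the technical document; state it in one place only.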
@@ -106,7 +106,7 @@ header. The package source MUST NOT opt to return the an existing compatible API key (i.e. it must not cache the API key for subsequent calls). To do so would require the original API key to be stored in plain text. NuGet.org API keys are hashed -prior to storage (much like standard recommendations around storing passwords). The the package source has concerns on +prior to storage (much like standard recommendations around storing passwords). The package source has concerns on scalability it must opt to rate limit the endpoint instead of caching. NuGet.org will rate limit the endpoint to 1 API key created per 30 seconds, per user. From 8d6c2808e56c70283762a63e3c45bf339c58d68d Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Fri, 9 Aug 2024 13:13:41 -0400 Subject: [PATCH 07/15] Add example sub, clarify API key caching --- .../trusted-publishers-oidc-for-nuget-push.md | 4 ++-- ...ublishers-oidc-for-nuget-push.technical.md | 22 ++++++++++++------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 2b3b5cb8d..6e9697490 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -559,8 +559,8 @@ a case-by-case basis. We will consider factors such (but not limited to): ### Enable NuGet authentication provider integration, to avoid token expiration for long workflows -We will wait for evidence that the short-lived token lifetime duration (15 minutes) is not sufficient for all workflow -push operations. +We will wait for evidence that our selected short-lived token lifetime duration is not sufficient for all workflow push +operations. ### Connect this effort with build provenance, tracked by [NuGet/Home#13581](https://github.com/NuGet/Home/issues/13581) 
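Review bot: In hunk `@@ -106,7 +106,7 @@` of patch 06, the corrected line is still a fragment: "The package source has concerns on scalability it must opt to rate limit the endpoint instead of caching." Presumably "If the package source has concerns about scalability, it must opt to rate limit the endpoint instead of caching." Since the surrounding text is a MUST NOT requirement, the sentence that spells out the permitted alternative should be unambiguous.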
diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index 48c553dea..09ef0b47a 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md @@ -33,8 +33,10 @@ package can help us properly validate JWTs in our NuGet/NuGetGallery ASP.NET app In addition to the general JWT checks, specific checks are made for each Trusted Publisher. For GitHub Actions, the following checks will be made: -- `sub` claim matches `{repo owner}/{repo name}:.*` (case insensitive) +- `sub` claim has a `repo:{repo owner}/{repo name}:` prefix (case insensitive) - The suffix of the `sub` is implied by the other checks + - Example, when an environment is set: `repo:octo-org/octo-repo:environment:Production` + - Example, for a specific branch and no environment is set: `repo:octo-org/octo-repo:ref:refs/heads/demo-branch` - `repository_owner` claim matches the `{repo owner}` name (case insensitive) - `repository_owner_id` claim matches the numeric owner ID recorded at the time of the trust policy creation - This is to avoid resurrection attacks. 
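Review bot: In hunk `@@ -33,8 +33,10 @@`, the two new examples show `ref:refs/heads/demo-branch` (plural `heads`), which is the correct GitHub form; the branch-filter bullet further down still says `refs/head/{branch}` and should be brought in line. Also consider adding a third example for the case where neither an environment nor a branch applies (for example a tag push, where the suffix is still `ref:` based), since the document relies on "the suffix of the `sub` is implied by the other checks" and the reader should see what those suffixes look like.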
@@ -43,12 +45,13 @@ following checks will be made: - This is to avoid resurrection attacks. - If a branch filter is provided in the trust policy: - `ref_type` claim must be `branch` - - `ref` claim must be `refs/head/{branch}` (case insensitive) + - `ref` claim must be `refs/head/{branch}` (case sensitive, branch names of differing case can coexist) - If an environment filter is provided in the trust policy: - `environment` claim must be `{environment}` (case insensitive) - If a workflow path filter is provided in the trust policy: - `job_workflow_ref` claim must be `{repo owner}/{repo name}/{workflow path}@.*` (case insensitive) - - The workflow path should be normalized to `/` path separators at the time of trust policy creation + - The workflow path should be normalized to `/` path separators at the time of trust policy creation, by the package + source, for better UX A list of possible claims to verify against is available in GitHub's [Understanding the OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) 
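Review bot: In hunk `@@ -43,12 +45,13 @@`, the modified line keeps `refs/head/{branch}` while the examples added in the previous hunk use `refs/heads/...`; GitHub emits `refs/heads/{branch}`, so this check will never pass as written. Change it to `refs/heads/{branch}`. The switch to a case-sensitive comparison is correct (Git refs are case sensitive), but the doc should then also say that the branch filter is stored and compared byte-for-byte and is not normalized at trust policy creation, unlike the workflow path which this hunk says the package source normalizes.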
@@ -104,11 +107,14 @@ Content-Type: application/json Authorization failures on this endpoint must return HTTP 401 Unauthorized with an `WWW-Authenticate: Bearer` response header. -The package source MUST NOT opt to return the an existing compatible API key (i.e. it must not cache the API key for -subsequent calls). To do so would require the original API key to be stored in plain text. NuGet.org API keys are hashed -prior to storage (much like standard recommendations around storing passwords). The package source has concerns on -scalability it must opt to rate limit the endpoint instead of caching. NuGet.org will rate limit the endpoint to 1 API -key created per 30 seconds, per user. +The package source MUST NOT return an existing compatible API key and MUST generate a new one on demand (e.g. it must +not cache the API key for subsequent calls). To do so would require the original API key to be stored in plain text. +NuGet.org API keys are hashed prior to storage (much like standard recommendations around storing passwords). The +package source has concerns on scalability it must opt to rate limit the endpoint instead of caching. NuGet.org will +rate limit the endpoint to 1 API key created per 30 seconds, per user. + +API keys are expected to be cached on the client side, in a secure manner, to allow the needed number of authorized API +operations (e.g. push). Unlike normal API keys, no warning message will be returned from the push endpoint (or any other authenticated endpoint) as the API key nears its expiration. Additionally, no reminder email will be sent when these short-lived API keys are From a822af85de915df3d68e3b6573cc72171a25cd99 Mon Sep 17 00:00:00 2001 
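Review bot: In hunk `@@ -104,11 +107,14 @@`, "(e.g. it must not cache the API key for subsequent calls)" should be "(i.e. ...)" since it restates the requirement rather than giving an example, and "The package source has concerns on scalability it must opt to rate limit" is still missing its leading "If". The new client-side caching paragraph interacts with the "1 API key created per 30 seconds, per user" limit: a matrix or multi-job workflow in which each job runs the login step will be throttled after the first job. Document the expected behaviour for that case (retry with backoff, or run the login step once per workflow), so action authors do not treat the throttle as an authorization failure.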
From: Joel Verhagen Date: Fri, 9 Aug 2024 13:39:06 -0400 Subject: [PATCH 08/15] Address comments Renamed resource from ApiKeyService to TokenService to be a bit more flexible for the future. --- .../trusted-publishers-oidc-for-nuget-push.md | 2 +- ...ublishers-oidc-for-nuget-push.technical.md | 69 +++++++++++++++---- 2 files changed, 58 insertions(+), 13 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 6e9697490..59a7e9123 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -560,7 +560,7 @@ a case-by-case basis. We will consider factors such (but not limited to): ### Enable NuGet authentication provider integration, to avoid token expiration for long workflows We will wait for evidence that our selected short-lived token lifetime duration is not sufficient for all workflow push -operations. +operations. As mentioned in the technical document, we will start with 15 minutes and adjust later if needed. ### Connect this effort with build provenance, tracked by [NuGet/Home#13581](https://github.com/NuGet/Home/issues/13581) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index 09ef0b47a..7fb3c8e54 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
@@ -78,11 +78,14 @@ Deleting a trust policy should have the effect of deleting all related short-liv A new endpoint will be needed for trading an bearer token (OIDC token, a JWT) for an API key. The endpoint URL will be discoverable via the [V3 service index](https://learn.microsoft.com/en-us/nuget/api/overview#service-index) and a new -resource type which is `ApiKeyService/1.0.0`. For NuGet.org, the service index is available at -`https://api.nuget.org/v3/index.json`. The new resource URL be something like `https://www.nuget.org/api/v2/api-key`. +resource type which is `TokenService/1.0.0`. For NuGet.org, the service index is available at +`https://api.nuget.org/v3/index.json`. The new resource URL be something like `https://www.nuget.org/api/v2/token`. + +This new resource will be referred to as the **token service**. This generic name will allow for future dynamic +authorization scenarios beyond trading a bearer token for a NuGet API key. ``` -POST /api/v2/api-key HTTP/1.1 +POST /api/v2/token HTTP/1.1 Host: www.nuget.org Authorization: Bearer {OIDC token} Content-Type: application/json 
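Review bot: In hunk `@@ -78,11 +78,14 @@`, the context and modified lines need grammar fixes: "trading an bearer token" should read "trading a bearer token" and "The new resource URL be something like" should read "The new resource URL will be something like". Since the resource is renamed to the generic `TokenService/1.0.0` to allow "future dynamic authorization scenarios", the request to `POST /api/v2/token` should carry a field naming the token type being requested, mirroring the `token_type` field the response gains in the next hunk; otherwise a second token type cannot be added without changing the endpoint's default behaviour.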
@@ -99,20 +102,22 @@ HTTP/1.1 200 OK Content-Type: application/json { - "api_key": "{short lived API key in clear text}", - "expires": "{ISO 8601 timestamp of expiration}" + "token_type": "api_key", + "expires": "{ISO 8601 timestamp of expiration}", + "api_key": "{short lived API key in clear text}" } ``` -Authorization failures on this endpoint must return HTTP 401 Unauthorized with an `WWW-Authenticate: Bearer` response -header. - The package source MUST NOT return an existing compatible API key and MUST generate a new one on demand (e.g. it must not cache the API key for subsequent calls). To do so would require the original API key to be stored in plain text. NuGet.org API keys are hashed prior to storage (much like standard recommendations around storing passwords). The package source has concerns on scalability it must opt to rate limit the endpoint instead of caching. NuGet.org will rate limit the endpoint to 1 API key created per 30 seconds, per user. +Authorization failures on this endpoint must return HTTP 401 Unauthorized with an `WWW-Authenticate: Bearer` response +header. Throttling failures on this endpoint MUST return HTTP 429 Too Many Requests and MAY return the standard +`Retry-After` response header. + API keys are expected to be cached on the client side, in a secure manner, to allow the needed number of authorized API operations (e.g. push). 
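Review bot: In hunk `@@ -99,20 +102,22 @@`, the moved 401 requirement only mandates `WWW-Authenticate: Bearer`; suggest requiring the RFC 6750 `error` and `error_description` parameters (for example `error="invalid_token"`) so the `nuget/login` step can tell an expired or malformed OIDC token apart from a valid token that matches no trust policy, and log a useful message without exposing the token. The 429 plus `Retry-After` requirement is good; the "package source has concerns on scalability" fragment in the unchanged context line still needs its leading "If".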
@@ -131,13 +136,50 @@ These short-lived API keys will not be visible in the NuGet.org UI. NuGet.org MAY record the JWT and related details (e.g. JWKS) for auditing and feature adoption purposes. +NuGet.org will produce API keys that last 15 minutes, but this value is subject to change as we learn more about how +this feature is used in practice. PyPI uses this duration ([source](https://docs.pypi.org/trusted-publishers/)). Also, +15 minutes will support about 99% of push sessions on NuGet.org. For the sake of this analysis, a push session is a +sequence of push operations from a distinct package owner set, where the pushes are no more than 5 minutes apart. Below +is a table of push sessions of various durations. The difference between 15 minute and 1 hour API key life givens less +than 1% of additional coverage. + + + +| % with single push | % < 1m | % < 5m | % < 10m | % < 15m | % < 30m | % < 1h | +| ------------------ | ------ | ------ | ------- | ------- | ------- | ------ | +| 63.23 | 75.32 | 93.49 | 98 | 99.12 | 99.84 | 99.95 | + ## Other package sources Other NuGet package sources aside from NuGet.org could also implement this protocol. They would need to implement the token trade endpoint. The `nuget/login` action could be implemented so that it supports and V3 package source, as long as it has a -`ApiKeyService/1.0.0` resource in the service index. This level of flexibility should be implemented anyways so that it +`TokenService/1.0.0` resource in the service index. This level of flexibility should be implemented anyways so that it can be tested against NuGet DEV and INT pre-production environments. It would be the responsibility of the package source to implement OIDC token validation as well as expressing trust 
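Review bot: In hunk `@@ -131,13 +136,50 @@`, the push-session analysis measures time between pushes, but the 15-minute API key clock starts at the `nuget/login` step, which in the workflow ordering runs before build and pack; the effective budget for a session is therefore 15 minutes minus build time unless the login step is placed immediately before the first push. Say so, or recommend that ordering. Minor: "givens less than 1% of additional coverage" should read "gives less than 1%"; "supports and V3 package source" should read "supports any V3 package source"; and the blank added lines above the table look like an emptied HTML comment, so if the query that produced these numbers was meant to be included (as the `extend [...]` comment is for the forge table), restore it.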
@@ -180,12 +222,12 @@ variables to trade the request token for a GitHub Actions OIDC token with the `n custom `aud` claim can be fetched by appending `audience={desired aud}` query string to the `ACTIONS_ID_TOKEN_REQUEST_URL` or by using the `@actions/core` JavaScript library. -This latter GitHub Actions OIDC token will be send to the `ApiKeyService/1.0.0` resource, found via the `source` +This latter GitHub Actions OIDC token will be send to the `TokenService/1.0.0` resource, found via the `source` parameter provided to the action. The `source` parameter must point to a V3 service index (JSON document). The service -index and the `ApiKeyService/1.0.0` resource URL must both be HTTPS. +index and the `TokenService/1.0.0` resource URL must both be HTTPS. The `NuGet/login` GitHub Action can use the NuGet.Protocol .NET package to determine the URL for the "create API key" -endpoint, via the `ApiKeyService/1.0.0` resource in the V3 service index. For cross-platform reason, the GitHub Action +endpoint, via the `TokenService/1.0.0` resource in the V3 service index. For cross-platform reason, the GitHub Action will either be a [JavaScript action or a composite action](https://docs.github.com/en/actions/creating-actions/about-custom-actions#types-of-actions) (to be determined during implementation). At this times, it seems it would be easiest to implement a JavaScript action and not use @@ -193,3 +235,6 @@ during implementation). At this times, it seems it would be easiest to implement Once this `nuget/login` GitHub Action is complete, it will be published to the GitHub Action Marketplace, much like Ruby's [`rubygems/release-gem` step](https://github.com/marketplace/actions/release-gem). + +The `nuget/login` step should be tolerant of throttling responses from the token service endpoint. The step should allow +some amount of waiting and retrying on 412 Too Many Requests responses, using retry response headers if available. 
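Review bot: In hunk `@@ -193,3 +235,6 @@`, "412 Too Many Requests" is wrong: 412 is Precondition Failed, and the token service hunk in this same patch specifies HTTP 429 Too Many Requests with an optional `Retry-After` header. Change the retry guidance to 429 and reference `Retry-After` by name so the action and the server agree. Also suggest a bounded retry budget so a misbehaving endpoint cannot hang a workflow indefinitely.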
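Review bot: In hunk `@@ -180,12 +222,12 @@`, the modified line still reads "will be send to the `TokenService/1.0.0` resource"; it should read "will be sent". In the unchanged context, "For cross-platform reason" should read "For cross-platform reasons". The rename from `ApiKeyService/1.0.0` is applied consistently in this hunk.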
From c3952bc5491048546a8a8ce1f60817d8d0dc5afd Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Fri, 9 Aug 2024 14:04:52 -0400 Subject: [PATCH 09/15] Add note about masking --- .../2024/trusted-publishers-oidc-for-nuget-push.technical.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index 7fb3c8e54..b11af626a 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md @@ -238,3 +238,7 @@ Ruby's [`rubygems/release-gem` step](https://github.com/marketplace/actions/rele The `nuget/login` step should be tolerant of throttling responses from the token service endpoint. The step should allow some amount of waiting and retrying on 412 Too Many Requests responses, using retry response headers if available. + +GitHub Actions [secret +masking](https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions) +will be used to reduce the risk of a short-lived NuGet API getting logged in clear text. From 25fa03e3c5a5f23ff25b7ea773c3aab2acdf325d Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 15 Aug 2024 16:48:28 -0400 Subject: [PATCH 10/15] Address some comments --- .../trusted-publishers-oidc-for-nuget-push.md | 60 ++++++++++++------- ...ublishers-oidc-for-nuget-push.technical.md | 20 ++++--- 2 files changed, 52 insertions(+), 28 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 59a7e9123..08df7aa7a 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md 
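Review bot: In hunk `@@ -238,3 +238,7 @@` of patch 09, "a short-lived NuGet API getting logged" is missing "key". Mask the GitHub OIDC token as well as the API key: it is a bearer credential until it expires and can be presented to the token service by anyone who reads the log, and `@actions/core` (already referenced in this document) provides `core.setSecret` for exactly this. The unchanged context line in this hunk still says "412 Too Many Requests", which should be 429.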
@@ -42,18 +42,18 @@ the rich context and prior art. There is a lot of lingo in this document, so here is a reference: -| Term | Definition | -| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| CI/CD | continuous integration/continuous deployment, technologies like GitHub Actions for building or deploying code automatically | -| forge | A place to store code, often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | -| JWKs | JSON web key set, a set of public keys that can be used to verify an OIDC token | -| JWT | A JSON web token, a format of bearer token used for web authentication flows including OIDC, contains interesting "claims" (properties) in clear text | -| NuGet API key | one of the authentication mechanisms used for uploading packages to a package source, a hex string starting with `oy2` when from NuGet.org | -| nupkg | The file extension for a NuGet package, produced by NuGet pack, uploaded by NuGet push | -| OIDC | OpenID Connect, an authentication protocol build on OAuth 2.0, think of it as a way for NuGet.org to trust GitHub Actions via a JWT included in package upload | -| pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | -| package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | -| push | The name of the package upload operation in NuGet ecosystem | +| Term | Definition | +| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CI/CD | continuous integration/continuous deployment, technologies like GitHub Actions for building or deploying code automatically | +| forge | A place to store code, 
often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | +| JWKs | JSON web key set, a set of public keys that can be used to verify an OIDC token | +| JWT | A JSON web token, a format of bearer token used for web authentication flows including OIDC, contains interesting "claims" (properties) in clear text | +| NuGet API key | one of the authentication mechanisms used for uploading packages to a package source, a hex string starting with `oy2` when from NuGet.org | +| nupkg | The file extension for a NuGet package, produced by NuGet pack, uploaded by NuGet push | +| OIDC | OpenID Connect, an authentication protocol build on OAuth 2.0, think of it as a way for NuGet.org to trust GitHub Actions via a JWT included in package upload | +| pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | +| package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | +| push | The name of the package upload operation in NuGet ecosystem | | Trusted Publisher | A name for a CI/CD environment that can generate OIDC tokens, using workload identity, [described by OpenSSF](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) | ## Motivation 
@@ -195,16 +195,16 @@ Here is a summary of known forges, based on package URL, repository URL, SourceL | extend ["% of owners"] = round(100.0 * Owners / TotalUniqueOwnersSets, 2) --> -| Forge | Package IDs | Owners | % of package IDs | % of owners | -| ------------ | ----------- | ------ | ---------------- | ----------- | -| GitHub | 74440 | 14742 | 61.37 | 55.77 | +| Forge | Package IDs | Owners | % of package IDs | % of owners | Has CI/CD OIDC | +| ------------ | ----------- | ------ | ---------------- | ----------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | +| GitHub | 74440 | 14742 | 61.37 | 55.77 | [Yes](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect) | | (unknown) | 42738 | 10997 | 35.24 | 41.6 | -| Azure DevOps | 1448 | 238 | 1.19 | 0.9 | -| Gitee | 1440 | 188 | 1.19 | 0.71 | -| GitLab | 825 | 165 | 0.68 | 0.62 | -| Bitbucket | 392 | 98 | 0.32 | 0.37 | -| Codeberg | 6 | 3 | 0 | 0.01 | -| Gitea | 1 | 1 | 0 | 0 | +| Azure DevOps | 1448 | 238 | 1.19 | 0.9 | [Yes, but Azure-specific](https://learn.microsoft.com/en-us/azure/devops/pipelines/release/configure-workload-identity?view=azure-devops) | +| Gitee | 1440 | 188 | 1.19 | 0.71 | No? | +| GitLab | 825 | 165 | 0.68 | 0.62 | [Yes](https://docs.gitlab.com/ee/integration/openid_connect_provider.html) | +| Bitbucket | 392 | 98 | 0.32 | 0.37 | [Yes](https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/) | +| Codeberg | 6 | 3 | 0 | 0.01 | No? | +| Gitea | 1 | 1 | 0 | 0 | No? | (considering only latest package versions metadata of packages published in the past year, our definition of "active packages") 
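Review bot: In hunk `@@ -195,16 +195,16 @@`, the `(unknown)` row is left as unchanged context with five cells while the new header row has six ("Has CI/CD OIDC"), so the table no longer renders consistently; add a sixth cell (empty or "n/a") to that row. The "No?" entries are ambiguous between "verified no" and "not checked"; prefer "not found" or a link to what was checked, since this column feeds the case-by-case adoption decision later in the document.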
@@ -557,6 +557,24 @@ a case-by-case basis. We will consider factors such (but not limited to): - In other words, is it very clear to us and the even package consumers that a token is a sufficient replacement for an API-key from a security perspective. +### Enforce short-lived (OIDC) auth for onboarded packages/package owners + +When a package owner opts to start using this Trusted Publishers feature, they have improved their security posture from +no longer depending on long-lived secrets that have are very damaging if leaked. We could choose to enforce this +improved authentication flow by doing some combination of the following: + +- Invalidate all existing API keys at the time of trust policy creation +- Require short-lived API keys (no UI or long-lived API key auth) on a package ID after it has a single short-lived API + key push +- Require all packages owned by the user to use short-lived API keys after a trust policy is created + +It's unclear how these enforcements would work for packages with multiple owners or with users that are members of +organizations. + +We will consider this sort of enforcement some time after the initial release of the feature. We won't know what kind of +blockers users will run in to and in what cases they may still need to use short lived and long lived API keys at the +same time. + ### Enable NuGet authentication provider integration, to avoid token expiration for long workflows We will wait for evidence that our selected short-lived token lifetime duration is not sufficient for all workflow push diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index b11af626a..9f8010f8e 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
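Review bot: In hunk `@@ -557,6 +557,24 @@`, "long-lived secrets that have are very damaging if leaked" should read "long-lived secrets that are very damaging if leaked", and "run in to" should read "run into". On the options: "Invalidate all existing API keys at the time of trust policy creation" is the most disruptive of the three, because (per the owner-scoping discussion earlier in this document) a user's existing keys may be scoped to packages the new trust policy does not cover; suggest listing the options from least to most disruptive and stating that blast radius explicitly.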
@@ -187,19 +187,19 @@ policies. ## Auditing usage on NuGet.org -To help us understand the success of this feature and record priviledged actions for security auditing, we will at least +To help us understand the success of this feature and record privileged actions for security auditing, we will at least record minimal information about the OIDC token trade, such as the repository owner, repository name, workflow path, etc. Existing auditing for API key usage will be used anywhere the short-lived API key is used. The metadata available in a GitHub Actions OIDC token is mentioned in GitHub's [Understanding the OIDC token](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token). -These claims could offer useful indicators to package consumers about the package. In order to support a future effort -for [SLSA Build L1](https://slsa.dev/spec/v1.0/levels#build-l1), NuGet.org may record additional properties provided in -the OIDC token so that they could adorn the package details page. This would be in addition to minimal records kept for -security auditing purposes but would not extent beyond what is provided by GitHub Actions in their token or their public -OIDC endpoints (e.g. JWKS). This is not as strong as signed provenance artifacts but can augment the freeform metadata -we have today such as repository URL, project URL, or SourceLink information. +These claims could offer useful indicators to package consumers about the package. In order to support a future effort, +NuGet.org may record additional properties provided in the OIDC token so that they could adorn the package details page. +This would be in addition to minimal records kept for security auditing purposes but would not extent beyond what is +provided by GitHub Actions in their token or their public OIDC endpoints (e.g. JWKS). 
This is not as strong as signed +provenance artifacts but can augment the freeform metadata we have today such as repository URL, project URL, or +SourceLink information. Imagine showing "this package version was published from GitHub repository X, at commit Y", with some linked docs and caveats, on the package details page. I think it can be useful without being authoritative, much like project URL or @@ -211,6 +211,12 @@ announcement](https://github.blog/security/supply-chain-security/introducing-npm a proper build provenance story has signed attestation occurring inside the Trusted Publisher. See [SLSA Build L2](https://slsa.dev/spec/v1.0/levels#build-l2) for more information. +The existing repository metadata (e.g. repository URL) shown on the package details page and any additional metadata we +show based on the OIDC token requires the package consumer to trust both the Trusted Publisher (GitHub Actions) and the +registry (NuGet.org) that they are not tampering with the metadata. This is the risk inherent to [SLSA Build +L1](https://slsa.dev/spec/v1.0/levels#build-l1). If we do opt to adorn package details package with more metadata, we +will be careful to clarify the risks and the "trustability" of the information shown. + ## The `nuget/login` GitHub Action step In order to fetch a GitHub OIDC from the GitHub Actions runtime environment, we need a custom GitHub action step. This From 21128b53897432f722cf4f776af7645a2f9d8cca Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 15 Aug 2024 17:21:18 -0400 Subject: [PATCH 11/15] Don't allow ID scoping and allowed action scoping --- .../trusted-publishers-oidc-for-nuget-push.md | 256 ++++++++++++++---- 1 file changed, 210 insertions(+), 46 deletions(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 59a7e9123..52abfa7b3 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md 
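Review bot: in the reworded paragraph the typo "would not extent beyond what is provided by GitHub Actions" survives from the original and should be "would not extend beyond"; while touching the sentence, the "minimal information about the OIDC token trade, such as the repository owner, repository name, workflow path, etc." list is the audit record an incident responder will rely on, and the claims GitHub's linked "Understanding the OIDC token" page documents that most help attribute a malicious push are `sha`, `ref`, `run_id`, `job_workflow_ref` and `actor`; naming those as part of the minimal record would make the auditing commitment concrete rather than open-ended.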
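Review bot: in the new paragraph about SLSA Build L1, "If we do opt to adorn package details package with more metadata" should read "package details page"; the trust statement itself is right but would be clearer if it named the two parties' failure modes separately, i.e. the consumer trusts GitHub Actions to issue accurate claims and trusts NuGet.org to store and display them unmodified, since the mitigations for each (provider key rotation via JWKS versus registry-side audit logs) are different.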
+++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md 
@@ -42,18 +42,18 @@ the rich context and prior art. There is a lot of lingo in this document, so here is a reference: -| Term | Definition | -| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| CI/CD | continuous integration/continuous deployment, technologies like GitHub Actions for building or deploying code automatically | -| forge | A place to store code, often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | -| JWKs | JSON web key set, a set of public keys that can be used to verify an OIDC token | -| JWT | A JSON web token, a format of bearer token used for web authentication flows including OIDC, contains interesting "claims" (properties) in clear text | -| NuGet API key | one of the authentication mechanisms used for uploading packages to a package source, a hex string starting with `oy2` when from NuGet.org | -| nupkg | The file extension for a NuGet package, produced by NuGet pack, uploaded by NuGet push | -| OIDC | OpenID Connect, an authentication protocol build on OAuth 2.0, think of it as a way for NuGet.org to trust GitHub Actions via a JWT included in package upload | -| pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | -| package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | -| push | The name of the package upload operation in NuGet ecosystem | +| Term | Definition | +| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| CI/CD | continuous integration/continuous deployment, technologies like GitHub Actions for building or deploying code automatically | +| forge | A place to store code, 
often a SaaS offering like GitHub, GitLab, or Bitbucket, often has a CI/CD offering paired | +| JWKs | JSON web key set, a set of public keys that can be used to verify an OIDC token | +| JWT | A JSON web token, a format of bearer token used for web authentication flows including OIDC, contains interesting "claims" (properties) in clear text | +| NuGet API key | one of the authentication mechanisms used for uploading packages to a package source, a hex string starting with `oy2` when from NuGet.org | +| nupkg | The file extension for a NuGet package, produced by NuGet pack, uploaded by NuGet push | +| OIDC | OpenID Connect, an authentication protocol build on OAuth 2.0, think of it as a way for NuGet.org to trust GitHub Actions via a JWT included in package upload | +| pack | The name of the package creation operation, produces a .nupkg and optionally a .snupkg | +| package source | A NuGet.org package feed, or package registry (all synonymous), a destination for push operations | +| push | The name of the package upload operation in NuGet ecosystem | | Trusted Publisher | A name for a CI/CD environment that can generate OIDC tokens, using workload identity, [described by OpenSSF](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) | ## Motivation 
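Review bot: this hunk only realigns column padding in the lingo table, so it is a good place to fix the two wording issues in the rows it rewrites: the OIDC row's "an authentication protocol build on OAuth 2.0" should be "built on OAuth 2.0", and the term "JWKs" should be "JWKS" (JSON Web Key Set), which is also how the technical document spells it ("public OIDC endpoints (e.g. JWKS)").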
@@ -272,37 +272,17 @@ NuGet.org requires two-factor authentication for all web UI sign-ins. #### What NuGet API operations can be used inside the GitHub Actions workflow? -To scope the ways in which a GitHub trust policy can be used, similar scoping rules to the current API key flow can be -set on the GitHub Actions trust policy: +We will not implement scoping rules as flexible as the current long-lived API key flow on the GitHub Actions trust +policy. See the [Enable existing scoping features allowed on long-lived API +keys](#enable-existing-scoping-features-allowed-on-long-lived-api-keys) section below for why we are keeping it simple. -![Scope form](meta/trusted-publishers-oidc-for-nuget-push/scope-form.png) - -Just like the existing API scoping feature, there are 3 dimensions which a trust policy can be scoped. For more -information about scopes on API keys, see [Scoped API -keys](https://learn.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys). In summary: - -- **Package owner**: for users that are members of one or more organizations, it's important to know which package owner - this trust policy acts on behalf of. For example, in my screenshot above the package owner is set to `joelverhagen`, - so packages owned only by my `snoozecorp` organization will not accept package uploads via this trust policy. This is - also important to define who is the initial owner of a package that is newly created. In this example, if I push a new - `Knapcode.MyBestPackage` package ID, the new package ID will be owned by `joelverhagen`, not `snoozecorp` or any other - organization that I am a member of based on this package owner definition. This resolves the ["Pending" Trusted - Publishers](https://repos.openssf.org/trusted-publishers-for-all-package-repositories#pending-trusted-publishers) - problem. 
+In short, all NuGet API key operations will be supported by the GitHub Actions workflow: pushing new package IDs, +updating existing package IDs, unlisting/relisting package versions. -- **Scopes**: the scope radio buttons and checkboxes define what kind of operations the trust policy can be used for. - For example, can the trust policy be used to unlist packages in addition to publishing new packages? Can only versions - on existing package IDs be published? Or new package IDs be created as well? - -- **Glob pattern**: this defines which package IDs the trust policy can apply to, based on a wildcard pattern (called - "glob" in this context for historical reasons). If you want the trust policy to apply to all package IDs you own, you - would specify `*`. Note that a broad wildcard like `*` does not supersede access controls on package IDs you do not - own. It just defines which if your packages the trust policy can work for. - -The screenshot above allows only new package versions to be pushed for packages owned by `joelverhagen`, having IDs -starting in `Knapcode.`. New package IDs cannot be created in this case nor can packages be unlisted. - -Unlike API key definitions, there is no "Expires In" field, because a trust policy never expires. +The user must still select the package owner that the trust policy applies to since this allows a new package ID to have +the proper owner: either the user themself or an organization they are a member of. This resolves the ["Pending" Trusted +Publishers](https://repos.openssf.org/trusted-publishers-for-all-package-repositories#pending-trusted-publishers) +problem. Multiple trust policies can be defined. If any of the trust policies match the incoming package and GitHub Action token, the operation will be allowed. If the package ID is new and there is ambiguity on which package owner should be assigned 
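Review bot: the replacement text "all NuGet API key operations will be supported by the GitHub Actions workflow: pushing new package IDs, updating existing package IDs, unlisting/relisting package versions" removes the action and glob scoping without stating the resulting blast radius in one place; a sentence saying that a matched trust policy is equivalent to a long-lived API key with every scope and the `*` pattern for the selected package owner would let a reader compare the two options honestly (secretless, but unscoped). The trailing "Multiple trust policies can be defined. If any of the trust policies match the incoming package and GitHub Action token, the operation will be allowed" should also say what the match is evaluated on (repository owner, repository, workflow path and environment claims) now that package ID no longer participates in matching.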
@@ -505,11 +485,195 @@ CI/CD workflows. In the end, this approach could support GitHub Actions via identity), as long as you can authenticate as an Entra ID service principal. The drawback of this is that NuGet.org would have no control over the workload identity tokens which are accepted and would be opening up a lot more authentication scenarios than we really need at this point. This would also require us rationalizing how an Entra ID -service principal relates to a NuGet.org user or organization profile. Today NuGet.org allows Entra ID (formerly AAD, -Azure Active Directory) user sign in as well as personal Microsoft account (MSA) sign in. Therefore there is already -some relationship between NuGet.org and Entra ID. In what way this existing integration would be affected by a service -principal flow is unclear. So this idea would be a lot more work! Maybe it's something we need in the distant future, -but not now. +service principal relates to a NuGet.org user or organization profile. + +Today NuGet.org allows Entra ID (formerly AAD, Azure Active Directory) user sign in as well as personal Microsoft +account (MSA) sign in. Therefore there is already some relationship between NuGet.org and Entra ID. In what way this +existing integration would be affected by a service principal flow is unclear. So this idea would be a lot more work! +Maybe it's something we need in the distant future, but not now. + +### Enable existing scoping features allowed on long-lived API keys + +Today, long-lived API keys can be scoped by package owner, by allowed action, and by package ID (via a wildcard +pattern). + +![Scope form](meta/trusted-publishers-oidc-for-nuget-push/scope-form.png) + +For more information about scopes on API keys, see [Scoped API +keys](https://learn.microsoft.com/en-us/nuget/nuget-org/scoped-api-keys). 
In summary: + +- **Package owner**: for users that are members of one or more organizations, it's important to know which package owner + this trust policy acts on behalf of. For example, in my screenshot above the package owner is set to `joelverhagen`, + so packages owned only by my `snoozecorp` organization will not accept package uploads via this trust policy. This is + also important to define who is the initial owner of a package that is newly created. In this example, if I push a new + `Knapcode.MyBestPackage` package ID, the new package ID will be owned by `joelverhagen`, not `snoozecorp` or any other + organization that I am a member of based on this package owner definition. + +- **Scopes**: the scope radio buttons and checkboxes define what kind of operations the trust policy can be used for. + For example, can the trust policy be used to unlist packages in addition to publishing new packages? Can only versions + on existing package IDs be published? Or new package IDs be created as well? + +- **Glob pattern**: this defines which package IDs the trust policy can apply to, based on a wildcard pattern (called + "glob" in this context for historical reasons). If you want the trust policy to apply to all package IDs you own, you + would specify `*`. Note that a broad wildcard like `*` does not supersede access controls on package IDs you do not + own. It just defines which if your packages the trust policy can work for. + +The screenshot above allows only new package versions to be pushed for packages owned by `joelverhagen`, having IDs +starting in `Knapcode.`. New package IDs cannot be created in this case nor can packages be unlisted. + +The package owner scoping is necessary so that an API key operates on behalf of the proper package owner (i.e. the user +themself or an organization they are a member of). + +The other two scoping options both have a mix of adoption, as shown below. 
+ +#### Allowed action usage + + + +| Push | Push version | Unlist | % of total | Notes | +| ---- | ------------ | ------ | ---------- | -------------------------------------------------- | +| 1 | 0 | 0 | 79.76 | Push new IDs and update existing IDs | +| 1 | 0 | 1 | 12.58 | Push new IDs and update existing IDs, allow unlist | +| 0 | 1 | 0 | 6.77 | Update existing IDs | +| 0 | 0 | 1 | 0.48 | Allow unlist | +| 0 | 1 | 1 | 0.41 | Update existing IDs, allow unlist | + +Note that "Push" implies "Push version" allowed action. + +The first two rows should be considered "high priviledge" API keys. They account for about 93% of the API keys. This +suggests users do not care much about limiting the allowed action of an API key. + +#### Package ID pattern usage + + + +| Type | % of total | Example | +| --------------------- | ---------- | ------------------------------------ | +| Glob, match all | 57.26 | `*` | +| Exact match, single | 20.58 | `NuGet.Protocol` | +| Glob, partial match | 14.59 | `NuGet.*` | +| Exact match, multiple | 6.92 | `NuGet.Protocol`, `NuGet.Frameworks` | +| Glob and exact match | 0.65 | `Microsoft.*`, `NuGet.Protocol` | + +This form of scoping based on package ID has a lot more variety than the previous section. Close to half of users go +very broad with their scoping (`*`, allow all package IDs). The 2nd place scoping is very specific: only a single +package ID can be modified with the API key. + +The current UI defaults to an empty glob pattern text field and a list of visible checkboxes for all of the package IDs +the user has upload permissions for. This requires the user to provide *some* input. It's not clear whether this UI +gently encourages users to click the checkboxes since that's probably quicker than typing. I were to guess, the adoption +of `*` would go up a lot if we defaulted the package ID text field to `*`. 
+ +#### Conclusion + +Since the majority use case for both allowed action and package ID scoping is a very permissive option, we won't enable +these two scoping options for short-lived API keys. The short-lived API keys will be able to perform any operation on +any package ID (e.g. `*` pattern). + +We can add this level of configuration later as users request it. + +The package owner dropdown is still needed. ## Prior Art From 0cb0adec744173ecc96ca8f690366d0a19246416 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 22 Aug 2024 11:52:43 -0400 Subject: [PATCH 12/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.md --- accepted/2024/trusted-publishers-oidc-for-nuget-push.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index 0658a95c6..a71610d1a 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -585,7 +585,7 @@ The other two scoping options both have a mix of adoption, as shown below. Note that "Push" implies "Push version" allowed action. -The first two rows should be considered "high priviledge" API keys. They account for about 93% of the API keys. This +The first two rows should be considered "high privilege" API keys. They account for about 93% of the API keys. This suggests users do not care much about limiting the allowed action of an API key. #### Package ID pattern usage From f4da52e5618891c3ad557a0c00442e9c3c99a6de Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 22 Aug 2024 11:52:53 -0400 Subject: [PATCH 13/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.md Co-authored-by: Damon Tivel --- accepted/2024/trusted-publishers-oidc-for-nuget-push.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
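Review bot: two numbers in the analysis do not agree with the tables above them: "They account for about 93% of the API keys" is 79.76 + 12.58 = 92.34, so "about 92%" is the accurate figure, and "Close to half of users go very broad with their scoping (`*`, allow all package IDs)" understates the 57.26% shown in the pattern table, which is a majority rather than close to half. In the conclusion, "The short-lived API keys will be able to perform any operation on any package ID (e.g. `*` pattern)" reads as cross-owner access; qualify it as any package ID the selected package owner has permissions for, which is also what the glob-pattern paragraph says ("a broad wildcard like `*` does not supersede access controls on package IDs you do not own"). Minor: "It just defines which if your packages the trust policy can work for" should be "which of your packages".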
diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md index a71610d1a..4c5d5a318 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.md @@ -662,7 +662,7 @@ package ID can be modified with the API key. The current UI defaults to an empty glob pattern text field and a list of visible checkboxes for all of the package IDs the user has upload permissions for. This requires the user to provide *some* input. It's not clear whether this UI -gently encourages users to click the checkboxes since that's probably quicker than typing. I were to guess, the adoption +gently encourages users to click the checkboxes since that's probably quicker than typing. If I were to guess, the adoption of `*` would go up a lot if we defaulted the package ID text field to `*`. #### Conclusion From 011fcc5ccfd078dce877f3373dbde803d185f037 Mon Sep 17 00:00:00 2001 From: Joel Verhagen Date: Thu, 22 Aug 2024 11:53:05 -0400 Subject: [PATCH 14/15] Update accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md Co-authored-by: Damon Tivel --- .../2024/trusted-publishers-oidc-for-nuget-push.technical.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md index 9f8010f8e..27eea629c 100644 --- a/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md +++ b/accepted/2024/trusted-publishers-oidc-for-nuget-push.technical.md 
@@ -140,7 +140,7 @@ NuGet.org will produce API keys that last 15 minutes, but this value is subject this feature is used in practice. PyPI uses this duration ([source](https://docs.pypi.org/trusted-publishers/)). Also, 15 minutes will support about 99% of push sessions on NuGet.org. For the sake of this analysis, a push session is a sequence of push operations from a distinct package owner set, where the pushes are no more than 5 minutes apart. Below -is a table of push sessions of various durations. The difference between 15 minute and 1 hour API key life givens less +is a table of push sessions of various durations. The difference between 15 minute and 1 hour API key life gives less than 1% of additional coverage.